Cisco TrustSec Security Solution Overview


1 Cisco TrustSec Security Solution Overview
Nicole Johnson, Systems Engineer, Cisco

2 Agenda
- Movement from a location-based to an identity-based security strategy
- The Cisco TrustSec approach: 802.1X, MACsec (802.1AE) encryption, Security Group Tags
- Identity Services Engine (ISE) and its role in the network
- Network Control System: an introduction to managing the lifecycle of both wired and wireless devices in your network
- Q & A
- Next steps

3 Policy Evolving with Borderless Network
Diagram: Anyone (the RIGHT person), any device (an approved device), anywhere, anytime (in the right way) across Borderless Networks.
Speaker notes: Let's now look at how the network policies we discussed previously evolve within the borderless network. Everyone here is aware of Borderless Networks: it is Cisco's big push to deliver a borderless experience, which means connecting anyone, anywhere, on any device, at any time. Security is at the forefront. WHO: identify users and provide differentiated access in a dynamic, borderless environment. WHAT: enforce compliance for proliferating consumer and network-capable purpose-built devices. WHERE: traditional borders are blurred; access is possible from anywhere. WHEN: in today's world, company resources are used 24 by 7.

4 Introducing Cisco TrustSec
Diagram: remote VPN users, wireless users, VPN users and devices connect through an identity-enabled infrastructure (guest access, VLANs, profiling, dACLs, posture, SGTs) that delivers policy-based access and services with scalable enforcement to the data center, intranet, Internet and security zones. Outcomes: enables business productivity, delivers security and risk management, improves IT operational efficiency.

5 What is TrustSec? Think of it as "NAC, Next Generation"
TrustSec is an umbrella term covering anything having to do with identity:
- IEEE 802.1X (Dot1x)
- Cisco NAC Appliance
- Profiling technologies
- Guest services
- Secure Group Access (SGA)
- MACsec (802.1AE)
- Access Control Server (ACS)
- Identity Services Engine (ISE)

6 Why Identity Is Important
1. Authentication. Who are you? 802.1X (or a supplementary method) authenticates the user. Keep the outsiders out.
2. Authorization. Where can you go? Based on the authentication, the user is placed in the correct VLAN. Keep the insiders honest.
3. Authorization. What service level do you receive? The user can be given per-user services (ACLs today, more to come). Personalize the network.
4. Accounting. What are you doing? The user's identity and location can be used for tracking and accounting. Increase network visibility.

7 What does Identity allow you to do?
- Ensure that only allowed types of users and machines connect to key resources
- Provide guest network access in a controlled and specific manner
- Deliver differentiated network services to meet security policy needs, for example:
  - Ensure compliance requirements (PCI, etc.) for user authentication are met
  - Facilitate voice/data traffic separation in the campus
  - Ensure that only employees with legitimate devices access classified systems
  - Ensure that contractors and business partners get appropriate access
- Provide user and access-device visibility to network security operations

8 Why 802.1X? Industry-standard approach to identity
- Industry-standard approach to identity, with widespread support across multiple vendors
- The most secure user/machine authentication solution: it can be certificate-based, and it authenticates prior to IP connectivity
- Complements other switch security features (ARP inspection, DHCP snooping, private VLANs)
- Easier to deploy: new features make 802.1X much easier to roll out
- Provides a foundation for additional services: start with 802.1X and add services such as posture

9 How Does 802.1X Work?
- Supplicant to Authenticator (switch, router, WAP): Layer 2; request for service (connectivity).
- Authenticator to Authentication Server (RADIUS server): Layer 3; back-end authentication support.
- Authentication Server to Identity Store/Management (Active Directory, LDAP): identity store integration.

10 Who (or What) Can Be Authenticated?
Device authentication (e.g. host\XP2): enables devices to access the network prior to (or in the absence of) user login; enables critical device traffic (DHCP, NFS, machine GPO); is required in managed wired environments.
User authentication (e.g. alice): enables user-based access control and visibility; if enabled, should be in addition to device authentication.

11 Various Authorization Mechanisms
802.1X provides various authorization mechanisms for policy enforcement.
Three major enforcement/segmentation mechanisms:
- Dynamic VLAN assignment (ingress)
- Downloadable per-session ACL (ingress)
- Security Group Access Control List (SGACL) (egress)
Three different enforcement modes:
- Monitor Mode
- Low Impact Mode (with downloadable ACL)
- High-Security Mode
Session-based, on-demand authorization: Change of Authorization (RFC 3576 RADIUS Disconnect Messages)

12 Cisco Switches with 802.1X: A Systems Approach
A fully planned, tested, and vetted SYSTEM for identity. The many business units have all worked together to form a full system-based approach that ensures the most capable, fully functional and proven identity system in the industry. Consistent across all switch platforms: same features, same code. Features: multi-auth, deployment modes, pre-emptive dead server detection, critical VLAN, dACL per host.

13 MACsec (802.1AE) Overview

14 Quick Review of MACsec (802.1AE)
- Media Access Control (MAC) Security is standards-based: MACsec is a Layer 2 encryption mechanism (ratified in 2006).
- 802.1AE defines the use of AES-GCM-128 as the encryption cipher; Cisco is working with the IETF to extend this to AES-GCM-256.
- Secures communication for trusted components on the LAN.
- Builds on 802.1X for key management, authentication, and access control: 802.1X-2010 defines the use of MACsec, MACsec Key Agreement (MKA, previously 802.1AF), and 802.1AR (ratified in 2010).
- MACsec is very efficient: Authenticated Encryption with Associated Data (AEAD); hardware implementations run very quickly, with 1G and 10G line-rate crypto currently deployed; Intel AES-NI support in the CPU (Cisco FIPS validated).
Speaker notes: Emphasize the point that MACsec is still relatively new. 802.1AE, which defines MACsec, was ratified in 2006. MKA wasn't ratified until 2010. Cisco is the first, and only, customer to take Intel AES-NI support through FIPS validation for use in Cisco products. Cisco is committed to Intel's technologies. Asking for Intel to stay committed to Cisco.

15 Confidentiality and Integrity: Securing the Data Path with MACsec
Media Access Control Security (MACsec) provides "WLAN/VPN equivalent" encryption (128-bit AES-GCM) for the LAN connection: NIST-approved* encryption (IEEE 802.1AE) plus key management (IEEE 802.1X-2010/MKA or the Security Association Protocol). It allows the network to continue to perform auditing (security services). TrustSec provides an encrypted data path regardless of your access method (WLAN, remote access, and LAN!).
Diagram: a guest user's data is sent in the clear; an authenticated user (802.1X, supplicant with MACsec) has traffic encrypted and decrypted on the MACsec link by MACsec-capable devices.
* National Institute of Standards and Technology Special Publication D
Note: Cat3750-X currently supports MACsec on downlink only.
© 2011, Cisco Systems, Inc. All rights reserved. TECSEC-2041.scr

16 MACsec Benefits and Limitations
Benefits:
- Confidentiality: strong encryption at Layer 2 protects data.
- Integrity: integrity checking ensures data cannot be modified in transit.
- Flexibility: selectively enabled with centralized policy.
- Network intelligence: hop-by-hop encryption enables the network to inspect, monitor, mark and forward traffic according to your existing policies.
Limitations:
- Endpoint support: not all endpoints support MACsec.
- Network support: line-rate encryption typically requires updated hardware on the access switch.
- Technology integration: MACsec may impact other technologies that connect at the access edge (e.g. IP phones).

17 Cisco TrustSec Security Group Tags
Security Group Tag (SGT):
- Unique 16-bit (65K) tag assigned to a unique role
- Represents the privilege of the source user, device, or entity
- Tagged at ingress of the TrustSec domain
- Provides topology-independent policy
- Flexible and scalable policy based on user role
- Centralized policy management for dynamic policy provisioning
Hop-by-hop encryption (802.1AE): provides confidentiality and integrity while still allowing inspection of traffic between endpoints.

18 Layer 2 SGT Frame Format: Cisco Meta Data
Frame layout: DMAC, SMAC, 802.1AE header, 802.1Q, CMD, ETYPE, PAYLOAD, ICV, CRC. The diagram marks the authenticated span and the encrypted span: the 802.1AE header is authenticated but not encrypted, while the 802.1Q tag, CMD, EtherType and payload are encrypted and authenticated, with the ICV carrying the integrity check.
Cisco Meta Data (CMD) fields: Version, Length, CMD EtherType, SGT Option Type, SGT Value, other CMD options. The highlighted Ethernet frame fields are the 802.1AE + TrustSec overhead.
- The frame is always tagged at the ingress port of an SGT-capable device
- Tagging takes place prior to other L2 services such as QoS
- No impact on IP MTU/fragmentation
- L2 frame MTU impact: ~40 bytes, less than a baby giant frame (~1600 bytes with a 1552-byte MTU)
Transcript: SGT, or the security tag, is the tag actually inserted into the Layer 2 frame. As you can see on the slide, I have the frame format of the Ethernet and also the actual field that is inserted into the Ethernet frame. We insert the 802.1AE headers, the encryption headers, along with a field called Cisco metadata, which includes the SGT value in it. We are going to manipulate the actual Layer 2 frame. There is no IP MTU fragmentation, but there will be an impact to the Layer 2 frame MTU, about 40 bytes. It's not going to be like any giant frame, but it's going to be a little bit less than the baby giant frame.
Author's original notes: 802.1AE header (SecTAG) = 8 or 16 bytes; CMD = 8 to 64 bytes; ICV = 16 bytes; up to ~96 bytes overhead versus the baby giant MTU.

19 Identity Services Engine (ISE)

20 Policy-Based Access
Identity Services Engine delivers "business policy": define network policy as an extension of business goals. Diagram: a finance manager on a corporate-issued laptop and on a personal iPad, against Product Bookings, SalesForce.com and Customer Data, with Customer Data marked X for the personal iPad. Policy extends to all access types (wired, wireless, VPN). Lifecycle services integration: guest, profiling, posture. Optional encryption-based policies for security-conscious users.

21 Identity Services Engine
ISE: policies for people and devices.
- Authorized access: How can I restrict access to my network? Can I manage the risk of using personal PCs, tablets and smart devices? What are the access rights on premises, at home, on the road? Are the devices healthy?
- Guest access: Can I allow guests Internet-only access? How do I manage guest access? Can this work on wireless and wired? How do I monitor guest activities?
- Non-user devices: How do I discover non-user devices? Can I determine what they are? Can I control their access? Are they being spoofed?
Speaker notes: There are three main use cases customers try to address: authorized access for employees; guest access (everyone has guests, and generally wants them to get access to the Internet); and devices without users (there are tons of these, and they are often overlooked when thinking about access policy). The questions in each silo are great real-world examples of problems customers are trying to solve. We will dive into each of these areas as we learn about the ISE and its features.

22 A Practical Example of Policies
"Employees should be able to access everything but have limited access on personal devices." "Everyone's traffic should be encrypted." "Printers should only ever communicate internally." Diagram: Internet, internal resources, campus network, Cisco switch, Cisco Identity Services Engine, Cisco access point, Cisco Wireless LAN Controller.
Speaker notes: Let's look at a common customer policy. 1. An employee on a wired or wireless network should have full access to the internal resources when he/she is using a corporate device, versus limited access when using a personal device. 2. Printers should communicate internally and not, say, across the Internet. 3. Any user who wants to access the internal resources across the Internet should be coming across a VPN tunnel; in other words, the traffic should be encrypted. We could implement this policy before ISE, but it would require multiple devices/solutions: the ACS for 802.1X, NAC Profiler to profile endpoints, and NAC to control access. With ISE we've combined the functionality of ACS, NAC, Profiler and Guest. ISE enables centralized policy creation and consistent policy enforcement across the entire corporate infrastructure, from the head office to the branch office.

23 Let’s Start With What We Know
Previous Cisco TrustSec solution portfolio:
- AnyConnect and Access Control System (ACS): identity and access control
- NAC Agent, NAC Manager and NAC Server: identity and access control plus posture
- NAC Profiler and NAC Collector (standalone appliance or licensed as a module on NAC Server): device profiling and provisioning plus identity monitoring
- NAC Guest Server: guest lifecycle management
Speaker notes: To understand ISE, let's begin with what we know. We have separate appliances which each provide a specific service: ACS, NAC appliances, guest services and profiling services. So if a customer wants to implement network access control, posture, guest and profiling, they'll need a minimum of 5 devices.

24 Introducing Identity Services Engine
Next-generation solution portfolio: the functions of Access Control System (identity and access control), NAC Manager and NAC Server (identity and access control plus posture), NAC Profiler and NAC Collector (device profiling and provisioning plus identity monitoring) and NAC Guest Server (guest lifecycle management) are consolidated into the Identity Services Engine, with AnyConnect and the NAC Agent on the endpoint.
Speaker notes: Moving forward, in ISE we have consolidated all these services and functions into a single appliance, deploying them as and when needed rather than allocating specific appliances tied down with user licenses.

25 Benefits of Identity Services Engine
- Consolidated services, software packages: ACS, NAC Manager, NAC Server, NAC Profiler and NAC Guest become an all-in-one ISE HA pair; simplify deployment and administration; keep the existing logical design.
- Visibility: user ID, access rights, location, device (and IP/MAC); track active users and devices.
- Flexible service deployment: distributed policy servers; optimize where services run.
- ISE admin console: monitoring; manage guests and sponsors; manage Security Group Access; system-wide monitoring and troubleshooting; consolidate data with three-click drill-in.
SGT policy matrix shown on the slide (source role by destination):
        Public   Private
Staff   Permit   Permit
Guest   Permit   Deny
Speaker notes: The benefits of ISE are that the platform combines authentication, authorization, posture, profiling and guest management services in a single unified appliance. It has a single management console for configuring and administering services, enabling consistent and simplified administration. Fewer boxes are needed because multiple services can run on a single node, compared to having a separate appliance for ACS, NAC, Profiler and Guest.

26 Identity & Context-Awareness Leveraging your Infrastructure Network
Consistent identity features supported on all Catalyst switch models authenticate authorized users (802.1X), devices such as IP phones and other network devices (MAB and profiling) and guests (Web Auth).
Identity feature differentiators:
- Monitor Mode: delivers visibility by authenticating users/devices without enforcement
- Flex Authentication Sequence: the most flexible authentication in the market; automates ports for rolling authentication with a flexible sequence
- IP Telephony Interoperability: features like multi-domain auth and link state provide authentication for IP telephony environments, or users behind VoIP devices
- VDI Deployment Support: the multi-authentication feature enables authentication of multiple MAC addresses behind a single port
Speaker notes: Cisco has considerable investment in identity features on our infrastructure. A number of differentiators include monitor mode, which allows you to authenticate users without enforcement. Another differentiator is flex auth, our ability to order authentication appropriately along with the right behavior when authentication fails. Interop with IP telephony and in VDI environments is also supported. These features are delivered consistently across our entire switch portfolio, so whether you're deploying a Cat 3K, 4K or 6K, the customer just has to select the right switch.

27 ISE Lifecycle Services: ISE Posture Ensures Endpoint Health before Network Access
A non-compliant wired, wireless or VPN user is given temporary limited network access until remediation is complete. Example employee policy: Microsoft patches updated; McAfee AV installed, running, and current; corporate asset checks; enterprise application running.

28 ISE Lifecycle Services: ISE Guest Service for Managing Guests
- Provision: guest accounts via the sponsor portal (guests authenticate by Web Auth and get Internet access)
- Manage: sponsor privileges, guest accounts and policies, guest portal
- Notify: guests of account details by print, email, or SMS
- Guest policy: wireless or wired access; Internet-only access
- Report: on all aspects of guest accounts

29 Identity and Context-Awareness ISE Profiling for Non-Authenticating Devices
"What is on my network?"
- Reduces MAB effort by identifying more than 90 device categories
- Create policy for users and endpoints, for example "limited access by employee on iPad"
- Confidence match based on multiple attributes
- Future "template feed"
Speaker notes: The key component of the TrustSec architecture is ISE. It converges NAC and ACS functionality, from AAA functions to security services like guest, profiling and posture, into one appliance, making the choice of deploying either an "overlay mode" or an "infrastructure integrated mode" a lot simpler for customers. The current NAC and ACS hardware platforms are software-upgradeable to ISE. A license migration program exists for all software licenses. Data and configuration migration tools are available*.

30 ISE Device Profiling Capabilities
Device categories shown: smart phones, gaming consoles, workstations. Each profile has a minimum confidence for a match, and multiple rules are used to establish the confidence level.

31 ISE Device Profiling Example - iPad
Profiling rules for an Apple iPad: Is the MAC address from Apple? Does the hostname contain "iPad"? Is the web browser Safari on an iPad? Once the device is profiled, it is stored within the ISE for future associations.
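The confidence match described on this and the two preceding slides, as an added illustration (not Cisco ISE code): each rule adds a weight when it matches, a profile counts only if the total reaches its minimum confidence, and the highest-scoring profile wins. The OUI table, rule weights, thresholds and the parent "Apple-Device" profile are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample OUI table (first three octets of the MAC -> vendor);
# a real profiler would consult the full IEEE OUI registry.
OUI_VENDOR = {"00:1c:b3": "Apple", "3c:5a:b4": "Google"}

@dataclass
class Endpoint:
    mac: str
    hostname: str = ""        # e.g. learned from DHCP or DNS
    user_agent: str = ""      # e.g. learned from an HTTP web-auth redirect

@dataclass
class Rule:
    name: str
    weight: int                          # confidence added on a match
    test: Callable[[Endpoint], bool]

@dataclass
class Profile:
    name: str
    min_confidence: int                  # "minimum confidence for a match"
    rules: List[Rule]

def vendor_of(mac: str) -> str:
    return OUI_VENDOR.get(mac.lower()[:8], "unknown")

# Constructed weights for the three iPad questions on the slide.
IPAD = Profile("Apple iPad", min_confidence=30, rules=[
    Rule("MAC address from Apple", 10, lambda e: vendor_of(e.mac) == "Apple"),
    Rule("hostname contains iPad", 10, lambda e: "ipad" in e.hostname.lower()),
    Rule("Safari on an iPad", 20,
         lambda e: "ipad" in e.user_agent.lower() and "safari" in e.user_agent.lower()),
])
# A weaker parent profile that a lone Apple OUI is allowed to satisfy.
APPLE_DEVICE = Profile("Apple-Device", min_confidence=10, rules=[IPAD.rules[0]])

def score(profile: Profile, ep: Endpoint) -> Tuple[int, List[str]]:
    """Sum the weights of the rules that match; also report which ones did."""
    matched = [r for r in profile.rules if r.test(ep)]
    return sum(r.weight for r in matched), [r.name for r in matched]

def classify(ep: Endpoint, profiles=(IPAD, APPLE_DEVICE)) -> str:
    """Highest-scoring profile whose minimum confidence is reached, else 'Unknown':
    a single easily spoofed attribute (the MAC alone) never earns the iPad policy."""
    best_name, best_score = "Unknown", 0
    for p in profiles:
        total, _ = score(p, ep)
        if total >= p.min_confidence and total > best_score:
            best_name, best_score = p.name, total
    return best_name

if __name__ == "__main__":
    ipad = Endpoint("00:1C:B3:12:34:56", "Nicoles-iPad",
                    "Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) Safari/7534.48.3")
    print(classify(ipad), score(IPAD, ipad))
```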

32 Cisco ISE Provides Policy for Wired and Wireless LANs
NCS: centralized monitoring of wired and wireless networking, users and endpoints. ISE: central point of policy for wired and wireless users and endpoints. Unified wired and wireless policy (ISE) and management (NCS).

33 TrustSec Deployment Options
- Monitor Mode. Primary features: open mode, multi-auth, flex auth (optional). Benefits: unobstructed access, no impact on productivity, gain visibility, AAA logs.
- Low Impact Mode. Primary features: open mode, multi-domain port and dACLs. Benefits: maintain basic connectivity, increased access security, differentiated access.
- High Security Mode. Primary features: traditional closed mode, dynamic VLANs. Benefit: strict access control.

34 Deployment Overview: Planning a Typical TrustSec Deployment Scenario
Plan in advance and keep the impact on the user experience as small as possible. Phases: Proof of Concept; Pilot Deployment (size: 1 segment or 1 floor) with switch setup, supplicant provisioning and RADIUS setup; No Enforcement (Monitor Mode); Review & Adjust; Enforcement (Low Impact Mode); Review & Adjust; Services; Expansion (size: multi-floor, building).
Transcript: So as a deployment overview, I want us to make sure that when you talk about the TrustSec deployment, you want to keep the impact to the customers and the users, the actual users in the network, as minimal as possible. One of the biggest challenges that we have in the .1x is that you enable the .1x on the switch, and what's going to happen is if you don't open the gate, you're out. And that has been kind of a big barrier, and also harder for us because it changes the user experience completely. So when we deploy the .1x, we want to make sure that we keep it as minimal as possible. We'll start with the planning phase, of course, and then we're going to talk about what you can actually do in the planning phase. We're going to go into the proof of concept (of course, you want us to do the proof of concept) and then the deployment mode. Let's start your deployment with a very, very limited amount of people. Some customers still use like one floor, some customers want to limit the size to the IT department, or a very small area or very small segment. We suggest you start the deployment using the supplicant first, and then go to the AAA, and then tweak the config on the switch last. Fay is going to talk about the next phase, which is no enforcement, or monitor mode. We always recommend you start with this phase and then go to the next phase, which is introducing some enforcement on top of it. And it depends on how the customer wants it; you can add the services after this. And then once you feel comfortable, you can go to the next step, where you can actually expand this deployment to one building or one or multiple floors.

35 Why Cisco TrustSec Architecture
- One policy for wired, wireless and VPN
- Integrated lifecycle services (posture, profiling, guest)
- Differentiated identity features (monitor mode, flex auth, multi-auth, ...)
- Phased approach to deployments, i.e. monitor mode
- Flexible and scalable authorization options
- Encryption to protect communications and SGT tags

36 Trustsec.cisco.com

37 802.1x Resources

38 MACsec Resources

