Post on 21-Mar-2021
© 2019 NIL, Security Tag: PROTECTED
Marija Škoda and Maja Podbevšek
Simplifying Network Segmentation with Cisco SD-Access
Traditional Segmentation
Figure: a traditional campus with one VLAN per role at the access layer (Employee in DataVLAN, Voice in VoiceVLAN, BYOD in BYODVLAN, Supplier in GuestVLAN, Non-Compliant in QuarantineVLAN), carried over the aggregation layer into the enterprise backbone.
Traditional Security Policy: security policy is based on topology. Every segment brings its own VLAN, address space, DHCP scope, redundancy, routing, static ACL and VACL, which means:
• Manual, time-consuming security work and maintenance
• Policy inconsistencies across devices and networks
• Complicated access management
Figure: a wall of numbered-ACL entries (access-list 102 permit/deny ...) stands for the IP-based policy that results. The entries are generated filler rather than a working ACL (several apply port operators to icmp or ip, which IOS rejects), for example:
  access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
  access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
  access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
  access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
  (about twenty such lines on the slide)
Traditional Segmentation Example
Figure: hierarchical campus design. A super core joins two cores; below them sit aggregation layers, and beside them a Services block (DDI: DNS, DHCP, IPAM), a WAN block (branch and DC IWAN over MPLS and Internet), a DC block and an Internet block (I-NET). The legend distinguishes Layer-2 and Layer-3 links.
Traditional Segmentation Example
3 VRFs × 10 VLANs × 10 distribution points = 300 segments to configure and keep consistent.
Segmentation 2.0
• Cisco Digital Network Architecture (DNA) unleashes the true power within a Cisco secure network
• ISE + software visibility provide the context
• A written security policy becomes enforced segmentation
• Dramatically reduces the attack surface and is manageable
Ease the process with SD-Access
SD-Access: Quick Intro
Cisco Software Defined Access: The Foundation for Cisco's Intent-Based Network
Figure: Cisco DNA Center (Assurance, Automation, Policy) on top of a fabric with control-plane (C) and border (B) nodes; an IoT network and an employee network share the fabric; the figure also labels an SD-Access Extension and the Outside; when a user moves, policy follows the user.
• Automated Network Fabric: single fabric for wired and wireless with full automation
• Insights and Telemetry: analytics and insights into user and application experience
• Identity-Based Policy and Segmentation: policy definition decoupled from VLAN and IP address
SD-Access Terminology
Cisco SD-Access: Fabric Roles & Terminology
Figure: the underlay network (with its own underlay control plane) carries an overlay network built by encapsulation between edge devices; the overlay has its own overlay control plane, and hosts (end-points) attach to the edge devices.
Cisco SD-Access: Fabric Roles & Terminology
Figure: the campus fabric with control-plane (C), border (B) and edge nodes, intermediate nodes in the underlay, a fabric wireless controller, identity services (ISE) and Cisco DNA Center (NCP for automation, NDP for assurance) above it.
▪ Control-Plane Nodes – map system that manages endpoint-to-device relationships
▪ Fabric Edge Nodes – a fabric device (e.g. access or distribution) that connects wired endpoints to the SDA fabric
▪ Fabric Border Nodes – a fabric device (e.g. core) that connects external L3 network(s) to the SDA fabric
▪ Fabric Wireless Controller – a fabric device (WLC) that connects APs and wireless endpoints to the SDA fabric
▪ Intermediate Nodes – underlay devices between the fabric nodes that only forward underlay traffic
▪ Identity Services – NAC & ID systems (e.g. ISE) for dynamic endpoint-to-group mapping and policy definition
▪ Cisco DNA Automation – provides simple GUI management and intent-based automation (e.g. NCP) and context sharing
▪ Cisco DNA Assurance – data collectors (e.g. NDP) analyze endpoint-to-app flows and monitor fabric status
Cisco SD-Access: Outside of the Fabric
Figure: the border nodes (B) hand off to a fusion router or firewall; behind it sit the shared services: APIC-EM (the predecessor of DNA Center automation), the identity service (ISE) and DHCP/DNS.
SD-Access Operation
SD-Access Fabric: Campus Fabric – Key Components
1. Control plane based on LISP
2. Data plane based on VXLAN
3. Policy plane based on Cisco TrustSec (CTS)
Figure: fabric with control-plane (C) and border (B) nodes.
SD-Access Fabric: Control-Plane Nodes – A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information
• A simple host database that maps Endpoint IDs to a current location, along with other attributes: EID and RLOC info
• Receives Endpoint ID map registrations from edge and/or border nodes for "known" IP prefixes
• Resolves lookup requests from edge and/or border nodes to locate destination Endpoint IDs
Figure: fabric with C and B nodes between known and unknown networks; edge nodes with RLOCs 192.168.1.11/32 and 192.168.1.13/32 register hosts of the stretched 172.16.0.0/16 subnet, giving the database entries 172.16.101.11/16 → 192.168.1.11 and 172.16.101.12/16 → 192.168.1.13.
SD-Access Fabric: Edge Nodes – A Closer Look
Edge Node provides first-hop services for users / devices connected to a fabric
• Responsible for identifying and authenticating endpoints (e.g. static, 802.1X, Active Directory)
• Registers specific Endpoint ID info (e.g. /32 or /128) with the control-plane node(s)
• Provides an anycast L3 gateway for the connected endpoints (same IP address on all edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected endpoints
Figure: VXLAN tunnels from the edge nodes across the fabric toward the C and B nodes.
SD-Access Fabric: Overlay Benefit
Stretched Subnets allow an IP subnet to be "stretched" via the overlay
• Fabric dynamic EID mapping allows host-specific (/32, /128, MAC) advertisement and mobility
• Host 1 connected to Edge A can now use the same IP subnet to communicate with Host 2 on Edge B
• No longer need a VLAN to connect Host 1 and 2 ☺
• When a host moves from Edge 1 to Edge 2, it does not need to change its default gateway ☺
Figure: every edge node is a GW (anycast gateway) for the stretched subnet and the control-plane node tracks the dynamic EIDs; scorecard on the slide: segments, VRFs, VLANs, distribution points (the counters from the 300-segment example).
SD-Access Fabric: Control-Plane and Edge Nodes Operation Example
Figure: fabric control plane 5.1.1.1; fabric edges with RLOCs 2.1.1.1, 2.1.2.1, 3.1.1.1 and 3.1.2.1 plus a branch; subnet 10.2.0.0 255.255.0.0 stretched across all edges, with hosts 10.2.2.2/16 and 10.2.2.3/16 behind one edge and 10.2.2.4/16 and 10.2.2.5/16 behind another.
• Database mapping entries on the control plane: 10.2.2.2/32 → (2.1.2.1), 10.2.2.4/32 → (3.1.2.1)
• An edge that needs to reach 10.2.2.2 asks the control plane "Where is 10.2.2.2?" and installs the reply as a cache entry: 10.2.2.2/32 → (2.1.2.1)
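The exchange above (map-register from the edges, the "Where is 10.2.2.2?" lookup with its cache entry, and what happens when a host roams) as a runnable model. This is an added example for this editing pass, not Cisco code and not part of the original deck, and it does not speak real LISP on the wire: the message names follow LISP, but the cache invalidation on a host move is a simplification of LISP's solicit-map-request, and the border RLOC 4.1.1.1 is an assumption. The other addresses are the slide's.

```python
"""Model of the SD-Access control plane from the slide: a Control-Plane node
keeps the host-tracking database (EID -> RLOC) and Edge nodes register their
attached hosts and resolve destinations into a local map-cache.

Added example for this deck, not Cisco code and not real LISP on the wire.
Message names follow LISP (map-register, map-request, map-reply); the
cache invalidation on a host move is a simplification of LISP's
solicit-map-request. Border RLOC 4.1.1.1 is assumed; the rest is the slide's.
"""
from ipaddress import ip_address, ip_network

STRETCHED_SUBNET = ip_network("10.2.0.0/16")


class ControlPlaneNode:
    """Map system: host EID (/32) -> RLOC of the edge it is attached to."""

    def __init__(self, rloc):
        self.rloc = rloc
        self.db = {}          # eid -> edge rloc (the "database mapping entry")
        self.cached_by = {}   # eid -> set of edge rlocs holding a cache entry
        self.edges = {}       # rloc -> EdgeNode, to deliver invalidations

    def map_register(self, eid, edge_rloc):
        """An edge registers a host; a changed RLOC means the host moved."""
        old = self.db.get(eid)
        self.db[eid] = edge_rloc
        if old is not None and old != edge_rloc:
            for rloc in self.cached_by.pop(eid, set()):
                self.edges[rloc].invalidate(eid)   # stale cache entries go
        return old

    def map_unregister(self, eid):
        self.db.pop(eid, None)
        for rloc in self.cached_by.pop(eid, set()):
            self.edges[rloc].invalidate(eid)

    def map_request(self, eid, requester_rloc):
        """Map-reply with the RLOC, or None as a negative reply (unknown EID)."""
        rloc = self.db.get(eid)
        if rloc is not None:
            self.cached_by.setdefault(eid, set()).add(requester_rloc)
        return rloc


class EdgeNode:
    """Fabric edge: anycast gateway of the stretched subnet, VXLAN endpoint."""

    def __init__(self, rloc, control_plane, border_rloc):
        self.rloc = rloc
        self.cp = control_plane
        self.border = border_rloc
        self.hosts = set()     # locally attached EIDs
        self.map_cache = {}    # eid -> rloc ("cache entry" on the slide)
        control_plane.edges[rloc] = self

    def attach(self, host_ip):
        """Host authenticates on an access port: register its /32 upstream."""
        eid = ip_address(host_ip)
        self.hosts.add(eid)
        return self.cp.map_register(eid, self.rloc)

    def detach(self, host_ip):
        eid = ip_address(host_ip)
        self.hosts.discard(eid)
        self.cp.map_unregister(eid)

    def invalidate(self, eid):
        self.map_cache.pop(eid, None)

    def resolve(self, dst_ip):
        """Forwarding decision for dst_ip: 'local' (deliver here), an edge RLOC
        (encapsulate in VXLAN to that edge) or the border RLOC (not a known EID)."""
        dst = ip_address(dst_ip)
        if dst in self.hosts:
            return "local"
        if dst in self.map_cache:
            return self.map_cache[dst]
        if dst in STRETCHED_SUBNET:
            rloc = self.cp.map_request(dst, self.rloc)      # "Where is 10.2.2.2?"
            if rloc is not None:
                self.map_cache[dst] = rloc
                return rloc
        return self.border   # negative reply or off-fabric prefix: send to border


def move_host(host_ip, old_edge, new_edge):
    """Roaming: the new edge registers first (the control plane sees the RLOC
    change and invalidates caches), then the old edge forgets the host."""
    new_edge.attach(host_ip)
    old_edge.hosts.discard(ip_address(host_ip))


def build_slide_topology():
    """Slide's example: 10.2.2.2/.3 behind edge 2.1.2.1, 10.2.2.4/.5 behind 3.1.2.1."""
    cp = ControlPlaneNode("5.1.1.1")
    edges = {r: EdgeNode(r, cp, border_rloc="4.1.1.1")
             for r in ("2.1.1.1", "2.1.2.1", "3.1.1.1", "3.1.2.1")}
    for host, rloc in (("10.2.2.2", "2.1.2.1"), ("10.2.2.3", "2.1.2.1"),
                       ("10.2.2.4", "3.1.2.1"), ("10.2.2.5", "3.1.2.1")):
        edges[rloc].attach(host)
    return cp, edges


if __name__ == "__main__":
    cp, edges = build_slide_topology()
    edge = edges["2.1.1.1"]
    print("Where is 10.2.2.2?", edge.resolve("10.2.2.2"))   # 2.1.2.1
    print("Where is 10.2.9.9?", edge.resolve("10.2.9.9"))   # 4.1.1.1 (border)
    move_host("10.2.2.2", edges["2.1.2.1"], edges["3.1.1.1"])
    print("After move:", edge.resolve("10.2.2.2"))          # 3.1.1.1
```

The point the slide makes in pictures shows up in the last two calls: after the roam the host keeps its IP and its anycast gateway, only the database entry and the stale cache on the querying edge change, and nothing had to be touched on the old edge beyond forgetting the host.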
Segmentation in SD-Access
SD-Access Macrosegmentation: Virtual Network – A Closer Look
Virtual Network maintains a separate routing & switching table for each instance
• VN instance ID to maintain separate VRF topologies
• Nodes add a VNID to the fabric encapsulation
• Endpoint ID prefixes (host pools) are routed and advertised within a Virtual Network
Figure: VN Campus, VN IoT and VN Guest riding the same fabric (C and B nodes) between known and unknown networks; scorecard: segments, VRFs, VLANs, distribution points.
SD-Access Macrosegmentation
Virtual Network (VN)
Figure: a Building Management VN and a Campus Users VN (VN "A", "B", "C") on one SD-Access fabric between known and unknown networks.
First-level segmentation ensures zero communication between forwarding domains, with the ability to consolidate multiple networks into one management plane.
By default access is blocked between the virtual networks in the fabric. If two VNs must talk, the traffic leaves through the border to the fusion router or firewall, which is where that exception is configured and can be inspected.
SD-Access Microsegmentation: Scalable Groups – A Closer Look
Scalable Group is a logical policy object to "group" users and/or devices
• Nodes use "Scalable Groups" to identify and assign a unique Scalable Group Tag (SGT) to endpoints
• Nodes add an SGT to the fabric encapsulation
• SGTs are used to manage address-independent "Group-Based Policies"
• Edge or border nodes use the SGT to enforce local Scalable Group ACLs (SGACLs)
Figure: endpoints tagged SGT 3, 4, 8, 11, 12, 17, 19, 23 and 25 spread across the fabric (C and B nodes); scorecard: segments, VRFs, VLANs, distribution points.
SD-Access Microsegmentation
Scalable Group (SG)
Figure: groups SG1 to SG9 inside the Building Management VN and the Campus Users VN of one SD-Access fabric.
Second-level segmentation ensures role-based access control between two groups within a Virtual Network. Provides the ability to segment the network into either lines of business or functional blocks.
SD-Access Segmentation
Figure: one fabric with VN USERS (Employees, Contractors) and VN THINGS (Cameras, Printers); contracts (SGACLs) govern the flows between the groups.
• Macro segmentation with 'Virtual Networks'
• Micro segmentation with 'Scalable Groups'
• Contracts control access between SGTs
SD-Access Segmentation Parameters: VN and SGT Propagation
Figure: Edge Node 1 encapsulates, Edge Node 2 decapsulates; the VXLAN header carries both the VN ID and the SGT ID across the IP network.
• Classification: static or dynamic VN and SGT assignment
• Propagation: carry VN and group context across the network
• Enforcement: group-based policies, ACLs, firewall rules
How Does This Work
SD-Access Microsegmentation: ISE Integration
Figure: Cisco DNA Center (fabric management, policy authoring workflows, groups and policies) and Cisco Identity Services Engine (authentication, authorization policies) exchange groups and policies over REST APIs and pxGrid; both act on the campus fabric.
SD-Access Microsegmentation: ISE Integration
Figure: ISE personas (ISE-PAN, ISE-MNT, ISE-PSN, ISE-PXG) in front of the network devices, users, devices and things; DNA Center talks to ISE over REST (config sync: network devices, admin/operate) and over pxGrid (context).
• Authorization policy on ISE: if Employee then SGT 10; if Contractor then SGT 20; if Things then SGT 30
• pxGrid exchange topics: TrustSecMetaData (SGT Name: Employee = SGT 10, SGT Name: Contractor = SGT 20, ...) and SessionDirectory* (* future plan), e.g. the session "Bob with Win10 on CorpSSID"
SD-Access Segmentation: Workflow is Simple
SD-Access Segmentation: SGACL Example on ISE
SD-Access Microsegmentation
Figure: Cisco ISE in the centre, surrounded by the Scalable Group Tags, the Scalable Group ACL name table and the SGACL policy matrix (sources × destinations) of ✓/✕ cells:
  ✕ ✓ ✕ ✓ ✓ ✓
  ✓ ✓ ✕ ✓ ✕ ✕
  ✕ ✓ ✓ ✕ ✕ ✕
• SGT & SGT names: centrally defined endpoint ID groups, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
• SGACL name table: policy matrix to be pushed down to the network devices
• Dynamic SGT assignment: ISE dynamically authenticates endpoint users and devices (MAB, 802.1X, Easy Connect) and assigns SGTs
• Static SGT assignment
• AAA: ISE authenticates network devices for a trusted domain
SD-Access Policy Enforcement Points
Figure: campus fabric with C and B nodes, fabric border nodes and fabric edge nodes; DNA Center (NCP) and ISE above.
▪ Border Nodes – enforce policy for traffic leaving the fabric, such as user-to-DC access control
▪ Edge Nodes – enforce policy for traffic within the fabric, user-to-user flows
SGT Inside the Fabric: Egress Switch Enforcement Flow
Figure: an Employee (SGT 5, 10.1.100.1) sends to hosts behind another edge where an Employee (SGT 5) and a Contractor (SGT 10) are attached (the slide shows both as 10.2.200.6).
Egress switches enforce policy:
• Store IP-SGT bindings for adjacent hosts
• Download policies for local groups (e.g. Employee & Contractor)
• Program policies to 'protect' the SGTs of adjacent endpoints
The source SGT is read from the VXLAN header of the arriving packet; the destination SGT comes from the egress switch's own IP-SGT binding for the adjacent host. The ingress switch therefore needs no knowledge of remote groups, and each switch only holds the matrix rows that protect its locally attached SGTs.
SGT Outside the Fabric
Figure: Edge Node 1 → Border Node (with the Control-Plane Node C) → Fusion Router, peering over BGP, → Shared Services and Data Center; Host Pool 10 sits behind the edge.
• SGACLs are enforced at the border or at the fusion router
• Destination IP subnets outside the fabric need to be mapped to SGTs, either manually (static IP-to-SGT maps) or via SXP/pxGrid from ISE
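The three parameters from the Segmentation Parameters slide (classification, propagation, enforcement), the egress-switch flow and the subnet-to-SGT mapping for destinations outside the fabric, as one runnable model. This is an added example written for this editing pass, not Cisco code and not part of the deck. The header layout is the VXLAN Group Policy extension that SD-Access uses (G and I flag bits, the 16-bit Group Policy ID carrying the SGT, the 24-bit VNI); everything else is constructed: the VN IDs 0x1001 and 0x1002, the bindings, the contracts, and the choice of deny as the matrix's catch-all cell (ISE ships that catch-all as permit; change it deliberately).

```python
"""Policy plane of SD-Access: how the SGT and VN ID travel in the VXLAN
header and how the egress node enforces the SGACL matrix against them.

Added example for this deck, not Cisco code. Header layout per the VXLAN
Group Policy extension; VN IDs, bindings and contracts are constructed.
"""
import struct
from ipaddress import ip_address, ip_network

# Constructed identifiers (the VN IDs are not from the slides)
VN_USERS, VN_THINGS = 0x1001, 0x1002
SGT_NAMES = {0: "Unknown", 3: "Employee", 4: "Contractors", 8: "PCI_Servers",
             9: "App_Servers", 12: "Cameras"}

# Egress node's IP-SGT table: (prefix, VN, SGT). The /32 is learned when the
# host authenticates on this edge; the DC subnets are static sgt-maps or
# SXP-learned bindings, as on the fusion router. Longest prefix wins.
BINDINGS = [
    (ip_network("10.2.200.0/24"), VN_USERS, 3),
    (ip_network("10.2.200.6/32"), VN_USERS, 4),
    (ip_network("172.16.10.0/24"), VN_USERS, 8),
    (ip_network("172.16.20.0/24"), VN_USERS, 9),
    (ip_network("10.9.0.0/16"), VN_THINGS, 12),
]

# SGACL matrix: (source SGT, destination SGT) -> contract
CONTRACTS = {(3, 3): "permit", (3, 9): "permit", (3, 8): "deny", (4, 9): "deny"}
DEFAULT_CONTRACT = "deny"   # the matrix catch-all cell; assumed deny here

VXLAN_FLAG_G, VXLAN_FLAG_I = 0x80, 0x08


def vxlan_gpo_header(vni, sgt):
    """8-byte VXLAN header with the Group Policy extension: G and I flags set,
    SGT in the 16-bit Group Policy ID field, VNI in the 24-bit VNI field."""
    if not 0 <= vni < 1 << 24 or not 0 <= sgt < 1 << 16:
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    return struct.pack("!BBHI", VXLAN_FLAG_G | VXLAN_FLAG_I, 0, sgt, vni << 8)


def parse_vxlan_gpo_header(hdr):
    """Return (vni, sgt). A header without the G bit carries no group
    context, so the source SGT degrades to 0 (Unknown)."""
    if len(hdr) != 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, _, policy_id, vni_rsvd = struct.unpack("!BBHI", hdr)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI not valid (I bit clear)")
    sgt = policy_id if flags & VXLAN_FLAG_G else 0
    return vni_rsvd >> 8, sgt


def lookup_binding(ip):
    """Longest-prefix match of the destination in the IP-SGT table -> (vn, sgt)."""
    addr = ip_address(ip)
    best = None
    for prefix, vn, sgt in BINDINGS:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, vn, sgt)
    return (best[1], best[2]) if best else (None, 0)


def egress_enforce(hdr, dst_ip):
    """What the egress node does after decapsulation: source SGT from the
    header, destination SGT from its local binding, then the matrix."""
    vni, src_sgt = parse_vxlan_gpo_header(hdr)
    dst_vn, dst_sgt = lookup_binding(dst_ip)
    if dst_vn is None:
        return "deny", "no binding for destination"
    if dst_vn != vni:
        # Macro segmentation: the destination lives in another VRF. No SGACL
        # cell can permit this; it has to go via the fusion router/firewall.
        return "deny", "VN mismatch: %#x vs %#x" % (vni, dst_vn)
    action = CONTRACTS.get((src_sgt, dst_sgt), DEFAULT_CONTRACT)
    return action, "SGACL %s -> %s" % (SGT_NAMES.get(src_sgt, src_sgt),
                                       SGT_NAMES.get(dst_sgt, dst_sgt))


def fabric_path(src_sgt, src_vn, dst_ip):
    """Ingress edge classifies and encapsulates; egress edge/border enforces."""
    return egress_enforce(vxlan_gpo_header(src_vn, src_sgt), dst_ip)


if __name__ == "__main__":
    for sgt, vn, dst in ((3, VN_USERS, "10.2.200.7"), (3, VN_USERS, "10.2.200.6"),
                         (3, VN_USERS, "172.16.10.5"), (12, VN_THINGS, "172.16.20.5")):
        print(SGT_NAMES[sgt], "->", dst, fabric_path(sgt, vn, dst))
```

Two of the deny paths are worth separating. The VN mismatch is refused before any SGACL is consulted, which is the macro-segmentation guarantee the earlier slides describe; Employee to Contractors falls through to the catch-all because no contract was written. A header whose G bit was lost in transit degrades the source to Unknown (0) and also lands on the catch-all, so a permissive catch-all would silently open every flow that lost its tag.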
SGT Outside the Fabric: Fusion Router
Figure: policy plane. Inside the fabric the SGT rides in VXLAN; between the border nodes (B) and the fusion router it is carried by SGT in-line tagging; the fusion router fronts the shared services / data center (APIC-EM, identity service, DHCP/DNS). Source group tags arrive with the packets; destination group tags the router either gets statically assigned or learns from ISE via SXP.
Static IP-to-SGT maps on the fusion router, as shown on the slide:
  cts role-based sgt-map 10.10.10.0/30 sgt 101
  cts role-based sgt-map 10.11.11.0/29 sgt 11111
  cts role-based sgt-map 172.168.1.0/28 sgt 65000
  cts role-based sgt-map 10.10.12.0/30 sgt 101
  cts role-based sgt-map 10.11.12.0/29 sgt 11111
  cts role-based sgt-map 172.168.12.0/28 sgt 65000
  cts role-based sgt-map 10.10.13.0/30 sgt 101
  cts role-based sgt-map 10.11.13.0/29 sgt 11111
  cts role-based sgt-map 172.168.13.0/28 sgt 65000
  cts role-based sgt-map 10.10.14.0/30 sgt 101
  cts role-based sgt-map 10.11.14.0/29 sgt 11111
  cts role-based sgt-map 172.168.14.0/28 sgt 65000
SGT Outside the Fabric: Firewall as Fusion Router
Figure: the same layout with a firewall in the fusion role. Inside the fabric the SGT rides in VXLAN, from the border nodes (B) to the firewall it travels by SGT in-line tagging, and the firewall learns the group tags from ISE over SXP/pxGrid; the shared services / data center (APIC-EM, identity service, DHCP/DNS) sit behind it.
SGT Outside the Fabric – Example: ASA Policy Configuration
• Security group definitions come from ISE
• A rule can combine a network object (host, range, network (subnet) or FQDN) AND / OR the SGT
• FirePOWER services can be triggered by SGT matches
To Sum it Up …
Key Take-Aways
Before SD-Access:
• VLAN and IP address based
• Numerous IP segments
• Create IP-based ACLs for access policy
• Deal with policy violations and errors manually
After SD-Access:
• No VLAN or subnet dependency for segmentation and access control
• One stretched subnet
• Define one consistent policy
• Policy follows identity
Figure: Group-Based Policy, policy follows identity, completely automated, drag policy to apply; users, devices and apps in an Employee Virtual Network, an IoT Virtual Network and a Guest Virtual Network, each holding groups (Group 1 to Group 6).
Simplifying Segmentation
Traditional Segmentation (security policy based on VLAN/topology):
Figure: access layer with Voice in VoiceVLAN, Employee in DataVLAN, Supplier in GuestVLAN, Non-Compliant in QuarantineVLAN, Cameras in CamerasVLAN and Lighting in LightingVLAN, through the aggregation layer to the enterprise backbone; every segment brings a VLAN, address, DHCP scope, redundancy, routing, static ACL and VACL, and the policy ends up as the same wall of generated access-list 102 entries shown on the Traditional Segmentation slide.
With SGT/VNs (automated security policy, works independently of VLANs/topology):
Figure: the same access layer, but Employee, Supplier and Non-Compliant are tags in the CAMPUS VN and Cameras and Lighting are tags in the Building Management VN; policy is expressed as intent and enforced at the DC firewall / switch in front of the DC servers.
• No VLAN change
• No topology change
• Central policy provisioning
• Micro/macro segmentation
Key Take-Aways
Cisco SD-Access Support: Digital Platforms for your Cisco Digital Network Architecture
• Switching: Catalyst 9200, 9300, 9400, 9500; Catalyst 3650 & 3850; Catalyst 4500E; Catalyst 6800; Nexus 7700
• Routing: ISR 4330, 4430, 4451; ASR-1000-X, ASR-1000-HX; ENCS 5400
• Wireless: Catalyst 9800; AIR-CT3504, AIR-CT5520, AIR-CT8540; Wave 2 APs (1800, 2800, 3800, 4800); Wave 1 APs* (1700, 2700, 3700)
• Extended: Catalyst 3560-CX; Cisco IE 4K/5K; Cisco Digital Building
(one platform on the slide is marked BETA)
nil.com ENABLING IT FOR BUSINESS