Network as a Sensor and Enforcer
BRKSEC-2026, Cisco Live 2016 ANZ (104 slides): d2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKSEC-2026.pdf

Matthew Robertson - Technical Marketing Engineer

Why are we here today?

Managing the Insider Threat

Insider Threats

About This Session: Building Security into the Network

The Cisco Network provides four building blocks:
• Security Group Tags (SGT)
• NetFlow
• Identity Services Engine (ISE)
• StealthWatch

THIS SESSION: bringing it all together.

Building Security into the Network: identify and control policy, behaviour and threats
• NetFlow: transactional data
• SGT: enforce group policy
• ISE: discover assets and direct policy
• StealthWatch: transactional visibility and intelligence
• Context sharing and dynamic response between the components

Agenda
• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network
  • Discover and Classify Assets
  • Design and Model Policy
  • Enforce Policy
• Active Monitoring
  • Policy
  • NBAD
• Rapid Threat Containment
• Summary

About Me: Your Master Builder for Today

Matt Robertson
• Security Technical Marketing Engineer
• Focused on Advanced Threat
• Author of 3 CVDs
• 8 years at Cisco: development, TME, Lancope
• Sorry, also Canadian

Agenda: Components of Network Visibility

Segmentation begins with visibility

You can’t protect what you can’t see: who is on the network and what are they up to?

ISE: Identifying the Who

Authentication (host supplied):
• User & Device Authentication
• MAC Authentication Bypass
• Web portal

Profile (collected):
• Infrastructure provided (DHCP, HTTP, etc.)
• Signature based

Result: an Authenticated Session Table with attributes per session.

NetFlow: Identifying the What

Example: host 10.2.2.2 (port 1024) on eth0/1 talking to server 10.1.1.1 (port 80) on eth0/2 produces two uni-directional records:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT   TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010  SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100   SYN,ACK,FIN


NetFlow = Transactional Visibility

Router# show flow monitor CYBER-MONITOR cache

IPV4 SOURCE ADDRESS: 192.168.100.100

IPV4 DESTINATION ADDRESS: 192.168.20.6

TRNS SOURCE PORT: 47321

TRNS DESTINATION PORT: 443

INTERFACE INPUT: Gi0/0/0

FLOW CTS SOURCE GROUP TAG: 100

FLOW CTS DESTINATION GROUP TAG: 1010

IP TOS: 0x00

IP PROTOCOL: 6

ipv4 next hop address: 192.168.20.6

tcp flags: 0x1A

interface output: Gi0/1.20

counter bytes: 1482

counter packets: 23

timestamp first: 12:33:53.358

timestamp last: 12:33:53.370

ip dscp: 0x00

ip ttl min: 127

ip ttl max: 127

application name: nbar secure-http

A single NetFlow Record provides a wealth of information

Components for NetFlow Security Monitoring

The Cisco Network exports NetFlow to:

UDP Director
• UDP packet copier
• Forwards to multiple collection systems

StealthWatch FlowSensor (VE)
• Generates NetFlow data
• Adds contextual fields (ex. App, URL, SRT, RTT)

StealthWatch FlowCollector
• Collects and analyses
• Up to 2000 sources
• Up to a sustained 240,000 fps

StealthWatch Management Console
• Management and reporting
• Up to 25 FlowCollectors
• Up to 6 million fps globally

Best Practice: centralise collection globally

NetFlow Collection: Flow Stitching

Uni-directional flow records (one per direction, as exported for 10.2.2.2 port 1024 on eth0/1 and 10.1.1.1 port 80 on eth0/2):

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100

Bi-directional conversation flow record (allows easy visualisation and analysis):

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Client SGT  Server SGT  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           100         1010        eth0/1, eth0/2

NetFlow Collection: De-duplication

Every exporter on the path (Sw1, Sw2, ASA and Sw3 between 10.2.2.2 port 1024 and 10.1.1.1 port 80) reports the same flow. The collector stores the conversation once and keeps each exporter/interface/direction observation (plus the firewall action) as the flow's path:

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  App   Client SGT  Server SGT
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           HTTP  100         1010

Exporter, Interface, Direction, Action:
  Sw1, eth0, in
  Sw1, eth1, out
  Sw2, eth0, in
  Sw2, eth1, out
  ASA, eth1, in
  ASA, eth0, out, Permitted
  ASA, eth0, in, Permitted
  ASA, eth1, out
  Sw3, eth1, in
  Sw3, eth0, out
  Sw1, eth1, in
  Sw1, eth0, out
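How a collector turns the per-exporter, per-direction records above into one conversation record with a path: the following Python is an added example written for this page, not StealthWatch's or Cisco's code. It assumes the lower port number identifies the server, keeps the largest counter per direction instead of summing the copies each exporter sends, and decodes the cumulative TCP flag mask (0x1A in the "show flow monitor" output earlier). The six sample records are constructed from the deck's 10.2.2.2/10.1.1.1 example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Bit values of the cumulative NetFlow "tcp flags" field, in display order.
TCP_FLAG_BITS = [("SYN", 0x02), ("ACK", 0x10), ("PSH", 0x08),
                 ("FIN", 0x01), ("RST", 0x04), ("URG", 0x20)]


def decode_tcp_flags(mask: int) -> str:
    """0x1A (as in the 'show flow monitor' output) -> 'SYN,ACK,PSH'."""
    return ",".join(name for name, bit in TCP_FLAG_BITS if mask & bit)


@dataclass(frozen=True)
class FlowRecord:
    """One uni-directional record from one exporter/interface."""
    exporter: str
    interface: str
    direction: str          # "in" or "out" on that interface
    start: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    bytes: int
    sgt: int                # source group tag carried in the packet
    dgt: int                # destination tag derived from destination IP
    tcp_flags: int
    action: str = ""        # firewalls (ASA NSEL) add Permitted/Denied


@dataclass
class Conversation:
    """Bi-directional (client/server) record, as a collector would store it."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    start: str = ""
    client_pkts: int = 0
    client_bytes: int = 0
    server_pkts: int = 0
    server_bytes: int = 0
    client_sgt: int = 0
    server_sgt: int = 0
    tcp_flags: int = 0
    path: List[str] = field(default_factory=list)   # exporter, interface, direction[, action]


def _orient(rec: FlowRecord) -> Tuple[Tuple, str]:
    """Return the conversation key (client side first) and which half this record is.
    Assumption: the lower port number is the service (80 < 1024 in the deck's
    example). A real collector also uses SYN direction and first-seen timestamps."""
    if rec.src_port < rec.dst_port:
        return (rec.dst_ip, rec.dst_port, rec.src_ip, rec.src_port, rec.proto), "server"
    return (rec.src_ip, rec.src_port, rec.dst_ip, rec.dst_port, rec.proto), "client"


def stitch(records: List[FlowRecord]) -> List[Conversation]:
    """Stitch both halves and de-duplicate the copies from every exporter on the path."""
    convs: Dict[Tuple, Conversation] = {}
    for rec in records:
        key, half = _orient(rec)
        conv = convs.setdefault(key, Conversation(*key))
        if half == "client":
            # De-duplication: each exporter reports the same counters, so keep the
            # largest instead of summing (an exporter with partial visibility reports less).
            conv.client_pkts = max(conv.client_pkts, rec.pkts)
            conv.client_bytes = max(conv.client_bytes, rec.bytes)
            conv.client_sgt, conv.server_sgt = rec.sgt or conv.client_sgt, rec.dgt or conv.server_sgt
        else:
            conv.server_pkts = max(conv.server_pkts, rec.pkts)
            conv.server_bytes = max(conv.server_bytes, rec.bytes)
            conv.server_sgt, conv.client_sgt = rec.sgt or conv.server_sgt, rec.dgt or conv.client_sgt
        conv.tcp_flags |= rec.tcp_flags                 # union of flags seen in both halves
        conv.start = min(conv.start, rec.start) if conv.start else rec.start
        hop = ", ".join(x for x in (rec.exporter, rec.interface, rec.direction, rec.action) if x)
        if hop not in conv.path:                       # record the path, once per hop
            conv.path.append(hop)
    return list(convs.values())


# Constructed sample: the deck's HTTP conversation as seen by Sw1, Sw2 and the ASA
# in both directions (six of the twelve observations on the slide).
_C = dict(start="10:20:12.221", src_ip="10.2.2.2", src_port=1024, dst_ip="10.1.1.1",
          dst_port=80, proto="TCP", pkts=5, bytes=1025, sgt=100, dgt=1010, tcp_flags=0x1A)
_S = dict(start="10:20:12.871", src_ip="10.1.1.1", src_port=80, dst_ip="10.2.2.2",
          dst_port=1024, proto="TCP", pkts=17, bytes=28712, sgt=1010, dgt=100, tcp_flags=0x13)
SAMPLE_RECORDS = [
    FlowRecord("Sw1", "eth0", "in", **_C),
    FlowRecord("Sw2", "eth0", "in", **_C),
    FlowRecord("ASA", "eth0", "out", action="Permitted", **_C),
    FlowRecord("ASA", "eth0", "in", action="Permitted", **_S),
    FlowRecord("Sw2", "eth1", "in", **_S),
    FlowRecord("Sw1", "eth1", "in", **_S),
]

if __name__ == "__main__":
    for c in stitch(SAMPLE_RECORDS):
        print(c.start, c.client_ip, c.client_port, "->", c.server_ip, c.server_port, c.proto,
              c.client_bytes, c.client_pkts, c.server_bytes, c.server_pkts,
              c.client_sgt, c.server_sgt, decode_tcp_flags(c.tcp_flags))
        print("  path:", " | ".join(c.path))
```

The six input records collapse to one conversation with the slide's counters, the SGT/DGT pair 100/1010, the flag union SYN,ACK,PSH,FIN and a six-hop path; summing instead of taking the maximum would have tripled the byte counts, which is exactly the error de-duplication exists to prevent.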

Adding Context and Situation Awareness

The conversational flow record (who, who, what, when, how, where) is enriched with context from other sources:
• NAT events
• Known Command & Control servers
• User identity
• Application
• Application & URL
• URL & username

• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention
• More context

Conversational Flow Record: Exporters

Path the flow is taking through the network

NetFlow Analysis with StealthWatch:

Identify additional Indicators of Compromise (IoC)

• Policy & Segmentation

• Network Behaviour & Anomaly Detection (NBAD)

Better understand / respond to an IOC:

• Audit trail of all host-to-host communication

Discovery

• Identify business critical applications and services across the network

Agenda: Discover and Classify Assets

ISE as a Telemetry Source

Cisco ISE sends its Authenticated Session Table events (device/user authentication, device profiling) by syslog to the StealthWatch Management Console, which:
• Maintains a historical session table
• Correlates NetFlow to username
• Builds user-centric reports

Configuration: Logging on ISE
1. Create a Remote Logging Target on ISE
2. Add the target to the Logging Categories

Required logging categories:
• Passed Authentications
• RADIUS Accounting
• Profiler
• Administrative and Operational Audit

Configuration: Add ISE to SMC
1. (Not shown) Create an admin user on ISE
2. (Not shown) Configure the ISE or CA certificate on the SMC
3. (Not shown) Configure the SMC or CA certificate on ISE
4. Add the Cisco ISE nodes to the SMC configuration

Order to add nodes:
1. Primary MnT
2. Secondary MnT
3. Any PSNs

StealthWatch-ISE Attribution Configuration

Lancope published:
• http://cs.co/StealthWatch_ISE_Attribution

Cisco published:
• http://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd1-0/design_guides/ctd_1-1_dig.pdf
• http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sea_ctd.pdf
• http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/threat-defense/guide_c07-728137.pdf

Follow these guides

Locate Services and Applications

Search for assets based on transactional data:

• Ex. Protocol (HTTP Servers, FTP Server, etc)

Identify servers

Locate Assets

Find hosts communicating on the network

• Pivot based on transactional data

Host Groups: Applied Situational Awareness

A host group is a virtual container of multiple IP addresses/ranges that have similar attributes (e.g. Lab servers).

Best Practice: classify all known IP addresses in one or more host groups.

Classify Assets with Host Groups
• User defined
• Model any process/application

Understand Behaviour: the complete list of all hosts communicating with HTTP servers: who, what, when, where, how.

Classify Applications: classify business critical applications.

Model Business Critical Processes: e.g. a PCI zone map giving the overall system profile and the inter-system relationships.

Simplifying Segmentation with TrustSec

Traditional segmentation: one VLAN per role (Voice, Data/Employee, Guest/Supplier, BYOD, Quarantine/Non-Compliant) carried from the access layer through the aggregation layer into the enterprise backbone. Each VLAN brings its own address space, DHCP scope, redundancy, routing, static ACLs and VACLs: security policy based on topology, high cost and complex maintenance.

TrustSec: use the existing topology and automate security policy to reduce OpEx. ISE assigns an Employee, Supplier or Non-Compliant tag to the session, and the DC firewall/switch in front of the DC servers enforces policy on the tag.
• No VLAN change
• No topology change
• Central policy provisioning
• Micro/macro segmentation

Network Segmentation with TrustSec

Example: username johnd, group Store Managers, location Store Office, time Business Hour => Security Group: Manager. Enforcement on switches, routers, firewalls, DC switches and hypervisor switches then decides whether the session reaches the resource ("authorised personnel only").

Segmentation based on roles
• Not based on IP addresses, VLANs etc.

Role based on context
• AD, LDAP attributes, device type, location, time, access methods, etc.

Use tagging technology
• To represent a logical group (classification)
• To enforce policy on switches, routers, firewalls

Software defined
• Policy managed centrally
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network dynamically

What TrustSec Provides
• Software defined network segmentation
• Context-based data access
• Agile security policy changes and simpler management
• Context-based service chaining

TrustSec Functions
• Classification: static, dynamic
• Propagation: inline tagging, SXP
• Enforcement: SGACL, SG-FW, WSA

Example tags: 5 Employee, 6 Supplier, 8 Suspicious. Host A (SGT 8) sends to host B (SGT 5); enforcement is applied to the (8, 5) source/destination pair.

TrustSec in Action: Classification -> Propagation -> Enforcement, from the user across the network to the application servers and database servers.

Cisco TrustSec Segmentation (DC server groups Suppliers, Employee and Non-Compliant; campus Voice and Data VLANs carrying Suppliers, Employee and Non-Compliant users across the enterprise backbone)
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic

Campus Segmentation (filtered access between Supplier, Employee and Non-Compliant hosts that share the same Voice/Data VLANs)
• Segmented traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)
• Micro-segmentation with a single policy (segment devices even in the same VLAN)

Agenda: Design and Model Policy

Starting a TrustSec Design

1. Discuss assets to protect. Example: cardholder data, medical records, intellectual data.
2. Classification mechanisms. Example: dynamic, static, etc.
3. Policy enforcement points:
• DC segmentation (DC virtual/physical switches or virtual/physical firewalls)
• User to DC access control (identify capable switches or firewalls in the path)
4. Propagation methods: inline tagging, SXP, DM-VPN, GET-VPN, IPsec, OTP, etc.

Security Group Initial Considerations

• Unlike traditional segmentation/access control…

• Adding dynamically assigned groups later with TrustSec should be easy

• No configuration impact on infrastructure

• Keep groups as simple as possible whilst still meeting policy requirements

• Should not be necessary to transfer complexity, e.g. extensive AD groups, into Security Groups

• Consider whether all roles need a tag assigned

• Remember that group membership may change

How to Tag Users / Devices?

• TrustSec decouples network topology and security policy to simplify access control and segmentation
• The classification process groups network resources into Security Groups

Classification methods by platform:
• ISE (user/device/location at the Cisco access layer, campus and VPN access): 802.1X, MAB, Web Authentication, Profiling
• NX-OS / CIAC / Hypervisors (data centre / virtualisation): Port Profile, Port-SGT, IP-SGT, VLAN-SGT
• IOS / Routing (non-Cisco and legacy environments, business partner and supplier access controls): IPv4 Prefix Learning, IPv6 Prefix Learning, IPv6 Prefix-SGT, IPv4 Subnet-SGT, Address Pool-SGT

Identify Where SGTs Need to be Assigned
• Campus Access (switches, WLC): dynamic classification
• Distribution: VLAN-SGT mapping
• Core / DC Core (firewall, enterprise backbone): SVI (L3 interface) to SGT
• DC Dist/Access: L2 port to SGT, Subnet-SGT
• Hypervisor switch: VM (port profile) to SGT

Enabling Classifications

• If per-user authorisation is not in place

• Enabling VLAN, subnet and L3 interface mappings can provide coarse classification initially

• Per-user authorisation and SXP can then ‘override’ static classification

• Many systems may get ‘Unknown SGT’ assignments initially

• Focus on the explicit classifications needed to meet policy

• Keeping classifications simple can mean days not weeks to enable

Deployment Approach

Catalyst® switches / WLC (Monitor Mode)
• Users connect to the network; Monitor Mode allows traffic regardless of authentication
• Authentication can be performed passively, resulting in SGT assignments

Enterprise network
• Classified traffic traverses the network, allowing monitoring and validation that:
  • Assets are correctly classified
  • Traffic flows to assets are as predicted/expected

Monitor Mode policy matrix (everything permitted, so tagging can be observed before anything is dropped):

SRC \ DST         PCI Server (2000)  Prod Server (1000)  Dev Server (1010)
Employees (100)   Permit all         Permit all          Permit all
PCI User (105)    Permit all         Permit all          Permit all
Unknown (0)       Permit all         Permit all          Permit all

Configuring Inline Tagging

interface TenGigabitEthernet1/5

cts manual

policy static sgt 2 trusted

C6K2T-CORE-1#sho cts interface brief

Global Dot1x feature is Enabled

Interface GigabitEthernet1/1:

CTS is enabled, mode: MANUAL

IFC state: OPEN

Authentication Status: NOT APPLICABLE

Peer identity: "unknown"

Peer's advertised capabilities: ""

Authorization Status: SUCCEEDED

Peer SGT: 2:device_sgt

Peer SGT assignment: Trusted

SAP Status: NOT APPLICABLE

Propagate SGT: Enabled

Cache Info:

Expiration : N/A

Cache applied to link : NONE

L3 IPM: disabled.

Always “shut” and “no shut” interfaces after any cts manual or cts dot1x change

‘cts manual’ config for inline tagging generally used

‘cts dot1x’ alternative depends on AAA reachability - unless new ‘critical auth’ feature used & timers set carefully

Creating The Policy Matrix: Source Group x Destination Group -> Action

• How do I know my policy works?
• How do I decide what protocols?
• How do I know if I am tagging?

I can help here

SGT in NetFlow Fields
• Source Tag: retrieved from the packet
• Destination Tag: derived based on destination IP address
• Switch Derived Source Tag (Catalyst 4K only): value applied to the packet on egress
• SGT Table (Catalyst 6K only): export in the NetFlow template data tables mapping Security Group Tags to Security Group Names
• SGACL Drop Record (Catalyst 6K only): generate a flow record on an SGACL drop

SGT-NetFlow Device List

Device                              First Release                   Source Tag     Destination Tag  Switch-Derived SGT  SGT Table  SGACL Drop Record
Catalyst 6500 (Sup2T)               IOS 15.1(1)SY1                  Yes (match)    Yes (match)      No                  Yes        Yes (dedicated monitor)
ISR, ASR, CSR                       IOS XE 3.13S                    Yes            Yes              No                  No         No
Catalyst 3850, 3650                 IOS XE 3.7.1E / IOS XE 3.6.3E*  Yes (match)    Yes (match)      No                  No         No
Catalyst 4500 (Sup 7-E, 7L-E, 8-E)  IOS XE 3.7.1E / IOS XE 3.6.3E*  Yes (collect)  Yes (collect)    Yes                 No         No
ASA                                 9.1.3                           No             No               No                  No         NSEL Record
StealthWatch FlowSensor             6.8                             Yes            No               No                  No         No

Considerations: 3850

!
flow monitor cts-cyber-monitor-in
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-in
!
flow monitor cts-cyber-monitor-out
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-out
!
interface GigabitEthernet1/0/1
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!
vlan configuration 100
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!

Ingress monitor:
• Source Tag sources: derived from the packet header
• DGT sources: derived based on destination IP lookup
• SGACL enforcement must be enabled
• Trunk link only

Egress monitor:
• Source Tag sources: incoming packet header, port-configured SGT, IP to SGT mapping
• Destination Tag sources: derived based on destination IP lookup
• Requires SGACL enforcement to be enabled
• Trunk link only

Considerations: 3850

!
flow record cts-cyber-3k-in
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow record cts-cyber-3k-out
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!

Considerations: 4500 Sup 7-E, 7L-E, 8-E

• Source Tag: packet header; maximum 12K distinct source IPs
• Destination Tag: derived based on destination IP
• Switch Derived Source Tag: the SGT the switch enforces on the packet after policy acquisition (SGT in the packet, SGT lookup on source IP, or port SGT lookup); this is the SGT on the packet at egress

!
flow record cts-cyber-4k
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect flow cts source group-tag
 collect flow cts destination group-tag
 collect flow cts switch derived-sgt
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

Considerations: 6500 Sup 2T

!
flow record cts-cyber-6k
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow cts source group-tag
 match flow cts destination group-tag
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

• TrustSec data table: export the SGT-SGN mapping in the NetFlow template
• SGACL Drop: flow record generated on a drop; requires a dedicated Flow Monitor
• Source Tag: packet header, IP-SGT lookup
• Destination Tag: derived based on destination IP lookup

http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/appc_cat6k.html

Considerations: 6500 Sup2T

SGACL Drop config (exporter plus the dedicated monitor bound to dropped role-based traffic):

!
flow exporter ise
 destination 10.1.100.3
 source TenGigabitEthernet2/1
 transport udp 9993
 option cts-sgt-table timeout 10
!
flow monitor FNF_SGACL_DROP
 exporter ise
 record cts-record-ipv4
!
cts role-based ip flow monitor FNF_SGACL_DROP dropped
!

Exporter and monitor for regular flow export (the cts-sgt-table option ships the tag-to-name table with the template):

!
flow exporter CYBER_EXPORTER
 destination 10.1.100.230
 source TenGigabitEthernet2/1
 transport udp 2055
 option cts-sgt-table timeout 10
!
flow monitor CYBER_MONITOR
 exporter CYBER_EXPORTER
 cache timeout active 60
 record cts-cyber-6k
!

Considerations: ISR, ASR, CSR

!

flow record cts-cyber-ipv4

match ipv4 protocol

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

match interface input

match flow direction

match flow cts source group-tag

match flow cts destination group-tag

collect routing next-hop address ipv4

collect ipv4 dscp

collect ipv4 ttl minimum

collect ipv4 ttl maximum

collect transport tcp flags

collect interface output

collect counter bytes

collect counter packets

collect timestamp sys-uptime first

collect timestamp sys-uptime last

collect application name

!

• Source Tag: packet header, IP-SGT lookup
• Destination Tag: destination IP lookup

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/cts-fnf.pdf

Modeling Policy in StealthWatch

Custom event: trigger on a traffic condition defined by source tag and destination tag, in both directions, for successful or unsuccessful connections, with a rule name and description.

Create flow-based rules for all proposed policy elements. A Policy Violation alarm will trigger if the condition is met, simulating the proposed drop without enforcing it.

Modeling Policy: Alarm Occurrence
• Alarm dashboard showing all Policy alarms
• Details of the “Employee to Production Servers” alarm occurrences

Modeled Policy: Flow Details
The flow record gives who, who, what, when, how and where, plus the source tag and destination tag. Is this communication permissible? Yes: tune the policy. No: respond.
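Modeling a proposed matrix against observed conversations before anything is enforced, with the SGACL syntax from the ISE 2.0 slide later in the deck: an added example for this page, not StealthWatch or ISE code. The SG names, the sample flows and the tuned-cell step are constructed; the SGACL parser only understands the "permit|deny ip" and "permit|deny tcp|udp dst eq <port>" forms that appear in the deck, and it evaluates the client-to-server direction only (on a switch the return traffic hits the reverse cell, so that cell must permit it too).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security groups from the deck's monitor-mode and enforcement matrices (names assumed).
SG_NAMES = {100: "Employees", 105: "PCI_User", 0: "Unknown",
            2000: "PCI_Server", 1000: "Prod_Server", 1010: "Dev_Server"}

# Proposed cells; anything not listed falls through to the deployment-time default.
PROPOSED_POLICY: Dict[Tuple[int, int], str] = {
    (100, 2000): "deny ip", (100, 1000): "deny ip", (100, 1010): "deny ip",
    (105, 2000): "permit ip", (105, 1000): "permit ip", (105, 1010): "deny ip",
    (0, 2000): "deny ip", (0, 1000): "deny ip", (0, 1010): "deny ip",
}

# SGACL_1 as written on the ISE 2.0 slide.
SGACL_1 = """permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip"""

Rule = Tuple[str, str, Optional[int]]   # (action, protocol, destination port or None)


@dataclass(frozen=True)
class Flow:
    """Client->server summary with the tags NetFlow carries: SGT from the packet,
    DGT derived from the destination IP."""
    client_ip: str
    server_ip: str
    proto: str          # "tcp", "udp", "icmp"
    server_port: int
    client_sgt: int
    server_sgt: int


def parse_sgacl(text: str) -> List[Rule]:
    """Parse the SGACL forms used in the deck: 'permit|deny ip' and
    'permit|deny tcp|udp dst eq <port>'."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported SGACL line: {line!r}")
        port = int(parts[4]) if len(parts) == 5 and parts[2:4] == ["dst", "eq"] else None
        rules.append((action, proto, port))
    return rules


def sgacl_verdict(rules: List[Rule], flow: Flow) -> str:
    """First match wins with an implicit deny at the end, like the switch's SGACL
    evaluation. Client->server direction only (see the lead-in about return traffic)."""
    for action, proto, port in rules:
        if proto == "ip" or (proto == flow.proto and port in (None, flow.server_port)):
            return action
    return "deny"


def simulate(policy: Dict[Tuple[int, int], str], flows: List[Flow],
             default: str = "permit ip") -> List[str]:
    """Monitor-mode step: one Policy Violation per flow the proposed matrix would
    drop. Nothing is enforced; the default cell stays permit during deployment."""
    alarms = []
    for f in flows:
        cell = policy.get((f.client_sgt, f.server_sgt), default)
        if sgacl_verdict(parse_sgacl(cell), f) == "deny":
            src = SG_NAMES.get(f.client_sgt, str(f.client_sgt))
            dst = SG_NAMES.get(f.server_sgt, str(f.server_sgt))
            alarms.append(f"Policy Violation: {src}({f.client_sgt}) {f.client_ip} -> "
                          f"{dst}({f.server_sgt}) {f.server_ip} {f.proto}/{f.server_port}")
    return alarms


def tuned(policy: Dict[Tuple[int, int], str], src: int, dst: int, sgacl: str):
    """The 'Tune' branch of the slide: replace one cell once the traffic is judged legitimate."""
    return {**policy, (src, dst): sgacl}


# Constructed conversations; not captured data.
SAMPLE_FLOWS = [
    Flow("10.2.2.2", "10.1.1.1", "tcp", 80, 100, 1000),     # Employee web to Prod
    Flow("10.2.2.3", "10.1.1.1", "tcp", 445, 100, 1000),    # Employee SMB to Prod
    Flow("10.3.3.3", "10.1.2.1", "tcp", 443, 105, 2000),    # PCI user to PCI server
    Flow("10.3.3.3", "10.1.3.1", "tcp", 22, 105, 1010),     # PCI user SSH to Dev
    Flow("10.9.9.9", "10.1.3.1", "tcp", 8080, 0, 1010),     # untagged host to Dev
    Flow("10.2.2.2", "10.2.2.9", "tcp", 445, 100, 100),     # Employee to Employee (default cell)
]

if __name__ == "__main__":
    print("\n".join(simulate(PROPOSED_POLICY, SAMPLE_FLOWS)))
    print("--- after tuning Employees -> Prod_Server to SGACL_1 ---")
    print("\n".join(simulate(tuned(PROPOSED_POLICY, 100, 1000, SGACL_1), SAMPLE_FLOWS)))
```

The first run raises four violations; after the Employees -> Prod_Server cell is tuned to SGACL_1 the web flow is permitted and only the SMB flow from that group still alarms, which is the kind of answer the "how do I decide what protocols?" question needs before the matrix is pushed to the switches.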

Agenda: Enforce Policy

Enabling Enforcement
• Enforcement may be enabled gradually, on a per destination security group basis
• Initially use SGACLs with deny logging enabled (remove log later if not required)
• Keep the default policy as permit and allow ‘unknown SGT’ traffic during deployment

The Catalyst® switches / WLC stay in Monitor Mode; ISE pushes the matrix to the DC switch in front of the PCI, Production and Development servers:

SRC \ DST         PCI Server (2000)  Prod Server (1000)  Dev Server (1010)
Employees (100)   Deny all           Deny all            Deny all
PCI User (105)    Permit all         Permit all          Deny all
Unknown (0)       Deny all           Deny all            Deny all

Centralised SGACL Management in ISE

Applying SGACL Policies in ISE (tree view)

Applying SGACLs (ISE 2.0): SGACL_1
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip

SGACL Downloads
• New servers provisioned, e.g. Prod Server & Dev Server roles
• DC switches request policies for the assets they protect
• Policies downloaded & applied dynamically
• What this means:
  • All controls centrally managed
  • Security policies de-coupled from the network
  • No switch-specific security configs needed
  • Wire-rate policy enforcement
  • One place to audit network-wide policies

Example: Prod_Server (SGT=7) and Dev_Server (SGT=10) sit behind an SGACL enforcement switch; users arrive tagged SGT 3, 4 or 5. Switches request policies for the assets they protect and pull down only the policies they need.

Enabling Policy Enforcement in Switches
• After setting up SGT/SGACL in ISE, you can now enable SGACL enforcement on network devices
• Devices need to be defined in ISE and provisioned to talk to ISE (omitted from these slides for brevity)
• If switches have SGT assignments they will download policy for the assets they are protecting

Enabling SGACL enforcement globally and for a VLAN:
Switch(config)#cts role-based enforcement
Switch(config)#cts role-based enforcement vlan-list 40

As an example, defining IP to SGT mappings for servers on a switch:
Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5
Switch(config)#cts role-based sgt-map 10.1.40.20 sgt 6
Switch(config)#cts role-based sgt-map 10.1.40.30 sgt 7

Policy Enforcement on Firewalls: ASA SG-FW
• Rules can still use a network object (host, range, network/subnet or FQDN) and/or the SGT
• Switches inform the ASA of Security Group membership
• Security Group definitions come from ISE
• Trigger FirePOWER Services by SGT policies

Agenda: Active Monitoring

Active Monitoring

Segmentation Monitoring in StealthWatch
The same custom events used for modeling (trigger on a traffic condition between a source tag and a destination tag, in both directions, successful or unsuccessful, with a rule name and description) now monitor the enforced policy; the alarm dashboard shows all Policy alarms.

PCI Zone Map: define the communication policy between zones and monitor for violations.

StealthWatch NBAD Model
• Algorithm: track and/or measure behaviour/activity
• Security Event: suspicious behaviour observed or anomaly detected
• Alarm: notification of the security event generated

Alarm Categories: each category accrues points. Example alarm category: Concern Index, which tracks hosts that appear to be compromising network integrity. Security events: over 90 different algorithms.

StealthWatch: Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour or established policies
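The algorithm -> security event -> alarm chain with category points, as a toy written for this page (not StealthWatch's algorithms or weights): two algorithms run over constructed conversation records, each emitting events whose points accrue into a per-host Concern Index, and a High Concern Index alarm fires when a host crosses the threshold. The probe signature, the per-host baseline, the point values and the threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Conv:
    """Conversation record as a collector stores it (client/server already stitched)."""
    client: str
    server: str
    server_port: int
    client_bytes: int
    server_bytes: int
    client_pkts: int


# (category, host, points): every security event adds points to the host's
# Concern Index. Point values are assumed for the example, not StealthWatch's.
Event = Tuple[str, str, int]


def scan_events(convs: List[Conv], min_targets: int = 10) -> List[Event]:
    """Algorithm 1 (address scan): a host probing many distinct server:port pairs
    with one or two packets and no reply. Points grow with the number of targets."""
    targets: Dict[str, set] = defaultdict(set)
    for c in convs:
        if c.client_pkts <= 2 and c.server_bytes == 0:       # assumed probe signature
            targets[c.client].add((c.server, c.server_port))
    return [("Addr_Scan", host, 2 * len(t))
            for host, t in targets.items() if len(t) >= min_targets]


def hoarding_events(convs: List[Conv], baseline: Dict[str, int],
                    factor: int = 5) -> List[Event]:
    """Algorithm 2 (suspect data hoarding): a host pulling more than `factor` times
    its baseline volume from servers within the observation window."""
    pulled: Dict[str, int] = defaultdict(int)
    for c in convs:
        pulled[c.client] += c.server_bytes
    return [("Suspect_Data_Hoarding", host, 20)
            for host, total in pulled.items()
            if total > factor * baseline.get(host, 1_000_000)]   # 1 MB default baseline


def concern_index(events: List[Event]) -> Dict[str, int]:
    """Accrue points per host across all categories."""
    ci: Dict[str, int] = defaultdict(int)
    for _, host, points in events:
        ci[host] += points
    return dict(ci)


def high_concern_alarms(convs: List[Conv], baseline: Dict[str, int],
                        threshold: int = 40) -> List[str]:
    """Alarm when a host's accrued Concern Index reaches the threshold."""
    events = scan_events(convs) + hoarding_events(convs, baseline)
    ci = concern_index(events)
    alarms = []
    for host in sorted(ci):
        if ci[host] >= threshold:
            reasons = sorted({kind for kind, h, _ in events if h == host})
            alarms.append(f"High Concern Index: {host} ({ci[host]} points): {', '.join(reasons)}")
    return alarms


def sample_convs() -> List[Conv]:
    """Constructed observation window; not captured data."""
    convs = [Conv("10.2.2.50", f"10.1.1.{i}", 445, 60, 0, 1) for i in range(1, 26)]   # 25 probes
    convs += [Conv("10.2.2.51", f"10.1.1.{i}", 22, 60, 0, 1) for i in range(1, 13)]   # 12 probes
    convs.append(Conv("10.2.2.51", "10.1.1.100", 445, 20_000, 30_000_000, 300))     # 30 MB pulled
    convs.append(Conv("10.2.2.52", "10.1.1.100", 445, 5_000, 8_000_000, 100))       # 8 MB pulled
    convs.append(Conv("10.2.2.53", "10.1.1.1", 80, 1025, 28712, 5))                  # the deck's web flow
    return convs


BASELINE = {h: 1_000_000 for h in ("10.2.2.50", "10.2.2.51", "10.2.2.52", "10.2.2.53")}

if __name__ == "__main__":
    for line in high_concern_alarms(sample_convs(), BASELINE):
        print(line)
```

10.2.2.50 alarms on the scan alone (50 points); 10.2.2.51 alarms only because a modest scan (24 points) and a hoarding event (20 points) accrue in the same index, which is the point of category scoring; 10.2.2.52, hoarding alone, stays below the threshold and would surface in the category view rather than as an alarm.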

Agenda: Rapid Threat Containment

Rapid Threat Containment: Managing the Threat
• Quarantine from StealthWatch
• ANC Quarantine in the ISE Live Log: Security Group assignment and EPSStatus check

WAIT! How did this dark magic happen?

Adaptive Network Control (ANC): an extension of the endpoint monitoring and controlling capabilities
• Endpoint control based on IP or MAC address
• Three actions: Quarantine, Unquarantine, Shutdown wired access ports
• Enables a change of the authorisation state through administrative action, without modification of the overall authorisation policy
• Supported in both wired and wireless environments

ANC Quarantine Flow (PAN, MnT, PSN)
1. Endpoint is connected
2. StealthWatch issues the quarantine instruction to the PAN
3. PAN issues the quarantine instruction to the MnT
4. MnT instructs the PSN to invoke a CoA
5. Endpoint is disconnected through CoA
6. Endpoint reconnects and authenticates
7. RADIUS request
8. Quarantine check
9. Quarantine profile applied

Configuring ANC on ISE 2.0
1. Enable ANC (EPS): enabled by default on ISE 2.0
2. Create a Quarantine authorisation profile or Security Group
3. Create a Quarantine Authorisation Policy
4. Manually quarantine or unquarantine, based on IP or MAC address

Best Practice: an Exception Authorisation Policy that matches the EPSStatus session attribute, assigns the SGT Suspicous_Investigate and permits access.

Configuration of RTC with StealthWatch and ISE
1. Enable pxGrid
2. Provision the pxGrid server certificate
3. Provision the pxGrid client certificate
4. Configure the pxGrid node connection
5. Assign the SMC to the EPS Group in the pxGrid node
6. Configure the pxGrid node connection

Configuration of RTC with StealthWatch and ISE

Lancope published:
• http://cs.co/StealthWatch_ISE_Remediation

Cisco published:
• http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-101-Deploying_Lancope_StealthWatch_with_pxGrid.pdf

Follow these guides

So now what?

Suspicous_Investigate Egress Policy: create an egress policy for the suspicious Security Group.

SGACL: create a meaningful SGACL for suspicious hosts:
• Restrict applications and services
• Block access to Business Critical Processes
• Prevent access to Intellectual Property

SGT Based Policy Based Routing

route-map native_demo permit 10
 match security-group source tag Employee
 match security-group destination tag Critical_Asset
 set interface Tunnel1
!
route-map native_demo permit 20
 match security-group source tag Suspicious
 match security-group destination tag Critical_Asset
 set interface Tunnel2
!
route-map native_demo permit 30
 match security-group source tag Guest
 set vrf Guest

Topology: User A (Employee), User B (Suspicious) and User C (Guest) on Network A reach a router/firewall at the edge of the enterprise WAN. Employee traffic to Critical_Asset is sent over Tunnel1, Suspicious traffic over Tunnel2 towards the inspection router (policy-based routing based on SGT), and Guest traffic is placed in VRF-GUEST (SGT-based VRF selection).

Available today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA 5500-X (9.5.1)

FirePOWER Services Redirect: create a service policy to forward suspicious traffic to FirePOWER Services

Agenda: Summary

Related Sessions:
• TECSEC-2666 – TrustSec / NGFW and NGIPS: Tuesday, March 8, 9:00 AM - 6:00 PM
• BRKSEC-2690 – Deploying Security Group Tags: Kevin Regan, Wednesday, March 9, 4:30 PM – 6:00 PM
• BRKSEC-3690 – Advanced Security Group Tags: Kevin Regan, Friday, March 8, 8:45 AM – 10:45 AM
• BRKCRS-2891 – Enterprise Network Segmentation (with Cisco TrustSec): Hari Holla, Wednesday, March 9, 4:30-6:00 PM
• BRKSEC-2653 – Cyber Range: Paul Qiu, Wednesday, March 9, 4:30 PM – 6:00 PM
• BRKSEC-2044 – Building an Enterprise Access Control Architecture using ISE and TrustSec: Hosuk Won, Thursday, March 8, 8:30 AM – 10:30 AM

Call to Action: visit the World of Solutions for:
• Security Zone: Identity Services Engine; Cisco Cyber Threat Defence Solution
• Enterprise Networking Zone: Network as a Sensor / Enforcer

Meet The Expert: Matt Robertson, Thursday 12-2 pm

More Reading:
• http://www.cisco.com/go/stealthwatch
• http://www.cisco.com/go/trustsec
• http://www.cisco.com/go/ctd

Complete Your Online Session Evaluation: from the Cisco Live Mobile App, the Cisco Live Mobile Site (http://showcase.genie-connect.com/ciscolivemelbourne2016/) or any Cisco Live Internet Station at the venue. The Overall Event Survey plus 5 Session Evaluations earn a Cisco 2016 T-Shirt, collected Friday 11 March at Registration.

Learn online with Cisco Live! Visit www.CiscoLiveAPAC.com after the conference for full access to session videos and presentations.

Key Takeaways

NetFlow and Lancope StealthWatch provide visibility and intelligence

TrustSec is used to dynamically (micro)segment the network

The network is a key asset for threat detection and control

Q & A

Thank you