Network as a Sensor and Enforcer
About This Session: Building Security into the Network
The Cisco Network
The Cisco Network
Security Group Tags
NetFlow
Identity Services Engine
StealthWatch
THIS SESSION:
Bringing it all together
Building Security into the Network
Identify and control policy, behaviour and threats
NetFlow
: Transactional data
SGT
: Enforce Group Policy
ISE
: Discover assets
& direct policy
StealthWatch
:
Transactional visibility
& intelligence
Context sharing and
dynamic response
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmenting the
Network
Active
Monitoring
Discover and Classify Assets Enforce PolicySummary
Policy NBAD Design and Model PolicyRapid Threat
Containment
About Me: Your Master Builder for Today
Matt Robertson
• Security Technical Marketing Engineer
• Focused on Advanced Threat
• Author of 3 CVDs
• 8 years at Cisco: development, TME, Lancope
• Sorry, also Canadian
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmentation begins with visibility
You can’t protect
what you can’t see
Who
is on the network
ISE: Identifying the Who
Authentication (host supplied):
• User & Device Authentication • MAC Authentication bypass • Web portal
Profile (collected):
• Infrastructure provided • (DHCP, HTTP, etc) • Signature based
Authenticated Session Table
NetFlow: Identifying the what
10.2.2.2 port 1024 10.1.1.1port 80 e th 0 /1 e th 0 /2Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100 SYN,ACK,FIN
Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH
NetFlow = Transactional Visibility
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100 IPV4 DESTINATION ADDRESS: 192.168.20.6 TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443 INTERFACE INPUT: Gi0/0/0
FLOW CTS SOURCE GROUP TAG: 100 FLOW CTS DESTINATION GROUP TAG: 1010 IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6 tcp flags: 0x1A
interface output: Gi0/1.20 counter bytes: 1482 counter packets: 23 timestamp first: 12:33:53.358 timestamp last: 12:33:53.370 ip dscp: 0x00 ip ttl min: 127 ip ttl max: 127
application name: nbar secure-http
…
Components for NetFlow Security Monitoring
Cisco Network
UDP Director• UDP Packet copier • Forward to multiple
collection systems
NetFlow
StealthWatch FlowSensor (VE)
• Generate NetFlow data • Additional contextual fields
(ex. App, URL, SRT, RTT)
StealthWatch FlowCollector
• Collect and analyse • Up to 2000 sources
• Up to sustained 240,000 fps
StealthWatch Management Console
• Management and reporting • Up to 25 FlowCollectors • Up 6 million fps globally
Best Practice: Centralise
NetFlow Collection: Flow Stitching
10.2.2.2 port 1024 10.1.1.1port 80 e th 0 /1 e th 0 /2Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Client SGT Server SGT Interfaces 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 100 1010 eth0/1 eth0/2
Uni-directional flow records
Bi-directional:
• Conversation flow record
• Allows easy visualisation and analysis Start Time Interface Src IP Src
Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100
NetFlow Collection: De-duplication
Start Time Client IP Client Port Server IP Server Port Prot o Client Bytes Client Pkts Server Bytes Server Pkts App Client SGT Server SGT Exporter, Interface, Direction, Action 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 HTTP 100 1010 Sw1, eth0, in Sw1, eth1, out Sw2, eth0, in Sw2, eth1, out ASA, eth1, in
ASA, eth0, out, Permitted ASA eth0, in, Permitted ASA, eth1, out
Sw3, eth1, in Sw3, eth0, out Sw1, eth1, in Sw1, eth0, out 10.2.2.2 port 1024 10.1.1.1 port 80 Sw1 Sw2 Sw3 ASA
Adding Context and Situation Awareness
NAT Events
Known Command & Control Servers
User Identity Application Application & URL URL & Username
Conversational Flow Record
Who
Who
What
When
How
Where
• Highly scalable (enterprise class) collection • High compression => long term storage
• Months of data retention
Conversational Flow Record: Exporters
NetFlow Analysis with StealthWatch:
Identify additional Indicators of Compromise (IoC)
•
Policy & Segmentation
•
Network Behaviour & Anomaly Detection (NBAD)
Better understand / respond to an IOC:
•
Audit trail of all host-to-host communication
Discovery
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmenting the
Network
Discover and Classify AssetsISE as a Telemetry Source
Authenticated Session Table
Cisco ISE
• Maintain historical session table • Correlate NetFlow to username • Build User-centric reports
StealthWatch Management Console syslog • Device/User Authentication • Device Profiling
Configuration: Logging on ISE
1. Create Remote Logging Target on ISE
2. Add Target to Logging Categories
1
2
Required Logging categories: • Passed Authentications • RADIUS Accounting • Profiler
Configuration: Add ISE to SMC
1. (Not Shown) Create Admin User on ISE
2. (Not Shown) Configure ISE or CA certificate on SMC
3. (Not Shown) Configure SMC or CA certificate on ISE
4. Add Cisco ISE nodes to SMC Configuration
Order to add nodes:
1. Primary MnT 2. Secondary MnT 3. Any PSN’s
StealthWatch-ISE Attribution Configuration
Lancope published:
• http://cs.co/StealthWatch_ISE_AttributionCisco published:
• http://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd1-0/design_guides/ctd_1-1_dig.pdf • http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sea_ctd.pdf • http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/threat-defense/guide_c07-728137.pdfLocate Services and Applications
Search for assets based on transactional data: • Ex. Protocol (HTTP Servers, FTP Server, etc)
Locate Assets
Find hosts communicating on the network • Pivot based on transactional data
Host Groups: Applied Situational Awareness
Virtual container of multiple IP Addresses/ranges that
have similar attributes
Lab servers
Best Practice: classify all
known IP Addresses in one or more host groups
Classify Assets with Host Groups
• User defined
Understand Behaviour
List of all hosts communicating
with HTTP Servers
Understand Behaviour
Complete list of all hosts
communicating with HTTP Servers:
who, what, when, where, how
Model Business Critical Processes
PCI Zone Map
Overall system profile
Simplifying Segmentation with TrustSec
Access Layer Enterprise Backbone Voice VLAN Voice Data VLAN Employee Aggregation Layer Supplier Guest VLAN BYOD BYOD VLAN Non-Compliant Quarantine VLAN VLAN Address DHCP Scope Redundancy Routing Static ACL VACLSecurity Policy based on Topology High cost and complex maintenance
Voice VLAN
Voice
Data VLAN
Employee Supplier BYOD
Non-Compliant
Use existing topology and automate security policy to reduce OpEx
ISE
No VLAN Change No Topology Change Central Policy Provisioning Micro/Macro Segmentation Employee Tag Supplier Tag Non-Compliant Tag Access Layer Enterprise Backbone DC Firewall / Switch DC Servers Policy TrustSec Traditional Segmentation
Network Segmentation with TrustSec
Username: johnd Group: Store Managers
Location: Store Office Time: Business Hour
Security Group: Manager
Enforcement AUTHORISED PERSONNEL ONLY Switches Routers Firewall DC Switch Hypervisor SW Resource Segmentation based on roles
• Not based on IP addresses, VLANs etc
Role based on context
• AD, LDAP attributes, device type, location, time, access methods, etc…
Use Tagging technology
• To represent logical group (Classification)
• To enforce policy on switches, routers, firewalls
Software Defined
• Policy managed centrally
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network dynamically
What TrustSec Provides
Software defined Network Segmentation Context-based Data AccessAgile Security Policy Changes and
Simpler Management
Context based Service Chaining
TrustSec Functions
Classification Static Dynamic Enforcement SGACL SG-FW WSA Propagation Inline SXP 5 Employee 6 Supplier 8 Suspicious A B 8 5Enforcement
TrustSec in Action
Classification Propagation Application Servers Database Servers NetworkCisco TrustSec Segmentation
Enterprise Backbone Policy Voice Data Suppliers Employee Non Compliant Suppliers
Employee
Non Compliant
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers • TrustSec simplifies ACL
management for intra/inter-VLAN traffic
Supplier Employee
Non Compliant
Policy
Campus Segmentation
Suppliers Employee Non Compliant Suppliers
Employee
Non Compliant
Filtered Access Supplier Employee Non Compliant• Segmented traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)
• Micro-Segmentation with single policy (segment devices even in same VLAN)
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmenting the
Network
Discover and Classify Assets Design and Model PolicyStarting a TrustSec Design
Policy
Enforcement
Points
Discuss
assets to
protect
Classification
Mechanisms
Example: Cardholder Data, Medical Record, intellectual data Example: Dynamic, Static, etc. • DC segmentation (DC virtual/ physical switches or virtual/physical Firewalls)• User to DC access control • (Identify capable switches
or firewalls in the path)
Propagation
Methods
• Inline Tagging • SXP • DM-VPN • GET-VPN • IPSec • OTP etc..Security Group Initial Considerations
•
Unlike traditional segmentation/access control…
•
Adding dynamically assigned groups later with TrustSec should be easy
•No configuration impact on infrastructure
•
Keep groups as simple as possible whilst still meeting policy requirements
•
Should not be necessary to transfer complexity, e.g. extensive AD groups, into
Security Groups
•
Consider if all roles need a tag assigned?
How to Tag Users / Devices?
• TrustSec decouples networktopology and security policy to simplify access control and segmentation
• Classification process groups network resources into Security Groups
PC MAC 802.1X MAB Web Authentication Profiling IPv4 Prefix Learning IPv6 Prefix Learning IPv6 Prefix-SGT IPv4 Subnet-SGT Address Pool-SGT VLAN-SGT IP-SGT Port Profile Port-SGT ISE NX-OS/ CIAC/ Hypervisors IOS/Routing Data Centre/ Virtualisation User/Device/ Location Cisco Access Layer
Campus & VPN Access non-Cisco & legacy environment
Business Partners and Supplier Access Controls
Identify Where SGTs Need to be Assigned
WLC FW
Enterprise Backbone
Hypervisor SW Campus Access Distribution Core DC Core DC Dist/Access
Dynamic Classification VLAN-SGT Mapping Dynamic Classification SVI (L3 Interface) to SGT L2 Port to SGT VM (Port Profile) to SGT Subnet-SGT
Enabling Classifications
•
If per-user authorisation is not in place
•
Enabling VLAN, subnet , L3 Interface mappings can provide coarse classification
initially
•
Per-user authorisation
and SXP can then ‘override’ static classification
•
Many systems may get ‘Unknown SGT’ assignments initially
•Focus on the explicit classifications needed to meet policy
Deployment Approach
Catalyst®Switches/WLC
• Users connect to network, Monitor mode allows traffic regardless of authentication • Authentication can be performed passively resulting in SGT assignments
Enterprise Network
• Classified traffic traverses the network allowing monitoring and validation that:
• Assets are correctly classified
• Traffic flows to assets are as predicted/expected
Monitor Mode SRC \ DST PCI Server (2000) Prod Server (1000) Dev Server (1010)
Employees (100) Permit all Permit all Permit all
PCI User (105) Permit all Permit all Permit all
Configuring Inline Tagging
interface TenGigabitEthernet1/5
cts manual
policy static sgt 2 trusted
C6K2T-CORE-1#sho cts interface brief Global Dot1x feature is Enabled
Interface GigabitEthernet1/1:
CTS is enabled, mode: MANUAL
IFC state: OPEN
Authentication Status: NOT APPLICABLE Peer identity: "unknown"
Peer's advertised capabilities: "" Authorization Status: SUCCEEDED
Peer SGT: 2:device_sgt
Peer SGT assignment: Trusted
SAP Status: NOT APPLICABLE Propagate SGT: Enabled
Cache Info:
Expiration : N/A Cache applied to link : NONE
L3 IPM: disabled.
Always
“shut” and “no shut” interfaces
after any cts manual or cts dot1x change
‘cts manual’ config for inline tagging
generally used
‘cts dot1x’ alternative depends on AAA
reachability -
unless new ‘critical auth’
feature used & timers set carefully
Creating The Policy Matrix
Source Group
Destination Group
Action
•
How do I know my policy works?
•
How do I decide what protocols?
•
How do I know if I am tagging?
SGT in NetFlow Fields
Source Tag:
• Retrieved from the packet
Destination Tag:
• Derived based on
destination IP Address Switch Derived Source Tag:
• 4K Only: Value applied on
the packet on egress
SGT Table
• 6K only: export in NetFlow
template data tables mapping Security Group Tags to
Security Group Names
SGACL Drop Record
• 6k only: Generate a flow record on a SGACL drop
SGT-NetFlow Device List
Device First Release Source
Tag Destination tag Switch-Derived SGT SGT Table SGACL Drop Record Catalyst 6500 (Sup2T)
IOS 15.1(1)SY1 Yes (match)
Yes (match)
No Yes Yes
(dedicated monitor)
ISR, ASR, CSR IOS XE 3.13S Yes Yes No No No
Catalyst 3850, 3650 IOS XE 3.7.1E IOS XE 3.6.3E* Yes (match) Yes (match) No No No Catalyst 4500 (Sup 7-E, 7L-E, 8-E)
IOS XE 3.7.1E IOS XE 3.6.3E* Yes (collect) Yes (collect) Yes No No
ASA 9.1.3 No No No No NSEL Record
StealthWatch FlowSensor
Considerations: 3850
!flow monitor cts-cyber-monitor-in exporter StealthWatch-FC cache timeout active 60 record cts-cyber-3k-in !
!
flow monitor cts-cyber-monitor-out exporter StealthWatch-FC
cache timeout active 60 record cts-cyber-3k-out !
interface GigabitEthernet1/0/1
ip flow monitor cts-cyber-monitor-in input ip flow monitor cts-cyber-monitor-out output !
vlan configuration 100
ip flow monitor cts-cyber-monitor-in input ip flow monitor cts-cyber-monitor-out output !
Ingress:
• Source Tag Sources:
• Derived from packet header • DGT Sources:
• Derived based on destination IP lookup • SGACL enforcement must be enabled • Trunk link only
Egress:
• Source Tag Sources:
• Incoming packet header • Port configured SGT • IP to SGT mapping • Destination Tag Sources:
• Derived based on destination IP lookup • Requires SGACL enforcement to be enabled • Trunk link only
Considerations: 3850
!
flow record cts-cyber-3k-in match datalink mac source address input
match datalink mac destination address input match ipv4 tos
match ipv4 ttl match ipv4 protocol
match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input
match flow direction
match flow cts source group-tag match flow cts destination group-tag collect counter bytes long
collect counter packets long collect timestamp absolute first collect timestamp absolute last !
!
flow record cts-cyber-3k-out match ipv4 tos
match ipv4 ttl match ipv4 protocol
match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow direction
match flow cts source group-tag match flow cts destination group-tag collect counter bytes long
collect counter packets long collect timestamp absolute first collect timestamp absolute last !
Considerations: 4500 Sup 7-E, 7L-E, 8-E
Source Tag:
• Packet header
• Maximum 12K distinct SRC-IP’s
Destination Tag:
• Derived based on destination IP
Switch Derived Source Tag:
• SGT enforced on the packet from the switch • Policy acquisition • SGT in the packet • SGT lookup on source IP • Port SGT lookup • SGT on packet at egress !
flow record cts-cyber-4k match ipv4 tos
match ipv4 protocol
match ipv4 source address match ipv4 destination address
match transport source-port match transport destination-port match interface input
match flow direction
collect flow cts source group-tag collect flow cts destination group-tag collect flow cts switch derived-sgt collect transport tcp flags
collect interface output collect counter bytes collect counter packets
collect timestamp sys-uptime first collect timestamp sys-uptime last !
Considerations: 6500 Sup 2T
!flow record cts-cyber-6k match ipv4 protocol
match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow cts source group-tag match flow cts destination group-tag collect transport tcp flags
collect interface output collect counter bytes collect counter packets
collect timestamp sys-uptime first collect timestamp sys-uptime last !
TrustSec data table:
• Export SGT-SGN mapping in NetFlow template
SGACL Drop:
• Flow record generated on a drop • Requires dedicated Flow Monitor
Source Tag:
• Packet header • IP-SGT lookup Destination Tag:
• Derived based on destination IP lookup
Considerations: 6500 Sup2T
!
flow exporter ise destination 10.1.100.3
source TenGigabitEthernet2/1 transport udp 9993
option cts-sgt-table timeout 10 !
flow monitor FNF_SGACL_DROP exporter ise
record cts-record-ipv4 !
cts role-based ip flow monitor FNF_SGACL_DROP dropped
!
flow exporter CYBER_EXPORTER destination 10.1.100.230
source TenGigabitEthernet2/1 transport udp 2055
option cts-sgt-table timeout 10 !
flow monitor CYBER_MONITOR exporter CYBER_EXPORTER cache timeout active 60 record cts-cyber-6k !
Considerations: ISR, ASR, CSR
!flow record cts-cyber-ipv4 match ipv4 protocol
match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input
match flow direction
match flow cts source group-tag match flow cts destination group-tag collect routing next-hop address ipv4 collect ipv4 dscp
collect ipv4 ttl minimum collect ipv4 ttl maximum collect transport tcp flags collect interface output collect counter bytes collect counter packets
collect timestamp sys-uptime first collect timestamp sys-uptime last collect application name
! Source Tag: • Packet header • IP-SGT lookup Destination Tag: • Destination IP lookup http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/cts-fnf.pdf
Modeling Policy in StealthWatch
Custom event triggers on traffic condition
Trigger on traffic in both directions; Successful or unsuccessful
Source Tag Destination Tag
Rule name and description
Modeling Policy in StealthWatch
Create flow-based rules for all proposed policy elements
Policy Violation alarm will trigger if condition is met. Simulating proposed drop.
Modeling Policy: Alarm Occurrence
Alarm dashboard showing all Policy alarms
Details of “Employee to Productions Servers” alarm occurrences
Modeled Policy: Flow Details
Who
Who
What
When
How
Where
Destination
Tag
Is this communication permissible?Tune
Yes
Respond
No
Source
Tag
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmenting the
Network
Discover and Classify AssetsEnforce Policy Design and
Enabling Enforcement
• Enforcement may be enabled gradually per destination security group basis • Initially use SGACLs with deny logging enabled (remove log later if not required) • Keep default policy as permit and allow traffic ‘unknown SGT’ during deployment
Catalyst®Switches/WLC Monitor Mode PCI Server Production Server Development Server SRC \ DST PCI Server (2000) Prod Server (1000) Dev Server (1010)
Employees (100) Deny all Deny all Deny all PCI User (105) Permit all Permit all Deny all Unknown (0) Deny all Deny all Deny all
ISE
Applying SGACLs (ISE 2.0)
permit tcp dst eq 443 permit tcp dst eq 80 permit tcp dst eq 22 permit tcp dst eq 3389 permit tcp dst eq 135 permit tcp dst eq 136 permit tcp dst eq 137 permit tcp dst eq 138 permit tcp des eq 139 deny ip SGACL_1SGACL Downloads
• New Servers provisioned, e.g. Prod Server & Dev Server Roles
• DC switches requests policies for assets they protect • Policies downloaded & applied dynamically
• What this means:
• All controls centrally managed
• Security policies de-coupled from network
• No switch-specific security configs needed
• Wire-rate policy enforcement
• One place to audit network-wide policies
Prod_Servers Dev_Servers Dev_Server (SGT=10) Prod_Server (SGT=7) S GT=3 S GT=4 S GT=5 SGACL Enforcement Switches request policies
for assets they
protect Switches pull
down only the policies they
Enabling Policy Enforcement in Switches
•
After setting up SGT/SGACL in ISE, you can now enable SGACL Enforcement
on network devices
•
Devices need to be defined in ISE and provisioned to talk to ISE (omitted from
these slides for brevity)
•
If switches have SGT assignments they will download policy for the assets they
are protecting
Switch(config)#cts role-based enforcement
Switch(config)#cts role-based enforcement vlan-list 40
Enabling SGACL Enforcement Globally and for VLAN
Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5 Switch(config)#cts role-based sgt-map 10.1.40.20 sgt 6 Switch(config)#cts role-based sgt-map 10.1.40.30 sgt 7
Policy Enforcement on Firewalls: ASA SG-FW
Can still use Network Object (Host, Range, Network (subnet), or
FQDN)
AND / OR the SGT
Switches inform the ASA of Security Group membership Security Group definitions from
ISE
Trigger FirePower services by SGT policies
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmenting the
Network
Active
Monitoring
Discover and Classify Assets Enforce Policy Policy NBAD Design and Model PolicySegmentation Monitoring in StealthWatch
Custom event triggers on traffic condition
Trigger on traffic in both directions; Successful or unsuccessful
Source Tag Destination
Tag
Rule name and description
Segmentation Monitoring with StealthWatch
Segmentation Monitoring with StealthWatch
PCI Zone Map
Define communication policy between Zones
StealthWatch NBAD Model
Algorithm
Security
Event
Alarm
Track and/or measure behaviour/activity
Suspicious behaviour observed or anomaly detected
Alarm Categories
Example Alarm Category: Concern Index
Concern Index: Track hosts that appear to compromising network integritySecurity events. Over 90 different algorithms.
StealthWatch: Alarms
Alarms
• Indicate significant behaviour changes and policy violations • Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour or established policies
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmenting the
Network
Active
Monitoring
Discover and Classify Assets Enforce Policy Policy NBAD Design and Model PolicyRapid Threat
Containment
ANC Quarantine: ISE Live Log
Security Group Assignment EPSStatus check
WAIT!
How did this dark
magic happen?
Adaptive Network Control
Extension of the endpoint monitoring and controlling capabilities
Endpoint control based on IP or MAC addressThree actions:
• Quarantine
• Unquarantine
• Shutdown wired access ports
Enable a change of the authorisation state
• Through administrative action
• Without modification of the overall authorisation policy
ANC Quarantine Flow
PSN MnT PAN 1. Endpoint is connected 2. StealthWatch issuesquarantine instruction to PAN
3. PAN issues quarantine instruction to MnT 4. MnT instructs PSN to invoke a CoA 5. Endpoint is disconnected through CoA 7. RADIUS request 6. Endpoint reconnects and authenticates 8. Quarantine check 9. Quarantine profile applied
Configuring ANC on ISE 2.0
1. Enable ANC (EPS)
•
Enabled by default on ISE 2.0
2. Create Quarantine authorisation profile
or Security Group
3. Create Quarantine Authorisation Policy
4. Manually quarantine or unquarantine
Exception Authorisation Policy
Assign to SGT
Suspicous_Investigate
and Permit Access EPSStatus in Session
Configuration of RTC with StealthWatch and ISE
1. Enable pxGrid
2. Provision pxGrid server certificate 3. Provision pxGrid client certificate
4. Configure pxGrid node connection
5. Assign SMC to EPS Group in 6. Configure pxGrid node connection
Configuration of RTC with StealthWatch and ISE
Lancope published:
•
http://cs.co/StealthWatch_ISE_Remediation
Cisco published:
•
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/
HowTo-101-Deploying_Lancope_StealthWatch_with_pxGrid.pdf
Follow these guides
So now
what?
Suspicous_Investigate Egress Policy
Create an Egress Policy for the suspicious Security Group
SGACL
Create meaningful SGACL for Suspicious hosts:• Restrict applications and services• Block access to Business Critical Processes
SGT Based Policy Based Routing
route-map native_demo permit 10match security-group source tag Employee
match security-group destination tag Critical_Asset set interface Tunnel1
!
route-map native_demo permit 20
match security-group source tag Suspicious
match security-group destination tag Critical_Asset set interface Tunnel2
!
route-map native_demo permit 30 match security-group source tag Guest set vrf Guest VRF-GUEST Enterprise WAN Inspection Router Router / Firewall Network A Policy-based Routing based on SGT SGT-based VRF Selection User B Suspicious User C Guest User A Employee
Agenda
Introduction
Understanding
the
Landscape
Components of Network VisibilitySegmenting the
Network
Active
Monitoring
Discover and Classify Assets Enforce PolicySummary
Policy NBAD Design and Model PolicyRapid Threat
Containment
Related Sessions:
•
TECSEC-2666 – TrustSec / NGFW and NGIPS
• Tuesday, March 8, 9:00 AM - 6:00 PM•
BRKSEC-2690 – Deploying Security Group Tags
• Kevin Regan – Wednesday, March 9, 4:30 PM – 6:00 PM •BRKSEC-3690 – Advanced Security Group Tags
• Kevin Regan – Friday, March 8, 8:45 AM – 10:45 AM
•
BRKCRS-2891 – Enterprise Network Segmentation (with Cisco TrustSec)
• Hari Holla – Wednesday, March 9, 4:30-6:00 PM•
BRKSEC-2653 – Cyber Range
• Paul Qiu– Wednesday, March 9, 4:30 PM – 6:00 PM
•
BRKSEC-2044 – Building an Enterprise Access Control Architecture using ISE and TrustSec
Call to Action
Visit the World of Solutions for:
•
Security Zone:
• Identity Services Engine
• Cisco Cyber Threat Defence Solution
•
Enterprise Networking Zone:
• Network as a Sensor / Enforcer
Meet The Expert
Matt Robertson: • Thursday 12-2 pm
More Reading:
•http://www.cisco.com/go/stealthwatch
•http://www.cisco.com/go/trustsec
•http://www.cisco.com/go/ctd
Complete Your Online Session Evaluation
Learn online with Cisco Live!
Visit us online after the conference
for full access to session videos and
presentations.
www.CiscoLiveAPAC.com
Give us your feedback and receive a
Cisco 2016 T-Shirt by completing the
Overall Event Survey and 5 Session
Evaluations.
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site
http://showcase.genie-connect.com/ciscolivemelbourne2016/ – Visit any Cisco Live Internet Station located
throughout the venue