• No results found

Network as a Sensor and Enforcer. Matthew Robertson - Technical Marketing Engineer

N/A
N/A
Protected

Academic year: 2021

Share "Network as a Sensor and Enforcer. Matthew Robertson - Technical Marketing Engineer"

Copied!
104
0
0

Loading.... (view fulltext now)

Full text

(1)
(2)

Network as a Sensor and Enforcer

(3)
(4)
(5)
(6)

About This Session: Building Security into the Network

The Cisco Network

The Cisco Network

Security Group Tags

NetFlow

Identity Services Engine

StealthWatch

THIS SESSION:

Bringing it all together

(7)

Building Security into the Network

Identify and control policy, behaviour and threats

NetFlow

: Transactional data

SGT

: Enforce Group Policy

ISE

: Discover assets

& direct policy

StealthWatch

:

Transactional visibility

& intelligence

Context sharing and

dynamic response

(8)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

Segmenting the

Network

Active

Monitoring

Discover and Classify Assets Enforce Policy

Summary

Policy NBAD Design and Model Policy

Rapid Threat

Containment

(9)

About Me: Your Master Builder for Today

Matt Robertson

• Security Technical Marketing Engineer

• Focused on Advanced Threat

• Author of 3 CVDs

• 8 years at Cisco: development, TME, Lancope

• Sorry, also Canadian

(10)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

(11)

Segmentation begins with visibility

You can’t protect

what you can’t see

Who

is on the network

(12)

ISE: Identifying the Who

Authentication (host supplied):

• User & Device Authentication • MAC Authentication bypass • Web portal

Profile (collected):

• Infrastructure provided • (DHCP, HTTP, etc) • Signature based

Authenticated Session Table

(13)

NetFlow: Identifying the what

10.2.2.2 port 1024 10.1.1.1port 80 e th 0 /1 e th 0 /2

Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100 SYN,ACK,FIN

Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT TCP Flags 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 SYN,ACK,PSH

(14)

NetFlow = Transactional Visibility

Router# show flow monitor CYBER-MONITOR cache

IPV4 SOURCE ADDRESS: 192.168.100.100 IPV4 DESTINATION ADDRESS: 192.168.20.6 TRNS SOURCE PORT: 47321

TRNS DESTINATION PORT: 443 INTERFACE INPUT: Gi0/0/0

FLOW CTS SOURCE GROUP TAG: 100 FLOW CTS DESTINATION GROUP TAG: 1010 IP TOS: 0x00

IP PROTOCOL: 6

ipv4 next hop address: 192.168.20.6 tcp flags: 0x1A

interface output: Gi0/1.20 counter bytes: 1482 counter packets: 23 timestamp first: 12:33:53.358 timestamp last: 12:33:53.370 ip dscp: 0x00 ip ttl min: 127 ip ttl max: 127

application name: nbar secure-http

(15)

Components for NetFlow Security Monitoring

Cisco Network

UDP Director

• UDP Packet copier • Forward to multiple

collection systems

NetFlow

StealthWatch FlowSensor (VE)

• Generate NetFlow data • Additional contextual fields

(ex. App, URL, SRT, RTT)

StealthWatch FlowCollector

• Collect and analyse • Up to 2000 sources

• Up to sustained 240,000 fps

StealthWatch Management Console

• Management and reporting • Up to 25 FlowCollectors • Up 6 million fps globally

Best Practice: Centralise

(16)

NetFlow Collection: Flow Stitching

10.2.2.2 port 1024 10.1.1.1port 80 e th 0 /1 e th 0 /2

Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Client SGT Server SGT Interfaces 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 100 1010 eth0/1 eth0/2

Uni-directional flow records

Bi-directional:

• Conversation flow record

• Allows easy visualisation and analysis Start Time Interface Src IP Src

Port Dest IP Dest Port Proto Pkts Sent Bytes Sent SGT DGT 10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 100 1010 10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 1010 100

(17)

NetFlow Collection: De-duplication

Start Time Client IP Client Port Server IP Server Port Prot o Client Bytes Client Pkts Server Bytes Server Pkts App Client SGT Server SGT Exporter, Interface, Direction, Action 10:20:12.221 10.2.2.2 1024 10.1.1.1 80 TCP 1025 5 28712 17 HTTP 100 1010 Sw1, eth0, in Sw1, eth1, out Sw2, eth0, in Sw2, eth1, out ASA, eth1, in

ASA, eth0, out, Permitted ASA eth0, in, Permitted ASA, eth1, out

Sw3, eth1, in Sw3, eth0, out Sw1, eth1, in Sw1, eth0, out 10.2.2.2 port 1024 10.1.1.1 port 80 Sw1 Sw2 Sw3 ASA

(18)

Adding Context and Situation Awareness

NAT Events

Known Command & Control Servers

User Identity Application Application & URL URL & Username

(19)

Conversational Flow Record

Who

Who

What

When

How

Where

• Highly scalable (enterprise class) collection • High compression => long term storage

• Months of data retention

(20)

Conversational Flow Record: Exporters

(21)

NetFlow Analysis with StealthWatch:

Identify additional Indicators of Compromise (IoC)

Policy & Segmentation

Network Behaviour & Anomaly Detection (NBAD)

Better understand / respond to an IOC:

Audit trail of all host-to-host communication

Discovery

(22)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

Segmenting the

Network

Discover and Classify Assets

(23)

ISE as a Telemetry Source

Authenticated Session Table

Cisco ISE

• Maintain historical session table • Correlate NetFlow to username • Build User-centric reports

StealthWatch Management Console syslog • Device/User Authentication • Device Profiling

(24)

Configuration: Logging on ISE

1. Create Remote Logging Target on ISE

2. Add Target to Logging Categories

1

2

Required Logging categories: • Passed Authentications • RADIUS Accounting • Profiler

(25)

Configuration: Add ISE to SMC

1. (Not Shown) Create Admin User on ISE

2. (Not Shown) Configure ISE or CA certificate on SMC

3. (Not Shown) Configure SMC or CA certificate on ISE

4. Add Cisco ISE nodes to SMC Configuration

Order to add nodes:

1. Primary MnT 2. Secondary MnT 3. Any PSN’s

(26)

StealthWatch-ISE Attribution Configuration

Lancope published:

• http://cs.co/StealthWatch_ISE_Attribution

Cisco published:

• http://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd1-0/design_guides/ctd_1-1_dig.pdf • http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sea_ctd.pdf • http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/threat-defense/guide_c07-728137.pdf

(27)

Locate Services and Applications

Search for assets based on transactional data: • Ex. Protocol (HTTP Servers, FTP Server, etc)

(28)

Locate Assets

Find hosts communicating on the network • Pivot based on transactional data

(29)

Host Groups: Applied Situational Awareness

Virtual container of multiple IP Addresses/ranges that

have similar attributes

Lab servers

Best Practice: classify all

known IP Addresses in one or more host groups

(30)

Classify Assets with Host Groups

• User defined

(31)

Understand Behaviour

List of all hosts communicating

with HTTP Servers

(32)

Understand Behaviour

Complete list of all hosts

communicating with HTTP Servers:

who, what, when, where, how

(33)
(34)

Model Business Critical Processes

PCI Zone Map

Overall system profile

(35)

Simplifying Segmentation with TrustSec

Access Layer Enterprise Backbone Voice VLAN Voice Data VLAN Employee Aggregation Layer Supplier Guest VLAN BYOD BYOD VLAN Non-Compliant Quarantine VLAN VLAN Address DHCP Scope Redundancy Routing Static ACL VACL

Security Policy based on Topology High cost and complex maintenance

Voice VLAN

Voice

Data VLAN

Employee Supplier BYOD

Non-Compliant

Use existing topology and automate security policy to reduce OpEx

ISE

No VLAN Change No Topology Change Central Policy Provisioning Micro/Macro Segmentation Employee Tag Supplier Tag Non-Compliant Tag Access Layer Enterprise Backbone DC Firewall / Switch DC Servers Policy TrustSec Traditional Segmentation

(36)

Network Segmentation with TrustSec

Username: johnd Group: Store Managers

Location: Store Office Time: Business Hour

Security Group: Manager

Enforcement AUTHORISED PERSONNEL ONLY Switches Routers Firewall DC Switch Hypervisor SW Resource Segmentation based on roles

• Not based on IP addresses, VLANs etc

Role based on context

• AD, LDAP attributes, device type, location, time, access methods, etc…

Use Tagging technology

• To represent logical group (Classification)

• To enforce policy on switches, routers, firewalls

Software Defined

• Policy managed centrally

• Policy provisioned automatically on demand

• Policy invoked anywhere on the network dynamically

(37)

What TrustSec Provides

Software defined Network Segmentation Context-based Data Access

Agile Security Policy Changes and

Simpler Management

Context based Service Chaining

(38)

TrustSec Functions

Classification Static Dynamic Enforcement SGACL SG-FW WSA Propagation Inline SXP 5 Employee 6 Supplier 8 Suspicious A B 8 5

(39)

Enforcement

TrustSec in Action

Classification Propagation Application Servers Database Servers Network

(40)

Cisco TrustSec Segmentation

Enterprise Backbone Policy Voice Data Suppliers Employee Non Compliant Suppliers

Employee

Non Compliant

• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers • TrustSec simplifies ACL

management for intra/inter-VLAN traffic

Supplier Employee

Non Compliant

Policy

(41)

Campus Segmentation

Suppliers Employee Non Compliant Suppliers

Employee

Non Compliant

Filtered Access Supplier Employee Non Compliant

• Segmented traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)

• Micro-Segmentation with single policy (segment devices even in same VLAN)

(42)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

Segmenting the

Network

Discover and Classify Assets Design and Model Policy

(43)

Starting a TrustSec Design

Policy

Enforcement

Points

Discuss

assets to

protect

Classification

Mechanisms

Example: Cardholder Data, Medical Record, intellectual data Example: Dynamic, Static, etc. • DC segmentation (DC virtual/ physical switches or virtual/physical Firewalls)

• User to DC access control • (Identify capable switches

or firewalls in the path)

Propagation

Methods

• Inline Tagging • SXP • DM-VPN • GET-VPN • IPSec • OTP etc..

(44)

Security Group Initial Considerations

Unlike traditional segmentation/access control…

Adding dynamically assigned groups later with TrustSec should be easy

No configuration impact on infrastructure

Keep groups as simple as possible whilst still meeting policy requirements

Should not be necessary to transfer complexity, e.g. extensive AD groups, into

Security Groups

Consider if all roles need a tag assigned?

(45)

How to Tag Users / Devices?

• TrustSec decouples network

topology and security policy to simplify access control and segmentation

• Classification process groups network resources into Security Groups

PC MAC 802.1X MAB Web Authentication Profiling IPv4 Prefix Learning IPv6 Prefix Learning IPv6 Prefix-SGT IPv4 Subnet-SGT Address Pool-SGT VLAN-SGT IP-SGT Port Profile Port-SGT ISE NX-OS/ CIAC/ Hypervisors IOS/Routing Data Centre/ Virtualisation User/Device/ Location Cisco Access Layer

Campus & VPN Access non-Cisco & legacy environment

Business Partners and Supplier Access Controls

(46)

Identify Where SGTs Need to be Assigned

WLC FW

Enterprise Backbone

Hypervisor SW Campus Access Distribution Core DC Core DC Dist/Access

Dynamic Classification VLAN-SGT Mapping Dynamic Classification SVI (L3 Interface) to SGT L2 Port to SGT VM (Port Profile) to SGT Subnet-SGT

(47)

Enabling Classifications

If per-user authorisation is not in place

Enabling VLAN, subnet , L3 Interface mappings can provide coarse classification

initially

Per-user authorisation

and SXP can then ‘override’ static classification

Many systems may get ‘Unknown SGT’ assignments initially

Focus on the explicit classifications needed to meet policy

(48)

Deployment Approach

Catalyst®Switches/WLC

• Users connect to network, Monitor mode allows traffic regardless of authentication • Authentication can be performed passively resulting in SGT assignments

Enterprise Network

• Classified traffic traverses the network allowing monitoring and validation that:

• Assets are correctly classified

• Traffic flows to assets are as predicted/expected

Monitor Mode SRC \ DST PCI Server (2000) Prod Server (1000) Dev Server (1010)

Employees (100) Permit all Permit all Permit all

PCI User (105) Permit all Permit all Permit all

(49)

Configuring Inline Tagging

interface TenGigabitEthernet1/5

cts manual

policy static sgt 2 trusted

C6K2T-CORE-1#sho cts interface brief Global Dot1x feature is Enabled

Interface GigabitEthernet1/1:

CTS is enabled, mode: MANUAL

IFC state: OPEN

Authentication Status: NOT APPLICABLE Peer identity: "unknown"

Peer's advertised capabilities: "" Authorization Status: SUCCEEDED

Peer SGT: 2:device_sgt

Peer SGT assignment: Trusted

SAP Status: NOT APPLICABLE Propagate SGT: Enabled

Cache Info:

Expiration : N/A Cache applied to link : NONE

L3 IPM: disabled.

Always

“shut” and “no shut” interfaces

after any cts manual or cts dot1x change

‘cts manual’ config for inline tagging

generally used

‘cts dot1x’ alternative depends on AAA

reachability -

unless new ‘critical auth’

feature used & timers set carefully

(50)

Creating The Policy Matrix

Source Group

Destination Group

Action

How do I know my policy works?

How do I decide what protocols?

How do I know if I am tagging?

(51)

SGT in NetFlow Fields

Source Tag:

• Retrieved from the packet

Destination Tag:

• Derived based on

destination IP Address Switch Derived Source Tag:

• 4K Only: Value applied on

the packet on egress

SGT Table

• 6K only: export in NetFlow

template data tables mapping Security Group Tags to

Security Group Names

SGACL Drop Record

• 6k only: Generate a flow record on a SGACL drop

(52)

SGT-NetFlow Device List

Device First Release Source

Tag Destination tag Switch-Derived SGT SGT Table SGACL Drop Record Catalyst 6500 (Sup2T)

IOS 15.1(1)SY1 Yes (match)

Yes (match)

No Yes Yes

(dedicated monitor)

ISR, ASR, CSR IOS XE 3.13S Yes Yes No No No

Catalyst 3850, 3650 IOS XE 3.7.1E IOS XE 3.6.3E* Yes (match) Yes (match) No No No Catalyst 4500 (Sup 7-E, 7L-E, 8-E)

IOS XE 3.7.1E IOS XE 3.6.3E* Yes (collect) Yes (collect) Yes No No

ASA 9.1.3 No No No No NSEL Record

StealthWatch FlowSensor

(53)

Considerations: 3850

!

flow monitor cts-cyber-monitor-in exporter StealthWatch-FC cache timeout active 60 record cts-cyber-3k-in !

!

flow monitor cts-cyber-monitor-out exporter StealthWatch-FC

cache timeout active 60 record cts-cyber-3k-out !

interface GigabitEthernet1/0/1

ip flow monitor cts-cyber-monitor-in input ip flow monitor cts-cyber-monitor-out output !

vlan configuration 100

ip flow monitor cts-cyber-monitor-in input ip flow monitor cts-cyber-monitor-out output !

Ingress:

• Source Tag Sources:

• Derived from packet header • DGT Sources:

• Derived based on destination IP lookup • SGACL enforcement must be enabled • Trunk link only

Egress:

• Source Tag Sources:

• Incoming packet header • Port configured SGT • IP to SGT mapping • Destination Tag Sources:

• Derived based on destination IP lookup • Requires SGACL enforcement to be enabled • Trunk link only

(54)

Considerations: 3850

!

flow record cts-cyber-3k-in match datalink mac source address input

match datalink mac destination address input match ipv4 tos

match ipv4 ttl match ipv4 protocol

match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input

match flow direction

match flow cts source group-tag match flow cts destination group-tag collect counter bytes long

collect counter packets long collect timestamp absolute first collect timestamp absolute last !

!

flow record cts-cyber-3k-out match ipv4 tos

match ipv4 ttl match ipv4 protocol

match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow direction

match flow cts source group-tag match flow cts destination group-tag collect counter bytes long

collect counter packets long collect timestamp absolute first collect timestamp absolute last !

(55)

Considerations: 4500 Sup 7-E, 7L-E, 8-E

Source Tag:

• Packet header

• Maximum 12K distinct SRC-IP’s

Destination Tag:

• Derived based on destination IP

Switch Derived Source Tag:

• SGT enforced on the packet from the switch • Policy acquisition • SGT in the packet • SGT lookup on source IP • Port SGT lookup • SGT on packet at egress !

flow record cts-cyber-4k match ipv4 tos

match ipv4 protocol

match ipv4 source address match ipv4 destination address

match transport source-port match transport destination-port match interface input

match flow direction

collect flow cts source group-tag collect flow cts destination group-tag collect flow cts switch derived-sgt collect transport tcp flags

collect interface output collect counter bytes collect counter packets

collect timestamp sys-uptime first collect timestamp sys-uptime last !

(56)

Considerations: 6500 Sup 2T

!

flow record cts-cyber-6k match ipv4 protocol

match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow cts source group-tag match flow cts destination group-tag collect transport tcp flags

collect interface output collect counter bytes collect counter packets

collect timestamp sys-uptime first collect timestamp sys-uptime last !

TrustSec data table:

• Export SGT-SGN mapping in NetFlow template

SGACL Drop:

• Flow record generated on a drop • Requires dedicated Flow Monitor

Source Tag:

• Packet header • IP-SGT lookup Destination Tag:

• Derived based on destination IP lookup

(57)

Considerations: 6500 Sup2T

!

flow exporter ise destination 10.1.100.3

source TenGigabitEthernet2/1 transport udp 9993

option cts-sgt-table timeout 10 !

flow monitor FNF_SGACL_DROP exporter ise

record cts-record-ipv4 !

cts role-based ip flow monitor FNF_SGACL_DROP dropped

!

flow exporter CYBER_EXPORTER destination 10.1.100.230

source TenGigabitEthernet2/1 transport udp 2055

option cts-sgt-table timeout 10 !

flow monitor CYBER_MONITOR exporter CYBER_EXPORTER cache timeout active 60 record cts-cyber-6k !

(58)

Considerations: ISR, ASR, CSR

!

flow record cts-cyber-ipv4 match ipv4 protocol

match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input

match flow direction

match flow cts source group-tag match flow cts destination group-tag collect routing next-hop address ipv4 collect ipv4 dscp

collect ipv4 ttl minimum collect ipv4 ttl maximum collect transport tcp flags collect interface output collect counter bytes collect counter packets

collect timestamp sys-uptime first collect timestamp sys-uptime last collect application name

! Source Tag: • Packet header • IP-SGT lookup Destination Tag: • Destination IP lookup http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/cts-fnf.pdf

(59)

Modeling Policy in StealthWatch

Custom event triggers on traffic condition

Trigger on traffic in both directions; Successful or unsuccessful

Source Tag Destination Tag

Rule name and description

(60)

Modeling Policy in StealthWatch

Create flow-based rules for all proposed policy elements

Policy Violation alarm will trigger if condition is met. Simulating proposed drop.

(61)

Modeling Policy: Alarm Occurrence

Alarm dashboard showing all Policy alarms

Details of “Employee to Productions Servers” alarm occurrences

(62)

Modeled Policy: Flow Details

Who

Who

What

When

How

Where

Destination

Tag

Is this communication permissible?

Tune

Yes

Respond

No

Source

Tag

(63)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

Segmenting the

Network

Discover and Classify Assets

Enforce Policy Design and

(64)

Enabling Enforcement

• Enforcement may be enabled gradually per destination security group basis • Initially use SGACLs with deny logging enabled (remove log later if not required) • Keep default policy as permit and allow traffic ‘unknown SGT’ during deployment

Catalyst®Switches/WLC Monitor Mode PCI Server Production Server Development Server SRC \ DST PCI Server (2000) Prod Server (1000) Dev Server (1010)

Employees (100) Deny all Deny all Deny all PCI User (105) Permit all Permit all Deny all Unknown (0) Deny all Deny all Deny all

ISE

(65)
(66)
(67)

Applying SGACLs (ISE 2.0)

permit tcp dst eq 443 permit tcp dst eq 80 permit tcp dst eq 22 permit tcp dst eq 3389 permit tcp dst eq 135 permit tcp dst eq 136 permit tcp dst eq 137 permit tcp dst eq 138 permit tcp des eq 139 deny ip SGACL_1

(68)

SGACL Downloads

• New Servers provisioned, e.g. Prod Server & Dev Server Roles

• DC switches requests policies for assets they protect • Policies downloaded & applied dynamically

• What this means:

• All controls centrally managed

• Security policies de-coupled from network

No switch-specific security configs needed

• Wire-rate policy enforcement

• One place to audit network-wide policies

Prod_Servers Dev_Servers Dev_Server (SGT=10) Prod_Server (SGT=7) S GT=3 S GT=4 S GT=5 SGACL Enforcement Switches request policies

for assets they

protect Switches pull

down only the policies they

(69)

Enabling Policy Enforcement in Switches

After setting up SGT/SGACL in ISE, you can now enable SGACL Enforcement

on network devices

Devices need to be defined in ISE and provisioned to talk to ISE (omitted from

these slides for brevity)

If switches have SGT assignments they will download policy for the assets they

are protecting

Switch(config)#cts role-based enforcement

Switch(config)#cts role-based enforcement vlan-list 40

Enabling SGACL Enforcement Globally and for VLAN

Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5 Switch(config)#cts role-based sgt-map 10.1.40.20 sgt 6 Switch(config)#cts role-based sgt-map 10.1.40.30 sgt 7

(70)

Policy Enforcement on Firewalls: ASA SG-FW

Can still use Network Object (Host, Range, Network (subnet), or

FQDN)

AND / OR the SGT

Switches inform the ASA of Security Group membership Security Group definitions from

ISE

Trigger FirePower services by SGT policies

(71)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

Segmenting the

Network

Active

Monitoring

Discover and Classify Assets Enforce Policy Policy NBAD Design and Model Policy

(72)
(73)

Segmentation Monitoring in StealthWatch

Custom event triggers on traffic condition

Trigger on traffic in both directions; Successful or unsuccessful

Source Tag Destination

Tag

Rule name and description

(74)

Segmentation Monitoring with StealthWatch

(75)

Segmentation Monitoring with StealthWatch

PCI Zone Map

Define communication policy between Zones

(76)

StealthWatch NBAD Model

Algorithm

Security

Event

Alarm

Track and/or measure behaviour/activity

Suspicious behaviour observed or anomaly detected

(77)

Alarm Categories

(78)

Example Alarm Category: Concern Index

Concern Index: Track hosts that appear to compromising network integrity

Security events. Over 90 different algorithms.

(79)

StealthWatch: Alarms

Alarms

• Indicate significant behaviour changes and policy violations • Known and unknown attacks generate alarms

• Activity that falls outside the baseline, acceptable behaviour or established policies

(80)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

Segmenting the

Network

Active

Monitoring

Discover and Classify Assets Enforce Policy Policy NBAD Design and Model Policy

Rapid Threat

Containment

(81)
(82)
(83)

ANC Quarantine: ISE Live Log

Security Group Assignment EPSStatus check

(84)

WAIT!

How did this dark

magic happen?

(85)

Adaptive Network Control

Extension of the endpoint monitoring and controlling capabilities

Endpoint control based on IP or MAC address

Three actions:

• Quarantine

• Unquarantine

• Shutdown wired access ports

Enable a change of the authorisation state

• Through administrative action

• Without modification of the overall authorisation policy

(86)

ANC Quarantine Flow

PSN MnT PAN 1. Endpoint is connected 2. StealthWatch issues

quarantine instruction to PAN

3. PAN issues quarantine instruction to MnT 4. MnT instructs PSN to invoke a CoA 5. Endpoint is disconnected through CoA 7. RADIUS request 6. Endpoint reconnects and authenticates 8. Quarantine check 9. Quarantine profile applied

(87)

Configuring ANC on ISE 2.0

1. Enable ANC (EPS)

Enabled by default on ISE 2.0

2. Create Quarantine authorisation profile

or Security Group

3. Create Quarantine Authorisation Policy

4. Manually quarantine or unquarantine

(88)

Exception Authorisation Policy

Assign to SGT

Suspicous_Investigate

and Permit Access EPSStatus in Session

(89)

Configuration of RTC with StealthWatch and ISE

1. Enable pxGrid

2. Provision pxGrid server certificate 3. Provision pxGrid client certificate

4. Configure pxGrid node connection

5. Assign SMC to EPS Group in 6. Configure pxGrid node connection

(90)

Configuration of RTC with StealthWatch and ISE

Lancope published:

http://cs.co/StealthWatch_ISE_Remediation

Cisco published:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/

HowTo-101-Deploying_Lancope_StealthWatch_with_pxGrid.pdf

Follow these guides

(91)

So now

what?

(92)

Suspicous_Investigate Egress Policy

Create an Egress Policy for the suspicious Security Group

(93)

SGACL

Create meaningful SGACL for Suspicious hosts:• Restrict applications and services

• Block access to Business Critical Processes

(94)

SGT Based Policy Based Routing

route-map native_demo permit 10

match security-group source tag Employee

match security-group destination tag Critical_Asset set interface Tunnel1

!

route-map native_demo permit 20

match security-group source tag Suspicious

match security-group destination tag Critical_Asset set interface Tunnel2

!

route-map native_demo permit 30 match security-group source tag Guest set vrf Guest VRF-GUEST Enterprise WAN Inspection Router Router / Firewall Network A Policy-based Routing based on SGT SGT-based VRF Selection User B Suspicious User C Guest User A Employee

(95)
(96)

Agenda

Introduction

Understanding

the

Landscape

Components of Network Visibility

Segmenting the

Network

Active

Monitoring

Discover and Classify Assets Enforce Policy

Summary

Policy NBAD Design and Model Policy

Rapid Threat

Containment

(97)

Related Sessions:

TECSEC-2666 – TrustSec / NGFW and NGIPS

• Tuesday, March 8, 9:00 AM - 6:00 PM

BRKSEC-2690 – Deploying Security Group Tags

• Kevin Regan – Wednesday, March 9, 4:30 PM – 6:00 PM •

BRKSEC-3690 – Advanced Security Group Tags

• Kevin Regan – Friday, March 8, 8:45 AM – 10:45 AM

BRKCRS-2891 – Enterprise Network Segmentation (with Cisco TrustSec)

• Hari Holla – Wednesday, March 9, 4:30-6:00 PM

BRKSEC-2653 – Cyber Range

• Paul Qiu– Wednesday, March 9, 4:30 PM – 6:00 PM

BRKSEC-2044 – Building an Enterprise Access Control Architecture using ISE and TrustSec

(98)

Call to Action

Visit the World of Solutions for:

Security Zone:

• Identity Services Engine

• Cisco Cyber Threat Defence Solution

Enterprise Networking Zone:

• Network as a Sensor / Enforcer

Meet The Expert

Matt Robertson: • Thursday 12-2 pm

More Reading:

http://www.cisco.com/go/stealthwatch

http://www.cisco.com/go/trustsec

http://www.cisco.com/go/ctd

(99)

Complete Your Online Session Evaluation

Learn online with Cisco Live!

Visit us online after the conference

for full access to session videos and

presentations.

www.CiscoLiveAPAC.com

Give us your feedback and receive a

Cisco 2016 T-Shirt by completing the

Overall Event Survey and 5 Session

Evaluations.

– Directly from your mobile device on the Cisco Live Mobile App

– By visiting the Cisco Live Mobile Site

http://showcase.genie-connect.com/ciscolivemelbourne2016/ – Visit any Cisco Live Internet Station located

throughout the venue

T-Shirts can be collected Friday 11 March

at Registration

(100)

Key Takeaways

NetFlow

and

Lancope StealthWatch

provides visibility and intelligence

TrustSec

is used to dynamically

(micro)

segment

the network

(101)
(102)
(103)
(104)

References

Related documents

We then play a four-note arpeggio up from the 5 th , descend three notes of the diminished scale and approach the target tone (the root) by lower chromatic neighbour..

Having defined the Hoare state monad, we can now write a different ver- sion of the relabelling function that more closely resembles the original Haskell definition.. There are

Moodle is an Internet-based course management system that is used for delivery of courses online and runs as an interactive website with features and activities designed to

The meeting was also attended by: Michael Johnson, General Manager; Derrick Murphy, Assistant General Manager of Engineering and Maintenance; Jeffrey Thompson, Assistant

Strengthen us to bring forth the fruits of the Spirit, that through life and death we may live in your Son, Jesus Christ, our Savior and Lord, who lives and reigns with you and

We proved some properties of MSNB distribution to t trace data and developed a tting algorithm based on Expectation Maximization (EM) to estimate its parameters.. We measured

Ball attachments are the most commonly used type of attachments for non-splinted implants. They are very easy to install and can be used to stabilize a pre-existing denture,

Use the scp application on the host that contains the AVP file, and connect to the NVE virtual appliance with the root account. Installation