Gaining Visibility by Using the Network
• Daniel Braine
• CCIE R/S: 24663
• Security/Wireless CSE
• Dec 2012
(Diagram: network with Access, Core and Data Center tiers hosting a Print Server, a SQL Server and an Analyst Server, labelled "User-Based Decision".)
• Who's actually on my network?
• What's actually on my network?
• Where are these devices plugged in?
• Where have the devices been?
• Have there been security violations?
(Diagram: Security Management & Operations Team overseeing the Red Net, Gray Net and Black Net.)
Fly By the Seat of Your Pants: Network Management
Attempt at Enforcement
Port Security
(Diagram: each switch configured with its own list of four permitted MAC addresses per port, plus a syslog server.)
• Classification Mechanisms: Types of Identity (Device Only)
• Configuration: Manual Moves, Adds, and Changes – Decentralized Approach
• Identity Verification: None
• Differentiated Access: None (Permit Access Only)
• Roaming Abilities: None
• Recovery From Failure: Manual/Time-Based (Err-Disable)
• Scalability: Not scalable, headache to manage
(Diagram: switchport with the default of open access; SSH, HTTPS, DHCP and TFTP all permitted.)
- Server Admins left holding the keys to security.
- Functionality and Availability at the forefront; Visibility is an afterthought.
- Admins not able to monitor live connections to the network.
- Forced to scroll through application logs.
The Vision: “God Mode Enabled” Network Management
Employee Device Location:
- East Wing Rm 402: Port 21 of Cisco 3750X Switch
- West Wing Rm 109: Port 45 of Cisco 3750X Switch
- North Wing Rm 800: Port 3/30 of Cisco 6500 Switch
Employee Device IP:
- 172.16.99.2
- 172.16.99.80
- 172.16.99.5
- 172.16.99.190
Employee Device Type:
- Windows XP SP3 Dell
- Windows 7 HP
Application Use:
- HTTPS 60%
- Collaboration 25%
- Video 5%
- Voice 10%
VLAN Access:
- 99
- 20
- 45
Authorized Permissions:
- Allow HTTPS
- Allow Collaboration
- Allow Video
- Allow Voice
- Deny Analyst Database Access
Exploring the Solution: Monitoring for Visibility (Find the “who”)
(Diagram: switchport in open mode; KRB5, HTTP, TFTP, DHCP and EAPoL are permitted both Pre-AuthC and Post-AuthC. Traffic always allowed.)
• Enables 802.1X Authentication on the Switch
• But: Even failed Authentication will gain Access
• Allows Network Admins to see who would have failed, and the “who” attribute for visibility
• Most Important Note: WE DON’T WANT TO BLOCK
Authentication Overview
(Diagram: the endpoint presents its credential over EAPoL: a User/Password (e.g. user1 / C#2!ç@_E(), a Certificate, or a Token. The switch relays it over RADIUS to a backend database chosen through Identity Source Sequences: Active Directory, Generic LDAP, PKI, RADIUS (e.g. Safeword Token Server, RSA SecurID), or the local DB. Machine and/or User authentication.)
Identifying a User or Endpoint: Authentication Credentials

Credential Type: Username / Password
  Why You Might Use It:
  • Familiar concept
  • Everyone already has one (e.g. AD)
  • Can re-use existing pwds, pwd mgmt techniques
  Why You Might Not Use It:
  • Passwords can be stolen
  • Single factor authentication
  • Needs to be sent in encrypted tunnel
  Example EAP Type: PEAP-MSCHAPv2

Credential Type: Soft certificates (stored on hard drive)
  Why You Might Use It:
  • Two-factor auth
  • Auto-enrollment simplifies PKI
  Why You Might Not Use It:
  • Extensive PKI (server certs, user certs, machine certs) requires dedicated IT/admin
  Example EAP Type: EAP-TLS

Credential Type: Hard certificates (USB, TPM)
  Why You Might Use It:
  • Up to three-factor auth
  Why You Might Not Use It:
  • Significant overhead
  Example EAP Type: EAP-TLS

Credential Type: PAC (Protected
Exploring the Solution: Device Classification
(Diagram: Visibility into PCs and Non-PCs such as UPS, Phone, Printer and AP.)
Additional benefits of Profiling
- Visibility: A view of what is truly on your network
- Tracking of where a device has been, what IP Addresses it has had, and other historical data.
- An understanding of WHY the device was profiled as a particular type (what profile signatures were matched)
Understand Network Probes Available
• In order to figure out the “what”, we need to use the information we have available.
Probes: RADIUS, DHCP, DNS, HTTP, SNMP, NetFlow, DHCP SPAN, NMAP
• Passive assessment or active polling/scanning?
• What is performing the data collection and what can be collected?
  – Dedicated collection devices or existing infrastructure? Must traffic pass inline?
  – SNMP data? DHCP? RADIUS? Packet capture for deeper analysis?
• Which attributes constitute device type X?
  – Is MAC OUI alone good enough? What about DHCP data, location, connection protocols, or network traffic?
• Can I collect the needed attributes to make a decision?
  – Will additional collection devices need to be deployed?
  – What is the network or endpoint load impact?
• How is my profile for Device X created, maintained, updated?
Classifying Endpoints: Select Data Probes for a Wired Network
• For a wired network we recommend using a combination of RADIUS, DHCP, DNS and SNMP:
Best Practice probes and what each provides:
- RADIUS: OUI (MAC address prefix), IP
- DHCP: DHCP class identifier, Client Identifier, parameter request list
- DNS: Hostname
- SNMP: CDP / LLDP / MAC Move
- NetFlow: Traffic identification
- NMAP Scan: OS and Common Ports
HTTP and NetFlow could also be used as additional methods when required.
MAB credentials (the MAC address serves as both):
Username: 00:11:22:33:44:55:66
Password: 00:11:22:33:44:55:66
Probe Data Flow for a Wired Network
(Diagram: the Authenticator reports to the Visibility Center via SNMP Query, SNMP Trap, RADIUS and DHCP Helper.)
- Initial Attempt: 802.1X. 802.1X times out after (max-reauth-req + 1) x tx-timer, then falls back to MAB.
- Access-Accept. Open Mode: time when the MAC address is moved to the FWD state. A MAC-Notification Trap is sent if configured; a Link-State trap is sent if configured.
- 30 sec to start SNMP Query, then the SNMP Query is sent.
- Point of Profiling.
- DHCP Discovery / Request relayed by the DHCP Helper.
- SNMP Response.
Endpoint record built from the MAC-Notification Trap (Authorized): Primary Key 00:11:22:33:44:55:66, Switch IP, Port ID, CDP Info, VLAN Data, Session Data, DHCP Options, Attributes, EAPOL / ID-Req.
Probe Implementation: Using Profiling Based on RADIUS, DNS, DHCP in a Wired Network
(Diagram: endpoint, switch and Visibility Center (ISE) with EAPoL/RADIUS, DNS and DHCP flows; the DHCP Server sits beside ISE.)
- RADIUS probe: OUI, IP
- DNS probe (reverse-lookup)
- DHCP probe: DHCP class identifier, hostname, requested attributes
Switch configuration:
interface Vlan20
 ip helper-address @IP_DHCP_server
 ip helper-address @IP_ISE
radius-server host @IP_ISE key xxxx
ip device tracking
Dot1x Selective Open Mode: Only DHCP is permitted.
Probe Implementation Cont.: SNMP/CDP/LLDP, NetFlow
SNMP probe (CDP / LLDP / MAC notification), switch configuration:
snmp-server community xxxxxx RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host @IP_ISE version 2c xxxxxx
Queries the following MIBs:
- system
- cdpCacheEntry
- cLApEntry (if device is WLC)
- cldcClientEntry (if device is WLC)
LinkUp / MAC Notification / RADIUS Acct Start event queries:
- interface data (ifIndex, ifDesc, etc.)
- Port and VLAN data
- Session Data (if interface type is Ethernet)
- CDP data (if device is Cisco)
NetFlow v5 or v9, switch configuration (the export destination takes the collector IP and UDP port):
ip flow-export destination @IP_ISE <udp-port>
ip flow-export source FastEthernet0/1
ip flow-export version 9
NMAP Active Scan: Manual Scan
- For a manual scan, specify the subnet then click « Run Scan »
- Click to see scan results
- Devices will be added to the database only if the real MAC address is known
- Use an alternate probe to discover the MAC address (e.g. RADIUS or SNMP probe)
Switch Sensor
• Low touch deployment
• Profiling based on CDP/LLDP or DHCP
• Centralized visibility without big ISE sensor investment
• Automatic discovery for most common devices (Printers, Cisco devices, phones)
• Topology independent
Switch Sensor: Endpoint Profiling
- Policy Assignment: indicates matched profiling policy
- Calling-Station-ID: indicates Endpoint MAC Address
- Device IP Address: indicates Switch
- CDP and DHCP information used for profiling.
Switch Device Sensor Cache / Switch Sensor in Action (example entry):
- CDP: Cisco IP Phone 7945, SEP002155D60133
- DHCP: Cisco Systems, Inc. IP Phone CP-7945G, SEP002155D60133
ISE Profiling result: Device Attributes, More attributes, And more attributes.
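An added example, not code from the deck or from ISE: a small Python profiler that applies signature rules to the attributes the probes collect (RADIUS OUI, DHCP class identifier and hostname, SNMP CDP cache) and returns which signatures matched, the "why" behind a classification. The profile hierarchy, certainty values, the Cisco OUI and the endpoint attributes are constructed for this example; the phone entry mirrors the sensor-cache values shown above.

```python
import re

# Constructed profiling policies: a parent/child hierarchy with per-rule
# certainty and a minimum certainty per profile (values are assumptions).
PROFILES = {
    "Cisco-Device": {"parent": None, "min": 10, "rules": [
        ("oui", r"^00:21:55$", 10)]},                      # assumed Cisco OUI
    "Cisco-IP-Phone": {"parent": "Cisco-Device", "min": 20, "rules": [
        ("dhcp-class-identifier", r"^Cisco Systems, Inc\. IP Phone", 20),
        ("host-name", r"^SEP[0-9A-F]{12}$", 10)]},
    "Cisco-IP-Phone-7945": {"parent": "Cisco-IP-Phone", "min": 70, "rules": [
        ("cdpCachePlatform", r"Cisco IP Phone 7945", 70)]},
    "Microsoft-Workstation": {"parent": None, "min": 10, "rules": [
        ("dhcp-class-identifier", r"^MSFT 5\.0$", 10)]},
}

def score(profile, attrs):
    """Total certainty of one profile's matching rules, plus the rules themselves."""
    matched = [(a, rx, c) for a, rx, c in PROFILES[profile]["rules"]
               if a in attrs and re.search(rx, attrs[a])]
    return sum(c for _, _, c in matched), matched

def classify(attrs):
    """Walk the tree from the root, descending into the best-scoring child that
    reaches its minimum certainty. Returns (deepest profile, matched rules)."""
    attrs = dict(attrs)
    if "mac" in attrs:                       # OUI is the first three octets
        attrs["oui"] = attrs["mac"][:8].upper()
    current, evidence = "Unknown", []
    while True:
        parent = None if current == "Unknown" else current
        best = None
        for child, policy in PROFILES.items():
            if policy["parent"] != parent:
                continue
            total, matched = score(child, attrs)
            if total >= policy["min"] and (best is None or total > best[1]):
                best = (child, total, matched)
        if best is None:
            return current, evidence
        current, evidence = best[0], evidence + best[2]

# Constructed endpoint mirroring the sensor-cache entry on the slide.
PHONE = {"mac": "00:21:55:d6:01:33", "host-name": "SEP002155D60133",
         "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-7945G",
         "cdpCachePlatform": "Cisco IP Phone 7945"}
```

A hostname of SEP… alone never reaches Cisco-IP-Phone because the root profile needs the OUI first; that is the hierarchy the "why" list makes visible.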
Profiling: Determining required profile attributes
• Feeds OUIs, Profiles, Posture and BootStraps
• Has approval / publish
Exploring the Solution:
• Live Authentications and Correlated Sessions.
• Contextual Application based information from one view
• What are the Top Servers and Top Clients in my network that are having the worst transaction time – Assessed by looking at the Worst Clients by transaction time and Application Server Performance
• Which of my Sites are experiencing the worst transaction time for any given application – Obtained by looking at Worst Sites by transaction time
• Which of my Clients are using the most bandwidth – Top N Clients (In and Out)
• How are my Application Traffic statistics over time –
Beyond Visibility: Looking Ahead
(Diagram: switchport in open mode with a Role-Based ACL. Pre-AuthC: KRB5, HTTP, TFTP, DHCP and EAPoL permitted; Post-AuthC: KRB5, HTTP, RDP, DHCP and EAPoL. Permit Some.)
Enforcement Mode: If Authentication is Valid, then Specific Access!
• AuthC Success = Role Specific Access
• dVLAN Assignment / dACLs
• Specific dACL, dVLAN
• Secure Group Access
• Still Allows for pre-AuthC Access for Thin Clients, PXE, etc…
• WebAuth for non-Authenticated
Interface Config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
Closed Mode: No Access prior to Login, then Specific Access!
• Default 802.1X Behavior
• No access at all prior to AuthC
• Still use all AuthZ Enforcement Types
• dACL, dVLAN, SGA
• Must take considerations for Thin Clients & PXE, etc…
Interface Config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
(Diagram: closed-mode switchport. Pre-AuthC: Permit EAP only, with DHCP, TFTP, KRB5 and HTTP blocked; Post-AuthC: Permit All, or a Role-Based ACL selected by Device Type and Location.)
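An added example, not from the deck: a Python check that reads an interface config in the form shown above, tells open mode from closed mode, and applies the slide's 802.1X timeout formula to see how long a MAB-only device (printer, thin client, PXE) waits with no network in closed mode. The IOS default timer values and the DHCP client give-up threshold are assumptions; the third config is constructed.

```python
import re

# Constructed interface configs: the open- and closed-mode snippets from the
# slides, plus a closed-mode port with shortened 802.1X timers (values assumed).
OPEN_MODE = """interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
"""
CLOSED_MODE = """interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
"""
CLOSED_FAST = CLOSED_MODE + " dot1x timeout tx-period 10\n dot1x max-reauth-req 2\n"
IOS_TX_PERIOD = 30       # IOS defaults, used when the port does not override them
IOS_MAX_REAUTH_REQ = 2
DHCP_CLIENT_GIVEUP = 60  # assumed: seconds a typical client keeps retrying DHCP

def audit_port(config):
    """Report what an unauthenticated host gets on this port, and how long a
    MAB-only device waits before the switch even tries its MAC address."""
    lines = [ln.strip() for ln in config.splitlines()]
    def setting(pattern, default):
        hits = [re.fullmatch(pattern, ln) for ln in lines]
        return next((int(m.group(1)) for m in hits if m), default)
    tx = setting(r"dot1x timeout tx-period (\d+)", IOS_TX_PERIOD)
    reauth = setting(r"dot1x max-reauth-req (\d+)", IOS_MAX_REAUTH_REQ)
    open_mode = "authentication open" in lines
    acl = next((ln.split()[2] for ln in lines if ln.startswith("ip access-group ")), None)
    # The slide's formula: 802.1X gives up after the first Identity-Request plus
    # max-reauth-req retransmits, spaced tx-period apart, and only then tries MAB.
    mab_delay = (reauth + 1) * tx if "mab" in lines else None
    if open_mode:
        pre_auth = f"traffic permitted by ACL {acl}" if acl else "all traffic"
    else:
        pre_auth = "EAPoL only"
    return {
        "mode": "open" if open_mode else "closed",
        "pre_auth_access": pre_auth,
        "seconds_until_mab": mab_delay,
        # Closed mode passes only EAPoL until MAB succeeds, so a long 802.1X
        # timeout can outlast the endpoint's own DHCP retries.
        "dhcp_at_risk": (not open_mode and mab_delay is not None
                         and mab_delay > DHCP_CLIENT_GIVEUP),
    }
```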