TRANSCRIPT
Session ID 20PT
Designing and Implementing Identity Security
Maurice Wheatley
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential BRKSPM-2604_c1 2
Agenda
Authentication Protocols and Operation
IEEE 802.1X, MAB, Web Auth
Authorization
Host Modes and IP Telephony
Security Group Access
Deployment Scenarios
Monitor Mode
Low Impact Mode
Low Impact Mode with Security Group Access
High Security Mode
Why Is Identity Security Important?
1. Who are you? 802.1X (or a supplementary method) authenticates the user. Keep the outsiders out.
2. Where can you go? Based on authentication, the user is placed in the correct VLAN. Keep the insiders honest.
3. What service level do you receive? The user can be given per-user services. Personalize the network.
4. What are you doing? The user’s identity and location can be used for tracking and accounting. Increase network visibility.
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Authentication Protocols and Operation: IEEE 802.1X
Primary Components: IEEE 802.1X Has Multiple Components
Supplicant (802.1X client): submits credentials for authentication
Authenticator (switch / WLAN): forwards credentials to the authentication server; controls access to the network
Authentication Server (RADIUS server): validates the supplicant’s credentials; defines access policy
Backend Database (AD, LDAP, etc.): supports authentication server functions
Authentication Protocols and Operation: MAC Authentication Bypass (MAB)
Real Networks Can’t Live on 802.1X Alone: Default Access Control Is Binary
[Figure: endpoints sorted by 802.1X outcome]
802.1X passed: Employee
Unauthenticated: Employee (bad credential), Guest, Managed Assets, Rogue
802.1X with MAC Auth Bypass (MAB): Deployment Considerations
MAB enables differentiated access control
MAB leverages centralized policy on the AAA server
Not as strong as 802.1X: MAC addresses can be spoofed
MAB requires a database of known MAC addresses
[Figure: MAB places endpoints into a Contractor VLAN or a Printer VLAN, driven by a MAC database held in RADIUS / LDAP / ACS]
MAC Databases: Device Discovery
Find It
• Leverage Existing Asset Database
• e.g. Purchasing Department, CUCM
Build It
• Bootstrap methods to gather data
• e.g. SNMP, Syslog, Accounting, DHCP, Monitor Mode
Buy It
• Automated Device Discovery
• e.g. ISE
Authentication Protocols and Operation: Web Authentication
802.1X with Web-Auth: Deployment Considerations
Web-Auth is only for users (not devices)
• browser required
• manual entry of username/password
Web-Auth can be a fallback from 802.1X or MAB.
Web-Auth and Guest VLAN are mutually exclusive
Web-Auth supports ACL authorization only
Web-Auth behind an IP Phone requires Multi-Domain Authentication (MDA)
Authentication Summary
IEEE 802.1X
• Strong authentication
• Requires a (configured) client
MAB
• Supports clientless/legacy devices
• Requires pre-existing database
WebAuth
• Support for clientless users
• Limited applications
Authorization: Host Modes and IP Telephony
IPT & 802.1X: Fundamental Challenges
[Figure: two Catalyst 3750 switches; on the first a phone and a PC share one port, on the second the PC behind the phone has a link state the switch cannot see]
1. IPT breaks the point-to-point model: two devices per port, where 802.1X assumes one device per port.
“The operation of Port Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis.”
IEEE 802.1X rev 2004
2. Link state dependency: the PC link state is unknown to the switch (security violation).
Multi-Domain Authentication (MDA) Host Mode
Modifying Single-MAC Requirement: IP Phones
IEEE 802.1X: single device per port
MDA: single device per domain (data domain, voice domain) per port
MDA replaces CDP Bypass
Supports Cisco & 3rd Party Phones
Phones and PCs use 802.1X or MAB
  interface FastEthernet3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication host-mode multi-domain
Multi-Authentication Host Mode
Modifying Single-MAC Requirement: Virtualized Endpoints
MAC-based enforcement for each device
802.1X and/or MAB
Multi-Auth is a superset of MDA
  interface FastEthernet3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication host-mode multi-auth
Authorization: Security Group Access
Various Authorization Mechanisms
Three major enforcement mechanisms:
Dynamic VLAN assignment – Ingress
Simplifies ACLs but has major network impact: trunked VLANs and IP network fragmentation
Downloadable per-session ACL – Ingress
Less impact than dynamic VLANs, but not scalable and hard to maintain.
Security Group Access Control List (SGACL) – Egress
Scalable and easy to maintain. Allows context-aware authorisation.
Traditional Access Control
[Figure: users S1–S4 (Sales, HR, Finance, Managers, IT Admins, HR Rep) as sources and servers D1–D6 as destinations, with an ACL written per source/destination pair]
S1 to D1 Access Control:
  permit tcp S1 D1 eq https
  permit tcp S1 D1 eq 8081
  permit tcp S1 D1 eq 445
  deny ip S1 D1
The number of ACEs grows as the number of users/servers increases
Network Admin manages every IP source to IP destination relationship explicitly
# of ACEs = (# of sources) * (# of Destinations) * permissions
Security Group Access
Security Group Based Access Control (SGACL) allows customers
To keep existing logical design at access layer
To change / apply policy to meet today’s business requirement
To distribute policy from central management server
[Figure: a user (“I’m a contractor, my group is IT Admin”) authenticates via 802.1X/MAB/Web Auth; the SGT-capable device tags the session Contractor & IT Admin, SGT = 100; the tag travels with the traffic to the Database (SGT=4) and IT Server (SGT=10), where the SGACL is applied]
Security Group Access Key Features
Security Group Based Access Control
• Topology independent access control based on roles
• Scalable ingress tagging (SGT) / egress filtering (SGACL)
• Centralized Policy Management / Distributed Policy Enforcement
Confidentiality and Integrity
• Encryption based on IEEE 802.1AE (AES-GCM 128-bit)
• Wire rate hop-by-hop layer 2 encryption
• Key management based on 802.11n (SAP) standardized in 802.1X-2010
Authenticated Networking Environment
• Endpoint admission enforced via 802.1X authentication, MAB, Web Auth (Cisco Identity compatibility)
• Network device admission control based on 802.1X creates a trusted networking environment
• Only a trusted network imposes the Security Group Tag
How SGACL Simplifies Access Control
[Figure: user security groups MGMT A (SGT10), MGMT B (SGT20), HR Rep (SGT30) and IT Admins (SGT40), each x 100 users, reach server security groups Sales SRV (SGT400), HR SRV (SGT500) and Finance SRV (SGT600), each 10 network resources, through a single SGACL]
• Network Admin manages every source “group” to destination “group” relationship
• This abstracts the network topology from the policy and reduces the number of policy rules the admin has to maintain
• The network automates the alignment of users/servers to groups
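To make the ACE-count argument concrete (the per-IP formula on the Traditional Access Control slide versus the group-to-group rules on this one), here is an added example, not from the Cisco deck: it expands the same policy both ways and counts the results. The hosts, groups and port numbers are constructed; the formula helper is the deck's rule of thumb.

```python
"""Added example (not from the deck): count the ACEs a traditional per-IP ACL
needs versus the rules a group-based (SGACL) policy needs for one policy.
All hosts, groups and ports below are constructed."""
from itertools import product

# Constructed inventory: source hosts with their role, servers with their role.
USERS = {
    "10.1.1.10": "HR Rep", "10.1.1.11": "HR Rep", "10.1.1.12": "HR Rep",
    "10.1.2.10": "IT Admins", "10.1.2.11": "IT Admins",
    "10.1.3.10": "Sales", "10.1.3.11": "Sales",
}
SERVERS = {
    "10.100.1.5": "HR SRV", "10.100.1.6": "HR SRV",
    "10.100.2.5": "Finance SRV",
    "10.100.3.5": "Sales SRV", "10.100.3.6": "Sales SRV",
}
# Group-to-group policy: (source group, destination group) -> permitted TCP
# ports. A pair that is absent is denied. Port numbers are constructed.
POLICY = {
    ("HR Rep", "HR SRV"): [443, 8081, 445],
    ("IT Admins", "HR SRV"): [22, 443],
    ("IT Admins", "Finance SRV"): [22, 443],
    ("IT Admins", "Sales SRV"): [22, 443],
    ("Sales", "Sales SRV"): [443],
}

def traditional_acl(users, servers, policy):
    """Expand the policy into per-source/per-destination ACEs, which is what
    the admin must write when the ACL keys on IP addresses: one permit per
    allowed port plus a closing deny for every (source, destination) pair."""
    aces = []
    for (src, sgrp), (dst, dgrp) in product(users.items(), servers.items()):
        for port in policy.get((sgrp, dgrp), []):
            aces.append(f"permit tcp host {src} host {dst} eq {port}")
        aces.append(f"deny ip host {src} host {dst}")
    return aces

def sgacl_rules(policy):
    """With SGACLs the rules key on (source SGT, destination SGT) only, so
    adding a host to a group adds no rules at all."""
    rules = []
    for (sgrp, dgrp), ports in policy.items():
        for port in ports:
            rules.append(f"{sgrp} -> {dgrp}: permit tcp dst eq {port}")
        rules.append(f"{sgrp} -> {dgrp}: deny ip")
    return rules

def ace_count_formula(n_sources, n_destinations, permissions):
    """The deck's rule of thumb: # ACEs = sources * destinations * permissions."""
    return n_sources * n_destinations * permissions

if __name__ == "__main__":
    print(f"per-IP ACEs: {len(traditional_acl(USERS, SERVERS, POLICY))}, "
          f"group-based rules: {len(sgacl_rules(POLICY))}")
    # One more HR host grows the per-IP ACL by a permit per port per HR
    # server plus a deny per server; the group policy does not change.
    more = dict(USERS, **{"10.1.1.13": "HR Rep"})
    print(f"after adding one HR host: {len(traditional_acl(more, SERVERS, POLICY))} "
          f"vs {len(sgacl_rules(POLICY))}")
```

Run it and compare the two counts before and after adding a host: the per-IP list grows with every endpoint, the group list only grows when the policy itself changes, which is the scaling claim the slide makes.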
Deployment Scenarios
What Is a Deployment Scenario?
A set of configuration guidelines designed to meet a particular deployment goal
Simplify deployments by following a blueprint
Increase efficiency by combining features that interoperate most effectively
Phase deployments for minimal impact to end users
Customize basic blueprint as needed
General Principles:
Start simple, start small
Start with minimal restrictions
Evolve as necessary
Define your Goals
Prevent Unauthorized Access
Increase Network Visibility
Increase Network Security
Solution deployment should be transparent to end users
Employee end-user behavior should not change.
Legacy devices must not be locked out.
Best authentication method based on device capabilities should be chosen.
Considerations
What authentication method(s) should be used?
Which devices support what authentication method(s)?
Any software or firmware upgrades needed?
Where are credentials stored? How to build and manage a MAC database?
What authorization methods scale to meet ultimate goals?
How do we discover what is out on our network?
The First Scenario: Monitor Mode
Monitor Mode
• Authentication Without Access Control
Low Impact Mode
• Minimal Impact to Network and Users
High Security Mode
• Logical Isolation of User Groups / Device Types
Monitor Mode Overview
Monitor Mode: How To
Enable 802.1X & MAB
Enable Open Access
  All traffic in addition to EAP is allowed
  Like not having 802.1X enabled, except authentications still occur
Enable Multi-Auth Host-Mode
Disable Authorization
Monitor Mode Goals
No Impact to Existing Network Access
See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
Deterrence through accountability
Monitor Mode: AAA Server and Endpoints
AAA Server: should be fully configured except for authorization policy before this scenario:
  Communication with AAA clients (i.e. switches)
  Communication with credential repository (e.g. AD, MAC Database)
  PKI (CA certs, server cert)
  EAP Configuration
  MAB Configuration
Endpoints: should be fully configured by the end of this scenario:
  PKI (CA certs, client cert) or other credentials
  Supplicants configured & installed everywhere supported
  Enable machine auth
  Enable user auth if needed
Monitor Mode: Next Steps
RADIUS Authentication & Accounting Logs give you:
  Passed/failed 802.1X/EAP attempts: list of valid 802.1X-capable endpoints, list of invalid 802.1X-capable endpoints
  Passed/failed MAB attempts: list of valid MACs, list of invalid or unknown MACs
Monitor Mode Next Steps
Improve Accuracy
Evaluate Remaining Risk
Leverage Information
Prepare for Access Control
Preparing for Access Control: Fix 802.1X Errors
Observed failure: [screenshot of the failed 802.1X attempt]
Fix: import an ACS server cert signed by the Enterprise CA
Preparing for Access Control: Put Valid MACs in MAB Database
Observed failure: [screenshot of MAB failures for unknown MACs]
Fix: import MAC.CSV into the MAB database
Information Pays for Itself: ROI Without Access Control
RADIUS Attribute          Example Value
Framed-IP-Address(8)      10.100.41.200
User-Name(1)              scadora
Acct-Session-Time(46)     27
Acct-Input-Octets(42)     2614
Acct-Output-Octets(43)    2469
Acct-Input-Packets(47)    7
Acct-Output-Packets(48)   18
Acct-Status-Type(40)      Interim-Update
NAS-Port-Type(61)         Ethernet
NAS-Port-Id(87)           FastEthernet2/48
Called-Station-Id(30)     00-1F-6C-3E-56-8F
Calling-Station-Id(31)    00-1E-4A-A9-00-A8
Service-Type(6)           Framed-User
NAS-IP-Address(4)         10.100.10.4
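The Monitor Mode slides say the RADIUS logs yield four lists (valid and invalid 802.1X endpoints, valid and unknown MACs) and that the unknown MACs, once vetted, go into the MAB database as MAC.CSV. The following is an added example, not from the deck, that does exactly that over a few constructed log lines. The key=value line format is an assumption (real ACS/ISE exports differ); the User-Name scadora, the Calling-Station-Id 00-1E-4A-A9-00-A8 and the NAS-IP-Address 10.100.10.4 are reused from the attribute table above, every other host and MAC is made up.

```python
"""Added example (not from the deck): turn Monitor Mode RADIUS results into
the four endpoint lists and a MAC CSV for the MAB database.
Log format and all endpoints except scadora's are constructed."""
import csv
import io

# Constructed log lines, one authentication result per line. Only the first
# line reuses values from the deck's attribute table; the rest are made up.
LOG_LINES = [
    "Method=dot1x Result=Passed User-Name=scadora Calling-Station-Id=00-1E-4A-A9-00-A8 NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/48",
    "Method=dot1x Result=Failed User-Name=host/old-laptop Calling-Station-Id=00-1E-4A-A9-00-B1 NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/12",
    "Method=mab Result=Passed User-Name=0024ab123456 Calling-Station-Id=00-24-AB-12-34-56 NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/3",
    "Method=mab Result=Failed User-Name=0011223344aa Calling-Station-Id=00-11-22-33-44-AA NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/7",
    "Method=mab Result=Failed User-Name=0011223344aa Calling-Station-Id=00-11-22-33-44-AA NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/7",
]

def parse_line(line):
    """Split 'key=value key=value ...' into a dict (values carry no spaces here)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def classify(lines):
    """Return the four Monitor Mode lists. Calling-Station-Id is the endpoint
    MAC (as in the deck's table); MACs are de-duplicated and sorted."""
    buckets = {"dot1x_valid": set(), "dot1x_invalid": set(),
               "mab_valid": set(), "mab_unknown": set()}
    for line in lines:
        rec = parse_line(line)
        mac = rec["Calling-Station-Id"].upper()
        passed = rec["Result"] == "Passed"
        if rec["Method"] == "dot1x":
            key = "dot1x_valid" if passed else "dot1x_invalid"   # bad credentials
        else:
            key = "mab_valid" if passed else "mab_unknown"       # MAC not in database
        buckets[key].add(mac)
    return {k: sorted(v) for k, v in buckets.items()}

def mac_csv(lines, approved):
    """Build the CSV to import into the MAB database: only MACs that failed
    MAB as unknown AND that an operator has confirmed as a known asset
    ('approved' maps MAC -> description, e.g. from the asset database)."""
    unknown = classify(lines)["mab_unknown"]
    rows = [(mac, approved[mac]) for mac in unknown if mac in approved]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["mac", "description"])
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    for name, macs in classify(LOG_LINES).items():
        print(f"{name:14} {macs}")
    print(mac_csv(LOG_LINES, {"00-11-22-33-44-AA": "lobby printer"}))
```

The approval dictionary is the important design point: a MAC that merely shows up as unknown is not evidence that it belongs on the network, so the script only emits rows the operator has matched against an asset source, mirroring the deck's "find it / build it" advice for MAC databases.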
Monitor Mode in a Nutshell
Summary
• Authentication without Authorization
• Extensive Network Visibility
Benefits
• No Impact to Endpoints or Network
• Define/refine your support processes
Limitations
• No Access Control
Next Steps
• Monitor the Network
• Evaluate Remaining Risk
• Prepare for Access Control
The Second Scenario: Low Impact
Monitor Mode
• Authentication Without Access Control
Low Impact Mode
• Minimal Impact to Network and Users
High Security Mode
• Logical Isolation of User Groups / Device Types
Low Impact Mode Overview
Low Impact Mode: How To
Start from Monitor Mode
Add new features for access control:
  downloadable ACLs
  flexible auth fail handling
  security group access
Limit the number of devices connecting to a port
Add new features to support IP Phones
Low Impact Mode Goals
Begin to control/differentiate network access
Minimize Impact to Existing Network Access
Retain Visibility of Monitor Mode
“Low Impact” == no need to re-architect your network
Keep existing VLAN design
Minimize LAN changes
Example: Using Low Impact Mode to Bootstrap a New Phone
Pre-auth ACL allows just enough access for config, CTL
New config enables 802.1X on the phone
After 802.1X, the phone has full access
Same idea can give MAB phones access before 802.1X times out
Pre-Auth ACL (TFTP server 10.100.10.238):
  permit ip host 10.100.20.200 any
  permit udp any any eq bootps
  permit udp any host 10.100.10.238 eq tftp
  permit udp any host 10.100.10.238 range 32768 61000
Example: Using Low Impact Mode for PXE
Pre-auth ACL allows just enough access for DHCP, TFTP
Downloaded OS has 802.1X enabled
After 802.1X, the client has full access
Pre-Auth ACL (DHCP, TFTP for PXE):
  permit ip host 10.100.20.200 any
  permit udp any any eq bootps
  permit udp any host 10.100.10.238 eq tftp
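Both Low Impact examples above rest on the pre-auth ACL letting through only what bootstrapping needs. What follows is an added example, not from the deck, that parses the phone-bootstrap ACL shown above and evaluates constructed packets against it, so you can check what an unauthenticated port actually permits before rolling the ACL out. It also understands the `established` keyword used by the PRE-AUTH-ACL on the later SGA slide; the `evaluate`, `parse_acl` and `make_pkt` helpers are this example's own, and the test packets are constructed.

```python
"""Added example (not from the deck): parse the pre-auth ACL syntax the deck
shows and evaluate packets against it (first match wins, implicit deny).
The ACL text is the deck's phone-bootstrap ACL; the packets are constructed."""
import ipaddress

# IOS port keywords used on the page; numeric ports are accepted as well.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "domain": 53}

PRE_AUTH_ACL = """
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
"""

def parse_ace(line):
    """Parse one ACE: action, protocol, source, destination, an optional
    'eq'/'range' destination-port match and the TCP 'established' flag."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None                      # None means "match any address"
        if tok[i] == "host":
            i += 2
            return ipaddress.ip_address(tok[i - 1])
        raise ValueError(f"unsupported address form in: {line}")

    src, dst = addr(), addr()
    ports, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            ports, i = (port, port), i + 2
        elif tok[i] == "range":
            ports, i = (int(tok[i + 1]), int(tok[i + 2])), i + 3
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]} in: {line}")
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": ports, "established": established}

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def matches(ace, pkt):
    """Does this ACE match the packet? 'ip' matches every protocol."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["src"] is not None and ace["src"] != pkt["src"]:
        return False
    if ace["dst"] is not None and ace["dst"] != pkt["dst"]:
        return False
    if ace["ports"] is not None:
        lo, hi = ace["ports"]
        if not lo <= pkt["dport"] <= hi:
            return False
    if ace["established"] and not pkt["established"]:
        return False
    return True

def evaluate(acl, pkt):
    """First matching ACE decides; IOS ACLs end with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

def make_pkt(proto, src, dst, dport=0, established=False):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport,
            "established": established}

if __name__ == "__main__":
    acl = parse_acl(PRE_AUTH_ACL)
    for label, pkt in [
        ("DHCP discover", make_pkt("udp", "0.0.0.0", "255.255.255.255", 67)),
        ("TFTP to config server", make_pkt("udp", "10.100.41.200", "10.100.10.238", 69)),
        ("TFTP data port", make_pkt("udp", "10.100.41.200", "10.100.10.238", 40000)),
        ("TFTP to other host", make_pkt("udp", "10.100.41.200", "10.100.10.239", 69)),
        ("HTTP to Internet", make_pkt("tcp", "10.100.41.200", "192.0.2.10", 80)),
    ]:
        print(f"{label:24} -> {evaluate(acl, pkt)}")
```

The one surprise such a dry run tends to surface is that a line such as `permit ip host 10.100.20.200 any` permits every protocol from that source before authentication, which is the kind of ACE worth confirming is intended.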
IPT & 802.1X: The Link-State Problem
[Figure: Catalyst 3750 with a phone on one port and PC A (S:0011.2233.4455) behind it; the port is authorized for 0011.2233.4455 only]
1) Legitimate users cause a security violation: when PC B (S:6677.8899.AABB) replaces PC A behind the phone, the switch never sees A's link go down and treats B's traffic as a security violation.
2) Hackers can spoof the MAC to gain access without authenticating: a second device presenting S:0011.2233.4455 inherits the still-authorized session (security hole).
Link State: Three Solutions
[Figure: three Catalyst 3750 switches, each with a phone and a PC behind it; in each case the PC's session is cleared when the PC leaves]
Proxy EAPoL-Logoff
  Only works for 802.1X endpoints
  Requires Logoff-capable phone
Inactivity Timer
  Switch feature
  Works for MAB endpoints
  Port vulnerable during timeout
  Quiet devices may get kicked off
CDP 2nd Port Status (CDP Link Down)
  Works for all: 802.1X, MAB, Web-Auth
  Nothing to configure
  Combined switch + phone feature
  Recommended!
Low Impact Mode with Security Group Access
Challenge of Ingress Access Control List
[Figure: users and endpoints on Catalyst® switches (3K/4K/6K) with ISE 1.0; ingress enforcement with a downloadable ACL at the edge of the TrustSec™ domain; campus network to Site A, Site B, Site C, Site D and the Internet]
Switch needs to be aware of all network segments + addresses that need to be protected
More dACL ACEs consume limited TCAM space on switches
Simple networks/policy can use dACL only
dACL content:
  permit protocol any to Site A Servers eq services
  permit protocol any to Site B Servers eq services
  deny protocol any to Site C Servers eq services
  permit protocol any to Site D Servers eq services
SGA with Low Impact Mode Use Case: Selective Access with SGT Enforcement
[Figure: users and endpoints on Catalyst® switches (3K/4K/6K) in Low Impact Mode, ISE 1.0, campus network, egress enforcement with a Security Group ACL on a Cat 6500 w/ SUP 2T in front of the HR Server and ACME Server, and the Internet]
1. User connects to network
2. Pre-Auth ACL only allows selective service before authentication
3. Authentication is performed and results are logged by ACS. dACL is downloaded along with SGT
4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point
5. Only the permitted traffic path (source SGT to destination SGT) is allowed
Access port configuration:
  authentication port-control auto
  authentication open
  ip access-group PRE-AUTH-ACL in
  dot1x pae authenticator
PRE-AUTH-ACL:
  permit tcp any any established
  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp
Authorization result for the ACME user: AUTH=OK, ACL=Permit IP Any, SGT=10
SGACL matrix:
  SRC \ DST        HR Server (111)   ACME Server (222)   Unknown (0)
  ACME User (10)   Deny all          Permit all          Permit all
  HR User (10)     Permit all        Permit all          Permit all
  Guest (30)       Deny all          Deny all            Permit all
More Flexible Policy with Role-Based Access Control: Everyone Has a Different Role
[Figure: identity information (Network Administrator, Full-Time Employee, Guest) + other conditions (Time and Date, Access Type, Location) = access privilege (Engineering, Human Resources, Finance, Home Access, Deny Access, Guest)]
Example identities: Francois Didier, Employee, Consultant; Vicky Sanchez, Employee, Marketing; Susan Kowalski, Employee, Sales Director; Rossi Barks, Employee, HR
Role + Rule-Based Access Control Example: Human Resources Role
[Figure: identity information for Rossi Barks (Employee, HR; identity classes Network Administrator, Guest, Full-Time Employee) + conditions Time and Date, Location: Campus, Access Type: Wired = access privilege Human Resources (other privileges: Engineering, Finance, Home Access, Deny Access, Guest)]
Role + Rule-Based Access Control Example: Human Resources Role (off-site)
[Figure: the same identity information for Rossi Barks (Employee, HR) + conditions Time and Date, Location: Off-site, Access Type: Wired = access privilege Deny Access (other privileges: Engineering, Finance, Home Access, Guest, Human Resources)]
SGA with Low Impact Mode Use Case: Selective Access with SGT Enforcement (HR user in wrong locale)
[Figure: same topology as above (Catalyst® switches (3K/4K/6K) in Low Impact Mode, ISE 1.0, campus network, Security Group ACL egress enforcement on a Cat 6500 w/ SUP 2T, HR Server, ACME Server, Internet); the HR user connecting off-site receives SGT=8 and the path to the HR Server is blocked (X)]
1. User connects to network
2. Pre-Auth ACL only allows selective service before authentication
3. Authentication is performed and results are logged by ACS. dACL is downloaded along with SGT
4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point
5. Only the permitted traffic path (source SGT to destination SGT) is allowed
Authorization result for the HR user in the wrong locale: AUTH=OK, SGT=8
SGACL matrix:
  SRC \ DST         HR Server (111)   ACME Server (222)   Unknown (0)
  HR Off Site (8)   Deny all          Permit all          Permit all
  HR User (10)      Permit all        Permit all          Permit all
  Guest (30)        Deny all          Deny all            Permit all
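The two SGA use cases (the campus matrix and the "HR user in wrong locale" variant) together show both halves of SGT enforcement: the authorization rule that turns role plus condition into a tag, and the egress matrix that acts on the tag. Here is an added example, not from the deck, that models both with the deck's SGT numbers (HR User 10, HR Off Site 8, Guest 30; HR Server 111, ACME Server 222, Unknown 0) taken from the second matrix. The rule conditions, the top-down first-match evaluation and the deny for pairings the matrix does not list are this example's assumptions.

```python
"""Added example (not from the deck): the deck's role + rule SGT assignment
and its egress SGACL matrix, evaluated for constructed sessions.
SGT numbers come from the slide; rule logic and defaults are assumptions."""

# Destination security groups, SGT numbers as on the slide.
DEST_SGT = {"HR Server": 111, "ACME Server": 222}
UNKNOWN_SGT = 0  # untagged traffic, e.g. destinations outside the SGT domain

# Authorization rules, evaluated top-down, first match wins (ISE-style).
# Each entry: (condition, SGT, rule name). The conditions are assumptions.
SGT_RULES = [
    (lambda role, loc: role == "HR" and loc == "Campus", 10, "HR User"),
    (lambda role, loc: role == "HR", 8, "HR Off Site"),
    (lambda role, loc: role == "Guest", 30, "Guest"),
]

def assign_sgt(role, location):
    """Return the SGT for a session; with no matching rule the session
    stays untagged (SGT 0)."""
    for condition, sgt, _name in SGT_RULES:
        if condition(role, location):
            return sgt
    return UNKNOWN_SGT

# SGACL matrix from the slide: (source SGT, destination SGT) -> action.
SGACL = {
    (8, 111): "deny",    (8, 222): "permit",   (8, 0): "permit",
    (10, 111): "permit", (10, 222): "permit",  (10, 0): "permit",
    (30, 111): "deny",   (30, 222): "deny",    (30, 0): "permit",
}

def enforce(src_sgt, dst_sgt):
    """Egress decision at the data-centre switch. Pairings the matrix does
    not list are denied; that default is this example's choice."""
    return SGACL.get((src_sgt, dst_sgt), "deny")

def access_for(role, location, destination):
    """End to end: classify the session, then apply the matrix."""
    sgt = assign_sgt(role, location)
    return sgt, enforce(sgt, DEST_SGT.get(destination, UNKNOWN_SGT))

if __name__ == "__main__":
    for role, loc, dst in [("HR", "Campus", "HR Server"),
                           ("HR", "Off-site", "HR Server"),
                           ("HR", "Off-site", "ACME Server"),
                           ("Guest", "Campus", "HR Server"),
                           ("Guest", "Campus", "internet")]:
        sgt, action = access_for(role, loc, dst)
        print(f"{role:6} @ {loc:9} -> {dst:12}: SGT {sgt:3} {action}")
```

Note what the off-site case shows: the HR user still authenticates successfully (AUTH=OK), and nothing in the access-layer configuration changes; only the tag differs, and the egress matrix does the rest. Rule order matters, which is why the campus rule is listed before the broader HR rule.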
Low Impact in a Nutshell
Summary
• Default open + pre-auth ACL
• Differentiated Access Control using dynamic ACLs and/or SGA
Benefits
• Minimal Impact to Endpoints
• Minimal Impact to Network
Limitations
• No L2 Isolation
Next Steps
• Monitor the Network
• Tune ACLs as necessary
• Evaluate Remaining Risk
The Last Scenario: High Security
Monitor Mode
• Authentication Without Access Control
Low Impact Mode
• Minimal Impact to Network and Users
High Security Mode
• Logical Isolation of User Groups / Device Types
High Security Mode Overview
High Security: How To
Return to default “closed” access
Timers or authentication order change
Implement identity-based VLAN assignment
High Security Mode Goals
No access before authentication
Rapid access for non-802.1X-capable corporate assets
Logical isolation of traffic at the access edge
High Security in a Nutshell
Summary
• Default closed
• Differentiated access control using dynamic VLANs, dynamic ACLs and/or Security Group Access
Benefits
• Logical Isolation at L2
• No Access for Unauthorized Endpoints
Limitations
• Impact to Network
• Impact to Endpoints
Next Steps
• Monitor the Network
Conclusion
Lessons Learned & Factors for Success
Start with Monitor Mode
• Collect and study network telemetry
• Progressively configure your endpoints
• Phase in authorization when you’re ready
Homogeneity makes things easier
• Multiple protocols, multiple features, multiple products
Prioritize teamwork and communication
• It’s not just about technology, support processes need to change too
Proof of concept is not optional
Complete Your Session Evaluation
Please give us your feedback!!
Complete the evaluation form you were given when you entered the room
This is session 4.4
Don’t forget to complete the overall event evaluation form included in your registration kit
YOUR FEEDBACK IS VERY IMPORTANT FOR US!!! THANKS