Gaining Visibility by Using the Network
• Daniel Braine • CCIE R/S:24663 • Security/Wireless CSE • Dec 2012
Access Core Data Center
Print Server
SQL Server
Analyst Server
User-Based Decision
Who's actually on my network?
What's actually on my network?
Where are these devices plugged in?
Where have the devices been?
Have there been security violations?
Security Management & Operations Team
Red Net
Gray Net
Black Net
Fly By the Seat of Your Pants Network Management
Attempt at Enforcement
Port Security (figure): each switch carries its own list of permitted MACs and reports to a syslog server.
Permitted MACs (first switch): 00:40:3F:55:E3:04, 04:53:32:EA:35:9F, 67:8B:C4:C6:75:32, 04:53:32:EA:33:63
Permitted MACs (second switch): 00:23:3F:3E:E3:36, 57:53:32:EA:35:72, 3C:8B:C4:C6:75:93, 12:53:32:3B:AA:CA
• Classification Mechanisms: Types of Identity (Device Only)
• Configuration: Manual Moves, Adds, and Changes – Decentralized Approach
• Identity Verification: None
• Differentiated Access: None (Permit Access Only)
• Roaming Abilities: None
• Recovery From Failure: Manual/Time-Based (Err-Disable)
• Scalability: Not scalable, headache to manage
= SECURED?!...SOMEWHAT
Figure: with the switchport in its default (Open) state, SSH, HTTPS, DHCP and TFTP all pass; the network, transport, session and presentation layers are shown.
- Server admins left holding the keys to security.
- Functionality and availability at the forefront; visibility is an afterthought.
- Admins not able to monitor live connections to the network.
- Forced to scroll through application logs.
Why Not Network Access Policy?
The Vision: “God Mode Enabled” Network Management
Employee Device Location:
- East Wing Rm 402, Port 21 of Cisco 3750X Switch
- West Wing Rm 109, Port 45 of Cisco 3750X Switch
- North Wing Rm 800, Port 3/30 of Cisco 6500 Switch
Employee Device IP: 172.16.99.2, 172.16.99.80, 172.16.99.5, 172.16.99.190
Employee Device Type: Windows XP SP3 Dell; Windows 7 HP
Application Use: HTTPS 60%, Collaboration 25%, Video 5%, Voice 10%
VLAN Access: 99, 20, 45
Authorized Permissions: Allow HTTPS, Allow Collaboration, Allow Video, Allow Voice, Deny Analyst Database Access
On Network / Off Network
Monitoring for Visibility (Find the “who”)
Figure (Monitor Mode): the switchport permits all traffic (KRB5, HTTP, TFTP, DHCP, EAPoL) both pre-AuthC and post-AuthC; traffic is always allowed.
• Enables 802.1X authentication on the switch
• But: even a failed authentication will gain access
• Allows network admins to see who would have failed, and the "who" attribute for visibility
• Most important note: WE DON'T WANT TO BLOCK
• Authentication is optional, but can be transparent
Authentication Overview
Credential carried over EAPoL, for Machine and/or User: User/Password (e.g. user1 / C#2!ç@_E(), Certificate, Token
Backend database: Active Directory, Generic LDAP, PKI; RADIUS (e.g. Safeword Token Server, RSA SecurID); local DB
Identity Source Sequences
Identifying a User or Endpoint
Visibility Center
Authentication Credentials
Credential type: Username/Password
  Why you might use it: familiar concept; everyone already has one (e.g. AD); can re-use existing passwords and password-management techniques
  Why you might not use it: passwords can be stolen; single-factor authentication; needs to be sent in an encrypted tunnel
  Example EAP type: PEAP-MSCHAPv2
Credential type: Soft certificates (stored on hard drive)
  Why you might use it: two-factor auth; auto-enrollment simplifies PKI
  Why you might not use it: extensive PKI (server certs, user certs, machine certs) requires dedicated IT/admin
  Example EAP type: EAP-TLS
Credential type: Hard certificates (USB, TPM)
  Why you might use it: up to three-factor auth
  Why you might not use it: significant overhead
  Example EAP type: EAP-TLS
Credential type: PAC (Protected Access Credential)
  Why you might use it: faster processing
  Why you might not use it: still need a password or cert for initial provisioning
  Example EAP type: EAP-FAST
Device Classification Visibility: PCs; Non-PCs (UPS, Phone, Printer, AP)
Additional benefits of Profiling:
- Visibility: a view of what is truly on your network
- Tracking of where a device has been, what IP addresses it has had, and other historical data
- An understanding of WHY the device was profiled as a particular type (what profile signatures were matched)
Understand Network Probes Available
• In order to figure out the "what", we need to use the information we have available.
Probes: RADIUS, DHCP, DNS, HTTP, SNMP, NetFlow, DHCP SPAN, NMAP
• Passive assessment or active polling/scanning?
• What is performing the data collection and what can be collected?
  – Dedicated collection devices or existing infrastructure? Must traffic pass inline?
  – SNMP data? DHCP? RADIUS? Packet capture for deeper analysis?
• Which attributes constitute device type X?
  – Is MAC OUI alone good enough? What about DHCP data, location, connection protocols, or network traffic?
• Can I collect the needed attributes to make a decision?
  – Will additional collection devices need to be deployed?
  – What is the network or endpoint load impact?
• How is my profile for Device X created, maintained, updated?
Classifying Endpoints: Considerations For Your Reference
Select Data Probes for a Wired Network
• For a wired network we recommend using a combination of RADIUS, DHCP, DNS and SNMP (best practice). HTTP and NetFlow could also be used as additional methods when required.
Probe and what it yields:
- RADIUS: OUI (MAC address prefix), IP
- DHCP: DHCP class identifier, client identifier, parameter request list, hostname
- DNS: hostname (reverse lookup)
- SNMP: CDP/LLDP/MAC move
- NetFlow: traffic identification
- HTTP: user agent (OS type/version)
- NMAP: scan of OS and common ports
MAB credentials as seen by RADIUS: Username: 00:11:22:33:44:55:66, Password: 00:11:22:33:44:55:66
Probe Data Flow for a Wired Network (SNMP Query, SNMP Trap, RADIUS, DHCP Helper) between Device, Authenticator and Visibility Center:
1. Initial attempt: the authenticator sends EAPOL / ID-Req; 802.1X times out after (max-reauth-req + 1) x tx-timer and the switch falls back to MAB.
2. MAB: the RADIUS exchange ends with Access-Accept and the device is Authorized.
3. Open Mode: the time when the MAC address is moved to the FWD state; a MAC-Notification trap is sent if configured, a Link-State trap if configured; 30 sec until the SNMP query starts.
4. SNMP Query / SNMP Response.
5. DHCP Discovery / Request relayed via the DHCP Helper: the point of profiling.
Attributes collected under Primary Key 00:11:22:33:44:55:66: Switch IP, Port ID, CDP Info, VLAN Data, Session Data, DHCP Options.
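The merge-and-profile step of this flow, as an added Python example that is not part of the deck or of ISE: it folds RADIUS, DHCP and SNMP probe attributes into one record under the MAC primary key and returns both the assigned policy and the signatures that matched (the WHY listed under the profiling benefits). The attribute names, certainty weights and sample events are assumptions constructed for illustration.

```python
"""Added example (not from the deck): merge wired-probe attributes into one record per
MAC (the primary key) and report which profiling signatures matched. Attribute names,
certainty weights and the sample events are constructed, not ISE's real policy data."""
from collections import defaultdict

# Constructed probe events. The phone MAC is derived from the hostname SEP002155D60133
# shown on the sensor slide; the laptop MAC is taken from the port-security slide.
EVENTS = [
    {"probe": "RADIUS", "mac": "00:21:55:D6:01:33", "NAS-IP-Address": "10.1.1.5"},
    {"probe": "DHCP", "mac": "00:21:55:D6:01:33",
     "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-7945G",
     "host-name": "SEP002155D60133"},
    {"probe": "SNMP", "mac": "00:21:55:D6:01:33", "cdpCachePlatform": "Cisco IP Phone 7945"},
    {"probe": "DHCP", "mac": "00:40:3F:55:E3:04",
     "dhcp-class-identifier": "MSFT 5.0", "host-name": "HP-LAPTOP"},
]

# Profiling policies: (attribute, substring to match, certainty weight).
POLICIES = {
    "Cisco-IP-Phone-7945": [("cdpCachePlatform", "7945", 30),
                            ("dhcp-class-identifier", "CP-7945", 20),
                            ("host-name", "SEP", 10)],
    "Cisco-Device": [("oui", "00:21:55", 10), ("dhcp-class-identifier", "Cisco", 10)],
    "Windows-Workstation": [("dhcp-class-identifier", "MSFT", 20)],
}
MIN_CERTAINTY = 10  # a policy scoring below this is not assigned


def build_endpoints(events):
    """Merge every probe's attributes into one record keyed by MAC."""
    endpoints = defaultdict(dict)
    for ev in events:
        mac = ev["mac"].upper()
        rec = endpoints[mac]
        rec["oui"] = mac[:8]  # vendor prefix, available from any probe that sees the MAC
        rec.setdefault("probes", set()).add(ev["probe"])
        rec.update({k: v for k, v in ev.items() if k not in ("probe", "mac")})
    return endpoints


def profile(record):
    """Return (best policy, matched signatures): the 'why' behind the label."""
    best, best_score, best_why = "Unknown", 0, []
    for policy, sigs in POLICIES.items():
        hits = [(a, s, c) for a, s, c in sigs if s in record.get(a, "")]
        score = sum(c for _, _, c in hits)
        if score >= MIN_CERTAINTY and score > best_score:
            best, best_score, best_why = policy, score, [(a, s) for a, s, _ in hits]
    return best, best_why
```

The returned signature list is what lets an operator audit a classification instead of trusting the label alone.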
Probe Implementation Using Profiling Based on RADIUS, DNS, DHCP in a Wired Network
Figure: the switch runs Dot1x Selective Open Mode (only DHCP is permitted) and sends EAP-OL / RADIUS to ISE (the Visibility Center); DHCP is relayed to both the DHCP Server and ISE; ISE runs a DNS probe (reverse lookup).
RADIUS probe yields OUI and IP. DHCP probe yields DHCP class identifier, hostname and requested attributes.
Switch configuration:
interface Vlan20
 ip helper-address @IP_DHCP_server
 ip helper-address @IP_ISE
radius-server host @IP_ISE key xxxx
ip device tracking
Probe Implementation Cont.: SNMP/CDP/LLDP, NetFlow
Figure: the switch delivers CDP/LLDP/MAC notification data to ISE over SNMP and exports NetFlow v5 or v9.
Switch configuration (SNMP):
snmp-server community xxxxxx RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host @IP_ISE version 2c xxxxxx
ISE queries the following MIBs: system, cdpCacheEntry, cLApEntry (if the device is a WLC), cldcClientEntry (if the device is a WLC).
LinkUp / MAC Notification / RADIUS Acct Start event queries: interface data (ifIndex, ifDesc, etc.), port and VLAN data, session data (if the interface type is Ethernet), CDP data (if the device is Cisco).
Switch configuration (NetFlow v5 or v9):
ip flow-export destination @IP_ISE
ip flow-export source FastEthernet0/1
ip flow-export version 9
NMAP Active Scan: Manual Scan
For a manual scan, specify the subnet then click « Run Scan »; click to see the scan results.
Devices will be added to the database only if the real MAC address is known; use an alternate probe to discover the MAC address (e.g. the RADIUS or SNMP probe).
A large network scan could be very time consuming and could add a heavy load to the ISE service node.
Switch Sensor
• Low-touch deployment
• Profiling based on CDP/LLDP or DHCP
• Centralized visibility without a big ISE sensor investment
• Automatic discovery for most common devices (printers, Cisco devices, phones)
• Topology independent
Switch Sensor: Distributed Probes
Switch Sensor: Endpoint Profiling Policy Assignment indicates the matched profiling policy; Calling-Station-ID indicates the endpoint MAC address; Device IP Address indicates the switch; CDP and DHCP information are used for profiling.
Switch Device Sensor Cache
Switch Sensor in Action
Device sensor cache entries for the phone (CDP and DHCP): Cisco IP Phone 7945 / SEP002155D60133; Cisco Systems, Inc. IP Phone CP-7945G / SEP002155D60133
ISE profiling result
• Contextual application-based information from one view
• What are the top servers and top clients in my network that are having the worst transaction time? Assessed by looking at Worst Clients by transaction time and Application Server Performance
• Which of my sites are experiencing the worst transaction time for any given application? Obtained by looking at Worst Sites by transaction time
• Which of my clients are using the most bandwidth? Top N Clients (In and Out)
• How are my application traffic statistics trending over time? Application Traffic Analysis dashlet
Figure (Enforcement Mode): pre-AuthC the switchport sees KRB5, HTTP, TFTP, DHCP and EAPoL; post-AuthC a Role-Based ACL applies (Permit Some: KRB5, HTTP, RDP, DHCP, EAPoL shown).
Enforcement Mode: If Authentication is Valid, then Specific Access!
• AuthC success = role-specific access
• dVLAN assignment / dACLs: specific dACL, dVLAN
• Secure Group Access (SGT)
• Still allows pre-AuthC access for thin clients, PXE, etc.
• WebAuth for non-authenticated
Interface Config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
Closed Mode: No Access prior to Login, then Specific Access!
• Default 802.1X behavior
• No access at all prior to AuthC
• Still use all AuthZ enforcement types: dACL, dVLAN, SGA
• Must take considerations for thin clients & PXE, etc.
Interface Config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
Figure (Closed Mode): pre-AuthC the switchport permits EAP only (DHCP, TFTP, KRB5 and HTTP are blocked); post-AuthC: Permit All, Role-Based ACL, or SGT.