Gaining Visibility by Using the Network
Daniel Braine, CCIE R/S: 24663, Security/Wireless CSE, Dec 2012


[Diagram: Access / Core / Data Center topology with a Print Server, SQL Server and Analyst Server, repeated for each of the three scenarios below]

User-Based Decision

The Security Management & Operations Team asks:
• Who's actually on my network?
• What's actually on my network?
• Where are these devices plugged in?
• Where have the devices been?
• Have there been security violations?

Red Net / Gray Net / Black Net

Fly By the Seat of Your Pants Network Management

Attempt at Enforcement: Port Security

[Diagram: one switch with four MAC-addressed endpoints; the switch configuration holds a static list of permitted MACs and a second switch reports to a syslog server]
Configuration, permitted MACs: 00:40:3F:55:E3:04, 04:53:32:EA:35:9F, 67:8B:C4:C6:75:32, 04:53:32:EA:33:63
Syslog server / configuration, permitted MACs: 00:23:3F:3E:E3:36, 57:53:32:EA:35:72, 3C:8B:C4:C6:75:93, 12:53:32:3B:AA:CA

•  Classification Mechanisms: Types of Identity (Device Only)

•  Configuration: Manual Moves, Adds, and Changes – Decentralized Approach

•  Identity Verification: None

•  Differentiated Access: None (Permit Access Only)

•  Roaming Abilities: None

•  Recovery From Failure: Manual/Time-Based (Err-Disable)

•  Scalability: Not scalable, headache to manage

= SECURED?!...SOMEWHAT

[Diagram: a switchport in its default open state. SSH, HTTPS, DHCP and TFTP all pass; nothing is checked at the network, transport, session or presentation layers.]

• Server admins are left holding the keys to security.
• Functionality and availability are at the forefront; visibility is an afterthought.
• Admins are not able to monitor live connections to the network.
• Forced to scroll through application logs.

Why Not Network Access Policy?

The Vision: "God Mode Enabled" Network Management

Employee Device Location:
- East Wing Rm 402: Port 21 of Cisco 3750X switch
- West Wing Rm 109: Port 45 of Cisco 3750X switch
- North Wing Rm 800: Port 3/30 of Cisco 6500 switch
Employee Device IP: 172.16.99.2, 172.16.99.80, 172.16.99.5, 172.16.99.190
Employee Device Type: Windows XP SP3 Dell; Windows 7 HP
Application Use: HTTPS 60%, Collaboration 25%, Voice 10%, Video 5%
VLAN Access: 99, 20, 45
Authorized Permissions: Allow HTTPS, Allow Collaboration, Allow Video, Allow Voice, Deny Analyst Database Access
Status: On Network / Off Network

Exploring the Solution: The First Step Towards Visibility

Monitoring for Visibility (Find the "who")

[Diagram: switchport in monitor mode. Pre-AuthC and Post-AuthC are both "Permit All": KRB5, HTTP, TFTP, DHCP and EAPoL are always allowed.]

• Enables 802.1X authentication on the switch
• But: even a failed authentication will gain access
• Allows network admins to see who would have failed, and supplies the "who" attribute for visibility
• Most important note: WE DON'T WANT TO BLOCK
• Authentication is optional, but can be transparent

Authentication Overview

EAPoL (endpoint to switch) -> RADIUS (switch to Visibility Center) -> Backend Database

Credential: User/Password (e.g. user1 / C#2!ç@_E(), Certificate, or Token (e.g. RSA SecurID)
Identity: Machine and/or User
Backend database: Active Directory, generic LDAP, PKI, RADIUS (e.g. SafeWord token server), local DB
Identity Source Sequences

Identifying a User or Endpoint

Visibility Center: Authentication Credentials

Credential type | Why you might use it | Why you might not use it | Example EAP type
Username/password | Familiar concept; everyone already has one (e.g. AD); can re-use existing passwords and password-management techniques | Passwords can be stolen; single-factor authentication; must be sent in an encrypted tunnel | PEAP-MSCHAPv2
Soft certificates (stored on hard drive) | Two-factor auth; auto-enrollment simplifies PKI | Extensive PKI (server certs, user certs, machine certs) requires dedicated IT/admin | EAP-TLS
Hard certificates (USB, TPM) | Up to three-factor auth | Significant overhead | EAP-TLS
PAC (Protected Access Credential) | Faster processing | Still need a password or cert for initial provisioning | EAP-FAST

Exploring the Solution: The Second Step Towards Visibility

Device Classification Visibility: PCs vs. non-PCs (UPS, phone, printer, AP)

Additional benefits of profiling:
- Visibility: a view of what is truly on your network
- Tracking of where a device has been, what IP addresses it has had, and other historical data
- An understanding of WHY the device was profiled as a particular type (which profile signatures were matched)

Understand Network Probes Available

• In order to figure out the "what", we need to use the information we have available.

Probes: RADIUS, DHCP, DNS, HTTP, SNMP, NetFlow, DHCP SPAN, NMAP

Classifying Endpoints: Considerations (for your reference)
• Passive assessment or active polling/scanning?
• What is performing the data collection and what can be collected?
  – Dedicated collection devices or existing infrastructure? Must traffic pass inline?
  – SNMP data? DHCP? RADIUS? Packet capture for deeper analysis?
• Which attributes constitute device type X?
  – Is MAC OUI alone good enough? What about DHCP data, location, connection protocols, or network traffic?
• Can I collect the needed attributes to make a decision?
  – Will additional collection devices need to be deployed?
  – What is the network or endpoint load impact?
• How is my profile for Device X created, maintained, updated?

Select Data Probes for a Wired Network

• Best practice: for a wired network we recommend using a combination of RADIUS, DHCP, DNS and SNMP. HTTP and NetFlow can also be used as additional methods when required.

Probe | Attributes collected
RADIUS | OUI (MAC address prefix), IP
DHCP | DHCP class identifier, client identifier, parameter request list, hostname
DNS | Hostname (reverse lookup)
SNMP | CDP / LLDP / MAC move
NetFlow | Traffic identification
NMAP scan | OS and common ports
HTTP | User agent (OS type/version)

MAB RADIUS request: Username: 00:11:22:33:44:55:66, Password: 00:11:22:33:44:55:66 (the endpoint MAC address is sent as both username and password)

Probe Data Flow for a Wired Network: SNMP Query, SNMP Trap, RADIUS, DHCP Helper

Sequence between Device, Authenticator (switch) and Visibility Center:
1. Initial attempt: 802.1X (EAPoL Identity-Request to the device).
2. 802.1X times out after (max-reauth-req + 1) x tx-period (with the IOS defaults of max-reauth-req 2 and tx-period 30 s this is 90 s); the switch falls back to MAB.
3. RADIUS Access-Accept for the MAB request. Open mode: this is the time when the MAC address is moved to the FWD state.
4. MAC-Notification trap is sent if configured; link-state trap if configured. 30 s later the Visibility Center starts its SNMP query.
5. DHCP Discover / Request is relayed by the DHCP helper.
6. SNMP response.
7. Point of profiling: the device is Authorized.

Primary key: 00:11:22:33:44:55:66
Attributes: Switch IP, Port ID, CDP info, VLAN data, session data, DHCP options, EAPOL / ID-Req
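The correlation the data-flow sequence above describes, as an added example written for this page (it is not ISE code and not from the original deck): each probe contributes attributes keyed on the endpoint MAC address, and profile rules score the accumulated attributes, so the answer depends on which probes have reported by the time profiling runs. The OUI table, the DHCP option bytes, the switch IP, the rule weights and the certainty threshold are constructed for the example; ISE's real rule set and weights differ.

```python
"""Added example, not from the slides or from ISE: probe attributes keyed on
the endpoint MAC address (the "primary key") and a score-based profile match."""
from collections import defaultdict

# Constructed OUI table (first three octets -> vendor); 00:21:55 is a Cisco OUI.
OUI_TABLE = {"00:21:55": "Cisco", "00:1E:C9": "Dell"}

# Constructed rules: profile -> (attribute, predicate, weight). A profile matches
# when its summed weight reaches MIN_CERTAINTY; the highest score wins.
PROFILE_RULES = {
    "Cisco-IP-Phone": [
        ("OUI", lambda v: v == "Cisco", 10),
        ("dhcp-class-identifier", lambda v: v.startswith("Cisco Systems, Inc. IP Phone"), 20),
        ("cdpCachePlatform", lambda v: "IP Phone" in v, 30),
    ],
    "Windows-Workstation": [
        ("dhcp-class-identifier", lambda v: v == "MSFT 5.0", 30),
        ("dhcp-parameter-request-list", lambda v: v.startswith("1,15,3,6,44"), 20),
    ],
}
MIN_CERTAINTY = 30


def parse_dhcp_options(raw: bytes) -> dict:
    """Walk the DHCP options field (code, length, value ...) up to the 0xFF end
    marker and keep what the DHCP probe uses: 12 = hostname, 55 = parameter
    request list, 60 = vendor class identifier."""
    found, i = {}, 0
    while i < len(raw) and raw[i] != 0xFF:
        code = raw[i]
        if code == 0:                       # pad byte: no length field
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        i += 2 + length
        if code == 12:
            found["dhcp-host-name"] = value.decode("ascii", "replace")
        elif code == 55:
            found["dhcp-parameter-request-list"] = ",".join(str(b) for b in value)
        elif code == 60:
            found["dhcp-class-identifier"] = value.decode("ascii", "replace")
    return found


def dhcp_option(code: int, value: bytes) -> bytes:
    """Encode one option as code, length, value (used to build the sample packet)."""
    return bytes([code, len(value)]) + value


class EndpointDB:
    """One attribute dictionary per MAC address; every probe merges into it."""

    def __init__(self):
        self.endpoints = defaultdict(dict)

    def radius_probe(self, calling_station_id, nas_ip, nas_port):
        """RADIUS (MAB or 802.1X) supplies the MAC, the switch IP and the port."""
        mac = calling_station_id.upper()
        self.endpoints[mac].update({"OUI": OUI_TABLE.get(mac[:8], "Unknown"),
                                    "NAS-IP-Address": nas_ip, "NAS-Port-Id": nas_port})
        return mac

    def dhcp_probe(self, mac, options_bytes):
        """DHCP relayed to the profiler by ip helper-address supplies options 12/55/60."""
        self.endpoints[mac.upper()].update(parse_dhcp_options(options_bytes))

    def snmp_probe(self, mac, cdp_platform):
        """SNMP query of cdpCacheEntry on the switch supplies the CDP platform string."""
        self.endpoints[mac.upper()]["cdpCachePlatform"] = cdp_platform

    def profile(self, mac):
        """Return (profile name, certainty) for the attributes collected so far."""
        attrs = self.endpoints[mac.upper()]
        best, best_score = "Unknown", 0
        for name, conditions in PROFILE_RULES.items():
            score = sum(w for attr, ok, w in conditions if attr in attrs and ok(attrs[attr]))
            if score >= MIN_CERTAINTY and score > best_score:
                best, best_score = name, score
        return best, best_score


# Constructed phone packet, using the attribute strings the switch-sensor slide shows.
PHONE_MAC = "00:21:55:D6:01:33"
PHONE_DHCP_OPTIONS = (dhcp_option(12, b"SEP002155D60133")
                      + dhcp_option(60, b"Cisco Systems, Inc. IP Phone CP-7945G") + b"\xff")


def walk_data_flow():
    """Replay the slide's event order and record the profile after each probe."""
    db = EndpointDB()
    mac = db.radius_probe(PHONE_MAC, "10.0.0.2", "GigabitEthernet1/0/1")
    after_radius = db.profile(mac)          # OUI alone scores 10: below MIN_CERTAINTY
    db.dhcp_probe(mac, PHONE_DHCP_OPTIONS)
    after_dhcp = db.profile(mac)            # OUI + class identifier: 30
    db.snmp_probe(mac, "Cisco IP Phone 7945")
    after_snmp = db.profile(mac)            # + CDP platform: 60
    return after_radius, after_dhcp, after_snmp


if __name__ == "__main__":
    for stage, result in zip(("RADIUS", "DHCP", "SNMP"), walk_data_flow()):
        print(f"after {stage}: {result}")
```

The point of `walk_data_flow` is the "point of profiling" in the sequence above: right after the RADIUS Access-Accept the only evidence is the OUI, which is not enough to classify, and the DHCP helper and the delayed SNMP query are what raise the certainty. The same is true of any profiler: a MAC OUI alone should never authorize a device-type-specific policy.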

Probe Implementation Using Profiling Based on RADIUS, DNS, DHCP in a Wired Network

[Diagram: endpoint -> switch (EAPoL) -> Visibility Center (RADIUS); the DHCP server and DNS are reached through the switch]

RADIUS probe: OUI, IP
  radius-server host @IP_ISE key xxxx
  ip device tracking
DNS probe: reverse lookup
DHCP probe: DHCP class identifier, hostname, requested attributes
  interface Vlan20
    ip helper-address @IP_DHCP_server
    ip helper-address @IP_ISE
Dot1x Selective Open Mode: only DHCP is permitted

Probe Implementation (cont.): SNMP/CDP/LLDP, NetFlow

SNMP probe (CDP / LLDP / MAC notification):
  snmp-server community xxxxxx RW
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host @IP_ISE version 2c xxxxxx
(The profiler only reads from the switch, so a read-only community is sufficient; an RW community shared with the visibility platform grants write access to the switch configuration and should be avoided.)

Queries the following MIBs:
  - system
  - cdpCacheEntry
  - cLApEntry (if the device is a WLC)
  - cldcClientEntry (if the device is a WLC)

LinkUp / MAC notification / RADIUS Accounting Start event queries:
  - interface data (ifIndex, ifDescr, etc.)
  - port and VLAN data
  - session data (if the interface type is Ethernet)
  - CDP data (if the device is Cisco)

NetFlow v5 or v9:
  ip flow-export destination @IP_ISE
  ip flow-export source FastEthernet 0/1
  ip flow-export version 9
(On IOS the destination line also takes the collector's UDP port as its last argument.)

NMAP Active Scan (manual scan)
• For a manual scan, specify the subnet then "Run Scan"; click to see the scan results.
• Devices will be added to the database only if the real MAC address is known: use an alternate probe to discover the MAC address (e.g. the RADIUS or SNMP probe).
• A large network scan could be very time consuming and could add a heavy load to the ISE service node.

Switch Sensor

• Low-touch deployment
• Profiling based on CDP/LLDP or DHCP
• Centralized visibility without a big ISE sensor investment
• Automatic discovery for most common devices (printers, Cisco devices, phones)
• Topology independent

Switch Sensor: distributed probes

Switch Sensor: Endpoint Profiling
  Policy Assignment: indicates the matched profiling policy
  Calling-Station-ID: indicates the endpoint MAC address
  Device IP Address: indicates the switch
  CDP and DHCP information are used for profiling.

Switch Sensor in Action
[Screenshots: the switch Device Sensor cache on the left, the ISE profiling result on the right]
Device attributes shown for the example phone:
  CDP platform: Cisco IP Phone 7945
  CDP device ID / DHCP hostname: SEP002155D60133
  DHCP class identifier: Cisco Systems, Inc. IP Phone CP-7945G
More attributes, and more attributes...

Profiling: Determining Required Profile Attributes
• Feeds OUIs, profiles, posture and bootstraps
• Has an approval / publish process

Exploring the Solution: The Final Step Towards Visibility

• Live Authentications and Correlated Sessions. Send CoA right from here!
• Contextual, application-based information from one view:
  – Which are the Top Servers and Top Clients in my network with the worst transaction time? Assessed by looking at Worst Clients by transaction time and Application Server Performance.
  – Which of my Sites are experiencing the worst transaction time for any given application? Obtained by looking at Worst Sites by transaction time.
  – Which of my Clients are using the most bandwidth? Top N Clients (In and Out).
  – How are my application traffic statistics trending over time? Application Traffic Analysis dashlet.

Beyond Visibility: Looking Ahead

[Diagram: switchport in enforcement mode. Pre-AuthC: KRB5, HTTP, TFTP, DHCP and EAPoL permitted. Post-AuthC: a role-based ACL permits some traffic (KRB5, HTTP, RDP, DHCP, EAPoL).]

Enforcement Mode: If Authentication is Valid, then Specific Access!
• AuthC success = role-specific access
• dVLAN assignment / dACLs
• Specific dACL, dVLAN
• Secure Group Access (SGT)
• Still allows pre-AuthC access for thin clients, PXE, etc.
• WebAuth for the non-authenticated

Interface Config:
  interface GigabitEthernet1/0/1
    authentication host-mode multi-auth
    authentication open
    authentication port-control auto
    mab
    dot1x pae authenticator
    ip access-group default-ACL in

Closed Mode: No Access prior to Login, then Specific Access!
• Default 802.1X behavior
• No access at all prior to AuthC
• Still use all AuthZ enforcement types: dACL, dVLAN, SGA
• Must take considerations for thin clients & PXE, etc.

Interface Config:
  interface GigabitEthernet1/0/1
    authentication host-mode multi-auth
    authentication port-control auto
    mab
    dot1x pae authenticator

[Diagram: switchport in closed mode. Pre-AuthC: Permit EAP only (DHCP, TFTP, KRB5, HTTP blocked). Post-AuthC: Permit All, or a role-based ACL, or SGT.]

Policy context attributes: Device Type, Location, User, Posture, Time, Access Method, Custom
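The three port modes contrasted above (monitor mode with `authentication open` and no ACL, enforcement mode with `authentication open` plus a pre-auth ACL and role-based authorization, and closed mode), as an added example written for this page rather than code from the deck or from IOS: a small model of what a switchport does with a new endpoint in each mode, including the 802.1X-to-MAB fallback timer from the data-flow slide. The timer defaults are the IOS defaults (tx-period 30 s, max-reauth-req 2); the ACL names, MAC address and RADIUS results are constructed.

```python
"""Added example, not from the slides or IOS: a model of per-port access under
the monitor, enforcement (open + pre-auth ACL) and closed modes described above."""

TX_PERIOD_DEFAULT = 30        # IOS default for: dot1x timeout tx-period (seconds)
MAX_REAUTH_REQ_DEFAULT = 2    # IOS default for: dot1x max-reauth-req (retries)

PERMIT_ALL = "permit all"
PERMIT_EAPOL_ONLY = "permit EAPoL only"


def dot1x_fallback_seconds(tx_period=TX_PERIOD_DEFAULT, max_reauth_req=MAX_REAUTH_REQ_DEFAULT):
    """Seconds a silent (non-supplicant) endpoint waits before the switch gives up
    on EAPoL and tries MAB: (max-reauth-req + 1) x tx-period, per the data-flow slide."""
    return (max_reauth_req + 1) * tx_period


def port_session(mode, mac, dot1x_result, mab_result, role_acl,
                 pre_auth_acl=None, webauth=False):
    """Describe one endpoint session on a port.

    mode:         'monitor'     -> authentication open, no pre-auth ACL
                  'enforcement' -> authentication open + 'ip access-group <pre_auth_acl> in'
                  'closed'      -> default 802.1X, no authentication open
    dot1x_result: 'accept', 'reject' or None (endpoint never answered EAPoL)
    mab_result:   'accept', 'reject' or None (MAB not attempted)
    role_acl:     constructed name for the dACL / dVLAN / SGT pushed on success
    """
    if mode not in ("monitor", "enforcement", "closed"):
        raise ValueError(f"unknown mode {mode!r}")

    # Pre-AuthC access is fixed by the port configuration alone.
    if mode == "monitor":
        pre_auth = PERMIT_ALL
    elif mode == "enforcement":
        pre_auth = pre_auth_acl or "default-ACL"
    else:
        pre_auth = PERMIT_EAPOL_ONLY

    # 802.1X runs first; MAB runs only after EAPoL has timed out with no answer.
    if dot1x_result is not None:
        method, result, wait = "dot1x", dot1x_result, 0
    else:
        method, result, wait = "mab", mab_result, dot1x_fallback_seconds()
    authc_success = result == "accept"

    # Post-AuthC access: success is role-specific in every mode; failure differs.
    if authc_success:
        post_auth = role_acl
    elif mode == "monitor":
        post_auth = PERMIT_ALL              # failed AuthC still gains access: visibility only
    elif mode == "enforcement":
        post_auth = "WebAuth redirect" if webauth else pre_auth   # stays on the pre-auth ACL
    else:
        post_auth = "no access"             # closed mode: port stays unauthorized

    return {"method": method, "result": result, "seconds_before_mab": wait,
            "identity_seen": f"{mac} via {method}",
            "pre_auth": pre_auth, "post_auth": post_auth}


if __name__ == "__main__":
    # The same non-supplicant device, rejected by MAB, in each of the three modes.
    for mode in ("monitor", "enforcement", "closed"):
        print(mode, port_session(mode, "00:21:55:D6:01:33", None, "reject", "PRINTER-dACL"))
```

In every mode the "who" (the MAC, or the 802.1X identity) reaches the RADIUS server, which is why monitor mode already delivers visibility; what changes between modes is only what a failed or silent endpoint is allowed to do before and after the decision. Note also that a non-supplicant endpoint sits for `dot1x_fallback_seconds()` (90 s at defaults) before MAB runs, which is the delay thin clients and PXE boots hit in closed mode.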