
Inside Cisco IT:

How Cisco IT Deploy ISE and TrustSec Throughout the Enterprise

Donald Gunn – Program Manager IT, Cisco

Adam Cobbsky – Senior Engineer IT, Cisco

BRKCOC-2279

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCOC-2279

Related ISE Sessions

• Designing ISE for Scale & High Availability [BRKSEC-3699]
• Deploying ISE in a Dynamic Environment [BRKSEC-2059]
• ISE under magnifying glass. How to troubleshoot ISE [BRKSEC-3229]
• Lets get practical with your network security by using Cisco Identity Services Engine (Cisco ISE) [BRKSEC-2464]
• Advanced Security Integration, Tips & Tricks [BRKSEC-3557]

Agenda

• Defending the Enterprise
• Addressing the Challenge
• Guest Access
• Production System Architecture
• Increasing Security Step by Step
• Enforcement
• Identity Based Differentiated Access
• Posture Based Differentiated Access
• Q&A

Defending the Enterprise


Cisco at a Glance

• 10,690 UCS Servers
• 76,136 Virtual Machines
• 28.1 MW Data Center Capacity
• 87 PB Overall Usable Storage
• 72,354 Employees
• 434 Offices
• 94 Countries
• 6,243 Routers
• 8,415 LAN Switches
• 133,361 Connected Stakeholders
• 192,770 Connected User Devices
• 100 Services
• 7.6 Billion DNS Requests per day
• 500+ Cloud ASPs
• 47 TB Daily Bandwidth Usage
• 468 WLCs

Global Distribution of IT Staff: SJC 45%, India 21%, RTP 14%, EU/EM 7%, AP Other 7%, AM Other 6%

Data as of January 2018

Cisco IT Network Security Requirements

Visibility + Attribution

Control

Consistency

Centralization

Automation

Simplification

Integration

Real-Time Defense


What is Identity Services Engine (ISE)?

A centralized security solution that enables context-aware access control and shares contextual data.

Access policy for network resources, traditional and Cisco TrustSec®:
• BYOD Access
• Threat Containment
• Guest Access
• Role-Based Access
• Identity Profiling and Posture

ISE acts as the network’s door controller and shares context over pxGrid: Who, What, When, Where, How, Compliant, Threat, Vulnerability

Cisco IT ISE Production Deployment Metrics

Guest Net (Internet):
• ISE 1.2, 8 VMs, 2 DCs
• ~14K Guests/Day via CWA (Central Web Auth)

Corporate Access (WLAN, CVO, VPN, LAN):
• ISE 2.1, 24 VMs, 8 DCs
• 1.5 Million active profiled “Endpoints”
• Max ~450K Concurrent “Endpoints”
• 26K CVO x 2; ~60K EP
• 468 WLC; ~200K EP
• 70 ASA; ~90K EP
• 2K SW; ~200K EP
• 25 Sites; ~50K EP

Seamless Connectivity and Integrated Security

Identity Services Engine integrates with:
• Wireless Devices
• AnyConnect: VPN, Umbrella, AMP for Endpoints
• WSA, ESA
• AMP for Network
• Wired Network Devices
• Adaptive Security Appliance
• Device Management
• StealthWatch
• AMP Threat Grid
• FireSight
• Home Access (CVO)
• Umbrella
• Cisco Core Network

ISE As a Data Provider - Spark Board Locations

Addressing the Challenge


ISE Program Management Structure

ISE Program Management coordinates:
• Desktop & Mobility Services: Device Management, Posture Compliance, User Experience
• ISE Architecture & Design: Security model & ISE Architecture
• Network Infra & Security Services: Access, Platform management, Deployment & Operations
• ISE BU & TAC: ISE Best Practices, Config Optimization, Support
• InfoSec: Security Policies, Quarantine
• Directory Services (AD)
• DC & Hosting Services (VMs)

Sample ISE Basic Deployment Roadmap

Phases: Phase 1 (Foundation), Phase 2, Phase 3, Phase 4, Phase 5, Completion

Infra track: Design, Proof of Concepts, Data Analysis; ISE 1.2 Install (Foundation); Apply patches; Fine tune, Optimize; ISE 1.3 Upgrade; ISE 1.4 Upgrade; Fine tune, Optimize; ISE 2.1 Upgrade; Fine tune

Network track (Guest, Wireless, Monitor, VPN, Wired):
• Guest Access
• Wireless (WLAN) Auth Deployment
• CVO (Home Office) Wireless Auth
• VPN Auth
• CVO Wired Auth
• Monitor: Endpoint Analysis – Wired dot1x Monitor Mode (MM) & Profiling
• Wired 802.1X Monitor Mode Deployment
• Limited Sites Wired Auth
• Global Wired Auth Enforcement
• Quarantine/Remediation
• Posture Enforcement (ISE)
• Posture Assessment (DM)
• pxGrid Integration
• Security Group Tagging (SGT) – Advanced Capabilities

Capabilities delivered: 802.1x Authentication, Guest Access

Guest Access Deployment (ION)

Guest account creation:
• Sponsor Portal (GSS) internet.cisco.com, via the sponsor VIPs ion-mtv-sponsor and ion-aer-sponsor
• Visitor Management Tool (API Integration)
• Lobby Ambassadors (Physical & Virtual), Integration With Reception

Authentication:
• NADs in AMER and in EMEA/APJC (wireless access and wired access) send guests to the Guest Portal Auth VIPs ion-mtv-guest and ion-aer-guest
• ION LB VIPs front the PSNs in each DC

Nodes:
• MTV: Primary PAN and MnT (PPAN alias), PSN, PSN
• AER: Secondary PAN and MnT, PSN, PSN

Cisco IT ISE Guest Network

Top 4 cities by number of guest authentications on a typical business day (chart): 6,379; 3,583; 2,232; 2,107

Production System Architecture

Single Global ISE Deployment (WLAN, CVO, LAN, VPN)

• 24 ISE Nodes
• 20 PSNs; 8 DCs (Node Groups): AER, RTP, ALN, SNG, TYO, HKG, BGL, MTV
• Primary ISE PAN/M&T and Secondary ISE PAN/M&T

Cisco IT ISE Global Deployment (WLAN, VPN, LAN)

Map (figure): ISE PSNs, Data Centers (8), Network Devices (sites/cities)

Authentication Statistics (24 hours) (figure)

ISE Deployment High Availability Architecture

• Load balancer VIPs per data center (MTV-VIPs, RTP-VIPs, ALN-VIPs), each in front of a group of PSNs
• HA NAD Configuration: Primary and Secondary RADIUS servers chosen by NAD proximity
• Modularity: VIP by service (MTV-WLAN, MTV-LAN, MTV-VPN, MTV-CVO)
• PPAN → SPAN: automatic failover from the Primary to the Secondary PAN; PMnT / SMnT in MTV and ALN
• ISE product evolution tracked in the HA SLB configuration

HA SLB Configuration – the load balancer runs a user-probe authentication against each PSN (“Is PSN Authenticating?”) behind the per-service VIP:
• Interval = 10 sec
• Down Time = 30 sec
• Retries = 3
(PSN1, PSN2, PSN3 behind the load balancer)

We Recommend You Use Load Balancers

• Ease of global configuration
• Overcome device limits for AAA servers
• Ease of migration, cluster split. No need to change thousands of network devices

Request for service at a single host, ‘psn-cluster’ (VIP 10.1.98.10 on VLAN 98, 10.1.98.0/24), in front of ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6 and ISE-PSN-3 10.1.99.7 (VLAN 99, 10.1.99.0/24):

1. Access device sends a DNS request to resolve the psn-cluster.company.com FQDN; DNS response = 10.1.98.10
2. Request sent to the Virtual IP Address (VIP) 10.1.98.10 (PSN-CLUSTER on the LB)
3. Response received from the real server ise-psn-3 @ 10.1.99.7

Load Balancing Dashboard

Authentication, Accounting, and Profiling events over 24 hours.


Consideration When Using Load Balancers

RADIUS Change of Authorization (CoA) is sent to the NAD from whichever address the ISE side presents, and the NAD only honours CoA from a configured dynamic-author client, so the client list must match the CoA source address.

Before (CoA SRC = 10.1.99.x, each PSN’s real address; one entry per PSN):

  aaa server radius dynamic-author
   client 10.1.99.5 server-key cisco123
   client 10.1.99.6 server-key cisco123
   client 10.1.99.7 server-key cisco123
   client 10.1.99.8 server-key cisco123
   client 10.1.99.9 server-key cisco123
   client 10.1.99.10 server-key cisco123
   <…one entry per PSN…>

After (CoA SRC = 10.1.98.10, the SLB VIP; ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 and ISE-PSN-X 10.1.99.x sit behind SLB 10.1.98.10):

  aaa server radius dynamic-author
   client 10.1.98.10 server-key cisco123
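To check this before cutting a NAD over to the VIP, here is an added example (not from the session or Cisco tooling) that parses a NAD’s dynamic-author block and reports which CoA source addresses it would accept; the three PSN addresses, the VIP and the key are taken from the slide, and the two config snippets are constructed to match its “Before” and “After”.

```python
"""Audit which RADIUS CoA sources a NAD will accept (added example).

Cisco IOS honours a CoA request only when it arrives from a configured
dynamic-author client and the key matches.  Fronting PSNs with a load
balancer changes the CoA source from the PSN's real address (10.1.99.x)
to the SLB VIP (10.1.98.10), so the client list must change with it.
The configs below are constructed from the slide (three PSNs, key "cisco123").
"""

NAD_CONFIG_BEFORE = """\
aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
!
"""

NAD_CONFIG_AFTER = """\
aaa server radius dynamic-author
 client 10.1.98.10 server-key cisco123
!
"""

PSN_REAL_IPS = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]  # ISE-PSN-1..3 on the slide
SLB_VIP = "10.1.98.10"


def parse_dynamic_author(config):
    """Return {client_ip: server_key} from the 'aaa server radius dynamic-author' block."""
    clients = {}
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("aaa server radius dynamic-author"):
            in_block = True
            continue
        if not in_block:
            continue
        if raw.startswith(" ") and line.startswith("client "):
            parts = line.split()  # client <ip> server-key <key>
            key = parts[parts.index("server-key") + 1] if "server-key" in parts else None
            clients[parts[1]] = key
        elif not raw.startswith(" "):
            in_block = False  # left the dynamic-author sub-mode
    return clients


def coa_accepted(clients, src_ip, key):
    """A CoA is accepted only for a listed source whose key matches."""
    return clients.get(src_ip) is not None and clients[src_ip] == key


def audit(config, coa_sources, key="cisco123"):
    """Map each candidate CoA source address to whether this NAD would honour it."""
    clients = parse_dynamic_author(config)
    return {ip: coa_accepted(clients, ip, key) for ip in coa_sources}


if __name__ == "__main__":
    for label, cfg in (("before", NAD_CONFIG_BEFORE), ("after", NAD_CONFIG_AFTER)):
        print(label, audit(cfg, PSN_REAL_IPS + [SLB_VIP]))
```

Running it shows the mismatch cases the slide warns about: the “Before” config silently drops CoA sourced from the VIP, and the “After” config drops CoA sourced from a PSN’s real address.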

Increasing Security Step by Step

• First Steps
• In the Lab
• Wired 802.1x
• Identity Based Differentiated Access
• Posture Based Differentiated Access

When You First Enable ISE: 802.1X Wired – Monitor Mode

MONITOR MODE
• AuthC without Enforcement
• Prepares for Enforcement Mode
• Evaluates Remaining Risk
• Provides Baseline

RADIUS Authentication & Accounting Logs:
• Passed / Failed 802.1X (Who has bad credentials? Misconfigurations?)
• Passed / Failed MAB attempts (What don’t I know?)

What the NAD reports to ISE (figure): .1X-Pass, Known MAC, Unknown MAC, .1X Failures
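As an added example (not from the session) of the monitor-mode triage described above, the script below sorts authentication records into the slide’s four buckets and answers its two questions; the records and their whitespace layout are constructed for the example and are not ISE’s export format.

```python
"""Monitor-mode triage of RADIUS authentication records (added example).

Constructed records: timestamp, NAD, port, method, result, identity, reason.
Buckets are the slide's: .1X-Pass, Known MAC (MAB passed), Unknown MAC
(MAB failed) and .1X Failures.
"""
from collections import Counter, defaultdict

SAMPLE_RECORDS = """\
2018-05-21T08:01:02Z sw-bldg1-a Gi1/0/5 dot1x PASS jdoe -
2018-05-21T08:01:09Z sw-bldg1-a Gi1/0/7 mab PASS 00:1B:54:11:22:33 -
2018-05-21T08:02:15Z sw-bldg1-b Gi1/0/2 dot1x FAIL asmith bad-password
2018-05-21T08:02:40Z sw-bldg1-b Gi1/0/9 mab FAIL 3C:5A:B4:77:88:99 endpoint-not-found
2018-05-21T08:03:05Z sw-bldg2-a Gi2/0/1 dot1x FAIL asmith bad-password
2018-05-21T08:03:30Z sw-bldg2-a Gi2/0/3 mab FAIL 3C:5A:B4:AA:BB:CC endpoint-not-found
2018-05-21T08:04:00Z sw-bldg2-a Gi2/0/4 dot1x FAIL mwong cert-expired
2018-05-21T08:04:12Z sw-bldg2-b Gi2/0/6 mab PASS 00:1B:54:44:55:66 -
"""

FIELDS = ("ts", "nad", "port", "method", "result", "identity", "reason")


def parse_records(text):
    """One dict per well-formed line; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def classify(rec):
    """Map a record to the slide's four monitor-mode buckets."""
    passed = rec["result"] == "PASS"
    if rec["method"] == "dot1x":
        return ".1X-Pass" if passed else ".1X Failures"
    if rec["method"] == "mab":
        return "Known MAC" if passed else "Unknown MAC"
    return "Other"


def monitor_mode_report(records):
    """Baseline counts plus the two questions the slide asks of the logs."""
    buckets = Counter(classify(r) for r in records)
    bad_creds = defaultdict(Counter)      # "Who has bad credentials?" -> identity, reason
    unknown_by_oui = defaultdict(set)     # "What don't I know?" -> unknown MACs by OUI
    for r in records:
        bucket = classify(r)
        if bucket == ".1X Failures":
            bad_creds[r["identity"]][r["reason"]] += 1
        elif bucket == "Unknown MAC":
            unknown_by_oui[r["identity"][:8].upper()].add(r["identity"].upper())
    return {
        "buckets": dict(buckets),
        "bad_credentials": {k: dict(v) for k, v in bad_creds.items()},
        "unknown_by_oui": {k: sorted(v) for k, v in unknown_by_oui.items()},
    }


def enforcement_impact(records):
    """Remaining risk (upper bound): share of sessions that would be rejected once enforced."""
    if not records:
        return 0.0
    would_fail = sum(classify(r) in (".1X Failures", "Unknown MAC") for r in records)
    return would_fail / len(records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(monitor_mode_report(recs))
    print(f"{enforcement_impact(recs):.0%} of sessions would lose access under enforcement")
```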

IBNS 2.0 Concurrent Authentication – Faster on-boarding of endpoints into the network

• You configure IBNS using the Cisco Common Classification Policy Language (CCCPL)
• Faster on-boarding, good for delay sensitive endpoints.
• An endpoint may be authenticated by both methods, but priority determines the ultimate authorization.
• Additional load to the RADIUS server: two authentication requests are sent for the same client (the diagram shows the EAP / EAP-RADIUS and CDP/DHCP exchanges running in parallel on the campus LAN)

Flex Auth – Sequential Authentication (campus LAN, .1x then MAB):

  authentication order dot1x mab

IBNS 2.0 – Concurrent Authentication:

  event session-started match-all
   10 class always do-until-failure
    10 authenticate using dot1x priority 10
    20 authenticate using mab priority 20

IBNS 2.0 Fine Tuning

• MAB devices (w/o supplicants) & minimal traffic: configure switch ports to initiate EAP transactions
  “access-session control-direction in”
• Dot1x timer adjustments: modify defaults per best practices, e.g.
  “dot1x timeout quiet-period 300”
  “dot1x timeout tx-period 10”
  “dot1x timeout supp-timeout 5”
  “dot1x timeout ratelimit-period 300”
• Apple Thunderbolt ethernet adapter: dot1x authentication not automatically initiated
  Resolved: change network profile from System to User type

Wired 802.1x Auth – Learning

• Start with Monitor Mode
• Communicate!
• Evaluate – employee feedback
• Work with device teams ahead of enforcement
• Think User-Experience

Enforcement

Wired Connection Authentication

Port ACL on the switch port: Permit DNS, DHCP, NTP

Access-Request (802.1x & MAB) → one of three outcomes:
• Access-Accept: Permit Access. dACL defined on ISE: Permit IP (dACL: Permit IP any)
• Access-Accept (Restricted): access restricted by dACL, with URL-Redirect. dACL defined on ISE: Permit DNS, TCP 80/443, ICMP, & redirect traffic. Redirect ACL (called by ISE) denies redirect for: laptop builds, support portal, PWD reset
• Failed Auth: no dACL is pushed

MAB Devices – Recommendations

• Manually add them to ISE Identity Group
• Create an Automated Request Process
• Enable Probes / Device Sensors
• Enable Profiling
• Be aware of challenges and monitor inconsistencies
• Create your own Custom Profiles
• Standard naming, OUI Data.
• Note: when CDP & LLDP are concurrently enabled, some older UCV 89xx & 9xxxx phones with firmware > 9.2.1 reboot. Simple workaround: disable LLDP on the phone

Minimizing Service Disruption – Wired

Synthetic AuthC (automate-tester with a test user) runs end-to-end from the switch through ISE to Active Directory:
• Access-Reject → Service Disruption Detected → EEM temporarily allows access
• Access-Accept → Service Disruption NOT Detected → EEM restores AuthC

EEM script provides assurance: end-to-end test of the authentication process.

If authentication fails:
1. Inserts “permit ip any any” as line 1 in the port ACL
2. Records which switch ports are configured with dot1x: “sh run | i interface GigabitEthernet|dot1x timeout”
3. Removes commands under the interface template: “no dot1x pae authenticator”, “no mab” …

Upon successful authentication:
• 802.1x restored
• Users/devices must re-authenticate

OnBoarding IoT Devices

IoT devices (Franking Machines, Coffee Machine, Building Management (BMS), …) get one of three access levels, based on Endpoint Identity Group:
• Internet Only Access
• Appropriate Access
• Full access (no restrictions)

Provisioning: Web Tool + API to ISE:
• Auto approval for Internet
• InfoSec approval for Internal Access (Full/Appropriate)

Identity Based Differentiated Access

ACLs Dependent Upon Device Profile

• Redirect-ACLs have a size limitation, same as dACLs & per-user ACLs:
  Max 4000 ASCII characters (Switch)
  Max 64 lines (WLC)
• More apparent when we consider Remediation

ACL By Endpoint Type, Profiling Based (figure): Windows, Cisco Linux, Others

Software Defined Segmentation Use Cases

Divestiture, IoT, Partners, Development

Benefits:
• Maintain existing network topologies
• Simple, cost effective
• Centralize policy management
• Consistent, faster deployments
• Quicker response to threats

IP-SGT (TrustSec)

Static – SG Destination ACL (server groups mapped to SGTs by subnet):
• Engr. App. (1000): 10.10.0.0/16, 10.20.0.0/15, 10.30.96.0/20, 10.40.0.0/14
• Mail (1001): 10.3.5.0/28, 10.70.24.0/28, 10.80.64.0/28, 10.90.32.0/28
• DNS (1003): 10.6.7.0/29, 10.60.24.0/29
• AD (1009): 10.50.1.0/28, 10.100.2.0/29

  cts role-based sgt-map 10.10.0.0/16 sgt 1000
  cts role-based sgt-map 10.3.5.0/28 sgt 1001
  cts role-based sgt-map 10.6.7.0/29 sgt 1003
  cts role-based sgt-map 10.50.1.0/28 sgt 1009

Dynamic – SGT Source (tag assigned by ISE at authentication, from AD Group / Profiling):
• Cisco Employee (1)
• Divestiture Employee (2)
• Printer (3)

Policy Matrix

Rows: Source SGT (Dynamic). Columns: Destination SGT (Static). “SGACL” marks a cell where a Security Group ACL is applied; “O” marks a cell without one.

Source SGT \ Destination SGT | Engineering App (1000) | Mail (1001) | MDM (1002) | DNS (1003) | Unknown (1005) | Cisco Employee (1) | Divestiture Emp. (2) | Partner (3)
Divestiture Emp. (2)         | O                      | SGACL       | SGACL      | SGACL      | SGACL          | O                  | SGACL                | O
Partner (3)                  | O                      | O           | SGACL      | SGACL      | O              | O                  | O                    | SGACL
Untrusted (1810)             | O                      | O           | O          | O          | O              | O                  | O                    | O
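To make the two preceding slides concrete, here is an added example (not from the session) that resolves a destination address to its static SGT by longest-prefix match over the slide’s sgt-map entries and then looks up the source/destination cell in the policy matrix above; it assumes that unmapped destinations fall into the “Unknown (1005)” column and that an “O” cell means the matrix default action applies, both of which the slides leave implicit.

```python
"""IP-to-SGT lookup and policy-matrix evaluation (added example)."""
import ipaddress

# Static destination mappings from the IP-SGT slide (cts role-based sgt-map ...).
STATIC_IP_SGT = {
    "10.10.0.0/16": 1000, "10.20.0.0/15": 1000, "10.30.96.0/20": 1000, "10.40.0.0/14": 1000,
    "10.3.5.0/28": 1001, "10.70.24.0/28": 1001, "10.80.64.0/28": 1001, "10.90.32.0/28": 1001,
    "10.6.7.0/29": 1003, "10.60.24.0/29": 1003,
    "10.50.1.0/28": 1009, "10.100.2.0/29": 1009,
}
UNKNOWN_SGT = 1005  # assumption: an unmapped destination lands in the "Unknown (1005)" column

# Policy matrix from the slide: rows = dynamic source SGT, columns = static destination SGT.
DEST_SGTS = [1000, 1001, 1002, 1003, 1005, 1, 2, 3]
POLICY_MATRIX = {
    2:    ["O", "SGACL", "SGACL", "SGACL", "SGACL", "O", "SGACL", "O"],  # Divestiture Emp.
    3:    ["O", "O", "SGACL", "SGACL", "O", "O", "O", "SGACL"],          # Partner
    1810: ["O"] * 8,                                                     # Untrusted
}


def lookup_dest_sgt(ip, mappings=STATIC_IP_SGT):
    """Longest-prefix match: the most specific mapping wins when prefixes overlap."""
    addr = ipaddress.ip_address(ip)
    best_net, best_sgt = None, UNKNOWN_SGT
    for prefix, sgt in mappings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_sgt = net, sgt
    return best_sgt


def matrix_cell(src_sgt, dst_sgt):
    """Cell contents, or None when the matrix has no row/column for this pair."""
    row = POLICY_MATRIX.get(src_sgt)
    if row is None or dst_sgt not in DEST_SGTS:
        return None
    return row[DEST_SGTS.index(dst_sgt)]


def evaluate(src_sgt, dst_ip, default_action="permit"):
    """Resolve destination SGT, then decide: explicit SGACL, matrix default, or unmatched."""
    dst_sgt = lookup_dest_sgt(dst_ip)
    cell = matrix_cell(src_sgt, dst_sgt)
    if cell == "SGACL":
        action = "sgacl"          # the cell's Security Group ACL is applied
    elif cell == "O":
        action = default_action   # assumption: no SGACL means the matrix default applies
    else:
        action = "unmatched"      # no row/column: the platform's catch-all policy applies
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "cell": cell, "action": action}


def sgt_map_commands(mappings=STATIC_IP_SGT):
    """Render mappings as the IOS 'cts role-based sgt-map' lines shown on the slide."""
    return [f"cts role-based sgt-map {p} sgt {s}" for p, s in mappings.items()]


if __name__ == "__main__":
    for src, dst in ((2, "10.3.5.9"), (3, "10.3.5.9"), (2, "10.6.7.9"), (1810, "10.10.5.5")):
        print(evaluate(src, dst))
```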

Example: DC Access Control with TrustSec

Endpoints (Voice, Employee, Suppliers, Guest, Quarantine) connect through the Access Layer (wired, wireless, voice) and the Campus Core to the Data Center behind the Data Center Firewall. Tags: Employee Tag, Supplier Tag, Guest Tag, Quarantine Tag.

Steps:
• IP-SGT mapping
• Policy creation
• Policy enforcement
• Policy deployment

Enforcement

Where to Enforce Policy

IT Objective:
• Enforce as close to user as possible
• Ideally on the access switches and WLCs

Challenges:
• WLC 64 line ACL limit
• 3850 has a limit of 255 Destination SGTs
• 4510 could not enforce policies for destination subnets – only hosts
• ASAs configured to support Remote Access VPN (AnyConnect) could not enforce TrustSec policies

Solution: Install SXP and Enforce at 1st Hop Router

• SXP = Secure Group Exchange Protocol
• Dynamically assigned SGTs and SGACLs propagated to the policy enforcement point (PEP)

Flow (figure): a user (Cisco User, Technicolor) authenticates at the NAD and ISE assigns the SGT from AD Group Membership; the NAD acts as SXP Speaker and the first-hop router as SXP Listener (Enforcement Point), granting access based on the Policy Matrix from ISE.

Posture Based Differentiated Access Enforcement

• ISE assigns a tag based on device posture: COMPLIANT → SGT 20, Non-COMPLIANT → SGT 21
• ISE sends the IP <-> SGT mapping & Policy Matrix to the enforcement point
• COMPLIANT (20): Internal Network & Internet
• Non-COMPLIANT (21): Remediation & Internet

Differentiated Access For AnyConnect VPN

Problem:
• Different VPN solutions for different user communities
• Overhead of HW and management

Solution:
• Use consolidated VPN clusters
• Tag traffic and enforce policies as required
• Allows greater resiliency and availability

Before TrustSec: separate clusters for Employee, High Risk and Partner. With TrustSec: Employee, Partner and High Risk on a Single Cluster.

Configuring SXP IP <-> SGT Mapping Via SSH

ISE PAN (Speaker) pushes the mapping over SSH to the NAD Policy Enforcement Point (Listener): Static Connection or Dynamic Connection.

IP <-> SGT Mapping Via SXP

ISE PSN 1, ISE PSN 2 and ISE PSN 3 (Speakers) hold SXP connections to the NAD Policy Enforcement Point (Listener).

Tip 1: SXP pushes IP-SGT mapping immediately upon configuration
Tip 2: IP-SGT mapping is lost if SXP connection drops!

Best Of Both Alternatives – SXP Reflectors

Hybrid IP <-> SGT mapping via SSH and SXP: ISE (Speaker) feeds two Reflectors (Listener toward ISE, Speaker toward the network), which in turn feed the Enforcement Point (Listener).

Posture Based Differentiated Access

What is Posture?

• Posture: security configuration of the device
• Assessment: measure and check against company requirements
• Device Manager

Guiding Principles

• Enablement
• Minimise Impact
• Remediation is key
• Expect Complexity

Trusted Device Standard

• Device to user attribution

• Encryption (Cisco Data)

• 6 character PIN / password

• 10 Minute Auto screen lock (Max)

• Jailbreak / Rooted device detection

• Approved Anti-malware

• Minimum OS version

• Software patching within 4 weeks.

• Remote Wipe for proprietary data

• Hardware/Software Inventory


Policy Mapping

The Trusted Device Standard requirements above are checked either by ISE / AnyConnect posture conditions or by Device Management.

ISE / AnyConnect posture condition types:
• Anti-Malware Condition
• Anti-Spyware Condition
• Anti-Virus Condition
• Application Condition
• Compound Condition
• Disk Encryption Condition
• File Condition
• Patch Management Condition
• Registry Condition
• Service Condition
• USB Condition
• Windows Update Condition

Device Management: is the device under Company Management?

Issues for Posture – Desktop Example

Detection of the Management Agent after device start-up: PWR on → Windows Startup → AnyConnect Posture Check → “SCCM Service not detected. NOT COMPLIANT!” The posture check runs before the SCCM service has come up, so a managed device is reported as non-compliant.

Issues for Posture – Wired MAC address

Mobile Device Posture

Device Management:
• Security Policies Pushed to devices
• Status and Inventory Read from devices
• Remediation Processes

ISE:
• Managed? Compliant?
• Get all non compliant devices
• Actively Managed vs. Not Actively Managed (Internet)

ISE vs MDM Deployment

Many to One Relationship: the ISE nodes in AER, RTP, ALN, MTV, SNG, TYO, HKG and BGL all query a single MDM Server.


Managing Scale

Device Management:
• Security Policies Pushed
• Status and Inventory Read
• Remediation Processes
• Enrollment job detects new devices and indicates a Managed Device by setting a Custom Attribute in ISE

ISE:
• Managed? Compliant?
• Get all non compliant devices
• Actively Managed vs. Not Actively Managed (Internet)

User Remediation Issues to Consider

When a device is not compliant and has restricted access:
• Is the Device Management system accessible?
• How to enrol a new device in management?
• How to re-image a device?
• How does a user remediate a restricted device?
• How does a user get access after remediation?
• How to re-initiate a posture check?
• How do you ensure the change is recognised immediately?

Evolving Our Capabilities – Future State?

Device Management holds a Device Identity Store keyed by a Unique ID (123XXX). On access, ISE queries Device ID & Status (123XXX → 123XXX + Status) and makes the Authorisation / Access Decision.

ISE Deployment Takeaways

• Focus on user experience first not technical capabilities

• Consider each platform type separately

• Phase your deployment - learn small and scale quickly.

• Speed and automation are critical to meeting challenges

• Work closely with your device teams

• Don’t forget remediation


Come talk to our Cisco IT Experts!

Cisco on Cisco will have 5 demo booths placed around the Cisco Campus in the World of Solutions showcasing how Cisco IT designs, deploys, and manages our own solutions. Through these IT success stories you’ll see how Cisco solutions are driving transformational business benefits.

Booths: Collaboration, AppDynamics, ACI & TA, NSO, vBranch


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you