Secure network access, principles of ISE implementation
Cisco Expo 2012, session T-SECA1
György Ács, Consulting Systems Engineer, C|EH, Cisco
Cisco Public © 2012 Cisco and/or its affiliates. All rights reserved.

Page 2

• Twitter www.twitter.com/CiscoCZ
• Talk2cisco www.talk2cisco.cz/dotazy
• SMS 721 994 600

Page 3: Agenda

What is TrustSec
What is ISE
ISE Design
High Availability
Migration


Page 5: Multiple Options for Wired Access

• Identity Based Network Services (IBNS):
  - 802.1X for wired access
  - Profiling by NAC Profiler
  - Guest = NGS
• Cisco NAC Appliance:
  - VLAN control via SNMP Control Plane
  - Profiling by NAC Profiler
  - Guest = NGS

[Diagram labels: Wired, IBNS, ACS, 802.1X; Wired, NAC, SNMP, NAC]

Page 6: Wireless and VPN Access

• Wireless Access
  - 802.1X controlled by WLC
  - WLC has local enforcement
  - Separate Policies on ACS
• Remote Access VPN
  - Policy controlled by ASA, or:
  - Policy controlled by in-line NAC
  - Separate Policies on ACS

[Diagram labels: Wireless, 802.1X, ACS; VPN, Policy]

Page 7: TrustSec Brings it all Together

[Diagram labels: TrustSec; WiFi, NAC, IBNS; ISE]

Page 8: Complete System for Network Access Control & Enforcement

[Diagram labels: Data Center (Nexus 7K, 5K and 2K; Egress Enforcement; SXP); Campus Network (Cat 6K, WLC; wired user, wireless user; Ingress Enforcement; 802.1X; MACsec); Cisco ISE (Profiler, Posture, Guest Services, RADIUS)]

Page 9: Policy Server Designed for TrustSec

• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

[Diagram labels: ACS, NAC Profiler, NAC Guest, NAC Manager, NAC Server → Identity Services Engine]

Page 10

Policy Administration Point (PAP)
  - Admin User connects here: All Management UI Activities
  - Synchronizing all ISE Nodes
  - All Policy is Synchronized from PAP to PSNs

Policy Service Node (PSN)
  - The “Work-Horse”
  - RADIUS, Profiling, WebAuth, Posture, Sponsor Portal, Client Provisioning
  - PSN Queries AD Directly

Network Access Device (NAD)
  - Access-Layer Devices (switchport; User connects here)
  - Enforcement Point for all Policy
  - RADIUS From NAD to Policy Service Node
  - RADIUS From PSN to NAD w/ Enforcement Result
  - RADIUS Accounting

Monitoring and Reporting (M&T)
  - Logging and Reporting Data
  - Logging from PAP and PSN


Page 12: May be a Single ISE Appliance for all Functions…

[Diagram labels: Campus A, Campus B, Branch A, Branch B; AP, WLC, Switch 802.1X; one node running Admin, M&T and PSN]

Page 13: … or Fully Distributed System where all functions are broken out.

[Diagram labels: Campus A, Campus B, Branch A, Branch B; AP, WLC, ASA VPN, Switch 802.1X; Pri. Admin, Sec. Admin, Pri. MNT, Sec. MNT, PSN ×4, HA Inline Posture Nodes]

Page 14: Primary Management Appliance

• Interface to configure and view policies
• Responsible for policy sync across all nodes
• Provides:
  - Licensing
  - Admin authentication & authorization
  - Admin audit
• Each ISE deployment must have at least one PAP
  - Only 1x Primary and 1x Backup PAP possible

Page 15

• Changes made via Primary PAP DB are automatically synced to Secondary PAP and all PSNs.

[Diagram labels: Admin User; PAP (Primary), PAP (Secondary); Policy Sync; PSN ×3; Logging; M&T (Primary), M&T (Secondary)]

Page 16: The “Work Horse”

• Evaluates and makes policy decisions
  - This IS the RADIUS Server for your Network Access Devices
• Per policy decision, responsible for:
  - Network access (such as AAA RADIUS services)
  - Posture
  - Guest access (web portals)
  - Profiling
  - Client Provisioning
• Each ISE deployment must have one or more PSNs
  - Up to 40 PSNs
• Node Groups may be used for Load-Balanced Clusters
  - More on this later in presentation

Page 17

ISE supports distributed log collection across all nodes to optimize local data collection, aggregation and centralized correlation and storage.

Each ISE node collects logs locally from itself; Policy Service nodes running Profiler Services may also collect log (profile) data from NADs.

Each node transports its Audit Logging data to each Monitoring node as Syslog; Profiler events are buffered and forwarded to the primary Admin node to update the DB.

NADs may also send Syslog directly to the Monitoring node on UDP/20514 for activity logging, diagnostics, and troubleshooting.

[Diagram labels: NADs → Policy Service Nodes (Netflow, SNMP Traps, RADIUS, HTTP SPAN, DHCP SPAN/Helper/Proxy); Syslog (UDP/20514) (Not Buffered); Profiler Syslog (UDP/30514) (Buffered); Monitoring Nodes; Alarm-triggered Syslog; External Log Servers; External Log Targets: Syslog (UDP/20514)]

Page 18: Policy Service Sizing and Performance

Form Factor | Platform Size | Appliance       | Maximum Endpoints | Profiler Events | Posture Auths
Physical    | Small         | ISE 3315 / 1121 | 3000              | 500/sec         | 70/sec
Physical    | Medium        | ISE 3355        | 6000              | 500/sec         | 70/sec
Physical    | Large         | ISE 3395        | 10,000            | 1200/sec        | 110/sec
Virtual     | S/M/L         | VM              | 10,000 *          | TBD             | TBD

* VM design guidance is to match or exceed the ISE physical appliance specifications upon which node sizing is based. Hard disks with 10K or higher RPM are highly recommended.

Page 19

• Major TrustSec component that enforces network policies.
• NAD sends request to the PSN for implementing authorization decisions for resources.
• Common enforcement mechanisms:
  - VLAN Assignment
  - dACLs
  - Security Group Access (SGA)*
• Basic NAD types:
  - Cisco Catalyst Switches
  - Cisco Wireless LAN Controllers
  - Cisco ASA “VPN Concentrator”

Page 20: Special Case: ISE Becomes an in-line Appliance

Inline Enforcement:
  - Dedicated Inline solution where infrastructure does not support RADIUS Change of Authorization (RFC 5176/3576, dACL, etc.)
  - Only needed in posture/profiling use cases
  - Acts as a RADIUS Proxy in Bridged or Routed Gateway mode
  - * Inline Enforcement can not be combined with other services

[Diagram labels: VPN → RADIUS → iPEP → RADIUS → PSN]


Page 22

• If a single box fails then all runtime services continue using another box:
  - RADIUS Services
  - Guest Services
  - Profiling Services
  - Posture Services
  - etc.
• NADs are configured with multiple RADIUS servers:

    radius-server host 10.1.100.3 key Cisco123
    radius-server host 10.1.200.3 key Cisco123

[Diagram labels: Data Center 1, Node A 10.1.100.3 (PAP/PSN/M&T); Data Center 2, Node B 10.1.200.3 (PAP/PSN/M&T); Replication over Layer 3; X (failed node)]
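The RADIUS traffic the deck keeps referring to (NAD to PSN on pages 10 and 16, and the two radius-server host lines above) can be made concrete with the following added Python example. It is not Cisco code and not part of the deck: it builds an RFC 2865 Access-Request the way a NAD would, hides the User-Password under the shared secret, verifies the Response Authenticator on the reply, and walks an ordered server list so that a dead primary PSN falls through to the secondary. The shared secret, user name, NAS address and the `send` callback are constructed assumptions; the failover loop models the behaviour, not IOS's actual retransmit timers or deadtime handling.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password, secret, request_auth):
    """Hide User-Password (RFC 2865 section 5.2): pad to 16-octet blocks, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def decode_user_password(hidden, secret, request_auth):
    """Inverse of encode_user_password: what the PSN does before checking the credential."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip):
    """Assemble an Access-Request as a NAD would; returns (packet, request_authenticator)."""
    request_auth = secrets.token_bytes(16)  # must be unpredictable and unique per request
    hidden = encode_user_password(password, secret, request_auth)
    attrs = (struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
             + struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
             + struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + socket.inet_aton(nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, {attr_type: value}).
    Length fields are checked against the buffer so a truncated or oversized
    datagram raises ValueError instead of being read past its end."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def build_response(code, request, secret):
    """PSN side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    (RFC 2865 section 3). This minimal reply carries no attributes."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response, request_auth, secret):
    """NAD side: recompute the Response Authenticator. A reply that fails this check
    (wrong secret, forged sender) is discarded, never treated as an Access-Accept."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate_with_failover(servers, send, packet, request_auth, secret):
    """Walk the NAD's ordered RADIUS server list. `send(server, packet)` returns the reply
    bytes or None on timeout. Returns (server, code) for the first verified reply whose
    Identifier matches, or (None, None) when every server is unreachable or untrusted."""
    for server in servers:
        reply = send(server, packet)
        if reply is None or not verify_response(reply, request_auth, secret):
            continue  # timeout or bad authenticator: try the next PSN
        code, ident, _, _ = parse_packet(reply)
        if ident == packet[1]:
            return server, code
    return None, None
```

The verify step is the one a NAD must never skip: without it, any host that can reach the switch could answer an Access-Request with an Access-Accept of its own, which is why the shared secret on the radius-server host lines should be long and random rather than a memorable word. Note also that User-Password hiding is MD5-based obfuscation, not encryption; endpoint authentication in this deck runs 802.1X/EAP inside RADIUS, where the credential never appears in this attribute.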

Page 23

• Upon failure of Primary PAP, admin user can connect to Secondary PAP; all changes via backup PAP are automatically synced to all PSNs.
• Admin must first manually promote Secondary PAP to be Primary.

[Diagram labels: Admin User; PAP (Primary), X (failed); PAP (Secondary -> Primary); Policy Sync; PSN ×3; Logging; M&T (Primary), M&T (Secondary)]

Page 24

• NADs can be configured with redundant RADIUS servers (PSN nodes).
• PSNs can also be configured in a cluster, or “node group”, behind a load balancer. NADs send requests to the LB virtual IP for PSN services.
• PSNs in a node group maintain a heartbeat to verify member health.

[Diagram labels: Network Access Devices (Switch); AAA connection; Load Balancers; PSN Node Group; PAP (Primary), PAP (Secondary); Policy Replication]

Page 25

• In HA mode, two ISE appliances are deployed in an Active/Standby configuration; mutual interfaces share a common Service IP for user/management traffic; the active iPEP responds to the Service IP.
• Each active interface requires L2 connectivity to its mutual peer: trusted (eth0), untrusted (eth1), and HA (eth2 or eth3).

[Diagram labels: Internal Network; Internet; AP, WLC, Wireless User; ASA, VPN User; L3 Switch; ISE iPEP ACTIVE, ISE iPEP STANDBY; eth0, eth1, eth2; Service IP (eth0), Service IP (eth1); Heartbeat Link; VLAN 11, VLAN 12]

Page 26: Logging

• Up to Two (2) M&T Nodes per ISE Deployment
• All PSNs will automatically sync logs with both M&T nodes. The PAP displays dashboard and reporting from the Primary PAP to the Admin User.

[Diagram labels: PSN ×3; M&T (Primary), M&T (Secondary); PAP; Admin User]

Page 27

Node | HA Scheme | Auto Failover? | Notes
PAP  | Active/Standby | No | Secondary PAP must be manually promoted
PSN  | Node Groups (PSN Clusters); Redundant PSN config on NADs | Yes for established sessions; sessions in process of setup may require re-auth | Node group: group together PSN nodes that reside in a single location behind a load balancer and share a common multicast address
NAD  | NAD-Specific | NAD-Specific | Examples: Redundant Wireless Controllers
iPEP | Active/Standby | Yes, but stateless | Clients must re-auth to backup iPEP node upon failover
M&T  | Active/Active | Yes | One node serves as Primary; all ISE logs automatically sent to both HA M&T nodes. Any external loggers must be configured to log to both nodes.
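For the logging paths on page 17 (NAD and node syslog to the Monitoring nodes on UDP/20514) and the M&T row above (external loggers must log to both nodes), the following added Python example, which is not from the deck or from Cisco, formats an RFC 3164 syslog line, parses its PRI on the receiving side, and fans one datagram out to every configured M&T target so that one unreachable node does not stop delivery to the other. The Monitoring node hostnames and the sample message are constructed; the ports come from page 17.

```python
import socket
from datetime import datetime

# Ports named on page 17 of the deck; the Monitoring node addresses are constructed examples.
ISE_SYSLOG_PORT = 20514           # audit/activity syslog to a Monitoring node (not buffered)
ISE_PROFILER_SYSLOG_PORT = 30514  # profiler syslog (buffered)
MNT_TARGETS = [("mnt-primary.example.net", ISE_SYSLOG_PORT),     # constructed hostname
               ("mnt-secondary.example.net", ISE_SYSLOG_PORT)]   # constructed hostname
FACILITY_LOCAL6, SEVERITY_NOTICE = 22, 5


def format_syslog(facility, severity, hostname, tag, message, when=None):
    """Build an RFC 3164 line: <PRI>Mmm dd HH:MM:SS host tag: message, PRI = facility*8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    if "\n" in message or "\r" in message:
        raise ValueError("line breaks would let one event be read as two records")
    when = when or datetime.now()
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {message}".encode()


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>; malformed input is rejected, not guessed."""
    text = line.decode(errors="replace") if isinstance(line, bytes) else line
    end = text.find(">")
    if not text.startswith("<") or not 2 <= end <= 4 or not text[1:end].isdigit():
        raise ValueError("missing or malformed PRI")
    pri = int(text[1:end])
    if pri > 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def fanout(targets, payload, sock=None):
    """Send the same datagram to every (host, port) target and return those that accepted it.
    A failing target is reported and skipped so the other M&T node still receives the record."""
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    delivered = []
    try:
        for host, port in targets:
            try:
                sock.sendto(payload, (host, port))
                delivered.append((host, port))
            except OSError as exc:
                print(f"syslog fan-out to {host}:{port} failed: {exc}")
    finally:
        if own:
            sock.close()
    return delivered


def loopback_demo():
    """Stand-alone check: two local UDP listeners stand in for the primary and secondary M&T
    nodes. Returns (number delivered, [(facility, severity) decoded by each listener])."""
    listeners = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))
        s.settimeout(3)
        listeners.append(s)
    targets = [("127.0.0.1", s.getsockname()[1]) for s in listeners]
    line = format_syslog(FACILITY_LOCAL6, SEVERITY_NOTICE, "sw-access-01", "AUTHMGR",
                         "constructed sample: 802.1X auth success on Gi1/0/5",
                         datetime(2012, 3, 20, 8, 5, 9))
    try:
        delivered = fanout(targets, line)
        received = [parse_pri(s.recvfrom(2048)[0]) for s in listeners]
    finally:
        for s in listeners:
            s.close()
    return len(delivered), received


if __name__ == "__main__":
    print(loopback_demo())
```

Because syslog over UDP is unacknowledged, `fanout` can only report that a datagram left the socket, not that a Monitoring node stored it; the loopback demo closes that gap locally by reading both listeners back, which is the kind of end-to-end check worth repeating against the real M&T pair after any change to the logging targets.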

Page 28: DEMO


Page 30: Maximum Endpoints = 2,000

• All Services run on both ISE Nodes
• Set one for Primary Admin / Secondary M&T
• Set other for Primary Monitoring / Sec. Admin
• No more than 2000 Endpoints Supported

[Diagram labels: Campus A, Campus B, Branch A, Branch B; AP, WLC, ASA VPN, Switch 802.1X; two nodes each labelled Admin, M&T, PSN; Pri. Admin, Pri. M&T; HA Inline Posture Nodes]

Page 31: Maximum Endpoints = 10,000 / Maximum 5 PSNs

• Dedicated Management Appliances
  - Pri. Admin / Sec. MNT
  - Pri. MNT / Sec. Admin
• Dedicated Policy Service Nodes
  - Up to 5 PSNs
• No more than 10,000 Endpoints Supported

[Diagram labels: Campus A, Campus B, Branch A, Branch B; AP, WLC, ASA VPN, Switch 802.1X; Pri. Admin, Sec. M&T, Pri. M&T, Sec. Admin; PSN ×4; HA Inline Posture Nodes]

Page 32: Maximum Endpoints = 100,000 / Maximum 40 PSNs

• Dedicated Management Appliances
  - Pri. Admin
  - Sec. Admin
  - Pri. MNT
  - Sec. MNT
• Dedicated Policy Service Nodes
  - Up to 40 PSNs
• Up to 100,000 Endpoints Supported

[Diagram labels: Campus A, Campus B, Branch A, Branch B; AP, WLC, ASA VPN, Switch 802.1X; Pri. Admin, Sec. Admin, Pri. MNT, Sec. MNT; PSN ×4; HA Inline Posture Nodes]

Page 33: ISE will Join the Domain

Each ISE Node will join and query AD separately, and have its own Computer Account in AD.

[Diagram labels: PAP; Policy Service Nodes PSN01, PSN02, PSN03; AD; Domain Computers: PAP, PSN01, PSN02, PSN03]

Page 34: Multiple Domains

If Trust Relationship(s) Exist
  - Then only need to join one domain.

If no Trust Relationships
  - Join one Domain
  - LDAP to query the others


Page 36: Migration Paths do Exist

• Is Infrastructure running 802.1X today?
  - ACS 4.x or 5.x is policy engine
  - It IS possible to migrate NADs and User Accounts to ISE
• If Infrastructure is NAC Appliance:
  - No migration today
  - Future version of ISE will allow migration.
• NAC Guest Server (NGS):
  - No migration today (planned for future release)
• NAC Profiler:
  - No migration Possible

Page 37

• Standalone ISE ONLY
  - Then do your Distributed ISE Deployments
• ACS Migration Tool (Windows w/ Java)

[Diagram labels: 512 GB; TrustSec 1.99 or IBNS]

Page 38: Bad news first

• We tried @ First, but there were problems.
• Policy Migration ability removed from 1.0 MR (1.0.4.x)
• It is supposed to come back in the future.

Policies cannot be migrated at this time:
  - Local Administrator Accounts
  - Any Security Group Access (SGA) Data
  - No dVLAN data in AuthZ Profiles
  - Authorization Results
  - Posture Checks
  - Etc…
  - NAC Framework

Page 39: Now the Good News

Dictionaries
  - Identity Attribute Dictionaries
  - RADIUS VSA Dictionaries

Identities
  - Local Users
  - Local Endpoints
  - Certificate Authentication Profiles

Network Devices
  - Network Access Devices (NADs)
  - Network Device Groups (NDGs)

Page 40: Migration Tool

[Diagram labels: Migration Tool; Users; NDGs; NADs]

Get it all organized in ACS 5 prior to using the tool.

Page 41

Shows: Counts, Successes, Failures and Warnings

Page 42: TrustSec and ISE Design

• TrustSec is a Systems Approach to Network Access Control, utilizing the network infrastructure to accomplish what used to be only available in overlays.
• ISE provides the first and only Policy Engine Solution that fully converges: Authentication, Authorization, Profiling, Guest and Posture.
• All ISE nodes will maintain a full copy of the database, providing a fully redundant Authentication infrastructure.
• Best Practice: Do not use < 500GB of storage with your VMs
• You can Migrate NADs, NDGs, Users and Devices from ACS. But not policies, AuthZ results, or SGA data today.

Page 43

• Twitter www.twitter.com/CiscoCZ
• Talk2Cisco www.talk2cisco.cz/dotazy
• SMS 721 994 600
• We invite you to the “Ptali jste se…” (You asked…) session in hall LEO: day 1, 17:45 – 18:30; day 2, 16:30 – 17:00

Page 44

Please rate this presentation.

T-SECA1