TrustSec in der Praxis - Cisco Summit 2017 (Trustsec in der Praxis.pdf)
Cisco Austria Partner Summit 2016 TrustSec in der Praxis Thomas Vavra, Mondi & Manfred Brabec, Cisco


Page 1: TrustSec in der Praxis - Cisco Summit 2017 Trustsec in der Praxis.pdf · TrustSec in der Praxis Thomas Vavra , ... SGT based QoS/PBR ... LiveAction is probably best at themoment

Cisco Austria Partner Summit 2016

TrustSec in der Praxis

Thomas Vavra, Mondi & Manfred Brabec, Cisco

Page 2

TrustSec: Mondi's move to a segmented, global, transport-independent and secure WAN

Thomas Vávra, Manager Communication Networks, Mondi AG
Manfred Brabec, Consulting Systems Engineer Security, Cisco GSSO

Page 3

Agenda

● Introduction
● Mondi overview
● Mondi current network
● TrustSec fundamentals
● TrustSec in WAN
● Conclusion

Page 4

Mondi overview

Page 5

Our history

● 1793: Founding of the Neusiedler paper mill, Austria
● 1881: Founding of the pulp and paper mill Frantschach, Austria
● 1967: Founding of Mondi
● 1997: Acquisition of Świecie, one of Poland’s largest paper mills
● 2000
  ○ Acquisition of majority of Frantschach
  ○ Acquisition of 50% of the Ružomberok UFP & pulp mill, Slovak Republic
  ○ Acquisition of the kraft paper, industrial bags and extrusion coatings businesses of AssiDomän
  ○ Start-up of Extrusion Coatings, Release Liner and Consumer Packaging
● 2002: Increased ownership of the Syktyvkar mill, Russia, to over 90%
● 2007
  ○ Demerger of the Mondi Group from Anglo American plc
  ○ Acquisition of majority stake in Tire Kutsan, Turkey
● 2009: Start of new lightweight recycled containerboard machine ECO7 and corrugated box plant in Świecie, Poland
● 2010
  ○ Acquisition of the Western European industrial and consumer bags businesses of Smurfit Kappa
  ○ Completion of the extension and modernisation of Syktyvkar, Russia
● 2012
  ○ Acquisition of NORDENIA INTERNATIONAL AG
  ○ Acquisition of Duropack operations in Germany and Czech Republic
● 2013–2016: Over €500 million allocated to major strategic capital projects
● 2014: Acquisition of the industrial bags and kraft paper business of Graphic Packaging International, USA

Page 6

Expertise across markets

● Food & Beverages
● Building & Construction
● Home & Personal Care
● Office & Professional Printing Paper
● Paper & Packaging Converting

Page 7

Expertise across markets

● Medical & Pharmaceutical
● Automotive
● Pet Care
● Chemicals & Dangerous Goods
● Graphic & Photographic

Page 8

Mondi current network

Page 9

Mondi global MPLS network

[Slide figure: world map of Mondi's global MPLS network; the slide carries no further text]

Page 10

Donald Rumsfeld

United States Secretary of Defense

“…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”

Page 11

The Problems we wanted to solve

Internal troublemakers
● Malware: Segmentation prevents lateral movement for scanning, botnets, worms
● Creative/Malicious users: Certain highly secured areas were protected additionally
● Human error: The right PC in the wrong segment also shouldn’t cause any problems

External troublemakers
● Suppliers: Suppliers providing support should only be able to access the relevant resources
● Guests: Guests shouldn’t be able to access anything but the Internet in a controlled manner
● Suspicious: Threats from intentional attacks should be minimized

Datacenter protection
● Application security: Certain applications should only be accessible to certain people

Page 12

TrustSec fundamentals

Page 13

TrustSec Tags Everything

[Slide figure: endpoints and servers each carrying a tag; labels on the figure: Employee, Distinguished?, Suspicious, Server Roles]

Page 14

Enforcement is based on TAGs

[Slide figure: a tagged endpoint at an enforcement point; caption on the figure: “Proceed with your SGT”]

Page 15

Classification, Propagation, Enforcement

[Slide figure: the three TrustSec phases (Classification, Propagation, Enforcement) and a “Policies between Tags” matrix; tags shown: PCI Device, PCI Servers, Medical Device, BYOD Device, Suspicious PC, Admin PC, POS, Product Manager, DTME Lab]

Page 16

TrustSec in Action

[Slide figure: Classification, Propagation and Enforcement across the network; components shown: ISE, Directory, Users, Wireless, Remote Access, Switch, Routers, DC Switch, DC Firewall, Application Servers; SGT values 5, 7 and 8 carried through the network]

Page 17

ISE Automates Policy Provisioning with TrustSec

Consistent policy across wired, wireless and VPN

[Slide figure: ISE distributing SGT & Policy, exchanging Context Info with SW over pxGrid, and abstracting endpoints such as BYOD and Finance Server]

Page 18

Open TrustSec: SXP and full SGT frame format submitted to IETF

https://datatracker.ietf.org/doc/draft-smith-kandula-sxp

Difference to original Cisco TrustSec:

● Status: Cisco pre-standard (original) vs. IETF informational draft (open)
● SGT: Security Group Tag (original) vs. Source Group Tag (draft)
● SXP: Security Group Tag (SGT) eXchange Protocol (original) vs. Source Group Tag (SGT) eXchange Protocol (draft)

Page 19

TrustSec Use-cases at Mondi

Page 20

Implementing Business Policy through Segmentation

[Slide figure: security framework with the steps Identify / Trust, Visibility, Policy Enforcement, Isolation and Segmentation, mapped to ISE, NetFlow, SW and TrustSec]

Page 21

Simplifying Network Segmentation with SGTs

Traditional Segmentation: security policy based on topology, with high cost and complex maintenance.

[Slide figure, left half: Access Layer, Aggregation Layer and Enterprise Backbone with one VLAN per role (Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN, Quarantine VLAN for Voice, Employee, Supplier, BYOD and Non-Compliant), each requiring VLAN, address, DHCP scope, redundancy, routing, static ACL and VACL]

TrustSec: use the existing topology and automate security policy to reduce OpEx.

● No VLAN change
● No topology change
● Central policy provisioning (ISE)
● Micro/macro segmentation

[Slide figure, right half: Access Layer and Enterprise Backbone keep only Voice VLAN and Data VLAN; Employee, Supplier, BYOD and Non-Compliant are distinguished by Employee Tag, Supplier Tag and Non-Compliant Tag, with policy enforced at the DC Firewall in front of the DC Servers]

Page 22

Automating Firewall Access Policies with SGTs

[Slide figure: users on Wireless and Switch classified by ISE with context Who / What / Where (Guest / iPad / Office; Doctor / Laptop / Office; Doctor / iPad / Office) into the groups Doctors, BYOD and Guest; ASA FirePower at the Enterprise Backbone enforces access to the Service and EHR servers by group]

Page 23

VPN User to Data Center Access

Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers.

TrustSec simplifies VPN address / filtering management.

[Slide figure: SSL-VPN users (Employee, Partner-A, Supplier-B) from the Internet terminate on RAS EMEA and RAS US with address pools Pool-A and Pool-B and receive Employee Tag, Partner-A Tag and Supplier-B Tag; the Data Center Firewall behind the Campus Core enforces access to Biz Server and Dev Apps in the Data Center]

Page 24

Simplifying Firepower Threat Defense Access

Note: Security Groups used for source criteria only currently

Page 25

TrustSec in WAN

Page 26

Why TrustSec over WAN

Drivers by category:

● Corporate
  ○ Growth: Mondi frequently acquires companies and the integration of these companies is a major success factor
  ○ Flexibility: Any technology might be present on newly acquired sites; only VLAN can be assumed as a given minimum technology
● Environmental
  ○ Cost: MPLS is a luxury transport for mostly mundane applications
  ○ Speed: High-speed Internet is available in most geographies, at a fraction of the cost with very good reliability
● Technical
  ○ Availability: With the availability of TrustSec the game has changed
  ○ IoE: Attitude change of users towards consumerisation has brought more and more device types into the corporate environment

Page 27

Components

● Transport layer
  ○ DMVPN over Internet: High-bandwidth, low cost transport for low-priority traffic
  ○ DMVPN over MPLS: Low-bandwidth, high cost transport for e.g. SAP, Voice and Video traffic
  ○ ZScaler: Cloud proxy service as a reasonably secure method for offloading the local surf-traffic
● Routing layer
  ○ BGP: Used as base-routing on MPLS
  ○ EIGRP: Used for the overlay routing on the encryption layer
  ○ PfRv3: Used to determine link loads, congestion, availability and service based link selection
● Security layer
  ○ TrustSec: For security enforcement, segmentation, categorization and CoS qualification

Page 28

Authorization on Trunk Ports

SGT assignment for MAB over Trunk Ports and segmentation

Considerations:
(1) The access switch MAC address too must be in the list of known MAC addresses
(2) For every MAC address seen on the Distribution switch there will be two entries of the endpoint MAC address

[Slide figure: Employee / Endpoint on an Access VLAN of the Access Switch, connected over a Static Trunk (Native VLAN) to the Distribution Switch, which runs 802.1X on the trunk in multi-auth mode; source classification and enforcement (SGACL) towards the Server / Destination]

Page 29

Device Sensor and ISE Integration

[Slide figure: a device connecting to a switch; the switch gleans CDP, LLDP, DHCP and MAC data and reports it to ISE as a RADIUS probe, following the five numbered steps below]

1. Device connects to the network
2. Switch gleans device identity from control packets (CDP, LLDP, DHCP, MAC OUI)
3. Switch sends “Device info” to ISE after parsing through filters (configurable); notifications are sent only if changes in device info are detected
4. ISE analyzes the data and identifies the device using profile library & conditions
5. Based on the ISE configuration, the device(s) get(s) appropriate authorization
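Steps 2 to 5 above, simulated in Python as an added example (not code from the deck, from Cisco or from Mondi): the sensor forwards only a configurable subset of the gleaned attributes and reports only when that subset changes, a toy profile library with certainty scores then picks the profile, and the profile maps to an SGT. Attribute keys, profile names, certainty values, the OUI prefix and the SGT names are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Attributes the switch forwards to ISE (the "configurable filter" of step 3).
# Keys are assumed names for this simulation, not Cisco's attribute names.
FORWARDED = ("mac", "cdp_platform", "lldp_sys_desc", "dhcp_class_id")

@dataclass
class DeviceSensor:
    """Steps 2-3: remember what was last reported per MAC; notify only on change."""
    last_sent: Dict[str, dict] = field(default_factory=dict)

    def observe(self, mac: str, gleaned: dict) -> Optional[dict]:
        report = {k: v for k, v in gleaned.items() if k in FORWARDED}
        report["mac"] = mac
        if self.last_sent.get(mac) == report:
            return None                  # unchanged: no notification to ISE
        self.last_sent[mac] = report     # changed: send it and remember it
        return report

# Step 4: a toy profile library. Each condition: (attribute, predicate, certainty).
# Profile names, the OUI prefix and the matched strings are constructed.
Condition = Tuple[str, Callable[[str], bool], int]
PROFILES: Dict[str, List[Condition]] = {
    "Cisco-IP-Phone": [("mac", lambda v: v.upper().startswith("00:1B:54"), 30),
                       ("cdp_platform", lambda v: "IP Phone" in v, 40)],
    "Windows-Workstation": [("dhcp_class_id", lambda v: v.startswith("MSFT"), 40)],
    "Printer": [("lldp_sys_desc", lambda v: "JetDirect" in v, 40)],
}
MIN_CERTAINTY = 30   # below this the endpoint stays Unknown

def profile_endpoint(attrs: dict) -> str:
    """Return the profile with the highest summed certainty, or 'Unknown'."""
    best, best_score = "Unknown", 0
    for name, conds in PROFILES.items():
        score = sum(w for key, pred, w in conds if key in attrs and pred(attrs[key]))
        if score > best_score:
            best, best_score = name, score
    return best if best_score >= MIN_CERTAINTY else "Unknown"

# Step 5: authorization result per profile (SGT names constructed). An endpoint
# that cannot be profiled lands in a restricted group, never in Employee.
AUTHZ_SGT = {"Cisco-IP-Phone": "Voice", "Windows-Workstation": "Employee",
             "Printer": "Printer", "Unknown": "Quarantine"}

def authorize(report: dict) -> str:
    """Map a device-info report to the SGT handed back in the authorization."""
    return AUTHZ_SGT[profile_endpoint(report)]

if __name__ == "__main__":
    sensor = DeviceSensor()
    phone = "00:1b:54:aa:bb:cc"
    first = sensor.observe(phone, {"cdp_platform": "Cisco IP Phone 7965", "vlan": 10})
    print(authorize(first))                                                             # Voice
    # A VLAN change is filtered out, so the switch sends nothing the second time.
    print(sensor.observe(phone, {"cdp_platform": "Cisco IP Phone 7965", "vlan": 20}))  # None
```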

Page 30

Traffic Redirection based upon SGT

Available on ASA, ASR1000, ISR4000, CSR-1000v

[Slide figure: User A (Employee), User B (Suspicious) and User C (Guest) in Network A behind a Router / Firewall that applies policy-based routing based on SGT and SGT-based VRF selection; further elements: Inspection Router, VRF-GUEST, Enterprise WAN]

Security example:
● Redirect traffic from malware-infected hosts
  ○ Contain threats
  ○ Pass traffic through centralized analysis and inspection functions

Other example:
● To map different user groups to different WAN service
  ○ Segment in a site with TrustSec
  ○ SGT routes traffic to correct WAN/VRF

Available today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)

Page 31

DMVPN and TrustSec integration

[Slide figure: Site A and Site B (Datacenter), each with access switches, distribution switches, an MPLS router and an Internet router; each site has a primary DMVPN router (PfR Master Controller, Border Router) and a backup DMVPN router (PfR Border Router) reaching the other site over both MPLS and Internet; Internet traffic of sites goes via GRE tunnel to ZScaler]

Page 32

Pros (+):
● Deployment over ANY transport layer
● Profiling even if LANs are a “Wild West” situation
● Sensor technology is currently a game-changer in the market
● Centralized security administration once the rollout is complete
● Published open IETF informational draft
● SGT-based traffic redirection (PBR) and CoS now available

Cons (-):
● Supplier knowledge is limited
● Just a few other vendors fully support it
● Not supported by every Cisco device and software
● SGT-based PfR would be nice

Page 33

Is TrustSec the right approach?

● Yes if BYOD or IoE arrive
● Yes if partners have access to your network
● Yes if you’ve got guests at any of your offices
● Yes if you have any important asset in your network
● Yes if you think that IPv6 will arrive one day and you want to be prepared
● Yes if you’ve got a growth environment where acquisitions bring you the flotsam and jetsam of 30 years of Ethernet
● Yes if you’re a bank and have to do PCI DSS audits (segmentation will limit the audit scope)

TrustSec is the way to go for WAN segmentation

Page 34

Our design specifics: What Mondi did and didn’t take from the IWAN “kit”

● PfRv3
  ○ Implemented, working
● SGT based QoS/PBR
  ○ Prepared, but not implemented yet
● CWS
  ○ Not used – OpenDNS being investigated
● WAAS
  ○ Not used due to lack of requirement in our environment
● AVC
  ○ Not used due to complexity of our environment

Page 35

Our design specifics: What Mondi did and didn’t take from the IWAN “kit”

● Duplicate DMVPN partnership
  ○ Primary and backup router are part of ‘MPLS DMVPN’ AND ‘Internet DMVPN’
    - Cisco standard design permits only one DMVPN per router
● Primary and backup router each have tunnels to primary and backup cloud-proxy
  ○ Fivefold backup for Internet access
● SAML-based two-factor authentication on ASA
  ○ SecureAuth integration
● SGT based firewalling on Cisco FP 9300
  ○ Integration of Active Directory, ISE and FP 9300 to provide remote access segmentation based on SGTs

Page 36

Findings

● Technical
  ○ Product readiness is better than we expected but still it’s NEW
  ○ Alignment between MPLS providers and “overlay providers” is critical
  ○ Stability in failover situations is much better than expected
  ○ PfR normally considers European Internet quality to be better than business grade MPLS
  ○ Management software environment for TrustSec and PfR is limited. LiveAction is probably best at the moment
    - Logging of TrustSec drops on SGACLs isn’t there; “half open TCP sessions” are currently the only way
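The last finding above, that SGACL drops are not logged and half-open TCP sessions are the only trace, as an added detection example (not code from the deck, from Cisco or from Mondi): over flow records that carry source and destination SGT, it lists the TCP flows that only ever sent SYNs and got nothing back, then groups repeats by SGT pair and destination port so each hit can be checked against the policy matrix. The flow records and their field layout are constructed for the example; a powered-off host leaves the same trace, so a hit is a matrix cell to verify, not proof of a drop.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records (not real Mondi data). The field order mirrors a
# Flexible NetFlow export carrying source/destination SGT, but is an assumption:
# (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, src_sgt, dst_sgt, packets)
Flow = Tuple[str, int, str, int, int, str, str, str, int]
FLOWS: List[Flow] = [
    ("10.1.10.21",  50512, "10.200.5.10", 445,   6,  "S",    "Employee",    "PCI_Servers", 3),
    ("10.1.10.21",  50513, "10.200.5.10", 445,   6,  "S",    "Employee",    "PCI_Servers", 3),
    ("10.1.10.21",  50600, "10.200.7.30", 443,   6,  "SAPF", "Employee",    "Biz_Server",  40),
    ("10.200.7.30", 443,   "10.1.10.21",  50600, 6,  "SAPF", "Biz_Server",  "Employee",    38),
    ("10.1.20.5",   40000, "10.200.5.10", 22,    6,  "S",    "Supplier",    "PCI_Servers", 1),
    ("10.200.5.10", 22,    "10.1.20.5",   40000, 6,  "RA",   "PCI_Servers", "Supplier",    1),
    ("10.1.10.21",  5353,  "10.200.5.10", 53,    17, "",     "Employee",    "PCI_Servers", 2),
]

def half_open_sessions(flows: List[Flow]) -> List[Flow]:
    """TCP flows that carried only SYNs and never saw a packet back from the peer."""
    seen = {(f[0], f[1], f[2], f[3]) for f in flows if f[4] == 6}
    result = []
    for f in flows:
        src, sport, dst, dport, proto, flags = f[:6]
        if proto != 6 or set(flags) != {"S"}:
            continue                     # not TCP, or the handshake progressed
        if (dst, dport, src, sport) in seen:
            continue                     # peer answered (SYN-ACK or RST): reachable
        result.append(f)
    return result

def suspected_sgacl_drops(flows: List[Flow], min_flows: int = 2) -> Dict[Tuple[str, str, int], int]:
    """Group half-open sessions by (src SGT, dst SGT, dst port); repeated ones
    point at a denied cell in the SGACL matrix rather than a one-off."""
    counts: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for f in half_open_sessions(flows):
        counts[(f[6], f[7], f[3])] += 1
    return {k: v for k, v in counts.items() if v >= min_flows}

if __name__ == "__main__":
    for cell, n in suspected_sgacl_drops(FLOWS).items():
        print(f"{cell[0]} -> {cell[1]} tcp/{cell[2]}: {n} half-open sessions")
```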

Page 37

Findings

● Organisational
  ○ Know your applications before you start
  ○ Keep your SGTs to the absolute, bare minimum (10 SGTs per site x 100 sites = matrix with 1.000.000 fields to fill)
  ○ LAN projects will start wherever you start to roll out
  ○ Having a competent partner willing to learn during the project is necessary
  ○ Acceptance tests are drastically more complex than on an MPLS network (if done thoroughly)

Page 38

Conclusion

• Cisco TrustSec integrates seamlessly with switches, access points, and firewalls
• It provides a true end-to-end security architecture at our new headquarters and beyond
• It allows us to place users and endpoints in the right category and have the right policy to match information security demands
• TrustSec will help cut time to market for new acquisitions
• It allows us to reduce our overall level of risk exposure

Page 39

Thank You!
