Tvr identity gtri

Cybersecurity: Identity and Access Control

Upload: tibco-software-inc

Post on 03-Aug-2015

Category: Technology

TRANSCRIPT

Page 1: Tvr identity gtri

Cybersecurity: Identity and Access Control

Page 2

Federal Identity and Access

What is Cisco’s Role?

Page 3

Disciplines of Security: Identity Is the Base

Information Sharing

Encryption

Threat Migration

Policy/Governance

Access Control

Forensics

Data Leakage

Non-Repudiation

Audit

Threat Mitigation

Availability

Inventory

Page 4

Customer Challenge in Building an Access Policy in a Borderless Network

Authorized Access

How can I restrict access to my network?

Can I manage the risk of using personal PCs?

Common access rights when on-prem, at home, on the road?

Endpoints are healthy?

Guest Access

Can I allow guests Internet-only access?

How do I manage guest access

Can this work in wireless and wired?

How do I monitor guest activities?

Non-User Devices

How do I discover non-user devices?

Can I determine what they are?

Can I control their access?

Are they being spoofed?

Common questions organizations ask

Page 5

Five Aspects of Identity

Who are you?

What is on your network?

Are you compliant?

What service level do you receive?

What are you doing?

Where can you go?

Page 6

Federal Government Requirements

DISA STIG on access control in Support of Information Systems (Dec 2008)

(AC34.025: CAT 1) The IAO/NSO will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports and configured in accordance with the Network Infrastructure STIG.

Recommended Security Controls for Federal Information Systems (NIST 800-53)

“The information system typically uses either shared known information … or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication)”

Page 7

Why 802.1X?

Industry-standard approach to identity

Most secure user/machine authentication solution

Complements other switch security features

Easier to deploy

Provides foundation for additional services (e.g., posture)

Page 8

How Does 802.1X Work?

Components: Supplicant; Authenticator (switch, router, WAP); Authentication Server (RADIUS server); Identity Store/Management (Active Directory, LDAP)

Request for Service (Connectivity): supplicant to authenticator, Layer 2

Back-End Authentication Support: authenticator to authentication server, Layer 3

Identity Store Integration: authentication server to identity store

Page 9

Cisco Identity Differentiators

Cisco-only Features

Open Mode – Wake-on-LAN support, PXE boot, Ease of Deployment

Flexible Authentication (Flex-Auth) – Legacy Device Support

Multi-Domain Authentication (MDA) – Securely daisy-chain systems behind VoIP phones

ACS 5 Scalability – Top-Down Visibility & Centralized Reporting for Authentication and Authorization

TrustSec – Security Group Tags

Other Enhancements

802.1AE – Hop-by-hop encryption included in TrustSec

More Robust Supplicant than built-in Windows supplicant

Identity-Aware Product Roadmaps – more to come!

HBSS support and provides a layered approach to endpoint security

Page 10

Identity Deployment Phases

Phases: Monitor Mode, Low Impact Mode, High Security Mode

Monitor Mode

Primary Features: Open mode; Multi-Auth; Flex Auth (Optional)

Benefits: Unobstructed Access; No Impact on Productivity; Gain Visibility (AAA Logs)

Low Impact Mode

Primary Features: Open mode; Multi-Domain; Port & dACLs

Benefits: Maintain Basic Connectivity; Increased Access Security; Differentiated Access

High Security Mode

Primary Features: Traditional Closed Mode; Dynamic VLANs

Benefits: Strict Access Control
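A toy model of the 802.1X exchange on page 8 and of the authenticator's decision in each of the three deployment modes above, added here as an example and not taken from the slides or from Cisco. The identity store, the RADIUS authorization attributes, the pre-authentication port ACL and the user names are constructed; the plain secret comparison stands in for the EAP method.

```python
# Toy model of 802.1X (supplicant -> authenticator -> RADIUS -> identity store)
# and of the switch port's behaviour in monitor, low-impact and high-security mode.

# Constructed identity store standing in for Active Directory/LDAP: user -> (secret, role)
IDENTITY_STORE = {"alice": ("s3cret", "employee"), "printer01": ("pr1nt", "device")}

# Authorization attributes the RADIUS server returns per role (constructed values)
AUTHZ = {"employee": {"vlan": 10, "dacl": "permit ip any any"},
         "device": {"vlan": 20, "dacl": "permit tcp any any eq 9100"}}

# Pre-authentication port ACL for low-impact mode (constructed; keeps DHCP/DNS/TFTP alive)
PRE_AUTH_PORT_ACL = ["permit udp any any eq 67", "permit udp any any eq 53",
                     "permit udp any any eq 69"]


def radius_server(username, secret):
    """Authentication server: consults the identity store and answers Accept/Reject.
    The secret comparison stands in for the EAP method (e.g. EAP-TLS)."""
    cred = IDENTITY_STORE.get(username)
    if cred is None or cred[0] != secret:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", **AUTHZ[cred[1]]}


def authenticator(mode, username, secret):
    """Switch port: runs the Layer 2 EAPOL/EAP exchange with the supplicant, relays
    the identity over Layer 3 RADIUS, then sets port state per deployment mode."""
    exchange = ["EAPOL-Start", "EAP-Request/Identity",
                f"EAP-Response/Identity {username}", "RADIUS Access-Request"]
    reply = radius_server(username, secret)
    exchange.append(f"RADIUS {reply['code']}")
    ok = reply["code"] == "Access-Accept"
    if mode == "monitor":
        # Open mode: traffic flows whatever the result; outcome only logged (visibility)
        state = {"access": "full", "log": f"{username} auth={'pass' if ok else 'fail'}"}
    elif mode == "low-impact":
        # Open mode behind a pre-auth port ACL; the dACL from RADIUS replaces it on success
        state = {"access": "acl", "acl": [reply["dacl"]] if ok else PRE_AUTH_PORT_ACL}
    elif mode == "high-security":
        # Traditional closed mode: nothing passes until authenticated; dynamic VLAN on success
        state = {"access": "vlan", "vlan": reply["vlan"]} if ok else {"access": "none"}
    else:
        raise ValueError(f"unknown deployment mode: {mode}")
    state["authenticated"] = ok
    state["exchange"] = exchange
    return state


if __name__ == "__main__":
    for mode in ("monitor", "low-impact", "high-security"):
        print(mode, authenticator(mode, "alice", "s3cret"))
        print(mode, authenticator(mode, "mallory", "guess"))
```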

Page 11

Building on the Foundation of Identity

Identity Infrastructure: User and device authentication; Control network access (L2 and L3); Device mobility in the network

Identity-Enabled Networks

Network Admission Control

Profiling Services: Device profiling; Behavioral monitoring; Device reporting

Guest Services: Guest and sponsor portals; Role-based AUP; Provisioning and reporting

Posture Services: Managed device posture; Unmanaged device scanning; Remediation

TrustSec

Role-Based Access Control: Network topology-independent; Scalability via tagging

Data Integrity and Confidentiality: Hop-to-hop data protection; Preserves network L4–L7 service value

Network Virtualization: Path Isolation; Central Policy Enforcement

Page 12