Gaining Visibility by Using the Network

Transcription

1 Gaining Visibility by Using the Network Daniel Braine CCIE R/S:24663 Security/Wireless CSE Dec 2012

2 Fly By the Seat of Your Pants Network Management Management & Security Who's actually on my network? What's actually on my network? Where are these device plugged in? Where have the devices been? Have there been security violations? Operations Team Access Core Data Center SQL Server Print Server Analyst Server Black Net Access Core Data Center SQL Server Gray Net Print Server Analyst Server User-Based Decision Red Net Access Core Data Center SQL Server Print Server Analyst Server

3 ANempt at Enforcement Port Security Classification Mechanisms: Types of Identity (Device Only) Syslog Server Configuration Permitted MACs: 00:40:3F:55:E3:04 04:53:32:EA:35:9F 67:8B:C4:C6:75:32 04:53:32:EA:33:63 MAC MAC MAC MAC Configuration Permitted MACs: 00:23:3F:3E:E3:36 57:53:32:EA:35:72 3C:8B:C4:C6:75:93 12:53:32:3B:AA:CA MAC MAC MAC MAC Configuration: Manual Moves, Adds, and Changes Decentralized Approach Identity Verification: None Differentiated Access: None (Permit Access Only) Roaming Abilities: None Recovery From Failure: Manual/Time- Based (Err-Disable) Scalability: Not scalable, headache to manage = SECURED?!...SOMEWHAT

4 Why Not Network Access Policy? - Admins not able to monitor live connections to the network -Forced to scroll through application logs SESSION PRESENTATION Default: Open DHCP SSH TFTP HTTPS SWITCHPORT TRANSPORT NETWORK - Server Admins left holding the keys to security. - Functionality and Availability at the forefront. Visibility is an afterthought

5 The Vision: God Mode Enabled Network Management Employee Device IP: Employee Device Location: - East Wing Rm:402 Port 21 of Cisco 3750X Switch -West Wing Rm:109 Port 45 of Cisco 3750X Switch -North Wing Rm: 800 Port 3/30 of Cisco 6500 Switch Employee Device Type: - Windows XP SP3 Dell - Windows 7 HP Application Use: - HTTPS 60% - Collaboration 25% -Video 5% - Voice 10% VLAN Access: Authorized Permissions: - Allow HTTPS - Allow Collaboration - Allow Video -Allow Voice -Deny Analyst Database Access On Network Off Network

6 Exploring the SoluVon: The First Step Towards Visibility

7 Monitoring for Visibility (Find the who ) Enables 802.1X Authentication on the Switch But: Even failed Authentication will gain Access Allows Network Admins to see who would have failed, and the who attribute for visibility Pre-AuthC Post-AuthC SWITCHPORT SWITCHPORT DHCP TFTP DHCP TFTP KRB5 HTTP KRB5 HTTP EAPoL Permit All EAPoL Permit All Traffic always allowed Most Important Note: WE DON T WANT TO BLOCK AuthenVcaVon is opvonal, but can be transparent

8 AuthenVcaVon Overview IdenVfying a User or Endpoint Active Directory, Generic LDAP, PKI User AND/OR Machine EAPoL RADIUS Visibility Center RADIUS, e.g. Safeword Token Server local DB user1 C#2!ç@_E( RSA SecureID User/Password CerVficate Token Identity Source Sequences Backend Database

9 Authentication Credentials Creden8al Type Why You Might Use It Why You Might Not Use it Example EAP- Type Username Password Familiar concept Everyone already has one (e.g. AD) Can re- use exisvng pwds, pwd mgmt techniques Passwords can be stolen Single factor authenvcavon Needs to be sent in encrypted tunnel PEAP- MSCHAPv2 Sod cervficates (stored on hard drive) Two- factor auth Auto- enrollment simplifies PKI Extensive PKI (server certs, user certs, machine certs) requires dedicated IT/ admin EAP- TLS Hard cervficates (USB, TPM) PAC (Protected Access CredenVal) Up to three- factor auth Significant overhead EAP- TLS Faster processing SVll need password or cert for inival provisioning EAP- FAST

10 Exploring the SoluVon: The Second Step Towards Visibility

11 Device ClassificaVon Visibility PCs Non-PCs UPS Phone Printer AP Additional benefits of Profiling - Visibility: A view of what is truly on your network Tracking of where a device has been, what IP Addresses it has had, and other historical data. An understanding of WHY the device was profiled as a particular type (what profile signatures were matched)

12 Understand Network Probes Probes Available In order to figure the what, we need to use the informavon we have available. RADIUS HTTP DHCPSPAN DHCP DNS SNMP Neelow NMAP

13 Classifying Endpoints ConsideraVons For Your Reference Passive assessment or acvve polling/scanning? What is performing the data collecvon and what can be collected? Dedicated collecvon devices or exisvng infrastructure? Must traffic pass inline? SNMP data? DHCP? RADIUS? Packet capture for deeper analysis? Which anributes consvtute device type X? Is MAC OUI alone good enough? What about DHCP data, locavon, connecvon protocols, or network traffic? Can I collect the needed anributes to make a decision? Will addivonal collecvon devices need to be deployed? What is the network or endpoint load impact? How is my profile for Device X created, maintained, updated?

14 Select Data Probes for a Wired Network Best PracVce For a wired network we recommend using a combinavon of RADIUS, DHCP, DNS and SNMP : RADIUS DNS DHCP SNMP NMAP Scan OUI prefix), IP Hostname DHCP class idenvfier, Client IdenVfier, parameters, req list CDP/ LLDP/ Mac Move OS and Common Ports HTTP NetFlow User agent (OS type/version) Traffic idenvficavon HTTP, and NetFlow could also be used as additional methods when required.

15 Probe Data Flow for a Wired Network SNMP Query, SNMP Trap, RADIUS, DHCP Helper Device Authenticator Visibility Center Initial Attempt Open Mode: Time when MAC address is moved to FWD state MAC-Notification Trap is sent if configured Link-State trap if configured MAC-Notification Trap 30 sec to start SNMP Query DCHP Discovery / Request EAPOL / ID-Req (max-reauth-req +1) x tx-timer 802.1X times out 802.1X MAB Authorized DHCP Helper Username:00:11:22:33:44:55:66 Password: 00:11:22:33:44:55:66 Access-Accept Primary Key: 00:11:22:33:44:55:66 Attributes Switch IP Port ID CDP Info VLAN Data Session Data DHCP Options SNMP Query SNMP Response Point of Profiling

16 Probe ImplementaVon Using Profiling Base on RADIUS, DNS, DHCP in a Wired Network radius- server key xxxx ip device tracking EAP-OL DHCP RADIUS Oui, IP DNS DNS probe (reverse- lookup) Visibility Center DHCP probe DHCP class idenvfier, hostname req anributes Dot1x Selec8ve Open Mode Only DHCP is permited Si interface Vlan20 ip helper- DHCP server ip helper- DHCP Server

17 Probe ImplementaVon Cont. SNMP/CDP/LLDP, NetFlow snmp- server community xxxxxx RW snmp- server enable traps snmp linkdown linkup snmp- server enable traps mac- novficavon change move snmp- server version 2c xxxxxx SNMP CDP/ LLDP/ Mac novficavon CDP / LLDP ISE Queries following mibs: - system - cdpcacheentry - clapentry (If device is WLC) - cldccliententry (If device is WLC) LinkUp/Mac No8fica8on/RADIUS Acct Start event queries: - interface data (ifindex, ifdesc, etc) - Port and Vlan data - Session Data (if interface type is Ethernet) - CDP data (if device is Cisco) Si Neelow v5 or v9 ip flow- export ISE ip flow- export source FastEthernet 0/1 ip flow- export version 9

18 NMAP AcVve Scan Manual Scan For manual scan Specify subnet then «Run Scan» Click to see scan results Devices will be added to the database only if the real MAC address is known Use alternate probe to discover (eg RADIUS or SNMP probe) Large network scan could be very Vme consuming and could add a heavy load to ISE service node

19 Switch Sensor Low touch deployment Profiling Base on CDP/LLDP or DHCP Centralize visibility without big ISE sensor investment AutomaVc discovery for most common devices (Printers, Cisco devices, phones) Topology independent Switch Sensor Distributed Probes

20 Switch Sensor: Endpoint Profiling Policy Assignment: Indicates matched profiling policy Calling-Station-ID: Indicates Endpoint MAC Address Device IP Address: Indicates Switch CDP and DHCP information used for profiling.

21 ISE Profiling result Switch Sensor in AcVon Switch Device Sensor Cache Cisco IP Phone 7945 SEP002155D60133 Cisco Systems, Inc. IP Phone CP- 7945G SEP002155D60133

22 Device Attributes More attributes And more attributes

23 Determining required profile anributes Profiling

24

25 Feeds OUI s, Profiles, Posture and BootStraps Has approval / publish process

26 Exploring the SoluVon: The Final Step Towards Visibility

27 Live AuthenVcaVons and Correlated Sessions. Send CoA right from here!

28

29

30

31 Contextual ApplicaVon based informavon from one view What are the Top Server and Top Clients in my network that are having worst transacvon Vme Assessed by looking at the Worst Clients by transac<on <me and Applica<on Server Performance Which of my Sites are experiencing worst transacvon Vme for any given applicavon Obtained by looking at Worst Sites by transac<on <me Which of my Clients are using the most bandwidth- Top N Clients (In and Out) How is my ApplicaVon Traffic stavsvcs over Vme- ApplicaVon Traffic Analysis dashlet

32 Beyond Visibility: Looking Ahead

33 Enforcement Mode If AuthenVcaVon is Valid, then Specific Access! Interface Config interface GigabitEthernet1/0/1 authenvcavon host- mode mulv- auth authenvcavon open authenvcavon port- control auto mab dot1x pae authenvcator ip access- group default- ACL in Pre-AuthC AuthC Success = Role Specific Access dvlan Assignment / dacls Specific dacl, dvlan Secure Group Access SVll Allows for pre- AuthC Access for Thin Clients, PXE, etc WebAuth for non- AuthenVcated Post-AuthC SWITCHPORT SWITCHPORT DHCP KRB5 EAPoL TFTP HTTP Permit Some DHCP KRB5 EAPoL RDP HTTP Role-Based ACL SGT

34 Closed Mode No Access prior to Login, then Specific Access! Interface Config interface GigabitEthernet1/0/1 authenvcavon host- mode mulv- auth authenvcavon port- control auto mab dot1x pae authenvcator Default 802.1X Behavior No access at all prior to AuthC SVll use all AuthZ Enforcement Types dacl, dvlan, SGA Must take consideravons for Thin Clients & PXE, etc Pre-AuthC Post-AuthC SWITCHPORT SWITCHPORT DHCP KRB5 EAPoL TFTP HTTP Permit EAP DHCP KRB5 EAPoL TFTP HTTP Permit All - or - SGT Role-Based ACL

35 User Device Type Location Posture Time Access Method Custom

36