© 2013 Cisco and/or its affiliates. All rights reserved.
The Changing Landscape of Identity: Is 802.1X Enough?
Aaron T. Woland, Cisco Systems
• This session will explore the evolution of identity and access control in a network: where 802.1X makes sense, where it needs to be extended, and how IT can create and use contextual identity to apply and enforce granular access control regardless of the origin of access.
How Do I Control Who Gains Access to the Network?
[Diagram: Employee -> 802.1X -> RADIUS -> Policy server; protected destinations: Production Servers, VDI Servers]
• 802.1X Provides the User or Device Credential
• User allowed to Connect to Network
• Enforcement may be VLAN or ACL
• Who:
  • Employee / Contractor
  • Guest?
[Timeline: 802.1X (Identity), late 1990s]
• Extend 802.1X Capabilities to Check:
  • Identity (Who)
  • Anti-X, Patches (What)
• Quarantine VLAN for Remediation
[Diagram: Desktop client attempts connection -> switch performs authentication and policy check of client -> non-compliant client placed in Quarantine VLAN -> Remediation]
[Timeline: 802.1X (Identity), 2001; Anti-X / Patches (NAC), 2004]
BYOD / NEXT GENERATION WORKFORCE / DEVICE PROLIFERATION
DEVICE PROLIFERATION
[Infographic: number of devices that will be connecting to your network; how many devices, on average, every person has that connect to the network; how many people are bringing their own devices (figures not recovered)]
NEXT GENERATION WORKFORCE
Work Is No Longer a Place You Go to Work
People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home
70% of end users admit to breaking IT policy to make their lives easier
BYOD
BYOD is Personal
“Allow me to use the device(s) that make me more productive for you!”
People identify with the devices they use, and pride themselves on being productive with them.
TYPICAL DEPLOYMENT SCENARIO
Multitude of Devices on the Network, Wired and Wireless
Need to Have Policy Control for Each Device Type
The Challenge: Device Proliferation and Identification for Policy Enforcement
TYPICAL USE CASES
• Visibility
• Differentiating Policy
[Timeline: 802.1X (Identity), 2001; Anti-X / Patches (NAC), 2004; Identity and Device Type (Profiling), 2007]
My Machine can Authenticate… My User can Authenticate…
[Diagram: Employee on a CorpAsset machine authenticates over 802.1X / RADIUS to the Policy server with both a Machine identity and a User identity; protected destinations: Production Servers, VDI Servers]
• Allows User and Machine Identities to be Authenticated and Authorized
• How:
  • User Succeeded / Machine Failed
  • User and Machine Succeeded
  • User Failed / Machine Succeeded
  • User and Machine Failed
• An IETF working group is in the process of standardizing Tunneled EAP (TEAP).
• Next-generation EAP method that provides all the benefits of current EAP types.
• Also provides EAP-Chaining.
• http://datatracker.ietf.org/doc/draft-ietf-emu-eap-tunnel-method/?include_text=1
70% of organizations have a formalized BYOD program or plan to
15 Billion Network Connected Devices by 2015
50% allow executives to bring their own device, with or without restrictions
• Mobile devices are profiled as they access the network
• Is the device managed by MDM, or is it a guest device?
• Policy server queries MDM: disk encryption? jailbroken?
• Device is assigned network access based on MDM results
[Diagram: MDM <-> Policy server]
[Timeline: 802.1X (Identity), 2001; Anti-X / Patches (NAC), 2004; Identity and Device Type (Profiling), 2007; MDM Integration (JailBroken? Encryption?) and EAP-Chaining, 2013]
[Timeline: 802.1X (Identity), 2001; Anti-X / Patches (NAC), 2004; Identity and Device Type (Profiling), 2007; MDM Integration (JailBroken? Encryption?) and EAP-Chaining, 2013; Location (GeoLocation, Badged-In?), ~2013]
Example use of Contextual Identity: Global Retailer
[Diagram: Identity of Users and Devices feeds Security Policy Attributes (Who, What, Where, When, How) into a Centralized Policy Engine, which produces Business-Relevant Policies and Dynamic Policy & Enforcement: Application Controls, Monitoring and Reporting, Security Policy Enforcement]
Systems Integration Nightmare…
Problem 1: Many different transport mechanisms are used to access security information (FTP, Syslog, SDEE, SNMP, SSH, HTTP)
Problem 2: Many different traffic characteristics (Real Time, On Demand, Per Hour, Weekly, Per Year)
Problem 3: Many different types of data contribute to security information (Events, Correlation Results, Reports, Statistics, State Information, Configuration, Packet Capture)
Problem 4: Many different systems consume and produce security information (Access Control, Network Assessment, Policy Configuration, Vulnerability Assessment, Compliance, Network Management, SIEM)
Problem 5: The data and methodology are still not effective in answering very basic questions:
• Is my network secure?
• Are my systems compliant?
• Have I been breached?
• What does my network look like right now?
• Can I adapt to new technologies and threats?
• Is there any way to make this easier?
Problem 6: The complexity and resultant costs are a huge problem
• Need an Industry Standard means of Securely and Efficiently Communicating Contextual Identity for Policy Enforcement. Demands: Security Exchange (Ok, we need a better name)
Scalable Enforcement
Traditional Ingress Authorizations
VLAN Segmentation
[Diagram: L3 Distribution / L2 Access; Data VLAN, Voice VLAN, Quarantine VLAN; each VLAN needs its own Subnet, DHCP Scope and IP Address design, plus STP, HSRP, VACL and PBR]
• Standard based (vendor agnostic)
• Easy implementation
• Hidden implementation costs
• Need new VLANs everywhere
• Policy definition point and ACLs are still static
• Need to keep up with all destination changes
dACL based ingress Filtering
[Diagram: Distribution / L2 Access; Data VLAN, Voice VLAN; dACL applied at the access port:]
  permit ip any 10.1.100.0/24
  deny udp any 192.1.23.0/24 eq 445
  permit tcp any 192.1.23.0/24 eq 80
  ….
• Access topology independent (Source Substitution)
• Centrally managed policy (Dynamic assignment)
• All protected destinations need to be defined
• Challenge to support many ACEs in TCAM
• Need to keep up with all destination changes
High OPEX Security Policy Maintenance
Traditional ACL/FW Rule
[Diagram: adding a source object or a destination object adds a whole row or column of rules; the ACL below covers 3 source objects and 3 destination objects]
Source: NY, SF, LA, SJC, …. (site subnets such as 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24)
Destination: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI), Production Servers (server subnets such as 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24)
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
A Global Bank dedicated 24 global resources to manage Firewall rules currently
Complex Task and High OPEX continues
Reduced OPEX in Policy Maintenance
Security Group Filtering
[Diagram: the same sites (NY, SF, LA, SJC) and data centres (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI); endpoints are classified as Employee or BYOD, servers as Production Servers or VDI Servers]
Source SGT:
• Employee (10)
• BYOD (200)
Destination SGT:
• Production_Servers (50)
• VDI (201)
Permit Employee to Production_Servers eq HTTPS
Permit Employee to Production_Servers eq SQL
Permit Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Deny BYOD to VDI eq RDP
Policy Stays with Users / Servers regardless of location or topology
Simpler Auditing Process (Low Opex Cost)
Simpler Security Operation (Resource Optimization) (e.g. Bank now estimates 6 global resources)
Clear ROI in OPEX
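An added example (not part of the presentation) contrasting the two preceding slides: subnet-based ACEs generated for sites x servers x services, the growth when a site such as SJC is added, and the same intent as a Security Group matrix whose lookup never sees the endpoint's subnet. SGT numbers are the slide's; the subnets, service ports and the SJC subnet are constructed.

```python
"""Added example: ACE growth of subnet-based filtering vs. a Security Group (SGT) matrix."""
from itertools import product

# Constructed sample data modelled on the slide's sites and data-centre servers.
SITES = {"NY": "10.2.34.0/24", "SF": "10.2.35.0/24", "LA": "10.2.36.0/24"}
SERVERS = {"SRV1": "10.3.102.0/24", "SAP1": "10.3.152.0/24", "SCM2": "10.4.111.0/24"}
SERVICES = {"HTTPS": 443, "SQL": 1433, "SSH": 22}  # ports are assumed, not from the slide

def traditional_acl(sites, servers, services):
    """Subnet-based policy: one ACE per (source subnet, destination subnet, service).
    Permit or deny, the rule count is always sites * servers * services."""
    aces = []
    for (site, src), (srv, dst), (name, port) in product(
            sites.items(), servers.items(), services.items()):
        action = "permit" if name == "HTTPS" else "deny"  # mirrors the slide's example policy
        aces.append(f"{action} tcp {src} {dst} eq {port}  ! {site} -> {srv} {name}")
    return aces

# Security Group policy: rules are written between tags, not subnets (SGT numbers from the slide).
SGT = {"Employee": 10, "BYOD": 200, "Production_Servers": 50, "VDI": 201}
SGACL = {  # (source SGT, destination SGT) -> permitted services; anything else is denied
    ("Employee", "Production_Servers"): {"HTTPS", "SQL", "SSH"},
    ("Employee", "VDI"): {"RDP"},
    ("BYOD", "Production_Servers"): set(),
    ("BYOD", "VDI"): set(),
}

def sgacl_decision(src_sgt, dst_sgt, service):
    """The enforcement point looks up the tag pair; the endpoint's subnet never enters the decision."""
    return "permit" if service in SGACL.get((src_sgt, dst_sgt), set()) else "deny"

def rules_added_by_new_site(sites, servers, services, new_site, new_subnet):
    """Rules that must be added when a site (e.g. SJC) comes online, under each model."""
    before = len(traditional_acl(sites, servers, services))
    after = len(traditional_acl({**sites, new_site: new_subnet}, servers, services))
    # SGACL: SJC endpoints are tagged Employee or BYOD at authentication, so no rule changes.
    return after - before, 0

if __name__ == "__main__":
    print(len(traditional_acl(SITES, SERVERS, SERVICES)), "ACEs for 3 sites x 3 servers x 3 services")
    print(len(SGACL), "SGACL cells carry the same intent")
    print(rules_added_by_new_site(SITES, SERVERS, SERVICES, "SJC", "10.2.37.0/24"))
    print(sgacl_decision("BYOD", "VDI", "RDP"))
```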
• Mass adoption of TEAP for EAP-Chaining capabilities
• Standard approach to communicating the Contextual Identity, allowing services to make decisions based on the full context of the endpoint
• Standardize on Security Group Tagging or a similar function
All in Name of Improved Productivity!
Thank you
Questions?