© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1
Identity Services Engine Cisco’s Next-Generation Network Access Control Solution
George Nazarey Security Consulting Systems Engineer
Agenda
Identity Market Drivers
802.1X Overview
ISE Overview
Posture Services
Profiling Services
Guest Services
Identity Market Drivers
Disciplines of Security: Identity Is the Base
(Figure: the security disciplines that rest on identity)
Information sharing, encryption, policy/governance, access control, forensics, data leakage, non-repudiation, audit, threat mitigation, availability, inventory
Today’s Network Is Not Like Yesterday’s Network
(Figure: a sample of the people and devices on one network, each with a role, access method and time of day)
• Vicky Sanchez, employee, Marketing, wireline, 3 p.m.
• Rossi Barks, employee, HR, wireline, 11 a.m.
• Bill Graves, employee, R&D, wireless, 2 p.m.
• Susan Kowalski, employee, CEO, remote access, 10 p.m.
• Frank Lee, guest, wireless, 9 a.m.
• Francois Didier, consultant, HQ - Strategy, remote access, 6 p.m.
• Sergei Balazov, contractor, IT, wireline, 10 a.m.
• Laptop, managed asset, Main Laboratory, 11 a.m.
• IP Phone G/W, managed asset, Finance dept., 12:00 p.m.
• Security Camera G/W, agentless asset, MAC F5 AB 8B 65 00 D4
• Printer, agentless asset, MAC B2 CF 81 A4 02 D7
Diverse environment: employees, contractors, guests, and non-PCs
Mission-critical technologies: network, devices, and applications
Multiple access methods: different devices, locations, and times
All need policies and controls
Five Aspects of Identity
Who are you? 802.1X (or another method) authenticates the user
Are you healthy? Using NAC, the end-station and the network can check whether the device complies with corporate host security policy
What service level do you receive? The user can be given a per-user access control list or a specific QoS priority on the network
What are you doing? Using the identity and location of the user, tracking and accounting can be managed more precisely
Where can you go? Based on authentication, the user is placed in the correct workgroup or VLAN
Policy: Areas of Focus
Context-Based Security
Gartner: “We are seeing a shift to context-aware, adaptive security infrastructure across all areas of information security today.”
Context: user, device, location, server, data
Service Personalization
Services automatically delivered to appropriate users, devices, applications (examples: media, energy, mobile access, video conferencing, laptop security)
Virtualization & Cloud
Virtual application and infrastructure policy: vDC capabilities, tenant requirements, resource policies, network & application policies
802.1X Overview
Why 802.1X?
• Industry-standard (IEEE 802.1X) approach to identity
• Most secure user/machine authentication solution
• Complements other switch security features
• Easier to deploy
• Provides the foundation for additional services (e.g., posture)
How Does 802.1X Work?
(Figure: the three roles and where they sit)
• Supplicant: the endpoint requesting service (connectivity); it talks to the authenticator at Layer 2 (EAP over LAN)
• Authenticator: switch, router, or WAP; it relays the EAP exchange to the authentication server at Layer 3 (EAP over RADIUS)
• Authentication server: RADIUS server, providing back-end authentication support and identity store integration
• Identity store/management: Active Directory, LDAP
Who (or What) Can Be Authenticated?
User authentication (e.g., alice)
• Enables user-based access control and visibility
• If enabled, should be in addition to device authentication
Device authentication (e.g., host\XP2)
• Enables devices to access the network prior to (or in the absence of) user login
• Enables critical device traffic (DHCP, NFS, machine GPO)
• Is required in managed wired environments
Various Authorization Mechanisms
802.1X provides various authorization mechanisms for policy enforcement
Three major enforcement / segmentation mechanisms:
• Dynamic VLAN assignment (ingress)
• Downloadable per-session ACL (ingress)
• Security Group Access Control List (SGACL) (egress)
Three different enforcement modes:
• Monitor Mode
• Low Impact Mode (with downloadable ACL)
• High-Security Mode
Session-based on-demand authorization:
• Change of Authorization (RFC 3576, since obsoleted by RFC 5176: RADIUS Disconnect and CoA messages sent by the server to the switch)
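The two mechanisms above that live in RADIUS, shown on the wire as an added example (not Cisco or ISE code): dynamic VLAN assignment travels in the Access-Accept as the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 3580), and Change of Authorization is a separate, server-initiated exchange on UDP/3799 whose packets are keyed to the shared secret (RFC 5176, which obsoletes RFC 3576). The shared secret, user name, MAC address and session ID are constructed values. The check in `authentic` is the one a switch must make before honoring a CoA or Disconnect-Request, since otherwise anyone who can reach that port could tear down or re-authorize sessions.

```python
"""Added example: RADIUS attributes for dynamic VLAN assignment and the
CoA/Disconnect exchange (RFC 3580, RFC 5176). Not Cisco or ISE code;
secret, identities and session values are constructed."""
from __future__ import annotations

import hashlib
import hmac
import struct

# Packet codes (RFC 2865 and RFC 5176)
ACCESS_ACCEPT = 2
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used here (RFC 2865, RFC 2866, RFC 2868)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning IEEE-802


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data: bytes) -> list[tuple[int, bytes]]:
    """Decode a run of attributes, rejecting bad lengths rather than looping."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def vlan_assignment_avps(vlan_id: int, tag: int = 1) -> bytes:
    """Attributes the RADIUS server puts in Access-Accept for dynamic VLAN
    (RFC 3580). Tagged integers are a tag byte plus a 3-byte value; the group
    ID is the tag byte followed by the VLAN number as an ASCII string."""
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def assigned_vlan(attrs: bytes) -> int | None:
    """What the switch does with those attributes: accept the VLAN only when
    Tunnel-Type says VLAN and Tunnel-Medium-Type says IEEE-802."""
    found = {}
    for attr_type, value in parse_avps(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value[1:], "big")   # drop the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = value[1:] if value and value[0] <= 0x1F else value
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    return int(group) if group.isdigit() else None


def build_packet(code: int, identifier: int, attrs: bytes, secret: bytes,
                 request_authenticator: bytes | None = None) -> bytes:
    """CoA/Disconnect packets. Request: Authenticator = MD5(Code|ID|Length|
    16 zero octets|attrs|secret). ACK/NAK: the 16 zero octets are replaced by
    the request's Authenticator (RFC 5176)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    seed = bytes(16) if request_authenticator is None else request_authenticator
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs


def authentic(packet: bytes, secret: bytes, request_authenticator: bytes | None = None) -> bool:
    """Check the Authenticator before acting. The switch calls this on an incoming
    request (no request_authenticator); the server calls it on the ACK/NAK with
    the authenticator it sent. A wrong secret or a tampered length fails closed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    seed = bytes(16) if request_authenticator is None else request_authenticator
    expected = hashlib.md5(packet[:4] + seed + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def disconnect_request(identifier: int, user: str, mac: str, session_id: str, secret: bytes) -> bytes:
    """Disconnect-Request naming the session to tear down; the switch clears the
    session and the endpoint has to authenticate again."""
    attrs = (avp(USER_NAME, user.encode()) + avp(CALLING_STATION_ID, mac.encode())
             + avp(ACCT_SESSION_ID, session_id.encode()))
    return build_packet(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample
    print("VLAN from Access-Accept:", assigned_vlan(vlan_assignment_avps(20)))
    req = disconnect_request(7, "alice", "00-11-22-33-44-55", "0000001F", secret)
    print("switch accepts Disconnect-Request:", authentic(req, secret))
    ack = build_packet(DISCONNECT_ACK, 7, b"", secret, req[4:20])
    print("server accepts Disconnect-ACK:", authentic(ack, secret, req[4:20]))
```

The tag byte is the detail most often got wrong when hand-building these attributes: Tunnel-Type and Tunnel-Medium-Type always carry one, so their values are four bytes, not the usual four-byte integer alone.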
Putting it All Together: “Flex-Auth” One Configuration Fits Most
• Multiple methods: configurable order and priority of methods
• Configurable behavior after 802.1X timeout and failure
• Configurable behavior when the AAA server dies / recovers
Flex-Auth enables most use cases with a single configuration:
• 802.1X: managed devices/users
• MAB: non-802.1X devices
• WebAuth: non-802.1X users
(Figure: the fallback flow on one port)
• 802.1X client (employee, partner, faculty, sub-contractor): EAP credentials sent and validated, port authorized
• 802.1X times out or fails, valid host asset with a known MAC address: MAB, Access-Accept, port authorized
• 802.1X times out or fails, unknown MAC (guest user): WebAuth, URL redirect to the web login
• Host change: the sequence starts again for the new host
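The fallback sequence in the figure, modelled as an added example (not Cisco code or configuration): one port walks 802.1X, then MAB, then WebAuth and ends in the outcomes the slide lists. Each field of `PortConfig` is commented with the IOS interface command it stands for; the timer values, endpoints, MAC-to-VLAN records and web users are constructed. One thing the model makes visible that the slide does not: a printer with no supplicant waits tx-period x (max-reauth-req + 1) seconds, 30 s with the values used here, before MAB even starts, which is why those timers matter for DHCP on agentless devices.

```python
"""Added example: Flex-Auth decision logic for one access port, in Python.
Not Cisco code; timers, endpoints and AAA records are constructed."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field


@dataclass
class PortConfig:
    # authentication order dot1x mab   (+ authentication fallback <webauth-profile>)
    order: tuple[str, ...] = ("dot1x", "mab", "webauth")
    tx_period: int = 10             # dot1x timeout tx-period 10
    max_reauth_req: int = 2         # dot1x max-reauth-req 2
    fail_next_method: bool = True   # authentication event fail action next-method
    critical_vlan: int | None = 10  # authentication event server dead action authorize vlan 10
    open_mode: bool = True          # authentication open (monitor / low-impact mode)


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool = False
    eap_valid: bool = False                    # would AAA accept its EAP credentials?
    web_login: tuple[str, str] | None = None   # (user, password) entered on the portal


@dataclass
class Aaa:
    reachable: bool = True
    known_macs: dict[str, int] = field(default_factory=dict)             # MAC -> VLAN (MAB)
    web_users: dict[str, tuple[str, int]] = field(default_factory=dict)  # user -> (password, VLAN)
    dot1x_vlan: int = 20                                                 # VLAN returned for 802.1X users


@dataclass
class Session:
    state: str            # authorized | redirect | critical | restricted | closed
    method: str | None
    vlan: int | None
    waited: int           # seconds spent falling back before this outcome


def dot1x_timeout(cfg: PortConfig) -> int:
    """Delay before a supplicant-less endpoint falls through to MAB: the switch sends
    max-reauth-req + 1 EAP-Request/Identity frames, tx-period seconds apart."""
    return cfg.tx_period * (cfg.max_reauth_req + 1)


def authorize(cfg: PortConfig, ep: Endpoint, aaa: Aaa) -> Session:
    """Walk the configured methods for one new host on the port."""
    if not aaa.reachable:
        # AAA dead: critical authorization keeps the port usable; without it the port stays closed
        if cfg.critical_vlan is not None:
            return Session("critical", None, cfg.critical_vlan, 0)
        return Session("closed", None, None, 0)
    waited = 0
    for method in cfg.order:
        if method == "dot1x":
            if not ep.has_supplicant:              # no EAPOL response: 802.1X times out
                waited += dot1x_timeout(cfg)
                continue
            if ep.eap_valid:
                return Session("authorized", "dot1x", aaa.dot1x_vlan, waited)
            if not cfg.fail_next_method:           # explicit EAP failure, no fallthrough
                return Session("closed", "dot1x", None, waited)
            continue
        if method == "mab":
            vlan = aaa.known_macs.get(ep.mac.lower())
            if vlan is not None:
                return Session("authorized", "mab", vlan, waited)
            continue
        if method == "webauth":
            if ep.web_login is not None:
                user, password = ep.web_login
                record = aaa.web_users.get(user)
                if record is not None and hmac.compare_digest(record[0].encode(), password.encode()):
                    return Session("authorized", "webauth", record[1], waited)
            # unknown MAC and nobody logged in: pre-auth ACL only, HTTP redirected to the portal
            return Session("redirect", "webauth", None, waited)
        raise ValueError(f"unknown method {method}")
    # every method exhausted and no WebAuth fallback configured
    return Session("restricted" if cfg.open_mode else "closed", None, None, waited)


if __name__ == "__main__":
    cfg = PortConfig()
    aaa = Aaa(known_macs={"00:1b:2c:3d:4e:5f": 30}, web_users={"guest1": ("s3cret", 99)})  # constructed
    for ep in (Endpoint("aa:aa:aa:aa:aa:01", has_supplicant=True, eap_valid=True),   # employee laptop
               Endpoint("00:1b:2c:3d:4e:5f"),                                        # printer, known MAC
               Endpoint("bb:bb:bb:bb:bb:02"),                                        # unknown visitor
               Endpoint("bb:bb:bb:bb:bb:02", web_login=("guest1", "s3cret"))):       # after portal login
        print(ep.mac, authorize(cfg, ep, aaa))
```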
ISE Overview
Cisco TrustSec
Cisco TrustSec is a security solution that provides policy-based access control, identity-aware networking, and data integrity and confidentiality services
Identity Services Engine: Next Generation PMBU Solution Portfolio
(Figure: the NAC Appliance product family that ISE consolidates into one platform)
• NAC Manager and NAC Server: identity & access control + posture
• NAC Profiler, with the NAC Collector (a standalone appliance or licensed as a module on the NAC Server): device profiling & provisioning + identity monitoring
• NAC Guest Server: guest lifecycle management
• NAC Agent: the endpoint posture agent
• Access Control Solution: identity & access control
A single-appliance deployment
• A single ISE node providing all services
• For smaller environments
• 2 boxes for resiliency
A multi-box deployment
• Multiple ISE nodes in a system
• More than one box for medium to large environments, or a distributed organization
• Services can be turned on or off on each individual node as necessary
Example ISE Deployment
(Figure: HQ, Division X, Branch A and Branch B; access through 802.1X switches, WLCs with APs, and an ASA VPN)
• Active/Standby PAP/M&T (Policy Administration Point and Monitoring & Troubleshooting: the admin and logging nodes)
• Centralized wired 802.1X services for HQ and branches from a PDP (Policy Decision Point) cluster
• Distributed PDP services in Division X
• VPN (non-CoA) support via HA iPEPs (inline Policy Enforcement Points)
Packaging / Licensing Specifics
• Base Package: basic network access | guest (“Are my endpoints authenticated?”)
• Advanced Package: profiler | posture | SGA (“Are my endpoints secure?”)
• Platforms: small | medium | large | VM
Software license model:
• Perpetual license and term license options
• Licenses based on the concurrent number of endpoints, counted centrally (not tied to hardware)
• Floating (active) device/user-based pricing
Three different hardware appliances or a VMware-based appliance:
• Small = 3315/1121 appliances
• Medium = 3355 appliance
• Large = 3395 appliance
• VM = VMware ESX v4.x, ESXi v4.x and Server 2.0
UX: Login
UX: Dashboard
(Screenshot callouts)
• All ISE nodes registered to the PAP
• All attribute sources
• Search
• Now called ISE!
• Compliance stats & failures
• Error rates and distributions
• Metric meters (feedback!)
• Endpoint distributions
• Profile distributions
• Summarized alarms
• In-context configuration of Identity Groups
• Object Selector pop-up with search and filtering capabilities
• New Identity Groups can be created without leaving the Policy screen
• Robust UI: a tabular view is also available
• Reusable simple and compound ‘Condition’ objects
• Drag-and-drop functionality for re-ordering rules
Developing Authorization Policy – Adding Rules
UX: Authentications
“Live” authentications, with filters and passed/failed row colors
Posture Services
Posture Services Overview
• Must have advanced licensing enabled on your ISE devices
• Must enable Posture Services on your ISE Policy server
• Same posture evaluation as in NAC Appliance
• Passive re-assessment support
• Remediation actions same as NAC Appliance
• Posture automatic updates available with advanced licensing
Posture runtime services
Posture Conditions (Policy > Policy Elements > Conditions > Posture)
• Simple conditions: file, registry, AV/AS, service
• Compound conditions (pre-configured), including AV/AS compound conditions
Posture Policy
Posture policies tie requirements to identity groups and other conditions to form a policy
Once a user is authenticated, the posture policy is checked for that identity group/user
If posture passes, the user is assigned a new authorization policy
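How the pieces above compose, as an added example (not ISE code): simple conditions (file, registry, service, AV/AS) are evaluated against an agent report, compound conditions combine them with AND/OR, requirements attach a remediation text, and a posture rule ties requirements to identity groups and an OS; the resulting status then selects an authorization profile. The condition names, the registry key chosen, the authorization profile names, the rules and the endpoint report are all constructed for illustration. The one design choice to notice: an endpoint matched by no rule comes back Compliant here because nothing was required of it, which is convenient and also a gap if an identity group is simply missing from the policy.

```python
"""Added example: posture conditions -> requirements -> posture policy ->
authorization, modelled in Python. Not ISE code; policy and report are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

Report = dict   # what the posture agent reports about one endpoint (constructed format)


@dataclass(frozen=True)
class Condition:
    """A simple posture condition: one check against the endpoint report."""
    name: str
    check: Callable[[Report], bool]


@dataclass(frozen=True)
class Compound:
    """Compound condition: AND/OR over simple or compound parts."""
    name: str
    operator: str            # "AND" or "OR"
    parts: tuple


def file_exists(path: str) -> Condition:
    return Condition(f"file:{path}", lambda r: path in r.get("files", ()))


def registry_equals(key: str, expected) -> Condition:
    return Condition(f"registry:{key}", lambda r: r.get("registry", {}).get(key) == expected)


def service_running(name: str) -> Condition:
    return Condition(f"service:{name}", lambda r: r.get("services", {}).get(name) == "running")


def av_current(vendor: str, max_def_age_days: int) -> Condition:
    """AV/AS check: product installed and definitions no older than the limit."""
    def check(r: Report) -> bool:
        av = r.get("av", {}).get(vendor)
        return bool(av) and av.get("installed", False) and av.get("def_age_days", 10**6) <= max_def_age_days
    return Condition(f"av:{vendor}", check)


def evaluate(cond, report: Report) -> bool:
    if isinstance(cond, Condition):
        return bool(cond.check(report))
    results = [evaluate(part, report) for part in cond.parts]
    if cond.operator == "AND":
        return all(results)
    if cond.operator == "OR":
        return any(results)
    raise ValueError(cond.operator)


@dataclass(frozen=True)
class Requirement:
    name: str
    condition: object
    remediation: str         # action offered to the user when the requirement fails


@dataclass(frozen=True)
class PostureRule:
    identity_groups: frozenset   # groups the rule applies to; "*" matches any
    os_family: str | None
    requirements: tuple


def posture_status(rules, identity_group: str, report: Report):
    """Returns (status, failed requirements). An endpoint matched by no rule is
    reported Compliant because nothing was required of it; decide deliberately
    whether that is what you want for groups missing from the policy."""
    failed = []
    for rule in rules:
        if "*" not in rule.identity_groups and identity_group not in rule.identity_groups:
            continue
        if rule.os_family is not None and rule.os_family != report.get("os"):
            continue
        for req in rule.requirements:
            if not evaluate(req.condition, report):
                failed.append((req.name, req.remediation))
    return ("Compliant" if not failed else "NonCompliant", failed)


# Authorization profile applied per posture status (names constructed, not ISE defaults)
AUTHZ_BY_STATUS = {
    "Unknown": "Posture-Redirect (limited dACL, agent/portal redirect)",
    "NonCompliant": "Quarantine (remediation dACL)",
    "Compliant": "Employee-Full-Access (dACL)",
}


def authorization_for(status: str) -> str:
    return AUTHZ_BY_STATUS[status]


# Constructed policy: an approved AV is either vendor, with definitions under 7 days old
APPROVED_AV = Compound("Approved-AV-Compound", "OR", (av_current("Acme AV", 7), av_current("Beta Shield", 7)))
FIREWALL_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall"
RULES = (
    PostureRule(frozenset({"Employees"}), "Windows", (
        Requirement("Approved-AV", APPROVED_AV, "Install or update an approved antivirus"),
        Requirement("Host-Firewall", registry_equals(FIREWALL_KEY, 1), "Enable the Windows Firewall"),
        Requirement("Patch-Agent", service_running("PatchSvc"), "Start the patch agent service"),
    )),
    PostureRule(frozenset({"Contractors"}), "Windows", (
        Requirement("Approved-AV", APPROVED_AV, "Install an approved antivirus"),
    )),
)

SAMPLE_REPORT = {  # constructed endpoint report
    "os": "Windows",
    "files": {r"C:\Program Files\Acme AV\acme.exe"},
    "registry": {FIREWALL_KEY: 1},
    "services": {"PatchSvc": "running"},
    "av": {"Acme AV": {"installed": True, "def_age_days": 2}},
}

if __name__ == "__main__":
    status, failed = posture_status(RULES, "Employees", SAMPLE_REPORT)
    print(status, failed, "->", authorization_for(status))
```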
Profiling Services
NAC Gap: Non-PC Endpoint Devices
Do you have a full record of devices on the network?
(Chart: wired endpoints distribution)
• Enterprises without VoIP: 50% Windows, 50% other
• Enterprises with VoIP: 33% Windows, 33% IP phones, 33% other
Examples of Non-PC Endpoints
Printers, fax machines, IP phones, IP cameras, wireless APs, managed UPS, hubs, cash registers, medical imaging machines, alarm systems, video conferencing stations, turnstiles, HVAC systems, RMON probes, vending machines . . . and many others
UX: Profiling
Many built-in profiles for Cisco and other common devices!
MAC Authentication – Endpoints List (Administration > Identity Management > Identities > Endpoints)
• Find your MAC address in the list of endpoints; use the filter
• Static assignment flag
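The profiling model behind those built-in profiles and the endpoint list, as an added example (not ISE code or its profile library): each profile is a set of conditions over probe data (OUI, DHCP vendor class, CDP platform, HTTP user agent, open ports), each condition contributes a certainty factor, and a profile matches when the sum reaches its minimum certainty. Profiles form a hierarchy, and the result feeds the endpoint identity group that MAB authorization keys on, which is why the model refuses a child profile whose parent did not match: a host that only spoofs a phone vendor's MAC prefix lands in the generic vendor profile, not in the IP-phone one. The OUI prefix, strings, weights and thresholds are constructed.

```python
"""Added example: certainty-factor profiling over probe data, in Python.
Not ISE code; profiles, OUIs and probe records are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Probe:
    """Attributes collected about one MAC address (constructed format)."""
    mac: str
    dhcp_class_id: str = ""        # DHCP option 60 (vendor class identifier)
    cdp_platform: str = ""         # CDP neighbour platform, read from the switch via SNMP
    http_user_agent: str = ""
    open_ports: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    attribute: str     # "oui" or a Probe field name
    op: str            # equals | startswith | contains | has_port
    value: object
    certainty: int     # certainty factor this rule contributes when it matches


@dataclass(frozen=True)
class Profile:
    name: str
    parent: str | None
    min_certainty: int   # minimum certainty factor needed to match
    rules: tuple


def oui(mac: str) -> str:
    """First three octets, normalised to XX:XX:XX whatever the input separator."""
    hexdigits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 6, 2))


def rule_matches(rule: Rule, probe: Probe) -> bool:
    if rule.op == "has_port":
        return rule.value in probe.open_ports
    actual = oui(probe.mac) if rule.attribute == "oui" else getattr(probe, rule.attribute)
    if rule.op == "equals":
        return actual == rule.value
    if rule.op == "startswith":
        return actual.startswith(rule.value)
    if rule.op == "contains":
        return rule.value in actual
    raise ValueError(rule.op)


def score(profile: Profile, probe: Probe) -> int:
    return sum(r.certainty for r in profile.rules if rule_matches(r, probe))


def classify(profiles, probe: Probe) -> str:
    """Most specific profile whose threshold is met. A child only counts when its
    whole ancestry matched too; otherwise the endpoint stays in the parent or Unknown."""
    by_name = {p.name: p for p in profiles}
    matched = {p.name for p in profiles if score(p, probe) >= p.min_certainty}

    def lineage_ok(name: str) -> bool:
        parent = by_name[name].parent
        return parent is None or (parent in matched and lineage_ok(parent))

    def depth(name: str) -> int:
        return 0 if by_name[name].parent is None else 1 + depth(by_name[name].parent)

    candidates = [n for n in matched if lineage_ok(n)]
    if not candidates:
        return "Unknown"
    return max(candidates, key=lambda n: (depth(n), score(by_name[n], probe)))


# Constructed hierarchy; the OUI, strings, weights and thresholds are illustrative only.
PROFILES = (
    Profile("Acme-Device", None, 10, (Rule("oui", "startswith", "00:AB:CD", 10),)),
    Profile("Acme-IP-Phone", "Acme-Device", 20, (
        Rule("cdp_platform", "contains", "Acme IP Phone", 20),
        Rule("dhcp_class_id", "startswith", "Acme Phone", 10),
    )),
    Profile("Printer", None, 20, (
        Rule("open_ports", "has_port", 9100, 10),
        Rule("http_user_agent", "contains", "Printer", 10),
        Rule("dhcp_class_id", "contains", "Printer", 10),
    )),
)

if __name__ == "__main__":
    for probe in (Probe("00:ab:cd:11:22:33", dhcp_class_id="Acme Phone 7900", cdp_platform="Acme IP Phone 7962"),
                  Probe("00:ab:cd:77:88:99", dhcp_class_id="Acme Phone 7900"),      # phone OUI, no CDP
                  Probe("3c:3c:3c:00:00:01", http_user_agent="Acme Printer/1.0", open_ports=frozenset({80, 9100})),
                  Probe("3c:3c:3c:00:00:02", dhcp_class_id="MSFT 5.0")):
        print(probe.mac, "->", classify(PROFILES, probe))
```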
Guest Services
Managing the Guest User Lifecycle
Provisioning (create guest accounts):
• Create a single guest account
• Create multiple guest accounts by importing a CSV file
Notification (give accounts to guests):
• Print account and access details; send account details via email; send account details via SMS
Management (manage guest accounts):
• View, edit or suspend your guest accounts
• Manage batches of accounts you have created
Reporting (report on guests):
• View audit reports on individual guest accounts
• Display management reports on guest access
Increased productivity, operational efficiency
ISE Guest Server – Overview
ISE Guest Server can provide:
• Self-registration
• Full sponsored access
• Device registration
ISE Guest Server has:
• Multiple portal options
• Guest user policies
• Sponsor groups & policies
• Sponsor portal settings
ISE Sponsored Guests – Sponsor Portal
Customizable web portal for sponsors as well
Sponsors authenticate with corporate credentials: local database, Active Directory, LDAP, RADIUS, Kerberos
ISE Sponsored Guest Creation
• A sponsor can create one or multiple accounts
• The sponsor sets which group role/identity store the guests will be placed in
• Different time profiles can be used for access
• User accounts can be delivered by different means of notification (email, print, SMS)
Guest User Account Detail Delivery
Send account information via print-out, email, or SMS
Guest Verification
The Monitor > Authentications window shows all authentications, including guests
Identity and authorization details can be found there for each guest session