Transcript Solving (not only) L2 Security Problems

Solving (not only) L2
Security Problems
Petr Růžička, CSE
CCIE #20166
[email protected]
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Evolution to Network Access Control
Topology Aware to Role Aware
Cisco TrustSec
 Network-wide role-based access control
 Network device access control
 Consistent policies for wired, wireless
and remote access
Identity-Based Access Control
Network Admission Control (NAC)
 Posture validation endpoint policy compliance
 Flexible authentication options:
802.1x, MAB, WebAuth, FlexAuth
 Comprehensive post-admission control options:
dACL, VLAN assignment, URL redirect, QoS…
Network Address-based Access Control
 ACL, VACL, PACL, PBACL etc
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
2
Campus Access Security
Vulnerability & Countermeasure
Port Status
Authorized
Un-Authorized
Port Enabled
Cisco TrustSec (CTS)
• Extends 802.1X to provide continuous data protection
EAPOL Start
Relay Credentials to AAA via RADIUS
EAP Request
EAP Response (w/ Credentials)
Campus LAN
Holistic Prevention of:
• MiM, Spoofing, Tampering & Replay Attacks
Supplicant
Authenticator
• Prevents Shadow Hosts Attacks
Wall Jack in
Conference Room
Or Cubical Area
RADIUS-Accept
ACS
Wiring Closet Switch
Authentication
Server
Miscreant User Can Spoof MAC Address of the Authenticated User and gain
network access undetected
Port Status
Authorized
Un-Authorized
Encrypted Port Enabled
Relay Credentials to AAA via RADIUS
Countermeasure
EAPOL
Request
Start
PMK usedEAP
to initiate
EAP
Response
4-Way SAP(w/
exchange
Credentials)
Campus LAN
RADIUS-Accept (w/ PMK)
802.1AE/SAP
Capable
Supplicant
TrustSec
Wall Jack in
Conference Room
Or Cubical Area
Wiring Closet Switch
TrustSec (802.1AE/SAP)
© 2008 Cisco Systems, Inc. All rights reserved.
802.1AE/SAP
Enabled
Authenticator
ACS
Authentication
Server
Miscreant User Can’t Spoof MAC Address of encrypted packets, if encryption is not enable the
user’s packets don’t contain integrity information (SA or ICV) and are blocked.
3
Cisco Public
Benefits of Hop-by-Hop Link Encryption In
Campus
E2E
 Layer 3+ end-to-end encryption for IP traffic and payload
 No packet visibility => Prevents IT IDS, Network analysis tools
 Doesn’t prevent layer 2 attacks (e.g. MAC spoofing, stealing)
HxH
LinkSec
LinkSec
 Hop-by-hop security prevents layer 2 attacks
 IT has network control, using familiar network tools (IDS, anti-virus, …)
 Allows incremental deployment over most vulnerable domains
Secure Hop-by-hop Communications Preserves
IT Tools For Network Management
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
4
Link Layer Encryption
 Hop-by-Hop packet confidentiality and integrity via IEEE 802.1AE
 “Bump-in-the-wire” model
Packets are encrypted on egress
Packets are decrypted on ingress
Packets are in the clear in the device
 Allows the network to continue to perform all the packet inspection
features currently used
 Can be incrementally deployed depending on link vulnerability
In the Clear
TrustSec /802.1
AE Encrypted
Cipher Data
In the Clear
TrustSec /802.1
AE Encrypted
Encrypt On
Egress Interface
Decrypt On
Ingress Interface
Decrypt
Cipher Data
TrustSec /802.1
AE Encrypted
Incrypt
Packets in the Clear Inside the System
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
5
Unauthenticated Campus to DC
Enterprise
Campus
Dynamic SGT & SGACL Assignment
Port Identity = Campus Edge
1. Ensure Identities are pre-provisioned (host and or port mapping)
Pre-provisioned
Identity to Port
Mapping (IPM)
2. Link Up or Port Enabled – Initiates Endpoint Authentication &
Authorization
E
3. Host Identity Acquired (802.1X, MAB or Pre-provisioned Identity to
Port Mapping (IPM)) and relayed via RADIUS to ACS
E
Port Identity = Internet Edge
4. Identity credentials are authenticated and then Authorization Rules are
processed, SGTs assigned and SGACLs applied
Internet
I
Example Authorization Rule:
Authorization Rule :
Authorization Rule :
Authorization Rule :
Authorization Rule :
Authorization Rule :
Authorization Rule :
Authorization Rule :
Authorization Rule :
Authorization Rule :
Authorization Rule :
if ((user Role = CRM) then apply SGT = Confidential
if ((user Role = Finance) then apply SGT = Confidential
if ((user Role = Portal Y) then apply SGT = Unrestricted
if ((user Role = Portal Z) then apply SGT = Unrestricted
if ((user Role = Intranet Portal) then apply SGT = Sensitive
if ((user Role = ERP) then apply SGT = Confidential
if ((user Role = Portal Y) then apply SGT = Unrestricted
if ((user Role = Campus Edge) then apply SGT = Ent. Campus
if ((user Role = Internet Edge) then apply SGT = Internet
if ((user Role = Storage Class A) then apply SGT = Data Confidential
C
C
C
U
C
D
D
C
C
C
C
S
U
802.1X, MAB or IPM
Legend
CRM
Finance
Portal Y
Storage Class A
Server Identity = *
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
EPR
Finance
Intranet
Portal
Portal Z
6
Unauthenticated Campus to DC
Enterprise
Campus
Example 1: Bi-Directional Enterprise Campus & Unrestricted Servers
• All packets entering the data center from the
campus edge are tagged as Ent. Campus
E
E
• Packets from Portal Y server are tagged as
Unrestricted
Internet
I
C
C
C
U
C
D
D
C
C
C
C
S
U
Legend
CRM
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
Finance
Portal Y
Storage Class A
EPR
Finance
Intranet
Portal
Portal Z
7
Unauthenticated Campus to DC
Enterprise
Campus
Example 2: Enterprise Campus to Data Confidential
• All packets entering the data center from the
campus edge are tagged as Ent. Campus
• Egress Filtering for Storage Array is tagged Data
Confidential and the policy (SGACL) denies
access from Ent. Campus
E
E
• All illustrated; communication from Ent. Campus
are Denied to Data Confidential
Internet
I
C
C
C
U
C
D
D
C
C
C
C
S
U
Legend
CRM
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
Finance
Portal Y
Storage
Confidential
EPR
Finance
Intranet
Portal
Portal Z
8
IntraDC Use Case
Enterprise
Campus
Example 3: Unrestricted to Data Confidential
• All packets from Portal Z are classified as
Unrestricted
• Egress Filtering for Storage Array is tagged Data
Confidential and the policy (SGACL) denies
access from Unrestricted
E
E
• All illustrated; communication from Ent. Campus
are Denied to Data Confidential
Internet
I
C
C
C
U
C
D
D
C
C
C
C
S
U
Legend
CRM
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
Finance
Portal Y
Storage
Confidential
EPR
Finance
Intranet
Portal
Portal Z
9
Data Center Use Case
Enterprise
Campus
Example 4: Data Confidential to Internet
• All packets from Storage Confidential are
classified as Data Confidential
E
• Egress Filtering on the Internet tagged/filtered port
denies access from Data Confidential
E
Internet
I
C
C
C
U
C
D
D
C
C
C
C
S
U
Legend
CRM
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
Finance
Portal Y
Storage
Confidential
EPR
Finance
Intranet
Portal
Portal Z
10
Comparison of encryption models
Traffic Visibility & Network Manageability
• Host to Server IPSec
Negatively Impacts:
E2E*
• Deep Packet Inspection
• Extended ACLs (port/protocol)
• Full Netflow (port/protocol)
•
•
•
•
Layer 3+ end-to-end encryption for IP traffic and payload
No packet visibility => Prevents IT IDS, Network analysis tools
Doesn’t prevent layer 2 attacks (e.g. MAC spoofing, stealing)
Complex Security Association maintenance
• Limits QoS (ports)
• Dramatic reduction of Content &
SLB capabilities
• Increased Network Latency
• Increased Host/Server
CPU/Memory utilization for
Header insertion/removal & SAs
Core
Network
• Weighted Fair Queuing (WFQ) priority & other flow-based traffic
prioritization
• Breaks NAT (Requires NAT-T)
HxH*
TrustSec Network
LinkSec
LinkSec
Catalyst
•
•
•
•
•
•
Catalyst
Catalyst
Single SA per Link - No Complex Key Management Server Required
Hop-by-hop security – Prevents layer 2 attacks
Transparent to hosts, applications and servers
Packets remain in the clear inside the box preserving the Intelligent Information Network
IT has network control, using familiar network tools (IDS, anti-virus, …)
Allows incremental deployment over most vulnerable domains
Hook
Cisco TrustSec preserves IT Source:
toolsKenfor
network management
* E2E = End-to-End, HxH = Hop-by-Hop
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
11
Data Center
Confidentiality & Integrity

CTS - Network Device Admission Control (NDAC)
Mutual Device Authentication (EAP-FAST)
Confidential & Authenticated Data Communications
ACS 5.0
 CTS - Endpoint Admission Control (EAC)
– 802.1X Machine Authentication
– Confidential & Authenticated Data Communications
CTS
Data Center
EAP-Fast EAPOL Start
EAP Response
EAPoL
EAPOL
(w/
Request
Host
Start Credentials)
PMK used to initiate 4-Way SAP exchange
EAP_Fast EAPoL Request
EAP Response (w/ Device Credentials)
PMK used to initiate 4-Way SAP exchange
Server w/
802.1AE NICs
Port Status
Authorized
Un-Authorized
Encrypted Port Enabled
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
Servers w/
802.1AE NICs
12
Cisco TrustSec Overview
Identification and
Authorization
L2/L3 TrustSec
Confidentiality
and Integrity
 Builds a Trusted Network Infrastructure with Network
Device Admission Control (NDAC)
 Extends IBNS and NAC by adding Topology Independent
Ingress Security Group Assignment
 Wire-rate Encryption and Data Integrity on L2 Ethernet
Switch Ports
 Preserves all network based accounting, deep packet inspection,
and intelligent services
 Uniform encryption—transparent to application, protocols, etc.
Scalable Topology
Independent Access
Control
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
 Centralized Access Control Policy Administration
 Consistent Policy for Wired, Wireless and Remote Access VPNs
 Network Access Control Policy is decoupled from Network
Topology providing unparalleled scale
Cisco Public
13
TrustSec
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
14