Transcription
Network as an Sensor & EnforcerLeveraging the network to control threatsJaromír Pilařjpilar@cisco.comMay, 2016
Agenda Overview of Network as a Sensor and Enforcer Network as a Sensor Network as an Enforcer Summary and resources
Network as a Sensor andEnforcer Overview
Security ChallengesGrowing AttackSurfaceDynamicThreat LandscapeComplexityand Fragmentation
How Data Breaches HappenMalware dropped via backdoorVictim clicks phishing email linkReconnaissanceLateral Movement to find AdminEscalate Privilege to become AdminData Exfiltration using Admin privilegeInformation monetized after breach
You Can’t Protect What You Don’t See60%of data is stolen inHOURS85%of point-of-sale intrusionsaren’t discovered forWEEKS54%of breaches remainundiscovered forMONTHS51%increase of companiesreporting a 10M lossor more in the last 3YEARS“A community that hides in plain sight avoids detection and attacks swiftly”- “Cisco Security Annual Security Report”
A Threat-Centric Security ModelAttack ectBlockDefendAssessContainRemediateNetwork as a SensorNetwork as an Enforcer
Network with Only Perimeter Visibility192.168.19.310.4.51.510.200.21.110Many devices in your networkwithout 92.168.132.99Visibility available for traffictransiting through perimeter10.43.223.221Internet10.85.232.4
Enabling Visibility Inside Your Network192.168.19.310.4.51.510.200.21.110Cryptic network addresses thatmay change 92.168.132.99Difficult to manage policywithout any context10.43.223.221Internet10.85.232.4
Context based Visibility and ControlAllowed TrafficDenied TrafficEmployeeSupplierServerClear understanding of trafficflow with contextEasier to create & apply policybased on such contextNetwork FabricQuarantineHigh RiskSegmentSharedServerInternetEmployee
Network as a Sensor - Cisco ISE, Netflow andvisualization and mitigation toolsContext InformationNetFlowCisco ISEMitigation ActionReal-time visibility at all network layers Data Intelligence throughout network Assets discovery Network profile Security policy monitoring Anomaly detection Accelerated incident responseIntegration options Cisco Platform Exchange Grid (pxGrid)– open to 3rd party API/script – for example APIC-EM andFlowmon integration
102102permitpermitpermitpermittcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467Network as an Enforcerwith TrustSecTraditional Security PolicySecurity Control AutomationSimplified Access ManagementImproved Security Efficacysoftware definedsegmentationTrustSec Security PolicyNetwork FabricSwitchRouterWirelessDC FWDC SwitchFlexible and Scalable Policy Enforcement
Network as a Sensor
Introduction to NetFlow10.1.8.3172.168.134.2SwitchesNetFlow provides Trace of every conversation in your network An ability to collect record everywhere in yournetwork (switch, router, or firewall) Network usage measurement An ability to find north-south as well as east-westcommunication Light weight visibility compared to SPAN based trafficanalysis Indications of Compromise (IOC) Security Group InformationRoutersFlow InformationPacketsSOURCE CE PORT47321DESTINATION PORT443INTERFACEGi0/0/0IP TOS0x00IP PROTOCOL6NEXT HOP172.168.25.1TCP FLAGS0x1ASOURCE SGT100:APPLICATION NAME:NBAR SECUREHTTPInternet
Cisco Network Empowers NetFlow in ScaleComprehensive viewinto all activitiesUnsampled NetFlow on Ciscodevices allows all traffic to becollectedFundamental capabilities built-into Cisco Routers and Switchesplus UCS vNICEven on routers full 1-to-1NetFlow introduced littleoverhead, typically around 5% butupwards of 15% in the worst casedepending on prior CPU utilizationUsageTimePortUtilizationQoS Packet count Byte count Source IP address Destination IP addressFrom/To Start sysUpTime End sysUpTime Packet count Byte countApplication Routing andPeering Input ifIndex Output ifIndex Type of Service TCP flags ProtocolNext hop addressSource AS numberDest. AS numberSource prefix maskDest. prefix mask
NetFlow TerminologyFlowTraffic set defined by a set ofKEY fieldsEx. Source IP, Destination IP, SourcePort, Destination Port, Protocol, TOS,InterfaceFlow RecordNetFlow Protocol Data Unit exportedfrom a NetFlow generatorContains a collection of KEY and NONKEY fields relating to a flowNon-KEY fieldsEx. Bytes, Packets, TCP Flags, APMAC and Client MACFlow CollectorA device that receives NetFlowrecords from a NetFlow generatorFlow TemplateA flexible (v9) feature that advertisesthe record format to the collectorFlow ExporterA NetFlow configuration of where(Collector) the flows are going to besent, including IP address andprotocol/portNetFlow GeneratorA NetFlow enabled network device
Myths about NetFlow GenerationMyth #1: NetFlow impacts performance Hardware implemented NetFlow has no performance impact Software implementation is typically significantly 15%processing overheadMyth #2: NetFlow has bandwidth overhead NetFlow is a summary protocol Traffic overhead is typically significantly 1% of total trafficper exporting device17
NetFlow in MotionNetFlowGeneratorSourceNetFlow Key FieldsDestination1Source IP AddressNetFlow CacheDestination IP AddressFlow InformationSource Port2Destination PortDestination PortTOS byte (DSCP)3Input InterfaceFlowCollectorPacketsBytes / packetAddress, ports 110001528
NetFlow Supported PlatformsNetFlow CapableWANUserSwitchRouterRouterFirewallDC SwitchServerNetFlow ExportersCatalyst 2960-X (NetFlow Lite) - Sampled OnlyCatalyst 3560-X (SM-10G module only)Catalyst 3750-X (SM-10G module only)Catalyst 3850/3650 (FNF v9 SGT support)Catalyst 4500E (Sup7E/7LE)Catalyst 4500E (Sup8) (FNF v9 SGT support)Catalyst 6500E (Sup2T) (FNF v9 SGT support)Catalyst 6800 (FNF v9 SGT support)Cisco ISR G2 (FNF v9 SGT support)Cisco ISR 4000 (FNF v9 SGT support)Cisco ASR1000 (FNF v9 SGT support)Cisco CSR 1000v (FNF v9 SGT support)Cisco WLC 5760 (FNF v9)Cisco WLC 5520, 8510, 8540 (v9) *ASA5500, 5500-X (NSEL)Nexus 7000 (M Series I/O modules – FNF v9)Nexus 1000v (FNF v9)Cisco NetFlow Generation Appliance (FNF v9)Cisco UCS VIC (VIC 1224/1240/1280/1340/1380)Cisco AnyConnect Client (IPFIX) *ISE
Network as an Enforcer
102102permitpermitpermitpermittcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467Network as an EnforcerSoftware-Defined Segmentation with TrustSecTraditional Security PolicySecurity Control AutomationSimplified Access ManagementImproved Security EfficacyTrustSec Security PolicyNetwork FabricSwitchRouterWirelessDC FWDC SwitchFlexible and Scalable Policy Enforcement
Network Segmentation with TrustSecEnforcementSecurity Group: ManagerSegmentation based on RBAC Independent from address based topologyRole based on context AD, LDAP attributes, device type, location, time,access methods, etc Use Tagging technology To represent logical group (Classification) To enforce policy on switch, router, and firewallSoftware Defined Policy managed centrally Policy provisioned automatically on demand Policy invoked anywhere on the networkdynamicallySwitchesRoutersFirewallDC SwitchHypervisor SWUsername: johndGroup: Store ManagersLocation: Store OfficeTime: Business HourAUTHORIZEDPERSONNELONLYResource
How TrustSec Simplifies Network SegmentationTraditional SegmentationDC ServersTrustSecDC Firewall / SwitchStatic ACLRoutingMicro/Macro SegmentationEnterpriseBackboneCentral Policy ProvisioningRedundancyDHCP ScopeNo Topology ChangeAggregation EPolicyNo VLAN ChangeAccess LayerAccess erBYODDataVLANGuestVLANBYODVLANSecurity Policy based on TopologyHigh cost and complex maintenanceVoiceEmployee TagVoiceVLANSupplier TagNon-Compliant TagNon-Compliant EmployeeSupplierBYODDataVLANUse existing topology and automatesecurity policy to reduce OpEx
TrustSec in ActionISERemoteAccess5 SGTWirelessDC FirewallDC SwitchSwitchClassificationApplicationServers8 SGTApplicationServers7 ent
TrustSec FunctionsClassificationPropagationEnforcement5 Employee6 Supplier8 ZBFW
TrustSec Supported nRouterSwitchPropagationClassificationCatalyst 2960-S/-C/-Plus/-X/-XRCatalyst 3560-E/-C/-X/-CXCatalyst 3750-E/-XCatalyst 3850/3650Catalyst 4500E (Sup6E/7E)Catalyst 4500E (Sup8)Catalyst 6500E (Sup720/2T)Catalyst 6800WLC 2500/5500/5400/WiSM2/8510/8540WLC 5760Nexus 7000Nexus 6000Nexus 5500/2200Nexus 1000vISRG2, CGR2000, ISR4000IE2000/3000/CGR2000ASA5500 (RAS VPN)RouterFirewallPropagationPropagationCatalyst 2960-S/-C/-Plus/-X/-XRCatalyst 3560-E/-C/, 3750-ECatalyst 3560-X/3750-XCatalyst 3850/3650Catalyst 4500E (Sup6E)Catalyst 4500E (Sup, 7E, 7LE, 8E)Catalyst 4500XCatalyst 6500E (Sup720)Catalyst 6500/Sup2T, 6800WLC 2500/5500/5400/WiSM2/8510/8540WLC 5760Nexus 7000Nexus 6000Nexus 5500/2200Nexus 0DC st 3560-XCatalyst 3750-XCatalyst 3850/3650WLC 5760Catalyst 4500E (7E)Catalyst 4500E (8E)Catalyst 6500E (2T)Catalyst 6800Nexus 7000Nexus 6000Nexus 5500/5600Nexus 1000vISR G2, ISR4000, CGR2000ASR 1000 RouterCSR-1000v RouterASA 5500 FirewallASAv FirewallWeb Security Appliance
Summary & Resources
Network as a Sensor and Enforcer SummaryThe network is a keyasset for threat detectionand controlNetFlow, Cisco ISE andvisualisatioin andmitigation tools providevisibility and intelligenceTrustSec providessoftware defined (micro)segmentation
To learn more td
Cisco ISR G2 (FNF v9 SGT support) Cisco ISR 4000 (FNF v9 SGT support) Cisco ASR1000 (FNF v9 SGT support) Cisco CSR 1000v (FNF v9 SGT support) NetFlow Capable ISE Cisco WLC 5760 (FNF v9) Cisco WLC 5520, 8510, 8540 (v9) * ASA5500, 5500-X (NSEL) Nexus 7000 (M Series I/O modules –FNF v9) Nexus 1000v (FNF v9) Cisco NetFlow Generation Appliance .
