
Securing Cisco’s Network: Inside Cisco IT

Simon Finn, Solutions Architect, Information Security

Oisin MacAlasdair, Member of Technical Staff, Information Technology

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Cisco Landscape
• Trends Changing the Security Landscape
• Architecture Overview
• Major Programs: Data Center Security – Application Centric Infrastructure (ACI); Context-Aware Networking – ISE


Cisco Enterprise and What We Must Protect

• 16 major Internet connections, ~32 TB bandwidth used daily
• ~3 TB network data collected per day
• 110k workforce
• 165 countries
• ~3M IP addresses
• 2500+ IT applications
• 215,000 infrastructure devices
• 275,000 total hosts
• 1820 labs
• 160+ acquisitions
• 400+ cloud/ASP providers used (officially)
• 294 partners using 547 IT extranet connections into Cisco
• 312 sites, 450+ buildings
• 42 data centers
• 5,400 routers, 5,300 switches
• 27,000 home routers


Trends Elevating the Importance of Security

• BYOD / Mobile
• SaaS / Cloud
• Externalizing Data & Apps
• Collaboration / Social / Data Analytics
• Advanced Threats
• Regulations

© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-3062 Cisco Public

The Threats are Evolving

Columns: 2000 / 2005 / 2013 / Next

Industry Posture: Unprotected desktops / Unmanaged desktops / Proliferating device types / Cloud-connected ecosystem

Malware: Worms / Rapidly changing and proliferating / Sophisticated / Beyond Windows

Network Behavior: Disruptive / Compromised hosts remotely controlled / Opaquely compromised hosts exfiltrate sensitive data / Hidden in e-mail and social networking

Threat Depth: Annoyance / Individual host / Sensitive infrastructure / Embedded

Industry Response: Deploy AV / 1) Deploy HIPS, 2) Detect botnets via IDS / 1) Detect via reputation, 2) Automate prevention, 3) Detect via behaviour / 1) Augment detection with intel, 2) Detect via precursors, 3) Diversify intelligence and methods


Transformational Principles

Perspectives about security have changed
– It’s a roadblock → Security enables the business
– It’s not my problem → Everyone needs to own security

Technology metamorphoses
– Disjointed point solutions → Integrated architectural play
– Physical infrastructure, slow to change → Virtual infrastructure: flexible, dynamic, change-ready
– The office contains all my stuff → My mobile devices are my office (Data, Apps, Voice, Video)

Architecture approach has changed
– Perimeters as the control point → Identity is the new perimeter
– Focus on protecting the infrastructure → Focus on protecting the data
– Capabilities not tightly aligned → Services, Service Categories, Service Offerings

The threats have changed
– Individuals → Hacktivism
– Disparate groups → Nation State
– Capture individual users’ data → Gain access to your data (and your customers’ data)


Architecture driving current and future investments

DATA SECURITY: Policy, Compliance (Visibility), Enforcement (Control)

IT GOVERNANCE and SECURITY OPERATIONS
• Service Security Prime Role
• Governance Decision Making Model
• Next Generation Policies
• Security-IT OM Integration
• Unified Security Metrics (USM)
• Operational Security Excellence

KEY CAPABILITIES AND SERVICES

GOVERNANCE
• Data Inventory
• Data Ownership & Accountability
• Data Visibility and Control
• Data Monitoring

CAPTURE, DETECT AND CONTAIN
• Data Collection
• Forensic Analysis

SECURE INFRA
• Device Profiling, Registration and Posture Assessment
• Contextual Network/App Access
• DC Zone Segmentation

IDENTITY AND ACCESS
• Foundational SSOT Identity
• Federated Identity
• Fine Grain Access Policy Mgmt
• Strong, Multifactor Authentication
• Anomaly Detection


Security Accountability Metrics Model

“99% of all Compromises required moderate-to-little sophistication.” – 2013 Verizon Breach Report

[Diagram] Service Owner, CIO and Service Execs; Vulnerabilities & Performance feeding Unified Service Metrics; Service Security Accountability.

© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2640 Cisco Public

Security Analytics

Collect – Logs and Telemetry
• Syslog
• DNS
• WSA
• Netflow

Detect – Detection Tools
• IDS
• Lancope
• Advanced Malware

Intelligence – Industry Intelligence
• Cisco
• Law Enforcement
• Partners

Analyze → Playbook → Mitigate → Remediate

Mitigation mechanisms: SDN, ACI, ACLs, Blackhole
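As an added example (not Cisco IT’s tooling), the Python below walks the Collect → Detect → Intelligence → Mitigate flow over a few constructed NetFlow-style records and DNS log lines. An intelligence feed supplies reputation matches, an outbound-volume threshold stands in for behavioural detection, and each finding is mapped to a containment action expressed as an ACL entry or a Null0 blackhole route. The record layouts, the 10.0.0.0/8 internal range, the 1 MB threshold and every address and domain in the feed are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed NetFlow-style records (src, dst, dst_port, bytes); not real telemetry.
FLOWS = [
    ("10.1.1.20", "10.1.2.5",     443, 1_200),
    ("10.1.1.20", "198.51.100.7", 443, 5_000_000),
    ("10.1.1.21", "10.1.2.5",      80, 800),
    ("10.1.1.22", "203.0.113.9", 8443, 700_000),
]
# Constructed DNS query log: "<client> <queried name>".
DNS_LOG = [
    "10.1.1.20 updates.example.com",
    "10.1.1.22 x7f3k.bad-example.net",
]
# Constructed intelligence feed (the Intelligence lane): known-bad IPs and domains.
INTEL = {"ips": {"198.51.100.7"}, "domains": {"bad-example.net"}}

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range
EXFIL_BYTES = 1_000_000               # assumed behavioural threshold per host


@dataclass(frozen=True)
class Finding:
    host: str        # internal host the finding is about
    reason: str      # which detection method fired
    indicator: str   # IP, domain, or byte count that triggered it


def detect(flows, dns_log, intel) -> List[Finding]:
    """Detect lane: reputation (intel match) plus behaviour (outbound volume)."""
    findings = []
    egress = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if dst in intel["ips"]:
            findings.append(Finding(src, "intel: flow to known-bad IP", dst))
        # Only count traffic leaving the corporate range toward outbound volume.
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            egress[src] += nbytes
    for host, total in egress.items():
        if total >= EXFIL_BYTES:
            findings.append(Finding(host, "behaviour: large outbound transfer", str(total)))
    for line in dns_log:
        client, qname = line.split()
        # Match the listed domain itself or any name beneath it.
        if any(qname == d or qname.endswith("." + d) for d in intel["domains"]):
            findings.append(Finding(client, "intel: DNS query for known-bad domain", qname))
    return findings


def mitigations(findings) -> List[str]:
    """Playbook step (Mitigate): map findings to containment actions as IOS-style config lines."""
    actions = set()
    for f in findings:
        if f.reason == "intel: flow to known-bad IP":
            # Blackhole the external destination with a static route to Null0.
            actions.add(f"ip route {f.indicator} 255.255.255.255 Null0")
        else:
            # Isolate the internal host with an ACL entry until it is remediated.
            actions.add(f"deny ip host {f.host} any")
    return sorted(actions)


if __name__ == "__main__":
    found = detect(FLOWS, DNS_LOG, INTEL)
    for f in found:
        print(f"{f.host}: {f.reason} ({f.indicator})")
    print("\n".join(mitigations(found)))
```

The two detection methods deliberately overlap on 10.1.1.20: the intel hit and the volume threshold both fire, which is the "diversify intelligence and methods" point from the threats timeline, and the mitigation set is deduplicated so the playbook does not emit the same containment twice.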


Policy Managed Network


Defining and Applying Network Policy: Today vs ACI

Today: define policy → translate policy → instantiate policy, with the App, Sec and Net teams each involved; the result takes weeks and is a per-host rule set such as:

permit tcp host XX.XXX.X.XXX host XX.XX.XX.XX eq www
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 443
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 50124
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq www
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 443
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 50124
permit tcp XX.XXX.X.XXX host XX.XXX.X.XXX eq www

ACI (application-centric networking): define policy once as an Application Network Profile for the tenant (EPG: Web, EPG: App, EPG: DB, joined by contracts); the Controller translates and instantiates it in minutes.

Benefits: Faster Instantiation, Better Visibility, Portability, Re-Usability
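The slide contrasts hand-written per-host permits with a group-level profile. The Python below, an added example rather than Cisco or ACI code, models that contrast: an Application Network Profile holds endpoint groups and the contracts between them, `translate()` expands it into the per-host permit lines a traditional ACL needs, and `is_allowed()` answers the same question at group level without ever producing those lines. The tenant name, the EPG member addresses and the contract ports are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class EPG:
    """Endpoint group: a named set of hosts that share one policy role."""
    name: str
    members: List[str]   # host IPs (constructed sample addresses)


@dataclass
class Contract:
    """Contract between two EPGs: the provider exposes these TCP ports to the consumer."""
    consumer: str
    provider: str
    ports: List[int]


@dataclass
class AppProfile:
    """Application Network Profile: a tenant's EPGs plus the contracts between them."""
    tenant: str
    epgs: Dict[str, EPG] = field(default_factory=dict)
    contracts: List[Contract] = field(default_factory=list)


def build_three_tier() -> AppProfile:
    """Define policy once, at group level (the ACI side of the slide)."""
    p = AppProfile("Tenant-Sample")
    for epg in (EPG("Web", ["10.0.1.10", "10.0.1.11"]),
                EPG("App", ["10.0.2.10"]),
                EPG("DB",  ["10.0.3.10"])):
        p.epgs[epg.name] = epg
    p.contracts.append(Contract("Web", "App", [80, 443]))   # Web tier may call App on www/443
    p.contracts.append(Contract("App", "DB", [50124]))      # App tier may call DB on 50124
    return p


def translate(p: AppProfile) -> List[str]:
    """The 'translate policy' step: expand contracts into the per-host permits a
    traditional ACL needs. On the slide this is done by hand; here it is generated."""
    lines = []
    for c in p.contracts:
        for src in p.epgs[c.consumer].members:
            for dst in p.epgs[c.provider].members:
                for port in c.ports:
                    lines.append(f"permit tcp host {src} host {dst} eq {port}")
    return lines


def epg_of(p: AppProfile, ip: str) -> Optional[str]:
    """Look up which group a host belongs to (None if it is in no EPG)."""
    return next((e.name for e in p.epgs.values() if ip in e.members), None)


def is_allowed(p: AppProfile, src: str, dst: str, port: int) -> bool:
    """Group-level whitelist check: allowed only if a contract between the two EPGs
    exposes the port; everything else is implicitly denied, and contracts are directional."""
    s, d = epg_of(p, src), epg_of(p, dst)
    return any(c.consumer == s and c.provider == d and port in c.ports for c in p.contracts)


def demo():
    """Re-usability: add one Web host and the host-level rule set regrows on its own."""
    p = build_three_tier()
    before = len(translate(p))
    p.epgs["Web"].members.append("10.0.1.12")
    after = len(translate(p))
    web_to_app = is_allowed(p, "10.0.1.12", "10.0.2.10", 443)   # permitted by the Web->App contract
    web_to_db = is_allowed(p, "10.0.1.12", "10.0.3.10", 50124)  # no Web->DB contract: denied
    return before, after, web_to_app, web_to_db


if __name__ == "__main__":
    print("\n".join(translate(build_three_tier())))
    print(demo())
```

The rule count grows multiplicatively (consumers × providers × ports) with every host added, which is why the per-host approach takes weeks to maintain; the group-level check stays one lookup regardless of how many members each EPG has.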


Why Single Fabric?

Save on capital and operational costs of physically separate DC environments for DMZ and internal (and potentially other security perimeters)

Enable automation and the other benefits across the board that ACI is attempting to bring:
– Faster application deployment
– Application health score
– Lower complexity for orchestration

Larger resource pools: spare resources can be moved to where they are needed, irrespective of domain

Greater flexibility

Some application architecture visibility enhancements:
– Service chains
– Application health scores


Single Fabric Risks

• Large fault domain → rely on resilience in the product architecture
• Potential impact from less trusted zones on ‘trusted’ zones → the fabric needs to protect itself from errant nodes/leafs
• Logical controls being bypassed (previously physical controls):
  – User error → use limited fabric consumer privileges via ARBAC
  – Administrator access too broad → use granular administrative controls
  – Malicious user → need trust in logical controls, auditing

The Context Aware Network


Why now?

Evolution of the borderless enterprise
– 400 Cisco sites => 29,000+ (including CVO)
– Persistent endpoint connectivity with AnyConnect
– “Work is no longer somewhere you go. It’s something you do”

Emergence of cloud computing
– Location of data no longer fixed
– Mixture of internal & external cloud services & data repositories

BYOD & proliferation/commoditization of endpoints


Cisco’s current device landscape (Dec 31, 2013)

[Chart] 122,694 Corporate Provided Laptops (CYOD); 67,663 Personally Owned Mobile Devices (BYOD); Other: 894. Further segment values from the chart whose labels did not survive: 16,688; 35,251; 14,309; 4,642; 79,969; 34,782; 7,943; 724.


Identity and Context

Identity + Context (Device, Location, Job Role) = Access


Why the Context Aware Network?

Identity is the new perimeter and Device is the new office
– The old model, relying upon a hardened and clearly defined perimeter, is no longer viable or secure
– Users are productive based on their endpoint, not only their location

No access layer security on our LAN
– Particularly concerning in IP Control Zones (ICZ), i.e. “heightened risk geographies”
– No visibility of users or devices
– No ability to confirm compliance (“posture validation”)

ISE allows us to manage access to
– Network via 802.1X (i.e. user’s identity)
– Locations or zones via Secure Group Access (i.e. user’s role)
– Data or applications

Enables the entire future network access strategy (Trusted Device Standard etc.)


The four stages of the journey

1. Profiling
• Identity of a device on the network
• Quantify the risk

2. Authentication
• User and end device attribution
• Identification of end points on wireless connections

3. Posture
• Device security posture identification
• Allows for better policy & security decisions

4. Enforcement
• Ability to enforce policy decisions based on context
• Untrusted devices have restricted access

Roadmap: FY13/14 – ISE 1.2 Profiling; FY14 – ISE 1.2 802.1X; FY15 – ISE 1.3 802.1X Auth Mode, MDM; FY16 – ISE 2.0 802.1X Auth Mode, MDM


Cisco IT are delivering multiple capabilities with ISE

• Access Control – Authentication on wired & wireless networks
• BYOD – Support Trusted Device Standard and enable BYOD
• Profiling – Ability to identify users and devices on our network
• Endpoint Protection – Protect the network from infected devices
• ION – Restrict unauthorized devices & users to Internet access only
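The "Identity + Context = Access" slide, the four stages (profiling, authentication, posture, enforcement) and the ISE capability list above all describe one decision: given who the user is and what is known about the device and its location, what should it be allowed to reach? The Python below is an added example, not ISE or Cisco IT code, that models that decision as a small evaluator. Unauthenticated or untrusted devices land in Internet-only access (the slides’ ION), non-compliant devices are quarantined (Endpoint Protection), roles map to zones (Secure Group Access), and an ICZ location tightens the posture requirement. The attribute names, the zone and role tables, and the decision labels are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Access(Enum):
    FULL = "full"                # full corporate access in the requested zone
    ZONE_DENIED = "zone-denied"  # identity known, but context does not grant this zone
    INTERNET_ONLY = "ion"        # Internet access only (the slides' ION)
    QUARANTINE = "quarantine"    # non-compliant device sent for remediation


@dataclass(frozen=True)
class Endpoint:
    profile: str                       # stage 1 (profiling): device type seen on the network
    authenticated: bool                # stage 2 (authentication): 802.1X succeeded
    user_role: str                     # role attached to the authenticated identity
    posture_compliant: Optional[bool]  # stage 3 (posture): None when no agent reported
    trusted_device: bool               # meets the Trusted Device Standard (CYOD or registered BYOD)
    location: str                      # site or zone where the endpoint connected


ICZ_ZONES = {"ICZ-China", "ICZ-Other"}  # constructed "heightened risk geographies"
ROLE_ZONES = {                          # constructed role -> reachable zones (Secure Group Access)
    "engineer": {"corp", "labs"},
    "contractor": {"corp"},
}


def decide(ep: Endpoint, requested_zone: str) -> Tuple[Access, str]:
    """Stage 4 (enforcement): combine identity and context into one decision plus a reason
    string suitable for an audit log."""
    if not ep.authenticated:
        return Access.INTERNET_ONLY, "no verified identity (802.1X failed or absent)"
    if ep.posture_compliant is False:
        return Access.QUARANTINE, "device reported non-compliant posture"
    if not ep.trusted_device:
        return Access.INTERNET_ONLY, "device does not meet the Trusted Device Standard"
    if requested_zone not in ROLE_ZONES.get(ep.user_role, set()):
        return Access.ZONE_DENIED, f"role {ep.user_role!r} is not granted zone {requested_zone!r}"
    # In an ICZ a missing posture result or an unprofiled device is treated as a failure,
    # not as "unknown": the heightened-risk location removes the benefit of the doubt.
    if ep.location in ICZ_ZONES and (ep.profile == "unknown" or ep.posture_compliant is not True):
        return Access.ZONE_DENIED, "ICZ requires a profiled device with a compliant posture result"
    return Access.FULL, "identity, device, posture and role all satisfied"


SAMPLES = {  # constructed endpoints, one per branch of the policy
    "cyod-laptop-sjc":    (Endpoint("corporate-laptop", True,  "engineer",   True,  True,  "SJC"),       "labs"),
    "unknown-no-auth":    (Endpoint("unknown",          False, "",           None,  False, "SJC"),       "corp"),
    "infected-laptop":    (Endpoint("corporate-laptop", True,  "engineer",   False, True,  "SJC"),       "corp"),
    "unregistered-phone": (Endpoint("phone",            True,  "engineer",   None,  False, "SJC"),       "corp"),
    "contractor-to-labs": (Endpoint("corporate-laptop", True,  "contractor", True,  True,  "SJC"),       "labs"),
    "icz-no-posture":     (Endpoint("corporate-laptop", True,  "engineer",   None,  True,  "ICZ-China"), "corp"),
}


def evaluate_samples():
    """Return {sample name: access value} for every constructed endpoint."""
    return {name: decide(ep, zone)[0].value for name, (ep, zone) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ep, zone) in SAMPLES.items():
        access, why = decide(ep, zone)
        print(f"{name:20s} -> {access.value:12s} ({why})")
```

The ordering of the checks matters: identity is established before posture is consulted, and a device that fails posture is quarantined rather than dropped to Internet-only, because an infected host still reaching the Internet is exactly what the Endpoint Protection capability is meant to stop.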


Cisco IT deployment lessons learned

Avoid the “Big Bang”
– Too many new capabilities to enable in a single deployment.

“ISE Deployment Bundle” model
– Capabilities have been grouped into bundles to enable targeted & manageable deployments

Multiple clusters consolidated
– Partner with the business and tailor deployment to use a single cluster where possible
– “Start with one cluster and add more if necessary”

Global Infrastructure Foundation
– Deploy global VM infrastructure and ISE servers first
– Enable features (based on “ISE Deployment Bundles”) theatre by theatre
– ION enabled and deployed globally


[Timeline chart: Q2 FY14 to Q4 FY15, Nov through Jul of the following year]

Tracks: ION; Profiling (Global); 802.1X Monitor Mode (Global); 802.1X Auth Mode (Global Wireless); CVO Auth on ISE (Global); EPS Pilot (China ICZ, EIC) then Global; 802.1X Auth Mode (ICZs) then 802.1X Auth Mode (ROW)

Current Challenges
• Platform OS support
• Scalability
• MDM integration

Upcoming enhancements
• Scalability improvements
• Guest enhancements
• REST API enhancements

Q & A


Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2014 Polo Shirt!

Complete your Overall Event Survey and 5 Session Evaluations:
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile
• Visit any Cisco Live Internet Station located throughout the venue

Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm

Don’t forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year. Log into your Cisco Live portal and click the "Enter Cisco Live 365" button. www.ciscoliveaustralia.com/portal/login.ww