Securing Cisco’s Network: Inside Cisco IT
Simon Finn, Solutions Architect, Information Security
Oisin MacAlasdair, Member of Technical Staff, Information Technology
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Cisco Landscape
• Trends Changing the Security Landscape
• Architecture Overview
• Major Programs: Data Center Security (Application Centric Infrastructure, ACI); Context-Aware Networking (Identity Services Engine, ISE)
Cisco Enterprise and What We Must Protect
• 16 major Internet connections, ~32 TB bandwidth used daily
• ~3 TB network data collected per day
• 110k workforce, 165 countries
• ~3M IP addresses
• 2500+ IT applications
• 215,000 infrastructure devices, 275,000 total hosts
• 1820 labs
• 160+ acquisitions
• 400+ cloud/ASP providers used (officially)
• 294 partners using 547 IT extranet connections into Cisco
• 312 sites, 450+ buildings, 42 data centers
• 5,400 routers, 5,300 switches, 27,000 home routers
Trends Elevating the Importance of Security
• BYOD / Mobile
• SaaS / Cloud
• Externalizing Data & Apps
• Collaboration / Social / Data Analytics
• Advanced Threats
• Regulations
The Threats are Evolving

| | 2000 | 2005 | 2013 | Next |
|---|---|---|---|---|
| Industry posture | Unprotected desktops | Unmanaged desktops | Proliferating device types | Cloud-connected ecosystem |
| Malware | Worms | Rapidly changing and proliferating | Sophisticated | Beyond Windows |
| Network behavior | Disruptive | Compromised hosts remotely controlled | Opaquely compromised hosts exfiltrate sensitive data | Hidden in e-mail and social networking |
| Threat depth | Annoyance | Individual host | Sensitive infrastructure | Embedded |
| Industry response | Deploy AV | 1) Deploy HIPS; 2) Detect botnets via IDS | 1) Detect via reputation; 2) Automate prevention; 3) Detect via behaviour | 1) Augment detection with intel; 2) Detect via precursors; 3) Diversify intelligence and methods |
Transformational Principles
Perspectives about security have changed:
– "It's a roadblock" -> Security enables the business
– "It's not my problem" -> Everyone needs to own security
Technology metamorphoses:
– Disjointed point solutions -> Integrated architectural play
– Physical infrastructure, slow to change -> Virtual infrastructure: flexible, dynamic, change-ready
– The office contains all my stuff -> My mobile devices are my office (data, apps, voice, video)
Architecture approach has changed:
– Perimeters as the control point -> Identity is the new perimeter
– Focus on protecting the infrastructure -> Focus on protecting the data
– Capabilities not tightly aligned -> Services, service categories, service offerings
The threats have changed:
– Individuals -> Hacktivism
– Disparate groups -> Nation states
– Capture individual users' data -> Gain access to your data (and your customers' data)
Architecture Driving Current and Future Investments
Layers: Data Security; Policy and Compliance (visibility); Enforcement (control); Security Operations; IT Governance.

Key capabilities and services:
Governance
• Service Security Prime role
• Governance decision-making model
• Next-generation policies
• Security-IT OM integration
• Unified Security Metrics (USM)
• Operational security excellence
Data Security
• Data inventory
• Data ownership and accountability
• Data visibility and control
• Data monitoring
Capture, Detect and Contain
• Data collection
• Forensic analysis
Secure Infrastructure
• Device profiling, registration and posture assessment
• Contextual network/application access
• DC zone segmentation
Identity and Access
• Foundational SSOT (single source of truth) identity
• Federated identity
• Fine-grained access policy management
• Strong, multifactor authentication
• Anomaly detection
Security Accountability Metrics Model
"99% of all compromises required moderate-to-little sophistication." (2013 Verizon Breach Report)
Model (diagram): vulnerability and performance data roll up into Unified Service Metrics; service security accountability runs from the service owner through the service executives to the CIO.
Security Analytics
• Collect (logs and telemetry): Syslog, DNS, WSA (Web Security Appliance), NetFlow
• Detect (detection tools): IDS, Lancope (NetFlow analytics), advanced malware detection
• Intelligence (industry intelligence): Cisco, law enforcement, partners
• Workflow: Analyze -> Playbook -> Mitigate -> Remediate
• Mitigation levers: SDN, ACI, ACLs, blackhole routing
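The collect/detect/intelligence/playbook flow above, as an added example written for this page rather than taken from Cisco IT: Python that parses constructed DNS syslog and NetFlow-style records, matches them against a constructed intelligence feed plus an outbound-volume heuristic, and emits the mitigation steps a playbook might produce (a quarantine ACL entry and a blackhole route). The log formats, the 50 MB threshold, the indicators and the command shapes are assumptions.

```python
"""Added example (not Cisco IT's tooling): a minimal collect -> detect ->
intelligence -> playbook pipeline over constructed telemetry.
The log formats, the 50 MB threshold, the indicator feed and the mitigation
command shapes are assumptions made for this illustration."""
import ipaddress
from collections import defaultdict

# Constructed "industry intelligence" feed: indicator -> source that supplied it
INTEL = {
    "update-cdn.example": "partner",
    "203.0.113.45": "law-enforcement",
}

# Outbound bytes to a single external host that we treat as worth a look (assumed)
EXFIL_BYTES_THRESHOLD = 50_000_000

# Enterprise address space is assumed to be RFC 1918. ipaddress.is_private would
# also count documentation ranges such as 203.0.113.0/24, so check explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed syslog-style DNS query lines: "<ts> dns client=<ip> query=<name>"
DNS_LOG = """\
2014-03-20T10:01:02Z dns client=10.1.5.20 query=www.cisco.com
2014-03-20T10:01:09Z dns client=10.1.5.20 query=update-cdn.example
2014-03-20T10:02:15Z dns client=10.1.7.31 query=mail.example.net
"""

# Constructed NetFlow-style export: "<src>,<dst>,<proto>,<dport>,<bytes>"
NETFLOW = """\
10.1.5.20,203.0.113.45,6,443,61000000
10.1.5.20,198.51.100.9,6,80,12000
10.1.7.31,10.1.9.8,6,445,900000000
10.1.8.44,198.51.100.77,6,443,72000000
"""


def parse_dns(text):
    """Collect: turn DNS syslog lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _tag, fields = line.split(" ", 2)
        kv = dict(f.split("=", 1) for f in fields.split())
        records.append({"ts": ts, "client": kv["client"], "query": kv["query"]})
    return records


def parse_netflow(text):
    """Collect: turn NetFlow CSV lines into records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect(dns_records, flows, intel):
    """Detect: match telemetry against intelligence and a volume heuristic.
    Returns (internal host, reason, indicator) tuples in detection order."""
    findings = []
    for r in dns_records:
        if r["query"] in intel:
            findings.append((r["client"], "dns-intel-hit", r["query"]))
    # Aggregate outbound bytes per (internal src, external dst) pair
    volume = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            volume[(f["src"], f["dst"])] += f["bytes"]
    for (src, dst), nbytes in volume.items():
        if dst in intel:
            findings.append((src, "flow-intel-hit", dst))
        elif nbytes > EXFIL_BYTES_THRESHOLD:
            findings.append((src, "high-outbound-volume", dst))
    return findings


def playbook(findings):
    """Playbook: map each finding to a mitigation step. Intelligence hits get an
    automatic quarantine ACE for the host plus a blackhole route for the external
    indicator; volume-only hits go to an analyst before anything is blocked."""
    actions, quarantined = [], set()
    for host, reason, indicator in findings:
        if reason in ("dns-intel-hit", "flow-intel-hit") and host not in quarantined:
            actions.append(f"deny ip host {host} any")  # IOS-style ACE (assumed shape)
            quarantined.add(host)
        if reason == "flow-intel-hit":
            actions.append(f"ip route {indicator} 255.255.255.255 Null0")  # RTBH (assumed)
        if reason == "high-outbound-volume":
            actions.append(f"analyst-review {host} -> {indicator}")
    return actions


if __name__ == "__main__":
    for action in playbook(detect(parse_dns(DNS_LOG), parse_netflow(NETFLOW), INTEL)):
        print(action)
```

The split between automatic and analyst-gated actions is the design choice worth copying: an indicator from a feed is a decision someone else already made, so blocking is cheap; a volume threshold on its own produces false positives (backups, CDN uploads) and should page a human before a route is nulled.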
Policy Managed Network

Defining and Applying Network Policy: Today vs ACI
Today: the application, security and network teams define the policy; the network team translates it into device-specific configuration and then instantiates it device by device. Elapsed time: weeks.
ACI (application-centric networking): the same teams define the policy once, as an application network profile for the tenant made of endpoint groups (EPG: Web, EPG: App, EPG: DB) joined by contracts; the controller translates and instantiates it across the fabric. Elapsed time: minutes. Benefits: faster instantiation, better visibility, portability, re-usability.
The same three-tier policy as it is written today, one ACL entry per host pair and port (addresses masked):
permit tcp host XX.XXX.X.XXX host XX.XX.XX.XX eq www
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 443
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 50124
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq www
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 443
permit tcp host XX.XXX.X.XXX host XX.XXX.X.XXX eq 50124
permit tcp XX.XXX.X.XXX host XX.XXX.X.XXX eq www
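As an added example that is not part of the original deck and not ACI/APIC code: a Python model of the EPG-and-contract idea above. It expands group-level contracts into the kind of per-host ACL entries shown, checks a flow against the profile (anything without a contract is denied), and shows that adding an endpoint changes only group membership, not the policy. The data model, function names and endpoint addresses are assumptions; the ports (www/80, 443, 50124) are the ones in the slide's ACL.

```python
"""Added example (not APIC/ACI code): a simplified application network profile
(EPGs plus contracts) that a controller could translate into per-endpoint ACL
entries. The data model, endpoint addresses and helper names are assumptions;
ports 80 (www), 443 and 50124 are the ones the slide's ACL uses."""
import copy
from itertools import product

PORT_NAMES = {80: "www"}  # IOS prints well-known port 80 as "www"

# Constructed profile for one tenant: three tiers, whitelist contracts between them
PROFILE = {
    "tenant": "ExampleApp",
    "epgs": {
        "Web": ["192.0.2.10", "192.0.2.11"],
        "App": ["192.0.2.20"],
        "DB":  ["192.0.2.30"],
    },
    # (consumer EPG, provider EPG, protocol, destination port)
    "contracts": [
        ("Web", "App", "tcp", 80),
        ("Web", "App", "tcp", 443),
        ("App", "DB",  "tcp", 50124),
    ],
}


def instantiate(profile):
    """Translate + instantiate: expand each group-level contract into one ACE per
    endpoint pair. Anything not produced here is implicitly denied."""
    aces = []
    epgs = profile["epgs"]
    for consumer, provider, proto, port in profile["contracts"]:
        for src, dst in product(epgs[consumer], epgs[provider]):
            aces.append(f"permit {proto} host {src} host {dst} eq {PORT_NAMES.get(port, port)}")
    return aces


def is_permitted(profile, src, dst, proto, port):
    """Policy check: a flow is allowed only if a contract joins the EPGs of src and dst
    in that direction. Unknown endpoints belong to no EPG and are denied."""
    membership = {ip: epg for epg, ips in profile["epgs"].items() for ip in ips}
    src_epg, dst_epg = membership.get(src), membership.get(dst)
    return (src_epg, dst_epg, proto, port) in set(profile["contracts"])


def add_endpoint(profile, epg, ip):
    """Portability/re-use: a new endpoint joins a group; the contracts are untouched.
    Returns a new profile so the original stays intact."""
    updated = copy.deepcopy(profile)
    updated["epgs"][epg].append(ip)
    return updated


if __name__ == "__main__":
    for ace in instantiate(add_endpoint(PROFILE, "Web", "192.0.2.12")):
        print(ace)
```

Scaling a Web tier from two hosts to three grows the rendered ACL from five to seven entries while the contract list stays the same three lines, which is the "weeks versus minutes" argument in miniature: the artefact people review and reuse is the contract, and the per-host entries are derived output.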
Why Single Fabric?
• Save on the capital and operational costs of physically separate DC environments for DMZ and internal zones (and potentially other security perimeters)
• Enable automation and the other benefits ACI is attempting to bring across the board: faster application deployment, lower complexity for orchestration, larger resource pools (spare capacity can be moved to where it is needed irrespective of security domain), greater flexibility
• Some application architecture visibility enhancements: service chains, application health scores
Single Fabric Risks
• Large fault domain: relies on resilience in the product architecture
• Potential impact from less-trusted zones on "trusted" zones: the fabric needs to protect itself from errant nodes/leafs
• Logical controls being bypassed, where previously the controls were physical:
  – user error: limit fabric consumer privileges via role-based access control (RBAC)
  – administrator access too broad: use granular administrative controls
  – malicious user: requires trust in the logical controls, plus auditing
Why Now?
• Evolution of the borderless enterprise
  – 400 Cisco sites => 29,000+ (including Cisco Virtual Office, CVO)
  – Persistent endpoint connectivity with AnyConnect
  – "Work is no longer somewhere you go. It's something you do."
• Emergence of cloud computing: the location of data is no longer fixed; a mixture of internal and external cloud services and data repositories
• BYOD and the proliferation/commoditization of endpoints
Cisco's current device landscape (Dec 31, 2013) (chart): 122,694 corporate-provided laptops (CYOD) and 67,663 personally owned mobile devices (BYOD).
Identity and Context
Identity + Context (Device, Location, Job Role) = Access
Why the Context-Aware Network?
• Identity is the new perimeter and the device is the new office
• The old model, relying on a hardened and clearly defined perimeter, is no longer viable or secure
• Users are productive based on their endpoint, not only their location
• No access-layer security on our LAN
  – Particularly concerning in IP Control Zones (ICZ), i.e. "heightened-risk geographies"
  – No visibility of users or devices
  – No ability to confirm compliance ("posture validation")
• ISE allows us to manage access to:
  – the network via 802.1X (i.e. the user's identity)
  – locations or zones via Security Group Access (i.e. the user's role)
  – data or applications
• Enables the entire future network access strategy: Trusted Device Standard, etc.
The Four Stages of the Journey
1. Profiling: identity of a device on the network; quantify the risk
2. Authentication: user and end-device attribution; identification of endpoints on wireless connections
3. Posture: device security posture identification; allows better policy and security decisions
4. Enforcement: ability to enforce policy decisions based on context; untrusted devices have restricted access
Roadmap: FY13/14 ISE 1.2 profiling; FY14 ISE 1.2 802.1X; FY15 ISE 1.3 802.1X auth mode and MDM; FY16 ISE 2.0 802.1X auth mode and MDM
Cisco IT is delivering multiple capabilities with ISE:
• Access Control: authentication on wired and wireless networks
• BYOD: support the Trusted Device Standard and enable BYOD
• Profiling: ability to identify users and devices on our network
• Endpoint Protection: protect the network from infected devices
• ION: restrict unauthorized devices and users to Internet access only
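An added example, not Cisco ISE's policy language or Cisco IT's configuration: a first-match rule table in Python that maps identity plus context (device profile, trust status, posture, site zone, job role) to an authorization result, covering the capabilities listed above (802.1X access control, BYOD, profiling, endpoint protection, ION) and the "identity + context = access" equation. Attribute names, zone names, roles and the authorization profile values are assumptions.

```python
"""Added example (not Cisco ISE code): an ordered, first-match authorization
policy that turns identity plus context (device, location, job role, posture)
into a network access result. Attribute names, zone names, roles and the
authorization profile values are assumptions for this illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str]    # None when there is no authenticated identity (failed 802.1X, no supplicant)
    auth_method: str       # "dot1x" (802.1X) or "mab" (MAC authentication bypass)
    device_type: str       # from profiling, e.g. "windows-laptop", "iphone", "printer"
    trusted_device: bool   # meets the Trusted Device Standard (assumed: corporate-managed)
    posture: str           # "compliant", "noncompliant" or "unknown"
    zone: str              # site zone: "ICZ" (heightened-risk geography) or "standard"
    role: str              # job role from the identity store


# Authorization profiles (assumed names): what the switch or WLC enforces for the session
ION        = {"dacl": "INTERNET_ONLY", "sgt": "Unknown"}
QUARANTINE = {"dacl": "REMEDIATION_ONLY", "sgt": "Quarantine"}
BYOD       = {"dacl": "BYOD_LIMITED", "sgt": "BYOD"}
PRINTER    = {"dacl": "PRINTER_ONLY", "sgt": "Printer"}
ICZ_EMP    = {"dacl": "ICZ_RESTRICTED", "sgt": "ICZ_Employee"}
EMPLOYEE   = {"dacl": "PERMIT_ALL", "sgt": "Employee"}

ICZ_ALLOWED_ROLES = {"engineer", "site-ops"}  # assumed roles cleared for ICZ sites

# Ordered rules: (name, condition, profile). First match wins; the last rule is the default.
RULES = [
    # 1. profiling: a MAB printer gets a printer-only policy, never a user policy
    ("Printer-MAB",         lambda s: s.auth_method == "mab" and s.device_type == "printer", PRINTER),
    # 2. authentication: no 802.1X identity -> ION (Internet only)
    ("ION-Unauthenticated", lambda s: s.user is None or s.auth_method != "dot1x",            ION),
    # 3. posture: failed posture -> remediation network only
    ("Noncompliant",        lambda s: s.posture == "noncompliant",                            QUARANTINE),
    # 4. enforcement by context: untrusted devices are tightest in ICZ sites
    ("ICZ-Untrusted",       lambda s: s.zone == "ICZ" and not s.trusted_device,               ION),
    ("BYOD-Limited",        lambda s: not s.trusted_device or s.posture == "unknown",         BYOD),
    ("ICZ-Employee",        lambda s: s.zone == "ICZ" and s.role in ICZ_ALLOWED_ROLES,        ICZ_EMP),
    ("ICZ-Other",           lambda s: s.zone == "ICZ",                                         ION),
    ("Employee-Full",       lambda s: True,                                                   EMPLOYEE),
]


def authorize(session):
    """Return (matched rule name, authorization profile) for a session."""
    for name, cond, profile in RULES:
        if cond(session):
            return name, profile
    raise AssertionError("RULES must end with a catch-all")


if __name__ == "__main__":
    # Constructed sessions: an unauthenticated laptop and a compliant ICZ engineer
    for s in (Session(None, "dot1x", "windows-laptop", False, "unknown", "standard", "engineer"),
              Session("carol", "dot1x", "windows-laptop", True, "compliant", "ICZ", "engineer")):
        print(s.user, authorize(s))
```

Rule order is the security-relevant part: the profiling and posture rules sit above the role rules so that a well-known identity on an infected or unmanaged device still lands in a restricted profile, and the catch-all at the bottom is the only place a full-access result can come from.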
Cisco IT Deployment Lessons Learned
• Avoid the "big bang": there are too many new capabilities to enable in a single deployment
• "ISE Deployment Bundle" model: capabilities are grouped into bundles to enable targeted, manageable deployments
• Consolidate multiple clusters: partner with the business and tailor the deployment to use a single cluster where possible ("start with one cluster and add more if necessary")
• Global infrastructure foundation: deploy the global VM infrastructure and ISE servers first, then enable features (based on the ISE Deployment Bundles) theatre by theatre
• ION enabled and deployed globally
Deployment Timeline (Q2 FY14 to Q4 FY15, November 2013 to July 2015)
• ION
• Profiling (global)
• 802.1X Monitor Mode (global)
• 802.1X Auth Mode (global wireless)
• CVO authentication on ISE (global)
• EPS pilot (China ICZ, EIC), then global
• 802.1X Auth Mode (ICZs), then 802.1X Auth Mode (rest of world)
Current challenges: platform OS support; scalability; MDM integration
Upcoming enhancements: scalability improvements; guest enhancements; REST API enhancements
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2014 polo shirt: complete your overall event survey and five session evaluations, directly from your mobile device on the Cisco Live Mobile App, on the Cisco Live mobile site (www.ciscoliveaustralia.com/mobile), or at any Cisco Live Internet Station throughout the venue. Polo shirts can be collected in the World of Solutions on Friday 21 March, 12:00pm to 2:00pm.
Don't forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year: log into your Cisco Live portal (www.ciscoliveaustralia.com/portal/login.ww) and click the "Enter Cisco Live 365" button.