Network as a Sensor and Enforcer (Cisco Live BRKSEC-2026)
Source: d2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKSEC-2026.pdf

May 08, 2018

Page 2: Network as a Sensor and Enforcer

Matthew Robertson - Technical Marketing Engineer

Page 3: Why are we here today?

Page 4: Managing the Insider Threat

Page 5: Insider Threats

Page 6: About This Session: Building Security into the Network

Diagram labels: The Cisco Network; Security Group Tags; NetFlow; Identity Services Engine; StealthWatch.

THIS SESSION: Bringing it all together

Page 7: Building Security into the Network

Identify and control policy, behaviour and threats

• NetFlow: Transactional data
• SGT: Enforce Group Policy
• ISE: Discover assets & direct policy
• StealthWatch: Transactional visibility & intelligence
• Context sharing and dynamic response

Page 8: Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network
• Discover and Classify Assets
• Design and Model Policy
• Enforce Policy
• Active Monitoring: Policy, NBAD
• Rapid Threat Containment
• Summary

Page 9: About Me: Your Master Builder for Today

Matt Robertson
• Security Technical Marketing Engineer
• Focused on Advanced Threat
• Author of 3 CVDs
• 8 years at Cisco: development, TME, Lancope
• Sorry, also Canadian

Page 10: Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility

Page 11: Segmentation begins with visibility

You can’t protect what you can’t see. Who is on the network and what are they up to?

Page 12: ISE: Identifying the Who

Authentication (host supplied):
• User & Device Authentication
• MAC Authentication bypass
• Web portal

Profile (collected):
• Infrastructure provided (DHCP, HTTP, etc)
• Signature based

Result: Authenticated Session Table (attributes per session)

Page 13: NetFlow: Identifying the what

Diagram: 10.2.2.2 port 1024 talking to 10.1.1.1 port 80, observed on eth0/1 and eth0/2.

Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT  | DGT  | TCP Flags
10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5         | 1025       | 100  | 1010 | SYN,ACK,PSH
10:20:12.871 | eth0/2    | 10.1.1.1 | 80       | 10.2.2.2 | 1024      | TCP   | 17        | 28712      | 1010 | 100  | SYN,ACK,FIN

Page 14: NetFlow = Transactional Visibility

Router# show flow monitor CYBER-MONITOR cache
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 1010
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http

A single NetFlow Record provides a wealth of information

Page 15: Components for NetFlow Security Monitoring

Cisco Network (exports NetFlow)

UDP Director
• UDP packet copier
• Forward to multiple collection systems

StealthWatch FlowSensor (VE)
• Generate NetFlow data
• Additional contextual fields (ex. App, URL, SRT, RTT)

StealthWatch FlowCollector
• Collect and analyse
• Up to 2000 sources
• Up to sustained 240,000 fps

StealthWatch Management Console
• Management and reporting
• Up to 25 FlowCollectors
• Up to 6 million fps globally

Best Practice: Centralise collection globally

Page 16: NetFlow Collection: Flow Stitching

Diagram: 10.2.2.2 port 1024 talking to 10.1.1.1 port 80, exported from eth0/1 and eth0/2.

Uni-directional flow records:

Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT  | DGT
10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5         | 1025       | 100  | 1010
10:20:12.871 | eth0/2    | 10.1.1.1 | 80       | 10.2.2.2 | 1024      | TCP   | 17        | 28712      | 1010 | 100

Bi-directional:
• Conversation flow record
• Allows easy visualisation and analysis

Start Time   | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Client SGT | Server SGT | Interfaces
10:20:12.221 | 10.2.2.2  | 1024        | 10.1.1.1  | 80          | TCP   | 1025         | 5           | 28712        | 17          | 100        | 1010       | eth0/1, eth0/2

Page 17: NetFlow Collection: De-duplication

Diagram: 10.2.2.2 port 1024 to 10.1.1.1 port 80 through Sw1, Sw2, Sw3 and the ASA; every device in the path exports its own copy of the flow.

Start Time   | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | App  | Client SGT | Server SGT | Exporter, Interface, Direction, Action
10:20:12.221 | 10.2.2.2  | 1024        | 10.1.1.1  | 80          | TCP   | 1025         | 5           | 28712        | 17          | HTTP | 100        | 1010       | (list below)

Exporter, Interface, Direction, Action for this one conversation:
• Sw1, eth0, in
• Sw1, eth1, out
• Sw2, eth0, in
• Sw2, eth1, out
• ASA, eth1, in
• ASA, eth0, out, Permitted
• ASA, eth0, in, Permitted
• ASA, eth1, out
• Sw3, eth1, in
• Sw3, eth0, out
• Sw1, eth1, in
• Sw1, eth0, out
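The stitching and de-duplication on the two slides above, as an added Python example (not StealthWatch or Cisco code): it takes the uni-directional records that every exporter along the path emits, merges the two directions into one conversation record, counts each flow's bytes and packets once while keeping the exporter/interface/direction path, and decodes the numeric tcp flags field (the 0x1A in the show output corresponds to SYN,ACK,PSH). The sample records are constructed from the figures on the slides; treating the endpoint with the lower port number as the server is an assumed heuristic, not the collector's actual rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# TCP flag bits of the NetFlow "tcp flags" field, in the order the slides
# print them: 0x1A -> "SYN,ACK,PSH", 0x13 -> "SYN,ACK,FIN".
TCP_FLAG_BITS = [("SYN", 0x02), ("ACK", 0x10), ("PSH", 0x08),
                 ("FIN", 0x01), ("RST", 0x04), ("URG", 0x20)]


def decode_tcp_flags(value: int) -> str:
    return ",".join(name for name, bit in TCP_FLAG_BITS if value & bit)


@dataclass(frozen=True)
class UniFlow:
    """One uni-directional record as exported by a single device."""
    exporter: str
    interface: str
    direction: str                 # "in" or "out" on that interface
    start: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    bytes: int
    sgt: int                       # source group tag taken from the packet
    dgt: int                       # destination tag from the IP-SGT lookup
    tcp_flags: int
    action: Optional[str] = None   # e.g. "Permitted" on a firewall export

    @property
    def five_tuple(self) -> Tuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class Conversation:
    """Bi-directional record: both directions stitched, exporter copies de-duplicated."""
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    client_sgt: int = 0
    server_sgt: int = 0
    tcp_flags: int = 0             # union of the flags seen in both directions
    path: List[str] = field(default_factory=list)   # exporter, interface, direction[, action]


def conversation_key(f: UniFlow) -> Tuple:
    """Both directions map to one key. Assumed heuristic: the endpoint with the
    lower port number (80 here) is the server, the other endpoint the client."""
    a, b = (f.src_ip, f.src_port), (f.dst_ip, f.dst_port)
    client, server = (a, b) if a[1] > b[1] else (b, a)
    return (client, server, f.proto)


def stitch(records: List[UniFlow]) -> Dict[Tuple, Conversation]:
    convs: Dict[Tuple, Conversation] = {}
    counted = set()   # 5-tuples whose bytes/packets are already accounted for
    for f in records:
        client, server, proto = conversation_key(f)
        conv = convs.setdefault((client, server, proto), Conversation(
            start=f.start, client_ip=client[0], client_port=client[1],
            server_ip=server[0], server_port=server[1], proto=proto))
        conv.start = min(conv.start, f.start)
        conv.tcp_flags |= f.tcp_flags
        hop = f"{f.exporter}, {f.interface}, {f.direction}"
        conv.path.append(hop + (f", {f.action}" if f.action else ""))
        if f.five_tuple in counted:
            continue   # de-duplication: another exporter's copy of the same flow
        counted.add(f.five_tuple)
        if (f.src_ip, f.src_port) == client:
            conv.client_bytes, conv.client_pkts, conv.client_sgt = f.bytes, f.pkts, f.sgt
        else:
            conv.server_bytes, conv.server_pkts, conv.server_sgt = f.bytes, f.pkts, f.sgt
    return convs


# Constructed sample: the slides' two uni-directional records, each exported by
# every device the flow crosses (Sw1, Sw2, ASA, Sw3), twelve copies in total.
FWD = dict(start="10:20:12.221", src_ip="10.2.2.2", src_port=1024, dst_ip="10.1.1.1",
           dst_port=80, proto="TCP", pkts=5, bytes=1025, sgt=100, dgt=1010, tcp_flags=0x1A)
REV = dict(start="10:20:12.871", src_ip="10.1.1.1", src_port=80, dst_ip="10.2.2.2",
           dst_port=1024, proto="TCP", pkts=17, bytes=28712, sgt=1010, dgt=100, tcp_flags=0x13)
HOPS_FWD = [("Sw1", "eth0", "in", None), ("Sw1", "eth1", "out", None),
            ("Sw2", "eth0", "in", None), ("Sw2", "eth1", "out", None),
            ("ASA", "eth1", "in", None), ("ASA", "eth0", "out", "Permitted")]
HOPS_REV = [("ASA", "eth0", "in", "Permitted"), ("ASA", "eth1", "out", None),
            ("Sw3", "eth1", "in", None), ("Sw3", "eth0", "out", None),
            ("Sw1", "eth1", "in", None), ("Sw1", "eth0", "out", None)]
SAMPLE_RECORDS = ([UniFlow(e, i, d, action=a, **FWD) for e, i, d, a in HOPS_FWD]
                  + [UniFlow(e, i, d, action=a, **REV) for e, i, d, a in HOPS_REV])


def sample_conversation() -> Conversation:
    """Twelve exporter copies collapse into a single conversation record."""
    (conv,) = stitch(SAMPLE_RECORDS).values()
    return conv


if __name__ == "__main__":
    c = sample_conversation()
    print(f"{c.start} {c.client_ip}:{c.client_port} -> {c.server_ip}:{c.server_port} {c.proto} "
          f"client {c.client_bytes}B/{c.client_pkts}p server {c.server_bytes}B/{c.server_pkts}p "
          f"SGT {c.client_sgt}->{c.server_sgt} flags {decode_tcp_flags(c.tcp_flags)}")
    print("path:", " | ".join(c.path))
```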

Page 18: Adding Context and Situation Awareness

Context sources added to the flow record: NAT events; known Command & Control servers; user identity; application; application & URL; URL & username.

Page 19: Conversational Flow Record

Who, Who, What, When, How, Where (plus more context)
• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention

Page 20: Conversational Flow Record: Exporters

Path the flow is taking through the network

Page 21: NetFlow Analysis with StealthWatch

Identify additional Indicators of Compromise (IoC):
• Policy & Segmentation
• Network Behaviour & Anomaly Detection (NBAD)

Better understand / respond to an IoC:
• Audit trail of all host-to-host communication

Discovery:
• Identify business critical applications and services across the network

Page 22: Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network: Discover and Classify Assets

Page 23: ISE as a Telemetry Source

Cisco ISE sends syslog (Device/User Authentication, Device Profiling) to the StealthWatch Management Console, which uses the Authenticated Session Table to:
• Maintain historical session table
• Correlate NetFlow to username
• Build user-centric reports

Page 24: Configuration: Logging on ISE

1. Create Remote Logging Target on ISE
2. Add Target to Logging Categories

Required Logging categories:
• Passed Authentications
• RADIUS Accounting
• Profiler
• Administrative and Operational Audit

Page 25: Configuration: Add ISE to SMC

1. (Not Shown) Create Admin User on ISE
2. (Not Shown) Configure ISE or CA certificate on SMC
3. (Not Shown) Configure SMC or CA certificate on ISE
4. Add Cisco ISE nodes to SMC Configuration

Order to add nodes:
1. Primary MnT
2. Secondary MnT
3. Any PSNs

Page 26: StealthWatch-ISE Attribution Configuration

Lancope published:
• http://cs.co/StealthWatch_ISE_Attribution

Cisco published:
• http://www.cisco.com/c/dam/en/us/td/docs/security/network_security/ctd/ctd1-0/design_guides/ctd_1-1_dig.pdf
• http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sea_ctd.pdf
• http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/threat-defense/guide_c07-728137.pdf

Follow these guides

Page 27: Locate Services and Applications

Search for assets based on transactional data:
• Ex. Protocol (HTTP Servers, FTP Server, etc)

Identify servers

Page 28: Locate Assets

Find hosts communicating on the network
• Pivot based on transactional data

Page 29: Host Groups: Applied Situational Awareness

Virtual container of multiple IP Addresses/ranges that have similar attributes (example: Lab servers)

Best Practice: classify all known IP Addresses in one or more host groups

Page 30: Classify Assets with Host Groups

• User defined
• Model any Process/Application

Page 31: Understand Behaviour

List of all hosts communicating with HTTP Servers

Page 32: Understand Behaviour

Complete list of all hosts communicating with HTTP Servers: who, what, when, where, how

Page 33: Classify Applications

Classify business critical applications

Page 34: Model Business Critical Processes

PCI Zone Map: overall system profile; inter-system relationships

Page 35: Simplifying Segmentation with TrustSec

Traditional Segmentation: security policy based on topology; high cost and complex maintenance
• Access Layer, Aggregation Layer, Enterprise Backbone
• One VLAN per role (Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN, Quarantine VLAN) for Voice, Employee, Supplier, BYOD and Non-Compliant endpoints
• Each VLAN brings its own Address, DHCP Scope, Redundancy, Routing, Static ACL and VACL

TrustSec: use existing topology and automate security policy to reduce OpEx
• Voice VLAN and Data VLAN only; Employee, Supplier, BYOD and Non-Compliant endpoints share the Data VLAN and are distinguished by tag (Employee Tag, Supplier Tag, Non-Compliant Tag)
• ISE: Central Policy Provisioning
• No VLAN Change
• No Topology Change
• Micro/Macro Segmentation
• Tags travel from the Access Layer across the Enterprise Backbone to the DC Firewall / Switch and DC Servers, where Policy is applied

Page 36: Network Segmentation with TrustSec

Example context: Username: johnd; Group: Store Managers; Location: Store Office; Time: Business Hour. Resulting Security Group: Manager. Enforcement on Switches, Routers, Firewall, DC Switch and Hypervisor SW protects the Resource ("AUTHORISED PERSONNEL ONLY").

Segmentation based on roles
• Not based on IP addresses, VLANs etc

Role based on context
• AD, LDAP attributes, device type, location, time, access methods, etc…

Use Tagging technology
• To represent logical group (Classification)
• To enforce policy on switches, routers, firewalls

Software Defined
• Policy managed centrally
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network dynamically

Page 37: What TrustSec Provides

• Software defined Network Segmentation
• Context-based Data Access
• Agile Security Policy Changes and Simpler Management
• Context based Service Chaining

Page 38: TrustSec Functions

Classification: Static, Dynamic
Propagation: Inline, SXP
Enforcement: SGACL, SG-FW, WSA

Diagram: security groups 5 Employee, 6 Supplier, 8 Suspicious; hosts A and B carrying tags 8 and 5.

Page 39: TrustSec in Action

Classification, Propagation, Enforcement across the Network between Application Servers and Database Servers

Page 40: Cisco TrustSec Segmentation

Diagram: Enterprise Backbone with Policy applied; Voice and Data VLANs at each site carrying Suppliers, Employee and Non Compliant endpoints.

• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic

Page 41: Campus Segmentation

Diagram: Suppliers, Employee and Non Compliant endpoints with Filtered Access between groups.

• Segmented traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)
• Micro-Segmentation with single policy (segment devices even in same VLAN)

Page 42: Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network: Discover and Classify Assets; Design and Model Policy

Page 43: Starting a TrustSec Design

Discuss assets to protect
• Example: Cardholder Data, Medical Record, intellectual data

Classification Mechanisms
• Example: Dynamic, Static, etc.

Policy Enforcement Points
• DC segmentation (DC virtual/physical switches or virtual/physical Firewalls)
• User to DC access control
• (Identify capable switches or firewalls in the path)

Propagation Methods
• Inline Tagging
• SXP
• DM-VPN
• GET-VPN
• IPSec
• OTP etc..

Page 44: Security Group Initial Considerations

• Unlike traditional segmentation/access control…
  • Adding dynamically assigned groups later with TrustSec should be easy
  • No configuration impact on infrastructure
• Keep groups as simple as possible whilst still meeting policy requirements
  • Should not be necessary to transfer complexity, e.g. extensive AD groups, into Security Groups
• Consider if all roles need a tag assigned?
• Remember that group membership may change

Page 45: How to Tag Users / Devices?

• TrustSec decouples network topology and security policy to simplify access control and segmentation
• Classification process groups network resources into Security Groups

Classification methods shown (endpoints: PC, MAC):
• Dynamic, through ISE for user/device/location at the Cisco access layer (campus & VPN access): 802.1X, MAB, Web Authentication, Profiling
• Static, on NX-OS/CIAC/Hypervisors (data centre/virtualisation) and IOS/Routing, covering non-Cisco & legacy environments and business partner and supplier access controls: IPv4 Prefix Learning, IPv6 Prefix Learning, IPv6 Prefix-SGT, IPv4 Subnet-SGT, Address Pool-SGT, VLAN-SGT, IP-SGT, Port Profile, Port-SGT

Page 46: Identify Where SGTs Need to be Assigned

Network layers: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, DC Dist/Access (with WLC, FW and Hypervisor SW).

Assignment mechanisms along the path:
• Dynamic Classification (campus access switches and WLC)
• VLAN-SGT Mapping
• SVI (L3 Interface) to SGT
• L2 Port to SGT
• VM (Port Profile) to SGT
• Subnet-SGT

Page 47: Enabling Classifications

• If per-user authorisation is not in place
  • Enabling VLAN, subnet, L3 Interface mappings can provide coarse classification initially
  • Per-user authorisation and SXP can then ‘override’ static classification
• Many systems may get ‘Unknown SGT’ assignments initially
  • Focus on the explicit classifications needed to meet policy
• Keeping classifications simple can mean days not weeks to enable

Page 48: Deployment Approach

Catalyst® Switches/WLC
• Users connect to network, Monitor mode allows traffic regardless of authentication
• Authentication can be performed passively resulting in SGT assignments

Enterprise Network
• Classified traffic traverses the network allowing monitoring and validation that:
  • Assets are correctly classified
  • Traffic flows to assets are as predicted/expected

Monitor Mode policy matrix:

SRC \ DST       | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100) | Permit all        | Permit all         | Permit all
PCI User (105)  | Permit all        | Permit all         | Permit all
Unknown (0)     | Permit all        | Permit all         | Permit all

Page 49: Configuring Inline Tagging

interface TenGigabitEthernet1/5
 cts manual
  policy static sgt 2 trusted

C6K2T-CORE-1#sho cts interface brief
Global Dot1x feature is Enabled
Interface GigabitEthernet1/1:
    CTS is enabled, mode: MANUAL
    IFC state: OPEN
    Authentication Status: NOT APPLICABLE
        Peer identity: "unknown"
        Peer's advertised capabilities: ""
    Authorization Status: SUCCEEDED
        Peer SGT: 2:device_sgt
        Peer SGT assignment: Trusted
    SAP Status: NOT APPLICABLE
    Propagate SGT: Enabled
    Cache Info:
        Expiration : N/A
        Cache applied to link : NONE
    L3 IPM: disabled.

• Always “shut” and “no shut” interfaces after any cts manual or cts dot1x change
• ‘cts manual’ config for inline tagging generally used
• ‘cts dot1x’ alternative depends on AAA reachability - unless new ‘critical auth’ feature used & timers set carefully

Page 50: Creating The Policy Matrix

Matrix dimensions: Source Group, Destination Group, Action

• How do I know my policy works?
• How do I decide what protocols?
• How do I know if I am tagging?

I can help here

Page 51: SGT in NetFlow Fields

Source Tag:
• Retrieved from the packet

Destination Tag:
• Derived based on destination IP Address

Switch Derived Source Tag:
• 4K only: value applied on the packet on egress

SGT Table:
• 6K only: export in NetFlow template data tables mapping Security Group Tags to Security Group Names

SGACL Drop Record:
• 6K only: generate a flow record on a SGACL drop

Page 52: SGT-NetFlow Device List

Device                            | First Release                  | Source Tag    | Destination Tag | Switch-Derived SGT | SGT Table | SGACL Drop Record
Catalyst 6500 (Sup2T)             | IOS 15.1(1)SY1                 | Yes (match)   | Yes (match)     | No                 | Yes       | Yes (dedicated monitor)
ISR, ASR, CSR                     | IOS XE 3.13S                   | Yes           | Yes             | No                 | No        | No
Catalyst 3850, 3650               | IOS XE 3.7.1E / IOS XE 3.6.3E* | Yes (match)   | Yes (match)     | No                 | No        | No
Catalyst 4500 (Sup 7-E, 7L-E, 8-E) | IOS XE 3.7.1E / IOS XE 3.6.3E* | Yes (collect) | Yes (collect)   | Yes                | No        | No
ASA                               | 9.1.3                          | No            | No              | No                 | No        | NSEL Record
StealthWatch FlowSensor           | 6.8                            | Yes           | No              | No                 | No        | No

Page 53: Considerations: 3850

!
flow monitor cts-cyber-monitor-in
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-in
!
!
flow monitor cts-cyber-monitor-out
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-out
!
interface GigabitEthernet1/0/1
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!
vlan configuration 100
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!

Ingress:
• Source Tag Sources:
  • Derived from packet header
• DGT Sources:
  • Derived based on destination IP lookup
  • SGACL enforcement must be enabled
  • Trunk link only

Egress:
• Source Tag Sources:
  • Incoming packet header
  • Port configured SGT
  • IP to SGT mapping
• Destination Tag Sources:
  • Derived based on destination IP lookup
  • Requires SGACL enforcement to be enabled
  • Trunk link only

Page 54: Considerations: 3850

!
flow record cts-cyber-3k-in
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow record cts-cyber-3k-out
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!

Page 55: Considerations: 4500 Sup 7-E, 7L-E, 8-E

Source Tag:
• Packet header
• Maximum 12K distinct SRC-IPs

Destination Tag:
• Derived based on destination IP

Switch Derived Source Tag:
• SGT enforced on the packet from the switch
• Policy acquisition
• SGT in the packet
• SGT lookup on source IP
• Port SGT lookup
• SGT on packet at egress

!
flow record cts-cyber-4k
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect flow cts source group-tag
 collect flow cts destination group-tag
 collect flow cts switch derived-sgt
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

Page 56: Considerations: 6500 Sup 2T

!
flow record cts-cyber-6k
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow cts source group-tag
 match flow cts destination group-tag
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

TrustSec data table:
• Export SGT-SGN mapping in NetFlow template

SGACL Drop:
• Flow record generated on a drop
• Requires dedicated Flow Monitor

Source Tag:
• Packet header
• IP-SGT lookup

Destination Tag:
• Derived based on destination IP lookup

http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/appc_cat6k.html

Page 57: Considerations: 6500 Sup2T

SGACL Drop config:

!
flow exporter ise
 destination 10.1.100.3
 source TenGigabitEthernet2/1
 transport udp 9993
 option cts-sgt-table timeout 10
!
flow monitor FNF_SGACL_DROP
 exporter ise
 record cts-record-ipv4
!
cts role-based ip flow monitor FNF_SGACL_DROP dropped
!

Exporter and monitor:

!
flow exporter CYBER_EXPORTER
 destination 10.1.100.230
 source TenGigabitEthernet2/1
 transport udp 2055
 option cts-sgt-table timeout 10
!
flow monitor CYBER_MONITOR
 exporter CYBER_EXPORTER
 cache timeout active 60
 record cts-cyber-6k
!

Page 58: Considerations: ISR, ASR, CSR

!
flow record cts-cyber-ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!

Source Tag:
• Packet header
• IP-SGT lookup

Destination Tag:
• Destination IP lookup

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/cts-fnf.pdf

Page 59: Modeling Policy in StealthWatch

Custom event triggers on a traffic condition:
• Rule name and description
• Source Tag and Destination Tag
• Trigger on traffic in both directions; successful or unsuccessful

Page 60:

Modeling Policy in StealthWatch

Create flow-based rules for all proposed policy elements. A Policy Violation alarm will trigger if the condition is met, simulating the proposed drop.

Page 61:

Modeling Policy: Alarm Occurrence

Alarm dashboard showing all Policy alarms. Details of “Employee to Productions Servers” alarm occurrences.

Page 62:

Modeled Policy: Flow Details

Flow detail view (figure): who (source), who (destination), what, when, how and where, together with the Source Tag and Destination Tag of the flow. Is this communication permissible? Yes: tune the rule. No: respond.

Page 63:

Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network
• Discover and Classify Assets
• Enforce Policy
• Design and Model Policy

Page 64:

Enabling Enforcement

• Enforcement may be enabled gradually, on a per-destination-security-group basis
• Initially use SGACLs with deny logging enabled (remove log later if not required)
• Keep the default policy as permit and allow ‘unknown SGT’ traffic during deployment

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Deny all            Deny all             Deny all
PCI User (105)     Permit all          Permit all           Deny all
Unknown (0)        Deny all            Deny all             Deny all

Diagram: Catalyst® Switches/WLC in Monitor Mode; ISE; DC Switch in front of the PCI Server, Production Server and Development Server.
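The following is an added worked example, not code from the deck or from Cisco or Lancope. It puts the policy-modelling slides and the enforcement matrix above together: the SRC \ DST matrix and SGT numbers are the ones on the slide, the flow records are constructed sample data, and the "Policy Violation" alarm text imitates the StealthWatch flow-based rule. In monitor mode nothing is dropped and every flow the proposed matrix would deny raises an alarm; in enforce mode the same lookup decides permit or deny. The `default` and `permit_unknown` parameters implement the two deployment-phase bullets (default permit, and permitting unknown-SGT traffic until the rollout is complete).

```python
"""Simulate a proposed TrustSec SGACL matrix in monitor and enforce mode.

Added example (not from the deck or from Cisco/Lancope code).  The matrix
cells and SGT numbers are the ones on the slide; the flow records are
constructed sample data, and the "Policy Violation" alarm text imitates
the StealthWatch flow-based rule from the policy-modelling slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Security group tags as shown on the slide.
EMPLOYEES, PCI_USER, UNKNOWN = 100, 105, 0
PCI_SERVER, PROD_SERVER, DEV_SERVER = 2000, 1000, 1010

# Proposed egress matrix: (source SGT, destination SGT) -> action.
PROPOSED_MATRIX: Dict[Tuple[int, int], str] = {
    (EMPLOYEES, PCI_SERVER): "deny",
    (EMPLOYEES, PROD_SERVER): "deny",
    (EMPLOYEES, DEV_SERVER): "deny",
    (PCI_USER, PCI_SERVER): "permit",
    (PCI_USER, PROD_SERVER): "permit",
    (PCI_USER, DEV_SERVER): "deny",
    (UNKNOWN, PCI_SERVER): "deny",
    (UNKNOWN, PROD_SERVER): "deny",
    (UNKNOWN, DEV_SERVER): "deny",
}


@dataclass(frozen=True)
class Flow:
    """The subset of a cts-enabled NetFlow record this simulation needs."""
    src_ip: str
    dst_ip: str
    dst_port: int
    src_sgt: int
    dst_sgt: int


def lookup(matrix: Dict[Tuple[int, int], str], src_sgt: int, dst_sgt: int,
           default: str = "permit", permit_unknown: bool = True) -> str:
    """Return "permit" or "deny" for one SGT pair.

    Cells missing from the matrix fall back to `default`; the slide's
    deployment advice is to keep that at permit.  While `permit_unknown`
    is True, flows from the unknown SGT (0) are permitted even though the
    finished matrix denies them, which is the other half of that advice.
    """
    if permit_unknown and src_sgt == UNKNOWN:
        return "permit"
    return matrix.get((src_sgt, dst_sgt), default)


def model_policy(matrix, flows: List[Flow], **kw) -> List[str]:
    """Monitor-mode pass: drop nothing, but raise one Policy Violation
    alarm for every flow the proposed matrix would have denied."""
    alarms = []
    for f in flows:
        if lookup(matrix, f.src_sgt, f.dst_sgt, **kw) == "deny":
            alarms.append(
                f"Policy Violation: SGT {f.src_sgt} -> SGT {f.dst_sgt} "
                f"({f.src_ip} -> {f.dst_ip}:{f.dst_port})")
    return alarms


def enforce_policy(matrix, flows: List[Flow], **kw) -> Dict[str, List[Flow]]:
    """Enforce-mode pass: return the flows split by the action applied."""
    result: Dict[str, List[Flow]] = {"permit": [], "deny": []}
    for f in flows:
        result[lookup(matrix, f.src_sgt, f.dst_sgt, **kw)].append(f)
    return result


# Constructed sample flows (addresses and tags are illustrative only).
SAMPLE_FLOWS = [
    Flow("10.1.10.5", "10.1.40.10", 443, EMPLOYEES, PROD_SERVER),   # would be dropped
    Flow("10.1.10.9", "10.1.40.30", 443, PCI_USER, PCI_SERVER),     # permitted
    Flow("10.1.10.9", "10.1.40.20", 22, PCI_USER, DEV_SERVER),      # would be dropped
    Flow("10.1.10.77", "10.1.40.10", 22, UNKNOWN, PROD_SERVER),     # unknown SGT
    Flow("10.1.10.5", "10.1.10.6", 445, EMPLOYEES, EMPLOYEES),      # no cell: default permit
]

if __name__ == "__main__":
    for alarm in model_policy(PROPOSED_MATRIX, SAMPLE_FLOWS):
        print(alarm)
    print("denied once unknown SGT is no longer permitted:",
          len(model_policy(PROPOSED_MATRIX, SAMPLE_FLOWS, permit_unknown=False)))
```

Running the monitor pass first, as the slides recommend, shows which existing flows the proposed matrix would break (here the employee-to-production and PCI-user-to-development flows) before any SGACL is downloaded to a switch; flipping `permit_unknown` to False previews the extra drops that appear once unknown-SGT traffic is no longer tolerated.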

Page 65:

Centralised SGACL Management in ISE

Page 66:

Applying SGACL Policies in ISE (Tree view)

Page 67:

Applying SGACLs (ISE 2.0)

SGACL_1:

permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip

Page 68:

SGACL Downloads

• New Servers provisioned, e.g. Prod Server & Dev Server roles
• DC switches request policies for the assets they protect
• Policies downloaded & applied dynamically
• What this means:
  • All controls centrally managed
  • Security policies de-coupled from the network
  • No switch-specific security configs needed
  • Wire-rate policy enforcement
  • One place to audit network-wide policies

Diagram: Prod_Servers (Prod_Server, SGT=7) and Dev_Servers (Dev_Server, SGT=10) behind SGACL enforcement switches, with sources tagged SGT=3, SGT=4 and SGT=5. Switches request policies for the assets they protect and pull down only the policies they need.

Page 69:

Enabling Policy Enforcement in Switches

• After setting up SGT/SGACL in ISE, you can now enable SGACL Enforcement on network devices
• Devices need to be defined in ISE and provisioned to talk to ISE (omitted from these slides for brevity)
• If switches have SGT assignments they will download policy for the assets they are protecting

Enabling SGACL Enforcement globally and for a VLAN:

Switch(config)#cts role-based enforcement
Switch(config)#cts role-based enforcement vlan-list 40

As an example, defining IP to SGT mappings for servers on a switch:

Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5
Switch(config)#cts role-based sgt-map 10.1.40.20 sgt 6
Switch(config)#cts role-based sgt-map 10.1.40.30 sgt 7

Page 70:

Policy Enforcement on Firewalls: ASA SG-FW

• Can still use a Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT
• Switches inform the ASA of Security Group membership
• Security Group definitions come from ISE
• Trigger FirePOWER services by SGT policies

Page 71:

Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network
• Discover and Classify Assets
• Enforce Policy
• Design and Model Policy
• Active Monitoring
  • Policy
  • NBAD

Page 72:

Active Monitoring

Page 73:

Segmentation Monitoring in StealthWatch

Custom event triggers on a traffic condition. Trigger on traffic in both directions, successful or unsuccessful. Rule fields: Source Tag, Destination Tag, rule name and description.

Page 74:

Segmentation Monitoring with StealthWatch

Alarm dashboard showing all Policy alarms

Page 75:

Segmentation Monitoring with StealthWatch

PCI Zone Map: define the communication policy between Zones and monitor for violations.

Page 76:

StealthWatch NBAD Model

Algorithm → Security Event → Alarm

• Algorithm: track and/or measure behaviour/activity
• Security Event: suspicious behaviour observed or anomaly detected
• Alarm: notification of security event generated

Page 77:

Alarm Categories

Each category accrues points.

Page 78:

Example Alarm Category: Concern Index

Concern Index: track hosts that appear to be compromising network integrity. Security events: over 90 different algorithms.

Page 79:

StealthWatch: Alarms

Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour or established policies
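An added illustration of the NBAD model on slides 76 to 79 (algorithm raises security event, events accrue points in a category, category crossing its threshold raises an alarm). This is not StealthWatch code: the deck gives no point values, thresholds or event names, so the weights, the per-host threshold, the event type names and the sample events below are all assumptions made for the example.

```python
"""Toy Concern Index accumulator for the StealthWatch NBAD model.

Added example, not StealthWatch code: the slides say each alarm category
accrues points from security events raised by its algorithms, but give no
point values or thresholds, so the weights and threshold here are assumed
for illustration, as are the event names and the sample events.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed points awarded per occurrence of each security event type.
EVENT_POINTS: Dict[str, int] = {
    "addr_scan": 16,
    "port_scan": 32,
    "syn_flood": 64,
    "ping_oversized": 8,
}
CI_THRESHOLD = 100  # assumed per-host alarm threshold

Event = Tuple[str, str, int]  # (host_ip, event_type, occurrences)


def accrue_concern_index(events: Iterable[Event],
                         points: Dict[str, int] = EVENT_POINTS,
                         threshold: int = CI_THRESHOLD):
    """Algorithm -> security event -> alarm, kept as a points ledger.

    Returns (ci_by_host, alarms).  `alarms` lists hosts in the order their
    accumulated index first crossed `threshold`; a host alarms once, so
    later events only raise its score.  Event types without an assigned
    weight are skipped rather than guessed at.
    """
    ci: Dict[str, int] = defaultdict(int)
    alarms: List[str] = []
    for host, event_type, count in events:
        if event_type not in points:
            continue
        before = ci[host]
        ci[host] += points[event_type] * count
        if before < threshold <= ci[host]:
            alarms.append(host)
    return dict(ci), alarms


# Constructed sample security events, in arrival order.
SAMPLE_EVENTS: List[Event] = [
    ("10.1.10.5", "addr_scan", 3),        # 48
    ("10.1.10.9", "ping_oversized", 1),   # 8
    ("10.1.10.5", "port_scan", 2),        # 48 + 64 = 112: crosses threshold, alarm
    ("10.1.10.5", "addr_scan", 1),        # 128, no second alarm for the same host
    ("10.1.10.9", "unknown_event", 5),    # no weight assigned: ignored
]

if __name__ == "__main__":
    scores, alarmed = accrue_concern_index(SAMPLE_EVENTS)
    print(scores, alarmed)
```

The point of the ledger is that no single event has to be conclusive: a host accumulates concern across several low-weight events from different algorithms, and the alarm fires on the total, which is the behaviour the "each category accrues points" slide describes.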

Page 80:

Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network
• Discover and Classify Assets
• Enforce Policy
• Design and Model Policy
• Active Monitoring
  • Policy
  • NBAD
• Rapid Threat Containment

Page 81:

Rapid Threat Containment: Managing the Threat

Page 82:

Quarantine from StealthWatch

Page 83:

ANC Quarantine: ISE Live Log

Live log callouts: Security Group Assignment; EPSStatus check

Page 84:

WAIT! How did this dark magic happen?

Page 85:

Adaptive Network Control

Extension of the endpoint monitoring and controlling capabilities

Endpoint control based on IP or MAC address

Three actions:
• Quarantine
• Unquarantine
• Shutdown wired access ports

Enable a change of the authorisation state
• Through administrative action
• Without modification of the overall authorisation policy
• Supported in both wired and wireless environments

Page 86:

ANC Quarantine Flow

ISE nodes involved: PSN, MnT, PAN

1. Endpoint is connected
2. StealthWatch issues quarantine instruction to PAN
3. PAN issues quarantine instruction to MnT
4. MnT instructs PSN to invoke a CoA
5. Endpoint is disconnected through CoA
6. Endpoint reconnects and authenticates
7. RADIUS request
8. Quarantine check
9. Quarantine profile applied

Page 87:

Configuring ANC on ISE 2.0

1. Enable ANC (EPS)
   • Enabled by default on ISE 2.0
2. Create Quarantine authorisation profile or Security Group
3. Create Quarantine Authorisation Policy
4. Manually quarantine or unquarantine
   • Based on IP or MAC address

Page 88:

Exception Authorisation Policy

Assign to SGT Suspicous_Investigate and Permit Access

EPSStatus in Session

Best Practice

Page 89:

Configuration of RTC with StealthWatch and ISE

1. Enable pxGrid
2. Provision pxGrid server certificate
3. Provision pxGrid client certificate
4. Configure pxGrid node connection
5. Assign SMC to EPS Group in
6. Configure pxGrid node connection

pxGrid Node

Page 90:

Configuration of RTC with StealthWatch and ISE

Lancope published:
• http://cs.co/StealthWatch_ISE_Remediation

Cisco published:
• http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-101-Deploying_Lancope_StealthWatch_with_pxGrid.pdf

Follow these guides

Page 91:

So now what?

Page 92:

Suspicous_Investigate Egress Policy

Create an Egress Policy for the suspicious Security Group

Page 93:

SGACL

Create a meaningful SGACL for Suspicious hosts:
• Restrict applications and services
• Block access to Business Critical Processes
• Prevent access to Intellectual Property

Page 94:

SGT Based Policy Based Routing

route-map native_demo permit 10
 match security-group source tag Employee
 match security-group destination tag Critical_Asset
 set interface Tunnel1
!
route-map native_demo permit 20
 match security-group source tag Suspicious
 match security-group destination tag Critical_Asset
 set interface Tunnel2
!
route-map native_demo permit 30
 match security-group source tag Guest
 set vrf Guest

Diagram labels: Network A with User A (Employee), User B (Suspicious) and User C (Guest); Router / Firewall; Enterprise WAN; Inspection Router; VRF-GUEST; Policy-based Routing based on SGT; SGT-based VRF Selection.

Available Today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)
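The route-map above is easy to misread as a lookup table, but a route-map is evaluated in sequence order with first match winning, and an entry matches only when every one of its match clauses matches. The following added example (not Cisco code) encodes the three entries of route-map native_demo from the slide and applies those semantics as this simulation understands them, including the two cases the slide leaves implicit: entry 30 has no destination clause, so Guest traffic to any destination lands in the Guest VRF, and a packet matching no entry (for instance Suspicious traffic that is not headed for a Critical_Asset) simply follows normal destination-based routing. Tag names are the ones on the slide; nothing else is from the deck.

```python
"""First-match evaluation of an SGT-based policy-based-routing route-map.

Added example, not Cisco code.  Entries are tried in sequence order; an
entry matches only if all of its match clauses match; the first matching
permit entry's set action is applied; a packet matching no entry follows
normal routing.  Tag names mirror route-map native_demo on the slide.
"""
from typing import List, Optional, Tuple

# Mirrors route-map native_demo on the slide.  "match" holds the clauses
# of one entry; a missing "dst" clause means any destination tag matches.
NATIVE_DEMO: List[dict] = [
    {"seq": 10, "match": {"src": "Employee", "dst": "Critical_Asset"},
     "set": ("interface", "Tunnel1")},
    {"seq": 20, "match": {"src": "Suspicious", "dst": "Critical_Asset"},
     "set": ("interface", "Tunnel2")},
    {"seq": 30, "match": {"src": "Guest"},
     "set": ("vrf", "Guest")},
]


def route(src_tag: str, dst_tag: str,
          route_map: List[dict] = NATIVE_DEMO) -> Tuple[str, Optional[str]]:
    """Return the (action, argument) the route-map applies to a packet
    carrying the given source and destination security group tags, or
    ("normal-routing", None) when no entry matches."""
    for entry in sorted(route_map, key=lambda e: e["seq"]):
        clauses = entry["match"]
        if "src" in clauses and clauses["src"] != src_tag:
            continue
        if "dst" in clauses and clauses["dst"] != dst_tag:
            continue
        return entry["set"]
    return ("normal-routing", None)


if __name__ == "__main__":
    for src, dst in [("Employee", "Critical_Asset"), ("Suspicious", "Critical_Asset"),
                     ("Guest", "Critical_Asset"), ("Suspicious", "Employee")]:
        print(f"{src:>10} -> {dst:<14} : {route(src, dst)}")
```

When reviewing a PBR design like this one, the no-match case is the one to check deliberately: traffic from the Suspicious group that is not destined for a Critical_Asset is not steered anywhere by this route-map, so any inspection that is meant to cover all of that group's traffic needs a further entry or an SGACL alongside it.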

Page 95:

FirePOWER Services Redirect

Create a service policy to forward suspicious traffic to FirePOWER Services

Page 96:

Agenda

• Introduction
• Understanding the Landscape
• Components of Network Visibility
• Segmenting the Network
• Discover and Classify Assets
• Enforce Policy
• Design and Model Policy
• Active Monitoring
  • Policy
  • NBAD
• Rapid Threat Containment
• Summary

Page 97:

Related Sessions:

• TECSEC-2666 – TrustSec / NGFW and NGIPS
  • Tuesday, March 8, 9:00 AM - 6:00 PM
• BRKSEC-2690 – Deploying Security Group Tags
  • Kevin Regan – Wednesday, March 9, 4:30 PM – 6:00 PM
• BRKSEC-3690 – Advanced Security Group Tags
  • Kevin Regan – Friday, March 8, 8:45 AM – 10:45 AM
• BRKCRS-2891 – Enterprise Network Segmentation (with Cisco TrustSec)
  • Hari Holla – Wednesday, March 9, 4:30-6:00 PM
• BRKSEC-2653 – Cyber Range
  • Paul Qiu – Wednesday, March 9, 4:30 PM – 6:00 PM
• BRKSEC-2044 – Building an Enterprise Access Control Architecture using ISE and TrustSec
  • Hosuk Won – Thursday, March 8, 8:30 AM – 10:30 AM

Page 98:

Call to Action

Visit the World of Solutions for:
• Security Zone:
  • Identity Services Engine
  • Cisco Cyber Threat Defence Solution
• Enterprise Networking Zone:
  • Network as a Sensor / Enforcer

Meet The Expert: Matt Robertson
• Thursday 12-2 pm

More Reading:
• http://www.cisco.com/go/stealthwatch
• http://www.cisco.com/go/trustsec
• http://www.cisco.com/go/ctd

Page 99:

Complete Your Online Session Evaluation

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations.
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected Friday 11 March at Registration

Page 100:

Key Takeaways

NetFlow and Lancope StealthWatch provide visibility and intelligence

TrustSec is used to dynamically (micro)segment the network

The network is a key asset for threat detection and control

Page 101:

Q & A

Page 102:

Page 103:

Thank you

Page 104: