Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166

Published byJohnathon Holes Modified over 10 years ago

Similar presentations

Presentation on theme: "© 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166"— Presentation transcript:

1 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166 peruzick@cisco.com

2 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 2 Evolution to Network Access Control Topology Aware to Role Aware Network Address-based Access Control  ACL, VACL, PACL, PBACL etc Network Admission Control (NAC)  Posture validation endpoint policy compliance Cisco TrustSec  Network-wide role-based access control  Network device access control  Consistent policies for wired, wireless and remote access Identity-Based Access Control  Flexible authentication options: 802.1x, MAB, WebAuth, FlexAuth  Comprehensive post-admission control options: dACL, VLAN assignment, URL redirect, QoS…

3 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 3 Authorized Port Enabled Port Status Campus Access Security Vulnerability & Countermeasure Authenticator ACS Wall Jack in Conference Room Or Cubical Area Wiring Closet Switch Campus LAN Authentication Server EAPOL Start EAP Request Port Status Un-Authorized EAP Response (w/ Credentials) Relay Credentials to AAA via RADIUS RADIUS-Accept Supplicant Miscreant User Can Spoof MAC Address of the Authenticated User and gain network access undetected 802.1AE/SAP Enabled Authenticator ACS Wall Jack in Conference Room Or Cubical Area Wiring Closet Switch Campus LAN Authentication Server EAPOL StartEAP Request EAP Response (w/ Credentials) Relay Credentials to AAA via RADIUS RADIUS-Accept (w/ PMK) 802.1AE/SAP Capable Supplicant Miscreant User Can’t Spoof MAC Address of encrypted packets, if encryption is not enable the user’s packets don’t contain integrity information (SA or ICV) and are blocked. PMK used to initiate 4-Way SAP exchange Authorized Encrypted Port Enabled Port Status Cisco TrustSec (CTS) Extends 802.1X to provide continuous data protection Holistic Prevention of: MiM, Spoofing, Tampering & Replay Attacks Prevents Shadow Hosts Attacks Port Status Un-Authorized Countermeasure TrustSec (802.1AE/SAP)

4 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 4 Benefits of Hop-by-Hop Link Encryption In Campus Secure Hop-by-hop Communications Preserves IT Tools For Network Management  Layer 3+ end-to-end encryption for IP traffic and payload  No packet visibility => Prevents IT IDS, Network analysis tools  Doesn’t prevent layer 2 attacks (e.g. MAC spoofing, stealing) E2E  Hop-by-hop security prevents layer 2 attacks  IT has network control, using familiar network tools (IDS, anti-virus, …)  Allows incremental deployment over most vulnerable domains HxH LinkSec

5 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 5 Cipher DataIn the ClearCipher DataIn the ClearCipher Data Link Layer Encryption TrustSec /802.1 AE Encrypted  Hop-by-Hop packet confidentiality and integrity via IEEE 802.1AE  “Bump-in-the-wire” model Packets are encrypted on egress Packets are decrypted on ingress Packets are in the clear in the device  Allows the network to continue to perform all the packet inspection features currently used  Can be incrementally deployed depending on link vulnerability Decrypt On Ingress Interface DecryptIncrypt Encrypt On Egress Interface Packets in the Clear Inside the System

6 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 6 Internet EnterpriseCampus Example Authorization Rule: Authorization Rule : if ((user Role = CRM) then apply SGT = Confidential Authorization Rule : if ((user Role = Finance) then apply SGT = Confidential Authorization Rule : if ((user Role = Portal Y) then apply SGT = Unrestricted Authorization Rule : if ((user Role = Portal Z) then apply SGT = Unrestricted Authorization Rule : if ((user Role = Intranet Portal) then apply SGT = Sensitive Authorization Rule : if ((user Role = ERP) then apply SGT = Confidential Authorization Rule : if ((user Role = Portal Y) then apply SGT = Unrestricted Authorization Rule : if ((user Role = Campus Edge) then apply SGT = Ent. Campus Authorization Rule : if ((user Role = Internet Edge) then apply SGT = Internet Authorization Rule : if ((user Role = Storage Class A) then apply SGT = Data Confidential Dynamic SGT & SGACL Assignment Finance CRMEPRPortal Y Storage Class A Intranet Portal Portal Z D U C CCCCCCCS D U I EE 2. Link Up or Port Enabled – Initiates Endpoint Authentication & Authorization 3. Host Identity Acquired (802.1X, MAB or Pre-provisioned Identity to Port Mapping (IPM)) and relayed via RADIUS to ACS Pre-provisioned Identity to Port Mapping (IPM) 802.1X, MAB or IPM 4. Identity credentials are authenticated and then Authorization Rules are processed, SGTs assigned and SGACLs applied Legend Unauthenticated Campus to DC Port Identity = Campus Edge Port Identity = Internet Edge Server Identity = * 1. Ensure Identities are pre-provisioned (host and or port mapping)

7 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 7 Internet I EnterpriseCampus Example 1: Bi-Directional Enterprise Campus & Unrestricted Servers Finance CRMEPRPortal Y Storage Class A Intranet Portal Portal Z All packets entering the data center from the campus edge are tagged as Ent. Campus Packets from Portal Y server are tagged as Unrestricted Legend Unauthenticated Campus to DC D U C CCCCCCCS D U EE

8 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 8 Unauthenticated Campus to DC Internet Finance CRMEPRPortal Y Storage Confidential Intranet Portal Portal Z I EE EnterpriseCampus D U All packets entering the data center from the campus edge are tagged as Ent. Campus Egress Filtering for Storage Array is tagged Data Confidential and the policy (SGACL) denies access from Ent. Campus All illustrated; communication from Ent. Campus are Denied to Data Confidential Example 2: Enterprise Campus to Data Confidential Legend C CCC D UCCCCS

9 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 9 IntraDC Use Case Internet Finance CRMEPRPortal Y Storage Confidential Intranet Portal Portal Z I EE EnterpriseCampus All packets from Portal Z are classified as Unrestricted Egress Filtering for Storage Array is tagged Data Confidential and the policy (SGACL) denies access from Unrestricted All illustrated; communication from Ent. Campus are Denied to Data Confidential Example 3: Unrestricted to Data Confidential Legend D U C CCCCCCCS D U

10 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 10 Data Center Use Case Internet Finance CRMEPRPortal Y Storage Confidential Intranet Portal Portal Z I EE EnterpriseCampus All packets from Storage Confidential are classified as Data Confidential Egress Filtering on the Internet tagged/filtered port denies access from Data Confidential Example 4: Data Confidential to Internet Legend D U C CCCCCCCS D U

11 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 11 Source: Ken Hook Comparison of encryption models Traffic Visibility & Network Manageability Single SA per Link - No Complex Key Management Server Required Hop-by-hop security – Prevents layer 2 attacks Transparent to hosts, applications and servers Packets remain in the clear inside the box preserving the Intelligent Information Network IT has network control, using familiar network tools (IDS, anti-virus, …) Allows incremental deployment over most vulnerable domains Layer 3+ end-to-end encryption for IP traffic and payload No packet visibility => Prevents IT IDS, Network analysis tools Doesn’t prevent layer 2 attacks (e.g. MAC spoofing, stealing) Complex Security Association maintenance E2E* HxH* Host to Server IPSec Negatively Impacts :Host to Server IPSec Negatively Impacts : Deep Packet Inspection Extended ACLs (port/protocol) Full Netflow (port/protocol) Limits QoS (ports) Dramatic reduction of Content & SLB capabilities Increased Network Latency Increased Host/Server CPU/Memory utilization for Header insertion/removal & SAs Weighted Fair Queuing (WFQ) - priority & other flow-based traffic prioritization Breaks NAT (Requires NAT-T) Core Network LinkSec Catalyst Catalyst Catalyst TrustSec Network LinkSec Cisco TrustSec preserves IT tools for network management * E2E = End-to-End, HxH = Hop-by-Hop

12 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 12 Data Center Confidentiality & Integrity  CTS - Network Device Admission Control (NDAC) Mutual Device Authentication (EAP-FAST) Confidential & Authenticated Data Communications CTS Data Center EAP-Fast EAPOL Start EAP_Fast EAPoL Request EAP Response (w/ Device Credentials) Relay Credentials to AAA via RADIUS RADIUS-Accept (w/ Env Data & PMK) PMK used to initiate 4-Way SAP exchange Authorized Encrypted Port Enabled Port Status ACS 5.0 EAPOL StartEAPoL RequestEAP Response (w/ Host Credentials) PMK used to initiate 4-Way SAP exchange Servers w/ 802.1AE NICs Relay Credentials to AAA via RADIUS RADIUS-Accept (w/ PMK) Port Status Un-Authorized Server w/ 802.1AE NICs  CTS - Endpoint Admission Control (EAC) –802.1X Machine Authentication –Confidential & Authenticated Data Communications

13 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 13 Cisco TrustSec Overview Identification and Authorization L2/L3 TrustSec Confidentiality and Integrity Scalable Topology Independent Access Control  Builds a Trusted Network Infrastructure with Network Device Admission Control (NDAC)  Extends IBNS and NAC by adding Topology Independent Ingress Security Group Assignment  Wire-rate Encryption and Data Integrity on L2 Ethernet Switch Ports  Preserves all network based accounting, deep packet inspection, and intelligent services  Uniform encryption—transparent to application, protocols, etc.  Centralized Access Control Policy Administration  Consistent Policy for Wired, Wireless and Remote Access VPNs  Network Access Control Policy is decoupled from Network Topology providing unparalleled scale

14 © 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 14

Download ppt "© 2008 Cisco Systems, Inc. All rights reserved.Cisco PublicTrustSec 1 Solving (not only) L2 Security Problems Petr Růžička, CSE CCIE #20166"

Similar presentations

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.

Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Network Access and 802.1X Klaas Wierenga SURFnet

Network Access and 802.1X Klaas Wierenga SURFnet
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Borderless Networks Enabling the Borderless Organisation Mark Jackson,

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Borderless Networks Enabling the Borderless Organisation Mark Jackson,
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Cisco TrustSec Security Solution Overview

Cisco TrustSec Security Solution Overview

Similar presentations

Ads by Google