Breakfast briefing, 20 May 2014: Securing Network Access
Jérôme Durand, Consulting Systems Engineer, Enterprise Networking Solutions
Federico Ziliotto, Consulting Systems Engineer, CCIE 23280 (Wireless, R&S)


DESCRIPTION

Firewalls are only effective if you control who is behind an IP address! Nobody considers doing without a firewall, yet we still see many deployments in which access is not fully protected (no access control on switch ports, no mechanism to prevent address theft, …). In this presentation we review the techniques for securing network access (802.1X, MAB, First Hop Security, ACLs, …) and cover the latest innovations in this area (Security Group Tags, profiling, EAP chaining, MACsec, Identity Services Engine, …). We will also see how putting security configurations in place can simplify the network and its operation.


Page 1: Title slide

Page 2: Agenda

Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.

•  802.1X on wired networks: myth or reality?
•  Advanced access control and demo
•  First hop security

Page 3: 802.1X on wired networks: myth or reality?

Page 4: Short History of Identity Services

Where do we come from, where do we go to?

•  In the Dark Ages, there was IEEE 802.1X
•  Then we had MAB, Auth-Fail VLAN, Guest VLAN, Deployment Modes, …
•  We will be finally walking upright with the help of the new version of the Identity Engine for TrustSec: Session Aware Networking

Page 5: Legos and Identity / IEEE 802.1X

Rolling out Identity can be a Tedious Task

•  We deliver a ton of useful and very specific features
•  Deployment scenarios address 80%, but the remaining 20% are the most complex
•  Where's my individual assembly instruction?
•  What do I do if I'm missing a specific brick (feature)?

Page 6: ACS / ISE: Brief History

•  Cisco Secure ACS: TACACS+ / RADIUS veteran
   •  Supports RADIUS and TACACS+
   •  Two major versions: Windows based (< 5.0) and Linux based (>= 5.0)
   •  As software only (< 5.0) and appliance (4.x and 5.x)

•  Identity Services Engine (ISE): New Kid on the Block
   •  Complete re-write (no TACACS+ as of today)
   •  Focusing on access control / identity / TrustSec
   •  Integrating formerly separate modules / products (profiler, guest services, RADIUS server, NAC)
   •  Recommended going forward for Identity Projects

Page 7: Thinking About Authentication

Planning grid used throughout the deck: rows are Desktops, Multiple Endpoints and Confidentiality; columns are Authentication, Authorization, Policy, and Teamwork & Organization. This slide fills in the Authentication column:

•  Desktops: Credentials, DBs, EAP, Supplicants, Agentless, Order / Priority
•  Multiple Endpoints: Windows GPO, machine auth, PXE, WoL, VM
•  Teamwork & Organization: Network, IT, Desktop

Page 8: IEEE 802.1X Provides Port-Based Access Control Using Authentication

Roles: Supplicant ("Client") talks EAP over LAN (EAPoL) over a Layer 2 point-to-point link to the Authenticator ("Switch"), which relays to the Authentication Server ("AAA / RADIUS Server") over RADIUS on a Layer 3 link.

Beginning:
   Supplicant -> Switch: EAPoL Start
   Switch -> Supplicant: EAPoL Request Identity
   Supplicant -> Switch: EAP-Response Identity: Alice
   Switch -> Server: RADIUS Access Request [AVP: EAP-Response: Alice]

Middle (multiple challenge-request exchanges possible):
   Server -> Switch: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
   Switch -> Supplicant: EAP-Request: PEAP
   Supplicant -> Switch: EAP-Response: PEAP
   Switch -> Server: RADIUS Access Request [AVP: EAP-Response: PEAP]

End:
   Server -> Switch: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
   Switch -> Supplicant: EAP Success

Page 9: Choosing Credentials for 802.1X

Common types and where they are validated:
•  Passwords: username / password (e.g. alice / c1sC0L1v), checked against a Directory
•  Certificates: issued and validated by a Certificate Authority
•  Tokens: validated by a Token Server

Deciding factors: Security Policy; Validation; Distribution & Maintenance

Page 10: How To Submit Credentials

Requirements:
•  Mutual Authentication: server must validate client's identity and vice versa
•  Security: client credentials cannot be snooped or cracked.

PEAP-MSCHAPv2:
•  Server Cert Authentication (against the Server CA): signed by trusted CA; belongs to allowed server
•  Encrypted Tunnel, inside which the Username / Password are sent
•  Client Authentication: known username; valid password

EAP-TLS:
•  Server Cert Authentication (against the Server CA): signed by trusted CA; belongs to allowed server
•  Client Cert Authentication (against the Client CA): signed by trusted CA; additional checks

Page 11: Users and Machines Can Have Credentials

Machine Authentication (e.g. host\win7):
•  Enables devices to access the network prior to (or in the absence of) user login
•  Enables critical device traffic (DHCP, NFS, Machine GPO)
•  Is required in managed wired environments

User Authentication (e.g. alice):
•  Enables user-based access control and visibility
•  If enabled, should be in addition to device authentication

Page 12: Business Case & Security Policy Determines Whether You Need User Auth

Example 1: Call Center
   Objective: Differentiated Access for Agents
   Conditions: Shared Use PCs (desktop)
   Method: PEAP
   Result: Machine + User

Example 2: Enterprise Campus
   Objective: Access for Corporate Assets Only
   Conditions: One Laptop = One User
   Method: EAP-TLS
   Result: Machine Only

Bonus Question: Could this customer enable password-based user authentication if they wanted to?

Page 13: Understanding Your Supplicant is Essential

Best Practice: Make Friends With Your Desktop Team!

Supplicant families: Open Source, Hardware, Native, Premium

Case: Massive Outage After OS Upgrade
•  XP SP2: single service & profile for all 802.1X (wired / wireless)
•  XP SP3 / Vista / Win 7 / Win 8: separate services and profiles for wired and wireless.
•  wired service is disabled by default
•  http://support.microsoft.com/kb/953650

Case: Auth Fail VLAN Doesn't Work
•  Switch expects 3 failures by default
•  XP SP3, Vista, Win 7, Win 8: 20 minute block timer on first EAP failure
•  http://support.microsoft.com/kb/957931
•  (config-if)#authentication event fail retry 0

Page 14: Machine and User Authentication

With the native Windows 802.1X supplicant:

•  The same EAP method is used for both machine and user.

•  Once logged in to Windows, since the user’s identity is available, only user authentication is triggered.

With Cisco AnyConnect NAM:

•  Different, separate EAP methods can be used for the machine and the user.

•  EAP Chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.

How to force a user to authenticate from an already authenticated machine?

Page 15: Machine Access Restriction (MAR)

•  Supplicant agnostic.
•  The network access device (NAD) sends the endpoint's MAC in the RADIUS attribute [31] Calling-Station-ID.
•  ISE caches the MAC address of the authenticated machine in the MAR cache.
•  When the user authenticates from the same device, ISE can tell it's from the previously authenticated machine thanks to the MAR cache.
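As an added illustration of the MAR cache described above (this is example code, not ISE's or Cisco's implementation): the cache is keyed by the MAC carried in Calling-Station-Id, which network access devices send in several spellings, so the model normalises it first; the TTL, the method names and the result strings are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Added example (not Cisco/ISE code): hypothetical in-memory model of the
# Machine Access Restriction (MAR) cache. TTL, names and result strings are assumed.


@dataclass
class MarCache:
    """Maps a normalised endpoint MAC to the time its machine authentication succeeded."""
    ttl_seconds: int
    entries: dict = field(default_factory=dict)

    @staticmethod
    def normalize(calling_station_id: str) -> str:
        """Canonicalise RADIUS [31] Calling-Station-Id, which NADs send in several
        spellings (00-0A-95-7F-DE-06, 00:0a:95:7f:de:06, 000a.957f.de06)."""
        digits = "".join(c for c in calling_station_id if c.isalnum()).lower()
        if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError(f"not a MAC address: {calling_station_id!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def record_machine_auth(self, calling_station_id: str, now: float) -> None:
        """Called when a machine authentication (e.g. host\\win7) succeeds."""
        self.entries[self.normalize(calling_station_id)] = now

    def machine_known(self, calling_station_id: str, now: float) -> bool:
        """True if this MAC passed machine authentication within the TTL;
        expired entries are dropped so a stale machine auth cannot be reused."""
        mac = self.normalize(calling_station_id)
        seen = self.entries.get(mac)
        if seen is None:
            return False
        if now - seen > self.ttl_seconds:
            del self.entries[mac]
            return False
        return True


def authorize_user(cache: MarCache, calling_station_id: str, now: float) -> str:
    """Authorization decision for a user whose credentials were already validated:
    full access only if the same MAC previously passed machine authentication."""
    if cache.machine_known(calling_station_id, now):
        return "corporate-access"
    return "restricted-access"


if __name__ == "__main__":
    cache = MarCache(ttl_seconds=3600)
    cache.record_machine_auth("00-0A-95-7F-DE-06", now=1000)
    print(authorize_user(cache, "000a.957f.de06", now=1500))        # corporate-access
    print(authorize_user(cache, "00:1B:54:AA:BB:CC", now=1500))     # restricted-access
    print(authorize_user(cache, "000a.957f.de06", now=1000 + 3601)) # restricted-access
```

The decision is only as good as the MAC in Calling-Station-Id, which is why the slide calls MAR "supplicant agnostic": nothing on the endpoint participates, the NAD's reporting and the cache lifetime do all the work.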

Page 16: EAP Chaining

•  Supported with AnyConnect 3.1 and ISE.
•  It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
•  If no user information is available (logged out), only machine credentials are used.
•  If the user's identity is also available, both machine and user information will be used for 802.1X authentication.

Page 17: Real Networks Can't Live on 802.1X Alone

Default Access Control is Binary

•  Unauthenticated switchport (802.1X enabled): only EAPoL is accepted; DHCP, TFTP, KRB5 and HTTP are dropped. This is where Employees with a bad credential, Guests, Managed Assets without a supplicant, and Rogue devices all end up.
•  802.1X passed: DHCP, TFTP, KRB5, HTTP and EAPoL all flow. Only the Employee with valid credentials gets here.

Page 18: MAC Authentication Bypass (MAB): "Authentication" for Clientless Devices

1) IEEE 802.1X timeout: the switch sends EAPoL: EAP Request-Identity three times and gets no answer.
2) MAB: any packet from the endpoint (MAC 00.0A.95.7F.DE.06) triggers
   Switch -> RADIUS Server: RADIUS Access-Request [AVP: 00.0A.95.7F.DE.06]
   RADIUS Server -> Switch: RADIUS Access-Accept

How Are MACs "Authenticated"?

Page 19: MAC Databases: Device Discovery

•  Find It: leverage existing asset database (e.g. Purchasing Department, CUCM)
•  Build It: bootstrap methods to gather data (e.g. SNMP, Syslog, Accounting)
•  Buy It: automated device discovery (e.g. ISE)

Page 20: Building Your MAB Database: Profiling Tools Are Evolving

Diagram elements: the Profiler and ACS are fed by SNMP, DHCP and MAC OUI data, by RADIUS Access-Request and RADIUS Accounting, and by LDAP; newer sources are Device Sensor 15.0(1)SE1 and ISE 1.1.

Page 21: To Fail or Not to Fail MAB? Two options for unknown MAC addresses

Option A: MAB fails
   RADIUS-Access Request (MAB) -> RADIUS-Access Reject
   MAB Fails – control of session passes to switch: 1) No Access 2) Switch-based Web-Auth 3) Guest VLAN

Option B: MAC is unknown but MAB "passes"
   RADIUS-Access Request (MAB) -> RADIUS-Access Accept (Guest Policy)
   Unknown MAC… apply Guest Policy
•  AAA server determines policy for unknown endpoints (e.g. network access levels, re-auth policy)
•  Good for centralized control & visibility of guest policy (VLAN, ACL)

Page 22: Thinking About Authorization

Same planning grid as before (rows Desktops, Multiple Endpoints, Confidentiality; columns Authentication, Authorization, Policy, Teamwork & Organization). This slide fills in the Authorization column:

•  Desktops: Pre-Auth, VLAN, ACL, Failed Auth, AAA down
•  Multiple Endpoints: Phones, Link State, VMs, Desktop Switches

Page 23: Authorization Options: Pre-Authentication

Default: Closed (no extra command): only EAPoL passes; DHCP, TFTP, KRB5 and HTTP are blocked until authentication.

Open: all traffic (DHCP, TFTP, KRB5, HTTP, EAPoL) passes before authentication.
    switch(config-if)#authentication open

Selectively Open: EAPoL plus whatever the PRE-AUTH ACL permits (here DHCP, TFTP) passes; KRB5 and HTTP are blocked.
    switch(config-if)#ip access-group PRE-AUTH in
    switch(config-if)#authentication open

Page 24: Authorization Options: Passed Authentication

Default: Open: once authenticated, everything flows (the slide shows DHCP, TFTP, KRB5 and even Torrent).

Dynamic ACL: the ACL returned by the AAA server limits the authenticated session (the slide shows DHCP, TFTP, KRB5, HTTP allowed).

Dynamic VLAN: the session (Alice) is placed in the VLAN returned by the AAA server.

Page 25: Authorization Options: Failed 802.1X

Default: Closed: after a failed 802.1X, only EAPoL passes; DHCP, TFTP, KRB5 and HTTP stay blocked.

Auth-Fail VLAN: the port is authorized into a dedicated VLAN.
    switch(config-if)#authentication event fail action authorize vlan 50

Next-method*: fall back to the next method (a single packet is enough to trigger MAB).
    switch(config-if)#authentication event fail action next-method

*Final authorization determined by results of next method

Page 26: Authorization Options: No Client

Default: Closed: without a supplicant, only EAPoL passes; DHCP, TFTP, KRB5 and HTTP stay blocked.

Guest VLAN: on no response, the port is authorized into the guest VLAN.
    switch(config-if)#authentication event no-response action authorize vlan 51

Next-method*: fall back to MAB (a single packet is enough to trigger it).
    switch(config-if)#mab

*Final authorization determined by results of next method

Page 27: Authorization Options: AAA Server Dead

Default: Closed: with the AAA server unreachable, only EAPoL passes; DHCP, TFTP, KRB5 and HTTP stay blocked.

Critical VLAN: when the server is dead, the port is authorized into a critical VLAN.
    switch(config-if)#authentication event server dead action authorize vlan 52

Page 28: Authorization: Single MAC Filtering

Default: Single Host Mode

•  Multiple MACs not allowed to ensure validity of authenticated session
•  Hubs, VMware, Phones, Gratuitous ARP…
•  Applies in Open and Closed Mode

    interface gigabitEthernet 1/0/1
     dot1x pae authenticator
     authentication port-control auto

Diagram: a second MAC (e.g. a VM) behind the switchport raises a SECURITY VIOLATION.

Page 29: Multi-Domain Authentication (MDA) Host Mode

Modifying Single-MAC Filtering For IP Phones

    interface gigabitEthernet 1/0/1
     dot1x pae authenticator
     authentication port-control auto
     authentication host-mode multi-domain

•  IEEE 802.1X: single device per port
•  MDA: single device per domain per port (Data Domain and Voice Domain), each authenticated separately over EAPoL
•  MDA replaces CDP Bypass
•  Supports Cisco & 3rd Party Phones
•  Phones and PCs use 802.1X or MAB

Page 30: Multi-Authentication Host Mode

Modifying Single-MAC Filtering For Virtualized Endpoints

•  MAC-based enforcement for each device
•  802.1X and / or MAB

    interface gigabitEthernet 1/0/1
     dot1x pae authenticator
     authentication port-control auto
     authentication host-mode multi-auth

Page 31: Thinking About Deployment Scenarios

The full planning grid:

•  Desktops: Authentication: Credentials, DBs, EAP, Supplicants, Agentless, Order/Priority; Authorization: Pre-Auth, VLAN, ACL, Failed Auth, AAA down; Policy: Definition, Enforcement, Rollout; Teamwork & Organization: Network, IT, Desktop
•  Multiple Endpoints: Authentication: Windows GPO, machine auth, PXE, WoL, VM; Authorization: Phones, Link State, VMs, Desktop Switches
•  Confidentiality: Encryption

Page 32: Three Proven Deployment Scenarios

•  Monitor Mode: Authentication without Access Control
•  Low Impact Mode: Minimal Impact to Network and Users
•  Closed Mode: Logical Isolation (formerly "High Security")

Page 33: Scenario 1: Monitor Mode Overview

Monitor Mode Goals
•  No Impact to Existing Network Access
•  See … what is on the network … who has a supplicant … who has good credentials … who has bad credentials
•  Deterrence through accountability

Monitor Mode: How To
•  Enable 802.1X & MAB
•  Enable Open Access: all traffic in addition to EAP is allowed; like not having 802.1X enabled, except authentications still occur
•  Enable Multi-Auth Host-Mode
•  No Authorization

Page 34: Monitor Mode Switch Configuration Example

Switch Global Config (basic 802.1X/MAB):
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default group radius
    radius-server host 10.100.10.150 auth-port 1812 acct-port 1813 key cisco
    radius-server vsa send authentication
    authentication mac-move permit

Switch Interface Config (Monitor Mode):
    interface GigabitEthernet1/4
     switchport access vlan 60
     switchport mode access
     switchport voice vlan 61
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     authentication violation restrict

Page 35: Monitor Mode: Next Steps

RADIUS Authentication & Accounting Logs
•  Passed / Failed 802.1X (Who has bad credentials? Misconfigurations?)
•  Passed / Failed MAB attempts (What don't I know?)

Monitor Mode Next Steps
•  Improve Accuracy
•  Evaluate Remaining Risk
•  Leverage Information
•  Prepare for Access Control
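An added example (not from the slides, and not ISE or ACS output) of the kind of report that answers the two questions above from the authentication log during Monitor Mode: who is failing 802.1X and why, which MACs are unknown to the MAB database, and which ports never saw a supplicant at all. The log format (one key=value record per line) and the records themselves are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample records (not real ISE/ACS output): a generic key=value export of
# RADIUS authentication results as a Monitor Mode deployment would accumulate them.
SAMPLE_LOG = """\
ts=2014-05-20T08:01:03 method=dot1x user=alice mac=00:11:22:33:44:01 nas=sw1 port=Gi1/4 result=PASS
ts=2014-05-20T08:01:09 method=dot1x user=host/win7-0042 mac=00:11:22:33:44:02 nas=sw1 port=Gi1/5 result=FAIL reason=server-cert-rejected
ts=2014-05-20T08:02:11 method=mab user=00:0a:95:7f:de:06 mac=00:0a:95:7f:de:06 nas=sw1 port=Gi1/6 result=FAIL reason=unknown-mac
ts=2014-05-20T08:02:40 method=dot1x user=bob mac=00:11:22:33:44:03 nas=sw2 port=Gi1/1 result=FAIL reason=bad-password
ts=2014-05-20T08:03:02 method=dot1x user=bob mac=00:11:22:33:44:03 nas=sw2 port=Gi1/1 result=FAIL reason=bad-password
ts=2014-05-20T08:03:30 method=mab user=00:1b:54:aa:bb:cc mac=00:1b:54:aa:bb:cc nas=sw2 port=Gi1/2 result=PASS
ts=2014-05-20T08:04:15 method=dot1x user=host/win7-0042 mac=00:11:22:33:44:02 nas=sw1 port=Gi1/5 result=FAIL reason=server-cert-rejected
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def monitor_mode_report(records):
    """Summarise the log the way the slide suggests reading it."""
    report = {
        "dot1x": Counter(),            # PASS / FAIL counts for 802.1X
        "mab": Counter(),              # PASS / FAIL counts for MAB
        "bad_credentials": Counter(),  # identities failing 802.1X (who has bad credentials?)
        "failure_reasons": Counter(),  # misconfiguration signals, e.g. rejected server cert
        "unknown_macs": set(),         # MAB failures: what don't I know?
    }
    ports_dot1x, ports_mab = set(), set()
    for r in records:
        method, result = r["method"], r["result"]
        report[method][result] += 1
        port = (r["nas"], r["port"])
        if method == "dot1x":
            ports_dot1x.add(port)
            if result == "FAIL":
                report["bad_credentials"][r["user"]] += 1
                report["failure_reasons"][r.get("reason", "unknown")] += 1
        elif method == "mab":
            ports_mab.add(port)
            if result == "FAIL":
                report["unknown_macs"].add(r["mac"])
    # Ports that only ever fell through to MAB have no supplicant behind them.
    report["no_supplicant_ports"] = ports_mab - ports_dot1x
    return report


if __name__ == "__main__":
    for key, value in monitor_mode_report(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Because Monitor Mode authorizes nothing, every row in such a report is a problem you can fix before enforcement starts: repeated failures from a machine account with a certificate reason point at the AAA server certificate (page 36), repeated bad passwords at a user to talk to, and each unknown MAC at a device to add to the MAB database (page 37).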

Page 36: Preparing for Access Control: Fix 802.1X

Observed Failures: (log screenshot on the slide)
Root Cause: untrusted or self-signed cert on AAA server
Fix: Import server cert signed by enterprise CA

Helpful supplicant: AC3.0 NAM / Win7
Not as helpful: XP SP2

Page 37: Preparing for Access Control: Learn MACs (Using ACS 5 as an Example)

Observed Failure: (screenshot on the slide)
Fix: import the learned MAC addresses (MAC.CSV) into ACS

Page 38: Scenario 2: Low Impact Mode

Low Impact Mode Goals
•  Begin to control / differentiate network access
•  Minimize Impact to Existing Network Access
•  Retain Visibility of Monitor Mode
•  "Low Impact" == no need to re-architect your network: keep existing VLAN design, minimize changes

Low Impact Mode: How-To
•  Start from Monitor Mode
•  Add ACLs, dACLs and flex-auth
•  Limit number of devices connecting to port
•  Add new features to support IP Phones

Page 39: Low Impact Mode: Switch

Switch Interface Config (from Monitor Mode; the PRE-AUTH ACL is the addition for Low Impact):
    interface GigabitEthernet1/4
     switchport access vlan 60
     switchport mode access
     switchport voice vlan 61
     ip access-group PRE-AUTH in
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     authentication violation restrict

Switch Global Config (add to Monitor Mode):
    ip device-tracking

Pre-Authentication Port Authorization State:
•  Block general access until successful 802.1X, MAB or WebAuth
•  Pinhole explicit TCP / UDP ports to allow desired access (the diagram shows EAPoL, DHCP and TFTP passing while KRB5 and HTTP are blocked)

Page 40: Pre-Auth ACL Considerations

Approach 1: Selectively block traffic
   Selectively protect certain assets / subnets
   Low risk of inadvertently blocking wanted traffic
   Example: Block unauthenticated users from Finance servers

Approach 2: Selectively allow traffic
   More secure, better control
   May block wanted traffic
   Example: Only allow pre-auth access for PXE devices to boot

•  Pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network
•  Recommendation: use the least restrictive ACL that you can; time-sensitive traffic is a good candidate for the ACL.

Page 41: Low Impact Mode: AAA Server: Configure downloadable ACLs for authenticated users

ACL shown on the slide (written with "any" as the source):
    permit ip host 10.100.20.200 any
    permit tcp any any established
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp

Switch dynamically substitutes the endpoint's address for the source:
•  Contents of dACL are arbitrary
•  Can have as many unique dACLs as there are user permission groups
•  Same principles as pre-auth port ACL
•  TCAM restrictions apply!
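To make the pre-auth ACL and dACL behaviour on this slide and the previous one concrete, here is an added example (not Cisco code) that parses the subset of IOS extended-ACL syntax the slides use (any / host / wildcard addresses, eq and range ports, established) and evaluates packets against it with first-match semantics and the implicit deny. It also models the substitution the slide describes: when an endpoint address is supplied, every "any" source in the dACL is replaced by that host. The pre-auth ACL text is the slide's; the dACL, the sample packets and the helper names are constructed for the example.

```python
import ipaddress

# Added example (not Cisco code): evaluator for the ACL subset used on the slides.

# Pre-auth port ACL as printed on the slide.
PRE_AUTH_ACL = """\
permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
"""

# Constructed dACL for an authenticated user, stored on the AAA server with
# 'any' as the source, which the switch rewrites to the endpoint's address.
USER_DACL = """\
permit udp any host 10.100.10.116 eq domain
permit tcp any 10.100.30.0 0.0.0.255 eq www
deny ip any any
"""

SERVICE_PORTS = {"bootps": 67, "domain": 53, "tftp": 69, "www": 80, "http": 80, "https": 443}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text, endpoint_ip=None):
    """Return a list of (permit, proto, src, dst, (lo, hi) or None, established).
    With endpoint_ip set, every 'any' source becomes that host, modelling how the
    switch rewrites a downloaded dACL to match only the authenticated endpoint."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        ports, established = None, False
        while i < len(tokens):
            if tokens[i] == "eq":
                p = SERVICE_PORTS.get(tokens[i + 1]) or int(tokens[i + 1])
                ports, i = (p, p), i + 2
            elif tokens[i] == "range":
                ports, i = (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
            elif tokens[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported token {tokens[i]!r} in {line!r}")
        if endpoint_ip is not None and src == ANY:
            src = ipaddress.ip_network(f"{endpoint_ip}/32")
        rules.append((action == "permit", proto, src, dst, ports, established))
    return rules


def evaluate(rules, proto, src, dst, dport=None, ack=False):
    """First matching rule wins; an implicit deny applies at the end, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, rproto, rsrc, rdst, ports, established in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if ports is not None and not (dport is not None and ports[0] <= dport <= ports[1]):
            continue
        if established and not (proto == "tcp" and ack):
            continue
        return permit
    return False


if __name__ == "__main__":
    pre = parse_acl(PRE_AUTH_ACL)
    print("pre-auth DNS to 10.100.10.116:", evaluate(pre, "udp", "10.100.20.5", "10.100.10.116", 53))
    print("pre-auth HTTP SYN:", evaluate(pre, "tcp", "10.100.20.5", "10.100.30.1", 80))
    dacl = parse_acl(USER_DACL, endpoint_ip="10.100.20.5")
    print("dACL source after substitution:", dacl[0][2])
```

Two things the evaluator makes visible that the slide only states: "permit tcp any any established" lets reply segments through but not a fresh connection, which is what makes a pinholed pre-auth ACL workable for time-sensitive traffic; and after substitution a dACL written as "permit ... any ..." cannot be matched by traffic sourced from another address on the same port, which is the property the per-session model depends on.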

Page 42: Example: Using Low Impact Mode to bootstrap a new phone

•  Pre-auth ACL allows just enough access for config, CTL
•  New config enables 802.1X on phone
•  After 802.1X, phone has full access

Pre-Auth ACL (TFTP server 10.100.10.238 serves the CTL and CNF files; DHCP and EAPoL also pass):
    permit ip host 10.100.20.200 any
    permit udp any any eq bootps
    permit udp any host 10.100.10.238 eq tftp
    permit udp any host 10.100.10.238 range 32768 61000

Page 43: Scenario 3: Closed Mode

Closed Mode Goals
•  No access before authentication
•  Rapid access for non-802.1X-capable corporate assets
•  Logical isolation of traffic at the access edge

Closed: How-To
•  Return to default "closed" access
•  Timers or authentication order change
•  Implement identity-based VLAN assignment

Network Virtualization Solution: see BRKCRS-2033 for more on Network Virtualization

Page 44: Closed Mode: AAA Server

•  If no VLAN is sent, the switch will use the static switchport VLAN
•  Configure dynamic VLANs for any user that should be in a different VLAN

Page 45: Key Takeaways

Start Simple and Evolve
•  Monitor mode before access control
•  Least restrictive ACLs, fewest VLANs

Design / Plan / Implement
•  Know where every device & user should / could end up
•  For troubleshooting: start at a central point, work outward as required; a good AAA server is invaluable

Optimize Deployment Scenarios With New Features
•  Adapt new features where available
•  Familiarize with new policy model and capabilities

Page 46: Advanced access control and demo

Page 47: Catalyst 3650/3850: Per-Session VLAN Assignment

•  Before Cat3650/Cat3850: One port, one VLAN per access port (1:1)
•  Exception: Voice (one Data Device untagged, one Voice Device tagged w/ VVLAN)
•  Later: Allowing VLAN assignment on multi-authentication ports, but first device 'rules' the port.
•  Now with Catalyst 3650/3850: Each session can have an individual VLAN assigned ("MAC based VLANs")

Example from the slide: two sessions (a PC and a VM) on Gi1/0/13, which is not a trunk, land in different VLANs:
    160  WIRED-EMPLOYEE  active  Gi1/0/13
    170  WIRED-GUEST     active  Gi1/0/13

http://gblogs.cisco.com/fr-reseaux/2013/08/26/jai-teste-pour-vous-802-1x-et-la-possibilite-dassigner-des-vlans-differents-sur-un-meme-port/

Page 48: Extending the Network Edge

Hubs on an 802.1X network:
•  introduce multiple MACs per port
•  may not actually be hubs
•  are not managed devices

Ideally, the extended edge:
•  Extends trust and policy
•  Uses a managed device
•  Works on any access port

Page 49: Network Edge Authentication Topology (NEAT)

1) The NEAT-capable Supplicant Switch (SSw) authenticates itself to the Authenticator Switch (ASw):
   SSw -> ASw: EAP-Response: SSw
   ASw -> RADIUS: RADIUS Access Request [AVP: EAP-Response: SSw]
   RADIUS -> ASw: RADIUS Access-Accept [device-traffic-class=switch]
2) ASw converts the port to a TRUNK
3) SSw authenticates users and devices in the conference room:
   Alice -> SSw: EAP-Response: Alice
   SSw -> RADIUS: RADIUS Access Request [AVP: EAP-Response: Alice]
   RADIUS -> SSw: RADIUS Access-Accept [VLAN Orange]
4) ASw learns the authenticated MACs via the Client Information Signaling Protocol (CISP): "Allow Alice's MAC"

Page 50: Evolving Deployment Scenarios

•  Popular Deployment Scenarios
   •  Demonstrating Industry Leadership
   •  Phased Deployments: Clear Plan of Action
   •  High Visibility + Incremental Access Control

•  Now You Want More!
   •  "What if AAA goes down?"
   •  What about IPv6 ACLs?

•  The Need for Flexible Authorization
   •  ACL, VLAN, QoS, URL-Redirect, IPv6 enabled identity…
   •  Flex Authentication plus Flex Authorization

Page 51: Identity Configuration Today

Typical Identity Configuration, repeated for every interface (and this list can even get longer!):
    interface FastEthernet2/0/1
     switchport access vlan 201
     switchport mode access
     ip access-group PREAUTH in
     authentication control-direction in
     authentication event fail action authorize vlan 201
     authentication event server dead action authorize vlan 201
     authentication event no-response action authorize vlan 201
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity server dynamic
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast
    end

Page 52: Introducing: Session-aware Networking In a Nutshell

The new Identity Policy Engine for TrustSec: ANY Authentication Method with ANY Authorization Feature using ANY Media. Leverages Templates for Sessions and Interfaces.

Page 53: Your Every Day Policy Management

E-Mail Policy (aka Inbox Filtering)
•  Event: E-Mail arrives
•  Class: additional attributes
   •  Sender is Wife
   •  Mail is Spam
   •  Mail is addressed to Mail List
•  Action: result, based on Class
   •  Wife: 1) Mark Urgent 2) Put in Inbox
   •  Spam: 1) Mark as Spam 2) Delete
   •  Marketing: 1) Put in Marketing Folder

What's an Event? What's a Class? What's an Action?

Page 54: From E-Mail Policy to Identity Policy: The concept still applies...

Event / Class / Action table on the slide:
•  Event session-started (match ALL): class always: actions: authenticate via 802.1X; authorize port
•  Event authentication-failure (match FIRST): classes NO-RESPONSE, AAA-DOWN, 1X-FAIL; actions shown: Terminate 802.1X; Assign Guest VLAN

Page 55: The SaNet Control Policy Construct (Mostly for your Reference)

Control Policy = event (evaluated match-all or match-first) -> class -> actions (run do-all, do-until-failure or do-until-success)

Events: aaa-available, absolute-timeout, agent-found, authentication-failure, authentication-success, authorization-failure, inactivity-timeout, session-started, tag-added, tag-removed, template-activated, template-activation-failed, template-deactivated, template-deactivation-failed, timer-expiry, violation

Class match attributes: activated-service-template, authorization-failure, authorization-status, authorization-method-priority, client-type, current-method-priority, ip-address, ipv6-address, mac-address, method, port-type, result-type, service-template, tag, timer, username; or the class "always"

Actions: authenticate using, deauthorize, activate fallback template <name>, activate template <name>, deactivate template <name>, set timer <name> <seconds>, clear-session, restrict, err-disable, protect, replace, shutdown, terminate <method>, authentication-restart, reinitialize-port, authorize

The available action depends on the event which triggered the action.

Page 56: Identity Configuration With SaNet

New Policy Model, Global (once):
    [...]
    policy-map type control subscriber POLICY
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x retries 2 retry-time 0 priority 10
     event authentication-failure match-first
      10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
       10 activate service-template VLAN201
       20 authorize
       30 pause reauthentication
      20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
       10 pause reauthentication
       20 authorize
      30 class DOT1X_NO_RESP do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      40 class MAB_FAILED do-until-failure
       10 terminate mab
       20 activate service-template VLAN201
       30 authorize
    [...]

Remaining Identity Config, For Every Interface (common config plus one service-policy line):
    interface FastEthernet2/0/1
     switchport access vlan 201
     switchport mode access
     ip access-group PREAUTH in
     authentication periodic
     authentication timer reauthenticate server
     access-session host-mode single-host
     access-session port-control auto
     access-session control-direction in
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast
     service-policy type control subscriber POLICY
    end
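The event / class / action model of pages 53 to 56 can be checked by simulating it. The following is an added example (not Cisco code and not how IOS implements C3PL): the POLICY policy-map above is transcribed into a Python table with the slide's class names, evaluated with match-all or match-first per event and do-until-failure per class. The class conditions, the session attributes, and the way an authentication outcome is fed back as the next event are assumptions made for this example, and the slide's [...] elisions are filled with a minimal authentication-success handler that just authorizes.

```python
# Added example (not Cisco code): in-memory model of the control-policy semantics
# shown on the slide. Class conditions and session attributes are assumptions.


class Session:
    def __init__(self, supplicant, aaa_up, user_valid, mac_known):
        self.supplicant = supplicant    # endpoint answers EAPoL Request-Identity
        self.aaa_up = aaa_up            # RADIUS server reachable
        self.user_valid = user_valid    # 802.1X credentials accepted
        self.mac_known = mac_known      # MAC present in the MAB database
        self.authorized = False
        self.method = None
        self.templates = set()
        self.reauth_paused = False
        self.reason = None
        self.pending = []               # events raised by actions, consumed by simulate()
        self.log = []


# Actions return True on success so that do-until-failure can stop on the first failure.
def authenticate_using_dot1x(s):
    s.method = "dot1x"
    if not s.aaa_up:
        s.reason = "AAA_SVR_DOWN"; s.pending.append("authentication-failure")
    elif not s.supplicant:
        s.reason = "DOT1X_NO_RESP"; s.pending.append("authentication-failure")
    elif s.user_valid:
        s.pending.append("authentication-success")
    else:
        s.reason = "DOT1X_FAILED"; s.pending.append("authentication-failure")
    return True


def authenticate_using_mab(s):
    s.method = "mab"
    if not s.aaa_up:
        s.reason = "AAA_SVR_DOWN"; s.pending.append("authentication-failure")
    elif s.mac_known:
        s.pending.append("authentication-success")
    else:
        s.reason = "MAB_FAILED"; s.pending.append("authentication-failure")
    return True


def terminate_dot1x(s):   s.method = None; return True
def terminate_mab(s):     s.method = None; return True
def activate_vlan201(s):  s.templates.add("VLAN201"); return True
def authorize(s):         s.authorized = True; return True
def pause_reauth(s):      s.reauth_paused = True; return True


# The POLICY policy-map: event -> (match mode, [(class condition, actions)]).
POLICY = {
    "session-started": ("match-all", [
        (lambda s: True, [authenticate_using_dot1x]),                    # class always
    ]),
    "authentication-success": ("match-all", [                            # elided on slide
        (lambda s: True, [authorize]),
    ]),
    "authentication-failure": ("match-first", [
        (lambda s: s.reason == "AAA_SVR_DOWN" and not s.authorized,      # AAA_SVR_DOWN_UNAUTHD_HOST
            [activate_vlan201, authorize, pause_reauth]),
        (lambda s: s.reason == "AAA_SVR_DOWN" and s.authorized,          # AAA_SVR_DOWN_AUTHD_HOST
            [pause_reauth, authorize]),
        (lambda s: s.reason == "DOT1X_NO_RESP",                          # DOT1X_NO_RESP
            [terminate_dot1x, authenticate_using_mab]),
        (lambda s: s.reason == "MAB_FAILED",                             # MAB_FAILED
            [terminate_mab, activate_vlan201, authorize]),
    ]),
}


def run_event(policy, s, event):
    """Evaluate one event: match-first stops at the first matching class,
    match-all runs every matching class; each class runs do-until-failure."""
    mode, entries = policy.get(event, ("match-first", []))
    s.log.append(f"event {event}")
    for condition, actions in entries:
        if not condition(s):
            continue
        for action in actions:
            s.log.append(action.__name__)
            if not action(s):
                break
        if mode == "match-first":
            break


def simulate(s, policy=POLICY, max_events=10):
    """Drive a session from session-started until no further events are raised."""
    queue = ["session-started"]
    while queue and max_events > 0:
        run_event(policy, s, queue.pop(0))
        queue.extend(s.pending)
        s.pending = []
        max_events -= 1
    return s


if __name__ == "__main__":
    printer = simulate(Session(supplicant=False, aaa_up=True, user_valid=False, mac_known=True))
    print(printer.method, printer.authorized, printer.log)
```

Running the four endpoint types from the earlier slides through it shows the policy's intent: a supplicant with good credentials is authorized via dot1x, a printer without a supplicant falls through to MAB, an unknown MAC and a dead AAA server both land in the VLAN201 service template, and a supplicant with bad credentials matches no class and stays unauthorized.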

Page 57: Configuration Mode Display: Bridging the Gap between 'Old Style' and 'New Style'

•  Existing configurations 'simply work'
•  Converting in the background to new Policy Mode
•  Use CLI to change how configuration is shown:

    switch# authentication display ?
      legacy     Legacy configuration
      new-style  New style (c3pl) configuration

Tip: Start with a known good configuration and see how changes in 'legacy mode' change the new configuration!

Page 58: Templates: Dynamic Configuration Done the Right Way

Diagram: Gi1/0/1, Gi1/0/2 and Gi1/0/3 are User Ports, Gi1/0/4 is an Access Point port, each referencing a template instead of carrying the full configuration.

Configuration by Reference:
•  Service Templates
   •  will be dynamically assigned to a session
   •  can be locally defined -or-
   •  downloaded via RADIUS
•  Interface Templates
   •  Cure for the Configuration Bloat
   •  Generic tool, not restricted to Session / Identity
   •  Like Port Profiles

Page 59: Applying a Template: Similar to Applying a Port ACL via filter-id

Flow on the slide:
   Endpoint -> Switch: EAPoL
   Switch -> RADIUS: Access-Request username=jdoe
   RADIUS -> Switch: Access-Accept AV-Pair "subscriber:service-name=TEMPLATE"
   Switch enforces the template defined locally:
    service-template TEMPLATE
     access-group PERMIT-ANY
     vlan 100
     inactivity-timer 360

•  Can also be triggered via RADIUS CoA
•  Service-Template activation can be a local Control Policy action
•  If it doesn't exist, it can be downloaded like a dACL

Page 60: Sécurisation de l'accès au réseau

MACsec and NDAC
Media Access Control Security and Network Device Admission Control

•  MACsec: Layer-2 encryption (IEEE 802.1AE)
•  Industry-standard extension to 802.1X (the key exchange, MKA, is defined in IEEE 802.1X-2010)
•  Encrypts the links between host and switch and the links between switches
•  Traffic in the backplane is unencrypted, so it can still be inspected, etc.
•  The client requires a supplicant that supports MACsec and the encryption key exchange

•  NDAC: authenticate and authorize switches entering the network
•  Only honors SGTs from trusted peers
•  Can retrieve policies from the ACS/ISE server and "proxy" the trust to other devices

(Figure: encryption is hop by hop: host to switchport, then switchport to switchport; each link is encrypted independently)

Page 61: Sécurisation de l'accès au réseau

Access Policy Based on User and Device Type

(Figure: Kathy from Marketing connects over WiFi or the LAN; ISE grants her full access to the Marketing VLAN and the Internet)

•  How can I restrict access to my network?
•  Can I manage the risk of using personal PCs, tablets and smart devices?

Page 62: Sécurisation de l'accès au réseau

Access Policy Based on User and Device Type

(Figure: the same user, Kathy from Marketing, now on a tablet or smartphone: ISE assigns limited, Internet-only access through the named ACL Internet_Only)

•  How can I restrict access to my network?
•  Can I manage the risk of using personal PCs, tablets and smart devices? Named ACL = Internet_Only
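Both authorization results on the last slides (the service-template AV-pair "subscriber:service-name=TEMPLATE" and the named ACL Internet_Only returned as Filter-Id) travel in the same RADIUS Access-Accept. The following is an added example, not code from the presentation or from Cisco: it builds such an Access-Accept, computes the RFC 2865 Response Authenticator, then shows what a switch must do before trusting it (recompute the authenticator with the shared secret) and how it extracts the two attributes. The shared secret, identifier and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet code and attribute types used below
ACCESS_ACCEPT = 2
ATTR_USER_NAME, ATTR_FILTER_ID, ATTR_VENDOR_SPECIFIC = 1, 11, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Id 9 = Cisco, sub-attribute 1 = cisco-avpair


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) carrying Vendor-Id 9 and one cisco-avpair sub-attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode("ascii")
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Assemble the reply; Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does before acting on the reply: recompute the authenticator with
    its own copy of the shared secret and the authenticator of the matching request."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list and collect Filter-Id values and cisco-avpair strings."""
    found = {"filter_id": [], "cisco_avpair": []}
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_FILTER_ID:
            found["filter_id"].append(value.decode("ascii"))
        elif atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR:
                found["cisco_avpair"].append(value[6:4 + vlen].decode("ascii"))
        pos += alen
    return found


def authorization_for(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Authorization the switch would apply: a named ACL from Filter-Id and a
    service-template from subscriber:service-name. A bad authenticator yields nothing."""
    if not verify_response(packet, request_auth, secret):
        return {"accepted": False, "acl": None, "service_template": None}
    attrs = parse_attributes(packet)
    result = {"accepted": True, "acl": None, "service_template": None}
    if attrs["filter_id"]:
        result["acl"] = attrs["filter_id"][0]
    for pair in attrs["cisco_avpair"]:
        key, _, val = pair.partition("=")
        if key == "subscriber:service-name":
            result["service_template"] = val
    return result


# Constructed demo values; a real request authenticator is 16 random bytes per request.
DEMO_SECRET = b"constructed-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))


def demo_packet() -> bytes:
    return build_access_accept(0x2A, DEMO_REQUEST_AUTH, DEMO_SECRET, [
        attribute(ATTR_USER_NAME, b"jdoe"),
        attribute(ATTR_FILTER_ID, b"Internet_Only"),       # named ACL defined on the switch
        cisco_avpair("subscriber:service-name=TEMPLATE"),   # activate the service-template
    ])


if __name__ == "__main__":
    pkt = demo_packet()
    print(authorization_for(pkt, DEMO_REQUEST_AUTH, DEMO_SECRET))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])          # one flipped byte in the AV-pair
    print(authorization_for(tampered, DEMO_REQUEST_AUTH, DEMO_SECRET))
```

The tampered packet is rejected purely on the authenticator, which is why the RADIUS shared secret and the reachability of the RADIUS server matter as much as the policy itself: a switch that accepts unauthenticated replies would apply whatever ACL or template an on-path attacker names.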

Page 63: Sécurisation de l'accès au réseau

Use Case: Manage Non-User Devices

(Figure: devices on WiFi and LAN; ISE places printers in the Print VLAN, cameras in the Video VLAN, and enforces an ACL on a specific device)

•  How do I discover non-user devices?
•  Can I determine what they are?
•  Can I control their access?
•  Are they being spoofed?

Page 64: Sécurisation de l'accès au réseau

ISE Profiler: 3 Steps

(Figure: an endpoint profile / identity group in ISE is mapped to an authorization result such as Printing VLAN, Voice VLAN, SNMP only, Dynamic VLANs, Video VLAN or Internet Only)

Page 65: Sécurisation de l'accès au réseau

Device Sensor: Best Practice when available

•  Profiling based on CDP, LLDP and DHCP on switches, and on DHCP and HTTP on the WLC
•  Centralized visibility without a big ISE sensor investment
•  Automatic discovery of the most common devices (printers, Cisco devices, phones)
•  Topology independent

(Figure: Catalyst 3k, 4k and WLC forward the collected attributes to ISE)

Device Sensor support:
•  3560/3750 running 15.0(1)SE1 (excludes LAN Base)
•  3560C/CG running 15.0(2)SE (excludes LAN Base)
•  4500 running 15.1(1)SG (excludes LAN Base)
•  4500 running IOS-XE 3.3.0SG (excludes LAN Base)
•  Wireless Controllers running 7.2.110.0 (DHCP only)
•  Wireless Controllers running 7.3.101.0 (DHCP/HTTP)

Device Sensor not yet supported (as of this presentation): 2960, 2960SF, 2960XR, 3650, 3850, 6500, WLC 5760

Check the release notes!

Page 66: Sécurisation de l'accès au réseau

Device Sensor Switch Implementation: Device Detection Based on CDP, LLDP or DHCP

(Figure: the endpoint authenticates by MAB or EAPoL; the switch forwards the collected attributes to ISE in RADIUS Accounting; the RADIUS probe must be enabled on ISE)

Filter the DHCP, CDP and LLDP options/TLVs to send:

device-sensor filter-list dhcp list my_dhcp_list
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list my_dhcp_list

device-sensor filter-list cdp list my_cdp_list
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list my_cdp_list

device-sensor filter-list lldp list my_lldp_list
 tlv name system-name
 tlv name system-description
device-sensor filter-spec lldp include list my_lldp_list

Send the data in RADIUS accounting and make sure the switch actually sees the protocols:

device-sensor accounting
device-sensor notify all-changes
ip dhcp snooping
ip dhcp snooping vlan <x,y-z,…>
lldp run
interface <Interface>
 lldp receive

Page 67: Sécurisation de l'accès au réseau

Device Sensor in Action

(Figure: the switch Device Sensor cache holds, for a Cisco IP Phone 7945, the hostname SEP002155D60133 and the platform "Cisco Systems, Inc. IP Phone CP-7945G"; the attributes are sent to ISE, whose profiling result identifies the phone at 10.100.15.100)

# show device-sensor cache all

Page 68: Sécurisation de l'accès au réseau

Device Sensor for Wireless: WLC Device Detection Based on DHCP / HTTP

(Figure: the WLC collects DHCP and HTTP attributes from the client and sends them to ISE in RADIUS Accounting)

•  Local profiling can be enabled/disabled per WLAN
•  DHCP (7.2.110.0): Hostname, Class Identifier
•  HTTP (7.3): User-Agent
•  FlexConnect supported

Best practice for the HTTP probe

Page 69: Sécurisation de l'accès au réseau

Segmentation: The Challenge of Traditional Security Enforcement

(Figure: distribution, core and data center layers, with the Identity Services Engine, the directory service and the WLC; VLAN 10 IT 3.1.1.1, VLAN 20 Finance 2.1.1.1, VLAN 30 Doctor 1.1.1.1, and VLAN 99 / VPN users 99.1.1.1 and 98.1.1.1 whose role (Doctor, IT or Finance?) cannot be told from the address)

Every hop carries per-source, per-destination ACL entries that repeat the same intent, for example:

permit tcp 3.1.1.1 100.1.1.1 eq https
permit tcp 3.1.1.1 100.1.1.1 eq 8081
deny ip 3.1.1.1 200.1.1.2

permit tcp 2.1.1.1 150.1.1.1 eq https
permit tcp 2.1.1.1 150.1.1.1 eq 8081
permit tcp 2.1.1.1 150.1.1.1 eq 445
deny ip 2.1.1.1 200.1.1.2

permit tcp 1.1.1.1 100.1.1.1 eq https
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 100.1.1.2 eq https
deny ip 1.1.1.1 100.1.1.2
permit tcp 1.1.1.1 200.1.1.1 eq https
deny ip 1.1.1.1 200.1.1.1

ACLs written per destination server:

permit tcp any 200.1.1.1 eq https
permit tcp any 200.1.1.1 eq 8081
deny ip all

permit tcp any 150.1.1.1 eq https
permit tcp any 150.1.1.1 eq 8081
permit tcp any 150.1.1.1 eq 445
deny ip all

permit tcp any 100.1.1.1 eq https
deny ip all

Access control with IP Access Control Lists:
•  Topology-based
•  Manual configurations
•  Error prone
•  Unscalable
•  Difficult to maintain

Page 70: Sécurisation de l'accès au réseau

Security Group Access (SGA)

(Figure: users and endpoints authenticate by 802.1X, MAB or WebAuth on a 3850 / 4500 / 5760 in VLAN 100; an agent-less device and the IT Portal (SGT 4, 10.1.100.10) sit behind the SGT enforcement point; Active Directory and ISE provide the identity; the user's traffic is tagged SGT=5)

SGT-IP bindings:
IP Address    SGT
10.1.10.102   5
10.1.100.10   4
10.1.99.100   12

SGACL: deny sgt-src 5 sgt-dst 4

SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL

See also: BRKEWN-2022, BRKSEC-2203

Page 71: Sécurisation de l'accès au réseau

Security Group Access (SGA)

(Figure: users and endpoints authenticate by 802.1X, MAB or WebAuth on a 2960S/X or a WLC in VLAN 100; frames leave the access layer untagged and are tagged SGT=5 by the Catalyst 3750-X in front of the Cat 6500 distribution; across the campus network the tagged frame reaches the IT Portal (SGT 4, 10.1.100.10) where the SGT enforcement takes place; Active Directory and ISE provide the identity)

The WLC (SXP speaker) sends its IP-to-SGT binding table via SXP to SGT-tagging or SGACL-capable devices (SXP listeners, e.g. a Catalyst 3850)

IP Address    SGT
10.1.10.102   5
10.1.10.110   14
10.1.99.100   12

SGACL: deny sgt-src 5 sgt-dst 4

SGT = Security Group Tag, SXP = SGT eXchange Protocol, SGACL = SGT ACL

See also: BRKSEC-2203, BRKSEC-3690
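The two SGA slides show the mechanism only as a figure: IP-to-SGT bindings learned at the access layer or received over SXP, and a policy expressed between tags ("deny sgt-src 5 sgt-dst 4") instead of between addresses. The following is an added example, not Cisco's implementation: a minimal enforcement point that resolves each IP to its SGT by longest-prefix match over the binding table, picks the SGACL cell for the (source SGT, destination SGT) pair and evaluates its entries in order. The /32 bindings and the deny cell come from the slides; the subnet binding for 10.1.100.0/24 (SGT 3), the HTTPS-only cell for SGT 14, the "permit by default" empty cell and the treatment of unknown addresses as SGT 0 are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One SGACL entry: (action, protocol, destination port); port None = any port
Ace = Tuple[str, str, Optional[int]]


class SgtEnforcer:
    """IP-to-SGT classification plus SGACL evaluation for one enforcement point."""

    def __init__(self) -> None:
        self.bindings: Dict[ipaddress.IPv4Network, Tuple[int, str]] = {}   # prefix -> (SGT, source)
        self.cells: Dict[Tuple[int, int], List[Ace]] = {}                   # (src SGT, dst SGT) -> SGACL
        self.default_cell: List[Ace] = [("permit", "ip", None)]             # assumed matrix default

    def learn(self, prefix: str, sgt: int, source: str = "local") -> None:
        """Add a binding learned locally (802.1X / MAB / WebAuth) or received over SXP."""
        self.bindings[ipaddress.ip_network(prefix)] = (sgt, source)

    def sgt_of(self, ip: str) -> Optional[int]:
        """Longest-prefix match, like the switch's IP-SGT table: a /32 host binding
        wins over a subnet binding covering the same address."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
        for net, (sgt, _source) in self.bindings.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else None

    def sgacl(self, src_sgt: int, dst_sgt: int, aces: List[Ace]) -> None:
        self.cells[(src_sgt, dst_sgt)] = aces

    def decide(self, src_ip: str, dst_ip: str, proto: str, dst_port: Optional[int]) -> str:
        """Classify both ends, select the matrix cell, evaluate its ACEs in order."""
        src_sgt = self.sgt_of(src_ip) or 0      # assumption: no binding = SGT 0 (unknown)
        dst_sgt = self.sgt_of(dst_ip) or 0
        for action, p, port in self.cells.get((src_sgt, dst_sgt), self.default_cell):
            if p in ("ip", proto) and (port is None or port == dst_port):
                return f"{action}:sgt{src_sgt}->sgt{dst_sgt}"
        return f"deny:sgt{src_sgt}->sgt{dst_sgt}"     # implicit deny at the end of an SGACL


def demo() -> dict:
    """Bindings and policy constructed from the slides' figures."""
    e = SgtEnforcer()
    e.learn("10.1.10.102/32", 5)            # wired user authenticated by 802.1X
    e.learn("10.1.100.10/32", 4)            # IT Portal
    e.learn("10.1.99.100/32", 12)           # agent-less device authorized by MAB
    e.learn("10.1.10.110/32", 14, "sxp")    # wireless user: binding received from the WLC over SXP
    e.learn("10.1.100.0/24", 3, "sxp")      # constructed: the other servers in that subnet are SGT 3
    e.sgacl(5, 4, [("deny", "ip", None)])                            # deny sgt-src 5 sgt-dst 4
    e.sgacl(14, 4, [("permit", "tcp", 443), ("deny", "ip", None)])   # constructed: HTTPS only
    # The same user re-authenticates elsewhere (new VLAN, new IP): same tag, same policy
    e.learn("10.1.20.55/32", 5)
    return {
        "sgt5_to_portal":       e.decide("10.1.10.102", "10.1.100.10", "tcp", 443),
        "sgt5_after_move":      e.decide("10.1.20.55", "10.1.100.10", "tcp", 443),
        "sgt14_portal_https":   e.decide("10.1.10.110", "10.1.100.10", "tcp", 443),
        "sgt14_portal_ssh":     e.decide("10.1.10.110", "10.1.100.10", "tcp", 22),
        "sgt5_to_other_server": e.decide("10.1.10.102", "10.1.100.20", "tcp", 443),
        "portal_sgt":           e.sgt_of("10.1.100.10"),
        "other_server_sgt":     e.sgt_of("10.1.100.20"),
        "unknown_host_sgt":     e.sgt_of("10.1.50.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point the slides make is visible in the last lines of demo(): the policy has one cell per pair of roles, and moving the user to another VLAN or IP changes only a binding, not a single ACL line, whereas the per-address ACLs on the previous slide have to be rewritten on every hop.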

Page 72: Sécurisation de l'accès au réseau


First hop security

Page 73: Sécurisation de l'accès au réseau

Networks are sandcastles…

Courtesy of Curt Smith

(Figure: an attacker at Layer 2 undermines the Layer-7 data and services that sit behind the firewall)

Page 74: Sécurisation de l'accès au réseau

Why implement security from the access layer?

Risk and Exposure
•  Exposed to end users, the access layer is inherently vulnerable

Infrastructure Protection
•  Security at the network edge protects the network infrastructure

Network Intelligence
•  Key data can only be gathered at the access layer

Page 75: Sécurisation de l'accès au réseau

Remember CISF?

Catalyst Integrated Security Features (CISF)

IPv4 vulnerabilities and countermeasures

Page 76: Sécurisation de l'accès au réseau

The game is changing… Heard of IPv6?

Example: Cisco Live Milan 2014: ~9500 MAC addresses seen, ~80-90% of the hosts dual-stack

Page 77: Sécurisation de l'accès au réseau

What is different with IPv6?

Threats are very much topology dependent: what is specific to IPv6 from a topology standpoint?

•  More addresses!
   •  More end-nodes allowed on the link (up to 2^64!)
   •  Bigger neighbor cache on end-nodes and on the default router
   •  May lead to some dramatic topology evolution
   •  Creates new opportunities for DoS attacks

Threats also depend on the protocols in use: what is different?

•  More distributed and more autonomous operations
   •  Nodes discover their default router automatically
   •  Nodes auto-configure their addresses
   •  Nodes defend themselves (SeND)
   •  Distributed address assignment creates more challenges for address security

Page 78: Sécurisation de l'accès au réseau

NDP and SLAAC change the game for IPv6

Primary ICMPv6 NDP messages and procedures:
•  Neighbor Solicitation (NS)
•  Neighbor Advertisement (NA)
•  Router Solicitation (RS)
•  Router Advertisement (RA)
•  Neighbor Unreachability Detection (NUD), built on NS/NA
•  Duplicate Address Detection (DAD), built on NS/NA
•  Redirects

All of them can be used as attack vectors. Defined in RFC 4861, "Neighbor Discovery for IP Version 6 (IPv6)", and RFC 4862, "IPv6 Stateless Address Autoconfiguration".

•  SLAAC: IPv6 Stateless Address Auto Configuration

Page 79: Sécurisation de l'accès au réseau

And ever more IP addresses…

Ever heard of scanning?

Up to 2^64 addresses per link

Page 80: Sécurisation de l'accès au réseau


Page 81: Sécurisation de l'accès au réseau

Rogue Router Advertisement

1.  RS: Data = Query: please send RA
2.  RA: Data = options, prefix, lifetime, A+M+O flags

(Figure: the host sends an RS; both the legitimate router and the attacker answer with an RA; the rogue RA leads to DoS or MITM)

RA without any authentication gives exactly the same level of security as DHCPv4 (none). Router Advertisements contain:
•  Prefix to be used by hosts
•  Data-link layer address of the router
•  Miscellaneous options: MTU, DHCPv6 use, …

Page 82: Sécurisation de l'accès au réseau

Not only attacks…

Wireless-to-wired Internet sharing:
•  Host on a wireless network (coffee shop, home, etc.) with Internet sharing enabled
•  The host becomes a 6to4 gateway
•  The host moves to the wired network and keeps sending RAs toward the first-hop switch

Page 83: Sécurisation de l'accès au réseau

Consequences of Rogue Router Advertisements

•  Devastating!
•  Denial of service: all traffic sent to a black hole
•  Man-in-the-middle attack: the attacker can intercept, listen to and modify unprotected data
•  Also affects legacy IPv4-only networks with IPv6-enabled hosts
•  Most of the time caused by non-malicious users
•  Requires Layer-2 adjacency
•  Was the major blocking factor for enterprise intranet IPv6 deployment

Page 84: Sécurisation de l'accès au réseau

Mitigating Rogue RA with RA Guard

RA-guard lite: drop all RAs received on this port

interface GigabitEthernet1/0/2
 ipv6 nd raguard

RA-guard with policies and port roles (as shown on the slide):

ipv6 nd raguard policy HOST
 device-role host
ipv6 nd raguard policy ROUTER
 device-role router

ipv6 nd raguard attach-policy HOST vlan 100

interface FastEthernet0/0
 ipv6 nd raguard attach-policy ROUTER

(Figure: RAs arriving on host-role ports are dropped; only the RA from the router-role port is forwarded)

Page 85: Sécurisation de l'accès au réseau

Mitigating Rogue RA with Host Isolation

•  Prevent node-to-node Layer-2 communication by using:
   •  Private VLANs (PVLAN), where nodes (isolated ports) can only contact the official router (promiscuous port)
   •  WLAN in 'AP Isolation Mode'
   •  1 VLAN per host (SP access network with a Broadband Network Gateway)
•  Link-local multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm

(Figure: RAs sent from isolated ports never reach the other hosts; only the router behind the promiscuous port is heard)

Page 86: Sécurisation de l'accès au réseau

DHCP Guard

Same principle as RA Guard, applied to DHCPv6 (stateful autoconfiguration)

(Figure: before DHCP Guard, the host's DHCP Request is answered both by the DHCP server and by a rogue host claiming "I am a DHCP Server"; after DHCP Guard, the first-hop switch drops the rogue host's replies and only the real DHCP server answers)

Page 87: Sécurisation de l'accès au réseau


Page 88: Sécurisation de l'accès au réseau

Address Resolution

Resolves an IP address into a MAC address and creates a neighbor cache entry. Messages: Neighbor Solicitation, Neighbor Advertisement.

NS: ICMP type = 135 (Neighbor Solicitation)
  Src = A
  Dst = solicited-node multicast address of B
  Data = B
  Option = link-layer address of A
  Query = what is B's link-layer address?

NA: ICMP type = 136 (Neighbor Advertisement)
  Src = one of B's interface addresses
  Dst = A
  Data = B
  Option = link-layer address of B

A and B can now exchange packets on this link (C, on the same link, is not involved).

Page 89: Sécurisation de l'accès au réseau

Attack on Address Resolution

The attacker C can claim victim B's IP address:

NS from A: Dst = solicited-node multicast address of B, Query = what is B's link-layer address?
NA from C: Src = B or any of C's interface addresses, Dst = A, Data = B, Option = link-layer address of C

A now sends B's traffic to C.

Page 90: Sécurisation de l'accès au réseau

Duplicate Address Detection

Verifies address uniqueness: probe the neighbors to verify that nobody claims the address. Messages: Neighbor Solicitation, Neighbor Advertisement.

NS: ICMP type = 135 (Neighbor Solicitation)
  Src = UNSPEC = ::
  Dst = solicited-node multicast address of A
  Data = A
  Query = Does anybody use A already?

If nobody answers, node A can start using address A.

Page 91: Sécurisation de l'accès au réseau

Attack on DAD

The attacker answers every DAD attempt by the victim: the victim cannot configure an IP address and cannot communicate.

NS from A: Src = UNSPEC, Dst = solicited-node multicast address of A, Data = A, Query = Does anybody use A already?
NA from C: Src = any of C's interface addresses, Dst = A, Data = A, Option = link-layer address of C: "it's mine!"

Page 92: Sécurisation de l'accès au réseau

IPv6 Snooping

Instrumental link-operation security feature that analyzes the control and data traffic seen by the switch, detects IP addresses and stores/updates them in the Binding Table, to ensure rogue users cannot spoof or steal addresses.

•  Deep control-packet inspection
•  Address glean (ND, DHCP, data)
•  Address watch
•  Binding Guard

IPv6 Binding Table:
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::001A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying

Consumers of the binding table: IPv6 Source Guard, IPv6 Destination Guard, Device Tracking

Page 93: Sécurisation de l'accès au réseau

Address Glean

Goal: monitor address allocation and store bindings.

(Figure: hosts H1, H2 and H3 on ports P1, P2 and P3 of the switch, VLAN 100; a DHCP server behind the switch)

Messages from which bindings are gleaned:
•  H1: NS [IP source=A1, LLA=MACH1]
•  H2: DHCP REQUEST [XID, SMAC=MACH2] and REPLY [XID, IPA21, IPA22]; the switch can also ask the server with DHCP LEASEQUERY / LEASEQUERY_REPLY
•  H3: data [IP source=A3, SMAC=MACH3] and DAD NS [IP source=UNSPEC, target=A3]
•  NA [IP source=A1, LLA=MACH3]

Binding table:
IPv6  MAC    VLAN  IF
A1    MACH1  100   P1
A21   MACH2  100   P2
A22   MACH2  100   P2
A3    MACH3  100   P3

Page 94: Sécurisation de l'accès au réseau

Device Tracking

Goal: track the active addresses (devices) on the link.

–  Keep track of device state
–  Probe devices when they become stale
–  Remove inactive devices from the binding table
–  Record binding creation/deletion/changes

(Figure: hosts H1, H2 and H3 behind address glean; the switch sends DAD NS [IP source=UNSPEC, target=A1] and DAD NS [IP source=UNSPEC, target=A3] to probe the stale entries; H1 answers NA [target=A1, LLA=MACH1], H3 does not)

Before probing:
IPv6  MAC    VLAN  IF  STATE
A1    MACH1  100   P1  STALE
A21   MACH2  100   P2  REACH
A22   MACH2  100   P2  REACH
A3    MACH3  100   P3  STALE

After probing:
IPv6  MAC    VLAN  IF  STATE
A1    MACH1  100   P1  REACH
A21   MACH2  100   P2  REACH
A22   MACH2  100   P2  REACH
(A3 is no longer in the table: no answer to the probe)

Page 95: Sécurisation de l'accès au réseau

Binding Identity Guard

Goal: enforce address ownership and mitigate address DoS.

(Figure: host → address glean → binding table → "Valid?" → bridge)

–  Arbitrate collisions, check ownership
–  Check against the maximum allowed per box/VLAN/port
–  Record and report changes

Page 96: Sécurisation de l'accès au réseau

IPv6 FHS – Binding Identity Guard

The switch makes sure that every NA matches the IPv6 NDP snooping (binding) table.

(Figure: Host A (::001A, MAC 001A) sends NA(::001A, mac 001A) "I am Host A" to the first-hop switch and is accepted; another host sends NA(::001A, mac 002A), also claiming ::001A, and is refused: "No you are not!")

Intf     IPv6    MAC   VLAN  State
g1/0/10  ::001A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
g1/0/21  ::0021  0021  200   Active

Page 97: Sécurisation de l'accès au réseau

Attack on Address Resolution, with the Binding Table

The attacker C tries to claim victim B's IP address:

NS from A: Dst = solicited-node multicast address of B, Query = what is B's link-layer address?
NA from C: Src = B or any of C's interface addresses, Dst = A, Data = B, Option = link-layer address of C

With the binding table below, the switch knows which port and MAC own each address and refuses the forged NA:

Intf     IPv6    MAC   VLAN  State
g1/0/10  ::001A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
g1/0/21  ::0021  0021  200   Active

Page 98: Sécurisation de l'accès au réseau


Page 99: Sécurisation de l'accès au réseau

IPv6 FHS – IPv6 Source Guard

The switch makes sure the IPv6 source address of every packet matches the binding table.

(Figure: the host that owns ::001A sends a packet with source ::001A and it is forwarded; another host, "I send packets using host A's IPv6 address", sends a packet with source ::001A from a different port and it is dropped)

Page 100: Sécurisation de l'accès au réseau

IP-Source Guard

Goal: validate the source address of IPv6 traffic sourced from the link.

–  Allow traffic sourced with a known IP/SMAC
–  Deny traffic sourced with an unknown IP/SMAC

Binding table (from address glean):
IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
A3    MACA3   100   P3

(Figure: H1 on P1 sends data src=A1, SMAC=MACA1: allowed; H2 on P2 sends data src=A21, SMAC=MACA21: allowed; H3 on P3 sends data src=A1, SMAC=MACA3: denied, A1 is bound to MACA1 on P1)

Page 101: Sécurisation de l'accès au réseau


Page 102: Sécurisation de l'accès au réseau

Remote Address Resolution Cache Exhaustion* – Target Deployment Model

•  The attacker is off-link
•  The attacker can be a plain PC running simple attack tools
•  The attacker's goal is to launch a flood-based DoS attack targeting the last-hop router, the link behind it and all nodes on the link
•  The attacker's method is to "scan" the link prefix to force a high rate of resolution attempts, exhaust the router's resources, slow down or deny valid resolutions and load the link with useless multicast packets

* Similar attacks exist in IPv4, but at a smaller scale

Page 103: Sécurisation de l'accès au réseau

Remote Address Resolution Cache Exhaustion – Vulnerability Scope

(Figure: the attacker sits on the Internet, the last-hop router and its link are the target)

•  The attacker is anywhere on the Internet
•  His primary victim is the last-hop Layer 3 device (router)
•  He can also harm the link and the nodes behind it

Page 104: Sécurisation de l'accès au réseau

Remote Address Resolution Cache Exhaustion – Protocol

(Figure: an attacker X scans the 2^64 addresses of PFX::/64 (ping PFX::a, PFX::b, … PFX::z) through the gateway; for every probed address the gateway sends an NS to the solicited-node multicast address of PFX::a, PFX::b, … PFX::z asking "what is its link-layer address?", and each pending resolution stays in the cache for about 3 seconds)

Page 105: Sécurisation de l'accès au réseau

Remote Address Resolution Cache Exhaustion – Mitigations

Where            What
Routers          –  Address provisioning mechanisms: allocate addresses by blocks and filter at the edge
                 –  ND resolution algorithm implementation: rate limiting of new resolutions, separate cache for confirmed reachable entries, circular buffer for new resolutions, cache boundaries
Layer 3 switch   Destination Guard

Page 106: Sécurisation de l'accès au réseau

Destination Guard

Goal: validate the destination address of IPv6 traffic reaching the link.

•  Mitigates prefix-scanning attacks and protects the ND cache
•  Useful at the last-hop router and on the L3 distribution switch
•  Drops packets for destinations without a binding entry

(Figure: a scanner on the Internet sends packets to DST=D1 … DST=Dn in {P/64}; the L3 switch looks up each destination in the binding table built by address glean; if found, the packet is forwarded to the host through the neighbor cache; if not, the packet is dropped and no resolution is started)
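The slides from Address Glean to Destination Guard describe one engine: bindings gleaned from ND and data traffic, then four checks that consult them. The following is an added example, not Cisco's IPv6 Snooping code: a simplified first-hop switch that applies RA Guard by port role, gleans bindings from DAD NS, NS and NA, enforces Binding Guard (an address already owned by another MAC/port cannot be claimed), Source Guard on data traffic and Destination Guard on traffic entering the link. The IPv6/ICMPv6 packets are built in-line with struct (checksums are not computed or verified, which is a simplification), and the addresses, MACs and port names in demo() are constructed.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ICMPV6, UDP = 58, 17
RA, NS, NA = 134, 135, 136                  # ICMPv6 Neighbor Discovery message types
OPT_SRC_LLA, OPT_TGT_LLA = 1, 2             # ND options: source / target link-layer address
UNSPEC = ipaddress.IPv6Address("::")


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (version 6, hop limit 255) followed by the payload."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def nd_message(kind: int, target: str, lla: Optional[Tuple[int, bytes]]) -> bytes:
    """NS/NA body: type, code, checksum(0), reserved/flags, target, optional LLA option."""
    body = struct.pack("!BBHI", kind, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if lla:
        body += struct.pack("!BB", lla[0], 1) + lla[1]   # option length 1 = 8 octets
    return body


def router_advertisement() -> bytes:
    """RA body: type 134, hop limit 64, flags 0, router lifetime 1800 s, timers 0."""
    return struct.pack("!BBHBBHII", RA, 0, 0, 64, 0, 1800, 0, 0)


class FirstHopSwitch:
    def __init__(self, port_roles: Dict[str, str]) -> None:
        self.port_roles = port_roles                                        # port -> "host" | "router"
        self.bindings: Dict[ipaddress.IPv6Address, Tuple[bytes, str]] = {}  # address -> (MAC, port)
        self.events: List[str] = []

    def _bind(self, addr: ipaddress.IPv6Address, mac: bytes, port: str) -> str:
        """Binding Guard: an address already owned by another MAC/port cannot be claimed."""
        owner = self.bindings.get(addr)
        if owner is not None and owner != (mac, port):
            self.events.append(f"binding-guard: {addr} owned on {owner[1]}, claimed on {port}")
            return "drop:binding-guard"
        self.bindings[addr] = (mac, port)          # glean or refresh the binding
        return "forward"

    def ingress(self, port: str, src_mac: bytes, packet: bytes) -> str:
        """Verdict for a frame received on an access port: 'forward' or 'drop:<feature>'."""
        next_header, payload = packet[6], packet[40:]
        src = ipaddress.IPv6Address(packet[8:24])
        if next_header == ICMPV6 and len(payload) >= 8:
            msg_type = payload[0]
            if msg_type == RA:                     # RA Guard: only router-role ports may advertise
                return "forward" if self.port_roles.get(port) == "router" else "drop:ra-guard"
            if msg_type in (NS, NA) and len(payload) >= 24:
                target = ipaddress.IPv6Address(payload[8:24])
                opt = payload[24] if len(payload) > 24 else None
                if msg_type == NS and src == UNSPEC:          # DAD NS: glean the tentative address
                    return self._bind(target, src_mac, port)
                if msg_type == NA and opt == OPT_TGT_LLA:     # NA: the sender claims the target
                    return self._bind(target, src_mac, port)
                if msg_type == NS and opt == OPT_SRC_LLA:     # NS: glean the sender's own address
                    return self._bind(src, src_mac, port)
                return "forward"
        # Source Guard: data traffic must match a known IP / MAC / port binding
        if self.bindings.get(src) != (src_mac, port):
            self.events.append(f"source-guard: {src} from {src_mac.hex()} on {port}")
            return "drop:source-guard"
        return "forward"

    def egress_to_link(self, packet: bytes) -> str:
        """Destination Guard for traffic entering the link from the routed side."""
        dst = ipaddress.IPv6Address(packet[24:40])
        if dst.is_multicast or dst in self.bindings:
            return "forward"
        return "drop:destination-guard"   # unknown destination: no ND resolution is triggered


def demo() -> dict:
    """Constructed scenario: victim A on Gi1/0/1, attacker C on Gi1/0/2, uplink on Gi1/0/24."""
    sw = FirstHopSwitch({"Gi1/0/1": "host", "Gi1/0/2": "host", "Gi1/0/24": "router"})
    mac_a, mac_c = bytes.fromhex("001a001a001a"), bytes.fromhex("002a002a002a")
    a, c, solicited_a = "2001:db8::1a", "2001:db8::2c", "ff02::1:ff00:1a"
    r = {}
    # A runs DAD on its new address: the switch gleans A -> (mac_a, Gi1/0/1)
    r["dad"] = sw.ingress("Gi1/0/1", mac_a, ipv6_packet("::", solicited_a, ICMPV6, nd_message(NS, a, None)))
    # C answers address resolution for A with its own MAC (the "I am Host A" attack)
    r["theft"] = sw.ingress("Gi1/0/2", mac_c, ipv6_packet(c, "2001:db8::100", ICMPV6,
                                                         nd_message(NA, a, (OPT_TGT_LLA, mac_c))))
    # C sends data spoofing A's source address; then A sends legitimate data
    r["spoof"] = sw.ingress("Gi1/0/2", mac_c, ipv6_packet(a, "2001:db8::100", UDP, b"payload"))
    r["legit"] = sw.ingress("Gi1/0/1", mac_a, ipv6_packet(a, "2001:db8::100", UDP, b"payload"))
    # Rogue RA from a host port versus the same RA from the router port
    ra = ipv6_packet("fe80::1", "ff02::1", ICMPV6, router_advertisement())
    r["rogue_ra"] = sw.ingress("Gi1/0/2", mac_c, ra)
    r["router_ra"] = sw.ingress("Gi1/0/24", bytes.fromhex("0000ab000001"), ra)
    # Internet scanner probing an unassigned address of the prefix, then a real one
    r["scan"] = sw.egress_to_link(ipv6_packet("2001:db8:ffff::1", "2001:db8::abcd", UDP, b""))
    r["reach_a"] = sw.egress_to_link(ipv6_packet("2001:db8:ffff::1", a, UDP, b""))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

Note the order of checks in ingress(): ND messages are processed by the glean and Binding Guard path and never reach Source Guard, which is what lets a host run DAD with the unspecified source before it owns any binding; everything else is held to the binding table, so a device that never completed ND or DHCP on its port cannot send data at all. A real implementation also has to age bindings (the Device Tracking slide), which this example leaves out.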

Page 107: Sécurisation de l'accès au réseau

To sum up: IPv6 First Hop Security in the access switch

The solution: IPv6 Snooping and Guard

•  Data security at the edge: block rogue advertisements from illegitimate routers and DHCP servers with RA Guard and DHCPv6 Guard; pre-configure port roles and dynamically learn a trusted domain of routers/DHCP servers
•  Monitor device address assignment with Binding Integrity Guard: track IPv6 devices by snooping neighbor and router solicitations and DHCP requests, and query their status when they become inactive
•  Maintain a trustworthy database of IPv6 devices and block illegitimate IPv6 data traffic with Source Guard

(Figure: authenticated devices on the access switches below the distribution layer; the messages snooped are NS, ND, RS, DAD NS, DHCP and RA)

Intf     IPv6    MAC   VLAN  State
g1/0/10  ::001A  001A  110   Active
g1/0/11  ::001B  001B  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/15  ::001D  001D  110   Active
g1/0/16  ::001E  001E  200   Verifying
g1/0/17  ::0020  0020  200   Active
g1/0/21  ::0021  0021  200   Active
…        …       …     …     …

Page 108: Sécurisation de l'accès au réseau

The IPv6 First Hop Security toolbox

Core features:
•  RA Guard: protection against rogue or malicious RAs and MitM attacks
•  DHCPv6 Guard: protection against invalid DHCP offers, DoS attacks and MitM attacks
•  IPv6 Snooping: instrumental link-operation security feature that analyzes the control/data traffic seen by the switch, detects IP addresses and stores/updates them in the Binding Table

Advanced features:
•  Source/Prefix Guard: protection against invalid source addresses, invalid prefixes and source address spoofing
•  Destination Guard: protection against DoS attacks, scanning and invalid destination addresses

Scalability and performance:
•  RA Throttler: facilitates scale by converting multicast traffic to unicast
•  ND Multicast Suppress: reduces the control traffic necessary for proper link operation to improve performance

Page 109: Sécurisation de l'accès au réseau

•  Article on the Cisco France networking blog: http://gblogs.cisco.com/fr-reseaux/2012/11/19/jai-teste-pour-vous-ipv6-first-hop-security/

•  First Hop Security white paper: http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html

•  First Hop Security documentation: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html

Page 110: Sécurisation de l'accès au réseau

Thank you.