Defense-in-Depth using Network Virtualization and Network Admission Control
Steven Carter – [email protected]
Susan Stewart – [email protected]
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
Agenda
• Background/Overview
• Network Virtualization Techniques
• Network Access Control
• Securing the Wild, Wild, West
• Q&A
Background
• The term “Defense-in-Depth” refers to leveraging the defensive capability of every device in the network, from the border of the network through the core, distribution, and access portions of the network and into the host itself.
• This can be done by combining the following capabilities:
– Firewall/IDS at the border to ward off threats before they enter the network
– Network virtualization to segregate the physical network into multiple virtual networks to support multiple security levels and services
– Network Access Control to authenticate users/hosts onto the network, check their security posture, and place them into the network that matches their requirements
Network Virtualization
• Provide several networks to support varying security postures, applications, etc.
• One physical network supports many virtual networks
• The end-user perspective is that of being connected to a dedicated network (independent security policies, routing decisions, etc.)
[Figure: Visitor, Internal and Voice virtual networks, each carried over the same actual physical infrastructure]
Network Device Virtualization
• Switch Virtualization:
– Data Plane – 802.1q VLANs
– Control Plane – Per-VLAN Spanning Tree
Network Device Virtualization (Cont.)
• Router Virtualization:
– Data Plane – Virtual Routing/Forwarding (VRFs)
– Control Plane – Multiple instances of routing protocols (OSPF, EIGRP, etc.) per routed plane
[Figure: one router holding the Global routing table plus several VRFs; each VRF is attached to its links via 802.1q, GRE, LSP, physical interfaces or other encapsulations]
Data Path Virtualization
• Tags:
– Single-hop data path virtualization – 802.1q tags
– Multi-hop data path virtualization – 802.1q tags
• Tunnels (connection oriented):
– GRE/mGRE tunnels over IP
– Label Switched Paths – LSP (MPLS)
Putting it Together
[Figure: edge network, core network, distribution network and access/building network, with the policy enforcement layer (“color networks”) realised as a set of VRFs carried across the core to each distribution switch]
Network Access Control (NAC)
• NAC can mean different things to different people, but for the purposes of this presentation it should provide three important functions:
– User/Host Authentication – The network should be able to authenticate the user (or at least the host) onto the network.
– Host Posture Verification – The ability to make sure that the host posture (virus definitions, patches, firewalls, etc.) matches the policy of the network for which it is destined.
– Host Remediation – The placement of the host into the correct network.
• NAC provides the connection between network security and host security.
Network Access Control (NAC) (Cont.)
First, establish ACCESS POLICIES. Then:
• Authenticate & Authorize
– Enforces authorization policies and privileges
– Supports multiple user roles
• Scan & Evaluate
– Agent scan for required versions of hotfixes, AV, etc.
– Network scan for virus and worm infections and port vulnerabilities
• Quarantine & Enforce
– Isolate non-compliant devices from the rest of the network
– MAC- and IP-based quarantine, effective at a per-user level
• Update & Remediate
– Network-based tools for vulnerability and threat remediation
– Help-desk integration
LIMITED COMPLIANCE = LIMITED NETWORK ACCESS
What about the exceptions?
• Hosts that do not support the mechanisms can be dealt with in various ways (external scanning, web authentication, etc.), but in general they garner a lower level of trust and can be segregated from the general population
• Because of their very nature, Research and Education networks have a number of hosts (upwards of 25%) that do not fit a supported configuration
• There must be a credible option for these hosts; otherwise, you diminish much of the effect of implementing NAC in the first place
Addressing the Outliers
• One option is to put a firewall in front of each and every host that cannot comply. This can be done with physical firewalls (i.e. a small firewall in front of every host):
– Pros – Straightforward and easy for the policy people to understand and buy into; depending on the situation, could be more cost-effective
– Cons – Logistically difficult and hard to administer; not scalable to large numbers
Addressing the Outliers (Cont.)
• You can also do it (yes, you guessed it) VIRTUALLY
• Difficult to do with standard 802.1q VLANs because it is not scalable and it is difficult to avoid needing proper subnet addresses per VLAN
• Difficult to do with ACLs because of the sheer number needed. Also not scalable and difficult to maintain
• Solution: Use sufficient security techniques to obviate the need for real firewalls
Securing the Wild, Wild, West
• Overview:
– Private VLANs to separate broadcast domains
– Port Security prevents MAC spoofing
– DHCP snooping prevents client attacks on the switch and the DHCP server
– Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
– IP Source Guard adds security to IP source addresses using the DHCP snooping table
Securing the Wild, Wild, West (Cont.)
• Private VLANs
– PVLANs allow segregating a broadcast segment into a non-broadcast multi-access-like segment.
– Traffic that comes to a switch from a promiscuous port is able to go out on all the ports that belong to the same primary VLAN.
– Traffic that comes to a switch from a port mapped to a secondary VLAN (it can be either an isolated, a community, or a two-way community VLAN) can be forwarded to a promiscuous port or a port belonging to the same community VLAN.
[Figure: distribution switch attached via a promiscuous port to the primary VLAN; access ports mapped to secondary VLANs, one isolated and one community]
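The three forwarding rules above, modelled as an added example (not Cisco code or anything from the presentation). Port names and the community names are constructed; the example also shows, beyond the slide, that two isolated ports in the same secondary VLAN still cannot reach each other.

```python
# Added model of the private VLAN forwarding rules on this slide; not Cisco code.
# Port roles: 'promiscuous' (primary VLAN), 'isolated' or 'community:<name>'
# (secondary VLANs). Port and community names are constructed for illustration.
PORTS = {
    "Gi1/0/1": "promiscuous",        # uplink to the distribution router
    "Gi1/0/2": "isolated",           # visitor host A
    "Gi1/0/3": "isolated",           # visitor host B
    "Gi1/0/4": "community:lab",      # lab host A
    "Gi1/0/5": "community:lab",      # lab host B
    "Gi1/0/6": "community:voice",    # phone
}

def pvlan_forward(src_port, dst_port):
    """Return True if a frame entering src_port may be forwarded to dst_port.

    Rules from the slide:
      * promiscuous -> every port in the primary VLAN
      * secondary (isolated/community) -> promiscuous ports, plus ports of
        the same community; isolated ports reach only promiscuous ports
    """
    if src_port == dst_port:
        return False                          # never hairpin to the same port
    src, dst = PORTS[src_port], PORTS[dst_port]
    if src == "promiscuous" or dst == "promiscuous":
        return True
    if src.startswith("community:") and src == dst:
        return True                           # same community VLAN
    return False                              # isolated, or different communities

def reachable_from(src_port):
    """Set of ports a broadcast entering src_port is delivered to."""
    return {p for p in PORTS if pvlan_forward(src_port, p)}
```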
Securing the Wild, Wild, West (Cont.)
• Port Security
– Restricts a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port
– The number of addresses allowed on the port is configurable
– Dynamically learned MAC addresses cut down on administrative overhead
– “sticky” and non-“sticky” variants give the option of retaining learned addresses across port-down events
[Figure: only one MAC address allowed on the port; a second source address triggers the violation action, here shutdown]
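An added model of the port security behaviour described on this slide (not Cisco code); the port names, MAC addresses and the two violation modes are constructed. It shows the operational caveat of the sticky variant: a port that keeps its learned address across a link flap also blocks a legitimately replaced device until an operator clears it.

```python
# Added model of port security as described on this slide; not Cisco code.
# Port names, MACs and the violation handling are constructed for illustration.
class SecurePort:
    def __init__(self, name, maximum=1, sticky=False, violation="shutdown"):
        self.name, self.maximum, self.sticky = name, maximum, sticky
        self.violation = violation        # 'shutdown' (err-disable) or 'restrict' (drop only)
        self.learned = []                 # dynamically learned MACs, in arrival order
        self.err_disabled = False

    def ingress(self, src_mac):
        """Process one frame's source MAC; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.maximum:
            self.learned.append(src_mac)  # dynamic learning, no admin work
            return "forward"
        # an unknown MAC beyond the configured maximum is a violation
        if self.violation == "shutdown":
            self.err_disabled = True      # port goes err-disabled until recovered
        return "drop"

    def link_down_up(self):
        """Port flap: non-sticky ports forget learned MACs; sticky ones keep them."""
        if not self.sticky:
            self.learned = []

    def admin_recover(self):
        """Operator clears the err-disabled state; sticky addresses survive."""
        self.err_disabled = False
        if not self.sticky:
            self.learned = []
```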
Securing the Wild, Wild, West (Cont.)
• DHCP Snooping
– Acts like a firewall between untrusted hosts and trusted DHCP servers
– Validates and rate-limits DHCP messages received from untrusted sources and filters out invalid messages
– Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses, and uses it to validate subsequent requests from untrusted hosts
[Figure: DHCP requests arrive on untrusted ports and DHCP responses on the trusted port toward the DHCP server; an unauthorized DHCP response from an untrusted port is dropped]
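An added model of the DHCP snooping behaviour on this slide (not Cisco code): trusted versus untrusted ports, the per-port rate limit, rejection of server messages from untrusted ports, and the binding database built from the client REQUEST and the server ACK. Port names, the rate limit value and the message fields are constructed assumptions.

```python
# Added model of DHCP snooping as described on this slide; not Cisco code.
# Port names, rate limit and packet fields are constructed for illustration.
from collections import defaultdict

TRUSTED_PORTS = {"Gi1/0/24"}             # port toward the legitimate DHCP server
RATE_LIMIT = 3                           # DHCP messages allowed per untrusted port per window
SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # only a server may send these

binding_table = {}                       # (vlan, mac) -> {"ip": ..., "port": ...}
_pending = {}                            # (vlan, mac) -> untrusted port that sent the REQUEST
_msg_count = defaultdict(int)            # untrusted port -> messages seen this window

def dhcp_snoop(pkt):
    """Return 'forward' or 'drop' for one DHCP message and update snooping state."""
    port, kind = pkt["port"], pkt["type"]
    key = (pkt["vlan"], pkt["client_mac"])
    if port in TRUSTED_PORTS:
        if kind == "ACK" and key in _pending:
            # lease confirmed: record the binding for DAI / IP Source Guard
            binding_table[key] = {"ip": pkt["yiaddr"], "port": _pending.pop(key)}
        return "forward"                 # the trusted side is not validated
    _msg_count[port] += 1
    if _msg_count[port] > RATE_LIMIT:
        return "drop"                    # rate limit hit; a real switch err-disables the port
    if kind in SERVER_MSGS:
        return "drop"                    # rogue server answer from an untrusted host
    if pkt["eth_src"] != pkt["client_mac"]:
        return "drop"                    # chaddr must match the Ethernet source address
    if kind in {"RELEASE", "DECLINE"}:
        bound = binding_table.get(key)
        if bound is None or bound["port"] != port:
            return "drop"                # only the port holding the binding may release it
    if kind in {"DISCOVER", "REQUEST"}:
        _pending[key] = port             # remember where the client lives
    return "forward"

def reset_window():
    """Start a new rate-limit window (a timer would do this on a switch)."""
    _msg_count.clear()
```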
Securing the Wild, Wild, West (Cont.)
• Dynamic ARP Inspection
– Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
– Validates ARP packets based upon the DHCP snooping binding database or user-configured ARP access control lists (ACLs)
– Configurable to drop ARP packets when either the IP address or the MAC address in the body does not match the Ethernet header
[Figure: same topology as the DHCP snooping slide; a host on an untrusted port sends an ARP packet claiming “I’m your GW: 10.1.1.1”, and the switch drops it: “Not by my binding table”]
Securing the Wild, Wild, West (Cont.)
• IP Source Guard
– IP Source Guard prevents IP spoofing by allowing only the IP addresses that are obtained through DHCP snooping on a particular port.
– This process restricts the client IP traffic to those source IP addresses that are obtained from the DHCP server; any IP traffic with a source IP address other than those in the port ACL (PACL) permit list is filtered out.
[Figure: same topology; a host on an untrusted port sends IP traffic with a spoofed source address (“I’m your GW: 10.1.1.1”), and the switch drops it: “Not by my Port ACL”]
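An added model of Dynamic ARP Inspection and IP Source Guard from the previous two slides (not Cisco code), both keyed off one DHCP snooping binding table. The binding table, port names, MAC addresses and the static ARP ACL entry for the gateway are constructed assumptions; the rogue “I’m your GW: 10.1.1.1” packets from the figures are the dropped cases.

```python
# Added model of Dynamic ARP Inspection and IP Source Guard as described on
# these two slides; not Cisco code. Binding table, port names, MACs and the
# static ARP ACL entry are constructed for illustration.
BINDINGS = {                      # DHCP snooping binding table: (vlan, mac) -> (ip, port)
    (10, "00:11:22:33:44:55"): ("10.1.1.50", "Gi1/0/1"),
    (10, "00:11:22:33:44:66"): ("10.1.1.51", "Gi1/0/2"),
}
TRUSTED_PORTS = {"Gi1/0/24"}      # uplink toward the real gateway; not inspected
ARP_ACL = {(10, "00:aa:bb:cc:dd:01"): "10.1.1.1"}  # static host with no DHCP lease

def dai_check(arp):
    """Dynamic ARP Inspection: 'forward' or 'drop' for one ARP packet."""
    if arp["port"] in TRUSTED_PORTS:
        return "forward"
    if arp["eth_src"] != arp["sender_mac"]:
        return "drop"             # MAC in the ARP body must match the Ethernet header
    key = (arp["vlan"], arp["sender_mac"])
    if key in ARP_ACL:            # user-configured ARP ACL takes precedence
        return "forward" if ARP_ACL[key] == arp["sender_ip"] else "drop"
    bound = BINDINGS.get(key)
    if bound is None or bound[0] != arp["sender_ip"] or bound[1] != arp["port"]:
        return "drop"             # no binding, wrong IP, or binding learned on another port
    return "forward"

def ipsg_check(ip_pkt):
    """IP Source Guard: permit only source IPs bound to this port by DHCP snooping."""
    if ip_pkt["port"] in TRUSTED_PORTS:
        return "forward"
    permitted = {ip for (vlan, _mac), (ip, port) in BINDINGS.items()
                 if vlan == ip_pkt["vlan"] and port == ip_pkt["port"]}
    return "forward" if ip_pkt["src_ip"] in permitted else "drop"
```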
The End
Questions? Comments? Criticisms?
For more information:
Steven Carter – [email protected]
Susan Stewart – [email protected]