
Examining Cisco TrustSec

Natalie Timms

nat@natalietimms.com

2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2690 Cisco Public
Abstract


- The session is targeted at network and security architects who want to know
  more about the TrustSec solution and use this information to help prepare for
  the CCIE Security Exam, where TrustSec is a component of the Exam Topics
  List (Blueprints).
Agenda

- TrustSec SGT Overview
- SGT Classification
- SGT Propagation
- Policy Enforcement
- Putting the solution together - Simple TrustSec use case
- Is it working? - Monitoring
- Summary

TrustSec SGT Overview
Traditional Security Policy Maintenance
- Adding destination Object
- Adding source Object based on location subnet
- ACL for each src subnet to a dest object
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
Permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
[Diagram: Traditional ACL/FW Rule, Source to Destination. Sources: NY, SF, LA, SJC (subnets 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...). Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI); Production Servers.]
TrustSec Security Policy Maintenance
Source SGT:
Employee (10)
BYOD (200)
Destination SGT:
Production_Servers (50)
VDI (201)
Permit Employee to Production_Servers eq HTTPS
Permit Employee to Production_Servers eq SQL
Permit Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers eq SSH
Deny BYOD to VDI eq RDP
[Diagram: Security Group Filtering. Sites NY, SF, LA, SJC with source groups Employee and BYOD; DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI) with destination groups Production Servers and VDI Servers.]
Location and IP address Independent -> flexible policy application and gives context.
TrustSec Concept
[Diagram: Users, Devices; Switch, Router, DC FW, DC Switch; HR Servers; Fin Servers; ISE, Directory; labels SGT:5, SGT = 4, SGT = 10; stages Classification, SGT Propagation, Enforcement.]
- Classification of systems/users based on context
  (user role, device, location, access method)
- The context-based classification propagates via an SGT
- The SGT is used by firewalls, routers and switches to make intelligent
  forwarding or blocking decisions
SGT Classification
How a SGT is Assigned
[Diagram: Campus Access, Distribution, Core, DC Core, DC Dist., DC Access; WLC, FW, Enterprise Backbone, Hypervisor SW; sample packet SRC: 10.1.100.98.]
- End User, Endpoint is classified with SGT
- SVI interface is mapped to SGT
- Physical Server is mapped to SGT
- VLAN is mapped to SGT
- BYOD device is classified with SGT
- Virtual Machine is mapped to SGT
Classification Summary

Dynamic Classification (common classification for mobile devices):
- 802.1X Authentication
- MAC Auth Bypass
- Web Authentication

Static Classification (common classification for servers, topology-based policy, etc.):
- IP Address
- VLANs
- Subnets
- L2 Interface
- L3 Interface
- Virtual Port Profile
- Layer 2 Port Lookup
ISE Dynamic SGT Assignments
Dynamic Classification Process in Detail
[Sequence diagram: Supplicant, Switch / WLC, ISE; steps numbered 1, 2, 3]
Layer 2:
- EAPoL Transaction (Supplicant to Switch / WLC) and RADIUS Transaction (Switch / WLC to ISE) carrying the EAP Transaction
- Authentication, then Authorisation after Policy Evaluation on ISE:
  cisco-av-pair=cts:security-group-tag=0005-01
- Authorised MAC: 00:00:00:AB:CD:EF, SGT = 5 (the diagram also carries the label SGT 0)
Layer 3:
- DHCP Lease: 10.1.10.100/24
- ARP Probe; IP Device Tracking Binding: 00:00:00:AB:CD:EF = 10.1.10.100/24
- SRC: 10.1.10.1 = SGT 5

Make sure that IP Device Tracking is TURNED ON
3560X#show cts role-based sgt-map all details
Active IP-SGT Bindings Information

IP Address Security Group Source
=============================================
10.1.10.1 3:SGA_Device INTERNAL
10.1.10.100 5:Employee LOCAL
Static Classification
IOS CLI Example

IP to SGT mapping:
  cts role-based sgt-map A.B.C.D sgt SGT_Value
VLAN to SGT mapping*:
  cts role-based sgt-map vlan-list VLAN sgt SGT_Value
Subnet to SGT mapping:
  cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
L3 ID to Port Mapping**:
  (config-if-cts-manual)#policy dynamic identity name
L3IF to SGT mapping**:
  cts role-based sgt-map interface name sgt SGT_Value
L2IF to SGT mapping*:
  (config-if-cts-manual)#policy static sgt SGT_Value

* relies on IP Device Tracking
** relies on route prefix snooping
SGT Migration Strategy VLAN-SGT
[Diagram: 3rd Party or Legacy Switches/APs on a Trunk Connection; 3K-X and Cat6500/Sup2T; 802.1X and RADIUS to ISE 1.1; SXP to Cat6500/Sup2T, 3K-X and N7K; Tagging.]

VLAN 10 -> Employee: SGT (10/000A)
VLAN 11 -> Contractor: SGT (11/000B)

Endpoints:
Contractor  MAC:0050.56BC.14AE  11.11.11.11/32
Employee    MAC:0070.56BC.237B  10.1.10.100/32

IP Device Tracking (ARP/DHCP inspection):
MAC Address     Port   SGT      IP Address   VLAN
0050.56BC.14AE  Fa2/1  11/000B  11.11.11.11  11
0070.56BC.237B  Fa2/1  10/000B  10.1.10.100  10

SXP Binding Table:
11.11.11.11  SGT (11/000B)   (Traffic SRC: 11.11.11.11, Tagging)
10.1.10.100  SGT (10/000A)   (Traffic SRC: 10.1.10.100, Tagging)

* - There are limits on the number of VLANs supported
Layer 3 Interface to SGT Mapping
(L3IF-SGT) Sup2T introduced in 15.0(1)SY
- Route Prefix Monitoring on a specific Layer 3 Port mapping to an SGT
- Can apply to Layer 3 interfaces regardless of the underlying physical interface:
  Routed port, SVI (VLAN interface), Tunnel interface

[Diagram: Business Partners (Route Updates 17.1.1.0/24) on g3/0/1; Joint Ventures (Route Updates 43.1.1.0/24, 49.1.1.0/24) on g3/0/2; DC Access, Hypervisor SW, EOR.]

cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9

VSS-1#show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address      SGT   Source
========================================
11.1.1.2        2     INTERNAL
12.1.1.2        2     INTERNAL
13.1.1.2        2     INTERNAL
17.1.1.0/24     8     L3IF
43.1.1.0/24     9     L3IF
49.1.1.0/24     9     L3IF
Nexus 1000V 2.1 SGT Assignment
- Port Profiles assigned to VMs
SGT Classification Binding Source Priority
The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLAN: Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT
   mapping configured.
2. CLI: Address bindings configured using the IP-SGT form of the cts role-based sgt-map
   global configuration command.
3. Layer 3 Interface (L3IF): Bindings added due to FIB forwarding entries that have paths
   through one or more interfaces with consistent L3IF-SGT mapping or Identity Port
   Mapping on routed ports.
4. SXP: Bindings learned from SXP peers.
5. IP_ARP: Bindings learned when tagged ARP packets are received on a CTS-capable
   link.
6. LOCAL: Bindings of authenticated hosts which are learned via EPM and device tracking.
   This type of binding also includes individual hosts that are learned via ARP snooping on L2
   IPM-configured ports.
7. INTERNAL: Bindings between locally configured IP addresses and the device's own SGT.
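
The priority order above decides which SGT is active when the same address is learned from several sources. The following is an added example, not Cisco code and not from the slides: it resolves a constructed set of candidate bindings by that order and lists the bindings that lose, which is the usual reason a configured or SXP-learned SGT does not show up as active. The sample rows and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Priority of each binding source as listed on the slide: 1 = lowest, 7 = highest.
SOURCE_PRIORITY = {"VLAN": 1, "CLI": 2, "L3IF": 3, "SXP": 4,
                   "IP_ARP": 5, "LOCAL": 6, "INTERNAL": 7}

# Constructed sample (not device output): candidate bindings for the same
# addresses learned from several sources, laid out like the rows of
# "show cts role-based sgt-map all".
CANDIDATES = """\
IP Address         SGT               Source
============================================
10.1.10.100        5:Employee        LOCAL
10.1.10.100        8                 SXP
10.1.10.100        11                VLAN
10.1.40.10         5:PCI_Servers     CLI
10.1.40.10         9                 SXP
17.1.1.0/24        8                 L3IF
10.1.44.1          2:Device_sgt      INTERNAL
"""

# address or prefix, numeric SGT with optional ":name", source keyword
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+(\d+)(?::\S+)?\s+([A-Z0-9_]+)$")


def parse_bindings(text):
    """Return (network, sgt, source) tuples; header and ruler lines are skipped."""
    bindings = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        prefix, sgt, source = match.groups()
        if source not in SOURCE_PRIORITY:
            raise ValueError(f"unknown binding source: {source}")
        bindings.append((ipaddress.ip_network(prefix), int(sgt), source))
    return bindings


def resolve(bindings):
    """Pick the active binding per prefix and list the bindings it overrides.

    Ties between two bindings of the same source type are not covered by the
    slide; this sketch keeps the first one seen.
    """
    active, overridden = {}, []
    ranked = sorted(bindings, key=lambda b: SOURCE_PRIORITY[b[2]], reverse=True)
    for net, sgt, source in ranked:
        if net not in active:
            active[net] = (sgt, source)
        elif sgt != active[net][0]:
            # (prefix, losing SGT, losing source, winning SGT, winning source)
            overridden.append((str(net), sgt, source) + active[net])
    return active, overridden


def sgt_for(active, address):
    """Active (sgt, source) for an exact host or prefix string, or None."""
    return active.get(ipaddress.ip_network(address))


if __name__ == "__main__":
    active, overridden = resolve(parse_bindings(CANDIDATES))
    for net in sorted(active):
        print(f"{str(net):18} SGT {active[net][0]:<5} via {active[net][1]}")
    for prefix, sgt, source, win_sgt, win_source in overridden:
        print(f"{prefix}: {source} SGT {sgt} overridden by {win_source} SGT {win_sgt}")
```

Note that the statically configured CLI binding for 10.1.40.10 loses to the SXP-learned one, because SXP (4) ranks above CLI (2) in the list.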
SGT Propagation
Propagation Option 1: Inline Tagging
- SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
- Capable switches understand and process the SGT at line rate
- Optional MACsec protection
- No impact to QoS, IP MTU/Fragmentation
- L2 Frame Impact: ~40 bytes
- Recommend L2 MTU ~1600 bytes
- N.B. Incapable devices will drop frames with unknown Ethertype

[Frame diagrams]
Ethernet Frame: Destination MAC, Source MAC, 802.1Q, CMD, ETHTYPE, PAYLOAD, CRC
Cisco Meta Data (CMD): CMD EtherType, Version, Length, SGT Option Type, SGT Value, Other CMD Option
MACsec Frame: Destination MAC, Source MAC, 802.1Q, CMD, ETHTYPE, PAYLOAD, CRC, with two fields labelled 802.1AE Header; AES-GCM 128bit Encryption
ETHTYPE:0x88E5
ETHTYPE:0x8909
SGT Link Authentication and Authorization
Mode                        MACSEC  PMK      PTK      Cipher Selection  Trust/Propagation Policy for Tags
cts dot1x                   Y       Dynamic  Dynamic  Negotiated        Dynamic from ISE/configured
cts manual with encryption  Y       Static   Dynamic  Static            Static
cts manual no encryption    N       N/A      N/A      N/A               Static

PMK = MACSEC Pairwise Master Key; PTK = MACSEC Pairwise Transient Key;
Cipher Selection = Encryption Cipher Selection (no-encap, null, GCM, GMAC)

- CTS Manual is the strongly recommended configuration for SGT propagation
- cts dot1x takes the link down when AAA is down: tight coupling of link state and
  AAA state
- Some platforms (ISRG2, ASR1K, N5K) only support cts manual/no encryption
Configure Links for SGT Tagging
interface TenGigabitEthernet1/5
cts manual
policy static sgt 2 trusted
C6K2T-CORE-1#sho cts interface brief
Global Dot1x feature is Enabled
Interface GigabitEthernet1/1:
CTS is enabled, mode: MANUAL
IFC state: OPEN
Authentication Status: NOT APPLICABLE
Peer identity: "unknown"
Peer's advertised capabilities: ""
Authorization Status: SUCCEEDED
Peer SGT: 2:device_sgt
Peer SGT assignment: Trusted
SAP Status: NOT APPLICABLE
Propagate SGT: Enabled
Cache Info:
Expiration : N/A
Cache applied to link : NONE


L3 IPM: disabled.
Always shut and no shut an interface for any cts manual or cts dot1x change
CTS Manual no encryption
Propagation Option 2: SGT eXchange Protocol (SXP)
- Control plane protocol that conveys the IP-SGT map of authenticated hosts to
  enforcement points
- SXP uses TCP as the transport layer
- Accelerates deployment of SGT
- Supports Single-Hop SXP & Multi-Hop SXP (aggregation)
- Two roles: Speaker (initiator) and Listener (receiver)
- SXPv4: loop detection and bi-directional connections

[Diagram: switches (SW) and a router (RT) connected by SXP, one switch acting as SXP aggregation; roles Speaker and Listener.]
Propagation Option 2: SGT eXchange Protocol
- SXP accelerates deployment of SGTs
  - Allows classification at the access edge without hardware upgrade
  - Allows communication from access edge to enforcement device
- SXP also used to traverse networks/devices without SGT capabilities
- Uses TCP for transport protocol
- TCP port 64999 for connection initiation
- Uses MD5 for authentication and integrity check
- Two roles: Speaker (initiator) and Listener (receiver)
SXP Flow
[Sequence diagram: peers CTS7K (10.1.3.1) and CTS6K (10.1.3.2), roles Speaker and Listener; ISE 1.1; endpoint 10.1.10.100 (SGT6).]

TCP SYN
  IP Src: 10.1.3.2 Dst: 10.1.3.1
  TCP Src Port: 16277 Dst Port: 64999
  Flags: 0x02 (SYN)

TCP SYN-ACK
  IP Src: 10.1.3.1 Dst: 10.1.3.2
  TCP Src Port: 64999 Dst Port: 16277
  Flags: 0x12 (SYN, ACK)

TCP ACK
  IP Src: 10.1.3.2 Dst: 10.1.3.1
  TCP Src Port: 16277 Dst Port: 64999
  Flags: 0x10 (ACK)

SXP OPEN
  IP Src: 10.1.3.2 Dst: 10.1.3.1
  TCP Src Port: 16277 Dst Port: 64999
  Flags: 0x10 (ACK)
  SXP Type: Open
  Version: 1
  Device ID: CTS6K

SXP OPEN_RESP
  IP Src: 10.1.3.1 Dst: 10.1.3.2
  TCP Src Port: 64999 Dst Port: 16277
  Flags: 0x18 (PSH, ACK)
  SXP Type: Open_Resp
  Version: 1
  Device ID: CTS7K

SXP UPDATE
  IP Src: 10.1.3.2 Dst: 10.1.3.1
  TCP Src Port: 16277 Dst Port: 64999
  Flags: 0x10 (ACK)
  SXP Type: Update
  Update Type: Install
  IP Address: 10.1.10.100 SGT: 6
SXP Informational Draft
- SXP now published as an Informational Draft to the IETF, based on customer
  requests
- Draft called Source-Group Tag eXchange Protocol because of likely uses
  beyond security
- Specifies SXP v4 functionality with backwards compatibility to SXP v2
- http://www.ietf.org/id/draft-smith-kandula-sxp-00.txt
SXP Connection Types
[Diagram: Single-Hop SXP: an SXP Enabled Switch/WLC (Speaker) peers across a Non-TrustSec Domain with SGT Capable HW (Listener). Multi-Hop SXP: SXP Enabled SW/WLC devices (Speakers) peer with an SXP Enabled SW (Listener and Speaker), which peers with SGT Capable HW (Listener).]
IOS SXP Configuration
3750:
cts sxp enable
cts sxp connection peer 10.1.44.1 source 10.1.11.44 password default mode local
! SXP Peering to Cat6K

6K:
cts sxp enable
cts sxp default password cisco123
!
cts sxp connection peer 10.1.11.44 source 10.1.44.1 password default mode local listener hold-time 0 0
! ^^ Peering to Cat3K
cts sxp connection peer 10.1.44.44 source 10.1.44.1 password default mode local listener hold-time 0 0
! ^^ SXP Peering to WLC

C3750#show cts role-based sgt-map all details
Active IP-SGT Bindings Information

IP Address Security Group Source
======================================================================
10.10.11.1 2:device_sgt INTERNAL
10.10.11.100 8:EMPLOYEE_FULL LOCAL

C6K2T-CORE-1#show cts sxp connections brief
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running

-----------------------------------------------------------------------------
Peer_IP Source_IP Conn Status Duration
-----------------------------------------------------------------------------
10.1.11.44 10.1.44.1 On 11:28:14:59 (dd:hr:mm:sec)
10.1.44.44 10.1.44.1 On 22:56:04:33 (dd:hr:mm:sec)

Total num of SXP Connections = 2
C6K2T-CORE-1#show cts role-based sgt-map all details
Active IP-SGT Bindings Information

IP Address Security Group Source
======================================================================
10.1.40.10 5:PCI_Servers CLI
10.1.44.1 2:Device_sgt INTERNAL
--- snip ---
10.0.200.203 3:GUEST SXP
10.10.11.100 8:EMPLOYEE_FULL SXP
WLC SXP Configuration
Inline Tagging vs. SXP Tag Propagation
Inline Tagging: if the device supports SGT in ASICs
SXP: if there are devices that are not SGT-capable

[Diagram: Campus Access, Distribution, Core, DC Core, EOR, DC Access; WLC, FW, Enterprise Backbone, Hypervisor SW. Inline SGT Tagging: CMD Field in the L2 Ethernet Frame between ASICs, Optionally Encrypted, SRC: 10.1.100.98. SXP: IP-SGT Binding Table carried to the enforcement device.]

SXP IP-SGT Binding Table:
IP Address   SGT  SRC
10.1.100.98  50   Local
Policy Enforcement
Policy Enforcement - Security Group ACL (SGACL)

[Diagram: Cat3750X, Cat6500, WLC5508, ASA5585, Enterprise Backbone, Cat6500, Nexus 7000, Nexus 5500, Nexus 2248.]
- Mary authenticated, classified as Marketing (5)
- Packet SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5
- FIB Lookup: Destination MAC/Port SGT 20
- Destination Classification: Web_Dir: SGT 20 (DST: 10.1.100.52); CRM: SGT 30 (DST: 10.1.200.100)

SRC\DST        Web_Dir (20)  CRM (30)
Marketing (5)  SGACL-A       SGACL-B
BYOD (7)       Deny          Deny
Centralized SGACL Policy Management in ISE
Portal_ACL:
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip
SGACL Egress Policy Enforcement
- Extended ACL syntax, without IP addresses
- Avoids TCAM impact, can be IPv6 agnostic*
- Can be applied anywhere (no IP dependency)
- Switches that classify servers only download the SGACLs they need from ISE
- No device-specific ACL configs

* Currently only Cat6k Sup 2T supports IPv6 SGACL

[Diagram: sources SGT=3, SGT=4, SGT=5; SGACL Enforcement in front of Prod_Server (SGT=7) and Dev_Server (SGT=10); Portal_ACL, with the same entries as on the previous slide, shown against Prod_Servers / Dev_Servers.]
Configuring an IOS Switch for SGT
- The following CLI is required to turn on NDAC (to authenticate the device to ISE and
  receive policies, including SGACLs, from ISE)
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
! Enabling AAA
Switch(config)#aaa new-model
! Defining RADIUS server with PAC keyword
Switch(config)#radius-server host <ISE_PDP_IP> pac key <RADIUS_SHARED_SECRET>
! Use default AAA group for 802.1X and defined authz list for authorization
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius
! Define authorization list name for SGA policy download
Switch(config)#cts authorization list <AUTHZ_List_Name>
Configuring an IOS Switch for SGT(cont.)
! Configure RADIUS server to use VSA in authentication request
Switch(config)#radius-server vsa send authentication
! Define device credential (EAP-FAST I-ID), which must match the one in the ISE AAA client configuration
Switch#cts credential id <DEVICE_ID> password <DEVICE_PASSWORD>
! Enable 802.1X at system level
Switch(config)#dot1x system-auth-control
Note: remember that the device credential under IOS is configured in enable mode, not in
config mode. The CLI command level differs between IOS and NX-OS, where you
need to configure the device credential in config mode.
Verification - PAC
TS2-6K-DIST#show cts pacs
AID: 04FB30FE056125FE90A340C732ED9530
PAC-Info:
PAC-type = Cisco Trustsec
AID: 04FB30FE056125FE90A340C732ED9530
I-ID: TS2-6K-DIST
A-ID-Info: ISE PAP
Credential Lifetime: 00:54:33 UTC Dec 21 2011
PAC-Opaque:
000200B0000300010004001004FB30FE056125FE90A340C732ED95300006009400030100980BC43B8BDAB7ECC3B12C04D2D3CA6
E000000134E7A69FD00093A80AD1F972E0C67757D29DBF9E8452EDC3E0A46858429C8E4714315533061DAD4FB2F31346FE44085
79D4F55B3813ADA9876F04ACC1656DE2F476ED3CBC96A0DB937403AC3B0CAB64EEC15A1BD6E351A005A8DE6E6F894DEE619F4EF
FF031BC7E7BD9C8B230885093FF789BAECB152E3617986D3E0B
Refresh timer is set for 12w0d
Use show cts pacs to verify whether the PAC is provisioned. Key points: the A-ID matches the
one found in the environment data with the server IP address, the I-ID is the one you
set up as Device ID, and A-ID-Info matches the one you configured on ISE (EAP-FAST configuration).
The PAC is provisioned during EAP-FAST phase 0. It allows a TLS tunnel to
be built between ISE and the CTS device. This secures later transactions.
Downloading Policy on IOS Switch
TS2-6K-DIST#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
SGT tag = 2-00
Server List Info:
Installed list: CTSServerList1-0004, 3 server(s):
*Server: 10.1.100.3, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
Status = ALIVE
auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.1.100.4, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
Status = ALIVE
auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.1.100.6, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
Status = ALIVE
auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
0001-22 :
7-98 : 80 -> FIN_SRV
6-98 : 80 -> HR_DB
5-98 : 80 -> HR_ADMIN_SRV
4-98 : 80 -> FIN_ADMIN
3-98 : 80 -> HR_CONTRACTOR
2-98 : 80 -> Device_SGT
unicast-unknown-98 : 80 -> Unknown
Any : 80 -> ANY
Transport type = CTS_TRANSPORT_IP_UDP
Environment Data Lifetime = 86400 secs
Last update time = 22:50:57 UTC Mon Sep 26 2011
Env-data expires in 0:23:59:49 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:49 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
Verify Environment Data
Activating SGACL Enforcement on IOS Switch
- After setting up SGT/SGACL on ISE, you can now enable SGACL enforcement
  on the IOS switch
! Defining IP to SGT mapping for servers
Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5
Switch(config)#cts role-based sgt-map 10.1.40.20 sgt 6
Switch(config)#cts role-based sgt-map 10.1.40.30 sgt 7
! Enabling SGACL Enforcement globally and for VLAN
Switch(config)#cts role-based enforcement
Switch(config)#cts role-based enforcement vlan-list 40
Downloading SGACL Policy on IOS Switch
Verify SGACL Content
TS2-6K-DIST#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 3 to group 5:
Deny IP-00
IPv4 Role-based permissions from group 4 to group 5:
ALLOW_HTTP_HTTPS-20
IPv4 Role-based permissions from group 3 to group 6:
ALLOW_HTTP_SQL-10
Permit IP-00
IPv4 Role-based permissions from group 4 to group 6:
Deny IP-00
IPv4 Role-based permissions from group 3 to group 7:
Deny IP-00
IPv4 Role-based permissions from group 4 to group 7:
Permit IP-00
The SGACL mapping policy shown here should match the one on ISE.
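
The egress decision behind this output, as an added example (not Cisco code and not part of the slides): the source SGT arrives with the packet, the destination SGT comes from the IP-SGT mappings configured above, and the matching matrix cell is walked ACE by ACE before falling back to the default permissions. The IP-SGT mappings and the matrix are taken from the slides; the ACE bodies of ALLOW_HTTP_HTTPS and ALLOW_HTTP_SQL are not on the page and are constructed, and treating an unmapped destination as SGT 0 (Unknown) is an assumption.

```python
import re

# From the slides: "cts role-based sgt-map ..." and "show cts role-based permissions".
IP_SGT = {"10.1.40.10": 5, "10.1.40.20": 6, "10.1.40.30": 7}
MATRIX = {
    (3, 5): ["Deny IP"],
    (4, 5): ["ALLOW_HTTP_HTTPS"],
    (3, 6): ["ALLOW_HTTP_SQL", "Permit IP"],
    (4, 6): ["Deny IP"],
    (3, 7): ["Deny IP"],
    (4, 7): ["Permit IP"],
}
DEFAULT = ["Permit IP"]  # "IPv4 Role-based permissions default"

# Constructed ACE bodies for the two named SGACLs (their content is not on the page).
SGACL_TEXT = {
    "Permit IP": "permit ip",
    "Deny IP": "deny ip",
    "ALLOW_HTTP_HTTPS": "permit tcp dst eq 80\npermit tcp dst eq 443\ndeny ip",
    "ALLOW_HTTP_SQL": "permit tcp dst eq 80\npermit tcp dst eq 1433",
}

# SGACL entries carry no addresses: action, protocol, optional destination port(s).
ACE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp|icmp)"
                 r"(?:\s+dst\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+)))?"
                 r"(?:\s+log(?:-input)?)?$")


def parse_sgacl(text):
    """Parse the numeric-port subset of SGACL syntax used on the slides."""
    aces = []
    for line in text.strip().splitlines():
        match = ACE.match(line.strip().lower())
        if not match:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, eq, low, high = match.groups()
        ports = (int(eq), int(eq)) if eq else (int(low), int(high)) if low else None
        if ports and proto not in ("tcp", "udp"):
            raise ValueError(f"ports need tcp or udp: {line!r}")
        aces.append((action, proto, ports))
    return aces


SGACLS = {name: parse_sgacl(text) for name, text in SGACL_TEXT.items()}


def ace_matches(ace, proto, dst_port):
    _, ace_proto, ports = ace
    if ace_proto not in ("ip", proto):
        return False
    return ports is None or (dst_port is not None and ports[0] <= dst_port <= ports[1])


def evaluate(src_sgt, dst_ip, proto, dst_port=None):
    """Return (action, rule) for a flow leaving the enforcement switch."""
    dst_sgt = IP_SGT.get(dst_ip, 0)          # assumption: no binding means SGT 0
    cell = MATRIX.get((src_sgt, dst_sgt), [])
    # SGACLs of the cell are tried in the order listed, then the default permissions.
    for scope, names in ((f"{src_sgt}->{dst_sgt}", cell), ("default", DEFAULT)):
        for name in names:
            for ace in SGACLS[name]:
                if ace_matches(ace, proto, dst_port):
                    return ace[0], f"{scope}: {name}"
    return "deny", "no match"                # unreachable while DEFAULT is Permit IP


if __name__ == "__main__":
    flows = [(4, "10.1.40.10", "tcp", 443), (4, "10.1.40.10", "tcp", 22),
             (3, "10.1.40.20", "udp", 53), (8, "10.1.40.10", "tcp", 22)]
    for flow in flows:
        print(flow, "=>", evaluate(*flow))
```

With the default permissions at Permit IP, a source group that has no cell in the matrix (group 8 in the last flow) still reaches the servers.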
Policy Enforcement on Firewalls: ASA SG-FW
- Can still use Network Object (Host, Range, Network (subnet), or FQDN)
  AND / OR the SGT
- Switches inform the ASA of Security Group membership
- Security Group definitions from ISE
- Trigger other services by SGT
Using SG-FW and SGACL Enforcement Together
- Consistent classification/enforcement between firewalls and switching.
- SGT Names will be synchronized between ISE and ASDM
- Policy administrators need to ensure SGACL and SG-FW rules are in sync

[Diagram: Campus Network and Data Centre. ISE SGACL Policies for SGACL on Switches; CSM/ASDM Policies for SG-FW on ASA; SGT Name Download (SGT 10 = PCI_User, SGT 100 = PCI_Svr); SXP carrying IP Address 10.1.10.1, SGT PCI (10); PCI Server.]
Use Case: Campus and Branch Segmentation
Campus and Branch Segmentation
[LOGICAL VIEW: ISE, Classification; Switch, Router, Enforcement.]
[POLICY VIEW: policy matrix with Source groups LoB1 Production Users, LoB1 Developers, LoB2 Employees and Guest (Guests) against destinations including Protected Assets and Internet Access; cells are PERMIT, DENY or Malware Block.]
*LoB = Line of Business
Malware Blocking ACL

Deny tcp dst eq 445 log
Deny tcp dst range 137 139 log
Permit all
Implementing Wireless User-User Policy Enforcement
- Apply user-user policies as defined in ISE
  on traffic from the WLC

[Diagram: WLAN Controller, Vlan 2, 6500, ISE, SXP; user-to-user flows marked Permit and Deny.]

interface Vlan2
 ip local-proxy-arp
 ip route-cache same-interface
!
cts role-based enforcement
cts role-based enforcement vlan-list 2
Extending Inline Tagging Across WAN to Branches
- Inline tagging across WAN: ISR G2 IOS 15.4(1)T & ASR1000 15.4(1)S
- Inline tagging on built-in ISRG2 & ASR 1000 Ethernet interfaces (all
  except 800 series ISR)
- Carries SGT inline across GET-VPN and IPsec VPN
- Can also use SGT-aware Zone-based Firewall in branch and DC WAN edge
  for reasons like PCI compliance
- SGT allows more dynamic classification in the branch and DC WAN edge
- SGT is a source criterion only in ISR FW, source or destination in ASR 1000

[Diagram: HQ with ASR1000 Router; Branch A and Branch B with ISRG2 (e.g. 2951/3945) and Cat3750-X; Inline SGT; SGT over GET-VPN or IPsec VPN.]
IKEv2/IPsec and Inline Tagging
BO-2921#
! CTS infra CLI used to configure IP->SGT mapping
cts role-based sgt-map 9.9.9.1 sgt 5000
cts role-based sgt-map 11.11.11.1 sgt 65533
!
crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
! SGT capability negotiation for IPsec inline tagging
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
! ..
GETVPN and Inline Tagging
KS can enable SGT tagging on a per-SA basis
crypto gdoi group GDOI
 identity number 12345
 server local
  sa ipsec 1
   tag cts sgt
   match address ipv4 ACL_GETVPN_SGT
  sa ipsec 2
   no tag
   match address ipv4 ACL_GETVPN_NO_SGT

Shows SGT capability is enabled on KS
If the KS is configured for tagging, GMs must register
using GETVPN software version 1.0.5 or higher to be accepted.
ZFW on ISR G2
!
class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
! match-all filter for specifying services that are allowed for partners
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
! match-all filter for specifying services that are allowed for guests
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
class-map type inspect match-any emp-services
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol ssh
class-map type inspect match-any emp-sgts
 match security-group source tag 1001
 match security-group source tag 1002
 match security-group source tag 1003
! match-all filter for specifying services that are allowed for employees
class-map type inspect match-all emp-class
 match class-map emp-services
 match class-map emp-sgts
ZFW on ISR G2
!
! Specific class filters are defined inside policy maps for each sgt group
policy-map type inspect branch-policy
 class type inspect emp-class
  inspect
 class type inspect partner-class
  inspect
 class type inspect guest-class
  inspect
 class class-default
  drop
!
zone security lan
zone security ho
zone-pair security lan-ho source lan destination ho
 service-policy type inspect branch-policy
!
interface GigabitEthernet0/1
 description ***branch lan network***
 ip address 10.0.0.1 255.255.255.0
 zone-member security lan
!
!
interface GigabitEthernet0/2
 description ***connection to head-office***
 ip address 172.16.0.1 255.255.255.252
 zone-member security ho
!
SGACL Monitoring
Verifying SGACL Enforcement
Use show cts role-based counters to show traffic dropped by SGACL
TS2-6K-DIST#show cts role-based counters
Role-based IPv4 counters
From To SW-Denied HW-Denied SW-Permitted HW_Permitted
* * 0 0 48002 369314
3 5 53499 53471 0 0
4 5 0 0 0 3777
3 6 0 0 0 53350
4 6 3773 3773 0 0
3 7 0 0 0 0
4 7 0 0 0 0
From * to * means Default Rule.
The show command displays the statistics of RBACL enforcement.
Separate counters are displayed for HW- and SW-switched packets. The user
can specify the source SGT using the from clause and the destination SGT
using the to clause.
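
Because these counters only grow, monitoring them means comparing two readings. The following added example (not Cisco code, not from the slides) parses the counter table, computes the change between two snapshots, and reports which source/destination groups were denied in the interval and how much traffic was permitted by the default rule. The first snapshot and the SGT names are the ones shown on the slides; the second snapshot is constructed, and treating a counter that went backwards as a reset is an assumption.

```python
import re

FIELDS = ("sw_denied", "hw_denied", "sw_permitted", "hw_permitted")
ROW = re.compile(r"^(\*|\d+)\s+(\*|\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

# Names from the Security Group Name Table in "show cts environment-data" on the slides.
SGT_NAMES = {"2": "Device_SGT", "3": "HR_CONTRACTOR", "4": "FIN_ADMIN",
             "5": "HR_ADMIN_SRV", "6": "HR_DB", "7": "FIN_SRV"}

# Snapshot shown on the slide.
FIRST = """\
From To SW-Denied HW-Denied SW-Permitted HW_Permitted
*    *  0         0         48002        369314
3    5  53499     53471     0            0
4    5  0         0         0            3777
3    6  0         0         0            53350
4    6  3773      3773      0            0
3    7  0         0         0            0
4    7  0         0         0            0
"""

# Constructed later snapshot (not device output).
SECOND = """\
From To SW-Denied HW-Denied SW-Permitted HW_Permitted
*    *  0         0         48002        369914
3    5  53520     53492     0            0
4    5  0         0         0            3800
3    6  0         0         0            53350
4    6  3773      3773      0            0
3    7  0         0         0            0
4    7  0         0         0            0
"""


def parse_counters(text):
    """Map (from_sgt, to_sgt) to its four counters; '*' marks the default rule."""
    table = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            values = [int(v) for v in match.groups()[2:]]
            table[(match.group(1), match.group(2))] = dict(zip(FIELDS, values))
    return table


def interval(prev, cur):
    """Per-pair increase between two snapshots."""
    zero = dict.fromkeys(FIELDS, 0)
    delta = {}
    for pair, now in cur.items():
        before = prev.get(pair, zero)
        # A counter lower than before is treated as cleared: count from zero.
        delta[pair] = {f: now[f] - before[f] if now[f] >= before[f] else now[f]
                       for f in FIELDS}
    return delta


def label(sgt):
    return f"{SGT_NAMES.get(sgt, 'unnamed')}({sgt})"


def report(prev_text, cur_text):
    """Denied group pairs and default-rule permits seen between two snapshots."""
    delta = interval(parse_counters(prev_text), parse_counters(cur_text))
    default = delta.pop(("*", "*"), dict.fromkeys(FIELDS, 0))
    denied = [(label(src), label(dst), c["sw_denied"], c["hw_denied"])
              for (src, dst), c in delta.items()
              if c["sw_denied"] or c["hw_denied"]]
    denied.sort(key=lambda row: row[2] + row[3], reverse=True)
    return {"denied": denied,
            "default_rule_permits": default["sw_permitted"] + default["hw_permitted"]}


if __name__ == "__main__":
    result = report(FIRST, SECOND)
    for src, dst, sw, hw in result["denied"]:
        print(f"{src} -> {dst}: {sw} SW-denied, {hw} HW-denied in interval")
    print("permitted by default rule:", result["default_rule_permits"])
```

Pairs such as 4 to 6, whose deny counters are non-zero but unchanged, do not appear in the report: the drops happened before the first snapshot.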

SGACL Monitoring
C6K2T-CORE-1#sho cts role-based permissions
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
Malware_Prevention-11
C6K2T-CORE-1#sho ip access-list
Role-based IP access list Deny IP-00 (downloaded)
10 deny ip
Role-based IP access list Malware_Prevention-11 (downloaded)
10 deny icmp log-input (51 matches)
20 deny udp dst range 1 100 log-input
30 deny tcp dst range 1 100 log-input
40 deny udp dst eq domain log-input
*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp
10.10.18.101 (GigabitEthernet1/1 ) -> 10.10.11.100 (8/0), 119 packets
Monitoring SGACL Packet Drops with Flexible NetFlow
flow record cts-v4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes
 collect counter packets

flow exporter EXP1
 destination 10.2.44.15
 source GigabitEthernet3/1

flow monitor cts-mon
 record cts-v4
 exporter EXP1

interface vlan 10
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output

interface vlan 20
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output

interface vlan 30
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output

interface vlan 40
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output

cts role-based ip flow mon cts-mon dropped
* Optional: creates flows only for role-based ACL drops
Monitoring SGACL Packet Drops with Flexible NetFlow
SJC01#show flow mon cts-mon cache
Cache type: Normal
Cache size: 4096
Current entries: 1438
High Watermark: 1632
Flows added: 33831
Flows aged: 32393
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 32393
- Event aged 0
- Watermark aged 0
- Emergency aged 0

IPV4 SOURCE ADDRESS: 192.168.30.209
IPV4 DESTINATION ADDRESS: 192.168.200.156
TRNS SOURCE PORT: 60952
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 30
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL: 6
counter bytes: 56
counter packets: 1

IPV4 SOURCE ADDRESS: 192.168.20.140
IPV4 DESTINATION ADDRESS: 192.168.200.104
TRNS SOURCE PORT: 8233
TRNS DESTINATION PORT: 80
FLOW DIRECTION: Output
FLOW CTS SOURCE GROUP TAG: 20
FLOW CTS DESTINATION GROUP TAG: 200
IP PROTOCOL: 6
counter bytes: 56
counter packets: 1
Summary
- TrustSec can be deployed for multiple use-cases
  - Can start with specific use-cases with minimal platform dependencies
  - Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the
    policy matrix
- TrustSec SGT can mean
  - Centralised policy for complete network
  - Distributed enforcement and scale
  - No device-specific ACLs or rules to manage - one place to audit
  - Servers can cycle through Dev > UAT > Prod without readdressing
- Operational benefits
  - SGACLs avoid VLAN/dACL efforts and admin
  - Security policy managers/auditors do not need to understand the topology or the underlying
    technology to use the policy matrix
  - Firewall rule simplification and OpEx reduction
  - Faster and easier deployment of new services
Links
- For more info:
  http://www.cisco.com/go/trustsec
- TrustSec platform support matrix:
  http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
- TrustSec and ISE Deployment Guides:
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
- PCI Scope Reduction with Cisco TrustSec QSA (Verizon) Validation:
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf
- IETF SXP Draft:
  http://tools.ietf.org/html/draft-smith-kandula-sxp-00
Q & A