Securing network access (Sécurisation de l'accès au réseau)

Posted: 19-Jan-2015
Category: Technology

Description

Firewalls are only effective if you control who is behind an IP address! While nobody would consider doing without a firewall, we still see many deployments in which access is not fully protected (no access control on switch ports, no mechanism to prevent address spoofing, and so on). In this presentation we review the techniques for securing network access (802.1X, MAB, First Hop Security, ACLs, ...) and cover the latest innovations in this area (Security Group Tags, profiling, EAP chaining, MACsec, Identity Services Engine, ...). We also show how putting security configurations in place can simplify the network and its operation.

Transcript of Securing network access

1. Breakfast session, 20 May 2014: Securing network access. Jérôme Durand, Consulting Systems Engineer, Enterprise Networking Solutions. Federico Ziliotto, Consulting Systems Engineer, CCIE 23280 (Wireless, R&S).

2. Agenda (Cisco Confidential. © 2013-2014 Cisco and/or its affiliates. All rights reserved.)
  • 802.1X on wired networks: myth or reality?
  • Advanced access control and demo
  • First hop security

3. 802.1X on wired networks: myth or reality?

4. Short History of Identity Services. Where do we come from, where do we go to? In the Dark Ages, there was IEEE 802.1X. Then we had MAB, Auth-Fail VLAN, Guest VLAN, deployment modes, ... We will finally be walking upright with the help of the new version of the Identity Engine for TrustSec: Session Aware Networking.

5. Legos and Identity / IEEE 802.1X. Rolling out identity can be a tedious task. We deliver a ton of useful and very specific features. Deployment scenarios address 80%, but the remaining 20% are the most complex. "Where's my individual assembly instruction?" "What do I do if I'm missing a specific brick (feature)?"

6. ACS / ISE: Brief History.
  • Cisco Secure ACS, the TACACS+ / RADIUS veteran: supports RADIUS and TACACS+; two major versions, Windows-based (< 5.0) and Linux-based (>= 5.0); delivered as software only (< 5.0) or as an appliance (4.x and 5.x).
  • Identity Services Engine (ISE), the new kid on the block: a complete re-write (no TACACS+ as of today); focused on access control / identity / TrustSec; integrates formerly separate modules and products (profiler, guest services, RADIUS server, NAC); recommended going forward for identity projects.

7. Thinking About Authentication (diagram). Rows: Authentication, Authorization, Policy, Teamwork & Organization; columns: Desktops, Multiple Endpoints, Confidentiality. The Authentication row reads: credentials, DBs, EAP, supplicants, agentless, order / priority; Windows GPO, machine auth, PXE, WoL, VM; and the teams involved: Network, IT, Desktop.

8. IEEE 802.1X Provides Port-Based Access Control Using Authentication. Supplicant (client) <-- EAP over LAN (EAPoL), Layer 2 point-to-point --> Authenticator (switch) <-- RADIUS, Layer 3 link --> Authentication Server (AAA / RADIUS server). The exchange:
  • Beginning: EAPoL Start; EAPoL Request Identity; EAP-Response Identity: Alice, forwarded by the switch as RADIUS Access-Request [AVP: EAP-Response: Alice].
  • Middle: RADIUS Access-Challenge [AVP: EAP-Request PEAP] becomes EAP-Request: PEAP on the port; EAP-Response: PEAP becomes RADIUS Access-Request [AVP: EAP-Response: PEAP]. Multiple Challenge / Request exchanges are possible.
  • End: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] becomes EAP Success on the port.

9. Choosing Credentials for 802.1X. Common types: passwords (username / password, e.g. alice / c1sC0L1v, held in a directory), certificates (issued by a Certificate Authority), tokens (validated by a token server). Deciding factors: security policy, validation, distribution & maintenance.

10. How To Submit Credentials. Mutual authentication: the server must validate the client's identity and vice versa. Security: client credentials cannot be snooped or cracked.
  • PEAP-MSCHAPv2: server certificate authentication (signed by a trusted CA, belongs to an allowed server), then an encrypted tunnel inside which the client authenticates with a known username and a valid password.
  • EAP-TLS: server certificate authentication (signed by a trusted CA, belongs to an allowed server) and client certificate authentication (signed by a trusted CA, plus additional checks).

11. Users and Machines Can Have Credentials.
  • Machine authentication (e.g. hostwin7): enables devices to access the network prior to (or in the absence of) user login; enables critical device traffic (DHCP, NFS, machine GPO); is required in managed wired environments.
  • User authentication (e.g. alice): enables user-based access control and visibility; if enabled, should be in addition to device authentication.

12. Business Case & Security Policy Determine Whether You Need User Auth.
  • Example 1: Call Center. Objective: differentiated access for agents. Conditions: shared-use PCs (desktops). Method: PEAP, machine + user.
  • Example 2: Enterprise Campus. Objective: access for corporate assets only. Conditions: one laptop = one user. Method: EAP-TLS, machine only. Bonus question: could this customer enable password-based user authentication if they wanted to?

13. Understanding Your Supplicant Is Essential. Best practice: make friends with your desktop team! Supplicant families: open source, hardware, native, premium. Two native Windows supplicant pitfalls:
  • "Massive outage after OS upgrade": XP SP2 had a single service & profile for all 802.1X (wired / wireless); XP SP3 / Vista / Win 7 / Win 8 have separate services and profiles for wired and wireless, and the wired service is disabled by default (http://support.microsoft.com/kb/953650).
  • "Auth-Fail VLAN doesn't work": XP SP3, Vista, Win 7 and Win 8 start a 20-minute block timer on the first EAP failure (http://support.microsoft.com/kb/957931), whereas the switch expects 3 failures by default before it moves the port to the Auth-Fail VLAN. Fix: (config-if)#authentication event fail retry 0

14. Machine and User Authentication.
  • With the native Windows 802.1X supplicant: the same EAP method is used for both machine and user. Once logged in to Windows, since the user's identity is available, only user authentication is triggered.
  • With Cisco AnyConnect NAM: different, separate EAP methods can be used for the machine and the user. EAP Chaining supports authenticating both the machine and the user, in the same session, whenever 802.1X is triggered.
  How do you force a user to authenticate from an already authenticated machine?

15. Machine Access Restriction (MAR). Supplicant agnostic. The network access device (NAD) sends the endpoint's MAC in RADIUS attribute [31] Calling-Station-ID. ISE caches the MAC address of the authenticated machine in the MAR cache. When the user authenticates from the same device, ISE can tell it is from the previously authenticated machine thanks to the MAR cache.

16. EAP Chaining. Supported with AnyConnect 3.1 and ISE. It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session. If no user information is available (logged out), only machine credentials are used. If the user's identity is also available, both machine and user information are used for 802.1X authentication.

17. Real Networks Can't Live on 802.1X Alone. Default access control is binary: on a 1X-enabled switchport, a managed asset that passed 802.1X gets everything (DHCP, TFTP, KRB5, HTTP, EAPoL), while an unauthenticated endpoint, whether a guest, a rogue, or an employee with a bad credential, gets EAPoL only.

18. MAC Authentication Bypass (MAB): Authentication for Clientless Devices. The switch sends EAPoL EAP Request-Identity three times; after the IEEE 802.1X timeout, any packet from the endpoint (here MAC 00.0A.95.7F.DE.06) triggers MAB: the switch sends the RADIUS server an Access-Request [AVP: 00.0A.95.7F.DE.06] and gets back a RADIUS Access-Accept. How are MACs authenticated?

19. MAC Databases: Device Discovery. Find it: leverage an existing asset database (e.g. purchasing department, CUCM). Build it: bootstrap methods to gather data (e.g. SNMP, Syslog, Accounting). Buy it: automated device discovery (e.g. ISE).

20. Building Your MAB Database: Profiling Tools Are Evolving. Before: ACS with a separate Profiler collecting SNMP, DHCP and MAC OUI data, queried by ACS over LDAP. Now: ISE 1.1 profiles endpoints itself from SNMP, DHCP and MAC OUI data, including the data carried in RADIUS Access-Request and RADIUS Accounting by the switch's Device Sensor (IOS 15.0(1)SE1).

21. To Fail or Not to Fail MAB? Two options for unknown MAC addresses:
  • MAB fails: the RADIUS Access-Request (MAB) is answered with Access-Reject and control of the session passes to the switch, which can apply 1) no access, 2) switch-based Web-Auth, or 3) the Guest VLAN.
  • MAC is unknown but MAB passes: the RADIUS Access-Request (MAB) is answered with Access-Accept carrying a Guest policy. The AAA server determines the policy for unknown endpoints (e.g. network access levels, re-auth policy); good for centralized control & visibility of the guest policy (VLAN, ACL).

22. Thinking About Authorization (diagram, same grid as slide 7). The Authorization row reads: pre-auth, VLAN, ACL, failed auth, AAA down; and the endpoints to think about: phones, link state, VMs, desktop switches.

23. Authorization Options: Pre-Authentication.
  • Default: Closed. Before authentication only EAPoL passes; DHCP, TFTP, KRB5 and HTTP are blocked.
  • Open: switch(config-if)#authentication open. All traffic (DHCP, TFTP, KRB5, HTTP, EAPoL) passes before authentication.
  • Selectively Open: switch(config-if)#authentication open plus switch(config-if)#ip access-group PRE-AUTH in. EAPoL and whatever the PRE-AUTH ACL permits (e.g. DHCP, TFTP) pass; the rest (e.g. KRB5, HTTP) is blocked until authentication succeeds.

24. SWITCHPORT Authori
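The exchange of slide 8 on the wire, as an added example written for this transcript (it is not code from the deck or from Cisco). It builds the supplicant's EAP-Response/Identity, wraps it in EAPoL for the Layer 2 hop, then re-encapsulates the same EAP packet in RADIUS EAP-Message attributes with the Message-Authenticator that RFC 3579 requires on every Access-Request carrying EAP. The shared secret, identities and MAC address are constructed for the demo; only the request direction is shown.

```python
"""802.1X frames: EAP inside EAPoL (supplicant->switch) and inside RADIUS (switch->server).
Added example; shared secret, identity and MAC below are made up for the demo."""
import hashlib
import hmac
import os
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAPOL_VERSION = 2              # IEEE 802.1X-2004
EAPOL_TYPE_EAP_PACKET = 0

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31   # endpoint MAC; what MAB and the MAR cache are keyed on
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15
MAX_AVP_VALUE = 253            # RADIUS attribute length is a single byte


def eap_response_identity(identifier: int, identity: str) -> bytes:
    """EAP packet: Code=Response, Identifier, Length, Type=Identity, identity text."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


def eapol_frame(eap_packet: bytes) -> bytes:
    """EAPoL header in front of the EAP packet: what leaves the supplicant's NIC."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_packet)) + eap_packet


def eap_from_eapol(frame: bytes) -> bytes:
    """The switch only strips EAPoL; it never interprets the EAP method itself."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAPoL EAP-Packet")
    return frame[4:4 + length]


def _avp(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_AVP_VALUE:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(secret: bytes, identifier: int, user_name: str,
                          calling_station_id: str, eap_packet: bytes) -> bytes:
    """The Access-Request the switch sends for one EAP response from the port."""
    request_authenticator = os.urandom(16)
    attrs = _avp(ATTR_USER_NAME, user_name.encode())
    attrs += _avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    attrs += _avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    # EAP packets over 253 bytes are split across several EAP-Message AVPs,
    # which the server concatenates in order.
    for i in range(0, len(eap_packet), MAX_AVP_VALUE):
        attrs += _avp(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_AVP_VALUE])
    # Message-Authenticator = HMAC-MD5(secret, whole packet with this value zeroed).
    attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += request_authenticator + attrs
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + digest        # the zeroed value was appended last


def parse_attributes(packet: bytes):
    """Yield (type, offset, value) for each AVP after the 20-byte RADIUS header."""
    offset = 20
    while offset < len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, offset, packet[offset + 2:offset + length]
        offset += length


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check. A request carrying EAP-Message without it must be dropped."""
    for attr_type, offset, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def eap_from_radius(packet: bytes) -> bytes:
    """Reassemble the EAP packet from the EAP-Message AVPs, in order."""
    return b"".join(v for t, _, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    eap = eap_response_identity(1, "alice")                       # constructed sample
    request = radius_access_request(b"s3cret", 7, "alice", "00-0A-95-7F-DE-06",
                                    eap_from_eapol(eapol_frame(eap)))
    print(verify_message_authenticator(b"s3cret", request), eap_from_radius(request) == eap)
```

The Request Authenticator is random and unauthenticated, so on an Access-Request the Message-Authenticator is the only thing binding the attributes (including Calling-Station-Id, which MAB and MAR trust) to the shared secret; a server that accepts EAP requests without checking it has no integrity protection on the switch-to-server hop.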
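The "Auth-Fail VLAN doesn't work" interaction of slide 13 replayed as a timeline, as an added example written for this transcript (not from the deck). The switch only moves a port to the Auth-Fail VLAN after the configured number of further failures; the native Windows supplicant stops answering for 20 minutes after its first EAP failure, so the switch then sees unanswered Request-Identity frames, not failures, and takes its 802.1X timeout path instead. The timer values are the deck's; the timeout path being modelled as a single "fall back to MAB / Guest VLAN" event after max-reauth-req unanswered requests is a simplification, and the default of 2 retries (3 failures) is taken from the slide.

```python
"""Port timeline for a supplicant with a bad credential, under two 'fail retry' settings.
Added example; the timeout path is simplified to one fallback event."""
from typing import List, Tuple


def replay(fail_retry: int, supplicant_block: int = 20 * 60, tx_period: int = 30,
           max_reauth_req: int = 2, horizon: int = 40 * 60) -> Tuple[str, int, List[str]]:
    """Return (outcome, seconds elapsed, log) for one port.

    fail_retry:       switch 'authentication event fail retry N' (failures tolerated
                      before the port goes to the Auth-Fail VLAN)
    supplicant_block: seconds the supplicant stays silent after an EAP failure
                      (Windows native supplicant: 20 minutes)
    tx_period:        seconds between Request-Identity frames from the switch
    max_reauth_req:   unanswered retries before the switch declares an 802.1X timeout
    """
    t, failures, timeouts, blocked_until = 0, 0, 0, -1
    log: List[str] = []
    while t <= horizon:
        if t >= blocked_until:
            # The supplicant answers, the credential is wrong: one EAP failure.
            failures += 1
            timeouts = 0
            blocked_until = t + supplicant_block
            log.append(f"{t:5d}s EAP failure #{failures}; supplicant silent for {supplicant_block}s")
            if failures > fail_retry:
                log.append(f"{t:5d}s port moved to Auth-Fail VLAN")
                return "auth-fail-vlan", t, log
        else:
            # The supplicant is in its block period: the switch sees silence, not a failure.
            timeouts += 1
            log.append(f"{t:5d}s Request-Identity unanswered ({timeouts}/{max_reauth_req + 1})")
            if timeouts > max_reauth_req:
                log.append(f"{t:5d}s 802.1X timeout: falling back to MAB / Guest VLAN")
                return "timeout-path", t, log
        t += tx_period
    return "still-trying", t, log


if __name__ == "__main__":
    for retry in (2, 0):
        outcome, when, lines = replay(fail_retry=retry)
        print(f"fail retry {retry}: {outcome} after {when}s")
        for line in lines:
            print("   ", line)
```

With the default retry count the employee with a mistyped password never reaches the Auth-Fail VLAN; the port falls into whatever the timeout path provides (MAB, then Guest VLAN if configured), which is usually a less restrictive outcome than intended. Setting `fail retry 0` makes the first failure decisive, which is what the slide's fix does.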
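The server-side decisions of slides 15, 18 and 21 in one toy policy engine, as an added example written for this transcript (not ISE or ACS code). It normalises the MAC received in Calling-Station-Id, since switches and asset databases write it in different formats; answers MAB for known and unknown MACs using the "unknown MAC but MAB passes with a Guest policy" option so the server keeps control of the session; and keeps a Machine Access Restriction cache so that a user authentication only gets full access from a MAC that did machine authentication recently. Profile names, MACs and the aging value are made up, and credential checking is a boolean parameter because the point is the authorization logic, not the EAP method.

```python
"""MAB lookup plus MAR cache as a RADIUS server would apply them. Added example;
profiles, MACs and the aging value are constructed for the demo."""
import re
import time
from typing import Callable, Dict, NamedTuple


class Decision(NamedTuple):
    code: str      # "Access-Accept" or "Access-Reject"
    profile: str   # authorization profile (VLAN / dACL) chosen by the server
    reason: str


def normalize_mac(calling_station_id: str) -> str:
    """'00-0A-95-7F-DE-06', '000a.957f.de06', '00:0a:95:7f:de:06' -> '000a957fde06'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits.lower()


class AaaPolicy:
    def __init__(self, mab_db: Dict[str, str], mar_aging: float,
                 now: Callable[[], float] = time.time) -> None:
        # MAB database (MAC -> profile), normalised once so lookups match any format.
        self.mab_db = {normalize_mac(m): p for m, p in mab_db.items()}
        self.mar_cache: Dict[str, float] = {}   # MAC -> time of last machine auth
        self.mar_aging = mar_aging              # seconds; demo value, tune per site
        self.now = now

    def mab(self, calling_station_id: str) -> Decision:
        """Slides 18/21: the MAC arrives as the identity; unknown MACs still get Accept."""
        mac = normalize_mac(calling_station_id)
        profile = self.mab_db.get(mac)
        if profile is None:
            # Accept with a restrictive Guest policy instead of Access-Reject, so the
            # session does not fall back to switch-local handling and stays visible here.
            return Decision("Access-Accept", "GUEST", "unknown MAC")
        return Decision("Access-Accept", profile, "MAC in MAB database")

    def machine_auth(self, calling_station_id: str, machine_cred_ok: bool) -> Decision:
        """Slide 15: a successful machine auth records the MAC in the MAR cache."""
        mac = normalize_mac(calling_station_id)
        if not machine_cred_ok:
            return Decision("Access-Reject", "", "bad machine credential")
        self.mar_cache[mac] = self.now()
        return Decision("Access-Accept", "MACHINE", "machine authenticated")

    def user_auth(self, calling_station_id: str, user_cred_ok: bool) -> Decision:
        """Slide 15: user auth is tied to the machine through the MAR cache."""
        mac = normalize_mac(calling_station_id)
        if not user_cred_ok:
            return Decision("Access-Reject", "", "bad user credential")
        seen = self.mar_cache.get(mac)
        if seen is None or self.now() - seen > self.mar_aging:
            # Valid corporate credentials on a device that never did machine auth, or
            # whose entry aged out: this example rejects; a site might push a
            # quarantine profile instead.
            return Decision("Access-Reject", "", "no recent machine auth for this MAC")
        return Decision("Access-Accept", "CORP-USER", "user on machine-authenticated device")


if __name__ == "__main__":
    aaa = AaaPolicy({"00-0A-95-7F-DE-06": "PRINTERS"}, mar_aging=3600)  # constructed
    print(aaa.mab("000a.957f.de06"))
    print(aaa.mab("00:11:22:33:44:55"))
    print(aaa.user_auth("0050.56ab.cdef", True))       # no machine auth yet
    print(aaa.machine_auth("00-50-56-AB-CD-EF", True))
    print(aaa.user_auth("0050.56ab.cdef", True))       # now tied to the machine
```

Two properties of the MAR approach show up directly in the code: the link between machine and user is only the MAC string carried in Calling-Station-Id, and the cache entry expires, so a user who logs in after the aging period on a machine that did not re-authenticate is rejected even with good credentials. EAP Chaining (slide 16) avoids both by proving machine and user in the same EAP-FAST session.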