Back to Home

DNA Security - Integrated Network Security / Cisco Blog

Cisco · DNA · Digitalization · Digitalisation · StealthWatch · ISE · Trustsec

DNA Security - Integrated Network Security

    Introduction:

    Considering the security built into the network infrastructure and speaking of concepts such as DNA, we mean something very deeply integrated and embedded in the essence itself, in this case the essence of the network. But we will begin, in principle, with the very concept of DNA and how Cisco sees it for the network as a whole and what role information security plays here.

    The DNA:

    DNA concept is Cisco’s new infrastructure approach that brings with it the ability to provide the technologies and approaches that can give a modern business the benefits and drivers that a modern enterprise needs to do business effectively in the Digital Age.




    Figure No. 1

    Integral components of this approach are programmability.infrastructure, the flexibility to automate operations, the rapid implementation of services, abstraction and reduce operating costs both to support the current infrastructure, and to introduce innovations and services. The network must be flexible and in this we come to the aid of the capabilities of the SDN architecture, software APIs that give flexibility in integrating systems, quickly adapting to your needs of the system infrastructure.

    Virtualization supplemented by software interfaces gives flexible opportunities for the deployment of ready-made infrastructures and their rapid replication, change and adaptation to changing business needs.

    AnalyticsA smart modern network should be not only a tool for deploying services and ensuring business operations, but also a source of important information and analytics that can provide real leverage for making decisions and adjusting business processes.

    The deep integration of cloud services, applications and infrastructure with services deployed on the customer’s site erases the line and provides transparent and convenient mechanisms for the development and implementation of hybrid infrastructures, which is one of the key requirements of modern digital business.

    In view of the risks currently experienced by growing cyber threats that present real risks to business, especially in an era when we are increasingly dependent on telecommunications, the Internet of things and online operations, more and more attention needs to be paidinformation security and this DNA concept includes information security tools and mechanisms as a fundamental component of the entire infrastructure. Whatever we introduce, what service we do not launch, it must be deployed, operated and maintained safely, and this process of ensuring information security should be automated as much as possible thereby not reducing, but only increasing the efficiency of the business and its processes. The main pillars of this concept are shown in Figure 1.

    Network as a security tool:

    At the current time, the classical approach to segmentation and providing access to the network creates many blank spots in the infrastructure, the lack of deep control and visibility inside the infrastructure. We cannot fully see what is happening inside our network infrastructure, in fact we are blind to those activities that occur in the protected segments of our network infrastructures, because the only way to get detailed information on network activities is through these connections through specialized filtering or analytics tools, such such as firewalls (ITUs), intrusion prevention systems (IPS), and other devices that conduct in-depth packet analysis and protocol inspection. Thus, if we take the vast majority of networks where such solutions are located at a minimum, namely, on the perimeter of access to external networks and on access to the data center - we do not have a picture of what is happening inside our campus network and inside the data center. Active scanning, compromise, denial of service attacks, attempts to output data of a distributed type with their previous collection, etc., can occur inside the network, however, we will be blind to this. Installing an ITU or IPS on each floor switch is an impossible financial task, and the performance required for deep packet analysis, required for access / distribution / core level is a very, very expensive pleasure. As a result, we detect an attack only when the network traffic reaches the control point, for example, the network perimeter, unfortunately, all the underlying infrastructure at that time can already be compromised.



    Figure №2

    Imagine that you can see and constantly monitor all transactions within the network and have their full history, but what will it give us in your database?

    • The chaos of dynamic IP addresses and anonymous transactions search in which any significant events brings even more confusion
    • IP addresses are constantly changing and the binding to the host and user topology at time A and B can be completely different, but what if the incident occurred three months ago?
    • How to understand which user and device at each moment of time was tied to the data stream, what was their role and method of accessing the network, how to determine the harmfulness of the connection behavior or to predict the harmfulness of the behavior on a long-term basis?
    • What control methods can we apply if necessary?
    • How to recognize malicious behavior and integrate the network with high-level enterprise information security systems?
    • How to clearly monitor all of these devices and their activities, which are likely to violate security policies?

    These and other questions are answered by the DNA Security built-in network security concept.

    The modern Cisco intelligent network of a digital enterprise can be an effective means of information security and can be flexibly integrated into existing information security systems of an enterprise by exchanging with it all the wealth of existing knowledge about the connected infrastructure and activities in it. After all, the Cisco intelligent network has a wide range of knowledge, such as:

    • What is connected to it and can determine the type of connected devices.
    • Which users are behind the terminal devices at specific times.
    • It can provide an analysis of the state of the device in the most convenient and transparent way.
    • He sees all the transactions passing through it and can transfer this knowledge through the Flexible Netflow protocol, enriching the data fields with additional knowledge and context.
    • Attribute data streams and personify them.
    • Carry out automatic role-based segmentation of access according to a centralized security policy, taking into account the context and transparently apply it throughout the infrastructure.
    • It can block the intruder directly at the point of connection to the network, whether it is a wired network, wireless or access via VPN.
    • It is transparent to authorize access based on context, without reference to the topology and addressing, regardless of the point and method of connection.
    • Provide integration software interfaces for third-party systems for operational automation, including information security.

    Thus, the network turns not only into a full-fledged sensor, but also into an effective means of monitoring information security.

    The key components to achieve more from our network infrastructure and turn it into an effective information security tool are the Cisco Identity Services Engine with the Cisco Trustsec and Cisco StealthWatch security architectures, see Figure 3.



    Figure №3

    Network as a control tool:

    The core of the architecture is the network access control and accounting system - Cisco Identity Services Engine (ISE) , whose tasks include:

    • Authentication of user and non-user network connections in wired / wireless / VPN directions.
    • Determining the type of connecting devices using the analysis of network activities of terminal devices using a number of protocols. For this, the Device Sensor function in Cisco intelligent Switches / WLANs and the tree-like heuristic definition database in Cisco ISE itself are used.
    • Integration with custom catalog systems and both active and passive connection authentication.
    • Role-based authorization of each network connection with the assignment of the Security Group Tag (SGT), depending on the context, for individual functional roles in the network, see Figure 4. Transparent automatic access segmentation using the Cisco Trustsec architecture using a single SGT tag access matrix, see Figure 5.
    • Assess the status of connecting devices and their compliance with the company’s security policy.
    • Exchange of the accumulated context through the program interface with other solutions that make up the Cisco network security architecture, as well as with third-party information security systems with the ability to quickly change the authorization of the connected device in the event of an information security incident.


    Figure # 4


    Figure # 5

    Using Trustsec programmable segmentation, our devices / users on the network are assigned the SGT label depending on their functional role in the network defined by us (the business). Having an access matrix in ISE, we clearly indicate which roles (SGT labels) can have access to which roles (SGT labels) and how this access should be in a simple and understandable matrix-type interface. As soon as the device, connecting to the network, receives this label, all associated access policies from the specified matrix are automatically applied to all transactions directed from the source label to the destination labels of other functional roles in the enterprise network.

    As a result of the integration of ISE into the infrastructure, we precisely understand who, what (see Figure 6) and with what rights does the connection to our network have, we performed automatic role segmentation of our network and now the issue of attribution of gray IP addresses in the past becomes resolved - we got an accurate picture of who / where / when / how to connect with and with what rights. Next, we will examine how we will get a deeper look at what is happening in our protected segments and see what was hidden in the past for us.



    Figure 6

    Network as a security sensor:

    Cisco has pioneered the implementation of Netflow features on campus infrastructure equipment. Classically, the Netflow protocol was used to evaluate network performance and search for problems / debugging, however, being able to receive a complete (not sampled) Netflow directly from access level devices allows us to get the visibility of all connections up to transactions between access ports on the same switch. The convenience of NetFlow is that we collect only the descriptive part of network connections, which provides the following advantages:

    • We do not overload the communication channels to transfer large volumes of analytics, Netflow traffic is incomparably small compared to the data itself, which it describes, in fact it is metadata.
    • There is no need to change the topology, because we can collect these statistics, like syslog, from the entire infrastructure at a single point.
    • Using analytics algorithms and mathematical behavioral models of malicious behavior, we can detect signs of malicious behavior.
    • By accumulating analytics, you can perform long-term analysis and track abnormal behavior in the infrastructure.

    The analysis of the NetFlow data collected, behavioral analysis, monitoring abnormal behavior and monitoring the implementation of security policies for organization traffic is performed by Cisco StealthWatch , with more than 90+ algorithms and mathematical models for determining malicious behavior of various categories on board, see Figure 7.



    Figure 7

    But can Netflow be of any use to us, the network and its individual components can give us a large amount of telemetry, which, when aggregated, gives an even deeper context to the ongoing activities and allows them to be more clearly identified. Having a complete picture of network activities, we can bind real-time data from such subsystems as (see Figure 8):

    • Firewalls with Address Translation (NAT) and Filtering Solution (permit / deny) (NSEL / Netflow)
    • Proxy Servers with Associated Web Transaction Logs (Syslog)
    • Information from identification systems, access control control - AD / ISE (API / PXGRID)
    • End user hosts for tracing network activities up to the process and privileges of the user who generated them (IPFIX / Netflow)
    • Apply global Threat Intelligence to identify malicious host connections (SLICs)



    Figure 8

    Let us consider several examples of how telemetry can be useful for us in attributing data streams. We will search for data streams according to criteria of interest to us or simply respond to the threat by looking at the associated transactions (see Figures 9, 10, 11).

    In Figure 9, we clearly see an example of data stream attribution:

    • Which user was behind the workstation that generated the network activity.
    • Parameters of the network activity itself.
    • The name of the process on the workstation that generated the activity.
    • The hash of the file that was the parent of this process.
    • Privileges of the user under which this process was started.
    • When using the TrustSec architecture, you can see the SGT labels of the source and destination of the traffic.



    Figure No. 9

    In Figure No. 10 we see the device profile, it also indicates:

    • What alarms on this device worked, when and from which categories.
    • You can delve into the flows associated with an alarm message.
    • Search for any transactions on this host.
    • See the timeline of user activity on this host.
    • Analyze traffic patterns for the last 24 hours, broken down by protocols in the outgoing and incoming traffic directions.
    • Quarantine your device when integrating with Cisco ISE.



    Figure No. 10

    In Figure No. 11 we see the result of integration with the corporate WEB-Proxy and receiving telemetry from it. This telemetry provides detailed information on WEB requests associated with HTTP / HTTPS transaction traffic, with additional attributes provided by WEB-Proxy, such as:

    • The IP address of a specific Proxy from the farm that processed the request.
    • The IP address of the machine that made the request and the IP address that was resolved by DNS at the time of the request to the domain.
    • The requested domain.
    • The full requested URL.
    • The user, as he was associated with the transaction on the proxy server.


    Figure 11

    Network factory and integration:

    As we can see, collecting rich telemetry from our network, we received a very high level of visibility and attribution of all network activities within the network (see Figure 12). Our network has become a real network factory with clear role segmentation and transparency of all transactions with the detection of malicious behavior, which allows us to bring our information security system to a new level.


    Figure 12

    API APIs make it possible to transparently integrate this architecture into the enterprise’s information security infrastructure and how to exchange context with ISE about the attributes of each terminal device in the network with firewall, intrusion detection, anti-malware, content filtering systems, SIEM systems for acceptance filtering decisions based on the knowledge provided, and be an effective control lever to block threats directly at the sub network access - quarantine a compromised device or intruder using ISE in either automatic or manual mode.

    Conclusion:

    In conclusion, I want to say that the network of a modern digital enterprise should help businesses be more successful, help faster and more efficiently implement innovations, automating the routine manual operations of deploying services and supporting infrastructure, providing automated and deep information security tools in their very essence, in their DNA, giving deep analytics and understanding of ongoing processes for the possibility of rapid decision-making.

    The described architecture takes to a whole new level the capabilities of the network infrastructure to actually reduce operating costs and provide opportunities for:

    • The introduction of new services without changing the topology and associated labor.
    • The flexibility and mobility of employees and devices on the network with transparent access authorization.
    • Automatically maintain role segmentation and enforce security policies in a simple and straightforward manner from a single interface.
    • Monitoring the status of connected devices and correcting it until the complete automation of this process.
    • Deep visibility and analysis of everything that happens on the network, the detection and blocking of malicious activity in those areas that were previously a blind spot.
    • Integration with enterprise information security systems to build a seamless transparent enterprise information security system.
    • Getting rich context about the network and its components and historical tracking to enable detailed incident investigation.

    The Cisco DNA architecture enables you to get more out of your Cisco intelligent network and take full advantage of its capabilities to move to a modern digital enterprise.

    Useful Links:
    Article - Cisco DNA Architecture

    Read Next