
How Cisco TrustSec Software Defined Network Segmentation Can Help Business
The article discusses network segmentation - an important information security (IS) tool that can significantly reduce the likelihood of security incidents and the related damage even if intruders get inside the perimeter of the corporate network.
The traditional approach to segmentation and its limitations are analyzed. A new approach to segmentation based on Cisco TrustSec technology is considered, which eliminates these restrictions.
A series of typical IT and IS tasks related to segmentation is considered, and solutions to these problems proposed by traditional and new approaches are compared.
It analyzes in detail the new business opportunities and benefits offered by Cisco TrustSec.
The corporate network has become a critical business tool for many companies, since it underpins many business processes that involve the transfer of information. At the same time, threats to information security are constantly evolving, and the need for effective countermeasures grows every day.
For a long time, the attention of information security specialists was focused mainly on protecting the network perimeter. But in modern networks the classical concept of the perimeter is gradually eroding. Users connect to the network in a variety of ways, including wired and wireless segments as well as VPN connections. At the same time, an organization's IT infrastructure usually contains many types of users and devices that need access to different network resources to do their work. Implementing proper access control in today's distributed and dynamic IT infrastructures is a daunting task. Given the large number of attack vectors that allow attackers and malware to penetrate the corporate IT infrastructure,
One of the most popular measures aimed at reducing the damage caused by an intruder penetrating the corporate IT infrastructure is network segmentation. An implied preliminary stage of segmentation is the separation of users and network resources into isolated groups (closed groups of users and resources). Communication between these groups is monitored or even blocked depending on the requirements of the organization’s security policy.
The principles used to divide users into groups are determined by the organization’s security policy. As one of the typical options for dividing users and devices into categories, one can cite the following: employees, temporary staff, guests, users with devices that do not comply with corporate policy (quarantine), engineering subsystems of buildings, and so on. In addition, employees may not be placed in one group, but divided into several groups, for example, ordinary employees, management, top management, accounting, etc.
Network segmentation helps information security by limiting the ability of attackers to inflict damage if they penetrate the protected perimeter.

Network segmentation helps significantly reduce risks. Quotes:
- Digital Guardian: “Eataly's network segmentation prevented a POS compromise at one store from compromising systems at the chain's 26 other locations across the globe”.
- US-CERT: “Effective network segmentation ... reduces the extent to which an adversary can move across the network”.
- Australian Government, Department of Defense, Intelligence and Security: “Network segmentation ... is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement.”
Dividing users into groups and network segmentation is not an end in itself, but can be very important for improving the security of business processes. In this sense, such business processes rely on segmentation. An organization’s security policy may require employees of different categories to gain access only to those corporate resources that they need to have access to do their job. For example, access to a group of ERP system servers with confidential business information can be provided only to management, and access to confidential HR databases - only to employees of the HR department and, possibly, management. At the same time, lower-level personnel or temporary employees can access only a limited set of corporate applications, for example, the corporate CRM system and e-mail,
In the cases described, segmentation affects business processes in two ways: it is important for ensuring information security, and, since information security incidents can disrupt availability, it also helps to increase the availability of the business processes themselves.
In addition, there is a whole group of business processes that are highly undesirable to run without segmentation. For example, this group includes processes that give users who are not employees of the organization access to the corporate network. A typical example is providing network (or Internet) access to so-called guest users. Other cases include access for employees of partner companies, access for auditors, and connecting devices belonging to other organizations to the network, such as ATMs, digital signage and payment terminals. Another scenario in which segmentation is recommended is restricting access between employees of affiliated structures that share the same network.
There can be many similar scenarios, but all of them lead to the problem of realizing segmentation in practice.
When implementing network segmentation, it is necessary to solve 3 key tasks:
- task 1: placing each user or device in the right group;
- task 2: isolating the traffic of the groups from one another;
- task 3: controlling access between the groups.
Problem 1 is usually solved by authentication and authorization using the 802.1x protocol against a RADIUS server (often using data from a corporate directory service such as Active Directory). Other methods are possible - static placement of users based on the connection port, VLAN or IP subnet, authorization by MAC address, and so on, depending on the capabilities of the AAA server and the equipment used.
Problem 2 is traditionally solved by creating a separate virtual topology for each user group. As a rule, this is done with various network virtualization tools. In small networks these tools are usually VLANs and 802.1Q trunks. Layer 3 technologies such as Multi-VRF CE (VRF-Lite) are also often used. Large networks typically use MPLS VPN.
Problem 3, as a rule, is solved by packet filtering based on IP addresses. Access control can be implemented using such “crude” means as access control lists (ACLs) on network infrastructure elements, and fine filtering on new generation security systems (NGFW, NGIPS), but the fundamental principle remains the same - the basic criterion to make a decision on admission / non-admission is the IP address. Filtering is carried out in one or several places intended for traffic exchange between user groups.
Sometimes packet filtering is used without creating virtual topologies, i.e. packet filters simultaneously serve to solve both problem 2 and task 3.
Traditional methods for solving problems (2) and (3) can lead to a significant amount of manual work, especially during network operation.
The more dynamic the segmentation environment, the more noticeable this becomes, for example:
Segmentation support becomes more difficult the more you have to deal with a large number of closed user groups.
The situation is aggravated by the fact that access control rules are based on IP addresses. Such rules are hard to work with and it is easy to make mistakes in them. In addition, using IP addresses as the basic access control criterion significantly limits the ability to change the addressing scheme, and in some cases makes changes practically impossible. Finally, an IP address cannot identify the user, the device or its status, and it is easily spoofed.
Often there are so many access control lists, and so many lines (Access Control Entries, ACE) in the lists themselves that administrators find it difficult to remember what a particular line is for, and they are afraid to change or delete these lines. With time, lists grow and their maintenance becomes even more complicated. This is because the number of ACE lines is determined by the product ACE = S ∗ D ∗ P, where S is the number of source addresses (sources), D is the number of destinations (destinations), and P is the number of access permissions (permit). For example, even in the case of a relatively small network in which access rules relate to 4 VLANs, from which access to 30 subnets to 4 applications is allowed (which requires at least 4 permit entries in the ACL), administrators deal with at least 4 ∗ 30 ∗ 4 = 480 lines.
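The ACE = S * D * P growth described above, as an added example that is not part of the original article: it expands a constructed policy (4 source VLANs, 30 destination subnets, 4 permitted applications, matching the article's figures) into IOS-style extended ACL lines and into the equivalent SGACL entries, and shows what happens when one subnet is added. The VLAN and subnet values and the assumption that the 4 VLANs map to 4 SGTs and the servers to 1 SGT are constructed for illustration.

```python
from itertools import product

# Constructed sample policy matching the article's figures (4 * 30 * 4 = 480).
SOURCE_VLANS = [f"10.{i}.0.0 0.0.255.255" for i in range(1, 5)]      # 4 VLANs
DEST_SUBNETS = [f"10.100.{i}.0 0.0.0.255" for i in range(1, 31)]     # 30 subnets
APP_PORTS = {"http": 80, "https": 443, "smtp": 25, "ldap": 389}      # 4 apps


def ip_acl_entries(sources, destinations, ports):
    """Expand a policy into IOS-style extended ACL entries.

    One line per (source, destination, port) combination: S * D * P lines.
    """
    return [
        f"permit tcp {src} {dst} eq {port}"
        for src, dst, port in product(sources, destinations, ports)
    ]


def sgacl_entries(ports):
    """The same policy as the SGACL of one matrix cell.

    Source and destination are implied by the cell (source SGT, destination
    SGT), so only the permitted applications are enumerated: P lines per cell.
    """
    return [f"permit tcp dst eq {port}" for port in ports]


def compare(sources, destinations, ports, src_groups, dst_groups):
    """Return (IP ACL line count, total SGACL line count).

    Assumption (constructed): sources map to src_groups SGTs and destinations
    to dst_groups SGTs, so the matrix has src_groups * dst_groups cells.
    """
    acl = ip_acl_entries(sources, destinations, ports)
    sgacl_total = src_groups * dst_groups * len(sgacl_entries(ports))
    return len(acl), sgacl_total


def growth_when_adding_subnet(sources, destinations, ports, src_groups, dst_groups):
    """How many lines each approach gains when one more destination subnet
    joins the existing server group (the IP ACL grows by S * P, the SGACL by 0)."""
    before = compare(sources, destinations, ports, src_groups, dst_groups)
    after = compare(sources, destinations + ["10.100.31.0 0.0.0.255"], ports,
                    src_groups, dst_groups)
    return after[0] - before[0], after[1] - before[1]


if __name__ == "__main__":
    n_acl, n_sgacl = compare(SOURCE_VLANS, DEST_SUBNETS, APP_PORTS.values(), 4, 1)
    print(f"IP ACL lines: {n_acl}, SGACL lines across the matrix: {n_sgacl}")
    print("growth per added subnet (ACL, SGACL):",
          growth_when_adding_subnet(SOURCE_VLANS, DEST_SUBNETS, APP_PORTS.values(), 4, 1))
```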
The high complexity of working with access control lists sometimes means that some organizations do not use segmentation at all, or abandon it as the network grows. Those who do use segmentation are often forced to spend a lot of time and effort on coordination between the IT, information security and business departments, on exchanging requests, and so on.
As a result, IT and IS staff carry a significant burden, spending working hours on operations that are routine yet responsible and demand a lot of attention. Typical consequences:
TrustSec is a segmentation technology developed by Cisco that overcomes the difficulties discussed above through automation.
As with traditional methods, Cisco TrustSec solves the problem of placing the user in the right group (task 1, in TrustSec terminology: Classification) by authenticating and authorizing the user with the 802.1x protocol against an access control server, which is Cisco Identity Services Engine (Cisco ISE). The Cisco ISE server can authenticate and authorize using both its internal user database and external directories such as Active Directory. TrustSec does not require any specific type of user credentials - options include, for example, MSCHAPv2, Generic Token Card (GTC), RSA one-time passwords, and so on. Alternative methods are also possible, such as MAC Authentication Bypass, Web Authentication, AD-based Passive Identity (Easy Connect), etc. In addition, static methods are available - based on VLANs, IP addresses, interfaces, etc.
But further approaches differ fundamentally. Cisco TrustSec provides for the assignment of the traffic of each closed user group to the corresponding 16-bit security label (Security Group Tag, SGT) when connecting to the network, more precisely, when entering the TrustSec domain. This is usually done on an access switch or other device on the edge of the corporate network.
The wealth of classification and labeling capabilities for user groups and all types of connections - wired, wireless, VPN, server connections in the data center and other organizations - allows you to create a single, comprehensive access policy for all types of devices and connections on the basis of TrustSec (see Fig. 1).

Fig. 1. Cisco TrustSec allows you to create a single, comprehensive access policy for all types of devices and connections.
The SGT label is assigned by the Cisco ISE server or statically by a network infrastructure element, and from then on TrustSec works with labels.
This is the fundamental difference between solving the traffic isolation problem (task 2, in the terminology of TrustSec - Propagation, distribution). In the traditional approach, this requires the creation of a virtual topology for each group. In TrustSec, this is not necessary, since TrustSec provides for the assignment of SGT label to the traffic of each group. This eliminates the need to create virtual topologies and greatly simplifies the network: all closed user groups can work on the basis of a single network topology.
Further, TrustSec offers a fundamentally different, simpler and more effective solution to the access control problem (task 3, in the terminology of TrustSec - Enforcement, application of policies). The traditional approach involves the use of IP-based access control lists (ACLs). TrustSec works with access control lists based not on IP addresses, but on SGT labels. These lists are called the Cisco TrustSec Security Group ACL (SGACL). Using SGACL can significantly simplify the work: instead of numerous and difficult to maintain ACLs based on IP addresses, administrators deal with SGACLs based on group labels and independent of either addresses or virtual topologies.
This concept is implemented in the Cisco ISE TrustSec Policy matrix. Instead of many disparate access control lists, the administrator works with a centralized matrix (see Figure 2). Matrix rows are traffic source groups, columns are destinations. Access policies are defined in the intersection cells as SGACLs. Both simple rules (permit / deny for any traffic) and more complex SGACLs detailing allowed and forbidden traffic are possible, similar to how it is done in ACLs, except that sources and destinations are identified by SGT labels, not IP addresses.

Fig. 2. Illustration of the access matrix concept in the Cisco TrustSec Policy Management Matrix.
It is not necessary to fill in all the cells of the matrix — unfilled cells follow the Default Policy, which can prohibit or allow all traffic by default. The filled cells follow the rules configured in SGACL, after which the Default Policy is executed.
The concept of the access matrix and the dynamic assignment of labels allow you to implement the access policy centrally, conveniently and consistently. TrustSec distributes this policy across the network by dynamically passing SGT labels and SGACL rules.
SGT tags can be distributed across the network in three ways: as part of the frame headers or packets of the transmitted traffic (the inline method), using the SGT Exchange Protocol (SXP) running over TCP, or using Cisco Platform Exchange Grid (pxGrid) technology.
The first method provides very high scalability and convenience, because tags are transmitted along with traffic, but the device must be able to work with tags embedded in frames or packets. This is not always available, especially when working with tags in Ethernet frames that require hardware implementation in integrated circuits (ASICs). In addition, not all network devices may have TrustSec implementation, and then the task of combining TrustSec “isolated areas” among themselves may arise. In such cases, you can use the second method - the transfer of labels via SXP. The third method, based on pxGrid, provides integration with other information security solutions from Cisco and its partners.
Currently, Cisco has implemented TrustSec technology in dozens of its product lines, including switches for corporate and industrial networks and data centers, firewalls, routers, WLAN controllers, etc. In addition, although TrustSec is a proprietary Cisco development, in 2014 Cisco published an IETF informational draft describing the Source-group tag eXchange Protocol (SXP) to open TrustSec functionality to other vendors.
As for the propagation of SGACL rules, network infrastructure elements download them automatically from the Cisco ISE server. When an administrator changes TrustSec policies, he can immediately distribute them over the network using the push command in the Cisco ISE interface. It is also possible to refresh the TrustSec policy locally on a device with a CLI command. Devices also refresh policies periodically when their expiry timeout elapses.

Fig. 3. An example of applying the TrustSec policy
Consider the application of a TrustSec policy using an example (see Figure 3). User Alice connected to the network, passed authentication and authorization on the Cisco ISE server, and according to the authorization results she was assigned to group 5 (Marketing). The access switch assigns the SGT label 5 to packets entering the network from her computer. For simplicity, suppose that all the switches shown in the figure are covered by the TrustSec domain, and that TrustSec policies are applied on the interfaces of the Nexus_SGACL switch, to which the Nexus1 and Nexus2 switches are connected (although policies can be applied on other routed and switched interfaces of the TrustSec domain). The administrator configured Cisco ISE and distributed the access policy shown in the table in Fig. 3 across the TrustSec domain.
Suppose Alice's computer sends an IP packet to a server belonging to the HR group. The packet is transmitted through the network and arrives at the Nexus_SGACL switch, which applies the policy already downloaded from the Cisco ISE server. As we recall, the access matrix is read according to the “left-right-bottom-up” mnemonic rule, so the policy in the example specifies Deny for all traffic of the Marketing group (label 5) directed to recipients in the HR group (label 20). Since the HR server with the address 10.1.100.52 belongs to the HR group, the switch drops Alice's packet, thus fulfilling the segmentation policy requirement.
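The enforcement step just described, as an added example that is not part of the original article: a small model of the policy matrix in which a switch looks up the destination SGT from IP-to-SGT bindings, evaluates the SGACL of the (source SGT, destination SGT) cell first-match, and falls through to the Default Policy for unfilled cells or unmatched traffic. The Marketing (5) to HR (20) Deny and the HR address 10.1.100.52 come from the article; the 10.1.200.0/24 web group with SGT 30, its cell, Alice's address and the Default Policy value are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

UNKNOWN_SGT = 0  # TrustSec reserves SGT 0 for unknown / unclassified traffic

# Classification state as the enforcement switch would hold it (learned via
# SXP, for instance). Constructed sample, mirroring Fig. 3 where possible.
IP_SGT_BINDINGS = {
    ip_network("10.1.100.0/24"): 20,  # HR servers, includes 10.1.100.52 (article)
    ip_network("10.1.200.0/24"): 30,  # constructed: web server group, SGT 30
}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    dst_port: Optional[int] = None   # None matches any port


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None
    sgt: int = UNKNOWN_SGT           # stamped by the access switch at ingress


# Policy matrix: (source SGT, destination SGT) -> SGACL, a first-match ACE list.
POLICY_MATRIX = {
    (5, 20): [Ace("deny")],                              # Marketing -> HR (article)
    (5, 30): [Ace("permit", "tcp", 443), Ace("deny")],   # constructed cell
    (5, 40): [Ace("permit", "tcp", 22)],                 # constructed: no catch-all
}
DEFAULT_POLICY = "permit"  # constructed; the article says it may be permit or deny


def classify_dst(dst_ip: str) -> int:
    """Map a destination IP to its SGT using the bindings table."""
    addr = ip_address(dst_ip)
    for net, sgt in IP_SGT_BINDINGS.items():
        if addr in net:
            return sgt
    return UNKNOWN_SGT


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def enforce(pkt: Packet, matrix=POLICY_MATRIX, default=DEFAULT_POLICY) -> str:
    """Return "permit" or "deny" for the packet, as the SGACL switch would."""
    cell: Optional[List[Ace]] = matrix.get((pkt.sgt, classify_dst(pkt.dst_ip)))
    if cell:
        for ace in cell:
            if ace_matches(ace, pkt):
                return ace.action
    # Unfilled cell, or the cell's SGACL matched nothing: Default Policy applies.
    return default


if __name__ == "__main__":
    alice = "10.1.5.10"  # constructed address for Alice's computer
    for p in (Packet(alice, "10.1.100.52", "tcp", 445, sgt=5),
              Packet(alice, "10.1.200.10", "tcp", 443, sgt=5),
              Packet(alice, "10.1.200.10", "tcp", 22, sgt=5)):
        print(p.dst_ip, p.dst_port, "->", enforce(p))
```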
Switches use SGACL in hardware at the link speed, so label-based filtering does not affect switching performance.
You can familiarize yourself with the details of configuring TrustSec policies on the Cisco ISE server in the technical documentation. Detailed information on configuring TrustSec on network infrastructure elements, such as Catalyst switches, is also available in the documentation. Design Guides on TrustSec are also available on the Cisco website.
Thus, Cisco TrustSec offers the dynamic distribution of access control policies throughout the network, including the ability to cover all types of network access - wired, wireless, VPN - within a single, centralized policy.
Cisco TrustSec covers more than just the network infrastructure and the Cisco ISE server. Thanks to the pxGrid interface, TrustSec integrates with other Cisco (and partner) solutions, such as Cisco Firepower, Cisco Web Security Appliance (WSA), Cisco Stealthwatch, etc. In particular, this integration allows the creation of very fine-grained access policies for applications and micro-applications based on SGT tags, using the arsenal of next-generation Cisco Firepower firewall features. Another example is applying different web access privileges on the Cisco WSA based on SGT labels. A third example is building Stealthwatch policies to combat targeted threats that take into account the user's membership in a particular SGT group. A fourth example is a special case of the Cisco Rapid Threat Containment solution: Cisco Stealthwatch or Cisco Advanced Malware Protection identifies an IS threat (for example, an infected computer) and sends a request to Cisco ISE to restrict that computer's access using TrustSec tools (dynamic quarantine).
In addition, TrustSec, which is essentially a software-defined segmentation technology, integrates with the software-defined data center architecture Cisco Application Centric Infrastructure (ACI). The integration establishes a mutual correspondence between closed user groups segmented with SGT tags and applications whose components are segmented into ACI endpoint groups (EPGs). As a result, it becomes possible to create end-to-end software-defined security policies covering both the network and the data center.
Both technologies - TrustSec and ACI - are aimed at optimizing and automating processes in the areas of security and data centers. In this sense, technologies are mutually reinforcing and, when used together, offer additional synergistic benefits.
Consider a number of typical tasks of IT and IS departments and compare the expected results of solving them in two network scenarios: one in which segmentation is implemented with traditional methods (let us call it the AS-IS network) and one with segmentation based on Cisco TrustSec technology (the TO-BE network).
For definiteness, suppose that in both scenarios users are placed in the desired group (task 1) as a result of authentication and authorization of 802.1x on a RADIUS server using the Active Directory directory service. Thus, the solution to this problem in both scenarios is not fundamentally different.
But isolation of user traffic (task 2) is implemented in the AS-IS network by creating virtual topologies or using ACLs, and in the TO-BE network by assigning SGT labels to frames.
Access control (task 3) in the AS-IS network scenario is implemented using the ACL, and in the TO-BE network scenario, it is implemented using the Security Group ACL (SGACL), which are dynamically distributed over the network from the Cisco ISE server.
We assume that the network equipment in the AS-IS scenario supports the necessary virtualization technologies, and in the TO-BE scenario - TrustSec functionality.
Consider these typical tasks.
5.1. Routine operations to create / modify / delete
The tasks of this type include operations related to controlling the access of existing users to network resources.
In the case of the source network (AS-IS), the problem is solved by manually editing the access control lists (ACLs) configured on one or many elements of the network infrastructure. Especially many edits may be required in the case when ACLs are used both for isolating traffic (instead of virtual topologies) and for access control.
To cope with a large number of ACLs as part of the traditional approach, you can try to centralize their application to traffic. This will require, firstly, to implement virtual topologies to isolate the traffic of closed user groups (solution to Problem 2), and secondly, to implement traffic exchange between these topologies and the use of ACLs (solution to Problem 3) in the minimum acceptable number of network points.
Such centralization of traffic exchange can help reduce the number of ACLs, but does not completely eliminate the problems of the traditional approach. In addition, it contributes to additional “bottlenecks” in the network and makes traffic routes between groups less optimal. Non-optimal paths between groups appear because traffic must pass through an exchange point that may not lie on the shortest path. In the English-language literature the difference between the shortest and the actual path is called network stretch. In general, applying policies typically increases network stretch.
In a network with TrustSec (TO-BE), the solution to the problem is automated. Resource access control is implemented by configuring the TrustSec Policy Management Matrix centralized on the Cisco ISE access control server. Access policies are dynamically distributed across network infrastructure elements and are implemented in SGACL.
There is also no need to set specific ACLs on the corresponding interfaces, as was the case in the AS-IS network. Instead, TrustSec policies are activated on the interfaces, but the devices themselves receive the SGACL rules dynamically. Therefore, it is no longer necessary to centralize the exchange of traffic between groups; it can be made distributed. As a result, it becomes possible to reduce network stretch, optimize traffic exchange between groups, and reduce the number of bottlenecks.
Thus, TrustSec offers:
5.2. Create / modify / delete resources and private
Tasks of this type may involve creating or removing closed user groups, launching or retiring network resources that rely on segmentation, and changing the geographical coverage of user groups. Such tasks arise, among other cases, within the concept of the “agile office”.
In an AS-IS network scenario, closed user groups are implemented by creating virtual topologies using tools such as VLAN, VRF, MPLS VPN, tunnels, etc. An alternative is to use ACLs for both segmentation and access control.
Adding new groups or deleting old ones requires a significant investment of time and manual labor, and is also often associated with configuration errors and downtime of business processes due to the “human factor”.
In a TrustSec (TO-BE) network scenario, adding or removing a closed user group is accomplished by creating or removing a group label (SGT) on the Cisco ISE server and assigning users to the desired groups. However, changes to the network configuration, as a rule, are not required.
As a result, TrustSec provides:
This scenario also covers changes in the geographical coverage of closed user groups: for example, adding users from another building or an office in another city to a group, physically relocating user groups during a move, changes in the composition of departments, the “agile office” concept, etc.
In the AS-IS network scenario, it is not enough to perform a series of segmentation work once — combine VLANs and VRFs into virtual topologies, apply ACLs (possibly on numerous network interfaces), etc. Similar work needs to be carried out in the future, with changes in the segmentation policy.
Therefore, if you initially implement segmentation for all groups throughout the network, you will have to pay for it with an even higher complexity of operation. It would seem that you can reduce the severity of the problem if you introduce segmentation in the network only partially, laying virtual topologies only in those parts of the network and for those groups that are needed there at the moment. But when the requirements for the geography of the groups change, you will have to pay extra time and labor for introducing segmentation in the desired area of the network — laborious configuration changes and associated configuration errors and downtime of business processes.
TrustSec in the network scenario (TO-BE) allows administrators to reduce labor costs to almost zero. TrustSec is implemented on the network once, even at this stage requiring much less labor than creating virtual topologies and / or multiple ACLs on elements of the network infrastructure. And TrustSec does not require hardware reconfiguration with policy changes. Therefore, considerations of the complexity of operation do not interfere with the implementation of TrustSec throughout the network from the very beginning, when it is created or upgraded.
But nevertheless, if, when changing the geography of user groups, it turns out that for some reason TrustSec is not initially implemented in the right part of the network, this can be done faster than in the AS-IS scenario by applying a set of commands that is the same for all user groups and is not depending on their quantity.
If TrustSec is already implemented in the right part of the network, then the administrators do not need to take any action to reconfigure the equipment, because TrustSec policies are distributed dynamically across the network.
TrustSec allows you to implement user segmentation and access control with much higher speed and granularity than the basic facilities of the AS-IS network.
The effect of the implementation of TrustSec is greater, the greater the dynamics in the configuration of closed user groups of the company, because TrustSec automates these changes instead of time-consuming manual work.
Likewise, the effect of TrustSec is greater the more granular the segmentation of users into groups needs to be. With traditional segmentation based on virtual topologies, the more user groups there are, the more topologies there are and the higher the complexity. As a result, the number of topologies (and user groups) may be smaller than is optimal from a security point of view, in order to reach a compromise between security and complexity. Such a compromise is no longer in the best interest of security. Thanks to automation, TrustSec removes this limitation and allows you to divide users into exactly as many groups as is optimal from a security point of view.
TrustSec allows you to create a single, comprehensive access policy for all types of devices and connections, thereby helping to ensure a high level of security. Integration of TrustSec with other information security solutions thanks to pxGrid technology opens up very serious additional opportunities.
In addition, TrustSec provides an increased level of security due to strong mutual authentication of network infrastructure elements and the ability to encrypt traffic at the data link layer.
With these benefits, Cisco TrustSec can significantly reduce the likelihood and damage associated with information security incidents.
Thanks to the benefits described in Section 5.3, TrustSec also offers significant gains in troubleshooting and investigating information security incidents.
Since TrustSec allows users to be segmented into closed groups much more granularly than traditional methods, in the event of an information security incident (for example, when an intruder penetrates the network or introduces an infection into it), the expected damage will be much smaller than in the AS-IS network.
In addition, for this reason TrustSec will save staff time in resolving the consequences of the incident.
Another advantage - TrustSec will allow eliminating the consequences of the incident, while maintaining user access to the network by transferring them to a separate isolated group. This is especially important when it comes to VIP users. For example, it becomes possible to eliminate the consequences of infection of top management computers by maintaining their access to the network, and with minimal risk to uninfected computers.
Because TrustSec allows for much more granular user segmentation than the AS-IS network, incident investigation will require analysis of fewer devices. As a result, the investigation of information security incidents can be significantly accelerated and facilitated.
Modern business is characterized by ever-increasing dynamics. The network, as well as the policies implemented in it, must be quickly adapted to the changing requirements of the business. Changes in security policies that require days or weeks for their implementation are becoming less and less convenient for a business.
The proper functioning of network-based and segmentation-dependent business processes is also critical. Any changes to the segmentation policy must be implemented not only quickly, but also reliably.
Therefore, the traditional means of segmentation, discussed in the article, no longer meet the needs of the business of today and tomorrow. These requests can be supported with the help of modern network segmentation technology - Cisco TrustSec.
TrustSec meets modern business requirements and offers tools that implement changes in the segmentation environment quickly and reliably through automation and minimizing the "human factor".
As a result, Cisco TrustSec offers business benefits in at least three areas:
The traditional approach to segmentation and its limitations are analyzed. A new approach to segmentation based on Cisco TrustSec technology is considered, which eliminates these restrictions.
A series of typical IT and IS tasks related to segmentation is considered, and solutions to these problems proposed by traditional and new approaches are compared.
It analyzes in detail the new business opportunities and benefits offered by Cisco TrustSec.
1. Why network segmentation?
The corporate network has become a critical business tool for many companies, since it is it that provides the work of many business processes related to the transfer of information. At the same time, threats to information security are constantly evolving, and the need for effective remedies is growing every day.
For a long time, the attention of information security specialists was mainly focused on protecting the network perimeter. But in modern networks, the classical concept of the perimeter is gradually eroded. Users connect to the network in a variety of ways, including access via wired and wireless segments, as well as VPN connections. At the same time, within the organization’s IT infrastructure, as a rule, there are many types of users and devices that require access to different network resources to perform their work. Implementing proper access control in today's distributed and dynamic IT infrastructures is a daunting task. Given the large number of attack vectors that allow attackers and malware to penetrate the corporate IT infrastructure,
One of the most popular measures aimed at reducing the damage caused by an intruder penetrating the corporate IT infrastructure is network segmentation. An implied preliminary stage of segmentation is the separation of users and network resources into isolated groups (closed groups of users and resources). Communication between these groups is monitored or even blocked depending on the requirements of the organization’s security policy.
The principles used to divide users into groups are set by the organization's security policy. A typical division of users and devices into categories might be: employees, temporary staff, guests, users with devices that do not comply with corporate policy (quarantine), building engineering subsystems, and so on. Employees, in turn, need not all be placed in one group but can be divided into several, for example ordinary employees, management, top management, accounting, etc.
Network segmentation helps significantly reduce information security risks by limiting the ability of attackers to inflict damage if they penetrate the protected perimeter.
Quotes:
- Digital Guardian: “Eataly's network segmentation prevented a POS compromise at one store from compromising systems at the chain's 26 other locations across the globe”.
- US-CERT: “Effective network segmentation ... reduces the extent to which an adversary can move across the network”.
- Australian Government, Department of Defense, Intelligence and Security: “Network segmentation ... is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement."
Dividing users into groups and segmenting the network is not an end in itself; it can be very important for securing business processes, which in this sense rely on segmentation. An organization's security policy may require that employees of each category be given access only to the corporate resources they need for their work. For example, access to a group of ERP servers holding confidential business information may be granted only to management, and access to confidential HR databases only to the HR department and, possibly, management, while lower-level personnel or temporary employees can access only a limited set of corporate applications, for example the corporate CRM system and e-mail,
The effect of segmentation on business processes in these cases is that segmentation is needed for information security, and since security incidents can disrupt availability, segmentation also raises the availability of business processes.
In addition, there is a whole group of business processes that should not be run at all without segmentation, for example processes that give network access to users who are not employees of the organization. A typical example is guest access to the network (or to the Internet). Others include access for partner company employees, access for auditors, and connecting devices that belong to other organizations, such as ATMs, digital signage and payment terminals. Another scenario in which segmentation is recommended is restricting access between employees of affiliated entities that share the same network.
There can be many such scenarios, but all of them lead to the problem of implementing segmentation in practice.
2. Traditional network segmentation methods
When implementing network segmentation, three key tasks must be solved:
- Determine which group the user belongs to when he connects to the network (task 1).
- Isolate the traffic of users in this group from the traffic of users in other groups as it crosses the network (task 2).
- Give the user access to the resources he is entitled to and, as a rule, block access to everything else (task 3).
Task 1 is usually solved by authentication and authorization with 802.1X against a RADIUS server (often using data from a corporate directory service such as Active Directory). Other methods are possible, depending on the capabilities of the AAA server and equipment in use: static placement of the user based on the connection port, VLAN or IP subnet, authorization by MAC address, and so on.
Task 2 is traditionally solved by creating a separate virtual topology for each user group, usually by means of network virtualization. In small networks these are VLANs and 802.1Q trunks; Layer 3 technologies such as Multi-VRF CE (VRF-Lite) are also common, and large networks typically use MPLS VPN.
Task 3 is, as a rule, solved by packet filtering based on IP addresses. Access control can be implemented with such "coarse" means as access control lists (ACLs) on network infrastructure elements, or with fine-grained filtering on next-generation security systems (NGFW, NGIPS), but the underlying principle is the same: the basic criterion for the permit/deny decision is the IP address. Filtering is performed at one or several points where traffic is exchanged between user groups.
Sometimes packet filtering is used without virtual topologies at all, so that the packet filters solve both task 2 and task 3.
3. Limitations of traditional segmentation methods
Traditional solutions to tasks 2 and 3 can require a significant amount of manual work, especially during network operation.
This becomes more noticeable the more dynamic the segmentation environment is, for example:
- Access control rules change, both because security requirements are updated and because the set of resources and users changes.
- The composition of user groups changes, for example because of reorganizations within the company or changes in the set of network resources.
- The geography of user groups changes, which may require extending segmentation to new parts of the network.
Maintaining segmentation also becomes harder the more closed user groups there are.
The situation is aggravated by the fact that access control rules are based on IP addresses. Such rules are hard to work with and easy to get wrong. Using IP addresses as the basic access control criterion also severely limits the ability to change the addressing scheme, and in some cases makes changes practically impossible. Finally, an IP address identifies neither the user, nor the device, nor its status, and is easily spoofed.
Often there are so many access control lists, and so many entries (Access Control Entries, ACEs) in them, that administrators find it hard to remember what a given entry is for and are afraid to change or delete it. Lists grow over time, and maintaining them becomes harder still. This is because the number of ACEs is roughly the product ACE = S ∗ D ∗ P, where S is the number of source addresses (or subnets), D the number of destinations, and P the number of permit entries needed per source-destination pair. For example, even in a relatively small network in which the rules cover 4 VLANs that are allowed access to 4 applications on 30 subnets (requiring at least 4 permit entries per pair), administrators deal with at least 4 ∗ 30 ∗ 4 = 480 entries.
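The following script is an added illustration of the S ∗ D ∗ P estimate above; it is not code from the article or from Cisco. It expands the article's 4 ∗ 30 ∗ 4 scenario into IOS-style ACEs, builds the address-free SGACL that expresses the same intent once the matrix cell (user group to application group) has been selected, and counts how many IP ACEs would have to be edited if a single subnet were renumbered. The subnets, services and the exact SGACL syntax are constructed for the example.

```python
"""Why IP-based ACLs grow as S * D * P while an SGT-based policy does not.

Added example, not Cisco code. Subnets, services and SGACL wording are
constructed to match the article's 4 VLANs x 30 subnets x 4 services case.
"""
from ipaddress import ip_network
from itertools import product
from typing import List, Tuple

# Constructed inputs: 4 user VLAN subnets, 30 destination subnets, 4 services.
SOURCE_SUBNETS = [f"10.10.{v}.0/24" for v in range(1, 5)]
DEST_SUBNETS = [f"10.20.{d}.0/24" for d in range(1, 31)]
SERVICES: List[Tuple[str, int]] = [("tcp", 443), ("tcp", 22), ("tcp", 1433), ("udp", 53)]


def acl_operand(cidr: str) -> str:
    """Render a CIDR as the 'address wildcard' pair used in IOS-style ACEs."""
    net = ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def ip_acl(sources, dests, services) -> List[str]:
    """Traditional approach: one ACE per (source subnet, destination subnet, service)."""
    return [
        f"permit {proto} {acl_operand(src)} {acl_operand(dst)} eq {port}"
        for src, dst, (proto, port) in product(sources, dests, services)
    ]


def sgacl(services) -> List[str]:
    """SGT-based approach: the same intent as one SGACL with no addresses in it.
    The matrix cell (user SGT -> application SGT) selects the list; entries name
    only services. Wording is illustrative."""
    return [f"permit {proto} dst eq {port}" for proto, port in services]


def ace_count(sources: int, dests: int, permits: int) -> int:
    """The article's estimate ACE = S * D * P."""
    return sources * dests * permits


def entries_mentioning(acl: List[str], cidr: str) -> int:
    """How many ACEs must be edited if this subnet is renumbered."""
    target = acl_operand(cidr).split()
    hits = 0
    for line in acl:
        tokens = line.split()          # permit proto src srcwc dst dstwc eq port
        if tokens[2:4] == target or tokens[4:6] == target:
            hits += 1
    return hits


if __name__ == "__main__":
    acl = ip_acl(SOURCE_SUBNETS, DEST_SUBNETS, SERVICES)
    print(len(acl), "IP ACEs, first one:", acl[0])
    print(len(sgacl(SERVICES)), "SGACL entries:", sgacl(SERVICES))
    print("ACEs touched by renumbering 10.20.7.0/24:",
          entries_mentioning(acl, "10.20.7.0/24"))
```

Renumbering one destination subnet touches every (source, service) combination that names it, whereas the SGACL never mentions an address, which is the concrete form of the "addressing scheme is frozen" problem described above.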
The complexity of working with access control lists sometimes leads organizations not to use segmentation at all, or to abandon it as the network grows. Those that do use it often spend a lot of time and effort on coordination between IT, information security and business departments, exchanging change requests, etc.
As a result, IT and IS staff carry a significant burden of routine operations that nonetheless demand responsibility and attention. Typical consequences:
- Information security risks grow because of errors and "holes" introduced by manual editing of access control lists.
- The risk of business process failures grows because of errors made when changing equipment configurations.
- A lot of time is spent merely keeping segmentation up to date. There is no time for important but not urgent matters, and often they are not done at all. Time goes to routine that could be spent on strategic, creative tasks such as network development, planning, optimizing support for business processes and optimizing network performance. As a rule, there is not even time to keep the documentation current, which again increases the risk of security incidents and business process failures.
- Longer time to market: it takes more time to launch new applications or achieve business results that depend, to one degree or another, on network segmentation.
4. What is Cisco TrustSec and how does it differ from the traditional approach to segmentation?
TrustSec is a segmentation technology developed by Cisco that overcomes the difficulties discussed above through automation.
As with traditional methods, Cisco TrustSec places the user in the right group (task 1, called Classification in TrustSec terminology) by authenticating and authorizing the user with 802.1X against an access control server, which is the Cisco Identity Services Engine (Cisco ISE). Cisco ISE can authenticate and authorize against both its internal user database and external directories such as Active Directory. TrustSec does not require any specific type of user credential; options include MSCHAPv2, Generic Token Card (GTC), RSA one-time passwords and so on. Alternative methods are also possible, such as MAC Authentication Bypass, Web Authentication and AD-based Passive Identity (Easy Connect). Static methods based on VLANs, IP addresses, interfaces, etc. are available as well.
From here on, the approaches differ fundamentally. Cisco TrustSec assigns the traffic of each closed user group a 16-bit security label, the Security Group Tag (SGT), when the user connects to the network, or more precisely when the traffic enters the TrustSec domain. This is usually done on an access switch or another device at the edge of the corporate network.
The breadth of classification and tagging options for user groups and for all types of connection (wired, wireless, VPN, server connections in the data center and elsewhere) makes it possible to build a single, comprehensive access policy for all types of devices and connections on the basis of TrustSec (see Fig. 1).

Fig. 1. Cisco TrustSec allows you to create a single, comprehensive access policy for all types of devices and connections.
The SGT label is assigned dynamically by the Cisco ISE server or statically by a network infrastructure element, and from then on TrustSec works with labels. Dynamic tagging is the easiest and most effective way to achieve consistent tags across the network.
This is the fundamental difference in solving the traffic isolation task (task 2, Propagation in TrustSec terminology). The traditional approach requires a virtual topology per group. TrustSec does not, because the traffic of each group carries its SGT label. This removes the need for virtual topologies and greatly simplifies the network: all closed user groups can run on a single network topology.
TrustSec also offers a fundamentally different, simpler and more effective solution to the access control task (task 3, Enforcement in TrustSec terminology). The traditional approach uses IP-based access control lists (ACLs). TrustSec uses access control lists based on SGT labels rather than IP addresses, called Security Group ACLs (SGACLs). SGACLs greatly simplify the work: instead of numerous, hard-to-maintain IP-based ACLs, administrators deal with label-based SGACLs that are independent of both addresses and virtual topologies.
This concept is implemented in the TrustSec Policy matrix on the Cisco ISE server. Instead of many scattered access control lists, the administrator works with one centralized matrix (see Fig. 2). Rows are traffic source groups, columns are destination groups, and the access policy for each pair is defined in the intersecting cell as an SGACL. A cell can hold a simple rule (permit or deny all traffic) or a more detailed SGACL listing allowed and forbidden traffic, much like a conventional ACL, except that sources and destinations are identified by SGT labels instead of IP addresses.

Fig. 2. Concept of the Cisco TrustSec policy management (access) matrix.
Not every cell of the matrix needs to be filled in: unfilled cells follow the Default Policy, which can be either deny all or permit all. In filled cells, the SGACL rules are evaluated first and the Default Policy applies to whatever they do not match.
The access matrix concept together with dynamic label assignment allows the access policy to be implemented centrally, conveniently and consistently. TrustSec distributes this policy across the network by dynamically propagating SGT labels and SGACL rules.
SGT tags can be distributed across the network in three ways:
- inline, as part of the headers of the transmitted frames or packets, passed from node to node in the Cisco Meta Data (CMD) field; this is supported over Ethernet (including with MACsec, IEEE 802.1AE), IPsec VPN, DMVPN and GETVPN;
- using the SGT Exchange Protocol (SXP), which runs over TCP and carries IP-address-to-SGT bindings between devices;
- using Cisco Platform Exchange Grid (pxGrid).
The first method scales very well and is convenient because the tag travels with the traffic, but every device on the path must be able to handle tags embedded in frames or packets. This is not always the case, especially for tags in Ethernet frames, which require hardware support in the switching ASICs. Moreover, not all network devices implement TrustSec, so separate TrustSec "islands" may need to be joined together. In such cases the second method, propagation of bindings via SXP, can be used. The third method, based on pxGrid, provides integration with other security solutions from Cisco and its partners.
Cisco has currently implemented TrustSec in dozens of its product lines, including switches for enterprise, industrial and data center networks, firewalls, routers, WLAN controllers, etc. And although TrustSec is a proprietary Cisco development, in 2014 Cisco published an IETF informational draft describing the Source-Group Tag eXchange Protocol (SXP) to open TrustSec functionality to other vendors.
As for the propagation of SGACL rules, network infrastructure elements download them automatically from the Cisco ISE server. When an administrator changes a TrustSec policy, he can push it to the network immediately with the push command in the Cisco ISE interface; the policy can also be refreshed locally on a device from the CLI, and devices refresh their policies periodically when the policy's expiry timer runs out.

Fig. 3. An example of applying the TrustSec policy
Consider an example of applying a TrustSec policy (see Fig. 3). User Alice connects to the network, is authenticated and authorized by the Cisco ISE server and, based on the authorization result, is placed in group 5 (Marketing). The access switch tags packets from her computer with SGT 5. For simplicity, assume that all switches in the figure belong to the TrustSec domain and that TrustSec policies are enforced on the interfaces of the Nexus_SGACL switch to which Nexus1 and Nexus2 are connected (policies can also be enforced on other routed and switched interfaces of the domain). The administrator has configured Cisco ISE and distributed to the TrustSec domain the access policy shown in the table in Fig. 3.
Suppose Alice's computer sends an IP packet to a server belonging to the HR group. The packet crosses the network and arrives at the Nexus_SGACL switch, which applies the policy it has already downloaded from Cisco ISE. Recall that rows of the matrix are sources and columns are destinations, so the policy in the example is read from the Marketing row (label 5) to the HR column (label 20), where it denies all traffic. Since the HR server at 10.1.100.52 belongs to the HR group, the switch drops Alice's packet, thereby enforcing the segmentation policy.
Switches apply SGACLs in hardware at line rate, so label-based filtering does not reduce switching performance.
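The following toy model is an added example, not code from the article or from Cisco, and it serves both the propagation paragraph above (inline tags versus SXP bindings) and the Fig. 3 walkthrough. It models the three TrustSec stages: classification (a constructed ISE-style group table, with Marketing = 5 and HR = 20 as in the figure), propagation (an inline tag on the packet, or, for traffic that arrived untagged, a lookup in the IP-to-SGT binding table an SXP listener would hold; SXP itself is not modeled) and enforcement (a policy matrix with SGACL cells and a Default Policy for empty cells). All addresses, tags and cells are constructed; `move_host` shows why re-addressing a server changes the bindings but not the policy.

```python
"""Toy model of TrustSec classification, propagation and enforcement.

Added example, not Cisco code: tags, addresses and policy cells are
constructed (Marketing = 5, HR = 20 follow the article's figure), and SXP
is reduced to the binding table a listener would hold.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# --- Classification: constructed result of authorization on the ISE side ---
SGT = {"Unknown": 0, "Marketing": 5, "HR": 20, "Shared_Services": 30}

# --- Propagation: IP-to-SGT bindings as learned over SXP (constructed) -------
SXP_BINDINGS = {
    ip_network("10.1.1.0/24"): SGT["Marketing"],          # Marketing access VLAN
    ip_network("10.1.2.0/24"): SGT["HR"],                 # HR access VLAN
    ip_network("10.1.100.0/24"): SGT["Shared_Services"],  # server subnet
    ip_network("10.1.100.52/32"): SGT["HR"],              # HR server, more specific
}


def lookup_sgt(ip: str) -> int:
    """Longest-prefix match of an address in the binding table (0 = unknown)."""
    addr = ip_address(ip)
    best_len, best_tag = -1, SGT["Unknown"]
    for net, tag in SXP_BINDINGS.items():
        if addr in net and net.prefixlen > best_len:
            best_len, best_tag = net.prefixlen, tag
    return best_tag


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    sgt: Optional[int] = None   # inline CMD tag; None means it arrived untagged


# --- Enforcement: the policy matrix downloaded from ISE (constructed) --------
Rule = Tuple[str, Optional[str], Optional[int]]   # (action, proto, dst_port)
MATRIX: Dict[Tuple[int, int], List[Rule]] = {
    (SGT["Marketing"], SGT["HR"]): [("deny", None, None)],
    (SGT["HR"], SGT["HR"]): [("permit", None, None)],
    (SGT["Marketing"], SGT["Shared_Services"]): [
        ("permit", "tcp", 443),
        ("permit", "udp", 53),
        ("deny", None, None),
    ],
}
DEFAULT_POLICY = "permit"   # used for every empty cell, and after a cell's SGACL


def resolve_sgts(pkt: Packet) -> Tuple[int, int]:
    """Source SGT comes inline if present, otherwise from the SXP bindings;
    the destination SGT is always taken from the bindings."""
    src = pkt.sgt if pkt.sgt is not None else lookup_sgt(pkt.src_ip)
    return src, lookup_sgt(pkt.dst_ip)


def enforce(pkt: Packet) -> str:
    """First matching entry of the cell's SGACL decides; else the Default Policy."""
    src, dst = resolve_sgts(pkt)
    for action, proto, port in MATRIX.get((src, dst), []):
        if (proto is None or proto == pkt.proto) and (port is None or port == pkt.dst_port):
            return action
    return DEFAULT_POLICY


def move_host(old_ip: str, new_ip: str) -> None:
    """Re-addressing a host changes only its binding; MATRIX is untouched."""
    tag = SXP_BINDINGS.pop(ip_network(f"{old_ip}/32"))
    SXP_BINDINGS[ip_network(f"{new_ip}/32")] = tag


if __name__ == "__main__":
    alice = Packet("10.1.1.10", "10.1.100.52", "tcp", 445, sgt=SGT["Marketing"])
    print("Alice (SGT 5) -> HR server:", enforce(alice))                      # deny
    print("same packet, untagged:", enforce(Packet("10.1.1.10", "10.1.100.52", "tcp", 445)))
    print("Alice -> shared https:", enforce(Packet("10.1.1.10", "10.1.100.10", "tcp", 443, sgt=5)))
```

An untagged packet from Alice gets the same verdict as a tagged one because the enforcement point recovers her group from the binding; and after `move_host("10.1.100.52", "10.1.200.9")` the HR server is still protected at its new address without anyone editing the matrix, which is the property the article contrasts with IP-based ACLs.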
Details of configuring TrustSec policies on the Cisco ISE server can be found in the technical documentation, as can detailed information on configuring TrustSec on network infrastructure elements such as Catalyst switches. TrustSec design guides are also available on the Cisco website.
Thus, Cisco TrustSec dynamically distributes access control policies throughout the network and can cover all types of network access, wired, wireless and VPN, within a single centralized policy.
Cisco TrustSec extends beyond the network infrastructure and the Cisco ISE server. Through the pxGrid interface, TrustSec integrates with other Cisco (and partner) solutions such as Cisco Firepower, Cisco Web Security Appliance (WSA) and Cisco Stealthwatch. This integration allows, for example, very fine-grained access policies for applications and micro-applications based on SGT tags using the feature set of the Cisco Firepower next-generation firewall; differentiated access privileges to web resources on the Cisco WSA based on SGT labels; Stealthwatch policies against targeted threats that take into account the user's membership in a particular SGT group; and, as a special case, the Cisco Rapid Threat Containment solution, in which Cisco Stealthwatch or Cisco Advanced Malware Protection identifies a threat (for example, an infected computer) and asks Cisco ISE to restrict that computer's access using TrustSec (dynamic quarantine).
In addition, TrustSec, which is essentially a software-defined segmentation technology, integrates with the Cisco Application Centric Infrastructure (ACI) software-defined data center architecture. The integration establishes a mapping between closed user groups segmented with SGT tags and applications whose components are segmented into ACI endpoint groups (EPGs). As a result, end-to-end software-defined security policies can be created that cover both the network and the data center.
Both technologies, TrustSec and ACI, aim to optimize and automate processes in security and in the data center. In this sense they reinforce each other and, used together, offer additional synergy.
5. How can Cisco TrustSec help the business?
Consider a number of typical tasks of IT and IS departments and compare the expected results of solving them in a network in which segmentation is implemented with traditional methods (call it the AS-IS network) and in a network with segmentation based on Cisco TrustSec (the TO-BE network).
For definiteness, assume that in both scenarios users are placed in the right group (task 1) as a result of 802.1X authentication and authorization on a RADIUS server backed by Active Directory, so the solution to this task does not differ fundamentally between the scenarios.
Traffic isolation (task 2), however, is implemented in the AS-IS network by creating virtual topologies or by using ACLs, and in the TO-BE network by assigning SGT labels to frames.
Access control (task 3) in the AS-IS scenario is implemented with ACLs, and in the TO-BE scenario with Security Group ACLs (SGACLs) that are dynamically distributed across the network from the Cisco ISE server.
We assume that the network equipment in the AS-IS scenario supports the required virtualization technologies, and in the TO-BE scenario supports TrustSec.
Consider these typical tasks.
5.1. Routine operations to create / modify / delete access control lists (ACLs)
Tasks of this type cover controlling the access of existing users to network resources.
In the original network (AS-IS), the task is solved by manually editing the access control lists (ACLs) configured on one or many network infrastructure elements. Especially many edits may be needed when ACLs are used both to isolate traffic (instead of virtual topologies) and to control access.
To cope with a large number of ACLs within the traditional approach, one can try to centralize where they are applied to traffic. This requires, first, virtual topologies to isolate the traffic of closed user groups (task 2) and, second, exchanging traffic between these topologies, and applying the ACLs (task 3), at the smallest acceptable number of points in the network.
Such centralization of traffic exchange can reduce the number of ACLs, but it does not eliminate the problems of the traditional approach, and it introduces additional "bottlenecks" in the network and makes traffic paths between groups less optimal. Paths become suboptimal because traffic must pass through an exchange point that may not lie on the shortest path. The difference between the shortest and the actual path is called network stretch in some English-language literature (White, Russ and Tantsura, Jeff. Navigating Network Complexity: Next-generation Routing with SDN, Service Virtualization, and Service Chaining, chapter 5, Design Complexity. Indianapolis, IN: Addison-Wesley Professional, 2016). In general, applying policies increases network stretch.
In a network with TrustSec (TO-BE), this task is automated. Resource access control is implemented by configuring the TrustSec Policy Management Matrix, centralized on the Cisco ISE access control server. Access policies are dynamically distributed to the network infrastructure elements and realized there as SGACLs.
Nor is it necessary to bind specific ACLs to particular interfaces, as in the AS-IS network. Instead, TrustSec enforcement is enabled on the interfaces and the devices receive the SGACL rules dynamically. It is therefore no longer necessary to centralize traffic exchange between groups; it can be distributed, which reduces network stretch, optimizes traffic exchange between groups and reduces the number of bottlenecks.
Thus, TrustSec offers:
- A significant reduction in the labor and time needed to make changes.
- A significant reduction in application unavailability, related business process failures and security incidents caused by ACL configuration errors and other manifestations of the "human factor".
- Immediate entry into force of new access policies.
- A change from static to dynamic access control.
- Automated network segmentation.
- Indirect optimization of traffic paths between user groups.
5.2. Create / modify / delete resources and closed user groups
Tasks of this type include creating or removing closed user groups, launching or retiring network resources that rely on segmentation, and changing the geographical coverage of user groups. Such tasks arise, among other things, within the "agile office" concept.
5.2.1. Create / delete closed user groups
In the AS-IS scenario, closed user groups are implemented by creating virtual topologies with tools such as VLANs, VRFs, MPLS VPNs, tunnels, etc. An alternative is to use ACLs for both segmentation and access control.
Adding new groups or deleting old ones takes significant time and manual labor, and is often accompanied by configuration errors and business process downtime due to the "human factor".
In the TrustSec (TO-BE) scenario, a closed user group is added or removed by creating or removing a group label (SGT) on the Cisco ISE server and assigning users to the desired groups. As a rule, no changes to the network configuration are required.
As a result, TrustSec provides:
- A significant saving of staff time, which can be spent not on routine but on more creative, strategic tasks for which there is often not enough time (for example, planning network development, preparing and updating documentation, optimizing network equipment settings, etc.).
- A much faster launch of a new closed user group or of a new business process that relies on network segmentation.
- Prevention of the errors that accompany large numbers of routine operations. Checking the access matrix (both in day-to-day work and in a formal audit) is much easier than checking hundreds of ACEs spread across dozens of ACLs.
5.2.2. Change the geographic reach of user groups
This scenario involves changing the geographical coverage of closed user groups: for example, adding users from another building or from an office in another city, or physically relocating user groups when departments move or change composition, as in the "agile office" concept.
In the AS-IS scenario, it is not enough to perform the segmentation work once (combine VLANs and VRFs into virtual topologies, apply ACLs, possibly on numerous interfaces, etc.); similar work has to be repeated whenever the segmentation policy changes.
So if segmentation is implemented from the start for all groups throughout the network, the price is an even higher operational complexity. It might seem that the problem can be softened by introducing segmentation only partially, building virtual topologies only in those parts of the network, and only for those groups, where they are needed at the moment. But when the geography of the groups changes, extending segmentation to the required part of the network again costs time and labor: laborious configuration changes with the attendant configuration errors and business process downtime.
In the TrustSec (TO-BE) scenario, these labor costs drop to almost zero. TrustSec is deployed on the network once, and even that takes much less effort than building virtual topologies and/or multiple ACLs on network infrastructure elements, and TrustSec does not require reconfiguring the hardware when policies change. Operational complexity is therefore no obstacle to deploying TrustSec throughout the network from the outset, when it is built or upgraded.
If, when the geography of user groups changes, it turns out that TrustSec was for some reason not deployed in the required part of the network, this can still be done faster than in the AS-IS scenario, by applying a set of commands that is the same for all user groups and does not depend on their number.
If TrustSec is already deployed in the required part of the network, administrators need not reconfigure the equipment at all, because TrustSec policies are distributed dynamically across the network.
5.3. Information Security Incident Prevention
TrustSec allows user segmentation and access control to be implemented with much greater speed and granularity than the basic means of the AS-IS network.
The effect of deploying TrustSec is greater the more dynamic the composition of the company's closed user groups, because TrustSec automates these changes instead of requiring time-consuming manual work.
Likewise, the effect of TrustSec is greater the more granular the required segmentation of users into groups. With traditional segmentation based on virtual topologies, more user groups mean more topologies and higher complexity, so the number of topologies (and thus of groups) may end up smaller than is optimal from a security standpoint, as a compromise between security and complexity, and such a compromise is not in the best interest of security. Through automation, TrustSec removes this limitation and allows users to be divided into exactly as many groups as security considerations call for.
TrustSec allows a single, comprehensive access policy for all types of devices and connections, which helps ensure a high level of security. Integration of TrustSec with other security solutions through pxGrid opens up very significant additional opportunities.
In addition, TrustSec raises the level of security through strong mutual authentication of network infrastructure elements and the ability to encrypt traffic at the data link layer (MACsec).
With these benefits, Cisco TrustSec can significantly reduce both the likelihood of information security incidents and the damage they cause.
5.4. Information security incident response and investigation
Thanks to the benefits described in section 5.3, TrustSec also offers significant gains in handling and investigating information security incidents.
5.4.1. Limit damage / spread of infection
Since TrustSec allows users to be segmented into closed groups much more granularly than traditional methods, the expected damage from an information security incident (for example, an intruder penetrating the network or an infection spreading within it) will be much lower than in the AS-IS network.
For the same reason, TrustSec saves staff time in dealing with the consequences of an incident.
Another advantage is that TrustSec allows the consequences of an incident to be eliminated while users keep network access, by moving them to a separate isolated group. This is especially important for VIP users: for example, the consequences of an infection on top management computers can be remedied while those computers keep their network access, and with minimal risk to uninfected computers.
5.4.2. Acceleration of investigation of information security incidents
Because TrustSec allows much more granular user segmentation than the AS-IS network, an incident investigation needs to analyze fewer devices, so investigations can be significantly faster and easier.
6. Conclusion
Modern business is characterized by ever-increasing dynamics. The network, and the policies implemented in it, must adapt quickly to changing business requirements. Security policy changes that take days or weeks to implement are becoming less and less acceptable to the business.
The proper functioning of business processes that depend on the network and on segmentation is also critical: changes to the segmentation policy must be implemented not only quickly but also reliably.
The traditional means of segmentation discussed in this article therefore no longer meet the needs of today's and tomorrow's business. Those needs can be met with a modern network segmentation technology, Cisco TrustSec.
TrustSec meets modern business requirements and offers tools that implement changes in the segmentation environment quickly and reliably, through automation and by minimizing the "human factor".
As a result, Cisco TrustSec offers the business a gain in at least three areas (further information can be found in the Forrester Consulting report on the total economic impact of a TrustSec implementation, published in September 2016):
- Money: the expected value of reduced information security risk and reduced risk of business process downtime.
- Man-hours: staff time saved by reducing routine work, which allows focusing on strategic, creative tasks that are often postponed or never done.
- Time: measured in weeks or days, the overall acceleration of launching new services and applications and obtaining business results that depend, to one degree or another, on network segmentation.