Zero Trust: Secure the Workplace With Cisco Software-Defined Access (slide deck, PDF, 69 pages)
#CiscoLive
Zero Trust: Secure The Workplace With Cisco Software-Defined Access
Brandon Friedrich, Technical Solutions Architect
Session BRKENS-1851
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Zero Trust Overview
- Software-Defined Access Overview
- Software-Defined Access Fabric 101
- Policy Driven Segmentation

Zero Trust Overview
What is Zero Trust?
What Zero Trust means to us:
- Never assume trust.
- Always verify.
- Enforce least privilege.

Cisco believes Zero Trust must be defined holistically: strategy, principles, platform, technologies, capabilities and features.

Zero-Trust Access: use segmentation and verification to proactively stop breaches.
- Secure the Workforce (users and devices, anywhere): multi-factor authentication, posture assessment, managed browser, OS status.
- Secure the Workplace (corporate network): wired and wireless access, IoT devices, WAN routing, application access. This is the focus of this session.
- Secure Your Workloads (multi-cloud data center): servers, VMs and containers, applications; AWS, Azure, Google Cloud, private cloud and SaaS access.

Forrester, "The Definition of Modern Zero Trust" (January 2022): "The broad theme of Zero Trust is the reduction of implicit trust. As a model for information security, Zero Trust translates to network and security architecture."

CISA Zero Trust Maturity Model 2.0 (April 2023).

Cisco Zero Trust Requirements: what it takes to get Zero Trust right. The requirements span User and Device Security, Network and Cloud Security, and Application and Data Security:
- Establish Trust: user/device/service identity; posture and context; risk-based authentication; eliminate implicit trust.
- Enforce Trust-Based Access: micro-segmentation; unified access control; least privilege and explicit trust; restrict lateral movement; reduce the attack surface.
- Continuously Verify Trust: re-assessment of trust; indicators of compromise; shared signals; behavior monitoring of threat and non-threat activity; vulnerability management.
- Respond to Change in Trust: breach mentality; prioritized incident response; orchestrated remediation; integrated and open workflows; reduce TTD and TTC; dynamic segmentation.
Can you see the business intent here?

Can you spot the business intent here? Role-based permissions on switch DMZ-Pod1:

    DMZ-Pod1# show cts role-based permissions
    IPv4 Role-based permissions default:
            Permit IP-00
    IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
            Deny IP-00
    IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
            Permit IP-00
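To make the intent in such output checkable rather than read by eye, here is an added Python example (not from the session or from Cisco) that parses the `show cts role-based permissions` text shown above into a source/destination SGT matrix, answers which SGACL applies to a given pair, and lists the explicit deny cells. The only assumption is the output format of that command; the sample text is the slide's capture, embedded as a constant.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample output constructed from the slide's DMZ-Pod1 capture (prompt line omitted).
SAMPLE_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
        Permit IP-00
"""

DEFAULT_RE = re.compile(r"^IPv4 Role-based permissions default:$")
CELL_RE = re.compile(
    r"^IPv4 Role-based permissions from group (\d+):(\S+) to group (\d+):(\S+):$")
Cell = Tuple[int, int]  # (source SGT, destination SGT)


def parse_cts_permissions(text: str):
    """Return (default ACL lines, {(src, dst): ACL lines}, {sgt: group name}).

    Entries such as 'Permit IP-00' are the SGACL name plus its generation id.
    """
    default: List[str] = []
    matrix: Dict[Cell, List[str]] = {}
    names: Dict[int, str] = {}
    bucket: Optional[List[str]] = None  # ACL lines belong to the header seen last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("RBACL Monitor"):  # trailer lines on real devices
            continue
        if DEFAULT_RE.match(line):
            bucket = default
            continue
        m = CELL_RE.match(line)
        if m:
            src, src_name, dst, dst_name = m.groups()
            names[int(src)], names[int(dst)] = src_name, dst_name
            bucket = matrix.setdefault((int(src), int(dst)), [])
            continue
        if bucket is not None:  # any other line is an ACL entry under that header
            bucket.append(line)
    return default, matrix, names


def effective_policy(src: int, dst: int, text: str = SAMPLE_OUTPUT) -> List[str]:
    """ACL lines the egress node applies to SGT src -> SGT dst traffic.
    A pair without an explicit cell silently inherits the default entry."""
    default, matrix, _ = parse_cts_permissions(text)
    return matrix.get((src, dst), default)


def denied_pairs(text: str = SAMPLE_OUTPUT) -> List[str]:
    """Explicit deny cells rendered with group names, e.g. 'Employees -> Development_Servers'."""
    _, matrix, names = parse_cts_permissions(text)
    return [f"{names[s]} -> {names[d]}" for (s, d), acl in sorted(matrix.items())
            if any(entry.startswith("Deny") for entry in acl)]
```

With a `Permit IP` default, every pair that has no explicit cell (for example Employees to Developers) is permitted, which is the gap to look for when reviewing a matrix like this.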
Better visibility leads to better segmentation. The example scalable groups on the slide: SGT_Contractor (Contractor 1-5), SGT_BuildingManagement (Temperature Devices 1-3, Surveillance Devices 1-3), SGT_Employee (Employee 1-4), SGT_FinanceServer (Fin 1-4) and SGT_Printers (Printer 1-3). Most group-to-group paths are DENY; only the few required paths are PERMIT.

SDA Overview

Cisco DNA Center: the command and control center for intent-based networking (delivered as the Cisco DNA Center Appliance).
- Improve network performance and spend less time troubleshooting with AI and machine learning.
- Create user and group policies and increase security threat protection.
- Automate provisioning, device updates, and device lifecycle management.
- Functions: automation; security and policy; analytics and assurance; AI/ML. It manages physical and virtual infrastructure, Cisco and third party.

Introducing Cisco Software-Defined Access (SDA). Cisco DNA Center provides automation, segmentation and assurance.
- Identity-based policy and segmentation: security policy definition is decoupled from VLAN and IP address.
- User mobility: policy stays with the user (for example across an IoT network and an employee network).
- Automated network fabric: a single fabric for wired and wireless with workflow-based automation.
- Insights and telemetry: analytics and insights into user and application behavior.

Behavior-based classification. The workflow is Endpoint Classification -> Policy Analytics -> Policy Enforcement -> Policy Assurance.
- Starting from a MAC/IP address, classification is based on endpoint attributes: endpoint context (type, model, OS, OEM), identity and groups (owner, department) and risk score (posture, CVE, threat).
- Assets are classified into context-based Scalable Groups, for example Cameras, Log Servers, Media Servers and Employees, with observed flows such as streaming and alerts.

Policy modeling with traffic patterns (no policy on the network yet):
- Unearth the critical access that must be allowed or denied, for example the Cameras group sending RTP to Media Servers and syslog to Log Servers, plus SSH/WEB traffic involving Employees.
- Fine-tune and model policies with business continuity in mind.

Group-based policies for segmentation: once modeled, the policies are deployed and downloaded to the network (policy download), so you enforce policies with confidence.

Bringing it together (Cisco DNAC and ISE):
1. Endpoint Classification (MAC/IP address -> endpoint context, identity and group, risk score).
2. Define Policy (group-based policy, context-based Scalable Group assignments).
3. Policy Enforcement.
4. Policy Assurance.
This is visibility-driven segmentation.

SDA Fabric 101

The Traditional Enterprise Network
The traditional enterprise network is built from the core layer, the aggregation layer and the access layer. Over the years networks were configured with numerous network protocols, split between a Layer 3 network and a Layer 2 network.

The traditional enterprise protocol stack: MPLS, VPLS, Pseudo Wire, MP-BGP, LDP, SXP, sub-interfaces, VRF, VRF Lite, 802.1w (PVST+), 802.1s (Rapid STP), BPDU Guard, Root Guard, Loop Guard, VLANs, VTP, EtherChannel, SVIs, HSRP, VSS, 802.1Q, PortFast, VSL, Dual Active Detection, SGT, Port Channel, IGMP. Unique configurations drive up complexity.

Next generation design: a routed Layer 3 network (no Layer 2 support).

SDA dramatically simplifies the network. The new enterprise network with SDA is a Layer 3 network (wired/wireless) with Layer 2 support; the new enterprise protocol stack with SDA is IS-IS, VXLAN and LISP; and configurations are common with SDA.

SDA key component: control plane based on LISP.
The LISP "Mapping System" is analogous to a DNS lookup. DNS answers the "Who is" question:
    Host: Who is ... ?    DNS server: Address is 153.16.5.29
LISP resolves location for identity; it answers the "Where is" question:
    LISP router: Where is 153.16.5.29?    LISP map system: Locator is 128.107.81.1

Host mobility without stretching VLANs. Setup on the slide: Campus Building 2, subnets 10.17.1.0/24 and 10.18.1.0/24, anycast gateway 10.17.1.1, edge nodes 10.0.255.1 and 10.0.255.3, with ISE/AD and DNA Center/APIC-EM attached. Endpoint 10.17.1.10 moves from the 10.17 building to Building 2 and keeps its address:
- Edge node 10.0.255.1 routing table: 10.17.1.0/16 Local; 10.17.1.10/32 Local before the move, replaced by 10.17.1.10/32 LISP after it.
- Edge node 10.0.255.3 routing table: 10.17.1.0/16 LISP; 10.18.0.0/16 Local; 10.17.1.10/32 Local.
- Control-plane node database: 10.17.0.0/16 -> 10.0.255.1; 10.18.0.0/16 -> 10.0.255.3; 10.17.1.10/32 -> 10.0.255.1, updated to 10.0.255.3 when the new edge sends a Map Register (Endpoint 10.17.1.10/32, Edge Node 10.0.255.1 in the original registration).

SDA key component: data plane based on VXLAN.
Overlay and underlay (GRE example): hosts 10.10.10.1 and 10.10.20.1 (subnets 10.10.10.0/24 and 10.10.20.0/24) sit behind routers whose underlay addresses are 1.1.1.254/24 and 2.2.2.254/24. A logical overlay tunnel Tun 0 carries the traffic (route 2.2.2.0/24 via Tun 0), so an ICMP packet from Host 1 to Host 2 travels inside GRE across the underlay.

Traditional vs overlay: Host A (IP 192.168.56.11/24, MAC A:A:A, VLAN 10) and Host B (IP 192.168.56.12/24, MAC B:B:B, VLAN 10).
- No VXLAN: Host A ARPs for 56.12 (L2 header A:A:A -> F:F:F broadcast); the ARP request is flooded over an 802.1Q trunk (Dot1q=10), each switch's CAM table learns A:A:A and B:B:B in VLAN 10 on ports 0/1 and 0/2, and the ARP reply returns the same way.
- VXLAN: the switches are joined by routed Layer 3 links with loopbacks L0 10.0.0.1 and 10.0.0.2 (ECMP); there is no Dot1q and no ARP flooding across the fabric. The ARP request is carried in VXLAN with the VNI, the control plane answers "Host B?" with 10.0.0.2, and each side keeps a MAC/IP-to-locator table: A:A:A 56.11 -> L0 10.0.0.1, B:B:B 56.12 -> L0 10.0.0.2.
SDA key component: policy plane based on VN and TrustSec.

SDA policy is defined centrally on the ISE policy engine (for both wired and wireless users). In SDA, ISE is used to authenticate/authorize the onboarding of users in a fabric (and also devices and IoT-based things). When users connect to the network they are authenticated/authorized by ISE, and users are placed into a Virtual Network (VN), a related group of authorized users.

Default VN security posture: deny ALL access between Virtual Networks. Note: access can then be changed. You get this security by default, without defining ANY security policies. This is called macro segmentation.

There is a second level of segmentation: micro segmentation. ISE assigns policy based on IDENTITY: for example, a user entitled to Admin access receives the Admin tag, while users A, B, X and Y receive their own tags. Micro segmentation (using identity) defines access rules inside a Virtual Network.
Segmentation operation in the SD-Access fabric. Example: Employee SGT (5) at 10.1.100.1 and Contractor SGT (10) at 10.2.200.6 are authenticated/authorized (Authc/Authz) by Cisco ISE, which downloads the egress policy to the fabric edge. The egress policy matrix on the slide (source rows, destination columns Employee / PLC / Contractor):
    Contractor:  Deny All / Permit All / Deny All
    Employee:    Permit All / Permit All / Deny All
- Classification: dynamic, by ISE.
- Propagation: SGT carried in VXLAN.
- Enforcement: at the egress fabric edge.
Demo.

Policy Driven Segmentation

SD-Access solution for Zero Trust for the Workplace:
1. AI/ML-based multi-factor endpoint classification for IoT visibility.
2. Traffic analysis for granular policy discovery.
3. Flexible macro/micro segmentation.
4. AI/ML-led network behavioral anomaly detection; identifying endpoint weaknesses, vulnerabilities etc.
5. Automated threat isolation and remediation.
Together these eliminate implicit trust, provide least-privileged access and isolate detected threats.

SD-Access performs behavior analytics for continued trust verification. Endpoint analytics computes a trust score from 1 to 10 from threat metrics shared by the firewall, Umbrella, SecureX, third-party and other sources: security incidents, suspicious domain access, malware activity. Cisco ISE applies trust-based policies on the score: Deny Access (1-3), Limited Access (4-7), Full Access (7-10). Demo.

SD-Access campus architecture: an integrated network and security architecture.
- Corporate VN (Employee, Contractor, IT) and IoT VN (Lighting, Cameras), a fusion device between VNs, Cisco DNA Center (analytics, automation, policy), Cisco ISE, AI/ML cloud, Umbrella DNS security, Endpoint and Trust Analytics, SecureX, Secure Network Analytics, BGP w/ CMD.
- Establish Trust: user trust, device trust; visibility of who and what is on the network.
- Enforce Trust: policy-driven segmentation, multi-level segmentation; visibility of how devices are communicating.
- Continuously Verify Trust: threat containment, detect attacker behavior; visibility through threat detection.

Multi-level segmentation integration for least-privileged access:
- SDA site 1 SGTs: Corporate T1-Employee, T1-Contractor; IoT T1-Cameras, T1-HVAC; Guest T1-Guests. SDA site 2 SGTs: Corporate T2-Employee, T2-Contractor; IoT T2-Cameras, T2-HVAC; Guest T2-Guests.
- The sites connect over SD-WAN (managed by DNA Center) to the Internet, cloud/SaaS, Cisco Cloud ACI on Azure, AWS and Google, and the enterprise data centers. Policy propagation to the service edge gives per-VN (Corporate, IoT, Guest, Shared Services) policy enforcement points (PEP), including Cisco Secure Workloads.
- Establish Trust: Identity Services Engine. Enforce Trust: role-based access control. Continuously Verify Trust: SecureX, Secure Network Analytics.

Keys to Zero Trust success:
1. Start with a plan.
2. Understand traffic flows and where you want to enforce policy.
3. Start with macro-segmentation.
4. Slowly build micro-segmentation.
5. Don't overcomplicate the policies.

Summary of SDA:
- Network simplification: reduces the network protocol stack from 15-20 down to THREE!
- Convergence: unified policy for wired/wireless.
- ZTN: Zero Trust Networking, with built-in network segmentation.
- Seamless and simple L2 mobility across the ENTIRE campus fabric, end-to-end.
- IT/OT convergence baked into the SDA architecture.
- HA: improved HA through L3 protocols.
- Automation: DNAC simplifies network operations.
- LISP: scale compared to EVPN fabric solutions.
64、liates.All rights reserved.Cisco Public#CiscoLive68Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123468 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKENS-1851#CiscoLive