BRKSEC-2053
Securing the Evolving Workplace: Zero Trust
Darrin Miller, Distinguished Technical Marketing Engineer (TME), vancspr
#CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- Cisco Live Housekeeping
- Introduction to Zero Trust
- Evolving Workplace Use Cases
- Securing the Workplace
- Summary

Objectives
- Understand Zero Trust principles and their application to evolving workplace networks.

About Me: Darrin Miller
- Security-focused Technical Marketing Engineer, focused on architecture, policy, and threat
- Author of books, CVDs, whitepapers, patents, etc.
- Cisco Live Distinguished Speaker Hall of Fame Elite
- 20+ years at Cisco: research, development, TME

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Section: Introduction to Zero Trust

Zero Trust means different things to different people
- It's endpoint security
- It's firewall
- It's identity
- It's ZTNA
- It's segmentation
What Zero Trust Means to Us
- Never assume trust.
- Always verify.
- Enforce least privilege.

Cisco believes Zero Trust must be defined holistically
- Principles, strategy, platform, capabilities, features, technologies

Security vs. productivity: today's trade-off is holding back Zero Trust
- Strong security drags down execution (users bogged down by access requirements)
- High productivity creates risk exposure (no constraints on the users)
- Axes: greater business security vs. greater user productivity

Zero Trust "Sweet Spot"
- Strong security AND high productivity: empower users to do the right thing; security is everyone's business
- Eliminate the trade-off: frustrate attackers, not users
- The opposite corner of the chart is high risk / high friction

What it takes to get Zero Trust right: Zero Trust requirements
- Establish Trust
- Enforce Trust-Based Access
- Continuously Verify Trust
- Respond to Change in Trust

Section: Evolving Workplace Use Cases

Evolving Perimeter: major shift in the IT landscape
Users, devices and apps are everywhere:
- Remote users
- Personal and mobile devices
- IoT devices
- Cloud applications
- Hybrid infrastructure
- Cloud infrastructure

Zero Trust State: transition from flat network to Zero Trust segmentation
- Current state: flat architecture
- Target state: Zero Trust architecture
- As published in the Cisco Press book "Zero Trust Architecture"

Let me tell you a story of a breach.
- It's about a casino.
- They had a fish tank with a smart thermometer in the lobby.
- A hacker noticed this networked thermometer...
- ...and took control by exploiting vulnerabilities on it...
- ...and then, through the thermometer, got access to the casino's customer database...
- ...and then exfiltrated high-rollers' data over days to a remote server.
End of the story.

The point of the story for this session: an unmanaged IoT device on a flat network became the path to the customer database. Segmentation between the thermometer and the database, and continuous verification of what the thermometer was talking to, are the controls the rest of the session is about.
What is said about Zero Trust vs. making it reality

"Zero Trust Network Access (ZTNA) can remove all network controls"
- Assumes there is only a single use case to be solved: users on smart devices accessing modern applications.
- A company's breakdown of users on smart devices and its application infrastructure may or may not allow this.

"ZTNA can simplify network security: I want a café-like experience for all my users"
- Easier onboarding for devices, seamless Wi-Fi experience.
- Few have adopted unencrypted, totally open networks.

"Use the same user/device least privilege on prem as off prem"
- Depends on the company and its use cases.
- Application performance considerations depending on architecture: hairpinning in the cloud, latency-sensitive applications.
- User interactions with non-ZTNA-capable devices.

"We can get rid of networks"
- Hybrid work may move the cost of networking to the employee.
- Smaller offices may simplify what the network does.
- The dramatic rise of IoT and smart buildings might change the primary focus of the network.

Reference: Gartner, "Zero Trust Is Not a Security Panacea", article of January 25, 2023.

Off-prem access and on-prem access (architecture diagrams): Internet access, SD-WAN, SIG, ACI, traditional DC, IaaS, SaaS.

Section: Securing the Workplace
Zero Trust State (recap): transition from the current flat architecture to a Zero Trust architecture, as published in the Cisco Press book "Zero Trust Architecture".

Zero Trust Success: More than Technology (Layer 8)
- Business governance and executive sponsorship
- Business drivers: regulatory (federal/industry); availability (factories must run); other drivers?
- Application owner, the "policy decision maker": approves and drives policy; gives the command to block communications; owns service impact
- Users / applications / IoT devices: What does it need to talk to? Where do endpoints and hosts reside? Availability / business continuance requirements
- Service desk, ITIL management, service owner: operational needs
- Security, infrastructure, policy: policy definition and policy execution (execution of policy rules; configuration of the infrastructure to enforce the policy)
- Network operations, network engineering, audit & compliance, event management: operational needs

Cisco's Zero Trust capabilities (across User & Device Security, Network & Cloud Security, Application & Data Security)
- Establish Trust: user/device/service identity; posture + context; risk-based authentication
- Enforce Trust-Based Access: micro-segmentation; unified access control; least privilege + explicit trust
- Continuously Verify Trust: re-assessment of trust; indicators of compromise; shared signals; behavior monitoring of threat and non-threat activity; vulnerability management
- Respond to Change in Trust: prioritized incident response; orchestrated remediation; integrated + open workflows

Section: Establish Trust
ISE Provides Zero Trust for the Workplace
- Cisco ISE: standalone ISE, multi-node ISE, VM/appliance, cloud images
- Endpoints: users, devices, things
- Network devices: switches, WLCs/APs, VPN
- Enterprise identity services: Azure/AD/LDAP, MDM, SAML/MFA
- Security services: Cisco DNA Center, Network Analytics, Secure Firewall, partners

Context: Build, Summarize, Exchange (visibility and access control)
- ISE builds context and applies access control restrictions to users and devices
- Context dimensions: who, what, when, where, how, posture, threat, vulnerability
- Context sources: endpoints, Mobility Services Engine, vulnerability scanners, threat intelligence, mobile device managers, directory services, system managers, security group
- Context reuse by ecosystem partners for analysis and control (via pxGrid, REST API, syslog): Secure Network Analytics, Secure Firewall, DNAC + 3rd-party partners

Improving Profiling: AI Endpoint Analytics on Cisco DNA Center
- Rapidly reducing the unknowns to gain visibility on the pathway to Zero Trust
- Pipeline: data aggregation -> endpoint profiling -> ML analytics
- Inputs: network telemetry probes; easy onboarding tools; RF fingerprinting (roadmap); DPI-based fingerprint/behavior; CMDB connector; 3rd-party visibility tool

Classification based on Deep Packet Inspection (example: GE Optima CT Scanner 540, runs Windows 7)
- Probes: DHCP Class-ID = MSFT
- Deep packet inspection (L6/L7): DICOM: GE CT540 (powered by NBAR via the SD-AVC agent)
- Multifactor classification result: Endpoint type: CT scanner; Operating system: MS Windows 7; Manufacturer: General Electric (GE); Model: Optima CT 540
- Note that the DHCP probe alone would only say "a Windows host"; the DICOM signature is what identifies a medical device on an end-of-life OS that cannot take an agent or patches, so the classification has to feed segmentation rather than remediation.
Better Classification reduces unauthorized access
- Cisco DNA Center's multifactor classification (Endpoint type: CT scanner; OS: MS Windows 7; Manufacturer: General Electric (GE); Model: Optima CT 540) is shared with Cisco ISE
- ISE maps the classified endpoint to a security group (SGT 10, SGT 11, SGT 12 in the figure) so authorization follows the device's real identity

Reducing unknowns when using ML
- Device data lake: endpoint data from Cisco ISE, third parties, SD-AVC and NetFlow; endpoints are either known (e.g. iPhones) or unknown
- Clustering (done in the cloud): ML groups different endpoints into clusters based on attribute data (Attribute A vs. Attribute B -> Cluster 1, Cluster 2)
- Rule creation: creates a rule that uniquely groups together endpoint clusters
- Endpoint labeling, scenario 1: the customer teaches ML what the endpoints are ("These are Bosch coffee machines", "These are Apple Watches")
- Active learning: ML learns new labels (Bosch Coffee Machine, Apple Watch) and validates existing labels
- Caveats: must forward endpoint attributes to the ML cloud (available in 3.2p1); air-gapped environments are not supported

Crowdsourcing using ML
- Customer A labels a cluster (Bosch coffee machines) and the AI cloud learns the label
- Customer B with a matching cluster receives a classification suggestion: "These are Bosch coffee machines. Confirm?"
- Inputs: ML analytics, DPI, CMDB connector, third-party visibility tool
Multi-Factor Classification (MFC) on ISE 3.3
- Problem: current endpoint profiles in ISE are simple strings, making it hard to filter endpoints on simple attributes and set consistent authorization policy.
- Solution: profiles are now made up of four factors: MFC-Manufacturer, MFC-Model, MFC-OS, and MFC-Endpoint Type. Benefits include easily setting policy based on these four MFC attributes, as well as compatibility with Cisco's AI/ML profiling engine.
- Caveats/prerequisites: not turned on by default; does not work with current custom profiles; requires the Feed Service (online/offline).
- Example profiles as shown (Manufacturer | Device Type | Model | OS):
  Cisco | IP Phone | IP Phone 7980 | iOS
  Arlo | Camera | Pro wireless Cam | Linux
  Apple | Laptop | MacBook Pro | macOS 12.0.1
  Lenovo | Laptop | ThinkPad 540 | Windows Enterprise

Use Wi-Fi Edge Analytics data for ISE 3.3
- Problem: Apple, Samsung, and Intel devices share rich data with WLCs that can improve profiling, but it was not usable in the past.
- Solution: 9800 WLCs now pass endpoint-specific attributes to ISE in RADIUS accounting, enabling fast, accurate, and simple profiling of Samsung, Apple, and Intel devices.
- Attributes: model number, OS version, firmware version, country code, device form.
- Caveats/prerequisites: must have 9800 WLCs running IOS-XE 17.10.
- Examples: Model=Galaxy S1 + OUI=Samsung -> Samsung Galaxy S1; Model=iPad + OUI=Apple -> Apple iPad; Model=MacBook Pro + OUI=Apple -> Apple MacBook Pro.
- Practitioner caveat: the model and OS strings are asserted by the client, so they sharpen a profile but should not be the only condition on which a privileged authorization is granted; combine them with authentication and posture.

Section: Enforce Trust-Based Access

Two Level Hierarchy: Macro Level (Building Management VN, Campus Users VN, Network)
- First-level segmentation that ensures zero communication between specific groups.
- Ability to consolidate multiple networks into one management plane.
- Constructs: Virtual Network (VN) / Virtual Private Network (VPN) / VRF / zones.

Two Level Hierarchy: Micro Level (within the Building Management VN and Campus Users VN)
- Second-level segmentation ensures role-based access control (least privilege) between two groups within or between virtual network(s).
- Provides the ability to segment the network into either lines of business or functional blocks.
- Construct: Group Based Policy (SGT), e.g. Finance SG, Employee SG.

Group Based Policy Simplifies Trust Based Policy: use the existing topology and automate security policy to reduce OpEx
- Traditional segmentation: security policy based on topology. Separate Voice, Data, Guest, BYOD and Quarantine/Non-Compliant VLANs at the access layer, VACLs at the aggregation layer, and per-VLAN static ACLs, routing, redundancy, DHCP scopes and addressing. High cost and complex maintenance.
- Group based policy: ISE assigns tags (Employee, Supplier, Non-Compliant, Voice, BYOD) regardless of VLAN, and policy is enforced on the tags at the access layer, the DC servers and the enterprise backbone. Micro/macro segmentation, central policy provisioning, no topology change, no VLAN change.

The Value of Group-Based Policies: enhanced simplicity for better enforcement and management
- Individual users in campus and branch collapse into sample user groups: Employee, Partner, Contractor, Guest, Unknown.
- Individual servers in the data center collapse into sample server groups: NDA confidential, Sensitive, General access, Company confidential.
- Source policy entities are enormously reduced; destination policy entities are also enormously reduced.

Trust-Based Policy Workflow
1. View/Model Policy: analyze the network; visualize traffic flows; create groups; identify policies.
2. Establish Policy: establish group-based segmentation policy; trial/monitor group-based policies; apply group-based policy (Monitor -> Enforce).
3. Verify Policy: continuous trust monitoring; monitor the policies' effectiveness; detect policy violations; deduce policy update requirements (Detect).

Section: View/Model Policy
Group-Based Policy Analytics (GBPA) application on Cisco DNA Center (NetOps)
- Stages: policy discovery -> policy modeling -> policy enforcement
- Inputs: group-to-group activity; Endpoint Analytics; MFC; ISE scalable groups and profiles; Secure Network Analytics host groups; flow information

Group to Group Activity (GBPA app on Cisco DNA Center) [screenshot]

Detecting Ports/Protocols Between Groups (GBPA app on Cisco DNA Center)
- Ports 104, 1550 and 11112 detected between the Scanners and Storage groups, all used for DICOM interaction (N.B. DICOM: Digital Imaging and Communications in Medicine).
- Identify the specific ports/protocols needed in access control policies.

Contract and Discovered Information Side-by-Side (GBPA app on Cisco DNA Center) [screenshot]

Create/Edit Contract Easily Based on Discovered Flows (GBPA app on Cisco DNA Center) [screenshot]

Secure Network Analytics: visualizing communications between SGTs (NetSecOps)
- Report on all observed SGT group communications; quickly see which SGTs are communicating
- Click on a cell to display the amount of data transmitted
- View up to 300 SGTs

Section: Establish Policy

Multidomain: Integration for Scaling (connecting distributed trusted domains at scale: ISE, DNA Center, vManage, Meraki)
- Before: context lost in transit across SD-WAN. Now: context retained in transit.
- Macro-segmentation with VNs and micro-segmentation with SGTs: visibility, segmentation, containment, policy application.
- Retain policy context: exchange the rich context at scale across distributed trusted domains (before, crossing the SD-WAN required endpoint reclassification).
- Uniform security policy: having the same rich context everywhere enables uniform policy application without having to reclassify endpoints.
- Controller integration: fully automated, flexible deployment models between SDA and SD-WAN.

Group-Based Policy in Operation: Stateless Enforcement
- Classification -> Propagation -> Enforcement.
- Dynamic classification by Cisco ISE at the access edge (wireless, remote-access VPN, switch): User-A = SGT 5 (Group-A), User-B = SGT 8 (Group-B).
- Static classification at the DC switch: application servers = SGT 6 (App_Serv), production servers = SGT 7 (Prod_Serv).
- The SGT is propagated through the routers with the traffic and the egress policy (source SGT x destination SGT, cells of Permit All / Deny All) is applied at the last hop: Group-A and Group-B versus App_Serv and Prod_Serv, and Group-A versus Group-B.

Group-Based Policy in Operation: Stateful Enforcement
- Same classification and propagation; an NGFW sits in front of the application and production servers.
- The NGFW Manager access control policy is written on the same groups (source Group-A/Group-B, destination App_Serv/Prod_Serv) with actions such as Permit All, Permit SQL and Deny All; group membership reaches the NGFW from ISE over pxGrid.
- The switch egress policy (stateless) and the NGFW policy (stateful) use the same group names, so the NGFW can add protocol-level decisions such as Permit SQL that a stateless SGACL cell does not express.

Group-Based Policy in Operation: Lateral Movement
- Employee SGT (5), 10.1.100.1; Contractor SGT (10), 10.2.200.6; both authenticated and authorized by Cisco ISE.
- Egress policy (source -> destination):
  Source \ Destination | Employee | PLC | Contractor
  Contractor | Deny All | Permit All | Deny All
  Employee | Permit All | Permit All | Deny All
- Contractors reach the PLCs they are there to service but cannot reach employees or each other, and employees cannot reach contractor devices. Movement from a compromised contractor laptop to another contractor or to an employee is dropped at the first enforcement point, independent of IP addressing.

Group Based Policy: Integrated Domains, Policy
- Cisco Zero Trust extension of policy to private/public clouds
- Domains: autonomous Catalyst site,
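The three "Group-Based Policy in Operation" slides above show the egress matrix as a grid of Permit All / Deny All cells, and the GBPA slides earlier show discovered DICOM ports (104, 1550, 11112) becoming a contract. The following Python is an added example written for this page; it is not Cisco's code and not how ISE or a Catalyst switch implements SGACLs. It models the matrix lookup (source SGT x destination SGT -> SGACL), first-match evaluation with the implicit deny at the end of an SGACL, the catch-all default for unbound cells, and monitor mode from the trial step of the workflow, so a flow can be traced the way the enforcement point would see it. SGT 5 (Employee), SGT 10 (Contractor) and the group names come from the slides; the SGT numbers for PLC, Scanners and Storage and the SGACL names are assumptions.

```python
"""SGT egress policy evaluation: added example, not Cisco/ISE code.
Models a TrustSec-style egress matrix: (source SGT, destination SGT) -> SGACL,
each SGACL an ordered list of entries with an implicit deny, plus monitor mode.
SGACL syntax is simplified to protocol + destination port."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# SGT numbers from the lateral-movement slide; PLC/Scanners/Storage numbers are assumed.
EMPLOYEE, CONTRACTOR = 5, 10
PLC, SCANNERS, STORAGE = 20, 30, 31   # assumption: these values are not on the slides


@dataclass(frozen=True)
class Ace:
    """One SGACL entry. protocol "ip" matches any protocol; dst_port None matches any port."""
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip", "tcp" or "udp"
    dst_port: Optional[int] = None
    log: bool = False              # emit an SGACLHIT-style log when this entry matches


@dataclass
class Sgacl:
    name: str
    aces: list
    monitor: bool = False          # monitor mode: count would-be denies, but forward


def port_allow_list(name: str, ports, protocol: str = "tcp") -> Sgacl:
    """Permit only the listed destination ports; deny-and-log everything else."""
    return Sgacl(name, [Ace("permit", protocol, p) for p in ports] + [Ace("deny", "ip", log=True)])


PERMIT_ALL = Sgacl("Permit_IP", [Ace("permit", "ip")])
DENY_ALL_LOG = Sgacl("DenyIP_Log", [Ace("deny", "ip", log=True)])


class EgressPolicy:
    """Egress matrix with per-cell counters (permit / deny / monitor), mirroring the
    *-permit-count / *-deny-count / *-monitor-count fields seen in trustsec-state telemetry."""

    def __init__(self, default: str = "deny"):
        self.cells = {}                      # (src_sgt, dst_sgt) -> Sgacl
        self.default = default               # catch-all for cells with no SGACL bound
        self.counters = defaultdict(lambda: {"permit": 0, "deny": 0, "monitor": 0})

    def bind(self, src_sgt: int, dst_sgt: int, sgacl: Sgacl) -> None:
        self.cells[(src_sgt, dst_sgt)] = sgacl

    def evaluate(self, src_sgt: int, dst_sgt: int, protocol: str, dst_port: Optional[int] = None):
        """Return (action, sgacl_name, logged) for one flow and update the counters."""
        sgacl = self.cells.get((src_sgt, dst_sgt))
        if sgacl is None:
            self.counters[(src_sgt, dst_sgt, "default")][self.default] += 1
            return self.default, "default", False
        action, logged = "deny", False       # implicit deny if no entry matches
        for ace in sgacl.aces:
            if ace.protocol != "ip" and ace.protocol != protocol:
                continue
            if ace.dst_port is not None and ace.dst_port != dst_port:
                continue
            action, logged = ace.action, ace.log
            break                            # first match wins, as in an ACL
        if sgacl.monitor and action == "deny":
            # Trial phase of the workflow: record the would-be deny, let the flow through.
            self.counters[(src_sgt, dst_sgt, sgacl.name)]["monitor"] += 1
            return "permit", sgacl.name, logged
        self.counters[(src_sgt, dst_sgt, sgacl.name)][action] += 1
        return action, sgacl.name, logged

    def would_be_denied(self) -> dict:
        """Cells in monitor mode that have recorded traffic the SGACL would block."""
        return {k: v["monitor"] for k, v in self.counters.items() if v["monitor"]}


def build_policy() -> EgressPolicy:
    """The lateral-movement matrix from the slides plus a DICOM contract under trial."""
    p = EgressPolicy(default="deny")
    p.bind(EMPLOYEE, EMPLOYEE, PERMIT_ALL)
    p.bind(EMPLOYEE, PLC, PERMIT_ALL)
    p.bind(EMPLOYEE, CONTRACTOR, DENY_ALL_LOG)
    p.bind(CONTRACTOR, EMPLOYEE, DENY_ALL_LOG)
    p.bind(CONTRACTOR, PLC, PERMIT_ALL)
    p.bind(CONTRACTOR, CONTRACTOR, DENY_ALL_LOG)   # blocks contractor-to-contractor movement
    dicom = port_allow_list("Scanners_to_Storage_DICOM", [104, 1550, 11112])
    dicom.monitor = True                           # contract discovered by GBPA, not yet enforced
    p.bind(SCANNERS, STORAGE, dicom)
    return p


if __name__ == "__main__":
    policy = build_policy()
    for src, dst, proto, port in [(CONTRACTOR, PLC, "tcp", 502), (CONTRACTOR, EMPLOYEE, "tcp", 445),
                                  (CONTRACTOR, CONTRACTOR, "tcp", 445), (SCANNERS, STORAGE, "tcp", 104),
                                  (SCANNERS, STORAGE, "tcp", 22), (STORAGE, SCANNERS, "tcp", 104)]:
        print(src, "->", dst, proto, port, policy.evaluate(src, dst, proto, port))
    print("monitor-mode would-be denies:", policy.would_be_denied())
```

The return trip Storage -> Scanners has no cell bound, so it falls to the default deny; in a real deployment that is the reminder that the egress matrix is directional and that the reverse path of a discovered flow needs its own cell (or a stateful device in front of the servers).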
  SD-WAN fabric with WAN edges, SD-Access fabric sites, public cloud, private cloud, Meraki sites

ISE / Cisco SD-WAN Integration (Rel. 17.10, Dec '22)
- ISE learns the user/device-to-SGT mapping from Active Directory/LDAP/CMDB and publishes it over pxGrid; OMP distributes the IP-to-SGT mapping to the WAN edges.
- ZBFW policy at the WAN edge applies the same egress matrix (Contractor/Employee to Employee/PLC/Contractor, Deny All / Permit All as above) to IaaS, SaaS and private apps.
- Granular security control at user/group level; unified security policy and intent.

Group Based Policy: SD-WAN Group (SGT) Integration [screenshot]

Meraki Adaptive Policy (SGT) and ISE Sync
- SGACL enforcement (Adaptive Policy) on all Meraki MS390 switches and 802.11ac Wave 2 / Wi-Fi 6 MR access points; policies provisioned by the Dashboard
- Catalyst 9K core: SGTs passed inline; policies downloaded from ISE
- SGT policies synced from ISE to Meraki (ISE 3.2 p1); Cisco DNA Center optional

ISE Meraki Policy Sync [screenshot]

Open Implementations
- 3rd parties support SGTs via pxGrid (IETF proposal for Security Automation and Continuous Monitoring, SACM): Check Point amongst others
- SXP published as an Informational Draft to the IETF based on customer requests; shipping partner implementations; open-source SXP implementations in Java (OpenDaylight) and C
- The draft includes the Cisco Meta Data (CMD) format for carrying the SGT in Ethernet frames (detailed on the next slides): https://datatracker.ietf.org/doc/draft-smith-kandula-sxp/
- All major NGFW vendors are interoperable via pxGrid; SD-WAN competitors are interoperable via inline tagging and pxGrid; switching and wireless competitors have implemented SGT; 3rd-party ASIC vendors are publishing CMD/SGT support

Section: Verify Policy
Policy Counters, Cisco DNA Center (NetOps)
- Table view: permits and denies per policy

SNA: validate that the ISE policy is being observed, using near-real-time network telemetry (NetSecOps)

SGACL Logging / Open Telemetry
- 16.3: initial support in C9K
- 17.3: performance optimization for CPU protection
- Example syslog of an SGACL hit:
  *Jan 27 13:33:43.355: %RBM-6-SGACLHIT: ingress_interface=GigabitEthernet1/0/24 sgacl_name=DenyIP_Log-01 action=Deny protocol=tcp src-vrf=default src-ip=10.10.18.101 src-port=64382 dest-vrf=default dest-ip=10.10.35.201 dest-port=80 sgt=4 dgt=4 logging_interval_hits=1
- Note that sgt and dgt are both 4: this is a deny between two members of the same group, i.e. east-west traffic inside a group being blocked. logging_interval_hits is the number of hits in the logging interval, so the count, not the number of log lines, is the real drop count.

SGT/DGT Hit Counters via Open Telemetry
- Subscription command as shown: NCC https:/ cisco-p nbv_1234-x/trustsec-state-period 50-callback sample trustsec-state.txt
- Subscription result: notif-bis:ok; Subscription Id: 2147483648; Event time: 2019-01-27 22:26:46.910000+00:00; Type: 1
- Data (datastore-contents-xml / trustsec-state / cts-rolebased-policies / cts-rolebased-policy):
  src-sgt: 8, dst-sgt: 4, sgacl-name: dev_emp_deny_log-02, num-of-sgacl: 1, monitor-mode: false, policy-life-time: 86400, last-updated-time: 1548631492542928
  hardware-permit-count: 0, hardware-deny-count: 145, hardware-monitor-count: 0
  software-permit-count: 0, software-deny-count: 0, software-monitor-count: 0
  total-permit-count: 0, total-deny-count: 145
- The record separates hardware from software enforcement and keeps a distinct monitor count, so a cell still in monitor mode reports the traffic it would have dropped without blocking it; that is the data to read before flipping monitor-mode to false.

Open Telemetry Example: SGACL Monitoring [screenshot]

Section: Continuously Verify

Sharing signals across all control points
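The syslog line and the trustsec-state telemetry record on the slides above are two views of the same question: which SGT-to-DGT cell is dropping traffic, and is it meant to. The following Python is an added example for this page, not Cisco's code and not a supported parser for either format. It parses the key=value fields of %RBM-6-SGACLHIT messages and the comma-separated key:value fields of the telemetry record, sums deny hits per (sgt, dgt) cell using logging_interval_hits, and flags denies where sgt equals dgt (traffic blocked inside one group, like the sgt=4/dgt=4 line on the slide). The first log line is the one on the slide; the other log lines and the single-string layout of the telemetry record are constructed for the example.

```python
"""Parse SGACL hit syslog and trustsec-state telemetry: added example, not Cisco code.
Field names follow the slide text; the extra log lines are constructed samples."""
import re
from collections import Counter

HIT_RE = re.compile(r"%RBM-6-SGACLHIT:\s*(?P<fields>.+)$")
INT_FIELDS = {"src-port", "dest-port", "sgt", "dgt", "logging_interval_hits"}

# Constructed sample input: line 1 is the slide's, lines 2-3 are variations,
# line 4 is an unrelated message the parser must ignore.
SYSLOG_LINES = [
    "*Jan 27 13:33:43.355: %RBM-6-SGACLHIT: ingress_interface=GigabitEthernet1/0/24 "
    "sgacl_name=DenyIP_Log-01 action=Deny protocol=tcp src-vrf=default src-ip=10.10.18.101 "
    "src-port=64382 dest-vrf=default dest-ip=10.10.35.201 dest-port=80 sgt=4 dgt=4 logging_interval_hits=1",
    "*Jan 27 13:33:44.012: %RBM-6-SGACLHIT: ingress_interface=GigabitEthernet1/0/24 "
    "sgacl_name=DenyIP_Log-01 action=Deny protocol=tcp src-vrf=default src-ip=10.10.18.101 "
    "src-port=64390 dest-vrf=default dest-ip=10.10.35.202 dest-port=445 sgt=4 dgt=4 logging_interval_hits=3",
    "*Jan 27 13:33:45.500: %RBM-6-SGACLHIT: ingress_interface=GigabitEthernet1/0/10 "
    "sgacl_name=Permit_Web-01 action=Permit protocol=tcp src-vrf=default src-ip=10.10.18.50 "
    "src-port=51000 dest-vrf=default dest-ip=10.10.36.10 dest-port=443 sgt=8 dgt=6 logging_interval_hits=1",
    "*Jan 27 13:33:46.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

# The cts-rolebased-policy record from the slide, flattened to one string (constructed layout).
TELEMETRY = ("dst-sgt:4,hardware-deny-count:145,hardware-monitor-count:0,hardware-permit-count:0,"
             "last-updated-time:1548631492542928,monitor-mode:false,num-of-sgacl:1,"
             "policy-life-time:86400,sgacl-name:dev_emp_deny_log-02;,software-deny-count:0,"
             "software-monitor-count:0,software-permit-count:0,src-sgt:8,total-deny-count:145,"
             "total-permit-count:0")


def parse_sgacl_hit(line: str):
    """Return the key=value fields of one %RBM-6-SGACLHIT message, or None for other messages."""
    m = HIT_RE.search(line)
    if not m:
        return None
    rec = {}
    for key, value in re.findall(r"(\S+)=(\S+)", m.group("fields")):
        rec[key] = int(value) if key in INT_FIELDS else value
    return rec


def parse_trustsec_state(text: str) -> dict:
    """Parse the comma-separated key:value fields of one cts-rolebased-policy record."""
    rec = {}
    for item in text.split(","):
        key, _, value = item.partition(":")
        value = value.strip().rstrip(";")          # sgacl-name carries a trailing ';' on the slide
        if value in ("true", "false"):
            rec[key.strip()] = value == "true"
        elif value.isdigit():
            rec[key.strip()] = int(value)
        else:
            rec[key.strip()] = value
    return rec


def deny_hits_by_cell(lines) -> Counter:
    """Sum logging_interval_hits of Deny messages per (sgt, dgt) cell. Hit logging is
    rate-limited, so the interval count, not the number of lines, is the drop count."""
    cells = Counter()
    for line in lines:
        rec = parse_sgacl_hit(line)
        if rec and rec["action"] == "Deny":
            cells[(rec["sgt"], rec["dgt"])] += rec["logging_interval_hits"]
    return cells


def intra_group_denies(lines):
    """Denies with sgt == dgt: traffic blocked between members of the same group."""
    out = []
    for line in lines:
        rec = parse_sgacl_hit(line)
        if rec and rec["action"] == "Deny" and rec["sgt"] == rec["dgt"]:
            out.append((rec["sgt"], rec["src-ip"], rec["dest-ip"], rec["dest-port"], rec["sgacl_name"]))
    return out


def cell_summary(state: dict) -> dict:
    """Reduce a telemetry record to what the verify step looks at: is the cell enforcing,
    how much did it drop, and how much would it drop if it is still in monitor mode."""
    return {
        "cell": (state["src-sgt"], state["dst-sgt"]),
        "sgacl": state["sgacl-name"],
        "enforcing": not state["monitor-mode"],
        "denies": state["total-deny-count"],
        "permits": state["total-permit-count"],
        "would_be_denies": state["hardware-monitor-count"] + state["software-monitor-count"],
    }


if __name__ == "__main__":
    print("deny hits per cell:", dict(deny_hits_by_cell(SYSLOG_LINES)))
    for hit in intra_group_denies(SYSLOG_LINES):
        print("intra-group deny:", hit)
    print("telemetry:", cell_summary(parse_trustsec_state(TELEMETRY)))
```

Both parsers are tolerant of the field order, so the same functions work on a syslog feed and on a telemetry callback file; what they deliberately do not do is treat a single log line as a single drop.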
- User & Device Security: Duo, Secure Endpoint, Kenna Security, Identity Services Engine (ISE)
- Network & Cloud Security: Umbrella, Secure Firewall, Secure Network Analytics
- Application & Data Security: Secure Workload, Secure Cloud Analytics
- Cisco XDR: enforce zero trust policies across the broadest set of control points
- Mapped to the four requirements: Establish Trust, Enforce Trust-Based Access, Continuously Verify Trust, Respond to Change in Trust

DNAC Trust Analytics: continuous validation of endpoints (NetOps)
- Trust score (low / medium / high): continuously monitor risk/trustworthiness and restrict access
- Signals: secure authentication and posture; impersonation attacks; low-reputation IP connections; vulnerability/threat metrics; unauthorized ports and weak credentials
- Sources: embedded/machine learning, security ecosystem, DNAC and ISE; some signals are supported in Endpoint Analytics today, others are roadmap

Secure Network Analytics (SNA) (NetSecOps)
- Custom Security Event (CSE) using TrustSec (SGT) and Geo-IP attributes

Section: Respond to Change in Trust

Endpoint Analytics: trust score after MAB
- The same endpoint scores differently by how it got onto the network: 802.1X (EAP-TLS) + AnyConnect posture scores 10, 802.1X (PEAP) scores 8, MAB scores lower (5).
- Example endpoint: type IP camera, OS Linux, manufacturer Camera_Mfg, model X255Z; password compliance: compliant; MAC spoofing: non-compliant
- A MAB endpoint flagged for MAC spoofing is quarantined through an Adaptive Network Control (ANC) API call to Cisco ISE, which changes the authorization on the network device

Threat Visibility: Rapid Threat Containment (RTC)
1. A threat is detected on Jim's device
2-3. AMP on the endpoint notifies the cloud
4-5. Cisco ISE is notified and changes Jim's access; Harry and Alice are unaffected

Vulnerability Assessment (Threat-Centric NAC)
1. Scan Jim's endpoint
2. The on-prem scanner scans
3. Scan report
4. CVSS = 10 (CVSS: Common Vulnerability Scoring System)
5. Authorization policy: if CVSS is greater than 5, then Quarantine = true
6. Cisco ISE quarantines Jim; Harry and Alice are unaffected

Flexible outcomes
- Telemetry (NetFlow & ETA) is provided by the network devices to Secure Network Analytics (SNA)
- On a policy violation or a threat detection and response, SNA triggers CoA via ISE (pxGrid ANC -> RADIUS CoA to the network device)

Section: Summary
Summary
- Cisco's Zero Trust Architecture is a comprehensive approach to securing all access across your network, applications, and environment.
- It provides a scalable, layered approach to Zero Trust that allows it to evolve with the customer's needs.
- As use cases evolve for Zero Trust, Cisco is innovating with products to provide least-privilege access with Cisco Zero Trust for the workplace.
- Cisco Zero Trust for the Workplace provides unrivaled visibility, segmentation and containment.

Learning Map [slide]

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Thank you

Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.

#CiscoLive BRKSEC-2053