350-401 ENCOR – Cisco CCIE Enterprise – Security part 9
January 27, 2023

29. Next Generation Firewall

In 5.5.c we have the next generation firewall. Cisco has acquired a company called Sourcefire, founded by Martin Roesch, and you can see the number of dollars that Cisco spent in 2013. He was actually the author or developer of the IPS, that is the Snort signatures, and at that time Snort had many active community members (some 4200). So that's the reason Cisco has done the acquisition. But again we'll go and check the features. What is the exact reason behind the acquisition of a next generation firewall? Cisco already had their ASA firewall. We know that the ASA firewall is great. It can do up to, say, layer 1, 2, layer 3 and layer 4 inspection.

We can create VPNs. It is very stable. We have the CLI, we have CSM, we have ASDM as the GUI option, which means we have both the CLI and GUI options, but it is not doing the IPS-related tasks. So on the firewall, although you can insert some module on the ASA firewall, some external module or the embedded module inside the ASA firewall, and then it can inspect signatures, you have to update the signatures in a very traditional fashion. The ASA firewall was then integrated with this Firepower, and we'll see more about the history and what the present and the future scope are. But here you can see that apart from FTD, Firepower Threat Defense, we have the ASA firewall, we have next generation IPS devices, and we have the ASA firewall with Firepower services.

Okay, so you have a standalone, that means the product is a standalone IPS/IDS device. And then you have a mix of ASA firewall plus IPS/IDS device. You have a standalone ASA firewall as well. Now, the ASA firewall can't do much of the signature inspection, that is the IPS/IDS inspection. That's one main reason that Cisco acquired this company. Not only can they go and check the signatures, but we'll see that; I have that list.

I'll show you that. So here in the diagram you can see the ASA firewall, and then you have the acquisition of Firepower. And in between you can see that the ASA firewall can be inserted with the IPS/IDS module. And then you have the standalone FTD that can do ASA plus IPS/IDS. So although the product line seems quite confusing, you can think now that you have perimeter firewalls. For example, FTD 2100, that's quite popular at this moment. But FTD 4100, FTD 9300, et cetera, these are the standalone boxes with the capability of L2 to L7, content filtering or the firewall capability, plus IPS/IDS, plus some next generation firewall capabilities. Okay, so there is no need to use the ASA firewall.

Rather, directly we can go and purchase FTD. Again, they have both form factors, either hardware or software, so a virtual form factor is there for FTD as well. Now here you can see what the main use of ASA is. It can do L2 to L4 stateful firewall filtering, routing and application inspection. And what can IPS do? It can do signature inspection. It has Application Visibility and Control, URL filtering, Advanced Malware Protection. And now the best of both breeds has been combined inside FTD. So whatever capability the ASA has and the Firepower has, now FTD will provide you all of it as a full-fledged service.

Correct? And again you can see the ladder here, which is the evolution. So you have the ASA firewall that was quite popular, and you can see that the ASA firewall is still in use. Almost all the companies started using the PIX firewall and then the ASA firewall; again, from PIX to ASA there was one generation, and again from ASA to the next generation firewall there is a generation. So here you can see that the next generation is the Firepower 4140, 9300, etc. And then you have the virtual form factor as well. All right, so let's just stop here. I hope you can understand this evolution of the next generation firewall.

30. TrustSec & MACsec 01

Let's understand what TrustSec is. Now, what problem do we have at this point of time? The problem we have is that we have so many divisions in a network. So many divisions means, say for example, with respect to users, you may have employees, contractors, guests, say VRF A, B, C, D, et cetera, correct? Now, at this point of time we know what the problem is. So the main problem is that you have multiple segments. The other problem we have is that, since we have multiple segments, we are still using some sort of static ACL. At this point of time our main problem is that users are mobile. They are moving from one place to another, and what we want is that at the moment they come and connect to the network,

all the policy should come and attach to them, or in ISE terms it should be enforced for those users. So at the moment you come and connect to the network, as per your category, as per your segment, as per your designation, you will get that policy. Now, suppose you use such an arrangement in a static network or in a static world; it's not possible because everything is already predefined, everything is already coded and you have to follow that. On the other hand, what we are doing is on demand: at the moment you need it, the policy will come and be enforced for you, and that's a big difference. And that is the advantage we have. While we are doing the network segmentation we have issues; to overcome these we have the concept of TrustSec. So what we can do here, like we are doing in the MPLS world, is some sort of label switching.

So here also, instead of which IP and which IP range these devices have or which network segment these devices are in, what we can do is categorize the employee or the contractor or the BYOD, meaning we can have some category and then we can do some sort of color code or label. So for example, BYOD can be denoted by yellow, supplier by green, employee by orange, et cetera. Now, as per their color coding, we can apply dynamic policy instead.

So what will happen, as per your identity, whatever identity you have in the organization, once you go and get the authentication and authorization from ISE, ISE will go and push, as per your identity, how much authority you have, or how much network access you have, or which servers you can access, et cetera. So that's the reason here you can see that ISE is dividing this complete dynamic segmentation, or this complete dynamic arrangement, into three portions: classification, propagation, enforcement. Classification means you can think of it like this color coding. Propagation means that from the user till the identity service you may have switches, you may have firewalls, you may have any other network device; so how those labels, or you can think how those requests, will go and reach ISE, that will happen with the help of propagation, and there are several techniques for that which we'll see. And then finally enforcement: what type of policies you are pushing, what type of ACLs you are pushing, what type of VLANs you are pushing to the users who have the labels. Right, now here you can understand a little bit more: I have one employee whose label is five. And here you can see on top, let me try to highlight here. So here you can see that the employee can access the app server, the app server can access the app server, the prod server can access the prod server.

So the broader story is that the employee can access the app server, but the employee can't access the prod server, and this is dynamic. So here you have done the classification, then the propagation, and finally the rule will go and get pushed to the nearby network device that these devices or these users actually are part of. So that's the power we have. Again, with this power we have so many advantages. First of all, it is giving us the mobility feature. Second, it is giving us the policy-based network feature or policy-based infrastructure feature rather than the IP- or VLAN-based infrastructure feature, because everything is dynamic. Another thing is that it is increasing the security as well, because things are dynamic and on demand. All right, so what we are going to do now is understand more about this classification, propagation and enforcement.

Again, the same table you can see here: we have the source and destination and who has the permission to do what and what not. And here at the bottom you can see the different groups with different colors: employee has blue, supplier has green, and then the non-compliant has a label that is actually red. And then you can see the access label. So who can access what? Obviously you have done the classification, in between the propagation will happen, and then finally the enforcement of the rule will happen with respect to ISE, whenever you are pushing such ACLs to the switches or to the DC switches.

So these ACLs are termed SGACLs, that is security group ACLs, et cetera. All right, so now we have reached this point, and at this point we know that you have the networking devices as NADs (network access devices), you have the labels as security group tags (SGTs), and you have the security group ACLs. Now, how are these devices going to work? What is the methodology here?

31. TrustSec & MACsec 02

Let us understand more about how this is working behind the scenes. As we know, we have three methods: classification, propagation and enforcement. Now when we are talking about classification, we have options: we can do the static assignment of the labels and the dynamic assignment as well. Then we have the propagation. Again, you can see we have inline security group tagging, we have SXP, the SGT Exchange Protocol, and WAN options. Enforcement is where and what we are going to enforce. So we have the security group ACL, and we have the security group firewall as well in between.

Now starting with classification, here you can see that we can have dynamic classification with 802.1X, MAB, WebAuth, or we can have static classification as well. Remember that these devices should support security group tagging, where we can go and enable Cisco TrustSec, and then we have to map to the tag value. So whether it's a router or switch or firewall, we can go and enable it: for example, in case of a distribution switch, VLAN-to-SGT mapping; in case of routers, subnet-to-SGT; or over the SVI we can have the SGT. We can have L2 port SGT when we are talking about MAC-level security SGT. So that's where the term MACsec comes into the picture.

Then we have the VM port profile SGT as well for the data center. So that means overall, at each and every place we can go and assign this security group tag. Now once we go and assign this, obviously this tag should propagate inside the network. So for that, for example, ISE and a device want to propagate this; there should be some communication, or for example from one device to another device, one is the listener and one is the speaker. Suppose a firewall and one switch: the switch is the speaker and the firewall is the listener. So in between you have to go and enable, for example, SXP. So you have to go and enable and do the configuration for SXP so that tags can be propagated. So whatever classification you have done can propagate from one place to another. And then finally we have to go and apply the enforcement as well. Again, here you can see a little bit deeper inside this SGT propagation: how and why, and what the constraints are as well.

Here you can see in the list that the fastest and most scalable way to propagate the SGT is actually inline tagging. How is it inline tagging? So inside the Ethernet frame you have, say for example, metadata. This is again Cisco metadata. Inside the Cisco metadata you have the field value. So that means that you are sending the frame as a native frame, and inside that frame you have one field for metadata, and inside that metadata, obviously along with the metadata and other options, you have the SGT value as well. Now here you can see that the SGT value will be 16 bits. So that means you have long numbers or long labels that you can go and put.

So here you can see that the 16-bit field gives you a 64K tag space, and that's huge. So the advantage with inline tagging is that it is fast, and because this is happening inline we don't have much constraint here, apart from that whatever devices you are propagating through should support this feature. Next we have the Security Group Tag Exchange Protocol (SXP). This is also very popular; in this you have to go and define who is the listener and who is the speaker, and then the labels will go and propagate, correct? Again, if you want to learn more you can go and check this IETF draft; also note the supported TCP port. Here you can see, again, you have to go and do the same type of configuration on these devices. The configuration is, say for example, the only difference between the speaker and the listener is that one will have the role of listener and one will have the role of speaker.

That's it. Okay, great. So this way we can go and do the propagation. Again, here you can see that I have SXP between this switch, here you can see, and the other switch, so maybe a layer 2 switch and maybe a layer 3 switch. We have the propagation. And here you can see the SXP tag, with tag five, going here. Again here you can see the 802.1X tag, again doing authentication with ISE and going here. And in this way they will go and push the tag as well. So what will happen is that once you do the classification, and once your SXP is propagating the tag, once you push the policy, the final stage is enforcement. In case of enforcement it will go and dynamically push the policy to the interfaces, and that's the end goal. Again we have multiple support for propagation. So here you can see whether it's a LAN network or a data center or a WAN network, DMVPN, GET VPN, et cetera: everywhere the TrustSec labels are getting propagated.

The final phase is that we have to go and do the enforcement: security group ACLs and SG firewalls. Now here you can see that obviously you have the list, so who is the source, who is the destination, where you are doing the permission and where you are going to put the rule. Okay, so as per our defined rule it will go and push this. Again, if you want to see this inside ISE you can go and check the ISE GUI; inside the policy section you can go and check the matrix. So who is permitted, who is denied, you can go and check there. Finally, how will it look inside the ASA firewall ASDM? So here you can see that once you push the policy from ISE to the ASA firewall, it will look like this inside ASDM. Obviously you can go and check inside the ASA CLI as well. All right, so this is the way that TrustSec is working. When it is related to layer 2, we can go and map TrustSec with MACsec, MAC-level security, as well.
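To make the three TrustSec phases from sections 30 and 31 concrete, here is an added example (not from the course and not Cisco's code) that models them in Python: dynamic and static classification into SGTs, propagation of IP-to-SGT bindings from an SXP speaker to a listener, and enforcement against the lecture's SGACL matrix (employee to app permitted, employee to prod denied, default deny). The group names, SGT numbers, IP addresses and device names are constructed for illustration; real SXP and SGACL behaviour is richer than this toy.

```python
"""Toy model of Cisco TrustSec: classification -> propagation -> enforcement.
Added example; all SGT values, names and addresses are constructed."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# --- Classification --------------------------------------------------------
# An SGT is a 16-bit label (0..65535, i.e. roughly a 64K tag space).
# These four assignments are constructed for the example.
SGT = {"employee": 5, "app_server": 10, "prod_server": 20, "guest": 30}


def classify_dynamic(role: str) -> int:
    """Dynamic classification: ISE returns an SGT for the authenticated identity."""
    return SGT[role]


@dataclass
class Device:
    """A switch or firewall with the IP-to-SGT bindings it learned or was configured with."""
    name: str
    bindings: dict = field(default_factory=dict)     # host IP -> SGT (dynamic / learned)
    subnet_sgts: list = field(default_factory=list)  # (network, SGT) static mappings

    def bind_host(self, ip: str, sgt: int) -> None:
        self.bindings[ip] = sgt

    def map_subnet(self, cidr: str, sgt: int) -> None:
        """Static classification, like a subnet-to-SGT mapping on a router or switch."""
        self.subnet_sgts.append((ip_network(cidr), sgt))

    def lookup_sgt(self, ip: str):
        """Host binding first, then static subnet mapping, else unknown (None)."""
        if ip in self.bindings:
            return self.bindings[ip]
        addr = ip_address(ip)
        for net, sgt in self.subnet_sgts:
            if addr in net:
                return sgt
        return None


# --- Propagation -----------------------------------------------------------
def sxp_propagate(speaker: Device, listener: Device) -> int:
    """SXP speaker sends its IP-SGT bindings to the listener over the control plane
    (the alternative to inline tagging when the path cannot carry the tag in the frame).
    Returns how many new or changed bindings the listener learned."""
    learned = 0
    for ip, sgt in speaker.bindings.items():
        if listener.bindings.get(ip) != sgt:
            listener.bindings[ip] = sgt
            learned += 1
    for entry in speaker.subnet_sgts:
        if entry not in listener.subnet_sgts:
            listener.subnet_sgts.append(entry)
            learned += 1
    return learned


# --- Enforcement -----------------------------------------------------------
# SGACL matrix from the lecture's slide: (source SGT, destination SGT) -> action.
SGACL_MATRIX = {
    (SGT["employee"], SGT["app_server"]): "permit",
    (SGT["app_server"], SGT["app_server"]): "permit",
    (SGT["prod_server"], SGT["prod_server"]): "permit",
    (SGT["employee"], SGT["prod_server"]): "deny",
}


def enforce(device: Device, src_ip: str, dst_ip: str) -> str:
    """Enforcement point (SGACL on a switch or an SG firewall rule): the decision is
    made on tags, not addresses. Missing tags and missing matrix cells both deny."""
    src_sgt, dst_sgt = device.lookup_sgt(src_ip), device.lookup_sgt(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "deny (unknown SGT)"
    return SGACL_MATRIX.get((src_sgt, dst_sgt), "deny")


def demo() -> dict:
    """Walk an employee's traffic through all three phases; returns the decisions."""
    access_switch = Device("access-sw")   # SXP speaker, where the user authenticated
    dc_firewall = Device("dc-fw")         # SXP listener and enforcement point

    # Classification: user on 10.1.1.50 authenticated as 'employee' (constructed).
    access_switch.bind_host("10.1.1.50", classify_dynamic("employee"))
    # Static classification of data-centre server subnets (constructed).
    dc_firewall.map_subnet("10.2.2.0/24", SGT["app_server"])
    dc_firewall.map_subnet("10.3.3.0/24", SGT["prod_server"])

    # Propagation: the firewall never saw the user's authentication; it learns over SXP.
    learned = sxp_propagate(access_switch, dc_firewall)

    return {
        "learned": learned,
        "employee->app": enforce(dc_firewall, "10.1.1.50", "10.2.2.10"),
        "employee->prod": enforce(dc_firewall, "10.1.1.50", "10.3.3.10"),
        "prod->prod": enforce(dc_firewall, "10.3.3.10", "10.3.3.11"),
        "app->prod": enforce(dc_firewall, "10.2.2.10", "10.3.3.10"),
        "unclassified->app": enforce(dc_firewall, "192.0.2.9", "10.2.2.10"),
        "fw_without_sxp": enforce(Device("lonely-fw"), "10.1.1.50", "10.2.2.10"),
    }


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:20s} {decision}")
```

The `fw_without_sxp` case is the point of the propagation phase: a firewall that has not learned the binding cannot classify the employee's source address and falls to the default deny, which is why a speaker/listener pair has to be configured on the path before the SGACL matrix can do anything useful.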

32. 802.1X MAB WebAuth Easy Connect

Let us discuss 802.1X, MAB, WebAuth and Easy Connect. Now, what is the definition of it? It's port-based access control using authentication. So what does it mean? It simply means that it's a user-based authentication where you have a username and password assigned to the adapter, and then it will authenticate. Once it authenticates, the change of authorization (CoA) will happen. And according to that you will get the VLAN, you will get the ACLs and those authorization things, and then you are able to access. Now we have the option to do this over WLAN as well. Okay, so let's move to the next section.

In the next section we have MAB, MAC Authentication Bypass. So we have the supplicant, we have the authenticator, we have the authentication server. Say, in the case of 802.1X, because you have the username and password set at the NIC, you can do this user-based authentication. But what about the devices that don't have a NIC supplicant or don't have a username and password? At that time you will rely only upon the MAC addresses, correct? So in this case these endpoints, these are the endpoints, say, with respect to MAC addresses, and these are the endpoints, say, with respect to users. So in this case, for the endpoints with respect to MAC addresses, these MAC addresses should be registered inside the authentication server or ISE. So what is the flow here? Bypassing for the known MAC addresses.

First of all, three retry failures will happen for EAP. Then the MAB request will go: it will request, say, a RADIUS Access-Request, with RADIUS Service-Type Call-Check. In the response, if you have the change of authorization, that means your authentication is successful, you are getting authorization successfully, and after that you can access. No problem with that. The only problem here is that it may cause some delay. Why? Because of these three EAP timeouts. And also you can note that we need a MAC address database as well. For 802.1X you need some endpoint user database; for this MAB authentication you need a MAC database. Now, next we have web authentication. It is very important to understand here that web authentication we are doing typically for guest user authentication.

All right, now this particular method doesn't require a supplicant. Now, how does this method happen and what are the types? We have two types: we have local web authentication and we have central web authentication. And the major difference between the local and the central web authentication is that here the method is HTTPS between the user and the authenticator; here it is using RADIUS. But in case of centralized web authentication we have the HTTPS method. Apart from that, you can see here the RADIUS Service-Type is Outbound. This is centralized administration; the authenticator hosts the web pages. This is also important: here the central server hosts the web pages.

So this is the third type of authentication method. And once you've done the authentication properly, then obviously you have the change of authorization, and in the upcoming slide we'll learn more about this. Change of authorization means what type of authorization we are getting once the authentication is successful. We'll see that. Now let's discuss more about the central web authentication flow in terms of wired. So what will happen? Authorized for URL redirect on MAB failure, limited access until authentication success, change of authorization for full access. So obviously, first of all, your authentication will happen; at that time you have limited access. Once your authorization is successful, once you get this message, then you will get full access, or whatever access is there in this success message or what is configured in it.

Now, bypassing for the unknown MAC addresses. So what will happen? First of all, it will time out three EAP attempts. So we have the 802.1X timeout. Then we have MAB. Now here in MAB we can see the RADIUS Access-Accept, ISE redirect URL, DACL, limited access. So this downloadable ACL has limited access. Once we are done with the web authentication, then the change of authorization will happen and this downloadable ACL will provide us full access. Okay? All right, so suppose now in case of wireless we have a WLC in between. In that case also you will see the points will be the same. The only thing here is that once you've done the authorization, meaning once you've done the full authentication and full authorization according to the authorization policies, you will get full access. Okay? So that is the change in the authorization; we'll see here in the authorization what options we have. Before that, let's discuss the Easy Connect architecture. Now this is the architecture that will be used inside the corporate network. So here I have one user, and this is the authenticator, and it is connected with the authentication server.

Here I am using an external database, the AD service, as well. So let me show you the flow. First of all, AD login. Once it is successful, my monitoring device will log that: okay, AD has logged in. That's correct because my ISE server is integrated with the AD server. Now second, the RADIUS. Now in the service node we have the success message: okay, RADIUS login is successful. Now, once your username and password are authenticated or authorized, meaning they pass through the authentication and authorization policies, after that your change of authorization will come. And now this user, this particular user, will get all those authorized services. Now here you can see that we have SXP as well between my switch and firewall. So here we have SXP running, okay.

Now with the help of these SXP services, what will happen? Let me show you that as well in the flow. Now you can see: publish session topic to pxGrid. So whatever context you are learning about this user from the monitoring device, it is going to the pxGrid controller. And now suppose this pxGrid controller is connected with some other device; they will learn all those attributes, all that behavior of that user. That is one thing. The second important thing: update the SXP peer with the SGT mapping from RADIUS plus EZC. So, what are these things? What is the SGT mapping? Let me show you in the next slide. So, here you will understand more about authentication and authorization. So, what will happen, say, you may have users, say, MAB for these types of users you have. You may have wired or wireless media or the authenticator service.

Now, what is happening here: once your authentication is successful, after that you have the change of authorization. Authentication methods: we have passive identity, like MAC address, Easy Connect. And then we have active identity like 802.1X, VPN access, web access. But here in CoA, change of authorization, we may have DACL, downloadable ACL, Airespace ACL, VLAN segment, security group tags. That was the thing I was referring to in the last slide. Then URL redirection, port configuration, service templates. So all these things will come under CoA, that is change of authorization. Okay. All right, so you can refer to this particular architecture. This is the flow: you are going and logging in to the AD server, that is the external database for my ISE.

Then ISE will log all those things inside the monitoring server. Then once you get authorized, you will get the access. You have the DACL, the downloadable ACL. You have VLAN assignment. So, everything will be assigned here. So, if you go to the switch, if you type show ip access-lists, you'll find that access list. If you type show vlan, you will find the VLAN that is configured or that will be authorized for this particular user. Okay? Now, the change of authorization will happen. If you have an SXP connection between your switch and your firewall, you need to enable the SXP connection. Then it will show you SXP, who is the listener, who is the speaker, like that. And then everything will be monitored inside the monitoring tool. Okay, so these are all those methods.
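The wired flow this section walks through (802.1X first, MAB after the EAP timeouts, and for an unknown MAC a URL redirect with a limited DACL until web authentication succeeds and a CoA grants full access) is easier to follow as a small state machine. The following is an added example in Python, not course material and not ISE or IOS code; the endpoint database, the user and guest accounts, the DACL contents and the portal URL are all constructed, and the RADIUS exchange is reduced to log lines on the session.

```python
"""Toy simulation of the wired access order 802.1X -> MAB -> central WebAuth (CWA)
with a CoA on WebAuth success. Added example; all data below is constructed."""

from dataclasses import dataclass, field

EAP_RETRIES = 3   # the lecture's three EAP timeouts before the switch falls back to MAB

# Constructed identity data that ISE would hold.
KNOWN_MACS = {"00:11:22:33:44:55": "printer"}   # MAB endpoint database
USER_DB = {"alice": "correct-horse"}             # 802.1X user database
GUEST_DB = {"guest1": "welcome"}                 # WebAuth (guest portal) accounts

# Constructed downloadable ACLs; only DNS and the portal are reachable pre-auth.
LIMITED_DACL = ["permit udp any any eq 53",
                "permit tcp any host ise.example.test eq 8443",
                "deny ip any any"]
FULL_DACL = ["permit ip any any"]
PORTAL_URL = "https://ise.example.test:8443/portal/guest"   # assumed redirect target


@dataclass
class Session:
    """What the authenticator (switch port) knows about one endpoint."""
    mac: str
    method: str = "none"        # 802.1X, MAB or CWA once decided
    state: str = "unauthorized" # unauthorized -> limited -> authorized
    dacl: list = field(default_factory=list)
    redirect_url: str = ""
    events: list = field(default_factory=list)   # the flow, as log lines


def dot1x(session: Session, supplicant) -> bool:
    """Port-based auth. supplicant is (user, password) or None for a device with no supplicant."""
    if supplicant is None:
        for attempt in range(1, EAP_RETRIES + 1):
            session.events.append(f"EAP-Request/Identity timeout {attempt}/{EAP_RETRIES}")
        return False
    user, password = supplicant
    ok = USER_DB.get(user) == password
    session.events.append(f"802.1X {'Access-Accept' if ok else 'Access-Reject'} for {user}")
    if ok:
        session.method, session.state, session.dacl = "802.1X", "authorized", list(FULL_DACL)
    return ok


def mab(session: Session) -> bool:
    """MAC Authentication Bypass: Access-Request with Service-Type Call-Check, MAC as username."""
    session.events.append(f"MAB Access-Request Service-Type=Call-Check user={session.mac}")
    if session.mac in KNOWN_MACS:
        session.method, session.state, session.dacl = "MAB", "authorized", list(FULL_DACL)
        session.events.append("MAB Access-Accept (known endpoint)")
        return True
    # Unknown MAC: still an Access-Accept, but with a redirect URL and a limited DACL.
    session.method, session.state = "CWA", "limited"
    session.dacl, session.redirect_url = list(LIMITED_DACL), PORTAL_URL
    session.events.append("MAB Access-Accept: url-redirect + limited DACL")
    return False


def web_auth(session: Session, creds) -> bool:
    """Guest logs in on the centrally hosted portal; success triggers a CoA for full access."""
    if session.state != "limited":
        return False
    user, password = creds
    if GUEST_DB.get(user) != password:
        session.events.append(f"WebAuth failed for {user}; session stays limited")
        return False
    session.events.append(f"WebAuth success for {user}; CoA reauthenticate -> full DACL")
    session.state, session.dacl, session.redirect_url = "authorized", list(FULL_DACL), ""
    return True


def connect(mac: str, supplicant=None, web_creds=None) -> Session:
    """Run the authentication order for one endpoint and return the resulting session."""
    session = Session(mac=mac)
    if dot1x(session, supplicant):
        return session
    if mab(session):
        return session
    if web_creds is not None:
        web_auth(session, web_creds)
    return session


if __name__ == "__main__":
    for s in (connect("aa:bb:cc:dd:ee:01", supplicant=("alice", "correct-horse")),
              connect("00:11:22:33:44:55"),
              connect("de:ad:be:ef:00:01", web_creds=("guest1", "welcome"))):
        print(s.mac, s.method, s.state, s.dacl)
        for line in s.events:
            print("   ", line)
```

Two things the run makes visible that the slides only name: the MAB delay is exactly the three EAP timeouts a device without a supplicant sits through before the switch sends the Call-Check request, and an unknown MAC is not rejected but accepted into a limited state, so the security of that state depends entirely on how tight the pre-authentication DACL is.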
