
Taking Authentication to the Next Level with Cisco Secure Access by Duo
Stefan Dürnberger
Technical Solutions Architect
CCIE Security #16458

BRKSEC-2748
Session Objectives
We are all looking for a secure and easy way to authenticate users when accessing applications. This session is about how Duo makes this process convenient and inherently secure. We will have a closer look at how Duo Passwordless works and explore new product enhancements such as OIDC (OpenID Connect) and risk-based authentication, to name just a few. This intermediate session is targeted at Security Architects and Security Admins who want to get a deeper understanding of the various AuthN flows supported by Duo Security.

BRKSEC-2748 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Authentication methods
• FIDO2
• OpenID Connect & Duo CloudSSO
• Recent, major Duo enhancements
• Risk-based Authentication
• User Attribute Transformation
• Wrap Up
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2748

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker (Stefan Dürnberger) after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated until February 24, 2023.
About me
• Stefan Dürnberger – [email protected]
• 23 years in IT, 18 years in IT Security
• 15+ years at Cisco
• A so-and-so football player & coach, love rock music, like to be outside, craftsman (not qualified but ambitious), being a poor programmer
Introduction
Graphic: https://danielmiessler.com

MFA Methods
• Risk based Auth
• Step Up
• Verified Push
• Phishing is a low-skill, low-cost attack: you just order a service
• Regardless of what you do, you share a secret
• Password reset cost ~$70

Notes on the slide:
• Evilproxy is a Proxy as a Service for phishing
• Take care of the backup authentication method. Think about a single, lost authenticator.
FIDO2 & Duo
Fast IDentity Online (FIDO2)
Overview
• FIDO2 provides a secure, phishing-resistant and convenient way of authenticating to web services that support the standard.
• CISA urges implementing phishing-resistant authentication like FIDO2: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
• The goal is to have an open authentication standard which offers something you have & something you know and/or something you are.
• FIDO2 authentication can be used as a 2nd factor, for passwordless, or for name & passwordless authentication

Protocol layers: Authenticator <-- CTAP2 --> Client <-- WebAuthn --> Relying party
Fast IDentity Online (FIDO2)
Registration Ceremony (simplified)
Authenticator (Built-in, NFC, BLE, USB) <--> Client <--> Relying Party
1. Initial User Authentication
2. Challenge: User Info, RP_ID, Attestation; optional: Authenticator Selection
3. Make Cred Call: RP_ID, UserID, Options + originID
4. Signed Challenge (POST HTTP/1.1)

Authenticator stores:
RP_ID       | PrivateKey | PublicKey | CredID | Attestation Private Key
example.com | ABCDEF     | 12345     | XYZ    | AEI89AG

Relying Party stores:
UserName | UserID | PublicKey | CredID
Stefan   | AG87AR | 12345     | XYZ
Fast IDentity Online (FIDO2)
Authentication Ceremony (simplified)
Authenticator (Built-in, NFC, BLE, USB) <--> Client <--> Relying Party
1. Initial User Authentication
2. Challenge: RP_ID, Cred_ID
3. RP_ID, CredID, clientData (no CredID for name&passwordless login)
4. Signed Assertion

Authenticator stores:
RP_ID       | PrivateKey | PublicKey | CredID | Attestation Private Key
example.com | ABCDEF     | 12345     | XYZ    | AEI89AG

Relying Party stores:
UserName | UserID | PublicKey | CredID
Stefan   | AG87AR | 12345     | XYZ
Fast IDentity Online (FIDO2)
• Duo supports FIDO2 authentication for Passwordless and 2FA
• Platform & Roaming authenticators
• No Attestation Certificate validation, nor Enterprise Attestation validation
• User Presence vs User Verification

FIDO2 authentication – use cases
Risk-Based Authentication
Diagram: User Attributes, Device Attributes, Risk Attributes -> Data -> Engine -> Action; Offline Risk Detection
• Detects known attack patterns
• Push harassment, Push fatigue, Push spray as well as high risk login location
• Processes historical statistics
• Device IP, Browser Agent String, Time of Day, Wi-Fi Fingerprint
• Risk-Based Remembered Device & Factor Selection
Risk-Based Authentication: Push Harassment

Risk-Based Authentication: Country code mismatch detection
Risk-Based Authentication
Wi-Fi Fingerprint
Diagram: HASH, SALT, SSID, BSSID
• Anonymized Wi-Fi network data provides a strong signal of a novel location. Takes advantage of the Duo Device Health Application (DHA)
• Client-side hashing
• Unique key eliminates replay attacks
• A deviation from the familiar/usual working location towards an unfamiliar location triggers a step-up, in the sense of using only "more secure AuthC factors"
• Familiar Wi-Fi fingerprints reduce the step-ups, while unfamiliar Wi-Fi fingerprints increase them
Speaker's note: During testing, I was certainly at a different place ☺
OpenID Connect (OIDC)
OIDC Fundamentals
• Differences between SAML, OAuth
• Filling missing gaps of OAuth2.0 (OAuth2)
• In OIDC, scopes are used by clients to authorize access to the user's resources
• Claims are attributes about the identity itself
• OIDC uses access tokens and ID tokens (JSON Web Token, JWT)
• OIDC flows support a variety of use cases
• Identifies users from mobile applications, SPAs. Support for Machine-to-Machine Authentication & Authorization. Duo supports Authorization Code flow & Client Credentials in Early Access Mode
OIDC Roles
• Resource Owner: that's you!
• Client/Relying Party: application, i.e. browser, app
• OpenID Provider/Authorization Server: Duo CloudSSO

Actors in an OIDC dance: Authorization Code Flow

OIDC Demo: Postman
User Attribute Transformation
• User Attribute Transformation is a Duo CloudSSO feature
• Available for Generic SAML SP applications
• Performs attribute modification before the SAML assertion gets sent out
• Using an expression language: $RULE_NAME $OPTION="$OPTION_VALUE"
• Processing a list of rules from top to bottom
User Attribute Transformation
Use-Cases
• Appending/Prepending a suffix to a username, mapping it to a SAML SP role
• Character transformation: Uppercase, Lowercase
• Cisco AnyConnect RAVPN group-policy can be specified by a SAML assertion attribute
• When an attribute "cisco_group_policy" is received by the Secure Firewall, the corresponding value is used to select the connection group-policy
• Optional: Can be used as part of Dynamic Access Policy
Cisco AnyConnect & User Attribute Transformation
Group-Policies & Dynamic Access Policies (DAP)
• A group policy is a set of user-oriented attribute/value pairs for RAVPN connections
• Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user
• DAP allows granular access control to resources based on authentication method & authentication parameters
• Users can be assigned to a single Group-Policy but can use multiple DAPs
• DAPs are aggregated
Reference: BRKSEC-2287
SAML Overview – Cisco AnyConnect ext. Browser
Callout on the flow diagram: User Attribute Transformation happens at this stage (the Duo CloudSSO / IdP step)!
SAML AuthZ – A practical use-case (Duo CloudSSO)

FP2120# show running-config dynamic-access-policy-record Frontend-Access
dynamic-access-policy-record Frontend-Access
 user-message "Access to Frontend granted"
 network-acl FrontendACL

FP2120# more disk0:/dap.xml
<dapRecordList>
  <dapRecord>
    <dapName>
      <value>Frontend-Access</value>
    </dapName>
    <dapViewsRelation>
      <value>and</value>
    </dapViewsRelation>
    <dapBasicView>
      <dapSelection>
        <dapPolicy>
          <value>match-all</value>
        </dapPolicy>
        <attr>
          <name>aaa.saml.cisco_group_policy</name>
          <operation>EQ</operation>
          <value>GlobalEmployees</value>
        </attr>
        <attr>
          <name>aaa.saml.memberOf</name>
          <operation>EQ</operation>
          <value>Sales</value>
        </attr>

DAP debug output for the connecting user:
aaa["saml"]["memberOf"]["1"]="Sales"
aaa["saml"]["memberOf"]["2"]="GlobalEmployees"
aaa["saml"]["cisco_group_policy"]="GlobalEmployees"
aaa["saml"]["_cisco_saml_uid_"]="[email protected]"
[email protected], dap_concat_fcn: [Access to Frontend granted] 26 490
Classifying FrontendACL: priority=0, sense=0(White), Denies=0, Permits=1

FP2120# show vpn-sessiondb anyconnect
Username : [email protected]
Group Policy : GlobalEmployees
Tunnel Group : SAML_SingleCert_CloudSSO
SAML AuthZ – A practical use-case (Duo CloudSSO)

FP2120# show running-config dynamic-access-policy-record Backend-Access
dynamic-access-policy-record Backend-Access
 user-message "Access to Backend granted"
 network-acl BackendACL
 priority 10

FP2120# more disk0:/dap.xml
  <dapRecord>
    <dapName>
      <value>Backend-Access</value>
    </dapName>
    <dapViewsRelation>
      <value>and</value>
    </dapViewsRelation>
    <advancedView>
      <value>assert(function()&#13;
if ( (type(aaa.saml.distinguishedName) == "string") and&#13;
(string.find(aaa.saml.distinguishedName, "OU=Engineering,DC=gold%-dust%-lab,DC=de$") ~= nil) ) then&#13;
return true&#13;
end&#13;
return false&#13;
end)()</value>
    </advancedView>
    <dapBasicView>
      <dapSelection>
        <dapPolicy>
          <value>match-all</value>
        </dapPolicy>
        <attr>
          <name>aaa.saml.memberOf</name>
          <operation>EQ</operation>
          <value>SystemsEngineering</value>
        </attr>

Expert Tip: in the Lua pattern, % needs to be placed before the special character (here the "-" in gold-dust-lab).

DAP debug output for the connecting user:
aaa["saml"]["distinguishedName"]="CN=Whiskey,OU=Engineering,DC=gold-dust-lab,DC=de"
aaa["saml"]["memberOf"]["1"]="SystemsEngineering"
aaa["saml"]["memberOf"]["2"]="GlobalEmployees"
aaa["saml"]["cisco_group_policy"]="GlobalEmployees"
aaa["saml"]["_cisco_saml_uid_"]="[email protected]"
[email protected], dap_concat_fcn: [Access to Backend granted] 25 490
Classifying BackendACL: priority=10, sense=0(White), Denies=0, Permits=1

FP2120# show vpn-sessiondb anyconnect
Username : [email protected]
Group Policy : GlobalEmployees
Tunnel Group : SAML_SingleCert_CloudSSO
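The selection logic of the two DAP records above, plus the cisco_group_policy fallback from the use-case slides, as an added Go example (not Cisco's or Duo's code; the headend itself evaluates these records in Lua): match-all on the basic view, a literal DN-suffix check for the advanced view, aggregation of every matching record, and the default group policy when no cisco_group_policy attribute arrives. Attrs, DAPRecord and Evaluate are assumed names.

```go
package main

import "regexp"

// Attrs is the aaa["saml"][...] table from the DAP debug output; memberOf is multi-valued.
type Attrs map[string][]string

// DAPRecord mirrors the two records on the slides: EQ conditions from the basic view
// (match-all) and an optional DN-suffix check from the advanced view, ANDed together.
type DAPRecord struct {
	Name     string
	Basic    map[string]string // attribute name -> value that must be present
	DNSuffix string            // literal suffix of distinguishedName; "" = no advanced check
}

// Matches applies match-all to the basic view, then the DN test. QuoteMeta is the counterpart
// of the "%" tip on the slide: in a Lua pattern the "-" in gold-dust-lab must be written "%-".
func (r DAPRecord) Matches(a Attrs) bool {
	for name, want := range r.Basic {
		found := false
		for _, v := range a[name] {
			found = found || v == want
		}
		if !found {
			return false
		}
	}
	if r.DNSuffix == "" {
		return true
	}
	dn := a["distinguishedName"]
	if len(dn) != 1 { // the type(...) == "string" guard on the slide
		return false
	}
	return regexp.MustCompile(regexp.QuoteMeta(r.DNSuffix) + "$").MatchString(dn[0])
}

// Evaluate returns the names of all matching records (DAPs are aggregated) and the group
// policy taken from cisco_group_policy, falling back to the default group policy.
func Evaluate(records []DAPRecord, a Attrs, defaultGP string) ([]string, string) {
	var hits []string
	for _, r := range records {
		if r.Matches(a) {
			hits = append(hits, r.Name)
		}
	}
	if v := a["cisco_group_policy"]; len(v) == 1 {
		return hits, v[0]
	}
	return hits, defaultGP
}
```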
Hidden slide – only visible in handout version

Use-Case: Map Attributes
• Dynamic assignment of RAVPN group-policy based on directory attributes like department, city, ...
• Independent of Attribute Transformation!
• If an attribute with the name cisco_group_policy is received by the VPN headend, the corresponding value is used to select the connection group-policy
• No match -> Default Group-Policy gets assigned

Example assertion attribute:
<saml:Attribute Name="cisco_group_policy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xsi:type="xs:string">Duo_Prod</saml:AttributeValue>
</saml:Attribute>
Hidden slide – only visible in handout version

Role attributes
Use-Case
• Dynamic assignment of RAVPN group-policy w/o processing directory attributes
• Independent of Attribute Transformation!
• If an attribute with the name cisco_group_policy is received by the VPN headend, the corresponding value is used to select the connection group-policy
• No match -> Default Group-Policy gets assigned

Diagram labels: "Name of the locally significant group to Duo" -> "Secure Firewall Group Policy"
SAML Authentication
AnyConnect & Duo CloudSSO
• SAML authentication happens at an early stage
• In case of Duo CloudSSO (IdP), this is where Duo policies get processed, as well as where user attribute transformation happens

Note: Extraction of Duo's policy attributes, including but not limited to:
• Device Compliancy (Posture, managed vs unmanaged)
• Device Cookie
• Client Device & Browser
• L3 information (CIDR, Geo Info, Anonymizer, …)
• Step-up Authentication
When processing high-value data, we have to have best-in-class security products for protection, a high-level assurance of who is accessing the data, continuously verifying the risk, and being able to control a session whenever a contextual change happens.
Complete your Session Survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the "Attendee Dashboard" at https://www.ciscolive.com/emea/learn/sessions/session-catalog.html
Continue Your Education
• Visit the Cisco Showcase for related demos.
• Book your one-on-one Meet the Engineer meeting.
• Meet the Speaker: Area 1 | 02/09/23 | 11:00 AM
• Attend any of the related sessions at the DevNet, Capture the Flag, and Walk-in Labs zones.
• Visit the On-Demand Library for more sessions at ciscolive.com/on-demand.
A bit too early for beverages, but in case they serve later today in the World of Solutions, you can find me there!
Thank you
