AnyConnect Secure Mobility

Increasing mobile usage and device choice have exposed the unnecessary complexity and limited device support of legacy remote access solutions. They have also left a security hole as users circumvent corporate policy in a borderless network. This session focuses on how the AnyConnect Secure Mobility solution combines Cisco's web security and next-generation remote access technology to deliver a robust and secure enterprise mobility solution. Customers benefit from context-aware, comprehensive and preemptive security policy enforcement; intelligent, seamless and always-on connectivity; and secure mobility across today's proliferating managed and unmanaged mobile devices. At the end of the session, attendees will have an in-depth understanding of the Cisco AnyConnect Secure Mobility solution, which integrates the Cisco AnyConnect Client, the Cisco Adaptive Security Appliance (ASA) and the Cisco Web Security Appliance (WSA). Attendees will understand the recommended AnyConnect Secure Mobility architectures and how to implement the new solution on top of current security installations.

Speaker notes

  • Organizations that deliver the experience we just described are truly borderless: connecting anyone (employees, partners and customers) to anything, anywhere, anytime, delivering the same productivity, the same access to information and the same responsiveness. We call it the borderless experience: securely, reliably, and seamlessly. Let’s take a look [CLICK – Transition] at how Borderless Networks delivers on that vision.

Transcript

  • 1. AnyConnect Secure Mobility
    Presented by Tim Davidson
    #CNSF2011
  • 2. Agenda
    Solution Overview
    Deployment Scenarios
    Feature Highlights
    Q & A
    Wrap Up
  • 3. Solution Overview
  • 4. X
    as a Service
    Platform
    as a Service
    Infrastructure
    as a Service
    Software
    as a Service
    Security in the Borderless World
    Policy
    Corporate Border
    Applications and Data
    Corporate Office
    Branch Office
    Airport
    Home Office
    Mobile User
    Attackers
    Coffee Shop
    Customers
    Partners
  • 5. Personal Choice vs Corporate Policy
    Business
    Personal
  • 6. Traditional Remote Access VPN
    Limited
    Predominantly PC-based
    Client Support
    Manual
    Numerous “clicks”
    Non-persistent Connection
    No Security or Visibility
    Security
    Rarely-On
    Only connected if / when
    absolutely necessary
    Intranet
    Corporate File Sharing
  • 7. Traditional Mobile Web Security
    Limited Clients
    Predominantly PC-based
    Client Support

    Limited Security
    URL-filtering client unable
    to address key use cases
    Data Loss Prevention
    Acceptable Use
    Threat Prevention
    Access Control
    No Access
    Access
    No Access
    Not integrated, requires
    separate VPN client
    Intranet
    Corporate File Sharing


  • 8. Web Security with Next Generation Remote Access
    Choice
    Diverse Endpoint Support for Greater Flexibility
    Security
    Rich, Granular Security Integrated into the Network
    Acceptable Use
    Data Loss Prevention
    Threat Prevention
    Access Control
    Experience
    Always-on Intelligent Connection for Seamless Experience and Performance
    Access Granted
    Intranet
    Corporate File Sharing
  • 9. AnyConnect Secure Mobility Client: Network and Security Follows User—It Just Works
    Corporate Office
    Mobile User
    Home Office
    Broad Mobile Support
    • Fixed and semi-fixed platforms
    • Mobile platforms
    Persistent Connectivity
    • Always-on connectivity
    • Optimal gateway selection
    • Automatic hotspot negotiation
    • Seamless connection hand-offs
    Wi-Fi
    Wired
    Cellular/Wi-Fi
    Next-Gen Unified Security
    • User/device identity
    • Posture validation including managed vs unmanaged assets
    • Integrated web security for always-on security (hybrid)
    • Clientless and desktop virtualization
    Secure, Consistent Access
    Voice—Video—Apps—Data
  • 17. Enabling the New Borderless Organization
    Anyone
    Anything
    Anywhere
    Anytime
    Securely, Reliably, Seamlessly
  • 18. Secure Borderless Network Architecture: Enabling Mobility, Extending Security
    Outside the Corp Environment
    Inside the Corp Environment
    Always-On Integrated Security and Policy
    802.1X, TrustSec, MACsec
    SECURITY and POLICY
    Customers
    Coffee Shop
    Home Office
    Local Data Center
    X
    as a Service
    Software
    as a Service
    Platform
    as a Service
    Infrastructure
    as a Service
    Corporate Office
    Branch Office
    Airport
    Mobile User
    Attackers
    Partners
    CORP DMZ BORDER
  • 19. Deployment Scenarios
  • 20. User
    Authenticates
    Internet
    SSL VPN
    Tunnel All Traffic
    Cisco AnyConnect Secure Mobility with Web Security Appliance
    Trusted Network
    News
    Email
    User Identity
    facebook.com
    ASA
    WCCP
    Cisco Web Security Appliance
    Corporate AD
    Social Networking
    Enterprise SaaS
    Untrusted Network
    ASA > WSA
    • Authentication handoff (SSO)
    • Identity and location aware policy enforcement
    • Location-aware reporting
    AnyConnect
    • Always-on VPN (admin configurable)
    • Optimal head end auto-detect
    • Transparent auth (certificate)
  • Transparent Redirection – Single ASA (WCCP on Router)
    ASA Config
    ! default route applied only to traffic decrypted from VPN tunnels, so AnyConnect web traffic is sent toward the WSA next hop
    route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
    route inside 10.10.10.0 255.0.0.0 192.168.1.2
    IOS Config
    ip wccp 80 redirect-list redirect-acl
    interface eth0
    ip wccp 80 redirect in
  • 25. Transparent Redirection – Single ASA (WCCP on ASA)
    ASA Config
    route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
    route inside 10.10.10.0 255.0.0.0 192.168.1.2
    wccp 80 redirect-list redirect-acl
    wccp interface inside 80 redirect in
  • 26. Transparent Redirection (Alternate Egress)
    ASA-1 Config
    route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
    route inside 10.10.10.0 255.0.0.0 192.168.1.2
    IOS Config
    ip wccp 80 redirect-list redirect-acl
    interface eth0
    ip wccp 80 redirect in
  • 27. Explicit Proxy Redirection
  • 28. Explicit Proxy Redirection
  • 29. IPSec / SSL VPN
    Internal Data
    Internet
    Cisco AnyConnect Secure Mobility with Cloud Web Security
    Trusted Network
    facebook.com
    ASA
    Untrusted Network
    ScanSafe
    • Web 2.0 Content Control
    • Dynamic Web Classification
    • Search Ahead
    • Outbreak Intelligence
    • Real-time Content Analysis
    AnyConnect
    • Always-on VPN (admin configurable)
    • Optimal head end auto-detect
    • Transparent auth (certificate)
  • AnyConnect 3.0 Web Security with ScanSafe
    ScanSafe
    Internet bound web communications
    Internal communications
    AnyConnect Secure Mobility Client
  • 37. Feature Highlights
  • 38. Cisco AnyConnect Secure Mobility Features
    Web Security
    Appliance
    Cloud Web Security
    AnyConnect
    ASA Firewall
    • Trusted Network Detection
    • Session Persistence
    • Optimal Gateway Selection
    • Always-on VPN
    • Enhanced Device Support
    • IPSec IKEv2
    • Network Access Manager
    • Telemetry
    • SCEP Enrollment
    • Remote Specific Policy
    • Application Controls
    • SaaS Access Control
    • Multi-layer malware defense
    • URL filtering & Dynamic Categorization
    • Data Security
    • Application Visibility and Control
    • AnyConnect Secure Mobility Head End Support
    • Optimized WSA Traffic handoff
    • Simplified Management
    • Enterprise firewall
    • Remote Access Head End
    • BotNet Filter
    • Web 2.0 Content Control
    • Dynamic Web Classification
    • HTTP/s Scanning
    • Search Ahead
    • Outbreak Intelligence
    • Real-Time Content Analysis
    • Acceptable Use / Control
    • Malware Defense
  • Cisco AnyConnect Secure Mobility: Always On
    • Always On VPN extends the virtual perimeter to the endpoint
    • Security persistence and policy are administratively controlled
    • If the ASA head-end is unreachable: fail-open (direct network access) or fail-close (no network access)
    Security Enforcement Array
    Location-aware
    Captive portal
    Nearest headend
    Auth persistence
    Security Persistence with Always On VPN (Fail Closed or Fail Open)
  • 71. Cisco AnyConnect Secure Mobility Session Persistence
    • Always-On, Fail Closed
    • No Network Access Available
    • Manual URL Entry is not Allowed
    • Connection Status
  • AnyConnect Always-On: ASDM Profile Configuration
  • 75. Trusted Network Detection: Intelligent Mobility
    • Automatically connects or disconnects under the following conditions:
    • In Office
    • Out of Office
    • Location determination made by Default Domain Name or DNS server IP
    • Other checks likely in future
    • Certificate authentication for seamless reconnection
    • Administratively controlled policy
    • Windows XP, Vista, 7 & Mac OS X
    Trusted Network Detection
    In Office
    Out of Office
  • 83. Trusted Network Detection
    DHCP Request
    Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity
    • Trusted Network Detection is configurable via the AnyConnect profile
    • Trusted networks can be defined as DNS suffixes or DNS server IP addresses
    • DNS suffixes and DNS server IP addresses must be defined on the client workstation dynamically (DHCP)
    • If both the trusted DNS suffix and DNS server IP address are defined, the entries will be ANDed to determine the trusted network
    Corporate Headquarters
    Home Office
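The trusted-network decision the slide describes, written out as an added example (this is not Cisco's client code and not part of the original deck): the profile names trusted DNS suffixes and/or trusted DNS server addresses, the client compares them with what DHCP handed out on the current interface, and when both criteria are configured they are ANDed. The profile field names, the DHCP lease shape and the sample values are assumptions constructed for the example.

```python
"""Trusted Network Detection decision logic as outlined on the slide."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class TndProfile:
    # Hypothetical stand-in for the AnyConnect profile settings (names assumed).
    trusted_dns_suffixes: FrozenSet[str] = frozenset()
    trusted_dns_servers: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class DhcpLease:
    # What the client learned from DHCP on the active interface.
    dns_suffix: str
    dns_servers: Tuple[str, ...]


def _norm(name: str) -> str:
    """Case- and trailing-dot-insensitive DNS name comparison."""
    return name.strip().lower().rstrip(".")


def is_trusted_network(profile: TndProfile, lease: DhcpLease) -> bool:
    """True when the DHCP-learned DNS settings match the trusted definition.
    Every configured criterion must hold (AND); with nothing configured the
    network is treated as untrusted, so the VPN stays on."""
    results = []
    if profile.trusted_dns_suffixes:
        suffixes = {_norm(s) for s in profile.trusted_dns_suffixes}
        results.append(_norm(lease.dns_suffix) in suffixes)
    if profile.trusted_dns_servers:
        results.append(any(ip in profile.trusted_dns_servers for ip in lease.dns_servers))
    return bool(results) and all(results)


def desired_action(profile: TndProfile, lease: DhcpLease) -> str:
    """'disconnect' in office (trusted network), 'connect' out of office."""
    return "disconnect" if is_trusted_network(profile, lease) else "connect"


# Constructed sample data (not taken from the deck).
PROFILE = TndProfile(
    trusted_dns_suffixes=frozenset({"corp.example"}),
    trusted_dns_servers=frozenset({"10.0.0.53", "10.0.1.53"}),
)
IN_OFFICE = DhcpLease("corp.example", ("10.0.0.53",))
HOME_OFFICE = DhcpLease("home.lan", ("192.168.1.1",))
SUFFIX_ONLY = DhcpLease("corp.example", ("192.168.1.1",))  # suffix matches, server does not

if __name__ == "__main__":
    for name, lease in [("office", IN_OFFICE), ("home", HOME_OFFICE), ("suffix-only", SUFFIX_ONLY)]:
        print(f"{name}: {desired_action(PROFILE, lease)}")
```

The SUFFIX_ONLY case is the one the AND rule is for: a network that advertises the corporate DNS suffix but not a corporate DNS server is still treated as untrusted, so the client connects rather than dropping the tunnel on the strength of one DHCP attribute.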
  • 87. Trusted Network Detection
    ASDM Profile Configuration
  • 88. Optimal Gateway Selection
    Feature Parameters:
    • Suspension Time Threshold (hours)
    • Performance Improvement Threshold (%)
    Diagram: round-trip times measured from the client to head-ends in London, Los Angeles, Boston and New York (Time = 23–35 ms)
    Connects to the Most Optimal Head-end
    HTTPS Request Approximated by Fastest Round Trip Time
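Optimal Gateway Selection as the slide outlines it, as an added example (not the AnyConnect implementation): probe every head-end, rank by round-trip time, and only move an already-connected user to a faster head-end when the session was suspended for at least the suspension threshold and the gain meets the performance-improvement threshold. The RTT samples, the head-end names and the threshold defaults are constructed for the example, and the handling of an unreachable head-end (no samples, so it is dropped from the ranking) is an assumption.

```python
"""Optimal Gateway Selection: rank head-ends by RTT, switch only when worthwhile."""
from statistics import median
from typing import Dict, Optional, Sequence

# Constructed RTT probe results in milliseconds, one tuple per head-end.
# "Sydney" has no samples: the probe never answered, so it is unreachable.
RTT_SAMPLES_MS: Dict[str, Sequence[float]] = {
    "London": (33, 35, 26),
    "Los Angeles": (25, 28, 23),
    "Boston": (27, 26, 25),
    "New York": (29, 31, 30),
    "Sydney": (),
}


def summarize_rtts(samples: Dict[str, Sequence[float]]) -> Dict[str, float]:
    """One RTT figure per reachable head-end; the median damps a single slow probe."""
    return {gw: float(median(s)) for gw, s in samples.items() if s}


def fastest(rtts: Dict[str, float]) -> str:
    """Head-end with the lowest round-trip time."""
    return min(rtts, key=rtts.get)


def select_gateway(
    rtts: Dict[str, float],
    current: Optional[str],
    hours_suspended: float,
    suspension_threshold_hours: float = 4.0,
    improvement_threshold_pct: float = 20.0,
) -> str:
    """Pick the head-end to connect to.

    - First connection (or current head-end gone): take the fastest.
    - Resumed before the suspension threshold: stay on the current head-end.
    - Otherwise switch only if the fastest head-end improves RTT by at
      least improvement_threshold_pct relative to the current one.
    """
    best = fastest(rtts)
    if current is None or current not in rtts:
        return best
    if hours_suspended < suspension_threshold_hours:
        return current
    improvement_pct = (rtts[current] - rtts[best]) / rtts[current] * 100.0
    return best if improvement_pct >= improvement_threshold_pct else current


if __name__ == "__main__":
    rtts = summarize_rtts(RTT_SAMPLES_MS)
    print("ranked:", sorted(rtts.items(), key=lambda kv: kv[1]))
    print("first connect ->", select_gateway(rtts, None, 0.0))
    print("London, 1h suspended ->", select_gateway(rtts, "London", 1.0))
    print("London, 5h suspended ->", select_gateway(rtts, "London", 5.0))
    print("Boston, 5h suspended ->", select_gateway(rtts, "Boston", 5.0))
```

With these numbers a user on London (33 ms) who resumes after 5 hours moves to Los Angeles (25 ms, a 24% gain), while a user on Boston (26 ms) stays put because a 1 ms difference is below the 20% threshold; both thresholds exist so that the client does not bounce between head-ends on every reconnect.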
  • 90. Optimal Gateway Selection
    ASDM Profile Configuration
  • 91. Captive Portal Detection
    • Always-On enforces VPN connectivity.
    • If AnyConnect fails to connect, its endpoint can fail closed, preventing network connectivity to and from the endpoint.
    • Always-On allows AnyConnect users to remediate their captive portal prior to required VPN establishment.
  • Captive Portal Detection
    User Experience
    • Captive Portal Remediation Required
  • Captive Portal
    ASDM Profile Configuration
  • 94. AnyConnect Session Persistence
    Network Follows Users – It Just Works
    • VPN session remains connected:
    • While user migrates between networks (3G, WiFi, LAN, etc.)
    • During loss of network connectivity
    • During system hibernation / standby
    • Administratively controlled policy
    • Compatible with all auth methods
    User does not re-authenticate after hibernation/standby
    Auto-detect and connect
    Transparent handoff
    Session persistence
    Persistent
    Connectivity
  • 100. Session Persistence
    User Experience: User Indicator
    • Connection State: Reconnecting
  • Cisco AnyConnect Secure Mobility
    Across SSL Connection
    ASA-WSA Communication
    User Identity & Tunneled IP
    News
    Email
    facebook.com
    User Authenticates
    Adaptive Security Appliance
    Web Security Appliance
    VPN Tunnel
    Established
    VPN Tunnel
    Authentication
    User & Group
    Authorization
    Active Directory LDAP, NTLMSSP, Basic
    ASA WSA
    AnyConnect Authenticates and Establishes a VPN Tunnel to the ASA
    ASA Extracts Username from Certificate or AAA Server
    ASA Forwards Username and Tunneled IP Address to the WSA
    WSA Verifies Username and Group Membership against Active Directory
    WSA Applies Policies based on Username or Group Membership
  • 101. ASA > WSA Configuration
    ASA to WSA Communication
    • ASA & WSA Communication Network
    • Enable Secure Mobility Solution
    • Services Port
    • WSA Access Password
  • WSA > ASA Configuration
    ASA to WSA Communication
    • Enable Secure Mobility Solution
    • Enable Cisco ASA Integration
    • ASA Hostname or IP Address, Service Port & Access Password
  • ASA > WSA Configuration
    Communication Test
    • Verify ASA > WSA Communication
    • Verify WSA > ASA Communication
  • Policy Enforcement: Control / Security
  • 108. Internet
    Cisco IronPort Web Security Appliance: Industry Leading Secure Web Gateway
    Security
    Malware Defense
    Data Security
    Secure Mobility
    Control
    Acceptable Use Controls
    SaaS Access Controls
    Centralized Management and Reporting
  • 109. Controls in Action
  • 110. Bandwidth Control: Corporate Approved
    Full Bandwidth
  • 111. Web Security Appliance Configuration
    Allow Business Relevant Video
  • 112. Bandwidth Control: Restricted
    Marketing
    Finance
    Legal
  • 113. Web Security Appliance Configuration
    Restrict Media
  • 114. Bandwidth Control: Customized
    Marketing
    Finance
    Legal
  • 115. Web Security Appliance Configuration
    Override Restrictions
  • 116. Facebook Controls
  • 117. Facebook Controls
  • 118. Web Security Appliance Configuration
    Facebook Control
  • 119. Facebook Controls
    DENIED
    PERMISSION
  • 120. Web Security Appliance Configuration
    Override Restrictions
  • 121. SaaS Access Control
    Regaining Visibility and Control Through Identity
    SaaS Single Sign On
    Corporate Office
    Redirect @ Login
    Branch Office
    SaaS Single Sign On
    Home Office
    AnyConnect Secure Mobility Client
    User Directory
    No Direct Access
    X
    Visibility | Centralized Enforcement | Single Source Revocation
  • 122. SaaS Single Sign On
    Seamless Single Sign-on
    No login needed
  • 123. SaaS Single Sign-On
    User Accesses Web Site
    Connection Proxied
    Redirect to SAML SSO URL
    Redirect to SAML SSO URL
    Browser Requests SSO URL
    Javascript POST ACS URL
    + SAML response
    POSTS SAML response
    POST proxied to website
    User Logged Into Service
    Delivers Web User’s Portal
    Authenticate
    (if unknown)
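The SaaS single sign-on sequence on the slide, driven end to end as an added example (not the WSA's or any SaaS provider's code): the proxy intercepts the first request to the SaaS site and redirects to the SAML SSO URL, the identity provider authenticates the user if unknown and answers with a JavaScript auto-POST of a SAML response to the ACS URL, that POST is proxied to the site, and the user lands on the portal logged in. The URLs, the user directory and the message shapes are constructed for the example, and an HMAC stands in for the IdP's XML signature so that the ACS-side verification step can be shown offline.

```python
"""SP-initiated SAML SSO through a web proxy, step by step."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAAS_URL = "https://saas.example.test/portal"        # constructed
SSO_URL = "https://sso.example.test/saml/sso"        # constructed
ACS_URL = "https://saas.example.test/saml/acs"       # constructed
IDP_KEY = b"constructed-idp-signing-key"             # stand-in for the IdP signing key
USER_DIRECTORY = {"alice": {"enabled": True, "groups": ["marketing"]}}  # constructed


def _sign(payload: bytes) -> str:
    """Stand-in for the IdP's XML signature over the assertion."""
    return hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()


def proxy_request(url: str, session: Dict) -> Dict:
    """Proxy step: without a SaaS session, redirect to the SSO URL and keep the
    original destination as RelayState. The site is never reached directly."""
    if session.get("user"):
        return {"step": "deliver_portal", "status": 200, "user": session["user"]}
    return {"step": "redirect_to_sso", "status": 302,
            "location": SSO_URL + "?" + urlencode({"RelayState": url})}


def idp_sso(location: str, authenticated_user: Optional[str]) -> Dict:
    """IdP step: authenticate if unknown, check the directory, then return a
    signed SAML response wrapped in a JavaScript auto-POST to the ACS URL."""
    relay = parse_qs(urlparse(location).query).get("RelayState", [SAAS_URL])[0]
    if authenticated_user is None:
        return {"step": "authenticate", "status": 401}
    entry = USER_DIRECTORY.get(authenticated_user)
    if not entry or not entry["enabled"]:
        return {"step": "denied", "status": 403}   # single source of revocation
    assertion = json.dumps({"subject": authenticated_user, "audience": ACS_URL,
                            "groups": entry["groups"]}).encode()
    saml_response = base64.b64encode(assertion + b"." + _sign(assertion).encode()).decode()
    return {"step": "js_post_acs", "status": 200, "form_action": ACS_URL,
            "SAMLResponse": saml_response, "RelayState": relay}


def acs(form: Dict) -> Dict:
    """Service-provider ACS step (the POST arrives through the proxy): verify
    signature and audience, then establish the session."""
    assertion, _, sig = base64.b64decode(form["SAMLResponse"]).rpartition(b".")
    if not hmac.compare_digest(sig.decode(), _sign(assertion)):
        return {"step": "rejected", "status": 400}
    claims = json.loads(assertion)
    if claims["audience"] != ACS_URL:
        return {"step": "rejected", "status": 400}
    return {"step": "logged_in", "status": 302, "location": form["RelayState"],
            "session": {"user": claims["subject"]}}


def unsigned_response(subject: str) -> str:
    """A response whose signature does not verify; only used to exercise the ACS check."""
    assertion = json.dumps({"subject": subject, "audience": ACS_URL, "groups": []}).encode()
    return base64.b64encode(assertion + b"." + ("0" * 64).encode()).decode()


def run_flow(user: Optional[str]) -> List[str]:
    """Drive one login for `user` (None = not yet authenticated) and return the step names."""
    session: Dict = {}
    steps: List[str] = []
    r = proxy_request(SAAS_URL, session)
    steps.append(r["step"])
    if r["step"] != "redirect_to_sso":
        return steps
    r = idp_sso(r["location"], user)
    steps.append(r["step"])
    if r["step"] != "js_post_acs":
        return steps
    r = acs({"SAMLResponse": r["SAMLResponse"], "RelayState": r["RelayState"]})
    steps.append(r["step"])
    if r["step"] != "logged_in":
        return steps
    session.update(r["session"])
    steps.append(proxy_request(r["location"], session)["step"])
    return steps


if __name__ == "__main__":
    print(run_flow("alice"))   # full sequence from the slide
    print(run_flow(None))      # unknown user is sent to authenticate first
```

Disabling the account in USER_DIRECTORY is enough to stop the next login at the IdP, which is the "single source revocation" the slide refers to; the proxy never forwards an unauthenticated request to the site, which is the "no direct access" part.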
  • 124. Secure Mobility Reporting
    WSA Mobile User Reports
  • 125. Secure Mobility Reporting
    Simple investigative tool
    Track User activity /
    Search by IP ranges
    Track a web site
    • Know who is going to which web site
    • Know who went to a specific web site
    • And more…
  • Cisco AnyConnect Secure Mobility
    Web Security with Next Generation Remote Access
    Choice
    Diverse Endpoint Support for Greater Flexibility
    Security
    Rich, Granular Security Integrated into the Network
    Acceptable Use
    Data Loss Prevention
    Threat Prevention
    Access Control
    Experience
    Always-on Intelligent Connection for Seamless Experience and Performance
    Access Granted
    Intranet
    Corporate File Sharing
  • 128. Questions
  • 129. Final Thoughts
  • 130. A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.
    Winston Churchill