CNSF2011- AnyConnect Secure Mobility- Tim Davidson

AnyConnect Secure Mobility
Presented by Tim Davidson
#CNSF2011

Agenda
Solution Overview
Deployment Scenarios
Feature Highlights
Q & A
Wrap Up

Solution Overview
3

X
as a Service
Platform
as a Service
Infrastructure
as a Service
Software
as a Service
Security in the Borderless World
Policy
Corporate Border
Applications and Data
Corporate Office
Branch Office
Airport
Home Office
Mobile User
Attackers
Coffee Shop
Customers
Partners

Personal Choice vs Corporate Policy
Business
Personal

Traditional Remote Access VPN
Limited
Predominantly PC-based
Client Support
Manual
Numerous “clicks”
Non-persistent Connection
No Security or Visibility
Security
Rarely-On
Only connected if / when
absolutely necessary
Intranet
Corporate File Sharing

Traditional Mobile Web Security
Limited Clients
Predominantly PC-based
Client Support

Limited Security
URL-filtering client unable
to address key use cases
Data Loss Prevention
Acceptable Use
Threat Prevention
Access Control
No Access
Access
No Access
Not integrated, requires
separate VPN client
Intranet
–
–

Web Security with Next GenerationRemote Access
Choice
Diverse EndpointSupport for Greater Flexibility
Security
Rich, Granular SecurityIntegrated Into the network
Acceptable Use
Threat Prevention
Access Control




Experience
Always-on IntelligentConnection for SeamlessExperience andPerformance
Access Granted
Intranet

AnyConnect Secure Mobility ClientNetwork and Security Follows User—It Just Works
Corporate Office
Mobile User
Home Office
Broad Mobile Support
Fixed and semi-fixed platforms
Mobile platforms
Persistent Connectivity
Always-on connectivity
Optimal gateway selection
Automatic hotspot negotiation
Seamless connection hand-offs
Wi-Fi
Wired
Cellular/Wi-Fi
Next-Gen Unified Security
User/device identity
Posture validation including Managed vs Un Managed Assets
Integrated web security for always-on security (hybrid)
Clientless and desktop virtualization
Secure, Consistent Access
Voice—Video—Apps—Data

Enabling the New Borderless Organization
Anyone
Anything
Anywhere
Anytime
Securely, Reliably, Seamlessly

Secure Borderless Network ArchitectureEnabling Mobility, Extending Security
Outside the Corp Environment
Inside the Corp Environment
Always-On Integrated Security and Policy
802.1X, TrustSec, MACsec
SECURITY and POLICY
Customers
Coffee Shop
Home Office
Local Data Center
X
as a Service
Software
as a Service
Platform
as a Service
Infrastructure
as a Service
Corporate Office
Branch Office
Airport
Mobile User
Attackers
Partners
CORP DMZ BORDER

Deployment Scenarios

User
Authenticates
Internet
SSL VPN
Tunnel All Traffic
Cisco AnyConnect Secure Mobilitywith Web Security Appliance
Trusted Network
News
Email
User Identity
facebook.com
ASA
WCCP
Cisco Web Security Appliance
Corporate AD
Social Networking
Enterprise SaaS
Untrusted Network
ASA  WSA
Authentication handoff (SSO)
Identity and location aware policy enforcement
Location-aware reporting
AnyConnect
Always-on VPN (admin configurable)
Optimal head end auto-detect
Transparent auth (certificate)

Transparent Redirection – Single ASA(WCCP on Router)
ASA Config
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.0.0.0 192.168.1.2
IOS Config
ipwccp 80 redirect-list redirect-acl
interface eth0
ipwccp 80 redirect in

Transparent Redirection – Single ASA(WCCP on ASA)
ASA Config
route inside 10.10.10.0 255.0.0.0 192.168.1.2
wccp 80 redirect-list redirect-acl
wcppiterfaceinside 80 redirect in

Transparent Redirection(Alternate Egress)
ASA-1 Config
route inside 10.10.10.0 255.0.0.0 192.168.1.2
IOS Config
ipwccp 80 redirect-list redirect-acl
interface eth0
ipwccp 80 redirect in

Explicit Proxy Redirection

IPSec / SSL VPN
Internal Data
Internet
Cisco AnyConnect Secure Mobilitywith Cloud Web Security
Trusted Network
facebook.com
ASA
Untrusted Network
ScanSafe
Web 2.0 Content Control
Dynamic Web Classification
Search Ahead
Outbreak Intelligence
Real-time Content Analysis
AnyConnect
Always-on VPN (admin configurable)
Optimal head end auto-detect
Transparent auth (certificate)

AnyConnect 3.0Web Security with ScanSafe
ScanSafe
Internet bound web communications
Internal communications
AnyConnect Secure Mobility Client

Feature Highlights

Cisco AnyConnect Secure Mobility Features
Web Security
Appliance
Cloud Web Security
AnyConnect
ASA Firewall
Trusted Network Detection
Session Persistence
Optimal Gateway Selection
Always-on VPN
Enhanced Device Support
IPSec IKEv2
Network Access Manager
Telemetry
SCEP Enrollment
Remote Specific Policy
Application Controls
SaaS Access Control
Multi-layer malware defense
URL filtering & Dynamic Categorization
Data Security
Application Visibility and Control
AnyConnect Secure Mobility Head End Support
Optimized WSA Traffic handoff
Simplified Management
Enterprise firewall
Remote Access Head End
BotNet Filter
Web 2.0 Content Control
Dynamic Web Classification
HTTP/s Scanning
Search Ahead
Outbreak Intelligence
Real-Time Content Analysis
Acceptable Use / Control
Malware Defense

Cisco AnyConnect Secure MobilityAlways On
Always On VPN extends the virtual perimeter to the endpoint
Security Persistence and policy are administratively controlled
If ASA head-end is unreachable,
fail-open (direct network access)
or
fail-close (no network access)
Security Enforcement Array
Location-aware
Captive portal
nearest headend
Auth persistence
Security Persistence with Always On VPN(Fail Closed or Fail Open)

Cisco AnyConnect Secure Mobility Session Persistence
Always-On, Failed Closed
No Network Access Available
Manual URL Entry is not Allowed
Connection Status

AnyConnect Always-OnASDM Profile Configuration

Trusted Network DetectionIntelligent Mobility
Automatically connects or disconnects under the following conditions:
In Office
Out of Office
Location determination made by Default Domain Name or DNS server IP
Other checks likely in future
Certificate authentication for seamless reconnection
Administratively controlled policy
Windows XP, Vista, 7 & Mac OS X
In Office
Out of Office

DHCPRequest
Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity
Trusted Network Detection is Configurable VIA the AnyConnect Profile
Trusted Networks can be Defined as DNS Suffixes or DNS Server IP Addresses
DNS Suffixes and DNS Server IP Addresses must be defined on the Client Workstation Dynamically (DHCP)
If Both the Trusted DNS Suffix and DNS Server IP Address are Defined, the Entries will be ANDed to Determine the Trusted Network
Corporate Headquarters
Home Office

ASDM Profile Configuration

Feature Parameters:
Suspension Time Threshold (hours)
Performance Improvement Threshold (%)
London
Los Angeles
Boston
Time = 33ms
Time = 35ms
Time = 26ms
Time = 25ms
Time = 28ms
Time = 23ms
Time = 27ms
Time = 24ms
Time = 25ms
New York
Connects to the Most Optimum Head-end
HTTPS Request Approximated by Fastest Round Trip Time

Captive Portal Detection
Always-On enforces VPN connectivity.
If AnyConnect fails to connect, its endpoint can fail closed, preventing network connectivity to and from the endpoint.
Always-On allows AnyConnect users to remediate their Captive Port prior to required VPN establishment.

Captive Portal Detection
User Experience
Captive Portal Remediation Required

Captive Portal

AnyConnect Session Persistence
Network Follows Users – It Just Works
VPN session remains connected
While user migrates between networks (3G, WiFi, LAN, etc)
During loss of network connectivity
During system hibernation / standby
Administratively controlled policy
Compatible with all auth methods
User does not re-authenticate after hibernation/standby
Auto-detect and connect
Transparent handoff
Session persistence
Persistent
Connectivity

Session Persistence
User Experience: User Indicator
Connection State: Reconnecting

Cisco AnyConnect Secure Mobility
Across SSL Connection
ASA-WSA Communication
User Identity & Tunneled IP
News
Email
facebook.com
User Authenticates
Adaptive Security Appliance
Web Security Appliance
VPN Tunnel
Established
VPN Tunnel
Authentication
User & Group
Authorization
Active Directory LDAP, NTLMSSP, Basic
ASA WSA
AnyConnect Authenticates and Establishes a VPN Tunnel to the ASA
ASA Extracts Username from Certificate or AAA Server
ASA Forwards Username and Tunneled IP Address to the WSA
WSA Verifies Username and Group Membership against Active Directory
WSA Applies Policies based on Username or Group Membership

ASA > WSA Configuration
ASA to WSA Communication
ASA & WSA Communication Network
Enable Secure Mobility Solution
Services Port
WSA Access Password

WSA > ASA Configuration
ASA to WSA Communication
Enable Secure Mobility Solution
Enable Cisco ASA Integration
ASA Hostname or IP Address & Service Port & Access Password

ASA > WSA Configuration
Communication Test
Verify ASA > WSA Communication
Verify WSA > ASA Communication

Policy EnforcementControl / Security

Internet
Cisco IronPort Web Security ApplianceIndustry Leading Secure Web Gateway
Security
Malware Defense
Data Security
Secure Mobility
Control
Acceptable Use Controls
SaaS Access Controls
Centralized Management and Reporting

Controls in Action

Bandwidth Control: Corporate Approved
Full Bandwidth

Web Security Appliance Configuration
Allow Business Relevant Video

Bandwidth Control: Restricted
Marketing
Finance
Legal

Restrict Media

Bandwidth Control: Customized
Marketing
Finance
Legal

Override Restrictions

Facebook Controls

Facebook Control

Facebook Controls
DENIED
PERMISSION

Override Restrictions

SaaS Access Control
Regaining Visibility and Control Through Identity
SaaSSingle Sign On
Corporate Office
Redirect @ Login
Branch Office
SaaSSingle Sign On
Home Office
AnyConnect Secure Mobility Client
User Directory
No Direct Access
X
Visibility | Centralized Enforcement | Single Source Revocation

SaaS Single Sign On
Seamless Single Sign-on
No login needed

SaaS Single Sign-On
User Accesses Web Site
Connection Proxied
Redirect to SAML SSO URL
Redirect to SAML SSO URL
Browser Requests SSO URL
Javascript POST ACS URL
+ SAML response
POSTS SAML response
POST proxied to website
User Logged Into Service
Delivers Web User’s Portal
Authenticate
(if unknown)

Secure Mobility Reporting
WSA Mobile User Reports

Secure Mobility Reporting
Simple investigative tool
Track User activity /
Search by IP ranges
Track a web site
Know who is going to which web site
Know who went to a specific web site
And more…

Cisco AnyConnect Secure Mobility
Web Security with Next Generation Remote Access
Choice
Diverse EndpointSupport for Greater Flexibility
Security
Rich, Granular SecurityIntegratedinto the network
Acceptable Use
Threat Prevention
Access Control
Experience
Always-on IntelligentConnection for SeamlessExperience andPerformance
Access Granted
Intranet

Questions

Final Thoughts

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.
Winston Churchill

CNSF2011- AnyConnect Secure Mobility- Tim Davidson

by Cisco Canada on May 18, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

CNSF2011- AnyConnect Secure Mobility- Tim Davidson — Presentation Transcript