AnyConnect Secure Mobility


Increasing mobile usage and device choice have exposed the unnecessary complexity and limited device support of legacy remote access solutions. They have also left a security hole, as users circumvent corporate policy in a borderless network. This session focuses on how the AnyConnect Secure Mobility solution combines Cisco's web security and next-generation remote access technology to deliver a robust and secure enterprise mobility solution. Customers benefit from context-aware, comprehensive and preemptive security policy enforcement; intelligent, seamless, always-on connectivity; and secure mobility across today's proliferating managed and unmanaged mobile devices. At the end of the session, attendees will have an in-depth understanding of the Cisco AnyConnect Secure Mobility solution, which integrates the Cisco AnyConnect Client, the Cisco Adaptive Security Appliance (ASA) and the Cisco Web Security Appliance (WSA). Attendees will understand recommended AnyConnect Secure Mobility architectures and how the new solution is implemented on top of current security installations.

  • Speaker note: Organizations that deliver the experience we just described are truly borderless: connecting anyone (employees, partners and customers) to anything, anywhere, anytime, and delivering the same productivity, the same access to information and the same responsiveness. We call it the borderless experience: securely, reliably and seamlessly. Let's take a look at how Borderless Networks delivers on that vision.
  • AnyConnect Secure Mobility

    AnyConnect Secure Mobility
      Presented by Tim Davidson, #CNSF2011

    Agenda
      • Solution Overview
      • Deployment Scenarios
      • Feature Highlights
      • Q & A
      • Wrap Up

    Solution Overview

    Security in the Borderless World (diagram)
      • Labels: Policy; Corporate Border; Applications and Data
      • Locations and actors: Corporate Office, Branch Office, Airport, Home Office, Mobile User, Coffee Shop, Customers, Partners, Attackers
      • Services: X as a Service, Platform as a Service, Infrastructure as a Service, Software as a Service

    Personal Choice vs Corporate Policy (Business / Personal)

    Traditional Remote Access VPN
      • Limited: predominantly PC-based client support
      • Manual: numerous "clicks", non-persistent connection
      • Security: no security or visibility
      • Rarely-on: only connected if / when absolutely necessary
      (diagram: Intranet, Corporate File Sharing)

    Traditional Mobile Web Security
      • Limited clients: predominantly PC-based client support
      • Limited security: URL-filtering client unable to address key use cases (Data Loss Prevention, Acceptable Use, Threat Prevention, Access Control)
      • Not integrated, requires a separate VPN client
      (diagram: Access / No Access to Intranet and Corporate File Sharing)

    Web Security with Next Generation Remote Access
      • Choice: diverse endpoint support for greater flexibility
      • Security: rich, granular security integrated into the network (Acceptable Use, Data Loss Prevention, Threat Prevention, Access Control)
      • Experience: always-on intelligent connection for seamless experience and performance
      (diagram: Access Granted to Intranet and Corporate File Sharing)
    AnyConnect Secure Mobility Client: Network and Security Follows User, It Just Works
      (diagram: Corporate Office, Mobile User, Home Office; Wi-Fi, Wired, Cellular/Wi-Fi)
      Broad Mobile Support:
      • Fixed and semi-fixed platforms
      • Mobile platforms
      Persistent Connectivity:
      • Always-on connectivity
      • Optimal gateway selection
      • Automatic hotspot negotiation
      • Seamless connection hand-offs
      Next-Gen Unified Security:
      • User/device identity
      • Posture validation including managed vs unmanaged assets
      • Integrated web security for always-on security (hybrid)
      • Clientless and desktop virtualization
      Secure, Consistent Access: Voice, Video, Apps, Data

    Enabling the New Borderless Organization
      Anyone, Anything, Anywhere, Anytime: Securely, Reliably, Seamlessly

    Secure Borderless Network Architecture: Enabling Mobility, Extending Security (diagram)
      • Outside the corp environment: Customers, Coffee Shop, Home Office, Airport, Mobile User, Partners, Attackers; X / Software / Platform / Infrastructure as a Service
      • Inside the corp environment: Corporate Office, Branch Office, Local Data Center
      • Labels: Always-On Integrated Security and Policy; 802.1X, TrustSec, MACsec; Security and Policy; Corp DMZ Border
    Deployment Scenarios

    Cisco AnyConnect Secure Mobility with Web Security Appliance (diagram)
      • User authenticates; SSL VPN tunnels all traffic
      • Trusted network: ASA, WCCP, Cisco Web Security Appliance, Corporate AD; User Identity
      • Untrusted network: News, Email, Social Networking, Enterprise SaaS
      ASA and WSA:
      • Authentication handoff (SSO)
      • Identity and location aware policy enforcement
      • Location-aware reporting
      AnyConnect:
      • Always-on VPN (admin configurable)
      • Optimal head end auto-detect
      • Transparent auth (certificate)

    Transparent Redirection – Single ASA (WCCP on Router)
      ASA Config
        route inside tunneled
        route inside
      IOS Config
        ip wccp 80 redirect-list redirect-acl
        interface eth0
         ip wccp 80 redirect in

    Transparent Redirection – Single ASA (WCCP on ASA)
      ASA Config
        route inside tunneled
        route inside
        wccp 80 redirect-list redirect-acl
        wccp interface inside 80 redirect in

    Transparent Redirection (Alternate Egress)
      ASA-1 Config
        route inside tunneled
        route inside
      IOS Config
        ip wccp 80 redirect-list redirect-acl
        interface eth0
         ip wccp 80 redirect in

    Explicit Proxy Redirection (two diagram slides, no text)

    Cisco AnyConnect Secure Mobility with Cloud Web Security (diagram)
      • IPSec / SSL VPN to the ASA (trusted network) for internal data; Internet traffic via ScanSafe (untrusted network)
      ScanSafe:
      • Web 2.0 Content Control
      • Dynamic Web Classification
      • Search Ahead
      • Outbreak Intelligence
      • Real-time Content Analysis
      AnyConnect:
      • Always-on VPN (admin configurable)
      • Optimal head end auto-detect
      • Transparent auth (certificate)

    AnyConnect 3.0 Web Security with ScanSafe (diagram, shown on two slides)
      • Labels: ScanSafe; Internet bound web communications; Internal communications; AnyConnect Secure Mobility Client
    Feature Highlights

    Cisco AnyConnect Secure Mobility Features
      Columns: Web Security Appliance, Cloud Web Security, AnyConnect, ASA Firewall
      • Trusted Network Detection
      • Session Persistence
      • Optimal Gateway Selection
      • Always-on VPN
      • Enhanced Device Support
      • IPSec IKEv2
      • Network Access Manager
      • Telemetry
      • SCEP Enrollment
      • Remote Specific Policy
      • Application Controls
      • SaaS Access Control
      • Multi-layer malware defense
      • URL filtering & Dynamic Categorization
      • Data Security
      • Application Visibility and Control
      • AnyConnect Secure Mobility Head End Support
      • Optimized WSA Traffic handoff
      • Simplified Management
      • Enterprise firewall
      • Remote Access Head End
      • BotNet Filter
      • Web 2.0 Content Control
      • Dynamic Web Classification
      • HTTP/s Scanning
      • Search Ahead
      • Outbreak Intelligence
      • Real-Time Content Analysis
      • Acceptable Use / Control
      • Malware Defense

    Cisco AnyConnect Secure Mobility: Always On
      • Always On VPN extends the virtual perimeter to the endpoint
      • Security persistence and policy are administratively controlled
      • If the ASA head-end is unreachable: fail-open (direct network access) or fail-close (no network access)
      Security Enforcement Array: location-aware, captive portal, nearest headend, auth persistence
      Security Persistence with Always On VPN (Fail Closed or Fail Open)
    Cisco AnyConnect Secure Mobility: Session Persistence
      • Always-On, Fail Closed
      • No network access available
      • Manual URL entry is not allowed
      • Connection Status

    AnyConnect Always-On: ASDM Profile Configuration (screenshot)
    Trusted Network Detection: Intelligent Mobility
      • Automatically connects or disconnects under the following conditions: In Office, Out of Office
      • Location determination made by default domain name or DNS server IP
      • Other checks likely in future
      • Certificate authentication for seamless reconnection
      • Administratively controlled policy
      • Windows XP, Vista, 7 & Mac OS X
      (diagram: Trusted Network Detection, In Office / Out of Office)
    Trusted Network Detection
      Detects trusted or untrusted network infrastructures for secure connectivity (diagram: DHCP request; Corporate Headquarters / Home Office)
      • Trusted Network Detection is configurable via the AnyConnect profile
      • Trusted networks can be defined as DNS suffixes or DNS server IP addresses
      • DNS suffixes and DNS server IP addresses must be defined on the client workstation dynamically (DHCP)
      • If both the trusted DNS suffix and DNS server IP address are defined, the entries will be ANDed to determine the trusted network

    Trusted Network Detection: ASDM Profile Configuration (screenshot)
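As an added illustration of the trusted-network decision on the slides above (example code written for this page, not Cisco's implementation), the following Python models a profile with trusted DNS suffixes and DNS server addresses and applies the rule that both criteria must match when both are defined. The exact-match suffix comparison, the profile and lease structures, and treating an empty profile as untrusted are assumptions; because the inputs come from DHCP, defining both criteria is the stricter configuration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class TndProfile:
    """Trusted Network Detection settings (assumed shape of the AnyConnect profile)."""
    trusted_dns_domains: list = field(default_factory=list)
    trusted_dns_servers: list = field(default_factory=list)

@dataclass
class DhcpLease:
    """Values the client workstation received dynamically via DHCP (constructed)."""
    dns_suffix: str
    dns_servers: list

def _suffix_matches(suffix, trusted):
    # Assumption: case-insensitive exact match on the connection-specific DNS suffix.
    s = suffix.lower().rstrip(".")
    return any(s == t.lower().rstrip(".") for t in trusted)

def _server_matches(servers, trusted):
    # Any configured DNS server matching a trusted address satisfies this criterion.
    trusted_ips = {ip_address(t) for t in trusted}
    return any(ip_address(s) in trusted_ips for s in servers)

def is_trusted_network(profile, lease):
    """Trusted only if every criterion defined in the profile matches (ANDed)."""
    checks = []
    if profile.trusted_dns_domains:
        checks.append(_suffix_matches(lease.dns_suffix, profile.trusted_dns_domains))
    if profile.trusted_dns_servers:
        checks.append(_server_matches(lease.dns_servers, profile.trusted_dns_servers))
    # Assumption: with nothing defined, TND cannot assert trust, so treat as untrusted.
    return bool(checks) and all(checks)

def tnd_action(profile, lease, vpn_connected):
    """Auto-disconnect on a trusted network, auto-connect on an untrusted one."""
    trusted = is_trusted_network(profile, lease)
    if trusted and vpn_connected:
        return "disconnect"
    if not trusted and not vpn_connected:
        return "connect"
    return "no-op"

# Constructed sample data: both criteria are defined, so both must match.
PROFILE = TndProfile(trusted_dns_domains=["corp.example"], trusted_dns_servers=["10.10.0.53"])
HQ_LEASE = DhcpLease("corp.example", ["10.10.0.53", "10.10.0.54"])
# Suffix matches but the DNS server does not, so the ANDed rule says untrusted.
HOME_LEASE = DhcpLease("corp.example", ["192.168.1.1"])
```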
    Optimal Gateway Selection
      Feature parameters:
      • Suspension Time Threshold (hours)
      • Performance Improvement Threshold (%)
      (diagram: head-ends in London, Los Angeles, Boston and New York with measured times of 33, 35, 26, 25, 28, 23, 27, 24 and 25 ms)
      • Connects to the most optimum head-end
      • HTTPS request approximated by fastest round trip time

    Optimal Gateway Selection: ASDM Profile Configuration (screenshot)
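The gateway-selection rule from the Optimal Gateway Selection slides, as an added Python example (not Cisco's code): each head-end is scored by its fastest measured round-trip time, and the two profile parameters decide whether a resuming client re-evaluates at all (Suspension Time Threshold) and whether a better result is enough to move it off its current head-end (Performance Improvement Threshold). That reading of the two thresholds, the profile structure, and the assignment of the slide's times to cities are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class OgsProfile:
    """Assumed shape of the two OGS parameters from the AnyConnect profile."""
    suspension_time_threshold_hours: float = 4.0
    performance_improvement_threshold_pct: float = 20.0

def fastest_rtt_ms(samples):
    """An HTTPS probe to a head-end is approximated by its fastest round-trip time."""
    return min(samples)

def best_gateway(rtts):
    """Head-end with the lowest fastest-RTT wins; rtts maps name -> list of ms samples."""
    return min(rtts, key=lambda g: fastest_rtt_ms(rtts[g]))

def select_gateway(rtts, previous: Optional[str], suspended_hours, profile):
    # Resumed quickly (e.g. laptop lid closed and reopened): keep the previous head-end
    # without re-probing, so short interruptions do not bounce the session between sites.
    if previous is not None and suspended_hours < profile.suspension_time_threshold_hours:
        return previous
    candidate = best_gateway(rtts)
    if previous is None or previous not in rtts:
        return candidate
    prev_ms = fastest_rtt_ms(rtts[previous])
    cand_ms = fastest_rtt_ms(rtts[candidate])
    improvement_pct = (prev_ms - cand_ms) / prev_ms * 100.0
    # Only move when the gain clears the configured threshold; otherwise stay put.
    if improvement_pct >= profile.performance_improvement_threshold_pct:
        return candidate
    return previous

# Constructed probe results in ms; the mapping of times to head-ends is an assumption.
PROBES = {
    "London": [33.0, 35.0],
    "Los Angeles": [26.0, 25.0],
    "Boston": [28.0, 23.0, 27.0],
    "New York": [24.0, 25.0],
}
```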
    Captive Portal Detection
      • Always-On enforces VPN connectivity.
      • If AnyConnect fails to connect, its endpoint can fail closed, preventing network connectivity to and from the endpoint.
      • Always-On allows AnyConnect users to remediate their captive portal prior to required VPN establishment.

    Captive Portal Detection: User Experience
      • Captive Portal Remediation Required

    Captive Portal: ASDM Profile Configuration (screenshot)
    AnyConnect Session Persistence: Network Follows Users – It Just Works
      • VPN session remains connected while the user migrates between networks (3G, WiFi, LAN, etc.), during loss of network connectivity and during system hibernation / standby
      • Administratively controlled policy
      • Compatible with all auth methods
      • User does not re-authenticate after hibernation/standby
      Persistent connectivity: auto-detect and connect, transparent handoff, session persistence

    Session Persistence: User Experience (user indicator)
      • Connection State: Reconnecting

    Cisco AnyConnect Secure Mobility: ASA-WSA Communication
      Across an SSL connection the ASA passes user identity and tunneled IP to the WSA (diagram: user authenticates; VPN tunnel established; authentication, user & group authorization; Active Directory LDAP, NTLMSSP, Basic; News, Email)
      1. AnyConnect authenticates and establishes a VPN tunnel to the ASA
      2. ASA extracts username from certificate or AAA server
      3. ASA forwards username and tunneled IP address to the WSA
      4. WSA verifies username and group membership against Active Directory
      5. WSA applies policies based on username or group membership
    ASA > WSA Configuration: ASA to WSA Communication
      • ASA & WSA communication network
      • Enable Secure Mobility Solution
      • Services port
      • WSA access password

    WSA > ASA Configuration: ASA to WSA Communication
      • Enable Secure Mobility Solution
      • Enable Cisco ASA Integration
      • ASA hostname or IP address, service port & access password

    ASA > WSA Configuration: Communication Test
      • Verify ASA > WSA communication
      • Verify WSA > ASA communication

    Policy Enforcement: Control / Security

    Cisco IronPort Web Security Appliance: Industry Leading Secure Web Gateway
      • Security: Malware Defense, Data Security, Secure Mobility
      • Control: Acceptable Use Controls, SaaS Access Controls
      • Centralized Management and Reporting
    Controls in Action

    Bandwidth Control: Corporate Approved (Full Bandwidth)
    Web Security Appliance Configuration: Allow Business Relevant Video

    Bandwidth Control: Restricted (Marketing, Finance, Legal)
    Web Security Appliance Configuration: Restrict Media

    Bandwidth Control: Customized (Marketing, Finance, Legal)
    Web Security Appliance Configuration: Override Restrictions

    Facebook Controls (two diagram slides)
    Web Security Appliance Configuration: Facebook Control

    Facebook Controls: DENIED / PERMISSION
    Web Security Appliance Configuration: Override Restrictions
    SaaS Access Control: Regaining Visibility and Control Through Identity
      (diagram: SaaS Single Sign On from Corporate Office, Branch Office and Home Office via the AnyConnect Secure Mobility Client; Redirect @ Login to the User Directory; No Direct Access)
      Visibility | Centralized Enforcement | Single Source Revocation

    SaaS Single Sign On
      • Seamless single sign-on, no login needed

    SaaS Single Sign-On (flow)
      1. User accesses web site; connection proxied
      2. Redirect to SAML SSO URL
      3. Browser requests SSO URL; authenticate (if unknown)
      4. Javascript POST to ACS URL + SAML response
      5. POSTs SAML response; POST proxied to website
      6. User logged into service; delivers web user's portal

    Secure Mobility Reporting: WSA Mobile User Reports

    Secure Mobility Reporting: simple investigative tool
      • Track user activity / search by IP ranges
      • Track a web site
      • Know who is going to which web site
      • Know who went to a specific web site
      • And more…

    Cisco AnyConnect Secure Mobility: Web Security with Next Generation Remote Access (summary)
      • Choice: diverse endpoint support for greater flexibility
      • Security: rich, granular security integrated into the network (Acceptable Use, Data Loss Prevention, Threat Prevention, Access Control)
      • Experience: always-on intelligent connection for seamless experience and performance
      (diagram: Access Granted to Intranet and Corporate File Sharing)
    Questions

    Final Thoughts
      "A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty." (Winston Churchill)