iPads on your network? Take Control with Unified Policy and Management

Employees are bringing tablets and smartphones onto corporate networks, increasing IT workload without adding resources. See how the Cisco Identity Services Engine and Cisco Prime Network Control System will help IT take control of the onslaught of mobile devices entering the network. Learn more: http://cisco.com/go/wireless

Published in: Technology

Renu Upadhyay, Marketing Manager, Cisco
Dan Larkin, Director, Strategic Operations, NCFTA
Matt Schmitz, Senior Product Manager, Cisco
Saurabh Bhasin, Senior Product Line Manager, Cisco
May 4, 2011
iPads on Your Network? Establish Visibility and Management Control

Agenda
1. Mobile Security Assessment
2. Unified Policy Management for Any Device
3. Unified User and Access Management for Any Network

Users Have New Expectations: The Evolving Workplace Landscape
Old school:
- Enterprise-provided mobile devices
- Work is a place you go to; limited off-campus access
- IT visibility and control into user devices and applications
New school:
- Anywhere, anytime, any device usage
- Work is a function: globally dispersed, mixed device ownership
- Change in the IT control and management paradigm
(Diagram: Executive, Employee, IT)

The User-to-Device Ratio Has Changed; IT Resources Stay the Same
Access evolution:
- Fixed user (early 90s): wired access; one user, one device. Users can be supported effectively with box management.
- Mobile user (late 90s): wireless access; one user, local devices. Need for policy and control.
- Borderless user (today): anytime, anywhere access; one user, many devices. Need for operational efficiency.

Some Questions to Consider
Enterprises are trying to embrace mobility while addressing security:
- Do I have the WLAN capacity and reliability to support the increase in mobile devices?
- How do I enforce security policies on noncompliant devices?
- How do I grant different levels of access to protect my network?
- How do I ensure data loss prevention on devices where I don't have visibility?
- How should I address the tech-savvy employee who trades up to new devices? New policy?
- How do I protect my intellectual property and personal information?
- How do I monitor and troubleshoot user and client connectivity issues on my access (wired/wireless) network?
Dan Larkin, Director, Strategic Operations, National Cyber Forensics Training Alliance

Executive Webinar, May 4, 2011
iPads and similar products: coming to a network near you...

Regardless of how you define the threat, it's all about the "people", as assets... or liabilities!

Fundamentals always in play...
- The need for speed
- Novelty: new technology, gadgets
- The world is flat: outsourcing, supply chain, subcontracting
- Mergers/acquisitions
- Taking on new threats
- Knowing your new customer
- Who has the best intel (regarding threats) and how do we leverage that?

"I've seen the enemy, and it is us"
- Malware delivery methods: social engineering
- Targeting high-value customers/social networks
- Bad guys are walking through the front door...
  - Laptops
  - Thumb drives
  - iPads

Emerging Global Cyber Threats
- Mobile banking and mobile apps overlap
- Who gets to play, who has to pay?
- Expanding services = expanding opportunity for exploits
- Similar pattern/opportunity for iPads (and similar products)
- Real-world examples, and what we can expect next

Partnerships
Partnerships: Global and Growing
Support from international law enforcement and industry in 34 nations...
TDY and in-country model: Australia, Canada, U.K., Germany, Romania, Italy, India, Turkey

Historical Gaps/Obstacles
- Lack of "trusted" two-way information sharing relationships with SMEs
- Compelled information sharing vs. voluntary: triggers legal issues
- Lack of a neutral setting to analyze/triage open source or industry-owned intelligence (meet-in-the-middle space)

We all need "a better environment"

Pro-Active Efforts
- Criminal online forums: carding, credentials, tools/techniques
- UCO deep penetration: UCOs past and ongoing
- Subject attribution and engagement
- Forecasting the future

International Carding Alliance (ICA) Database
NCFTA/CIRFU/USPIS

Telco Threat Areas
Mobile:
- Smartphone applications: mobile finance; infection (malware, spyware, trojans)
- SMS: SMiShing
- Technology: check imaging deposit, near field communication, scan and pay, Bluetooth
VoIP/Cable:
- Vishing: call centers and customers
- Known router hacking lines
- Video conferencing lines
- Traffic pumping
- PBX hacking
- Cable modem cloning
Overlap:
- Automated calling services
- Number testing
- SIM cards
- TDoS attacks
- Spoofing

CyFin Trends: January 2011 to Present
- Relay services exploit
- Conference bridge compromises
- Number testing for PBX hacking
- Automated calling utilizing caller ID spoofing
Overlap to tablets?

Underground Forums Trends
Popular topics:
- Educational tutorials on PBX hacking/war dialing
- Smartphone malware coders
- Discussion of near field communication
"...Say you hear a lot of Audix mailbox recordings, then you are dealing with an Avaya PBX (which is a very popular VoIP PBX)..."

Vulnerabilities Exposed: iPads and Tablets...
Criminal Forums Focus on iPads/Tablets
Forum post by "TheHammer": "I HAVE Iphones/Ipad SERIALS need methods!!!! I have Iphone 3g/4g serials and Ipad as well. They are working i test them but i need the person who knows how to do the methods. I will pay him for the work and i have drops. If anyone knows it or know how to do it im ready and i dont like to waiste my time only if you are seriouse. Reply."

Other Forum Chatter: Exploits...
"Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution"
"Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution... memory corruption issue existed in QuickLook's handling of Microsoft Office as well."
Certificate weakness: "An attacker with a privileged network position may intercept user credentials or other sensitive information"... "man-in-the-middle"

Mobile Malware: March 2011

Smartphone Applications: Who Is Involved?
- Technical vulnerabilities
- Service
- Billing
- Other areas affected by mobile finance?
- Mobile banking: same legal responsibility as online banking
- Monitor transactions?
- Consumer education
- Accepted risk
- Contracted by financial institutions
- Maintain apps or sell product?

Mobile Finance vs. Tablets
Mobile banking: applications, browser use, SMS texting.
Flow: the customer does mobile banking utilizing an application; the bank receives activity from the application software; the transaction is completed.
Who is monitoring? Who are the stakeholders within the digital tablet world, beyond the manufacturer?

Why to Get Plugged In
(Diagram of information-sharing partners and their databases: financial services partners; ISPs; IDS companies, e.g. Symantec; law enforcement; software companies via BSA; NCFTA/CIRFU space; FBI secure space; other fusion centers; intel; merchants via MRC; other DBs; DPN DB; spam DB; US-CERT/DHS; US Postal and international law enforcement. Referral to law enforcement and coordination.)

What Is Next??
- Telecom and mobile exploits continue...
- Social networking sites, tied to tablets
- Education, education, education... (where are the best early warning signs? Who owns them?)
- Policy/procedures vs. taking away choices
- Getting ahead of regulations (they will come)
- Re-defining your team to fight the good fight...
Questions? Dan Larkin, dlarin@ncfta.net

Mobility Introduces New Security Challenges
- How do I identify a device, corporate or personal, that is on my network but has already been botted?
- How do I prevent end users from going to inappropriate sites?
- How do I protect end users from going to legitimate websites that have already been compromised?
- How do I know if an end user is logged on locally and remotely at the same time?
Evolving Policies in a Mobile World
Example policies, enforced by policy services across the campus network (Cisco switch, Cisco access point, Cisco wireless LAN controller) between internal resources and the Internet:
- "Printers should only ever communicate internally."
- "Employees should be able to access everything but have no access on personal devices."
- "Guests and partners are only allowed bandwidth-constrained Internet access via wireless."

BYOT: Bring Your Own Technology Access Challenges
IT is struggling with:
- Classifying managed vs. unmanaged endpoints
- Identifying devices that cannot authenticate
- User-to-host association
But there are barriers:
- Certificates
- Endpoint certainty
- No automated way to discover new endpoints
Contextual attributes: user, location, time, device, attribute X; PC and non-PC devices.

Typical BYOT Policy Options
- "Employees can access everything from either corporate or personal devices. But non-employees are blocked."
- "Employees are required to use corporate devices. Personal devices are not allowed and there is no guest access."
- "Employees can access everything from corporate devices. Employees on personal devices and partners have restricted access."
(Diagram: Internet, internal resources, limited resources, "Really Important!", campus network, policy services.)

Current Options: Infrastructure or Homegrown (both marked with an X on the slide)
- Basic capability (e.g. HTTP)
- No user logic
- Authentication/authorization integration
- Siloed (wireless only)
- Devoid of authentication/authorization
- Care and feeding

Unified Policy Management for Any Device

Introducing Identity Services Engine, Part of the TrustSec Network Service
Consistent policy, management integration, easier deployment, troubleshooting, monitoring and reporting across wired, wireless and VPN, for employees, devices and guests.

Migration from Existing Policy Solutions
ACS, NAC Guest, NAC Profiler, NAC Manager and NAC Server migrate to Identity Services Engine:
- Current hardware is software-upgradeable (1121/3315/3355/3395)
- Migration program for older hardware
- License migration program for all software licenses
- Data and configuration migration tools available (over multiple releases)
Existing investments protected.

Comprehensive Policy Solution for Any Device
Purpose-built, complete, and reliable profiling:
- Cisco ISE uses SNMP, NetFlow, DNS, RADIUS, HTTP, and DHCP to increase accuracy and reduce spoofability
- Works across wired and wireless
- Completely integrated with RADIUS/AAA
- Includes additional services (posture, guest/portal, etc.)
Scalable policy enforcement:
- Switch, WLAN controller, and VPN as enforcement points
- Flexible control (VLAN, dACL/ACL, QoS, SGA, etc.) based on any contextual attribute (user, device, group, location, time, etc.)
Unified management:
- ISE detailed reports and troubleshooting tools (user, device, session, etc.) can be accessed from within NCS 1.0, providing a single pane of glass into user, device, and network across wired and wireless infrastructure
ISE Demo

Identity Services Engine Offers a Robust Set of Capabilities
- Consolidated services, software packages: ACS, NAC Manager, NAC Profiler, NAC Server and NAC Guest consolidate into ISE. Simplify deployment and admin.
- Session directory: tracks active users and devices (user ID, access rights, device and IP/MAC, location).
- Flexible service deployment: all-in-one HA pair, admin console, monitoring and troubleshooting (M&T), distributed PDPs. Optimize where services run; keep the existing logical design.
- Policy extensibility: link in policy information points.
- Manage security group access: an SGT permission matrix (rows Staff and Guest against Public and Private; Staff is permitted both, Guest has one Deny and one Permit).
- Systemwide monitoring and troubleshooting: consolidated data, three-click drill-in.
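The "flexible control based on any contextual attribute" bullet, the policy statements on the "Evolving Policies in a Mobile World" and "Typical BYOT Policy Options" slides, and the security group matrix above all describe the same thing: a rule table that maps context to an enforcement result. As an added example (not Cisco ISE code and not from this deck), here is a first-match rule engine that turns user group, device profile, corporate-asset status, a profiling conflict flag, access medium and time of day into a VLAN, downloadable ACL name, security group tag and optional rate limit. It encodes the third BYOT option plus the printer and guest rules. The VLAN numbers, ACL and SGT names, the business-hours window for guests, and the choice to treat a corporate asset with conflicting profiling evidence like a personal device are all assumptions made for the example.

```python
"""Added example: context-based authorization as a first-match rule table.
Not Cisco ISE code; all VLAN numbers, ACL/SGT names and time windows are assumptions."""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Context:
    """Attributes known at authorization time (assumed attribute set)."""
    user_group: Optional[str]   # "employee", "partner", "guest", or None (no user authentication)
    device_profile: str         # profiler result, e.g. "apple-ios", "windows", "printer", "unknown"
    corporate_asset: bool       # device certificate or MAC is in the corporate asset registry
    profile_conflict: bool      # profiler saw its sources disagree about the device type
    medium: str                 # "wired", "wireless" or "vpn"
    at: time                    # local time of the access request


@dataclass(frozen=True)
class Decision:
    """Enforcement result pushed to the switch, WLAN controller or VPN headend."""
    vlan: int
    dacl: str                   # name of the downloadable ACL to apply
    sgt: str                    # security group tag
    rate_limit_kbps: Optional[int] = None
    reason: str = ""


DENY = Decision(vlan=0, dacl="DENY_ALL", sgt="Quarantine", reason="no matching permit rule")
GUEST_HOURS = (time(7, 0), time(19, 0))   # assumed business-hours window for guests


def authorize(ctx: Context) -> Decision:
    """First matching rule wins: most specific rules first, default deny last."""
    # "Printers should only ever communicate internally." A printer has no user,
    # and a "printer" arriving over wireless or VPN does not behave like a printer.
    if ctx.device_profile == "printer":
        if ctx.user_group is None and ctx.medium == "wired":
            return Decision(40, "PRINTERS_INTERNAL_ONLY", "Printers", reason="printer, internal only")
        return DENY

    if ctx.user_group == "employee":
        # Third BYOT option: everything from corporate devices, restricted from personal ones.
        # A corporate asset that is unprofiled, or whose profiling sources conflict, is
        # treated like a personal device until the conflict is resolved (example's assumption).
        if ctx.corporate_asset and not ctx.profile_conflict and ctx.device_profile != "unknown":
            return Decision(10, "PERMIT_ALL", "Staff", reason="employee on corporate device")
        return Decision(20, "EMPLOYEE_LIMITED", "Staff-BYOD",
                        reason="employee on personal or unverified device")

    if ctx.user_group == "partner":
        return Decision(30, "PARTNER_LIMITED", "Partner", reason="partner, limited resources")

    if ctx.user_group == "guest":
        # "Guests and partners are only allowed bandwidth-constrained Internet access via wireless."
        if ctx.medium == "wireless" and GUEST_HOURS[0] <= ctx.at <= GUEST_HOURS[1]:
            return Decision(50, "INTERNET_ONLY", "Guest", rate_limit_kbps=2000,
                            reason="guest, wireless, business hours")
        return DENY

    return DENY   # no authenticated user and no recognised device role


if __name__ == "__main__":
    # Constructed sample requests.
    for ctx in (
        Context("employee", "apple-ios", True, False, "wireless", time(10, 0)),
        Context("employee", "apple-ios", False, False, "wireless", time(10, 0)),
        Context("employee", "windows", True, True, "wired", time(10, 0)),
        Context("guest", "apple-ios", False, False, "wireless", time(10, 0)),
        Context("guest", "windows", False, False, "wired", time(10, 0)),
        Context(None, "printer", True, False, "wired", time(3, 0)),
    ):
        print(ctx.user_group, ctx.device_profile, "->", authorize(ctx))
```

Rule order is the security property here: the printer rule sits first so that an unauthenticated device cannot reach a broader rule by claiming a printer profile, and the final line is an explicit deny so that any context the table does not name gets nothing rather than whatever the last matching branch happened to grant.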
Unified User and Access Management for Any Network

Client Devices: Top Contributor to Network Performance Problems
(Bar chart: number of customers, 0 to 400, reporting each contributor to wireless network problems.) Categories:
- Client devices (drivers, connections, authentication, or other issues)
- RF interference from Wi-Fi and/or non-Wi-Fi sources
- Unexpected demand for increased coverage or capacity
- Faulty wireless network design or implementation
- Old or outdated wireless technology
- Insufficient IT administrator expertise
- Other
A recent survey shows that respondents view client devices as the top contributor to wireless network performance problems.

Introducing Cisco Prime Network Control System
Converged access management for wired and wireless networks: wireless, wired, security policy, network services.
Unified management of operations, users and policy: improved network visibility, faster troubleshooting, elimination of configuration errors.

Single Integrated User and Access Dashboard
High-level view of key metrics with contextual drill-down to detailed data:
- Flexible platform: accommodates new and experienced IT administrators
- Simple, intuitive user interface: eliminates complexity
- User-defined customization: display the most relevant information

Unified User and Endpoint Services
Correlated and focused wired/wireless client visibility:
- Client health metrics
- Client posture and profile
- Client troubleshooting
- Client reporting
- Unknown device ID input
Clear view of the end-user landscape: who is connecting, using which device, and whether they are authorized.

Integrated Access Infrastructure Visibility
- Wired and wireless discovery and inventory: add/detect infrastructure devices such as switches, WLAN controllers, and access points
- Comprehensive access infrastructure reporting: view the access infrastructure as a whole or as discrete technologies
- Stolen asset notification: track when devices presumed stolen come back online
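The "stolen asset notification" bullet above, the session directory on the ISE capabilities slide, and the earlier question "how do I know if an end user is logged on locally and remotely at the same time?" are all answered from the same data: a directory of active sessions built from RADIUS accounting. The following is an added example, not Cisco NCS or ISE code, that replays accounting Start/Stop records into such a directory and raises the two alerts. The accounting lines, MAC addresses, user names, access point names and the stolen-asset list are constructed for the example; the attribute names are standard RADIUS accounting attributes, but the one-line log format is an assumption.

```python
"""Added example: a RADIUS-accounting session directory with two detections.
Not Cisco code; the log format, sample records and stolen-asset list are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample accounting records (not real data). Calling-Station-Id is the client
# MAC, NAS-Port-Type separates wired (Ethernet), wireless and VPN ("Virtual") sessions,
# and Called-Station-Id names the access point or switch port the client used.
SAMPLE_LOG = """\
2011-05-04T08:55:10 Acct-Status-Type=Start User-Name=alice Calling-Station-Id=3C-07-54-AA-BB-CC NAS-Port-Type=Wireless-802.11 NAS-IP-Address=10.1.0.5 Called-Station-Id=ap-lib-3
2011-05-04T09:02:41 Acct-Status-Type=Start User-Name=alice Calling-Station-Id=00-1B-21-11-22-33 NAS-Port-Type=Virtual NAS-IP-Address=10.1.0.9 Called-Station-Id=vpn-hq
2011-05-04T09:10:07 Acct-Status-Type=Start User-Name=bob Calling-Station-Id=00-50-56-DE-AD-01 NAS-Port-Type=Ethernet NAS-IP-Address=10.1.0.2 Called-Station-Id=GigabitEthernet1/0/12
2011-05-04T09:15:30 Acct-Status-Type=Stop User-Name=alice Calling-Station-Id=3C-07-54-AA-BB-CC NAS-Port-Type=Wireless-802.11 NAS-IP-Address=10.1.0.5 Called-Station-Id=ap-lib-3
2011-05-04T09:20:00 Acct-Status-Type=Start User-Name=carol Calling-Station-Id=3C-07-54-BE-EF-42 NAS-Port-Type=Wireless-802.11 NAS-IP-Address=10.1.0.6 Called-Station-Id=ap-cafe-1
"""

# Devices reported stolen (constructed): client MAC -> asset tag.
STOLEN_ASSETS = {"3C-07-54-BE-EF-42": "IPAD-0042"}

LOCAL_PORT_TYPES = {"Wireless-802.11", "Ethernet"}
REMOTE_PORT_TYPES = {"Virtual"}          # VPN sessions are reported as NAS-Port-Type=Virtual

KV = re.compile(r"(\S+?)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn 'timestamp Attr=Value Attr=Value ...' into a dict (format is an assumption)."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = ts
    return rec


def build_session_directory(log_text: str):
    """Replay Start/Stop records into {user: {(mac, port_type): record}} and collect alerts for
    (a) a user holding a local and a VPN session at the same time and
    (b) a device on the stolen-asset list coming back online."""
    active: Dict[str, Dict[Tuple[str, str], Dict[str, str]]] = defaultdict(dict)
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        user = rec["User-Name"]
        mac = rec["Calling-Station-Id"].upper()
        port_type = rec["NAS-Port-Type"]
        key = (mac, port_type)
        if rec["Acct-Status-Type"] == "Stop":
            active[user].pop(key, None)
            continue
        if rec["Acct-Status-Type"] != "Start":
            continue                       # Interim-Update etc. do not change session state here
        active[user][key] = rec
        if mac in STOLEN_ASSETS:
            alerts.append({"kind": "stolen-asset-online", "user": user, "mac": mac,
                           "asset": STOLEN_ASSETS[mac], "where": rec["Called-Station-Id"],
                           "ts": rec["ts"]})
        open_types = {k[1] for k in active[user]}
        if open_types & LOCAL_PORT_TYPES and open_types & REMOTE_PORT_TYPES:
            alerts.append({"kind": "concurrent-local-and-remote", "user": user, "mac": mac,
                           "where": rec["Called-Station-Id"], "ts": rec["ts"]})
    return dict(active), alerts


def run_sample():
    return build_session_directory(SAMPLE_LOG)


if __name__ == "__main__":
    directory, found = run_sample()
    for alert in found:
        print(alert)
    for user, sessions in directory.items():
        print(user, sorted(sessions))
```

Two practical details matter when this runs against real accounting data: sessions are keyed by MAC and port type, not by user alone, so a Stop for the wireless session does not erase the VPN session it overlaps with; and the stolen-asset match records the Called-Station-Id, which is the access point or switch port, so the alert already says where the device reappeared.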
Identity Services Engine Integration for True User and Access Management
Converged security and policy monitoring and troubleshooting: enhance infrastructure security, streamline service operations, enforce compliance.
- Shows where security and policy problems exist
- Retrieves information directly from clients: wired and wireless, authenticated and unauthenticated
- Reduces the time to troubleshoot security and policy problems
- Client posture status and client profiled views
- Drill deeper into security and policy issue details
- Direct linkage from Cisco NCS to Cisco ISE with contextual filtering

Comprehensive Wireless Lifecycle Management
Full range of lifecycle capabilities: plan, deploy, optimize, monitor and troubleshoot, remediate.

NCS Demo

One Access Network: One Solution
Converged access management for borderless networks.
Single unified view:
- Single viewpoint for wired, wireless, security, and policy management
- Unprecedented visibility and control
- Direct access to Cisco support and services
Improve IT productivity:
- Empower first-tier staff to address issues without escalation
- Resolve problems faster with logical workflows
- Improve resource productivity, lower TCO
Enable the workforce:
- Provide reliable access to network services
- Visibility at the access layer as networks become borderless
- Address problems where most issues occur: the endpoint

Delivered by the Borderless Network Architecture: Enabling Mobility Securely, Seamlessly and Reliably
Architecture for agile delivery of the borderless experience:
- Borderless end-point/user services: securely, reliably, seamlessly with AnyConnect
- Borderless network services (policy and management): application performance (App Velocity), energy management (EnergyWise), multimedia optimization (Medianet), mobility (Motion), security (TrustSec)
- Borderless network systems (APIs): core fabric, extended cloud, extended edge, unified access, application networking/optimization
- Borderless infrastructure: switching, security, routing, wireless
- Smart professional and technical services: realize the value of Borderless Networks faster

Key Resources
- March 22nd CIN Webinar: iPad. Galaxy. Cius. Best Practices to Support the Influx of Mobile Devices
- Dec 2nd CIN Webinar: Preparing the WLAN for Mobile Devices/Tablets
- Technical White Paper: Optimize the Cisco Unified Wireless Network to Support Wi-Fi Enabled Phones and Tablets
- White Paper: The Future of Network Security: Cisco SecureX Architecture

Cisco's Borderless Networks Solutions Prepare Your Enterprise Network for Mobile Devices
- The mobile security landscape is evolving
- Enabling mobility requires a comprehensive, consistent approach to user/device access and network management
- Meet user demand for mobility