iPads on your network? Take Control with Unified Policy and Management

RenuUpadhyay, Marketing Manger, Cisco
Dan Larkin, Director, Strategic Operations, NCFTA
Matt Schmitz, Senior Product Manager, Cisco
SaurabhBhasin, Senior Product Line Manager, Cisco
May 4, 2011
iPads on Your Network?Establish Visibility and Management Control

Mobile Security Assessment
Agenda
1
2
3
Unified Policy management for Any Device
Unified User and Access Management for Any Network

Users Have New ExpectationsThe Evolving Workplace Landscape
Old School
New School
Enterprise provided mobile devices
Work is a place you go to—limited off-campus access
IT visibility and control into user deices and applications
Anywhere, anytime, any device usage
Work is a function—globally dispersed, mixed device ownership
Change in IT control and management paradigm
Executive
Employee
IT

The User to Device Ratio Has Changed
IT Resources Stay the Same
Fixed User
Wired access
One user, one device
Mobile User
Wireless access
One user, local devices
Borderless User
Anytime, anywhere access
One user, many devices
Access Evolution
Early 90s
Late 90s
Today
Effectively Support Users with Box Management
Need for Policy and Control
Need for Operational Efficiency

Some Questions to Consider
Enterprises Are Trying to Embrace Mobility While Addressing Security
Do I have the WLAN capacity and reliability to support increase in mobile devices?
How do I enforce security policies on noncompliant devices?
How do I grant different levels of access to protect my network?
How do I ensure data loss prevention on devices where I don’t have visibility?
How should I address the employee (tech savvy) who trade up to new devices? New policy?
How do I protect my intellectual property/personal information?
How do I monitor and troubleshoot user and client connectivity issues on my access (wired/wireless) network?

Dan LarkinDirector, Strategic OperationsNational Cyber Forensics Training Alliance

Executive Webinar
May 4, 2011
I-Pad’s & similar products
Coming to a network- near you…

Regardless of how you define the Threat…..
It’s all about the “People”
as…
Assets…. Or…
Liabilities!

Fundamentals always in play….
The need for speed
Novelty – new technology – gadgets
The world is flat – outsourcing – supply chain – subcontracting
Mergers/acquisitions –
Taking on new threats
Knowing your new customer
Who has the best Intel (regarding threats) & how do we leverage that?

“I’ve seen the enemy – and it is us”
Malware Delivery Methods – Social Engineering
Targeting High Value customers/Social Networks
Bad guys are walking through the front door..
Laptops
Thumb drives
I-Pads

Emerging Global Cyber Threats
Mobile Banking & Mobile apps overlap
Who gets to play – who has to pay?
Expanding services = expanding opportunity for exploits
Similar pattern/opportunity for I-Pads (and similar products)
Real world examples, and what we can expect next

Partnerships

Partnerships—Global & Growing
Support from International Law Enforcement and Industry in 34 nations…
TDY..and in-country model
Australia
Canada
U.K.
Germany
Romania
Italy
India
Turkey

Historical
Gaps/Obstacles
Lack of “Trusted” Two-Way information sharing relationships with SME’s
Compelled information sharing vs Voluntary - triggers legal issues,
Lack of Neutral setting to analyze/triage open source or Industry owned intelligence (Meet in the middle space)

We all need “a better environment”

PRO-ACTIVE EFFORTS
Criminal On-Line FORUMS
Carding-Credentials
Tools/Techniques
UCO Deep Penetration
UCO’s
Past & Ongoing
Subject Attribution - engagement
Forecasting the Future

International Carding Alliance (ICA) Data Base
NCFTA/CIRFU/USPIS

Telco Threat Areas
Mobile
Smartphone applications
Mobile finance
Infection (malware, spyware, trojans)
SMS
SMiShing
Technology
Check imaging deposit
Near field communication
Scan and pay
Bluetooth
VoIP/Cable
Vishing
Call centers and customers
Known Router hacking lines
Video Conferencing lines
Traffic pumping
PBX Hacking
Cable Modem Cloning
Overlap
Automated Calling Services
Number Testing
SIM cards
TDoS attacks
Spoofing

CyFin Trends: January 2011-Present
Relay Services Exploit
Conference Bridge Compromises
Number Testing for PBX hacking
Automated Calling utilizing caller ID spoofing

Overlap to tablets?

Underground Forums Trends
Popular Topics
Educational tutorials on PBX hacking/War Dialing
Smartphone malware coders
Discussion of Near Field Communication
….Say you hear a lot of Audix mailbox recordings, then you are dealing with an Avaya PBX (which is a very popular VoIP PBX)….

Vulnerabilities exposed- I-Pads-Tablets…

Criminal Forums focus on I-Pad/Tablets
TheHammer
I HAVE Iphones/Ipad SERIALS need methods!!!! I have Iphone 3g/4g serials and Ipad as well. They are working i test them but i need the person who knows how to do the methods. I will pay him for the work and i have drops. If anyone knows it or know how to do it im ready and i dont like to waiste my time only if you are seriouse. Reply.

Other Forum chatter- Exploits….
“Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution”
“Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution… memory corruption issue existed in QuickLook's handling of Microsoft Office as well.”
Cert weakness: “An attacker with a privileged network position may intercept user credentials or other sensitive information”….”man-in-the-middle”

Mobile Malware: March 2011

Smartphone Applications: Who is involved?
Technical vulnerabilities
Service
Billing
Other areas affected by
mobile finance?
Mobile banking same legal responsibility as online banking
Monitor transactions?
Consumer education
Accepted risk
Contracted by financial institutions
Maintain apps or sell product?

Mobile Finance – vs – tablets..
Mobile Banking
Applications
Browser Use
SMS Texting
Customer does mobile banking utilizing application
Bank receives activity from application software
Transaction Completed
Who is monitoring? Who are stakeholders within the Digital Tablet world?– beyond Mfg

Why to get Plugged in
Financial Srvs
Partners
DB’s
ISP’s
DB’s
IDS Co’s
ie Symantec
DB’s
L.E
DBs
Software Co
DB’s via
BSA
NCFTA - CIRFU
Space
FBI Secure
Space
Other Fusion
Centers
Intel
Merchants
via MRC
DB’s
Other
DB
DPN
DB
SPAM
DB
US CERT
DHS
US Postal &
Internat’l– L.E
Referral to Law Enforcement & Coordination

What is next??
Telecom & Mobile Exploits continue...
Social Networking Sites – Tied to tablets.
Education, Education, Education…(where are the best early warning signs? Who owns them?)
Policy/Procedures vs. Taking away choices
Getting ahead of regulations (they will come)
Re-defining your team—to fight the good fight….
Questions? Dan Larkin dlarin@ncfta.net

Mobility Introduces New Security Challenges
How do I identify a device - corporate or person that is on my network but has already been botted?
How do I prevent end users from going to inappropriate sites?
How do I protect end users from going to legitimate websites that have already been compromised?
How do I know if an end user is logged on locally and remotely at the same time?

Evolving Policies in a Mobile World
“Printers should only ever communicate internally.”
Internet
“Employees should be able to access everything but have no access on personal devices.”
Cisco Switch
Internal Resources
Campus Network
“Guest and partners are only allowed bandwidth constrained Internet access via wireless.”
Cisco Access
Point
Cisco Wireless
LAN Controller
Policy Services

BYOT: Bring Your Own Technology Access Challenges
IT Is Struggling With:
Classifying managed vs.. unmanaged endpoints
ID devices that cannot authenticate
User  host association
But There Barriers:
Certificates
Endpoint certainty
No automated way to discover new endpoints
User
Location
Time
Device
Attribute X
PC and Non-PC Devices

Typical BYOT Policy Options
“Employees can access everything from either corporate or personal devices. But non-employees are blocked.”
Internet
“Employees are required to use corporate devices. Personal devices are not allowed and there is no guest access.”
Internal Resources
Campus Network
Limited Resources
“Employees can access everything from corporate devices. Employees on personal devices and partners have restricted access.”
Really Important!
Policy Services

Current Options
Infrastructure
Homegrown
Basic capability (e.g. HTTP)
No user logic
Authentication/Authorization integration
Siloed (wireless only)
Devoid of authentication/authorization
Care and feeding
X

Unified Policy Management for Any Device

Introducing Identity Services EnginePart of the TrustSec Network Service
Consistent policy
Management integration
Easier deployment
Troubleshooting
Monitoring
Reporting
Wired
Wireless
VPN
Employees
Devices
Guests

Migration from Existing Policy Solutions
ACS
NAC Guest
NAC Profiler
NAC Manager
NAC Server
Current hardware is software upgradeable (1121/3315/3355/3395)
Migration program for older hardware
License migration program for all software licenses
Data and configurations migration tools available*
Identity Services Engine
*Available over multiple releases
Existing Investments Protected

Comprehensive Policy Solution for Any Device
Purpose-Built, Complete, and Reliable Profiling
Cisco ISE uses SNMP, NetFlow, DNS, RADIUS, HTTP, and DHCP to increase accuracy, reduce spoofability
Works across wired and wireless
Completely integrated with RADIUS/AAA
Includes additional services (posture, guest/portal, etc.)
Scalable Policy Enforcement
Switch, WLAN controller, and VPN as an enforcement point
Flexible control (VLAN, dACL/ACL, QoS, SGA, etc.) based on any contextual attributes (user, device, group, location, time, etc.)
Unified Management
ISE detailed reports and troubleshooting tools (user, device, session, etc.) can be accessed from within NCS 1.0 providing a single pane of glass into user, device, and network across wired and wireless infrastructure
User
Location
Time
Device
Attribute X

ISE Demo

Identity Services Engine Offers a Robust Set of Capabilities
Consolidated Services, Software Packages
Session Directory
Flexible Service Deployment
ACS
All-in-One HA Pair
Admin Console
M&T
User ID
Access Rights
NAC Manager
NAC Profiler
ISE
NAC Server
Distributed PDPs
NAC Guest
Device (and IP/MAC)
Location
Tracks Active Users and Devices
Optimize Where Services Run
Simplify Deployment and Admin
Policy Extensibility
Manage Security Group Access
Systemwide Monitoring and Troubleshooting
SGT
Public
Private
Staff
Permit
Permit
Guest
Deny
Permit
Keep Existing Logical Design
Consolidate Data, Three-Click Drill-In
Link in Policy Information Points

Unified User and Access Management for Any Network

Client Devices: Top Contributor to Network Performance Problems
Contributors to Wireless Network Problems
400
350
300
250
Number of Customers
200
150
100
50
0
Client Devices (Drivers, Connections, Authentication, or Other Issues)
RF Interference from Wi-Fi and/or Non-Wi-Fi Sources
Unexpected Demand for Increase Coverage of Capacity
Faulty Wireless Network Design Implementation
Old or Outdated Wireless Technology
Insufficient IT Administrator Expertise
Other
Major Issues Contributing to Wireless Network Problems
A Recent Survey Shows That Respondents View Client Devices as the TOP Contributor to Wireless Network Performance Problems

Introducing Cisco Prime Network Control System
Converged Access Management for Wired and Wireless Networks
Wireless | Wired | Security Policy | Network Services
Unified Management
Operations
Users
Policy
Improved Network Visibility | Faster Troubleshooting | Eliminate Configuration Errors

Single Integrated User and Access Dashboard
High-Level View of Key Metrics with Contextual Drill-Down to Detailed Data
Flexible platform: Accommodates new and experienced IT administrators
Simple, intuitive user interface: Eliminates complexity
User-defined customization: Display the most relevant information

Unified User and Endpoint Services
Correlated and focused wired/wireless client visibility
Client health metrics
Client posture and profile
Client troubleshooting
Client reporting
Unknown device ID input
Clear view of the end user landscape
Who is connecting
Using which device
Are they authorized

Integrated Access Infrastructure Visibility
Wired and wireless discovery and inventory
Add/detect infrastructure devices such as switches, WLAN controllers, and access points
Comprehensive access infrastructure reporting
View the access infrastructure as a whole or as discrete technologies
Stolen asset notification
Track when devices presumed stolen come back online

Identity Services Engine Integration for True User and Access Management
Converged Security and Policy Monitoring and Troubleshooting
Enhance Infrastructure Security
Streamline Service Operations
Enforce Compliance
Shows where security and policy problems exist
Retrieves information directly from clients: Wired, wireless; authenticated, unauthenticated
Reduces the time to troubleshoot security and policy problems
Client posture status and client profiled views
Drill deeper into security and policy issue details
Direct linkage from Cisco NCS to Cisco ISE with contextual filtering

Comprehensive Wireless Lifecycle Management
Full Range of Lifecycle Capabilities
Plan
Deploy
Optimize
Monitor and Troubleshoot
Remediate

NCS Demo

One Access Network: One Solution
Converged Access Management for Borderless Networks
Single Unified View
Improve IT Productivity
Enable the Workforce
Single viewpoint for wired, wireless, security, and policy management
Unprecedented visibility and control
Direct access to Cisco support and services
Empower first-tier to address issues without escalation
Resolve problems faster with logical workflows
Improve resource productivity, lower TCO
Provide reliable access to network services
Visibility at the access layer as networks become borderless
Address problems where most issues occur: the endpoint

Delivered by the Borderless Network ArchitectureEnabling Mobility—Securely, Seamlessly and Reliably
Architecture for Agile Delivery of the Borderless Experience
BORDERLESS END-POINT/USER SERVICES
Securely, Reliably, Seamlessly:AnyConnect
POLICY
App Performance: App Velocity
Energy Management: EnergyWise
Multimedia Optimization: Medianet
Mobility:Motion
Security:TrustSec
BORDERLESS NETWORK SERVICES
MANAGEMENT
BORDERLESS NETWORK SYSTEMS
APIs
Core
Fabric
Extended Cloud
ExtendedEdge
Unified
Access
Application Networking/ Optimization
BORDERLESSINFRASTRUCTURE
Switching
Security
Routing
Wireless
SMART PROFESSIONAL AND TECHNICAL SERVICES: Realize the Value of Borderless Networks Faster

Key Resources
March 22ndCIN Webinar: iPad. Galaxy. Cius. Best Practices to Support the influx of Mobile Devices
Dec 2ndCIN Webinar: Preparing the WLAN for mobile devices/tablets.
Technical White Paper: Optimize the Cisco Unified Wireless Network to Support Wi-Fi Enabled Phones and Tablets
White Paper: The Future of Network Security: Cisco SecureX Architecture

Cisco’s Borderless Networks Solutions Prepare Your Enterprise Network for Mobile Devices
The mobile security landscape is evolving
Enabling mobility requires a comprehensive, consistent approach to user/ device access and network management
Meet User Demand for Mobility

http://blogs.cisco.com	287
http://localhost	12
http://paper.li	3
https://remote.tympaniinc.com	1
http://us-w1.rockmelt.com	1
http://67.192.93.180	1

iPads on your network? Take Control with Unified Policy and Management

by Cisco Wireless

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 305

Statistics

iPads on your network? Take Control with Unified Policy and Management Presentation Transcript