Secure and control access to the enterprise network, whatever the device type

Put in place a security policy, whatever the access type (wired, Wi-Fi, VPN), to regain visibility and control over endpoints.

Unified security policy, BYOD management, Mobile Device Management, propagation of access rights via security tags all the way to the datacenter: this approach makes it possible to manage the explosion of mobile endpoints while preparing for the next wave of devices.

In this presentation, discover how the market-leading solution, « Cisco Identity Services Engine », lets you deploy a control policy adapted to your needs.

Secure and control access to the enterprise network, whatever the device type: Presentation Transcript

  • 1. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Identity Services Engine Version 1.2
  • 2. Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration
  • 3. All-in-One Enterprise Policy Control. Context (security policy attributes): who, what, where, when, how; virtual machine client, IP device, guest, employee, and remote user; wired, wireless, VPN. Cisco® ISE applies the enterprise policies and replaces AAA and RADIUS, NAC, guest management, and device identity servers.
  • 4. (Diagram) Example users Nadeige (Marketing) and Alban (Development) reach the office IT network over VPN, Wi-Fi and LAN; I.S.E applies the policy.
  • 5. Use cases for 802.1X on the LAN (Intranet1): printer = printing VLAN; camera = video VLAN; specific equipment = ACL applied by ISE.
  • 6. ISE functions: device profiling, guest management, compliance control (NAC), authentication / authorization.
  • 7. (no transcribed text)
  • 8. Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration
  • 9. Policy model: policy sets, each selected by a condition and holding an authentication policy and an authorization policy (policy groups).
  • 10. ISE Policy Server supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols: wired and wireless clients use 802.1X (EAPoLAN) to the access device, which talks RADIUS to ISE; VPN clients use SSL / IPsec to the VPN gateway. (Also shown: Cisco Prime.)
  • 11. Two-node deployment: each ISE node runs all personas, PAN (Policy Administration Node), MnT (Monitoring) and PSN (Policy Service Node); one node holds the primary admin and primary monitoring roles, the other the secondary admin and secondary monitoring roles. Maximum endpoints: 10,000 (platform dependent); redundant sizing: 10,000 (platform dependent).
  • 12. Distributed deployment: redundant architecture; up to 40 PSNs; 250,000 devices per cluster. (Diagram) Data Center A and DC B each host Admin (P)/(S), Monitor (P)/(S), a Policy Services cluster in HA, Inline Posture Nodes (IPN) and AD/LDAP external ID/attribute stores; sites A, B and C have distributed PSNs, APs, WLCs and switches running 802.1X, plus an ASA for VPN, all connected over the enterprise backbone.
  • 13. EAP methods. Non-tunneling standards: EAP-MD5, EAP-TLS (certificates). Tunneling methods, which build an encrypted tunnel between the supplicant and the AAA server: PEAP, EAP-FAST, EAP-TTLS (not supported by ISE); the inner method carries either certificates (EAP-TLS) or user credentials: EAP-MSCHAPv2 (user/password), EAP-GTC (user/password or OTP).
  • 14. Integration of external identity stores: MS Active Directory (2003, 2008, 2012); LDAPv3 servers; external RADIUS server; RSA and RFC-2865 servers (One-Time Password/Token); enterprise certificate server. Credential types: password, certificates, OTP.
  • 15. Scenario: Alice, US sales director, has no access at the Paris site. Root cause: Alice is not in the mycorp.fr domain. Possible solutions: 1) establish a two-way trust between mycorp.com and mycorp.fr; 2) use a RADIUS proxy to forward *.mycorp.com requests to the US ISE; 3) use certificates from the enterprise's global root CA and perform LDAP authorization. (Diagram: domain.com, domain.fr, alice.domain.com, mycorp root CA.)
  • 16. Example authorization rules: corporate PC + IT group + compliant posture = unlimited access; iPad or Android tablet + Marketing group + not jailbroken = Web + Email access; corporate smartphone + Employees + compliant MDM policy = Email + intranet access; non-corporate smartphone + Employees (Lyon site) = Deny Access.
  • 17. Context attributes available to the authorization policy: users, custom attributes, location, device type, date/time, posture, access method.
  • 18. Enforcement options. dACL or named ACL: less disruptive to the endpoint (no IP address change required), improved user experience, increased ACL management. VLANs: does not require switch-port ACL management, preferred choice for path isolation, requires VLAN proliferation and IP refresh. Security Group Access (SXP, SGT, SGACL, SGFW): simplifies ACL management, uniformly enforces policy independent of topology, fine-grained access control. (Diagram: Guest VLAN 4, Remediation VLAN 3, Employees and Contractor groups, Employee → IP Any.)
  • 19. SGA overview. Classification of systems/users based on context (e.g. user role, device, location, access method). TrustSec allows context info from ISE to be shared between switches, routers, WLCs and firewalls to make real-time decisions. Allows forwarding, filtering or inspection decisions to be based upon intelligent tags. Tags can be applied to individual users, servers, networks or network connections. Provides virtual network segmentation, flexible access control and FW rule automation. (Diagram: ISE and the directory classify users and devices at the access switch (SGT 5); the SGT is transported across the router; enforcement takes place at the DC FW and DC switch in front of the HR servers and Fin servers (SGT 4, SGT 10).)
  • 20. SGT propagation. Inline tagging (data plane): if the device supports SGT in its ASIC, the tag travels in the CMD field of the L2 Ethernet frame, optionally encrypted. SXP (control plane): shared between devices that do not have SGT-capable hardware; it carries an IP-SGT binding table (e.g. IP address 10.1.100.98 → SGT 50). (Diagram: a frame from SRC 10.1.100.98 leaves the local hypervisor switch with no CMD; the binding learned over SXP lets the first ASIC-based switch tag it inline; SXP also runs from campus access through distribution and core, the DC core and EOR, to the FW and WLC across the enterprise backbone.)
  • 21. SGACL enforcement example (Cat3750X, Cat6500, Nexus 2248, Nexus 5500, Nexus 7000, WLC5508 and ASA5585 across the enterprise backbone). The end user is authenticated and classified by ISE as Employee (SGT 5) with SRC 10.1.10.220. Destination classification: Web_Dir = SGT 20 (DST 10.1.100.52), CRM = SGT 30 (DST 10.1.200.100). At the egress switch a FIB lookup on the destination yields the destination MAC/port and its SGT, and the SGACL matrix is applied: Employee (5) → Web_Dir (20): SGACL-A; Employee (5) → CRM (30): SGACL-B; BYOD (7) → Web_Dir (20): Deny; BYOD (7) → CRM (30): Deny.
  • 22. (Diagram with steps 1, 2 and 3; no transcribed text)
  • 23. ASA 9.01 integration: ISE (AAA, with AD and LDAP directories) classifies users and endpoints and provides the name-to-SGT table; the ASA learns bindings over SXP and enforces access to Mktg-server and Corp-servers (SGT = 003).
  • 24. ASA security group objects: SGTs received from ISE.
  • 25. Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration
  • 26. Profiling: the ISE profiler function identifies the devices connected to the network and assigns a dynamic VLAN: printing VLAN, voice VLAN, video-surveillance VLAN, SNMP-only, Internet-only.
  • 27. Profiling data sources collected by the ISE Policy Server: CDP/LLDP/DHCP/mDNS/MSI/H323 via RADIUS, HTTP/DHCP via RADIUS, SNMP, DNS, NMAP/SNMP, NMAP, DHCP/NetFlow. (Also shown: Cisco Prime.)
  • 28. Device profiling via CDP, LLDP or DHCP: with Device Sensor, the switch collects the DHCP options and CDP/LLDP TLVs seen during MAB or EAPoL and forwards them to ISE in RADIUS accounting; the RADIUS probe is enabled on ISE to consume them. Switch configuration to filter the DHCP, CDP or LLDP options/TLVs and enable the sensor:
    device-sensor filter-list dhcp list my_dhcp_list
     option name host-name
     option name class-identifier
     option name client-identifier
    device-sensor filter-spec dhcp include list my_dhcp_list
    device-sensor filter-list cdp list my_cdp_list
     tlv name device-name
     tlv name platform-type
    device-sensor filter-spec cdp include list my_cdp_list
    device-sensor filter-list lldp list my_lldp_list
     tlv name system-name
     tlv name system-description
    device-sensor filter-spec lldp include list my_lldp_list
    device-sensor accounting
    device-sensor notify all-changes
    ip dhcp snooping
    ip dhcp snooping vlan <x,y-z,…>
    lldp run
    interface <Interface>
     lldp receive
  • 29. WLC device detection based on DHCP and HTTP, reported to ISE in RADIUS accounting. Device profiling can be enabled/disabled per WLAN. DHCP (WLC 7.2.110.0): hostname, class identifier. HTTP / both (WLC 7.3): user agent. FlexConnect with central switching is supported for DHCP.
  • 30. Profiling Windows (user agent and/or DHCP); profiling Windows 7 (user agent).
  • 31. Profile policies use a combination of conditions to identify devices: is the MAC address from Apple? DHCP:host-name CONTAINS iPad? IP:User-Agent CONTAINS iPad? When enough conditions from the profile library match (“I am fairly certain this device is an iPad”), assign this MAC address to the identity group “iPad”.
  • 32. Profiling probes: RADIUS, DHCP, IP, SNMP, NetFlow, NMAP, LLDP, CDP.
  • 33. (no transcribed text)
  • 34. Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration
  • 35. ISE posture control: analysis of the endpoint's security state against policy (security patches, antivirus, antispyware, personal firewall, running processes, etc.).
  • 36. Automatic download of the list of supported AV/AS posture elements: http://www.cisco.com/en/US/docs/security/ise/1.0.4/release_notes/win-avas-3-4-26-1.pdf
  • 37. ISE posture elements: files, registry keys, applications, services, compound conditions, antivirus, antispyware, custom conditions.
  • 38. ISE posture control: endpoint compliant with the security policy.
  • 39. ISE posture control: a non-compliant endpoint is quarantined and remediated.
  • 40. Posture remediation actions: AV/AS update, file installation, program execution, remediation URL, Windows Update server.
  • 41. Example ISE report: User2, Windows 7 64-bit endpoint, McAfee AV, Microsoft and McAfee antispyware, endpoint compliant with the security policy.
  • 42. Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration
  • 43. Guest access over Wi-Fi and LAN to the Internet: wireless and wired portal.
  • 44. ISE guest account creation. Step 1: log in with the sponsor account used to create guest accounts. Step 2: enter the guest's details: last name, first name, email, company, reason for the visit. Step 3: print, email or SMS the temporary account parameters.
  • 45. (no transcribed text)
  • 46. Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration
  • 47. “I need to improve my customer service.” “Team members must stay connected with their smartphone.” “I want to offer new collaboration tools.” “I need to manage a fleet of smartphones and tablets.” “I need to stay ahead of the competition.” “My users want to use their own devices and I have to offer a solution.” “I need to give partners, consultants and customers network access.” “I have a specific use case.”
  • 48. BYOD adoption levels, from limited to advanced: Wi-Fi deployment in the enterprise with limited access; integration of guests / partners / customers with an access policy governing access to content (basic); mobile infrastructure for all devices, from anywhere, with fleet and application management (standard); a “Next Generation Workspace” on an intelligent network (advanced).
  • 49. BYOD: an enterprise project that involves several departments (human resources, finance and regulation, security team, applications, systems, workstation / office IT, network team) and opens the door to many possibilities…
  • 50. BYOD onboarding flow: the device authenticates through the WLC to ISE; profiling identifies it (“this is an iPad”); an unregistered device gets limited access; the user registers the device and ISE provisions a certificate (from the certificate server) and a profile; a registered and provisioned device gets full access to the enterprise network; MDM integration through the MDM / ISE API.
  • 51. Network enablement (ISE): AUP, classification/profiling, registration, secure unified access (wireless, wired, VPN), context-aware access control (role, location, etc.), cert + supplicant provisioning, user <-> device ownership; user-managed device with network-based IT control. Full management (MDM): enterprise software distribution, inventory management, management (backup, remote wipe, etc.), cost management, mobile + PC policy compliance (jailbreak, PIN lock, etc.), secure data containers; user/IT co-managed device with device- and network-based IT control.
  • 52. (no transcribed text)
  • 53. MDM attributes reported to ISE: profile, encryption, jailbroken, registered.
  • 54. User / administrator can issue remote actions on the device through the MDM server (example: remote wiping the device). User interface: My Devices Portal; admin interface: ISE Endpoints Directory. Actions: Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock.
  • 55. ISE reports for MDMs.
  • 56. Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration
  • 57. Additional data coming from ISE.
  • 58. User 360° view: user, devices (Apple iPhone, Microsoft workstation), access policy, applications.
  • 59. SIEM integration: ISE sends context information (user, device, …) to the partner SIEM, which also receives syslog and NetFlow telemetry from Cisco switches and routers, ASA 5500, IPS and other security devices, giving a unified view for threat analysis with context.
  • 60. Putting these ideas into action. What is the “next step”? BYOD is not a product but a strategy to build. You already have many of the pieces. Every company has a different view of the BYOD spectrum. Cisco can support you through the change: Cisco has all the components, a product portfolio, expertise and an architectural vision. Let’s get started…
  • 61. Thank you.
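
The enforcement path of slides 20 and 21 (IP-to-SGT bindings learned over SXP or carried inline, destination classification, then the SGACL matrix) as an added Python simulation; this is not code from the deck or from Cisco. The SGT values and addresses are the slides' own; the permit rules inside SGACL-A and SGACL-B, the implicit default deny and the function names are assumptions.

```python
"""Security Group Access enforcement simulation (slides 20-21): source SGT
comes from an inline CMD tag or from the IP-SGT binding table that SXP
distributes, destination SGT from the same table (the FIB lookup on slide
21), and the (source, destination) SGT pair selects the SGACL to apply."""
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Security group tags named on the slides.
EMPLOYEE, BYOD, WEB_DIR, CRM = 5, 7, 20, 30

# IP-SGT bindings (addresses and tags taken from slides 20-21).
BINDINGS: Dict[str, int] = {
    "10.1.10.220": EMPLOYEE,   # authenticated user classified as Employee
    "10.1.100.98": 50,         # SXP-learned binding from slide 20
    "10.1.100.52": WEB_DIR,    # Web_Dir server
    "10.1.200.100": CRM,       # CRM server
}

# Rule = (protocol or "*", destination port or 0 for any, action).
Rule = Tuple[str, int, str]
DEFAULT_ACTION = "deny"  # assumption: unmatched cells fall to an implicit deny

# SGACL matrix keyed on (source SGT, destination SGT). The BYOD rows are
# "Deny" as on slide 21; the contents of SGACL-A / SGACL-B are assumed.
SGACL: Dict[Tuple[int, int], List[Rule]] = {
    (EMPLOYEE, WEB_DIR): [("tcp", 443, "permit"), ("tcp", 80, "permit"), ("*", 0, "deny")],  # SGACL-A
    (EMPLOYEE, CRM): [("tcp", 8443, "permit"), ("*", 0, "deny")],  # SGACL-B
    (BYOD, WEB_DIR): [("*", 0, "deny")],
    (BYOD, CRM): [("*", 0, "deny")],
}

def source_sgt(src: str, inline_sgt: Optional[int]) -> Optional[int]:
    """Trust an inline tag (set upstream by an SGT-capable ASIC on a trusted
    link); otherwise fall back to the SXP binding table."""
    if inline_sgt is not None:
        return inline_sgt
    return BINDINGS.get(src)

def enforce(src: str, dst: str, proto: str, dport: int,
            inline_sgt: Optional[int] = None) -> str:
    """Egress enforcement decision for one flow: 'permit' or 'deny'."""
    ip_address(src), ip_address(dst)  # reject malformed addresses early
    s_sgt = source_sgt(src, inline_sgt)
    d_sgt = BINDINGS.get(dst)
    if s_sgt is None or d_sgt is None:  # untagged/unknown traffic is not trusted
        return DEFAULT_ACTION
    for proto_rule, port_rule, action in SGACL.get((s_sgt, d_sgt), []):
        if proto_rule in ("*", proto) and port_rule in (0, dport):
            return action
    return DEFAULT_ACTION
```

Note that a host with a binding but no matrix cell (SGT 50 on slide 20) is denied by the default, which is the behaviour to verify when a new security group is added before its SGACL row exists.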
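
The profile-policy matching of slide 31 as an added Python example, not code from the deck or from ISE: the three conditions on the slide each contribute a certainty weight and the MAC address is assigned to the identity group once the total reaches the policy minimum. The weights, the minimum score of 30, the sample OUI set and the helper names are assumptions.

```python
"""Profile-policy matching (slide 31): every condition that matches adds
a certainty weight, and the endpoint is assigned to the identity group
once the total reaches the policy minimum (weights/thresholds assumed)."""
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

Attrs = Dict[str, str]  # probe attributes, keyed as on the slide: "DHCP:host-name"

class Condition(NamedTuple):
    name: str
    weight: int
    test: Callable[[Attrs], bool]

class ProfilePolicy(NamedTuple):
    group: str          # identity group assigned on a match
    min_certainty: int  # assumed value; ISE policies carry a minimum certainty factor
    conditions: List[Condition]

# Constructed sample of Apple OUIs; a real profiler consults the IEEE OUI list.
APPLE_OUIS = {"3C:07:54", "F0:DB:E2", "A4:5E:60"}

def mac_oui(attrs: Attrs) -> str:
    return attrs.get("MAC", "").upper().replace("-", ":")[:8]

def contains(attr: str, needle: str) -> Callable[[Attrs], bool]:
    """Case-insensitive CONTAINS operator on one collected attribute."""
    return lambda a: needle.lower() in a.get(attr, "").lower()

IPAD = ProfilePolicy("iPad", 30, [
    Condition("MAC address is from Apple", 10, lambda a: mac_oui(a) in APPLE_OUIS),
    Condition("DHCP:host-name CONTAINS iPad", 10, contains("DHCP:host-name", "ipad")),
    Condition("IP:User-Agent CONTAINS iPad", 20, contains("IP:User-Agent", "ipad")),
])

def score(policy: ProfilePolicy, attrs: Attrs) -> Tuple[int, List[str]]:
    """Total certainty plus the names of the conditions that matched."""
    matched = [c for c in policy.conditions if c.test(attrs)]
    return sum(c.weight for c in matched), [c.name for c in matched]

def classify(attrs: Attrs, policies: List[ProfilePolicy]) -> Optional[str]:
    """Identity group of the best-scoring policy that reaches its minimum,
    or None when nothing is certain enough (the endpoint stays Unknown)."""
    best: Optional[Tuple[int, str]] = None
    for policy in policies:
        total, _ = score(policy, attrs)
        if total >= policy.min_certainty and (best is None or total > best[0]):
            best = (total, policy.group)
    return best[1] if best else None
```

A device with only a matching OUI stays Unknown, while a device whose host-name and User-Agent both say iPad is classified even with a non-Apple MAC: profiling classifies on client-supplied attributes and does not authenticate, which is why the deck pairs it with 802.1X, posture and MDM checks before granting full access.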