ASDM                                CLI show and                                     Logging                              ...
C97-711992-00 © 2012 Cisco and/or its affiliates. All rights reserved.   Cisco Public   60
• Telemetry provides greater visibility into how systems are  infected by identifying the source and applications of  malw...
• Benefits     – Cisco AnyConnect™ usage and quality data collected by Cisco     – Enables Cisco to focus more on customer...
C97-711992-00 © 2012 Cisco and/or its affiliates. All rights reserved.   Cisco Public   63
Main Points                                                                             User-centric and BYOD enabled     ...
Stay Current on Cisco AnyConnect and Cisco SecurityCisco AnyConnect™                              Twitter:                ...
Thank you. Ben Fischer, AnyConnect Product Manager, befische@cisco.com
Why do we not sell more AnyConnect Premium licenses?            1.        What are AnyConnect Premium licenses?           ...
Why does Cisco AnyConnect and the ASA lose a Remote Access deal?(choose more than one)            1.        Higher Price t...
Cisco AnyConnect Guide for Ipads and ASA

Published in: Technology, Education
  • ASA CX delivers context-aware security that empowers enterprises to finally say yes to applications, devices, and the evolving global workforce while ensuring unprecedented visibility and control, on the industry's most widely deployed and trusted firewall. Meet complex network access demands, without losing operational efficiency. Enable anywhere, any time, any device access, without losing visibility and control. Get "next-generation" capabilities, without having to abandon stateful inspection and classic firewall capabilities.
  • When MOBILE WEB overtakes desktop and WI-FI access traffic surpasses wired. And growing; no end in sight.
  • Phablets to sell 208M devices in 2015, according to ABI Research. Business demands enablement of these devices to enable productivity and provide anytime access to any data by any user anywhere on any device.
  • As the number of apps increases, threats from apps are perpetuated. Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data, and money. Additionally, malware writers are using new distribution techniques, such as malvertising and upgrade attacks. On iPhone 33.9% of free applications had the capability to access location and 11.2% had the capability to access contacts.
  • Single endpoint client strategy. Easy GUI, no hassle.
  • Most companies are looking for a basic feature set to provide remote connectivity and will need an Essentials license at a minimum cost. Companies that are looking for posture assessment or clientless remote access through a browser will need a Premium license, in place of an Essentials license. These licenses serve desktops and laptops, but companies looking to enable their mobile workforce will require the mobile add-on license (minimum cost). Essentials and Premium licenses are typically bound to a specific ASA (security gateway). However, large and globally distributed companies appreciate the efficiency of leveraging our shared licensing model, which applies licenses to the ASAs that need them. Burst licenses are also available to provide additional capacity at a discounted level when urgently needed, and can be applied during an emergency situation. Note: all licenses are on a per-concurrent-user basis.
  • Prevents malware, Enforces acceptable use policies
  • Be clear about what is available today to sell and what is futures
  • Be clear about what is available today to sell and what is futures
  • For a couple of ASAs, ASDM is fine for general management. For numerous ASAs, CSM should be used. CLI is useful when debugging, specifically using "debug dap trace".
  • Cisco

    1. Secure VPN Connectivity: Secure Mobility Solution. Ben Fischer, AnyConnect Product Manager, befische@cisco.com. The Cisco products, service or features identified in this document may not yet be available or may not be available in all areas and may be subject to change without notice. Consult your local Cisco business contact for information on the products or services available in your area. You can find additional information via Cisco’s World Wide Web server at http://www.cisco.com. Actual performance and environmental costs of Cisco products will vary depending on individual customer configurations and conditions. C97-712971-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
    2. “Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.”
    3. Secure VPN Connectivity: Trends; Overview; AnyConnect; Network Access Manager; Web Security; Mobile; IPv6; Enrollment & Client Deployment; Clientless; Management & Troubleshooting; Telemetry & Quality Improvement; Summary
    4. (section divider slide; no text extracted)
    5. Strong Growth in Devices, Use, and Connectivity
       • 15 billion networked mobile devices by 2015
       • 56% of information workers outside the office
       • 3/4 of employees using multiple devices
       • 95% of companies allow personal devices at work
    6. Employees Using Their Own Devices at Work: Android Is Tops in Smartphones, and Apple Is Tops in Tablets (chart: 53% Desktops, 35% Smartphones, 7% Tablets)
    7. Malware Propagates in Vacuum of Neglect by Companies and Users
       Lack of BYOD policies
       • 55% of organizations have no acceptable use policy for employee mobile devices
       • Of those organizations with policies, only 45% enforce their policies
       Increasing malware and web threats
       • Android users are 2.5 times more likely to encounter malware today than 6 months ago
       • 3 in 10 Android owners will encounter a web-based threat on their Android device each year
       Dramatic increase in malware-infected apps
       • Up to 1 million people were affected by Android malware over a 6-month period
       • Infected Android apps increased from 80 to more than 400 in 6 months
       Users slow to update
       • Half of iPhone users do not regularly sync with iTunes and miss critical security updates
    8. Secure Mobility Solution
    9. Solution Overview
       Internationalized
       • IPv6 support
       • UI translated into major languages
       • International sales and support
       Simplified connectivity
       • Optimal gateway selection
       • Automatic hotspot negotiation
       • Enterprise connection enforcement
       • VDI support
       Next-generation unified security
       • User and device identity
       • EAP-FAST chaining
       • Smartcard SSO
       • Posture validation and remediation
       • Integrated web security
       Flexible deployment
       • Scalability and high availability
       • Low TCO and increased productivity
       (diagram: Branch Office, Mobile User, Home Office and Partner reach Corporate HQ over cellular, Wi-Fi and wired links through Cisco® ASA gateways, with a site-to-site link between the ASAs; caption “Secure, Consistent Access”)
    10. Through Client or Browser
        Cisco AnyConnect™
        Broadest support
        • Microsoft Windows, Mac OS X, Linux, Apple iOS, Android, etc.
        • SSL (TLS and DTLS) or IPsec IKEv2
        • Certificates, tokens, 2FA, LDAP, open source, IEEE 802.1X, MAB, and WebAuth
        Simple persistent connectivity
        • Optimized user interface across platforms
        • Always-on and transparent connectivity
        • Network access manager for wired, wireless, and 3G
        Next-generation security
        • Suite B cryptography and VDI access
        Clientless
        Broadest support
        • SSL VPN access using any browser
        • Smart tunnels: Broad application support
        • TCP/IP application support: RDP, Telnet, and SSH
        Security and usability
        • Single sign-on to many applications
        • Dynamic access policies present defined resources to users that users can bookmark
        • Citrix Receiver support
    11. Solutions Ranging from the Branch to the Enterprise (axes: Performance and Scalability; SOHO, Branch Office, Internet Edge, Campus, Data Center)
        • Cisco ASA 5585 SSP-60: 5 Gbps, 10,000 users (Multiservice: Firewall, VPN, and IPS)
        • Cisco ASA 5585 SSP-40: 3 Gbps, 10,000 users
        • Cisco ASA 5585 SSP-20: 2 Gbps, 10,000 users
        • Cisco ASA 5585 SSP-10: 1 Gbps, 5000 users
        • Cisco ASA 5555-X: 700 Mbps, 5000 users
        • Cisco ASA 5545-X: 400 Mbps, 2500 users
        • Cisco ASA 5525-X: 300 Mbps, 750 users
        • Cisco ASA 5515-X: 250 Mbps, 250 users
        • Cisco ASA 5512-X: 200 Mbps, 250 users
        • Cisco® ASA 5505: 100 Mbps, 25 users (Firewall and VPN Appliance)
    12. Management: Many Choices To Meet Varied Needs (CLI, CSM, ASDM)
        Clients
        • Desktop: Microsoft Windows, Mac OS X, Linux
        • Mobile: Apple iOS (iPhone and iPad); Android smartphones and tablets (HTC, Motorola, Samsung, Lenovo; Version 4.0+); BB10 (future) and Playbook
        Infrastructure
        • Secure Connectivity: Cisco® ASA, Cisco ISR*, Cisco ASR*
        • Web Security: Cisco Cloud Web Security, Cisco WSA
        • Identity and Policy: Cisco ISE, IEEE 802.1X Switches, Cisco Clientless NAC
        *Note: Not all features supported on Cisco IOS® Software routers
    13. License options
        • ESSENTIALS License at minimum cost: Basic Remote-Access Connectivity
        • PREMIUM License at minimum cost: Clientless, Always-On, Posture Assessment, Suite B, & Phone VPN
        • MOBILE License at minimum cost (on top of Essentials or Premium)
        • ADVANCED ENDPOINT ASSESSMENT License
        • SHARED License: Premium Licenses Shared by Multiple ASAs
        • FLEX License: Good for Short-Term Periods of High Demand (e.g., Emergencies and Events)
    14. Secure Mobility Client
    15. The Cisco AnyConnect® Secure Mobility Client Consists of the Following Modules:
        Module     Windows  OS X  Linux  iOS  Android
        VPN        Yes      Yes   Yes    Yes  Yes
        NAM        Yes      x     x      x    x
        WebSec     Yes      Yes   x      x    x
        Posture    Yes      x     x      x    x
        Telemetry  Yes      x     x      x    x
        DART       Yes      Yes   x      x    x
    16. Feature Summary
        Cisco AnyConnect® VPN Client
        • IPsec and IKEv2
        • SSL (TLS and DTLS)
        • Modules: Network Access Manager and Web Security
        • Optimal gateway selection
        • Start Before Logon
        • Auto reconnect
        • Captive portal detection
        • FIPS compliant
        • Trusted network detection
        • SCEP
        HostScan
        • Endpoint assessment and remediation
        • Quarantine
        • Keystroke logger detection
        • Host emulation detection
        • Cache cleaner
        Clientless
        • Rewriter
        • Plug-ins
        • Smart tunnels
        • Customizable
        • Virtual desktop support
        Network Access Manager
        • 802.1x
        • MACsec
        Other
        • Dynamic access policies
        • Telemetry
        • DART
        • IPv6
        Latest Feature Additions
        Cisco AnyConnect 3.1
        • Common user interface (Windows and OS X)
        • Deferred update
        • IPv6
        • Network Access Manager module
        • KCD enhancements
        • Suite B VPN; Suite B Network Access Manager
        • Quality Improvement Module
        • Updated FIPS compliance
        • Web Security module enhancements
        Cisco ASA 9.0
        • ASA-Cisco Cloud Web Security integration
        • Clientless SSL VPN enhancements
        • Clientless access using Citrix Receiver
        • Clustering and Cluster LACP
        • Custom policy attributes
        • Easy clientless auto sign-on using capturing tool and templates
        • Mixed context mode
        • Multicontext site-to-site VPN
        • Next-generation encryption (Suite B)
        • OSPFv3
        • Routing in security context
        • SSL VPN SMP acceleration
    17. NSA Suite B Algorithms
        • ESPv3 with IKEv2
        • 4096-bit RSA key operations
        • Diffie-Hellman group 24
        • Enhanced SHA2 message digest support (SHA-256 & SHA-384)
        • Via IPsec on AnyConnect
        • Premium License required to make AnyConnect Suite B connection
    18. • Auto-reconnect
        • Wired Wi-Fi and Wi-Fi 3G
        • No reauthentication
        • Suspended on headend
        • Maximum session timer
        • VPN profile
    19. • Auto-connect when out of office
        • Auto-disconnect inside office
        • Based on default domain name or DNS server IP
        • Profile setting under VPN Group Policy
    20. Profile Settings: Suspension Time Threshold (hours); Performance Improvement Threshold (%). (diagram: a client in New York measures HTTPS request round-trip times to the London, Boston and Los Angeles headends; times shown: 33, 35, 26, 25, 28, 23, 27, 24, 25 ms.) Connects to the Most Optimum Headend: HTTPS Request Approximated by Fastest Round-Trip Time
    21. • Cisco AnyConnect™ GUI and installer can be localized for different languages.
        • Cisco AnyConnect is supported through MST (Microsoft Transform) format.
        • Supported languages follow: Japanese, French (Canadian), German, Chinese, Korean, Spanish (Latin American), Czech, Polish
        • Custom localization can be done.
    22. (section divider slide; no text extracted)
    23. • Enterprise-focused connection manager
          – Machine and / or user authentication
          – Different credential types for machine and user authentication
          – Certificates, tokens, username / password
          – Pre-logon or post-logon user authentication
          – Single Sign-On
          – Locked enterprise profiles for low support cost
          – Separate user profiles for easy migration
        • Ethernet, WiFi, and mobile broadband (3G/4G) connectivity
        • Policy Enforcement
          – One connection at a time
          – Session resumption
          – Credential expiration
          – Mobile broadband roaming
    24. On AnyConnect Client 3.1
        • Differentiated Device Access (EAP Chaining)
        • Mobile broadband (3G) support
        • Enterprise Connection Enforcement
        • IPv6 support (including dual-stack IPv4 and IPv6)
        • Next Generation Encryption
        • MACsec (802.1ae) FIPS 140-2 support
        • VPN Start-Before-Logon on home networks
        • Usability Enhancements
        * Full support in future
    25. for Corporate / Personal Devices
        • Desires:
          – End-users want to use the same credentials for corporate and personal devices
          – IT would like to authenticate the machine and the user in a single transaction
        • Solution:
          – Leverage AD machine credential locked to the machine
          – EAP-FAST v2 (http://tools.ietf.org/id/draft-zhou-emu-eap-fastv2-00.txt)
        • Solution Requirements:
          – Cisco® AnyConnect Network Access Manager Version 3.1 or later
          – Cisco Identity Services Engine (ISE) System 1.1.1 or later
          – Ethernet switch or Wi-Fi access point configured for 802.1X
    26. • EAP Chaining using EAP-FAST protocol extensions is supported
        • EAP Chaining ties both the machine and user credentials to the device, thus the "owner" is using a corporate asset
        • Machine credentials are authenticated to the network using 802.1X
        • When the user logs onto the device, the session information from the machine authentication and user credentials is sent up to the network as part of the same authentication
        • If both machine and user credentials are successfully validated, the "owner" is tied to the device, thus deeming it a corporate asset
        • If both or either of these credentials fail, restricted or denied network access can be given according to the ISE authorization policy
        (diagram: AnyConnect™ Network Access Manager Version 3.1 sends Machine Credentials (Machine Authentication) and then User Credentials (User Authentication, which includes both user and machine identity types) over RADIUS to Cisco® Identity Service Engine (ISE) 1.1.1 or Later, which validates the machine and user credentials against the AD Database)
    27. • Problems:
          – Separate manager software for mobile broadband / 3G connections
          – Difficult to enforce connection policies (priority order, roaming)
        • Network Priority Order:
          – Ethernet
          – Corporate WiFi
          – Mobile Broadband (WWAN)
        • Solution:
          – Cisco® AnyConnect Network Access Manager Version 3.1 or later
          – Windows 7
          – 3G Adapters supporting Mobile Broadband (NDIS) interface
        * Full support in future
    28. • Prevent Users From:
          – Connecting to the corporate guest network
          – Surfing Internet by connecting to the 1st floor coffee shop
          – Hacking into the competitor’s network on the floor above
          – Accessing apartment complex access points across the street
        • Permit Users To:
          – Connect to their home network
          – Connect to Hotspots when traveling
        • Desires:
          – Connect to the “linksys” SSID at home but not at the office
          – Solution that does not have to be managed on a location by location basis
        • Solution:
          – Connect only to specific corporate SSIDs when in range
          – Prefer Ethernet over WiFi
        * Full support in future
    29. On Home Networks
        • Needs:
          – Support User Group Policies on machines that VPN into the corporate network from home
          – Support home WiFi and Ethernet access
        • Problems:
          – VPN connections are initiated from the desktop (after logon)
          – User GPOs are initiated as part of the logon process
          – AnyConnect Start Before Logon (SBL) assumes network connectivity when the user logs onto the machine
          – Users want to connect to their home networks using WiFi but the native connection manager does not support WiFi connections prior to logon
        • Solution:
          – Cisco AnyConnect Network Access Manager Version 3.1 or later
          – Cisco AnyConnect Start Before Logon Module Version 3.1 or later
    30. Featuring Suite B Cryptography
        • Problem:
          – Processors are getting faster, making it easier to crack cryptography
          – Defcon 2012: New tool and service can decrypt any PPTP and WPA2 wireless sessions using MS-CHAPv2 authentication (http://www.networkworld.com/news/2012/072912-tools-released-at-defcon-can-261242.html)
        • Next Generation Encryption:
          – Certificate Keys up to 4,096 bits (previously supported)
          – US National Security Agency (NSA) Suite B
        • NSA Suite B:
          – Elliptic Curve Diffie-Hellman Key Exchange
          – Elliptic Curve Digital Signature Algorithm
        • Solution:
          – Cisco AnyConnect Network Access Manager Version 3.1 or later
        * Full support in future
    31. Across Media Types
        • Problem:
          – Non-uniform encryption policy across media types (WiFi and VPN encrypted; Ethernet is not)
          – Possible data leakage through social engineering
        • Desire:
          – Encrypt Ethernet data, thwarting man in the middle attacks: MACsec (802.1ae)
          – Conveniently support corporate encrypted and home unencrypted networks
        • Solution:
          – Non-FIPS: Cisco AnyConnect Network Access Manager Version 3.0 or later
          – FIPS: Cisco AnyConnect Network Access Manager Version 3.1 or later
          – MACsec capable Cisco switch
        * Full support in future
    32. Featuring:
    33. (diagram: Untrusted Network and Trusted Network. Users Outside Corporate Network and Corporate Access Devices reach Social Networking, Software as a Service (SaaS), Email and News sites; the Cisco® ASA and the Cisco Web Security Appliance (via WCCP) sit in the path, and Corporate AD authenticates users for the Enterprise; User Identity is carried with the User)
    34. (diagram: with the Cisco AnyConnect™ Secure Mobility Client, Internet-Bound Web Communications go through Cisco Cloud Web Security while Internal Communications go to the enterprise)
    35. for Cisco Cloud Web Security
        • Cloud service: Always-On and always protected with Cisco AnyConnect
        • Provides
          – Acceptable use policies
          – Malware threat protection
          – Application usage controls
          – User choice of towers when traveling (eliminates local language problems)
        • Can be used in conjunction with Cisco® Web Security Appliance or can stand alone
    36. for Cisco Cloud Web Security
        • Tunnels HTTP and HTTPS traffic through the Cisco® Cloud Web Security
        • Fine-tunable web access policy management available
        • Fully localizable and translatable
        • Replacement for AnyWhere+ standalone client: Cisco AnyConnect for Cloud Web Security
    37. Mobile Posture & iOS On-Demand
    38. • Additional access authorization capabilities based on endpoint
        • Cisco® ASA 8.4.2+ and 8.2.5+
        • Android 2.4.0 and Apple iOS 2.5.0
        • AnyConnect™ 3.1+
    39. • Auto-launch VPN
        • Based on domain
        • Certificate Authority only
        • Three options:
          – Always-Connect
          – Connect-if-needed
          – Never-Connect
        • Wild-card support
          – *.edu, *.net, *.com
    40. (section divider slide; no text extracted)
    41. Public tunneling: IPv4, IPv6, or dual IPv4 and IPv6
        Internal address assignment: IPv4, IPv6, or dual IPv4 and IPv6
        VPN Protocol support: SSL and IPsec* IKEv2
        Split tunneling for IPv6: Yes
        DNS resolution: IPv4 and IPv6
        OS support: Vista+, OS X 10.6+, and later
        *Internal v6 tunneling initially for SSL only
    42. Cisco® ASA Headend   Client IP       Assigned IP     SSL and DTLS   IKEv2 (IPsec)
        IPv4                 IPv4            IPv4            Yes            Yes
        IPv4                 IPv6            IPv4            Yes            No
        IPv4 and IPv6        IPv4            IPv4 and IPv6   Yes            Yes
        IPv4 and IPv6        IPv6            IPv4 and IPv6   Yes            No
        IPv4 and IPv6        IPv4 and IPv6   IPv4 and IPv6   Yes            No
        IPv6                 IPv4            IPv6            Yes            Yes
        IPv6                 IPv6            IPv6            Yes            No
    43. Supported
        • VPN load balancing and Global Site Selector
        • Trusted network detection and always-on
        • Session roaming (roaming to a network where the ASA resolves to a different IP address may be due to NAT46 or 64)
        • IP Protocol Bypass
        • IP Protocol Fallback (Fallback from 4-6 (or 6-4) during the initial connection when the primary ASA address is not reachable)
        • Cisco® Secure Desktop HostScan, prelogin check, and open IPv6 ports
        • IPv6 DNS
        • Split tunneling - include and exclude
        • NAT64
        To Be Supported
        • Optimal gateway selection
        • WINS (not supported with IPv6)
        • Captive portal
        Not Supported
        • Public proxy
        • Private proxy
    44. (section divider slide; no text extracted)
    45. • Auto-renewal
        • Machine certificate validation
        • Requirement that CA must be in auto-grant mode
        • Specific settings needed for Windows Server 2008
        (flow: Client Device, Cisco® ASA, CA Server. SCEP Request Encrypted in PKCS7; ASA Forwards the Request to CA Server; CA Issues the Certificate; Certificate Delivered to the Client)
    46. To Deploy Your Way
        • Pre-deploy: Standalone software installed after downloading from cisco.com
        • Web-deploy: Software pushed down from Cisco® ASA
        • Built-in functions to Cisco products
        • Third-party stores for mobile devices (App Store; formerly Android Market)
    47. Simplify Profile Configurations: VPN, Network Access Manager, Web Security, Telemetry
    48. (section divider slide; no text extracted)
Clientless single sign-on
• Submits user credentials to:
  – Web servers
  – CIFS and FTP servers
  – Plug-ins
  – Windows OS and IE Smart Tunnel applications
• Basic, NTLM, and CIFS authentication
• SSO to bookmarks created with POST parameters
• Microsoft Kerberos Constrained Delegation (MS KCD)
• SAML
Portal customization
• Minimal or full customization is possible
• Cisco® ASA has a built-in web server
• The homepage can be hosted on the ASA or on an external server
Clientless portal additions
• Citrix Mobile Receiver support
  – XenApp
  – XenDesktop
• Auto-sign-on enhancements
  – Templates
  – Tool to capture form parameters
• New file browser
• Proxy server support
• Server certificate validation
• Clientless IPv6
• HTML5 rewriter support
Citrix Mobile Receiver through the ASA (supports iOS and Android). Diagram: the user device, connected across the Internet using Citrix Online Plug-Ins, reaches a Cisco® ASA 5525 acting as the Access Gateway between two firewalls; behind it sit the Web Interface (installed behind the Access Gateway), the XML Service, the Secure Ticket Authority, and the server farm of published applications.
Provide versatility in managing your ASAs

Adaptive Security Device Manager (ASDM)
• Single device management
• Included with the Cisco® ASA
• Browser-launched, Java-based tool
  – Configuration and monitoring
  – Event management
  – Health and performance
  – License management

Cisco Security Manager (CSM)
• Scalable multi-device management
• Manage firewall, IPS, VPN, and Cisco IOS® Software
  – Threat ID and resolution
  – Configuration
  – Reporting
  – Event management
  – Health and performance
  – License management
  – Monitoring

Command Line Interface (CLI) for ASA
• Single device management
• SSH to the ASA
• Limited, thus recommended only for basic interface configuration
• Useful for debugging
Troubleshooting tools: ASDM; CLI show and debug commands; logging; DART (the AnyConnect Diagnostic and Reporting Tool)
Telemetry
• Telemetry provides greater visibility into how systems are infected by identifying the source and the applications of malware.
• Improves the effectiveness of Cisco Web Security (CWS) reputation filtering
• Some examples of the malicious activity reported include:
  – Download of a file from a URL in the browser
  – Copying of files from removable media
  – Downloading content from email
  – File transfers from infected endpoints
• Reporting:
  – Supports AES encryption of file and URL associations
  – Exempts white-listed internal domains from the report
  – The reported URL depends on the CWS SenderBase participation level
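The exemption of white-listed internal domains is the step an endpoint gets wrong most easily: a plain suffix match on the URL string lets evilcorp.example slip through an exemption meant for corp.example, and a crafted userinfo component can make a naive parser see an internal host where the real host is external. The following Python is an added example written for this page, not Cisco AnyConnect code; the event format, the exemption list, the function names and the sample events are assumptions made here. It builds each file-to-URL association as the SHA-256 of the file paired with its source URL, normalises the host (case, trailing dot, port, userinfo) and exempts only hosts that equal, or sit below on a label boundary, an internal domain. The AES encryption of the report is outside this example.

```python
"""Added example: filtering file/URL telemetry associations against an
internal-domain exemption list before they are reported.

Illustrative code for this page, not Cisco AnyConnect code. The event
format, the exemption list and the function names are assumptions.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed exemption list (assumption): hosts equal to, or below,
# these domains are internal and must never appear in the report.
INTERNAL_DOMAINS = ("corp.example", "intranet.example.net")


def _host_of(url: str) -> str:
    """Return the normalised host of a URL ('' when there is none).

    urlsplit().hostname already drops userinfo, port and IPv6 brackets and
    lower-cases the name; we also strip a trailing dot.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_internal(url: str, domains=INTERNAL_DOMAINS) -> bool:
    """True when the URL's host is an exempt domain or a subdomain of one.

    The comparison is made on label boundaries ('.' + domain), so that
    'evilcorp.example' is NOT matched by the exemption 'corp.example'
    the way a bare str.endswith() would match it.
    """
    host = _host_of(url)
    if not host:
        return False
    for d in domains:
        d = d.rstrip(".").lower()
        if host == d or host.endswith("." + d):
            return True
    return False


def file_url_association(data: bytes, url: str) -> dict:
    """Build the record tying a downloaded file to the URL it came from."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "url": url}


def build_report(events):
    """Split (file_bytes, url) events into (to_report, exempted) records.

    Records for white-listed internal hosts are kept separately so a
    caller can audit what was withheld; only `to_report` leaves the host.
    """
    to_report, exempted = [], []
    for data, url in events:
        rec = file_url_association(data, url)
        (exempted if is_internal(url) else to_report).append(rec)
    return to_report, exempted


# Constructed sample events (assumption): fake file bytes and URLs.
SAMPLE_EVENTS = [
    (b"MZ\x90\x00fake-installer", "https://evilcorp.example/payload.exe"),
    (b"%PDF-1.4 fake", "https://wiki.corp.example/handbook.pdf"),
    # userinfo trick: the real host is evil.example, not corp.example
    (b"PK\x03\x04fake-archive", "http://user@corp.example@evil.example/x.zip"),
    (b"hello", "https://intranet.example.net/notes.txt"),
]


if __name__ == "__main__":
    report, exempt = build_report(SAMPLE_EVENTS)
    for rec in report:
        print("REPORT ", rec["sha256"][:16], rec["url"])
    for rec in exempt:
        print("EXEMPT ", rec["sha256"][:16], rec["url"])
```

Run stand-alone, the script reports the evilcorp.example and evil.example downloads and withholds the two internal ones; the third sample event is the case that a regex or substring check on the raw URL string would mis-classify as internal.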
• Benefits
  – Cisco AnyConnect™ usage and quality data collected by Cisco
  – Enables Cisco to focus more on customer-deployed features
  – Improves user experience and quality
• What gets reported?
  – Cisco AnyConnect™ installations and release number
  – Cisco AnyConnect™ modules installed and enabled
  – Distribution of OS platforms using Cisco AnyConnect™
  – Number of core dumps of each module (by release, date, and OS platform)
  – Web threat telemetry data*
• Is my privacy protected?
  – Yes; no user information, machine name, MAC address, etc. is collected
  – The administrator can also turn off this feature
*Requires the telemetry module
Main points

1. User-centric and BYOD enabled
• Supports user devices with client or clientless access
• Optimal, transparent user experience with always-on connectivity
• SCEP proxy and predeployment device identification

2. Extensive support
• Broad support for desktop and mobile client OSs and clientless browsers
• Broad support for protocols and authentication methods
• Broad range of security gateways (Cisco® ASA, ASR, and ISR)

3. Security focused
• Broad authentication options (IEEE 802.1X, certificates, and LDAP)
• Posture and vault capabilities to secure client devices
• Integrates with Cisco WSA or Cisco ScanSafe Web Security

4. Enterprise proven
• Reliable, proven, scalable, load balanced, and highly available
• Strong international presence and 24-hours-a-day support
• Over 15 years of experience and frequent SC Magazine award winner
Stay current on Cisco AnyConnect and Cisco Security

Cisco AnyConnect™
• Twitter: http://twitter.com/#!/anyconnect
• Facebook: http://www.facebook.com/anyconnect

Cisco® Security
• Twitter: http://twitter.com/#!/ciscosecurity
• Facebook: http://www.facebook.com/ciscosecurity
• Blog: http://blogs.cisco.com/category/security

Cisco Borderless Networks
• Blog: http://blogs.cisco.com/category/borderless
• YouTube: http://www.youtube.com/user/Cisco
Thank you.
Ben Fischer, AnyConnect Product Manager, befische@cisco.com
Why do we not sell more AnyConnect Premium licenses?
1. What are AnyConnect Premium licenses?
2. AnyConnect Essentials licenses meet all of the customer's needs.
3. AnyConnect Premium is too expensive compared to competitors.
4. It is hard to convey the value of AnyConnect Premium licenses.
5. Other: ____________

Why do Cisco AnyConnect and the ASA win a remote access deal? (choose more than one)
1. Lower price than the competition
2. Superior end user experience
3. Superior solution feature set (if so, which ones?)
4. Better administrator experience
5. Customer has a preference for Cisco
6. Other: ____________

Why do Cisco AnyConnect and the ASA lose a remote access deal? (choose more than one)
1. Higher price than the competition
2. Weaker end user experience
3. Missing key feature (if so, which one?): _____________
4. Weak administrator experience
5. Customer has a preference for a competitor
6. Other: ____________

How can Cisco help you sell more AnyConnect Premium licenses?
1. Provide marketing collateral describing the benefits of Premium licenses
2. Provide partner training on the value of Premium licenses
3. Make simple bundle SKUs (single SKU) for common quoting configurations
4. Add more Premium-only features
5. Other: _______________