Mobile Devices & BYOD Security – Deployment & Best Practices

7,411 views

Published on

Subjects covered will include mobile devices OS security, state of malware on mobile devices, data loss prevention, VPN and remote access, 802.1x and certificate deployment, profiling, posture, web security, MDMs and others. For more information please visit our website: http://www.cisco.com/web/CA/index.html

Published in: Technology
  • Be the first to comment

Mobile Devices & BYOD Security – Deployment & Best Practices

  1. 1. Mobile Devices and BYOD Security: Deployment and Best Practices BRKSEC-2045 Sylvain Levesque Security Consulting Systems Engineer slevesqu@cisco.com
  2. 2. © 2014 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public Agenda  Test bed Used  State of Malware on Mobile Devices  802.1X Network Authentication  Device Profiling with the Identity Services Engine  Digital Certificates Usage and Provisioning Methods  Remote Access VPN  Web Security  Recommendations and Conclusion 3
  3. 3. Test bed Used
  4. 4. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Test bed Used  A number of tests were conducted for this session to document the behavior of mobile devices with different Cisco security solutions.  A group of devices under test was used to represent the major mobile platforms on the market today. Recent releases of operating systems were used and therefore the behavior documented in this presentation might vary with older OS releases. 5 Toshiba AT300 Tab/Android ICS 4.0.3 Samsung Galaxy Tab2 4.1+ Samsung: Nexus/Google Android JB 4.4+ Galaxy S2/SS Android JB 4.1.2 RIM/Blackberry: Bold 9900 7.1.0 Z10 10.0.10+ Microsoft Surface Windows 8 RT+ Apple iPad3 tablet/ iOS 6.1.2+ Anyconnect 3.xASA 9.1(4) WSA 7.5(0)-833 ISE 1.2 Airwatch Cloud-Based MDM 6.3.1.2 *ICS=Ice Cream Sandwich *JB=Jelly Bean Microsoft Certificate Services Windows 2008 Enterprise R2
  5. 5. State of Malware on Mobile Devices
  6. 6. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Mobile Devices Market  Android currently dominates the Mobile OS market followed by iOS  While iOS devices are pretty current, a large percentage of Android devices still uses outdated releases that could be subject to security vulnerabilities 7 Source: IDC Source: developer.android.com iOS Versions Android Versions
  7. 7. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public State of Malware Interesting statistics can be found on malware, exploits and mobile devices in this report: • Malware on Android up 2,577% • 99% of mobile malware target Android • Encounters with web malware: 70% Android, Apple iOS 22% percent • Malware on mobile devices: 1.2% of all web malware found (up from 0.42%) • Most exploits with Java: sparse support on mobile devices  The Cisco 2014 Annual Security Report describes the evolution of exploits and malware and is a great reference for any IT or Security professional: http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html 8
  8. 8. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Other Interesting Facts and Conclusions 9 25%+ of malware on mobile devices come from porn sites… • Phishing: still a major malware infection vector as with PCs • Users click on a link in an email that has them installing an App from an untrusted application store Typical exploits on Android: • subscription to premium SMS services • botnet infection and remote control • banking information theft 2012 -> first Android botnet in the wild 2013 -> large Android botnets observed in China (1 million + devices) The use of non-managed mobile devices could expose your organization to infection or data theft (Android or others)
  9. 9. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Other Interesting Facts and Conclusions 10 25% of malware on mobile devices come from porn sites… • Phishing: still a major malware infection vector as with PCs • Users click on a link in an email that has them installing an App from an untrusted application store Typical exploits on Android: • subscription to premium SMS services • botnet infection and remote control • banking information theft 2012 -> first Android botnet in the wild 2013 -> large Android botnets observed in China (1 million + devices) The use of non-managed mobile devices could expose your organization to infection or data theft (Android or others) Cisco Annual Security Report: “The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not “root” or “jailbreak” their devices, and only install applications from official and trusted distribution channels”
  10. 10. Secure Access with 802.1X, Remote Access VPN and Web Security
  11. 11. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public  802.1x is used to provide authentication of a user or a device to the network  3 main components are involved in a 802.1x authentication: - Supplicant: Provides Identity Information to the network. Supplicant software is embedded in all modern Operating Systems. Ex: Apple iOS, Android, Windows 8, etc. - Authenticator: Device that controls access to the network, participates in the initial EAP (Extensible Authentication Protocol) exchange and acts as a relay between the Supplicant and the Authentication Server. Ex: Switch, Wireless Controller - Authentication Server: RADIUS Server that validates the identity information provided and sends authorization attributes such as a VLAN, Access-List, Session timeout, URL for redirection. The identity can be optionally validated by an external Identity Store. Ex: ISE, ACS Network-Based Authentication using 802.1X - Review Authentication Server (RADIUS) Supplicant Authenticator EAP over RADIUSEAP/WPA2 EAP session 12
  12. 12. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public 802.1x Identity Information Types Different types for different mobility use cases: 1. Username/Password Combination - User authentication (also Machine Auth for Windows) - Active Directory/LDAP/RADIUS ID Stores - EAP types: PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST 2. Two-Factor Authentication - Something you know, you have, you are - Mostly for user authentication - RSA SecurID and other token-based ID Systems - EAP types: PEAP-GTC, EAP-FAST/EAP-GTC 3. Digital Certificates - Signed/emitted by a public or private Certificate Authority - Can be used for user and/or device authentication - Microsoft AD Certificate Services, Entrust, Verisign, etc. - EAP types: EAP-TLS, EAP-FAST EAP Extensible Authentication Protocol PEAP Protected EAP GTC Generic Token Card FAST Flexible Authentication via Secure Tunneling TLS Transport Layer Security 13
  13. 13. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Device & User Authentication/Authorization 14 Machine AuthC PEAP-MSCHAPv2* EAP-TLS host/MTLLAB-W500 User AuthC PEAP-MSCHAPv2 EAP-TLS CISCOslevesqu2 1 21 + 2 PHASES POSSIBLE Same EAP Type with Native Supplicant *Windows RT/Phone can not join Active Directory and can not use PEAP-MSCHAPv2 for Machine Authentication 1 PHASE ONLY AuthC=AuthentiCation AuthZ=AuthoriZation CN=Common Name SAN=Subject Alternate Name = Certificate PEAP-MSCHAPv2 EAP-TLS slevesqu User AuthC User AuthZ Hybrid AuthZ Device AuthZ CN=slevesqu SAN=00:21:6A:AB:0C:8E CN=slevesqu SAN=00:21:6A:AB:0C:8E
  14. 14. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public 2-Factor Authentication Workaround with 802.1X and Central Web Authentication 802.1X EAP-TLS authentication with Certificate 1 Central Web Authentication with User AD Account 2 Factor 1: Device Certificate!!! Factor 2: Employee User Credentials!!! ISE
  15. 15. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public EAP-Type Win 8 Pro/Enter prise Win RT Apple iOS Android BB7/10 ACS 5.x ISE 1.x AD LDAP EAP-TLS Yes Yes Yes Yes Yes Yes Yes Yes Yes PEAP MSCHAPv2 Yes Yes Yes Yes Yes Yes Yes Yes No PEAP EAP-GTC No1 No Yes Yes Yes Yes Yes Yes Yes EAP-FAST No1 No Yes2 No3 Yes Yes Yes Yes No Common 802.1X EAP Types and Compatibility 1. Supported through 3rd-party supplicants such as Anyconnect NAM 2. Configuration required through Apple Configuration Utility or MDM 3. No native support. Supported through Cisco Compatible Extensions (CCX) with specific mobile devices manufacturers. More information: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html No native support for token based systems such as RSA SecurID 16 BRKSEC-2691: Identity Based Networking: IEEE 802.1X and beyondMore on 802.1X!
  16. 16. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public 802.1X Configuration: PEAP-MSCHAPv2 User Authentication Example Touch-hold 1 2 3 4 1 2 3 1 2 3 4 6 5
  17. 17. Device Profiling with the Identity Services Engine
  18. 18. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public ISE Profiler Review  The ISE Profiler service uses a number of probes to capture the traffic generated by an endpoint device  It then extracts information from this traffic and compares patterns with profiling rules that are either pre- defined or custom-built to match an endpoint type and a profile  An Authorization rule can then use this information to assign network access privileges based on the device profile (iPhone/iPad vs Android vs Blackberry vs Windows) Probe Data Provided RADIUS OUI, MAC Address DHCP DHCP attributes, hostname DNS FQDN, hostname HTTP User-Agent NMAP OS fingerprint NETFLOW TCP/UDP ports used SNMP MIB strings Probes Currently Used to Profile Mobile Devices BRKSEC-3698: Advanced ISE and Secure Access Deployment 19 More on Profiling!!
  19. 19. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Example of Profiling Rules for iPad
  20. 20. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Analyzing HTTP User Agents Compatibility with Mozilla’s Rendering Engine OS and Version Device Model HTML Layout Engine Browser and Extensions Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19 21
  21. 21. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Sample HTTP User Agents Apple iPad Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53 Windows RT Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch) Android Samsung Tab2 tablet Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Android LG Google Nexus 5 smartphone Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36 Blackberry Z10 smartphone Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+ 22 View your own user-agent at: http://whatsmyuseragent.com!!
  22. 22. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Viewing Endpoint Profiling Data 23 Profiling data Profiling data
  23. 23. Digital Certificates Usage and Provisioning Methods
  24. 24. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Certificates, Trust and 802.1X  Public Key Cryptography (PKI) uses the concept of trusted Certification Authorities (CA). A list of public CAs on the Internet is embedded in the certificate store as Trusted Roots in every device  Many organizations typically deploy a private enterprise Certification Authority that allow them better control and scalability. The Root Certificate and certification chain of this private CA has to be provisioned in corporate devices in order for them to trust it  Non-corporate mobile devices will not trust by default the certificates generated by a private CA and the 802.1X behavior of mobile devices in this scenario will vary: – Apple iOS: User notification-> users might refuse to install the certificate and call the help desk – Android: Will accept non-trusted certificates by default without warning! – Windows RT/8: User notification -> users might refuse it as well – Blackberry 7: No notification -> Access rejected – Blackberry 10: Will accept non-trusted certificates by default without warning!  Windows RT/8 and BB 7: Validation of the server certificate can be disabled for PEAP/EAP-TLS. Useful for lab testing or proof-of-concept, but not recommended for production where we should use certificates from Public CAs to avoid end user issues 25
  25. 25. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Certificates Installation and Enrollment Non-trusted Root and user/device Certificates can be created and provisioned on mobile devices using a number of methods that can be manual or automated:  Copy it to the device. Ex: Corporate mobile devices  Push computer or user certificates through Group-Policy Objects (GPOs) for Windows corporate devices  The administrator can create the certificate or email it to the user the device. Ex: BYOD personal device  Certificate Server web portal (administrator or user)  The certificate creation and provisioning can be automated the Simple Certificate Enrollment Protocol (SCEP). A few options are available: – SCEP from the mobile device itself (support vary by mobile platform) – SCEP with the Anyconnect VPN client – SCEP Proxy with the Anyconnect VPN client and the ASA – Identity Services Engine (ISE) with the Onboarding service for 802.1x, SCEP with Mobile Device Management solutions 26
  26. 26. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Anyconnect Profile: SCEP Host = myCA.bn- lab.local Certificate Enrollment using SCEP and VPN SCEP with Anyconnect: SCEP Proxy with Anyconnect and the ASA: IPSec/SSL tunnel SCEP Request IPSec/SSL tunnel SCEP Request SCEP Request 1. ASA performs policy enforcement 2. ASA inserts machine device-id from posture • Initiated by the user • No Certificate renewal • Needs direct access to CA • Requires Anyconnect 2.4+ASA ASA SCEP Proxy • Controlled by the head-end (ASA) • Pre-enrollment policy enforcement • Device-ID for Authorization • Automatic Certificate renewal • Only ASA communicates with CA • Requires Anyconnect 3.0+
  27. 27. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Onboarding with ISE on Wired/WLAN Access Point ISE Mary User Name = Mary Password = ******* 1 Mary connects to Secure SSID 3 Register Device Provision Certificate Configure Supplicant Mary Reconnects to Secure SSID 2 Redirect to Self Provisioning Portal 2 BYOD-Secure SSID’sPersonal asset Wireless LAN Controller AD/LDAP N.B.: A dual-SSID option can also be used where the 2nd Open SSID is used for the onboarding process 28 CA
  28. 28. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public ISE Authorization Using Certificate Attributes Registered Devices: Indicates the device went through the BYOD onboarding process Network Access only allows EAP-TLS authentication with Certificate The Radius attribute Calling-Station-ID contains the MAC address of the device which is compared against the SAN in the Certificate The AD username is read from the Subject- Name and sent to AD where its attributes are retrieved for authorization Different Permissions Assigned (VLAN, ACLs, etc) 29
  29. 29. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Method Win 8 Pro/Enterp rise Win RT Apple iOS Android BB7 BB10 Email Yes Yes Yes No1 Yes No Copy To Device Yes Yes Yes2 Yes Yes Yes Web (CA Server) Yes Yes Yes Yes Yes No Anyconnect SCEP Yes No Yes Yes No No SCEP Proxy Yes No Yes Yes No No ISE Onboarding3 Yes No Yes Yes No No Certificates Installation Summary 1. Can not be installed from email directly but can be saved and installed from storage 2. Via the iPhone Configuration Utility or an MDM 3. More details on supported platforms: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321 30
  30. 30. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Certificate Management 1 2 3 4 1 2 3 1 3 4 5 Swipe-In 5 2 4 6 7
  31. 31. Remote Access VPN
  32. 32. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public ASA Remote Access VPN Options review Clientless SSL Basic Web, Email and CIFS Access Customized User Screen Thin-Client SSL Plugins (SSH,VNC, Telnet,RDP, Citrix) Smart Tunnels Client-Based SSL or IPSec AnyConnect 33
  33. 33. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Citrix Mobile Receiver Support  ASA release 9.0 introduces the support of the Citrix Mobile Receiver application directly in clientless SSLVPN for most desktop OSes and for Apple iOS and Android ̶ Allows the ASA to communicate directly to XenApp 6.5 or XenDesktop 5.5, 5.6 Access GatewayFirewall User Device Connected Using Citrix Online Plug-Ins Internet Web Interface Installed Behind the Access Gateway Server Farm Firewall Cisco® ASA 34
  34. 34. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Websockets HTML5 Access  ASA release 9.1(4) introduces the support of Websockets and HTML5 proxy  Enables a “fully clientless” solution homogeneously across differents OSes using a browser that supports HTML5 – No more dependencies on Java and ActiveX!  Uses 3rd-party Websockets gateways that converts HTML5 to a client protocol such as RDP/VNC/etc  The HTML5 resource is a simple bookmark accessed on the ASA clientless Web Portal Mobile Device with an HTML5 browser Internet 35 ASA SSL SSL RDP, VNC, CIFS, etc ApplicationWebsockets Gateway/Ser ver Intranet Data Center
  35. 35. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Method Win 8 Pro/Enterprise Win RT/Phone Apple iOS Android BB7/10 Anyconnect – SSL transport Yes No1 Yes Yes No1 Anyconnect – IPSec/IKEv2 Yes No1 Yes Yes No1 Websockets – HTML5 Yes Yes Yes Yes Yes Native VPN support Yes Yes Yes Yes No Clientless/Smartunnels/Plugins/ Yes No No No No Clientless – Mobile Citrix Receiver No No Yes (v4+) Yes (v2+) No Mobile Devices VPN Support Summary 1. RIM/BB and Microsoft do now allow the development of Anyconnect (or other VPN clients) on BBOS and Windows RT/Phone • For more detailed information on device/OS support, please consult the ASA Supported VPN Platforms document: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp177602 • For more information on features supported on Anyconnect with Android and Apple iOS, please consult their respective release notes: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-android.html http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html#wp1148532 36
  36. 36. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Corporate vs BYOD 2 methods can be used to match device-specific identity information that will allow a differentiation of policies: 1. Use of certificates for authentication and authorization: Certificate attributes can be defined for uses cases like Corporate & BYOD. These attributes can be matched to different authorization policies in the ASA and ISE 2. With posture: The posture service on the ASA for VPN and ISE can gather information on the device that can include the device type, OS type, processes/services running, Windows registry information, file information, certificate information. – If a corporate device is for example only a Windows PC domain member, the posture service could look for a specific piece of information like the registry entry defining the AD Domain, something that a mobile device would not have – If no mobile devices are to be allowed to connect, the posture service could use rules that would deny access to all mobile devices types How can I apply different access policies to a corporate device and a personal BYOD? How can I prevent a personal BYOD from connecting to my network? 37
  37. 37. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Mobile Posture with Anyconnect  ASA Release 8.2(5) introduced the ability to pass posture endpoint attributes from Anyconnect to ASA Dynamic Access Policies (DAP)  Can be used to control VPN connections from mobile endpoints and assign them specific access policies.  Posture is also used with SCEP proxy in ASA 9.0 to embed unique device identity in certificate enrollment requests  The Mobile Endpoint attributes include: ‒ Version of the Anyconnect client (e.g. “3.0.x”) ‒ Client Platform (“apple-ios”, “android”, etc) ‒ Client OS version (e.g. “5.0”) ‒ Type of device (varies per client platform but can be used to differentiate iPad from iPhone) ‒ Device UniqueID (varies per client platform, consists of Device UDID for iOS, opaque hash of IMEI/MEID/ESN or MAC+AndroidID for Android mobiles) 38
  38. 38. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Mobile Posture Configuration 39
  39. 39. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Mobile Posture Configuration 40 Choose Anyconnect as the Endpoint Attribute Type
  40. 40. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Mobile Posture Configuration 41 Select an Access Policy for the DAP defined
  41. 41. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Mobile VPN Authorization with Certificates • Certificate maps can be used with the ASA to allow matching of received certificate DN values and then map them to a Connection Profile. • Can be used with IPSec VPN and SSL VPN • Can be used with the Local CA feature on the ASA or with certificates generated from a 3rd-party CA • The following values from the certificate can be used for mapping: 1. Alt-subject-name 2. Subject-name 3. Issuer-name 4. Extended Key Usage (EKU) extensions BRKSEC-2053: Practical PKI for VPN More on Certificates for VPN 42
  42. 42. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public ASA Certificate Matching Configuration for VPN 43
  43. 43. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Licensing on the ASA  AnyConnect Essentials enables the use of Anyconnect for a full-tunnel VPN with SSL or IPSec IKEv2. One license if required per ASA  Anyconnect Premium activates advanced features such as the Clientless Portal, Smartunnels, Plugins, Posture and Mobile Posture. One license per concurrent user is required.  Anyconnect Essentials and Premium are mutually exclusive on an ASA  The Anyconnect Mobile license is required on top of Anyconnect Essentials or Anyconnect Premium licenses for mobile devices to establish a VPN tunnel with the ASA!! One license is required per ASA  For ASA releases 8.2 and below, 2 licenses per failover pair are required. Starting from ASA release 8.3, only one license is required per failover pair  Recommendation: Always include the Anyconnect Mobile License when purchasing a new ASA for VPN 44
  44. 44. Web Security
  45. 45. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Web Security Gateway - Deployment Methods  Web Security Gateways such as the Cisco Web Security Appliance (WSA) provide a number of security services at an organization’s perimeter such as URL Filtering, Web Reputation Filtering, Anti-Malware Filtering, Granular Application Control, Data Loss Prevention and others  These gateways typically do not sit inline the traffic and therefore Web user traffic must be redirected to these gateways  3 methods can be used for this redirection: ‒ Explicit Forward Mode: A proxy server entry is configured manually or automatically with the Web- Proxy Auto-configuration Protocol (WPAD) in the web browser to redirect its traffic to the Web Security Gateway ‒ Transparent Mode: The Web Cache Control Protocol (WCCP) is used between the Web Security Gateway and a network or security device to redirect user traffic to the Web Security Gateway ‒ Load-Balancers: For larger deployments. A Load-Balancer redirects the user traffic to the Web Security Gateway farms 46
  46. 46. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Web Security Gateway – User Authentication  Organizations typically require users to authenticate to an enterprise directory such as Active Directory before accessing Internet resources to allow for enforcement of Acceptable Use Policies per role and to provide auditing for reporting and compliance purposes  3 methods can be used to authenticate users: ‒ Basic Browser Authentication: The user is prompted to enter his credentials which can be sent to Active Directory/LDAP for authentication. Credentials can be cached by the browser to prevent the user to be prompted in the future. The user’s AD/LDAP attributes are also fetched for authorization and mapping to Access Policies. Appropriate for BYOD, guests or consultants. ‒ NTLMSSP Browser Authentication: The user’s Windows login credentials are fetched transparently from the browser using an NTLM challenge-response authentication and sent to Active Directory for authentication. The user’s AD attributes are also fetched for authorization and mapping to Access Policies. Appropriate for Windows corporate assets. ‒ Passive Identification: The Web Gateway uses the user’s IP address and sends a request to the Active Directory/Novell Directory Server that maintains the mapping of usernames/IP addresses seen when users log in. The Web Gateway then fetches the user’s AD/LDAP attributes for authorization and mapping to Access Policies. Appropriate for Windows corporate assets. 47
  47. 47. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Feature Win 8 Pro/Enter prise Win RT Apple iOS Android BB7 BB10 Proxy Configuration Yes Yes Yes Yes No1 Yes PAC-WPAD Yes Yes Yes No No Yes PAC-GPO Yes No No No No No PAC-MDM3 Yes No Yes No No No Basic Authentication Yes Yes Yes Yes Yes Yes NTLMSSP Yes Yes 2 Yes2 Yes2 No Yes2 Passive Identification Yes No No No No No Proxy and Authentication Methods Support 1. No support on native browser on Wifi. Supported with the Opera mini-browser and 3rd-party applications (not tested) 2. No Single Sign-On 3. Using the Airwatch MDM. Other MDMs may have different capabilities 48 BRKSEC-3771: Advanced Web Security Deployment with WSA and ASA-CXMore on WSA
  48. 48. Recommendations and Conclusion
  49. 49. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public  Security policies relative to the use of personal devices in the corporate environment should be created before a BYOD deployment  Business units owners should be involved to define the requirements and uses cases that will drive the architecture of the solution for mobile devices  User education and awareness is key! A BYOD deployment should include training and guidelines for users on how to use their personal mobile device to lower the risk of having their device compromised and exploited  A private Certification Authority should be considered for deployments requiring differentiation of access privileges between corporate and personal mobile devices  Profiling and VPN posture can be used to differentiate mobile devices from laptops/desktops and are great tools for device identification and inventory  A Virtual Desktop Infrastructure (VDI) architecture can help reduce the risk of data leakage and improve the user experience Deployment Recommendations 50
  50. 50. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com. Complete Your Online Session Evaluation  Give us your feedback and you could win fabulous prizes. Winners announced daily.  Receive 20 Passport points for each session evaluation you complete.  Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Note: This slide is now a Layout choice 51

×