Cisco livelocal2014 securitybeforeduringafter

  1. Local Edition – A New Paradigm for Information Security. Tim Ryan, Security Consulting Engineer, Public Sector East; Don Prince, Security Consulting Engineer, Public Sector East.
  2. © 2014 Cisco and/or its affiliates. All rights reserved. Presentation_ID. Cisco Public. Agenda:
     • Threat Continuum – Before, During & After
     • Building an Enterprise Access Control System with ISE
     • ASA Features and Futures
     • Web Security Review
     • Q&A
  3. Before, During and After Threat Mitigation
  4. Verizon Data Breach Report – statistics from over 850 breaches in 2012:
     • 98% stemmed from external agents
     • 81% utilized some form of hacking
     • 69% incorporated malware
     • 96% of attacks were not highly difficult
     Malware detection methods:
     • 49% external party – law enforcement, fraud detection organization, customer, etc.
     • 28% self-detection, passive – employee, slow network, etc.
     • 16% self-detection, active – security devices ← How can you increase this number?
  5. FBI 2013 Threat Information by the Numbers (from a recent presentation given to Cisco by an FBI field agent):
     • 63% of victims were notified by an external entity
     • 77% of intrusions used publicly available malware
     • Valid credentials were used in 100% of cases
     • 229 = median number of days that the attackers were present on the network before detection
     • 40% of victims were attacked again after the initial remediation
     Details on the SSL Heartbleed vulnerability: http://www.cisco.com/security
     If you knew you were going to be compromised, would you do security differently?
  6. The Next Generation Security Model – the Attack Continuum: BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate), across Network, Endpoint, Mobile, Virtual and Cloud, both point-in-time and continuous.
     BEFORE THE ATTACK: you need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT). Access controls: enforce policy, manage applications and overall access to assets. Access controls reduce the attack surface, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE: they will find any gap in defenses and exploit it to achieve their objective.
  7. The Next Generation Security Model (continued). DURING THE ATTACK: you must have the highest-efficacy threat detection mechanisms possible. Detection methods MUST be multi-dimensional and correlated. Once we detect attacks, NGS can block them and dynamically defend the environment.
  8. The Next Generation Security Model (continued). AFTER THE ATTACK: invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. You also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices and virtual environments, including cloud.
  9. Mapping Technologies to the Model – visibility and context across BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend) and AFTER (Scope, Contain, Remediate). Technologies placed on the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Anti-Virus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM.
  10. Cisco SIO (Security Intelligence Operations) and Sourcefire VRT (Vulnerability Research Team). Devices fed by the intelligence: Web Security Appliances (ASA-CX firewall, application visibility, web security, signatures, web categories), Cloud Web Security, Intrusion Prevention (IPS, Sourcefire), email and WWW gateways.
     Visibility: 1.6M global sensors; 75TB of live data feeds received per day; 150M+ deployed endpoints; 35% of worldwide email traffic; 13B web requests.
     Information and actions: 5,500+ IPS signatures produced; 8M+ rules per day; 200+ parameters tracked; 70+ publications produced; 40+ languages; 600+ engineers, technicians and researchers; $100M+ spent in dynamic research and development; 80+ Ph.D.s, CCIEs, CISSPs, MCSEs; 24x7x365 operations.
     Dynamically updated security solutions: zero-day detection, 3–5 minute database updates, reputation-based malware protection. www.ironport.com/toc, www.cisco.com/security
  11. Collective Security Intelligence
  12. Building an Enterprise Access Control Architecture with ISE – BEFORE, DURING, AFTER
  13. Cisco Secure Access Architecture & TrustSec
     • Identity- and context-centric security: WHO, WHAT, WHERE, WHEN, HOW. Identity and security policy attributes feed a centralized policy engine with business-relevant policies for users and devices; dynamic policy & enforcement covers application controls, monitoring and reporting, and security policy enforcement.
  14. Identity Services Engine – designed for secure access. The ISE policy server consolidates ACS, Profiler, Guest Server, NAC Manager and NAC Server functions:
     • Centralized Policy
     • RADIUS Server
     • Secure Group Access
     • Posture Assessment
     • Guest Access Services
     • Device Profiling
     • Monitoring
     • Troubleshooting
     • Reporting
     • Device Registration
     • Supplicant and Cert Provisioning
     • Mobile Device Management
     • Certificate Authority*
     • Identity Resource*
     • MDM Lite*
     (* coming soon)
  15. Authentication, Authorization, and Accounting – “who” is connecting, access rights assigned, and logging it.
  16. ISE is a Standards-Based AAA Server
     • An access control system must support all connection methods: wired (802.1X = EAP over LAN), wireless (802.1X = EAP over LAN), and VPN (SSL / IPsec), plus WebAuth & MAC bypass, all via RADIUS to the ISE policy server (managed with Cisco Prime). Supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP and VPN protocols.
  17. Separation of Authentication and Authorization – a policy set groups an authentication policy and an authorization policy under a condition (policy groups → policy set → condition → authentication → authorization).
  18. Authentication Rules
     • Obtaining & validating credentials. Authentication options: 802.1X / MAB / WebAuth.
     RADIUS attributes: Service-Type, NAS-IP, Username, SSID, …
     EAP types: EAP-FAST, EAP-TLS, PEAP, EAP-MD5, host lookup, …
     Identity source: Internal/Certificate, Active Directory, LDAPv3, RADIUS, identity sequence.
  19. Authorization Rules – 802.1X / MAB / WebAuth return standard IETF RADIUS / 3rd-party vendor-specific attributes (VSAs):
     • ACLs (Filter-ID)
     • VLANs (Tunnel-Private-Group-ID)
     • Session-Timeout
     • IP (Framed-IP-Address)
     • Vendor-specific, including Cisco, Aruba, Juniper, etc.
  20. ISE Authorization Policy Definition
     • Customized on: device type, location, user, posture, time, access method, custom conditions.
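The authentication/authorization split of slides 17 to 20 in working form, as an added example that is not part of the original deck and not ISE code: an authentication rule validates the credential against an identity source, then a separate authorization rule turns context (identity group, device type, location, posture, time, access method) into the RADIUS attributes named on slide 19. The identity store, rule names, ACL names and VLAN numbers are constructed; the hour-of-day field stands in for a time condition.

```python
"""Policy-set evaluation in the shape the slides describe.  Added example,
not ISE code; identity store, rule names and ACL/VLAN values are constructed."""
from dataclasses import dataclass, field

# Constructed identity store: username -> (password, group). Stands in for AD/LDAP/internal users.
IDENTITY_STORE = {
    "alice": ("s3cret", "Employees"),
    "bob": ("hunter2", "Contractors"),
}

NAS_PORT_TYPE_ETHERNET = 15     # RADIUS NAS-Port-Type values (wired / wireless)
NAS_PORT_TYPE_WIRELESS = 19


@dataclass
class Request:
    username: str
    password: str
    nas_port_type: int      # access method: 15 = wired, 19 = wireless
    device_type: str        # profiler result, e.g. "Workstation" or "Apple-iPad"
    location: str           # network device location group
    posture: str            # "Compliant", "NonCompliant" or "Unknown"
    hour: int               # local hour of day, 0-23 (stands in for a time condition)


@dataclass
class Decision:
    access_accept: bool
    rule: str
    attributes: dict = field(default_factory=dict)


def authenticate(req):
    """Authentication rule: validate the credential. Returns the identity group, or None."""
    entry = IDENTITY_STORE.get(req.username)
    if entry is None or entry[0] != req.password:
        return None
    return entry[1]


def authorize(req, group):
    """Authorization rules, first match wins.  Returned attribute names are the
    ones on slide 19: Filter-ID (ACL), Tunnel-Private-Group-ID (VLAN), Session-Timeout."""
    business_hours = 7 <= req.hour < 19
    if req.posture == "NonCompliant":
        # posture overrides identity: quarantine regardless of who the user is
        return Decision(True, "Quarantine",
                        {"Filter-ID": "QUARANTINE-ACL", "Tunnel-Private-Group-ID": "99",
                         "Session-Timeout": 300})
    if group == "Employees" and req.device_type == "Workstation":
        return Decision(True, "Employee-Corp-Device",
                        {"Filter-ID": "PERMIT-ALL", "Tunnel-Private-Group-ID": "10"})
    if group == "Employees" and req.device_type.startswith("Apple-"):
        return Decision(True, "Employee-BYOD",
                        {"Filter-ID": "BYOD-ACL", "Tunnel-Private-Group-ID": "20",
                         "Session-Timeout": 3600})
    if (group == "Contractors" and req.nas_port_type == NAS_PORT_TYPE_ETHERNET
            and req.location != "DataCenter" and business_hours):
        return Decision(True, "Contractor-Wired-Hours",
                        {"Filter-ID": "CONTRACTOR-ACL", "Tunnel-Private-Group-ID": "30",
                         "Session-Timeout": 7200})
    # default authorization rule: authenticated, but no rule matched -> deny
    return Decision(False, "Default-Deny")


def evaluate(req):
    """Run the policy set: authentication first, authorization only on success."""
    group = authenticate(req)
    if group is None:
        return Decision(False, "Authentication-Failed")
    return authorize(req, group)
```

Note that a valid credential alone grants nothing: the contractor who authenticates correctly at 22:00, or over wireless, falls through to the default deny, which is the point of keeping the two rule stages separate.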
  21. What About That 3rd “A” in “AAA”?
     • Accounting – reporting
  22. Detailed Visibility into System Operations
  23. ISE Session Log – session tracking & searching: search by user / device; disconnect a device.
  24. Profiling – “What” is Connecting to My Network?
  25. Profiling – PCs and non-PCs (UPS, phone, printer, AP). How?
     • What ISE Profiling is:
       – Dynamic classification of every device that connects to the network, using the infrastructure.
       – Provides the context of “what” is connected, independent of user identity, for use in access policy decisions.
     • What profiling is NOT:
       – An authentication mechanism.
       – An exact science for device classification.
  26. Profiling Policy Overview
     • Profile policies use a combination of conditions to identify devices. Example: Is the MAC address from Apple (OUI)? DHCP:host-name CONTAINS iPad; IP:User-Agent CONTAINS iPad → “I am fairly certain this device is an iPad” → assign this MAC address to ID group “iPad”. Probe sources: CDP/LLDP/DHCP/mDNS/MSI/H323/RADIUS for the OUI and identity checks, HTTP/DHCP/RADIUS for the host-name and User-Agent checks.
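The certainty-based matching that slide 26 sketches for the iPad case, as an added example that is not from the deck and not ISE's shipped profile library: each matched condition adds certainty, a child profile (Apple-iPad) is only considered once its parent (Apple-Device, from the OUI) has matched, and the endpoint lands in the most specific profile that clears its minimum certainty. The OUI table, certainty weights and thresholds are assumptions chosen for the example.

```python
"""Certainty-weighted device profiling.  Added example; OUI table, weights
and thresholds are constructed, not ISE's real profile library."""

# Constructed OUI table (first three octets of the MAC -> vendor). Real OUI lists are much larger.
OUI_VENDORS = {"3C:07:54": "Apple", "00:1B:63": "Apple", "00:50:56": "VMware", "00:04:F2": "Polycom"}

# Each profile: parent profile, minimum certainty, and (attribute, operator, value, certainty) conditions.
# Parents precede children in this dict, so one ordered pass evaluates the hierarchy.
PROFILES = {
    "Apple-Device": {"parent": None, "min": 10,
                     "conditions": [("OUI", "EQUALS", "Apple", 10)]},
    "Apple-iPad": {"parent": "Apple-Device", "min": 20, "conditions": [
        ("DHCP:host-name", "CONTAINS", "iPad", 20),
        ("IP:User-Agent", "CONTAINS", "iPad", 20),
    ]},
    "Apple-iPhone": {"parent": "Apple-Device", "min": 20, "conditions": [
        ("DHCP:host-name", "CONTAINS", "iPhone", 20),
        ("IP:User-Agent", "CONTAINS", "iPhone", 20),
    ]},
    "VMware-Device": {"parent": None, "min": 10,
                      "conditions": [("OUI", "EQUALS", "VMware", 10)]},
}


def oui_vendor(mac):
    """Vendor for a MAC address from its OUI, or None if the prefix is unknown."""
    return OUI_VENDORS.get(mac.upper()[:8])


def _matches(cond, attrs):
    attr, op, value, _weight = cond
    seen = attrs.get(attr)
    if seen is None:
        return False
    if op == "EQUALS":
        return seen == value
    if op == "CONTAINS":
        return value.lower() in seen.lower()
    raise ValueError("unsupported operator: " + op)


def _depth(name):
    """Number of parents above a profile; deeper means more specific."""
    depth = 0
    while PROFILES[name]["parent"]:
        name = PROFILES[name]["parent"]
        depth += 1
    return depth


def profile_endpoint(mac, attrs):
    """Return (identity group, total certainty) for the attributes the probes collected.
    Returns ("Unknown", 0) when no profile clears its minimum certainty."""
    attrs = dict(attrs)
    attrs["OUI"] = oui_vendor(mac)          # the OUI condition is derived from the MAC itself
    matched = {}                            # profile name -> accumulated certainty
    for name, prof in PROFILES.items():
        if prof["parent"] and prof["parent"] not in matched:
            continue                        # child profiles need their parent to have matched
        certainty = sum(c[3] for c in prof["conditions"] if _matches(c, attrs))
        if certainty >= prof["min"]:
            matched[name] = certainty + matched.get(prof["parent"], 0)
    if not matched:
        return ("Unknown", 0)
    best = max(matched, key=lambda n: (_depth(n), matched[n]))
    return (best, matched[best])
```

The last test case below is the "not an exact science" point from slide 25: a host that merely calls itself an iPad in DHCP, but carries an unknown OUI, stays Unknown rather than being trusted into the iPad group.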
  27. How Is the Profile Library Kept Current With the Latest Devices?
     • Dynamic Feed Service
       – Live update service for new profiles and OUI files
       – Cisco and Cisco partners contribute to the service
       – Opt-in model: new profiles are automatically downloaded from Cisco.com and applied to the live system
  28. Web Authentication
  29. Network Access for Guests and Employees
     • Unifying network access for guest users and employees. On wireless: multiple SSIDs are used (Corp SSID, open Guest SSID). On wired: there is no notion of an SSID; a unified port (employee desktop, printer, guest, contractor and IP phone can all appear on the same switch port) needs different authentication methods on a single port ► enter Flex Auth.
  30. Flex Auth for Wired Ports
     • Converging multiple authentication methods on a single wired port: 802.1X → (timeout/failure) → MAB → (timeout/failure) → WebAuth. Interface config:
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication open
        authentication port-control auto
        mab
        dot1x pae authenticator
        authentication event fail action next-method
        authentication order dot1x mab
        authentication priority dot1x mab
  31. Building the Architecture in Phases – wired deployment models
     • Access-prevention technology:
       – A Monitor Mode is necessary
       – Must have ways to implement and see who will succeed and who will fail
     • Determine why, and then remediate, before taking 802.1X into a stronger enforcement mode.
     • Solution = phased approach to deployment:
       – Monitor Mode (low security – connectivity over security)
       – Low-Impact Mode (medium security – balanced security) -or-
       – Closed Mode (high security – security over connectivity)
  32. Monitor Mode
     • A process, not just a command. Both pre-AuthC and post-AuthC the switch port permits all traffic (EAPoL, DHCP, TFTP, HTTP, KRB5, …): traffic is always allowed.
     • Enables 802.1X authentication on the switch, but even a failed authentication will gain access
     • Allows network admins to see who would have failed, and fix it, before causing a denial of service
     (AuthC = authentication, AuthZ = authorization.) Interface config:
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication open
        authentication port-control auto
        mab
        dot1x pae authenticator
  33. Low-Impact Mode
     • If authentication is valid, then specific access! Pre-AuthC a default port ACL permits some traffic (EAPoL, DHCP, TFTP, HTTP, KRB5); post-AuthC a role-based ACL or SGT applies (e.g. additionally permitting RDP).
     • Limited access prior to authentication
     • AuthC success = role-specific access
     • dVLAN assignment / dACLs
     • Secure Group Access
     • Still allows pre-AuthC access for thin clients, WoL & PXE boot devices, etc.
     Interface config:
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication open
        authentication port-control auto
        mab
        dot1x pae authenticator
        ip access-group default-ACL in
  34. Closed Mode
     • No access prior to login, then specific access! Pre-AuthC only EAP is permitted; post-AuthC: permit all, a role-based ACL, or an SGT.
     • Default 802.1X behavior
     • No access at all prior to AuthC
     • Still use all AuthZ enforcement types: dACL, dVLAN, SGA
     • Must take thin clients, WoL, PXE devices, etc. into consideration
     Interface config (there is no "authentication open" line in this mode):
       interface GigabitEthernet1/0/1
        authentication host-mode multi-auth
        authentication port-control auto
        mab
        dot1x pae authenticator
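Because the three modes on slides 32 to 34 differ by only one or two interface lines, a phased rollout is easy to audit from the running configuration. The following added example (not from the deck, not Cisco tooling) parses interface stanzas and classifies each port as Monitor, Low-Impact, Closed, or not authenticating at all, using exactly the distinguishing lines from the slides: "authentication open" without an ingress ACL is Monitor, with an ingress ACL is Low-Impact, and its absence is Closed. The running-config excerpt is constructed.

```python
"""Classify switch ports by 802.1X deployment mode from IOS interface config.
Added example, not Cisco tooling; the config text below is constructed."""
import re

# Constructed running-config excerpt: one port per mode plus an uplink with no authentication.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
!
interface GigabitEthernet1/0/3
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description uplink, no authentication
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for every interface stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            stanzas[current] = []
        elif line.startswith("!"):
            current = None                      # end of stanza
        elif current is not None and line.strip():
            stanzas[current].append(line.strip())
    return stanzas


def port_mode(lines):
    """Map one interface's lines to a deployment mode from the slides."""
    has_method = "dot1x pae authenticator" in lines or "mab" in lines
    port_control = "authentication port-control auto" in lines
    if not (has_method and port_control):
        return "No-Authentication"              # port is not part of the 802.1X rollout at all
    is_open = "authentication open" in lines
    has_ingress_acl = any(re.match(r"ip access-group \S+ in$", l) for l in lines)
    if is_open and has_ingress_acl:
        return "Low-Impact"
    if is_open:
        return "Monitor"                        # failed authentication still gets full access
    return "Closed"


def audit(config):
    """Return {interface: mode} for a whole running configuration."""
    return {name: port_mode(lines) for name, lines in parse_interfaces(config).items()}
```

Run against the output of "show running-config", the Monitor entries are the ports where a failed authentication still grants access, which is the list to work through before moving a switch to Low-Impact or Closed mode.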
  35. ISE Central Web Auth (CWA) Configuration
     The MAB authentication rule condition is to match RADIUS attribute Service-Type = 10 (Call-Check) AND [NAS-Port-Type = 15 (Ethernet) OR NAS-Port-Type = 19 (Wireless – IEEE 802.11)]. By default the Internal Endpoints DB is used as the ID source; authentication succeeds if the MAC address is found in the DB. If the MAC address lookup fails, reject the request and send an Access-Reject. If the MAC address lookup returns no result, continue the process and move to authorization.
     • MAB requests from a failed-auth or timed-out user can still be processed to return a specific authorization rule (VLAN, dACL, URL-Redirect, and SGT)
     • By default, the ‘If user not found’ value is set to ‘Reject’
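The MAB rule from slide 35 worked through in code, as an added example that is not from the deck and not ISE code: the rule matches Service-Type 10 on NAS-Port-Type 15 or 19, looks the calling MAC up in the internal endpoint DB, and applies the 'If user not found' option. With the default 'Reject' an unknown MAC is refused outright; with 'Continue' the request reaches authorization and is handed a Central Web Auth redirect in the url-redirect form shown on slide 43. The endpoint DB, the ACL names and the session id are constructed.

```python
"""MAB authentication with 'If user not found' handling and a CWA redirect.
Added example, not ISE code; endpoint DB, ACL names and session id are constructed."""
from urllib.parse import urlencode

SERVICE_TYPE_CALL_CHECK = 10       # RADIUS Service-Type used by MAB requests
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS = 19

# Constructed internal endpoint DB: known MAC -> endpoint identity group.
INTERNAL_ENDPOINTS = {
    "00:04:f2:11:22:33": "Cisco-IP-Phone",
    "3c:07:54:aa:bb:cc": "Registered-iPad",
}
# Constructed ACL names returned for known endpoint groups.
GROUP_ACL = {"Cisco-IP-Phone": "VOICE-ACL", "Registered-iPad": "BYOD-ACL"}


def normalize_mac(calling_station_id):
    """Calling-Station-Id commonly arrives as 00-04-F2-11-22-33; the DB keys are colon-separated lower case."""
    return calling_station_id.replace("-", ":").lower()


def is_mab_request(radius):
    """The rule condition from the slide: Call-Check on an Ethernet or Wireless-802.11 port."""
    return (radius.get("Service-Type") == SERVICE_TYPE_CALL_CHECK
            and radius.get("NAS-Port-Type") in (NAS_PORT_TYPE_ETHERNET, NAS_PORT_TYPE_WIRELESS))


def mab_authenticate(radius, if_user_not_found="Reject"):
    """Returns (outcome, group); outcome is 'Found', 'Reject', 'Continue' or 'NoMatch'."""
    if not is_mab_request(radius):
        return ("NoMatch", None)             # this rule does not apply; a later rule would be tried
    group = INTERNAL_ENDPOINTS.get(normalize_mac(radius["Calling-Station-Id"]))
    if group is not None:
        return ("Found", group)
    return (if_user_not_found, None)        # 'Reject' (the default) or 'Continue'


def cwa_redirect(session_id, portal_host="guest.abc.com", port=8443):
    """Build the url-redirect value in the format shown on the anchor-controller slide."""
    query = urlencode({"sessionId": session_id, "action": "cwa"})
    return f"https://{portal_host}:{port}/guestportal/gateway?{query}"


def authorize_mab(radius, if_user_not_found="Reject", session_id="constructed-session-id"):
    """Authorization outcome for a MAB request, as RADIUS attributes."""
    outcome, group = mab_authenticate(radius, if_user_not_found)
    if outcome == "Found":
        return {"result": "Access-Accept", "Filter-ID": GROUP_ACL[group]}
    if outcome == "Continue":
        # unknown endpoint: accept, but confine it to the redirect ACL and send it to the guest portal
        return {"result": "Access-Accept",
                "url-redirect-acl": "CWA-REDIRECT-ACL",
                "url-redirect": cwa_redirect(session_id)}
    return {"result": "Access-Reject"}
```

The difference between the two settings is the whole of CWA: with 'Reject' the switch would move on to the next Flex Auth method or fail the port, whereas with 'Continue' the unknown device is deliberately accepted into a redirect-only ACL so that the portal, not the MAC, decides the final access.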
  36. URL Redirection – ISE uses URL redirection for:
     • Central Web Auth
     • Client software provisioning
     • Posture discovery / assessment
     • Device registration WebAuth
     • BYOD on-boarding
     • Certificate provisioning
     • Supplicant configuration
     • Mobile Device Management
     • External web pages
  37. Integrated Guest Services and Lifecycle Management
  38. Components of a Full Guest Lifecycle Solution
     Provisioning: guest accounts via the sponsor portal. Notify: guests of account details by print, email, or SMS. Manage: sponsor privileges, guest accounts and policies, guest portal. Report: on all aspects of guest accounts. Guests authenticate/authorize via a guest portal on ISE.
  39. Guest Self-Service (for your reference)
  40. Sponsor Portal – Create Guest Accounts (for your reference)
     Customizable fields: define whether mandatory (*) or optional; up to 5 other custom attributes with custom labels can be added. Guest roles and time profiles: pre-defined by the admin. Language templates: customizable guest notifications by language and general preferences.
  41. ISE – Multiple Guest Portals
     • Several portals may be needed to support different groups/users based on:
       – Location / country
       – Type of device: WLC, switches
       – Local language support
     • ISE can hold several portals
     • Multiple portals can be used simultaneously for authentication
  42. Guest Deployment and Path Isolation
     • Isolation at the access layer (port, SSID)
     • Layer 2 path isolation:
       – CAPWAP & VLANs for wireless
       – L2 VLANs for wired
     • Layer 3 path isolation:
       – VRF (Virtual Routing and Forwarding) to the firewall guest interface
       – Various tunnel methods: GRE, VPN, MPLS
     Diagram: the corporate access layer and the WLC (CAPWAP) feed L3 switches running a global employee VRF and a guest VRF; the Cisco ASA firewall separates inside, guest DMZ, DMZ and outside (Internet) from the corporate intranet.
  43. ISE 1.2: Guest Access with Anchor Controller
     • PSN dedicated guest interface on the DMZ. The PSN has a dedicated guest portal interface (GE1) connected to the DMZ:
       interface GigabitEthernet 0
        ip address 10.1.1.10 255.255.255.0
       !
       interface GigabitEthernet 1
        ip address 192.168.1.10 255.255.255.0
       !
       ip host 192.168.1.10 guest.abc.com
     • If GE1 is the first CWA-enabled interface, the URL redirect is sent to guest.abc.com:8443:
       url-redirect=https://guest.abc.com:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
     • The client needs to resolve guest.abc.com to 192.168.1.10 via a local or Internet (public) DNS server.
     Topology: corporate LAN (10.x.x.x) on PSN GE0; DMZ (192.168.x.x) on PSN GE1, with the Wireless LAN anchor controller in the DMZ and the Cisco Wireless LAN Controller on the corporate LAN.
  44. Guest Tracking Leverages Network Logging
     Log interesting activity from the guest user and forward it to ISE for correlation, e.g.:
       Guest IP accessed http://www.google.com
       Guest IP accessed http://facebook.com
       Guest IP triggered network AV alert
       Guest IP triggered infected endpoint event
       Guest IP …
  45. Guest Activity Tracking Integrates Network Logs
     Create a service policy in the ASA to inspect HTTP traffic for the guest subnet; ISE shows the accessed URLs in its reports.
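The correlation step that slides 44 and 45 rely on, as an added example that is not from the deck and not ISE or ASA code: the firewall only knows a guest IP address, so each logged URL or alert has to be joined to the guest session that held that address at that moment. The session table and log lines are constructed, and the log format is a simplified stand-in for the ASA HTTP-inspection syslog; the example also covers the case where the same guest address is reused by a later session, so that an event in the gap between sessions is left unattributed rather than blamed on the wrong visitor.

```python
"""Attribute per-IP network log events to guest sessions by address and time.
Added example, not ISE or ASA code; sessions and log lines are constructed."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed session records, in the shape the ISE session log would hold for a guest subnet.
# guest-visitor02 reuses the address guest-visitor01 held earlier the same morning.
SESSIONS = [
    {"user": "guest-visitor01", "ip": "192.168.50.20", "start": "2014-05-20 09:00:00", "end": "2014-05-20 10:30:00"},
    {"user": "guest-visitor02", "ip": "192.168.50.20", "start": "2014-05-20 11:00:00", "end": None},
    {"user": "guest-visitor03", "ip": "192.168.50.21", "start": "2014-05-20 09:15:00", "end": None},
]

# Constructed log lines: "<date> <time> <source-ip> <event> <detail>".
LOG_LINES = """\
2014-05-20 09:05:12 192.168.50.20 accessed http://www.google.com
2014-05-20 09:40:03 192.168.50.21 accessed http://facebook.com
2014-05-20 10:45:00 192.168.50.20 accessed http://example.net
2014-05-20 11:20:45 192.168.50.20 av-alert Infected endpoint event
2014-05-20 11:21:00 10.1.1.5 accessed http://intranet.abc.com
""".splitlines()


def parse_line(line):
    """Split one log line into (timestamp string, source ip, event, detail)."""
    parts = line.split(" ", 4)
    detail = parts[4] if len(parts) > 4 else ""
    return parts[0] + " " + parts[1], parts[2], parts[3], detail


def session_for(ip, ts_str):
    """Username of the session that held `ip` at `ts_str`, or None if no session covers that moment."""
    ts = datetime.strptime(ts_str, FMT)
    for s in SESSIONS:
        if s["ip"] != ip:
            continue
        start = datetime.strptime(s["start"], FMT)
        end = datetime.strptime(s["end"], FMT) if s["end"] else None   # None = still active
        if start <= ts and (end is None or ts <= end):
            return s["user"]
    return None


def correlate(lines):
    """Return ({user: [(event, detail), ...]}, [unattributed log lines])."""
    by_user, unattributed = {}, []
    for line in lines:
        ts_str, ip, event, detail = parse_line(line)
        user = session_for(ip, ts_str)
        if user is None:
            unattributed.append(line)         # no guest session: not a guest, or between sessions
        else:
            by_user.setdefault(user, []).append((event, detail))
    return by_user, unattributed
```

The unattributed list is worth reviewing rather than discarding: an event on the guest subnet with no matching session means either a gap in session logging or a device on that segment that never authenticated.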
  46. BYOD – Extending Network Access to Personal Devices
  47. Onboarding Personal Devices
     • Registration, certificate and supplicant provisioning: device onboarding, certificate provisioning, supplicant provisioning, self-service model (iOS, Android, Windows, Mac OS; MyDevices portal).
     • Provisions device certificates
       – Based on Employee-ID & Device-ID
     • Provisions native supplicants:
       – Windows: XP, Vista, 7 & 8
       – Mac: OS X 10.6, 10.7, 10.8, 10.9
       – iOS: 4, 5, 6, 7
       – Android: 2.2 and above
       – 802.1X + EAP-TLS, PEAP & EAP-FAST
     • Employee self-service portal
       – Lost devices are blacklisted
       – Self-service model reduces IT burden
     • Single and dual SSID onboarding
  48. Single Versus Dual SSID Provisioning
     • Single SSID
       – Start with 802.1X on one SSID using PEAP (SSID = BYOD-Closed, 802.1X, PEAP or EAP-TLS)
       – End on the same SSID with 802.1X using EAP-TLS (WLAN profile SSID = BYOD-Closed, EAP-TLS, Certificate = MyCert)
     • Dual SSID (most common method)
       – Start with CWA on one SSID (SSID = BYOD-Open, MAB / CWA)
       – End on a different SSID with 802.1X using PEAP or EAP-TLS (WLAN profile SSID = BYOD-Closed, PEAP or EAP-TLS, Certificate = MyCert)
  49. Mobile Device Management (MDM) – Extending “Posture” Assessment and Remediation to Mobile Devices
  50. ISE Integration with 3rd-Party MDM Vendors
     • MDM device registration via ISE
       – Non-registered clients are redirected to the MDM registration page
     • Restricted access
       – Non-compliant clients are given restricted access based on policy
     • Endpoint MDM agent
       – Compliance
       – Device application checks
     • Device action from ISE
       – Device stolen → wipe data on client
     (Partner version labels from the slide, whose vendor logos did not survive the transcript: v2.3, v6.2, v5.0, v7.1, MCMS, v7.0 SP3, v4.1.10, v13.2 Patch 5, v1.0.)
  51. MDM Compliance Checking
     • Compliance based on:
       – General Compliant or !Compliant status (macro level), OR
       – Disk encryption enabled, PIN lock enabled, jailbroken status (micro level)
     • MDM attributes are available for policy conditions
     • “Passive reassessment”: bulk recheck against the MDM server using a configurable timer
       – If the result of the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session
     • Compliance and attribute retrieval via API
  52. MDM Enrollment and Compliance
     • User experience upon MDM URL redirect: MDM enrollment when MDM:DeviceRegistrationStatus EQUALS UnRegistered; MDM compliance when MDM:DeviceCompliantStatus EQUALS NonCompliant.
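The MDM flow of slides 50 to 52 worked through in code, as an added example that is not from the deck and not ISE or any MDM vendor's API: unregistered devices are redirected to enrollment, compliance is checked either at the macro level (the vendor's overall Compliant flag) or the micro level (the individual disk encryption, PIN lock and jailbreak attributes from slide 51), and a passive reassessment pass lists the active sessions that now need a CoA terminate. The MDM answers are constructed dictionaries; the two attribute names on slide 52 are the page's, while DiskEncryptionStatus, PinLockStatus and JailBrokenStatus and the ACL name are assumed names for this example.

```python
"""MDM-driven authorization and passive reassessment.  Added example, not ISE
or MDM vendor code; MDM records and the micro-level attribute names are constructed."""
import copy

# Constructed MDM API answers keyed by MAC address.
MDM_RECORDS = {
    "aa:aa:aa:00:00:01": {"DeviceRegistrationStatus": "Registered", "DeviceCompliantStatus": "Compliant",
                          "DiskEncryptionStatus": "On", "PinLockStatus": "On", "JailBrokenStatus": "Unbroken"},
    "aa:aa:aa:00:00:02": {"DeviceRegistrationStatus": "UnRegistered"},
    # vendor reports Compliant overall, but the PIN lock attribute says otherwise
    "aa:aa:aa:00:00:03": {"DeviceRegistrationStatus": "Registered", "DeviceCompliantStatus": "Compliant",
                          "DiskEncryptionStatus": "On", "PinLockStatus": "Off", "JailBrokenStatus": "Unbroken"},
}


def macro_compliant(rec):
    """Macro level: trust the MDM's overall compliance verdict."""
    return rec.get("DeviceCompliantStatus") == "Compliant"


def micro_compliant(rec):
    """Micro level: check the individual attributes the slide lists."""
    return (rec.get("DiskEncryptionStatus") == "On"
            and rec.get("PinLockStatus") == "On"
            and rec.get("JailBrokenStatus") == "Unbroken")


def mdm_authorize(mac, records=MDM_RECORDS, mode="micro"):
    """Authorization result for one device: Redirect, Restricted or Full-Access."""
    rec = records.get(mac, {"DeviceRegistrationStatus": "UnRegistered"})   # unknown to MDM = not enrolled
    if rec["DeviceRegistrationStatus"] == "UnRegistered":
        return {"result": "Redirect", "target": "MDM-Enrollment"}
    compliant = macro_compliant(rec) if mode == "macro" else micro_compliant(rec)
    if not compliant:
        return {"result": "Restricted", "Filter-ID": "MDM-NONCOMPLIANT-ACL"}
    return {"result": "Full-Access"}


def passive_reassessment(active_sessions, records, mode="micro"):
    """Bulk recheck of active sessions {session id: mac}; returns the session ids to terminate with a CoA."""
    return [sid for sid, mac in active_sessions.items()
            if mdm_authorize(mac, records, mode)["result"] != "Full-Access"]


def simulate_drift(records, mac, **changes):
    """Return a copy of the MDM records with one device's attributes changed (models a later API answer)."""
    later = copy.deepcopy(records)
    later[mac].update(changes)
    return later
```

Device 03 shows why the slide separates the two levels: macro-level policy lets it through on the vendor's verdict, micro-level policy restricts it because the PIN lock is off. The reassessment function is what the timer on slide 51 would call; its return value is the CoA list.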
  53. 53. © 2014 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public Local Edition Reporting •  Mobile Device Management Report 53
  54. 54. Local Edition TrustSec and Pervasive Policy Enforcement
  55. 55. © 2014 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public Local Edition TrustSec Authorization and Enforcement dACL or Named ACL •  Less disruptive to endpoint (no IP address change required) •  Improved user experience •  Increased ACL management VLANS •  Does not require switch port ACL management •  Preferred choice for path Isolation •  Requires VLAN proliferation and IP refresh – Optional VRF Security Group Access •  Simplifies ACL management •  Uniformly enforces policy independent of topology •  Fine-grained access control Guest VLAN 4VLAN 3 Remediation EmployeesContractor Employee IP Any Security Group Access—SXP, SGT(Secure Group TAG), SGACL, SGFW 55
56. SGT Assignments
(Slide figure: campus access, distribution, core, DC core and end-of-row switches, with WLC, firewall and hypervisor switch; not preserved in extraction)
•  End user endpoint is classified with an SGT
•  BYOD device is classified with an SGT
•  SVI interface is mapped to an SGT
•  VLAN is mapped to an SGT
•  Physical server is mapped to an SGT
•  Virtual machine is mapped to an SGT
57. TrustSec Enabled Network Segmentation
Campus and Branch Segmentation
•  Business drivers include PCI for financial data, HIPAA for medical data, medical device separation within a VLAN
Access Control with Secure Group Access
•  Rules defined by business function and roles
•  80%+ reduction over manual rules
•  Simple to add/remove rules
Enterprise Wide
•  Topology-independent
•  Scalable
•  One policy for wired or wireless
58. Secure Group Access Simplifies Security Enforcement
User-Access Control to DC
•  Business drivers include: employee vs. guest, BYOD vs. managed device
Secure Group Tag Enforcement
•  Access lists with SGTs on ASA, Nexus or Catalyst switches
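A miniature SGT/SGACL enforcement model for slides 55 through 58, added here as an illustration (not Cisco's code and not how a switch implements it): tag numbers, IP-to-SGT bindings and the policy matrix are constructed assumptions; the point it shows is that the matrix is keyed on tags, so re-addressing a host changes only its binding, never the policy.

```python
"""Added example, not Cisco's code: SGT classification plus SGACL matrix lookup.
Tags, bindings and policy cells are constructed; on real gear ISE pushes the
matrix and the switch/ASA/Nexus enforces it."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Role -> Security Group Tag (constructed values; SGTs are 16-bit numbers)
SGT = {"Employee": 10, "Contractor": 20, "Guest": 30, "PCI_Server": 100, "Web_Server": 110}

# SGACL matrix: (source SGT, destination SGT) -> ordered ACEs (proto, port, action).
# A missing cell, or no matching ACE, falls through to the implicit deny.
SGACL: Dict[Tuple[int, int], List[Tuple[str, int, str]]] = {
    (SGT["Employee"], SGT["PCI_Server"]): [("tcp", 443, "permit")],
    (SGT["Employee"], SGT["Web_Server"]): [("tcp", 80, "permit"), ("tcp", 443, "permit")],
    (SGT["Contractor"], SGT["Web_Server"]): [("tcp", 443, "permit")],
    (SGT["Guest"], SGT["Web_Server"]): [("tcp", 80, "permit")],
}

Binding = Dict[str, int]   # prefix -> SGT (the "mapped to SGT" arrows on slide 56)

def classify(binding: Binding, ip: str) -> Optional[int]:
    """Longest-prefix IP-to-SGT lookup; None means the packet carries no tag."""
    addr = ip_address(ip)
    for prefix, tag in sorted(binding.items(), key=lambda kv: -ip_network(kv[0]).prefixlen):
        if addr in ip_network(prefix):
            return tag
    return None

def sgacl_decision(src_sgt: int, dst_sgt: int, proto: str, port: int) -> str:
    """First matching ACE in the (src, dst) cell wins; otherwise implicit deny."""
    for ace_proto, ace_port, action in SGACL.get((src_sgt, dst_sgt), []):
        if ace_proto == proto and ace_port == port:
            return action
    return "deny"

def enforce(binding: Binding, src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Policy is keyed on tags, not addresses: moving a host to another subnet
    changes its binding, not the SGACL matrix (the 'topology-independent' bullet)."""
    src, dst = classify(binding, src_ip), classify(binding, dst_ip)
    if src is None or dst is None:
        return "deny"          # untagged traffic matches no permit cell
    return sgacl_decision(src, dst, proto, port)
```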
59. What’s Coming Next?
Next slides contain some forward-looking features.....
All standard legal disclaimers apply here.......
It’s all about the information...............blah, blah, blah, blah
60. Native MDM with ISE & AnyConnect – ISE 1.3
Setup
•  Set Wi-Fi settings
•  Push VPN settings
•  Configure email & calendar
•  Push and install certs (ISE built-in CA – 1.3)
Configuration
•  Set the PIN lock
•  Enforce encryption on device
•  Detect jailbroken device
•  Restrict camera usage
Apps
•  Management from Apple App Store / Google Play
Management
•  Geo-query location
•  Lock & unlock
•  Un-enroll from MDM
•  Wipe data on device
61. ASA Firewall – Recent Innovations
•  ASA clustering with EtherChannel load balancing (Cluster Control Link, multi-switch EtherChannel)
•  Cisco Cloud Web Security integration
•  Next-generation encryption
•  IPv6 support enhancements
•  Multi-context – routing & S2S VPN
•  EtherChannel – with VSS & vPC support
•  Mix transparent & routed modes
•  ISE control of VPN via CoA – Sept 2014
•  VMware versions coming – later in 2014
•  Sourcefire feature integration – 2014 & beyond
62. ASAv – Virtual ASA
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mid-2014
•  VMware hypervisor (vSwitch & dvSwitch)
•  Non-vPath enablement
•  Fabric integration with STS mode
•  Term-based licensing (vCPU, not socket)
•  SDN management for both ASA and ASAv
•  CSM management for ASAv
•  10 vNIC capacity
•  200 VLAN sub-interfaces
•  1000 VXLANs
•  1–2 Gbps performance
•  Hyper-V coming late 2014
63. A Commitment to Our Customers
© 2014 Cisco/Sourcefire and/or its affiliates. All rights reserved. Cisco Confidential
•  Choices to bring next-generation security into your environment
   •  (1) FirePower NGS on ASA*
   •  (2) NGFW/NGIPS services within FirePower NGS
   •  (3) Centralized management
      •  System-level management
      •  Threat-level management
      •  Manager of Managers (MoM)
•  Integration with network security services
   •  Identity / access control / ISE & TrustSec
•  Strongest data center capabilities
   –  Gartner MQ Leaders in (NG)IPS, SSL VPN, VPN, Identity/NAC, Web Security, Email Security, Data Center
   –  Leader in Data Center Security (Infonetics 2013)
*Refers to the Cisco Sourcefire NGS platform – Sourcefire running on ASA
64. Cisco Web Security Options
Sourcefire
•  Inline: Next Gen IPS – multi-port GE/10GE/40GE
•  Anti-malware – network & agent based
•  Web filtering
•  Application control across all ports
•  VRT – threat protection
•  Defense Center – threat detection correlation view
•  Internet B/W from 50 Mbps – 60 Gbps – high-performance platform
Meraki
•  Inline – Next Gen firewall plus web filtering
•  Anti-virus, IPS (Snort)
•  Cloud managed
•  Application control across all ports
•  Traffic shaping
•  Simple configuration & monitoring
•  CIPA – SafeSearch, YouTube for EDU
•  Internet B/W less than 1 Gbps
Cloud Web Security (aka ScanSafe)
•  Transparent redirect via Network Connector or device agent (Win, Mac)
•  Port 80/443
•  Anti-malware from Sourcefire
•  Granular filtering using Cisco Web Usage Controls
•  Web security for mobile users without the need for VPN
•  Multiple malware scanners for threat protection
•  Dynamic web categorization
•  CIPA – SafeSearch, YouTube for EDU – per policy
•  Internet B/W – no limit
IronPort (Web Security Appliance), physical or virtual
•  Transparent redirect via WCCP or browser proxy
•  Port 80/443
•  Anti-malware from Sourcefire
•  DLP for web
•  Granular filtering using Cisco Web Usage Controls
•  Central logging or Splunk
•  Video/audio bandwidth throttling
•  SIO – IP reputation filtering & threat protection
•  Dynamic web categorization
•  CIPA – SafeSearch, YouTube for EDU – global
•  Internet B/W – depends on number of WSAs & requests/sec
Note: in ASA-CX, limited B/W
65. Complete Your Online Session Evaluation
•  Give us your feedback and you could win fabulous prizes. Winners announced daily.
•  Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
66. Register for CiscoLive! – San Francisco
May 18 – 22, 2014
www.ciscolive.com/us
68. Links
•  Secure Access, TrustSec, and ISE on Cisco.com
   –  http://www.cisco.com/go/security
   –  http://www.cisco.com/go/ise
   –  http://www.cisco.com/go/isepartner
•  TrustSec and ISE Deployment Guides:
   –  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
•  YouTube: Fundamentals of TrustSec:
   –  http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
69. Anatomy of a Modern Threat
•  Infection entry point occurs outside of the enterprise (Internet and cloud apps, public network)
•  Advanced cyber threat bypasses perimeter defense (campus perimeter)
•  Threat spreads and attempts to exfiltrate valuable data (enterprise data center)
70. A Systems Approach
•  Switch/controller is the enforcement point
71. Client Provisioning Policy
(Slide figure: client provisioning policy table with columns User, OS, Supplicant, Posture; not preserved in extraction)
72. MDM Integration (For Your Reference)
•  Registration and compliance
(Slide figure: policy conditions for ISE Registered, MDM Registered, PIN Locked, Encryption and Jail Broken; not preserved in extraction)
73. MDM Integration
•  User / administrator can issue remote actions on the device through the MDM server (example: remotely wiping the device)
   –  My Devices Portal (user interface)
   –  ISE Endpoints Directory (admin interface)
•  Remediation
   –  Options available from the admin interface and the user interface: Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock