While the challenge has become multi-dimensional, the policy issues remain the same. There is a need for access controls, to ensure the right people have access to the right parts of the network and applications; for acceptable use controls, for compliance and productivity, to ensure employees are using web resources appropriately; for threat protection, to block malware, botnets, intrusions and spam from entering the network; and finally for data protection, to ensure that confidential information does not leave the organization or end up in the wrong hands, either inadvertently or with malicious intent.
Flow shown on the slide:
AnyConnect authenticates and establishes a VPN tunnel to the ASA.
ASA extracts the username from the certificate or the AAA server.
ASA forwards the username and tunneled IP address to the WSA.
WSA verifies the username and group membership against Active Directory.
WSA applies policies based on username or group membership.

Cisco's on-premises solution is focused on enabling a seamless end-to-end user experience, transparently inserting security into every transaction. The two major components are the AnyConnect Secure Mobility Client and the information exchange between the ASA (the termination point for the AnyConnect session) and the WSA (policy enforcement and web security).

AnyConnect can be configured to provide an Always-On VPN, meaning that the user must have a secure VPN connection in order to access the Internet. Always-On VPN provides the foundation for moving away from the occasionally-protected model. (The captive portal case, where the user must first log in to a hotspot at a hotel or coffee shop, is fully supported.) Rather than forcing the user to manually select a head-end, the optimal head-end is detected and AnyConnect connects securely to it. If certificates are in use, the user does not need to do anything to authenticate; the connection just happens.

The ASA head-end then communicates with the WSA, providing information on who the user is (avoiding any additional authentication step before the user can access web content) as well as the fact that the user is mobile. The WSA uses this information to apply location-aware policy: for example, enforcing acceptable use and protecting from malware in the office, but only protecting from malware while mobile.
The next attribute of the enforcement array is the ability to bring full context awareness to policy writing and enforcement. User identity and application or destination identity are the foundation of this, but we do not stop there. We also bring in location awareness, whether the user is inside or outside the network and, in the future, the geo-location of the user as well. Next is knowing the priority of the traffic, for example throttling YouTube while allowing WebEx streams and other business-critical applications without restriction. We also bring content awareness for files and other data traversing the Internet edge, to apply the right scanning policies such as DLP and malware scanning. Finally, we bring device awareness, which allows one to deploy device-specific policies.

Bringing all these policy elements together allows customers to create policies that best meet their needs, giving flexibility and greater control. Basic application control is available on the firewall as well as the Web Security Appliance. By mid-2010, we will have advanced application control features on the Web Security Appliance. Since most applications tunnel over the web, we will introduce this advanced application control, using application signatures, on the web appliance first and then extend the capability to the firewall and IPS in future releases. The application control capability will allow us to dynamically add new application types and applications, so we can respond quickly as applications become popular and customers need greater control over them.
The Cisco Secure Remote Access solution is recognized as the world's most widely deployed solution, offering the richest range of connectivity options (IPsec, SSL/TLS, DTLS, L2TP/IPsec (L2TP over IPsec) and Secure UC (Unified Communications) access) in a single, versatile appliance with a single set of access policies. Depending on your users' needs, you may choose one protocol over another, or a combination of them. This versatility also enables your business, for instance, to smoothly migrate an existing IPsec or site-to-site VPN deployment to a hybrid IPsec and SSL remote access and site-to-site solution.

Additionally, the ASA supports the requirements of your increasingly mobile workforce, as support for the latest mobile devices becomes strategic for businesses that need to let their users access critical applications and data from anywhere. Cisco provides connectivity to Apple iPhone and Windows Mobile devices.

Finally, the Cisco Secure Remote Access solution also enables your remote access deployment to grow flexibly with your business, without major service disruptions or operational hurdles. For instance, as your business requirements evolve, you may wish to add clientless access for business partners or to support business continuity planning. You might also decide to deploy Secure UC access as an additional remote access option for some of your user groups. The ASA Secure Remote Access solution is the best investment choice for your current and future remote access connectivity requirements.
Transcript: PETE DAVIS: So Kevin was talking about a converged approach where everything converges on an IOS headend. The other approach is something that we call purpose optimized, and the example here would be you utilize your site-to-site VPN and CVO talking to an IOS headend, but you also use an ASA headend to connect up those AnyConnect Secure Mobility clients to the headend connection.
Tvr Secure Mobility GTRI
Cybersecurity: Secure Mobility
Empowering a Mobile Workforce
What is Cisco's Role?
Federal Secure Mobility
The Problem
Enterprise Mobility: The power of the smart phone and our ability to securely connect to the network and information needed to perform our jobs is expanding exponentially. This is freeing our workforce from the Industrial Age model of the "desk" and allowing us to securely work from anywhere. (Rob Carey, DON CIO, Blog)

Web Application Controls: Granular Control over Application Usage
Breadth of Applications: Collaboration | Evasive | Media
Diagram labels: Access Control Policy; Access Control Violation; Soldier stateside; Instant Messaging; File Transfer over IM

Cisco Secure Remote Access: Widest Range of Connectivity Options, Powered by the Cisco ASA
SSL VPN Tunneling
DTLS Tunneling (voice/video)
Clientless VPN Access
IPsec VPN Tunneling
Mobile Access

AnyConnect 2.4: Windows XP, Vista, 7 & Mac OS X
Trusted Network Detection: In Office / Out of Office
Persistent Security and Policy Enforcement: Choice of Form Factor, Cloud or On-Premise
Anywhere+ (Transitioning to AnyConnect)
Information Sharing Between ASA and WSA
Diagram labels: AnyConnect; ASA; Cisco Web Security Appliance; Corporate AD; destinations: News, Email, Social Networking, Enterprise SaaS

Cisco AnyConnect Secure Mobility: ASA–WSA Communication
Across SSL Connection, ASA to WSA: User Identity & Tunneled IP
AnyConnect Authenticates and Establishes a VPN Tunnel to the ASA
ASA Extracts Username from Certificate or AAA Server
ASA Forwards Username and Tunneled IP Address to the WSA
WSA Verifies Username and Group Membership against Active Directory
WSA Applies Policies based on Username or Group Membership
Diagram labels: User Authenticates; VPN Tunnel Established; Adaptive Security Appliance (VPN Tunnel Authentication); Web Security Appliance (User & Group Authorization); Active Directory (LDAP, NTLMSSP, Basic); destinations: News, Email, facebook.com
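The ASA-to-WSA identity hand-off shown on this slide, together with the location-aware policy split described in the speaker notes (acceptable use plus malware protection in the office, malware protection only while mobile) and the user/group/location context elements from the notes, is modelled below as an added example. It is illustrative code written for this page, not Cisco's ASA or WSA implementation: the address pool, LAN range, users, groups, URL categories and policy table are all constructed assumptions. The one thing it shows that the slide does not is why the ASA must also tell the WSA when a tunnel goes down: without removing the tunneled-IP-to-user mapping, the next AnyConnect client handed the same pool address would inherit the previous user's identity and policy.

```python
"""Added example: a toy model of the AnyConnect/ASA/WSA identity hand-off and
location-aware web policy.  All names, ranges and tables are constructed for
illustration; this is not Cisco's code."""
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.200.0.0/24")        # assumed AnyConnect address pool on the ASA
CORPORATE_LAN = ip_network("192.168.1.0/24")  # assumed on-premise client range

# Constructed stand-in for Active Directory: username -> group memberships.
AD_GROUPS = {
    "jdoe": {"Engineering", "VPN-Users"},
    "asmith": {"Marketing", "VPN-Users"},
}

# Constructed stand-in for the WSA's URL category lookup.
CATEGORIES = {
    "facebook.com": "social_networking",
    "webex.com": "collaboration",
    "news.example": "news",
    "evil.example": "malware",
}

# Acceptable-use rules: blocked category -> groups exempt from the block.
ACCEPTABLE_USE_BLOCK = {"social_networking": {"Marketing"}}


class WSAPolicyEngine:
    """Holds identities learned from the ASA (tunneled IP -> user) and from
    on-premise authentication, then evaluates requests by user, group and location."""

    def __init__(self):
        self.tunnel_identity = {}  # tunneled IP -> username, pushed by the ASA
        self.lan_identity = {}     # LAN IP -> username, learned via NTLM/Basic auth

    def asa_tunnel_up(self, tunneled_ip, username):
        """Step 3 of the slide: ASA forwards username and tunneled IP to the WSA."""
        self.tunnel_identity[ip_address(tunneled_ip)] = username

    def asa_tunnel_down(self, tunneled_ip):
        """Teardown notification.  Without it a later client reusing this pool
        address would inherit the previous user's identity and policy."""
        self.tunnel_identity.pop(ip_address(tunneled_ip), None)

    def lan_authenticated(self, client_ip, username):
        """Identity learned for an on-premise client via the WSA's own authentication."""
        self.lan_identity[ip_address(client_ip)] = username

    def identify(self, client_ip):
        """Return (username or None, location).  Location is derived from the
        source address: VPN pool means mobile, corporate LAN means office."""
        ip = ip_address(client_ip)
        if ip in VPN_POOL:
            return self.tunnel_identity.get(ip), "mobile"
        if ip in CORPORATE_LAN:
            return self.lan_identity.get(ip), "office"
        return None, "unknown"

    def decide(self, client_ip, host):
        """Policy decision for one request: authenticate, allow or block."""
        username, location = self.identify(client_ip)
        if username is None:
            # No identity from the ASA or prior auth: fall back to authenticating the user.
            return {"action": "authenticate", "user": None, "location": location}
        groups = AD_GROUPS.get(username, set())  # step 4: user/group lookup against AD
        category = CATEGORIES.get(host, "uncategorized")
        result = {"action": "allow", "user": username, "location": location, "category": category}
        # Threat protection applies in every location.
        if category == "malware":
            result["action"], result["reason"] = "block", "malware"
            return result
        # Acceptable-use enforcement applies only on the corporate network,
        # and group membership can exempt a user from a category block.
        if location == "office" and category in ACCEPTABLE_USE_BLOCK:
            if not (groups & ACCEPTABLE_USE_BLOCK[category]):
                result["action"], result["reason"] = "block", "acceptable_use"
        return result


if __name__ == "__main__":
    wsa = WSAPolicyEngine()
    wsa.asa_tunnel_up("10.200.0.5", "jdoe")
    print(wsa.decide("10.200.0.5", "facebook.com"))   # mobile: allowed, malware scan only
    wsa.lan_authenticated("192.168.1.20", "jdoe")
    print(wsa.decide("192.168.1.20", "facebook.com"))  # office: blocked by acceptable use
```

The same engineering-group user is allowed to reach facebook.com while mobile but blocked in the office, which is exactly the location-aware split the notes describe; a marketing-group user is exempt in both places, and a malware-categorised host is blocked everywhere.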
Secure Mobility: WSA Remote/Mobile User Reports

Cisco Secure Connectivity Solution: Optimized for Security and Policy Enforcement
Extend Trusted Network to Home and Branch Offices with CVO and ISR (CVO = Cisco Virtual Office)
Purpose-Optimized Head Ends: ASA and IOS VPN
Diagram labels: Mobile User with AnyConnect Secure Mobility Client (Cellular, Wi-Fi, Wired) and CVO/ISR, over the Public Internet, to the ASA and IOS VPN head ends in the Corporate Network (Applications and Data)
Case Study – Secure Remote Access: US Government Customer<ul><li>Customer Problem – Customer is a service provider and required a VPN architecture that offered multiple options for their customers