Cybersecurity: <br />Secure Mobility<br />
Empowering a Mobile Workforce<br />Whatis Cisco’s Role?<br />
Federal Secure Mobility<br /><ul><li>The Problem
Enterprise Mobility: The power of the smart phone and our ability to securely connect to the network and information neede...
Continuity of Operations across the Navy
Pandemic / Humanitarian Relief Efforts
Productivity (work anywhere, anytime securely)
Across branches and coalitions
Sharepoint, OWA, citrix services back to cloud
Any device
Increased threat via the web
Upcoming SlideShare
Loading in …5

Tvr secure mobilitygtri


Published on

Cisco Security

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • While the challenge has become multi-dimensional, the policy issues remain the same:There is a need to apply access controls to ensure the right people have access to the right parts of the network and applications.Acceptable Use controls for compliance and productivity, to ensure employees are using the web resources appropriately. Threat Protection to block all the bad stuff like malware, botnets, intrusions and spam from coming into the network.And finally data protection to ensure that confidential information is not getting out into the open or into wrong hands, either inadvertently or with a malicious intent.
  • AnyConnect Authenticates and Establishes a VPN Tunnel to the ASAASA Extracts Username from Certificate or AAA ServerASA Forwards Username and Tunneled IP Address to the WSAWSA Verifies Username and Group Membership against Active DirectoryWSA Applies Policies based on Username or Group MembershipCisco’s on-premise solution is focused on enabling a seamless end-to-end user experience…transparently inserting security into every transaction. The two major components of this are the AnyConnect Secure Mobility Client and information exchange between the ASA (termination point for AnyConnect session) and WSA (policy enforcement &amp; Web security).AnyConnect can be configured to provide an Always-On VPN, meaning that the user must have a secure VPN connection in order to access the Internet. Always-On VPN provides the foundation for changing from the occasionally-protected model (The “captive portal” case—providing access to login to a hotspot at a hotel or coffee shop—is fully supported. ) Rather than forcing the user to manually select the head-end, the optimal headend is detected and AnyConnect connects securely to it. If certificates are in use, then the user doesn’t even need to do anything to authenticate…the connection just happens.The ASA head-end then communicates to the WSA, providing information on who the user is (avoiding any additional authentication step for the user to access their web content) as well as the fact that they’re mobile. The WSA uses this information to apply location-aware policy—maybe both enforcing acceptable use and protecting from malware in the office, but just protecting from malware while mobile.
  • The next attribute of the enforcement array is the ability to bring full context awareness for policy writing and enforcement. User identity and application or destination identity are the foundation of this but we don’t stop here. We also bring in location awareness – whether the user is in the network or outside the network and in the future the geo-location of the user as well. Next is knowing the priority of the traffic – things like throttling YouTube but allowing WebEx streams and other business critical applications without any restrictions. We also bring content awareness for files and other data traversing the internet edge to apply the right scanning policies, like DLP, malware scanning etc. Finally we also bring device awareness which allows one to deploy devise specific policies.Bringing all these policy elements together allows customers to create policies that best meet their needs, giving flexibility and greater control. Basic Application Control is available on the Firewall as well as the Web Security Appliance. By mid-2010, we will have advanced application control features on the Web Security Appliance. Since most of the applications tunnel over the Web, we will introduce this advanced application control using application signatures on the Web appliance first and then extend this capability on the Firewall and IPS in future releases. The application control capability will allow us to dynamically add new application types and applications allowing us to quickly respond to market demands as applications get popular and customer need greater control over these.
  • The Cisco Secure remote access solution is recognized as the world’s widest-deployed solution, offering the richest range of connectivity options (IPsec, SSL/TLS, DTLS, L2TP/IPsec (L2TP over IPsec) and Secure UC (Unified Communications) access) in a single, versatile appliance, with a single set of access policies.Depending on your user needs, you may choose to leverage one protocol versus the other, or a combination of them. This versatility also enables your business to, for instance, smoothly migrate any existing IPsec or site to site VPN deployments to an hybrid IPsec and SSL remote access and site to site solution.Additionally the ASA also support the requirements of your increasingly mobile workforce as support for the latest powerful mobile devices becomes strategic for business needing to enable their users to access critical applications and data from anywhere. Cisco provides connectivity to Apple iPhone &amp; Windows Mobile devices.Finally, the Cisco Secure Remote Access solution also enables your remote access deployment to flexibly grow with your business, without major service disruptions or operational hurdles. For instance, as your business requirements evolve, you may wish to add clientless access for business partners or to support business continuity planning, You might also decide to deploy secure UC access as an additional remote access option for some of your user groups. The ASA Secure Remote Access Solution is the best investment choice for your current and future remote access connectivity requirement.
  • Transcript:PETE DAVIS: So Kevin was talking about a converged approach where everything converges on an IOS headend . The other approach is something that we call purpose optimized and the example here would be you utilize your site-to-site VPN and CVO talking to an IOS headend , but you also use an ASA headend to connect up those AnyConnect secure mobility clients to the headend connection.
  • Tvr secure mobilitygtri

    1. 1. Cybersecurity: <br />Secure Mobility<br />
    2. 2. Empowering a Mobile Workforce<br />Whatis Cisco’s Role?<br />
    3. 3. Federal Secure Mobility<br /><ul><li>The Problem
    4. 4. Enterprise Mobility: The power of the smart phone and our ability to securely connect to the network and information needed to perform our jobs is expanding exponentially. This is freeing our workforce from the Industrial Age model of the "desk" and allowing us to securely work from anywhere. (Rob Carey, DON CIO, Blog)
    5. 5. Continuity of Operations across the Navy
    6. 6. Pandemic / Humanitarian Relief Efforts
    7. 7. Productivity (work anywhere, anytime securely)
    8. 8. Across branches and coalitions
    9. 9. Sharepoint, OWA, citrix services back to cloud
    10. 10. Any device
    11. 11. Compliance
    12. 12. Increased threat via the web
    13. 13. Access to DoD resources from non-DoD systems
    14. 14. The Solution – Cisco Secure Mobility</li></li></ul><li>More Complex, But Same Policy Concerns<br />Acceptable Use Control<br />Spam<br />Access Control<br />Threat Protection<br />Policy<br />Malware Infections<br />Data-Loss Prevention<br />Intrusions<br />
    15. 15. Traditional Remote Access VPN<br />Limited<br />Predominantly PC-based <br />Client Support<br />Manual<br />Numerous “clicks”<br />Non-persistent Connection<br />No Security or Visibility<br />Security<br />Rarely-On<br />Only connected if / when<br />absolutely necessary<br />Intranet<br />Corporate File Sharing<br />
    16. 16. Traditional Mobile Web Security<br />Limited Clients<br />Predominantly PC-based <br />Client Support<br /><br />Limited Security<br />URL-filtering client unable <br />to address key use cases<br />Data Loss Prevention<br />Acceptable Use<br />Threat Prevention<br />Access Control<br />No Access<br />Access<br />No Access<br />Not integrated, requires<br />separate VPN client<br />Intranet<br />Corporate File Sharing<br />–<br />–<br />
    17. 17. Cisco AnyConnect Secure Mobility Web Security with Next Generation Remote Access<br />Choice<br />Diverse EndpointSupport for Greater Flexibility<br /><br /><br /><br /><br />Security<br />Rich, Granular SecurityIntegrated Into the network<br />Acceptable Use<br />Data Loss Prevention<br />Threat Prevention<br />Access Control<br />Experience<br />Always-on IntelligentConnection for SeamlessExperience andPerformance<br />Access Granted<br />Intranet<br />Corporate File Sharing<br />
    18. 18. Cisco AnyConnect Secure MobilityA Next Generation Solution<br />Combined Solution<br />End-to-End Seamless Security<br />3<br />1<br />2<br />Web Security Appliance Richer Web Controls<br />AnyConnectSecure Mobility Client<br />Information Sharing Between Cisco ASA and Cisco WSA<br /><ul><li>Simplified remote access
    19. 19. Connection and app persistence
    20. 20. Always-on VPN enforcement
    21. 21. Enhanced device support
    22. 22. Remote-specific policy
    23. 23. Application controls
    24. 24. SaaS Access Control
    25. 25. Multi-Layer Threat Defense</li></ul>News<br />Email<br />AnyConnect<br />ASA<br />Cisco Web Security Appliance <br />Corporate AD<br />Social Networking<br />Enterprise SaaS<br />
    26. 26. Full Context Awareness<br />Application<br />Identity<br />Job Sites<br />Human Resource<br />Instant Message<br />No FileTransfer <br />Streaming <br />Media<br />100 kbps/User<br />Device<br />Location<br />P2P<br />All<br />Priority<br />Object<br />
    27. 27. Web Application Controls<br />Granular Control over Application Usage<br />Access Control Policy<br />Access Control Violation<br />Breadth of Applications: Collaboration | Evasive | Media <br />Soldier stateside<br />File Transfer over IM<br />Instant Messaging<br />
    28. 28. Cisco Secure Remote Access Widest Range of Connectivity Options<br />SSL VPN<br />Tunneling<br />DTLS (voice/video)<br />Tunneling<br />Clientless<br />VPN Access<br />IPsec VPN<br />Tunneling<br />Mobile Access<br />Powered by the Cisco ASA<br />
    29. 29. Cisco AnyConnect VPN ClientSecure Network Access<br />Cisco® ASA 8.2<br />Cisco AnyConnect Essentials<br /><ul><li>Automatically downloadable
    30. 30. Access to almost any application or resource
    31. 31. Automatic updates
    32. 32. Robust, easy connections
    33. 33. Optimized for mobile users
    34. 34. IPv4 and IPv6 network access
    35. 35. Voice friendly (DTLS)</li></ul>Cisco AnyConnect Premium<br /> Enhances AnyConnect Essentials features<br /><ul><li>Clientless SSL support
    36. 36. Cisco Secure Desktop Vault for secure access from unmanaged endpoints
    37. 37. Cisco Secure Desktop Host Scan for pre-connect posture checks</li></ul>12<br />
    38. 38. Net<br />Net<br />Comprehensive ConnectivityShared and Flex Licensing<br />Shared and flexible licensing moves VPN connectivity to “management friendly” <br />Shared Licensing<br />Flex Licensing<br />Shared License Server<br />Clients<br />Atlanta<br />Dallas<br />Anticipate business continuityrequirements with licensed session-count increases <br />Dynamically share sessions across Cisco® ASA appliances and geography<br />
    39. 39. Cisco ASA Phone Proxy Remote Access and Voice/Data Segmentation<br />Trusted (Un-secured)<br />Un-trusted<br />Unencrypted/encrypted<br />Encrypted (TLS/SRTP)<br />Cisco IP phone (remote)<br />Internet<br />Cisco IP Phone<br />Secure Remote Access: <br /><ul><li>Leverage native Cisco IP Phone encryption (TLS/SRTP) to enable secure calls from IP Phones on untrusted, remote networks
    40. 40. Seamless deployment and operation with minimal impact on existing UC infrastructure
    41. 41. Simplified user experience – Plug and play
    42. 42. A Remote Access UC Solution for UC devices</li></li></ul><li>Trusted Network Detection (TND)Intelligent Mobility<br /><ul><li>Automatically connects or disconnects under the following conditions:
    43. 43. In Office
    44. 44. Out of Office
    45. 45. Location determination made by Default Domain Name or DNS server IP
    46. 46. Other checks likely in future
    47. 47. Certificate authentication for seamless reconnection
    48. 48. Administratively controlled policy
    49. 49. Windows XP, Vista, 7 & Mac OS X</li></ul>Trusted Network Detection<br />In Office<br />Out of Office<br />AnyConnect 2.4<br />
    50. 50. Persistent Security and Policy EnforcementChoice of Form Factor: Cloud or On-Premise<br />Anywhere+<br />(Transitioning to AnyConnect)<br />News<br />Email<br />Information Sharing Between ASA and WSA<br />ASA<br />AnyConnect<br />Cisco Web Security Appliance <br />Social Networking<br />Enterprise SaaS<br />Corporate AD<br />
    51. 51. Across SSL Connection<br />ASA WSA<br />AnyConnect Authenticates and Establishes a VPN Tunnel to the ASA<br />ASA Extracts Username from Certificate or AAA Server<br />ASA Forwards Username and Tunneled IP Address to the WSA<br />WSA Verifies Username and Group Membership against Active Directory<br />WSA Applies Policies based on Username or Group Membership<br />Cisco AnyConnect Secure MobilityASA–WSA Communication<br />User Identity & Tunneled IP<br />News<br />Email<br /><br />User Authenticates<br />VPN Tunnel <br />Established<br />Adaptive Security Appliance<br />Web Security Appliance<br />VPN Tunnel<br />Authentication<br />User & Group<br />Authorization<br />Active Directory LDAP, NTLMSSP, Basic<br />
    52. 52. Secure MobilityWSA Remote/Mobile User Reports<br />
    53. 53. Remote Access Specific<br />URL Categories<br />Secure MobilityWSA Remote/Mobile User Reports<br />
    54. 54. Remote Access Specific<br />URL Categories<br />Blocked URL Categories<br />Secure MobilityWSA Remote/Mobile User Reports<br />
    55. 55. Remote Access Specific<br />URL Categories<br />Blocked URL Categories<br />Bandwidth Savings<br />Secure MobilityWSA Remote/Mobile User Reports<br />
    56. 56. Remote Access Specific<br />Top Threat Types<br />Secure MobilityWSA Remote/Mobile User Reports<br />
    57. 57. Remote Access Specific<br />Top Threat Types<br />Top Application Types<br />Secure MobilityWSA Remote/Mobile User Reports<br />
    58. 58. MobileUser<br />Extend Trusted Network to Home and Branch Offices with CVO and ISR<br />AnyConnect<br />Secure Mobility Client<br />AnyConnect<br />Cellular<br />CVO/ISR<br />Public Internet<br />Wi-Fi<br />Wired<br />Purpose-Optimized Head Ends: ASA and IOS VPN<br />Corporate<br />Network<br />ASA<br />IOS VPN<br />CVO = Cisco Virtual Office<br />Applications<br /> and Data<br />Cisco Secure Connectivity SolutionOptimized for Security and Policy Enforcement<br />
    59. 59. Case Study – Secure Remote AccessUS Government Customer<br /><ul><li>Customer Problem – Customer is a service provider and required a VPN architecture that offered multiple options for their customers
    60. 60. Site-to-Site for branch office connections
    61. 61. Traditional IPSec VPN for managed devices
    62. 62. SSL VPN for unmanaged assets (home PC’s, etc)
    63. 63. Required single management option for all solutions – one vendor solution preferred
    64. 64. Cisco Solution – Secure Remote Access
    65. 65. Utilize Cisco routers for Dynamic Site-to-Site secure connectivity
    66. 66. Cisco Adaptive Security Devices for both Client based and Clientless access
    67. 67. Secure Access to resources from unmanaged assets (home PC’s, SmartPhones)
    68. 68. Built in Policy checks prior to access (Cisco NAC, ASA Hostchecker, Secure Vault)
    69. 69. Cisco Security Manager serves as single console for all options
    70. 70. Cisco Benefits
    71. 71. Customer is replacing competitor as the standard for all VPN requirements
    72. 72. Cisco NAC and Profiler solutions being considered for future use
    73. 73. With successful deployment we are viewed as a trusted partner for additional requirements (Identity and potential replacement of all Foundry)
    74. 74. Estimated Revenue ($1.5M initial and will continue to grow each year</li></li></ul><li>