Ise 1 2-bdm-v4

C97-726694-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
End-User Behaviors IT Trends
• Over 15 billion devices by
2015, with average worker
with 3 devices
• New workspace:
anywhere, anytime
• 71% of Gen Y workforce
do not obey policies
• 60% will download
sensitive data on a
personal device
• Must control the multiple
devices and guests
• Security: Top concern for
BYOD
• Mobile malware has
doubled (from 2010 to
2011)
• IT consumed with network
fragmentation
Reduce
Security Risk
Improve End-User
Productivity
Increase Operation
Efficiency

Comprehensive Secure Access
More Productive
Workers and End Users
Lower Operating Costs

Retail Healthcare Education
Financial Manufacturing Government
BYOD Guest Access Secure Access

Who What Where When How
Virtual machine client, IP device, guest, employee, and remote user
Cisco® ISE
Wired Wireless VPN
Business-Relevant
Policies
Replaces AAA and RADIUS, NAC, guest management, and device identity servers
Security Policy Attributes
Identity
Context

BYOD
Users get safely on the
Internet fast and easy
Guest Access
It is easy to provide
guests limited-time and
limited- resource access
Secure Access on
Wired and Wireless
Network and VPN
Control with one policy across
wired, wireless, and remote
infrastructure
Cisco TrustSec®
Network Policy
Rules written in business
terms control access

Get users on the net in minutes,
not hours
Simple self-service portal for any user
to get quickly on the net without help
or hassle
Reduce burden on IT and
help desk staff
Reliable automation reduces
user problems to near zero so…
Immediate secure access
Rigorous identity and
access policy enforcement

Near-zero IT and help desk burden
• Employee hosted
• Full guest lifecycle
Accommodate and control
• Limited to Internet
• Time sensitive
Streamlined system
• Integrated into the all-in-one enterprise
policy control—Cisco® ISE console

Automated onboarding and device security
Policy-governed unified access
Enforcement embedded in the intelligent
network
Dependable anywhere access
Increase IT Productivity
Wired RemoteWireless

Distributed Enforcement Throughout Network
Switch Router DC Firewall DC Switch
Distributed Enforcement Throughout Network
Network
Context Classification
Security Group TagTag

Main Features and Benefits
Comprehensive
Secure Access
Operation
Efficiency
More
Productivity
Device Profiling and Posture
Contextual Identity (Intelligent Identity)
Policy Management
Network Enforcement and Control Point
Device Profiling and Posture

Initial Posture Validation
MS Patches
Av and AS Installation
Application and Process
Running State
MDM Integration
Corporate and Personal Device Posture Check and MDM Remediation
New
Feature
MDM Policy Check
Device registration status
Device compliance status
Disk encryption status
Pin lock status
Jailbreak status
Manufacturer
Model
IMEI
Serial number
OS version
Phone number

Cisco Device Sensor
Device Sensor
(Network Based)
Active
Endpoint
Scanning
Device Feed*
Cisco ISE
Active scanning:
Enhanced accuracy
Integrated profiling:
Visibility in scale
Device feed —
identity in scale
Cisco® ISE augments passive network
insight with active endpoint data
Network infrastructure provides local
sensing function
Manufacturers and ecosystem provide
constant updates to new devices
* Scheduled for Spring 2013
New
Feature

Identity (IEEE 802.1X)-Enabled Network
CONTEXT
IDENTITY
Vicky Sanchez
Frank LeeSecurity Camera Gateway
Francois Didier
Personal iPad
Employee, Marketing
Wireline
3 p.m.
Guest
Wireless
9 a.m.
Agentless Asset
Chicago Branch
Consultant
HQ - Strategy
Remote Access
6 p.m.
Employee Owned
Wireless HQ
Guest access
Profiling
Posture
IEEE 802.1X
MAB
WebAuth Cisco Switches, Routers, and Wireless Access Points

Centralized management
Across wired and wireless
network and VPN
Simplified troubleshooting
Operation Efficiency

Policy-Based
Access Control
Scalable Enforcement
VLANs
Access Control Lists
*
Device Sensing
Identity and
Context-Aware
Network
Remote VPN
User
Wireless
User
Wired User Devices Virtual Desktop
Data Center Intranet Internet Security Zones
Increased Operation Efficiency

NY VPN UK CA
DC-MTV (SRV1)
DC-MTV (SAP1)
DC-RTP (SCM2)
DC-RTP (ESXix)
Security Group
Filtering
Cisco
Distinction
Employee Firewall Rules = 10 Production Server Rules = 50
• Customer managed > 500,000 firewall rules with 24 people
• Cisco TrustSec® and Cisco® ASA reduced that to 6 people

More Productivity
Trusted
Wi-Fi
Onboarding
 Authenticate user
 Fingerprint device
 Apply corporate configuration
 Enterprise applications
 Automatic policies
Secure and customizable
captive portal
Self-registration for any device
Remediate actions

“Instrumental in giving
us visibility to enforce access
policy, perform remediation,
and improve compliance level”
“Now students and faculty can
collaborate with ease, working
anywhere, anytime on campus”
Positioned as leader in Gartner NAC
Magic Quadrant
December 2012
“Cisco TrustSec and Cisco ISE are
consistent with our view of identity-
centric end-to-end security that is both
needed and lacking in the enterprise
today.”
Forrester 2011

Source: Gartner NAC Magic Quadrant 2012
Gartner: "Magic Quadrant for Network Access Control," by Lawrence Orans and John Pescatore, December 8, 2011

• Required enhanced global
security for security-conscious
company; customer service
offering.
• Used Cisco® ISE to manage
multiple systems and devices,
segmenting infrastructure
• Profiling services for business
units, individuals, contractors,
and complete guest lifecycle
wired or wireless.
• Always-on secure remote
access with Cisco AnyConnect®
Challenge Solution
”Cisco ISE provides a best-in-class access control solution
for Diebold, enabling unmatched granularity and insight
about our users,”
—David Kennedy, Vice President, Former CSO, Diebold

Winning combination of network
and device intelligence to help
ensure the most comprehensive
secure unified access
Most extensive and efficient
enforcement to achieve
exceptional operation efficiency

An Architectural Approach For…
Professional and Technical Services, Compliance, and Cisco® Validated Designs
Context-Based Policy and Management
Cloud-Based Intelligence
Cloud
Securing the Transition to
Virtualization and Cloud
Collaboration
10110100
Securing Applications,
Content, and Traffic
BYOD
Secure Access for the
Distributed Workforce
SwitchesAppliances WirelessVirtual RoutersPrivate Cloud
Email Firewall WebVPNPolicy IPS
Network-Enforced Policy

Cisco Prime™
Cisco® ISE
Third-Party
MDM Appliance
MDM Manager
Cisco
WLAN
Controller
Cisco ASA
Firewall and IPS
Cisco CSM
and ASDM
Cisco Web
Security
Wired
Network
Devices
Cisco
Catalyst®
Switches
Cisco AnyConnect®
Cisco AnyConnect Cisco AnyConnect
Office Wired Access Office Wireless Access Remote Access

Identity and Device Context
Cisco ISE
Virtual machine client, IP device, guest, employee, and
remote user
Wired Wireless VPN
Business-Relevant
Policies
Policy Management
Increases Operational
Efficiency
Onboarding &
Remediation
Increases Productivity and
Improves User Experience
Device Profiling &
Posture
Provides Comprehensive
Secure Access
Intelligent Identity
Ensures Consistent Policies
Network Enforcement
Decreases Operational Costs
• Consistent source of
identity
• Endpoint device-type
awareness
• Posture, access level,
network location context
• Enable ecosystem partner
platform to share context
for use in ISE network
policy
• Enable ecosystem partner
to take network actions
via ISE
Benefits
• Allows deeper network
and security insight
• Allows more detailed
control over BYOD and
sensitive users and
groups
• Helps clarify which
network and security
events are important
and helps make them
actionable
• Unifies policy silos
Cisco® ISE
Context Sharing
IT Infrastructure
Network
Management
Network
Control
Cisco Network

Security Information and Event Management (SIEM) and Threat Defense
Mobile Device Management
Prioritize Events, User/Device-Aware Analytics, Expedite Resolution
• ISE provides user and device context to SIEM and Threat Defense partners
• Partners utilize context to identify users, devices, posture, location and
network privilege level associated with SIEM/TD security events
• Partners may take network action on users/devices via ISE
Ensure Device Enrollment and Security Compliance
• ISE serves as policy gateway for mobile device network access
• MDM provides ISE mobile device security compliance context
• ISE assigns network access privilege based on compliance context

More Productive
Workers and End Users

Location-based
personalized
promotions
Better patient care
with tablet-based
medical data
Variety of learning
options for online and
onsite student
experience
Retail EducationHealthcare

Efficiency Time Money= or

NCS
Prime
ISE
Cisco
WLAN
Controller
Wired
Network
Devices
Cisco
Catalyst
Switches
3rd Party
MDM
Appliance
MDM
Manager
IronPort WSA
Dependable anywhere
access
Enforcement embedded in
the network
Automated onboarding
and device security

Internet
Services 1Campus Cloud
Data Center
Policy
Services 2
POLICYPOLICYPOLICYPolicy
SGT
Inter
net
Open
Net
Serv
Net
Data
Center
Restr
ict
DC
Exec, IT
Laptop
Wired
Net
Permit Permit Permit Permit Permit
All,
iPad
Internal
Permit Permit Permit Deny Deny
Exec,
iPad
VPN
Permit Permit Permit Permit Deny
Guest
Any
Permit Deny Deny Deny Deny
John
IT Administrator
Restricted
Data
Center
John updates Cisco® ISE for
BYOD and guest access
policies, which are pushed to
the network.
IT
Confidential. Product is planned, features are not committed.

Internet
Data Center
Services 2
Wired
Restricted
Data
Center
John
IT Administrator
Brice logs onto wired
network on IT-issued laptop.
Cisco® ISE authenticates,
identifies context, and applies
wired execution policy.
Wired
Brice
CFO

Internet
Data Center
Device
Identity
AAADID
Wireless
Restricted
Data
Center
John
IT Administrator
• Brice connects his new iPad to
the WLAN and logs on.
• While Cisco® ISE performs
AAA check of his ID, Cisco ISE
Profiler identifies his device.
Onboarding
Wired
Brice
CFO
Services 2

Internet
Data Center
Wired
Wireless
?
R DIR
REG
John
IT Administrator
• Cisco® ISE authenticates Brice,
but does not recognize the iPad.
• Cisco ISE redirects Brice to the
onboarding portal to register
his iPad.
Onboarding
Services 2
Restricted
Data
Center
Brice
CFO

Internet
Data Center
Services 2
Wired
Wireless
Policy
Policy
Restricted
Data
Center
John
IT Administrator
• Cisco® ISE forms a contextual
identity: Brice + iPad + location.
• Cisco ISE assigns a policy
based on the context and
grants it role-based access.
Onboarding
Contextual
Identity
Brice
CFO

Internet
Data Center
Services 2
Wired
VPN
Wireless
Restricted
Data
Center
John
IT Administrator
• Brice uses the same iPad from
a hotel room. Cisco® ISE
recognizes the context change
and applies execution VPN
policy..
VPN
Brice
CFO

Internet
Data Center
Services 2
Wired
VPN
Wireless
John
IT Administrator
Restricted
Data
Center
• Sarah receives password through text
message. She selects GuestWiFi, and
Cisco ISE directs her to the guest portal
to register and obtain Internet access.
• Brice enters Cisco® ISE guest
hotspot portal and sponsors
Sarah for 1-day access.
Sponsor
Guest
Brice
CFO
Sarah
Vendor

Internet
Data Center
Wired
Wireless
BYOD
Guest
Policy Management
Restricted
Data
Center
John
IT Administrator
Brice
CFO
Sarah
Vendor
VPN
Services 2

Comprehensive Wired, Wireless,
and VPNSecureAccess
More Productive Workers Lower Operating Costs
Rigorous Identity Enforcement
Extensive Policy Enforcement
Security Compliance
Automated Onboarding
Automated Device Security
Dependable-Anywhere
Access
Operation Efficiency
Use Cisco® Infrastructure
Next-Generation Policy
Networking
Control
devices
everywhere
Control
Precisely
Who & what
Is allowed
Maintain &
validate
compliance
Secure every
device
Get quick
access with
little IT
intervention
Provide
consistent
service
Get the most
from
investments
Save time
End VLAN,
ALC & FW
Rule pain
ISE
That’s it.

Limited AdvancedEnhancedBasic
Environment requires tight
controls
Company-only device
• Manufacturing
environment
• Trading floor
• Classified government
networks
• Traditional enterprise
Focus on basic services
and easy access for almost
anybody
Broader device types but
Internet only
• Education environments
• Public institutions
• Simple guests
Enable differentiated
services and onboarding
with security both onsite
and offsite
Multiple device types plus
access methods
• Healthcare
• Early BYOD adopters
• Contractor enablement
Company-native
applications, new services,
and full control
Multiple device types,
company issued
• Innovative enterprises
• Retail on demand
• Mobile sales services
(video, collaboration, etc.)

Wireless Upgrade License (ATP)
Extend Policy for Wired and VPN Endpoints
Platforms
Small: Cisco® ISE 3315 and 3415* | Medium-Sized: Cisco ISE 3355
Large: Cisco ISE 3395 and 3495* | Virtual Appliance * New
Wireless License
Policy for Wireless Endpoints: 5-Year Term Licensing
• Authentication and authorization
• Guest provisioning
• Link-encryption policies
• Device profiling
• Host posture
• Security group access
Base License (ATP)
Policy for Wired, Wireless, and VPN Endpoints
Advanced License (ATP)
Policy for Wired, Wireless, and VPN Endpoints
Perpetual Licensing 3- or 5-Year Term Licensing
+

Internet
AP Third-
Party
Controller
Layer 3
Switch
Policy ServicesCisco ISE Inline
Posture Node
Layer 3
Switch
Wireless
User
VPN
User
VPN
Wireless Wired
Wired
eth1 eth0
eth1 eth0
VPN Infra
Trusted
Network
Cisco ISE Inline
Posture Node
Entry Point for Third Party Wireless Infra
• RADIUS authorization for
Cisco ASA
• Authorization and posture
for Inline posture node
Policy Services
• IEEE 802.1X
authorization for WLC
• Authorization and posture
for Inline posture node
Cisco®
ASA

Ise 1 2-bdm-v4

More Related Content

What's hot

Similar to Ise 1 2-bdm-v4

Recently uploaded

Ise 1 2-bdm-v4