SECURE NETWORK ACCESS
The Security Problem
Changing Business Models
©2014 Cisco and/or its affiliates. All rights reserved.
Dynamic Threat Landscape
Complexity & Fragmentation
Cisco Confidential
Mobility is a Ripple, IoT is a Tidal Wave
Growing Need for Secure Access due to Larger Attack Surface Area
2003: Gen 1, Managed Endpoints (IT Procured and Managed)
2007: Guest Access (Simple Guest Access)
2012: Enterprise Mobility (Procured & BYOD Mobile Device Use)
2015+: Internet of Everything (Explosion of Network Enabled Devices)
1 Ponemon Research, http://www.ponemon.org/news-2/48
#1 in Market, 6500+ Customers, 80% F25 / 50% F500, Leader NAC MQ
Cisco Identity Services Engine (ISE): Secure Unified Access
Identity Context (Who, What, Where, When, How)
Policy Management: Increases Operational Efficiency
Onboarding & Remediation: Increases Productivity and Improves User Experience
Cisco® ISE Device Profiling & Posture
Business-Relevant Policies: Provides Comprehensive Secure Access
Intelligent Identity across Wired, Wireless and VPN: Ensures Consistent Policies
Network Enforcement: Decreases Operational Costs
Covers virtual machine clients, IP devices, guests, employees, and remote users. Replaces AAA and RADIUS, NAC, guest management, and device identity servers.
Cisco ISE is Core to the Cisco Security Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Technologies across the continuum: Firewall, VPN, NGIPS, NGFW, UTM, Web + Email Security, Identity Services + NAC, Advanced Malware Protection, Network Behavior Analysis, pxGrid + TrustSec
ISE Provides Visibility, Context, and Control Across the Entire Continuum
How Cisco ISE is Used Today
BYOD: Manage risk by providing different levels of access for mobile devices
Guest Access: It is easy to provide guests limited-time and limited-resource access
Secure Access on Wired and Wireless Network and VPN: Control with one policy across wired, wireless, and remote infrastructure
Cisco TrustSec® Network Policy: Rules written in business terms control access
BYOD Automated Self-Service Portal
• Get Users on the Net in Minutes, Not Hours: Simple self-service portal for any user to get quickly on the net without help or hassle
• Reduce Burden on IT and Help Desk Staff: Reliable automation reduces user problems to near zero so…
• Immediate Secure Access: Rigorous identity and access policy enforcement
Key Capability: Motivated MDM Partners Unify Endpoint and Network Policies
1. BUY NEW DEVICE
2. ONBOARD AND REGISTER
3. CHOOSE PRIVILEGES: Guest or Business
Increased productivity through user self-provisioning
Assured security posture with MDM integration (NEW)
• Automates MDM registration
• Zero-touch IT support
• Quarantines non-compliant devices
• Rapid user on-boarding
• Users can elect to not register and be allowed guest services
Simplifying BYOD Onboarding (ISE 1.3)
Improved Device Recognition: Reduce Unknown Devices by 74%
Branded Experiences: Out-of-the-Box On-Boarding User Experience
Personalized Device Portal: Mobile- and Desktop-Ready
Internal Certificate Authority (ISE 1.3)
Simplifying Certificate Management for BYOD Devices
Native Certificate Authority
No additional burden to PKI
Simplified Device Onboarding
Simplified Proof of Concepts
AnyConnect 4.0: Intelligently Transport Applications Over VPN
With AnyConnect 4.0, the Unified Agent Selectively Tunnels Traffic Through VPN (diagram: WWW, VPN, Local Network, Corporate Network)
• Provides unified agent that improves VPN bandwidth management in place of using multiple parallel VPN agents
• Leverages Cisco ASA and Cisco TrustSec to provide end-to-end application traffic segmentation
• Extends traditional VPN edge to mobile to prevent non-business apps from gaining corporate access
Per-App VPN Support: iOS 7+, Samsung Knox 2.0+
AC 4.0 is the ISE 1.3 Posture Agent (ISE 1.3, AC 4.0)
Posture flow: Network change → Starts Discovery → Invoke Downloader → Posture Assessment → Full Access / Remediation
Enhanced in ISE 1.3
Streamlining and Customizing Guest Experiences
Branding with Themes
Streamlined Guest Creation: Create Accounts, then Print, Email or SMS them
Example notice: "Your credentials: username: trex42, password: littlearms"
Mobile Guest Sponsorship with SMS Notifications
Set-Up Secure Guest Access in ~10 Minutes (Not Days)
ISE Ecosystem Partners: Hi-Touch, Customer-Focused Partnerships
SIEM & Threat Defense: Prioritize Events, User/Device-Aware Analytics, Expedite Resolution
• ISE provides user and device context to SIEM and Threat Defense partners
• Partners utilize context to identify users, devices, posture, location and network privilege level associated with SIEM/TD security events
• Partners may take network action on users/devices via ISE
Mobile Device Management: Ensure Device Enrollment and Security Compliance
• ISE serves as policy gateway for mobile device network access
• MDM provides ISE mobile device security compliance context
• ISE assigns network access privilege based on compliance context
Single-Purpose APIs are Great for One Purpose: Integrating One System to One Other System
Speech bubbles around the SIO node in the diagram:
• I have reputation info! I need threat data…
• I have application info!
• I need location & auth-group…
• I have sec events!
• I have NBAR info!
• I need reputation…
• I have NetFlow! I need entitlement…
• I have threat data!
• I need identity…
• I have location! I need identity…
• I have MDM info! I need location…
• I need reputation…
• I have firewall logs!
• I have app inventory info!
• I need identity…
• I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
Proprietary APIs aren't the solution. We need to share data.
Cisco Platform Exchange Grid (pxGrid)
Enabling the Potential of Network-Wide Context Sharing (diagram nodes: SIO, pxGrid)
INFRASTRUCTURE FOR A ROBUST ECOSYSTEM
Direct, Secured Interfaces
• Single framework: develop once, instead of multiple APIs
• Customize and secure what context gets shared and with which platforms
Context Sharing
• Bi-directional: share and consume
Single, Scalable Framework
• Enables any pxGrid partner to share context with any other pxGrid partner
• Integrating with Cisco ONE SDN for broad network control functions
ISE Ecosystem in Fall 2014
Cisco ISE at the center shares Context and Policy over pxGrid APIs (ISE 1.3) with: IAM & SSO, SIEM & Threat Defense, Mobile Device Management, Vulnerability Assessment, Packet Capture & Forensics, IoT Policy Management, Cisco WSA
WHITE = Announcing or Updates in 1.3 Launch
Control: Policy-based Security Actions (e.g. investigation), Policy-based Service Levels (e.g. QoS)
Initial pxGrid Use Cases & Partners (ISE 1.3)

Use-Case: Device/Access-Aware Application Access
Description: ISE device, posture context to IAM to control application access
Partner: Ping

Use-Case: Escalated Auth & SSO via Network Auth
Description: ISE user, group, access, device context to drive escalated auth policy. ISE auth state to SSO for network-to-application SSO UX.
Partner: Ping

Use-Case: Prioritize Endpoint Vulnerabilities
Description: ISE identity and user role to vulnerability assessment platform to prioritize endpoint vulnerability remediation and drive DNC/EPS quarantine actions
Partner: Tenable

Use-Case: Simplify Packet Capture Forensics
Description: ISE IP:user:device binding & related context to packet capture system to attribute user, device, role, etc. to packet capture
Partner: Emulex

Use-Case: Network Access Policy for IoT Devices
Description: Associate TrustSec policy with IoT devices. DNC/EPS for quarantining non-compliant devices.
Partner: Bayshore Networks

Use-Case: SIEM/Threat Defense Integration Using pxGrid
Description: Same use-cases as existing SIEM/TD ecosystem, but utilizing pxGrid for context and DNC/EPS.
Partner: NetIQ, Lancope, Splunk

Use-Case: Fire+ISE
Description: SF using pxGrid DNC/EPS to take mitigation actions on threat events.
Partner: Sourcefire
Cisco TrustSec: Community Supported Network Segmentation and Access Enforcement
Business Asset Mapped to Access Policy: a Source/Destination matrix of sources (Employee, Executive, BYOD, Guest) against destinations (Email, Finance, Internet), each cell Permit, Deny or Malware ACL
Policy Enforced Across Network: Switch, Router, VPN & Firewall, DC Switch, Wireless Controller
Flexible and Scalable Policy Enforcement
How Does TrustSec Work? TrustSec Extends Control from Access to DC
Along with authentication, various data is sent to ISE for device profiling (probes: NetFlow, DHCP, DNS, HTTP, OUI, NMAP, RADIUS, SNMP) from the AP, LAN and Wireless Controller.
ISE Profiling receives the ID and Profiling Data. Classification Result: Device Type: Apple iPad; User: Mary; Group: Employee; Corporate Asset: No → Personal Asset SGT
ISE (Identity Services Engine) Security Group Policy maps SGTs (Employee, Company asset, Personal asset) to DC Resource Access (e.g. Restricted Internet Only)
Distributed Enforcement based on Security Group
TrustSec Platform Support
Tagging: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 3850, 3650; WLC 5760; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (8E); Catalyst 6500E (Sup720/2T), 6880X; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 6000; Nexus 5600; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000; IE2000/3000, CGS2000; ASA5500X, ASAv (VPN RAS)
Propagation (SXP and/or inline SGT; GETVPN and IPsec on routers): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3650, 3850; Catalyst 4500E (Sup6E); Catalyst 4500E (Sup 7E), 4500X; Catalyst 4500E (Sup 8E); Catalyst 6500E (Sup720); WLC 5760; Nexus 1000v; Nexus 5500/22xx FEX**; Nexus 5600/6000; Nexus 7000/22xx FEX; ISRG2, CGR2000; ASR1000; ASA5500(X)
• All ISRG2 Inline SGT (except C800): Today
Enforcement (SGACL): Catalyst 3850, 3650; WLC 5760; Catalyst 4500E (Sup7E); Catalyst 4500E (Sup8E); Catalyst 6500E (Sup2T)**** / 6880X; Nexus 7000; WLC 2500, 5500, WiSM2**; Catalyst 3560-X; Catalyst 3750-X
Enforcement (SGACL / SGFW): Nexus 6000; Nexus 5600; Nexus 5500; Nexus 1000v; ISR G2 Router, CGR2000; ASR 1000 Router; ASA 5500/5500X Firewall; ASAv Firewall
IoT Demands Software Defined Segmentation

Source \ Destination   Data Network   Internet   Guest DMZ   Voice Network   Quarantine   Bootstrap
Employees              PERMIT         PERMIT     DENY        DENY            DENY         DENY
Guests                 PERMIT         PERMIT     PERMIT      DENY            DENY         DENY
IP Phones              DENY           PERMIT     DENY        PERMIT          DENY         DENY
Non-Compliant PCs      DENY           PERMIT     DENY        DENY            PERMIT       DENY
BYOD                   DENY           PERMIT     PERMIT      DENY            DENY         PERMIT
BioMed Sensors, Consumer Gadgets, Power Controls, Process Controls: …
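As an added example (not Cisco's code and not from this deck), the Python model below walks the TrustSec flow from the "How Does TrustSec Work?" slide through to the segmentation matrix above: classify an endpoint from its authentication and profiling context, assign a Security Group Tag, then look the flow up in the source-SGT by destination matrix with a fail-closed default. The `Endpoint` fields and the classification rules are assumptions; the matrix cells are transcribed from the slide.

```python
"""Constructed model of the TrustSec flow on the slides (added example, not Cisco code):
ISE classifies an endpoint, assigns a Security Group Tag (SGT), and the network enforces a
source-SGT x destination matrix (SGACL). Classification rules and Endpoint fields are assumed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    user: str
    group: str              # identity group from authentication, e.g. "Employee"
    device_type: str        # from profiling probes (OUI, DHCP, HTTP, ...), e.g. "Apple iPad"
    corporate_asset: bool   # asset inventory lookup
    compliant: bool = True  # posture assessment result

def classify(ep: Endpoint) -> str:
    """First matching rule assigns the SGT; unrecognised endpoints fall into Quarantine."""
    if ep.group == "Guest":
        return "Guests"
    if ep.device_type == "IP Phone":
        return "IP Phones"
    if not ep.compliant:
        return "Non-Compliant PCs"
    if ep.group == "Employee":
        return "Employees" if ep.corporate_asset else "BYOD"
    return "Quarantine"

# Destination columns and source rows as printed on the segmentation slide, cells verbatim.
DESTINATIONS = ("Data Network", "Internet", "Guest DMZ", "Voice Network", "Quarantine", "Bootstrap")
SGACL = {
    "Employees":         ("PERMIT", "PERMIT", "DENY",   "DENY",   "DENY",   "DENY"),
    "Guests":            ("PERMIT", "PERMIT", "PERMIT", "DENY",   "DENY",   "DENY"),
    "IP Phones":         ("DENY",   "PERMIT", "DENY",   "PERMIT", "DENY",   "DENY"),
    "Non-Compliant PCs": ("DENY",   "PERMIT", "DENY",   "DENY",   "PERMIT", "DENY"),
    "BYOD":              ("DENY",   "PERMIT", "PERMIT", "DENY",   "DENY",   "PERMIT"),
}

def enforce(sgt: str, destination: str) -> str:
    """Enforcement-point decision: a tag or destination with no explicit cell is DENY."""
    row = SGACL.get(sgt)
    if row is None or destination not in DESTINATIONS:
        return "DENY"
    return row[DESTINATIONS.index(destination)]

def decide(ep: Endpoint, destination: str) -> tuple:
    """Full path for one flow: classify -> SGT -> SGACL verdict."""
    sgt = classify(ep)
    return sgt, enforce(sgt, destination)
```

Mary's personal iPad from the slide classifies as BYOD, so a flow to the Data Network is denied while one to the Internet is permitted; a tag with no row in the matrix (such as Quarantine) is denied everywhere.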
Cyber Lifecycle: Where Cisco is Going
Phases: BEFORE, DURING, AFTER. Themes: Visibility to Improve Decision; Dynamic Tune Control Policy; Network-wide Mitigation; Control to Mitigate & Remediate
1. Reduce threat surface area: ISE as Secure Access
2. Collect real time context (FireSight, Lancope, SIEM…): ISE as Context Directory
3. Accelerated & improved decisioning
4. Quarantine in network: ISE as Network Controller
5. Update policy to minimize repeat attack risk