Secure Unified Access



SECURE NETWORK ACCESS

The Security Problem: Changing Business Models, Dynamic Threat Landscape, Complexity & Fragmentation

©2014 Cisco and/or its affiliates. All rights reserved.

Mobility is a Ripple, IoT is a Tidal Wave: Growing Need for Secure Access due to Larger Attack Surface Area

Gen 1 (2003): Managed Endpoints, IT Procured and Managed
2007: Guest Access, Simple Guest Access
2012: Enterprise Mobility, Procured & BYOD Mobile Device Use
2015+: Internet of Everything, Explosion of Network Enabled Devices

1 Ponemon Research, http://www.ponemon.org/news-2/48

#1 in Market, 6500+ Customers, 80% of F25 and 50% of F500, Leader in the NAC MQ

Cisco Identity Services Engine (ISE): Secure Unified Access

Identity Context: Who, What, Where, When, How

Cisco ISE provides Device Profiling & Posture and Business-Relevant Policies.

Policy Management: increases operational efficiency.
Onboarding & Remediation: increases productivity and improves user experience.
Intelligent Identity: provides comprehensive secure access across Wired, Wireless, and VPN, and ensures consistent policies.
Network Enforcement: decreases operational costs.

Virtual machine client, IP device, guest, employee, and remote user. Replaces AAA and RADIUS, NAC, guest management, and device identity servers.

Cisco ISE is Core to the Cisco Security Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Products across the continuum: Firewall, VPN, NGIPS, NGFW, UTM, Web + Email Security, Identity Services + NAC, Advanced Malware Protection, Network Behavior Analysis, pxGrid + TrustSec

ISE Provides Visibility, Context, and Control Across the Entire Continuum

How Cisco ISE is Used Today

BYOD: Manage risk by providing different levels of access for mobile devices
Guest Access: It is easy to provide guests limited-time and limited-resource access
Secure Access on Wired and Wireless Network and VPN: Control with one policy across wired, wireless, and remote infrastructure
Cisco TrustSec Network Policy: Rules written in business terms control access

BYOD Automated Self-Service Portal

• Get Users on the Net in Minutes, Not Hours: Simple self-service portal for any user to get quickly on the net without help or hassle
• Reduce Burden on IT and Help Desk Staff: Reliable automation reduces user problems to near zero so…
• Immediate Secure Access: Rigorous identity and access policy enforcement

Key Capability: Motivated MDM Partners Unify Endpoint and Network Policies

1. BUY NEW DEVICE
2. ONBOARD AND REGISTER
3. CHOOSE PRIVILEGES: Guest or Business

Increased productivity through user self-provisioning
Assured security posture with MDM integration (NEW)

• Automates MDM registration
• Zero-touch IT support
• Quarantines non-compliant devices
• Rapid user on-boarding
• Users can elect to not register and be allowed guest services

ISE 1.3

Simplifying BYOD Onboarding (ISE 1.3)

Improved Device Recognition; Branded Experiences; Out-of-the-Box On-Boarding User Experience; Personalized Device Portal; Mobile- and Desktop-Ready
Reduce Unknown Devices by 74%

Internal Certificate Authority (ISE 1.3): Simplifying Certificate Management for BYOD Devices

Native Certificate Authority
No additional burden to PKI
Simplified Device Onboarding
Simplified Proof of Concepts

AC 4.0

Intelligently Transport Applications Over VPN With AnyConnect 4.0, the Unified Agent

Selectively tunnels traffic through the VPN (diagram: WWW, VPN, Local Network, Corporate Network)

• Provides a unified agent that improves VPN bandwidth management in place of using multiple parallel VPN agents
• Leverages Cisco ASA and Cisco TrustSec to provide end-to-end application traffic segmentation
• Extends the traditional VPN edge to mobile to prevent non-business apps from gaining corporate access

Per-App VPN Support: iOS 7+, Samsung Knox 2.0+

ISE 1.3, AC 4.0

AC 4.0 is the ISE 1.3 Posture Agent (Enhanced in ISE 1.3)

Network change → Starts Discovery → Invoke Downloader → Posture Assessment → Full Access / Remediation

Streamlining and Customizing Guest Experiences

Branding with Themes
Streamlined Guest Creation: Create Accounts, then deliver by Print, Email, or SMS
Your credentials: username: trex42, password: littlearms
Mobile Guest Sponsorship: SMS Notifications
Set Up Secure Guest Access in ~10 Minutes (Not Days)

ISE Ecosystem Partners: Hi-Touch, Customer-Focused Partnerships

SIEM & Threat Defense: Prioritize Events, User/Device-Aware Analytics, Expedite Resolution
• ISE provides user and device context to SIEM and Threat Defense partners
• Partners utilize context to identify users, devices, posture, location and network privilege level associated with SIEM/TD security events
• Partners may take network action on users/devices via ISE

Mobile Device Management: Ensure Device Enrollment and Security Compliance
• ISE serves as policy gateway for mobile device network access
• MDM provides ISE mobile device security compliance context
• ISE assigns network access privilege based on compliance context

Single-Purpose APIs are Great for One Purpose …Integrating One System to One Other System

I have reputation info! I need threat data…
I have application info!
SIO
I need location & auth-group…
I have sec events!
I have NBAR info!
I need reputation…
I have NetFlow! I need entitlement…
I have threat data!
I need identity…
I have location! I need identity…
I have MDM info! I need location…
I need reputation…
I have firewall logs!
I have app inventory info!
I need identity…
I need posture…
I have identity & device-type! I need app inventory & vulnerability…

Proprietary APIs aren't the solution. We need to share data.

Cisco Platform Exchange Grid (pxGrid): Enabling the Potential of Network-Wide Context Sharing

Infrastructure for a Robust Ecosystem
Direct, Secured Interfaces
Context Sharing
Single, Scalable Framework

• Single framework: develop once, instead of multiple APIs
• Customize and secure what context gets shared and with which platforms
• Bi-directional: share and consume
• Enables any pxGrid partner to share context with any other pxGrid partner
• Integrating with Cisco ONE SDN for broad network control functions

ISE Ecosystem in Fall 2014 (WHITE = Announcing or Updates in 1.3 Launch)

Context and Policy partners around Cisco ISE 1.3, connected via pxGrid and APIs: IAM & SSO; SIEM & Threat Defense; Mobile Device Management; Vulnerability Assessment; Packet Capture & Forensics; IoT Policy Management; Cisco WSA

Control: Policy-based Security Actions (e.g. investigation); Policy-based Service Levels (e.g. QoS)

Initial pxGrid Use Cases & Partners (ISE 1.3)

Use-Case: Device/Access-Aware Application Access
Description: ISE device, posture context to IAM to control application access
Partner: Ping

Use-Case: Escalated Auth & SSO via Network Auth
Description: ISE user, group, access, device context to drive escalated auth policy. ISE auth state to SSO for network-to-application SSO UX.
Partner: Ping

Use-Case: Prioritize Endpoint Vulnerabilities
Description: ISE identity and user role to vulnerability assessment platform to prioritize endpoint vulnerability remediation and drive DNC/EPS quarantine actions
Partner: Tenable

Use-Case: Simplify Packet Capture Forensics
Description: ISE IP:user:device binding & related context to packet capture system to attribute user, device, role, etc. to packet capture
Partner: Emulex

Use-Case: Network Access Policy for IoT Devices
Description: Associate TrustSec policy with IoT devices. DNC/EPS for quarantining non-compliant devices.
Partner: Bayshore Networks

Use-Case: SIEM/Threat Defense Integration Using pxGrid
Description: Same use-cases as existing SIEM/TD ecosystem, but utilizing pxGrid for context and DNC/EPS.
Partner: NetIQ, Lancope, Splunk

Use-Case: Fire+ISE
Description: SF using pxGrid DNC/EPS to take mitigation actions on threat events.
Partner: Sourcefire

Cisco TrustSec: Community Supported Network Segmentation and Access Enforcement

Business Asset Mapped to Access Policy: a Source/Destination matrix with sources Employee, Executive, BYOD, and Guest, destinations Email, Finance, Internet, and Employee, a Malware ACL column, and Permit/Deny cells (cell order not recoverable from the slide text)

Policy Enforced Across Network: Switch, Router, VPN & Firewall, DC Switch, Wireless Controller

Flexible and Scalable Policy Enforcement

How Does TrustSec Work? TrustSec Extends Control from Access to DC

Along with authentication, various data is sent to ISE for device profiling. ID and Profiling Data sources: NetFlow, DHCP, DNS, HTTP, OUI, NMAP, RADIUS, SNMP, collected from the LAN, AP, and Wireless Controller.

Classification Result: Device Type: Apple iPad; User: Mary; Group: Employee; Corporate Asset: No → Personal Asset SGT

ISE (Identity Services Engine) Security Group Policy, with SGTs Company asset, Employee, and Personal asset. Distributed Enforcement based on Security Group: DC Resource Access for the company asset, Restricted Internet Only for the personal asset.

TrustSec Platform Support

Tagging: Catalyst 2960-S/-C/-Plus/-X/-XR, Catalyst 3560-E/-C/-X, Catalyst 3750-E/-X, Catalyst 3850, 3650, WLC 5760, Catalyst 4500E (Sup6E/7E), Catalyst 4500E (8E), Catalyst 6500E (Sup720/2T), 6880X, Wireless LAN Controller 2500/5500/WiSM2, Nexus 7000, Nexus 6000, Nexus 5600, Nexus 5500, Nexus 1000v (Port Profile), ISR G2 Router, CGR2000, IE2000/3000, CGS2000, ASA5500X, ASAv (VPN RAS)

Propagation (SXP, inline SGT, GETVPN, IPSec):
Catalyst 2960-S/-C/-Plus/-X/-XR: SXP
Catalyst 3560-E/-C, 3750-E: SXP
Catalyst 3560-X, 3750-X: SXP, SGT
Catalyst 3650, 3850: SXP, SGT
Catalyst 4500E (Sup6E): SXP
Catalyst 4500E (Sup 7E), 4500X: SXP, SGT
Catalyst 4500E (Sup 8E): SXP, SGT
Catalyst 6500E (Sup720): SXP
Catalyst 6500E (Sup 2T)**** / 6880X: SXP, SGT
WLC 2500, 5500, WiSM2**: SXP
WLC 5760: SXP, SGT
Nexus 1000v: SXP, SGT
Nexus 5500/22xx FEX**: SXP, SGT
Nexus 5600/6000: SXP, SGT
Nexus 7000/22xx FEX: SXP, SGT
ISRG2, CGR2000: SXP, SGT, GETVPN, IPSec
ASR1000: SXP, SGT, GETVPN, IPSec
ASA5500(X): SXP, SGT

Enforcement:
SGACL: Catalyst 3850, 3650, WLC 5760, Catalyst 4500E (Sup7E), Catalyst 4500E (Sup8E), Catalyst 6500E (Sup2T) / 6880X, Nexus 7000, Nexus 6000, Nexus 5600, Nexus 5500, Nexus 1000v
SGFW: ISR G2 Router, CGR2000, ASR 1000 Router, ASA 5500/5500X Firewall, ASAv Firewall

• All ISRG2 Inline SGT (except C800): Today

IoT Demands Software Defined Segmentation

Source \ Destination   Data Network   Internet   Guest DMZ   Voice Network   Quarantine   Bootstrap
Employees              PERMIT         PERMIT     DENY        DENY            DENY         DENY
Guests                 PERMIT         PERMIT     PERMIT      DENY            DENY         DENY
IP Phones              DENY           PERMIT     DENY        PERMIT          DENY         DENY
Non-Compliant PCs      DENY           PERMIT     DENY        DENY            PERMIT       DENY
BYOD                   DENY           PERMIT     PERMIT      DENY            DENY         PERMIT
BioMed Sensors         …
Consumer Gadgets       …
Power Controls         …
Process Controls       …
…
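The two TrustSec steps the deck describes, classification (ISE assigns a Security Group Tag from identity and profiling context) and enforcement (the network applies the source-SGT x destination matrix), are shown below as an added Python example; it is not Cisco's code and not part of this deck. The group names and PERMIT/DENY cells are the ones printed in the segmentation matrix above, and the sample endpoint is the classification result from the "How Does TrustSec Work?" slide (Mary, Employee, Apple iPad, not a corporate asset). The SGT numbers, the Endpoint fields and the ordering of the classification rules are assumptions made for illustration. The example also does two things a deployment check should do: it verifies that every row of the matrix covers every destination column, and it returns DENY for any group or destination the matrix does not name.

```python
"""Security-group classification and SGACL matrix enforcement (added example)."""
from dataclasses import dataclass

# Destination security groups: the columns of the slide's matrix.
DESTINATIONS = ("Data Network", "Internet", "Guest DMZ",
                "Voice Network", "Quarantine", "Bootstrap")

# Source security group -> PERMIT/DENY per destination, as printed on the slide.
MATRIX = {
    "Employees":         ("PERMIT", "PERMIT", "DENY",   "DENY",   "DENY",   "DENY"),
    "Guests":            ("PERMIT", "PERMIT", "PERMIT", "DENY",   "DENY",   "DENY"),
    "IP Phones":         ("DENY",   "PERMIT", "DENY",   "PERMIT", "DENY",   "DENY"),
    "Non-Compliant PCs": ("DENY",   "PERMIT", "DENY",   "DENY",   "PERMIT", "DENY"),
    "BYOD":              ("DENY",   "PERMIT", "PERMIT", "DENY",   "DENY",   "PERMIT"),
}

# Assumed SGT numbers; a deployment picks its own. 0 stands for "Unknown".
SGT_VALUES = {"Unknown": 0, "Employees": 10, "Guests": 20, "IP Phones": 30,
              "Non-Compliant PCs": 40, "BYOD": 50}


@dataclass(frozen=True)
class Endpoint:
    """Context ISE holds after authentication and profiling (fields assumed)."""
    user: str
    group: str              # identity group, e.g. "Employee" or "Guest"
    device_type: str        # profiler result, e.g. "Apple iPad"
    corporate_asset: bool
    posture_compliant: bool


def classify(ep: Endpoint) -> str:
    """Return the security group name; the first matching rule wins.

    Posture is evaluated first so a non-compliant machine lands in the
    quarantine group regardless of who is logged in or what the device is.
    """
    if not ep.posture_compliant:
        return "Non-Compliant PCs"
    if ep.device_type.startswith("Cisco IP Phone"):
        return "IP Phones"
    if ep.group == "Guest":
        return "Guests"
    if ep.group == "Employee":
        # Same user, two different tags: corporate asset vs personal (BYOD) device.
        return "Employees" if ep.corporate_asset else "BYOD"
    return "Unknown"   # no rule matched; sgacl_decision() will deny it


def sgacl_decision(src_group: str, destination: str) -> str:
    """Look up the matrix cell; anything not explicitly permitted is denied."""
    row = MATRIX.get(src_group)
    if row is None or destination not in DESTINATIONS:
        return "DENY"
    return row[DESTINATIONS.index(destination)]


def missing_cells(matrix=MATRIX, destinations=DESTINATIONS):
    """Pre-deployment check: report rows that do not cover every destination."""
    return [(src, len(row)) for src, row in matrix.items()
            if len(row) != len(destinations)]


def decide(ep: Endpoint, destination: str):
    """Full path: classification -> SGT value -> SGACL cell."""
    group = classify(ep)
    return group, SGT_VALUES[group], sgacl_decision(group, destination)


if __name__ == "__main__":
    # The slide's example: Mary, Employee, Apple iPad, not a corporate asset.
    mary = Endpoint("Mary", "Employee", "Apple iPad",
                    corporate_asset=False, posture_compliant=True)
    assert missing_cells() == []
    for dst in DESTINATIONS:
        print(mary.user, "->", dst, decide(mary, dst))
```

Running it shows Mary's iPad tagged BYOD and permitted only to Internet, Guest DMZ and Bootstrap, while the same user on a corporate asset would be tagged Employees and reach the Data Network; flipping posture_compliant to False moves either device into the quarantine row without any change to the matrix, which is the point of policy written against groups rather than addresses.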







Cyber Lifecycle: Where Cisco is Going

BEFORE, DURING, AFTER: Visibility to Improve Decision; Dynamic Tune Control Policy; Network-wide Mitigation; Control to Mitigate & Remediate

1. Reduce threat surface area (ISE as Secure Access)
2. Collect real time context (ISE as Context Directory; FireSight, Lancope, SIEM…)
3. Accelerated & improved decisioning
4. Quarantine in network (ISE as Network Controller)
5. Update policy to minimize repeat attack risk