Always-on Endpoint Remote Access and Protection with Cisco AnyConnect

Transcription

1

2 Always-on Endpoint Remote Access and Protection with Cisco AnyConnect Dan Stotts, Security Product Marketing Manager PSOSEC-1900

3 Agenda Introduction Works Everywhere Expanded Visibility User Experience Threat Conclusion

4 Enterprise networks are going mobile More users, in more places ~70% of mobile workers will conduct work on personal devices by 2018 More applications, across more devices 15B devices by 2015, with 3 devices per worker More security threats 75% say their mobile devices were targeted by malware in the last 12 months PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Putting pressure on every IT department Provide Anytime Access Increase Visibility & Control Improve Usability Impenetrable Security Users want to access their information anytime, anywhere in the world IT departments need full visibility into user behavior and device status Users want a seamless experience Admins need simplified management across users and devices Companies need to ensure every user and device is always protected PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 What if you could Ensure access from anywhere Gain greater visibility Deliver a solution that s easy to use Keep users and devices secure Enable secure access to the enterprise network for any user, from any device, at any time, in any location Provide IT with full visibility into user behavior and device status across the extended enterprise Provide a seamless user experience across devices, without creating a headache for your IT teams Protect users and devices from threats, no matter where they are, without impacting productivity PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 You can with Cisco AnyConnect Secure Mobility Client Ensure access from anywhere Enable secure access to the enterprise network for any user, from any device, at any time, in any location Works everywhere Gain greater visibility Provide IT with full visibility into user behavior and device status across the extended enterprise Expands visibility Cisco AnyConnect Deliver a solution that s easy to use Provide a seamless user experience across devices, without creating a headache for your IT teams Easy to use Keep users and devices secure Protect users and devices from threats, no matter where they are, without impacting productivity Protects systematically PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Cisco AnyConnect: Way More Than VPN Cisco AnyConnect Features Basic VPN Advanced VPN Endpoint Compliance Inspection Services Enterprise Access Threat Protection Network Visibility Off-Network Protection Cisco AnyConnect Integration with Other Cisco Solutions Adaptive Security Appliance (ASA) Integrated Services Router (ISR) Aggregation and Cloud Services Routers (ASR/CSR) Identity Services Engine (ISE) Web Security Switches and Wireless Controllers NetFlow Collectors Umbrella Services PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Manage with one agent that does it all Save time and effort with a flexible, effective solution from a single vendor, reducing the hassles of multi-vendor support Streamline management using a single agent for: VPN Threat detection and Device compliance remediation Web content inspection Contextual behavior data Simple client software deployment and updates both on and off premises Simplify operations through seamless integration with other Cisco solutions and 3 rd party device management offerings Improve control by providing additional context for consistent access and security policies PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Cisco AnyConnect Secure Mobility Client Cisco AnyConnect Works everywhere Expands visibility Easy to use Protects systematically PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Get simple persistent connectivity Always-On and transparent connectivity with Trusted Network Detection User Off Premise Untrusted VPN Required ASA User On Premise No VPN Required Capabilities Always-On VPN prevents access to Internet resources when not on a trusted network Automatically disconnect or pause a VPN connection when the user is inside the corporate network Auto-reconnect (Session Persistence) transparently recovers VPN session disruptions Benefits Streamline remote and on-prem access management with simple control over client behavior Stay secure by enforcing off-prem VPN connectivity Auto-recover from network disruptions PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Enterprise network connection from anywhere Connect through VPN with full-tunneling, split-tunneling or per-app Per App VPN Corporate Connection Social Media App Z Video Streaming App B Internal App X External App Y Internet Split Tunneling External Resource (IP, App, Etc.) Internal DNS / IP Address Full Tunneling Internal Resource ASA Capabilities Leverage per app policy by creating per-app VPN policies using the dedicated app selector Expand mobile platform support including: Windows macos Linux Chrome OS Apple ios full and per-app VPN Android Windows 10 Mobile Blackberry 10 Samsung Knox Benefits Provide highly secure remote access from mobile endpoints Extend narrow remote access for partners and contractors PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Cisco AnyConnect Secure Mobility Client Cisco AnyConnect Works everywhere Expands visibility Easy to use Protects systematically PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 Gain a comprehensive view across the network Issue Data silos prevent a full view of the network Solution AnyConnect s Network Visibility Module helps you leverage endpoint and user context to address range of different use cases Identity store Network policy Device management Impairing visibility and limiting security operations VPN/Split Tunnel Activity SaaS Use Exfiltration Application Troubleshooting? Users? Devices? Applications For example, with split-tunnel activity You can collect flow data about what's going down a split tunnel as well as the data outside the tunnel. Enabling visibility as well as cost savings on bandwidth PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Drive greater business insight With the AnyConnect Network Visibility Module (NVM) Endpoint Context IPFIX-Based Record (Source, Destination IP, etc) Unique Device ID (correlate records from same endpoint device) Device Name (bsmith-win) and OS Version (Window 7) Domain\User Name (Amer\bsmith) Local DNS (starbucks.com) Target DNS ( amceco.box.com) Interface (Intel Dual Band Wireless) Process/Container Name (iexplorer.exe) Process ID (hash) Parent Process Name (foobar.exe) Parent ID (hash) Netflow Collector Collection & Analytics Services Capabilities Benefits Granular app visibility including common containers running Windows and OS X (srvhost, java, etc) Lockdown ensures NVM is always working Caching flexibility for admins to define the off net capacity amount for visibility Extensive endpoint details include SSID for detailed pictures of endpoint behavior Anonymization with unique hashes for tracking data while maintaining end-user privacy Deep insight into user behavior from a holistic view Effective security with richer forensic information Streamlined network operations with contextdriven analysis PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Policy Option ParentProcessHash DestinationHostname Flexible Collection Policy DNSSuffix L4ByteCountIn L4ByteCountOut VirtualStationName OSName OSVersion OSEdition SystemType SystemManufacturer ModuleNameList ModuleNameHash InterfaceIndex InterfaceIndexType InterfaceIndexName Anonymization Options Complete Attribute List PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Gain greater visibility across all applications Configure AnyConnect with ISE for superior security and visibility Identity Services Engine (ISE) Leverage ISE to automatically configure your system and deliver superior: Visibility Posture capabilities Threat response Across the entire network Capabilities Integrated visibility across all endpoints enables detailed analysis of software inventory App report delivers a complete list of running and installed apps on PCs Continuously update application inventory including collecting applications installed when disconnected from network Benefits Simplified IT with all-in-one endpoint inventory functionality Expanded security controls driven by greater endpoint assessment data Reduced exposure via endpoint compliance enforcement or network policy actions PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Cisco AnyConnect Secure Mobility Client Cisco AnyConnect Works everywhere Expands visibility Easy to use Protects systematically PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Provide a hassle-free user experience Other SaaS And many more Secure mobile Recognize roaming users or endpoints and automatically extend mobile security services Streamline access Simplify user and device authentication, removing the need to remember credentials Minimize disruption Decrease disruption to users with automatic reconnection whenever network access is lost or transitioned Enable flexibility Give users more options with support for multiple devices and platforms PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Get the right solution to the right user type AnyConnect flexible deployment and operations Off-Prem Deploy On-Prem Deploy Pre-Deploy App Stores Adaptive Security Appliance (ASA) Identity Services Engine (ISE) Identity Services Engine (ISE) Capabilities Distribute across user roles at time of access using AnyConnect from ASA and ISE Deploy with enterprise software management systems to govern software endpoints Utilize OS-specific installers to download manually across different devices, or Install directly from mobile app stores Benefits Deploy flexibly across a range of platforms and users Activate quickly with customized packages preconfigured to specific modules Dynamically update endpoint software and policies PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Cisco AnyConnect Secure Mobility Client Cisco AnyConnect Works everywhere Expands visibility Easy to use Protects systematically PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Flexible AAA options Standards based Authentication/Authorization/Accounting OTP RADIUS Mobile User IPsec or SSL VPN SAML 2.0 Customize for your business HTTP Form Kerberos ASA LDAP Single / Multi-Cert Authentication PC User Capabilities Flexible authentication options: Software Certificate or Smart Card User or Machine Certificates or Both Username and Password / One-Time Password Single, Multiple or Mix and Match Simple certificate enrollment protocol (SCEP Proxy) Compatible with LDAP over SSL with most LDAPv3 servers and Native SDI Built-in accounting logs user session statistics and usage information to measure resources consumed by during access Benefits Improved protection and control over remote access Extended use of credentials for access allowing for simple off-premise usability Superior policy controls with fine grain and flexible authentication PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Better roaming security Pair Cisco AnyConnect and Umbrella VPN Off User Umbrella VPN Capabilities Intercepts DNS / IP/ Web traffic and redirects to cloud proxies Options for on premises or VPN connected Benefits Extend security to roaming users Defend against malware Safeguard web usage PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Streamline endpoint compliance Integrated posture assessment Agent Options AnyConnect OR Deployment Stand-alone VPN with Posture Host Scan SSL VPN Integrated Wired, Wireless and VPN with Posture Adaptive Security Appliance (ASA) Firewall Anti-Malware Anti-Spyware Anti-Virus Assessment Posture condition checks Disk Encryption File check Patch Mgmt. Registry Evaluate Application Service USB Compound Stealth Agent ISE Posture Wired / Wireless Identity Services Engine (ISE) or Non-Compliant Compliant Remediate Automatic or Manual Capabilities Comprehensive posture checks Automatic and manual remediation on Windows and OS X Watermark devices with file, registry, process, service and app checks Ongoing posture libraries are updated by feed with ISE Full app inventory and remediation actions with ISE Benefits Enforce endpoint compliance access methods to reduce security operations load Simplified management from one agent Reduce user impact with behind-the-scenes posturing PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Defend across the entire attack continuum Attack Continuum Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate Network Endpoint Mobile Virtual Cloud and Web Point in Time Continuous PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Only Cisco delivers Enjoy additional value from your investments with Cisco security offerings AnyConnect + Identity Services Engine (ISE) Adaptive Security Appliance (ASA) Umbrella Service Advance Malware Protection (AMP) W SA Lancope Stealthwatch Cloud Web Security (CWS) Web Security Appliance (WSA) Advanced security For every device and every user, everywhere they go PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Reduce risk with comprehensive security services Always-on protection Rest assured with constant protection for remote users, including data encryption Deeper visibility into security Enable additional analytics for deeper threat insight by integrating AnyConnect with 3rd-party behavioral tools Proactive threat defense Leverage Cisco AMP for Endpoints for continuous threat monitoring and malware prevention Integrated compliance Validate users and devices and prevent non-compliant devices from accessing the network when used with Cisco ISE Unmatched web protection Filter web threats automatically, and redirect for further inspection when used with Cisco CWS or WSA Multiple access options Control access using multiple authentication options PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 AnyConnect Continuing to Evolve 1HCY16 2HCY16 Release & Commit Status AnyConnect 4.3 (Ironman) AnyConnect 4.4 (Justice League) Technology Leadership & Innovation Network Visibility Module (NVM) Phase 2 Umbrella Roaming Security & Cloud downloader (Encrypted DNS, DNS Content / Malware protection / IP Blocking Windows) Network Visibility Module (NVM) Phase 3 Umbrella Roaming Security Phase II (IP Blocking Mac OS) Common Criteria Certification (W and Android 4.0.x on Samsung Galaxy S7) FIPS Re-cert Advanced VPN Ease of Use and Enhancements Split tunneling 1000 networks (req. ASA Nov 2016) Posture enhancements (USB, OPSWAT v4) OCSP for Android Host exclusion (CWS) ios 10 Per App VPN (network extension client) ios/android Touch ID VPN security ios Force touch Double Certificate Auth (ASA dependent) Prompt prior to max connect timeout (ASA dependent) Android Always On (Android N) Posture enhancements (Installed/Running Apps, FW) Simplified AnyConenct onboarding and interactions with ISE Headless AnyConnect for posture Endpoint Compliance Network Visibility Future Releases Architecture & Solution Integration Updated platform support (inc, but not limited to Windows 10, Linux, Android, ios, etc) Public IPv6 ios Continuation of IPv6 & DSCP gaps Updated Platform Support: Windows 10, Android N SAML 2.0 Clientless & AnyConnect Inspection & Protection PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 Licensing model Offers greater flexibility Plus License* Apex License* Endpoint licensing portable across any hardware platforms, simplifying transfer Two-tiered licensing structure to allow customers to grow based on new enterprise mobility needs VPN Perpetual or term-based Mobile per-app VPN Web and roaming security** Network access manager Encryption Plus License + Term-based Compliance** Clientless Simple migration Essentials to Plus Premium to Apex *Per user (with their multiple devices) **Requires additional licensing when using ISE PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Join the thousands of customers worldwide who rely on Cisco AnyConnect 150+ million endpoints delivering the most comprehensive set of security services to more than 80,000customers worldwide PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions Deploying AnyConnect SSL VPN with ASA5500 Technical Level: Intermediate Session ID: BRKSEC-2501 Hakan Nohre, CSE, Cisco Distinguished Speaker PSOSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Q & A

34 Thank You

35