Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD
2 Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD
Kanu Gupta, Technical Marketing Engineer, CCIE (Wireless)
BRKEWN-2005
3 Cisco Spark: How
Questions? Use Cisco Spark to chat with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3. cs.co/ciscolivebot#brkewn
Cisco and/or its affiliates. All rights reserved. Cisco Public
4 Session Objectives
- Harden Infrastructure: inbuilt - Securing AP-WLC communication, 802.1x AP port security, Default Best Practices; advanced - APIC Plug n Play
- Protect the Air: inbuilt - Base WIPS, Rogue Detection, CleanAir, 802.11w; advanced - aWIPS
- Secure Client Access: inbuilt - Client Access Methods (802.1x, iPSK, WebAuth); advanced - ISE Guest & BYOD Management
- Solution Level Protection: inbuilt - Native Policy Management, Application Visibility & Control, URL Filtering; advanced - TrustSec, NetFlow/StealthWatch, Cisco Umbrella
Not covered: we won't talk about ISE in detail, configuration details, version discrepancies, IPv6, Fabric, Roadmap
5 For your reference
There are slides in your PDF that will not be presented, or will be presented only quickly. They are valuable, but included only for your reference.
6 Agenda
- Infrastructure Hardening
- Over the Air Security
- Secure Access
- Solution Level Security
- Enterprise Use Case
7 Cisco Digital Network Architecture for mobility
Principles:
- Open APIs: Modular APs with RESTful APIs
- Cloud Service Management: CMX 10.x with Context and Guest
- Automation: Plug n Play, EasyQoS, ISE: 802.1x, BYOD and Guest
- Assurance: RESTful APIs on WLC, NetFlow Export, Apple Network Optimization & FastLane
- Platforms & Virtualization: Modular APs with RESTful APIs; DNA Optimized Controllers: 3504, 5520, 8540; various VM models: ESXi, KVM, HyperV, AWS
Outcomes: Insights and Experiences; Automation and Assurance; Security and Compliance
8 Trustworthy Systems: Protect the Device
Embedded Security Built for Today's Threats
"Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions. There has never been a greater need to improve network infrastructure security." (Alert TA16-251A, September 2016)
Evidence of Trust; Security Expertise and Innovation
Learn more: visit trust.cisco.com; see BRKARC-1010 Protecting the Device: Cisco Trustworthy Systems & Embedded Security; Meet the Engineer topic: Security and Trust Architecture
9 Cisco Trustworthy Systems Levels: Enterprise Wireless
Protects the Network:
- Solution Level Attack Protection: TrustSec, Umbrella, ISE, Stealthwatch, NetFlow
- Protections Against Attack: DHCP Snooping, Secure Transport, WIPS/Rogue, 802.11w/r/i, IP Source Guard, ACLs
Platform Integrity: Secure Boot, Image Signing, Counterfeit Protections, Hardware Trust Anchor, Modern Crypto, Secure Device Onboarding
Security Culture: Supply Chain Management, Open Source Registration, Security Training, Threat Modeling, Product Security Baseline, PSIRT Advisories
Learn more: BRKARC-1010 Protecting the Device: Cisco Trustworthy Systems & Embedded Security
10 Secure the Infrastructure
11 Infrastructure Hardening
- Encryption
- Plug n Play
- MFP, 802.11w
- Best Practices
12 AP control at the access layer: 802.1X credentials for the AP
- Access Point (AP) acts as the Supplicant; Layer 2 point-to-(multi)point EAP over LAN (EAPoL) to the Authenticator; Layer 3 link (RADIUS) from the Authenticator to the AuthC Server
- AP# capwap ap dot1x username [USER] password [PWD]
* Not supported today on 1800/2800/3800 APs.
13 Securing the AP-WLC communication (see BRKEWN-2010)
- CAPWAP tunnels: CAPWAP Control is encrypted by default; CAPWAP Data is encapsulated but not encrypted by default
- Support for DTLS data encryption between AP and WLC
- CAPWAP Control: DTLS, UDP 5246; CAPWAP Data (DTLS): UDP 5247
- (Cisco Controller) >config ap link-encryption enable all/[ap-name]
14 Securing the AP-WLC communication: Local Significant Certificate (LSC)
Your PKI issues the certificates used for CAPWAP. Example: (diagram not transcribed)
15 APIC-EM Plug-n-Play (PnP): for secure provisioning of Access Points
- AP SN #123 > Config. File (WLC IP, Vegas AP Group, etc.)
- AP SN #456 > Not in any Project list > Claim list
- APIC-EM IP in DHCP option 43, or DNS resolution for pnpserver.<dhcp-domain-option>
Diagram: WLC, APIC-EM, AP (SN #123) in the Vegas AP Group, AP (SN #456)
AP PnP Deployment Guide: (link not transcribed)
16 Securing the AP-WLC communication: Out-of-Box AP Group and RF Profile (v7.3+)
- Out-of-Box AP Group > Radios Disabled
- Vegas AP Group > Radios Enabled
Example: (diagram of the Out-of-Box and Vegas AP Groups not transcribed)
17 End to End Encryption of Mobility Tunnel (8.5): CAPWAP v4 with DTLS encryption between Wireless LAN Controllers
18 Over the Air Security and Threat Mitigation
19 Over the Air Security
- aWIPS, ELM
- Rogue Detection
- Cisco CleanAir
- EDRM
- FRA
- Radio Off-Channel Scanning
20 Wireless Intrusion Prevention System (wIPS)
Threats: Ad-hoc Wireless Bridge; Evil Twin/Honeypot AP; Reconnaissance; Rogue Access Points; Denial of Service; Cracking Tools
Impacts: client-to-client backdoor access; seeking network vulnerabilities; backdoor access; service disruption; sniffing and eavesdropping
Non-Wi-Fi attacks (detected by CleanAir and tracked by MSE): Microwave, Bluetooth, RF jammers, radar; impact: service disruption
21 wIPS Process Flow and Component Interactions
Solution | Components | Functions | Licensing
Base IDS | WLC, AP and Prime Infrastructure (optional) | Supports 17 native signatures; supports rogue detection & containment | Does not require any licensing
Adaptive wIPS | WLC, AP, MSE and Prime Infrastructure | Offers comprehensive over-the-air threat detection & mitigation | Licensed feature on MSE
Flow: wIPS AP --CAPWAP--> Wireless Controller --NMSP--> wIPS MSE 8.x --SNMP trap--> Prime Infrastructure
22 wIPS with Cisco Mobility Services Engine (MSE) 8.0
Prime Infrastructure communicates with the MSE over SOAP/XML over HTTP/HTTPS; WLCs feed the MSE; APs attach to the WLCs (diagram)
23 aWIPS: Accurate Detection & Mitigation
- Threats: Cracking, Recon, DoS, Rogue AP/Clients, Ad-Hoc Connections, Over-the-Air Attacks
- Detection: On/Off Channel Scanning, Signature & Anomaly Detection, Network Traffic Analysis, Device Inventory Analysis
- Classification: default tuning profiles, customizable event auto-classification, wired-side tracing, physical location
- Notification: unified PI security dashboard, flexible staff notification, device location
- Mitigation: wired port disable, over-the-air mitigation, auto or manual, uses all APs for superior scale
- Management: role-based with audit trails, customizable event reporting, PCI reporting, full event forensics
24 Supported AP modes for wIPS
Table of AP modes (mode names not transcribed): data service on 2.4 and 5 GHz / 2.4 and 5 GHz / 5 GHz / 2.4 and 5 GHz, each with wIPS on all channels; the last mode provides wIPS on all channels on a best-effort basis
Cisco Adaptive wIPS Deployment Guide: (link not transcribed)
25 Cisco Wireless Security Deployment with AP3800/2800: Maintains Capacity and Avoids Interference
Feature | Good: ELM | Better: Monitor Mode AP | Best: ELM with FRA Monitor Mode
Deployment density | Per AP | 1 in 5 APs | 1 radio per 5 APs
Client serving with security monitoring | Y | N | Y
wIPS security monitoring | 50 ms off-channel scan on selected channels on 2.4 and 5 GHz | 7x24 all channels on 2.4 GHz and 5 GHz | 7x24 all channels on 2.4 GHz and 5 GHz
CleanAir spectrum intelligence | 7x24 on client serving channel | 7x24 all channels on 2.4 GHz and 5 GHz | 7x24 all channels on 2.4 GHz and 5 GHz
Channel timelines (figure not transcribed): Enhanced Local Mode AP (GOOD) serves its channel on 2.4 GHz and 5 GHz with short off-channel scans; Monitor Mode AP (BETTER) cycles through Ch1..Ch11 and Ch36..Ch161; ELM with FRA (BEST) serves clients on one radio while the other radio scans 2.4 GHz and 5 GHz channels for security monitoring
26 Rogue Access Points: What are they?
A rogue AP is an AP that does not belong to our deployment. "I don't know it." "Me neither." We might need to care (malicious/on network) or not (friendly). Sometimes we can disable them, sometimes we can mitigate them.
27 Rogue Detection and Mitigation
- Rogue classification and containment: rogue rules; manual classification (friendly/malicious); manual and auto containment
- FRA with monitor-mode radio on a data-serving AP
- CleanAir with rogue AP types: Wi-Fi invalid channel, Wi-Fi inverted
- Rogue location: real time with PI, MSE, CleanAir; location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers
Scan timing (figure): the dedicated 5 GHz monitor radio scans 1.2 s per channel; a Monitor Mode AP scans 1.2 s per channel; client-serving radios on 2.4 GHz and 5 GHz go off-channel for 50 ms
28-30 Optimize Wi-Fi with CleanAir: Quickly Identify and Mitigate Wi-Fi Impacting Interference (RRM)
Three build slides with the same title; channel diagram not transcribed.
31 CleanAir detectable Attacks: some examples (see BRKEWN-3010)
- Layer 3-7: IP and application attacks & exploits - traditional IDS/IPS
- Layer 2: Wi-Fi protocol attacks & exploits - wIPS
- Layer 1: RF signaling attacks & exploits - CleanAir (dedicated to L1 exploits)
Examples: rogue threats, undetectable rogues, Wi-Fi jammers, classic interferers on 2.4 GHz and 5 GHz
32 Secure Access to Corporate Network: ISE; Access methods; Guest Management
33 Secure Access to Corporate Network: 802.1x, WebAuth, Guest Access, MAC Auth, Classification, BYOD, NAC, RADIUS
34 Identity Services Engine
35 Cisco Identity Services Engine (ISE) (see BRKSEC-3697, BRKSEC-3699)
ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server converge into the Identity Services Engine.
Functions: Centralized Policy; RADIUS Server; Posture Assessment; Guest Access Services; Device Profiling; Client Provisioning; MDM; Monitoring & Troubleshooting; Device Admin / TACACS+
36 Authentication and Authorization: What are they?
- Authentication tells who/what the endpoint is: 802.1X / iPSK / MAB / WebAuth
- Authorization tells what the endpoint has access to. Policy elements: VLAN, Access Control List, Quality of Service, Application Control, Bonjour Service Policy, URL Redirect
37 URL Redirect: Central Web Auth, Client Provisioning, Posture
- Url-Redirection: for CWA, Client Provisioning, Posture and MDM, the URL value is returned as a Cisco AV-pair RADIUS attribute, e.g. cisco:cisco-av-pair=url-redirect= action=cwa
- Url-Redirect-Acl: this ACL specifies the traffic to be permitted (bypass redirection) or denied (trigger redirection). ISE returns only the ACL name, which refers to a named ACL configured on the WLC, e.g. cisco-av-pair=url-redirect-acl=acl-posture-redirect
- ACL entries define the traffic subject to redirection (deny) and the traffic that bypasses redirection (permit)
38 Client attributes and traffic for Profiling: how RADIUS, HTTP, DNS, DHCP (and other traffic) are used to classify clients
ISE uses multiple attributes to build a complete picture of the end client's device profile. Information is collected from sensors which capture different attributes.
1. The MAC address is checked against the known vendor OUI database.
2. DHCP/HTTP sensor: the client's DHCP/HTTP attributes are captured by the AP and provided in RADIUS Accounting messages by the WLC.
3. HTTP User-Agent: mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE's portals.
39 Profiling Example from ISE
- Is the MAC address from Apple?
- DHCP:host-name CONTAINS ipad
- IP:User-Agent CONTAINS ipad
- I have some certainty that this device is an iPad
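The profiling example above combines three probe attributes into a certainty score. The following is an added illustration, not ISE's own profiler: a small rule engine with a constructed OUI table and constructed certainty values, which also shows why a client-controlled host-name or User-Agent alone should not be enough to classify a device.

```python
"""Added example: ISE-style profiling with certainty scores over MAC OUI,
DHCP host-name and HTTP User-Agent. Profiles, certainty values and the OUI
table are constructed for illustration; they are not ISE's profile library."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed OUI dictionary (first three octets -> vendor). Illustrative only.
OUI_VENDORS = {"00:11:22": "Apple", "00:33:44": "Acme-IoT"}


@dataclass
class Endpoint:
    """Attributes collected through the RADIUS, DHCP and HTTP probes."""
    mac: str
    dhcp_hostname: str = ""      # DHCP host-name, captured by the AP
    http_user_agent: str = ""    # HTTP User-Agent, from the HTTP sensor or portal


@dataclass
class Condition:
    name: str
    test: Callable[[Endpoint], bool]
    certainty: int               # points added when the condition matches


@dataclass
class Profile:
    name: str
    conditions: list
    min_certainty: int
    parent: Optional[str] = None  # a child profile requires its parent to match


def vendor_of(mac: str) -> str:
    """Step 1 on the slide: look the OUI up in the vendor table."""
    return OUI_VENDORS.get(mac.upper()[:8], "Unknown")


PROFILES = [
    Profile("Apple-Device",
            [Condition("MAC:OUI is Apple",
                       lambda e: vendor_of(e.mac) == "Apple", 10)],
            min_certainty=10),
    Profile("Apple-iPad",
            [Condition("DHCP:host-name CONTAINS ipad",
                       lambda e: "ipad" in e.dhcp_hostname.lower(), 20),
             Condition("IP:User-Agent CONTAINS ipad",
                       lambda e: "ipad" in e.http_user_agent.lower(), 20)],
            min_certainty=30, parent="Apple-Device"),
]


def score(endpoint: Endpoint, profile: Profile) -> int:
    """Sum the certainty of every condition that matches."""
    return sum(c.certainty for c in profile.conditions if c.test(endpoint))


def classify(endpoint: Endpoint) -> tuple:
    """Return (most specific matching profile, its certainty).
    A child profile only counts when its parent already matched, so a spoofed
    host-name or User-Agent without an Apple OUI never yields 'Apple-iPad'."""
    matched = {}
    for profile in PROFILES:  # parents are listed before their children
        if profile.parent and profile.parent not in matched:
            continue
        s = score(endpoint, profile)
        if s >= profile.min_certainty:
            matched[profile.name] = s
    if not matched:
        return ("Unknown", 0)
    best = list(matched)[-1]  # last inserted is the most specific
    return (best, matched[best])
```

With only the host-name matching (20 < 30) the device stays at "Apple-Device", which is the "some certainty" the slide refers to.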
40 Local (WLC) Device Classification
Collection:
1. MAC address checked against the vendor OUI database
2. Client's DHCP attributes captured by the AP
3. User-Agent payload on a custom HTTP port inspected by the HTTP sensor
Analysis: pre-defined device signatures and in-built MAC OUI dictionary; MAC OUI and device profiles can be dynamically updated on the WLC independent of the controller image
41 Profile based Policy Enforcement: practical examples of policies
User Role | Device | Service | Action
Employee | Corporate asset | Product Bookings / Facebook.com | Permit
Employee | iPad | Facebook.com | Permit
Employee | iPad | Product Bookings | Deny
42 Client Access Methods: 802.1x; Identity PSK; MAB; WebAuth
43 Device Awareness: Identity is the Base
Authentication mechanism | Security benefits | Drawback
802.1x | Robust industry standard; strong encryption and authentication | Requires an 802.1x supplicant; complex to configure, implement and manage
Identity PSK | Easy to configure; strong encryption; works with existing infrastructure | Passphrase must be keyed in manually on the client
Web authentication | Used with MAB and the profiler to trigger the guest process for secure onboarding and resources for guest access | Web auth by itself offers per-client access rather than group-level access
Diagram: ISE behind the IP network; 802.1x for authorized users and managed devices/users; Identity PSK for IP phones and IoT devices; web auth for guests
44 802.1X
Why 802.1X?
- Industry standard approach to identity
- Most secure user/device authentication
- Complements other switch security features
- Various deployment options
- Foundation for services like posture and policy implementation
How does it work? Supplicant --EAPoL--> Authenticator (AP, WLC) --RADIUS--> Authentication Server (ISE)
45 EAP Authentication Types: different authentication options leveraging different credentials
- Tunnel-based: EAP-PEAP, EAP-FAST, with inner methods EAP-GTC, EAP-TLS, EAP-MSCHAPv2
- Certificate-based: EAP-TLS
Tunnel-based: common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner method, which may be vulnerable by itself.
Certificate-based: for more security, EAP-TLS provides mutual authentication of both the server and the client.
46 RADIUS Change of Authorization (CoA)
- The RADIUS protocol is initiated by the network device (NAD); on its own, ISE has no way to change an authorization
- (config)#aaa server radius dynamic-author client {PSN} server-key {RADIUS_KEY}
- Now the network device listens for CoA requests from ISE (RADIUS CoA, UDP 1700/3799): "Now I can control ports when I want to!"
- CoA actions: re-authenticate session; terminate session; terminate session with port bounce; disable host port
47 Identity PSK (8.5): multiple PSKs per SSID allow for advanced security encryption across all devices
- Increased demand for IoT devices: identity security without 802.1x
- Simple operations, high scale, cost effective
- Private PSK with RADIUS integration
- Per-client AAA override (VLAN / ACL etc.)
48 Identity PSK (8.5)
WLAN settings: PSK, MAC Filtering, AAA Override
Flow: device (IOT Devices, Sensors) -> Access Point -> Wireless LAN Controller -> ISE
ISE returns the private PSK as Cisco-AVPair attributes: Cisco-AVPair += "psk-mode=ascii"; Cisco-AVPair += "psk=aabbcc" (or "psk=xxyyzz"); Employees get no PSK attributes and use the Employees WLAN PSK
Device MAC Group | Private PSK
IOT Devices | aabbcc
Sensors | xxyyzz
Employees | --- (WLAN PSK)
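The slide above shows the attribute exchange but not what the controller does with it. This added example (not Cisco's code) models both ends of the Identity PSK flow: the MAC-filtering lookup that returns psk-mode/psk AV-pairs, the WLC's choice between the per-client PSK and the WLAN PSK, and the WPA2 PMK derivation that makes each device group's keys distinct on a single SSID. The SSID, MAC table and passphrases are constructed.

```python
"""Added example: Identity PSK authorization and the resulting WPA2 PMK.
ISE returns a group's private PSK as Cisco-AVPair values; the WLC derives the
PMK from that PSK (or from the WLAN PSK when no attributes are returned).
The SSID, MAC-to-group table and passphrases are constructed for illustration."""
import hashlib

SSID = "IOT-SSID"                          # constructed
WLAN_PSK = "employees-shared-passphrase"   # constructed WLAN-level PSK

# Constructed device MAC -> (MAC group, private PSK). The slide's "aabbcc" and
# "xxyyzz" stand in for real passphrases, which must be 8-63 ASCII characters.
DEVICE_GROUPS = {
    "00:11:22:33:44:55": ("IOT Devices", "aabbcc-private-psk"),
    "00:11:22:33:44:66": ("IOT Devices", "aabbcc-private-psk"),
    "66:55:44:33:22:11": ("Sensors", "xxyyzz-private-psk"),
}


def ise_authorize_mab(mac: str) -> list:
    """ISE side of the MAC-filtering (MAB) request: the Cisco-AVPair values added
    to the Access-Accept. MACs not in the table (Employees on the slide) get no
    PSK attributes and therefore fall back to the WLAN PSK."""
    entry = DEVICE_GROUPS.get(mac.lower())
    if entry is None:
        return []
    _group, psk = entry
    return ["psk-mode=ascii", f"psk={psk}"]


def wlc_effective_psk(av_pairs: list) -> str:
    """WLC side: honour a per-client PSK only when psk-mode=ascii and psk= are
    both present (AAA override); with no PSK attributes use the WLAN PSK."""
    attrs = dict(p.split("=", 1) for p in av_pairs)
    mode, psk = attrs.get("psk-mode"), attrs.get("psk")
    if mode is None and psk is None:
        return WLAN_PSK
    if mode != "ascii" or not psk:
        raise ValueError(f"unsupported or incomplete PSK attributes: {av_pairs}")
    if not 8 <= len(psk) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return psk


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase with
    the SSID as salt, 4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def client_pmk(mac: str) -> str:
    """End to end: MAB lookup -> AV-pairs -> effective PSK -> PMK (hex)."""
    return pmk(wlc_effective_psk(ise_authorize_mab(mac)), SSID).hex()
```

Because the PMK differs per group, a sensor that learns the IoT passphrase cannot derive the keys of the other groups on the same SSID.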
49 Central Web Authentication (CWA)
CWA is a URL-redirect scenario: the redirection URL and the redirect ACL are centrally configured on ISE and communicated to the WLC via RADIUS.
Participants: host, AP/WLC, DHCP/DNS, ISE server
1. Open SSID with MAC filtering enabled; first authentication session
2. AuthC success; AuthZ for the unknown MAC returned: redirect/filter ACL, portal URL
3. Host acquires an IP address, triggers session state
4. Host opens a browser; WLC redirects the browser to the ISE web page (login page)
5. Host sends username/password; server authorizes the user
6. Web auth success results in CoA
7. MAB re-auth: MAB success; session lookup, policy matched; authorization ACL/VLAN returned
50 Other URL-Redirect scenarios (Posture, MDM)
Thanks to RADIUS CoA we can apply other identity services after 802.1X or MAB.
1. SSID configured for 802.1X / MAB; first authentication session
2. AuthC success; AuthZ returned: redirect/filter ACL, URL for posture/MDM/etc.
3. Host acquires an IP address, triggers session state
4. Host opens a browser; WLC redirects the browser to ISE for the other services
5. Posture check, MDM check, client provisioning, etc.
6. RADIUS CoA; 802.1X/MAB re-auth; 802.1X/MAB success; session lookup, policy matched; authorization ACL/VLAN returned; server authorizes the user
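The URL-redirect flows above hinge on two AV-pairs and one ACL whose permit/deny semantics are inverted from a normal filter. This added example (not the WLC's or ISE's code) parses those AV-pairs from an Access-Accept, applies the named redirect ACL to client flows, and shows the CoA-driven re-authorization clearing the redirect. The ACL entries, portal URL and addresses are constructed.

```python
"""Added example: how a controller acts on the url-redirect and url-redirect-acl
Cisco AV-pairs during CWA/posture redirection. Permit entries bypass
redirection, deny entries (and the implicit deny) trigger it for HTTP; a later
authorization without url-redirect clears the redirect. ACL contents, portal
URL and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" = bypass redirection, "deny" = subject to redirection
    proto: str       # "any", "tcp" or "udp"
    dst_net: str     # CIDR
    dst_port: Optional[int] = None


# Named ACLs configured on the WLC (constructed). ISE returns only the name, so
# the name must already exist here or the authorization cannot be applied.
WLC_NAMED_ACLS = {
    "acl-cwa-redirect": [
        AclEntry("permit", "udp", "0.0.0.0/0", 53),           # DNS must bypass, or the portal name never resolves
        AclEntry("permit", "tcp", "198.51.100.10/32", 8443),  # the ISE portal itself (constructed address)
        AclEntry("deny", "tcp", "0.0.0.0/0", 80),             # all other HTTP is redirected
    ],
}


@dataclass
class Session:
    mac: str
    redirect_url: Optional[str] = None
    redirect_acl: Optional[list] = None


def parse_av_pairs(attrs: list) -> dict:
    """Turn 'cisco:cisco-av-pair=url-redirect=https://...?a=b' style values into
    a dict. Only the first '=' after the pair name splits key from value, so
    the '=' characters inside the portal URL survive."""
    out = {}
    for raw in attrs:
        body = raw.removeprefix("cisco:").removeprefix("cisco-av-pair=")
        key, _, value = body.partition("=")
        out[key] = value
    return out


def apply_authorization(session: Session, attrs: list) -> str:
    """Install the AuthZ result of an Access-Accept (initial MAB/802.1X result or
    the re-auth that follows the CoA). Returns the resulting session state."""
    av = parse_av_pairs(attrs)
    if "url-redirect" not in av:
        session.redirect_url = None
        session.redirect_acl = None
        return "authorized"
    name = av.get("url-redirect-acl")
    if name not in WLC_NAMED_ACLS:
        raise ValueError(f"url-redirect-acl {name!r} is not configured on the WLC")
    session.redirect_url = av["url-redirect"]
    session.redirect_acl = WLC_NAMED_ACLS[name]
    return "redirect"


def _matches(entry: AclEntry, flow: Flow) -> bool:
    if entry.proto != "any" and entry.proto != flow.proto:
        return False
    if entry.dst_port is not None and entry.dst_port != flow.dst_port:
        return False
    return ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(entry.dst_net)


def handle_flow(session: Session, flow: Flow) -> str:
    """Simplified model of the pre-auth data path: permit -> forward; deny or
    no match -> HTTP is redirected to the portal, anything else is dropped.
    Once the redirect is cleared, everything forwards."""
    if session.redirect_url is None:
        return "forward"
    action = "deny"  # implicit deny at the end of the ACL
    for entry in session.redirect_acl:
        if _matches(entry, flow):
            action = entry.action
            break
    if action == "permit":
        return "forward"
    if flow.proto == "tcp" and flow.dst_port == 80:
        return f"redirect {session.redirect_url}"
    return "drop"
```

Forgetting the DNS and portal permit entries is the classic misconfiguration: the redirect fires, but the client can never reach the page it is sent to.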
51 MDM Integration
Device status attributes: ISE Registered; MDM Registered; Encryption; PIN Locked; Jail Broken
52 Guest Management
53 Managing Guest User Lifecycle with ISE
- Provisioning: create guest accounts (create a single guest account; import a CSV file for multiple guest accounts)
- Notification: give accounts to guests (print account details; send account details via email; send account details via text)
- Management: manage guest accounts (view, edit, suspend guest accounts; manage batches of created accounts)
- Reporting: report on guests (view and audit reports on individual guest accounts; display management reports on guest accounts)
54 ISE Sponsor Portal
- Customizable sponsor pages
- Sponsor privileges tied to a defined sponsor policy: roles the sponsor can create; time profiles that can be assigned; management of other guest accounts; single or bulk account creation
55 ISE Guest Self-Service (screenshot not transcribed)
56 Network Based Security
57 Solution Level Attack Protection
- TrustSec: SXP, inline tagging
- AVC / NetFlow
- Local Policy with AVC, Umbrella, URL Filtering
- AAA Override: VLAN, ACL, QoS
58 Integrating Security IN the Network
- Network as a Security Sensor (NaaS): detect anomalous traffic; detect user access violations; obtain broad visibility of network traffic
- Network as a Security Enforcer (NaaE): software defined segmentation to contain attacks; dynamic user groups and consistent policy across the network, users and devices; access control to protect resources
59 Network as a Sensor: Application Visibility & Control; NetFlow
60 The Network Gives Deep and Broad Visibility
The network is a key asset for threat detection and control: discover and classify assets; active monitoring; network segmentation; understand behavior; enforce policy; design and model policy
61 How AVC Works on Cisco Wireless: Visibility, Control, Context and Analytics (AireOS 8.1)
- NBAR on the AP (deep packet inspection): the DPI engine (NBAR2) identifies applications using L7 signatures
- Performance collection & exporting: collects application info and exports it to the controller every 90 seconds; static NetFlow
- Reporting tool: Cisco Prime Infrastructure, StealthWatch, LiveAction and others; app visibility & user experience report, e.g. WebEx 3 Mb / 150 ms transaction time, Citrix 10 Mb / 500 ms
- Control: use QoS rate limiting (High / Med / Low) to control application bandwidth usage for performance
62 AVC on FlexConnect Access Points (8.1)
- AVC supported on Gen 2 FlexConnect Access Points (AireOS 8.1); NetFlow export from the branch AP to the WLC across the WAN
- Real-time information for the last 90 seconds
- Protocol Pack 14 with upgraded NBAR engine 23
- Stateful context transfer on roam, supported for intra-FlexConnect-group roams
63 NetFlow: the heart of network as a sensor
NetFlow record fields: Who - Client MAC, Client IP; Where - SSID, Access Point MAC; What - Packet Count, Byte Count, ToS/DSCP Value, Application Tag; When
- NetFlow statistics sent at an interval of 30 seconds
- NetFlow record sent even for unclassified applications
- Username sent for dot1x authentication
64 Network as an Enforcer: Wireless StealthWatch Integration; TrustSec for Policy Enforcement; Policy Management with ISE; Native Policy Management on WLC
65 Wireless StealthWatch Integration: Network as a Sensor, Network as an Enforcer (see BRKSEC-3014)
- AireOS 8.2 on 5520/8510/8540 WLC
- The WLC exports NetFlow v9 records (identity, MAC address, device type) to the StealthWatch Flow Collectors; flow telemetry from network devices is collected and analyzed
- StealthWatch Management Console (up to 25 Flow Collectors)
- pxGrid notifications to ISE; ISE issues a CoA to quarantine the client
66 Cisco TrustSec Enabled Network Segmentation: Simplifying Enforcement (8.4)
Traditional security policy (IP-based ACLs; addresses not transcribed):
access-list 102 permit tcp lt gt 1462
access-list 102 permit tcp gt lt 4384
access-list 102 permit icmp eq eq 878
access-list 102 permit ip gt eq 467
TrustSec security policy on an identity-enabled infrastructure: roles Employee, Supplier, Non Compliant; resources App Server, Shared Server; dynamic policy & enforcement across Data Center, Internet and Intranet
67 Wireless TrustSec Support
SGTs: 5 Employee, 6 Voice, 7 Partner
- A. Classification (assigning SGTs): static & dynamic assignments
- B. Propagation: inline SGT & SXP
- C. Enforcement: Security Group ACL
Topology- and location-independent policy: the SGT stays with the endpoint; simplifies ACL management
AP mode | SXPv4 on AP | Inline Tagging on AP | SGACL Enforcement
Local | NO | NO | YES
Flex | YES | YES | YES
Mesh | NO | NO | YES (indoor only)
68 Egress Policy Matrix: the default rule can be Permit or Deny (matrix screenshot not transcribed)
69 Ingress classification, Egress Enforcement
- User authenticated on the WLC5508 and classified as Marketing (SGT 5); the traffic carries SRC SGT 5 across the Enterprise Backbone (Cat3850, Cat6800, Nexus 7000, Nexus 5500, Nexus 2248)
- Destination classification: Web_Dir: SGT 20; CRM: SGT 30
- At egress the switch looks up the destination SGT (e.g. 20) and applies SGACL-A
SRC \ DST | Web_Dir (20) | CRM (30)
Marketing (5) | Permit | Deny
BYOD (7) | Deny | Deny
70 TrustSec East-West Traffic Use Case: role based segmentation
- Data center access control based on the role of the user: Employee tag, Supplier tag; Shared Services, Remediation and Application Servers behind the DC switch
- TrustSec-enabled WLC & AP receive policy only for what is connected (ISE; wired/wireless; VLAN Data-1, VLAN Data-2)
71 TrustSec Demo
72 How about policies?
- Differentiating user groups
- Keeping untrusted devices out
- Basic access vs. full access
73 ISE for Network-Wide Unified Policy Enforcement
- Services: Profiling, Posture, Guest Access
- Context: WHO, WHAT, WHERE, WHEN, HOW (e.g. KG / Employee / 2 pm; TonyS / Consultant / 6 pm; Franklo / Guest / 9 am; Personal iPad / Employee Owned)
- Identity: 802.1X, iPSK, MAB, WebAuth
- Enforced on: Wireless LAN Controller, Access Points, Switches, Routers
74 Client Context and Policies: Control and Enforcement
1. Identity: 802.1X EAP machine/user authentication through the Access Point and Wireless LAN Controller to ISE (RADIUS)
2. Profiling to identify the device: HTTP, NetFlow, SNMP, DNS, RADIUS, DHCP probes (e.g. HQ, company asset, 2:38pm; personal asset)
3. Posture of the device
4. Policy decision
5. Unified access management: enforcement via dACL, VLAN, SGT
6. Full or partial access granted: corporate resources, or Internet only
75 Local Profiling and Policy on WLC: build BYOD with native WLC options
- Inputs (conditions): access method, user role, device type, time of day, authentication type
- Results (enforcement elements): VLAN, Access Control List, Quality of Service, AVC, Bonjour Service Policy
ISE and Wireless LAN Controller profiling support:
- ISE: profiling using RADIUS probes, DHCP probes, HTTP, SNMP, DNS, NetFlow; multiple attributes for policy action supported; profiling rules can be customized
- Wireless LAN Controller: profiling based on MAC OUI, DHCP, HTTP User-Agent; policy action attributes: VLAN, ACL, session timeout, QoS; default profiling rules
76 Policies for Applications and Services
1. Cisco Umbrella
2. URL Filtering
3. AVC
4. mDNS and Bonjour Services
77 WLC integration with Cisco Umbrella: policy tie-in to Cisco Umbrella
78 Cisco Umbrella for Content Filtering (8.4): why care about DNS?
- Cloud based web filtering: low cost architecture
- Threat management: data analysis methods
- Insightful reporting: powerful reporting and analytics
- Uses recursive DNS; covers network, mobile, virtual, endpoint and cloud apps
79 Cisco Umbrella with WLC
- The WLC intercepts the client's DNS packet and redirects the query to the Umbrella cloud server (address not transcribed) instead of the configured DNS server (or external DNS proxy)
- Content filtering and whitelisting at the DNS layer, at WLAN, AP Group or Policy level
- Example: ACME policies block gaming sites (DNS query / DNS response diagram)
80 Role Based Policy with Cisco Umbrella: OpenDNS profile mapping in Local Policy
AAA user role Contractor -> Contractor Policy; AAA user role Employee -> Employee Policy
81-82 Role Based Policy with Cisco Umbrella (see BRKSEC-2980, LABSEC-2006)
Build slides: DNS query to the Cisco Umbrella cloud, DNS response (diagram not transcribed)
83 Location Based Policy with Cisco Umbrella: OpenDNS profile mapping in AP Group
Corporate HQ -> Corporate Policy; Branch Office -> Branch Policy
84 Cisco Umbrella Demo
85 Application Visibility and Control: policy tie-in to AVC
86 Granular Filtering with Policy tie-in to AVC
- Role based application policy: Alice (Sales) and Bob (IT Admin) are both employees; both are connected to the same SSID; Alice can access certain applications (YouTube), Bob cannot
- Role based + device type application policy: Alice can access inventory info on an IT-provisioned Windows laptop; Alice cannot access inventory info on her personal iPad
- Role based + device type + application specific policy: Alice has limited access (rate limit) to Jabber on her iPhone
AVC release history: 7.4 AVC; 7.5 dynamic protocol pack update; 7.6 Jabber, Lync 2013 support; 8.0 user and device aware policies, ability to classify Apple iOS, Windows, Android upgrades; 8.1 user & device aware policies, ability to classify Apple iOS, Windows, Android upgrades; 8.2 Wi-Fi calling, Skype for Business, UserId + IP flow for NetFlow export, StealthWatch collector
87 AVC (Application Visibility and Control): per-user profiles via AAA
RADIUS returns the profile name to the WLC: cisco-av-pair = avc-profile-name = AVC-Employee (Employee); cisco-av-pair = avc-profile-name = AVC-Contract (Contractor)
Employee profile: YouTube, Facebook, Skype, BitTorrent; Contractor profile: Facebook, Skype
88 mDNS Bonjour Service: policy tie-in to mDNS
89 mDNS and Bonjour Services
- mDNS profiles: filter by WLAN and VLAN; select services
- mDNS profile with Local Policy: services per user and per device
- mDNS policies: services based on AP location and user role
Example: Teacher service profile - AirPrint, AirPlay, File Share; Teacher service instance list - Apple TV1. Student service profile - AirPlay, File Share, AirPrint; Student service instance list - Apple TV1, iTunes Sharing. mDNS service instance groups: Teacher Network, Student Network, Apple TV2
90 Consolidate, Secure and Segment Enterprise Use Case for Workforce, IoT and Guest Access
91 Consolidate, Secure, Segment: Wireless Security for Workforce
Consolidate SSIDs | Enterprise SSID | IoT SSID | Guest SSID
User category | Employees, Contractors, BYOD devices | IoT devices like sensors, robots etc. | Guest users
Security (L2/L3) | 802.1x, BYOD, CWA | Identity PSK | Web-authentication
Secure the clients | Policy based on user role, device, time of day, auth type: ACL, QoS, AVC profile, mDNS profile, OpenDNS policy
Secure the air | Rogue detection, basic wIPS, advanced wIPS, CleanAir for interferers; management frame protection using MFP and 802.11w
AAA override | VLAN-based segmentation based on user role/identity with a single SSID | VLAN-based segmentation based on IoT device groups with a single PSK SSID | Specific users can be quarantined or rate-limited
Segment and secure the network | SGT/TrustSec segmentation by function, e.g. Marketing, Sales, HR; SGT override for IoT device groups; Cisco Umbrella and OpenDNS policy based on SSID, AP Group, Local Policy; StealthWatch integration
Trust wireless | Encrypted mobility tunnels between controllers in the mobility group and the Guest Anchor; secure connection between WLC and AP using DTLS; Common Criteria, Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL)
92 Enterprise SSID Security and Segmentation
(Diagram: clients on the Enterprise SSID authenticate with 802.1x through the access point and WLC to ISE; AAA override applies the per-role policy; traffic enters the enterprise backbone carrying a Scalable Group Tag.)
Category-based filtering based on Umbrella policy; role-based access control based on Scalable Group Tags and SGACLs; VLAN-based segmentation using AAA override; Apple devices controlled via mDNS profile
Scalable Group Tags: Marketing SGT = 4; Sales SGT = 5; Contractors SGT = 6
VLANs: Employee VLAN ID = 10; Contractor VLAN ID = 20
Policy Classification Engine (one local policy per user role):
  User role | VLAN | Application | Apple devices (mDNS) | Umbrella policy
  user-role = Marketing | 10 | Mark Webex, Jabber | Apple TV, Printer, iTunes | Block ebay
  user-role = Sales | 10 | Mark Webex, Jabber | Apple TV, Printer, iTunes | Block ebay
  user-role = Contractor | 20 | Drop Youtube | Printer only | Block ebay, CNN, BBC, Facebook
Micro-segmentation using Cisco TrustSec, SGACL toward the backend servers: SGT 4 PERMIT; SGT 5 PERMIT; SGT 6 DENY
93 Consolidate, Secure, Segment: Wireless Security for IOT (repeats the summary table of slide 91)
94 IOT SSID Security and Segmentation
(Diagram: IOT sensors, IOT lighting and smart devices join the single IOT SSID with Identity PSK through the access point and WLC; ISE returns the per-identity PSK and the AAA override; traffic enters the enterprise backbone carrying a Scalable Group Tag.)
Scalable Group Tags: IOT Sensors SGT = 4; IOT Lighting SGT = 5; Smart Devices SGT = 6
Identity PSK mapping (AAA override):
  Identity | PSK | VLAN
  IOT Sensors | aabbcc | 30
  IOT Lighting | eeffgg | 10
  Smart Devices | xxyyzz | (VLAN not shown on the slide)
VLANs: IOT Sensors VLAN ID = 30; IOT Lighting VLAN ID = 10
Per-identity ACL results in the diagram: PERMIT, PERMIT, DENY
SGACL toward the backend servers: SGT 4 PERMIT; SGT 5 DENY; SGT 6 DENY
95 Consolidate, Secure, Segment: Wireless Security for Guest
Consolidate SSIDs: Enterprise SSID | IOT SSID | Guest SSID
User category: Employees, Contractors, BYOD devices | mission-specific IOT devices like sensors, robots etc. | Guest users
Security (L2/L3): 802.1x, BYOD, CWA | Identity PSK | Web authentication
Secure the clients (all SSIDs): policy based on user role, device, time of day and auth type; ACL, QoS, AVC profile, mDNS profile, OpenDNS policy
Secure the air (all SSIDs): rogue detection, basic wIPS, advanced wIPS, CleanAir for interferers; management frame protection using MFP and 802.11w
AAA override: VLAN-based segmentation by user role and identity with a single SSID | VLAN-based segmentation by IOT device group with a single PSK SSID | specific users can be quarantined or rate-limited
Segment and secure the network: TrustSec assignment by function, e.g. Marketing, Sales, HR | TrustSec override for IOT device groups | segmentation by anchoring guest traffic to the DMZ
  Cisco Umbrella policy based on SSID, AP group, local policy; StealthWatch integration
  Encrypted mobility tunnels between controllers in the mobility group and the guest anchor; secure connection between WLC and AP using DTLS
Trust wireless: Common Criteria (CC), Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL)
96 Guest SSID Security and Segmentation
(Diagram: guest clients authenticate with web auth on the Guest SSID; guest traffic is tunneled from the WLC to the anchor WLC in VLAN 50 with SGT = 7, alongside the Employee and Server groups; ISE applies the AAA override.)
Category-based filtering based on Umbrella policy; role-based access control based on Scalable Group Tags and SGACLs; Guest VLAN ID = 50
Policy Classification Engine:
  User role | VLAN | Application | QoS | Umbrella policy | SGT | Backend servers
  Guest | 50 | Mark Webex, Jabber; Drop Youtube | Rate-limit | Block news, sports | 7 | DENY
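The policy resolution shown on slides 92, 94 and 96, modelled as an added example that is not part of the Cisco deck: AAA override maps an Enterprise role, an Identity PSK device group or a web-authenticated guest to VLAN, SGT and per-role policy, and an SGACL keyed on (source SGT, destination SGT) decides backend access. Assumptions: the backend servers carry SGT 100, the sample client MACs are constructed, the IoT groups are renumbered to SGTs 14-16 because the deck reuses 4-6 for both roles and IoT groups while a TrustSec tag is network-wide, and Smart Devices get VLAN 40 where the slide leaves it blank.

```python
"""Model of consolidated-SSID policy: AAA override -> VLAN/SGT/policy, SGACL enforcement."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

PERMIT, DENY = "PERMIT", "DENY"
SERVER_SGT = 100  # assumption: the deck never numbers the backend servers' tag

# Slide 92: enterprise roles (802.1x). Values as on the slide.
ROLE_POLICY = {
    "Marketing":  dict(vlan=10, sgt=4, mark=["Webex", "Jabber"], drop=[],
                       mdns=["Apple TV", "Printer", "iTunes"], umbrella_block=["ebay"]),
    "Sales":      dict(vlan=10, sgt=5, mark=["Webex", "Jabber"], drop=[],
                       mdns=["Apple TV", "Printer", "iTunes"], umbrella_block=["ebay"]),
    "Contractor": dict(vlan=20, sgt=6, mark=[], drop=["Youtube"],
                       mdns=["Printer"], umbrella_block=["ebay", "CNN", "BBC", "Facebook"]),
}
# Slide 96: guest (web auth), anchored in the DMZ, rate-limited, SGT 7.
GUEST_POLICY = dict(vlan=50, sgt=7, mark=["Webex", "Jabber"], drop=["Youtube"],
                    mdns=[], umbrella_block=["news", "sports"], rate_limit=True)
# Slide 94: Identity PSK. PSKs and the first two VLANs are the slide's placeholders;
# SGTs 14-16 and VLAN 40 are assumptions (see lead-in).
IPSK_IDENTITY = {                       # identity -> (psk, vlan, sgt)
    "IOT Sensors":   ("aabbcc", 30, 14),
    "IOT Lighting":  ("eeffgg", 10, 15),
    "Smart Devices": ("xxyyzz", 40, 16),
}
# Constructed sample: which client MACs the RADIUS server maps to which identity.
IPSK_MAC_IDENTITY = {"00:11:22:00:00:01": "IOT Sensors",
                     "00:11:22:00:00:02": "IOT Lighting",
                     "00:11:22:00:00:03": "Smart Devices"}
# SGACL toward the backend servers (slides 92/94/96, IoT rows with renumbered tags).
SGACL = {(4, SERVER_SGT): PERMIT, (5, SERVER_SGT): PERMIT, (6, SERVER_SGT): DENY,
         (7, SERVER_SGT): DENY,
         (14, SERVER_SGT): PERMIT, (15, SERVER_SGT): DENY, (16, SERVER_SGT): DENY}


@dataclass
class Session:
    ssid: str
    identity: str
    vlan: int
    sgt: int
    policy: dict = field(default_factory=dict)
    pmk: Optional[bytes] = None  # only set for Identity PSK clients


def wpa2_pmk(psk: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), the
    WPA2-Personal derivation. With Identity PSK each device group has its own
    passphrase, so the WLC can only complete the 4-way handshake against the PSK
    that RADIUS returned for that client's identity."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def aaa_override(ssid, *, role=None, mac=None, web_auth_ok=False):
    """Resolve a client to VLAN/SGT/policy as the WLC does on AAA override.
    Returns None when the client is not admitted (unknown role, unknown MAC,
    or guest without a successful web authentication)."""
    if ssid == "Enterprise":
        if role not in ROLE_POLICY:
            return None
        p = ROLE_POLICY[role]
        return Session(ssid, role, p["vlan"], p["sgt"], p)
    if ssid == "IOT":
        ident = IPSK_MAC_IDENTITY.get(mac)
        if ident is None:
            return None  # no PSK returned for this MAC: association fails
        psk, vlan, sgt = IPSK_IDENTITY[ident]
        return Session(ssid, ident, vlan, sgt,
                       {"mdns": [], "umbrella_block": []}, wpa2_pmk(psk, ssid))
    if ssid == "Guest":
        if not web_auth_ok:
            return None
        return Session(ssid, "guest", GUEST_POLICY["vlan"], GUEST_POLICY["sgt"], GUEST_POLICY)
    return None


def backend_access(s: Session) -> str:
    """SGACL decision for traffic from this client to the backend servers.
    A (src, dst) pair with no entry is denied: default deny is the safe fallback."""
    return SGACL.get((s.sgt, SERVER_SGT), DENY)


def dns_allowed(s: Session, category: str) -> bool:
    """Umbrella category filtering per role (slides 92 and 96)."""
    return category not in s.policy.get("umbrella_block", [])


def mdns_visible(s: Session, service: str) -> bool:
    """mDNS profile per role (slide 92): only the listed services are advertised."""
    return service in s.policy.get("mdns", [])
```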
97 Key Takeaways for an End-to-End Wireless Security Solution
Take a defense-in-depth approach to security: add security layers that complement one another at different places in the IT network. What one misses, the other catches.
Complexity and security are inversely proportional: take a simple approach to designing network security policy. Break your overall policy into smaller managed pieces to simplify creating an efficient policy.
A BYOD strategy must consider all mobile worker types and functions before deploying solutions. Give it a try (e.g. a PoC) before network-wide implementation.
98 Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
Complete your session surveys through the Cisco Live mobile app or on
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at
99 Continue Your Education
Demos in the Cisco campus; Walk-in Self-Paced Labs; Lunch & Learn; Meet the Engineer 1:1 meetings; Related sessions
100 Thank you