SECURE NETWORK ACCESS

Transcription

1

2 SECURE NETWORK ACCESS

3 The Security Problem Changing Business Models Dynamic Threat Landscape Complexity & Fragmentation 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confiden5al 3

4 Mobility is a Ripple, IoT is a Tidal Wave Growing Need for Secure Access due to Larger AWack Surface Area Gen 1 Managed Endpoints IT Procured and Managed Guest Access Simple Guest Access Enterprise Mobility Procured & BYOD Mobile Device Use Internet of Everything Explosion of Network Enabled Devices Ponemon Research h=p:// 2/48

5 #1 in Market Customers 80% F25, 50% F500 Leader NAC MQ Cisco Identity Services Engine (ISE) Secure Unified Access IdenMty Context Policy Management Increases Operational Efficiency Who What Where When How Onboarding & Remediation Increases Productivity and Improves User Experience Cisco ISE Device Profiling & Posture Business-Relevant Policies Provides Comprehensive Secure Access Intelligent Identity Wired Wireless VPN Ensures Consistent Policies Network Enforcement Decreases Operational Costs Virtual machine client, IP device, guest, employee, and remote user Replaces AAA and RADIUS, NAC, guest management, and device iden5ty servers

6 Cisco ISE is Core to Cisco Security AWack Con5nuum BEFORE DURING AFTER Control Enforce Harden Detect Block Defend Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protec5on NGFW UTM Web + Security Network Behavior Analysis IdenMty Services + NAC pxgrid + TrustSec ISE Provides Visibility, Context, and Control Across the En#re ConMnuum

7 How Cisco ISE is Used Today BYOD Manage risk by providing different levels of access for mobile devices Guest Access It is easy to provide guests limited- 5me and limited- resource access Secure Access on Wired and Wireless Network and VPN Control with one policy across wired, wireless, and remote infrastructure Cisco TrustSec Network Policy Rules wriwen in business terms control access

8 BYOD Automated Self- Service Portal Get Users on the Net in Minutes, Not Hours Simple self- service portal for any user to get quickly on the net without help or hassle Reduce Burden on IT and Help Desk Staff Reliable automa5on reduces user problems to near zero so Immediate Secure Access Rigorous iden5ty and access policy enforcement

9 Key Capability: Motivated MDM Partners Unify Endpoint and Network Policies 1 BUY NEW DEVICE 2 ONBOARD AND REGISTER 3 CHOOSE PRIVILEGES Guest Business Increased producmvity through user self- provisioning Zero- touch IT support Rapid user on- boarding NEW Assured security posture with MDM integramon Automates MDM registra5on Quaran5nes non- compliant devices Users can elect to not register and be allowed guest services

10 Simplifying BYOD Onboarding ISE 1.3 Improved Device Recogni5on Branded Experiences Out- of- the- Box On- Boarding User Experience Personalized Device Portal Mobile- and Desktop- Ready Reduce Unknown Devices by 74%

11 Internal Cer5ficate Authority Simplifying Cer5ficate Management for BYOD Devices ISE 1.3 NaMve CerMficate Authority No addimonal burden to PKI Simplified Device Onboarding Simplified Proof of Concepts Cisco Confiden5al

12 Intelligently Transport Application Over VPN With AnyConnect 4.0, the Unified Agent AC 4.0 Selec5vely Tunnels Traffic Through VPN Corporate Network VPN WWW Local Network Provides unified agent that improves VPN bandwidth management in place of using mul5ple parallel VPN agents Leverages Cisco ASA and Cisco TrustSec to provide end- to- end applica5on traffic segmenta5on Extends tradi5onal VPN edge to mobile to prevent non- business apps from gaining corporate access Per- App VPN Support: ios 7+, Samsung Knox 2.0+

13 AC 4.0 is the ISE 1.3 Posture Agent ISE 1.3 AC 4.0 Network change Full Access / Remedia5on Starts Discovery Posture Assessment Invoke Downloader

14 Streamlining and Customizing Guest Experiences Enhanced in ISE 1.3 Branding with Themes Streamlined Guest Crea5on Create Accounts Print SMS Mobile Guest Sponsorship Your creden5als username: trex42 password: liwlearms SMS No5fica5ons Set- Up Secure Guest Access ~10 Minutes (Not Days)

15 ISE Ecosystem Partners Hi-Touch, Customer-Focused Partnerships SIEM & Threat Defense PrioriMze Events, User/Device- Aware AnalyMcs, Expedite ResoluMon ISE provides user and device context to SIEM and Threat Defense partners Partners u5lize context to iden5fy users, devices, posture, loca5on and network privilege level associated with SIEM/TD security events Partners may take network ac5on on users/devices via ISE Ensure Device Enrollment and Security Compliance Mobile Device Management ISE serves as policy gateway for mobile device network access MDM provides ISE mobile device security compliance context ISE assigns network access privilege based on compliance context

16 Single-Purpose APIs are Great for One Purpose Integrating One System to One Other System I have reputamon info! I need threat data I have sec events! I need reputamon I have NetFlow! I need enmtlement I have threat data! I need reputamon I have firewall logs! I need idenmty SIO Proprietary APIs aren t the solumon We need to share data I have applicamon info! I need locamon & auth- group I have NBAR info! I need idenmty I have locamon! I need idenmty I have MDM info! I need locamon I have app inventory info! I need posture I have idenmty & device- type! I need app inventory & vulnerability

17 Cisco Platform Exchange Grid pxgrid Enabling the Potential of Network-Wide Context Sharing SIO Direct, Secured Interfaces pxgrid Context Sharing Single, Scalable Framework INFRASTRUCTURE FOR A ROBUST ECOSYSTEM Single framework develop once, instead of mul5ple APIs Customize and secure what context gets shared and with which plalorms Bi- direc5onal share and consume context Enables any pxgrid partner to share with any other pxgrid partner Integra5ng with Cisco ONE SDN for broad network control func5ons

18 ISE Ecosystem in Fall 2014 Context Policy IAM & SSO ` SIEM & Threat Defense Mobile Device Management ISE 1.3 pxgrid APIs? WHITE = Announcing or Updates in 1.3 Launch Vulnerability Assessment CISCO ISE Packet Capture & Forensics IoT Policy Management Cisco WSA Policy- based Security Ac5ons Policy- based Service Levels (e.g. inves5ga5on) (e.g. QoS) Control

19 Ini5al pxgrid Uses Cases & Partners ISE 1.3 Use- Case DescripMon Partner Device/Access- Aware Applica5on Access Escalated Auth & SSO via Network Auth Priori5ze Endpoint Vulnerabili5es ISE device, posture context to IAM to control applica5on access ISE user, group, access, device context to drive escalate auth policy. ISE auth state to SSO for network- to- applica5on SSO UX. ISE iden5ty and user role to vulnerability assessment plalorm to priori5ze endpoint vulnerability remedia5on and drive DNC/EPS quaran5ne ac5ons Ping Ping Tenable Simplify Packet Capture Forensics Network Access Policy for IoT Devices SIEM/ThreatDefense Integra5on Using pxgrid ISE IP:user:device binding & related context to packet capture system to awribute user, device, role, etc. to packet capture Associate TrustSec policy with IoT devices. DNC/EPS for quaran5ning non- compliant devices. Same use- cases as exis5ng SIEM/TD ecosystem, but u5lizing pxgrid for context and DNC/EPS. Emulex Bayshore Networks NetIQ, Lancope, Splunk Fire+ISE SF using pxgrid DNC/EPS to take mi5ga5on ac5ons on threat events. Sourcefire

20 Cisco TrustSec Community Supported Network Segmenta5on and Access Enforcement Business Asset Mapped to Access Policy Source/Des5na5on Employee Finance Internet Employee Execu5ve BYOD Malware ACL Malware ACL Deny Permit Permit Permit Deny Permit Deny Permit Permit Permit Policy Enforced Across Network Switch Router VPN & Firewall DC Switch Wireless Controller Flexible and Scalable Policy Enforcement Guest Deny Deny Deny Permit 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confiden5al 20

21 How Does TrustSec Work? TrustSec Extends Control from Access to DC Device Type: Apple ipad User: Mary Group: Employee Corporate Asset: No ClassificaMon Result: Personal Asset Along with authen5ca5on, various data is sent to ISE for device profiling ISE Profiling Employee Company asset Personal asset AP ID and Profiling Data NetFlow DCHP DNS HTTP OUI RADIU NMAP S Wireless SNMP LAN Controller ISE (Iden5ty Services Engine) Security Group Policy Distributed Enforcement based on Security Group DC Resource Access Restricted Internet Only

22 TrustSec Plalorm Support Tagging Propagation Enforcement Catalyst 2960-S/-C/-Plus/-X/-XR Catalyst 3560-E/-C/-X Catalyst 3750-E/-X Catalyst 3850, 3650 WLC 5760 Catalyst 4500E (Sup6E/7E) Catalyst 4500E (8E) Catalyst 6500E (Sup720/2T), 6880X Wireless LAN Controller 2500/5500/WiSM2 Nexus 7000 Nexus 6000 Nexus 5600 Nexus 5500 Nexus 1000v (Port Profile) ISR G2 Router, CGR2000 IE2000/3000, CGS2000 ASA5500X, ASAv (VPN RAS) Catalyst 2960-S/-C/-Plus/-X/-XR Catalyst 3560-E/-C/, 3750-E Catalyst 3560-X, 3750-X Catalyst 3650, 3850 Catalyst 4500E (Sup6E) Catalyst 4500E (Sup 7E), 4500X Catalyst 4500E (Sup 8E) Catalyst 6500E (Sup720) Catalyst 6500E (Sup 2T)**** / 6880X WLC 2500, 5500, WiSM2** WLC 5760 Nexus 1000v Nexus 5500/22xx FEX** Nexus 5600/6000 Nexus 7000/22xx FEX GETVPN IPSec GETVPN IPSec ASA5500(X) ISRG2, CGR2000 ASR1000 SGACL SGACL SGACL SGACL SGACL SGACL SGFW SGFW SGFW Catalyst 3560-X Catalyst 3750-X Catalyst 3850, 3650 WLC 5760 Catalyst 4500E (Sup7E) Catalyst 4500E (Sup8E) Catalyst 6500E (Sup2T) / 6880X Nexus 7000 Nexus 6000 Nexus 5600 Nexus 5500 Nexus 1000v ISR G2 Router, CGR2000 ASR 1000 Router ASA 5500/5500XFirewall ASAv Firewall All ISRG2 Inline (except C800): Today

23 IOT Demands Soqware Defined Segmenta5on Data Network Internet Guest DMZ Voice Network Quarantine Bootstrap Employees PERMIT PERMIT Guests PERMIT PERMIT PERMIT IP Phones PERMIT PERMIT Non-Compliant PCs PERMIT PERMIT BYOD PERMIT PERMIT PERMIT BioMed Sensors Consumer Gadgets Power Controls Process Controls

24 Cyber Lifecycle Where Cisco is Going BEFORE Dynamic Tune Control Policy DURING Visibility to Improve Decision Network- wide Mi5ga5on AFTER Control to Mi5gate & Remediate 3 Accelerated & improved decisioning 1 Reduce threat surface 2 Collect real 5me FireSight, Lancope, SIEM 4 Quaran5ne in network area ISE as Secure Access context ISE as Context Directory ISE as Network Controller 5 Update policy to minimize repeat awack risk

25