Cisco AnyConnect Secure Mobility Solution
György Ács, Regional Security Consultant


- Mobile User Challenges
- Mobile and Security Services
- Web Security Deployment Methods
- Live Q&A

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Mobile User Challenges

- Manual tunnel setup
- Limited roaming
- Client only connected if necessary

Diagram: Remote User w/ VPN Client, Internet, Corporate Network

- Different end-user devices (iPhone, iPad, user on Linux / Mac)
- Different levels of access required

Diagram: Partner, Remote User w/ VPN Client, Internet, Corporate Network

- Many applications use HTTP as the transport
- Applications can no longer be identified on the network layer
- Communication with aggressive advertising sites or phishing sites

Criminals targeting Facebook


- Services are moving to the cloud
- Can be accessed directly
- No control from corporate policy

Diagram: Direct Access, Internet, Remote User w/ VPN Client, Corporate Network

- Maximum of usability for the end user: connect from anywhere, with any device, at any time
- Minimum of administration from the corporate side
- Consistent control of security policy:
  - Same policy if in the office or outside the office
  - Same policy regardless if connected wired, wireless or via VPN

- Tunnel is always on: user is always connected
- AnyConnect client provides maximum usability: easy, quick, transparent
- ASA and WSA can exchange user info for SSO
- WSA protects web traffic

Diagram: Remote User w/ AnyConnect Client, Internet, Cisco ASA, Cisco WSA, Corporate Network

Mobile and Security Services

Architecture Overview
- AnyConnect User Interface
- Services
- AnyConnect Platform Interfaces
- Management
- Head-ends
- Service Provider Integration Architecture
- Head End Devices: TrustSec and Cisco Medianet, wired switches and wireless controllers, NAC appliances, ASA remote access, ISRs, Web Security, Cloud Web Security

Diagram: Remote User with AC connects to ASA as VPN gateway using TLS on port TCP/443

Realtime / Reliable delivery

Diagram: Remote User with AC connects to ASA as VPN gateway using TLS on port TCP/443 and DTLS on port UDP/443

1. SSL connection (TLS) on TCP/443
2. Negotiate DTLS tunnel
3. DTLS used for data on UDP/443
4. Control traffic + DTLS backup (over the TLS connection)

Data is sent on the tunnel most recently used by the client.

Failover: AnyConnect with SSL and VPN Client with IPsec; failover is stateful

Load-Balancing:
- Master ASA redirects the connections
- Distributes the load in 1% increments

Combine the benefits

Supported platforms:
- Windows 32-bit & 64-bit: XP, Vista, W7
- Linux with 2.6 kernel
- Mac OS X 10.5 & 10.6
- Windows Mobile 5, 6 & 6.1
- iPhone OS 4.1 (version 2.4)
- iPad OS 4.2
- Samsung Galaxy S II (Android)

Encryption:
- SSL with DTLS
- IPsec with IKEv2

Features for Secure Mobility:
- Optimal Gateway Selection
- AlwaysON
- Location awareness
- Captive Portal Detection
- Personal firewalling: no personal firewall integrated; OS firewalls can be configured & managed centrally through ASA (Windows & Mac)

- Profile is loaded automatically on the client during connect
- At connect, the checksum of the profile is verified
- A tampered profile gets replaced

- Client connection is kept both on ASA and on the client
- If the PC is coming back from standby or is changing network, the client re-authenticates silently using a signed cookie
- User does not need to manually reconnect

Trusted Network Detection:
- Configurable via the AnyConnect profile
- Trusted networks can be defined as DNS suffixes or DNS server IP addresses
- Office DNS suffixes and DNS server IP addresses must be defined dynamically (DHCP) on the client
- If both the trusted DNS suffix and DNS server IP address are defined, the entries will be ANDed to determine the trusted network

Diagram: Home, Office, HotSpot
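The ANDing rule above is the part worth getting right: a network that hands out the corporate DNS suffix over DHCP but not the corporate DNS server address must still count as untrusted when both criteria are configured. The following is an added example (not AnyConnect's own code) that implements that decision on constructed DHCP-learned values; the suffix, server addresses and class names are assumptions for the illustration, and what the client does with the trusted/untrusted verdict is left to the profile and is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class TrustedNetworkPolicy:
    """Trusted-network definition as on the slide: DNS suffixes and/or DNS
    server IP addresses. An empty set means that criterion is not configured."""
    dns_suffixes: FrozenSet[str] = frozenset()
    dns_servers: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ClientNetworkState:
    """DNS settings the client currently holds from DHCP (constructed input)."""
    dns_suffixes: FrozenSet[str]
    dns_servers: FrozenSet[str]


def _norm_suffix(suffix: str) -> str:
    # Suffix comparison is case-insensitive; leading/trailing dots are ignored.
    return suffix.strip().lower().strip(".")


def _norm_servers(servers: Iterable[str]) -> FrozenSet[str]:
    # ipaddress canonicalises textual forms (e.g. IPv6 zero-compression)
    # and raises on malformed addresses instead of silently never matching.
    return frozenset(str(ipaddress.ip_address(s.strip())) for s in servers)


def suffix_matches(policy: TrustedNetworkPolicy, client: ClientNetworkState) -> bool:
    """True if any client DNS suffix equals a trusted suffix."""
    trusted = {_norm_suffix(s) for s in policy.dns_suffixes}
    return any(_norm_suffix(s) in trusted for s in client.dns_suffixes)


def server_matches(policy: TrustedNetworkPolicy, client: ClientNetworkState) -> bool:
    """True if any client DNS server equals a trusted DNS server address."""
    return bool(_norm_servers(policy.dns_servers) & _norm_servers(client.dns_servers))


def is_trusted_network(policy: TrustedNetworkPolicy,
                       client: ClientNetworkState) -> Optional[bool]:
    """Decide whether the client is on a trusted network.

    Rule from the slide: when both suffix and server lists are defined, the two
    criteria are ANDed; when only one is defined, it alone decides. None means
    the policy defines neither criterion (TND not configured)."""
    checks = []
    if policy.dns_suffixes:
        checks.append(suffix_matches(policy, client))
    if policy.dns_servers:
        checks.append(server_matches(policy, client))
    if not checks:
        return None
    return all(checks)


# Constructed sample policy and client states (hypothetical names/addresses).
OFFICE_POLICY = TrustedNetworkPolicy(
    dns_suffixes=frozenset({"corp.example.com"}),
    dns_servers=frozenset({"10.1.1.53", "10.1.2.53"}),
)
SUFFIX_ONLY_POLICY = TrustedNetworkPolicy(dns_suffixes=frozenset({"corp.example.com"}))

AT_OFFICE = ClientNetworkState(frozenset({"Corp.Example.com"}), frozenset({"10.1.1.53"}))
AT_HOTSPOT = ClientNetworkState(frozenset({"wifi.hotspot.example"}), frozenset({"192.168.1.1"}))
# A network that advertises the corporate suffix over DHCP but not the
# corporate DNS server: the ANDed policy still classifies it as untrusted.
SUFFIX_ONLY_MATCH = ClientNetworkState(frozenset({"corp.example.com"}), frozenset({"192.168.1.1"}))

if __name__ == "__main__":
    for name, state in [("office", AT_OFFICE), ("hotspot", AT_HOTSPOT),
                        ("suffix-only", SUFFIX_ONLY_MATCH)]:
        print(f"{name:12s} ANDed policy: {is_trusted_network(OFFICE_POLICY, state)!s:5s} "
              f"suffix-only policy: {is_trusted_network(SUFFIX_ONLY_POLICY, state)}")
```

Running the block shows the difference between the two policies on the third sample: with only a suffix configured, any network that advertises `corp.example.com` over DHCP is treated as trusted, whereas the ANDed policy also requires one of the configured DNS server addresses.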

Captive Portal Detection:
- Allows the user to authenticate to a hotspot portal
- AnyConnect discovers the captive portal
- User has the option to authenticate via browser
- AnyConnect connection is resumed after successful authentication

Optimal Gateway Selection:
- Administrator-managed feature
- Client determines the nearest ASA (a.k.a. fastest response)
- OGS will initiate upon the following conditions:
  - Prior to initial connection
  - Upon reconnects (e.g. coming out of standby)
  - 4 hours have elapsed since last connection
- Will not switch ASAs when results are not faster by > 20%
- If an ASA switch occurs, this results in a disconnect/connect

Diagram: London? New York
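The two numbers on this slide (the 4-hour re-evaluation interval and the 20% hysteresis before switching) are what keep OGS from flapping between head ends, since every switch costs a disconnect/connect. The following added example (not Cisco's implementation) encodes those two rules over constructed response-time measurements; the event names, the gateway names and the measured values are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Thresholds taken from the slide.
OGS_SWITCH_IMPROVEMENT = 0.20   # a new ASA must respond more than 20% faster
OGS_REEVALUATE_HOURS = 4.0      # re-run OGS once 4 hours have passed since last connection


def ogs_should_run(event: str, hours_since_last_connection: float) -> bool:
    """Trigger conditions listed on the slide. Event names are constructed for
    this example: 'initial' (prior to initial connection), 'reconnect' (e.g.
    coming out of standby), 'timer' (periodic check against the 4-hour rule)."""
    if event in ("initial", "reconnect"):
        return True
    if event == "timer":
        return hours_since_last_connection >= OGS_REEVALUATE_HOURS
    raise ValueError(f"unknown OGS event: {event!r}")


@dataclass(frozen=True)
class OgsDecision:
    gateway: str
    switched: bool        # True means a disconnect/connect will follow
    reason: str


def ogs_select(current: Optional[str], response_ms: Dict[str, float]) -> OgsDecision:
    """Pick the gateway with the fastest response, but keep the current one
    unless a candidate is faster by more than OGS_SWITCH_IMPROVEMENT."""
    if not response_ms:
        raise ValueError("no gateway responded")
    fastest = min(response_ms, key=response_ms.get)
    if current is None:
        return OgsDecision(fastest, False, "initial connection: fastest gateway chosen")
    if current not in response_ms:
        return OgsDecision(fastest, True, f"{current} did not respond; switching to {fastest}")
    cur_ms = response_ms[current]
    best_ms = response_ms[fastest]
    # Relative improvement of the fastest candidate over the current gateway.
    improvement = 1.0 - best_ms / cur_ms if cur_ms > 0 else 0.0
    if fastest != current and improvement > OGS_SWITCH_IMPROVEMENT:
        return OgsDecision(fastest, True,
                           f"{fastest} is {improvement:.0%} faster than {current}; "
                           f"switching (disconnect/connect)")
    return OgsDecision(current, False,
                       f"no gateway faster than {current} by more than "
                       f"{OGS_SWITCH_IMPROVEMENT:.0%}; staying")


# Constructed measurements (ms); gateway names follow the slide's London / New York example.
MEASURED = {"London": 75.0, "New York": 90.0}

if __name__ == "__main__":
    print(ogs_select(None, MEASURED))        # initial connection: London
    print(ogs_select("New York", MEASURED))  # London only ~17% faster: stay on New York
    print(ogs_select("New York", {"London": 60.0, "New York": 90.0}))  # ~33% faster: switch
    print(ogs_should_run("timer", 3.5), ogs_should_run("timer", 4.0))
```

With the 75 ms / 90 ms sample, London is measurably faster but not by more than 20%, so a client already on New York stays there; only when the gap exceeds the threshold does OGS accept the disconnect/connect cost of a switch.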

Public:
- Any physical interface that has direct connectivity to a network other than the VPN
- Only applied with a split tunneling configuration
- If public rules cannot be applied, full tunneling will be applied

Private:
- The virtual adapter interface
- Rules are independent of the public interface

For Your Reference

- Windows 7 style GUI floating from the right side of the taskbar
- Supported on Windows 32-bit and 64-bit OS versions (XP, Vista, W7, 2003/2008)
- Other OS versions (Mac OS X, Linux) don't have the new GUI, but still have AC 3.0

- Components displayed are modular
- Components can be centrally distributed from ASA, at initial install or at a later point in time
- Some components are OS dependent: Anywhere+, Telemetry, Network Access Manager

- Integrated in ASDM on ASA
- Profile for VPN is ported from previous versions
- Profiles for ScanSafe, NAM and Telemetry are new

Connection management for Layer 2:
- Windows XP (32-bit), Windows Vista and 7 (32/64-bit)
- Wired (802.3) and wireless (802.11) connectivity
- Layer-2 user and device authentication: 802.1X, 802.1X-REV (wired key establishment), 802.1AE (MACsec: wired encryption)
- Supports numerous EAP types
- 802.11i (Robust Security Network)
- Supports both Admin (office) and User (home) network configurations

- AnyConnect 3.0 provides a unified access interface for SSL VPN, IPsec and 802.1X for LAN / WLAN
- Supports MACsec / MKA data encryption in software (performance CPU-dependent)
- MACsec-capable hardware (network interface) enhances performance
- MACsec-ready hardware:
  - Intel 82576 Gigabit Ethernet Controller
  - Intel 82599 10 Gigabit Ethernet Controller
  - Intel ICH10 - Q45 Express Chipset (1GbE LOM) (Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM)

MACsec in Action (diagram, two scenarios):

Using AnyConnect 3.0: a Finance Admin laptop with AC 3.0 authenticates via 802.1X to a Cat3750-X; ACS 5.2 reports "Authentication Successful!" and applies the policy "Finance Admin = Must Encrypt". Traffic on the LAN is MACsec-encrypted and appears on the wire only as ciphertext.

Using a normal supplicant (no MACsec supplicant) on a personal laptop: the same "Finance Admin = Must Encrypt" policy applies and authentication is successful, but the client falls back to an insecure VLAN. Everything is sent in the clear, therefore you can see everything on the wire.

Web Security Deployment Methods

Anywhere+ (transitioning to AnyConnect)

Diagram: Information sharing between ASA and WSA; AnyConnect, ASA, Cisco Web Security Appliance, Corporate AD; destinations: News, Email, Social Networking, Enterprise SaaS

Seamless User Experience: Always-On VPN

AnyConnect:
- Always-on VPN (admin configurable)
- Optimal head end auto-detect
- Transparent auth (certificate)

ASA / WSA:
- Authentication handoff (SSO)
- Identity and location aware policy enforcement
- Location-aware reporting

Diagram: Trusted Network and Untrusted Network; SSL user VPN tunnel authenticates all traffic; ASA, WCCP, Cisco Web Security Appliance, Corporate AD, User Identity; Internet destinations: facebook.com, News, Email, Social Networking, Enterprise SaaS

- ASA has tunnel default gateway to the WCCP router
- ASA performs NAT, acting as Internet gateway
- WCCP router forwards web traffic to WSA
- Non-web traffic is sent to ASA
- WSA must have a route to the VPN client IP pool

Diagram: AnyConnect VPN user with always-on VPN tunnel to ASA; all VPN traffic passes an L3 device; Internet traffic and non-HTTP/S traffic continue to the Internet; L2 redirect of web traffic to the Web Security Appliance subnet

- Web proxy incl. caching
- Rich security functionalities: reputation filtering, malware scanning, application visibility & control, HTTPS inspection, authentication, reporting and tracking

- Cisco SIO gathers statistical (telemetry) information from Cisco products and other resources
- Cisco SIO correlates the information
- Updated information is delivered back to the appliances
- Each IP / URL gets a score, ranging from -10 to +10

Diagram: Outbreak Intelligence, External feeds, AnyConnect 3 Telemetry, Web, Email, ASA, IPS

- Known botnet or phishing site
- Aggressive advertising

- Filtering the URLs based on predefined categories
- Possible actions: Block, Monitor, Warn, Time-Based

- Different applications are detected by special signatures
- Those signatures are downloaded dynamically via SIO updates
- No reboot or manual installation required!

Diagram: Good Website / Bad Website

Functional Description:
- Works with Cisco ASA and Cisco AnyConnect client
- Cisco ASA authenticates the user at WSA
- WSA can use different policies for local and remote users
- WSA can use SAML 2.0 for Single Sign-On to web services

Diagram: AnyConnect, authentication at WSA, SSO with SAML 2.0

Functional Description:
- ASA passes user information to WSA for authentication
- AnyConnect user attempts to access an Internet web server via the always-on VPN
- Traffic is routed to the inside router
- URL request is redirected to the Web Security Appliance (WSA)
- Traffic is checked by WSA against policy
- Cleaned traffic is forwarded to the Internet web server

Diagram: AnyConnect VPN user, always-on VPN tunnel, ASA, Internet router, Web Security Appliance, URL request, cleaned URL request, Internet, web server, Corporate Network

- Keeps malware from getting to your system in the first place
- Tunnels HTTP/HTTPS traffic through the ScanSafe cloud
- Fully localizable and translatable
- Fine-tunable web access policy management available
- Replacement for the Anywhere+ standalone client
- Does not need a VPN connection!

ScanSafe Scalability & Reliability

Reliability:
- 15 data centers
- Top tier certification
- Thousands of devices deployed
- 100% availability

Scale:
- Billions of web requests/day
- Highly parallel processing
- Average <50 ms latency
- 10Gb connectivity
- Redundant network providers

Reference Slide
- Centrally managed via the ScanSafe web portal
- Rule-based policies allowing for a default policy while creating custom exceptions for particular users or groups
- Policies are composed of the following attributes:
  - Action: Block, Warn or Allow
  - Group: who the policy will match
    - Directory Group (Active Directory or LDAP)
    - Custom Group matching either username or IP address
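As an added example (not the ScanSafe portal's own policy engine), the following evaluator models the policy structure just described: a default action plus a list of exceptions, each pairing one of the three actions with either a directory group or a custom group of usernames or IP ranges. The assumption that exceptions are evaluated in order with the first match winning, and the group names, usernames and address ranges, are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union

ACTIONS = ("Block", "Warn", "Allow")   # the three actions named on the slide


@dataclass(frozen=True)
class DirectoryGroup:
    """Group resolved from Active Directory or LDAP."""
    name: str


@dataclass(frozen=True)
class CustomGroup:
    """Group matching either usernames or source IP address ranges."""
    usernames: FrozenSet[str] = frozenset()
    networks: Tuple[str, ...] = ()     # CIDR strings, e.g. "203.0.113.0/24"


Group = Union[DirectoryGroup, CustomGroup]


@dataclass(frozen=True)
class Rule:
    action: str
    group: Group

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}; expected one of {ACTIONS}")


@dataclass(frozen=True)
class WebRequest:
    username: str
    source_ip: str
    directory_groups: FrozenSet[str]    # directory groups the user belongs to


def group_matches(group: Group, req: WebRequest) -> bool:
    """Directory groups match on membership; custom groups match on username
    (case-insensitive) or on the source address falling inside a listed CIDR."""
    if isinstance(group, DirectoryGroup):
        return group.name in req.directory_groups
    if req.username.lower() in {u.lower() for u in group.usernames}:
        return True
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in group.networks)


def evaluate_policy(exceptions: List[Rule], default_action: str, req: WebRequest) -> str:
    """Custom exceptions are checked in the order given (first match wins, an
    assumption of this example); the default policy applies when none match."""
    if default_action not in ACTIONS:
        raise ValueError(f"unknown default action {default_action!r}")
    for rule in exceptions:
        if group_matches(rule.group, req):
            return rule.action
    return default_action


# Constructed sample policy: block a guest address range outright, allow the
# Finance directory group, block a named contractor account, warn everyone else.
EXCEPTIONS = [
    Rule("Block", CustomGroup(networks=("203.0.113.0/24",))),
    Rule("Allow", DirectoryGroup("CN=Finance")),
    Rule("Block", CustomGroup(usernames=frozenset({"contractor1"}))),
]
DEFAULT_ACTION = "Warn"

if __name__ == "__main__":
    samples = [
        WebRequest("alice", "10.0.0.5", frozenset({"CN=Finance"})),
        WebRequest("alice", "203.0.113.9", frozenset({"CN=Finance"})),
        WebRequest("Contractor1", "10.0.0.7", frozenset()),
        WebRequest("bob", "10.0.0.6", frozenset()),
    ]
    for req in samples:
        print(req.username, req.source_ip, "->", evaluate_policy(EXCEPTIONS, DEFAULT_ACTION, req))
```

Because the guest-range rule is listed first, a Finance user browsing from that range is blocked rather than allowed; ordering the exceptions is therefore part of the policy, which is why the block validates actions at construction time and keeps evaluation deterministic.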

- Internet traffic secured through the web security cloud service
- Corporate traffic secured through the tunnel and WSA
- Consistent policy and monitoring

Diagram: Remote User w/ AnyConnect Client 3.0, Internet, Cisco ASA, Cisco WSA, Corporate Network


Live Q and A

- Wide operating systems support
- Security and mobility together
- Intelligent and seamless VPN (AlwaysON, DTLS, IKEv2)
- Context-aware policy and web security
- ScanSafe and Cisco IronPort collaboration
- Authentication (IEEE 802.1X supplicant) with data privacy and integrity (IEEE 802.1AE, MACsec)