430 likes | 600 Views
Break-1659 – Building and Managing a Secure BYOD Environment Tuesday, Mar 12, 9:45 AM - 10:45 AM. Timothy Guy- Solutions Architect Brad Garczynski -Systems Engineer. Building and Managing a Secure BYOD Environment .
E N D
Break-1659 – Building and Managing a Secure BYOD EnvironmentTuesday, Mar 12, 9:45 AM - 10:45 AM Timothy Guy- Solutions Architect Brad Garczynski -Systems Engineer
Building and Managing a Secure BYOD Environment One to one initiatives have flooded k-12 classrooms with new devices. The cost associated with these devices continues to pose a large financial burden. It is widely thought that allowing students to bring his or her device into the classroom (BYOD) would dramatically reduce this burden. The challenge is to incorporate a management solution that provides a secure and effective BYOD environment • Discussion Topics: • How to properly secure a BYOD environment • How to deliver educational content across various devices • Allowing secure device access to district applications
Topics • How did we get here Story • Right Priority, Unpopular Message • Identity Service Engine (ISE) 101 • Live ISE Demo of ISE - Dynamic ACL/Dynamic Vlans/Web Auth/Reporting/User Integration • Mobile Device Management Solutions (MDM) • Live CX Next Generation of firewalls for applications • Questions
Right Priority, Unpopular Message • Solid, switched, virtualized network • Pervasive RF in all areas where students will be focused, with Central Web Authorization • Internet capacity to allow consumption without frustration & ensure filtering is accurate • High capacity virtualized server environment for applications • Add Identity Services posture and profile services to Authorization with NCS Prime for Management • Utilize an MDM for rapid deployment
What we have done so far…. StartHere Single Service no Access-Reject yes Access-Accept
What is the flow of a Policy in ISE… Start Here Registered Guest Student No No Access-Reject Yes Yes i-Device RegisteredDevice No Yes No Yes Access-Accept Internet Only
Live Demo of ISE • Dynamic ACL • Dynamic Vlans • Web Authentication • Reporting • User Integration
ISE Personas Administration Node • Interface to configure policies Monitoring Node • Interface for logging and report data Policy Service Node (PSN) • Engine that makes policy decisions Network Access Device (NAD)/Inline Posture Node • Interface that queries Policy Service node and enforces policy External Attribute Stores • Interface to retrieve policy or policy information
Basic 2-Node ISE Deployment (Redundant) • Maximum endpoints – 2000 • Redundant sizing - 2000 ISE Node ISE Node Admin Admin Secondary Admin Primary Admin Monitoring Monitoring Primary Monitoring Secondary Monitoring PolicyService PolicyService
Distributed Deployment • Administration + Monitoring on same appliance; Policy Service on dedicated appliance Admin Mon Admin Mon Policy Svcs Policy Svcs Policy Svcs Policy Svcs Policy Svcs 2 x Admin+Monitor Max 5 PSNs Max 10k endpoints
Typical ISE DeploymentExample Small School District A/S Admin, Monitoring, Policy Service nodes AD/LDAP (External ID/ Attribute Store) HA Inline Posture Nodes ASA VPN Campus A WLC 802.1X Switch 802.1X AP Branch A Branch B Switch 802.1X Switch 802.1X AP AP
Typical ISE Deployment Example Medium 2 Building Campus A/S Admin + Monitoring nodes Policy Service Cluster Distributed Policy Service node AD/LDAP (External ID/ Attribute Store) HA Inline Posture Nodes Distributed Inline Posture Node Campus B ASA VPN Campus A WLC Switch 802.1X WLC Switch 802.1X AP AP Branch A Branch B Switch 802.1X Switch 802.1X AP AP
Unified Access ArchitectureOne Network, One Policy, One Management CiscoPrime Infrastructure w/ Assurance Mobile Device Management Identity Services Engine (ISE) Mobility Services Engine (MSE) CatalystSwitches Cisco WLC Cisco AnyConnect Wired Network Wireless Network Remote AccessNetwork
ISE & MDM Are Complimentary AUP Enterprise Software Distribution Mobile + PC Management (Backup, Remote Wipe, etc.) Classification/ Profiling Registration User <-> Device Ownership Policy Compliance (Jailbreak, Pin Lock, etc.) Cert + Supplicant Provisioning Secure Network Access (Wireless, Wired, VPN) Secure Data Containers Context-Aware Access Control (Role, Location, etc.) Inventory Management = Mobile Device Management = Network Enablement (ISE)
Multiple Context’s -One Firewall BYOD Segments Student Wired Segments Guest Segments
Closing discussion • Topics to take away and respond to
Leave you with these questions • What is your BYOD policy? • Where are your BYOD roadmap? • How do you know what is on your network any given time? And what they are doing? • How do you allow contractors access to your network? • How do you profile devices? • How do you ensure data loss prevention in devices? • How would you minimize the risk of your rollout of 802.1X implementation without risking outages? • How would you segment data center access?
Solution: Cisco TrustSec Remote VPN User Wireless User VPN User Devices Devices Netech Demo at End of Presentation VLANs Guest Access Identity-Enabled Infrastructure Profiling dACLs Posture SGTs Scalable Enforcement Policy-Based Access and Services: Identity Services Engine (ISE) Data Center Intranet Internet Security Zones
Device Profiling – 1st defense • Allows different access levels to be automatically applied to different devices, even when using the same credentials. • For example: • Mobile devices = Internet + AirPlay • Laptops allowed full access with posture assessment • No need for certificates, etc. • Can isolate or deny access to certain device types as well
Posture assessment – 2nd defense • Performs additional checks to verify the workstation is yours before allowing full network access • Can validate just about anything on the device before allowing network access
Inline Posture Node High AvailabilityRemote Access Example ISE Inline ACTIVE ASA HA: A/S or VPN Cluster VLAN 11 eth2 (HB Link) eth1 eth0 VLAN 12 Internet Router External Switch ASA vpn VPN Client HA: VPN to single ASA HA IP or VPN Cluster IP outside inside VLAN 15 ISP A L3 Switch VLAN 14 Inline Service IP eth1 Inline Service IP eth0 Trunk: VLANs 11-15 InternalNetwork FO Link State Link VPN User ISP B inside outside Internet Internet Router vpn External Switch L3 Switch ASA VLAN 12 • VLANS • VLAN 11: (ASA VPN; Inline node untrusted) • VLAN 12: (Inline node trusted) • VLAN 13: (Inline Heartbeat Link) • VLAN 14: (ASA Inside) • VLAN 15: (Internal Network) eth1 eth0 eth2 (HB Link) VLAN 11 ASA Redundant Links ISE Inline STANDBY
School Issues Addressed by CS School Issue Student
Mobile Device Management on Cloud • For Cloud Based Solutions, Bandwidth and Latency will need to be considered. • Scalability = 30 Calls per second. • Survivability: • If the MDM is not available, the rule will not match. • Will (by default) stick the user in the “Register with MDM” state. • Ability for administrator and user in ISE to issue remote actions on the device through • the MDM server (eg: remote wiping the device) • MyDevicesPortal • Endpoints Directory in ISE
Mobile Device Management API • With the API, we can query on: • General Compliant or ! Compliant (Macro level) -or- • Disk encryption is one • Pin lock • Jail broken • Bulk re-check against the MDM every 4 hours. • But we are not using the cached data in the AuthZ • If result of Bulk Re-check shows that a device is no longer compliant – we will send a CoA Change of Authorization to terminate session. • Works same with all 4 vendors.
Mobile Device Management Solutions • Cisco Published Specs to 4 vendors • AirWatch 6.2 • Mobile Iron 5.0 • ZenPrise 7.1 • Good Version 2.3 • Require API to be open • Only one MDM at a time
Monitoring - Distributed Log Collection • ISE supports distributed log collection across all nodes to optimize local data collection , aggregation, and centralized correlation and storage. • Each ISE node collects logs locally from itself; Policy Service nodes running Profiler Services may also collect log (profile) data from NADs. • Each node buffers and transports collected data to each Monitoring node as Syslog • NADs may also send Syslog directly to Monitoring node on UDP/20514 for activity logging, diagnostics, and troubleshooting. Monitoring Nodes Policy Service Nodes Syslog (UDP/20514), Profiler Syslog (UDP/30514) NADs External Log Servers HTTP SPAN, DHCP SPAN/Helper/Proxy Netflow, SNMP Traps, RADIUS Alarm-triggered Syslog External Log Targets: Syslog (UDP/20514) Syslog (UDP/20514)
Administration HA and Synchronization • Changes made via Primary Administration DB are automatically synced to Secondary Administration and all Policy Service nodes. Policy Service Node Admin Node (Secondary) Policy Sync Policy Service Node Admin Node (Primary) Policy Sync Policy Service Node Admin User Logging Monitoring Node (Primary) Monitoring Node (Secondary)