UA Roadshows—One Policy: ISE and TrustSec
Nov 8, 2012
Bob Sayle, Principal Systems Engineer
Session Agenda
• Need for Contextual Access Policy
• BYOD with Cisco ISE
• Security Group Access and TrustSec
• Cisco Access Device
• ISE Under the Hood
Top of Mind Concerns to Enable BYOD
The Burden Falls on IT
• How do we simplify the security in the BYOD process?
• How do we control and segment the devices and users?
• How do we provide consistent policy across the network?
Policy Access Control - Enabling BYOD
Getting BYOD Devices On-Net Without Wasting Their Time
• Zero-touch portal automates identity, profiling & provisioning tied to a user's identity to get them quickly & securely on-net while saving IT time.
• BYOD On-Boarding: zero-touch registration & provisioning of employee/guest devices
• Unified Policy-based Management: policy-based governance, contextual control, guest lifecycle mgmt
• Consistent Network-wide Security: compliance including 802.1X ports, untrusted device access denial
Allowing Users To Safely Go Where They Are Allowed To Go -- From Anywhere
• Visibility & contextual control across the network while blocking untrusted access: user authentication, device profiling, posture, location, access method
Applying Network Policy to Users from Entry to Destination (E2E)
• Control plane from access layer thru data center that is topology independent
• Policy platform for unified access, DC switches & FWs with ecosystem APIs
Industries: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed
Meet Cisco ISE*
• Policy Management Solution
• Unified Network Access Control
• Turnkey BYOD Solution
• 1st System-wide Solution
• Deep network integration
• System-wide Policy Control from One Screen
• Award winning product! '12 Cisco Pioneer Award
• Over 400 Trained & Trusted ATP Partners
* Pronounced 'ICE'. Stands for Identity Services Engine, but just call it Cisco ISE
One Policy Platform: Components
• Policy Management: Identity Services Engine (ISE), Prime Infrastructure
• Policy Context: Non-User Devices, Personal Devices, User Identity, Corporate Assets
• Policy Information: Posture from NAC/AnyConnect Agent, User Directory, Profiling from Cisco Infrastructure
• Policy Enforcement: Cisco Infrastructure (Switches, Wireless Controllers, Firewalls, Routers)
One Policy Platform: Use Cases (One Network, One Policy, One Management)
• "I only want to allow the 'right' users and devices on my network": Authentication Services
• "I want users and devices to receive appropriate network services": Authorization Services
• "I want to allow guests into the network and control their behavior": Guest Lifecycle Management
• "I need to allow/deny iPads in my network (BYOD)": Profiling and BYOD Services
• "I want to ensure that devices on my network are clean": Posture Services
• "I need a scalable way of enforcing access policy across the network": TrustSec SGA
Simplified BYOD with Cisco ISE
Device On-boarding
• Self Registration
• Certificate and Supplicant Provisioning
Reduced Burden on IT Staff and Help Desk Staff
• Seamless, intuitive end user experience
• Supports Windows, Mac OS X, iOS, Android
Intuitive Management for End Users
• My Devices Portal—register, blacklist, manage
• Guest Sponsorship Portal
But What About MDM?*
MDM cannot 'see' non-registered devices to enforce device security – but the network can!
Best Practice
• MDM (Mobile Device Security Control): Device Compliance, Mobile Application Management, Data Security Controls
• ISE (Device Access Control): Device Identity, BYOD On-boarding, Device Access Control
* Mobile Device Manager
New BYOD Flow: Single SSID
• User connects to Secure SSID
• PEAP: Username/Password
• Redirected to Provisioning Portal
• User registers device
• Downloads Certificate
• Downloads Supplicant Config
• User reconnects using EAP-TLS
Components: Personal Asset, BYOD-Secure SSID, Access Point, Wireless LAN Controller, ISE, AD/LDAP
New BYOD Flow: Dual SSID
• User connects to Open SSID
• Redirected to WebAuth portal
• User enters employee or guest credentials
• Guest signs AUP and gets Guest access
• Employee registers device
• Downloads Certificate
• Downloads Supplicant Config
• Employee reconnects using EAP-TLS
Components: Personal Asset, BYOD-Secure and BYOD-Open SSIDs, Access Point, Wireless LAN Controller, ISE, AD/LDAP
BYOD Demo: A Retail Environment
User and Device Roles
• User and device roles: Unregistered Device, Employee, Management, Credit Card Scanners
• Device classes: Any Device, Registered Device, Corporate Device
• Resources: General Web Server, Employee News Portal, Employee Time Card Application, Manager Portal, Credit Card Server
Policy Definition for Roles
• Unregistered Device (Any Device): Public SSID
• Employee (Registered Device): Corporate SSID; member of group "Employee"; certificate matches endpoint
• Management (Registered Device): Corporate SSID; member of group Employee and Manager; certificate matches endpoint
• Credit Card Scanners (Corporate Device): Credit_Card SSID; member of group "Credit_Scanners"; profiled as "iphone"
Resources: General Web Server, Employee News Portal, Employee Time Card Application, Manager Portal, Credit Card Server
Inside ISE: Management Policy
• Employee Registered
• SSID Access: Corporate-wifi
• AD Group: "Management"
Inside ISE: Credit Card Scanner Policy
• Profiled as an iPhone
• Certificate Required
• SSID Access: cc-secure-wifi
• AD Group: "Credit Card Scanners"
Enforcement: VLANs or ACLs (with 802.1X)
• VLAN Architecture: scaling concerns; highly topology dependent
• ACL Architecture: hard to maintain; 100s-1000s of ACEs
Enforcement: Security Group Access (SGA)
SGA Tag Policy: Cisco ISE maps each user and device role (who, what, where, when, how) to an ingress tag
• Unregistered Device (Unregist_Dev_SGT): Public SSID
• Employee (Employee_SGT): Corporate SSID; member of group "Employee"; certificate matches endpoint
• Management (Management_SGT): Corporate SSID; member of group Employee and Manager; certificate matches endpoint
• Credit Card Scanners (CC_Scanner_SGT): Credit_Card SSID; member of group "Credit_Scanners"; profiled as "iphone"
Example users in the diagram: Finance, Employee, Manager
SGA Inside ISE: Employee TAG, Manager TAG, Credit Card Scanner TAG
SGA Enforced at ASA Firewall: Manager TAG, Credit Card Scanner TAG
SGA Policy Enforcement Flow
Security Group Based Access Control
• ISE maps tags (SGT) with user identity
• ISE Authorization policy pushes SGT to ingress NAD (switch/WLC)
• ISE Authorization policy pushes ACL (SGACL) to egress NAD (ASA or Nexus)
Diagram: "I registered my device", "I'm a manager" yields Manager SGT = 100; destinations Time Card (SGT=4) and Credit card scanner (SGT=10) are protected by an SGACL at the egress device.
Cisco Innovation: Migrating to Security Group Access with the SGT eXchange Protocol (SXP)
• Security Group Access Protocol
• For transport through a non SGT core
Diagram: the same flow as the previous slide, with Manager SGT = 100 associated with 10.1.100.3 and carried over SXP to the device that applies the SGACL.
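As an added example that is not part of the deck or Cisco's code, the following Python models the role-to-tag rules from the Policy Definition and SGA slides above and the SGACL enforcement of the last two slides, including the case where the egress device must recover the source SGT from an SXP IP-to-SGT binding because the core does not carry tags. Tag values 100, 4 and 10 and the address 10.1.100.3 are from the slides; the other tag numbers, the SGACL matrix and the session fields are assumptions.

```python
from dataclasses import dataclass
# Tags 100 (manager), 4 (time card) and 10 (credit card scanner) are from the slides;
# the remaining values and the SGACL matrix below are assumed for this example.
SGT = {"Unregist_Dev_SGT": 2, "Employee_SGT": 3, "Management_SGT": 100,
       "CC_Scanner_SGT": 10, "TimeCard_SGT": 4, "CC_Server_SGT": 11}

@dataclass(frozen=True)
class Session:
    ssid: str                            # SSID the endpoint joined
    ad_groups: frozenset = frozenset()   # AD groups of the authenticated user
    cert_matches: bool = False           # endpoint certificate matches the registered device
    profile: str = ""                    # ISE device profile, e.g. "iphone"

def assign_sgt(s: Session):
    """ISE authorization: top-down, first match wins, so Management precedes Employee."""
    if s.ssid == "Credit_Card" and "Credit_Scanners" in s.ad_groups and s.profile == "iphone":
        return SGT["CC_Scanner_SGT"]
    if s.ssid == "Corporate" and {"Employee", "Manager"} <= s.ad_groups and s.cert_matches:
        return SGT["Management_SGT"]
    if s.ssid == "Corporate" and "Employee" in s.ad_groups and s.cert_matches:
        return SGT["Employee_SGT"]
    if s.ssid == "Public":
        return SGT["Unregist_Dev_SGT"]
    return None  # no rule matched: no tag, which the egress check treats as deny

# SGACL matrix: (source SGT, destination SGT) -> permitted TCP ports; absent pairs are denied.
SGACL = {
    (SGT["Employee_SGT"], SGT["TimeCard_SGT"]): {443},
    (SGT["Management_SGT"], SGT["TimeCard_SGT"]): {443},
    (SGT["CC_Scanner_SGT"], SGT["CC_Server_SGT"]): {443},
}

def sxp_learn(bindings: dict, ip: str, sgt: int) -> None:
    """Ingress NAD advertises its IP-to-SGT binding over SXP to the egress device."""
    bindings[ip] = sgt

def egress_permit(bindings, src_ip, dst_sgt, port, inline_sgt=None):
    """Egress NAD (ASA/Nexus): use the inline SGT if the frame carried one, otherwise
    recover it from the SXP bindings; a source with no known tag is denied."""
    src_sgt = inline_sgt if inline_sgt is not None else bindings.get(src_ip)
    if src_sgt is None:
        return False
    return port in SGACL.get((src_sgt, dst_sgt), set())

def demo():
    # The manager from the slide: classified, bound over SXP, then checked at egress.
    mgr = Session("Corporate", frozenset({"Employee", "Manager"}), cert_matches=True)
    bindings = {}
    sxp_learn(bindings, "10.1.100.3", assign_sgt(mgr))  # binding 10.1.100.3 -> SGT 100
    return (egress_permit(bindings, "10.1.100.3", SGT["TimeCard_SGT"], 443),
            egress_permit(bindings, "10.1.100.3", SGT["CC_Server_SGT"], 443))
```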
Cisco Access Devices: Leading the Industry by Providing Added Value
Cisco Innovation: Industry Leading Identity Features
Authentication Features (Cisco Catalyst Switch, Rich and Robust 802.1X)
• Methods: 802.1X, MAB, WebAuth
• Endpoints: Authorized Users, Tablets, IP Phones, Network Devices, Guests
Identity Differentiators
• Monitor Mode: unobstructed access; no impact on productivity; gain visibility
• Flexible Authentication Sequence: enables single configuration for most use cases; flexible fallback mechanism and policies
• IP Telephony Support for Virtual Desktop Environments: single host mode; multihost mode; multiauth mode; multidomain authentication
• Critical Data/Voice Authentication: business continuity in case of failure
EAP Chaining
• EAP Chaining ties both the machine and user credentials to the device, thus the "owner" is using a corporate asset
• Use Cases: restrict use of personal laptops on a corporate network; corporate mandates where a corporate asset must be used and the user must be authorized
Diagram: Machine Credentials feed Machine Authentication; User Credentials feed User Authentication (includes both user and machine identity types); machine and user credentials are validated against the AD Database over RADIUS.
Cisco Innovation: Device Sensor, Automated Device Classification Using Cisco Infrastructure
Device Profiling for wired and wireless networks
Supported Platforms: IOS 15.0(1)SE1 for Cat 3K; IOS 15.1(1)SG for Cat 4K; WLC 7.2 MR1 - DHCP data only; ISE 1.1.1
The Solution: Deployment Scenario with Cisco Device Sensors, Efficient Device Classification Leveraging Infrastructure
• COLLECTION: switch collects device related data (CDP, LLDP, DHCP, MAC) and sends a report to ISE
• CLASSIFICATION: ISE classifies the device, collects flow information and provides a device usage report
• AUTHORIZATION: ISE executes policy based on user and device
Diagram: a Printer is matched to the Printer Policy [place on VLAN X]; a Personal iPad is matched to the Personal iPad Policy [restricted access].
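As an added example (not from the deck and not Cisco's code), the following Python models the three steps on this slide: the switch's sensor report limited to the CDP/LLDP/DHCP/MAC families, certainty-factor profiling in ISE, and the profile-to-policy step. The attribute names, profiling rules, certainty weights, minimum certainty, sample endpoints and the placeholder OUI are assumptions; the two policies are the ones on the slide.

```python
# Profiling rules: (profile, attribute, predicate, certainty factor). All assumed for the example.
PLACEHOLDER_APPLE_OUI = "AA:BB:CC"   # placeholder value, not a real OUI
PROFILE_RULES = [
    ("Printer",       "cdp_platform",  lambda v: "printer" in v.lower(), 30),
    ("Printer",       "lldp_sysdesc",  lambda v: "printer" in v.lower(), 30),
    ("Printer",       "dhcp_class_id", lambda v: "printer" in v.lower(), 20),
    ("Personal-iPad", "mac_oui",       lambda v: v == PLACEHOLDER_APPLE_OUI, 20),
    ("Personal-iPad", "dhcp_hostname", lambda v: "ipad" in v.lower(), 30),
    ("Personal-iPad", "dhcp_class_id", lambda v: "apple" in v.lower(), 20),
]
MIN_CERTAINTY = 40   # a profile must reach this total before it is assigned
POLICY = {"Printer": "place on VLAN X", "Personal-iPad": "restricted access"}
SENSOR_FAMILIES = ("cdp", "lldp", "dhcp", "mac")

def sensor_report(learned):
    """COLLECTION: Device Sensor on the switch forwards only CDP/LLDP/DHCP/MAC attributes."""
    return {k: v for k, v in learned.items() if k.split("_", 1)[0] in SENSOR_FAMILIES}

def classify(report):
    """CLASSIFICATION: sum certainty per profile; the best profile wins if it clears the minimum."""
    scores = {}
    for profile, attr, matches, cf in PROFILE_RULES:
        if attr in report and matches(report[attr]):
            scores[profile] = scores.get(profile, 0) + cf
    if not scores:
        return "Unknown", 0
    best = max(scores, key=scores.get)
    return (best, scores[best]) if scores[best] >= MIN_CERTAINTY else ("Unknown", scores[best])

def authorize(learned):
    """AUTHORIZATION: map the profile to the policy from the slide, or a safe default."""
    profile, certainty = classify(sensor_report(learned))
    return profile, certainty, POLICY.get(profile, "default: restricted until profiled")

# Constructed sample endpoints, as the switch would learn them.
PRINTER = {"cdp_platform": "Office printer model Z", "dhcp_class_id": "printer-firmware",
           "snmp_sysname": "prn-3f"}   # SNMP is not a sensor family, so it is dropped
IPAD = {"mac_oui": PLACEHOLDER_APPLE_OUI, "dhcp_hostname": "bobs-iPad",
        "dhcp_class_id": "apple-dhcp-client"}
ONLY_OUI = {"mac_oui": PLACEHOLDER_APPLE_OUI}   # one weak clue: stays below minimum certainty
```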
Tying it All Together: Contextual Access Control
Context used in policy: Device Type, Location, User, Posture, Access Method, Time, Custom
What's the Cisco Advantage?
Fun Fact: Cisco has 4X more dedicated BYOD engineers than our competitors!
• Market Leader: NAC, AAA, VPN, FW – we know security
• Systems Solution vs. Overlay: deep integration vs. band aids
• Commitment: extensive engineering is funded
• We are Ready: over 400 ATP partners vigorously trained
"TrustSec and ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." Forrester, 2011
Leader in Gartner NAC Magic Quadrant, Dec 2011
ISE – Securely Enabling BYOD
• Easy BYOD: removes the IT burden; user self onboarding
• Unified Policy Access Control: contextual policy & access control for users & guests
• Consistent Security: compliance with regulatory, government and corporate requirements
Resources - Customers
• ISE Information: http://www.cisco.com/go/ise
• Cisco TrustSec: www.cisco.com/go/trustsec
• Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html