Cisco Connect 2019, Serbia, 19th March 2019
Local knowledge.
Cisco Connect 2019 Security
COM-4T DOO Belgrade
Presenter: Branislav Ostojić
Figure: Cisco Identity Services Engine, connecting trusted users and devices to trusted services. Trusted users and partners reach Cloud App A and Cloud App B (Cloud) and Server A and Server B (On Prem); a trust matrix distinguishes Trusted App / Services from Non-Trusted App / Services.
Context used for the decision: Vulnerability, Threats, Posture, Behavior, Time, Location, User-Groups, Device-type.
Outcomes: Improved Visibility and Decision; Software-Defined Segmentation; Service Access & Entitlement; Location-Free App/Service Access.
CISCO IDENTITY SERVICES ENGINE: connecting trusted users and devices to trusted services.
Customer use cases: GUEST, CORPORATE, BYOD.
WIRELESS: starts with wireless; non-disruptive due to SSIDs.
WIRED: control wired access; 802.1X / MAB (with Profiling).
POSTURE: see apps & HW inventory; enforce system compliance.
SEGMENTATION: use SGTs for segmentation; enforce group based policies.
RTC: integrate with eco-system partners; contain threats.
COMPLIANCE | PCI, HIPAA, SOX, Financial and other regulations
VISIBILITY | Users, Devices, Location, Applications, Threats, Vulnerabilities
CONTROL | Authorized network access, Segmentation, Threat Containment
Not a standard or recommended approach | Each use case may be the end goal
Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
Access Control: consistent access control across wired, wireless and VPN networks. 802.1X, MAC, Web Authentication and Easy Connect for admission control.
Guest Access: fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
BYOD Access: simplified BYOD management with built-in CA and 3rd party MDM integration for onboarding and self-service of personal mobile devices.
Segmentation: topology independent software-defined segmentation policy to contain network threats.
Threat Control: protection against threats across the attack continuum, before, during and after an attack. Reduce time-to-detection from days to hours.
Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.
Context Exchange: context sharing with the partner eco-system to improve their overall efficacy and accelerate time to containment of network threats.
The profiling service in Cisco ISE identifies the devices that connect to your network. Endpoints send interesting data that reveals their device identity.
Profiling data sources: AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS); Feed Service (Online/Offline).
The 3 types of guest access:
• Hotspot: immediate, un-credentialed Internet access
• Self Registered: self-registration by guests; sponsors may approve access
• Sponsored Guest Access: authorized sponsors create the account and share credentials
1 million supported guest accounts. Guest account notification options: EMAIL, PRINT, SMS. API: manage guest accounts via REST. Portal language customization. Social media login support (Facebook).
Simple BYOD (Base License):
• Guest type ’internet only’ access to personal device, or
• Password based access to BYOD SSID, limited access
Full BYOD (Base + Plus License):
• Full automation of the BYOD process – device registration, native supplicant configuration, certificate installation, management.
ISE internal CA for BYOD certificates
Access based on MDM policy
Single / Dual SSID provisioning
Native supplicant & cert provisioning
EMM integrations
Device Support: iDevice, Android, macOS, Windows, ChromeOS.
Figure: matrix of device access to PUBLIC and CORPORATE resources by device type.
MDM Policy Checks: device registration status, device compliance status, disk encryption status, pin lock status, jailbreak status, manufacturer, model, IMEI, serial number, OS version, phone number.
Posture compliance assessment for mobile devices (personal device, Cisco ISE, MDM, Internet, Corporate):
1. Register with ISE
2. Internet access
3. Register with MDM
4. Comply with MDM policy
5. Allow corp access
MDM partners: Good, SAP, Absolute Software, IBM, AirWatch, Tangoe, MobileIron, Globo, Jamf software, Symantec, MaaS360.
Posture defines the state of compliance with the company’s security policy.
Posture conditions: Anti-Malware Condition, Anti-Spyware Condition, Anti-Virus Condition, Application Condition, Compound Condition, Disk Encryption Condition, File Condition, Patch Management Condition, Registry Condition, Service Condition, USB Condition.
Remediation actions: Anti-Malware Condition, Anti-Spyware Condition, Anti-Virus Condition, File Remediations, Launch Program Remediations, Link Remediations, Patch Management Remediations, USB Remediations, Windows Server Update Services, Windows Update Remediations.
Posture Flow:
1. Authenticate User/Device. Posture: Unknown/Non-Compliant?
2. Quarantine: limited access via VLAN/dACL/SGTs.
3. Posture Assessment: check hotfix, AV, pin lock, USB device, etc. (for example, Anti-Virus? → Antivirus Update).
4. Remediation: WSUS, launch app, scripts, MDM, etc.
5. Authorization Change: full access – VLAN/dACL/SGTs.
Traditional Segmentation: security policy based on topology; high cost and complex maintenance. Each role gets its own VLAN at the Access Layer (BYOD VLAN for BYOD, Guest VLAN for Supplier, Voice VLAN for Voice, Data VLAN for Employee, Quarantine VLAN for Non-Compliant), carried through the Aggregation Layer to the Enterprise Backbone. Every VLAN brings its own Address, DHCP Scope, Redundancy, Routing, Static ACL and VACL.
Group Based Policy: use existing topology and automate security policy to reduce OpEx. Employee, Supplier, BYOD and Non-Compliant endpoints share the Data VLAN (Voice stays on the Voice VLAN) and are distinguished by tags (Employee Tag, Supplier Tag, Non-Compliant Tag); ISE provisions the policy centrally and the DC Firewall / Switch enforces it in front of the DC Servers. No VLAN change, no topology change, central policy provisioning, micro/macro segmentation.
Figure: ISE eco-system. Inputs: Directory Services, Vulnerability Scanners, System managers, Threat Intelligence, Mobility Services Engine, Mobile Device Managers, ENDPOINTS → CISCO ISE.
Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices.
Context Reuse: by eco-system partners for analysis & control.
Context: Scalable Group, Who, What, When, Where, How, Posture, Threat, Vulnerability.
Consumers: STEALTHWATCH, FIREPOWER SERVICES, DNAC, + 3rd PARTY PARTNERS, via:
• pxGrid
• REST API
• Syslog
Figure: threat-centric NAC. AMP and Qualys feed Cisco ISE with threat events, CVSS, IOC, vulnerability assessments and threat notifications about endpoints.
Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
Complements posture: vulnerability data tells the endpoint’s posture from the outside.
Expanded control: driven by threat intelligence and vulnerability assessment data.
Faster response: with automated, real-time policy updates based on vulnerability data and threat metrics.
Network Access Policy: create ISE authorization policies based on the threat and vulnerability attributes (Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)) alongside Who, What, When, Where, How, Posture, Threat, Vulnerability.
Figure: rapid threat containment. The Network Fabric carries Employee, Supplier and Quarantine segments, a SharedServer, a Server in a High Risk Segment, and the Internet. StealthWatch, FirePower or a 3rd party app such as Splunk sends an event to ISE:
Event: XYZ
Source IP: 10.4.51.5
Role: Supplier
Response: Quarantine
ISE answers with a Change of Authorization: Quarantine.
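As an added illustration of the posture flow and the threat/vulnerability-driven authorization described above (a constructed example, not Cisco ISE code): an ordered rule table maps session context (user group, posture, CVSS, IOC) to an authorization profile, and a session is re-authorized whenever a posture result or a partner event arrives, the way ISE does with a RADIUS Change of Authorization. The CVSS threshold, profile and SGT names, dACL entries and the event shape are assumptions.

```python
"""Context-based network access authorization (constructed example, not Cisco code).

Profile = f(user group, posture, CVSS from the vulnerability feed, IOC from the threat feed).
Any change in those inputs triggers a re-authorization of the live session (CoA).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Posture(Enum):
    UNKNOWN = "unknown"
    NON_COMPLIANT = "non-compliant"
    COMPLIANT = "compliant"


@dataclass
class SessionContext:
    source_ip: str
    user_group: str                  # Employee, Supplier, Guest, ...
    posture: Posture = Posture.UNKNOWN
    cvss: Optional[float] = None     # highest CVSS reported by the scanner feed
    ioc: bool = False                # indicator of compromise from the threat feed


@dataclass
class AuthzProfile:
    name: str
    sgt: str                         # scalable group tag pushed to the fabric
    dacl: List[str] = field(default_factory=list)


HIGH_RISK_CVSS = 7.0                 # assumed threshold; the admin chooses it in practice

# Remediation-only dACL: reach the posture and patch servers, nothing else (constructed addresses).
QUARANTINE_DACL = ["permit ip any host 10.0.0.10", "permit ip any host 10.0.0.20", "deny ip any any"]


def authorize(ctx: SessionContext) -> AuthzProfile:
    """Ordered rule table: the first matching rule wins, like an ISE authorization policy."""
    if ctx.ioc:
        return AuthzProfile("Quarantine", "Quarantine", QUARANTINE_DACL)
    if ctx.cvss is not None and ctx.cvss >= HIGH_RISK_CVSS:
        return AuthzProfile("High_Risk_Segment", "High_Risk", QUARANTINE_DACL)
    if ctx.posture is not Posture.COMPLIANT:
        # Unknown or non-compliant posture: limited access until remediation completes.
        return AuthzProfile("Posture_Remediation", "Non_Compliant", QUARANTINE_DACL)
    if ctx.user_group == "Employee":
        return AuthzProfile("Employee_Full", "Employee", ["permit ip any any"])
    if ctx.user_group == "Supplier":
        return AuthzProfile("Supplier_Limited", "Supplier",
                            ["permit tcp any 10.4.0.0 0.0.255.255 eq 443", "deny ip any any"])
    return AuthzProfile("Guest_Internet", "Guest",
                        ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"])


class SessionStore:
    """Active sessions keyed by source IP, so a partner event can be mapped to a session."""

    def __init__(self) -> None:
        self.sessions: Dict[str, SessionContext] = {}
        self.coa_log: List[str] = []

    def login(self, ctx: SessionContext) -> AuthzProfile:
        """Initial authorization at authentication time (posture usually still unknown)."""
        self.sessions[ctx.source_ip] = ctx
        return authorize(ctx)

    def _reauthorize(self, ip: str, reason: str) -> AuthzProfile:
        profile = authorize(self.sessions[ip])
        self.coa_log.append(f"CoA {ip}: {reason} -> {profile.name} (SGT {profile.sgt})")
        return profile

    def posture_result(self, ip: str, posture: Posture) -> AuthzProfile:
        """Posture assessment finished (or remediation completed): re-evaluate the session."""
        self.sessions[ip].posture = posture
        return self._reauthorize(ip, f"posture={posture.value}")

    def threat_event(self, event: dict) -> Optional[AuthzProfile]:
        """Event from a partner such as Stealthwatch/AMP/Qualys; the dict shape is constructed."""
        ip = event["source_ip"]
        if ip not in self.sessions:
            return None                      # no live session for that address
        ctx = self.sessions[ip]
        if "cvss" in event:
            ctx.cvss = max(ctx.cvss or 0.0, float(event["cvss"]))
        if event.get("ioc"):
            ctx.ioc = True
        return self._reauthorize(ip, event.get("event", "threat"))
```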
Cisco DNA™ Center: simple workflows – Design, Provision, Policy, Assurance.
Components: Software-Defined Access, APIC-EM, Network data platform, Identity Services Engine.
Managed infrastructure: wireless access points, wireless LAN controllers, switches, routers.
Figure: Cisco DNA Center and Cisco Identity Services Engine. DNA Center handles Campus Fabric management, policy authoring workflows, and groups and policies; ISE handles authentication, authorization and policies; the two exchange data over pxGrid and REST APIs.
Establish user trust with MFA
81% of breaches leverage stolen or weak passwords. Source: Verizon 2018 Data Breach Investigations Report
● Compromised credentials are a major security risk
● Cumbersome tokens and one-time passwords; not user friendly
Figure: Duo integration surface. Start here, then expand: Custom (REST APIs, Web SDK), VPN (RADIUS), RA, SSO (SAML, OIDC), RRAS, Multicloud, Email/MSFT, On-Prem.
Automatic Enrollment: admins can import users from existing Azure, LDAP and AD directories.
Self Enrollment: users can self-enroll into Duo in less than 1 minute.
Import Users: provision users using Duo’s REST API, or add users manually, one at a time or through CSV.
● Users can manage their own 2FA devices during login.
● Add, remove and configure devices.
● Reduce TCO by enabling the user to easily manage their own device.
Learn more about Device Management
Assess the health and security posture of any device
99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021). Source: Gartner, Dale Gardner, 2018 Security Summit
● Attackers exploit known vulnerabilities
● Patching devices (especially user owned) is complex
● End users continue to access data from potentially vulnerable devices
● Accessing critical data from vulnerable devices can be risky
Endpoint Management Status: Duo’s Trusted Endpoints integrates with endpoint management systems to detect if the device is managed by your IT.
Security Posture Visibility: Duo’s Unified Endpoint Visibility inspects the device at the time of access without installing any endpoint agents.
Mobile Devices: corp managed asset status, biometrics (Touch/Face) status, screen lock status, OS condition (tampered) status, encryption status, platform type, device OS type, device OS version, device owner, Duo Mobile version.
Laptops / Desktops: corp managed asset status*, device owner, OS type, OS versions, browser type, browser versions, Flash & Java plugins versions, OS, browser and plugins status.
* Additional conditions can be assumed for policy by the corp managed asset status such as disk encryption, anti-virus, etc.
Platforms: iOS, Android, Windows, Mac, ChromeOS. Ownership models: corporate owned & managed; employee owned & corporate managed; employee owned & unmanaged (BYO).
Reliable inventory tracking and reporting of endpoints –> fundamental requirement for compliance and risk management programs
Windows – Native: Microsoft AD, Ivanti (Landesk). Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc. Alternative: Duo has a generic deployment.
Mobile – Duo: the Duo Mobile app can be used to trust mobile devices (great for customers w/o MDM). Native: AirWatch, MobileIron, Google G Suite, Sophos.
MacOS – Native: Jamf. Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc. Alternative: Duo has a generic deployment.
Admins can monitor whether the devices used are managed or not.
End users get just-in-time notification about out-of-date OS, browsers, Flash and Java. If users do not update by a certain day, the endpoints are blocked.
https://demo.duo.com/remediation
Manage and control who is allowed to access applications
● Customizable security policies
● Global, App & Group Level controls
● Establishes a level of trust based on users and devices
https://demo.duo.com/access-control
● Policies are centrally-managed in the Duo Admin panel
● Map compliance / security requirements to Duo’s policies. Examples:
○ Block out-of-date and vulnerable devices from accessing any app
○ Step-up authentication for users coming from unknown IP
○ Step-down authentication for users coming from known geolocation
● Policies can apply:
○ Global → all users and applications
○ Application → only to specific application
○ Group (users) → only to specific group of users
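To show how the three policy scopes listed above compose into one decision (an added example, not Duo’s policy engine): a layered policy store where the more specific scope wins, group over application over global, and each scope overrides only the settings it explicitly sets. The precedence order, the decision labels, and the IPs, countries and group names are assumptions.

```python
"""Layered access-policy resolution (constructed example, not Duo code).

Scopes: global -> application -> group. A setting left as None at a scope
falls through to the scope below it. Decisions are labels, not real actions.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Optional, Set


@dataclass
class AccessRequest:
    user: str
    groups: List[str]           # the user's groups, in the order the admin listed them
    application: str
    source_ip: str
    country: str
    device_up_to_date: bool     # OS, browser and plugins current, per the device inspection


@dataclass
class Policy:
    """One policy scope. None means this scope leaves the setting to the layer below."""
    block_outdated_devices: Optional[bool] = None
    known_networks: Optional[Set[str]] = None     # source IPs the admin treats as known
    known_countries: Optional[Set[str]] = None    # geolocations the admin treats as known
    mfa_required: Optional[bool] = None


def merge(lower: Policy, upper: Policy) -> Policy:
    """The upper scope overrides only the settings it explicitly sets."""
    merged = Policy()
    for f in fields(Policy):
        upper_val = getattr(upper, f.name)
        setattr(merged, f.name, getattr(lower, f.name) if upper_val is None else upper_val)
    return merged


class PolicyStore:
    def __init__(self, global_policy: Policy) -> None:
        self.global_policy = global_policy
        self.app_policies: Dict[str, Policy] = {}
        self.group_policies: Dict[str, Policy] = {}

    def effective(self, req: AccessRequest) -> Policy:
        """Resolve the policy that applies to this request: global, then app, then group."""
        policy = merge(Policy(), self.global_policy)
        policy = merge(policy, self.app_policies.get(req.application, Policy()))
        for group in req.groups:            # assumption: first group with a policy wins
            if group in self.group_policies:
                policy = merge(policy, self.group_policies[group])
                break
        return policy

    def decide(self, req: AccessRequest) -> str:
        """Return one of: block, mfa-strong (step-up), mfa, allow (step-down)."""
        p = self.effective(req)
        if p.block_outdated_devices and not req.device_up_to_date:
            return "block"                  # out-of-date device: no access until remediated
        known_ip = req.source_ip in (p.known_networks or set())
        known_geo = req.country in (p.known_countries or set())
        if not known_ip:
            return "mfa-strong"             # step-up for an unknown IP
        if known_geo and p.mfa_required is False:
            return "allow"                  # step-down: known IP and known geolocation
        return "mfa"
```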
Duo supports hundreds of apps out of the box
Figure: Duo Cloud Platform. A User on an Access Device, with an MFA Device, reaches Cloud Apps or on-premises services through one of: Web/SSH (Duo Network Gateway); Multi-Factor Authentication for VPN, Virtual Desktop, etc.; Duo Integrated (azure-ad, rdp, ssh, Windows, app, api, etc.); Duo Access Gateway [SAML/SSO]; or Duo Auth Proxy [Radius/LDAP]. Primary Auth is against AD, Azure-AD, LDAP, etc. The cloud platform provides Device Policy Check, Device Visibility, User Policy, User Management and MFA Management.
Figure: Duo Beyond. A Trusted User on a Trusted Device reaches, from the Public Internet, Security Groups Tier 1 (10.0.0.1-4), Tier 2 (*.domain.local) and Tier 3 (192.0.0.1/24) through DNG (443) and SSH.
Use Duo Beyond to secure access to internal networks and the public cloud.
Authentication methods:
• Duo Push
• Mobile Passcode
• Phone, SMS
• HOTP Token
• U2F/WebAuthn
• Bypass
Core service and policy engine is always in the cloud.
Preferred: use Duo Access Gateway (SAML) for ASA. Best user experience + Trusted Endpoints soon.
Optional: use Duo Auth Proxy (Radius). User receives automatic push. Consider for older versions and FTD.
Limited: use LDAPS. No proxy required. End user experience requires a 2nd password field; Device Trust only supported for web based SSL VPN.
Requirements:
1. A SAML gateway such as Duo Access Gateway (DAG) for SSO. Read more here.
2. ASA version 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher of each release
3. AnyConnect 4.6 or later.
Requirements
1. Cisco ASA 8.3 or later
2. Cisco FTD 6.3 or later
3. Duo Authproxy
Learn more about AnyConnect RADIUS integration
Figure: Existing SSO/IdP and AD or SAML Directory feeding the Duo Access Gateway.
Duo SSO for Cloud apps
● Easily access all cloud applications from a single dashboard
● Enable consistent security controls across cloud applications
● Secure every cloud application
DAG Authentication Sources: the DAG is an IdP that verifies authentication requests against an on-premises or cloud identity database.
On-premises: Microsoft AD, Open LDAP, SAML IdP, OpenID Connect.
Cloud Identity Providers: the DAG can be configured to use SAML or OIDC for cloud identities through 3rd party providers.
SAML Providers: Bitium, CA SSO, Radiant Logic, F5, Juniper, Oracle, Shibboleth, Microsoft AD FS, Microsoft Azure AD, G Suite (Google), Okta, OneLogin, SecureAuth, many more!
OIDC Providers: Microsoft Azure, G Suite (Google).
O365, RDP/Windows Logon, and Azure AD use cases
Figure: three integration paths. Integration with DAG/Duo SSO: on-premises directory → Duo Access Gateway (native SSO and IdP support). Integration with ADFS: on-premises directory → 3rd party identity provider. Integration with Azure AD: native Azure-AD conditional access.
Import users directly into Duo from Azure without any on-premises software.
Import users via LDAP from AD or OpenLDAP directories. Requires installation of the Duo Authentication Proxy.
Learn more about directory sync
Executive on a plane, salesperson at a hotel, vendor at a customer: users need to authenticate with MFA into their machines before they can access the internet / secure portal.
Duo Mobile Passcode: use the smartphone you own; enter a one-time passcode.
Universal Second Factor (U2F): Yubico or other security keys; just tap the key.
● Deploy a Duo Network Gateway in the DMZ using Docker, with both “public” and “internal” access.
● Configure your SAML IdP for primary auth.
● Configure DNG with Duo for secondary auth.
● Configure a web application on the DNG for your protected “internal” application.
● Create public DNS entries for your protected internal web apps to point to the DNG’s public interface.
● Users access the “internal” app using their browser.
https://demo.duo.com/ssh-remote-access
Demo: SSH Access with Duo Beyond
CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.
| | Duo | Traditional 2FA |
|---|---|---|
| Deployment | Minimal cost. Duo doesn’t require or charge for professional services | High cost. Professional installation required |
| Integrations | Unlimited. Supports VPNs, RDP, cloud apps, more | Pay per integration. May require custom connectors |
| Token deployment | No tokens required. Use Duo Mobile on smartphones | Several months. Token distribution and shipping |
| Token replacement (lost, stolen or broken replacements) | No token management. Most users prefer Duo Mobile | 5-10% lost per month. Tokens can also expire or malfunction |
| On-going maintenance | Included. Support included | Additional cost. Support sold separately |
| Patches & updates (for 2FA appliance) | Automated. Updated by Duo in the cloud | Manual. Requires extensive IT admin support |
| Help desk calls (average per user per year) | 1. Easy and intuitive for end-users | 4. Clunky and confusing end-user experience |
| New user enrollment (time per user) | 2-3 min. End-users can self-enroll | 1 hour. Requires end-user training |
| Time to authenticate | 2 seconds. Tap to approve Duo Push request | 15-30 seconds. Time to type OTP |
| Device visibility (PCs, Macs, & mobile devices, BYOD) | Included | Requires additional products |
| Role-based user policies (security policies for various user groups) | Included. Require more or less security based on user group | Requires additional products. “Adaptive auth” needed |
Fill in the survey, pick up a gift at the „Informacije” (Information) desk and take part in the prize draw at the closing of the conference.