Ise 1 2-bdm-v4

45 slides

C97-726694-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Identity Services Engine: All-in-One Enterprise Policy Control

Upload: danny-liu

Post on 15-Aug-2015

Category: Design

TRANSCRIPT

Page 1

Cisco Identity Services Engine: All-in-One Enterprise Policy Control

Page 2

Access Today: Connected Experiences

End-User Behaviors
• Over 15 billion devices by 2015, with the average worker using 3 devices
• New workspace: anywhere, anytime
• 71% of Gen Y workforce do not obey policies
• 60% will download sensitive data on a personal device

IT Trends
• Must control the multiple devices and guests
• Security: top concern for BYOD
• Mobile malware has doubled (from 2010 to 2011)
• IT consumed with network fragmentation

Reduce Security Risk | Improve End-User Productivity | Increase Operation Efficiency

Page 3

Cisco Identity Services Engine: All-in-One Enterprise Policy Control

Comprehensive Secure Access

More Productive Workers and End Users

Lower Operating Costs

Page 4

Proven: Over 2000 Deployments

Retail Healthcare Education

Financial Manufacturing Government

BYOD Guest Access Secure Access

Page 5

Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control

Who What Where When How

Virtual machine client, IP device, guest, employee, and remote user

Cisco® ISE

Wired Wireless VPN

Business-Relevant Policies

Replaces AAA and RADIUS, NAC, guest management, and device identity servers

Security Policy Attributes

Identity Context

Page 6

How Cisco ISE Is Used Today

BYOD

Users get safely on the Internet fast and easy

Guest Access

It is easy to provide guests limited-time and limited- resource access

Secure Access on Wired and Wireless Network and VPN

Control with one policy across wired, wireless, and remote infrastructure

Cisco TrustSec® Network Policy

Rules written in business terms control access

Page 7

BYOD: Automated Self-Service Portal

Get users on the net in minutes, not hours

Simple self-service portal for any user to get quickly on the net without help or hassle

Reduce burden on IT and help desk staff

Reliable automation reduces user problems to near zero so…

Immediate secure access

Rigorous identity and access policy enforcement

Page 8

Guest Services: Visitor Access in Minutes

Near-zero IT and help desk burden
• Employee hosted
• Full guest lifecycle

Accommodate and control
• Limited to Internet
• Time sensitive

Streamlined system
• Integrated into the all-in-one enterprise policy control—Cisco® ISE console

Page 9

Secure Access: Scalable Enforcement Across the Network

Automated onboarding and device security

Policy-governed unified access

Enforcement embedded in the intelligent network

Dependable anywhere access

Increase IT Productivity

Wired | Wireless | Remote

Page 10

Cisco TrustSec Network Policy: Turning Business Policy into Network Policy Efficiently in the Network

Distributed Enforcement Throughout Network: Switch, Router, DC Firewall, DC Switch

Network Context Classification: Security Group Tag

Page 11

Delivering the Cisco ISE Promise: Enterprise All-in-One Policy Control

Main Features and Benefits: Comprehensive Secure Access, Operation Efficiency, More Productivity

Device Profiling and Posture

Contextual Identity (Intelligent Identity)

Policy Management

Network Enforcement and Control Point

Page 12

Automated Device Security: Posture Assessment and Compliance Check

Comprehensive Secure Access

Initial Posture Validation
• MS patches
• AV and AS (antivirus and antispyware) installation
• Application and process running state

MDM Integration (New Feature)
• Corporate and personal device posture check and MDM remediation

MDM Policy Check
• Device registration status
• Device compliance status
• Disk encryption status
• PIN lock status
• Jailbreak status
• Manufacturer
• Model
• IMEI
• Serial number
• OS version
• Phone number

Page 13

Rigorous Identification and Enforcement: Many Layers of Identification Provide Deeper and Better Intelligence

Comprehensive Secure Access

Cisco Device Sensor (network based) | Active Endpoint Scanning | Device Feed* → Cisco ISE

Active scanning: enhanced accuracy

Integrated profiling: visibility in scale

Device feed: identity in scale

Cisco® ISE augments passive network insight with active endpoint data

Network infrastructure provides local sensing function

Manufacturers and ecosystem provide constant updates to new devices

* Scheduled for Spring 2013 (New Feature)

Page 14

Extensive Policy Enforcement: Comprehensive Contextual Identity

Comprehensive Secure Access

Identity (IEEE 802.1X)-Enabled Network

IDENTITY and CONTEXT (Who, What, Where, When, How)
• Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.
• Frank Lee: Guest; Wireless; 9 a.m.
• Security Camera Gateway: Agentless Asset; Chicago Branch
• Francois Didier: Consultant; HQ - Strategy; Remote Access; 6 p.m.
• Personal iPad: Employee Owned; Wireless; HQ

Methods: Guest access, Profiling, Posture, IEEE 802.1X, MAB, WebAuth

Enforced on Cisco Switches, Routers, and Wireless Access Points

Page 15

Policy Management: Streamlined Visibility to Create and Control Policy

Centralized management

Across wired and wireless network and VPN

Simplified troubleshooting

Operation Efficiency

Page 16

Efficient Network Enforcement: Policy-Based Sensing and Dynamic Control Integrated into the Network

Policy-Based Access Control

Scalable Enforcement: VLANs, Access Control Lists, Device Sensing

Identity and Context-Aware Network

Remote VPN User | Wireless User | Wired User | Devices | Virtual Desktop

Data Center | Intranet | Internet | Security Zones

Increased Operation Efficiency

Page 17

More Efficient Network-Enforced Security

Lower Operating Costs

Sites: NY, VPN, UK, CA | Data centers: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (ESXix)

Security Group Filtering

Cisco Distinction: Employee firewall rules = 10; production server rules = 50

• Customer managed > 500,000 firewall rules with 24 people
• Cisco TrustSec® and Cisco® ASA reduced that to 6 people

Page 18

Automated Onboarding

More Productivity

Trusted Wi-Fi

Onboarding

Authenticate user

Fingerprint device

Apply corporate configuration

Enterprise applications

Automatic policies

Secure and customizable captive portal

Self-registration for any device

Remediate actions

Page 19

Proven Success

“Instrumental in giving us visibility to enforce access policy, perform remediation, and improve compliance level”

“Now students and faculty can collaborate with ease, working anywhere, anytime on campus”

Positioned as leader in Gartner NAC Magic Quadrant, December 2012

“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.” Forrester 2011

Page 20

Industry Recognition for Leadership: Cisco Positioned as the Leader!

Source: Gartner NAC Magic Quadrant 2012. Gartner: "Magic Quadrant for Network Access Control," by Lawrence Orans and John Pescatore, December 8, 2011

Page 21

Customer Reference

Challenge
• Required enhanced global security for security-conscious company; customer service offering.

Solution
• Used Cisco® ISE to manage multiple systems and devices, segmenting infrastructure
• Profiling services for business units, individuals, contractors, and complete guest lifecycle wired or wireless.
• Always-on secure remote access with Cisco AnyConnect®

"Cisco ISE provides a best-in-class access control solution for Diebold, enabling unmatched granularity and insight about our users," —David Kennedy, Vice President, Former CSO, Diebold

Page 22

Cisco ISE Advantages

Winning combination of network and device intelligence to help ensure the most comprehensive secure unified access

Most extensive and efficient enforcement to achieve exceptional operation efficiency

Page 23

Cisco SecureX: Integrated, Network-Based Security Architecture

An Architectural Approach For…

Professional and Technical Services, Compliance, and Cisco® Validated Designs

Context-Based Policy and Management

Cloud-Based Intelligence

Cloud: Securing the Transition to Virtualization and Cloud

Collaboration: Securing Applications, Content, and Traffic

BYOD: Secure Access for the Distributed Workforce

Switches | Appliances | Wireless | Virtual | Routers | Private Cloud

Email | Firewall | Web | VPN | Policy | IPS

Network-Enforced Policy

Page 24

Secure Unified Access: Securing the Intelligent Platform for the Connected World

Cisco Prime™ | Cisco® ISE | Third-Party MDM Appliance (MDM Manager) | Cisco WLAN Controller | Cisco ASA Firewall and IPS | Cisco CSM and ASDM | Cisco Web Security | Wired Network Devices (Cisco Catalyst® Switches)

Cisco AnyConnect®: Office Wired Access | Office Wireless Access | Remote Access

Page 25

Cisco Identity Services Engine: Unified Context and Control Makes IT Platforms More Effective

Who What Where When How

Identity and Device Context

Cisco ISE

Virtual machine client, IP device, guest, employee, and remote user

Wired Wireless VPN

Business-Relevant Policies

Policy Management: Increases Operational Efficiency

Onboarding & Remediation: Increases Productivity and Improves User Experience

Device Profiling & Posture: Provides Comprehensive Secure Access

Intelligent Identity: Ensures Consistent Policies

Network Enforcement: Decreases Operational Costs

• Consistent source of identity
• Endpoint device-type awareness
• Posture, access level, network location context
• Enable ecosystem partner platform to share context for use in ISE network policy
• Enable ecosystem partner to take network actions via ISE

Benefits
• Allows deeper network and security insight
• Allows more detailed control over BYOD and sensitive users and groups
• Helps clarify which network and security events are important and helps make them actionable
• Unifies policy silos

Cisco Identity Services Engine (ISE): The Unified Directory of User/Device Context & Network Control

Cisco® ISE | Context Sharing | IT Infrastructure | Network Management | Network Control | Cisco Network

Page 26

Cisco ISE Ecosystem Partners

Security Information and Event Management (SIEM) and Threat Defense: Prioritize Events, User/Device-Aware Analytics, Expedite Resolution
• ISE provides user and device context to SIEM and Threat Defense partners
• Partners utilize context to identify users, devices, posture, location and network privilege level associated with SIEM/TD security events
• Partners may take network action on users/devices via ISE

Mobile Device Management: Ensure Device Enrollment and Security Compliance
• ISE serves as policy gateway for mobile device network access
• MDM provides ISE mobile device security compliance context
• ISE assigns network access privilege based on compliance context
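To make the MDM flow above concrete, together with the MDM Policy Check attributes listed on page 12, here is an added example in Python that is not part of this deck and not Cisco code: it parses a constructed set of MDM attributes into a compliance context and makes the ISE-side authorization decision. The attribute keys, the profile names (PermitAccess, Internet_Only, MDM_Redirect, DenyAccess) and the rule order are assumptions for illustration. What it adds to the bullets is the failure handling: an attribute the MDM does not report, or an MDM that cannot be reached, is treated as non-compliant and lands in quarantine rather than silently passing to full access.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Access(Enum):
    """Authorization results ISE would hand to the network. Profile names are assumed."""
    FULL = "PermitAccess"            # corporate access
    INTERNET_ONLY = "Internet_Only"  # quarantine: Internet only, so the MDM can remediate
    MDM_ENROL = "MDM_Redirect"       # redirect the device to the MDM enrolment portal
    DENY = "DenyAccess"


@dataclass(frozen=True)
class MdmContext:
    """Compliance attributes the MDM reports for one device (cf. the MDM Policy Check list).
    None means the MDM did not report the attribute, which is distinct from False."""
    registered: Optional[bool]
    compliant: Optional[bool]
    disk_encrypted: Optional[bool]
    pin_locked: Optional[bool]
    jailbroken: Optional[bool]
    os_version: str = ""


def _flag(value: Optional[str]) -> Optional[bool]:
    """Strict boolean parse: only an explicit 'true'/'false' is accepted; anything else is unknown."""
    if value is None:
        return None
    return {"true": True, "false": False}.get(value.strip().lower())


def parse_mdm_response(attrs: Dict[str, str]) -> MdmContext:
    """Map a flat attribute set (key names are assumed, not a real MDM API) to MdmContext."""
    return MdmContext(
        registered=_flag(attrs.get("registered")),
        compliant=_flag(attrs.get("compliant")),
        disk_encrypted=_flag(attrs.get("disk_encryption")),
        pin_locked=_flag(attrs.get("pin_lock")),
        jailbroken=_flag(attrs.get("jailbroken")),
        os_version=attrs.get("os_version", ""),
    )


def authorize(ctx: Optional[MdmContext]) -> Tuple[Access, str]:
    """ISE-side decision from the MDM context. Rules run from most to least severe,
    and an unknown attribute is never treated as satisfied."""
    if ctx is None:
        # MDM unreachable or device lookup failed: fail closed to quarantine, not open to FULL.
        return Access.INTERNET_ONLY, "no MDM context; failing closed to quarantine"
    if ctx.registered is not True:
        return Access.MDM_ENROL, "device not enrolled in MDM"
    if ctx.jailbroken is True:
        return Access.DENY, "device is jailbroken"
    failed: List[str] = [
        name for name, ok in (
            ("compliant", ctx.compliant),
            ("disk_encrypted", ctx.disk_encrypted),
            ("pin_locked", ctx.pin_locked),
            ("jailbreak_status_reported", ctx.jailbroken is not None),
        ) if ok is not True
    ]
    if failed:
        return Access.INTERNET_ONLY, "remediation required: " + ", ".join(failed)
    return Access.FULL, "enrolled and compliant"


if __name__ == "__main__":
    # Constructed sample replies for illustration; not captured from any MDM product.
    good = {"registered": "true", "compliant": "true", "disk_encryption": "true",
            "pin_lock": "true", "jailbroken": "false", "os_version": "6.1"}
    cases = (("compliant", good),
             ("unenrolled", {**good, "registered": "false"}),
             ("jailbroken", {**good, "jailbroken": "true"}),
             ("pin_lock missing", {k: v for k, v in good.items() if k != "pin_lock"}))
    for label, attrs in cases:
        access, reason = authorize(parse_mdm_response(attrs))
        print(f"{label:18} -> {access.value:14} ({reason})")
    print(f"{'mdm unreachable':18} -> {authorize(None)[0].value}")
```

The ordering matters: enrolment is checked before compliance because an unenrolled device has no trustworthy compliance data at all, and a jailbroken device is denied outright rather than quarantined because remediation through the MDM cannot be trusted on a rooted device.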

Page 27

Cisco ISE: All-in-One Enterprise Policy Control

Comprehensive Secure Access

More Productive Workers and End Users

Lower Operating Costs

Page 28

The Vision for the Intelligent Network: Securing New Connected Experiences

Retail: Location-based personalized promotions

Healthcare: Better patient care with tablet-based medical data

Education: Variety of learning options for online and onsite student experience

Page 29

Cisco ISE Resources

Page 30

Thank you.

Page 31

Cisco ISE Deployment: Backup Slides

Page 32

Savings and ROI

Need to have some validated numbers before we insert

Efficiency = Time or Money

Judith Ziajka
Pls add missing info.
Page 33

Secure Access in Action: Role-Based, Dynamic ACL Provisioning!

NCS Prime | ISE | Cisco WLAN Controller | Wired Network Devices (Cisco Catalyst Switches) | 3rd Party MDM Appliance (MDM Manager) | IronPort WSA

Dependable anywhere access

Enforcement embedded in the network

Automated onboarding and device security

Page 34

Cisco ISE in Action: Policy Management

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Restricted Data Center

Policy matrix (source SGT by destination):

Source SGT                    | Internet | Open Net | Serv Net | Data Center | Restricted DC
Exec, IT Laptop, Wired Net    | Permit   | Permit   | Permit   | Permit      | Permit
All, iPad, Internal           | Permit   | Permit   | Permit   | Deny        | Deny
Exec, iPad, VPN               | Permit   | Permit   | Permit   | Permit      | Deny
Guest, Any                    | Permit   | Deny     | Deny     | Deny        | Deny

John, IT Administrator: John updates Cisco® ISE for BYOD and guest access policies, which are pushed to the network.

Confidential. Product is planned, features are not committed.
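The policy matrix above, worked through as an added Python example (not Cisco configuration and not code from this deck): each session is first classified from its who/what/how context into a source SGT, and the source SGT is then looked up against the destination group. The tag names, the classification predicates and the rule that an unclassified session or an unknown destination is denied are assumptions; the permit/deny cells are copied from the slide's table. The example also shows why classification order matters: a guest carrying an iPad must get the guest tag, not the internal iPad tag, and an executive on an iPad inside the campus gets the iPad tag, so the device context removes the data-center access the executive would have on an IT laptop.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Contextual identity ISE builds for one endpoint session (values are assumed)."""
    role: str    # who:  "exec", "employee", "guest"
    device: str  # what: "it_laptop", "ipad", "any"
    access: str  # how:  "wired", "wireless", "vpn"


# Destination groups, in the column order of the slide's matrix.
DESTINATIONS: List[str] = ["Internet", "Open Net", "Serv Net", "Data Center", "Restricted DC"]

# Classification: the first matching rule assigns the source SGT (tag names are assumed).
# Order matters: guest is tested first so a guest with an iPad never gets the internal iPad tag.
CLASSIFIERS: List[Tuple[Callable[[Session], bool], str]] = [
    (lambda s: s.role == "guest", "Guest_Any"),
    (lambda s: s.role == "exec" and s.device == "it_laptop" and s.access == "wired", "Exec_ITLaptop_Wired"),
    (lambda s: s.role == "exec" and s.device == "ipad" and s.access == "vpn", "Exec_iPad_VPN"),
    (lambda s: s.device == "ipad" and s.access in ("wired", "wireless"), "All_iPad_Internal"),
]

# Source SGT x destination group, copied from the slide's table: P = Permit, D = Deny.
MATRIX: Dict[str, str] = {
    "Exec_ITLaptop_Wired": "PPPPP",
    "All_iPad_Internal":   "PPPDD",
    "Exec_iPad_VPN":       "PPPPD",
    "Guest_Any":           "PDDDD",
}


def validate_matrix(matrix: Dict[str, str] = MATRIX, dests: List[str] = DESTINATIONS) -> None:
    """Refuse to load a matrix whose rows do not cover every destination column exactly once."""
    for sgt, row in matrix.items():
        if len(row) != len(dests) or set(row) - {"P", "D"}:
            raise ValueError(f"malformed row for {sgt}: {row!r}")


def classify(session: Session) -> Optional[str]:
    """Return the source SGT for a session, or None when no rule matches."""
    for predicate, sgt in CLASSIFIERS:
        if predicate(session):
            return sgt
    return None  # unclassified sessions are never mapped to a permissive default tag


def permitted(sgt: Optional[str], dest: str) -> bool:
    """Matrix lookup with default deny for an unknown tag or an unknown destination group."""
    if sgt is None or sgt not in MATRIX or dest not in DESTINATIONS:
        return False
    return MATRIX[sgt][DESTINATIONS.index(dest)] == "P"


def decide(session: Session, dest: str) -> Tuple[bool, str]:
    """Classify, then enforce; returns (permit, sgt-or-'unclassified') for logging."""
    sgt = classify(session)
    return permitted(sgt, dest), sgt or "unclassified"


validate_matrix()

if __name__ == "__main__":
    # Constructed sessions mirroring the slide's walkthrough (Brice the CFO, Sarah the guest).
    samples = ((Session("exec", "it_laptop", "wired"), "Restricted DC"),
               (Session("exec", "ipad", "wireless"), "Data Center"),
               (Session("exec", "ipad", "vpn"), "Data Center"),
               (Session("guest", "ipad", "wireless"), "Open Net"),
               (Session("employee", "it_laptop", "wired"), "Internet"))
    for s, dest in samples:
        ok, sgt = decide(s, dest)
        print(f"{s.role:9}{s.device:10}{s.access:9} -> {sgt:20} {dest:14} {'Permit' if ok else 'Deny'}")
```

The last sample session (an ordinary employee on a wired laptop) has no row in the slide's table; in this example it is denied everywhere because nothing classified it, which is the safe outcome when a new user type appears before a policy row exists for it.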

Page 35

Cisco ISE in Action: Cisco ISE for Secure Access

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Wired | Restricted Data Center

John, IT Administrator

Brice, CFO

Wired
• Brice logs onto the wired network on an IT-issued laptop. Cisco® ISE authenticates, identifies context, and applies the wired executive policy.

Page 36

Cisco ISE in Action: Cisco ISE for BYOD

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Wired | Wireless | Restricted Data Center

Device Identity | AAA | DID

John, IT Administrator

Brice, CFO

Onboarding
• Brice connects his new iPad to the WLAN and logs on.
• While Cisco® ISE performs an AAA check of his ID, Cisco ISE Profiler identifies his device.

Page 37

Cisco ISE in Action: Cisco ISE for BYOD

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Wired | Wireless | Restricted Data Center

REDIR | REG

John, IT Administrator

Brice, CFO

Onboarding
• Cisco® ISE authenticates Brice, but does not recognize the iPad.
• Cisco ISE redirects Brice to the onboarding portal to register his iPad.

Page 38

Cisco ISE in Action: Cisco ISE for BYOD

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Wired | Wireless | Restricted Data Center

Policy

John, IT Administrator

Brice, CFO

Onboarding: Contextual Identity
• Cisco® ISE forms a contextual identity: Brice + iPad + location.
• Cisco ISE assigns a policy based on the context and grants role-based access.

Page 39

Cisco ISE in Action: Cisco ISE for BYOD

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Wired | VPN | Wireless | Restricted Data Center

John, IT Administrator

Brice, CFO

VPN
• Brice uses the same iPad from a hotel room. Cisco® ISE recognizes the context change and applies the executive VPN policy.

Page 40

Cisco ISE in Action: Cisco ISE for Guest Access

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Wired | VPN | Wireless | Restricted Data Center

John, IT Administrator

Brice, CFO (Sponsor)

Sarah, Vendor (Guest)

• Brice enters the Cisco® ISE guest hotspot portal and sponsors Sarah for 1-day access.
• Sarah receives a password through text message. She selects Guest WiFi, and Cisco ISE directs her to the guest portal to register and obtain Internet access.

Page 41

Cisco ISE in Action: Cisco ISE for BYOD

Internet | Services 1 | Campus Cloud | Data Center | Services 2 | Wired | Wireless | VPN | Restricted Data Center

BYOD | Guest | Policy Management

John, IT Administrator

Brice, CFO

Sarah, Vendor

Page 42

Delivering the Promise

Comprehensive Wired, Wireless, and VPN Secure Access
• Rigorous Identity Enforcement
• Extensive Policy Enforcement
• Security Compliance

More Productive Workers
• Automated Onboarding
• Automated Device Security
• Dependable-Anywhere Access

Lower Operating Costs
• Operation Efficiency
• Use Cisco® Infrastructure
• Next-Generation Policy Networking

Control devices everywhere

Control precisely who and what is allowed

Maintain and validate compliance

Secure every device

Get quick access with little IT intervention

Provide consistent service

Get the most from investments

Save time

End VLAN, ACL, and FW rule pain

ISE. That's it.

ktrahan
It seems onboarding is a bigger benefit to IT vs End user
Page 43

BYOD Spectrum: Where Is Your Customer on This BYOD Spectrum?

Limited
• Environment requires tight controls
• Company-only device
• Manufacturing environment, trading floor, classified government networks, traditional enterprise

Basic
• Focus on basic services and easy access for almost anybody
• Broader device types but Internet only
• Education environments, public institutions, simple guests

Enhanced
• Enable differentiated services and onboarding with security both onsite and offsite
• Multiple device types plus access methods
• Healthcare, early BYOD adopters, contractor enablement

Advanced
• Company-native applications, new services, and full control
• Multiple device types, company issued
• Innovative enterprises, retail on demand, mobile sales services (video, collaboration, etc.)

Page 44

Cisco ISE Packaging and Licensing

Platforms: Small: Cisco® ISE 3315 and 3415* | Medium-Sized: Cisco ISE 3355 | Large: Cisco ISE 3395 and 3495* | Virtual Appliance (* New)

Base License (ATP): Policy for Wired, Wireless, and VPN Endpoints; perpetual licensing
• Authentication and authorization
• Guest provisioning
• Link-encryption policies

Advanced License (ATP): Policy for Wired, Wireless, and VPN Endpoints; 3- or 5-year term licensing
• Device profiling
• Host posture
• Security group access

Wireless License: Policy for Wireless Endpoints; 5-year term licensing

Wireless Upgrade License (ATP): Extend Policy for Wired and VPN Endpoints

Page 45

Cisco ISE Inline Posture Node: Logical Topology Examples

Entry point for third-party wireless infrastructure: Wireless User → AP → Third-Party Controller → Layer 3 Switch → Cisco ISE Inline Posture Node (eth1 / eth0) → Layer 3 Switch → Trusted Network
• Policy Services: IEEE 802.1X authorization for WLC
• Policy Services: Authorization and posture for Inline Posture Node

VPN: VPN User → Internet → VPN Infra (Cisco® ASA) → Cisco ISE Inline Posture Node (eth1 / eth0) → Trusted Network
• Policy Services: RADIUS authorization for Cisco ASA
• Policy Services: Authorization and posture for Inline Posture Node