Security Before, During and After: Cisco Live Local Edition 2014
A New Paradigm for Information Security
Tim Ryan, Security Consulting Engineer, Public Sector East
Don Prince, Security Consulting Engineer, Public Sector East
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Threat Continuum – Before, During & After
• Building an Enterprise Access Control System with ISE
• ASA Features and Futures
• Web Security Review
• Q&A
Before, During and After Threat Mitigation
Verizon Data Breach Report Statistics
From over 850 breaches in 2012:
• 98% stemmed from external agents
• 81% utilized some form of hacking
• 69% incorporated malware
• 96% of attacks were not highly difficult
Malware Detection Methods
• 49% external party (law enforcement, fraud detection organization, customer, etc.)
• 28% self-detection, passive (employee, slow network, etc.)
• 16% self-detection, active (security devices). How can you increase this number?
FBI 2013 Threat Information, by the Numbers (from a recent presentation given to Cisco by an FBI field agent)
• 63% of victims were notified by an external entity
• 77% of intrusions used publicly available malware
• Valid credentials were used in 100% of cases
• 229 = median number of days that the attackers were present on the network before detection
• 40% of victims were attacked again after the initial remediation
Details on the OpenSSL Heartbleed vulnerability: http://www.cisco.com/security
If you knew you were going to be compromised, would you do security differently?
CryptoLocker Ransomware (report all CryptoLocker complaints to the FBI via www.ic3.gov)
• Typically delivered via an email attachment or a URL link to a software download
• Once installed it encrypts files on the victim's computer with AES, and the AES key is itself encrypted with an RSA public key; the matching private key is controlled and kept by the bad guys, so the files cannot be decrypted without it
• It will also encrypt files on network shares accessible by the victim
• A pop-up message tells the user to deposit money via MoneyPak or Bitcoin or the files will be locked forever
• Easy to prevent: don't click!
• Hard to recover from unless you have good backups, kept where the victim's account cannot write to them (a writable backup share is just another share to encrypt)
The Next Generation Security Model
Attack continuum: BEFORE (control, enforce, harden), DURING (detect, block, defend), AFTER (scope, contain, remediate), applied across network, endpoint, mobile, virtual and cloud, both at a point in time and continuously.
What device types, users and applications should be on the network?
BEFORE THE ATTACK: You need to know what is on your network to be able to defend it: devices, operating systems, services, applications and users (FireSIGHT).
Access controls enforce policy and manage applications and overall access to assets.
Access controls reduce the attack surface, but there will still be holes that the bad guys will find. Attackers do not discriminate: they will find any gap in the defenses and exploit it to achieve their objective.
DURING THE ATTACK: You must have the highest-efficacy threat detection mechanisms possible. Detection methods must be multi-dimensional and correlated. Once we detect attacks, the NGIPS can block them and dynamically defend the environment.
AFTER THE ATTACK: Cross-device information sharing (evolving). Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. They also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself: on the network, endpoints, mobile devices, virtual environments, and the cloud.
Mapping Technologies to the Model
Visibility and context underpin the whole attack continuum.
BEFORE (control, enforce, harden): Firewall, App Control, Identity Services + NAC, VPN, Vulnerability Management
DURING (detect, block, defend): Next Gen IPS, Web/Email Security, Anti-Malware
AFTER (scope, contain, remediate): Malware Tracking & Remediation, NetFlow, Forensics, Log Management, SIEM
Collective Security Intelligence: Cisco SIO (Security Intelligence Operations) and Sourcefire VRT (Vulnerability Research Team)
The world's largest cloud-based threat intelligence and defense network: telemetry from WWW, email gateways, ASA-CX firewalls (application visibility, web security), web security appliances (signatures, web categories), cloud web security, intrusion prevention (IPS, Sourcefire VRT) and endpoint devices feeds a loop of visibility, information and actions.
Visibility:
• 1.6M global sensors
• 75TB of live data feeds received per day
• 150M+ deployed endpoints
• 35% of worldwide email traffic
• 13B web requests
Actions: dynamically updated security solutions
• 5,500+ IPS signatures produced
• 8M+ rules per day
• 200+ parameters tracked
• 70+ publications produced
• 40+ languages; 600+ engineers, technicians and researchers
• $100M+ spent in dynamic research and development
• 80+ PhDs, CCIEs, CISSPs, MCSEs
• 24x7x365 operations
• Zero-day detection: 3-5 minute database updates
• Reputation-based malware protection
www.ironport.com/toc, www.cisco.com/security
Building an Enterprise Access Control Architecture with ISE
Cisco Secure Access Architecture & TrustSec: Identity- and Context-Centric Security
Security policy attributes (identity: who, what, where, when, how) feed a centralized policy engine. Business-relevant policies about users and devices become dynamic policy and enforcement: security policy enforcement, application controls, and monitoring and reporting.
Identity Services Engine: Policy Server Designed for Secure Access
ISE consolidates what used to be ACS, Profiler, Guest Server, NAC Manager and NAC Server:
• Centralized policy
• RADIUS server
• Secure Group Access
• Posture assessment
• Guest access services
• Device profiling
• Monitoring
• Troubleshooting
• Reporting
Added on top: device registration, supplicant and certificate provisioning, mobile device management.
Coming soon (*): Certificate Authority, Identity Resource, MDM Lite.
Authentication, Authorization, and Accounting: "Who" Is Connecting, What Access Rights Are Assigned, and Logging It
ISE Is a Standards-Based AAA Server: An Access Control System Must Support All Connection Methods
The ISE policy server supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP and VPN protocols (with Cisco Prime for network management):
• Wired: RADIUS; 802.1X = EAP over LAN
• Wireless: RADIUS; 802.1X = EAP over LAN
• VPN: SSL / IPsec
• WebAuth and MAC Authentication Bypass for endpoints without a supplicant
Separation of Authentication and Authorization
Policies are grouped into policy sets: a policy set condition selects the set, which holds separate authentication rules (how credentials are validated) and authorization rules (what access is granted).
Authentication Rules: Obtaining & Validating Credentials
Authentication options: RADIUS; 802.1X / MAB / WebAuth
Rule conditions on RADIUS attributes: Service-Type, NAS-IP-Address, User-Name, SSID, ...
Allowed protocols / EAP types: EAP-FAST, EAP-TLS, PEAP, EAP-MD5, host lookup (for MAB), ...
Identity sources: internal users and endpoints, certificate, Active Directory, LDAPv3, RADIUS, or an identity source sequence that tries several in order
Authorization Rules
RADIUS (802.1X / MAB / WebAuth): return standard IETF RADIUS attributes or 3rd-party Vendor-Specific Attributes (VSAs):
• ACLs (Filter-ID)
• VLANs (Tunnel-Private-Group-ID)
• Session-Timeout
• IP address (Framed-IP-Address)
• Vendor-specific, including Cisco, Aruba, Juniper, etc.
ISE Authorization Policy Definition
Authorization rule conditions can be customized on device type, location, user, posture, time, access method and custom attributes.
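The attribute list above is what an authorization profile turns into on the wire. The following is an added example, not Cisco or ISE code: it encodes an authorization result into RADIUS Access-Accept attributes (IETF Filter-Id, the three tagged Tunnel-* attributes that carry a VLAN, Session-Timeout, Framed-IP-Address, and Cisco cisco-av-pair VSAs for a downloadable ACL, a URL redirect and an SGT) and decodes them back, rejecting truncated attribute lists. The attribute numbers come from RFC 2865/2868 and the Cisco vendor id and av-pair syntax are the documented ones; the result dictionary keys, the redirect ACL name and the sample values are assumptions made for this example.

```python
import struct
from typing import Dict, List, Tuple

# RFC 2865 / RFC 2868 attribute numbers and the Cisco VSA identifiers
FILTER_ID, FRAMED_IP_ADDRESS, SESSION_TIMEOUT = 11, 8, 27
VENDOR_SPECIFIC = 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1          # cisco-av-pair is Cisco VSA type 1


def avp(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length includes the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """Tagged tunnel integer (RFC 2868): Tag(1) followed by a 3-byte value."""
    return avp(atype, bytes([tag]) + struct.pack("!I", value)[1:])


def cisco_av_pair(text: str) -> bytes:
    """Wrap a 'key=value' string in a Vendor-Specific attribute for vendor 9 (Cisco)."""
    return avp(VENDOR_SPECIFIC,
               struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AV_PAIR, text.encode()))


def build_authorization(result: Dict) -> bytes:
    """Encode an authorization result as Access-Accept attribute bytes.

    The dictionary keys (filter_id, vlan, session_timeout, framed_ip, dacl,
    redirect_acl/redirect_url, sgt) are names chosen for this example."""
    out = b""
    if "filter_id" in result:          # named ACL that already exists on the NAD
        out += avp(FILTER_ID, result["filter_id"].encode())
    if "vlan" in result:               # dynamic VLAN = three tunnel attributes sharing one tag
        tag = 1
        out += tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        out += tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
        out += avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(result["vlan"]).encode())
    if "session_timeout" in result:
        out += avp(SESSION_TIMEOUT, struct.pack("!I", result["session_timeout"]))
    if "framed_ip" in result:
        out += avp(FRAMED_IP_ADDRESS, bytes(int(o) for o in result["framed_ip"].split(".")))
    if "dacl" in result:               # downloadable ACL reference in ISE's av-pair syntax
        out += cisco_av_pair("ACS:CiscoSecure-Defined-ACL=" + result["dacl"])
    if "redirect_url" in result:       # CWA/posture redirect: the ACL selects what gets redirected
        out += cisco_av_pair("url-redirect-acl=" + result["redirect_acl"])
        out += cisco_av_pair("url-redirect=" + result["redirect_url"])
    if "sgt" in result:                # TrustSec tag: 16-bit hex value plus generation id
        out += cisco_av_pair("cts:security-group-tag=%04x-00" % result["sgt"])
    return out


def parse_attributes(data: bytes) -> List[Tuple]:
    """Decode attribute bytes into tuples; refuses truncated or zero-length AVPs.

    VSAs become ("VSA", vendor, vendor_type, value); tagged tunnel attributes
    become (type, tag, value); everything else is (type, raw_value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short at offset %d" % i)
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append(("VSA", vendor, vtype, value[6:4 + vlen]))
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((atype, value[0], int.from_bytes(value[1:], "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            out.append((atype, value[0], value[1:].decode()))
        else:
            out.append((atype, value))
        i += alen
    return out


if __name__ == "__main__":
    # constructed authorization result for an "Employees" rule
    raw = build_authorization({"vlan": 10, "session_timeout": 3600,
                               "dacl": "#ACSACL#-IP-PERMIT_ALL-5325f9a1", "sgt": 5})
    for attribute in parse_attributes(raw):
        print(attribute)
```

The VLAN is the part people get wrong: the switch only honours Tunnel-Private-Group-ID when Tunnel-Type (13, VLAN) and Tunnel-Medium-Type (6, IEEE 802) are present with the same tag, which is why the three are emitted together.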
What About That 3rd "A" in "AAA"? Accounting and Reporting
Detailed visibility into system operations.
ISE Session Log: session tracking and searching by user or device, with the option to disconnect a device.
Profiling: "What" Is Connecting to My Network?
How? Profiling. PCs are the easy case; profiling also classifies non-PCs such as UPSs, phones, printers and access points.
What ISE Profiling is:
– Dynamic classification of every device that connects to the network, using the infrastructure.
– Provides the context of "what" is connected, independent of user identity, for use in access policy decisions.
What Profiling is NOT:
– An authentication mechanism.
– An exact science for device classification.
Profiling Policy Overview: Profile Policies Use a Combination of Conditions to Identify Devices
Example conditions for an iPad:
• Is the MAC address (OUI) from Apple?
• DHCP:host-name CONTAINS iPad
• IP:User-Agent CONTAINS iPad
Data sources: CDP/LLDP/DHCP/mDNS/MSI/H323/RADIUS collected by the network devices; HTTP/DHCP/RADIUS probes on ISE; passive OS/application fingerprinting (future Sourcefire feed).
Result: "I am fairly certain this device is an iPad", so the profile library assigns this MAC address to the endpoint identity group "iPad".
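The iPad conditions above combine into a certainty score rather than a yes/no match, which is why profiling is "not an exact science". The following is an added example, not ISE's profiler: each condition carries a certainty factor, a policy matches when the factors of its matched conditions reach its minimum certainty and its parent policy also matches, and the most specific matching policy wins. The OUI sample, the policy hierarchy, the certainty factor values and thresholds, and the endpoint attributes are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed OUI table (vendor -> first three octets); a real deployment uses
# the IEEE OUI file delivered by the profiler feed service.
OUI_VENDORS = {"Apple": {"00:1B:63", "3C:07:54"}, "HP": {"00:1E:0B"}}

# Profiling policies: parent gives the hierarchy; min_cf is the certainty the
# summed matched conditions must reach; CF values are assumptions for this example.
POLICIES: Dict[str, Dict] = {
    "Apple-Device": {"parent": None, "min_cf": 10,
                     "conditions": [("MAC:OUI", "vendor", "Apple", 10)]},
    "Apple-iPad": {"parent": "Apple-Device", "min_cf": 20,
                   "conditions": [("DHCP:host-name", "contains", "iPad", 10),
                                  ("IP:User-Agent", "contains", "iPad", 20)]},
    "Apple-iPhone": {"parent": "Apple-Device", "min_cf": 20,
                     "conditions": [("DHCP:host-name", "contains", "iPhone", 10),
                                    ("IP:User-Agent", "contains", "iPhone", 20)]},
    "HP-Printer": {"parent": None, "min_cf": 30,
                   "conditions": [("MAC:OUI", "vendor", "HP", 10),
                                  ("DHCP:class-identifier", "contains",
                                   "Hewlett-Packard JetDirect", 20)]},
}


def oui(mac: str) -> str:
    """First three octets of a MAC in any common notation, as AA:BB:CC."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def condition_matches(attrs: Dict[str, str], attribute: str, op: str, value: str) -> bool:
    """attrs holds what the probes collected: MAC from RADIUS, DHCP and HTTP fields."""
    if attribute == "MAC:OUI" and op == "vendor":
        return oui(attrs.get("MAC", "")) in OUI_VENDORS.get(value, set())
    actual = attrs.get(attribute, "").lower()
    if op == "contains":
        return value.lower() in actual
    if op == "equals":
        return value.lower() == actual
    raise ValueError("unknown operator %r" % op)


def certainty(policy: str, attrs: Dict[str, str]) -> int:
    """Sum of the certainty factors of the policy's matched conditions."""
    return sum(cf for (a, op, v, cf) in POLICIES[policy]["conditions"]
               if condition_matches(attrs, a, op, v))


def ancestry(policy: str) -> List[str]:
    """Policy chain from the root down to the given policy."""
    chain: List[str] = []
    while policy is not None:
        chain.insert(0, policy)
        policy = POLICIES[policy]["parent"]
    return chain


def classify(attrs: Dict[str, str]) -> Tuple[str, int]:
    """Return (profile, certainty) of the most specific policy whose whole
    ancestry reaches its minimum certainty; ("Unknown", 0) if none does."""
    best, best_key = ("Unknown", 0), (0, -1)
    for name in POLICIES:
        chain = ancestry(name)
        if all(certainty(n, attrs) >= POLICIES[n]["min_cf"] for n in chain):
            cf = certainty(name, attrs)
            if (len(chain), cf) > best_key:       # deeper wins, then higher certainty
                best, best_key = (name, cf), (len(chain), cf)
    return best


if __name__ == "__main__":
    # constructed endpoint as seen by the RADIUS, DHCP and HTTP probes
    print(classify({"MAC": "3c:07:54:11:22:33", "DHCP:host-name": "Johns-iPad",
                    "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X)"}))
```

Note what the hierarchy buys: a device on a non-Apple OUI that merely calls itself "iPad" in DHCP never reaches the iPad policy, and an Apple device seen only through its OUI stays at the generic profile until another probe adds certainty.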
How Is the Profile Library Kept Current with the Latest Devices?
• Dynamic Feed Service
– Live update service for new profiles and OUI files
– Cisco and Cisco partners contribute to the service
– Opt-in model: new profiles are automatically downloaded from Cisco.com and applied to the live system
Web Authentication
Network Access for Guests and Employees
• Unifying network access for guest users and employees
– On wireless: multiple SSIDs, an open SSID for guests (SSID Guest) and a corporate SSID (SSID Corp)
– On wired: there is no notion of an SSID. A unified switchport must be able to use different authentication methods on a single port, because an employee desktop, a printer, a guest or contractor laptop and an IP phone may all plug into the same port.
► Enter Flex Auth
Flex Auth for Wired Ports: Converging Multiple Authentication Methods on a Single Wired Port
Order: 802.1X; on timeout/failure, MAB; on timeout/failure, WebAuth.
Interface config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 !
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
Building the Architecture in Phases
Wired deployment models: 802.1X is an access-prevention technology.
– A Monitor Mode is necessary: you must have a way to implement it and see who will succeed and who will fail.
– Determine why, and then remediate before taking 802.1X into a stronger enforcement mode.
Solution = phased approach to deployment:
– Monitor Mode (low security: connectivity over security)
– Low-Impact Mode (medium security: balanced security)
-or-
– Closed Mode (high security: security over connectivity)
Monitor Mode: A Process, Not Just a Command
Interface config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
• Enables 802.1X authentication on the switch, but "authentication open" means even a failed authentication will gain access
• Allows network admins to see who would have failed, and fix it, before causing a denial of service
(AuthC = Authentication, AuthZ = Authorization)
Low-Impact Mode: If Authentication Is Valid, Then Specific Access!
• Limited access prior to authentication (the pre-auth ACL applied to the port)
• AuthC success = role-specific access: dVLAN assignment / dACLs, Secure Group Access
• Still allows pre-AuthC access for thin clients, WoL and PXE boot devices, etc.
Interface config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
Closed Mode: No Access Prior to Login, Then Specific Access!
• Default 802.1X behavior (no "authentication open"): no access at all prior to AuthC
• Still uses all AuthZ enforcement types: dACL, dVLAN, SGA
• Must take thin clients, WoL, PXE devices, etc. into consideration
Interface config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
ISE Central Web Auth (CWA) Uses URL Redirection
MAB authentication rule: the condition matches RADIUS attributes Service-Type = 10 (Call-Check) AND [NAS-Port-Type = 15 (Ethernet) OR NAS-Port-Type = 19 (Wireless - IEEE 802.11)].
By default the Internal Endpoints database is the identity source: the request is authenticated if the MAC address is found there.
If the MAC address lookup fails and "If user not found" is set to "Reject" (the default), ISE rejects the request and sends an Access-Reject.
If "If user not found" is set to "Continue", a lookup that returns no result continues the process and moves on to authorization.
• MAB requests from a failed-authentication or timed-out user can then still be processed to return a specific authorization result (VLAN, dACL, URL-Redirect, and SGT), which is how an unknown endpoint is redirected to the web authentication portal.
URL Redirection
ISE uses URL redirection for:
• Central Web Auth
• Client software provisioning
• Posture discovery / assessment
• Device Registration WebAuth
• BYOD onboarding: certificate provisioning and supplicant configuration
• Mobile Device Management
• External web pages
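The MAB rule and the CWA redirect described above can be written down as a small policy evaluator. The following is an added example, not ISE code: it checks the Service-Type / NAS-Port-Type condition, normalises the MAC (NADs send it in several notations), looks it up in an internal endpoints table, applies the "If user not found" setting (Reject, Continue or Drop), and for an unknown endpoint that continues to authorization returns the url-redirect av-pairs keyed to the session id. The endpoint table, the authorization profiles, the redirect ACL name and the request dictionary keys are constructed for the example; the portal URL shape follows the slide.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

CALL_CHECK = 10                        # Service-Type value a NAD sends for MAB
ETHERNET, WIRELESS_80211 = 15, 19      # NAS-Port-Type values matched by the rule

# Constructed internal endpoints DB (MAC -> endpoint identity group) and the
# authorization profile each group maps to.
ENDPOINTS: Dict[str, str] = {}
AUTHZ_PROFILES = {
    "Printers": {"vlan": 20, "dacl": "PRINTER-ACL"},
    "IP-Phones": {"vlan": 30, "device-traffic-class": "voice"},
}
GUEST_PORTAL = "https://guest.abc.com:8443/guestportal/gateway"  # as on the slide
REDIRECT_ACL = "ACL-WEBAUTH-REDIRECT"   # assumed name of the switch's redirect ACL


def normalize_mac(raw: str) -> str:
    """Canonicalise aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff to AA:BB:... .

    The DB lookup must not depend on which notation the NAD happens to use."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


for _mac, _group in (("00:1b:63:aa:bb:cc", "Printers"), ("0011.2233.4455", "IP-Phones")):
    ENDPOINTS[normalize_mac(_mac)] = _group


def is_mab_request(req: Dict) -> bool:
    """The authentication rule condition: Service-Type = Call-Check AND
    NAS-Port-Type in (Ethernet, Wireless-IEEE 802.11)."""
    return (req.get("Service-Type") == CALL_CHECK
            and req.get("NAS-Port-Type") in (ETHERNET, WIRELESS_80211))


def evaluate(req: Dict, if_user_not_found: str = "Reject") -> Tuple[Optional[str], object]:
    """Run the MAB rule against one RADIUS Access-Request (given as a dict).

    Returns (None, reason) when the rule does not apply, ("Access-Reject", reason),
    ("Drop", reason) for a silently discarded request, or ("Access-Accept", attrs)."""
    if not is_mab_request(req):
        return None, "not a MAB request; falls through to the other rules"
    mac = normalize_mac(req["Calling-Station-Id"])
    group = ENDPOINTS.get(mac)
    if group is not None:                                   # MAC known: authenticated
        return "Access-Accept", dict(AUTHZ_PROFILES[group], identity_group=group)
    if if_user_not_found == "Reject":                       # ISE default
        return "Access-Reject", "MAC %s not in internal endpoints" % mac
    if if_user_not_found == "Drop":
        return "Drop", "MAC %s not in internal endpoints" % mac
    # "Continue": the unknown endpoint proceeds to authorization, where the
    # catch-all rule returns a CWA redirect bound to this session.
    query = urlencode({"sessionId": req["Audit-Session-Id"], "action": "cwa"})
    return "Access-Accept", {"url-redirect-acl": REDIRECT_ACL,
                             "url-redirect": GUEST_PORTAL + "?" + query}


if __name__ == "__main__":
    request = {"Service-Type": CALL_CHECK, "NAS-Port-Type": ETHERNET,
               "Calling-Station-Id": "de-ad-be-ef-00-01",
               "Audit-Session-Id": "0A0000010000000B"}   # constructed request
    print(evaluate(request))               # default: Access-Reject
    print(evaluate(request, "Continue"))   # CWA redirect for the unknown endpoint
```

The two settings give opposite outcomes for the same unknown MAC, which is the point of the slide: "Reject" keeps the port closed, "Continue" lets the authorization rules hand the endpoint to the guest portal.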
Integrated Guest Services and Lifecycle Management
Components of a full guest lifecycle solution:
• Provision: guest accounts via the sponsor portal
• Notify: guests of their account details by print, email, or SMS
• Authenticate/Authorize: guests via a guest portal on ISE
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Report: on all aspects of guest accounts
Guest Self-Service
Sponsor Portal: Create Guest Accounts
Customizable fields
• Define whether mandatory (*) or optional
• Can add up to 5 other custom attributes with custom labels
Guest roles and time profiles
• Pre-defined by the admin
Language templates
• Customizable guest notifications by language and general preferences
ISE: Multiple Guest Portals
• Several portals may be needed to support different groups/users based on:
– Location / country
– Type of device: WLC, switches
– Local language support
• ISE can hold several portals
• Multiple portals can be used simultaneously for authentication
Guest Deployment and Path Isolation
• Isolation at the access layer (port, SSID)
• Layer 2 path isolation: CAPWAP tunnels and VLANs for wireless; L2 VLANs for wired
• Layer 3 path isolation: VRF (Virtual Routing and Forwarding) on the L3 switches, with the global routing table for the corporate intranet, an Employee VRF, and a Guest VRF that terminates on the guest interface of the Cisco ASA firewall (Guest DMZ) next to its inside, DMZ and outside interfaces
• Various tunnel methods: GRE, VPN, MPLS
Topology on the slide: corporate access layer (corporate and guest traffic) -> WLC via CAPWAP and L3 switches with VRF -> Cisco ASA (inside, DMZ, Guest DMZ, outside) -> Internet.
ISE 1.2: Guest Access with Anchor Controller
The ISE Policy Services Node (PSN) has a dedicated guest portal interface (GE1) connected to the DMZ next to the wireless LAN anchor controller, while GE0 stays on the corporate LAN (10.x.x.x):
interface GigabitEthernet 0
 ip address 10.1.1.10 255.255.255.0
!
interface GigabitEthernet 1
 ip address 192.168.1.10 255.255.255.0
!
ip host 192.168.1.10 guest.abc.com
If GE1 is the first CWA-enabled interface, the URL redirect returned to the Cisco Wireless LAN Controller points at guest.abc.com:8443:
url-redirect=https://guest.abc.com:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
The client needs to resolve guest.abc.com to 192.168.1.10 via a local or public Internet DNS server.
Guest Tracking Leverages Network Logging
Log interesting activity from the guest user on the network devices (switches, wireless controllers, ASA, VPN) and forward it to the ISE policy server for correlation with the guest session:
• Guest IP accessed http://www.google.com
• Guest IP accessed http://facebook.com
• Guest IP triggered a network AV alert
• Guest IP triggered an infected endpoint event
• Guest IP ...
Guest Activity Tracking Integrates Network Logs: create a service policy on the ASA to inspect HTTP traffic for the guest subnet; ISE then shows the accessed URLs in its reports.
BYOD: Extending Network Access to Personal Devices
Onboarding Personal Devices: Registration, Certificate and Supplicant Provisioning
Self-service model for iOS, Android, Windows and Mac OS X via the My Devices portal:
• Device onboarding: registration of the device
• Certificate provisioning: device certificates based on Employee-ID and Device-ID
• Supplicant provisioning for native supplicants:
– Windows: XP, Vista, 7 & 8
– Mac OS X: 10.6, 10.7, 10.8, 10.9
– iOS: 4, 5, 6, 7
– Android: 2.2 and above
– 802.1X with EAP-TLS, PEAP & EAP-FAST
• Employee self-service portal: lost devices are blacklisted; the self-service model reduces the IT burden
• Single and dual SSID onboarding
Single Versus Dual SSID Provisioning
• Single SSID
– Start with 802.1X on one SSID (BYOD-Closed) using PEAP
– End on the same SSID with 802.1X using EAP-TLS (WLAN profile: SSID = BYOD-Closed, EAP-TLS, Certificate = MyCert)
• Dual SSID (most common method)
– Start with CWA on an open SSID (BYOD-Open, MAB / CWA)
– End on a different SSID (BYOD-Closed, 802.1X) using PEAP or EAP-TLS (WLAN profile: SSID = BYOD-Closed, PEAP or EAP-TLS, Certificate = MyCert)
Mobile Device Management (MDM): Extending "Posture" Assessment and Remediation to Mobile Devices
ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE: non-registered clients are redirected to the MDM registration page
• Restricted access: non-compliant clients are given restricted access based on policy
• Endpoint MDM agent: compliance and device application checks
• Device action from ISE: device stolen -> wipe data on the client
(The slide listed the supported MDM vendors and their minimum versions.)
MDM Compliance Checking
Compliance and attribute retrieval via the MDM API.
• Compliance based on:
– Macro level: the general Compliant or Not Compliant status reported by the MDM
OR
– Micro level: disk encryption enabled, PIN lock enabled, jailbroken status
• MDM attributes are available for policy conditions
• "Passive reassessment": bulk recheck against the MDM server on a configurable timer
– If the periodic recheck shows that a connected device is no longer compliant, ISE sends a CoA to terminate the session
MDM Enrollment and Compliance: User Experience Upon MDM URL Redirect
• MDM enrollment redirect condition: MDM:DeviceRegistrationStatus EQUALS UnRegistered
• MDM compliance redirect condition: MDM:DeviceCompliantStatus EQUALS NonCompliant
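The two redirect conditions and the passive reassessment above, as an added example that is not ISE or any MDM vendor's code: MDM attributes are fetched per device, the authorization decision follows the registration status and then the compliance status at either the macro or the micro level, and a reassessment pass re-queries the MDM for every connected session and emits a CoA for each session whose decision changed. The MDM records, the session table, the shape of the CoA messages and the three micro-level attribute names are constructed for the example; the two status attribute names follow the slide.

```python
from typing import Callable, Dict, List

# Constructed MDM records keyed by MAC. The first two attribute names follow the
# slide; the three micro-level ones are assumed names for this example.
MDM_RECORDS: Dict[str, Dict[str, str]] = {
    "AA:BB:CC:00:00:01": {"MDM:DeviceRegistrationStatus": "Registered",
                          "MDM:DeviceCompliantStatus": "Compliant",
                          "MDM:DiskEncryptionStatus": "On", "MDM:PinLockStatus": "On",
                          "MDM:JailBrokenStatus": "Unbroken"},
    "AA:BB:CC:00:00:02": {"MDM:DeviceRegistrationStatus": "UnRegistered"},
    "AA:BB:CC:00:00:03": {"MDM:DeviceRegistrationStatus": "Registered",
                          "MDM:DeviceCompliantStatus": "Compliant",   # vendor still says compliant
                          "MDM:DiskEncryptionStatus": "On", "MDM:PinLockStatus": "Off",
                          "MDM:JailBrokenStatus": "Unbroken"},
}


def lookup_mdm(mac: str) -> Dict[str, str]:
    """Stand-in for the MDM vendor's REST API call that returns a device's attributes."""
    return MDM_RECORDS.get(mac, {"MDM:DeviceRegistrationStatus": "UnRegistered"})


def is_compliant(mdm: Dict[str, str], level: str = "macro") -> bool:
    """macro: trust the MDM's overall verdict; micro: require each individual check."""
    if level == "macro":
        return mdm.get("MDM:DeviceCompliantStatus") == "Compliant"
    return (mdm.get("MDM:DiskEncryptionStatus") == "On"
            and mdm.get("MDM:PinLockStatus") == "On"
            and mdm.get("MDM:JailBrokenStatus") == "Unbroken")


def authorize(mdm: Dict[str, str], level: str = "macro") -> str:
    """Rule order from the slide: enrollment redirect, then compliance redirect, then full access."""
    if mdm.get("MDM:DeviceRegistrationStatus") == "UnRegistered":
        return "Redirect-MDM-Enrollment"       # MDM:DeviceRegistrationStatus EQUALS UnRegistered
    if not is_compliant(mdm, level):
        return "Redirect-MDM-Compliance"       # restricted access plus the remediation page
    return "Full-Access"


def reassess(sessions: Dict[str, Dict], level: str = "macro",
             mdm_api: Callable[[str], Dict[str, str]] = lookup_mdm) -> List[Dict]:
    """One passive-reassessment pass (what the configurable timer triggers).

    Re-authorizes every connected session from fresh MDM data and returns the
    CoA messages to send: a Disconnect when access is lost, a reauthentication
    when a previously restricted device would now get more. The stored decision
    is updated so the next pass does not repeat the same CoA."""
    coas = []
    for session_id, session in sessions.items():
        decision = authorize(mdm_api(session["mac"]), level)
        if decision != session["decision"]:
            coa = "Disconnect-Request" if decision != "Full-Access" else "Reauthenticate"
            coas.append({"session_id": session_id, "mac": session["mac"],
                         "coa": coa, "new_decision": decision})
            session["decision"] = decision
    return coas


if __name__ == "__main__":
    # constructed session table: both devices were granted full access at login
    live = {"s1": {"mac": "AA:BB:CC:00:00:01", "decision": "Full-Access"},
            "s3": {"mac": "AA:BB:CC:00:00:03", "decision": "Full-Access"}}
    print(reassess(live, "micro"))   # s3 loses access: PIN lock was turned off
```

The third record is the case worth watching: the vendor's overall status lags behind the attribute it is supposed to summarise, so a macro-level policy keeps the device connected while a micro-level policy disconnects it on the next pass.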
Reporting: Mobile Device Management Report
TrustSec and Pervasive Policy Enforcement
TrustSec Authorization and Enforcement
dACL or named ACL
• Less disruptive to the endpoint (no IP address change required)
• Improved user experience
• Increased ACL management
VLANs (e.g. a Guest VLAN and a Remediation VLAN)
• Does not require switch port ACL management
• Preferred choice for path isolation
• Requires VLAN proliferation and IP refresh; optional VRF
Security Group Access: SXP, SGT (Security Group Tag), SGACL, SGFW
• Simplifies ACL management
• Uniformly enforces policy independent of topology
• Fine-grained access control: rules between groups such as Employees and Contractors instead of "Employee IP any"
TrustSec-Enabled Network Segmentation: Campus and Branch Segmentation
Business drivers include PCI for financial data, HIPAA for medical data, medical device separation within a VLAN, and access control with Secure Group Access.
• Rules defined by business function and roles
• 80%+ reduction over manual rules
• Simple to add/remove rules enterprise-wide
• Topology-independent
• Scalable
• One policy for wired or wireless
Secure Group Access Simplifies Security Enforcement: User Access Control to the Data Center
Business drivers include: employee vs. guest, BYOD vs. managed device.
Security Group Tag enforcement access lists: ASA, Nexus or Catalyst switch access lists written in terms of SGTs.
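What "topology-independent" and "one policy" mean in practice, as an added example that is not Cisco code: a small SGACL evaluator in which flows are classified by the source and destination Security Group Tags taken from IP-to-SGT mappings rather than by addresses, so moving an endpoint to another subnet changes the mapping but not the policy. The SGT numbers and names, the IP-to-SGT mappings, the ACE syntax and the flows are constructed for the example; the same intent is also expanded into an address-based ACL to show how that grows with every host.

```python
from typing import Dict, List, Optional, Tuple

# Constructed IP-to-SGT mappings (in a real network learned via SXP or assigned
# in the RADIUS authorization) and SGT names.
IP_SGT: Dict[str, int] = {"10.1.10.5": 5, "10.1.10.6": 6,
                          "10.2.20.10": 100, "10.2.20.11": 100}
SGT_NAME = {5: "Employees", 6: "Contractors", 100: "PCI-Servers", 0: "Unknown"}

# SGACL matrix: cell (src SGT, dst SGT) -> ordered ACEs in a Cisco-like syntax.
# Cells not listed fall back to DEFAULT_POLICY.
SGACL: Dict[Tuple[int, int], List[str]] = {
    (5, 100): ["permit tcp dst eq 443", "deny ip"],     # employees: HTTPS only to PCI
    (6, 100): ["deny ip"],                              # contractors: nothing to PCI
}
DEFAULT_POLICY = "permit ip"


def parse_ace(ace: str) -> Tuple[str, str, Optional[int]]:
    """'permit|deny <proto> [dst eq <port>]' -> (action, proto, port or None)."""
    parts = ace.split()
    if len(parts) not in (2, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: %r" % ace)
    port = None
    if len(parts) == 5:
        if parts[2:4] != ["dst", "eq"]:
            raise ValueError("unsupported ACE: %r" % ace)
        port = int(parts[4])
    return parts[0], parts[1], port


def ace_matches(ace: Tuple[str, str, Optional[int]], proto: str, dport: int) -> bool:
    _, ace_proto, ace_port = ace
    return (ace_proto == "ip" or ace_proto == proto) and (ace_port is None or ace_port == dport)


def sgt_of(ip: str) -> int:
    """Unmapped traffic carries SGT 0 (unknown); policy for it is a deliberate choice."""
    return IP_SGT.get(ip, 0)


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Classify by tags, then apply the cell's ACEs in order; first match wins."""
    cell = SGACL.get((sgt_of(src_ip), sgt_of(dst_ip)), [DEFAULT_POLICY])
    for text in cell:
        ace = parse_ace(text)
        if ace_matches(ace, proto, dport):
            return ace[0], text
    return "deny", "implicit deny"


def ip_acl_equivalent() -> List[str]:
    """Expand the same intent into per-host ACEs the way a classic ACL must be
    written: (#src hosts x #dst hosts x #ACEs) lines that change with every move."""
    lines = []
    for (src_sgt, dst_sgt), aces in SGACL.items():
        for src in [ip for ip, tag in IP_SGT.items() if tag == src_sgt]:
            for dst in [ip for ip, tag in IP_SGT.items() if tag == dst_sgt]:
                for ace in aces:
                    action, proto, port = parse_ace(ace)
                    suffix = " eq %d" % port if port is not None else ""
                    lines.append("%s %s host %s host %s%s" % (action, proto, src, dst, suffix))
    return lines


def move_endpoint(old_ip: str, new_ip: str) -> None:
    """The endpoint gets a new address (new VLAN or site): only the mapping changes."""
    IP_SGT[new_ip] = IP_SGT.pop(old_ip)


if __name__ == "__main__":
    print(evaluate_flow("10.1.10.5", "10.2.20.10", "tcp", 443))   # employee -> PCI HTTPS
    print(evaluate_flow("10.1.10.6", "10.2.20.10", "tcp", 443))   # contractor -> PCI
    print(len(ip_acl_equivalent()), "address-based ACEs for the same two matrix cells")
```

The matrix has two cells and three ACEs no matter how many employees or servers exist; the expanded address ACL already needs six lines for one employee and one contractor, and every address change rewrites it.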
What's Coming Next?
The next slides contain some forward-looking features; all standard legal disclaimers apply.
ISE 1.3 Key Features
1. Multiple AD forest support: ability to connect to multiple Active Directory domains for authentication and authorization
2. TrustSec: improved scale of IP-SGT mapping; SGACL policy refresh for non-CoA-capable platforms; TrustSec configurations can be exported / imported
3. ERS (External RESTful Services): guest and network device support; bulk operation support
4. Serviceability: multiple features to ease administration and troubleshooting of an ISE system
5. Network access: miscellaneous network access features
6. MDM (limited availability): lite native MDM support in ISE leveraging the AnyConnect client
7. Guest: rewrite of guest functionality and enhancements
8. Profiler: endpoint purge functionality and other enhancements
9. pxGrid: APIs to facilitate sharing of network information with external applications; new persona for pxGrid services; integration of the WMI interface for session tracking
10. CA services: built-in Certificate Authority for BYOD and MDM solutions
11. Infrastructure: ability to run ISE services as non-root; upgrade, database and other enhancements
12. Licensing: introduction of intermediate and premium licenses; consumption based on daily maximum, not real time
13. Admin web app: miscellaneous features including IE11 support
14. CP/Posture: OS X provisioning / non-Java client
15. Unified agent: AnyConnect / posture combined agent support ("HoneyBadger")
Native MDM with ISE & AnyConnect (ISE 1.3)
Setup: set Wi-Fi settings; push VPN settings; configure email & calendar; push and install certificates (ISE built-in CA, 1.3)
Configuration: set the PIN lock; enforce encryption on the device; detect jailbroken devices; restrict camera usage; app management from the Apple App Store / Google Play
Management: geo-query location; lock & unlock; un-enroll from MDM; wipe data on the device
ASA Firewall: Recent Innovations
• ASA clustering with EtherChannel load balancing over a cluster control link (multi-switch EtherChannel)
• Cisco Cloud Web Security integration
• Next-generation encryption
• IPv6 support enhancements
• Multi-context: routing & site-to-site VPN
• EtherChannel with VSS & vPC support
• Mixed transparent & routed modes
• ISE control of VPN via CoA (Sept 2014)
• VMware versions coming (later in 2014)
• Sourcefire feature integration (2014 & beyond)
Virtual ASA (ASAv), May 2014, version 9.2: Security for the Virtual World
• VMware hypervisor (vSwitch & dvSwitch)
• Non-vPath enablement
• Term-based licensing (per vCPU, not per socket)
• SDN management for both ASA and ASAv
• 10 interfaces (VMware limitation)
• 200 VLAN sub-interfaces
• 1000 VXLANs; SDN/ACI support
• 1-2 Gbps performance
• Hyper-V coming late 2014
In the virtual data center (UCS, virtual access, storage): data security (authentication and access control), port security (authentication, QoS features), virtual firewall with real-time monitoring and firewall rules, virtual IPS, and remote VPN to the ASAv.
A Commitment to Our Customers
• Choices to bring next-generation security into your environment:
(1) FirePOWER NGS on ASA* (*the Cisco Sourcefire NGS platform: Sourcefire running on ASA)
(2) NGFW/NGIPS services within FirePOWER NGS
(3) Centralized management: system-level management, threat-level management, manager of managers (MoM)
• Integration with network security services: identity / access control / ISE & TrustSec
• Strongest data center capabilities
Gartner MQ leader in (NG)IPS, SSL VPN, VPN, Identity/NAC, Web Security, Email Security, Data Center; leader in Data Center Security (Infonetics 2013)
Cisco Web Security Options
Sourcefire (physical or virtual)
• Inline: Next Gen IPS, multi-port GE/10GE/40GE
• Anti-malware: network- and agent-based
• Web filtering
• Application control across all ports
• VRT threat protection
• Defense Center: threat detection correlation view
• Internet bandwidth from 50 Mbps to 60 Gbps (high-performance platform)
Meraki
• Inline: Next Gen firewall plus web filtering
• Anti-virus, IPS (Snort)
• Cloud managed
• Application control across all ports
• Traffic shaping
• Simple configuration & monitoring
• CIPA: SafeSearch, YouTube for EDU
• Internet bandwidth less than 1 Gbps
Cloud Web Security (aka ScanSafe)
• Transparent redirect via network connector or device agent (Windows, Mac)
• Port 80/443
• Anti-malware from Sourcefire
• Granular filtering using Cisco Web Usage Controls
• Web security for mobile users without the need for VPN
• Multiple malware scanners for threat protection
• Dynamic web categorization
• CIPA: SafeSearch, YouTube for EDU (per policy)
• Internet bandwidth: no limit
IronPort Web Security Appliance (WSA)
• Transparent redirect via WCCP or browser proxy
• Port 80/443
• Anti-malware from Sourcefire
• DLP for web
• Granular filtering using Cisco Web Usage Controls
• Central logging or Splunk
• Video/audio bandwidth throttling
• SIO: IP reputation filtering & threat protection
• Dynamic web categorization
• CIPA: SafeSearch, YouTube for EDU (global)
• Internet bandwidth depends on the number of WSAs and requests/sec
• In ASA-CX: limited bandwidth
Complete your online session evaluation through the Cisco Live mobile app or at one of the interactive kiosks in the convention center. Cisco Live sessions will be available for viewing on demand after the event at CiscoLive.com/Online.
Cisco Live! San Francisco, May 18-22, 2014: www.ciscolive.com/us
Links
• Secure Access, TrustSec, and ISE on Cisco.com:
– http://www.cisco.com/go/security
– http://www.cisco.com/go/ise
– http://www.cisco.com/go/isepartner
• TrustSec and ISE Deployment Guides:
– http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• YouTube: Fundamentals of TrustSec:
– http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
Anatomy of a Modern Threat
1. The infection entry point occurs outside of the enterprise (Internet and cloud apps, public network).
2. The advanced cyber threat bypasses perimeter defense (campus perimeter).
3. The threat spreads and attempts to exfiltrate valuable data (enterprise data center).
A Systems Approach: The Switch/Controller Is the Enforcement Point
MDM Integration: Registration and Compliance
ISE tracks whether the device is ISE-registered and MDM-registered; the MDM reports PIN lock, encryption and jailbroken status.
MDM Integration: Remediation
• The user or an administrator can issue remote actions on the device through the MDM server (for example, remotely wiping the device):
– My Devices Portal (user interface)
– ISE Endpoints Directory (admin interface)
• Options: Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock