TRANSCRIPT
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The “Bring Your Own Device” Conversation
Prapankorn Wongmaytha ([email protected])
Systems Engineer
26 October, 2012
Cisco Systems
“I need to improve my customer service”
“My staff needs the latest information at their devices”
“My staff needs to collaborate…from wherever they are”
“I need to monitor/manage/enable task-specific devices”
“I want to stay ahead of Single Policy”
“My users are demanding BYOD and I need to get ahead of the curve”
“I need to allow Student, Faculty, Guest access to my network”
“I have a specific use case, not on this list”
Higher Education - Drivers
• Majority of new network devices will have no wired port
• Users are starting to bring 5 or more WLAN devices each
• Mobile devices have become an extension of an individual's personality
• Users will change devices more frequently than in the past
• Guest access with accountability has become a must-do
Trends, 1997 to 2014 (figure): Mobility / WLAN, evolving into BYOD / Unified Access
802.11 PHY rate evolution (figure; rates as shown on the slide)
  1999: 802.11 – 2 Mbps; 802.11b – 11 Mbps
  2003: 802.11a/g – 54 Mbps (24 Mbps also shown)
  2007: 802.11n – 65 / 300 / 450 / 600 Mbps
  2013: 802.11ac Wave 1 – 290 / 870 / 1300 Mbps; 6900 Mbps maximum
  2014: 802.11ac Wave 2 – 290 / 1730* / 3500* Mbps; 6900 Mbps maximum
  Legend: 1, 3 and 8 spatial streams
  * Assumes 160MHz channel width is available and usable

802.11ac = game changer

                     802.11n               802.11ac
  Band               2.4GHz & 5.0GHz       5.0GHz only
  PHY Rate           65 Mbps – 600 Mbps    290 Mbps – 6.9 Gbps
  MAC Throughput     45 Mbps – 420 Mbps    194 Mbps – 4.8 Gbps
  Spatial Streams    4                     8
  Modulation         64 QAM                256 QAM
  Channel Width      20 or 40 MHz          20, 40, 80, *80+80, 160 MHz

Key benefits:
• Increased speed
• Improved battery life
AP uplinks shown: Gigabit Ethernet Uplink; 2 Gigabit Ethernet Uplinks
• A field-upgradable 802.11ac module add-on to the AP3600
• 802.11ac Wave 1 – 5 GHz AP3600 Module
5 GHz radio module
Supporting 802.11a and n clients along with ac clients
1.3 Gbps PHY / ~1 Gbps MAC (throughput)
3 Spatial Streams, 80 MHz, 256 QAM
Explicit Beamforming support as per the 802.11ac standard
• AP3600 maintains dual-band support 2.4 and 5 GHz
Supporting b/g/n on 2.4 GHz and a/ac/n on 5 GHz
• Power requirement with the 802.11ac Module installed
Power draw with the 802.11ac Module exceeds 15.4 Watts (802.3af) and will require one of: Enhanced PoE, 802.3at PoE+, local supply or power injector
• Universal Mounting Brackets (Bracket-2) or Ceiling Mounting Brackets (Bracket-3) required
802.11ac Performance Table (rates shown):
• Smartphones from 210 Mbps
• Tablets from 460 Mbps
• High End Laptops from 680 Mbps
Automatic Policies (flow shown): Authenticate User → Fingerprint the Device → Apply District Configuration → Education Apps
Contextual Policy: Onsite – Student (per-resource Yes/No matrix in the original)
Resources: Student Information System, Learning Management System, WebEx / Personal TP, District Portal, Digital Textbooks, Email / IM, Internet
Access: Limited / Restricted
Contextual Policy: Onsite – Faculty (per-resource Yes/No matrix in the original)
Resources: Student Information System, Learning Management System, WebEx / Personal TP, District Portal, Digital Textbooks, Email / IM, Internet
Access: Full
Contextual Policy: Onsite – Guest (per-resource Yes/No matrix in the original)
Resources: Student Information System, Learning Management System, WebEx / Personal TP, Communications Systems, District Portal, Digital Textbooks, Email / IM, Internet
Access: Limited
Ms. Blair: “There will be a quiz tomorrow on this chapter.” (sample classroom message shown on the slide)
Contextual Policy – Student, Access: Limited (per-resource Yes/No matrix in the original)
Resources: Student Information System, Learning Management System, Learning Content Management System, District Portal, Digital Textbooks, Email / IM, Internet
Restricted
Contextual Policy – Student (per-resource Yes/No matrix in the original)
Resources: Student Information System, Learning Management System, Learning Content Management System, District Portal, Digital Textbooks (web with user name and password), Email / IM, Internet
Restricted
The Next Generation Workspace Built on an Intelligent Network (BYOD spectrum)
• Limited Access: pervasive wireless within the enterprise; wireless access for fixed devices
• Basic: integration of guests / students / faculty. Sample: Internet access, guest network service
• Enhanced: user needs workspace access to applications plus confidential information based on location
• Advanced: user needs full workspace regardless of location; IT needs to control and manage data
How Do I Control Who and What Accesses the Network?
Top of Mind Concerns: The Burden Falls on IT
DEVICE PROLIFERATION
• How do I ensure a consistent experience on all devices?
• How do I implement multiple security policies per user and device?
• How and what do I support?
• How do I manage the risk of students bringing their own devices?
CHANGING WORKFORCE
• Am I hindering my workforce from being competitive?
• How do I retain top talent?
• How do I ensure compliance with SOX, HIPAA, etc.?
• Can I handle Staff, Faculty, Student appropriately?
VIRTUALIZATION
• How do I know who is accessing my virtual desktop infrastructure?
• How do I secure access to my data across the cloud (pooled resources) in a scalable way?
• Can I ensure compliance across geographic boundaries?
Comprehensive Visibility: Identity and Context Awareness
Identity (802.1X)-Enabled Network
IDENTITY + CONTEXT: WHO, WHAT, WHERE, WHEN, HOW
Access methods: 802.1X, MAB, WebAuth, on Cisco switches, routers and wireless access points
Services: Guest Access, Profiling, Posture
Example sessions shown (as far as the layout can be recovered): Vicky Sanchez (Employee, Marketing; Wireline; 3 p.m.); Frank Lee (Guest; Wireless; 9 a.m.); Security Camera G/W (Agentless Asset; Chicago Branch); Francois Didier (Consultant; HQ—Strategy; Remote Access; 6 p.m.); Personal iPad (Employee Owned; Wireless; HQ)
Cisco ISE (Methodology)
Need → ISE service:
• I want users and devices to receive appropriate network services (dACL, QoS, etc.) → Authorization Services
• I want to allow guests into the network → Guest Lifecycle Management
• I want to allow the “right” users and devices on my network → Authentication Services
• I need to ensure my endpoints don’t become a threat vector → Posture Services
• I need to allow/deny iPads in my network (BYOD) → Profiling Services
• I need a scalable way of authorizing users or devices in the network → Security Group Access Management
Security: A Framework for Native Applications
“My users use multiple devices including their own; they are mobile and need role-based access to the Internet and internal apps.”
Components shown: Unified VPN Client, Wired Access, Wireless Control, Identity, MDM (Mobile Device Mgmt), Cloud/Mobile Security, Cloud/Mobile Services, Unified Management
• Configure and enforce consistent policies across the network
• Simplify on-boarding and management
• Unify wired/wireless/mobile with a single VPN client
• Protect against malware with cloud-connected hybrid web security
• Optimize wireless capacity and reliability
• Collaborate seamlessly across devices
A Virtual Solution for BYOD: Virtual Experience Infrastructure (VXI)
“My users need mobile access and my organization needs to meet strict audit and security standards, so finding a solution that balances both is important.”
• Fully virtualized desktop keeps all data centralized for audit and security
• Consistent user and IT experience on all clients (VXI, Thin) empowers the user
• Integrated security (SSO, VPN) on all virtual clients
• Consistent policies across VXI and non-VXI
• Optimized VXI traffic through WAN optimization
• Enhanced voice/video on virtual clients
• End-to-end infrastructure for virtual desktops: strong partnerships
Architecture shown (branch to data center): Cisco clients (Cius Business Tablets, Cisco Desktop Virtualization Endpoints, Thin Client Ecosystem) – Virtualization-Aware Borderless Network (ISR, WAAS, Cisco WAN, CDN) – Virtualized Data Center (Nexus, ACE, WAAS, Hypervisor, Microsoft OS, MS Office, Desktop Virtualization Software, Virtual Unified CM, Cisco Collaboration Applications, Virtual Quad) – Virtualized Collaborative Workspace
Build on what you already have
Devices layer: Smartphones, Desktop/Notebooks, Tablets, Thin/Virtual Clients (VXC)
Connectivity layer: VPN, External Wi-Fi, Internal Wi-Fi, Wired
Building blocks by tier (as far as the layout can be recovered):
• Limited Access: connectivity layer only
• Basic: Firewall, Router, Wireless, Switching, ISE, NCS Prime
• Enhanced: ISE, NCS Prime, AnyConnect, ScanSafe, ESA/WSA
• Advanced: ISE, NCS Prime, VXI, Quad, Jabber, WebEx; MDM, App Virtualization
What’s Next For You?
BYOD is not a product you buy, but a strategy you build
You already have many of the pieces
Different companies are in different places on the “BYOD” spectrum
Cisco has solutions for where you are now, and where you want to be
Only Cisco has the Intelligent Network to help build that strategy
Portfolio breadth, expertise, end-to-end vision and architecture
Let’s get started…
Higher Education - Use Cases
Maturity axis: Basic Mobility, Basic BYOD, Advanced BYOD; user groups: BYOD-Student, BYOD-Faculty, BYOD-Guest
BYOD-Student:
• Campus-wide Wi-Fi
• Wireless BYOD
• Mobile mail
• Internet access
• Personal Mobile Device with Profiling
• Restricted Campus Intranet (Proxy HTTPS or VLAN/ACL filtering)
BYOD-Faculty:
• Campus-wide Wi-Fi
• Wireless BYOD
• Mobile mail
• Personal Mobile Device with Profiling and Provisioning
• VPN Access
• Unrestricted Campus resource access
• Wired BYOD
• Voice / Video everywhere
• VDI / VXI
• MDM (Mobile Device Management)
BYOD-Guest:
• Guest Wi-Fi
• Wireless BYOD
• Mobile mail only
• Rate limited Internet access only
5 Dimensions of Policy and Provisioning (policy matrix shown on the slide)
User: Guest, Student, Faculty
Device: Personal Device (guest, student, faculty); Faculty Device
Access Method: Wired, Wireless, VPN; guest wireless via Captive Portal
Location: Anywhere; Classrooms, Library
Time: Anytime; M–F 8 am–6 pm
Policy: DMZ Guest Tunnel / Guest VLAN; Student VLAN / Student ACL; Faculty VLAN / Faculty ACL
IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy
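As an added worked example (not from the Cisco deck), the rule above expressed as a small first-match evaluator in Python. The row definitions are an assumed reading of the policy matrix: the slide gives the dimension values and the VLAN/ACL names, but which Faculty row carries the M–F 8 am–6 pm window is an assumption, as are the location names and the ISO timestamps used as input.

```python
# Added example (not Cisco's code): a minimal evaluator for
# IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy.
# The rule rows are an assumed reading of the slide's matrix; VLAN/ACL names are the slide's labels.
from dataclasses import dataclass
from datetime import datetime

ANY = "*"   # wildcard: "Anywhere" / "Anytime" / any device or access method


@dataclass(frozen=True)
class Rule:
    name: str
    role: str              # identity from AAA: Guest, Student, Faculty
    devices: frozenset     # device class from profiling / registration
    access: frozenset      # Wired, Wireless, VPN
    locations: frozenset   # ANY == Anywhere
    weekdays: frozenset    # 0 = Monday ... 6 = Sunday; ANY == any day
    hours: tuple           # (start, end) in 24h, end exclusive; None == Anytime
    result: dict           # what the network device enforces: VLAN, ACL, tunnel


def _in(allowed, value):
    return ANY in allowed or value in allowed


def _time_ok(rule, when):
    if rule.hours is None:
        return True
    return _in(rule.weekdays, when.weekday()) and rule.hours[0] <= when.hour < rule.hours[1]


# Assumed rows: the Guest row, the Student Classrooms/Library row and the Faculty
# M-F 8 am-6 pm window come from the slide; pairing the window with the Faculty
# personal-device row is an assumption made for this example.
RULES = (
    Rule("guest-wireless", "Guest", frozenset({"Personal Device"}), frozenset({"Wireless"}),
         frozenset({ANY}), frozenset({ANY}), None,
         {"vlan": "Guest VLAN", "tunnel": "DMZ Guest Tunnel", "portal": "Captive Portal"}),
    Rule("student-campus", "Student", frozenset({"Personal Device"}), frozenset({"Wired", "Wireless"}),
         frozenset({"Classrooms", "Library"}), frozenset({ANY}), None,
         {"vlan": "Student VLAN", "acl": "Student ACL"}),
    Rule("faculty-managed", "Faculty", frozenset({"Faculty Device"}), frozenset({"Wired", "Wireless", "VPN"}),
         frozenset({ANY}), frozenset({ANY}), None,
         {"vlan": "Faculty VLAN", "acl": "Faculty ACL"}),
    Rule("faculty-byod-hours", "Faculty", frozenset({"Personal Device"}), frozenset({"Wireless"}),
         frozenset({ANY}), frozenset({0, 1, 2, 3, 4}), (8, 18),
         {"vlan": "Faculty VLAN", "acl": "Faculty ACL"}),
)


def evaluate(role, device, access, location, when, rules=RULES):
    """First match wins; anything matching no row gets implicit deny (no VLAN, no ACL)."""
    for r in rules:
        if (r.role == role and _in(r.devices, device) and _in(r.access, access)
                and _in(r.locations, location) and _time_ok(r, when)):
            return dict(r.result, rule=r.name)
    return {"rule": "implicit-deny"}


def decide(role, device, access, location, iso_when):
    """Same as evaluate(), taking an ISO-8601 timestamp such as '2012-10-30T10:00'."""
    return evaluate(role, device, access, location, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    for args in (("Guest", "Personal Device", "Wireless", "Library", "2012-10-27T22:00"),
                 ("Student", "Personal Device", "Wireless", "Dorm", "2012-10-30T10:00"),
                 ("Faculty", "Personal Device", "Wireless", "Offsite", "2012-10-30T10:00"),
                 ("Faculty", "Personal Device", "Wireless", "Offsite", "2012-10-27T10:00")):
        print(args, "->", decide(*args))
```

Identity comes from AAA and is authenticated; the device dimension comes from profiling, which a client can influence (OUI, User-Agent). A row that unlocks the Faculty VLAN on "Faculty Device" should therefore be keyed on something the endpoint proves, such as an EAP-TLS certificate issued during provisioning, rather than on the profiler's guess alone. Anything matching no row falls to implicit deny, which is the safe default for a matrix like this.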
Unified Access Management Higher Education
Who? What? When? Where? How?
Best in Class and Best of Breed
Mobility / RF Innovation (Predictability):
• CleanAir – chip-level proactive and automatic interference mitigation
• ClientLink – chip-level proactive and automatic electronic beamforming
• VideoStream – chip-level wired multicast over a wireless network
• Radio Resource Management – simplified advanced RF management
• BandSelect – proactive and automatic band steering for 5GHz-capable clients
Policy & Network Management:
• AnyConnect – persistent context-aware VPN connectivity
• ISE (Control)
• Prime NCS (Visibility)
Cisco ISE – Provides Unparalleled Control (Improved Control)
Industry’s First Context-Based Wired+Wireless+VPN Policy/Guest Management
Wired | VPN | Wireless; Simple | Unified | Automated
Who? What? When? Where? How?
AAA + PP = Secure BYOD
BEFORE: separate policy and guest management
AFTER: unified context-based policy management for employees and guests across the network
ISE dashboard (screenshot): all ISE nodes registered to the Administration Node; Information Store; panels for Profiled Endpoint Distribution, Posture Compliance, Metric Meters, Authentication Summary, Authentication Failures and Summarized Alarms
Example Faculty or Student User Walkthrough—Wireless
Personal Device Profiling and Provisioning
1. AAA—Authentication, Authorization and Accounting (RADIUS)
2. Profile Device using multiple probes (OUI + DHCP + HTTP)
3. User is redirected to “My Device Page” and walked through provisioning
4. Device is provisioned for Campus Wi-Fi Network access
5. Device associates securely to Campus SSID and is granted access
Components shown: Personal Wireless Capable Device – Wireless LAN Controller (SSID) – Policy Engine (Profiling: OUI, DHCP, HTTP; Provisioning: My Device Page, user and device config) – Directory, PKI CA, DNS, NetFlow, SNMP – Corporate Resources, Internet
Example Faculty User Walkthrough—Wired
Personal Device Profiling and Provisioning
1. AAA—Authentication, Authorization and Accounting (RADIUS)
2. Profile Device using multiple probes (OUI + DHCP)
3. User is redirected to “My Device Page” and walked through provisioning
4. Device is provisioned for Campus Wired Network access
5. Device connects securely with the appropriate access policy
Components shown: Personal Wired Capable Device – Switch – Policy Engine (Profiling: OUI, DHCP, HTTP; Provisioning: My Device Page, user and device config) – Directory, PKI CA, DNS, NetFlow, SNMP – Corporate Resources, Internet
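Step 2 of both walkthroughs above (OUI + DHCP + HTTP probes on wireless, OUI + DHCP on wired) is where the profiler decides what the endpoint is. The following is an added example in Python, not ISE code: it scores each probe's evidence against a parent/child profile tree, in the same spirit as profiler certainty factors. The OUI table, the DHCP parameter-request-list fingerprint, the profile names and the sample endpoints are all constructed for the example.

```python
# Added example (not ISE code): scoring OUI, DHCP and HTTP probe evidence against a
# parent/child profile tree. All table entries and sample endpoints are constructed.
from dataclasses import dataclass, field
from typing import Optional

OUI_SAMPLE = {              # first three octets of the MAC -> vendor (constructed subset)
    "3c:07:54": "Apple",
    "f8:1e:df": "Apple",
    "d8:50:e6": "Asus",
}


@dataclass
class Profile:
    name: str
    parent: Optional[str]
    min_certainty: int
    conditions: list = field(default_factory=list)   # (probe attribute, predicate, certainty)


PROFILES = {p.name: p for p in (
    Profile("Apple-Device", None, 10),
    Profile("Apple-iDevice", "Apple-Device", 10),
    Profile("Apple-iPad", "Apple-iDevice", 10),
    Profile("Android", None, 10),
)}
PROFILES["Apple-Device"].conditions.append(("oui", lambda v: v == "Apple", 10))
PROFILES["Apple-iDevice"].conditions += [
    ("dhcp55", lambda v: v.startswith("1,121,3,6,15,119,252"), 10),   # sample iOS option-55 fingerprint
    ("user_agent", lambda v: "like Mac OS X" in v, 10),
]
PROFILES["Apple-iPad"].conditions.append(("user_agent", lambda v: "iPad;" in v, 10))
PROFILES["Android"].conditions += [
    ("user_agent", lambda v: "Android" in v, 10),
    ("dhcp_hostname", lambda v: v.lower().startswith("android-"), 10),
]


def normalise(endpoint):
    """Raw probe data (MAC, DHCP option 55, DHCP hostname, HTTP User-Agent) -> attribute dict."""
    mac = endpoint.get("mac", "").lower()
    return {
        "oui": OUI_SAMPLE.get(mac[:8], "Unknown"),
        "dhcp55": endpoint.get("dhcp_param_request_list", ""),
        "dhcp_hostname": endpoint.get("dhcp_hostname", ""),
        "user_agent": endpoint.get("http_user_agent", ""),
    }


def _chain(name):
    """[profile, parent, grandparent, ...] up to the root."""
    out = []
    while name:
        out.append(name)
        name = PROFILES[name].parent
    return out


def profile_endpoint(endpoint):
    """Return (most specific matching profile, certainty summed along its chain).
    A child profile is only evaluated once its parent has matched, so a lone
    User-Agent string cannot turn a non-Apple OUI into an iPad."""
    attrs = normalise(endpoint)
    matched = {}
    progress = True
    while progress:                 # parents settle before children, whatever the dict order
        progress = False
        for p in PROFILES.values():
            if p.name in matched or (p.parent and p.parent not in matched):
                continue
            score = sum(c for probe, pred, c in p.conditions if pred(attrs[probe]))
            if score >= p.min_certainty:
                matched[p.name] = score
                progress = True
    if not matched:
        return ("Unknown", 0)
    best = max(matched, key=lambda n: (len(_chain(n)), matched[n]))
    return (best, sum(matched[n] for n in _chain(best)))


# Constructed sample endpoints
IPAD = {"mac": "3C:07:54:12:34:56", "dhcp_param_request_list": "1,121,3,6,15,119,252",
        "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26"}
WIRED_APPLE_NO_HTTP = {"mac": "f8:1e:df:00:00:01", "dhcp_param_request_list": "1,3,6,15,119,252"}
SPOOFED_UA = {"mac": "d8:50:e6:aa:bb:cc",
              "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X)"}
ANDROID = {"mac": "d8:50:e6:11:22:33", "dhcp_hostname": "android-9f3c2b",
           "http_user_agent": "Mozilla/5.0 (Linux; Android 4.1; Nexus 7)"}

if __name__ == "__main__":
    for ep in (IPAD, WIRED_APPLE_NO_HTTP, SPOOFED_UA, ANDROID):
        print(ep["mac"], "->", profile_endpoint(ep))
```

Each probe is evidence the client controls or can imitate (a MAC address can be changed, a User-Agent is just a string in a request), so a profile is a classification, not an authentication result, and should only steer the device to the right onboarding path; access to sensitive resources must still depend on what the user and device prove during AAA. The HTTP probe only exists once the device has been redirected to the portal; on the wired walkthrough only OUI and DHCP are available, and the function degrades to the parent profile accordingly.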
Example Higher Education Walkthrough—Guest
1. Account Sponsorship: approved sponsor creates the account
2. Account Notification: credentials automatically provided to the guest via email, SMS, or printed receipt
3. Captive Portal: web browser redirects to the login screen
4. Successful Authentication, Access Granted:
• Isolated Guest Network on DMZ
• Role Based Policy Applied
• User granted access to the Internet
User can manage access for their own device
Components shown: ISE (Policy / Guest Engine) – Internal WLC – Anchor WLC – Guest User on DMZ – Internet
Cisco Prime NCS – Provides Unparalleled Visibility (Improved Visibility)
Single Pane of Glass View and Management of Wired+Wireless+Identity
BEFORE: separated management of Wireless, Wired and Identity
• Siloed – inefficient operational model
• Repetitive – manual correlation of data
• Error Prone – consumes time and resources
AFTER: comprehensive user and access visibility with advanced troubleshooting
• Simple – improves IT efficiency
• Unified – single view of all user access data
• Advanced Troubleshooting – less time and resources consumed
Cisco Prime Network Control System (NCS): Step by Step Recommendations
USE CASE: User calls in to the help center because they cannot get access to financial data on the network. IT determines if they are authorized to access this area.
1. Search on user name
2. Identify wired and wireless devices associated with the user
3. Display associated and disassociated devices
4. Use the automated client troubleshooting workflow to resolve the issue
5. Issue resolved
Troubleshoot user and access issues based on identity; speed resolution with intuitive guided workflows
Cisco WAAS: Where is the problem?
USE CASE: End user calls about issues with his Mobile Jabber Video App
1. User calls and complains about a video problem on his Cius
2. Isolate the end-user problem
3. View the application status
4. Quickly identify the source of the problem
5. Fix the problem (WAN optimization)
Reduces the expertise required by normalizing and correlating performance data; quickly identify the source of the problem
Path shown: end users – WAN – Virtual DC and Cloud (Cisco Nexus 1000V, VMs, Application Servers)
Unified Access Control (Application Visibility & Control) Higher Education
Cisco SGA—User & Resource based Segmentation
BEFORE: interface-based segmentation (VLANs; dACL or Named ACL on IP subnet and IP/port; e.g. Employee VLAN 3, Contractor/Guest VLAN 4, Remediation VLAN)
AFTER: user-based segmentation (Secure Group Access: SXP, SGT, and SGACL; policy written per group such as Finance or Doctor, not per address)
Multiple options for policy and segmentation:
• VLANs – interface-based Layer 2 segmentation
• Downloadable ACL (wired) or Named ACL (wireless) – interface-based Layer 2, 3 & 4 segmentation
• Secure Group Access – user- and resource-based Layer 2, 3 & 4 segmentation, independent of topology
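To make the topology-independence claim concrete, the following added example (Python, not Cisco code) evaluates the same client-to-server flows with an interface/IP-based ACL and with an SGACL keyed on Security Group Tags. Subnets, tag values, group names and the roaming scenario are constructed for the example.

```python
# Added example (not Cisco code): one flow, two enforcement models. Addresses, tag values,
# group names and the roaming scenario are constructed for this example.
import ipaddress

# Interface/IP-based model: the policy is written against prefixes, so it encodes topology.
IP_ACL = [   # (action, src_prefix, dst_prefix), evaluated top-down, implicit deny afterwards
    ("permit", "10.1.3.0/24", "10.9.0.10/32"),   # Employee VLAN 3 -> finance server
    ("deny",   "0.0.0.0/0",   "10.9.0.10/32"),   # everyone else -> finance server
    ("permit", "0.0.0.0/0",   "0.0.0.0/0"),
]

# User/resource-based model: a Security Group Tag is assigned at authentication and follows the session.
SGT = {"Finance": 10, "Contractor": 20, "Finance_Servers": 100}
IP_TO_SGT = {}          # IP -> SGT bindings, as SXP would distribute them to an enforcement point
SGACL = {               # (src_sgt, dst_sgt) -> action; any cell not listed takes the default
    (SGT["Finance"], SGT["Finance_Servers"]): "permit",
    (SGT["Contractor"], SGT["Finance_Servers"]): "deny",
}
SGACL_DEFAULT = "deny"  # covers untagged traffic (SGT 0) as well


def ip_acl_lookup(src_ip, dst_ip, acl=IP_ACL):
    """Classic ACL: the first line whose prefixes contain both addresses wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, sp, dp in acl:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return action
    return "deny"


def bind(ip, group):
    """Simulates the AAA result for a session: the user's group becomes the SGT for that IP."""
    IP_TO_SGT[ip] = SGT[group]


def sgacl_lookup(src_ip, dst_ip):
    """SGACL: resolve both addresses to tags and look the pair up; unknown addresses map to SGT 0."""
    return SGACL.get((IP_TO_SGT.get(src_ip, 0), IP_TO_SGT.get(dst_ip, 0)), SGACL_DEFAULT)


def run_scenario():
    """Finance user wired in VLAN 3, then the same user on the wireless subnet; a contractor in VLAN 4."""
    IP_TO_SGT.clear()
    bind("10.9.0.10", "Finance_Servers")
    bind("10.1.3.5", "Finance")        # alice, wired, Employee VLAN 3
    bind("10.2.7.9", "Finance")        # alice after roaming to wireless: new subnet, same tag
    bind("10.1.4.7", "Contractor")     # bob, Contractor/Guest VLAN 4
    out = {}
    for label, src in (("finance-wired", "10.1.3.5"), ("finance-wireless", "10.2.7.9"),
                       ("contractor", "10.1.4.7")):
        out[label] = {"ip_acl": ip_acl_lookup(src, "10.9.0.10"), "sgacl": sgacl_lookup(src, "10.9.0.10")}
    return out


if __name__ == "__main__":
    for label, verdicts in run_scenario().items():
        print(f"{label:18} IP ACL: {verdicts['ip_acl']:6}  SGACL: {verdicts['sgacl']}")
```

The IP ACL encodes where a user was plugged in: the moment the Finance user roams to the wireless subnet, the permit line no longer matches. The SGACL cell stays valid because the tag was assigned at authentication and follows the session wherever the binding is distributed. The trust model shifts accordingly: an SGT is only as trustworthy as the AAA decision that assigned it and the path the binding travelled, so untagged traffic (SGT 0) is denied by default here.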
Cisco WLAN AVC and Prime Assurance Provides Unparalleled Visibility & Control (Improved Visibility & Control)
Identify, Analyze, and Optimize Application Traffic
View, Control and Troubleshoot – End User Application Experience
BEFORE: application view and control based on L4 firewall sessions. A first-generation firewall reports, for example, HTTP = 75%, SMTP = 15%, SNMP = 3%, FTP = 2%, Telnet = 1%: visibility to the port-level interaction but not the applications running within the port
AFTER: Network Based Application Recognition (NBAR2) on the Wireless LAN Controller: deep packet inspection and application ID from the NBAR2 library; traffic classified as Real Time, Interactive, Non-Real Time or Background; policy marks and drops packets
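The difference between the two views in the BEFORE/AFTER above, as an added example in Python (not NBAR2 or WLC code): a port-only classifier, and a classifier that reads the TLS ClientHello server name or the HTTP Host header, maps it through a signature table and applies the AVC profile's action for the resulting class. The hostname signatures, the per-class actions and the sample flows are constructed, including the ClientHello builder used to generate them.

```python
# Added example (not NBAR2/WLC code): port-level vs application-level classification of flows.
# Signature table, AVC profile actions and sample flows are constructed for this example.

PORT_SERVICES = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 21: "FTP", 23: "Telnet", 161: "SNMP"}

# hostname (or parent domain) -> (application, NBAR2-style traffic class); constructed
APP_SIGNATURES = [
    ("youtube.com", ("youtube", "Non-Real Time")),
    ("googlevideo.com", ("youtube", "Non-Real Time")),
    ("lms.example.edu", ("learning-management", "Interactive")),
    ("updates.example.net", ("software-update", "Background")),
]
# per-WLAN AVC profile: traffic class -> (action, parameter); constructed
AVC_PROFILE = {
    "Real Time": ("mark", "EF"),
    "Interactive": ("mark", "AF31"),
    "Non-Real Time": ("shape", "2Mbps"),
    "Background": ("drop", None),
    "unclassified": ("mark", "BE"),
}


def build_client_hello(host):
    """Constructed TLS 1.2 ClientHello record whose only extension is server_name (for sample flows)."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name             # name_type host_name(0)
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list   # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32         # client_version, random
            + b"\x00"                           # session_id length 0
            + b"\x00\x02\x13\x01"               # cipher_suites: one suite
            + b"\x01\x00"                       # compression_methods: null
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type client_hello(1)
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(payload):
    """server_name from a TLS ClientHello, or None when the payload is not one."""
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    hs = payload[5:5 + int.from_bytes(payload[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype, elen = int.from_bytes(hs[p:p + 2], "big"), int.from_bytes(hs[p + 2:p + 4], "big")
            p += 4
            if etype == 0 and hs[p + 2] == 0:            # first list entry of type host_name
                nlen = int.from_bytes(hs[p + 3:p + 5], "big")
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def extract_http_host(payload):
    """Host header from a plaintext HTTP/1.x request, or None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.startswith(("GET ", "POST ", "HEAD ", "PUT ")):
        return None
    for line in text.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip().split(":")[0]   # strip an optional :port
    return None


def classify_by_port(dst_port):
    """First-generation firewall view: one label per well-known port."""
    return PORT_SERVICES.get(dst_port, "unknown")


def classify_by_app(dst_port, payload):
    """DPI view: application inside the port, its traffic class, and the AVC action for that class."""
    host = extract_sni(payload) or extract_http_host(payload)
    if host:
        for suffix, (app, klass) in APP_SIGNATURES:
            if host == suffix or host.endswith("." + suffix):
                return {"app": app, "class": klass, "action": AVC_PROFILE[klass]}
    return {"app": classify_by_port(dst_port), "class": "unclassified", "action": AVC_PROFILE["unclassified"]}


def sample_flows():
    """Constructed (dst_port, first payload bytes) pairs: three flows to 443 the port view cannot tell apart."""
    return [
        (443, build_client_hello("www.youtube.com")),
        (443, build_client_hello("lms.example.edu")),
        (443, b"\x16\x03\x01\x00\x05\x02\x00\x00\x01\x00"),   # TLS record, but not a ClientHello
        (80, b"GET /patch.bin HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"),
    ]


def summarise(flows):
    """(port view, application view), each as label -> flow count."""
    ports, apps = {}, {}
    for port, payload in flows:
        p, a = classify_by_port(port), classify_by_app(port, payload)["app"]
        ports[p], apps[a] = ports.get(p, 0) + 1, apps.get(a, 0) + 1
    return ports, apps
```

Three of the four sample flows go to port 443 and are identical in the port view; the application view separates them into video, the LMS and an update service and applies a different action to each. The SNI and Host values are supplied by the client, so this is classification for visibility and QoS, not an enforcement boundary a hostile endpoint cannot cross: an endpoint can put any name in its ClientHello.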
• AVC can be enabled on a per-WLAN basis
• You can see a global summary
• 1000+ applications can be detected by default
• Custom AVC profiles can be created to do traffic shaping
• Apply the custom profile per WLAN
Mobility / BYOD / Unified Access Higher Education
Cisco’s Leadership
IEEE 802.11 amendments and Wi-Fi certifications (roadmap figure; the original colour-codes complete vs. in-development items and marks Cisco-driven vs. CCX-driven ones)
CONNECTIVITY: 802.11a/g (54Mb/s) – Wi-Fi 11a/g; 802.11n (>100Mb/s) – Wi-Fi 11n; 802.11ac (>1Gb/s) – Wi-Fi VHT5G; 802.11ad (60GHz) – WiGig
SECURITY: 802.11i (Security) – WPA2; 802.11w (MFP) – MFP
SEAMLESS: 802.11r (Roaming) – Voice-Enterprise; 802.11k (Measure) – Voice-Enterprise; 802.11v (Manage) – WNM; 802.11u – Hotspot 2.0
SPECTRUM: 802.11h (DFS) – Standard Wi-Fi; 802.11j (Japan); 802.11y (3.6GHz); 802.11af (TVWS)
APPLICATIONS: 802.11e (QoS) – WMM, WMM-AC; 802.11aa (Video)
MANAGEMENT: 802.11ae (QoS for management)
• Over 90% of the Mobility/WLAN industry silicon is CCX compatible
• Over seventy-five (75) Partners license CCX in the CDN Program
• Over 350 Devices and Tags are CCX Certified (“Cisco Compatible”)
• Over 730 Companies in the CDN Program across Cisco CDO
World Congress Wireless Network—“V6 World Congress 2012”
• Cisco provided the wireless network for IPv6 World Congress 2012: http://blogs.cisco.com/sp/touch-and-feel-ipv6-wi-fi/
• Network deployment: WLC 5508s, Aironet 1140s, NCS 1.1 and ISE 1.1 providing unique device profiling
NCS Prime report graphics:
• 1068 unique clients
• Around 560 simultaneous clients
• 46.09% dual-stack clients
• 46.41% IPv4-only clients
• 7.5% IPv6-only clients
Q & A
Thank You