
How to Sell Cisco Trustsec: Network Identity Architecture Solutions


© 2010 Cisco Systems, Inc. All rights reserved.

Session Objectives

At the end of the session, the participants should be able to:

• Understand how Cisco TrustSec relates to the Cisco Borderless Network
• Understand the security market landscape and customer needs
• Understand Cisco TrustSec key offerings and how to position the right solution for the customer
• Understand migration and opportunities

© 2009 Cisco Systems, Inc. All rights reserved.

The Transformation: The World Is Our New Workspace

BORDERLESS NETWORKS: A Next Generation Architecture to Deliver the New Workspace Experience

Any Person, Any Place, Any Device, Any Resource

Right Person, Right Device, Right Place, Right Resource


Borderless Network Market Drivers

[Diagram labels: Users, Devices, Applications, External Apps, Internal Apps, IaaS, SaaS]

• Employees demand mobility and device choice

• Consumerization of access devices

• Complex workforce – employees, guests, contractors, partners

• Purpose-built devices becoming network enabled

• Increased use of virtualization

• Move to cloud-based access and services


Identity Critical to Borderless Security

Security Challenges

Where? Traditional borders are blurred. Access is possible from anywhere

Who? Identify users and provide differentiated access in a dynamic, borderless environment

What? Enforce compliance for proliferating consumer and network capable purpose-built devices

How? Establish, monitor, and enforce consistent global access policies


Announcing Cisco TrustSec

Cisco TrustSec rebrands our policy-based access control, identity-aware networking, and data integrity and confidentiality services under a single name

The term TrustSec has been expanded from SGT to include both switch infrastructure and appliance-based solutions for securing network access and control, including:

• Identity-Based Networking Services (IBNS) and 802.1x
• Network Admission Control
• Cisco Secure Access Control Server (ACS)


Market Opportunity

Gartner predicts the adoption rate of 802.1x for wired networks will be 70% by 2011. It bases this on the belief that 802.1x implementation will be made simpler and that demand for NAC to control access of guest PCs will continue to grow.

Source: Network World, August 2008

http://www.networkworld.com/newsletters/vpn/2008/081808nac1.html


Customer Challenge in Building an Access Policy in a Borderless Network

Common questions customers ask

Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs?
• Common access rights when on-premises, at home, on the road?
• Endpoints are healthy?

Guest Access
• Can I allow guests Internet-only access?
• How do I easily create a guest account?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Non-Authenticating Devices
• How do I discover non-authenticating devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?


Why Do Customers Care?

Enables Secure Collaboration: Dynamically authenticate and assign access based on user and device role and location

Strengthens Security: Enforce consistent security policy, ensure endpoint health, deliver a secure network fabric

Supports Compliance: Provides real-time access visibility and audit trails for monitoring, auditing and reporting


TrustSec Addresses Customer Concerns

• Identifies Authorized Users. Who are you? An 802.1x-enabled device or a Network Admission Control (NAC) appliance authenticates the user
• Enforces Access Policy. Where can you go? Based on authentication data, the user is placed in the correct VLAN
• Personalizes the Network. What service level do you receive? The user is assigned services based on role and policy (job, location, device, etc.)
• Increases Network Visibility. What are you doing? The user's identity, location, and access history are used for compliance & reporting


What TrustSec Does

NAC Appliances | 802.1x/Infrastructure

Identity Information
• Group: Full-Time Employee
• Group: Contractor
• Group: Guest

Other Conditions: Time and Date, Access Type, Location, Posture, Device Type

Authorization (Controlling Access): Broad Access, Limited Access, Guest/Internet, Deny Access, Quarantine

Access Compliance Reporting

Examples:
• Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.
• Frank Lee: Guest; Wireless; 9 a.m.
• Security Camera G/W: Agentless Asset; MAC: F5 AB 8B 65 00 D4
• Francois Didier: Consultant; HQ—Strategy; Remote Access; 6 p.m.


Guest Access for NAC and 802.1X Deployments

NAC Guest Server (Now Supports 802.1X)

Provision: Guest accounts via sponsor portal

Notify: Guests of account details by print, email, or SMS

Manage: Sponsor privileges, guest accounts and policies, guest portal

Report: On all aspects of guest accounts


Non-Authenticating Device Policy for NAC and 802.1X Deployments

NAC Profiler (Now Supports 802.1x)

Many endpoint devices are undocumented and cannot authenticate to the network: Printers, Fax Machines, IP Cameras, Cash Registers, Alarm Systems, Video Conference, Turnstiles, HVAC Systems

Device Identification
• Determine device type
• Centralized device discovery and inventory
• Uses network device tables and analyzes endpoint traffic

Control and Audit
• Authorize based on device role
• Monitor and audit to prevent spoofing

Wired Endpoints Distribution
• Enterprises without VoIP: 50% PCs, 50% Other
• Enterprises with VoIP: 33% PCs, 33% IP Phones, 33% Other


New TrustSec Capabilities

Enhanced Switch Features:
• More authentication options: FlexAuth, WebAuth
• Additional deployment capabilities: Open Mode, IP Telephony

Cisco ACS 5.1:
• Improve operations with monitoring and troubleshooting

Cisco NAC Guest and Profiler:
• Lower the cost of managing identity and policy in both an 802.1X and a NAC appliance environment

MACsec:
• Addresses compliance by providing an encrypted link from the Catalyst® 3750-X, 3560-X, and Nexus® 7000 to the endpoint

Security Group Tagging (SGT) and Security Group ACLs (SGACL):
• Reduces OPEX and provides topology-independent access and enforcement

TrustSec for 802.1X is a long-term, multi-phase opportunity:

1. Migrate the customer to an 802.1X infrastructure to secure their access layer
2. Create user and device posture with ACS, Guest, and Profiler appliances
3. Introduce SGTs and SGACLs to reduce OPEX and extend enforcement


Two TrustSec Options for Any Customer

NAC Appliances: NAC overlay solution for quick deployment and/or heterogeneous environments
• NAC Manager: Admin, Reporting, and Policy Store
• NAC Server: Posture, Services, and Enforcement
• NAC Agent, Web Agent: No-Cost Persistent & Temporal Clients for Authentication, Posture, & Remediation

802.1X/Infrastructure: Robust integrated enforcement solution for 802.1X-enabled infrastructures
• ACS 5.1: Identity & 802.1x Access Policy System
• 802.1x Supplicant (SSC): CSSC or OS-Embedded Supplicant
• **Cisco 2900/3560/3700/4500/6500 and Nexus 7000 switches, Wireless and Infrastructure

Deployable with both options
• NAC Guest: Full-Featured Guest Provisioning Server
• NAC Profiler: Profiles Non-Authenticating Devices

What’s Right For Me?
• Immediate need for posture assessment? NAC
• Largely non-Cisco access infrastructure? NAC
• 802.1x or industry standard mandate over next 1-2 years? Infrastructure
• Have or plan to deploy a service-enabled infrastructure? Infrastructure

Note – Guest Server and Profiler can be deployed with both NAC and ACS

**First Switches targeted to support SGT Cisco 2900/3560/3700/4500/6500


Cisco NAC Appliance Advantages

Comprehensive NAC Solution
• Flexible deployment options: in-band and out-of-band
• Covers all use cases: wired, wireless, and VPN
• Includes authentication, authorization, guest, profiling, posture

Market Leadership
• 5000+ customers
• Leading NAC vendor: Gartner, IDC, Infonetics, Frost & Sullivan

Complete Posture Lifecycle
• Offers endpoint compliance verification and remediation
• Agents for managed & unmanaged PCs
• Automated updates simplify compliance for 350+ security apps

[Diagram: Complete Posture Lifecycle: Verify User and Device Identity, Check Compliance, Quarantine Non-Compliant Devices, Remediate]

NAC Appliances


NAC Appliance in Action: A Conceptual View

1. End user attempts to access network
   • Initial access is blocked
   • Single-sign-on or web login
2. NAC Server gathers and assesses user/device information
   • Username and password
   • Device configuration and vulnerabilities
3a. Device is compliant
   • Placed on "certified devices list"
   • Network access granted
3b. Noncompliant device or incorrect login
   • Access denied
   • Placed to quarantine for remediation

[Diagram labels: THE GOAL, Intranet/Network, Quarantine, NAC Server, NAC Manager, Authentication Server]

NAC Appliances


Cisco 802.1X/Infrastructure Advantages

Consistent Infrastructure Simplifies Rollout
• Consistent functionality across Cisco switch platforms
• Broad use-case support for device authentication & enforcement
• Flexible deployment options: monitor-mode, low-impact, high-security
[Diagram labels: Web Auth, MAB, 1X, Impact Modes]

Monitoring, Troubleshooting & Reporting
• Correlates access log data from multiple network enforcement sources
• Customized queries
• Centralized dashboard
• Integrated diagnostics
• Reporting

Secure Network Fabric
• Provides consistent confidentiality and integrity across wireless, VPN, and now wired Ethernet
• Open standards based – 802.1AE MACsec & 802.1X-2010
• Network Edge Authentication Topology (NEAT): Only legitimate network devices join the fabric

Security Group Access Control
• Operationally simplified access control deployment
• Infrastructure-based, spans campus to data center
• Deployed independent of topology & network design

802.1X/Infrastructure


802.1X/Infrastructure in Action: A Conceptual View

1. End user / Endpoint attempts to access network
   • 802.1X Authentication for registered user
   • MAC Authentication Bypass for agentless device
   • Web Authentication for Guest
2. Policy Servers evaluate identity information
   • NAC Profiler evaluates agentless device
   • Guest Server manages temporary guest access
   • ACS evaluates overall policy and returns authorization back to NAD
3. Access Control based on policies
   • Catalyst switch to enforce access control based on policy (VLAN Assignment, dACL, SGT)
   • Nexus 7000 to apply SGACL based on SGT mapped to role

[Diagram labels: Users, Endpoints; Supplicant; Guest User; IP Phones; Network-Attached Device; Campus Network; Cisco® Catalyst® Switch; Nexus® 7000 Switch; 802.1X; Control Plane: RADIUS; ACS; NAC Guest Server; NAC Profiler Server; Directory Service; Protected Resources]

802.1X/Infrastructure


Consistent Infrastructure Simplifies Rollout

1. Monitor Mode

What does it do?
• Open mode enables readiness assessment for 802.1X enforcement
• Discovers users and devices

How does it do it?
• Monitor-only, no access restrictions
• Tracks user authentications
• Identifies non-802.1x capable devices and creates a device list

2. Authenticated Access Mode/Low Impact

What does it do?
• Low impact security mode provides two levels of access for all users and devices: limited and normal

How does it do it?
• Limited network access permitted by default for all users and devices
• Normal access granted based on user and device authorization via dACLs

3. Differentiated Access Mode/High Impact

What does it do?
• High impact security mode provides access control based on user and device group membership

How does it do it?
• Traditional 802.1X
• Role-based access control: Dynamic VLANs, dACLs, SGACL

Consistent functionality across Cisco's switch platforms:
• Flexible Authentication
• Multiple Authentication
• Open Access
• Multi-Domain Access
• MAC Move/Replace
• 802.1X-2010

802.1x/Infrastructure


Differentiated Access Security Group Access Control (SGACL)

802.1x/Infrastructure

Security Group Access Control Concept

Define "Roles" for users in organization

• Authenticate user (802.1x) at access layer

• Assign "Role" to user

Network enforces role-based access policy

Benefits

Significant OPEX savings!

• Reduces thousands of ACLs to pre-defined set

• Simplifies traffic management, add/change/move

Immediate Opportunities

Compliance Issue – LAN Access to the Data Center

Available NOW! (SXP* + Nexus 7000 + ACS)

*Technical Note: Upon 802.1X authentication, SXP (Security Exchange Protocol) binds the user's IP address to the user's "role" (defined by the ACS) on switches that do not yet support SG tagging. This SXP information is processed by the Nexus 7000 switch the same as an SGT. More robust SGT functions will be available as SGT rolls out across more switch devices.


Security Group Access Control

VLANs, ACLs, and Subnets are topology dependent and operationally intensive

TrustSec is topology independent and streamlines network segmentation

SGTs: Security Group Tags (SGTs) are assigned to users, devices, or VMs based on role

SGACLs: Security Group ACLs (SGACLs) enforce access policy based on SGTs

SGTs and SGACLs can replace multiple ACLs, thereby reducing OPEX

802.1X/Infrastructure

[Diagram: Individuals are mapped by Authz Rules to Source Security Groups (Employee, Contractor, Guest/Unknown); Resources are mapped by Authz Rules to Destination Security Groups (Internet, Special Projects, Print/Copy, Confidential); Access Rules connect source groups to destination groups]

Security group–based access control allows customers:

To keep existing logical design at the access layer

To dynamically change / apply policy to meet today's business requirements

To distribute policy from a central management server
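
A small model of the SGT/SGACL idea on this slide and of the SXP technical note on the previous one, as an added example (not Cisco code and not part of the original deck). Group names are the slide's; the tag numbers, addresses, ports and head counts are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Group names come from the slide; tag numbers are constructed.
SGT = {"Employee": 10, "Contractor": 20, "Guest/Unknown": 30,
       "Internet": 100, "Special Projects": 110, "Print/Copy": 120,
       "Confidential": 130}

# IP-to-role bindings created at 802.1X authentication: the information the
# technical note says SXP carries for switches that cannot tag yet.
user_bindings = {
    ip_address("10.1.20.15"): SGT["Employee"],
    ip_address("10.1.30.77"): SGT["Contractor"],
}

# Static prefix bindings for destination resources (constructed addresses).
resource_bindings = [
    (ip_network("10.50.1.0/24"), SGT["Special Projects"]),
    (ip_network("10.50.2.0/24"), SGT["Print/Copy"]),
    (ip_network("10.50.3.0/24"), SGT["Confidential"]),
    (ip_network("10.0.0.0/8"), SGT["Guest/Unknown"]),   # unclassified internal
    (ip_network("0.0.0.0/0"), SGT["Internet"]),
]

ANY = ("any", 0)

# SGACL matrix: one cell per (source group, destination group).
# A missing cell is an implicit deny.
SGACL = {
    (SGT["Employee"], SGT["Internet"]): [ANY],
    (SGT["Employee"], SGT["Print/Copy"]): [("tcp", 9100), ("tcp", 631)],
    (SGT["Employee"], SGT["Special Projects"]): [("tcp", 443)],
    (SGT["Employee"], SGT["Confidential"]): [("tcp", 443)],
    (SGT["Contractor"], SGT["Internet"]): [("tcp", 80), ("tcp", 443)],
    (SGT["Contractor"], SGT["Special Projects"]): [("tcp", 443)],
    (SGT["Guest/Unknown"], SGT["Internet"]): [("tcp", 80), ("tcp", 443)],
}


def source_tag(ip):
    """Sources without an authenticated binding fall into Guest/Unknown."""
    return user_bindings.get(ip_address(ip), SGT["Guest/Unknown"])


def destination_tag(ip):
    """Authenticated hosts keep their role; otherwise longest prefix wins."""
    addr = ip_address(ip)
    if addr in user_bindings:
        return user_bindings[addr]
    matches = [(net.prefixlen, tag) for net, tag in resource_bindings if addr in net]
    return max(matches)[1]


def permitted(src_ip, dst_ip, proto, port):
    """Enforcement looks only at the tag pair, never at the addresses."""
    aces = SGACL.get((source_tag(src_ip), destination_tag(dst_ip)), [])
    return ANY in aces or (proto, port) in aces


def move_user(old_ip, new_ip):
    """User re-authenticates elsewhere: the binding changes, the policy does not."""
    user_bindings[ip_address(new_ip)] = user_bindings.pop(ip_address(old_ip))


def sgacl_entries():
    """Number of entries in the role-based matrix."""
    return sum(len(aces) for aces in SGACL.values())


def per_host_acl_entries(src_hosts, dst_hosts):
    """Entries needed if the same policy were written per host pair."""
    return sum(len(aces) * src_hosts[s] * dst_hosts[d]
               for (s, d), aces in SGACL.items())


# Constructed head counts per group (Internet counted as one "any" destination).
SRC_HOSTS = {SGT["Employee"]: 2000, SGT["Contractor"]: 300, SGT["Guest/Unknown"]: 100}
DST_HOSTS = {SGT["Internet"]: 1, SGT["Special Projects"]: 20,
             SGT["Print/Copy"]: 50, SGT["Confidential"]: 10}

if __name__ == "__main__":
    print("contractor -> confidential:",
          permitted("10.1.30.77", "10.50.3.9", "tcp", 443))
    print("matrix entries:", sgacl_entries(),
          "per-host entries:", per_host_acl_entries(SRC_HOSTS, DST_HOSTS))
```

The per-host count is a deliberate worst case; subnet-based ACLs would need fewer entries but would tie the policy back to topology, which is the dependency the slide describes.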


Cisco Secure ACS Policy Control

Cisco Secure ACS is the world's most popular enterprise access and policy platform

ACS delivers a centralized identity and access policy solution that seamlessly enables an enterprise grade network access policy and identity strategy for both large and small organizations

35,000+ ACS Installed Base

Used by 95% of Cisco Top 100, 90% of Cisco Top 500, 85% of Cisco Top 1000

86 of Standard & Poor's 100

S&P 100: 86%
Fortune 500: 86%
Russell 1000: 70%


Cisco Secure ACS Monitoring, Troubleshooting, and Reporting

Simplify operations with a centralized system dashboard

• Custom query response and troubleshooting
• Alarms and alerts
• Tracks events from switches & ACS
• Real-time network access visibility and monitoring
• Compliance reporting
• Diagnostics and failure analysis

802.1X/Infrastructure


Selling TrustSec


Sales Tactics

Low-hanging fruit

Enterprise (500+ users)

Security-conscious

Regulatory compliance

Internal mandates for 802.1X

Key decision influencers

Network decision-maker

Security decision-maker

Compliance officer

IT director


Sales Tactics: Drive ACS and Legacy Switch Migrations

NOW: Accelerate switch migration to 802.1x

Secure access layer with 802.1x infrastructure

Identify existing legacy switch install base and migrate to 802.1x-enabled switch infrastructure

NOW: Ensure account control with Access Control

Seed ACS 5.1 in account by selling new features, including enhanced monitoring and troubleshooting, and flexible rules based policies

Upgrade existing ACS devices to 5.1 to manage and control 802.1x access control policy

NOW: Position Guest Access and Device Profiler appliances


Sales Tactics (cont’d): Drive ACS and Legacy Switch Migrations

NEXT: Extend Cisco value by leveraging new TrustSec solutions for 802.1x

Upgrade ACS/Guest Access/Device Posture devices to Positron

Showcase competitive advantages of Cisco switches with hop-by-hop encryption and Security Group Tags and Security Group ACLs

ONGOING: Add value-added professional services for migrations


Sales Process

Presentation and demo

Assessment

Proof of Concept

Deployment

Tools Available:

• Sales and technical presentations
• Infrastructure assessment guidelines
• Configuration guides for POCs
• Design and deployment guides



Partner Opportunities

Migration:

• Use TrustSec features to drive switch upgrades

• Install Base Lifecycle Management (IBLM)

• Network Assessments

• Security Assessments

• Technology Migration Program (TMP)

• Trade in Accelerator Program (TAP)

Other Incentives:

Value Incentive Program (VIP)

Opportunity Incentive Program (OIP)

Partner Program Opportunities and Incentives


TrustSec Sales Opportunities

1. Create migration opportunities

2. Include security technology

3. Add high-margin professional services


Migration Opportunity: Total Market

[Chart labels: 2K, 3K, 4K, 6K]


Catalyst Migration Opportunity: Optimal Path

Legacy -> Migration Plan

Catalyst 2940, 2950 -> 2960, 2960-S

Catalyst 2970 -> 2960, 2960-S, IE 3100

Catalyst 3550 -> 3560, 3750, 3560E, 3750E, 3560X, 3750X

Catalyst 400x & 4500 non-E Series (SUP1, SUPII, SUPII+TS, SUPII+, SUPII+10G, SUPIII, SUP-IV, SUPV) -> 4500 E Series (with Sup6-E, Sup6L-E, 4500 with SupV-10GE)

Catalyst 6K Sup 1, Sup 2 -> Sup 32 or Sup 720


Switch Technical Differentiators

Flexible Authentication Sequencing
• Rolling authentication with a flexible sequence (.1x, Mac Auth Bypass, and web authentication)
• Most flexible authentication in the market: automates the port configuration to accommodate all endpoint devices – necessary to support the most enterprise use cases

Unified Guest Access
• Unified guest access with local web authentication on the switch
• Same infrastructure for wired and wireless guest access – same premiere user experience

Monitor Mode
• Gathers information about device/user access without adverse impact
• Critical to deploying network-based identity without locking out users or devices


Migration Opportunities

ACS

Strategy – Secure account control with customers who want posture with 802.1x, by preparing their base networking infrastructure.

Migrate existing ACS 4.x customers to ACS 5.1 (SKUs and migration tools are available – utility in ACS 5.1 to migrate data)

Sell professional services required to facilitate the policy migration

NAC

Strategy – maximize customer satisfaction / minimize ongoing support by migrating existing NAC customers to 4.7.1

Migrate existing SW-only customers to 4.7.1 - For customers on non-Cisco HW, migration to latest appliance (33x5) is mandatory (program and SKUs are available)

Migrate existing Profiler customers to 3.x – UI and stability enhancements

Upsell NAC Guest Server


ACS Migration - Value and Migration Detail

[Chart: Product Evolution over Time: ACS 4.x, ACS 5.1, ACS 5.2]

Customer Value
- Integrated "View" functionality, c/w extensive reporting templates
- Simplified policy creation with enhanced policy monitoring
- Improved visibility into network access and device admin specifics
- Support for Cisco identity-enabled networks, with .1x and SGT support

Customer Value
- Enhanced support for GOV installations requiring FIPS compliance

Migration paths
• SW / HW migration from ACS 4.x to ACS 5.1
• SW migration from ACS 5.0 to ACS 5.1
• SW migration from ACS 5.1 to ACS 5.2


ACS 5.1 Upgrade and Migration

From Any Previous Release To the latest 5.1 Release

Upgrade part numbers available with special pricing (refer to ACS migration matrix)

Upgrade from appliance or software to 1121 appliance or VMware versions

Example 1 - Go from ACS 3.3 on Windows to 1121 Appliance

Example 2 - Go from 1111 Appliance to 5.2 VMware

Migration utility in 5.1 to migrate existing data

Comes with all previous versions needed to perform a complete data migration


ACS Migration Tools

Category: Education
Components:
• ACS-specific collateral updates (BDM, TDM)
• ACS 5.1 Overview and Value Proposition presentation
• 5 Things You Need To Know about ACS 5 (short presentation)
• Archived Webinar series: ACS – What's In It For Me? (ACS value proposition, ACS Migration Strategy)

Category: Migration Process
Components:
• Migration Workload Estimating Tool
• Migration Guide
• Migration Deep Dive webinar
• Migration Utility (in ACS 5.1)

Offers 40% Upgrade discount for existing customers


ACS 5.1 Summary

Sell ACS 5.1 for the following customer benefits:

- Compliance & Audit through integrated reporting across the entire deployment

- Troubleshooting capabilities lower operational expenditure

- Enable infrastructure services – identity, TrustSec

Sell ACS 5.1 to

- Seed the account to prevent competition from switch vendors such as HP and Juniper

- Position infrastructure upgrades by enabling advanced services like identity and TrustSec

- Bundle additional products like NAC Guest and NAC Profiler


NAC Migration - Value and Migration Detail

[Chart: Product Evolution over Time: NAC 4.5.x, NAC 4.6.x, NAC 4.7.x, NAC 4.8 (Planned)]

Customer Value
- Enhanced agent side reporting
- Improved user experience
- Reduced client footprint
- Easy NAC Agent Management
- Simplified Troubleshooting

Customer Value
- Dedicated FIPS certified HW Security Module, which handles cryptographic operations
- Higher-scalability (5000 user) HW option
- Support for Windows 7 and Mac Snow Leopard

Customer Value
- Improved reporting capability
- Faster response to AV / AS
- Post-admission NAC for ongoing device posture

Migration paths
• NAC Pre-4.5 to 4.7.1 via SW / HW migration program
• SW migration from NAC 4.5x to NAC 4.6x
• SW migration from NAC 4.6.x to NAC 4.7.x
• Separate FIPS HW module (note – FIPS module supported on 33x5 platform only)
• SW migration from NAC 4.7.x to NAC 4.8


NAC Migration Opportunities Details

Migrate existing software-only customers to 4.7.1

For customers on non-Cisco hardware, migration to latest appliance (IBM Platform) is mandatory

These customers can take advantage of 80% discount on new appliances

• Note that customers on Cisco hardware will only require a software upgrade.

• Upsell NAC Guest Server

Add value added professional services


NAC Migration Tools and Offers

NAC Appliance Migrations

Step by Step Migration Guide for Software-Only Customers

Migration Deep Dive Webinar (archived version available)

Migration Offer

Pre-discounted NAC appliances (IBM Platform) – Up to 80% off


ACS and NAC - Migration Overview

Timeline: Today, Mid-Year 2010, Q4CY'10

NAC 4.7.1 (33x5 HW)

ACS 5.2 (1121 HW)

NAC Pre-4.5 to 4.7.1

- NAC SW / HW migration program

NAC 4.5 / 4.6 to 4.7.1

- SW migration

ACS 5.1 (1121 HW)

Consolidated Platform (1121 / 33x5 HW)

NAC 4.8 (33x5 HW)

ACS pre-5.x to 5.x migration

- dedicated VMWare / appliance SKUs

ACS 5.0 to 5.1 migration

- SW migration

NAC 4.5 / 4.6 to 4.8

- SW migration

ACS 5.1 to ACS 5.2

- FIPS Compliance migration (SW)

ACS 5.1 / 5.2 to Consolidated Platform

- SW “cross-grade”, HW migration for pre-1121 HW

NAC 4.8 to Consolidated Platform

- SW “cross-grade”, HW migration for pre-33x5 HW


Sales Opportunity: Attach Security

Discuss enhanced capabilities of ACS 5.1 to drive migration (35,000 + customers)

Demonstrate the best-in-class guest access management of NAC Guest Server

Position the ease of deployment with NAC Profiler

All technologies provided by the proven leader in Network Security and Network Admission Control – Cisco Systems

NEW!


Sales Opportunity: Data Center and SGACL

Opportunity:

Data center growth is exploding!

Compliance mandates require appropriate access control for data center resources

Huge opportunity to migrate not only access switches but data center switches

TrustSec Relevance:

Begin data center access control discussions with Security Group ACL

Position Nexus 7000 and SXP

Demonstrate how authentication for LAN users can be enforced easily in the data center


Example TrustSec Deal Size

Switch Migration:

15 Catalyst 6500 Series

50 Catalyst 3750 Series

125 Catalyst 4500E Series

Attached Security:

5 Access Control Systems

1 Profiler (up to 40,000 MAC addresses)

1 Guest Server

Switch Migration:

50 Catalyst® 6500 Series

50 Catalyst 3750 Series

2000 Catalyst 2960 Series

Attached Security:

14 Access Control Systems

3 Profilers (up to 40,000 MAC addresses each)

3 Guest Servers

Large enterprise network: $24M (List)

Mid-sized network: $7M (List)


Sales Opportunity: Offer High-Margin Professional Services

Business processes

Network discovery

Migration services

Implementation services

Leveraging partner services


Professional Services

Service Components

Security Policy Review

Design Strategy Development

Controlled Deployment

Full Deployment

Training and Knowledge Transfer

Activities and Deliverables

Security policy review

Match compliance to infrastructure

Custom design for authentication and access objectives

Customized solution for existing network

Experienced rollout services

Expertise decreases deployment time

Training for operation, maintenance, management, and tuning

Professional Services from Cisco, or one of our Services Partners, is an Important Component of Any Successful Rollout.


Next Steps: Determine the Appropriate Solution

Engage your SE

Clarify Customer's Pain

Discuss Pros and Cons (.1x, NAC, Profiler, GS)

Present the BEST solution First, THEN discuss Cost

Set Appropriate Expectations: Timeline, Pilot, Needed Customer Resources, etc.

Ask for the Order

ACS & SWITCHES (INFRASTRUCTURE)

Upgrade Legacy Switches

Sell/Upgrade ACS

Sell CSSC

Upsell NAC Profiler

Upsell NAC Guest

NAC (OVERLAY)

Sell NAC Server

Sell NAC Manager

Upsell NAC Profiler

Upsell NAC Guest

NAC Appliances 802.1X/Infrastructure


Guiding The Conversation

Access control is a critical issue for many organizations, for example because of regulatory requirements.

Access control can also be a key driver in getting customers to migrate to an 802.1x-enabled infrastructure.

Control the Conversation: keep the customer on topic. Table topics such as Data Center, UC, etc. for later. Keep them thinking security.

Use the questions on slide 8 to guide the conversation

If they wander off topic ask another question to bring them back to Access/Identity Security


Objection Handling

Costs

a) Be sure to be comparing Apples to Apples

b) Emphasize total cost of ownership. Remember this is a solution sale that is part of an integrated, long-term strategy, NOT simply a box.

c) Find Pain, Discuss, Provide Solution again

Deployment Ease

a) Set expectations and “spotlight” features

b) Be sure to appropriately cover SOW

Competitive Advantages

a) No one else can offer this solution (see next slide)


Sales Differentiators: Defend Against Competitors!

Market-leading solution

• Ease of deployment:

Monitoring (open) mode, authenticated (low impact), and differentiated (high-impact) deployment options

• Flexible:

Three ways to authenticate using a single configuration

• Efficient, consistent, and scalable:

Leverage your infrastructure and use a common policy

• Ease of ongoing management:

Security Group Tagging (SGT) and Security Group ACLs (SGACL) enable scalable network access control through simplified network design

Complete, single vendor solution


Identity Compliance Requirements

US Department of Defense

“Information Assurance Officers/Network Security Officers will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports”

Defense Information Systems Agency, “Access Control in Support of Information Systems, Security Technical Implementation Guide” (26 December 2008)

Cisco TrustSec addresses mandated access control security requirements

Payment Card Industry (PCI)

Implement Strong Access Control Measures

• Requirement 7: Restrict access to cardholder data by business need-to-know

• Requirement 8: Assign a unique ID to each person with computer access

• Requirement 9: Restrict physical access to cardholder data

Payment Card Industry (PCI) Data Security Standard, “Requirements and Security Assessment Procedures” (Version 1.2.1, July 2009)


Case Study: University of Montreal

Background

One of the top 100 universities in the world, with 55,000 students and an annual research budget of CAD$450 million

Business Challenges

Support collaboration between research groups

Differentiated access for students, researchers, and faculties

Cisco Solution Benefits

Tailored network services with identity-based access

Scalable network environment

Improves OPEX with network moves, adds, and changes

“Our new network is more secure, and we can do a better job by giving more specialized service to people.”

Michel L'Heureux, Director of Telecommunications, Université de Montréal

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/case_study_c36-566762.html


Cisco Leadership Advantage

The Network Provides Comprehensive Visibility and Control

#1 NAC Vendor

• 41% market share (1)

• Leading analysts agree (2)

• 5000+ customers

• Info Security's 'Reader's Choice' Gold Award (3)

(1) Infonetics, June 2008

(2) Gartner Magic Quadrant March 2009, Frost & Sullivan April 2008, Forrester September 2008, IDC Dec 2007, Infonetics June 2008

(3) http://searchsecurity.techtarget.com/productsOfTheYearCategory/0,294802,sid14_tax310405_ayr2008,00.html

LAN Infrastructure Market Leader

• Widest range of market-leading switching platforms

• Widest range of market-leading routing platforms

Cisco Innovation

• Pioneered NAC technology

• Developed NAC standards

• First to launch - 2004

35,000+ ACS Installed Base

• 95% of Cisco Top 100

• 90% of Cisco Top 500

• 85% of Cisco Top 1000


Next Steps – Important Resources

Resources

• TrustSec Business Presentations NEW!

• TrustSec Technical Presentation NEW!

• TrustSec At-A-Glance NEW!

• TrustSec Quick Reference Card NEW!

• TrustSec Email Alias NEW! [email protected]

Web Sites

• Partner Central Secure Borderless Networks Launch page

www.cisco.com/go/sbn

• Partner Central Borderless Networks Launch page

www.cisco.com/partner/bn2

• Partner Central Security page

www.cisco.com/go/partners-security

• Cisco TrustSec external page

www.cisco.com/go/trustsec


Next Steps

1. Establish executive sponsor – leverage Cisco team to get access to CXO

2. Engage all key decision makers: Network, Data Center, Security teams

3. Create a multi-phase rollout to secure the access layer – overlay or infrastructure

a) Migrate switch infrastructure to enable 802.1X

b) Migrate or upsell centralized access policy control with ACS 5.1

c) Upsell guest and profiler appliances

d) Secure Data Center access with Nexus 7000 (SGT and SXP)
