How to Sell Cisco Trustsec: Network Identity Architecture Solutions
© 2010 Cisco Systems, Inc. All rights reserved.
Session Objectives

At the end of the session, the participants should be able to:
• Understand Cisco TrustSec as it relates to the Cisco Borderless Network
• Understand the security market landscape and customers' needs
• Understand Cisco TrustSec key offerings and how to position the right solution for the customer
• Understand migration paths and opportunities
The Transformation: The World Is Our New Workspace

Borderless Networks: A Next Generation Architecture to Deliver the New Workspace Experience

From any person, any place, any device, any resource to the right person, right device, right place, right resource.
Borderless Network Market Drivers

[Figure: users, devices, internal and external applications, IaaS and SaaS]

• Employees demand mobility and device choice
• Consumerization of access devices
• Complex workforce – employees, guests, contractors, partners
• Purpose-built devices becoming network enabled
• Increased use of virtualization
• Move to cloud-based access and services
Identity Critical to Borderless Security

Security Challenges
• Who? Identify users and provide differentiated access in a dynamic, borderless environment
• What? Enforce compliance for proliferating consumer and network-capable purpose-built devices
• Where? Traditional borders are blurred; access is possible from anywhere
• How? Establish, monitor, and enforce consistent global access policies
Announcing Cisco TrustSec

Cisco TrustSec rebrands our policy-based access control, identity-aware networking, and data integrity and confidentiality services under a single name.

The term TrustSec has been expanded from SGT to include both switch infrastructure and appliance-based solutions for securing network access and control, including:
• Identity-Based Networking Services (IBNS) and 802.1x
• Network Admission Control
• Cisco Secure Access Control Server (ACS)
Market Opportunity

Gartner predicts the adoption rate of 802.1x for wired networks will be 70% by 2011. It bases this on the belief that 802.1x implementation will be made simpler and that demand for NAC to control access of guest PCs will continue to grow.
Source: Network World, August 2008
http://www.networkworld.com/newsletters/vpn/2008/081808nac1.html
Customer Challenge in Building an Access Policy in a Borderless Network
Common questions customers ask

Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs?
• Common access rights when on-premises, at home, on the road?
• Are endpoints healthy?

Guest Access
• Can I allow guests Internet-only access?
• How do I easily create a guest account?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Non-Authenticating Devices
• How do I discover non-authenticating devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?
Why Do Customers Care?

• Supports Compliance: provides real-time access visibility and audit trails for monitoring, auditing and reporting
• Strengthens Security: enforces consistent security policy, ensures endpoint health, delivers a secure network fabric
• Enables Secure Collaboration: dynamically authenticates and assigns access based on user and device role and location
TrustSec Addresses Customer Concerns

1. Who are you? Identifies authorized users: an 802.1x-enabled device or a Network Admission Control (NAC) appliance authenticates the user
2. Where can you go? Enforces access policy: based on authentication data, the user is placed in the correct VLAN
3. What service level do you receive? Personalizes the network: the user is assigned services based on role and policy (job, location, device, etc.)
4. What are you doing? Increases network visibility: the user's identity, location, and access history are used for compliance & reporting
What TrustSec Does

Identity Information (Group: Contractor, Full-Time Employee, Guest) + Other Conditions (Time and Date, Access Type, Location, Posture, Device Type)
-> Authorization (Controlling Access): Broad Access, Limited Access, Guest/Internet, Deny Access, Quarantine
-> Access, Compliance, Reporting

Example identities:
• Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.
• Frank Lee: Guest; Wireless; 9 a.m.
• Security Camera G/W: Agentless Asset; MAC: F5 AB 8B 65 00 D4
• Francois Didier: Consultant, HQ—Strategy; Remote Access; 6 p.m.
Guest Access for NAC and 802.1X Deployments (now supports 802.1X)

NAC Guest Server
• Provision: guest accounts via sponsor portal
• Notify: guests of account details by print, email, or SMS
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Report: on all aspects of guest accounts
Non-Authenticating Device Policy for NAC and 802.1X Deployments (now supports 802.1x)

Many endpoint devices are undocumented and cannot authenticate to the network: printers, fax machines, IP cameras, cash registers, alarm systems, video conference units, turnstiles, HVAC systems.

[Chart: wired endpoint distribution. Enterprises without VoIP: 50% PCs, 50% other. Enterprises with VoIP: 33% PCs, 33% IP phones, 33% other.]

NAC Profiler
Device Identification
• Determine device type
• Centralized device discovery and inventory
• Uses network device tables and analyzes endpoint traffic
Control and Audit
• Authorize based on device role
• Monitor and audit to prevent spoofing
New TrustSec Capabilities

Enhanced Switch Features:
• More authentication options: FlexAuth, WebAuth
• Additional deployment capabilities: Open Mode, IP Telephony
Cisco ACS 5.1:
• Improve operations with monitoring and troubleshooting
Cisco NAC Guest and Profiler:
• Lower the cost of managing identity and policy in both an 802.1X and a NAC appliance environment
MACsec:
• Addresses compliance by providing an encrypted link from the Catalyst® 3750-X, 3560-X, and Nexus® 7000 to the endpoint
Security Group Tagging (SGT) and Security Group ACLs (SGACL):
• Reduces OPEX and provides topology-independent access and enforcement

TrustSec for 802.1X is a long-term, multi-phase opportunity:
1. Migrate the customer to an 802.1X infrastructure to secure their access layer
2. Create user and device posture with ACS, Guest, and Profiler appliances
3. Introduce SGTs and SGACLs to reduce OPEX and extend enforcement
Two TrustSec Options for Any Customer

NAC Appliances: NAC overlay solution for quick deployment and/or heterogeneous environments
• NAC Manager: admin, reporting, and policy store
• NAC Server: posture, services, and enforcement
• NAC Agent and Web Agent: no-cost persistent & temporal clients for authentication, posture, & remediation

802.1X/Infrastructure: robust integrated enforcement solution for 802.1X-enabled infrastructures
• Cisco 2900/3560/3700/4500/6500 and Nexus 7000 switches, wireless and infrastructure**
• CSSC or OS-embedded supplicant (802.1x supplicant, SSC)
• ACS 5.1: identity & 802.1x access policy system

Note – Guest Server and Profiler can be deployed with both NAC and ACS:
• NAC Guest: full-featured guest provisioning server
• NAC Profiler: profiles non-authenticating devices

What's Right For Me?
• Immediate need for posture assessment? NAC
• Largely non-Cisco access infrastructure? NAC
• 802.1x or industry standard mandate over next 1-2 years? Infrastructure
• Have or plan to deploy a service-enabled infrastructure? Infrastructure

**First switches targeted to support SGT: Cisco 2900/3560/3700/4500/6500
Cisco NAC Appliance Advantages

Comprehensive NAC Solution
• Flexible deployment options: in-band and out-of-band
• Covers all use cases: wired, wireless, and VPN
• Includes authentication, authorization, guest, profiling, posture

Market Leadership
• 5000+ customers
• Leading NAC vendor: Gartner, IDC, Infonetics, Frost & Sullivan

Complete Posture Lifecycle
• Offers endpoint compliance verification and remediation
• Agents for managed & unmanaged PCs
• Automated updates simplify compliance for 350+ security apps
[Figure: posture lifecycle – verify user and device identity, check compliance, quarantine non-compliant devices, remediate]
NAC Appliance in Action: A Conceptual View

[Figure: end user, NAC Server, NAC Manager, Authentication Server, quarantine, intranet/network]

The goal: the NAC Server gathers and assesses user/device information (username and password; device configuration and vulnerabilities).
1. End user attempts to access network; initial access is blocked
2. Single-sign-on or web login against the Authentication Server
3a. Noncompliant device or incorrect login: access denied, placed in quarantine for remediation
3b. Device is compliant: placed on the "certified devices list", network access granted
Cisco 802.1X/Infrastructure Advantages

Monitoring, Troubleshooting & Reporting
• Correlates access log data from multiple network enforcement sources
• Customized queries
• Centralized dashboard
• Integrated diagnostics
• Reporting

Consistent Infrastructure Simplifies Rollout
• Consistent functionality across Cisco switch platforms
• Broad use-case support for device authentication & enforcement
• Flexible deployment options: monitor-mode, low-impact, high-security
[Figure: 1X impact modes, Web Auth, MAB]

Secure Network Fabric
• Provides consistent confidentiality and integrity across wireless, VPN, and now wired Ethernet
• Open standards based – 802.1AE MACsec & 802.1X-2010
• Network Edge Authentication Topology (NEAT): only legitimate network devices join the fabric

Security Group Access Control
• Operationally simplified access control deployment
• Infrastructure-based, spans campus to data center
• Deployed independent of topology & network design
802.1X/Infrastructure in Action: A Conceptual View

[Figure: users and endpoints (supplicant, IP phones, guest user, network-attached device) connect to a Cisco® Catalyst® switch in the campus network; the control plane is RADIUS to ACS, backed by a directory service, NAC Guest Server and NAC Profiler Server; a Nexus® 7000 switch fronts the 802.1X protected resources]

1. End user / endpoint attempts to access network
   • 802.1X authentication for registered user
   • MAC Authentication Bypass for agentless device
   • Web authentication for guest
2. Policy servers evaluate identity information
   • NAC Profiler evaluates agentless device
   • Guest Server manages temporary guest access
   • ACS evaluates overall policy and returns authorization back to the NAD
3. Access control based on policies
   • Catalyst switch enforces access control based on policy (VLAN assignment, dACL, SGT)
   • Nexus 7000 applies SGACL based on SGT mapped to role
Consistent Infrastructure Simplifies Rollout

Consistent functionality across Cisco's switch platforms:
• Flexible Authentication • Multiple Authentication • Open Access • Multi-Domain Access • MAC Move/Replace • 802.1X-2010

1. Monitor Mode
What does it do? Open mode enables readiness assessment for 802.1X enforcement; discovers users and devices.
How does it do it? Monitor-only, no access restrictions; tracks user authentications; identifies non-802.1x capable devices and creates a device list.

2. Authenticated Access Mode / Low Impact
What does it do? Low impact security mode provides two levels of access for all users and devices: limited and normal.
How does it do it? Limited network access permitted by default for all users and devices; normal access granted based on user and device authorization via dACLs.

3. Differentiated Access Mode / High Impact
What does it do? High impact security mode provides access control based on user and device group membership.
How does it do it? Traditional 802.1X; role-based access control: dynamic VLANs, dACLs, SGACL.
Differentiated Access: Security Group Access Control (SGACL)

Security Group Access Control Concept
Define "Roles" for users in the organization
• Authenticate user (802.1x) at access layer
• Assign "Role" to user
The network enforces role-based access policy.

Benefits
Significant OPEX savings!
• Reduces thousands of ACLs to a pre-defined set
• Simplifies traffic management, add/change/move

Immediate Opportunities
Compliance Issue – LAN Access to the Data Center
Available NOW! (SXP* + Nexus 7000 + ACS)

*Technical Note: Upon 802.1X authentication, SXP (Security Exchange Protocol) binds the user's IP address to the user's "role" (defined by the ACS) on switches that do not yet support SG tagging. This SXP information is processed by the Nexus 7000 switch the same as an SGT. More robust SGT functions will be available as SGT rolls out across more switch devices.
Security Group Access Control

VLANs, ACLs, and subnets are topology dependent and operationally intensive. TrustSec is topology independent and streamlines network segmentation:
• Security Group Tags (SGTs) are assigned to users, devices, or VMs based on role
• Security Group ACLs (SGACLs) enforce access policy based on SGTs
• SGTs and SGACLs can replace multiple ACLs, thereby reducing OPEX

[Figure: policy matrix. Source security groups (individuals): Employee, Contractor, Guest/Unknown. Destination security groups (resources): Internet, Special Projects, Print/Copy, Confidential. Each source/destination cell holds the authorization and access rules for that pair.]

Security group-based access control allows customers:
• To keep existing logical design at the access layer
• To dynamically change / apply policy to meet today's business requirements
• To distribute policy from a central management server
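The SXP binding and SGACL matrix described on this and the previous slide, modelled in Python as an added illustration (not Cisco code and not part of the deck): an enforcement point learns IP-to-SGT bindings the way the Nexus 7000 receives them over SXP from access switches that cannot tag, maps resource subnets to destination groups statically, and evaluates the source/destination cell of a role-based matrix. Tag numbers, addresses and the matrix contents are constructed sample values.

```python
"""SGT/SGACL enforcement with SXP-style IP-to-SGT bindings (added illustration,
not Cisco code). Tags, addresses and matrix contents are constructed samples;
the point is that policy is keyed on role, never on a VLAN or subnet."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Source groups (individuals) and destination groups (resources), sample values.
SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_GUEST, SGT_UNKNOWN = 10, 20, 30, 0
DGT_INTERNET, DGT_PROJECTS, DGT_PRINT, DGT_CONFIDENTIAL = 100, 101, 102, 103


@dataclass(frozen=True)
class Ace:
    """One entry in an SGACL cell; proto "ip" and dport None act as wildcards."""
    action: str
    proto: str = "ip"
    dport: Optional[int] = None


# (source SGT, destination SGT) -> ordered ACEs. A missing cell is the default
# deny, so a few role-based cells replace per-subnet ACLs on each access switch.
SGACL_MATRIX: dict[tuple[int, int], list[Ace]] = {
    (SGT_EMPLOYEE, DGT_INTERNET): [Ace("permit")],
    (SGT_EMPLOYEE, DGT_PROJECTS): [Ace("permit")],
    (SGT_EMPLOYEE, DGT_PRINT): [Ace("permit", "tcp", 9100)],
    (SGT_EMPLOYEE, DGT_CONFIDENTIAL): [Ace("permit", "tcp", 443), Ace("deny")],
    (SGT_CONTRACTOR, DGT_INTERNET): [Ace("permit")],
    (SGT_CONTRACTOR, DGT_PROJECTS): [Ace("permit", "tcp", 443)],
    (SGT_GUEST, DGT_INTERNET): [Ace("permit", "tcp", 80), Ace("permit", "tcp", 443)],
    (SGT_UNKNOWN, DGT_INTERNET): [Ace("permit", "tcp", 80), Ace("permit", "tcp", 443)],
}


class Enforcer:
    """The data-center enforcement point (the Nexus 7000 role in the slides).
    Host bindings arrive over SXP from access switches that cannot tag frames;
    resource subnets are mapped statically; both feed the same tag lookup."""

    def __init__(self) -> None:
        self.ip_sgt: dict[IPv4Address, int] = {}
        self.subnet_sgt: list[tuple[IPv4Network, int]] = []

    def sxp_bind(self, ip: str, sgt: int) -> None:
        """IP -> role binding sent after a user's 802.1X authentication."""
        self.ip_sgt[ip_address(ip)] = sgt

    def sxp_unbind(self, ip: str) -> None:
        """Binding withdrawn when the session ends or the host moves."""
        self.ip_sgt.pop(ip_address(ip), None)

    def map_subnet(self, cidr: str, sgt: int) -> None:
        """Static IP-to-SGT mapping for a server subnet."""
        self.subnet_sgt.append((ip_network(cidr), sgt))

    def lookup_sgt(self, ip: str) -> int:
        """Host binding first, then subnet mapping, else Unknown (tag 0)."""
        addr = ip_address(ip)
        if addr in self.ip_sgt:
            return self.ip_sgt[addr]
        for net, sgt in self.subnet_sgt:
            if addr in net:
                return sgt
        return SGT_UNKNOWN

    def decide(self, src: str, dst: str, proto: str = "ip",
               dport: Optional[int] = None) -> tuple[str, str]:
        """First-match evaluation of the (source, destination) cell."""
        sgt, dgt = self.lookup_sgt(src), self.lookup_sgt(dst)
        for ace in SGACL_MATRIX.get((sgt, dgt), []):
            if ace.proto in ("ip", proto) and ace.dport in (None, dport):
                return ace.action, f"sgt {sgt} -> dgt {dgt}: matched {ace}"
        return "deny", f"sgt {sgt} -> dgt {dgt}: no matching ACE, default deny"


def build_demo_enforcer() -> Enforcer:
    """Constructed sample: three resource subnets, an Internet edge, three users."""
    enf = Enforcer()
    enf.map_subnet("172.16.10.0/24", DGT_CONFIDENTIAL)
    enf.map_subnet("172.16.20.0/24", DGT_PROJECTS)
    enf.map_subnet("172.16.30.0/24", DGT_PRINT)
    enf.map_subnet("203.0.113.0/24", DGT_INTERNET)
    enf.sxp_bind("10.1.1.5", SGT_EMPLOYEE)    # wired employee
    enf.sxp_bind("10.1.2.7", SGT_CONTRACTOR)  # remote-access consultant
    enf.sxp_bind("10.1.3.9", SGT_GUEST)       # wireless guest
    return enf


def topology_move_is_policy_neutral(enf: Enforcer) -> bool:
    """Re-home the employee to another subnet: the old binding is withdrawn, a
    new one learned, and the same cell applies with no ACL edit anywhere.
    The stale address loses its role and falls back to the default deny."""
    before = enf.decide("10.1.1.5", "172.16.10.20", "tcp", 443)[0]
    enf.sxp_unbind("10.1.1.5")
    enf.sxp_bind("10.9.9.5", SGT_EMPLOYEE)
    after = enf.decide("10.9.9.5", "172.16.10.20", "tcp", 443)[0]
    stale = enf.decide("10.1.1.5", "172.16.10.20", "tcp", 443)[0]
    return before == after == "permit" and stale == "deny"
```

Run `build_demo_enforcer().decide("10.1.2.7", "172.16.10.20", "tcp", 443)` to see the contractor-to-confidential flow hit the default deny with its reason string.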
Cisco Secure ACS Policy Control

Cisco Secure ACS is the world's most popular enterprise access and policy platform. ACS delivers a centralized identity and access policy solution that seamlessly enables an enterprise-grade network access policy and identity strategy for both large and small organizations.

• 35,000+ ACS installed base
• Used by 95% of Cisco Top 100, 90% of Cisco Top 500, 85% of Cisco Top 1000
• 86 of Standard & Poor's 100 (S&P 100: 86%; Fortune 500: 86%; Russell 1000: 70%)
Cisco Secure ACS Monitoring, Troubleshooting, and Reporting

Simplify operations with a centralized system dashboard:
• Custom query response and troubleshooting
• Alarms and alerts
• Tracks events from switches & ACS
• Real-time network access visibility and monitoring
• Compliance reporting
• Diagnostics and failure analysis
Selling TrustSec
Sales Tactics

Low-hanging fruit
• Enterprise (500+ users)
• Security-conscious
• Regulatory compliance
• Internal mandates for 802.1X

Key decision influencers
• Network decision-maker
• Security decision-maker
• Compliance officer
• IT director
Sales Tactics: Drive ACS and Legacy Switch Migrations

NOW: Accelerate switch migration to 802.1x
• Secure access layer with 802.1x infrastructure
• Identify existing legacy switch install base and migrate to 802.1x-enabled switch infrastructure
NOW: Ensure account control with Access Control
• Seed ACS 5.1 in account by selling new features, including enhanced monitoring and troubleshooting, and flexible rules-based policies
• Upgrade existing ACS devices to 5.1 to manage and control 802.1x access control policy
NOW: Position Guest Access and Device Profiler appliances
Sales Tactics (cont'd): Drive ACS and Legacy Switch Migrations

NEXT: Extend Cisco value by leveraging new TrustSec solutions for 802.1x
• Upgrade ACS/Guest Access/Device Posture devices to Positron
• Showcase competitive advantages of Cisco switches with hop-by-hop encryption and Security Group Tags and Security Group ACLs
ONGOING: Add value-added professional services for migrations
Sales Process

Presentation and demo -> Assessment -> Proof of Concept -> Deployment

Tools Available:
• Sales and technical presentations
• Infrastructure assessment guidelines
• Configuration guides for POCs
• Design and deployment guides
Partner Program Opportunities and Incentives

Partner Opportunities
Migration:
• Use TrustSec features to drive switch upgrades
• Install Base Lifecycle Management (IBLM)
• Network Assessments
• Security Assessments
• Technology Migration Program (TMP)
• Trade in Accelerator Program (TAP)
Other Incentives:
• Value Incentive Program (VIP)
• Opportunity Incentive Program (OIP)
TrustSec Sales Opportunities
1. Create migration opportunities
2. Include security technology
3. Add high-margin professional services
Migration Opportunity: Total Market
[Chart: total market; tick values 2K, 3K, 4K, 6K]
Catalyst Migration Opportunity: Optimal Path

Legacy Migration Plan (legacy platform -> recommended target)
• Catalyst 2940, 2950 -> 2960, 2960-S
• Catalyst 2970 -> 2960, 2960-S, IE 3100
• Catalyst 3550 -> 3560, 3750, 3560E, 3750E, 3560X, 3750X
• Catalyst 400x & 4500 non-E Series (SUP1, SUPII, SUPII+TS, SUPII+, SUPII+10G, SUPIII, SUP-IV, SUPV) -> 4500 E Series (with Sup6-E, Sup6L-E, 4500 with SupV-10GE)
• Catalyst 6K Sup 1, Sup 2 -> Sup 32 or Sup 720
Switch Technical Differentiators

Flexible Authentication Sequencing
• Rolling authentication with a flexible sequence (.1x, MAC Auth Bypass, and web authentication)
• Most flexible authentication in the market: automates the port configuration to accommodate all endpoint devices – necessary to support the most enterprise use cases

Unified Guest Access
• Unified guest access with local web authentication on the switch
• Same infrastructure for wired and wireless guest access – same premiere user experience

Monitor Mode
• Gathers information about device/user access without adverse impact
• Critical to deploying network-based identity without locking out users or devices
Migration Opportunities

ACS
Strategy – secure account control with customers who want posture with 802.1x, by preparing their base networking infrastructure.
• Migrate existing ACS 4.x customers to ACS 5.1 (SKUs and migration tools are available – utility in ACS 5.1 to migrate data)
• Sell professional services required to facilitate the policy migration

NAC
Strategy – maximize customer satisfaction / minimize ongoing support by migrating existing NAC customers to 4.7.1
• Migrate existing SW-only customers to 4.7.1 – for customers on non-Cisco HW, migration to the latest appliance (33x5) is mandatory (program and SKUs are available)
• Migrate existing Profiler customers to 3.x – UI and stability enhancements
• Upsell NAC Guest Server
ACS Migration – Value and Migration Detail

Product evolution over time: ACS 4.x -> ACS 5.1 -> ACS 5.2

ACS 5.1 customer value
• Integrated "View" functionality, c/w extensive reporting templates
• Simplified policy creation with enhanced policy monitoring
• Improved visibility into network access and device admin specifics
• Support for Cisco identity-enabled networks, with .1x and SGT support

ACS 5.2 customer value
• Enhanced support for GOV installations requiring FIPS compliance

Migration paths
• SW / HW migration from ACS 4.x to ACS 5.1
• SW migration from ACS 5.0 to ACS 5.1
• SW migration from ACS 5.1 to ACS 5.2
ACS 5.1 Upgrade and Migration

From any previous release to the latest 5.1 release
• Upgrade part numbers available with special pricing (refer to ACS migration matrix)
• Upgrade from appliance or software to 1121 appliance or VMware versions
  Example 1 – go from ACS 3.3 on Windows to 1121 Appliance
  Example 2 – go from 1111 Appliance to 5.2 VMware
• Migration utility in 5.1 to migrate existing data; comes with all previous versions needed to perform a complete data migration
ACS Migration Tools

Education
• ACS-specific collateral updates (BDM, TDM)
• ACS 5.1 Overview and Value Proposition presentation
• 5 Things You Need To Know about ACS 5 (short presentation)
• Archived webinar series: ACS – What's In It For Me? (ACS value proposition, ACS Migration Strategy)

Migration Process
• Migration Workload Estimating Tool
• Migration Guide
• Migration Deep Dive webinar
• Migration Utility (in ACS 5.1)

Offers
• 40% upgrade discount for existing customers
ACS 5.1 Summary

Sell ACS 5.1 for the following customer benefits:
• Compliance & audit through integrated reporting across the entire deployment
• Troubleshooting capabilities lower operational expenditure
• Enable infrastructure services – identity, TrustSec

Sell ACS 5.1 to:
• Seed the account to prevent competition from switch vendors such as HP and Juniper
• Position infrastructure upgrades by enabling advanced services like identity and TrustSec
• Bundle additional products like NAC Guest and NAC Profiler
NAC Migration – Value and Migration Detail

Product evolution over time: NAC 4.5.x -> NAC 4.6.x -> NAC 4.7.x -> NAC 4.8 (Planned)

Customer value, by successive release:
• Enhanced agent-side reporting; improved user experience; reduced client footprint; easy NAC Agent management; simplified troubleshooting
• Dedicated FIPS certified HW Security Module, which handles cryptographic operations; higher-scalability (5000 user) HW option; support for Windows 7 and Mac Snow Leopard
• Improved reporting capability; faster response to AV / AS; post-admission NAC for ongoing device posture

Migration paths
• NAC pre-4.5 to 4.7.1 via SW / HW migration program
• SW migration from NAC 4.5x to NAC 4.6x
• SW migration from NAC 4.6.x to NAC 4.7.x
• Separate FIPS HW module (note – FIPS module supported on 33x5 platform only)
• SW migration from NAC 4.7.x to NAC 4.8
NAC Migration Opportunities Details
• Migrate existing software-only customers to 4.7.1
• For customers on non-Cisco hardware, migration to the latest appliance (IBM Platform) is mandatory; these customers can take advantage of an 80% discount on new appliances
• Note that customers on Cisco hardware will only require a software upgrade
• Upsell NAC Guest Server
• Add value-added professional services
NAC Migration Tools and Offers

NAC Appliance Migrations
• Step by Step Migration Guide for Software-Only Customers
• Migration Deep Dive Webinar (archived version available)
Migration Offer
• Pre-discounted NAC appliances (IBM Platform) – up to 80% off
ACS and NAC – Migration Overview

Today
• NAC 4.7.1 (33x5 HW)
  - NAC pre-4.5 to 4.7.1: NAC SW / HW migration program
  - NAC 4.5 / 4.6 to 4.7.1: SW migration
• ACS 5.1 (1121 HW)
  - ACS pre-5.x to 5.x migration: dedicated VMware / appliance SKUs
  - ACS 5.0 to 5.1 migration: SW migration

Mid-Year 2010
• NAC 4.8 (33x5 HW)
  - NAC 4.5 / 4.6 to 4.8: SW migration
• ACS 5.2 (1121 HW)
  - ACS 5.1 to ACS 5.2: FIPS compliance migration (SW)

Q4CY'10
• Consolidated Platform (1121 / 33x5 HW)
  - ACS 5.1 / 5.2 to Consolidated Platform: SW "cross-grade", HW migration for pre-1121 HW
  - NAC 4.8 to Consolidated Platform: SW "cross-grade", HW migration for pre-33x5 HW
Sales Opportunity: Attach Security (NEW!)
• Discuss enhanced capabilities of ACS 5.1 to drive migration (35,000+ customers)
• Demonstrate the best-in-class guest access management of NAC Guest Server
• Position the ease of deployment with NAC Profiler
• All technologies provided by the proven leader in Network Security and Network Admission Control – Cisco Systems
Sales Opportunity: Data Center and SGACL

Opportunity:
• Data center growth is exploding!
• Compliance mandates require appropriate access control for data center resources
• Huge opportunity to migrate not only access switches but data center switches

TrustSec Relevance:
• Begin data center access control discussions with Security Group ACL
• Position Nexus 7000 and SXP
• Demonstrate how authentication for LAN users can be enforced easily in the data center
Example TrustSec Deal Size

Mid-sized network: $7M (list)
• Switch Migration: 15 Catalyst 6500 Series; 50 Catalyst 3750 Series; 125 Catalyst 4500E Series
• Attached Security: 5 Access Control Systems; 1 Profiler (up to 40,000 MAC addresses); 1 Guest Server

Large enterprise network: $24M (list)
• Switch Migration: 50 Catalyst® 6500 Series; 50 Catalyst 3750 Series; 2000 Catalyst 2960 Series
• Attached Security: 14 Access Control Systems; 3 Profilers (up to 40,000 MAC addresses each); 3 Guest Servers
Sales Opportunity: Offer High-Margin Professional Services
• Business processes
• Network discovery
• Migration services
• Implementation services
• Leveraging partner services
Professional Services

Professional services from Cisco, or one of our Services Partners, are an important component of any successful rollout.

Service Components -> Activities and Deliverables
• Security Policy Review -> Security policy review; match compliance to infrastructure
• Design Strategy Development -> Custom design for authentication and access objectives; customized solution for existing network
• Controlled Deployment -> Experienced rollout services
• Full Deployment -> Expertise decreases deployment time
• Training and Knowledge Transfer -> Training for operation, maintenance, management, and tuning
Next Steps: Determine the Appropriate Solution
• Engage your SE
• Clarify the customer's pain
• Discuss pros and cons (.1x, NAC, Profiler, GS)
• Present the BEST solution first, THEN discuss cost
• Set appropriate expectations: timeline, pilot, needed customer resources, etc.
• Ask for the order

ACS & Switches (Infrastructure): upgrade legacy switches; sell/upgrade ACS; sell CSSC; upsell NAC Profiler; upsell NAC Guest
NAC (Overlay): sell NAC Server; sell NAC Manager; upsell NAC Profiler; upsell NAC Guest
Guiding The Conversation
• Access control is a critical issue for many organizations, driven by factors such as regulatory requirements.
• Access control can also be a key driver in getting customers to migrate to an 802.1x-enabled infrastructure.
• Control the conversation: keep the customer on topic. Table topics such as Data Center, UC, etc. for later. Keep them thinking security.
• Use the questions on slide 8 to guide the conversation.
• If they wander off topic, ask another question to bring them back to access/identity security.
Objection Handling

Costs
a) Be sure to be comparing apples to apples
b) Emphasize total cost of ownership. Remember this is a solution sale that is part of an integrated, long-term strategy, NOT simply a box.
c) Find pain, discuss, provide solution again

Deployment Ease
a) Set expectations and "spotlight" features
b) Be sure to appropriately cover SOW

Competitive Advantages
a) No one else can offer this solution (see next slide)
Sales Differentiators: Defend Against Competitors!

Market-leading solution
• Ease of deployment: monitoring (open) mode, authenticated (low impact), and differentiated (high-impact) deployment options
• Flexible: three ways to authenticate using a single configuration
• Efficient, consistent, and scalable: leverage your infrastructure and use a common policy
• Ease of ongoing management: Security Group Tagging (SGT) and Security Group ACLs (SGACL) enable scalable network access control through simplified network design
Complete, single vendor solution
Identity Compliance Requirements

Cisco TrustSec addresses mandated access control security requirements.

US Department of Defense
"Information Assurance Officers/Network Security Officers will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports"
Defense Information Systems Agency, "Access Control in Support of Information Systems, Security Technical Implementation Guide" (26 December 2008)

Payment Card Industry (PCI)
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Payment Card Industry (PCI) Data Security Standard, "Requirements and Security Assessment Procedures" (Version 1.2.1, July 2009)
Case Study: University of Montreal

Background
One of the top 100 universities in the world, with 55,000 students and an annual research budget of CAD$450 million

Business Challenges
• Support collaboration between research groups
• Differentiated access for students, researchers, and faculties

Cisco Solution Benefits
• Tailored network services with identity-based access
• Scalable network environment
• Improves OPEX with network moves, adds, and changes

"Our new network is more secure, and we can do a better job by giving more specialized service to people."
Michel L'Heureux, Director of Telecommunications, Université de Montréal
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/case_study_c36-566762.html
Cisco Leadership Advantage
The Network Provides Comprehensive Visibility and Control

#1 NAC Vendor
• 41% market share [1]
• Leading analysts agree [2]
• 5000+ customers
• Info Security's 'Reader's Choice' Gold Award [3]

LAN Infrastructure Market Leader
• Widest range of market-leading switching platforms
• Widest range of market-leading routing platforms

Cisco Innovation
• Pioneered NAC technology
• Developed NAC standards
• First to launch – 2004

35,000+ ACS Installed Base
• 95% of Cisco Top 100
• 90% of Cisco Top 500
• 85% of Cisco Top 1000

[1] Infonetics, June 2008
[2] Gartner Magic Quadrant March 2009, Frost & Sullivan April 2008, Forrester September 2008, IDC Dec 2007, Infonetics June 2008
[3] http://searchsecurity.techtarget.com/productsOfTheYearCategory/0,294802,sid14_tax310405_ayr2008,00.html
Next Steps – Important Resources

Resources
• TrustSec Business Presentations NEW!
• TrustSec Technical Presentation NEW!
• TrustSec At-A-Glance NEW!
• TrustSec Quick Reference Card NEW!
• TrustSec Email Alias NEW! [email protected]

Web Sites
• Partner Central Secure Borderless Networks Launch page: www.cisco.com/go/sbn
• Partner Central Borderless Networks Launch page: www.cisco.com/partner/bn2
• Partner Central Security page: www.cisco.com/go/partners-security
• Cisco TrustSec external page: www.cisco.com/go/trustsec
Next Steps
1. Establish executive sponsor – leverage Cisco team to get access to CXO
2. Engage all key decision makers: Network, Data Center, Security teams
3. Create a multi-phase rollout to secure the access layer – overlay or infrastructure
   a) Migrate switch infrastructure to enable 802.1X
   b) Migrate or upsell centralized access policy control with ACS 5.1
   c) Upsell guest and profiler appliances
   d) Secure Data Center access with Nexus 7000 (SGT and SXP)