CLLE FL 092014
Cisco Security The Evolution Continues
Tim Ryan, Security Consulting Systems Engineer – CCIE, CISSP
US Public Sector
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
1. Next Generation Security Model
2. ASA + Sourcefire = Next Gen FW / Gen 2 IPS
3. Web Security / Filtering Review
4. Access Control Technology - ISE
The Next Generation Security Model
Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud. From point-in-time to continuous.
What device types, users & applications should be on the network?
BEFORE THE ATTACK: You need to know what's on your network to be able to defend it – devices / OS / services / applications / users (FireSIGHT)
Access controls, enforce policy, manage applications and overall access to assets.
Access controls reduce the surface area of attack, but there will still be holes that the bad guys will find. ATTACKERS DO NOT DISCRIMINATE. They will find any gap in defenses and exploit it to achieve their objective.
Challenges with Traditional ‘Defense-in-Depth’ Security
Integrated Threat Defense Across the Attack Continuum
Products: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection
Attack Continuum
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Capabilities: Visibility and Automation, Granular App Control, Modern Threat Control, Retrospective Security, IoCs / Incident Response
Introducing FirePOWER Services for ASA
ASA with FirePOWER Services Blade
• Models: ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X with SSD drive.
  • FirePOWER Services Software Module
  • Add Licenses & Subscriptions
• Models: ASA 5585-X-SSP10, ASA 5585-X-SSP20, ASA 5585-X-SSP40, ASA 5585-X-SSP60
  • FirePOWER Services HW Module Required
  • Add Licenses & Subscriptions
Proven Cisco ASA firewalling + industry leading NGIPS and AMP = Cisco ASA with FirePOWER Services
Multilayered Protection – Next Gen FW + Gen2 IPS
► World’s most widely deployed, enterprise-class ASA stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER Next-Generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced Malware Protection
Cisco ASA components: Identity-Policy Control & VPN; Network Firewall; Routing | Switching; Clustering & High Availability
FirePOWER Services components: Application Visibility & Control; Intrusion Prevention (Subscription); URL Filtering (Subscription); Advanced Malware Protection (Subscription); FireSIGHT Analytics & Automation; Built-in Network Profiling
Cisco Collective Security Intelligence Enabled
• Visibility over – Network, Device, Application, Threat Detection & Mitigation
FirePOWER Services for ASA: Included Features and Subscriptions
Included with the appliance (defaults):
• Configurable Fail Open
• Connection/Flow Logging
• Network, User, and Application Discovery
• Traffic filtering / ACLs
• NSS Leading IPS Engine
• Comprehensive Threat Prevention
• Security Intelligence (C&C, Botnets, SPAM etc.) *
• Blocking of Files by Type, Protocol, and Direction
• Basic DLP in IPS Rules (SSN, Credit Card etc.)
• Access Control: AVC - Enforcement by Application
• Access Control: Enforcement by User
Subscriptions (annual fee):
• IPS and App Updates: IPS Rule and Application Updates
• URL Filtering: URL Filtering Subscription
• Malware Protection: Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory
Feature stack:
• Sourcefire Services: App Visibility / Control, URL Filtering, Advanced Malware Protection, Next Gen IPS
• Base ASA Firewall: VPN Termination, ACLs – Protocol Inspection, Routing, Network Address Translation
* Included - Smartnet required for Security Intelligence updates
Security Intelligence Black List Objects
Sourcefire on ASA Licensing
Licensing Notes
• Virtual or physical FireSIGHT Management Center required
• All FirePOWER Services device licenses are managed on the FireSIGHT Management Center. A license key from the FireSIGHT Management Center is required for registering PAKs.
• Licenses are specific to each ASA model and mapped to managed ASA devices
• Subscriptions must be purchased on both elements of an HA pair
• Term licenses have a start and end date; beyond the end date, renewal is required to continue receiving subscription updates.
• Application Visibility and Control updates are included in SMARTnet Services
• IPS subscription is a prerequisite for the Advanced Malware Protection (AMP) subscription
• SSDs are included in all new ASA FirePOWER Services hardware SKUs
Five Subscription Packages to Choose From for Each Appliance
• 1 and 3 year terms
• AVC is part of the default offering
• AVC updates are included in SMARTnet
• IPS is required before AMP or URL license can be added
Packages (as stacked in the figure):
• TA: IPS
• TAC: IPS + URL
• TAM: IPS + AMP
• TAMC: IPS + URL + AMP
FireSIGHT Management Center Sizing Guidance
Model (SKU): 750 (FS750-K9) | 1500 (FS1500-K9) | 3500 (FS3500-K9) | Virtual (FS-VMW-SW-K9)
Max. devices managed*: 10 | 35 | 150 | up to 25
Event storage: 100 GB | 125 GB | 400 GB | -
Max. network map (hosts / users): 2K/2K | 50K/50K | 300K/300K | -
Events per second (EPS): 2000 | 6000 | 10000 | -
* Max number of devices is dependent upon sensor type and event rate
Also available: lower-priced Virtual FireSIGHT Management Center offerings (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9) limited to 2 and 10 FirePOWER Services (only) devices managed (note: enforced by support!!). These special offerings do not manage FirePOWER Appliances.
FirePOWER Services Licensing Reference
Component | License Name and Features Enabled | License Type | Fulfillment
FirePOWER Services | Protect (enables FirePOWER Services: IPS and AVC core functionality), Control | Perpetual License (Included) | PAK claim certificate ships with Appliance/Upgrade License
IPS | IPS Subscription | Service Contract (Purchase) | Services support contract only
URL Filtering | URL Filtering Subscription | Term License (Purchase) | PAK claim certificate ships with URL Subscriptions
Malware Protection | AMP Subscription | Term License (Purchase) | PAK claim certificate ships with AMP Subscriptions
FireSIGHT Management Center | FireSIGHT Network Awareness | Perpetual License (Included) | PAK claim certificate ships with Appliance/Software Download
Sourcefire Gen2 IPS / Next Gen Firewall Features
FireSIGHT: What are the Key FireSIGHT Components?
Network Discovery & Connection Awareness
Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it’s gathered
Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control
User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively ID users
• Authoritative users can be used as access control criteria
Sourcefire FireSIGHT Technology: FireSIGHT Discovery
Discovery is reported to you by way of events
• Connection events are recorded as every connection in a monitored network is seen
• Host events are recorded when something new on a host is detected or a change to a host is detected
Information about all the hosts in your environment is stored in host profiles
Sourcefire FireSIGHT Technology: FireSIGHT Discovery
By knowing the details of what’s running in your environment, the Sourcefire System can produce a list of what vulnerabilities likely exist
This allows the Sourcefire System to put intrusion events in context for more accurate and actionable alerting
Which would matter more to you?
• A Code Red attack against a host running Linux in your environment, or
• A Code Red attack against a host running a vulnerable version of Windows in your environment
Sourcefire FireSIGHT Technology: FireSIGHT Discovery
With FireSIGHT, IPS events are assigned an impact level
• 0 – host not on monitored networks
• 4 – no entry for the host in the network map
• 3 – host not running the service or protocol that was attacked
• 2 – host is running the service or protocol that was attacked
• 1 – host is running the service or protocol that was attacked and a vulnerability against that service or protocol is mapped to the host
FireSIGHT also lets you fine-tune your IPS policies by recommending rules to protect against the known vulnerabilities in your environment
FireSIGHT Management Center (FMC): Intrusion Events with Impact Levels
FireSIGHT Management Center: Threat Information
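The impact-level rules above are simple enough to implement end to end. The following is an added example, not Cisco or Sourcefire code: it models a network map with host profiles and assigns each intrusion event a level 0 to 4 exactly as the slide lists them, then orders events so the actionable ones (level 1) surface first. The classes, the monitored prefix, the hosts, the services and the vulnerability identifier are all constructed for illustration; the event labelled as a Code Red-style IIS hit mirrors the slide's Linux-versus-vulnerable-Windows comparison.

```python
"""FireSIGHT-style impact-level assignment (added example, not Cisco/Sourcefire code).

Levels, as listed on the slide:
  0 - target host not on a monitored network
  4 - host on a monitored network but no entry in the network map
  3 - host in the map but not running the attacked service/protocol
  2 - host is running the attacked service/protocol
  1 - host runs the service/protocol and the exploited vulnerability is mapped to it
The data model and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Host:
    """One host-profile entry in the network map."""
    ip: str
    os: str
    services: set                              # e.g. {"http/80", "smb/445"}
    vulns: set = field(default_factory=set)    # vulnerability ids mapped to this host


@dataclass
class IntrusionEvent:
    """What an IPS rule hit tells us: target, attacked service, associated vulns."""
    dst_ip: str
    service: str       # service/protocol the rule attacks, e.g. "http/80"
    vuln_ids: set      # vulnerability ids the triggering rule is associated with


class NetworkMap:
    def __init__(self, monitored_networks, hosts):
        self.monitored = [ip_network(n) for n in monitored_networks]
        self.hosts = {h.ip: h for h in hosts}

    def is_monitored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.monitored)

    def impact_level(self, ev):
        """Return 0..4 following the slide's rules; 1 is the most actionable."""
        if not self.is_monitored(ev.dst_ip):
            return 0   # host not on monitored networks
        host = self.hosts.get(ev.dst_ip)
        if host is None:
            return 4   # no entry for the host in the network map
        if ev.service not in host.services:
            return 3   # host not running the attacked service/protocol
        if ev.vuln_ids & host.vulns:
            return 1   # service running and a matching vulnerability is mapped
        return 2       # service running, no matching vulnerability mapped


# Analyst-facing order: 1 first, then 2, 3, 4; unmonitored (0) last.
_RANK = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def triage(netmap, events):
    """Return [(level, dst_ip), ...] sorted by how much the event deserves attention."""
    scored = [(netmap.impact_level(ev), ev.dst_ip) for ev in events]
    return sorted(scored, key=lambda pair: _RANK[pair[0]])


# Constructed sample network map; the vuln id is a placeholder for an IIS hole.
SAMPLE_MAP = NetworkMap(
    monitored_networks=["10.1.0.0/16"],
    hosts=[
        Host("10.1.1.10", "Windows 2000", {"http/80"}, {"VULN-EXAMPLE-IIS-IDA"}),
        Host("10.1.1.20", "Linux", {"http/80", "ssh/22"}),
        Host("10.1.1.30", "Windows 2008", {"smb/445"}),
    ],
)

# The same Code Red-style rule hit against five different targets (constructed).
SAMPLE_EVENTS = [
    IntrusionEvent("10.1.1.10", "http/80", {"VULN-EXAMPLE-IIS-IDA"}),   # vulnerable IIS
    IntrusionEvent("10.1.1.20", "http/80", {"VULN-EXAMPLE-IIS-IDA"}),   # Linux web server
    IntrusionEvent("10.1.1.30", "http/80", {"VULN-EXAMPLE-IIS-IDA"}),   # no web service
    IntrusionEvent("10.1.1.40", "http/80", {"VULN-EXAMPLE-IIS-IDA"}),   # unknown host
    IntrusionEvent("192.168.5.5", "http/80", {"VULN-EXAMPLE-IIS-IDA"}), # unmonitored
]

if __name__ == "__main__":
    for level, ip in triage(SAMPLE_MAP, SAMPLE_EVENTS):
        print(f"impact {level}: {ip}")
```

The ordering function is what turns the scheme into an operational benefit: the Linux host that received the same Code Red payload lands at level 2 rather than 1, so it never outranks the Windows 2000 host whose mapped vulnerability matches the rule.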
Malware Detected & Blocked
Anti-Malware Protection & the Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Network: Contextual Awareness, Control Automation, In-line Threat Detection and Prevention, File Retrospection, File Trajectory
Endpoint: File Retrospection, File Trajectory, Device Trajectory, File Analysis, Indications of Compromise, Outbreak Control, File Execution Blocking
Sourcefire Deployment Options: Appliance, ASA, Virtual
Sourcefire Hardware Appliances (figure: IPS throughput by model, from 50 Mbps to 60 Gbps, across fixed-interface, modular-interface and stackable platforms)
Model / IPS throughput pairs readable from the figure: 8390* 60 Gbps; 8370* 45 Gbps; 8350* 15 Gbps; 7125 1.25 Gbps
AMP optimized appliances: 8150 – 2 Gbps AMP; 7150 – 500 Mbps AMP
Other models shown: 8290, 8270/8360*, 8260, 8250, 8140, 8130, 8120, 7120, 7115, 7110, 7030, 7020, 7010; SSL appliances SSL2000, SSL1500, SSL8200
Appliances & SFR on ASA managed via FireSIGHT Management Center (formerly Defense Center): appliances manage 10, 35 or 150 devices; VM manages 2, 10 or 25 devices
Cisco ASA Product Family - Sourcefire Services Performance Specifications (performance and scalability)
1 RU Platforms (ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X): Branch Office / Internet Edge
• 200 Mbps - 2 Gbps: Firewall
• 100 – 725 Mbps: Next Gen IPS
• 30 - 160 Mbps: NGIPS, AVC, AMP*
2 RU Platforms - 5585 (ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60): Internet Edge / Campus / Data Center
• 2 – 20 Gbps: Firewall
• 1.2 – 6 Gbps: Next Gen IPS
• 650 Mbps – 2.4 Gbps: NGIPS, AVC, AMP
* Performance numbers to be finalized
Security for the Virtual World
Virtual ASA - May 2014 – ver 9.2
• VMware Hypervisor (vSwitch & dvSwitch)
• Term-based licensing (vCPU, not socket)
• 4 CPU & 16 CPU Bundles only – until Dec 14
• 100 user trial version .ova file available
• 10 Interfaces (VMware limitation)
• Up to 200 VLAN sub-interfaces
• 1000 VxLANs – SDN/ACI support
• 1-2 Gbps versions (CPU dependent)
• Hyper-V coming late 2014
Figure: UCS / Virtual Access / Storage; data security (authenticate & access control); port security (authentication, QoS features); Virtual Firewall (real-time monitoring, firewall rules); Virtual IPS; Remote VPN to ASAv
ASAv PERFORMANCE
Data Sheet Metric | 1 vCPU | 2 vCPU | 3 vCPU | 4 vCPU
Stateful Inspection Throughput (Maximum) | 1 Gbps | 1.2 Gbps | 1.5 Gbps | 2 Gbps
Stateful Inspection Throughput (Multi-Protocol) | 500 Mbps | 600 Mbps | 750 Mbps | 1 Gbps
Concurrent Sessions | 100,000 | 250,000 | 350,000 | 500,000
Connections Per Second | 10,000 | 15,000 | 15,000 | 20,000
Packets Per Second (64 Byte) | 450,000 | 500,000 | 600,000 | 700,000
VLANs | 50 | 100 | 100 | 200
Cisco® Cloud Web Security Users | 100 | 250 | 250 | 500
S2S IPSec IKEv1 Client VPN User Sessions | 250 | 250 | 250 | 750
Cisco AnyConnect® or Clientless User Sessions | 250 | 250 | 250 | 750
Cisco Threat Defense System – 5000 Foot View (figure laid out as BEFORE / DURING / AFTER, distinguishing Cisco-only elements from Cisco-and-others elements)
Foundation: Collective Security Intelligence (CSI); Contextual Device, Network and End-Point Visibility; Management Interfaces
Elements shown:
• Classic Stateful Firewall, Gen1 IPS, Application Visibility, Web—URL Controls, AV and Basic Protections
• NGIPS, NGFW, Vulnerability Management, User Identity, Open APP-ID, SNORT Open IPS
• *Client Anti-Malware (AMP), Network Anti-Malware Controls (AMP), NG Sandbox for Evasive Malware, Sandboxing
• Correlated SIEM Eventing, Incident Control System, Behavioral Indications of Compromise, Forensics and Log Management
• Host Trajectory, Retrospective Analysis, Retrospective Detection, Malware File Trajectory, Threat Hunting
• Auto-Remediation / Dynamic Policies, Adaptive Security, Dynamic Outbreak Controls, URL and IP Reputation
• Integrated Threat Defense System (*Agent)
Cisco Security Portfolio
IPS & NGIPS
• Cisco ASA 5500-X IPS
• Sourcefire Next Gen IPS
• Sourcefire Virtual NGIPS
Web Security
• Web Security Appliance (WSA)
• Virtual WSA
• Cisco Cloud Web Security
• CX Web Filtering
Firewall & NGFW
• Cisco ASA 5500-X Series
• Cisco ASA 5585-X
• Sourcefire Appliances
Advanced Malware Protection
• Cloud Based Analytics
• FireAMP Windows
• FireAMP Mobile
• FireAMP Virtual
• AMP Network appliance
Identity Services & Access Control
• Cisco Identity Services Engine (ISE)
• Cisco Access Control Server (ACS)
Email Security
• Email Security Appliance (ESA)
• Virtual ESA
• Cisco Cloud Email Security
UTM
• Meraki MX Series: Firewall, IPS, AVC, Anti-Malware, URL Filtering
VPN
• Cisco AnyConnect VPN
• Site to Site VPN – ASA & Router Based
Threat intelligence: Cisco SIO & Sourcefire VRT
Passive - Device, OS & Application Fingerprinting
Web Filtering/Security Comparisons
WSA, Sourcefire, CWS, Meraki
Cisco Web Security Options
Sourcefire (Physical or Virtual)
• Inline: Next Gen IPS - Multi-port GE/10GE/40GE
• Anti-Malware - Network & Agent based
• Web filtering
• Application control across all ports
• SIO & VRT Threat Intelligence
• Defense Center - Threat Detection Correlation view
• Internet B/W from 50 Mbps - 60 Gbps – High Performance Platform
Meraki
• Inline - Next Gen firewall plus Web filtering
• Anti-Virus, IPS (Snort)
• Cloud Managed
• Application control across all ports
• Traffic Shaping
• Simple Configuration & Monitoring
• CIPA - SafeSearch, YouTube for EDU
• Internet B/W less than 1 Gbps
Cloud Web Security (aka ScanSafe)
• Transparent Re-direct via Router, ASA, WSA, AnyConnect Agent (Win, Mac)
• Port 80/443 – SSL Decrypt
• Anti Malware from Sourcefire & multiple malware scanners
• Granular Filtering using Cisco Web Usage Controls
• Web security for mobile users without the need for VPN
• SIO & VRT Threat Intelligence – Web Reputation
• Dynamic Web Categorization
• CIPA - SafeSearch, YouTube for EDU - per policy
• Internet B/W – no limit
IronPort (Web Security Appliance)
• Transparent Re-direct via WCCP or Browser Proxy
• Port 80/443 - SSL Decrypt
• Anti Malware from Sourcefire plus Sophos & McAfee
• DLP for Web
• Granular URL Filtering (CWUC)
• App Control
• Central Logging or Splunk
• Video/Audio bandwidth throttling – Media Apps
• SIO & VRT Threat Intelligence – Web Rep
• Dynamic Web Categorization & Caching
• CIPA - SafeSearch, YouTube for EDU
• Internet B/W – depends on # of WSAs & requests / sec.
Feature Comparison -- Appliance
Feature | Cisco WSA | Sourcefire
Antimalware | Webroot, Sophos, McAfee & now AMP | Via Blacklist and AMP
Adaptive scanning queue | Yes | No
Zero-day protection / Threat Intelligence | SIO-VRT | VRT-SIO
Botnet protection | L4TM | Botnet & CnC Blacklist
Data loss prevention | On-box data controls / ICAP with third-party DLP vendors | Yes via Snort rule
Reputation filtering | Yes | Yes
URL classification | Pre-defined & custom categories | Yes
Dynamic classification | Yes | No
App visibility & control | Extensive and granular | Extensive
SaaS controls | Yes via SAML | API support
Detailed threat reporting | Extensive | Yes
On-box reporting | Yes | Yes
Off-box reporting | Yes via M-Series | Yes via eStreamer App
Centralized admin | Yes via M-Series | Yes
Deployment methods | WCCP or PAC files | In-line with all traffic
Ports covered | 80, 443 | All
Strong Inbound Web Protection (figure)
• Time of Request: Cisco® SIO, URL Filtering, Reputation Filter
• Time of Response: Dynamic Content Analysis (DCA), Signature-based Anti-Malware Engines, Advanced Malware Protection Cloud
• Verdicts shown at each stage: Block, Allow, Warn, Partial Block
Cisco IronPort Dynamic Vectoring and Streaming (DVS) Engine
Policy Management (figure: Webroot, Sophos and McAfee engines feeding the IronPort DVS engine)
• Deep content inspection - high-performance scanning
• Multiple verdict engines
  • Webroot
  • Sophos
  • McAfee
• Adaptive scanning is a decision engine - decides how long an object can sit on the scanner queue
• If the object times out it is marked as Unscannable; Unscannable objects can be blocked or allowed
• Assigns each transaction a Risk Score based on:
  • Web Reputation Score
  • Content type
  • AV scanners available or licensed
  • AV scanner catch rate for the content type
  • AV scanner scanning cost
NOTE: For a single policy group, you cannot use both Sophos and McAfee
WSA: Malware Detection and Protection
Comprehensive Security Solution - widest signature set available at the gateway (total signature set: over 150,000)
Malware Detection (Layer 4 Traffic Monitor):
• Phone-home Domains
• Phone-home IPs, Subnets, CIDRs
Malware Protection (Web Proxy):
• Phishing URLs & Domains
• Malware URLs & Domains
• Malware User Agents
• Malware Signatures
Explicit Forward Mode vs. Transparent Mode
Explicit Mode
• Client directs traffic to proxy server
• Requires no network infrastructure to redirect client request
• Proxy resolves hostname of target web server
• Authentication is straightforward
• Client config must change (several options available)
Transparent Mode
• Client directs traffic to target web server
• Network infrastructure (such as WCCP) redirects client request to proxy server
• Client resolves hostname of target web server
• Authentication can be problematic
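The two modes differ in what actually arrives on the wire at the proxy, which is why hostname resolution and authentication behave differently. As an added example (not Cisco or WSA code), the block below builds the request a client sends in each mode and shows the proxy-side logic that has to cope with both: an explicit client sends an absolute URI, so the proxy has the origin name and must resolve it itself and can challenge with 407 Proxy Authentication Required; a transparently redirected client sends an origin-form path and has already resolved the name, so the proxy must recover the origin from the Host header (or, failing that, the original destination the redirect preserved) and cannot use 407 at all, because the client does not know it is talking to a proxy. The `redirected_dst` parameter, the hostnames and the TEST-NET address are constructed assumptions; the 401-via-redirect fallback is the general pattern transparent proxies use and is not a statement about any specific product.

```python
"""Explicit vs. transparent proxy request handling (added example, not Cisco/WSA code).

build_request() produces what the client puts on the wire in each mode;
parse_request() is the proxy side, deciding where the origin is, who resolves
the name, and which authentication challenge is usable. All sample values are
constructed for illustration.
"""
from urllib.parse import urlsplit


def build_request(mode, method, url):
    """Return the raw HTTP/1.1 request a client sends for `url` in the given mode."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if mode == "explicit":
        target = url      # absolute-form request-target: the proxy sees the full URL
    elif mode == "transparent":
        target = path     # origin-form: client thinks it is talking to the server
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return f"{method} {target} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"


def parse_request(raw, redirected_dst=None):
    """Proxy side: classify the request and work out the origin it must reach.

    redirected_dst (assumed parameter) is the original destination IP a WCCP-style
    redirect preserved; it is the only fallback when a transparent client omits Host.
    """
    request_line, _, rest = raw.partition("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if target.lower().startswith(("http://", "https://")):
        parts = urlsplit(target)
        return {
            "mode": "explicit",
            "host": parts.hostname,
            "port": parts.port or (443 if parts.scheme == "https" else 80),
            "path": parts.path or "/",
            "resolver": "proxy",        # proxy resolves the origin hostname
            "auth_challenge": 407,      # client is proxy-aware, 407 is meaningful
        }

    host_hdr = headers.get("host")
    if host_hdr:
        host, _, port = host_hdr.partition(":")
    elif redirected_dst:
        host, port = redirected_dst, ""   # only the redirect's original dst is left
    else:
        raise ValueError("transparent request without Host header or redirect destination")
    return {
        "mode": "transparent",
        "host": host,
        "port": int(port) if port else 80,
        "path": target,
        "resolver": "client",       # client already resolved the name before sending
        "auth_challenge": 401,      # 407 is unusable; proxy must redirect the client to a
                                    # proxy-owned name and challenge there (general pattern)
    }


if __name__ == "__main__":
    url = "http://www.example.com/index.html?q=1"
    for mode in ("explicit", "transparent"):
        raw = build_request(mode, "GET", url)
        print(mode, "->", raw.split("\r\n")[0], parse_request(raw))
```

The `resolver` and `auth_challenge` fields are the two bullets from the slide made concrete: in transparent mode the proxy never gets to resolve the name, and it has to stage authentication through a redirect rather than a straightforward 407, which is the root of "authentication can be problematic".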
Positioning CWS Against WSA and ASA NGFW
CWS is best positioned with customers who:
• Have a distributed network with remote branches with internet breakout points and do not want to backhaul internet traffic to main HQ
• Require web protection for roaming users when off network without having to backhaul external traffic via VPN (CWS allows secure split tunnelling)
• Have existing Cisco infrastructure or are considering purchasing/upgrading firewalls and routers for easy integration and redirection to the cloud
• Have already invested or are going to invest in cloud services
• Want a centralized web filtering policy for all users, static or roaming, at all locations, and at all times
• Want a comprehensive insight into web activity through flexible reports, and do not want to install any local infrastructure for reporting capabilities
Full positioning document: http://wwwin.cisco.com/data-shared/stg/pmtool/ASA_CX/ngfw_wsa_ss_positioning.pdf
Cisco Identity Services Engine
Authentication, Authorization, and Accounting
“Who” is connecting, what access rights are assigned to them, and where is it logged?
Cisco Secure Access Architecture with ISE: Identity and Context-Centric Security for Policy Enforcement
Security policy attributes: WHO, WHAT, WHERE, WHEN, HOW; Identity; User and Devices
Centralized Policy Engine: business-relevant policies; dynamic policy & enforcement
Figure: MDM - External Integration; Monitoring and Reporting; Security Policy Enforcement (Access Lists, VLANs, Security Tags)
Identity Services Engine Features
• Centralized Policy Enforcement
• RADIUS Server - AAA
• Secure Group Tagging
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting
Device Control
• Device Registration
• Wireless & Wired Supplicant and Certificate Provisioning
• Mobile Device Management
* Certificate Authority – AD, PKI, ISE 1.3
* Multi AD support
* MDM integration & some functions in ISE
Free ACS 5.x License with order for: ISE Base License (min. 1000 device count) & a Physical ISE Appliance
ISE is a Standards-Based AAA RADIUS Server: an Access Control System Must Support All Connection Methods
ISE Policy Server (managed with Cisco Prime) supports Cisco and 3rd-party solutions via standard RADIUS, 802.1X, EAP, and VPN protocols:
• Wired: RADIUS, 802.1X = EAPoLAN
• Wireless: 802.1X = EAPoLAN
• VPN: SSL / IPsec
• WebAuth & MAC Bypass
Detailed Visibility into System Operations
ISE Session Log – Session Tracking & Searching: disconnect device; search by user / device
Mobile Device Management (MDM): Extending “Posture” Assessment and Remediation to Mobile Devices (BEFORE / DURING / AFTER)
Evolving Roles of ISE and MDMs (as laid out in the figure)
ISE: Classification/Profiling; Enrollment & Registration; Secure Network Access (Wireless, Wired, VPN); Context-Aware Access Control (Role, Location, etc.); Cert + Supplicant Provisioning; Network Policy Enforcement
MDM: App Distribution & Mgmt; Inventory/Cost Management; Data Backup; Policy Compliance (Jailbreak, PIN Lock, etc.); Data Loss Prevention (Container, encryption, wipe); Enterprise App Policy
ISE 1.0 & 1.1 - Native ISE functionality: Profiling, Authentication, Policy Enforcement
ISE 1.1MR (Jul ‘12) - Native ISE functionality: Enrollment/Registration, Self-Enroll Portal, Certificate Enrollment, Blacklisting
ISE 1.2 - ISE API for MDMs: Additional device data, Policy compliance, Data wipe
ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE – non-registered clients redirected to MDM registration page
• Restricted access – non-compliant clients will be given restricted access based on policy
• Endpoint MDM agent – compliance, device applications check
• Device action from ISE – device stolen -> wipe data on client
Figure: supported MDM vendor versions shown as v2.3, v6.2, v5.0, v7.1, v7.0 SP3, v4.1.10, v13.2 Patch 5, v1.0 (MCMS)
Customizable Portal Use Cases
Guest Flow #1: Hotspot
Goal: Get them on the Internet with AUP acceptance no matter who they are and remember who they are next time so you don’t get in their way.
Figure: device 44:6D:77:B4:FD:01 accepts the Acceptable Use Policy (“I promise to be good.” / “I Agree”); when the day ends, the same device 44:6D:77:B4:FD:01 is remembered.
Self Service with SMS
Goal: Get them on the Internet as long as you have a 3rd party identifier that proves who the user is. (SMS steps marked optional.)
Self Service with Email Verification
Fill in a simple form, check your email, connect to Wi-Fi (figure: example username hansolonerfherder).
Sponsored Flow
“Hi! Can I get on your Wi-Fi?” “Sure. I just need a little information.” Print, email & SMS credentials. “Cool!”
TrustSec Enabled Network Segmentation: Campus and Branch Segmentation
Business drivers include PCI for financial data, HIPAA medical data, medical device separation within a VLAN, and access control with Secure Group Access
• Rules defined by business function & roles
• 80% + reduction over manual rules
• Simple to add/remove rules enterprise wide
• Topology-independent
• Scalable
• One policy for wired or wireless
The Next Generation Security Model
Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud. From point-in-time to continuous.
AFTER THE ATTACK: Cross-device information sharing is evolving. Invariably some attacks will be successful, and customers need to be able to determine the scope of the damage, contain the event, remediate, and bring operations back to normal. They also need to address a broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself – on the network, endpoint, mobile devices, virtual environments, including cloud.
Thank you.