
Mobile Devices & BYOD Security – Deployment & Best Practices


Subjects covered include mobile device OS security, the state of malware on mobile devices, data loss prevention, VPN and remote access, 802.1X and certificate deployment, profiling, posture, web security, MDMs and others. For more information please visit our website: http://www.cisco.com/web/CA/index.html

Page 1: Mobile Devices & BYOD Security – Deployment & Best Practices

Mobile Devices and BYOD Security: Deployment and Best Practices

BRKSEC-2045

Sylvain Levesque

Security Consulting Systems Engineer

[email protected]


© 2014 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Agenda

Test bed Used

State of Malware on Mobile Devices

802.1X Network Authentication

Device Profiling with the Identity Services Engine

Digital Certificates Usage and Provisioning Methods

Remote Access VPN

Web Security

Recommendations and Conclusion


Test bed Used

A number of tests were conducted for this session to document the behavior of mobile devices with different Cisco security solutions.

A group of devices under test was used to represent the major mobile platforms on the market today. Recent releases of operating systems were used and therefore the behavior documented in this presentation might vary with older OS releases.

Devices under test:

• Toshiba AT300 tablet: Android ICS 4.0.3
• Samsung Galaxy Tab2: Android JB 4.1+
• Samsung Galaxy S2/SS: Android JB 4.1.2
• Nexus/Google: Android 4.4+ (KitKat)
• RIM/Blackberry Bold 9900: BlackBerry OS 7.1.0
• RIM/Blackberry Z10: BlackBerry 10.0.10+
• Microsoft Surface: Windows 8 RT+
• Apple iPad3 tablet: iOS 6.1.2+

*ICS=Ice Cream Sandwich *JB=Jelly Bean

Infrastructure: Anyconnect 3.x, ASA 9.1(4), WSA 7.5(0)-833, ISE 1.2, Airwatch cloud-based MDM 6.3.1.2, Microsoft Certificate Services on Windows 2008 R2 Enterprise

State of Malware on Mobile Devices

Mobile Devices Market

Android currently dominates the mobile OS market, followed by iOS.

While iOS devices are mostly on current releases, a large percentage of Android devices still use outdated releases that could be subject to known security vulnerabilities.

[Charts: iOS version distribution and Android version distribution. Sources: IDC, developer.android.com]


State of Malware

Interesting statistics on malware, exploits and mobile devices can be found in this report:

• Malware on Android up 2,577%
• 99% of mobile malware targets Android
• Encounters with web malware: Android 70%, Apple iOS 22%
• Malware on mobile devices: 1.2% of all web malware found (up from 0.42%)
• Most exploits rely on Java, which has sparse support on mobile devices

The Cisco 2014 Annual Security Report describes the evolution of exploits and malware and is a great reference for any IT or security professional:

http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html


Other Interesting Facts and Conclusions

25%+ of malware on mobile devices comes from porn sites…

• Phishing: still a major malware infection vector, as with PCs
• Users click on a link in an email that has them install an app from an untrusted application store

Typical exploits on Android:

• subscription to premium SMS services
• botnet infection and remote control
• banking information theft

2012 -> first Android botnet in the wild
2013 -> large Android botnets observed in China (1 million+ devices)

The use of non-managed mobile devices could expose your organization to infection or data theft (Android or others).


Cisco Annual Security Report: “The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not “root” or “jailbreak” their devices, and only install applications from official and trusted distribution channels”

Secure Access with 802.1X, Remote Access VPN and Web Security

Network-Based Authentication using 802.1X - Review

802.1X is used to authenticate a user or a device to the network.

3 main components are involved in an 802.1X authentication:

- Supplicant: Provides identity information to the network. Supplicant software is embedded in all modern operating systems. Ex: Apple iOS, Android, Windows 8, etc.
- Authenticator: Device that controls access to the network, participates in the initial EAP (Extensible Authentication Protocol) exchange and acts as a relay between the Supplicant and the Authentication Server. Ex: Switch, Wireless Controller
- Authentication Server: RADIUS server that validates the identity information provided and sends authorization attributes such as a VLAN, Access-List, Session timeout or URL for redirection. The identity can optionally be validated against an external Identity Store. Ex: ISE, ACS

[Diagram: Supplicant <- EAP/WPA2 -> Authenticator <- EAP over RADIUS -> Authentication Server (RADIUS). The EAP session itself runs end to end between the Supplicant and the Authentication Server; the Authenticator only relays it.]


802.1X Identity Information Types

Different types for different mobility use cases:

1. Username/Password Combination
- User authentication (also Machine Auth for Windows)
- Active Directory/LDAP/RADIUS ID Stores
- EAP types: PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST

2. Two-Factor Authentication
- Something you know, something you have, something you are
- Mostly for user authentication
- RSA SecurID and other token-based ID systems
- EAP types: PEAP-GTC, EAP-FAST/EAP-GTC

3. Digital Certificates
- Signed/issued by a public or private Certificate Authority
- Can be used for user and/or device authentication
- Microsoft AD Certificate Services, Entrust, Verisign, etc.
- EAP types: EAP-TLS, EAP-FAST

Glossary: EAP = Extensible Authentication Protocol; PEAP = Protected EAP; GTC = Generic Token Card; FAST = Flexible Authentication via Secure Tunneling; TLS = Transport Layer Security


Device & User Authentication/Authorization

[Diagram: two-phase versus one-phase authentication with the native supplicant]

2 PHASES POSSIBLE (same EAP type with the native supplicant):
1. Machine AuthC: PEAP-MSCHAPv2* or EAP-TLS, identity host/MTLLAB-W500
2. User AuthC: PEAP-MSCHAPv2 or EAP-TLS, identity CISCO\slevesqu
Phase 1 + phase 2 together allow a Hybrid AuthZ (machine and user).

1 PHASE ONLY:
- User AuthC with PEAP-MSCHAPv2, identity slevesqu -> User AuthZ
- EAP-TLS with a certificate carrying CN=slevesqu and SAN=00:21:6A:AB:0C:8E -> User AuthZ, Hybrid AuthZ or Device AuthZ, depending on which certificate attributes the policy matches

*Windows RT/Phone cannot join Active Directory and cannot use PEAP-MSCHAPv2 for Machine Authentication

AuthC=Authentication, AuthZ=Authorization, CN=Common Name, SAN=Subject Alternative Name


2-Factor Authentication Workaround with 802.1X and Central Web Authentication

1. 802.1X EAP-TLS authentication with a certificate (Factor 1: the device certificate)
2. Central Web Authentication on ISE with the user's AD account (Factor 2: the employee's user credentials)

[Diagram: the device authenticates to ISE with EAP-TLS, ISE redirects the user to the Central Web Authentication portal, and the user enters AD credentials]


Common 802.1X EAP Types and Compatibility

EAP Type      | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7/10 | ACS 5.x | ISE 1.x | AD  | LDAP
EAP-TLS       | Yes                  | Yes    | Yes       | Yes     | Yes    | Yes     | Yes     | Yes | Yes
PEAP-MSCHAPv2 | Yes                  | Yes    | Yes       | Yes     | Yes    | Yes     | Yes     | Yes | No
PEAP-EAP-GTC  | No (1)               | No     | Yes       | Yes     | Yes    | Yes     | Yes     | Yes | Yes
EAP-FAST      | No (1)               | No     | Yes (2)   | No (3)  | Yes    | Yes     | Yes     | Yes | No

1. Supported through 3rd-party supplicants such as Anyconnect NAM
2. Configuration required through the Apple Configuration Utility or an MDM
3. No native support. Supported through Cisco Compatible Extensions (CCX) with specific mobile device manufacturers. More information: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

No native support for token-based systems such as RSA SecurID

BRKSEC-2691: Identity Based Networking: IEEE 802.1X and beyond (more on 802.1X)


802.1X Configuration: PEAP-MSCHAPv2 User Authentication Example

[Screenshots: numbered step-by-step supplicant configuration on the test devices, starting with a touch-hold on the SSID]

Device Profiling with the Identity Services Engine

ISE Profiler Review

The ISE Profiler service uses a number of probes to capture the traffic generated by an endpoint device. It then extracts information from this traffic and compares patterns with profiling rules that are either pre-defined or custom-built to match an endpoint type and a profile. An Authorization rule can then use this information to assign network access privileges based on the device profile (iPhone/iPad vs Android vs Blackberry vs Windows).

Probe   | Data Provided
RADIUS  | OUI, MAC Address
DHCP    | DHCP attributes, hostname
DNS     | FQDN, hostname
HTTP    | User-Agent
NMAP    | OS fingerprint
NETFLOW | TCP/UDP ports used
SNMP    | MIB strings

[Callout in the original: "Probes currently used to profile mobile devices", marking a subset of the rows above]

BRKSEC-3698: Advanced ISE and Secure Access Deployment (more on Profiling)

Example of Profiling Rules for iPad

[Screenshot: ISE profiling policy rules for the Apple-iPad profile]


Analyzing HTTP User Agents

Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19

Reading the string left to right:
- "Mozilla/5.0": compatibility with Mozilla's rendering engine
- "Android 4.0.3": OS and version
- "AT300": device model
- "AppleWebKit/535.19": HTML layout engine
- "Chrome/18.0.1025.166 Safari/535.19": browser and extensions


Sample HTTP User Agents

Apple iPad:
Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53

Windows RT:
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)

Android Samsung Tab2 tablet:
Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30

Android LG Google Nexus 5 smartphone:
Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36

Blackberry Z10 smartphone:
Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+

View your own user-agent at: http://whatsmyuseragent.com
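As an added example (not code from the slides or from ISE), the following Python extracts platform, OS version and model from the User-Agent strings shown above, the same fields the ISE HTTP probe feeds into its profiling rules, and flags devices running below a minimum release. The `MINIMUM_OS` floors are hypothetical policy values chosen for the demo. Keep in mind that the User-Agent is entirely client-controlled and trivially spoofed: it is a profiling and inventory signal to be combined with RADIUS OUI and DHCP data, not an authentication factor.

```python
import re
from typing import NamedTuple, Optional, Tuple


class Fingerprint(NamedTuple):
    platform: str              # "iOS", "Android", "Windows RT", "BlackBerry 10", ...
    os_version: Optional[str]  # dotted release string, or None if the UA has none
    model: Optional[str]       # device model when the UA carries one


# Ordered (platform, regex) rules; the first match wins, so the specific
# Windows RT pattern (ARM token) is listed before the generic Windows one.
_RULES = [
    ("iOS", re.compile(
        r"\((iPad|iPhone|iPod);[^)]*?CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")),
    ("BlackBerry 10", re.compile(r"\(BB10;[^)]*\).*?Version/(\d+(?:\.\d+)*)")),
    ("Android", re.compile(
        r"\(Linux;[^)]*?Android (\d+(?:\.\d+)*);"
        r"(?: [A-Za-z]{2}-[A-Za-z]{2};)? ([^;)]+?) Build/")),
    ("Windows RT", re.compile(r"Windows NT (\d+\.\d+); ARM")),
    ("Windows", re.compile(r"Windows NT (\d+\.\d+)")),
]


def fingerprint(user_agent: str) -> Fingerprint:
    """Extract platform, OS version and model the way an HTTP probe would."""
    for platform, pattern in _RULES:
        m = pattern.search(user_agent)
        if not m:
            continue
        if platform == "iOS":
            # iOS writes the release with underscores: "7_0_4" -> "7.0.4"
            return Fingerprint("iOS", m.group(2).replace("_", "."), m.group(1))
        if platform == "Android":
            return Fingerprint("Android", m.group(1), m.group(2).strip())
        # BlackBerry 10 and Windows UAs carry a version but no device model
        return Fingerprint(platform, m.group(1), None)
    return Fingerprint("unknown", None, None)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison of dotted releases: "4.10" > "4.4", unlike a string compare."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


# Minimum releases treated as current. Hypothetical policy values for the demo,
# not an ISE setting.
MINIMUM_OS = {"Android": "4.4", "iOS": "7.0", "BlackBerry 10": "10.2"}


def is_outdated(fp: Fingerprint) -> bool:
    """True when MINIMUM_OS has a floor for the platform and the UA reports an older release."""
    floor = MINIMUM_OS.get(fp.platform)
    if floor is None or fp.os_version is None:
        return False
    return version_tuple(fp.os_version) < version_tuple(floor)


# User-Agent strings as captured on the test-bed devices in the slides above.
SAMPLE_UAS = {
    "toshiba_at300": "Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19",
    "ipad": "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53",
    "windows_rt": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)",
    "galaxy_tab2": "Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30",
    "nexus5": "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36",
    "bb_z10": "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+",
}


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        fp = fingerprint(ua)
        print(f"{name:14} {fp.platform:14} {fp.os_version or '-':12} "
              f"{fp.model or '-':10} outdated={is_outdated(fp)}")
```

Running it lists the six test-bed devices with their parsed fields; the AT300 and Galaxy Tab2 come out as outdated against the 4.4 Android floor, which is the inventory view the "Mobile Devices Market" slide argues for.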

Viewing Endpoint Profiling Data

[Screenshots: profiling data as shown in the ISE endpoint details]

Digital Certificates Usage and Provisioning Methods

Certificates, Trust and 802.1X

Public Key Infrastructure (PKI) relies on the concept of trusted Certification Authorities (CAs). A list of public CAs on the Internet is embedded in the certificate store as Trusted Roots on every device.

Many organizations deploy a private enterprise Certification Authority, which gives them better control and scalability. The Root Certificate and certification chain of this private CA has to be provisioned on corporate devices in order for them to trust it.

Non-corporate mobile devices will not trust by default the certificates issued by a private CA, and the 802.1X behavior of mobile devices in this scenario varies:

– Apple iOS: User notification -> users might refuse to install the certificate and call the help desk
– Android: Will accept non-trusted certificates by default without warning!
– Windows RT/8: User notification -> users might refuse it as well
– Blackberry 7: No notification -> Access rejected
– Blackberry 10: Will accept non-trusted certificates by default without warning!

Windows RT/8 and BB 7: Validation of the server certificate can be disabled for PEAP/EAP-TLS. This is useful for lab testing or proof-of-concept, but not recommended for production: a supplicant that does not validate the RADIUS server certificate cannot tell the corporate authentication server from a rogue one impersonating the SSID, which is the same exposure the silent-accept behavior of Android and Blackberry 10 creates. In production, use certificates from public CAs to avoid end-user issues, and where the platform allows it, pin the expected CA in the Wi-Fi profile.


Certificates Installation and Enrollment

Root and user/device certificates from a private (non-trusted) CA can be created and provisioned on mobile devices using a number of methods, manual or automated:

• Copy it to the device. Ex: Corporate mobile devices
• Push computer or user certificates through Group Policy Objects (GPOs) for Windows corporate devices
• The administrator creates the certificate and emails it to the user or the device. Ex: BYOD personal device
• Certificate Server web portal (administrator or user)

Certificate creation and provisioning can be automated with the Simple Certificate Enrollment Protocol (SCEP). A few options are available:
– SCEP from the mobile device itself (support varies by mobile platform)
– SCEP with the Anyconnect VPN client
– SCEP Proxy with the Anyconnect VPN client and the ASA
– Identity Services Engine (ISE) with the Onboarding service for 802.1X
– SCEP with Mobile Device Management solutions


Certificate Enrollment using SCEP and VPN

SCEP with Anyconnect (Anyconnect profile: SCEP Host = myCA.bn-lab.local). The client sends the SCEP request to the CA through the IPSec/SSL tunnel:
• Initiated by the user
• No certificate renewal
• Needs direct access to the CA
• Requires Anyconnect 2.4+

SCEP Proxy with Anyconnect and the ASA. The client sends the SCEP request through the IPSec/SSL tunnel to the ASA, which forwards it to the CA: 1. the ASA performs policy enforcement; 2. the ASA inserts the machine device-id from posture.
• Controlled by the head-end (ASA)
• Pre-enrollment policy enforcement
• Device-ID for authorization
• Automatic certificate renewal
• Only the ASA communicates with the CA
• Requires Anyconnect 3.0+


Onboarding with ISE on Wired/WLAN

[Diagram: personal asset (Mary) -> Access Point -> Wireless LAN Controller -> ISE, with AD/LDAP and the CA behind ISE; SSID: BYOD-Secure]

1. Mary connects to the secure SSID and authenticates with User Name = Mary, Password = *******
2. ISE redirects her to the Self-Provisioning Portal
3. Register Device, Provision Certificate, Configure Supplicant
4. Mary reconnects to the secure SSID, now using the certificate

N.B.: A dual-SSID option can also be used, where a 2nd, Open SSID is used for the onboarding process


ISE Authorization Using Certificate Attributes

[Screenshot: ISE authorization policy for onboarded BYOD devices]

• Registered Devices: indicates the device went through the BYOD onboarding process
• Network Access only allows EAP-TLS authentication with a certificate
• The RADIUS attribute Calling-Station-ID contains the MAC address of the device, which is compared against the SAN in the certificate
• The AD username is read from the Subject Name and sent to AD, where its attributes are retrieved for authorization
• Different permissions assigned (VLAN, ACLs, etc.)
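To make the rule above concrete, here is an added Python model of the same decision (illustration only, not ISE code or configuration from the slides). The registered-device set, AD group table and authorization profile names are constructed for the demo. One detail it handles that the slide glosses over: the NAS encodes Calling-Station-Id differently (hyphenated, colon-separated or Cisco dotted), so the MAC must be normalised before it is compared with the SAN.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to lower-case colon form. RADIUS Calling-Station-Id
    is encoded differently by different NAS types: '00-21-6A-AB-0C-8E'
    (hyphenated, common on wireless controllers), '0021.6aab.0c8e' (Cisco
    dotted) or '00:21:6A:AB:0C:8E'. Comparing the raw strings would miss matches."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Request:
    """The subset of a RADIUS Access-Request this policy looks at."""
    eap_method: str                   # "EAP-TLS", "PEAP-MSCHAPv2", ...
    calling_station_id: str           # MAC as formatted by the NAS
    cert_subject_cn: Optional[str]    # CN of the client certificate, if any
    cert_san: List[str] = field(default_factory=list)   # SAN values, as strings


@dataclass
class Decision:
    access: str     # "ACCEPT" or "REJECT"
    profile: str    # authorization profile name (VLAN/ACL bundle)
    reason: str


# Constructed stand-ins for the ISE registered-endpoint store and the AD group
# lookup; a real deployment reads these from ISE and Active Directory.
REGISTERED_DEVICES = {"00:21:6a:ab:0c:8e", "00:11:22:33:44:55"}
AD_GROUPS = {"slevesqu": ["Employees", "Engineering"]}
GROUP_PROFILES = [("Engineering", "BYOD-Engineering"), ("Employees", "BYOD-Employee")]


def authorize(req: Request) -> Decision:
    # 1. Only certificate-based authentication reaches the BYOD rules.
    if req.eap_method != "EAP-TLS" or not req.cert_subject_cn:
        return Decision("REJECT", "DenyAccess", "BYOD policy requires EAP-TLS with a certificate")

    mac = normalize_mac(req.calling_station_id)

    # 2. The endpoint must have gone through onboarding.
    if mac not in REGISTERED_DEVICES:
        return Decision("REJECT", "DenyAccess", f"{mac} is not a registered device")

    # 3. The MAC the NAS saw must be the MAC embedded in the certificate SAN.
    #    This catches a certificate and key copied to a second device. A MAC can
    #    itself be spoofed, so it is a weak binding that stops casual copying,
    #    not an attacker who also clones the MAC.
    san_macs = set()
    for value in req.cert_san:
        try:
            san_macs.add(normalize_mac(value))
        except ValueError:
            pass   # SAN entries that are not MACs (email, DNS names) are ignored here
    if mac not in san_macs:
        return Decision("REJECT", "DenyAccess",
                        f"Calling-Station-Id {mac} does not match certificate SAN {req.cert_san}")

    # 4. Username comes from the certificate Subject; permissions from AD groups.
    groups = AD_GROUPS.get(req.cert_subject_cn, [])
    for group, profile in GROUP_PROFILES:   # first matching rule wins, as in ISE
        if group in groups:
            return Decision("ACCEPT", profile, f"{req.cert_subject_cn} is in {group}")
    return Decision("ACCEPT", "BYOD-Restricted", f"{req.cert_subject_cn} has no mapped AD group")


if __name__ == "__main__":
    good = Request("EAP-TLS", "00-21-6A-AB-0C-8E", "slevesqu", ["00:21:6A:AB:0C:8E"])
    print(authorize(good))
    moved = Request("EAP-TLS", "0011.2233.4455", "slevesqu", ["00:21:6A:AB:0C:8E"])
    print(authorize(moved))
```

The second request in the usage block is the interesting one: a registered device presenting a certificate whose SAN names a different MAC is rejected at step 3 even though the user and certificate are otherwise valid.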


Certificates Installation Summary

Method              | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7 | BB10
Email               | Yes                  | Yes    | Yes       | No (1)  | Yes | No
Copy to device      | Yes                  | Yes    | Yes (2)   | Yes     | Yes | Yes
Web (CA server)     | Yes                  | Yes    | Yes       | Yes     | Yes | No
Anyconnect SCEP     | Yes                  | No     | Yes       | Yes     | No  | No
SCEP Proxy          | Yes                  | No     | Yes       | Yes     | No  | No
ISE Onboarding (3)  | Yes                  | No     | Yes       | Yes     | No  | No

1. Cannot be installed from email directly, but can be saved and installed from storage
2. Via the iPhone Configuration Utility or an MDM
3. More details on supported platforms: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321


Certificate Management

[Screenshots: numbered steps for viewing and removing installed certificates on the test devices, starting with a swipe-in]

Remote Access VPN

ASA Remote Access VPN Options Review

• Clientless SSL: basic Web, Email and CIFS access; customized user screen
• Thin-Client SSL: plugins (SSH, VNC, Telnet, RDP, Citrix); Smart Tunnels
• Client-Based SSL or IPSec: AnyConnect


Citrix Mobile Receiver Support

ASA release 9.0 introduces support for the Citrix Mobile Receiver application directly in clientless SSL VPN, for most desktop OSes and for Apple iOS and Android. This allows the ASA to communicate directly with XenApp 6.5 or XenDesktop 5.5/5.6.

[Diagram: user device connected using the Citrix Online Plug-ins -> Internet -> firewall -> Cisco ASA acting as the Access Gateway -> Web Interface installed behind the Access Gateway -> firewall -> server farm]


Websockets HTML5 Access

ASA release 9.1(4) introduces support for Websockets and an HTML5 proxy.

This enables a “fully clientless” solution that works the same way across different OSes, using any browser that supports HTML5 – no more dependencies on Java and ActiveX!

It uses 3rd-party Websockets gateways that convert HTML5 to a client protocol such as RDP/VNC/etc.

The HTML5 resource is a simple bookmark accessed on the ASA clientless Web Portal.

[Diagram: mobile device with an HTML5 browser -(SSL)-> Internet -> ASA -(SSL)-> Websockets Gateway -(RDP, VNC, CIFS, etc.)-> Application Server, the last two in the intranet data center]


Mobile Devices VPN Support Summary

Method                               | Win 8 Pro/Enterprise | Win RT/Phone | Apple iOS | Android  | BB7/10
Anyconnect – SSL transport           | Yes                  | No (1)       | Yes       | Yes      | No (1)
Anyconnect – IPSec/IKEv2             | Yes                  | No (1)       | Yes       | Yes      | No (1)
Websockets – HTML5                   | Yes                  | Yes          | Yes       | Yes      | Yes
Native VPN support                   | Yes                  | Yes          | Yes       | Yes      | No
Clientless/Smart Tunnels/Plugins     | Yes                  | No           | No        | No       | No
Clientless – Mobile Citrix Receiver  | No                   | No           | Yes (v4+) | Yes (v2+)| No

1. RIM/BB and Microsoft do not allow the development of Anyconnect (or other VPN clients) on BBOS and Windows RT/Phone

• For more detailed information on device/OS support, please consult the ASA Supported VPN Platforms document:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp177602

• For more information on features supported by Anyconnect on Android and Apple iOS, please consult their respective release notes:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-android.html
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html#wp1148532


Corporate vs BYOD

How can I apply different access policies to a corporate device and a personal BYOD device?
How can I prevent a personal BYOD device from connecting to my network?

2 methods can be used to match device-specific identity information that allows a differentiation of policies:

1. Use of certificates for authentication and authorization: certificate attributes can be defined for use cases like Corporate and BYOD. These attributes can be matched to different authorization policies on the ASA and in ISE.

2. With posture: the posture service on the ASA (for VPN) and in ISE can gather information on the device, including the device type, OS type, processes/services running, Windows registry information, file information and certificate information.
– If a corporate device is, for example, always a Windows PC domain member, the posture service could look for a specific piece of information such as the registry entry defining the AD domain, something a mobile device would not have
– If no mobile devices are to be allowed to connect, the posture service could use rules that deny access to all mobile device types


Mobile Posture with Anyconnect

ASA release 8.2(5) introduced the ability to pass posture endpoint attributes from Anyconnect to ASA Dynamic Access Policies (DAP). This can be used to control VPN connections from mobile endpoints and assign them specific access policies.

Posture is also used with SCEP proxy in ASA 9.0 to embed a unique device identity in certificate enrollment requests.

The mobile endpoint attributes include:

‒ Version of the Anyconnect client (e.g. “3.0.x”)
‒ Client platform (“apple-ios”, “android”, etc.)
‒ Client OS version (e.g. “5.0”)
‒ Type of device (varies per client platform, but can be used to differentiate an iPad from an iPhone)
‒ Device UniqueID (varies per client platform: the device UDID for iOS, an opaque hash of IMEI/MEID/ESN or MAC+AndroidID for Android)
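The two Corporate-vs-BYOD methods described above (certificate attributes, then posture) can be seen working together in the following added Python model. It is an illustration written for this page, not ASA code or its configuration syntax: certificate-map rules mirror the ASA's `eq`/`co` operators on subject and issuer DN attributes and select a connection profile, and DAP records are evaluated against the `endpoint.anyconnect.*` attributes listed above. The map, tunnel-group, ACL and DAP record names are hypothetical. The one subtlety worth noticing is the OS version check: releases must be compared numerically, since a string compare would rank "4.10" below "4.4".

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn 'CN=slevesqu,OU=Corporate,O=Example' into {'CN': ..., 'OU': ..., 'O': ...}.
    Escaped commas and multi-valued RDNs are not handled; enough for this demo."""
    out: Dict[str, str] = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            out[attr.strip().upper()] = value.strip()
    return out


# Certificate-map rules in the spirit of the ASA's certificate map:
# (field, attribute, operator, value); every rule of a map must hold.
# 'eq' = equals, 'co' = contains. Map and tunnel-group names are hypothetical.
CertRule = Tuple[str, str, str, str]
CERT_MAPS: List[Tuple[str, List[CertRule], str]] = [
    ("CORP-MAP", [("subject", "OU", "eq", "Corporate"),
                  ("issuer", "CN", "eq", "Corp Issuing CA")], "CORP-TG"),
    ("BYOD-MAP", [("subject", "OU", "eq", "BYOD"),
                  ("issuer", "CN", "eq", "Corp Issuing CA")], "BYOD-TG"),
]


def match_cert_map(subject_dn: str, issuer_dn: str) -> str:
    """Return the connection profile of the first map whose rules all match."""
    fields = {"subject": parse_dn(subject_dn), "issuer": parse_dn(issuer_dn)}
    for _name, rules, profile in CERT_MAPS:
        for field, attr, op, value in rules:
            actual = fields[field].get(attr, "").lower()
            if op == "eq" and actual != value.lower():
                break
            if op == "co" and value.lower() not in actual:
                break
        else:
            return profile
    return "DefaultRAGroup"   # nothing matched: fall back to the default profile


@dataclass
class Endpoint:
    """endpoint.anyconnect.* attributes reported by the mobile client."""
    platform: str          # "apple-ios", "android", ...
    platformversion: str   # OS release, e.g. "7.0.4"
    devicetype: str        # "iPad", "iPhone", "Nexus 5", ...
    deviceuniqueid: str    # UDID or opaque hash; opaque to this policy


def vtuple(version: str) -> Tuple[int, ...]:
    """Numeric release comparison: '4.10' sorts after '4.4', unlike a string compare."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


# DAP records as (name, selection predicate, action). "terminate" ends the
# session; any other action is the network ACL that record applies.
DAP_RECORDS: List[Tuple[str, Callable[[Endpoint], bool], str]] = [
    ("Deny-Old-Android",
     lambda e: e.platform == "android" and vtuple(e.platformversion) < vtuple("4.4"),
     "terminate"),
    ("Mobile-Tablet",
     lambda e: e.platform == "apple-ios" and e.devicetype == "iPad",
     "ACL-MOBILE-TABLET"),
    ("Mobile-Any", lambda e: e.platform in ("apple-ios", "android"), "ACL-MOBILE"),
]


def evaluate_dap(e: Endpoint) -> Tuple[str, List[str]]:
    """Aggregate every matching record, as the ASA does: a terminate action in any
    matching record wins; otherwise the ACLs of all matching records apply."""
    matched = [(name, action) for name, pred, action in DAP_RECORDS if pred(e)]
    if any(action == "terminate" for _, action in matched):
        return "terminate", [name for name, action in matched if action == "terminate"]
    acls = [action for _, action in matched]
    return "continue", acls or ["DfltAccessPolicy"]


def vpn_decision(subject_dn: str, issuer_dn: str, e: Endpoint) -> Tuple[str, str, List[str]]:
    """Connection profile from the certificate first, then access from posture."""
    profile = match_cert_map(subject_dn, issuer_dn)
    verdict, detail = evaluate_dap(e)
    return profile, verdict, detail


if __name__ == "__main__":
    ipad = Endpoint("apple-ios", "7.0.4", "iPad", "udid-constructed")
    print(vpn_decision("CN=slevesqu,OU=BYOD,O=Example", "CN=Corp Issuing CA,O=Example", ipad))
    old = Endpoint("android", "4.1.2", "SM-T210R", "hash-constructed")
    print(vpn_decision("CN=slevesqu,OU=BYOD,O=Example", "CN=Corp Issuing CA,O=Example", old))
```

With the constructed inputs, the iPad lands in the BYOD profile with the tablet and general mobile ACLs, while the Android 4.1.2 tablet is terminated by the first record, which is the "deny all mobile devices below a release" case the previous slide describes.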

Mobile Posture Configuration

[Screenshots: ASA DAP configuration; choose Anyconnect as the Endpoint Attribute Type, then select an Access Policy for the DAP defined]


Mobile VPN Authorization with Certificates

• Certificate maps can be used on the ASA to match DN values from the received certificate and map the connection to a Connection Profile.
• Can be used with IPSec VPN and SSL VPN
• Can be used with the Local CA feature on the ASA or with certificates generated by a 3rd-party CA
• The following values from the certificate can be used for mapping:
  1. Alt-subject-name
  2. Subject-name
  3. Issuer-name
  4. Extended Key Usage (EKU) extensions

BRKSEC-2053: Practical PKI for VPN (more on certificates for VPN)

ASA Certificate Matching Configuration for VPN

[Screenshot: ASDM certificate-to-connection-profile map configuration]


Licensing on the ASA

AnyConnect Essentials enables the use of Anyconnect for a full-tunnel VPN with SSL or IPSec IKEv2. One license is required per ASA.

Anyconnect Premium activates advanced features such as the Clientless Portal, Smart Tunnels, Plugins, Posture and Mobile Posture. One license per concurrent user is required.

Anyconnect Essentials and Premium are mutually exclusive on an ASA.

The Anyconnect Mobile license is required on top of the Anyconnect Essentials or Anyconnect Premium license for mobile devices to establish a VPN tunnel with the ASA!! One license is required per ASA.

For ASA releases 8.2 and below, 2 licenses per failover pair are required. Starting from ASA release 8.3, only one license is required per failover pair.

Recommendation: Always include the Anyconnect Mobile License when purchasing a new ASA for VPN.

Web Security

Web Security Gateway - Deployment Methods

Web Security Gateways such as the Cisco Web Security Appliance (WSA) provide a number of security services at an organization's perimeter, such as URL Filtering, Web Reputation Filtering, Anti-Malware Filtering, Granular Application Control, Data Loss Prevention and others.

These gateways typically do not sit inline with the traffic, and therefore web user traffic must be redirected to them.

3 methods can be used for this redirection:

‒ Explicit Forward Mode: A proxy server entry is configured in the web browser, either manually or automatically through a PAC file located with the Web Proxy Auto-Discovery protocol (WPAD), to send its traffic to the Web Security Gateway
‒ Transparent Mode: The Web Cache Communication Protocol (WCCP) is used between the Web Security Gateway and a network or security device to redirect user traffic to the Web Security Gateway
‒ Load-Balancers: For larger deployments. A load-balancer redirects the user traffic to the Web Security Gateway farms


Web Security Gateway – User Authentication

Organizations typically require users to authenticate to an enterprise directory such as Active Directory before accessing Internet resources, to allow enforcement of Acceptable Use Policies per role and to provide auditing for reporting and compliance purposes.

3 methods can be used to authenticate users:

‒ Basic Browser Authentication: The user is prompted to enter their credentials, which can be sent to Active Directory/LDAP for authentication. Credentials can be cached by the browser so the user is not prompted again. The user's AD/LDAP attributes are also fetched for authorization and mapping to Access Policies. Appropriate for BYOD, guests or consultants. Note that Basic authentication only base64-encodes the credentials, so the browser-to-gateway path should be protected.
‒ NTLMSSP Browser Authentication: The user's Windows login credentials are obtained transparently from the browser using an NTLM challenge-response exchange and sent to Active Directory for authentication. The user's AD attributes are also fetched for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
‒ Passive Identification: The Web Gateway uses the user's IP address and sends a request to the Active Directory/Novell Directory Server, which maintains the mapping of usernames to IP addresses seen when users log in. The Web Gateway then fetches the user's AD/LDAP attributes for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.


Proxy and Authentication Methods Support

Feature                | Win 8 Pro/Enterprise | Win RT  | Apple iOS | Android | BB7    | BB10
Proxy Configuration    | Yes                  | Yes     | Yes       | Yes     | No (1) | Yes
PAC-WPAD               | Yes                  | Yes     | Yes       | No      | No     | Yes
PAC-GPO                | Yes                  | No      | No        | No      | No     | No
PAC-MDM (3)            | Yes                  | No      | Yes       | No      | No     | No
Basic Authentication   | Yes                  | Yes     | Yes       | Yes     | Yes    | Yes
NTLMSSP                | Yes                  | Yes (2) | Yes (2)   | Yes (2) | No     | Yes (2)
Passive Identification | Yes                  | No      | No        | No      | No     | No

1. No support in the native browser on Wi-Fi. Supported with the Opera mini-browser and 3rd-party applications (not tested)
2. No Single Sign-On
3. Using the Airwatch MDM. Other MDMs may have different capabilities

BRKSEC-3771: Advanced Web Security Deployment with WSA and ASA-CX (more on WSA)

Recommendations and Conclusion

Deployment Recommendations

• Security policies relative to the use of personal devices in the corporate environment should be created before a BYOD deployment
• Business unit owners should be involved to define the requirements and use cases that will drive the architecture of the solution for mobile devices
• User education and awareness is key! A BYOD deployment should include training and guidelines for users on how to use their personal mobile device, to lower the risk of having the device compromised and exploited
• A private Certification Authority should be considered for deployments requiring differentiation of access privileges between corporate and personal mobile devices
• Profiling and VPN posture can be used to differentiate mobile devices from laptops/desktops and are great tools for device identification and inventory
• A Virtual Desktop Infrastructure (VDI) architecture can help reduce the risk of data leakage and improve the user experience


Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
