Cisco IDENTITY. SERVICES. ENGINE GORAN PETEH ENTERPRISE SYSTEMS ENGINEER

Transcription

1 Cisco IDENTITY. SERVICES. ENGINE GORAN PETEH ENTERPRISE SYSTEMS ENGINEER

2 the challenge 67,000+ and Counting As of June 1 st 2013, that's how many BYOD devices employees are Cisco Apple iphones: 33,138 Apple ipads: 16,197+ Apple Mac computers: 32,936 Windows computers: 83,800 Linux users: 7,378 Android phones: 12,005 Blackberry phones: 4,806 Other phones: 859

3 identity services engine What is ISE? It s NOT this ISE is a POLICY control platform allowing administrators to enforce compliance, enhance security, and simplify operations.

4 identity services engine SIMPLIFIED ARCHITECTURE Provides Authentication & Authorization Services. ACS Cisco ISE NAC Guest integrates previously disparate platforms into NAC Profiler NAC Manager Provides Guest Workflow Services. Provides Device Identification Services. ISE a single unified platform allowing for a more simplified architecture. As a result organizations are able to more easily introduce Comprehensive network access control into their environments while minimizing user impact. Provides Management Services. NAC Server Provides Enforcement Services.

5 identity services engine ENTERPRISE POLICY CONTROL Who What Where When How Security Context / Criteria Cisco ISE Framework Business-Relevant Policies Integrate Existing Network Infrastructure Wired Wireless VPN Ed Office Persona l ipad Joins Wireless Policy = Internet Only Internet Access

6 identity services engine That looks cool I m ready to buy now BUT before I do I want to understand a little more about how it works and what I need.

7 identity services engine AAA SERVICES Cisco ISE provides Radius Authentication & Authorization services for your network. IEEE 802.1X Provides Authentication for all 802.1X enables clients. MAC Authentication Bypass (MAB) Provides Authentication for trusted clients that do not support 802.1X by using it s MAC Address. Centralized Web Authentication For all other devices which fail 802.1X and are not known to ISE they can be redirected to a web portal for authentication.

8 identity services engine LINK ENCRYPTION Cisco MACSec provides data confidentiality by encrypting each packet using symmetric key cryptography. Hop-by-Hop encryption allows specific traffic to be secured while still allowing network policies such as QoS, deep packet inspection and NetFlow be enforced. IT User IT Server Financial Auditor Data Confidentiality/Integrity Zone Financial Server Encrypted Traffic Un-Encrypted Traffic

9 identity services engine GUEST LIFECYCLE Multiple Workflows Available Sponsor/Lobby Ambassador Self Registration Flexible Policies Allow different time profiles Allow some devices to bypass AUP Streamlined Solution Allows same user experience for Wired or Wireless Centralized Reporting Up to 25,000 Guest Accounts stored separate from AD

10 identity services engine DEVICE ONBOARDING ecure & Customizable captive portal Self-Registration for any device Remediate Actions Limit the number of personal devices Trusted Wi-Fi Onboarding Ready Authenticate user Fingerprint device Apply corporate configuration Enterprise applications Automatic policies

11 identity services engine PROFILING & FEEDER SERVICE Active Scanning ISE is able to passively and actively collect device data to determine what it is. Integrated Scanning Cisco Wireless Controllers & Switches offer integrated device profiling * Device Feeder Service In addition to the integrated pre-bui profiles the feeder service allows fo new content to be dynamically adde Internet Feed Server Database Cisco Partner Feeder Service

12 identity services engine SECURE GROUP ACCESS Secure Group Tags are a powerful way to zone and segment a dynamic network without having to re-architect your entire network. Datacenter Office : Clients are DHCP enabled User User User HR Server Firewall /24 HR User Call Center User Call HR Center User User IP Address SGT Firewall SGT 36 No to Rule SGT for 112 SGT : Permit 45 https HR Server IP Address SGT

13 identity services engine POSTURE ASSESSMENT Compliant Windows Patches Current? Part of our Corporate Domain? AV Software Installed? AV Software Up To Date? Non-Compliant Windows Patches Current? Part of our Corporate Domain? AV Software Installed? AV Software Up To Date? ISE can isolate non-compliant host and attempt automatic remediation of issues. Dynamically Updated Posture Content

14 identity services engine MDM INTEGRATION MDM Vendors ISE Authorization Policy Device registration status Device compliance status Disk encryption status Pin lock status Jailbreak status Manufacturer Model Afaria IMEI Serial number Cisco Mobile Collaboration Management Service OS version Phone number

15 Cisco ISE ISE sounds great on paper but HOW do I even attempt to consume it.

16 implementation strategy Crawl Walk Run Crawl: Walk: Run: In After Start this successfully phase with One you or truly completing Two tighten use cases down the Crawl but phase plan security with focus controls the end solving providing mind. newer auditable These challenges use and cases or use often predictable cases start with that experiences had BYOD dependencies and no your matter wireless such the scenario. as a Enterprise network Companies but CA may don t deployment. elect have to to. implement Post- Admission or Posture Assessment controls at this point.

17 implementation strategy CRAWL EXAMPLE In this phase we want to provide differentiated access based solely on who the user is and if they are in particular AD group. When users associate to the wireless network they will automatically be provisioned access based on the table below. full network access access to vdi filtered internet Guest Contractor Employee

18 implementation strategy WALK EXAMPLE In this phase build upon the Crawl phase adding in the ability to Profile devices and/or use Certificates for determining if a device is Trusted or not. The result is being able to distinguish between personally owned employee devices and corporate provided ones. full network access better performance access to vdi filtered internet Guest Contractor Employee BYOD Employee Trusted

19 implementation strategy RUN EXAMPLE In the Run phase we look to implement stronger security controls in the network examining characteristics such as device health. Now administrators would be able to isolate systems that become compromised, fail to meet your corporate standards, and remediate them. full network access better performance access to vdi filtered internet Guest Contractor Employee BYOD Employee Trusted not Healthy Employee Trusted Healthy

20 implementation strategy RUN EXAMPLE Where you stop is up to you ISE is simply the framework. it resources ance resources hr resources shared network performance access to vdi filtered internet Guest IT Contractor Employee Employee Employee HR Employee Contractor BYOD Trusted Trusted Trusted not Healthy IT Employee Trusted

21 Cisco ISE Okay, so now it sounds kind of AWESOME. But, how do I control what people have access to?

22 enforcement options VLAN ASSIGNMENT internet intranet vdi private VLAN10 internet intranet vdi VLAN20 Sarah HR User wireless controller (CORP) internet VLAN30 Sarah joins her corporate ipad personal which iphone laptop is managed to CORP by wireless the corporate SSID. MDM Because product of to the the ISE CORP Authorization wireless Policy SSID. she s Based placed on the on ISE VLAN10. VLAN30. Authorization This particular Policy she s VLAN placed has access on VLAN20. to all the corporate internet This particular only. resources VLAN including has access HR only to most components. corporate resources.

23 enforcement options ACL S internet intranet Jacob Finance User wireless controller (CORP) Named ACL: Empl-Full Empl-Part Guest vdi private Jacob joins his corporate personal iphone ipad laptop to to the the CORP wireless network. His His connection is dynamically provisioned with guest Empl-Part Empl-Full ACL ACL allowing allowing access full access access to the to to the Corporate specific internet only network. corporate and no corporate resources. resources.

24 enforcement options SECURE GROUP TAG (SGT) internet intranet Austin Contractor wireless controller (CORP) IP Address SGT vdi private Austin joins his corporate laptop test ipad to the to the CORP CORP wireless network. His His connection is dynamically provisioned with an SGT of 60 which results in is it getting dynamically access provisioned only to the with internal an SGT application of 50 which he s can developing. be enforced at various points throughout the network.

25 THANK. YOU