Stefan Dürnberger. Consulting Systems Engineer Cisco Deutschland. sduernbe@cisco.com. Co-Author Bitkom Leitfaden BYOD

Transcription

1 Stefan Dürnberger Consulting Systems Engineer Cisco Deutschland sduernbe@cisco.com CCIE Security #16458 Co-Author Bitkom Leitfaden BYOD Cisco and/or its affiliates. All rights reserved. 1

2 Majority of new network devices will have no wired port Users are starting to bring in / use more than one device Mobile device speeds are increasing every few years Users will change devices more frequently than in the past Users want to be always connected to work, family, and friends Users want access to all their applications - anywhere, anytime, and with any device Guest access with accountability has become a business requirement 2012 Cisco and/or its affiliates. All rights reserved. 2

3 OLD SCHOOL Enterprise provided mobile devices Work is a place you go to limited off campus access IT visibility and control into user devices and applications EMPLOYEE NEW SCHOOL Anywhere, anytime, any device usage Work is a function globally dispersed, mixed device ownership Change in IT control and management paradigm granularity beyond device IT 2012 Cisco and/or its affiliates. All rights reserved. 3

4 2012 Cisco and/or its affiliates. All rights reserved. 4

5 Basic Guest Mobility Basic Contractor BYOD Advanced Employee BYOD BYOD Wireless Account sponsorship Acceptable use agreement Internet access only Rate & Time limited Identity based accountability and access logging BYOD Wired & Wireless Account sponsorship Acceptable use agreement Internet access and restricted corporate access Data Loss Prevention Identity based accountability and access logging BYOD Wired & Wireless User Directory VPN access VDI / VXI access Voice, Video, Data Unrestricted corporate access Data Loss Prevention Mobile Device Management Identity based accountability and access logging 2012 Cisco and/or its affiliates. All rights reserved. 5

6 User (Who) Device (What) Access (Which) Location (Where) Time (When) Policy Guest Personal Device Wireless Conference Rooms M S 8 am 6 pm Captive Portal DMZ Guest Tunnel Guest VLAN Contractor Contractor Device Wired Contractor cubicles Anytime Contractor VLAN Personal Device Wireless No HR or Finance spaces M S 8 am -6 pm Contractor ACL Employee Corporate Device Wired Anywhere Anywhere Employee VLAN Personal Device Wireless Anywhere Anywhere Employee ACL VPN Anywhere IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy 2012 Cisco and/or its affiliates. All rights reserved. 6

7 I only want to allow the right users and devices on my network Authentication Services Identity Services Engine I want user and devices to receive appropriate network services Authorization Services I want to allow guests into the network and control their behavior Guest Lifecycle Management I need to allow/deny ipads in my network (BYOD) Profiling Services Simplified Policy Management I want to ensure that devices on my network are clean Posture Services Secure Groups Access 2012 Cisco and/or its affiliates. All rights reserved. 7

8 Compliance Operations Network Team Security Operations Endpoint Team Application Team Human Resources 2012 Cisco and/or its affiliates. All rights reserved. 8

9 Next Generation Workspace Policy Management Unified Infrastructure Security 2012 Cisco and/or its affiliates. All rights reserved. 10

10 FW Router Wireless Wired ISE NCS Prime Connectivity Layer VPN External Wi- Fi Internal Wi-Fi Wired Smartphones Tablets Thin/VirtualClients Desktop/Notebooks Devices Layer 2012 Cisco and/or its affiliates. All rights reserved. 11

11 AnyConnect ScanSafe ESA/WSA ISE NCS Prime FW Router Wireless Wired ISE NCS Prime Connectivity Layer VPN External Wi- Fi Internal Wi-Fi Wired Smartphones Tablets Thin/VirtualClients Desktop/Notebooks Devices Layer 2012 Cisco and/or its affiliates. All rights reserved. 12

12 Webex Jabber Quad VXI... ISE NCS Prime AnyConnect ScanSafe ESA/WSA ISE NCS Prime FW Router Wireless Wired ISE NCS Prime Connectivity Layer VPN External Wi- Fi Internal Wi-Fi Wired Smartphones Tablets Thin/VirtualClients Desktop/Notebooks Devices Layer 2012 Cisco and/or its affiliates. All rights reserved. 13

13 Provision Manage Notify Report Create Guest Accounts in the Sponsor Portal Create Sponsor Policy Manage sponsor groups Customize Portals Notify Guest using different method Print SMS Report on all aspects of Guest Accounts 2012 Cisco and/or its affiliates. All rights reserved. 14

14 Multiple ways to notify Guest with their credentials and other access info 1. Print the details 2. Send via 3. Send via SMS 2012 Cisco and/or its affiliates. All rights reserved. 15

15 ISE Database Guest DB Created by sponsors (bulk option) Guest self service Restricted access duration External DB LDAP / AD Managed externally Enabled/ disabled 2012 Cisco and/or its affiliates. All rights reserved. 16

16 MachineAuth Approach Start Here yes Corp Asset? Access-Accept no Access-Reject Only corporate devices may access my network, period. Use EAP-TLS with ADissued non-exportable machine certificates. That is our BYOD Policy. Not too common anymore Cisco and/or its affiliates. All rights reserved. 17 1

17 2012 Cisco and/or its affiliates. All rights reserved VDx Approach Start Here Corp Asset? yes no Limited Access to VDI farm only Only corporate devices may access my Corporate Network. Others should get RDP/ICA to a VDI farm. Could use Profiling to determine Corp Asset. Could use Certs or Machine- Auth w/ PEAP-MSChapv2 Access-Accept

18 Even more complicated Start Here Employee No Registered GUEST No Yes Yes Access-Reject i-device Yes Registered Device No No Yes Access-Accept Internet Only 2012 Cisco and/or its affiliates. All rights reserved. 19

19 Best Practice Today ISE 1.2 ISE Device Access Control MDM Mobile Devices Security Control ISE and MDM Enforced Mobile Device Compliance Device Profiling BYOD On-boarding Device Access Control Posture Device Compliance Mobile Application Management Securing Data at Rest Forces on-boarding to MDM with personal devices used for work Register but restrict access for personal devices not managed by MDM Quarantine non-compliant devices based on MDM policy MDM cannot see non-registered devices to enforce device security but the network can! Version: 6.2 Version: 7.1 Version: 2.3 Version: Cisco and/or its affiliates. All rights reserved. 20

20 NETWORK ENABLEMENT (ISE) Classification/ Profiling Secure Network Access (Wireless, Wired, VPN) Mobile + PC AUP User <-> Device Ownership Context-Aware Access Control (Role, Location, etc.) Registration Cert + Supplicant Provisioning Inventory Management DEVICE MANAGEMENT (MDM) Enterprise Software Distribution Policy Compliance (Jailbreak, Pin Lock, etc.) Management (Backup, Remote Wipe, etc.) Secure Data Containers User Managed Device Network-Based IT Control User/IT Co-Managed Device Device and Network-Based IT Control 2012 Cisco and/or its affiliates. All rights reserved. 21

21 With the API, we can query on: General Compliant or! Compliant (Macro level) -or- Disk encryption is on Pin lock Jail broken 2012 Cisco and/or its affiliates. All rights reserved. 22

22 Ability for administrator and user in ISE to issue remote actions on the device through the MDM server (eg: remote wiping the device) MyDevices Portal Endpoints Directory in ISE Edit Reinstate Lost? Delete Full Wipe Corporate Wipe PIN Lock 2012 Cisco and/or its affiliates. All rights reserved. 23

23 Responsible for issuing, validating, renewing, revoking and logging certificates Establishes and verifies the identities of certificate requestors Configures the usage and content of certificates (templates) and issues certificates to users, computers, and services 2012 Cisco and/or its affiliates. All rights reserved. 24 2

24 1. User/Identity Certificates A certificate that contains a user based attribute Usually in the CN or UPN field 2. Device Certificates A certificate that contains a device specific attribute 3. Hybrid (User plus Device) Certificates Allow for network access of specifically authorized devices used by specifically authorized users Cisco and/or its affiliates. All rights reserved. 25 2

25 EAP-TLS uses certificates for authentication to wireless Wired 802.1x uses certificates for authentication and device authorization Network Admission Control (NAC) can use certificates as part of a device security posture check 2012 Cisco and/or its affiliates. All rights reserved. 26 2

26 Active Directory Certificate Services Built into Windows Server OS (Save$) Windows Server 2008 R2 Enterprise is recommended Automatic Certificate Enrollment!!! AD Group Policy cert push to domain computers Fully Active Directory Integrated SCEP support for easy deployment to mobile / non-ad 2012 Cisco and/or its affiliates. All rights reserved. 27 2

27 Identify your user profiles Build security policies MDM, Certs & Policy Engine as Cisco ISE 2012 Cisco and/or its affiliates. All rights reserved. 28 2

28 Thank You 2012 Cisco and/or its affiliates. All rights reserved. 29

29 Registered? ISE BYOD Registration Internet Only MDM Register ISE Portal Link to MDM onboarding MDM Compliant ISE Portal for MDM non-compliance Access-Accept 2012 Cisco and/or its affiliates. All rights reserved. 30