Cisco Identity Services Engine. Goran Peteh, Enterprise Systems Engineer


Cisco Identity Services Engine. Goran Peteh, Enterprise Systems Engineer, GOPETEH@CISCO.COM

the challenge: 67,000+ AND COUNTING
As of June 1st 2013, that's how many BYOD devices employees are using @ Cisco:
- Apple iPhones: 33,138
- Apple iPads: 16,197+
- Apple Mac computers: 32,936
- Windows computers: 83,800
- Linux users: 7,378
- Android phones: 12,005
- Blackberry phones: 4,806
- Other phones: 859

identity services engine: WHAT IS ISE?
ISE is a POLICY control platform allowing administrators to enforce compliance, enhance security, and simplify operations.

identity services engine: SIMPLIFIED ARCHITECTURE
Cisco ISE integrates previously disparate platforms into a single unified platform, allowing for a more simplified architecture:
- ACS: provides Authentication & Authorization services.
- NAC Guest: provides Guest Workflow services.
- NAC Profiler: provides Device Identification services.
- NAC Manager: provides Management services.
- NAC Server: provides Enforcement services.
As a result organizations are able to more easily introduce comprehensive network access control into their environments while minimizing user impact.

identity services engine: ENTERPRISE POLICY CONTROL
- Security Context / Criteria: Who, What, Where, When, How
- Cisco ISE Framework: Business-Relevant Policies
- Integrate Existing Network Infrastructure: Wired, Wireless, VPN
Example: Ed (Office) joins his personal iPad to the wireless network; Policy = Internet Only; result: Internet Access.

identity services engine: That looks cool, I'm ready to buy now. BUT before I do, I want to understand a little more about how it works and what I need.

identity services engine: AAA SERVICES
Cisco ISE provides RADIUS Authentication & Authorization services for your network.
- IEEE 802.1X: provides authentication for all 802.1X-enabled clients.
- MAC Authentication Bypass (MAB): provides authentication for trusted clients that do not support 802.1X by using their MAC address.
- Centralized Web Authentication: all other devices which fail 802.1X and are not known to ISE can be redirected to a web portal for authentication.
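The order of the three methods above (802.1X first, MAB for known endpoints without a supplicant, web authentication for everything else) is easy to state but has a detail worth seeing in code: MAB only ever sees a MAC address, and that address arrives in different notations from different network devices. The following Python is an added example, not Cisco ISE code; the `Endpoint` record, the `KNOWN_MAB_ENDPOINTS` store and the sample MAC addresses are constructed for illustration.

```python
"""Model of the RADIUS authentication order the AAA SERVICES slide describes:
802.1X for supplicant-capable clients, MAC Authentication Bypass (MAB) for
known endpoints without a supplicant, Centralized Web Authentication (CWA) for
everything else. Added example, not Cisco ISE code; the endpoint store and the
sample endpoints are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool                      # client can do EAP over 802.1X
    credential_valid: Optional[bool] = None   # outcome of the EAP exchange


# Constructed stand-in for ISE's known-endpoint database used by MAB.
# MAB identifies a device by its MAC address alone, which any host can present,
# so endpoints authorized this way should receive a narrow access profile.
KNOWN_MAB_ENDPOINTS: Dict[str, str] = {
    "00:1b:63:aa:bb:cc": "printer",
    "00:1e:8c:11:22:33": "ip-phone",
}


def normalise_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form. Switches, controllers and RADIUS
    attributes report MACs in several notations (AA-BB-..., aabb.ccdd.eeff);
    a lookup on the raw string would silently miss a known endpoint."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def select_auth_method(ep: Endpoint) -> dict:
    """Return which method handled the endpoint and with what result."""
    if ep.has_supplicant:
        # 802.1X: the identity comes from the user or machine credential.
        if ep.credential_valid:
            return {"method": "802.1X", "result": "accept", "identity": "eap-credential"}
        return {"method": "802.1X", "result": "reject", "identity": None}
    mac = normalise_mac(ep.mac)
    if mac in KNOWN_MAB_ENDPOINTS:
        return {"method": "MAB", "result": "accept", "identity": KNOWN_MAB_ENDPOINTS[mac]}
    # Not 802.1X-capable and not known to the endpoint store: web portal.
    return {"method": "CWA", "result": "redirect", "identity": None}


if __name__ == "__main__":
    for ep in (Endpoint("001B.63AA.BBCC", False),
               Endpoint("aa:bb:cc:dd:ee:ff", False),
               Endpoint("aa:bb:cc:dd:ee:01", True, True)):
        print(ep.mac, "->", select_auth_method(ep))
```

The normalisation step is the practical point: a printer stored as `00:1b:63:aa:bb:cc` but reported by a switch as `001B.63AA.BBCC` would otherwise fall through to the web portal, which looks like a portal problem rather than the lookup bug it is.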

identity services engine: LINK ENCRYPTION
Cisco MACsec provides data confidentiality by encrypting each packet using symmetric key cryptography. Hop-by-hop encryption allows specific traffic to be secured while still allowing network policies such as QoS, deep packet inspection and NetFlow to be enforced.
[Figure: IT User and IT Server, Financial Auditor and Financial Server inside a Data Confidentiality/Integrity Zone; encrypted traffic shown alongside un-encrypted traffic.]

identity services engine: GUEST LIFECYCLE
- Multiple Workflows Available: Sponsor/Lobby Ambassador; Self Registration
- Flexible Policies: allow different time profiles; allow some devices to bypass AUP
- Streamlined Solution: allows the same user experience for Wired or Wireless
- Centralized Reporting
- Up to 25,000 Guest Accounts stored separate from AD

identity services engine: DEVICE ONBOARDING
- Secure & customizable captive portal
- Self-Registration for any device
- Remediate actions
- Limit the number of personal devices
Trusted Wi-Fi Onboarding Ready: authenticate user, fingerprint device, apply corporate configuration, enterprise applications, automatic policies.

identity services engine: PROFILING & FEEDER SERVICE
- Active Scanning: ISE is able to passively and actively collect device data to determine what it is.
- Integrated Scanning: Cisco Wireless Controllers & Switches offer integrated device profiling.
- Device Feeder Service: in addition to the integrated pre-built profiles, the feeder service allows for new content to be dynamically added.
[Figure: Internet Feed Server and Database; Cisco Partner Feeder Service.]
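The slide says ISE collects device data passively and actively and matches it against pre-built profiles. The Python below is an added example of that idea, not Cisco ISE's profiler or feed content: attributes such as the MAC OUI, DHCP host name or vendor class and the HTTP User-Agent are scored against weighted rules, and a profile is assigned only when enough independent evidence agrees. The OUI table, profile names, weights, threshold and sample endpoints are all constructed.

```python
"""Rule-based device profiler in the spirit of the PROFILING slide: attributes
gathered passively (MAC OUI, DHCP host name and vendor class, HTTP User-Agent)
are scored against weighted rules and the best profile above a threshold wins.
Added example; the OUI table, profiles, weights and sample endpoints are
constructed and are not Cisco ISE profiling policies or feed content."""
import re
from typing import Dict, List, Tuple

# Constructed OUI table: first three octets -> vendor.
OUI_VENDORS: Dict[str, str] = {
    "3c:22:fb": "Apple",
    "00:50:56": "VMware",
}

# profile name -> list of (attribute, regex, weight)
PROFILES: Dict[str, List[Tuple[str, str, int]]] = {
    "Apple-iPad": [
        ("oui_vendor", r"^Apple$", 10),
        ("dhcp_hostname", r"iPad", 20),
        ("user_agent", r"iPad", 20),
    ],
    "Apple-iPhone": [
        ("oui_vendor", r"^Apple$", 10),
        ("dhcp_hostname", r"iPhone", 20),
        ("user_agent", r"iPhone", 20),
    ],
    "Windows-Workstation": [
        ("dhcp_class_id", r"^MSFT 5\.0$", 20),
        ("user_agent", r"Windows NT", 20),
    ],
}
# A profile needs this much evidence before it is assigned. Kept above the
# weight of any single attribute so that, for example, a MAC address alone
# never decides: every attribute here is supplied by the endpoint itself.
MIN_SCORE = 30


def oui_vendor(mac: str) -> str:
    """Vendor for the first three octets, accepting aa:bb:cc or aa-bb-cc input."""
    return OUI_VENDORS.get(mac.lower().replace("-", ":")[:8], "unknown")


def score_profile(rules: List[Tuple[str, str, int]], attrs: Dict[str, str]) -> int:
    return sum(weight for attr, pattern, weight in rules
               if attr in attrs and re.search(pattern, attrs[attr]))


def profile_endpoint(attrs: Dict[str, str]) -> Tuple[str, int]:
    """Return (profile, score); ("Unknown", 0) when no profile reaches MIN_SCORE."""
    enriched = dict(attrs)
    enriched["oui_vendor"] = oui_vendor(attrs.get("mac", ""))
    best = ("Unknown", 0)
    for name, rules in PROFILES.items():
        score = score_profile(rules, enriched)
        if score >= MIN_SCORE and score > best[1]:
            best = (name, score)
    return best


if __name__ == "__main__":
    # Constructed sample: what a wireless controller and DHCP/HTTP probes might report.
    sample = {"mac": "3C:22:FB:01:02:03", "dhcp_hostname": "Sarahs-iPad",
              "user_agent": "Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)"}
    print(profile_endpoint(sample))
```

Because every input is reported by the endpoint, a profile is evidence about what a device probably is, not an authentication of it; that is why the authorization tables later in the deck pair profiling with certificates before treating a device as trusted.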

identity services engine: SECURE GROUP ACCESS
Secure Group Tags are a powerful way to zone and segment a dynamic network without having to re-architect your entire network.
[Figure: Office (clients are DHCP enabled, 10.1.10.0/24) and Datacenter, separated by a firewall.]
- HR User: IP address 10.1.10.10, SGT 36
- Call Center User: IP address 10.1.10.22, SGT 45
- HR Server: IP address 10.100.1.72, SGT 112
- Firewall rule: SGT 36 to SGT 112: Permit https
- No rule for SGT 45

identity services engine: POSTURE ASSESSMENT
Checks that decide Compliant vs. Non-Compliant:
- Windows Patches Current?
- Part of our Corporate Domain?
- AV Software Installed?
- AV Software Up To Date?
ISE can isolate non-compliant hosts and attempt automatic remediation of issues. Dynamically updated posture content.

identity services engine: MDM INTEGRATION
MDM vendors such as Afaria and the Cisco Mobile Collaboration Management Service provide device attributes that the ISE Authorization Policy can use:
- Device registration status
- Device compliance status
- Disk encryption status
- Pin lock status
- Jailbreak status
- Manufacturer
- Model
- IMEI
- Serial number
- OS version
- Phone number

Cisco ISE: ISE sounds great on paper, but HOW do I even attempt to consume it?

implementation strategy: CRAWL, WALK, RUN
Crawl: Start with one or two use cases but plan with the end in mind. These use cases often start with BYOD and your wireless network, but don't have to.
Walk: After successfully completing the Crawl phase, focus on solving newer challenges or use cases that had dependencies, such as an Enterprise CA deployment.
Run: In this phase you truly tighten down security controls, providing auditable and predictable experiences no matter the scenario. Companies may elect to implement Post-Admission or Posture Assessment controls at this point.

implementation strategy: CRAWL EXAMPLE
In this phase we want to provide differentiated access based solely on who the user is and whether they are in a particular AD group. When users associate to the wireless network they will automatically be provisioned access based on the table below.
[Table: each identity group (Guest, Contractor, Employee) is mapped to one of the access levels full network access, access to VDI, filtered internet.]

implementation strategy: WALK EXAMPLE
In this phase we build upon the Crawl phase, adding the ability to profile devices and/or use certificates for determining if a device is trusted or not. The result is being able to distinguish between personally owned employee devices and corporate provided ones.
[Table: access levels full network access, better performance, access to VDI, filtered internet; identity groups Guest, Contractor, Employee BYOD, Employee Trusted.]

implementation strategy: RUN EXAMPLE
In the Run phase we look to implement stronger security controls in the network, examining characteristics such as device health. Now administrators would be able to isolate systems that become compromised or fail to meet your corporate standards, and remediate them.
[Table: access levels full network access, better performance, access to VDI, filtered internet; identity groups Guest, Contractor, Employee BYOD, Employee Trusted not Healthy, Employee Trusted Healthy.]

implementation strategy: RUN EXAMPLE
Where you stop is up to you; ISE is simply the framework.
[Table: access levels IT resources, finance resources, HR resources, shared network, performance, access to VDI, filtered internet; identity groups Guest, IT Contractor, Contractor, Employee BYOD, Employee Trusted, Employee Trusted not Healthy, HR Employee Trusted, IT Employee Trusted.]
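The Crawl, Walk and Run tables are the same authorization policy growing one input at a time: identity group first, then device trust, then device health from the posture checks on the POSTURE ASSESSMENT slide. The Python below is an added example that works the three phases and the four posture checks through as a first-match rule set; it is not Cisco ISE configuration. The AD group names, profile names, VLAN/ACL/SGT values and the seven-day definition-age threshold are constructed.

```python
"""Worked model of the Crawl/Walk/Run authorization tables together with the
checks from the POSTURE ASSESSMENT slide: a first-match rule set over identity
group, device trust and posture returns an authorization profile. Added example,
not Cisco ISE configuration; group names, profile names, VLAN/ACL/SGT values and
the definition-age threshold are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Posture:
    patches_current: bool
    domain_member: bool
    av_installed: bool
    av_definitions_date: Optional[date] = None   # None when no AV is present


def posture_failures(p: Posture, today: date, max_def_age_days: int = 7) -> List[str]:
    """The four slide checks; the returned list doubles as the remediation to-do."""
    failed = []
    if not p.patches_current:
        failed.append("install-windows-patches")
    if not p.domain_member:
        failed.append("join-corporate-domain")
    if not p.av_installed:
        failed.append("install-av")
    elif p.av_definitions_date is None or (today - p.av_definitions_date).days > max_def_age_days:
        failed.append("update-av-definitions")
    return failed


def posture_compliant(p: Posture, today: date) -> bool:
    return not posture_failures(p, today)


@dataclass
class Session:
    ad_groups: Set[str]
    device_trusted: bool = False          # corporate certificate / profile (Walk onward)
    posture: Optional[Posture] = None     # assessed only in the Run phase


# Authorization profiles: what the network is told to enforce (constructed values).
PROFILES: Dict[str, Dict[str, object]] = {
    "full-access":   {"vlan": 10, "dacl": "Empl-Full", "sgt": 50},
    "byod-limited":  {"vlan": 20, "dacl": "Empl-Part", "sgt": None},
    "vdi-only":      {"vlan": 20, "dacl": "Contractor-VDI", "sgt": None},
    "quarantine":    {"vlan": 99, "dacl": "Remediation-Only", "sgt": None},
    "internet-only": {"vlan": 30, "dacl": "Guest", "sgt": None},
}


def authorize(s: Session, phase: str, today: date) -> str:
    """First matching rule wins; the last line is the default."""
    employee = "Employees" in s.ad_groups
    contractor = "Contractors" in s.ad_groups
    if phase == "run" and employee and s.device_trusted:
        # Trusted device, but health decides: isolate and remediate if it fails.
        if s.posture is None or not posture_compliant(s.posture, today):
            return "quarantine"
        return "full-access"
    if phase in ("walk", "run") and employee:
        return "full-access" if s.device_trusted else "byod-limited"
    if phase == "crawl" and employee:
        return "full-access"          # Crawl: identity only, device not considered
    if contractor:
        return "vdi-only"
    return "internet-only"            # Guests and anything unmatched


if __name__ == "__main__":
    today = date(2013, 6, 1)
    byod = Session({"Employees"})     # employee on a personal, unprofiled device
    for phase in ("crawl", "walk", "run"):
        print(phase, "->", authorize(byod, phase, today))
```

Running the same employee session through all three phases shows the point of the tables: the personal device gets full access under Crawl and only the limited profile once device trust is evaluated, and a trusted device with stale antivirus definitions ends up in quarantine rather than on the full-access VLAN. Rule order matters; the trusted-but-unhealthy rule has to sit above the generic employee rule or it never fires.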

Cisco ISE: Okay, so now it sounds kind of AWESOME. But how do I control what people have access to?

enforcement options: VLAN ASSIGNMENT
Sarah, HR User, on the wireless controller (CORP):
- VLAN10 (internet, intranet, VDI, email, private): Sarah joins her corporate laptop to the CORP wireless SSID. Because of the ISE Authorization Policy she's placed on VLAN10. This particular VLAN has access to all the corporate resources including HR components.
- VLAN20 (internet, intranet, VDI, email): Sarah joins her iPad, which is managed by the corporate MDM product, to the CORP wireless SSID. Based on the ISE Authorization Policy she's placed on VLAN20. This particular VLAN has access to most corporate resources.
- VLAN30 (internet): Sarah joins her personal iPhone to the CORP wireless SSID. Based on the ISE Authorization Policy she's placed on VLAN30. This particular VLAN has access to the internet only.

enforcement options: ACLs
Jacob, Finance User, on the wireless controller (CORP). Named ACLs: Empl-Full, Empl-Part, Guest. Resources: internet, intranet, VDI, email, private.
- Jacob joins his corporate laptop to the CORP wireless network. His connection is dynamically provisioned with the Empl-Full ACL, allowing full access to the corporate network.
- Jacob joins his iPad to the CORP wireless network. His connection is dynamically provisioned with the Empl-Part ACL, allowing access to specific corporate resources.
- Jacob joins his personal iPhone to the CORP wireless network. His connection is dynamically provisioned with the Guest ACL, allowing access to the internet only and no corporate resources.

enforcement options: SECURE GROUP TAG (SGT)
Austin, Contractor, on the wireless controller (CORP). Resources: internet, intranet, VDI, email, private.
- IP address 10.1.220.27: SGT 50
- IP address 10.1.220.29: SGT 60
- Austin joins his corporate laptop to the CORP wireless network. His connection is dynamically provisioned with an SGT of 50, which can be enforced at various points throughout the network.
- Austin joins his test iPad to the CORP wireless network. His connection is dynamically provisioned with an SGT of 60, which results in it getting access only to the internal application he's developing.
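Both the SECURE GROUP ACCESS slide and this enforcement option rest on the same two-step mechanism: a binding table classifies each IP address to a tag, and an enforcement point looks up the (source tag, destination tag) cell of a policy matrix instead of matching on addresses. The Python below is an added example of that model, not Cisco TrustSec code. The tag numbers and the "SGT 36 to SGT 112: permit https" rule are taken from the slides; the pairing of Austin's devices with the two addresses, the application server with tag 200 and the remaining matrix cells are constructed.

```python
"""Secure Group Tag enforcement model covering the SECURE GROUP ACCESS slide and
the SGT enforcement option: IP addresses are classified to tags through a
binding table, and the (source SGT, destination SGT) cell of a policy matrix
decides the flow. Added example, not Cisco TrustSec code; the tag numbers and
the 36 -> 112 "permit https" rule come from the slides, the remaining bindings,
matrix cells and the application-server tag 200 are constructed."""
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0   # traffic whose source or destination has no binding

# IP -> SGT bindings (dynamic for users/devices, static for servers).
SGT_BINDINGS: Dict[str, int] = {
    "10.1.10.10": 36,     # HR user
    "10.1.10.22": 45,     # Call Center user
    "10.100.1.72": 112,   # HR server
    "10.1.220.27": 50,    # Austin's corporate laptop (constructed pairing)
    "10.1.220.29": 60,    # Austin's test iPad (constructed pairing)
    "10.100.2.10": 200,   # internal application under development (constructed)
}

# (src SGT, dst SGT) -> permitted (protocol, destination port) pairs.
# A missing cell means the default action; an empty list is an explicit deny.
SGACL_MATRIX: Dict[Tuple[int, int], List[Tuple[str, Optional[int]]]] = {
    (36, 112): [("tcp", 443)],                 # from the slide: HR user -> HR server, https
    (60, 200): [("tcp", 8080)],                # test iPad -> its application only
    (50, 200): [("tcp", 443), ("tcp", 8080)],  # corporate laptop -> application
}
DEFAULT_ACTION = "deny"


def bind(ip: str, sgt: int) -> None:
    """Classification step: a new DHCP lease or session adds/updates a binding."""
    SGT_BINDINGS[ip] = sgt


def classify(ip: str) -> int:
    return SGT_BINDINGS.get(ip, UNKNOWN_SGT)


def enforce(src_ip: str, dst_ip: str, proto: str, dport: int) -> Dict[str, object]:
    """Decide a single flow the way an SGT-aware enforcement point would."""
    src_sgt, dst_sgt = classify(src_ip), classify(dst_ip)
    cell = SGACL_MATRIX.get((src_sgt, dst_sgt))
    if cell is None:
        return {"action": DEFAULT_ACTION, "src_sgt": src_sgt, "dst_sgt": dst_sgt,
                "reason": f"no rule for SGT {src_sgt} -> SGT {dst_sgt}"}
    for p, port in cell:
        if p == proto and (port is None or port == dport):
            return {"action": "permit", "src_sgt": src_sgt, "dst_sgt": dst_sgt,
                    "reason": f"SGACL {src_sgt} -> {dst_sgt} permits {proto}/{dport}"}
    return {"action": "deny", "src_sgt": src_sgt, "dst_sgt": dst_sgt,
            "reason": f"SGACL {src_sgt} -> {dst_sgt} has no permit for {proto}/{dport}"}


if __name__ == "__main__":
    print(enforce("10.1.10.10", "10.100.1.72", "tcp", 443))   # HR user, https: permit
    print(enforce("10.1.10.22", "10.100.1.72", "tcp", 443))   # Call Center user: no rule
    print(enforce("10.1.220.29", "10.100.1.72", "tcp", 443))  # test iPad -> HR server: no rule
```

The "without re-architecting" claim on the slide is visible in the code: when the HR user's DHCP lease gives her a new address, only `bind()` is called and the matrix is untouched, and an address with no binding falls into tag 0, for which no cell exists, so unclassified traffic meets the default deny rather than an accidental permit.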

THANK YOU