BYOD @
Stefan Dürnberger, Consulting Systems Engineer, Cisco Deutschland
sduernbe@cisco.com, CCIE Security #16458
Co-Author, Bitkom Leitfaden BYOD: http://www.bitkom.org/files/documents/20130404_lf_byod_2013_v2.pdf
2012 Cisco and/or its affiliates. All rights reserved.
- The majority of new network devices will have no wired port.
- Users are starting to bring in and use more than one device.
- Mobile device speeds increase every few years.
- Users will change devices more frequently than in the past.
- Users want to be always connected to work, family and friends.
- Users want access to all their applications: anywhere, anytime, and with any device.
- Guest access with accountability has become a business requirement.
OLD SCHOOL vs. NEW SCHOOL
Employee:
- Old school: enterprise-provided mobile devices; work is a place you go to, with limited off-campus access.
- New school: anywhere, anytime, any-device usage; work is a function, globally dispersed, with mixed device ownership.
IT:
- Old school: IT visibility and control into user devices and applications.
- New school: a change in the IT control and management paradigm, with granularity beyond the device.
Basic Guest Mobility (BYOD, wireless):
- Account sponsorship
- Acceptable use agreement
- Internet access only
- Rate and time limited
- Identity-based accountability and access logging
Basic Contractor BYOD (BYOD, wired and wireless):
- Account sponsorship
- Acceptable use agreement
- Internet access and restricted corporate access
- Data Loss Prevention
- Identity-based accountability and access logging
Advanced Employee BYOD (BYOD, wired and wireless):
- User directory
- VPN access
- VDI / VXI access
- Voice, video, data
- Unrestricted corporate access
- Data Loss Prevention
- Mobile Device Management
- Identity-based accountability and access logging
User (Who)  | Device (What)     | Access (Which)  | Location (Where)         | Time (When)        | Policy
Guest       | Personal device   | Wireless        | Conference rooms         | M-S, 8 am - 6 pm   | Captive portal, DMZ guest tunnel, Guest VLAN
Contractor  | Contractor device | Wired           | Contractor cubicles      | Anytime            | Contractor VLAN
Contractor  | Personal device   | Wireless        | No HR or Finance spaces  | M-S, 8 am - 6 pm   | Contractor ACL
Employee    | Corporate device  | Wired           | Anywhere                 | Anytime            | Employee VLAN
Employee    | Personal device   | Wireless, VPN   | Anywhere                 | Anytime            | Employee ACL
IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy
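The rule above, worked as code. This is an added example (editor's code, not from the deck and not Cisco ISE logic): the matrix becomes a rule table, each session is matched on all five conditions, and anything no rule matches is rejected (default deny). The role, device and location token names, and the reading of "M-S, 8 am - 6 pm" as Monday through Saturday 08:00-18:00, are assumptions.

```python
"""Context-aware access policy:
IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy.

Added example, not code from the deck or from Cisco ISE.  Token names
and the reading of "M-S 8 am - 6 pm" (Monday..Saturday, 08:00-18:00)
are assumptions; anything no rule matches is rejected (default deny).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional

ANYWHERE = None          # Rule.locations value meaning "any location"
NONE = frozenset()


def in_business_hours(t: datetime) -> bool:
    """Assumed reading of 'M-S 8 am - 6 pm': Monday..Saturday, 08:00-17:59."""
    return t.weekday() <= 5 and 8 <= t.hour < 18


@dataclass(frozen=True)
class Session:
    identity: str      # who:   guest | contractor | employee
    device: str        # what:  personal | contractor | corporate
    access: str        # which: wireless | wired | vpn
    location: str      # where: e.g. conference_room, contractor_cubicle, hr, finance
    when: datetime     # when


@dataclass(frozen=True)
class Rule:
    identity: str
    device: str
    access: FrozenSet[str]
    locations: Optional[FrozenSet[str]]   # None = anywhere
    denied_locations: FrozenSet[str]      # e.g. "No HR or Finance spaces"
    business_hours_only: bool
    policy: str

    def matches(self, s: Session) -> bool:
        if (self.identity, self.device) != (s.identity, s.device):
            return False
        if s.access not in self.access:
            return False
        if self.locations is not ANYWHERE and s.location not in self.locations:
            return False
        if s.location in self.denied_locations:
            return False
        if self.business_hours_only and not in_business_hours(s.when):
            return False
        return True


# One Rule per row of the slide's matrix.
RULES = (
    Rule("guest", "personal", frozenset({"wireless"}), frozenset({"conference_room"}),
         NONE, True, "Captive Portal, DMZ guest tunnel, Guest VLAN"),
    Rule("contractor", "contractor", frozenset({"wired"}), frozenset({"contractor_cubicle"}),
         NONE, False, "Contractor VLAN"),
    Rule("contractor", "personal", frozenset({"wireless"}), ANYWHERE,
         frozenset({"hr", "finance"}), True, "Contractor ACL"),
    Rule("employee", "corporate", frozenset({"wired"}), ANYWHERE, NONE, False, "Employee VLAN"),
    Rule("employee", "personal", frozenset({"wireless", "vpn"}), ANYWHERE, NONE, False, "Employee ACL"),
)


def evaluate(session: Session, rules=RULES) -> str:
    """Policy of the first matching rule, else Access-Reject (default deny)."""
    for rule in rules:
        if rule.matches(session):
            return rule.policy
    return "Access-Reject"


def decide(identity: str, device: str, access: str, location: str, when_iso: str) -> str:
    """Convenience wrapper taking the time as an ISO 8601 string."""
    return evaluate(Session(identity, device, access, location, datetime.fromisoformat(when_iso)))


if __name__ == "__main__":
    for args in (
        ("guest", "personal", "wireless", "conference_room", "2012-06-05T10:00"),   # Tuesday
        ("guest", "personal", "wireless", "conference_room", "2012-06-05T20:00"),   # after hours
        ("contractor", "personal", "wireless", "hr", "2012-06-05T10:00"),          # denied space
        ("employee", "personal", "vpn", "home", "2012-06-03T03:00"),               # Sunday night
        ("employee", "corporate", "wireless", "lobby", "2012-06-05T10:00"),        # no row: rejected
    ):
        print(*args, "->", decide(*args))
```

The last sample is the point of default deny: the matrix has no row for a corporate device on wireless, so the engine rejects it rather than falling through to something permissive; missing rows show up as rejects in the logs, which is where you want to discover gaps in the matrix.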
Identity Services Engine: the requirement, and the ISE service that delivers it
- "I only want to allow the right users and devices on my network" -> Authentication Services
- "I want users and devices to receive appropriate network services" -> Authorization Services
- "I want to allow guests into the network and control their behavior" -> Guest Lifecycle Management
- "I need to allow/deny iPads in my network (BYOD)" -> Profiling Services
- "I want to ensure that devices on my network are clean" -> Posture Services
Plus: Simplified Policy Management, Security Group Access
Teams involved: Compliance Operations, Network Team, Security Operations, Endpoint Team, Application Team, Human Resources
Next Generation Workspace: Policy Management, Unified Infrastructure, Security
Architecture, bottom up:
- Devices layer: smartphones, tablets, thin/virtual clients, desktops/notebooks
- Access methods: VPN, external Wi-Fi, internal Wi-Fi, wired
- Connectivity layer: FW, router, wireless, wired; ISE and NCS Prime provide policy and management across it
- Security services: AnyConnect, ScanSafe, ESA/WSA
- Applications: Webex, Jabber, Quad, VXI...
Guest lifecycle: Provision, Manage, Notify, Report
- Provision: create guest accounts in the Sponsor Portal
- Manage: create sponsor policy, manage sponsor groups, customize portals
- Notify: notify the guest by different methods (print, email, SMS)
- Report: report on all aspects of guest accounts
Multiple ways to notify the guest with their credentials and other access info:
1. Print the details
2. Send via e-mail
3. Send via SMS
Guest identity stores:
- ISE database (guest DB): created by sponsors (with a bulk option) or by guest self-service; restricted access duration
- External DB (LDAP / AD): managed externally; accounts enabled/disabled there
Machine-Auth approach
Start here -> Corp asset? -> yes: Access-Accept / no: Access-Reject
"Only corporate devices may access my network, period. Use EAP-TLS with AD-issued non-exportable machine certificates. That is our BYOD policy." Not too common anymore.
VDx approach
Start here -> Corp asset? -> yes: Access-Accept / no: limited access to the VDI farm only
Only corporate devices may access my corporate network; others get RDP/ICA to a VDI farm. "Corp asset" could be determined by profiling, by certificates, or by machine auth with PEAP-MSCHAPv2. Note that profiling is a fingerprint (DHCP, HTTP user agent and similar), not proof of ownership; certificates or machine auth are the stronger signal.
Even more complicated
Start here -> Employee? -> (no) Registered guest? / (yes) i-device? -> Registered device?
Outcomes at the leaves: Access-Reject, Access-Accept, Internet only.
Best practice today: ISE 1.2 plus MDM
- ISE, device access control: device profiling, BYOD on-boarding, device access control, posture
- MDM, mobile device security control: device compliance, mobile application management, securing data at rest
ISE and MDM together enforce mobile device compliance:
- Forces on-boarding to the MDM for personal devices used for work
- Registers but restricts access for personal devices not managed by the MDM
- Quarantines non-compliant devices based on MDM policy
- The MDM cannot see non-registered devices to enforce device security, but the network can!
[MDM partner logos; versions 6.2, 7.1, 2.3, 5.0]
NETWORK ENABLEMENT (ISE):
- Classification / profiling
- Secure network access (wireless, wired, VPN), mobile + PC
- AUP
- User <-> device ownership
- Context-aware access control (role, location, etc.)
- Registration; certificate + supplicant provisioning
- Inventory management
DEVICE MANAGEMENT (MDM):
- Enterprise software distribution
- Policy compliance (jailbreak, PIN lock, etc.)
- Management (backup, remote wipe, etc.)
- Secure data containers
User-managed device: network-based IT control. User/IT co-managed device: device- and network-based IT control.
With the MDM API, ISE can query:
- General: Compliant or !Compliant (macro level), or
- Individual attributes: disk encryption on, PIN lock, jailbroken
Administrators (Endpoints directory in ISE) and users (MyDevices portal) can issue remote actions on the device through the MDM server, e.g. remote wiping the device:
Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock
Certificate Authority (CA):
- Responsible for issuing, validating, renewing, revoking and logging certificates
- Establishes and verifies the identities of certificate requestors
- Configures the usage and content of certificates (templates) and issues certificates to users, computers and services
1. User/identity certificates: contain a user-based attribute, usually in the CN or as the UPN in the Subject Alternative Name
2. Device certificates: contain a device-specific attribute
3. Hybrid (user plus device) certificates: allow network access only for specifically authorized devices used by specifically authorized users
- EAP-TLS uses certificates for authentication to wireless
- Wired 802.1X uses certificates for authentication and device authorization
- Network Admission Control (NAC) can use certificates as part of a device security posture check
Active Directory Certificate Services
- Built into the Windows Server OS (saves $)
- Windows Server 2008 R2 Enterprise is recommended
- Automatic certificate enrollment: AD Group Policy pushes certificates to domain computers
- Fully Active Directory integrated
- SCEP support (via NDES) for easy deployment to mobile / non-AD devices; issue per-device one-time SCEP challenge passwords, since a static challenge lets anyone who learns it enroll a certificate
- Identify your user profiles
- Build security policies
- MDM, certificates and a policy engine such as Cisco ISE
Thank You
ISE + MDM flow
Start -> Registered in ISE? -> no: ISE BYOD registration portal (Internet only) / yes: Registered in MDM? -> no: ISE portal with link to MDM on-boarding / yes: MDM compliant? -> no: ISE portal for MDM non-compliance / yes: Access-Accept
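The flow above, worked as code together with the guest branch of the "Even more complicated" flow and the MDM API attributes (macro compliant flag, disk encryption, PIN lock, jailbroken). This is an added example, editor's code, not from the deck and not Cisco ISE or any MDM product's logic; the record layout, the outcome strings, the treatment of corporate assets as machine-authenticated, and the attribute thresholds are this example's own assumptions where the slides leave them open.

```python
"""Device on-boarding and MDM compliance decision for BYOD.

Added example, not code from the deck, from Cisco ISE or from an MDM.
Record layout, outcome strings and branch outcomes are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ACCESS_REJECT = "Access-Reject"
INTERNET_ONLY = "Access-Accept (Internet only)"
BYOD_PORTAL = "Redirect: ISE BYOD registration portal (Internet only)"
MDM_ONBOARD = "Redirect: ISE portal with link to MDM on-boarding (Internet only)"
MDM_QUARANTINE = "Redirect: ISE portal for MDM non-compliance (quarantine)"
ACCESS_ACCEPT = "Access-Accept"


@dataclass(frozen=True)
class MdmRecord:
    """What an MDM API lookup for one device returns (constructed shape)."""
    compliant: bool        # the MDM's own macro-level verdict
    disk_encrypted: bool
    pin_lock: bool
    jailbroken: bool


@dataclass(frozen=True)
class Endpoint:
    role: str                       # "employee" | "guest" | other
    corporate_asset: bool           # machine auth / AD-issued certificate succeeded
    registered_in_ise: bool         # completed ISE BYOD registration
    mdm: Optional[MdmRecord] = None  # None: the MDM has never seen this device


def mdm_compliant(rec: MdmRecord, require_encryption: bool = True,
                  require_pin: bool = True) -> bool:
    """Attribute-level check on top of the MDM's macro flag.

    Design choice (assumption, not from the deck): the network applies
    its own thresholds to the individual attributes, so a device the
    MDM reports as 'compliant' under a looser MDM policy is still
    quarantined if it is jailbroken or lacks encryption or a PIN.
    """
    if rec.jailbroken:
        return False
    if require_encryption and not rec.disk_encrypted:
        return False
    if require_pin and not rec.pin_lock:
        return False
    return rec.compliant


def decide(ep: Endpoint) -> str:
    """Walk the Registered-in-ISE -> Registered-in-MDM -> Compliant chain."""
    # Non-employees: a registered guest gets Internet only, everyone else is rejected.
    if ep.role == "guest":
        return INTERNET_ONLY if ep.registered_in_ise else ACCESS_REJECT
    if ep.role != "employee":
        return ACCESS_REJECT
    # Corporate asset authenticated as a machine: unrestricted (Machine-Auth approach).
    if ep.corporate_asset:
        return ACCESS_ACCEPT
    # Personal device: ISE registration first ...
    if not ep.registered_in_ise:
        return BYOD_PORTAL
    # ... then MDM enrolment (the network sees the device even when the MDM does not) ...
    if ep.mdm is None:
        return MDM_ONBOARD
    # ... then MDM compliance.
    if not mdm_compliant(ep.mdm):
        return MDM_QUARANTINE
    return ACCESS_ACCEPT


# Constructed sample endpoints for a quick run.
SAMPLES = {
    "unregistered guest": Endpoint("guest", False, False),
    "registered guest": Endpoint("guest", False, True),
    "corporate laptop": Endpoint("employee", True, False),
    "new personal phone": Endpoint("employee", False, False),
    "registered, no MDM": Endpoint("employee", False, True),
    "jailbroken but 'compliant'": Endpoint("employee", False, True,
                                           MdmRecord(True, True, True, True)),
    "fully compliant": Endpoint("employee", False, True,
                                MdmRecord(True, True, True, False)),
}

if __name__ == "__main__":
    for name, ep in SAMPLES.items():
        print(f"{name:28s} -> {decide(ep)}")
```

The order of the checks matters: registration before MDM lookup keeps the MDM API from being queried for devices nobody has claimed, and the MDM-unknown branch is exactly the case the deck calls out, a device the MDM cannot see but the network can.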