UA Roadshows—One Policy: ISE and TrustSec. Nov 8, 2012. Bob Sayle, Principal Systems Engineer. Session agenda: Need for Contextual Access Policy; BYOD with Cisco ISE; Security Group Access and TrustSec; Cisco Access Device; ISE Under the Hood.



UA Roadshows—One Policy: ISE and TrustSec

Nov 8, 2012

Bob Sayle

Principal Systems Engineer



Session Agenda

  • Need for Contextual Access Policy

  • BYOD with Cisco ISE

  • Security Group Access and TrustSec

  • Cisco Access Device

  • ISE Under the Hood



The Need For Contextual Access Policy



Top of Mind Concerns to enable BYOD

The Burden Falls on IT

  • How do we simplify the security in the BYOD process?

  • How do we control and segment the device and users?

  • How do we provide consistent policy across the network?



Policy Access Control - Enabling BYOD

  • Getting BYOD Devices On-Net Without Wasting Their Time

    • A zero-touch portal automates identity, profiling and provisioning tied to the user’s identity, getting users on-net quickly and securely while saving IT time.

  • BYOD On-Boarding

    • Zero-touch registration & provisioning of employee/guest devices

  • Unified Policy-based Management

    • Policy-based governance, contextual control, guest lifecycle management

  • Consistent Network-wide Security

    • Compliance including 802.1X ports, untrusted device access denial

  • Allowing Users To Safely Go Where They Are Allowed To Go, From Anywhere

    • Visibility & contextual control across the network while blocking untrusted access, based on user authentication, device profiling, posture, location and access method

  • Applying Network Policy to Users from Entry to Destination (E2E)

    • Control plane from access layer thru data center that is topology independent

    • Policy platform for unified access, DC switches & FWs with ecosystem APIs

Verticals shown: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed



Meet Cisco ISE*

  • Policy Management Solution

    • Unified Network Access Control

    • Turnkey BYOD Solution

  • 1st System-wide Solution

  • Deep network integration

  • System-wide Policy Control from One Screen

  • Award winning product!

  • ’12 Cisco Pioneer Award

  • Over 400 Trained & Trusted ATP Partners

* Pronounced ‘ICE’. Stands for identity services engine, but just call it Cisco ISE



One Policy Platform: Components

  • Policy Management

  • Policy Context

  • Policy Information

  • Policy Enforcement

Platform elements: Identity Services Engine (ISE); Prime Infrastructure; Cisco Infrastructure: Switches, Wireless Controllers, Firewalls, Routers; Posture from NAC/AnyConnect Agent; User Directory; Profiling from Cisco Infrastructure; Non-User Devices; Personal Devices; User Identity; Corporate Assets



One Policy Platform: Use Cases

  • “I only want to allow the ‘right’ users and devices on my network” → Authentication Services

  • “I want users and devices to receive appropriate network services” → Authorization Services

  • “I want to allow guests into the network and control their behavior” → Guest Lifecycle Management

  • “I need to allow/deny iPads in my network (BYOD)” → Profiling and BYOD Services

  • “I want to ensure that devices on my network are clean” → Posture Services

  • “I need a scalable way of enforcing access policy across the network” → TrustSec SGA

One Network, One Policy, One Management



BYOD with Cisco ISE



Simplified BYOD with Cisco ISE

  • Device On-boarding

    • Self Registration

    • Certificate and Supplicant Provisioning

  • Reduced Burden on IT and Help Desk Staff

    • Seamless, intuitive end user experience

    • Support for Windows, Mac OS X, iOS, Android

  • Intuitive Management for End Users

    • My Devices Portal—register, blacklist, manage

    • Guest Sponsorship Portal



But What About MDM?*

MDM cannot ‘see’ non-registered devices to enforce device security – but the network can!

Best Practice

MDM (Mobile Device Security Control):

  • Device Compliance

  • Mobile Application Management

  • Data Security Controls

ISE (Device Access Control):

  • Device Identity

  • BYOD On-boarding

  • Device Access Control

* Mobile Device Manager



BYOD Flow: Single SSID (New)

  • User connects to Secure SSID

  • PEAP: Username/Password

  • Redirected to Provisioning Portal

  • User registers device

    • Downloads Certificate

    • Downloads Supplicant Config

  • User reconnects using EAP-TLS

Diagram elements: Personal Asset, BYOD-Secure (SSID), Access Point, Wireless LAN Controller, ISE, AD/LDAP



BYOD Flow: Dual SSID (New)

  • User connects to Open SSID

  • Redirected to WebAuth portal

  • User enters employee or guest credentials

  • Guest signs AUP and gets Guest access

  • Employee registers device

    • Downloads Certificate

    • Downloads Supplicant Config

  • Employee reconnects using EAP-TLS

Diagram elements: Personal Asset, BYOD-Secure (SSID), BYOD-Open (SSID), Access Point, Wireless LAN Controller, ISE, AD/LDAP



BYOD Demo

A Retail Environment



Security Group Access



User and Device Roles

Device types: Any Device, Registered Device, Corporate Device

Resources: General Web Server, Employee News Portal, Manager Portal, Credit Card Server, Employee Time Card Application

User and Device Role: Unregistered Device, Employee, Management, Credit Card Scanners



Policy Definition for Roles

Device types: Any Device, Corporate Device, Registered Device

Resources: Manager Portal, General Web Server, Employee News Portal, Employee Time Card Application, Credit Card Server

User and Device Role → Policy Definition:

  • Unregistered Device: Public SSID

  • Employee: Corporate SSID; member of group “Employee”; certificate matches endpoint

  • Management: Corporate SSID; member of group Employee and Manager; certificate matches endpoint

  • Credit Card Scanners: Credit_Card SSID; member of group “Credit_Scanners”; profiled as “iphone”



Policy Definition Inside ISE



Inside ISE: Management Policy

  • Employee Registered

  • SSID Access: Corporate-wifi

  • AD Group: “Management”



Inside ISE: Credit Card Scanner Policy

  • Profiled as an iPhone

  • Certificate Required

  • SSID Access: cc-secure-wifi

  • AD Group: “Credit Card Scanners”



Enforcement: VLANs or ACLs

VLAN Architecture: Scaling Concerns

  • Highly topology dependent

ACL Architecture: Hard to Maintain

  • 100s-1000s of ACEs

802.1X



Enforcement: Security Group Access (SGA)

SGA TAG - Policy

User and Device Role → Ingress Tag:

  • Unregistered Device (Unregist_Dev_SGT): Public SSID

  • Employee (Employee_SGT): Corporate SSID; member of group “Employee”; certificate matches endpoint

  • Management (Management_SGT): Corporate SSID; member of group Employee and Manager; certificate matches endpoint

  • Credit Card Scanners (CC_Scanner_SGT): Credit_Card SSID; member of group “Credit_Scanners”; profiled as “iphone”

Context evaluated by Cisco ISE: who, what, where, when, how

Diagram labels: Finance, Employee, Manager



SGA Inside ISE

Employee TAG

Manager TAG

Credit Card Scanner TAG



SGA Enforced at ASA Firewall

Manager TAG

Credit Card Scanner TAG



SGA Enforced on Switches



TrustSec Scalable Context Aware Enforcement



SGA Policy Enforcement Flow

  • Security Group Based Access Control

Diagram labels: “I registered my device”, “I’m a manager” → Manager, SGT = 100; Time Card (SGT=4); Credit card scanner (SGT=10); SGACL; Cisco ISE

  • ISE maps tags (SGT) to user identity

  • ISE Authorization policy pushes the SGT to the ingress NAD (switch/WLC)

  • ISE Authorization policy pushes the ACL (SGACL) to the egress NAD (ASA or Nexus)



Cisco Innovation: Migrating to Security Group Access: SGT eXchange Protocol (SXP)

Diagram labels: SXP; SGACL; “I registered my device”, “I’m a manager” → Manager, SGT = 100, 10.1.100.3; Time Card (SGT=4); Credit card scanner (SGT=10); Cisco ISE

  • Security Group Access Protocol

    • For transport through a non-SGT core
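As an added worked example (not code from the slides or from Cisco), the following Python models the three pieces the preceding slides describe together: ingress classification of a session into an SGT from the role table (Policy Definition for Roles and Enforcement: SGA), the IP-to-SGT bindings an egress device holds when the core does not carry the tag inline (what SXP distributes), and the SGACL lookup keyed on source and destination tags rather than on addresses (SGA Policy Enforcement Flow). The Manager SGT 100, Time Card SGT 4, credit card scanner SGT 10 and host 10.1.100.3 come from the slides; the other tag numbers, the SGACL entries, the scanner's address and the class and function names are assumptions made for the example.

```python
"""
Toy model of Security Group Access (SGA) as the slides describe it:
ingress classification of a session into an SGT from its context,
an IP-to-SGT binding table at the egress device (what SXP carries across
a core that does not forward tags inline), and an SGACL lookup keyed on
(source SGT, destination SGT) instead of on IP addresses.
Constructed example; not Cisco's implementation.
"""
from dataclasses import dataclass

# Tag values for Manager (100), Time Card (4) and Credit card scanner (10)
# are taken from the slides; the rest are assumed for this example.
SGT = {
    "Unregist_Dev_SGT": 2,    # assumed
    "Employee_SGT": 5,        # assumed
    "Management_SGT": 100,    # slide: Manager SGT = 100
    "CC_Scanner_SGT": 10,     # slide: credit card scanner (SGT=10)
    "TimeCard_SGT": 4,        # slide: Time Card (SGT=4)
    "CC_Server_SGT": 20,      # assumed tag for the Credit Card Server
}


@dataclass(frozen=True)
class SessionContext:
    """The who/what/where/how context ISE evaluates at authorization."""
    ssid: str
    ad_groups: frozenset
    cert_matches_endpoint: bool
    profile: str = ""


def classify_ingress(ctx: SessionContext) -> str:
    """Authorization policy from the role slide, most specific rule first."""
    if (ctx.ssid == "Credit_Card" and "Credit_Scanners" in ctx.ad_groups
            and ctx.profile == "iphone"):
        return "CC_Scanner_SGT"
    if ctx.ssid == "Corporate" and ctx.cert_matches_endpoint:
        if {"Employee", "Manager"} <= ctx.ad_groups:
            return "Management_SGT"
        if "Employee" in ctx.ad_groups:
            return "Employee_SGT"
    # Public SSID, or any context that matches no rule, lands in the
    # unregistered-device group.
    return "Unregist_Dev_SGT"


# SGACL matrix: (source SGT, destination SGT) -> action. Anything not
# listed is denied, so a new host inherits its group's policy with no
# new ACE. Entries are assumed for the example.
SGACL = {
    (SGT["Management_SGT"], SGT["TimeCard_SGT"]): "permit",
    (SGT["Employee_SGT"], SGT["TimeCard_SGT"]): "permit",
    (SGT["CC_Scanner_SGT"], SGT["CC_Server_SGT"]): "permit",
}


class EgressEnforcer:
    """An ASA or Nexus at the data-center edge that has learned IP-to-SGT
    bindings (via SXP in the slide's non-SGT core) and applies the SGACL."""

    def __init__(self):
        self.bindings = {}   # ip -> sgt number

    def learn_binding(self, ip: str, sgt_name: str):
        self.bindings[ip] = SGT[sgt_name]

    def decide(self, src_ip: str, dst_sgt_name: str) -> str:
        src_sgt = self.bindings.get(src_ip)
        if src_sgt is None:
            # No binding: the source cannot be placed in any group, so the
            # default-deny row applies. Worth alerting on, since it usually
            # means SXP propagation or the ingress authorization failed.
            return "deny (no IP-SGT binding)"
        return SGACL.get((src_sgt, SGT[dst_sgt_name]), "deny")


def demo() -> dict:
    """Walk the slide's scenario end to end and return the decisions."""
    asa = EgressEnforcer()
    manager = SessionContext("Corporate", frozenset({"Employee", "Manager"}), True)
    scanner = SessionContext("Credit_Card", frozenset({"Credit_Scanners"}), True, "iphone")
    asa.learn_binding("10.1.100.3", classify_ingress(manager))  # manager host from the slide
    asa.learn_binding("10.1.100.7", classify_ingress(scanner))  # constructed scanner address
    return {
        "manager->timecard": asa.decide("10.1.100.3", "TimeCard_SGT"),
        "manager->ccserver": asa.decide("10.1.100.3", "CC_Server_SGT"),
        "scanner->ccserver": asa.decide("10.1.100.7", "CC_Server_SGT"),
        "unknown->timecard": asa.decide("10.1.100.9", "TimeCard_SGT"),
    }


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow}: {action}")
```

The point to take from it is that the SGACL never mentions an address: moving the manager to a new subnet changes one binding and nothing in the matrix, which is the topology independence the Enforcement: VLANs or ACLs slide contrasts with VLAN and ACE sprawl. The unbound-source branch is the failure mode to monitor for: a host whose binding never reached the egress device is denied, so a gap in SXP propagation surfaces as a deny rather than as an accidental permit.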



Cisco Access Devices: Leading the Industry by Providing Added Value



Cisco Innovation: Industry Leading Identity Features

Authentication Features

Identity Differentiators

  • Monitor Mode

    • Unobstructed access

    • No impact on productivity

    • Gain visibility

  • Flexible Authentication Sequence

    • Enables single configuration for most use cases

    • Flexible fallback mechanism and policies

Rich and Robust 802.1X (Cisco Catalyst Switch)

  • IP Telephony Support for Virtual Desktop Environments

  • Single host mode

  • Multihost mode

  • Multiauth mode

  • Multidomain authentication

  • Critical Data/Voice Authentication

    • Business continuity in case of failure

Diagram: Authorized Users, Tablets, IP Phones, Network Devices and Guests authenticating to the switch via 802.1X, MAB or WebAuth



EAP Chaining

  • EAP Chaining ties both the machine and user credentials to the device, so the “owner” is shown to be an authorized user on a corporate asset

  • Use Cases:

    • Restrict use of personal laptops on a corporate network

    • Corporate mandates where a corporate asset must be used and the user must be authorized

Diagram: Machine Credentials → Machine Authentication; User Credentials → User Authentication; machine and user credentials are validated against the AD database over RADIUS; User Authentication includes both user and machine identity types



Cisco Innovation: Device Sensor

Automated Device Classification Using Cisco Infrastructure

DEVICE PROFILING

Supported Platforms:

  • IOS 15.0(1)SE1 for Cat 3K

  • IOS 15.1(1)SG for Cat 4K

  • WLC 7.2 MR1 - DHCP data only

  • ISE 1.1.1

For wired and wireless networks

Diagram: the switch and Access Point collect CDP, LLDP, DHCP and MAC data for each endpoint (Printer, Personal iPad) and ISE applies the matching POLICY: Printer Policy [place on VLAN X], Personal iPad Policy [restricted access]

The Solution

  • DEPLOYMENT SCENARIO WITH CISCO DEVICE SENSORS

Efficient Device Classification Leveraging Infrastructure

  • CLASSIFICATION: ISE Classifies Device, Collects Flow Information and Provides Device Usage Report

  • AUTHORIZATION: ISE Executes Policy Based on User and Device

  • COLLECTION: Switch Collects Device Related Data and Sends Report to ISE
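The collection, classification and authorization steps on this slide are easy to read as a simple lookup; in practice the scoring and the certainty threshold are where the decisions sit. The following Python is an added example (not ISE's profiler and not the RADIUS encoding a Device Sensor actually uses) that takes constructed CDP/LLDP/DHCP/MAC attribute reports of the kind the slide lists, scores them against a small rule set, and maps the winning profile to the slide's Printer and Personal iPad policies. The OUI table, rule weights, MIN_CERTAINTY, the quarantine default for unprofiled endpoints and all names in the code are assumptions made for the example.

```python
"""
Toy endpoint profiler in the style of the Device Sensor slide: the switch
or WLC collects CDP, LLDP, DHCP and MAC attributes per endpoint and sends
them to a policy server, which scores the evidence, picks a profile and
applies the matching policy. Constructed example; not ISE's profiler and
not the real RADIUS attribute encoding.
"""
from dataclasses import dataclass, field

# Constructed OUI table for the example; a real deployment resolves the
# first three octets against the IEEE registry.
OUI_VENDOR = {
    "00:11:22": "Example Printer Co",
    "aa:bb:cc": "Example Tablet Co",
}


@dataclass
class SensorReport:
    """Attributes a Device Sensor would collect for one endpoint."""
    mac: str
    cdp: dict = field(default_factory=dict)
    lldp: dict = field(default_factory=dict)
    dhcp: dict = field(default_factory=dict)


def vendor_from_mac(mac: str) -> str:
    return OUI_VENDOR.get(mac.lower()[:8], "")


# (profile, certainty points, predicate). Points for the same profile add
# up, so several weak signals can reach the threshold while one cannot.
RULES = [
    ("Printer", 30, lambda r: vendor_from_mac(r.mac) == "Example Printer Co"),
    ("Printer", 40, lambda r: "printer" in r.lldp.get("system-description", "").lower()),
    ("Printer", 30, lambda r: "printer" in r.cdp.get("platform", "").lower()),
    ("Personal iPad", 40, lambda r: vendor_from_mac(r.mac) == "Example Tablet Co"),
    ("Personal iPad", 40, lambda r: "ipad" in r.dhcp.get("host-name", "").lower()),
]
MIN_CERTAINTY = 50   # assumed threshold

# Policies from the slide for the two profiles; the default applied to
# endpoints that profile as Unknown is assumed.
PROFILE_POLICY = {
    "Printer": "place on VLAN X",
    "Personal iPad": "restricted access",
    "Unknown": "quarantine pending review",
}


def score(report: SensorReport) -> dict:
    """Sum the points of every matching rule, per profile."""
    totals = {}
    for name, points, pred in RULES:
        if pred(report):
            totals[name] = totals.get(name, 0) + points
    return totals


def classify(report: SensorReport) -> tuple:
    """Return (profile, certainty); below-threshold evidence yields Unknown."""
    totals = score(report)
    if not totals:
        return "Unknown", 0
    best, pts = max(totals.items(), key=lambda kv: kv[1])
    return (best, pts) if pts >= MIN_CERTAINTY else ("Unknown", pts)


def authorize(report: SensorReport) -> str:
    """The authorization step: profile -> policy string from the slide."""
    profile, _ = classify(report)
    return PROFILE_POLICY[profile]


# Constructed reports standing in for what the switch or AP would send.
SAMPLE_REPORTS = {
    "printer": SensorReport("00:11:22:0a:0b:0c",
                            lldp={"system-description": "LaserWidget 4000 printer"}),
    "ipad": SensorReport("aa:bb:cc:01:02:03", dhcp={"host-name": "Bobs-iPad"}),
    "oui_only": SensorReport("aa:bb:cc:04:05:06", dhcp={"host-name": "device"}),
    "conflicting": SensorReport("00:11:22:0d:0e:0f", dhcp={"host-name": "my-ipad"}),
    "no_match": SensorReport("de:ad:be:ef:00:01", dhcp={"host-name": "thermostat"}),
}

if __name__ == "__main__":
    for label, rep in SAMPLE_REPORTS.items():
        print(label, classify(rep), authorize(rep))
```

Two cases matter for a defender. An endpoint whose best score falls below the threshold (only a tablet-vendor OUI, or a printer OUI contradicted by an iPad hostname) is reported as Unknown and receives the restrictive default rather than the closest match, since OUIs and DHCP hostnames are easily changed on the endpoint and a near-miss should not earn a permissive policy. MIN_CERTAINTY is the knob that trades misclassification risk against help-desk load.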



ISE Under The Hood



ISE Feature Demo



Tying it All Together: Contextual Access Control

Context attributes: Posture, Device Type, Location, User, Custom, Access Method, Time



What’s the Cisco Advantage?

Fun Fact: Cisco has 4X more dedicated BYOD engineers than our competitors!

Market Leader

  • NAC, AAA, VPN, FW – we know security

Systems Solution vs. Overlay

  • Deep integration vs. band aids

Commitment

  • Extensive engineering is funded

We are Ready

  • Over 400 ATP partners vigorously trained

“TrustSec and ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.” – Forrester 2011

Leader in Gartner NAC Magic Quadrant, Dec 2011



ISE – Securely Enabling BYOD

  • Removes the IT Burden; User Self Onboarding → Easy BYOD

  • Contextual Policy & Access Control for Users & Guests → Unified Policy Access Control

  • Compliance: Regulatory, Government, Corporate → Consistent Security



Resources - Customers

  • ISE Information: http://www.cisco.com/go/ise

  • Cisco TrustSec: www.cisco.com/go/trustsec

  • Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

