UA Roadshows: One Policy, ISE and TrustSec
Nov 8, 2012
Bob Sayle, Principal Systems Engineer
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda
• Need for Contextual Access Policy
• BYOD with Cisco ISE
• Security Group Access and TrustSec
• Cisco Access Device
• ISE Under the Hood

The Burden Falls on IT
• How do we simplify the security in the BYOD process?
• How do we control and segment the devices and users?
• How do we provide consistent policy across the network?

Getting BYOD Devices On-Net Without Wasting Their Time
• BYOD On-Boarding: zero-touch registration and provisioning of employee and guest devices. A self-service portal automates identity, profiling and provisioning, tied to the user's identity, so devices get on-net quickly and securely while saving IT time.

Allowing Users To Safely Go Where They Are Allowed To Go, From Anywhere
• Unified Policy-based Management: visibility and contextual control across the network while blocking untrusted access. Policy-based authentication and governance using device profiling, posture, location and access method, plus guest lifecycle management.

Applying Network-wide Policy to Users from Entry to Destination (E2E)
• Consistent Security: a control plane from the access layer (802.1X) through the data center that is topology independent; compliance controls (untrusted ports, device access denial); a policy platform for unified access, data center switches and firewalls, with ecosystem APIs.

Technology and customer segments: Utility, Energy, Healthcare, Higher Ed, Secondary Ed

Policy Management Solution
• Unified Network Access Control
• Turnkey BYOD Solution
• 1st System-wide Solution: deep network integration
• System-wide Policy Control from One Screen
• Award winning product!
• 2012 Cisco Pioneer Award
• Over 400 Trained & Trusted ATP Partners
* Pronounced "ICE". Stands for Identity Services Engine, but just call it Cisco ISE.

ISE Architecture
• Policy Management: Identity Services Engine (ISE)
• Policy Information: user directory, Prime Infrastructure, profiling data from Cisco infrastructure, posture from the NAC/AnyConnect agent
• Policy Enforcement: Cisco infrastructure (switches, wireless controllers, firewalls, routers)
• Policy Context: user identity; personal devices, corporate assets, non-user devices

One Network, One Policy, One Management
• "I only want to allow the 'right' users and devices on my network" → Authentication Services
• "I want users and devices to receive appropriate network services" → Authorization Services
• "I want to allow guests into the network and control their behavior" → Guest Lifecycle Management
• "I need to allow/deny iPads in my network (BYOD)" → Profiling and BYOD Services
• "I want to ensure that devices on my network are clean" → Posture Services
• "I need a scalable way of enforcing access policy across the network" → TrustSec SGA

BYOD with Cisco ISE
Reduced burden on IT staff, reduced burden on help desk staff, intuitive management for end users:
• Device on-boarding
• Self registration
• Certificate and supplicant provisioning
• Seamless, intuitive end user experience
• Support for Windows, Mac OS X, iOS and Android
• My Devices Portal: register, blacklist, manage
• Guest Sponsorship Portal

MDM cannot "see" non-registered devices to enforce device security, but the network can!
Best Practice: ISE and MDM*
• ISE: device access control, device identity, BYOD on-boarding
• MDM: mobile device security control, device compliance, mobile application management, data security controls
* MDM: Mobile Device Manager

BYOD On-boarding, Secure SSID (components: personal asset, access point, wireless LAN controller, ISE, AD/LDAP)
• User connects to the secure SSID (BYOD-Secure)
• PEAP: username/password
• Redirected to the BYOD provisioning portal
• User registers the device
• Downloads certificate
• Downloads supplicant configuration
• User reconnects using EAP-TLS

BYOD On-boarding, Open SSID (components: personal asset, access point, wireless LAN controller, ISE, AD/LDAP)
• User connects to the open SSID (BYOD-Open)
• Redirected to the WebAuth portal
• User enters employee or guest credentials
• Guest signs the AUP and gets guest access
• Employee registers the device, downloads certificate and supplicant configuration
• Employee reconnects to BYOD-Secure using EAP-TLS

A Retail Environment
(Slides 14-17: diagrams of the retail store network; no text survives extraction.)

User and Device Role
Roles: Unregistered Device (any device), Employee (registered device), Management (registered device), Credit Card Scanners (corporate device).
Resources: General Web Server, Employee News Portal, Manager Portal, Employee Time Card Application, Credit Card Server.
Policy Definition
• Unregistered Device: Public SSID → General Web Server
• Employee: Corporate SSID, member of AD group "Employee", certificate matches endpoint → Employee News Portal
• Management: Corporate SSID, member of AD groups "Employee" and "Manager", certificate matches endpoint → Manager Portal, Employee Time Card Application
• Credit Card Scanners: Credit_Card SSID, member of AD group "Credit_Scanners", profiled as "iPhone" → Credit Card Server

ISE authorization rule for Management (screenshot): SSID Access: Corporate-wifi; Employee Registered; AD Group: "Management"
ISE authorization rule for Credit Card Scanners (screenshot): Profiled as an iPhone; Certificate Required; SSID Access: cc-secure-wifi; AD Group: "Credit Card Scanners"

Why Not VLANs or ACLs?
• VLAN architecture: scaling concerns, highly topology dependent
• ACL architecture: hard to maintain, 100s-1000s of ACEs
• Both enforce the 802.1X authorization result either by topology (VLAN) or by IP address (ACL)

Security Group Access: Ingress Tags
SGA policy is expressed in terms of who, what, where, when and how; Cisco ISE assigns the tag at ingress from the same conditions as above:
• Unregistered Device (Public SSID) → Unregist_Dev_SGT
• Employee (Corporate SSID, member of "Employee", certificate matches endpoint) → Employee_SGT
• Management (Corporate SSID, member of "Employee" and "Manager", certificate matches endpoint) → Management_SGT
• Credit Card Scanners (Credit_Card SSID, member of "Credit_Scanners", profiled as "iPhone") → CC_Scanner_SGT
(Slides 25-27: diagrams of the Employee, Manager and Credit Card Scanner tags carried through the store network; the labels "Finance", "Employee" and "Manager" appear on the diagram.)
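The retail policy above, as an added example in Python (this is illustrative code, not the ISE policy engine or any exported ISE configuration). It evaluates the four rules top-down, first match wins, the way an ISE authorization policy is ordered, and returns the security group that would be pushed to the ingress switch or WLC. The attribute names on Session (ssid, ad_groups, cert_subject_cn, calling_station_id, endpoint_profile), the dACL labels and every SGT value other than the manager's 100 are assumptions made for this example. The "certificate matches endpoint" condition is modelled as the provisioned certificate's CN carrying the registered MAC, which is what makes a certificate copied to another device fail authorization even though its EAP-TLS handshake succeeds.

```python
"""Added example: first-match authorization policy modelled on the retail
policy. Not ISE code; attribute names and SGT numbers (except 100) are
assumptions for the example."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Security group names from the deck; only Manager = 100 is given there,
# the other numbers are constructed for this example.
SGT = {"Unregist_Dev_SGT": 2, "Employee_SGT": 3, "Management_SGT": 100, "CC_Scanner_SGT": 5}


@dataclass(frozen=True)
class Session:
    ssid: str
    calling_station_id: str                   # endpoint MAC as the WLC reports it
    ad_groups: FrozenSet[str] = frozenset()   # AD group membership of the authenticated user
    cert_subject_cn: Optional[str] = None     # CN of the EAP-TLS client cert; None for PEAP/WebAuth
    endpoint_profile: Optional[str] = None    # profiler result, e.g. "Apple-iPhone"


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    sgt: str     # security group assigned at ingress
    dacl: str    # downloadable ACL name (constructed labels)


def norm_mac(mac: str) -> str:
    """Keep only hex digits so 00:11:22:33:44:55, 0011.2233.4455 and 001122334455 compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def cert_matches_endpoint(s: Session) -> bool:
    """'Certificate matches endpoint' (assumption: the BYOD-provisioned cert's CN is the
    registered MAC). A cert copied to another device fails here despite a valid TLS handshake."""
    return s.cert_subject_cn is not None and norm_mac(s.cert_subject_cn) == norm_mac(s.calling_station_id)


# Ordered most-specific first, like an ISE authorization policy evaluated top-down.
POLICY = [
    Rule("Credit Card Scanners",
         lambda s: s.ssid == "Credit_Card" and "Credit_Scanners" in s.ad_groups
         and s.endpoint_profile == "Apple-iPhone" and cert_matches_endpoint(s),
         "CC_Scanner_SGT", "PERMIT_CREDIT_CARD_SERVER"),
    Rule("Management",
         lambda s: s.ssid == "Corporate" and {"Employee", "Manager"} <= s.ad_groups
         and cert_matches_endpoint(s),
         "Management_SGT", "PERMIT_MANAGER_PORTAL_TIMECARD"),
    Rule("Employee",
         lambda s: s.ssid == "Corporate" and "Employee" in s.ad_groups and cert_matches_endpoint(s),
         "Employee_SGT", "PERMIT_NEWS_PORTAL"),
    Rule("Unregistered Device",
         lambda s: s.ssid == "Public",
         "Unregist_Dev_SGT", "PERMIT_GENERAL_WEB"),
]


def authorize(s: Session) -> dict:
    """Return the first matching rule's result; a session matching no rule is denied."""
    for rule in POLICY:
        if rule.condition(s):
            return {"rule": rule.name, "sgt_name": rule.sgt, "sgt": SGT[rule.sgt], "dacl": rule.dacl}
    return {"rule": "Default", "sgt_name": None, "sgt": None, "dacl": "DENY_ALL"}


if __name__ == "__main__":
    manager = Session("Corporate", "00:11:22:33:44:55", frozenset({"Employee", "Manager"}), "001122334455")
    print(authorize(manager))
```

The ordering matters: because the Management rule sits above Employee, a manager is tagged Management_SGT rather than the less privileged Employee_SGT that the same session would also satisfy, and a scanner that reaches the Credit_Card SSID with the right AD group but the wrong profile matches nothing and is denied rather than quietly landing in a broader rule.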
Security Group Based Access Control
Walkthrough: "I registered my device, and I'm a manager." ISE assigns Manager SGT = 100 at ingress. SGACL matrix (source \ destination):
• Manager (SGT 100) → Time Card (SGT 4): access
• Manager (SGT 100) → Credit Card Scanner (SGT 10): no access
• ISE maps tags (SGT) to user identity
• ISE authorization policy pushes the SGT to the ingress NAD (switch/WLC)
• ISE authorization policy pushes the ACL (SGACL) to the egress NAD (ASA or Nexus)

Cisco Innovation: SXP (SGT Exchange Protocol)
For transport through a core that does not carry SGTs: the ingress device advertises the IP-to-SGT binding (10.1.100.3 → SGT 100) over SXP to the egress device, which then applies the same SGACL matrix (Manager 100 → Time Card 4: access; Manager 100 → Credit Card 10: no access) using the source IP to recover the tag.

Cisco Innovation: Identity Differentiators, Authentication Features (Cisco Catalyst Switch)
• Monitor Mode: unobstructed access, no impact on productivity, gain visibility
• Flexible Authentication Sequence: a single configuration covers most use cases; flexible fallback mechanisms and policies
• Rich and Robust 802.1X: IP telephony, support for virtual desktop environments; single-host, multi-host, multi-auth and multi-domain authentication modes
• Authentication methods: 802.1X for authorized users, MAB for tablets, IP phones and network devices, WebAuth for guests
• Critical Data/Voice Authentication: business continuity if the AAA server becomes unreachable

EAP Chaining
• EAP chaining ties both the machine and the user credentials to the device, so the "owner" is shown to be using a corporate asset
Use cases:
• Restrict use of personal laptops on a corporate network
• Corporate mandates where a corporate asset must be used and the user must be authorized
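The SGACL and SXP slides above, as an added example in Python (this is illustrative code, not the deck's, ISE's or any Cisco platform's implementation). It models the egress device: bindings arrive over SXP from the ingress switch or WLC (or are statically mapped for server subnets), the source and destination SGTs are recovered from the IP addresses, and the matching matrix cell is evaluated. The SGT values 100/4/10 and the address 10.1.100.3 come from the deck; the server subnets, the ACE lists inside each cell and the default action for an empty cell are constructed for this example.

```python
"""Added example: egress SGACL evaluation with SXP-learned IP-to-SGT bindings.
Not Cisco code; subnets, ACEs and the default action are assumptions."""
from ipaddress import ip_address, ip_network

UNKNOWN_SGT = 0  # a source with no binding is treated as Unknown (0) at egress

# IP-to-SGT bindings known to the egress device: host bindings learned over SXP,
# server subnets mapped statically (constructed subnets).
bindings = {
    ip_network("10.1.200.0/24"): 4,    # Time Card application servers
    ip_network("10.1.250.0/24"): 10,   # Credit card servers and scanners
}


def sxp_update(ip: str, sgt: int) -> None:
    """Install a host binding, as an SXP listener does on receiving an update from a speaker."""
    bindings[ip_network(f"{ip}/32")] = sgt


def sgt_for(ip: str) -> int:
    """Longest-prefix match over the binding table."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, sgt) for net, sgt in bindings.items() if addr in net]
    return max(matches)[1] if matches else UNKNOWN_SGT


# SGACL matrix cell -> ordered ACEs of (protocol, destination port or None, action).
# The deck's matrix: Manager -> Time Card is "Access", Manager -> Credit Card is "No access".
SGACL = {
    (100, 4): [("tcp", 443, "permit"), ("tcp", 80, "permit"), ("ip", None, "deny")],
    (100, 10): [("ip", None, "deny")],
}
# Cells with no SGACL fall to this. Assumption for the example: on a real device the
# unconfigured default is commonly permit, so verify it before relying on it.
DEFAULT_ACTION = "deny"


def egress_decision(src_ip: str, dst_ip: str, proto: str, dport: int) -> dict:
    """Recover both tags from the IPs and apply the first matching ACE of the matrix cell."""
    src_sgt, dst_sgt = sgt_for(src_ip), sgt_for(dst_ip)
    action = DEFAULT_ACTION
    for ace_proto, ace_port, ace_action in SGACL.get((src_sgt, dst_sgt), []):
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            action = ace_action
            break
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "action": action}


def run_scenario() -> dict:
    """The deck's walkthrough: the manager's binding arrives over SXP, then flows are checked."""
    sxp_update("10.1.100.3", 100)
    return {
        "timecard": egress_decision("10.1.100.3", "10.1.200.10", "tcp", 443),
        "creditcard": egress_decision("10.1.100.3", "10.1.250.5", "tcp", 443),
        "unknown_source": egress_decision("10.1.100.77", "10.1.200.10", "tcp", 443),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(name, decision)
```

The point of the tag-based model shows in the binding table: a second manager on a different IP needs only a new SXP binding, and the matrix (and the ACL on the ASA or Nexus) is untouched, whereas an IP-based ACL would grow by one ACE per user per destination.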
EAP Chaining flow: the supplicant presents machine credentials (machine authentication) and then user credentials over RADIUS; ISE validates both against the AD database, and the resulting user authentication record carries both the user and machine identity types.

Cisco Innovation: Device Sensor, Automated Device Classification Using Cisco Infrastructure
Device profiling data sources: CDP, LLDP, DHCP, MAC
Supported platforms:
• IOS 15.0(1)SE1 for Catalyst 3K
• IOS 15.1(1)SG for Catalyst 4K
• WLC 7.2 MR1 (DHCP data only)
• ISE 1.1.1, for wired and wireless networks
Example: the access switch collects CDP/LLDP/DHCP/MAC data for a printer and for a personal iPad; ISE applies the printer policy [place on VLAN X] and the personal iPad policy [restricted access].

The solution: efficient device classification leveraging Cisco infrastructure. Deployment scenario with Cisco Device Sensors:
• Collection: the switch collects device-related data and sends a report to ISE
• Classification: ISE classifies the device, collects flow information and provides a device usage report
• Authorization: ISE executes policy based on user and device

Tying It All Together: Contextual Access Control
Context attributes: user, device type, location, posture, time, access method, custom

What's the Cisco Advantage?
• Fun fact: Cisco has 4X more dedicated BYOD engineers than our competitors!
• Market leader: NAC, AAA, VPN, FW, we know security
• Systems solution vs. overlay: deep integration vs.
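The collection, classification and authorization steps above, as an added example in Python (illustrative code, not the ISE profiler or its policy export). It scores a Device Sensor-style report against profile conditions, each condition adding certainty when it matches, classifies the endpoint once a profile's minimum certainty is reached, and maps the profile to the slide's policy outcome. The attribute names, OUI prefixes, DHCP fingerprints, weights and thresholds are all constructed; a real profiler draws on the IEEE OUI registry and a much larger condition library. The example also shows why the MAC alone is not trusted: a device spoofing the printer's OUI matches only that one condition and stays unclassified.

```python
"""Added example: certainty-weighted classification of Device Sensor reports.
Not ISE code; attribute names, OUIs, fingerprints and weights are constructed."""
from typing import Callable, Dict, List, Tuple

# One endpoint's Device Sensor report as forwarded by the switch/WLC (constructed attribute names).
Report = Dict[str, str]

# (attribute, predicate on its value, certainty added when it matches)
Condition = Tuple[str, Callable[[str], bool], int]

PROFILES: Dict[str, Tuple[int, List[Condition]]] = {
    # profile name: (minimum certainty to classify, conditions)
    "HP-Printer": (30, [
        ("mac", lambda v: v.lower().startswith("00:1e:0b"), 10),            # constructed OUI
        ("dhcp_class_identifier", lambda v: "Hewlett-Packard" in v, 20),
        ("lldp_system_description", lambda v: "LaserJet" in v, 20),
    ]),
    "Apple-iPad": (30, [
        ("mac", lambda v: v.lower().startswith("3c:07:54"), 10),            # constructed OUI
        ("dhcp_host_name", lambda v: v.lower().endswith("-ipad"), 20),
        ("dhcp_parameter_request_list", lambda v: v == "1,3,6,15,119,252", 10),  # constructed fingerprint
    ]),
}

# Authorization tied to the profile, as on the slide.
POLICY = {"HP-Printer": "place on VLAN X", "Apple-iPad": "restricted access"}
DEFAULT_POLICY = "unknown device: limited access pending classification"


def certainty(report: Report, conditions: List[Condition]) -> int:
    """Sum the weights of the conditions whose attribute is present and matches."""
    return sum(w for attr, test, w in conditions if attr in report and test(report[attr]))


def classify(report: Report) -> Tuple[str, int]:
    """Return the highest-scoring profile that reaches its minimum, else ("Unknown", 0)."""
    best_name, best_score = "Unknown", 0
    for name, (minimum, conditions) in PROFILES.items():
        score = certainty(report, conditions)
        if score >= minimum and score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def authorize(report: Report) -> str:
    """Authorization step: policy follows the classified profile."""
    return POLICY.get(classify(report)[0], DEFAULT_POLICY)


if __name__ == "__main__":
    # Constructed sample reports for a printer, a personal iPad and a laptop spoofing the printer OUI.
    printer = {"mac": "00:1e:0b:aa:bb:cc", "dhcp_class_identifier": "Hewlett-Packard JetDirect",
               "lldp_system_description": "HP LaserJet P4015"}
    ipad = {"mac": "3c:07:54:11:22:33", "dhcp_host_name": "Bobs-iPad",
            "dhcp_parameter_request_list": "1,3,6,15,119,252"}
    spoof = {"mac": "00:1e:0b:de:ad:00", "dhcp_class_identifier": "MSFT 5.0"}
    for r in (printer, ipad, spoof):
        print(classify(r), "->", authorize(r))
```

Because a new report can raise or lower the score, a practitioner would re-run authorization when a classification changes (a change of authorization rather than waiting for the next session), so a device that first looked like a printer and later shows a DHCP class of "MSFT 5.0" does not keep the printer VLAN.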
band aids
• Commitment: extensive engineering is funded
• We are ready: over 400 ATP partners vigorously trained
• Leader in the Gartner NAC Magic Quadrant, Dec 2011
"TrustSec and ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today." (Forrester, 2011)

Summary
• Removes the IT burden: easy BYOD, user self on-boarding
• Unified policy access control: contextual policy and access control for users and guests
• Consistent security: compliance (regulatory, government, corporate)

References
• ISE information: http://www.cisco.com/go/ise
• Cisco TrustSec: www.cisco.com/go/trustsec
• Application notes and how-to guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html