BYOD:
Bring Your Own Device
Goran Peteh
Channel Systems Engineer
Sarajevo, 15.11.2012.
© 2012 Cisco and/or its affiliates. All rights reserved.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Policy Access Control: Challenges and Architecture
Security Group Access and TrustSec
Cisco Access Devices and Identity
BYOD On-Boarding: Zero touch registration & provisioning of employee/guest devices
Unified Policy-based Management: Policy-based governance, contextual control, guest lifecycle mgmt
Consistent Network-wide Security: Compliance including 802.1X ports, untrusted device access denial
Verticals: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed
Getting BYOD Devices On-Net Without Wasting Their Time
BYOD On-Boarding: Zero-touch portal automates identity, profiling & provisioning tied to a user's identity to get them quickly & securely on-net while saving IT time.
Allowing Users To Safely Go Where They Are Allowed To Go -- From Anywhere
Unified Policy-based Management: Visibility & contextual control across the network while blocking untrusted access -- user authentication, device profiling, posture, location, access method.
Applying Network-wide Policy to Users from Entry to Destination (E2E)
Consistent Security: Control plane from access layer thru data center that is topology independent.
Policy platform for unified access, DC switches & FWs with ecosystem APIs
Verticals: Technology, Utility, Energy, Healthcare, Higher Ed, Secondary Ed
Policy Management: Identity Services Engine (ISE)
Policy Information: User Directory; Prime Infrastructure; Profiling from Cisco Infrastructure; Posture from NAC/AnyConnect Agent
Policy Enforcement: Cisco Infrastructure: Switches, Wireless Controllers, Firewalls, Routers
Policy Context: User Identity; Personal Devices; Corporate Assets; Non-User Devices
Policy Management Solution: Unified Network Access Control
Turnkey BYOD Solution
1st System-wide Solution
Deep network integration
System-wide Policy Control from One Screen
Best Product in Cisco! 12 Cisco Pioneer Award
Over 400 Trained & Trusted ATP Partners
Over 1,000 Wins – Year 1
One Network
•  "I only want to allow the right users and devices on my network" - Authentication Services
•  "I want users and devices to receive appropriate network services" - Authorization Services
•  "I want to allow guests into the network and control their behavior" - Guest Lifecycle Management
One Policy
•  "I need to allow/deny iPads in my network (BYOD)" - Profiling and BYOD Services
•  "I want to ensure that devices on my network are clean" - Posture Services
•  "I need a scalable way of enforcing access policy across the network" - TrustSec SGA
One Management
Reduced Burden on IT Staff; Reduced Burden on Help Desk Staff; Intuitive Management for End Users
•  Device On-boarding
•  Self Registration
•  Certificate and Supplicant Provisioning
•  Seamless intuitive end user experience
•  Support Windows, MAC OS X, iOS, Android
•  My Devices Portal—register, blacklist, manage
•  Guest Sponsorship Portal
The New Way
Best Practice Today: ISE - Device Access Control
•  Device Identity
•  BYOD On-boarding
•  Device Access Control
Coming Soon: MDM - Mobile Device Security Control
•  Device Compliance
•  Mobile Application Management
•  Data Security Controls
Best Practice (~CY13 Q2): ISE & MDM Integrate - Enforced Mobile Device Compliance
•  Forces on-boarding to MDM with personal devices used for work
•  Register but restrict access for personal devices not managed by MDM
•  Quarantine non-compliant devices based on MDM policy
Components: Personal Asset -> Access Point (BYOD-Secure SSID) -> Wireless LAN Controller -> ISE -> AD/LDAP
•  User connects to Secure SSID
•  PEAP: Username/Password
•  Redirected to Provisioning Portal
•  User registers device; downloads Certificate; downloads Supplicant Config
•  User reconnects using EAP-TLS
Components: Personal Asset -> Access Point (BYOD-Secure and BYOD-Open SSIDs) -> Wireless LAN Controller -> ISE -> AD/LDAP
•  User connects to Open SSID
•  Redirected to WebAuth portal
•  User enters employee or guest credentials
•  Guest signs AUP and gets Guest access
•  Employee registers device; downloads Certificate; downloads Supplicant Config
•  Employee reconnects using EAP-TLS
User and Device Role: Unregistered Device; Employee; Management; Credit Card Scanners
Resources: General Web Server (Any Device); Employee News Portal (Registered Device); Manager Portal; Employee Time Card Application (Corporate Device); Credit Card Server
Policy Definition
User and Device Role: Unregistered Device; Employee; Management; Credit Card Scanners
Resources: General Web Server (Any Device); Employee News Portal (Registered Device); Manager Portal; Employee Time Card Application (Corporate Device); Credit Card Server
•  Unregistered Device: Public SSID
•  Employee: Corporate SSID; Member of group Employee; Certificate matches endpoint
•  Management: Corporate SSID; Member of group Employee and Manager; Certificate matches endpoint
•  Credit Card Scanners: Credit_Card SSID; Member of group Credit_Scanners; Profiled as iphone
SSID Access: Corporate-wifi; Employee; Registered; AD Group: Management
Profiled as an iPhone; Certificate Required; SSID Access: cc-secure-wifi; AD Group: Credit Card Scanners
802.1X
VLAN Architecture: Scaling Concerns; Highly topology dependent
ACL Architecture: Hard to Maintain; 100s-1000s of ACEs
SGA TAG - Policy (Cisco ISE decides on who, what, where, when, how)
User and Device Role -> Ingress Tag:
•  Unregistered Device (Unregist_Dev_SGT): Public SSID
•  Employee (Employee_SGT): Corporate SSID; Member of group Employee; Certificate matches endpoint
•  Management (Management_SGT): Corporate SSID; Member of group Employee and Manager; Certificate matches endpoint
•  Credit Card Scanners (CC_Scanner_SGT): Credit_Card SSID; Member of group Credit_Scanners; Profiled as iphone
Diagram labels: Finance, Employee, Manager
Access controls defined using meaningful groups and roles (e.g. user role, server function)
Resources/assets can be mapped dynamically into Security Groups as they are identified.
Grouping resources with common permissions simplifies management
How these asset groups can communicate may then be defined in rules permitting ports/protocols passed between the Security Groups (Security Group ACLs)
Diagram: User / system roles -> Security Group. User groups (x100 VDI user groups): Role A (SGT10), Role B (SGT20), Developers (SGT30). System roles: Prod (SGT400), Dev (SGT500), PCI (SGT600), Storage. SGACL between user and system Security Groups.
kregan@cisco.com
•  TrustSec SGA provides scalable access control by tagging traffic with Security Group Tags
•  These tags represent logical groups of users and/or servers sharing similar sets of privileges or roles
•  Allows intelligent ACLs to be utilised on switches (SG-ACLs)
•  Sec Group classification can also be used to simplify/automate Firewall rules (SG-FW)
Example Access Policy Simplification
Individuals -> Sample Logical Security Groups: Employee, Partner, Contractor, Guest, Unknown (in this example source entities are reduced from 46 to 4)
Individual Servers (Data Centre) -> Sample Logical Security Groups: Company Confidential, NDA Confidential, Sensitive, General Access (in this example destination entities are reduced from 60 to 4)
SG-ACL applied between source and destination Security Groups
Before - 46 (source IPs) x 60 (dest IPs) x 4 TCP/UDP Port Permissions = 11040 ACE/ACLs
After - 4 (source SGTs) x 4 (dest SGs) x 4 TCP/UDP Port Permissions = 64 SGACLs
Egress Policy Table
Source Security Group (Tag value) | Destination Security Group (Tag value) | SGACLs
Detective (10) | Criminal Records Database (111) | CR_Access_Protocols
Image analysis developers (20) | Development Servers (222) | Permit All
Forensic analyst (30) | Forensics database (1000) | Permit All
SGACL contents:
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip
•  No IP addresses in ACE
Egress Policy Matrix
SRC \ DST | C Records (111) | Development Servers | Forensics DB (222)
Detective (10) | Permit all | Deny All | SGACL-B
Image Analysis Developers (20) | Deny All | Permit All | Deny All
Forensics Analyst (20) | Deny all | Deny All | SGACL-C
Protecting compliance-critical assets in the DC
•  Controlled access to compliance-critical systems like servers processing credit-card data: User role + Host Posture + Location
•  Reducing the scope of compliance controls through tag-based segmentation
•  Rules defined in compliance terms and audit needs (not IP addresses, etc.); e.g. Trading applications accessible only from regulated trading floor environments; e.g. unmanaged devices cannot access compliance-critical servers
Extranet: Marking traffic from specific external user groups
•  Offshore development partners access Development Servers only, not Production services
Egress Policy Enforcement
§  Security Group ACL
Diagram: Campus Network (Users, Endpoints) -> Catalyst® Switches (3K/4K/6K), ingress classification SGT=10 (HR user) -> Nexus® 7000 -> HR Server Zone, Production Trading Services, Development Systems; ISE distributes the policy
Group-based rules defined for users - server functional groups:
Source Security Group (Tag value) | Destination Security Group (Tag value) | SGACLs
HR (10) | HR Server Zone (111) | HR_Access_Protocols
Offshore developers (20) | Development Servers (222) | Permit All Protocols
Trading group (30) | Production trading (1000) | Permit All Protocols
Security Group Tag
§  Unique 16 bit (64K) tag assigned to unique role
§  Tag = privilege of the source user, device, or entity
§  Tagged at ingress of TrustSec domain
§  Filtered at egress of TrustSec domain (by an SG-ACL)
SGACL
§  No IP address required in ACE (IP address is bound to SGT)
§  Policy (ACL) is distributed from central server
§  Provides topology independent policy
§  Flexible and scalable policy based on user role
§  Centralised Policy Management for Dynamic policy provisioning
Ethernet Frame fields with 802.1AE + TrustSec: DMAC | SMAC | 802.1AE Header | CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options | 802.1Q | ETYPE | PAYLOAD | ICV | CRC
(CMD EtherType, Version, Length, SGT Opt Type, SGT Value and Other CMD Options make up the Cisco Meta Data; the diagram marks the Authenticated and Encrypted portions of the frame)
§  802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead
§  Frame is always tagged at ingress port of SGT capable device
§  Tagging process prior to other L2 service such as QoS
§  No impact on IP MTU/Fragmentation
§  L2 Frame MTU Impact: ~ 40 bytes = less than baby giant frame (~1600 bytes with 1552 bytes MTU)
Diagram: Employee TAG, Manager TAG, Credit Card Scanner TAG
Security Group Based Access Control
Diagram: "I registered my device", "I'm a manager" -> Cisco ISE assigns Manager SGT = 100; destinations Time Card (SGT=4) and Credit card scanner (SGT=10)
SGACL (SRC\DST): Manager (100) -> Time card: Access; Manager (100) -> Credit card: No access
•  ISE maps tags (SGT) with user identity
•  ISE Authorization policy pushes SGT to ingress NAD (switch/WLC)
•  ISE Authorization policy pushes ACL (SGACL) to egress NAD (ASA or Nexus)
Security Group Access Protocol (Cisco Innovation)
For transport through a non SGT core
Diagram: "I registered my device", "I'm a manager" -> Cisco ISE assigns Manager SGT = 100 to 10.1.100.3; SXP binding table: IP Address 10.1.100.3 -> SGT 100; destinations Time Card (SGT=4) and Credit card scanner (SGT=10)
SGACL (SRC\DST): Manager (100) -> Time card: Access; Manager (100) -> Credit card: No access
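The enforcement chain of slides 36-38 as an added worked example in Python (not Cisco or ISE code): the source is classified through an IP-to-SGT binding of the kind SXP carries across a non-SGT core, the (source SGT, destination SGT) pair selects a cell of the egress matrix, and that cell's SGACL is evaluated first-match in the ACE dialect the deck shows. The Manager/Time Card/Credit card scanner tags and 10.1.100.3 come from the slides; the server IPs, the SGACL contents and the sample flows are constructed.

```python
"""Added example, not Cisco/ISE code: SGT-based egress enforcement as the deck
describes it. Tags and 10.1.100.3 come from the slides; server IPs, SGACL
contents and sample flows are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# IP-to-SGT bindings as an SXP listener at the egress device would hold them.
# 10.1.100.3 -> 100 is the slide's binding; the two server bindings are constructed.
IP_SGT = {
    "10.1.100.3": 100,   # Manager
    "10.1.200.10": 4,    # Time Card application (SGT=4)
    "10.1.250.7": 10,    # Credit card scanner (SGT=10)
}

# SGACLs in the ACE dialect shown on the slides: no IP address in any ACE.
SGACLS = {
    "Time_Card_Protocols": "permit tcp dst eq 443\npermit tcp dst eq 80\ndeny ip",
    "Permit_All": "permit ip",
    "Deny_All": "deny ip",
}

# Egress matrix (SRC\DST). The slide shows Manager (100) -> Time card: Access and
# Manager (100) -> Credit card scanner: No access; the Access cell gets a constructed SGACL.
EGRESS_MATRIX = {
    (100, 4): "Time_Card_Protocols",
    (100, 10): "Deny_All",
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None

def parse_ace(line: str) -> Tuple[str, str, Optional[int]]:
    """'permit tcp dst eq 443' -> ('permit', 'tcp', 443); 'deny ip' -> ('deny', 'ip', None)."""
    parts = line.split()
    port = int(parts[4]) if len(parts) == 5 and parts[2:4] == ["dst", "eq"] else None
    return parts[0], parts[1], port

def sgacl_permits(sgacl_text: str, flow: Flow) -> bool:
    """First-match evaluation of an SGACL, ending in an implicit deny."""
    for line in sgacl_text.strip().splitlines():
        action, proto, port = parse_ace(line)
        if proto != "ip" and proto != flow.proto:
            continue
        if port is not None and port != flow.dst_port:
            continue
        return action == "permit"
    return False

def egress_decision(flow: Flow) -> Tuple[bool, str]:
    """Resolve both ends to SGTs, pick the matrix cell, evaluate its SGACL."""
    src_sgt, dst_sgt = IP_SGT.get(flow.src_ip), IP_SGT.get(flow.dst_ip)
    if src_sgt is None or dst_sgt is None:
        return False, "no SGT binding"   # untagged traffic earns no permit
    name = EGRESS_MATRIX.get((src_sgt, dst_sgt), "Deny_All")
    return sgacl_permits(SGACLS[name], flow), name
```

Cells absent from the matrix fall to Deny_All, so adding a new server group without a policy row denies it by default rather than opening it.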
Cisco Innovation: platform support
Assign SGT to Users / Devices: Catalyst 2K, Catalyst 3K, Catalyst 4K, Catalyst 6K, WLC 7.2, Nexus 7K, Nexus 5K
Transport SGT across Network (Inline/SXP): Cat 6K Sup720 (SXP), Cat 2K-S (SXP), N7K (SXP/SGT), Cat 3K (SXP), N5K (SGT), Cat 3K-X (SXP/SGT), N1Kv (SXP) - Q4CY12, Cat 4K (SXP), Cat 6K Sup2T (SXP/SGT), ASR1K (SXP/SGT), ISR G2 (SXP), WLC 7.2 (SXP), ASA (SXP) - CY12 2H
Enforce Policy based on SGT (SGACL/SGFW): N7K / N5K (SGACL), Cat6K (SGACL), Cat3K-X (SGACL), ASA (SGFW) - CY12 2H, Nexus 1Kv (Q4CY12), ASR1K/ISRG2 (SGFW)
Legend: Blue: ~2011; Red: 2012~
Identity Differentiators (Cisco Innovation)
Authentication Features - Cisco Catalyst Switch
Monitor Mode
•  Unobstructed access
•  No impact on productivity
•  Gain visibility
Flexible Authentication Sequence
•  Enables single configuration for most use cases
•  Flexible fallback mechanism and policies
Rich and Robust 802.1X; IP Telephony Support for Virtual Desktop Environments
•  Single host mode
•  Multihost mode
•  Multiauth mode
•  Multidomain authentication
Critical Data/Voice Authentication
•  Business continuity in case of failure
Diagram: Authorized Users (802.1X); Tablets, IP Phones (MAB); Network Device; Guests (WebAuth)
Device Sensor (Cisco Innovation)
Automated Device Classification Using Cisco Infrastructure
DEVICE PROFILING: CDP, LLDP, DHCP, MAC
Supported Platforms: IOS 15.0(1)SE1 for Cat 3K; IOS 15.1(1)SG for Cat 4K; WLC 7.2 MR1 - DHCP data only; ISE 1.1.1
For wired and wireless networks
POLICY: Printer -> Printer Policy [place on VLAN X]; Personal iPad -> Personal iPad Policy [restricted access]; Access Point
The Solution: Efficient Device Classification Leveraging Infrastructure
DEPLOYMENT SCENARIO WITH CISCO DEVICE SENSORS
COLLECTION: Switch Collects Device Related Data and Sends Report to ISE
CLASSIFICATION: ISE Classifies Device, Collects Flow Information and Provides Device Usage Report
AUTHORIZATION: ISE Executes Policy Based on User and Device
ISE Profiling
Probe Type | Info Provided
RADIUS (Calling-Station-ID) | MAC Address (OUI). Example: 0A:1B:2C = vendor X
DHCP (host-name) | Hostname (default may include device type). Example: jsmith-ipad
DHCP (dhcp-class-identifier) | Device class / type. Examples: BlackBerry, Cisco wireless IP phone
DNS (reverse IP lookup) | FQDN (default hostname may include device type). Example: jsmith-ipad.company.com
HTTP (User-Agent) | Details on specific mobile device type. Examples: iPad, iPhone, iPod, Android, Win7
NMAP Scan (SNMPPortsAndOS-scan) | Trigger endpoint scan for OS. Example: OS= Apple iOS
SNMP Trap/Query (MAC Notification/CDP/LLDP collection) | MAC Address/Interface Data, Session Data and System Query. Examples: 0A:1B:2C/ARP table
Netflow (Capture flows) | Capture flows to match endpoint quintuple traffic. Examples: SRC/DST IP/Port/Protocol
RADIUS Accounting provides MAC:IP binding to support other probes that rely on IP address (DNS, NetFlow, NMAP, and HTTP)
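How the probes in the table feed one endpoint record and a device classification, as an added illustration in Python (not ISE code). The table's closing point, that RADIUS accounting supplies the MAC:IP binding which lets IP-keyed probes (DNS, HTTP) attach to the right endpoint, is what build_endpoints does; evidence arriving for an IP with no binding is left unattributed. The OUI table, rule weights, threshold and sample probe events are constructed; the attribute names and jsmith-ipad are the slide's.

```python
"""Added example, not ISE code: stitch probe data into per-endpoint records and
classify them. The OUI table, rule weights, threshold and sample events are
constructed; RADIUS accounting supplies the MAC:IP binding as the slide says."""
import re
from collections import defaultdict

OUI_VENDOR = {"0A:1B:2C": "vendor X"}   # constructed, mirroring the slide's placeholder OUI

# Constructed rules: (attribute, regex, device class, weight); a class is reported
# only once its summed weight reaches THRESHOLD, so one weak hint is not enough.
RULES = [
    ("dhcp.host-name", r"ipad", "Apple-iPad", 30),
    ("dns.fqdn", r"ipad", "Apple-iPad", 10),
    ("http.user-agent", r"\biPad\b", "Apple-iPad", 40),
    ("dhcp.dhcp-class-identifier", r"BlackBerry", "BlackBerry", 60),
]
THRESHOLD = 60

def normalize_mac(mac):
    """Calling-Station-ID arrives in several notations; canonicalise to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_endpoints(events):
    """Merge probe events into per-MAC attribute dicts; IP-keyed events are attached via
    the MAC:IP binding learned from RADIUS accounting (Framed-IP-Address)."""
    ip_to_mac, endpoints = {}, defaultdict(dict)
    for ev in events:
        probe = ev["probe"]
        if probe == "radius":
            mac = normalize_mac(ev["Calling-Station-ID"])
            endpoints[mac]["radius.oui"] = OUI_VENDOR.get(mac[:8], "unknown")
            ip_to_mac[ev["Framed-IP-Address"]] = mac
            continue
        mac = normalize_mac(ev["mac"]) if "mac" in ev else ip_to_mac.get(ev["ip"])
        if mac is None:
            continue   # IP evidence with no binding cannot be attributed to an endpoint
        for key, value in ev.items():
            if key not in ("probe", "mac", "ip"):
                endpoints[mac][f"{probe}.{key}"] = value
    return dict(endpoints)

def classify(attrs):
    """Sum rule weights per device class; report the best class once it clears THRESHOLD."""
    scores = defaultdict(int)
    for attr, pattern, cls, weight in RULES:
        if attr in attrs and re.search(pattern, attrs[attr], re.IGNORECASE):
            scores[cls] += weight
    best = max(scores, key=scores.get, default=None)
    return best if best is not None and scores[best] >= THRESHOLD else "Unknown"

EVENTS = [   # constructed sample probe data; jsmith-ipad is the slide's example hostname
    {"probe": "radius", "Calling-Station-ID": "0a-1b-2c-00-11-22", "Framed-IP-Address": "10.1.100.3"},
    {"probe": "dhcp", "mac": "0A:1B:2C:00:11:22", "host-name": "jsmith-ipad"},
    {"probe": "dns", "ip": "10.1.100.3", "fqdn": "jsmith-ipad.company.com"},
    {"probe": "http", "ip": "10.1.100.3", "user-agent": "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X)"},
    {"probe": "http", "ip": "10.9.9.9", "user-agent": "Mozilla/5.0 (Windows NT 6.1)"},  # no binding yet
]

def profile_all(events):
    return {mac: classify(attrs) for mac, attrs in build_endpoints(events).items()}
```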
•  Catalyst 6K Supervisor 2T
- Layer 3 SGT
- VLAN to SGT mapping
- Subnet to SGT Mapping
- MACsec
- MACsec over EoMPLS
- Native Security Group Tagging
- Advanced Identity features
•  Cisco WLC 7.2 (WLC 7500/5500/2500)
- SXP support
- RADIUS CoA on Open SSIDs
- BYOD support
- Device Sensor (DHCP)
- FlexConnect enhancements
•  Catalyst 4K Supervisor 7E
- Advanced Identity Features
- MACSEC (switch-to-switch and switch-client)
- Device Sensor
•  Catalyst 3K-X
- Advanced Identity features
- Native Security Group Tagging
- Device Sensor
- MACSEC (switch-to-switch and switch-client)
Tying it All Together
Contextual Access Control: User, Device Type, Location, Posture, Time, Access Method, Custom
BYOD
•  User Self Onboarding
•  MDM Vendor Partnerships
Access Control
•  Context: Who/What/How/Where
•  Visibility: Profiling
Holistic Solution
•  SGA: Topology independent, Business language
•  Enforcement: Router/Switch/Controller feature
•  Endpoint: Posture, VPN
•  Info stores: AD, LDAP, DHCP, MDM
•  ISE Information: http://www.cisco.com/go/ise
•  Cisco TrustSec (SGA and certified solutions): www.cisco.com/go/trustsec
•  Application Notes and How-To Guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
•  Design Zone – BYOD Reference Design: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html#~overview
•  ATP Program Site: http://www.cisco.com/web/partners/partner_with_cisco/channel_partner_program/resale/atp/ise.html
•  Partner Security Home Page: https://communities.cisco.com/community/partner/borderlessnetworks/security
•  ATP Partner Resource Center (for certified Partners): http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp