Brain Storm March 12th Session V 8

Break-1659 – Building and Managing a Secure BYOD Environment
Tuesday, Mar 12, 9:45 AM - 10:45 AM
Timothy Guy - Solutions Architect
Brad Garczynski - Systems Engineer
Building and Managing a Secure BYOD Environment
One-to-one initiatives have flooded K-12 classrooms with new devices. The cost associated with these devices continues to pose a large financial burden.
It is widely thought that allowing students to bring their own device into the classroom (BYOD) would dramatically reduce this burden.
The challenge is to incorporate a management solution that provides a secure and effective BYOD environment.
• Discussion Topics:
– How to properly secure a BYOD environment
– How to deliver educational content across various devices
– Allowing secure device access to district applications
How did we get here?
Topics
– How did we get here (story)
– Right Priority, Unpopular Message
– Identity Services Engine (ISE) 101
– Live ISE demo: Dynamic ACL / Dynamic VLANs / Web Auth / Reporting / User Integration
– Mobile Device Management (MDM) solutions
– Live demo of CX next-generation firewalls for applications
– Questions
Right Priority, Unpopular Message
1. Solid, switched, virtualized network
2. Pervasive RF in all areas where students will be focused, with Central Web Authorization
3. Internet capacity to allow consumption without frustration, and ensure filtering is accurate
4. High-capacity virtualized server environment for applications
5. Add Identity Services posture and profile services to Authorization, with NCS Prime for management
6. Utilize an MDM for rapid deployment
ISE 101
Solutions Overview
What we have done so far…
[Flow diagram: Start Here → Single Service? → no: Access-Reject; yes: Access-Accept]
What is the flow of a Policy in ISE…
[Policy flow diagram: Start Here → decision nodes Registered Guest, Student, i-Device and Registered Device (each with Yes/No branches) → outcomes Access-Reject, Access-Accept and Internet Only]
Live Demo of ISE
– Dynamic ACL
– Dynamic Vlans
– Web Authentication
– Reporting
– User Integration
ISE Deep Dive
ISE Personas
Administration Node
– Interface to configure policies
Monitoring Node
– Interface for logging and report data
Policy Service Node (PSN)
– Engine that makes policy decisions
Network Access Device (NAD)/Inline Posture Node
– Interface that queries Policy Service node and enforces policy
External Attribute Stores
– Interface to retrieve policy or policy information
Basic 2-Node ISE Deployment (Redundant)
• Maximum endpoints – 2000
• Redundant sizing – 2000
[Diagram: two ISE nodes, each running the Admin, Monitoring and Policy Service personas, with the Primary/Secondary Admin roles and the Primary/Secondary Monitoring roles split across the two nodes]
Distributed Deployment
• Administration + Monitoring on the same appliance; Policy Service on dedicated appliances
• 2 x Admin+Monitor
• Max 5 PSNs
• Max 10k endpoints
[Diagram: two Admin/Mon appliances and five Policy Service appliances]
Typical ISE Deployment - Example Small School District
[Diagram: A/S Admin, Monitoring and Policy Service nodes; AD/LDAP (external ID/attribute store); HA Inline Posture Nodes; Campus A with ASA VPN, WLC, 802.1X switch and AP; Branch A and Branch B each with an AP and an 802.1X switch]
Typical ISE Deployment - Example Medium 2-Building Campus
[Diagram: A/S Admin + Monitoring nodes; Policy Service cluster; AD/LDAP (external ID/attribute store); distributed Policy Service node; HA Inline Posture Nodes; distributed Inline Posture Node; ASA VPN; Campus A and Campus B each with WLC, 802.1X switch and AP; Branch A and Branch B each with an AP and an 802.1X switch]
Mobile Device Management
[Diagram: Cisco Prime Infrastructure, Mobility Services Engine w/ Assurance (MSE), Catalyst Switches, Mobile Device Management, Identity Services Engine (ISE), Cisco WLC and Cisco AnyConnect spanning the Wired Network, Wireless Network and Remote Access Network]
ISE & MDM Are Complementary
Network Enablement (ISE):
– Mobile + PC classification/profiling
– Secure network access (wireless, wired, VPN)
– AUP
– Registration
– User <-> Device ownership
– Cert + supplicant provisioning
– Context-aware access control (role, location, etc.)
Mobile Device Management:
– Enterprise software distribution
– Management (backup, remote wipe, etc.)
– Policy compliance (jailbreak, pin lock, etc.)
– Secure data containers
– Inventory management
Mobile Device Management Flow
Multi-Context NG Firewall
Multiple Contexts - One Firewall
– BYOD segments
– Student wired segments
– Guest segments
Closing discussion
– Topics to take away and respond to
Leave you with these questions:
• What is your BYOD policy?
• Where is your BYOD roadmap?
• How do you know what is on your network at any given time, and what it is doing?
• How do you allow contractors access to your network?
• How do you profile devices?
• How do you ensure data loss prevention on devices?
• How would you minimize the risk of your 802.1X rollout without risking outages?
• How would you segment data center access?
Reference Slides
Solution: Cisco TrustSec
[Diagram: remote VPN user, wireless user and VPN user devices entering an identity-enabled infrastructure; policy-based access and services from Identity Services Engine (ISE): guest access, profiling, posture; scalable enforcement via VLANs, dACLs and SGTs; security zones for Data Center, Intranet and Internet]
Netech demo at end of presentation
Device Profiling – 1st defense
• Allows different access levels to be automatically applied to different devices, even when using the same credentials.
– For example:
• Mobile devices = Internet + AirPlay
• Laptops allowed full access with posture assessment
– No need for certificates, etc.
– Can isolate or deny access to certain device types as well
Posture assessment – 2nd defense
• Performs additional checks to verify the workstation is yours before allowing full network access
– Can validate just about anything on the device before allowing network access
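The profiling and posture slides above, together with the policy-flow diagram earlier in the deck, describe one decision path. The evaluator below is an added example written for this page, not Cisco ISE code or the presenters' material: the rule order, the identity-group and device-type labels, the dACL names, the denied-device list and the outcomes chosen for unregistered or non-compliant devices are all assumptions. What it demonstrates is the central claim of the profiling slide: the same student credentials yield different access depending on what the device profiles as and whether posture passes.

```python
"""Toy authorization evaluator modelled on the ISE policy-flow diagram and the
profiling/posture slides. Added illustration, not Cisco ISE code: rule order,
attribute names, dACL names and the non-compliant outcomes are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Device types the district chooses to keep off the network entirely
# (constructed list; the slide only says "certain device types" can be denied).
DENIED_DEVICE_TYPES = {"game-console", "smart-tv"}


@dataclass
class Request:
    identity_group: str                 # "guest", "student" or "staff" (constructed labels)
    registered: bool                    # endpoint registered (guest or MyDevices registration)
    device_type: str                    # profiler result, e.g. "i-Device" or "laptop"
    posture_compliant: Optional[bool]   # None = no posture assessment available


@dataclass
class Decision:
    result: str     # RADIUS result: "Access-Accept" or "Access-Reject"
    access: str     # human-readable access level
    dacl: str       # downloadable ACL name pushed with the Accept (constructed names)


REJECT = Decision("Access-Reject", "none", "")


def evaluate(req: Request) -> Decision:
    """Walk the decision points of the flow diagram in (assumed) order."""
    # 1. Profiled device type that policy isolates/denies outright.
    if req.device_type in DENIED_DEVICE_TYPES:
        return REJECT
    # 2. Registered guest -> Internet only; unregistered guest -> reject.
    if req.identity_group == "guest":
        if req.registered:
            return Decision("Access-Accept", "internet-only", "PERMIT_INTERNET_ONLY")
        return REJECT
    # 3. Anyone who is neither student nor staff (treated alike here) is rejected.
    if req.identity_group not in ("student", "staff"):
        return REJECT
    # 4. i-Device: profiling alone decides, no certificate needed (1st defense).
    if req.device_type == "i-Device":
        if req.registered:
            return Decision("Access-Accept", "internet+airplay", "PERMIT_INTERNET_AIRPLAY")
        # Assumption: an unregistered mobile device lands in the "Internet Only" outcome.
        return Decision("Access-Accept", "internet-only", "PERMIT_INTERNET_ONLY")
    # 5. Laptop: full access only after posture assessment passes (2nd defense).
    if req.device_type == "laptop":
        if req.posture_compliant is True:
            return Decision("Access-Accept", "full", "PERMIT_ALL")
        # Assumption: failed or missing posture keeps the laptop on Internet only
        # so it can remediate, instead of rejecting it outright.
        return Decision("Access-Accept", "internet-only", "PERMIT_INTERNET_ONLY")
    # 6. Unknown device type: nothing matched, default deny.
    return REJECT


def same_credentials_demo() -> dict:
    """Same student credentials on three differently profiled devices."""
    student = dict(identity_group="student", registered=True)
    return {
        "iphone": evaluate(Request(**student, device_type="i-Device", posture_compliant=None)).access,
        "laptop_ok": evaluate(Request(**student, device_type="laptop", posture_compliant=True)).access,
        "laptop_bad": evaluate(Request(**student, device_type="laptop", posture_compliant=False)).access,
    }


if __name__ == "__main__":
    for name, access in same_credentials_demo().items():
        print(f"{name}: {access}")
```

Run it directly to print the three outcomes for one student account; the denylist at the top is where the "isolate or deny certain device types" rule lives, and evaluating it first keeps a denied device from ever reaching the credential-based branches.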
Inline Posture Node High Availability - Remote Access Example
[Diagram: ISE Inline node ACTIVE and ISE Inline node STANDBY; ASA HA (A/S) or VPN cluster, with VPN client HA via a single ASA HA IP or VPN Cluster IP; Internet routers to ISP A and ISP B; external switch; L3 switch with a trunk carrying VLANs 11-15; each inline node with eth1 on VLAN 11 (untrusted, inline service IP), eth0 on VLAN 12 (trusted, inline service IP) and eth2 as heartbeat link, plus state and FO links; ASA redundant links; internal network]
VLANs
• VLAN 11: ASA VPN; Inline node untrusted
• VLAN 12: Inline node trusted
• VLAN 13: Inline Heartbeat Link
• VLAN 14: ASA Inside
• VLAN 15: Internal Network
School Issues Addressed by CS
[Table: columns School Issue / Student; body not recovered]
Mobile Device Management on Cloud
• For cloud-based solutions, bandwidth and latency will need to be considered.
• Scalability = 30 calls per second.
• Survivability:
– If the MDM is not available, the rule will not match.
– Will (by default) stick the user in the "Register with MDM" state.
• Ability for administrator and user in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping the device)
• MyDevices Portal
– Endpoints Directory in ISE
Mobile Device Management API
• With the API, we can query on:
– General Compliant or !Compliant (macro level), or
– Disk encryption
– Pin lock
– Jail broken
• Bulk re-check against the MDM every 4 hours.
– But we are not using the cached data in the AuthZ.
• If the result of the bulk re-check shows that a device is no longer compliant, we will send a CoA (Change of Authorization) to terminate the session.
• Works the same with all 4 vendors.
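To make the survivability rule on the cloud slide and the bulk re-check on this slide concrete, here is an added Python model; it is not ISE code or any vendor's MDM API. The MDM client, its record fields, the session object, the CoA callback and the "Quarantine" outcome for a non-compliant device are stand-ins constructed for the example. What it reproduces from the slides is: a live MDM query at AuthZ time rather than cached data, the "Register with MDM" state when the MDM is unreachable or does not know the device, the macro-level versus per-attribute compliance query, and a CoA terminate for sessions whose device is no longer compliant at re-check time.

```python
"""Model of the ISE <-> MDM behaviour on the slides: live compliance query at
AuthZ, "Register with MDM" when the MDM is unavailable, and a periodic bulk
re-check that CoA-terminates sessions whose device lapsed. Added example; the
MDM client, record fields, CoA callback and "Quarantine" outcome are stand-ins."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

RECHECK_INTERVAL_SECONDS = 4 * 60 * 60   # bulk re-check cadence stated on the slide


class MDMUnavailable(Exception):
    """Raised when the (cloud) MDM cannot be reached."""


@dataclass
class MdmRecord:
    compliant: bool        # macro-level "Compliant / !Compliant" flag
    disk_encrypted: bool
    pin_lock: bool
    jailbroken: bool


class FakeMdm:
    """Stand-in for a vendor MDM REST API, keyed by endpoint MAC (constructed)."""

    def __init__(self, records: Dict[str, MdmRecord], available: bool = True):
        self.records = records
        self.available = available
        self.calls = 0

    def query(self, mac: str) -> Optional[MdmRecord]:
        if not self.available:
            raise MDMUnavailable(mac)
        self.calls += 1
        return self.records.get(mac)


def is_compliant(rec: MdmRecord, macro_only: bool = False) -> bool:
    """Macro-level check, or the individual attributes the API exposes."""
    if macro_only:
        return rec.compliant
    return rec.compliant and rec.disk_encrypted and rec.pin_lock and not rec.jailbroken


def authorize(mac: str, mdm: FakeMdm) -> str:
    """AuthZ outcome for a new session: always a live MDM query, never cached data."""
    try:
        rec = mdm.query(mac)
    except MDMUnavailable:
        # Survivability: the MDM rule does not match, so the default outcome
        # puts the user in the "Register with MDM" state.
        return "Register with MDM"
    if rec is None:
        return "Register with MDM"      # unknown to the MDM: enrol first
    return "Access-Accept" if is_compliant(rec) else "Quarantine"  # "Quarantine" is assumed


@dataclass
class Session:
    session_id: str
    mac: str
    compliant: bool     # compliance state when the session was authorized


def bulk_recheck(sessions: List[Session], mdm: FakeMdm,
                 send_coa: Callable[[str, str], None]) -> List[str]:
    """Re-query every active session's device; CoA-terminate the ones that lapsed."""
    terminated = []
    for s in sessions:
        try:
            rec = mdm.query(s.mac)
        except MDMUnavailable:
            continue                    # no fresh data: leave the session alone
        now_ok = rec is not None and is_compliant(rec)
        if s.compliant and not now_ok:
            send_coa(s.session_id, "terminate")
            terminated.append(s.session_id)
        s.compliant = now_ok
    return terminated


def run_example() -> dict:
    """Constructed scenario: one of two devices becomes jailbroken between checks."""
    records = {
        "aa:bb:cc:00:00:01": MdmRecord(True, True, True, False),
        "aa:bb:cc:00:00:02": MdmRecord(True, True, True, False),
    }
    mdm = FakeMdm(records)
    sessions = [Session("s1", "aa:bb:cc:00:00:01", True),
                Session("s2", "aa:bb:cc:00:00:02", True)]
    coas: List[tuple] = []
    records["aa:bb:cc:00:00:02"].jailbroken = True     # device lapses after AuthZ
    terminated = bulk_recheck(sessions, mdm, lambda sid, act: coas.append((sid, act)))
    offline = authorize("aa:bb:cc:00:00:01", FakeMdm(records, available=False))
    return {"terminated": terminated, "coas": coas, "offline_authz": offline}


if __name__ == "__main__":
    print(run_example())
```

The re-check deliberately skips sessions when the MDM is unreachable rather than terminating them: with no fresh data there is no basis for a CoA, which mirrors the slide's point that cached data is not used for AuthZ decisions.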
Mobile Device Management Solutions
– Cisco published specs to 4 vendors:
• AirWatch 6.2
• MobileIron 5.0
• ZenPrise 7.1
• Good Version 2.3
– Require API to be open
– Only one MDM at a time
Local LAN Auth Example
Monitoring - Distributed Log Collection
• ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and centralized correlation and storage.
• Each ISE node collects logs locally from itself; Policy Service nodes running Profiler Services may also collect log (profile) data from NADs.
• Each node buffers and transports collected data to each Monitoring node as Syslog.
• NADs may also send Syslog directly to the Monitoring node on UDP/20514 for activity logging, diagnostics, and troubleshooting.
[Diagram: NADs, Policy Service nodes, Monitoring nodes and external log servers; link labels: HTTP SPAN, DHCP SPAN/Helper/Proxy, NetFlow, SNMP Traps and RADIUS (NADs to Policy Service nodes); Syslog (UDP/20514) and Profiler Syslog (UDP/30514) (to Monitoring nodes); alarm-triggered Syslog and Syslog (UDP/20514) (Monitoring nodes to external log targets)]
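The slide above gives the listener ports and the collection path. The following Python model is an added example, not ISE code: it shows how a single node's collector could classify inbound syslog by destination port (UDP/20514 activity logging, UDP/30514 profiler data), buffer the records, and fan each one out to every Monitoring node. The node names, the sample syslog lines and the in-memory delivery map are constructed for the example; the PRI parsing follows the BSD syslog convention of facility*8+severity.

```python
"""Model of the distributed log-collection path on the slide: syslog records are
classified by destination port, buffered on the collecting node, then delivered
to every Monitoring node. Added example, not ISE code; sample lines, node names
and the in-memory "delivery" map are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

ACTIVITY_PORT = 20514      # Syslog for activity logging, diagnostics, troubleshooting
PROFILER_PORT = 30514      # Profiler Syslog from Policy Service nodes
PIPELINE = {ACTIVITY_PORT: "activity", PROFILER_PORT: "profiler"}

# BSD-style syslog: "<PRI>" prefix, then the message text.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.+)$")


def parse_syslog(raw: str) -> Optional[dict]:
    """Split the PRI field into facility/severity; None for malformed input."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None                     # facility 0-23 and severity 0-7 only
    return {"facility": pri >> 3, "severity": pri & 7, "msg": m.group("msg")}


class NodeCollector:
    """Local buffer on one ISE node; flush() fans out to all Monitoring nodes."""

    def __init__(self, node_name: str, monitoring_nodes: List[str]):
        self.node_name = node_name
        self.monitoring_nodes = monitoring_nodes
        self.buffer: List[dict] = []
        self.dropped = 0

    def receive(self, source: str, dst_port: int, raw: str) -> bool:
        pipeline = PIPELINE.get(dst_port)
        rec = parse_syslog(raw) if pipeline else None
        if rec is None:
            self.dropped += 1           # unknown listener port or malformed line
            return False
        rec.update(source=source, pipeline=pipeline, collected_by=self.node_name)
        self.buffer.append(rec)
        return True

    def flush(self, monitoring: Dict[str, List[dict]]) -> int:
        """Deliver each buffered record to every Monitoring node, then clear."""
        for rec in self.buffer:
            for mnt in self.monitoring_nodes:
                monitoring[mnt].append(rec)
        n = len(self.buffer)
        self.buffer.clear()
        return n


def run_example() -> dict:
    # Constructed sample feed: (source, destination port, raw syslog line)
    feed = [
        ("switch-a", 20514, "<134>RADIUS Access-Accept user=jdoe mac=aa:bb:cc:00:00:01"),
        ("psn-1", 30514, "<190>Profiler: aa:bb:cc:00:00:01 matched Apple-iDevice"),
        ("wlc-1", 20514, "<132>Web Auth success for 10.1.20.55"),
        ("switch-b", 5000, "<134>sent to a port nobody listens on"),
        ("switch-b", 20514, "garbage without a PRI header"),
    ]
    monitoring: Dict[str, List[dict]] = defaultdict(list)
    node = NodeCollector("psn-1", ["mnt-primary", "mnt-secondary"])
    accepted = sum(node.receive(*item) for item in feed)
    flushed = node.flush(monitoring)
    return {
        "accepted": accepted, "dropped": node.dropped, "flushed": flushed,
        "per_monitor": {k: len(v) for k, v in monitoring.items()},
        "profiler_msgs": [r["msg"] for r in monitoring["mnt-primary"] if r["pipeline"] == "profiler"],
        "severities": [r["severity"] for r in monitoring["mnt-secondary"]],
    }


if __name__ == "__main__":
    print(run_example())
```

Dropping a record that arrives on a port with no listener, rather than guessing a pipeline for it, is what makes a misconfigured NAD show up in the `dropped` counter instead of silently polluting the profiler feed.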
Administration HA and Synchronization
• Changes made via the Primary Administration DB are automatically synced to the Secondary Administration node and all Policy Service nodes.
[Diagram: Admin user → Admin Node (Primary) → policy sync to Admin Node (Secondary) and to the Policy Service nodes; Policy Service nodes log to Monitoring Node (Primary) and Monitoring Node (Secondary)]