ISE EBC
C97-654933-00 | © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco TrustSec Solution: Identity Services Engine (ISE)
Introduction and Overview
Forward-Looking Statements
Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
The Network Policy Is an Extension of Business Goals and Objectives
What Exactly Is Your Network Policy?
Chief Information Officer:
“I need to onboard consumerized IT devices to reduce desktop computing costs”
“I need to support an organization that works globally”
“We must be compliant with regulations, and be able to prove that we are compliant”
“Our business transactions need to be protected from malicious attack”
Policy Evolving with Borderless Networks
• Traditional policy: The RIGHT Person / An approved Device / In The Right Way
• Borderless Networks: Anyone / Any Device / Anywhere / Anytime
Cisco Borderless Network Architecture
Diverse Workforce: Always-On Employees, Consumer IT Devices, Multi-Modal
Cisco TrustSec® is what protects a borderless network
Borderless Management and Policy
Borderless End-Point/User Services: Mobility, Workplace Experience, Video
Solutions: Mobility (Motion); Green (Cisco EnergyWise); Video and Voice (Medianet); Application Performance; Security (Cisco TrustSec)
Infrastructure: Switching, Wireless, WAAS, Routing, Security
Secure, Reliable, Seamless, Collaborative Cisco® Services for Borderless Network
Cisco TrustSec® Securely Enables Your Business by Applying the Appropriate Policies Throughout the Network
“We need to monitor the real-time mapping of people to device for accountability and compliance”
“Employees now get $1500 to buy laptops and are responsible for updating, but they can also get corporate-issued smart phones to access corp data anywhere, any time”
“I need to onboard consumerized IT devices to enable new services while reducing our desktop computing costs”
Cisco TrustSec Solution
Cisco TrustSec: Identity Services Engine
ISE: Policies for people and devices
Non-User Devices
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?
Guest Access
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?
Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart devices?
• Access rights on-prem, at home, on the road?
• Are devices healthy?
A Practical Example of Policies
“Printers should only ever communicate internally”
“Employees should be able to access everything but have limited access on personal devices”
“Everyone’s traffic should be encrypted”
Diagram: Internet, Campus Network, Internal Resources; Cisco Wireless LAN Controller, Cisco Access Point, Cisco® Identity Services Engine, Cisco Switches
Advantages of Identity Services Engine
Consolidated Services, Software Packages: Simplify Deployment & Admin
• ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidated into ISE
Session Directory: Tracks Active Users & Devices
• Location, User ID, Access Rights, Device (& IP/MAC)
Flexible Service Deployment: Optimize Where Services Run
• Admin Console, Distributed PDPs, M&T, All-in-One HA Pair
Policy Extensibility: Link in Policy Information Points
• Manage Security Group Access, Keep Existing Logical Design
• Example security group access matrix:
  SGT    Public   Private
  Staff  Permit   Permit
  Guest  Permit   Deny
System-wide Monitoring & Troubleshooting: Consolidate Data, Three-Click Drill-In
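The practical-example slide (printers internal only, employees full access but limited on personal devices) and the security group access matrix above describe one mechanism: ISE classifies a session into a security group at ingress, and the network enforces a source-group by destination-group matrix at egress. The following Python model is an added illustration of that two-stage decision and is not Cisco code or ISE's real policy language; the group names, the session fields, the spoofing heuristic and the reading of "limited access" as Internet-only are all assumptions.

```python
# Added illustration of TrustSec-style policy: ISE-like classification at
# ingress (session context -> security group tag) and SGACL-like enforcement at
# egress (source SGT x destination group matrix). Not Cisco code; every name,
# the session fields and the concrete rules below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user_group: Optional[str]  # directory group from 802.1X auth, None if no user authenticated
    device_type: str           # profiling result: "corp-laptop", "byod", "printer", "unknown"
    posture_ok: bool           # host posture assessment passed


# Security group tags assigned at ingress (assumed names).
SGT_STAFF, SGT_BYOD, SGT_PRINTER = "Staff", "Staff-Personal", "Printer"
SGT_GUEST, SGT_QUARANTINE, SGT_UNKNOWN = "Guest", "Quarantine", "Unknown"

# Destination groups used in the egress matrix (assumed names).
DST_INTERNAL, DST_INTERNET, DST_REMEDIATION = "Internal", "Internet", "Remediation"


def authorize(s: Session) -> str:
    """Ingress decision: map session context to a security group tag."""
    if s.device_type == "printer":
        # A printer is a MAB-authenticated, profiled device with no user behind it.
        # A user credential arriving from something profiled as a printer is the
        # spoofing case the deck asks about; treat it as untrusted, not as a printer.
        return SGT_QUARANTINE if s.user_group is not None else SGT_PRINTER
    if s.user_group is None:
        return SGT_GUEST
    if not s.posture_ok:
        return SGT_QUARANTINE
    if s.device_type == "corp-laptop":
        return SGT_STAFF
    if s.device_type == "byod":
        return SGT_BYOD
    return SGT_UNKNOWN  # authenticated user on an unprofiled device: least privilege


# Egress matrix: only listed (src, dst) pairs are permitted; everything else is
# denied, including any SGT the matrix has never heard of.
SGACL: Dict[Tuple[str, str], bool] = {
    (SGT_STAFF, DST_INTERNAL): True,
    (SGT_STAFF, DST_INTERNET): True,
    (SGT_BYOD, DST_INTERNET): True,         # "limited access on personal devices" (assumed: Internet only)
    (SGT_PRINTER, DST_INTERNAL): True,      # "printers should only ever communicate internally"
    (SGT_GUEST, DST_INTERNET): True,        # Internet-only guest access
    (SGT_QUARANTINE, DST_REMEDIATION): True,
}


def permit(src_sgt: str, dst_group: str) -> bool:
    """Egress decision: default deny unless the matrix explicitly permits."""
    return SGACL.get((src_sgt, dst_group), False)


def evaluate(s: Session, dst_group: str) -> Tuple[str, bool]:
    """End-to-end: classify the session, then enforce the egress matrix."""
    sgt = authorize(s)
    return sgt, permit(sgt, dst_group)


def check_deck_policies() -> List[Tuple[str, str, bool]]:
    """Run the policies stated on the practical-example slide through the model
    using constructed sessions (not captured data)."""
    printer = Session(None, "printer", True)
    staff_corp = Session("Employees", "corp-laptop", True)
    staff_byod = Session("Employees", "byod", True)
    flows = [
        (printer, DST_INTERNAL), (printer, DST_INTERNET),
        (staff_corp, DST_INTERNAL), (staff_corp, DST_INTERNET),
        (staff_byod, DST_INTERNAL), (staff_byod, DST_INTERNET),
    ]
    return [(authorize(s), d, permit(authorize(s), d)) for s, d in flows]


if __name__ == "__main__":
    for sgt, dst, ok in check_deck_policies():
        print(f"{sgt:15s} -> {dst:12s} {'permit' if ok else 'deny'}")
```

Two points the model makes concrete: the egress matrix is default-deny, so a tag that is never assigned (or a forged one) gets nothing, and profiling alone does not stop a spoofed printer, which is why the printer group is kept to internal destinations only. The third slide policy, "everyone's traffic should be encrypted", is link encryption (listed under the base feature set in the licensing slide) and is outside this model.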
ISE Packaging and Licensing
Base Feature Set (Perpetual Licensing): Authentication / Authorization; Guest Provisioning; Link Encryption Policies
Advanced Feature Set (Term Licensing): Device Profiling; Host Posture; Security Group Access
Appliance Platforms: Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance
Upgrades and Migrations
ACS, NAC Guest, NAC Profiler, NAC Manager and NAC Server migrate to Identity Services Engine
• Current hardware is software upgradeable (1121/3315/3355/3395)
• Migration program for older hardware at large discount levels
• License migration program for all software licenses
• Data and configuration migration tools available*
*Available over future releases
Existing Investments Protected
Two-Year Roadmap Outlook
Converged Policy Platform (ISE = NAC + ACS + Guest + Profiler)
• AAA, 802.1x, guest, profiler, posture
• System monitor & diagnosis
• “ISE”: Next-generation ACS + NAC
Unified Agent
• Offers Cisco AnyConnect™ technology: on- and off-premises security
• Extends 802.1x & VPN client + NAC
• Extends management to Positron
Identity Based Firewall
• User, group, device based policy
• ASA & Positron platforms
• User group enforcement (e.g. Sales, HR, UK Employees)
Simplified Device Profiling
• Cisco delivered device template feed
• Switches collect & forward device fingerprint, no traffic re-engineering
Network Infection Containment
• Streamline the locate, contain, & remediation process
• Leverage reputation & NIPS feeds
System-wide Monitoring & Troubleshooting
• Single admin pane-of-glass
• Wired & wireless infrastructure
Diagram: Network Device Provisioning, Identity Policy, Monitoring & Troubleshooting, Client Management, Cisco Security Intelligence Ops
ISE: Looking to the Future (Today to Tomorrow)
Cisco TrustSec / ISE: Context Awareness; Visibility & Control; Policy Enablement Platform; Policy Management
Policy Governed Networks: Business Relevant Policies; Policy Based on Business Objects; Policy Enabled Services
Diagram labels: Guests, Device, Full, Internet, Quarantine
Cisco SecureX Architecture
Management, Services, Partners; Application Programming Interfaces
Secure Endpoint (AnyConnect); Secure Virtual and Cloud (Nexus 1K and Cloud Connected Network)
Cisco Infrastructure: Control, Visibility, Context; Network, Cloud, Integrated, Overlay
Context Aware Enforcement; Context Aware Policy; Access Control; TrustSec
Cisco SIO Threat Intelligence
Thank you.