© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Zakaria Ben Letaief – Network Security Consultant
Securing the “Bring Your Own Device” Concept with Cisco “Identity Services Engine”
http://www.cisco.com/go/challenge
Take the BYOD Challenge (only for Customers): Win a Trip to the Olympic Games
Demand for Mobile Access
(Infographic slide: survey figures on employees using personal devices for work, IT staff keeping up with mobile needs, new networked mobile devices, and EU information workers' mobile working time; the percentages did not survive extraction.)
Driving Ongoing Shift to BYOD: Device Diversity is here to stay
User Wants
• Consistent experience on multiple devices
• Seamless transitions between devices
• Separation of work and personal data
• Keep up with tech and social trends
IT Wants
• Proactive adoption of consumer/mobile devices
• Embrace BYOD without sacrificing security, management, business standards
• Lower organizational costs
• Improved agility
(Chart figures on device mix and adoption rates did not survive extraction.)
BYOD Security Threats and Needs: Employee-owned Mobile Devices Are Riskiest
THREATS
• Difficult to control and secure (1/3 of all workers are out of the office)
• Malware (Web: #1 attack vector)
• Vulnerability to the organization
• Data loss from lost or stolen devices
• Access control breach
• Policy compliance challenges
BYOD* is Riskiest. Source: 2011 ISACA IT Risk/Reward Barometer, US Edition (www.isaca.org/risk-reward-barometer)
Addressing BYOD threats
• Protect endpoints from web 2.0 threats
• Provide secure remote access from devices
• Authenticate & Authorize wireless users who are connecting to the network (Guests, Contractors, etc.)
IT Challenges to Mobile Freedom
The BYOD Spectrum
Limit: Environment requires tight controls; Corp Only Device
  Mfg Environment, Trading Floor, Classified Gov Networks, Traditional Enterprise
Basic: Focus on basic services, easy access, almost anybody; Broader Device Types But Internet Only
  Edu Environments, Public Institutions, Simple Guest
Enhanced: Enable differentiated services, on-boarding with security – onsite/offsite; Multiple Device Types + Access Methods
  Healthcare, Early BYOD Enterprise Adopters, Contractor Enablement
Advanced: Corp native apps, new services, full control; Multiple Device Types, Corp Issued
  Innovative Enterprises, Retail on Demand, Mobile Sales Services (Video, Collaboration, etc.)
Cisco BYOD Building Blocks
• Unified Infrastructure
• Policy
• Apps
• Management
• Security
• Virtualization
BYOD Use Cases <-> Solutions
Limit
• Business Policy: Block Access
• IT Requirements: Visibility to who/what is on the network; restrict access to only corporate-issued devices
• User Scenario (Example): Hospital extends wired access to medical staff only
Basic
• Business Policy: Role Based Access (Guest Access)
• IT Requirements: Restrict personal devices to the public internet; restricted access to internal sites
• User Scenario (Example): Hospital provides guest access to patients
Enhanced
• Business Policy: Secure granular On-site and Off-Site Mobility
• IT Requirements: Allow granular on-site and off-site access to network/applications
• User Scenario (Example): Doctor uses personal device in hospital and in an offsite coffee-shop
Advanced
• Business Policy: Full Workspace Experience
• IT Requirements: Enable a full mobile and collaboration experience
• User Scenario (Example): Hospital administrator is granted full network access and uses native applications (i.e. HR applicant tracking system)
Solution Technology (by layer)
• Core network: Cisco Switches, Cisco Wireless LAN Infrastructure
• Management: Cisco Prime Infrastructure
• Identity and Policy: Cisco Identity Services Engine, 3rd Party MDM
• Security and Remote Access: Cisco Firewalls, Cisco ESA/WSA, Cisco AnyConnect, ScanSafe
• Applications: Enterprise Apps, Collaboration Apps
• Virtualization: Application Virtualization and Desktop Virtualization (Cisco VXI, UCS, Nexus)
BYOD Key Functionality and Success
What is success?
A well designed Mobility / Unified Access Network provides:
• CONTROL (ISE) and VISIBILITY (Prime) for IT
• DEVICE CHOICE and PREDICTABILITY (CleanAir, ClientLink, VideoStream) for Users
• BALANCE between the number of wired ports (1:1 ratio) and wireless radios (25:1 ratio)
Key Functionality
• Unified wired and wireless network with centralized policy management
• Sponsored guest and contractor access management that is isolated and accountable
• “AAA” (Authentication, Authorization, and Accounting) to determine “who” accesses your network
• “PP” (Profiling and Provisioning) to simplify onboarding of personal devices and enforce the “what, where, when, and how” users access your network
Cisco BYOD: Solution to IT Challenges to Mobile Freedom
Agenda
BYOD Mobility & Security
Challenges
Cisco Secure Mobility
Identity Services Engine
Cisco Prime
Cisco Wireless LAN Infrastructure
Cisco BYOD in Action
Cisco Secure Mobility
• Cisco AnyConnect
• Cisco Content Security
• Cisco ASA
Cisco AnyConnect
AnyConnect 3.0 (AC Secure Mobility Client): Highlights
• Protocol-agnostic: Client or Clientless; IPsec or SSL VPN
• Automatic: no manual intervention, connection persistence, optimal gateway selection and auto-resume
• Always On: automatically locates the nearest, optimal gateway without requiring credentials
• Flexible License Options: Essentials, Premium, Mobile
• Built for mobility: Support for Apple iOS 4+ (iPhone, iPad, iPod touch), Cisco Cius, Samsung Android, Windows, Mac, Linux
AnyConnect Modularity: Architecture
AnyConnect Core Services Platform, with modules for:
• SSL/DTLS VPN
• IPsec VPN (IKEv2)
• Posture / HostScan
• Cloud Web Security
• 802.1X Supplicant (Win & iOS)
• MACsec / SGT
EAP Types (For Your Reference)
Supplicants: Win7 Native, Vista Native, Win XP Native, AC 3.0 (AnyConnect), Apple SL (10.5), Ubuntu, RHL (Ubuntu, RHL = wpa_supplicant)
Servers / ID stores: ACS 5.2, ISE, AD, LDAP

EAP Type             Win7  Vista  WinXP  AC3.0  Apple SL  Ubuntu  RHL  ACS5.2  ISE  AD   LDAP
EAP-TLS              Yes   Yes    Yes    Yes    Yes       Yes     Yes  Yes     Yes  Yes  Yes
EAP-TTLS             No    No     No     Yes    Yes       Yes     Yes  No      No   Yes  Yes
PEAP / MSCHAPv2      Yes   Yes    Yes    Yes    Yes       Yes     Yes  Yes     Yes  Yes  No
PEAP / EAP-GTC       No    No     No     Yes    Yes       Yes     Yes  Yes     Yes  Yes  Yes
PEAP / EAP-TLS       Yes   Yes    Yes    Yes    Yes       Yes     Yes  No      Yes  Yes  Yes
EAP-FAST / MSCHAPv2  No    No     No     Yes    Yes       Yes     Yes  Yes     Yes  Yes  No
EAP-FAST / EAP-GTC   No    No     No     Yes    Yes       Yes     Yes  Yes     Yes  Yes  Yes

EAP and ID Store Compatibility Reference: http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.html
Cisco Content Security (Cisco Secure Mobility)
ScanSafe Secure Mobility with AnyConnect 3.0 (diagram): AnyConnect Secure Mobility; Internet Traffic; VPN – Internal Traffic (optional)
Web Application Controls: Granular control over Web apps
Granular Control over Application Usage (example: Employee in Finance)
Access Control Policy
• Instant Messaging
• Facebook: Limited Apps
• Video: 512 kbps max
• Block adult content
• Bandwidth limits
Access Control Violation
• File Transfer over IM
• Facebook Chat, Email
• P2P
Hybrid Web Security Protection (diagram): Cisco Web Security Appliance with Information Sharing Between ASA and WSA; Corporate AD, ASA and AnyConnect; web destinations shown: News, Email, Social Networking, Enterprise SaaS
ISE: An Architectural Approach, Based on Two Fundamentals
1. Dynamic Context: understand the Who, What, Where, When and How on your network by extracting information from the infrastructure
2. Abstracted Policy: business level policy definition that gets automatically mapped and directly enforced on the infrastructure
Infrastructure: Cisco 2900/3560/3700/4500/6500 & Nexus 7000 switches, Wireless and Routing Infrastructure; Cisco ASA, ISR, ASR 1000
Introducing Identity Services Engine: Next Generation Policy Management Solution Portfolio
ISE consolidates the NAC appliance portfolio:
• NAC Manager and NAC Server: Identity & Access Control + Posture
• NAC Profiler and NAC Collector (standalone appliance or licensed as a module on NAC Server): Device Profiling & Provisioning
• NAC Guest Server: Guest Lifecycle Management
• Identity Monitoring
• NAC Agent (client side): AnyConnect
Access Control Solution: ISE + AnyConnect
BYOD Starts with a Policy: Access Control
Cisco ISE maps each requirement to a service:
• “I want to allow the ‘right’ users and devices on my network”: Authentication Services
• “I want users and devices to receive appropriate network services (dACL, QoS, etc.)”: Authorization Services
• “I want to allow guests into the network”: Guest Lifecycle Management
• “I need to allow/deny iPads in my network (BYOD)”: Profiling Services
• “I need to ensure my endpoints don't become a threat vector”: Posture Services
Example of a Simple BYOD Policy (ISE controlling access to the Internet, Internal Resources and Campus Network Limited Resources)
• “Employees can access everything from either corporate or personal devices. But non employees are blocked.”
• “Employees are required to use corporate devices. Personal devices are not allowed and there is no guest access.”
• “Employees can access everything from corporate devices. Employees on personal devices and partners have restricted access.”
How do we Build a BYOD Policy? What are the Required Parts of the Policy?
Corp Asset?
• AD Member?
• Static List?
• MDM?
• Certificate?
AuthC Type
• Machine Certs?
• User Certs?
• Uname/Pwd
Profile
• i-Device
• Android
• Windows
• Other
AuthZ Result
• Full Access
• Internet only
• VDI+internet
Example of BYOD Policy in ISE Using a Pre-Defined List of Assets (ISE screenshot; visible labels: User, Results, Registered BYOD)
i-Device Provisioning Options
• To identify a corporate-owned or personal device, a unique identifier (UDID, MAC address, IMEI number, etc.) may be used
• The recommended authC method is certificate-based EAP-TLS
• There are different ways to provision digital certificates for wired and wireless devices
• Some Mobile Device Management (MDM) systems and Cisco SDP are able to insert device-specific identifiers as the common name in the certificate
Device Enrollment and Provisioning (example with 3 SSIDs)
1. iOS device connects to the Provisioning SSID
2. Employee is authenticated & authorized to connect to the cert server
3. Enrollment and provisioning: the new Wi-Fi profile includes the UA_Employee configuration
4. For future connections, use the UA_Employee SSID
Certificate Enrollment and Provisioning: SDP/SCEP (diagram: steps to provision a digital certificate; AD shown)
Client Redirection to the SDP Router (For Your Reference)
• To enhance the user experience, the user can be redirected to the provisioning SDP URL automatically
• When the user tries to browse the web, the session is redirected
• An authorization policy can be used to include the SDP URL
User Experience
• The user interaction with the SDP router consists of several screens to accept the new certificate and profile
• The user opens the Safari browser and gets redirected to the start page URL, or enters the start page URL manually
• The Start Phase begins, offering the user to install the profile
• Once the user clicks on “Install”, the introduction phase begins
What is the Future of BYOD with ISE?
Supplicant and Certificate Provisioning: ISE 1.1 MnR (features being added to 1.1 Minor Release-1 of ISE, ~Summer ’12)
• Will handle Certificate Provisioning as a “Remote Authority” (RA)
• Proxy Certificate Enrollment for all Devices
• Builds Supplicant Configuration Profiles for Devices
• Allows Self-Registration of Devices & Ties Registration to Employee ID
Demo
Demo: Corporate Device vs BYOD (Policy Profiling)
Setup: single corporate SSID on the Wireless LAN Controller; Centralized Policy Engine with Unified Access Management; VLAN 10 = Corporate (Corporate Resources), VLAN 20 = Personal (Restricted Access Only)
Context used for the decision: USER, LOCATION, TIME, Access Method, DEVICE (from DHCP, RADIUS, SNMP, NETFLOW, HTTP and DNS probes)
Corporate Issued Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforced to “VLAN 10” on the same SSID
5. Full access granted
6. Full device visibility
PERSONAL Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforced to “VLAN 10 or 20” on the same SSID
5. Full or Restricted access granted
6. Full device visibility
Corporate Devices vs Guest Access
(Diagram labels: CAPWAP, 802.1Q Trunk, VLAN 10, VLAN 30, ISE, Corporate Resources, Internet)
Corporate Device: 1. EAP Authentication → 2. Accept with VLAN 10
Guest: 3. Web Auth → 4. Accept with GUEST ACL
• Users with Corporate Devices with their AD user id can be assigned to VLAN 10
• Guests authenticate via Web Auth and are assigned a GUEST-ACL on the Guest VLAN 30
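The two policy slides above (the required parts of a BYOD policy, and the demo flows for corporate, personal and guest endpoints) can be modelled as an ordered, first-match authorization policy. The following Python is an added example, not Cisco code and not ISE's real rule syntax; the rule names, the static corporate-asset list, the certificate-CN check and the dACL names are assumptions chosen to mirror the slides.

```python
"""Toy model of an ISE-style first-match authorization policy.

Added example, not Cisco code.  It mirrors the policy parts on the slides
(Corp Asset? / AuthC Type / Profile -> AuthZ Result) and the demo flows
(corporate device -> VLAN 10, personal device -> VLAN 10 or 20,
guest -> Web Auth + GUEST-ACL on VLAN 30).  Names and weights are assumed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed "static list" of corporate-issued asset MACs; on a real
# deployment this would be an AD machine account or an MDM lookup.
CORP_ASSETS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}


@dataclass
class Session:
    mac: str            # RADIUS Calling-Station-ID
    authc: str          # "EAP-TLS", "PEAP-MSCHAPv2", "WebAuth", ...
    user_group: str     # "Employee", "Guest", "Partner", "Unknown"
    profile: str        # profiler result: "i-Device", "Android", "Windows", "Other"
    cert_cn: str = ""   # CN of the client certificate, if EAP-TLS was used

    @property
    def corp_asset(self) -> bool:
        # Slide: MDM/SDP may put a device identifier (here the MAC) into the
        # certificate CN; accept either the static list or a matching CN.
        mac = self.mac.lower()
        return mac in CORP_ASSETS or (self.cert_cn != "" and self.cert_cn.lower() == mac)


@dataclass(frozen=True)
class Result:
    """What the RADIUS Access-Accept would carry: a VLAN and/or an ACL."""
    name: str
    vlan: Optional[int] = None
    acl: Optional[str] = None


FULL_ACCESS = Result("Full Access", vlan=10, acl="PERMIT_ALL")
INTERNET_ONLY = Result("Internet only", vlan=20, acl="INTERNET_ONLY")
VDI_INTERNET = Result("VDI+internet", vlan=20, acl="VDI_AND_INTERNET")
GUEST = Result("Guest", vlan=30, acl="GUEST-ACL")
DENY = Result("Deny Access")

# Rules are evaluated top-down and the first match wins, like an ordered
# authorization policy.  A corporate asset that did not present a
# certificate matches nothing and falls to the default deny on purpose:
# the slides recommend EAP-TLS for corporate devices.
RULES: List[Tuple[str, Callable[[Session], bool], Result]] = [
    ("Corp device, employee, EAP-TLS",
     lambda s: s.user_group == "Employee" and s.authc == "EAP-TLS" and s.corp_asset,
     FULL_ACCESS),
    ("Employee on personal i-Device/Android",
     lambda s: s.user_group == "Employee" and not s.corp_asset
     and s.profile in ("i-Device", "Android"),
     VDI_INTERNET),
    ("Employee on other personal device",
     lambda s: s.user_group == "Employee" and not s.corp_asset,
     INTERNET_ONLY),
    ("Partner", lambda s: s.user_group == "Partner", INTERNET_ONLY),
    ("Guest via Web Auth",
     lambda s: s.user_group == "Guest" and s.authc == "WebAuth", GUEST),
]


def authorize(session: Session) -> Tuple[str, Result]:
    """Return (matched rule name, result); the implicit default rule denies."""
    for name, condition, result in RULES:
        if condition(session):
            return name, result
    return "Default", DENY
```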
Profiling Attribute Sources for Mobile (For Your Reference)
• For mobile device detection, Cisco recommends using a combination of HTTP, RADIUS, DHCP, and DNS probes
• Profiling via HTTP inspection is regex based, with an approximate rate of 500-1200 events/sec with all services running, so profiling is done only at connect time and not for data traffic

Probe Type                     Info Provided
RADIUS (Calling-Station-ID)    MAC Address (OUI). Example: 0A:1B:2C = vendor X
DHCP (host-name)               Hostname (default may include device type). Example: jsmith-ipad
DHCP (dhcp-class-identifier)   Device class / type. Examples: BlackBerry, Cisco wireless IP phone
DNS (reverse IP lookup)        FQDN (default hostname may include device type). Example: jsmith-ipad.company.com
HTTP (User-Agent)              Details on specific mobile device type. Examples: iPad, iPhone, iPod, Android, Win7
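To show how the probe attributes in the table above combine into one device profile, here is an added Python example; it is not Cisco code and not ISE's actual profiler. The OUI table, the regex rules and their certainty weights are constructed, and the input is the set of attributes a single endpoint yielded at connect time, as the slide's note describes.

```python
"""Toy model of ISE-style endpoint profiling from probe attributes.

Added example, not Cisco code or ISE's real profiler logic.  Each probe
attribute from the slide (RADIUS Calling-Station-ID -> OUI, DHCP host-name
and dhcp-class-identifier, DNS FQDN, HTTP User-Agent) is matched against
regex rules that add certainty to a profile; the best total wins.
OUI table, rules and weights are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, Tuple

# Constructed OUI table (the slide's own example: 0A:1B:2C = vendor X).
OUI_VENDOR = {"0A:1B:2C": "Vendor X (tablet maker)", "0D:0E:0F": "Vendor Y (phone maker)"}

# (attribute, pattern, profile, certainty).  "MSFT 5.0" is the DHCP vendor
# class Windows really sends; "Windows NT 6.1" is Win7's User-Agent token.
RULES = [
    ("oui",        re.compile(r"Vendor X"),                "i-Device",   10),
    ("oui",        re.compile(r"Vendor Y"),                "Android",    10),
    ("host-name",  re.compile(r"ipad|iphone|ipod", re.I),  "i-Device",   20),
    ("host-name",  re.compile(r"android", re.I),           "Android",    20),
    ("class-id",   re.compile(r"MSFT 5\.0"),               "Windows",    20),
    ("class-id",   re.compile(r"BlackBerry", re.I),        "BlackBerry", 30),
    ("fqdn",       re.compile(r"ipad|iphone", re.I),       "i-Device",   10),
    ("user-agent", re.compile(r"\b(iPad|iPhone|iPod)\b"),  "i-Device",   30),
    ("user-agent", re.compile(r"\bAndroid\b"),             "Android",    30),
    ("user-agent", re.compile(r"Windows NT 6\.1"),         "Windows",    30),
]


def oui_of(mac: str) -> str:
    """First three octets of a Calling-Station-ID, normalised to AA:BB:CC."""
    octets = re.split(r"[:\-.]", mac.upper())
    return ":".join(octets[:3])


def profile(probes: Dict[str, str]) -> Tuple[str, int, Dict[str, int]]:
    """Return (best profile, its certainty, all scores) for one endpoint.

    Keys are the attribute names used in RULES plus "mac".  Missing probes
    are fine: a session that only yielded RADIUS still gets a low-certainty
    OUI-based guess, which is why the slide recommends combining probes.
    """
    attrs = dict(probes)
    if "mac" in attrs:
        attrs["oui"] = OUI_VENDOR.get(oui_of(attrs["mac"]), "unknown")
    scores: Dict[str, int] = defaultdict(int)
    for attr, pattern, prof, weight in RULES:
        value = attrs.get(attr)
        if value and pattern.search(value):
            scores[prof] += weight
    if not scores:
        return "Unknown", 0, {}
    best = max(scores, key=scores.get)
    return best, scores[best], dict(scores)
```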
ISE Licensing Options (For Your Reference)
Function            Base Lic   Adv Lic   Wireless Lic
Authc & Authz       X                    X*
Guest Services      X                    X*
Monitoring          X                    X*
Posture                        X         X*
Profile                        X         X*
SGA                            X         X*
End Point Protect              X         X*
*: Only for Wireless Endpoints
New Wireless Controller Scale: Scale and Performance
• Cisco Flex 7500 (Cloud Controller, Multiple Lean Branch Deployments): 1 RU appliance, 3000 Access Points, 1000 FlexGroups
• Cisco 2500 (Small Enterprise and Full Service Branch): Desktop appliance, 50 Access Points, 500 Mbps, 4 GE ports
• Wireless Controller on ISR SRE (Small Enterprise and Full Service Branch): Software on ISR module, 50 Access Points, 500 Mbps
• Wireless Services Module on Catalyst 6500 (Mid-Large Enterprise): Blade for Catalyst, 1000 Access Points, 20 Gbps
• Cisco 5500 (Mid-Large Enterprise): 1 RU appliance, 500 Access Points, 8 Gbps, 8 GE ports
What is FlexConnect (Previously HREAP)?
• FlexConnect = Hybrid Remote Access Point Architecture
• Single Management & Control point, with either Centralized Traffic (Split MAC) or Local Traffic (Local MAC)
• 300 msec RTT for voice+data deployment
• 100 msec RTT for voice only deployment
(Diagram: Central Site and Remote Office across the WAN, showing Centralized Traffic and Local Traffic paths)
FlexConnect Enhancements – Rel 7.2
Scale
• 3000 APs
• 30,000 clients
• 1000 flex groups
Throughput
• 1 Gbps
New Features
• Data DTLS - OEAP
• FlexConnect ACL (AP)
• FlexConnect AP efficient upgrade
• CWA supported with ISE 1.1
• Support for .1x central, AAA vlan override, auth parity, fast roaming for voice, OEAP
Gaps vs local/5500:
• External webauth in local switch mode
• Outdoor AP/mesh
• FIPS on 7500
• ISE support profiling
• Local mode
• WGB/UWGB
• Videostream
• IPv6 mobility
• AAA ACL override
• ACLs – dynamic (controller)
• Trustsec SXP
Additional New Functionality – Rel 7.2 (For Your Reference)
Cisco CleanAir Improvements
• Feature: Customizes air quality thresholds to each customer’s wireless environment
• Feature: Flexibility to configure multiple AP groups with unique radio characteristics per AP group
• Benefits: Reduced radio interference alerts and troubleshooting; Improved Wireless reliability and remediation
MSE Enhancements
• Feature: Virtual Appliance: 50k endpoints, 10k Adaptive wIPS
• Feature: HA: 2:1, 1:1 configs supported
• Feature: 9 new security alarms
• Feature: GPS coordinates supported
• Benefits: Flexible deployment options; Improved security and reliability
AP Groups and RF profiles
• Feature: Capability to segment and form virtual subgroups of access points
• Feature: Capability to apply different RF configurations for different access point groups
• Benefits: Customize the wireless network to business needs and locations; Simple to create and manage multiple groups
Enhanced quality-of-service (QoS) prioritization
• Feature: Increased flexibility to apply QoS priority against unicast and multicast traffic on a per WLAN basis within the access point
• Benefits: Flexible deployment options; Improved security and reliability
Cisco Aironet 3600 Series Access Points (Up to 30% better Performance)
• 4x4 ANTENNA DESIGN, 3 SPATIAL STREAMS: Fastest, most consistent device uplink speeds, sustained further from the AP
• CLIENTLINK 2.0 BEAMFORMING: Fastest downlink performance to ALL mobile devices: 802.11a/g and now 802.11n across 1, 2, and 3 spatial streams
• CLEANAIR SPECTRUM INTELLIGENCE: Always-on interference protection, plus new optional full-spectrum monitoring module
• FUTURE-PROOF MODULAR DESIGN: Flexible upgrades and add-on options for future technologies with capacity for more mobile devices
Cisco's CleanAir Technology: Industry’s first chip level proactive and automatic interference protection
Cisco CleanAir – Improves Performance and Predictability (before/after chart of Air Quality and Wireless Client Performance)
• BEFORE: Wireless interference decreases reliability and performance
• AFTER: CleanAir mitigates RF interference, improving reliability and performance
Why is Cisco’s CleanAir Technology so Unique? High resolution interference detection, classification, and mitigation at chip level
• CleanAir Radio ASIC
• Detect Wi-Fi and non-Wi-Fi interference sources
• Assess impact to Wi-Fi performance
• Proactively change channels when interference occurs
• Monitor air quality
Detect | Classify | Locate | Mitigate
(Air quality score chart not reproduced.)
Cisco's ClientLink / ClientLink 2.0 Technology: Advanced beam forming technology improves wireless client performance
Cisco ClientLink – Improves Predictability and Performance (before/after diagram of Beam Strength and Wireless Client Performance for 802.11a/g (ClientLink) or 802.11a/g/n (ClientLink 2.0) clients alongside 802.11n)
• BEFORE: Beam not directed towards clients, resulting in inconsistent performance
• AFTER: Beam Forming directs the beam towards the client, resulting in a consistent experience and better performance
VideoStream Scale, Single Stream – Test Results
• Test Case 1 – As many clients as possible on one AP with one 2MB or 5MB stream (all clients use the same bitrate). The quality should not degrade to less than a Video MOS of 4.0 (only a few artifacts).
• Results (chart): 91% Better Than Competitor A; 138% Better Than Competitor A
The Customer Problem…
“How do I manage the proliferation of mobile devices and users…”
BYOD is Changing the IT/User Equilibrium
• BYOD: ANYTIME, ANYWHERE, ANY DEVICE, ANY USER
• Users: Provide Predictable User Experience to Applications and Services
• IT: Provide IT with Control and Visibility to manage User Experience and Security
Using Cisco Prime to Deliver the Cisco Advantage
ONLY Cisco can provide:
• Converged wired/wireless access and integrated policy management – simplified troubleshooting and monitoring of end-user access from a single tool
• Complete end-to-end network visibility from the mobile client to the data center – for understanding, troubleshooting and fixing application, services and end-user related issues
• End-to-end lifecycle management for ALL Cisco network devices – automates and augments many of the day-to-day tasks associated with managing the network
Troubleshoot Wired and Wireless Access: Using Cisco Prime for Converged Client Devices
USE CASE: User calls in to the help center because they cannot get access to financial data on the network. IT determines if they are authorized to access this area.
1. Search on user name
2. Identify wired and wireless devices associated with the user
3. Display associated and disassociated devices
4. Use the automated client troubleshooting workflow to resolve the issue
5. Issue resolved
Cisco Prime Network Control System (NCS): troubleshoot user and access issues based on identity; speed resolution with intuitive guided workflows and step by step recommendations
Isolate End User Network Application Issues: Improved troubleshooting and visibility across Wireless & Wired
USE CASE: End User calls about issues with his Mobile Jabber Video App
1. User calls and complains about a video problem on his Cius
2. Isolate the end user problem
3. View the application status
4. Quickly identify the source of the problem
5. Fix the problem (WAN optimization)
• Reduces the expertise required by normalizing and correlating performance data
• Quickly identify the source of the problem
(Diagram: End-Users Complain → WAN (“Where is the problem?”) → Cisco WAAS → Cisco Nexus 1000V, VMs and Application Servers in the Virtual DC and Cloud)
Addressing BYOD Needs
• It is a security problem and needs a security solution
• It is a wireless infrastructure problem
• It is a device management problem
• It is a device problem and needs IT friendly devices
• Remote access
• It needs a virtualization solution
Gartner Implicit View of BYOD Strategy Leader: Only Cisco is the Leader in Each of These Key Areas
• Wireless
• Wired LAN
• VPN
• Web Security
• NAC (BYOD)
• Unified Communications
Resources
• Cisco Unified Wireless LAN Network: http://www.cisco.com/go/wireless
• AnyConnect Secure Mobility: http://www.cisco.com/go/anyconnect
• ASA: http://www.cisco.com/go/asa
• ScanSafe: http://www.cisco.com/go/scansafe
• IronPort: http://www.cisco.com/go/ironport
• Identity Services Engine: http://www.cisco.com/go/ise
BYOD Demos via YouTube
• BYOD (ISE) Demo on YouTube: http://youtube.com/watch?v=pZFuGw88CXQ
• BYOD (AC/iPhone) Demo on YouTube: http://www.youtube.com/watch?v=pP1uteL7Z8c
• ISE VOD Overview on YouTube: http://www.youtube.com/watch?v=kGGqjrJpvgk
Thank you.