
Page 1

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Zakaria Ben Letaief – Network Security Consultant

Securing the “Bring Your Own Device” concept with Cisco “Identity Services Engine”

Page 2

http://www.cisco.com/go/challenge

Take the BYOD Challenge (only for Customers). Win a Trip to the Olympic Games.

Page 3

Demand for Mobile Access (infographic: share of employees using their own devices for work, IT staff keeping up with mobile needs, new networked mobile devices, EU information workers and time spent working; the figures did not survive extraction)

Page 4

Driving Ongoing Shift to BYOD: Device Diversity is here to stay

(chart figures from the slide, labels not recoverable: 89%, 10%, 1%; 23%, 36%, 26%, 75%, 22%)

User Wants

• Consistent experience on multiple devices
• Seamless transitions between devices
• Separation of work and personal data
• Keep up with tech and social trends

IT Wants

• Proactive adoption of consumer/mobile devices
• Embrace BYOD without sacrificing security, management, business standards
• Lower organizational costs
• Improved agility

Page 5

BYOD Security Threats and Needs: Employee-owned Mobile Devices Are Riskiest

THREATS

• Difficult to control and secure (1/3 of all workers are out of the office)
• Malware (Web: #1 attack vector)
• Vulnerability to the organization
• Data loss from lost or stolen devices
• Access control breach
• Policy compliance challenges

BYOD* is Riskiest. Source: 2011 ISACA IT Risk/Reward Barometer, US Edition (www.isaca.org/risk-reward-barometer)

Addressing BYOD threats

• Protect endpoints from web 2.0 threats
• Provide secure remote access from devices
• Authenticate & Authorize wireless users who are connecting to the network (Guests, Contractors, etc.)

Page 6

IT Challenges to Mobile Freedom

Page 7

The BYOD Spectrum (Limit < Basic < Enhanced < Advanced)

Limit: Environment requires tight controls
  Devices: Corp Only Device
  Examples: Mfg Environment, Trading Floor, Classified Gov Networks, Traditional Enterprise

Basic: Focus on basic services, easy access, almost anybody
  Devices: Broader Device Types But Internet Only
  Examples: Edu Environments, Public Institutions, Simple Guest

Enhanced: Enable differentiated services, on-boarding with security – onsite/offsite
  Devices: Multiple Device Types + Access Methods
  Examples: Healthcare, Early BYOD Enterprise Adopters, Contractor Enablement

Advanced: Corp native apps, new services, full control
  Devices: Multiple Device Types, Corp Issued
  Examples: Innovative Enterprises, Retail on Demand, Mobile Sales Services (Video, Collaboration, etc.)

Page 8

Cisco BYOD Building Blocks

Unified Infrastructure

Policy

Apps

Management

Security

Virtualization

Page 9

BYOD Use Cases <-> Solutions

Use Cases: Limit | Basic | Enhanced | Advanced

Business Policy
  Limit: Block Access
  Basic: Role Based Access (Guest Access)
  Enhanced: Secure granular On-site and Off-Site Mobility
  Advanced: Full Workspace Experience

IT Requirements
  Limit: Visibility to who/what is on network; Restrict access to only corporate issued devices.
  Basic: Restrict personal devices to public internet; Restricted access to internal sites
  Enhanced: Allow granular on-site and off-site access to network/applications
  Advanced: Enable a full mobile and collaboration experience

User Scenario (Example)
  Limit: Hospital extends wired access to medical staff only
  Basic: Hospital provides guest access to patients
  Enhanced: Doctor uses personal device in hospital and in an offsite coffee-shop
  Advanced: Hospital administrator is granted full network access and uses native applications (i.e. HR applicant tracking system)

Solution Technology (by layer; the slide lists a subset of these for each use case)
  Core network: Cisco Switches, Cisco Wireless LAN Infrastructure
  Management: Cisco Prime Infrastructure, 3rd Party MDM
  Identity and Policy: Cisco Identity Services Engine
  Security and Remote Access: Cisco Firewalls, Cisco ESA/WSA, Cisco AnyConnect, ScanSafe
  Virtualization: Desktop Virtualization and Application Virtualization on Cisco VXI, UCS, Nexus
  Applications: Enterprise Apps, Collaboration Apps

Page 10

BYOD: Key Functionality and Success

What is success?

A well designed Mobility / Unified Access Network provides:

• CONTROL (ISE) and VISIBILITY (Prime) for IT
• DEVICE CHOICE and PREDICTABILITY (CleanAir, ClientLink, VideoStream) for Users
• BALANCE between the number of wired ports (1:1 ratio) and wireless radios (25:1 ratio)

Key Functionality

• Unified wired and wireless network with centralized policy management
• Sponsored guest and contractor access management that is isolated and accountable
• “AAA” (Authentication, Authorization, and Accounting) to determine “who” accesses your network
• “PP” (Profiling and Provisioning) to simplify onboarding of personal devices and enforce the “what, where, when, and how” users access your network

Page 11

Cisco BYOD: Solution to IT Challenges to Mobile Freedom

Page 12

Agenda

BYOD Mobility & Security

Challenges

Cisco Secure Mobility

Identity Services Engine

Cisco Prime

Cisco Wireless LAN Infrastructure

Cisco BYOD in Action

Page 13

Agenda (section: Cisco Secure Mobility)

Page 14

Cisco AnyConnect

Cisco Content Security

Cisco ASA

Cisco Secure Mobility

Page 15

Cisco AnyConnect

Cisco Secure Mobility

Page 16

AnyConnect 3.0 (AC Secure Mobility Client)

Highlights

• Protocol-agnostic: Client or Clientless; IPsec or SSL VPN
• Automatic: no manual intervention, connection persistence, optimal gateway selection and auto-resume
• Always On: automatically locates the nearest, optimal gateway without requiring credentials
• Flexible License Options: Essentials, Premium, Mobile
• Built for mobility: Support for Apple iOS 4+ (iPhone, iPad, iPod touch), Cisco Cius, Samsung Android, Windows, Mac, Linux

Page 17

AnyConnect Modularity

Architecture: modules on the AnyConnect Core Services Platform

• SSL/DTLS VPN
• IPsec VPN (IKEv2)
• Posture / HostScan
• Cloud Web Security
• 802.1X Supplicant (Win & iOS)
• MACsec / SGT

Page 18

EAP Types

EAP type          | Win7   | Vista  | Win XP | AC  | Apple SL | Ubuntu | RHL | ACS | ISE | AD  | LDAP
                  | Native | Native | Native | 3.0 | (10.5)   |        |     | 5.2 |     |     |
------------------+--------+--------+--------+-----+----------+--------+-----+-----+-----+-----+-----
EAP-TLS           | Yes    | Yes    | Yes    | Yes | Yes      | Yes    | Yes | Yes | Yes | Yes | Yes
EAP-TTLS          | No     | No     | No     | Yes | Yes      | Yes    | Yes | No  | No  | Yes | Yes
PEAP MSCHAPv2     | Yes    | Yes    | Yes    | Yes | Yes      | Yes    | Yes | Yes | Yes | Yes | No
PEAP EAP-GTC      | No     | No     | No     | Yes | Yes      | Yes    | Yes | Yes | Yes | Yes | Yes
PEAP EAP-TLS      | Yes    | Yes    | Yes    | Yes | Yes      | Yes    | Yes | No  | Yes | Yes | Yes
EAP-FAST MSCHAPv2 | No     | No     | No     | Yes | Yes      | Yes    | Yes | Yes | Yes | Yes | No
EAP-FAST EAP-GTC  | No     | No     | No     | Yes | Yes      | Yes    | Yes | Yes | Yes | Yes | Yes

EAP and ID Store Compatibility Reference: http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.html

Ubuntu, RHL = wpa_supplicant

For Your Reference

Page 19

Cisco Content Security

Cisco Secure Mobility

Page 20

AnyConnect Secure Mobility: ScanSafe Secure Mobility With AnyConnect 3.0

(diagram: Internet traffic is sent to ScanSafe; VPN carries internal traffic, optional)

Page 21

Web Application Controls: Granular control over Web apps

Granular Control over Application Usage (example: Employee in Finance)

Access Control Policy
• Instant Messaging
• Facebook: Limited Apps
• Video: 512 kbps max
• Block adult content
• Bandwidth limits

Access Control Violation
• File Transfer over IM
• Facebook Chat, Email
• P2P

Page 22

Hybrid Web Security Protection

(diagram: AnyConnect client, ASA, Cisco Web Security Appliance and Corporate AD, with Information Sharing Between ASA and WSA; traffic categories shown: News, Email, Social Networking, Enterprise SaaS)

Page 23

Agenda (section: Identity Services Engine)

Page 24

ISE: An Architectural Approach, Based on Two Fundamentals

1. Dynamic Context: understand the Who, What, Where, When and How on your network by extracting information from the infrastructure

2. Abstracted Policy: business level policy definition that gets automatically mapped and directly enforced on the infrastructure

Infrastructure: Cisco 2900/3560/3700/4500/6500 & Nexus 7000 switches, Wireless and Routing Infrastructure; Cisco ASA, ISR, ASR 1000

Page 25

Introducing Identity Services Engine: Next Generation Policy Management Solution Portfolio

ISE consolidates the functions of the earlier NAC product line and works with AnyConnect:

• NAC Manager / NAC Server: Identity & Access Control + Posture
• NAC Profiler with NAC Collector (standalone appliance or licensed as a module on NAC Server): Device Profiling & Provisioning + Identity Monitoring
• NAC Guest Server: Guest Lifecycle Management
• NAC Agent
• Access Control Solution: Identity & Access Control

Page 26

BYOD Starts with a Policy: Access Control

Cisco ISE maps each access-control need to a service:

• “I want to allow the “right” users and devices on my network” → Authentication Services
• “I want user and devices to receive appropriate network services (dACL, QoS, etc)” → Authorization Services
• “I want to allow guests into the network” → Guest Lifecycle Management
• “I need to allow/deny iPads in my network (BYOD)” → Profiling Services
• “I need to ensure my endpoints don't become a threat vector” → Posture Services

Page 27

Example of a Simple BYOD Policy

Three sample policies, each enforced by ISE on the campus network (diagram labels: Internet, Internal Resources, Limited Resources):

• “Employees can access everything from either corporate or personal devices. But non employees are blocked.”
• “Employees are required to use corporate devices. Personal devices are not allowed and there is no guest access.”
• “Employees can access everything from corporate devices. Employees on personal devices and partners have restricted access.”

Page 28

How do we Build a BYOD Policy? What are the Required Parts of the Policy?

Corp Asset?
• AD Member?
• Static List?
• MDM?
• Certificate?

AuthC Type
• Machine Certs?
• User Certs?
• Uname/Pwd

Profile
• i-Device
• Android
• Windows
• Other

AuthZ Result
• Full Access
• internet only
• VDI+internet
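The four policy parts on this slide (Corp Asset?, AuthC Type, Profile, AuthZ Result) can be modelled as a small ordered rule set. The following Python is an added example, not Cisco ISE code and not from the presentation. The asset sources (an AD computer-account set and a static MAC list), the group names, and the rule that a user certificate on a personal device earns VDI+internet while a password-only login gets internet only are assumptions chosen to implement the third sample policy from the previous slide (employees on corporate devices get everything, employees on personal devices and partners get restricted access, everyone else is blocked).

```python
"""Toy BYOD authorization policy evaluator (added example, not Cisco ISE code)."""
from dataclasses import dataclass
from enum import Enum


class AuthcType(Enum):
    MACHINE_CERT = "machine-cert"    # EAP-TLS with a machine certificate
    USER_CERT = "user-cert"          # EAP-TLS with a user certificate
    USERNAME_PASSWORD = "uname/pwd"  # e.g. PEAP-MSCHAPv2


class Profile(Enum):
    I_DEVICE = "i-device"
    ANDROID = "android"
    WINDOWS = "windows"
    OTHER = "other"


class AuthzResult(Enum):
    FULL_ACCESS = "Full Access"
    INTERNET_ONLY = "internet only"
    VDI_INTERNET = "VDI+internet"
    DENY = "deny"


# Constructed corporate-asset sources (assumptions): AD computer accounts and a static MAC list.
AD_COMPUTER_ACCOUNTS = {"LAPTOP-1234$"}
STATIC_ASSET_MACS = {"00:11:22:33:44:55"}


@dataclass(frozen=True)
class Session:
    user_group: str   # "employees", "partners", "guests", ... (constructed group names)
    authc: AuthcType
    profile: Profile
    mac: str          # RADIUS Calling-Station-Id
    identity: str     # certificate CN or username as presented


def is_corp_asset(s: Session) -> bool:
    """Corp Asset? is decided from a machine cert, AD membership, or the static list."""
    return (
        s.authc is AuthcType.MACHINE_CERT
        or s.identity in AD_COMPUTER_ACCOUNTS
        or s.mac.lower() in STATIC_ASSET_MACS
    )


def authorize(s: Session) -> AuthzResult:
    """Ordered rules, first match wins; anything unmatched is denied (fail closed)."""
    corp = is_corp_asset(s)
    if s.user_group == "employees" and corp:
        return AuthzResult.FULL_ACCESS
    if s.user_group == "employees":
        # Personal device: a user certificate on a known profile earns VDI+internet
        # (assumption); a password-only login gets internet only.
        if s.authc is AuthcType.USER_CERT and s.profile in (
            Profile.I_DEVICE, Profile.ANDROID, Profile.WINDOWS
        ):
            return AuthzResult.VDI_INTERNET
        return AuthzResult.INTERNET_ONLY
    if s.user_group == "partners":
        return AuthzResult.INTERNET_ONLY
    return AuthzResult.DENY


if __name__ == "__main__":
    demo = Session("employees", AuthcType.USER_CERT, Profile.I_DEVICE,
                   "aa:bb:cc:dd:ee:01", "jsmith")
    print(authorize(demo).value)
```

The rules are evaluated top-down with the first match winning, which is how an ordered authorization policy behaves; keeping the deny at the bottom means a mis-profiled or unknown session never falls through to full access.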

Page 29

Example of BYOD Policy in ISE, Using a Pre-Defined List of Assets

(screenshot; columns shown: User, Results, Registered BYOD)

Page 30

i-Device Provisioning Options

• To identify a corporate-owned or personal device, a unique identifier (UDID, MAC Address, IMEI number, etc.) may be used

• The recommended authC method is EAP-TLS based on certificate

• There are different ways to provision digital certificates for wired and wireless devices

• Some Mobile Device Management (MDM) Systems and Cisco SDP are able to insert device-specific identifiers as a common name in the certificate.

Page 31

Device Enrollment and Provisioning

1. iOS device connects to Provisioning SSID

2. Employee authenticated & authorized to connect to Cert server

3. Enrollment and provisioning. New Wi-Fi Profile includes UA_Employee configuration

4. For future connections, use UA_Employee SSID

Example with 3 SSIDs

Page 32

Certificate Enrollment and Provisioning: SDP/SCEP

• Steps to provision a digital certificate (diagram; AD shown as the identity store)

Page 33

Client Redirection to the SDP Router

• To enhance the user experience, the user can be redirected to the provisioning SDP URL automatically

• When the user tries to browse the web, the session is redirected

• An authorization policy can be used to include the SDP URL

For YourReference

Page 34

User Experience

• The user interaction with the SDP router consists of several screens to accept the new certificate and profile
• The user opens the Safari browser and gets redirected to the start page URL or enters the start page URL manually
• The Start Phase begins, offering the user to install the profile
• Once the user clicks on “Install”, the introduction phase begins

Page 35

What is the Future of BYOD with ISE?

Supplicant and Certificate Provisioning: ISE 1.1MnR

Features being added to 1.1 Minor Release-1 of ISE (~Summer '12):

• Will handle Certificate Provisioning as a “Remote Authority” (RA)
• Proxy Certificate Enrollment for all Devices
• Builds Supplicant Configuration Profiles for Devices
• Allows Self-Registration of Devices & Ties Registration to Employee ID

Page 36

Demo

Page 37

Corporate Device vs BYOD: Single Corp SSID, Centralized Policy Engine, Unified Access Management

Policy Profiling inputs (diagram): USER, LOCATION, TIME, Access Method, DEVICE; probes: DHCP, RADIUS, SNMP, NETFLOW, HTTP, DNS. The Wireless LAN Controller places Corporate devices in VLAN 10 (Corporate Resources) and Personal (Employee) devices in VLAN 20 (Restricted Access Only).

Corporate Issued Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforce to “VLAN 10” on same SSID
5. Full access granted
6. Full device visibility

PERSONAL Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforce to “VLAN 10 or 20” on same SSID
5. Full or Restricted access granted
6. Full device visibility

Page 38

Corporate Devices vs Guest Access

(diagram: Corporate Device and Guest connect through CAPWAP access points to the controller, which carries VLAN 10 (Corporate Resources) and VLAN 30 (Guest, Internet) over an 802.1Q Trunk and consults ISE)

Corporate Device: 1. EAP Authentication; 2. Accept with VLAN 10
Guest: 3. Web Auth; 4. Accept with GUEST ACL

• Users with Corporate Devices with their AD user id can be assigned to VLAN 10
• Guests authenticate via Web Auth and are assigned to a GUEST-ACL on the Guest VLAN 30

Page 39

Profiling Attribute Sources for Mobile

• For mobile device detection, it is recommended to use a combination of HTTP, RADIUS, DHCP, and DNS probes

Profiling via HTTP inspection is regex based, with an approximate rate of 500-1200 events/sec with all services running. So profiling is done only at connect time and not on data traffic.

Probe Type | Info Provided
RADIUS (Calling-Station-ID) | MAC Address (OUI). Example: 0A:1B:2C = vendor X
DHCP (host-name) | Hostname (default may include device type). Example: jsmith-ipad
DHCP (dhcp-class-identifier) | Device class / type. Examples: BlackBerry, Cisco wireless IP phone
DNS (reverse IP lookup) | FQDN (default hostname may include device type). Example: jsmith-ipad.company.com
HTTP (User-Agent) | Details on specific mobile device type. Examples: iPad, iPhone, iPod, Android, Win7

For Your Reference
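To show how the probe attributes in the table above combine into one device classification, here is an added Python example; it is not ISE's profiler and not from the presentation. The OUI table, the rule weights, the certainty threshold and the sample probe records are all constructed (the OUI 0A:1B:2C is the slide's placeholder, the other OUIs are made up). It generalises the table slightly by scoring several attributes together rather than matching one at a time.

```python
"""Toy endpoint profiler over RADIUS, DHCP, DNS and HTTP probe attributes.

Added example, not Cisco ISE code. Each matching rule adds a weighted score to a
candidate device type; the best candidate wins once it clears a certainty
threshold, so a single weak hint (a hostname) cannot produce a confident match.
"""
import re
from collections import defaultdict

# Constructed OUI table (first three octets of the MAC). Not real vendor data.
OUI_TABLE = {
    "0A:1B:2C": "Vendor-X",
    "0A:1B:2D": "Apple",
    "0A:1B:2E": "Research In Motion",
}

# (attribute, regex, device type, weight) -- constructed weights: the User-Agent
# and DHCP class identifier are more specific than a hostname or an OUI.
RULES = [
    ("http_user_agent", re.compile(r"\biPad\b"), "Apple-iPad", 30),
    ("http_user_agent", re.compile(r"\biPhone\b"), "Apple-iPhone", 30),
    ("http_user_agent", re.compile(r"\bAndroid\b"), "Android", 30),
    ("http_user_agent", re.compile(r"Windows NT 6\.1"), "Windows7", 30),
    ("dhcp_class_identifier", re.compile(r"^BlackBerry"), "BlackBerry", 20),
    ("dhcp_class_identifier", re.compile(r"Cisco.*IP Phone"), "Cisco-IP-Phone", 20),
    ("dhcp_host_name", re.compile(r"ipad", re.I), "Apple-iPad", 10),
    ("dns_fqdn", re.compile(r"ipad", re.I), "Apple-iPad", 10),
    ("oui_vendor", re.compile(r"^Apple$"), "Apple-Device", 10),
    ("oui_vendor", re.compile(r"^Research In Motion$"), "BlackBerry", 10),
]
MIN_CERTAINTY = 20  # constructed threshold


def oui_vendor(calling_station_id: str) -> str:
    """Map the RADIUS Calling-Station-Id (a MAC address) to a vendor via its OUI."""
    mac = calling_station_id.upper().replace("-", ":")
    return OUI_TABLE.get(mac[:8], "unknown")


def profile(probes: dict) -> tuple[str, int]:
    """Return (device type, certainty) from whatever probe attributes arrived."""
    attrs = dict(probes)
    if "radius_calling_station_id" in attrs:
        attrs["oui_vendor"] = oui_vendor(attrs["radius_calling_station_id"])
    scores = defaultdict(int)
    for attr, pattern, device, weight in RULES:
        value = attrs.get(attr)
        if value and pattern.search(value):
            scores[device] += weight
    if not scores:
        return ("Unknown", 0)
    best, certainty = max(scores.items(), key=lambda kv: kv[1])
    if certainty < MIN_CERTAINTY:
        return ("Unknown", certainty)
    return (best, certainty)


# Constructed probe records, one per endpoint, as the probes would deliver them.
SAMPLE_IPAD = {
    "radius_calling_station_id": "0a:1b:2d:aa:bb:cc",
    "dhcp_host_name": "jsmith-ipad",
    "dns_fqdn": "jsmith-ipad.company.com",
    "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46",
}
SAMPLE_BLACKBERRY = {
    "radius_calling_station_id": "0A-1B-2E-00-00-01",
    "dhcp_class_identifier": "BlackBerry",
}
SAMPLE_HOSTNAME_ONLY = {"dhcp_host_name": "jsmith-ipad"}

if __name__ == "__main__":
    for name, rec in [("ipad", SAMPLE_IPAD), ("bb", SAMPLE_BLACKBERRY),
                      ("hostname-only", SAMPLE_HOSTNAME_ONLY)]:
        print(name, profile(rec))
```

Every attribute here is reported by the endpoint itself (its MAC, its hostname, its User-Agent string), so the profile should drive coarse decisions such as the VLAN or ACL and be paired with certificate-based EAP-TLS for identity, as the i-Device provisioning slide recommends; the threshold is what stops the hostname-only record from being classified as an iPad.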

Page 40

ISE Licensing Options

Function          | Base Lic | Adv Lic | Wireless Lic
------------------+----------+---------+-------------
Authc & Authz     | X        |         | X*
Guest Services    | X        |         | X*
Monitoring        | X        |         | X*
Posture           |          | X       | X*
Profile           |          | X       | X*
SGA               |          | X       | X*
End Point Protect |          | X       | X*

*: Only for Wireless Endpoints

For Your Reference

Page 41

Agenda (section: Cisco Wireless LAN Infrastructure)

Page 42

New Wireless Controller Scale

Cisco Flex 7500 (Cloud Controller; Multiple Lean Branch Deployments)
• 1 RU appliance
• 3000 Access Points
• 1000 Flex groups

Cisco 2500 (Small Enterprise and Full Service Branch)
• Desktop Appliance
• 50 Access Points
• 500 Mbps
• 4 GE ports

Wireless Controller on ISR SRE (Small Enterprise and Full Service Branch)
• Software on ISR module
• 50 Access Points
• 500 Mbps

Wireless Services Module on Catalyst 6500 (Mid-Large Enterprise)
• Blade for Catalyst
• 1000 Access Points
• 20 Gbps

Cisco 5500 (Mid-Large Enterprise)
• 1 RU Appliance
• 500 Access Points
• 8 Gbps
• 8 GE ports

Scale and Performance

Page 43

What is FlexConnect (Previously HREAP)?

• FlexConnect = Hybrid Remote Access Point Architecture
• Single Management & Control point
• Centralized Traffic (Split MAC) or Local Traffic (Local MAC)
• 300 msec RTT for voice+data deployment
• 100 msec RTT for voice only deployment

(diagram: Remote Office access points across the WAN to the Central Site, with Centralized Traffic and Local Traffic paths)

Page 44

FlexConnect Enhancements – Rel 7.2

Scale
• 3000 APs
• 30,000 clients
• 1000 flex groups

Throughput
• 1 Gbps

New Features
• Data DTLS - OEAP
• Flexconnect ACL (AP)
• Flexconnect AP efficient upgrade
• CWA supported with ISE 1.1
• Support for .1x central, AAA vlan override, auth parity, fast roaming for voice, OEAP

Gaps vs local/5500:
• External webauth in local switch mode
• Outdoor AP/mesh
• FIPS on 7500
• ISE support profiling
• Local mode
• WGB/UWGB
• Videostream
• IPv6 mobility
• AAA ACL override
• ACLs – dynamic (controller)
• Trustsec SXP

Page 45

Additional New Functionality – Rel 7.2

Feature: Cisco CleanAir Improvements
  • Customizes air quality thresholds to each customer's wireless environment
  • Flexibility to configure multiple AP groups with unique radio characteristics per AP group
  Benefits: Reduced radio interference alerts and troubleshooting; Improved Wireless reliability and remediation

Feature: MSE Enhancements
  • Virtual Appliance: 50k endpoints, 10k Adaptive wIPS
  • HA: 2:1, 1:1 configs supported
  • 9 new security alarms
  • GPS coordinates supported
  Benefits: Flexible deployment options; Improved security and reliability

Feature: AP Groups and RF profiles
  • Capability to segment and form virtual subgroup of access points
  • Capability to apply different RF configurations for different access point groups
  Benefits: Customize the wireless network to business needs and locations; Simple to create and manage multiple groups

Feature: Enhanced quality-of-service (QoS) prioritization
  • Increased flexibility to apply QoS priority against unicast and multicast traffic on a per WLAN basis within the access point
  Benefits: Flexible deployment options; Improved security and reliability

For Your Reference

Page 46

Cisco Aironet 3600 Series Access Points

4x4 ANTENNA DESIGN, 3 SPATIAL STREAMS: Fastest, most consistent device uplink speeds, sustained further from the AP

CLIENTLINK 2.0 BEAMFORMING: Fastest downlink performance to ALL mobile devices: 802.11a/g and now 802.11n across 1, 2, and 3 spatial streams

CLEANAIR SPECTRUM INTELLIGENCE: Always-on interference protection, plus new optional full-spectrum monitoring module

FUTURE-PROOF MODULAR DESIGN: Flexible upgrades and add-on options for future technologies with capacity for more mobile devices

Up to 30% better Performance

Cisco Aironet 3600 Access Point

Page 47

Cisco's CleanAir Technology: Industry's first chip level proactive and automatic interference protection

Cisco CleanAir – Improves Performance and Predictability

BEFORE: Wireless interference decreases reliability and performance
AFTER: CleanAir mitigates RF interference, improving reliability and performance

(charts: Air Quality and Wireless Client Performance, before and after)

Page 48

Why is Cisco's CleanAir Technology so Unique? High resolution interference detection, classification, and mitigation at chip level

• CleanAir Radio ASIC
• Detect Wi-Fi and non-Wi-Fi interference sources
• Assess impact to Wi-Fi performance
• Proactively change channels when interference occurs
• Monitor air quality

Detect | Classify | Locate | Mitigate

(chart values from the slide, labels not recoverable: 100, 63, 97, 35, 20, 90)

Page 49

Cisco's ClientLink / ClientLink 2.0 Technology: Advanced beam forming technology improves wireless client performance

Cisco ClientLink – Improves Predictability and Performance

BEFORE: Beam not directed towards clients, resulting in inconsistent performance (802.11a/g (ClientLink) or 802.11a/g/n (ClientLink 2.0) clients alongside 802.11n)
AFTER: Beam Forming directs the beam towards the client, resulting in consistent experience and better performance

(charts: Beam Strength and Wireless Client Performance, before and after)

Page 50

VideoStream Scale, Single Stream - Test Results

• Test Case 1 – As many clients as possible on one AP with one 2MB or 5MB stream (all clients use the same bitrate). The quality should not degrade to less than a Video MOS of 4.0 (only a few artifacts).

(figure: results chart, Cisco vs. Competitor A: 91% Better Than Competitor A; 138% Better Than Competitor A)

Page 51

Agenda

BYOD Mobility & Security

Challenges

Cisco Secure Mobility

Identity Services Engine

Cisco Prime

Cisco BYOD in Action

Cisco Wireless LAN Infrastructure

Page 52

The Customer Problem…

“How do I manage the proliferation of mobile devices and users…”

Page 53

BYOD is Changing the IT/User Equilibrium

BYOD

IT

Users

Provide Predictable User Experience to Applications and Services

Provide IT with Control and Visibility to manage User Experience and Security

ANYTIME, ANYWHERE, ANY DEVICE, ANY USER

Page 54

Using Cisco Prime to Deliver the Cisco Advantage

ONLY Cisco can provide:

• Converged wired/wireless access and integrated policy management – simplified troubleshooting and monitoring of end-user access from a single tool

• Complete end-to-end network visibility from the mobile client to the data center – for understanding, troubleshooting and fixing application, services and end-user related issues

• End-to-end lifecycle management for ALL Cisco network devices – automates and augments many of the day-to-day tasks associated with managing the network

Page 55

Troubleshoot Wired and Wireless Access
Using Cisco Prime for Converged Client Devices

1. Search on user name
2. Identify wired and wireless devices associated with the user
3. Display associated and disassociated devices
4. Use the automated client troubleshooting workflow to resolve the issue
5. Issue resolved

USE CASE: A user calls the help center because they cannot get access to financial data on the network. IT determines whether they are authorized to access this area.

Troubleshoot user and access issues based on identity

Speed resolution with intuitive guided workflows

Cisco Prime Network Control System (NCS): step-by-step recommendations

Page 56

Isolate End User Network Application Issues
Improved troubleshooting and visibility across Wireless & Wired

1. User calls and complains about a video problem on his Cius
2. Isolate the end user problem
3. View the application status
4. Quickly identify the source of the problem
5. Fix the problem (WAN optimization)

USE CASE: End user calls about issues with his Mobile Jabber Video App

Reduces the expertise required by normalizing and correlating performance data

Quickly identify the source of the problem

(figure: path from "End-Users Complain" across the WAN ("Where is the problem?") through Cisco WAAS to Application Servers running as VMs on Cisco Nexus 1000V in a Virtual DC and Cloud)

Page 57

Agenda

BYOD Mobility & Security

Challenges

Cisco Secure Mobility

Identity Services Engine

Cisco Prime

Cisco BYOD in Action

Cisco Wireless LAN Infrastructure

Page 58

Addressing BYOD Needs

It is a security problem and needs a security solution

It is a wireless infrastructure problem

It is a device management problem

It is a device problem and needs IT-friendly devices

Remote access

It needs a virtualization solution


Page 60

Gartner Implicit View of BYOD Strategy Leader
Only Cisco is the Leader in Each of These Key Areas

Wireless

Wired LAN

VPN

Web Security

NAC (BYOD)

Unified Communications

Page 61

Resources

• Cisco Unified Wireless LAN Network – http://www.cisco.com/go/wireless

• AnyConnect Secure Mobility – http://www.cisco.com/go/anyconnect

• ASA – http://www.cisco.com/go/asa

• ScanSafe – http://www.cisco.com/go/scansafe

• IronPort – http://www.cisco.com/go/ironport

• Identity Services Engine – http://www.cisco.com/go/ise

Page 63

Thank you.