Securing Borderless Networks (2012 San Diego)

Housekeeping We value your feedback- dont forget to complete your online session evaluations after each session & complete the Overall Conference Evaluation which will be available online from Thursday Please remember this is a non-smoking venue! Please set your mobile phones to stun mode Please make use of the recycling bins provided Please remember to wear your badge at all times NO discussions on future products Please remember your NDAs when asking questionsBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

Session Abstract This session will explain the security technology behind the Cisco Borderless Networks. We will compare and contrast the networkers of yesterday verses today and the issues that network and security administrator face with these evolving networks. A business case will be presented to introduce common network security challenges and how Borderless Network technology solves them. The technologies that will be covered include Secure Mobility, Web and Email Security, AnyConnect SSL VPN, user & device authorization, Network Device Profiling, supplicant agents, posture assessment, Guest Access, Security Group Access (SGA), and IEEE 802.1AE (MacSec).BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

Session Objectives At the end of the session, you should understand: • The Cisco Borderless Network Architecture • The technology that makes up Borderless Networks portfolio including Cisco Firewall, IPS, Content Security • How to design and implement Secure Mobility • Benefits of TrustSec and MacSec technologies You should also: • Have questions for the Q&A section of the session • Provide us with feedback via the Cisco Live online survey • Attend related sessions that interest youBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

Agenda Networks of Yesterday Networks of Today Borderless Networks – What does that mean? Case Study – Future Healthcare Cisco AnyConnect Secure Mobility Design Cisco TrustSec Design Q&ABRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

Networks of Yesterday

Network Security of Yesterday Corporate Assets Corporate Connectivity Limited Remote Connectivity Employees Only Access Routers Firewalls SwitchesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

Networks of Today

Networks Security of Today Corporate and Commercialized Assets Corporate, Partner, Public, Cloud Connectivity Employees, Contractors and Guests Access Routers, Switches, Firewalls, IPS Virtualized Data Centers ISE, NAC, Posture Control Wireless Infrastructures Email and Web Security Unified Communications Mobile Smart Devices – The iRevolutionBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

Network Security Policy Today Who are you? ‒ Employee, Partner, Contractor, Guest What are you doing? ‒ Data Entry, Access HR Records, Accessing Payroll Where are you going? ‒ Intranet, Extranet, Internet, Cloud Services When are you connecting? ‒ 8am-5pm, After Hours, Weekends How are you connecting? ‒ Corporate Wired, Corporate Wireless, Public Wireless ‒ Hotel Guest Network, Home NetworkBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

Borderless Networks Evolution

Self-Defending Networks Network and Endpoint Security Content Security Application Security System Management and ControlBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

SAFE Blueprints SAFE Small Business SAFE Medium Business SAFE Enterprise Business SAFE Remote SAFE Campus SAFE Data Center SAFE Internet SAFE Wide Area NetworkBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

Borderless Networks Architecture What it is: ‒ Architecture for secure connectivity of: • Any Device • Any Place • Any Time What it does (its vision): ‒ Provides consistent user experience & security policies on any device, any place at any time. What it does (business benefit): ‒ Simplifies Secure Connections to resources ‒ Improves workforce productivity through flexibility.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

Borderless Networks Architecture Technology Benefit ‒ Borderless Networks transforms the way IT governs networks by linking users, devices, applications, and business processes - together. Value Proposition: ‒ Cisco Borderless Networks securely, reliably, and seamlessly connects people, information, and devices.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

Borderless Networks Design BenefitsAccelerates Business Innovation and Transformation Secure – Risk mitigation to protect corporate assets and data Reliable – Business continuity Seamless – Productivity-driven growthBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

Borderless Networks Design Elements Architecture for Agile Delivery of the Borderless Experience BORDERLESS END-POLICY POINT/USER SERVICES Securely, Reliably, Seamlessly: AnyConnectMANAGEMENT BORDERLESS NETWORK Multimedia Mobility: Energy Security: AppCISCO SMART SERVICES Optimization: Motion Management: TrustSec Performance:SERVICES Medianet EnergyWise App VelocityCISCO BORDERLESS Unified Core Extended ExtendedLIFECYCLE NETWORK Access Fabric Edge Cloud SYSTEMSSERVICESAPIs Application BORDERLESS Wireless Routing Switching Networking/ Security INFRASTRUCTURE Optimization BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

Case Study –Future HealthCare

Future HealthCareIT Network Issues Employees need secure remote access to corporate intranet and email systems Doctors need secure remote access to patient information and email systems Doctors want access to patient data and internet Employees want access to the internet and email Patients want access to the internet and web mail CTO has security and regulation requirements CSO needs prevention of email spear-phishing attacks IT needs corporate devices secure while still providing network access to commercialized mobile devicesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

Secure Remote Access Question: ‒ How does IT provide employees secure remote access to corporate intranet and email systems? Answer: ‒ Virtual Private Network (VPNs) ‒ Typically IPSec and/or SSL VPN tunnel connections ‒ Firewalls, Routers and IPS Issues: ‒ Full Tunneling ‒ Split Tunneling ‒ Internet AccessBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

Cisco AnyConnect Secure MobilityThe New Answer Question: ‒ How does IT provide employees secure remote access to corporate intranet and email systems? Answer: ‒ Cisco AnyConnect Secure MobilityBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

Cisco AnyConnect Secure MobilityWhat is it and How Does it Work? AnyConnect SSL VPN client software connects to the corporate ASA Firewall VPN endpoint. The ASA group policy configuration enforces full tunneling option only. (No Split Tunnel) Use route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled command point all VPN traffic to inside endpoint. Inside endpoint (router/L3 switch) redirects traffic back to ASA using default route. ASA WCCP configuration will now redirect web traffic to the IronPort Web Security Appliance for proxy services.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

Cisco Secure MobilityLicensing Requirements Cisco ASA Firewall ‒ SSL VPN Peer Licenses based on remote user count ‒ AnyConnect Essentials or Premium License ‒ AnyConnect for Mobile License Cisco IronPort Web Security Appliance ‒ AsyncOS version 7.x ‒ Cisco Mobile User Security Feature Key License Cisco AnyConnect VPN Client ‒ Version 3.0 or higher (recommend)BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

Features and Licensing Matrix: Cisco AnyConnect AnyConnect Ess AnyConnect Ess + AnyConnect Prem AnyConnect PremCisco® AnyConnect Features Only SM Only + SMAuto headend detection    Tethered device support (phonesynchronization)    Access to local printers through endpointfirewall rules    Always-on VPN    Fail-open and fail-close policy support    Captive portal    Clientless VPN    Cisco Secure Desktop    Quarantine indication if posture assessmentfails    Web security    Ess = Essentials, Prem = Premium, SM = Secure Mobility BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

ASA LicensingShow VersionASA-5510# show version....Licensed features for this platform:Maximum Physical Interfaces : Unlimited perpetualMaximum VLANs : 100 perpetualInside Hosts : Unlimited perpetualFailover : Active/Active 365 daysVPN-DES : Enabled perpetualVPN-3DES-AES : Enabled 365 daysSecurity Contexts :2 perpetualGTP/GPRS : Disabled perpetualSSL VPN Peers : 25 365 daysTotal VPN Peers : 250 perpetualShared License : Disabled perpetualAnyConnect for Mobile : Enabled 365 daysAnyConnect for Cisco VPN Phone : Enabled 365 daysAnyConnect Essentials : Enabled perpetualAdvanced Endpoint Assessment : Enabled 365 daysUC Phone Proxy Sessions : 26 365 daysTotal UC Proxy Sessions : 26 365 daysBotnet Traffic Filter : Enabled 365 daysIntercompany Media Engine : Disabled perpetual….BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

Cisco Secure MobilityConfiguration See Cisco ASA Secure Mobility Configuration Appendix for step-by-step ASDM configuration guide for setting up Cisco AnyConnect SSL VPN network.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

Configure Secure Mobility on ASA IronPort WSA Mobile User Security Configuration From ASDM – Configuration > Remote Access VPN > Network (Client) Access > Secure Mobility Solution ‒ Click Add button ‒ Choose Interface to communicate to WSA (typically Inside or DMZ interface) ‒ IP Address of the WSA and Subnet Mask ‒ Click OK ‒ Make sure “Enable Mobile User Security” checkbox is enabled and the service port is 11999 (default) ‒ Set password to secure communications ‒ Click ApplyBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

Configure Secure Mobility on WSAWSA Identity Configuration Login to Web Security Appliance Navigate to Web Security Manager > Identities Click Add Identities Define Members by User Location: Remote Users Only Define Members by Protocol: HTTP/HTTPS Only Define Members by Authentication: Identity Users Transparently through Cisco ASA Integration Authentication Surrogate for Transparent Proxy Mode: IP Address Click Submit and Commit Unique Access Policies can now be set for “Remote Users”BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

Configure WCCP Access Lists on ASA Access Lists Configuration Example Configure access list for WCCP appliance access-list WSA extended permit ip host 10.1.1.15 any Configure access list for redirected proxy traffic access-list WSA-Redirect extended deny ip host 10.1.1.15 any access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq www access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq https Assign the redirect proxy traffic to the WCCP appliance wccp 90 redirect-list WSA-Redirect group-list WSA wccp interface inside 90 redirect inBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

Configure WCCP Service Groups on ASA Cisco ASDM Configuration From ASDM – Configuration > Device Management > Advanced > WCCP > Service Groups ‒ Click Add button ‒ Service: Dynamic Service Number: 90 ‒ Options: Redirect List: WSA-Redirect ‒ Options: Group List: WSA ‒ Click OKBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

Configure WCCP Redirection on ASA Cisco ASDM Configuration From ASDM – Configuration > Device Management > Advanced > WCCP > Redirection ‒ Click Add button ‒ Interface: Inside ‒ Service Group: 90 ‒ Click OK ‒ Click Apply ‒ Click SaveBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Cisco ASA 5500 Series Portfolio ASA 5585-X SSP-60 Comprehensive Solutions from SOHO to the Data Center (40 Gbps, 350K cps) ASA 5585-X SSP-40 (20 Gbps, 200K cps) ASA 5585-X SSP-20 (10 Gbps, 125K cps) Multi-ServicePerformance and Scalability ASA 5585-X SSP-10 (Firewall/VPN and IPS) ASA 5555-X (4 Gbps, 50K cps) (4 Gbps,50K cps) ASA 5545-X NEW (3 Gbps,30K cps) ASA 5525-X (2 Gbps,20K cps) NEW ASA 5515-X ASA 5550 (1.2 Gbps,15K cps) (1.2 Gbps, 36K cps) NEW ASA 5512-X (1 Gbps, 10K cps) ASA 5540 Firewall/VPN Only NEW (650 Mbps, 25K cps) NEW ASA 5520 (450 Mbps, 12K cps) ASA 5510 + ASA 5510 (300 Mbps, 9K cps) (300 Mbps, 9K cps) ASA 5505 (150 Mbps, 4K cps) SOHO Branch Office Internet Edge Campus Data Center BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

Cisco ASA 5500 Series Product Lineup Mid-Range Solutions Cisco Cisco Cisco Cisco Cisco ASA 5505 ASA 5510 ASA 5520 ASA 5540 ASA 5550Typical Deployment SOHO Branch Office Internet Edge Internet Edge Data CenterPerformance Max Firewall  150 Mbps  300 Mbps  450 Mbps  650 Mbps  1.2 Gbps Max Firewall + IPS  Future  300 Mbps  375 Mbps  450 Mbps  1.2 Gbps Max IPSec VPN  100 Mbps  170 Mbps  225 Mbps  325 Mbps  425 Mbps Max IPSec/SSL VPN Peers  25/25  250/250  750/750  5000/2500  5000/5000Platform Capabilities Max Firewall Conns  10,000/25,000  50,000/130,000  280,000  400,000  650,000 Max Conns/Second  4000  9000  12,000  25,000  36,000 Packets/Second (64 byte)  85,000  190,000  320,000  500,000  600,000 Base I/O  8-port FE switch  5 FE  4 GE + 1 FE  4 GE + 1 FE  8 GE + 1 FE VLANs Supported  3/20 (trunk)  50/100  150  200  400 HA Supported  Stateless A/S  A/A and A/S  A/A and A/S  A/A and A/S  A/A and A/S (Security Plus) (Security Plus) BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Next Generation ASA Mid-Range Appliances ASA 5500-X H/W FeaturesCustomer Benefits 64Bit Multi-Core Processor Performance Up to 16GB of Memory Built-In Multi-Core Crypto Accelerator Density Hardware Flexibility Dedicated IPS Hardware Integrated Services Acceleration Card Management Consolidation Up to 14 1GE Ports Copper & Fiber I/O options Firewall, VPN & IPS Services Dedicated OOB Management PortBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

Next Generation Security Services Appliances5 New Models to Meet Varied Throughput Demands 1. Multi-Gig Performance ASA 5512-X To meet growing throughput 1 Gbps Firewall Throughput requirements ASA 5515-X 2. Accelerated Integrated 1.2 Gbps Firewall Throughput Services ASA 5525-X (no extra hardware required) 2 Gbps Firewall Throughput To support changing business needs ASA 5545-X 3. Next-gen services 3 Gbps Firewall Throughput enabled platform ASA 5555-X To provide investment protection 4 Gbps Firewall ThroughputBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

Cisco ASA 55xx-X Series Product Lineup Specification ASA 5512-X ASA 5515-X ASA 5525-X ASA 5545-X ASA 5555-XPlatform Base 1RU Short chassis 1RU Short chassis 1RU Short chassis 1RU Long chassis 1RU Long chassis 19” Rack Mountable 19” Rack Mountable 19” Rack Mountable 19” Rack Mountable 19” Rack MountableCPU 1x 2.8 Ghz Intel 2C/2T 1 x 3.06 Ghz Intel 2C/4T 1x 2.40 Ghz Intel 1x 2.66 Ghz Intel 4C/8T 1x 2.80 Ghz Intel 4C/8T 4C/4TDRAM 4GB 8 GB 8GB 12GB 16GBRegex Accel Mezz N/A N/A 1 1 1CardCompact Flash 4GB eUSB 8GB eUSB 8GB eUSB 8GB eUSB 8GB eUSBI/O Ports 6 x 1GbE Cu 6 x 1GbE Cu 8 x 1GbE Cu 8 x 1GbE Cu 8 x 1GbE Cu 1 x 1GbE Cu Mgmt. 1 x 1GbE Cu Mgmt. 1 x 1GbE Cu Mgmt. 1 x 1GbE Cu Mgmt. 1 x 1GbE Cu Mgmt.Optional I/O Module 6 x 1GbE Cu or 6 x 6 x 1GbE Cu or 6 x 6 x 1GbE Cu or 6 x 6 x 1GbE Cu or 6 x 1GbE 6 x 1GbE Cu or 6 x 1GbE 1GbE SFP 1GbE SFP 1GbE SFP SFP SFPPower Single Fixed AC Power Single Fixed AC Power Single Fixed AC Power Dual Hot-Swappable Dual Hot-Swappable Supply Supply Supply Redundant AC Power Redundant AC Power Supply SupplyCrypto Capacity 1 x Crypto Chip 1 x Crypto Chip 1 x Crypto Chip 1 x Crypto Chip 1 x Crypto Chip 4C 4C 4C 8C 8C BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

Cisco ASA 5585-X Series Product Lineup Enterprise Solutions ASA 5585-X ASA 5585-X ASA 5585-X ASA 5585-X with SSP-10 with SSP-20 with SSP-40 with SSP-60Typical Deployment Data Center Data Center Data Center Data CenterPerformance Max Firewall  4 Gbps  10 Gbps  20 Gbps  40 Gbps Max Firewall + IPS  2 Gbps  3 Gbps  5 Gbps  10 Gbps Max IPSec VPN  1 Gbps  2 Gbps  3 Gbps  5 Gbps Max IPSec/SSL VPN Peers  5,000 / 5,000  10,000 / 10,000  10,000 / 10,000  10,000 / 10,000Platform Capabilities Max Firewall Conns  1,000,000  2,000,000  4,000,000  10,000,000 Max Conns/Second  65,000  140,000  240,000  350,000 Packets/Second (64 byte)  1,500,000  3,200,000  6,000,000  10,500,000 Base I/O  8 GE + 2 10GE  8 GE + 2 10GE  6 GE + 4 10GE  6 GE + 4 10GE VLANs Supported  1024  1024  1024  1024 HA Supported  A/A and A/S  A/A and A/S  A/A and A/S  A/A and A/S BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

Cisco ScanSafe Cloud Services Web Filtering Web Security • Web Usage Controls • Anti-malware protection • Application Visibility • Web content analysis • Bi-directional control • Script emulation Centralized Reporting Secure MobilityBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

Cisco ScanSafe Cloud ServicesSolution Overview ScanSafe offers consistent, enforceable, high performance Web security and policy, regardless of where or how users access the internet. BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

Cisco Secure Mobility Demo

Case Study – ReviewFuture HealthCare

Future HealthCare GoalsReview IT Network Issues Employees need secure remote access to corporate intranet and email systems Doctors need secure remote access to patient information and email systems Doctors want access to patient data and internet Employees want access to the internet and email Patients want access to the internet and web mail CTO has security and regulation requirements CSO needs prevention of email spear-phishing attacks IT needs corporate devices secure while still providing network access to commercialized mobile devicesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 55

Future HealthCare ReviewWhat Still Needs to be Done? Need to provide security by providing real-time visibility into and control over all users and devices on your network. Need to enable effective corporate compliance by creating consistent polices across the corporate infrastructure. Need to help stream-line IT and network staff productivity by automating labor-intensive tasks.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

TrustSec

What is TrustSec? TrustSec is an umbrella term used to describe and cover all things that have to do with “Identities” TrustSec is all about providing identity-based access policies to tell network and security administrators who and what is connecting to your networks. In general terms think of TrustSec as the next generation of network admission control (NAC)BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 58

Benefits of TrustSec Identity users and/or devices before granting access to network resources Extend access enforcement throughout the network Guest access Identity non-authenticating IP-based devices Capability to know what is on your network Controlling access to restricted devices and/or data Secure sensitive dataBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

TrustSec Technologies IEEE 802.1x (Dot1x) Wired/Wireless Secure Group Access (SGA) MACSec (IEEE 802.1AE) Profiling Guest ServicesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

Identity Services Engine

How do we do this? Identity Services Engine (ISE) is a Cisco Security policy engine that allows security administrators to control and manage access to the corporate network for  Any One  Any Device  Any Where  Any TimeBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 62

Questions You Should be Asking Yourself? ISE: Policies for People and Devices Authorized Access Guest Access Non-User Devices• How can I restrict access to my • Can I allow guests Internet-only • How do I discover network? access? non-user devices?• Can I manage the risk of using • How do I manage guest access? • Can I determine what personal PCs, tablets, smart- • Can this work in wireless and they are? devices? wired? • Can I control their access?• Access rights on-prem, at • How do I monitor guest • Are they being spoofed? home, on the road? activities?• Devices are healthy? BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 63

Future HealthCare Business Case ReviewHow Does this Help our Business Case? Now we are able to identity when a doctor, nurse or corporate employee is logging in to the network. From the user identity, we can define policies that grant, limit and/or restrict access to network devices and data. Contractors, vendors, patients and guests users we can provide Internet and printer. Non-authenticated devices such as medical devices, printers, badge readers, security cameras and phones we can secure network access. Permit, restrict or deny access based on posture assessment of a device real time.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 64

Advantages of Identity Services Engine Consolidated Services, Session Directory Software Packages Flexible Service Deployment ACS User ID Access RightsNAC Manager Admin M&T All-in-One HA Console NAC Profiler PairNAC Server ISE NAC Guest Location Distributed PDPs Device (& IP/MAC) Simplify Deployment & Admin Tracks Active Users & Devices Optimize Where Services Run Policy Extensibility Manage Security System-wide Monitoring & Group Access Troubleshooting SGT Public Private Staff Permit Permit Guest Permit DenyLink in Policy Information Points Keep Existing Logical Design Consolidate Data, Three-Click Drill-In 65 BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

ISE Packaging and Licensing Base Feature Set Advanced Feature Set Perpetual Licensing Term Licensing • Authentication / Authorization • Device Profiling • Guest Provisioning • Host Posture • Link Encryption Policies • Security Group Access Appliance Platforms Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

A Practical Example of Policies “Employees should be able to access everything but have limited Internet access on personal devices” “Everyone’s traffic should be encrypted” Internal Resources Campus Network“Printers should only ever Cisco Switch communicate internally” Cisco® Identity Services Engine Cisco Access Cisco Switch Cisco Wireless Point LAN Controller BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 68

Future HealthCare Goals Review IT Network Issues Employees need secure remote access to corporate intranet and email systems Doctors need secure remote access to patient information and corporate email systems Doctors want access to patient data and internet Employees want access to the internet and email Patients want access to the internet and web mail CTO has security and regulation requirements CSO needs prevention of email spear-phishing attacks IT needs corporate devices secure while still providing network access to commercialized mobile devicesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 92

Future HealthCare ReviewWhat Still Needs to be Done? Need to provide security for sensitive data from the end-user’s computer and throughout the network infrastructure.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 93

MACSec

MACSec What is it and How Does it Benefit Us?  IEEE 802.1AE-based Encryption ‒ Provides strong 128-bit AES-GCM* encryption ‒ NIST approved encryption algorithm ‒ Line-rate encryption/decryption ‒ Standards-based key management: IEEE 802.1X-Rev  Benefits ‒ Protects against man-in-the-middle attacks including snooping, tampering and replay attacks ‒ Network service amenable to hop-by-hop (link-based) approach as compared to end-to-end approach* NIST Special Publication 800-38D http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf* Galois/Counter Mode (GCM) BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 95

User: Steve MACSec - How Does it Work? Policy: encryptionBob - User: BobMACSec Policy: encryptionenabledclient Campus Network AAA Wiring ClosetSteve – SwitchNon 802.1X-Rev ComponentsMACSecclient • MACSec enabled switches Cisco 3560X/3750X 1 User bob connects. 12.2.(52) SE2 2 Bob’s policy indicates endpoint must encrypt. • AAA server 802.1X-Rev aware 3 Key exchange using MKA, 802.1AE encryption complete. Cisco Identity Services Engine User is placed in corporate VLAN. Session is secured. • Supplicant supporting MKA and 4 User Steve connects 802.1AE encryption 5 Cisco AnyConnect Client Steve’s policy indicates endpoint must encrypt. 6 Endpoint is not MACSec enabled. Assigned to guest VLAN. BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 96

MACSec Access Port (Crypto)  Standards-based encryption on user ports* (IEEE 802.1AE)  MacSec Key Agreement (MKA) standards-based key exchange protocol (IEEE 802.1X-REV MACSec Key Agreement)  Some newer Intel LOM chip sets support MacSec  MACSec-ready hardware: Intel 82576 Gigabit Ethernet Controller Intel 82599 10 Gigabit Ethernet Controller Intel ICH10 - Q45 Express Chipset (1Gbe LOM) (Dell, Lenova, Fujitsu, and HP have desktops shipping with this LOM.)* Please check CCO for the latest MACSec capable switches - www.cisco.com/go/trustsec BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 97

Future HealthCare GoalsReview IT Network Issues Employees need secure remote access to corporate intranet and email systems Doctors need secure remote access to patient information and corporate email systems Doctors want access to patient data and internet Employees want access to the internet and email Patients want access to the internet and web mail CTO has security and regulation requirements CSO needs prevention of email spear-phishing attacks IT needs corporate devices secure while still providing network access to commercialized mobile devicesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 99

Future HealthCare ReviewWhat Still Needs to be Done? Need to prevent sensitive corporate data from traversing the Internet while maintaining compliance with corporate and mandated regulations.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 100

Data Loss Prevention

What is Data Loss Prevention? Data Loss Prevention otherwise known as DLP is technology to inspect and prevent sensitive data from leaking from your corporate network DLP helps CxO maintain corporate and regulations-based policies Examples include HIPAA, GLBA, SOX and PCI compliance DLP is the technology enforcer to prevent accidental or intentional data leakageBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 102

IronPort Email Security ApplianceRSA Data Loss Prevention Cisco IronPort ESA has onboard RSA DLP blade technologies Allows inspection, remediation and compliance with corporate and regulation-based policies DLP remediation actions include:  Notify  BCC  Quarantine  Encrypt  Bounce  DropBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 103

Future HealthCare GoalsReview IT Network Issues Employees need secure remote access to corporate intranet and email systems Doctors need secure remote access to patient information and corporate email systems Doctors want access to patient data and internet Employees want access to the internet and email Patients want access to the internet and web mail CTO has security and regulation requirements CSO needs prevention of email spear-phishing attacks IT needs corporate devices secure while still providing network access to commercialized mobile devicesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 109

Future HealthCare ReviewWhat Still Needs to be Done? Need to prevent end-users from email spear-phishing attacks that could lead to end-uses giving sensitive corporate data such as user account and password.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 110

IronPort Outbreak Filters

IronPort Email Security ApplianceOutbreak Filters Cisco IronPort ESA has updated and rebrand the Virus Outbreak Filters to the newer technology called Outbreak Filters Outbreak Filters still continue to provide Day-Zero Virus Protection Outbreak Filters also now provide Spear-Phishing prevention by rewriting suspicious URLs embedded in email messages Rewritten URLs will be proxy to the ScanSafe Towers (data centers) for web page inspection which is transparent to the end user when they click on the embedded URL in the email If web site is malicious then the end users will receive a “Block” page If web site is found to be good then the web objects for the web page are sent to the end user via the ScanSafe towersBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 112

Summary

Summary / Glossary What is Secure Mobility? ‒ Remote SSL VPN technology that allows integration of the Cisco AnyConnect, Cisco ASA Firewall and Cisco IronPort Web Security Appliance to back haul browser-based web traffic for proxy filtering What is TrustSec? ‒ Umbrella Term Related to all “Identity Networking” ‒ Systems-Approach to Identity NetworkingBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 116

Summary / Glossary What is Identity Services Engine (ISE)? ‒ ISE is the next-generation policy engine for TrustSec ‒ Combines Identity with 802.1X, Posture, Profiling and Guest Lifecycle into a single platform. What is MACSec (IEEE 802.1AE)? ‒ Layer-2 encryption from device to network What is Data Loss Prevention (DLP)? ‒ Technology to inspect and prevent sensitive data from leaking from your corporate network ‒ DLP is the technology enforcer to prevent accidental or intentional data leakageBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 117

Related SessionsOther TrustSec Security Sessions at Cisco Live 2012 BRKSEC-2022 – Demystifying TrustSec, Identity, NAC and ISE BRKSEC-2046 – Cisco TrustSec and Security Group Tagging BRKSEC-3000 – Advanced Securing Borderless Networks BRKSEC-3032 – Deploying TrustSec In Enterprise Branch and WAN Networks BRKSEC-3040 – TrustSec and ISE Deployment Best TECSEC-3030 – Advanced Network Access Control with ISEBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 118

Complete Your OnlineSession Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our Don’t forget to activate your portal) or visit one of the Internet Cisco Live Virtual account for access to stations throughout the Convention all session material, communities, and on-demand and live activities throughout Center. the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 120

Final Thoughts Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042 Come see demos of many key solutions and products in the main Cisco booth 2924 Visit www.ciscoLive365.com after the event for updated PDFs, on- demand session videos, networking, and more! Follow Cisco Live! using social media: ‒ Facebook: https://www.facebook.com/ciscoliveus ‒ Twitter: https://twitter.com/#!/CiscoLive ‒ LinkedIn Group: http://linkd.in/CiscoLIBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 121

Cisco ASA Secure MobilityConfiguration Setup1. SSL Certificate Creation2. Associate trustpoint to Interface3. LDAP Integration4. Connection Profile5. Group Policy6. AnyConnect Packages7. Activate SSL VPN ConfigurationBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 125

Cisco ASA Secure Mobility ConfigurationStep 1 - SSL Certificate CreationCisco Secure Mobility requires the use of the Cisco SSL VPN Clientsoftware – AnyConnectIn order to use AnyConnect SSL VPN software, Cisco ASA must beconfigured with SSL CertificateSSL Certificate can be signed by a trusted root authority such as VeriSign orEntrust -or-Use self-signed SSL certificate generated on the ASA applianceBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 126

Cisco ASA Self-Signed Certificates Certificate Assigned to Trustpoint To verify from the ASA CLI show run crypto ca show crypto ca certBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 127

Cisco ASA Self-Signed CertificatesStep 2. Associate Trustpoint to Interface Associate new trustpoint to outside interface A. Configuration > Device Management > Advanced > SSL Settings B. Associate the new certificate with the outside interface by selecting the outside interface and click the Edit button. C. In the Primary Enrollment Certificate drop-down, select the trustpoint name, click OK. D. Click the Apply button.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 128

Cisco ASA Secure MobilityConfiguration Setup1. SSL Certificate Creation2. Associate trustpoint to Interface3. LDAP IntegrationBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 130

LDAP IntegrationAAA Server Group Configuration Authenticate Remote SSL VPN users via LDAP integration to back-end Active Directory environment A. From ASDM - Configuration > Device Management > Users/AAA > AAA Server Groups B. From the AAA Server Group table, click the ADD button C. Enter Server Group name (user defined) D. Select LDAP from Protocol drop-down box E. Leave remaining values at default settings F. Click OK buttonBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 131

LDAP IntegrationAAA Server Group Configuration (cont.) G. Single click the newly created LDAP AAA server group H. Servers in the Selected Group (bottom table) select the ADD button to define the AAA Server(s) I. Enter the configuration values for LDAP integration Interface: Inside Server Name or IP Address: IP address for AD Server Port: 389 Server Type: Microsoft Base DN: domain name base DN Scope: All levels beneath the Base DN Naming Attributes(s): sAMAccountName Login DN: Username for LDAP Authentication Login Password: password J. Click OK K. Click ApplyBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 133

LDAP IntegrationAAA Server Group Configuration (cont.) J. Click Test button to verify LDAP authentication configuration Change the Radio button from Authorization to Authentication Enter valid domain username and password Receive a windows that reads: “Authentication test to host X.X.X.X is successful.”BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 135

Cisco ASA Secure MobilityConfiguration Setup1. SSL Certificate Creation2. Associate trustpoint to interface3. LDAP Integration4. Connection ProfileBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 137

Connection Profiles Connection Profiles in ASDM are another name for tunnel-groups within the CLI. They provide a means to apply very specific connection attributes to remote users. Once a user is mapped to a connection profile, we can then associate group-level policies. Any attribute not mapped in a connection profile or group-policy will be inherited from the top-level Default Group Policy.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 138

Connection Profiles Configuration  Setup SSL VPN Connection Profile A. From ASDM - Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles B. Click the ADD button to create a new Connection Profile C. Enter Connection Profile Name D. Enter Connection Profile Alias E. Define Authentication parameters Method – AAA AAA Server Group – LDAP Note: The connection profile alias allows administrators to provide custom group names to the end users when they browse to the webpage of the ASA and also defines the group names seen in the AnyConnect client. BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 139

Connection ProfilesConfiguration (cont.) F. Define the Client Address Pool G. Click the Select … button to create client address pool H. Click Add button Enter IP Pool Name Enter Starting IP Address Enter Ending IP Address Enter Subnet Mask I. Click OK button J. Single click the new address pool name K. Click Assign button L. Click OK button M. Click OK buttonBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 141

Cisco ASA Secure MobilityConfiguration Setup1. SSL Certificate Creation2. Associate trustpoint to interface3. LDAP Integration4. Connection Profile5. Group PolicyBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 143

Group Policy VPN Group Policies are a collection of authorization based attribute/value pairs that can be stored in the ASA Configuration or on a Radius/LDAP server. Customized group attributes include: Tunneling Protocols Connection Profile Lock NAC Policy Access Hours Idle Timeout Maximum Connection Time DNS Servers Split Tunneling Split Tunneling SSL VPN Client Settings SSL VPN Client Settings IPSec Client Settings Banner Login Address PoolsBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 144

Group PolicyConfiguration Setup Group Policy A. From the new configured Connection Profile main page Default Group Policy – click Manage … B. Click ADD Button C. Enter Group Policy Name D. Single click on the “More Options” gray bar E. Uncheck the Inherit button for Tunneling Protocols and select “SSL VPN Client” checkbox only. Uncheck any other remaining protocols. F. Select “Servers” menu option. Uncheck the Inherit button for DNS and enter your internal DNS server IP address.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 145

Group PolicyConfiguration (cont.) G. Open the “More Options” and uncheck the inherit button for “Default Domain” and enter your domain name. H. Click OK I. Click OKBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 146

Group PolicyConfiguration (cont.) G. From the Connection Profile main window – Default Group Policy select the newly created group policy from the drop down box. H. Select the checkbox for “Enable SSL VPN Client Protocol” I. Click OK J. Click ApplyBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 148

Cisco ASA Secure MobilityConfiguration Setup1. SSL Certificate Creation2. Associate trustpoint to interface3. LDAP Integration4. Connection Profile5. Group Policy6. AnyConnect PackagesBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 151

AnyConnect Client Preparation Two options for getting Cisco AnyConnect client installed on to end user’s computer ‒ Option #1 – Use pre-install client package for Windows (.msi) or Mac (.dmg) Standard install application or can be pre-deployed and pre-configured. ‒ Option #2 – Download AnyConnect client from ASA clientless SSL VPN web portal. Requires preparation by uploading and configuring the Cisco ASA for deployment of AnyConnect via SSL web portal.BRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 152

Cisco ASA AnyConnect DeploymentMake Sure You Download the Proper Version for ASA Deployment and Not Pre-deployment Versions. First step is to identity the correct AnyConnect images needed for the end user operating systems and versions that are required for your organization. ‒ Supported Operating Systems ‒ Windows 32/64 bit operating system versions ‒ anyconnect-win-<version>-k9.pkg ‒ Mac OS X Intel platforms ‒ anyconnect-macosx-i386-<version>-k9.pkg ‒ Linux 32/64 bit operating system versions ‒ anyconnect-linux-<version>-k9.pkg ‒ anyconnect-linux-64-<version>-k9.pkgBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 153

Cisco ASA AnyConnect DeploymentConfiguration Steps Download the proper AnyConnect images and configure the software client for the ASA. ‒ From ASDM – Configuration > Remote Access SSL VPN > Network (Client) Access > AnyConnect Client Settings ‒ Download the AnyConnect Packages using link from ASDM or pre-download from CCO directly ‒ Upload the AnyConnect Packages from your desktop to disk0:/ on the ASA FirewallBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 154

Cisco ASA Secure MobilityConfiguration Setup1. SSL Certificate Creation2. Associate trustpoint to interface3. LDAP Integration4. Connection Profile5. Group Policy6. AnyConnect Packages7. Activate SSL VPN ConfigurationBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 155

Activate SSL VPN Configuration From ASDM – Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles ‒ Click on the “Allow Access” check-box for the Outside interface. ‒ Click on the “Enable Cisco AnyConnect VPN Client” access check-box on the Outside interface. ‒ Click the Apply ButtonBRKSEC-2000 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 156

Securing Borderless Networks (2012 San Diego)

by Cisco Security on Jun 19, 2012

Statistics

Views

Actions

0 Embeds 0

Accessibility

Categories

Upload Details

Usage Rights

Report content

Securing Borderless Networks (2012 San Diego) Presentation Transcript