32. iPhone 3G/3GS/4/4S, iPad and iPad 2, iTouch
Support for Apple iOS 5-based platforms
Lenovo ThinkPad, Samsung Galaxy, HTC, Cisco Cius
Support for Android-based platforms
38. Web application control
Fine-grained control of web applications
Access control policy / Policy violation
• Instant messaging • File transfer over IM
• Blocking "adult" content
• Facebook: with restrictions • Facebook chat • Bandwidth limiting
• Video: no more than 512 kbit/s • P2P
Example user: accounting department employee
Fine-grained application control
39. The Cisco IronPort WSA solution
Protection against Web 2.0 threats
• Web reputation filters: more than 200 parameters are taken into account, which allows over 70% of "day zero" threats to be blocked
• Web access filtering control: blocking access to URLs (both those assigned to specific categories and unclassified ones); the dynamic content scanning module successfully identifies more than 90% of URLs with unwanted content
• Malware scanning module: blocking of known malware with practically no delay (using both signatures and heuristic analysis)
• Web 2.0 application control: Facebook, Twitter, YouTube, etc.
• Per-user bandwidth management controls (YouTube, etc.)
40. Secure mobility: AnyConnect and others
Components and their functions
1. AnyConnect VPN client
- Ease of connection (always-on connection, trusted network detection)
- Unified agent (VPN, NAM, ScanSafe; NAC in the next version)
2. Cisco IronPort WSA solution
- Malware elimination
- Reputation filters
- Traffic monitor (L4)
- Web resource usage control
Integration / joint operation: Cisco ASA (firewall, VPN, IPS); data exchange between ASA and WSA
Diagram labels: Cisco® AnyConnect, ASA, Cisco WSA; destinations: Corporate AD (corporate network), Facebook (social networks), Salesforce.com (SaaS system)
48. Introducing Cisco ISE
A next-generation information security solution
- Identity and access control: Cisco ACS, AnyConnect
- Identity, access control, posture assessment: NAC Manager, NAC Server
- Profiling, provisioning, monitoring: NAC Profiler, NAC Collector (standalone appliance or a NAC Server module license)
- Guest access lifecycle management: NAC Agent, NAC Guest Server
ISE (consolidates all of the above)
49. Consolidated services in one product / Catalog of current sessions / Flexible deployment schemes
Slide diagram: ACS, NAC Manager, NAC Profiler, NAC Server and NAC Guest converge into ISE; the session catalog tracks User ID, Access Rights, Location and Device (& IP/MAC); deployment ranges from an All-in-One HA Pair to an Admin and M&T Console with Distributed PDPs.
Taglines: Simplify Deployment & Admin; Tracks Active Users & Devices; Optimize Where Services Run
Flexible access policies / Access control based on Security Groups / Detailed monitoring and troubleshooting functions
SGT matrix (source security group vs. destination resource):
SGT | Public | Private
Staff | Permit | Permit
Guest | Permit | Deny
Taglines: Link in Policy Information Points; Keep Existing Logical Design; Consolidate Data, Three-Click Drill-In
66. BYOD implementation based on ISE
Access control (Cisco ISE)
- "I want to allow only the 'right' users and devices to work in my network" -> Authentication services
- "I need users and devices to receive appropriate access to network services (dACL, QoS, etc.)" -> Authorization services
- "I need to allow guest access to the network" -> Guest access lifecycle management
- "I need to allow/deny iPad access to my network (BYOD)" -> Profiling services
- "I need assurance that my endpoints will not become the source of an attack" -> Posture assessment services
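As an added illustration (not Cisco's or ISE's code) of how the five service areas on this slide combine into one first-match access decision, here is a small Python policy evaluator; the rule names, dACL and SGT labels and the sample sessions are constructed for the example, and the SGT matrix is the Staff/Guest versus Public/Private table from slide 49.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class Session:
    """Context gathered for one endpoint session (all fields are constructed)."""
    user: Optional[str]               # None when authentication failed
    groups: frozenset                 # identity groups learned at authentication
    device_type: str                  # from profiling; "unknown" if unprofiled
    posture: str                      # "compliant", "non-compliant" or "unknown"
    now: datetime                     # clock used for guest expiry checks
    guest_expires: Optional[datetime] = None   # set by guest lifecycle management

@dataclass(frozen=True)
class Result:
    """Authorization outcome handed to the access device (hypothetical names)."""
    access: str                       # "permit", "quarantine" or "deny"
    dacl: str                         # downloadable ACL to apply
    sgt: Optional[str] = None         # security group tag for TrustSec enforcement

# Rules are evaluated top to bottom and the first match wins; the catch-all at
# the end makes the policy fail closed for any session nobody thought about.
POLICY = [
    ("auth-failed", lambda s: s.user is None, Result("deny", "DENY_ALL")),
    # Profiling decision from the slide: iPads are refused, whoever holds them.
    ("block-ipad", lambda s: s.device_type == "ipad", Result("deny", "DENY_ALL")),
    # Posture gate: a staff workstation not known to be compliant only reaches remediation.
    ("posture-fail",
     lambda s: "staff" in s.groups and s.device_type == "workstation" and s.posture != "compliant",
     Result("quarantine", "REMEDIATION_ONLY")),
    # Guest lifecycle: an account with no expiry or a past expiry is dead.
    ("guest-expired",
     lambda s: "guest" in s.groups and (s.guest_expires is None or s.now >= s.guest_expires),
     Result("deny", "DENY_ALL")),
    ("guest", lambda s: "guest" in s.groups, Result("permit", "INTERNET_ONLY", sgt="Guest")),
    ("staff-pc", lambda s: "staff" in s.groups and s.device_type == "workstation",
     Result("permit", "PERMIT_ALL", sgt="Staff")),
    # Any other staff device (personal phone, unprofiled box) gets reduced access.
    ("staff-byod", lambda s: "staff" in s.groups, Result("permit", "LIMITED_BYOD", sgt="Staff")),
    ("default-deny", lambda s: True, Result("deny", "DENY_ALL")),
]

def authorize(session: Session) -> Tuple[str, Result]:
    """Return (name of the first matching rule, its authorization result)."""
    for name, matches, result in POLICY:
        if matches(session):
            return name, result
    raise RuntimeError("policy must end with a catch-all rule")

# The SGT matrix from the slide: (source group, destination resource) -> verdict.
SGT_MATRIX = {
    ("Staff", "Public"): "permit", ("Staff", "Private"): "permit",
    ("Guest", "Public"): "permit", ("Guest", "Private"): "deny",
}

def sgt_allows(src_sgt: Optional[str], dst_group: str) -> bool:
    """Egress check a TrustSec-capable switch would make; unlisted pairs are denied."""
    return SGT_MATRIX.get((src_sgt, dst_group)) == "permit"

def sample_sessions() -> List[Session]:
    """Constructed sessions at a fixed clock, one per service area on the slide."""
    t = datetime(2012, 1, 1, tzinfo=timezone.utc)
    return [
        Session("alice", frozenset({"staff"}), "workstation", "compliant", now=t),
        Session("alice", frozenset({"staff"}), "workstation", "unknown", now=t),
        Session("bob", frozenset({"staff"}), "ipad", "unknown", now=t),
        Session("carol", frozenset({"staff"}), "android", "unknown", now=t),
        Session("visitor", frozenset({"guest"}), "unknown", "unknown", now=t,
                guest_expires=datetime(2012, 1, 2, tzinfo=timezone.utc)),
        Session("visitor", frozenset({"guest"}), "unknown", "unknown", now=t,
                guest_expires=datetime(2011, 12, 31, tzinfo=timezone.utc)),
        Session(None, frozenset(), "unknown", "unknown", now=t),
    ]
```

Rule order is the whole point: moving the posture gate above the iPad rule would quarantine iPads instead of denying them, which is why an evaluator like this should be tested against every branch before it is trusted.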
Through our IBSG group, Cisco has worked with customers to do some forecasting of our own. We are predicting that by 2013 there will be one trillion devices connected to the network, up from 35 billion today. That means that one trillion devices will connect people through SMS, video, social networks, email, instant messaging and even ways that we haven't thought of yet. Today, companies are wondering how to leverage that growth, the tremendous increase of even more people connecting through the network, and how to adapt and take advantage of the collective power of the human network. This is part of what we'll talk about in this presentation.
Source: Cisco IBSG
We all know that the way we work is changing. Consumerization, continuous connectivity, device proliferation, and mobility are changing the way we work and share information. These new trends require us to acknowledge that our workforce is driving new demands and a new type of experience. Employees now expect the same experience in the workplace that they get online as consumers. Our goal is to help deliver that experience while helping our employees increase their productivity.
SMARTPHONE: This has steadily grown since we made some of the big entitlement changes, with users being moved off corporate-paid devices and voice/data contracts. This drove our client base to below 24,000; since then it has increased to over 30,000, with the increase coming from users on personal contracts and devices, very much supporting the consumerization story. The biggest growth continues to be iPhones, with Android growing the fastest month on month, very much supporting the prior market slide.
TABLET TIER: The tablet tier is the new tier where we are seeing more devices and multiple-device use. This is driving requests for enterprise-based services and support. With the bigger real estate, users want to do more with them and are looking at ways for the tablet to become more than a companion device. It is ideally the one device users wish to carry. The biggest shift in demand is how to make it more than a consumption-oriented device. With our own Cius the internal demand is going to increase, especially when you integrate with a full suite of Cisco solutions like IWE, Voice, Video and Virtual Desktop Experience. The content in this deck relates to how we enable smartphone and tablet devices at Cisco.
A recent Cisco Connected World Report shows that employees expect to have more flexible work options. For many, such flexibility is even more important than salary. IDC predicts that in 2012 the number of mobile devices is likely to reach 462 million, exceeding PC shipments. Such increased access methods and devices present major challenges for many organizations as they try to maintain a high level of security while supporting productivity and work flexibility. Some specific challenges include:
1) Mobile workers need access to resources on the internal network from anywhere, and they also need access to cloud-based services.
2) The large number of user-owned mobile devices, and the many different types of these devices, make it difficult for organizations to identify the devices and to ensure policy compliance.
3) Without proper protection, data residing on mobile devices becomes a high risk for corporate data loss as well as compliance violations.
In addition to the multi-dimensional complexity of the internet edge, the traffic traversing the internet edge is richer than ever before. Not many years ago the workstations were locked down, and all the applications that you needed to use or access were installed or explicitly made accessible by IT on your machine. If you needed a sales app or a finance app, IT would come and install the application or the fat client on the user's machine. Today the situation is dramatically different. While email was one of the first applications enabling the borderless internet edge experience, the traffic today is much more complex and includes application types like web surfing, video, audio, SaaS, and applications tunneling over the Web (IM, P2P). With more and more traffic going over the Web, HTTP has become the new TCP. It is becoming a more and more common sight for employees to be logged into WebEx, enterprise email, Facebook/LinkedIn and their personal email all at the same time, thus blurring the lines between business traffic and personal traffic at the internet edge. While this has in many ways improved collaboration and productivity, it raises new challenges for effective management of this traffic.
Transcript: So if work isn't a place, it's not something I can draw a line around and I can control, then I have this tension between enabling people to be global on one side of the scale, enabling them to be mobile, enabling them to go out and do these things, and then having it still be secure, making sure that someone doesn't put me out of business by doing something stupid. So that's another way this whole conversation can come up with TrustSec. Part of it is network evolution, as we went through before. The more recent conversations with the customers are happening around devices, though. BYOD, consumerized IT trends. Have you seen that? What's the mix? How many people see more-- I'm going to make you interact whether you want to or not. How many people have seen more BYOD than the network evolution of BN? So about half the room. How about the other way around? And the rest just didn't answer. OK. But there is a lot of BYOD way out there. Questions on how we're defining the problem set? I'm going to get into solutions in a second. We're still doing some of the ways that the customers will set these things up you. But are those clear so far? General grunts of assent.
Author's Original Notes: In the past, security has often been seen as an impediment to the business, or can get in the way of innovation and productivity. The security organization has imperatives such as protecting the organization against threats, achieving compliance, and supporting access to the network. That is balanced against the business imperatives of improving agility, enabling collaboration and driving operational efficiencies. There will always be some natural contention between the two sets of imperatives, but security touches so much of the business these days that better alignment can actually be a strength or an asset.
Security can become the "safety net" that allows the business to innovate and boost user productivity, allowing it to say yes more often and move faster, knowing it has a solid security architecture and strategy in place. And security costs cannot continue to increase; organizations are seeking ways to control cost and tie security to the operational aspects of the business. There is clearly a business driver for security to change.
Transcript:So now we finally get to solutions. What did we build to fix this? We built TrustSec. Similar to what we were talking about on the evolution of borderless networks. We learned our lesson through the years that we really needed to do all of these things together. TrustSec as a solution covers the areas of technology that we had with the appliance overlays. So with ACS, with NAC, with a NAC guest server, with a profiler, all these different boxes that we had. ISE is functionally replacing the orchestration. TrustSec technology built into the infrastructure is doing a lot of the enforcement works. So together as a solution, it's really replaced a lot of these things. We've also gotten smart about the devices in that process too. So it's not just PCs up here. It's now all these other things that we're talking about. It's the additional smart phones. It's the additional tablets. The main benefits to IT when that happens, or to the customer, is the productivity and risk management. So if you're building a value proposition for a customer out of this, those are the two that come up over and over again. The improved operational efficiency, eh. It's nice to have three things up there, and people always like seeing things in three. The two that matter are I'm going to give you a tool that makes your business work in a more modern fashion. That is a powerful message for a lot of customers. The other one is I'm going to make it safe for you to do that. I'm going to make sure that your risk is mitigated. And that's the core value proposition that we're trying to build with this stuff. You've got the problem set up of all these different types of devices, problem set up of all these different types of access methods. And what we're bringing you is a way to keep your network safe. We're bringing you a way to deal with that issue. How many people have had this customer conversation on some level on some technology in the past couple years? You guys up front? 
How did it go?
AUDIENCE: I've got clients [INAUDIBLE] going on right now. And we need to talk after this.
BRENDAN O CONNELL: Excellent. ISE pilot and follow up questions is the answer.
AUDIENCE: [INAUDIBLE] data right now.
BRENDAN O CONNELL: OK, good. Was the customer interest along these lines? Like they're buying it to mitigate risk, or they're buying it to improve efficiency for the pilots that you've got?
AUDIENCE: That customer wanted TrustSec 18 months ago, or 12 months ago to solve the problem of third party access. They had people in their environment that aren't [INAUDIBLE] and they want to control where they go.
BRENDAN O CONNELL: There we go. Yeah. So the comment was the customer's been after it for 18 months because they've had an issue with contractors and guests accessing their network. We'll talk about that. We'll do some deep dives on some of the solution aspects.
Why Cisco/network wins
Cisco Secure Remote Access is a best-of-breed solution, offering a full-featured, mature solution resulting from 15+ years of VPN remote access expertise, proven innovation, and product integration. Our expert engineers have engineered and optimized several generations of Cisco VPN product lines and features, including the VPN 3000 series, the PIX series and the ASA series, offering both IPsec and SSL VPN remote access as well as site-to-site VPN. They have architected the solution for optimum VPN remote access, site-to-site VPN access, and integrated security services, thereby enabling each customer to build their VPN Secure Remote Access solution "a la carte". The best testimonial of this successful design is the adoption of the Cisco VPN remote access solution by millions of remote access users.
Planning to discontinue some platforms: WM, webOS, Symbian
Cisco's on-premise solution is focused on enabling a seamless end-to-end user experience, transparently inserting security into every transaction. The two major components of this are the AnyConnect Secure Mobility Client and the information exchange between the ASA (termination point for the AnyConnect session) and the WSA (policy enforcement and web security).
AnyConnect can be configured to provide an Always-On VPN, meaning that the user must have a secure VPN connection in order to access the Internet. Always-On VPN provides the foundation for changing from the occasionally-protected model. (The "captive portal" case, providing access to log in to a hotspot at a hotel or coffee shop, is fully supported.) Rather than forcing the user to manually select the head-end, the optimal head-end is detected and AnyConnect connects securely to it. If certificates are in use, the user doesn't even need to do anything to authenticate; the connection just happens.
The ASA head-end then communicates with the WSA, providing information on who the user is (avoiding any additional authentication step for the user to access their web content) as well as the fact that they are mobile. The WSA uses this information to apply location-aware policy: for example, both enforcing acceptable use and protecting from malware in the office, but only protecting from malware while mobile.
Another key to making the experience seamless is ensuring that the scanning elements are distributed throughout the network and not just at HQ: pushed out to the capillaries of the network through ISR integration, as well as into the cloud. The recent ScanSafe acquisition accelerates Cisco's ability to deliver security services in the cloud. Over time, Cisco is planning to build a hybrid hosted model in which users will be able to attach to either a company-owned head-end or a cloud enforcement point, whichever provides the best user experience, while getting consistent policy enforcement and security.
In the interim, customers have the choice of on-prem or cloud enforcement for their mobile users. For the cloud-based solution, the Anywhere+ client will redirect web traffic to the Cisco ScanSafe cloud for scanning and enforcement. In the near future, this client will converge with the AnyConnect client for a unified client footprint. Alternatively, customers can use the AnyConnect Secure Mobility client to connect to on-premise equipment for security. We'll dig into this solution in more detail on the next slide.
A recent Cisco Connected World Report shows that employees expect to have more flexible work options. For many, such flexibility is even more important than salary. IDC predicts that in 2012 the number of mobile devices is likely to reach 462 million, exceeding PC shipments. Such increased access methods and devices present major challenges for many organizations. They need to maintain a high level of security while supporting productivity and work flexibility. Issues around these devices include:
- Making sure that users and devices are healthy
- Ensuring that devices are connected securely to services
- Ensuring that devices and users only have access to network resources appropriate to a number of context-based decisions, such as the user's role, the kind of device being used, where it is located, what time it is, what sort of connection is being used, etc.
- The ability to provide consistent policy for any user or device, from the most remote endpoint, across the network, to the center of the data center
- The ability to determine, based on policy, when and if data ought to be secured, and then being able to dynamically enforce data encryption
The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. The Cisco AnyConnect client, which is a piece of software running on mobile devices such as laptops or smartphones, is the industry's only unified client. The latest version, 3.0, supports the following security capabilities:
- SSL VPN and IPsec VPN
- 802.1X authentication
- MACsec encryption
- Wireless connection, authentication and encryption
- Cisco ScanSafe integration
The Cisco AnyConnect client works with Cisco ASA, Cisco Identity Services Engine and additional Cisco security devices to deliver a secure mobility solution that offers:
- Security policy enforcement that is context-aware, comprehensive, and preemptive.
- Connectivity that is intelligent, simple, and always on.
- Highly secure mobility across the rapidly increasing number of managed and unmanaged mobile devices.
Component roles:
- AnyConnect client: automatically creates an SSL VPN, IPsec VPN, or MACsec encrypted tunnel
- Catalyst switch: Cisco TrustSec tags data with access policy, inspects MACsec encrypted traffic, assesses the health of the endpoint device, and provides role-based access
- Cisco ASA: terminates the SSL or IPsec VPN tunnel and provides traffic protection
- Cisco ISE: provides role-based access policy and AAA (Authentication, Authorization, and Accounting) services
- Nexus switch: Cisco TrustSec inspects MACsec encrypted traffic, reads data policy tags, and enforces access policy
Who has which type of access
Cisco has considerable investment in identity features on our infrastructure. A number of differentiators include monitor mode, which allows you to authenticate users without enforcement. Another differentiator is flex auth, our ability to order authentication methods appropriately, along with the right behavior when authentication fails. Interoperability with IP telephony and with VDI environments is also supported. These features are delivered consistently across our entire switch portfolio, so whether you're deploying a Cat 3K, 4K or 6K, the customer just has to select the right switch.
- Application team: control access to PCI customer data based on user and role
- System team: identify data locations with PCI customer data
- Network team: create router and switch access controls for user IP addresses to networks with PCI customer data
Problems:
- Different kinds of device types appearing on the network (wired and wireless): iPads, printers, phones, etc.
- IT needs visibility into all devices
- IT may choose to have a different policy for certain kinds of devices (e.g. don't allow iPads on the network)
- IT needs assurance that a device conforms with its signature, for security reasons
The key component of the TrustSec architecture is ISE. It converges NAC and ACS functionality, from AAA functions to security services like guest, profiling and posture, into one appliance, making the choice of deploying either an "overlay mode" or an "infrastructure integrated mode" a lot simpler for customers.
- The current NAC and ACS hardware platform is software-upgradeable to ISE
- License migration program for all software licenses
- Data and configuration migration tools available*
Policy is the construct to tackle this problem. BYOD has multiple components; we have to bring a broader policy solution set to cover this market in order to differentiate. What's going on in the market (Aruba buying Avenda would be a last-decade solution) is a hodge-podge. Stitch it into a common domain: the original NAC framework vision, a ubiquitous way to have common policy with centralized, distributed deployment.
BYOD is a policy manifestation. There are different philosophical adoption curves; wherever the organization is, multiple capabilities are required to support the policy. The philosophy is: what is your business policy? MDM cannot control access on-prem or over VPN. Distinguish what you want at a policy level from what you want at a management level.
- Comprehensive device provisioning: automated on-premise MDM enrollment with appropriate device and application provisioning
- Detailed user and device context: high-fidelity device info offers true visibility of what is connected; increased device details (OS version, serial number, etc.) enhance policy decisioning
- Increased device and application security: device tracking capabilities upon device loss