
Identity Services Engine Overview and Update

Identity Services Engine Overview and Update presentation for Cisco Connect Canada Tour 2014.

Published in: Technology
  • identity context


  1. Identity Services Engine: Overview & Update. Abhi Gupta, SE, 30 September 2014.
  2. Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control. (Cisco Public. © 2013-2014 Cisco and/or its affiliates. All rights reserved.)
     • Who, What, Where, When, How: VM client, IP device, guest, employee, remote user; wired, wireless, VPN.
     • Business-relevant policies. Replaces AAA & RADIUS, NAC, guest management & device identity servers.
     • Security policy attributes; identity context.
  3. Cisco Identity Services Engine (ISE): Consistent Secure Access Policy. Context data (How, What, Who, Where, When) from the network and partners feeds ISE. Cisco ISE is the market leader.
  4. Role of Cisco ISE in the Attack Continuum. ISE provides visibility, context, and control across the entire continuum: BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate). Technologies placed on the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web + Email Security, Advanced Malware Protection, Network Behavior Analysis, pxGrid + ISE Ecosystem.
  5. Customer use cases for ISE:
     • Guest Access Management: easily provide guests limited-time, limited-resource Internet access.
     • BYOD and Enterprise Mobility: seamlessly & securely onboard devices with the right levels of access.
     • Secure Access across the Entire Network: simplify & unify enterprise network access policy across wired, wireless, & VPN.
     • With Cisco TrustSec®: identity-aware network segmentation and access policy enforcement.
  6. (no slide text)
  7. Guest Access Flow: redirection of the guest web session to the Cisco® ISE guest portal for authentication. Components shown: ISE, switches, WLC, AP, sponsor, local RADIUS, workstations, mobile (iPhone), guest. Sample login shown: "Imran" / "********".
  8. Life Cycle Management (Provision, Manage, Notify, Report): create guest accounts in the sponsor portal; create sponsor policy; manage sponsor groups; customize portals; notify guests using different methods (print, email, SMS); report on all aspects of guest accounts.
  9. Sponsoring Guests:
     • Branding with Themes! Themes give you complete control over the look and feel of your sponsor portal.
     • Mobile Sponsors: You are free to move about the cabin! Create a guest account on the fly from your smartphone / tablet away from your desk.
     • Streamlined Guest Creation: set up your sponsor portal to show only the fields you need for your business. Create accounts; deliver by print, email, SMS.
  10. Branded Guest Notifications: guest receipts with your brand. Whether you're delivering guest credentials on the printed page, over email or SMS, ISE makes it easy to deliver your complete branded experience. SMS Notifications: send credentials directly to a guest's mobile phone. Email Notifications: Do you have guests visiting? Send them login credentials before they even arrive! (Sample receipt: "Your credentials: username trex42, password littlearms".)
  11. New Guest Portal Admin. A Guest Button: with our new navigation, getting to the Guest admin has never been easier. Prepackaged Flows: ships with the default flows used by 90% of our customers: Hotspot, Self-Service (with or without approval), & Sponsored. One Stop Setup: once you're there, all the pieces you need are accessed in one place.
  12. Guest Portal building made easy. End User Visibility: ISE makes the end user experience crystal clear as it updates the guest flow diagram in real time with each settings change. Admin Friendly: through extensive user research we've made guest settings so easy to find that setting up a guest flow can be done in just a few clicks.
  13. Customize with Themes. Themes give you complete control over the look and feel of your guest pages. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS. Live Preview: see your pages as the guests will see them as you customize. Full Page Control: use our defaults or customize every field in multiple languages.
  14. (no slide text)
  15. BYOD Spectrum, from most to least controlled:
     • Managed User + Managed Device: environment requires tight controls; company's native applications, new services, and full control.
     • Managed User + Unmanaged Device + Secure + Compliance.
     • Managed User + Unmanaged Device + Secure.
     • Managed User + Unmanaged Device: basic services and easy access for everyone; register, configure connectivity.
  16. What Does Cisco ISE offer? Multiple device support; certificate provisioning; multiple network topologies; blacklisting and reinstating of devices; self-registration.
  17. BYOD Flow, Use Case: Single SSID BYOD-Secure (components: access point, ISE, Wireless LAN Controller, AD/LDAP, personal asset):
     • User connects to open SSID
     • Redirected to WebAuth portal
     • User enters employee or guest credentials
     • Guest signs AUP and gets guest access
     • Employee registers device
     • Downloads certificate
     • Downloads supplicant configuration
     • Employee reconnects using EAP-TLS
  18. Cisco ISE Certificate Authority. Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure. The ISE Certificate Authority is designed to work in concert as a self-contained solution or with your existing enterprise PKI to simplify BYOD deployments.
     • Single management console: manage endpoints and their certs. Delete an endpoint and ISE deletes the cert.
     • Simplified deployment: supports stand-alone and subordinate deployments. Removes the corporate PKI team from every BYOD interaction.
     • Native Certificate Authority: designed for BYOD use cases only, not a general-purpose CA. Self-contained, or optionally subordinate to an enterprise root.
  19. PKI Hierarchy and Roles:
     • PAN is Root CA for the ISE cube.
     • All PSNs are subordinate CAs to the PAN.
     • PSNs are SCEP Registration Authorities (RAs).
     • ISE PAN may be subordinate to an existing Root CA or may be a stand-alone root.
     • Promotion of Standby PAN: will not have any effect on operation of the subordinate CAs. For the Standby to become Root CA, the private/public keys from the Primary PAN must be installed manually.
     (Diagram: Enterprise Root (optional) above the Primary ISE CA (PAN) and Standby PAN; below them, each PSN is a Subordinate CA and SCEP RA.)
  20. Certificate Template(s):
     • Define internal or external CA
     • Set the key sizes
     • SAN field options: UUID, DNS name, MAC address, serial #; no free-form additions
     • Set length of validity
  21. MDM Integration:
     • ISE can query the MDM server using APIs.
     • Compliance based on, at the macro level, the general Compliant or !Compliant status, or, at the micro level, disk encryption enabled, PIN lock enabled, jail-broken status.
     • MDM attributes available for policy conditions.
     • "Passive Reassessment": bulk recheck against the MDM server using a configurable timer. If the result of a periodic recheck shows that a connected device is no longer compliant, Cisco® ISE sends a CoA to terminate the session.
     (Slide labels: Macro level, Micro level, Survivability, Attribute.)
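The passive reassessment loop from slide 21, as an added example that is not Cisco or ISE code: a bulk recheck of every active session against MDM attributes at macro or micro level, emitting one CoA disconnect per session that has fallen out of compliance. The attribute names, the session table and the shape of the CoA request are assumptions for illustration, and the on_missing behaviour for devices the MDM does not know is likewise an assumption.

```python
"""Passive reassessment of MDM compliance, modelled on ISE's periodic recheck (added example,
not Cisco code; attribute names, session table and CoA shape are assumptions)."""
from dataclasses import dataclass

# Constructed answers a periodic MDM API query might return, keyed by endpoint MAC.
MDM_RECORDS = {
    "00:11:22:33:44:55": {"compliant": True,  "disk_encryption": True,  "pin_lock": True,  "jailbroken": False},
    "66:77:88:99:aa:bb": {"compliant": True,  "disk_encryption": True,  "pin_lock": False, "jailbroken": False},
    "cc:dd:ee:ff:00:11": {"compliant": False, "disk_encryption": False, "pin_lock": True,  "jailbroken": False},
    "22:33:44:55:66:77": {"compliant": True,  "disk_encryption": True,  "pin_lock": True,  "jailbroken": True},
}

@dataclass(frozen=True)
class Session:
    mac: str          # endpoint identity used to look the device up in the MDM
    session_id: str   # RADIUS session to terminate if the device falls out of compliance
    nas_ip: str       # network device (switch/WLC) that receives the CoA

# Constructed active-session table; the last MAC is unknown to the MDM.
SESSIONS = [
    Session("00:11:22:33:44:55", "s1", "10.0.0.1"),
    Session("66:77:88:99:aa:bb", "s2", "10.0.0.1"),
    Session("cc:dd:ee:ff:00:11", "s3", "10.0.0.2"),
    Session("22:33:44:55:66:77", "s4", "10.0.0.2"),
    Session("ff:ff:ff:ff:ff:ff", "s5", "10.0.0.3"),
]

def is_compliant(attrs, level="macro"):
    """Macro level trusts the MDM's overall verdict; micro level checks each attribute the slide lists."""
    if level == "macro":
        return bool(attrs["compliant"])
    return bool(attrs["disk_encryption"] and attrs["pin_lock"] and not attrs["jailbroken"])

def reassess(sessions, mdm_records, level="macro", on_missing="keep"):
    """Bulk recheck of every connected session, as the configurable timer would trigger it.
    Returns one CoA Disconnect-Request per session that is no longer compliant. on_missing is
    an assumption: "keep" leaves a session up when the MDM has no record, "terminate" drops it."""
    coa = []
    for s in sessions:
        attrs = mdm_records.get(s.mac)
        if attrs is None and on_missing == "keep":
            continue
        if attrs is None or not is_compliant(attrs, level):
            coa.append({"type": "Disconnect-Request", "nas_ip": s.nas_ip, "session_id": s.session_id,
                        "reason": "mdm-unknown" if attrs is None else f"mdm-{level}-noncompliant"})
    return coa
```

Note that a device the MDM reports as compliant overall but jailbroken passes the macro check and fails the micro check, which is why the two levels yield different CoA sets.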
  22. (no slide text)
  23. Secure Access: context-aware classification; context-aware policy enforcement; role-based, dynamic provisioning. ISE answers Who? What? When? Where? How?
  24. Cisco ISE Authentication Policy (Who? How?): Who = 802.1X managed users. Examples: employees and staff, faculty and students, or extended access to partners and contractors. Primary authentication methods: 802.1X or agent-based.
  25. ISE Multi-Forest Active Directory Support. ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises (example-1.com, example-2.com, ... example-n.com).
     • Support for up to 50 concurrent Active Directory multi-join points.
     • No need for a two-way trust relationship between domains.
     • Advanced algorithms for dealing with identical usernames.
  26. Terminology: a 1.3 AD instance == a 1.2 AD. A scope defines selected instances. Here we have 3 AD instances for Scope A out of 5 AD instances configured on the ISE (acs.com, Company-B.com, Company-C.com, Company-D.com, Company-E.com). The acs.com forest shown: oceania.acs.com, australia.oceania.acs.com, canberra.australia.oceania.acs.com, amer.acs.com, brazil.south.amer.acs.com.
  27. Authentication Policy: an individual AD instance can be selected, or scopes can be selected (All_AD_Instances is a synthetic scope created automatically to select all configured AD instances).
  28. Authorization Policy, sample policy (Who?). Permissions = authorizations:
     • Employee_iPAD: Set VLAN = 30 (Corporate Access)
     • Contractor_iPAD: Set VLAN = 40 (Internet Only)
  29. What is Profiling? Collection: the process of collecting data to be used for identifying devices; uses probes for collecting device attributes (NMAP, SNMP, HTTP, RADIUS, DHCP, LLDP, NetFlow). Classification: classifies based on device fingerprint.
  30. ISE Authorization, Smartphones and Corporate Policy (Who = Employee, What = ?). Permissions = authorizations:
     • Employee Phone: Set VLAN = 601 (Internet Only)
     • Employee PC: Set VLAN = 603 (Full Access)
  31. What is Posture? Posture is the state of compliance with the company's security policy. Is the system running the current Windows patches? Do you have anti-virus software installed? Is it up to date? Do you have anti-spyware software installed? Is it up to date?
  32. Cisco ISE Posture Policy Example. Corporate policy: must have Kaspersky AV installed; automatic remediation enforced. Guest policy: must have AV installed but can be ANY vendor.
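The authorization rules of slides 28 and 30 combined with the posture policy of slide 32, as an added example that is not ISE code or its policy syntax: a first-match rule set over identity group, profiled device type and posture, plus a check for rules that the ordering makes unreachable. The VLAN numbers come from the slides; gating the full-access VLAN on the Kaspersky posture check and the remediation rule are assumptions.

```python
"""First-match authorization over identity group, profiled device type and posture (added example,
not ISE code; VLANs are the slides' samples, the posture gating and remediation rule are assumptions)."""
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    identity_group: str   # from authentication (AD group): Employee, Contractor, Guest
    device_type: str      # from profiling: iPad, Smartphone, Workstation, Unknown
    posture: str          # from the posture agent: Compliant, NonCompliant, Unknown
    av_vendor: str = ""   # AV product the agent reported, "" if none

def posture_ok(ep, required_vendor=None):
    """Corporate policy names a vendor; guest policy accepts any vendor (slide 32)."""
    if ep.posture != "Compliant" or not ep.av_vendor:
        return False
    return required_vendor is None or ep.av_vendor == required_vendor

# (rule name, condition, permissions); evaluated top-down, first match wins, last rule is the default.
RULES = [
    ("Employee_iPAD",   lambda e: e.identity_group == "Employee" and e.device_type == "iPad", {"vlan": 30, "access": "Corporate Access"}),
    ("Contractor_iPAD", lambda e: e.identity_group == "Contractor" and e.device_type == "iPad", {"vlan": 40, "access": "Internet Only"}),
    ("Employee_Phone",  lambda e: e.identity_group == "Employee" and e.device_type == "Smartphone", {"vlan": 601, "access": "Internet Only"}),
    ("Employee_PC",     lambda e: e.identity_group == "Employee" and e.device_type == "Workstation" and posture_ok(e, "Kaspersky"), {"vlan": 603, "access": "Full Access"}),
    ("Employee_PC_Remediate", lambda e: e.identity_group == "Employee" and e.device_type == "Workstation", {"vlan": 601, "access": "Internet Only", "redirect": "remediation"}),
    ("Guest_AnyAV",     lambda e: e.identity_group == "Guest" and posture_ok(e), {"vlan": 40, "access": "Internet Only"}),
    ("Default_Deny",    lambda e: True, {"access": "Deny"}),
]

def authorize(ep, rules=RULES):
    """Return (rule name, permissions) of the first rule whose condition the endpoint satisfies."""
    for name, cond, perm in rules:
        if cond(ep):
            return name, dict(perm)
    raise RuntimeError("no rule matched; the rule set must end with a catch-all")

def shadowed_rules(rules=RULES):
    """Rules no endpoint can ever reach under first-match: the ordering mistake that would leave
    every compliant PC in the remediation VLAN if the two Employee_PC rules were swapped."""
    space = itertools.product(["Employee", "Contractor", "Guest"],
                              ["iPad", "Smartphone", "Workstation", "Unknown"],
                              ["Compliant", "NonCompliant", "Unknown"],
                              ["Kaspersky", "OtherAV", ""])
    reached = {authorize(Endpoint(*attrs), rules)[0] for attrs in space}
    return [name for name, _, _ in rules if name not in reached]
```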
  33. Cisco ISE Posture Agents: Cisco NAC Agent; Cisco AnyConnect 4.0.
  34. (no slide text)
  35. Tree View: AuthC protocols, identity store.
  36. Filters in Live Log & Live Sessions.
  37. Off-Line Examination of Configuration: exportable policy; quick link to the Export page.
  38. Exports as XML.
  39. Only Cisco ISE delivers...
     • Consistent Secure Access, a solid foundation today & tomorrow: simplified, unified policy management for access; innovation & market leadership in NAC, at the core of Cisco security & solutions.
     • Unparalleled Visibility & Context: get a clearer picture of who and what is on your network.
     • Advanced Threat Containment: detect threats from compromised devices via health checks & SIEM/TD.
  40. Abhi Gupta, SE, abhigup@cisco.com; Rob Bleeker, CSE, robleeke@cisco.com.
