Securing the "Bring Your Own Device" concept with Cisco "Identity Services Engine"

Zakaria Ben Letaief – Network Security Consultant

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

Take the BYOD Challenge (only for Customers): Win a Trip to the Olympic Games

http://www.cisco.com/go/challenge

Demand for Mobile Access

[Chart residue: statistics on the share of EU information workers, IT staff time spent keeping up with mobile needs, and employees using new networked mobile devices for work; the figures are not recoverable from the extracted text]

Driving Ongoing Shift to BYOD: Device Diversity is here to stay

User Wants
• Consistent experience on multiple devices
• Seamless transitions between devices
• Separation of work and personal data
• Keep up with tech and social trends

IT Wants
• Proactive adoption of consumer/mobile devices
• Embrace BYOD without sacrificing security, management, business standards
• Lower organizational costs
• Improved agility

BYOD Security Threats and Needs: Employee-owned Mobile Devices Are Riskiest

THREATS
• Difficult to control and secure (1/3 of all workers are out of the office)
• Malware (Web: #1 attack vector)
• Vulnerability to the organization
• Data loss from lost or stolen devices
• Access control breach
• Policy compliance challenges

Addressing BYOD threats
• Protect endpoints from web 2.0 threats
• Provide secure remote access from devices
• Authenticate & Authorize wireless users who are connecting to the network (Guests, Contractors, etc.)

BYOD* is Riskiest. Source: 2011 ISACA IT Risk/Reward Barometer, US Edition (www.isaca.org/risk-reward-barometer)

IT Challenges to Mobile Freedom

The BYOD Spectrum

Limit
• Environment requires tight controls
• Corp Only Device
• Examples: Mfg Environment, Trading Floor, Classified Gov Environments, Traditional Enterprise

Basic
• Focus on basic services, easy access, almost anybody
• Multiple Device Types, But Internet Only
• Examples: Edu, Retail, Public Institutions, Simple Guest

Enhanced
• Enable differentiated services, on-boarding with security – onsite/offsite
• Broader Device Types + Access Methods
• Examples: Healthcare, Early BYOD Enterprise Adopters

Advanced
• Corp native apps, new services, full control
• Corp Issued Multiple Device Types
• Examples: Innovative Enterprises, on Demand Networks, Mobile Sales Services, Enterprise (Video, Collaboration, etc.), Contractor Enablement

Cisco BYOD Building Blocks

• Apps Virtualization
• Policy Management
• Unified Infrastructure
• Security

BYOD Use Cases <-> Solutions

Use Case: Limit
• Business Policy: Block Access
• IT Requirements: Visibility to who/what is on network; Restrict access to only corporate issued devices
• User Scenario (Example): Hospital extends wired access to medical staff only

Use Case: Basic
• Business Policy: Role Based Access (Guest Access)
• IT Requirements: Restrict personal devices to public internet; Restricted access to internal sites
• User Scenario (Example): Hospital provides guest access to patients

Use Case: Enhanced
• Business Policy: Secure granular On-site and Off-Site Mobility
• IT Requirements: Allow granular on-site and off-site access to network/applications
• User Scenario (Example): Doctor uses personal device in hospital and in an offsite coffee-shop

Use Case: Advanced
• Business Policy: Full Workspace Experience
• IT Requirements: Enable a full mobile and collaboration experience
• User Scenario (Example): Hospital administrator is granted full network access and uses native applications (i.e. HR applicant tracking system)

Solution Technology (all use cases unless noted)
• Core network infrastructure: Cisco Switches, Cisco Wireless LAN Infrastructure
• Management: Cisco Prime Infrastructure; 3rd Party MDM (Advanced)
• Identity and Policy: Cisco Identity Services Engine
• Application Virtualization / Desktop Virtualization: Cisco VXI, UCS, Nexus (Enhanced, Advanced)
• Security and Remote Access: Cisco Firewalls, Cisco ESA/WSA, Cisco AnyConnect, ScanSafe (Enhanced, Advanced)
• Applications: Enterprise Apps, Collaboration Apps (Enhanced, Advanced)

BYOD Key Functionality and Success

Key Functionality

• Unified wired and wireless network with centralized policy management

• Sponsored guest and contractor access management that is isolated and accountable

• “AAA” (Authentication, Authorization, and Accounting) to determine “who” accesses your network

• “PP” (Profiling and Provisioning) to simplify onboarding of personal devices and enforce the “what, where, when, and how” users access your network

What is success?

A well designed Mobility / Unified Access Network provides:

• CONTROL (ISE) and VISIBILITY (Prime) for IT

• DEVICE CHOICE and PREDICTABILITY (CleanAir, ClientLink, VideoStream) for Users

• BALANCE between the number of wired ports (1:1 ratio) and wireless radios (25:1 ratio)

Cisco BYOD: Solution to IT Challenges to Mobile Freedom

Agenda

BYOD Mobility & Security Challenges

Cisco Secure Mobility

Identity Services Engine

Cisco Wireless LAN Infrastructure

Cisco Prime

Cisco BYOD in Action


Cisco Secure Mobility

Cisco AnyConnect
Cisco ASA
Cisco Content Security

Cisco Secure Mobility: Cisco AnyConnect

AnyConnect 3.0 (AC Secure Mobility Client) Highlights

• Protocol-agnostic: Client or Clientless; IPSec or SSL VPN

• Automatic: no manual intervention, connection persistence, optimal gateway selection and auto-resume

• Always On: automatically locates the nearest, optimal gateway without requiring credentials

• Flexible License Options: Essentials, Premium, Mobile

• Built for mobility: Support for Apple iOS 4+ (iPhone, iPad, iPod touch), Cisco Cius, Samsung Android, Windows, Mac, Linux

AnyConnect Modularity

Architecture: modules on top of the AnyConnect Core Services Platform
• 802.1x Supplicant / MACsec / SGT
• Posture / HostScan
• IPsec VPN (IKEv2)
• SSL/DTLS VPN
• Cloud Web Security (Win & iOS)

EAP Types (For Your Reference)

EAP Type          | Apple SL (10.5) | Win7 Native | Vista Native | Win XP Native | AC 3.0 | Ubuntu | RHL 5.2 | ACS | ISE | AD  | LDAP
EAP-TLS           | Yes             | Yes         | Yes          | Yes           | Yes    | Yes    | Yes     | Yes | Yes | Yes | Yes
EAP-TTLS          | No              | No          | No           | Yes           | Yes    | Yes    | Yes     | No  | No  | Yes | Yes
PEAP MSCHAPv2     | Yes             | Yes         | Yes          | Yes           | Yes    | Yes    | Yes     | Yes | Yes | Yes | No
PEAP EAP-GTC      | No              | No          | No           | Yes           | Yes    | Yes    | Yes     | Yes | Yes | Yes | Yes
PEAP EAP-TLS      | Yes             | Yes         | Yes          | Yes           | Yes    | Yes    | Yes     | No  | Yes | Yes | Yes
EAP-FAST MSCHAPv2 | No              | No          | No           | Yes           | Yes    | Yes    | Yes     | Yes | Yes | Yes | No
EAP-FAST EAP-GTC  | No              | No          | No           | Yes           | Yes    | Yes    | Yes     | Yes | Yes | Yes | Yes

Ubuntu, RHL = wpa_supplicant

EAP and ID Store Compatibility Reference: http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.html

Cisco Secure Mobility: Cisco Content Security

ScanSafe Secure Mobility With AnyConnect 3.0

Internet Traffic

VPN – Internal Traffic (optional)

AnyConnect Secure Mobility

Web Application Controls: Granular control over Web apps

Access Control Policy / Access Control Violation examples
• Instant Messaging
• File Transfer over IM
• Block adult content
• Facebook: Limited Apps
• Facebook Chat, Email
• Bandwidth limits
• Video: 512 kbps max
• P2P

Employee in Finance

Granular Control over Application Usage

Hybrid Web Security Protection

News Email

AnyConnect Information Sharing Between ASA and WSA

ASA Cisco Web Security Appliance Social Networking Enterprise SaaS

Corporate AD


ISE: An Architectural Approach Based on Two Fundamentals

1. Dynamic Context: understand the Who, What, Where, When and How on your network by extracting information from the infrastructure
2. Abstracted Policy: business level policy definition that gets automatically mapped and directly enforced on the infrastructure

Infrastructure: Cisco 2900/3560/3700/4500/6500 switches & Nexus 7000; Cisco ASA, ISR, ASR 1000; wireless and routing infrastructure

Introducing Identity Services Engine: Next Generation Policy Management Solution Portfolio

ISE (Identity + Provisioning) consolidates functions previously delivered by separate products:
• Identity & Access Control: Access Control Solution, AnyConnect
• Identity & Access Control + Posture: NAC Manager, NAC Server, NAC Agent
• Device Profiling & Monitoring: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
• Guest Lifecycle Management: NAC Guest Server

BYOD Starts with a Policy: Access Control

Cisco ISE provides:
• "I want to allow the 'right' users and devices on my network" -> Authentication Services
• "I want users and devices to receive appropriate network services" -> Authorization Services (dACL, QoS, etc.)
• "I want to allow guests into the network" -> Guest Lifecycle Management
• "I need to allow/deny iPads in my network (BYOD)" -> Profiling Services
• "I need to ensure my endpoints don't become a threat vector" -> Posture Services

Example of a Simple BYOD Policy

• "Employees can access everything from either corporate or personal devices. But non employees are blocked."
• "Employees are required to use corporate devices. Personal devices are not allowed and there is no guest access."
• "Employees can access everything from corporate devices. Employees on personal devices and partners have restricted access."

(Diagram: ISE on the Campus Network controlling access to the Internet, Internal Resources and Limited Resources)

How do we Build a BYOD Policy? What are the Required Parts of the Policy?

Corp Asset?
• AD Member?
• Static List?
• MDM?
• Certificate?

AuthC Type
• Machine Certs?
• User Certs?
• Uname/Pwd

Profile
• i-Device
• Android
• Windows
• Other

AuthZ Result
• Full Access
• internet only
• VDI+internet

Example of BYOD Policy in ISE Using a Pre-Defined List of Assets

Registered BYOD User Results

i-Device Provisioning Options

• To identify a corporate-owned or personal device, a unique identifier (UDID, MAC Address, IMEI number, etc.) may be used
• The recommended authC method is certificate-based EAP-TLS
• There are different ways to provision digital certificates for wired and wireless devices
• Some Mobile Device Management (MDM) systems and Cisco SDP are able to insert device-specific identifiers as a common name in the certificate

Device Enrollment and Provisioning Example with 3 SSIDs

1. iOS device connects to the Provisioning SSID
2. Employee is authenticated & authorized to connect to the Cert server
3. Enrollment and provisioning: the new Wi-Fi Profile includes the UA_Employee configuration
4. For future connections, use the UA_Employee SSID

Certificate Enrollment and Provisioning: SDP/SCEP

• Steps to provision a digital certificate

Client Redirection to the SDP Router (For Your Reference)

• To enhance the user experience, the user can be redirected to the provisioning SDP URL automatically
• When the user tries to browse the web, the session is redirected
• An authorization policy can be used to include the SDP URL

User Experience

• The user interaction with the SDP router consists of several screens to accept the new certificate and profile
• The user opens the Safari browser and gets redirected to the start page URL, or enters the start page URL manually
• The Start Phase begins, offering the user to install the profile
• Once the user clicks on "Install", the introduction phase begins

What is the Future of BYOD with ISE? Supplicant and Certificate Provisioning: ISE 1.1MnR

Features being added to 1.1 Minor Release-1 of ISE (~Summer '12):
• Will handle Certificate Provisioning as a "Remote Authority" (RA) Proxy Certificate Enrollment for all Devices
• Builds Supplicant Configuration Profiles for Devices
• Allows Self-Registration of Devices & Ties Registration to Employee ID

Demo

Corporate Device vs BYOD

Centralized Policy Engine with profiling. Policy inputs: USER, LOCATION, TIME, DEVICE, Access Method. Attribute sources: HTTP, DHCP, NETFLOW, DNS, RADIUS, SNMP.

Single SSID on the Wireless LAN Controller (Unified Access Management): Corporate Resources on VLAN 10 (Corp Access Only), Restricted/Personal access on VLAN 20.

Corporate Issued Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforced to "VLAN 10" on same SSID
5. Full access granted
6. Full device visibility

PERSONAL Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforced to "VLAN 10 or 20" on same SSID
5. Full or Restricted access granted
6. Full device visibility

Corporate Devices vs Guest Access

1. Corporate Device: EAP Authentication against ISE
2. Accept with VLAN 10 (Corporate Resources)
3. Guest: Web Auth
4. Accept with GUEST ACL (Guest VLAN 30, Internet)

(Diagram: APs connect to the controller over CAPWAP; an 802.1Q trunk carries VLAN 10 and VLAN 30)

• Users with Corporate Devices with their AD user id can be assigned to VLAN 10
• Guests authenticate via Web Auth and are assigned a GUEST-ACL on the Guest VLAN 30

Profiling Attribute Sources for Mobile (For Your Reference)

• For mobile device detection, use a combination of HTTP, RADIUS, DHCP, and DNS probes

Probe Type                   | Info Provided                                   | Example
RADIUS (Calling-Station-ID)  | MAC Address (OUI)                               | 0A:1B:2C = vendor X
DHCP (host-name)             | Hostname (default may include device type)      | jsmith-ipad
DHCP (dhcp-class-identifier) | Device class / type                             | BlackBerry, Cisco wireless IP phone
DNS (reverse IP lookup)      | FQDN (default hostname may include device type) | jsmith-ipad.company.com
HTTP (User-Agent)            | Details on specific mobile device type          | iPad, iPhone, iPod, Android, Win7

Profiling via HTTP inspection is regex based, with an approximate rate of 500-1200 events/sec with all services running. Profiling is therefore done only at connect time and not for data traffic.
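The following is an added example (not from the deck or from Cisco) showing how the probe attributes in the table above can be combined into the deck's profile buckets (i-Device, Android, Windows, Other) and then fed, together with the "Corp Asset?" and "AuthC Type" inputs, into the AuthZ results listed earlier (Full Access, internet only, VDI+internet). The OUI table, the corporate asset list and the policy rules are constructed for illustration; the profile labels and result names are the deck's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables for this example (the deck only gives "0A:1B:2C = vendor X").
OUI_VENDORS = {"0A:1B:2C": "vendor X"}
CORP_ASSET_MACS = {"0A:1B:2C:00:00:01"}           # pre-defined static list of corporate assets
UA_PATTERNS = [                                  # HTTP User-Agent profiling is regex based
    (re.compile(r"\b(iPad|iPhone|iPod)\b"), "i-Device"),
    (re.compile(r"\bAndroid\b"), "Android"),
    (re.compile(r"Windows NT"), "Windows"),
]
NAME_PATTERNS = [                                # default hostnames often embed the device type
    (re.compile(r"ipad|iphone|ipod"), "i-Device"),
    (re.compile(r"android"), "Android"),
]


@dataclass
class Probes:
    """Attributes gathered at connect time from the RADIUS, DHCP, DNS and HTTP probes."""
    calling_station_id: Optional[str] = None      # RADIUS: client MAC address
    dhcp_host_name: Optional[str] = None          # DHCP option 12 (host-name)
    dhcp_class_identifier: Optional[str] = None   # DHCP option 60 (dhcp-class-identifier)
    dns_fqdn: Optional[str] = None                # reverse lookup of the client IP
    http_user_agent: Optional[str] = None         # from HTTP inspection


def oui_vendor(mac: str) -> str:
    """Resolve the first three octets of a MAC to a vendor ('Unknown' if not in the table)."""
    return OUI_VENDORS.get(mac.upper()[:8], "Unknown")


def profile_device(p: Probes) -> str:
    """Combine the probes into one of the deck's buckets: i-Device, Android, Windows, Other."""
    if p.http_user_agent:                         # most specific source, so checked first
        for rx, label in UA_PATTERNS:
            if rx.search(p.http_user_agent):
                return label
    names = " ".join(filter(None, [p.dhcp_host_name, p.dns_fqdn])).lower()
    for rx, label in NAME_PATTERNS:
        if rx.search(names):
            return label
    # "MSFT 5.0" is the vendor class identifier sent by the Windows DHCP client.
    if p.dhcp_class_identifier and p.dhcp_class_identifier.startswith("MSFT"):
        return "Windows"
    return "Other"


def authorize(p: Probes, employee: bool, authc: str) -> str:
    """Constructed policy in the spirit of the deck's third example: employees on
    corporate devices get everything, employees on personal devices and
    non-employees get restricted access. authc is 'machine-cert', 'user-cert'
    or 'password'. Every probe attribute is supplied by the client, so a MAC on
    the asset list only counts as a corporate asset together with a machine
    certificate (the deck's recommended EAP-TLS), never on its own."""
    mac = (p.calling_station_id or "").upper()
    corp_asset = mac in CORP_ASSET_MACS and authc == "machine-cert"
    if not employee:
        return "internet only"                    # partner/guest: GUEST-ACL style result
    if corp_asset:
        return "Full Access"
    profile = profile_device(p)
    if authc == "user-cert" and profile in ("i-Device", "Android"):
        return "VDI+internet"                     # registered personal mobile device
    return "internet only"                        # password-only or unprofiled personal device


if __name__ == "__main__":
    # Constructed sample probes: a corporate Windows laptop and an employee's personal iPad.
    laptop = Probes(calling_station_id="0a:1b:2c:00:00:01", dhcp_class_identifier="MSFT 5.0")
    ipad = Probes(calling_station_id="0a:1b:2c:00:00:99", dhcp_host_name="jsmith-ipad",
                  http_user_agent="Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit")
    for name, probes, authc in [("laptop", laptop, "machine-cert"), ("ipad", ipad, "user-cert")]:
        print(name, oui_vendor(probes.calling_station_id), profile_device(probes),
              authorize(probes, employee=True, authc=authc))
```
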

ISE Licensing Options (For Your Reference)

Function          | Base Lic | Adv Lic | Wireless Lic
Authc & Authz     | X        |         | X*
Guest Services    | X        |         | X*
Monitoring        | X        |         | X*
Posture           |          | X       | X*
Profile           |          | X       | X*
SGA               |          | X       | X*
End Point Protect |          | X       | X*

*: Only for Wireless Endpoints


New Wireless Controller Scale

Cisco 2500 Controller
• Desktop Appliance
• 4 GE ports
• 50 Access Points
• 500 Mbps
• Small Enterprise and Full Service Branch

Wireless Services Module on ISR SRE
• Software on ISR module
• 50 Access Points
• 500 Mbps
• Lean Branch Deployments

Cisco 5500
• 1 RU appliance
• 500 Access Points
• 8 GE ports
• 8 Gbps
• Mid-Large Enterprise and Full Service Branch

Blade for Catalyst
• 1000 Access Points
• 20 Gbps
• Mid-Large Enterprise

Cisco Flex 7500 Cloud Controller
• 1 RU Appliance
• 3000 Access Points
• 1000 FlexGroups
• Multiple lean branch deployments

Scale and Performance

What is FlexConnect (Previously HREAP)?

• FlexConnect = Hybrid Remote Access Point Architecture
• Single Management & Control point (Central Site)
• Centralized Traffic (Split MAC) or Local Traffic (Local MAC) at the Remote Office, across the WAN
• 300 msec RTT for voice+data deployment
• 100 msec RTT for voice only deployment

FlexConnect Enhancements – Rel 7.2

Scale
• 3000 APs
• 30,000 clients
• 1000 flex groups

Throughput
• 1 Gbps

Gaps vs local/5500
• External webauth in local switch mode
• Data DTLS - OEAP
• Outdoor AP/mesh
• FIPS on 7500
• ISE support profiling

New Features
• Local mode
• WGB/UWGB
• Flexconnect ACL (AP)
• Videostream
• Flexconnect AP efficient upgrade
• IPv6 mobility
• CWA supported with ISE 1.1
• AAA ACL override
• Support for .1x central, AAA vlan override, auth parity, fast roaming for voice, OEAP
• ACLs – dynamic (controller)
• Trustsec SXP

Additional New Functionality – Rel 7.2 (For Your Reference)

Cisco CleanAir Improvements
• Benefits: Reduced radio interference alerts and troubleshooting; Improved wireless reliability and remediation
• Customizes air quality thresholds to each customer's wireless environment
• Flexibility to configure multiple AP groups with unique radio characteristics per AP group

MSE Enhancements
• Benefits: Flexible deployment options; Improved security and reliability
• Virtual Appliance: 50k endpoints, 10k Adaptive wIPS
• HA: 2:1, 1:1 configs supported
• 9 new security alarms
• GPS coordinates supported

AP Groups and RF profiles
• Benefits: Customize the wireless network to business needs and locations; Simple to create and manage multiple groups
• Capability to segment and form virtual subgroups of access points
• Capability to apply different RF configurations for different access point groups

Enhanced quality-of-service (QoS) prioritization
• Benefits: Flexible deployment options; Improved security and reliability
• Increased flexibility to apply QoS priority against unicast and multicast traffic on a per WLAN basis within the access point

Cisco Aironet 3600 Access Point: Up to 30% better Performance

• 4x4 ANTENNA DESIGN, 3 SPATIAL STREAMS: Fastest, most consistent device uplink speeds, sustained further from the AP
• CLIENTLINK 2.0 BEAMFORMING: Fastest downlink performance to ALL mobile devices: 802.11a/g and now 802.11n across 1, 2, and 3 spatial streams
• CLEANAIR SPECTRUM INTELLIGENCE: Always-on interference protection, plus new optional full-spectrum monitoring module
• FUTURE-PROOF MODULAR DESIGN: Flexible upgrades and add-on options for future technologies, with capacity for more mobile devices

Cisco Aironet 3600 Series Access Points

Cisco's CleanAir Technology: Industry's first chip level proactive and automatic interference protection

BEFORE: Wireless interference decreases reliability and performance
AFTER: CleanAir mitigates RF interference, improving reliability and performance

[Chart: Wireless Client Performance vs. Air Quality, before and after CleanAir]

Cisco CleanAir – Improves Performance and Predictability

Why is Cisco's CleanAir Technology so Unique? High resolution interference detection, classification, and mitigation at chip level

• CleanAir Radio ASIC
• Detect Wi-Fi and non-Wi-Fi interference sources
• Assess impact to Wi-Fi performance
• Proactively change channels when interference occurs
• Monitor air quality

Detect | Classify | Locate | Mitigate

Cisco's ClientLink / ClientLink 2.0 Technology: Advanced beam forming technology improves wireless client performance

BEFORE: Beam not directed towards clients, resulting in inconsistent performance
AFTER: Beam directed towards client, resulting in consistent experience and better performance

Applies to 802.11a/g (ClientLink) or 802.11a/g/n (ClientLink 2.0) clients.

[Chart: Wireless Client Performance vs. Beam Strength for 802.11n, with and without beam forming]

Cisco ClientLink - Improves Predictability and Performance

VideoStream Scale, Single Stream - Test Results

• 91% Better Than Competitor A
• 138% Better Than Competitor A

• Test Case 1 – As many clients as possible on one AP with one 2MB or 5MB stream (all clients use the same bitrate). The quality should not degrade to less than a Video MOS of 4.0 (Only a few artifacts).


"How do I manage the proliferation of mobile devices and users.."

The Customer Problem…

BYOD is Changing the IT/User Equilibrium

• Users: Provide a Predictable User Experience to Applications and Services
• IT: Provide IT with Control and Visibility to manage User Experience and Security

ANY USER, ANYWHERE, ANYTIME, ANY DEVICE

Using Cisco Prime to Deliver the Cisco Advantage

ONLY Cisco can provide:
• Converged wired/wireless access and integrated policy management – simplified troubleshooting and monitoring of end-user access from a single tool
• Complete end-to-end network visibility from the mobile client to the data center – for understanding, troubleshooting and fixing application, services and end-user related issues
• End-to-end lifecycle management for ALL Cisco network devices – automates and augments many of the day-to-day tasks associated with managing the network

Troubleshoot Wired and Wireless Access Using Cisco Prime for Converged Client Devices

USE CASE: User calls in to help center because they cannot get access to financial data on the network. IT determines if they are authorized to access this area.

Cisco Prime Network Control System (NCS)

Step by Step Recommendations
1. Search on user name
2. Identify wired and wireless devices associated with the user
3. Display associated and disassociated devices
4. Use automated client troubleshooting workflow to resolve the issue
5. Issue resolved

Troubleshoot user and access issues based on identity
Speed resolution with intuitive guided workflows

Isolate End User Network Application Issues: Improved troubleshooting and visibility across Wireless & Wired

USE CASE: End User calls about issues with his Mobile Jabber Video App

1. End-Users Complain: User calls and complains about video problem on his Cius
2. Isolate the end user problem
3. View the application status
4. Where is the problem: Quickly identify the source of the WAN problem
5. Fix the problem (WAN optimization)

(Diagram: Application Servers as VMs on Cisco Nexus 1000V, Virtual Cisco WAAS, DC and Cloud)

Quickly identify the source of the problem. Reduces the expertise required by normalizing and correlating performance data.


Addressing BYOD Needs

It is a wireless infrastructure problem

It is a security problem and needs a security solution

It is a device management problem

It needs a virtualization solution

It is a device problem and needs IT friendly devices

Remote access


Gartner Implicit View of BYOD Strategy Leader: Only Cisco is the Leader in Each of These Key Areas

• Wireless LAN
• Wired LAN
• Unified Communications
• NAC (BYOD)
• VPN
• Web Security

Resources

• Cisco Unified Wireless LAN Network: http://www.cisco.com/go/wireless
• AnyConnect Secure Mobility: http://www.cisco.com/go/anyconnect
• ASA: http://www.cisco.com/go/asa
• ScanSafe: http://www.cisco.com/go/scansafe
• IronPort: http://www.cisco.com/go/ironport
• Identity Services Engine: http://www.cisco.com/go/ise

BYOD Demos via YouTube

• BYOD (ISE) Demo on YouTube: http://youtube.com/watch?v=pZFuGw88CXQ

• BYOD (AC/iPhone) Demo on YouTube: http://www.youtube.com/watch?v=pP1uteL7Z8c

• ISE VOD Overview on YouTube: http://www.youtube.com/watch?v=kGGqjrJpvgk

Thank you.