#CLMEL Duo Security: Journey toward Zero Trust

Karl Lewis, Solutions Engineer - APJC BRKSEC-2718


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• Introduction
• Where did Zero-Trust come from?
• Why are traditional approaches failing?
• How does Zero-Trust address these new challenges?
• What does the journey look like? Where do I get value?
• Use Cases and Architecture: How does it really work?
• Live Demo and Integrations discussion
• Q&A

Different Words, Similar Ideas

2003-ish: The Jericho Forum talks about “de-perimeterization”
2009: John Kindervag at Forrester describes a “Zero Trust model”
2013: Google discusses their first implementation, called “BeyondCorp”

Don’t trust something just because it’s on the “inside” of your firewall.

It doesn’t mean you don’t need a firewall.


Traditional approaches to security are falling short.

A castle wall only works when everything you need to protect is INSIDE and the attackers are OUTSIDE.

The New IT Reality: It’s more difficult to establish user and device trust

1. Apps are available on-premises plus via IaaS and SaaS
2. Employees, contractors and others access these apps with BYOD and mobile devices
3. Attackers most often cause data breaches by directly accessing these apps via compromised passwords and devices

CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.

Security Risks Persist with Traditional MFA
● Poorly deployed and cannot support all applications, exposing security gaps
● 81% of breaches leverage either stolen or weak passwords (Source: Verizon, 10th edition of the Data Breach Investigations Report)
● Cumbersome tokens and one-time passwords; not user friendly

Compromised Devices Can Access Your Data
● Admins lack time to patch all corporate (managed) devices
● 99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021) (Source: Gartner, Dale Gardner, 2018 Security Summit)
● End users access data with personal (unmanaged) devices
● End users don’t want admins to take control of personal devices

Two questions
1. How do you prevent attacks that use stolen (yet legitimate) credentials?
2. How do you stop devices with poor security hygiene from accessing critical apps?

A New Model for Security: Duo Trusted Access

Trusted Users: Strong user authentication for all types of users.
Trusted Devices: Establish device trust without agents.
Every Application: Consistent user experience for every application.
Visibility and Policies across all of the above.

Many deployments are limited or not user friendly

Cloud-silo providers: Prioritize securing access to just their single cloud
SDP-silo providers: Must deploy new agents on all endpoints
Identity-silo providers: Offer limited app coverage and device visibility
EMM-silo providers: Require device control, including BYO, for trust

SDP = Software-Defined Perimeter | EMM = Enterprise Mobility Management

Zero Trust “Beyond” Concept

● Assume every access attempt originates from an untrusted network.
● Protect every application in the same manner regardless of where it is hosted or how it’s accessed.
● Enable every worker to work successfully from untrusted networks without needing a client VPN.
● Manage the privileges for any application access.

Duo Beyond

Enable the rapid adoption of the zero trust architecture by deploying its core components through a single, extensible platform

Zero-Trust Maturity Model

5. Zero-Trust security (Duo Beyond): Enable every employee to work securely from untrusted networks without the use of a VPN. Assume all networks are untrusted. Migrate access policies from the network to the application.
4. Inspect Devices for Trust (Duo Beyond): Securely enable complete BYOD and mobility for all employees. Allow or deny a device trying to connect to a work application based on the device trust level and policy.
3. Enable Adaptive Policies (Duo Access): Protect access to applications by creating and enforcing adaptive, risk-based policies. Tier applications, users and devices based on risk.
2. Gain Visibility Into Devices & Activity (Duo Access): Create an inventory of all devices used to access work applications. Understand application access activity and risks.
1. Verify Users for Trust (Duo MFA): Protect from compromised credentials. Enable strong authentication for all apps/users.

Figure: Benefit: Security. Verify identity for any user and hygiene for any device. Building blocks: multi-factor authentication, access policy, remote access and agent(less) assessment, and app access. The chart plots device trustworthiness over time with example events: mobile push, latest OS, profile compliant, outdated browser, jailbroken OS, patched browser, failed phishing campaign.

Figure: Benefit: User Experience. Grant easier, safer access to specific work apps. Any user/device, including third-party and personal, passes an access policy (user + device) and single sign-on to reach private apps and public apps, delivered via SaaS or SD-perimeters.

Time to get technical!

Duo never touches the primary authentication. The core service and policy engine is always in the cloud. Second-factor methods:
• Duo Push
• Mobile Passcode
• Phone, SMS
• HOTP Token
• U2F/WebAuthn
• Bypass

Secure Any Corporate Application

Integration documents are available at duo.com/docs

Duo MFA Supports Your Work Applications
Start Here, Then Expand: VPN / RA, Multicloud, Email / MSFT, On-Prem, SSO, Custom
Integration methods: REST APIs, Web SDK, RADIUS, SAML, RRAS, OIDC
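The separation of factors described above (Duo never sees the primary credential), as an added Python example that is not part of the deck and not Duo's own client library: the application verifies the password against its own user store and only then builds the Duo Auth API call that pushes the second factor. The ikey, skey, api_host, the local user table and the password are constructed placeholders; the request-signing scheme (HMAC-SHA1 over the Date header, method, lowercase host, path and canonical parameters, sent as HTTP Basic ikey:hexdigest) is the one Duo's API documentation describes, but this code is mine. Sending the request over HTTPS is left to the caller so the block runs offline.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials for this example; never commit real keys.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "constructed-secret-key-replace-with-real-skey"
API_HOST = "api-xxxxxxxx.duosecurity.com"

# Constructed local user store: primary authentication stays in the application.
# Salted PBKDF2 digests; Duo's cloud never sees these passwords.
_USERS = {
    "lee": ("salt-lee", hashlib.pbkdf2_hmac("sha256", b"correct horse", b"salt-lee", 100_000).hex()),
}


def verify_primary(username, password):
    """Primary factor, checked locally. True only for a valid username/password pair."""
    entry = _USERS.get(username)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()
    return hmac.compare_digest(candidate, digest)


def canonicalize_params(params):
    """Duo's parameter canonicalization: sort by key, RFC 3986 percent-encode ('~' is the only extra safe char), join with '&'."""
    return "&".join(
        urllib.parse.quote(str(k), safe="~") + "=" + urllib.parse.quote(str(params[k]), safe="~")
        for k in sorted(params)
    )


def canonical_request(date, method, host, path, params):
    """The string that gets signed: Date header value, METHOD, lowercase host, path, canonical params, newline-joined."""
    return "\n".join([date, method.upper(), host.lower(), path, canonicalize_params(params)])


def sign_request(method, path, params, date, ikey=IKEY, skey=SKEY, host=API_HOST):
    """Headers for a Duo API call: HMAC-SHA1 over the canonical request, sent as HTTP Basic ikey:hexdigest."""
    canon = canonical_request(date, method, host, path, params)
    digest = hmac.new(skey.encode("utf-8"), canon.encode("utf-8"), hashlib.sha1).hexdigest()
    basic = base64.b64encode(f"{ikey}:{digest}".encode("ascii")).decode("ascii")
    return {"Date": date, "Authorization": f"Basic {basic}"}


def decode_basic(authorization):
    """Split a 'Basic ...' header back into (ikey, hexdigest); useful when checking what you are about to send."""
    return base64.b64decode(authorization.split(" ", 1)[1]).decode("ascii").split(":", 1)


def build_second_factor_call(username, client_ip, date=None):
    """After primary auth succeeds, build the Auth API POST /auth/v2/auth request (factor=push, device=auto).
    Returns (method, path, headers, form_body); the caller sends it over HTTPS to API_HOST."""
    if date is None:
        date = email.utils.formatdate(usegmt=True)   # RFC 2822 date; it is part of the signature
    params = {"username": username, "factor": "push", "device": "auto", "ipaddr": client_ip}
    headers = sign_request("POST", "/auth/v2/auth", params, date)
    return "POST", "/auth/v2/auth", headers, canonicalize_params(params)


def login(username, password, client_ip, date=None):
    """Separation of factors in one place: no Duo call at all unless the primary factor is valid."""
    if not verify_primary(username, password):
        return None
    return build_second_factor_call(username, client_ip, date)
```

Note that the skey is used only to compute the signature and never leaves the application, and that a failed primary login returns before any network call, so an attacker with a stolen password still has to get past the push on the user's phone, while an attacker who cannot guess the password never triggers a push at all.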

Learn more about application integrations

Cisco + Duo Better Together.

Duo & AnyConnect Secure Remote Access

● Secure AnyConnect in under 30 minutes
● User authentication in seconds
● Works with the AnyConnect thick client and SSL VPN
● Several integration options
● Available on ASA and FTD

Duo and AnyConnect: Integration options

ASA: Use Duo Access Gateway (SAML) for ASA. Best user experience, with Trusted Endpoints support coming soon.
FTD/ASA: Use Duo Auth Proxy (RADIUS). The user receives an automatic push. Consider for older ASA versions and for FTD.

Duo Access Gateway (SAML): Cisco ASA only

Requirements:
1. A SAML gateway such as Duo Access Gateway (DAG) for SSO. Read more here.
2. ASA version 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher within each release train
3. AnyConnect 4.6 or later

Learn more about AnyConnect SAML integration

Duo Access Gateway (SAML): Cisco ASA only (Demo)

RADIUS: Available with Cisco ASA or FTD

Requirements:
1. Cisco ASA 8.3 or later
2. Cisco FTD 6.3 or later
3. Duo Auth Proxy

Learn more about AnyConnect RADIUS integration
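The RADIUS option above runs through the Duo Authentication Proxy, which reads an authproxy.cfg file. The fragment below is an added example for this page, not configuration shipped with the deck or by Duo; the hosts, service account, ikey, skey, api_host and shared secret are placeholders, and the section and key names are the ones the Auth Proxy documentation defines. It shows the one setting worth thinking about before go-live: failmode.

```ini
; authproxy.cfg (constructed example). Replace every REPLACE_ME and the ikey / api_host values.

; Primary authentication source. The proxy validates the password against AD itself,
; so Duo's cloud only ever sees the username, never the password.
[ad_client]
host=dc1.example.com
host_2=dc2.example.com
service_account_username=svc-duo-proxy
service_account_password=REPLACE_ME
search_dn=DC=example,DC=com

; RADIUS listener the ASA/FTD points at. "auto" = automatic push or phone call after
; primary auth succeeds, which is what gives AnyConnect users the one-tap experience.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_ME
client=ad_client
port=1812
; failmode=safe (the default) admits users on primary auth alone if Duo's cloud is unreachable.
; For an Internet-facing remote-access VPN that is the weaker choice: failmode=secure rejects
; logins instead, so an outage (or a blocked path to api_host) cannot be turned into an MFA bypass.
failmode=secure
```

Pair this with a RADIUS server timeout on the ASA/FTD long enough for the push to be answered (Duo's AnyConnect RADIUS guide raises it to 60 seconds); with the default short timeout the ASA retransmits before the user can tap Approve and the user sees duplicate pushes. Keep the proxy's own host firewalled so that only radius_ip_1 can reach port 1812, since anything that can speak RADIUS to it with the shared secret can drive primary authentication attempts against AD.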

RADIUS: Available with Cisco ASA or FTD (Demo)

LDAP: Available with Cisco ASA or FTD (Demo)

Duo & Cisco ISE Device Posture

Figure: Cloud SaaS path: compliant device → MFA → allow access; non-compliant device → self-remediation / block. Corporate network path (Cisco ISE): trusted device → user MFA → allow access; untrusted device → quarantine access.

Software-defined access policy evolution: Cisco Identity Services Engine (ISE) takes the zero trust approach to network access; Duo takes the zero trust approach to app access.

Trusted Access across Hybrid IT Enterprises

Table: rows are headless devices and user + device, each on-prem and off-prem; columns are the IoT access solution, app/services access (on-prem and cloud) and the mobile & BYOD access solution. ISE appears in the on-prem network-access cells (including IoT), Duo in the cloud and off-prem app-access cells, “ISE or Duo” where both apply, and the off-prem user + device row ends in Duo MFA.
☨ Integrated with AnyConnect
* Duo Beyond with Network Gateway (i.e. reverse proxy)
** Duo Access for BYOD

Duo for Microsoft

Duo Can Easily Secure O365

Duo Access Gateway: 3rd Party Identity Provider or On-premises Directory; integration with DAG/Duo SSO
Native SSO and IdP Support: On-premises Directory; integration with ADFS
Native Azure-AD Conditional Access: integration with Azure AD

MFA for Windows Login / Remote Desktop (RDP)

Learn how to set up Duo's RDP

MFA for Windows Login / Remote Desktop (RDP) (Demo)

Temporary Offline Authentication for Windows

Scenarios: executive on a plane, salesperson at a hotel, vendor at a customer site.

Users need to authenticate with MFA into their machines before they can reach the internet or a captive portal, so the second factor has to work without a connection to Duo’s cloud.

Supported Auth Methods for Windows Offline

Duo Mobile Passcode
● Use the smartphone you own
● Enter a one-time passcode
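Duo Mobile passcodes, like the “HOTP Token” method listed earlier, are HOTP (RFC 4226) codes: an HMAC-SHA1 over a counter, truncated to six digits. The block below is an added example, not the deck’s or Duo’s code: it generates HOTP codes and shows how an offline verifier accepts each code once, tolerates codes the user generated and skipped within a look-ahead window, refuses replays, and caps the number of offline logins before the machine must come back online and re-sync. The secret is the RFC 4226 test-vector key; the window size and login budget are assumptions of this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OfflinePasscodeVerifier:
    """Verifier state for one enrolled token, as an endpoint would hold it after its last sync.

    last_counter is the highest counter already consumed. A passcode is accepted only if it matches
    one of the next `look_ahead` counters: this tolerates codes the user generated and never typed,
    while any code at or below last_counter is dead, so a captured passcode cannot be replayed.
    offline_logins bounds how many times the cached state may be used before an online login is required.
    """

    def __init__(self, secret: bytes, last_counter: int = -1, look_ahead: int = 20, offline_logins: int = 10):
        self.secret = secret
        self.last_counter = last_counter
        self.look_ahead = look_ahead
        self.offline_logins_left = offline_logins

    def verify(self, code: str) -> bool:
        if self.offline_logins_left <= 0:
            return False  # budget exhausted: the machine must reconnect and authenticate online
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate  # advance: this code and everything before it is now unusable
                self.offline_logins_left -= 1
                return True
        return False
```

The look-ahead window is the trade-off to tune: a larger window survives more skipped codes but gives an online guesser proportionally more valid six-digit values at any moment, so it belongs together with a lockout after a handful of failed attempts.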

Understanding SAML 2.0: This is SAML

Terminology

Security Assertion Markup Language (SAML) is an XML-based standard used to federate identities for authentication.

A Service Provider (SP) is an application that consumes SAML assertions, e.g. cloud apps such as Google, Salesforce, Box and Slack.

An Identity Provider (IdP) authenticates users and provides information about users’ identities.

A Trust relationship (exchanged metadata and signing certificates) must be established between an SP and an IdP for identity federation and single sign-on (SSO) to function.

An Assertion is a package of information that supplies one or more statements made by a SAML authority (the IdP). There are three types of statements: authentication, attribute and authorization decision.

Identity Federation

SAML 2.0 is widely adopted by thousands of cloud applications. Once a trust is established between an SP and an IdP, SAML 2.0 requests and responses are used to verify and share user login state with cloud applications. SAML federation verifies the authentication state of a user using a logon token (not shared credentials).

Flow between the web browser, the Service Provider (SP, Salesforce) and the Identity Provider (IdP, the DAG):
1) Lee navigates to Salesforce.
2) Salesforce sends an authentication request to the IdP (SAML Auth request).
3) The DAG verifies Lee is authenticated or prompts for auth (parses the SAML Auth request and generates a token).
4) Lee’s browser is sent to the DAG SSO URL.
6) The DAG redirects Lee’s browser to Salesforce to allow access (SAML token response).
7) Lee accesses Salesforce (verified SAML token).
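The exchange above, as an added Python example that is not code from the deck or from the DAG: the SP side of SAML 2.0, with the checks a relying party has to make before it trusts the token in step 7. The entity IDs, URLs, the user lee@example.com and the sample response are constructed; XML signature verification is deliberately left to a library (python3-saml or similar) and assumed to have passed before validate_response runs, because without it every check below can be forged.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed identifiers: the SP plays the Salesforce role, the IdP plays the DAG role.
SP_ENTITY_ID = "https://app.example.com/sp"
ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://dag.example.com/dag/saml2/idp/metadata.php"
IDP_SSO_URL = "https://dag.example.com/dag/saml2/idp/SSOService.php"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(outstanding, now):
    """Step 2: the SP mints an AuthnRequest and records its ID so the reply can be tied back to it."""
    req_id = "_" + secrets.token_hex(16)
    outstanding[req_id] = now
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _ts(now), "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return req_id, ET.tostring(root, encoding="unicode")


def sample_response(in_response_to, now, name_id="lee@example.com", audience=SP_ENTITY_ID):
    """Step 6 as the IdP would send it (constructed; the XML signature the DAG adds is omitted)."""
    not_before, not_after = _ts(now - timedelta(minutes=1)), _ts(now + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(8)}"
    Version="2.0" IssueInstant="{_ts(now)}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}"
            NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, outstanding, now, skew=timedelta(minutes=3)):
    """Step 7: checks the SP makes after the XML signature has been verified against the IdP's
    certificate (left to a library such as python3-saml; not done here). Returns the NameID."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding:
        raise ValueError("unsolicited or replayed response (unknown InResponseTo)")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("no Assertion/Conditions")
    if now + skew < _parse_ts(cond.get("NotBefore")) or now - skew >= _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion is for a different audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id \
            or now - skew >= _parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation does not match this SP and request")
    del outstanding[req_id]  # consume the request ID: a second copy of this response is a replay
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def run_flow(now=None):
    """The whole exchange end to end, plus three responses that must be rejected."""
    now = now or datetime(2019, 3, 7, 9, 0, tzinfo=timezone.utc)
    outstanding = {}
    req_id, _ = build_authn_request(outstanding, now)
    resp = sample_response(req_id, now + timedelta(seconds=30))
    result = {"name_id": validate_response(resp, outstanding, now + timedelta(seconds=45))}
    attempts = {
        "replay": (resp, outstanding, now + timedelta(seconds=50)),
        "expired": (resp, {req_id: now}, now + timedelta(hours=1)),
        "wrong_audience": (sample_response(req_id, now, audience="https://other.example/sp"), {req_id: now}, now),
    }
    for label, (xml_text, pending, at) in attempts.items():
        try:
            validate_response(xml_text, pending, at)
            result[label] = "accepted"
        except ValueError as exc:
            result[label] = str(exc)
    return result
```

The audience and InResponseTo checks are what stop an assertion issued for one SP from being replayed at another, and what stop an attacker who captured a valid response from presenting it a second time; the clock-skew allowance is kept small because NotOnOrAfter is the only thing bounding how long a stolen response stays useful.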

Improve End User Productivity with Duo’s SSO

● Easily access all cloud applications from a single dashboard

● Enable consistent security controls across cloud applications

● Secure every cloud application

Duo SSO for Cloud apps

Duo Access Gateway (DAG) Setup

Duo Access Gateway Documentation

Third Party SSO/IAM Support

● Integrate Duo natively across multiple Identity / SSO platforms

● Provide Consistent end user experience and security controls across all applications

● Easily gain device visibility & trust across all applications

Duo SSO for Cloud apps

DAG IdP Authentication Sources

DAG Authentication Sources: The DAG is an IdP that verifies authentication requests against an on-premise or cloud identity database.
● On-premise: Microsoft AD, LDAP
● Cloud: Microsoft Azure AD, G Suite (Google), SAML IdP, OpenID Connect

Cloud Identity Providers: The DAG can be configured to use SAML or OIDC for cloud identities through 3rd-party providers.
● SAML Providers: Shibboleth, Microsoft AD FS, CA SSO, Radiant Logic, F5, Okta, Juniper, OneLogin, Oracle, SecureAuth, many more
● OIDC Providers: G Suite (Google), Microsoft Azure

Why is Duo’s SSO More Secure?
● Strong authentication: Combining SSO with MFA reduces the risk of unauthorized access to applications.
● Step-up authentication: Define policies that match application security tiers.
● Separation of factors: As a security best practice Duo does not manage primary credentials, so a compromise of the directory or password store does not also hand the attacker the second factor.
● Device health: Ensure user devices are up to date before granting access to critical cloud applications.

Duo Network Gateway: Detect user & device context for internal HTTP/S and SSH apps

Figure: A trusted user on a trusted device on the public Internet reaches the DNG (192.0.0.1/24, port 443), which brokers access to internal web apps (*.domain.local, hosts 10.0.0.1-4) and SSH, grouped into Tier 1, Tier 2 and Tier 3 security groups.

Use Duo Beyond to secure access to internal networks and the public cloud.

What is a reverse proxy?

• A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself.[1] Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client.

Deliver secure remote access without VPN

Setting Up Duo Network Gateway (DNG)

● Deploy a Duo Network Gateway in the DMZ using Docker, with both “public” and “internal” access.
● Configure your SAML IdP for primary auth.
● Configure DNG with Duo for secondary auth.
● Configure a web application on the DNG for your protected “internal” application.
● Create public DNS entries for your protected internal web apps that point to the DNG’s public interface.
● Users access the “internal” app using their browser.

Demo: SSH Access with Duo Beyond

https://demo.duo.com/ssh-remote-access

Verify Trust for Any Device: Limit Access to Compliant Devices

● Identify corporate-owned & BYOD
● Verify if devices are out-of-date and potentially vulnerable to security risks
● Block out-of-date or untrusted devices from accessing critical applications
● Apply policies consistently for any device platform: Windows, MacOS, iOS & Android

How does Duo Establish Trust in Devices?

Security Posture Visibility: Duo’s Unified Endpoint Visibility inspects the device at the time of access without installing any endpoint agents.
Endpoint Management Status: Duo’s Trusted Endpoints integrates with endpoint management systems to detect if the device is managed by your IT.

Unified Device Visibility with Duo

Mobile Devices
● Corp managed asset status
● Biometrics (Touch/Face) status
● Screen lock status
● OS condition (tampered) status
● Encryption status
● Platform type
● Device OS type
● Device OS version
● Device owner
● Duo Mobile version

Laptops / Desktops
● Corp managed asset status*
● Device owner
● OS type
● OS versions
● Browser type
● Browser versions
● Flash & Java plugin versions
● OS, browser and plugin status

* Additional conditions (disk encryption, anti-virus, etc.) can be assumed for policy from the corp managed asset status.

Learn more about Unified Device Visibility

Improve Security Posture by Informing the User
● End users get just-in-time notification about out-of-date OS, browsers, Flash and Java
● If users do not update by a certain day, the endpoints are blocked

Learn more about self remediation

Device Management (Trusted Endpoint): Trust if the Device is Managed

Mobile
● Duo: the Duo Mobile app can be used to trust mobile devices (great for customers without MDM)
● Native: AirWatch, MobileIron, Google G Suite, Sophos
● Alternative: Duo has a generic cert deployment

Windows
● Native: Microsoft AD, Ivanti (Landesk)
● Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc.
● Alternative: Duo has a generic cert deployment

MacOS
● Native: Jamf
● Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc.
● Alternative: Duo has a generic cert deployment

Learn more about Trusted Endpoints

How Trusted Device Verification Works (Win/Mac)

1. Duo issues certs for client auth to managed devices from our cloud-based PKI.
2. The user logs into a browser-based, Duo-protected app showing the inline Duo prompt.
3. Successful primary login to the web app redirects the client to Duo.
4. Duo’s cloud service applies the Trusted Endpoints policy setting to the access attempt.
5. The Duo prompt checks for the Duo device cert in the user’s personal store. If present, Duo reports the endpoint as trusted.
6. If the Duo cert isn’t present, we report that the endpoint does not have a cert (and is therefore not a managed endpoint). App access may be blocked from that device.
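An adaptive policy over the visibility attributes listed earlier (outdated OS or browser, tampered OS, encryption and screen lock), the warn-then-block self-remediation deadline, and the managed/unmanaged result of the Trusted Endpoints certificate check above, as an added Python example that is not Duo’s policy engine: it returns ALLOW, WARN (user is told what to update but still gets in) or BLOCK per application tier, and flips WARN to BLOCK once the update deadline passes. Minimum versions, the tier numbering and the deadline are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed minimum versions for this example; a real policy is set in the Duo Admin Panel.
MINIMUM_VERSIONS = {
    "windows": "10.0", "macos": "10.14", "ios": "12.1", "android": "9.0",
    "chrome": "72", "firefox": "65", "safari": "12", "edge": "44",
}


@dataclass
class Device:
    """What the inline prompt reports about the endpoint at access time (no agent required)."""
    platform: str            # windows | macos | ios | android
    os_version: str
    browser: str
    browser_version: str
    managed: bool            # Trusted Endpoints: Duo-issued client cert found (Win/Mac) or MDM/Duo Mobile attested
    tampered: bool = False   # jailbroken / rooted
    encrypted: bool = True
    screen_lock: bool = True


def version_key(version):
    """'10.14.3' -> (10, 14, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def outdated(name, version):
    """True when the named OS or browser is below the policy floor; unknown names are not judged."""
    floor = MINIMUM_VERSIONS.get(name.lower())
    return floor is not None and version_key(version) < version_key(floor)


def evaluate(device, app_tier, today, update_deadline):
    """Decide one access attempt.

    app_tier: 1 = most sensitive (managed device required, no grace period), 2 = standard, 3 = low risk.
    today / update_deadline: ISO dates; out-of-date devices are warned until the deadline, then blocked.
    Returns (decision, reasons) with decision in {"ALLOW", "WARN", "BLOCK"}.
    """
    if device.tampered:
        return "BLOCK", ["tampered OS"]
    if device.platform in ("ios", "android") and not (device.encrypted and device.screen_lock):
        return "BLOCK", ["mobile device without encryption and screen lock"]

    reasons = []
    if outdated(device.platform, device.os_version):
        reasons.append(f"{device.platform} {device.os_version} is below {MINIMUM_VERSIONS[device.platform.lower()]}")
    if outdated(device.browser, device.browser_version):
        reasons.append(f"{device.browser} {device.browser_version} is below {MINIMUM_VERSIONS[device.browser.lower()]}")

    if app_tier == 1 and not device.managed:
        return "BLOCK", reasons + ["tier 1 app requires a managed (trusted) endpoint"]
    if not reasons:
        return "ALLOW", []
    if app_tier == 1 or date.fromisoformat(today) >= date.fromisoformat(update_deadline):
        return "BLOCK", reasons
    # Self-remediation: tell the user what to update, keep letting them in until the deadline.
    return "WARN", reasons
```

Two points the code makes explicit: the managed check is a cert-presence signal, so it says the device is enrolled, not that it is healthy, which is why tier 1 still applies the version floors on top of it; and the grace period is per tier, so the same out-of-date laptop gets a warning on a tier 2 app and a refusal on a tier 1 app on the same day.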


Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
