Duo Access Gateway (SAML): Cisco ASA Only
#CLMEL Duo Security: Journey toward Zero Trust
Karl Lewis, Solutions Engineer - APJC
BRKSEC-2718, Cisco Live Melbourne
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2718

Agenda
• Introduction
• Where did Zero Trust come from?
• Why are traditional approaches failing?
• How does Zero Trust address these new challenges?
• What does the journey look like? Where do I get value?
• Use cases and architecture: how does it really work?
• Live demo and integrations discussion
• Q&A

Different Words, Similar Ideas
• 2003-ish: The Jericho Forum discusses "de-perimeterization"
• 2009: John Kindervag at Forrester describes a "Zero Trust model"
• 2013: Google talks about their first implementation, called "BeyondCorp"

Don't trust something just because it's on the "inside" of your firewall. It doesn't mean you don't need a firewall.

Traditional approaches to security are falling short
A castle wall only works when everything you need to protect is INSIDE and the attackers are OUTSIDE.
The New IT Reality
It's more difficult to establish user and device trust:
1. Apps are available on-premises plus via IaaS and SaaS
2. Employees, contractors and others access these apps with BYOD and mobile devices
3. Attackers most often cause data breaches by directly accessing these apps via compromised passwords and devices
CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.

Security Risks Persist with Traditional MFA
• Poorly deployed and cannot support all applications, exposing security gaps
• Cumbersome tokens and one-time passwords; not user friendly
• 81% of breaches leverage either stolen or weak passwords (Source: Verizon, 10th edition of the Data Breach Investigations Report)

Compromised Devices Can Access Your Data
• Admins lack time to patch all corporate (managed) devices
• End users access data with personal (unmanaged) devices
• End users don't want admins to take control of personal devices
• 99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021). Source: Gartner, Dale Gardner, 2018 Security Summit

Two questions
1. How do you stop attacks that use stolen (yet legitimate) credentials?
2. How do you prevent devices with poor security hygiene from accessing critical apps?

A New Model for Security: Duo Trusted Access
• Trusted Users: strong user authentication for all types of users
• Trusted Devices: establish device trust without agents
• Every Application: consistent user experience for every application
• Visibility and Policies
Many deployments are limited or not user friendly
• Cloud-silo providers: prioritize securing access to just their single cloud
• SDP-silo providers: must deploy new agents on all endpoints
• Identity-silo providers: offer limited app coverage and device visibility
• EMM-silo providers: require device control, including BYO, for trust
SDP = Software-Defined Perimeter | EMM = Enterprise Mobility Management

Zero Trust "Beyond" Concept
● Assume every access attempt originates from an untrusted network.
● Protect every application in the same manner regardless of where it is hosted or how it is accessed.
● Enable every worker to work successfully from untrusted networks without needing a client VPN.
● Manage the privileges for any application access.

Duo Beyond
Enable the rapid adoption of the zero trust architecture by deploying its core components through a single, extensible platform.

Zero-Trust Maturity Model
5. Zero-Trust security (Duo Beyond): Enable every employee to work securely from untrusted networks without the use of a VPN. Assume all networks are untrusted. Migrate access policies from the network to the application.
4. Inspect devices for trust (Duo Beyond): Securely enable complete BYOD and mobility for all employees. Allow or deny a device trying to connect to a work application based on the device trust level and policy.
3. Enable adaptive policies (Duo Access): Protect access to applications by creating and enforcing adaptive, risk-based policies. Tier applications, users and devices based on risk.
2. Gain visibility into devices & activity (Duo Access): Create an inventory of all devices used to access work applications. Understand application access activity and risks.
1. Verify users for trust (Duo MFA): Protect from compromised credentials. Enable strong authentication for all apps/users.

Benefit: Security
Verify identity for any user and hygiene for any device: multi-factor authentication, access policy, remote access and agent(less) assessment, app access.
[Figure: device trustworthiness over time, marked by events such as mobile push verification, profile OS, latest compliant OS, outdated browser, jailbroken device, patched browser, failed phishing campaign]

Benefit: User Experience
Grant easier, safer access to specific work apps. Any user/device, including third-party and personal, passes through access policy (user + device, single sign-on, app access) to reach work apps, private and public, via SaaS or SD-perimeters.

Time to get technical!
• Duo never touches the primary authentication
• Core service and policy engine is always in the cloud
• Second factors: Duo Push, Mobile Passcode, Phone, SMS, HOTP Token, U2F/WebAuthn, Bypass

Secure Any Corporate Application
Integration documents are available at duo.com/docs

Duo MFA Supports Your Work Applications
• Start here: VPN/RA, Email/MSFT, On-Prem SSO
• Then expand: Multicloud, Custom
• Integration methods: REST APIs, Web SDK, RADIUS, SAML, RRAS, OIDC

Cisco + Duo: Better Together

Duo & AnyConnect Secure Remote Access
● Secure AnyConnect in < 30 minutes
● User authentication in seconds
● Works with AnyConnect thick client & SSL VPN
● Several integration options
● Available on ASA and FTD
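The deck lists RADIUS among the integration methods, names Duo Push, passcodes and HOTP tokens as second factors, and positions the Duo Auth Proxy (RADIUS) as the AnyConnect option that sends an automatic push. The following is an added example, not Duo's Auth Proxy code or anything from the slides, that shows what actually travels between the ASA/FTD and the proxy: RFC 2865 User-Password hiding with the RADIUS shared secret, the documented append mode where the user types "password,push" or "password,123456" (a bare password means automatic push), and an RFC 4226 HOTP check with a look-ahead window in place of the cloud-side passcode check Duo performs. The shared secret, primary password and HOTP seed are constructed demo values (the seed is the RFC 4226 test-vector seed).

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 5.2: RADIUS never encrypts the packet; only User-Password is masked
# by XOR with MD5(secret || Request-Authenticator), chained per 16-byte block.
# That is why the ASA/FTD <-> Auth Proxy shared secret must be long and random.

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Mask User-Password the way the NAS (ASA/FTD) does in an Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16n bytes
    if not padded or len(padded) > 128:
        raise ValueError("password must be 1..128 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                   # next block keys off the ciphertext block
    return bytes(out)

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Unmask User-Password the way the RADIUS server (the Auth Proxy) does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

# Append mode: the user types "password,factor"; no suffix means automatic push.
FACTOR_WORDS = {"push", "phone", "sms"}

def split_appended_factor(field: str):
    """Return (primary_password, factor). Split on the LAST comma so passwords
    containing commas survive; a numeric suffix is a passcode, "push2"/"phone2"
    select a second enrolled device, anything else is part of the password."""
    if "," in field:
        password, _, factor = field.rpartition(",")
        if factor.isdigit() or factor.rstrip("0123456789") in FACTOR_WORDS:
            return password, factor
    return field, "push"

# RFC 4226 HOTP: the algorithm behind the "HOTP Token" factor and offline passcodes.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_hotp(secret: bytes, counter: int, passcode: str, window: int = 10):
    """Accept a code up to `window` steps ahead of the stored counter and return
    the new counter (one past the match), else None. Codes at or behind the
    stored counter are never accepted, so a captured passcode cannot be replayed."""
    for step in range(window):
        if hmac.compare_digest(hotp(secret, counter + step), passcode):
            return counter + step + 1
    return None

# Constructed demo values (assumptions). A real proxy checks the primary password
# against AD/LDAP and hands the factor to Duo's cloud service; here the HOTP
# check is done locally to show the counter handling.
SHARED_SECRET = b"asa-proxy-shared-secret-demo"
HOTP_SEED = b"12345678901234567890"                 # RFC 4226 test-vector seed
PRIMARY_PASSWORD = "hunter2"

def proxy_handle(user_password_field: str, hotp_counter: int, authenticator: bytes = None):
    """Simulate NAS -> proxy for one Access-Request.
    Returns (factor_label, new_hotp_counter_or_None, accepted)."""
    authenticator = authenticator or os.urandom(16)
    on_wire = radius_hide_password(user_password_field.encode(), SHARED_SECRET, authenticator)
    recovered = radius_reveal_password(on_wire, SHARED_SECRET, authenticator).decode()
    password, factor = split_appended_factor(recovered)
    label = "passcode" if factor.isdigit() else factor
    if password != PRIMARY_PASSWORD:
        return label, hotp_counter, False           # primary auth fails: no second factor is tried
    if label == "passcode":
        new_counter = verify_hotp(HOTP_SEED, hotp_counter, factor)
        return label, new_counter, new_counter is not None
    return label, hotp_counter, True                # push/phone/sms go out-of-band

if __name__ == "__main__":
    print(proxy_handle("hunter2", 0))               # ('push', 0, True)
    print(proxy_handle("hunter2,755224", 0))        # ('passcode', 1, True)
    print(proxy_handle("hunter2,755224", 1))        # ('passcode', None, False): replayed code
```

Two practical points fall out of this. The User-Password masking is MD5-keyed by a static secret, so anyone who can sniff the ASA-to-proxy segment and knows or guesses the secret recovers both the primary password and the appended passcode; keep that segment on a management network and use a long random secret. And because the HOTP counter only ever moves forward, a passcode that was already consumed (the third call) is rejected even though it was valid a moment earlier.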
Duo and AnyConnect: Integration options
• ASA: use Duo Access Gateway (SAML). Best user experience; Trusted Endpoints support coming soon.
• FTD/ASA: use Duo Auth Proxy (RADIUS). User receives an automatic push. Consider for older ASA versions and for FTD.

Duo Access Gateway (SAML): Cisco ASA only
Requirements:
1. A SAML gateway such as Duo Access Gateway (DAG) for SSO
2. ASA version 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher of each release
3. AnyConnect 4.6 or later
(Demo)

RADIUS: Available with Cisco ASA or FTD
Requirements:
1. Cisco ASA 8.3 or later
2. Cisco FTD 6.3 or later
3. Duo Auth Proxy
(Demo)

LDAP: Available with Cisco ASA or FTD
(Demo)

Duo & Cisco ISE Device Posture
[Figure: for cloud/SaaS apps, a compliant device passes MFA and is allowed access while a non-compliant device goes to self-remediation or is blocked; on the corporate network, a trusted device passes user MFA and is allowed access while an untrusted device receives quarantine access via Cisco ISE]

Software-defined access policy evolution
• Zero Trust approach to network access: Cisco Identity Services Engine (ISE)
• Zero Trust approach to app access: Duo
[Table: Trusted Access across Hybrid IT Enterprises. Rows: IoT (headless device) and Mobile & BYOD (user + device), each for on-prem and off-prem access; columns: access solution and app/services, each on-prem and cloud. Cells name ISE, Duo, or "ISE or Duo". ☨ Integrated with AnyConnect; * Duo Beyond with Network Gateway (i.e. reverse proxy); ** Duo Access for BYOD]

Duo for Microsoft
Duo Can Easily Secure O365
• Duo Access Gateway: 3rd-party identity provider; on-premises directory integration with DAG/Duo SSO
• Native SSO and IdP support: on-premises directory integration with ADFS
• Native Azure AD Conditional Access: integration with Azure AD

MFA for Windows Login / Remote Desktop (RDP)
(Demo)

Temporary Offline Authentication for Windows
Executive on a plane, salesperson at a hotel, vendor at a customer: users need to authenticate with MFA into their machines before they can reach the internet or a secure portal.

Supported Auth Methods for Windows Offline
Duo Mobile Passcode
● Use the smartphone you own
● Enter a one-time passcode

Understanding SAML 2.0
[Figure: "This is SAML"]
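For the Duo Access Gateway (SAML) option, the ASA is the SAML service provider and DAG is the identity provider; the closing "Understanding SAML 2.0" slide is a diagram only. The following is an added example, not code from the slides, Duo or Cisco, of the checks an SP must make on a bearer assertion once the XML signature has been verified: Issuer, InResponseTo against an outstanding AuthnRequest, the bearer SubjectConfirmationData Recipient and expiry, the Conditions window with clock skew, the Audience restriction, and one-time use of the assertion ID. The sample Response, hostnames, entity IDs, tunnel-group name and message IDs are constructed assumptions, and the signature verification step is assumed to have been done by an XML-DSig library and is not implemented here.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample of a DAG-style IdP response posted to the ASA's ACS URL.
# Hostnames, entity IDs, tunnel-group name and message IDs are assumptions.
ACS_URL = "https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=DefaultWEBVPNGroup"
SP_ENTITY_ID = "https://vpn.example.com/saml/sp/metadata/DefaultWEBVPNGroup"
IDP_ISSUER = "https://dag.example.com/dag/saml2/idp/metadata.php"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="_req42" Version="2.0" IssueInstant="2019-03-05T10:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-03-05T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
            NotOnOrAfter="2019-03-05T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-03-05T09:59:00Z" NotOnOrAfter="2019-03-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(s: str) -> dt.datetime:
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

class SamlSP:
    """The checks a SAML SP (here the ASA) must make on a bearer assertion."""
    def __init__(self, idp_issuer, sp_entity_id, acs_url, skew_seconds=60):
        self.idp_issuer, self.sp_entity_id, self.acs_url = idp_issuer, sp_entity_id, acs_url
        self.skew = dt.timedelta(seconds=skew_seconds)
        self.pending = set()   # AuthnRequest IDs we issued and have not yet consumed
        self.seen = set()      # assertion IDs already accepted (replay protection)

    def validate(self, xml_text: str, now: dt.datetime) -> str:
        """Return the NameID on success; raise ValueError naming the failed check.
        Assumes the XML signature over the Assertion was verified against the
        IdP certificate beforehand by an XML-DSig library (not done here)."""
        root = ET.fromstring(xml_text)
        if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise ValueError("Status not Success")
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1:
            raise ValueError("expected exactly one Assertion")   # extra assertions are a wrapping tell
        a = assertions[0]
        if a.findtext("saml:Issuer", namespaces=NS) != self.idp_issuer:
            raise ValueError("Issuer mismatch")
        in_resp = root.get("InResponseTo")
        if in_resp not in self.pending:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
        if conf is None or conf.get("Method") != BEARER:
            raise ValueError("bearer SubjectConfirmation required")
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data.get("Recipient") != self.acs_url or data.get("InResponseTo") != in_resp:
            raise ValueError("SubjectConfirmationData Recipient/InResponseTo mismatch")
        if now - self.skew >= parse_time(data.get("NotOnOrAfter")):
            raise ValueError("SubjectConfirmationData expired")
        cond = a.find("saml:Conditions", NS)
        if now + self.skew < parse_time(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if now - self.skew >= parse_time(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp_entity_id not in audiences:
            raise ValueError("Audience does not include this SP")
        if a.get("ID") in self.seen:
            raise ValueError("assertion replayed")
        self.seen.add(a.get("ID"))
        self.pending.discard(in_resp)      # one AuthnRequest, one Response
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def make_sp() -> SamlSP:
    """SP configured for the sample above, with AuthnRequest _req42 outstanding."""
    sp = SamlSP(IDP_ISSUER, SP_ENTITY_ID, ACS_URL)
    sp.pending.add("_req42")
    return sp

if __name__ == "__main__":
    sp = make_sp()
    print(sp.validate(SAMPLE_RESPONSE, parse_time("2019-03-05T10:01:00Z")))   # alice
```

The Audience check is the one that matters most when a single DAG fronts several SPs: without it, an assertion minted for one application can be presented to the ASA. The single-Assertion rule and the replay set are cheap defences against signature-wrapping and re-posted responses, and the skew keeps a slightly drifted ASA clock from rejecting every login, which is the usual symptom when the ASA's NTP is not configured.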