Cisco Meeting Place Express

Cisco Connect 2019 Serbia, 19th March 2019
Cisco Connect 2019 Security
Presenter: Branislav Ostojić, COM-4T DOO Belgrade
"Local knowledge."

Connecting trusted users and devices to trusted services: Cisco Identity Services Engine

[Slide diagram: trust decisions are built from context (user groups, device type, location, posture, time, threats, behavior, vulnerability) for trusted users, trusted assets and trusted apps/services across on-prem, cloud and partner resources (Server A/B, App A/B). The per-resource ✓/✕ access matrix is not recoverable from the extracted text.]

Outcomes: Software-Defined Segmentation; Location-Free App/Service Access; Improved Visibility and Decision; Service Access & Entitlement.

ISE use cases (not a standard or recommended approach; each use case may be the end goal):

  • Wireless: corporate wireless; non-disruptive due to SSIDs
  • Guest: where the customer typically starts; BYOD
  • Wired: control wired access; 802.1X / MAB (with profiling)
  • Posture: see apps & HW inventory; enforce system compliancy
  • Segmentation: use SGTs for segmentation; enforce group-based policies
  • RTC: integrate with eco-system partners; contain threats

CONTROL | Authorized network access, Segmentation, Threat Containment
VISIBILITY | Users, Devices, Location, Applications, Threats, Vulnerabilities
COMPLIANCE | PCI, HIPAA, SOX, Financial and other regulations

Cisco ISE capabilities:

  • Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
  • Access Control: consistent access control across wired, wireless and VPN networks; 802.1X, MAC, Web Authentication and Easy Connect for admission control.
  • Guest Access: fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
  • BYOD Access: simplified BYOD management with built-in CA and 3rd party MDM integration for onboarding and self-service of personal mobile devices.
  • Segmentation: topology-independent software-defined segmentation policy to contain network threats.
  • Context Exchange: context sharing with the partner eco-system to improve their overall efficacy and accelerate time to containment of network threats.
  • Threat Control: protection against threats across the attack continuum, before, during and after an attack; reduce time-to-detection from days to hours.
  • Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.

Profiling

The profiling service in Cisco ISE identifies the devices that connect to your network. Endpoints send interesting data that reveal their device identity; the sources shown are Device Sensor (DS), AnyConnect Identity Extensions (ACIDex) and the Feed Service (Online/Offline).

Guest access

  • 1 million supported guest accounts
  • Guest account notification options: email, print, SMS
  • Portal language customization
  • Social media login support
  • Manage guest accounts via REST API

The 3 types of guest access:

  • Hotspot: immediate, un-credentialed Internet access (Facebook login option shown)
  • Self Registered: self-registration by guests, sponsors may approve access (Facebook login option shown)
  • Sponsored Guest Access: authorized sponsors create the account and share credentials

BYOD

Simple BYOD (Base License):
  • Guest type 'internet only' access to personal device, or
  • Password-based access to BYOD SSID, limited access

Full BYOD (Base + Plus License):
  • Full automation of the BYOD process: device registration, native supplicant configuration, certificate installation, management

[Slide table: device support for iDevice, Android, macOS, Windows and ChromeOS across single/dual SSID provisioning, access based on MDM policy, EMM integrations, native supplicant and certificate provisioning, and ISE internal CA for BYOD certificates. The per-platform ✓/✕ cells are not recoverable from the extracted text.]

MDM integration

Posture compliance assessment for mobile devices. MDM policy checks: device registration status, device compliance status, disk encryption status, pin lock status, jailbreak status, manufacturer, model, IMEI, serial number, OS version, phone number.

Flow for a personal device:
  1. Register with ISE
  2. Internet access
  3. Register with MDM
  4. Comply with MDM policy
  5. Allow corporate access

MDM partners shown: GOOD, Absolute Software, SAP, IBM MaaS360, AirWatch, Jamf, Tangoe, MobileIron, Globo, Symantec.

Posture

Posture defines the state of compliance with the company's security policy.

Posture flow:
  1. Authenticate user/device
  2. Posture Unknown/Non-Compliant: quarantine with limited access (VLAN/dACL/SGTs)
  3. Posture assessment: check hotfix, AV, pin lock, USB device, etc.
  4. Remediations: WSUS, launch app, scripts, MDM, etc.
  5. Authorization change: full access (VLAN/dACL/SGTs)

Posture conditions: Anti-Malware, Anti-Spyware, Anti-Virus, Application, Compound, Disk Encryption, File, Patch Management, Registry, Service, USB, Windows Update.

Remediation actions: Anti-Malware, Anti-Spyware, Anti-Virus (antivirus update), File, Launch Program, Link, Patch Management, USB, Windows Server Update Server, Windows Update.

Traditional segmentation vs group-based policy

Traditional segmentation: security policy based on topology (static ACLs on the DC firewall/switch, VLANs, VACLs, DHCP scopes, addresses, redundancy and routing across the enterprise backbone, aggregation layer and access layer); high cost and complex maintenance.

Group-based policy: micro/macro segmentation with ISE central policy provisioning; no topology change, no VLAN change; endpoints carry tags (Employee tag, Supplier tag, Non-Compliant tag, Quarantine) instead of per-role VLANs (Voice, Data, Guest, BYOD, Non-Compliant); use the existing topology and automate security policy to reduce OpEx.

Context sharing

ISE builds context (who, what, when, where, how, posture, threat, vulnerability, scalable group) from sources such as threat intelligence, the Mobility Services Engine, mobile device managers, system managers, directory services and vulnerability scanners, and applies access control restrictions to users and devices. Context is shared via pxGrid, REST API and syslog with Stealthwatch, Firepower services, DNA Center and 3rd party partners, who reuse it for analysis & control.

Threat-centric access control

Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation. Create ISE authorization policies based on threat and vulnerability attributes.

  • AMP: threat events, threat notifications, Indicators of Compromise (IOC)
  • Qualys: vulnerability assessments, Common Vulnerability Scoring System (CVSS)
  • Complements posture: vulnerability data tells the endpoint's posture from the outside
  • Expanded control driven by threat intelligence and vulnerability assessment data
  • Faster response with automated, real-time policy updates based on vulnerability data and threat metrics

Rapid threat containment example (slide): Stealthwatch, Firepower or a 3rd party app such as Splunk reports Event: XYZ, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine. ISE sends a Change of Authorization to the network fabric and the supplier endpoint is moved into the Quarantine High Risk Segment, away from the shared server and the Internet.

Cisco DNA Center

Simple workflows: Design, Provision, Policy, Assurance. Software-Defined Access combines Cisco DNA Center, the network data platform, APIC-EM and the Identity Services Engine over wireless LAN controllers, access points, routers and switches. ISE provides authentication and authorization policies, groups and policies, and exchanges them with DNA Center over pxGrid and REST APIs; DNA Center provides campus fabric management and policy authoring workflows.

Establish user trust with MFA

  • Compromised credentials are a major security risk
  • Cumbersome tokens and one-time passwords are not user friendly
  • 81% of breaches leverage stolen or weak passwords (Source: Verizon 2018 Data Breach Investigations Report)

Start here, then expand: VPN RA, Multicloud, Email/MSFT, On-Prem SSO, Custom. Integration methods shown: REST APIs, Web SDK, RADIUS, SAML, RRAS, OIDC.

Enrollment options:

  • Automatic Enrollment: admins can import users from existing Azure, LDAP and AD directories
  • Self Enrollment: users can self-enroll into Duo in less than 1 minute
  • Import Users: provision users using Duo's REST API, or add users manually one at a time or through CSV

Device management:

  • Users can manage their own 2FA devices during login.
  • Add, remove and configure devices.
  • Reduce TCO by enabling the user to easily manage their own device.
  • Learn more about Device Management

Assess the health and security posture of any device

  • Attackers exploit known vulnerabilities
  • Patching devices (especially user owned) is complex
  • End users continue to access data from potentially vulnerable devices
  • Accessing critical data from vulnerable devices can be risky
  • 99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021) (Source: Gartner, Dale Gardner, 2018 Security Summit)

Security Posture Visibility: Duo's Unified Endpoint Visibility inspects the device at the time of access without installing any endpoint agents.

Endpoint Management Status: Duo's Trusted Endpoints integrates with endpoint management systems to detect if the device is managed by your IT.

Device attributes visible:

Mobile Devices: corp managed asset status; biometrics (Touch/Face) status; screen lock status; OS condition (tampered) status; encryption status; platform type; device OS type; device OS version; device owner; Duo Mobile version.

Laptops / Desktops: corp managed asset status*; device owner; OS type; OS versions; browser type; browser versions; Flash & Java plugins versions; OS, browser and plugins status.

* Additional conditions can be assumed for policy by the corp managed asset status such as disk encryption, anti-virus,

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    67 pages