secure borderless
Post on 13-Nov-2014
© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-2000 Cisco Public 2
Securing Borderless Networks BRKSEC-2000
Christopher Heffner, CCIE #8211 Security Consulting Engineer
chheffne@cisco.com
Housekeeping
We value your feedback- don't forget to complete your online session
evaluations after each session & complete the Overall Conference
Evaluation which will be available online from Thursday
Please remember this is a 'non-smoking' venue!
Please set your mobile phones to stun mode
Please make use of the recycling bins provided
Please remember to wear your badge at all times
NO discussions on future products
Please remember your NDAs when asking questions
Session Abstract
This session will explain the security technology behind Cisco Borderless Networks.
We will compare and contrast the networks of yesterday versus today and the issues that
network and security administrators face with these evolving networks.
A business case will be presented to introduce common network security challenges and
how Borderless Network technology solves them.
The technologies that will be covered include Secure Mobility, Web and Email Security,
AnyConnect SSL VPN, user & device authorization, Network Device Profiling, supplicant
agents, posture assessment, Guest Access, Security Group Access (SGA), and
IEEE 802.1AE (MACsec).
Session Objectives
At the end of the session, you should understand:
• The Cisco Borderless Network Architecture
• The technology that makes up the Borderless Networks portfolio, including Cisco Firewall, IPS, Content Security
• How to design and implement Secure Mobility
• Benefits of TrustSec and MACsec technologies
You should also:
• Have questions for the Q&A section of the session
• Provide us with feedback via the Cisco Live online survey
• Attend related sessions that interest you
Agenda
Networks of Yesterday
Networks of Today
Borderless Networks – What does that mean?
Case Study – Future Healthcare
Cisco AnyConnect Secure Mobility Design
Cisco TrustSec Design
Q&A
Networks of Yesterday
Network Security of Yesterday
Corporate Assets
Corporate Connectivity
Limited Remote Connectivity
Employees Only Access
Routers
Firewalls
Switches
Network Security Policy Yesterday
Authentication
Authorization
Accounting
Secure Access Control
Networks of Today
Network Security of Today
Corporate and Commercialized Assets
Corporate, Partner, Public, Cloud Connectivity
Employees, Contractors and Guests Access
Routers, Switches, Firewalls, IPS
Virtualized Data Centers
ISE, NAC, Posture Control
Wireless Infrastructures
Email and Web Security
Unified Communications
Mobile Smart Devices – The iRevolution
Network Security Policy Today
Who are you?
‒ Employee, Partner, Contractor, Guest
What are you doing?
‒ Data Entry, Access HR Records, Accessing Payroll
Where are you going?
‒ Intranet, Extranet, Internet, Cloud Services
When are you connecting?
‒ 8am-5pm, After Hours, Weekends
How are you connecting?
‒ Corporate Wired, Corporate Wireless, Public Wireless
‒ Hotel Guest Network, Home Network
Borderless Networks Evolution
Self-Defending Networks
SAFE Blueprints
Borderless Networks Architecture
Self-Defending Networks
Network and Endpoint Security
Content Security
Application Security
System Management and Control
SAFE Blueprints
SAFE Small Business
SAFE Medium Business
SAFE Enterprise Business
SAFE Remote
SAFE Campus
SAFE Data Center
SAFE Internet
SAFE Wide Area Network
Borderless Networks Architecture
What it is:
‒ Architecture for secure connectivity of:
• Any Device
• Any Place
• Any Time
What it does (its vision):
‒ Provides consistent user experience & security policies on any device, any place
at any time.
What it does (business benefit):
‒ Simplifies Secure Connections to resources
‒ Improves workforce productivity through flexibility.
Borderless Networks Architecture
Technology Benefit
‒ Borderless Networks transforms the way IT governs networks by linking users,
devices, applications, and business processes - together.
Value Proposition:
‒ Cisco Borderless Networks securely, reliably, and seamlessly connects people,
information, and devices.
Borderless Networks Design Benefits
Secure – Risk mitigation to protect corporate assets and data
Reliable – Business continuity
Seamless – Productivity-driven growth
Accelerates Business Innovation and Transformation
Borderless Networks Design Elements
Architecture for Agile Delivery of the Borderless Experience (layered diagram, top to bottom):
Borderless End-Point/User Services: AnyConnect (securely, reliably, seamlessly)
Borderless Network Services: Security (TrustSec), Mobility (Motion), App Performance (App Velocity), Energy Management (EnergyWise), Multimedia Optimization (Medianet)
Borderless Network Systems: Core Fabric, Unified Access, Extended Edge, Extended Cloud
Borderless Infrastructure: Switching, Security, Routing, Wireless, Application Networking/Optimization
Also shown alongside the layers: Policy, Management, APIs, Cisco Lifecycle Services, Cisco Smart Services
Case Study – Future HealthCare
Future HealthCare: IT Network Issues
Employees need secure remote access to corporate intranet and email systems
Doctors need secure remote access to patient information and email systems
Doctors want access to patient data and internet
Employees want access to the internet and email
Patients want access to the internet and web mail
CTO has security and regulation requirements
CSO needs prevention of email spear-phishing attacks
IT needs corporate devices secure while still providing network access to commercialized mobile devices
Secure Remote Access
Question:
‒ How does IT provide employees secure remote access to corporate intranet and email systems?
Answer:
‒ Virtual Private Networks (VPNs)
‒ Typically IPsec and/or SSL VPN tunnel connections
‒ Firewalls, Routers and IPS
Issues:
‒ Full Tunneling (all of the remote user's traffic, Internet included, is backhauled through the corporate VPN gateway)
‒ Split Tunneling (only corporate destinations use the tunnel; the user's Internet traffic leaves the endpoint directly and bypasses corporate web security)
‒ Internet Access (remote users still need Internet access with the same policy and protection as on-campus users)
Cisco AnyConnect Secure Mobility: The New Answer
Question:
‒ How does IT provide employees secure remote access to corporate intranet and email systems?
Answer:
‒ Cisco AnyConnect Secure Mobility
Cisco AnyConnect Secure Mobility: What is it and How Does it Work?
AnyConnect SSL VPN client software connects to the corporate ASA Firewall VPN endpoint.
The ASA group policy configuration enforces the full-tunneling option only (no split tunnel), so the remote user's Internet traffic also enters the ASA.
Use the route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled command to point all decrypted VPN traffic to an inside endpoint; a tunneled default route applies only to traffic arriving from VPN tunnels, so the ASA's ordinary default route is unaffected.
The inside endpoint (router/L3 switch) redirects the traffic back to the ASA using its own default route, so the traffic now arrives on the ASA's inside interface.
The ASA WCCP configuration on the inside interface then redirects the web traffic to the IronPort Web Security Appliance for proxy services. The hairpin through the inside endpoint is needed because the ASA applies WCCP redirection only to traffic entering an interface.
Components shown in the diagram: Cisco AnyConnect 2.5, Cisco IronPort WSA 7.0, Cisco ASA 8.3.
Cisco Secure Mobility: Licensing Requirements
Cisco ASA Firewall
‒ SSL VPN Peer Licenses based on remote user count
‒ AnyConnect Essentials or Premium License
‒ AnyConnect for Mobile License
Cisco IronPort Web Security Appliance
‒ AsyncOS version 7.x
‒ Cisco Mobile User Security Feature Key License
Cisco AnyConnect VPN Client
‒ Version 3.0 or higher (recommended)
Features and Licensing Matrix: Cisco AnyConnect
Ess = Essentials, Prem = Premium, SM = Secure Mobility
Columns: AnyConnect Ess Only | AnyConnect Ess + SM | AnyConnect Prem Only | AnyConnect Prem + SM
Cisco® AnyConnect Features (rows):
Auto headend detection
Tethered device support (phone synchronization)
Access to local printers through endpoint firewall rules
Always-on VPN
Fail-open and fail-close policy support
Captive portal
Clientless VPN
Cisco Secure Desktop
Quarantine indication if posture assessment fails
Web security
ASA Licensing: Show Version
ASA-5510# show version
....
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active 365 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 365 days
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 25 365 days
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled 365 days
AnyConnect for Cisco VPN Phone : Enabled 365 days
AnyConnect Essentials : Enabled perpetual
Advanced Endpoint Assessment : Enabled 365 days
UC Phone Proxy Sessions : 26 365 days
Total UC Proxy Sessions : 26 365 days
Botnet Traffic Filter : Enabled 365 days
Intercompany Media Engine : Disabled perpetual
....
Cisco IronPort WSA Feature Keys: Cisco Mobile User Security License
Cisco Secure Mobility: Configuration
See the Cisco ASA Secure Mobility Configuration Appendix for a step-by-step ASDM configuration guide for setting up the Cisco AnyConnect SSL VPN network.
Configure Secure Mobility on ASA: IronPort WSA Mobile User Security Configuration
From ASDM: Configuration > Remote Access VPN > Network (Client) Access > Secure Mobility Solution
‒ Click the Add button
‒ Choose the interface used to communicate with the WSA (typically the Inside or DMZ interface)
‒ Enter the IP address of the WSA and its subnet mask
‒ Click OK
‒ Make sure the "Enable Mobile User Security" checkbox is enabled and the service port is 11999 (default)
‒ Set the password that secures the ASA-to-WSA communication (the WSA must be configured with the same shared secret)
‒ Click Apply
Configure Secure Mobility on ASA: ASDM Configuration
Verify Secure Mobility on ASA: Show WSA Sessions (show wsa sessions lists the WSAs the ASA is currently talking to)
Configure Secure Mobility on WSA: WSA Identity Configuration
Log in to the Web Security Appliance
Navigate to Web Security Manager > Identities
Click Add Identity
Define Members by User Location: Remote Users Only
Define Members by Protocol: HTTP/HTTPS Only
Define Members by Authentication: Identify Users Transparently through Cisco ASA Integration
Authentication Surrogate for Transparent Proxy Mode: IP Address
Click Submit and Commit
Unique Access Policies can now be set for "Remote Users"
Configure Secure Mobility on WSA
WSA Configuration
Configure WCCP Access Lists on ASA: Access Lists Configuration Example
Configure the access list that identifies the WCCP appliance (the WSA at 10.1.1.15 is the only host allowed to join the service group):
access-list WSA extended permit ip host 10.1.1.15 any
Configure the access list for the traffic to redirect to the proxy. The first entry excludes the WSA's own outbound requests so they are not redirected back to it (a redirect loop); the remaining entries select HTTP and HTTPS from the VPN client address range 10.1.254.0/24:
access-list WSA-Redirect extended deny ip host 10.1.1.15 any
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq www
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq https
Assign the redirect list and group list to dynamic WCCP service 90 and enable redirection on the inside interface. The ASA redirects only in the ingress ("in") direction, which is why the tunneled default route has to bring the VPN traffic back in through this interface:
wccp 90 redirect-list WSA-Redirect group-list WSA
wccp interface inside 90 redirect in
Configure WCCP Service Groups on ASA: Cisco ASDM Configuration
From ASDM: Configuration > Device Management > Advanced > WCCP > Service Groups
‒ Click the Add button
‒ Service: Dynamic Service Number: 90
‒ Options: Redirect List: WSA-Redirect
‒ Options: Group List: WSA
‒ Click OK
Cisco WCCP Service Groups on ASA Cisco ASDM Example
Configure WCCP Redirection on ASA: Cisco ASDM Configuration
From ASDM: Configuration > Device Management > Advanced > WCCP > Redirection
‒ Click the Add button
‒ Interface: Inside
‒ Service Group: 90
‒ Click OK
‒ Click Apply
‒ Click Save
Cisco WCCP Service Groups on ASA Cisco ASDM Example
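The ASA configuration below is an added worked example, not configuration from the session or from Cisco, that ties the preceding steps together on the CLI: the split-tunnel group policy the design must avoid, the full-tunnel policy with the tunneled default route, the Mobile User Security settings the ASDM steps set, and the WCCP redirect. Syntax follows ASA 8.3 (svc keywords; 8.4 and later use anyconnect). The names SecureMobility-GP, SecureMobility-TG and AnyConnect-Pool, the VPN pool 10.1.254.0/24, the WSA address 10.1.1.15, the inside router 10.1.1.1, the ASA inside address 10.1.1.2, the outside next hop 203.0.113.1, the AnyConnect package filename and both passwords are assumptions; the access lists and wccp lines repeat the page's own example.

```text
! Added example (not from the session): ASA 8.3 CLI for the Secure Mobility design.
! Assumed: SecureMobility-GP, SecureMobility-TG, AnyConnect-Pool, pool 10.1.254.0/24,
! WSA 10.1.1.15, inside router 10.1.1.1, ASA inside 10.1.1.2, outside next hop
! 203.0.113.1, the AnyConnect package filename and both passwords.

! --- Weak setting to avoid: split tunnelling. Only corporate prefixes enter the
! --- tunnel; the client's Internet traffic never reaches the ASA or the WSA.
! group-policy SecureMobility-GP attributes
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value CorpNets

! --- Corrected: full tunnel, so every packet from the client enters the ASA.
ip local pool AnyConnect-Pool 10.1.254.10-10.1.254.250 mask 255.255.255.0

group-policy SecureMobility-GP internal
group-policy SecureMobility-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 address-pools value AnyConnect-Pool

tunnel-group SecureMobility-TG type remote-access
tunnel-group SecureMobility-TG general-attributes
 default-group-policy SecureMobility-GP

webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.0.pkg 1
 svc enable
 ! Mobile User Security (MUS): the ASA reports VPN user/IP bindings to the WSA
 ! over TCP 11999 so the WSA can apply per-user policy to the redirected traffic.
 mus password MusSharedSecret1
 mus server enable port 11999
 mus 10.1.1.15 255.255.255.255 inside

! --- Routing. The "tunneled" default route applies only to decrypted VPN traffic
! --- and hands it to the inside router; all other traffic keeps using "outside".
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
! The inside router's own default route points back at the ASA inside address
! (IOS: ip route 0.0.0.0 0.0.0.0 10.1.1.2), so the VPN traffic re-enters the ASA
! on "inside", the only place ingress-only WCCP redirection can catch it.

! --- WCCP: the WSA joins service 90; VPN-pool HTTP/HTTPS entering "inside" is
! --- redirected to it; the WSA's own outbound requests are excluded (no loop).
access-list WSA extended permit ip host 10.1.1.15 any
access-list WSA-Redirect extended deny ip host 10.1.1.15 any
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq www
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq https
wccp 90 redirect-list WSA-Redirect group-list WSA password WccpSharedSecret1
wccp interface inside 90 redirect in
```

After a client connects, show wccp should list the WSA as a member of service 90 with a non-zero redirect count, and show wsa sessions (the check the "Show WSA Sessions" slide above refers to) should show the ASA-to-WSA session established on port 11999. If the redirect count stays at zero, confirm the VPN traffic really is re-entering on the inside interface (the tunneled route and the router's default route are the two places this design usually breaks).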
Cisco ASA 5500 Series Portfolio: Comprehensive Solutions from SOHO to the Data Center
(Chart: performance and scalability across SOHO, Branch Office, Internet Edge, Campus and Data Center deployments)
Firewall/VPN Only (SOHO):
ASA 5505 (150 Mbps, 4K cps)
Multi-Service (Firewall/VPN and IPS), in ascending order of performance:
ASA 5510 (300 Mbps, 9K cps)
ASA 5510+ (300 Mbps, 9K cps)
ASA 5520 (450 Mbps, 12K cps)
ASA 5540 (650 Mbps, 25K cps)
ASA 5550 (1.2 Gbps, 36K cps)
NEW ASA 5512-X (1 Gbps, 10K cps)
NEW ASA 5515-X (1.2 Gbps, 15K cps)
NEW ASA 5525-X (2 Gbps, 20K cps)
NEW ASA 5545-X (3 Gbps, 30K cps)
NEW ASA 5555-X (4 Gbps, 50K cps)
ASA 5585-X SSP-10 (4 Gbps, 50K cps)
ASA 5585-X SSP-20 (10 Gbps, 125K cps)
ASA 5585-X SSP-40 (20 Gbps, 200K cps)
ASA 5585-X SSP-60 (40 Gbps, 350K cps)
Cisco ASA 5500 Series Product Lineup: Mid-Range Solutions

Specification               ASA 5505                       ASA 5510                     ASA 5520        ASA 5540        ASA 5550
Typical Deployment          SOHO                           Branch Office                Internet Edge   Internet Edge   Data Center
Performance
  Max Firewall              150 Mbps                       300 Mbps                     450 Mbps        650 Mbps        1.2 Gbps
  Max Firewall + IPS        Future                         300 Mbps                     375 Mbps        450 Mbps        1.2 Gbps
  Max IPsec VPN             100 Mbps                       170 Mbps                     225 Mbps        325 Mbps        425 Mbps
  Max IPsec/SSL VPN Peers   25/25                          250/250                      750/750         5000/2500       5000/5000
Platform Capabilities
  Max Firewall Conns        10,000/25,000                  50,000/130,000               280,000         400,000         650,000
  Max Conns/Second          4000                           9000                         12,000          25,000          36,000
  Packets/Second (64 byte)  85,000                         190,000                      320,000         500,000         600,000
  Base I/O                  8-port FE switch               5 FE                         4 GE + 1 FE     4 GE + 1 FE     8 GE + 1 FE
  VLANs Supported           3/20 (trunk)                   50/100                       150             200             400
  HA Supported              Stateless A/S (Security Plus)  A/A and A/S (Security Plus)  A/A and A/S     A/A and A/S     A/A and A/S
Next Generation ASA Mid-Range Appliances
ASA 5500-X H/W Features:
‒ 64-bit Multi-Core Processor
‒ Up to 16 GB of Memory
‒ Built-In Multi-Core Crypto Accelerator Hardware
‒ Dedicated IPS Hardware Acceleration Card
‒ Up to 14 1GE Ports
‒ Copper & Fiber I/O options
‒ Firewall, VPN & IPS Services
‒ Dedicated OOB Management Port
Customer Benefits: Performance, Density, Flexibility, Integrated Services, Management Consolidation
Next Generation Security Services Appliances: 5 New Models to Meet Varied Throughput Demands
ASA 5512-X: 1 Gbps Firewall Throughput
ASA 5515-X: 1.2 Gbps Firewall Throughput
ASA 5525-X: 2 Gbps Firewall Throughput
ASA 5545-X: 3 Gbps Firewall Throughput
ASA 5555-X: 4 Gbps Firewall Throughput
1. Multi-Gig Performance: to meet growing throughput requirements
2. Accelerated Integrated Services (no extra hardware required): to support changing business needs
3. Next-gen services enabled platform: to provide investment protection
Cisco ASA 55xx-X Series Product Lineup

Specification          ASA 5512-X                ASA 5515-X                ASA 5525-X                ASA 5545-X                ASA 5555-X
Platform Base          1RU Short chassis         1RU Short chassis         1RU Short chassis         1RU Long chassis          1RU Long chassis
                       (all models 19" Rack Mountable)
CPU                    1x 2.8 GHz Intel 2C/2T    1x 3.06 GHz Intel 2C/4T   1x 2.40 GHz Intel 4C/4T   1x 2.66 GHz Intel 4C/8T   1x 2.80 GHz Intel 4C/8T
DRAM                   4 GB                      8 GB                      8 GB                      12 GB                     16 GB
Regex Accel Mezz Card  N/A                       N/A                       1                         1                         1
Compact Flash          4 GB eUSB                 8 GB eUSB                 8 GB eUSB                 8 GB eUSB                 8 GB eUSB
I/O Ports              6 x 1GbE Cu               6 x 1GbE Cu               8 x 1GbE Cu               8 x 1GbE Cu               8 x 1GbE Cu
                       + 1 x 1GbE Cu Mgmt        + 1 x 1GbE Cu Mgmt        + 1 x 1GbE Cu Mgmt        + 1 x 1GbE Cu Mgmt        + 1 x 1GbE Cu Mgmt
Optional I/O Module    6 x 1GbE Cu or 6 x 1GbE SFP (all models)
Power                  Single Fixed AC           Single Fixed AC           Single Fixed AC           Dual Hot-Swappable        Dual Hot-Swappable
                       Power Supply              Power Supply              Power Supply              Redundant AC Power Supply Redundant AC Power Supply
Crypto Capacity        1 x Crypto Chip 4C        1 x Crypto Chip 4C        1 x Crypto Chip 4C        1 x Crypto Chip 8C        1 x Crypto Chip 8C
Cisco ASA 5585-X Series Product Lineup: Enterprise Solutions

Specification               ASA 5585-X SSP-10   ASA 5585-X SSP-20   ASA 5585-X SSP-40   ASA 5585-X SSP-60
Typical Deployment          Data Center         Data Center         Data Center         Data Center
Performance
  Max Firewall              4 Gbps              10 Gbps             20 Gbps             40 Gbps
  Max Firewall + IPS        2 Gbps              3 Gbps              5 Gbps              10 Gbps
  Max IPsec VPN             1 Gbps              2 Gbps              3 Gbps              5 Gbps
  Max IPsec/SSL VPN Peers   5,000 / 5,000       10,000 / 10,000     10,000 / 10,000     10,000 / 10,000
Platform Capabilities
  Max Firewall Conns        1,000,000           2,000,000           4,000,000           10,000,000
  Max Conns/Second          65,000              140,000             240,000             350,000
  Packets/Second (64 byte)  1,500,000           3,200,000           6,000,000           10,500,000
  Base I/O                  8 GE + 2 10GE       8 GE + 2 10GE       6 GE + 4 10GE       6 GE + 4 10GE
  VLANs Supported           1024                1024                1024                1024
  HA Supported              A/A and A/S         A/A and A/S         A/A and A/S         A/A and A/S
Secure Mobility: Cisco ScanSafe Cloud Services
Web Security
• Anti-malware protection
• Web content analysis
• Script emulation
Web Filtering
• Web Usage Controls
• Application Visibility
• Bi-directional control
Centralized Reporting
Cisco ScanSafe Cloud Services: Solution Overview
ScanSafe offers consistent, enforceable, high-performance Web security and policy, regardless of where or how users access the internet.
Cisco Secure Mobility Demo
Case Study – Review: Future HealthCare
Future HealthCare Goals: Review IT Network Issues (the same goals listed under IT Network Issues at the start of the case study)
Future HealthCare Review: What Still Needs to be Done?
Need to provide security by providing real-time visibility into, and control over, all users and devices on your network.
Need to enable effective corporate compliance by creating consistent policies across the corporate infrastructure.
Need to help streamline IT and network staff productivity by automating labor-intensive tasks.
TrustSec
What is TrustSec?
TrustSec is an umbrella term used to describe and cover everything that has to do with "identities".
TrustSec is all about providing identity-based access policies that tell network and security administrators who and what is connecting to your networks.
In general terms, think of TrustSec as the next generation of network admission control (NAC).
Benefits of TrustSec
Identify users and/or devices before granting access to network resources
Extend access enforcement throughout the network
Guest access
Identify non-authenticating IP-based devices
Capability to know what is on your network
Controlling access to restricted devices and/or data
Secure sensitive data
TrustSec Technologies
IEEE 802.1X (Dot1x) Wired/Wireless
Security Group Access (SGA)
MACsec (IEEE 802.1AE)
Profiling
Guest Services
Identity Services Engine
How do we do this?
Identity Services Engine (ISE) is the Cisco security policy engine that allows security administrators to control and manage access to the corporate network for:
Anyone
Any Device
Anywhere
Any Time
Questions You Should be Asking Yourself: ISE: Policies for People and Devices
Non-User Devices
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?
Guest Access
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?
Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
• Access rights on-prem, at home, on the road?
• Are devices healthy?
Future HealthCare Business Case Review: How Does this Help our Business Case?
Now we are able to identify when a doctor, nurse or corporate employee is logging in to the network.
From the user identity, we can define policies that grant, limit and/or restrict access to network devices and data.
Contractors, vendors, patients and guest users can be given Internet and printer access.
Non-authenticating devices such as medical devices, printers, badge readers, security cameras and phones can be given secured network access.
Permit, restrict or deny access based on a real-time posture assessment of the device.
Advantages of Identity Services Engine
Consolidated Services, Software Packages: Simplify Deployment & Admin (ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidated into ISE)
Session Directory: Tracks Active Users & Devices (User ID, Device (& IP/MAC), Location, Access Rights)
Flexible Service Deployment: Optimize Where Services Run (Admin Console, Distributed PDPs, M&T, All-in-One HA Pair)
Policy Extensibility: Link in Policy Information Points
Manage Security Group Access: Keep Existing Logical Design (SGT policy matrix with Staff and Guest source groups against Public and Private destinations; the cells in the original diagram read Permit, Deny, Permit, Permit)
System-wide Monitoring & Troubleshooting: Consolidate Data, Three-Click Drill-In
ISE Packaging and Licensing
Appliance Platforms: Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance
Base Feature Set (Perpetual Licensing):
• Authentication / Authorization
• Guest Provisioning
• Link Encryption Policies
Advanced Feature Set (Term Licensing):
• Device Profiling
• Host Posture
• Security Group Access
ISE Sample Topology
A Practical Example of Policies
(Topology: Internet; Campus Network built from Cisco Switches, a Cisco Access Point and a Cisco Wireless LAN Controller, with the Cisco® Identity Services Engine; Internal Resources)
"Printers should only ever communicate internally"
"Employees should be able to access everything but have limited access on personal devices"
"Everyone's traffic should be encrypted"
ISE Administration: Web-based GUI Environment
https://x.x.x.x/admin
ISE Home Page
Operations > Authentications
Operations > Reports
Operations > Troubleshoot
Policy > Authentication
Policy > Authorization
Policy > Profiling
Policy > Profiling > Apple-iPad
Policy > Posture
Policy > Client Provisioning
Policy > Security Group Access
Policy > Policy Elements > Conditions > Authentications
Policy > Policy Elements > Conditions > Profiling
Administration > Identity Management > External Identity Sources
Administration > Network Resources > Network Devices
Administration > Web Portal Management
ISE Sponsor Portal
https://x.x.x.x:8443/sponsorportal
Sponsor Portal Administration
Sponsor Portal Administration
Create Single User Guest Account
Sponsor Portal Administration
Guest Account Created
ISE Guest Access Portal
https://x.x.x.x:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Case Study – Review: Future HealthCare
Future HealthCare Goals: Review IT Network Issues (the same goals listed under IT Network Issues at the start of the case study)
Future HealthCare Review: What Still Needs to be Done?
Need to provide security for sensitive data from the end-user's computer and throughout the network infrastructure.
MACsec
MACsec: What is it and How Does it Benefit Us?
IEEE 802.1AE-based Encryption
‒ Provides strong 128-bit AES-GCM* encryption
‒ NIST approved encryption algorithm
‒ Line-rate encryption/decryption
‒ Standards-based key management: IEEE 802.1X-REV (MACsec Key Agreement, MKA; published as IEEE 802.1X-2010)
Benefits
‒ Protects against man-in-the-middle attacks on the link, including snooping, tampering and replay attacks (every frame is authenticated, and its packet number lets the receiver reject replayed frames)
‒ Hop-by-hop (link-based) protection rather than end-to-end: each switch decrypts and re-encrypts, so the network can still apply its own inspection and policy to the traffic, which end-to-end encryption would hide from it
* NIST Special Publication 800-38D http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
* Galois/Counter Mode (GCM)
MACsec - How Does it Work?
(Diagram: Campus Network; Wiring Closet Switch; AAA; Bob, a MACsec enabled client; Steve, a non-MACsec client)
1. User Bob connects.
2. Bob's policy indicates the endpoint must encrypt (User: Bob, Policy: encryption).
3. Key exchange using MKA; 802.1AE encryption complete. User is placed in the corporate VLAN. Session is secured.
4. User Steve connects.
5. Steve's policy indicates the endpoint must encrypt (User: Steve, Policy: encryption).
6. Endpoint is not MACsec enabled. Assigned to guest VLAN.
802.1X-Rev Components
• MACsec enabled switches: Cisco 3560X/3750X, 12.2(52)SE2
• AAA server that is 802.1X-Rev aware: Cisco Identity Services Engine
• Supplicant supporting MKA and 802.1AE encryption: Cisco AnyConnect Client
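The switch-side configuration for the flow above, added here as a worked example that is not from the session or from Cisco: 802.1X authentication against ISE, MACsec with MKA on the access port, a must-secure link policy so that a MACsec-capable supplicant such as AnyConnect ends up encrypted in the corporate VLAN, and a fallback that places an endpoint that cannot negotiate MACsec (Steve in the diagram) into the guest VLAN. The interface, the VLAN numbers (10 corporate, 20 guest), the RADIUS server 10.1.1.20 and its key, and the MKA policy name are assumptions. In the session's flow the per-user "must encrypt" decision comes from the MACsec (linksec) policy ISE returns in the authorization profile rather than from the static port setting shown; verify the commands against the IOS release on your switch.

```text
! Added example (not from the session): Catalyst 3750-X access port with MACsec/MKA.
! Assumed: interface Gi1/0/1, corporate VLAN 10, guest VLAN 20, RADIUS 10.1.1.20,
! RADIUS key RadiusKey1, MKA policy name CORP-MKA.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key RadiusKey1
dot1x system-auth-control

! MKA policy: 802.1AE replay protection. Window 0 means frames must arrive in
! packet-number order; widen it only for links that legitimately reorder.
mka policy CORP-MKA
 replay-protection window-size 0

interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Enable IEEE 802.1AE on the port. Keys are agreed over EAPOL-MKA once 802.1X
 ! has succeeded, so nothing is exchanged in the clear after authentication.
 macsec
 mka policy CORP-MKA
 ! must-secure: a supplicant that cannot run MKA/802.1AE is not admitted to VLAN 10...
 authentication linksec policy must-secure
 ! ...instead it is authorized into the guest VLAN (step 6 of the flow).
 authentication event linksec fail action authorize vlan 20
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
```

With Bob's AnyConnect client connected, show mka sessions lists a Secured session on Gi1/0/1 and show macsec interface GigabitEthernet1/0/1 shows the data path encrypting; with Steve's non-MACsec endpoint, show authentication sessions interface GigabitEthernet1/0/1 shows the session authorized into VLAN 20 rather than 10. ISE's Link Encryption Policies (a Base-license feature, as the packaging slide above notes) set the same must-secure/should-secure decision per user from the authorization profile.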
MACsec Access Port (Crypto)
Standards-based encryption on user ports* (IEEE 802.1AE)
MACsec Key Agreement (MKA): standards-based key exchange protocol (IEEE 802.1X-REV MACsec Key Agreement)
Some newer Intel LOM chipsets support MACsec
MACsec-ready hardware:
Intel 82576 Gigabit Ethernet Controller
Intel 82599 10 Gigabit Ethernet Controller
Intel ICH10 - Q45 Express Chipset (1GbE LOM)
(Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM.)
* Please check CCO for the latest MACsec capable switches - www.cisco.com/go/trustsec
Case Study – Review: Future HealthCare
Future HealthCare Goals: Review IT Network Issues (the same goals listed under IT Network Issues at the start of the case study)
Future HealthCare Review
Need to prevent sensitive corporate data from traversing the Internet while
maintaining compliance with corporate and mandated regulations.
What Still Needs to be Done?
Data Loss Prevention
What is Data Loss Prevention?
Data Loss Prevention, otherwise known as DLP, is technology that inspects for
and prevents sensitive data leaking from your corporate network
DLP helps CxOs maintain corporate and regulation-based policies
Examples include HIPAA, GLBA, SOX and PCI compliance
DLP is the technology enforcer that prevents accidental or intentional data
leakage
IronPort Email Security Appliance
The Cisco IronPort ESA has onboard RSA DLP blade technologies
These allow inspection, remediation and compliance with corporate and
regulation-based policies
DLP remediation actions include:
Notify
BCC
Quarantine
Encrypt
Bounce
Drop
RSA Data Loss Prevention
IronPort ESA DLP Policy Manager
RSA DLP Blades
DLP Blade Example – HIPAA
Assigned DLP Policies
Case Study – Review
Future HealthCare
Future HealthCare Goals
Employees need secure remote access to corporate intranet and email
systems
Doctors need secure remote access to patient information and corporate
email systems
Doctors want access to patient data and internet
Employees want access to the internet and email
Patients want access to the internet and web mail
CTO has security and regulation requirements
CSO needs prevention of email spear-phishing attacks
IT needs corporate devices secure while still providing network access to
commercialized mobile devices
Review IT Network Issues
Future HealthCare Review
Need to protect end users from email spear-phishing attacks that could
lead to end users giving up sensitive corporate data such as user accounts and
passwords.
What Still Needs to be Done?
IronPort Outbreak Filters
IronPort Email Security Appliance
Cisco IronPort ESA has updated and rebranded the Virus Outbreak Filters as
the newer technology called Outbreak Filters
Outbreak Filters still continue to provide Day-Zero Virus Protection
Outbreak Filters also now provide Spear-Phishing prevention by rewriting
suspicious URLs embedded in email messages
Rewritten URLs are proxied through the ScanSafe Towers (data centers) for
web page inspection, which is transparent to the end user when they click
on the embedded URL in the email
If the web site is malicious, the end user receives a “Block” page
If the web site is found to be good, the web objects for the web page are
sent to the end user via the ScanSafe towers
Outbreak Filters
Outbreak Filters Configuration
Preventing Spear-Phishing Attacks
Summary
Summary / Glossary
What is Secure Mobility?
‒ Remote SSL VPN technology that integrates the Cisco AnyConnect client,
Cisco ASA Firewall and Cisco IronPort Web Security Appliance to backhaul
browser-based web traffic for proxy filtering
What is TrustSec?
‒ Umbrella Term Related to all “Identity Networking”
‒ Systems-Approach to Identity Networking
Summary / Glossary
What is Identity Services Engine (ISE)?
‒ ISE is the next-generation policy engine for TrustSec
‒ Combines Identity with 802.1X, Posture, Profiling and Guest Lifecycle into a
single platform.
What is MACSec (IEEE 802.1AE)?
‒ Layer-2 encryption from device to network
What is Data Loss Prevention (DLP)?
‒ Technology to inspect and prevent sensitive data from leaking from your corporate
network
‒ DLP is the technology enforcer to prevent accidental or intentional data leakage
Related Sessions
BRKSEC-2022 – Demystifying TrustSec, Identity, NAC and ISE
BRKSEC-2046 – Cisco TrustSec and Security Group Tagging
BRKSEC-3000 – Advanced Securing Borderless Networks
BRKSEC-3032 – Deploying TrustSec In Enterprise Branch and WAN Networks
BRKSEC-3040 – TrustSec and ISE Deployment Best
TECSEC-3030 – Advanced Network Access Control with ISE
Other TrustSec Security Sessions at Cisco Live 2012
Q&A
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes.
Winners announced daily.
Receive 20 Passport points for each
session evaluation you complete.
Complete your session evaluation
online now (open a browser through
our wireless network to access our
portal) or visit one of the Internet
stations throughout the Convention
Center.
Don’t forget to activate your
Cisco Live Virtual account for access to
all session material, communities, and
on-demand and live activities throughout
the year. Activate your account at the
Cisco booth in the World of Solutions or visit
www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of
Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco
booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI
Cisco ASA Secure Mobility Configuration
Appendix
Cisco ASA Secure Mobility
1. SSL Certificate Creation
2. Associate trustpoint to Interface
3. LDAP Integration
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
7. Activate SSL VPN Configuration
Configuration Setup
Cisco ASA Secure Mobility Configuration
Cisco Secure Mobility requires the use of the Cisco SSL VPN client
software – AnyConnect
In order to use the AnyConnect SSL VPN software, the Cisco ASA must be
configured with an SSL certificate
The SSL certificate can be signed by a trusted root authority such as VeriSign or
Entrust
-or-
Use a self-signed SSL certificate generated on the ASA appliance
Step 1 - SSL Certificate Creation
Cisco ASA Self-Signed Certificates: Certificate Assigned to Trustpoint
To verify from the ASA CLI
show run crypto ca
show crypto ca cert
Cisco ASA Self-Signed Certificates
Associate the new trustpoint with the outside interface
A. Configuration > Device Management > Advanced > SSL Settings
B. Associate the new certificate with the outside interface by selecting the outside
interface and clicking the Edit button.
C. In the Primary Enrollment Certificate drop-down, select the trustpoint name and
click OK.
D. Click the Apply button.
Step 2. Associate Trustpoint to Interface
Cisco Self-Signed Certificates: Certificate Assigned to Outside Interface
Cisco ASA Secure Mobility
1. SSL Certificate Creation
2. Associate trustpoint to Interface
3. LDAP Integration
Configuration Setup
LDAP Integration
Authenticate remote SSL VPN users via LDAP integration with the back-end
Active Directory environment
A. From ASDM - Configuration > Device Management > Users/AAA > AAA
Server Groups
B. From the AAA Server Groups table, click the ADD button
C. Enter the Server Group name (user defined)
D. Select LDAP from the Protocol drop-down box
E. Leave the remaining values at their default settings
F. Click the OK button
AAA Server Group Configuration
LDAP Integration ASDM Output Example
LDAP Integration
G. Single-click the newly created LDAP AAA server group
H. In the Servers in the Selected Group table (bottom table), click the ADD button to define the AAA
server(s)
I. Enter the configuration values for LDAP integration
Interface: Inside
Server Name or IP Address: IP address of the AD server
Port: 389
Server Type: Microsoft
Base DN: domain name base DN
Scope: All levels beneath the Base DN
Naming Attribute(s): sAMAccountName
Login DN: Username for LDAP authentication
Login Password: password
J. Click OK
K. Click Apply
AAA Server Group Configuration (cont.)
LDAP Integration ASDM Output Example
LDAP Integration
J. Click the Test button to verify the LDAP authentication configuration
Change the radio button from Authorization to Authentication
Enter a valid domain username and password
A window appears that reads:
“Authentication test to host X.X.X.X is successful.”
AAA Server Group Configuration (cont.)
LDAP Integration ASDM Output Example
Cisco ASA Secure Mobility
1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
Configuration Setup
Connection Profiles
Connection Profiles in ASDM are another name for tunnel-groups within
the CLI.
They provide a means to apply very specific connection attributes to
remote users.
Once a user is mapped to a connection profile, we can then associate
group-level policies.
Any attribute not mapped in a connection profile or group-policy will be
inherited from the top-level Default Group Policy.
Connection Profiles
Set up the SSL VPN Connection Profile
A. From ASDM - Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Connection Profiles
B. Click the ADD button to create a new Connection Profile
C. Enter Connection Profile Name
D. Enter Connection Profile Alias
E. Define Authentication parameters
Method – AAA
AAA Server Group – LDAP
Configuration
Note: The connection profile alias allows administrators to provide custom group names to the end users when they browse
to the webpage of the ASA and also defines the group names seen in the AnyConnect client.
Connection Profiles ASDM Output Example
Connection Profiles
F. Define the Client Address Pool
G. Click the Select … button to create client address pool
H. Click Add button
Enter IP Pool Name
Enter Starting IP Address
Enter Ending IP Address
Enter Subnet Mask
I. Click OK button
J. Single click the new address pool name
K. Click Assign button
L. Click OK button
M. Click OK button
Configuration (cont.)
Connection Profiles ASDM Output Example
Cisco ASA Secure Mobility
1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
5. Group Policy
Configuration Setup
Group Policy
VPN Group Policies are a collection of authorization-based attribute/value
pairs that can be stored in the ASA configuration or on a RADIUS/LDAP
server.
Customized group attributes include:
‒ Tunneling Protocols
‒ Connection Profile Lock
‒ NAC Policy
‒ Access Hours
‒ Idle Timeout
‒ Maximum Connection Time
‒ DNS Servers
‒ Split Tunneling
‒ SSL VPN Client Settings
‒ IPSec Client Settings
‒ Banner
‒ Login
‒ Address Pools
Group Policy
Set up the Group Policy
A. From the main page of the newly configured Connection Profile, next to Default Group Policy
click Manage …
B. Click the ADD button
C. Enter the Group Policy name
D. Single-click the “More Options” gray bar
E. Uncheck the Inherit checkbox for Tunneling Protocols and select the “SSL VPN
Client” checkbox only. Uncheck any other remaining protocols.
F. Select the “Servers” menu option. Uncheck the Inherit checkbox for DNS and enter
your internal DNS server IP address.
Configuration
Group Policy
G. Open “More Options”, uncheck the Inherit checkbox for “Default
Domain” and enter your domain name.
H. Click OK
I. Click OK
Configuration (cont.)
Group Policy ASDM Output Example
Group Policy
G. From the Connection Profile main window, under Default Group Policy select the
newly created group policy from the drop-down box.
H. Select the “Enable SSL VPN Client Protocol” checkbox
I. Click OK
J. Click Apply
Configuration (cont.)
Group Policy ASDM Output Example
Group Policy ASDM Output Example
Cisco ASA Secure Mobility
1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
Configuration Setup
AnyConnect Client Preparation
There are two options for getting the Cisco AnyConnect client installed on the end user’s
computer
‒ Option #1 – Use the pre-install client package for Windows (.msi) or Mac (.dmg)
A standard install application, which can also be pre-deployed and pre-configured.
‒ Option #2 – Download the AnyConnect client from the ASA clientless SSL VPN web
portal.
Requires preparation by uploading the packages to and configuring the Cisco ASA for deployment
of AnyConnect via the SSL web portal.
Cisco ASA AnyConnect Deployment
The first step is to identify the correct AnyConnect images for the end
user operating systems and versions that are required for your
organization.
‒ Supported Operating Systems
‒ Windows 32/64 bit operating system versions
‒ anyconnect-win-<version>-k9.pkg
‒ Mac OS X Intel platforms
‒ anyconnect-macosx-i386-<version>-k9.pkg
‒ Linux 32/64 bit operating system versions
‒ anyconnect-linux-<version>-k9.pkg
‒ anyconnect-linux-64-<version>-k9.pkg
Make sure you download the proper version for ASA deployment and not the pre-deployment
versions.
Cisco ASA AnyConnect Deployment
Download the proper AnyConnect images and configure the software
client for the ASA.
‒ From ASDM – Configuration > Remote Access SSL VPN > Network (Client)
Access > AnyConnect Client Settings
‒ Download the AnyConnect Packages using link from ASDM or pre-download from
CCO directly
‒ Upload the AnyConnect Packages from your desktop to disk0:/ on the ASA
Firewall
Configuration Steps
Cisco ASA Secure Mobility
1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
7. Activate SSL VPN Configuration
Configuration Setup
Activate SSL VPN Configuration
From ASDM – Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Connection Profiles
‒ Check the “Allow Access” checkbox for the Outside interface.
‒ Check the “Enable Cisco AnyConnect VPN Client” access checkbox for the
Outside interface.
‒ Click the Apply button
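The CLI equivalent of the seven ASDM steps above, as an added example rather than the deck's own configuration: the trustpoint, key, server-group, pool, group-policy and tunnel-group names, the 10.0.0.10 and 10.10.10.x addresses, vpn.example.com and the bind DN are constructed placeholders, and <version> is left as the deck gives it.

```cisco
! Step 1: self-signed certificate in a trustpoint (names/FQDN are placeholders)
! Verify afterwards with "show run crypto ca" and "show crypto ca cert"
crypto key generate rsa label ASA-SELF-KEY modulus 2048 noconfirm
crypto ca trustpoint ASA-SELF-TP
 enrollment self
 keypair ASA-SELF-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
crypto ca enroll ASA-SELF-TP noconfirm
! Step 2: associate the trustpoint with the outside interface
ssl trust-point ASA-SELF-TP outside
! Step 3: LDAP AAA server group pointing at the back-end Active Directory (placeholder IP/DN)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 389
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
! Step 4 (client address pool): start-end range and mask as entered in ASDM
ip local pool ANYCONNECT-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
! Step 5: group policy with SSL VPN client only, internal DNS and default domain
group-policy SECURE-MOBILITY-GP internal
group-policy SECURE-MOBILITY-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10
 default-domain value example.com
! Step 4 (connection profile = tunnel-group): AAA via the LDAP group, pool, policy, alias
tunnel-group SECURE-MOBILITY type remote-access
tunnel-group SECURE-MOBILITY general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group AD-LDAP
 default-group-policy SECURE-MOBILITY-GP
tunnel-group SECURE-MOBILITY webvpn-attributes
 group-alias SecureMobility enable
! Steps 6 and 7: AnyConnect packages on disk0: and SSL VPN enabled on outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-<version>-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
```

The anyconnect image / anyconnect enable keywords are the ASA 8.4 and later syntax; earlier releases use svc image and svc enable under webvpn.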