Borderless Security VT: Borderless Secure Mobility

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1 Robin Sundin [email protected] Håkan Nohre [email protected] Borderless Security VT: Borderless Secure Mobility

Upload: trantu

Post on 07-May-2019


Page 1:

Robin Sundin [email protected]

Håkan Nohre [email protected]

Borderless Security VT: Borderless Secure Mobility

Page 2:

Persistent Security and Policy Enforcement / Seamless User Experience

[Diagram: AnyConnect on an Untrusted Network with Always-On VPN to the ASA; the ASA performs an authentication handoff (SSO) to the Cisco Web Security Appliance (WSA) via WCCP; the WSA applies identity and location aware policy enforcement and location-aware reporting. The user authenticates on the Trusted Network and User Identity is taken from Corporate AD. AnyConnect features shown: Always-on VPN (admin configurable), Optimal head end auto-detect, Transparent auth (certificate). Internet destinations shown: News, Email, Social Networking, Enterprise SaaS.]

Page 3:

Persistent Security and Policy Enforcement / Seamless User Experience

[Diagram: same topology as page 2, now with the SSL VPN tunnel carrying all traffic ("SSL VPN Tunnel All Traffic") from the Untrusted Network to the ASA; the ASA hands off authentication (SSO) to the WSA via WCCP; User Identity comes from Corporate AD; a request to facebook.com is shown among the Internet destinations (News, Email, Social Networking, Enterprise SaaS). AnyConnect features: Always-on VPN (admin configurable), Optimal head end auto-detect, Transparent auth (certificate). WSA features: identity and location aware policy enforcement, location-aware reporting.]

Page 4:

Demo

Page 5:

AnyConnect Secure Mobility Overview: Agenda

ASA
• Stateful Firewall
• BotNet Filter
• Protocol Inspections
• ASA / WSA SSO Communications

AnyConnect
• Session Persistence
• Trusted Network Detection
• Always-on VPN
• Captive Portal Detection
• Optimum Head End Detection
• AnyConnect/Personal Firewall
• Quarantine and Always-On VPN enforcement via DAP

WSA
• Acceptable Usage Policy
• Application Visibility Control
• DVS / Anti-Malware
• Outbound Malware
• SaaS SSO
• Web Reputation
• DLP
• Secure Mobility

Page 6:

AnyConnect Session Persistence: Network Follows User – It Just Works

AnyConnect 2.3

VPN session remains connected:
• While user migrates between networks (3G, WiFi, LAN, etc)
• During loss of network connectivity
• During system hibernation / standby

• Administratively controlled policy
• Compatible with all auth methods
• User does not re-authenticate after hibernation/standby

[Diagram: Auto-detect and connect → Transparent handoff → Session persistence → Persistent Connectivity]

Page 7:

AnyConnect Secure Mobility Session Persistence User Experience: User Indicator

Connection State: Reconnecting

Page 8:

Trusted Network Detection

Trusted Network Detection (TND): Intelligent Mobility

AnyConnect 2.4

Automatically connects or disconnects under the following conditions:
• In Office
• Out of Office

• Location determination made by Default Domain Name or DNS server IP
• Other checks likely in future
• Certificate authentication for seamless reconnection
• Administratively controlled policy
• Windows XP, Vista, 7 & Mac OS X

[Diagram: In Office / Out of Office]

Page 9:

Trusted Network Detection Settings

Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity

[Diagram: the endpoint at the Corporate Headquarters sends a DHCP Request and receives a DHCP Response carrying the Trusted DNS Configuration: DNS Address 161.44.124.22, DNS Suffix cisco.com; the Home Office is shown as the Untrusted Network]

Page 10:

Trusted Network Detection Settings

Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity

[Diagram: the endpoint at the Corporate Headquarters now holds the Trusted DNS Configuration (DNS Address 161.44.124.22, DNS Suffix cisco.com); the Home Office is shown as the Untrusted Network]

Page 11:

Trusted Network Detection Settings

Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity

[Diagram: the endpoint at the Home Office sends a DHCP Request and receives a DHCP Response carrying an Untrusted DNS Configuration: DNS Server IP 68.87.78.130, DNS Suffix comcast.net; the Corporate Headquarters is shown as the Trusted Network]

Page 12:

Trusted Network Detection Settings

Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity

[Diagram: the endpoint at the Home Office now holds the Untrusted DNS Configuration (DNS Server IP 68.87.78.130, DNS Suffix comcast.net); the Corporate Headquarters is shown as the Trusted Network]

Page 13:

AnyConnect Secure Mobility: Security Persistence

• Always On VPN extends the virtual perimeter to the endpoint
• Security Persistence and policy are administratively controlled
• If ASA head-end is unreachable: fail-open (direct network access) or fail-close (no network access)

[Diagram: Security Enforcement Array with Location-aware, Captive portal, nearest headend and Auth persistence; Security Persistence with Always On VPN (Fail Closed or Fail Open)]

Page 14:

AnyConnect Secure Mobility: User Experience: User Indicators

AnyConnect Secure Mobility Solution

[Screenshot: Connection Status: Always-On, Failed Closed; No Network Access Available; Manual URL Entry is not Allowed]

Page 15:

Secure Mobility – Always On Captive Portal Detection

AnyConnect Secure Mobility Solution

Always-On enforces VPN connectivity. If AnyConnect fails to connect, its endpoint can fail closed, preventing network connectivity to and from the endpoint.

Always-On allows AnyConnect users to remediate their Captive Portal prior to required VPN establishment.
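As an added illustration (not code from the Cisco deck), here are the TND and Always-On decisions described on pages 8 to 15 written as one small Python policy function. The DNS values are the ones shown on the slides; the trusted → disconnect VPN / untrusted → connect VPN mapping, the state names, the TndSettings fields and the remediation timer length are assumptions.

```python
"""Trusted Network Detection (TND) plus Always-On policy, after the slides.

Added example, not Cisco code.  The trusted DNS values (161.44.124.22,
cisco.com) and untrusted ones (68.87.78.130, comcast.net) are the ones on
the slides; the state names, the TndSettings fields, the timer length and
the trusted -> disconnect / untrusted -> connect mapping are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TndSettings:
    """Administratively controlled policy pushed in the client profile (assumed shape)."""
    trusted_dns_servers: frozenset = frozenset({"161.44.124.22"})
    trusted_dns_suffixes: frozenset = frozenset({"cisco.com"})
    always_on: bool = True
    fail_closed: bool = True                 # False selects fail-open (direct network access)
    captive_portal_remediation_s: int = 300  # assumed remediation timer


@dataclass(frozen=True)
class NetworkLease:
    """What the endpoint learned from the DHCP response on the current network."""
    dns_servers: Tuple[str, ...]
    dns_suffix: Optional[str]


def is_trusted(lease: NetworkLease, cfg: TndSettings) -> bool:
    """TND location check: default domain name OR DNS server IP matches policy.

    The suffix is compared exactly (case-insensitive, trailing dot ignored),
    never as a substring, so 'cisco.com.example.net' is not treated as
    cisco.com.  Both values are unauthenticated DHCP data, so TND decides
    only whether to bring the tunnel up, not what the user may access.
    """
    suffix = (lease.dns_suffix or "").lower().rstrip(".")
    if suffix in cfg.trusted_dns_suffixes:
        return True
    return any(ip in cfg.trusted_dns_servers for ip in lease.dns_servers)


def decide(lease: NetworkLease, cfg: TndSettings, headend_reachable: bool,
           captive_portal: bool, remediation_elapsed_s: int = 0) -> str:
    """Client connection state for this network (assumed state names)."""
    if is_trusted(lease, cfg):
        return "DISCONNECT_VPN"                   # in office: tunnel not needed
    if captive_portal and remediation_elapsed_s < cfg.captive_portal_remediation_s:
        return "CAPTIVE_PORTAL_REMEDIATION"       # user may clear the portal first
    if headend_reachable:
        return "CONNECT_VPN"                      # out of office: Always-On brings the VPN up
    if cfg.always_on and cfg.fail_closed:
        return "FAIL_CLOSED"                      # no network access, manual URL entry not allowed
    return "FAIL_OPEN"                            # direct network access permitted by policy
```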

Page 16:

AnyConnect Secure Mobility Captive Portal User Experience: User Indicator

Captive Portal Remediation Required

Page 17:

AnyConnect Secure Mobility Captive Portal User Experience: User Indicator

Captive Portal Remediation Timer Expired

Page 18:

Client Firewall Rules: Selective Local LAN access

AnyConnect 2.5

• Utilizes embedded OS FW to configure Public (split tunneling address on the physical adapter) and Private (virtual adapter) interface firewall rules
• If Public rules cannot be configured, client will revert to ALL tunneling
• FW rules supported are: Basic ACLs for IPv6; Port rules for IPv4; No app-based FW rules
• Windows XP SP2, Vista, Windows 7, and Mac OS X

Sample FW allow options: Local Printing; Tethered Device (i.e. Smartphone)

Page 19:

AnyConnect Secure Mobility Local LAN/Client Firewall User Experience: User Indicator

AnyConnect Secure Mobility Solution

[Screenshot: Local LAN (Split Exclude) and Client Firewall Rules (Local Printing) settings in the AnyConnect Client Profile, Preferences (Cont.)]

Page 20:

AnyConnect Secure Mobility – Quarantine: Solution Benefits

• Provides an indication to the user that posture assessment has failed
• Leverages existing DAP functionality – and a new “Quarantine” action on ASA
• Similar to existing “Continue” action on the ASA, except for the notification sent to the client
• ASA applies restricted ACLs to the session based upon the selected DAP record. The endpoint is then in a restricted state. User to take corrective action and remediate
• Messages are administrator configurable

Page 21:

Posture Assessment and Quarantine: Failure to comply with endpoint policy

Administrator communicates why end-user is not being granted full network access.

DAP Quarantine messages will be shown in the inline GUI banner.

Once rectified, user will need to “Reconnect” to be re-evaluated.

Page 22:

Cisco Secure Remote Access: Optimal Gateway Selection

Connects to the Most Optimum Head-end: HTTPS Request Approximated by Fastest Round Trip Time

[Diagram: head-ends in Los Angeles, Boston, London and New York; measured round trip times shown: 25ms, 24ms, 23ms, 33ms, 26ms, 35ms, 28ms, 25ms, 27ms]

Page 23:

Cisco Secure Remote Access: Optimal Gateway Selection

Connects to the Most Optimum Head-end: HTTPS Request Approximated by Fastest Round Trip Time

[Diagram: head-ends in Los Angeles, Boston, London and New York; remaining round trip times shown: 23ms, 26ms, 25ms]

Page 24:

Cisco Secure Remote Access: Optimal Gateway Selection

Connects to the Most Optimum Head-end: HTTPS Request Approximated by Fastest Round Trip Time

[Diagram: head-ends in Los Angeles, Boston, London and New York; the selected head-end shows Time = 23ms]

Feature Parameters:
• Suspension Time Threshold (hours)
• Performance Improvement Threshold (%)
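The selection rule sketched on pages 22 to 24, as an added Python example (not Cisco code): pick the head-end with the fastest HTTPS round trip, but only switch away from the current one when the gain exceeds the Performance Improvement Threshold and the Suspension Time Threshold has passed. The head-end and parameter names come from the slides; the RTT figures are constructed and the exact switching rule is this example's assumption.

```python
"""Optimal Gateway Selection (OGS) as sketched on pages 22 to 24.

Added example, not Cisco code.  The head-end names and the two parameter
names (Suspension Time Threshold, Performance Improvement Threshold) come
from the slides; the RTT figures are constructed and the exact switching
rule is this example's assumption.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class OgsParams:
    suspension_time_threshold_h: float = 4.0             # hours before a switch is reconsidered
    performance_improvement_threshold_pct: float = 20.0  # minimum RTT gain worth a re-connect


@dataclass
class OgsState:
    current: Optional[str] = None          # head-end used by the last session
    hours_since_switch: float = math.inf   # elapsed time since that choice was made


def fastest(rtt_ms: Dict[str, float]) -> str:
    """Head-end with the lowest HTTPS round-trip time; unreachable ones are reported as inf.

    Probes should be real HTTPS requests with certificate validation, so the
    measured times come from genuine head-ends.
    """
    return min(rtt_ms, key=rtt_ms.__getitem__)


def select_gateway(rtt_ms: Dict[str, float], state: OgsState, params: OgsParams) -> str:
    """Return the head-end to connect to; only switch when it is clearly worth it."""
    best = fastest(rtt_ms)
    if state.current is None or state.current not in rtt_ms:
        return best                        # first connection: take the fastest
    current_rtt = rtt_ms[state.current]
    if math.isinf(current_rtt):
        return best                        # current head-end unreachable: switch regardless
    if state.hours_since_switch < params.suspension_time_threshold_h:
        return state.current               # inside the suspension window: stay put
    improvement_pct = (current_rtt - rtt_ms[best]) / current_rtt * 100.0
    if improvement_pct >= params.performance_improvement_threshold_pct:
        return best
    return state.current                   # gain below threshold: avoid needless re-connects


# Constructed measurements (ms) for the slide's four head-ends.
SAMPLE_RTT = {"London": 23.0, "New York": 26.0, "Los Angeles": 25.0, "Boston": 33.0}
```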

Page 25:

Optimal Gateway Selection: User Indicator

Gateway Selections are found in the AnyConnect Client Profile

Page 26:

Cisco AnyConnect Secure Mobility: ASA–WSA Communication

1. AnyConnect Authenticates and Establishes a VPN Tunnel to the ASA
2. ASA Extracts Username from Certificate or AAA Server
3. ASA Forwards Username and Tunneled IP Address to the WSA
4. WSA Verifies Username and Group Membership against Active Directory
5. WSA Applies Policies based on Username or Group Membership

[Diagram: Adaptive Security Appliance (ASA) and Web Security Appliance (WSA); the user authenticates and the VPN tunnel is established; User Identity & Tunneled IP are sent from the ASA to the WSA across an SSL connection; the WSA performs authentication (User & Group) and authorization against Active Directory (LDAP, NTLMSSP, Basic); destinations shown: News, Email, facebook.com]
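The five-step handoff above, as an added Python example (not Cisco code) that models the WSA side: it binds the tunneled IP the ASA reports to a username only after the AD lookup succeeds, drops the binding when the tunnel ends, and applies group-based policy. The AD groups, policy rules, usernames and method names are constructed for this illustration.

```python
"""ASA to WSA identity handoff, following the five steps on page 26.

Added example, not Cisco code.  The step order is the slide's; the AD
groups, the policy rules, the usernames and the method names are
constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed Active Directory view used for step 4 (username -> groups).
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Employees", "Marketing"},
    "bob": {"Employees", "Engineering"},
}

# Constructed WSA policy for step 5: first group with a rule for the category wins.
POLICY: List[Tuple[str, Dict[str, str]]] = [
    ("Marketing", {"social-networking": "allow", "email": "allow"}),
    ("Employees", {"social-networking": "block", "email": "allow"}),
]


@dataclass
class Wsa:
    """The WSA's identity table, keyed by the tunneled IP the ASA reports (step 3)."""
    identities: Dict[str, str] = field(default_factory=dict)

    def asa_session_up(self, username: str, tunneled_ip: str) -> bool:
        """Steps 3 and 4: bind IP to user only after AD confirms the username."""
        if username not in AD_GROUPS:
            return False                   # unknown to AD: no binding, no identity-based policy
        self.identities[tunneled_ip] = username
        return True

    def asa_session_down(self, tunneled_ip: str) -> None:
        """Drop the binding when the tunnel ends, so a reused IP does not inherit the old identity."""
        self.identities.pop(tunneled_ip, None)

    def decide(self, client_ip: str, category: str) -> str:
        """Step 5: policy by group membership; IPs without a handoff get no identity-based access."""
        user = self.identities.get(client_ip)
        if user is None:
            return "auth-required"         # fall back to the WSA's own authentication
        groups = AD_GROUPS[user]
        for group, rules in POLICY:
            if group in groups and category in rules:
                return rules[category]
        return "block"                     # default deny for categories with no matching rule
```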

Page 27:

Next Generation Web Controls: Extended with Whitney

[Diagram: Rich AUP Controls, Current vs. Whitney: List-based URL Filtering, User Identity, Time-Based Controls, Dynamic URL Filtering, Bandwidth Controls, Application Control, Collaboration Control]

Page 28:

SaaS Single Sign-On

Page 29:

Extending Security and Control to SaaS: Identity Integration with SAML Enabled Gateway

• Usability: Sign into SaaS applications using same AD credentials
• Security: Zero-day revocation of SaaS permissions
• Simplicity: Integrated SAML Identity Provider

[Diagram: Internal Users and Remote Users authenticate against AD / User Dir; a SAML enabled gateway at the Enterprise Edge asserts identity (SAML) towards the SaaS applications]

Page 30:

SaaS Access Control: How it works

Step-by-step process diagram of user auth to WSA, WSA auth to SaaS app on their behalf

In this case “Partner” is WSA

Page 31:

Deployment Options

Page 32:

Explicit / Transparent Comparison

                                     Explicit           Transparent
Server-Side Deployment Team          +
PAC / GPO / WPAD / Proxy Settings    +
Network Deployment Team                                 +
WCCP / Policy-Based Routing                             +
Seamless to End User                 +                  +
Fault-Tolerance                      +                  +
Load-Balancing                       +                  +
Authentication                       Proxy Aware (+)    Auth Redirect (-)
Unknown Web Apps                     -                  +

Page 33:

AnyConnect Secure Mobility: Deployment Options

Transparent Proxy
a. Single ASA for Internet Egress: WCCP on ASA or WCCP on Router
b. Dedicated ASA for VPN, alternate egress point: WCCP on Router, WCCP on Egress ASA

Explicit Proxy

Page 34:

Transparent Redirection – Single ASA (WCCP on Router)

AnyConnect Secure Mobility Solution

Transparent Proxy requires a WCCP enabled router which removes the requirement for AnyConnect users to configure their browser application with a web proxy. Their target URL request is automatically redirected to the WSA for policy enforcement.

ASA Config:

  route inside 10.10.10.0 255.0.0.0 192.168.1.2
  route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled

IOS Config:

  ip wccp 80 redirect-list redirect-acl
  interface eth0
   ip wccp 80 redirect in

Page 35:

Transparent Redirection – Single ASA (WCCP on ASA)

AnyConnect Secure Mobility Solution

Transparent Proxy requires a WCCP enabled router which removes the requirement for AnyConnect users to configure their browser application with a web proxy. Their target URL request is automatically redirected to the WSA for policy enforcement.

ASA Config:

  route inside 10.10.10.0 255.0.0.0 192.168.1.2
  route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
  wccp 80 redirect-list redirect-acl
  wccp interface inside 80 redirect in

Page 36:

Explicit Proxy Redirection

AnyConnect Secure Mobility Solution

Explicit Proxy Mode requires AnyConnect users to know about the proxy configuration and in some cases define the appropriate proxy settings in their browser application.

Page 37:

Explicit Proxy Redirection

AnyConnect Secure Mobility Solution

Page 38:

Q and A
