TRANSCRIPT
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Robin Sundin [email protected]
Håkan Nohre [email protected]
Borderless Security VT:Borderless Secure Mobility
Persistent Security and Policy Enforcement: Seamless User Experience

ASA / WSA
Authentication handoff (SSO)
Identity and location aware policy enforcement
Location-aware reporting

AnyConnect
Always-on VPN (admin configurable)
Optimal head end auto-detect
Transparent auth (certificate)

[Diagram: an AnyConnect endpoint on an untrusted network holds an Always-On VPN to the ASA on the trusted network. The user authenticates once; the ASA passes the user identity to the Cisco Web Security Appliance and redirects web traffic to it with WCCP. The WSA checks the identity against Corporate AD and enforces policy on Internet destinations (news, email, social networking, enterprise SaaS).]
[Diagram, next build: with Always-On VPN the SSL VPN tunnels all traffic, so a request to facebook.com from the untrusted network still traverses the ASA, is redirected to the WSA, and is subject to the identity-aware policy.]
Demo
AnyConnect Secure Mobility Overview: Agenda

ASA
• Stateful Firewall
• BotNet Filter
• Protocol Inspections
• ASA / WSA SSO Communications

AnyConnect
• Session Persistence
• Trusted Network Detection
• Always-on VPN
• Captive Portal Detection
• Optimum Head End Detection
• AnyConnect/Personal Firewall
• Quarantine and Always-On VPN enforcement via DAP

WSA
• Acceptable Usage Policy
• Application Visibility Control
• DVS / Anti-Malware
• Outbound Malware
• SaaS SSO
• Web Reputation
• DLP
• Secure Mobility
AnyConnect Session Persistence: Network Follows User – It Just Works (AnyConnect 2.3)

VPN session remains connected:
  while the user migrates between networks (3G, WiFi, LAN, etc.)
  during loss of network connectivity
  during system hibernation / standby
Administratively controlled policy
Compatible with all auth methods
User does not re-authenticate after hibernation/standby

[Diagram: auto-detect and connect, transparent handoff, session persistence: persistent connectivity.]
AnyConnect Secure Mobility Session Persistence, User Experience: User Indicator
Connection State: Reconnecting
Trusted Network Detection (TND): Intelligent Mobility (AnyConnect 2.4)

Automatically connects or disconnects the VPN depending on location: In Office / Out of Office
Location determination made by Default Domain Name or DNS server IP
Other checks likely in future
Certificate authentication for seamless reconnection
Administratively controlled policy
Windows XP, Vista, 7 & Mac OS X
Trusted Network Detection Settings: Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity

[Diagram: the endpoint sends a DHCP request on whatever network it joins and reads the DNS settings out of the DHCP response, then compares them with the trusted DNS configuration in the client profile.]

Corporate Headquarters (trusted DNS configuration): DNS address 161.44.124.22, DNS suffix cisco.com -> trusted network
Home Office (untrusted DNS configuration): DNS server IP 68.87.78.130, DNS suffix comcast.net -> untrusted network
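The trusted/untrusted decision the TND slides walk through, as an added example that is not part of the original deck and not AnyConnect's code. The DNS server address and suffix values are the slide's; the profile field names, the `require_both` switch, the connect/disconnect policy names and the DHCP leases are constructed for the example. Both signals are handed to the endpoint by whichever network it joined, so they can only say the client is probably in the office; requiring both to match is the conservative setting, because a mismatch keeps the tunnel up.

```python
"""Trusted Network Detection (TND) decision logic, modelled on the slide's
DNS-based check. Added example, not Cisco's code. The DHCP lease objects are
constructed; the trusted DNS values are the ones shown on the slide."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class TrustedDnsConfig:
    """Administrator-controlled TND settings from the client profile (assumed names)."""
    trusted_dns_servers: frozenset    # DNS server IPs that mark a network trusted
    trusted_dns_suffixes: frozenset   # DNS suffixes that mark a network trusted
    require_both: bool = True         # AND the two checks instead of OR-ing them
    trusted_policy: str = "Disconnect"    # action when in the office
    untrusted_policy: str = "Connect"     # action when out of the office


@dataclass(frozen=True)
class DhcpLease:
    """What the endpoint learned from the DHCP response (constructed input)."""
    dns_servers: tuple
    dns_suffix: str


def is_trusted(cfg: TrustedDnsConfig, lease: DhcpLease) -> bool:
    """True when the lease's DNS settings match the trusted configuration."""
    server_match = any(ip_address(s) in cfg.trusted_dns_servers for s in lease.dns_servers)
    suffix_match = lease.dns_suffix.lower().rstrip(".") in cfg.trusted_dns_suffixes
    if cfg.require_both:
        return server_match and suffix_match
    return server_match or suffix_match


def tnd_action(cfg: TrustedDnsConfig, lease: DhcpLease) -> str:
    """Map the trust decision to the administratively controlled VPN action."""
    return cfg.trusted_policy if is_trusted(cfg, lease) else cfg.untrusted_policy


# Trusted DNS configuration as shown on the slide.
CORP = TrustedDnsConfig(
    trusted_dns_servers=frozenset({ip_address("161.44.124.22")}),
    trusted_dns_suffixes=frozenset({"cisco.com"}),
)

# Leases for the slide's two scenarios, plus one that only half matches.
HQ_LEASE = DhcpLease(dns_servers=("161.44.124.22",), dns_suffix="cisco.com")
HOME_LEASE = DhcpLease(dns_servers=("68.87.78.130",), dns_suffix="comcast.net")
# Suffix matches but the DNS server does not: with require_both the client
# treats this as untrusted and keeps the tunnel up.
MIXED_LEASE = DhcpLease(dns_servers=("68.87.78.130",), dns_suffix="cisco.com")

if __name__ == "__main__":
    for name, lease in [("HQ", HQ_LEASE), ("Home", HOME_LEASE), ("Mixed", MIXED_LEASE)]:
        print(f"{name:6} trusted={is_trusted(CORP, lease)!s:5} action={tnd_action(CORP, lease)}")
```

The `MIXED_LEASE` case is the one to watch in a real profile: with only one of the two checks configured, a network that merely hands out the corporate suffix would be treated as trusted and the tunnel would drop.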
AnyConnect Secure Mobility: Security Persistence

• Always-On VPN extends the virtual perimeter to the endpoint
Security persistence and policy are administratively controlled
If the ASA head-end is unreachable, the endpoint either fails open (direct network access) or fails closed (no network access)
Security enforcement array: location-aware, captive portal, nearest headend, auth persistence

Security Persistence with Always-On VPN (Fail Closed or Fail Open)
AnyConnect Secure Mobility, User Experience: User Indicators
Connection Status: Always-On, Failed Closed
No Network Access Available
Manual URL Entry is not Allowed
Secure Mobility – Always-On Captive Portal Detection

Always-On enforces VPN connectivity. If AnyConnect fails to connect, the endpoint can fail closed, preventing network connectivity to and from the endpoint.
Always-On allows AnyConnect users to remediate their captive portal (log in to the hotspot page) before the required VPN is established.
AnyConnect Secure Mobility Captive Portal, User Experience: User Indicators
Captive Portal Remediation Required
Captive Portal Remediation Timer Expired
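The Always-On behaviour described on the preceding slides (fail closed or fail open, with a captive-portal remediation window whose timer can expire), written out as an added example. This is not AnyConnect's code: the probe callbacks, the 300-second timer, the state names and the hotel-WiFi scenario are constructed for illustration.

```python
"""Always-On VPN state machine with fail-open / fail-closed behaviour and a
captive-portal remediation window. Added example, not AnyConnect's code: the
probe callbacks, timer length, state names and scenario are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class AlwaysOnPolicy:
    """Administrator-controlled settings pushed in the client profile (assumed names)."""
    fail_closed: bool = True                   # head end unreachable -> no network access
    allow_captive_portal_remediation: bool = True
    remediation_seconds: int = 300             # assumed length of the remediation timer


@dataclass
class AlwaysOnClient:
    policy: AlwaysOnPolicy
    headend_reachable: Callable[[], bool]        # e.g. TLS connect to the ASA succeeds
    captive_portal_present: Callable[[], bool]   # e.g. a canary HTTP fetch is hijacked
    remediation_started_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def evaluate(self, now: float) -> str:
        """Return CONNECTED, REMEDIATE, FAIL_CLOSED or FAIL_OPEN for this instant."""
        if self.headend_reachable():
            self.remediation_started_at = None   # a good connection resets the timer
            self.log.append("VPN established")
            return "CONNECTED"
        if self.policy.allow_captive_portal_remediation and self.captive_portal_present():
            if self.remediation_started_at is None:
                self.remediation_started_at = now
            if now - self.remediation_started_at <= self.policy.remediation_seconds:
                # Only the portal is reachable; manual URL entry stays blocked.
                self.log.append("Captive Portal Remediation Required")
                return "REMEDIATE"
            self.log.append("Captive Portal Remediation Timer Expired")
        # No tunnel and no remaining remediation window: the policy decides.
        if self.policy.fail_closed:
            self.log.append("No Network Access Available")
            return "FAIL_CLOSED"
        self.log.append("Head end unreachable: direct network access permitted")
        return "FAIL_OPEN"


def simulate_hotel_wifi(fail_closed: bool) -> List[str]:
    """Constructed scenario: a captive portal blocks the ASA until the user logs in."""
    state = {"portal_done": False}
    client = AlwaysOnClient(
        policy=AlwaysOnPolicy(fail_closed=fail_closed, remediation_seconds=300),
        headend_reachable=lambda: state["portal_done"],
        captive_portal_present=lambda: not state["portal_done"],
    )
    states = [client.evaluate(now=0.0)]           # portal detected, timer starts
    states.append(client.evaluate(now=120.0))     # still inside the window
    states.append(client.evaluate(now=301.0))     # timer expired: fail closed or open
    state["portal_done"] = True                   # user finished the portal login
    states.append(client.evaluate(now=310.0))     # head end reachable again
    return states


if __name__ == "__main__":
    print("fail closed:", simulate_hotel_wifi(True))
    print("fail open:  ", simulate_hotel_wifi(False))
```

Note that the timer is not restarted while the portal is still present after expiry; only a successful tunnel clears it, so a user who ignores the portal ends up in the fail-closed state rather than with an indefinitely renewable window.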
Client Firewall Rules: Selective Local LAN Access (AnyConnect 2.5)

Utilizes the embedded OS firewall to configure Public (split-tunneling addresses on the physical adapter) and Private (virtual adapter) interface firewall rules
If the Public rules cannot be configured, the client reverts to tunneling ALL traffic
Firewall rules supported:
  Basic ACLs for IPv6
  Port rules for IPv4
  No application-based firewall rules
Windows XP SP2, Vista, Windows 7, and Mac OS X
Sample firewall allow options: local printing; tethered device (e.g. smartphone)
AnyConnect Secure Mobility Local LAN/Client Firewall, User Experience: User Indicator
Local LAN (Split Exclude); Client Firewall Rules (Local Printing)
AnyConnect Client Profile: Preferences (Cont.)
AnyConnect Secure Mobility Quarantine: Solution Benefits

Provides an indication to the user that posture assessment has failed
Leverages existing DAP functionality and a new "Quarantine" action on the ASA
Similar to the existing "Continue" action on the ASA, except for the notification sent to the client
The ASA applies restricted ACLs to the session based upon the selected DAP record; the endpoint is then in a restricted state and the user must take corrective action and remediate
Messages are administrator configurable
Posture Assessment and Quarantine: Failure to comply with endpoint policy

The administrator communicates why the end user is not being granted full network access.
DAP Quarantine messages are shown in the inline GUI banner.
Once rectified, the user needs to "Reconnect" to be re-evaluated.
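The quarantine flow on the two slides above (DAP record matches, a restrictive ACL is applied, the message lands in the client banner, and a Reconnect after remediation is re-evaluated), as an added example that is not ASA code. The posture attribute names, the DAP records, the ACL names, the banner text and the rule that the most restrictive action wins when several records match are all constructed for illustration.

```python
"""Dynamic Access Policy (DAP) evaluation with the "Quarantine" action from the
slide. Added example, not ASA code: endpoint attribute names, DAP records, ACL
names, messages and the aggregation rule are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Most restrictive action wins when several DAP records match (assumed ordering).
RESTRICTIVENESS = {"Terminate": 0, "Quarantine": 1, "Continue": 2}


@dataclass
class DapRecord:
    name: str
    priority: int                         # higher-priority ACLs are evaluated first
    conditions: Dict[str, object]         # posture attribute -> required value
    action: str = "Continue"              # Continue | Quarantine | Terminate
    network_acl: Optional[str] = None     # ACL the ASA attaches to the session
    user_message: str = ""                # shown in the client's inline banner

    def matches(self, endpoint: Dict[str, object]) -> bool:
        return all(endpoint.get(k) == v for k, v in self.conditions.items())


@dataclass
class SessionDecision:
    action: str
    acls: List[str] = field(default_factory=list)
    messages: List[str] = field(default_factory=list)


def evaluate_dap(records: List[DapRecord], endpoint: Dict[str, object]) -> SessionDecision:
    """Aggregate all matching records: most restrictive action, ACLs in priority
    order, and every matching record's message delivered to the client."""
    matched = sorted((r for r in records if r.matches(endpoint)), key=lambda r: -r.priority)
    if not matched:
        return SessionDecision(action="Continue")   # assumed default when nothing matches
    action = min((r.action for r in matched), key=RESTRICTIVENESS.__getitem__)
    acls = [r.network_acl for r in matched if r.network_acl]
    messages = [r.user_message for r in matched if r.user_message]
    return SessionDecision(action, acls, messages)


# Constructed DAP records. The quarantine record carries the highest priority so
# its restrictive ACL (which should end in an explicit deny) is evaluated before
# any permissive ACL contributed by a lower-priority record.
DAP_RECORDS = [
    DapRecord("AV-Not-Running", 10, {"antivirus_running": False}, "Quarantine",
              "ACL-REMEDIATION-ONLY",
              "Antivirus is not running. Start it, then click Reconnect to be re-evaluated."),
    DapRecord("Managed-Corporate-Host", 5, {"domain_joined": True}, "Continue",
              "ACL-FULL-ACCESS"),
    DapRecord("Unmanaged-Host", 1, {"domain_joined": False}, "Terminate", None,
              "Only managed devices may connect."),
]


def connect(endpoint: Dict[str, object]) -> SessionDecision:
    """What the ASA does with a session for this posture (constructed entry point)."""
    return evaluate_dap(DAP_RECORDS, endpoint)


if __name__ == "__main__":
    laptop = {"domain_joined": True, "antivirus_running": False}
    first = connect(laptop)                       # quarantined, banner explains why
    print(first.action, first.acls, first.messages)
    laptop["antivirus_running"] = True            # user remediates and clicks Reconnect
    again = connect(laptop)
    print(again.action, again.acls)
```

A host that reports no posture attributes at all matches none of these records and falls through to the default "Continue" with no ACL; if absent posture should not mean full access, the default record needs its own restrictive ACL.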
Cisco Secure Remote Access: Optimal Gateway Selection

Connects to the most optimal head-end: an HTTPS request to each candidate gateway (Los Angeles, New York, Boston, London), approximated by the fastest round-trip time.

[Diagram: the client times each gateway several times (values between 23 ms and 35 ms on the slide) and selects the gateway with the lowest time, 23 ms.]

Feature Parameters:
Suspension Time Threshold (hours)
Performance Improvement Threshold (%)
Optimal Gateway Selection: User Indicator
Gateway selections are found in the AnyConnect Client Profile
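The selection logic behind the slides above, as an added example that is not AnyConnect's implementation: rank head ends by measured HTTPS round-trip time, then re-select only when the Suspension Time Threshold has elapsed and the best candidate beats the current gateway by more than the Performance Improvement Threshold. The gateway names are the slide's cities; the probe mechanism, the default threshold values, the use of a median over three probes and the RTT samples are constructed.

```python
"""Optimal Gateway Selection (OGS): rank head ends by HTTPS round-trip time and
switch only when the gain beats the Performance Improvement Threshold after the
Suspension Time Threshold has passed. Added example, not AnyConnect's code: the
probe mechanism, default thresholds and RTT samples are constructed."""
import statistics
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class OgsSettings:
    suspension_time_hours: float = 4.0            # do not re-select before this
    performance_improvement_pct: float = 20.0     # needed to abandon the current gateway
    probes_per_gateway: int = 3


@dataclass
class GatewaySelector:
    settings: OgsSettings
    measure_rtt_ms: Callable[[str], float]    # one HTTPS request RTT (injected)
    current: Optional[str] = None
    selected_at_hours: Optional[float] = None

    def rank(self, gateways: List[str]) -> Dict[str, float]:
        """Median of several probes per gateway, so one slow sample cannot flip the choice."""
        n = self.settings.probes_per_gateway
        return {g: statistics.median([self.measure_rtt_ms(g) for _ in range(n)]) for g in gateways}

    def select(self, gateways: List[str], now_hours: float) -> str:
        rtts = self.rank(gateways)
        best = min(rtts, key=rtts.__getitem__)
        if self.current is None or self.current not in rtts:
            self.current, self.selected_at_hours = best, now_hours
            return best
        suspended = now_hours - self.selected_at_hours < self.settings.suspension_time_hours
        gain_pct = (rtts[self.current] - rtts[best]) / rtts[self.current] * 100.0
        if suspended or gain_pct < self.settings.performance_improvement_pct:
            return self.current       # stay: avoids flapping between near-equal gateways
        self.current, self.selected_at_hours = best, now_hours
        return best


def make_measurer(samples: Dict[str, List[float]]) -> Callable[[str], float]:
    """Replay constructed RTT samples in order; stands in for real HTTPS probes."""
    cursor = {g: 0 for g in samples}

    def measure(gateway: str) -> float:
        i = cursor[gateway]
        cursor[gateway] = (i + 1) % len(samples[gateway])
        return samples[gateway][i]

    return measure


def run_scenario() -> List[str]:
    """Constructed timeline: London wins, degrades, is replaced, then recovers slightly."""
    live: Dict[str, List[float]] = {
        "London": [23, 24, 23], "New York": [26, 25, 27], "Los Angeles": [25, 25, 26]}
    selector = GatewaySelector(OgsSettings(), make_measurer(live))
    chosen = [selector.select(list(live), now_hours=0.0)]      # London (23 ms)
    live["London"][:] = [40, 41, 40]                            # London degrades
    chosen.append(selector.select(list(live), now_hours=1.0))   # inside suspension: London
    chosen.append(selector.select(list(live), now_hours=5.0))   # 37.5% better: Los Angeles
    live["London"][:] = [24, 24, 24]                            # London recovers
    chosen.append(selector.select(list(live), now_hours=10.0))  # only 4% better: stay
    return chosen


if __name__ == "__main__":
    print(run_scenario())
```

The two thresholds do different jobs: the suspension time stops a client from re-probing and hopping during a transient blip, and the improvement percentage stops it from migrating between gateways whose latency differs by a few milliseconds.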
Cisco AnyConnect Secure Mobility: ASA–WSA Communication

1. AnyConnect authenticates and establishes a VPN tunnel to the ASA
2. ASA extracts the username from the certificate or the AAA server
3. ASA forwards the username and tunneled IP address to the WSA across an SSL connection
4. WSA verifies the username and group membership against Active Directory (LDAP, NTLMSSP, Basic)
5. WSA applies policies based on username or group membership

[Diagram: the user authenticates to the Adaptive Security Appliance and the VPN tunnel is established; the ASA sends user identity and tunneled IP to the Web Security Appliance; the WSA performs user and group authentication against Active Directory and authorizes requests to destinations such as news, email and facebook.com.]
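The five-step handoff above, as an added example that is not Cisco's ASA/WSA SSO protocol: the ASA pushes (username, tunneled IP) bindings, the WSA resolves group membership and decides each web request by its tunneled source address, and the binding is dropped when the tunnel goes down so the next user of that pool address does not inherit the previous user's identity. The directory, the group-to-category policy table, the usernames, the IP addresses and the request sequence are constructed.

```python
"""ASA-to-WSA identity handoff: the ASA pushes (username, tunneled IP) bindings
to the WSA, which resolves AD group membership and applies web policy by source
IP with no second login. Added example, not Cisco's ASA/WSA SSO protocol: the
directory, policy table, usernames, addresses and request log are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Stand-in for the WSA's Active Directory lookup (constructed).
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "Engineering"},
    "bob": {"Domain Users", "Marketing"},
    "carol": {"Domain Users", "Engineering"},
}

# Group -> blocked URL categories (constructed WSA access policy).
BLOCKED_BY_GROUP: Dict[str, Set[str]] = {
    "Domain Users": {"Malware Sites"},
    "Marketing": {"Social Networking"},
}


@dataclass
class IdentityTable:
    """Bindings the ASA sends over its SSL connection to the WSA."""
    by_ip: Dict[str, str] = field(default_factory=dict)

    def tunnel_up(self, username: str, tunneled_ip: str) -> None:
        self.by_ip[tunneled_ip] = username

    def tunnel_down(self, tunneled_ip: str) -> None:
        # The address returns to the VPN pool; a stale binding would let the
        # next user of that address inherit this user's identity and policy.
        self.by_ip.pop(tunneled_ip, None)


def decide(table: IdentityTable, src_ip: str, category: str) -> str:
    """WSA decision for one request, keyed on the tunneled source address."""
    user = table.by_ip.get(src_ip)
    if user is None:
        return "AUTH_REQUIRED"    # unknown source: fall back to NTLMSSP/LDAP/Basic
    groups = AD_GROUPS.get(user, set())
    blocked = set().union(*(BLOCKED_BY_GROUP.get(g, set()) for g in groups))
    return "BLOCK" if category in blocked else "ALLOW"


def run_scenario() -> List[str]:
    """Constructed sequence of tunnel events and requests (facebook.com = Social Networking)."""
    table = IdentityTable()
    table.tunnel_up("alice", "10.10.10.5")
    table.tunnel_up("bob", "10.10.10.6")
    out = [decide(table, "10.10.10.5", "Social Networking"),   # alice: ALLOW
           decide(table, "10.10.10.6", "Social Networking")]   # bob: BLOCK
    table.tunnel_down("10.10.10.6")                             # bob disconnects
    out.append(decide(table, "10.10.10.6", "News"))             # AUTH_REQUIRED
    table.tunnel_up("carol", "10.10.10.6")                      # pool address reused
    out.append(decide(table, "10.10.10.6", "Social Networking"))  # carol: ALLOW
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The last two steps are the point of keeping the ASA's tunnel-down notification in sync with the WSA: without `tunnel_down`, carol's first request from the reused address would have been judged as bob.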
Next Generation Web Controls, Extended with Whitney

Rich AUP Controls
List-based URL Filtering
User Identity
Time-Based Controls
Dynamic URL Filtering
Bandwidth Controls
Application Control
Collaboration Control

[Diagram groups these controls as Current versus added with Whitney.]
SaaS Single Sign-On
Extending Security and Control to SaaS: Identity Integration with SAML-Enabled Gateway

• Usability: Sign into SaaS applications using the same AD credentials
• Security: Zero-day revocation of SaaS permissions
• Simplicity: Integrated SAML Identity Provider

[Diagram: internal users and remote users at the enterprise edge authenticate against AD / user directory; the SAML-enabled gateway asserts their identity to the SaaS application.]
SaaS Access Control: How it works
Step-by-step process diagram of user authentication to the WSA, and of the WSA authenticating to the SaaS application on the user's behalf. In this case the "Partner" is the WSA.
Deployment Options
Explicit / Transparent Comparison

                                     Explicit          Transparent
Server-Side Deployment Team             +
PAC / GPO / WPAD / Proxy Settings       +
Network Deployment Team                                    +
WCCP / Policy-Based Routing                                +
Seamless to End User                    +                  +
Fault-Tolerance                         +                  +
Load-Balancing                          +                  +
Authentication                   Proxy aware (+)    Auth redirect (-)
Unknown Web Apps                        -                  +
AnyConnect Secure Mobility: Deployment Options

Transparent Proxy
  a. Single ASA for Internet egress: WCCP on ASA, or WCCP on router
  b. Dedicated ASA for VPN, alternate egress point: WCCP on router, or WCCP on egress ASA
Explicit Proxy
Transparent Redirection – Single ASA (WCCP on Router)

Transparent proxy requires a WCCP-enabled router, which removes the requirement for AnyConnect users to configure their browser with a web proxy. Their target URL request is automatically redirected to the WSA for policy enforcement.

ASA Config:
route inside 10.10.10.0 255.0.0.0 192.168.1.2
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled

The tunneled keyword restricts that default route to traffic that arrived over a VPN tunnel, so decrypted AnyConnect traffic is steered toward the WCCP router while the ASA's ordinary default route still serves everything else.

IOS Config:
ip wccp 80 redirect-list redirect-acl
interface eth0
 ip wccp 80 redirect in
Transparent Redirection – Single ASA (WCCP on ASA)

Here the ASA itself is the WCCP redirector, so no WCCP-enabled router is needed; AnyConnect users still do not configure a browser proxy, and their target URL requests are automatically redirected to the WSA for policy enforcement.

ASA Config:
route inside 10.10.10.0 255.0.0.0 192.168.1.2
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
wccp 80 redirect-list redirect-acl
wccp interface inside 80 redirect in
Explicit Proxy Redirection
Explicit Proxy Mode requires AnyConnect users to know about the proxy
configuration and in some cases define the appropriate proxy settings in
their browser application.
AnyConnect Secure Mobility Solution
Q and A