secure borderless

Posted on 13-Nov-2014


Securing Borderless Networks

BRKSEC-2000

2012 Cisco and/or its affiliates. All rights reserved.

Cisco Public

2

Christopher Heffner, CCIE #8211
Security Consulting Engineer
chheffne@cisco.com


Housekeeping

We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday.
Please remember this is a 'non-smoking' venue!
Please set your mobile phones to stun mode.
Please make use of the recycling bins provided.
Please remember to wear your badge at all times.
NO discussions on future products.
Please remember your NDAs when asking questions.


Session Abstract

This session will explain the security technology behind Cisco Borderless Networks. We will compare and contrast the networks of yesterday versus today and the issues that network and security administrators face with these evolving networks. A business case will be presented to introduce common network security challenges and how Borderless Network technology solves them. The technologies covered include Secure Mobility, Web and Email Security, AnyConnect SSL VPN, user and device authorization, Network Device Profiling, supplicant agents, posture assessment, Guest Access, Security Group Access (SGA), and IEEE 802.1AE (MacSec).

Session Objectives

At the end of the session, you should understand:

The Cisco Borderless Network Architecture
The technology that makes up the Borderless Networks portfolio, including Cisco Firewall, IPS, and Content Security
How to design and implement Secure Mobility
Benefits of TrustSec and MacSec technologies

You should also:

Have questions for the Q&A section of the session
Provide us with feedback via the Cisco Live online survey
Attend related sessions that interest you


Agenda

Networks of Yesterday
Networks of Today
Borderless Networks: What does that mean?
Case Study: Future Healthcare
Cisco AnyConnect Secure Mobility Design
Cisco TrustSec Design
Q&A


Networks of Yesterday


Network Security of Yesterday

Corporate Assets
Corporate Connectivity
Limited Remote Connectivity
Employees Only Access
Routers, Firewalls, Switches


Network Security Policy Yesterday: Secure Access Control

Authentication
Authorization
Accounting


Networks of Today


Network Security of Today

Corporate and Commercialized Assets
Corporate, Partner, Public, Cloud Connectivity
Employees, Contractors and Guests Access
Routers, Switches, Firewalls, IPS
Virtualized Data Centers
ISE, NAC, Posture Control
Wireless Infrastructures
Email and Web Security
Unified Communications
Mobile Smart Devices: The iRevolution

Network Security Policy Today

Who are you? Employee, Partner, Contractor, Guest
What are you doing? Data Entry, Accessing HR Records, Accessing Payroll
Where are you going? Intranet, Extranet, Internet, Cloud Services
When are you connecting? 8am-5pm, After Hours, Weekends
How are you connecting? Corporate Wired, Corporate Wireless, Public Wireless, Hotel Guest Network, Home Network

Borderless Networks Evolution

Self-Defending Networks
SAFE Blueprints
Borderless Networks Architecture


Self-Defending Networks

Network and Endpoint Security
Content Security
Application Security
System Management and Control


SAFE Blueprints

SAFE Small Business
SAFE Medium Business
SAFE Enterprise Business
SAFE Remote
SAFE Campus
SAFE Data Center
SAFE Internet
SAFE Wide Area Network


Borderless Networks Architecture

What it is: an architecture for secure connectivity of any device, any place, any time.

What it does (its vision): provides a consistent user experience and security policies on any device, any place, at any time.

What it does (business benefit): simplifies secure connections to resources and improves workforce productivity through flexibility.

Borderless Networks Architecture: Technology Benefit

Borderless Networks transforms the way IT governs networks by linking users, devices, applications, and business processes together.

Value Proposition: Cisco Borderless Networks securely, reliably, and seamlessly connects people, information, and devices.


Borderless Networks Design Benefits: Accelerates Business Innovation and Transformation

Secure: risk mitigation to protect corporate assets and data
Reliable: business continuity
Seamless: productivity-driven growth


Borderless Networks Design Elements

Architecture for Agile Delivery of the Borderless Experience: Securely, Reliably, Seamlessly

BORDERLESS ENDPOINT/USER SERVICES: AnyConnect
POLICY MANAGEMENT
CISCO SMART SERVICES
CISCO LIFECYCLE SERVICES
APIs

BORDERLESS NETWORK SERVICES:
  Mobility: Motion
  Energy Management: EnergyWise
  Security: TrustSec
  App Performance: App Velocity
  Multimedia Optimization: Medianet

BORDERLESS NETWORK SYSTEMS:
  Unified Access
  Core Fabric
  Extended Edge
  Extended Cloud

BORDERLESS INFRASTRUCTURE:
  Wireless
  Routing
  Switching
  Application Networking/Optimization
  Security


Case Study: Future HealthCare

Future HealthCare IT Network Issues

Employees need secure remote access to corporate intranet and email systems
Doctors need secure remote access to patient information and email systems
Doctors want access to patient data and the internet
Employees want access to the internet and email
Patients want access to the internet and web mail
CTO has security and regulation requirements
CSO needs prevention of email spear-phishing attacks
IT needs corporate devices kept secure while still providing network access to commercialized mobile devices

Secure Remote Access

Question: How does IT provide employees secure remote access to corporate intranet and email systems?

Answer: Virtual Private Networks (VPNs), typically IPsec and/or SSL VPN tunnel connections, terminated on Firewalls, Routers and IPS

Issues: Full Tunneling, Split Tunneling, Internet Access

Cisco AnyConnect Secure Mobility: The New Answer

Question: How does IT provide employees secure remote access to corporate intranet and email systems?

Answer: Cisco AnyConnect Secure Mobility


Cisco AnyConnect Secure Mobility: What is it and How Does it Work?

The AnyConnect SSL VPN client software connects to the corporate ASA Firewall VPN endpoint.
The ASA group policy configuration enforces the full tunneling option only (no split tunnel).
The "route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled" command points all decrypted VPN traffic to the inside endpoint.
The inside endpoint (router or L3 switch) redirects that traffic back to the ASA using its default route.
The ASA WCCP configuration then redirects the web traffic to the IronPort Web Security Appliance for proxy services.
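The following ASA 8.3 configuration is an added example that puts the five steps above into commands; it is not taken from the presentation or from Cisco documentation, and it also shows the full-tunnel setting that answers the full versus split tunneling issue raised on the Secure Remote Access slide. Every object name, pool, and address (the 10.1.1.254 inside L3 switch, the 10.1.2.20 WSA, the 192.168.100.0/24 client pool, the 203.0.113.1 ISP next hop, the AnyConnect package file name) is constructed for illustration and must be replaced with real values.

```cisco
! Added example (not from the BRKSEC-2000 slides): ASA 8.3 configuration for
! the AnyConnect Secure Mobility traffic flow. All names and addresses below
! are constructed placeholders:
!   10.1.1.254        inside L3 switch / router (the "inside endpoint")
!   10.1.2.20         IronPort WSA on the inside network
!   192.168.100.0/24  AnyConnect client address pool
!   203.0.113.1       ISP next hop on the outside interface

! 1. Address pool handed to AnyConnect clients
ip local pool ANYCONNECT-POOL 192.168.100.10-192.168.100.250 mask 255.255.255.0

! 2. Group policy: SSL VPN client (svc) only, full tunnel only.
!    "tunnelall" is the setting the slide calls "No Split Tunnel"; the
!    tunnelspecified / excludespecified keywords would create a split tunnel
!    and are deliberately not used, so the client cannot reach the Internet
!    except through the corporate proxy path.
group-policy SECURE-MOBILITY-GP internal
group-policy SECURE-MOBILITY-GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 address-pools value ANYCONNECT-POOL

! 3. Tunnel group that AnyConnect users land in
tunnel-group SECURE-MOBILITY-TG type remote-access
tunnel-group SECURE-MOBILITY-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy SECURE-MOBILITY-GP
tunnel-group SECURE-MOBILITY-TG webvpn-attributes
 group-alias SecureMobility enable

! 4. Enable the SSL VPN service on the outside interface. The AnyConnect
!    package must already be on flash; the file name is a placeholder.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.PLACEHOLDER-k9.pkg 1
 svc enable

! 5. Routing. The ordinary default route sends traffic to the ISP. The
!    "tunneled" default route applies only to decrypted VPN traffic and
!    hands it to the inside L3 switch, whose own default route points back
!    at the ASA inside interface. The client traffic therefore re-enters the
!    ASA on "inside", which is where the WCCP redirect below can act on it.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside  0.0.0.0 0.0.0.0 10.1.1.254 tunneled

! 6. WCCP: redirect HTTP from the VPN pool arriving on "inside" to the WSA.
!    web-cache is the standard WCCP service for TCP/80; redirecting HTTPS
!    needs a dynamic service number agreed with the WSA and is not shown.
access-list WCCP-REDIRECT extended permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list WCCP-SERVERS extended permit ip host 10.1.2.20 any
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS
wccp interface inside web-cache redirect in

! Not shown: NAT of the client pool to the outside interface for Internet
! egress, and the interface access-lists that permit the redirected flows.
```

To confirm the path behaves as intended, "show route" should list the tunneled default route alongside the normal one, "show vpn-sessiondb svc" shows the connected AnyConnect sessions and the pool address each received, and "show wccp" reports whether the WSA has registered as a cache engine and how many packets have been redirected. If the redirect counters stay at zero while clients browse, the usual cause is that the return traffic from the inside endpoint is not actually arriving on the inside interface, so check the L3 switch's default route first.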


Cisco AnyConnect Secure Mobility

Cisco AnyConnect 2.5

Cisco ASA 8.3

Cisco IronPort WSA 7.0


Cisco Secure Mobility: Licensing Requirements

Cisco ASA Firewall SSL VPN Peer Licenses, based on remote user count
AnyConnect Essentials or Premium License
AnyConnect for Mobile License