Announcement of new Cisco security solutions from Interop 2014:
- Cisco ISE 1.3
- AnyConnect 4.0
- Cyber Threat Defense 2.0
- new partners in the pxGrid ecosystem
1. Cisco Security Q1FY15 Launch
Context-aware control in the enterprise network
(Secure access and mobility) + Cyber Threat Defense (CTD)
Alexey Lukatsky
06/10/14
4. Cisco ISE: the core of the Cisco security architecture
ISE provides visibility, context and control across the entire attack lifecycle
[Slide diagram: attack lifecycle]
BEFORE: Control, Enforce policies, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Products mapped onto the lifecycle: Firewall, NGFW, VPN, UTM, NGIPS, Web + Email Security, advanced malware protection, network behavior analysis, IAM services + NAC, pxGrid + TrustSec
13. Cisco AnyConnect 4.0
Extending context-aware control to remote access
[Slide diagram: access services: Context, Compliance, Connection, Security]
Unified agent for Cisco ISE
Delivers multiple security services
For multiple access methods
GOALS:
* Introduce and position Identity Services Engine (ISE) 1.3 as the market leader in securing access for wired, wireless and remote connected devices
* Promote ISE’s revamped Guest Access and Enterprise Mobility onboarding as superior and competitive offerings for improving end user experience and reducing IT support costs
* Launch ISE as a context-sharing platform that provides improved visibility, threat remediation and compliance through integration with best in class network, mobility and security partners
* Introduce Cyber Threat Defense v2.0 to sales, partners, and the market at large
* Demonstrate how CTD 2.0 can drive EN refresh opportunities
* Increase the deal size by integrating security technologies into the overall opportunity
Customer Care-abouts:
* Cisco and partner security technologies fully integrated into a next-gen network infrastructure increase an organization’s overall resiliency to cyber threats
* Securely enable remote, guest, and internal resources with increased visibility and control over network activity
* Quickly identify and mitigate cyber threats before they affect customer organizations
Takeaway: More connected devices on the network – however they connect – expands the surface that enterprises need to protect from attack.
Ever since we first started networking, we started controlling who and what had access.
The first generation was easy: we had corporate-managed endpoints, so we had greater control over the devices and users accessing the network and over how they accessed it, and we configured accordingly.
Then we started recognizing the need to let guests onto the network. Maybe they were visitors, contractors or vendors, but they needed access in order to do their job as more and more resources were networked or in the cloud. There was some control, but primarily these guests were either given carte blanche access (networks were simply opened up to accommodate the additional users who needed network resources) or were put on a separate SSID (which limited their access to network resources).
Growing BYOD trends (e.g., employees’ desires, financial pressures, mobility needs) created pressure on enterprises and their IT staffs to accommodate the onboarding of many new consumer phones and devices onto their networks. Who gets access to what? Also, are these devices secured? They’re not managed and provisioned by IT anymore… IoT is the latest business trend where more and more network-enabled devices are launching every day.
Ultimately, as more and more devices have become network enabled and as more and more work resources are networked and/or in the cloud, the attack surface for enterprises has expanded exponentially out of their control. The need to efficiently and consistently secure access for employees is paramount in a mobile, networked world
CISCO SECURITY NOW HAS THE INDUSTRY’S MOST COMPREHENSIVE ADVANCED THREAT PROTECTION COVERING THE ENTIRE ATTACK CONTINUUM AND THE INDUSTRY’S BROADEST SET OF ENFORCEMENT AND REMEDIATION OPTIONS AT ATTACK VECTORS WHERE THREATS MANIFEST.
And Cisco ISE is a core component for the entire Security Product portfolio – providing the visibility, context, and control needed by enterprises to effectively implement security across the entire attack continuum.
Considering that 50-75% of breaches or malware attacks stem from inside the organization, Cisco ISE plays a large part here: it not only provides the RIGHT level of secure access to the RIGHT people at the RIGHT times BEFORE an attack, but can also leverage its pxGrid / SIEM / threat-defense integrations to ensure that people and devices behave appropriately in order to keep their access to those resources.
Visibility into potential threats or unauthorized access…Context to provide granular data about users, devices, location, etc.,…and Control to allow administrators to easily take control of the situation – whether through ISE or physically.
(1) Theme – Better Visibility + Context More Accurate Identification Easier Onboarding + Greater Security + Consistent Secure Access Policy
(2) Cisco ISE is able to uniquely provide the following:
Unified Secure Access Control by centralizing and streamlining network access policy creation and management within ISE that permits consistent secure network access for end-users, regardless of how they connect (e.g., wired, wireless, VPN).
Superior Visibility into all users and connected devices (e.g., endpoints, mobile devices, security cameras, printers) on a network that allows for more accurate identification of users/devices and easier user/device onboarding.
A Robust Context-Sharing Platform, collecting large amounts of contextual information from wide and varied sources (including, for example, Mobile Data Management (MDM), Security Information and Event Management (SIEM), identity stores, and device agents), that permit ISE to prevent inappropriate access and detect and minimize the spread of network threats across the network.
(3) Real-life Customer Use Case: On college campuses, university IT administrators leverage ISE to support their demanding and extreme BYOD environment (potentially more devices per person than the norm, when you consider all the network-enabled gadgets). With ISE, all devices are accurately identified, profiled, and then onboarded easily. Both students and faculty get access to the resources they need, students are blocked from faculty resources, and IT spends less time supporting the BYOD programs.
(4) Talking Points:
Cisco is the #1 Market Leader in NAC with 5,000+ customers managing more than 18,000,000 endpoints.
Cisco (and ISE) recognized by Gartner again as a leader in the Magic Quadrant for NAC. The most recent report demonstrated improvement on our position (“up and to the right”) in the leaders quadrant from 2012.
- Connect to up to 50 Completely Disparate Active Directory Forests
- Search up to 2,000 Domains Across the Enterprise*
- Easily Support M&As and Business Changes Through:
1) Active Directory Scopes
2) Ambiguous Identity Resolution
3) Authentication Domains
- Eliminate Need for 2-way Domain Trust
This scale is important for organizations who may have many branch locations or who have gone through many acquisitions and now have multiple Active Directories to contend with since we can easily scale to handle these trusted queries as well as resolve any ambiguous or duplicated identity (e.g., usernames).
Scale to Handle the Most Demanding Enterprise Environments
Description: With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises by scaling to 50 disparate, connected Active Directory "forests", eliminating the need for a two-way trust relationship between domains and leveraging advanced algorithms for dealing with identical usernames.
Customer Value: Allows organizations to deploy Cisco Identity Services Engine within large Enterprise networks, especially those with multiple ADs for branches or from M&A activities.
Cisco Field Value: Greatly increases the Identity Services engine scale to meet the demands of our largest customers.
Portal themes can be built with jQuery Mobile ThemeRoller: http://themeroller.jquerymobile.com/
Guest Access with new Admin Work Centers
Guest Access will deliver a simplified user interface to set-up guest access policies and processes designed to quickly and easily on-board guest devices while at the same time assuring compliance. This Guest access can be applied to multiple types of guests, including:
Visitors (Access the network for brief periods of time)
Guests (Access the network for more than a few hours)
Partners (Access the network for multiple days)
Contractors (Access the network for weeks to months)
The Guest access capabilities are completely customizable to allow the organization to maintain their brand on guest access portals with a consistent look and feel that aligns to other corporate assets.
ISE 1.3 also streamlines the self-service portal with approvals allowing a guest to request a guest account and require a sponsor to approve the account before the guest receives credentials. It also delivers the ability to view, create, update and suspend guest credentials via REST API.
Customer Value: Improves the usability and increases the features and functionality of the Cisco Identity Services Engine.
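An added example of the sponsor-side guest lifecycle that the REST API above enables (create, look up, suspend). This is illustration code written for this page, not Cisco's or ISE's own code. It targets the ERS guest-user resource (/ers/config/guestuser on TCP 9060, HTTP Basic authentication with a sponsor account). The hostname, sponsor credentials, portal and guest-type identifiers are placeholders, the "2.0" in the vendor media type is an assumption to check against the API reference for the release in use, and the response being parsed is a constructed sample so that the block runs offline.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

ISE_HOST = "ise.example.net"            # assumed PAN hostname
ERS_PORT = 9060                         # ERS listens on TCP 9060
BASE = f"https://{ISE_HOST}:{ERS_PORT}/ers/config/guestuser"
NS = "identity.ers.ise.cisco.com"       # ERS identity namespace
# Vendor media type for the guest-user resource; the "2.0" version is an
# assumption, verify it against the API reference for your ISE release.
GUEST_MEDIA = "application/vnd.com.cisco.ise.identity.guestuser.2.0+xml"
ET.register_namespace("ers", NS)


def ers_headers(sponsor, password):
    """ERS authenticates guest operations as a sponsor account via HTTP Basic."""
    token = base64.b64encode(f"{sponsor}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Accept": GUEST_MEDIA, "Content-Type": GUEST_MEDIA}


def create_guest_request(username, password, valid_days, portal_id, guest_type, sponsor):
    """Build (method, url, body) that creates a guest account valid for valid_days."""
    root = ET.Element(f"{{{NS}}}guestuser", {"name": username})
    info = ET.SubElement(root, "guestInfo")
    ET.SubElement(info, "userName").text = username
    ET.SubElement(info, "password").text = password
    ET.SubElement(info, "enabled").text = "true"
    access = ET.SubElement(root, "guestAccessInfo")
    ET.SubElement(access, "validDays").text = str(valid_days)
    ET.SubElement(root, "guestType").text = guest_type      # e.g. an assumed "Contractor" type
    ET.SubElement(root, "portalId").text = portal_id         # sponsor portal identifier (placeholder)
    ET.SubElement(root, "sponsorUserName").text = sponsor
    return "POST", BASE, ET.tostring(root, encoding="unicode")


def get_guest_request(guest_id):
    return "GET", f"{BASE}/{guest_id}", None


def suspend_guest_request(guest_id):
    """Suspension keeps the account but stops it from authenticating."""
    return "PUT", f"{BASE}/suspend/{guest_id}", None


def send(request, headers):
    """Send a built request over HTTPS; not called in this block, so it runs offline."""
    method, url, body = request
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def parse_guest(xml_text):
    """Extract the fields a sponsor tool needs from a guestuser GET response."""
    root = ET.fromstring(xml_text)
    info = root.find("guestInfo")
    return {
        "id": root.get("id"),
        "userName": info.findtext("userName"),
        "enabled": info.findtext("enabled") == "true",
        "validDays": int(root.findtext("guestAccessInfo/validDays")),
        "guestType": root.findtext("guestType"),
    }


# Constructed sample of a GET response (not captured from a real ISE).
SAMPLE_GET_RESPONSE = """<ns3:guestuser xmlns:ns3="identity.ers.ise.cisco.com" id="5f3c1e2a-0000-4000-8000-000000000001" name="ctr-jdoe">
  <guestAccessInfo><validDays>30</validDays></guestAccessInfo>
  <guestInfo><enabled>true</enabled><userName>ctr-jdoe</userName></guestInfo>
  <guestType>Contractor</guestType>
</ns3:guestuser>"""

if __name__ == "__main__":
    headers = ers_headers("sponsor1", "placeholder-password")
    print(create_guest_request("ctr-jdoe", "Pw-placeholder", 30, "portal-uuid", "Contractor", "sponsor1"))
    print(suspend_guest_request("5f3c1e2a-0000-4000-8000-000000000001"))
    print(parse_guest(SAMPLE_GET_RESPONSE))
```

The sponsor account used for the Basic credentials is what ERS authorizes against, so it should be a dedicated sponsor with only the guest types and portals it needs, and the calls must go over HTTPS with the ERS service enabled on the PAN.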
Enterprise-Class Guest Access with Minimal IT Investment
Easy to Set Up (10 minutes) with real-time previews and out-of-the-box guest workflows
Reduction in support calls via intuitive user engagement
Provide extension from secure guest access to secure enterprise mobility initiatives
Sophisticated, effortless user experiences
Immediate, self-service access for any level of user
Straightforward guest sponsor capability
Corporate branding via customizable portal creation
Integrated enterprise-wide security
Segmenting and securing corporate assets from guests
Comprehensive Guest visibility for security auditing and compliance
Broad security built into entire infrastructure
Cisco Field Value: Improved usability allows Cisco to offer a highly competitive guest access solution within competitive situations with Aruba and Ruckus (Our top Wireless competitors). Also delivers more compelling Policy story within our Cisco Unified Access solution story.
BYOD
New BYOD functionality delivers out-of-the-box workflows that walk users through the onboarding process. It delivers fully customizable user experience with themes and gives end-users control to add and manage their devices.
ISE 1.3 also simplifies the task of managing certificates for BYOD devices, reducing the complexity and expense of managing BYOD certificates through the Microsoft public key infrastructure. The ISE 1.3 Certificate Authority works either as a self-contained solution or in concert with an existing enterprise Public Key Infrastructure (PKI), simplifying BYOD deployments by managing endpoints and their certificates together. For example, when an endpoint is deleted, ISE deletes its certificate.
Streamlined threat Defense (For informational purposes only - Not Mobility-centric and will be launched separately to Security audience)
Description: The pxGrid functionality available within Cisco Identity Services Engine 1.3 allows for organizations to share and receive context from several systems simultaneously.
Customer Value: Allows organizations to leverage virtually every platform in the IT infrastructure to gain network-wide context and create and enforce policies based on that context. This allows them to have a more accurate view of threats to accelerate the remediation of business impacting problems.
Cisco Field Value: Allows Cisco to lead the way in combining multiple sources of information into a many-to-many sharing solution. It also increases Cisco's reach to further build our Security Partner Ecosystem.
IMPROVED DEVICE RECOGNITION: Superior, market-leading profiling technology and feed service reduce unknown devices, on average, by 74%
- This number was calculated based on the ISE Device Profile Feed Service and a sample of our participating deployments, who went down, on average, from 35% unknown devices to 9% - garnering a 74% reduction in unknown devices. (35-9)/35 = 74%
BRANDED EXPERIENCES: For guests, employees, and administrators across your pages, including banners and advertising.
Gives end-users control over managing all of their devices from just one easy-to-use self-service portal
OUT-OF-THE-BOX ONBOARDING:Accelerates user productivity through simplified device onboarding and easy, self-service device management
COMPREHENSIVE DEVICE SECURITY: Ensures OS and endpoint security is up-to-date, confirms device compliance, manages 3rd-party MDM
No need to rely on LDAP
Up to 50 connected Active Directory forests, up from a single AD join in previous versions. This is important for organizations that have many branch locations or have gone through many acquisitions and now have multiple Active Directories to contend with.
Increased Scale
Description: With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises by scaling to 50 disparate, connected Active Directory forests, eliminating the need for two-way trust relationships between domains and using advanced algorithms for dealing with identical usernames.
Customer Value: Allows organizations to deploy Cisco Identity Services Engine within large Enterprise networks.
Cisco Field Value: Greatly increases the Identity Services Engine scale to meet the demands of our largest customers.
On the previous slide we outlined how broadly applicable ISE is as a context/control platform across IT infrastructure. This requires the ability to share and receive context from a lot of systems…simultaneously. So how are we (Cisco) going to execute on that? pxGrid.
Build 1: Illustrates that most every platform in the IT infrastructure has information to share, but also information it needs to do its job better.
Build 2: The way the industry typically has platforms interface is via APIs. But that is typically for sharing specific pieces of info with specific systems.
Build 3 & 4: So having a bunch of systems integrate via disparate APIs, is a non-starter in many-to-many platform integration like we’re talking about here.
Build 5: pxGrid, on the other hand, enables exactly this sort of many-to-many sharing. It is a single context exchange framework that enables platforms to adopt once and share with many. This is what we’ll use to enable the ISE ecosystem, but it can also be used for any pxGrid adopting platform to share with any other pxGrid adopting platform. And, importantly, pxGrid allows the platforms to customize what specific pieces of information they want to share and with which specific systems. Thus it can share XYZ with System 1 and ABC with System 2…simultaneously. (This is the “direct, secured interfaces”).
Per-App VPN:
Access to network resources from mobile devices to only enterprise-approved applications reducing threats from non-approved applications
Offers secure access to business resources over VPN, consistent with on-premise user experience
Checks endpoints to ensure that they meet enterprise compliance requirements before entering network
Granular enablement of enterprise-approved applications from mobile endpoints
Customers can now achieve tighter security controls while enabling direct, secure, per-app access to corporate applications via remote mobile devices.
THEME: Visibility & Control for Remote Access
STORY: WIP
Streamlines remote access experience
Access enterprise mobile applications transparently
Offers secure access to business resources over VPN, consistent with on-premise user experience
Provides flexible deployment models for employees, contractors and partners
Extends Secure Access to Off-premise Endpoints (further reducing the attack surface)
Checks endpoints to ensure that they meet enterprise compliance requirements before entering network
Controls application access to network resources from mobile devices to only enterprise-approved applications reducing threats from non-approved applications– (with or without MDM software)
Granular enablement of enterprise-approved applications from mobile endpoints
Increases Visibility of Endpoints Off-premises
Shares endpoint context with the network to ensure more effective security operations
Simplifies secure remote access by leveraging role-based tagging (TrustSec)
Provides real time endpoint insight to IT to optimize the network
WHAT IT IS:
AnyConnect 4.0 enhanced features include:
- Per-App VPN (Android/iOS)
- Unified agent with ISE and TrustSec
Cisco AnyConnect 4.0 extends unified policy to off-premises mobile endpoints by securing remote access at the application-level through endpoint VPN. With Cisco AnyConnect, mobile endpoints are checked to ensure compliance before allowed access to the network, preventing compromised endpoints from gaining access to critical enterprise networks. Cisco AnyConnect 4.0 enables policy-defined, segmented access via Cisco TrustSec at the edge with the Cisco ASA. With Cisco, customers can now achieve tighter security controls while enabling direct, secure, per-app access to corporate applications via remote mobile iOS and Samsung Android devices.
The lifecycle of the AnyConnect/ISE posture agent starts with a change in the network.
Discovery starts when a network change is detected. For AnyConnect ISE Posture, the network change is a change of the default primary interface. Note that when a VPN is connected, the VPN always becomes the primary interface.
Some examples:
Use Case 1:
WiFi is connected
Connect LAN
If LAN is the primary, agent will restart discovery.
Use Case 2:
Wi-Fi and LAN are connected
Disconnect Wi-Fi
If LAN is the primary, agent will NOT restart discovery
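The discovery trigger described above, as an added model (illustration code written for this page, not AnyConnect or ISE code). It replays both use cases plus a VPN connect and disconnect, counting a discovery restart only when the default primary interface changes. The VPN-first rule is from the text; ranking wired ahead of Wi-Fi is an assumption that reproduces the two cases (a real host picks the primary interface by default-route metric), and losing every link is treated as a change to "no primary".

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed order in which an up interface becomes the default primary one.
# "VPN always becomes the primary interface" is stated on the page; wired
# ahead of Wi-Fi is an assumption that makes the two use cases come out as
# described (a real host decides this by default-route metric).
PRIORITY = {"vpn": 0, "lan": 1, "wifi": 2}


def primary_interface(connected):
    """Return the primary interface among the connected ones, or None if none are up."""
    return min(connected, key=PRIORITY.__getitem__) if connected else None


@dataclass
class PostureAgent:
    """Tracks link state and counts discovery restarts the way the text describes:
    discovery restarts only when the default primary interface changes."""
    connected: set = field(default_factory=set)
    primary: Optional[str] = None
    discovery_runs: int = 0

    def _reevaluate(self):
        new_primary = primary_interface(self.connected)
        restarted = new_primary != self.primary   # only a primary change triggers discovery
        self.primary = new_primary
        if restarted:
            self.discovery_runs += 1
        return restarted

    def connect(self, name):
        self.connected.add(name)
        return self._reevaluate()

    def disconnect(self, name):
        self.connected.discard(name)
        return self._reevaluate()


def trace(events):
    """Replay (action, interface) events and return (event, primary, restarted) per step."""
    agent = PostureAgent()
    steps = []
    for action, name in events:
        restarted = agent.connect(name) if action == "connect" else agent.disconnect(name)
        steps.append((f"{action} {name}", agent.primary, restarted))
    return steps


if __name__ == "__main__":
    for case in (
        [("connect", "wifi"), ("connect", "lan")],                          # use case 1
        [("connect", "wifi"), ("connect", "lan"), ("disconnect", "wifi")],  # use case 2
        [("connect", "lan"), ("connect", "vpn"), ("disconnect", "vpn")],    # VPN up, then down
    ):
        for step in trace(case):
            print(step)
        print()
```

The practical consequence for troubleshooting is visible in the third trace: bringing a VPN up and tearing it down each change the primary interface, so the agent runs discovery (and therefore posture) twice, whereas dropping a secondary link leaves the existing session untouched.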
Per Application VPN Access
Description: Allows an organization to choose and prioritize which mobile applications are tunneled through the VPN and by default which ones are carried through the cellular or local Wi-Fi network.
Customer Value: Provides more control to the organization, while improving performance of mobile applications by conserving corporate bandwidth.
Cisco Field Value: Allows Cisco to show how we can intelligently manage application traffic for remote, telecommuter and end-users on-the-move.
Per-App VPN: iOS 7 and later, Samsung Knox 2.0