Securing Borderless Networks
BRKSEC-2000
2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public

Christopher Heffner, CCIE #8211
Security Consulting Engineer
chheffne@cisco.com

Housekeeping
We value your feedback. Don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday.
Please remember this is a 'non-smoking' venue!
Please set your mobile phones to stun mode
Please make use of the recycling bins provided
Please remember to wear your badge at all times
NO discussions on future products
Please remember your NDAs when asking questions

Session Abstract
This session will explain the security technology behind Cisco Borderless Networks.
We will compare and contrast the networks of yesterday versus today and the issues that network and security administrators face with these evolving networks.
A business case will be presented to introduce common network security challenges and how Borderless Network technology solves them.
The technologies that will be covered include Secure Mobility, Web and Email Security, AnyConnect SSL VPN, user and device authorization, Network Device Profiling, supplicant agents, posture assessment, Guest Access, Security Group Access (SGA), and IEEE 802.1AE (MACSec).

Session Objectives
At the end of the session, you should understand:
The Cisco Borderless Network Architecture
The technology that makes up the Borderless Networks portfolio, including Cisco Firewall, IPS and Content Security
How to design and implement Secure Mobility
Benefits of TrustSec and MACSec technologies

You should also:
Have questions for the Q&A section of the session
Provide us with feedback via the Cisco Live online survey
Attend related sessions that interest you


Agenda
Networks of Yesterday
Networks of Today
Borderless Networks: What does that mean?
Case Study: Future Healthcare
Cisco AnyConnect Secure Mobility Design
Cisco TrustSec Design
Q&A


Networks of Yesterday


Network Security of Yesterday


Corporate Assets
Corporate Connectivity
Limited Remote Connectivity

Employees Only Access


Routers
Firewalls
Switches


Network Security Policy Yesterday


Secure Access Control

Authentication
Authorization
Accounting


Networks of Today


Network Security of Today
Corporate and Commercialized Assets
Corporate, Partner, Public, Cloud Connectivity
Employees, Contractors and Guests Access
Routers, Switches, Firewalls, IPS
Virtualized Data Centers
ISE, NAC, Posture Control
Wireless Infrastructures
Email and Web Security
Unified Communications
Mobile Smart Devices: The iRevolution

Network Security Policy Today


Who are you?
Employee, Partner, Contractor, Guest

What are you doing?


Data Entry, Access HR Records, Accessing Payroll

Where are you going?


Intranet, Extranet, Internet, Cloud Services

When are you connecting?


8am-5pm, After Hours, Weekends

How are you connecting?


Corporate Wired, Corporate Wireless, Public Wireless
Hotel Guest Network, Home Network

Borderless Networks Evolution
Self-Defending Networks
SAFE Blueprints
Borderless Networks Architecture


Self-Defending Networks
Network and Endpoint Security
Content Security
Application Security

System Management and Control


SAFE Blueprints
SAFE Small Business
SAFE Medium Business
SAFE Enterprise Business

SAFE Remote
SAFE Campus
SAFE Data Center
SAFE Internet
SAFE Wide Area Network


Borderless Networks Architecture


What it is:
Architecture for secure connectivity of:
Any Device
Any Place
Any Time

What it does (its vision):


Provides consistent user experience & security policies on any device, any place
at any time.

What it does (business benefit):


Simplifies Secure Connections to resources
Improves workforce productivity through flexibility.

Borderless Networks Architecture
Technology Benefit:
Borderless Networks transforms the way IT governs networks by linking users, devices, applications, and business processes together.
Value Proposition:
Cisco Borderless Networks securely, reliably, and seamlessly connects people, information, and devices.


Borderless Networks Design Benefits
Accelerates Business Innovation and Transformation
Secure: Risk mitigation to protect corporate assets and data
Reliable: Business continuity
Seamless: Productivity-driven growth


Borderless Networks Design Elements
Architecture for Agile Delivery of the Borderless Experience
(Layered architecture diagram; layers and labels as shown:)
Borderless Endpoint/User Services: Securely, Reliably, Seamlessly: AnyConnect
Policy
Management: Cisco Smart Services, Cisco Lifecycle Services
Borderless Network Services: Mobility (Motion), Security (TrustSec), Energy Management (EnergyWise), Multimedia Optimization (Medianet), App Performance (App Velocity)
Borderless Network Systems: Unified Access, Core Fabric, Extended Edge, Extended Cloud, APIs
Borderless Infrastructure: Wireless, Routing, Switching, Application Networking/Optimization, Security

Case Study: Future HealthCare

Future HealthCare IT Network Issues
Employees need secure remote access to corporate intranet and email systems
Doctors need secure remote access to patient information and email systems
Doctors want access to patient data and internet
Employees want access to the internet and email
Patients want access to the internet and web mail
CTO has security and regulation requirements
CSO needs prevention of email spear-phishing attacks
IT needs corporate devices secure while still providing network access to commercialized mobile devices

Secure Remote Access
Question:
How does IT provide employees secure remote access to corporate intranet and email systems?
Answer:
Virtual Private Networks (VPNs)
Typically IPSec and/or SSL VPN tunnel connections
Firewalls, Routers and IPS
Issues:
Full Tunneling
Split Tunneling
Internet Access

Cisco AnyConnect Secure Mobility


The New Answer

Question:
How does IT provide employees secure remote access to corporate intranet and
email systems?

Answer:
Cisco AnyConnect Secure Mobility


Cisco AnyConnect Secure Mobility
What is it and How Does it Work?
AnyConnect SSL VPN client software connects to the corporate ASA Firewall VPN endpoint.
The ASA group policy configuration enforces the full tunneling option only (no split tunnel).
Use the "route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled" command to point all VPN traffic to the inside endpoint.
The inside endpoint (router/L3 switch) redirects the traffic back to the ASA using its default route.
The ASA WCCP configuration then redirects the web traffic to the IronPort Web Security Appliance for proxy services.

Cisco AnyConnect Secure Mobility
(Topology diagram; components shown:)
Cisco AnyConnect 2.5
Cisco ASA 8.3
Cisco IronPort WSA 7.0

Cisco Secure Mobility
Licensing Requirements
Cisco ASA Firewall:
SSL VPN Peer Licenses based on remote user count
AnyConnect Essentials or Premium License
AnyConnect for Mobile License
Cisco IronPort Web Security Appliance:
AsyncOS version 7.x
Cisco Mobile User Security Feature Key License
Cisco AnyConnect VPN Client:
Version 3.0 or higher (recommended)

Features and Licensing Matrix:
Cisco AnyConnect Features
Columns: AnyConnect Ess Only | AnyConnect Ess + SM | AnyConnect Prem Only | AnyConnect Prem + SM
(The per-column check marks of the matrix were not captured in this text; the feature rows are:)
Auto headend detection
Tethered device support (phone synchronization)
Access to local printers through endpoint firewall rules
Always-on VPN
Fail-open and fail-close policy support
Captive portal
Clientless VPN
Cisco Secure Desktop
Quarantine indication if posture assessment fails
Web security
Ess = Essentials, Prem = Premium, SM = Secure Mobility

ASA Licensing
Show Version
ASA-5510# show version
....
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 100            perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Active  365 days
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        365 days
Security Contexts              : 2              perpetual
GTP/GPRS                       : Disabled       perpetual
SSL VPN Peers                  : 25             365 days
Total VPN Peers                : 250            perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Enabled        365 days
AnyConnect for Cisco VPN Phone : Enabled        365 days
AnyConnect Essentials          : Enabled        perpetual
Advanced Endpoint Assessment   : Enabled        365 days
UC Phone Proxy Sessions        : 26             365 days
Total UC Proxy Sessions        : 26             365 days
Botnet Traffic Filter          : Enabled        365 days
Intercompany Media Engine      : Disabled       perpetual
.

Cisco IronPort WSA Feature Keys


Cisco Mobile User Security License


Cisco Secure Mobility
Configuration
See the Cisco ASA Secure Mobility Configuration Appendix for a step-by-step ASDM configuration guide for setting up the Cisco AnyConnect SSL VPN network.

Configure Secure Mobility on ASA


IronPort WSA Mobile User Security Configuration

From ASDM Configuration > Remote Access VPN > Network (Client)
Access > Secure Mobility Solution
Click Add button
Choose Interface to communicate to WSA (typically Inside or DMZ interface)
IP Address of the WSA and Subnet Mask
Click OK
Make sure Enable Mobile User Security checkbox is enabled and the service
port is 11999 (default)
Set password to secure communications
Click Apply


Configure Secure Mobility on ASA


ASDM Configuration


Verify Secure Mobility on ASA


Show WSA Sessions


Configure Secure Mobility on WSA
WSA Identity Configuration
Login to Web Security Appliance
Navigate to Web Security Manager > Identities
Click Add Identities
Define Members by User Location: Remote Users Only
Define Members by Protocol: HTTP/HTTPS Only
Define Members by Authentication: Identify Users Transparently through Cisco ASA Integration
Authentication Surrogate for Transparent Proxy Mode: IP Address
Click Submit and Commit
Unique Access Policies can now be set for Remote Users

Configure Secure Mobility on WSA


WSA Configuration


Configure WCCP Access Lists on ASA
Access Lists Configuration Example
Configure access list for WCCP appliance:
access-list WSA extended permit ip host 10.1.1.15 any
Configure access list for redirected proxy traffic:
access-list WSA-Redirect extended deny ip host 10.1.1.15 any
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq www
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq https
Assign the redirect proxy traffic to the WCCP appliance:
wccp 90 redirect-list WSA-Redirect group-list WSA
wccp interface inside 90 redirect in
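The packet path described under "What is it and How Does it Work?" ends at this inbound WCCP redirect on the inside interface, so the access lists above are what decide which hairpinned VPN packets reach the WSA. As an added example (not Cisco's code and not from the deck), the following Python parses the page's own access-list lines with ASA first-match semantics and evaluates constructed sample packets; the VPN pool client 10.1.254.10, the LAN host 10.1.2.5 and the web server 198.51.100.20 are made-up values.

```python
"""WCCP redirect decision for the ASA access lists on this page.

Added example (not Cisco code, not from the deck). It parses the page's own
access-list lines with ASA first-match semantics and shows which packets
arriving inbound on the inside interface service group 90 would redirect
to the WSA. Sample packets and the 198.51.100.20 web server are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four lines exactly as configured on the slide.
ASA_CONFIG = """
access-list WSA extended permit ip host 10.1.1.15 any
access-list WSA-Redirect extended deny ip host 10.1.1.15 any
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq www
access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq https
"""

# ASA accepts these names in place of numeric ports.
NAMED_PORTS = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs take a real subnet mask here, not the IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Group 'access-list NAME extended ...' lines by name, keeping configured order."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        dport: Optional[int] = None
        if rest[:1] == ["eq"]:
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def acl_permits(aces: List[Ace], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


ACLS = parse_acls(ASA_CONFIG)


def wccp_redirects(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """'wccp 90 redirect-list WSA-Redirect': a permit means the packet goes to the WSA."""
    return acl_permits(ACLS["WSA-Redirect"], src_ip, dst_ip, proto, dport)


def is_wccp_peer(ip: str) -> bool:
    """'group-list WSA': only this host may join service group 90 as the cache engine."""
    return acl_permits(ACLS["WSA"], ip, "0.0.0.0", "ip", 0)


if __name__ == "__main__":
    samples = [
        ("10.1.254.10", "198.51.100.20", "tcp", 80),   # VPN pool client hairpinned back in
        ("10.1.254.10", "198.51.100.20", "tcp", 443),
        ("10.1.254.10", "198.51.100.20", "tcp", 22),   # SSH: not web, not redirected
        ("10.1.1.15", "198.51.100.20", "tcp", 80),     # the WSA itself: the deny avoids a loop
        ("10.1.2.5", "198.51.100.20", "tcp", 80),      # LAN host outside the VPN pool
    ]
    for pkt in samples:
        print(pkt, "-> redirect to WSA" if wccp_redirects(*pkt) else "-> forward normally")
```

The leading deny for the WSA's own address is what keeps the proxy's outbound fetches from being redirected back to itself.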

Configure WCCP Service Groups on ASA


Cisco ASDM Configuration

From ASDM Configuration > Device Management > Advanced > WCCP
> Service Groups
Click Add button
Service: Dynamic Service Number: 90
Options: Redirect List: WSA-Redirect
Options: Group List: WSA
Click OK


Cisco WCCP Service Groups on ASA


Cisco ASDM Example


Configure WCCP Redirection on ASA


Cisco ASDM Configuration

From ASDM Configuration > Device Management > Advanced > WCCP
> Redirection
Click Add button
Interface: Inside
Service Group: 90
Click OK
Click Apply
Click Save


Cisco WCCP Service Groups on ASA


Cisco ASDM Example


Cisco ASA 5500 Series Portfolio
Comprehensive Solutions from SOHO to the Data Center
(Chart of the lineup by performance and scalability across SOHO, Branch Office, Internet Edge, Campus and Data Center; Multi-Service (Firewall/VPN and IPS) models are set apart from Firewall/VPN Only models, and NEW marks the 5500-X models. Throughput and connections per second as labelled:)
ASA 5505 (150 Mbps, 4K cps)
ASA 5510 (300 Mbps, 9K cps)
ASA 5512-X (1 Gbps, 10K cps) NEW
ASA 5515-X (1.2 Gbps, 15K cps) NEW
ASA 5520 (450 Mbps, 12K cps)
ASA 5525-X (2 Gbps, 20K cps) NEW
ASA 5540 (650 Mbps, 25K cps)
ASA 5545-X (3 Gbps, 30K cps) NEW
ASA 5550 (1.2 Gbps, 36K cps)
ASA 5555-X (4 Gbps, 50K cps) NEW
ASA 5585-X SSP-10 (4 Gbps, 50K cps)
ASA 5585-X SSP-20 (10 Gbps, 125K cps)
ASA 5585-X SSP-40 (20 Gbps, 200K cps)
ASA 5585-X SSP-60 (40 Gbps, 350K cps)

Cisco ASA 5500 Series Product Lineup
Mid-Range Solutions
Specification | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Typical Deployment | SOHO | Branch Office | Internet Edge | Internet Edge | Data Center
Performance:
Max Firewall | 150 Mbps | 300 Mbps | 450 Mbps | 650 Mbps | 1.2 Gbps
Max Firewall + IPS | Future | 300 Mbps | 375 Mbps | 450 Mbps | 1.2 Gbps
Max IPSec VPN | 100 Mbps | 170 Mbps | 225 Mbps | 325 Mbps | 425 Mbps
Max IPSec/SSL VPN Peers | 25/25 | 250/250 | 750/750 | 5000/2500 | 5000/5000
Max Firewall Conns | 10,000/25,000 | 50,000/130,000 | 280,000 | 400,000 | 650,000
Max Conns/Second | 4000 | 9000 | 12,000 | 25,000 | 36,000
Packets/Second (64 byte) | 85,000 | 190,000 | 320,000 | 500,000 | 600,000
Platform Capabilities:
Base I/O | 8-port FE switch | 5 FE | 4 GE + 1 FE | 4 GE + 1 FE | 8 GE + 1 FE
VLANs Supported | 3/20 (trunk) | 50/100 | 150 | 200 | 400
HA Supported | Stateless A/S (Security Plus) | A/A and A/S (Security Plus) | A/A and A/S | A/A and A/S | A/A and A/S

Next Generation ASA Mid-Range Appliances
ASA 5500-X H/W Features:
64-bit Multi-Core Processor
Up to 16GB of Memory
Built-In Multi-Core Crypto Accelerator Hardware
Dedicated IPS Hardware Acceleration Card
Up to 14 1GE Ports
Copper & Fiber I/O options
Firewall, VPN & IPS Services
Dedicated OOB Management Port
Customer Benefits:
Performance
Density
Flexibility
Integrated Services
Management Consolidation

Next Generation Security Services Appliances
5 New Models to Meet Varied Throughput Demands
ASA 5512-X: 1 Gbps Firewall Throughput
ASA 5515-X: 1.2 Gbps Firewall Throughput
ASA 5525-X: 2 Gbps Firewall Throughput
ASA 5545-X: 3 Gbps Firewall Throughput
ASA 5555-X: 4 Gbps Firewall Throughput
1. Multi-Gig Performance, to meet growing throughput requirements
2. Accelerated Integrated Services (no extra hardware required), to support changing business needs
3. Next-gen services enabled platform, to provide investment protection

Cisco ASA 55xx-X Series Product Lineup
Specification | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X
Platform Base | 1RU Short chassis, 19-inch Rack Mountable | 1RU Short chassis, 19-inch Rack Mountable | 1RU Short chassis, 19-inch Rack Mountable | 1RU Long chassis, 19-inch Rack Mountable | 1RU Long chassis, 19-inch Rack Mountable
CPU | 1x 2.8 GHz Intel 2C/2T | 1x 3.06 GHz Intel 2C/4T | 1x 2.40 GHz Intel 4C/4T | 1x 2.66 GHz Intel 4C/8T | 1x 2.80 GHz Intel 4C/8T
DRAM | 4GB | 8GB | 8GB | 12GB | 16GB
Regex Accel Mezz Card | N/A | N/A | (not captured) | (not captured) | (not captured)
Compact Flash | 4GB eUSB | 8GB eUSB | 8GB eUSB | 8GB eUSB | 8GB eUSB
I/O Ports | 6 x 1GbE Cu, 1 x 1GbE Cu Mgmt. | 6 x 1GbE Cu, 1 x 1GbE Cu Mgmt. | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt. | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt. | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt.
Optional I/O Module | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP
Power | Single Fixed AC Power Supply | Single Fixed AC Power Supply | Single Fixed AC Power Supply | Dual Hot-Swappable Redundant AC Power Supply | Dual Hot-Swappable Redundant AC Power Supply
Crypto Capacity | 1 x Crypto Chip, 4C | 1 x Crypto Chip, 4C | 1 x Crypto Chip, 4C | 1 x Crypto Chip, 8C | 1 x Crypto Chip, 8C

Cisco ASA 5585-X Series Product Lineup
Enterprise Solutions
Specification | ASA 5585-X with SSP-10 | ASA 5585-X with SSP-20 | ASA 5585-X with SSP-40 | ASA 5585-X with SSP-60
Typical Deployment | Data Center | Data Center | Data Center | Data Center
Performance:
Max Firewall | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps
Max Firewall + IPS | 2 Gbps | 3 Gbps | 5 Gbps | 10 Gbps
Max IPSec VPN | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps
Max IPSec/SSL VPN Peers | 5,000 / 5,000 | 10,000 / 10,000 | 10,000 / 10,000 | 10,000 / 10,000
Max Firewall Conns | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000
Max Conns/Second | 65,000 | 140,000 | 240,000 | 350,000
Packets/Second (64 byte) | 1,500,000 | 3,200,000 | 6,000,000 | 10,500,000
Platform Capabilities:
Base I/O | 8 GE + 2 10GE | 8 GE + 2 10GE | 6 GE + 4 10GE | 6 GE + 4 10GE
VLANs Supported | 1024 | 1024 | 1024 | 1024
HA Supported | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S

Cisco ScanSafe Cloud Services
(Diagram; service areas shown:)
Web Filtering
Web Security
Web Usage Controls
Application Visibility
Bi-directional control
Anti-malware protection
Web content analysis
Script emulation
Centralized Reporting
Secure Mobility

Cisco ScanSafe Cloud Services
Solution Overview
ScanSafe offers consistent, enforceable, high performance Web security and policy, regardless of where or how users access the internet.

Cisco Secure Mobility Demo

Case Study Review: Future HealthCare

Future HealthCare Goals
Review IT Network Issues
Employees need secure remote access to corporate intranet and email systems
Doctors need secure remote access to patient information and email systems
Doctors want access to patient data and internet
Employees want access to the internet and email
Patients want access to the internet and web mail
CTO has security and regulation requirements
CSO needs prevention of email spear-phishing attacks
IT needs corporate devices secure while still providing network access to commercialized mobile devices

Future HealthCare Review
What Still Needs to be Done?
Need to provide security by providing real-time visibility into and control over all users and devices on your network.
Need to enable effective corporate compliance by creating consistent policies across the corporate infrastructure.
Need to help streamline IT and network staff productivity by automating labor-intensive tasks.

TrustSec

What is TrustSec?
TrustSec is an umbrella term used to describe and cover all things that have to do with identities.
TrustSec is all about providing identity-based access policies that tell network and security administrators who and what is connecting to your networks.
In general terms, think of TrustSec as the next generation of network admission control (NAC).

Benefits of TrustSec
Identify users and/or devices before granting access to network resources
Extend access enforcement throughout the network
Guest access
Identify non-authenticating IP-based devices
Capability to know what is on your network
Controlling access to restricted devices and/or data
Secure sensitive data

TrustSec Technologies
IEEE 802.1x (Dot1x) Wired/Wireless
Secure Group Access (SGA)
MACSec (IEEE 802.1AE)

Profiling
Guest Services


Identity Services Engine
How do we do this?
Identity Services Engine (ISE) is a Cisco security policy engine that allows security administrators to control and manage access to the corporate network for:
Any One
Any Device
Any Where
Any Time

Questions You Should be Asking Yourself
ISE: Policies for People and Devices
Authorized Access:
How can I restrict access to my network?
Can I manage the risk of using personal PCs, tablets, smart devices?
Access rights on-prem, at home, on the road?
Can this work in wireless and wired?
Devices are healthy?
Guest Access:
Can I allow guests Internet-only access?
How do I manage guest access?
How do I monitor guest activities?
Non-User Devices:
How do I discover non-user devices?
Can I determine what they are?
Can I control their access?
Are they being spoofed?

Future HealthCare Business Case Review
How Does this Help our Business Case?
Now we are able to identify when a doctor, nurse or corporate employee is logging in to the network.
From the user identity, we can define policies that grant, limit and/or restrict access to network devices and data.
Contractors, vendors, patients and guest users can be provided Internet and printer access.
We can secure network access for non-authenticated devices such as medical devices, printers, badge readers, security cameras and phones.
Permit, restrict or deny access based on real-time posture assessment of a device.

Advantages of Identity Services Engine
(Diagram; labels as shown:)
Consolidated Services, Software Packages: NAC Manager, NAC Server, NAC Profiler, NAC Guest and ACS consolidated into ISE as an All-in-One HA Pair. Simplify Deployment & Admin.
Session Directory: User ID, Access Rights, Location, Device (& IP/MAC). Tracks Active Users & Devices.
Flexible Service Deployment: Admin Console, M&T, Distributed PDPs. Optimize Where Services Run.
Policy Extensibility: Link in Policy Information Points.
Manage Security Group Access: Keep Existing Logical Design.
SGT | Public | Private
Staff | Permit | Permit
Guest | Permit | Deny
System-wide Monitoring & Troubleshooting: Consolidate Data, Three-Click Drill-In.

ISE Packaging and Licensing
Base Feature Set (Perpetual Licensing):
Authentication / Authorization
Guest Provisioning
Link Encryption Policies
Advanced Feature Set (Term Licensing):
Device Profiling
Host Posture
Security Group Access
Appliance Platforms:
Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance

ISE Sample Topology


A Practical Example of Policies
(Topology diagram: Cisco Switches, a Cisco Access Point and a Cisco Wireless LAN Controller in the Campus Network, the Cisco Identity Services Engine, Internal Resources and the Internet; policy callouts as shown:)
Employees should be able to access everything but have limited access on personal devices
Everyone's traffic should be encrypted
Printers should only ever communicate internally

ISE Administration
Web-based GUI Environment

https://x.x.x.x/admin

ISE Home Page


Operations > Authentications


Operations > Reports


Operations > Troubleshoot


Policy > Authentication


Policy > Authorization


Policy > Profiling


Policy > Profiling > Apple-iPad


Policy > Posture


Policy > Client Provisioning


Policy > Security Group Access


Policy > Policy Elements > Conditions > Authentications

Policy > Policy Elements > Conditions > Profiling

Administration > Identity Management > External Identity Sources

Administration > Network Resources > Network Devices

Administration > Web Portal Management


ISE Sponsor Portal

https://x.x.x.x:8443/sponsorportal

Sponsor Portal Administration


Sponsor Portal Administration
Create Single User Guest Account

Sponsor Portal Administration
Guest Account Created

ISE Guest Access Portal

https://x.x.x.x:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

Case Study Review: Future HealthCare

Future HealthCare Goals
Review IT Network Issues
Employees need secure remote access to corporate intranet and email systems
Doctors need secure remote access to patient information and corporate email systems
Doctors want access to patient data and internet
Employees want access to the internet and email
Patients want access to the internet and web mail
CTO has security and regulation requirements
CSO needs prevention of email spear-phishing attacks
IT needs corporate devices secure while still providing network access to commercialized mobile devices

Future HealthCare Review
What Still Needs to be Done?
Need to provide security for sensitive data from the end user's computer and throughout the network infrastructure.

MACSec

What is it and How Does it Benefit Us?
IEEE 802.1AE-based Encryption:
Provides strong 128-bit AES-GCM* encryption
NIST approved encryption algorithm
Line-rate encryption/decryption
Standards-based key management: IEEE 802.1X-Rev
Benefits:
Protects against man-in-the-middle attacks including snooping, tampering and replay attacks
Network service amenable to hop-by-hop (link-based) approach as compared to end-to-end approach
* Galois/Counter Mode (GCM); NIST Special Publication 800-38D: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

MACSec - How Does it Work?
(Diagram: Bob, a MACSec enabled client, and Steve, a non-MACSec client, connect to a Wiring Closet Switch; the AAA server in the Campus Network holds "Policy: encryption" for both users.)
802.1X-Rev Components:
MACSec enabled switches: Cisco 3560X/3750X, 12.2(52)SE2
AAA server 802.1X-Rev aware: Cisco Identity Services Engine
Supplicant supporting MKA and 802.1AE encryption: Cisco AnyConnect Client

User Bob connects.
Bob's policy indicates endpoint must encrypt.
Key exchange using MKA, 802.1AE encryption complete.
User is placed in corporate VLAN. Session is secured.

User Steve connects.
Steve's policy indicates endpoint must encrypt.
Endpoint is not MACSec enabled.
Assigned to guest VLAN.
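The ordered rules from "A Practical Example of Policies", the Staff/Guest SGT matrix on the ISE advantages slide, and the Bob/Steve outcome above all reduce to one policy decision per session. As an added example (not Cisco's code and not from the deck), the following Python models that decision with first-match authorization rules, an SGACL matrix with implicit deny, and the guest-VLAN fallback for an endpoint that cannot do MKA; the session attribute names, the Staff_BYOD and Printer tags, the Quarantine rule's tag and the matrix rows beyond Staff and Guest are assumptions made up for the example.

```python
"""Ordered authorization rules, SGT matrix and MACsec VLAN fallback, as on this page.

Added example, not Cisco's code and not from the deck. Rule order (first match wins),
the Staff/Guest x Public/Private matrix and the Bob/Steve MACsec outcome come from the
slides; the attribute names, the Staff_BYOD, Printer and Quarantine tags and the extra
matrix rows are assumptions made up for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    identity_group: str     # "Employee", "Guest", or "" when nothing authenticated (IP device)
    endpoint_profile: str   # profiler result, e.g. "Workstation", "Apple-iPad", "Printer"
    corporate_asset: bool   # device is in the corporate asset inventory
    posture: str            # "Compliant", "NonCompliant" or "Unknown"
    macsec_capable: bool    # supplicant supports MKA and 802.1AE


@dataclass(frozen=True)
class Result:
    access: str             # Full, Limited, InternetOnly, InternalOnly, Quarantine, Deny
    sgt: str                # security group tag stamped on the session
    encrypt: bool           # policy requires the access link to be MACsec-encrypted


Rule = Tuple[str, Callable[[Session], bool], Result]

# Mirrors the practical example: employees get everything on corporate devices and
# limited access on personal ones, printers only talk internally, guests get the
# Internet, and everyone's traffic is encrypted. Posture is checked first so a
# non-compliant corporate laptop is quarantined before any broader rule can match.
RULES: List[Rule] = [
    ("Employee_NonCompliant",
     lambda s: s.identity_group == "Employee" and s.posture == "NonCompliant",
     Result("Quarantine", "Quarantine", True)),
    ("Employee_Corporate",
     lambda s: s.identity_group == "Employee" and s.corporate_asset,
     Result("Full", "Staff", True)),
    ("Employee_Personal",
     lambda s: s.identity_group == "Employee",
     Result("Limited", "Staff_BYOD", True)),
    ("Printers",
     lambda s: s.identity_group == "" and s.endpoint_profile == "Printer",
     Result("InternalOnly", "Printer", False)),
    ("Guests",
     lambda s: s.identity_group == "Guest",
     Result("InternetOnly", "Guest", True)),
]
DEFAULT = Result("Deny", "Unknown", False)


def authorize(session: Session) -> Tuple[str, Result]:
    """Walk the ordered rules; the first match wins, otherwise the default deny."""
    for name, match, result in RULES:
        if match(session):
            return name, result
    return "Default", DEFAULT


# Matrix from the 'Manage Security Group Access' slide plus assumed rows for the
# example's extra tags. Any pair not listed is denied.
SGACL: Dict[Tuple[str, str], str] = {
    ("Staff", "Public"): "Permit",      ("Staff", "Private"): "Permit",
    ("Guest", "Public"): "Permit",      ("Guest", "Private"): "Deny",
    ("Staff_BYOD", "Public"): "Permit", ("Staff_BYOD", "Private"): "Deny",
    ("Printer", "Private"): "Permit",   ("Printer", "Public"): "Deny",
}


def sgacl_action(src_sgt: str, dst_sgt: str) -> str:
    """Cell lookup in the SGT matrix with an implicit deny."""
    return SGACL.get((src_sgt, dst_sgt), "Deny")


def assign_vlan(session: Session, result: Result) -> str:
    """The MACsec flow: encryption is required, so a non-MACsec endpoint lands in the guest VLAN."""
    if result.access == "Deny":
        return "none"
    if result.access == "Quarantine":
        return "quarantine"
    if result.encrypt and not session.macsec_capable:
        return "guest"
    return "guest" if result.access == "InternetOnly" else "corporate"


def decide(session: Session) -> Tuple[str, str, str]:
    """(matched rule, SGT, VLAN) for one session."""
    name, result = authorize(session)
    return name, result.sgt, assign_vlan(session, result)


if __name__ == "__main__":
    bob = Session("Employee", "Workstation", True, "Compliant", True)
    steve = Session("Employee", "Workstation", True, "Compliant", False)
    print("Bob:", decide(bob))      # ('Employee_Corporate', 'Staff', 'corporate')
    print("Steve:", decide(steve))  # ('Employee_Corporate', 'Staff', 'guest')
```

Note that Steve matches the same authorization rule as Bob; it is the encryption requirement combined with his endpoint's lack of MKA support, not his identity, that puts him in the guest VLAN.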

MACSec Access Port (Crypto)
Standards-based encryption on user ports* (IEEE 802.1AE)
MACSec Key Agreement (MKA) standards-based key exchange protocol (IEEE 802.1X-REV MACSec Key Agreement)
Some newer Intel LOM chip sets support MACSec
MACSec-ready hardware:
Intel 82576 Gigabit Ethernet Controller
Intel 82599 10 Gigabit Ethernet Controller
Intel ICH10 - Q45 Express Chipset (1GbE LOM)
(Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM.)
* Please check CCO for the latest MACSec capable switches - www.cisco.com/go/trustsec

Case Study Review: Future HealthCare

Future HealthCare Goals
Review IT Network Issues
Employees need secure remote access to corporate intranet and email systems
Doctors need secure remote access to patient information and corporate email systems
Doctors want access to patient data and internet
Employees want access to the internet and email
Patients want access to the internet and web mail
CTO has security and regulation requirements
CSO needs prevention of email spear-phishing attacks
IT needs corporate devices secure while still providing network access to commercialized mobile devices

Future HealthCare Review
What Still Needs to be Done?

Need to prevent sensitive corporate data from traversing the Internet while maintaining compliance with corporate and mandated regulations.


Data Loss Prevention

What is Data Loss Prevention?

Data Loss Prevention, otherwise known as DLP, is technology to inspect and prevent sensitive data from leaking from your corporate network
DLP helps CxOs maintain corporate and regulation-based policies
Examples include HIPAA, GLBA, SOX and PCI compliance
DLP is the technology enforcer to prevent accidental or intentional data leakage


IronPort Email Security Appliance
RSA Data Loss Prevention

Cisco IronPort ESA has onboard RSA DLP blade technologies
Allows inspection, remediation and compliance with corporate and regulation-based policies
DLP remediation actions include:
Notify
BCC
Quarantine
Encrypt
Bounce
Drop


IronPort ESA DLP Policy Manager (screenshot)

RSA DLP Blades (screenshot)

DLP Blade Example: HIPAA (screenshot)

Assigned DLP Policies (screenshot)



Future HealthCare Review
What Still Needs to be Done?

Need to protect end users from email spear-phishing attacks that could lead to end users giving away sensitive corporate data such as a user account and password.


IronPort Outbreak Filters

IronPort Email Security Appliance
Outbreak Filters

Cisco IronPort ESA has updated and rebranded the Virus Outbreak Filters to the newer technology called Outbreak Filters
Outbreak Filters still continue to provide Day-Zero Virus Protection
Outbreak Filters also now provide Spear-Phishing prevention by rewriting suspicious URLs embedded in email messages
Rewritten URLs are proxied to the ScanSafe Towers (data centers) for web page inspection, which is transparent to the end user when they click on the embedded URL in the email
If the web site is malicious, the end user receives a Block page
If the web site is found to be good, the web objects for the web page are sent to the end user via the ScanSafe towers


Outbreak Filters Configuration (screenshot)

Preventing Spear-Phishing Attacks (screenshot)


Summary

Summary / Glossary
What is Secure Mobility?
Remote SSL VPN technology that allows integration of the Cisco AnyConnect, Cisco ASA Firewall and Cisco IronPort Web Security Appliance to backhaul browser-based web traffic for proxy filtering

What is TrustSec?
Umbrella term related to all Identity Networking
Systems approach to Identity Networking


Summary / Glossary
What is Identity Services Engine (ISE)?
ISE is the next-generation policy engine for TrustSec
Combines Identity with 802.1X, Posture, Profiling and Guest Lifecycle into a single platform.

What is MACSec (IEEE 802.1AE)?
Layer-2 encryption from device to network

What is Data Loss Prevention (DLP)?
Technology to inspect and prevent sensitive data from leaking from your corporate network
DLP is the technology enforcer to prevent accidental or intentional data leakage


Related Sessions
Other TrustSec Security Sessions at Cisco Live 2012

BRKSEC-2022 Demystifying TrustSec, Identity, NAC and ISE
BRKSEC-2046 Cisco TrustSec and Security Group Tagging
BRKSEC-3000 Advanced Securing Borderless Networks
BRKSEC-3032 Deploying TrustSec In Enterprise Branch and WAN Networks
BRKSEC-3040 TrustSec and ISE Deployment Best
TECSEC-3030 Advanced Network Access Control with ISE


Q&A

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
LinkedIn Group: http://linkd.in/CiscoLI



Cisco ASA Secure Mobility Configuration
Appendix


Cisco ASA Secure Mobility
Configuration Setup

1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
7. Activate SSL VPN Configuration


Cisco ASA Secure Mobility Configuration
Step 1 - SSL Certificate Creation

Cisco Secure Mobility requires the use of the Cisco SSL VPN Client software, AnyConnect
In order to use the AnyConnect SSL VPN software, the Cisco ASA must be configured with an SSL certificate
The SSL certificate can be signed by a trusted root authority such as VeriSign or Entrust
-or-
Use a self-signed SSL certificate generated on the ASA appliance


Cisco ASA Self-Signed Certificates
Certificate Assigned to Trustpoint

To verify from the ASA CLI:
show run crypto ca
show crypto ca cert


Cisco ASA Self-Signed Certificates
Step 2. Associate Trustpoint to Interface

Associate the new trustpoint to the outside interface
A. Configuration > Device Management > Advanced > SSL Settings
B. Associate the new certificate with the outside interface by selecting the outside interface and clicking the Edit button.
C. In the Primary Enrollment Certificate drop-down, select the trustpoint name, then click OK.
D. Click the Apply button.


Cisco Self-Signed Certificates
Certificate Assigned to Outside Interface (screenshot)


Cisco ASA Secure Mobility
Configuration Setup

1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration


LDAP Integration
AAA Server Group Configuration

Authenticate remote SSL VPN users via LDAP integration to the back-end Active Directory environment
A. From ASDM - Configuration > Device Management > Users/AAA > AAA Server Groups
B. From the AAA Server Group table, click the ADD button
C. Enter Server Group name (user defined)
D. Select LDAP from the Protocol drop-down box
E. Leave remaining values at default settings
F. Click OK button


LDAP Integration
ASDM Output Example (screenshot)


LDAP Integration
AAA Server Group Configuration (cont.)
G. Single click the newly created LDAP AAA server group
H. In Servers in the Selected Group (bottom table), select the ADD button to define the AAA Server(s)
I. Enter the configuration values for LDAP integration:
   Interface: Inside
   Server Name or IP Address: IP address for AD Server
   Port: 389
   Server Type: Microsoft
   Base DN: domain name base DN
   Scope: All levels beneath the Base DN
   Naming Attribute(s): sAMAccountName
   Login DN: Username for LDAP Authentication
   Login Password: password
J. Click OK
K. Click Apply


LDAP Integration
ASDM Output Example (screenshot)


LDAP Integration
AAA Server Group Configuration (cont.)

J. Click the Test button to verify the LDAP authentication configuration
   Change the radio button from Authorization to Authentication
   Enter a valid domain username and password
   A window appears that reads:
   Authentication test to host X.X.X.X is successful.


LDAP Integration
ASDM Output Example (screenshot)


Cisco ASA Secure Mobility
Configuration Setup

1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile


Connection Profiles
Connection Profiles in ASDM are another name for tunnel-groups within the CLI.
They provide a means to apply very specific connection attributes to remote users.
Once a user is mapped to a connection profile, we can then associate group-level policies.
Any attribute not mapped in a connection profile or group-policy will be inherited from the top-level Default Group Policy.


Connection Profiles
Configuration

Setup SSL VPN Connection Profile
A. From ASDM - Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
B. Click the ADD button to create a new Connection Profile
C. Enter Connection Profile Name
D. Enter Connection Profile Alias
E. Define Authentication parameters:
   Method: AAA
   AAA Server Group: LDAP

Note: The connection profile alias allows administrators to provide custom group names to the end users when they browse to the webpage of the ASA and also defines the group names seen in the AnyConnect client.


Connection Profiles
ASDM Output Example (screenshot)


Connection Profiles
Configuration (cont.)
F. Define the Client Address Pool
G. Click the Select button to create the client address pool
H. Click the Add button:
   Enter IP Pool Name
   Enter Starting IP Address
   Enter Ending IP Address
   Enter Subnet Mask
I. Click OK button
J. Single click the new address pool name
K. Click Assign button
L. Click OK button
M. Click OK button


Connection Profiles
ASDM Output Example (screenshot)


Cisco ASA Secure Mobility
Configuration Setup

1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
5. Group Policy


Group Policy
VPN Group Policies are a collection of authorization-based attribute/value pairs that can be stored in the ASA configuration or on a RADIUS/LDAP server.
Customized group attributes include:
Tunneling Protocols
Connection Profile Lock
NAC Policy
Access Hours
Idle Timeout
Maximum Connection Time
DNS Servers
Split Tunneling
SSL VPN Client Settings
IPSec Client Settings
Banner Login
Address Pools


Group Policy
Configuration

Setup Group Policy
A. From the newly configured Connection Profile main page, under Default Group Policy click Manage
B. Click ADD button
C. Enter Group Policy Name
D. Single click on the More Options gray bar
E. Uncheck the Inherit button for Tunneling Protocols and select the SSL VPN Client checkbox only. Uncheck any other remaining protocols.
F. Select the Servers menu option. Uncheck the Inherit button for DNS and enter your internal DNS server IP address.


Group Policy
Configuration (cont.)
G. Open the More Options and uncheck the Inherit button for Default Domain and enter your domain name.
H. Click OK
I. Click OK


Group Policy
ASDM Output Example (screenshot)


Group Policy
Configuration (cont.)
G. From the Connection Profile main window, under Default Group Policy select the newly created group policy from the drop-down box.
H. Select the checkbox for Enable SSL VPN Client Protocol
I. Click OK
J. Click Apply


Group Policy
ASDM Output Example (screenshot)

Group Policy
ASDM Output Example (screenshot)


Cisco ASA Secure Mobility
Configuration Setup

1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
5. Group Policy
6. AnyConnect Packages


AnyConnect Client Preparation

Two options for getting the Cisco AnyConnect client installed on the end user's computer:
Option #1: Use the pre-install client package for Windows (.msi) or Mac (.dmg)
Standard install application; can also be pre-deployed and pre-configured.
Option #2: Download the AnyConnect client from the ASA clientless SSL VPN web portal.
Requires preparation by uploading and configuring the Cisco ASA for deployment of AnyConnect via the SSL web portal.


Cisco ASA AnyConnect Deployment
Make Sure You Download the Proper Version for ASA Deployment and Not the Predeployment Versions.

The first step is to identify the correct AnyConnect images needed for the end user operating systems and versions that are required for your organization.
Supported Operating Systems:
Windows 32/64-bit operating system versions
   anyconnect-win-<version>-k9.pkg
Mac OS X Intel platforms
   anyconnect-macosx-i386-<version>-k9.pkg
Linux 32/64-bit operating system versions
   anyconnect-linux-<version>-k9.pkg
   anyconnect-linux-64-<version>-k9.pkg


Cisco ASA AnyConnect Deployment
Configuration Steps

Download the proper AnyConnect images and configure the software client for the ASA.
From ASDM - Configuration > Remote Access SSL VPN > Network (Client) Access > AnyConnect Client Settings
Download the AnyConnect Packages using the link from ASDM or pre-download from CCO directly
Upload the AnyConnect Packages from your desktop to disk0:/ on the ASA Firewall


Cisco ASA Secure Mobility
Configuration Setup

1. SSL Certificate Creation
2. Associate trustpoint to interface
3. LDAP Integration
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
7. Activate SSL VPN Configuration


Activate SSL VPN Configuration

From ASDM - Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Click on the Allow Access check-box for the Outside interface.
Click on the Enable Cisco AnyConnect VPN Client access check-box on the Outside interface.
Click the Apply button

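The seven ASDM steps of this appendix, expressed as the equivalent ASA CLI, as an added example that is not part of the deck (the deck's own procedure is the ASDM click-through above). The trustpoint, key pair, server group, pool, group policy and tunnel-group names, the hostname, the addresses, the domain and the bind account are constructed placeholders; the password and the AnyConnect file version are left as placeholders to fill in. Syntax of the ASA 8.4 era (anyconnect keywords under webvpn) is assumed; ASDM generates the same objects when you follow the steps.

```text
! Added example (not from the deck): ASA CLI for the seven Secure Mobility
! setup steps. Every name, address and domain below is a constructed placeholder.
!
! Step 1 - self-signed SSL certificate on a dedicated 2048-bit RSA key pair
crypto key generate rsa label SSLVPN-KEY modulus 2048
crypto ca trustpoint SSLVPN-TP
 enrollment self
 subject-name CN=vpn.example.com
 keypair SSLVPN-KEY
crypto ca enroll SSLVPN-TP noconfirm
!
! Step 2 - bind the trustpoint to the outside interface (ASDM: SSL Settings)
ssl trust-point SSLVPN-TP outside
!
! Step 3 - LDAP server group against Active Directory; the values mirror
! the slide (port 389, server type Microsoft, subtree scope, sAMAccountName)
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 server-port 389
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,dc=example,dc=com
 ldap-login-password LDAP-BIND-PASSWORD-PLACEHOLDER
 server-type microsoft
!
! Step 5 - group policy: SSL client only, internal DNS, default domain
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 192.0.2.20
 default-domain value example.com
!
! Step 4 - connection profile (tunnel-group) with client address pool,
! LDAP authentication, the group policy above and a user-visible alias
ip local pool SSLVPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSLVPN-POOL
 authentication-server-group LDAP-AD
 default-group-policy SSLVPN-GP
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
!
! Steps 6 and 7 - AnyConnect package already uploaded to disk0:, then
! enable the client on the outside interface and show the alias list
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Verification (the first two commands are the ones the slide gives):
!   show run crypto ca
!   show crypto ca cert
!   test aaa-server authentication LDAP-AD host 192.0.2.10 username jdoe password ...
```

The group policy is defined before the tunnel-group that references it so the configuration pastes cleanly in one pass. A self-signed trustpoint, as on the slide, means AnyConnect users see a certificate warning until the certificate is trusted on their machines or replaced by one from a public CA; the ssl trust-point line is the only one that changes when that swap is made.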
