BRKSEC-2000
Cisco Public
Housekeeping
We value your feedback - don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday
Please remember this is a 'non-smoking' venue!
Please set your mobile phones to stun mode
Please make use of the recycling bins provided
Session Abstract
This session will explain the security technology behind Cisco Borderless Networks.
We will compare and contrast the networks of yesterday versus today and the issues that network and security administrators face with these evolving networks.
A business case will be presented to introduce common network security challenges and how Borderless Network technology solves them.
The technologies that will be covered include Secure Mobility, Web and Email Security, AnyConnect SSL VPN, user & device authorization, Network Device Profiling, supplicant agents, posture assessment, Guest Access, Security Group Access (SGA), and IEEE 802.1AE (MacSec).
Session Objectives
At the end of the session, you should understand:
Agenda
Networks of Yesterday
Networks of Today
Borderless Networks: What does that mean?
Networks of Yesterday
Authentication
Authorization
Accounting
Networks of Today
Self-Defending Networks
Network and Endpoint Security
Content Security
Application Security
SAFE Blueprints
SAFE Small Business
SAFE Medium Business
SAFE Enterprise Business
SAFE Remote
SAFE Campus
SAFE Data Center
SAFE Internet
SAFE Wide Area Network
Value Proposition:
Cisco Borderless Networks securely, reliably, and seamlessly connects people, information, and devices.
Borderless Network architecture (figure):
Policy
Borderless Network Services: Mobility (Motion); Energy Management (EnergyWise); Security (TrustSec); Multimedia Optimization (Medianet); App Performance (App Velocity)
Borderless Network Systems: Unified Access; Core Fabric; Extended Edge; Extended Cloud; APIs
Borderless Infrastructure: Wireless; Routing; Switching; Application Networking/Optimization; Security
Case Study
Future HealthCare
IT Network Issues
Answer:
Virtual Private Networks (VPNs)
Typically IPSec and/or SSL VPN tunnel connections
Firewalls, Routers and IPS
Issues:
Full Tunneling
Split Tunneling
Internet Access
Question:
How does IT provide employees secure remote access to corporate intranet and email systems?
Answer:
Cisco AnyConnect Secure Mobility
AnyConnect licence comparison (table; the per-column feature marks were lost in extraction):
Columns: AnyConnect Ess + SM | AnyConnect Prem Only | AnyConnect Prem + SM
Rows: Always-on VPN | Captive portal | Clientless VPN | Web security
ASA Licensing
Show Version
ASA-5510# show version
....
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited        perpetual
Maximum VLANs                  : 100              perpetual
Inside Hosts                   : Unlimited        perpetual
Failover                       : Active/Active    365 days
VPN-DES                        : Enabled          perpetual
VPN-3DES-AES                   : Enabled          365 days
Security Contexts              : 2                perpetual
GTP/GPRS                       : Disabled         perpetual
SSL VPN Peers                  : 25               365 days
Total VPN Peers                : 250              perpetual
Shared License                 : Disabled         perpetual
AnyConnect for Mobile          : Enabled          365 days
AnyConnect for Cisco VPN Phone : Enabled          365 days
AnyConnect Essentials          : Enabled          perpetual
Advanced Endpoint Assessment   : Enabled          365 days
UC Phone Proxy Sessions        : 26               365 days
Total UC Proxy Sessions        : 26               365 days
Botnet Traffic Filter          : Enabled          365 days
Intercompany Media Engine      : Disabled         perpetual
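As an added example (not part of the session), here is a Python parser for the "Licensed features" block shown above, together with the licence check a practitioner runs before rolling out Secure Mobility: whether an AnyConnect licence and SSL VPN peers are present, and which of those licences are time-based and will lapse. The sample output is constructed to match the slide's format; the feature name "AnyConnect Premium Peers" is an assumption.

```python
import re

# Constructed sample modelled on the slide's 'show version' output (not a real
# device capture). ASA prints the licence term after each value.
SAMPLE_SHOW_VERSION = """\
ASA-5510# show version
....
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited      perpetual
Failover                     : Active/Active  365 days
VPN-3DES-AES                 : Enabled        365 days
SSL VPN Peers                : 25             365 days
Total VPN Peers              : 250            perpetual
AnyConnect for Mobile        : Enabled        365 days
AnyConnect Essentials        : Enabled        perpetual
Advanced Endpoint Assessment : Enabled        365 days
Botnet Traffic Filter        : Enabled        365 days
"""

FEATURE_RE = re.compile(
    r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s+(?P<term>perpetual|\d+ days)\s*$")


def parse_licensed_features(text):
    """Return {feature: (value, term)} for the 'Licensed features' block."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        m = FEATURE_RE.match(line) if in_block else None
        if m:
            features[m.group("name")] = (m.group("value"), m.group("term"))
    return features


def time_based_features(features):
    """Features whose licence expires (anything not 'perpetual')."""
    return sorted(name for name, (_, term) in features.items() if term != "perpetual")


def secure_mobility_license_findings(features):
    """Findings against the licence prerequisites for AnyConnect Secure Mobility:
    an AnyConnect licence enabled and SSL VPN peers available. Empty list == OK."""
    findings = []
    essentials = features.get("AnyConnect Essentials", ("Disabled", ""))[0]
    premium = features.get("AnyConnect Premium Peers", ("0", ""))[0]  # assumed name
    if essentials != "Enabled" and premium in ("0", "Disabled"):
        findings.append("no AnyConnect Essentials or Premium licence enabled")
    peers = features.get("SSL VPN Peers", ("0", ""))[0]
    if not peers.isdigit() or int(peers) == 0:
        findings.append("SSL VPN Peers is 0: no SSL VPN sessions can be built")
    for name in ("AnyConnect Essentials", "SSL VPN Peers", "AnyConnect for Mobile"):
        if name in features and features[name][1] != "perpetual":
            findings.append(f"{name} licence is time-based ({features[name][1]})")
    return findings
```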
From ASDM: Configuration > Remote Access VPN > Network (Client) Access > Secure Mobility Solution
Click the Add button
Choose the interface used to communicate with the WSA (typically the Inside or DMZ interface)
Enter the IP address of the WSA and its subnet mask
Click OK
Make sure the Enable Mobile User Security checkbox is enabled and the service port is 11999 (default)
Set the password used to secure communications
Click Apply
From ASDM: Configuration > Device Management > Advanced > WCCP > Service Groups
Click the Add button
Service: Dynamic Service Number: 90
Options: Redirect List: WSA-Redirect
Options: Group List: WSA
Click OK
From ASDM: Configuration > Device Management > Advanced > WCCP > Redirection
Click the Add button
Interface: Inside
Service Group: 90
Click OK
Click Apply
Click Save
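As an added example (not from the session), the Python below models how the ASA evaluates the WSA-Redirect list when deciding whether an inbound packet on the inside interface is handed to WCCP service group 90, and checks the rule a practitioner adds first: the WSA's own traffic must be denied in the redirect list, otherwise its fetches are redirected back to itself. The configuration lines, the WSA address 10.1.2.5 and the 10.1.0.0/16 inside network are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed ASA-style configuration (not from the slides) using the session's
# names: WCCP service 90, redirect list WSA-Redirect, group list WSA.
# 10.1.2.5 is an assumed WSA address; 10.1.0.0/16 an assumed inside network.
SAMPLE_CONFIG = """\
access-list WSA-Redirect extended deny ip host 10.1.2.5 any
access-list WSA-Redirect extended permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list WSA extended permit ip host 10.1.2.5 any
wccp 90 redirect-list WSA-Redirect group-list WSA
wccp interface inside 90 redirect in
"""

Ace = namedtuple("Ace", "action proto src dport")


def _address(tokens, i):
    """Parse one ASA address spec starting at tokens[i]: any | host A | A MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(config):
    """Collect extended ACL entries by name, keeping source and destination port."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _address(t, 5)
        _dst, i = _address(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dport))
    return acls


def wccp_redirects(acls, src_ip, proto, dport, redirect_list="WSA-Redirect"):
    """First-match evaluation of the redirect list for a packet entering 'inside'.
    Only a permit match is redirected to the WSA; an explicit deny or the implicit
    deny at the end of the list leaves the packet on its normal path."""
    ip = ipaddress.ip_address(src_ip)
    for ace in acls.get(redirect_list, []):
        if ace.proto not in ("ip", proto) or ip not in ace.src:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def wsa_excluded_from_redirect(acls, wsa_ip):
    """The WSA's own web fetches must not be redirected back to it (redirect loop)."""
    return not wccp_redirects(acls, wsa_ip, "tcp", 80)
```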
ASA product family positioning (figure; x-axis runs from SOHO through Branch Office, Internet Edge and Campus to Data Center):
Multi-Service (Firewall/VPN and IPS), NEW: ASA 5512-X (1 Gbps, 10K cps); ASA 5515-X (1.2 Gbps, 15K cps); ASA 5525-X (2 Gbps, 20K cps); ASA 5545-X (3 Gbps, 30K cps); ASA 5555-X (4 Gbps, 50K cps)
Firewall/VPN Only: ASA 5505 (150 Mbps, 4K cps); ASA 5510 (300 Mbps, 9K cps); ASA 5510 + (300 Mbps, 9K cps); ASA 5520 (450 Mbps, 12K cps); ASA 5540 (650 Mbps, 25K cps); ASA 5550 (1.2 Gbps, 36K cps)
ASA 5500 platform comparison (table reconstructed from the slide; row labels lost in extraction are marked unlabelled):

                       Cisco ASA 5505     Cisco ASA 5510    Cisco ASA 5520    Cisco ASA 5540    Cisco ASA 5550
Typical Deployment     SOHO               Branch Office     Internet Edge     Internet Edge     Data Center
Performance
  Max Firewall         150 Mbps           300 Mbps          450 Mbps          650 Mbps          1.2 Gbps
  (unlabelled)         Future             300 Mbps          375 Mbps          450 Mbps          1.2 Gbps
  (unlabelled)         100 Mbps           170 Mbps          225 Mbps          325 Mbps          425 Mbps
  (unlabelled)         25/25              250/250           750/750           5000/2500         5000/5000
  (unlabelled)         10,000/25,000      50,000/130,000    280,000           400,000           650,000
  Max Conns/Second     4000               9000              12,000            25,000            36,000
  (unlabelled)         85,000             190,000           320,000           500,000           600,000
Platform Capabilities
  Base I/O             8-port FE switch   5 FE              4 GE + 1 FE       4 GE + 1 FE       8 GE + 1 FE
  VLANs Supported      3/20 (trunk)       50/100            150               200               400
  HA Supported         Stateless A/S (Security Plus)        (remaining cells not recovered)
Customer Benefits
Performance
Density
Flexibility
Integrated Services
Management Consolidation
ASA 5500-X series (figure): ASA 5512-X (1 Gbps Firewall Throughput), ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X (4 Gbps Firewall Throughput)
1. Multi-Gig Performance
2. Accelerated Integrated Services
3. Next-gen services enabled platform
ASA 5500-X platform comparison (table reconstructed from the slide; one row label and one cell were lost in extraction):

                 ASA 5512-X          ASA 5515-X          ASA 5525-X          ASA 5545-X          ASA 5555-X
Platform Base    19" Rack Mountable  19" Rack Mountable  19" Rack Mountable  19" Rack Mountable  19" Rack Mountable
CPU              4C                  4C                  4C                  8C                  8C
DRAM             4GB                 8 GB                8GB                 12GB                16GB
Compact Flash    4GB eUSB            8GB eUSB            8GB eUSB            8GB eUSB            8GB eUSB
I/O Ports        6 x 1GbE Cu         6 x 1GbE Cu         8 x 1GbE Cu         8 x 1GbE Cu         8 x 1GbE Cu
                 1 x 1GbE Cu Mgmt.   1 x 1GbE Cu Mgmt.   1 x 1GbE Cu Mgmt.   1 x 1GbE Cu Mgmt.   1 x 1GbE Cu Mgmt.
                 6 x 1GbE Cu or 6 x 1GbE SFP (all five models)
(unlabelled)     N/A                 N/A                 (not recovered)     Dual Hot-Swappable Redundant AC Power Supply   Dual Hot-Swappable Redundant AC Power Supply
Crypto Capacity  1 x Crypto Chip     1 x Crypto Chip     1 x Crypto Chip     1 x Crypto Chip     1 x Crypto Chip
ASA 5585-X platform comparison (table reconstructed from the slide; the first column header and several row labels were lost in extraction):

                      ASA 5585-X (SSP not recovered)  ASA 5585-X with SSP-20  ASA 5585-X with SSP-40  ASA 5585-X with SSP-60
Typical Deployment    Data Center        Data Center        Data Center        Data Center
Performance
  Max Firewall        4 Gbps             10 Gbps            20 Gbps            40 Gbps
  (unlabelled)        2 Gbps             3 Gbps             5 Gbps             10 Gbps
  (unlabelled)        1 Gbps             2 Gbps             3 Gbps             5 Gbps
  (unlabelled)        5,000 / 5,000      10,000 / 10,000    10,000 / 10,000    10,000 / 10,000
  (unlabelled)        1,000,000          2,000,000          4,000,000          10,000,000
  Max Conns/Second    65,000             140,000            240,000            350,000
  (unlabelled)        1,500,000          3,200,000          6,000,000          10,500,000
Platform Capabilities
  Base I/O            8 GE + 2 10GE      8 GE + 2 10GE      6 GE + 4 10GE      6 GE + 4 10GE
  VLANs Supported     1024               1024               1024               1024
  HA Supported        (cells not recovered)
Web Security
Anti-malware protection
Web content analysis
Script emulation
Centralized Reporting
Secure Mobility
TrustSec
What is TrustSec?
TrustSec is an umbrella term used to describe and cover everything that has to do with identities.
TrustSec is all about providing identity-based access policies that tell network and security administrators who and what is connecting to their networks.
In general terms, think of TrustSec as the next generation of network admission control (NAC).
Benefits of TrustSec
Identify users and/or devices before granting access to network resources
Extend access enforcement throughout the network
Guest access
TrustSec Technologies
IEEE 802.1x (Dot1x) Wired/Wireless
Secure Group Access (SGA)
MACSec (IEEE 802.1AE)
Profiling
Guest Services
How do we do this?
Identity Services Engine (ISE) is a Cisco security policy engine that allows security administrators to control and manage access to the corporate network for:
Any One
Any Device
Any Where
Any Time
Authorized Access
Guest Access
Non-User Devices
How do I discover non-user devices?
ISE consolidation (figure): ACS, NAC Profiler, NAC Server and NAC Guest are consolidated into ISE as an All-in-One HA Pair (Admin Console, M&T, Distributed PDPs); the Session Directory holds User ID, Access Rights and Location; Policy Extensibility; Manage Security Group Access; "Consolidate Data, Three-Click Drill-In".
Sample SGT policy matrix from the figure:
        Public   Private
Staff   Permit   Permit
Guest   Permit   Deny
Perpetual Licensing
Term Licensing
Authentication / Authorization
Guest Provisioning
Link Encryption Policies
Device Profiling
Host Posture
Security Group Access
Appliance Platforms
Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance
Topology (figure): Internet; a Cisco Access Point and Cisco Switches connect to the Campus Network and Internal Resources through a Cisco Wireless LAN Controller. Caption: "Everyone's traffic should be encrypted".
ISE Administration
Web-based GUI Environment
https://x.x.x.x/admin
https://x.x.x.x:8443/sponsorportal
https://x.x.x.x:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Need to provide security for sensitive data from the end user's computer and throughout the network infrastructure.
MACSec
What is it and How Does it Benefit Us?
Benefits
Protects against man-in-the-middle attacks, including snooping, tampering and replay attacks
Network service amenable to a hop-by-hop (link-based) approach, as compared to an end-to-end approach
* NIST
802.1X-Rev Components (figure): User Steve (Policy: encryption) and User Bob (Policy: encryption) connect through a Wiring Closet Switch to the Campus Network and AAA; a Non MACSec client is also shown.
* Please check CCO for the latest MACSec capable switches - www.cisco.com/go/trustsec
Need to prevent sensitive corporate data from traversing the Internet while maintaining compliance with corporate and mandated regulations.
Notify
BCC
Quarantine
Encrypt
Bounce
Drop
Cisco IronPort ESA has updated and rebranded Virus Outbreak Filters as the newer technology called Outbreak Filters.
Outbreak Filters continue to provide day-zero virus protection.
Outbreak Filters now also provide spear-phishing prevention by rewriting suspicious URLs embedded in email messages.
Rewritten URLs are proxied to the ScanSafe towers (data centers) for web page inspection, which is transparent to the end user when they click the embedded URL in the email.
If the web site is malicious, the end user receives a block page.
If the web site is found to be good, the web objects for the web page are sent to the end user via the ScanSafe towers.
Summary
Summary / Glossary
What is Secure Mobility?
Remote SSL VPN technology that integrates Cisco AnyConnect, the Cisco ASA firewall and the Cisco IronPort Web Security Appliance to backhaul browser-based web traffic for proxy filtering
What is TrustSec?
Umbrella Term Related to all Identity Networking
Systems-Approach to Identity Networking
Summary / Glossary
What is Identity Services Engine (ISE)?
ISE is the next-generation policy engine for TrustSec
Combines Identity with 802.1X, Posture, Profiling and Guest Lifecycle into a single platform.
Related Sessions
Other TrustSec Security Sessions at Cisco Live 2012
Q&A
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, ondemand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
LinkedIn Group: http://linkd.in/CiscoLI
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
7. Activate SSL VPN Configuration
Cisco Secure Mobility requires the use of the Cisco SSL VPN client software, AnyConnect.
In order to use the AnyConnect SSL VPN software, the Cisco ASA must be configured with an SSL certificate.
The SSL certificate can be signed by a trusted root authority such as VeriSign or Entrust
- or -
use a self-signed SSL certificate generated on the ASA appliance.
B.
Associate the new certificate with the outside interface by selecting the outside interface and clicking the Edit button.
C.
D.
LDAP Integration
AAA Server Group Configuration
From ASDM - Configuration > Device Management > Users/AAA > AAA Server Groups
B.
From the AAA Server Group table, click the ADD button
C.
D.
E.
F.
Click OK button
LDAP Integration
ASDM Output Example
LDAP Integration
AAA Server Group Configuration (cont.)
G.
H.
Under Servers in the Selected Group (bottom table), click the ADD button to define the AAA server(s)
I.
J.
Click OK
K.
Click Apply
LDAP Integration
ASDM Output Example
LDAP Integration
AAA Server Group Configuration (cont.)
J.
LDAP Integration
ASDM Output Example
4. Connection Profile
Connection Profiles
Connection Profiles in ASDM are another name for tunnel-groups in the CLI.
They provide a means to apply very specific connection attributes to remote users.
Once a user is mapped to a connection profile, we can then associate group-level policies.
Any attribute not mapped in a connection profile or group policy is inherited from the top-level Default Group Policy.
Connection Profiles
Configuration
A.
From ASDM - Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
B.
C.
D.
E.
Note: The connection profile alias allows administrators to provide custom group names to the end users when they browse to the webpage of the ASA, and also defines the group names seen in the AnyConnect client.
Connection Profiles
ASDM Output Example
Connection Profiles
Configuration (cont.)
F.
I.
Click OK button
J.
K.
L.
Click OK button
M. Click OK button
Connection Profiles
ASDM Output Example
4. Connection Profile
5. Group Policy
Group Policy
VPN group policies are a collection of authorization-based attribute/value pairs that can be stored in the ASA configuration or on a RADIUS/LDAP server.
Customized group attributes include:
Tunneling Protocols
NAC Policy
Access Hours
Idle Timeout
DNS Servers
Split Tunneling
Banner Login
Address Pools
Group Policy
Configuration
From the newly configured Connection Profile main page, under Default Group Policy click Manage
B.
C.
D.
E. Uncheck the Inherit button for Tunneling Protocols and select the SSL VPN Client checkbox only. Uncheck any other remaining protocols.
F. Select the Servers menu option. Uncheck the Inherit button for DNS and enter your internal DNS server IP address.
Group Policy
Configuration (cont.)
G. Open More Options, uncheck the Inherit button for Default Domain and enter your domain name.
H.
Click OK
I.
Click OK
Group Policy
ASDM Output Example
Group Policy
Configuration (cont.)
G. From the Connection Profile main window, under Default Group Policy select the newly created group policy from the drop-down box.
H.
I.
Click OK
J.
Click Apply
Group Policy
ASDM Output Example
Group Policy
ASDM Output Example
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
The first step is to identify the correct AnyConnect images needed for the end-user operating systems and versions required by your organization.
Supported Operating Systems
anyconnect-linux-<version>-k9.pkg
anyconnect-linux-64-<version>-k9.pkg
Download the AnyConnect packages using the link from ASDM or pre-download them from CCO directly
Upload the AnyConnect packages from your desktop to disk0:/ on the ASA firewall
4. Connection Profile
5. Group Policy
6. AnyConnect Packages
7. Activate SSL VPN Configuration