BRKDEV-1081 14621_05_2008_x1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

1

Policy-Based Network Access

BRKDEV-1081


© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr


The World We Would Like to Live In
We Live in a Complicated World


Evolution of Network Access Policy

Cisco TrustSec
  Networkwide, role-based access control
  Network device access control
  Consistent policies—multiple access types

Network Admission Control (NAC)
  Posture validation, endpoint compliance

Identity-Based Access Control
  Flexible authentication options
  Postadmission control options

Network Address-Based Access Control

Policy Is Shared Across Domains

Business Policy
“Be Secure. Protect Our IP. Be SOX-Compliant.”

Facilities Policy
“Laptops Locked to Desk. One Entry per Badge Swipe. No Tailgating.”

Computer Policy
“Virus Protection. Personal Firewalls. OS Patched Up to Date.”

Application Policy
“Separation of Duties. Role-Based Access. Strong Authentication.”

Network Policy
“Network Segmentation. Wired/Wireless Restrictions. Intrusion Detection.”


Customer Problem

Situation: business dynamics have changed
  Complex relationships with customers, partners, suppliers
  Distributed workforce
  Increased regulatory compliance

Businesses are challenged to consistently apply policies across different domains
  Many technologies—network, desktop, app server, security, applications, etc.
  Many organizations and specializations—network ops, sec ops, IT, Help Desk, CIO
  More overlap and complexity between domains

Customer Problem (Cont.)

Complication: technology, organizational and policy domains are independent of each other

Effect: administrative and efficiency cost; difficulty with…
  Interoperability
  Business agility
  Regulatory compliance

Policy Concepts and Requirements

Policy is domain-specific—requires well-defined interfaces
Enterprises have multiple policy domains—requires interoperability and composeability
Global namespaces and domain-local namespaces (hierarchy)
  Domain namespaces require a mechanism for provisioning
  Domains, as authorities, must be able to assert attributes

Policy enforcement: entities (e.g., network elements, policy apps) must provide a common set of enforcement directives
System-level troubleshooting within and across domains is essential
Common trust and identity is required for domain interoperability

Two Key Requirements

1. Provisioning
  Drive top-level business policy into individual domains
  Domains enforce top-level policy in domain-relevant ways
  Centrally coordinate business policy
  Increase efficiency, reduce complexity, cut costs
  Simplify auditing/reporting

2. Sharing information between domains
  Policy enforcement in a domain may use data from another domain
  Better mapping to business policy
  Centralized management of service delivery based on network, location, health, identity, application
  Comprehensive view on network and application access
  Policy is only as good as the data it is based upon

Identity and Access Policy
A Platform Approach

Requirements
  Interoperability and nimbleness to manage and enforce dynamic business policies
  Federation among different policy domains
  Information must be available and shared

Why a Platform?
  Provides encapsulation of information and services
  Enables extensibility and integration via interfaces

Identity and Access Policy Platform = Cisco® Secure Access Control System (ACS)

How Are You Described?
Human


Attributes Are Part of the Way We Are Wired
Father of Three

Political Views

Network Engineer

Motorbike Racer

Fashion Statement

Work Attributes Are the Cornerstone for Network Identity and Access Policy
Full-Time Employee

US Citizen

R&D Department

Group Leader

Accessing via VPN

Identity and Access Policy
Key Concepts

Symmetric policy model for users and devices
Attribute-based model
  Several attributes used to classify entities accessing network assets
  Consume from: AD, LDAP, SecurID, posture servers, audit servers, etc.
  Assert: session state attributes (location, ID, etc.)

Simplicity—customers can easily create policies and reuse objects
Flexibility and extensibility to accommodate simple/complex policies and adapt to future functionality
Interfaces (UI, Web services, scripting, CLI)
  SPMLv2 and XACML for provisioning
  SAML for attribute assertions

Policy Model
Service View: 802.1X

[Figure: policy flow for Service A (802.1X). Authentication is followed by Authorization Rules that evaluate Session Attributes and Info (NAD info, attributes, protocols, date/time, credentials), including User ID Group, Location, Access Type, Date/Time and other inputs, and select an authorization profile (Profile A, Profile B, Profile C, ... Profile X).]


Policy Model
Service View: 802.1X/NAC/CTS

[Figure: policy flow for Service B (802.1X/NAC/CTS). Authentication is followed by Authorization Rules that evaluate Session Attributes and Info (NAD info, attributes, protocols, date/time, credentials), including User ID Group, Host ID Group, Location, Access Type, Date/Time, Posture Assessment, Posture Audit Info and other inputs, and select an authorization profile (Profile A, Profile B, Profile C, ... Profile X).]


Identity and Access Policy Interfaces

Provisioning
  Policy management APIs to support integration with third-party management tools
    Provisioning of access policy, etc. via WSDL
    Complete programmatic read/write access
  Network enforcement policies can be provisioned consistently with other domains

Information Sharing
  Provide static and dynamic information about entities attached to the network
    Provide data for consumption by applications
    Centralized query to both logged and real-time session data
  Other domain enforcement can leverage session information (e.g., location, host posture)
  Asset management applications have visibility into what entities are on the network

Examples


Scenario: Automating Common Tasks

Sam the ACS admin wants to automate the process of entering new devices into ACS; this saves time, allows others to add devices, and minimizes errors. He needs to do the following:
  Enter the device name
  Enter the device IP addresses
  Enter the shared secret for RADIUS/TACACS+
  Associate the device with the appropriate device group based on geography

Sam is accustomed to using the ACS GUI, and he wants to quickly set up a simple Perl script for adding devices.

Scenario: Integration with Enterprise System

“Enterprise” has a device repository; each device that is defined on that system also needs to be defined on ACS to allow it to function as an AAA client. To avoid duplicate data entry and possible errors, the IT department would like to automate the process, so that each device defined on the device repository system is also provisioned to ACS with the subset of attributes that ACS requires.
[Figure: the Device Repository Administrator sets device data in the Enterprise Device DB; the Enterprise Device Repository provisions the device to Cisco Secure ACS (ACS DB) over Web Services.]

Scenario: Helpdesk Automation

When users are unable to access a resource (perhaps an application) they call the helpdesk; in order to troubleshoot, the helpdesk operator first needs to determine whether the problem has to do with network access. The helpdesk team develops a script to automate common network access troubleshooting tasks. The administrator invokes the script with the user name; the script makes three different calls over the ACS programmatic interfaces:
  Get session data—Is the user connected to the network?
  Get logged events—Were there any errors during session establishment?
  Get policy data—What authorizations were granted to the user?

Scenario: Network/Application-Integrated Access Control

ACME Corp does not allow VPN access to sensitive financial data—in fact, the connection must be over a wired switch port, and the network access must have used an RSA SecurID token.
The finance Web application gets real-time session information from ACS (strength of authentication, and connection type: wired, wireless, VPN, etc.).
The Web application developer uses the ACS attribute assertion Web service.
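As an added illustration (not code from the slides or from ACS), the following Python models the session data that the helpdesk script and the ACME finance Web application consume: the three helpdesk questions (connected? errors? authorizations?) and the wired-plus-SecurID rule. The session records, field names and values are constructed assumptions, not the ACS schema or its Web service interface.

```python
# Added example, not from the Cisco slides: a toy model of the session
# data that ACS exposes and that the helpdesk script (three questions)
# and the ACME finance Web app (wired + SecurID rule) consume.
# Field names and sample values are assumptions, not the ACS schema.
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    connected: bool
    access_type: str            # assumed values: "wired", "wireless", "vpn"
    auth_method: str            # assumed values: "securid", "password"
    authorizations: list = field(default_factory=list)  # granted profiles
    errors: list = field(default_factory=list)          # setup-time events


# Constructed sample of ACS session and logged-event data.
SESSIONS = {
    "alice": Session("alice", True, "wired", "securid", ["finance-profile"]),
    "bob": Session("bob", True, "vpn", "securid", ["remote-profile"]),
    "carol": Session("carol", False, "wireless", "password", [],
                     ["EAP timeout reported by NAD sw-floor2"]),
}


def helpdesk_triage(user):
    """The three calls the helpdesk script makes, merged into one answer:
    is the user connected, were there errors, what was authorized."""
    s = SESSIONS.get(user)
    if s is None:
        return {"connected": False, "errors": ["no session record"],
                "authorizations": []}
    return {"connected": s.connected, "errors": list(s.errors),
            "authorizations": list(s.authorizations)}


def finance_access_allowed(user):
    """ACME rule: sensitive financial data only from a live session on a
    wired switch port whose network login used an RSA SecurID token.
    A missing or disconnected session fails closed."""
    s = SESSIONS.get(user)
    if s is None or not s.connected:
        return False
    return s.access_type == "wired" and s.auth_method == "securid"
```

The Web app would obtain the equivalent of `SESSIONS[user]` from the ACS attribute assertion service at request time rather than from a local table.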
[Figure: numbered flow between User, ACS, Web App and Application Policy: 1) Network Access; 2) Access Request; 3) Session Attribute Caching; 4) Application Resource Access; 5) Policy Decision Request; 6) Policy Evaluation; 7) Attributes Assertion.]

Summary

Numerous policy systems will exist in enterprise environments
The next-generation identity and access policy platform (Cisco Secure Access Control System) provides interfaces for integrating as part of your business environment
ACS interfaces leverage open standards (Web services, XML, SPML, XACML, SAML)


Call to Action

Evaluate your automation requirements for network identity and access policy
Investigate how your network access can more cleanly fit as part of your enterprise defense-in-depth strategy
Learn more about Cisco’s “Identity-Enabled Networks” solution
More info
  www.cisco.com/go/acs
  Matt Hur: mhur@cisco.com
  Attend BRKDEV-1071 for an architecture and interface drill-down (Thursday at 8 a.m.)

Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
