Securing and controlling access to the enterprise network whatever the type of device

Posted on 30-Oct-2014

Description

Put in place a security policy, whatever the type of access (wired, Wi-Fi, VPN), to regain visibility and control over endpoints. A unified security policy, BYOD management, Mobile Device Management, and propagation of rights via security tags all the way to the datacenter: this approach makes it possible to manage the explosion of mobile devices while preparing for the next wave of endpoints. In this presentation, discover how the market-leading solution "Cisco Identity Service Engine" lets you deploy an access control policy suited to your needs.

Transcript of Securing and controlling access to the enterprise network whatever the type of device

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

Identity Service Engine Version 1.2


Agenda: Introduction, Authentication / authorization, Profiling, Posture, Guest, BYOD, Administration


• All-in-One Enterprise Policy Control


Who, What, Where, When, How

Virtual machine client, IP device, guest, employee, and remote user

Cisco® ISE

Wired Wireless VPN

Enterprise policies

Replaces AAA and RADIUS, NAC, guest management, and device identity servers

Security Policy Attributes

Context


Diagram: access types VPN, Wi-Fi and LAN; example users Nadeige (Marketing) and Alban (Development); office applications and VPN; all access passes through I.S.E


Use cases for 802.1X

Diagram: LAN, Intranet1, ISE

Printer = print VLAN

Camera = video VLAN

Specific equipment = ACL applied


Device profiling

Guest management

Compliance control (NAC)

ISE

Authentication / Authorization


Policy

Groups

Authentication

Authorization

Policy Set

Condition


ISE Policy Server (Cisco Prime)

Access methods: Wired, Wireless, VPN

Supports Cisco and 3rd-Party solutions via standard RADIUS, 802.1X, EAP, and VPN

Protocols: RADIUS, 802.1X = EAPoLAN, SSL / IPsec


ISE Node

• Maximum endpoints – 10,000 (platform dependent)

• Redundant sizing – 10,000 (platform dependent)

Diagram: one ISE node hosting Primary Admin and Primary Monitoring, a second hosting Secondary Admin and Secondary Monitoring; each node runs the PSN, MnT and PAN roles


• Redundant architecture

• Up to 40 PSNs

• 250,000 devices per cluster

Diagram: Data Center A and DC B each host Admin (P)/(S), Monitor (P)/(S), a Policy Services Cluster of PSNs, HA Inline Posture Nodes (IPN) and an AD/LDAP external ID/attribute store; Sites A, B and C connect through APs, WLCs (802.1X), switches (802.1X) and an ASA VPN, with Distributed Policy Services (PSN) at the sites


EAP methods between Supplicant and AAA Server

Non Tunneling Standards: EAP-MD5, EAP-TLS (Certificates)

Tunneling Methods (Encrypted Tunnel): PEAP, EAP-FAST, EAP-TTLS (not supported by ISE)

Inner methods (User Credentials): EAP-MSCHAPv2 (user/passwd), EAP-GTC (user/passwd or OTP)


• Integration of external identity stores

• MS Active Directory (2003, 2008, 2012)

• LDAPv3 servers

• External RADIUS server

• RSA and RFC-2865 server (One-Time Password/Token)

• Enterprise certificate server

• Password

• Certificates

• OTP


Root cause: Alice is not in the mycorp.fr domain

Alice, US sales director, has no access to the Paris site

Possible solutions:

1. Establish a two-way trust relationship between mycorp.com and mycorp.fr

2. Use a RADIUS proxy to forward *.mycorp.com requests to the US ISE

3. Use certificates from the enterprise global CA and perform LDAP authorization

Diagram: domain.com / domain.fr; 1) Two-way trust; 2) Proxy RADIUS (alice.domain.com); 3) mycorp root CA; sample credentials alice / c1sC0L1v


Corporate workstations + IT group + compliant posture = Unlimited access

iPad or Android tablet + Marketing group + not jailbroken = Web + Email access

Corporate smartphone + Employees + compliant MDM policy = Email + intranet access

Non-corporate smartphone + Employees = Deny Access (Lyon site)


Users, Custom, Location, Device type, Date/time, Posture, Access method
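The four authorization rules above, written as a first-match policy over the attribute families the slide lists. This is an added example, not code from the deck or from ISE; the attribute names, rule names and authorization profile names are constructed.

```python
# Added example, not from the Cisco deck: a first-match authorization policy
# built from the four rules on the slide. Attribute names and values are
# constructed for this example; ISE's real attribute dictionary differs.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass
class Session:
    """Context collected for one access attempt (constructed attributes)."""
    user: str
    groups: Set[str]               # AD/LDAP group membership
    device_type: str               # profiling result, e.g. "Workstation", "iPad"
    corporate: bool                # corporate-owned vs. personal device
    posture: str                   # "compliant", "non-compliant" or "unknown"
    jailbroken: bool = False
    mdm_compliant: bool = False
    location: str = "Paris"
    access_method: str = "wired"   # wired / wireless / vpn

@dataclass
class Rule:
    name: str
    match: Callable[[Session], bool]
    profile: str                   # authorization profile returned to the NAD

# Ordered rules: first match wins; the last rule is the catch-all default.
AUTHZ_POLICY: List[Rule] = [
    Rule("Corp-IT-Compliant",
         lambda s: s.corporate and s.device_type == "Workstation"
         and "IT" in s.groups and s.posture == "compliant",
         "Unlimited-Access"),
    Rule("Marketing-Tablet",
         lambda s: s.device_type in ("iPad", "Android-Tablet")
         and "Marketing" in s.groups and not s.jailbroken,
         "Web-Email"),
    Rule("Corp-Smartphone-MDM",
         lambda s: s.corporate and s.device_type == "Smartphone"
         and "Employees" in s.groups and s.mdm_compliant,
         "Email-Intranet"),
    Rule("Personal-Smartphone-Lyon",
         lambda s: not s.corporate and s.device_type == "Smartphone"
         and "Employees" in s.groups and s.location == "Lyon",
         "DenyAccess"),
    Rule("Default", lambda s: True, "DenyAccess"),
]

def authorize(session: Session) -> Tuple[str, str]:
    """Return (matched rule name, authorization profile) for a session."""
    for rule in AUTHZ_POLICY:
        if rule.match(session):
            return rule.name, rule.profile
    raise RuntimeError("policy has no default rule")
```

Note that a jailbroken tablet or a non-compliant corporate workstation matches no explicit rule and falls through to the default deny, which is the safe direction for a first-match policy.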


dACL or Named ACL

• Less disruptive to endpoint (no IP address change required)

• Improved user experience

• Increased ACL management

VLANs

• Does not require switch port ACL management

• Preferred choice for path isolation

• Requires VLAN proliferation and IP refresh

Security Group Access

• Simplifies ACL management

• Uniformly enforces policy independent of topology

• Fine-grained access control

Diagram: Guest VLAN 4, VLAN 3 Remediation; Employees / Contractor; Employee IP Any; Security Group Access—SXP, SGT, SGACL, SGFW


Classification of systems/users based on context (e.g. user role, device, location, access method)

TrustSec allows context info from ISE to be shared between switches, routers, WLCs and firewalls to make real-time decisions

Allows forwarding, filtering or inspection decisions to be based upon intelligent tags

Tags can be applied to individual users, servers, networks or network connections

Provides virtual network segmentation, flexible access control and FW rule automation

SGA Overview diagram: Users/Device -> Switch -> Router -> DC FW -> DC Switch -> HR Servers and Fin Servers (SGT = 4, SGT = 10); ISE provides Directory Classification (SGT:5), SGT Transport and Enforcement


Inline Tagging (data plane): if the device supports SGT in its ASIC, the SGT travels in the CMD field of the L2 Ethernet frame (optionally encrypted)

SXP (control plane): shared between devices that do not have SGT-capable hardware; the SXP IP-SGT binding table carries entries such as IP address 10.1.100.98 -> SGT 50 (SRC: Local)

Diagram: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, EOR, DC Access (Hypervisor SW, WLC, FW); the frame from SRC 10.1.100.98 leaves the hypervisor switch with no CMD and its IP-SGT binding is propagated over SXP


Diagram: Cat3750X, Cat6500, Enterprise Backbone, Cat6500, Nexus 7000, Nexus 5500, Nexus 2248, with WLC5508 and ASA5585

End user authenticated by ISE and classified as Employee (5)

SRC: 10.1.10.220, SGT: 5 -> DST: 10.1.100.52 (Web_Dir, SGT 20) and DST: 10.1.200.100 (CRM, SGT 30)

FIB Lookup: destination MAC/port -> SGT 20

Destination Classification: Web_Dir: SGT 20, CRM: SGT 30

SGACL matrix (SRC \ DST):

Employee (5): Web_Dir (20) -> SGACL-A, CRM (30) -> SGACL-B

BYOD (7): Web_Dir (20) -> Deny, CRM (30) -> Deny
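The enforcement step of the slide, simulated: resolve source and destination SGTs (inline CMD tag or IP-SGT binding table), look up the SRC/DST cell of the SGACL matrix, then evaluate the SGACL. This is an added example, not Cisco code; the addresses and tags are the slide's, while the SGACL contents and the 10.1.10.0/24 binding are constructed.

```python
# Added example, not Cisco code: how an SGT-capable device would enforce the
# SGACL matrix from the slide. The source SGT comes inline (CMD field) or from
# an SXP-learned IP-SGT binding table; the destination SGT comes from the
# destination classification. Addresses and tags are those on the slide; the
# SGACL entries and the 10.1.10.0/24 binding are constructed.
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# IP-SGT binding table (destination classification plus one access subnet)
IP_SGT_BINDINGS = {
    ip_network("10.1.100.52/32"): 20,    # Web_Dir
    ip_network("10.1.200.100/32"): 30,   # CRM
    ip_network("10.1.10.0/24"): 5,       # Employee access subnet (constructed)
}

# SGACL bodies: (protocol, destination port, permit). Constructed contents.
SGACLS = {
    "SGACL-A": [("tcp", 80, True), ("tcp", 443, True)],
    "SGACL-B": [("tcp", 8443, True)],
}

# Source SGT -> destination SGT -> policy, exactly as in the slide's matrix
SGACL_MATRIX = {
    5: {20: "SGACL-A", 30: "SGACL-B"},   # Employee
    7: {20: "Deny", 30: "Deny"},         # BYOD
}

def lookup_sgt(ip: str, inline_sgt: Optional[int] = None) -> Optional[int]:
    """Prefer the SGT carried inline in the CMD field; otherwise do a
    longest-prefix match in the binding table, as an SXP listener would."""
    if inline_sgt is not None:
        return inline_sgt
    addr = ip_address(ip)
    hits = [(net.prefixlen, sgt) for net, sgt in IP_SGT_BINDINGS.items() if addr in net]
    return max(hits)[1] if hits else None

def enforce(src_ip: str, dst_ip: str, proto: str, dport: int,
            inline_sgt: Optional[int] = None) -> Tuple[str, bool]:
    """Return (policy applied, permitted?) for one flow."""
    src_sgt, dst_sgt = lookup_sgt(src_ip, inline_sgt), lookup_sgt(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "Unclassified", False      # this example drops untagged flows
    policy = SGACL_MATRIX.get(src_sgt, {}).get(dst_sgt, "Deny")
    if policy == "Deny":
        return policy, False
    for p, port, permit in SGACLS[policy]:
        if p == proto and port == dport:
            return policy, permit
    return policy, False                  # implicit deny at the end of an SGACL
```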


Diagram: ASA 9.01 exchanging SXP with ISE (AAA; AD, LDAP directories; users, endpoints); Name to SGT table, e.g. Corp-servers SGT = 003, Mktg-server

Security Group: SGT received from ISE


Profiling

Profiler function

ISE

Devices connected to the network

Diagram labels: print VLAN, voice VLAN, SNMP only, dynamic VLAN, video surveillance VLAN, Internet only


ISE Policy Server (Cisco Prime); profiling probes: CDP/LLDP/DHCP/mDNS/MSI/H323/RADIUS, HTTP/DHCP/RADIUS, SNMP, DNS, NMAP/SNMP, NMAP, DHCP/NetFlow


• Device profiling via CDP, LLDP or DHCP

MAB or EAP-OL -> RADIUS Accounting -> ISE

RADIUS probe activation; filter DHCP, CDP or LLDP options/TLVs

! DHCP options the switch forwards to ISE in RADIUS accounting
device-sensor filter-list dhcp list my_dhcp_list
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list my_dhcp_list
! CDP TLVs forwarded to ISE
device-sensor filter-list cdp list my_cdp_list
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list my_cdp_list
! LLDP TLVs forwarded to ISE
device-sensor filter-list lldp list my_lldp_list
 tlv name system-name
 tlv name system-description
device-sensor filter-spec lldp include list my_lldp_list
! Send the collected attributes in accounting and on every change
device-sensor accounting
device-sensor notify all-changes
! DHCP snooping and LLDP must be running for the sensor to see the data
ip dhcp snooping
ip dhcp snooping vlan <x,y-z,…>
lldp run
interface <Interface>
 lldp receive


• Device Detection Based on DHCP and HTTP

WLC -> RADIUS Accounting -> ISE

Per WLAN enable/disable device profiling

DHCP (7.2.110.0): Hostname, Class Identifier

HTTP / Both (7.3): User Agent

FlexConnect with Central Switching supported: DHCP


Profiling Windows (User agent and/or DHCP)

Profiling Windows 7 (User agent)


Profile Policies Use a Combination of Conditions to Identify Devices

Is the MAC Address from Apple?

DHCP:host-name CONTAINS iPad

IP:User-Agent CONTAINS iPad

Profile Library: "I am fairly certain this device is an iPad" -> Assign this MAC Address to ID Group "iPad"
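An added example (not Cisco or ISE code) tying together the device-sensor DHCP filter list shown earlier and the iPad profile conditions above: it parses only the three listed DHCP options out of a constructed options blob, then scores the three conditions and assigns the ID group once a certainty threshold is reached. The certainty weights, the threshold and the Apple OUI set are constructed for the example and are not ISE's real values.

```python
# Added example, not Cisco/ISE code: parse the three DHCP options the
# device-sensor filter list above forwards (host-name 12, class-identifier 60,
# client-identifier 61) out of a constructed DHCP options blob, then score the
# iPad profile conditions from the slide. Certainty weights, the threshold and
# the Apple OUI set are constructed for this example, not ISE's real values.
from typing import Dict, Optional

DHCP_INCLUDE = {12: "host-name", 60: "class-identifier", 61: "client-identifier"}

def parse_dhcp_options(raw: bytes, include: Dict[int, str] = DHCP_INCLUDE) -> Dict[str, str]:
    """Walk the RFC 2132 option TLVs and keep only the listed codes, the way
    'device-sensor filter-spec dhcp include list' limits what is sent to ISE."""
    out, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:                          # end of options
            break
        if code == 0:                            # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):                    # truncated option: stop
            break
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if code in include:
            out[include[code]] = value.hex() if code == 61 else value.decode("ascii", "replace")
        i += 2 + length
    return out

APPLE_OUIS = {"3c:15:c2", "a4:5e:60"}   # constructed sample, not an authoritative OUI list

def ipad_certainty(mac: str, dhcp: Dict[str, str], user_agent: Optional[str]) -> int:
    """Add certainty points for every condition that matches."""
    score = 0
    if mac.lower()[:8] in APPLE_OUIS:
        score += 10                              # MAC address is from Apple
    if "ipad" in dhcp.get("host-name", "").lower():
        score += 20                              # DHCP:host-name CONTAINS iPad
    if user_agent and "ipad" in user_agent.lower():
        score += 30                              # IP:User-Agent CONTAINS iPad
    return score

def assign_id_group(mac: str, dhcp: Dict[str, str], user_agent: Optional[str],
                    threshold: int = 30) -> str:
    """Assign the MAC to the "iPad" ID group once certainty reaches the threshold."""
    return "iPad" if ipad_certainty(mac, dhcp, user_agent) >= threshold else "Unknown"

# Constructed options: host-name, a parameter-request list (code 55, filtered
# out), a client-identifier of type 1 (Ethernet) + MAC, then the end marker.
SAMPLE_OPTIONS = (bytes([12, 13]) + b"Nadeiges-iPad"
                  + bytes([55, 3, 1, 3, 6])
                  + bytes([61, 7]) + bytes.fromhex("013c15c2aabbcc")
                  + bytes([255]))
```

With the MAC OUI and the DHCP host-name alone the constructed score reaches the threshold; the HTTP User-Agent probe only raises the certainty further, which is why the slide's WLC profiling works with DHCP even before any web traffic is seen.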

Probes: RADIUS, DHCP, IP, SNMP, NetFlow, NMAP, LLDP, CDP

ISE: Posture control

Analysis of the workstation's security policy: security patches, antivirus, antispyware, personal firewalls, processes ...


ISE posture elements

Files

Registry key

Applications

Service

Multiple conditions

AntiVirus

AntiSpyware

Custom conditions


ISE: Posture control

Workstation compliant with the security policy


ISE: Posture control, non-compliant workstation

Quarantine

Remediation


Posture remediation

AV/AS update, file installation, program execution

Remediation URL, Windows Update server


ISE report example

User2, Windows 7 64-bit workstation, McAfee AV, MS and McAfee antispyware, workstation compliant with the security policy
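The posture flow of the last few slides as an added example (not ISE code): requirements of the listed kinds (service, antivirus currency, registry key, file, compound AND/OR conditions) are evaluated against a constructed endpoint snapshot, each failed requirement is mapped to one of the remediation types named above, and a non-compliant result leads to quarantine. All paths, registry keys, service names and URLs are constructed.

```python
# Added example, not ISE code: evaluate posture requirements of the kinds listed
# above (file, registry key, service, antivirus, compound conditions) against a
# constructed snapshot of an endpoint, and map each failed requirement to the
# remediation type the slides name. Paths, keys and names are constructed.
from typing import Callable, Dict, List, Tuple

Endpoint = Dict[str, object]
Cond = Callable[[Endpoint], bool]

def file_exists(path: str) -> Cond:
    return lambda e: path in e["files"]

def reg_equals(key: str, expected) -> Cond:
    return lambda e: e["registry"].get(key) == expected

def service_running(name: str) -> Cond:
    return lambda e: name in e["services"]

def av_current(max_age_days: int) -> Cond:
    return lambda e: e["av_def_age_days"] <= max_age_days

def all_of(*conds: Cond) -> Cond:        # "multiple conditions", AND
    return lambda e: all(c(e) for c in conds)

def any_of(*conds: Cond) -> Cond:        # "multiple conditions", OR
    return lambda e: any(c(e) for c in conds)

# requirement -> (condition, remediation type, remediation target); constructed
REQUIREMENTS: Dict[str, Tuple[Cond, str, str]] = {
    "Antivirus running and current":
        (all_of(service_running("McAfeeFramework"), av_current(7)),
         "AV/AS update", "https://remediation.example.invalid/av"),
    "Personal firewall enabled":
        (reg_equals(r"HKLM\SOFTWARE\Constructed\FirewallEnabled", 1),
         "Program execution", r"C:\Remediation\enable-firewall.exe"),
    "Security patch KB-CONSTRUCTED present":
        (any_of(file_exists(r"C:\Windows\kb_constructed.dll"),
                reg_equals(r"HKLM\SOFTWARE\Constructed\KB-CONSTRUCTED", "installed")),
         "Windows Update server", "wsus.example.invalid"),
}

def posture_check(endpoint: Endpoint) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return ("Compliant", []) or ("NonCompliant", failed requirements + remediation)."""
    failed = [(name, kind, target)
              for name, (cond, kind, target) in REQUIREMENTS.items()
              if not cond(endpoint)]
    return ("Compliant" if not failed else "NonCompliant"), failed

def access_decision(endpoint: Endpoint) -> str:
    """Compliant posture keeps normal access; otherwise quarantine with remediation."""
    status, failed = posture_check(endpoint)
    return "Permit" if status == "Compliant" else "Quarantine: " + ", ".join(k for _, k, _ in failed)
```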


Wi-Fi

LAN

Internet

Wireless and wired portal


ISE: Guest account creation

Step 1: Log in to the guest account creation account

Step 2: Provide the guest's details: last name, first name, email, company, reason for the visit

Step 3: Print, email or SMS the parameters of the temporary account


“I need to improve my customer service”

“Team members need to stay connected with their smartphones”

“I want to offer new collaboration tools”

“I need to manage a fleet of smartphones and tablets”

“I need to stay ahead of the competition”

“My users want to use their own devices and I have to offer a solution”

“I need to give partners, consultants and customers network access”

“I have a specific use case”


Wi-Fi deployment in the enterprise

Limited access

Onboarding of guests / partners / customers; access policy to manage access to content

Basic

Mobile infrastructure for all devices, from anywhere, with fleet and application management

Standard

“Next Generation Workspace” on an intelligent network

Advanced


BYOD: an enterprise project that involves several departments

Human resources

Finance and Regulation

Security team

Applications / Systems

Office workstations

Network team

and opens the door to many possibilities ...


ISE

Authentication

WLC

“This is an iPad” (profiling)

Certificate server

Device registration

Provisioning: certificate / profile

Unregistered device: limited access; registered and provisioned device: full access to the enterprise network

MDM / ISE API


NETWORK ENABLEMENT (ISE): AUP; Classification/Profiling; Registration; Secure Unified Access (Wireless, Wired, VPN); Context-Aware Access Control (Role, Location, etc.); Cert + Supplicant Provisioning; User <-> Device Ownership; Mobile + PC. User Managed Device, Network-Based IT Control

FULL MANAGEMENT (MDM): Enterprise Software Distribution; Inventory Management; Management (Backup, Remote Wipe, etc.); Policy Compliance (Jailbreak, Pin Lock, etc.); Secure Data Containers; Cost Management. User/IT Co-Managed Device, Device and Network-Based IT Control


Profile, Encryption, JailBroken, Registered


• User / Administrator can issue remote actions on the device through MDM server (Example: remote wiping the device)

My Devices Portal (User Interface) and ISE Endpoints Directory (Admin Interface)

Actions: Edit, Reinstate, Lost?, Delete, Full Wipe, Corporate Wipe, PIN Lock


• ISE reports for MDMs


Additional data coming from ISE


• User 360°

Apple iPhone, Microsoft Workstation

User, Device, Access policy, Applications


Syslog and NetFlow telemetry from Cisco switches and routers, ASA 5500, IPS and other security devices

Unified view: threat analysis & context

ISE sends context information (user, device, ...) to the partner SIEM device.

Logs, NetFlow

Cisco ISE


Putting these ideas into action

• What is the “next step”?

BYOD is not a product but a strategy to build

You already have many of the building blocks

Every company has a different view of the BYOD spectrum

Cisco can support you through the change

Cisco has all the components

Product portfolio, expertise, architectural vision

Let’s get started…

Thank you.