Secure Borderless


Transcript of Secure Borderless

Page 1: Secure Borderless
Page 2: Secure Borderless

© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-2000 Cisco Public 2

Securing Borderless Networks BRKSEC-2000

Page 3: Secure Borderless


Christopher Heffner, CCIE #8211 Security Consulting Engineer


Page 4: Secure Borderless


Housekeeping

We value your feedback. Don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday.

Please remember this is a 'non-smoking' venue!

Please set your mobile phones to stun mode

Please make use of the recycling bins provided

Please remember to wear your badge at all times

NO discussions on future products

Please remember your NDAs when asking questions

Page 5: Secure Borderless


Session Abstract

This session explains the security technology behind Cisco Borderless Networks.

We compare and contrast the networks of yesterday versus today and the issues that network and security administrators face with these evolving networks.

A business case is presented to introduce common network security challenges and how Borderless Network technology solves them.

The technologies covered include Secure Mobility, Web and Email Security, AnyConnect SSL VPN, user and device authorization, network device profiling, supplicant agents, posture assessment, Guest Access, Security Group Access (SGA), and IEEE 802.1AE (MACsec).

Page 6: Secure Borderless


Session Objectives

At the end of the session, you should understand:

• The Cisco Borderless Network Architecture

• The technology that makes up the Borderless Networks portfolio, including Cisco Firewall, IPS and Content Security

• How to design and implement Secure Mobility

• Benefits of TrustSec and MACsec technologies

You should also:

• Have questions for the Q&A section of the session

• Provide us with feedback via the Cisco Live online survey

• Attend related sessions that interest you

Page 7: Secure Borderless


Agenda

Networks of Yesterday

Networks of Today

Borderless Networks – What does that mean?

Case Study – Future Healthcare

Cisco AnyConnect Secure Mobility Design

Cisco TrustSec Design

Q&A

Page 8: Secure Borderless

Networks of Yesterday

Page 9: Secure Borderless


Networks of Yesterday

Page 10: Secure Borderless


Network Security of Yesterday

Corporate Assets

Corporate Connectivity

Limited Remote Connectivity

Employees Only Access

Routers

Firewalls

Switches

Page 11: Secure Borderless


Network Security Policy Yesterday

Authentication

Authorization

Accounting

Secure Access Control

Page 12: Secure Borderless

Networks of Today

Page 13: Secure Borderless


Networks of Today

Page 14: Secure Borderless


Network Security of Today

Corporate and Commercialized Assets

Corporate, Partner, Public, Cloud Connectivity

Employees, Contractors and Guests Access

Routers, Switches, Firewalls, IPS

Virtualized Data Centers

ISE, NAC, Posture Control

Wireless Infrastructures

Email and Web Security

Unified Communications

Mobile Smart Devices – The iRevolution

Page 15: Secure Borderless


Network Security Policy Today

Who are you?

‒ Employee, Partner, Contractor, Guest

What are you doing?

‒ Data Entry, Access HR Records, Accessing Payroll

Where are you going?

‒ Intranet, Extranet, Internet, Cloud Services

When are you connecting?

‒ 8am-5pm, After Hours, Weekends

How are you connecting?

‒ Corporate Wired, Corporate Wireless, Public Wireless

‒ Hotel Guest Network, Home Network

Page 16: Secure Borderless

Borderless Networks Evolution

Page 17: Secure Borderless


Borderless Networks Evolution

Self-Defending Networks

SAFE Blueprints

Borderless Networks Architecture

Page 18: Secure Borderless


Self-Defending Networks

Network and Endpoint Security

Content Security

Application Security

System Management and Control

Page 19: Secure Borderless


SAFE Blueprints

SAFE Small Business

SAFE Medium Business

SAFE Enterprise Business

SAFE Remote

SAFE Campus

SAFE Data Center

SAFE Internet

SAFE Wide Area Network

Page 20: Secure Borderless


Borderless Networks Architecture

What it is:

‒ Architecture for secure connectivity of:

• Any Device

• Any Place

• Any Time

What it does (its vision):

‒ Provides consistent user experience & security policies on any device, any place

at any time.

What it does (business benefit):

‒ Simplifies Secure Connections to resources

‒ Improves workforce productivity through flexibility.

Page 21: Secure Borderless


Borderless Networks Architecture

Technology Benefit

‒ Borderless Networks transforms the way IT governs networks by linking users,

devices, applications, and business processes - together.

Value Proposition:

‒ Cisco Borderless Networks securely, reliably, and seamlessly connects people,

information, and devices.

Page 22: Secure Borderless


Borderless Networks Design Benefits

Secure – Risk mitigation to protect corporate assets and data

Reliable – Business continuity

Seamless – Productivity-driven growth

Accelerates Business Innovation and Transformation

Page 23: Secure Borderless


Borderless Networks Design Elements

Architecture for Agile Delivery of the Borderless Experience, layered top to bottom:

BORDERLESS END-POINT/USER SERVICES
‒ Securely, Reliably, Seamlessly: AnyConnect

BORDERLESS NETWORK SERVICES
‒ Security: TrustSec
‒ Mobility: Motion
‒ App Performance: App Velocity
‒ Energy Management: EnergyWise
‒ Multimedia Optimization: Medianet

BORDERLESS NETWORK SYSTEMS
‒ Extended Edge, Extended Cloud, Unified Access, Core Fabric

BORDERLESS INFRASTRUCTURE
‒ Switching, Security, Routing, Wireless, Application Networking/Optimization

Across all layers: Policy, Management, APIs, Cisco Lifecycle Services, Cisco Smart Services

Page 24: Secure Borderless

Case Study –

Future HealthCare

Page 25: Secure Borderless


Future HealthCare

Employees need secure remote access to corporate intranet and email

systems

Doctors need secure remote access to patient information and email

systems

Doctors want access to patient data and internet

Employees want access to the internet and email

Patients want access to the internet and web mail

CTO has security and regulation requirements

CSO needs prevention of email spear-phishing attacks

IT needs corporate devices secure while still providing network access to

commercialized mobile devices

IT Network Issues

Page 26: Secure Borderless


Secure Remote Access

Question:

‒ How does IT provide employees secure remote access to corporate intranet and email systems?

Answer:

‒ Virtual Private Networks (VPNs)

‒ Typically IPsec and/or SSL VPN tunnel connections

‒ Firewalls, routers and IPS

Issues:

‒ Full tunneling: all traffic, including Internet browsing, hairpins through the corporate site and consumes VPN and Internet bandwidth there

‒ Split tunneling: Internet traffic leaves the endpoint directly and bypasses corporate web security entirely

‒ Internet access: either way, IT must decide how remote users' web traffic gets the same inspection and policy as on-campus users

Page 27: Secure Borderless


Cisco AnyConnect Secure Mobility

Question:

‒ How does IT provide employees secure remote access to corporate intranet and

email systems?

Answer:

‒ Cisco AnyConnect Secure Mobility

The New Answer

Page 28: Secure Borderless


Cisco AnyConnect Secure Mobility

AnyConnect SSL VPN client software connects to the corporate ASA firewall VPN endpoint.

The ASA group policy enforces full tunneling only (no split tunnel), so every packet from the remote endpoint, including Internet-bound web traffic, enters the tunnel.

Use the route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled command to point all decrypted VPN traffic at an inside next hop; the tunneled keyword makes this default route apply to VPN traffic only, so it does not change routing for the rest of the ASA.

The inside endpoint (router/L3 switch) sends the traffic back to the ASA via its own default route.

The ASA WCCP configuration then redirects the returning web traffic (TCP 80/443) to the IronPort Web Security Appliance for proxy services, so remote users get the same web policy and malware scanning as on-campus users.

What is it and How Does it Work?

Page 29: Secure Borderless


Cisco AnyConnect Secure Mobility: components shown are Cisco AnyConnect 2.5, Cisco ASA 8.3 and Cisco IronPort WSA 7.0

Page 30: Secure Borderless


Cisco Secure Mobility

Cisco ASA Firewall

‒ SSL VPN Peer Licenses based on remote user count

‒ AnyConnect Essentials or Premium License

‒ AnyConnect for Mobile License

Cisco IronPort Web Security Appliance

‒ AsyncOS version 7.x

‒ Cisco Mobile User Security Feature Key License

Cisco AnyConnect VPN Client

‒ Version 3.0 or higher (recommended)

Licensing Requirements

Page 31: Secure Borderless


Features and Licensing Matrix: Cisco AnyConnect

Ess = Essentials, Prem = Premium, SM = Secure Mobility

License columns: AnyConnect Ess Only | AnyConnect Ess + SM | AnyConnect Prem Only | AnyConnect Prem + SM

Cisco AnyConnect features compared across those columns (availability per column not shown):

• Auto headend detection

• Tethered device support (phone synchronization)

• Access to local printers through endpoint firewall rules

• Always-on VPN

• Fail-open and fail-close policy support

• Captive portal

• Clientless VPN

• Cisco Secure Desktop

• Quarantine indication if posture assessment fails

• Web security

Page 32: Secure Borderless


ASA Licensing

ASA-5510# show version

....

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual

Maximum VLANs : 100 perpetual

Inside Hosts : Unlimited perpetual

Failover : Active/Active 365 days

VPN-DES : Enabled perpetual

VPN-3DES-AES : Enabled 365 days

Security Contexts : 2 perpetual

GTP/GPRS : Disabled perpetual

SSL VPN Peers : 25 365 days

Total VPN Peers : 250 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Enabled 365 days

AnyConnect for Cisco VPN Phone : Enabled 365 days

AnyConnect Essentials : Enabled perpetual

Advanced Endpoint Assessment : Enabled 365 days

UC Phone Proxy Sessions : 26 365 days

Total UC Proxy Sessions : 26 365 days

Botnet Traffic Filter : Enabled 365 days

Intercompany Media Engine : Disabled perpetual

….

Show Version

Page 33: Secure Borderless


Cisco IronPort WSA Feature Keys: Cisco Mobile User Security License

Page 34: Secure Borderless


Cisco Secure Mobility

See the Cisco ASA Secure Mobility Configuration Appendix for a step-by-step ASDM configuration guide for setting up the Cisco AnyConnect SSL VPN network.

Configuration

Page 35: Secure Borderless


Configure Secure Mobility on ASA

From ASDM: Configuration > Remote Access VPN > Network (Client) Access > Secure Mobility Solution

‒ Click the Add button

‒ Choose the interface used to communicate with the WSA (typically the Inside or DMZ interface)

‒ Enter the IP address of the WSA and its subnet mask

‒ Click OK

‒ Make sure the "Enable Mobile User Security" checkbox is enabled and the service port is 11999 (default)

‒ Set the password that secures the ASA-to-WSA channel; the same password is entered on the WSA when Secure Mobility is enabled there

‒ Click Apply

IronPort WSA Mobile User Security Configuration

Page 36: Secure Borderless


Configure Secure Mobility on ASA: ASDM Configuration

Page 37: Secure Borderless


Verify Secure Mobility on ASA: Show WSA Sessions

Page 38: Secure Borderless


Configure Secure Mobility on WSA

Log in to the Web Security Appliance

Navigate to Web Security Manager > Identities

Click Add Identity

Define Members by User Location: Remote Users Only

Define Members by Protocol: HTTP/HTTPS Only

Define Members by Authentication: Identify Users Transparently through Cisco ASA Integration

Authentication Surrogate for Transparent Proxy Mode: IP Address

Click Submit and Commit

Unique Access Policies can now be set for "Remote Users": the ASA passes each VPN session's user name and assigned IP address to the WSA, so remote users are identified without a second login and get policy tied to their identity rather than to a pool address.

WSA Identity Configuration

Page 39: Secure Borderless


Configure Secure Mobility on WSA

WSA Configuration

Page 40: Secure Borderless


Configure WCCP Access Lists on ASA

Configure the group list that identifies the WCCP appliance (the WSA at 10.1.1.15); only hosts matched here may join the service group:

access-list WSA extended permit ip host 10.1.1.15 any

Configure the redirect list for proxied traffic. The first entry excludes the WSA's own outbound requests so that proxied fetches are not redirected back to the WSA in a loop; the remaining entries select only HTTP and HTTPS from the 10.1.254.0/24 source range:

access-list WSA-Redirect extended deny ip host 10.1.1.15 any

access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq www

access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq https

Assign the redirect list and group list to WCCP service group 90 and enable redirection inbound on the inside interface, where the hairpinned VPN traffic re-enters the ASA:

wccp 90 redirect-list WSA-Redirect group-list WSA

wccp interface inside 90 redirect in

Access Lists Configuration Example
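The following is an added example, not part of the original deck or of Cisco's tooling, that evaluates the two access lists above the way the ASA would (first match wins, an implicit deny ends each list, masks are subnet masks rather than wildcard masks), so the redirect behaviour can be checked before the configuration is committed. It assumes 10.1.254.0/24 is the AnyConnect address pool; the test addresses are constructed.

```python
"""
Added example (not from the BRKSEC-2000 deck or from Cisco): evaluates the two ASA
access lists of the WCCP example the way the ASA does, so the redirect behaviour can
be checked before the config is committed. Modelled ASA semantics: first match wins,
an implicit deny ends every list, masks are subnet masks (not wildcard masks).
Assumption: 10.1.254.0/24 is the AnyConnect address pool; test addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

# The access lists exactly as on the slide (input for the demo).
ASA_CONFIG = [
    "access-list WSA extended permit ip host 10.1.1.15 any",
    "access-list WSA-Redirect extended deny ip host 10.1.1.15 any",
    "access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq www",
    "access-list WSA-Redirect extended permit tcp 10.1.254.0 255.255.255.0 any eq https",
]


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address spec (any | host A.B.C.D | A.B.C.D MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes "network mask"; ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(lines: List[str]) -> Dict[str, List[Ace]]:
    """Group 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines by ACL name."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"unsupported ACE: {line!r}")
        name, action, proto = tok[1], tok[3], tok[4]
        src, i = _address(tok, 5)
        dst, i = _address(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def matches(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """First-match evaluation; falling off the end is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def wccp_redirects(acls: Dict[str, List[Ace]], proto: str, src: str, dst: str,
                   dport: Optional[int] = None) -> bool:
    """Would 'wccp 90 redirect-list WSA-Redirect' hand this flow (seen inbound on inside) to the WSA?"""
    return matches(acls["WSA-Redirect"], proto, src, dst, dport)


def wccp_accepts_appliance(acls: Dict[str, List[Ace]], appliance_ip: str) -> bool:
    """Would 'group-list WSA' let a cache engine at this address join service group 90?
    Only the source matters here; the destination is a placeholder inside 'any'."""
    return matches(acls["WSA"], "ip", appliance_ip, "0.0.0.0")


if __name__ == "__main__":
    acls = parse_acls(ASA_CONFIG)
    for proto, src, dst, port in [("tcp", "10.1.254.20", "203.0.113.5", 80),
                                  ("tcp", "10.1.254.20", "203.0.113.5", 25),
                                  ("tcp", "10.1.1.15", "203.0.113.5", 80)]:
        print(f"{proto} {src} -> {dst}:{port} redirected: {wccp_redirects(acls, proto, src, dst, port)}")
```

Running it shows that only TCP 80/443 from the pool reaches the WSA, that the WSA's own traffic is never redirected (which is what prevents a redirect loop), and that an appliance at any other address cannot join service group 90. Because redirection is applied inbound on the inside interface, only traffic that the tunneled default route has hairpinned through the inside router is ever considered; traffic arriving on other interfaces is untouched by this service group.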

Page 41: Secure Borderless


Configure WCCP Service Groups on ASA

From ASDM – Configuration > Device Management > Advanced > WCCP

> Service Groups

‒ Click Add button

‒ Service: Dynamic Service Number: 90

‒ Options: Redirect List: WSA-Redirect

‒ Options: Group List: WSA

‒ Click OK

Cisco ASDM Configuration

Page 42: Secure Borderless


Cisco WCCP Service Groups on ASA: Cisco ASDM Example

Page 43: Secure Borderless


Configure WCCP Redirection on ASA

From ASDM – Configuration > Device Management > Advanced > WCCP

> Redirection

‒ Click Add button

‒ Interface: Inside

‒ Service Group: 90

‒ Click OK

‒ Click Apply

‒ Click Save

Cisco ASDM Configuration

Page 44: Secure Borderless


Cisco WCCP Service Groups on ASA: Cisco ASDM Example

Page 45: Secure Borderless


Cisco ASA 5500 Series Portfolio: Comprehensive Solutions from SOHO to the Data Center

The figure plots the models by performance and scalability against deployment (Internet Edge, Branch Office, Campus, Data Center). Values are firewall throughput and connections per second.

Firewall/VPN Only

‒ SOHO: ASA 5505 (150 Mbps, 4K cps)

Multi-Service (Firewall/VPN and IPS), lowest to highest throughput

‒ ASA 5510 (300 Mbps, 9K cps)

‒ ASA 5510+ (300 Mbps, 9K cps)

‒ ASA 5520 (450 Mbps, 12K cps)

‒ ASA 5540 (650 Mbps, 25K cps)

‒ ASA 5512-X, NEW (1 Gbps, 10K cps)

‒ ASA 5550 (1.2 Gbps, 36K cps)

‒ ASA 5515-X, NEW (1.2 Gbps, 15K cps)

‒ ASA 5525-X, NEW (2 Gbps, 20K cps)

‒ ASA 5545-X, NEW (3 Gbps, 30K cps)

‒ ASA 5555-X, NEW (4 Gbps, 50K cps)

‒ ASA 5585-X SSP-10 (4 Gbps, 50K cps)

‒ ASA 5585-X SSP-20 (10 Gbps, 125K cps)

‒ ASA 5585-X SSP-40 (20 Gbps, 200K cps)

‒ ASA 5585-X SSP-60 (40 Gbps, 350K cps)

Page 46: Secure Borderless


Cisco ASA 5500 Series Product Lineup: Mid-Range Solutions

Specification              ASA 5505           ASA 5510           ASA 5520        ASA 5540        ASA 5550
Typical Deployment         SOHO               Branch Office      Internet Edge   Internet Edge   Data Center
Performance
  Max Firewall             150 Mbps           300 Mbps           450 Mbps        650 Mbps        1.2 Gbps
  Max Firewall + IPS       Future             300 Mbps           375 Mbps        450 Mbps        1.2 Gbps
  Max IPsec VPN            100 Mbps           170 Mbps           225 Mbps        325 Mbps        425 Mbps
  Max IPsec/SSL VPN Peers  25/25              250/250            750/750         5000/2500       5000/5000
Platform Capabilities
  Max Firewall Conns       10,000/25,000      50,000/130,000     280,000         400,000         650,000
  Max Conns/Second         4000               9000               12,000          25,000          36,000
  Packets/Second (64 byte) 85,000             190,000            320,000         500,000         600,000
  Base I/O                 8-port FE switch   5 FE               4 GE + 1 FE     4 GE + 1 FE     8 GE + 1 FE
  VLANs Supported          3/20 (trunk)       50/100             150             200             400
  HA Supported             Stateless A/S      A/A and A/S        A/A and A/S     A/A and A/S     A/A and A/S
                           (Security Plus)    (Security Plus)

Paired values: VPN Peers = IPsec / SSL; Max Firewall Conns and VLANs on the 5505 and 5510 = Base / Security Plus license.

Page 47: Secure Borderless


Next Generation ASA Mid-Range Appliances

ASA 5500-X H/W Features

• 64-bit multi-core processor

• Up to 16 GB of memory

• Built-in multi-core crypto accelerator hardware

• Dedicated IPS hardware acceleration card

• Up to 14 1GE ports

• Copper and fiber I/O options

• Firewall, VPN and IPS services

• Dedicated OOB management port

Customer Benefits

• Performance

• Density

• Flexibility

• Integrated Services

• Management Consolidation

Page 48: Secure Borderless


Next Generation Security Services Appliances: 5 New Models to Meet Varied Throughput Demands

ASA 5512-X: 1 Gbps firewall throughput

ASA 5515-X: 1.2 Gbps firewall throughput

ASA 5525-X: 2 Gbps firewall throughput

ASA 5545-X: 3 Gbps firewall throughput

ASA 5555-X: 4 Gbps firewall throughput

1. Multi-gig performance, to meet growing throughput requirements

2. Accelerated integrated services (no extra hardware required), to support changing business needs

3. Next-gen services enabled platform, to provide investment protection

Page 49: Secure Borderless


Cisco ASA 55xx-X Series Product Lineup

ASA 5512-X: 1RU short chassis, 19" rack mountable; CPU 1x 2.8 GHz Intel 2C/2T; DRAM 4 GB; regex accelerator mezzanine card N/A; compact flash 4 GB eUSB; I/O 6x 1GbE Cu + 1x 1GbE Cu management; optional I/O module 6x 1GbE Cu or 6x 1GbE SFP; single fixed AC power supply; crypto capacity 1x crypto chip, 4 cores

ASA 5515-X: 1RU short chassis, 19" rack mountable; CPU 1x 3.06 GHz Intel 2C/4T; DRAM 8 GB; regex accelerator mezzanine card N/A; compact flash 8 GB eUSB; I/O 6x 1GbE Cu + 1x 1GbE Cu management; optional I/O module 6x 1GbE Cu or 6x 1GbE SFP; single fixed AC power supply; crypto capacity 1x crypto chip, 4 cores

ASA 5525-X: 1RU short chassis, 19" rack mountable; CPU 1x 2.40 GHz Intel 4C/4T; DRAM 8 GB; 1 regex accelerator mezzanine card; compact flash 8 GB eUSB; I/O 8x 1GbE Cu + 1x 1GbE Cu management; optional I/O module 6x 1GbE Cu or 6x 1GbE SFP; single fixed AC power supply; crypto capacity 1x crypto chip, 4 cores

ASA 5545-X: 1RU long chassis, 19" rack mountable; CPU 1x 2.66 GHz Intel 4C/8T; DRAM 12 GB; 1 regex accelerator mezzanine card; compact flash 8 GB eUSB; I/O 8x 1GbE Cu + 1x 1GbE Cu management; optional I/O module 6x 1GbE Cu or 6x 1GbE SFP; dual hot-swappable redundant AC power supplies; crypto capacity 1x crypto chip, 8 cores

ASA 5555-X: 1RU long chassis, 19" rack mountable; CPU 1x 2.80 GHz Intel 4C/8T; DRAM 16 GB; 1 regex accelerator mezzanine card; compact flash 8 GB eUSB; I/O 8x 1GbE Cu + 1x 1GbE Cu management; optional I/O module 6x 1GbE Cu or 6x 1GbE SFP; dual hot-swappable redundant AC power supplies; crypto capacity 1x crypto chip, 8 cores

Page 50: Secure Borderless


Cisco ASA 5585-X Series Product Lineup: Enterprise Solutions

Specification              5585-X SSP-10     5585-X SSP-20     5585-X SSP-40     5585-X SSP-60
Typical Deployment         Data Center       Data Center       Data Center       Data Center
Performance
  Max Firewall             4 Gbps            10 Gbps           20 Gbps           40 Gbps
  Max Firewall + IPS       2 Gbps            3 Gbps            5 Gbps            10 Gbps
  Max IPsec VPN            1 Gbps            2 Gbps            3 Gbps            5 Gbps
  Max IPsec/SSL VPN Peers  5,000 / 5,000     10,000 / 10,000   10,000 / 10,000   10,000 / 10,000
Platform Capabilities
  Max Firewall Conns       1,000,000         2,000,000         4,000,000         10,000,000
  Max Conns/Second         65,000            140,000           240,000           350,000
  Packets/Second (64 byte) 1,500,000         3,200,000         6,000,000         10,500,000
  Base I/O                 8 GE + 2 10GE     8 GE + 2 10GE     6 GE + 4 10GE     6 GE + 4 10GE
  VLANs Supported          1024              1024              1024              1024
  HA Supported             A/A and A/S       A/A and A/S       A/A and A/S       A/A and A/S

Page 51: Secure Borderless


Secure Mobility: Cisco ScanSafe Cloud Services

Web Security

• Anti-malware protection

• Web content analysis

• Script emulation

Web Filtering

• Web Usage Controls

• Application Visibility

• Bi-directional control

Centralized Reporting

Page 52: Secure Borderless


Cisco ScanSafe Cloud Services Solution Overview

ScanSafe offers consistent, enforceable, high performance Web security and policy, regardless of where or how users access the internet.

Page 53: Secure Borderless

Cisco Secure Mobility Demo

Page 54: Secure Borderless

Case Study – Review

Future HealthCare

Page 55: Secure Borderless


Future HealthCare Goals

Employees need secure remote access to corporate intranet and email

systems

Doctors need secure remote access to patient information and email

systems

Doctors want access to patient data and internet

Employees want access to the internet and email

Patients want access to the internet and web mail

CTO has security and regulation requirements

CSO needs prevention of email spear-phishing attacks

IT needs corporate devices secure while still providing network access to

commercialized mobile devices

Review IT Network Issues

Page 56: Secure Borderless


Future HealthCare Review

Need to provide security by providing real-time visibility into, and control over, all users and devices on your network.

Need to enable effective corporate compliance by creating consistent policies across the corporate infrastructure.

Need to help streamline IT and network staff productivity by automating labor-intensive tasks.

What Still Needs to be Done?

Page 57: Secure Borderless

TrustSec

Page 58: Secure Borderless


What is TrustSec?

TrustSec is an umbrella term used to describe and cover all things that

have to do with “Identities”

TrustSec is all about providing identity-based access policies to tell

network and security administrators who and what is connecting to your

networks.

In general terms think of TrustSec as the next generation of network

admission control (NAC)

Page 59: Secure Borderless


Benefits of TrustSec

Identify users and/or devices before granting access to network resources

Extend access enforcement throughout the network

Guest access

Identify non-authenticating IP-based devices

Capability to know what is on your network

Controlling access to restricted devices and/or data

Secure sensitive data

Page 60: Secure Borderless


TrustSec Technologies

IEEE 802.1X (dot1x), wired and wireless

Security Group Access (SGA)

MACsec (IEEE 802.1AE)

Profiling

Guest Services

Page 61: Secure Borderless

Identity Services Engine

Page 62: Secure Borderless


How do we do this?

Identity Services Engine (ISE) is a Cisco Security policy engine that

allows security administrators to control and manage access to the

corporate network for

Any One

Any Device

Any Where

Any Time

Page 63: Secure Borderless


Questions You Should be Asking Yourself: ISE Policies for People and Devices

Non-User Devices

• How do I discover non-user devices?

• Can I determine what they are?

• Can I control their access?

• Are they being spoofed?

Guest Access

• Can I allow guests Internet-only access?

• How do I manage guest access?

• Can this work in wireless and wired?

• How do I monitor guest activities?

Authorized Access

• How can I restrict access to my network?

• Can I manage the risk of using personal PCs, tablets, smart-devices?

• Access rights on-prem, at home, on the road?

• Are devices healthy?

Page 64: Secure Borderless


Future HealthCare Business Case Review

Now we are able to identify when a doctor, nurse or corporate employee is logging in to the network.

From the user identity, we can define policies that grant, limit and/or restrict access to network devices and data.

Contractors, vendors, patients and guest users can be given Internet and printer access only.

Devices that cannot authenticate, such as medical devices, printers, badge readers, security cameras and phones, can be profiled and given controlled network access.

Permit, restrict or deny access based on the posture assessment of a device, in real time.

How Does this Help our Business Case?

Page 65: Secure Borderless


Advantages of Identity Services Engine

Consolidated Services, Software Packages: Simplify Deployment & Admin
‒ ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidated into ISE

Session Directory: Tracks Active Users & Devices
‒ User ID, Access Rights, Location, Device (& IP/MAC)

Flexible Service Deployment: Optimize Where Services Run
‒ Admin Console, Distributed PDPs, M&T, All-in-One HA Pair

Policy Extensibility: Link in Policy Information Points

Manage Security Group Access: Keep Existing Logical Design
‒ SGT matrix example (source group against destination):

             Public    Private
    Staff    Permit    Permit
    Guest    Permit    Deny

System-wide Monitoring & Troubleshooting: Consolidate Data, Three-Click Drill-In

Page 66: Secure Borderless


ISE Packaging and Licensing

Base Feature Set (Perpetual Licensing)

• Authentication / Authorization

• Guest Provisioning

• Link Encryption Policies

Advanced Feature Set (Term Licensing)

• Device Profiling

• Host Posture

• Security Group Access

Appliance Platforms: Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance

Page 67: Secure Borderless


ISE Sample Topology

Page 68: Secure Borderless


A Practical Example of Policies

Topology: Cisco Identity Services Engine, Cisco Wireless LAN Controller, Cisco Access Point and Cisco switches in a Campus Network, with Internal Resources on one side and the Internet on the other.

Policies:

‒ "Printers should only ever communicate internally"

‒ "Employees should be able to access everything but have limited access on personal devices"

‒ "Everyone's traffic should be encrypted"
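As an added example, not from the deck or from Cisco, the Python below models the policy logic that the business case review and the three policies above describe: a first-match authorization table keyed on who, what and how (as in ISE's authorization policy) that yields an SGT, a VLAN and a link-encryption requirement, and an SGACL matrix that is default-deny. Group names, SGT numbers, VLAN names, rule order and the matrix contents are assumptions made for the demo; the session inputs are constructed.

```python
"""
Added example (not from the BRKSEC-2000 deck or from Cisco): the identity-based
authorization the ISE slides describe, applied to the Future HealthCare case.
Rule order, group names, SGT numbers, VLAN names and the SGACL matrix are
assumptions made for the demo; ISE holds the real policy, and switches/ASA
enforce the matrix, not this script. Session inputs in the tests are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SGT(Enum):
    """Security Group Tags: sources (who) and destinations (what) the SGACL keys on."""
    CLINICAL = 20      # doctors and nurses
    STAFF = 10         # corporate employees on corporate assets
    BYOD = 15          # employees on personal devices
    GUEST = 30         # contractors, vendors, patients, visitors
    IOT = 40           # profiled devices that cannot authenticate
    QUARANTINE = 99    # posture failed: remediation only
    PRIVATE = 2        # destination: patient records, intranet, email
    PUBLIC = 1         # destination: Internet
    PRINTER = 3        # destination: shared printers
    REMEDIATION = 4    # destination: patch and AV servers


IOT_PROFILES = {"Printer", "Medical-Device", "Badge-Reader", "IP-Camera", "IP-Phone"}


@dataclass(frozen=True)
class Session:
    """What ISE knows about a connection attempt: who, what, how."""
    auth: str                          # "dot1x", "mab" or "webauth"
    groups: frozenset = frozenset()    # AD/LDAP groups from the external identity source
    device_profile: str = "Unknown"    # result of ISE profiling
    corporate_asset: bool = False
    posture_ok: Optional[bool] = None  # None = posture not assessed
    macsec_capable: bool = False


@dataclass(frozen=True)
class Authz:
    """Authorization result pushed to the switch or WLC."""
    sgt: SGT
    vlan: str
    encrypt: bool = False


def authorize(s: Session) -> Optional[Authz]:
    """First-match rules, top to bottom, like ISE's authorization policy table.
    None means no rule matched: access denied."""
    # Printers, medical devices, cameras, phones: no supplicant, so MAB plus profiling.
    if s.auth == "mab" and s.device_profile in IOT_PROFILES:
        return Authz(SGT.IOT, "iot")
    # Sponsored guest accounts via the web portal: Internet and printers only.
    if s.auth == "webauth":
        return Authz(SGT.GUEST, "guest")
    if s.auth == "dot1x":
        # Posture failure is checked before any group rule.
        if s.posture_ok is False:
            return Authz(SGT.QUARANTINE, "quarantine")
        # Employee on a personal tablet or phone: limited access.
        if not s.corporate_asset:
            return Authz(SGT.BYOD, "byod")
        # Corporate assets must encrypt; one that cannot do MACsec goes to the guest VLAN.
        if not s.macsec_capable:
            return Authz(SGT.GUEST, "guest")
        if "Clinical" in s.groups:
            return Authz(SGT.CLINICAL, "clinical", encrypt=True)
        if "Employees" in s.groups:
            return Authz(SGT.STAFF, "corp", encrypt=True)
    return None


# SGACL matrix: (source SGT, destination SGT) -> permit. Anything absent is denied,
# which is what makes "printers should only ever communicate internally" hold.
SGACL = {
    (SGT.STAFF, SGT.PRIVATE): True, (SGT.STAFF, SGT.PUBLIC): True, (SGT.STAFF, SGT.PRINTER): True,
    (SGT.CLINICAL, SGT.PRIVATE): True, (SGT.CLINICAL, SGT.PUBLIC): True, (SGT.CLINICAL, SGT.PRINTER): True,
    (SGT.BYOD, SGT.PUBLIC): True, (SGT.BYOD, SGT.PRINTER): True,     # no patient data on personal devices
    (SGT.GUEST, SGT.PUBLIC): True, (SGT.GUEST, SGT.PRINTER): True,   # Guest -> Private stays denied
    (SGT.IOT, SGT.PRIVATE): True, (SGT.IOT, SGT.PRINTER): True,      # IoT never reaches the Internet
    (SGT.QUARANTINE, SGT.REMEDIATION): True,
}


def allowed(src: SGT, dst: SGT) -> bool:
    """Enforcement-point lookup: explicit permit or default deny."""
    return SGACL.get((src, dst), False)


def decide(s: Session, dst: SGT) -> bool:
    """End to end: authorize the session, then apply the SGACL for the destination group."""
    authz = authorize(s)
    return authz is not None and allowed(authz.sgt, dst)


if __name__ == "__main__":
    doctor = Session("dot1x", frozenset({"Clinical", "Employees"}), "Windows7-Workstation", True, True, True)
    guest = Session("webauth")
    printer = Session("mab", device_profile="Printer")
    print("doctor  -> patient records:", decide(doctor, SGT.PRIVATE))
    print("guest   -> patient records:", decide(guest, SGT.PRIVATE))
    print("printer -> Internet:       ", decide(printer, SGT.PUBLIC))
```

Rule order matters here as it does in ISE: posture failure is evaluated before any group rule, so a doctor with out-of-date antivirus is quarantined regardless of group, and an 802.1X-authenticated corporate asset that cannot run MACsec is placed in the guest VLAN, which is the fail-closed outcome of step 6 in the MACsec flow later in the deck. The matrix, not the VLAN, is what keeps printers off the Internet and guests away from patient data; an unprofiled device arriving by MAB matches no rule and is denied.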

Page 69: Secure Borderless


ISE Administration Web-based GUI Environment

https://x.x.x.x/admin

Page 70: Secure Borderless


ISE Home Page

Page 71: Secure Borderless


Operations > Authentications

Page 72: Secure Borderless


Operations > Reports

Page 73: Secure Borderless


Operations > Troubleshoot

Page 74: Secure Borderless


Policy > Authentication

Page 75: Secure Borderless


Policy > Authorization

Page 76: Secure Borderless


Policy > Profiling

Page 77: Secure Borderless


Policy > Profiling > Apple-iPad

Page 78: Secure Borderless


Policy > Posture

Page 79: Secure Borderless


Policy > Client Provisioning

Page 80: Secure Borderless


Policy > Security Group Access

Page 81: Secure Borderless


Policy > Policy Elements > Conditions >

Authentications

Page 82: Secure Borderless


Policy > Policy Elements > Conditions >

Profiling

Page 83: Secure Borderless


Administration > Identity Management >

External Identity Sources

Page 84: Secure Borderless


Administration > Network Resources >

Network Devices

Page 85: Secure Borderless


Administration > Web Portal Management

Page 86: Secure Borderless


ISE Sponsor Portal

https://x.x.x.x:8443/sponsorportal

Page 87: Secure Borderless


Sponsor Portal Administration

Page 88: Secure Borderless


Sponsor Portal Administration

Create Single User Guest Account

Page 89: Secure Borderless


Sponsor Portal Administration

Guest Account Created

Page 90: Secure Borderless


ISE Guest Access Portal

https://x.x.x.x:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

Page 91: Secure Borderless


Case Study – Review

Future HealthCare

Page 92: Secure Borderless


Future HealthCare Goals

Employees need secure remote access to corporate intranet and email systems

Doctors need secure remote access to patient information and corporate email systems

Doctors want access to patient data and internet

Employees want access to the internet and email

Patients want access to the internet and web mail

CTO has security and regulation requirements

CSO needs prevention of email spear-phishing attacks

IT needs corporate devices secure while still providing network access to commercialized mobile devices

Review IT Network Issues

Page 93: Secure Borderless

Future HealthCare Review

Need to provide security for sensitive data from the end-user’s computer and throughout the network infrastructure.

What Still Needs to be Done?

Page 94: Secure Borderless

MACSec

Page 95: Secure Borderless

MACSec

What is it and How Does it Benefit Us?

IEEE 802.1AE-based Encryption

‒ Provides strong 128-bit AES-GCM* encryption

‒ NIST approved encryption algorithm

‒ Line-rate encryption/decryption

‒ Standards-based key management: IEEE 802.1X-Rev

Benefits

‒ Protects against man-in-the-middle attacks including snooping, tampering and replay attacks

‒ Network service amenable to hop-by-hop (link-based) approach as compared to end-to-end approach

* Galois/Counter Mode (GCM); NIST Special Publication 800-38D http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

Page 96: Secure Borderless

MACSec - How Does it Work?

Diagram: Bob (MACSec enabled client) and Steve (non-MACSec client) connect to a wiring closet switch, which consults the AAA server before admitting them to the campus network.

1. User Bob connects.

2. Bob’s policy indicates endpoint must encrypt. (User: Bob, Policy: encryption)

3. Key exchange using MKA, 802.1AE encryption complete. User is placed in corporate VLAN. Session is secured.

4. User Steve connects. (User: Steve, Policy: encryption)

5. Steve’s policy indicates endpoint must encrypt.

6. Endpoint is not MACSec enabled. Assigned to guest VLAN.

802.1X-Rev Components

• MACSec enabled switches: Cisco 3560X/3750X 12.2(52)SE2

• AAA server, 802.1X-Rev aware: Cisco Identity Services Engine

• Supplicant supporting MKA and 802.1AE encryption: Cisco AnyConnect Client

Page 97: Secure Borderless

MACSec Access Port (Crypto)

Standards-based encryption on user ports* (IEEE 802.1AE)

MACSec Key Agreement (MKA) standards-based key exchange protocol (IEEE 802.1X-REV MACSec Key Agreement)

Some newer Intel LOM chipsets support MACSec

MACSec-ready hardware:

Intel 82576 Gigabit Ethernet Controller

Intel 82599 10 Gigabit Ethernet Controller

Intel ICH10 - Q45 Express Chipset (1GbE LOM)

(Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM.)

* Please check CCO for the latest MACSec capable switches - www.cisco.com/go/trustsec
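The Bob/Steve walkthrough on the previous slides, expressed as a Catalyst 3750-X access-port configuration. This is an added example and not configuration from the session deck; the interface, the VLAN numbers (10 corporate, 20 guest) and the MKA policy name are assumptions for illustration.

```cisco
! Added example (not from the session deck): Catalyst 3750-X user port with
! MACsec (802.1AE) keyed by MKA, behaving like the switch in the walkthrough.
! Interface, VLAN numbers and policy name are assumptions.

! MKA policy. The replay window bounds how far out of order a frame may
! arrive before it is treated as a replay and dropped; 0 is strict ordering.
mka policy CAMPUS-MKA
 replay-protection window-size 0

interface GigabitEthernet1/0/1
 description Wiring-closet user port
 switchport mode access
 switchport access vlan 10
 ! Enable 802.1AE on the port and bind the MKA policy to it
 macsec
 mka policy CAMPUS-MKA
 ! must-secure: an endpoint that authenticates but cannot negotiate MACsec
 ! (Steve in the walkthrough) is not given corporate access ...
 authentication linksec policy must-secure
 ! ... and is instead authorized into the guest VLAN (VLAN 20 assumed)
 authentication event linksec fail action authorize vlan 20
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
```

With this in place Bob's AnyConnect supplicant completes 802.1X, MKA derives the session keys, and the port forwards only protected frames into VLAN 10, while Steve lands in VLAN 20 after a link-security failure. The must-secure/should-secure decision can also be returned per user by ISE (the deck's AAA server) as a Cisco AV-pair `linksec-policy`, which overrides the interface setting for that session; `show macsec interface GigabitEthernet1/0/1` and `show mka sessions` confirm whether a session actually came up encrypted.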

Page 98: Secure Borderless

Case Study – Review

Future HealthCare

Page 99: Secure Borderless

Future HealthCare Goals

Employees need secure remote access to corporate intranet and email systems

Doctors need secure remote access to patient information and corporate email systems

Doctors want access to patient data and internet

Employees want access to the internet and email

Patients want access to the internet and web mail

CTO has security and regulation requirements

CSO needs prevention of email spear-phishing attacks

IT needs corporate devices secure while still providing network access to commercialized mobile devices

Review IT Network Issues

Page 100: Secure Borderless

Future HealthCare Review

Need to prevent sensitive corporate data from traversing the Internet while maintaining compliance with corporate and mandated regulations.

What Still Needs to be Done?

Page 101: Secure Borderless

Data Loss Prevention

Page 102: Secure Borderless

What is Data Loss Prevention?

Data Loss Prevention, otherwise known as DLP, is technology to inspect and prevent sensitive data from leaking from your corporate network

DLP helps CxOs maintain corporate and regulations-based policies

Examples include HIPAA, GLBA, SOX and PCI compliance

DLP is the technology enforcer to prevent accidental or intentional data leakage

Page 103: Secure Borderless

IronPort Email Security Appliance

Cisco IronPort ESA has onboard RSA DLP blade technologies

Allows inspection, remediation and compliance with corporate and regulation-based policies

DLP remediation actions include:

Notify

BCC

Quarantine

Encrypt

Bounce

Drop

RSA Data Loss Prevention

Page 104: Secure Borderless

IronPort ESA DLP Policy Manager

Page 105: Secure Borderless

RSA DLP Blades

Page 106: Secure Borderless

DLP Blade Example – HIPAA

Page 107: Secure Borderless

Assigned DLP Policies

Page 108: Secure Borderless

Case Study – Review

Future HealthCare

Page 109: Secure Borderless

Future HealthCare Goals

Employees need secure remote access to corporate intranet and email systems

Doctors need secure remote access to patient information and corporate email systems

Doctors want access to patient data and internet

Employees want access to the internet and email

Patients want access to the internet and web mail

CTO has security and regulation requirements

CSO needs prevention of email spear-phishing attacks

IT needs corporate devices secure while still providing network access to commercialized mobile devices

Review IT Network Issues

Page 110: Secure Borderless

Future HealthCare Review

Need to protect end-users from email spear-phishing attacks that could lead to end-users giving away sensitive corporate data such as user accounts and passwords.

What Still Needs to be Done?

Page 111: Secure Borderless

IronPort Outbreak Filters

Page 112: Secure Borderless

IronPort Email Security Appliance

Cisco IronPort ESA has updated and rebranded the Virus Outbreak Filters as the newer technology called Outbreak Filters

Outbreak Filters continue to provide Day-Zero Virus Protection

Outbreak Filters also now provide Spear-Phishing prevention by rewriting suspicious URLs embedded in email messages

Rewritten URLs are proxied to the ScanSafe Towers (data centers) for web page inspection, which is transparent to the end user when they click on the embedded URL in the email

If the web site is malicious, the end user receives a “Block” page

If the web site is found to be good, the web objects for the web page are sent to the end user via the ScanSafe towers

Outbreak Filters

Page 113: Secure Borderless

Outbreak Filters Configuration

Page 114: Secure Borderless

Preventing Spear-Phishing Attacks

Page 115: Secure Borderless

Summary

Page 116: Secure Borderless

Summary / Glossary

What is Secure Mobility?

‒ Remote SSL VPN technology that allows integration of the Cisco AnyConnect, Cisco ASA Firewall and Cisco IronPort Web Security Appliance to back haul browser-based web traffic for proxy filtering

What is TrustSec?

‒ Umbrella Term Related to all “Identity Networking”

‒ Systems-Approach to Identity Networking

Page 117: Secure Borderless

Summary / Glossary

What is Identity Services Engine (ISE)?

‒ ISE is the next-generation policy engine for TrustSec

‒ Combines Identity with 802.1X, Posture, Profiling and Guest Lifecycle into a single platform.

What is MACSec (IEEE 802.1AE)?

‒ Layer-2 encryption from device to network

What is Data Loss Prevention (DLP)?

‒ Technology to inspect and prevent sensitive data from leaking from your corporate network

‒ DLP is the technology enforcer to prevent accidental or intentional data leakage

Page 118: Secure Borderless

Related Sessions

BRKSEC-2022 – Demystifying TrustSec, Identity, NAC and ISE

BRKSEC-2046 – Cisco TrustSec and Security Group Tagging

BRKSEC-3000 – Advanced Securing Borderless Networks

BRKSEC-3032 – Deploying TrustSec In Enterprise Branch and WAN Networks

BRKSEC-3040 – TrustSec and ISE Deployment Best

TECSEC-3030 – Advanced Network Access Control with ISE

Other TrustSec Security Sessions at Cisco Live 2012

Page 119: Secure Borderless

Q&A

Page 120: Secure Borderless

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

Page 121: Secure Borderless

Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media:

‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI

Page 122: Secure Borderless

Page 123: Secure Borderless

Christopher Heffner, CCIE #8211 Security Consulting Engineer

[email protected]

Page 124: Secure Borderless

Cisco ASA Secure Mobility Configuration

Appendix

Page 125: Secure Borderless

Cisco ASA Secure Mobility

1. SSL Certificate Creation

2. Associate trustpoint to Interface

3. LDAP Integration

4. Connection Profile

5. Group Policy

6. AnyConnect Packages

7. Activate SSL VPN Configuration

Configuration Setup

Page 126: Secure Borderless

Cisco ASA Secure Mobility Configuration

Cisco Secure Mobility requires the use of the Cisco SSL VPN Client software – AnyConnect

In order to use AnyConnect SSL VPN software, the Cisco ASA must be configured with an SSL Certificate

The SSL Certificate can be signed by a trusted root authority such as VeriSign or Entrust

-or-

Use a self-signed SSL certificate generated on the ASA appliance

Step 1 - SSL Certificate Creation

Page 127: Secure Borderless

Cisco ASA Self-Signed Certificates: Certificate Assigned to Trustpoint

To verify from the ASA CLI

show run crypto ca

show crypto ca cert

Page 128: Secure Borderless

Cisco ASA Self-Signed Certificates

Associate new trustpoint to outside interface

A. Configuration > Device Management > Advanced > SSL Settings

B. Associate the new certificate with the outside interface by selecting the outside interface and clicking the Edit button.

C. In the Primary Enrollment Certificate drop-down, select the trustpoint name, then click OK.

D. Click the Apply button.

Step 2. Associate Trustpoint to Interface

Page 129: Secure Borderless

Cisco Self-Signed Certificates: Certificate Assigned to Outside Interface

Page 130: Secure Borderless

Cisco ASA Secure Mobility

1. SSL Certificate Creation

2. Associate trustpoint to Interface

3. LDAP Integration

Configuration Setup

Page 131: Secure Borderless

LDAP Integration

Authenticate Remote SSL VPN users via LDAP integration to the back-end Active Directory environment

A. From ASDM - Configuration > Device Management > Users/AAA > AAA Server Groups

B. From the AAA Server Group table, click the ADD button

C. Enter Server Group name (user defined)

D. Select LDAP from Protocol drop-down box

E. Leave remaining values at default settings

F. Click OK button

AAA Server Group Configuration

Page 132: Secure Borderless

LDAP Integration ASDM Output Example

Page 133: Secure Borderless

LDAP Integration

G. Single click the newly created LDAP AAA server group

H. In Servers in the Selected Group (bottom table), select the ADD button to define the AAA Server(s)

I. Enter the configuration values for LDAP integration

Interface: Inside

Server Name or IP Address: IP address for AD Server

Port: 389

Server Type: Microsoft

Base DN: domain name base DN

Scope: All levels beneath the Base DN

Naming Attributes(s): sAMAccountName

Login DN: Username for LDAP Authentication

Login Password: password

J. Click OK

K. Click Apply

AAA Server Group Configuration (cont.)

Page 134: Secure Borderless

LDAP Integration ASDM Output Example

Page 135: Secure Borderless

LDAP Integration

J. Click Test button to verify LDAP authentication configuration

Change the Radio button from Authorization to Authentication

Enter valid domain username and password

A window appears that reads:

“Authentication test to host X.X.X.X is successful.”

AAA Server Group Configuration (cont.)

Page 136: Secure Borderless

LDAP Integration ASDM Output Example

Page 137: Secure Borderless

Cisco ASA Secure Mobility

1. SSL Certificate Creation

2. Associate trustpoint to interface

3. LDAP Integration

4. Connection Profile

Configuration Setup

Page 138: Secure Borderless

Connection Profiles

Connection Profiles in ASDM are another name for tunnel-groups within the CLI.

They provide a means to apply very specific connection attributes to remote users.

Once a user is mapped to a connection profile, we can then associate group-level policies.

Any attribute not mapped in a connection profile or group-policy will be inherited from the top-level Default Group Policy.

Page 139: Secure Borderless

Connection Profiles

Setup SSL VPN Connection Profile

A. From ASDM - Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

B. Click the ADD button to create a new Connection Profile

C. Enter Connection Profile Name

D. Enter Connection Profile Alias

E. Define Authentication parameters

Method – AAA

AAA Server Group – LDAP

Configuration

Note: The connection profile alias allows administrators to provide custom group names to the end users when they browse to the webpage of the ASA and also defines the group names seen in the AnyConnect client.

Page 140: Secure Borderless

Connection Profiles ASDM Output Example

Page 141: Secure Borderless

Connection Profiles

F. Define the Client Address Pool

G. Click the Select … button to create client address pool

H. Click Add button

Enter IP Pool Name

Enter Starting IP Address

Enter Ending IP Address

Enter Subnet Mask

I. Click OK button

J. Single click the new address pool name

K. Click Assign button

L. Click OK button

M. Click OK button

Configuration (cont.)

Page 142: Secure Borderless

Connection Profiles ASDM Output Example

Page 143: Secure Borderless

Cisco ASA Secure Mobility

1. SSL Certificate Creation

2. Associate trustpoint to interface

3. LDAP Integration

4. Connection Profile

5. Group Policy

Configuration Setup

Page 144: Secure Borderless

Group Policy

VPN Group Policies are a collection of authorization-based attribute/value pairs that can be stored in the ASA Configuration or on a RADIUS/LDAP server.

Customized group attributes include:

Tunneling Protocols

Connection Profile Lock

NAC Policy

Access Hours

Idle Timeout

Maximum Connection Time

DNS Servers

Split Tunneling

SSL VPN Client Settings

IPSec Client Settings

Login Banner

Address Pools

Page 145: Secure Borderless

Group Policy

Setup Group Policy

A. From the newly configured Connection Profile main page, Default Group Policy – click Manage …

B. Click ADD Button

C. Enter Group Policy Name

D. Single click on the “More Options” gray bar

E. Uncheck the Inherit button for Tunneling Protocols and select the “SSL VPN Client” checkbox only. Uncheck any other remaining protocols.

F. Select the “Servers” menu option. Uncheck the Inherit button for DNS and enter your internal DNS server IP address.

Configuration

Page 146: Secure Borderless

Group Policy

G. Open the “More Options” and uncheck the inherit button for “Default Domain” and enter your domain name.

H. Click OK

I. Click OK

Configuration (cont.)

Page 147: Secure Borderless

Group Policy ASDM Output Example

Page 148: Secure Borderless

Group Policy

G. From the Connection Profile main window – Default Group Policy, select the newly created group policy from the drop down box.

H. Select the checkbox for “Enable SSL VPN Client Protocol”

I. Click OK

J. Click Apply

Configuration (cont.)

Page 149: Secure Borderless

Group Policy ASDM Output Example

Page 150: Secure Borderless

Group Policy ASDM Output Example

Page 151: Secure Borderless

Cisco ASA Secure Mobility

1. SSL Certificate Creation

2. Associate trustpoint to interface

3. LDAP Integration

4. Connection Profile

5. Group Policy

6. AnyConnect Packages

Configuration Setup

Page 152: Secure Borderless

AnyConnect Client Preparation

Two options for getting the Cisco AnyConnect client installed on to the end user’s computer

‒ Option #1 – Use the pre-install client package for Windows (.msi) or Mac (.dmg). Standard install application, or can be pre-deployed and pre-configured.

‒ Option #2 – Download the AnyConnect client from the ASA clientless SSL VPN web portal. Requires preparation by uploading and configuring the Cisco ASA for deployment of AnyConnect via the SSL web portal.

Page 153: Secure Borderless

Cisco ASA AnyConnect Deployment

The first step is to identify the correct AnyConnect images needed for the end user operating systems and versions that are required for your organization.

‒ Supported Operating Systems

‒ Windows 32/64 bit operating system versions

‒ anyconnect-win-<version>-k9.pkg

‒ Mac OS X Intel platforms

‒ anyconnect-macosx-i386-<version>-k9.pkg

‒ Linux 32/64 bit operating system versions

‒ anyconnect-linux-<version>-k9.pkg

‒ anyconnect-linux-64-<version>-k9.pkg

Make Sure You Download the Proper Version for ASA Deployment and Not Pre-deployment Versions.

Page 154: Secure Borderless

Cisco ASA AnyConnect Deployment

Download the proper AnyConnect images and configure the software client for the ASA.

‒ From ASDM – Configuration > Remote Access SSL VPN > Network (Client) Access > AnyConnect Client Settings

‒ Download the AnyConnect Packages using the link from ASDM or pre-download from CCO directly

‒ Upload the AnyConnect Packages from your desktop to disk0:/ on the ASA Firewall

Configuration Steps

Page 155: Secure Borderless

Cisco ASA Secure Mobility

1. SSL Certificate Creation

2. Associate trustpoint to interface

3. LDAP Integration

4. Connection Profile

5. Group Policy

6. AnyConnect Packages

7. Activate SSL VPN Configuration

Configuration Setup

Page 156: Secure Borderless

Activate SSL VPN Configuration

From ASDM – Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

‒ Click on the “Allow Access” check-box for the Outside interface.

‒ Click on the “Enable Cisco AnyConnect VPN Client” access check-box on the Outside interface.

‒ Click the Apply Button
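The seven ASDM steps of this appendix, as the equivalent ASA CLI configuration. This is an added example, not configuration from the session deck; the trustpoint, key, server-group, pool, tunnel-group and group-policy names, the addresses, the domain and the AnyConnect package filename are assumptions to be replaced for your environment.

```cisco
! Added example (not from the session deck): CLI equivalent of the seven
! ASDM steps. All names, addresses, the domain and the package filename
! are assumptions for illustration.

! Step 1 - SSL certificate: self-signed, enrolled into a trustpoint
crypto key generate rsa label SSLVPN-KEY modulus 2048
crypto ca trustpoint SSLVPN-TP
 enrollment self
 subject-name CN=vpn.example.com
 keypair SSLVPN-KEY
crypto ca enroll SSLVPN-TP noconfirm

! Step 2 - Associate the trustpoint with the outside interface
ssl trust-point SSLVPN-TP outside

! Step 3 - LDAP integration with Active Directory: port 389, Microsoft
! server type and sAMAccountName as naming attribute, as on the slides.
! The bind account needs read access only; do not reuse an admin account.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 server-type microsoft
 server-port 389
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-ldap,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <bind-account-password>

! Step 5 - Group policy (defined first so the tunnel-group can reference
! it): SSL VPN client only, internal DNS server, default domain
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.10
 default-domain value example.com

! Step 4 - Connection profile (tunnel-group) with its client address pool,
! LDAP authentication and the alias shown to users
ip local pool SSLVPN-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
tunnel-group SSLVPN-PROFILE type remote-access
tunnel-group SSLVPN-PROFILE general-attributes
 authentication-server-group LDAP-AD
 address-pool SSLVPN-POOL
 default-group-policy SSLVPN-GP
tunnel-group SSLVPN-PROFILE webvpn-attributes
 group-alias Employees enable

! Step 6 - AnyConnect package already uploaded to disk0: (ASA-deployment
! image, not the pre-deployment installer)
! Step 7 - Enable SSL VPN and the AnyConnect client on the outside interface
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
```

The CLI order differs from the ASDM order in one place: the group policy must exist before the tunnel-group's `default-group-policy` can reference it, so step 5 is entered before step 4. The deck's own `show run crypto ca` and `show crypto ca cert` verify steps 1 and 2; `test aaa-server authentication LDAP-AD host 10.0.0.10 username <user> password <password>` is the CLI form of the ASDM Test button in step 3, and `show vpn-sessiondb anyconnect` lists sessions once a client connects.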