establishing trust within the enterprise and beyond | gsf 2012 | session 4-1

© 2011 Cisco and/or its affiliates. All rights reserved. - Last Updated 2/23/2012. Cisco Confidential.
Establishing Trust Within the Enterprise and Beyond: Securely Enabling Your Business with Policy Based Access Control
Kevin Manwiller – Manager Federal Security and Mobility Solutions
Jamie Sanbower – Technical Solutions Architect
March 21st, 2012

Upload: cisco-public-sector

Post on 19-Jan-2015


DESCRIPTION

Establishing trust within your enterprise is very important: build it into your network. Securely enable your business with Policy Based Access Control. By: Kevin Manwiller, Jamie Sanbower

TRANSCRIPT

1. Establishing Trust Within the Enterprise and Beyond: Securely Enabling Your Business with Policy Based Access Control
• Kevin Manwiller, Manager Federal Security and Mobility Solutions
• Jamie Sanbower, Technical Solutions Architect
• March 21st, 2012

2. Agenda
• The role of establishing Trust
• Why the Network is the place to address Trust

3. Why do I need Trust Built into the Network?
• DoD Requirements: Network STIG V8R1 (Aug 2010), NET-NAC-009 CAT I; NIST Guidelines: 800-53 Controls
• Explosion of new mobile devices: Bring Your Own Device (BYOD); handhelds and tablets used in both enterprise and tactical environments
• Better visibility: you can't properly protect it if you don't know it's there (Identity); Cyber Operations, Mission Assurance, Continuous Monitoring, Incident Response

4. (graphic only, no slide text)

5. The Evolving Workplace Landscape
• Device Proliferation, Next Generation Workforce, Virtualization

6. The Evolving Workplace Landscape: Next Generation Workforce
• People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home
• 70 percent of end users admit to breaking IT policy to make their lives easier
• Work Is No Longer a Place You Go to Work

7. The Evolving Workplace Landscape: Virtualization
• 60% of server workloads will be virtualized by 2013
• 20% of professional PCs will be managed under a hosted virtual desktop model by 2013
• Datacenters are evolving; applications are now objects moving through the network

8. The Burden Falls on IT: Device Proliferation
• How do I manage the risk of employees bringing their own devices?
• How do I ensure a consistent experience on all devices?
• How do I implement multiple security policies per user, device?
• How and what do I support?

9. The Burden Falls on IT: Changing Workforce
• Am I hindering my workforce from being competitive?
• How do I retain top talent?
• How do I ensure compliance with FISMA, DIACAP, STIG, etc.?
• Can I handle partners, consultants, guests appropriately?

10. The Burden Falls on IT: Virtualization
• How do I know who is accessing my virtual desktop infrastructure?
• How do I secure access to my data across the cloud in a scalable way?
• Can I ensure compliance across geographic boundaries?

11. (Device figures as shown on the slide) 73 Million Online Meetings a Year; 2104 Cisco Cius Tablets; 8144 Apple iPads; 12,290 RIM BlackBerry Devices; 6700+ Linux Desktops; 2185 Other Devices; 87,000+ Microsoft Windows PCs; 5234 Android Devices; 12,000+ Apple Macs; 20,581 Apple iPhones; growth figures shown alongside: -1.6%, -3.8%, 9.5%, 3.9%

12. Using Cisco VXI Integration
• 59% More Devices; 32% More Users; 20% Fewer Cases
• 30 Minutes per Day Savings; 25% Faster Acquisition; 17 Weeks per Year More Productivity

13. Securely Enables Your Business with Policy Based Access Control
• Users and endpoints: Wireless User, Employee, Guest, VM Client, Remote VPN User, IP Devices
• Comprehensive Visibility: Contextual Awareness of the Who, What, Where, When, How
• Exceptional Control: Leverage Network to Secure Access to Your Critical Resources, Mitigating Risk and Ensuring Compliance
• Effective Management: Centralized Management of Secure Access Services
• Identity and Context Aware Infrastructure; Security Zones: Data Center, Intranet, Internet
• Scalable Enforcement Leveraging Your Infrastructure

14. Identity-Based Access Is a Feature of the Network, Spanning Wired, Wireless, and VPN
• Policy Administration / Policy Decision: Identity Services Engine (ISE), Identity Access Policy System
• Policy Enforcement: Cisco 2900/3560/3700/4500/6500, Nexus 5000/7000, Cisco ASA, ISR, ASR 1000; TrustSec Powered switches, Wireless and Routing Infrastructure
• Policy Information: NAC Agent, Web Agent, 802.1x Supplicant; No-Cost Persistent and Temporal Clients for Posture and Remediation; AnyConnect or OS-Embedded Supplicant; TrustSec Powered

15. Comprehensive Visibility: Guest Access, Profiling, Posture
• Context: WHO, WHAT, WHERE, WHEN, HOW
• Example context values shown: Francois Didier, Vicky Sanchez, Frank Lee, Security Camera G/W; Consultant, Employee (Marketing), Guest, Agentless Asset; Personal iPad, Employee Owned; Chicago Branch, HQ, Strategy; Wireless, Wireline, Remote Access; 6 p.m., 3 p.m., 9 a.m.
• Identity: 802.1X, MAB, WebAuth on Cisco switches, routers, wireless access points; Identity (802.1X)-Enabled Network

16. Comprehensive Visibility: Leveraging Your Infrastructure
• Cisco Catalyst Switch Identity Differentiators: Monitor Mode, Flexible Authentication Sequence, IP Telephony Support, Support for Virtual Desktop Environments
• Endpoints: Authorized Users, Tablets, IP Phones, Network Devices, Guests; 802.1X, MAB and Profiling, Web Auth
• Authentication Features: IEEE 802.1x, MAC Auth Bypass, Web Authentication
• Consistent identity features supported on all Catalyst switch models

17. Manual Device Classification and Policy Enforcement: The Challenge (Typical Deployment Scenario)
• Device Proliferation: multitude of devices on the network, wired and wireless
• Need to have identification and policy control for each device type
• Need assurance that a device conforms with its fingerprint for policy enforcement

18. Comprehensive Visibility, Cisco Innovation: Automated Device Classification Using Cisco Infrastructure
• Device Profiling for wired and wireless networks: Printer, Personal iPad, Access Point identified via CDP, LLDP, DHCP, MAC, with policies such as [place on VLAN X] and [restricted access]
• The Solution, Deployment Scenario with Cisco Device Sensors: Collection: switch collects device related data and sends a report to ISE; Classification: ISE classifies the device, collects flow information and provides a device usage report; Authorization: ISE executes policy based on user and device
• Efficient Device Classification Leveraging Infrastructure

19. Comprehensive Visibility, Cisco Innovation: Integrated Profiling
• Visibility in Scale: network infrastructure provides a local sensing function (Cisco Device Sensor, network-based); contextual data passed via RADIUS to ISE
• Enhanced Accuracy: Active Endpoint Scanning; ISE augments passive network telemetry with active endpoint telemetry data
• Identity in Scale: Device Feed*; manufacturers and ecosystem provide constant updates for new devices; customers pull a bundled data feed from Cisco
• * Scheduled for Fall 2012

20. Comprehensive Visibility: ISE Posture Ensures Endpoint Health before Network Access
• Wired, Wireless, VPN User; Non-Compliant: temporary limited network access until remediation is complete
• Sample Employee Policy: Microsoft patches updated; McAfee AV installed, running, and current; Corp asset checks; Enterprise application running
• Challenge: understanding health of device; varying level of control over devices; cost of remediation
• Value: Temporal (web-based) or Persistence Agent; Automatic Remediation; Differentiated policy enforcement based on role

21. Comprehensive Visibility: ISE Guest Service for managing guests
• Guest Policy: Web Authentication; Wireless or Wired Access; Internet-Only Access
• Provision: Guest Accounts via Sponsor Portal
• Manage: Sponsor Privileges, Guest Accounts and Policies, Guest Portal
• Notify: Guests of Account Details by Print, Email, or SMS
• Report: On All Aspects of Guest Accounts

22. Exceptional Control: Delivers Policy-Based Enforcement
• Remote VPN User, Wireless User, Wired User, Devices, Virtual Desktop on an Identity and Context Aware Network
• Policy-Based Access Control, Scalable Enforcement: VLANs, Access Control Lists, Secure Group Tags*, MACsec Encryption* (* = Cisco Security Innovation)
• Zones: Data Center, Intranet, Internet

23. Exceptional Control, Cisco Innovation: Flexible Enforcement Mechanisms in your infrastructure
• VLANs: Employees, Guest, Remediation (VLAN 3, VLAN 4)
• DACL or Named ACL: IP Any
• Security Group Access: SXP, SGT, SGACL, SGFW; Employee, Contractor security groups
• Benefits listed: Less disruptive to endpoint (no IP address change required); Does not require switch port ACL management; Simplifies ACL management; Preferred choice for path isolation; Uniformly enforces policy independent of topology; Improved user experience; Fine-grained access control
• Range of options available to customer

24. Policies Based on Role
• Distinct Technical Language (Individual Users, Permissions, Resources): Time Consuming, Manual, Error Prone. Policy expressed as address-based ACL lines, e.g. permit tcp S1 D1 eq https; permit tcp S1 D1 eq 8081; deny ip S1 D1; permit tcp S4 D6 eq https; permit tcp S4 D6 eq 8081; deny ip S4 D6. Addresses shown: S1 (10.156.78.100), D1 (10.10.24.13), D2 (10.10.28.12), D3 (10.156.54.200), D4 (10.10.36.10), IT Admins (10.156.100.10), S4 (10.10.135.10)
• Role Based Access Table (Policy Matrix): Simple, Flexible, Business Relevant. Resources: Intranet Portal, Email Server, Financial Servers, Patient Records. Doctor: Web; IMAP; No Access; Web File Share. Finance: Web; IMAP; Web; No Access. IT Admin: Web, SQL, SSH; SQL; SQL; Full Access
• Doctor - Patient Record ACL: permit tcp dst eq 443; permit tcp dst eq 80; permit tcp dst eq 445; permit tcp dst eq 135; deny ip
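The contrast on slide 24 between address-based ACL lines and a role-based policy matrix, as an added example (not Cisco's code or part of the deck): it encodes the slide's Doctor / Finance / IT Admin matrix, expands it into per-host permit/deny lines, and checks that both forms give the same decision for every flow. The service-to-port mapping, the sample host addresses and the ACL text format are constructed assumptions.

```python
# Added example, not from the Cisco deck: the role-based policy matrix of
# slide 24 compiled into per-address ACL lines. Service/port mapping, host
# addresses and the ACL text format below are constructed assumptions.

# Service names from the slide matrix mapped to TCP ports (assumed).
SERVICE_PORTS = {"Web": {80, 443}, "IMAP": {143}, "SQL": {1433},
                 "SSH": {22}, "File Share": {445, 135}}

# Role -> resource -> permitted services, transcribed from slide 24.
# "Full Access" (IT Admin -> Patient Records) is encoded as every service.
POLICY_MATRIX = {
    "Doctor":   {"Intranet Portal": {"Web"}, "Email Server": {"IMAP"},
                 "Financial Servers": set(), "Patient Records": {"Web", "File Share"}},
    "Finance":  {"Intranet Portal": {"Web"}, "Email Server": {"IMAP"},
                 "Financial Servers": {"Web"}, "Patient Records": set()},
    "IT Admin": {"Intranet Portal": {"Web", "SQL", "SSH"}, "Email Server": {"SQL"},
                 "Financial Servers": {"SQL"}, "Patient Records": set(SERVICE_PORTS)},
}

# Constructed sample hosts (RFC 5737 documentation addresses, not the slide's).
ROLE_HOSTS = {"Doctor": ["192.0.2.10", "192.0.2.11"],
              "Finance": ["192.0.2.20"], "IT Admin": ["192.0.2.30"]}
RESOURCE_HOSTS = {"Intranet Portal": ["198.51.100.1"], "Email Server": ["198.51.100.2"],
                  "Financial Servers": ["198.51.100.3"], "Patient Records": ["198.51.100.4"]}

def compile_acl(role_hosts, resource_hosts):
    """Expand the matrix into 'permit tcp ... eq PORT' lines plus one 'deny ip'
    per source/destination pair: the slide's 'distinct technical language'."""
    lines = []
    for role, resources in POLICY_MATRIX.items():
        for src in role_hosts[role]:
            for resource, services in resources.items():
                for dst in resource_hosts[resource]:
                    ports = sorted(p for s in services for p in SERVICE_PORTS[s])
                    lines += [f"permit tcp host {src} host {dst} eq {p}" for p in ports]
                    lines.append(f"deny ip host {src} host {dst}")
    return lines

def acl_permits(acl, src, dst, port):
    """First-match evaluation of the expanded ACL with an implicit final deny."""
    for line in acl:
        f = line.split()  # permit tcp host SRC host DST eq PORT | deny ip host SRC host DST
        if f[3] == src and f[5] == dst and (f[0] == "deny" or int(f[7]) == port):
            return f[0] == "permit"
    return False

def matrix_permits(role, resource, port):
    """Role-based decision: a single lookup, independent of how many hosts exist."""
    return any(port in SERVICE_PORTS[s] for s in POLICY_MATRIX[role][resource])

def decisions_agree(acl):
    """True if every host/port combination gets the same answer from both forms."""
    all_ports = {p for ports in SERVICE_PORTS.values() for p in ports}
    return all(acl_permits(acl, s, d, p) == matrix_permits(role, res, p)
               for role, srcs in ROLE_HOSTS.items() for res, dsts in RESOURCE_HOSTS.items()
               for s in srcs for d in dsts for p in all_ports)

ACL = compile_acl(ROLE_HOSTS, RESOURCE_HOSTS)  # 48 lines for 4 users; grows per host pair
```

With one host per role the expansion is already 37 lines, and every additional user or server host adds a block of lines to maintain by hand, while the role matrix itself is unchanged.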
25. Exceptional Control, Cisco Innovation: Marking traffic with context
• Patient Records (confidential): Doctor; Finance; Internet: Unrestricted for Employees, Guest
• The Solution, Deployment Scenario with Security Group Access (SGA): Scalable Enforcement Independent of Network Topology
• Scalable and Consistent Policy Enforcement; Reduced Operational Expense; Increased Business Agility

26. Deployment Use Cases
• Healthcare: Ensure privacy of patient data by enforcing role-based access and segmentation across the network
• Retail: Intra-store communication for networked devices while ensuring that only authorized users and devices have access to PCI data
• Technology: Allowing approved employee-owned tablets access to internal portals and the corporate app store
• Manufacturing: Marking extranet traffic to allow PLC vendor remote access to a specific manufacturing zone only, and offshore development partners access to development servers only

27. Exceptional Control: The Challenge (Typical Deployment Scenario)
• L3/L4 Encryption: cipher data, no visibility, corporate resources
• Encryption at IP or application layers; no visibility into the flows for security and QoS policy enforcement; encryption disables visibility for policy enforcement

28. Exceptional Control, Cisco Innovation: The Solution (Typical Deployment Scenario)
• 802.1X, AE Encrypted cipher data; flows visible for policy enforcement; decrypt on ingress interface, encrypt on egress interface; corporate resources
• Data Confidentiality: hop-by-hop L2 encryption; visibility into the flows for security and QoS policy enforcement; Security Group Tag with integrity

29. Effective Management: Operations
• Converged Security and Policy Monitoring; contextual status and monitoring dashboards across wired and wireless networks
• Centrally organizes Day 1-to-n management tasks; instructional configuration workflows; reduces the time to troubleshoot
• Integration with Cisco NCS Prime

30. Effective Management: Determine, Document and Implement Policies
• Policy conditions: User, Device Type, Location, Posture, Time, Access Method, Custom

31. Effective Management: Putting the End User in Control
• Reduced burden on IT staff: Device On-boarding, Self Registration, Supplicant Provisioning*
• Reduced burden on help desk staff: seamless, intuitive end user experience
• Self Service Model: My Device Registration Portal*, Guest Sponsorship Portal
• * Scheduled for Summer 2012

32. Effective Management: MDM Ecosystem
• Integration with leading MDM vendors* (MobileIron, Airwatch, Zenprise); ISE with AD/LDAP and contextual policy; MDM Manager; ecosystem offering choice for customers
• Cisco Catalyst Switches, Cisco WLAN Controller; User X, User Y; Windows or OS X computers, smartphones including iOS or Android devices; wired or wireless
• Features: Comprehensive Device Provisioning; Detailed User and Device Context; Increased Device and Application Security
• * Scheduled for Fall 2012

33. ISE Licensing and TrustSec Packaging
• ISE Base License (Are My Endpoints Authorized?): Authentication/Authorization, Guest Provisioning, Link Encryption Policies; Perpetual Licensing
• ISE Advanced License (Are My Endpoints Compliant?): Device Profiling, Host Posture, Security Group Access Services; 3 / 5 Year Term Licensing; Note: Advanced License does not include Base
• ISE Wireless License (Base + Advanced): All Base Services, All Advanced Services; 5 Year Term Licensing
• New TrustSec features in existing switch packaging: Campus (Cat 3K/4K): LAN Base: 802.1X, SXP, IOS sensor, MACsec; IP Base: SGT, SGACL. Aggregation (Cat 6K): IP Base: 802.1X, SXP, SGT, SGACL. Router (ASR 1K/ISR): Base packaging: SXP; Advanced/Security: SG FW. Data Center (Nexus): Advanced LAN License
• Appliance Platforms: Small 3315/1121 | Medium 3355 | Large 3395 | Virtual Appliance
• AnyConnect: Base Package Built into Headend

34. Different from Competitors
• One Policy for Wired, Wireless and VPN
• Most comprehensive policy-driven BYOD solution supporting the full range of business needs
• Integrated Lifecycle Services (Posture, Profiling, Guest)
• Flexible and Scalable Authorization Options Leveraging your Infrastructure
• Differentiated Identity Features (Multiple Auth Methods, Flexible Sequencing Auth, Monitor Mode)
• Standards based Data Layer Encryption to Protect Communications

35. (ISE functional diagram) Monitor: Logging, View Logs/Reports; Policy: Configure Policies; External Data: Query Attributes; Admin Service: View/Configure; Request/Response, Logging, Context; Endpoint, Enforce, Resource Access Request, Access Resource

36. Centralized Deployment: All ISE Personas Deployed in a Single Site
• Data Center A: Admin, Monitor, Policy Services Cluster, HA Inline Posture Nodes, AD/LDAP (External ID/Attribute Store), ASA VPN; WLC, Switch, AP with 802.1X

37. Distributed Deployment: All ISE Personas Deployed Across Multiple Sites
• Data Center A and Data Center B: Admin (S), Monitor (S), Policy Services Cluster, Distributed Policy Services, HA Inline Posture Nodes, AD/LDAP (External ID/Attribute Store), ASA VPN; WLC, Switch, AP with 802.1X
• Branch A and Branch B: Switch, AP with 802.1X

38. Converged Unified Identity-Based Policy Platform
• ISE converges Agent, Firewall, NAC, ACS, Guest, Profiler; enforcement by user group (Sales, HR, UK)
• Offers Cisco AnyConnect technology: AAA, 802.1X, guest, profiler, posture; on- and off-premises security; system monitor and diagnosis; extends 802.1X and VPN client + NAC; user, group, device based policy; ISE: next-generation ACS + NAC; extends management to Positron ASA and Positron platforms
• Enhanced Device Profiling: Cisco delivered device template feed; switches collect and forward device fingerprint, no traffic re-engineering; wired and wireless infrastructure
• Network Infection Containment: streamline the locate, contain, and remediation process; leverage reputation and NIPS feeds
• System-Wide Monitoring and Troubleshooting: single admin pane-of-glass
• Also shown: Network Device Identity, Provisioning, Policy, Cisco Security Intelligence Ops, Client Monitoring and Management

39. Visibility and Control; Bring Your Own Device; Secure Data Center
• Visibility and Control: ISE Advanced + Base
• Bring Your Own Device: ISE Wireless Offer, Expand to Wired
• Secure Data Center: Identity/SGA + ISE Advanced Offer
• TrustSec Securely Enables Your Business with Policy based access control

40. Thank you.

41. (closing slide)