TRANSCRIPT
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID 1
TechWiseTV WorkShops
Jimmy Ray Purser
Chief Geek
www.techwisetv.com
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2050 2
Concern: Security in the Borderless World
[Diagram: the corporate border (corporate office, branch office, home office, applications and data, policy) with attackers, customers, partners and mobile users at the coffee shop and the airport outside it, alongside Software, Platform, Infrastructure and X as a Service.]
Personal Choice vs Corporate Policy
[Diagram: Business vs Personal]
Traditional Remote Access VPN
• Limited: predominantly PC-based client support
• Manual: numerous "clicks", non-persistent connection
• Rarely on: only connected if and when absolutely necessary
• No security or visibility
[Diagram: Security, Intranet, Corporate File Sharing]
Traditional Mobile Web Security
• Limited clients: predominantly PC-based client support
• Limited security: URL-filtering client unable to address key use cases
• No access: not integrated, requires a separate VPN client
[Diagram: Data Loss Prevention, Threat Prevention, Acceptable Use, Access Control; Intranet and Corporate File Sharing marked "No Access"]
Web Security with Next Generation Remote Access
• Choice: diverse endpoint support for greater flexibility
• Security: rich, granular security integrated into the network
• Experience: always-on intelligent connection for seamless experience and performance
[Diagram: Acceptable Use, Access Control, Data Loss Prevention, Threat Prevention; Intranet and Corporate File Sharing marked "Access Granted"]
AnyConnect Secure Mobility Client: Network and Security Follows the User. It Just Works
Next-Gen Unified Security
• User/device identity
• Posture validation, including managed vs unmanaged assets
• Integrated web security for always-on security (hybrid)
• Clientless and desktop virtualization
Persistent Connectivity
• Always-on connectivity
• Optimal gateway selection
• Automatic hotspot negotiation
• Seamless connection hand-offs
Broad Mobile Support
• Fixed and semi-fixed platforms
• Mobile platforms
[Diagram: corporate office, mobile user and home office connected over wired, Wi-Fi and cellular/Wi-Fi links; secure, consistent access to voice, video, apps and data]
Deployment Scenarios
Cisco AnyConnect Secure Mobility with Web Security Appliance
ASA and WSA
• Authentication handoff (SSO)
• Identity and location aware policy enforcement
• Location-aware reporting
AnyConnect
• Always-on VPN (admin configurable)
• Optimal head end auto-detect
• Transparent auth (certificate)
[Diagram: AnyConnect on an untrusted network builds an SSL VPN tunnel carrying all traffic to the ASA on the trusted network; the user authenticates, the ASA passes the user identity to the Cisco Web Security Appliance, which checks it against Corporate AD; web traffic (news, email, social networking, enterprise SaaS, facebook.com) reaches the WSA via WCCP redirection on its way to the Internet.]
Transparent Redirection – Single ASA (WCCP on Router)
IOS Config
ip wccp 80 redirect-list redirect-acl
interface eth0
 ip wccp 80 redirect in
ASA Config
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.255.255.0 192.168.1.2
The tunneled keyword makes the default route apply only to traffic arriving from VPN tunnels, so decrypted AnyConnect traffic is handed to the inside router at 192.168.1.2, where WCCP service group 80 (the service ID must match the one configured on the WSA) intercepts it inbound and redirects it to the WSA; the 10.10.10.0/24 route covers the internal network. The access list redirect-acl is referenced but not shown on the slide; it should match only the clients' web traffic so that nothing else is redirected.
Transparent Redirection – Single ASA (WCCP on ASA)
ASA Config
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.255.255.0 192.168.1.2
wccp 80 redirect-list redirect-acl
wccp interface inside 80 redirect in
Here the ASA itself runs WCCP: traffic matching redirect-acl that arrives inbound on the inside interface is redirected to the WSA, so no router configuration is needed.
Transparent Redirection Alternate Egress
IOS Config
ip wccp 80 redirect-list redirect-acl
interface eth0
 ip wccp 80 redirect in
ASA-1 Config
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.255.255.0 192.168.1.2
The router-side WCCP interception is the same as in the single-ASA case; the tunneled default route on ASA-1 again hands decrypted client traffic to the inside router for redirection.
Explicit Proxy Redirection
Cisco AnyConnect Secure Mobility with Cloud Web Security
ScanSafe
• Web 2.0 content control
• Dynamic web classification
• Search Ahead
• Outbreak Intelligence
• Real-time content analysis
AnyConnect
• Always-on VPN (admin configurable)
• Optimal head end auto-detect
• Transparent auth (certificate)
[Diagram: AnyConnect on an untrusted network carries internal data to the ASA on the trusted network over an IPsec/SSL VPN, while Internet-bound web traffic (e.g. facebook.com) goes to ScanSafe.]
AnyConnect 3.0 Web Security with ScanSafe
[Diagram: the AnyConnect Secure Mobility Client sends Internet-bound web communications to ScanSafe and internal communications over the VPN.]
Feature Highlights
Cisco AnyConnect Secure Mobility Features
AnyConnect
• Trusted Network Detection
• Session Persistence
• Optimal Gateway Selection
• Always-on VPN
• Enhanced Device Support
• IPsec IKEv2
• Network Access Manager
• Telemetry
• SCEP Enrollment
ASA Firewall
• AnyConnect Secure Mobility head end support
• Optimized WSA traffic handoff
• Simplified management
• Enterprise firewall
• Remote access head end
• BotNet Filter
• Remote-specific policy
• Application controls
Web Security Appliance
• SaaS Access Control
• Multi-layer malware defense
• URL filtering and dynamic categorization
• Data security
• Application visibility and control
Cloud Web Security
• Web 2.0 content control
• Dynamic web classification
• HTTP/HTTPS scanning
• Search Ahead
• Outbreak Intelligence
• Real-time content analysis
• Acceptable use / control
• Malware defense
Cisco AnyConnect Secure Mobility Always On
• Always-On VPN extends the virtual perimeter to the endpoint
• Security persistence and policy are administratively controlled
• If the ASA head-end is unreachable, the client either fails open (direct network access) or fails closed (no network access), as configured
[Diagram: Security Persistence with Always-On VPN (fail closed or fail open); Security Enforcement Array: location-aware, captive portal, nearest head-end, auth persistence]
Cisco AnyConnect Secure Mobility Session Persistence
[Screenshot: Connection Status: Always-On, Failed Closed; No Network Access Available; Manual URL Entry is not Allowed]
AnyConnect Always-On ASDM Profile Configuration
Trusted Network Detection: Intelligent Mobility
• Automatically connects when out of the office (untrusted network) and disconnects when in the office (trusted network)
• Location determination is made by the default domain name or the DNS server IP
• Other checks likely in future
• Certificate authentication for seamless reconnection
• Administratively controlled policy
• Windows XP, Vista, 7 and Mac OS X
[Diagram: In Office / Out of Office]
Trusted Network Detection
• Trusted Network Detection is configurable via the AnyConnect profile
• Trusted networks can be defined as DNS suffixes or DNS server IP addresses
• DNS suffixes and DNS server IP addresses must be defined on the client workstation dynamically (DHCP)
• If both a trusted DNS suffix and a trusted DNS server IP address are defined, the entries are ANDed to determine the trusted network
• Detects trusted or untrusted network infrastructures for secure connectivity
• Both values are learned from whatever DHCP server answers on the local network, so the check identifies the network by what that network reports about itself; define both the suffix and the server address (so they are ANDed) and keep certificate authentication and the Always-On policy in place rather than relying on TND alone
[Diagram: at Corporate Headquarters the DHCP response yields DNS server 161.44.124.22 and suffix cisco.com (trusted DNS configuration, trusted network); at the Home Office it yields DNS server 68.87.78.130 and suffix comcast.net (untrusted DNS configuration, untrusted network).]
Trusted Network Detection ASDM Profile Configuration
Optimal Gateway Selection
• Connects to the most optimal head-end, approximated by the fastest round-trip time of an HTTPS request
[Diagram: a client measures round-trip times between 23 ms and 35 ms to head-ends in Los Angeles, New York, Boston and London and picks the lowest]
Feature parameters:
• Suspension Time Threshold (hours)
• Performance Improvement Threshold (%)
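As an added worked example (not from the slide or from Cisco), the following models how the two profile parameters above gate a gateway switch: the Suspension Time Threshold is the minimum time the machine must have been suspended before the client re-runs the selection after resume, and the Performance Improvement Threshold is the percentage by which another head-end must beat the current one before the client moves to it. The gateway names, the probe timings and the policy values are constructed for illustration.

```python
"""Model of Optimal Gateway Selection and its two profile parameters. Added
illustration, not AnyConnect code; gateway names, probe timings and policy
values are constructed."""

import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class OgsPolicy:
    # Minimum time the machine must have been suspended before OGS re-runs the
    # selection after resume; shorter suspends keep the previous gateway.
    suspension_time_threshold_hours: float = 4.0
    # A different gateway must beat the current one by more than this
    # percentage of round-trip time before the client switches to it.
    performance_improvement_threshold_pct: float = 20.0


def probe_rtt(samples_ms):
    """Round-trip estimate for one gateway from several HTTPS probes (here,
    constructed numbers). The median keeps one slow probe from deciding."""
    return statistics.median(samples_ms)


def select_gateway(rtt_ms):
    """Lowest RTT wins; unreachable gateways (None) are skipped; ties break on
    name so the choice is deterministic."""
    reachable = {g: r for g, r in rtt_ms.items() if r is not None}
    if not reachable:
        return None
    return min(reachable, key=lambda g: (reachable[g], g))


def gateway_after_resume(policy, current, rtt_ms, suspended_hours):
    """Decide which gateway to use after the system resumes from suspend."""
    if suspended_hours < policy.suspension_time_threshold_hours:
        return current                      # too short a suspend: do not re-evaluate
    best = select_gateway(rtt_ms)
    if best is None:
        return current                      # nothing reachable: keep what we had
    if current is None or rtt_ms.get(current) is None:
        return best                         # previous gateway unknown or unreachable
    improvement_pct = (rtt_ms[current] - rtt_ms[best]) / rtt_ms[current] * 100
    return best if improvement_pct > policy.performance_improvement_threshold_pct else current


# Constructed probe results, three HTTPS round trips per head-end.
PROBES_MS = {
    "Los Angeles": [33, 35, 37],
    "New York": [25, 24, 26],
    "Boston": [28, 27, 30],
    "London": [23, 23, 24],
}
RTT_MS = {gw: probe_rtt(samples) for gw, samples in PROBES_MS.items()}
POLICY = OgsPolicy()

if __name__ == "__main__":
    print("initial selection:", select_gateway(RTT_MS))
    print("Boston, 2 h suspend:", gateway_after_resume(POLICY, "Boston", RTT_MS, 2))
    print("Boston, 8 h suspend:", gateway_after_resume(POLICY, "Boston", RTT_MS, 8))
    print("Los Angeles, 8 h suspend:", gateway_after_resume(POLICY, "Los Angeles", RTT_MS, 8))
```

With these numbers a client on Boston (28 ms) stays there after a long suspend because London (23 ms) is only about 18% faster, below the 20% threshold; a client on Los Angeles (35 ms) moves to London because the improvement is about 34%. Lowering the threshold to 10% makes the Boston client switch too.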
Optimal Gateway Selection ASDM Profile Configuration
Captive Portal Detection
• Always-On enforces VPN connectivity. If AnyConnect fails to connect, the endpoint can fail closed, preventing network connectivity to and from the endpoint.
• Captive portal detection lets Always-On users remediate the captive portal (for example, a hotspot login page) before the required VPN is established.
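The three client-side behaviours described above (Trusted Network Detection, the Always-On fail-open/fail-closed policy, and captive portal remediation) combine into one decision on every network change. The following is an added illustration, not AnyConnect code: the profile field names and the network snapshots are constructed, and only the two DNS configurations come from the slide. It also shows why the ANDed suffix-plus-server rule matters: a network that hands out the corporate DNS suffix but not the corporate DNS server stays untrusted.

```python
"""Client-side decision model for Trusted Network Detection, Always-On
fail-open/fail-closed, and captive portal remediation. Added illustration,
not AnyConnect code. The profile field names and the network snapshots are
constructed; the DNS values come from the slide."""

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DISCONNECT = "disconnect"              # trusted network: no VPN needed
    CONNECT = "connect"                    # untrusted network: bring up the VPN
    REMEDIATE_PORTAL = "remediate_portal"  # let the user clear the hotspot login first
    BLOCK_ALL = "block_all"                # head-end unreachable, Always-On fail-closed
    ALLOW_DIRECT = "allow_direct"          # head-end unreachable, fail-open or no Always-On


@dataclass(frozen=True)
class Profile:
    """Subset of the AnyConnect profile settings shown on the slides (names assumed)."""
    trusted_dns_suffixes: frozenset = frozenset()
    trusted_dns_servers: frozenset = frozenset()
    always_on: bool = True
    fail_closed: bool = True
    captive_portal_remediation: bool = True


@dataclass(frozen=True)
class NetworkSnapshot:
    """What the adapter learned from DHCP on the current network, plus probe results."""
    dns_suffix: str
    dns_servers: frozenset
    headend_reachable: bool = True
    captive_portal: bool = False


def is_trusted(profile, net):
    """TND rule from the slide: when both a suffix list and a server list are
    configured they are ANDed; when only one is configured it decides alone.
    Suffix comparison is case-insensitive (DNS names are); any one of the
    adapter's DNS servers matching a trusted server satisfies the server test
    (modeling assumption)."""
    suffix_ok = net.dns_suffix.lower() in {s.lower() for s in profile.trusted_dns_suffixes}
    server_ok = bool(net.dns_servers & profile.trusted_dns_servers)
    if profile.trusted_dns_suffixes and profile.trusted_dns_servers:
        return suffix_ok and server_ok
    if profile.trusted_dns_suffixes:
        return suffix_ok
    if profile.trusted_dns_servers:
        return server_ok
    return False  # nothing configured: never treat a network as trusted by default


def decide(profile, net):
    """Combine TND, head-end reachability, captive portal detection and the
    Always-On fail policy into one client action."""
    if is_trusted(profile, net):
        return Action.DISCONNECT
    if net.headend_reachable:
        return Action.CONNECT
    # Untrusted network and the ASA head-end cannot be reached.
    if net.captive_portal and profile.captive_portal_remediation:
        return Action.REMEDIATE_PORTAL
    if profile.always_on and profile.fail_closed:
        return Action.BLOCK_ALL
    return Action.ALLOW_DIRECT


# Trusted network definition taken from the slide's corporate headquarters example.
PROFILE = Profile(trusted_dns_suffixes=frozenset({"cisco.com"}),
                  trusted_dns_servers=frozenset({"161.44.124.22"}))
FAIL_OPEN_PROFILE = Profile(trusted_dns_suffixes=PROFILE.trusted_dns_suffixes,
                            trusted_dns_servers=PROFILE.trusted_dns_servers,
                            fail_closed=False)

# Constructed network snapshots.
HQ = NetworkSnapshot("cisco.com", frozenset({"161.44.124.22"}))
HOME = NetworkSnapshot("comcast.net", frozenset({"68.87.78.130"}))
# A network that hands out the corporate suffix but not the corporate DNS server:
# the AND rule keeps it untrusted, which is why configuring both beats either alone.
SUFFIX_ONLY = NetworkSnapshot("cisco.com", frozenset({"192.168.0.1"}))
HOTSPOT = NetworkSnapshot("hotspot.example", frozenset({"10.0.0.1"}),
                          headend_reachable=False, captive_portal=True)
NO_HEADEND = NetworkSnapshot("isp.example", frozenset({"10.0.0.1"}), headend_reachable=False)

if __name__ == "__main__":
    for name, net in [("HQ", HQ), ("HOME", HOME), ("SUFFIX_ONLY", SUFFIX_ONLY),
                      ("HOTSPOT", HOTSPOT), ("NO_HEADEND", NO_HEADEND)]:
        print(f"{name:12} -> {decide(PROFILE, net).value}")
    print(f"{'NO_HEADEND':12} -> {decide(FAIL_OPEN_PROFILE, NO_HEADEND).value} (fail-open profile)")
```

Note the ordering in decide(): captive portal remediation is only offered when the head-end is unreachable on an untrusted network, and fail-closed is applied only after that, so a user behind a hotspot login is not locked out before they can authenticate to it.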
Captive Portal Detection User Experience
[Screenshot: Captive Portal Remediation Required]
Captive Portal ASDM Profile Configuration
AnyConnect Session Persistence: Network Follows Users. It Just Works
VPN session remains connected:
• while the user migrates between networks (3G, Wi-Fi, LAN, etc.)
• during loss of network connectivity
• during system hibernation/standby
• Administratively controlled policy
• Compatible with all auth methods
• User does not re-authenticate after hibernation/standby
[Diagram: auto-detect and connect, transparent handoff, session persistence; persistent connectivity]
Session Persistence User Experience: User Indicator
[Screenshot: Connection State: Reconnecting]
Cisco AnyConnect Secure Mobility: ASA – WSA Communication
1. AnyConnect authenticates and establishes a VPN tunnel to the ASA
2. ASA extracts the username from the certificate or the AAA server
3. ASA forwards the username and tunneled IP address to the WSA across an SSL connection
4. WSA verifies the username and group membership against Active Directory (LDAP, NTLMSSP, Basic)
5. WSA applies policies based on username or group membership
[Diagram: Adaptive Security Appliance and Web Security Appliance; VPN tunnel established, user authenticates, user identity and tunneled IP passed to the WSA, user and group authorization against Active Directory, web traffic to news, email and facebook.com]
ASA and WSA Communication: ASA > WSA Configuration
[Screenshot: Network > Enable Secure Mobility Solution; Services Port; WSA Access Password]
ASA and WSA Communication: WSA > ASA Configuration
[Screenshot: Enable Secure Mobility Solution; Enable Cisco ASA Integration; ASA hostname or IP address, service port and access password]
ASA and WSA Communication: Communication Test
[Screenshots: Verify ASA > WSA communication; Verify WSA > ASA communication]
Policy Enforcement: Control / Security
Cisco IronPort Web Security Appliance: Industry Leading Secure Web Gateway
[Diagram: Control (Data Security, Acceptable Use Controls, SaaS Access Controls) and Security (Malware Defense) applied to Secure Mobility traffic bound for the Internet, with Centralized Management and Reporting]
Controls in Action
Bandwidth Control: Corporate Approved
[Diagram: full bandwidth]
Web Security Appliance Configuration Allow Business Relevant Video
Bandwidth Control: Restricted
[Diagram: Finance, Legal, Marketing]
Web Security Appliance Configuration Restrict Media
Bandwidth Control: Customized
[Diagram: Finance, Legal, Marketing]
Web Security Appliance Configuration Override Restrictions
Facebook Controls
Web Security Appliance Configuration Facebook Control
Facebook Controls
[Screenshot: Permission]
Web Security Appliance Configuration Override Restrictions
SaaS Access Control: Regaining Visibility and Control Through Identity
Visibility | Centralized Enforcement | Single Source Revocation
[Diagram: users at the branch office, corporate office and home office running the AnyConnect Secure Mobility Client are redirected at login to SaaS Single Sign-On, which checks the user directory; direct access to the SaaS application is blocked.]
SaaS Single Sign-On
[Screenshot: seamless single sign-on, no login needed]
SaaS Single Sign-On
1. User accesses the web site; the connection is proxied
2. Redirect to the SAML SSO URL
3. Authenticate (if the user is unknown)
4. Browser requests the SSO URL
5. JavaScript POSTs the SAML response to the ACS URL; the POST is proxied to the website
6. User is logged into the service, which delivers the web user's portal
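The slide shows the proxy forcing the browser through the SAML SSO URL and then POSTing the SAML response to the service's ACS URL. What the service provider must check when that POST arrives is not on the slide; the following is an added illustration, not Cisco WSA or IdP code. The IdP, SP and ACS URLs, the request ID and the response document are all constructed, and signature verification is left as a hook (verify_signature): a real service provider must verify the XML signature before trusting any of the fields checked here.

```python
"""SP-side handling of the browser-POST SAML flow sketched above. Added
illustration, not Cisco WSA code. The IdP, SP and ACS URLs, the request ID and
the response document are constructed. Signature verification is left as a
hook (verify_signature): a real service provider must verify the XML signature
before trusting any field checked below."""

import base64
import html
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code: parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

SP_ENTITY_ID = "https://saas.example.com/sp"      # assumed SaaS entity ID
ACS_URL = "https://saas.example.com/saml/acs"     # assumed Assertion Consumer Service URL
IDP_ENTITY_ID = "https://sso.corp.example/idp"    # assumed corporate IdP entity ID
REQUEST_ID = "_req-7f3a"                          # assumed ID of the SP's AuthnRequest
NOW = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)


def build_response(user, request_id, issue_instant, valid_for=timedelta(minutes=5),
                   audience=SP_ENTITY_ID, destination=ACS_URL):
    """IdP side: a minimal unsigned SAML 2.0 Response, base64-encoded for the POST."""
    not_before = issue_instant.strftime(TIME_FMT)
    not_after = (issue_instant + valid_for).strftime(TIME_FMT)
    doc = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{destination}"
  InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{html.escape(user)}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(doc.encode()).decode()


def auto_post_form(saml_response_b64, relay_state=""):
    """The 'JavaScript POST' step: the page the browser submits to the ACS URL."""
    return (f'<form method="POST" action="{html.escape(ACS_URL)}">'
            f'<input type="hidden" name="SAMLResponse" value="{html.escape(saml_response_b64)}">'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}">'
            '</form><script>document.forms[0].submit()</script>')


def validate_response(saml_response_b64, expected_request_id, now, verify_signature=None):
    """SP side: return the NameID if every check passes, else raise ValueError."""
    raw = base64.b64decode(saml_response_b64, validate=True)
    if verify_signature is not None and not verify_signature(raw):
        raise ValueError("signature check failed")
    root = ET.fromstring(raw)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match this ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request (replay or unsolicited)")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("assertion or Conditions missing")
    not_before = datetime.strptime(cond.get("NotBefore", ""), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter", ""), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in Subject")
    return name_id


def rejection_reason(saml_response_b64, expected_request_id, now):
    """None when the response is accepted, otherwise the reason it was refused."""
    try:
        validate_response(saml_response_b64, expected_request_id, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    resp = build_response("alice@corp.example", REQUEST_ID, NOW)
    print("accepted as:", validate_response(resp, REQUEST_ID, NOW))
    print("replayed later:", rejection_reason(resp, REQUEST_ID, LATER))
```

The checks are ordered so that the cheapest structural refusals come first; the InResponseTo match is what stops a captured response being replayed against a different login, and the Audience and Destination checks stop a response issued for one service being accepted by another.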
Secure Mobility Reporting WSA Mobile User Reports
Secure Mobility Reporting: Simple Investigative Tool
• Track user activity / search by IP ranges
• Track a web site
• Know who is going to which web site
• Know who went to a specific web site
• And more…
Cisco AnyConnect Secure Mobility: Web Security with Next Generation Remote Access
• Choice: diverse endpoint support for greater flexibility
• Security: rich, granular security integrated into the network
• Experience: always-on intelligent connection for seamless experience and performance
[Diagram: Acceptable Use, Access Control, Data Loss Prevention, Threat Prevention; Intranet and Corporate File Sharing marked "Access Granted"]