Posture / MDM Enhancements - Cisco · BYOD / Certificate Enhancements and the New Portal Agenda !...


Page 1

Agenda

•  ISE 2.0 - overview
•  UI Update with Work Centers
•  TACACS+ and Device Admin Work Center
•  Deployment / Operational Enhancements
•  pxGrid, ANC, Fire & ISE
•  TrustSec Enhancements & Work Center
•  BYOD / Certificate Enhancements and the New Portal
•  Posture / MDM Enhancements
•  Location / MSE Integration
•  EAP-TTLS
•  3rd Party NAD Support
•  Easy Wired Access (EWA)
•  ISE Express
•  Q&A

Page 2

Role-Based Secure Access with ISE

ISE:
•  Acquires important context & identity from the network
•  Implements context-aware classification & policy
•  Provides differentiated access to the network

Figure: three endpoints in the same office receive different access to Patient Records, the Internal Employee Intranet and the Internet, depending on who and what they are:
•  Who: Guest, What: iPad, Where: Office
•  Who: Doctor, What: Laptop, Where: Office
•  Who: Doctor, What: iPad, Where: Office

Page 3

The Different Ways Customers Use ISE

•  Guest Access Management: easily provide visitors secure guest Internet access
•  BYOD and Enterprise Mobility: seamlessly classify & securely onboard devices with the right levels of access
•  Secure Access Control across the Entire Network: streamline enterprise network access policy over wired, wireless, & VPN
•  Cisco TrustSec® Software-Defined Segmentation: simplify network segmentation and enforcement to contain network threats
•  Context and Policy Architecture: improve security operations with deeper visibility and shared context through Cisco pxGrid


Page 5

5 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Goals of the User Interface Update in ISE 2.0

•  ISE 2.0 has begun a transition to a new UI to:
   •  Modernize the UI technologies for better browser & technology support
   •  Bring the UI into a more homogeneous design pattern
•  The navigation framework was changed first
•  Some of the pages remain the same, and just the navigation has changed
•  Systematically replacing the old pages and “widgets”
•  The re-vamped GUI will be a multi-release process
•  Flash is being phased out. :)

Page 6

Example: Revamped the Endpoints Identity Page

Screenshot: the new Endpoints page, with the filter controls shown below the list.


Page 8

TACACS+ Device Administration Support for ISE 2.0

Simplify security management with role-based access

What’s new for ISE 2.0? Customers can now use Terminal Access Controller Access Control System Plus (TACACS+) with ISE to simplify device administration and enhance security through flexible, granular control of access to network devices.

Benefits
•  Simplified, centralized device administration: increase security, compliance and auditing for a full range of administration use cases
•  Flexible, granular control: control and audit the configuration of network devices
•  Holistic, centralized visibility: get a comprehensive view of TACACS+ configurations with the TACACS+ administrator work center

Capabilities
•  Role-based access control
•  Flow-based user experience
•  Command level authorization with detailed logs for auditing
•  Dedicated TACACS+ work center for network administrators
•  Support for core ACS5 features

Figure: the Security Admin Team and the Network Admin Team each work from the TACACS+ Work Center.
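The slide lists command-level authorization with detailed logs for auditing as a capability. The following is an added example, not Cisco's code and not from the deck: a toy TACACS+-style command authorization engine in which a role maps to an ordered command set, the first matching rule decides, an unmatched command falls back to a per-set default, and every decision is written to an audit trail with its reason. The command sets, role names, device name and log format are constructed for illustration; ISE's own data model is not reproduced.

```python
"""Added example (not Cisco's code): toy TACACS+-style command authorization.
Command sets, roles, device names and the log format are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

PERMIT, DENY = "PERMIT", "DENY"


@dataclass
class CommandSet:
    """Ordered list of (grant, command regex, argument regex); first match wins."""
    name: str
    rules: List[Tuple[str, str, str]] = field(default_factory=list)
    permit_unmatched: bool = False   # the 'permit any command not listed' toggle

    def decide(self, command: str, args: str) -> Tuple[str, str]:
        for grant, cmd_re, args_re in self.rules:
            if re.fullmatch(cmd_re, command) and re.fullmatch(args_re, args):
                return grant, f"matched {cmd_re!r} {args_re!r}"
        return (PERMIT if self.permit_unmatched else DENY), "no rule matched"


# Constructed command sets: helpdesk may look but not change or reboot,
# netadmin gets everything.
HELPDESK = CommandSet("HelpDesk", [
    (PERMIT, r"show", r"(?!running-config).*"),   # any show except the running config
    (PERMIT, r"ping|traceroute", r".*"),
    (DENY,   r"configure", r".*"),
])
NETADMIN = CommandSet("NetAdmin", permit_unmatched=True)

ROLE_COMMAND_SETS = {"helpdesk": HELPDESK, "netadmin": NETADMIN}

AUDIT_LOG: List[str] = []   # in ISE this would be the TACACS+ authorization report


def authorize(user: str, role: str, device: str, line: str) -> bool:
    """Decide one command line and record the decision together with its reason."""
    command, _, args = line.strip().partition(" ")
    command_set = ROLE_COMMAND_SETS[role]
    grant, reason = command_set.decide(command, args)
    AUDIT_LOG.append(
        f"user={user} device={device} cmd={line.strip()!r} "
        f"result={grant} set={command_set.name} reason={reason}"
    )
    return grant == PERMIT


if __name__ == "__main__":
    for who, role, cmd in [("alice", "helpdesk", "show version"),
                           ("alice", "helpdesk", "show running-config"),
                           ("alice", "helpdesk", "configure terminal"),
                           ("bob", "netadmin", "reload")]:
        authorize(who, role, "core-sw1", cmd)
    print("\n".join(AUDIT_LOG))
```

The default for a command set without a matching rule is deny, so a helpdesk operator cannot run `reload` even though no rule names it; only a set that explicitly opts into `permit_unmatched` behaves otherwise.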

Page 9

ISE T+ versus ACS T+

Feature                                      | Reason
---------------------------------------------|------------------------------------------------
IPv6 T+                                      | ---
Customizable ports                           | Fixed as 49 in 2.0; customization comes in 2.1
Max Sessions Per Node                        | Coming in 2.1
Command-Set Import/Export                    | Coming in 2.1
No Hit Counts & Policy Table Customization   | Different UI

Page 10

Device Admin Service is not Enabled by Default

Page 11

Device Administration License

•  One license, up to the maximum number of network devices
•  NTE $4500
•  Requires 1+ Base license to enable the ISE product

Page 12

Migration Tool

•  Download from the Overview page for Device Administration


Pages 14-16

New Upgrade (For Your Reference)

Screenshots of the new upgrade workflow.

Page 17

Pre-Defined Policy Elements, Rules and Flows

Page 18

Pre-Configured Default Rules

•  In 1.3 & 1.4 we added some pre-built defaults
•  We continued that mission within 2.0
•  Goal: to speed up time to deployment
   •  The most common things are created FOR the customer/partner/CSE out of the box now
•  Goal: to show customers what is possible
•  Rules for: BYOD, Guest, MDM

Page 19

Other Serviceability Enhancements

Page 20

Test Repository from GUI


Page 22

Rapid threat containment with Cisco FireSIGHT Management Center (FMC) and Identity Services Engine (ISE)

What’s new for ISE 2.0? Cisco FireSIGHT Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.

Benefits
•  Detect threats early: FireSIGHT scans activity and publishes events to pxGrid
•  Automate threat defense: leverage ISE ANC to alert the network of suspicious activity according to policy
•  Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Capabilities
•  Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
•  Trigger quarantine actions, per policy, with Cisco FireSIGHT and ISE integration
•  Admit or deny access to the contractor portal

Automatically defend against threats with FMC and ISE (figure flow):
1. Corporate user downloads a file
2. FMC scans the user activity and the downloaded file
3. FMC detects a suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE automatically enforces policy on the network
5. Device is contained for remediation or mitigation; access is denied per security policy

Page 23

Cisco Rapid Threat Containment Solution: FMC and ISE

Advanced Threat Sensors
•  Cisco ASA with Firepower Services
•  Firepower NGIPS Appliances
•  Cisco AMP for Networks
•  Firepower on Cisco ISR

Threat Visibility: FMC
•  Cisco FireSIGHT Management Center
•  Automated Contextual Analysis and Threat Qualification
•  Continuous Threat Intelligence Updates to Threat Sensors

Automated Enforcement: ISE
•  Cisco FireSIGHT and Cisco ISE Automate Containment
•  Policy Enforcement from Cisco TrustSec, Downloadable ACL, or VLAN

Page 24

What versions are Required?

•  FMC: 5.4.x supported; 6.0 does not support RTC; 6.1 (summer 2016) will support RTC
•  ISE: version 1.3 and later


Page 26

TrustSec Work Center

Streamline management using a single workspace

What’s new for ISE 2.0? The TrustSec updated user experience, based on a new work center, allows simplified and streamlined deployment, troubleshooting and monitoring.

Benefits (with TrustSec’s new user interface)
•  Simplify management with a dedicated work center, allowing you to visualize, comprehend and manage policy in a single place
•  Enable TrustSec rapidly for initial use cases, including user-to-datacenter access control and user-to-user segmentation
•  Automate configuration of new SGT policies and authorization rules

Capabilities
•  New TrustSec administrator console and services
   –  TrustSec dashboard
   –  Matrix overhaul
   –  Automatic SGT creation
   –  ISE as SXP speaker / listener
•  Revised UX
   –  Improved menu structure for ease of navigation
   –  Search capability within the GUI
•  Enhanced reporting
   –  PDF print and local save reintroduced
   –  Improved filtering for live log and reports

Figure: intuitive work center and access policy matrix. Source SGTs (rows): Guest, Contractor, Employee, Infected. Destination SGTs (columns): Internet, Contractor Resources, HR Server, Employee Resources, Remediation. Each cell is either Permit IP or Deny IP (ten of each); the per-cell assignments are not recoverable from the extracted text.
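The matrix on this page and the containment flow on page 22 fit together: the source/destination SGT pair selects a cell, and the rapid-threat-containment step works by moving an endpoint to a different row. The following is an added example, not Cisco's code and not from the deck: a toy TrustSec-style matrix lookup plus an ANC-style containment function that re-tags a session on a malware verdict and records the CoA it would send. The per-cell Permit/Deny values, MAC addresses, user names and the shape of the FMC event are constructed (the deck only gives the row and column names, and the real pxGrid schema is not reproduced).

```python
"""Added example (not Cisco's code): toy TrustSec matrix lookup plus
ANC-style containment.  Cell values, MACs, users and the event shape are
constructed; the deck gives only the row and column names."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PERMIT, DENY = "Permit IP", "Deny IP"

SOURCES = ("Guest", "Contractor", "Employee", "Infected")
DESTINATIONS = ("Internet", "Contractor Resources", "HR Server",
                "Employee Resources", "Remediation")

# Constructed matrix: anything not listed is Deny IP.  Filling a matrix
# default-deny is the safe choice; the deck shows 10 permits and 10 denies.
POLICY: Dict[Tuple[str, str], str] = {
    ("Guest", "Internet"): PERMIT,
    ("Contractor", "Internet"): PERMIT,
    ("Contractor", "Contractor Resources"): PERMIT,
    ("Employee", "Internet"): PERMIT,
    ("Employee", "Employee Resources"): PERMIT,
    ("Employee", "HR Server"): PERMIT,
    ("Infected", "Remediation"): PERMIT,
}


def sgacl(source_sgt: str, dest_sgt: str) -> str:
    """Look up the matrix cell; unknown tags are an error, unlisted cells deny."""
    if source_sgt not in SOURCES or dest_sgt not in DESTINATIONS:
        raise ValueError(f"unknown SGT pair {source_sgt!r} -> {dest_sgt!r}")
    return POLICY.get((source_sgt, dest_sgt), DENY)


@dataclass
class Session:
    mac: str
    user: str
    sgt: str


@dataclass
class ThreatEvent:
    """Constructed shape of the FMC -> ISE notification, not the pxGrid schema."""
    mac: str
    verdict: str        # e.g. "malware" from an AMP file disposition
    sha256: str


def contain(sessions: Dict[str, Session], event: ThreatEvent,
            quarantine_sgt: str = "Infected") -> List[str]:
    """ANC-style containment: change the session's SGT and issue a CoA so the
    NAD re-authorizes the endpoint with the new tag.  Returns the actions taken."""
    actions: List[str] = []
    session = sessions.get(event.mac)
    if session is None:
        actions.append(f"no active session for {event.mac}; nothing to contain")
        return actions
    if event.verdict != "malware":
        actions.append(f"{event.mac}: verdict {event.verdict!r} does not trigger containment")
        return actions
    old = session.sgt
    session.sgt = quarantine_sgt
    actions.append(f"{event.mac}: SGT {old} -> {quarantine_sgt} (file {event.sha256[:12]}...)")
    actions.append(f"{event.mac}: CoA sent to NAD for user {session.user}")
    return actions


def demo() -> Tuple[str, str, str]:
    """Employee session before and after a malware verdict on its download."""
    mac = "00:11:22:33:44:55"
    sessions = {mac: Session(mac, "jdoe", "Employee")}
    before = sgacl(sessions[mac].sgt, "HR Server")
    contain(sessions, ThreatEvent(mac, "malware", "ab" * 32))
    after_hr = sgacl(sessions[mac].sgt, "HR Server")
    after_remediation = sgacl(sessions[mac].sgt, "Remediation")
    return before, after_hr, after_remediation


if __name__ == "__main__":
    print(demo())
```

The enforcement point never sees the verdict; it only sees the new tag, which is why the matrix must already contain an "Infected" row that permits nothing but Remediation.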

Page 27

New TrustSec Dashboard & Work Center

Page 28

Improved Matrix, Color Coded + Condensed


Page 30

Certificate Provisioning Portal

•  In ISE 1.4, we added the Certificate Provisioning API.
•  Now, in 2.0, we have a customizable portal.
   •  Customize it to look like the guest portals
   •  Configure which certificate templates may be used, the same way you assign sponsor groups to a portal page
•  Signing CSRs
•  Generating full key pairs
•  Multiple choices for download

Page 31

Admin UI

Page 32

CoA-Terminate after Certificate Revocation

Page 33

ISE 1.3/1.4: Device is Using a Cert Issued By ISE

Figure: ISE Cube (PSN-1, PSN-2, PAN, MnT), ISE Admin, NGFW, i-Net.
•  Admin revokes the certificate
•  Traffic is still flowing until the next re-auth

Page 34

ISE 2.0: Device is Using a Cert Issued By ISE

Figure: ISE Cube (PSN-1, PSN-2, PAN, MnT), ISE Admin, NGFW, i-Net.
1. Admin revokes the certificate
2. If the cert has an active session, send CoA

Page 35

ISE 2.0: Device is Using a Cert Issued By ISE (continued)

Figure: ISE Cube (PSN-1, PSN-2, PAN, MnT), ISE Admin, NGFW, i-Net.
2. If the cert has an active session, send CoA; the session is terminated (X)
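Pages 33 to 35 contrast two behaviours after an administrator revokes an ISE-issued certificate: in 1.3/1.4 the endpoint keeps its session until the NAD's next re-authentication, while in 2.0 ISE looks up active sessions that used that certificate and sends a CoA-Terminate. The following is an added example, not Cisco's code and not from the deck: a toy Policy Service Node that holds a revoked-serial set and a session table, and a `compare()` function that measures how long the endpoint keeps access under each behaviour. Serial numbers, the MAC address, the re-auth interval and the timings are constructed.

```python
"""Added example (not Cisco's code): revocation with and without an
immediate CoA-Terminate.  Serials, MACs and timings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Session:
    mac: str
    cert_serial: str
    authenticated_at: float
    reauth_interval: float      # seconds, the NAD's re-auth timer
    active: bool = True


@dataclass
class Psn:
    """Toy Policy Service Node: revoked serials and live sessions."""
    revoked: Set[str] = field(default_factory=set)
    sessions: Dict[str, Session] = field(default_factory=dict)
    coa_log: List[str] = field(default_factory=list)

    def authenticate(self, mac: str, serial: str, now: float,
                     reauth_interval: float = 3600.0) -> bool:
        """EAP-TLS style auth: a revoked serial fails and drops any old session."""
        if serial in self.revoked:
            self.sessions.pop(mac, None)
            return False
        self.sessions[mac] = Session(mac, serial, now, reauth_interval)
        return True

    def revoke(self, serial: str, now: float, send_coa: bool) -> List[str]:
        """Revoke a serial.  send_coa=False models 1.3/1.4, True models 2.0."""
        self.revoked.add(serial)
        terminated: List[str] = []
        if send_coa:
            for s in self.sessions.values():
                if s.cert_serial == serial and s.active:
                    s.active = False
                    self.coa_log.append(f"t={now:.0f} CoA-Terminate {s.mac} (cert {serial} revoked)")
                    terminated.append(s.mac)
        return terminated

    def exposure_window(self, mac: str, revoked_at: float) -> float:
        """Seconds the endpoint keeps network access after the revocation."""
        s = self.sessions[mac]
        if not s.active:
            return 0.0
        next_reauth = s.authenticated_at + s.reauth_interval
        return max(0.0, next_reauth - revoked_at)


def compare() -> Dict[str, float]:
    """Same endpoint, same revocation time, both behaviours."""
    results: Dict[str, float] = {}
    for label, coa in (("ISE 1.3/1.4", False), ("ISE 2.0", True)):
        psn = Psn()
        psn.authenticate("aa:bb:cc:dd:ee:ff", "0x1A2B", now=0.0, reauth_interval=3600.0)
        psn.revoke("0x1A2B", now=600.0, send_coa=coa)
        results[label] = psn.exposure_window("aa:bb:cc:dd:ee:ff", revoked_at=600.0)
        # Either way, the next re-auth with the revoked cert fails.
        assert psn.authenticate("aa:bb:cc:dd:ee:ff", "0x1A2B", now=3600.0) is False
    return results


if __name__ == "__main__":
    print(compare())   # {'ISE 1.3/1.4': 3000.0, 'ISE 2.0': 0.0}
```

With a one-hour re-auth timer and a revocation ten minutes into the session, the 1.3/1.4 behaviour leaves a 50-minute window in which a revoked credential still carries traffic; the CoA closes that window to zero.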


Page 37

What is Posture? Are my endpoints compliant with the company security policy?

Page 38

Posture for all Devices: Desktop Posture vs Mobile Posture

Desktop Posture
•  Desktop compliance checks for Windows and OS X
•  Variety of checks ranging from OS, hotfix, AV / AS, patch management and more…
•  ISE can enforce network access based on compliance

Mobile Posture (solution: ISE + MDM together)
•  Focused on mobile device posture ONLY
•  Requires devices to comply with MDM policy
•  PIN lock, jailbroken, app check and more…
•  ISE can enforce network access based on MDM compliance

Page 39

Cisco Confidential 39 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

MDM Enhancements: Are My Mobile Endpoints Compliant?

ISE 2.0 Highlights                                        | Description
----------------------------------------------------------|-------------------------------------------------------------
Better flows for on-boarding in brown-field environments  | Devices are pre-enrolled into MDM before ISE authentication
Meraki integration                                        | Enhanced on-boarding experience
Differentiated portal for MDM X                           | Vendor-based logo display on MDM pages

Page 40

Desktop Posture Enhancements: Are My Desktop Endpoints Compliant?

ISE 2.0 Highlights        | Description
--------------------------|-----------------------------------------------------------------------------------------------------------------
File Check Enhancements   | Enhanced OS X file checks, SHA-256, plist on OS X, Windows user directories such as “Desktop” and “User Profile”
OS X Daemon Check         | User agent check, user-based process check
Disk Encryption Check     | Checks can be based on installation, location and disk encryption state
Reporting                 | Report based on condition name and condition state
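The file-check row above names three things a posture condition can now key on: a user-directory-relative path such as "Desktop" or "User Profile", a SHA-256 of the file, and a report keyed by condition name and state. The following is an added example, not Cisco's code and not from the deck: a toy evaluator that resolves each condition against a user profile directory, checks existence and (optionally) the SHA-256, and produces a per-condition report plus an overall verdict. The sample files are created in a temporary directory; the condition names, the directory keys and the report format are constructed.

```python
"""Added example (not Cisco's code): toy posture file checks with SHA-256
and a condition-name/state report.  Files, names and format are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed mapping of 'user directory' keys to a path under the profile.
ROOTS = {"Desktop": "Desktop", "UserProfile": ""}


@dataclass
class FileCondition:
    name: str
    root: str                               # key into ROOTS
    relative_path: str
    expected_sha256: Optional[str] = None   # None -> existence check only


def sha256_of(path: str, chunk: int = 65536) -> str:
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def evaluate(cond: FileCondition, user_profile: str) -> Dict[str, str]:
    path = os.path.join(user_profile, ROOTS[cond.root], cond.relative_path)
    if not os.path.isfile(path):
        state = "NonCompliant: file missing"
    elif cond.expected_sha256 is None:
        state = "Compliant"
    elif sha256_of(path) == cond.expected_sha256.lower():
        state = "Compliant"
    else:
        state = "NonCompliant: hash mismatch"
    return {"condition": cond.name, "path": path, "state": state}


def posture_report(conditions: List[FileCondition], user_profile: str) -> List[Dict[str, str]]:
    return [evaluate(c, user_profile) for c in conditions]


def overall(report: List[Dict[str, str]]) -> str:
    """A single failing condition makes the endpoint non-compliant."""
    return "Compliant" if all(r["state"] == "Compliant" for r in report) else "NonCompliant"


def demo() -> List[Dict[str, str]]:
    """Constructed profile: one good file, one tampered file, one missing file."""
    with tempfile.TemporaryDirectory() as profile:
        os.makedirs(os.path.join(profile, "Desktop"))
        with open(os.path.join(profile, "Desktop", "agent.cfg"), "wb") as f:
            f.write(b"agent=on\n")
        with open(os.path.join(profile, "hosts.allow"), "wb") as f:
            f.write(b"ALL: ALL\n")                       # not the approved content
        conditions = [
            FileCondition("Desktop_AgentConfig", "Desktop", "agent.cfg",
                          hashlib.sha256(b"agent=on\n").hexdigest()),
            FileCondition("Profile_HostsAllow", "UserProfile", "hosts.allow",
                          hashlib.sha256(b"ALL: LOCAL\n").hexdigest()),
            FileCondition("Profile_Marker", "UserProfile", "marker.txt"),
        ]
        return posture_report(conditions, profile)


if __name__ == "__main__":
    report = demo()
    for row in report:
        print(f"{row['condition']:22} {row['state']}")
    print("overall:", overall(report))
```

Keying the report on condition name and state, rather than only on the overall verdict, is what lets an operator see that the endpoint failed because of a hash mismatch on one file rather than a missing file.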


Page 42

Enhance control with location-based authorization

What’s new for ISE 2.0? The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorize network access based on user location.

Location-based authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.

Benefits (with the integration of Cisco Mobility Services Engine (MSE))
•  Enhanced policy enforcement with automated location check and reauthorization
•  Simplified management by configuring authorization with ISE management tools
•  Granular control of network access with location-based authorization for individual users

Capabilities
•  Enables configuration of a location hierarchy across all location entities
•  Applies MSE location attributes in authorization policy
•  Checks MSE periodically for location changes (5 mins); one-way communication from ISE to MSE
•  Reauthorizes access based on the new location (i.e. if the location changes, apply CoA)
•  Requires a PLUS license in ISE

Figure: a doctor moving between locations. Patient data access locations are Patient room and ER.

Location      | Patient data
--------------|--------------------------
Lobby         | No access to patient data
Patient room  | Access to patient data
Lab           | No access to patient data
ER            | Access to patient data

Page 43

Location Based Authorization: Authorize user access to the network based on their location

Figure: ISE 2.0 exchanges location data with MSE 8.0, and ISE provides the UI to configure MSE. MSE: “I have location data”, in the form Campus:Building:Floor:Zone.
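Pages 42 and 43 together describe the mechanism: MSE reports a location as Campus:Building:Floor:Zone, the admin arranges those into a hierarchy, an authorization rule grants access by role and location, and ISE polls MSE every five minutes and sends a CoA when the decision changes. The following is an added example, not Cisco's code and not from the deck: a toy model of that loop for the doctor in the page 42 figure. The campus and building names, the user, the authorization profile names and the poll log format are constructed; the permitted zones (Patient room and ER) come from the figure.

```python
"""Added example (not Cisco's code): location-based authorization with a
5-minute MSE poll and CoA on change.  Names and the log format are
constructed; permitted zones come from the page 42 figure."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PATIENT_DATA_ZONES = {"Patient room", "ER"}   # from the figure
POLL_INTERVAL_MIN = 5                          # deck: ISE checks MSE every 5 minutes
HOSPITAL = "MainCampus:Hospital"               # constructed hierarchy node


def parse_location(loc: str) -> Tuple[str, str, str, str]:
    """MSE-style 'Campus:Building:Floor:Zone'; anything else is rejected."""
    parts = loc.split(":")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"expected Campus:Building:Floor:Zone, got {loc!r}")
    return parts[0], parts[1], parts[2], parts[3]


def in_hierarchy(loc: str, node: str) -> bool:
    """A node such as 'Campus:Building' covers every floor and zone under it."""
    return loc == node or loc.startswith(node + ":")


def authorize(role: str, location: str) -> str:
    """Authorization profile for a role at a location (profile names constructed)."""
    _campus, _building, _floor, zone = parse_location(location)
    if role == "Doctor" and in_hierarchy(location, HOSPITAL) and zone in PATIENT_DATA_ZONES:
        return "PatientData_Access"
    return "No_PatientData"


@dataclass
class Session:
    user: str
    role: str
    location: str
    profile: str


def poll_mse(session: Session, reported_location: str, minute: int) -> Optional[str]:
    """One poll: re-evaluate and return a CoA description only if the profile changed."""
    new_profile = authorize(session.role, reported_location)
    session.location = reported_location
    if new_profile == session.profile:
        return None
    old = session.profile
    session.profile = new_profile
    return f"t+{minute}min CoA reauth {session.user}: {old} -> {new_profile} ({reported_location})"


def walk(path: List[str], user: str = "dr.smith", role: str = "Doctor") -> List[str]:
    """Simulate successive polls as the user moves along `path`; return the CoAs sent."""
    session = Session(user, role, path[0], authorize(role, path[0]))
    events: List[str] = []
    for i, loc in enumerate(path[1:], start=1):
        event = poll_mse(session, loc, i * POLL_INTERVAL_MIN)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    route = ["MainCampus:Hospital:1:Lobby", "MainCampus:Hospital:2:Patient room",
             "MainCampus:Hospital:2:Lab", "MainCampus:Hospital:1:ER"]
    print("\n".join(walk(route)))
```

Because the poll is one-way from ISE to MSE, a move that happens just after a poll is not seen for up to five minutes; the access window that implies is a property of the poll interval, not of the rule.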


Page 45

On a Topic Related to TLS Support…

TLS Version Support
•  ISE 1.3/1.4 support TLS 1.0 only
•  ISE 2.0 adds support for TLS 1.1 and 1.2
•  ISE 2.0 negotiates TLS 1.2 as the preferred TLS version
•  Downgrade to TLS 1.0 / 1.1 is still supported during version negotiation between client and ISE, for compatibility with legacy clients
•  The lower versions of the protocol (SSL 3 and below) are not supported
•  Clients not capable of TLS 1.0 or higher will be rejected

Page 46

EAP-TTLS: What Is It? Why Would I Use It?

•  EAP-TTLS = “Tunneled” TLS
•  Developed by Funk (now Juniper) and Certicom (now RIM)
•  EAP type that uses TLS to securely pass AV pairs such as client credentials (inner identity) over a secure tunnel established using TLS
•  Supports virtually any EAP type for the inner method (including clear text) while not exposing the client identity
•  The client authenticates the server using TLS. Client authentication using certificates to secure the TLS tunnel is optional, so no certificate is required on the client
•  Most popular usage is eduroam, but the prevalence of PEAP support across broader client platforms has reduced general usage. Specific eduroam participants may still use EAP-TTLS to authenticate their local user base, but support is not required by RADIUS proxies
•  Native support for EAP-TTLS in Windows 8 and ISE will likely result in uptake of its deployment
•  Whitepaper on PEAP vs EAP-TTLS: http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf
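Page 45 states the version policy (TLS 1.2 preferred, 1.0/1.1 accepted for legacy clients, SSL 3 and below rejected) and page 46 states why EAP-TTLS matters: the client sends only an outer identity in the clear, authenticates the server by certificate, and passes the real credentials as AV pairs inside the tunnel. The following is an added example, not Cisco's code and not from the deck: a toy model of both. No real TLS is performed; the tunnel is a Python object that carries the inner AV pairs only once it exists, so the transcript of what crossed the wire in the clear can be inspected. The identities, password, CA names and message labels are constructed.

```python
"""Added example (not Cisco's code): TLS-version policy from page 45 and
the EAP-TTLS outer/inner identity split from page 46, modelled without real
TLS.  Identities, password, CA names and message labels are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2, "TLSv1.1": 3, "TLSv1.2": 4}
ISE_20_VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2")   # page 45: 1.2 preferred, SSL3 and below rejected


def negotiate_tls(client_versions, server_versions=ISE_20_VERSIONS) -> Optional[str]:
    """Highest version both sides support, or None when the client is rejected."""
    common = [v for v in client_versions if v in server_versions]
    return max(common, key=RANK.__getitem__) if common else None


@dataclass
class Supplicant:
    outer_identity: str            # sent in the clear, e.g. anonymous@realm
    inner_identity: str            # only ever sent inside the tunnel
    password: str
    tls_versions: Tuple[str, ...]
    trusted_cas: Tuple[str, ...]


@dataclass
class Server:
    cert_subject: str
    cert_issuer: str
    users: Dict[str, str]          # constructed user store


@dataclass
class Tunnel:
    version: str
    inner_avps: Dict[str, str] = field(default_factory=dict)


Wire = List[Tuple[str, str, str]]   # (side, message, cleartext payload)


def eap_ttls(client: Supplicant, server: Server) -> Tuple[bool, Wire]:
    wire: Wire = []
    # Phase 1: outer identity and TLS tunnel.  Only the server presents a certificate.
    wire.append(("client", "EAP-Response/Identity", client.outer_identity))
    version = negotiate_tls(client.tls_versions)
    if version is None:
        wire.append(("server", "EAP-Failure", "no supported TLS version"))
        return False, wire
    wire.append(("server", "ServerHello", version))
    wire.append(("server", "Certificate", f"{server.cert_subject} issued by {server.cert_issuer}"))
    if server.cert_issuer not in client.trusted_cas:
        wire.append(("client", "Alert", "unknown CA, tunnel refused"))
        return False, wire            # credentials never leave the client
    tunnel = Tunnel(version)
    # Phase 2: inner AV pairs (PAP-style User-Name/User-Password) travel only inside the tunnel.
    tunnel.inner_avps = {"User-Name": client.inner_identity, "User-Password": client.password}
    wire.append(("client", "EAP-Response/TTLS", "<encrypted application data>"))
    expected = server.users.get(tunnel.inner_avps["User-Name"], "")
    ok = hmac.compare_digest(expected.encode(), tunnel.inner_avps["User-Password"].encode())
    wire.append(("server", "EAP-Success" if ok else "EAP-Failure", ""))
    return ok, wire


def cleartext(wire: Wire) -> str:
    """Everything an on-path observer could read."""
    return " ".join(payload for _, _, payload in wire)


if __name__ == "__main__":
    srv = Server("radius.example.edu", "Campus-CA", {"jdoe": "s3cret"})
    user = Supplicant("anonymous@example.edu", "jdoe", "s3cret", ("TLSv1.0", "TLSv1.2"), ("Campus-CA",))
    ok, wire = eap_ttls(user, srv)
    print(ok, "| on the wire:", cleartext(wire))
```

The check that matters for a supplicant is the CA validation before phase 2: a client that skips it would hand its inner credentials to whichever server answered, which is why the model refuses the tunnel rather than continuing.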

Page 47

EAP-TTLS: Native Supplicant Support

•  Microsoft
   •  Windows v8+
   •  Microsoft Windows Phone v8.1+
   •  Note: Windows Mobile does not support EAP-TTLS
•  Apple
   •  Mac OS
   •  iOS version 3.1.3+ (default EAP type = MSCHAPv2)
•  Android v2.1 and higher
•  Google Chrome OS (for Chromebooks)
•  Blackberry 6A+


Page 49

ISE services now available for non-Cisco network access devices

Get the same great security across more devices

What’s new for ISE 2.0? Customers can now deploy ISE services such as Profiling, Posture, Guest and BYOD on Network Access Devices (NADs) manufactured by non-Cisco vendors.

Benefits (with non-Cisco device integration)
•  Protect consistently: deploy ISE across network devices, including non-Cisco NADs
•  Simplify administration: leverage pre-configured profile templates for automatically configuring non-Cisco NAD access
•  Maximize value: realize additional value from your existing infrastructure

Capabilities
•  Templatized MAB configuration for select non-Cisco vendor devices
•  CoA and URL re-direction to work with ISE
•  Non-Cisco NADs enabled to drive regular 802.1X operations

Compatible device vendors*: Aruba Wireless, HP Wireless, Motorola Wireless, Brocade Wired, HP Wired, Ruckus Wireless

Figure: 802.1X on non-Cisco NADs since ISE 1.0; new with ISE 2.0: Profiling, Posture, Guest, BYOD.

*For additional information, refer to the Cisco Compatibility Matrix

Page 50

“Smart” Conditions: Match Flow Conditions for Multiple Vendors in a Single Rule!

•  No need to create a separate policy rule for each vendor’s implementation of MAB, 802.1X, or WebAuth
•  ISE matches the request based on the NAD profile configuration.
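The two bullets above describe an indirection: the request is first attributed to a NAD, the NAD's profile says which RADIUS attributes mark a MAB, 802.1X or WebAuth request from that vendor, and one policy rule per flow then matches every vendor. The following is an added example, not Cisco's code and not from the deck, of that indirection. The Cisco-style conditions (Service-Type Call-Check for MAB and Framed for 802.1X, both with NAS-Port-Type Ethernet) follow ISE's default Wired_MAB and Wired_802.1X compound conditions; the second vendor, its attribute names and values, the NAD addresses, rule names and every request are constructed for illustration and are not taken from any vendor's documentation.

```python
"""Added example (not Cisco's code): NAD-profile based flow matching so one
rule per flow covers several vendors.  'VendorX', its attributes, the NAD
inventory, rule names and all requests are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

Request = Dict[str, str]   # RADIUS attribute name -> value (strings for simplicity)


@dataclass
class NadProfile:
    name: str
    # flow name -> attribute/value pairs that must all be present in the request
    flows: Dict[str, Dict[str, str]]

    def classify(self, req: Request) -> Optional[str]:
        for flow, conditions in self.flows.items():
            if all(req.get(attr) == value for attr, value in conditions.items()):
                return flow
        return None


PROFILES: Dict[str, NadProfile] = {
    # Mirrors ISE's default Wired_MAB / Wired_802.1X compound conditions.
    "Cisco": NadProfile("Cisco", {
        "Wired_MAB":    {"Service-Type": "Call-Check", "NAS-Port-Type": "Ethernet"},
        "Wired_802.1X": {"Service-Type": "Framed", "NAS-Port-Type": "Ethernet"},
    }),
    # Constructed vendor that marks the flow with its own vendor-specific attribute.
    "VendorX": NadProfile("VendorX", {
        "Wired_MAB":    {"Service-Type": "Login", "VendorX-Auth-Mode": "mac"},
        "Wired_802.1X": {"Service-Type": "Framed", "VendorX-Auth-Mode": "dot1x"},
    }),
}

# NAD inventory: NAS-IP-Address -> profile name, as an admin would assign per device.
NADS: Dict[str, str] = {"10.0.0.1": "Cisco", "10.0.0.2": "VendorX"}

# One policy rule per flow instead of one per (vendor, flow) pair.
POLICY_RULES: Dict[str, str] = {
    "Wired_MAB": "Profiling_Then_Limited",
    "Wired_802.1X": "Full_Access",
}


def classify_request(req: Request) -> Optional[str]:
    """Flow name for a request, via the profile of the NAD that sent it."""
    profile_name = NADS.get(req.get("NAS-IP-Address", ""))
    if profile_name is None:
        return None                      # unknown NAD: never matched, never authorized
    return PROFILES[profile_name].classify(req)


def match_rule(req: Request) -> Optional[str]:
    flow = classify_request(req)
    return POLICY_RULES.get(flow) if flow else None


if __name__ == "__main__":
    samples = [
        {"NAS-IP-Address": "10.0.0.1", "Service-Type": "Call-Check", "NAS-Port-Type": "Ethernet"},
        {"NAS-IP-Address": "10.0.0.2", "Service-Type": "Login", "VendorX-Auth-Mode": "mac"},
        {"NAS-IP-Address": "10.0.0.2", "Service-Type": "Framed", "VendorX-Auth-Mode": "dot1x"},
        {"NAS-IP-Address": "10.0.0.9", "Service-Type": "Framed", "NAS-Port-Type": "Ethernet"},
    ]
    for s in samples:
        print(s["NAS-IP-Address"], "->", classify_request(s), "->", match_rule(s))
```

The profile lookup is keyed on the NAD's identity, not on attributes the request itself carries, so a request that merely mimics another vendor's attribute set is still classified by the profile assigned to the device that sent it.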

Page 51

Current Vendor Test Results

Vendor            | Verified Series                  | Tested Model / Firmware                     | CoA | Profiler | Posture | Guest / BYOD
------------------|----------------------------------|---------------------------------------------|-----|----------|---------|-------------
Aruba Wireless    | 7000, InstantAP                  | 7005-US/6.4.1.0                             | ✔   | ✔        | ✔       | ✔
Motorola Wireless | RFS 4000                         | Wing v5.5                                   | ✔   | ✔        | ✔       | ✔
HP Wireless       | 830 (H3C)                        | 8P/3507P35                                  | ✔   | ✔        | ✔       | ✔
HP Wired          | HP 5500 HI Switch Series (H3C)   | A5500-24G-4SFP HI/5.20.99                   | ✔   | ✖        | ✖       | ✖
HP Wired          | HP 3800 Switch Series (ProCurve) | 3800-24G-POE-2SFP (J9573A) KA.15.16.000.6   | ✖   | ✖        | ✖       | ✖
Brocade Wired     | ICX 6610                         | 24/08.0.20aT7f3                             | ✔   | ✔        | ✖       | ✖
Ruckus Wireless   | ZD1200                           | 9.9.0.0 build 205                           | ✔   | ✔        | ✖       | ✖

Column notes: Profiler requires CoA support; Posture and Guest / BYOD require CoA and URL-redirect support.

Additional 3rd party NAD support: requires identification of device properties/capabilities and creation of a custom NAD profile in ISE. A more detailed guide is to be published.


Page 53

Simplify access management while staying secure

Capabilities
•  Active-session monitoring across both AD and Network log-ins
•  Session maintenance from Wired MAB clients to NADs
•  Directory notification publication via pxGrid
•  Assignment of VLANs, dACLs, SGTs and more for users authorized via EWA

Benefits
What’s new for ISE 2.0? The addition of Easy Wired Access (EWA) offers customers enhanced attachment of ISE security to wired ports and deployments.

With ISE Easy Wired Access (EWA):
•  Increased visibility into active network sessions authenticated against AD
•  Enhanced control with options for Monitoring-only Mode or Enforcement-Mode
•  Flexible deployment that doesn’t require a supplicant or PKI, allowing ISE to issue CoA for added security

[Figure: Access Security vs. Complexity chart with three points: “Basic with whitelisting”, “Better and flexible with ISE Easy Wired Access”, “Most secure with integrated 802.1x, supplicants and certificates”.]

[Figure: Identity mapping flow. User 1 Active Directory Login and User 1 Network Login are correlated by ISE (Identity mapping), published to pxGrid and visible to Admin 1; ISE operates in Monitor-only mode or Enforcement-Mode.]

EWA, a secure alternative to whitelisting

Page 54

What’s Easy About EWA?

•  NO Supplicant required to implement this technology!

•  NO PKI/cert requirements!

•  Leverages existing AD logins to provide identity to network connections

•  Visibility mode only needs RADIUS Accounting or Device Sensor on switch

•  Enforcement mode requires only basic MAB config on switch

•  AD lookups and authorization based on AD login identity without RADIUS authentication (802.1X, MAB, etc.), so more seamless and transparent to the client

•  Simple integration with pxGrid for publishing session info related to Identity Mapping and EWA

•  Seamless integration with TrustSec via ISE SXP for AD-authenticated sessions

Page 55

What’s Not So Easy About EWA?

•  Configuring AD domain controllers
   •  Each DC that services logins must be configured to allow WMI from ISE
   •  Patches/Registry changes/DCOM updates/FW rules verified

•  Non-Windows/headless endpoints
   •  EWA is for Microsoft AD joined computers – primarily Windows only
   •  EWA identity based on AD User login, not AD Machine login
   •  EWA and MAB Authentication are mutually exclusive
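The three EWA slides above describe identity mapping in terms of inputs (AD user logons learned from the domain controllers, network sessions learned from RADIUS accounting or Device Sensor) and two modes (monitor-only publishing, or enforcement on the switch's MAB request, with CoA when a mapping changes). The following is an added example that models that correlation; it is not ISE code and not Cisco's documented algorithm. The logon and session records, the 8-hour staleness window, the group-to-attribute policy, the AD group membership and the "restricted" result for an endpoint with no mapped user are all constructed assumptions for the example.

```python
"""Constructed model of Easy Wired Access style identity mapping.

Inputs (both constructed here):
  * AD domain-controller logon events (user, client IP, time), which ISE
    would learn via WMI from each DC that services logins;
  * network sessions (MAC, IP, NAD, port) learned from RADIUS accounting or
    the switch Device Sensor.
Logons are joined to sessions on IP. Machine accounts are ignored because
EWA identity is the AD *user* login, and stale logons are dropped.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

MAX_LOGON_AGE = 8 * 3600  # seconds; assumed staleness window, not an ISE setting


@dataclass(frozen=True)
class AdLogon:
    user: str   # AD account name as seen in the DC logon event
    ip: str     # client IP address from the logon event
    ts: int     # event time, epoch seconds


@dataclass(frozen=True)
class NetSession:
    mac: str
    ip: str
    nad: str    # switch that reported the session
    port: str


@dataclass(frozen=True)
class Mapping:
    user: str
    mac: str
    ip: str
    nad: str
    port: str


def is_machine_account(name: str) -> bool:
    """AD computer accounts end in '$'; EWA maps user logons only."""
    return name.endswith("$")


def build_mappings(logons: Iterable[AdLogon], sessions: Iterable[NetSession],
                   now: int) -> Dict[str, Mapping]:
    """Join DC logon events with network sessions on IP; result keyed by MAC."""
    latest: Dict[str, AdLogon] = {}
    for ev in logons:
        if is_machine_account(ev.user) or now - ev.ts > MAX_LOGON_AGE:
            continue
        cur = latest.get(ev.ip)
        if cur is None or ev.ts > cur.ts:      # newest user logon per IP wins
            latest[ev.ip] = ev
    mappings: Dict[str, Mapping] = {}
    for s in sessions:
        ev = latest.get(s.ip)
        if ev is not None:
            mappings[s.mac] = Mapping(ev.user, s.mac, s.ip, s.nad, s.port)
    return mappings


# Hypothetical authorization policy: AD group -> attributes the NAD enforces.
POLICY = {
    "Doctors":     {"vlan": 20, "dacl": "PERMIT_CLINICAL", "sgt": 10},
    "Contractors": {"vlan": 30, "dacl": "PERMIT_INTERNET_ONLY", "sgt": 40},
}
# Hypothetical group membership that ISE would otherwise look up in AD.
AD_GROUPS = {"alice": "Doctors", "bob": "Contractors", "carol": "Doctors"}
# Constructed result for endpoints with no mapped user or no matching group.
RESTRICTED = {"vlan": 99, "dacl": "DENY_ALL_EXCEPT_DHCP", "sgt": 0}


def publish_feed(mappings: Dict[str, Mapping]) -> List[dict]:
    """Monitor-only mode: emit session records (pxGrid-style), enforce nothing."""
    return [{"user": m.user, "mac": m.mac, "ip": m.ip, "nad": m.nad, "port": m.port}
            for m in sorted(mappings.values(), key=lambda m: m.mac)]


def authorize_mab(mac: str, mappings: Dict[str, Mapping]) -> dict:
    """Enforcement mode: answer the switch's MAB request from the mapped AD identity."""
    m = mappings.get(mac)
    if m is None:
        return {"result": "ACCESS_ACCEPT", "identity": None, **RESTRICTED}
    attrs = POLICY.get(AD_GROUPS.get(m.user, ""), RESTRICTED)
    return {"result": "ACCESS_ACCEPT", "identity": m.user, **attrs}


def coa_targets(old: Dict[str, Mapping], new: Dict[str, Mapping]) -> List[str]:
    """MACs whose mapped identity appeared or changed: these need a CoA reauthorization."""
    return sorted(mac for mac, m in new.items()
                  if mac not in old or old[mac].user != m.user)


# Constructed sample data: a machine logon, a stale logon, and a user change on one IP.
NOW = 40000
LOGONS = [
    AdLogon("alice", "10.0.1.10", 39000),
    AdLogon("WS-042$", "10.0.1.10", 39500),   # machine account, ignored although newer
    AdLogon("bob", "10.0.1.11", 500),         # older than MAX_LOGON_AGE, dropped
    AdLogon("carol", "10.0.1.12", 38000),
    AdLogon("dave", "10.0.1.12", 38500),      # later logon on the same IP replaces carol
]
SESSIONS = [
    NetSession("00:11:22:33:44:01", "10.0.1.10", "sw1", "Gi1/0/1"),
    NetSession("00:11:22:33:44:02", "10.0.1.11", "sw1", "Gi1/0/2"),
    NetSession("00:11:22:33:44:03", "10.0.1.12", "sw2", "Gi1/0/7"),
    NetSession("00:11:22:33:44:04", "10.0.1.13", "sw2", "Gi1/0/8"),   # no AD logon seen
]

if __name__ == "__main__":
    current = build_mappings(LOGONS, SESSIONS, NOW)
    for rec in publish_feed(current):
        print(rec)
    for s in SESSIONS:
        print(s.mac, authorize_mab(s.mac, current))
    print("CoA needed for:", coa_targets({}, current))
```

Two of the slide's caveats fall out of the model directly: a computer-account logon never produces a mapping, and the endpoint whose only logon is stale gets the restricted result rather than the last user's access, which is the failure mode to test for when EWA is run in enforcement mode.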

Page 56

Easy Wired Access

Differentiator    | Major Technical Outcome                 | Major Business Outcome
Easy Wired Access | Deploying ISE w/o Configuring Endpoints | Shorter time to PoV; Streamlined Enterprise Rollouts

[Figure: AD Logins at the Microsoft Active Directory Domain Controllers feed User Mappings Derived from AD Logins in the Identity Services Engine, which controls Network Access Devices w/o 802.1X and shares the mappings over SXP with the Rest of Network.]

•  Passive Login, FULL Control (No 802.1X)
•  Non-intrusive
•  Uses What’s Already There (AD)
•  Full Visibility/Control w/o Touching Endpoints
•  Faster, Simpler Deployments for software-defined segmentation


Page 58

Cisco ISE Base vs. Cisco ISE Express

                                  | Cisco ISE Base                                              | Cisco ISE Express
Features/Capabilities?            | Guest Access; RADIUS/AAA                                    | Same
High availability                 | YES                                                         | NO
Platform Included with Licensing? | NO—Purchase HW or VM and Licensing                          | YES—Bundle Includes One (1) ISE VM + 150 Licenses
List Price?                       | $6,990 US (ISE VM: $5,990 + Base: $1,000, for 200 Licenses) | $2,500 US

Page 59

Cisco ISE Express: Enterprise Guest for Less

Easy, Affordable Guest Services Now Available: Entry-Level Bundle for the Market-Leading Cisco ISE

The Offer: One (1) ISE VM (5,000 Active Licensed Endpoints) with ISE Base Licenses for 150 Endpoints* for Single Site Deployment (Non-Distributed, No High-Availability)

The Features: Guest, RADIUS/AAA, Unlimited Custom Portals with ISE Portal Builder; Easy Installation Guide

The Price: $2,500 US

*SKU upgrade planned so the VM can be used for up to 10,000 endpoints and in high availability and distribution.

Page 60

What’s New: ISE Express Installation Wizard

•  Free, downloadable application
•  Simplifies ISE and wireless controller installation
•  Provisions Hotspot, Self-Registered or Sponsor services
•  Modifies guest portals with logo and colors
•  Go to ISE Cisco Software Download on CCO


Page 62

Tech updates and Webinar - DK

http://www.cisco.com/web/DK/learn_events/seminarkalender2016.html
