ISE-Architecture Fundamentals-Security
Technical documentation, uploaded by Juan Garcia (63 pages)

Security Basics Series: Architecture Fundamentals
Identity Services Engine (ISE)
Virtual Engineering, Americas Partner Organization
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Solution Overview
• Design
• New Features
• Resources

Slides and Recordings available here: https://communities.cisco.com/docs/DOC-52899
Solution Overview
• Evolving Workplace
• TrustSec
• ISE
Our Users Have New Expectations: The Evolving Workplace Landscape

Device Proliferation
• On Average Every Person Has 3–4 Devices On Them
• 15 Billion Devices Will Be Connecting to Your Network by 2015
• 40% of Staff Are Bringing Their Own Devices to Work
(Landscape panels: Device Proliferation, Next Generation Workforce, Virtualization)
Our Users Have New Expectations: The Evolving Workplace Landscape

Next Generation Workforce
• Work Is No Longer a Place You Go to Work
• People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home
• 70% of end users admit to breaking IT policy to make their lives easier
Need Anywhere, Anytime, Any Device Access
Our Users Have New Expectations: The Evolving Workplace Landscape

Virtualization
• “60% of server workloads will be virtualized by 2013”
• “20% of professional PCs will be managed under a hosted virtual desktop model by 2013.”
• Datacenters are evolving; applications are now objects moving through the network
Cisco Identity Services Engine (ISE)
Delivering the Visibility, Context and Control for Secure Network Access
• Network / user context and partner context data: Who, What, When, Where, How
• Consistent secure access policy across wired, wireless and VPN
Cisco ISE is Core to Cisco Security: Attack Continuum
• BEFORE (Control, Enforce, Harden): Firewall, VPN, NGFW, UTM
• DURING (Detect, Block, Defend): NGIPS, Web + Email Security
• AFTER (Scope, Contain, Remediate): Advanced Malware Protection, Network Behavior Analysis
• Across all three phases: Identity Services + NAC, pxGrid + TrustSec
ISE Provides Visibility, Context, and Control Across the Entire Continuum
Cisco TrustSec Solution Portfolio
• Policy Administration / Policy Decision: Identity Services Engine (ISE), Identity Access Policy System
• Policy Enforcement (TrustSec powered): Cisco 2900/3560/3700/3800/4500/6500, Cisco ASA, ISR, ASR 1000, Nexus 5000/7000 switches, wireless and routing infrastructure
• Policy Information (TrustSec powered): NAC Agent and Web Agent (no-cost persistent and temporal clients for posture and remediation); 802.1X supplicant (AnyConnect or OS-embedded supplicant)
Identity-Based Access Is a Feature of the Network, Spanning Wired, Wireless, and VPN
Comprehensive Visibility: Identity and Context Awareness
Guest Access, Profiling, Posture

CONTEXT (Who, What, Where, When, How), for example:
• Security Camera G/W: agentless asset, Chicago Branch
• Francois Didier: consultant, HQ—Strategy, remote access, 6 p.m.
• Personal iPad: employee owned, wireless, HQ
• Vicky Sanchez: employee, Marketing, wireline, 3 p.m.
• Frank Lee: guest, wireless, 9 a.m.

IDENTITY: 802.1X, MAB, WebAuth on Cisco switches, routers, wireless access points
Comprehensive Visibility: Identity Awareness
Leveraging Your Infrastructure Network (Cisco Catalyst® Switch)

Identity Differentiators:
• Monitor Mode
• Flexible Authentication Sequence
• IP Telephony Support
• Support for Virtual Desktop Environments

Authentication Features:
• IEEE 802.1X (authorized users)
• MAC Auth Bypass and Profiling (tablets, IP phones, network devices)
• Web Auth (guests)

Consistent identity features supported on all Catalyst switch models
Device Identification: Manual Device Classification and Policy Enforcement
The Challenge: device proliferation and identification for policy enforcement
Typical Deployment Scenario:
• Multitude of devices on the network, wired and wireless
• Need to have policy control for each device type
• Need assurance that a device conforms with its fingerprint
Comprehensive Visibility: Device Identification (Cisco Innovation)
Automated Device Classification Using Cisco Infrastructure

Device Profiling for wired and wireless networks: the switch or access point collects CDP, LLDP, DHCP and MAC data from each endpoint (for example a printer or a personal iPad) and ISE applies the matching policy (Printer Policy: place on VLAN X; iPad Policy: restricted access).

The Solution: Efficient Device Classification Leveraging Infrastructure
Deployment Scenario with Cisco Device Sensors:
• COLLECTION: switch collects device-related data and sends a report to ISE
• CLASSIFICATION: ISE classifies the device, collects flow information and provides a device report
• AUTHORIZATION: ISE executes policy based on user and device
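To make the collection, classification and authorization steps concrete, here is a small profiling pipeline added for illustration; it is not Cisco ISE code. The profile names, certainty values, policy strings and the four device-sensor records are all constructed, and the weighted-condition scoring is a simplified stand-in for how a profiler accumulates certainty from CDP, LLDP, DHCP and HTTP attributes before an authorization policy is chosen.

```python
from dataclasses import dataclass, field

# --- COLLECTION: attribute sets a switch device sensor could forward to ISE.
# All four records are constructed for this example (MACs, names, strings).
SAMPLE_REPORTS = [
    {"mac": "00:1e:c9:aa:bb:cc", "cdp_platform": "cisco AIR-AP1142N-A-K9",
     "lldp_sysdesc": "Cisco Aironet Access Point", "dhcp_class_id": "Cisco AP c1140"},
    {"mac": "28:6a:ba:11:22:33", "dhcp_hostname": "Pauls-iPad",
     "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X)"},
    {"mac": "00:17:c8:44:55:66", "dhcp_hostname": "NPI3F2A1C",
     "lldp_sysdesc": "Hewlett-Packard LaserJet P4015"},
    {"mac": "b8:27:eb:77:88:99", "dhcp_hostname": "unknown-thing"},
]


@dataclass
class Profile:
    """A profiling policy: weighted substring conditions over sensor attributes."""
    name: str
    min_certainty: int                 # score required before the profile matches
    authorization: str                 # policy ISE would execute for a matched device
    conditions: list = field(default_factory=list)  # (attribute, needle, points)


# Constructed profiles; the "VLAN X" / "restricted access" outcomes mirror the slide.
PROFILES = [
    Profile("Cisco-Access-Point", 30, "Access-Point policy: place on VLAN X",
            [("cdp_platform", "AIR-AP", 30), ("lldp_sysdesc", "Aironet", 20),
             ("dhcp_class_id", "Cisco AP", 20)]),
    Profile("Apple-iPad", 20, "iPad policy: restricted access",
            [("http_user_agent", "iPad", 30), ("dhcp_hostname", "iPad", 10)]),
    Profile("HP-Printer", 20, "Printer policy: place on printer VLAN",
            [("lldp_sysdesc", "LaserJet", 20), ("dhcp_hostname", "NPI", 10)]),
]
UNKNOWN_AUTHORIZATION = "Unknown-device policy: restricted access"


def certainty(report, profile):
    """Sum the points of every condition whose needle appears in that attribute."""
    return sum(points for attr, needle, points in profile.conditions
               if needle.lower() in report.get(attr, "").lower())


# --- CLASSIFICATION: pick the best-scoring profile, but only if it clears
# its own threshold; otherwise the endpoint stays Unknown.
def classify(report):
    scored = sorted(((certainty(report, p), p) for p in PROFILES),
                    key=lambda sp: sp[0], reverse=True)
    score, best = scored[0]
    if score < best.min_certainty:
        return "Unknown", score
    return best.name, score


# --- AUTHORIZATION: map the chosen profile to the policy ISE would push.
def authorize(report):
    name, score = classify(report)
    policy = next((p.authorization for p in PROFILES if p.name == name),
                  UNKNOWN_AUTHORIZATION)
    return {"mac": report["mac"], "profile": name,
            "certainty": score, "policy": policy}


if __name__ == "__main__":
    for record in SAMPLE_REPORTS:
        print(authorize(record))
```

The threshold is what carries the "conforms with its fingerprint" point from the previous slide: a device that presents only one weak attribute (a DHCP hostname containing "iPad", worth 10 here) stays below the iPad profile's minimum and falls to the unknown-device policy, so a single claimed attribute does not by itself earn a more permissive policy; several independent sources (CDP, LLDP, DHCP, HTTP) have to agree.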
Comprehensive Visibility: Evolution of Device Identity, Broad and Deep (Cisco Innovation)
• Integrated Profiling (visibility in scale): the network infrastructure provides the local sensing function (Cisco Device Sensor); contextual data is passed via RADIUS to ISE
• Active Endpoint Scanning (enhanced accuracy): ISE augments passive network telemetry with active endpoint telemetry data
• Device Feed (identity in scale): manufacturers and the ecosystem provide constant device sensor updates for new devices (network-based); customers pull the bundled data feed from Cisco
Comprehensive Visibility: Context Awareness, Posture Assessment
ISE Posture Ensures Endpoint Health before Network Access: a wired, wireless or VPN user whose endpoint is non-compliant gets temporary limited network access until remediation is complete.

Sample Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running

Challenge:
• Understanding health of device
• Varying level of control over devices
• Cost of remediation

Value:
• Temporal (web-based) or persistent agent
• Automatic remediation
• Differentiated policy enforcement based on role
Comprehensive Visibility: Context Awareness, Guest Management
ISE Guest Service for managing guests: wireless or wired guests authenticate through Web Authentication under the Guest Policy and receive Internet-only access.
• Provision: guest accounts via Sponsor Portal
• Manage: sponsor privileges, guest accounts and policies, Guest Portal
• Notify: guests of account details by print, email, or SMS
• Report: on all aspects of guest accounts
Exceptional Control: Delivers Policy-Based Enforcement
Wireless user, wired user, devices, thin client, remote VPN user: policy-based access control with scalable enforcement in the identity- and context-aware network.
Enforcement options:
• VLANs
• Access Control Lists
• Secure Group Tags (Cisco Innovation)
• MACsec Encryption (Cisco Innovation)
Security zones: Data Center, Intranet, Internet
Exceptional Control: TrustSec Authorization and Enforcement (Cisco Innovation)
Flexible Enforcement Mechanisms in your infrastructure:
• dACL or Named ACL (e.g. Employee: permit IP any; Remediation ACL): less disruptive to endpoint (no IP address change required); improved user experience
• VLANs (e.g. Contractor on VLAN 3, Employees on VLAN 4): does not require switch port ACL management; preferred choice for path isolation
• Security Group Access (SXP, SGT, SGACL, SGFW; e.g. a Security Group Tag for Guest): simplifies ACL management; uniformly enforces policy independent of topology; fine-grained access control
Exceptional Control: Security Group Access (Cisco Innovation)
Marking traffic with context: sources such as Doctor, Finance and Guest, destinations such as Patient Records (confidential), a resource unrestricted for employees, and the Internet.

The Solution: Scalable Enforcement Independent of Network Topology
Deployment Scenario with Security Group Access (SGA):
• Scalable and consistent policy enforcement
• Reduced operational expense
• Increased business agility
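As an added illustration of the topology-independence claim on the two slides above (this is not Cisco code), the block below evaluates a small SGACL matrix keyed purely on source and destination tag and contrasts it with an IP-based ACL written for the same intent. Tag numbers, group names, subnets and the three flow records are constructed.

```python
from ipaddress import ip_address, ip_network

# Security Group Tags ISE would assign at authorization (values constructed).
SGT = {"Doctor": 10, "Finance": 20, "Employee": 30, "Guest": 40,
       "Patient-Records": 100, "Finance-Apps": 110,
       "Employee-Portal": 120, "Internet": 130}

# SGACL matrix keyed by (source SGT, destination SGT); unlisted pairs hit the default.
SGACL = {
    (SGT["Doctor"], SGT["Patient-Records"]): "permit",
    (SGT["Finance"], SGT["Finance-Apps"]): "permit",
    (SGT["Doctor"], SGT["Employee-Portal"]): "permit",     # unrestricted for employees
    (SGT["Finance"], SGT["Employee-Portal"]): "permit",
    (SGT["Employee"], SGT["Employee-Portal"]): "permit",
    (SGT["Guest"], SGT["Internet"]): "permit",
    (SGT["Guest"], SGT["Patient-Records"]): "deny",
}
DEFAULT_ACTION = "deny"


def sgacl_decision(src_sgt, dst_sgt):
    """Decision depends only on the two tags, not on VLAN or IP address."""
    return SGACL.get((src_sgt, dst_sgt), DEFAULT_ACTION)


# Contrast: an IP-based ACL (constructed) that tries to express "doctors may
# reach patient records" by naming the subnet the doctors' wired VLAN uses.
IP_ACL = [  # (source network, destination network, action); first match wins
    (ip_network("10.1.30.0/24"), ip_network("10.9.1.0/24"), "permit"),
]


def ip_acl_decision(src_ip, dst_ip):
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, action in IP_ACL:
        if src in src_net and dst in dst_net:
            return action
    return DEFAULT_ACTION


def compare(flow):
    """Return both enforcement decisions for one flow record."""
    return {"sgacl": sgacl_decision(flow["src_sgt"], flow["dst_sgt"]),
            "ip_acl": ip_acl_decision(flow["src_ip"], flow["dst_ip"])}


# Constructed flows: the same doctor reaching patient records first from the
# wired VLAN and then from wireless (a different subnet), then a guest trying.
FLOWS = [
    {"who": "doctor-wired", "src_ip": "10.1.30.15", "src_sgt": SGT["Doctor"],
     "dst_ip": "10.9.1.5", "dst_sgt": SGT["Patient-Records"]},
    {"who": "doctor-wireless", "src_ip": "10.1.40.77", "src_sgt": SGT["Doctor"],
     "dst_ip": "10.9.1.5", "dst_sgt": SGT["Patient-Records"]},
    {"who": "guest-wireless", "src_ip": "10.1.40.78", "src_sgt": SGT["Guest"],
     "dst_ip": "10.9.1.5", "dst_sgt": SGT["Patient-Records"]},
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow["who"], compare(flow))
```

The second flow is the point of the slide: once the doctor moves to a wireless subnet the IP ACL no longer matches and would have to be rewritten (and kept in sync on every enforcement point), while the SGACL still permits because the tag followed the user. The guest is denied by both, and an unlisted pair such as Employee to Patient-Records falls to the deny default, which is the safe failure mode for a matrix that is edited often.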
Exceptional Control: MACsec Encryption, Data Protection with Policy-Based Encrypted Access (Cisco Innovation)
802.1AE encrypted cipher data on each link: decrypt on the ingress interface, flows visible for policy enforcement, encrypt on the egress interface, on toward corporate resources.

The Solution: Data Confidentiality with Visibility
Typical Deployment Scenario:
• Hop-by-hop L2 encryption
• Visibility into the flows for security and QoS policy enforcement
• Security Group Tag integrity
Effective Management: Secure Mobile Device Management
MDM ecosystem: integration with leading MDM vendors (an ecosystem offering choice for customers). ISE applies contextual policy using AD/LDAP and the MDM manager, enforced through Cisco Catalyst switches (wired or wireless) and the Cisco WLAN Controller (wireless), for Windows or OS X computers and smartphones including iOS or Android devices.

Features:
• Comprehensive Device Provisioning
• Detailed User and Device Context
• Increased Device and Application Security
Upgrades and Migrations (ACS, NAC Guest, NAC Profiler, NAC Manager, NAC Server to Identity Services Engine)
• Current ACS and NAC hardware is software upgradeable (1121/3315/3355/3395/3415/3495)
• Migration program for older hardware at large discount levels
• License migration program for all software licenses
• Data and configuration migration tools available* (*ACS available today)
Existing Investments Protected
ISE ATP

Why ATP?
• Newer technologies coming together
• Sets partners up for success
• Wireless Only SKUs are outside of ATP

Selection Criteria
• Advanced Routing, Switching, and Security specializations
• Wired 802.1X or NAC deployment experience
• Active Directory practice

Requirements
• AM: Online training
• SE: Online training and one exam
• FE: 5 day ILT, 3 day ELT, and two exams

HLD Reviews
• 3 HLDs reviewed per partner by business unit
• Technical and business exit interviews
• After completion, whitelisted for future opportunities

Next Steps
• Contact your PDM to engage the ATP team
• Monitor www.ciscosecurityatp.com for updates
ISE Professional Services
1. Cisco Advanced Services (Enterprise)
2. Cisco Collaborative Professional Services (Commercial): http://www.cisco.com/web/partners/services/programs/collaborative/index.html#~acc~strategy
3. ISE Partner Augmentation
• SecurView - http://securview.com/
• Priveon - http://priveon.com/services/Cisco-ISE
• C2 Company - http://www.c2company.com/

Service areas: Planning & Readiness Assessment, Design, Deployment, PoC / Pilot, Managed Services
Benefits:
• Minimize Project Risks
• Jump-start New Practice
• Improving Existing Practice Areas
• Fill Service Gaps
• Shorten Sales Cycle
Design
• Personas & Architecture
• Deployment Models
• Sizing / Design Guidance
• Tips & Caveats

Slides and Recordings available here: https://communities.cisco.com/docs/DOC-52899
Identity Services Engine: Policy Server Designed for TrustSec
ISE consolidates the functions of ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server:
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting
Node Types

Policy Service Node (PSN)
• Makes policy decisions
• RADIUS server & destination for profiling data

Policy Administration Node (PAN)
• Interface to configure policies and manage the ISE deployment
• Writeable access to the database

Monitoring & Troubleshooting Node (MnT)
• Interface to reporting and logging
• Destination for syslog from NADs

Inline Posture Node (IPN)
• Enforces policy
Policy Service Node (PSN)
• Per policy decision, responsible for: network access (AAA RADIUS services), posture, guest access (web portals), profiling, client provisioning
• Directly communicates to the external identity store (AD/LDAP/RADIUS) for user authentication
• Provides the portal for sponsors, agent download, guest access, device registration, and device on-boarding
Interfaces: posture / WebAuth / client provisioning toward endpoints; AD/LDAP/RADIUS toward identity stores; RADIUS/profiling toward network devices
Standalone Deployment Model
All personas on a single node (or a redundant pair: primary Admin/Monitoring and secondary Admin/Monitoring)
• 3315/3355/3395: max 2,000 endpoints per deployment
• 3415: max 5,000 endpoints per deployment
• 3495: max 10,000 endpoints per deployment
Multi-Node Deployment Model
Dedicated node for each persona: Admin, MnT, and PSN
• 2x dedicated Admin, 2x dedicated MnT (each PAN/MnT = 1 node)
• Max 40 dedicated Policy Service Nodes (each PSN = 1 node)
• 3395 Admin, 3395 MnT: max 100,000 endpoints per deployment
• 3495 Admin, 3495 MnT: max 250,000 endpoints per deployment
Dedicated PSN – Max Endpoints
Maximum endpoints for a dedicated PSN: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html#ID-1413
ISE 3400 Series Appliances: VMware Appliance Sizing Reference (Cisco UCS Based Appliances)
• VM design guidance is to match or exceed the ISE physical appliance specifications upon which node sizing is based
• Hard disks with 10K or higher RPM are highly recommended

                      | Cisco SNS-3415 (Small Appliance)  | Cisco SNS-3495 (Large Appliance)
Processor             | 1 x QuadCore Intel Xeon 2.4 GHz   | 2 x QuadCore Intel Xeon 2.4 GHz
CPU Model             | E5-2609                           | E5-2609
# Cores per CPU       | 4 (4 total cores)                 | 4 (8 total cores)
Memory                | 16 GB DDR3-1066 (4 x 4GB)         | 32 GB DDR3-1066 (8 x 4GB)
Hard disk             | 1 x 2.5 inch 600 GB SAS 10K RPM   | 2 x 2.5 inch 600 GB SAS 10K RPM
RAID                  | No                                | Yes - RAID 1 (600 GB total storage), LSI 2008 SAS RAID Mezzanine Card
Ethernet NICs         | 4 (2 on board; 2 on NIC)          | 4 (2 on board; 2 on NIC)
Power Supplies        | 1 x 650W                          | 2 x 650W
SSL Acceleration Card | No                                | Yes
Concurrent Endpoints  | 5,000 (PSN function)              | 20,000 (PSN function)

http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_ovr.html
Deployment Types: Centralized
Centralized Deployment: all ISE personas deployed in a single site (Data Center A): Admin, Monitor, Policy Services cluster, HA Inline Posture Nodes in front of the ASA VPN, and AD/LDAP (external ID/attribute store). The WLC and switch authenticate endpoints with 802.1X on access points and wired ports.
Deployment Types: Distributed
Distributed Deployment: ISE personas deployed across multiple sites. Data Center A hosts Admin, Monitor and the Policy Services cluster, HA Inline Posture Nodes for the ASA VPN, and AD/LDAP (external ID/attribute store); Data Center B hosts the secondary Admin (S), Monitor (S), distributed Policy Services and its own AD/LDAP store. Branch A and Branch B each authenticate with 802.1X from a local switch and AP against the distributed Policy Services.
Distributed Deployments Design Guidance
• Field Advisory and WAN Calculator: distributed deployments require an understanding of network bandwidth and latency requirements for DB replication.
• ISE Latency and Bandwidth Calculator (based on ISE 1.2), download here: http://www.ciscosecurityatp.com/resourcelib.asp?id=108
Tips & Caveats
• No TACACS support (recommend ACS for that functionality)
• Advanced functions like Central Web Authentication (CWA), Change of Authorization (CoA), Security Group Access, and downloadable ACLs are only supported on Cisco devices.
• See the Compatibility Guide for supported device software versions, identity stores (AD, LDAP, AAA), browsers, client OS, supplicants and agents
• Review TrustSec Design Zone documents for best practices: http://www.cisco.com/go/trustsec
• Release Notes: http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html
• Compatibility Guide: http://www.cisco.com/en/US/docs/security/ise/1.2/compatibility/ise_sdt.html
Release Review & ISE 1.3 Changes

Why Change?
• ISE
  o Line up licenses with enterprise-specific use cases (e.g. profiling + BYOD)
  o Break out 3rd-party MDM/EMM integration
  o Ensure a consistent selling motion with AC (same as all the other headends)
1.3 License Changes – Use Case Focused

OLD
• Base (Perpetual Lic.): AAA, 802.1X, Guest
• Plus (Term Lic.): BYOD, Profiling & Feed Service, TrustSec SGT, Endpoint Protection Svcs
• Advanced (Term Lic.): BYOD, Profiling, Feed Service, TrustSec SGT, Endpoint Protection Svcs., MDM – 3rd Party, Endpoint Compliance & Remediation

NEW
• Base (Perpetual Lic.): AAA, 802.1X, Enhanced Guest, TrustSec, Multiple APIs
• Plus (Term Lic.): BYOD, Internal CA, Profiling & Feed Service, EPS, pxGrid
• Apex (Term Lic.): MDM – 3rd Party, Compliance
• AC Apex (Term Lic.): Unified Endpoint Compliance & Remediation

• Base License remains the same in ISE 1.3
• Plus License remains the same in ISE 1.3
• Advanced decomposed into Plus and Apex, and then Apex into Headend (ISE Apex) and Endpoint (AC Apex)
Upgrade to 1.3 – What Happens With Licenses
• ISE 1.2 BASE (Count A / Perpetual) becomes ISE 1.3 BASE (Count A / Perpetual)
• ISE 1.2 PLUS (Count B / Term C) becomes ISE 1.3 PLUS (Count B / Term C)
• ISE 1.2 ADVANCED (Count B / Term C) becomes ISE 1.3 PLUS + APEX (Count B / Term C each)
• ATP applies to PLUS, ADVANCED and APEX
Wireless -> Mobility

ISE 1.2
• WIRELESS (Term): all ISE services; wireless devices ONLY; no ATP
• WIRELESS UPGRADE (Term): add wired services; ATP

ISE 1.3
Mobility adds VPN access (but same SKUs as Wireless); AC Apex ordered separately
• MOBILITY-BASE (Term) NEW!: basic RADIUS AAA; guest services; device registered via Guest Portal
• MOBILITY (Term) NEW!: all ISE services (same as existing “Wireless” lic); only for wireless & remote access (no wired services); option to add AC Apex
• MOBILITY UPGRADE (Term): add wired services; ATP
• Wireless & remote access devices; AC APEX; no ATP
Existing ISE Adv Customer + AC Motion – Grandfathered under old model
- Get as many AC Apex as needed for the remainder of the Adv term
- At renewal decide how much Plus, Apex and AC Apex is needed

Wireless -> Mobility – exact same motion ($0 PO for AC Apex)
• ISE 1.2 (or lower): ADVANCED + AC APEX on top of BASE
• Upgrade to 1.3: $0 PO for as many AC APEX users as required
• Renewal: AC APEX, APEX, PLUS, BASE
Selling Motion (Old -> New)
• ADVANCED -> APEX (with AC APEX as a subset): Compliance, verification of user-based compute platforms
• PLUS (subset) -> PLUS: Context, visibility and sharing throughout the network (everywhere)
• BASE -> BASE: Access, core AAA services throughout the network (everywhere)
What Does Stacked Mean
✖ APEX, AC APEX
✔ AC APEX, APEX, PLUS, BASE
✖ PLUS, BASE, BASE
Examples
• I Want Basic Access + Guest: BASE
• I Want BYOD + Profiling: PLUS on BASE
• I Want Profiling + 3rd Party MDM: APEX on PLUS on BASE
• I Want It All (Profiling, Posture, etc.): AC APEX and APEX on PLUS on BASE
Historically, Securing Access Was Complicated: The Past vs. ISE 1.3
Simplifying Guest Access for the Enterprise
• Corporate branding and themes, desktop & mobile ready
• Streamlined guest creation: create accounts and deliver credentials by print, email or SMS
• Mobile guest sponsorship
• Guest access notification via SMS, e.g. “Your credentials: username: trex42, password: littlearms”
Design Easily in Minutes, Deploy Securely in Just Hours
Easy-to-Deploy Guest and BYOD Access
• Admin Friendly: set up a Guest or BYOD workflow in just a few clicks.
• End User Visibility: ISE updates the portal workflow in real time with each change.
ASA/ISE Integration
• Support VPN posture specifically between the ASA & ISE deployments
• Remove the requirement for an IPN (Inline Posture Node) in ASA/VPN/ISE deployments.
• IPN is a device that would sit behind the ASA and enforce ISE policy

Flow: the VPN user's posture agent reports to the ISE policy server through the ASA. A non-compliant endpoint gets limited access (e.g. the AV server and Cisco.com for remediation); once compliant, ISE sends a CoA to the ASA and the session receives full access to the intranet and database.

Requires: ISE 1.2 patch 5 and ASA 9.2.1
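The posture slide's sample employee policy and the CoA step on this slide are combined in one added example (not ISE or AnyConnect code). The check functions, the seven-day AV definition window, the session class standing in for the ASA, and the two posture reports are constructed assumptions; the point is that the session starts limited, and only a compliant report moves it to full access.

```python
from datetime import date, timedelta

# Constructed: how stale AV definitions may be before "current" fails.
AV_MAX_AGE = timedelta(days=7)

# The slide's sample employee policy, as (name, check) pairs over a report dict.
POSTURE_CHECKS = [
    ("Microsoft patches updated", lambda r, today: r["patches_current"]),
    ("McAfee AV installed, running, and current",
     lambda r, today: r["av_installed"] and r["av_running"]
     and today - r["av_defs_date"] <= AV_MAX_AGE),
    ("Corp asset check", lambda r, today: r["corp_asset"]),
    ("Enterprise application running",
     lambda r, today: "corp-app" in r["running_apps"]),
]

LIMITED_ACCESS = "Limited access (remediation resources only)"
FULL_ACCESS = "Full access"


def evaluate_posture(report, today):
    """Return ('Compliant', []) or ('Non-Compliant', [names of failed checks])."""
    failed = [name for name, check in POSTURE_CHECKS if not check(report, today)]
    return ("Compliant" if not failed else "Non-Compliant"), failed


class VpnSession:
    """Stand-in for the ASA side: a session starts limited until ISE changes it via CoA."""

    def __init__(self, session_id, user):
        self.session_id, self.user = session_id, user
        self.authorization = LIMITED_ACCESS
        self.coa_log = []          # (old authorization, new authorization) per CoA

    def apply_coa(self, new_authorization):
        self.coa_log.append((self.authorization, new_authorization))
        self.authorization = new_authorization


def posture_flow(session, report, today):
    """ISE side: evaluate the agent's report and push a CoA only if access must change."""
    status, failed = evaluate_posture(report, today)
    target = FULL_ACCESS if status == "Compliant" else LIMITED_ACCESS
    if session.authorization != target:
        session.apply_coa(target)
    return {"user": session.user, "status": status, "failed": failed,
            "authorization": session.authorization, "coa_sent": len(session.coa_log)}


# Constructed posture reports, as a posture agent might send them.
TODAY = date(2014, 11, 3)
COMPLIANT_REPORT = {"patches_current": True, "av_installed": True, "av_running": True,
                    "av_defs_date": date(2014, 11, 1), "corp_asset": True,
                    "running_apps": ["corp-app", "browser"]}
STALE_REPORT = {"patches_current": True, "av_installed": True, "av_running": True,
                "av_defs_date": date(2014, 9, 20), "corp_asset": True,
                "running_apps": ["browser"]}

if __name__ == "__main__":
    session = VpnSession("vpn-0001", "bob")
    print(posture_flow(session, STALE_REPORT, TODAY))      # stays limited, no CoA needed
    print(posture_flow(session, COMPLIANT_REPORT, TODAY))  # after remediation: CoA to full
```

A non-compliant report leaves the session where it already is (limited), so no CoA is generated; a later compliant report from the same session produces exactly one CoA to full access. Returning the list of failed checks is what the remediation step needs, and it is also what an operator would want logged when deciding whether the limited-access rule is actually reachable from the remediation resources.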
Enterprise Mobility Management Integrations
Enforce True Device Compliance for All Mobile Devices

EMM alone (secures the actual device) vs. ISE + EMM together (secures network access):
• Sees unregistered devices on the network? -> Sees ALL devices on the network
• Forces EMM policy compliance? -> Requires devices to comply with EMM policy
• Keeps noncompliant devices off the network? -> Provides guest access to non-EMM devices
Cisco Platform Exchange Grid (pxGrid) NEW
Accelerating Partner Technology Efficiencies via Context Sharing

For security, which is more useful information?
“The compromised device is 192.168.100.123”
- OR -
“The compromised device is Paul Russell’s iPad in Bldg. 200”

Cisco ISE collects contextual “big data” from multiple sources across the network. Via Cisco pxGrid technology, this contextual data is shared with partners.

With ISE contextual data, partner solutions can more accurately and more quickly identify, mitigate, and remediate security threats across the network.
Cisco AnyConnect 4.0 and Cisco ISE 1.3
Delivering a Unified Agent for Posture Remediation and Secure VPN
Prevents non-compliant endpoints from gaining remote access to the network
AnyConnect 4.0 Per-App VPN: Intelligently Transporting Approved Applications over VPN
Selectively tunnels traffic through the VPN: WWW and local-network traffic stay outside the tunnel, while approved application traffic is carried to the corporate network.
• Provides a unified agent that improves VPN bandwidth management in place of using multiple parallel VPN agents
• Leverages Cisco ASA and Cisco TrustSec to provide end-to-end application traffic segmentation
• Extends the traditional VPN edge to mobile to prevent non-business apps from gaining corporate access
Per-App VPN Support: iOS 7+, Samsung Knox 2.0+
Support Resources: Resources, Additional Training

Slides and Recordings available here: https://communities.cisco.com/docs/DOC-52899
Support Resources
• ISE Product - http://www.cisco.com/go/ise
• TrustSec - http://www.cisco.com/go/trustsec
• ATP Partner Resource Center (for ISE) - http://www.ciscosecurityatp.com/solutionfrontpage.asp?sid=1
• ISE ATP Requirements - http://www.cisco.com/web/partners/partner_with_cisco/channel_partner_program/resale/atp/ise.html
• ISE Demos - https://communities.cisco.com/docs/DOC-52570
• dCloud BYOD Hosted Demos (Unified Access v2 BYOD/Guest Demos) - http://www.cisco.com/go/byoddemo
• NFR Lab Software for Partners (1.2 available): Cisco Marketplace - $42 VMware image, Base/Adv perpetual license, 20 endpoints - https://communities.cisco.com/docs/DOC-52753
• Sales Acceleration Center (SAC) - Webpage: http://tinyurl.com/sacucs; program-related questions: [email protected] or 1-800-225-0905
• Partner Plus/Cisco Virtual Engineering - http://www.cisco.com/web/partners/sell/technology/borderless/sales_initiatives/partner_plus.html
• Your Cisco PDM and CSE
Thank you.
Tech Talks – Security Deep-Dives
https://communities.cisco.com/docs/DOC-30977

AnyConnect
• AnyConnect VPN
• AnyConnect NAM
• AnyConnect Mobile
• AnyConnect Advanced
• AnyConnect TAC Tips

Content Security
• Email Security
• Web Security (WSA)
• Web Security (CWS)
• Web Security (ASA CX)
• Content TAC Tips 1
• Content TAC Tips 2

TrustSec & ISE Archives
• TrustSec & ISE Overview
• AAA, 802.1X, MAB
• ISE Profiling
• Web Auth, Guest & Device Registration
• Bring Your Own Device
• Posture & Security Group Access
• Troubleshooting and Best Practices
• ISE TAC Tips 1
• ISE TAC Tips 2

Sourcefire
• Sourcefire System Overview: 5/28
• Threat Control: 6/11
• Application Control: 7/2
• File Control: 7/16
• FireAMP Overview: 7/30
• FireAMP Outbreak Control: 8/6
Cisco Virtual Engineering: Scale & Augment
Virtual Engineering serves as an extension of your team that allows you to accelerate business, expand technical expertise and scale.
• Accelerate: sales cycles / turnaround with customers (6 hour SLA)
• Expand: your technical expertise with a team of specialized Cisco Virtual SEs
• Scale: increase your presales capacity and be able to touch more opportunities
• How to Engage: Monday through Friday, 24 hours a day; phone 1 800 553 NETS, passcode 24726 (CISCO); web form www.cisco.com/go/ph; e-mail, video conference, WebEx, audio conference

Services: Architecture Assistance, Presentation Assistance, Design Assistance, Participate in Customer Engagement, Competitive Support, Validated BoM, Cisco Product Information, Cisco Validated Technology Architectures
Technologies (Cisco Enterprise Technologies): Security & Mobility, Data Center & Virtualization, Collaboration, Routing & Switching

Available for PH+ entitled partners enrolled in Partner Plus
Cisco Partner Plus Program: Partner Plus Accelerators
Cisco Partner Plus features five accelerators that help drive sustained business growth. Use the Partner Plus accelerators to help you differentiate yourself in the market and accelerate sustained and profitable business growth. The accelerators focus on sales and marketing efforts, from demand generation to sales excellence training, presales technical support, and financial incentives and rewards, to improve performance at every stage of the sales cycle.
• Virtual Engineering: gives you access to expert presales technical services with defined SLAs to help you scale scarce engineering expertise and drive customer success.
• Premium Enablement: provides sales excellence learning modules to help accelerate revenue and margin as well as to quickly ramp up the productivity of new partner sales representatives.
• Customer Intelligence: delivers rich customer information to help improve marketing and sales efforts while reducing the cost of sales.
• Premium Marketing: offers regionally specific co-marketing support, resources, and campaigns to enable effective demand generation.
• Partner Plus Incentives: provides financial rewards for reinvestment in business-building activities.
Training/Certification Requirements

Role             | Training                                                                    | Duration | Delivery
Account Manager  | How to sell ISE/Cisco TrustSec solutions                                    | 15 min.  | VoD (five 3 min. VoDs)
Systems Engineer | How to sell ISE/Cisco TrustSec solutions                                    | 15 min.  | VoD
Systems Engineer | Cisco Identity Services Engine for ISE                                      | 5 ½ hr.  | VoD
Systems Engineer | Introducing Cisco Identity Services Engine for System Engineer Exam         | 45 min.  | Online, PAISESE 650-474
Field Engineer   | Implementing Cisco Identity Services Engine Secure Solutions                | 5 days   | Instructor-led Training
Field Engineer   | Introduction to 802.1X Operations for Cisco Security Professionals          | 3 days   | ILT or Online
Field Engineer   | Introduction to 802.1X Operations for Cisco Security Professionals Exam     | 1 hr.    | Online, S802DT1X-650-472
Field Engineer   | Implementing Cisco Identity Services Engine Secure Solutions Exam           | 1 hr.    | Online, ISE-650-473

ISE Certified Training Partners
• www.fastlaneus.com
• www.globalknowledge.com
• www.skyline-ats.com
