AnyConnect Secure Mobility
• Solution Overview
• Deployment Scenarios
• Feature Highlights
• Q&A
• Wrap Up
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
(Diagram: the borderless enterprise. Policy spans the corporate border; users at the Corporate Office, Branch Office, Home Office, Airport, Mobile User and Coffee Shop, together with Attackers, Partners and Customers, reach Software, Platform, Infrastructure and "X" as a Service along with applications and data.)
(Diagram: Personal and Business use.)
• Limited: predominantly PC-based client support
• Manual: numerous "clicks", non-persistent connection
• No security or visibility
• Rarely-on: intranet only connected if / when absolutely necessary
(Diagram labels: Security, Intranet, Corporate File Sharing.)
• Limited clients: predominantly PC-based client support
• Limited security: URL-filtering client unable to address key use cases; not integrated, requires separate VPN client
• Controls shown: Data Loss Prevention, Acceptable Use, Threat Prevention, Access Control (Access / No Access)
(Diagram labels: Intranet, Corporate File Sharing.)
• Choice: diverse endpoint support for greater flexibility
• Security: Data Loss Prevention, Acceptable Use, Threat Prevention, Access Control; rich, granular security integrated into the network (Access Granted)
• Experience: always-on intelligent connection for seamless experience and performance
(Diagram labels: Intranet, Corporate File Sharing.)
Network and Security Follows User: It Just Works
Broad Mobile Support
§ Fixed and semi-fixed platforms
§ Mobile platforms
Persistent Connectivity
§ Always-on connectivity
§ Optimal gateway selection
§ Automatic hotspot negotiation
§ Seamless connection hand-offs
Next-Gen Unified Security
§ User/device identity
§ Posture validation including managed vs. unmanaged assets
§ Integrated web security for always-on security (hybrid)
§ Clientless and desktop virtualization
(Diagram: Corporate Office, Mobile User and Home Office connected over Wired, Wi-Fi and Cellular/Wi-Fi, with secure, consistent access to Voice, Video, Apps and Data.)
Anyone, Anything, Anywhere, Anytime: Securely, Reliably, Seamlessly
(Diagram: inside the corporate environment, security and policy come from 802.1X, TrustSec and MACsec; outside it, from Always-On Integrated Security and Policy. The Local Data Center, Corporate Office and Branch Office sit behind the corporate DMZ and border; Customers, Coffee Shop, Home Office, Airport, Mobile User, Attackers and Partners reach Software, Platform, Infrastructure and "X" as a Service from outside.)
(Diagram: the user authenticates against Corporate AD and all traffic is tunneled over SSL VPN to the ASA, which redirects web traffic via WCCP to the Cisco Web Security Appliance; from there the user reaches News, Email, facebook.com, Social Networking and Enterprise SaaS. Trusted network on one side, untrusted network on the other.)
AnyConnect
• Always-on VPN (admin configurable)
• Optimal head end auto-detect
• Transparent auth (certificate)
ASA → WSA
• Authentication handoff (SSO)
• Identity and location aware policy enforcement
• Location-aware reporting
ASA Config
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.0.0.0 192.168.1.2
IOS Config
ip wccp 80 redirect-list redirect-acl
interface eth0
ip wccp 80 redirect in
ASA Config
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.0.0.0 192.168.1.2
wccp 80 redirect-list redirect-acl
wccp interface inside 80 redirect in
ASA-1 Config
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.0.0.0 192.168.1.2
IOS Config
ip wccp 80 redirect-list redirect-acl
interface eth0
ip wccp 80 redirect in
(Diagram: internal data is reached over IPSec / SSL VPN to the ASA on the trusted network; Internet destinations such as facebook.com are reached through ScanSafe from the untrusted network.)
AnyConnect
• Always-on VPN (admin configurable)
• Optimal head end auto-detect
• Transparent auth (certificate)
ScanSafe
• Web 2.0 Content Control
• Dynamic Web Classification
• Search Ahead
• Outbreak Intelligence
• Real-time Content Analysis
Web Security with ScanSafe
(Diagram: AnyConnect Secure Mobility Client; Internet bound web communications go via ScanSafe, separate from internal communications.)
AnyConnect
§ Trusted Network Detection
§ Session Persistence
§ Optimal Gateway Selection
§ Always-on VPN
§ Enhanced Device Support
§ IPSec IKEv2
§ Network Access Manager
§ Telemetry
§ SCEP Enrollment
ASA Firewall
§ AnyConnect Secure Mobility Head End
§ Application Controls
§ Optimized WSA Traffic handoff
§ Simplified Management
§ Enterprise firewall
§ Remote Access Head End
§ BotNet Filter
Web Security Appliance
§ Remote Specific Policy Support
§ SaaS Access Control
§ Multi-layer malware defense
§ URL filtering & Dynamic Categorization
§ Data Security
§ Application Visibility and Control
§ Acceptable Use / Control
§ Malware Defense
Cloud Web Security
§ Web 2.0 Content Control
§ Dynamic Web Classification
§ HTTP/s Scanning
§ Search Ahead
§ Outbreak Intelligence
§ Real-Time Content Analysis
Security Persistence with Always On VPN (Fail Closed or Fail Open)
• Always On VPN extends the virtual perimeter to the endpoint
§ Security Persistence and Security Enforcement policy are administratively controlled
§ If the ASA head-end is unreachable:
§ fail-open (direct network access), or
§ fail-close (no network access)
(Diagram labels: Array, Location-aware, Captive portal, nearest headend, Auth persistence.)
§ Always-On, Failed Closed
§ No Network Access Available
§ Manual URL Entry is not Allowed
(Screenshot: Connection Status.)
Trusted Network Detection
§ Automatically connects or disconnects under the following conditions:
§ In Office
§ Out of Office
§ Location determination made by Default Domain Name or DNS server IP
§ Other checks likely in future
§ Certificate authentication for seamless reconnection
§ Administratively controlled policy
§ Windows XP, Vista, 7 & Mac OS X
(Diagram: In Office vs. Out of Office.)
Detects Trusted or Untrusted Network Infrastructures for Secure Connectivity
§ Trusted Network Detection is configurable via the AnyConnect Profile
§ Trusted Networks can be defined as DNS Suffixes or DNS Server IP Addresses
§ DNS Suffixes and DNS Server IP Addresses must be defined on the client workstation dynamically (DHCP)
§ If both the Trusted DNS Suffix and DNS Server IP Address are defined, the entries will be ANDed to determine the Trusted Network
(Diagram: DHCP Request at the Corporate Headquarters and at the Home Office.)
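The decision rules on this slide, written out as an added example (not AnyConnect code): the profile fields and the DHCP lease are constructed stand-ins for the AnyConnect profile and the client's DHCP-supplied domain name and DNS servers, and the suffix match is done on whole labels so a look-alike domain cannot satisfy it.

```python
# Trusted Network Detection decision, modelled on the rules on this slide.
# Added example, not AnyConnect code: the profile fields and the DHCP lease
# are constructed stand-ins for the AnyConnect profile and the client's
# DHCP-supplied default domain (option 15) and DNS servers (option 6).
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class TndProfile:
    trusted_dns_domains: list = field(default_factory=list)  # DNS suffixes
    trusted_dns_servers: list = field(default_factory=list)  # DNS server IPs


@dataclass
class DhcpLease:
    domain_name: str   # default domain handed out by DHCP
    dns_servers: list  # DNS server addresses handed out by DHCP


def suffix_matches(domain: str, trusted: list) -> bool:
    # Whole-label match only: "corp.example.com" covers "pc.corp.example.com"
    # but must not be satisfied by "notcorp.example.com".
    d = domain.lower().rstrip(".")
    for t in (s.lower().rstrip(".") for s in trusted):
        if d == t or d.endswith("." + t):
            return True
    return False


def server_matches(servers: list, trusted: list) -> bool:
    trusted_ips = {ip_address(t) for t in trusted}
    return any(ip_address(s) in trusted_ips for s in servers)


def is_trusted_network(profile: TndProfile, lease: DhcpLease) -> bool:
    checks = []
    if profile.trusted_dns_domains:
        checks.append(suffix_matches(lease.domain_name, profile.trusted_dns_domains))
    if profile.trusted_dns_servers:
        checks.append(server_matches(lease.dns_servers, profile.trusted_dns_servers))
    # Both criteria defined: they are ANDed. Neither defined: nothing is trusted.
    return bool(checks) and all(checks)


def tnd_action(profile: TndProfile, lease: DhcpLease) -> str:
    # In office (trusted): disconnect the VPN; out of office: connect it.
    return "disconnect" if is_trusted_network(profile, lease) else "connect"
```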
Connects to the most optimum head-end, approximated by the fastest round trip time of an HTTPS request.
Feature Parameters:
§ Suspension Time Threshold (hours)
§ Performance Improvement Threshold (%)
(Diagram: a user in New York probes head-ends in London, Boston and Los Angeles; measured round trip times range from 23 ms to 35 ms.)
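Gateway selection by HTTPS round trip time, as an added example (not AnyConnect code). The two slide parameters are applied as I read them: re-select only once the VPN has been suspended for at least the Suspension Time Threshold, and switch only when the fastest head-end beats the current one by at least the Performance Improvement Threshold; the threshold values, host names and RTT samples are constructed.

```python
# Optimal Gateway Selection approximated, as on this slide, by HTTPS round trip
# time. Added example, not AnyConnect code. The two slide parameters are
# applied as I read them: re-select only after the VPN has been suspended for
# at least the Suspension Time Threshold, and switch gateways only when the
# fastest one beats the current one by at least the Performance Improvement
# Threshold. Threshold values, host names and RTT samples are constructed.
import socket
import ssl
import time
from statistics import median


def https_rtt_ms(host: str, port: int = 443, timeout: float = 3.0) -> float:
    """One probe: time a TCP connect plus TLS handshake to a head-end."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            pass
    return (time.monotonic() - start) * 1000.0


def rank_gateways(samples: dict) -> list:
    """samples maps gateway -> list of RTTs in ms; fastest median first.
    The median keeps one slow or lucky probe from deciding the ranking."""
    return sorted(samples, key=lambda g: median(samples[g]))


def select_gateway(samples: dict, current, suspended_hours: float,
                   suspension_threshold_h: float = 4.0,
                   improvement_threshold_pct: float = 20.0) -> str:
    best = rank_gateways(samples)[0]
    if current is None or current not in samples:
        return best                     # first connection: take the fastest
    if suspended_hours < suspension_threshold_h:
        return current                  # brief suspension: stay put
    cur_rtt, best_rtt = median(samples[current]), median(samples[best])
    improvement_pct = (cur_rtt - best_rtt) / cur_rtt * 100.0
    return best if improvement_pct >= improvement_threshold_pct else current


# Constructed RTT samples (ms) for a New York user, in the spirit of the slide.
SAMPLES = {
    "london.vpn.example.com": [33, 35, 28],
    "boston.vpn.example.com": [26, 25, 27],
    "losangeles.vpn.example.com": [23, 24, 25],
}

if __name__ == "__main__":
    print(select_gateway(SAMPLES, "london.vpn.example.com", suspended_hours=5.0))
```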
§ Always-On enforces VPN connectivity.
§ If AnyConnect fails to connect, its endpoint can fail closed, preventing network connectivity to and from the endpoint.
§ Always-On allows AnyConnect users to remediate their Captive Portal prior to required VPN establishment.
User Experience
§ Captive Portal Remediation Required
Network Follows Users – It Just Works
§ VPN session remains connected
§ While user migrates between networks (3G, WiFi, LAN, etc.)
§ During loss of network connectivity
§ During system hibernation / standby
§ Administratively controlled policy
§ Compatible with all auth methods
(Diagram: Persistent Connectivity: auto-detect and connect, transparent handoff, session persistence; user does not re-authenticate after hibernation/standby.)
User Experience: User Indicator
§ Connection State: Reconnecting
ASA-WSA Communication
(Diagram: the user authenticates and a VPN tunnel is established to the Adaptive Security Appliance; the ASA passes User Identity & Tunneled IP across an SSL connection to the Web Security Appliance, which performs user and group authorization against Active Directory (LDAP, NTLMSSP, Basic) before the user reaches News, Email or facebook.com.)
1. AnyConnect Authenticates and Establishes a VPN Tunnel to the ASA
2. ASA Extracts Username from Certificate or AAA Server
3. ASA Forwards Username and Tunneled IP Address to the WSA
4. WSA Verifies Username and Group Membership against Active Directory
5. WSA Applies Policies based on Username or Group Membership
ASA to WSA Communication
§ ASA & WSA Communication (Network)
§ Enable Secure Mobility Solution
§ Services Port
§ WSA Access Password
ASA to WSA Communication
§ Enable Secure Mobility Solution
§ Enable Cisco ASA Integration
§ ASA Hostname or IP Address & Service Port & Access Password
Communication Test
§ Verify ASA > WSA Communication
§ Verify WSA > ASA Communication
Security
(Diagram: Malware Defense, Data Security, Secure Mobility, Internet Control, Acceptable Use Controls and SaaS Access Controls, with Centralized Management and Reporting.)
(Diagram: Finance, Legal, Marketing.)
Regaining Visibility and Control Through Identity
(Diagram: users at the Corporate Office, Branch Office and Home Office, the latter via the AnyConnect Secure Mobility Client, are redirected at login to Single Sign On backed by the User Directory before reaching SaaS; direct access to SaaS is blocked.)
Visibility | Centralized Enforcement | Single Source Revocation
Seamless Single Sign-on
No login needed
(Diagram: SaaS single sign-on flow, in the order drawn on the slide:)
1. User accesses web site; connection proxied
2. Redirect to SAML SSO URL
3. Browser requests SSO URL; authenticate (if unknown)
4. Delivers web user's portal: JavaScript POST to ACS URL + SAML response
5. POSTs SAML response; POST proxied to website
6. User logged into service
WSA Mobile User Reports
Simple investigative tool
Track User activity / Track a web site
Search by IP ranges
✓ Know who is going to which web site
✓ Know who went to a specific web site
✓ And more…
Web Security with Next Generation Remote Access
• Choice: diverse endpoint support for greater flexibility
• Security: Data Loss Prevention, Acceptable Use, Threat Prevention, Access Control; rich, granular security integrated into the network (Access Granted)
• Experience: always-on intelligent connection for seamless experience and performance
(Diagram labels: Intranet, Corporate File Sharing.)
"A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty."
Winston Churchill
Editor's notes: Organizations that deliver the experience we just described are truly borderless: connecting anyone (employees, partners and customers) to anything, anywhere, anytime, delivering the same productivity, the same access to information and the same responsiveness. We call it the borderless experience... securely, reliably, and seamlessly. Let's take a look [CLICK – Transition] at how Borderless Networks delivers on that vision.