
AnyConnect Secure Mobility

Date post: 18-Nov-2014
Upload: cisco-canada
Description:
Increasing mobile usage and device choice have exposed the unnecessary complexity and limited device support of legacy remote access solutions. They have also left a security hole, as users circumvent corporate policy in a borderless network. This session focuses on how the AnyConnect Secure Mobility solution combines Cisco's web security and next-generation remote access technology to deliver a robust and secure enterprise mobility solution. Customers benefit from context-aware, comprehensive and preemptive security policy enforcement; intelligent, seamless, always-on connectivity; and secure mobility across today's proliferating managed and unmanaged mobile devices. At the end of the session, attendees will have an in-depth understanding of the Cisco AnyConnect Secure Mobility solution, which integrates the Cisco AnyConnect client, the Cisco Adaptive Security Appliance (ASA) and the Cisco Web Security Appliance (WSA). Attendees will understand the recommended AnyConnect Secure Mobility architectures and how to implement the solution on top of existing security installations.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 #CNSF2011
Transcript
Page 1: AnyConnect Secure Mobility


Page 2: AnyConnect Secure Mobility


• Solution Overview

• Deployment Scenarios

• Feature Highlights

• Q & A

• Wrap Up

Page 3: AnyConnect Secure Mobility


Page 4: AnyConnect Secure Mobility


Diagram: today's borderless network. Inside the corporate border: corporate office, branch office, applications and data, policy. Outside it: home office, coffee shop, airport, mobile users, customers, partners and attackers, plus cloud services (Software, Platform, Infrastructure and X as a Service).

Page 5: AnyConnect Secure Mobility

Diagram: Business | Personal

Page 6: AnyConnect Secure Mobility

Legacy remote access:

• Client support: limited, predominantly PC-based
• Non-persistent connection: manual, numerous "clicks"; rarely on, only connected if / when absolutely necessary
• Security: no security or visibility

Diagram: Intranet, Corporate File Sharing

Page 7: AnyConnect Secure Mobility

Legacy remote access with a URL-filtering client:

• Client support: limited clients, predominantly PC-based
• Limited security: a URL-filtering client is unable to address key use cases
• No access: not integrated, requires a separate VPN client

Diagram: Data Loss Prevention, Threat Prevention (–); Acceptable Use (✓); Access Control (–); Intranet and Corporate File Sharing: No Access / Access

Page 8: AnyConnect Secure Mobility

AnyConnect Secure Mobility:

• Choice: diverse endpoint support for greater flexibility
• Security: rich, granular security integrated into the network
• Experience: always-on intelligent connection for seamless experience and performance

Diagram: Acceptable Use ✓, Access Control ✓, Data Loss Prevention ✓, Threat Prevention ✓; Intranet and Corporate File Sharing: Access Granted

Page 9: AnyConnect Secure Mobility

Network and Security Follows User: It Just Works

Next-Gen Unified Security
• User/device identity
• Posture validation, including managed vs. unmanaged assets
• Integrated web security for always-on security (hybrid)
• Clientless and desktop virtualization

Persistent Connectivity
• Always-on connectivity
• Optimal gateway selection
• Automatic hotspot negotiation
• Seamless connection hand-offs

Broad Mobile Support
• Fixed and semi-fixed platforms
• Mobile platforms

Diagram: Corporate Office (wired), Home Office (Wi-Fi), Mobile User (cellular/Wi-Fi); secure, consistent access to voice, video, apps and data.

Page 10: AnyConnect Secure Mobility


Anywhere

Anyone

Anytime

Anything

Securely, Reliably, Seamlessly

Page 11: AnyConnect Secure Mobility

Diagram: always-on integrated security and policy. Inside the corporate environment (corporate office, branch office, local data center), labelled 802.1X, TrustSec, MACsec; outside it (airport, coffee shop, home office, mobile users, partners, customers, attackers) and in cloud services (Software, Platform, Infrastructure and X as a Service), with SECURITY and POLICY enforced at the corporate DMZ border.

Page 12: AnyConnect Secure Mobility


Page 13: AnyConnect Secure Mobility

ASA → WSA
• Authentication handoff (SSO)
• Identity and location aware policy enforcement
• Location-aware reporting

AnyConnect
• Always-on VPN (admin configurable)
• Optimal head end auto-detect
• Transparent auth (certificate)

Diagram: the user authenticates from an untrusted network and an SSL VPN tunnel carries all traffic to the ASA on the trusted network; the ASA redirects web traffic to the Cisco Web Security Appliance (WCCP) and passes it the user identity, which the WSA checks against corporate AD before web traffic (news, email, social networking such as facebook.com, enterprise SaaS) goes out to the Internet.

Page 14: AnyConnect Secure Mobility

IOS Config (the WCCP router between the ASA and the WSA; the referenced redirect-acl is not shown in the deck):

ip wccp 80 redirect-list redirect-acl
interface eth0
 ip wccp 80 redirect in

ASA Config (the tunneled keyword makes the default route apply only to traffic arriving from VPN tunnels, which is what forces remote users' Internet traffic toward the WSA path instead of straight out):

route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.0.0.0 192.168.1.2

(Check the mask on the second route before reusing it: 255.0.0.0 does not fit a 10.10.10.0 network, so use the mask that matches the internal address space.)

Page 15: AnyConnect Secure Mobility

ASA Config (ASA redirecting to the WSA with WCCP directly, no separate IOS router):

route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.0.0.0 192.168.1.2
wccp 80 redirect-list redirect-acl
wccp interface inside 80 redirect in

Page 16: AnyConnect Secure Mobility

IOS Config:

ip wccp 80 redirect-list redirect-acl
interface eth0
 ip wccp 80 redirect in

ASA-1 Config:

route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
route inside 10.10.10.0 255.0.0.0 192.168.1.2

Page 17: AnyConnect Secure Mobility


Page 18: AnyConnect Secure Mobility


Page 19: AnyConnect Secure Mobility

ScanSafe
• Web 2.0 Content Control
• Dynamic Web Classification
• Search Ahead
• Outbreak Intelligence
• Real-time Content Analysis

AnyConnect
• Always-on VPN (admin configurable)
• Optimal head end auto-detect
• Transparent auth (certificate)

Diagram: from the untrusted network, internal data travels over the IPsec / SSL VPN to the ASA on the trusted network, while Internet-bound web traffic (facebook.com) goes to ScanSafe.

Page 20: AnyConnect Secure Mobility

Web Security with ScanSafe

Diagram: the AnyConnect Secure Mobility Client sends Internet-bound web communications to ScanSafe and internal communications over the VPN.

Page 21: AnyConnect Secure Mobility


Page 22: AnyConnect Secure Mobility


Page 23: AnyConnect Secure Mobility

AnyConnect
• Trusted Network Detection
• Session Persistence
• Optimal Gateway Selection
• Always-on VPN
• Enhanced Device Support
• IPsec IKEv2
• Network Access Manager
• Telemetry
• SCEP Enrollment

ASA Firewall
• AnyConnect Secure Mobility head end support
• Optimized WSA traffic handoff
• Simplified management
• Enterprise firewall
• Remote access head end
• BotNet Filter

Web Security Appliance
• Remote-specific policy
• Application controls
• SaaS access control
• Multi-layer malware defense
• URL filtering and dynamic categorization
• Data security
• Application visibility and control

Cloud Web Security
• Web 2.0 content control
• Dynamic web classification
• HTTP/S scanning
• Search Ahead
• Outbreak Intelligence
• Real-time content analysis
• Acceptable use / control
• Malware defense

Page 24: AnyConnect Secure Mobility

• Always-On VPN extends the virtual perimeter to the endpoint
• Security persistence and policy are administratively controlled
• If the ASA head-end is unreachable, the endpoint either fails open (direct network access) or fails closed (no network access)

Diagram: Security Persistence with Always-On VPN (Fail Closed or Fail Open); security enforcement array: location-aware, captive portal, nearest head-end, auth persistence.

Page 25: AnyConnect Secure Mobility

• Connection status: Always-On, failed closed
• No network access available
• Manual URL entry is not allowed

Page 26: AnyConnect Secure Mobility


Page 27: AnyConnect Secure Mobility

Trusted Network Detection
• Automatically connects or disconnects under the following conditions: in office / out of office
• Location determination made by default domain name or DNS server IP; other checks likely in future
• Certificate authentication for seamless reconnection
• Administratively controlled policy
• Windows XP, Vista, 7 and Mac OS X

Diagram: In Office / Out of Office

Page 28: AnyConnect Secure Mobility

• Trusted Network Detection is configurable via the AnyConnect profile
• Trusted networks can be defined as DNS suffixes or DNS server IP addresses
• DNS suffixes and DNS server IP addresses must be defined on the client workstation dynamically (DHCP)
• If both a trusted DNS suffix and a DNS server IP address are defined, the entries are ANDed to determine the trusted network

Detects trusted or untrusted network infrastructure for secure connectivity

Diagram: DHCP request at Corporate Headquarters vs. Home Office

Page 29: AnyConnect Secure Mobility


ASDM Profile Configuration

Page 30: AnyConnect Secure Mobility

Connects to the most optimal head-end: an HTTPS request approximates the fastest round-trip time

Diagram: head-ends in Los Angeles, Boston, London and New York; measured round-trip times between 23 ms and 35 ms.

Feature Parameters:
• Suspension Time Threshold (hours)
• Performance Improvement Threshold (%)
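The selection rule these two parameters control, written out as an added Python example (this is not Cisco's implementation; the head-end names, RTT values and the exact decision rule are constructed from the slide's description). The point it makes: the fastest probe alone is not enough to move a session, otherwise a client would bounce between head-ends over a few milliseconds of jitter.

```python
"""Optimal Gateway Selection as parameterised on the slide: choose the head-end
with the lowest round-trip time, but only move an existing session when the
client was suspended longer than the suspension-time threshold AND the best
candidate beats the current head-end by at least the performance-improvement
threshold. Added example; names and numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OgsPolicy:
    """The two profile parameters named on the slide (units as shown there)."""
    suspension_time_threshold_hours: float = 4.0
    performance_improvement_threshold_pct: float = 20.0


def fastest(rtt_ms: dict) -> str:
    """Head-end with the lowest measured RTT; ties are broken by name so the
    result is deterministic. rtt_ms maps head-end name -> RTT in ms."""
    if not rtt_ms:
        raise ValueError("no reachable head-ends")
    return min(sorted(rtt_ms), key=lambda h: rtt_ms[h])


def select_gateway(rtt_ms: dict, current, hours_suspended: float,
                   policy: OgsPolicy) -> str:
    """Return the head-end the client should connect to.

    - first connection (no current head-end): take the fastest
    - current head-end no longer answers the probe: take the fastest
    - otherwise stay put unless BOTH thresholds are exceeded"""
    best = fastest(rtt_ms)
    if current is None or current not in rtt_ms:
        return best
    if hours_suspended < policy.suspension_time_threshold_hours:
        return current            # not suspended long enough to re-evaluate
    if rtt_ms[current] <= 0:
        return current            # nothing to improve on
    improvement = (rtt_ms[current] - rtt_ms[best]) / rtt_ms[current] * 100.0
    if improvement >= policy.performance_improvement_threshold_pct:
        return best
    return current


if __name__ == "__main__":
    # Constructed probe results for a user near London.
    probes = {"London": 23, "New York": 26, "Boston": 28, "Los Angeles": 35}
    print(select_gateway(probes, "Los Angeles", hours_suspended=5, policy=OgsPolicy()))
```

Two design points worth keeping in mind when tuning the thresholds: the candidate list comes from the administrator-controlled profile, not from anything the local network advertises, and the RTT probe is an HTTPS request that must still pass certificate validation, so a lower latency never substitutes for trust in the head-end.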

Page 31: AnyConnect Secure Mobility


ASDM Profile Configuration

Page 32: AnyConnect Secure Mobility

• Always-On enforces VPN connectivity.
• If AnyConnect fails to connect, the endpoint can fail closed, preventing network connectivity to and from the endpoint.
• Always-On allows AnyConnect users to remediate a captive portal before the required VPN is established.
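The Trusted Network Detection rules (DNS suffix, DNS server IP, ANDed when both are defined) and the Always-On connect-failure behaviour (fail open, fail closed, captive-portal remediation) described on the preceding slides, combined into one decision function as an added Python example. This is not Cisco code: the profile field names are simplified assumptions and the DHCP lease data is constructed.

```python
"""Trusted Network Detection (TND) combined with the Always-On connect-failure
policy, modelled on the behaviour the slides describe. Added example, not
Cisco code: the field names, the sample profile values and the DHCP lease
data are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DISCONNECT = "trusted network: disconnect VPN"
    CONNECT = "untrusted network: connect VPN"
    REMEDIATE = "captive portal: allow remediation, then connect"
    FAIL_OPEN = "head-end unreachable: fail open (direct network access)"
    FAIL_CLOSED = "head-end unreachable: fail closed (no network access)"


@dataclass(frozen=True)
class Profile:
    """Subset of an AnyConnect client profile (assumed, simplified field names)."""
    trusted_dns_suffixes: frozenset = frozenset()
    trusted_dns_servers: frozenset = frozenset()
    always_on: bool = True
    connect_failure_policy: str = "closed"      # "closed" or "open"
    allow_captive_portal_remediation: bool = True


@dataclass(frozen=True)
class Lease:
    """What DHCP handed the workstation (constructed sample data)."""
    dns_suffixes: frozenset = frozenset()
    dns_servers: frozenset = frozenset()


def _norm(names):
    """Case-insensitive suffix comparison without trailing dots."""
    return frozenset(n.lower().rstrip(".") for n in names)


def is_trusted(profile: Profile, lease: Lease) -> bool:
    """Trusted-network check as the slides describe it: with only suffixes or
    only servers defined in the profile, a match on that one kind is enough;
    with BOTH defined the two checks are ANDed. With neither defined nothing
    can be trusted (the safe default)."""
    suffix_ok = bool(_norm(profile.trusted_dns_suffixes) & _norm(lease.dns_suffixes))
    server_ok = bool(profile.trusted_dns_servers & lease.dns_servers)
    if profile.trusted_dns_suffixes and profile.trusted_dns_servers:
        return suffix_ok and server_ok
    if profile.trusted_dns_suffixes:
        return suffix_ok
    if profile.trusted_dns_servers:
        return server_ok
    return False


def decide(profile: Profile, lease: Lease, headend_reachable: bool,
           captive_portal: bool) -> Decision:
    """One evaluation of the automatic VPN policy after a network change."""
    if is_trusted(profile, lease):
        return Decision.DISCONNECT
    if headend_reachable:
        return Decision.CONNECT
    # Untrusted network and no head-end: Always-On decides what the user gets.
    if captive_portal and profile.allow_captive_portal_remediation:
        return Decision.REMEDIATE
    if profile.always_on and profile.connect_failure_policy == "closed":
        return Decision.FAIL_CLOSED
    return Decision.FAIL_OPEN
```

The caveat a practitioner should draw from `is_trusted`: both inputs arrive over DHCP from whatever network the client just joined. A hostile network that hands out the corporate DNS suffix and the corporate DNS server address satisfies both checks, so ANDing them raises the bar but does not turn TND into an authenticated check; that is why the slide says "other checks likely in future", and why the connect-failure policy and certificate validation on the head-end still matter.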

Page 33: AnyConnect Secure Mobility

User Experience

• Captive Portal Remediation Required

Page 34: AnyConnect Secure Mobility


ASDM Profile Configuration

Page 35: AnyConnect Secure Mobility

Network Follows Users: It Just Works

• VPN session remains connected while the user migrates between networks (3G, Wi-Fi, LAN, etc.), during loss of network connectivity, and during system hibernation / standby
• Administratively controlled policy
• Compatible with all auth methods
• User does not re-authenticate after hibernation/standby

Diagram: persistent connectivity: auto-detect and connect, transparent handoff, session persistence.

Page 36: AnyConnect Secure Mobility

User Experience: User Indicator

• Connection State: Reconnecting

Page 37: AnyConnect Secure Mobility

ASA and WSA:
1. AnyConnect authenticates and establishes a VPN tunnel to the ASA
2. ASA extracts the username from the certificate or AAA server
3. ASA forwards the username and tunneled IP address to the WSA
4. WSA verifies the username and group membership against Active Directory
5. WSA applies policies based on username or group membership

Diagram: Adaptive Security Appliance (VPN tunnel authentication, VPN tunnel established); Web Security Appliance (user and group authorization against Active Directory: LDAP, NTLMSSP, Basic); ASA-WSA communication carries the user identity and tunneled IP across an SSL connection; web destinations: news, email, facebook.com.
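The WSA side of the five steps above, as an added Python example (not Cisco code). The directory, the group policies and the ASA messages are constructed, and the message shape is an assumption: the deck only says the ASA-WSA channel is an SSL connection carrying username and tunneled IP, not what the wire format looks like. The edge case it handles is the one that matters for identity-based policy: the binding is keyed on the tunneled IP, so it must be torn down with the session, or the next client that draws the same pool address inherits the previous user's identity and policy.

```python
"""WSA-side identity handoff modelled on the five steps on the slide. Added
example, not Cisco code; directory, policies and messages are constructed."""
from dataclasses import dataclass, field

# Step 4 stand-in for Active Directory: user -> group memberships (constructed)
DIRECTORY = {
    "alice": {"Finance", "Domain Users"},
    "bob": {"Marketing", "Domain Users"},
}

# Step 5: policy by group, most specific group first; first match wins
GROUP_POLICY = [
    ("Finance", {"facebook.com": "block", "news.example": "allow"}),
    ("Marketing", {"facebook.com": "allow", "news.example": "allow"}),
    ("Domain Users", {"facebook.com": "block", "news.example": "allow"}),
]


@dataclass
class Wsa:
    bindings: dict = field(default_factory=dict)   # tunneled IP -> username

    def tunnel_up(self, username: str, tunneled_ip: str) -> None:
        """Step 3: ASA forwards username + tunneled IP over the ASA-WSA channel.
        Step 4: refuse the mapping unless the user exists in the directory, so a
        bad username from the head-end never becomes an authenticated identity."""
        if username not in DIRECTORY:
            raise LookupError(f"{username!r} not in directory; mapping refused")
        self.bindings[tunneled_ip] = username

    def tunnel_down(self, tunneled_ip: str) -> None:
        """Remove the binding when the VPN session ends so a later client that
        is assigned the same pool address does not inherit this identity."""
        self.bindings.pop(tunneled_ip, None)

    def decide(self, src_ip: str, host: str) -> tuple:
        """Step 5: apply policy to a proxied request from src_ip to host.
        Returns (identity, verdict)."""
        user = self.bindings.get(src_ip)
        if user is None:
            # No identity from the ASA: fall back to the WSA's own authentication
            return ("unknown", "authenticate")
        for group, rules in GROUP_POLICY:
            if group in DIRECTORY[user] and host in rules:
                return (user, rules[host])
        return (user, "block")    # default deny for hosts no rule mentions


if __name__ == "__main__":
    wsa = Wsa()
    wsa.tunnel_up("alice", "10.10.10.5")        # constructed pool address
    print(wsa.decide("10.10.10.5", "facebook.com"))
    wsa.tunnel_down("10.10.10.5")
    print(wsa.decide("10.10.10.5", "facebook.com"))
```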

Page 38: AnyConnect Secure Mobility

ASA to WSA Communication

• ASA and WSA communication network
• Enable Secure Mobility solution
• Services port
• WSA access password

Page 39: AnyConnect Secure Mobility

ASA to WSA Communication

• Enable Secure Mobility solution
• Enable Cisco ASA integration
• ASA hostname or IP address, service port and access password

Page 40: AnyConnect Secure Mobility

Communication Test

• Verify WSA > ASA communication
• Verify ASA > WSA communication

Page 41: AnyConnect Secure Mobility


Page 42: AnyConnect Secure Mobility

Diagram (WSA): Control (Data Security, Acceptable Use Controls, SaaS Access Controls), Security (Malware Defense), Secure Mobility, Internet; Centralized Management and Reporting.

Page 43: AnyConnect Secure Mobility


Page 44: AnyConnect Secure Mobility


Full Bandwidth

Page 45: AnyConnect Secure Mobility


Allow Business Relevant Video

Page 46: AnyConnect Secure Mobility


Finance Legal Marketing

Page 47: AnyConnect Secure Mobility


Restrict Media

Page 48: AnyConnect Secure Mobility


Finance Legal Marketing

Page 49: AnyConnect Secure Mobility


Override Restrictions

Page 50: AnyConnect Secure Mobility


Page 51: AnyConnect Secure Mobility


Page 52: AnyConnect Secure Mobility


Facebook Control

Page 53: AnyConnect Secure Mobility

PERMISSION

Page 54: AnyConnect Secure Mobility


Override Restrictions

Page 55: AnyConnect Secure Mobility

Regaining Visibility and Control Through Identity

Visibility | Centralized Enforcement | Single Source Revocation

Diagram: users at the branch office, corporate office and home office reach SaaS through the AnyConnect Secure Mobility Client; SaaS single sign-on redirects at login to the user directory; direct access to SaaS is blocked (No Direct Access).

Page 56: AnyConnect Secure Mobility

Seamless Single Sign-on: no login needed

Page 57: AnyConnect Secure Mobility

SaaS single sign-on through the proxy:
1. User accesses the web site; the connection is proxied
2. Redirect to the SAML SSO URL
3. Browser requests the SSO URL
4. Authenticate (if unknown)
5. JavaScript POST to the ACS URL with the SAML response
6. POST of the SAML response is proxied to the web site
7. User is logged into the service, which delivers the web user's portal
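The exchange above with both sides' messages, as an added Python example that is not part of the deck or Cisco's code. The proxy (WSA) plays the SAML service provider; the identity provider and SaaS site are stand-ins. Assumptions: a shared-key HMAC stands in for the XML-DSig signature a real SAML response carries, the canonical form is a fixed field order rather than XML C14N, and all URLs and IDs are constructed. What it shows is the set of checks the proxy must make before step 6, forwarding the POST to the ACS URL: signature, InResponseTo (no unsolicited or replayed responses), audience and expiry.

```python
"""Proxied SAML SSO exchange: SP (the proxy) redirects the user to the IdP,
the IdP returns a signed response, and the SP validates it before proxying
the POST to the ACS URL. Added example; keys, URLs and IDs are constructed
and HMAC stands in for XML-DSig."""
import hashlib
import hmac
import secrets
import time

SSO_URL = "https://idp.example/sso"             # constructed IdP SSO URL
ACS_URL = "https://saas.example/saml/acs"        # constructed SaaS ACS URL
SP_ENTITY_ID = "https://proxy.example/saml/sp"   # constructed audience value
IDP_KEY = b"constructed-shared-key"              # stand-in for the IdP signing key


def canonical(r: dict) -> bytes:
    """Fields covered by the signature, in a fixed order (stand-in for C14N)."""
    keys = ("subject", "in_response_to", "audience", "not_on_or_after")
    return "|".join(str(r[k]) for k in keys).encode()


def sign(body: bytes) -> str:
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()


def idp_respond(user: str, request_id: str, ttl: float = 300, now=None) -> dict:
    """IdP side (steps 3-5): authenticate the user if unknown, then return a
    signed response that the browser will POST to the ACS URL."""
    now = time.time() if now is None else now
    r = {"subject": user, "in_response_to": request_id,
         "audience": SP_ENTITY_ID, "not_on_or_after": now + ttl}
    r["signature"] = sign(canonical(r))
    return r


class ServiceProvider:
    """Proxy side: intercepts the SaaS request, redirects to the SSO URL, and
    only proxies the SAML response POST on to the ACS URL after checking it."""

    def __init__(self):
        self.outstanding = {}        # request ID -> time issued

    def intercept(self, requested_url: str) -> dict:
        """Steps 1-2: the user's request is proxied; answer with a redirect to
        the SSO URL carrying a fresh, unguessable request ID."""
        req_id = "_" + secrets.token_hex(16)
        self.outstanding[req_id] = time.time()
        return {"redirect": SSO_URL, "request_id": req_id,
                "relay_state": requested_url, "acs": ACS_URL}

    def validate(self, response: dict, now=None) -> str:
        """Gate before step 6. Returns "accept" or the reason for rejection."""
        now = time.time() if now is None else now
        expected = sign(canonical(response))
        if not hmac.compare_digest(expected, response.get("signature", "")):
            return "reject: bad signature"
        # Consume the request ID: a second copy of the same response is a replay.
        if self.outstanding.pop(response["in_response_to"], None) is None:
            return "reject: unsolicited or replayed response"
        if response["audience"] != SP_ENTITY_ID:
            return "reject: wrong audience"
        if now >= response["not_on_or_after"]:
            return "reject: expired"
        return "accept"


if __name__ == "__main__":
    sp = ServiceProvider()
    hop = sp.intercept("https://saas.example/home")
    resp = idp_respond("alice", hop["request_id"])
    print(sp.validate(resp), sp.validate(resp))   # second call is a replay
```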

Page 58: AnyConnect Secure Mobility


WSA Mobile User Reports

Page 59: AnyConnect Secure Mobility

Simple investigative tool

• Track user activity / search by IP ranges
• Track a web site

✓ Know who is going to which web site
✓ Know who went to a specific web site
✓ And more...

Page 60: AnyConnect Secure Mobility

Web Security with Next Generation Remote Access

• Choice: diverse endpoint support for greater flexibility
• Security: rich, granular security integrated into the network
• Experience: always-on intelligent connection for seamless experience and performance

Diagram: Acceptable Use, Access Control, Data Loss Prevention, Threat Prevention; Intranet and Corporate File Sharing: Access Granted

Page 61: AnyConnect Secure Mobility


Page 62: AnyConnect Secure Mobility


Page 63: AnyConnect Secure Mobility

A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.

Winston Churchill

Page 64: AnyConnect Secure Mobility

Thank you.

