
Preparing for BYOD and IPv6 with a Single Security Policy TechAdvantage Webinar

Date posted: 19-Jan-2015
Description:
A one-hour technical discussion on becoming BYOD-ready (Bring Your Own Device) at the first hop with two protocols and a single security policy. As BYOD becomes more and more prevalent, it is important to keep in mind that most of the devices support both IPv4 and IPv6. Thus, even if you do not yet provide IPv6 connectivity, you still need to maintain the same protection as with IPv4. In this webinar you will briefly refresh the available first hop security measures for IPv4, and focus on the new features that provide the matching functionality for IPv6.
Transcript:
1. Cisco TechAdvantage Webinars: Preparing for IPv6 and BYOD with a Single Security Policy. This webinar will provide an overview on how BYOD is challenging L2 domain security, and how in this scenario IPv6 requires other capabilities not present in IPv4 to face it. Andrew Yourtchenko and Rafael Maranon-Abreu will highlight what is new, what the threats on the link layer are, and what solutions are available today at Cisco to mitigate them. 2012 Cisco and/or its affiliates. All rights reserved. Follow [email protected]

2. Register for a Technical Seminar with our Cisco Software SMEs: http://www.ciscolive.com/london/registration-packages/
   Session Title (Session Number):
   - Advanced LISP Techtorial (TECIPM-3191)
   - Advanced Network Automation (TECNMS-3601)
   - Application Awareness in the network; the Route to Application Visibility and Control (TECRST-2672)
   - Converged Access: Wired/Wireless System Architecture, Design and Operations (TECCRS-2678)
   - Enterprise QoS Design Strategy (TECRST-2501)
   - IP Mobility Deep Dive (TECSPG-3668)
   - IPv6 for Dummies: An Introduction to IPv6 (TECMPL-2192)
   - IPv6 Security (TECRST-2680)
   - Scaling the IP NGN with Unified MPLS (TECNMS-3601)
   - Software Defined Networking and Use Cases (TECSPG-2667)
   - Understanding and Deploying IP Multicast Networks (TECIMP-1008)

3. Speakers: Andrew Yourtchenko (Technical Leader), Rafael Maranon-Abreu (Product Manager). Panelists: Ralph Schmieder (Technical Engineer), David Lapier (Product Manager).

4. Housekeeping: Submit questions in the Q&A panel and send to All Panelists. Avoid the CHAT window for better access to panelists. For WebEx audio, select COMMUNICATE > Join Audio Broadcast. For WebEx call back, click the ALLOW phone button at the bottom of the participants side panel. Where can I get the presentation? Send email to: [email protected]. Please complete the post-event survey. Join us January 9th for our next TechAdvantage Webinar: Enhancing Application Performance with PfR. www.cisco.com/go/techadvantage

5. Agenda: Introduction to BYOD, IPv6 and L2 Domain Security. IPv6 vs IPv4, what is new? Threats on the link layer. Mitigations.

6. http://www.forbes.com/sites/sap/2012/03/05/cisco-the-biggest-mobile-byod-deployment-around/

7. Top two perceived benefits of BYOD: Improved employee productivity (more opportunities to collaborate); Greater job satisfaction (flexibility and work-life balance). Two of five college students and young employees said they would accept a lower-paying job that had more flexibility with regard to device choice, social media access, and mobility than a higher-paying job with less flexibility. Regarding security-related issues in the workplace, three of five employees believe they are not responsible for protecting corporate information and devices. Source: The Cisco Connected World Technology Report 2011.

8. Poll: 2+ BYOD per employee. 1 BYOD per employee. 0 BYOD per employee.

9. Growth catalysts (Source: Cisco VNI Global Forecast, 2011-2016): More Devices (nearly 19 Billion Connections); Faster Broadband Speeds (4-Fold Speed Increase); More Internet Users (3.4 Billion Internet Users); More Rich Media Content (1.2 M Video Minutes per Second).

10. World IPv6 Launch activated: 3000+ Websites, 50 Networks (ISPs), 4 Home Router Vendors. Public Sector in the first 100 sign-ups (3006 total): National Library of Medicine, NASA, Department of State, Department of Education, REMS, Doingwhatworks, USGS, U Penn, UNC, U Wisconsin, NCSU, U Utah, USDA, VA, National Park Service, US Census Bureau. Source: http://www.worldipv6launch.org/participants/?q=1

11. Drivers. Outside In (IPv4 Enterprise, IPv6 Internet): Internet Evolution, Business Continuity, B2C, B2B. Inside Out (Dual-Stack Enterprise, IPv4 Internet): Globalization, Technology Leadership, Industry mandate, BYOD-Security-Visibility, Flatten management plane. http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html

12. Poll: No plans. 24 months. 12 months. 6 months. Done.

13. [Chart: When are you planning to deploy IPv6 in production? July 2010 versus March 2012; categories No plans, 24 months, 12 months, 6 months, In Progress, Done. "No plans" fell from 40% (July 2010) to 15% (March 2012); the other visible values are 32% (July 2010) and 65% (March 2012).]

14. [Diagram: BYOD architecture with AD/LDAP, NCS Prime, ISE, MDM Manager, Cisco Catalyst Switches, Cisco WLAN Controller, ASA Firewall, CSM / ASDM, User X, User Y, iOS or Android devices.]

15. Link operations: operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points. It encompasses: Address configuration parameters; Address initialization; Address resolution; Default gateway discovery; Local network configuration; Neighbor reachability tracking.

16. Example of inside attacks exploiting IPv6 link operations. The Challenge: IPv6 link operations can be easily attacked inside the local network. Attacks inside the network: the attacker can spoof a user address by snooping Neighbor Solicitation and poisoning Neighbor Advertisement; the attacker can become the local default gateway by sending rogue Router Advertisements; the attacker can disable the local IPv6 network by poisoning Duplicate Address Detection. [Diagram: Data Security at Edge, Authenticated Device.]

17. Catalyst Integrated Security Features (CISF). For more info: http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf

18. Intelligent perimeter at the edge. Track IPv6 devices by snooping neighbor and router solicitations and DHCP requests, and query their status when they become inactive. Pre-configure port roles and dynamically learn a trusted domain of routers/DHCP servers. Snooped messages: NS, DAD NS, ND, DHCP, RS, RA. Binding table (Intf / IPv6 / MAC / VLAN / State):
   - g1/0/10 / ::001A / 001A / 110 / Active
   - g1/0/11 / ::001B / 001B / 110 / Active
   - g1/0/11 / ::001C / 001C / 110 / Stale
   - g1/0/15 / ::001D / 001D / 110 / Active
   - g1/0/16 / ::001E / 001E / 200 / Verifying
   - g1/0/17 / ::0020 / 0020 / 200 / Active
   - g1/0/21 / ::0021 / 0021 / 200 / Active
   The Solution: IPv6 First Hop Security in the access switch, IPv6 Snooping and Guard. Block rogue advertisements from illegitimate routers and DHCP servers with RA Guard and DHCPv6 Guard. Monitor device and address assignment with Binding Integrity Guard. Maintain a trustworthy database of IPv6 devices and block illegitimate IPv6 data traffic with Source Guard.

19. Securing IPv6 Networks, quick intro: IPv6 FHS feature overview, grouped into Core Features, Advanced Features, and Scalability & Performance.
   - RA Guard. Protection against rogue or malicious RA; MiM attacks.
   - DHCPv6 Guard. Protection against invalid DHCP offers; DoS attacks; MiM attacks.
   - Source/Prefix Guard. Protection against invalid source address; invalid prefix; source address spoofing.
   - Destination Guard. Protection against DoS attacks; scanning; invalid destination address.
   - RA Throttler. Facilitates scale by converting multicast traffic to unicast.
   - ND Multicast Suppress. Reduces the control traffic necessary for proper link operations to improve performance.
   * IPv6 Snooping: instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table. Previously referred to as ND Inspection / Binding Table Recovery / Address Glean / Device Tracking.

20. Prevent rogue Router Advertisements from taking down the network. Before RA Guard: a rogue RA ("I am a router") passes through the First Hop Switch and Host A accepts it ("Yea! Thanks"). After RA Guard: the First Hop Switch blocks the rogue RA ("Not according to me").

21. Prevent rogue DHCP responses from misleading the client. Before DHCP Guard: the Host sends a DHCP Request, and both the real DHCP Server and a rogue device answering "I am a DHCP Server" reach the Host through the First Hop Switch. After DHCP Guard: the First Hop Switch blocks the rogue "I am a DHCP Server" reply and only the real DHCP Server's answer reaches the Host.

22. IPv6 Snooping: instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses. Components: Deep control packet inspection; Address Glean (ND, DHCP, data); Address watch; Binding Guard; Device Tracking. IPv6 Binding Table (Intf / IPv6 / MAC / VLAN / State): g1/0/10 / ::001A / 001A / 110 / Active; g1/0/11 / ::001C / 001C / 110 / Stale; g1/0/16 / ::001E / 001E / 200 / Verifying. Consumers of the table: IPv6 Source Guard, IPv6 Destination Guard.

23. Securing IPv6 Networks, quick intro (repeat of slide 19).

24. Poll: Very important. Important. Neutral. Not imp
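The threats on slide 16 and the mitigations on slides 18 to 22 (RA Guard, DHCPv6 Guard, IPv6 snooping with its binding table, binding integrity, Source Guard and device tracking) as an added example, not code from the webinar or from Cisco: a constructed Python model of the per-packet decisions an access switch makes. Port roles, interface names, VLAN numbers, MAC addresses, IPv6 addresses and the 30 s / 60 s ageing timers are assumed sample values; a real switch probes an idle device with a Neighbor Solicitation before marking its entry Stale, which the model only approximates with the Verifying state.

```python
"""Constructed, simplified model of IPv6 first-hop security on an access switch
(added example, not Cisco's implementation): operator-configured port roles drive
RA Guard and DHCPv6 Guard, IPv6 snooping gleans addresses into a binding table,
binding integrity refuses to rebind an address still owned by another port/MAC,
Source Guard checks data packets against the table, and device tracking ages
idle entries Active -> Verifying -> Stale. All names and addresses are sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROUTER_PORT, DHCP_SERVER_PORT, HOST_PORT = "router", "dhcp-server", "host"  # port roles
RA, RS, NS, NA = "RA", "RS", "NS", "NA"                                      # ICMPv6 ND messages
DHCP_SOLICIT, DHCP_ADVERTISE, DHCP_REPLY = "DHCP_SOLICIT", "DHCP_ADVERTISE", "DHCP_REPLY"
DATA = "DATA"                                                                # ordinary IPv6 data


@dataclass
class Packet:
    kind: str
    intf: str
    vlan: int
    mac: str
    src: str                      # IPv6 source; "::" for a DAD Neighbor Solicitation
    target: Optional[str] = None  # address claimed by a DAD NS


@dataclass
class Binding:
    intf: str
    ipv6: str
    mac: str
    vlan: int
    state: str                    # Active, Verifying or Stale, as on the slide's table
    last_seen: float


class FirstHopSwitch:
    REACHABLE = 30.0  # idle seconds before the switch would probe the entry (Verifying)
    STALE = 60.0      # idle seconds before the entry is marked Stale (assumed values)

    def __init__(self, port_roles: Dict[str, str]) -> None:
        self.port_roles = port_roles                       # unconfigured ports are hosts
        self.table: Dict[Tuple[int, str], Binding] = {}    # (vlan, ipv6) -> Binding
        self.log: List[str] = []                           # one line per dropped packet

    def role(self, intf: str) -> str:
        return self.port_roles.get(intf, HOST_PORT)

    def _learn(self, pkt: Packet, ipv6: str, now: float) -> bool:
        """Address glean with binding integrity: refuse to rebind an address that is
        still actively owned by a different port or MAC (the real switch probes the
        current owner first; the model just checks that the entry is not Stale)."""
        cur = self.table.get((pkt.vlan, ipv6))
        if cur and cur.state != "Stale" and (cur.mac != pkt.mac or cur.intf != pkt.intf):
            self.log.append(f"DROP {pkt.intf}: {ipv6} already bound to {cur.mac} on {cur.intf}")
            return False
        self.table[(pkt.vlan, ipv6)] = Binding(pkt.intf, ipv6, pkt.mac, pkt.vlan, "Active", now)
        return True

    def process(self, pkt: Packet, now: float) -> bool:
        """Return True if the switch forwards the packet, False if it drops it."""
        role = self.role(pkt.intf)
        if pkt.kind == RA:                                  # RA Guard: routers only
            if role != ROUTER_PORT:
                self.log.append(f"DROP {pkt.intf}: RA Guard, port role is {role}")
                return False
            return True
        if pkt.kind in (DHCP_ADVERTISE, DHCP_REPLY):        # DHCPv6 Guard: servers only
            if role != DHCP_SERVER_PORT:
                self.log.append(f"DROP {pkt.intf}: DHCPv6 Guard, port role is {role}")
                return False
            return True
        if pkt.kind == NS and pkt.src == "::":              # DAD NS: host claims pkt.target
            return self._learn(pkt, pkt.target, now)
        if pkt.kind in (NS, NA, RS, DHCP_SOLICIT):          # glean from other control traffic
            return self._learn(pkt, pkt.src, now)
        if pkt.kind == DATA:                                # Source Guard against the table
            cur = self.table.get((pkt.vlan, pkt.src))
            if cur is None or cur.mac != pkt.mac or cur.intf != pkt.intf:
                self.log.append(f"DROP {pkt.intf}: Source Guard, {pkt.src} not bound to {pkt.mac}")
                return False
            cur.last_seen, cur.state = now, "Active"        # data from the owner proves reachability
            return True
        return True

    def age(self, now: float) -> Dict[str, str]:
        """Device tracking: age idle bindings and return the state of every entry."""
        for b in self.table.values():
            idle = now - b.last_seen
            if idle >= self.STALE:
                b.state = "Stale"
            elif idle >= self.REACHABLE:
                b.state = "Verifying"
        return {b.ipv6: b.state for b in self.table.values()}


def run_demo() -> Tuple[Dict[str, object], List[str]]:
    """Replay a constructed traffic sequence; return per-packet verdicts and the drop log."""
    sw = FirstHopSwitch({"g1/0/1": ROUTER_PORT, "g1/0/2": DHCP_SERVER_PORT})
    host_a = "2001:db8:110::1a"                             # sample address of Host A
    r: Dict[str, object] = {}
    r["dad_a"] = sw.process(Packet(NS, "g1/0/10", 110, "00:1a", "::", host_a), 0.0)
    r["ra_router"] = sw.process(Packet(RA, "g1/0/1", 110, "00:01", "fe80::1"), 1.0)
    r["ra_rogue"] = sw.process(Packet(RA, "g1/0/11", 110, "00:1b", "fe80::1b"), 2.0)
    r["dhcp_rogue"] = sw.process(Packet(DHCP_ADVERTISE, "g1/0/11", 110, "00:1b", "fe80::1b"), 3.0)
    r["data_a"] = sw.process(Packet(DATA, "g1/0/10", 110, "00:1a", host_a), 4.0)
    r["data_spoof"] = sw.process(Packet(DATA, "g1/0/11", 110, "00:1b", host_a), 5.0)
    r["dad_dup"] = sw.process(Packet(NS, "g1/0/11", 110, "00:1b", "::", host_a), 6.0)
    r["states_40s_idle"] = sw.age(44.0)
    r["states_66s_idle"] = sw.age(70.0)
    r["data_after_stale"] = sw.process(Packet(DATA, "g1/0/10", 110, "00:1a", host_a), 71.0)
    return r, sw.log


if __name__ == "__main__":
    verdicts, drops = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:18} {verdict}")
    print("\n".join(drops))
```

Running the demo shows the three slide-16 attacks being stopped at the first hop: the rogue RA and rogue DHCPv6 advertisement are dropped by port role alone, the spoofed data packet is dropped because the address is bound to another port and MAC, and the duplicate DAD claim is refused while the legitimate owner's entry is still live. The ageing step shows the same entry moving through the Active, Verifying and Stale states that the binding table on slide 18 displays, and the owner's own traffic re-activating it.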
