View
4.269
Download
3
Category
Tags:
Preview:
DESCRIPTION
Subjects covered will include mobile devices OS security, state of malware on mobile devices, data loss prevention, VPN and remote access, 802.1x and certificate deployment, profiling, posture, web security, MDMs and others. For more information please visit our website: http://www.cisco.com/web/CA/index.html
Citation preview
Mobile Devices and BYOD Security: Deployment and Best Practices
BRKSEC-2045
Sylvain Levesque
Security Consulting Systems Engineer
slevesqu@cisco.com
© 2014 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Agenda
Test bed Used
State of Malware on Mobile Devices
802.1X Network Authentication
Device Profiling with the Identity Services Engine
Digital Certificates Usage and Provisioning Methods
Remote Access VPN
Web Security
Recommendations and Conclusion
3
Test bed Used
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Test bed Used
A number of tests were conducted for this session to document the behavior of mobile devices with different Cisco security solutions.
A group of devices under test was used to represent the major mobile platforms on the market today. Recent releases of operating systems were used and therefore the behavior documented in this presentation might vary with older OS releases.
5
Toshiba AT300
Tab/Android ICS 4.0.3
Samsung Galaxy Tab2 4.1+
Samsung:
Nexus/Google Android JB 4.4+
Galaxy S2/SS Android JB 4.1.2
RIM/Blackberry:
Bold 9900 7.1.0
Z10 10.0.10+
Microsoft Surface
Windows 8 RT+
Apple iPad3 tablet/
iOS 6.1.2+
Anyconnect 3.x ASA 9.1(4) WSA 7.5(0)-833 ISE 1.2 Airwatch Cloud-Based
MDM 6.3.1.2
*ICS=Ice Cream Sandwich *JB=Jelly Bean
Microsoft Certificate
Services Windows 2008
Enterprise R2
State of Malware on Mobile Devices
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Mobile Devices Market
Android currently dominates the Mobile OS market followed by iOS
While iOS devices are pretty current, a large percentage of Android devices still uses outdated releases that could be subject to security vulnerabilities
7
Source: IDC Source: developer.android.com
iOS Versions Android Versions
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
State of Malware
Interesting statistics can be found on malware, exploits and mobile devices in this report:
• Malware on Android up 2,577%
• 99% of mobile malware target Android
• Encounters with web malware: 70%
Android, Apple iOS 22% percent
• Malware on mobile devices: 1.2% of all
web malware found (up from 0.42%)
• Most exploits with Java: sparse support
on mobile devices
The Cisco 2014 Annual Security Report describes the evolution of exploits and malware and is a great reference for any IT or Security professional:
http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
8
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Other Interesting Facts and Conclusions
9
25%+ of malware on mobile devices come from porn sites…
• Phishing: still a major malware infection
vector as with PCs
• Users click on a link in an email that
has them installing an App from an
untrusted application store
Typical exploits on Android:
• subscription to premium SMS services
• botnet infection and remote control
• banking information theft 2012 -> first Android botnet in the wild
2013 -> large Android botnets
observed in China (1 million + devices)
The use of non-managed mobile devices
could expose your organization to
infection or data theft (Android or others)
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Other Interesting Facts and Conclusions
10
25% of malware on mobile devices come from porn sites…
• Phishing: still a major malware infection
vector as with PCs
• Users click on a link in an email that
has them installing an App from an
untrusted application store
Typical exploits on Android:
• subscription to premium SMS services
• botnet infection and remote control
• banking information theft 2012 -> first Android botnet in the wild
2013 -> large Android botnets
observed in China (1 million + devices)
The use of non-managed mobile devices
could expose your organization to
infection or data theft (Android or others)
Cisco Annual Security Report:
“The impact of BYOD and the proliferation of devices cannot be overstated, but
organizations should be more concerned with threats such as accidental data loss,
ensuring employees do not “root” or “jailbreak” their devices, and only install
applications from official and trusted distribution channels”
Secure Access with 802.1X, Remote Access VPN and Web Security
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
802.1x is used to provide authentication of a user or a device to the network
3 main components are involved in a 802.1x authentication:
- Supplicant: Provides Identity Information to the network. Supplicant software is embedded in all modern
Operating Systems. Ex: Apple iOS, Android, Windows 8, etc.
- Authenticator: Device that controls access to the network, participates in the initial EAP (Extensible
Authentication Protocol) exchange and acts as a relay between the Supplicant and the Authentication
Server. Ex: Switch, Wireless Controller
- Authentication Server: RADIUS Server that validates the identity information provided and sends
authorization attributes such as a VLAN, Access-List, Session timeout, URL for redirection. The identity
can be optionally validated by an external Identity Store. Ex: ISE, ACS
Network-Based Authentication using 802.1X - Review
Authentication
Server (RADIUS) Supplicant Authenticator
EAP over RADIUS EAP/WPA2
EAP session
12
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
802.1x Identity Information Types
Different types for different mobility use cases:
1. Username/Password Combination
- User authentication (also Machine Auth for Windows)
- Active Directory/LDAP/RADIUS ID Stores
- EAP types: PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST
2. Two-Factor Authentication
- Something you know, you have, you are
- Mostly for user authentication
- RSA SecurID and other token-based ID Systems
- EAP types: PEAP-GTC, EAP-FAST/EAP-GTC
3. Digital Certificates
- Signed/emitted by a public or private Certificate Authority
- Can be used for user and/or device authentication
- Microsoft AD Certificate Services, Entrust, Verisign, etc.
- EAP types: EAP-TLS, EAP-FAST
EAP
Extensible Authentication Protocol
PEAP
Protected EAP
GTC
Generic Token Card
FAST
Flexible Authentication
via Secure Tunneling
TLS
Transport Layer Security
13
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Device & User Authentication/Authorization
14
Machine AuthC PEAP-MSCHAPv2*
EAP-TLS
host/MTLLAB-W500
User AuthC PEAP-MSCHAPv2
EAP-TLS
CISCO\slevesqu 2
1
2 1 +
2 PHASES
POSSIBLE Same EAP Type with Native Supplicant
*Windows RT/Phone can not join Active Directory and can not use PEAP-MSCHAPv2 for Machine Authentication
1 PHASE
ONLY
AuthC=AuthentiCation
AuthZ=AuthoriZation
CN=Common Name
SAN=Subject Alternate Name
= Certificate
PEAP-MSCHAPv2
EAP-TLS
slevesqu User AuthC
User AuthZ
Hybrid AuthZ
Device AuthZ
CN=slevesqu
SAN=00:21:6A:AB:0C:8E
CN=slevesqu
SAN=00:21:6A:AB:0C:8E
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
2-Factor Authentication Workaround with 802.1X and Central Web Authentication
802.1X EAP-TLS authentication with Certificate
1
Central Web Authentication with User AD Account
2
Factor 1: Device
Certificate!!!
Factor 2: Employee User
Credentials!!!
ISE
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
EAP-Type
Win 8
Pro/Enter
prise
Win RT Apple
iOS Android BB7/10 ACS 5.x ISE 1.x AD LDAP
EAP-TLS Yes Yes Yes Yes Yes Yes Yes Yes Yes
PEAP
MSCHAPv2 Yes Yes Yes Yes Yes Yes Yes Yes No
PEAP
EAP-GTC No1 No Yes Yes Yes Yes Yes Yes Yes
EAP-FAST No1 No Yes2 No3 Yes Yes Yes Yes No
Common 802.1X EAP Types and Compatibility
1. Supported through 3rd-party supplicants such as Anyconnect NAM
2. Configuration required through Apple Configuration Utility or MDM
3. No native support. Supported through Cisco Compatible Extensions (CCX) with specific mobile devices manufacturers. More information:
http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
No native support for token based systems such as RSA SecurID
16
BRKSEC-2691: Identity Based Networking: IEEE 802.1X and beyond More on 802.1X!
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
802.1X Configuration: PEAP-MSCHAPv2 User Authentication Example
Touch-hold
1
2
3 4
1 2
3
1 2 3
4
6
5
Device Profiling with the Identity Services Engine
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
ISE Profiler Review
The ISE Profiler service uses a number of probes to capture the traffic generated by an endpoint device
It then extracts information from this traffic and compares patterns with profiling rules that are either pre-
defined or custom-built to match an endpoint type and a profile
An Authorization rule can then use this information to assign network access privileges based on the device
profile (iPhone/iPad vs Android vs Blackberry vs Windows)
Probe Data Provided
RADIUS OUI, MAC Address
DHCP DHCP attributes, hostname
DNS FQDN, hostname
HTTP User-Agent
NMAP OS fingerprint
NETFLOW TCP/UDP ports used
SNMP MIB strings
Probes Currently
Used to Profile
Mobile Devices
BRKSEC-3698: Advanced ISE and Secure Access Deployment
19
More on Profiling!!
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Example of Profiling Rules for iPad
20
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Analyzing HTTP User Agents
Compatibility with Mozilla’s Rendering Engine
OS and Version
Device Model
HTML Layout Engine
Browser and Extensions
Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166
Safari/535.19
21
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Sample HTTP User Agents
Apple iPad
Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
Windows RT
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)
Android Samsung Tab2 tablet
Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Android LG Google Nexus 5 smartphone
Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile
Safari/537.36
Blackberry Z10 smartphone
Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+
22
View your own user-agent at: http://whatsmyuseragent.com!!
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Viewing Endpoint Profiling Data
23
Profiling data Profiling data
Digital Certificates Usage and Provisioning Methods
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Certificates, Trust and 802.1X
Public Key Cryptography (PKI) uses the concept of trusted Certification Authorities (CA). A list of public
CAs on the Internet is embedded in the certificate store as Trusted Roots in every device
Many organizations typically deploy a private enterprise Certification Authority that allow them better
control and scalability. The Root Certificate and certification chain of this private CA has to be
provisioned in corporate devices in order for them to trust it
Non-corporate mobile devices will not trust by default the certificates generated by a private CA and the
802.1X behavior of mobile devices in this scenario will vary:
– Apple iOS: User notification-> users might refuse to install the certificate and call the help desk
– Android: Will accept non-trusted certificates by default without warning!
– Windows RT/8: User notification -> users might refuse it as well
– Blackberry 7: No notification -> Access rejected
– Blackberry 10: Will accept non-trusted certificates by default without warning!
Windows RT/8 and BB 7: Validation of the server certificate can be disabled for PEAP/EAP-TLS. Useful for lab testing or proof-of-concept, but not recommended for production where we should use certificates from Public CAs to avoid end user issues
25
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Certificates Installation and Enrollment
Non-trusted Root and user/device Certificates can be created and provisioned on mobile devices using a number of methods that can be manual or automated:
Copy it to the device. Ex: Corporate mobile devices
Push computer or user certificates through Group-Policy Objects (GPOs) for Windows corporate devices
The administrator can create the certificate or email it to the user the device. Ex: BYOD personal device
Certificate Server web portal (administrator or user)
The certificate creation and provisioning can be automated the Simple Certificate Enrollment Protocol (SCEP). A few options are available: – SCEP from the mobile device itself (support vary by mobile platform) – SCEP with the Anyconnect VPN client – SCEP Proxy with the Anyconnect VPN client and the ASA – Identity Services Engine (ISE) with the Onboarding service for 802.1x, SCEP with Mobile
Device Management solutions
26
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Anyconnect Profile: SCEP Host = myCA.bn-lab.local
Certificate Enrollment using SCEP and VPN
27
SCEP with Anyconnect:
SCEP Proxy with Anyconnect and the ASA:
IPSec/SSL tunnel
SCEP Request
IPSec/SSL tunnel
SCEP Request SCEP Request
1. ASA performs policy enforcement 2. ASA inserts machine device-id from posture
• Initiated by the user
• No Certificate renewal
• Needs direct access to CA
• Requires Anyconnect 2.4+ ASA
ASA SCEP Proxy
• Controlled by the head-end (ASA)
• Pre-enrollment policy enforcement
• Device-ID for Authorization
• Automatic Certificate renewal
• Only ASA communicates with CA
• Requires Anyconnect 3.0+
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Onboarding with ISE on Wired/WLAN
Access Point
ISE
Mary User Name = Mary Password = *******
1
Mary connects to Secure SSID
3 Register Device Provision Certificate Configure Supplicant
Mary Reconnects to Secure SSID
2 Redirect to Self Provisioning
Portal 2
BYOD-Secure
SSID’s
Personal asset
Wireless LAN Controller
AD/LDAP
N.B.: A dual-SSID option can also be
used where the 2nd Open SSID is
used for the onboarding process
28
CA
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
ISE Authorization Using Certificate Attributes
Registered Devices: Indicates the device
went through the BYOD onboarding process
Network Access only allows EAP-TLS
authentication with Certificate
The Radius attribute Calling-Station-ID
contains the MAC address of the device
which is compared against the SAN in the
Certificate
The AD username is read from the Subject-
Name and sent to AD where its attributes are
retrieved for authorization
Different Permissions Assigned
(VLAN, ACLs, etc)
29
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Method
Win 8
Pro/Enterp
rise
Win RT Apple
iOS Android BB7 BB10
Email Yes Yes Yes No1 Yes No
Copy To Device Yes Yes Yes2 Yes Yes Yes
Web (CA
Server) Yes Yes Yes Yes Yes No
Anyconnect
SCEP Yes No Yes Yes No No
SCEP Proxy Yes No Yes Yes No No
ISE
Onboarding3 Yes No Yes Yes No No
Certificates Installation Summary
1. Can not be installed from email directly but can be saved and installed from storage
2. Via the iPhone Configuration Utility or an MDM
3. More details on supported platforms:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
30
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Certificate Management
1
2
3
4
1 2
3
1 3
4
5
Swipe-In
5
2
4
6
7
Remote Access VPN
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
ASA Remote Access VPN Options review
Clientless SSL
Basic Web, Email and CIFS Access
Customized User Screen
Thin-Client SSL
Plugins (SSH,VNC,
Telnet,RDP, Citrix)
Smart Tunnels
Client-Based SSL or IPSec
AnyConnect
33
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Citrix Mobile Receiver Support
ASA release 9.0 introduces the support of the Citrix Mobile Receiver application directly in clientless SSLVPN for most desktop OSes and for Apple iOS and Android
Allows the ASA to communicate directly to XenApp 6.5 or XenDesktop 5.5, 5.6
Access Gateway Firewall User Device
Connected Using
Citrix Online Plug-Ins
Internet
Web Interface
Installed Behind the
Access Gateway
Server Farm
Firewall
Cisco® ASA
34
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Websockets HTML5 Access
ASA release 9.1(4) introduces the support of Websockets and HTML5 proxy
Enables a “fully clientless” solution homogeneously across differents OSes using a browser that supports HTML5 – No more dependencies on Java and ActiveX!
Uses 3rd-party Websockets gateways that converts HTML5 to a client protocol such as RDP/VNC/etc
The HTML5 resource is a simple bookmark accessed on the ASA clientless Web Portal
Mobile Device
with an HTML5
browser
Internet
35
ASA
SSL SSL RDP, VNC, CIFS, etc
Application Websockets
Gateway/Ser
ver
Intranet Data Center
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Method Win 8
Pro/Enterprise Win RT/Phone Apple iOS Android BB7/10
Anyconnect – SSL transport Yes No1 Yes Yes No1
Anyconnect – IPSec/IKEv2 Yes No1 Yes Yes No1
Websockets – HTML5 Yes Yes Yes Yes Yes
Native VPN support Yes Yes Yes Yes No
Clientless/Smartunnels/Plugins/ Yes No No No No
Clientless – Mobile Citrix Receiver No No Yes (v4+) Yes (v2+) No
Mobile Devices VPN Support Summary
1. RIM/BB and Microsoft do now allow the development of Anyconnect (or other VPN clients) on BBOS and Windows RT/Phone
• For more detailed information on device/OS support, please consult the ASA Supported VPN Platforms document:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp177602
• For more information on features supported on Anyconnect with Android and Apple iOS, please consult their respective release notes:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-android.html
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html#wp1148532
36
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Corporate vs BYOD
2 methods can be used to match device-specific identity information that will allow a differentiation of policies:
1. Use of certificates for authentication and authorization: Certificate attributes can be defined for uses cases like Corporate & BYOD. These attributes can be matched to different authorization policies in the ASA and ISE
2. With posture: The posture service on the ASA for VPN and ISE can gather information on the device that can include the device type, OS type, processes/services running, Windows registry information, file information, certificate information.
– If a corporate device is for example only a Windows PC domain member, the posture service could look for a specific piece of information like the registry entry defining the AD Domain, something that a mobile device would not have
– If no mobile devices are to be allowed to connect, the posture service could use rules that would deny access to all mobile devices types
How can I apply different access policies to a corporate device and a personal BYOD?
How can I prevent a personal BYOD from connecting to my network?
37
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Mobile Posture with Anyconnect
ASA Release 8.2(5) introduced the ability to pass posture endpoint attributes from
Anyconnect to ASA Dynamic Access Policies (DAP)
Can be used to control VPN connections from mobile endpoints and assign them specific
access policies.
Posture is also used with SCEP proxy in ASA 9.0 to embed unique device identity in
certificate enrollment requests
The Mobile Endpoint attributes include:
‒ Version of the Anyconnect client (e.g. “3.0.x”)
‒ Client Platform (“apple-ios”, “android”, etc)
‒ Client OS version (e.g. “5.0”)
‒ Type of device (varies per client platform but can be used to differentiate iPad from iPhone)
‒ Device UniqueID (varies per client platform, consists of Device UDID for iOS, opaque hash of IMEI/MEID/ESN or MAC+AndroidID for Android mobiles)
38
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Mobile Posture Configuration
39
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Mobile Posture Configuration
40
Choose Anyconnect as the
Endpoint Attribute Type
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Mobile Posture Configuration
41
Select an Access Policy for
the DAP defined
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Mobile VPN Authorization with Certificates
• Certificate maps can be used with the ASA to allow matching of received certificate DN values and then map them to a Connection Profile.
• Can be used with IPSec VPN and SSL VPN
• Can be used with the Local CA feature on the ASA or with certificates generated from a 3rd-party CA
• The following values from the certificate can be used for mapping:
1. Alt-subject-name
2. Subject-name
3. Issuer-name
4. Extended Key Usage (EKU) extensions
BRKSEC-2053: Practical PKI for VPN More on Certificates
for VPN
42
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
ASA Certificate Matching Configuration for VPN
43
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Licensing on the ASA
AnyConnect Essentials enables the use of Anyconnect for a full-tunnel VPN
with SSL or IPSec IKEv2. One license if required per ASA
Anyconnect Premium activates advanced features such as the Clientless
Portal, Smartunnels, Plugins, Posture and Mobile Posture. One license per
concurrent user is required.
Anyconnect Essentials and Premium are mutually exclusive on an ASA
The Anyconnect Mobile license is required on top of Anyconnect Essentials
or Anyconnect Premium licenses for mobile devices to establish a VPN tunnel
with the ASA!! One license is required per ASA
For ASA releases 8.2 and below, 2 licenses per failover pair are required.
Starting from ASA release 8.3, only one license is required per failover pair
Recommendation: Always include the Anyconnect Mobile License when
purchasing a new ASA for VPN 44
Web Security
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Web Security Gateway - Deployment Methods
Web Security Gateways such as the Cisco Web Security Appliance (WSA)
provide a number of security services at an organization’s perimeter such as
URL Filtering, Web Reputation Filtering, Anti-Malware Filtering, Granular
Application Control, Data Loss Prevention and others
These gateways typically do not sit inline the traffic and therefore Web user
traffic must be redirected to these gateways
3 methods can be used for this redirection:
‒ Explicit Forward Mode: A proxy server entry is configured manually or automatically with the Web-
Proxy Auto-configuration Protocol (WPAD) in the web browser to redirect its traffic to the Web
Security Gateway
‒ Transparent Mode: The Web Cache Control Protocol (WCCP) is used between the Web Security
Gateway and a network or security device to redirect user traffic to the Web Security Gateway
‒ Load-Balancers: For larger deployments. A Load-Balancer redirects the user traffic to the Web
Security Gateway farms
46
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Web Security Gateway – User Authentication
Organizations typically require users to authenticate to an enterprise directory such as
Active Directory before accessing Internet resources to allow for enforcement of
Acceptable Use Policies per role and to provide auditing for reporting and compliance
purposes
3 methods can be used to authenticate users:
‒ Basic Browser Authentication: The user is prompted to enter his credentials which can be sent to
Active Directory/LDAP for authentication. Credentials can be cached by the browser to prevent the
user to be prompted in the future. The user’s AD/LDAP attributes are also fetched for authorization
and mapping to Access Policies. Appropriate for BYOD, guests or consultants.
‒ NTLMSSP Browser Authentication: The user’s Windows login credentials are fetched transparently
from the browser using an NTLM challenge-response authentication and sent to Active Directory for
authentication. The user’s AD attributes are also fetched for authorization and mapping to Access
Policies. Appropriate for Windows corporate assets.
‒ Passive Identification: The Web Gateway uses the user’s IP address and sends a request to the
Active Directory/Novell Directory Server that maintains the mapping of usernames/IP addresses seen
when users log in. The Web Gateway then fetches the user’s AD/LDAP attributes for authorization
and mapping to Access Policies. Appropriate for Windows corporate assets.
47
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Feature
Win 8
Pro/Enter
prise
Win
RT
Apple
iOS Android BB7 BB10
Proxy
Configuration Yes Yes Yes Yes No1 Yes
PAC-WPAD Yes Yes Yes No No Yes
PAC-GPO Yes No No No No No
PAC-MDM3 Yes No Yes No No No
Basic
Authentication Yes Yes Yes Yes Yes Yes
NTLMSSP Yes Yes2 Yes2 Yes2 No Yes2
Passive
Identification Yes No No No No No
Proxy and Authentication Methods Support
1. No support on native browser on Wifi. Supported with the Opera mini-browser and 3rd-party applications (not tested)
2. No Single Sign-On
3. Using the Airwatch MDM. Other MDMs may have different capabilities
48
BRKSEC-3771: Advanced Web Security Deployment with WSA and ASA-CX More on WSA
Recommendations and Conclusion
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Security policies relative to the use of personal devices in the corporate environment
should be created before a BYOD deployment
Business units owners should be involved to define the requirements and uses cases
that will drive the architecture of the solution for mobile devices
User education and awareness is key! A BYOD deployment should include training and
guidelines for users on how to use their personal mobile device to lower the risk of
having their device compromised and exploited
A private Certification Authority should be considered for deployments requiring
differentiation of access privileges between corporate and personal mobile devices
Profiling and VPN posture can be used to differentiate mobile devices from
laptops/desktops and are great tools for device identification and inventory
A Virtual Desktop Infrastructure (VDI) architecture can help reduce the risk of data
leakage and improve the user experience
Deployment Recommendations
50
Cisco and/or its affiliates. All rights reserved. BRKSEC-2045 Cisco Public
Don’t forget to activate your Cisco Live Virtual
account for access to all session material,
communities, and on-demand and live
activities throughout the year. Activate your
account at the Cisco booth in the World of
Solutions or visit www.ciscolive.com.
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Note: This slide is now a Layout choice
51
Recommended