Cisco Connect 2019, Serbia, 19th March 2019. Local knowledge.

Cisco Meeting Place Express...will be ones known by security team for at least one year (through 2021) 99% Source: Gartner, Dale Gardner, 2018 Security Summit Attackers exploit known


Page 1

Cisco Connect 2019, Serbia, 19th March 2019

Local knowledge.

Page 2

Cisco Connect 2019 Security

Page 3

COM-4T DOO Belgrade

Presenter: Branislav Ostojić

Page 4

[Diagram: access matrix of ✓/✕ cells for Trusted Asset, Trusted User and Partners against Cloud App A and Cloud App B (Cloud), Server A and Server B (On Prem), Trusted App/Services and Non-Trusted App/Services.]

Improved Visibility and Decision | Software-Defined Segmentation, Service Access & Entitlement | Location-Free App/Service Access

Context used for the access decision: Vulnerability, Threats, Posture, Behavior, Time, Location, User-Groups, Device-type

CISCO IDENTITY SERVICES ENGINE: connecting trusted users and devices to trusted services

Page 5

Customer use cases (GUEST, CORPORATE, BYOD). This is not a standard or recommended sequence; each use case may itself be the end goal.

WIRELESS: starts with wireless. Non-disruptive, because policy is introduced per SSID.

WIRED: control wired access with 802.1X / MAB (with profiling).

POSTURE: see application and hardware inventory; enforce system compliance.

Segmentation: use SGTs for segmentation; enforce group-based policies.

RTC (Rapid Threat Containment): integrate with eco-system partners; contain threats.

COMPLIANCE | PCI, HIPAA, SOX, financial and other regulations

VISIBILITY | Users, devices, location, applications, threats, vulnerabilities

CONTROL | Authorized network access, segmentation, threat containment

Page 6

Cisco ISE capabilities:

Asset Visibility: Cisco ISE can reach deep into the network to deliver visibility into who and what is accessing resources.

Access Control: consistent access control across wired, wireless and VPN networks. 802.1X, MAB (MAC Authentication Bypass), Web Authentication and Easy Connect for admission control.

Guest Access: fully customizable, branded mobile and desktop guest portals, with dynamic visual workflows to manage the guest user experience.

BYOD Access: simplified BYOD management with a built-in CA and third-party MDM integration for onboarding and self-service of personal mobile devices.

Segmentation: topology-independent, software-defined segmentation policy to contain network threats.

Threat Control: protection against threats across the attack continuum (before, during and after an attack). Reduce time-to-detection from days to hours.

Device Admin: Cisco ISE supports device administration using the TACACS+ protocol to control and audit the configuration of network devices.

Context Exchange: context sharing with the partner eco-system to improve the partners' overall efficacy and accelerate time to containment of network threats.

Page 7

AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS)

The profiling service in Cisco ISE identifies the devices that connect to your network. Endpoints send interesting data that reveal their device identity: ACIDex reports it from the AnyConnect client, the Device Sensor (DS) collects it on the network device, and the Profiler Feed Service (online/offline) keeps the device profiles current.

Page 8

Guest access:

• 1 million supported guest accounts
• Guest account notification options: EMAIL, PRINT, SMS
• API: manage guest accounts via REST
• Portal language customization
• Social media login support (Facebook)

The 3 types of guest access:

• Hotspot: immediate, un-credentialed Internet access
• Self Registered: self-registration by guests; sponsors may approve access
• Sponsored Guest Access: authorized sponsors create the account and share credentials

Page 9

Simple BYOD (Base License):

• Guest-type "internet only" access for the personal device, or
• Password-based access to a BYOD SSID, with limited access

Full BYOD (Base + Plus License):

• Full automation of the BYOD process: device registration, native supplicant configuration, certificate installation and management.

Page 10

BYOD features:

• ISE internal CA for BYOD certificates
• Access based on MDM policy
• Single / dual SSID provisioning
• Native supplicant & certificate provisioning
• EMM integrations

Device support: iDevice (iOS), Android, macOS, Windows, ChromeOS

[Diagram: devices versus resources (PUBLIC, CORPORATE) access matrix of ✓/✕ cells.]

Page 11

MDM policy checks: device registration status, device compliance status, disk encryption status, PIN lock status, jailbreak status, manufacturer, model, IMEI, serial number, OS version, phone number.

Posture / compliance assessment for mobile devices (personal device flow between the device, Cisco ISE, the MDM, the Internet and the corporate network):

1. Register with ISE
2. Internet access
3. Register with MDM
4. Comply with MDM policy
5. Allow corporate access

MDM/EMM partners shown: Good, SAP, Absolute Software, IBM, AirWatch, Tangoe, MobileIron, Globo, Jamf Software, Symantec, MaaS360.

Page 12

Posture defines the state of compliance with the company's security policy.

Posture conditions: Anti-Malware Condition, Anti-Spyware Condition, Anti-Virus Condition, Application Condition, Compound Condition, Disk Encryption Condition, File Condition, Patch Management Condition, Registry Condition, Service Condition, USB Condition.

Remediation actions: Anti-Malware, Anti-Spyware and Anti-Virus remediations (e.g. antivirus update), File Remediations, Launch Program Remediations, Link Remediations, Patch Management Remediations, USB Remediations, Windows Server Update Services (WSUS), Windows Update Remediations.

Posture flow:

1. Authenticate user/device. Posture: unknown / non-compliant?
2. Quarantine: limited access via VLAN / dACL / SGTs.
3. Posture assessment: check hotfixes, AV, PIN lock, USB devices, etc.
4. Remediation: WSUS, launch app, scripts, MDM, etc.
5. Authorization change (RADIUS CoA): full access via VLAN / dACL / SGTs.
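The posture flow above, modelled as an added example (this is not Cisco code): an endpoint starts with posture Unknown and quarantine-level access, is assessed against a few of the listed conditions, remediated, re-assessed, and only then handed the authorization the CoA would push. The condition thresholds, the hotfix identifier, the VLAN/dACL/SGT values and the remediation behaviour are all assumptions chosen for the sample run.

```python
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2019, 3, 19)            # constructed "today" for the sample run
MAX_AV_AGE_DAYS = 7                   # assumption: AV definitions older than this fail
REQUIRED_HOTFIXES = {"KB-EXAMPLE-1"}  # placeholder identifier, not a real hotfix

# Authorization results the flow can return. VLAN, dACL and SGT values are
# illustrative; a real deployment maps them to ISE authorization profiles.
FULL_ACCESS = {"vlan": 10, "dacl": "PERMIT_ALL", "sgt": "Employee"}
QUARANTINE = {"vlan": 999, "dacl": "REMEDIATION_ONLY", "sgt": "Non-Compliant"}


@dataclass
class Endpoint:
    """Constructed sample of what the posture agent reports for one host."""
    mac: str
    av_installed: bool
    av_definition_date: date
    hotfixes: set = field(default_factory=set)
    disk_encrypted: bool = True
    usb_storage_present: bool = False


def evaluate(ep: Endpoint, today: date = TODAY) -> dict:
    """Posture assessment: every failed condition names its remediation."""
    failed, remediation = [], []
    av_age = (today - ep.av_definition_date).days
    if not ep.av_installed or av_age > MAX_AV_AGE_DAYS:
        failed.append("Anti-Virus Condition")
        remediation.append("Antivirus Update")
    if REQUIRED_HOTFIXES - ep.hotfixes:
        failed.append("Patch Management Condition")
        remediation.append("Windows Update Remediation (WSUS)")
    if not ep.disk_encrypted:
        failed.append("Disk Encryption Condition")
        remediation.append("Link Remediation: enable full-disk encryption")
    if ep.usb_storage_present:
        failed.append("USB Condition")
        remediation.append("USB Remediation: block mass storage")
    compliant = not failed
    return {"status": "Compliant" if compliant else "Non-Compliant",
            "failed": failed, "remediation": remediation,
            "authorization": FULL_ACCESS if compliant else QUARANTINE}


def sample_remediation(ep: Endpoint, actions: list) -> None:
    """Constructed remediation: pretend WSUS and the AV update succeeded.
    Disk encryption is a link remediation the user must act on, so it is
    deliberately not fixed here."""
    for action in actions:
        if action.startswith("Windows Update"):
            ep.hotfixes |= REQUIRED_HOTFIXES
        elif action == "Antivirus Update":
            ep.av_definition_date = TODAY


def posture_flow(ep: Endpoint, remediate=sample_remediation, today: date = TODAY):
    """Walk the slide's flow. Returns the (status, SGT) history and final authz.

    The endpoint starts with posture Unknown and only quarantine-level access;
    it is assessed, remediated if needed, re-assessed, and the final result
    is what the CoA would push to the switch or WLC."""
    history = [("Unknown", QUARANTINE["sgt"])]
    result = evaluate(ep, today)
    history.append((result["status"], result["authorization"]["sgt"]))
    if result["status"] != "Compliant":
        remediate(ep, result["remediation"])
        result = evaluate(ep, today)          # re-assess before any CoA to full access
        history.append((result["status"], result["authorization"]["sgt"]))
    return history, result["authorization"]


def sample_endpoint(encrypted: bool = True) -> Endpoint:
    """Stale AV definitions, missing hotfix: non-compliant at first assessment."""
    return Endpoint("00:11:22:33:44:55", True, date(2019, 2, 1),
                    disk_encrypted=encrypted)


if __name__ == "__main__":
    print(posture_flow(sample_endpoint()))
```

The point to keep from the flow is that the CoA to full access is issued only after a second assessment confirms the remediation worked; an endpoint whose remaining failure needs user action (the unencrypted disk in the sample) stays in the quarantine VLAN/SGT rather than being waved through because a remediation was attempted.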

Page 13

Traditional segmentation (security policy based on topology; high cost and complex maintenance):

• One VLAN per role: BYOD VLAN, Guest VLAN (supplier), Voice VLAN, Data VLAN (employee), Quarantine VLAN (non-compliant)
• Every VLAN brings address space, a DHCP scope, redundancy, routing, static ACLs and VACLs to maintain across the access layer, aggregation layer and enterprise backbone

Group-based policy (use the existing topology and automate security policy to reduce OpEx):

• Tags instead of VLANs: Employee tag, Supplier tag, Non-Compliant tag. Employee, Supplier, BYOD and Non-Compliant endpoints share the Data VLAN; voice stays on the Voice VLAN
• ISE provisions the policy centrally; it is enforced in the access layer and at the DC firewall / switch in front of the DC servers
• No VLAN change, no topology change, central policy provisioning, micro/macro segmentation

Page 14

Context sources feeding Cisco ISE: directory services, vulnerability scanners, system managers, threat intelligence, Mobility Services Engine, mobile device managers, and the endpoints themselves.

Visibility and Access Control: ISE builds context (Who, What, When, Where, How, Posture, Threat, Vulnerability, Scalable Group) and applies access control restrictions to users and devices.

Context reuse by eco-system partners for analysis & control: Stealthwatch, Firepower Services, DNA Center and third-party partners, via

• pxGrid
• REST API
• Syslog

Page 15

AMP and Qualys feed Cisco ISE with threat events, CVSS scores, indicators of compromise (IOC), vulnerability assessments and threat notifications about endpoints.

Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.

Complements posture: vulnerability data describes the endpoint's posture from the outside.

Expanded control: driven by threat intelligence and vulnerability assessment data.

Faster response: automated, real-time policy updates based on vulnerability data and threat metrics.

Network access policy: create ISE authorization policies based on the threat and vulnerability attributes, alongside Who, What, When, Where, How and Posture. Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)

Page 16

Rapid threat containment flow (segments shown: Employee, Supplier, Quarantine, Shared Server, Server, High Risk Segment, Internet):

1. Stealthwatch, Firepower or a third-party app such as Splunk detects an event on a Supplier endpoint.
2. The partner sends ISE: Event: XYZ, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine.
3. ISE issues a Change of Authorization and the network fabric moves the endpoint into the Quarantine segment.
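Step 2 of the flow above, as an added example that is not Cisco's or any partner's code: the partner event on the slide is parsed, its "Response" is mapped to an ANC (Adaptive Network Control) policy, and an ERS request is built that applies that policy to the endpoint, which is what causes ISE to send the Change of Authorization. The ERS path and JSON body follow the ISE 2.x ANC endpoint API as documented; treat them, the host name, the credentials and the ANC policy names as assumptions to check against your ISE release. The function never sends anything unless you hand it a sender, so it runs offline.

```python
import base64
import json
import re
import urllib.request

ISE_HOST = "ise.example.local"   # assumption: your ISE PAN with ERS enabled (port 9060)
ANC_POLICY_FOR_RESPONSE = {      # assumption: ANC policies you have defined in ISE
    "Quarantine": "Quarantine",
    "Shutdown": "Shutdown_Port",
}

# Constructed partner event in the shape the slide sketches.
SAMPLE_EVENT = """Event: XYZ
Source IP: 10.4.51.5
Role: Supplier
Response: Quarantine"""


def parse_event(text: str) -> dict:
    """Parse 'Key: Value' lines; refuse events missing the fields we act on."""
    fields = dict(re.findall(r"^([A-Za-z ]+):\s*(\S.*)$", text, re.M))
    for key in ("Source IP", "Response"):
        if key not in fields:
            raise ValueError(f"event is missing {key!r}")
    return fields


def anc_apply_payload(ip: str, anc_policy: str) -> dict:
    """Body for PUT /ers/config/ancendpoint/apply, selecting the endpoint by IP.
    Field names follow the ISE ERS ANC documentation for 2.x; check your release."""
    return {"OperationAdditionalData": {"additionalData": [
        {"name": "ipAddress", "value": ip},
        {"name": "policyName", "value": anc_policy},
    ]}}


def build_request(event: dict, user: str, password: str) -> urllib.request.Request:
    """Map the partner's Response to an ANC policy and build the ERS call."""
    response = event["Response"]
    if response not in ANC_POLICY_FOR_RESPONSE:
        raise ValueError(f"no ANC policy mapped for response {response!r}")
    body = json.dumps(anc_apply_payload(event["Source IP"],
                                        ANC_POLICY_FOR_RESPONSE[response]))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{ISE_HOST}:9060/ers/config/ancendpoint/apply",
        data=body.encode(), method="PUT",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"})


def payload_of(req: urllib.request.Request) -> dict:
    """Decode the JSON body of a built request (handy for tests and dry runs)."""
    return json.loads(req.data)


def quarantine(event_text: str, user: str, password: str, send=None):
    """Parse, build and optionally send. `send` is injected (for example
    urllib.request.urlopen) so the function can be exercised offline."""
    req = build_request(parse_event(event_text), user, password)
    if send is None:
        return req
    with send(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(payload_of(quarantine(SAMPLE_EVENT, "ers-admin", "secret")))
```

Two practitioner notes. `urlopen` verifies the ISE certificate against the system trust store; import the ISE admin certificate rather than disabling verification, and give the integration its own ERS account with the least privileged ERS role rather than a super-admin. Keying the ANC action on an IP address depends on ISE holding a current IP-to-session binding for that endpoint; when the partner can supply the MAC address, prefer it, because a stale binding would quarantine the wrong host.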

Page 17

Cisco DNA Center: simple workflows (Design, Provision, Policy, Assurance) for Software-Defined Access. It builds on APIC-EM and the network data platform, uses the Identity Services Engine for policy, and manages wireless access points, wireless LAN controllers, switches and routers.

Page 18

Campus Fabric: Cisco DNA Center handles fabric management, policy authoring and workflows; Cisco Identity Services Engine handles authentication, authorization and policies. Groups and policies are exchanged between the two over pxGrid and REST APIs.

Page 19

Page 20

Page 21

Establish user trust with MFA

Page 22

81% of breaches leverage stolen or weak passwords. Source: Verizon 2018 Data Breach Investigations Report

● Compromised credentials are a major security risk
● Cumbersome tokens and one-time passwords are not user friendly

Page 23

Page 24

Integration surfaces: REST APIs, Web SDK, RADIUS, SAML, OIDC. Use cases: custom apps, VPN, remote access SSO, RRAS, multicloud, email / Microsoft, on-prem. Start here, then expand.

Page 25

Enrollment options:

Automatic enrollment: admins can import users from existing Azure, LDAP and AD directories.

Self enrollment: users can self-enroll into Duo in less than 1 minute.

Import users: provision users using Duo's REST API, or add users manually, one at a time or through CSV.

Page 26

● Users can manage their own 2FA devices during login
● Add, remove and configure devices
● Reduce TCO by enabling users to easily manage their own devices

Learn more about Device Management

Page 27

Assess the health and security posture of any device

Page 28

99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021). Source: Gartner, Dale Gardner, 2018 Security Summit

● Attackers exploit known vulnerabilities
● Patching devices (especially user-owned ones) is complex
● End users continue to access data from potentially vulnerable devices
● Accessing critical data from vulnerable devices can be risky

Page 29

Page 30

Endpoint management status: Duo's Trusted Endpoints integrates with endpoint management systems to detect whether the device is managed by your IT.

Security posture visibility: Duo's Unified Endpoint Visibility inspects the device at the time of access without installing any endpoint agents.

Page 31

Device attributes visible at the time of access:

Mobile devices: corp managed asset status, biometrics (Touch/Face) status, screen lock status, OS condition (tampered) status, encryption status, platform type, device OS type, device OS version, device owner, Duo Mobile version.

Laptops / desktops: corp managed asset status*, device owner, OS type, OS version, browser type, browser version, Flash & Java plugin versions, OS/browser/plugin status.

* Additional conditions, such as disk encryption and anti-virus, can be assumed for policy from the corp managed asset status.

Page 32

Endpoint ownership across iOS, Android, Windows, Mac and ChromeOS:

• Corporate owned & managed
• Employee owned & corporate managed
• Employee owned & unmanaged (BYO)

Reliable inventory tracking and reporting of endpoints is a fundamental requirement for compliance and risk management programs.

Page 33

How Duo establishes device trust per platform:

Windows
• Native: Microsoft AD, Ivanti (LANDESK)
• Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc.
• Alternative: Duo's generic deployment

macOS
• Native: Jamf
• Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc.
• Alternative: Duo's generic deployment

Mobile
• Duo: the Duo Mobile app can be used to trust mobile devices (great for customers without MDM)
• Native: AirWatch, MobileIron, Google G Suite, Sophos

Page 34

Admins can monitor whether the devices used are managed or not.

Page 35

End users get just-in-time notification about out-of-date OS, browsers, Flash and Java. If users do not update by a certain day, the endpoints are blocked.

https://demo.duo.com/remediation

Page 36

Manage and control who is allowed to access applications

Page 37

● Customizable security policies
● Global, application & group level controls
● Establishes a level of trust based on users and devices

https://demo.duo.com/access-control

Page 38

Learn more about Policy and Control

Page 39

Page 40

● Policies are centrally managed in the Duo Admin Panel.

Map compliance / security requirements to Duo's policies. Examples:

○ Block out-of-date and vulnerable devices from accessing any app
○ Step-up authentication for users coming from an unknown IP
○ Step-down authentication for users coming from a known geolocation

Policies can apply at three levels:

○ Global → all users and applications
○ Application → only a specific application
○ Group (users) → only a specific group of users
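An added example, not Duo's engine, that puts the three policy levels and the three example rules together, along with the update deadline from the device-health slide: a Global policy is overridden by the Application policy, which is overridden by the Group policy, and the resulting settings drive block / step-up / step-down for one access attempt. The version floors, the deadlines, the trusted networks, the group names and the access context are constructed for the sample run.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

TODAY = date(2019, 3, 19)   # constructed "today" for the sample run

# Settings modelled per policy level. `None` means "not set at this level".
GLOBAL = {
    "require_mfa": True,
    "min_os": {"Windows": "10.0", "iOS": "12.1"},   # assumed version floors
    "update_deadline": date(2019, 4, 1),            # warn until then, block after
    "step_down_countries": {"RS"},                  # known geolocation -> no 2nd factor
}
APPLICATION = {
    "payroll": {"step_down_countries": set()},      # payroll: never step down
}
GROUP = {
    "contractors": {"update_deadline": date(2019, 3, 1)},   # stricter deadline
}
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]  # assumed


@dataclass
class Access:
    """Constructed access context: who, from which device, from where."""
    user: str
    groups: tuple
    app: str
    client_ip: str
    country: str
    os: str
    os_version: str
    today: date = TODAY


def effective_policy(access: Access) -> dict:
    """Layer Global -> Application -> Group; the more specific level wins."""
    policy = dict(GLOBAL)
    levels = [APPLICATION.get(access.app, {})] + [GROUP.get(g, {}) for g in access.groups]
    for level in levels:
        for key, value in level.items():
            if value is not None:
                policy[key] = value
    return policy


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def decide(access: Access) -> dict:
    """Return the decision ('allow', 'mfa' or 'block') plus an update warning flag."""
    policy = effective_policy(access)
    floor = policy["min_os"].get(access.os)
    out_of_date = floor is not None and version_tuple(access.os_version) < version_tuple(floor)
    # 1. out-of-date device: warn until the deadline, then block outright
    if out_of_date and access.today >= policy["update_deadline"]:
        return {"decision": "block", "warn_out_of_date": True}
    client = ip_address(access.client_ip)
    known_ip = any(client in net for net in TRUSTED_NETS)
    # 2. unknown IP: always step up to a second factor
    if not known_ip:
        decision = "mfa"
    # 3. known IP and a step-down geolocation: password alone is enough
    elif access.country in policy["step_down_countries"]:
        decision = "allow"
    else:
        decision = "mfa" if policy["require_mfa"] else "allow"
    return {"decision": decision, "warn_out_of_date": out_of_date}


def sample_access(**overrides) -> Access:
    """Alice, an employee on the corporate LAN in Serbia, on Windows 10."""
    base = dict(user="alice", groups=("employees",), app="wiki",
                client_ip="10.1.2.3", country="RS", os="Windows", os_version="10.0")
    base.update(overrides)
    return Access(**base)


if __name__ == "__main__":
    print(decide(sample_access()), decide(sample_access(app="payroll")))
```

Note the ordering: the out-of-date check runs before any step-down, so a known geolocation never rescues a device that has passed its deadline, and an explicit empty set at the application level (payroll) is treated as "set, to nothing" rather than "not set", which is what lets a sensitive application switch off a global step-down.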

Page 41

Duo supports hundreds of apps out of the box

Page 42

Integration documents are available at duo.com/docs

Page 43

Duo Cloud Platform architecture. The cloud platform provides device policy check, device visibility, user policy, user management and MFA management. Access paths to it:

• Multi-Factor Authentication for VPN, virtual desktop, etc.
• Duo-integrated applications (Azure AD, RDP, SSH, Windows, app, API, etc.)
• Web/SSH through the Duo Network Gateway
• Cloud apps via the Duo Access Gateway [SAML/SSO]
• RADIUS/LDAP via the Duo Auth Proxy

Primary authentication stays with the existing source (AD, Azure AD, LDAP, etc.); the user's access device and MFA device complete the second factor.

Page 44

[Diagram: a trusted user on a trusted device reaches Tier 1, Tier 2 and Tier 3 security groups (10.0.0.1-4, *.domain.local, 192.0.0.1/24) from the public Internet through the DNG (443) for web and SSH.]

Use Duo Beyond to secure access to internal networks and the public cloud.

Page 45

Authentication methods:

• Duo Push
• Mobile passcode
• Phone, SMS
• HOTP token
• U2F/WebAuthn
• Bypass

The core service and policy engine are always in the cloud.

Page 46

Page 47

AnyConnect / ASA integration options:

Preferred: use Duo Access Gateway (SAML) for ASA. Best user experience; Trusted Endpoints support coming soon.

Optional: use Duo Auth Proxy (RADIUS). The user receives an automatic push. Consider this for older ASA versions and for FTD.

Limited: use LDAPS. No proxy required, but the end-user experience requires a second password field, and device trust is only supported for the web-based SSL VPN.

Page 48

Requirements for the SAML option:

1. A SAML gateway such as Duo Access Gateway (DAG) for SSO. Read more here.
2. ASA version 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher of each release.
3. AnyConnect 4.6 or later.

Page 49

Requirements for the RADIUS option:

1. Cisco ASA 8.3 or later
2. Cisco FTD 6.3 or later
3. Duo Authentication Proxy

Learn more about AnyConnect RADIUS integration

Page 50

Page 51

[Diagram: existing SSO/IdP, AD or SAML directory, Duo Access Gateway.]

Page 52

Duo SSO for cloud apps:

● Easily access all cloud applications from a single dashboard
● Enable consistent security controls across cloud applications
● Secure every cloud application

Page 53

DAG Authentication Sources: the DAG is an IdP that verifies authentication requests against an on-premises or cloud identity database.

On-premises sources: Microsoft AD, OpenLDAP, SAML IdP, OpenID Connect.

Cloud Identity Providers: the DAG can be configured to use a SAML or OIDC provider for cloud identities through third-party providers.

• SAML providers: Shibboleth, Microsoft AD FS, Microsoft Azure AD, G Suite (Google), Okta, OneLogin, SecureAuth, Bitium, CA SSO, Radiant Logic, F5, Juniper, Oracle, many more
• OIDC providers: Microsoft Azure, G Suite (Google)

Page 54

Duo Access Gateway Documentation

Page 55

O365, RDP/Windows Logon, and Azure AD use cases

Page 56

Three ways to integrate:

• Integration with DAG / Duo SSO: on-premises directory behind the Duo Access Gateway (native SSO and IdP support)
• Integration with AD FS: on-premises directory behind a third-party identity provider
• Integration with Azure AD: native Azure AD Conditional Access

Page 57

Directory sync:

• Import users directly into Duo from Azure without any on-premises software
• Import users via LDAP from AD or OpenLDAP directories; requires installation of the Duo Authentication Proxy

Learn more about directory sync

Page 58

Learn how to set up Duo's RDP

Page 59

Offline scenarios: an executive on a plane, a salesperson at a hotel, a vendor at a customer site. Users need to authenticate with MFA into their machines before they can access the Internet / a secure portal.

Page 60

Offline factors:

• Duo Mobile passcode: use the smartphone you own, enter a one-time passcode
• Universal Second Factor (U2F): Yubico or other security keys, just tap the key

Page 61

Publishing an internal web application through the Duo Network Gateway:

● Deploy a Duo Network Gateway in the DMZ using Docker, with both "public" and "internal" access.
● Configure your SAML IdP for primary auth.
● Configure the DNG with Duo for secondary auth.
● Configure a web application on the DNG for your protected "internal" application.
● Create public DNS entries for your protected internal web apps that point to the DNG's public interface.
● Users access the "internal" app using their browser.

Page 62

Demo: SSH Access with Duo Beyond

https://demo.duo.com/ssh-remote-access

Page 63

CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.

Page 64

Duo versus traditional 2FA:

Item | Duo | Traditional 2FA
Deployment | Minimal cost; Duo doesn't require or charge for professional services | High cost; professional installation required
Integrations | Unlimited; supports VPNs, RDP, cloud apps and more | Pay per integration; may require custom connectors
Token deployment | No tokens required; use Duo Mobile on smartphones | Several months of token distribution and shipping
Token replacement (lost, stolen or broken) | No token management; most users prefer Duo Mobile | 5-10% lost per month; tokens can also expire or malfunction
On-going maintenance | Included; support included | Additional cost; support sold separately
Patches & updates for the 2FA appliance | Automated; updated by Duo in the cloud | Manual; requires extensive IT admin support
Help desk calls (average per user per year) | 1; easy and intuitive for end users | 4; clunky and confusing end-user experience
New user enrollment (time per user) | 2-3 min; end users can self-enroll | 1 hour; requires end-user training
Time to authenticate | 2 seconds; tap to approve a Duo Push request | 15-30 seconds; time to type an OTP
Device visibility (PCs, Macs, mobile devices, BYOD) | Included | Requires additional products
Role-based user policies (security policies for various user groups) | Included; require more or less security based on user group | Requires additional products; "adaptive auth" needed

Page 65

Fill in the survey, pick up your gift at the "Information" desk and take part in the prize draw at the closing of the conference.

Page 66

Page 67

COM-4T DOO Belgrade

[email protected]