JECRC University
Enterprise Network Design and Deployment
Sandeep Yadav (1202061074)
Security components covered: ISE, IPS, ACS, ASA, WSA, WLC (wireless controller)
ISE (Identity Services Engine)
A centralised security solution that automates context-aware access to network resources and shares contextual data.
Identity, profiling and posture: who, what, when, where, how, and whether the endpoint is compliant, are evaluated before access to network resources is granted.
Use cases: role-based policy access, guest access (ISE sponsor portal and guest self-service), BYOD access.
Android Device Provisioning (BYOD flow)
1. Initial connection using PEAP
2. Redirection to Android Market to install the provisioning utility
3. Provisioning using Cisco Wi-Fi Setup Assistant
4. Change of Authorization (CoA)
5. Future connections use EAP-TLS
WLC (Wireless LAN Controller)
Wireless controllers centrally manage, secure and configure access points throughout the organization.
Topology: WLC - CAPWAP tunnel - access point - wireless client
WSA (Web Security Appliance)
Features: web reputation, web filtering, Application Visibility and Control, parallel AV scanning, file reputation, data loss prevention, Advanced Malware Protection, Cognitive Threat Analytics.
It combines Advanced Malware Protection (AMP), Application Visibility and Control (AVC), acceptable-use policies and insightful reporting to address the challenges of securing and controlling web traffic.
ACS (Access Control System)
• Offers central management of access policies for device administration and for wired and wireless 802.1X network access.
• Supports two distinct protocols: RADIUS for network access control and TACACS+ for network device administration.
• Can use multiple identity stores concurrently for maximum flexibility in enforcing access policy.
Topology: supplicant (endpoint device, IP phone) - Catalyst switch or Wireless LAN Controller - campus network (Nexus 7000) - protected resources; ACS authenticates against AD.
AAA (Authentication, Authorization and Accounting)
• AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication on networking components.
• Unauthorized access in campus, dial-up and Internet environments creates the potential for intruders to gain access to sensitive network equipment, services and data.
• A Cisco AAA architecture enables consistent, systematic and scalable access security.
Cisco provides two ways of implementing AAA services for Cisco routers and network access servers:
• Self-contained AAA (local user database on the device)
• Cisco Secure ACS Solution Engine (external AAA server)
AAA Protocols: TACACS+ vs RADIUS
                 TACACS+               RADIUS
Transport        TCP/IP                UDP/IP
Encryption       Entire packet body    Password only
Standard         Cisco (proprietary)   Open (IETF)
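The "Encryption" row is the practical difference between the two protocols. The Python below is an added example, not from the slides or from any Cisco product: it builds one RADIUS Access-Request and one TACACS+ authentication START packet with the hiding steps the RFCs specify (RFC 2865 section 5.2 for RADIUS, RFC 8907 section 4.5 for TACACS+) and then checks which fields a packet capture would still show. The shared key, username, password, session ID and addresses are constructed test values.

```python
# Added example (not part of the slides): how the two AAA protocols in the
# table protect packet contents. RADIUS hides only the User-Password attribute
# with an MD5 keystream; TACACS+ XORs the whole body after its 12-byte header
# with an MD5 pseudo-pad. All secrets and identifiers are constructed values.
import hashlib
import struct

# ---- RADIUS (RFC 2865) -------------------------------------------------------

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Section 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret || c_{i-1}),
    with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: type(1) length(1, includes the 2-byte header) value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def radius_access_request(ident: int, authenticator: bytes, user: bytes,
                          password: bytes, secret: bytes) -> bytes:
    """Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = radius_attr(1, user) + radius_attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

# ---- TACACS+ (RFC 8907) ------------------------------------------------------

TAC_PLUS_VERSION = 0xC0   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01    # packet type: authentication

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Section 4.5: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (section 5.1): action LOGIN, priv level 1,
    authen_type ASCII, service LOGIN, four length bytes, then the variable fields."""
    return struct.pack("!BBBBBBBB", 0x01, 0x01, 0x01, 0x01,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data

def tacacs_packet(session_id: int, key: bytes, seq_no: int, body: bytes) -> bytes:
    """The 12-byte header stays in clear (flags=0 means the body is obfuscated)."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    pad = tacacs_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ k for b, k in zip(body, pad))

def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body by recomputing the pad from the clear header and the shared key."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ k for b, k in zip(packet[12:12 + length], pad))

# ---- Side by side -------------------------------------------------------------

def what_a_sniffer_sees(secret=b"s3cret-shared-key", user=b"alice", password=b"Passw0rd!"):
    """Build one packet of each protocol and report which fields are readable on the wire."""
    authenticator = bytes(range(16))      # constructed; a real client sends 16 random bytes
    rad = radius_access_request(7, authenticator, user, password, secret)
    start = tacacs_authen_start(user, b"tty0", b"10.0.0.5")
    tac = tacacs_packet(0x1234ABCD, secret, 1, start)
    return {
        "radius_user_in_clear": user in rad,          # User-Name is never hidden
        "radius_password_in_clear": password in rad,  # User-Password is XOR-hidden
        "tacacs_user_in_clear": user in tac,          # whole body is obfuscated
        "tacacs_header_in_clear": tac[:12] == struct.pack("!BBBBII", 0xC0, 1, 1, 0, 0x1234ABCD, len(start)),
    }

if __name__ == "__main__":
    for field, visible in what_a_sniffer_sees().items():
        print(f"{field}: {visible}")
```

Both schemes are keyed MD5 keystreams, so "encryption" in the table should be read as obfuscation against a passive observer who does not hold the shared secret: RADIUS leaves every attribute except User-Password readable, and RFC 8907 itself recommends carrying TACACS+ over a separately protected transport such as IPsec rather than relying on the body obfuscation.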
ASA (Adaptive Security Appliance)
• A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
• Firewalls have been a first line of defence in network security.
• They establish a barrier between secured, controlled internal networks that can be trusted and untrusted outside networks such as the Internet.
Topology: internal network of L3 switches behind an active/standby firewall pair; inside and outside interfaces, trunks to the switches, and a dedicated failover link between the two firewalls.
Foundational functionality: stateful firewalling, VPN capabilities, policy enforcement point for ISE.
Stateful firewalling:
• TCP normalization
• TCP Intercept
• IP options inspection
• IP fragmentation handling
• NAT
• Routing
• Access control lists
VPN capabilities:
• Diverse endpoint support: mobile and non-mobile devices, Cisco and non-Cisco devices
• Split tunneling: corporate and sensitive traffic goes through the tunnel, personal and generic traffic goes direct
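"Stateful firewalling" in the list above means the ASA permits return traffic because it remembers the connection, not because an access list names it. The Python below is an added toy model, not ASA code or configuration: an access list that decides which new connections may start, a connection table that admits return traffic, and a per-server cap on half-open connections in the spirit of TCP Intercept. The addresses, ports and packet sequence are constructed.

```python
# Added example (not from the slides): a toy stateful packet filter showing
# what a connection table adds over a plain access list. Not ASA code.
from collections import namedtuple

# flags is a set of TCP flag letters, e.g. {"S"}, {"S", "A"}, {"F", "A"}, {"R"}
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulFilter:
    """Three mechanisms from the ASA feature list, modelled minimally:
    - access list: which *new* connections may start and from where;
    - connection table: return traffic is permitted by state, no rule needed;
    - embryonic limit: cap on half-open connections per server (TCP Intercept style)."""

    def __init__(self, inside_prefix, acl, embryonic_limit=2):
        self.inside_prefix = inside_prefix    # constructed "inside" range, e.g. "10.0.0."
        self.acl = acl                        # set of (dst, dport) reachable from outside
        self.embryonic_limit = embryonic_limit
        self.conns = {}                       # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def _new_allowed(self, pkt):
        if self._is_inside(pkt.src):
            return True                       # inside hosts may initiate outbound
        return (pkt.dst, pkt.dport) in self.acl

    def _embryonic(self, server):
        return sum(1 for (_s, _sp, d, _dp), st in self.conns.items()
                   if d == server and st == "SYN_SENT")

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            key = fwd if fwd in self.conns else rev
            if pkt.flags & {"R", "F"}:
                del self.conns[key]           # teardown removes the table entry
                return "PERMIT (connection closed)"
            if key == rev and pkt.flags == {"S", "A"} and self.conns[key] == "SYN_SENT":
                self.conns[key] = "ESTABLISHED"
            return "PERMIT (existing connection)"
        if pkt.flags != {"S"}:
            return "DROP (no matching connection)"   # a stateless ACL cannot make this distinction
        if not self._new_allowed(pkt):
            return "DROP (denied by access list)"
        if not self._is_inside(pkt.src) and self._embryonic(pkt.dst) >= self.embryonic_limit:
            return "DROP (embryonic connection limit)"
        self.conns[fwd] = "SYN_SENT"
        return "PERMIT (new connection)"


def run_scenario():
    """Constructed packet stream against an inside client and a DMZ web server."""
    fw = StatefulFilter("10.0.0.", acl={("192.0.2.10", 80)}, embryonic_limit=2)
    stream = [
        Packet("10.0.0.5", 40000, "203.0.113.9", 443, {"S"}),       # inside opens HTTPS outward
        Packet("203.0.113.9", 443, "10.0.0.5", 40000, {"S", "A"}),  # return SYN/ACK: state, not ACL
        Packet("203.0.113.9", 443, "10.0.0.5", 40001, {"S", "A"}),  # SYN/ACK nobody asked for
        Packet("198.51.100.7", 50000, "10.0.0.5", 445, {"S"}),      # unsolicited inbound to inside
        Packet("198.51.100.7", 50001, "192.0.2.10", 80, {"S"}),     # DMZ web: permitted by ACL
        Packet("198.51.100.7", 50002, "192.0.2.10", 80, {"S"}),     # second half-open connection
        Packet("198.51.100.7", 50003, "192.0.2.10", 80, {"S"}),     # third: over the embryonic cap
        Packet("10.0.0.5", 40000, "203.0.113.9", 443, {"F", "A"}),  # inside closes its session
    ]
    return [fw.process(p) for p in stream]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third packet is the one that separates a stateful device from an access list: it is a SYN/ACK from a permitted server to a permitted client, yet it is dropped because no SYN created an entry for it.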
IPS (Intrusion Prevention System)
An intrusion prevention system is intended to stop malicious events by blocking attacks as they are happening. Attack types that an IPS can prevent include (among others):
• Denial of Service
• Distributed Denial of Service
• Exploits (various types)
• Worms
• Viruses
Topology: edge device - firewall - DMZ (IPS 1 in front of the web servers) - inside (IPS 2 in front of the application and database servers).
Events are ranked Priority 1, 2 or 3:
• Automatically correlates information from intrusion events with network assets to prioritize threat investigation.
• Blended threats and attacks coming through multiple vectors are quickly identified.
• Protects the network more effectively.
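The correlation step is what turns a stream of alerts into the three priorities on the slide: an exploit aimed at a host that exists and runs the targeted service matters more than the same signature fired at a closed port or an unknown address. The Python below is an added illustration, not from the slides or from any Cisco product: a constructed asset inventory for the DMZ and inside segments of the topology, a few constructed sensor events in a made-up key=value format, and a rule that assigns the priority from that inventory.

```python
# Added example (not from the slides): correlating IPS events with an asset
# inventory to assign investigation priority. Inventory, event format and
# hosts are all constructed; the three tiers follow the slide's Priority 1/2/3.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    role: str
    services: dict          # tcp port -> service name actually running there


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int
    target_svc: str         # the service the signature exploits
    sig: str


# Constructed inventory for the DMZ web servers and the inside application database.
INVENTORY = {
    "192.0.2.10": Asset("192.0.2.10", "dmz web server", {80: "http", 443: "https"}),
    "192.0.2.11": Asset("192.0.2.11", "dmz web server", {80: "http", 443: "https", 22: "ssh"}),
    "10.1.0.20": Asset("10.1.0.20", "application database", {1433: "mssql", 3389: "rdp"}),
}

# Constructed sensor output, one event per line; not a real vendor log format.
SAMPLE_EVENTS = """\
src=198.51.100.7 dst=192.0.2.10 dport=80 svc=http sig="HTTP directory traversal attempt"
src=198.51.100.7 dst=192.0.2.10 dport=22 svc=ssh sig="SSH brute force"
src=198.51.100.9 dst=192.0.2.11 dport=22 svc=ssh sig="SSH brute force"
src=203.0.113.5 dst=10.1.0.20 dport=1433 svc=http sig="HTTP directory traversal attempt"
src=203.0.113.5 dst=10.1.0.99 dport=445 svc=smb sig="SMB remote code execution attempt"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Event:
    """Parse one key=value line (quoted values may contain spaces)."""
    kv = {k: v.strip('"') for k, v in _KV.findall(line)}
    return Event(kv["src"], kv["dst"], int(kv["dport"]), kv["svc"], kv["sig"])


def prioritize(event: Event, inventory=INVENTORY):
    """Priority 1: known asset exposes exactly the service the signature targets.
    Priority 2: known asset and open port, but a different service (potentially affected).
    Priority 3: unknown host, or the port is not open there (attack most likely had no effect)."""
    asset = inventory.get(event.dst)
    if asset is None:
        return 3, "destination not in asset inventory"
    running = asset.services.get(event.dport)
    if running is None:
        return 3, f"{asset.role} does not listen on {event.dport}/tcp"
    if running != event.target_svc:
        return 2, f"port {event.dport} runs {running}, signature targets {event.target_svc}"
    return 1, f"{asset.role} runs {running} on {event.dport}/tcp: investigate first"


def triage(text: str = SAMPLE_EVENTS, inventory=INVENTORY):
    """Return (priority, event, reason) rows, most urgent first; ties keep arrival order."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            prio, why = prioritize(ev, inventory)
            rows.append((prio, ev, why))
    rows.sort(key=lambda r: r[0])
    return rows


if __name__ == "__main__":
    for prio, ev, why in triage():
        print(f"P{prio} {ev.dst}:{ev.dport} {ev.sig!r}: {why}")
```

The same signature appears twice in the sample: against the DMZ web server on port 80 it is Priority 1, against the database host on 1433 it is Priority 2, which is the difference the slide's correlation step is meant to make visible.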
Thank You