Brain Storm March 12th Session V 8


Break-1659 – Building and Managing a Secure BYOD Environment
Tuesday, Mar 12, 9:45 AM - 10:45 AM
Timothy Guy - Solutions Architect
Brad Garczynski - Systems Engineer
Building and Managing a Secure BYOD Environment
One-to-one initiatives have flooded K-12 classrooms with new devices, and the
cost of those devices continues to be a large financial burden.
It is widely thought that allowing students to bring their own devices into the
classroom (BYOD) would dramatically reduce this burden.
The challenge is to put in place a management solution that provides a secure
and effective BYOD environment.
• Discussion Topics:
– How to properly secure a BYOD environment
– How to deliver educational content across various devices
– How to give devices secure access to district applications
How did we get here?

Topics
– How did we get here: the story
– Right priority, unpopular message
– Identity Services Engine (ISE) 101
– Live ISE demo: dynamic ACLs, dynamic VLANs, web auth, reporting, user integration
– Mobile Device Management (MDM) solutions
– Live demo: CX next-generation firewall for applications
– Questions
Right Priority, Unpopular Message
1. Solid, switched, virtualized network
2. Pervasive RF in all areas where students will be, with Central Web Authentication
3. Internet capacity that allows consumption without frustration, with accurate filtering
4. High-capacity virtualized server environment for applications
5. Add Identity Services Engine posture and profiling services to authorization, with Prime NCS for management
6. Use an MDM for rapid deployment
ISE 101

Solutions Overview
What we have done so far….
(Flow diagram) Start here → single service? No → Access-Reject; Yes → Access-Accept.
What is the flow of a Policy in ISE…
(Flow diagram) Start here → Registered? No → Access-Reject. Yes → Student? / Guest? (neither → Access-Reject) → Registered i-Device? / Registered device? → Access-Accept (full access) or Access-Accept (Internet Only).
Live Demo of ISE

– Dynamic ACL
– Dynamic Vlans
– Web Authentication
– Reporting
– User Integration
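As an added illustration (this is not Cisco ISE code and not part of the presentation), the following Python walks the authorization flow from the slide and emits the RADIUS attributes behind each demo item: dynamic VLAN assignment (the RFC 2868 tunnel attributes), a downloadable ACL (Cisco `cisco-av-pair` with `ip:inacl#N=`), and the web-auth redirect (`url-redirect-acl` / `url-redirect`) that central web authentication relies on. The VLAN numbers, ACL names, group names, portal URLs and the endpoints in `demo()` are assumptions constructed for the example.

```python
"""Toy ISE-style authorization engine (added example, not Cisco ISE code).

Each endpoint carries what ISE knows at authorization time: whether it was
registered through the BYOD/MyDevices portal, the user's directory group (None
when only the MAC is known, i.e. MAB), the profiler's classification and the
posture result. The Decision holds the RADIUS result plus the attributes a
Catalyst switch or WLC acts on. VLAN numbers, ACL names, group names and the
portal URLs are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VLAN_STUDENT = 20        # assumed: full-access student VLAN
VLAN_INTERNET_ONLY = 30  # assumed: guests and personal mobile devices
CWA_PORTAL = "https://ise.district.example:8443/guestportal/gateway"  # assumed
POSTURE_PORTAL = "https://ise.district.example:8443/guestportal/gateway?action=cpp"  # assumed

# Constructed dACL contents. A dACL's source is always "any" (the session's own IP).
INTERNET_ONLY_ACES = [
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.15.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",
]
FULL_ACCESS_ACES = ["permit ip any any"]


@dataclass
class Endpoint:
    mac: str
    registered: bool
    user_group: Optional[str]
    profile: str
    posture_compliant: Optional[bool] = None  # None = not assessed yet


@dataclass
class Decision:
    result: str    # "Access-Accept" or "Access-Reject"
    reason: str
    attrs: Dict[str, object] = field(default_factory=dict)


def vlan_attrs(vlan: int) -> Dict[str, str]:
    # Dynamic VLAN on the wire: the RFC 2868 tunnel attributes in an Access-Accept.
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}


def dacl_attrs(aces: List[str]) -> Dict[str, List[str]]:
    # Downloadable ACL: one Cisco VSA per ACE, numbered in order of evaluation.
    return {"cisco-av-pair": [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, 1)]}


def redirect_attrs(redirect_acl: str, url: str) -> Dict[str, List[str]]:
    # Web-auth/posture redirect: the NAD intercepts traffic matching the named
    # local ACL and sends the browser to the ISE portal.
    return {"cisco-av-pair": [f"url-redirect-acl={redirect_acl}", f"url-redirect={url}"]}


def authorize(ep: Endpoint) -> Decision:
    """Walk the flow from the slide: registered? -> student/guest? -> device type/posture."""
    is_mobile = ep.profile.startswith(("Apple-iDevice", "Android"))
    internet_only = {**vlan_attrs(VLAN_INTERNET_ONLY), **dacl_attrs(INTERNET_ONLY_ACES)}

    if not ep.registered:
        if ep.user_group is None:
            # Unknown endpoint seen by MAB: accept, but only into the web-auth redirect
            # so the user can authenticate and register (central web authentication).
            return Decision("Access-Accept", "unregistered: web-auth redirect",
                            redirect_attrs("ACL-WEBAUTH-REDIRECT", CWA_PORTAL))
        return Decision("Access-Reject", "known user on an unregistered device")

    if ep.user_group == "guests":
        return Decision("Access-Accept", "guest: internet only", internet_only)

    if ep.user_group == "students":
        if is_mobile:
            return Decision("Access-Accept", "student mobile device: internet only", internet_only)
        if ep.posture_compliant is None:
            return Decision("Access-Accept", "posture pending",
                            redirect_attrs("ACL-POSTURE-REDIRECT", POSTURE_PORTAL))
        if not ep.posture_compliant:
            return Decision("Access-Accept", "posture failed: remediation", internet_only)
        return Decision("Access-Accept", "student laptop, compliant",
                        {**vlan_attrs(VLAN_STUDENT), **dacl_attrs(FULL_ACCESS_ACES)})

    return Decision("Access-Reject", f"no rule for group {ep.user_group!r}")


def demo() -> Dict[str, Decision]:
    """Constructed endpoints, one per branch of the flow."""
    cases = {
        "unknown-mab": Endpoint("00:11:22:33:44:55", False, None, "Unknown"),
        "guest-laptop": Endpoint("00:11:22:33:44:66", True, "guests", "Windows-Workstation"),
        "student-ipad": Endpoint("00:11:22:33:44:77", True, "students", "Apple-iDevice"),
        "student-laptop": Endpoint("00:11:22:33:44:88", True, "students",
                                   "Windows-Workstation", posture_compliant=True),
        "student-laptop-unscanned": Endpoint("00:11:22:33:44:99", True, "students",
                                             "Windows-Workstation"),
        "staff-unregistered": Endpoint("00:11:22:33:44:aa", False, "staff", "Windows-Workstation"),
    }
    return {name: authorize(ep) for name, ep in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:26} {d.result:14} {d.reason}")
        for attr, value in d.attrs.items():
            print(f"{'':26} {attr} = {value}")
```

Two points worth noting when reading the output: the "internet only" outcome is enforced twice (a VLAN plus a dACL that denies RFC 1918 space), so a misconfigured VLAN on one switch does not silently grant internal access; and the unregistered/unknown case is an Access-Accept with a redirect, not a reject, because the endpoint has to reach the portal before it can ever become "registered".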
ISE Deep Dive

ISE Personas
Administration Node
– Interface to configure policies
Monitoring Node
– Interface for logging and report data
Policy Service Node (PSN)
– Engine that makes policy decisions
Network Access Device (NAD) / Inline Posture Node
– Enforcement point that queries the Policy Service node and enforces its decision
External Attribute Stores
– Interface to retrieve policy or policy information (e.g. AD/LDAP)
Basic 2-Node ISE Deployment (Redundant)
– Maximum endpoints: 2000
– Redundant sizing: 2000
(Diagram) Two ISE nodes, each running all three personas: node 1 = primary Admin, secondary Monitoring, Policy Service; node 2 = secondary Admin, primary Monitoring, Policy Service.
Distributed Deployment
• Administration + Monitoring on the same appliance; Policy Service on dedicated appliances
• 2 x Admin+Monitoring nodes
• Max 5 PSNs
• Max 10k endpoints
(Diagram) Two Admin/Monitoring appliances in front of five Policy Service appliances.
Typical ISE Deployment – Example Small School District
(Diagram) Active/standby Admin, Monitoring and Policy Service nodes with AD/LDAP as the external ID/attribute store; HA Inline Posture Nodes behind an ASA VPN. Campus A: WLC, 802.1X switch, APs. Branch A and Branch B: 802.1X switch and APs each.
Typical ISE Deployment – Example Medium 2-Building Campus
(Diagram) Active/standby Admin + Policy Service cluster, separate Monitoring nodes, AD/LDAP as the external ID/attribute store; HA Inline Posture Nodes behind the ASA VPN, plus a distributed Inline Posture Node and a distributed Policy Service node. Campus A and Campus B: WLC, 802.1X switch, APs each. Branch A and Branch B: 802.1X switch and APs each.
Mobile Device Management
(Diagram) Cisco Prime Infrastructure with Assurance manages the Mobility Services Engine (MSE), the Identity Services Engine (ISE) and Mobile Device Management; Catalyst switches (wired network), Cisco WLC (wireless network) and Cisco AnyConnect (remote access) are the enforcement points.
ISE & MDM Are Complementary
Network enablement (ISE):
– Mobile + PC
– Classification / profiling
– Secure network access (wireless, wired, VPN)
– Context-aware access control (role, location, etc.)
Shared between the two (onboarding):
– AUP
– Registration: user <-> device ownership
– Certificate + supplicant provisioning
Mobile Device Management:
– Enterprise software distribution
– Management (backup, remote wipe, etc.)
– Policy compliance (jailbreak, PIN lock, etc.)
– Secure data containers
– Inventory management
Mobile Device Management Flow
Multi-Context NG Firewall
Multiple Contexts – One Firewall
(Diagram) Separate firewall contexts for BYOD segments, student wired segments and guest segments.
Closing discussion
– Topics to take away and respond to
Leave you with these questions
• What is your BYOD policy?
• Where is your BYOD roadmap?
• How do you know what is on your network at any given time, and what it is doing?
• How do you allow contractors access to your network?
• How do you profile devices?
• How do you ensure data loss prevention on devices?
• How would you roll out 802.1X while minimizing the risk of outages?
• How would you segment data center access?
Reference Slides
Solution: Cisco TrustSec
(Diagram) Wireless users, VPN users and remote devices enter an identity-enabled infrastructure (profiling, posture) with scalable enforcement through guest access, VLANs, dACLs and SGTs; policy-based access and services come from the Identity Services Engine (ISE); security zones: data center, intranet, internet. Note on slide: Netech demo at end of presentation.
Device Profiling – 1st defense
• Allows different access levels to be applied automatically to different devices, even when they use the same credentials.
– For example:
• Mobile devices = Internet + AirPlay
• Laptops = full access after posture assessment
– No need for certificates, etc.
– Can also isolate or deny access to certain device types
Posture assessment – 2nd defense
• Performs additional checks to verify the workstation is one of yours, and in the state you expect, before allowing full network access
– Can validate just about anything on the device before allowing network access
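To make the first defense concrete, here is an added example (not Cisco ISE's profiler, and not from the presentation) of a certainty-factor profiler: each condition that matches probe data adds its certainty, a profile applies once its total reaches that profile's minimum, and the highest total wins; the resulting profile then selects the access level the slide describes (internet only for mobile devices, full access after posture for laptops, isolation for anything unrecognized). The OUI table, regexes, weights, thresholds and the probe data in `demo()` are assumptions constructed for the example and stand in for ISE's built-in profiler policies.

```python
"""Certainty-factor device profiler (added example; not Cisco ISE's profiler).

Attributes come from the probes the deployment slides list: the MAC's OUI,
the DHCP vendor class (option 60) and parameter request list (option 55), and
the HTTP User-Agent seen via SPAN. The OUI table, regexes, certainty weights
and thresholds are assumptions; the endpoints in demo() are constructed.
"""
import re
from typing import Dict

# Assumed, abbreviated OUI-to-vendor table (first three octets, lower-case).
OUI_VENDOR = {
    "00:1c:b3": "Apple",
    "3c:5a:b4": "Google",
    "00:1b:21": "Intel",
    "00:50:56": "VMware",
}

# profile -> (minimum certainty, [(attribute, regex, certainty), ...])
PROFILES = {
    "Apple-iDevice": (30, [("oui_vendor", r"^Apple$", 10),
                           ("user_agent", r"\b(iPhone|iPad|iPod)\b", 30),
                           ("dhcp_param_list", r"^1,3,6,15,119,252", 10)]),
    "Android": (30, [("user_agent", r"\bAndroid\b", 30),
                     ("dhcp_class_id", r"^dhcpcd", 10)]),
    "Windows-Workstation": (20, [("dhcp_class_id", r"^MSFT", 20),
                                 ("user_agent", r"\bWindows NT\b", 20)]),
}

# Access level per profile, as on the slide: mobile devices get internet only,
# laptops get full access after posture, anything unrecognized is isolated.
ACCESS_BY_PROFILE = {
    "Apple-iDevice": "internet-only",
    "Android": "internet-only",
    "Windows-Workstation": "full-after-posture",
}


def classify(endpoint: Dict[str, str]) -> Dict[str, object]:
    """Score every profile against the probe attributes and pick the best match."""
    attrs = dict(endpoint)
    attrs["oui_vendor"] = OUI_VENDOR.get(endpoint.get("mac", "")[:8].lower(), "Unknown")
    scores = {}
    for name, (minimum, rules) in PROFILES.items():
        total = sum(cf for attr, rx, cf in rules if re.search(rx, attrs.get(attr, "")))
        if total >= minimum:
            scores[name] = total
    if not scores:
        return {"profile": "Unknown", "certainty": 0, "access": "isolate"}
    best = max(scores, key=scores.__getitem__)
    return {"profile": best, "certainty": scores[best],
            "access": ACCESS_BY_PROFILE.get(best, "isolate")}


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed probe data: one student's two devices (same credentials,
    different access), an Android phone, a DHCP-only VM and an unknown MAC."""
    endpoints = {
        "jsmith-ipad": {"mac": "00:1C:B3:12:34:56",
                        "dhcp_param_list": "1,3,6,15,119,252",
                        "user_agent": "Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) AppleWebKit/536.26"},
        "jsmith-laptop": {"mac": "00:1B:21:AA:BB:CC", "dhcp_class_id": "MSFT 5.0",
                          "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/19.0"},
        "nexus-phone": {"mac": "3C:5A:B4:01:02:03", "dhcp_class_id": "dhcpcd-5.5.6",
                        "user_agent": "Mozilla/5.0 (Linux; Android 4.2.2; Nexus 4) AppleWebKit/535.19"},
        "vm-dhcp-only": {"mac": "00:50:56:00:00:01", "dhcp_class_id": "MSFT 5.0"},
        "unknown-mac": {"mac": "AA:BB:CC:00:00:01"},
    }
    return {name: classify(ep) for name, ep in endpoints.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result['profile']:20} certainty={result['certainty']:<3} {result['access']}")
```

The weights matter for the security claim: the OUI alone never reaches a threshold, so a spoofed Apple MAC does not buy "mobile" treatment by itself, and the User-Agent, the strongest single signal here, is only seen once the device actually talks HTTP through a span port. Profiling is a first defense precisely because all of these inputs are attacker-influenced; the posture check is what verifies the device rather than its appearance.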
Inline Posture Node High Availability – Remote Access Example
(Diagram) VPN users reach the internet edge via ISP A and ISP B through an external router and switch, then an ASA HA pair (active/standby or VPN cluster); VPN clients connect to the single ASA HA IP or the VPN cluster IP. Behind the ASA sit two ISE Inline Posture Nodes (ACTIVE and STANDBY), each with eth0 on the trusted side, eth1 on the untrusted side, eth2 as the heartbeat link and a failover state link, followed by an L3 switch trunking VLANs 11-15 to the internal network.
VLANs
• VLAN 11: ASA VPN; inline node untrusted side
• VLAN 12: inline node trusted side
• VLAN 13: inline heartbeat link
• VLAN 14: ASA inside
• VLAN 15: internal network
School Issues Addressed by CS
Mobile Device Management on Cloud
• For cloud-based solutions, bandwidth and latency need to be considered.
• Scalability: 30 calls per second.
• Survivability:
– If the MDM is not available, the MDM rule will not match.
– By default the user is then left in the "Register with MDM" state.
• Administrators and users can issue remote actions on the device from ISE through the MDM server (e.g. remote wipe), via:
– the MyDevices Portal
– the Endpoints directory in ISE
Mobile Device Management API
• With the API, ISE can query:
– overall Compliant / Not Compliant (macro level), or
– individual attributes: disk encryption, PIN lock, jailbroken
• Bulk re-check against the MDM every 4 hours.
– The cached data is not used in authorization; the AuthZ rule queries the MDM live.
• If the bulk re-check shows that a device is no longer compliant, ISE sends a CoA (Change of Authorization) to terminate the session.
• Works the same with all 4 vendors.
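The two MDM slides above describe a small state machine, and it is easy to get the failure mode wrong. The following Python is an added example (not Cisco ISE code and not any vendor's MDM API) that models it: the authorization rule queries the MDM live rather than from cache, an unreachable MDM makes the rule not match so the endpoint falls into "Register with MDM", the rule can evaluate the vendor's macro compliance flag or the individual attributes (disk encryption, PIN lock, jailbroken), and a 4-hour bulk re-check emits a CoA Disconnect for sessions whose device has since fallen out of compliance. The MDM API is a constructed stand-in, and the records, MACs and sessions in `demo()` are constructed.

```python
"""MDM-integrated authorization and bulk re-check (added example; not Cisco ISE
or any MDM vendor's code). The MDM API is a constructed stand-in; the records
and sessions in demo() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RECHECK_INTERVAL = timedelta(hours=4)  # bulk re-check period from the slide


class MdmUnavailable(Exception):
    """The cloud MDM API is unreachable or timed out."""


class FakeMdm:
    """Constructed stand-in for a vendor MDM API: per-MAC compliance records."""

    def __init__(self, records: Dict[str, dict], available: bool = True):
        self.records = records
        self.available = available

    def query(self, mac: str) -> Optional[dict]:
        if not self.available:
            raise MdmUnavailable("MDM API unreachable")
        return self.records.get(mac)  # None: device not registered with the MDM


def attribute_compliant(rec: dict) -> bool:
    """Attribute-level policy built from the slide's individual checks."""
    return rec["disk_encryption"] and rec["pin_lock"] and not rec["jailbroken"]


def mdm_authorize(mac: str, mdm: FakeMdm, use_macro: bool = True) -> dict:
    """Evaluate the MDM condition live for one authorization request."""
    try:
        rec = mdm.query(mac)
    except MdmUnavailable:
        # Survivability: the MDM rule does not match, so the endpoint falls through
        # to the default "Register with MDM" outcome.
        return {"rule": "no-match", "state": "Register with MDM"}
    if rec is None:
        return {"rule": "MDM-not-registered", "state": "Register with MDM"}
    compliant = rec["compliant"] if use_macro else attribute_compliant(rec)
    if compliant:
        return {"rule": "MDM-compliant", "state": "Full access"}
    return {"rule": "MDM-non-compliant", "state": "Remediation (internet only)"}


@dataclass
class Session:
    mac: str
    session_id: str
    state: str
    last_mdm_check: datetime


def bulk_recheck(sessions: List[Session], mdm: FakeMdm, now: datetime,
                 use_macro: bool = True) -> List[dict]:
    """Re-query the MDM for full-access sessions older than RECHECK_INTERVAL and
    return a CoA Disconnect-Request for each that is no longer compliant. If the
    MDM is unreachable the session is left alone and retried next cycle (a
    design choice for this example; the slide does not specify it)."""
    coas = []
    for s in sessions:
        if s.state != "Full access" or now - s.last_mdm_check < RECHECK_INTERVAL:
            continue
        try:
            rec = mdm.query(s.mac)
        except MdmUnavailable:
            continue
        s.last_mdm_check = now
        still_ok = rec is not None and (rec["compliant"] if use_macro else attribute_compliant(rec))
        if not still_ok:
            coas.append({"session_id": s.session_id, "mac": s.mac, "coa": "Disconnect-Request"})
            s.state = "Terminated"
    return coas


def demo() -> dict:
    """Constructed MDM records and sessions exercising each behaviour."""
    ipad, laptop, phone = "00:1c:b3:00:00:01", "00:1b:21:00:00:02", "3c:5a:b4:00:00:03"
    mdm = FakeMdm({
        ipad: {"compliant": True, "disk_encryption": True, "pin_lock": True, "jailbroken": False},
        # Vendor flag says compliant, but the attribute-level check disagrees (no PIN lock).
        laptop: {"compliant": True, "disk_encryption": True, "pin_lock": False, "jailbroken": False},
    })
    now = datetime(2013, 3, 12, 9, 45)
    results = {
        "ipad": mdm_authorize(ipad, mdm),
        "laptop_macro": mdm_authorize(laptop, mdm),
        "laptop_attrs": mdm_authorize(laptop, mdm, use_macro=False),
        "phone_unregistered": mdm_authorize(phone, mdm),
        "mdm_down": mdm_authorize(ipad, FakeMdm({}, available=False)),
    }
    sessions = [
        Session(ipad, "s1", "Full access", now - timedelta(hours=5)),    # due for re-check
        Session(laptop, "s2", "Full access", now - timedelta(hours=1)),  # checked recently
    ]
    mdm.records[ipad]["jailbroken"] = True   # device jailbroken since it was admitted
    mdm.records[ipad]["compliant"] = False
    results["coas"] = bulk_recheck(sessions, mdm, now)
    results["session_states"] = [s.state for s in sessions]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The practical caveat is in `mdm_authorize`: because an unreachable MDM yields "Register with MDM" rather than "Full access", a cloud MDM outage degrades to users being prompted to re-enroll, not to devices being waved through; and because nothing is cached, the 30 calls per second figure from the slide is the real ceiling for the authentication rate, which is why the bulk re-check runs on a 4-hour timer instead of per request.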
Mobile Device Management Solutions
– Cisco published specs to 4 vendors:
• AirWatch 6.2
• Mobile Iron 5.0
• ZenPrise 7.1
• Good, version 2.3
– Requires the vendor API to be open
– Only one MDM at a time
Local LAN Auth Example
Monitoring – Distributed Log Collection
• ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and centralized correlation and storage.
• Each ISE node collects logs locally from itself; Policy Service nodes running Profiler Services may also collect log (profile) data from NADs.
• Each node buffers and transports collected data to each Monitoring node as Syslog.
• NADs may also send Syslog directly to the Monitoring node on UDP/20514 for activity logging, diagnostics, and troubleshooting.
(Diagram) NADs feed the Policy Service nodes with Syslog (UDP/20514), HTTP SPAN, DHCP SPAN/helper/proxy, NetFlow, SNMP traps and RADIUS; Policy Service nodes send profiler Syslog to the Monitoring nodes on UDP/30514, and alarm-triggered Syslog also reaches the Monitoring nodes; Monitoring nodes forward to external log servers as Syslog (UDP/20514).
Administration HA and Synchronization
• Changes made via the Primary Administration DB are automatically synced to the Secondary Administration node and all Policy Service nodes.
(Diagram) Primary Admin node → policy sync → Secondary Admin node and each Policy Service node; Policy Service nodes send user logging to the Primary and Secondary Monitoring nodes.
