Secure Borderless Networks Update

Transcript: Secure Borderless Networks Update

Cisco Borderless Networks
Enabling the Borderless Organisation
Mark Jackson, Technical Solutions Architect
[email protected]
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
[Slide diagram: threats to the organisation (viruses, unauthorized access, denial of service, system penetration, telecom fraud) across the main campus, branch office and data center]
Cisco Self-Defending Network

- Integrated: build security into the network
- Adaptive: adjust defenses based on events and real-time info
- Collaborative: make security work together as a system

[Slide diagram: main campus, branch office and data center]
Mobility

- 1.3 billion new networked mobile devices in the next three years
- Video projected to quadruple IP traffic by 2014 to 767 exabytes*

Blurring the borders: changing the way we work

- Consumer ↔ Workforce
- Employee ↔ Partner
- Physical ↔ Virtual
- Anyone, anything, anywhere, anytime

[Slide diagram: mobile devices, workplace experience, video and IT resources, with references to the Operational Efficiency Program and the Government ICT Strategy]
[Slide diagram: mobile worker, IT consumerisation, IaaS/SaaS, video/cloud]
Public Sector Network

- Government Cloud
- Shared Services
- Information Security and Assurance
“Developments in ICT mean it is now possible for different teams, offices or even organisations to share the same ICT infrastructure.”

“The Public Service Network will allow the delivery of services to any location and, through standards, will enable unified communications in terms of voice, video and collaboration capabilities.”

“…data sharing is an essential element of joining up services and providing personalisation. This means that there must be effective, proportionate management of information risk.”

“The need to continue to transform public services and to use ICT to enable transformation of the way the public sector runs and operates has become more pressing.”
[Slide diagram: device, location, application]

More Diverse Users, Working from More Places, Using More Devices, Accessing More Diverse Applications, and Passing Sensitive Data
Enabling Mobility, Extending Security

[Slide diagram: inside the corporate environment (corporate office, branch office, local data center, corp DMZ) and outside it (home office, coffee shop, airport, mobile user, citizens, partners, attackers), separated by the border; always-on integrated security and policy spans both sides, built on 802.1X, TrustSec, MACsec and MediaNet, and extends to cloud services delivered as Software, Platform, Infrastructure or "X" as a Service]
1. Identifies authorised users. Who are you? An 802.1X or a Network Admission Control (NAC) appliance authenticates the user.
2. Increases network visibility. What are you doing? The user's identity, location, and access history are used for compliance and reporting.
3. Personalises the network. What service level do you receive? The user is assigned services based on role and policy (job, location, device, etc.).
4. Enforces access policy. Where can you go? Based on authentication data, the network controls user access.
Current network access control segmentation methods (VLAN, ACL, subnet) are topology dependent and operationally intensive.

SGTs

- Security Group Tags are topology independent and streamline the deployment of role-based access control
- Attribute-based access control assigns an SGT to users, devices, or virtual machines based on their role

SGACLs

- Security Group ACLs (SGACLs) enforce access policy based on source and destination SGT
- Transport of SGTs is secured via NDAC and 802.1AE MACsec
- This is an emerging technology, expanding in platform availability and adoption

[Slide diagram: source security groups (individuals, employees, partners) are mapped through authorisation rules to destination security groups and resources (Internet, confidential, non-Europe employee, print/copy), with access rules applied between them]
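The identity slide (who are you, what service level, where can you go) and the TrustSec slide together describe one flow: authentication yields attributes, attributes yield a tag, and the tag, not the subnet, decides access. The model below is an added example written for this transcript, not Cisco code or a Cisco configuration; the tag names, the assignment rules, the SGACL matrix and the sample sessions are all constructed assumptions. It evaluates the same flow under a legacy subnet ACL and under an SGT/SGACL policy so the topology-dependence the slide criticises is visible: the employee who moves to a branch subnet loses access under the subnet ACL but keeps it under SGACLs, while a partner who plugs into the HQ VLAN gains access under the subnet ACL but not under SGACLs.

```python
"""Constructed model of Security Group Tags (SGTs) and SGACLs.

Added example, not Cisco code or configuration: the tag names, the
assignment rules and the policy matrix below are assumptions chosen to
show the contrast the slide draws between topology-dependent (subnet/VLAN)
and topology-independent (SGT) access control.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    """Attributes established when 802.1X/NAC authenticated the endpoint."""
    user: str
    role: str    # from the identity store: "employee" or "partner" here
    device: str  # posture result: "managed" or "unmanaged"
    region: str  # location of the access device: "EU" or "non-EU"
    ip: str      # address on the current subnet; used only by the legacy ACL


# Step 1 - attribute-based SGT assignment. First matching rule wins and an
# unmatched session falls through to a restrictive default tag.
SGT_RULES = [
    ({"role": "employee", "device": "managed", "region": "EU"}, "EMPLOYEE_EU"),
    ({"role": "employee", "device": "managed"}, "EMPLOYEE_NON_EU"),
    ({"role": "employee", "device": "unmanaged"}, "EMPLOYEE_BYOD"),
    ({"role": "partner"}, "PARTNER"),
]
DEFAULT_SGT = "GUEST"

# Destination resources carry tags too (assigned e.g. at the data-centre switch).
RESOURCE_SGT = {
    "internet": "INTERNET",
    "confidential-share": "CONFIDENTIAL",
    "printer": "PRINT_COPY",
}

# Step 2 - the SGACL matrix keyed by (source SGT, destination SGT); each cell
# lists permitted TCP ports and a missing cell is an implicit deny.
SGACL = {
    ("EMPLOYEE_EU", "CONFIDENTIAL"): {445},
    ("EMPLOYEE_EU", "PRINT_COPY"): {631, 9100},
    ("EMPLOYEE_EU", "INTERNET"): {80, 443},
    ("EMPLOYEE_NON_EU", "PRINT_COPY"): {631, 9100},
    ("EMPLOYEE_NON_EU", "INTERNET"): {80, 443},
    ("EMPLOYEE_BYOD", "INTERNET"): {80, 443},
    ("PARTNER", "INTERNET"): {80, 443},
    ("GUEST", "INTERNET"): {80, 443},
}


def assign_sgt(s: Session) -> str:
    """Map session attributes (role, device posture, location) to an SGT."""
    for match, tag in SGT_RULES:
        if all(getattr(s, attr) == value for attr, value in match.items()):
            return tag
    return DEFAULT_SGT


def sgacl_permits(s: Session, resource: str, port: int) -> bool:
    """Enforce on tags only: the user's IP address and subnet play no part."""
    cell = SGACL.get((assign_sgt(s), RESOURCE_SGT[resource]), set())
    return port in cell


# For contrast, the topology-dependent method the slide says SGTs replace:
# a subnet ACL keys on where a packet came from, not on who sent it.
SUBNET_ACL = [
    (ip_network("10.1.0.0/16"), "confidential-share", {445}),  # "HQ employee VLAN"
    (ip_network("10.1.0.0/16"), "printer", {631, 9100}),
    (ip_network("0.0.0.0/0"), "internet", {80, 443}),
]


def subnet_acl_permits(src_ip: str, resource: str, port: int) -> bool:
    """Legacy check: permit if any ACL line matches source subnet and resource."""
    addr = ip_address(src_ip)
    return any(addr in net and res == resource and port in ports
               for net, res, ports in SUBNET_ACL)


def compare(s: Session, resource: str, port: int) -> dict:
    """Return both decisions for one flow so the difference is visible."""
    return {
        "sgt": assign_sgt(s),
        "subnet_acl": subnet_acl_permits(s.ip, resource, port),
        "sgacl": sgacl_permits(s, resource, port),
    }


if __name__ == "__main__":
    # Constructed sessions: the same EU employee at HQ and at a branch, a
    # partner who plugs into the HQ VLAN, and the employee visiting a non-EU site.
    alice_hq = Session("alice", "employee", "managed", "EU", "10.1.5.20")
    alice_branch = Session("alice", "employee", "managed", "EU", "10.7.5.20")
    bob_partner = Session("bob", "partner", "unmanaged", "EU", "10.1.9.9")
    alice_abroad = Session("alice", "employee", "managed", "non-EU", "10.9.1.2")
    for label, sess in [("alice@HQ", alice_hq), ("alice@branch", alice_branch),
                        ("bob@HQ", bob_partner), ("alice@non-EU", alice_abroad)]:
        print(label, compare(sess, "confidential-share", 445))
```

The region attribute is what makes the slide's "non-Europe employee" group fall out of the same rules: the same managed employee gets a different tag, and therefore a different SGACL row, when authenticated from a non-EU access device. Note that the model only covers policy evaluation; the slide's point that SGT transport is protected by NDAC and MACsec is a separate link-layer concern not represented here.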
Next-Generation Security

- Duplicated infrastructure, increased cost and complexity
- Single unified platform enforcing policy

[Slide diagram: shared workspace environment, shown as rows of "D" and "V" icons]

Delivering a Platform to Enable Shared Services
Network and Security Follows User—It Just Works

Broad Mobile Support
- Fixed and semi-fixed platforms
- Mobile platforms

Persistent Connectivity
- Always-on connectivity
- Optimal gateway selection
- Automatic hotspot negotiation
- Seamless connection hand-offs

Next-Gen Unified Security
- User/device identity
- Posture validation
- Integrated web security for always-on security (hybrid)

[Slide diagram: corporate office, mobile user and home office connected over wired, broadband and 3G/Wi-Fi links; secure, consistent access for voice—video—apps—data]
AnyConnect Client

- Choice: diverse endpoint support for greater flexibility
- Security: rich, granular security integrated into the network (data loss prevention, threat prevention, acceptable use, access control; enforced by WSA and ASA)
- Experience: always-on intelligent connection for seamless experience and performance

[Slide diagram: access granted to intranet and corporate file sharing]
Simple, Powerful Access – Anywhere, Any Device

[Slide diagram: from unmanaged devices, risk of data loss and lack of access, to secure mobile connectivity (acceptable use, access control, data loss prevention) for the mobile government worker]

Enabling Seamless Remote and Mobile Working
Self-Defending Network

Keep the bad guys out:
- Firewall: access
- Intrusion Prevention: block attacks
- Content Security: email and web
Self-Defending Network: New Security Requirements

Keep the bad guys out:
- Firewall: access
- Intrusion Prevention: block attacks
- Content Security: email and web

Enable secure borderless access:
- Policy & Identity: trusted access
- Secure Mobility: always on
- Cloud Security: hosted/hybrid
1. The borderless organisation needs a borderless network architecture.
2. Cisco is uniquely equipped to deliver that architecture with “broad and deep” network innovation.
3. The Cisco Borderless Network delivers the platform to transform service delivery.