BRKDEV-1081

14621_05_2008_x1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1

Policy-Based Network Access

© 2006, Cisco Systems, Inc. All rights reserved. 1


The World We Would Like to Live In

We Live in a Complicated World

Evolution of Network Access Policy (newest first)

Cisco TrustSec
- Networkwide, role-based access control
- Network device access control
- Consistent policies across multiple access types

Network Admission Control (NAC)
- Posture validation of endpoint compliance

Identity-Based Access Control
- Flexible authentication options
- Postadmission control options

Network Address-Based Access Control

Business Policy Is Shared Across Domains

Business Policy: "Be Secure. Protect Our IP. Be SOX-Compliant."

Facilities Policy: "Laptops Locked to Desk. One Entry per Badge Swipe. No Tailgating."
Computer Policy: "Virus Protection. Personal Firewalls. OS Patched Up to Date."
Application Policy: "Separation of Duties. Role-Based Access. Strong Authentication."
Network Policy: "Network Segmentation. Wired/Wireless Restrictions. Intrusion Detection."

Customer Problem

Situation
- Business dynamics have changed
  Complex relationships with customers, partners, suppliers
  Distributed workforce
  Increased regulatory compliance
- Businesses are challenged to consistently apply policies across different domains
  Many technologies: network, desktop, app server, security, applications, etc.
  Many organizations and specializations: network ops, sec ops, IT, Help Desk, CIO
  More overlap and complexity between domains
Customer Problem (Cont.)

Complication
- Technology, organizational and policy domains are independent of each other

Effect
- Administrative and efficiency cost
- Difficulty with interoperability, business agility and regulatory compliance

Policy Concepts and Requirements

- Policy is domain-specific, which requires well-defined interfaces
- Enterprises have multiple policy domains, which requires interoperability and composability
- Global namespaces and domain-local namespaces (hierarchy)
  Domain namespaces require a mechanism for provisioning
  Domains, as authorities, must be able to assert attributes
- Policy enforcement: entities (e.g., network elements, policy apps) must provide a common set of enforcement directives
- System-level troubleshooting within and across domains is essential
- Common trust and identity is required for domain interoperability
Two Key Requirements

1. Provisioning
   Drive top-level business policy into individual domains
   Domains enforce top-level policy in domain-relevant ways
   Centrally coordinate business policy
   Increase efficiency, reduce complexity, cut costs
   Simplify auditing/reporting
2. Sharing information between domains
   Policy enforcement in a domain may use data from another domain
   Better mapping to business policy
   Centralized management of service delivery based on network, location, health, identity, application
   Comprehensive view on network and application access
   Policy is only as good as the data it is based upon
Identity and Access Policy: A Platform Approach

Requirements
- Interoperability and nimbleness to manage and enforce dynamic business policies
- Federation among different policy domains
- Information must be available and shared

Why a Platform?
- Provides encapsulation of information and services
- Enables extensibility and integration via interfaces

Identity and Access Policy Platform = Cisco® Secure Access Control System (ACS)
How Are You Described?

Human

Attributes Are Part of the Way We Are Wired

Father of Three, Political Views, Network Engineer, Motorbike Racer, Fashion Statement
Work Attributes Are the Cornerstone for Network Identity and Access Policy

Full-Time Employee, US Citizen, R&D Department, Group Leader, Accessing via VPN


Identity and Access Policy: Key Concepts

- Symmetric policy model for users and devices
- Attribute-based model
  Several attributes are used to classify entities accessing network assets
  Consume from: AD, LDAP, SecurID, posture servers, audit servers, etc.
  Assert: session state attributes (location, ID, etc.)
- Simplicity: customers can easily create policies and reuse objects
- Flexibility and extensibility to accommodate simple/complex policies and adapt to future functionality
- Interfaces (UI, Web services, scripting, CLI)
  SPMLv2 and XACML for provisioning
  SAML for attribute assertions
Policy Model
Service View: 802.1X

[Figure: Service A (802.1X). Session attributes and info (NAD info, attributes, protocols, date/time, credentials) feed the Authentication Rules, then the Authorization Rules, which are keyed on User ID Group, Location, Access Type, Date/Time and Other?; the matching rule selects an authorization profile (Profile A, Profile B, Profile C, ..., Profile X).]

Policy Model
Service View: 802.1X/NAC/CTS

[Figure: Service B (802.1X/NAC/CTS). Session attributes and info (NAD info, attributes, protocols, date/time, credentials, audit info) feed the Authentication Rules and the Posture Assessment, then the Authorization Rules, which are keyed on User ID Group, Host ID Group, Location, Access Type, Date/Time, Posture and Other?; the matching rule selects an authorization profile (Profile A, Profile B, Profile C, ..., Profile X).]

Identity and Access Policy Interfaces

Provisioning
- Policy management APIs to support integration with third-party management tools
  Provisioning of access policy, etc. via WSDL
  Complete programmatic read/write access
- Network enforcement policies can be provisioned consistently with other domains

Information Sharing
- Provide static and dynamic information about entities attached to the network
  Provide data for consumption by applications
  Centralized query to both logged and real-time session data
- Other domain enforcement can leverage session information (e.g., location, host posture)
- Asset management applications have visibility into what entities are on the network
Examples

Scenario: Automating Common Tasks

- Sam the ACS admin wants to automate the process of entering new devices into ACS; this saves time, allows others to add devices, and minimizes errors
- He needs to do the following:
  Enter device name
  Device IP addresses
  Shared secret for RADIUS/T+
  Associate the device to the appropriate device group based on geography
- Sam is accustomed to using the ACS GUI, and he wants to quickly set up a simple Perl script for adding devices
Scenario: Integration with Enterprise System

- "Enterprise" has a device repository; each device that is defined on that system also needs to be defined on ACS to allow it to function as an AAA client
- To avoid duplicate data entry and possible errors, the IT department would like to automate the process, such that each device defined on the device repository system is also provisioned to ACS with the subset of attributes that ACS requires

[Figure: Provisioning over Enterprise Setting. The Device Repository Administrator enters device data into the Enterprise Device Repository (Device DB); the repository provisions Cisco Secure ACS (ACS DB) over Web Services.]

Scenario: Helpdesk Automation

- When users are unable to access a resource (perhaps an application) they call the helpdesk; in order to troubleshoot, the helpdesk operator first needs to determine if the problem has to do with network access
- The help desk team develops a script in order to automate common network access troubleshooting tasks
- The administrator invokes the script with the user name; the script makes three different calls over the ACS programmatic interfaces:
  Get session data: Is the user connected to the network?
  Get logged event: Were there any errors during ACS session establishment?
  Policy data: What authorizations were granted to the user?
Scenario: Network/Application-Integrated Access Control

- ACME Corp does not allow VPN access to sensitive financial data; in fact, the connection must be over a wired switch port, and the network access must have used an RSA SecurID token
- The finance Web application gets real-time session information from ACS (strength of authentication, and connection type: wired, wireless, VPN, etc.)
- The Web application developer uses the ACS attribute assertion Web service

[Figure: flow between User, Web App, Application Policy and ACS (with Attribute Caching): 1) Network Access, 2) Access Request, 3) Session Assertion, 4) Application Resource Access, 5) Policy Decision Request, 6) Policy Evaluation, 7) Attributes.]
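As an added example (not Cisco's code and not the ACS Web service API), the following Python models the first-match authorization rules of the service-view slides and applies them to the ACME finance policy in this scenario. The session attribute names, rule set and profile names are constructed for illustration.

```python
"""Added example: attribute-based authorization in the style of the ACS
service view (session attributes -> authorization rules -> profile), applied
to ACME's rule that finance data needs a wired port and a SecurID login.
All attributes, rules and profiles here are constructed, not ACS's own."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Session attributes that ACS would assert (constructed sample record)."""
    user: str
    user_group: str
    access_type: str          # "wired", "wireless" or "vpn"
    auth_method: str          # e.g. "securid", "password", "eap-tls"
    posture: str = "unknown"  # "compliant", "noncompliant" or "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: dict   # attribute -> set of allowed values; all must match
    profile: str       # authorization profile selected when the rule matches


def evaluate(rules: list[Rule], session: Session, default: str = "Deny") -> str:
    """First-match evaluation: the first rule whose conditions all hold selects
    the profile; if nothing matches, the default (deny) profile applies."""
    attrs = vars(session)
    for rule in rules:
        if all(attrs.get(k) in allowed for k, allowed in rule.conditions.items()):
            return rule.profile
    return default


# Constructed ACME rule set: posture gates everything, then role and access type.
ACME_RULES = [
    Rule("quarantine", {"posture": {"noncompliant"}}, "Quarantine"),
    Rule("finance-wired-securid",
         {"user_group": {"finance"}, "access_type": {"wired"},
          "auth_method": {"securid"}}, "Finance-Full"),
    Rule("finance-other", {"user_group": {"finance"}}, "Finance-Restricted"),
    Rule("employee", {"user_group": {"finance", "rnd", "sales"}}, "Employee"),
]


def finance_app_allows(session: Session) -> bool:
    """The Web application's decision from the asserted session attributes:
    VPN or password-only logins never reach the sensitive financial data."""
    return evaluate(ACME_RULES, session) == "Finance-Full"
```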
Summary

- Numerous policy systems will exist in enterprise environments
- Next-generation identity and access policy platform (Cisco Secure Access Control System) provides interfaces for integrating as part of your business environment
- ACS interfaces leverage open standards (Web services, XML, SPML, XACML, SAML)

Call to Action

- Evaluate your automation requirements for network identity and access policy
- Investigate how your network access can more cleanly fit as part of your enterprise defense-in-depth strategy
- Learn more about Cisco's "Identity-Enabled Networks" solution
- More info
  www.cisco.com/go/acs
  Matt Hur: mhur@cisco.com
  Attend BRKDEV-1071 for architecture and interface drill down (Thursday at 8 a.m.)

Q and A

Recommended Reading

- Continue your Cisco Live learning experience with further reading from Cisco Press
- Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

- Give us your feedback and you could win fabulous prizes. Winners announced daily.
- Receive 20 Passport points for each session evaluation you complete.
- Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
