Transcript
Mobile Devices and BYOD Security: Deployment and Best Practices BRKSEC-2045 Sylvain Levesque Security Consulting Systems Engineer
[email protected]
Agenda
• Test bed Used
• State of Malware on Mobile Devices
• 802.1X Network Authentication
• Device Profiling with the Identity Services Engine
• Digital Certificates Usage and Provisioning Methods
• Remote Access VPN
• Web Security
• Recommendations and Conclusion
© 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Test bed Used
Test bed Used A number of tests were conducted for this session to document the behavior of mobile devices with different Cisco security solutions. A group of devices under test was used to represent the major mobile platforms on the market today. Recent releases of operating systems were used and therefore the behavior documented in this presentation might vary with older OS releases.
Devices under test:
• Apple iPad3 tablet: iOS 6.1.2+
• Toshiba AT300 tablet: Android ICS* 4.0.3
• Samsung Galaxy Tab2: Android 4.1+
• Samsung Galaxy S2/SS: Android JB* 4.1.2
• Nexus/Google: Android JB* 4.4+
• RIM/Blackberry Bold 9900: 7.1.0
• RIM/Blackberry Z10: 10.0.10+
• Microsoft Surface: Windows 8 RT+
*ICS=Ice Cream Sandwich, *JB=Jelly Bean

Infrastructure under test:
• ASA 9.1(4)
• Anyconnect 3.x
• WSA 7.5(0)-833
• ISE 1.2
• Microsoft Certificate Services, Windows 2008 Enterprise R2
• Airwatch Cloud-Based MDM 6.3.1.2
State of Malware on Mobile Devices
Mobile Devices Market
• Android currently dominates the Mobile OS market, followed by iOS
• While iOS devices are pretty current, a large percentage of Android devices still uses outdated releases that could be subject to security vulnerabilities
[Charts: iOS Versions (Source: IDC); Android Versions (Source: developer.android.com)]
State of Malware
The Cisco 2014 Annual Security Report describes the evolution of exploits and malware and is a great reference for any IT or Security professional: http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
Interesting statistics can be found on malware, exploits and mobile devices in this report:
• Malware on Android up 2,577%
• 99% of mobile malware targets Android
• Encounters with web malware: Android 70%, Apple iOS 22%
• Malware on mobile devices: 1.2% of all web malware found (up from 0.42%)
• Most exploits involve Java, which has sparse support on mobile devices
Other Interesting Facts and Conclusions
• 25%+ of malware on mobile devices comes from porn sites…
• Phishing: still a major malware infection vector, as with PCs
• Users click on a link in an email that has them installing an App from an untrusted application store
• Typical exploits on Android:
  – subscription to premium SMS services
  – botnet infection and remote control
  – banking information theft
• 2012 -> first Android botnet in the wild
• 2013 -> large Android botnets observed in China (1 million + devices)
• The use of non-managed mobile devices could expose your organization to infection or data theft (Android or others)
Cisco Annual Security Report: “The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not “root” or “jailbreak” their devices, and only install applications from official and trusted distribution channels”
Secure Access with 802.1X, Remote Access VPN and Web Security
Network-Based Authentication using 802.1X - Review
802.1X is used to provide authentication of a user or a device to the network. 3 main components are involved in an 802.1X authentication:
[Diagram: Supplicant <-- EAP session (EAP/WPA2) --> Authenticator <-- EAP over RADIUS --> Authentication Server (RADIUS)]
- Supplicant: Provides identity information to the network. Supplicant software is embedded in all modern Operating Systems. Ex: Apple iOS, Android, Windows 8, etc.
- Authenticator: Device that controls access to the network, participates in the initial EAP (Extensible Authentication Protocol) exchange and acts as a relay between the Supplicant and the Authentication Server. Ex: Switch, Wireless Controller
- Authentication Server: RADIUS Server that validates the identity information provided and sends authorization attributes such as a VLAN, Access-List, Session timeout, or URL for redirection. The identity can optionally be validated by an external Identity Store. Ex: ISE, ACS
802.1X Identity Information Types
Different types for different mobility use cases:
1. Username/Password Combination
   - User authentication (also Machine Auth for Windows)
   - Active Directory/LDAP/RADIUS ID Stores
   - EAP types: PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST
2. Two-Factor Authentication
   - Something you know, you have, you are
   - Mostly for user authentication
   - RSA SecurID and other token-based ID Systems
   - EAP types: PEAP-GTC, EAP-FAST/EAP-GTC
3. Digital Certificates
   - Signed/emitted by a public or private Certificate Authority
   - Can be used for user and/or device authentication
   - Microsoft AD Certificate Services, Entrust, Verisign, etc.
   - EAP types: EAP-TLS, EAP-FAST
Acronyms: EAP = Extensible Authentication Protocol; PEAP = Protected EAP; GTC = Generic Token Card; FAST = Flexible Authentication via Secure Tunneling; TLS = Transport Layer Security
Device & User Authentication/Authorization
[Diagram, reconstructed from the slide labels]
2 phases possible (same EAP type with the native supplicant):
1. Machine AuthC: host/MTLLAB-W500 with PEAP-MSCHAPv2* or EAP-TLS
2. User AuthC: CISCO\slevesqu with PEAP-MSCHAPv2 or EAP-TLS
1 phase only:
1. User AuthC: slevesqu with PEAP-MSCHAPv2 or EAP-TLS
Certificate-based authorization:
- CN=slevesqu -> User AuthC -> User AuthZ
- SAN=00:21:6A:AB:0C:8E -> Device AuthZ
- CN=slevesqu + SAN=00:21:6A:AB:0C:8E -> Hybrid AuthZ
*Windows RT/Phone can not join Active Directory and can not use PEAP-MSCHAPv2 for Machine Authentication
AuthC=AuthentiCation, AuthZ=AuthoriZation, CN=Common Name, SAN=Subject Alternate Name
2-Factor Authentication Workaround with 802.1X and Central Web Authentication
1. 802.1X EAP-TLS authentication with Certificate (Factor 1: Device Certificate!!!)
2. Central Web Authentication on ISE with User AD Account (Factor 2: Employee User Credentials!!!)
Common 802.1X EAP Types and Compatibility

EAP-Type      | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7/10 | ACS 5.x | ISE 1.x | AD  | LDAP
EAP-TLS       | Yes                  | Yes    | Yes       | Yes     | Yes    | Yes     | Yes     | Yes | Yes
PEAP MSCHAPv2 | Yes                  | Yes    | Yes       | Yes     | Yes    | Yes     | Yes     | Yes | No
PEAP EAP-GTC  | No1                  | No     | Yes       | Yes     | Yes    | Yes     | Yes     | Yes | Yes
EAP-FAST      | No1                  | No     | Yes2      | No3     | Yes    | Yes     | Yes     | Yes | No

1. No native support for token based systems such as RSA SecurID. Supported through 3rd-party supplicants such as Anyconnect NAM
2. Configuration required through Apple Configuration Utility or MDM
3. No native support. Supported through Cisco Compatible Extensions (CCX) with specific mobile devices manufacturers. More information: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
More on 802.1X! BRKSEC-2691: Identity Based Networking: IEEE 802.1X and beyond
802.1X Configuration: PEAP-MSCHAPv2 User Authentication Example
[Screenshots of the numbered supplicant configuration steps on each device; not reproduced in text]
Device Profiling with the Identity Services Engine
ISE Profiler Review
• The ISE Profiler service uses a number of probes to capture the traffic generated by an endpoint device
• It then extracts information from this traffic and compares patterns with profiling rules that are either predefined or custom-built to match an endpoint type and a profile
• An Authorization rule can then use this information to assign network access privileges based on the device profile (iPhone/iPad vs Android vs Blackberry vs Windows)

Probes Currently Used to Profile Mobile Devices
Probe   | Data Provided
RADIUS  | OUI, MAC Address
DHCP    | DHCP attributes, hostname
DNS     | FQDN, hostname
HTTP    | User-Agent
NMAP    | OS fingerprint
NETFLOW | TCP/UDP ports used
SNMP    | MIB strings
More on Profiling!! BRKSEC-3698: Advanced ISE and Secure Access Deployment
Example of Profiling Rules for iPad
[Screenshot of the ISE profiling rules; not reproduced in text]
Analyzing HTTP User Agents
Example (Toshiba AT300):
Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19
- "Mozilla/5.0": compatibility with Mozilla's rendering engine
- "Android 4.0.3": OS and version
- "AT300": device model
- "AppleWebKit/535.19 (KHTML, like Gecko)": HTML layout engine
- "Chrome/18.0.1025.166 Safari/535.19": browser and extensions
Sample HTTP User Agents
View your own user-agent at: http://whatsmyuseragent.com!!
Apple iPad:
Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
Windows RT:
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)
Android Samsung Tab2 tablet:
Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Android LG Google Nexus 5 smartphone:
Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36
Blackberry Z10 smartphone:
Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+
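The kind of field extraction the ISE HTTP probe performs on a User-Agent, as an added example that is not part of the original deck and not ISE's own profiler code. It parses the sample strings listed above (plus one constructed desktop string) into platform, OS version, model and layout engine, and adds a constructed per-platform version floor to flag the outdated Android releases the malware section warned about. The DeviceProfile/parse_user_agent names and the MINIMUM_OS floors are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample inputs: the User-Agent strings listed on the slides,
# plus one desktop string to exercise the "not a known mobile platform" path.
SAMPLE_USER_AGENTS: Dict[str, str] = {
    "ipad":    "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53",
    "winrt":   "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)",
    "tab2":    "Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30",
    "nexus5":  "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36",
    "bb10":    "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+",
    "at300":   "Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19",
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0",
}


@dataclass
class DeviceProfile:
    platform: str               # "ios", "android", "windows-rt", "blackberry" or "unknown"
    os_version: Optional[str]   # dotted version string, e.g. "7.0.4"
    model: Optional[str]        # device model token when the UA carries one
    engine: Optional[str]       # HTML layout engine token, e.g. "AppleWebKit/537.36"


def parse_user_agent(ua: str) -> DeviceProfile:
    """Split a User-Agent into the fields the profiler slide annotates."""
    # The first parenthesised group carries the platform/OS tokens, ';'-separated.
    group = re.search(r"\(([^)]*)\)", ua)
    tokens = [t.strip() for t in group.group(1).split(";")] if group else []
    engine_m = re.search(r"\b(AppleWebKit/[\d.+]+|Trident/[\d.]+|Gecko/[\d.]+)", ua)
    engine = engine_m.group(1) if engine_m else None

    # Apple iOS: "(iPad; CPU OS 7_0_4 like Mac OS X)", underscores instead of dots.
    ios = re.search(r"\b(iPad|iPhone|iPod)\b.*?OS (\d+(?:_\d+)*) like Mac OS X", ua)
    if ios:
        return DeviceProfile("ios", ios.group(2).replace("_", "."), ios.group(1), engine)

    # Android: "Android 4.4.2; Nexus 5 Build/KOT49H" -> version, then the token holding "Build/".
    android = re.search(r"\bAndroid (\d+(?:\.\d+)*)", ua)
    if android:
        model = next((t.split(" Build/")[0] for t in tokens if " Build/" in t), None)
        return DeviceProfile("android", android.group(1), model, engine)

    # BlackBerry 10 reports "BB10" as the platform token and its OS release in "Version/".
    if "BB10" in tokens:
        ver = re.search(r"\bVersion/(\d+(?:\.\d+)*)", ua)
        return DeviceProfile("blackberry", ver.group(1) if ver else None, "BB10", engine)

    # Windows RT: a desktop-looking IE string, but the "ARM" token gives it away.
    if "ARM" in tokens:
        nt = next((t for t in tokens if t.startswith("Windows NT")), None)
        return DeviceProfile("windows-rt", nt.split()[-1] if nt else None, None, engine)

    return DeviceProfile("unknown", None, None, engine)


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split(".") if p.isdigit())


# Constructed policy (assumption, not from the deck): minimum OS release per platform
# below which a profiled device is flagged as running an outdated release.
MINIMUM_OS: Dict[str, Tuple[int, ...]] = {"android": (4, 4), "ios": (7, 0)}


def is_outdated(profile: DeviceProfile, floors: Dict[str, Tuple[int, ...]] = MINIMUM_OS) -> bool:
    floor = floors.get(profile.platform)
    if floor is None or profile.os_version is None:
        return False   # no policy for this platform, or nothing to compare against
    return version_tuple(profile.os_version) < floor


def profile_all(samples: Dict[str, str] = SAMPLE_USER_AGENTS) -> Dict[str, Tuple[DeviceProfile, bool]]:
    profiles = {name: parse_user_agent(ua) for name, ua in samples.items()}
    return {name: (p, is_outdated(p)) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, (profile, outdated) in profile_all().items():
        print(f"{name:8s} {profile.platform:11s} os={profile.os_version} model={profile.model} "
              f"engine={profile.engine} outdated={outdated}")
```

The User-Agent is client-supplied and trivially changed, so a result like this is one profiling signal to be corroborated by the RADIUS OUI and DHCP probes, never an authentication factor on its own.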
Viewing Endpoint Profiling Data
[Screenshot of the ISE endpoint profiling data; not reproduced in text]
Digital Certificates Usage and Provisioning Methods
Certificates, Trust and 802.1X
• Public Key Infrastructure (PKI) uses the concept of trusted Certification Authorities (CA). A list of public CAs on the Internet is embedded in the certificate store as Trusted Roots in every device
• Many organizations typically deploy a private enterprise Certification Authority that allows them better control and scalability. The Root Certificate and certification chain of this private CA has to be provisioned in corporate devices in order for them to trust it
• Non-corporate mobile devices will not trust by default the certificates generated by a private CA, and the 802.1X behavior of mobile devices in this scenario will vary:
  – Apple iOS: User notification -> users might refuse to install the certificate and call the help desk
  – Android: Will accept non-trusted certificates by default without warning!
  – Windows RT/8: User notification -> users might refuse it as well
  – Blackberry 7: No notification -> Access rejected
  – Blackberry 10: Will accept non-trusted certificates by default without warning!
• Windows RT/8 and BB 7: Validation of the server certificate can be disabled for PEAP/EAP-TLS. Useful for lab testing or proof-of-concept, but not recommended for production, where we should use certificates from Public CAs to avoid end user issues
Certificates Installation and Enrollment
Non-trusted Root and user/device Certificates can be created and provisioned on mobile devices using a number of methods that can be manual or automated:
• Copy it to the device. Ex: Corporate mobile devices
• Push computer or user certificates through Group-Policy Objects (GPOs) for Windows corporate devices
• The administrator can create the certificate or email it to the user of the device. Ex: BYOD personal device
• Certificate Server web portal (administrator or user)
• The certificate creation and provisioning can be automated with the Simple Certificate Enrollment Protocol (SCEP). A few options are available:
  – SCEP from the mobile device itself (support varies by mobile platform)
  – SCEP with the Anyconnect VPN client
  – SCEP Proxy with the Anyconnect VPN client and the ASA
  – Identity Services Engine (ISE) with the Onboarding service for 802.1X
  – SCEP with Mobile Device Management solutions
Certificate Enrollment using SCEP and VPN
SCEP with Anyconnect (Anyconnect Profile: SCEP Host = myCA.bnlab.local; the SCEP Request travels through the IPSec/SSL tunnel to the ASA and on to the CA):
• Initiated by the user
• No Certificate renewal
• Needs direct access to CA
• Requires Anyconnect 2.4+
SCEP Proxy with Anyconnect and the ASA (the SCEP Request travels through the IPSec/SSL tunnel to the ASA SCEP Proxy, which issues the SCEP Request to the CA):
1. ASA performs policy enforcement
2. ASA inserts machine device-id from posture
• Controlled by the head-end (ASA)
• Pre-enrollment policy enforcement
• Device-ID for Authorization
• Automatic Certificate renewal
• Only ASA communicates with CA
• Requires Anyconnect 3.0+
Onboarding with ISE on Wired/WLAN
[Flow, reconstructed from the slide: Mary (personal asset), Access Point, Wireless LAN Controller, ISE, AD/LDAP, CA]
1. Mary connects to the Secure SSID (SSID: BYOD-Secure) with User Name = Mary, Password = *******
2. Redirect to the Self Provisioning Portal
3. Register Device, Provision Certificate, Configure Supplicant; Mary reconnects to the Secure SSID
N.B.: A dual-SSID option can also be used where the 2nd Open SSID is used for the onboarding process
ISE Authorization Using Certificate Attributes
• Registered Devices: Indicates the device went through the BYOD onboarding process
• Network Access only allows EAP-TLS authentication with Certificate
• The Radius attribute Calling-Station-ID contains the MAC address of the device, which is compared against the SAN in the Certificate
• The AD username is read from the SubjectName and sent to AD where its attributes are retrieved for authorization
• Different Permissions Assigned (VLAN, ACLs, etc)
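The authorization rule sequence above, as an added example that is not part of the deck and not ISE code. The certificate is modelled as its already-extracted subject DN and SAN list (CertFields), the registered-device set and the directory are constructed fixtures, and GROUP_POLICY is an assumed mapping from AD group to the permissions returned. The MAC normalisation is the part worth getting right: the RADIUS Calling-Station-ID, the certificate SAN and Cisco device output all spell the same address differently, and a naive string comparison would reject every legitimate device.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CertFields:
    """Fields already extracted from the EAP-TLS client certificate (assumption: parsed upstream)."""
    subject: str          # e.g. "CN=slevesqu,OU=BYOD,O=Example Corp"
    san: List[str]        # Subject Alternative Name values, e.g. ["00:21:6A:AB:0C:8E"]


@dataclass
class AuthzResult:
    accepted: bool
    reason: str
    attributes: Dict[str, str] = field(default_factory=dict)   # permissions returned on accept


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise the MAC encodings seen in practice: RADIUS Calling-Station-ID
    ('00-21-6A-AB-0C-8E'), certificate SAN ('00:21:6A:AB:0C:8E'), Cisco dotted
    ('0021.6aab.0c8e') and bare hex. Returns lowercase 'xx:xx:xx:xx:xx:xx', or None
    when the input does not contain exactly 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=slevesqu,OU=BYOD,O=Corp' into {'CN': ..., 'OU': ..., 'O': ...}.
    Commas escaped as '\\,' inside a value stay part of that value."""
    fields: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            fields[key.strip().upper()] = value.strip().replace("\\,", ",")
    return fields


# Constructed authorization policy (assumption): AD group -> permissions returned to the NAD.
GROUP_POLICY: Dict[str, Dict[str, str]] = {
    "Employees":   {"vlan": "10", "dacl": "PERMIT-BYOD-EMPLOYEE"},
    "Contractors": {"vlan": "20", "dacl": "PERMIT-BYOD-CONTRACTOR"},
}


def authorize(request: Dict[str, str], cert: CertFields,
              registered_devices: Set[str], directory: Dict[str, List[str]]) -> AuthzResult:
    """Apply the slide's rule sequence: EAP-TLS only, device onboarded,
    Calling-Station-ID equals the SAN, CN looked up in AD, group mapped to permissions."""
    if request.get("auth_method") != "EAP-TLS":
        return AuthzResult(False, "only EAP-TLS certificate authentication is allowed")
    mac = normalize_mac(request.get("Calling-Station-ID", ""))
    if mac is None:
        return AuthzResult(False, "malformed Calling-Station-ID")
    if mac not in registered_devices:
        return AuthzResult(False, f"device {mac} has not been through BYOD onboarding")
    san_macs = {normalize_mac(s) for s in cert.san}
    if mac not in san_macs:
        # Valid certificate, but issued for another device: treat it as a copied credential.
        return AuthzResult(False, "Calling-Station-ID does not match the certificate SAN")
    user = parse_dn(cert.subject).get("CN")
    if not user or user not in directory:
        return AuthzResult(False, "certificate CN is not a known directory user")
    for group in directory[user]:
        if group in GROUP_POLICY:
            return AuthzResult(True, f"{user} authorized via group {group}", dict(GROUP_POLICY[group]))
    return AuthzResult(False, f"no authorization rule matches the groups of {user}")


# Constructed fixtures (assumption): two onboarded devices, three directory users, one BYOD certificate.
REGISTERED_DEVICES: Set[str] = {"00:21:6a:ab:0c:8e", "aa:bb:cc:00:11:22"}
DIRECTORY: Dict[str, List[str]] = {"slevesqu": ["Employees"], "extern1": ["Contractors"], "guest9": ["Guests"]}
BYOD_CERT = CertFields("CN=slevesqu,OU=BYOD,O=Example Corp", ["00:21:6A:AB:0C:8E"])


def demo() -> Dict[str, AuthzResult]:
    base = {"auth_method": "EAP-TLS", "Calling-Station-ID": "00-21-6A-AB-0C-8E"}
    return {
        "ok":            authorize(base, BYOD_CERT, REGISTERED_DEVICES, DIRECTORY),
        "peap":          authorize({**base, "auth_method": "PEAP-MSCHAPv2"}, BYOD_CERT, REGISTERED_DEVICES, DIRECTORY),
        "not_onboarded": authorize({**base, "Calling-Station-ID": "0011.2233.4455"}, BYOD_CERT, REGISTERED_DEVICES, DIRECTORY),
        "copied_cert":   authorize({**base, "Calling-Station-ID": "aa-bb-cc-00-11-22"}, BYOD_CERT, REGISTERED_DEVICES, DIRECTORY),
        "no_rule":       authorize(base, CertFields("CN=guest9,OU=BYOD", BYOD_CERT.san), REGISTERED_DEVICES, DIRECTORY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {'ACCEPT' if result.accepted else 'REJECT':6s} {result.reason} {result.attributes}")
```

The "copied_cert" case is the one the SAN comparison exists for: a certificate and private key exported from an onboarded device and imported on another one still passes EAP-TLS, so the check must bind the credential to the MAC the switch or controller actually saw.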
Certificates Installation Summary

Method          | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7 | BB10
Email           | Yes                  | Yes    | Yes       | No1     | Yes | No
Copy To Device  | Yes                  | Yes    | Yes2      | Yes     | Yes | Yes
Web (CA Server) | Yes                  | Yes    | Yes       | Yes     | Yes | No
Anyconnect SCEP | Yes                  | No     | Yes       | Yes     | No  | No
SCEP Proxy      | Yes                  | No     | Yes       | Yes     | No  | No
ISE Onboarding3 | Yes                  | No     | Yes       | Yes     | No  | No

1. Can not be installed from email directly but can be saved and installed from storage
2. Via the iPhone Configuration Utility or an MDM
3. More details on supported platforms: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
Certificate Management
[Screenshots of the numbered certificate management steps on each device; not reproduced in text]
Remote Access VPN
ASA Remote Access VPN Options review
• Clientless SSL: Basic Web, Email and CIFS Access
• Thin-Client SSL: Plugins (SSH, VNC, Telnet, RDP, Citrix), Smart Tunnels
• Client-Based SSL or IPSec: AnyConnect, Customized User Screen
Citrix Mobile Receiver Support
• ASA release 9.0 introduces the support of the Citrix Mobile Receiver application directly in clientless SSLVPN for most desktop OSes and for Apple iOS and Android
  – Allows the ASA to communicate directly to XenApp 6.5 or XenDesktop 5.5, 5.6 Server Farm
[Diagram elements: User Device Connected Using Citrix Online Plug-Ins; Internet; Firewall; Cisco ASA; Access Gateway; Firewall; Web Interface Installed Behind the Access Gateway]
Websockets HTML5 Access
• ASA release 9.1(4) introduces the support of Websockets and HTML5 proxy
• Enables a “fully clientless” solution homogeneously across different OSes using a browser that supports HTML5 – No more dependencies on Java and ActiveX!
• Uses 3rd-party Websockets gateways that convert HTML5 to a client protocol such as RDP/VNC/etc
• The HTML5 resource is a simple bookmark accessed on the ASA clientless Web Portal
[Diagram: Mobile Device with an HTML5 browser --SSL--> Internet --> ASA --SSL--> Websockets Gateway/Server --RDP, VNC, CIFS, etc--> Application (Data Center / Intranet)]
Mobile Devices VPN Support Summary

Method                              | Win 8 Pro/Enterprise | Win RT/Phone | Apple iOS | Android   | BB7/10
Anyconnect – SSL transport          | Yes                  | No1          | Yes       | Yes       | No1
Anyconnect – IPSec/IKEv2            | Yes                  | No1          | Yes       | Yes       | No1
Websockets – HTML5                  | Yes                  | Yes          | Yes       | Yes       | Yes
Native VPN support                  | Yes                  | Yes          | Yes       | Yes       | No
Clientless/Smartunnels/Plugins      | Yes                  | No           | No        | No        | No
Clientless – Mobile Citrix Receiver | No                   | No           | Yes (v4+) | Yes (v2+) | No

1. RIM/BB and Microsoft do not allow the development of Anyconnect (or other VPN clients) on BBOS and Windows RT/Phone
• For more detailed information on device/OS support, please consult the ASA Supported VPN Platforms document: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp177602
• For more information on features supported on Anyconnect with Android and Apple iOS, please consult their respective release notes:
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-android.html
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html#wp1148532
Corporate vs BYOD
How can I apply different access policies to a corporate device and a personal BYOD? How can I prevent a personal BYOD from connecting to my network?
2 methods can be used to match device-specific identity information that will allow a differentiation of policies:
1. Use of certificates for authentication and authorization: Certificate attributes can be defined for use cases like Corporate & BYOD. These attributes can be matched to different authorization policies in the ASA and ISE
2. With posture: The posture service on the ASA for VPN and ISE can gather information on the device that can include the device type, OS type, processes/services running, Windows registry information, file information, certificate information.
   – If a corporate device is for example only a Windows PC domain member, the posture service could look for a specific piece of information like the registry entry defining the AD Domain, something that a mobile device would not have
   – If no mobile devices are to be allowed to connect, the posture service could use rules that would deny access to all mobile device types
Mobile Posture with Anyconnect
• ASA Release 8.2(5) introduced the ability to pass posture endpoint attributes from Anyconnect to ASA Dynamic Access Policies (DAP)
• Can be used to control VPN connections from mobile endpoints and assign them specific access policies
• Posture is also used with SCEP proxy in ASA 9.0 to embed unique device identity in certificate enrollment requests
• The Mobile Endpoint attributes include:
  ‒ Version of the Anyconnect client (e.g. “3.0.x”)
  ‒ Client Platform (“apple-ios”, “android”, etc)
  ‒ Client OS version (e.g. “5.0”)
  ‒ Type of device (varies per client platform but can be used to differentiate iPad from iPhone)
  ‒ Device UniqueID (varies per client platform; consists of the Device UDID for iOS, or an opaque hash of IMEI/MEID/ESN or MAC+AndroidID for Android mobiles)
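An added example, not from the deck and not ASA code, of how DAP evaluation over the mobile endpoint attributes listed above can be modelled for the Corporate-vs-BYOD and mobile-posture use cases: every record whose criteria match is collected, a single "terminate" record ends the session, and otherwise the matching records' network ACLs are applied. The record names, ACL names, the lower-priority-value-first aggregation order, the "win" control platform and the sample endpoints are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class MobileEndpoint:
    """The endpoint attributes the slide lists, as Anyconnect reports them to the ASA."""
    client_version: str      # Anyconnect version, e.g. "3.0.x"
    platform: str            # "apple-ios", "android", ... ("win" is this example's non-mobile control case)
    platform_version: str    # client OS version, e.g. "5.0"
    device_type: str         # e.g. "iPad", "iPhone", "Nexus 5"
    device_uid: str          # UDID / opaque hash; opaque to policy, carried along for logging only


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.0.09' -> (3, 0, 9); a non-numeric component such as the 'x' in '3.0.x' counts as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def at_least(have: str, want: str) -> bool:
    return version_tuple(have) >= version_tuple(want)


@dataclass
class DapRecord:
    name: str
    priority: int                               # lower value is aggregated first (model assumption)
    match: Callable[[MobileEndpoint], bool]     # the record's endpoint-attribute criteria
    action: str                                 # "continue" or "terminate"
    network_acl: Optional[str] = None           # ACL applied when the record matches and continues


@dataclass
class DapDecision:
    allowed: bool
    matched: List[str] = field(default_factory=list)
    network_acls: List[str] = field(default_factory=list)


MOBILE_PLATFORMS = {"apple-ios", "android"}

# Constructed DAP table (assumption): record names, thresholds and ACL names are placeholders.
DAP_RECORDS: List[DapRecord] = [
    DapRecord("DENY-OLD-ANDROID", 10,
              lambda e: e.platform == "android" and not at_least(e.platform_version, "4.1"), "terminate"),
    DapRecord("DENY-OLD-ANYCONNECT", 20,
              lambda e: e.platform in MOBILE_PLATFORMS and not at_least(e.client_version, "3.0"), "terminate"),
    DapRecord("IPAD-FULL", 30,
              lambda e: e.platform == "apple-ios" and e.device_type.lower().startswith("ipad"),
              "continue", "MOBILE-FULL-ACL"),
    DapRecord("MOBILE-RESTRICTED", 40,
              lambda e: e.platform in MOBILE_PLATFORMS, "continue", "MOBILE-RESTRICTED-ACL"),
]


def evaluate_dap(endpoint: MobileEndpoint, records: List[DapRecord] = DAP_RECORDS) -> DapDecision:
    """Aggregate every matching record: any 'terminate' ends the session; otherwise the
    network ACLs of all matching records are applied in priority order. When nothing
    matches, the default policy applies (modelled here as allow with no mobile ACL)."""
    matched = [r for r in sorted(records, key=lambda r: r.priority) if r.match(endpoint)]
    if not matched:
        return DapDecision(True, ["DfltAccessPolicy"], [])
    if any(r.action == "terminate" for r in matched):
        return DapDecision(False, [r.name for r in matched], [])
    return DapDecision(True, [r.name for r in matched], [r.network_acl for r in matched if r.network_acl])


# Constructed endpoints (assumption), one per case worth checking.
SAMPLE_ENDPOINTS: Dict[str, MobileEndpoint] = {
    "ipad":        MobileEndpoint("3.0.09", "apple-ios", "7.0.4", "iPad", "udid-placeholder"),
    "old_android": MobileEndpoint("3.0.09", "android", "4.0.3", "AT300", "hash-placeholder"),
    "old_client":  MobileEndpoint("2.5.0", "android", "4.4.2", "Nexus 5", "hash-placeholder"),
    "nexus5":      MobileEndpoint("3.0.09", "android", "4.4.2", "Nexus 5", "hash-placeholder"),
    "laptop":      MobileEndpoint("3.1.0", "win", "6.2", "", "n/a"),
}


def evaluate_all() -> Dict[str, DapDecision]:
    return {name: evaluate_dap(ep) for name, ep in SAMPLE_ENDPOINTS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(name, "ALLOW" if decision.allowed else "TERMINATE", decision.matched, decision.network_acls)
```

The endpoint attributes arrive from the client, so a DAP built on them restricts what a well-behaved Anyconnect reports; binding the device to a certificate (the SCEP proxy device-id on the previous slides) is what makes the identity part of the decision hard to forge.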
Mobile Posture Configuration
[Screenshots of the ASA DAP configuration; not reproduced in text]
• Choose Anyconnect as the Endpoint Attribute Type
• Select an Access Policy for the DAP defined
Mobile VPN Authorization with Certificates
• Certificate maps can be used with the ASA to allow matching of received certificate DN values and then map them to a Connection Profile
• Can be used with IPSec VPN and SSL VPN
• Can be used with the Local CA feature on the ASA or with certificates generated from a 3rd-party CA
• The following values from the certificate can be used for mapping:
  1. Alt-subject-name
  2. Subject-name
  3. Issuer-name
  4. Extended Key Usage (EKU) extensions
More on Certificates for VPN: BRKSEC-2053: Practical PKI for VPN
ASA Certificate Matching Configuration for VPN
[Screenshot of the ASA certificate map configuration; not reproduced in text]
Licensing on the ASA
• AnyConnect Essentials enables the use of Anyconnect for a full-tunnel VPN with SSL or IPSec IKEv2. One license is required per ASA
• Anyconnect Premium activates advanced features such as the Clientless Portal, Smartunnels, Plugins, Posture and Mobile Posture. One license per concurrent user is required
• Anyconnect Essentials and Premium are mutually exclusive on an ASA
• The Anyconnect Mobile license is required on top of Anyconnect Essentials or Anyconnect Premium licenses for mobile devices to establish a VPN tunnel with the ASA!! One license is required per ASA
• For ASA releases 8.2 and below, 2 licenses per failover pair are required. Starting from ASA release 8.3, only one license is required per failover pair
• Recommendation: Always include the Anyconnect Mobile License when purchasing a new ASA for VPN
Web Security
Web Security Gateway - Deployment Methods
• Web Security Gateways such as the Cisco Web Security Appliance (WSA) provide a number of security services at an organization’s perimeter such as URL Filtering, Web Reputation Filtering, Anti-Malware Filtering, Granular Application Control, Data Loss Prevention and others
• These gateways typically do not sit inline with the traffic and therefore Web user traffic must be redirected to these gateways
• 3 methods can be used for this redirection:
  ‒ Explicit Forward Mode: A proxy server entry is configured in the web browser, manually or automatically with Web Proxy Auto-Discovery (WPAD), to redirect its traffic to the Web Security Gateway
  ‒ Transparent Mode: The Web Cache Communication Protocol (WCCP) is used between the Web Security Gateway and a network or security device to redirect user traffic to the Web Security Gateway
  ‒ Load-Balancers: For larger deployments. A Load-Balancer redirects the user traffic to the Web Security Gateway farms
Web Security Gateway – User Authentication
• Organizations typically require users to authenticate to an enterprise directory such as Active Directory before accessing Internet resources, to allow for enforcement of Acceptable Use Policies per role and to provide auditing for reporting and compliance purposes
• 3 methods can be used to authenticate users:
  ‒ Basic Browser Authentication: The user is prompted to enter his credentials, which can be sent to Active Directory/LDAP for authentication. Credentials can be cached by the browser to prevent the user from being prompted in the future. The user’s AD/LDAP attributes are also fetched for authorization and mapping to Access Policies. Appropriate for BYOD, guests or consultants.
  ‒ NTLMSSP Browser Authentication: The user’s Windows login credentials are fetched transparently from the browser using an NTLM challenge-response authentication and sent to Active Directory for authentication. The user’s AD attributes are also fetched for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
  ‒ Passive Identification: The Web Gateway uses the user’s IP address and sends a request to the Active Directory/Novell Directory Server that maintains the mapping of usernames/IP addresses seen when users log in. The Web Gateway then fetches the user’s AD/LDAP attributes for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
Proxy and Authentication Methods Support

Feature                | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7 | BB10
Proxy Configuration    | Yes                  | Yes    | Yes       | Yes     | No1 | Yes
PAC-WPAD               | Yes                  | Yes    | Yes       | No      | No  | Yes
PAC-GPO                | Yes                  | No     | No        | No      | No  | No
PAC-MDM3               | Yes                  | No     | Yes       | No      | No  | No
Basic Authentication   | Yes                  | Yes    | Yes       | Yes     | Yes | Yes
NTLMSSP                | Yes                  | Yes2   | Yes2      | Yes2    | No  | Yes2
Passive Identification | Yes                  | No     | No        | No      | No  | No

1. No support on native browser on Wifi. Supported with the Opera mini-browser and 3rd-party applications (not tested)
2. No Single Sign-On
3. Using the Airwatch MDM. Other MDMs may have different capabilities
More on WSA: BRKSEC-3771: Advanced Web Security Deployment with WSA and ASA-CX
Recommendations and Conclusion
Deployment Recommendations
• Security policies relative to the use of personal devices in the corporate environment should be created before a BYOD deployment
• Business unit owners should be involved to define the requirements and use cases that will drive the architecture of the solution for mobile devices
• User education and awareness is key! A BYOD deployment should include training and guidelines for users on how to use their personal mobile device to lower the risk of having their device compromised and exploited
• A private Certification Authority should be considered for deployments requiring differentiation of access privileges between corporate and personal mobile devices
• Profiling and VPN posture can be used to differentiate mobile devices from laptops/desktops and are great tools for device identification and inventory
• A Virtual Desktop Infrastructure (VDI) architecture can help reduce the risk of data leakage and improve the user experience