Mobile Device Integration Solution
Li Song, SBN Security Team
Cisco Confidential. 2010 Cisco and/or its affiliates. All rights reserved.

Slide 3: Market context
Sources: A, Public Filings, Morgan Stanley Research, Gartner, IDC
PC/Web era -> post-PC era -> mobile-first era

Slide 4: Questions from customers
"How do we control multiple mobile operating systems?"
"How do we distribute apps, and how do we roll out BYOD?"
"How do we distribute documents and keep them secure?"
"How do we ensure information-security compliance?"
"I constantly have to meet users' new demands while also ensuring security and compliance."

Slide 5: Solution components
Access types: wireless network, wired network, VPN access
Components: Cisco Prime Infrastructure, Catalyst Switches, Identity Services Engine (ISE), Cisco WLC, MDM (Mobile Device Manager) / MDM Manager, Mobility Services Engine (MSE), Cisco AnyConnect

Slide 6: Converged control: device management (MDM, mobile + PC) plus network-layer control (ISE)
MDM functions:
- Enterprise App Mgmt (Distribution, Config)
- Inventory Management
- Device Management (Backup, Remote Wipe, etc.)
- Policy Compliance (Jailbreak detection, PIN lock, etc.)
- Secure Data Containers
Network-layer control:
- Acceptable Use Policy (AUP)
- Classification/Profiling
- Registration
- Secure Network Access (Wireless, Wired, VPN)
- Context-Aware Access Control (Role, Location, etc.)
- Cert + Supplicant Provisioning
- User Device Ownership

Slide 7: MDM partners
ISE integrates with the six MDM vendors below through open API interfaces. The vendors Cisco has tested are listed here; more MDM vendors will be added with ISE 1.3:
- AirWatch Version 6.2
- MobileIron Version 5.5
- SAP Afaria 7.0 SP3
- Citrix (Zenprise) Version 7.1
- Good Technology Version 2.3
- Fiberlink MaaS360

Slide 9: Integration capabilities
- Device registration
- Periodic compliance checks
- Remediation of non-compliance
- Remote device actions through ISE
- End-user self-service device management

Slide 10: Device state + control actions (Cisco ISE and MobileIron)
Device attributes: User, Group, Certificates, Device Registered, Manufacturer, Model, OS Version, Apps, Encryption, Password, Compromised, Profiles, Ownership, Location
MobileIron provides deep device-state identification; Cisco ISE provides network-layer management actions.

Cisco ISE (network-layer actions)   | MobileIron (device actions)
Device registration                 | Device registration
Enable VLAN                         | Remove enterprise email
Enable ACL                          | Initial prompt to install enterprise apps
Enable group ACL                    | Remove managed enterprise apps
Set ToS (used for QoS)              | Remove enterprise app access
URL redirect                        | Remove enterprise data
Tag packets                         | Selective wipe of enterprise data
                                    | Full device wipe
                                    | Apply enterprise network and security configuration
                                    | Remove enterprise network and security configuration

Slides 11-12: Scenario 1: an unregistered iPad enters the enterprise network (ISE and MDM control actions)
Device attributes: User: Unknown; Group: Unknown; Certificates: None; Device Registered: No; Manufacturer: Unknown; Model: Unknown; OS Version: Unknown; Apps: Unknown; Encryption: Unknown; Password: Unknown; Compromised: Unknown; Profiles: Unknown; Ownership: Unknown; Location: HQ
Cisco ISE:
- Authorize Wi-Fi access but restrict it to the guest VLAN
- Redirect the browser to the device registration address
- Hand off to MobileIron device registration
MobileIron:
- Register the device with the MDM
- Configure the device security policy: screen-lock passcode, data encryption policy, disable camera, disable iCloud
- Configure enterprise email with an encrypted-attachment policy
- Distribute enterprise apps (prompt to install at initialization): configure Cisco AnyConnect, configure secure access to the enterprise SharePoint, install shortcut icons for the IT and finance portals
Registration complete: the device's network policy has been deployed and intranet access is granted. Endpoint posture checks in real time whether the device is compliant.

Slide 13: Scenario 2: the user installs a non-compliant app; the violation is remediated automatically
Device attributes: User: Chris Williams; Group: Finance; Certificates: Present; Device Registered: Yes; Manufacturer: Apple; Model: iPad; OS Version: 6.1; Apps: Violation - Dropbox; Encryption: Enabled; Password: Enabled; Compromised: No; Profiles: Present; Ownership: Corporate; Location: HQ
Cisco ISE:
- Deny access to the enterprise file servers
- Redirect the browser to the intranet AUP (acceptable use policy) page
- Place the device in a quarantine VLAN that provides only the network access needed for self-remediation
MobileIron:
- Notify the user by SMS or email: "You have violated the enterprise app policy"
- Remove SharePoint enterprise data
- Remove enterprise email access
- Remove enterprise apps
After the violating app is removed: all network access is restored; SharePoint access, enterprise email and enterprise apps are redeployed automatically.

Slide 14: Scenario 3: the user is promoted to management; seamless AD integration grants authorization automatically
Policy changes driven by the AD domain controller: every policy change follows a change in the enterprise AD.
Device attributes: User: Michelle Jones; Group: Directorate; Certificates: Present; Device Registered: Yes; Manufacturer: Apple; Model: iPad; OS Version: 6.1; Apps: None; Encryption: Enabled; Password: Enabled; Compromised: No; Profiles: Present; Ownership: Corporate; Location: HQ
Cisco ISE:
- Tag packets and enable encrypted transport
- Mark VoIP for priority transmission
- Authorize access to internal encrypted files
MobileIron:
- Allow camera use
- Enforce a strong-password policy
- Prompt installation of new enterprise apps: "Directors Desk HD", MobileEcho

Slide 16: Onboarding decision flow
Registered Device?
  No  -> MyDevices: ISE BYOD Registration
  Yes -> MDM Registered?
           No  -> ISE Portal Link to MDM Onboarding
           Yes -> Access-Accept

Slide 19: Note whether the FQDN in the MDM certificate is a domain name or an IP address.

Slide 20: Integration prerequisites
- Import the MDM certificate into ISE.
- The ISE and MDM clocks must not differ by more than 5 minutes; configure an NTP server on both.
- When adding the MDM server in ISE, either an IP address or a domain name can be used, but if the certificate FQDN is a domain name, the same name must be used consistently.
- Assign API permissions to the integration account.

Slide 21: Compliance attributes
ISE can evaluate the 15 attribute values below; MDM compliance attributes allow further combinations.
Compliance check category (the verification result is returned by the MDM server): mobile device compliance check, PIN check, jailbreak information, hardware vendor information including vendor name, model type, serial number and operating system version.
A recheck runs every 4 hours; if the device is non-compliant, a CoA is sent to terminate the authenticated session.
Compliance settings must be configured on the MDM. Compliance settings must also be configured in ISE.

Slide 22: Mobile endpoints must pass a security compliance check at login
Compliance check conditions: Jail Broken, Encryption, ISE Registered, PIN Locked, MDM Registered
Authorization policy
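The onboarding flow on slide 16 and the compliance conditions on slides 21 and 22 can be modelled as one small decision function: ISE first asks whether the device is registered with ISE and with the MDM, then gates full access on the MDM-reported compliance attributes, and repeats the check on the 4-hour interval the deck states, sending a CoA when the device has fallen out of compliance. The code below is an added example, not Cisco's or any MDM vendor's code; the Endpoint record, the Action names, the rule that an unknown attribute counts as failing, and the three sample endpoints (built from the deck's scenarios, with "Password: Enabled" mapped to PIN Locked and "Compromised: No" to not jailbroken) are constructed here.

```python
"""Toy model of the ISE + MDM authorization flow shown on the slides (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

RECHECK_INTERVAL = timedelta(hours=4)  # the deck states a recheck every 4 hours


class Action(Enum):
    REDIRECT_BYOD_REGISTRATION = "redirect to MyDevices (ISE BYOD registration)"
    REDIRECT_MDM_ONBOARDING = "redirect to ISE portal link for MDM onboarding"
    QUARANTINE = "quarantine VLAN, AUP redirect, self-remediation access only"
    PERMIT = "Access-Accept with full corporate access"


@dataclass
class Endpoint:
    """Constructed record; field names mirror the slide-22 conditions."""
    ise_registered: bool
    mdm_registered: bool
    jail_broken: Optional[bool] = None
    pin_locked: Optional[bool] = None
    encryption: Optional[bool] = None
    mdm_compliant: Optional[bool] = None  # the MDM's own compliance verdict (slide 21)


def is_compliant(ep: Endpoint) -> bool:
    """Compliance gate of slide 22. An attribute the MDM could not report
    (None) is treated as failing: a device nobody can vouch for is not compliant."""
    return (ep.mdm_registered
            and ep.jail_broken is False
            and ep.pin_locked is True
            and ep.encryption is True
            and ep.mdm_compliant is True)


def authorize(ep: Endpoint) -> Action:
    """Decision flow of slide 16 followed by the compliance gate of slide 22."""
    if not ep.ise_registered:
        return Action.REDIRECT_BYOD_REGISTRATION
    if not ep.mdm_registered:
        return Action.REDIRECT_MDM_ONBOARDING
    if not is_compliant(ep):
        return Action.QUARANTINE
    return Action.PERMIT


def recheck(last_checked: datetime, now: datetime, ep: Endpoint) -> Optional[bool]:
    """Periodic recheck of slide 21. Returns None when the 4-hour interval has not
    elapsed, otherwise True when ISE should send a CoA to terminate the session
    (device now non-compliant) and False when the session may continue."""
    if now - last_checked < RECHECK_INTERVAL:
        return None
    return not is_compliant(ep)


# Sample endpoints constructed from the deck's three scenarios.
SCENARIOS = {
    "unregistered iPad": Endpoint(ise_registered=False, mdm_registered=False),
    "Chris Williams (Dropbox violation)": Endpoint(
        ise_registered=True, mdm_registered=True, jail_broken=False,
        pin_locked=True, encryption=True, mdm_compliant=False),
    "Michelle Jones": Endpoint(
        ise_registered=True, mdm_registered=True, jail_broken=False,
        pin_locked=True, encryption=True, mdm_compliant=True),
}


def demo() -> dict:
    """Return the authorization decision for each constructed scenario."""
    return {name: authorize(ep) for name, ep in SCENARIOS.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action.value}")
    t0 = datetime(2014, 1, 1, 8, 0)
    ep = SCENARIOS["Chris Williams (Dropbox violation)"]
    print("CoA after 4h:", recheck(t0, t0 + RECHECK_INTERVAL, ep))
```

The order of the checks matters for the user experience the scenarios describe: an unregistered device is sent to registration rather than quarantined, and only a device that has completed both registrations is judged on its compliance attributes. Once the violating app in scenario 2 is removed and the MDM reports the device compliant again, the same functions return PERMIT and no CoA is raised.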
Slide 23: Own Common Task

Slide 24: Self-service and administrator actions
MDM functions are integrated into both the administrator and user interfaces. Users can send requests to the MDM server from the self-service page to perform remote actions (for example, a remote device wipe).
MyDevices Portal / Endpoints Directory in ISE: Edit, Reinstate device, Mark as lost, Delete, Full wipe, Corporate wipe, PIN lock option

Slide 26: Onboarding walkthroughs
- iOS onboarding experience (using iOS 7.x as the example)
- Android onboarding experience (using Android 4.3 as the example)
Deployment and configuration document download link: http:/hkg-filer03b-web/wg-s/security_solutions/Published/Chinese%20documents/Security%20Knowledge%20Share/