Avatar

This year I was honored to be able to present and participate at Cisco Live Cancun, which took place last week. Many attendees from North, Central and South America and the Caribbean came to discover innovative ways that networking technologies can help them reach new markets and understand which solutions are right for their specific challenges.

Security was a hot topic this year!

Customers were able to connect with numerous experts for guidance and advice on security IT challenges that their company may be facing. Maintaining an appropriate security posture in “Bring Your Own Device” (BOYD) environments can be a challenge. This year I delivered a presentation about BYOD Security and Cisco’s TrustSec in an 8 ½ hour session titled “Bring Your Own Device – Architectures, Design and Operation” (TECRST-2020). Implementing BYOD requires a comprehensive solution that ensures the security and reliability of the network while enhancing user experience and productivity. The exponential growth of consumer devices and the need to maintain continuous connectivity to corporate and Internet resources has brought new challenges to corporate networks. Network managers struggle to provide adequate connectivity to employees while protecting corporate data. This session focused on the architecture and framework required to deploy the proper network infrastructure, security components and device management to support different endpoints, each with unique permissions into the network. A combination of lectures and live demos provided the information needed for customers to build an effective BYOD solution. The latest Cisco Validated Design guide (CVD) 2.5 for BYOD was covered highlighting different BYOD use cases, including TrustSec, converged access and the integration with Mobile Device Managers (MDM) to receive device posture information.

Cisco TrustSec uniquely provides a policy-based platform, the Cisco Identity Services Engine (ISE), which offers integrated posture, profiling and guest services to make security control decisions. This solution provides a growing mobile and complex workforce with appropriate and more secure access from any device and lowers security risks by providing comprehensive visibility about who and what is connecting to the wired or wireless network. In this presentation, I covered in detail the use of Security Group Tags (SGTs). SGTs allow customers to keep existing logical design at the access layer; change and apply policy to meet today’s business requirements; and distribute policy from a central management server (Cisco ISE). This solution provides a topology independent access control based on roles and allows for a scalable ingress tagging and egress filtering via Source Group Access Control Lists (SGACLs). Endpoint admission is enforced via 802.1X authentication, MAC Auth Bypass (MAB), or Web Auth and network device admission control is based on 802.1X to create a trusted networking environment.

As part of this BYOD marathon, Imran Bashir provided an overview of the BYOD architectures and ISE implementations; Jazib Frahim provided an overview of BYOD Security Architectures; Carlos Alcantara provided an overview of wireless architectures; and Fernando Macias and Nelson Figueroa covered the Cisco Validated Design (CVD), customer use cases, and advanced mobile device management integration topics.

I was also able to present and proctor the following labs:

  • LABSEC-2123: Designing and Deploying AnyConnect and Cisco ASA SSL VPNs – SSL VPN and Secure Mobility are rapidly evolving technologies that can be deployed in clientless mode and/or with the Cisco AnyConnect Secure Mobility Client. The Cisco AnyConnect Secure Mobility Client provides full network access to remote users, similar to Cisco IPSec VPN client. This session provided two hours of lecture and practice labs that covered topics in an easy to follow, goal-oriented step-by-step approach. In the lab, students learned different deployment scenarios, tips, and methodologies that will help them in real world scenarios on the Cisco Adaptive Security Appliance (Cisco ASA).
  • LABSEC-2234: Troubleshooting AnyConnect SSL VPNs – This session provided two hours of lecture and practice labs that focused on troubleshooting many real world scenarios on the Cisco ASA and Cisco AnyConnect Secure Mobility Client. This session was suited for customers who had deployed SSL VPNs and responsible for managing the day-to-day operations. Attendees were able troubleshoot configuration and network operations using recommended techniques and methodologies.
  • LABSEC-2345: Designing and Deploying Clientless SSL VPNs – In the clientless mode, SSL VPN provides you the capability to create a VPN tunnel by using a web browser; without the need of installing a client. This lecture and lab provided attendees with an opportunity to learn about various features such as portal customization, authentication, and policy enforcement using Dynamic Access Policies (DAP).

After my sessions each day, I participated in three “Meet the Expert” events discussing several security topics in private sessions with customers from different verticals (including financial services, mobile service providers, and industrial customers). The topics included datacenter security, emerging security threats, as well deep-technical discussions about next-generation firewalls.

One of the hottest topics discussed during the conference was the introduction of Cisco’s Application Centric Infrastructure (ACI). As Chris Young explained in his recent post , ACI plays a huge role in security. It provides proper isolation and SLAs for different tenants, while providing a consistent security policy across physical and virtual applications. Administrators can define security and networking policies using a common policy language abstraction. ACI leverages Cisco’s Open Network Environment (ONE), with open APIs, open source, and open standards.

Security is clearly top-of-mind for Cisco customers. Cisco Live global conferences provide deep-technical training designed to help customers master the practical steps necessary for defending their networks against the ever evolving security threat landscape. I was very fortunate to be able to share best practices and talk to customers from many different backgrounds and industries.



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations