I just returned from Cancun after delivering a BYOD seminar, as part of Cisco Live Mexico 2012. Bring your own device (BYOD) was a hot topic at Cisco Live in Cancun. There were several in-depth presentations regarding the architecture, design, implementation, and troubleshooting of all the technologies related to BYOD. I had the pleasure and opportunity to deliver a presentation related to remote access VPN implementations related to BYOD, as part of an 8-hour seminar:

  • TECRST-2020 – Bring Your Own Device – Architectures, Design and Operation.

Other BYOD-related sessions delivered this week were:

  • BRKEWN-2020 – Securely Managing the BYOD Phenomena
  • BRKCOC-1567 – Inside Cisco IT: BYOD… Coping with the Explosion of Mobile Devices in the Enterprise

Imran Bashir provided a detailed introduction about BYOD and the key considerations when implementing BYOD solutions and technologies in your environment. He then went into the details about the Cisco BYOD solution and the integration with the Mobile Device Management (MDM) solutions from other vendors and partners. This was followed by product demonstrations for device on-boarding, profiling, posture/compliance check and the integration with MDM third-party solutions.

Cisco Identity Services Engine (ISE) is one of the key products and technologies that are part of Cisco’s BYOD solution. ISE enables organizations to offer mobile business freedom while providing the capability of enforcing policy for when, where and how users may access the network. Device sensor capabilities offer the most accurate identification of new device types in the network, including a wide range of device types, offering the industry’s most scalable and comprehensive view across the network. ISE also provides real-time endpoint scans based on policy to gain more relevant insight. These automated features result in a better user experience and more secure devices.

Jazib Frahim continued on the foundation laid by Imran to delve into the security considerations of a BYOD solution. He discussed the concerns that many customers have around deploying BYOD. Jazib addressed frequently asked questions such as “will I still be compliant with PCI if I allow employee-owned devices on the network?” or “how will I know what employees are doing once their devices are on my corporate network?”. Jazib discussed the building blocks of Cisco’s Identity solutions (such as 802.1X, TrustSec, ISE, profiling, MAB and Guest Services). He then wrapped up his presentation by discussing the BYOD security design considerations and comparing the pros and cons of many different options, such as centralized vs. distributed deployments.

The following figure illustrates a high-level architecture of the Cisco ISE.

Cisco ISE High-Level Architecture

Cisco ISE provides a very robust administrative interface that allows an administrator to perform basic and advanced tasks with ease (e.g., view logs to monitor tasks, users, and other transactions; view and modify the configuration of policies using the policy service node (PSN)). The PSN provides user services including:

  • Authentication Services (RADIUS)
  • Profiling Services
  • Guest Portal Services
  • Posture Services

Cisco is the only vendor to offer a single source of policy across the entire organization for wired, wireless and VPN networks, dramatically increasing organization-wide security and simplifying management.

Carlos Alcantara provided an overview of the BYOD trend and how it impacts wireless designs. He covered the building blocks and gave an overview of a controller-based architecture. Finally, he talked about some of the key features of the Cisco Unified Wireless Network (CUWN) that are typically used in BYOD deployments that rely on the wireless network as one of the access mechanisms. Nelson Figueroa and Fernando Macias provided a detailed description of the Cisco Validated Designs (CVD) for BYOD.

Note: CVDs consist of systems and solutions that are designed, tested, and documented to facilitate and improve customer deployments. These designs incorporate a wide range of technologies and products into a portfolio of solutions that have been developed to address the business needs of our customers.

As part of the techtorial (TECRST-2020) I delivered, I included a presentation detailing how remote access is a critical aspect of BYOD. In this presentation, I covered the Cisco AnyConnect Secure Mobility client and the Cisco 5500 Series Adaptive Security Appliance (ASA). AnyConnect provides end-users with seamless and always-on connectivity across managed and unmanaged mobile devices. According to the Cisco Visual Networking Index (VNI), by 2016 Wi-Fi will account for nearly half of all IP traffic. The Cisco AnyConnect Secure Mobility client allows organizations to provide secure and consistent access to corporate resources regardless of the method of access. The following figure shows how end-users using wired, cellular, or Wi-Fi connectivity can use AnyConnect to access corporate resources by creating an SSL VPN or IKEv2 tunnel to a Cisco ASA.

Cisco AnyConnect and Cisco ASA

My presentation also detailed how the Cisco AnyConnect Posture Module and the Host Scan feature allow administrators to identify the operating system and the security software (such as antivirus, personal firewalls, and others) installed on the end-user’s machine. The Cisco ASA integrates the Host Scan feature with dynamic access policies (DAP). With DAP you can control who can access corporate resources (what), from what location (where), and how these resources are being accessed, as illustrated in the following figure:

Who, What, Where, and How?
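To make the who/what/where/how idea concrete, here is an added example (not from the original post or from Cisco's own code) that models how several dynamic access policy records can match one session and are aggregated into a single decision. The attribute names, record names, ACL labels and the "most restrictive action wins" precedence (terminate over quarantine over continue, modelled on ASA DAP aggregation) are assumptions for illustration, not ASA configuration syntax.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

# Precedence when several records match: the most restrictive action wins.
# Assumption modelled on ASA DAP aggregation: terminate > quarantine > continue.
SEVERITY = {"continue": 0, "quarantine": 1, "terminate": 2}

@dataclass
class Session:
    user_groups: Set[str]   # who:   AAA group membership
    os: str                 # what:  operating system reported by Host Scan
    antivirus: bool         # what:  endpoint security software detected
    source_network: str     # where: "corporate", "home" or "public" (constructed labels)
    method: str             # how:   "ssl-vpn" or "ikev2"

@dataclass
class DapRecord:
    name: str
    match: Callable[[Session], bool]   # predicate over endpoint/AAA attributes
    action: str                        # continue | quarantine | terminate
    acls: List[str] = field(default_factory=list)

def evaluate(session: Session, records: List[DapRecord],
             default_action: str = "continue") -> Tuple[str, List[str]]:
    """Return the aggregated action and the union of ACLs from all matching records."""
    matched = [r for r in records if r.match(session)]
    if not matched:
        return default_action, []
    action = max((r.action for r in matched), key=SEVERITY.__getitem__)
    acls = sorted({a for r in matched for a in r.acls})
    return action, acls

# Constructed sample policy: record names and ACL labels are hypothetical.
RECORDS = [
    DapRecord("no-antivirus", lambda s: not s.antivirus, "quarantine", ["remediation-only"]),
    DapRecord("unmanaged-mobile", lambda s: s.os in {"ios", "android"}, "continue", ["web-apps-only"]),
    DapRecord("contractor-public",
              lambda s: "contractors" in s.user_groups and s.source_network == "public", "terminate"),
    DapRecord("employee-managed",
              lambda s: "employees" in s.user_groups and s.os == "windows" and s.antivirus,
              "continue", ["full-access"]),
]

if __name__ == "__main__":
    laptop = Session({"employees"}, "windows", True, "home", "ssl-vpn")
    tablet = Session({"employees"}, "ios", False, "public", "ssl-vpn")
    print(evaluate(laptop, RECORDS))   # ('continue', ['full-access'])
    print(evaluate(tablet, RECORDS))   # ('quarantine', ['remediation-only', 'web-apps-only'])
```

The tablet case shows the aggregation point: the mobile-OS record alone would allow access, but the missing antivirus record raises the outcome to quarantine while both records' ACLs still apply.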

At the end of my presentation, I provided several examples and tips that can be used for troubleshooting remote access BYOD scenarios in both the Cisco ASA and the Cisco AnyConnect Secure Mobility client.

The presentation titled “Inside Cisco IT: BYOD… Coping with the Explosion of Mobile Devices in the Enterprise” (delivered by folks from Cisco IT) provided real-life examples on how Cisco is deploying and adopting BYOD technologies within our infrastructure. On a related note, on a recent blog post, Sheila Jordan, Senior Vice President of Communication and Collaboration IT at Cisco, explains how Cisco is addressing mobility and BYOD. Sheila states:

Today, Cisco’s network accommodates nearly 60,000 employee-owned smartphones, almost 13,000 of which are tablets—and about 1,000 new mobile devices join the corporate network each month. Mobile apps are added all the time. It is easy to see why most CIOs view the BYOD trend as a cost driver; but here at Cisco, even with a 98 percent increase in devices and 51 percent increase in users, we’re actually experiencing the lowest service cost we’ve ever seen—and our employees get the flexibility and choice they crave, which equals a better work experience.

Well, by now you get the point about how “hot” BYOD is nowadays and how technology is transforming the way we work, play and attempt to secure our networks. All the presentations I mentioned in this post were recorded and will be uploaded to Cisco Live 365 within the next 30 days or so.