移动终端整合解决方案.ppt-道客多多

资源描述

1、Cisco Confidential 2010 Cisco and/or its affiliates. All rights reserved. 1移动终端整合解决方案李嵩SBN Security TeamCisco Confidential 2010 Cisco and/or its affiliates. All rights reserved. 2 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3SOURCES: A, Public Filings, Morgan Stanley

2、 Research, Gartner, IDCPC/Web 时代后 -PC 时代移动优先时代 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4“如何掌控多种移动 OS?”“如何分发 APP应用，如何推进 BYOD?”“如何分发文档资料并保证安全 ?”“如何保证信息安全合规 ?”“我需要不停的去满足用户的新需求 , 同时还有确保安全合规 ” 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5无

3、线网络CiscoPrime Infrastructure有线网络CatalystSwitchesIdentity Services Engine (ISE)Cisco WLCMDM Mobile Device ManagerVPN接入 MDM ManagerMobility Services Engine(MSE)CiscoAnyConnect 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6Enterprise App Mgmt (Distribution, Config)Inv

4、entoryManagement Device Management (Backup, Remote Wipe, etc.)Policy Compliance (Jailbreak detection, PIN lock, etc.)Secure Data ContainersAcceptable Use Policy (AUP)Classification/ProfilingRegistrationSecure Network Access (Wireless, Wired, VPN)Context-Aware Access Control (Role, Location, etc.)Cer

5、t + Supplicant Provisioning User Device OwnershipMobile + PC设备管理网络层管控管控融合MDM 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 ISE通过和下面六家 MDM厂商合作，开放 API接口进行互联 Cisco 通过测试的厂商如下， ISE 1.3 我们会有更多的 MDM厂商加入 : AirWatch Version 6.2 MobileIron Version 5.5 SAP Afaria 7.0 SP3

6、 Citrix (Zenprise) Version 7.1 Good Technology Version 2.3 Fiberlink MaaS360 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 设备注册周期性的合规性检测非合规性修复通过 ISE 进行设备远程操作客户终端设备自管理功能 2010 Ci

7、sco and/or its affiliates. All rights reserved. Cisco Confidential 10User: Group: Certificates: Device Registered: Manufacturer: Model: OS Version: Apps:Encryption: Password: Compromised:Profiles:Ownership: Location: Cisco ISE MobileIron设备注册设备注册启用 VLAN 移除企业 Email启用 ACL 初始提示安装企业应用启用 group ACL 移

8、除被管控的企业应用启用 ToS (为 QoS使用 ) 移除企业应用访问权限URL 重定向移除企业数据Tag 数据包选择性擦除企业数据整机擦除数据应用企业网络及安全配置移除企业网络及安全配置设备状态 + 管控动作MobileIron深度设备状态识别Cisco ISE网络层管理动作 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11User: Group: Certificates: Device Registered: Manufacturer: Mo

9、del: OS Version: Apps:Encryption: Password: Compromised:Profiles:Ownership: Location: 模拟场景 : 未注册 iPad进入企业网络环境 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12注册成功 :设备网络策略部署完毕，给予企业内网访问权限终端状态 Posture实时检查设备是否合规User: UnknownGroup: UnknownCertificates: NoneDevice Registered: N

10、oManufacturer: UnknownModel: UnknownOS Version: UnknownApps: UnknownEncryption: UnknownPassword: UnknownCompromised: UnknownProfiles: UnknownOwnership: UnknownLocation: HQCisco ISE:授权访问 WiFi限制访问权限于客户 vLan重定向浏览器访问设备注册地址移交至 MobileIron设备注册MobileIron:设备注册 MDM配置设备安全策略 :- 锁屏密码- 数据加密策略- 禁用摄像头- 禁用 iCloud配置

11、企业 Email 加密附件策略分发企业应用 (初始化提醒安装 )- 配置 Cisco AnyConnect 配置企业侧 SharePoint的安全访问安装快捷图标访问 IT及财务门户模拟场景 : 未注册 iPad进入企业网络环境 ISE 及 MDM管控动作 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13移除违规 App后 :恢复所有网络权限SharePoint访问 , 企业电子邮件及企业应用 Apps自动重新部署User: Chris WilliamsGroup: FinanceCert

12、ificates: PresentDevice Registered: YesManufacturer: AppleModel: iPadOS Version: 6.1Apps: Violation - DropboxEncryption: EnabledPassword: EnabledCompromised: NoProfiles: PresentOwnership: CorporateLocation: HQCisco ISE:禁止访问企业文件服务器重定向浏览器访问 AUP用户规范内网页面设备处于隔离 vLan环境仅提供自我矫正所需的网络权限模拟场景 : 用户安装违规应用 Apps自动

13、矫正违规行为 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14基于域控 AD的策略变化 :所有的策略变化都基于企业 AD的变化User: Michelle JonesGroup: DirectorateCertificates: PresentDevice Registered: YesManufacturer: AppleModel: iPadOS Version: 6.1Apps: NoneEncryption: EnabledPassword: EnabledCompromised:

14、NoProfiles: PresentOwnership: CorporateLocation: HQCisco ISE:标记数据包启用加密传输标记 VOIP 优先传输授权访问内部加密文件模拟场景 : 用户提升为管理层与企业AD无缝集成自动授权Cisco Confidential 2010 Cisco and/or its affiliates. All rights reserved. 15 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16Access-AcceptRegistered D

15、evice NoMyDevicesISE BYOD RegistrationYesMDMRegistered NoISE Portal Link to MDM OnboardingYes 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 2010 Cisco and/or its affiliates. All rights reserve

16、d. Cisco Confidential 19这个需要注意证书中的FQDN 是域名还是 IP地址 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 导入 MDM证书到 ISE中 ISE和 MDM时间不能超过 5分钟。最后都设置 NTP服务器。 ISE 添加 MDM服务器时，可以用 IP也可以用 Domain name，但如果证书FQDN是 Domain Name 就必须使用统一的信息。分配 API权限给互联账户。 2010 Cis

17、co and/or its affiliates. All rights reserved. Cisco Confidential 21 ISE 能设置下面的 15种属性值，MDM合规属性可以提供更多的组合合规性检测类 : 此功能通 MDM服务器反馈验证结果移动设备合规检测 PIN密码检测越狱信息硬件厂商信息，包括厂商名字，型号类型，序列号，操作系统版本。每 4小时会重新检测一次，如果不合规会发送 CoA 中断认证会话合规性设置需要在 MDM合规性设置需要在 ISE配置 2010 Cisco and

18、/or its affiliates. All rights reserved. Cisco Confidential 22 移动终端登录需要进行安全合规检测Jail BrokenEncryptionISE Registered PIN LockedMDM Registered Jail Broken安全合规检测条件授权策略 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23Own Common Task 2010 Cisco and/or its affiliates

19、. All rights reserved. Cisco Confidential 24 为管理员和用户界面集成了 MDM功能，用户可以通过自管理页面发送请求给 MDM 服务器，进行远程操作 (例如 : 远程设备擦除 ) MyDevices Portal Endpoints Directory in ISE 编辑复原设备丢失处理删除全部擦除公司内容擦除 PIN锁定选项 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2525

20、2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 iOS 平台接入过程体验（以 iOS 7.x 为例） Andriod平台接入过程体验（以 Andriod 4.3 为例）部署配置文档下载 link： http:/hkg-filer03b-web/wg-s/security_solutions/Published/Chinese%20documents/Security%20Knowledge%20Share/ 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29

展开阅读全文