Summary
Mobile devices are transforming our culture and posing significant security challenges for IT managers. People bring their personal devices to the workplace and connect them to corporate networks. Every smartphone and tablet brings inherent security risks to an organization's resources and data. The organization cannot control what software users put on personal mobile devices. Mobile devices, and the data on them, may become lost or stolen. They can bring malware into a corporate IT network. These risks expose the corporation to potential security incidents and any resulting lawsuits.
Therefore, IT managers need visibility and control to track what those devices are, who is using them, and where and when they connect to the network. Organizations then need to establish and enforce security policies for mobile devices that protect sensitive and confidential assets from inadvertent or overt compromise.
Cisco Systems offers a BYOD solution, built upon the end-to-end reference
architecture, device configurations, and best practices of CVD. CVD is designed for
Cisco partners seeking fully integrated, out-of-the-box solutions that can be replicated
for multiple customer deployments. CVD is rapid to deploy, easy to manage, and
scalable for future growth.
Combining proven best practices and fully tested reference architectures, the CVD BYOD solution is a foundational set of security solutions and configurations designed to monitor and manage onsite and remote mobile device access into a customer's wireless network. Cisco BYOD is a proven solution for Cisco partners that want to offer their customers greater visibility and control over mobile devices on their networks. The experts at Cisco have done the planning, integration, testing, and implementation of the security components and services that protect a wireless access infrastructure from the security risks of mobile devices.
This white paper offers Cisco partners an overview of the business challenges the
solution addresses, the Cisco solution components, a spectrum of deployment options,
and the benefits of CVD BYOD for end customers.
CVD
2013 Cisco and/or its affiliates. All rights reserved. Cisco, the Cisco logo, and Cisco Systems are registered trademarks or trademarks of Cisco and/or its affiliates in
the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
White Paper
Business Challenges
CVD BYOD offers a smart, cost-effective approach that addresses these critical customer needs:

Proliferation of mobile devices inside and outside the organization. The line between personal and work devices has blurred or vanished altogether. Customer organizations may not own the devices that are accessing their networks, so customer security managers cannot control the software and data on mobile devices. These devices may introduce malware, and their loss or theft exposes confidential and proprietary applications or data to unacceptable risk.

Anytime, anywhere wireless access to services and applications. Mobile workers expect to be able to use their smartphone or tablet to access the Internet and corporate services such as email, calendars, and CRM applications, automatically roaming through any public or private wireless network without cumbersome or repetitive login procedures.

Consistent security policy enforcement for mobile devices. Security managers may choose to impose a different set of security policies depending upon the type of device accessing the network. Mobile devices are easily lost or stolen, and security managers need the ability to deny access to confidential or proprietary information. Further, security systems must adapt to new device types and operating systems as they come to market.

Regulatory compliance that requires detailed logs of network usage, including mobile devices.
[Figure: CVD BYOD solution components: Internet, Cisco Wireless Controllers, Cisco ASA, Active Directory, Cisco Identity Services Engine (ISE), Cisco Aironet Access Points, Intelligent Access, Server Room or Data Center, Cisco AnyConnect]
[Figure: CVD BYOD guest access: Internet, Guest Wireless LAN Controller, Cisco ASA, Active Directory, Internal Network, Cisco Identity Services Engine (ISE), Wireless LAN Controller, Guest; flows shown: Guest Traffic, Authenticated Guest Traffic, Tunneled Traffic, Web Auth Redirect, LDAP Request]
Cisco ISE includes a complete provisioning and reporting system that provides temporary network access for guests. To enable
guest access, a sponsor within the organization logs into the Cisco ISE sponsor portal and sets up a guest-level account for known
individuals. Cisco ISE acts as a RADIUS server for authentication and accounting. Cisco ISE queries Active Directory to authenticate
the sponsor and then allows creation of a guest account and registers it with the Cisco WLC designated for guest access. The
sponsor can specify start and end dates and times in order to coincide with a contract period or a specific visit.
For example, a sponsor has a visitor coming the following day for a meeting. She sets up a guest account, and the system sends an SMS text message to the visitor's smartphone or tablet with login details. The guest can log in as soon as he arrives for the meeting and check his email and calendar. After the meeting is over, Cisco ISE notifies the network that the account has expired, and the guest can no longer log into the guest network.
This solution lets customers offer limited Internet access privileges to guests and track when and where specific guests log in and log off, providing visibility into guest activities that helps the organization protect itself.
Identification and Authentication
This reference design grants all mobile devices unrestricted access to both the Internet and internal services and applications. This architecture supports phased deployment of wireless identity services without affecting existing connectivity. Cisco ISE can profile device types and track their usage. It tracks device activity such as when the device logged in, from which port, and when it logged off. This setup is valuable for organizations that wish to monitor mobile device activity for regulatory compliance or to gather real-time, contextual information about mobile device usage for developing advanced wireless security policies (Figure 3).
Figure 3: CVD BYOD Identification and Authentication
[Figure: Certificate Authority, Wireless LAN Controller, Internet Edge, Active Directory, Core, Cisco ISE, Data Center, Distribution, Remote Site, Access; protocols shown: RADIUS, DHCP, LDAP]
As with guest access, Cisco ISE acts as a RADIUS server for wireless 802.1X authentication and accounting. Cisco ISE configures
Cisco WLCs to accept login requests from mobile devices at both headquarters and remote sites. (A dedicated Cisco WLC manages
guest access as described in the previous section.) Using monitor mode, Cisco ISE logs the MAC address of any mobile device
requesting access and grants unrestricted access without higher-layer authentication and authorization.
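In monitor mode the accounting records are the only control the organization actually has, so the practical question is what a reviewer can reconstruct from them. The following script is an added example, not Cisco's code and not an ISE export format: it rebuilds per-device sessions (MAC address, user, NAS port, login and logoff times) from RADIUS accounting Start, Interim-Update and Stop records, and flags sessions that never closed and devices that were admitted on their MAC address alone. The record layout and the sample records are constructed for illustration.

```python
"""Session inventory from RADIUS accounting records (added example, not Cisco's code).

Rebuilds the sessions ISE monitor mode would log: when a device connected, through
which NAS port, and when it disconnected. The record layout and the sample data are
constructed for illustration, not captured from ISE.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample: one accounting record per line, timestamp then attribute=value pairs.
SAMPLE_ACCOUNTING_LOG = """\
2013-04-02T08:01:10Z Acct-Status-Type=Start Acct-Session-Id=a1 Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.1.1.5 NAS-Port-Id=wlc-hq/ap07 User-Name=jsmith
2013-04-02T08:05:00Z Acct-Status-Type=Start Acct-Session-Id=b2 Calling-Station-Id=66-77-88-99-AA-BB NAS-IP-Address=10.2.1.5 NAS-Port-Id=wlc-remote1/ap02 User-Name=66-77-88-99-AA-BB
2013-04-02T09:01:10Z Acct-Status-Type=Interim-Update Acct-Session-Id=a1 Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.1.1.5 NAS-Port-Id=wlc-hq/ap07 User-Name=jsmith
2013-04-02T11:30:45Z Acct-Status-Type=Stop Acct-Session-Id=a1 Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.1.1.5 NAS-Port-Id=wlc-hq/ap07 User-Name=jsmith Acct-Terminate-Cause=User-Request
"""


@dataclass
class Session:
    session_id: str
    mac: str
    user: str
    nas_ip: str
    nas_port: str
    start: datetime
    last_seen: datetime
    stop: Optional[datetime] = None
    terminate_cause: Optional[str] = None

    @property
    def is_open(self) -> bool:
        return self.stop is None


_ATTR = re.compile(r"(\S+?)=(\S+)")


def _parse_time(iso: str) -> datetime:
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _norm_mac(value: str) -> str:
    """Keep only hex digits so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    return re.sub(r"[^0-9A-F]", "", value.upper())


def parse_record(line: str) -> dict:
    """Split one record into its timestamp plus attribute/value pairs."""
    ts, _, rest = line.strip().partition(" ")
    rec = {"timestamp": _parse_time(ts)}
    rec.update(_ATTR.findall(rest))
    return rec


def build_sessions(log_text: str) -> Dict[str, Session]:
    """Correlate Start / Interim-Update / Stop records by Acct-Session-Id."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        sid, status, ts = rec["Acct-Session-Id"], rec["Acct-Status-Type"], rec["timestamp"]
        if status == "Start":
            sessions[sid] = Session(sid, rec["Calling-Station-Id"], rec.get("User-Name", ""),
                                    rec["NAS-IP-Address"], rec.get("NAS-Port-Id", ""), ts, ts)
        elif sid in sessions:  # update or close a session whose Start we saw
            sess = sessions[sid]
            sess.last_seen = ts
            if status == "Stop":
                sess.stop = ts
                sess.terminate_cause = rec.get("Acct-Terminate-Cause")
        # A Stop or Interim-Update with no prior Start is skipped here; in a real
        # deployment a lost Start record is itself worth an alert.
    return sessions


def audit(log_text: str, now_iso: str, max_idle_hours: float = 2.0) -> Dict[str, List[str]]:
    """Summarize sessions: closed ones, open ones gone quiet, and MAC-only identities."""
    sessions = build_sessions(log_text)
    now = _parse_time(now_iso)
    idle = timedelta(hours=max_idle_hours)
    return {
        "closed": sorted(s.session_id for s in sessions.values() if not s.is_open),
        # Open with no accounting update within max_idle: the device probably left
        # without a Stop, so the inventory would otherwise overstate who is present.
        "stale": sorted(s.session_id for s in sessions.values()
                        if s.is_open and now - s.last_seen > idle),
        # User-Name equal to the MAC means no user credential stands behind the session.
        "mac_only": sorted(s.session_id for s in sessions.values()
                           if _norm_mac(s.user) == _norm_mac(s.mac)),
    }


if __name__ == "__main__":
    for sess in build_sessions(SAMPLE_ACCOUNTING_LOG).values():
        print(f"{sess.mac} user={sess.user or '-'} port={sess.nas_port} "
              f"start={sess.start.isoformat()} stop={sess.stop.isoformat() if sess.stop else 'open'}")
    print(audit(SAMPLE_ACCOUNTING_LOG, "2013-04-02T12:00:00Z"))
```

The "mac_only" list is the one to watch in a monitor-mode rollout: those are exactly the devices that will lose access once higher-layer authentication is enforced, so it doubles as the migration worklist.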
[Figure: Wireless LAN Controller, Access Point, Active Directory, Tablet, Access, Cisco ISE, Data Center; protocols shown: RADIUS, LDAP, DHCP, CAPWAP]
As with the guest access option, this architecture uses Cisco ISE to authenticate mobile devices using Active Directory services. The
architecture then permits or denies access to the internal network, making proactive policy decisions by correlating device identity
with network elements such as access switches, Cisco WLCs, and VPN gateways.
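The decision described here, and the guest-account expiry described in the guest access section above, come down to one function: correlate who the user is, what the device is, and which network element it arrived through, and return an authorization result. The following is an added example in plain Python, not Cisco's code and not ISE's policy language. The group names ("employees", "guests"), the device types, the network element names, the guest time window and the policy table itself are constructed assumptions; the point it demonstrates is a default-deny table keyed by (network element, device class) with the guest WLC handled as a time-bounded special case.

```python
"""Access decision correlating identity, device type and network element.

Added example, not Cisco's code and not ISE's policy language. Group names, device
types, element names and the policy table are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Decision(str, Enum):
    PERMIT_INTERNAL = "permit-internal"   # internal services plus Internet
    INTERNET_ONLY = "internet-only"       # Internet reachable, internal network blocked
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]                  # None when no user credential was presented
    groups: FrozenSet[str]               # directory groups (constructed: "employees", "guests")
    device_type: str                     # profiling result, e.g. "Apple-iPad" or "Unknown"
    network_element: str                 # "wlc-hq", "wlc-remote", "vpn-gateway", "wlc-guest"
    now: str                             # ISO-8601 time of the request
    guest_window: Optional[Tuple[str, str]] = None   # sponsor-set (start, end) for guests


# Device types the organization can profile and chooses to trust (assumption).
MANAGED_DEVICE_TYPES = {"Windows-Workstation", "Apple-iPad", "Apple-iPhone", "Android"}

# Policy table keyed by (network element, device class). Anything not listed is denied,
# so a new element or device class is an explicit decision rather than a silent gap.
POLICY = {
    ("wlc-hq",      "managed"):   Decision.PERMIT_INTERNAL,
    ("wlc-hq",      "unmanaged"): Decision.INTERNET_ONLY,
    ("wlc-remote",  "managed"):   Decision.PERMIT_INTERNAL,
    ("wlc-remote",  "unmanaged"): Decision.INTERNET_ONLY,
    ("vpn-gateway", "managed"):   Decision.PERMIT_INTERNAL,
    # Over the VPN an unprofiled device is denied rather than limited: the gateway
    # cannot observe it the way an on-site WLC can (constructed policy choice).
    ("vpn-gateway", "unmanaged"): Decision.DENY,
}


def _guest_decision(req: AccessRequest) -> Decision:
    """Sponsored guest accounts get Internet only, and only inside their window."""
    if req.user is None or "guests" not in req.groups or req.guest_window is None:
        return Decision.DENY
    start, end = (datetime.fromisoformat(t) for t in req.guest_window)
    now = datetime.fromisoformat(req.now)
    return Decision.INTERNET_ONLY if start <= now <= end else Decision.DENY


def authorize(req: AccessRequest) -> Decision:
    """Permit, restrict or deny based on identity, device class and network element."""
    if req.network_element == "wlc-guest":
        return _guest_decision(req)
    # Every non-guest element needs an authenticated employee identity first.
    if req.user is None or "employees" not in req.groups:
        return Decision.DENY
    device_class = "managed" if req.device_type in MANAGED_DEVICE_TYPES else "unmanaged"
    return POLICY.get((req.network_element, device_class), Decision.DENY)


if __name__ == "__main__":
    employee = frozenset({"employees"})
    window = ("2013-04-02T09:00:00", "2013-04-02T12:00:00")
    print(authorize(AccessRequest("jsmith", employee, "Apple-iPad", "wlc-hq", "2013-04-02T09:00:00")))
    print(authorize(AccessRequest("jsmith", employee, "Unknown", "vpn-gateway", "2013-04-02T09:00:00")))
    print(authorize(AccessRequest("visitor1", frozenset({"guests"}), "Unknown", "wlc-guest",
                                  "2013-04-02T15:00:00", window)))
```

Keeping the table explicit makes the review question concrete: every (element, device class) pair either appears with a stated decision or falls through to deny, and a guest account presented on anything but the guest WLC is denied regardless of its time window.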
Remote Mobile Device Access
True mobility fulfills its greatest potential when users can securely access corporate applications and services, with the device of
their choice, from anywhere. The device must support a secure VPN with automatic roaming capabilities. For example, a sales
representative depends upon a smartphone to maintain constant access to email, voicemail, and a CRM application as she travels
from meeting to meeting throughout her region. The phone roams between wireless and cellular networks, even from carrier to
carrier, without the user noticing (Figure 5).
Figure 5: CVD BYOD Remote Mobile Device Access
[Figure: VPN Tunnel, Internet, Internal Network, www Website, Web Security, RA VPN Client]
Remote mobile device access uses Cisco AnyConnect Secure Mobility Client software to establish a roaming SSL-encrypted VPN connection with Cisco ASA at the Internet edge of the corporate network. Behind the firewall, Cisco ISE manages authentication and authorization as described in previous sections. The device accesses the Internet through the VPN tunnel at the Internet edge, allowing the corporation to apply firewall, intrusion prevention, and other Web security capabilities in order to protect both the mobile device and the internal network from malware and other security risks.