#CiscoLive
BRKSEC-2104
Zero Trust Identity for the Cloud: A look at SAML authentication
Jerry Lin, Principal Security Architect, Global Security Architecture Team
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

About Jerry Lin
- 20+ years at Cisco; Security CCIE #6469
- Distinguished Speaker Hall of Fame at Cisco Live
- Coauthor, "NAC Appliance: Enforcing Host Security with Clean Access", Cisco Press
- Cisco Security Reference Architecture
- Favorite sport: marathons! (Boston)

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Introduction
- Applications in the Cloud
- SAML Authentication explained
- SAML use cases & demos
- Summary

All roads lead to the Cloud
- Mass application migration to the Cloud
- Zero Trust is needed to prevent unauthorized access
- SASE is the new normal

Cloud Access Challenges
- Corp data centers, private/public cloud, Internet, SoHo, Webex
- Direct Internet Access: VPN or no VPN? SASE?
- Radius or LDAP?

Cisco Zero Trust Architecture
- Cloud/On-Premises: on networks you control, establish trust-based access control for users/devices, including IoT
- Workload/Application/Data: minimize the attack surface while enforcing least privilege access to/from our workloads
- User/Device Security: establish trust of users and devices to determine their application access privileges

What Zero Trust Means to Us
- Never Assume Trust. Always Verify.
- Enforce least privilege, risk-based access control.
Authentication Protocols
- Active Directory (AD) / Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-In User Service (RADIUS)
- Security Assertion Markup Language (SAML 2.0)
  - Adopted in 2005 by the OASIS Consortium
  - Uses Extensible Markup Language (XML) for communication
  - Cloud and Web application focused

SAML Authentication (2.0) Simplified
- Authentication language between identity providers (IdP) and service providers (SP)
- SAML enables Single Sign-On (SSO): one user credential for many SPs
- Allows SaaS solutions while using a secure federated identity management system
Flow:
1. User login (at the Service Provider)
2. SP redirects user to IdP
3. IdP responds with authorization
4. SP grants access

3 Commonly used Identity Providers (IdP) today
- Okta cloud services: offers AD connections
- Duo SSO (cloud hosted): not an IdP, but a good IdP & SAML proxy
- MS Azure AD services: pure cloud offering; on-prem AD typically synchronizes with Azure cloud services for hybrid deployment
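The four-step exchange on the slide, as an added example that is not part of the deck: a Python model of SP-initiated SAML 2.0 SSO in which the SP builds the AuthnRequest (steps 1-2), the IdP issues a signed assertion (step 3) and the SP checks it before granting access (step 4). The entity IDs, ACS URL, user name and key are constructed, and an HMAC over the C14N form of the assertion stands in for XML-DSig so the script runs on the standard library alone; the SP-side checks (Status, exactly one assertion, signer, Issuer, validity window with clock skew, Audience, Recipient, InResponseTo) are the ones a real SP performs. The `rotated_idp_cert` scenario is the "IdP trust" failure the deck later lists as a common issue: the IdP rotated its signing certificate and the SP still trusts the old one.

```python
"""SP-initiated SAML 2.0 SSO modelled end to end; an HMAC over C14N XML stands in for XML-DSig (added example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)
STATUS_OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated clock difference between IdP and SP
# Constructed identifiers and key for the example (not from the deck).
SP_ENTITY_ID, ACS_URL = "https://vpn.example.test/saml/metadata", "https://vpn.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml"
IDP_KEY = b"constructed-idp-signing-key"  # stands in for the IdP signing certificate taken from its metadata


class SamlError(Exception):
    """A check failed: the SP denies access and logs the reason."""


def require(condition, reason):
    if not condition:
        raise SamlError(reason)


def mac(elem, key):
    # HMAC over the C14N form of the element, so signer and verifier hash identical bytes
    return hmac.new(key, ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode(), hashlib.sha256).hexdigest()


def idp_issue_response(authn_request_xml, user, key, now):
    # Step 3: after authenticating the user (out of scope here) the IdP answers the AuthnRequest
    req = ET.fromstring(authn_request_xml)
    req_id, acs, expiry = req.get("ID"), req.get("AssertionConsumerServiceURL"), (now + timedelta(minutes=5)).strftime(FMT)
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": now.strftime(FMT)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    sc = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", {"InResponseTo": req_id, "Recipient": acs, "NotOnOrAfter": expiry})
    conditions = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": now.strftime(FMT), "NotOnOrAfter": expiry})
    restriction = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = req.findtext(f"{{{SAML}}}Issuer")  # for the requesting SP only
    signature = mac(a, key)  # computed before the Signature child exists, which is exactly what the verifier reproduces
    ET.SubElement(a, f"{{{DS}}}Signature").text = signature  # stand-in for the real ds:Signature structure
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                                               "IssueInstant": now.strftime(FMT), "InResponseTo": req_id})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", {"Value": STATUS_OK})
    resp.append(a)
    return ET.tostring(resp)


class ServiceProvider:
    def __init__(self, trusted_idp_key):
        self.trusted_idp_key = trusted_idp_key  # from IdP metadata; goes stale when the IdP rotates its certificate
        self.pending = set()  # AuthnRequest IDs still awaiting a response; each may be answered once

    def start_login(self, now):
        # Steps 1-2: the user arrives, the SP builds an AuthnRequest and redirects the browser to the IdP with it
        req_id = "_" + secrets.token_hex(16)
        self.pending.add(req_id)
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": req_id, "Version": "2.0", "IssueInstant": now.strftime(FMT),
                                                    "AssertionConsumerServiceURL": ACS_URL})
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
        return req_id, ET.tostring(req)

    def consume(self, response_xml, now):
        # Step 4: every check below must pass before access is granted (the authenticated NameID is returned)
        resp = ET.fromstring(response_xml)
        require(resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode[@Value='{STATUS_OK}']") is not None, "IdP did not report Success")
        require(len(resp.findall(f"{{{SAML}}}Assertion")) == 1, "expected exactly one assertion")
        a = resp.find(f"{{{SAML}}}Assertion")
        sig = a.find(f"{{{DS}}}Signature")
        require(sig is not None, "assertion is not signed")
        a.remove(sig)  # the signature covers the assertion without itself
        # IdP trust: only a signature made with the key configured at the SP is accepted
        require(hmac.compare_digest(sig.text or "", mac(a, self.trusted_idp_key)), "signature does not verify against the configured IdP")
        require(a.findtext(f"{{{SAML}}}Issuer") == IDP_ENTITY_ID, "assertion issued by an unexpected IdP")
        cond = a.find(f"{{{SAML}}}Conditions")
        require(cond is not None and datetime.strptime(cond.get("NotBefore"), FMT) - CLOCK_SKEW <= now
                < datetime.strptime(cond.get("NotOnOrAfter"), FMT) + CLOCK_SKEW, "assertion outside its validity window")
        require(SP_ENTITY_ID in [e.text for e in cond.iter(f"{{{SAML}}}Audience")], "assertion not meant for this SP")
        scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
        require(scd is not None and scd.get("Recipient") == ACS_URL
                and now < datetime.strptime(scd.get("NotOnOrAfter"), FMT) + CLOCK_SKEW, "bearer confirmation data rejected")
        require(scd.get("InResponseTo") in self.pending, "unsolicited or replayed response (unknown InResponseTo)")
        self.pending.discard(scd.get("InResponseTo"))  # one answer per request, so the same response cannot be replayed
        return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def demo():
    # Happy path plus three failure modes; returns the SP's decision for each scenario
    t0, sp, out = datetime(2023, 6, 6, 12, 0), ServiceProvider(IDP_KEY), {}
    good, rotated, stale = [idp_issue_response(sp.start_login(t0)[1], "alice@example.test", key, t0)
                            for key in (IDP_KEY, b"constructed-rotated-idp-key", IDP_KEY)]  # 2nd: IdP cert rotated, SP not updated
    for label, response, at in [("login", good, t0 + timedelta(seconds=20)), ("replay", good, t0 + timedelta(seconds=40)),
                                ("rotated_idp_cert", rotated, t0), ("stale", stale, t0 + timedelta(minutes=30))]:
        try:
            out[label] = "granted:" + sp.consume(response, at)
        except SamlError as e:
            out[label] = "denied:" + str(e)
    return out
```

`demo()` returns one decision per scenario. The trust anchor `trusted_idp_key` is the piece that the Okta and Azure configuration steps later in the deck move between portals (for Azure, the certificate downloaded in Base64 into the Duo admin portal); when that copy is stale, every login fails at the signature check even though the user authenticated correctly at the IdP, which is why a failing SAML integration is usually checked at the IdP trust step first.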
SAML Use Cases
1. Remote Access VPN via SAML (Corp VPN; Radius or LDAP today)
2. SaaS and private application protection via Duo Cloud SSO
3. Branch or SOHO via Umbrella SIG (FTD + others; SIG = Secure Internet Gateway)

Use case #1: AnyConnect RAVPN with SAML
- Components: Firepower NGFW, Duo SSO (optional), Webex
- Steps 1-4 run between the client, the Firepower NGFW and the IdP; step 5 is the SAML authorization response, after which user access is granted

Demo #1: AnyConnect SAML + Cert
Demo #2: AnyConnect SAML with Duo SSO + Passwordless

FMC 7.3: Devices > VPN > Remote Access

FTD 6.7 AnyConnect/SAML integrations
- FTD 6.7 AnyConnect/Okta integration: https://youtu.be/wgttyx7UFMI
- FTD 6.7 AnyConnect/Duo SSO integration: https://youtu.be/cKpOruEkojY
- FTD 6.7 AnyConnect/Azure integration: https://youtu.be/LpFIr9swEWM

Common issue: IdP Trust
FMC 7.3: Devices > VPN > Remote Access > Duo Passwordless

Use case: Duo PWL flow
- Firepower NGFW, Duo SSO, SAML (* = future), IdP, AD Connector
- Leverage AD while transitioning to cloud

Looking Ahead to Azure AD With AD Connector
- Legacy/On-Premises Apps
- Cloud/SAML Apps

Use case #2: SaaS and Private Apps
- Duo SSO portal, Webex, SAML 2.0 IdP, Service Provider, SaaS
- Legacy on-prem applications reached through DNG (on-prem application proxy)
- SSO = Single Sign-On; IdP = Identity Provider; DNG = Duo Network Gateway

Cisco Private App: Cisco Internal Network
- Global Server Load Balancer in front of US-East, US-Central-1 and US-Central-2
- Each region: a load balancer and three DNG "Portal" instances
- DNG Controller and Admin Servers

How do I publish more applications?
- Duo SSO portal; SAML 2.0 IdP (Okta or Azure); legacy on-prem applications through DNG (application proxy)
- SSO = Single Sign-On; IdP = Identity Provider; DNG = Duo Network Gateway

Role-Based Access Control
- What identity to use for blocking access to selected applications?
- Users, Groups, Applications

Okta SAML
- In Duo Portal: copy from Duo Portal to Okta Portal; copy from Okta Portal
- In Okta Portal, login as Admin: Duo SSO application; copy from Duo admin portal
- In Okta Portal: copy to Duo admin portal

Azure SAML
- In Duo Portal: copy from Duo Portal to Azure Portal; copy from Azure Portal
- In the Azure Portal: copy from Duo admin portal; copy to Duo admin portal; download Azure certificate (Base64) to Duo admin portal

Publishing Apps in Duo Central
- DNG, or your application

Duo Network Gateway Setup

Duo SSO Demo
- Cloud App Protection
- On-prem Private App Protection
Use case #3: Secure branch/SOHO via Umbrella Secure Web Gateway + SAML
- Duo SSO (optional), Webex, IdP; FTD + others; SDWAN
- Umbrella SIG: DNS security, secure web gateway, cloud firewall
- SDWAN/IPSec VPN to Umbrella SIG
- Umbrella SIG provides application and content security
- User identity/authentication added via SAML by Umbrella SIG
- SIG = Secure Internet Gateway

Umbrella Portal: Adding FTD Device
Umbrella Portal: Tunnels
In FMC 7.3 (new in 7.3)
In Firepower Management Center
Umbrella Web Policy: Authentication

Use case #3: Secure branch + SIG
- Duo SSO (optional), Webex, IdP; SDWAN; Umbrella SIG (DNS security, secure web gateway, cloud firewall); SAML auth; Internet; on-prem AD Connector
- Authentication and Authorization

SASE/Network Edge: Umbrella SAML Demo

Summary

Review of Use Cases
1. Remote Access VPN via SAML (Corp VPN; Radius or LDAP)
2. SaaS and private application protection via Duo Cloud SSO
3. Branch or SOHO via Umbrella SIG (FTD + others; SIG = Secure Internet Gateway)

Your Takeaways: Extending Identity into the Cloud using SAML
- Already have SAML IdP, Active Directory, RAVPN: try SAML + Cert for AnyConnect RAVPN, Duo PWL SSO (2 weeks)
- Already have corporate apps in the cloud (example: Active Directory or SAML): DNG, clientless or https/RDP/SSH/SMB (1 month)
- SDWAN with Direct Internet Access (DIA): need Umbrella or Cisco Secure Access; enable AD + SAML (3 months)

Zero Trust Implement & Execute Workshop
Who Should Attend? Roles responsible for:
- Deployment and management of security solutions
- Implementing tools to support zero-trust security
- Security architecture
Workshop Agenda:
- Establish user and device trust
- Adaptive policies
- Explore VPN and VPN-less access
- Zero-trust network access
- Modern application access
- Secure Access Service Edge
The Zero Trust Implement & Execute (I&E) workshop engages attendees in a hands-on technical lab exploring 3 zero trust use cases: Streamline the User Experience, Secure Remote Work, and Protect a Hybrid Workforce.
Workshop Format: Secure Access by Duo, Cisco Umbrella, Secure Endpoint, AnyConnect Secure Mobility Client; 3 lab modules (bonus modules now include SecureX & Secure Workload). Learn More.

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

[Figure: Cisco Security Reference Architecture v3.1, spanning Edge Network and On-Premises Network, with Zero Trust across all areas]
- XDR Security Operations Toolset: Kenna | Secure Analytics | SecureX | Secure Client | Talos Incident Response (device discovery & insights, network detection & response, endpoint detection & response, open API platform & 3rd party native integrations, risk-based vulnerability management, security analytics, security orchestration/automation & response, threat visibility/incident response & threat hunting)
- Talos Threat Intelligence: actionable threat intelligence, collective responses, comprehensive visibility, signal identification, threat research & analysis
- Services: custom threat research on demand, incident response retainer, implement and manage, managed detection & response, strategy & assessment
- SASE/Security Service Edge: Duo | Secure Connect | Umbrella
- SASE/SDWAN: Meraki | Secure Firewall | ThousandEyes | Viptela
- SASE/Remote Worker: Cisco Secure Client (AnyConnect) | Umbrella | Secure Endpoint | Meraki Systems Manager | Duo | Secure E-mail | ThousandEyes
- In the Office/Managed Location: Catalyst | DNAC | ISE | Meraki | Secure Firewall | Secure Network Analytics | Web Appliance
- Industrial Threat Defense: DNAC | CyberVision | Industrial Networking | ISE | Secure Firewall | Secure Network Analytics
- Hybrid Multi-Cloud (Workload, Application, and Data Security): ACI | Cloud Insights | Panoptica | Radware | Secure Application | Secure Endpoint | Secure Firewall | Secure Cloud Analytics | Secure Workload
- Capability labels shown across the areas include: DNS-layer security, secure web gateway, cloud firewall/FWaaS, NGFW/NGIPS, segmentation and micro/macro segmentation, group tag classification/propagation, identity/pxGrid, network access control, posture and device trust, passwordless and risk-based MFA, zero trust network access, remote browser isolation, cloud access security broker, tenant restrictions, data loss prevention, email/phishing/SPAM/BEC protection, anti-virus/anti-malware, endpoint detection & response, mobile device management, encrypted visibility, anomaly detection, security analytics & logging, digital experience monitoring, application performance optimization, Cloud OnRamp, API security, app discovery, cloud native security, cloud posture management, DDoS/WAF/bot protection, run-time application protection, telemetry, threat mitigation, data access & integrity

Thank you

Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.