
Bring Your Own Device


Academic year: 2021


(1)

Bring Your Own Device

Cisco Values in BYOD

Eric NG

Technical Solution Architect

(2)
(3)
(4)

EXECUTIVE

EMPLOYEE

Anywhere, anytime, any device usage
Work is a function—globally dispersed, mixed device ownership
Change in IT control and management paradigm — granularity beyond device
Security lives in the network to allow for BYOD

OLD WAY

Enterprise provided and managed user devices
Work is a place you go to—limited off campus access
IT visibility and control into user devices and applications
Security lived on the IT managed endpoint

(5)

Device Diversity is here to stay

89%

10%

1%

User Wants
Consistent experience on multiple devices
Seamless transitions between devices
Separation of work and personal data
Keep up with tech and social trends

IT Wants
Proactive adoption of consumer/mobile devices
Embrace BYOD without sacrificing security, management, business standards
Lower organizational costs
Improved agility

23%

36%

26%

75%

22%

(6)

Human Resources
Compliance Operations
Security Operations
Application Team
Endpoint Team
Network Team

(7)

Denied or Restricted
Environment requires tight controls
Corp Only Device
Mfg Environment
Trading Floor
Classified Gov Networks
Traditional Enterprise

Allowed
Focus on basic services, easy access, almost anybody
Broader Device Types But Internet Only
Edu Environments
Public Institutions
Simple Guest

Encouraged
Enable differentiated services, on-boarding with security but no ownership
Multiple Device Types + Access Methods, VDI
Healthcare
Early BYOD Enterprise Adopters
Contractor Enablement

Bought in
Corp native apps, new services, full control
Multiple Device Types, Corp Issued, MDM
Innovative Enterprises
Retail on Demand
Mobile Sales Services (Video,

(8)

Building blocks of

(9)

Policy

Next Generation Workspace

Management

Security

Unified Access

(10)

VPN

External Wi-Fi

Internal Wi-Fi

Wired

Deny or Restrict

Bought In

Encouraged

Allow

Devices Layer

Smartphones

Desktop/Notebooks

FW

Router

Wireless

Wired

ISE

Tablets

Thin/VirtualClients

Connectivity Layer

Prime Infrastructure

(11)

Best-of-Breed and Best-in-Class Mobility Predictability
CleanAir: Chip level proactive and automatic interference mitigation
ClientLink: Chip level proactive and automatic electronic beamforming
VideoStream: Chip level wired multicast over a Wireless network
Radio Resource Management: Simplified advanced RF management
BandSelect: Proactive and automatic band steering for 5GHz capable clients

Best-of-Breed and Best-in-Class Policy and Network Management
ISE (Control)
PI (Visibility)
Who? What? When? Where? How?

FW

Router

Wireless

Wired

Unified Access

ISE

Policy

NCS Prime

(12)

Policy

Profiling

VLAN 10

VLAN 20

Personal

Employee

Corporate

Wireless LAN Controller

Corporate Resources

Restricted

Internet Only

USER

LOCATION

TIME

Access Method

DHCP

RADIUS

SNMP

NETFLOW

Corporate Issued Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforcement to “VLAN 10” on same SSID

PERSONAL Device
1. User Authentication and Authorization
2. Profiling to identify device
3. Policy decision
4. Policy enforcement to “VLAN 10 or 20” on same SSID

HTTP

DNS

DEVICE

Centralized Policy Engine

Unified Access Management

Single SSID

ISE

Policy

(13)

VPN

External Wi-Fi

Internal Wi-Fi

Wired

Deny or Restrict

Bought In

Encouraged

Allow

Devices Layer

Smartphones

Desktop/Notebooks

FW

Router

Wireless

Wired

ISE

Tablets

Thin/VirtualClients

Connectivity Layer

ISE

NCS Prime

AnyConnect

ScanSafe

ESA/WSA

NCS Prime

(14)

Acceptable Use

Access Control

Data Loss Prevention

Choice
Diverse endpoint support for greater flexibility

Security
Rich, granular security integrated into the network

Experience
Always-on intelligent connection for seamless experience and performance

Intranet

Access Granted

AnyConnect Client

Threat Prevention

WSA

ASA

AnyConnect

ScanSafe

ASA/WSA

(15)

VPN

External Wi-Fi

Internal Wi-Fi

Wired

Deny or Restrict

Bought In

Encouraged

Allow

Devices Layer

Smartphones

Desktop/Notebooks

FW

Router

Wireless

Wired

ISE

Tablets

Thin/VirtualClients

Connectivity Layer

ISE

NCS Prime

AnyConnect

ScanSafe

ASA/WSA

. . .

ISE

NCS Prime

NCS Prime

VXI

Quad

Jabber

Webex

(16)

Only Cisco can tie all the pieces together!

NCS Prime

ISE

Cisco WLAN Controller

Wired Network Devices

Cisco Catalyst Switches

AC NAM

3rd Party MDM Appliance

CSM / ASDM

MDM Manager

IronPort WSA

(17)

Control and Visibility for IT—Predictability for Users

Access Switches

Compact

2960-S

3750-X/3850

4500E

Distribution Switches

6500 Series

Access Points

600 Series (Teleworker)

3500p Series (Density)

1550 Series (Outdoor)

1600

2600

3700

Indoor

3600

Mobility Services Engine

3310 and 3355

Physical or Virtual

Wireless LAN Controllers

2500 Series WLC on SRE

5500 Series

WiSM2

7500

Identity and Policy

Data Integration

ISE

NCS

Physical or Virtual

8500

vWLC

(18)

Now Add

AnyConnect

IronPort

ScanSafe

Wired/Wireless/FW Infra

ISE

Prime Infrastructure

Deny or Restrict

Allow

Encouraged

Bought In

Now Add

MDM

Apps (Webex,

(19)
