Subjects covered will include mobile devices OS security, state of malware on mobile devices, data loss prevention, VPN and remote access, 802.1x and certificate deployment, profiling, posture, web security, MDMs and others. For more information please visit our website: http://www.cisco.com/web/CA/index.html
Alphorm.com Training Microsoft Azure: Azure Active Directory 2021, by Alphorm
Azure Active Directory is the central point of a cloud solution on Azure or Microsoft 365.
This Azure Active Directory training focuses on setting up an Azure Active Directory instance and also on the hybrid aspects: extending on-premises Active Directory to Azure Active Directory with AAD Connect, as well as the new provisioning concepts such as Cloud Sync.
This Azure Active Directory training covers all the technical and architectural aspects of Azure Active Directory and, above all, of AAD Connect, the synchronization engine to Azure AD.
This training covers all the Azure Active Directory security features present in Azure AD P1 and P2.
Here are the security topics covered in this training:
• Azure MFA
• Conditional Access
• Integration of Azure AD and Cloud App Security
• SSPR (Self Service Password Reset)
• Password Protection
• Azure AD Identity Protection
• PIM (Privileged Identity Management)
• Break Glass Account
• Passwordless with FIDO2
In this Azure Active Directory training, you will learn to administer your Azure AD through the graphical interface, via the new Azure AD Admin Center portal, and in PowerShell with the Azure AD module. You will also learn to secure your Azure Active Directory environment and your Microsoft 365 environment in a granular and optimal way.
RADIUS uses UDP for authentication and authorization, encrypting only the password field, while TACACS+ uses TCP and encrypts the entire payload. TACACS+ separates authentication, authorization, and accounting functions, allowing for different authentication mechanisms to be used, while RADIUS combines these steps. TACACS+ supports additional network protocols and provides more granular control over authorized commands.
WPA2 is the latest security standard for Wi-Fi networks. It uses AES encryption and 802.1X/EAP authentication to securely transmit data between wireless devices and access points. The four-phase process establishes a secure communication context by agreeing on security policies, generating a master key, creating temporary keys, and using the keys to encrypt transmissions. WPA2 provides stronger security than previous standards like WEP and WPA through more robust encryption and authentication methods.
This workshop is a fast-track course covering the basic architecture and functionalities of the LTE-EPC from the packet core perspective.
The course is somewhat advanced, and the target audience is expected to have basic PS foundations and mobility knowledge as a prerequisite.
The course covers the LTE-EPC architecture, call flows, mobility and session management, in addition to introductory slides on EPS security and LTE-DNS.
This document provides an overview of 3GPP specifications and network functions related to 2G, 3G, 4G, and 5G mobile networks. It includes abbreviations for network nodes, interfaces, and protocols across the different generations of cellular standards. Release numbers are shown for 5G network functions introduced in 3GPP specifications.
The document discusses authentication, authorization, and accounting (AAA) and provides instructions for configuring AAA on Cisco routers. It begins with an introduction to the three A's of AAA - authentication, authorization, and accounting. It then covers identifying each component and implementing authentication using local services or external servers like TACACS+ and RADIUS. The document also discusses authenticating router access, configuring AAA on Cisco routers including enabling AAA globally and setting authentication lists, and troubleshooting AAA using debug commands.
Introduction to Nexus from Zero to Hero, by Dhruv Sharma
The document provides information about Cisco Nexus switches, including the Nexus 7000 and 7700 series switches. It describes the key components of Nexus switches like chassis, I/O modules, supervisor engines, and fabric modules. It also compares different Nexus 7000 and 7700 chassis models in terms of specifications like slots, bandwidth, switching capacity, and port density. Additionally, it discusses some differences between Nexus switches and Cisco Catalyst switches, such as licensing requirements, user accounts, NX-OS image structure, and use of port profiles instead of macros. Finally, it provides an overview of features supported on Nexus switches like virtual device contexts (VDCs).
The document discusses securing networks in the cloud with FortiGate virtual appliances. It begins with an introduction to Fortinet and an overview of FortiGate 3950 series appliances, which provide scalable performance up to 120Gbps. It then covers features of FortiGate virtual machines, which support all key FortiGate capabilities in a virtual appliance running on hypervisors like VMware. Virtual domains allow dividing a single FortiGate VM into multiple logical units to securely partition networks and workloads in the cloud.
A big challenge for mobile network operators in the new, ever-evolving 5G era is the signaling security of the standardized protocols used to exchange data. Telecommunication companies face this challenge and have to be on alert every time there is a potential hacker attack. What is the best way to approach these striking threats, and even to be ready before they occur?
In our webinar, Positive Technologies will offer you several breakthrough strategies on how to deal with security flaws in telecom.
Our expert will show you the evolution of protocol security, share insights into the potential activities of a hacker and give useful advice about compliance with security standards.
This document provides a comparison of commands between Cisco and Huawei routers. It lists Cisco commands along with their equivalent Huawei commands. For example, the Cisco command "configure terminal" is equivalent to the Huawei command "system". It also provides examples of basic Huawei configuration commands like setting the device name, viewing the configuration, and configuring an interface.
LTE network: How it all comes together, architecture technical poster, by David Swift
The document provides an overview of an LTE network including:
1) The key components of an LTE network including the Evolved Packet Core (EPC), radio access network (eNodeB), and user equipment (UE).
2) Protocols and functions used within the LTE network for mobility, authentication, quality of service, charging, and multimedia services.
3) Interworking of the LTE network with external networks including legacy 3G networks, non-3GPP access like WiFi, IP Multimedia Subsystem (IMS) for voice, and IPX networks for roaming.
Dear Sir/Madam,
I was working in an MNC as an IT Administrator. Now I am looking for a job where I can match my career & knowledge. I am also young, energetic and committed to achieving corporate goals. Overall I have 12 years' experience in IT Administration, Networking, Hardware, Software, Product development and Industry field (10 years in GCC & 2 years in India).
Hopefully I can handle this job with my academic achievements and work experience. Please check the enclosed CV and let me know your valuable reply for the interview.
*Dubai Driving License
*Qatar Driving License
*Oman Driving License.
Thanks & Regards
G.Gnanakumar
Skype: gkqems
Mobile: +974 33125335
This document contains a summary of Assan Samba's career experience and qualifications. He has over 15 years of experience in IT with a focus on network engineering. He has extensive experience working with Cisco routers, switches, firewalls, and wireless networks. Currently, he works as a Network Engineer where he manages network infrastructure for multiple sites, including firewalls, routers, switches, and access points.
Presentation of the ELK stack in a SIEM context, with a focus on Wazuh (OSSEC), an open source IDS
Come and discover how to be proactive against cyber security problems by analysing the data provided by your critical equipment and applications.
Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from and replaces the much less capable RADIUS protocol that preceded it. In this presentation I will try to familiarize you with the new AAA protocol and deep dive into the Diameter protocol details, the Credit Control Application (Gx, Gy and Gz) and a sample use case for peering Sandvine PTS (working as PCEF) with freePCRF.server, and finally introduce you to Seagull, a popular test tool for testing different Diameter-based scenarios. Hope you like it.
basim.alyy@gmail.com
basimaly.wordpress.com
https://eg.linkedin.com/pub/basim-aly/38/774/228
IMS registration call flow procedure VoLTE SIP, by Vikas Shokeen
This PDF, a VoLTE IMS Registration tutorial, covers the IMS Registration SIP procedure in depth and provides extracts of 3GPP / GSMA specs. I am covering the call flows below in depth:
- LTE Attach & Default Internet EPS bearer
- Role of QCI-1 (Voice), QCI-5 (SIP Signaling), QCI-6 to 9 (Internet)
- Default Vs Dedicated Bearer in LTE
- Default IMS EPS bearer in LTE
- SIP and IMS Registration
- TAS Registration
Alphorm.com Training CCNP ENCOR 350-401 (3 of 8): Wireless, by Alphorm
The CCNP ENCOR 3/8 training aims to prepare you for the 350-401 ENCOR certification. This course lets you learn, apply and practise the CCNP Enterprise knowledge and skills, moving from theoretical concepts to a series of in-depth hands-on labs that reinforce learning. With this training and the CCNP ENCOR training, you will have the tools to consider registering for the 350-401 certification exam.
The document discusses key performance indicators (KPIs) for the E-UTRAN and EPC components of an LTE network, including accessibility, retainability, integrity, availability, and mobility metrics for E-UTRAN and accessibility, mobility, and utilization KPIs for EPC. It provides definitions and formulas for calculating various KPIs related to EPS attach success rate, dedicated bearer creation success rate, handover success rates, and other measures of network and service performance.
BYOD: Bring Your Own Device Implementation and Security Issues, by Harsh Kishore Mishra
This document discusses Bring Your Own Device (BYOD) implementation and security issues. It begins with defining BYOD as a trend of allowing employees to use their personal mobile devices for work purposes. Some advantages of BYOD include increased productivity, lower costs for companies, and attracting talent. However, there are also security, privacy, infrastructure support, and device control issues that need to be addressed. The document recommends automating access policies, detecting threats, unifying security policies, and protecting infrastructure to implement BYOD securely. It concludes that BYOD improves productivity and costs but requires enforceable security policies.
Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl..., by Silvia Mirri
This document proposes a complete profiling approach for e-learners that combines learner profiles describing accessibility needs (ACCLIP) with device profiles describing technical capabilities (CC/PP). It presents two use cases where learner and device profiles are used to dynamically adapt e-learning content. The profiling approach has been implemented in a web-based learning system that can customize multimedia content based on learner needs and device capabilities.
Profiling is important for mobile apps, in particular for the Android platform. This presentation summarizes the state of the art in profiling Android applications as of Android version 4.3 "Jelly Bean".
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect, by Robb Boyd
Cisco plans to further integrate OpenDNS with its other security tools acquired through mergers and acquisitions. OpenDNS cannot directly block URLs based on geographic location but can identify suspicious destinations based on geo-related factors. To use the full capabilities discussed, a customer needs AnyConnect Plus or Apex software subscriptions as well as a separate Umbrella subscription, though the Umbrella Roaming Client provides standalone DNS redirection. AnyConnect Plus and Apex licenses can also be applied to ASA Service Modules.
Ruckus provides a solution for BYOD implementations using Dynamic Pre-Shared Keys (DPSK) and Zero-IT Activation that simplifies setup while maintaining security. DPSK assigns unique credentials to each user/device instead of using a shared passphrase. Zero-IT Activation automates configuration of client devices upon first connection by generating and deploying DPSKs without IT intervention. A provisioning network can also be created to securely configure mobile devices on an open wireless network and then connect them to the corporate network.
Increasing mobile usage and device choice have exposed the unnecessary complexity and limited device support of legacy Remote Access solutions. It has also left a security hole as users circumvent corporate policy in a borderless network. This session will focus on how the AnyConnect Secure Mobility solution combines Cisco's web security and next-generation remote access technology to deliver a robust and secure enterprise mobility solution. Customers will benefit from context-aware, comprehensive and preemptive security policy enforcement, an intelligent, seamless and always-on connectivity and secure mobility across today's proliferating managed and unmanaged mobile devices. At the end of the session, attendees will have an in-depth understanding of the Cisco AnyConnect Secure Mobility solution, which integrates the Cisco AnyConnect Client, the Cisco Adaptive Service Appliance (ASA) and the Cisco Web Security Appliance (WSA). Attendees will understand recommended AnyConnect Security Mobility architectures and understand the implementation of the new solution based on current security installations.
This document provides best practices and considerations for supporting mobile devices and BYOD in educational environments. It discusses trends like increased mobility, the need for technical support of user-owned devices, and challenges around managing access and data flows. The document offers recommendations around areas like mobile device management, network security, bandwidth monitoring, and appropriate resources and software to support these strategies.
1) Bring Your Own Device (BYOD) allows employees and students to use personal devices on corporate or educational networks.
2) Ruckus Wireless proposes simplifying BYOD through role-based access using technologies like Zero IT, dynamic pre-shared keys (D-PSK), and client fingerprinting.
3) These technologies allow devices to automatically authenticate, receive network permissions based on the user's role, and be securely onboarded and managed on the network.
This document discusses current trends in accounting and auditing, including the standardization of international financial reporting, the impact of technology integration, and digital mobility. Standardization of financial reporting will make it easier to compare results between countries and serve investor needs. Technology integration has increased efficiency and effectiveness in accounting and freed up time for strategic planning. Digital mobility through cloud computing allows accountants to collaborate globally and improve customer service through continuous interaction, while reducing costs. For companies to take advantage of these trends, leadership vision and effective communication are important.
An Introduction on Design and Implementation on BYOD and Mobile Security, by Sina Manavi
Agenda:
- What are mobile devices?
- Mobile device threats
- BYOD
- BYOD Pros and Cons
- 4 Steps to design BYOD:
- BYOD Strategy
- Mobile Hacking techniques demo:
- Android Phone
- Mobile Application Security
- Laptop
- Pendrives
- BYOD or BYOA
- How to Secure the data storages and transportation
Cloud Security and Bring Your Own Device (BYOD) Security, by Nicholas Davis
Today, in the Information Security survey course I teach at the University of Wisconsin-Madison, the lecture topics were Cloud Computing Security and Bring Your Own Device (BYOD) Security. Both of these topics are areas in which organizations continue to struggle, relative to identifying appropriate security controls. It is challenging to teach a class in which many of the students do not have an Information Technology background. My goal is to assist them in seeing the big issues that they will face as managers, rather than focus on granular technical details. This presentation is intended to provide a survey view of the background and challenges faced in these two areas.
Database Auditing Essentials... or... Who did what to which data when and how?
The combination of increasing government regulation and the need for securing corporate data has driven up the need to track who is accessing data in our corporate databases. This presentation discusses these drivers as well as presenting the requirements for auditing data access in corporate databases.
The goal of this presentation is to review the regulations impacting the need to audit, and then to discuss in detail the kinds of things that may need to be audited, along with the several ways of accomplishing this.
Network Access Protection (NAP) is a Windows Server 2008 feature that allows network administrators to control client access to network resources based on the client's compliance with health policies. NAP validates clients, enforces compliance through limited network access if needed, and facilitates automatic remediation to help clients meet policy requirements. NAP components work together to validate client health, restrict non-compliant clients, and provide updates to remedy issues and maintain ongoing compliance.
Authenticated and unrestricted auditing of big data space on cloud through v..., by IJMER
Cloud computing opens a different era in information technology, with the capability of providing customers with a variety of scalable and flexible services. The cloud provides these services through a prepaid system, which helps customers cut down on large investments in IT hardware and other infrastructure. However, from the cloud viewpoint, customers do not have control over their own data, so data security is a big issue when using a cloud service. Present work shows that data auditing can be done by a trusted third-party agent known as an auditor. The auditor can verify the integrity of the data without owning the actual data. There are many disadvantages to this approach. One of them is the absence of a required verification procedure between the auditor and the service provider, which means any person can ask for verification of a file, putting the auditing at a certain risk. Also, in the existing scheme, data updates can be done only as coarse-grained updates, i.e. blocks of uneven size, resulting in repeated communication with and updating of the auditor for a whole file block, causing higher communication costs and requiring more storage space. In this paper, the emphasis is on giving a proper breakdown of the types of fixed-granular updates and putting forward a design capable of maintaining authenticated and unrestricted auditing. Based on this system, there is also an approach for remarkably decreasing the communication costs for auditing small updates.
This document discusses several topics related to cyber security including:
1. Windows security features such as User Account Control, BitLocker Drive Encryption, and Windows Firewall.
2. Network security challenges such as verifying user identity, protecting against DDoS attacks, and securing web applications.
3. Limitations of today's security solutions and how the modern workplace has increased risks from factors like telecommuting and use of mobile devices.
4. Types of internet security protocols and cryptography techniques as well as common forms of malicious software like viruses, worms, and trojan horses.
A modern approach to safeguarding your ICS and SCADA systems, by Alane Moran
Tempered Networks' presentation at the recent Rockwell Automation Fair 2016 helps viewers understand why it's so challenging and complex to connect and secure industrial IoT and SCADA systems. The future of networking and security must be based on 'host identity' not spoofable IP addresses.
1) The document discusses securing IoT devices and infrastructure through X.509 certificate-based identity and attestation, TLS-based encryption, and secure provisioning and management.
2) It describes securing the cloud infrastructure with Azure Security Center, Azure Active Directory, Key Vault, and policy-based access controls.
3) The document promotes building security into devices and infrastructure from the start through standards-based and custom secure hardware modules.
Digitization and increased mobility have complicated network visibility and security. Threats are more numerous, complex, and use encryption to evade detection. Cisco Stealthwatch provides holistic security through network-based visibility and analytics. It transforms networks into security sensors to see all traffic, contain threats, and detect encrypted threats. Advanced machine learning and behavioral modeling detect anomalies and threats without relying on endpoint agents. Stealthwatch integrates with Cisco Identity Services Engine to rapidly quarantine infected hosts.
Module 6 (Lectures: 8 hrs.)
Security in Evolving Technology: Biometrics, Mobile Computing and Hardening on Android and iOS, IoT Security, Web server configuration and Security. Introduction, Basic security for HTTP Applications and Services, Basic Security for Web Services like SOAP, REST etc., Identity Management and Web Services, Authorization Patterns, Security Considerations, Challenges.
Open Source/Free/Trial Tools: adb for Android, Xcode for iOS, Implementation of REST/SOAP web services and Security implementations.
The document discusses several topics related to cyber security including biometrics, mobile device hardening, web application security, identity management for web services, authorization patterns, security considerations, and challenges. Specifically, it provides best practices for securing evolving technologies, mobile devices, web servers, web services, implementing identity management, common authorization patterns, important security considerations, and challenges related to implementing security.
Firewalls are used to securely interconnect private networks to the Internet and protect them from external threats. They implement an organization's security policy by filtering network traffic and only allowing authorized connections based on properties like source/destination addresses and ports. There are different types of firewalls that operate at various layers of the network model and use techniques like packet filtering, application proxies, authentication, and content inspection to enforce security. Organizations should choose a firewall configuration based on their specific security needs, from dual-homed gateways to screened subnets in demilitarized zones.
Secure-by-Design Using Hardware and Software Protection for FDA Compliance, by ICS
This webinar explores the “secure-by-design” approach to medical device software development. During this important session, we will outline which security measures should be considered for compliance, identify technical solutions available on various hardware platforms, summarize hardware protection methods you should consider when building in security and review security software such as Trusted Execution Environments for secure storage of keys and data, and Intrusion Detection Protection Systems to monitor for threats.
This document summarizes two innovative approaches to enterprise security architecture: Google's BeyondCorp architecture and the Cloud Security Alliance's Software Defined Perimeters (SDP). BeyondCorp aims to remove network-based attacks by implementing zero-trust network access based on continuous device/user authentication and authorization. SDP uses cryptographic protocols and dynamic firewalls to create on-demand, air-gapped networks between initiating and accepting hosts. The document then discusses how organizations can implement these approaches using existing security tools and outlines steps to develop an enterprise security architecture.
A joint presentation of Gary Williams of Schneider Electric and Michael Coden of NextNine at the 10th Annual Conference of the American Petroleum Institute. The presentation discusses benefits, disadvantages, and architectures for allowing third-party access.
NSA advisory about state-sponsored cybersecurity threats, by Ronald Bartels
Chinese state-sponsored cyber actors exploit publicly known vulnerabilities in popular software to gain access to networks. The document lists vulnerabilities in products like Pulse Secure VPNs, F5 BIG-IP, Citrix ADC and Gateway, Microsoft Windows, and others that are being actively exploited. It is critical for network defenders to prioritize patching known vulnerabilities and implementing mitigations like disabling unnecessary services and enabling robust logging.
Learn what makes SCADAguardian (the Nozomi Networks flagship technology) so unique and powerful. From enterprise IT, to OT, we enable scalable security strategies for ICS.
This document provides an overview of SCADA (Supervisory Control and Data Acquisition) security challenges and strategies. It describes common SCADA system components and functionality. It then discusses increasing cyber threats to SCADA systems from sources like hostile governments and employees. The document outlines various physical and cyber vulnerabilities in SCADA systems and components. It recommends security standards from organizations like NIST, ISA, and NERC to help mitigate risks. The document also provides guidelines on physical asset security and cybersecurity strategies.
This document discusses Internet of Things (IoT) cybersecurity compliance solutions and international security standards and certifications. It provides an overview of regulations and standards in the US and EU, including the EU Cybersecurity Act, ETSI EN 303 645, and FDA guidance on medical device cybersecurity. International security certifications like Common Criteria, FIPS 140-3, and IEC 62443 are summarized. Customer requirements from companies like Amazon and industry alliances like CTIA are covered. The document concludes with how manufacturers can respond by using Onward Security's security standards library and key factors for product security.
ICC's unified IP data networking solution also layers security features into its solution, with a range of capabilities for the customer to select from. Inclusive of WDS, VLANs, DoS attack prevention, and a host of other capabilities, ICC's icXchange networking solutions are full-featured without additional licensing for enterprise features.
ICC's security philosophy is based on creating multiple layers of security to make hacking financially unwise. This includes edge devices with built-in firewalls and intrusion detection, controller-based aggregation layers with authentication, encryption, and advanced routing options, and broadband connectivity using military-grade encryption. The solution helps customers maintain PCI compliance by providing wireless scanning, rogue access point detection and mitigation, wireless usage enforcement, and network segmentation.
This document discusses network monitoring and network security. It begins by defining network monitoring as the oversight of a computer network using specialized management software tools to ensure network availability and performance. It then discusses how network monitoring tools like Wireshark can be used to monitor network traffic and troubleshoot issues. Finally, it outlines different types of network security measures that can be implemented, such as firewalls, antivirus software, and network segmentation to protect networks from malicious threats and exploits.
Similar to Mobile Devices & BYOD Security – Deployment & Best Practices
Cisco Connect Montreal 2018 - Network Slicing: Horizontal Virtualization, by Cisco Canada
The document discusses network slicing, which is the next step in virtualization for 4G/5G mobile networks. Network slicing allows the core network to be partitioned into multiple logical networks or "slices", each with its own network functions to support the requirements of different services. This approach enables network resources and functions to be allocated to specific services or customer segments in a flexible manner. It reduces complexity compared to existing networks that must support many different services and customers on a single common infrastructure. The key benefits of network slicing include improved network agility and the ability to support diverse service requirements.
The document summarizes a Cisco presentation on next-generation datacenter security. It discusses how the majority of security teams' time is spent securing servers and data in the datacenter. It then covers challenges such as budget constraints, product overload, and complexity of threats. The presentation introduces Cisco's architectural approach to datacenter security focusing on threat prevention, visibility, segmentation, threat intelligence, automation, and analytics. It provides examples of Cisco solutions that integrate to deliver firewall, access control, analytics, and other capabilities.
Cisco Connect Montreal 2018: Global Vision, Local Analysis, by Cisco Canada
The document discusses Cisco's multi-cloud strategy and products. It introduces Cisco Container Platform (CCP) as a solution that automates deploying, running, and operating containers on physical or virtual machines. CCP is based on Kubernetes and provides integrated networking, management, security and analytics capabilities while allowing containers to run in hybrid cloud environments across VM, bare metal, Cisco HyperFlex, ACI and public clouds.
Cisco Connect Montreal 2018 Security: Securing Your Mobility with Cisco, by Cisco Canada
The document discusses Cisco's solutions for securing mobility, including Meraki SM, Cisco AMP for Endpoint, Cisco Umbrella, Cisco Cloudlock, Cisco Cloud Email Security, Cisco Threat Response, Identity Service Engine, and Cisco DUO Security. Representatives from Cisco provide overviews of each solution for securing users, data, and applications across SaaS, PaaS, and IaaS environments.
Cisco Connect Montreal 2018 Collaboration: Webex Hybrid Services, by Cisco Canada
Cisco Connect Montreal provided information on Cisco's Webex Hybrid Services which allow for integration between on-premises and cloud collaboration solutions. The key services discussed included Hybrid Directory Service for user synchronization, Hybrid Calendar Service for calendaring integration, Hybrid Call Service for calling capabilities, Hybrid Message Service for messaging interoperability, and the new Cisco Webex Edge service for enhanced audio, video mesh, and media experiences.
Integration cisco et microsoft connect montreal 2018Cisco Canada
The document discusses Cisco and Microsoft integrations for collaboration. It describes major areas of integration including calling, messaging, meetings, email/calendar, content management, and instant messaging. It provides details on Cisco and Microsoft integrations for meetings, with examples of joining internal and external participants. The document also discusses Cisco Spark and Webex capabilities for open collaboration across organizations and platforms.
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
This document summarizes a presentation on model-driven programmability for Cisco IOS XR. The presentation covers data models, management protocols like NETCONF and gRPC, the YANG Development Kit (YDK) SDK, and telemetry. It defines key concepts like model-driven manageability, native and open data models, protocol operations, and the benefits of the YDK for simplifying application development through model-driven abstractions. Example code demonstrates basic YDK usage and a potential peering configuration use case is outlined. Resources for further information are also provided.
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
The document discusses Cisco SD-WAN and its advantages over traditional and legacy WAN architectures. It highlights how Cisco SD-WAN uses a centralized control plane and software-defined intelligence to provide automated, predictive, and intent-based networking. This allows for flexible, scalable, and secure connectivity across hybrid WAN transports in a way that is simpler to manage and operate than hardware-centric WAN solutions.
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
The document discusses Cisco's DNA Center and its capabilities for automating network management. It covers:
- Why intent-based networking is needed to reduce costs and errors from manual network changes
- How DNA Center supports intent-based networking by allowing administrators to define policies and have them automatically implemented across the network
- Key automation use cases DNA Center addresses like onboarding new devices, managing software upgrades, creating configuration templates, and deploying wireless networks
- Demonstrations of DNA Center's capabilities for plug-and-play deployment, software management, template configuration, and wireless provisioning
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
Robert Barton from Cisco presented on Cisco Kinetic, an IoT analytics platform. Cisco Kinetic consists of three modules: the Gateway Management Module for onboarding and managing IoT gateways at scale, the Edge and Fog Processing Module for analyzing IoT data in real-time at the edge, and the Data Control Module for securely routing IoT data between edge, fog, and cloud according to data policies. Cisco Kinetic aims to enable end-to-end IoT analytics across the entire network from device to cloud.
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
Hank Preston, a Cisco engineer, gave a presentation on DevNet and how it is helping developers. He discussed how DevNet has grown significantly, now with over 100,000 members and 500,000 learning labs completed. DevNet provides resources like APIs, sandboxes, and training to help developers build applications and automate networks. Preston emphasized that networks are becoming more programmable and automated through DevNet tools and platforms.
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
The document discusses Cisco's DNA Assurance solution. It provides an agenda that covers business requirements, context, learning, user requirements, technology requirements, and the various components of DNA Assurance including client assurance, network assurance, application assurance, and machine learning. It discusses challenges around network operations including time spent troubleshooting and replicating issues. It also covers how DNA Assurance uses concepts like context, learning, and design thinking to provide insights and automate remediation.
Cisco Connect Toronto 2018 network-slicingCisco Canada
The document discusses network slicing, which is the partitioning of network resources and functions to run selected applications, services, or connections in isolation from each other for specific business purposes. This allows mobile operators to offer virtual private networks on a common infrastructure through network slicing on an end-to-end basis across access, transport, and core networks. Slicing enables new revenue opportunities through network slices optimized for different vertical industries while simplifying service delivery and management.
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
The document discusses Cisco Meraki's intelligent network and SD-WAN capabilities. It highlights that Meraki has over 14,000 customers using its SD-WAN, it has a renewal rate over 95%, and its newest product is WAN assurance. The presentation provides an overview of Meraki's cloud-managed solutions for wireless, switching, security, and other IT functions. It demonstrates Meraki's network monitoring and troubleshooting tools through examples and a demo of its capabilities.
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
The document discusses automating security tasks through various solutions from Cisco. It introduces the Cisco Advanced Malware Protection (AMP) solution, which uses machine learning to detect known and unknown malware across endpoints, networks, and email. It also introduces Cisco Cognitive Threat Analytics, which analyzes web traffic using machine learning to detect anomalous and malicious activity inside organizations. The document provides examples of how these solutions can automate tasks like hunting for threats, detecting anomalies, and attributing suspicious activity to specific entities. It includes demos of the AMP and Cognitive Intelligence user interfaces.
Details of description part II: Describing images in practice - Tech Forum 2024BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5 -10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
An invited talk given by Mark Billinghurst on Research Directions for Cross Reality Interfaces. This was given on July 2nd 2024 as part of the 2024 Summer School on Cross Reality in Hagenberg, Austria (July 1st - 7th)
Support en anglais diffusé lors de l'événement 100% IA organisé dans les locaux parisiens d'Iguane Solutions, le mardi 2 juillet 2024 :
- Présentation de notre plateforme IA plug and play : ses fonctionnalités avancées, telles que son interface utilisateur intuitive, son copilot puissant et des outils de monitoring performants.
- REX client : Cyril Janssens, CTO d’ easybourse, partage son expérience d’utilisation de notre plateforme IA plug & play.
Transcript: Details of description part II: Describing images in practice - T...BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Best Practices for Effectively Running dbt in Airflow.pdfTatiana Al-Chueyr
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models.
This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code. We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
Implementations of Fused Deposition Modeling in real worldEmerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...Toru Tamaki
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models" arXiv2023
https://arxiv.org/abs/2307.12980
Advanced Techniques for Cyber Security Analysis and Anomaly DetectionBert Blevins
Cybersecurity is a major concern in today's connected digital world. Threats to organizations are constantly evolving and have the potential to compromise sensitive information, disrupt operations, and lead to significant financial losses. Traditional cybersecurity techniques often fall short against modern attackers. Therefore, advanced techniques for cyber security analysis and anomaly detection are essential for protecting digital assets. This blog explores these cutting-edge methods, providing a comprehensive overview of their application and importance.
7 Most Powerful Solar Storms in the History of Earth.pdfEnterprise Wired
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
The Rise of Supernetwork Data Intensive ComputingLarry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
Choose our Linux Web Hosting for a seamless and successful online presencerajancomputerfbd
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently.
Visit- https://onliveserver.com/linux-web-hosting/
How Social Media Hackers Help You to See Your Wife's Message.pdfHackersList
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
Mitigating the Impact of State Management in Cloud Stream Processing SystemsScyllaDB
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states.
In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing.
Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.
Mitigating the Impact of State Management in Cloud Stream Processing Systems
Mobile Devices & BYOD Security – Deployment & Best Practices
2. Mobile Devices and BYOD Security:
Deployment and Best Practices
BRKSEC-2045
Sylvain Levesque
Security Consulting Systems Engineer
slevesqu@cisco.com
5. Cisco and/or its affiliates. All rights reserved.BRKSEC-2045 Cisco Public
Test bed Used
A number of tests were conducted for this session to document the behavior of mobile devices with different Cisco security solutions.
A group of devices under test was used to represent the major mobile platforms on the market today. Recent releases of operating systems were used and therefore the behavior documented in this presentation might vary with older OS releases.
Devices under test:
- Toshiba AT300 tablet: Android ICS 4.0.3
- Samsung Galaxy Tab2: Android 4.1+
- Samsung Nexus/Google: Android JB 4.4+
- Samsung Galaxy S2/SS: Android JB 4.1.2
- RIM/Blackberry Bold 9900: BlackBerry 7.1.0
- RIM/Blackberry Z10: BlackBerry 10.0.10+
- Microsoft Surface: Windows 8 RT+
- Apple iPad3 tablet: iOS 6.1.2+
Infrastructure: Anyconnect 3.x, ASA 9.1(4), WSA 7.5(0)-833, ISE 1.2, Airwatch Cloud-Based MDM 6.3.1.2, Microsoft Certificate Services on Windows 2008 Enterprise R2
*ICS=Ice Cream Sandwich *JB=Jelly Bean
7. Mobile Devices Market
Android currently dominates the Mobile OS market followed by iOS
While iOS devices are pretty current, a large percentage of Android devices still use outdated releases that could be subject to security vulnerabilities
(Charts: iOS Versions, source: IDC; Android Versions, source: developer.android.com)
8. State of Malware
Interesting statistics can be found on malware, exploits and mobile devices in this report:
• Malware on Android up 2,577%
• 99% of mobile malware target Android
• Encounters with web malware: 70% Android, 22% Apple iOS
• Malware on mobile devices: 1.2% of all web malware found (up from 0.42%)
• Most exploits with Java: sparse support on mobile devices
The Cisco 2014 Annual Security Report describes the evolution of exploits and malware and is a great reference for any IT or Security professional:
http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
10. Other Interesting Facts and Conclusions
25% of malware on mobile devices comes from porn sites…
• Phishing: still a major malware infection vector as with PCs
• Users click on a link in an email that has them installing an App from an untrusted application store
Typical exploits on Android:
• subscription to premium SMS services
• botnet infection and remote control
• banking information theft
2012 -> first Android botnet in the wild
2013 -> large Android botnets observed in China (1 million + devices)
The use of non-managed mobile devices could expose your organization to infection or data theft (Android or others)
Cisco Annual Security Report:
“The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not “root” or “jailbreak” their devices, and only install applications from official and trusted distribution channels”
12. Network-Based Authentication using 802.1X - Review
802.1X is used to provide authentication of a user or a device to the network
3 main components are involved in an 802.1X authentication:
- Supplicant: Provides Identity Information to the network. Supplicant software is embedded in all modern Operating Systems. Ex: Apple iOS, Android, Windows 8, etc.
- Authenticator: Device that controls access to the network, participates in the initial EAP (Extensible Authentication Protocol) exchange and acts as a relay between the Supplicant and the Authentication Server. Ex: Switch, Wireless Controller
- Authentication Server: RADIUS Server that validates the identity information provided and sends authorization attributes such as a VLAN, Access-List, Session timeout, URL for redirection. The identity can be optionally validated by an external Identity Store. Ex: ISE, ACS
(Diagram: Supplicant <- EAP/WPA2 -> Authenticator <- EAP over RADIUS -> Authentication Server (RADIUS); the EAP session runs end-to-end between the Supplicant and the Authentication Server, with the Authenticator relaying it)
13. 802.1X Identity Information Types
Different types for different mobility use cases:
1. Username/Password Combination
- User authentication (also Machine Auth for Windows)
- Active Directory/LDAP/RADIUS ID Stores
- EAP types: PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST
2. Two-Factor Authentication
- Something you know, you have, you are
- Mostly for user authentication
- RSA SecurID and other token-based ID Systems
- EAP types: PEAP-GTC, EAP-FAST/EAP-GTC
3. Digital Certificates
- Signed/emitted by a public or private Certificate Authority
- Can be used for user and/or device authentication
- Microsoft AD Certificate Services, Entrust, Verisign, etc.
- EAP types: EAP-TLS, EAP-FAST
Acronyms: EAP = Extensible Authentication Protocol; PEAP = Protected EAP; GTC = Generic Token Card; FAST = Flexible Authentication via Secure Tunneling; TLS = Transport Layer Security
14. Device & User Authentication/Authorization
(Diagram) Machine AuthC: PEAP-MSCHAPv2* or EAP-TLS, identity host/MTLLAB-W500 (phase 1). User AuthC: PEAP-MSCHAPv2 or EAP-TLS, identity CISCOslevesqu (phase 2). The diagram marks two options: "1 + 2 phases possible" (same EAP type with the native supplicant) and "1 phase only".
(Diagram) Certificate-based AuthC/AuthZ: with PEAP-MSCHAPv2 or EAP-TLS and a certificate carrying CN=slevesqu and SAN=00:21:6A:AB:0C:8E, the same credential is shown serving User AuthC, User AuthZ, Hybrid AuthZ and Device AuthZ.
*Windows RT/Phone can not join Active Directory and can not use PEAP-MSCHAPv2 for Machine Authentication
AuthC=AuthentiCation, AuthZ=AuthoriZation, CN=Common Name, SAN=Subject Alternate Name
15. 2-Factor Authentication Workaround with 802.1X and Central Web Authentication
(Diagram, both steps handled by ISE)
1. 802.1X EAP-TLS authentication with Certificate - Factor 1: Device Certificate!!!
2. Central Web Authentication with User AD Account - Factor 2: Employee User Credentials!!!
16. Common 802.1X EAP Types and Compatibility
EAP-Type        Win 8 Pro/Enterprise  Win RT  Apple iOS  Android  BB7/10  ACS 5.x  ISE 1.x  AD   LDAP
EAP-TLS         Yes                   Yes     Yes        Yes      Yes     Yes      Yes      Yes  Yes
PEAP-MSCHAPv2   Yes                   Yes     Yes        Yes      Yes     Yes      Yes      Yes  No
PEAP-EAP-GTC    No(1)                 No      Yes        Yes      Yes     Yes      Yes      Yes  Yes
EAP-FAST        No(1)                 No      Yes(2)     No(3)    Yes     Yes      Yes      Yes  No
1. Supported through 3rd-party supplicants such as Anyconnect NAM
2. Configuration required through Apple Configuration Utility or MDM
3. No native support. Supported through Cisco Compatible Extensions (CCX) with specific mobile devices manufacturers. More information: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
No native support for token based systems such as RSA SecurID
More on 802.1X! BRKSEC-2691: Identity Based Networking: IEEE 802.1X and beyond
17. 802.1X Configuration: PEAP-MSCHAPv2 User Authentication Example
(Screenshots of the device-side supplicant configuration, numbered steps 1 to 6; one step uses a touch-and-hold gesture)
19. ISE Profiler Review
The ISE Profiler service uses a number of probes to capture the traffic generated by an endpoint device
It then extracts information from this traffic and compares patterns with profiling rules that are either pre-defined or custom-built to match an endpoint type and a profile
An Authorization rule can then use this information to assign network access privileges based on the device profile (iPhone/iPad vs Android vs Blackberry vs Windows)
Probe     Data Provided
RADIUS    OUI, MAC Address
DHCP      DHCP attributes, hostname
DNS       FQDN, hostname
HTTP      User-Agent
NMAP      OS fingerprint
NETFLOW   TCP/UDP ports used
SNMP      MIB strings
(Callout on the table: Probes Currently Used to Profile Mobile Devices)
More on Profiling!! BRKSEC-3698: Advanced ISE and Secure Access Deployment
20. Example of Profiling Rules for iPad
(Screenshot of the ISE profiling policy for the iPad endpoint type)
21. Analyzing HTTP User Agents
Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19
The annotated fields of this User-Agent, left to right:
- Compatibility with Mozilla’s Rendering Engine: Mozilla/5.0
- OS and Version: Linux; Android 4.0.3
- Device Model: AT300 Build/IML74K
- HTML Layout Engine: AppleWebKit/535.19 (KHTML, like Gecko)
- Browser and Extensions: Chrome/18.0.1025.166 Safari/535.19
22. Sample HTTP User Agents
Apple iPad
Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
Windows RT
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)
Android Samsung Tab2 tablet
Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Android LG Google Nexus 5 smartphone
Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36
Blackberry Z10 smartphone
Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+
View your own user-agent at: http://whatsmyuseragent.com!!
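As an added example that is not part of the BRKSEC-2045 deck, the Python script below applies HTTP-probe style profiling rules to the sample User-Agent strings above (plus the Toshiba AT300 string from the previous slide): it extracts platform, OS version, device model, browser and device class, the same fields an authorization rule would key on, and flags endpoints whose OS is below a per-platform floor. The rule names, the regular expressions and the MINIMUM_OS_VERSION thresholds are assumptions made for this example, not ISE's built-in profiling policies; the script goes slightly beyond the slide by handling both the Chrome-style and the stock WebKit-style Android strings.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample User-Agent strings reproduced from the slides (the deck's own captures).
SAMPLE_USER_AGENTS = {
    "Apple iPad": "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 "
                  "(KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53",
    "Windows RT": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)",
    "Samsung Tab2": "Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) "
                    "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30",
    "Nexus 5": "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36",
    "BlackBerry Z10": "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) "
                      "Version/10.2.1.1925 Mobile Safari/537.35+",
    "Toshiba AT300": "Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 "
                     "(KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19",
}


@dataclass
class EndpointProfile:
    platform: str               # Android, Apple-iOS, Windows-RT, BlackBerry-10 or Unknown
    os_version: Optional[str]   # e.g. "4.4.2"; None when the UA does not carry it
    model: Optional[str]        # e.g. "Nexus 5"; None when the UA does not carry it
    browser: Optional[str]      # e.g. "Chrome 33.0.1750.166"
    device_class: str           # tablet, phone or unknown


# Ordered platform rules (assumed for this example): the first match wins, so the
# specific tokens (iOS "CPU OS", IE on ARM = Windows RT) are tested before generic ones.
PLATFORM_RULES = [
    ("Apple-iOS", re.compile(r"\((?P<model>iPad|iPhone|iPod)[^;)]*;[^)]*?CPU (?:iPhone )?OS (?P<ver>\d+(?:_\d+)*)")),
    ("Windows-RT", re.compile(r"Windows NT (?P<ver>\d+\.\d+); ARM")),
    ("Android", re.compile(r"Android (?P<ver>\d+(?:\.\d+)*)[;)]")),
    ("BlackBerry-10", re.compile(r"\(BB10;")),
]
ANDROID_MODEL_RE = re.compile(r"; (?P<model>[^;)]+?) Build/")
BROWSER_RE = re.compile(r"(?P<name>Chrome|MSIE|Version)[/ ](?P<ver>[\d.]+)")
BROWSER_NAMES = {"Chrome": "Chrome", "MSIE": "Internet Explorer", "Version": "WebKit/Safari"}

# Constructed policy floors for illustration; a real deployment derives them from its patch baseline.
MINIMUM_OS_VERSION = {"Android": "4.1", "Apple-iOS": "7.0"}


def _browser(ua: str) -> Optional[str]:
    m = BROWSER_RE.search(ua)
    return f"{BROWSER_NAMES[m.group('name')]} {m.group('ver')}" if m else None


def _device_class(platform: str, model: Optional[str], ua: str) -> str:
    if platform == "Apple-iOS":
        return "tablet" if model == "iPad" else "phone"
    if platform in ("Android", "BlackBerry-10"):
        # WebKit/Chrome convention: phones carry the "Mobile" token, tablets do not.
        return "phone" if " Mobile" in ua else "tablet"
    if platform == "Windows-RT":
        return "tablet"   # assumption: Windows RT shipped only on ARM tablets/convertibles
    return "unknown"


def profile_user_agent(ua: str) -> EndpointProfile:
    """Classify one HTTP User-Agent the way an HTTP-probe profiling rule would."""
    for platform, rule in PLATFORM_RULES:
        m = rule.search(ua)
        if not m:
            continue
        groups = m.groupdict()
        version = groups.get("ver")
        model = groups.get("model")
        if platform == "Apple-iOS":
            version = version.replace("_", ".")      # iOS writes 7_0_4 for 7.0.4
        elif platform == "Android":
            mm = ANDROID_MODEL_RE.search(ua)          # model sits before "Build/" when present
            model = mm.group("model") if mm else None
        return EndpointProfile(platform, version, model, _browser(ua),
                               _device_class(platform, model, ua))
    return EndpointProfile("Unknown", None, None, _browser(ua), "unknown")


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_outdated(profile: EndpointProfile, minimum: dict = MINIMUM_OS_VERSION) -> bool:
    """True when the endpoint's OS is below the floor set for its platform."""
    floor = minimum.get(profile.platform)
    if floor is None or profile.os_version is None:
        return False
    return _version_tuple(profile.os_version) < _version_tuple(floor)


if __name__ == "__main__":
    for name, ua in SAMPLE_USER_AGENTS.items():
        p = profile_user_agent(ua)
        print(f"{name:14} {p.platform:13} os={p.os_version} model={p.model} "
              f"browser={p.browser} class={p.device_class} outdated={is_outdated(p)}")
```

The User-Agent is self-reported by the client, so a result from this probe alone is a hint, not an identity: ISE combines it with the RADIUS (OUI/MAC) and DHCP probes listed on the previous slide before assigning a profile, and the certificate-based authorization shown later is what actually binds a device to its permissions.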
23. Viewing Endpoint Profiling Data
(Screenshots of the ISE endpoint page showing the collected profiling data)
25. Certificates, Trust and 802.1X
Public Key Infrastructure (PKI) uses the concept of trusted Certification Authorities (CA). A list of public CAs on the Internet is embedded in the certificate store as Trusted Roots in every device
Many organizations typically deploy a private enterprise Certification Authority that allows them better control and scalability. The Root Certificate and certification chain of this private CA has to be provisioned in corporate devices in order for them to trust it
Non-corporate mobile devices will not trust the certificates generated by a private CA by default, and the 802.1X behavior of mobile devices in this scenario will vary:
– Apple iOS: User notification -> users might refuse to install the certificate and call the help desk
– Android: Will accept non-trusted certificates by default without warning!
– Windows RT/8: User notification -> users might refuse it as well
– Blackberry 7: No notification -> Access rejected
– Blackberry 10: Will accept non-trusted certificates by default without warning!
Windows RT/8 and BB 7: Validation of the server certificate can be disabled for PEAP/EAP-TLS. Useful for lab testing or proof-of-concept, but not recommended for production where we should use certificates from Public CAs to avoid end user issues
26. Certificates Installation and Enrollment
Non-trusted Root and user/device Certificates can be created and provisioned on mobile devices using a number of methods that can be manual or automated:
– Copy it to the device. Ex: Corporate mobile devices
– Push computer or user certificates through Group-Policy Objects (GPOs) for Windows corporate devices
– The administrator can create the certificate or email it to the user of the device. Ex: BYOD personal device
– Certificate Server web portal (administrator or user)
The certificate creation and provisioning can be automated with the Simple Certificate Enrollment Protocol (SCEP). A few options are available:
– SCEP from the mobile device itself (support varies by mobile platform)
– SCEP with the Anyconnect VPN client
– SCEP Proxy with the Anyconnect VPN client and the ASA
– Identity Services Engine (ISE) with the Onboarding service for 802.1x, SCEP with Mobile Device Management solutions
27. Certificate Enrollment using SCEP and VPN
SCEP with Anyconnect: the client builds the IPSec/SSL tunnel and sends the SCEP Request itself to the CA (Anyconnect Profile: SCEP Host = myCA.bn-lab.local)
• Initiated by the user
• No Certificate renewal
• Needs direct access to CA
• Requires Anyconnect 2.4+
SCEP Proxy with Anyconnect and the ASA: the client sends the SCEP Request through the IPSec/SSL tunnel to the ASA, which 1. performs policy enforcement and 2. inserts the machine device-id from posture, then forwards the SCEP Request to the CA (ASA SCEP Proxy)
• Controlled by the head-end (ASA)
• Pre-enrollment policy enforcement
• Device-ID for Authorization
• Automatic Certificate renewal
• Only ASA communicates with CA
• Requires Anyconnect 3.0+
28. Onboarding with ISE on Wired/WLAN
(Diagram) Components: Mary's personal asset, Access Point, Wireless LAN Controller, ISE, AD/LDAP, CA; SSID: BYOD-Secure
1. Mary connects to the Secure SSID (User Name = Mary, Password = *******)
2. Redirect to Self Provisioning Portal
3. Register Device, Provision Certificate, Configure Supplicant
Mary Reconnects to Secure SSID
N.B.: A dual-SSID option can also be used where the 2nd Open SSID is used for the onboarding process
29. ISE Authorization Using Certificate Attributes
Registered Devices: Indicates the device went through the BYOD onboarding process
Network Access only allows EAP-TLS authentication with Certificate
The Radius attribute Calling-Station-ID contains the MAC address of the device, which is compared against the SAN in the Certificate
The AD username is read from the Subject-Name and sent to AD, where its attributes are retrieved for authorization
Different Permissions Assigned (VLAN, ACLs, etc)
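The authorization rule on this slide, written out as an added example (this is not Cisco ISE code, and the attribute names, the directory lookup and the sample values are constructed for the illustration). It assumes ISE has already validated the EAP-TLS certificate chain, and shows the three checks in order: Calling-Station-Id against the SAN (with MAC notation normalized so the comparison cannot fail on formatting), registered-device membership, then AD group lookup on the subject CN to pick the VLAN and ACL.

```javascript
// Added example, not Cisco ISE code: a model of the authorization rule the slide
// describes, run over RADIUS attributes and the fields of an already-validated
// EAP-TLS client certificate. Attribute names, the directory lookup and the
// sample values are constructed for this illustration.

// Normalize any common MAC notation ("00-11-22-33-44-AA", "0011.2233.44aa",
// "00:11:22:33:44:aa") to twelve lowercase hex digits so the RADIUS
// Calling-Station-Id and the value found in the certificate SAN compare reliably.
// Returns null for anything that is not a MAC address.
function normalizeMac(value) {
  const hex = String(value).replace(/[^0-9a-fA-F]/g, "").toLowerCase();
  return hex.length === 12 ? hex : null;
}

// ISE reads the AD username from the Subject-Name; here the parsed subject is an
// object keyed by attribute and the username is taken from its CN.
function usernameFromSubject(subject) {
  const cn = subject && subject.CN;
  return typeof cn === "string" && cn.length > 0 ? cn : null;
}

// Authorization decision.
//   request           RADIUS attributes of the access request
//   cert              parsed client certificate (null if none was presented)
//   lookupGroups      directory lookup: username -> array of AD groups, or null
//   registeredDevices Set of normalized MACs that completed BYOD onboarding
function authorize(request, cert, lookupGroups, registeredDevices) {
  // Network access only allows EAP-TLS with a certificate.
  if (request.eapMethod !== "EAP-TLS" || !cert) {
    return { access: "reject", reason: "certificate (EAP-TLS) authentication required" };
  }
  // Calling-Station-Id must match a MAC carried in the certificate SAN, which
  // binds the certificate to the device it was issued to.
  const callerMac = normalizeMac(request.callingStationId);
  const sanMacs = (cert.subjectAltNames || []).map(normalizeMac).filter(Boolean);
  if (!callerMac || !sanMacs.includes(callerMac)) {
    return { access: "reject", reason: "Calling-Station-Id does not match certificate SAN" };
  }
  // The device must be a Registered Device (went through BYOD onboarding).
  if (!registeredDevices.has(callerMac)) {
    return { access: "reject", reason: "device not registered through BYOD onboarding" };
  }
  // Username from the subject, then AD group membership for authorization.
  const user = usernameFromSubject(cert.subject);
  const groups = user ? lookupGroups(user) : null;
  if (!groups) {
    return { access: "reject", reason: "subject CN is not a known AD user" };
  }
  // Different permissions (VLAN, ACL) per group.
  if (groups.includes("Employees")) {
    return { access: "accept", user, vlan: 10, acl: "EMPLOYEE-ACL" };
  }
  return { access: "accept", user, vlan: 20, acl: "RESTRICTED-ACL" };
}

// Constructed sample data (not from a real deployment).
const sampleGroups = { mary: ["Domain Users", "Employees"], contractor1: ["Domain Users", "Contractors"] };
const sampleLookupGroups = (user) => sampleGroups[user] || null;
const sampleRegistered = new Set(["0011223344aa", "0011223344bb"]);
const maryCert = { subject: { CN: "mary", O: "Example Corp" }, subjectAltNames: ["00-11-22-33-44-AA"] };
const contractorCert = { subject: { CN: "contractor1", O: "Example Corp" }, subjectAltNames: ["00-11-22-33-44-BB"] };
const maryRequest = { eapMethod: "EAP-TLS", callingStationId: "0011.2233.44aa" };
```

The order of the checks matters for the result a defender sees in the logs: a certificate presented from a different MAC is rejected before any directory lookup happens, so a copied certificate never produces an AD query under the victim's name.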
30. Certificates Installation Summary
Method                 | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7 | BB10
Email                  | Yes | Yes | Yes     | No (1) | Yes | No
Copy To Device         | Yes | Yes | Yes (2) | Yes    | Yes | Yes
Web (CA Server)        | Yes | Yes | Yes     | Yes    | Yes | No
Anyconnect SCEP        | Yes | No  | Yes     | Yes    | No  | No
SCEP Proxy             | Yes | No  | Yes     | Yes    | No  | No
ISE Onboarding (3)     | Yes | No  | Yes     | Yes    | No  | No
(1) Can not be installed from email directly but can be saved and installed from storage
(2) Via the iPhone Configuration Utility or an MDM
(3) More details on supported platforms: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
31. Certificate Management
[Screenshots of the on-device certificate management steps with numbered callouts, including Swipe-In; no further text is recoverable]
33. ASA Remote Access VPN Options review
Clientless SSL: Basic Web, Email and CIFS Access; Customized User Screen
Thin-Client SSL: Plugins (SSH, VNC, Telnet, RDP, Citrix); Smart Tunnels
Client-Based SSL or IPSec: AnyConnect
34. Citrix Mobile Receiver Support
ASA release 9.0 introduces the support of the Citrix Mobile Receiver application directly in clientless SSLVPN for most desktop OSes and for Apple iOS and Android
– Allows the ASA to communicate directly to XenApp 6.5 or XenDesktop 5.5, 5.6
[Diagram: User Device connected using Citrix Online Plug-Ins, over the Internet, through a Firewall to the Access Gateway (Cisco ASA), then to the Web Interface installed behind the Access Gateway and the Server Farm]
35. Websockets HTML5 Access
ASA release 9.1(4) introduces the support of Websockets and HTML5 proxy
Enables a “fully clientless” solution homogeneously across different OSes using a browser that supports HTML5 – No more dependencies on Java and ActiveX!
Uses 3rd-party Websockets gateways that convert HTML5 to a client protocol such as RDP/VNC/etc
The HTML5 resource is a simple bookmark accessed on the ASA clientless Web Portal
[Diagram: Mobile Device with an HTML5 browser, over the Internet, SSL to the ASA, SSL to the Websockets Gateway/Server in the Data Center, then RDP, VNC, CIFS, etc to the Intranet Application]
36. Mobile Devices VPN Support Summary
Method                              | Win 8 Pro/Enterprise | Win RT/Phone | Apple iOS | Android   | BB7/10
Anyconnect – SSL transport          | Yes | No (1) | Yes       | Yes       | No (1)
Anyconnect – IPSec/IKEv2            | Yes | No (1) | Yes       | Yes       | No (1)
Websockets – HTML5                  | Yes | Yes    | Yes       | Yes       | Yes
Native VPN support                  | Yes | Yes    | Yes       | Yes       | No
Clientless/Smartunnels/Plugins      | Yes | No     | No        | No        | No
Clientless – Mobile Citrix Receiver | No  | No     | Yes (v4+) | Yes (v2+) | No
(1) RIM/BB and Microsoft do not allow the development of Anyconnect (or other VPN clients) on BBOS and Windows RT/Phone
• For more detailed information on device/OS support, please consult the ASA Supported VPN Platforms document:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp177602
• For more information on features supported on Anyconnect with Android and Apple iOS, please consult their respective release notes:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-android.html
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html#wp1148532
37. Corporate vs BYOD
How can I apply different access policies to a corporate device and a personal BYOD?
How can I prevent a personal BYOD from connecting to my network?
2 methods can be used to match device-specific identity information that will allow a differentiation of policies:
1. Use of certificates for authentication and authorization: Certificate attributes can be defined for use cases like Corporate & BYOD. These attributes can be matched to different authorization policies in the ASA and ISE
2. With posture: The posture service on the ASA for VPN and ISE can gather information on the device that can include the device type, OS type, processes/services running, Windows registry information, file information, certificate information.
– If a corporate device is for example only a Windows PC domain member, the posture service could look for a specific piece of information like the registry entry defining the AD Domain, something that a mobile device would not have
– If no mobile devices are to be allowed to connect, the posture service could use rules that would deny access to all mobile device types
38. Mobile Posture with Anyconnect
ASA Release 8.2(5) introduced the ability to pass posture endpoint attributes from Anyconnect to ASA Dynamic Access Policies (DAP)
Can be used to control VPN connections from mobile endpoints and assign them specific access policies.
Posture is also used with SCEP proxy in ASA 9.0 to embed unique device identity in certificate enrollment requests
The Mobile Endpoint attributes include:
‒ Version of the Anyconnect client (e.g. “3.0.x”)
‒ Client Platform (“apple-ios”, “android”, etc)
‒ Client OS version (e.g. “5.0”)
‒ Type of device (varies per client platform but can be used to differentiate iPad from iPhone)
‒ Device UniqueID (varies per client platform, consists of Device UDID for iOS, opaque hash of IMEI/MEID/ESN or MAC+AndroidID for Android mobiles)
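Added example covering both the posture-based differentiation of slide 37 and the mobile endpoint attributes listed here: a model of how DAP records could be selected from those attributes. This is not ASA code (the ASA's DAP engine is configured through its GUI and CLI, shown on the following slides); the record format, the corporate device inventory and the sample endpoints are constructed for the illustration. It shows the two details that are easy to get wrong in such policies: version strings must be compared numerically rather than as text, and the no-match default should terminate the session so an unrecognized device is never granted access by omission.

```javascript
// Added example, not ASA code: a model of Dynamic Access Policy (DAP) record
// selection over the mobile endpoint attributes listed above. The record
// format, the corporate device inventory and the sample endpoints are
// constructed for this illustration.

// Compare dotted version strings numerically, so "3.0.10" ranks above "3.0.9"
// and "5.0" equals "5.0.0". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split(".").map((n) => parseInt(n, 10) || 0);
  const pb = String(b).split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A record matches only when every condition it states holds. Conditions:
// platforms (list of client platforms), minClientVersion, minOsVersion,
// deviceTypes (list, e.g. to separate iPad from iPhone) and
// requireInventoried (the Device UniqueID must be in the corporate inventory).
function recordMatches(record, endpoint, inventory) {
  const c = record.conditions;
  if (c.platforms && !c.platforms.includes(endpoint.platform)) return false;
  if (c.minClientVersion && compareVersions(endpoint.clientVersion, c.minClientVersion) < 0) return false;
  if (c.minOsVersion && compareVersions(endpoint.osVersion, c.minOsVersion) < 0) return false;
  if (c.deviceTypes && !c.deviceTypes.includes(endpoint.deviceType)) return false;
  if (c.requireInventoried && !inventory.has(endpoint.uniqueId)) return false;
  return true;
}

// Records are tried in priority order and the first match wins. With no match
// the default policy applies; making that default terminate the session means an
// unrecognized or out-of-date device is never granted access by accident.
function selectPolicy(records, endpoint, inventory) {
  const ordered = [...records].sort((a, b) => a.priority - b.priority);
  const hit = ordered.find((r) => recordMatches(r, endpoint, inventory));
  return hit
    ? { name: hit.name, action: hit.action, acl: hit.acl }
    : { name: "DfltAccessPolicy", action: "terminate", acl: null };
}

// Constructed policy set: inventoried corporate iPads get full access, other
// current iOS/Android devices get a restricted ACL, everything else is terminated.
const samplePolicies = [
  { name: "corp-ipad", priority: 10, action: "continue", acl: "CORP-FULL",
    conditions: { platforms: ["apple-ios"], deviceTypes: ["iPad"], minOsVersion: "5.0", requireInventoried: true } },
  { name: "byod-mobile", priority: 20, action: "continue", acl: "BYOD-RESTRICTED",
    conditions: { platforms: ["apple-ios", "android"], minClientVersion: "3.0", minOsVersion: "4.0" } },
];
// Constructed inventory of Device UniqueIDs; real values are UDIDs or opaque hashes.
const sampleInventory = new Set(["UDID-CONSTRUCTED-0001"]);
const corpIpad = { platform: "apple-ios", clientVersion: "3.0.5", osVersion: "5.1", deviceType: "iPad", uniqueId: "UDID-CONSTRUCTED-0001" };
const personalIphone = { platform: "apple-ios", clientVersion: "3.0.5", osVersion: "5.0", deviceType: "iPhone", uniqueId: "UDID-CONSTRUCTED-0002" };
const oldAndroid = { platform: "android", clientVersion: "2.4.1", osVersion: "2.3", deviceType: "phone", uniqueId: "HASH-CONSTRUCTED-0003" };
```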
39. Mobile Posture Configuration
[Screenshot: Dynamic Access Policy configuration]
40. Mobile Posture Configuration
[Screenshot: Choose Anyconnect as the Endpoint Attribute Type]
41. Mobile Posture Configuration
[Screenshot: Select an Access Policy for the DAP defined]
42. Mobile VPN Authorization with Certificates
• Certificate maps can be used with the ASA to allow matching of received certificate DN values and then map them to a Connection Profile.
• Can be used with IPSec VPN and SSL VPN
• Can be used with the Local CA feature on the ASA or with certificates generated from a 3rd-party CA
• The following values from the certificate can be used for mapping:
1. Alt-subject-name
2. Subject-name
3. Issuer-name
4. Extended Key Usage (EKU) extensions
More on Certificates for VPN: BRKSEC-2053: Practical PKI for VPN
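How a certificate map turns the four values above into a Connection Profile choice, as an added example rather than the ASA's implementation. The rule operators reuse the ASA's certificate-map vocabulary (eq, ne, co, nc for equals, not equal, contains, does not contain); the DN strings, the profile names, the map entries and the case-insensitive comparison are constructed or assumed for this illustration. The point it makes is that an entry only matches when all of its rules hold, so a rule on the issuer is what keeps a certificate from an unrelated CA, however its subject is spelled, out of the corporate profile.

```javascript
// Added example, not the ASA implementation: evaluates certificate-map rules
// over subject-name, issuer-name, alt-subject-name and EKU, and maps the first
// matching entry to a connection profile. Operators follow the ASA's own
// certificate-map vocabulary (eq, ne, co, nc). DN strings, OIDs beyond the two
// well-known EKUs, and profile names are constructed for this illustration.

// Parse an RFC 4514-style DN ("CN=mary,OU=Mobile,O=Example Corp") into an
// uppercase-keyed attribute map. A backslash escapes the next character, so
// "CN=Smith\, John" keeps its comma.
function parseDn(dn) {
  const parts = [];
  let current = "";
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === "\\" && i + 1 < dn.length) { current += dn[i + 1]; i++; continue; }
    if (dn[i] === ",") { parts.push(current); current = ""; continue; }
    current += dn[i];
  }
  parts.push(current);
  const attrs = {};
  for (const rdn of parts) {
    const idx = rdn.indexOf("=");
    if (idx > 0) attrs[rdn.slice(0, idx).trim().toUpperCase()] = rdn.slice(idx + 1).trim();
  }
  return attrs;
}

// Well-known EKU OIDs, so rules can name the usage the way the ASA does.
const EKU_OIDS = { clientauth: "1.3.6.1.5.5.7.3.2", serverauth: "1.3.6.1.5.5.7.3.1" };

// One rule: { field, attr (DN attribute, optional), op, value }.
// Comparisons are case-insensitive here (an assumption of this model).
function ruleMatches(rule, cert) {
  if (rule.field === "extended-key-usage") {
    // EKU rules ask whether a usage is (co) or is not (nc) present.
    const want = EKU_OIDS[rule.value] || rule.value;
    const present = (cert.extendedKeyUsage || []).includes(want);
    if (rule.op === "co") return present;
    if (rule.op === "nc") return !present;
    throw new Error("EKU rules support only co/nc");
  }
  let actual;
  if (rule.field === "alt-subject-name") {
    actual = (cert.subjectAltNames || []).join(",");
  } else if (rule.field === "subject-name" || rule.field === "issuer-name") {
    const raw = rule.field === "issuer-name" ? cert.issuer : cert.subject;
    actual = rule.attr ? (parseDn(raw)[rule.attr.toUpperCase()] || "") : raw;
  } else {
    throw new Error("unknown certificate field " + rule.field);
  }
  const a = actual.toLowerCase(), v = String(rule.value).toLowerCase();
  switch (rule.op) {
    case "eq": return a === v;
    case "ne": return a !== v;
    case "co": return a.includes(v);
    case "nc": return !a.includes(v);
    default: throw new Error("unknown operator " + rule.op);
  }
}

// An entry matches only when all of its rules match. Entries are tried in
// sequence order; the first match selects the profile, otherwise the default.
function selectConnectionProfile(certMap, cert, defaultProfile) {
  for (const entry of [...certMap].sort((x, y) => x.seq - y.seq)) {
    if (entry.rules.every((r) => ruleMatches(r, cert))) return entry.profile;
  }
  return defaultProfile;
}

// Constructed certificate map and certificates (not from a real deployment).
const sampleCertMap = [
  { seq: 10, profile: "CORP-MOBILE", rules: [
    { field: "issuer-name", attr: "O", op: "eq", value: "Example Corp Private CA" },
    { field: "subject-name", attr: "OU", op: "co", value: "corporate" },
    { field: "extended-key-usage", op: "co", value: "clientauth" } ] },
  { seq: 20, profile: "BYOD-MOBILE", rules: [
    { field: "issuer-name", attr: "O", op: "eq", value: "Example Corp Private CA" },
    { field: "subject-name", attr: "OU", op: "nc", value: "corporate" } ] },
];
const corpCert = { subject: "CN=mary,OU=Corporate Mobile,O=Example Corp", issuer: "CN=Example Corp Private CA,O=Example Corp Private CA", subjectAltNames: ["mary@example.com"], extendedKeyUsage: ["1.3.6.1.5.5.7.3.2"] };
const byodCert = { subject: "CN=mary,OU=BYOD,O=Example Corp", issuer: "CN=Example Corp Private CA,O=Example Corp Private CA", subjectAltNames: [], extendedKeyUsage: ["1.3.6.1.5.5.7.3.2"] };
const thirdPartyCert = { subject: "CN=someone,OU=Corporate,O=Other", issuer: "CN=Other CA,O=Other CA", subjectAltNames: [], extendedKeyUsage: ["1.3.6.1.5.5.7.3.2"] };
```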
43. ASA Certificate Matching Configuration for VPN
[Screenshot: certificate map configuration]
44. Licensing on the ASA
AnyConnect Essentials enables the use of Anyconnect for a full-tunnel VPN with SSL or IPSec IKEv2. One license is required per ASA
Anyconnect Premium activates advanced features such as the Clientless Portal, Smartunnels, Plugins, Posture and Mobile Posture. One license per concurrent user is required.
Anyconnect Essentials and Premium are mutually exclusive on an ASA
The Anyconnect Mobile license is required on top of Anyconnect Essentials or Anyconnect Premium licenses for mobile devices to establish a VPN tunnel with the ASA!! One license is required per ASA
For ASA releases 8.2 and below, 2 licenses per failover pair are required. Starting from ASA release 8.3, only one license is required per failover pair
Recommendation: Always include the Anyconnect Mobile License when purchasing a new ASA for VPN
46. Web Security Gateway - Deployment Methods
Web Security Gateways such as the Cisco Web Security Appliance (WSA) provide a number of security services at an organization’s perimeter such as URL Filtering, Web Reputation Filtering, Anti-Malware Filtering, Granular Application Control, Data Loss Prevention and others
These gateways typically do not sit inline with the traffic, and therefore Web user traffic must be redirected to them
3 methods can be used for this redirection:
‒ Explicit Forward Mode: A proxy server entry is configured manually or automatically with the Web-Proxy Auto-configuration Protocol (WPAD) in the web browser to redirect its traffic to the Web Security Gateway
‒ Transparent Mode: The Web Cache Control Protocol (WCCP) is used between the Web Security Gateway and a network or security device to redirect user traffic to the Web Security Gateway
‒ Load-Balancers: For larger deployments. A Load-Balancer redirects the user traffic to the Web Security Gateway farms
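What the browser actually consumes in Explicit Forward Mode is a Proxy Auto-Configuration (PAC) script, fetched from a configured URL or discovered through WPAD. The one below is an added example, not a PAC file shipped with the WSA or any other product; the gateway host names and internal address ranges are constructed placeholders. Browsers supply helper functions such as isPlainHostName, dnsDomainIs and isInNet to PAC scripts; Node.js does not, so minimal equivalents are defined first so the script can be exercised outside a browser (a real PAC file would contain only FindProxyForURL).

```javascript
// Added example, not Cisco's and not a product PAC file: a Proxy
// Auto-Configuration script for Explicit Forward Mode. Proxy host names and
// internal ranges are constructed placeholders.

// Minimal stand-ins for the helpers a browser provides to PAC scripts, so the
// script runs under Node.js for testing. A real PAC file omits these.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function isInNet(host, pattern, mask) {
  // Only literal IPv4 addresses are handled here; a browser resolves names first.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// The PAC entry point: the browser calls this for every URL. Returning a proxy
// string sends the request to the Web Security Gateway; "DIRECT" bypasses it.
function FindProxyForURL(url, host) {
  // Keep intranet names, the internal address space and loopback off the gateway.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes to the gateway; the browser tries the second entry if
  // the first is unreachable. No trailing "; DIRECT" is listed on purpose: with
  // it, a gateway outage would silently bypass URL filtering for all users.
  return "PROXY wsa1.corp.example:3128; PROXY wsa2.corp.example:3128";
}
```

The last return value is the security-relevant line: a PAC file that ends its proxy list with DIRECT fails open, which is convenient for availability but means the filtering, reputation and DLP services on the gateway are skipped whenever the gateway is unreachable.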
47. Web Security Gateway – User Authentication
Organizations typically require users to authenticate to an enterprise directory such as Active Directory before accessing Internet resources to allow for enforcement of Acceptable Use Policies per role and to provide auditing for reporting and compliance purposes
3 methods can be used to authenticate users:
‒ Basic Browser Authentication: The user is prompted to enter his credentials, which can be sent to Active Directory/LDAP for authentication. Credentials can be cached by the browser to prevent the user from being prompted in the future. The user’s AD/LDAP attributes are also fetched for authorization and mapping to Access Policies. Appropriate for BYOD, guests or consultants.
‒ NTLMSSP Browser Authentication: The user’s Windows login credentials are fetched transparently from the browser using an NTLM challenge-response authentication and sent to Active Directory for authentication. The user’s AD attributes are also fetched for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
‒ Passive Identification: The Web Gateway uses the user’s IP address and sends a request to the Active Directory/Novell Directory Server that maintains the mapping of usernames/IP addresses seen when users log in. The Web Gateway then fetches the user’s AD/LDAP attributes for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
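The difference between the first two methods becomes concrete when you look at what the gateway receives in the Proxy-Authorization header. The added example below (not WSA code; the sample headers and the Type 3 message builder are constructed for the illustration) recovers the user identity from each: for Basic it is a base64 string that contains the password itself, for NTLMSSP it is an NTLM Type 3 message carrying domain, user and workstation plus challenge responses, never the password. This is the mechanism behind "fetched transparently" on the slide, and also why the credential exposure profile of the two methods differs.

```javascript
// Added example, not WSA code: parses the Proxy-Authorization header a web
// gateway receives for Basic and NTLMSSP authentication and recovers the user
// identity. Sample header values are constructed here, not captured.

// Accept both "DOMAIN\user" and "user@domain.example" spellings.
function splitDomainUser(name) {
  const bs = name.indexOf("\\");
  if (bs >= 0) return { domain: name.slice(0, bs), user: name.slice(bs + 1) };
  const at = name.indexOf("@");
  if (at >= 0) return { domain: name.slice(at + 1), user: name.slice(0, at) };
  return { domain: null, user: name };
}

// Basic: the token is base64(user:password). It is encoded, not encrypted, so
// the gateway (and anything on the path without TLS) sees the password.
function parseBasic(token) {
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  const { domain, user } = splitDomainUser(decoded.slice(0, sep));
  return { scheme: "Basic", domain, user, passwordExposed: true };
}

// NTLM Type 3 (AUTHENTICATE_MESSAGE): "NTLMSSP\0", message type 3, then six
// (length, maxlength, offset) security-buffer descriptors at offsets 12..52
// pointing into the payload: LM response, NT response, domain, user,
// workstation, session key. Negotiate flags sit at offset 60.
const NTLM_SIGNATURE = Buffer.from("NTLMSSP\0", "latin1");
const NEGOTIATE_UNICODE = 0x00000001;

function readBuffer(msg, descriptorOffset, unicode) {
  const len = msg.readUInt16LE(descriptorOffset);
  const off = msg.readUInt32LE(descriptorOffset + 4);
  if (off + len > msg.length) throw new Error("NTLM security buffer out of bounds");
  return msg.subarray(off, off + len).toString(unicode ? "utf16le" : "latin1");
}

function parseNtlm(token) {
  const msg = Buffer.from(token, "base64");
  if (msg.length < 12 || !msg.subarray(0, 8).equals(NTLM_SIGNATURE)) return null;
  const type = msg.readUInt32LE(8);
  if (type !== 3) {
    // Type 1 (negotiate) carries no identity yet; Type 2 is the server challenge.
    return { scheme: "NTLM", messageType: type, domain: null, user: null };
  }
  if (msg.length < 64) return null;
  const unicode = (msg.readUInt32LE(60) & NEGOTIATE_UNICODE) !== 0;
  return {
    scheme: "NTLM", messageType: 3,
    domain: readBuffer(msg, 28, unicode),
    user: readBuffer(msg, 36, unicode),
    workstation: readBuffer(msg, 44, unicode),
    passwordExposed: false, // only challenge responses are carried, never the password
  };
}

function parseProxyAuthorization(header) {
  const m = /^(Basic|NTLM)\s+(\S+)$/i.exec(header.trim());
  if (!m) return null;
  return m[1].toLowerCase() === "basic" ? parseBasic(m[2]) : parseNtlm(m[2]);
}

// Builds a constructed Type 3 message (dummy responses) so the parser can be
// exercised offline; a real client computes the responses from the challenge.
function buildNtlmType3(domain, user, workstation) {
  const enc = (s) => Buffer.from(s, "utf16le");
  // LM response, NT response, domain, user, workstation, session key
  const parts = [Buffer.alloc(24), Buffer.alloc(24, 0xab), enc(domain), enc(user), enc(workstation), Buffer.alloc(0)];
  const header = Buffer.alloc(64);
  NTLM_SIGNATURE.copy(header, 0);
  header.writeUInt32LE(3, 8);
  let offset = 64;
  parts.forEach((p, i) => {
    header.writeUInt16LE(p.length, 12 + i * 8);
    header.writeUInt16LE(p.length, 14 + i * 8);
    header.writeUInt32LE(offset, 16 + i * 8);
    offset += p.length;
  });
  header.writeUInt32LE(NEGOTIATE_UNICODE, 60);
  return Buffer.concat([header, ...parts]).toString("base64");
}
```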
48. Proxy and Authentication Methods Support
Feature                | Win 8 Pro/Enterprise | Win RT  | Apple iOS | Android | BB7    | BB10
Proxy Configuration    | Yes | Yes     | Yes     | Yes     | No (1) | Yes
PAC-WPAD               | Yes | Yes     | Yes     | No      | No     | Yes
PAC-GPO                | Yes | No      | No      | No      | No     | No
PAC-MDM (3)            | Yes | No      | Yes     | No      | No     | No
Basic Authentication   | Yes | Yes     | Yes     | Yes     | Yes    | Yes
NTLMSSP                | Yes | Yes (2) | Yes (2) | Yes (2) | No     | Yes (2)
Passive Identification | Yes | No      | No      | No      | No     | No
(1) No support on native browser on Wifi. Supported with the Opera mini-browser and 3rd-party applications (not tested)
(2) No Single Sign-On
(3) Using the Airwatch MDM. Other MDMs may have different capabilities
More on WSA: BRKSEC-3771: Advanced Web Security Deployment with WSA and ASA-CX
50. Deployment Recommendations
Security policies relative to the use of personal devices in the corporate environment should be created before a BYOD deployment
Business units owners should be involved to define the requirements and use cases that will drive the architecture of the solution for mobile devices
User education and awareness is key! A BYOD deployment should include training and guidelines for users on how to use their personal mobile device to lower the risk of having their device compromised and exploited
A private Certification Authority should be considered for deployments requiring differentiation of access privileges between corporate and personal mobile devices
Profiling and VPN posture can be used to differentiate mobile devices from laptops/desktops and are great tools for device identification and inventory
A Virtual Desktop Infrastructure (VDI) architecture can help reduce the risk of data leakage and improve the user experience
51. Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.