Aladdin eToken Solutions for
Cisco Integrated Services Routers
Cisco VPN Client
Cisco Identity-Based Networking
Aladdin Knowledge Systems
November 2005
Agenda
Aladdin Overview
Solutions Overview
eToken Solutions:
− Snapshot: About eToken
− Aladdin eToken & Cisco ISR
− Token Management System (TMS)
− Cisco ECT & eToken Solution
− eToken Password Management
− Aladdin eToken & Cisco VPN
− Online Demo of ISR provisioning and secure VPN access
Aladdin Knowledge Systems (NASDAQ: ALDN) has been a global provider of software protection and network security solutions since 1985.
With a distribution network of more than 50 partners in over five continents, Aladdin provides unmatched service and support to its customers.
Aladdin Product Lines
Identifies who users are
Comprehensive solution for software vendors’ protection and licensing needs
Hardware or software-based
Portable device for two-factor authentication, password and digital identity management
Robust enterprise management
Gateway-based anti-virus protection & content security
Web browsing security with anti-spyware & application filtering
Proactive email security with spam management
Software Digital Rights Management
Enterprise Security
Controls what users can do
Ensures safe access to content
Overview of Aladdin-Cisco eToken Offerings
Cisco Integrated Services Routers (ISR)
− eToken-based ISR secure provisioning
− eToken-based portable credential storage for site-to-site VPN
Enterprise Class Teleworker (ECT)
Cisco VPN
− eToken-based Strong Authentication for VPN client
Online Demo
− Online demo for Cisco ISR and VPN
Aladdin eToken & Cisco ISR
eToken ISR Solutions
Two main functionalities of eToken with Cisco ISR:
1. Secure configuration storage and distribution with eToken
− Provisions ISR config into eToken, sends Token to location
− Router loads ISR config off the eToken when turned on, or merges configuration when eToken is plugged into router
− Supports boot-strap or secondary configuration
2. Portable Credential storage for VPN RSA Key Pairs with eToken
− Provides off-platform storage, generation of VPN Credentials
− Loads encryption keys when eToken plugged in, and removes when eToken removed
Yet another important feature:
− Router brings up IPSEC VPN tunnel until eToken is removed, then tunnel comes down (after configurable timeout)
Note: Support provided only for eToken PRO
Secure Configuration Storage and Distribution with eToken
1. Orders router and eToken
2. Provisioning Center receives eToken and loads configuration file
3. Sets custom PIN on eToken
VMS+TMS
1. Router is shipped directly to customer site
2. eToken can be shipped to the customer location separately
1. Installation technician plugs in eToken
2. Enters CLI to boot router from eToken config, including PIN
Portable Credential Storage for VPN RSA Key Pairs with eToken
Portable Credentials
− Stores router VPN credentials on the eToken
− When inserted, the router passes the PIN to unlock the eToken and retrieves the credentials
− Router brings up IPSEC tunnel until eToken is removed, then tunnel comes down (after configurable timeout)
[Diagram labels: IP, Internet, Head End]
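The token behaviour described on the two slides above (automatic PIN login, boot or secondary configuration from the token, keys held on the token, key removal after a timeout) maps onto Cisco IOS USB token settings. The fragment below is an added example, not taken from this deck or from the Aladdin-Cisco demo; the token name default, the PIN, the file names, the key label and the 60-second timeout are constructed placeholders, and command availability depends on the IOS release in use.

```cisco
! Added example: Cisco IOS USB token settings. All values are placeholders.
!
! PIN the router presents to unlock the eToken automatically on insertion.
crypto pki token default user-pin PIN_PLACEHOLDER
!
! Cap consecutive failed PIN attempts against the token.
crypto pki token default max-retries 3
!
! After the eToken is pulled, wait 60 seconds, then remove the RSA keys
! that were loaded from it; tunnels that depend on those keys come down.
crypto pki token default removal timeout 60
!
! Merge this file from the token into the running configuration on insertion
! (the "secondary configuration" case).
crypto pki token default secondary config secondary-example.cfg
!
! Load the startup configuration from the token (the "boot-strap" case).
boot config usbtoken0:bootstrap-example.cfg
!
! Keep the VPN key pair on the token instead of in the router's NVRAM.
crypto key generate rsa general-keys label VPN-KEY-EXAMPLE modulus 2048 storage usbtoken0:
```

Leaving out the user-pin line forces a manual token login after each insertion, which keeps the PIN out of the stored configuration at the cost of unattended recovery.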
Values to Cisco Channel
Substantial cost savings:
− Routers are shipped to customers blank, as there is no need for physical router configuration
Easy eToken configuration:
− Utilizes smooth integration of Token Management System (TMS) and Cisco VMS
Automation and Batch processing of eToken/router configuration:
− TMS is able to enroll batch/bulk of tokens; no need to manually deal with each config file
Easy technical support:
− Configuration can be reloaded to the router, no need to send technicians
Web service:
− Re-provisioning or change in configuration can be done over the web using eToken TMS (i.e., no need to send technician AGAIN to fix config problems)
Values to Cisco Customers
Security:
− Router configuration is securely stored on the eToken
Security:
− eToken stores the router’s root certificate (RSA keys)
Ease:
− Customer is free to purchase routers from any Cisco store
Delivery:
− Timely implementation, support and updates
Self service:
− Ability to provision and re-provision router over the web
What Is Aladdin Token Management System (TMS)?
A system for deploying, managing and using security tokens in an Enterprise
TMS offers a LINK between:
− Users
− Organizational rules
− Security device(s)
− Security application(s)
Token Management System (TMS) & Cisco ISR
TMS uses special Cisco ISR connector to provision eToken with ISR configuration
TMS can provision tokens as web service using web browser or in a standalone mode
ISR configuration may be generated with any tool such as Cisco Security Manager (VMS)
[Diagram labels: TMS, Cisco ISR TMS Connector, Token Management System (TMS)]
Provisioning the eTokens
#1: Using TMS (TMS = Token Management System)
− Create configuration file in text editor
− Reset User PIN and Admin PIN
− Manage tokens across the organization by SN
− Copy configuration and credential files to eToken
#2: Using CLI
− Create configuration file
− Enroll with CA
− Reset PIN
− Unlock eToken
− Copy configuration to eToken
− Copy VPN credentials to eToken
GUI will replace CLI
Refer to Cisco video for details on router config.
Router Provisioning Processes: Old vs. eToken-Based
eToken Process
Channel:
− Installs VMS and TMS
− Transfers bootstrap batch file to eToken
− Ships eToken to customer
− Ships blank router to customer
User:
− Buys/receives blank router from channel
− Receives personalized eToken from channel
− Plugs router to network
− Plugs eToken into router
− Router goes live
Old Process
Channel:
− Installs VMS
− Receives router from distributor
− Configures router manually
− Ships router to customer
− OR: Technician arrives and configures router on site.
User:
− Plugs router into network
− Router goes live
What is ECT?
Cisco Enterprise Class Teleworker (ECT) solution provides an end-to-end integrated security and management solution for Remote Access (Business Ready Teleworker) and Site-to-Site Access (Business Ready Branch)
Key benefits of the ECT solution include:
− Layered and integrated Security for router, network, device, user and applications (voice, video, and wireless).
− DMVPN, the ECT baseline architecture, seamlessly integrates security, dynamic routing, and the dynamically meshed VPN deployment.
− Zero Touch Deployment reduces the complexity of support and the loss of corporate control.
− Security Features safeguard the corporate network and prevent unguarded entrances to the network.
− Quality of Service provides application availability and guaranteed bandwidth for key applications and users.
ECT & eToken Solution: The Need
CPE Provisioning & Security
− Enhance and simplify the Zero Touch Deployment (ZTD) mechanisms
− Secure the CPE credential provisioning
− Secure the spoke-to-spoke VPN tunnel
− Push security policy changes by administration
− Support CPE Re-provisioning or Replacement
− CPE Image management
Password Management
− Password management for enterprise applications
Strong Authentication for Network Access
− Secure VPN access
− Secure network logon (Network logon; 802.1x & NAC)
ECT & eToken Solution: The Solution
eToken and TMS provide a framework for CPE provisioning & security; maintenance & support; password management; and network/VPN access
Two tokens are suggested in the framework:
eToken for CPE:
• Secure and easy provisioning
• Secure VPN tunnel
• Support capabilities
eToken for End user:
• Passwords management (web & win app)
• Strong authentication for remote login to corporate infrastructure
• Strong authentication for network logon (LAN), 802.1x & Cisco IBNS (LAN card), and NAC (granular LAN access)
ECT & eToken Solution: The Solution
[Diagram labels: Teleworkers, Roaming User, Corporate User, Corporate, Internet, Router, Router/FW/VPN, Application Servers, Service Provider, TMS, TMS / TMS Web]
ISR eToken: ISR configuration, RSA VPN keys, Re-provisioning, Support
User eToken: Password Management, VPN Client, Web Access, Network Access (Logon), NAC, 802.1x
eToken Password Management
eToken Password Management Solution
Password Management
− Administrator or service provider uses eToken Simple Sign-On (SSO) and eToken Web Sign-On (WSO) to push corporate applications’ credentials onto the eToken
− eToken stores all necessary logon information including username, passwords, PIN numbers, etc.
− WSO/SSO automatically fills out the respective web page or logon window credentials.
− Great end-user benefit – users can cache their personal credentials too
− Secure and automatic access
Aladdin eToken & Cisco VPN Client
eToken & Cisco VPN
eToken supports all prevalent Cisco VPN access modes with various authentication methods:
Cisco VPN access modes:
− SSL VPN
− IPSec VPN
− Wireless VPN
Authentication methods:
− PKI
− OTP
The solution combines every possible pair
Note: Support provided for all eTokens. Aladdin promotes eToken NG-OTP
Access Scenarios
VPN Remote Access over IPSec
VPN Remote Access over SSL
WiFi Remote Access over the Web
Solution Components
Cisco:
− VPN Concentrator
− Cisco VPN Client
− Cisco PIX
− Cisco ACS RADIUS
− Cisco ISR
− Cisco ASA
− Cisco Aironet Access Point
Aladdin:
− eToken NG/Pro
− eToken CSP
− TMS (Token Management System) – Unified backend!
Certificate Authority:
− MS
− VeriSign
− Other…
Benefits and Differentiators
Value to Customers
− Integrated end-to-end solution
− Remote access based on two-factor authentication providing top notch security
− Flexibility in access methods and authentication methods
− Shorter implementation/deployment cycle
− Best TCO and ROI
Differentiators
− The only integrated solution, from only 2 vendors, that encompasses all remote access needs
− Can be provided either as an on-site installation, or as a managed service
Benefits and Differentiators
Value to Cisco Channel
− Better offering to customers
− Fits into channel’s offering based on Cisco gear
− Increased demand for access solutions
− Shorter sales cycle
− Up-sell opportunities with eToken TMS and other security applications
− Opportunity to sell more services (integration, maintenance, etc.)
Differentiators
− The only integrated solution, from only 2 vendors, that encompasses all remote access needs
− Can be provided either as an on-site installation, or as a managed service
Online Demo for Cisco ISR and VPN
Aladdin-Cisco Online Demo
• Enables Cisco SE, Channel or Customer to register and apply for eToken, enroll the eToken and run one of two demos:
• ISR demo: Enables upload of a given router configuration on board eToken
• VPN Demo: Enables experience of two live VPN access scenarios
− SSL VPN + eToken OTP authentication
− IPSec VPN + eToken certificate-based authentication (PKI)
Key Benefits:
• Great demonstration tool to be used by SEs, channels and customers
• It is real, and works with Aladdin/Cisco back-end, available 24x7
• TMS web interface shows its most powerful feature – online provisioning of (blank) tokens
• Once a user receives its credentials, the demo can be run repetitively, with no limits
• Sponsored by Cisco which provides the back-end equipment (PIX, ACS, and Concentrator)
• Best practice would be to….. Try it yourself
https://ciscodemo.aladdin.com