1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Education Vision & Strategy BITES 2006 Cisco Systems [email protected]

Upload: julia-weaver

Post on 23-Dec-2015


Page 1: 1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public Education Vision & Strategy BITES 2006 Cisco Systems sijones@cisco.com sijones@cisco.com



Core aspects of BSF

• Transforming Education

Putting the Learner at the centre, Citizenship, Skills

• Efficiency

Workforce Reform, Buildings, Energy, Security

• Social Inclusion

Equal Access, Every Child Matters (ECM, ICS)

• Regeneration – Community & Economic

Extended Schools, Home Access, Business

• Long Term Partnerships


BSF?

• ‘Birmingham Society of the Future’

• Program & Procurement dominated or led by the needs of communities

• Steady and progressive transformation over a longer term

• Will learners be measured by Government or be asked for feedback about their learning environments?


Agenda for today

• ‘Connected Learning’

• Multi Service Wireless

• Secure Wireless

• What you should be looking out for?


Four Steps To Transformation

Step 1: Connect all buildings and provide access to critical information

Step 2: Implement network-based applications to improve administrative efficiency

Step 3: Put teacher proficiency and productivity first

Step 4: Create a student-centered learning environment to achieve academic excellence


Intelligent Information Network

Figure: IP Networking Adoption, 2006 to 2015. Stage labels: OPTIMISED SCHOOLS, EFFICIENT SCHOOLS, CONNECTED SCHOOLS.

New Capabilities

• Adaptive resources

• Personalised learning (MLE’s)

• Collaboration software

• Rich communications

• Automation

• On-demand Data Center

Opex Reduction

• Communications over IP

• Integrated wiring on Ethernet

• Toll bypass

• Data simplification

Network Simplification

• Service virtualization

• Data Center

• Integrated security

• Virtualised call control

• User mobility

• Virtual & e-learning


Cisco Connected Learning Solutions

IP Network

Academic Excellence Administrative Efficiency

Unified Communications

Video Infusion

Self Defending Network

Virtual Classroom

Intelligent Buildings

Secure Wireless

Transforming Education

Intelligent Information Network


Cisco Connected Learning Model for 21st Century Education

Education Model

Learning Environment

Curriculum

Teaching Learning Finance Operational

Business Applications Collaboration Applications

Infrastructure Services layer End client devices

School, LA/LEA, Virtual School, Regional & National

IP Foundation Data Centre Cabling and Building Systems


1. Education Model

• Learning is an active process, and one that involves collaboration, problem solving, critical thinking with mentor support from teachers

• Government policy focused on transforming education using technology as a catalyst

• Student focused, catering for individual needs and personalisation.

• Relevant and authentic learning opportunities

• Prepares for lifelong learning

• Community focused and provides relevant skills and knowledge

• Open ended


2. Learning Environment

Organisational

• Technology as a teaching and learning tool

• Technology for assessment

• Flexible and adaptable VLE

Community

• Environment enables communities to be built

• Accessible from anywhere, anytime

• Builds structures for learning environment between home & schools & for lifelong learning

• Potential to involve all members of the community

• Schools as centres of the community

• Global and national reach


2. Learning Environment

Classroom organisation

• Structured for 21st century working and learning environment

• Flexible yet managed

• Allows for group, individual and whole class work

Student focused environment

• Provides authentic and autonomous learning

• Learning how to learn

• Peer teaching and learning opportunities

• Curriculum arises out of real community needs

• Development of autonomy and critical thinking and problem solving skills


Secure Wireless

• Teaching & Learning

Laptop, PDA, Projector, Wireless Slate

• Security

Access, Assets, mobile CCTV, mobile alerts/paging

• IP Telephony - staff communications

• Guest Access

Community, Parents, Inspections

• Outdoor (sports events, weather view)

• Flexible ICT during refurbishment


Agenda

• Business Critical Wireless

• WLAN Security Leadership

• Cisco Unified Wireless Network

• Cisco Self-Defending Network

– Keep Clients Safe

– Keep Clients Honest

– Protect the Network


Wireless Goes Business Critical: The Emerging Enterprise Market

Figure: Enterprise Wireless Market (Growing at 40% Per Annum), in $ Millions, FY ’04 to FY ’08, 40% CAGR. Values shown on the chart: $640, $1000, $1400, $1960, $2740.

Phases labelled on the chart: Verticals, PWLAN; Initial Office Deployments; Mainstream Enterprise Office, Location, Mesh Networking; Dual Mode Voice; All Wireless Branch.


Cisco WLAN Security Leadership and Innovation

• Industry's first implementation of 802.1X/EAP authentication and dynamic key derivation

• Chaired and led the 802.11i work group

• Wrote or co-wrote many EAP RFCs

• Technical leadership role in Fast Secure Roaming 802.11r

• Industry leading, patent pending rogue detection, mitigation and suppression

• Continuing to innovate with Self-Defending Network

Location enabled security; Access Control / IDS alerts

Invented host posture analysis (NAC)

Invented Management Frame Protection (MFP)

Invented Self Defending Network (NIC)


Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

An initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats

Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats

Keep Clients Safe (Endpoint Protection)

• Strong Mutual Authentication

• Strong Encryption

• True Wireless IPS

• Adaptive Client Policies

Keep Clients Honest (Admission Control)

• Network Admission Control

• Guest Access

Protect the Network (Anomaly and IDS/IPS)

• Rogue AP detection and containment

• Multilayer client exclusions

Integrated Management


Checklist for Secure Wireless LANs

Implementation Checklist

802.1X (EAP)

WPA2 (AES) or WPA (TKIP)

Management Frame Protection

Cisco CSA

Keep Clients Safe (Endpoint Protection)

• Strong Mutual Authentication

• Strong Encryption

• True Wireless IPS

• Adaptive Client Policies


Protected Access

What are WPA and WPA2?

• Authentication and Encryption standards for Wi-Fi clients and APs

• 802.1X authentication

• WPA uses TKIP encryption

• WPA2 uses AES encryption

Which should I use?

• Go for the Gold!

• Silver, if you have legacy clients

• Lead, if you absolutely have no other choice (i.e. ASDs)

Gold: WPA2/802.11i

• EAP

• AES

Silver: WPA

• EAP

• TKIP

Lead: dWEP (legacy)

• EAP/LEAP

• VLANs + ACLs


How does Extensible Authentication Protocol (EAP) Authenticate Clients?

Diagram: WLAN Client, Access Point/Controller, RADIUS server, Corporate Network. EAP runs over 802.1x between the client and the AP, and over RADIUS between the AP and the RADIUS server.

Client associates

Cannot send data until EAP authentication complete: data from client blocked by AP

Client sends data: data from client passed by AP


What makes 802.11 vulnerable to attacks?

Most common attacks are against management frames

Common Attacks:

• VOID11

• Aireplay

• File2air

• Airforge

• ASLEAP

• Jack attacks

• FakeAP

• Hunter/Killer

Cisco MFP Protected


Management Frame Protection (MFP)

• A solution for clients and infrastructure (APs)

• Clients and APs add a MIC (signature) into every management frame

• Anomalies are detected instantly and reported to Wireless Control Server (WCS)

MFP Protected
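The idea on this slide, as an added illustration that is not Cisco's MFP implementation or frame format: a keyed MIC appended to each management frame lets a receiver reject and report forged or replayed deauthentication frames. The toy frame layout, HMAC-SHA256 as the MIC, the replay counter and the `reports` list standing in for alerts to a management server are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Toy management frame header: subtype(1) | sender(6) | receiver(6) | sequence(4).
# This layout is constructed for the example and is not the 802.11 or Cisco format.
HDR = struct.Struct("!B6s6sI")
MIC_LEN = 16                     # truncated HMAC-SHA256 (assumption)
SUBTYPE_DEAUTH = 0x0C            # 802.11 management subtype: deauthentication


def build_frame(subtype, src, dst, seq, body=b""):
    return HDR.pack(subtype, src, dst, seq) + body


def protect(frame, key):
    """Append a MIC computed over the whole frame."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]


class MfpReceiver:
    """Accepts a management frame only if its MIC verifies and it is not a replay."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}       # highest sequence number accepted per sender
        self.reports = []        # anomalies that would be reported upstream

    def receive(self, raw):
        if len(raw) < HDR.size + MIC_LEN:
            self.reports.append(("missing-mic", raw[1:7].hex()))
            return False
        frame, mic = raw[:-MIC_LEN], raw[-MIC_LEN:]
        _subtype, src, _dst, seq = HDR.unpack(frame[:HDR.size])
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):   # constant-time comparison
            self.reports.append(("bad-mic", src.hex()))
            return False
        if seq <= self.last_seq.get(src, -1):
            self.reports.append(("replay", src.hex()))
            return False
        self.last_seq[src] = seq
        return True


def demo():
    """Run one genuine and three illegitimate frames through the receiver."""
    key = b"constructed-demo-key"                    # constructed sample key
    ap = bytes.fromhex("001122334455")               # constructed addresses
    client = bytes.fromhex("66778899aabb")
    rx = MfpReceiver(key)
    genuine = protect(build_frame(SUBTYPE_DEAUTH, ap, client, 1), key)
    no_mic = build_frame(SUBTYPE_DEAUTH, ap, client, 2)
    wrong_key = protect(build_frame(SUBTYPE_DEAUTH, ap, client, 3), b"not-the-key")
    results = [rx.receive(f) for f in (genuine, no_mic, wrong_key, genuine)]
    return results, rx.reports


if __name__ == "__main__":
    print(demo())
```
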


CCX - Driving Security Standardization

CCX v1

• 802.1X authentication

• EAP-TLS & LEAP

• Cisco pre-standard TKIP

• Client Rogue reporting

CCX v2

• WPA compliance

• Fast Roaming with CCKM

• PEAP

CCX v3

• WPA2 compliance

• EAP-FAST

• CCKM with EAP-FAST

• AES encryption

CCX v4

• CCKM with EAP-TLS, PEAP

• WIDS

• MBSSID

CCX v5

• MFP

• Client Policies


Security and WLAN Clients

• Trend: Embedded adapters in most devices

• Result: Adapter reference designs in most devices

How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?

• Options:

Try to standardize on adapters from one vendor

Use WPA/WPA2 “extended EAP” certified clients

Rely on what is available in Windows

Use a commercial supplicant suite

Support a mix of authentication types

Use Cisco Compatible Extensions (CCX) adapters


Checklist for Secure Wireless LANs

Implementation Checklist

Cisco NAC for wired and wireless

Cisco CSA

Guest: Integrated captive portal w/traffic tunneling

Keep Clients Honest (Admission Control)

• Network Admission Control

• Guest Access


The Need for Admission Control

• Viruses, worms, spyware, etc. continue to plague organizations

Viruses still #1 cause of financial loss* (downtime, recovery, productivity, etc.)

• Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance

• Unprotected endpoint devices are often responsible for spreading infection

Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive

“Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage.” – Burton Group

*2005 FBI/CSI Report


NAC2 – Ubiquitous Admission Control

CTA-Capable Endpoints with NAC-Capable 802.1X Supplicants

Diagram: CTA (endpoint), Network Access Device (NAD), ACS, Vendor Server, Network. Links: 802.1x, EAPo802.1x, EAPoRADIUS, HCAP. Numbered arrows 1 to 8 correspond to the steps below.

1. 802.1X connection setup between NAD and endpoint

2. NAD requests credentials from endpoint (EAPo802.1X)

This may include user, device, and/or posture

3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)

4. NAD sends credentials to ACS (EAPoRADIUS)

5. ACS can proxy portions of posture authentication to vendor server (HCAP)

User/device credentials sent to authentication databases (LDAP, Active Directory, etc)

6. ACS validates credentials, determines authorization rights

E.g. visitors given GUEST access, unhealthy devices given QUARANTINE access

7. ACS sends authorization policy to NAD (VLAN assignment)

8. Host assigned VLAN, may then gain IP access (or denied, restricted)
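A model of the decision in steps 6 to 8, added here as an illustration and not Cisco ACS, CTA or NAD code: the policy server checks the user and the reported posture (security tools installed, enabled and current), returns an access level with a VLAN, and the access device forwards nothing on a port until that assignment arrives. The VLAN numbers, the 7-day signature threshold, the STAFF level, the `USER_DB` table and all class and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed values for the example; VLAN ids and the threshold are assumptions.
VLANS = {"STAFF": 10, "GUEST": 20, "QUARANTINE": 30}
MAX_SIGNATURE_AGE_DAYS = 7
USER_DB = {"teacher1": "staff", "visitor7": "visitor"}  # stands in for LDAP/AD


@dataclass
class Posture:
    av_installed: bool
    av_enabled: bool
    signatures_date: date


@dataclass
class Credentials:
    """What the supplicant sends in step 3: user identity plus posture."""
    user: str
    posture: Optional[Posture]   # None when the endpoint reports no posture


def posture_failures(posture, today):
    """Return the policy checks the endpoint fails; an empty list means healthy."""
    if posture is None:
        return ["no posture reported"]
    failures = []
    if not posture.av_installed:
        failures.append("antivirus not installed")
    elif not posture.av_enabled:
        failures.append("antivirus disabled")
    if (today - posture.signatures_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("signatures out of date")
    return failures


def authorize(creds, today):
    """Steps 6-7: validate credentials, then choose the access policy (a VLAN)."""
    role = USER_DB.get(creds.user)
    if role is None:
        return {"access": "DENY", "vlan": None, "reasons": ["unknown user"]}
    if role == "visitor":
        return {"access": "GUEST", "vlan": VLANS["GUEST"], "reasons": []}
    failures = posture_failures(creds.posture, today)
    if failures:
        return {"access": "QUARANTINE", "vlan": VLANS["QUARANTINE"],
                "reasons": failures}
    return {"access": "STAFF", "vlan": VLANS["STAFF"], "reasons": []}


class AccessDevice:
    """The NAD: a port carries no traffic until a VLAN has been assigned (step 8)."""

    def __init__(self):
        self.port_vlan = {}

    def admit(self, port, creds, today):
        decision = authorize(creds, today)   # steps 4-7 collapsed into one call
        if decision["vlan"] is not None:
            self.port_vlan[port] = decision["vlan"]
        return decision

    def forward(self, port):
        """Return the VLAN traffic is placed on, or None while the port is blocked."""
        return self.port_vlan.get(port)
```
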


Secure Guest Access

Diagram labels: SSID legend (Internal, GUEST), Client Default Gateway, Enterprise user, Guest user, Switch-to-switch guest tunnel, Enterprise Network, DMZ Guest controller.

• Captive portal native in the controller

• Two options for guest access:

(1) Guest users can be placed on guest VLAN

(2) All guest traffic is tunneled to a guest controller

• User DB can be local or RADIUS

• Robust administration

Ambassador login

Customizable web pages


Checklist for Secure Wireless LANs

Implementation Checklist

Wireless IDS

Rogue Detect/Containment

FIPS

Protect the Network (Anomaly and IDS/IPS)

• Rogue AP detection and containment

• Multilayer client exclusions


A Complete Solution for Handling Rogues

1. Detect Rogue AP (Generate alarm)

2. Assess Rogue AP (Identity, Location, ..)

3. Contain Rogue AP

• Can be automated

• Multiple rogues contained simultaneously

4. View Historical Report


Cisco WCS – Centralized Security Management


Cisco WLAN FIPS status

Federal Information Processing Standard (FIPS)

• Pre-validated for FIPS 140-2 and Common Criteria

- 4400 controller

- AP1200, AP1100 and BR1300 (LWAPP and Autonomous)

• FIPS Kit will be required; contents include:

- Tamper-evidence labels

- Download instructions for FIPS approved IOS images

- Download instructions for Security Policies


Security Management

CS-MARS

• Network wide anomaly detection

• Rules based correlation

WCS

• Simple, Powerful Dashboard

• Robust Reporting


Checklist Summary

Keep Clients Safe (Endpoint Protection): Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies

802.1X (EAP)

WPA2 (AES) or WPA (TKIP)

Management Frame Protection

Cisco CSA

Keep Clients Honest (Admission Control): Network Admission Control, Guest Access

Cisco NAC for wired and wireless

Cisco CSA

Guest: Integrated captive portal w/traffic tunneling

Protect the Network (Anomaly and IDS/IPS): Rogue AP detection and containment, Multilayer client exclusions

Wireless IDS

Rogue Detect/Contain

FIPS


The Cisco Difference

• Unifying wireless and wire line

Utilizing all of Cisco’s security expertise and product line

Not reinventing the wheel

• Location, Location, Location

Only WLAN system with RF fingerprinting for rogue location accuracy

• INTEGRATED air monitoring

Only WLAN system that does not require separate air monitors

Built-in rogue protection and intrusion detection

• Security Designed for Real-Time Applications

Fast Secure roaming

• Active leadership in standards bodies

802.11i, 802.11r, 802.11w, 802.11k
