accs ciscowlan security 04-19-06
TRANSCRIPT
-
7/31/2019 ACCS CiscoWLAN Security 04-19-06
1/41
Cisco Confidential
Wireless LAN Security
Jim Tucker (Cisco)
Account Manager, Norfolk
Scott Clayton (Cisco)
Systems Engineer, Richmond
Dave Fraser (Cisco)
Systems Engineer, Herndon
Jason (Jed) Krisch (ALI)
Systems Engineer, Blacksburg
Agenda
Self-Defending Network Strategy
Deployment Example
Why Cisco?
-
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
Self-Defending Network (SDN): Cisco strategy, an initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats
Keep Clients Safe (Endpoint Protection): strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies
Protect the Network (Anomaly and IDS/IPS): rogue AP detection and containment, multilayer client exclusions
Keep Clients Honest (Admission Control): Network Admission Control, guest access
Integrated Management
-
Checklist for Secure Wireless LANs
Keep Clients Safe (Endpoint Protection): strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies
Implementation Checklist:
802.1X (EAP)
WPA2 (AES) or WPA (TKIP)
Management Frame Protection
Cisco CSA
-
Protected Access
What are WPA and WPA2?
Authentication and encryption standards for Wi-Fi clients and APs
802.1X authentication
WPA uses TKIP encryption
WPA2 uses AES encryption
Which should I use?
Gold: WPA2/802.11i, EAP, AES
Silver: WPA, EAP, TKIP
Lead: dWEP (legacy), EAP/LEAP, VLANs + ACLs
Go for the Gold! Silver, if you have legacy clients. Lead, if you absolutely have no other choice
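The Gold/Silver/Lead tiers above can be applied mechanically to a controller's SSID list. The following is an added example, not material from the presentation or Cisco code; the WlanProfile format, its field names and the sample SSIDs are assumptions made for the example, and the rule that the weakest cipher an SSID still permits decides its rating is this example's reading of the slide.

```python
from dataclasses import dataclass, field

GOLD, SILVER, LEAD, FAIL = "Gold", "Silver", "Lead", "Not acceptable"


@dataclass
class WlanProfile:
    """Constructed description of one SSID's security settings (example format)."""
    ssid: str
    security: str                               # "wpa2", "wpa", "dwep", "wep" or "open"
    ciphers: set = field(default_factory=set)   # {"aes"}, {"tkip"} or {"aes", "tkip"}
    auth: str = "none"                          # "eap" (802.1X) or "none"
    segmented: bool = False                     # VLANs + ACLs isolate this WLAN


def rate_profile(p):
    """Return (tier, reasons). The weakest cipher an SSID still allows decides
    the tier, so WPA2 that also admits TKIP clients rates Silver, not Gold."""
    if p.security == "open" or p.auth != "eap":
        return FAIL, ["no 802.1X/EAP authentication: clients are not identified"]
    if p.security == "wpa2" and p.ciphers == {"aes"}:
        return GOLD, ["WPA2/802.11i with EAP and AES"]
    if p.security in ("wpa2", "wpa") and p.ciphers and p.ciphers <= {"aes", "tkip"}:
        return SILVER, ["TKIP permitted: legacy cipher, migrate legacy clients to AES"]
    if p.security == "dwep":
        reasons = ["dynamic WEP with EAP/LEAP: legacy, only if there is no other choice"]
        if not p.segmented:
            reasons.append("dWEP WLAN must be isolated with VLANs + ACLs")
        return LEAD, reasons
    if p.security == "wep":
        return FAIL, ["static WEP: shared key, no per-session keys"]
    return FAIL, [f"unrecognised settings: security={p.security!r} ciphers={sorted(p.ciphers)}"]


def audit(profiles):
    """Map each SSID to its tier; the weakest WLAN on a controller stands out at once."""
    return {p.ssid: rate_profile(p)[0] for p in profiles}


if __name__ == "__main__":
    sample = [  # constructed SSIDs for the example
        WlanProfile("corp-secure", "wpa2", {"aes"}, "eap"),
        WlanProfile("corp-legacy", "wpa2", {"aes", "tkip"}, "eap"),
        WlanProfile("scanners", "dwep", set(), "eap", segmented=False),
        WlanProfile("guest-open", "open"),
    ]
    for p in sample:
        tier, why = rate_profile(p)
        print(f"{p.ssid:12} {tier:15} {'; '.join(why)}")
```

The reasons list is what an auditor hands back with the rating: a Silver SSID is acceptable, but the note about TKIP tells the owner which clients to migrate before the SSID can become Gold.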
-
How does Extensible Authentication Protocol (EAP) Authenticate Clients?
Participants: WLAN client, access point/controller, RADIUS server, corporate network
Client associates; data from the client is blocked by the AP, and the client cannot send data until EAP authentication is complete
802.1X carries EAP between the client and the AP/controller; RADIUS carries EAP between the AP/controller and the RADIUS server
EAP authentication completes
Client sends data; data from the client is passed by the AP
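As an added illustration of the sequence on this slide (not code from the presentation or from Cisco), the model below keeps a per-client controlled port closed until a RADIUS stand-in returns Access-Accept. RadiusServer, AccessPoint, the user store and the MAC address are constructed for the example, and the inner EAP method's round trips are collapsed into a single call.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    """Constructed stand-in for the RADIUS/AAA server: checks an identity and
    credential against a user store and answers Access-Accept or Access-Reject."""
    users: dict

    def access_request(self, identity, credential):
        if self.users.get(identity) == credential:
            return "Access-Accept"
        return "Access-Reject"


@dataclass
class AccessPoint:
    """AP/controller side of 802.1X: a per-client controlled port plus EAP relay."""
    radius: RadiusServer
    port_state: dict = field(default_factory=dict)   # client MAC -> "blocked" | "authorized"
    log: list = field(default_factory=list)

    def associate(self, mac):
        # 802.11 association succeeds, but the controlled port starts closed:
        # only EAPOL is accepted from the client until authentication completes.
        self.port_state[mac] = "blocked"
        self.log.append(f"{mac} associated; data blocked pending EAP")
        return "EAP-Request/Identity"

    def eap_response(self, mac, identity, credential):
        # The AP never evaluates the credential itself; it relays the EAP
        # conversation inside RADIUS and acts on the server's verdict.
        if mac not in self.port_state:
            return "EAP-Failure"            # unknown station: never associated
        verdict = self.radius.access_request(identity, credential)
        if verdict == "Access-Accept":
            self.port_state[mac] = "authorized"
            self.log.append(f"{mac} EAP-Success as {identity}; data now passed")
            return "EAP-Success"
        self.port_state[mac] = "blocked"
        self.log.append(f"{mac} EAP-Failure as {identity}; data still blocked")
        return "EAP-Failure"

    def forward_data(self, mac, frame):
        """True if a data frame from this client is passed to the corporate network."""
        if self.port_state.get(mac) == "authorized":
            return True
        self.log.append(f"{mac} data frame dropped: port not authorized")
        return False


def demo():
    """Walk one client through the slide's sequence; returns the three forwarding decisions."""
    ap = AccessPoint(RadiusServer({"alice": "constructed-password"}))   # constructed user store
    mac = "00:11:22:33:44:55"                                            # constructed client MAC
    ap.associate(mac)
    before = ap.forward_data(mac, b"GET / HTTP/1.0")          # blocked: EAP not complete
    ap.eap_response(mac, "alice", "wrong-password")
    after_failure = ap.forward_data(mac, b"GET / HTTP/1.0")   # still blocked after a failed attempt
    ap.eap_response(mac, "alice", "constructed-password")
    after_success = ap.forward_data(mac, b"GET / HTTP/1.0")   # passed
    return [before, after_failure, after_success]


if __name__ == "__main__":
    print(demo())
```

The point the model makes is where the decision lives: the AP holds the gate, but the verdict comes only from the AAA server, so a failed attempt leaves the port exactly as closed as it was before association.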
-
EAP-FAST: Simple, Versatile, and Secure
EAP-FAST tunnel to AAA carries the inner authentication: OTP, MSCHAPv2, certificates, or username/password (compare EAP-TLS, PEAP-GTC, PEAP-MSCHAPv2, EAP-TTLS)
Simple: simple to deploy; no certs to provision or manage; supports secure username/password authentication
Versatile: robust support; fast roaming (CCKM); IOS local authentication; Cisco NAC; client stacks from Funk and Meetinghouse
Secure: support for multiple authentication types (OTP, MSCHAPv2, certs); open standard (on the path to RFC); supported in CCXv4
-
Management Frame Protection (MFP)
A solution for clients and infrastructure (APs)
Clients and APs add a MIC (signature) into every management frame
Anomalies are detected instantly and reported to Wireless Control Server (WCS)
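To show what the MIC on this slide buys a receiver, here is an added example that is not from the presentation and does not implement Cisco's MFP frame format or key handling (the slide does not describe them): it uses HMAC-SHA256 over a few frame fields, with a constructed key, addresses and frames, and treats a missing MIC, a wrong MIC and a reused sequence number as anomalies to report.

```python
import hashlib
import hmac
import json

COVERED_FIELDS = ("type", "bssid", "dst", "seq", "timestamp")


def compute_mic(key, frame):
    """MIC over the fields whose alteration or forgery the receiver must detect."""
    covered = {k: frame[k] for k in COVERED_FIELDS}
    payload = json.dumps(covered, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_frame(key, frame):
    """Transmit side of an MFP-capable AP or client: attach the MIC."""
    signed = dict(frame)
    signed["mic"] = compute_mic(key, frame)
    return signed


class MfpVerifier:
    """Receive-side check. Frames with a missing or wrong MIC, or a reused
    sequence number, are dropped and an anomaly report is queued for the
    management system (WCS on the slide)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}     # bssid -> highest sequence number accepted so far
        self.reports = []

    def verify(self, frame):
        mic = frame.get("mic")
        if mic is None:
            return self._anomaly(frame, "missing MIC")
        if not hmac.compare_digest(mic, compute_mic(self.key, frame)):
            return self._anomaly(frame, "invalid MIC")
        last = self.last_seq.get(frame["bssid"])
        if last is not None and frame["seq"] <= last:
            return self._anomaly(frame, "replayed sequence number")
        self.last_seq[frame["bssid"]] = frame["seq"]
        return True

    def _anomaly(self, frame, reason):
        self.reports.append({"bssid": frame["bssid"], "type": frame["type"],
                             "dst": frame.get("dst"), "reason": reason})
        return False


def demo():
    """Constructed traffic: a genuine beacon and deauth, an unsigned deauth,
    a deauth signed under the wrong key, and a replay of the genuine deauth."""
    key = b"constructed-demo-key"      # constructed; real MFP keys come from the infrastructure
    ap = "00:1a:00:00:00:01"           # constructed BSSID
    client = "00:11:22:33:44:55"       # constructed client MAC
    beacon = sign_frame(key, {"type": "beacon", "bssid": ap, "dst": "ff:ff:ff:ff:ff:ff",
                              "seq": 1, "timestamp": 1000})
    deauth = sign_frame(key, {"type": "deauth", "bssid": ap, "dst": client,
                              "seq": 2, "timestamp": 1001})
    unsigned = {"type": "deauth", "bssid": ap, "dst": client, "seq": 3, "timestamp": 1002}
    wrong_key = sign_frame(b"other-key", {"type": "deauth", "bssid": ap, "dst": client,
                                          "seq": 4, "timestamp": 1003})
    verifier = MfpVerifier(key)
    accepted = [verifier.verify(f) for f in (beacon, deauth, unsigned, wrong_key, deauth)]
    return accepted, [r["reason"] for r in verifier.reports]


if __name__ == "__main__":
    print(demo())
```

Sequence tracking matters as much as the MIC itself: a captured, correctly signed deauthentication is still a valid frame, and only the per-BSSID sequence check stops it from being accepted twice.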
-
CCX: Driving Security Standardization
CCX v1: 802.1X authentication; EAP-TLS & LEAP; Cisco pre-standard TKIP; client rogue reporting
CCX v2: WPA compliance; fast roaming with CCKM; PEAP
CCX v3: WPA2 compliance; EAP-FAST; CCKM with EAP-FAST; AES encryption
CCX v4: CCKM with EAP-TLS, PEAP; WIDS; MBSSID
CCX v5: MFP; client policies
-
Security and WLAN Clients
Trend: embedded adapters in most devices
Result: adapter reference designs in most devices
How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?
Options:
Try to standardize on adapters from one vendor
Use WPA/WPA2 extended EAP certified clients
Rely on what is available in Windows
Use a commercial supplicant suite
Support a mix of authentication types
Use Cisco Compatible Extensions (CCX) adapters
-
Cisco Security Agent (CSA): Host Intrusion Prevention System
CSA provides day zero attack protection
CSA stops day zero malicious code without reconfiguration or update
CSA has the industry's best record of stopping zero day exploits, worms, and viruses over the past 4 years:
2001: Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
2002: Sircam, Debploit, SQL Snake, Bugbear
2003: SQL Slammer, So Big, Blaster/Welchia, Fizzer
2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), buffer overflow in Workstation service (MS03-049)
2005: Internet Explorer Command Execution Vulnerability
No reconfiguration of the CSA default configuration, or update to the CSA binaries, was required
CSA wireless awareness:
Shut off multiple network interfaces
Disable ad hoc mode
Connect to only corporate SSIDs
-
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy (section divider; same content as the earlier SDN strategy slide: Keep Clients Safe, Protect the Network, Keep Clients Honest, Integrated Management)
-
Checklist for Secure Wireless LANs
Keep Clients Honest (Admission Control): Network Admission Control, guest access
Implementation Checklist:
Cisco NAC for wired and wireless
Cisco CSA
Guest: integrated captive portal with traffic tunneling
-
The Need for Admission Control
Viruses, worms, spyware, etc. continue to plague organizations
Viruses still the #1 cause of financial loss* (downtime, recovery, productivity, etc.)
Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance
Unprotected endpoint devices are often responsible for spreading infection
Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive
"Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." Burton Group
*2005 FBI/CSI Report
-
The NAC Solution
NAC Appliance: leverages Cisco Clean Access; sold as virtual or integrated appliance; self-contained product that integrates with but does not rely on partners
NAC Framework: sold through NAC-enabled products; integrated solution leveraging Cisco network and vendor products
NAC Infrastructure: offers customers a deployment timeframe choice; adapts to customers' investment protection requirements
-
CCA Network Configuration (diagram; only the labels and addresses are recoverable)
Components: Internet, ACS / DHCP, Clean Access Manager, Clean Access Server, Wireless Controller
Subnets: 192.168.1.x/24, 172.18.10.x/24, 192.168.2.x/24 (host 192.168.2.4), 10.1.1.x/24, 192.168.3.x/24
Interface host addresses shown: .1, .1, .2, .8, .9, .11, .21, .21
-
NAC2 Ubiquitous Admission Control: CTA-Capable Endpoints with NAC-Capable 802.1X Supplicants
Participants: CTA on the endpoint, Network Access Device (NAD), ACS, vendor server; EAP over 802.1X between endpoint and NAD, EAP over RADIUS between NAD and ACS, HCAP between ACS and vendor server
1. 802.1X connection setup between NAD and endpoint
2. NAD requests credentials from endpoint (EAPo802.1X); this may include user, device, and/or posture
3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)
4. NAD sends credentials to ACS (EAPoRADIUS)
5. ACS can proxy portions of posture authentication to vendor server (HCAP); user/device credentials are sent to authentication databases (LDAP, Active Directory, etc.)
6. ACS validates credentials, determines authorization rights (e.g. visitors given GUEST access, unhealthy devices given QUARANTINE access)
7. ACS sends authorization policy to NAD (VLAN assignment)
8. Host assigned VLAN, may then gain IP access (or be denied or restricted)
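Steps 5 to 8 are the policy decision. The following added example (not Cisco's code and not from the presentation) models it with stand-ins for the identity store, the vendor posture server reached over HCAP, and the NAD; the VLAN numbers, the user directory, the posture attribute names and the compliance thresholds are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

VLAN = {"CORPORATE": 10, "GUEST": 20, "QUARANTINE": 30}   # constructed VLAN numbering


@dataclass
class Credentials:
    """What the CTA/supplicant sends in step 3: identity plus posture attributes."""
    user: str
    password: str
    posture: dict = field(default_factory=dict)   # see posture() below; empty = nothing reported


def posture(av_defs_iso, patch_level):
    """Build a posture report; attribute names are this example's own."""
    return {"av_defs": date.fromisoformat(av_defs_iso), "patch_level": patch_level}


class IdentityStore:
    """Stand-in for the LDAP/Active Directory lookup in step 5."""

    def __init__(self, users):
        self.users = users   # user -> {"password": ..., "role": "employee" | "visitor"}

    def authenticate(self, user, password):
        entry = self.users.get(user)
        if entry and entry["password"] == password:
            return entry["role"]
        return None


class VendorPostureServer:
    """Stand-in for the vendor server ACS proxies posture checks to (HCAP)."""

    def __init__(self, min_av_defs, min_patch_level):
        self.min_av_defs = min_av_defs
        self.min_patch_level = min_patch_level

    def evaluate(self, report):
        if not report:
            return "Quarantine", "no posture reported (CTA missing or supplicant not NAC-capable)"
        if report.get("av_defs", date.min) < self.min_av_defs:
            return "Quarantine", "antivirus definitions out of date"
        if report.get("patch_level", 0) < self.min_patch_level:
            return "Quarantine", "OS patch level below policy"
        return "Healthy", "posture compliant"


class ACS:
    """Steps 5-7: validate identity, obtain the posture token, return the VLAN policy."""

    def __init__(self, identities, posture_server):
        self.identities = identities
        self.posture_server = posture_server

    def authorize(self, cred):
        role = self.identities.authenticate(cred.user, cred.password)
        if role is None:
            return {"result": "Access-Reject", "reason": "invalid credentials"}
        if role == "visitor":
            # Visitors are not held to corporate posture policy; they get GUEST only.
            return {"result": "Access-Accept", "vlan": VLAN["GUEST"], "reason": "visitor"}
        token, reason = self.posture_server.evaluate(cred.posture)
        if token != "Healthy":
            return {"result": "Access-Accept", "vlan": VLAN["QUARANTINE"], "reason": reason}
        return {"result": "Access-Accept", "vlan": VLAN["CORPORATE"], "reason": reason}


class NetworkAccessDevice:
    """Step 8: apply the returned policy; None means the host stays unauthorized."""

    def __init__(self, acs):
        self.acs = acs

    def admit(self, cred):
        decision = self.acs.authorize(cred)
        return decision.get("vlan") if decision["result"] == "Access-Accept" else None


def build_demo_nad():
    """Constructed directory and policy thresholds for the example."""
    ids = IdentityStore({
        "alice": {"password": "constructed-pw", "role": "employee"},
        "guest1": {"password": "constructed-guest", "role": "visitor"},
    })
    posture_server = VendorPostureServer(min_av_defs=date(2006, 4, 1), min_patch_level=10)
    return NetworkAccessDevice(ACS(ids, posture_server))


if __name__ == "__main__":
    nad = build_demo_nad()
    print(nad.admit(Credentials("alice", "constructed-pw", posture("2006-04-15", 12))))   # 10
    print(nad.admit(Credentials("alice", "constructed-pw", posture("2006-03-01", 12))))   # 30
    print(nad.admit(Credentials("guest1", "constructed-guest")))                         # 20
```

Note the ordering: identity is checked before posture, so a bad password is a reject rather than a quarantine, and an employee who reports no posture at all lands in QUARANTINE rather than being treated as healthy by default.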
-
Secure Guest Access
Captive portal native in the controller
Two options for guest access:
(1) Guest users can be placed on a guest VLAN
(2) All guest traffic is tunneled to a guest controller (switch-to-switch guest tunnel from the enterprise network to a guest controller in the DMZ)
User DB can be local or RADIUS
Robust administration: ambassador login, customizable web pages
Diagram: enterprise user on the internal SSID has the internal default gateway; guest user on the GUEST SSID has the DMZ guest controller as default gateway
-
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy (section divider; same content as the earlier SDN strategy slide: Keep Clients Safe, Protect the Network, Keep Clients Honest, Integrated Management)
-
Checklist for Secure Wireless LANs
Protect the Network (Anomaly and IDS/IPS): rogue AP detection and containment, multilayer client exclusions
Implementation Checklist:
Wireless IDS
Rogue Detect/Containment
FIPS
-
Protect the Network: wIDS Detection and Containment
HYPE: External wIDS sensors are the best way to detect and remediate all wireless attacks
REALITY: Most attacks/events occur on the AP/client channel
ROGUES and AD HOCs: detected quickly via intelligent off-channel scanning
Diagram: valid clients on 802.11a channel 152 and 802.11g channel 6; attacker on 802.11g channel 6 (on-channel attack detected); rogue AP and rogue client on 802.11a channel 153 (off-channel rogue detected, AP contains rogue client); ad hoc clients on 802.11g channel 1 (off-channel ad hoc net detected, AP contains ad hoc net); RF containment
-
A Complete Solution for Handling Rogues
1. Detect rogue AP (generate alarm)
2. Assess rogue AP (identity, location, ...)
3. Contain rogue AP
4. View historical report
Can be automated
Multiple rogues contained simultaneously
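The detect / assess / contain / report steps above, as an added example that is not part of the presentation or of WCS: results from off-channel scanning are compared with a constructed inventory of managed APs and corporate SSIDs, scored, and turned into alarms carrying a containment decision. The inventory, the RSSI threshold, the auto-containment policy and the scan records are all constructed; the code only records decisions and transmits nothing.

```python
from dataclasses import dataclass

# Constructed inventory (BSSID -> AP name) and corporate SSID list.
MANAGED_APS = {"00:1a:00:00:00:01": "ap-library-1", "00:1a:00:00:00:02": "ap-dorm-3"}
CORPORATE_SSIDS = {"campus-staff", "campus-students"}
AUTO_CONTAIN_CLASSES = {"ad-hoc", "rogue-ap-impersonating"}   # constructed policy
ON_PREMISES_RSSI = -70   # constructed threshold (dBm); stronger means likely inside the building


@dataclass
class ScanResult:
    """One BSS seen by a managed AP during off-channel scanning (constructed format)."""
    reporting_ap: str
    band: str              # "802.11a" or "802.11g"
    channel: int
    bssid: str
    ssid: str
    ibss: bool             # True for an ad hoc (IBSS) network
    rssi: int              # dBm as seen by the reporting AP
    clients: tuple = ()    # client MACs observed talking to this BSS


def classify(r):
    """Step 1, detect: managed, ad hoc, or rogue AP (with or without a corporate SSID)."""
    if r.bssid in MANAGED_APS:
        return "managed"
    if r.ibss:
        return "ad-hoc"
    if r.ssid in CORPORATE_SSIDS:
        return "rogue-ap-impersonating"    # unmanaged AP advertising one of our SSIDs
    return "rogue-ap"


def assess(r, cls):
    """Step 2, assess: severity from class, signal strength and client activity."""
    score = 0
    if cls in ("ad-hoc", "rogue-ap-impersonating"):
        score += 2
    if r.rssi >= ON_PREMISES_RSSI:
        score += 1                   # probably on premises rather than a neighbour
    if r.clients:
        score += 1                   # somebody is actually using it
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def handle_scan(results):
    """Steps 1-3 over a batch of scan results; one alarm per non-managed BSS."""
    alarms = []
    for r in results:
        cls = classify(r)
        if cls == "managed":
            continue
        severity = assess(r, cls)
        alarms.append({
            "bssid": r.bssid, "ssid": r.ssid, "class": cls, "severity": severity,
            "seen_by": r.reporting_ap, "band": r.band, "channel": r.channel,
            "clients": list(r.clients),
            # Step 3 is a decision here; issuing containment is the controller's job.
            "contain": cls in AUTO_CONTAIN_CLASSES or severity == "high",
        })
    return alarms


def history_report(alarms):
    """Step 4: summary counts for the historical report."""
    report = {"total": len(alarms), "contained": 0, "by_class": {}}
    for a in alarms:
        report["by_class"][a["class"]] = report["by_class"].get(a["class"], 0) + 1
        report["contained"] += int(a["contain"])
    return report


def demo_results():
    """Constructed scan records loosely following the slide's diagram."""
    return [
        ScanResult("ap-library-1", "802.11a", 152, "00:1a:00:00:00:01", "campus-staff", False, -40,
                   ("00:11:22:33:44:55",)),
        ScanResult("ap-library-1", "802.11a", 153, "00:de:ad:be:ef:01", "free-wifi", False, -55,
                   ("00:11:22:33:44:66",)),
        ScanResult("ap-dorm-3", "802.11g", 1, "02:ab:cd:ef:00:01", "dormnet", True, -60,
                   ("00:11:22:33:44:77", "00:11:22:33:44:88")),
        ScanResult("ap-dorm-3", "802.11g", 6, "00:de:ad:be:ef:02", "campus-staff", False, -85, ()),
    ]


if __name__ == "__main__":
    alarms = handle_scan(demo_results())
    for a in alarms:
        print(a)
    print(history_report(alarms))
```

Two of the three alarms end up flagged for containment: the ad hoc network because it is on premises with active clients, and the weak unmanaged AP because it advertises a corporate SSID, which the constructed policy treats as worth acting on regardless of signal. The plain rogue on channel 153 is recorded at medium severity for an operator to assess.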
-
Cisco WCS Centralized Security Management
Cisco Unified Wireless Network
-
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy (section divider; same content as the earlier SDN strategy slide: Keep Clients Safe, Protect the Network, Keep Clients Honest, Integrated Management)
-
Security Management
CS-MARS: network-wide anomaly detection; rules-based correlation
WCS: simple, powerful dashboard; robust reporting
-
Checklist Summary
Keep Clients Safe (Endpoint Protection: strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies):
802.1X (EAP)
WPA2 (AES) or WPA (TKIP)
Management Frame Protection
Cisco CSA
Keep Clients Honest (Admission Control: Network Admission Control, guest access):
Cisco NAC for wired and wireless
Cisco CSA
Guest: integrated captive portal with traffic tunneling
Protect the Network (Anomaly and IDS/IPS: rogue AP detection and containment, multilayer client exclusions):
Wireless IDS
Rogue Detect/Contain
FIPS
-
Deployment Example
2005 Cisco Systems, Inc. All rights reserved.
-
Education: Campus-Wide Connectivity
Most U.S. college campuses have either deployed or are planning to deploy a WLAN
Cheaper than wiring the campus
Ubiquitous coverage increases value of the network
Users more likely to bring their laptops when they have confidence about wireless coverage
Makes students less likely to set up a rogue AP in their dorm
-
Education Deployment Example
Collaborative learning applications aid students and teachers
Staff: requirement to access student records and other sensitive data over WLAN
Deployment Goals:
Non-standardized client environment for students
Students: user authentication only
Staff: user authentication and data confidentiality
Non-standardized client environment for students means:
Students are allowed to bring any device
Students could be using any OS
Students could be using any vendor WLAN NIC
Standardized device (OS and WLAN NIC) for staff
-
Education Deployment Example, Cont'd
Open with MAC address authentication along with web-based authentication deployed for students
Data confidentiality not provided to students due to non-standardized client environment
Client devices for staff standardized on Windows XP and 2000 with Cisco PCM350 and CB21AG client adapters
EAP-FAST with WPA deployed for staff to provide user-based authentication and data confidentiality
-
Education Deployment Example, Cont'd
Centralized WLAN deployment provides a scalable WLAN deployment model
May use Cisco Clean Access to mitigate DoS attacks and viruses from infected WLAN hosts
Deploy WLAN intrusion detection (rogue AP, excess management frame detection, etc.)
Use separate VLANs/SSIDs for student and staff WLAN access
Student WLAN configured for open access with web authentication
Staff WLAN configured for EAP authentication, using an EAP type which is compatible with deployed staff client devices
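The design on the last three slides can be written down as data and checked against the stated goals: user authentication for everyone, confidentiality only for staff, separate VLANs/SSIDs per population, and an EAP type the standardized staff clients support. This added example is not from the presentation; the Wlan format, the SSID names, the VLAN numbers and the staff client capability table are assumptions made for the example, not vendor data.

```python
from dataclasses import dataclass, field


@dataclass
class Wlan:
    """One SSID in the design (constructed format)."""
    ssid: str
    vlan: int
    population: str                            # "students" or "staff"
    auth: set = field(default_factory=set)     # subset of {"mac", "web", "eap"}; empty = open
    eap_type: str = ""
    encryption: str = "none"                   # "none", "wpa-tkip" or "wpa2-aes"


# Goals from the slides: everybody authenticates; only staff get confidentiality.
GOALS = {"students": {"confidentiality": False}, "staff": {"confidentiality": True}}

# Assumed capability table for the standardized staff build (Windows XP/2000 with
# PCM350 / CB21AG adapters on the slide). Constructed for the example.
STAFF_CLIENT_SUPPORT = {"eap_types": {"EAP-FAST", "LEAP", "PEAP", "EAP-TLS"},
                        "encryption": {"wpa-tkip", "wpa2-aes"}}


def validate_design(wlans):
    """Return a list of findings; an empty list means the design meets the goals."""
    findings = []
    if len({w.ssid for w in wlans}) != len(wlans):
        findings.append("duplicate SSID names")
    populations_per_vlan = {}
    for w in wlans:
        populations_per_vlan.setdefault(w.vlan, set()).add(w.population)
    for vlan, pops in sorted(populations_per_vlan.items()):
        if len(pops) > 1:
            findings.append(f"VLAN {vlan} carries {sorted(pops)}: student and staff "
                            "traffic must be on separate VLANs/SSIDs")
    for w in wlans:
        goal = GOALS.get(w.population)
        if goal is None:
            findings.append(f"{w.ssid}: unknown population {w.population!r}")
            continue
        # MAC filtering identifies a device, not a user: web or EAP is needed for user auth.
        if not (w.auth & {"web", "eap"}):
            findings.append(f"{w.ssid}: no user authentication (web or EAP) configured")
        if goal["confidentiality"] and w.encryption == "none":
            findings.append(f"{w.ssid}: {w.population} require data confidentiality, "
                            "no encryption configured")
        if w.population == "staff":
            if "eap" not in w.auth:
                findings.append(f"{w.ssid}: staff WLAN must use EAP authentication")
            elif w.eap_type not in STAFF_CLIENT_SUPPORT["eap_types"]:
                findings.append(f"{w.ssid}: EAP type {w.eap_type!r} not supported by the "
                                "standardized staff clients")
            if w.encryption != "none" and w.encryption not in STAFF_CLIENT_SUPPORT["encryption"]:
                findings.append(f"{w.ssid}: encryption {w.encryption!r} not supported by the "
                                "standardized staff clients")
        if w.population == "students" and "eap" in w.auth:
            findings.append(f"{w.ssid}: EAP cannot be supported uniformly on a non-standardized "
                            "student client base; use web authentication")
    return findings


def slide_design():
    """The configuration the slides describe, in this example's format (VLAN numbers constructed)."""
    return [
        Wlan("campus-students", 100, "students", auth={"mac", "web"}),
        Wlan("campus-staff", 200, "staff", auth={"eap"}, eap_type="EAP-FAST", encryption="wpa-tkip"),
    ]


if __name__ == "__main__":
    print(validate_design(slide_design()) or "design meets the stated goals")
```

Running the checker against a deliberately wrong variant (both SSIDs on one VLAN, students on MAC filtering alone, staff without encryption) produces one finding per violated goal, which is the form a design review of this kind of deployment should take.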
-
Why Cisco?
-
The WLAN Market Leader
Chart: WLAN market share by vendor (Cisco, Symbol, Aruba, 3Com, Alcatel, Bluesocket, Other) for 3Q04, 4Q04, 1Q05, 2Q05; Cisco's bars are labelled 57.9% and 61.4%; the other labels shown are 12.6%, 10.4%, 3.1%, 4.5%, 3.1%, 3.1%, 0.4%, 1.2%, 1.6%, 1.3%, 21%, 18%
61% WLAN market share
4X the size of the nearest competitor
Continued focus on WLAN growth
Top 3 Cisco Advanced Technology
$100M/year investment in wireless R&D
-
Proven Customer Track Record
2.1+ million Cisco APs deployed worldwide
70,000+ Cisco WLAN customers worldwide
95% of Fortune 500 companies use Cisco products
45,000+ dual-band APs: largest Cisco deployment, with Home Depot
Cisco ranked Top 10 Most Powerful Networking Company by Network World
Cisco #1 for Innovations in IT by InformationWeek 500
-
Shaping the Industry
Wi-Fi Alliance founding member
Initial author of 802.11 and LWAPP (and subsequent resources on the subject)
Chair of numerous IEEE committees (802.11i, 802.11r, 802.11m)
Founding contributors to Network World's Wireless Wizards column
Award-winning CCIE program
-
The Right Pieces for Success
Global Support Organization: 24-hour, global access to a team of expert engineers; geographic coverage in 120 countries; Technical Support Services with 390+ CCIEs; onsite field engineers
Global Partnerships: 200,000 worldwide partners; 4000 specialization badges; IBM, Intel, HP, EDS, CG&Y, Microsoft
Full Services Portfolio, Lifecycle Support: Advisory Services, Advanced Services, Technical Support Services
-
Most Publicly Recognized Industry Platform
Product awards
Best of Show
Recommended
Head-to-head bakeoffs
-
The Cisco Wireless Strategy
Enabling the Secure, Mobile, Interactive Workplace
Unification, Investment Protection, Innovation
-
Education
Campus-wide connectivity
Cheaper than wiring the campus
Ubiquitous coverage increases value of the network
Increased network security by reducing student rogue APs
Multipurpose WLAN for students, faculty, staff and business operations