accs ciscowlan security 04-19-06

Upload: rafael-johnston-alonso

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 ACCS CiscoWLAN Security 04-19-06

    1/41

    Cisco Confidential

    Wireless LAN Security

    Jim Tucker (Cisco), Account Manager, Norfolk
    Scott Clayton (Cisco), Systems Engineer, Richmond
    Dave Fraser (Cisco), Systems Engineer, Herndon
    Jason (Jed) Krisch (ALI), Systems Engineer, Blacksburg
    2/41

    Agenda

    Self-Defending Network Strategy
    Deployment Example
    Why Cisco?

    3/41

    Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

    Self-Defending Network: an initiative (Cisco strategy) to dramatically improve the network's ability to identify, prevent, and adapt to threats

    Keep Clients Safe (Endpoint Protection): Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies
    Protect the Network (Anomaly and IDS/IPS): Rogue AP detection and containment, Multilayer client exclusions
    Keep Clients Honest (Admission Control): Network Admission Control, Guest Access
    Integrated Management

    4/41

    Checklist for Secure Wireless LANs

    Implementation Checklist, Keep Clients Safe (Endpoint Protection: Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies):
    802.1X (EAP)
    WPA2 (AES) or WPA (TKIP)
    Management Frame Protection
    Cisco CSA

    5/41

    Protected Access

    Gold: WPA2/802.11i, EAP, AES
    Silver: WPA, EAP, TKIP
    Lead: dWEP (legacy), EAP/LEAP, VLANs + ACLs

    What are WPA and WPA2?
    Authentication and encryption standards for Wi-Fi clients and APs
    802.1X authentication
    WPA uses TKIP encryption
    WPA2 uses AES encryption

    Which should I use?
    Go for the Gold! Silver, if you have legacy clients. Lead, if you absolutely have no other choice.

    6/41

    How does Extensible Authentication Protocol (EAP) Authenticate Clients?

    Diagram: WLAN Client, Access Point/Controller, RADIUS server, Corporate Network; EAP runs over 802.1X between the client and the AP/controller and over RADIUS between the AP/controller and the RADIUS server

    Client associates: cannot send data until EAP authentication is complete; data from the client is blocked by the AP
    EAP authentication complete: client sends data; data from the client is passed by the AP

    7/41

    EAP-FAST: Simple, Versatile, and Secure

    Diagram: EAP-TLS, PEAP-GTC, PEAP-MSCHAPv2 and EAP-TTLS beside the EAP-FAST tunnel to AAA, carrying inner methods OTP, MSCHAPv2, Certs, UID/PW

    Simple: Simple to deploy; no certs to provision or manage; supports secure username/password authentication
    Versatile: Robust support; Fast Roaming (CCKM); IOS Local Authentication; Cisco NAC; client stacks from Funk and Meetinghouse
    Secure: Support for multiple authentication types (OTP, MSCHAPv2, Certs); open standard (on the path to RFC); supported in CCXv4

    8/41

    9/41

    Management Frame Protection (MFP)

    A solution for clients and infrastructure (APs)
    Clients and APs add a MIC (signature) into every management frame
    Anomalies are detected instantly and reported to Wireless Control Server (WCS)

    Diagram: MFP Protected
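The MIC check the slide describes, worked as an added example that is not part of the original deck and is not Cisco's MFP implementation: an AP keys a MIC over the fields of each management frame, and a detector that shares the key flags frames whose MIC is missing, wrong, or reused, which is what turns a forged deauthentication or disassociation into a reportable anomaly. HMAC-SHA256 truncated to 8 bytes, the field layout, the per-BSSID sequence counter, the key and all MAC addresses are assumptions constructed for the illustration; the deck does not say which algorithm MFP uses.

```python
import hashlib
import hmac
import struct

# 802.11 management frame subtype values for the constructed frames below.
MGMT_SUBTYPES = {"beacon": 8, "probe_resp": 5, "disassoc": 10, "deauth": 12}


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mic_input(frame):
    # Canonical byte string over the fields a forger would need to control:
    # subtype, BSSID, destination, a per-BSSID sequence number and the body.
    return (
        struct.pack("<B", MGMT_SUBTYPES[frame["subtype"]])
        + _mac_bytes(frame["bssid"])
        + _mac_bytes(frame["dst"])
        + struct.pack("<Q", frame["seq"])
        + frame["body"]
    )


def _compute_mic(frame, key):
    # Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the real MFP MIC.
    return hmac.new(key, _mic_input(frame), hashlib.sha256).digest()[:8]


def protect(frame, key):
    """AP side: return a copy of the frame carrying an MFP MIC."""
    protected = dict(frame)
    protected["mic"] = _compute_mic(frame, key)
    return protected


class MfpDetector:
    """Verifier side: checks the MIC and rejects reuse of an already-seen sequence number."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # bssid -> highest sequence number accepted so far
        self.alarms = []    # (subtype, bssid, reason) tuples that would be reported to WCS

    def check(self, frame):
        mic = frame.get("mic")
        if mic is None:
            return self._alarm(frame, "missing MIC")
        if not hmac.compare_digest(mic, _compute_mic(frame, self.key)):
            return self._alarm(frame, "invalid MIC")
        if frame["seq"] <= self.last_seq.get(frame["bssid"], -1):
            return self._alarm(frame, "replayed MIC")
        self.last_seq[frame["bssid"]] = frame["seq"]
        return "ok"

    def _alarm(self, frame, reason):
        self.alarms.append((frame["subtype"], frame["bssid"], reason))
        return reason


def run_demo():
    """Feed constructed frames through the detector and return the verdict for each."""
    key = b"constructed-mfp-key-not-a-real-one"   # constructed, shared by AP and detector
    ap = "00:0b:85:aa:00:01"                      # constructed BSSID of the managed AP
    client = "00:13:ce:12:34:56"                  # constructed client MAC
    broadcast = "ff:ff:ff:ff:ff:ff"
    detector = MfpDetector(key)

    beacon = protect({"subtype": "beacon", "bssid": ap, "dst": broadcast, "seq": 1, "body": b"ESSID"}, key)
    deauth = protect({"subtype": "deauth", "bssid": ap, "dst": client, "seq": 2, "body": b"\x03\x00"}, key)
    forged_no_mic = {"subtype": "deauth", "bssid": ap, "dst": client, "seq": 3, "body": b"\x03\x00"}
    forged_bad_mic = dict(forged_no_mic, seq=4, mic=b"\x00" * 8)

    return [
        detector.check(beacon),
        detector.check(deauth),
        detector.check(forged_no_mic),   # spoofed frame with no MIC at all
        detector.check(forged_bad_mic),  # MIC present but not keyed correctly
        detector.check(deauth),          # legitimate frame captured and resent
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The three alarm reasons map onto the anomalies the slide says are reported to WCS: a frame with no MIC, a frame whose MIC does not verify, and a replay of a genuine frame. The sequence counter is what makes the third case detectable; without it a captured, correctly-signed deauth could be resent indefinitely.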

    10/41

    CCX: Driving Security Standardization

    CCX v1: 802.1X authentication; EAP-TLS & LEAP; Cisco pre-standard TKIP; client rogue reporting
    CCX v2: WPA compliance; Fast Roaming with CCKM; PEAP
    CCX v3: WPA2 compliance; EAP-FAST; CCKM with EAP-FAST; AES encryption
    CCX v4: CCKM with EAP-TLS, PEAP; WIDS; MBSSID
    CCX v5: MFP; Client Policies

    11/41

    Security and WLAN Clients

    Trend: Embedded adapters in most devices
    Result: Adapter reference designs in most devices

    How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?

    Options:
    Try to standardize on adapters from one vendor
    Use WPA/WPA2 extended EAP certified clients
    Rely on what is available in Windows
    Use a commercial supplicant suite
    Support a mix of authentication types
    Use Cisco Compatible Extensions (CCX) adapters

    12/41

    Cisco Security Agent (CSA): Host Intrusion Prevention System

    CSA Provides Day Zero Attack Protection
    CSA stops day zero malicious code without reconfiguration or update.
    CSA has the industry's best record of stopping zero-day exploits, worms, and viruses over the past 4 years:
    2001: Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
    2002: Sircam, Debploit, SQL Snake, Bugbear
    2003: SQL Slammer, So Big, Blaster/Welchia, Fizzer
    2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), buffer overflow in Workstation service (MS03-049)
    2005: Internet Explorer Command Execution Vulnerability
    No reconfiguration of the CSA default configuration, or update to the CSA binaries, was required.

    CSA Wireless Awareness
    Shut off multiple network interfaces
    Disable Ad Hoc mode
    Connect to only corporate SSIDs

    13/41

    Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

    Self-Defending Network: Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats
    Keep Clients Safe (Endpoint Protection); Protect the Network (Anomaly and IDS/IPS); Keep Clients Honest (Admission Control); Integrated Management

    14/41

    Checklist for Secure Wireless LANs

    Implementation Checklist, Keep Clients Honest (Admission Control: Network Admission Control, Guest Access):
    Cisco NAC for wired and wireless
    Cisco CSA
    Guest: Integrated captive portal w/ traffic tunneling

    15/41

    The Need for Admission Control

    Viruses, worms, spyware, etc. continue to plague organizations
    Viruses still #1 cause of financial loss* (downtime, recovery, productivity, etc.)
    Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance
    Unprotected endpoint devices are often responsible for spreading infection
    Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive

    "Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." Burton Group

    *2005 FBI/CSI Report

    16/41

    The NAC Solution

    NAC Appliance: Leverages Cisco Clean Access; sold as virtual or integrated appliance; self-contained product that integrates with but does not rely on partners
    NAC Framework (NAC Infrastructure): Sold through NAC-enabled products; integrated solution leveraging Cisco network and vendor products
    Offers customers a deployment timeframe choice; adapts to customers' investment protection requirements

    17/41

    CCA Network Configuration

    Diagram: Internet, ACS / DHCP, Clean Access Manager, Wireless Controller and Clean Access Server connected across subnets 192.168.1.x/24, 172.18.10.x/24, 192.168.2.x/24 (192.168.2.4), 10.1.1.x/24 and 192.168.3.x/24; host addresses labelled .1, .1, .9, .2, .11, .21, .8, .21

    18/41

    NAC2 Ubiquitous Admission Control: CTA-Capable Endpoints with NAC-Capable 802.1X Supplicants

    Diagram: CTA (endpoint), Network Access Device (NAD), Network ACS, Vendor Server; 802.1X / EAPo802.1X between endpoint and NAD, EAPoRADIUS between NAD and ACS, HCAP between ACS and vendor server; steps 1 to 8 as listed below

    1. 802.1X connection setup between NAD and endpoint
    2. NAD requests credentials from endpoint (EAPo802.1X); this may include user, device, and/or posture
    3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)
    4. NAD sends credentials to ACS (EAPoRADIUS)
    5. ACS can proxy portions of posture authentication to vendor server (HCAP); user/device credentials sent to authentication databases (LDAP, Active Directory, etc.)
    6. ACS validates credentials, determines authorization rights (e.g. visitors given GUEST access, unhealthy devices given QUARANTINE access)
    7. ACS sends authorization policy to NAD (VLAN assignment)
    8. Host assigned VLAN, may then gain IP access (or denied, restricted)
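The eight-step admission flow above and the EAP gate on slide 6, worked as one added example that is not from the deck and is not Cisco's ACS or controller code: a simulated NAD keeps the 802.1X port unauthorized and drops client data until the ACS returns a decision, and the ACS grants HEALTHY, QUARANTINE or GUEST access with a VLAN assignment. The user store, the posture rule (antivirus enabled and at least version 5), the VLAN numbers, the endpoint names and the MAC addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user store standing in for the LDAP / Active Directory behind ACS.
USER_DB = {"alice": "corp-pw-1", "bob": "corp-pw-2"}

# Constructed posture policy: antivirus must be enabled and at least this version.
REQUIRED_AV_VERSION = 5

# Constructed VLAN assignments returned in the authorization policy (step 7).
VLAN_FOR_ROLE = {"HEALTHY": 10, "GUEST": 30, "QUARANTINE": 99}


@dataclass(frozen=True)
class Posture:
    av_enabled: bool
    av_version: int


@dataclass(frozen=True)
class Credentials:
    username: Optional[str]   # None models a visitor with no corporate account
    password: Optional[str]
    posture: Posture          # collected by the CTA on the endpoint


class Acs:
    """Steps 5-6: validate user credentials and posture, then decide the authorization policy."""

    def authenticate(self, creds):
        if creds.username is None:
            role = "GUEST"
        elif USER_DB.get(creds.username) != creds.password:
            return {"result": "reject", "role": None, "vlan": None}
        elif not creds.posture.av_enabled or creds.posture.av_version < REQUIRED_AV_VERSION:
            role = "QUARANTINE"
        else:
            role = "HEALTHY"
        return {"result": "accept", "role": role, "vlan": VLAN_FOR_ROLE[role]}


class Nad:
    """Network access device (AP/controller): the 802.1X port stays closed to data
    until the ACS has returned a decision, then carries the assigned VLAN."""

    def __init__(self, acs):
        self.acs = acs
        self.ports = {}      # endpoint MAC -> port state
        self.forwarded = []  # (mac, vlan, payload) frames let through

    def connect(self, mac):
        # Step 1: 802.1X connection set up; the port starts in the unauthorized state.
        self.ports[mac] = {"authorized": False, "vlan": None, "role": None}

    def eap_exchange(self, mac, creds):
        # Steps 2-4: NAD requests credentials (EAPo802.1X) and relays them to ACS (EAPoRADIUS).
        decision = self.acs.authenticate(creds)
        if decision["result"] == "accept":
            # Steps 7-8: apply the VLAN assignment; the host may now gain IP access.
            self.ports[mac].update(authorized=True, vlan=decision["vlan"], role=decision["role"])
        return decision

    def send_data(self, mac, payload):
        port = self.ports[mac]
        if not port["authorized"]:
            return "blocked"          # data from the client is dropped by the AP
        self.forwarded.append((mac, port["vlan"], payload))
        return "forwarded on VLAN %d" % port["vlan"]


def run_scenario():
    """Run four constructed endpoints through the flow and return what the NAD did with their data."""
    nad = Nad(Acs())
    healthy = Posture(av_enabled=True, av_version=6)
    stale = Posture(av_enabled=True, av_version=3)
    endpoints = {
        "alice": ("00:13:ce:00:00:01", Credentials("alice", "corp-pw-1", healthy)),
        "bob": ("00:13:ce:00:00:02", Credentials("bob", "corp-pw-2", stale)),
        "visitor": ("00:13:ce:00:00:03", Credentials(None, None, healthy)),
        "mallory": ("00:13:ce:00:00:04", Credentials("alice", "guessed-pw", healthy)),
    }
    results = {}
    for name, (mac, creds) in endpoints.items():
        nad.connect(mac)
        if name == "alice":
            results["pre_auth"] = nad.send_data(mac, b"early data")  # before EAP completes
        nad.eap_exchange(mac, creds)
        results[name] = nad.send_data(mac, b"hello")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point the simulation makes is that the NAD never evaluates credentials or posture itself; it only enforces the port state and the VLAN the ACS hands back, so a stale-antivirus host with a valid password still lands on the quarantine VLAN rather than the corporate one.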

    19/41

    Secure Guest Access

    Captive portal native in the controller
    Two options for guest access:
    (1) Guest users can be placed on guest VLAN
    (2) All guest traffic is tunneled to a guest controller
    User DB can be local or RADIUS
    Robust administration: Ambassador login; customizable web pages

    Diagram: Enterprise user and Guest user on the Enterprise Network, with per-SSID client default gateway (= Internal, = GUEST); switch-to-switch guest tunnel to a DMZ guest controller

    20/41

    Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

    Self-Defending Network: Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats
    Keep Clients Safe (Endpoint Protection); Protect the Network (Anomaly and IDS/IPS); Keep Clients Honest (Admission Control); Integrated Management

    21/41

    Checklist for Secure Wireless LANs

    Implementation Checklist, Protect the Network (Anomaly and IDS/IPS: Rogue AP detection and containment, Multilayer client exclusions):
    Wireless IDS
    Rogue Detect/Containment
    FIPS

    22/41

    Protect the Network: wIDS Detection and Containment

    HYPE: External wIDS sensors are the best way to detect and remediate all wireless attacks
    REALITY: Most attacks/events occur on the AP/Client channel
    ROGUES and AD HOCs: Detected quickly via intelligent off channel scanning

    Diagram: Valid client on 802.11a channel 152; valid client and attacker on 802.11g channel 6; rogue AP and rogue client on 802.11a channel 153; ad hoc clients on 802.11g channel 1; RF Containment
    Captions: On-channel attack detected; off channel rogue detected, AP contains rogue client; off channel ad hoc net detected, AP contains ad hoc net

    23/41

    A Complete Solution for Handling Rogues

    1. Detect Rogue AP (generate alarm)
    2. Assess Rogue AP (identity, location, ..)
    3. Contain Rogue AP
    4. View Historical Report

    Can be automated
    Multiple rogues contained simultaneously

    24/41

    Cisco WCS Centralized Security Management

    Cisco Unified Wireless Network

    25/41

    Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

    Self-Defending Network: Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats
    Keep Clients Safe (Endpoint Protection); Protect the Network (Anomaly and IDS/IPS); Keep Clients Honest (Admission Control); Integrated Management

    26/41

    Security Management

    CS-MARS: Network-wide anomaly detection; rules-based correlation
    WCS: Simple, powerful dashboard; robust reporting

    27/41

    Checklist Summary

    Keep Clients Safe (Endpoint Protection: Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies): 802.1X (EAP); WPA2 (AES) or WPA (TKIP); Management Frame Protection; Cisco CSA
    Keep Clients Honest (Admission Control: Network Admission Control, Guest Access): Cisco NAC for wired and wireless; Cisco CSA; Guest: integrated captive portal w/ traffic tunneling
    Protect the Network (Anomaly and IDS/IPS: Rogue AP detection and containment, Multilayer client exclusions): Wireless IDS; Rogue Detect/Contain; FIPS

    28/41

    Deployment Example

    2005 Cisco Systems, Inc. All rights reserved.

    29/41

    Education: Campus-Wide Connectivity

    Most U.S. college campuses have either deployed or are planning to deploy a WLAN
    Cheaper than wiring the campus
    Ubiquitous coverage increases value of the network
    Users more likely to bring their laptops when they have confidence about wireless coverage
    Makes students less likely to set up a rogue AP in their dorm

    30/41

    Education Deployment Example

    Collaborative learning applications aid students and teachers
    Staff: Requirement to access student records and other sensitive data over WLAN

    Deployment Goals:
    Non-standardized client environment for students
    Students: User authentication only
    Staff: User authentication and data confidentiality

    Non-standardized client environment for students means:
    Students are allowed to bring any device
    Students could be using any OS
    Students could be using any vendor WLAN NIC
    Standardized device (OS and WLAN NIC) for staff

    31/41

    Education Deployment Example Cont'd

    Open with MAC address authentication along with web-based authentication deployed for students
    Data confidentiality not provided to students due to non-standardized client environment
    Client devices for staff standardized on Windows XP and 2000 with Cisco PCM350 and CB21AG client adapters
    EAP-FAST with WPA deployed for staff to provide user-based authentication and data confidentiality

    32/41

    Education Deployment Example Cont'd.

    Centralized WLAN deployment provides a scalable WLAN deployment model
    May use Cisco Clean Access to mitigate DoS attacks and viruses from infected WLAN hosts
    Deploy WLAN intrusion detection (rogue AP, excess management frame detection, etc.)
    Use separate VLANs/SSIDs for student and staff WLAN access
    Student WLAN configured for open access with web authentication
    Staff WLAN configured for EAP authentication, using an EAP type which is compatible with deployed staff client devices

    33/41

    Why Cisco?

    34/41

    The WLAN Market Leader

    Chart: WLAN market share by vendor (Cisco, Symbol, Aruba, 3Com, Alcatel, Bluesocket, Other) for 3Q04, 4Q04, 1Q05 and 2Q05, y-axis 0% to 70%; the largest bars (Cisco) are labelled 57.9% and 61.4%, all other vendors at or below 21%

    61% WLAN market share
    4X the size of nearest competitor
    Continued focus on WLAN growth
    Top 3 Cisco Advanced Technology
    $100M/year investment in wireless R&D

    35/41

    Proven Customer Track Record

    2.1+ million Cisco APs deployed worldwide
    70,000+ Cisco WLAN customers worldwide
    95% of Fortune 500 companies use Cisco products
    45,000+ dual-band APs: largest Cisco deployment, with Home Depot
    Cisco ranked Top 10 Most Powerful Networking Company by Network World
    Cisco #1 for Innovations in IT by InformationWeek 500

    36/41

    Shaping the Industry

    Wi-Fi Alliance founding member
    Initial author of 802.11 and LWAPP (and subsequent resources on the subject)
    Chair of numerous IEEE committees (802.11i, 802.11r, 802.11m)
    Founding contributors to Network World's Wireless Wizards column
    Award-winning CCIE Program

    37/41

    The Right Pieces for Success

    Global Support Organization: 24-hour, global access to a team of expert engineers; 120 countries geographic coverage; Technical Support Services - 390+ CCIEs; onsite field engineers
    Global Partnerships: 200,000 worldwide partners; 4000 specialization badges; IBM, Intel, HP, EDS, CG&Y, Microsoft
    Full Services Portfolio - Lifecycle Support: Advisory Services; Advanced Services; Technical Support Services

    38/41

    Most Publicly Recognized Industry Platform

    Product Awards
    Best of Show
    Recommended
    Head-to-Head Bakeoffs

    39/41

    The Cisco Wireless Strategy

    Enabling the Secure, Mobile, Interactive Workplace
    Unification; Investment Protection; Innovation

    40/41

    Education

    Campus-wide connectivity
    Cheaper than wiring the campus
    Ubiquitous coverage increases value of the network
    Increased network security by reducing student rogue APs
    Multipurpose WLAN for students, faculty, staff and business operations

    41/41