Connecting & Securing Syria’s Refugees Rakesh Bharania, NCE Cisco Tactical Operations NetHope Solutions Center 1 December 2016 NetHope Emergency Response


Page 1: Connecting & Securing Syria’s Refugees solutionscenter.nethope.org/assets/collaterals/NH... Android malware is the number one threat. Example Android malware: Kemoge (android rootkit),

Connecting & Securing Syria’s Refugees

Rakesh Bharania, NCE

Cisco Tactical Operations

NetHope Solutions Center

1 December 2016

NetHope Emergency Response


Agenda:

Refugee Connectivity: Design for Mass Communication

Network Architectures

Built in Security and Quality

Lessons Learned


© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Principles of Mass Communication


Historically, Hastily Formed Networks (HFNs) have been deployed to support humanitarian workers only.

Relatively low number of users, small number of sites

In the refugee crisis, providing communications to a mass population was the primary goal (similar to UN ETC 2020 CwC).

Tens/hundreds of thousands of users, multiple sites, broad geography. Internet access essential for asylum applications in Greece.

This forced us to make several design assumptions…

Mass Communications: What Made This Different.


Our networks had to be …

Standardized: One design that could be replicated multiple times across dozens of locations.

Portable: The smaller/lighter the hardware, the easier it was to transport and deploy.

Supportable: Ensure the networks could be supported and managed over the long term with few resources on the ground.

Equitable: Networks had to support the maximum number of users, prevent “super users” from using too much bandwidth. Consider social dynamics (ensure gender equity, etc)

Designing Networks Differently


To support large numbers of users over a long duration, we needed…

Advanced Cybersecurity – advanced threat protection for refugee and humanitarian worker devices, even though we had no ability to enforce policy on any device.

Content Management – Block malware sites, peer-to-peer (network stability), adult content (cultural/social)

Traffic Shaping / QoS - Prioritize voice/video traffic to ensure quality

Rate Limiting – Allow software updates to download w/o saturating network

Network management – networks continually managed for performance, break/fix with little/no persistent on-site staff

We couldn’t use “dumb pipe” networks.


Network Design


[Network diagram. Labels: Internet uplinks (DSL – 4 Mbps x 1 Mbps; Tooway VSAT – 10 Mbps x 1 Mbps, ground station; 3G – Cradlepoint 2100); MX64 FW/gateway; MR72 access points GRE-007-AP1 and GRE-007-AP2 (gateways); Ubiquiti M5 links. Second set of labels: Internet DSL – 4 Mbps x 1 Mbps; MX64 FW/gateway; MR66 access points KIT-013-AP1 (Command Pole, gateway), KIT-013-AP2 (Runway Pole, repeater), KIT-013-AP3 (Wash Area, repeater), KIT-013-AP4, KIT-013-AP5 and KIT-013-AP6 (repeaters).]

Equipment:

Router – Meraki MX64: cloud managed; firewall, IPS, AMP; content filtering

Access Point – Meraki MR66/72: cloud managed; dual-band mesh; identity-based firewall

PtP Wireless – Ubiquiti M5: 5 GHz

Backhaul – Cradlepoint AER 2100: cloud managed; dual modem, multi-carrier

Eutelsat Tooway VSAT


First teams deployed: November 2015

Nine Deployment Teams (NH Teams A – I)

Total Meraki sites deployed: 62 (14 decommissioned)

Number of users supported since November 2015: 400,000+


Security


Protect the mission

Protect the vulnerable

Keep bad things out.

Keep critical services running

Know what’s happening on the network and devices

Balance security and access

Get it right every time.

Security: What are We Really Trying to Do


Humanitarian cybersecurity is different than the enterprise…


Advanced refugee protection: Meraki MX + OpenDNS

[Diagram: layered defenses between Internet threats (malware, C2/botnets, phishing) and user devices. Labels: first layer, mid layer, last layer; perimeter; endpoint; Meraki MX; sandbox; proxy; NGFW; NetFlow; AV.]

Advanced security architecture for humanitarian response.

Meraki MX Security Appliance:

• SourceFire AMP stops malware on site – 220M known malicious files, 1.5M eval daily

• Snort based IPS/IDS

• Webroot BrightCloud content filtering

OpenDNS Umbrella – DNS security in the cloud, constantly updated with botnet, malware sites in real-time.


Results – Automated, multi-layered threat defense

24/7 advanced security protection at every location, w/ real-time updates (16,000 weekly clients, 18 TB/week)

320,000 IPS block events / month (all sites)

Stopping novel/new mobile malware/rootkits without touching any client devices.

1.7-2.4 million DNS queries analyzed for threat every 24 hours. Credible threats stopped in the cloud.


What does this mean for vulnerable refugees?

Android malware is the number one threat.

Example Android malware: Kemoge (android rootkit), Triada (financial fraud malware)

We are protecting vulnerable refugees from theft of sensitive information on their devices, keeping their limited money out of the hands of organized crime.

We are protecting NetHope NGO & UN aid workers’ devices from these threats too!


Lessons Learned


Cloud management of all infrastructure is essential when you have no personnel on the ground.

Advanced security is no longer a luxury in humanitarian tech operations. Attacks are routine.

SSID naming: the special character in “#NETHOPE_FREE_WIFI” allowed the network to be easily distinguished from any other nearby network.

Mesh WLAN deployments should include no more than two repeaters per gateway access point

Consider placement of WLAN APs from a social, not just technical perspective. People tend to congregate where signal is best. Physical security concerns and equitable access.

What did we learn? (Things that worked well)
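As an added example (not part of the original slides), the mesh guideline above, no more than two repeaters per gateway access point, can be checked against a site inventory before a kit ships. The inventory format, the AP names and the choice to count multi-hop repeaters toward their upstream gateway are assumptions made for this example.

```python
from collections import defaultdict

MAX_REPEATERS_PER_GATEWAY = 2  # limit stated in the lessons learned

# Constructed inventory (hypothetical names): AP name, role, mesh parent.
INVENTORY = """\
SITE-A-AP1 gateway  -
SITE-A-AP2 repeater SITE-A-AP1
SITE-A-AP3 repeater SITE-A-AP2
SITE-A-AP4 repeater SITE-A-AP1
SITE-B-AP1 gateway  -
SITE-B-AP2 repeater SITE-B-AP1
SITE-B-AP3 repeater SITE-B-AP9
"""

def parse_inventory(text):
    """Return {ap_name: (role, parent_or_None)} from whitespace-separated lines."""
    aps = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, role, parent = line.split()
        aps[name] = (role.lower(), None if parent == "-" else parent)
    return aps

def find_gateway(aps, name):
    """Follow mesh parents until a gateway is reached; None if orphaned or looped."""
    seen = set()
    while name in aps and name not in seen:
        seen.add(name)
        role, parent = aps[name]
        if role == "gateway":
            return name
        name = parent
    return None

def lint_mesh(aps, limit=MAX_REPEATERS_PER_GATEWAY):
    """Return sorted findings: gateways over the limit, repeaters with no gateway."""
    per_gateway, findings = defaultdict(list), []
    for name, (role, _) in aps.items():
        if role != "repeater":
            continue
        gw = find_gateway(aps, name)
        if gw is None:
            findings.append(f"{name}: no mesh path to a gateway")
        else:
            per_gateway[gw].append(name)
    for gw, reps in per_gateway.items():
        if len(reps) > limit:
            names = ", ".join(sorted(reps))
            findings.append(f"{gw}: {len(reps)} repeaters (limit {limit}): {names}")
    return sorted(findings)
```
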


Camps grow so overbuild everything. The capacity you need today isn’t what you’ll need three months from now.

Electricity is always a challenge: people would unplug AP injectors to recharge phones. Run PoE instead of mesh to mitigate risk. UPS/power protection too – we have lost unprotected devices.

Use larger Meraki MX at larger sites – consider MX 84/100/etc at largest sites. MX64/65 not sufficient (overwhelmed CPU leads to dropped traffic) – review MX sizing guide.

What did we learn? (Challenges)


Connect with us!

On Cisco.com – www.cisco.com/go/tacops

Cisco CSR Reporting: csr.cisco.com -> “Critical human needs”

Facebook: facebook.com/cisco.tacops

Slideshare: slideshare.net/CiscoTACOPS

Twitter: @CiscoTACOPS


Thank you.