Presenters:
Scott Clayton (Cisco), Systems Engineer, Richmond, sclayton@cisco.com
Dave Fraser (Cisco), Systems Engineer, Herndon, davfrase@cisco.com
Jim Tucker (Cisco), Account Manager, Norfolk, jtucker@cisco.com
Jason (Jed) Krisch (ALI), Systems Engineer, Blacksburg, jasonk@ali-inc.com
Cisco Confidential
Agenda
Cisco strategy: an initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats
Admission Control
Endpoint Protection
Integrated Management
Implementation Checklist
- 802.1X (EAP)
- WPA2 (AES) or WPA (TKIP)
- Management Frame Protection
- Cisco CSA
Endpoint Protection
Wi-Fi Protected Access
What are WPA and WPA2?
- Authentication and encryption standards for Wi-Fi clients and APs
- Both use 802.1X authentication
- WPA uses TKIP encryption
- WPA2 uses AES encryption
Which should I use? Go for the Gold! Silver if you have legacy clients; Lead only if you absolutely have no other choice.
Tier    Standard            Authentication   Encryption / Isolation
Gold    WPA2 / 802.11i      EAP              AES
Silver  WPA                 EAP              TKIP
Lead    dynamic WEP (legacy) EAP/LEAP        VLANs + ACLs
802.1X authentication flow (diagram): the client associates; all traffic is blocked by the AP until authentication completes; the client and AP exchange EAP over 802.1X; the AP relays the exchange to the RADIUS server over RADIUS; on success the client's traffic is passed by the AP.
AAA: EAP method comparison
EAP types compared: PEAP-GTC, EAP-TLS, EAP-TTLS, PEAP-MSCHAPv2
Attributes of the highlighted method:
Simple
- Simple to deploy
- No certs to provision or manage
- Supports secure username/password authentication
Robust Support
- Fast Roaming (CCKM)
- IOS Local Authentication
- Cisco NAC
Versatile
- Support for multiple authentication types (OTP, MSCHAPv2, Certs)
Secure
- Open standard (on the path to RFC)
- Supported in CCXv4
Common Attacks: VOID11, Aireplay, File2air, Airforge, ASLEAP, Jack attacks, FakeAP, Hunter/Killer
Slide label: Cisco Protected MFP (Management Frame Protection)
Client supplicant options:
- Try to standardize on adapters from one vendor
- Use WPA/WPA2 extended-EAP certified clients
- Rely on what is available in Windows
- Use a commercial supplicant suite
- Support a mix of authentication types
- Use Cisco Compatible Extensions (CCX) adapters
No reconfiguration of the CSA default configuration, and no update to the CSA binaries, was required.
Cisco CSA
Admission Control
Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance Unprotected endpoint devices are often responsible for spreading infection
Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive
*2005 FBI/CSI Report
Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage.
Burton Group
NAC Framework
- Sold through NAC-enabled products
- Integrated solution leveraging Cisco network and vendor products
NAC Appliance
- Leverages Cisco Clean Access
- Sold as virtual or integrated appliance
- Self-contained product: integrates with but does not rely on partners
NAC Infrastructure
- Offers customers a deployment timeframe choice
- Adapts to customers' investment protection requirements
Lab topology diagram: Wireless Controller, Internet, Intranet. Subnets shown: 10.1.1.x/24, 192.168.1.x/24, 172.18.10.x/24, 172.19.10.0/24; VLANs 172 & 173; host 192.168.2.4.
NAC flow components: CTA on the endpoint, NAD (switch or controller), ACS, vendor posture server (HCAP); transports are EAPo802.1X (endpoint to NAD) and EAPoRADIUS (NAD to ACS).
1. 802.1X connection setup between NAD and endpoint
2. NAD requests credentials from endpoint (EAPo802.1X); this may include user, device, and/or posture
3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)
4. NAD sends credentials to ACS (EAPoRADIUS)
5. ACS can proxy portions of posture authentication to vendor server (HCAP)
6. User/device credentials sent to authentication databases (LDAP, Active Directory, etc.)
7. ACS sends authorization policy to NAD (VLAN assignment)
8. Host assigned VLAN, may then gain IP access (or be denied or restricted)
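The 802.1X/RADIUS flow earlier in the deck and step 7 above both end with the RADIUS server handing the NAD an authorization decision. The following is an added example, not code from the deck or from Cisco ACS: it builds the Access-Accept an ACS would send for a VLAN assignment (RFC 2868/3580 attributes Tunnel-Type=64, Tunnel-Medium-Type=65, Tunnel-Private-Group-ID=81) and shows the check a NAD must do before placing the port in that VLAN, namely recomputing the RFC 2865 Response Authenticator from the shared secret and the original Request Authenticator. The shared secret, identifier, Request Authenticator and VLAN number are constructed test values.

```python
"""NAD-side validation of a RADIUS Access-Accept carrying a VLAN assignment.

Added example (not from the Cisco deck).  Attribute numbers follow RFC 2868
and RFC 3580; the Response Authenticator follows RFC 2865.  Secret, identifier,
Request Authenticator and VLAN below are constructed test values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 3580: Tunnel-Medium-Type value for 802


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def build_access_accept(identifier, request_authenticator, secret, vlan, tag=1):
    """ACS side: Access-Accept carrying the three VLAN-assignment attributes."""
    attrs = (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
             + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
             + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def nad_authorize(packet, request_authenticator, secret):
    """NAD side: return the VLAN to assign, or None if the reply must be ignored.

    A reply whose Response Authenticator does not verify was not produced by a
    server holding the shared secret (or was altered in transit); applying its
    VLAN would let anyone on the management path grant network access.
    """
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                      # forged, replayed, or wrong shared secret
    if code != ACCESS_ACCEPT:
        return None                      # Access-Reject / Challenge carry no VLAN
    groups = {}                          # tag -> {attribute type: value}
    for atype, value in parse_attrs(attrs_raw):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = body
    for attrs in groups.values():
        ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b"\0"), "big")
        medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big")
        if (ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            return int(group) if group.isdigit() else group   # VLAN ID or VLAN name
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))          # would be random per Access-Request
    pkt = build_access_accept(7, req_auth, secret, 172)
    print("valid reply ->", nad_authorize(pkt, req_auth, secret))
    forged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # VLAN "172" altered to "173" in transit
    print("tampered reply ->", nad_authorize(forged, req_auth, secret))
```

The tampered packet is rejected before its attributes are even parsed, which is the order a NAD should keep: authenticate the reply, then act on it. The same check also catches a reply from a server configured with a different shared secret.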
Wireless IPS detection and containment (diagram):
- On-channel attack detected (802.11a, channel 153)
- Off-channel rogue detected: rogue AP; AP contains rogue client
- Off-channel ad hoc net detected (802.11g, channel 1): AP contains ad hoc net; ad hoc client
- RF Containment
3. Contain Rogue AP
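The rogue classes on the slide (on-channel versus off-channel, infrastructure AP versus ad hoc network) come straight from beacon fields a monitoring radio sees. The following is an added example, not Cisco's detection code: it parses an 802.11 beacon (24-byte MAC header, 8-byte timestamp, 2-byte interval, 2-byte capability, then information elements) and labels each BSSID relative to a monitoring AP. The authorized BSSID inventory, the monitoring channel and the beacon frames are constructed for the example; containment is a separate action that this code does not perform.

```python
"""Classify observed beacons into the rogue classes shown on the slide.

Added example, not Cisco's detection code.  Authorized BSSID list, monitoring
channel and all beacon frames are constructed for the example.
"""
import struct

AUTHORIZED_BSSIDS = {"00:0b:85:aa:bb:c1"}   # constructed inventory of our APs
MONITOR_CHANNEL = 153                       # channel the detecting radio is on

IE_SSID, IE_DS_PARAMS = 0, 3
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """Return the fields of one beacon frame; raise ValueError on malformed input."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:             # type=management, subtype=beacon
        raise ValueError("not a beacon frame")
    bssid = mac_str(frame[16:22])           # Address 3 is the BSSID in a beacon
    capability = struct.unpack("<H", frame[34:36])[0]
    ies, i = {}, 36
    while i < len(frame):
        if i + 2 > len(frame):
            raise ValueError("truncated IE header")
        eid, elen = frame[i], frame[i + 1]
        if i + 2 + elen > len(frame):
            raise ValueError("IE length exceeds frame")
        ies[eid] = frame[i + 2:i + 2 + elen]
        i += 2 + elen
    ds = ies.get(IE_DS_PARAMS, b"")
    return {
        "bssid": bssid,
        "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
        "channel": ds[0] if ds else None,   # DS Parameter Set carries the channel
        "ibss": bool(capability & CAP_IBSS),
        "privacy": bool(capability & CAP_PRIVACY),
    }


def classify(beacon, authorized=AUTHORIZED_BSSIDS, monitor_channel=MONITOR_CHANNEL):
    """Label a parsed beacon as the slide does; containment is a separate action."""
    if beacon["bssid"] in authorized:
        return "authorized"
    where = "on-channel" if beacon["channel"] == monitor_channel else "off-channel"
    kind = "ad hoc net" if beacon["ibss"] else "rogue AP"
    return f"{where} {kind}"


def build_beacon(bssid, ssid, channel, ibss=False, privacy=True):
    """Construct a beacon for testing (synthetic, not a capture)."""
    bssid_raw = bytes(int(x, 16) for x in bssid.split(":"))
    header = (b"\x80\x00" + b"\x00\x00"             # frame control, duration
              + b"\xff" * 6 + bssid_raw + bssid_raw  # DA=broadcast, SA, BSSID
              + b"\x00\x00")                         # sequence control
    cap = (CAP_IBSS if ibss else CAP_ESS) | (CAP_PRIVACY if privacy else 0)
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


if __name__ == "__main__":
    samples = [
        build_beacon("00:0b:85:aa:bb:c1", "corp", 153),
        build_beacon("00:11:22:33:44:55", "free-wifi", 153),
        build_beacon("00:11:22:33:44:66", "free-wifi", 1, privacy=False),
        build_beacon("02:de:ad:be:ef:01", "adhoc", 1, ibss=True),
    ]
    for frame in samples:
        b = parse_beacon(frame)
        print(f"{b['bssid']} ch{b['channel']:>3} {b['ssid']:<10} -> {classify(b)}")
```

A BSSID match against inventory is the only thing that makes a beacon "authorized" here; SSID is deliberately not used, because a rogue advertising the corporate SSID is exactly the case the slide's "AP contains rogue client" scenario is about.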
Security Management
CS-MARS:
- Network-wide anomaly detection
- Rules-based correlation
Checklist Summary
Requirement                     Implementation
Strong mutual authentication    802.1X (EAP)
Strong encryption               WPA2 (AES) or WPA (TKIP)
True wireless IPS               Management Frame Protection
Adaptive client policies        Cisco CSA
Admission control               Cisco NAC for wired and wireless
Endpoint protection             Cisco CSA
Guest access                    Integrated captive portal with traffic tunneling
Deployment Example
Why Cisco?
WLAN market share chart (3Q04): the Cisco bars read 61.4%, 60.0% and 57.9%; Symbol, Aruba, 3Com, Alcatel, Bluesocket and Other each hold 18% or less.
- 61% WLAN market share
- 4x the size of the nearest competitor
- Continued focus on WLAN growth
- Top 3 Cisco Advanced Technology
- $100M/year investment in wireless R&D
Global Partnerships
- 200,000 worldwide partners
- 4,000 specialization badges
- IBM, Intel, HP, EDS, CG&Y, Microsoft
Head-to-Head Bakeoffs: Best of Show; Recommended
Unification
Education
- Campus-wide connectivity
- Cheaper than wiring the campus
- Ubiquitous coverage increases the value of the network
- Increased network security by reducing student rogue APs
- Multipurpose WLAN for students, faculty, staff and business operations