Wireless Networks, Loved and Hated: How NAC Can Make the Airspace Safer

Willy Huang Product/Technical Manager Cisco Systems Taiwan Ltd. wihuang@cisco.com
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

1

Agenda

1. Wireless network security overview
2. Integrating NAC with wireless networks
3. How NAC operates on a wireless network
4. Flash demo

Wireless security myths

Myth: No Wi-Fi = good security. Wrong!
• A single rogue access point creates enormous risk
• Traditional security measures (firewall, wired IDS/IPS, VPNs, NAC, etc.) don't address it
• Often perpetrated unknowingly by your own employees

Myth: A handheld walk-around survey is sufficient (i.e. AirMagnet). Wrong!
• Would you turn on your firewall only periodically?
• Not practical for branch or remote offices with no local IT personnel
• Laborious and expensive

Myth: I use 802.11i, WPA or VPN, so my network is secure. Not at all!
• Only protects authorized clients and infrastructure
• No impact on unauthorized infrastructure (i.e. rogue APs) or unauthorized connections (i.e. ad hoc networks)

Why are wireless networks easier to attack?

Wired security can rely on physical security; wireless access reaches outside the physical or wired boundaries of the enterprise network.
• "Open air": no physical barriers to intrusion
• Standard 802.11 protocol: well-documented and well-understood; management frames are the target of the most common attacks against WLAN networks
• Unlicensed spectrum: easy access to inexpensive technology

Cisco Wireless Network Security Solution

Integrated WLAN security foundation
• Strong user authentication (Cisco EAP/EAP-FAST and 802.1X integration)
• Strong transport encryption (802.11i and WPA/WPA2)
• Wireless and NAC single sign-on
• Role-based access
• Client device validation, posture assessment and remediation

Rogue detection through automatic RF monitoring
• Detect and prevent unauthorized wireless activities

Unified wired and wireless IPS
• Threat mitigation
• Comprehensive security protection

Phased wireless network security: implementation considerations

Critical: WLAN security fundamentals
• Strong user authentication (802.1X, Cisco EAP/EAP-FAST, ACS)
• Strong transport encryption (802.11i, TKIP, WPA/WPA2)
• Detection and prevention of rogue access points, clients, special-purpose networks, DoS, etc. (audits, RF scanning, MFP, wireless IPS)

Urgent: Traffic and access control
• Device posture assessment (NAC)
• Role-based network access (NAC)
• Threat mitigation (unified wired and wireless IPS)

Recommended: Endpoint protection
• Endpoint connection policy and status (WLAN controller, NAC, MFP)
• Endpoint malware mitigation (Cisco Security Agent)
• Threat-alert distribution (Cisco Security Agent + IPS + Cisco Security MARS)

Best practice: Network visibility
• Comprehensive WLAN security management (Wireless Control System)
• Security event analysis and correlation (Cisco Security MARS)

Enterprise-grade wireless security protection

Wi-Fi Protected Access ("WPA")
• Standardized, optimized for enterprise, broad adoption, tested for interoperability
• Mandates TKIP encryption + MIC + 802.1X authentication
• Required as of Aug. '03

Authentication: 802.1X

Encryption: TKIP + MIC
• Temporal Key Integrity Protocol
• Message Integrity Check
• Successor to WEP encryption

CCX Program
• Cisco Compatible eXtensions
• Ensures interoperability for a variety of 802.1X authentication types, including LEAP & PEAP

Wireless intrusion detection and containment

[Figure: a monitoring AP with RF containment. Labels recovered from the diagram: on-channel attack detected (802.11g channel 6: attacker and valid client); off-channel rogue detected (802.11a channel 153: rogue AP and rogue client; AP contains rogue client); off-channel ad hoc net detected (802.11g channel 1: ad hoc clients; AP contains ad hoc net); valid client on 802.11a channel 152.]
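The diagram shows three verdicts a monitoring AP raises: a valid AP, an off-channel rogue AP, and an ad hoc network. The following is an added example, not code from the Cisco deck or from any Cisco product: a small classifier that derives those verdicts from the capability field and SSID element of beacons it hears, checked against an inventory of authorized BSSIDs. The inventory, BSSIDs and beacons are constructed sample data; the capability bit positions are those of the 802.11 beacon frame.

```python
# Added example, not code from the Cisco deck: classify beacons heard by a
# monitoring AP as valid AP, rogue AP or ad hoc network, on- or off-channel.
import struct
from dataclasses import dataclass

CAP_ESS = 0x0001   # capability bit: infrastructure BSS (an access point)
CAP_IBSS = 0x0002  # capability bit: independent BSS (an ad hoc network)

# Constructed inventory: the BSSIDs the WLAN controller knows about.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "corp", "channel": 6},
    "00:11:22:33:44:02": {"ssid": "corp", "channel": 152},
}


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: int
    capability: int


def make_beacon_body(capability, ssid):
    """Build a constructed beacon body: timestamp, beacon interval, capability, SSID IE."""
    ssid_bytes = ssid.encode()
    return struct.pack("<QHH", 0, 100, capability) + bytes([0, len(ssid_bytes)]) + ssid_bytes


def parse_beacon_body(bssid, channel, body):
    """Parse the fixed fields and the SSID element (element ID 0) of a beacon body."""
    capability = struct.unpack_from("<H", body, 10)[0]
    ies = body[12:]
    ssid = ""
    i = 0
    while i + 2 <= len(ies):
        eid, elen = ies[i], ies[i + 1]
        if eid == 0:
            ssid = ies[i + 2:i + 2 + elen].decode(errors="replace")
            break
        i += 2 + elen
    return Beacon(bssid, ssid, channel, capability)


def classify(beacon, observer_channel):
    """Return the verdict a monitoring AP would raise for one beacon."""
    where = "on-channel" if beacon.channel == observer_channel else "off-channel"
    if beacon.capability & CAP_IBSS:
        return f"{where} ad hoc network detected"
    known = AUTHORIZED_APS.get(beacon.bssid)
    if known is None:
        return f"{where} rogue AP detected"
    if known["ssid"] != beacon.ssid or known["channel"] != beacon.channel:
        # An authorized BSSID advertising a different SSID or channel suggests impersonation.
        return f"{where} rogue AP detected (authorized BSSID with unexpected SSID/channel)"
    return "valid AP"


def scan_report(observations, observer_channel):
    """observations: iterable of (bssid, channel, body); returns (bssid, verdict) pairs."""
    return [(bssid, classify(parse_beacon_body(bssid, ch, body), observer_channel))
            for bssid, ch, body in observations]


if __name__ == "__main__":
    sample = [
        ("00:11:22:33:44:01", 6, make_beacon_body(CAP_ESS, "corp")),
        ("66:77:88:99:aa:bb", 153, make_beacon_body(CAP_ESS, "free-wifi")),
        ("02:aa:bb:cc:dd:ee", 1, make_beacon_body(CAP_IBSS, "adhoc")),
    ]
    for bssid, verdict in scan_report(sample, observer_channel=6):
        print(bssid, verdict)
```

The classifier only detects; what the slide calls containment is a separate controller action, and in practice the inventory check should also cover the SSID list (an unknown BSSID advertising the corporate SSID is the case to alert on first).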

Cisco unified intrusion detection/prevention

Unified intrusion prevention: Layer 2 through Layer 7

Malicious traffic event and client shunning:
1. Client to access point or controller
2. Controller traffic to IPS
3. Deep packet inspection; controller queries IPS
4. Shun implemented by controller

[Figure: Cisco Access Point, Cisco WLAN Controller, Cisco ASA 5500 with IPS and the enterprise network; arrows labelled Deep Packet Inspection, Query IPS and Client Shun.]

Phased wireless network security architecture

[Figure: untrusted/public zone (Internet, guest anchor controller, Cisco ASA 5500 with IPS module); enterprise zone (WCS, Cisco NAC Appliance Server, Cisco WLAN Controller, Cisco Security MARS, Cisco NAC Appliance Manager, Cisco Security Agent server, wired network); trusted wireless zone (Cisco Access Point with 802.1X, WPA2, MFP, SSC, guest WLAN).]

Endpoint protection (Cisco Security Agent)
• Host intrusion prevention
• Endpoint malware mitigation

Traffic and access control
• Device posture assessment
• Dynamic, role-based network access and managed connectivity
• WLAN threat mitigation with IPS/IDS

WLAN security fundamentals
• Strong user authentication
• Strong transport encryption
• RF monitoring
• Secure guest access

Complete wireless security protection solution

• Physical: user and device tracking, RF coverage area and interference avoidance, rogue detection
• User/device: X.509, 802.1X (RADIUS), Web-Auth, location-based security
• Data: 802.11i, VPN
• Network/application: access control, wIDS, IDS, firewall

References

For more information about the Cisco Secure Wireless Solution, visit: http://www.cisco.com/wirelesssecurity
For more information about Cisco NAC, visit: http://www.cisco.com/go/nac
For more information about Cisco wireless products, visit: http://www.cisco.com/go/wireless
For more information about the Cisco Unified Wireless Network, visit: http://www.cisco.com/go/unifiedwireless

Agenda

1. Wireless network security overview
2. Integrating NAC with wireless networks
3. How NAC operates on a wireless network
4. Flash demo

Integrating NAC with wireless networks

Cisco NAC Appliance applications in wireless networks

• Endpoint compliance: network access only for compliant devices
• Wireless compliance: secured network access only for compliant wireless devices
• Guest compliance: restricted Internet access only for guest users
• VPN user compliance: Intranet access only for compliant remote-access users (IPSec)
• Intranet access compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc. (in-band)

[Figure: campus building 1 (802.1Q), wireless building 2, conference room in building 3, and the Internet, each connected through the NAC Appliance.]

IT staff pain points

Top customer pain points*:
• Role-based access control: Cisco NAC applies access and posture policies based on roles
• Enforce endpoint policy requirements: Cisco NAC assesses, quarantines, and remediates noncompliant endpoints
• Guests and unmanaged users: Cisco NAC authenticates and controls guest and unmanaged assets

Secured remote access, secured wireless access, secured LAN access.

* Source: Current Analysis, July 2006

Cisco NAC solves the wireless administrator's problems

• Implementing role-based access control: Cisco NAC Appliance can check a wireless user's network access rules and security policy requirements according to the user's identity.
• Handling guests and unmanaged users effectively: Cisco NAC Appliance can enforce authentication and control over wireless network access by guests and by people and devices that do not belong to the organization.
• Enforcing endpoint security policy: Cisco NAC Appliance assesses, quarantines and remediates wireless endpoints that do not meet security policy.

Source: Current Analysis, July 2006

Cisco NAC Appliance strengthens the Cisco wireless solution

Cisco NAC Appliance:
• provides an enterprise-grade NAC and centralized management solution that applies fully to LAN, WLAN, VPN and remote offices
• provides a complete NAC solution for managed and unmanaged wireless devices
• provides automatic security policy rule updates, posture validation and remediation for partner security vendors' software, and role-based access control
• provides integrated management of wired and wireless guests

Cisco wireless solution:
• provides wireless access management
• provides authentication and role-based VLAN mapping
• provides the wireless guest login web page and guest management

Cisco NAC Appliance proactively enforces security policy

All-in-one policy compliance and remediation solution:

Authentication
• Enforces authorization policies and privileges
• Supports multiple user roles

Quarantine
• Isolates non-compliant devices from the rest of the network
• MAC- and IP-based quarantine, effective at a per-user level

Vulnerability scanning & posture assessment
• Agent scan for required versions of hotfixes, AV, and other software
• Network scan for virus and worm infections and port vulnerabilities

Update & remediation
• Network-based tools for vulnerability and threat remediation
• Help-desk integration

Cisco NAC Appliance product portfolio

• Cisco NAC Appliance Manager (NAM): lets administrators and technical support staff manage NAC centrally, each according to their own privileges
• Cisco NAC Appliance Server (NAS): the network access enforcement mechanism
• Cisco NAC Appliance Agent (NAA): a free client that performs device-based registry scans and collects the device's security posture
• Rule-set updates: anti-virus, critical hot-fix and other application information can be updated automatically at the time you specify

Cisco NAC Appliance: in-band mode

• L3/L4 filtering quarantine
• Supports role-based access control
• Supports bandwidth management per user role (e.g. "Guests" or "Quarantine")
• Well suited to guest environments where port-based access control cannot be enforced: hubs, wireless APs, VoIP phones, shared media ports, non-Cisco environments

[Figure: NAC Appliance Manager and NAC Appliance Server in the traffic path.]

Cisco NAC Appliance in-band mode: guests

• Supports role-based access control: "Guest" to http/s only, "Trainee" to lab servers only
• Supports bandwidth management per user role: "Guest" has 200 kb/s downstream, "Consultant" has 400 kb/s downstream
• L3/L4 filtering quarantine for users who do not meet security policy: "Quarantine" has access to Windows Update only
• NAC Appliance Server auditing based on RADIUS authentication: records login/logout, guest billing records based on login time
• Well suited to guest environments where port-based access control cannot be enforced: hubs, wireless APs, VoIP phones, shared media ports and non-Cisco environments
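The two in-band slides describe what the NAC Appliance Server enforces per role: an L3/L4 allow-list and a downstream rate. The following is an added example, not code from the Cisco deck or the NAC Appliance, that models both with the slide's role names and rates. The destination networks are RFC 5737 documentation addresses standing in for "lab servers" and "Windows Update"; the rule format and the token-bucket shaper are this example's own design.

```python
# Added example, not code from the Cisco deck: per-role L3/L4 filtering
# (default deny) and per-role downstream bandwidth, as an in-band NAC
# enforcement point would apply them. Addresses are documentation placeholders.
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
LAB_SERVERS = ipaddress.ip_network("198.51.100.0/24")    # placeholder lab network
WINDOWS_UPDATE = ipaddress.ip_network("192.0.2.0/24")    # placeholder update servers
HTTP_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network
    proto: str           # "tcp", "udp" or "any"
    ports: frozenset     # empty set means any destination port


ROLE_POLICY = {
    "Guest":      {"downstream_kbps": 200,  "allow": [Rule(ANY_NET, "tcp", HTTP_PORTS)]},
    "Consultant": {"downstream_kbps": 400,  "allow": [Rule(ANY_NET, "any", frozenset())]},
    "Trainee":    {"downstream_kbps": None, "allow": [Rule(LAB_SERVERS, "any", frozenset())]},
    "Quarantine": {"downstream_kbps": None, "allow": [Rule(WINDOWS_UPDATE, "tcp", HTTP_PORTS)]},
}


def permitted(role, dst_ip, proto, dport):
    """L3/L4 decision for one flow: True only if a rule of the role allows it."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return False                      # unknown or unauthenticated role: deny
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy["allow"]:
        if ip in rule.dst and rule.proto in ("any", proto) and (not rule.ports or dport in rule.ports):
            return True
    return False


class DownstreamShaper:
    """Token bucket holding up to one second of the role's rate, counted in bits."""

    def __init__(self, rate_kbps):
        self.rate = rate_kbps * 1000.0
        self.tokens = self.rate
        self.last = 0.0

    def admit(self, packet_bytes, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.rate, self.tokens + elapsed * self.rate)
        self.last = now
        bits = packet_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False                      # over the role's rate: drop


def shaper_for(role):
    """Return a shaper for the role, or None when the role is not rate-limited."""
    rate = ROLE_POLICY.get(role, {}).get("downstream_kbps")
    return DownstreamShaper(rate) if rate else None


if __name__ == "__main__":
    print(permitted("Guest", "203.0.113.10", "tcp", 443))     # True
    print(permitted("Guest", "203.0.113.10", "tcp", 22))      # False
    guest = shaper_for("Guest")
    print(sum(guest.admit(1500, 0.0) for _ in range(20)))     # 16 of 20 packets in the first burst
```

The policy is default deny, so a role with no matching rule (or an unknown role) gets nothing; a deployment would add explicit rules for DNS and for the remediation servers the Quarantine role needs, rather than loosening the default.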

Agenda

1. Wireless network security overview
2. Integrating NAC with wireless networks
3. How NAC operates on a wireless network
4. Flash demo

How NAC operates on a wireless network

How Cisco NAC Appliance operates on a wireless network

[Figure: laptop (role: "Unauthenticated") on user-traffic VLAN 50; WLC; L3 switch; NAC Appliance Server as the NAC enforcement point; management VLAN 60; NAC Appliance Manager; authentication server; RADIUS accounting server; DNS server; Intranet server.]

1. The wireless user connects to the WLC via LWAPP and authenticates to the Auth Server (any authentication method, including 802.1x)
2. The wireless user obtains an IP address from the Auth Server
3. The WLC forwards the RADIUS accounting login information to the CAS
4. The wireless user opens a browser and is redirected to download the NAC Agent (if they don't already have it loaded)

How Cisco NAC Appliance operates on a wireless network (cont.)

[Figure: the same topology; laptop role: "Quarantine".]

5. The Agent queries the NAC Appliance Server to discover whether the wireless user is authenticated (which it will be, because of the RADIUS accounting previously sent)
6. The Agent performs posture assessment and forwards the results to the Server to make the network admission decision

How Cisco NAC Appliance operates on a wireless network (cont.)

[Figure: the same topology; laptop role: "Quarantine".]

8. The NAC Server forwards the posture report to the NAC Manager
9. The Manager determines that the user is NOT in compliance and instructs the Server to put the laptop into the "Quarantine" role
10. The NAC Manager sends remediation steps to the NAC Agent

10. The Agent guides remote user through step-by-step remediation with one-click update for remediation 13.168.168.168.60.3 L3 Switch IP: 192.1. The Agent informs the NAC server that the wireless user has been successfully remediated 14.168.2 User Traffic VLAN 50 Auth Server IP: 10. Inc.20.10.Cisco NAC Appliance 在無線網路的運作 cont.30 Laptop IP: 192. NAC Agent displays access time remaining in “Quarantine Role” for remote user 12.1.25 M G R NAC Appliance Manager IP: 10.20.10.1.1.1 Intranet Server IP: 10.168.2 NAC Enforcement Point DNS Server IP: 10. All rights reserved. Cisco Confidential 28 .50.10.10 NAC Appliance Server IP: 192.3 MgmtVLAN 60 192.26 11.50.1.20 Radius Accounting Server IP: 10.1. Role: “Quarantine” WLC 192. The NAC Server provides the user with an Acceptable User Policy (AUP) agreement Presentation_ID © 2006 Cisco Systems.

How Cisco NAC Appliance operates on a wireless network (cont.)

[Figure: the same topology; laptop role: "Wireless".]

15. Upon AUP acceptance, the NAC Appliance Server assigns the remote user to the "Wireless" role
16. The NAC Appliance Server puts the IP address of the remote user into the "Online User" list
17. The wireless user is now allowed to access the Intranet server
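The preceding slides walk through one client's admission from "Unauthenticated" through "Quarantine" to "Wireless". The following is an added example, not code from the Cisco deck or the NAC Appliance: a simulation of that sequence with the Server, Manager and Agent interactions modelled as plain Python objects, so the ordering constraints (no posture report before RADIUS accounting, no AUP before compliance, no online-user entry before the "Wireless" role) are explicit. The role names are the slides'; the posture checks, hotfix name, user names and addresses are constructed assumptions.

```python
# Added example, not code from the Cisco deck: the wireless NAC admission
# flow (RADIUS accounting -> Agent discovery -> posture -> Quarantine ->
# remediation -> AUP -> Wireless role -> online-user list) as a state machine.
from dataclasses import dataclass

# Constructed policy: what the NAC Manager requires the Agent to report.
MIN_AV_SIGNATURE = 1200
REQUIRED_HOTFIX = "HOTFIX-PLACEHOLDER"          # placeholder name, not a real hotfix id

INTRANET_SERVER = "intranet.example.test"       # constructed destination names
REMEDIATION_SERVER = "remediation.example.test"


@dataclass
class Endpoint:
    ip: str
    user: str
    role: str = "Unauthenticated"
    authenticated: bool = False
    compliant: bool = False


class NacManager:
    """Step 9: evaluates a posture report; returns (compliant, remediation steps)."""

    def evaluate(self, posture):
        steps = []
        if posture.get("av_signature_version", 0) < MIN_AV_SIGNATURE:
            steps.append("update antivirus signatures")
        if REQUIRED_HOTFIX not in posture.get("hotfixes", ()):
            steps.append(f"install {REQUIRED_HOTFIX}")
        return (not steps), steps


class NacServer:
    """The enforcement point: owns endpoint state, roles and the online-user list."""

    def __init__(self, manager):
        self.manager = manager
        self.endpoints = {}
        self.online_users = set()

    def radius_accounting_start(self, ip, user):
        # Step 3: the WLC's RADIUS accounting record marks the client as authenticated.
        self.endpoints[ip] = Endpoint(ip=ip, user=user, authenticated=True)

    def is_authenticated(self, ip):
        # Step 5: the Agent asks whether this client has already authenticated.
        ep = self.endpoints.get(ip)
        return bool(ep and ep.authenticated)

    def submit_posture(self, ip, posture):
        # Steps 6-10 (and 13 on re-assessment): forward the report, apply the decision.
        ep = self.endpoints.get(ip)
        if ep is None or not ep.authenticated:
            raise PermissionError("posture report from an unauthenticated client")
        ep.compliant, steps = self.manager.evaluate(posture)
        if not ep.compliant:
            ep.role = "Quarantine"
        return steps                        # Step 10: remediation steps go back to the Agent

    def accept_aup(self, ip):
        # Steps 14-16: only a compliant, authenticated client may accept the AUP.
        ep = self.endpoints.get(ip)
        if ep is None or not (ep.authenticated and ep.compliant):
            return False
        ep.role = "Wireless"
        self.online_users.add(ip)
        return True

    def permits(self, ip, destination):
        # Step 17: Quarantine reaches remediation only; Wireless reaches the Intranet.
        ep = self.endpoints.get(ip)
        if ep is None:
            return False
        if ep.role == "Quarantine":
            return destination == REMEDIATION_SERVER
        return ep.role == "Wireless" and ip in self.online_users


def run_admission(server, ip, user, first_posture, fixed_posture):
    """Drive one client through the flow; returns the sequence of roles it held."""
    server.radius_accounting_start(ip, user)
    roles = [server.endpoints[ip].role]
    if not server.is_authenticated(ip):
        raise RuntimeError("accounting record not applied")
    steps = server.submit_posture(ip, first_posture)
    roles.append(server.endpoints[ip].role)
    if steps:                               # the Agent remediates, then reports again
        server.submit_posture(ip, fixed_posture)
    server.accept_aup(ip)
    roles.append(server.endpoints[ip].role)
    return roles


if __name__ == "__main__":
    srv = NacServer(NacManager())
    stale = {"av_signature_version": 1100, "hotfixes": []}
    patched = {"av_signature_version": 1250, "hotfixes": [REQUIRED_HOTFIX]}
    print(run_admission(srv, "192.0.2.10", "alice", stale, patched))   # ['Unauthenticated', 'Quarantine', 'Wireless']
    print(srv.permits("192.0.2.10", INTRANET_SERVER))                  # True
```

The point of keeping `authenticated` and `compliant` as separate flags is that the "Wireless" role requires both plus AUP acceptance; a client whose remediation fails stays in "Quarantine" and can still reach the remediation server, which matches the slides' step 11 (time remaining in quarantine) rather than silently dropping it.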

Cisco NAC Agent guidance interface

[Screenshots: vulnerability scan in progress (types of checks depend on user role); not compliant with security policy; performing remediation.]

Experience a wireless network with integrated NAC

The Network Is the Platform for Life's Experiences
