NAC
NAC
Flash demo
Cisco Confidential
No Wi-Fi = Good Security
Wrong!
A single rogue access point creates enormous risk. Traditional security measures (firewall, wired IDS/IPS, VPNs, NAC, etc.) don't address it, and it is often set up unknowingly by your own employees.
Would you turn on your firewall only periodically? That approach is not practical for branch or remote offices with no local IT personnel, and it is laborious and expensive.
Securing clients and infrastructure only protects authorized clients and infrastructure; it has no impact on unauthorized infrastructure (e.g. rogue APs) or unauthorized connections (e.g. ad hoc networks).
Wireless Access Outside Physical or Wired Boundaries
[Figure: wired security vs. wireless. The enterprise network relies on physical security; wireless is open air (no physical barriers to intrusion) and runs in unlicensed spectrum (easy access to inexpensive technology).]
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Integrated WLAN security foundation
Strong user authentication (Cisco EAP/EAP-FAST and 802.1X integration)
Strong transport encryption (802.11i and WPA/WPA2)
Implementation Considerations
Critical: WLAN Security Fundamentals
Strong user authentication (802.1X, Cisco EAP/EAP-FAST, ACS)
Strong transport encryption (802.11i, AES, TKIP, MFP, WPA/WPA2)
Detection and prevention of rogue access points, clients, special-purpose networks, DoS, etc. (audits, RF scanning, wireless IPS)
Wi-Fi Protected Access (WPA): standardized, optimized for enterprise, broad adoption, tested for interoperability. Mandates TKIP encryption + MIC and 802.1X authentication; required as of August 2003.
CCX Program (Cisco Compatible eXtensions): ensures interoperability for a variety of 802.1X authentication types, including LEAP and PEAP.
[Figure: rogue detection and RF containment. Labels: On-channel attack detected (802.11a, channel 153); Off-channel rogue detected; Rogue AP; AP contains rogue client; Off-channel ad hoc net detected (802.11g, channel 1); AP contains ad hoc net; Ad hoc client; RF containment.]
Unified Intrusion Prevention: Layer 2 through Layer 7
[Figure: untrusted public Internet on one side, trusted wired and wireless enterprise network on the other. Components: Cisco WLAN Controller, Cisco Access Point, Guest Anchor Controller, Cisco ASA 5500 with IPS Module, WCS, Cisco NAC Appliance Server, Cisco Security MARS, SSC, and Cisco Security Agent for endpoint protection (host intrusion prevention, endpoint malware mitigation). Flow 1: malicious traffic.]
[Figure: layered security model. Physical: user and device tracking, location-based security. Data: 802.11i, VPN. User/Device: X.509, 802.1X (RADIUS), Web-Auth. Application and Network: IDS, access control, firewall.]
For more information about Cisco Secure Wireless Solution, visit:
http://www.cisco.com/wirelesssecurity
For more information about the Cisco Unified Wireless Network, visit:
http://www.cisco.com/go/unifiedwireless
NAC
[Figure: NAC deployment. Labels: CAMPUS BUILDING 1, 802.1Q, WIRELESS BUILDING 2, IPSec, In-band. Guest compliance: restricted Internet access only for guest users.]
[Table: Top Customer Pain Points* for IT, mapped to Cisco NAC Appliance capabilities: roles-based access, handling of unmanaged users, and endpoint compliance. Source: Current Analysis, July 2006]
Isolate: isolate non-compliant devices from the rest of the network; MAC- and IP-based quarantine effective at a per-user level.
Assess: agent scan for required versions of hotfixes, AV, and other software; network scan for virus and worm infections and port vulnerabilities.
Remediate: network-based tools for vulnerability and threat remediation; help-desk integration.
Rule-set: anti-virus, hot-fixes, applications
L3/L4 quarantine
NAC Appliance Server IP: 192.168.10.2; NAC Enforcement Point; DNS Server IP: 10.20.20.20
1. Wireless user connects to the WLC via LWAPP and authenticates to the Auth Server (any auth method, including 802.1X).
2. Wireless user obtains an IP address from the Auth Server.
3. WLC forwards RADIUS accounting login info to the CAS.
4. Wireless user opens a browser and is redirected to download the NAC Agent (if they don't already have it loaded).
5. The Agent queries the NAC Appliance Server to discover whether the wireless user is authenticated (which it will be, by the RADIUS accounting previously sent).
6. The Agent performs posture assessment and forwards the results to the Server to make the network admission decision.
Role: Quarantine
11. NAC Agent displays the access time remaining in the Quarantine role for the remote user.
12. The Agent guides the remote user through step-by-step remediation with one-click update for remediation.
13. The Agent informs the NAC server that the wireless user has been successfully remediated.
14. The NAC Server provides the user with an Acceptable Use Policy (AUP) agreement.
15. Upon AUP acceptance, the NAC Appliance Server assigns the remote user to the Wireless role.
16. NAC Appliance Server puts the IP address of the remote user into the Online User list.
17. Wireless user is now allowed to access the Intranet server.
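The admission flow above (RADIUS accounting marks the user as authenticated, the Agent's posture report is checked against the rule-set, failures land the user in the Quarantine role until remediation, and AUP acceptance moves the user to the Wireless role and the Online User list) as a toy model. This is an added example, not Cisco's code; the rule-set values, the hotfix names and the client IP are constructed for illustration.

```python
# Added example (not Cisco's code): a toy model of the NAC Appliance Server
# admission decision described in steps 1-17. Rule names, version numbers
# and the client IP used in the usage below are constructed for illustration.
from dataclasses import dataclass, field

# Constructed rule-set: required AV engine version and required hotfixes
RULESET = {"av_min_version": (8, 0), "required_hotfixes": {"KB000001", "KB000002"}}


@dataclass
class NacServer:
    authenticated: set = field(default_factory=set)   # learned from RADIUS accounting (step 3)
    roles: dict = field(default_factory=dict)          # client ip -> current role
    online_users: set = field(default_factory=set)     # the Online User list (step 16)

    def radius_accounting_start(self, ip):
        # Step 3: the WLC forwards the accounting login, so the user is now known
        self.authenticated.add(ip)

    def posture_check(self, ip, report):
        # Steps 5-6: the Agent confirms authentication, then submits its posture report
        if ip not in self.authenticated:
            return "Unauthenticated"
        failures = []
        if tuple(report["av_version"]) < RULESET["av_min_version"]:
            failures.append("anti-virus")
        missing = RULESET["required_hotfixes"] - set(report["hotfixes"])
        if missing:
            failures.append("hotfixes: " + ",".join(sorted(missing)))
        if failures:
            self.roles[ip] = "Quarantine"     # steps 11-12: quarantined until remediated
            return "Quarantine: " + "; ".join(failures)
        self.roles[ip] = "AUP_Pending"         # step 14: AUP is presented before access
        return "AUP"

    def accept_aup(self, ip):
        # Steps 15-16: AUP accepted -> Wireless role and entry in the Online User list
        if self.roles.get(ip) != "AUP_Pending":
            return False
        self.roles[ip] = "Wireless"
        self.online_users.add(ip)
        return True


if __name__ == "__main__":
    nac = NacServer()
    nac.radius_accounting_start("10.20.30.40")              # constructed client IP
    print(nac.posture_check("10.20.30.40", {"av_version": (7, 5), "hotfixes": ["KB000001"]}))
    print(nac.posture_check("10.20.30.40", {"av_version": (8, 1), "hotfixes": ["KB000001", "KB000002"]}))
    print(nac.accept_aup("10.20.30.40"), nac.roles["10.20.30.40"])
```

A second posture report after remediation (step 13) is what clears the Quarantine role; the AUP step only unlocks the Wireless role once the report is clean.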