Wireless Network Security


The Current Internet: Connectivity and Processing

[Diagram labels: Access Networks (Cable Modem, DSLAM, Analog, RAS, PSTN, Cell, premises-based LAN and WLAN, operator-based WLAN, Regional Wireline, Regional Voice); Core Networks (Transit Net, Private Peering, Public Peering, NAP); H.323, Voice and Data flows between them.]

Speaker note: the ISP likely has banks of many modems multiplexed onto a high-capacity telephone trunk that carries a large number of phone calls simultaneously (T1, E1, ISDN PRI, etc.). This requires a concentrator, or "remote access server" (RAS).

Agenda

  • The Cisco Unified Wireless Network
  • Cisco Security Agent (CSA)
  • Cisco NAC Appliance
  • Cisco Firewall
  • Cisco IPS
  • CS-MARS
  • Common wireless threats
  • How Cisco Wireless Security protects against them

Today's wireless network


Cisco Unified Wireless Network

The following five interconnected elements work together to deliver a unified enterprise-class wireless solution:

  • Client devices
  • Access points
  • Wireless controllers
  • Network management
  • Mobility services

CSA: Cisco Security Agent

Full-featured agent-based endpoint protection.

Two components:

  • Managed client: Cisco Security Agent
  • Single point of configuration: Cisco Management Center

CSA - Purpose

CSA Wireless Perspective

CSA Combined Wireless Features

General CSA features:

  • Zero-day virus protection
  • Control of sensitive data
  • Integrity checking before allowing full network access
  • Policy management and activity reporting

CSA mobility features:

  • Blocks access to unauthorized or ad-hoc networks
  • Can force a VPN in unsecured environments
  • Stops unauthorized wireless-to-wired network bridging

CSA End User View (05/30/2009)

Cisco Network Admission Control (NAC)

  • Determines the users, their machines, and their roles
  • Grants network access based on the level of security compliance
  • Interrogates and remediates noncompliant devices
  • Audits for security compliance

NAC - Overview

Cisco NAC Architecture

Cisco NAC Features

  • Client identification: access via Active Directory, the Clean Access Agent, or even a web form
  • Compliance auditing: non-compliant or vulnerable devices are found through network scans or the Clean Access Agent
  • Policy enforcement: quarantine access and notify users of their vulnerabilities

Cisco Firewall (Placement Options)

Source: Cisco, "Deploying Firewalls Throughout Your Organization"

Why place firewalls in multiple network segments?

  • Provide the first line of defense in the network security infrastructure
  • Prevent access breaches at all key network junctures
  • Separate the WLAN behind a firewall to limit access to sensitive data and protect against data loss
  • Help organizations comply with the latest corporate and industry governance mandates:
      Sarbanes-Oxley (SOX)
      Gramm-Leach-Bliley (GLB)
      Health Insurance Portability and Accountability Act (HIPAA)
      Payment Card Industry Data Security Standard (PCI DSS)

Speaker note: the rise of internal threats has come about through the emergence of new network perimeters that have formed inside the corporate LAN.

Cisco IPS

  • Designed to accurately identify, classify and stop malicious traffic
  • Worms, spyware, adware and network viruses are caught through detailed traffic inspection
  • Collaboration between the IPS and the WLC (wireless LAN controller) simplifies and automates threat detection and mitigation


CS-MARS: Cisco Security Monitoring, Analysis and Reporting System

  • Monitor the network
  • Detect and correlate anomalies (with visualization)
  • Mitigate threats


Cross-Network Anomaly Detection and Correlation

  • MARS is configured to obtain the configurations of other network devices.
  • Devices send their events to MARS (syslog, SNMP traps, NetFlow).
  • Anomalies are detected and correlated across all devices.

Configuration notes

  • SNMP community strings on MARS must match those on the devices. Use read-only communities and restrict SNMP access to the MARS address with an ACL: SNMPv1/v2c community strings travel in cleartext.
  • First add the devices that detect attacks and false positives.
  • Then add the devices that can block an attack.
  • Next add hosts such as critical database servers.
  • Layer 3 devices can be discovered by CS-MARS.

Group Quiz

For each of the business challenges below, which component(s) of CUWN protect against them?

  1. Mitigate network misuse, hacking and malware from WLAN clients by inspecting traffic flows: IPS
  2. Identify who is on the network and enforce granular policies to prevent exposure to viruses and malware: Cisco NAC
  3. Streamline the user experience, consolidate accounting, and improve password management: NAC and CSA
  4. Standardize on wireless client connection policies while protecting clients from suspect content and potential hackers: CSA
  5. Support and maintain a diverse range of security products, correlating events and delivering concise reporting: CS-MARS
  6. Offer secure, controlled access to network services for non-employees and contractors: NAC and firewall

Conclusions

  • Wireless networks present unparalleled threats
  • The Cisco Unified Wireless Network solution provides the best defense against these threats

Rogue Access Points

Rogue access points are unauthorized access points set up in a corporate network. Two varieties:

  • Added for intentionally malicious behavior
  • Added by an employee not following policy

Either case needs to be prevented.

Rogue Access Points - Protection

Cisco Unified Wireless Network security can:

  • Detect rogue APs
  • Determine whether they are on the network
  • Quarantine and report
  • Notify and report through CS-MARS
  • Locate rogue APs
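The detect / determine-if-on-the-network steps above can be seen end to end in this added example (it is not Cisco's rogue-detection code). It takes BSSIDs heard over the air, an inventory of authorized BSSIDs, and a MAC table pulled from the wired switches, all constructed for the example. The "on the wire" test is the MAC-adjacency heuristic: an AP's radio BSSIDs are normally derived from its Ethernet MAC with a small offset, so a wired MAC within a few addresses of the BSSID is assumed to be the same box (the window size of 16 is a tunable assumption, not a Cisco value).

```python
"""Rogue AP triage over constructed scan data (added example, not Cisco code)."""
from dataclasses import dataclass

ADJACENCY_WINDOW = 16   # assumption: BSSID and wired MAC of one AP differ by less than this


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


# --- constructed sample data -------------------------------------------------
AUTHORIZED_BSSIDS = {"00:1a:2b:3c:4d:50", "00:1a:2b:3c:4d:51"}
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}

OBSERVED = [
    Observation("00:1a:2b:3c:4d:50", "CorpWiFi", 6, -45),    # our own AP
    Observation("c4:e9:84:aa:bb:c3", "CorpWiFi", 1, -52),    # unknown BSSID beaconing our SSID
    Observation("d8:c7:c8:00:11:22", "CorpGuest", 36, -60),  # our SSID, but not on our wire
    Observation("f0:9f:c2:11:22:35", "linksys", 11, -70),    # neighbour's home router
    Observation("02:11:22:33:44:55", "Free WiFi", 6, -80),   # locally administered MAC
]

# switch CAM/ARP table, MAC -> switch port (constructed)
WIRED_MACS = {
    "c4:e9:84:aa:bb:c0": "sw1 Gi1/0/7",
    "00:50:56:01:02:03": "sw1 Gi1/0/2",
}


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def is_locally_administered(mac: str) -> bool:
    # bit 1 of the first octet: set on ad-hoc (IBSS) BSSIDs and many soft APs
    return bool(int(mac.split(":")[0], 16) & 0x02)


def wired_neighbour(bssid: str, wired_macs: dict, window: int = ADJACENCY_WINDOW):
    """Return (wired MAC, port) closest to the BSSID within the window, else None."""
    target = mac_to_int(bssid)
    best = None
    for mac, port in wired_macs.items():
        delta = abs(mac_to_int(mac) - target)
        if delta < window and (best is None or delta < best[2]):
            best = (mac, port, delta)
    return None if best is None else (best[0], best[1])


def classify(observed, authorized, corporate_ssids, wired_macs):
    """Map each BSSID to a verdict; the first matching rule is the most severe."""
    results = {}
    for o in observed:
        bssid = o.bssid.lower()
        if bssid in authorized:
            results[bssid] = {"verdict": "authorized", "port": None}
            continue
        wired = wired_neighbour(bssid, wired_macs)
        if wired:
            verdict = "rogue-on-wire"        # plugged into our LAN: quarantine the switch port
        elif o.ssid in corporate_ssids:
            verdict = "ssid-impersonation"   # evil twin / honeypot over the air
        elif is_locally_administered(bssid):
            verdict = "adhoc-or-soft-ap"
        else:
            verdict = "external-ap"          # not ours and not on our wire: monitor only
        results[bssid] = {"verdict": verdict, "port": wired[1] if wired else None}
    return results


if __name__ == "__main__":
    for bssid, r in classify(OBSERVED, AUTHORIZED_BSSIDS, CORPORATE_SSIDS, WIRED_MACS).items():
        print(f"{bssid}  {r['verdict']:<20} {r['port'] or ''}")
```

The adjacency test is a heuristic in both directions: an AP behind a NAT router shows only the router's MAC on the wire, and a vendor that allocates BSSIDs far from the Ethernet MAC will be missed, which is why the controller-based check (tracing the rogue's clients through the wired network) is used as well in practice.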

Cisco Rogue AP Mapping

Guest Wireless

Guest Wi-Fi benefits:

  • Network segmentation
  • Policy management
  • Guest traffic monitoring
  • Customizable access portals

In-Band Modes

When the NAC appliance is deployed in-band, all user traffic, both unauthenticated and authenticated, passes through the NAC appliance, which may be positioned logically or physically between end users and the network(s) being protected.

When the NAC appliance is configured as a virtual gateway, it acts as a bridge between end users and the default gateway (router) for the client subnet being managed.

When the NAC appliance is configured as a "real" IP gateway, it behaves like a router and forwards packets between its interfaces.

Compromised Clients

  Wifi Threat                  | Security Concern                                        | CSA Feature
  -----------------------------|---------------------------------------------------------|------------------------------------------
  Ad-hoc connections           | Wide-open connections: unencrypted, unauthenticated,    | Pre-defined ad-hoc policy
                               | insecure                                                |
  Concurrent wired/wifi        | Contaminating the secure wired environment              | Concurrent wired/wifi pre-defined policy;
  connection                   |                                                         | disable wifi traffic if wired is detected
  Access to unsecured wifi     | May lack authentication / encryption; risk of traffic   | Location-based policies; restrict allowed
                               | cracking and rogue network devices                      | SSIDs; enforce stronger security policies
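The three CSA features in the table are pre-defined policies evaluated on the endpoint. This added example (not CSA's policy engine) models them as one ordered rule set over a snapshot of an endpoint's links, so the precedence between them is explicit: an ad-hoc link is blocked regardless of anything else, a wired link shuts wireless off before any SSID check, and the VPN requirement only applies once the link has been allowed at all. The location value is assumed to be supplied by the agent; how it is derived is outside this example.

```python
"""Endpoint wireless policy evaluation (added example, not CSA code)."""
from dataclasses import dataclass
from typing import List, Tuple

ALLOWED_CORPORATE_SSIDS = {"CorpWiFi"}   # assumption: the only SSID permitted on site
WEAK_SECURITY = {"open", "wep"}


@dataclass
class WifiLink:
    ssid: str
    mode: str        # "infrastructure" or "adhoc"
    security: str    # "open", "wep" or "wpa2"


@dataclass
class Endpoint:
    wired_up: bool
    wifi: List[WifiLink]
    location: str    # "corporate" or "offsite" (assumed to come from the agent)


def evaluate(ep: Endpoint) -> List[Tuple[str, str, str]]:
    """Return (action, ssid, reason) for every wireless link; the first matching rule wins."""
    decisions = []
    for link in ep.wifi:
        if link.mode == "adhoc":
            decisions.append(("block", link.ssid, "ad-hoc networks are not permitted"))
        elif ep.wired_up:
            decisions.append(("disable-wifi", link.ssid,
                              "wired link active: prevent wired/wireless bridging"))
        elif ep.location == "corporate" and link.ssid not in ALLOWED_CORPORATE_SSIDS:
            decisions.append(("block", link.ssid, "SSID not on the corporate allow-list"))
        elif link.security in WEAK_SECURITY:
            decisions.append(("force-vpn", link.ssid, "link is unencrypted or weakly encrypted"))
        else:
            decisions.append(("allow", link.ssid, "policy satisfied"))
    return decisions


# constructed scenarios, one per row of the table plus two controls
SCENARIOS = {
    "docked at desk, wifi still up":
        Endpoint(True, [WifiLink("CorpWiFi", "infrastructure", "wpa2")], "corporate"),
    "cafe hotspot":
        Endpoint(False, [WifiLink("Free WiFi", "infrastructure", "open")], "offsite"),
    "peer-to-peer share":
        Endpoint(False, [WifiLink("share", "adhoc", "open")], "offsite"),
    "unknown ssid in the office":
        Endpoint(False, [WifiLink("linksys", "infrastructure", "wpa2")], "corporate"),
    "home wpa2":
        Endpoint(False, [WifiLink("home", "infrastructure", "wpa2")], "offsite"),
}


def actions_for(name: str) -> List[str]:
    """Convenience wrapper: the action names decided for a named scenario."""
    return [action for action, _, _ in evaluate(SCENARIOS[name])]


if __name__ == "__main__":
    for name, ep in SCENARIOS.items():
        for action, ssid, reason in evaluate(ep):
            print(f"{name:<32} {ssid:<10} {action:<13} {reason}")
```

The "docked at desk" case is the one that bites in practice: the laptop still holds a valid corporate WPA2 association, so an SSID allow-list alone would pass it, and only the wired-link rule removes the bridge between the two networks.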

Monitoring, Anomalies, & Mitigation

  • Discovers Layer 3 devices on the network: the entire network can be mapped (MAC addresses, end-points, topology)
  • Monitors wired and wireless devices: unified monitoring provides the complete picture
  • Anomalies can be correlated: a complete view of each anomaly (host names, MAC addresses, IP addresses, ports, etc.)
  • Mitigation responses are triggered using rules; rules can be further customized to extend MARS
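The IPS-to-WLC collaboration described under Cisco IPS and the cross-device correlation and rule-triggered mitigation described for CS-MARS come down to one join: the IPS knows an attacking IP address, the wireless controller knows which client MAC and AP that address belongs to. This added example (not CS-MARS or WLC code) runs that join over a handful of constructed events; the key=value line format is invented for the example and is not real Cisco syslog. The rule fires when one source produces three high-severity IPS alerts inside five minutes, and the resulting mitigation request names the controller that owns the client rather than a specific CLI command.

```python
"""MARS-style cross-device correlation (added example, not Cisco code)."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                   # high-severity alerts from one source ...
WINDOW = timedelta(minutes=5)   # ... inside this window raise an incident

# constructed sample events in an invented key=value format
EVENTS = [
    "2009-05-30T10:01:02 wlc1 ASSOC client=00:21:6a:11:22:33 ip=10.20.30.41 ap=AP-Lobby-1 ssid=CorpGuest",
    "2009-05-30T10:01:05 wlc1 ASSOC client=00:21:6a:44:55:66 ip=10.20.30.42 ap=AP-Floor2-3 ssid=CorpWiFi",
    "2009-05-30T10:03:10 ips1 ALERT sig=5081 name=SQL-in-HTTP src=10.20.30.41 dst=10.1.1.5 sev=high",
    "2009-05-30T10:03:11 ips1 ALERT sig=5081 name=SQL-in-HTTP src=10.20.30.41 dst=10.1.1.5 sev=high",
    "2009-05-30T10:04:00 ips1 ALERT sig=2004 name=ICMP-echo src=10.20.30.42 dst=10.1.1.5 sev=low",
    "2009-05-30T10:05:00 ips1 ALERT sig=5081 name=SQL-in-HTTP src=10.20.30.41 dst=10.1.1.5 sev=high",
    "2009-05-30T10:20:00 ips1 ALERT sig=5081 name=SQL-in-HTTP src=10.20.30.41 dst=10.1.1.5 sev=high",
]


def parse(line: str) -> dict:
    """Split '<ts> <device> <kind> k=v k=v ...' into a dict with a datetime ts."""
    ts, device, kind, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "device": device, "kind": kind, **fields}


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Join IPS alert bursts with the controller's IP->client view and emit incidents."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    assoc = {}                    # ip -> latest association event (the WLC's view)
    recent = defaultdict(list)    # src ip -> timestamps of recent high-severity alerts
    incidents = []
    for e in events:
        if e["kind"] == "ASSOC":
            assoc[e["ip"]] = e    # a later association for the same IP replaces the older one
        elif e["kind"] == "ALERT" and e["sev"] == "high":
            q = recent[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                client = assoc.get(e["src"])
                incidents.append({
                    "src": e["src"], "first": q[0], "last": e["ts"], "count": len(q),
                    "signature": e["name"],
                    "client": client["client"] if client else None,
                    "ap": client["ap"] if client else None,
                    # mitigation is aimed at the controller that owns the client, when known
                    "action": ({"device": client["device"], "action": "exclude-client",
                                "mac": client["client"]} if client else None),
                })
                q.clear()         # one incident per burst, not one per extra alert
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc['src']} ({inc['client']} on {inc['ap']}): {inc['count']}x {inc['signature']}"
              f" between {inc['first']:%H:%M:%S} and {inc['last']:%H:%M:%S} -> {inc['action']}")
```

Two details carry over directly to a real deployment: the association table must be kept in time order (a DHCP lease reused by another client after the attack would otherwise be blamed), and the mitigation should target the client MAC on the controller rather than the IP on a firewall, because the IP is what the client can change most easily.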