© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. GD Conference 08
Secure Unified Wireless and Mobility Solutions for Government
Jim Ransome, Ph.D., CISSP, CISM
Senior Director, Secure Unified Wireless and Mobility Applications, Corporate Security Programs Organization and Global Government Solutions Group
General Dynamics Unified Information Assurance User Conference 2008
About The Speaker
10+ years senior corporate executive in information and physical security: CSO roles, CISO roles
23 years government service: National Lab computer scientist/national security analyst, NCIS federal special agent, retired naval reserve intelligence officer, former Marine Corps sergeant
Ph.D. in information systems specializing in information security. Dissertation: developed and tested a converged wired-wireless network security model. NSA/DHS Center of Academic Excellence in Information Assurance Education
Graduate certificates: international business and international affairs
Certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM)
Adjunct professor for a master's-level information security curriculum
Publications (Elsevier - Digital Press): Operational Wireless Security, VoIP Security, IM Security, Business Continuity and Disaster Recovery for InfoSec Managers
Agenda
Securing the core, defending the edge
Can wireless LANs really be secured?
Building secure unified wireless and mobility government solutions
Wireless and mobility solutions for classified environments
The future of secure wireless and mobility solutions
Securing the Core, Defending the Edge
What Does This Mean For Wireless And Mobility?
Remember… Wireless Enables Mobility
[Diagram: how we get there, from where we were to where we want to be, through unified networks, unified communications and unified security]
Can Wireless LANs Really Be Secured?
Building on 802.11i: A Unified Wireless Security Approach to End-to-End Security
[Diagram: NAC appliance, L2 IDS, L3-7 IDS, and RF containment of an 802.11a rogue AP and an 802.11a rogue client]
Fine-grained Mapping and Authentication
Location services enable precise mapping of clients and threats, allowing fine-grained authentication and quick removal
Wired IDS Integration
Unified wired and wireless IDS ensures malicious wireless clients are disconnected from the network
Wireless Endpoint Compliance
NAC prevents wireless endpoints from introducing viruses, spyware, malware, etc.
Wireless IDS/IPS
Comprehensive wireless threat identification and over-the-air prevention
Offsite Endpoint Protection
IPS detects and prevents offsite wireless threats such as ad hoc networks
Building on 802.11i: Other Key Elements of a Unified Wireless Security Solution
[Diagram: enterprise, contractor and guest users on a campus; a rogue AP; a switch-to-switch guest tunnel from the enterprise network to a guest controller in the DMZ; wireless security policy enforced at the edge]
Network Segmentation
Key to providing guest access by controlling and prioritizing access to business resources
Wireless Network Location Services
Quick location of rogue access points and other wireless threats
Guest Services
Path isolation: guest traffic never mixes with enterprise traffic
Wireless Security Policy
Wireless client connection policy enforcement
Building on 802.11i: Real-time RF Management and Integrated Spectrum Intelligence
Detect, classify, and locate RF interference
Case Studies: A Phased Approach
Building Secure Unified Wireless and Mobility Government Solutions
Challenges of a Secure and Interoperable Unified Communications Infrastructure
Products and Solutions Vendors
Wireless and Mobility Products
The Rapid Acceleration of Secure Unified Government Wireless and Mobility Applications
Secure routing and communications for Mobile Ad Hoc Networks (MANETs)
Tactical Communication Kits
Integrated Spectrum Intelligence
IPv6 and Mobile IPv6
Mobile Access Routers
FIPS 140-2 validated mesh solution
Type-1/HAIPE device solutions for wireless LANs architected to meet all federal requirements
Mobile Access Router
Facilitating the Acceleration
Cisco IP Interoperability and Collaboration System (IPICS)
Integrated Networks Critical for Effective Operations and Emergency Management
Cisco IP Interoperability and Collaboration System (IPICS)
[Diagram: the Cisco IPICS server and policy engine (server administration console, ops views, policy engine) connected over a secure VoIP network to Cisco IP phones with PTT services, the IPICS management console, the IPICS PMC client (push-to-talk client for PC users), an LMR gateway and media services bridging VHF/UHF/Nextel PTT radios, and a VoIP gateway to the PSTN and PSTN/cellular phones]
Outdoor Wireless and Mobility Solutions
Wireless and Mobility Solutions for Classified Environments
The Future of Secure Wireless and Mobility Solutions
Federal Wireless Policies
Secretary of Commerce: FIPS 140-1 (1994) updated to FIPS 140-2 (2001)
FIPS certification required for federal agencies
FIPS 140-3 targeted for 2009
DoD Directive 8100.2 WLAN follow-on (June 2006)
Standards based: Wi-Fi certified / IEEE 802.11i security (WPA2)
FIPS 140-2 certification
Common Criteria certification / U.S. Government Protection Profiles
WIDS with location tracking (wired and wireless nets)
DISA Wireless STIG (draft version 5, release 2.01)
OSD (NII) DoD follow-on policy security boundary: https://acc.dau.mil/CommunityBrowser.aspx?id=153484&lang=en-US
Cisco Unified Wireless Network
802.11i End-To-End Wireless Security
DoD compliant and FIPS validated
APs authenticate into the DoD network with X.509 certificates as Common Criteria trusted network devices
Controller and APs establish a FIPS 140-2 validated assured control channel
APs enforce 802.1X port access control and terminate FIPS 140-2 encryption/decryption services at the edge of the DoD security border
Controller centrally manages the 802.1X state machine, providing secure mobility
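The 802.11i/WPA2 profile these bullets describe (AES-CCMP encryption, 802.1X port access control, no pre-shared keys) is advertised by every AP in the RSN information element of its beacons and probe responses, which is what a WIDS or a site survey actually inspects. The Python below is an added example, not Cisco's code or anything from the deck: it decodes that element field by field and reports anything a FIPS 140-2 / DoD 8100.2 deployment should not see, namely TKIP or WEP cipher suites and PSK key management. The two byte strings are constructed sample elements, not captures from any real network, and the bounds-checked reader rejects a truncated element rather than crashing on it.

```python
"""Decode an IEEE 802.11 RSN information element (element ID 48) and check it
against a WPA2-Enterprise-only policy: CCMP ciphers and 802.1X key management.

Added example; the two sample elements below are constructed, not captured."""
import struct

RSN_ELEMENT_ID = 0x30
IEEE_80211_OUI = bytes.fromhex("000fac")  # suite selectors use the 802.11 OUI

# Cipher suite and AKM suite type values defined by IEEE 802.11.
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
# The WPA2 profile in the deck is AES-CCMP; TKIP and WEP are not FIPS-approved.
ALLOWED_CIPHERS = {"CCMP-128", "CCMP-256"}
# Enterprise AKMs only: per-user 802.1X/EAP authentication, no pre-shared keys.
ENTERPRISE_AKMS = {"802.1X", "FT-802.1X", "802.1X-SHA256"}


def _suite_selector(raw: bytes) -> int:
    """Return the suite type of a 4-byte OUI+type selector (802.11 OUI only)."""
    if raw[:3] != IEEE_80211_OUI:
        raise ValueError(f"vendor-specific suite selector {raw.hex()} not supported")
    return raw[3]


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse a raw RSN IE (ID, length, body) into named cipher/AKM suites."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("RSN IE length field exceeds the bytes available")

    pos = 0

    def take(n: int) -> bytes:
        # Bounds-checked read: a malformed element raises ValueError instead of
        # an IndexError or a silently short slice.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN information element")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    (version,) = struct.unpack("<H", take(2))
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite_selector(take(4))
    (n_pairwise,) = struct.unpack("<H", take(2))
    pairwise = [_suite_selector(take(4)) for _ in range(n_pairwise)]
    (n_akm,) = struct.unpack("<H", take(2))
    akms = [_suite_selector(take(4)) for _ in range(n_akm)]
    # RSN Capabilities is optional; bit 6 = MFP required, bit 7 = MFP capable.
    caps = struct.unpack("<H", take(2))[0] if pos + 2 <= len(body) else 0
    return {
        "group_cipher": CIPHER_NAMES.get(group, f"unknown({group})"),
        "pairwise_ciphers": [CIPHER_NAMES.get(c, f"unknown({c})") for c in pairwise],
        "akm_suites": [AKM_NAMES.get(a, f"unknown({a})") for a in akms],
        "mfp_required": bool(caps & 0x0040),
        "mfp_capable": bool(caps & 0x0080),
    }


def check_wpa2_enterprise_policy(rsn: dict) -> list:
    """Return policy findings; an empty list means CCMP-only, 802.1X-only."""
    findings = []
    if rsn["group_cipher"] not in ALLOWED_CIPHERS:
        findings.append(f"group cipher {rsn['group_cipher']} is not AES-CCMP")
    for cipher in rsn["pairwise_ciphers"]:
        if cipher not in ALLOWED_CIPHERS:
            findings.append(f"pairwise cipher {cipher} offered (TKIP/WEP are not FIPS-approved)")
    for akm in rsn["akm_suites"]:
        if akm not in ENTERPRISE_AKMS:
            findings.append(f"AKM {akm} offered (pre-shared keys bypass per-user 802.1X authentication)")
    return findings


# Constructed sample elements (not captured from any real network).
# Compliant: group CCMP, pairwise CCMP, AKM 802.1X, capabilities 0.
COMPLIANT_IE = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
# Mixed mode: group TKIP, pairwise CCMP + TKIP, AKM PSK, capabilities 0.
MIXED_MODE_IE = bytes.fromhex(
    "3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for label, ie in (("compliant", COMPLIANT_IE), ("mixed-mode", MIXED_MODE_IE)):
        parsed = parse_rsn_ie(ie)
        print(label, parsed)
        for finding in check_wpa2_enterprise_policy(parsed) or ["no findings"]:
            print("  -", finding)
```

Feeding the parser the RSN IE from a captured beacon (for example the tag bytes a packet capture tool shows for element 48) gives the same dictionary; the policy check is deliberately strict about mixed CCMP/TKIP mode, because a client that can be steered to TKIP gets none of the FIPS-validated protection the controller and APs are certified for.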
Securing Wireless and Mobile Networks
Security is never a “one size fits all” solution
[Diagram: classified enclaves connected through HAIPE devices across an SBU and/or unclassified wireless and wired LAN/WAN protected by WPA2, FIPS 140-2, WIDS, location and L3 VPN]
Type 1 over WLAN requires a layered approach
IP security: High Assurance IP Encryption (HAIPE)
Link security: WPA2, FIPS, WIDS, VPN, location awareness...
Type 1 Architecture for Wireless and Mobile Networks
End-to-End Wireless Security
DoD compliant and FIPS validated
APs authenticate into the DoD network with X.509 certificates as Common Criteria trusted network devices
Controller and APs establish a FIPS 140-2 validated assured control channel
APs enforce 802.1X port access control and terminate FIPS 140-2 encryption/decryption services at the edge of the DoD security border
Controller centrally manages the 802.1X state machine, providing secure mobility
Type 1 Architecture for Wireless and Mobile Networks
Example: Red Data Center Extension WLAN Deployments
Secure WLAN client connects over the Black WLAN to the Red enclave
Red enclave can use a WLAN or other HAIPE device to connect to the Black WLAN
Extends Red services without physical extension of the Red network
Only need to configure two tunnels per client HAIPE device
Red router will route between clients
Type 1 Architecture for Wireless and Mobile Networks
Example: Red Data Center Extension WLAN Deployments
Using Type-1 WLAN and Type-1 Ethernet HAIPEs to connect VoSIP or video enclaves over a wireless backbone (indoor or outdoor)
Opportunities to interoperate with SME-PED
Type 1 Architecture for Wireless and Mobile Networks
Example: Red Data Center with Integration of a HAIPE Router
Type-1 WLAN client connects over the Black WLAN, then to the HAIPE head-end router
HAIPE router routes intra-client traffic and can route out to SIPRNET
Client only needs to terminate two HAIPE tunnels
Extends Red services without physical extension of the Red network
Wireless Security Integration
Need to take a holistic view of the network to create a defense-in-depth architecture
Security at each layer plays a critical role
Only by integrating each piece can attacks be detected and mitigated efficiently
All aspects must be analyzed and utilized for efficient spectrum utilization
WLAN security is about more than encrypting data-in-transit
Cisco Wireless Federal Solution
[Diagram: Cisco 2710 Wireless Location Appliance; Cisco Wireless Control System (WCS) for centralized WLAN management; Cisco Aironet FIPS 140-2 APs; Cisco Secure ACS FIPS 140-2 AAA RADIUS; Cisco WLAN FIPS 140-2 controllers; WIDS at each tier; FIPS and Common Criteria certified; Type-1 certified]
Cisco Wireless FIPS 802.11i (WPA2) Solution
[Diagram: FIPS 140-2 802.11i supplicant, FIPS 140-2 AAA RADIUS, FIPS 140-2 WLAN controllers and FIPS 140-2 Aironet APs, linked by IEEE 802.11i (WPA2) security]
Controllers: WLC4402 (12, 25, 50 APs); WLC4404 (100 APs); Cat6K WiSM (300 APs); Cat3750G (25/50 APs, FIPS pre-validation)
AAA: ACS (FIPS pre-validation)
Clients: Cisco Solutions+ 3eTI 802.11i FIPS/CC client; compatible with all WPA/WPA2 certified FIPS supplicants; Cisco Secure Services Client (FIPS in development)
Access points: 1242 / 1131 / 1232 (IOS / LWAPP); BR1310 (IOS); 1522 Mesh (LWAPP, FIPS pre-validation); 1250 802.11n (LWAPP, FIPS in development)