Integrated Security for WLANs
BRKAGG-2015 Secure WLAN
Cisco Live 2008
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public


Source: faculty.ccc.edu/mmoizuddin/CISCO LIVE 2008/AGG/BRKAGG... (2012-12-10)


Introduction

The purpose of this session is to present how to integrate and extend general Enterprise network security to an Enterprise wireless LAN:
• Review specific security concerns and requirements
• Present solutions to address them

The focus is on general network security components that can be integrated and extended to a WLAN:
• General network security elements to leverage
• Specific features available for WLAN security
• Deployment and integration with a Unified WLAN

The goal is consistent security policies and enforcement across both wired and wireless networks, not a WLAN overlay.


Network Security Fundamentals

Proactive Security
• Harden the network infrastructure
• Protect the endpoints
• Identify and enforce policy on users
• Secure communication

Operational Security
• Monitor the network
• Detect and correlate anomalies
• Mitigate threats

Review and Improve
• Ongoing security audit, assessment and evolution

[Diagram label: Security Policies]


Network Security Fundamentals for a WLAN

Proactive Security
• Harden the network infrastructure
  WLAN-specific elements: Unified Wireless, LWAPP, MFP
  General network security elements: Infrastructure Hardening BCPs
• Protect the endpoints
  WLAN-specific elements: 802.1x/EAP (WPA/WPA2)
  General network security elements: CSA, CSSC
• Identify and enforce policy on users
  WLAN-specific elements: WPA/WPA2, WLC
  General network security elements: CSA, CSSC; NAC, FW
• Secure communication
  WLAN-specific elements: TKIP/AES (WPA/WPA2)
  General network security elements: IPSec, VPN

Operational Security
• Monitor the network
  WLAN-specific elements: APs, WLC, WCS
  General network security elements: AAA, SNMP, etc.; CS MARS
• Detect & correlate anomalies; Mitigate threats
  WLAN-specific elements: WLC, WCS
  General network security elements: CS MARS, CSA, IPS


General Network Security Elements to Leverage and Extend for a WLAN

Cisco Security Agent (CSA): Extended endpoint security and policy enforcement for roaming clients

Cisco NAC Appliance: Integrating NAC for policy enforcement on a WLAN

Cisco Firewall: Integrating firewall policy enforcement on a WLAN

CS MARS: Extending cross-network anomaly detection, correlation and mitigation to the WLAN

Cisco Wireless and Network IDS/IPS: Integrating wireless and network IDS/IPS for threat detection and mitigation on a WLAN


Secure WLAN Solution Architecture

[Diagram: WLAN clients (with NAC Agent, CSA and CSSC) attach to LAPs; WLAN client traffic is carried over an LWAPP tunnel to the WLC, then through the Core and a Services Block containing NAC, FW, ASA and IPS. A Management Block (NoC) holds ACS for AAA, WCS, CSA MC, NAC Manager and CS MARS.]


Does it all work together?

Secure Wireless 1.0 Design Guide:
• Cisco Unified Wireless
• 802.11 fundamental and enhanced security features
• Cisco Security Agent (CSA) for WLAN Security
• Cisco NAC Appliance Integration
• Cisco Firewall Integration
• Cisco IPS Integration

Are ALL these elements required? No, implement according to your network risk assessment and security policies.

Watch this space for more upcoming collateral: www.cisco.com/go/cvd


CSA: Extended Endpoint Security for Roaming Clients


CSA General Endpoint Security

[Diagram: endpoints in the Branch office and on the Enterprise Campus, labelled with Theft of Information, Policy Enforcement, Viruses, Spyware, Unauthorized Access and Worms]



Roaming Client Security Concerns

Locations: Enterprise Campus, Branch office, Customer or Partner Site, Airplane, Home, Hotspot

• Simultaneous Wired and Wireless: Are you bridging unauthorized devices into the corporate network?
• Wireless Ad-Hoc Network: Are you connected to a rogue device?
• Rogue AP / Neighbor AP: Are you on the correct network?
• Insecure Network: Is your VPN up?
• 802.11 QoS Abuse: Are business critical apps resilient?


CSA Endpoint Security for Roaming Clients

Location-aware policy enforcement: different policies automatically applied based on system state and network interface characteristics

Custom rules configurable based on a range of parameters

Pre-defined rules include:
• Simultaneous wired and wireless
• Wireless ad-hoc networks
• Force corporate connectivity when out of office
• 802.11 Upstream QoS Policy Enforcement


CSA for Simultaneous Wired and Wireless

Prevent bridging of unauthorized devices into the corporate network:
• If both an Ethernet and a wireless connection are active, filter all wireless traffic
• No impact on wired interface traffic

If using the CSSC supplicant, leverage its simultaneous wired and wireless feature to disable WLAN connections when a wired connection is active

[Diagram: a client with an active Ethernet link to the Enterprise and an active wireless link; TCP/UDP traffic over the wireless interface is dropped. Rule: if Ethernet active, drop traffic over any wireless interface.]


CSA for Wireless Ad-Hoc Connections

Prevent unauthorized and insecure wireless ad-hoc connections: filter traffic over any wireless ad-hoc connection

Complement with monitoring of wireless ad-hoc connections from the network side: Wireless IDS/IPS features of the WLC

[Diagram: a client with an active wireless ad-hoc connection; TCP/UDP traffic over it is dropped. Rule: drop traffic over any wireless ad-hoc interface.]


CSA for Forcing Corporate Connectivity

Force connectivity to the corporate network when out of office:
• If a network connection is active AND the CSA MC is unreachable, filter all network traffic until the CSA MC is reachable
• HTTP/HTTPS allowed for 5 minutes to allow hotspot sign-up
• Pop-up notifies user to connect their VPN

[Diagram: a client with an active network connection on a non-corporate network cannot reach the CSA MC on the corporate network; TCP/UDP traffic is dropped. Rule: if CSA MC unreachable, drop traffic over all active interfaces.]


CSA for Upstream 802.11 QoS Policy

Ensure resiliency of business critical & latency-sensitive applications: enforce QoS policy on the 802.11 RF medium

Prevent QoS marking abuse and misuse by 802.11e & WMM devices; enable QoS marking for legacy devices and applications

CSA Trusted Endpoint QoS: sets or re-marks upstream QoS markings to ensure traffic is classified and prioritized according to policy. At a minimum, mark all traffic as best effort.

[Diagram: client traffic with QoS marking abuse, incorrect markings or no QoS markings is re-marked by CSA before entering the corporate network, so that the QoS policy is enforced.]
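The four pre-defined CSA roaming-client rules on the preceding slides (simultaneous wired and wireless, wireless ad-hoc, force corporate connectivity, upstream QoS re-marking) are all decisions made from local system state: which interfaces are up, whether the CSA MC is reachable, and what marking a packet carries. The Python below is an added illustration written for this transcript, not Cisco code and not how CSA is implemented; it models those rules as a single ordered policy evaluation over an endpoint's interfaces. The interface-kind names, the DSCP policy table (EF for voice, AF41 for video) and the host scenarios in demo() are this example's own assumptions; the 5-minute HTTP/HTTPS window and the "best effort at minimum" default are taken from the slides.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interface kinds used by the rules below (names are this example's own).
ETHERNET = "ethernet"
WLAN_INFRA = "wlan-infrastructure"
WLAN_ADHOC = "wlan-adhoc"

HOTSPOT_SIGNUP_WINDOW = 5 * 60            # 5 minutes of HTTP/HTTPS, as on the slide
BEST_EFFORT = 0                           # DSCP 0, the minimum marking the slide asks for
QOS_POLICY = {"voice": 46, "video": 34}   # assumed policy: DSCP EF for voice, AF41 for video


@dataclass
class Interface:
    name: str
    kind: str
    active: bool


@dataclass
class HostState:
    interfaces: List[Interface]
    mc_reachable: bool                      # can the agent reach the CSA Management Center?
    mc_unreachable_since: Optional[float]   # seconds (monotonic) when MC reachability was lost


@dataclass
class Packet:
    iface: str                   # egress interface name (upstream traffic)
    proto: str                   # "tcp" or "udp"
    dst_port: int
    app: str                     # application class, used by the QoS rule
    dscp: Optional[int] = None   # marking supplied by the application, None if unmarked


def evaluate(host: HostState, pkt: Packet, now: float) -> Tuple[str, str, Optional[int]]:
    """Apply the CSA roaming-client rules in order.

    Returns (verdict, reason, dscp): verdict is "allow" or "drop"; dscp is the
    upstream marking the packet leaves with, or None when it is dropped.
    """
    egress = {i.name: i for i in host.interfaces}[pkt.iface]
    if not egress.active:
        return "drop", "egress interface is not active", None

    # Rule: wireless ad-hoc connections are always filtered.
    if egress.kind == WLAN_ADHOC:
        return "drop", "wireless ad-hoc connection", None

    # Rule: simultaneous wired and wireless. If any Ethernet link is active, all
    # wireless traffic is dropped; wired traffic is untouched.
    ethernet_up = any(i.active and i.kind == ETHERNET for i in host.interfaces)
    if ethernet_up and egress.kind != ETHERNET:
        return "drop", "Ethernet active: wireless traffic filtered", None

    # Rule: force corporate connectivity. With the MC unreachable only HTTP/HTTPS is
    # allowed, and only inside the sign-up window; everything else waits for the VPN.
    if not host.mc_reachable:
        since = host.mc_unreachable_since
        in_window = since is not None and (now - since) <= HOTSPOT_SIGNUP_WINDOW
        if in_window and pkt.proto == "tcp" and pkt.dst_port in (80, 443):
            return "allow", "hotspot sign-up window open; user prompted to connect VPN", BEST_EFFORT
        return "drop", "CSA MC unreachable: connect VPN", None

    # Rule: trusted endpoint QoS. Re-mark upstream traffic per policy; anything not
    # covered by policy (including an abusive EF marking on bulk traffic) becomes best effort.
    wanted = QOS_POLICY.get(pkt.app, BEST_EFFORT)
    if pkt.dscp == wanted:
        return "allow", "marking already matches policy", wanted
    return "allow", f"re-marked DSCP {pkt.dscp} -> {wanted}", wanted


def demo() -> List[Tuple[str, str, Optional[int]]]:
    """Constructed scenarios covering each rule; returns the verdicts in order."""
    docked = HostState([Interface("eth0", ETHERNET, True), Interface("wlan0", WLAN_INFRA, True)], True, None)
    on_wifi = HostState([Interface("eth0", ETHERNET, False), Interface("wlan0", WLAN_INFRA, True)], True, None)
    adhoc = HostState([Interface("eth0", ETHERNET, False), Interface("wlan1", WLAN_ADHOC, True)], True, None)
    hotspot = HostState([Interface("wlan0", WLAN_INFRA, True)], False, 1000.0)
    return [
        evaluate(docked, Packet("wlan0", "tcp", 443, "web"), 0.0),             # bridging risk: dropped
        evaluate(docked, Packet("eth0", "tcp", 443, "web"), 0.0),              # wired side unaffected
        evaluate(adhoc, Packet("wlan1", "udp", 5000, "unknown"), 0.0),         # ad-hoc: dropped
        evaluate(hotspot, Packet("wlan0", "tcp", 443, "web"), 1060.0),         # sign-up page within 5 min
        evaluate(hotspot, Packet("wlan0", "tcp", 25, "mail"), 1060.0),         # not HTTP/HTTPS: dropped
        evaluate(hotspot, Packet("wlan0", "tcp", 443, "web"), 1400.0),         # window expired: dropped
        evaluate(on_wifi, Packet("wlan0", "udp", 5004, "voice", dscp=0), 0.0), # legacy app re-marked to EF
        evaluate(on_wifi, Packet("wlan0", "tcp", 80, "bulk", dscp=46), 0.0),   # marking abuse: back to best effort
    ]


if __name__ == "__main__":
    for verdict, reason, dscp in demo():
        print(f"{verdict:5} dscp={dscp!s:4} {reason}")
```

The rule order matters: the ad-hoc and simultaneous-wired checks are evaluated before the MC-reachability check so that a wireless link never carries traffic while a wired link is up, regardless of whether the host is in or out of the office.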


NAC Appliance Integration for a WLAN


NAC's Four Functions: Using the network to enforce policies ensures that incoming devices are compliant

Scan and Evaluate
• Agent scan for required versions of hotfixes, AV, etc.
• Network scan for virus and worm infections and port vulnerabilities

Authenticate and Authorize
• Enforces authorization policies and privileges
• Supports multiple user roles

Update and Remediate
• Network-based tools for vulnerability and threat remediation
• Help-desk integration

Quarantine and Enforce
• Isolate non-compliant devices from the rest of the network
• MAC and IP-based quarantine effective at a per-user level
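To make the four functions concrete, here is an added Python model (written for this transcript, not Cisco NAC Appliance code) of the admission decision: the agent report is scanned against a requirement list, the authenticated user is mapped to a role, a non-compliant device is quarantined by MAC and IP with the remediation items it must complete, and a compliant re-scan releases it into its role VLAN. The requirement names, the role-to-VLAN table, the user-to-role table and the hotfix identifier "KB-EXAMPLE-1" are all constructed placeholders for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Requirement:
    name: str
    kind: str           # "hotfix" (must be installed) or "av_version" (minimum version)
    value: str
    remediation: str    # what the quarantined client is told to do (constructed text)


@dataclass
class AgentReport:
    """What the agent's scan reports about the endpoint (constructed sample data)."""
    user: str
    mac: str
    ip: str
    hotfixes: Set[str]
    av_version: str


@dataclass
class Decision:
    role: str
    vlan: int
    quarantined: bool
    remediation: List[str] = field(default_factory=list)


# Assumed policy tables: the quarantine VLAN only reaches remediation resources.
ROLE_VLAN = {"employee": 10, "contractor": 20, "guest": 30, "quarantine": 110}
USER_ROLE = {"alice": "employee", "bob": "contractor"}


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def scan_and_evaluate(report: AgentReport, requirements: List[Requirement]) -> List[Requirement]:
    """Function 1: compare the agent scan against policy; return the failed requirements."""
    failed = []
    for req in requirements:
        if req.kind == "hotfix" and req.value not in report.hotfixes:
            failed.append(req)
        elif req.kind == "av_version" and version_tuple(report.av_version) < version_tuple(req.value):
            failed.append(req)
    return failed


class NacAppliance:
    def __init__(self, requirements: List[Requirement]):
        self.requirements = requirements
        # Quarantine is tracked per user by MAC and IP, as the slide describes.
        self.quarantine: Dict[Tuple[str, str], str] = {}

    def admit(self, report: AgentReport, authenticated: bool) -> Decision:
        # Function 2: authenticate and authorize. Unauthenticated devices stay isolated.
        if not authenticated:
            return Decision("unauthenticated", ROLE_VLAN["quarantine"], True)
        role = USER_ROLE.get(report.user, "guest")
        # The scan result decides between enforcement (function 4) and remediation (function 3).
        failed = scan_and_evaluate(report, self.requirements)
        if failed:
            self.quarantine[(report.mac, report.ip)] = report.user
            return Decision("quarantine", ROLE_VLAN["quarantine"], True,
                            [f"{r.name}: {r.remediation}" for r in failed])
        # Compliant: release any earlier quarantine entry and apply the role's VLAN.
        self.quarantine.pop((report.mac, report.ip), None)
        return Decision(role, ROLE_VLAN[role], False)

    def is_quarantined(self, mac: str, ip: str) -> bool:
        return (mac, ip) in self.quarantine


# Constructed policy: one required hotfix (placeholder id) and a minimum AV version.
POLICY = [
    Requirement("critical-hotfix", "hotfix", "KB-EXAMPLE-1", "install from the remediation server"),
    Requirement("antivirus", "av_version", "8.2.0", "update antivirus to 8.2.0 or later"),
]


def demo() -> List[Decision]:
    nac = NacAppliance(POLICY)
    alice = AgentReport("alice", "00:11:22:33:44:01", "10.110.0.11", {"KB-EXAMPLE-1"}, "8.2.1")
    bob = AgentReport("bob", "00:11:22:33:44:02", "10.110.0.12", set(), "8.1.9")
    first = nac.admit(alice, True)        # compliant employee -> VLAN 10
    second = nac.admit(bob, True)         # fails both checks -> quarantine VLAN 110
    bob.hotfixes.add("KB-EXAMPLE-1")      # after remediation the agent re-scans
    bob.av_version = "8.2.0"
    third = nac.admit(bob, True)          # now compliant -> contractor VLAN 20
    return [first, second, third, nac.admit(alice, False)]
```

The version comparison is done on integer tuples rather than strings so that "8.10.0" correctly sorts above "8.2.0"; a string comparison would quietly mis-evaluate that case.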


NAC Appliance Integration on a WLAN: Deployment Mode

NAC Appliance can be used for enforcement on both the wired and wireless networks

[Diagram: NAC In-Band enforcement via NAC Appliance for VPN, wireless, campus and remote LANs. Remote sites connect over the IP WAN (802.1q) with a NAC NM; the campus shows the NAC Manager, VPN and a WLAN Controller with LAPs. Wireless clients start on untrusted VLAN 110 for Posture Assessment and are moved to VLAN 10 for Authenticated Access; VLAN 900 is also shown.]


NAC Appliance Integration on a WLAN: Deployment Location

[Diagram: campus hierarchy (Access, Distribution, Core, Services Module, Data Center, WAN, Internet) with the WLAN attached; two candidate NAC Appliance placement points are marked "Here?" and "Or Here?"]


NAC Appliance Integration on a WLAN: Wireless Authentication and SSO

Two authentication events occur:
• Wireless 802.1X/EAP
• NAC Appliance

NAC Appliance authentication does not replace wireless 802.1x/EAP authentication; both are necessary for strongest security

NAC Appliance and wireless 802.1X/EAP authentication can be integrated using Single Sign On (SSO) techniques:
• Prevents users from having to authenticate twice (once for 802.1X/EAP and once for NAC Appliance)
• Implemented using VPN or Active Directory (AD) SSO


NAC Appliance Integration on a WLAN: VPN SSO

[Diagram: WLAN client with CA Agent, AP, LWAPP, WLC, NAC Appliance, NAC Appliance Manager (CAM), AAA, DNS/Remediation Server, intranet]

1) Wireless 802.1x/EAP Authentication
2) WLC RADIUS Accounting with VSAs
3) Wireless user added to online users list in CAM
4) NAC Agent connects to CAM via SWISS for compliance check


NAC Appliance Integration on a WLAN: Active Directory SSO

[Diagram: WLAN client with CA Agent, AP, LWAPP, WLC, NAC Appliance, NAC Appliance Manager (CAM), AAA, Active Directory Server, DNS/Remediation Server, intranet]

1) Wireless 802.1x/EAP Authentication
2) Machine and Client AD authentication
3) NAC Appliance AD Query
4) NAC Agent connects to CAM via SWISS for compliance check


NAC Appliance and Wireless Roaming Considerations


NAC Appliance and Wireless Roaming Considerations: Layer 2 Roaming

Layer 2 Roaming: a client roam where the client subnet is unchanged causes no issues, as the traffic path through the NAC Appliance is maintained

Supported with NAC Appliance as In-band Virtual or IP Gateway:
• Between APs on the same WLC
• Between APs on different WLCs, same VLAN/subnet per WLC
• Between APs in different AP groups, same WLC


NAC Appliance and Wireless Roaming Considerations: Layer 2 Roaming

[Diagram, connectivity before L2 roam: WLAN Trusted 1 and WLAN Trusted 2 with Untrusted VLANs 31-32 (Posture Assessment) and Trusted VLANs 131-132 (Authenticated Access)]

[Diagram, connectivity after L2 roam: same VLANs; the client keeps its subnet and its path through the NAC Appliance]


NAC Appliance and Wireless Roaming Considerations: Layer 3 Roaming

Layer 3 Roaming requires symmetrical roaming tunnel support (WLC images 4.1 and later)

Without a symmetrical tunnel, traffic from the client is sent to the wrong NAC appliance

With symmetrical roaming, Layer 3 Roaming is supported with NAC Appliance In-band Virtual or real IP gateway:
• Between APs on different WLCs, different VLAN/subnets per WLC
• Between APs in different AP groups on different WLCs


NAC Appliance and Wireless Roaming Considerations: Layer 3 Roaming

[Diagram, connectivity before L3 roam: WLAN Trusted 1 and WLAN Trusted 2 with Untrusted VLANs 31-32 (Posture Assessment) and Trusted VLANs 131-132 (Authenticated Access)]

[Diagram, connectivity after L3 roam with symmetrical tunnel: client traffic is tunneled back so that it still passes through the original NAC Appliance]


NAC Appliance and Wireless Roaming Considerations: Single Sign On

AD SSO
• More compatible with L2 and L3 roaming events
• Client state in AD doesn't change with roaming
• Supports fast roaming

VPN SSO
• Involves updating client connectivity state via RADIUS accounting
• Can introduce additional delay during roaming while waiting for NAC agent / CAM to determine client connectivity state
• Supports fast roaming


NAC Appliance and WLAN in a Branch


NAC Appliance and WLAN in a Branch: Wireless Traffic Flow, Upstream

• If a WLCM is used, the WLAN subnets are router interfaces and a policy route is required to force traffic through the NAC Appliance
• Traffic to local subnets cannot be forced through the NAC appliance
• The NAC appliance can either be a network module or a standalone appliance

[Diagram: ISR with WLCM; a Policy Route steers upstream wireless traffic from the Un-trusted side through the NAC-NME (In band, Real IP GW) to the Trusted side]


Secure Wireless 2.0 NAC-NM + WLCM: Wireless Traffic Flow, Downstream

• Downstream traffic to a WLCM cannot be forced through the NAC appliance
• 2100 series WLCs are a stand-alone alternative to the WLCM if traffic paths are an issue

[Diagram: ISR with WLCM and NAC-NME (In band, Real IP GW); downstream traffic from the Trusted side reaches the WLCM without passing through the NAC-NME's Un-trusted side]


Firewall Integration on a WLAN


User Group Access Policy Enforcement: Firewall Integration on a WLAN Sample Scenario

In some cases ACLs suffice, but legal or policy reasons may require a firewall

Different firewall policies for different classes of users sharing the same WLAN infrastructure

[Diagram: user groups Basic User, Fire Department, Police Department and Admin User sharing the same WLAN, each reaching its own group's resources]


User Group Access Policy Enforcement: Firewall Integration on a WLAN Sample Scenario

Restricts user group access to permitted network resources only

802.1X allows a common WLAN but different user group VLAN assignment based upon AAA policy:
• Single SSID with RADIUS-assigned VLAN upon successful 802.1X/EAP authentication
• VLAN mapped to different firewall VLANs and subject to different firewall policy
• VLAN mapped to a specific virtual context (user group) in the firewall
• Firewall policy enforced per user group

[Diagram: Untrusted VLANs on the WLC side mapped to Trusted VLANs behind the firewall]
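The chain on this slide has three hand-offs: the AAA server returns a VLAN in the Access-Accept, the WLC places the client on that VLAN, and the firewall selects a virtual context from the ingress VLAN and applies that context's rules. The Python below is an added example for this transcript (not Cisco ASA, WLC or ACS code) that walks a flow through all three for the four sample user groups. The RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes are the standard ones for dynamic VLAN assignment; the group-to-VLAN map, the VLAN-to-context map and the per-context rule sets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# RFC 3580 tunnel attributes carried in a RADIUS Access-Accept for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

# Assumed mapping for the sample scenario: AAA group -> VLAN -> firewall virtual context.
GROUP_VLAN = {"basic": 31, "fire": 32, "police": 33, "admin": 34}
VLAN_CONTEXT = {31: "ctx-basic", 32: "ctx-fire", 33: "ctx-police", 34: "ctx-admin"}


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    dst: str                   # destination network in CIDR form
    dport: Optional[int]       # None matches any port


# Per-context policy (constructed). Each context ends with an explicit deny-all.
CONTEXT_POLICY: Dict[str, List[Rule]] = {
    "ctx-basic": [Rule("permit", "10.10.0.0/16", 443), Rule("deny", "0.0.0.0/0", None)],
    "ctx-fire": [Rule("permit", "10.20.0.0/16", None), Rule("permit", "10.10.0.0/16", 443),
                 Rule("deny", "0.0.0.0/0", None)],
    "ctx-police": [Rule("permit", "10.30.0.0/16", None), Rule("permit", "10.10.0.0/16", 443),
                   Rule("deny", "0.0.0.0/0", None)],
    "ctx-admin": [Rule("permit", "10.0.0.0/8", None), Rule("deny", "0.0.0.0/0", None)],
}


def access_accept(user: str, group: str) -> Dict[str, object]:
    """AAA side: attributes returned after a successful 802.1X/EAP exchange."""
    return {
        "User-Name": user,
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
        "Tunnel-Private-Group-ID": str(GROUP_VLAN[group]),
    }


def vlan_from_accept(attrs: Dict[str, object]) -> Optional[int]:
    """WLC side: derive the client's VLAN, or None if the attributes are absent or malformed."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_802:
        return None
    try:
        return int(str(attrs.get("Tunnel-Private-Group-ID")))
    except ValueError:
        return None


def firewall_verdict(vlan: Optional[int], dst_ip: str, dport: int) -> Tuple[str, str]:
    """Firewall side: select the context from the ingress VLAN and walk its rules top-down."""
    ctx = VLAN_CONTEXT.get(vlan)
    if ctx is None:
        return "deny", "no context mapped for VLAN"
    dst = ip_address(dst_ip)
    for rule in CONTEXT_POLICY[ctx]:
        if dst in ip_network(rule.dst) and (rule.dport is None or rule.dport == dport):
            return rule.action, ctx
    return "deny", ctx   # implicit deny if nothing matched


def decide(user: str, group: str, dst_ip: str, dport: int) -> Tuple[Optional[int], str, str]:
    """End to end: single SSID, RADIUS-assigned VLAN, per-group firewall context."""
    vlan = vlan_from_accept(access_accept(user, group))
    action, ctx = firewall_verdict(vlan, dst_ip, dport)
    return vlan, ctx, action
```

Note the fail-closed path: if the Access-Accept carries no usable VLAN attributes, vlan_from_accept returns None and firewall_verdict denies, rather than falling into a default context with broader rights.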


Firewalls and Wireless Roaming Considerations

Firewall technology maintains state information about traffic flows

If a client roams to a different WLC, their traffic must flow through the same firewall to ensure it has the appropriate state information

The Unified Wireless symmetric roaming feature can ensure all client traffic goes through the same firewall (WLC images 4.1 and later)

If symmetric roaming is not used, then client roaming must be limited to controllers sharing common VLANs


Firewalls and Wireless Roaming: Asymmetric Roaming

• Client roams
• Traffic to the client is tunneled (EoIP)
• Traffic from the client attempts to go through a different firewall
• No state information in the new firewall
• Client traffic is blocked

[Diagram: client roams between two WLCs; downstream traffic follows the EoIP tunnel, upstream traffic hits the second firewall and is blocked (X)]


Firewalls and Wireless Roaming: Symmetric Roaming

• Client roams
• Traffic to the client is tunneled (EoIP)
• Traffic from the client is tunneled
• Symmetric roaming feature ensures all client traffic goes through the same firewall
• Firewall state information is maintained and client traffic continues

[Diagram: client roams between two WLCs; both directions follow the EoIP tunnel through the original firewall]
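The asymmetric and symmetric roaming slides above, and the earlier NAC Layer 3 roaming slide ("without a symmetrical tunnel traffic from the client is sent to the wrong NAC appliance"), describe the same failure mode: an in-line stateful device sees only one direction of a flow after the roam. The Python below is an added simulation for this transcript (not Cisco WLC code) with two controllers, each behind its own stateful firewall that only passes flows whose opening packet it has seen. The controller and firewall names, the flow addresses and the simplified "SYN creates state" model are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int


@dataclass
class Packet:
    flow: Flow
    syn: bool = False     # True for the first packet of a TCP connection


class StatefulFirewall:
    """Permits a flow only if it has seen that flow's opening packet (simplified state model)."""
    def __init__(self, name: str):
        self.name = name
        self.flows: Set[Flow] = set()

    def forward(self, pkt: Packet) -> bool:
        if pkt.syn:
            self.flows.add(pkt.flow)
            return True
        return pkt.flow in self.flows


class Controller:
    def __init__(self, name: str, firewall: StatefulFirewall):
        self.name = name
        self.firewall = firewall


class WirelessNetwork:
    """Two WLCs on different subnets, each with its own firewall (constructed topology)."""
    def __init__(self, symmetric_roaming: bool):
        self.symmetric = symmetric_roaming
        self.wlc1 = Controller("wlc1", StatefulFirewall("fw-a"))
        self.wlc2 = Controller("wlc2", StatefulFirewall("fw-b"))
        self.anchor: Dict[str, Controller] = {}    # client -> original (anchor) WLC
        self.current: Dict[str, Controller] = {}   # client -> WLC it is associated to now

    def associate(self, client: str, wlc: Controller) -> None:
        self.anchor[client] = wlc
        self.current[client] = wlc

    def roam(self, client: str, wlc: Controller) -> None:
        # Layer 3 roam: the anchor keeps the client's IP, and downstream traffic is
        # always tunnelled (EoIP) anchor -> foreign. Only the upstream path differs.
        self.current[client] = wlc

    def send_upstream(self, client: str, pkt: Packet) -> Tuple[str, bool]:
        """Return (name of the firewall that saw the packet, whether it was forwarded)."""
        current = self.current[client]
        anchor = self.anchor[client]
        if current is anchor or self.symmetric:
            # Symmetric roaming tunnels upstream traffic back to the anchor, so the same
            # firewall (and, in the NAC case, the same NAC appliance) sees both directions.
            fw = anchor.firewall
        else:
            # Asymmetric: the foreign WLC forwards locally through a firewall that has
            # no state for this flow.
            fw = current.firewall
        return fw.name, fw.forward(pkt)


def run(symmetric_roaming: bool) -> List[Tuple[str, bool]]:
    """Constructed scenario: open a flow on wlc1, roam to wlc2, keep sending on the same flow."""
    net = WirelessNetwork(symmetric_roaming)
    flow = Flow("10.31.0.10", 51000, "10.10.0.5", 443)
    net.associate("laptop", net.wlc1)
    results = [net.send_upstream("laptop", Packet(flow, syn=True))]
    net.roam("laptop", net.wlc2)
    results.append(net.send_upstream("laptop", Packet(flow)))
    return results
```

run(False) reproduces the asymmetric slide (the second packet reaches fw-b and is dropped), run(True) the symmetric one (both packets reach fw-a and pass). The same structure explains why L2 roams between controllers sharing a VLAN are harmless: there the current controller's path and the anchor's path lead to the same firewall.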


CS-MARS: Extending Cross-Network Anomaly Detection and Mitigation to the WLAN


CS-MARS: Cross-Network Anomaly Detection and Mitigation

Visibility into network status, traffic flows and events is key

Cross-network monitoring is critical to effective anomaly detection, correlation and mitigation: event aggregation, analysis and consolidation

CS-MARS provides end-to-end visibility across the network: WLAN (WLC), CSA, IPS, FW, NAC, switches, routers

Complementary to WCS

[Diagram: CS MARS in the NoC collecting events from the WLC, FW, ASA, IPS, NAC and CSA MC, alongside ACS for AAA, WCS and NAC Manager]


CS-MARS: Anomaly Detection and Mitigation on the WLAN

Wireless events include:
• 802.11 DoS attacks
• Rogue APs
• 802.11 probes
• Ad-hoc networks
• Client exclusions/blacklisting
• WLAN operational status

WLAN-specific groups, rules and reports: WLAN operation, Rogue AP, WLAN DoS

Integrated into existing groups, rules and reports: Operation, DoS, Probe, ...


Integrating Wireless and Network IDS/IPS for Threat Detection and Mitigation on a WLAN


Wireless IDS/IPS Features of WLC for 802.11 RF Medium Threats and Anomalies

[Diagram: the Secure WLAN architecture (LAPs, LWAPP tunnel, WLC, Core, Services Block with NAC, FW, ASA and IPS, Management Block/NoC with ACS for AAA, CSA MC, NAC Manager and CS MARS). 802.11 RF medium threats (802.11 attack and reconnaissance tools, Rogue AP, Rogue Client, DoS, Ad-hoc Networks) are handled by the wireless IDS/IPS features of the WLC, with WCS providing cross-WLC monitoring.]

WLAN threat detection and mitigation elements: Wireless IDS/IPS features of WLC; WCS Cross-WLC Monitoring


Cisco IPS for General Client Traffic Threats and Anomalies

[Diagram: the same architecture; anomalous WLAN client traffic (viruses, worms, application abuse, etc.) crossing the LWAPP tunnel and WLC into the wired network is handled by the Cisco IPS in the Services Block.]

WLAN threat detection and mitigation elements: Cisco IPS for client traffic threats


Cisco WLC and IPS Integration for Automated Threat Mitigation

[Diagram: LAP and WLC in the Access Network, IPS in the Core; malicious WLAN client traffic]

1) Malicious client traffic detected by Cisco IPS
2) Host block initiated on Cisco IPS
3) Updated shun list received by WLC with newly blocked client IP address
4) WLC checks if the blocked IP address matches an associated WLAN client; if yes, WLC creates a client exclusion
5) WLC disconnects the WLAN client and blocks re-connection attempts

Automated threat mitigation at the access edge


Cisco WLC and IPS Integration for Automated Threat Mitigation

• Cisco IPS Host Block
• Cisco WLC Shun List
• Cisco WLC Client Exclusion


Cisco WLC and IPS Integration for Automated Threat Mitigation: Deployment Tips

Cisco IPS
• IPS deployment mode: both inline and promiscuous mode integration supported for collaboration with WLC
• Action must be a “host block” action in order for enforcement to occur on the WLC
• A “host block” action may be complemented by a “deny attacker” action on an in-line IPS to mitigate both at the access edge and on the inline IPS

Cisco WLC
• Client exclusion must be enabled on each WLAN profile where blocking enforcement is required

Note: Cisco IOS IPS for routing platforms does not currently support collaboration with a Cisco WLC


Cisco WLC and IPS Integration for Automated Threat Mitigation: Deployment Requirements

IPS
• Deployment Mode: Promiscuous (IDS) or in-line (IPS) mode
• Action: Action must be a “host block” action in order for enforcement to occur on the WLC
• Platforms: Cisco IPS 4200 Series Appliances; Catalyst 6500 Series IDSM-2 (Intrusion Detection System Services Module); Cisco ASA with IPS module (AIP SSM); Cisco ISR with IPS module (IPS AIM)
• Software: IPS sensor software release v5.x or later

WLC
• WLAN Configuration: Client exclusion must be enabled on each WLAN profile where blocking enforcement is required
• Software: WLC software release v4.0 or later

Note: Cisco IOS IPS for Routing Platforms Does Not Currently Support Collaboration with a Cisco WLC
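The five-step flow (IPS detection, host block, shun list to the WLC, match against associated clients, client exclusion) and the two deployment caveats (only a "host block" action reaches the WLC, and client exclusion must be enabled per WLAN profile) fit in a small model. The Python below is an added example for this transcript, not Cisco IPS or WLC code; the action names, the client MACs and IPs, the WLAN profile names and the signature labels are all constructed. It shows why a client on a profile without client exclusion stays connected even though its IP is on the shun list, and why a "deny attacker" action alone changes nothing at the access edge.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

HOST_BLOCK = "host-block"          # the action that propagates to the WLC shun list
DENY_ATTACKER = "deny-attacker"    # inline-only mitigation; on its own it never reaches the WLC


@dataclass
class Alert:
    src_ip: str
    signature: str        # constructed label, not a real signature identifier
    actions: List[str]


class IpsSensor:
    def __init__(self):
        self.shun_list: Set[str] = set()

    def process(self, alert: Alert) -> bool:
        """Steps 1-2: detection and host block. Returns True if the shun list changed."""
        if HOST_BLOCK in alert.actions:
            self.shun_list.add(alert.src_ip)
            return True
        return False


@dataclass
class Client:
    mac: str
    ip: str
    wlan_profile: str


class Wlc:
    def __init__(self, exclusion_enabled: Dict[str, bool]):
        # WLAN profile -> whether client exclusion is enabled on that profile.
        self.exclusion_enabled = exclusion_enabled
        self.associated: Dict[str, Client] = {}   # MAC -> client
        self.excluded: Dict[str, str] = {}        # MAC -> reason

    def associate(self, client: Client) -> bool:
        """Step 5 (second half): an excluded client's re-connection attempts are refused."""
        if client.mac in self.excluded:
            return False
        self.associated[client.mac] = client
        return True

    def apply_shun_list(self, shun_list: Set[str]) -> List[str]:
        """Steps 3-5: match shunned IPs against associated clients and exclude the matches."""
        newly_excluded = []
        for mac, client in list(self.associated.items()):
            if client.ip not in shun_list:
                continue
            if not self.exclusion_enabled.get(client.wlan_profile, False):
                continue   # deployment tip: exclusion must be enabled on this WLAN profile
            self.excluded[mac] = f"IPS host block for {client.ip}"
            del self.associated[mac]          # disconnect the client
            newly_excluded.append(mac)
        return newly_excluded


def demo() -> Dict[str, object]:
    """Constructed scenario: two clients on different WLAN profiles, three IPS alerts."""
    ips = IpsSensor()
    wlc = Wlc({"corp": True, "guest": False})
    a = Client("00:11:22:33:44:55", "10.31.0.10", "corp")
    b = Client("00:11:22:33:44:66", "10.31.0.11", "guest")
    wlc.associate(a)
    wlc.associate(b)
    changed = [
        ips.process(Alert("10.31.0.10", "worm-propagation (constructed)", [HOST_BLOCK, DENY_ATTACKER])),
        ips.process(Alert("10.31.0.11", "worm-propagation (constructed)", [HOST_BLOCK])),
        ips.process(Alert("10.31.0.12", "scan (constructed)", [DENY_ATTACKER])),
    ]
    excluded = wlc.apply_shun_list(ips.shun_list)
    return {
        "shun_changed": changed,
        "shun_list": set(ips.shun_list),
        "excluded": excluded,
        "a_reassociates": wlc.associate(a),
        "b_still_associated": b.mac in wlc.associated,
    }
```

In the scenario, client b's IP is on the shun list but b stays associated because its "guest" profile has client exclusion disabled; that is the gap the deployment requirements slide warns about, and it is worth checking per profile rather than assuming a controller-wide setting.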


Key Takeaways


Integrated Security for WLANs

Leverage the Cisco Unified Wireless security features: 802.1X/EAP, WPA/WPA2/802.11i, CCX, Management Frame Protection (MFP), Wireless IDS/IPS features of the WLC, Wireless Control System (WCS), Cisco Secure Services Client (CSSC)

Integrate and extend the general network security elements according to your network risk assessment and security policies:
• CSA: General client endpoint protection, location-aware policies, simultaneous wired and wireless, wireless ad-hoc, upstream QoS policy enforcement
• Cisco NAC Appliance Integration: WLAN client security policy compliance through assessment and remediation
• Cisco Firewall Integration: Fully featured, highly scalable firewalls for enhanced policy enforcement
• CS MARS: Cross-network anomaly visibility, detection, correlation and mitigation
• Cisco WLC and IPS Integration: Automated threat mitigation with enforcement by the WLC on the access edge

Leverage the design guides: lots of detailed information, including step-by-step configuration, at www.cisco.com/go/cvd


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
