Integrated Security for WLANs
BRKAGG-2015
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Introduction
The purpose of this session is to present how to integrate and extend general enterprise network security to an enterprise wireless LAN:
Review specific security concerns and requirements
Present solutions to address them
The focus is on general network security components that can be integrated and extended to a WLAN:
General network security elements to leverage
Specific features available for WLAN security
Deployment and integration with a Cisco Unified WLAN
The goal is consistent security policies and enforcement across both wired and wireless networks, not a separate WLAN security overlay
Network Security Fundamentals
Proactive Security
Harden the network infrastructure
Protect the endpoints
Identify and enforce policy on users
Secure communication
Operational Security
Monitor the network
Detect and correlate anomalies
Mitigate threats
Review and Improve
Ongoing security audit, assessment and evolution
Security policies underpin all three
Network Security Fundamentals for a WLAN

Fundamental                          WLAN-specific elements         General network security elements
Proactive Security
  Harden the network infrastructure  Unified Wireless, LWAPP, MFP   Infrastructure hardening BCPs
  Protect the endpoints              802.1X/EAP (WPA/WPA2)          CSA, CSSC
  Identify and enforce policy        WPA/WPA2, WLC                  CSA, CSSC, NAC, FW
    on users
  Secure communication               TKIP/AES (WPA/WPA2)            IPsec, VPN
Operational Security
  Monitor the network                APs, WLC, WCS                  AAA, SNMP, etc.; CS-MARS
  Detect and correlate anomalies,    WLC, WCS                       CS-MARS, CSA, IPS
    mitigate threats
General Network Security Elements to Leverage and Extend for a WLAN
Cisco Security Agent (CSA): extended endpoint security and policy enforcement for roaming clients
Cisco NAC Appliance: integrating NAC for policy enforcement on a WLAN
Cisco Firewall: integrating firewall policy enforcement on a WLAN
CS-MARS: extending cross-network anomaly detection, correlation and mitigation to the WLAN
Cisco Wireless and Network IDS/IPS: integrating wireless and network IDS/IPS for threat detection and mitigation on a WLAN
Secure WLAN Solution Architecture
[Figure: WLAN clients (running NAC Agent, CSA and CSSC) associate to lightweight APs (LAPs); client traffic is carried in the LWAPP tunnel to the WLC, and the WLC, NAC Appliance and a firewall sit in the client traffic path to the core. Services block: ASA firewall and IPS. Management block (NOC): ACS for AAA, WCS, CSA MC, NAC Manager and CS-MARS.]
Does it all work together?
The Secure Wireless 1.0 Design Guide covers:
Cisco Unified Wireless: 802.11 fundamental and enhanced security features
Cisco Security Agent (CSA) for WLAN security
Cisco NAC Appliance integration
Cisco Firewall integration
Cisco IPS integration
Are ALL these elements required? No, implement according to your network risk assessment and security policies
Watch this space for more upcoming collateral: www.cisco.com/go/cvd
CSA: Extended Endpoint Security for Roaming Clients
CSA General Endpoint Security
[Figure: CSA policy enforcement on endpoints in the enterprise campus and the branch office against theft of information, viruses, spyware, worms and unauthorized access.]
Roaming Client Security Concerns
A roaming client connects from many locations: enterprise campus, branch office, customer or partner site, airplane, home, hotspot
Simultaneous wired and wireless: are you bridging unauthorized devices into the corporate network?
Wireless ad-hoc network: are you connected to a rogue device?
Rogue AP or neighbor AP: are you on the correct network?
Insecure network: is your VPN up?
802.11 QoS abuse: are business-critical apps resilient?
CSA Endpoint Security for Roaming Clients
Location-aware policy enforcement: different policies are applied automatically based on system state and network interface characteristics
Custom rules are configurable based on a range of parameters
Pre-defined rules include:
Simultaneous wired and wireless
Wireless ad-hoc networks
Force corporate connectivity when out of office
802.11 upstream QoS policy enforcement
CSA for Simultaneous Wired and Wireless
Prevent bridging of unauthorized devices into the corporate network
If both an Ethernet and a wireless connection are active, filter all wireless traffic; wired interface traffic is unaffected
If using the CSSC supplicant, leverage its simultaneous wired and wireless feature to disable WLAN connections while a wired connection is active
[Figure: host with an active Ethernet connection to the enterprise; TCP and UDP traffic over any wireless interface is dropped]
CSA for Wireless Ad-Hoc Connections
Prevent unauthorized and insecure wireless ad-hoc connections: filter traffic over any wireless ad-hoc connection
Complement with network-side monitoring of wireless ad-hoc connections using the wireless IDS/IPS features of the WLC
[Figure: host with an active wireless ad-hoc connection; TCP and UDP traffic over any wireless ad-hoc interface is dropped]
CSA for Forcing Corporate Connectivity
Force connectivity to the corporate network when out of office
If a network connection is active AND the CSA Management Center (MC) is unreachable, filter all network traffic until the CSA MC is reachable
HTTP/HTTPS is allowed for 5 minutes to permit hotspot sign-up
A pop-up notifies the user to connect their VPN
[Figure: host with an active network connection on a non-corporate network; the CSA MC on the corporate network is unreachable, so TCP and UDP traffic over all active interfaces is dropped]
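The three pre-defined CSA rules above (simultaneous wired and wireless, wireless ad-hoc, force corporate connectivity) are easier to reason about as one ordered policy decision per outbound packet. The following is an added example written for this page, not CSA code and not from the deck; the interface and packet models, the rule order, and the treatment of the 5-minute HTTP/HTTPS window as a grace period measured from the time the connection came up are assumptions for illustration.

```python
"""Location-aware endpoint policy decisions modelled on the CSA rules above.
Added example; not CSA code. Interface/packet models and rule order are assumed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Interface:
    name: str
    kind: str            # "ethernet" or "wireless"
    active: bool
    adhoc: bool = False  # wireless link is an ad-hoc (IBSS) connection


@dataclass
class HostState:
    interfaces: List[Interface]
    mc_reachable: bool           # CSA Management Center reachable (e.g. VPN is up)
    seconds_since_connect: int   # time since the network connection came up


@dataclass
class Packet:
    iface: str
    proto: str   # "tcp" or "udp"
    dport: int


HOTSPOT_GRACE_SECONDS = 5 * 60   # deck: HTTP/HTTPS allowed for 5 minutes
WEB_PORTS = {80, 443}


def decide(state: HostState, pkt: Packet) -> Tuple[bool, str]:
    """Return (allowed, reason) for one outbound packet."""
    iface = next((i for i in state.interfaces if i.name == pkt.iface), None)
    if iface is None or not iface.active:
        return False, "interface-not-active"
    wired_active = any(i.kind == "ethernet" and i.active for i in state.interfaces)
    # Rule 1: with Ethernet active, drop all wireless traffic; wired is unaffected.
    if iface.kind == "wireless" and wired_active:
        return False, "simultaneous-wired-wireless"
    # Rule 2: drop all traffic over a wireless ad-hoc connection.
    if iface.kind == "wireless" and iface.adhoc:
        return False, "wireless-adhoc"
    # Rule 3: if the CSA MC is unreachable, drop everything except HTTP/HTTPS
    # during the sign-up grace window; afterwards block until the MC is reachable.
    if not state.mc_reachable:
        if (pkt.proto == "tcp" and pkt.dport in WEB_PORTS
                and state.seconds_since_connect < HOTSPOT_GRACE_SECONDS):
            return True, "hotspot-signup-grace"
        return False, "mc-unreachable"
    return True, "allow"


def filter_packets(state: HostState, packets: List[Packet]) -> List[Tuple[bool, str]]:
    """Apply the policy to a batch of packets; returns one decision per packet."""
    return [decide(state, p) for p in packets]


if __name__ == "__main__":
    # Constructed scenario: laptop at a hotspot, VPN not yet up, 2 minutes after connecting.
    hotspot = HostState(
        interfaces=[Interface("eth0", "ethernet", active=False),
                    Interface("wlan0", "wireless", active=True)],
        mc_reachable=False, seconds_since_connect=120)
    for pkt in [Packet("wlan0", "tcp", 443), Packet("wlan0", "tcp", 445),
                Packet("wlan0", "udp", 53)]:
        print(pkt, decide(hotspot, pkt))
```

The rule order matters: the wired/wireless and ad-hoc checks are evaluated before the reachability check, so a bridged or ad-hoc wireless interface stays filtered even when the CSA MC is reachable over the wired side. Note that the grace window only opens TCP 80/443; DNS over UDP is still dropped in this model, which is a point to decide deliberately when writing the real rule, since many hotspot captive portals need name resolution to work.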
CSA for Upstream 802.11 QoS Policy
Ensure resiliency of business-critical and latency-sensitive applications by enforcing QoS policy on the 802.11 RF medium
Prevent QoS marking abuse and misuse by 802.11e and WMM devices; enable QoS marking for legacy devices and applications
CSA Trusted Endpoint QoS sets or re-marks upstream QoS markings so that traffic is classified and prioritized according to policy; at a minimum, mark all traffic as best effort
[Figure: upstream frames with abusive, incorrect or missing QoS markings are re-marked by CSA so that the QoS policy is enforced on the air]
NAC Appliance Integration for a WLAN
NAC: Four Functions
Using the network to enforce policies ensures that incoming devices are compliant
Scan and Evaluate: agent scan for required versions of hotfixes, AV, etc.; network scan for virus and worm infections and port vulnerabilities
Authenticate and Authorize: enforces authorization policies and privileges; supports multiple user roles
Update and Remediate: network-based tools for vulnerability and threat remediation; help-desk integration
Quarantine and Enforce: isolates non-compliant devices from the rest of the network; MAC- and IP-based quarantine is effective at a per-user level
NAC Appliance Integration on a WLAN: Deployment Mode
NAC Appliance in-band: enforcement via the NAC Appliance for VPN, wireless, campus and remote LANs
NAC Appliance can be used for enforcement on both the wired and wireless networks
[Figure: LAPs connect to the WLAN controller; wireless client traffic is switched (802.1Q) through the in-band NAC Appliance, entering for posture assessment and leaving for authenticated access on separate VLANs (VLANs 10, 110 and 900 appear in the figure). The NAC Manager manages the appliances, including a NAC network module (NAC NM) at a remote site reached over the IP WAN; VPN users are enforced the same way.]
NAC Appliance Integration on a WLAN: Deployment Location
[Figure: campus hierarchy of access, distribution and core layers with a WLAN distribution block, a services module, and data center, WAN and Internet edges. The question posed: deploy the NAC Appliance at the WLAN distribution block ("Here?") or in the services module ("Or here?").]
NAC Appliance Integration on a WLAN: Wireless Authentication and SSO
Two authentication events occur: wireless 802.1X/EAP and NAC Appliance
NAC Appliance authentication does not replace wireless 802.1X/EAP authentication; both are necessary for the strongest security
NAC Appliance and wireless 802.1X/EAP authentication can be integrated using Single Sign-On (SSO) techniques
This prevents users from having to authenticate twice, once for 802.1X/EAP and once for NAC Appliance
Implemented using VPN SSO or Active Directory (AD) SSO
NAC Appliance Integration on a WLAN: VPN SSO
[Figure: WLAN client with Clean Access (CA) Agent, AP, WLC with LWAPP, NAC Appliance, NAC Appliance Manager (CAM), AAA server, DNS and remediation server, intranet]
1. Wireless 802.1X/EAP authentication
2. WLC sends RADIUS accounting with VSAs to the CAM
3. Wireless user is added to the online users list in the CAM
4. NAC Agent connects to the CAM via SWISS for the compliance check
NAC Appliance Integration on a WLAN: Active Directory SSO
[Figure: WLAN client with Clean Access (CA) Agent, AP, WLC with LWAPP, NAC Appliance, NAC Appliance Manager (CAM), AAA server, Active Directory server, DNS and remediation server, intranet]
1. Wireless 802.1X/EAP authentication
2. Machine and client AD authentication
3. NAC Appliance AD query
4. NAC Agent connects to the CAM via SWISS for the compliance check
NAC Appliance and Wireless Roaming Considerations
NAC Appliance and Wireless Roaming Considerations: Layer 2 Roaming
Layer 2 roaming: a client roam where the client subnet is unchanged causes no issues, as the traffic path through the NAC Appliance is maintained
Supported with NAC Appliance as in-band Virtual Gateway or Real IP Gateway
Between APs on the same WLC
Between APs on different WLCs, with the same VLAN/subnet per WLC
Between APs in different AP groups on the same WLC
[Figures: connectivity before and after an L2 roam. Untrusted VLANs 31-32 carry posture assessment traffic and trusted VLANs 131-132 carry authenticated access for the WLANs "Trusted 1" and "Trusted 2"; after the roam the client stays on the same VLAN pair and continues through the same NAC Appliance.]
NAC Appliance and Wireless Roaming Considerations: Layer 3 Roaming
Layer 3 roaming requires symmetric roaming tunnel support (WLC software 4.1 and later)
Without a symmetric tunnel, traffic from the client is sent to the wrong NAC Appliance
With symmetric roaming, Layer 3 roaming is supported with NAC Appliance as in-band Virtual Gateway or Real IP Gateway
Between APs on different WLCs, with different VLANs/subnets per WLC
Between APs in different AP groups on different WLCs
[Figures: connectivity before and after an L3 roam with a symmetric tunnel. Untrusted VLANs 31-32 (posture assessment) and trusted VLANs 131-132 (authenticated access) for the WLANs "Trusted 1" and "Trusted 2"; after the roam, client traffic is tunnelled back to the original WLC so that it continues to traverse the same NAC Appliance.]
NAC Appliance and Wireless Roaming Considerations: Single Sign-On
AD SSO: more compatible with L2 and L3 roaming events; client state in AD doesn't change with roaming; supports fast roaming
VPN SSO: involves updating client connectivity state via RADIUS accounting; can introduce additional delay during roaming while waiting for the NAC Agent / CAM to determine client connectivity state; supports fast roaming
NAC Appliance and WLAN in a Branch
NAC Appliance and WLAN in a Branch: Wireless Traffic Flow, Upstream
If a WLCM (WLAN controller module) is used, the WLAN subnets are router interfaces and a policy route is required to force traffic through the NAC Appliance
Traffic to local subnets cannot be forced through the NAC Appliance
The NAC Appliance can be either a network module (NAC-NME) or a standalone appliance
[Figure: ISR with WLCM; a policy route steers upstream wireless traffic into the untrusted side of the NAC-NME (in-band Real IP Gateway) and out of its trusted side]
Secure Wireless 2.0, NAC-NM + WLCM: Wireless Traffic Flow, Downstream
Downstream traffic to a WLCM cannot be forced through the NAC Appliance
2100 series WLCs are a standalone alternative to the WLCM if traffic paths are an issue
[Figure: ISR with WLCM and NAC-NME (in-band Real IP Gateway); downstream traffic reaches the WLCM directly, bypassing the trusted/untrusted path through the NAC-NME]
Firewall Integration on a WLAN
Firewall Integration on a WLAN Sample Scenario: User Group Access Policy Enforcement
In some cases ACLs suffice, but legal or policy reasons may require a firewall
Different firewall policies for different classes of users sharing the same WLAN infrastructure
[Figure: Basic, Fire Department, Police Department and Admin users share one WLAN, each mapped to its own firewall policy]
Firewall Integration on a WLAN Sample Scenario: User Group Access Policy Enforcement
Restricts user group access to permitted network resources only
802.1X allows a common WLAN but different user group VLAN assignment based on AAA policy
Single SSID, with the VLAN assigned by RADIUS upon successful 802.1X/EAP authentication
Each VLAN is mapped to a different firewall VLAN and subject to a different firewall policy
Each VLAN is mapped to a specific virtual context (user group) in the firewall
Firewall policy is enforced per user group
[Figure: untrusted (client-side) VLANs on one side of the firewall contexts, trusted VLANs on the other]
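The whole scenario hinges on the VLAN the RADIUS server returns in its Access-Accept: if that value is missing or malformed the client lands on the WLAN's default interface and therefore in the wrong firewall context. The following is an added example written for this page, not Cisco WLC code and not from the deck. It checks the three tunnel attributes defined in RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN ID) before honouring a dynamic VLAN and maps the result to a firewall context; the attribute dictionary shape, the 1 to 4094 VLAN range, the VLAN-to-context table and the "deny-all" fallback are assumptions for illustration.

```python
"""Validating a RADIUS-assigned VLAN before mapping the user to a firewall context.
Added example; not WLC code. Attribute shape and the context table are assumed."""
from typing import Dict, Optional, Tuple

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 3580: Tunnel-Medium-Type value for IEEE-802

# Assumed per-group mapping: dynamic VLAN -> firewall virtual context
VLAN_TO_CONTEXT: Dict[int, str] = {
    110: "basic-user",
    120: "fire-department",
    130: "police-department",
    140: "admin",
}
# Assumed fail-closed context for any VLAN with no configured policy
UNMAPPED_CONTEXT = "deny-all"


def _strip_tag(value: str) -> str:
    """RFC 2868 tunnel attributes may carry a leading tag octet (0x00-0x1F)."""
    if value and ord(value[0]) <= 0x1F:
        return value[1:]
    return value


def vlan_from_access_accept(attrs: Dict[str, str]) -> Optional[int]:
    """Return the VLAN ID only if all three tunnel attributes are present and
    consistent; otherwise None, meaning no dynamic VLAN override."""
    try:
        ttype = int(_strip_tag(attrs["Tunnel-Type"]))
        medium = int(_strip_tag(attrs["Tunnel-Medium-Type"]))
        vlan = int(_strip_tag(attrs["Tunnel-Private-Group-ID"]))
    except (KeyError, ValueError):
        return None                      # missing or non-numeric attribute
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
        return None                      # not a VLAN assignment
    if not 1 <= vlan <= 4094:
        return None                      # outside the valid 802.1Q range
    return vlan


def firewall_context(attrs: Dict[str, str], default_vlan: int) -> Tuple[int, str]:
    """VLAN the client will use and the firewall context it is subject to.
    Without a valid override the WLAN's default interface VLAN applies."""
    vlan = vlan_from_access_accept(attrs)
    if vlan is None:
        vlan = default_vlan
    return vlan, VLAN_TO_CONTEXT.get(vlan, UNMAPPED_CONTEXT)


if __name__ == "__main__":
    # Constructed Access-Accept attribute sets
    good = {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6", "Tunnel-Private-Group-ID": "120"}
    partial = {"Tunnel-Type": "13", "Tunnel-Private-Group-ID": "120"}
    print(firewall_context(good, default_vlan=110))      # (120, 'fire-department')
    print(firewall_context(partial, default_vlan=110))   # (110, 'basic-user')
```

The second case is the one to watch in production: an Access-Accept that carries a group ID but lacks Tunnel-Medium-Type silently leaves the user on the default VLAN. If the default VLAN is the "Basic" user VLAN that is a downgrade rather than a denial, so the default interface for a WLAN like this should itself map to a restrictive context, and AAA override must be enabled on the WLAN for the returned VLAN to take effect at all.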
Firewalls and Wireless Roaming Considerations
Firewall technology maintains state information about traffic flows
If a client roams to a different WLC, its traffic must continue to flow through the same firewall so that the firewall holding the flow state sees every packet
The Unified Wireless symmetric roaming feature (WLC software 4.1 and later) can ensure all client traffic goes through the same firewall
If symmetric roaming is not used, client roaming must be limited to controllers sharing common VLANs
Firewalls and Wireless Roaming: Asymmetric Roaming
Client roams to an AP on a different WLC
Traffic to the client is tunnelled (EoIP) from the original WLC
Traffic from the client leaves the new WLC locally and attempts to go through a different firewall
The new firewall has no state information for the flow
Client traffic is blocked
Firewalls and Wireless Roaming: Symmetric Roaming
Client roams to an AP on a different WLC
Traffic to the client is tunnelled (EoIP)
Traffic from the client is also tunnelled (EoIP) back to the original WLC
The symmetric roaming feature ensures all client traffic goes through the same firewall
Firewall state information is maintained and client traffic continues
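The asymmetric and symmetric cases above come down to which firewall sees the client's upstream packets after the roam. The following is an added example written for this page, not Cisco code and not from the deck: a minimal connection-tracking model of two firewalls behind two WLCs, run once without and once with symmetric roaming. The packet shape, the controller and firewall names and the single-flow scenario are assumptions. The same path dependency is what breaks Layer 3 roaming for the in-band NAC Appliance in the NAC section above, so the model applies to that enforcement point as well.

```python
"""Why stateful enforcement points need symmetric roaming: two firewalls,
two WLCs, one flow. Added example; not Cisco code. Names and packet shape assumed."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the TCP connection-opening segment


class StatefulFirewall:
    """Forwards a packet only if it opens a new session (SYN) or matches an
    existing flow entry in either direction; everything else is dropped."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            return True                  # matches tracked state
        if pkt.syn:
            self.flows.add(key)          # new session: create state
            return True
        return False                     # mid-stream packet with no state: drop


class WLC:
    def __init__(self, name: str, firewall: StatefulFirewall) -> None:
        self.name = name
        self.fw = firewall


def upstream_firewall(original: WLC, new: WLC, symmetric: bool) -> StatefulFirewall:
    """Downstream traffic is always tunnelled (EoIP) from the original WLC.
    Upstream traffic exits the new WLC locally unless symmetric roaming
    tunnels it back to the original WLC."""
    return original.fw if symmetric else new.fw


def simulate_roam(symmetric: bool) -> List[bool]:
    """Forwarding decision for each packet of the scenario, in order."""
    fw_a, fw_b = StatefulFirewall("FW-A"), StatefulFirewall("FW-B")
    wlc_a, wlc_b = WLC("WLC-A", fw_a), WLC("WLC-B", fw_b)
    client, server = "10.1.31.10", "10.2.0.5"        # constructed addresses
    results: List[bool] = []
    # Before the roam: client on WLC-A opens an HTTPS session through FW-A.
    results.append(fw_a.forward(Packet(client, 40000, server, 443, syn=True)))
    results.append(fw_a.forward(Packet(server, 443, client, 40000)))   # reply
    # L3 roam to WLC-B: downstream still arrives via the tunnel from WLC-A, through FW-A.
    results.append(fw_a.forward(Packet(server, 443, client, 40000)))
    # Upstream mid-session packet: the firewall that sees it depends on symmetric roaming.
    fw = upstream_firewall(wlc_a, wlc_b, symmetric)
    results.append(fw.forward(Packet(client, 40000, server, 443)))
    return results


if __name__ == "__main__":
    print("asymmetric:", simulate_roam(False))   # last packet dropped by FW-B
    print("symmetric: ", simulate_roam(True))    # all packets forwarded by FW-A
```

In the asymmetric run the failure is not limited to existing sessions: a session the client opens fresh through FW-B would create state there, but its return traffic still arrives via the tunnel through FW-A, which has no entry for it. That is why the deck's alternative to symmetric roaming is to confine roaming to controllers that share VLANs, keeping one firewall on both directions of the path.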
CS-MARS: Extending Cross-Network Anomaly Detection and Mitigation to the WLAN
CS-MARS: Cross-Network Anomaly Detection and Mitigation
Visibility into network status, traffic flows and events is key
Cross-network monitoring is critical to effective anomaly detection, correlation and mitigation
Event aggregation, analysis and consolidation
CS-MARS provides end-to-end visibility across the network: WLAN (WLC), CSA, IPS, FW, NAC, switches, routers
Complementary to WCS
[Figure: CS-MARS in the NOC collecting events from the WLC, firewalls, ASA, IPS and NAC in the client traffic path, alongside ACS for AAA, CSA MC, WCS and NAC Manager]
CS-MARS: Anomaly Detection and Mitigation on the WLAN
Wireless events include: 802.11 DoS attacks, rogue APs, 802.11 probes, ad-hoc networks, client exclusions/blacklisting, WLAN operational status
WLAN-specific groups, rules and reports: WLAN operation, rogue AP, WLAN DoS
Integrated into existing groups, rules and reports: operation, DoS, probe, ...
Integrating Wireless and Network IDS/IPS for Threat Detection and Mitigation on a WLAN
Wireless IDS/IPS Features of WLC for 802.11 RF Medium Threats and Anomalies
[Figure: WLAN threat detection and mitigation elements. 802.11 RF medium threats (rogue APs, rogue clients, ad-hoc networks, 802.11 attack and reconnaissance tools, DoS) are detected and mitigated by the wireless IDS/IPS features of the WLC, with WCS providing cross-WLC monitoring. Services block (ASA, IPS, FW) and NOC (ACS for AAA, CSA MC, NAC Manager, CS-MARS) as in the solution architecture; client traffic reaches the core over the LWAPP tunnel, WLC and NAC.]
Cisco IPS for General Client Traffic Threats and Anomalies
[Figure: WLAN threat detection and mitigation elements. Client traffic threats (viruses, worms, application abuse, etc.) appear as anomalous WLAN client traffic once it leaves the LWAPP tunnel at the WLC and are detected by the Cisco IPS in the services block. Services block (ASA, IPS, FW) and NOC (ACS for AAA, WCS, CSA MC, NAC Manager, CS-MARS) as in the solution architecture.]
Cisco WLC and IPS Integration for Automated Threat Mitigation
Automated threat mitigation at the access edge:
1) Malicious WLAN client traffic is detected by the Cisco IPS
2) A host block is initiated on the Cisco IPS
3) The WLC receives the updated shun list with the newly blocked client IP address
4) The WLC checks whether the blocked IP address matches an associated WLAN client; if so, the WLC creates a client exclusion
5) The WLC disconnects the WLAN client and blocks re-connection attempts
[Figure: WLC, LAP and IPS in the access network and core, with malicious WLAN client traffic marked as blocked]
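The five steps above are a small state machine spread across two boxes: the IPS maintains the blocked-host list, and the WLC periodically applies it to its association table. The following is an added example written for this page, not Cisco IPS or WLC code and not from the deck, that models that exchange end to end, including the two conditions the deployment tips call out: only a "host block" action reaches the WLC, and exclusion only happens on WLAN profiles where client exclusion is enabled. The alert and action model, the per-WLAN flag and the class names are assumptions for illustration.

```python
"""Model of the IPS-to-WLC mitigation flow: IPS host block -> WLC shun list ->
client exclusion. Added example; not Cisco code. Alert/action model assumed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Alert:
    attacker_ip: str
    actions: Set[str]   # e.g. {"host-block"}, {"deny-attacker-inline"}


class IPS:
    """Only a 'host-block' action lands on the shun list the WLC consumes;
    an inline 'deny-attacker' action is enforced on the sensor alone."""

    def __init__(self) -> None:
        self.blocked_hosts: Set[str] = set()

    def process(self, alert: Alert) -> None:
        if "host-block" in alert.actions:          # step 2: host block initiated
            self.blocked_hosts.add(alert.attacker_ip)

    def shun_list(self) -> Set[str]:
        return set(self.blocked_hosts)


@dataclass
class Client:
    mac: str
    ip: str
    wlan: str   # WLAN profile the client is associated to


class WLC:
    def __init__(self, wlan_exclusion: Dict[str, bool]) -> None:
        self.wlan_exclusion = wlan_exclusion   # WLAN profile -> client exclusion enabled
        self.clients: Dict[str, Client] = {}   # associated clients by MAC
        self.excluded: Set[str] = set()        # excluded client MACs
        self.shun_list: Set[str] = set()

    def associate(self, client: Client) -> bool:
        if client.mac in self.excluded:
            return False                       # step 5: re-connection attempts blocked
        self.clients[client.mac] = client
        return True

    def apply_shun_list(self, shun_list: Set[str]) -> List[str]:
        """Steps 3 to 5. Returns the MACs newly excluded."""
        self.shun_list = set(shun_list)
        newly: List[str] = []
        for mac, c in list(self.clients.items()):
            if c.ip not in self.shun_list:
                continue                       # step 4: IP is not an associated client
            if not self.wlan_exclusion.get(c.wlan, False):
                continue                       # exclusion disabled on this WLAN: no enforcement
            self.excluded.add(mac)             # step 4: client exclusion created
            del self.clients[mac]              # step 5: client disconnected
            newly.append(mac)
        return newly


def run_scenario() -> Dict[str, object]:
    """Constructed scenario with three WLAN clients and four IPS alerts."""
    ips = IPS()
    wlc = WLC({"corp": True, "guest": False})
    wlc.associate(Client("00:11:22:33:44:01", "10.1.31.11", "corp"))
    wlc.associate(Client("00:11:22:33:44:02", "10.1.31.12", "guest"))
    wlc.associate(Client("00:11:22:33:44:03", "10.1.31.13", "corp"))
    ips.process(Alert("10.1.31.11", {"host-block", "deny-attacker-inline"}))
    ips.process(Alert("10.1.31.12", {"host-block"}))           # WLAN without exclusion
    ips.process(Alert("10.1.31.13", {"deny-attacker-inline"}))  # no host block: never reaches WLC
    ips.process(Alert("192.0.2.7", {"host-block"}))             # not a WLAN client
    excluded = wlc.apply_shun_list(ips.shun_list())
    return {
        "excluded": sorted(excluded),
        "still_associated": sorted(wlc.clients),
        "reassoc_blocked": not wlc.associate(Client("00:11:22:33:44:01", "10.1.31.99", "corp")),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two details of the model are worth carrying over to a real deployment. Exclusion keys on the client MAC, so the client in the scenario that comes back with a new IP address is still refused. And a host on the shun list that is not an associated WLAN client is simply ignored by the WLC, which is the expected behaviour when the IPS is also protecting wired segments.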
Cisco WLC and IPS Integration for Automated Threat Mitigation
[Screenshots: Cisco IPS host block; Cisco WLC shun list; Cisco WLC client exclusion]
Cisco WLC and IPS Integration for Automated Threat Mitigation: Deployment Tips
Cisco IPS deployment mode: both inline and promiscuous mode integration are supported for collaboration with the WLC
The action must be a "host block" action for enforcement to occur on the WLC
A "host block" action may be complemented by a "deny attacker" action on an inline IPS to mitigate both at the access edge and on the inline IPS
Cisco WLC: client exclusion must be enabled on each WLAN profile where blocking enforcement is required
Note: Cisco IOS IPS for routing platforms does not currently support collaboration with a Cisco WLC
Cisco WLC and IPS Integration for Automated Threat Mitigation: Deployment Requirements

Component  Deployment requirements
IPS
  Deployment mode     Promiscuous (IDS) or inline (IPS) mode
  Action              Must be a "host block" action for enforcement to occur on the WLC
  Platforms           Cisco IPS 4200 Series appliances; Catalyst 6500 Series IDSM-2 (Intrusion Detection System Services Module); Cisco ASA with IPS module (AIP SSM); Cisco ISR with IPS module (IPS AIM)
  Software            IPS sensor software release 5.x or later
WLC
  WLAN configuration  Client exclusion must be enabled on each WLAN profile where blocking enforcement is required
  Software            WLC software release 4.0 or later

Note: Cisco IOS IPS for routing platforms does not currently support collaboration with a Cisco WLC
Key Takeaways
Integrated Security for WLANs
Leverage the Cisco Unified Wireless security features: 802.1X/EAP, WPA/WPA2/802.11i, CCX, Management Frame Protection (MFP), wireless IDS/IPS features of the WLC, Wireless Control System (WCS), Cisco Secure Services Client (CSSC)
Integrate and extend the general network security elements according to your network risk assessment and security policies:
CSA: general client endpoint protection, location-aware policies, simultaneous wired and wireless, wireless ad-hoc, upstream QoS policy enforcement
Cisco NAC Appliance integration: WLAN client security policy compliance through assessment and remediation
Cisco Firewall integration: fully featured, highly scalable firewalls for enhanced policy enforcement
CS-MARS: cross-network anomaly visibility, detection, correlation and mitigation
Cisco WLC and IPS integration: automated threat mitigation with enforcement by the WLC at the access edge
Leverage the design guides: lots of detailed information, including step-by-step configuration, at www.cisco.com/go/cvd
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.