Date post: | 19-Jan-2015 |
Upload: | securitycrunch |
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 1
Cybersecurity: Wireless Integrity
Wireless Integrity
What is Cisco’s Role?
Secure Borderless Network Architecture
Architecture for Agile Delivery of the Secure Borderless Experience
• Borderless End-Point/User Services: Mobility, Workplace Experience, Video; AnyConnect, Mobile Collaboration
• Borderless Network Services
  – Mobility: Motion
  – Security: TrustSec
  – Voice/Video: Medianet
  – Green: EnergyWise
  – Application Performance: Application Velocity
• Borderless Management and Policy
• Infrastructure: Switching, Wireless, WAAS, Routing, Security
• PROFESSIONAL SERVICES: Products to Systems to Architectures
Wireless Cyber Security
Security… Solving Today’s Security Issues
• Wireless makes it virtually impossible to contain the signal
• Must be able to prevent access to the network and content given access to the signal.
• Must be able to detect rogue devices intended to allow remote access of the network.
• 802.11i designed to address access
  – All standards based solution
  – 802.1X Authentication
  – AES Encryption
• wIDS + Clean Air designed to detect
  – Provide detection while providing service
  – Clean Air provides unprecedented visibility and classification of emitters
  – You need today’s technology to detect today’s threats
Wireless Security Threats: Top Attacks
Attack categories shown: On-Wire Attacks, Over-the-Air Attacks, Non-802.11 Attacks
• Denial of Service: service disruption
• Evil Twin/Honeypot AP: connection to malicious AP
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping
• Ad-hoc Wireless Bridge: client-to-client backdoor access
• Rogue Access Points: backdoor network access
• Non-802.11 Attacks: backdoor access and service disruption (Bluetooth AP, radar, RF jammers, Bluetooth, microwave)
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6
Cisco Adaptive Wireless Intrusion Prevention: Functional Overview
System Functions
• Rogue Detection and Mitigation
• Over-the-Air Threat Detection
• Security Vulnerability Assessment
• Performance Monitoring and Self-Healing
• Proactive Threat Prevention
• Security and Compliance Reporting
Usage Scenarios
• Detect and Mitigate Rogue APs and Clients
• Detect External Hackers & Thieves
• Ensure Strong Network Security Posture
• Ensure Consistent WLAN Performance
• Internal Security Reporting/Audit
• External Compliance Audit Reporting
SYSTEM ARCHITECTURE: wIPS Integrated in WLAN Infrastructure
• Components: AP, WLC, WCS
• Functions: Monitoring, Reporting; Over-the-Air Detection; Network Detection & Correlation; Complex Attack Analysis, Forensics, Events
Adaptive wIPS Threat Detection and Mitigation
Threats: Rogue AP/Clients, AdHoc Connections, Over-the-Air Attacks (Cracking, Recon, DoS)
Stages: Detect, Classify, Mitigate, Notify/Log, Report/Archive, Accountability
Detection
• Device Inventory Analysis
• Signatures & Anomaly Detection
• Network Traffic Analysis
• On/Off Channel Scanning
Classification
• Default Tuning Profiles
• Customizable Event Auto-Classification
• Wired-Side Tracing
• Physical Location
Notification
• Unified WCS Security Dashboard
• Flexible Staff Notification
• Device Location
Mitigation
• Wired Port Disable
• Over-the-Air Mitigation
• Auto or Manual
• Uses all APs for superior scale
Management
• Role-based with Audit Trails
• Customizable Event Reporting
• PCI Reporting
• Full Event Forensics
Wi-Fi and Spectrum Knowledge – Why is silicon important?
• A Wi-Fi chip is a communications processor – a MODEM
• It only knows
  – Energy that can be demodulated = Wi-Fi
  – Energy that can not be demodulated = Noise
• Noise is complicated
  – Collisions, fragments, corruption
  – Wi-Fi that is below sensitivity threshold of the receiver
• Peaks in Wi-Fi activity can cause all of the above to occur
Detecting Non-802.11 Threats: Cisco CleanAir
• Traditional IDS/IPS (Layer 3-7): IP and Application Attacks & Exploits
• wIPS (Layer 2): WiFi Protocol Attacks & Exploits
• CleanAir (Layer 1): RF Signaling Attacks & Exploits
Monitors Exploits Invisible to Existing Systems
• New Rogue Threats: detects new ‘undetectable’ rogues/clients
  – Off-Channel
  – Inverted
  – WiFi Jammers
• Locates and Expedites Interference Removal (2.4GHz, 5GHz)
High Resolution = Visibility!
• Typical Wi-Fi chipset: Spectral Resolution at 5 MHz
• Cisco CleanAir Wi-Fi chipset: Spectral Resolution at 78 to 156 KHz
[Figure: ‘Chip View Visualization’ of Microwave oven and BlueTooth Interference at each resolution; vertical axis: Power]
The Industry’s ONLY in-line high-resolution spectrum analyzer
Managing Wireless Security: Awareness
Composite Security View, Detailed Event Reporting
• Consolidated Security Event Dashboard: Single screen summary of all security events
• Security Events Mapped to Physical Location
• Rogue APs and clients: Rogue state indicated by color – alert, pending, contained, etc.
• Granular Reports
  – Customizable rogue AP Alert reports
  – Adhoc client event reports for specific time duration
  – Reports by vendor type
  – Fully queryable system-wide event log
  – Regulatory compliance reports
“At-a-Glance” WCS Security Dashboard
Single, Unified View for Overall Network Security Posture
Dynamic Event Population
• Only shows current alarms
• Grouped by attack type
Cisco Wired IPS Events
• Shows wireless client abuse of wired network
• Detects malware & other L3-7 attacks
Dynamic Security Index
• Provides automated, persistent vulnerability assessment
• Summarizes top issues for easy status update
Integrated, Graphical Wireless Threat/Detection Knowledgebase
Security Expertise Embedded in WCS Eases Operations
• System with Security Expertise: Security intelligence embedded in WCS reduces reliance on operator
• Enables Greater Accuracy: Eases detection tuning, thus reducing false positives
• Stay Current: Continually updated as threats evolve and new attacks emerge
Cisco Wireless Security Summary
Comprehensive Layer 1-7 Protection & Prevention
• Layer 1: RF Airspace Protection
  – Clean Air
  – Non-802.11 Devices
• Layer 2: Wireless Intrusion Prevention
  – Rogue Detection/Containment
  – Wireless Hacking/Network and Signature Intrusion Detection
• Layers 2-7: Wired-Side Security Collaboration
  – Inappropriate Client Activity
  – Malware Detection/Mitigation
  – Admission Control
• Hardened Network Foundation: Proactive Prevention
  – Infrastructure Authentication
  – Management Frame Protection
  – Automated Vulnerability Analysis
Introducing CleanAir
Detect and Classify
Mitigate
Locate
Cisco CleanAir: A system-wide feature that uses silicon-level intelligence to automatically mitigate the impact of wireless interference, optimize network performance and reduce troubleshooting costs
New!
Older 802.11a/b/g Networks Cannot Meet the New Network Demands
Example: 5Mbps high definition video stream scaling across 802.11a/g versus 802.11n
802.11 a/g
Usable bandwidth = 22Mbps
Number of Cius’s supported by 802.11a/g network = 4
802.11n
Usable bandwidth = 170-220Mbps
Number of Cius’s supported by 802.11n network = 20
Assumptions:
• The Cius is only supporting video and no other application
• The networks are free from interference and any source of degradation
Cisco 802.11n networks offer 5X client density
Cisco 802.11n Delivers Enterprise Class Application Performance for More Clients!
Enterprise Class Wireless - 802.11n
• Throughput: Up to 6 times greater than existing networks
• Reliability: Fewer packet retries
• Predictability: Consistent coverage and throughput
• Compatibility: Backwards support for 802.11a/b/g clients
• Future-Proofing: Guaranteed Interoperability – Tested/Validated
Better end-user experience for data, voice and video
Performance Benefits of ClientLink
Miercom Testing Validation
ClientLink Benefits and Miercom Testing Results:
• Increases overall wireless system channel capacity: Faster 11a/g transactions opens airtime to increase 11n performance
  – Result: Up to 27% Improvement in Channel Capacity (Channel Util of 74.2% with ClientLink Disabled, 45.2% with ClientLink Enabled)
• Improves throughput for existing 802.11a/g devices: Extends useful life of older devices, saving upgrade costs
  – Result (Throughput vs. Distance): Up to 65% increase in throughput for 11a/g devices
• Reduction in Coverage Holes for 11a/g devices: Higher data rates with fewer dropped packets
  – Result: Fewer coverage holes in dynamic RF environments
[Figure: coverage with ClientLink Disabled vs. ClientLink Enabled; legend: < 14 Mbps, > 14 Mbps; values shown: 25%, 75%, 56%, 44%]
The Efficiency of Integration in the WLAN Infrastructure
Utilize the Entire Infrastructure for Security
• Leverage the WLAN Footprint for Stronger wIPS: Leverage all wIPS and data mode APs for rogue detection, mitigation and location
• Flexible Deployment Architectures: Deploy dedicated APs, leverage traffic APs or both
• No “One-Off” Hardware or Management: One hardware, software and management system for wIPS, location and WLAN
• Streamlined, Real-Time, Reliable Workflows: AP and client device inventory always up-to-date – no double-entry or cross-vendor issues
[Diagram: Cisco Unified Wireless Network; WCS (wIPS Mgmt., WLAN Mgmt.); Shared AP and Dedicated AP; wIPS AP and Traffic AP; Mitigate, Locate]
Proactive Threat Prevention Techniques
Providing an “Ounce of Prevention”
Harden the Network to Render Attacks Ineffective
Maintaining a Secure Network Posture: Automated Vulnerability Monitoring
Keep the Bad Users Out: Client Exclusion Policies
Defuse Recon, MITM: Management Frame Protection (MFP) & 802.11w
Secure Access and Traffic: Client Encryption and Authentication - WPA2
Lock-Out Rogue APs: Strong Infrastructure Authentication
Collaboration with Cisco Wired-Network Security
Better Protection Through Layered Defense and Self-Defending Network Collaboration
Mitigating Malware and Client Misbehavior: Cisco (Wired-Side) IPS
Enforcing Client Posture: Cisco NAC
Controlling Client Connectivity: Cisco Security Agent and Cisco Secure Services Client
Unified Wired/Wireless Event and Mitigation Management: Cisco MARS and 3rd Party SIEM Systems
Cisco Wired+Wireless Security Collaboration
Cisco Validated Design Architectures
Complete
• An end-to-end architecture
• Integration of wireless and security
• Industry-leading security services
An Architecture that Builds on the Inherent Security of the Cisco Unified Wireless Network to Combine Best of Breed Security Services for Unparalleled Control of Business Resources to Meet Compliance Needs
Key Features
• Unified wired and wireless IPS/IDS
• Client validation, posture assessment and remediation
• Wireless single sign on and 802.1X integration
• Integrated firewall for secure guest access
• Host intrusion prevention
Backup Slides