Tvr wireless gtri

Date post: 19-Jan-2015
Upload: securitycrunch
Transcript
Page 1: Tvr wireless gtri

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cybersecurity: Wireless Integrity

Page 2: Tvr wireless gtri

Wireless Integrity

What is Cisco’s Role?

Page 3: Tvr wireless gtri

Secure Borderless Network Architecture

[Architecture diagram; labels recovered from the slide:]

• Borderless End-Point/User Services: Mobility, Workplace Experience, Video; AnyConnect, Mobile Collaboration
• Borderless Network Services: Mobility: Motion; Security: TrustSec; Voice/Video: Medianet; Green: EnergyWise; Application Performance: Application Velocity
• Borderless Management and Policy
• Infrastructure: Switching, Wireless, WAAS, Routing, Security

PROFESSIONAL SERVICES: Products to Systems to Architectures

Architecture for Agile Delivery of the Secure Borderless Experience

Page 4: Tvr wireless gtri

Wireless Cyber Security
Security… Solving Today’s Security Issues

• Wireless makes it virtually impossible to contain the signal
• Must be able to prevent access to the network and content given access to the signal.
• Must be able to detect rogue devices intended to allow remote access of the network.
• 802.11i designed to address access
  • All standards-based solution
  • 802.1X Authentication
  • AES Encryption
• wIDS + CleanAir designed to detect
  • Provide detection while providing service
  • CleanAir provides unprecedented visibility and classification of emitters
  • You need today’s technology to detect today’s threats

Page 5: Tvr wireless gtri

Wireless Security Threats
Top Attacks

[Threat diagram; attack categories shown: On-Wire Attacks, Over-the-Air Attacks, Non-802.11 Attacks]

• Denial of Service: service disruption
• Evil Twin/Honeypot AP: connection to malicious AP
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping
• Ad-hoc Wireless Bridge: client-to-client backdoor access
• Rogue Access Points: backdoor network access
• Non-802.11 Attacks: backdoor access and service disruption (emitters shown: Bluetooth AP, radar, RF jammers, Bluetooth, microwave)

Page 6: Tvr wireless gtri

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6

Cisco Adaptive Wireless Intrusion Prevention
Functional Overview

System Functions
• Rogue Detection and Mitigation
• Over-the-Air Threat Detection
• Security Vulnerability Assessment
• Performance Monitoring and Self-Healing
• Proactive Threat Prevention
• Security and Compliance Reporting

Usage Scenarios
• Detect and Mitigate Rogue APs and Clients
• Detect External Hackers & Thieves
• Ensure Strong Network Security Posture
• Ensure Consistent WLAN Performance
• Internal Security Reporting/Audit
• External Compliance Audit Reporting

System Architecture: wIPS Integrated in WLAN Infrastructure
• Monitoring, Reporting
• Over-the-Air Detection
• Network Detection & Correlation
• Complex Attack Analysis, Forensics, Events

[Diagram components: AP, WLC, WCS]

Page 7: Tvr wireless gtri

Adaptive wIPS Threat Detection and Mitigation

Threats
• Rogue AP/Clients
• Ad Hoc Connections
• Cracking
• Recon
• DoS
• Over-the-Air Attacks

Detection
• Device Inventory Analysis
• Signatures & Anomaly Detection
• Network Traffic Analysis
• On/Off Channel Scanning

[Workflow diagram; stages shown: Detect, Classify, Mitigate, Notify, Log, Report, Archive; label: Accountability]

Classification
• Default Tuning Profiles
• Customizable Event Auto-Classification
• Wired-Side Tracing
• Physical Location

Notification
• Unified WCS Security Dashboard
• Flexible Staff Notification
• Device Location

Mitigation
• Wired Port Disable
• Over-the-Air Mitigation
• Auto or Manual
• Uses all APs for superior scale

Management
• Role-based with Audit Trails
• Customizable Event Reporting
• PCI Reporting
• Full Event Forensics

Page 8: Tvr wireless gtri

Wi-Fi and Spectrum Knowledge – Why is silicon important?

• A Wi-Fi chip is a communications processor – a MODEM

• It only knows
  – Energy that can be demodulated = Wi-Fi
  – Energy that cannot be demodulated = Noise

• Noise is complicated –
  – Collisions, fragments, corruption
  – Wi-Fi that is below sensitivity threshold of the receiver

• Peaks in Wi-Fi activity can cause all of the above to occur

Page 9: Tvr wireless gtri

Detecting Non-802.11 Threats: Cisco CleanAir

• Traditional IDS/IPS (Layer 3-7): IP and Application Attacks & Exploits
• wIPS (Layer 2): WiFi Protocol Attacks & Exploits
• CleanAir (Layer 1): RF Signaling Attacks & Exploits

Monitors Exploits Invisible to Existing Systems

New Rogue Threats

Detects new ‘undetectable’ Rogue/Clients

Off-Channel, Inverted, WiFi Jammers

Locates and Expedites Interference Removal

2.4GHz, 5GHz

Page 10: Tvr wireless gtri

High Resolution = Visibility!

• Typical Wi-Fi chipset: spectral resolution at 5 MHz
• Cisco CleanAir Wi-Fi chipset: spectral resolution at 78 to 156 kHz

[Figure: ‘Chip View Visualization’ of microwave oven and Bluetooth interference, shown for each chipset; vertical axis: Power]

The Industry’s ONLY in-line high-resolution spectrum analyzer

Page 11: Tvr wireless gtri

Managing Wireless Security: Awareness

Composite Security View, Detailed Event Reporting

• Consolidated Security Event Dashboard: single screen summary of all security events
• Security Events Mapped to Physical Location
• Rogue APs and clients: rogue state indicated by color – alert, pending, contained, etc.
• Granular Reports
  – Customizable rogue AP alert reports
  – Ad hoc client event reports for specific time duration
  – Reports by vendor type
  – Fully queryable system-wide event log
  – Regulatory compliance reports

Page 12: Tvr wireless gtri

“At-a-Glance” WCS Security Dashboard
Single, Unified View for Overall Network Security Posture

Dynamic Event Population

• Only shows current alarms

• Grouped by attack type

Cisco Wired IPS Events

• Shows wireless client abuse of wired network

• Detects malware & other L3-7 attacks

Dynamic Security Index

• Provides automated, persistent vulnerability assessment

• Summarizes top issues for easy status update

Page 13: Tvr wireless gtri

Integrated, Graphical Wireless Threat/Detection Knowledgebase
Security Expertise Embedded in WCS Eases Operations

• System with Security Expertise: security intelligence embedded in WCS reduces reliance on operator
• Enables Greater Accuracy: eases detection tuning, thus reducing false positives
• Stay Current: continually updated as threats evolve and new attacks emerge

Page 14: Tvr wireless gtri

Cisco Wireless Security Summary
Comprehensive Layer 1-7 Protection & Prevention

RF Airspace Protection
• Layer 1: CleanAir (Non-802.11 Devices)
• Layer 2: Wireless Intrusion Prevention (Rogue Detection/Containment; Wireless Hacking / Network and Signature Intrusion Detection)
• Layers 2-7: Wired-Side Security Collaboration (Inappropriate Client Activity; Malware Detection/Mitigation; Admission Control)

Hardened Network Foundation: Proactive Prevention
• Infrastructure Authentication
• Management Frame Protection
• Automated Vulnerability Analysis

Page 15: Tvr wireless gtri

Introducing CleanAir

Detect and Classify

Mitigate

Locate

Cisco CleanAir
A system-wide feature that uses silicon-level intelligence to automatically mitigate the impact of wireless interference, optimize network performance and reduce troubleshooting costs

New!

Page 16: Tvr wireless gtri

Older 802.11a/b/g Networks Cannot Meet the New Network Demands

Example: 5Mbps high definition video stream scaling across 802.11a/g versus 802.11n

802.11 a/g

Usable bandwidth = 22Mbps

Number of Cius’s supported by 802.11a/g network = 4

802.11n

Usable bandwidth = 170-220Mbps

Number of Cius’s supported by 802.11n network = 20

Assumptions:
• The Cius is only supporting video and no other application
• The networks are free from interference and any source of degradation

Cisco 802.11n networks offer 5X client density

Cisco 802.11n Delivers Enterprise Class Application Performance for More Clients!

Page 17: Tvr wireless gtri

Enterprise Class Wireless - 802.11n

• Throughput: Up to 6 times greater than existing networks
• Reliability: Fewer packet retries
• Predictability: Consistent coverage and throughput
• Compatibility: Backwards support for 802.11a/b/g clients
• Future-Proofing: Guaranteed Interoperability – Tested/Validated

Better end-user experience for data, voice and video

Page 18: Tvr wireless gtri

Performance Benefits of ClientLink
Miercom Testing Validation

ClientLink Benefits
• Improves throughput for existing 802.11a/g devices: extends useful life of older devices, saving upgrade costs
• Increases overall wireless system channel capacity: faster 11a/g transactions open airtime to increase 11n performance
• Reduction in coverage holes for 11a/g devices: higher data rates with fewer dropped packets

Miercom Testing Results
• Throughput vs. Distance: up to 65% increase in throughput for 11a/g devices
• Up to 27% improvement in channel capacity (channel utilization of 74.2% with ClientLink disabled, 45.2% with ClientLink enabled)
• Fewer coverage holes in dynamic RF environments

[Coverage charts, ClientLink disabled vs. ClientLink enabled; legend: < 14 Mbps, > 14 Mbps; values shown: 25%, 75%, 56%, 44%]

Page 19: Tvr wireless gtri

Page 20: Tvr wireless gtri

The Efficiency of Integration in the WLAN Infrastructure
Utilize the Entire Infrastructure for Security

• Leverage the WLAN Footprint for Stronger wIPS: leverage all wIPS and data mode APs for rogue detection, mitigation and location
• Flexible Deployment Architectures: deploy dedicated APs, leverage traffic APs or both
• No “One-Off” Hardware or Management: one hardware, software and management system for wIPS, location and WLAN
• Streamlined, Real-Time, Reliable Workflows: AP and client device inventory always up-to-date – no double-entry or cross-vendor issues

[Diagram labels: wIPS AP, Traffic AP (Mitigate, Locate); Shared AP, Dedicated AP; WCS (wIPS Mgmt., WLAN Mgmt.); Cisco Unified Wireless Network]

Page 21: Tvr wireless gtri

Proactive Threat Prevention Techniques
Providing an “Ounce of Prevention”

Harden the Network to Render Attacks Ineffective

Maintaining a Secure Network Posture: Automated Vulnerability Monitoring

Keep the Bad Users Out: Client Exclusion Policies

Defuse Recon, MITM: Management Frame Protection (MFP) & 802.11w

Secure Access and Traffic: Client Encryption and Authentication - WPA2

Lock-Out Rogue APs: Strong Infrastructure Authentication

Page 22: Tvr wireless gtri

Collaboration with Cisco Wired-Network Security

Better Protection Through Layered Defense and Self-Defending Network Collaboration

Mitigating Malware and Client Misbehavior: Cisco (Wired-Side) IPS

Enforcing Client Posture: Cisco NAC

Controlling Client Connectivity: Cisco Security Agent and Cisco Secure Services Client

Unified Wired/Wireless Event and Mitigation Management: Cisco MARS and 3rd Party SIEM Systems

Page 23: Tvr wireless gtri

Cisco Wired+Wireless Security Collaboration
Cisco Validated Design Architectures

Complete
• An end-to-end architecture
• Integration of wireless and security
• Industry-leading security services

An Architecture that Builds on the Inherent Security of the Cisco Unified Wireless Network to Combine Best of Breed Security Services for Unparalleled Control of Business Resources to Meet Compliance Needs

Key Features
• Unified wired and wireless IPS/IDS
• Client validation, posture assessment and remediation
• Wireless single sign on and 802.1X integration
• Integrated firewall for secure guest access
• Host intrusion prevention

Page 24: Tvr wireless gtri

Backup Slides

