Education Vision & Strategy
BITES 2006
Cisco [email protected]
© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
Core aspects of BSF
• Transforming Education
Putting the Learner at the centre, Citizenship, Skills
• Efficiency
Workforce Reform, Buildings, Energy, Security
• Social Inclusion
Equal Access, Every Child Matters (ECM, ICS)
• Regeneration – Community & Economic
Extended Schools, Home Access, Business
• Long Term Partnerships
BSF?
• ‘Birmingham Society of the Future’
• Program & Procurement dominated or led by the needs of communities
• Steady and progressive transformation over a longer term
• Will learners be measured by Government, or be asked for feedback about their learning environments?
Agenda for today
• ‘Connected Learning’
• Multi Service Wireless
• Secure Wireless
• What should you be looking out for?
Four Steps To Transformation
Step 1: Connect all buildings and provide access to critical information
Step 2: Implement network-based applications to improve administrative efficiency
Step 3: Put teacher proficiency and productivity first
Step 4: Create a student-centered learning environment to achieve academic excellence
Intelligent Information Network: IP Networking Adoption
Progression from 2006 to 2015: CONNECTED SCHOOLS, EFFICIENT SCHOOLS, OPTIMISED SCHOOLS
Network Simplification: Service virtualization, Data Center, Integrated security, Virtualised call control, User mobility, Virtual & e-learning
Opex Reduction: Communications over IP, Integrated wiring on Ethernet, Toll bypass, Data simplification
New Capabilities: Adaptive resources, Personalised learning (MLEs), Collaboration software, Rich communications, Automation, On-demand Data Center
Cisco Connected Learning Solutions
Transforming Education: Academic Excellence and Administrative Efficiency
Solutions on the IP Network: Unified Communications, Video Infusion, Self Defending Network, Virtual Classroom, Intelligent Buildings, Secure Wireless
Foundation: Intelligent Information Network
Cisco Connected Learning Model for 21st Century Education
Education Model
Learning Environment
Curriculum: Teaching, Learning, Finance, Operational
Applications: Business Applications, Collaboration Applications
Infrastructure Services layer and End client devices
Scope: School, LA/LEA, Virtual School, Regional & National
IP Foundation, Data Centre, Cabling and Building Systems
1. Education Model
• Learning is an active process, and one that involves collaboration, problem solving, critical thinking with mentor support from teachers
• Government policy focused on transforming education using technology as a catalyst
• Student focused, catering for individual needs and personalisation.
• Relevant and authentic learning opportunities
• Prepares for lifelong learning
• Community focused and provides relevant skills and knowledge
• Open ended
2. Learning Environment
Organisational
• Technology as a teaching and learning tool
• Technology for assessment
• Flexible and adaptable VLE
Community
• Environment enables communities to be built
• Accessible from anywhere, anytime
• Builds structures for learning environment between home & schools & for lifelong learning
• Potential to involve all members of the community
• Schools as centres of the community
• Global and national reach
2. Learning Environment
Classroom organisation
• Structured for 21st century working and learning environment
• Flexible yet managed
• allows for group, individual and whole class work
Student focused environment
• Provides authentic and autonomous learning
• Learning how to learn
• Peer teaching and learning opportunities
• Curriculum arises out of real community needs
• Development of autonomy and critical thinking and problem solving skills
Secure Wireless
• Teaching & Learning
Laptop, PDA, Projector, Wireless Slate
• Security
Access, Assets, mobile CCTV, mobile alerts/paging
• IP Telephony - staff communications
• Guest Access
Community, Parents, Inspections
• Outdoor (sports events, weather view)
• Flexible ICT during refurbishment
Secure Wireless
Agenda
• Business Critical Wireless
• WLAN Security Leadership
• Cisco Unified Wireless Network
• Cisco Self-Defending Network
– Keep Clients Safe
– Keep Clients Honest
– Protect the Network
Wireless Goes Business Critical: The Emerging Enterprise Market
Enterprise Wireless Market (growing at 40% per annum, 40% CAGR), $ millions:
FY '04: $640
FY '05: $1000
FY '06: $1400
FY '07: $1960
FY '08: $2740
Market phases over the same period: Verticals, PWLAN; Initial Office Deployments; Mainstream Enterprise Office, Location, Mesh Networking; Dual Mode Voice; All Wireless Branch
Cisco WLAN Security Leadership and Innovation
• Industry's first implementation of 802.1X/EAP authentication and dynamic key derivation
• Chaired and led the 802.11i work group
• Wrote or co-wrote many EAP RFCs
• Technical leadership role in Fast Secure Roaming 802.11r
• Industry leading, patent pending rogue detection, mitigation and suppression
• Continuing to innovate with Self-Defending Network
Location enabled security; Access Control / IDS alerts
Invented host posture analysis (NAC)
Invented Management Frame Protection (MFP)
Invented Self Defending Network (NIC)
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
Self-Defending Network: Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats
Keep Clients Safe (Endpoint Protection): Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies
Keep Clients Honest (Admission Control): Network Admission Control, Guest Access
Protect the Network (Anomaly and IDS/IPS): Rogue AP detection and containment, Multilayer client exclusions
Integrated Management
Checklist for Secure Wireless LANs
Implementation Checklist: Keep Clients Safe (Endpoint Protection)
Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies
• 802.1X (EAP)
• WPA2 (AES) or WPA (TKIP)
• Management Frame Protection
• Cisco CSA
Protected Access
What are WPA and WPA2?
• Authentication and Encryption standards for Wi-Fi clients and APs
• 802.1X authentication
• WPA uses TKIP encryption
• WPA2 uses AES encryption
Which should I use?
• Go for the Gold!
• Silver, if you have legacy clients
• Lead, if you absolutely have no other choice (i.e. ASDs)
Gold: WPA2/802.11i, EAP, AES
Silver: WPA, EAP, TKIP
Lead: dWEP (legacy), EAP/LEAP, VLANs + ACLs
How does Extensible Authentication Protocol (EAP) Authenticate Clients?
Participants: WLAN Client, Access Point/Controller, RADIUS server, Corporate Network
1. The client associates with the access point.
2. Data from the client is blocked by the AP: the client cannot send data until EAP authentication is complete.
3. EAP runs between the client and the AP/controller over 802.1X, and between the AP/controller and the RADIUS server over RADIUS.
4. Once EAP authentication completes, the client sends data and the AP passes it.
What makes 802.11 vulnerable to attacks?
Most common attacks are against management frames
Common Attacks:
• VOID11
• Aireplay
• File2air
• Airforge
• ASLEAP
• Jack attacks
• FakeAP
• Hunter/Killer
Cisco MFP Protected
Management Frame Protection (MFP)
• A solution for clients and infrastructure (APs)
• Clients and APs add a MIC (signature) into every management frame
• Anomalies are detected instantly and reported to Wireless Control Server (WCS)
MFP Protected
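A simplified model of the MIC check described above, added here as an example and not Cisco's MFP frame format or key derivation (the key, frame layout, BSSID and client MAC are constructed): the sender appends an HMAC over a minimal management frame, and the receiver rejects frames with an invalid or missing MIC or a reused sequence number, recording each as an alert of the kind reported to WCS.

```python
import hashlib
import hmac
import struct

# Constructed stand-in key; real MFP derives keys per AP/client and uses its own MIC IE format.
MFP_KEY = b"example-mfp-key-not-real"

# 802.11 management frame subtypes that the attacks on the previous slide commonly forge.
DISASSOC = 0x0A
DEAUTH = 0x0C

# Frame layout used by this model: subtype, BSSID, destination, sequence counter.
HDR = "!B6s6sI"
HDR_LEN = struct.calcsize(HDR)   # 17 bytes
MIC_LEN = 8

def make_mic(body, key):
    return hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]

def build_protected_frame(subtype, bssid, dest, seq, key=MFP_KEY):
    """Sender side: serialise the frame and append a MIC computed with the shared key."""
    body = struct.pack(HDR, subtype, bssid, dest, seq)
    return body + make_mic(body, key)

class MfpReceiver:
    """Receiver side: accept a frame only if its MIC verifies and its sequence number advances."""
    def __init__(self, key=MFP_KEY):
        self.key = key
        self.last_seq = {}   # per-BSSID highest accepted sequence number (replay check)
        self.alerts = []     # (anomaly, bssid) records of the kind WCS would display

    def accept(self, frame):
        if len(frame) != HDR_LEN + MIC_LEN:
            self.alerts.append(("missing_mic", None))   # unprotected or malformed frame
            return False
        body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
        subtype, bssid, dest, seq = struct.unpack(HDR, body)
        if not hmac.compare_digest(mic, make_mic(body, self.key)):
            self.alerts.append(("invalid_mic", bssid))
            return False
        if seq <= self.last_seq.get(bssid, -1):
            self.alerts.append(("replay", bssid))
            return False
        self.last_seq[bssid] = seq
        return True

def demo():
    """Constructed exchange: one genuine deauth, one frame built without the key, one replay, one unprotected."""
    ap = bytes.fromhex("0011223344aa")    # constructed BSSID
    sta = bytes.fromhex("66778899bbcc")   # constructed client MAC
    rx = MfpReceiver()
    genuine = build_protected_frame(DEAUTH, ap, sta, seq=1)
    unkeyed = build_protected_frame(DEAUTH, ap, sta, seq=2, key=b"wrong-key")
    results = [rx.accept(genuine), rx.accept(unkeyed),
               rx.accept(genuine), rx.accept(genuine[:HDR_LEN])]
    return results, rx.alerts
```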
CCX - Driving Security Standardization
CCX v1
• 802.1X authentication
• EAP-TLS & LEAP
• Cisco pre-standard TKIP
• Client Rogue reporting
CCX v2
• WPA compliance
• Fast Roaming with CCKM
• PEAP
CCX v3
• WPA2 compliance
• EAP-FAST
• CCKM with EAP-FAST
• AES encryption
CCX v4
• CCKM with EAP-TLS, PEAP
• WIDS
• MBSSID
CCX v5
• MFP
• Client Policies
Security and WLAN Clients
• Trend: Embedded adapters in most devices
• Result: Adapter reference designs in most devices
How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?
• Options:
Try to standardize on adapters from one vendor
Use WPA/WPA2 “extended EAP” certified clients
Rely on what is available in Windows
Use a commercial supplicant suite
Support a mix of authentication types
Use Cisco Compatible Extensions (CCX) adapters
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
Checklist for Secure Wireless LANs
Implementation Checklist: Keep Clients Honest (Admission Control)
Network Admission Control, Guest Access
• Cisco NAC for wired and wireless
• Cisco CSA
• Guest: Integrated captive portal w/traffic tunneling
The Need for Admission Control
• Viruses, worms, spyware, etc. continue to plague organizations
Viruses still #1 cause of financial loss* (downtime, recovery, productivity, etc.)
• Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance
• Unprotected endpoint devices are often responsible for spreading infection
Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive
“Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage.”
– Burton Group
* 2005 FBI/CSI Report
NAC2 – Ubiquitous Admission Control: CTA-Capable Endpoints with NAC-Capable 802.1X Supplicants
Participants: CTA on the endpoint, Network Access Device (NAD), ACS, Vendor Server, authentication databases
Protocols: 802.1X between endpoint and NAD (EAPo802.1X), EAPoRADIUS between NAD and ACS, HCAP between ACS and vendor server
1. 802.1X connection setup between NAD and endpoint
2. NAD requests credentials from endpoint (EAPo802.1X). This may include user, device, and/or posture
3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)
4. NAD sends credentials to ACS (EAPoRADIUS)
5. ACS can proxy portions of posture authentication to vendor server (HCAP). User/device credentials sent to authentication databases (LDAP, Active Directory, etc)
6. ACS validates credentials, determines authorization rights. E.g. visitors given GUEST access, unhealthy devices given QUARANTINE access
7. ACS sends authorization policy to NAD (VLAN assignment)
8. Host assigned VLAN, may then gain IP access (or denied, restricted)
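A runnable model of the 802.1X/EAP gate from the earlier EAP slide together with the NAC2 decision in steps 5 to 8, added as an example and not Cisco ACS or NAD code (the user database, posture attributes, password and VLAN names are constructed): the NAD relays only EAPOL until the ACS returns an authorization, and the ACS maps identity and posture to a GUEST, QUARANTINE or normal VLAN.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed identity store standing in for the LDAP/Active Directory lookup in step 5.
USER_DB = {"teacher1": {"password": "correct-horse", "vlan": "STAFF"}}

# Posture policy the ACS applies to the attributes the CTA reports in step 3 (constructed limit).
MAX_AV_SIGNATURE_AGE_DAYS = 7

@dataclass
class Credentials:
    user: Optional[str]                 # None: no identity presented, treated as a visitor
    password: Optional[str]
    posture: dict = field(default_factory=dict)   # av_installed, av_sigs_age_days, os_patched

def posture_healthy(p):
    """Device passes only if AV is present and current and the OS is patched."""
    return (p.get("av_installed") is True
            and p.get("av_sigs_age_days", 10**6) <= MAX_AV_SIGNATURE_AGE_DAYS
            and p.get("os_patched") is True)

def acs_authorize(c):
    """Steps 5-7: validate identity and posture; return (result, VLAN) as sent to the NAD."""
    if c.user is None:
        return "ACCEPT", "GUEST"                    # visitors given GUEST access
    rec = USER_DB.get(c.user)
    if rec is None or rec["password"] != c.password:
        return "REJECT", None                       # bad identity: port stays blocked
    if not posture_healthy(c.posture):
        return "ACCEPT", "QUARANTINE"               # unhealthy devices given QUARANTINE access
    return "ACCEPT", rec["vlan"]

class NetworkAccessDevice:
    """802.1X authenticator: a port passes only EAPOL until the ACS returns an authorization."""
    def __init__(self):
        self.ports = {}

    def connect(self, port, creds):
        """Steps 1-4 and 8: open the port blocked, relay credentials, then apply the VLAN."""
        self.ports[port] = {"vlan": None, "data_allowed": False}
        result, vlan = acs_authorize(creds)         # EAPoRADIUS round trip
        if result == "ACCEPT":
            self.ports[port] = {"vlan": vlan, "data_allowed": True}
        return self.ports[port]

    def forward(self, port, frame_kind):
        """EAPOL is always relayed; data passes only once a VLAN has been assigned."""
        state = self.ports.get(port, {"data_allowed": False})
        return frame_kind == "EAPOL" or state["data_allowed"]
```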
Secure Guest Access
Diagram: an Enterprise user on the internal SSID and a Guest user on the GUEST SSID, each with the client default gateway; guest traffic crosses the Enterprise Network in a switch-to-switch guest tunnel to a Guest controller in the DMZ
• Captive portal native in the controller
• Two options for guest access:
(1) Guest users can be placed on guest VLAN
(2) All guest traffic is tunneled to a guest controller
• User DB can be local or RADIUS
• Robust administration
Ambassador login
Customizable web pages
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
Checklist for Secure Wireless LANs
Implementation Checklist: Protect the Network (Anomaly and IDS/IPS)
Rogue AP detection and containment, Multilayer client exclusions
• Wireless IDS
• Rogue Detect/Containment
• FIPS
A Complete Solution for Handling Rogues
1. Detect Rogue AP (Generate alarm)
2. Assess Rogue AP (Identity, Location, ..)
3. Contain Rogue AP
• Can be automated
• Multiple rogues contained simultaneously
4. View Historical Report
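Steps 1, 2 and 4 above as detection logic over constructed scan reports, added as an example and not Cisco WCS code (the authorized AP list, SSIDs, BSSIDs and RSSI values are constructed): each unauthorized BSSID raises one alarm, an unauthorized AP advertising one of our own SSIDs is classed as a honeypot, and location is estimated as the managed AP that hears it loudest, a simplification of the RF-based location the system provides.

```python
from collections import defaultdict

# Constructed authorized AP list: BSSID -> (name, location), as the management system would hold it.
AUTHORIZED_APS = {
    "00:11:22:33:44:aa": ("ap-block-a-1", "Block A, floor 1"),
    "00:11:22:33:44:bb": ("ap-block-b-2", "Block B, floor 2"),
}
OUR_SSIDS = {"school-staff", "school-guest"}

# Constructed scan reports from managed APs: (reporting AP, observed BSSID, advertised SSID, RSSI dBm)
SCAN_REPORTS = [
    ("00:11:22:33:44:aa", "00:11:22:33:44:bb", "school-staff", -70),   # our own AP, not a rogue
    ("00:11:22:33:44:aa", "de:ad:be:ef:00:01", "school-staff", -45),   # unknown AP using our SSID
    ("00:11:22:33:44:bb", "de:ad:be:ef:00:01", "school-staff", -78),   # same rogue, heard further away
    ("00:11:22:33:44:bb", "ca:fe:00:00:00:02", "HomeHub-1234", -85),   # neighbouring network
]

def classify(bssid, ssid):
    """Step 1: None for authorized APs; 'honeypot' when an unknown AP advertises our SSID."""
    if bssid in AUTHORIZED_APS:
        return None
    return "honeypot" if ssid in OUR_SSIDS else "rogue"

def detect_and_assess(reports):
    """Steps 1-2 and 4: one alarm per unknown BSSID, with class, nearest managed AP and sighting count."""
    seen = defaultdict(list)
    for reporter, bssid, ssid, rssi in reports:
        kind = classify(bssid, ssid)
        if kind:
            seen[bssid].append((rssi, reporter, ssid, kind))
    alarms = []
    for bssid, obs in seen.items():
        rssi, reporter, ssid, kind = max(obs)       # strongest signal wins the location estimate
        alarms.append({"bssid": bssid, "ssid": ssid, "class": kind,
                       "nearest_ap": AUTHORIZED_APS[reporter][1],
                       "strongest_rssi": rssi, "heard_by": len(obs)})
    # Honeypots first: they put our own users at risk, so they head the historical report.
    alarms.sort(key=lambda a: (a["class"] != "honeypot", a["bssid"]))
    return alarms
```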
Cisco WCS – Centralized Security Management
Cisco WLAN FIPS status: Federal Information Processing Standard (FIPS)
• Pre-validated for FIPS 140-2 and Common Criteria
- 4400 controller
- AP1200, AP1100 and BR1300 (LWAPP and Autonomous)
• FIPS Kit will be required; contents include:
- Tamper-evidence labels
- Download instructions for FIPS approved IOS images
- Download instructions for Security Policies
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
Security Management
CS-MARS
• Network wide anomaly detection
• Rules based correlation
WCS
• Simple, Powerful Dashboard
• Robust Reporting
Checklist Summary
Keep Clients Safe (Endpoint Protection)
• 802.1X (EAP)
• WPA2 (AES) or WPA (TKIP)
• Management Frame Protection
• Cisco CSA
Keep Clients Honest (Admission Control)
• Cisco NAC for wired and wireless
• Cisco CSA
• Guest: Integrated captive portal w/traffic tunneling
Protect the Network (Anomaly and IDS/IPS)
• Wireless IDS
• Rogue Detect/Contain
• FIPS
The Cisco Difference
• Unifying wireless and wire line
Utilizing all of Cisco’s security expertise and product line
Not reinventing the wheel
• Location, Location, Location
Only WLAN system with RF fingerprinting for rogue location accuracy
• INTEGRATED air monitoring
Only WLAN system that does not require separate air monitors
Built-in rogue protection and intrusion detection
• Security Designed for Real-Time Applications
Fast Secure roaming
• Active leadership in standards bodies
802.11i, 802.11r, 802.11w, 802.11k