securely designing your wireless lan for threat mitigation...


Upload: buitruc

Post on 16-Mar-2018


Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD

Kanu Gupta, Technical Marketing Engineer, CCIE – 40465 (Wireless)

BRKEWN-2005

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to chat with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How: cs.co/ciscolivebot#BRKEWN-2005. Cisco Spark spaces will be available until July 3, 2017.


Session Objectives

We won't talk about: ISE in detail, configuration details, version discrepancies, IPv6, fabric, roadmap.

Harden Infrastructure
  Inbuilt: Securing AP-WLC communication; 802.1x AP port security; default best practices
  Advanced: APIC Plug n Play

Protect the Air
  Inbuilt: Base WIPS; Rogue Detection; CleanAir; 802.11w
  Advanced: aWIPS

Secure Client Access
  Inbuilt: Client access methods (802.1x, iPSK, WebAuth); native policy management
  Advanced: ISE; Guest & BYOD management

Solution Level Protection
  Inbuilt: Application Visibility & Control; URL filtering
  Advanced: TrustSec; NetFlow/StealthWatch; Cisco Umbrella

For your reference

• There are slides in your PDF that will not be presented, or only quickly presented.

• They are valuable, but included only “For your reference”.

Agenda

• Infrastructure Hardening

• Over the Air Security

• Secure Access

• Solution Level Security

• Enterprise Use Case

Cisco Digital Network Architecture for mobility

Principles: Automation, Assurance, Platforms & Virtualization
Outcomes: Insights and Experiences; Automation and Assurance; Security and Compliance

Automation
• Plug n Play
• EasyQoS
• ISE: .1x, BYOD and Guest

Assurance
• RESTful APIs on WLC
• NetFlow export
• Apple Network Optimization & FastLane

Platforms & Virtualization
• Modular APs with RESTful APIs
• DNA optimized controllers: 3504, 5520, 8540
• Various VM models: ESXi, KVM, HyperV, AWS

Open APIs: modular APs with RESTful APIs
Cloud service management: CMX 10.x with Context and Guest

Embedded Security Built for Today’s Threats

Security expertise and innovation. Evidence of trust.

“Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions… There has never been a greater need to improve network infrastructure security” (Alert TA16-251A, September 2016)

Trustworthy Systems: Protect the Device

Learn more:

• Visit trust.cisco.com

• See: BRKARC-1010 “Protecting the Device:

Cisco Trustworthy Systems & Embedded Security”

• Meet the Engineer: Topic: “Security and Trust Architecture”


Cisco Trustworthy Systems Levels: Enterprise Wireless

Platform Integrity: counterfeit protections, image signing, secure boot, modern crypto, hardware trust anchor, secure device onboarding

Protects the Network (protections against attack): IP Source Guard, ACLs, WIPS/Rogue, DHCP snooping, secure transport, 802.11w/r/i, TrustSec, NetFlow

Solution Level Attack Protection: ISE, Stealthwatch, Umbrella

Security Culture: PSIRT advisories, security training, product security baseline, threat modeling, open source registration, supply chain management

Learn more: BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”

Secure the Infrastructure


Infrastructure Hardening: best practices; 802.11 encryption; MFP, 802.11w; Plug n Play

AP control at the access layer: 802.1X credentials for the AP

Supplicant: Access Point (AP) --EAP over LAN (EAPoL), Layer 2 point-to-(multi)point--> Authenticator --RADIUS, Layer 3 link--> AuthC Server

AP# capwap ap dot1x username [USER] password [PWD]

* Not supported today on 1800/2800/3800 APs.

Securing the AP-WLC communication: CAPWAP tunnels

CAPWAP Control: DTLS, UDP 5246
CAPWAP Data: (DTLS) UDP 5247

(Cisco Controller) >config ap link-encryption enable all/[AP-NAME]

• CAPWAP Control is encrypted by default
• CAPWAP Data is encapsulated but not encrypted by default
• Support for DTLS data encryption between AP and WLC

See also BRKEWN-2010

Securing the AP-WLC communication: Locally Significant Certificate (LSC)

CAPWAP authenticated with certificates issued by your own PKI.

Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

APIC-EM Plug-n-Play (PnP): for secure provisioning of Access Points

• The AP finds APIC-EM through the APIC-EM IP in DHCP option 43 or DNS resolution of pnpserver.<dhcp-domain-option>
• AP SN #123 > matched to its configuration file (WLC IP, Vegas AP Group, etc.) > joins the WLC in the Vegas AP Group
• AP SN #456 > not in any project list > claim list

AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html

Securing the AP-WLC communication: Out-of-Box AP Group and RF Profile (v7.3+)

• Out-of-Box AP Group > radios disabled
• Vegas AP Group > radios enabled

Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#ID2870

End to End Encryption of Mobility Tunnel (8.5): CAPWAP v4 with DTLS encryption between Wireless LAN Controllers

Over the Air Security and Threat Mitigation


Over the Air Security: aWIPS, ELM; rogue detection; Cisco CleanAir®; off-channel scanning; FRA radio; EDRM

Wireless Intrusion Prevention System (wIPS): threats addressed

• Denial of Service: service disruption
• Evil Twin / Honeypot AP (hacker’s AP)
• Reconnaissance: seeking network vulnerabilities
• Cracking tools: sniffing and eavesdropping
• Non-802.11 attacks (Bluetooth AP, radar, RF jammers, Bluetooth, microwave): backdoor access and service disruption; detected by CleanAir and tracked by MSE
• Ad-hoc wireless bridge: client-to-client backdoor access
• Rogue access points

wIPS Process Flow and Component Interactions

Components: wIPS AP --CAPWAP--> Wireless Controller --NMSP--> wIPS MSE 8.x --SNMP trap--> Prime Infrastructure

Solution      | Components                                  | Functions                                                             | Licensing
Base IDS      | WLC, AP and Prime Infrastructure (optional) | Supports 17 native signatures; supports rogue detection & containment | Does not require any licensing
Adaptive WIPS | WLC, AP, MSE and Prime Infrastructure       | Offers comprehensive over-the-air threat detection & mitigation       | Licensed feature on MSE

wIPS with Cisco Mobility Services Engine (MSE) 8.0: Prime Infrastructure, WLCs, APs and the MSE; Prime Infrastructure communicates with the MSE over SOAP/XML over HTTP/HTTPS

AWIPS: Accurate Detection & Mitigation

Detection: device inventory analysis; signature & anomaly detection; network traffic analysis; on/off channel scanning. Threats covered: rogue AP/clients, ad-hoc connections, over-the-air attacks (cracking, recon, DoS)

Classification: default tuning profiles; customizable event auto-classification; wired-side tracing; physical location

Notification: unified PI security dashboard; flexible staff notification; device location

Mitigation: wired port disable; over-the-air mitigation; auto or manual; uses all APs for superior scale

Management: role-based with audit trails; customizable event reporting; PCI reporting; full event forensics

Supported AP modes for wIPS

• Data on 2.4 and 5 GHz, wIPS on all channels
• Data on 2.4 and 5 GHz, wIPS on all channels
• Data on 5 GHz, wIPS on all channels
• Data on 2.4 and 5 GHz, wIPS on all channels (“best effort”)

Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500

Cisco Wireless Security Deployment with AP3800/2800 Maintains Capacity and Avoids Interference

Features                                | Good: ELM                                                    | Better: Monitor Mode AP                   | Best: ELM with FRA Monitor Mode
Deployment density                      | Per AP                                                       | 1 in 5 APs                                | 1 radio per 5 APs
Client serving with security monitoring | Y                                                            | N                                         | Y
wIPS security monitoring                | 50 ms off-channel scan on selected channels on 2.4 and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz
CleanAir spectrum intelligence          | 7 x 24 on client serving channel                             | 7 x 24, all channels on 2.4 GHz and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz

Figure: channel-over-time diagrams for the three deployments. GOOD, Enhanced Local Mode Access Point: the 2.4 GHz and 5 GHz radios stay on their serving channel with short off-channel scans. BETTER, Monitor Mode Access Point: the 2.4 GHz radio cycles through Ch1, Ch2 … Ch11 and the 5 GHz radio through Ch36, Ch38 … Ch157, Ch161. BEST, ELM with FRA wireless security monitoring: a 5 GHz serving channel with off-channel scans plus a radio cycling through the 2.4 GHz and 5 GHz channels.

Rogue Access Points: what are they?

• A rogue AP is an AP that does not belong to our deployment.

• We might need to care (malicious/on network) or not (friendly).

• Sometimes we can disable them, sometimes we can mitigate them.

“I don’t know it.” “Me neither.”

Rogue Detection and Mitigation

Rogue classification and containment
• Rogue rules
• Manual classification – friendly/malicious
• Manual and auto containment

CleanAir with rogue AP types
• WiFi Invalid Channel
• WiFi Inverted

Rogue location
• Real-time with PI, MSE, CleanAir
• Location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers

Scanning by AP mode
• Data serving AP: serves clients on 2.4 GHz and 5 GHz, 50 ms off-channel scans
• Monitor mode AP: scans 1.2 s per channel
• FRA with MM: serves clients on dedicated 5 GHz, scans 1.2 s per channel

Optimize Wi-Fi with CleanAir: Quickly Identify and Mitigate Wi-Fi Impacting Interference

Figure: three sequential diagrams of APs on channels 1, 6 and 11 under RRM; an interferer is marked with an X and the RRM channel plan changes across the three diagrams.

CleanAir detectable attacks: some examples

• Traditional IDS/IPS (Layer 3-7): IP and application attacks & exploits
• wIPS (Layer 2): WiFi protocol attacks & exploits
• CleanAir (Layer 1): RF signaling attacks & exploits; dedicated to L1 exploits on 2.4 GHz and 5 GHz: rogue threats (“undetectable” rogues) and Wi-Fi jammers (“classic” interferers)

See also BRKEWN-3010

Secure Access to Corporate Network

• ISE
• Access methods
• Guest Management

Classification by the Identity Services Engine: 802.1x, MAC auth, WebAuth, guest access, BYOD, NAC RADIUS

Cisco Identity Services Engine (ISE)

• Centralized policy
• RADIUS server
• Posture assessment
• Guest access services
• Device profiling
• Client provisioning
• MDM
• Monitoring & troubleshooting
• Device admin / TACACS+

ACS, NAC Profiler, NAC Guest Server, NAC Manager, NAC Server -> Identity Services Engine

See also BRKSEC-3697, BRKSEC-3699

Authentication and Authorization: what are they?

Authentication (802.1X / iPSK / MAB / WebAuth): tells who/what the endpoint is.

Authorization: tells what the endpoint has access to. Policy elements: VLAN, access control list, quality of service, application control, Bonjour service policy, URL redirect.

URL Redirect: Central Web Auth, Client Provisioning, Posture

• Url-Redirection: for CWA, client provisioning, posture and MDM, the URL value is returned as a Cisco AV-pair RADIUS attribute, e.g. cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

• Url-Redirect-Acl: this ACL specifies the traffic to be permitted (bypass redirection) or denied (trigger redirection). The ACL is returned by name and must ex
ist as a named ACL on the WLC, e.g. cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT. ACL entries define the traffic subject to redirection (deny) and the traffic that bypasses redirection (permit).
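The redirect authorization above, as an added example that is not code from the deck: it parses the two Cisco AV-pairs from an Access-Accept and evaluates a redirect ACL with the slide's semantics (deny entries trigger the redirect, permit entries bypass it). The attribute names url-redirect and url-redirect-acl and the ACL name ACL-POSTURE-REDIRECT are the slide's; the ACL body, the ISE address 198.51.100.10, the session id, the "only web ports get redirected, other denied traffic is dropped" modelling rule and the helper names are assumptions made here.

```python
"""Added example (not code from the Cisco Live deck): parse the Cisco AV-pairs that
an ISE Access-Accept carries for a URL-redirect authorization and evaluate the
redirect ACL the way the slide describes it, with deny entries triggering the
redirect and permit entries bypassing it. ACL body, ISE address, session id and
helper names are constructed for illustration."""
import ipaddress


def parse_av_pairs(attributes):
    """Return {av-name: value} from a list of cisco-av-pair strings.
    The url-redirect value itself contains '=' (sessionId=..., action=cwa),
    so split on the first '=' only."""
    pairs = {}
    label = "cisco-av-pair="
    for raw in attributes:
        if raw.startswith(label):          # strip the RADIUS attribute label
            raw = raw[len(label):]
        name, _, value = raw.partition("=")
        pairs[name.strip()] = value.strip()
    return pairs


# Constructed redirect ACL, standing in for the named ACL configured on the WLC.
# Slide semantics: permit = bypass redirection, deny = subject to redirection.
# Entry: (action, protocol, destination network, destination port or None for any)
REDIRECT_ACLS = {
    "ACL-POSTURE-REDIRECT": [
        ("permit", "udp", "0.0.0.0/0", 53),            # DNS must work so the portal name resolves
        ("permit", "tcp", "198.51.100.10/32", 8443),   # traffic to the ISE portal itself bypasses
        ("deny", "tcp", "0.0.0.0/0", 80),              # all other web traffic is redirected
        ("deny", "tcp", "0.0.0.0/0", 443),
    ],
}
# Modelling assumption: only web traffic can be redirected; other denied traffic is dropped.
WEB_PORTS = {80, 443}


def acl_action(acl, protocol, dst_ip, dst_port):
    """First-match evaluation with the usual implicit deny at the end of the ACL."""
    dst = ipaddress.ip_address(dst_ip)
    for action, proto, net, port in acl:
        if proto == protocol and dst in ipaddress.ip_network(net) and port in (None, dst_port):
            return action
    return "deny"


def evaluate(attributes, protocol, dst_ip, dst_port):
    """Return ('redirect', url), ('bypass', None) or ('drop', None) for one client flow."""
    pairs = parse_av_pairs(attributes)
    url, acl_name = pairs.get("url-redirect"), pairs.get("url-redirect-acl")
    if url is None or acl_name is None:
        return ("bypass", None)            # no redirect authorization: nothing to intercept
    acl = REDIRECT_ACLS.get(acl_name)
    if acl is None:                        # ISE referenced an ACL the WLC does not have
        raise LookupError(f"redirect ACL {acl_name!r} is not configured on the WLC")
    if acl_action(acl, protocol, dst_ip, dst_port) == "permit":
        return ("bypass", None)
    return ("redirect", url) if dst_port in WEB_PORTS else ("drop", None)


# Constructed Access-Accept attributes following the slide's two examples.
ACCESS_ACCEPT = [
    "cisco-av-pair=url-redirect=https://198.51.100.10:8443/guestportal/gateway?sessionId=0a0000010000001a&action=cwa",
    "cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT",
]

if __name__ == "__main__":
    for flow in [("tcp", "203.0.113.5", 80), ("tcp", "198.51.100.10", 8443),
                 ("udp", "198.51.100.53", 53), ("tcp", "203.0.113.5", 22)]:
        print(flow, "->", evaluate(ACCESS_ACCEPT, *flow))
```

The check a practitioner wants from this is the second flow: traffic to the portal itself must hit a permit entry before the catch-all deny, otherwise the redirected browser can never reach the login page.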

Client attributes and traffic for profiling: how RADIUS, HTTP, DNS, DHCP (and other traffic) are used to classify clients

• ISE uses multiple attributes to build a complete picture of the end client’s device profile.
• Information is collected from sensors which capture different attributes: RADIUS, DHCP, HTTP User-Agent.

1. The MAC address is checked against the known vendor OUI database.
2. The client’s DHCP/HTTP attributes are captured by the AP and provided in RADIUS accounting messages by the WLC (DHCP/HTTP sensor).
3. HTTP: mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE’s portals.

Profiling Example from ISE

• Is the MAC address from Apple?
• DHCP:host-name CONTAINS iPad
• IP:User-Agent CONTAINS iPad

Result: “I have some certainty that this device is an iPad”
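The profiling flow of the last two slides as an added example (not ISE's code and not from the deck): a rule-based classifier in which each matching condition contributes a certainty factor and the endpoint is only classified once the total reaches a minimum, so a single spoofable attribute such as the MAC OUI can never classify on its own. The three conditions follow the slide; the certainty values, the threshold, the OUI table and the sample endpoint attributes are constructed.

```python
"""Added example (not part of the deck): a small rule-based profiler in the style
of the ISE iPad example. Certainty values, threshold, OUI table and sample
endpoint attributes are constructed."""

# Constructed OUI dictionary (first three octets -> vendor). A real deployment
# uses the IEEE registry; these prefixes are placeholders, not claimed to be real.
OUI_VENDORS = {
    "00:11:22": "Apple",
    "aa:bb:cc": "Cisco",
}


def oui_vendor(mac):
    """Vendor for a MAC written as aa:bb:cc:dd:ee:ff (case-insensitive)."""
    return OUI_VENDORS.get(mac.lower()[:8])


# (condition name, predicate over the collected attributes, certainty factor)
IPAD_RULES = [
    ("MAC OUI is Apple", lambda a: oui_vendor(a.get("mac", "")) == "Apple", 10),
    ("DHCP:host-name CONTAINS iPad", lambda a: "ipad" in a.get("dhcp_host_name", "").lower(), 20),
    ("IP:User-Agent CONTAINS iPad", lambda a: "ipad" in a.get("http_user_agent", "").lower(), 20),
]
IPAD_MIN_CERTAINTY = 30   # constructed threshold: the OUI alone (10) cannot classify


def profile(attrs):
    """Classify one endpoint from whatever attributes have been collected so far."""
    certainty, matched = 0, []
    for name, predicate, weight in IPAD_RULES:
        if predicate(attrs):
            certainty += weight
            matched.append(name)
    device = "Apple-iPad" if certainty >= IPAD_MIN_CERTAINTY else "Unknown"
    return {"device": device, "certainty": certainty, "matched": matched}


def profile_timeline(events):
    """Attributes arrive over time (RADIUS first, then DHCP, then HTTP); merge each
    event into the endpoint record and return the classification after each one."""
    known, history = {}, []
    for event in events:
        known.update(event)
        history.append(profile(dict(known)))
    return history


# Constructed probe events for one endpoint, in the order the slides describe:
# 1 RADIUS (MAC only), 2 DHCP attributes via RADIUS accounting, 3 HTTP User-Agent.
SAMPLE_EVENTS = [
    {"mac": "00:11:22:33:44:55"},
    {"dhcp_host_name": "Alices-iPad"},
    {"http_user_agent": "Mozilla/5.0 (iPad; CPU OS 10_3 like Mac OS X) AppleWebKit/603.1.30"},
]

# Constructed counter-example: Apple OUI but a laptop host-name and user agent.
LAPTOP_ATTRS = {"mac": "00:11:22:99:88:77", "dhcp_host_name": "alices-macbook",
                "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12)"}

if __name__ == "__main__":
    for step, result in enumerate(profile_timeline(SAMPLE_EVENTS), 1):
        print(step, result)
    print("laptop:", profile(LAPTOP_ATTRS))
```

Because DHCP host-names and User-Agent strings are client-supplied, the threshold is what keeps a device that only mimics one attribute from being classified; a policy that grants access on the profile should weigh how many of the contributing attributes the client controls.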

Local (WLC) Device Classification

Collection
1. MAC address checked against vendor OUI database
2. Client’s DHCP attributes captured by AP
3. User-Agent payload on custom HTTP port inspected by HTTP sensor

Analysis: pre-defined device signatures and in-built MAC OUI dictionary

MAC OUI and device profiles can be dynamically updated on the WLC independent of the controller image

Profile based Policy Enforcement: practical examples of policies

An employee on a corporate laptop and on a personal iPad accessing Product Bookings and Facebook.com:

User Role | Device          | Service                       | Action
Employee  | Corporate Asset | Product Bookings/Facebook.com | Permit
Employee  | iPad            | Facebook.com                  | Permit
Employee  | iPad            | Product Bookings              | Deny

Client Access Methods

• 802.1x
• Identity PSK
• MAB
• WebAuth

Device Awareness: Identity is the Base

Various authentication mechanisms into the IP network, with ISE:
• Authorized users (managed devices/users): 802.1x
• IP phones, IoT devices (non-802.1X devices): Identity PSK
• Guests (non-802.1X users): web auth

Method             | Security benefits                                                                                            | Drawback
802.1x             | Robust; industry standard; strong encryption and authentication                                              | Requires an 802.1x supplicant; complex to configure, implement and manage
Identity PSK       | Easy to configure; strong encryption; works with existing infrastructure                                     | Manually key in the passphrase for the client
Web authentication | Used with MAB and profiler to trigger the guest process for secure onboarding and resources for guest access | Web auth by itself offers per-client access rather than group level

802.1X: why 802.1X?

How does it work? Supplicant --EAPoL--> Authenticator (AP, WLC) --RADIUS--> Authentication Server (ISE)

• Industry standard approach to identity
• Most secure user/device authentication
• Complements other switch security features
• Various deployment options
• Foundation for services like posture, policy implementation

EAP Authentication Types: different authentication options leveraging different credentials

Tunnel-based: EAP-PEAP, EAP-FAST, with inner methods EAP-GTC, EAP-TLS, EAP-MSCHAPv2
Certificate-based: EAP-TLS

• Tunnel-based – common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel provides security for the inner method, which may be vulnerable by itself.

• Certificate-based – for more security, EAP-TLS provides mutual authentication of both the server and the client.

RADIUS Change of Authorization (CoA)

• The RADIUS protocol is initiated by the network device (NAD); without CoA there is no way to change an authorization from the ISE.
• Now the network device listens for CoA requests from ISE (RADIUS CoA, UDP 1700/3799):
  • Re-authenticate session
  • Terminate session
  • Terminate session with port bounce
  • Disable host port

“Now I can control ports when I want to!”

(config)#aaa server radius dynamic-author
 client {PSN} server-key {RADIUS_KEY}

Identity PSK (8.5): multiple PSKs per SSID allow advanced security encryption across all devices

• Increased demand for IoT devices
• Identity security without 802.1x
• Simple operations, high scale, cost effective
• Private PSK with RADIUS integration
• Per-client AAA override (VLAN / ACL etc.)

Identity PSK (8.5)

ISE (device MAC group -> private PSK and the RADIUS attributes returned):
• IOT Devices: PSK aabbcc; Cisco-AVPair += "psk-mode=ascii", Cisco-AVPair += "psk=aabbcc"
• Sensors: PSK xxyyzz; Cisco-AVPair += "psk-mode=ascii", Cisco-AVPair += "psk=xxyyzz"
• Employees: ---; no PSK attributes

Wireless LAN Controller: PSK WLAN with MAC filtering and AAA override enabled

Access Point: IOT Devices use aabbcc, Sensors use xxyyzz, Employees use the WLAN PSK
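The Identity PSK decision above as an added simulation (not the deck's or Cisco's code): ISE keeps a MAC-group to private-PSK table, MAC filtering returns the psk-mode/psk AV-pairs for IoT devices and sensors and nothing for employees, and the WLC's AAA override picks the effective passphrase. The PMK derivation is standard WPA2-Personal (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, SSID as salt) and is included to show that the groups end up with different pairwise master keys on one SSID. The group and AV-pair names are the slide's; the MACs, passphrases and SSID are constructed, and the 8-63 character check is the WPA2 passphrase rule rather than anything the slide states.

```python
"""Added example (not the deck's code): the Identity PSK slide as a simulation of
the ISE decision, the WLC AAA override and the resulting WPA2 PMK. MACs,
passphrases and the SSID are constructed."""
import hashlib

SSID = "corp-iot"                       # constructed
WLAN_PSK = "employees-wlan-passphrase"  # constructed WLAN-level PSK (8-63 chars)

# Constructed ISE data: endpoint MAC -> identity group, group -> private PSK.
ENDPOINT_GROUPS = {
    "00:11:22:aa:bb:01": "IOT Devices",
    "00:11:22:aa:bb:02": "Sensors",
    "00:11:22:aa:bb:03": "Employees",
}
GROUP_PSK = {"IOT Devices": "iot-private-psk-01", "Sensors": "sensor-private-psk-02"}


def ise_authorize(mac):
    """ISE side of MAC filtering: AV-pair list for a known MAC (empty for employees,
    who get no PSK attributes), None when the MAC is unknown (Access-Reject)."""
    group = ENDPOINT_GROUPS.get(mac.lower())
    if group is None:
        return None
    psk = GROUP_PSK.get(group)
    if psk is None:
        return []
    return ["psk-mode=ascii", f"psk={psk}"]


def wlc_effective_psk(avpairs):
    """WLC side with AAA override enabled: the private PSK if ISE sent one, else the WLAN PSK."""
    if avpairs is None:
        raise PermissionError("MAC filtering rejected the client")
    attrs = dict(pair.split("=", 1) for pair in avpairs)
    if attrs.get("psk-mode", "ascii") != "ascii":
        raise ValueError("only psk-mode=ascii is modelled here")
    psk = attrs.get("psk", WLAN_PSK)
    if not 8 <= len(psk) <= 63:
        raise ValueError("a WPA2 passphrase must be 8 to 63 characters")
    return psk


def pmk(passphrase, ssid=SSID):
    """WPA2 PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), hex encoded."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def onboard(mac):
    """Full path for one client: ISE decision -> WLC override -> PMK the client must derive."""
    passphrase = wlc_effective_psk(ise_authorize(mac))
    return passphrase, pmk(passphrase)


if __name__ == "__main__":
    for mac, group in ENDPOINT_GROUPS.items():
        passphrase, key = onboard(mac)
        print(f"{mac} {group:12s} psk={passphrase} pmk={key[:16]}...")
```

The test below also checks the derivation against the IEEE 802.11 Annex H test vector (passphrase "password", SSID "IEEE"), which is the quickest way to confirm the PBKDF2 parameters are the ones real clients use.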

Central Web Authentication (CWA)

Participants: AP-WLC, DHCP/DNS, ISE server

1. Open SSID with MAC filtering enabled
2. First authentication session (MAB)
3. AuthC success; AuthZ for unknown MAC returned: redirect/filter ACL, portal URL
4. Host acquires IP address, triggers session state
5. Host opens browser – WLC redirects browser to the ISE web page (login page); host sends username/password
6. Web auth success results in CoA; server authorizes user
7. MAB re-auth; MAB success; session lookup – policy matched; authorization ACL/VLAN returned

CWA is a URL-redirect scenario: the redirection URL and the redirect ACL are centrally configured on ISE and communicated to the WLC via RADIUS.

Other URL-Redirect scenarios (Posture, MDM)

Participants: AP-WLC, DHCP/DNS, ISE server

1. SSID configured for 802.1X / MAB
2. First authentication session
3. AuthC success; AuthZ returned: redirect/filter ACL, URL for posture/MDM/etc.
4. Host acquires IP address, triggers session state
5. Host opens browser – WLC redirects browser to ISE for other services: posture check, MDM check, client provisioning, etc.
6. RADIUS CoA; server authorizes user
7. 802.1X/MAB re-auth; 802.1X/MAB success; session lookup – policy matched; authorization ACL/VLAN returned

Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB.
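The CWA flow and the posture/MDM flow of the two preceding slides, as one added session state machine (not code from the deck): ISE keeps per-session state, the first MAB or 802.1X authentication returns a redirect authorization, the portal or posture step marks the session and issues a CoA re-authenticate, and the second authentication matches the final policy. Step names mirror the slides; the session id, MAC, portal host, ACL and VLAN values are constructed, as are the class and method names.

```python
"""Added example (not the deck's): the CWA and posture/MDM URL-redirect flows as a
session state machine with an ISE side and a WLC side. Session id, MAC, portal
host, ACL and VLAN values are constructed."""

PORTAL_HOST = "ise.example.invalid:8443"   # constructed portal address (reserved .invalid TLD)


class ISEServer:
    """ISE with one URL-redirect service configured: 'cwa' for the guest portal,
    'posture' or 'mdm' for the other identity services."""

    def __init__(self, service):
        self.service = service
        self.sessions = {}   # session id -> {"mac": ..., "stage": new | redirect | complete}

    def authenticate(self, session_id, mac, method):
        """Access-Request for MAB or 802.1X; serves both the first auth and the CoA re-auth."""
        s = self.sessions.setdefault(session_id, {"mac": mac, "stage": "new"})
        if s["stage"] == "new":                       # step 3: AuthC success, redirect AuthZ
            s["stage"] = "redirect"
            return {"result": "Access-Accept", "method": method,
                    "url-redirect-acl": "ACL-POSTURE-REDIRECT",
                    "url-redirect": f"https://{PORTAL_HOST}/portal/gateway"
                                    f"?sessionId={session_id}&action={self.service}"}
        if s["stage"] == "complete":                  # step 7: session lookup, final policy matched
            return {"result": "Access-Accept", "method": method, "acl": "ACL-FULL-ACCESS", "vlan": 100}
        return {"result": "Access-Reject", "method": method}

    def portal(self, session_id, success):
        """Steps 5-6: the redirected browser completes web auth / posture / MDM check;
        on success the session is marked complete and a CoA re-authenticate is issued."""
        s = self.sessions.get(session_id)
        if s is None or s["stage"] != "redirect":
            raise LookupError("no session is awaiting the portal")
        if not success:
            return None                               # failed login / non-compliant: stay restricted
        s["stage"] = "complete"
        return {"coa": "reauthenticate", "sessionId": session_id}


class WLC:
    def __init__(self, ise, method):
        self.ise, self.method = ise, method
        self.clients = {}    # client MAC -> current authorization

    def client_joins(self, mac, session_id):
        """Step 2: (re-)authentication session for the client; installs what ISE returns."""
        self.clients[mac] = dict(self.ise.authenticate(session_id, mac, self.method), sessionId=session_id)
        return self.clients[mac]

    def http_request(self, mac):
        """Step 5: under a url-redirect authorization the browser is sent to the portal URL."""
        return self.clients[mac].get("url-redirect")

    def coa(self, request):
        """CoA listener: re-authenticate the named session and install the new policy."""
        for mac, authz in self.clients.items():
            if authz["sessionId"] == request["sessionId"]:
                return self.client_joins(mac, authz["sessionId"])
        raise LookupError("unknown session in CoA request")


def run_flow(service, method, portal_success=True):
    """Drive one client through the flow; returns (step name, detail) pairs."""
    mac, session_id = "00:11:22:33:44:55", "0a0000010000001a"   # constructed
    wlc = WLC(ISEServer(service), method)
    trace = [("first-auth", wlc.client_joins(mac, session_id)),
             ("redirect", wlc.http_request(mac))]
    coa = wlc.ise.portal(session_id, portal_success)
    trace.append(("portal", coa))
    if coa is not None:
        trace.append(("reauth", wlc.coa(coa)))
    return trace


if __name__ == "__main__":
    for step, detail in run_flow("cwa", "MAB"):
        print(step, detail)
```

The failed-portal path is the one worth tracing: with no CoA the client keeps the redirect authorization, so it stays behind the redirect ACL rather than silently gaining the full-access policy.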

MDM Integration: ISE registered, MDM registered, PIN locked, encryption, jail broken

Guest Management


Managing Guest User Lifecycle with ISE

Provisioning – create guest accounts: create a single guest account; import a CSV file for multiple guest accounts
Notification – give accounts to guests: print account details; send account details via email; send account details via text
Management – manage guest accounts: view, edit, suspend guest accounts; manage batches of created accounts
Reporting – report on guests: view and audit reports on individual guest accounts; display management reports on guest accounts

ISE – Sponsor Portal

• Customizable sponsor pages
• Sponsor privileges tied to defined sponsor policy
  o Roles the sponsor can create
  o Time profiles that can be assigned
  o Management of other guest accounts
  o Single or bulk account creation

ISE – Guest Self-Service

Network Based Security

Solution Level Attack Protection: TrustSec SXP; inline tagging; AVC/NetFlow; URL filtering; local policy with AVC, Umbrella; AAA override (VLAN, ACL, QoS)

Integrating Security IN the Network

Network as a Security Sensor (NaaS): detect anomalous traffic; detect user access violations; obtain broad visibility of network traffic

Network as a Security Enforcer (NaaE): software defined segmentation to contain an attack; dynamic user groups and consistent policy across the network, users and devices; access control to protect resources

Network as a Sensor

• Application Visibility & Control

• NetFlow


The Network Gives Deep and Broad Visibility: discover and classify assets; understand behavior; design and model policy; enforce policy (network segmentation); active monitoring. The network is a key asset for threat detection and control.

How AVC Works on Cisco Wireless: Network Visibility, Control, Context and Analytics

1. Deep packet inspection: the DPI engine (NBAR2) identifies applications using L7 signatures (NBAR on AP, AireOS 8.1)
2. Performance collection & exporting: collect application info and export it to the controller every 90 seconds; static NetFlow export
3. Reporting tool: Cisco Prime Infrastructure, StealthWatch, LiveAction and others; app visibility & user experience report, e.g.
   App    | BW    | Transaction time
   WebEx  | 3 Mb  | 150 ms
   Citrix | 10 Mb | 500 ms
4. Control: use QoS rate limiting (High / Med / Low) to control application bandwidth usage for performance

AVC on FlexConnect Access Points (8.1)

Branch Gen2 AP --NetFlow export from AP to WLC across the WAN--> WLC; real-time information for the last 90 seconds; stateful context transfer on roam

• AVC supported on Gen 2 FlexConnect Access Points (AireOS 8.1); Protocol Pack 14 with upgraded NBAR engine 23
• Stateful context transfers supported for intra-FlexConnect-group roams

NetFlow: the heart of network as a sensor

Record fields: client MAC, client IP, SSID, access point MAC, packet count, byte count, ToS/DSCP value, application tag (who, where, when, what)

• NetFlow statistics sent at an interval of 30 seconds
• NetFlow record sent even for unclassified applications
• Username sent for dot1x authentication
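The record the slide describes, as an added example (not from the deck or a Cisco collector): constructed 30-second interval records with the listed fields, summarised the way a "network as a sensor" collector would use them, with per-client and per-application byte totals, unclassified traffic kept rather than dropped, the username present only for the dot1x client, and a simple interval-to-interval volume jump check. Field names follow the slide; every record value, the MAC addresses and the jump factor are constructed.

```python
"""Added example (not from the deck): WLAN NetFlow records modelled as 30 s
interval records and summarised per client and application. All records are
constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WlanFlowRecord:
    client_mac: str
    client_ip: str
    ssid: str
    ap_mac: str
    packet_count: int
    byte_count: int
    dscp: int
    app_tag: str              # NBAR application name, "unclassified" when no signature matched
    username: Optional[str]   # only present for dot1x authenticated clients
    interval_end: int         # epoch seconds; records arrive every 30 s


# Constructed records: two 30 s intervals, one dot1x laptop and one iPSK sensor.
RECORDS = [
    WlanFlowRecord("00:11:22:aa:bb:03", "10.1.10.220", "corp", "00:aa:bb:00:00:01", 300, 300_000, 34, "webex", "alice", 1_500_000_030),
    WlanFlowRecord("00:11:22:aa:bb:03", "10.1.10.220", "corp", "00:aa:bb:00:00:01", 900, 1_000_000, 0, "citrix", "alice", 1_500_000_030),
    WlanFlowRecord("00:11:22:aa:bb:02", "10.1.20.15", "corp-iot", "00:aa:bb:00:00:02", 40, 12_000, 0, "unclassified", None, 1_500_000_030),
    WlanFlowRecord("00:11:22:aa:bb:03", "10.1.10.220", "corp", "00:aa:bb:00:00:01", 200, 250_000, 34, "webex", "alice", 1_500_000_060),
    WlanFlowRecord("00:11:22:aa:bb:02", "10.1.20.15", "corp-iot", "00:aa:bb:00:00:02", 4000, 5_000_000, 0, "unclassified", None, 1_500_000_060),
]


def bytes_by_client_app(records):
    """'Who' and 'what': total bytes keyed by (client MAC, application tag)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r.client_mac, r.app_tag)] += r.byte_count
    return dict(totals)


def identity(records, mac):
    """Username from any dot1x record for this client, else None (MAB/iPSK/web-auth clients)."""
    return next((r.username for r in records if r.client_mac == mac and r.username), None)


def unclassified_share(records, mac):
    """Fraction of the client's bytes that NBAR could not classify."""
    total = sum(r.byte_count for r in records if r.client_mac == mac)
    unknown = sum(r.byte_count for r in records if r.client_mac == mac and r.app_tag == "unclassified")
    return unknown / total if total else 0.0


def interval_jump(records, mac, factor):
    """Flag intervals in which the client's bytes exceed the previous interval by more
    than `factor` times; returns the flagged interval_end values."""
    per_interval = defaultdict(int)
    for r in records:
        if r.client_mac == mac:
            per_interval[r.interval_end] += r.byte_count
    flagged, previous = [], None
    for end in sorted(per_interval):
        if previous and per_interval[end] > factor * previous:
            flagged.append(end)
        previous = per_interval[end]
    return flagged


def sensor_report(records, jump_factor=10):
    """One entry per client: identity, top application, unclassified share, flagged intervals."""
    report, totals = {}, bytes_by_client_app(records)
    for mac in {r.client_mac for r in records}:
        apps = {app: b for (m, app), b in totals.items() if m == mac}
        report[mac] = {
            "user": identity(records, mac),
            "top_app": max(apps, key=apps.get),
            "unclassified": round(unclassified_share(records, mac), 3),
            "flagged_intervals": interval_jump(records, mac, jump_factor),
        }
    return report


if __name__ == "__main__":
    for mac, entry in sorted(sensor_report(RECORDS).items()):
        print(mac, entry)
```

The sensor entry is the interesting one: no username (it is not a dot1x client), all traffic unclassified, and a 400-fold jump between two intervals; a collector such as Stealthwatch would correlate the MAC with the device type ISE learned through profiling before deciding on a quarantine.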

Network as an Enforcer

• Wireless StealthWatch Integration

• TrustSec for Policy Enforcement

• Policy Management with ISE

• Native Policy Management on WLC


Wireless StealthWatch Integration: Network as a Sensor, Network as an Enforcer (AireOS 8.2 on 5520/8510/8540 WLC)

• WLC -> StealthWatch Flow Collectors (collect and analyze): flow telemetry from network devices as NetFlow v9 records
• ISE -> StealthWatch: identity, MAC address, device type via pxGrid notifications
• StealthWatch Management Console (up to 25 flow collectors) -> ISE: quarantine; ISE -> WLC: CoA

See also BRKSEC-3014

Cisco TrustSec Enabled Network Segmentation: simplifying enforcement (8.4)

Traditional security policy (an ACL example):
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec security policy: dynamic policy & enforcement on an identity-enabled infrastructure, with roles Employee, Supplier, App Server, Non Compliant and Shared Server across Internet, Data Center and Intranet

Wireless TrustSec Support

Classification (assigning SGTs): static & dynamic assignments, e.g. 5 Employee, 6 Voice, 7 Partner
Propagation: inline SGT & SXP
Enforcement: Security Group ACL

AP mode | SXPv4 on AP | Inline tagging on AP | SGACL enforcement
Local   | NO          | NO                   | YES
Flex    | YES         | YES                  | YES
Mesh    | NO          | NO                   | YES (indoor only)

Topology and location independent: the policy (SGT) stays with the endpoint. Simplifies ACL management.

Egress Policy Matrix: the default rule can be permit or deny

Ingress classification, Egress Enforcement

Infrastructure: Cat3850, WLC5508, Cat6800, Nexus 7000, Nexus 5500, Nexus 2248, enterprise backbone

1. User authenticated and classified as Marketing (SGT 5)
2. Traffic SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5 crosses the enterprise backbone
3. Destination classification: Web_Dir: SGT 20; CRM: SGT 30
4. Egress lookup: destination SGT 20 (Web_Dir) for DST 10.1.100.52; destination SGT 30 (CRM) for DST 10.1.200.100

Egress policy matrix (SRC \ DST):
              | Web_Dir (20) | CRM (30)
Marketing (5) | Permit       | Deny
BYOD (7)      | Deny         | SGACL-A
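The ingress-classification / egress-enforcement walk-through above as an added lookup example (not code from the deck or a Cisco switch). SGTs 5 (Marketing), 7 (BYOD), 20 (Web_Dir), 30 (CRM), the addresses 10.1.10.220, 10.1.100.52 and 10.1.200.100 and the four matrix cells are the slide's; the default rule (deny), the body of SGACL-A, the BYOD source address 10.1.10.221 and the helper names are constructed.

```python
"""Added example (not code from the deck): TrustSec ingress classification and
egress SGACL enforcement as a lookup. Default rule, SGACL-A body, the BYOD source
address and helper names are constructed."""

SGT_NAMES = {0: "Unknown", 5: "Marketing", 7: "BYOD", 20: "Web_Dir", 30: "CRM"}

# Ingress classification: the SGT assigned at authentication travels with the
# endpoint's traffic (inline tag or SXP binding); a static table stands in here.
SOURCE_SGT = {"10.1.10.220": 5, "10.1.10.221": 7}          # 10.1.10.221 is a constructed BYOD client
DESTINATION_SGT = {"10.1.100.52": 20, "10.1.200.100": 30}  # Web_Dir and CRM servers

# Egress policy matrix: (source SGT, destination SGT) -> Permit / Deny / SGACL name
EGRESS_MATRIX = {(5, 20): "Permit", (5, 30): "Deny", (7, 20): "Deny", (7, 30): "SGACL-A"}
DEFAULT_RULE = "Deny"   # the slide says the default can be permit or deny; deny is assumed here

# Constructed SGACL body: (action, protocol or "any", destination port or None), first match wins
SGACLS = {"SGACL-A": [("permit", "tcp", 443), ("deny", "any", None)]}


def classify(ip, table):
    """SGT for an address; endpoints with no binding carry SGT 0 (Unknown)."""
    return table.get(ip, 0)


def evaluate_sgacl(name, protocol, port):
    for action, proto, p in SGACLS[name]:
        if proto in ("any", protocol) and p in (None, port):
            return action
    return "deny"   # implicit deny at the end of an SGACL


def egress_decision(src_sgt, dst_sgt, protocol, port):
    """Look the pair up in the matrix; cells naming an SGACL are evaluated per packet."""
    cell = EGRESS_MATRIX.get((src_sgt, dst_sgt), DEFAULT_RULE)
    if cell in ("Permit", "Deny"):
        return cell.lower()
    return evaluate_sgacl(cell, protocol, port)


def forward(src_ip, dst_ip, protocol, port):
    """Whole path for one packet: returns (source SGT, destination SGT, verdict)."""
    src_sgt, dst_sgt = classify(src_ip, SOURCE_SGT), classify(dst_ip, DESTINATION_SGT)
    return src_sgt, dst_sgt, egress_decision(src_sgt, dst_sgt, protocol, port)


if __name__ == "__main__":
    for pkt in [("10.1.10.220", "10.1.100.52", "tcp", 80), ("10.1.10.220", "10.1.200.100", "tcp", 443),
                ("10.1.10.221", "10.1.200.100", "tcp", 443), ("10.1.10.221", "10.1.200.100", "tcp", 22)]:
        s, d, verdict = forward(*pkt)
        print(f"{pkt[0]} ({SGT_NAMES[s]}) -> {pkt[1]} ({SGT_NAMES[d]}) {pkt[2]}/{pkt[3]}: {verdict}")
```

The point to notice is that the verdict depends only on the two tags and the SGACL, never on the addresses: moving the CRM server to another subnet changes the destination binding, not the policy, which is what the slide means by "topology, location independent".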

TrustSec East-West Traffic Use Case: Role Based Segmentation

Wired/wireless Employees and Suppliers on VLAN Data-1 and VLAN Data-2, carrying an Employee tag or a Supplier tag, reach the Data Center (DC switch, application servers, shared services, remediation) across the enterprise backbone; ISE provides the policy.

• TrustSec enabled WLC & AP receive policy for only what is connected
• Access control based on the role of the user

TrustSec Demo

How about policies? Differentiating user groups; keeping untrusted devices out; basic access vs. full access

ISE for Network-Wide Unified Policy Enforcement

Context (WHO, WHAT, WHERE, WHEN, HOW) and identity, enforced on wireless LAN controllers, access points, switches and routers.

Examples of context: Franklo, Guest, 9 am; TonyS, Consultant, 6 pm; KG, Employee, 2 pm; device: personal iPad, employee owned

Identity services: profiling, posture, guest access, 802.1X, iPSK, MAB, WebAuth

Client Context and Policies: Control and Enforcement

Identity: 802.1X EAP machine/user authentication at the access point (HQ, 2:38pm)
Profiling: DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS from the wireless LAN controller to ISE (unified access management), to identify the device (personal asset or company asset)
Posture of the device
Policy decision: full or partial access granted
Enforcement: dACL, VLAN, SGT; corporate resources or Internet only

Local Profiling and Policy on WLC: Build BYOD, Native WLC Options

Inputs (conditions): access method, user role, device type, time of day, authentication type
Results (enforcement elements): VLAN, access control list, quality of service, AVC, Bonjour service policy

ISE and Wireless LAN Controller Profiling Support

ISE                                                                  | Wireless LAN Controller
Profiling using RADIUS probes, DHCP probes, HTTP, SNMP, DNS, NetFlow | Profiling based on MAC OUI, DHCP, HTTP based User-Agent
Multiple attributes for policy action supported                      | Policy action attributes: VLAN, ACL, session timeout, QoS
Profiling rules can be customized                                    | Default profiling rules

Policies for Applications and Services

1. Cisco Umbrella
2. URL Filtering
3. AVC
4. mDNS and Bonjour Services

WLC integration with Cisco Umbrella: policy tie-in to Cisco Umbrella

Cisco Umbrella for Content Filtering (8.4): why care about DNS?

Cloud based web filtering, threat management and insightful reporting across network, endpoint, mobile, virtual and cloud apps: low cost architecture; data analysis methods; uses recursive DNS; powerful reporting and analytics

Cisco Umbrella with WLC

The client sends its DNS query towards the configured DNS server 10.1.1.1 (or an external DNS proxy); the WLC intercepts it and forwards it to the Umbrella cloud resolver 208.67.220.220, which returns the DNS response according to the ACME policies (e.g. block gaming sites).

• WLC intercepts the DNS packet and redirects the query to the Umbrella cloud server at 208.67.220.220
• Content filtering and whitelisting at the DNS layer at WLAN, AP Group and policy level
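The WLC-side behaviour of the Umbrella slides (this one and the role- and location-based mappings that follow), as an added simulation that is not Cisco's or the deck's code: the client's DNS query is parsed for its question name, an Umbrella policy is chosen from the AAA user role or the AP group, the query is forwarded to the resolver 208.67.220.220 together with that policy, and a mock resolver applies the "block gaming sites" rule. The wire-format parser follows RFC 1035 and the resolver address and policy names mirror the slides; the domains, the category table, the block answer, the "role mapping wins over AP-group mapping" precedence and the fall-through to the local DNS server when nothing is mapped are assumptions.

```python
"""Added example (not the deck's code): DNS query interception with per-role and
per-AP-group Umbrella policy selection and a mock Umbrella resolver. Domains,
categories, precedence and the block answer are constructed."""
import struct

UMBRELLA_RESOLVER = "208.67.220.220"

# Constructed profile mappings in the shape the slides describe.
ROLE_POLICY = {"Contractor": "Contractor-Policy", "Employee": "Employee-Policy"}          # local policy (AAA user role)
AP_GROUP_POLICY = {"Corporate HQ": "Corporate-Policy", "Branch Office": "Branch-Policy"}  # AP group (location)
BLOCKED_CATEGORIES = {"Contractor-Policy": {"gaming", "social"}, "Employee-Policy": {"gaming"},
                      "Corporate-Policy": {"gaming"}, "Branch-Policy": set()}
DOMAIN_CATEGORY = {"games.example": "gaming", "social.example": "social", "intranet.example": "business"}
BLOCK_ANSWER = "192.0.2.1"   # constructed block-page address (TEST-NET-1)


def build_query(qname, qid=0x1234):
    """Standard DNS query for an A record: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT 1
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_qname(packet):
    """Extract the question name; rejects compression pointers and oversized labels,
    neither of which belongs in a client query."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected a DNS packet with exactly one question")
    labels, offset = [], 12
    while True:
        if offset >= len(packet):
            raise ValueError("truncated question name")
        length = packet[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        if length > 63:
            raise ValueError("label longer than 63 octets")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower()


def select_policy(user_role, ap_group):
    """Role mapping wins when both apply (assumption); None means nothing is mapped."""
    return ROLE_POLICY.get(user_role) or AP_GROUP_POLICY.get(ap_group)


def mock_umbrella_resolve(policy, qname):
    """Stand-in for the cloud resolver: block when the domain's category is in the policy."""
    category = DOMAIN_CATEGORY.get(qname, "uncategorised")
    if category in BLOCKED_CATEGORIES.get(policy, set()):
        return ("blocked", BLOCK_ANSWER)
    return ("resolved", None)   # a real resolver returns the record; not modelled here


def wlc_handle_query(packet, user_role=None, ap_group=None):
    """Intercept the query, choose the policy, forward to Umbrella, report the outcome.
    With no mapping the query goes to the configured DNS server unchanged (assumption)."""
    qname = parse_qname(packet)
    policy = select_policy(user_role, ap_group)
    if policy is None:
        return {"qname": qname, "resolver": "local", "policy": None, "verdict": "resolved"}
    verdict, _ = mock_umbrella_resolve(policy, qname)
    return {"qname": qname, "resolver": UMBRELLA_RESOLVER, "policy": policy, "verdict": verdict}


if __name__ == "__main__":
    print(wlc_handle_query(build_query("games.example"), user_role="Contractor", ap_group="Corporate HQ"))
    print(wlc_handle_query(build_query("games.example"), ap_group="Branch Office"))
```

Parsing the question strictly matters for an interceptor: a pointer or an over-long label in a client query is malformed input, and rejecting it up front keeps the policy lookup from being fed a name the resolver would interpret differently.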

Role Based Policy with Cisco Umbrella

OpenDNS Profile Mapping in Local Policy

Diagram: a Contractor and an Employee connect to the same WLAN; the AAA user role returned at authentication selects a Contractor Policy or an Employee Policy in the WLC Local Policy. Each client's DNS query is forwarded to the Cisco Umbrella Cloud and the DNS response is filtered according to that policy.

Related sessions: BRKSEC-2980, LABSEC-2006


Location Based Policy with Cisco Umbrella

OpenDNS Profile Mapping in AP Group

Diagram: APs at Corporate HQ belong to an AP Group mapped to the Corporate Policy; APs at the Branch Office belong to an AP Group mapped to the Branch Policy.
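As an added example (not from the deck or Cisco's code), this Python models the intercept described on the last three slides: it parses the client's raw DNS query to recover the queried name, selects the OpenDNS/Umbrella profile from the AAA user role (Local Policy) or the AP Group, and re-addresses the query to 208.67.220.220. The profile and AP group names, the sample query, and the Local Policy over AP Group over WLAN precedence are assumptions.

```python
import struct

UMBRELLA_RESOLVER = "208.67.220.220"   # resolver the WLC redirects client DNS to (from the deck)

# Constructed profile bindings; these names are assumptions, not from the deck.
WLAN_PROFILE = {"Enterprise": "Corporate-Policy"}
AP_GROUP_PROFILE = {"HQ-APs": "Corporate-Policy", "Branch-APs": "Branch-Policy"}
ROLE_PROFILE = {"Contractor": "Contractor-Policy", "Employee": "Employee-Policy"}

def parse_qname(packet):
    """Return the question name from a raw DNS query (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount == 0:     # QR bit set means a response, not a query
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                    # compression pointers are not valid here
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()

def select_profile(wlan, ap_group, user_role=None):
    """Pick the OpenDNS/Umbrella profile: Local Policy (AAA user role), then AP Group,
    then WLAN. This order of precedence is an assumption of the model."""
    if user_role in ROLE_PROFILE:
        return ROLE_PROFILE[user_role]
    if ap_group in AP_GROUP_PROFILE:
        return AP_GROUP_PROFILE[ap_group]
    return WLAN_PROFILE[wlan]

def redirect_query(packet, wlan, ap_group, user_role, client_dns):
    """Model the WLC intercept: the query the client addressed to its own DNS server
    (e.g. 10.1.1.1 on the slide) is forwarded to the Umbrella resolver with a profile."""
    return {"qname": parse_qname(packet), "profile": select_profile(wlan, ap_group, user_role),
            "client_dns": client_dns, "forward_to": UMBRELLA_RESOLVER}

def build_query(name, txid=0x1234):
    """Construct a standard A-record query for `name` (sample input, not a capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```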

Cisco Umbrella Demo

Application Visibility and Control

Policy tie-in to AVC


ROLE BASED APPLICATION POLICY

• Alice (Sales) and Bob (IT Admin) are both employees

• Both Alice and Bob are connected to the same SSID

• Alice can access certain applications (YouTube), Bob cannot

ROLE BASED + DEVICE TYPE APPLICATION POLICY

• Alice can access inventory info on an IT provisioned Windows laptop

• Alice cannot access inventory info on her personal iPad

ROLE BASED + DEVICE TYPE + APPLICATION SPECIFIC POLICY

• Alice has limited access (rate limit) to Jabber on her iPhone

Granular Filtering with Policy tie-in to AVC

• 7.4 – AVC

• 7.5 – Dynamic protocol pack update

• 7.6 – Jabber, Lync 2013 support

• 8.0 – User and device aware policies; ability to classify Apple iOS, Windows, Android upgrades

• 8.1 – User & device aware policies; ability to classify Apple iOS, Windows, Android upgrades

• 8.2 – Wi-Fi calling; Skype for Business; UserId + IPFlow for NetFlow export; Stealthwatch Collector

AVC (Application Visibility and Control)

Per-user profiles via AAA

Diagram: an Employee and a Contractor authenticate through the same WLC; the RADIUS server returns a per-user AVC profile name, and the Employee and Contractor profiles apply different treatment to applications such as YouTube, Facebook, Skype and BitTorrent. The RADIUS attribute returned is:

cisco-av-pair = avc-profile-name = AVC-Employee

cisco-av-pair = avc-profile-name = AVC-Contract

mDNS Bonjour Service

Policy tie-in to mDNS

Diagram: a Teacher Network and a Student Network share the same Bonjour services. A Teacher Service Profile and a Student Service Profile each select which mDNS services (AirPrint, AirPlay, File Share, iTunes Sharing) their users are offered, and mDNS service instance groups (Apple TV1, Apple TV2) give each profile its own service instance list, so the Teacher and Student lists can advertise different Apple TVs.

mDNS and Bonjour Services – Filter by WLAN and VLAN

• mDNS Profiles – Select services

• mDNS Profile with Local Policy – Services per-user and per-device

• mDNS Policies – Services based on AP Location and user role

Consolidate, Secure and Segment

Enterprise Use Case for Workforce, IoT and Guest Access


Consolidate, Secure, Segment

Wireless Security for Workforce

Consolidate SSIDs

• Enterprise SSID – User category: Employees, Contractors, BYOD Devices

• IOT SSID – User category: IOT devices like Sensors, Robots etc.

• Guest SSID – User category: Guest users

Secure the Clients

• Security L2/L3: 802.1x, BYOD CWA (Enterprise SSID); Identity PSK (IOT SSID); Web-authentication (Guest SSID)

• Policy based on User-role, Device, time of day, auth-type: ACL, QoS, AVC Profile, mDNS Profile, OpenDNS Policy

Secure the Air

• Rogue detection, Basic wIPS, Advanced wIPS, CleanAir for interferers

• Management Frame Protection using MFP and 802.11w

Segment and Secure the Network

• AAA Override: VLAN based segmentation based on user-role, identity with a single SSID (Enterprise SSID); VLAN based segmentation based on IOT device groups with a single PSK SSID (IOT SSID); specific users can be quarantined or rate-limited (Guest SSID)

• SGT TrustSec: Segmentation by function, e.g. Marketing, Sales, HR (Enterprise SSID); SGT override for IOT device groups (IOT SSID)

• Cisco Umbrella and OpenDNS Policy based on SSID, AP Group, Local Policy

• StealthWatch Integration

• Encrypted mobility tunnels between Controllers in the mobility group and Guest Anchor

• Secure connection between WLC and AP using DTLS

Trust

• Wireless Common Criteria, Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL).


Enterprise SSID Security and Segmentation

Diagram: clients authenticate to the Enterprise SSID with 802.1x; ISE returns the user-role (Marketing, Sales or Contractor) and AAA Override assigns the VLAN and SGT on the WLC/Access Point before traffic enters the Enterprise Backbone.

VLAN-Based Segmentation Using AAA Override (Employee VLAN ID = 10, Contractor VLAN ID = 20):

  User role     VLAN
  Marketing     10
  Sales         10
  Contractor    20

Role Based Access Control Based on Scalable Group Tags and SGACLs (Micro-segmentation using Cisco TrustSec):

  User role     SGT   Backend Servers
  Marketing     4     PERMIT
  Sales         5     PERMIT
  Contractors   6     DENY

Policy Classification Engine:

  Policy                        Marketing                   Sales                       Contractor
  Application                   Mark Webex, Jabber          Mark Webex, Jabber          Drop Youtube
  Apple devices (mDNS Profile)  Apple TV, Printer, iTunes   Apple TV, Printer, iTunes   Printer Only
  Umbrella Policy               Block ebay                  Block ebay                  Block ebay, CNN, BBC, Facebook

Controlled access via mDNS Profile; Category-Based Filtering Based on Umbrella Policy.


Consolidate, Secure, Segment


Wireless Security for IOT



IOT SSID Security and Segmentation

Diagram: IOT Sensors, IOT Lighting and Smart Devices all join a single IOT SSID using Identity PSK (IPSK); ISE AAA Override maps each identity's PSK to its own VLAN and SGT on the WLC/Access Point before traffic enters the Enterprise Backbone.

  Identity        PSK      VLAN   ACL      SGT   Backend Servers
  IOT Sensors     aabbcc   30     PERMIT   4     PERMIT
  IOT Lighting    eeffgg   10     PERMIT   5     DENY
  Smart Devices   xxyyzz   20     DENY     6     DENY


Consolidate, Secure, Segment

Wireless Security for Guest

Consolidation summary as on the Workforce slide; the entries specific to this slide are:

• User category for the IOT SSID: Mission-specific IOT devices like Sensors, Robots etc.

• Segmentation: TrustSec assignment by function, e.g. Marketing, Sales, HR (Enterprise SSID); TrustSec override for IOT device groups (IOT SSID); segmentation using anchoring traffic to DMZ (Guest SSID)

• Cisco Umbrella Policy based on SSID, AP Group, Local Policy

• Trust: Wireless Common Criteria (CC), Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL).

Guest SSID Security and Segmentation

Diagram: guests authenticate to the Guest SSID with Web auth; ISE AAA Override assigns VLAN 50 and SGT 7, and guest traffic is anchored from the WLC to an Anchor WLC.

VLAN-Based Segmentation Using AAA Override (Guest VLAN ID = 50) and Role Based Access Control Based on Scalable Group Tags and SGACLs (Employee, Server and Guest groups):

  User role   VLAN   SGT   Backend Servers
  Guest       50     7     DENY

Policy Classification Engine (Guest):

  Application       Mark Webex, Jabber; Drop Youtube
  QoS               Rate-limit
  Umbrella Policy   Block news, sports

Category-Based Filtering Based on Umbrella Policy.
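As an added example (not from the deck or Cisco's code), this Python models the Policy Classification Engine of the Enterprise, IOT and Guest SSID slides: WLAN defaults, AAA Override from the user role or Identity PSK, the avc-profile-name cisco-av-pair, and the SGACL decision towards the Backend Servers. The Backend Servers' SGT number and the default-deny for unlisted pairs are assumptions; the IOT slide's own SGT numbering is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the deck's Enterprise, IOT and Guest SSID slides.
ROLE_POLICY = {"Marketing": (10, 4), "Sales": (10, 5), "Contractor": (20, 6)}   # role -> (VLAN, SGT)
IPSK_POLICY = {"aabbcc": ("IOT Sensors", 30), "eeffgg": ("IOT Lighting", 10),
               "xxyyzz": ("Smart Devices", 20)}                                  # PSK -> (group, VLAN)
GUEST_VLAN, GUEST_SGT = 50, 7
SERVER_SGT = 100   # SGT of the Backend Servers: an assumption, the slides show none
SGACL = {(4, SERVER_SGT): "PERMIT", (5, SERVER_SGT): "PERMIT",   # Marketing, Sales
         (6, SERVER_SGT): "DENY", (7, SERVER_SGT): "DENY"}       # Contractor, Guest

@dataclass
class ClientPolicy:
    group: str
    vlan: int
    sgt: Optional[int]
    avc_profile: Optional[str]

def parse_av_pairs(attrs):
    """Split cisco-av-pair values such as 'avc-profile-name=AVC-Employee' into a dict."""
    pairs = {}
    for attr in attrs:
        key, sep, value = attr.partition("=")
        if sep and key.strip():              # ignore malformed pairs instead of guessing
            pairs[key.strip()] = value.strip()
    return pairs

def classify(ssid, wlan_default_vlan, user_role=None, psk=None, av_pairs=()):
    """Start from the WLAN's default VLAN, then apply AAA Override from what ISE returned."""
    group, vlan, sgt = "unknown", wlan_default_vlan, None
    if ssid == "Enterprise" and user_role in ROLE_POLICY:
        group, (vlan, sgt) = user_role, ROLE_POLICY[user_role]
    elif ssid == "IOT" and psk in IPSK_POLICY:
        group, vlan = IPSK_POLICY[psk]      # the IOT slide's own SGT numbers are not modelled
    elif ssid == "Guest":
        group, vlan, sgt = "Guest", GUEST_VLAN, GUEST_SGT
    return ClientPolicy(group, vlan, sgt, parse_av_pairs(av_pairs).get("avc-profile-name"))

def sgacl_decision(client, dst_sgt):
    """SGACL matrix lookup; no SGT or an unlisted pair is denied (default-deny assumed)."""
    if client.sgt is None:
        return "DENY"
    return SGACL.get((client.sgt, dst_sgt), "DENY")
```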


Key Takeaways for an End to End Wireless Security Solution

• Take a defense in depth approach to security. Add security layers that complement one another at different places in the IT network. What one misses, the other catches.

• “Complexity and security are inversely proportional”. Take a simple approach to designing network security policy. Break your overall policy into smaller managed pieces to simplify creating an efficient policy.

• A BYOD strategy must consider all mobile worker types and functions before deploying solutions. Give it a try (e.g. a PoC) before network wide implementation.



Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.

• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you