Secure Wireless for DOD

Cisco Navy Tech Day
Jay Pitcher – Technical Solution Architect - Mobility


Goal for DoD Wireless

Ubiquitous WLAN Access…
• with access to NIPR in every Unclass space
• with access to NIPR in large outdoor training and testing areas
• for Guest users in public areas
• for contractors in all work environments
• for students in all training areas

ALL DoD Users should have Internet Access at all DoD Locations!

Goal for Secure DoD Wireless

Via additional layers of Security…
• provide wireless users access to high side networks
• provide all network users access to high side networks
• secure high side network transport over untrusted networks

DoD Reference Architecture

• Separate Management Network
• APs in Separate Network
  – APs are Network devices and must be secured
• WLAN & LAN Management in Separate Network
• Wireless Clients in own network
  – Client Must Route to NIPR
• Optional Components
  – Prime Infrastructure
  – Authentication Server Optional
    – Utilize Site's Existing Resources – ACS/NPS
    – ISE Does significantly more, Integration with PI
  – MSE is optional
  – AD Integration

Secure Client Connectivity for NIPR Access

1. AP Enforces 802.1X Authentication
2. WLC (Authenticator) Terminates the 802.1X protocol, then uses RADIUS to forward the authentication to the Authentication Server.
3. Client uses an EAP Protocol to Authenticate against the Authentication Server. For DoD, the client should use EAP-TLS where the client certificate comes from the CAC.
4. End to End EAP-TLS Conversation between Client (Supplicant) and ISE (Authentication Server).
5. Once Authorized, ISE derives the PMK and distributes it to the WLC and the Client.
6. Client and WLC Mutually Derive the PTK (session encryption key) and the WLC Securely distributes it to the AP.
7. AP and Client establish a Secure WPA2 (AES Encrypted) Connection.
8. Client is Bridged to the Network at the WLC.
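Steps 5 to 7 above are the WPA2 key hierarchy: the PMK that comes out of EAP-TLS is never sent over the air; each side expands it into the PTK and proves possession through the MIC on the 4-way handshake. The following Python is an added illustration written for this page, not Cisco or DoD code: it implements the IEEE 802.11 PRF-384 expansion and the EAPOL-Key MIC check, with constructed sample values standing in for the real PMK, MAC addresses and nonces.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and keep the first nbytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Step 6: PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max sorting is what lets WLC and client reach the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def split_ptk(ptk: bytes) -> dict:
    """KCK protects the handshake, KEK wraps the group key, TK is the CCMP data key."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2 (AES-CCMP): HMAC-SHA1 truncated
    to 16 bytes, computed over the frame with its MIC field set to zero."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def verify_mic(kck: bytes, frame_mic_zeroed: bytes, received_mic: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), received_mic)

# Constructed sample inputs (not real keys). In the real flow the PMK is the first
# 32 bytes of the EAP-TLS MSK, AA/SPA are the AP and client MAC addresses, and the
# nonces are 32 random bytes each side picks for handshake messages 1 and 2.
PMK = hashlib.sha256(b"constructed demo PMK").digest()
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()

def handshake_check() -> bool:
    """Both sides derive the PTK independently; the MIC on message 2 proves the
    client holds the same KCK (and therefore the same PMK) without sending it."""
    ptk_wlc = split_ptk(derive_ptk(PMK, AA, SPA, ANONCE, SNONCE))
    ptk_client = split_ptk(derive_ptk(PMK, SPA, AA, SNONCE, ANONCE))  # order irrelevant
    msg2 = b"constructed EAPOL-Key message 2 with MIC field zeroed"
    return ptk_wlc == ptk_client and verify_mic(ptk_wlc["kck"], msg2, eapol_mic(ptk_client["kck"], msg2))
```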


Cisco Unified Access Pillars (Wired & Wireless Network)

Unified Policy
• Scalable network policy management for all forms of network access: LAN, WLAN & VPN
• Secure Group Access (SGA): simplified role-based access control and enforcement based on context, avoids manual ACL/VLAN configs
• Comprehensive guest management

Unified Management
• Single view for managing wired and wireless network elements
• Application visibility and assurance: deterministic end user application experience across wired and wireless
• Third-party device management

Unified Network
• Common programmable Fabric (UADP ASIC) – SDN Ready
• Consistent functionality across wired and wireless
• Application Visibility & Control (AVC)
• Subsecond stateful Switchover (SSO)

Certified Cisco Wireless Access = Portfolio Leadership

Management and policy: Identity Services Engine (ISE), Prime Infrastructure

WLAN Controllers
• Large Enterprise: 8510, 8540 APL
• Medium Locations: 5508, 5520 APL
• Small Locations: 2504, ME

WLAN Access Points
• Indoor APs: 3702, 2702, 1700, 1850/30, 2802 APL, 3802 APL
• Outdoor APs: 1572, 1532

Cisco Wireless Government Certifications

What's Certified:
• All Cisco 11ac wave 1 & 2 APs
• All appliance and integrated controllers
• MSE 8.0 / CMX 10.4# and PI 2.2/3.2#
• APL Listing for WLAS, WAB, WIDS

Predictable wireless certification – the MD SW release gets certified
Common release for both Enterprise and Government customers
Feature consistency and deployment flexibility

Certifications by release (8.0 / 8.3): FIPS*, CC, UCAPL, CSfC, USGv6

Comprehensive certified end-to-end solution
* FIPS via Compliance today, full evaluation in process
# Certification scheduled for later this year

Commercial Solutions for Classified Program

• NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data

• This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years

• CSfC program requirements are customer-driven
  – CSfC vendors do not request features or drive requirements
  – http://www.nsa.gov/ia/programs/csfc_program/index.shtml

CSfC "Layered" Architectures for Classified

• Architectural, defense-in-depth (e.g. "layers") approach to security
• SECRET requires 2 layers of 'countable' crypto, mLoS 128
• TOP SECRET requires 2 layers of 'countable' crypto, mLoS 192
• Example: 1+1 = 2 'countable' layers sufficient for protecting SECRET information
  – Suite B VPN / Countable Layer #1
  – Suite B Application Layer Security / Countable Layer #2
• Approved Encryption Technologies can vary at each Layer (diagram labels: Outer Tunnel)

Cisco Wireless Infrastructure APL Listed: Over 20 Product Categories across 8 CSfC Components

Campus WLAN Capability Package

• WLAN provides the outer layer of security
• Common outer layer can support multiple inner layers – based on 1.8 draft
• Tunnel to unclass network
• Use VPN for the inner layer of security
  – AnyConnect

Diagram labels: WPA2 and AES-256 encrypted CAPWAP (Outer Tunnel); Suite B VPN countable layer (Inner Tunnel)

Campus WLAN Capability Package (cont.)

• Potential unwritten requirements
  – 500m standoff from facility perimeter
  – Over-the-air AES-256 crypto
  – Requires an approved WLAN client
  – Client hardening requirements: https://www.nsa.gov/resources/everyone/csfc/components-list/#wlan-client

Mobile Access Capability Package

• Security traverses the Unclassified Network
• Security Enclave is relevant to LAN, WAN & WLAN
• CSfC Security is an Enterprise network resource

Diagram labels: Suite B VPN / Countable Layer #1; Suite B VPN / Application Layer Security / Countable Layer #2; Outer Tunnel; Inner Tunnel

Mobile Access Capability Package (cont.)

• Primary CP being used for WLAN deployments
• Allows for the WLAN to stay black
• Supports Unclass networks
• Allows for Application layer security for the 2nd tunnel
  – Secure VDI, Jabber, any application
  – Coexists with the VPN Tunnel
• Cisco 5921 now listed as an approved VPN Client
  – Can now provide 2 layers of VPN

Plan for CSfC Success

• Understand the effort for an approved solution
  – Engagement with CSfC
  – Registering the system
  – Engage with a CSfC Trusted Integrator
• Keep it Simple, then grow (Crawl, Walk, Run, Fly…)
  – Site to Site
  – Site to Site over Wireless mesh
  – Portable solution over WLAN to client device
  – Laptop over WLAN
  – Mobile device over WLAN

Security is more than Confidentiality

• AVC
• StealthWatch Integration
• SGA Support
• EAP Chaining
• SourceFire Integration
• wIDS & CleanAir
• Location

AVC (Application Visibility and Control) – Per-user profiles via AAA

Diagram labels: Employee, Contractor, RADIUS, WLC; applications shown: YouTube, Facebook, Skype, BitTorrent (Employee), Facebook, Skype (Contractor).

The RADIUS server selects the profile per user with a Cisco AV pair:

cisco-av-pair = avc-profile-name = AVC-Employee
cisco-av-pair = avc-profile-name = AVC-Contract


WLC integration with StealthWatch (as of AireOS 8.2 on 5520/8510/8540 WLC)

Diagram labels: ISE, WLC, BitTorrent, NetFlow v9 records, pxGrid notifications, Quarantine, CoA, VLAN 100. The WLC exports NetFlow v9 records; a detection (BitTorrent in the example) is sent to ISE as a pxGrid notification, and ISE issues a RADIUS CoA to quarantine the client.

Security Group Access (SGA) – AireOS 8.3 and before: SXP peering from the WLC

Users and endpoints reach the WLC via 802.1X, MAB or WebAuth (agent-less devices) and are classified by ISE with an SGT. Frames leave the WLC untagged; the WLC sends the IP-to-SGT binding table via SXP (WLC as Speaker, switch as Listener) to SGT tagging or SGACL capable devices (e.g. Catalyst 3750-X), which tag the frames and perform SGT enforcement in the campus network (Catalyst 3k-X access, Cat 6500 distribution).

Example binding table:

IP Address     SGT
10.1.10.102    5
10.1.10.110    14
10.1.99.100    12

Example: a client with SGT=5 reaching the IT Portal (SGT 4, 10.1.100.10) is blocked by the SGACL "deny sgt-src 5 sgt-dst 4".

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL


Security Group Access (SGA) – AireOS 8.4: SGT inline tagging at the WLC (5520/8540) or AP (802.11ac APs)

Users and endpoints still authenticate via 802.1X, MAB or WebAuth (agent-less devices) and receive their SGT from ISE. With inline tagging the frame carries its SGT (SGT=5 in the example) from the WLC or AP into the campus network, where the Catalyst 3k-X enforces the SGACL "deny sgt-src 5 sgt-dst 4".

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL


Security Group Access (SGA) – AireOS 8.4: SGACL at the WLC (5520/8540) or AP (802.11ac APs)

The SGACL (e.g. "deny sgt-src 5 sgt-dst 4") is enforced on the WLC or AP itself, with ISE classifying 802.1X, MAB and WebAuth (agent-less) endpoints into SGTs (SGT=5 in the example).

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
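Whether enforcement sits on a Catalyst switch (SXP case), the WLC or the AP, the decision is the same: classify source and destination by SGT, then consult the SGACL. The Python below is an added simulation written for this page, not Cisco code: it takes an IP-to-SGT binding table in the shape of the slide's example (plus a constructed /24 binding to show longest-prefix matching), parses rules in the slide's "deny sgt-src 5 sgt-dst 4" notation (the permit line and the default action are constructed), and returns the verdict for a flow.

```python
import ipaddress

# Constructed binding table in the shape the slide shows. 10.1.100.10 is the
# IT Portal (SGT 4) from the diagram; the /24 entry is added to exercise
# longest-prefix matching.
BINDINGS = {
    "10.1.10.102/32": 5,
    "10.1.10.110/32": 14,
    "10.1.99.100/32": 12,
    "10.1.100.10/32": 4,
    "10.1.10.0/24": 20,
}

# SGACL policy in the slide's notation; the permit line is constructed.
SGACL = """
deny sgt-src 5 sgt-dst 4
permit sgt-src 14 sgt-dst 4
"""

UNKNOWN_SGT = 0  # TrustSec reserves SGT 0 for "Unknown" (no binding learned)

def lookup_sgt(bindings: dict, ip: str) -> int:
    """Longest-prefix match over the binding table, as an SXP listener would do."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in bindings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else UNKNOWN_SGT

def parse_sgacl(text: str) -> list:
    """Parse lines like 'deny sgt-src 5 sgt-dst 4' into (action, src_sgt, dst_sgt)."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "sgt-src" or parts[3] != "sgt-dst":
            raise ValueError(f"unparseable SGACL line: {line!r}")
        rules.append((parts[0], int(parts[2]), int(parts[4])))
    return rules

def enforce(src_ip: str, dst_ip: str, bindings=BINDINGS, rules=None, default="permit") -> str:
    """Classify both endpoints, apply the first matching rule, else the default action."""
    rules = parse_sgacl(SGACL) if rules is None else rules
    src_sgt, dst_sgt = lookup_sgt(bindings, src_ip), lookup_sgt(bindings, dst_ip)
    for action, s, d in rules:
        if s == src_sgt and d == dst_sgt:
            return action
    return default
```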


EAP Chaining

• Supported with AnyConnect 3.1+ and ISE.
• It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
• If no user information is available (logged out), only machine credentials are used.
• If the user's identity is also available, both machine and user information will be used for 802.1X authentication.

802.1X + CWA – Use Case: Machine and User Authentication for Mobiles (WLC with ISE 1.3+)


Access Enforcement

• Changing VLAN between machine and user authentication (Machine VLAN, User VLAN) is a common option.
  * Some supplicants do not detect/support it consistently to trigger IP renewal.
• While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user.
  ✓ This is more "client agnostic" as it does not require IP renewal.

IPS with ISE

Design and deployment guides:
• http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200240-ISE-and-FirePower-integration-remediat.html
• http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/how-to-pxgrid_sourcefire_draft_1013_je.pdf

Diagram labels: WLC, ISE, FireSIGHT, FirePOWER syslog, pxGrid, RADIUS CoA


Integrated wIDS – Rogue Rules in the WLC and General Options (BRKEWN-2005)

CleanAir detectable Attacks – Some examples

Layer       Tool                                   Attacks & Exploits
Layer 3-7   Traditional IDS/IPS                    IP and Application Attacks & Exploits
Layer 2     wIPS                                   WiFi Protocol Attacks & Exploits
Layer 1     CleanAir (dedicated to L1 exploits)    RF Signaling Attacks & Exploits: Rogue Threats, "undetectable" rogues, Wi-Fi Jammers, "classic" interferers (2.4GHz and 5GHz)

Cisco Location Tracking Roadmap – Greater customer insights

Tier                   Accuracy   Type                                 Use Cases
Presence               20m        In-zone Detection                    Venue-level: Visitors, Dwell Time
Enhanced location      10m        X,Y coordinates, Optimized refresh   Zone-level Correlation
Bluetooth Low Energy   1-3m       Real time refresh, app required      Way Finding / Indoor navigation / Proximity Marketing
Hyperlocation          1-3m       Refresh every 10 seconds, no app     Sub-zone-level: Work space optimization

Closing…

• The Future of the Edge is Wireless
• Elevated Security Should be a Network Resource
  – Not dedicated to a network
• Security is more than Confidentiality
  – SGA, wIDS, CleanAir, StealthWatch, ISE…