Secure Wireless for DOD
Transcript of Secure Wireless for DOD
Goal for DoD Wireless
Ubiquitous WLAN Access…
• with access to NIPR in every Unclass space
• with access to NIPR in large outdoor training and testing areas
• for Guest users in public areas
• for contractors in all work environments
• for students in all training areas
ALL DoD Users should have Internet Access at all DoD Locations!
Goal for Secure DoD Wireless
Via additional layers of Security…
• provide wireless users access to high side networks
• provide all network users access to high side networks
• secure high side network transport over untrusted networks
DoD Reference Architecture
• Separate Management Network
• APs in Separate Network: APs are Network devices and must be secured
• WLAN & LAN Management in Separate Network
• Wireless Clients in own network: Client Must Route to NIPR
• Optional Components
– Prime Infrastructure
– Authentication Server Optional: Utilize Site’s Existing Resources (ACS/NPS)
– ISE does significantly more, including integration with PI
– MSE is optional
– AD Integration
Secure Client Connectivity for NIPR Access
1. AP Enforces 802.1X Authentication
2. WLC (Authenticator) Terminates the .1X protocol, then uses RADIUS to forward the Authentication to the Authentication Server.
3. Client uses the EAP Protocol to Authenticate against the Authentication Server. For DoD, the client should use EAP-TLS, where the client certificate comes from the CAC.
4. End to End EAP-TLS Conversation between Client (Supplicant) and ISE (Authentication Server).
5. Once Authorized, ISE derives the PMK and distributes it to the WLC and the Client.
6. Client and WLC Mutually Derive the PTK (session encryption key) and the WLC Securely distributes it to the AP
7. AP and Client establish a Secure WPA2 (AES Encrypted) Connection
8. Client Bridged to the Network at the WLC
(Figure: the eight steps above numbered on the diagram; the PMK is shown at ISE, the WLC and the Client, the PTK at the Client and the WLC/AP.)
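Steps 5 and 6 above, as an added worked example that is not part of the original deck or Cisco's code: the PMK is taken from the EAP-TLS MSK, and the WLC and client each derive the same PTK with the IEEE 802.11 PRF-384 using the two MACs and the two handshake nonces, so the AES session key never crosses the air. MAC addresses, nonces and the MSK are constructed sample values.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) until n bits."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def pmk_from_msk(msk: bytes) -> bytes:
    """Step 5: the PMK handed to the WLC (in the RADIUS Access-Accept) and held by the
    client is the first 256 bits of the EAP-TLS Master Session Key; the AP never sees it."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 256 bits")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Step 6: PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||
    Min(ANonce,SNonce)||Max(ANonce,SNonce)); the min/max ordering gives both sides the
    same input. Split for AKM 00-0F-AC:1 with CCMP: KCK (MIC), KEK (key wrap), TK (AES)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key confirmation in the 4-way handshake: HMAC-SHA1 over the EAPOL-Key frame
    (MIC field zeroed by the caller), truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


if __name__ == "__main__":
    # Constructed sample values (not real traffic): MSK from the EAP-TLS exchange,
    # BSSID (AA), client MAC (SPA) and the two handshake nonces.
    msk = hashlib.sha512(b"constructed EAP-TLS MSK").digest()
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = hashlib.sha256(b"ANonce").digest(), hashlib.sha256(b"SNonce").digest()
    pmk = pmk_from_msk(msk)
    wlc_side = derive_ptk(pmk, aa, spa, anonce, snonce)
    client_side = derive_ptk(pmk, aa, spa, anonce, snonce)
    print("TK agreed:", wlc_side["tk"] == client_side["tk"])
    # A fresh SNonce on the next association yields a new TK from the same PMK.
    fresh = derive_ptk(pmk, aa, spa, anonce, hashlib.sha256(b"SNonce-2").digest())
    print("TK differs with new SNonce:", fresh["tk"] != wlc_side["tk"])
```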
Cisco Unified Access Pillars
Unified Policy (Identity Services Engine (ISE))
• Wired & Wireless Network
• Scalable network policy management for all forms of network access: LAN, WLAN & VPN
• Secure Group Access (SGA): simplified role-based access control and enforcement based on context, avoids manual ACL/VLAN configs
• Comprehensive guest management
Unified Management (Prime Infrastructure)
• Single view for managing wired and wireless network elements
• Application visibility and assurance: deterministic end user application experience across wired and wireless
• Third-party device management
Unified Network
• Common programmable Fabric (UADP ASIC) – SDN Ready
• Consistent functionality across wired and wireless
• Application Visibility & Control (AVC)
• Subsecond stateful Switchover (SSO)
Certified Cisco Wireless Access = Portfolio Leadership
(Figure: certified portfolio)
• WLAN Controllers – Large Enterprise: 8510; Medium and Small Locations: 5508, 2504, ME; APL listed: 5520, 8540
• Indoor APs: 3702, 2702, 1700, 1850/30; APL listed: 2802, 3802
• Outdoor APs: 1572, 1532
Cisco Wireless Government Certifications
What’s Certified:
• All Cisco 11ac wave 1 & 2 APs
• All appliance and integrated controllers
• MSE 8.0 / CMX 10.4# and PI 2.2/3.2#
• APL Listing for WLAS, WAB, WIDS
Predictable wireless certification – the MD SW release gets certified
Common release for both Enterprise and Government customers
Feature consistency and deployment flexibility
Certifications tracked for releases 8.0 and 8.3: FIPS*, CC, UCAPL, CSfC, USGv6
Comprehensive certified end-to-end solution
* FIPS via Compliance today, full evaluation in process
# Certification scheduled for later this year
Commercial Solutions for Classified Program
• NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data
• This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years
• CSfC program requirements are customer-driven
– CSfC vendors do not request features or drive requirements
– http://www.nsa.gov/ia/programs/csfc_program/index.shtml
CSfC “Layered” Architectures for Classified
• Architectural, defense-in-depth (e.g. “layers”) approach to security
• SECRET requires 2 Layers of ‘countable’ Crypto, mLoS 128
• TOP SECRET requires 2 layers of ‘countable’ Crypto, mLoS 192
• Example: 1+1 = 2 ‘countable’ layers sufficient for protecting SECRET information
(Figure: Outer Tunnel = Suite B VPN / Countable Layer #1; inside it, Suite B Application Layer Security / Countable Layer #2. Approved Encryption Technologies can vary at each Layer.)
Campus WLAN Capability Package
• WLAN Provides the outer layer of security
• Common Outer Layer can support multiple inner layers – based on 1.8 draft
• Tunnel to unclass network
• Use VPN for the Inner layer of security: AnyConnect
(Figure: Outer Tunnel = WPA2 over the air plus AES-256 Encrypted CAPWAP; Inner Tunnel = Suite B VPN Countable Layer.)
Campus WLAN Capability Package Cont…
• Potential Unwritten requirements
– 500m Standoff from facility perimeter
– Over the air AES-256 Crypto
• Requires an approved WLAN Client
– Client hardening requirements
– https://www.nsa.gov/resources/everyone/csfc/components-list/#wlan-client
Mobile Access Capability Package
• Security traverses the Unclassified Network
• Security Enclave is relevant to LAN, WAN & WLAN
• CSfC Security is an Enterprise network resource
(Figure: Outer Tunnel = Suite B VPN / Countable Layer #1; Inner Tunnel = Suite B VPN/Application Layer Security / Countable Layer #2.)
Mobile Access Capability Package Cont…
• Primary CP being used for WLAN deployments
• Allows for the WLAN to stay black
• Supports Unclass networks
• Allows for Application layer security for the 2nd tunnel
– Secure VDI, Jabber, any application
– Coexists with VPN Tunnel
• Cisco 5921 Now listed as an approved VPN Client
– Can now provide 2 layers of VPN
Plan for CSfC Success
• Understand the effort for an approved solution
– Engagement with CSfC
– Registering the system
• Engage with a CSfC Trusted Integrator
• Keep it Simple, then grow (Crawl, Walk, Run, Fly….)
– Site to Site
– Site to Site over Wireless mesh
– Portable solution over WLAN to client device
– Laptop over WLAN
– Mobile device over WLAN

Security is more than Confidentiality
• AVC
• StealthWatch Integration
• SGA Support
• EAP Chaining
• SourceFire Integration
• wIDS & CleanAir
• Location
AVC (Application Visibility and Control): Per-user profiles via AAA
(Figure: the WLC receives a per-user AVC profile from RADIUS; an Employee and a Contractor get different profiles and therefore different application treatment among YouTube, Facebook, Skype and BitTorrent.)
cisco-av-pair = avc-profile-name = AVC-Employee
cisco-av-pair = avc-profile-name = AVC-Contract
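The av-pairs above travel inside a RADIUS Vendor-Specific attribute (RFC 2865 type 26, Cisco vendor ID 9, sub-type 1 "Cisco-AVPair"). Added example, not Cisco's code or the deck's: it encodes such an attribute and parses an Access-Accept attribute list back into the profile name the WLC would apply, with length checks so a malformed attribute raises instead of being read past. The User-Name attribute in the test is a constructed sample.

```python
import struct
from typing import Dict, Optional

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # Cisco vendor sub-type "Cisco-AVPair" (free-form "key=value")


def encode_cisco_avpair(avpair: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a Cisco AV pair, e.g. the
    avc-profile-name shown on the slide, in RFC 2865 TLV layout."""
    value = avpair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute exceeds 255 bytes")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_cisco_avpairs(attrs: bytes) -> Dict[str, str]:
    """Walk a RADIUS attribute list (e.g. the body of an Access-Accept) and return
    the Cisco AV pairs as key -> value. Other attributes are skipped; bad length
    fields raise rather than being silently read past. Spaces around '=' as written
    on the slide are tolerated."""
    found: Dict[str, str] = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while vendor == CISCO_VENDOR_ID and j < end:
                if j + 2 > end:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("bad vendor sub-attribute length")
                if vtype == CISCO_AVPAIR:
                    key, _, val = attrs[j + 2:j + vlen].decode().partition("=")
                    found[key.strip()] = val.strip()
                j += vlen
        i += alen
    return found


def avc_profile_for_session(attrs: bytes) -> Optional[str]:
    """What the WLC needs from the Access-Accept: the AVC profile to apply, or None."""
    return parse_cisco_avpairs(attrs).get("avc-profile-name")
```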
WLC integration with StealthWatch
As of AireOS 8.2 on 5520/8510/8540 WLC
(Figure: the WLC exports Netflow v9 records to StealthWatch; BitTorrent is the flagged traffic; StealthWatch raises pxGrid notifications to ISE, which quarantines the endpoint by sending a CoA to the WLC.)
Security Group Access (SGA)
AireOS 8.3 and before – SXP peering from the WLC
The WLC sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices (e.g. Catalyst 3750-X)
(Figure: Users/Endpoints join via 802.1X, MAB or WebAuth (agent-less device) on VLAN 100; the WLC is the SXP Speaker and the Catalyst 3k-X / Cat 6500 Distribution switch the Listener; untagged frames from the WLC become tagged frames (SGT=5) at the switch, which enforces the SGACL toward the IT Portal (SGT 4, 10.1.100.10); ISE supplies the policy.)
IP Address    SGT
10.1.10.102   5
10.1.10.110   14
10.1.99.100   12
SGACL: deny sgt-src 5 sgt-dst 4
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
Security Group Access (SGA)
AireOS 8.4 – SGT inline tagging at the WLC (5520/8540) or AP (802.11ac APs)
(Figure: Users/Endpoints join via 802.1X, MAB or WebAuth (agent-less device); the WLC or AP tags frames inline (SGT=5) into the Campus Network; the Catalyst 3k-X enforces the SGACL deny sgt-src 5 sgt-dst 4; ISE supplies the policy.)
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
Security Group Access (SGA)
AireOS 8.4 – SGACL at the WLC (5520/8540) or AP (802.11ac APs)
(Figure: the same endpoints (802.1X, MAB, WebAuth agent-less device) tagged SGT=5; the SGACL deny sgt-src 5 sgt-dst 4 is now enforced at the WLC or AP itself, with ISE supplying the policy.)
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
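The three SGA slides share one enforcement model: the decision is made on the (source SGT, destination SGT) pair, with the IP-to-SGT table learned at authentication and propagated by SXP or carried inline. Added example, not Cisco's code or the deck's, using the bindings and the SGACL line shown on the slides (the IT Portal binding to SGT 4 is taken from the figure, the permit default for unmatched pairs is an assumption): it shows that a user who changes address keeps the same policy outcome once the new binding is learned, and that an endpoint with no binding falls through to the default, which is why propagation matters as much as the policy.

```python
from typing import Dict, List, Optional, Tuple

# IP-to-SGT bindings the WLC learns at authentication and shares via SXP (speaker ->
# listener). Values are the ones shown on the slide; the IT Portal (SGT 4) is the
# destination the figure protects.
BINDINGS: Dict[str, int] = {
    "10.1.10.102": 5,
    "10.1.10.110": 14,
    "10.1.99.100": 12,
    "10.1.100.10": 4,   # IT Portal
}

# SGACL lines as displayed on the slide.
POLICY_TEXT = ["deny sgt-src 5 sgt-dst 4"]
DEFAULT_ACTION = "permit"   # assumption for unmatched tag pairs; set the catch-all explicitly in practice


def parse_sgacl(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Turn 'deny|permit sgt-src X sgt-dst Y' lines into (src_sgt, dst_sgt, action)."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) != 5 or tok[0] not in ("permit", "deny") or tok[1] != "sgt-src" or tok[3] != "sgt-dst":
            raise ValueError(f"unrecognised SGACL line: {line!r}")
        rules.append((int(tok[2]), int(tok[4]), tok[0]))
    return rules


def sgt_for(ip: str, bindings: Dict[str, int]) -> Optional[int]:
    """The lookup an enforcement point makes per frame; None = no binding learned yet."""
    return bindings.get(ip)


def decide(src_ip: str, dst_ip: str, bindings: Dict[str, int],
           rules: List[Tuple[int, int, str]]) -> Tuple[str, Optional[int], Optional[int]]:
    """SGACL enforcement: first rule matching the tag pair wins, else the default.
    An unbound source carries no tag, so only the default can apply to it."""
    src_sgt, dst_sgt = sgt_for(src_ip, bindings), sgt_for(dst_ip, bindings)
    for s, d, action in rules:
        if src_sgt == s and dst_sgt == d:
            return action, src_sgt, dst_sgt
    return DEFAULT_ACTION, src_sgt, dst_sgt


def sxp_update(bindings: Dict[str, int], ip: str, sgt: int) -> Dict[str, int]:
    """A new binding advertised by the WLC, e.g. the SGT 5 user gets a new address."""
    updated = dict(bindings)
    updated[ip] = sgt
    return updated
```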
EAP Chaining
• Supported with AnyConnect 3.1+ and ISE.
• It relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
• If no user information is available (logged out), only machine credentials are used.
• If the user’s identity is also available, both machine and user information will be used for 802.1X authentication.
Access Enforcement
• Changing VLAN between machine and user authentication is a common option.
* Some supplicants do not detect/support it consistently to trigger IP renewal.
• While keeping the same VLAN, a different ACL/SGT can be applied to the machine and the user.
✓ This is more “client agnostic” as it does not require IP renewal.
(Figure: Machine VLAN versus User VLAN.)
IPS with ISE
Design and deployment guides:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200240-ISE-and-FirePower-integration-remediat.html
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/how-to-pxgrid_sourcefire_draft_1013_je.pdf
(Figure: FirePOWER syslog to FireSIGHT; FireSIGHT to ISE over pxGrid; ISE sends RADIUS CoA to the WLC.)
CleanAir detectable Attacks (Some examples)
• Traditional IDS/IPS – Layer 3-7: IP and Application Attacks & Exploits
• wIPS – Layer 2: WiFi Protocol Attacks & Exploits
• CleanAir – Layer 1: RF Signaling Attacks & Exploits; dedicated to L1 Exploits
• Rogue Threats: “undetectable” rogues, Wi-Fi Jammers, “classic” interferers (2.4GHz and 5GHz)
Cisco Location Tracking Roadmap (greater customer insights from left to right)
• Presence – Accuracy: 20m; Type: In-zone Detection; Use Cases: Venue-level, Visitors, Dwell Time
• Enhanced location – Accuracy: 10m; Type: X,Y coordinates, Optimized refresh; Use Cases: Zone-level Correlation
• Hyperlocation and Bluetooth Low Energy – Accuracy: 1-3m for both. One of the two: Real time refresh, app required; Use Cases: Way Finding / Indoor navigation / Proximity Marketing. The other: Refresh every 10 seconds, no app; Use Cases: Sub-zone-level Work space optimization
Closing…
• The Future of the Edge is Wireless
• Elevated Security Should be a Network Resource
– Not dedicated to a network
• Security is more than Confidentiality
– SGA, wIDS, CleanAir, StealthWatch, ISE…