Page 1: Wireless and Network Security Integration

Defense by Hi-5

Marc Hogue, Chris Jacobson, Alexandra Korol, Mark Ordonez, Jinjia Xi

Page 2: Introduction

► Importance of Integrated Network Security
    - Example of disjointed solution
    - Example of properly integrated solution
► Importance to IT Leaders

Page 3: Agenda

► Integrated Solution Architecture
► Integrated Solution Components
    - Cisco Security Agent (CSA)
    - Cisco NAC Appliance
    - Cisco Firewall
    - Cisco IPS
    - CS-MARS

Page 4: Cisco Unified Wireless Network

► Anytime, anywhere access to information.
► Real-time access to instant messaging, e-mail, and network resources.
► Mobility services, such as voice, guest access, advanced security, and location.
► Modular architecture that supports 802.11n, 802.11a/b/g, and enterprise wireless mesh for indoor and outdoor locations, while ensuring a smooth migration path to future technologies and services.

Page 5: Secure Wireless Architecture

► The following five interconnected elements work together to deliver a unified enterprise-class wireless solution:
    - Client devices
    - Access points
    - Wireless controllers
    - Network management
    - Mobility services

Page 6: Campus Architecture

► High availability
► Access services
► Application optimization and protection services
► Virtualization services
► Security services
► Operational and management services

Page 7: Branch Architecture

Page 8: Cisco Unified Wireless Network

► Anytime, anywhere access to information.
► Real-time access to instant messaging, e-mail, and network resources.
► Mobility services, such as voice, guest access, advanced security, and location.
► Modular architecture that supports 802.11n, 802.11a/b/g, and enterprise wireless mesh for indoor and outdoor locations, while ensuring a smooth migration path to future technologies and services.

Page 9: Agenda

► Integrated Solution Architecture
► Integrated Solution Components
    - Cisco Security Agent (CSA)
    - Cisco NAC Appliance
    - Cisco Firewall
    - Cisco IPS
    - CS-MARS

Page 10: Where CSA Fits into Architecture

Page 11: CSA

► CSA is an endpoint security solution
► Single agent that provides:
    - zero-update attack protection
    - data loss prevention
    - signature-based antivirus
► Two Components:
    - CSA MC
    - CSA

Page 12: Need for CSA

Page 13: Threats and CSA Mitigation

Page 14: Threats and CSA Mitigation

Page 15: Prevent Wireless Ad hoc Communications Module

► If a wireless ad-hoc connection is active, all UDP or TCP traffic over any active wireless ad-hoc connection is denied, regardless of the application or IP address.
► Alerts are logged and reported any time the rule module is triggered.
► Customization allows:
    - User Query
    - Test Deployment

Page 16: Prevent Wireless if Ethernet Active Module

► If an Ethernet connection is active, all UDP or TCP traffic over any active 802.11 wireless connection is denied, regardless of the application or IP address.
► An alert is logged and reported for each unique instance that the rule module is triggered.
► Supports customization
    - Customized user query as a rule action
    - Customized rule module based on location
    - Customized rule module in test mode

Page 17: Location Aware Policy Enforcement

► Enforces different security policies based on the location of a mobile client
► Determines state of mobile client based on:
    - System state conditions
    - Network interface set characteristics
► CSA location-aware policy may leverage any of the standard CSA features

Page 18: Roaming Force VPN Module

► If the CSA MC is not reachable and a network interface is active, all UDP or TCP traffic over any active interface is denied, regardless of the application or IP address, with the exception of web traffic, which is permitted for 300 seconds.
► Informs user that VPN connection is required
► Message is logged
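
A simplified model of the three CSA rule modules described on pages 15, 16 and 18, as an added example that is not from the original deck and is not Cisco's implementation. The evaluation order, treating "web traffic" as TCP ports 80 and 443, and starting the 300-second window when the CSA MC is first found unreachable are assumptions; all names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

WEB_PORTS = {80, 443}      # assumption: "web traffic" means TCP 80/443
WEB_GRACE_SECONDS = 300    # value stated on the Roaming Force VPN slide


@dataclass
class Interface:
    name: str
    kind: str              # "ethernet", "wifi" (802.11 infrastructure) or "adhoc"
    active: bool = True


@dataclass
class Host:
    interfaces: List[Interface]
    mc_reachable: bool                      # can the agent reach the CSA MC?
    roaming_since: Optional[float] = None   # when the MC was first found unreachable

    def has_active(self, kind: str) -> bool:
        return any(i.active and i.kind == kind for i in self.interfaces)


def decide(host: Host, iface: Interface, proto: str, dport: int, now: float):
    """Return (action, module) for one flow leaving through iface at time now."""
    # Track how long the host has been out of reach of the management center.
    if host.mc_reachable:
        host.roaming_since = None
    elif host.roaming_since is None:
        host.roaming_since = now

    # The modules only describe TCP/UDP traffic over active interfaces.
    if proto not in ("tcp", "udp") or not iface.active:
        return ("allow", None)

    # Prevent Wireless Ad hoc Communications: deny everything on an ad-hoc link.
    if iface.kind == "adhoc":
        return ("deny", "prevent-wireless-adhoc")

    # Prevent Wireless if Ethernet Active: deny 802.11 while a wired link is up.
    if iface.kind == "wifi" and host.has_active("ethernet"):
        return ("deny", "prevent-wireless-if-ethernet-active")

    # Roaming Force VPN: MC unreachable, so only web traffic passes, and only
    # until the grace window has elapsed.
    if not host.mc_reachable:
        in_grace = now - host.roaming_since < WEB_GRACE_SECONDS
        if proto == "tcp" and dport in WEB_PORTS and in_grace:
            return ("allow", "roaming-force-vpn-web-grace")
        return ("deny", "roaming-force-vpn")

    return ("allow", None)


if __name__ == "__main__":
    # Constructed scenario: a laptop on Wi-Fi only, away from the CSA MC.
    wlan = Interface("wlan0", "wifi")
    laptop = Host([wlan], mc_reachable=False)
    for t, proto, port in [(0, "tcp", 443), (10, "udp", 53), (300, "tcp", 443)]:
        print(t, proto, port, decide(laptop, wlan, proto, port, float(t)))
```
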

Page 19: Agenda

► Integrated Solution Architecture
► Integrated Solution Components
    - Cisco Security Agent (CSA)
    - Cisco NAC Appliance
    - Cisco Firewall
    - Cisco IPS
    - CS-MARS

Page 20: Cisco NAC Appliance Overview

► Admission Control and compliance enforcement
► Features:
    - In-band or out-of-band deployment options
    - User authentication tools
    - Bandwidth and traffic filtering controls
    - Vulnerability assessment and remediation (also referred to as posture assessment)
    - Network Scan
    - Clean Access Agent

Page 21: NAC Architecture

Page 22: Out-of-Band Modes

Page 23: In-Band Modes

Page 24: NAC Appliance Positioning: Edge Deployment

Page 25: NAC Appliance Positioning: Centralized Deployment

Page 26: NAC Authentication

► 802.1x/EAP authentication does not pass through to NAC
► Authentication methods include:
    - Web authentication
    - Clean Access Agent
    - Single sign-on (SSO) with Clean Access Agent with the following:
        - VPN RADIUS accounting
        - Active Directory

Page 27: Authentication Process: AD SSO

Page 28: Posture Assessment Process

Page 29: Remediation Process

Page 30: Authenticated User

Page 31: Agenda

► Integrated Solution Architecture
► Integrated Solution Components
    - Cisco Security Agent (CSA)
    - Cisco NAC Appliance
    - Cisco Firewall
    - Cisco IPS
    - CS-MARS

Page 32: Firewall Placement Options

Source: Cisco, Deploying Firewalls Throughout Your Organization

Page 33: Why Place Firewalls in Multiple Network Segments?

► Provide the first line of defense in network security infrastructures
► Prevent access breaches at all key network junctures
► Help organizations comply with the latest corporate and industry governance mandates
    - Sarbanes-Oxley (SOX)
    - Gramm-Leach-Bliley (GLB)
    - Health Insurance Portability and Accountability Act (HIPAA)
    - Payment Card Industry Data Security Standard (PCI DSS)

Page 34: Firewall Integration

► Cisco Catalyst 6500 Wireless Services Module (WiSM) and Cisco Firewall Services Module (FWSM)
► Cisco Catalyst 6500 Wireless Services Module (WiSM) and Cisco Adaptive Security Appliances (ASA)
► 2100 family WLCs with a Cisco IOS firewall in an ISR router

Page 35: FWSM and ASA Modes of Operation

Transparent Mode
Routed Mode

Page 36: High Availability Configuration

ASA High Availability
FWSM High Availability

Page 37: WLC Deployments and IOS Firewall

Page 38: Agenda

► Integrated Solution Architecture
► Integrated Solution Components
    - Cisco Security Agent (CSA)
    - Cisco NAC Appliance
    - Cisco Firewall
    - Cisco IPS
    - CS-MARS

Page 39: IPS Threat Detection and Migration Roles

Page 40: WLC and IPS Collaboration

► Cisco WLC and IPS synchronization
► WLC enforcement of a Cisco IPS host block
► Cisco IPS host block retraction

Page 41: Example of WLC enforcement

Page 42: Agenda

► Integrated Solution Architecture
► Integrated Solution Components
    - Cisco Security Agent (CSA)
    - Cisco NAC Appliance
    - Cisco Firewall
    - Cisco IPS
    - CS-MARS

Page 43: CS-MARS

► Cisco Security Monitoring, Analysis and Reporting System
► Monitor the network
► Detect and correlate anomalies
► Mitigate threats

Page 44: Cross-Network Anomaly Detection and Correlation

► MARS is configured to obtain the configurations of other network devices.
► Devices send events to MARS via SNMP.
► Anomalies are detected and correlated across all devices.

Page 45: Monitoring, Anomalies, & Mitigation

► Discover Layer 3 devices on network
    - Entire network can be mapped
    - Find MAC addresses, end-points, topology
► Monitors wired and wireless devices
    - Unified monitoring provides complete picture
► Anomalies can be correlated
    - Complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports, etc.)
► Mitigation responses triggered using rules
    - Rules can be further customized to extend MARS

Page 46: Reporting

► MARS provides reporting
    - Detected events (e.g. DoS, probes, etc.)
    - Distinguish between LAN and WLAN events
    - Leverage reporting from other components (e.g. WLC, WCS, etc.)
► Allows detailed analysis of
    - Events
    - Threats
    - Anomalies

Page 47: Q & A