Wireless and Network Security Integration
Defense by Hi-5
Marc Hogue, Chris Jacobson, Alexandra Korol, Mark Ordonez, Jinjia Xi
Introduction
► Importance of Integrated Network Security
  - Example of disjointed solution
  - Example of properly integrated solution
► Importance to IT Leaders
Agenda
► Integrated Solution Architecture
► Integrated Solution Components
  - Cisco Security Agent (CSA)
  - Cisco NAC Appliance
  - Cisco Firewall
  - Cisco IPS
  - CS-MARS
Cisco Unified Wireless Network
► Anytime, anywhere access to information.
► Real-time access to instant messaging, e-mail, and network resources.
► Mobility services, such as voice, guest access, advanced security, and location.
► Modular architecture that supports 802.11n, 802.11a/b/g, and enterprise wireless mesh for indoor and outdoor locations, while ensuring a smooth migration path to future technologies and services.
Secure Wireless Architecture
► The following five interconnected elements work together to deliver a unified enterprise-class wireless solution:
  - Client devices
  - Access points
  - Wireless controllers
  - Network management
  - Mobility services
Campus Architecture
► High availability
► Access services
► Application optimization and protection services
► Virtualization services
► Security services
► Operational and management services
Branch Architecture
Where CSA Fits into Architecture
CSA
► CSA is an endpoint security solution
► Single agent that provides:
  - zero update attack protection
  - data loss prevention
  - signature based antivirus
► Two Components:
  - CSA MC
  - CSA
Need for CSA
Threats and CSA Mitigation
Prevent Wireless Ad hoc Communications Module
► If a wireless ad-hoc connection is active, all UDP or TCP traffic over any active wireless ad-hoc connection is denied, regardless of the application or IP address.
► Alerts are logged and reported any time the rule module is triggered.
► Customization allows:
  - User Query
  - Test Deployment
Prevent Wireless if Ethernet Active Module
► If an Ethernet connection is active, all UDP or TCP traffic over any active 802.11 wireless connection is denied, regardless of the application or IP address.
► An alert is logged and reported for each unique instance that the rule module is triggered.
► Supports customization:
  - Customized user query as a rule action
  - Customized rule module based on location
  - Customized rule module in test mode
Location Aware Policy Enforcement
► Enforces different security policies based on the location of a mobile client
► Determines state of mobile client based on:
  - System state conditions
  - Network interface set characteristics
► CSA location-aware policy may leverage any of the standard CSA features
Roaming Force VPN Module
► If the CSA MC is not reachable and a network interface is active, all UDP or TCP traffic over any active interface is denied, regardless of the application or IP address, with the exception of web traffic, which is permitted for 300 seconds.
► Informs user that VPN connection is required
► Message is logged
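The three rule modules described above (ad hoc, Ethernet-active and Roaming Force VPN) expressed as one small policy evaluator. This is an added illustrative model written for this transcript, not CSA code; it assumes that "web traffic" means TCP to ports 80/443 and that the 300-second window starts when the CSA MC becomes unreachable.

```python
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    kind: str            # "ethernet", "wlan" (802.11 infrastructure) or "adhoc"
    active: bool = True

@dataclass
class HostState:
    interfaces: list
    mc_reachable: bool            # can the agent reach the CSA Management Center?
    secs_since_mc_lost: int = 0   # assumption: grace clock starts when the MC is lost

WEB_PORTS = {80, 443}          # assumption: "web traffic" means TCP 80/443
WEB_GRACE_SECONDS = 300        # from the Roaming Force VPN module description

def evaluate(state, iface_name, proto, dst_port):
    """Decide one flow: returns (verdict, module) where module names the rule that fired."""
    if proto not in ("tcp", "udp"):
        return "allow", None                   # the modules govern UDP/TCP only
    iface = next(i for i in state.interfaces if i.name == iface_name)
    if not iface.active:
        return "deny", None                    # nothing can be sent on a down link
    # Prevent Wireless Ad hoc Communications: any TCP/UDP over an ad hoc link is denied
    if iface.kind == "adhoc":
        return "deny", "Prevent Wireless Ad hoc"
    # Prevent Wireless if Ethernet Active: a live wired link denies all 802.11 traffic
    if iface.kind == "wlan" and any(i.kind == "ethernet" and i.active
                                    for i in state.interfaces):
        return "deny", "Prevent Wireless if Ethernet Active"
    # Roaming Force VPN: MC unreachable => deny everything except web traffic,
    # and web only inside the 300-second window (user is told a VPN is required)
    if not state.mc_reachable:
        web = proto == "tcp" and dst_port in WEB_PORTS
        if web and state.secs_since_mc_lost < WEB_GRACE_SECONDS:
            return "allow", "Roaming Force VPN"
        return "deny", "Roaming Force VPN"
    return "allow", None

def audit(state, flows):
    """Run (iface, proto, port) flows and return the lines the agent would log per module trigger."""
    log = []
    for iface, proto, port in flows:
        verdict, module = evaluate(state, iface, proto, port)
        if module:
            log.append(f"{module}: {verdict} {proto}/{port} on {iface}")
    return log
```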
Cisco NAC Appliance Overview
► Admission Control and compliance enforcement
► Features:
  - In-band or out-of-band deployment options
  - User authentication tools
  - Bandwidth and traffic filtering controls
  - Vulnerability assessment and remediation (also referred to as posture assessment)
    - Network Scan
    - Clean Access Agent
NAC Architecture
Out-of-Band Modes
In-Band Modes
NAC Appliance Positioning: Edge Deployment
NAC Appliance Positioning: Centralized Deployment
NAC Authentication
► 802.1x/EAP authentication does not pass through to NAC
► Authentication methods include:
  - Web authentication
  - Clean Access Agent
  - Single sign-on (SSO) with Clean Access Agent with the following:
    - VPN RADIUS accounting
    - Active Directory
Authentication Process: AD SSO
Posture Assessment Process
Remediation Process
Authenticated User
Firewall Placement Options
Source: Cisco, Deploying Firewalls Throughout Your Organization
Why Place Firewalls in Multiple Network Segments?
► Provide the first line of defense in network security infrastructures
► Prevent access breaches at all key network junctures
► Help organizations comply with the latest corporate and industry governance mandates
  - Sarbanes-Oxley (SOX)
  - Gramm-Leach-Bliley (GLB)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Payment Card Industry Data Security Standard (PCI DSS)
Firewall Integration
► Cisco Catalyst 6500 Wireless Services Module (WiSM) and Cisco Firewall Services Module (FWSM)
► Cisco Catalyst 6500 Wireless Services Module (WiSM) and Cisco Adaptive Security Appliances (ASA)
► 2100 family WLCs with a Cisco IOS firewall in an ISR router
FWSM and ASA Modes of Operation
Transparent Mode / Routed Mode
High Availability Configuration
ASA High Availability / FWSM High Availability
WLC Deployments and IOS Firewall
IPS Threat Detection and Mitigation Roles
WLC and IPS Collaboration
► Cisco WLC and IPS synchronization
► WLC enforcement of a Cisco IPS host block
► Cisco IPS host block retraction
Example of WLC enforcement
CS-MARS
► Cisco Security Monitoring, Analysis and Reporting System
► Monitor the network
► Detect and correlate anomalies
► Mitigate threats
Cross-Network Anomaly Detection and Correlation
► MARS is configured to obtain the configurations of other network devices.
► Devices send events to MARS via SNMP.
► Anomalies are detected and correlated across all devices.
Monitoring, Anomalies, & Mitigation
► Discover Layer 3 devices on network
  - Entire network can be mapped
  - Find MAC addresses, end-points, topology
► Monitors wired and wireless devices
  - Unified monitoring provides complete picture
► Anomalies can be correlated
  - Complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports, etc.)
► Mitigation responses triggered using rules
  - Rules can be further customized to extend MARS
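The cross-device correlation the two MARS slides above describe (joining WLC client identity with events from a wired device so an anomaly carries MAC, AP, IP and ports, and is tagged WLAN or LAN), shown as an added toy correlator. This is illustrative code written for this transcript, not MARS logic; both feeds and their line formats are constructed samples, and the "three distinct ports from one source" probe rule is an assumed threshold.

```python
import re
from collections import defaultdict

# Constructed sample feeds (not real device output). The WLC lines describe
# wireless client associations; the firewall lines are denied flows.
WLC_ASSOC = [
    "client 00:11:22:33:44:55 ip 10.1.5.23 ssid corp ap AP-3F-West",
    "client 00:11:22:33:44:66 ip 10.1.5.40 ssid guest ap AP-2F-East",
]
FW_EVENTS = [
    "deny tcp 10.1.5.23 -> 10.2.0.8:22",
    "deny tcp 10.1.5.23 -> 10.2.0.8:23",
    "deny tcp 10.1.5.23 -> 10.2.0.8:445",
    "deny tcp 10.3.7.9 -> 10.2.0.8:445",
]
ASSOC_RE = re.compile(r"client (\S+) ip (\S+) ssid (\S+) ap (\S+)")
FW_RE = re.compile(r"deny (\w+) (\S+) -> (\S+):(\d+)")

def wireless_hosts(assoc_lines):
    """IP -> {mac, ssid, ap}: the wireless identity learned from the WLC feed."""
    hosts = {}
    for line in assoc_lines:
        m = ASSOC_RE.match(line)
        if m:
            mac, ip, ssid, ap = m.groups()
            hosts[ip] = {"mac": mac, "ssid": ssid, "ap": ap}
    return hosts

def correlate(fw_lines, hosts, probe_threshold=3):
    """Tag each denial as WLAN or LAN, attach MAC/AP when the source is a wireless
    client, and raise a 'probe' anomaly for any source denied to >= probe_threshold
    distinct ports on one destination (assumed threshold)."""
    events, ports = [], defaultdict(set)
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue                      # ignore lines that do not parse
        proto, src, dst, port = m.groups()
        wl = hosts.get(src)
        events.append({"src": src, "dst": dst, "port": int(port), "proto": proto,
                       "segment": "WLAN" if wl else "LAN",
                       "mac": wl["mac"] if wl else None,
                       "ap": wl["ap"] if wl else None})
        ports[(src, dst)].add(int(port))
    anomalies = [{"type": "probe", "src": s, "dst": d, "ports": sorted(p),
                  "segment": "WLAN" if s in hosts else "LAN",
                  "mac": hosts[s]["mac"] if s in hosts else None}
                 for (s, d), p in ports.items() if len(p) >= probe_threshold]
    return events, anomalies
```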
Reporting
► MARS provides reporting
  - Detected events (e.g. DoS, probes, etc.)
  - Distinguish between LAN and WLAN events
  - Leverage reporting from other components (e.g. WLC, WCS, etc.)
► Allows detailed analysis of
  - Events
  - Threats
  - Anomalies
Q &amp; A