Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi

Introduction ► Importance of Integrated Network Security  Example of disjointed solution  Example of properly integrated solution ► Importance to IT Leaders

Agenda ► Integrated Solution Architecture ► Integrated Solution Components  Cisco Security Agent (CSA)  Cisco NAC Appliance  Cisco Firewall  Cisco IPS  CS-MARS

Cisco Unified Wireless Network ► Anytime, anywhere access to information. ► Real-time access to instant messaging, , and network resources. ► Mobility services, such as voice, guest access, advanced security, and location. ► Modular architecture that supports n, a/b/g, and enterprise wireless mesh for indoor and outdoor locations, while ensuring a smooth migration path to future technologies and services

Secure Wireless Architecture ► The following five interconnected elements work together to deliver a unified enterprise-class wireless solution:  Client devices  Access points  Wireless controllers  Network management  Mobility services

Campus Architecture ► High availability ► Access services ► Application optimization and protection services ► Virtualization services ► Security services ► Operational and management services

Branch Architecture

Cisco Unified Wireless Network ► Anytime, anywhere access to information. ► Real-time access to instant messaging, , and network resources. ► Mobility services, such as voice, guest access, advanced security, and location. ► Modular architecture that supports n, a/b/g, and enterprise wireless mesh for indoor and outdoor locations, while ensuring a smooth migration path to future technologies and services

Agenda ► Integrated Solution Architecture ► Integrated Solution Components  Cisco Security Agent (CSA)  Cisco NAC Appliance  Cisco Firewall  Cisco IPS  CS-MARS

Where CSA Fits into Architecture

CSA ► CSA is an endpoint security solution ► Single agent that provides:  zero update attack protection  data loss prevention  signature based antivirus ► Two Components:  CSA MC  CSA

Need for CSA

Threats and CSA Mitigation

Prevent Wireless Ad hoc Communications Module ► If a wireless ad-hoc connection is active, all UDP or TCP traffic over any active wireless ad-hoc connection is denied, regardless of the application or IP address. ► Alerts are logged and reported any time the rule module is triggered ► Customization allows:  User Query  Test Deployment

Prevent Wireless if Ethernet Active Module ► If an Ethernet connection is active, all UDP or TCP traffic over any active wireless connection is denied, regardless of the application or IP address. ► An alert is logged and reported for each unique instance that the rule module is triggered. ► Supports customization  Customized user query as a rule action  Customized rule module based on location  Customized rule module in test mode

Location Aware Policy Enforcement ► Enforces different security policies based on the location of a mobile client ► Determines state of mobile client based on:  System state conditions  Network interface set characteristics ► CSA location-aware policy may leverage any of the standard CSA features

Roaming Force VPN Module ► If the CSA MC is not reachable and a network interface is active, all UDP or TCP traffic over any active interface is denied, regardless of the application or IP address, with the exception of web traffic, which is permitted for 300 seconds. ► Informs user that VPN connection is required ► Message is logged

Agenda ► Integrated Solution Architecture ► Integrated Solution Components  Cisco Security Agent (CSA)  Cisco NAC Appliance  Cisco Firewall  Cisco IPS  CS-MARS

Cisco NAC Appliance Overview ► Admission Control and compliance enforcement ► Features:  In-band or out-of-band deployment options  User authentication tools  Bandwidth and traffic filtering controls  Vulnerability assessment and remediation (also referred to as posture assessment)  Network Scan  Clean Access Agent

NAC Architecture

Out-of-Band Modes

In-Band Modes

NAC Appliance Positioning: Edge Deployment

NAC Appliance Positioning: Centralized Deployment

NAC Authentication ► 802.1x/EAP authentication does not pass through to NAC ► Authentication methods include:  Web authentication  Clean Access Agent  Single sign-on (SSO) with Clean Access Agent with the following:  VPN RADIUS accounting  Active Directory

Authentication Process: AD SSO

Posture Assessment Process

Remediation Process

Authenticated User

Agenda ► Integrated Solution Architecture ► Integrated Solution Components  Cisco Security Agent (CSA)  Cisco NAC Appliance  Cisco Firewall  Cisco IPS  CS-MARS

Firewall Placement Options Source: Cisco, Deploying Firewalls Throughout Your Organization

Why Placing Firewalls in Multiple Network Segments? ► Provide the first line of defense in network security infrastructures ► Prevent access breaches at all key network junctures ► Help organizations comply with the latest corporate and industry governance mandates  Sarbanes-Oxley (SOX)  Gramm-Leach-Bliley (GLB)  Health Insurance Portability and Accountability Act (HIPAA)  Payment Card Industry Data Security Standard (PCI DSS)

► Cisco Catalyst 6500 Wireless Services Module (WiSM) and Cisco Firewall Services Module (FWSM) ► Cisco Catalyst 6500 Wireless Services Module (WiSM) and Cisco Adaptive Security Appliances (ASA) ► 2100 family WLCs with a Cisco IOS firewall in an ISR router Firewall Integration

FWSM and ASA Modes of Operation Transparent Mode Routed Mode

High Availability Configuration ASA High Availability FWSM High Availability

WLC Deployments and IOS Firewall

Agenda ► Integrated Solution Architecture ► Integrated Solution Components  Cisco Security Agent (CSA)  Cisco NAC Appliance  Cisco Firewall  Cisco IPS  CS-MARS

IPS Threat Detection and Migration Roles

WLC and IPS Collaboration ► Cisco WLC and IPS synchronization ► WLC enforcement of a Cisco IPS host block ► Cisco IPS host block retraction

Example of WLC enforcement

Agenda ► Integrated Solution Architecture ► Integrated Solution Components  Cisco Security Agent (CSA)  Cisco NAC Appliance  Cisco Firewall  Cisco IPS  CS-MARS

CS-MARS ► Cisco Security Monitoring, Analysis and Reporting System ► Monitor the network ► Detect and correlate anomalies ► Mitigate threats

Cross-Network Anomaly Detection and Correlation ► MARS is configured to obtain the configurations of other network devices. ► Devices send events to MARS via SNMP. ► Anomalies are detected and correlated across all devices.

Monitoring, Anomalies, & Mitigation ► Discover Layer 3 devices on network  Entire network can be mapped  Find MAC addresses, end-points, topology ► Monitors wired and wireless devices  Unified monitoring provides complete picture ► Anomalies can be correlated  Complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports, etc.) ► Mitigation responses triggered using rules  Rules can be further customized to extend MARS

Reporting ► MARS provides reporting  Detected events (e.g. DoS, probes, etc.)  Distinguish between LAN and WLAN events  Leverage reporting from other components (e.g. WLC, WCS, etc.) ► Allows detailed analysis of  Events  Threats  Anomalies

Q & A