Wireless and Network Security Integration
Defense by Hi-5: Marc Hogue, Chris Jacobson, Alexandra Korol, Mark Ordonez, Jinjia Xi
Introduction
► Importance of Integrated Network Security
  - Example of a disjointed solution
  - Example of a properly integrated solution
► Importance to IT Leaders

Agenda
► Integrated Solution Architecture
► Integrated Solution Components
  - Cisco Security Agent (CSA)
  - Cisco NAC Appliance
  - Cisco Firewall
  - Cisco IPS
  - CS-MARS
Cisco Unified Wireless Network
► Anytime, anywhere access to information.
► Real-time access to instant messaging, e-mail, and network resources.
► Mobility services, such as voice, guest access, advanced security, and location.
► Modular architecture that supports 802.11n, 802.11a/b/g, and enterprise wireless mesh for indoor and outdoor locations, while ensuring a smooth migration path to future technologies and services.

Secure Wireless Architecture
► The following five interconnected elements work together to deliver a unified enterprise-class wireless solution:
  - Client devices
  - Access points
  - Wireless controllers
  - Network management
  - Mobility services
Campus Architecture ► High availability ► Access services ► Application optimization and protection services ► Virtualization services ► Security services ► Operational and management services
Branch Architecture
Where CSA Fits into Architecture
CSA
► CSA is a host-based endpoint security solution
► Single agent that provides:
  - zero-update (behavior-based) attack protection
  - data loss prevention
  - signature-based antivirus
► Two components:
  - CSA Management Center (CSA MC), the central policy server
  - CSA, the agent installed on each endpoint
Need for CSA
Threats and CSA Mitigation
Prevent Wireless Ad hoc Communications Module
► If a wireless ad-hoc connection is active, all UDP or TCP traffic over any active wireless ad-hoc connection is denied, regardless of the application or IP address.
► Alerts are logged and reported any time the rule module is triggered.
► Customization allows:
  - user query as a rule action (prompt the user instead of silently denying)
  - test-mode deployment (log what would be denied without enforcing)

Prevent Wireless if Ethernet Active Module
► If an Ethernet connection is active, all UDP or TCP traffic over any active wireless connection is denied, regardless of the application or IP address.
► An alert is logged and reported for each unique instance that the rule module is triggered.
► Supports customization:
  - customized user query as a rule action
  - customized rule module based on location
  - customized rule module in test mode

Location Aware Policy Enforcement
► Enforces different security policies based on the location of a mobile client
► Determines the state of the mobile client based on:
  - system state conditions
  - network interface set characteristics
► CSA location-aware policy may leverage any of the standard CSA features

Roaming Force VPN Module
► If the CSA MC is not reachable and a network interface is active, all UDP or TCP traffic over any active interface is denied, regardless of the application or IP address, with the exception of web traffic, which is permitted for 300 seconds (long enough to reach a hotspot login page and bring the VPN up, after which the MC is reachable again).
► Informs the user that a VPN connection is required
► Message is logged
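The three CSA rule modules above are easiest to reason about as one ordered policy over host state. The following is an added illustration written for this page, not Cisco CSA code: the interface model, flow model, rule names and the 300-second web grace handling are this example's own constructions, and the interpretation of the grace window as "time to reach a hotspot login page" is an assumption noted in the code.

```python
"""Evaluator modelling the CSA wireless rule modules described above.
Added example, not Cisco CSA code: interface states, flows and rule
names are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

WEB_GRACE_SECONDS = 300      # web-only window once the CSA MC is unreachable
WEB_PORTS = {80, 443}        # what this example treats as "web traffic"


@dataclass
class Interface:
    name: str
    kind: str                # "ethernet" or "wireless"
    active: bool
    adhoc: bool = False      # wireless interface joined to an ad-hoc (IBSS) network


@dataclass
class HostState:
    interfaces: List[Interface]
    mc_reachable: bool                   # can the agent reach the CSA Management Center?
    mc_lost_at: Optional[float] = None   # epoch seconds when MC reachability was lost


@dataclass
class Flow:
    iface: str
    proto: str               # "tcp", "udp" or anything else (e.g. "icmp")
    dport: int


@dataclass
class Verdict:
    allow: bool
    rule: Optional[str] = None       # which module fired (None = no module involved)
    message: Optional[str] = None


def evaluate(state: HostState, flow: Flow, now: float,
             log: Optional[List[str]] = None) -> Verdict:
    """Apply the modules in order; the first deny wins. Every trigger is logged."""
    iface = next(i for i in state.interfaces if i.name == flow.iface)
    if not iface.active:
        return Verdict(False, "interface-down", "no active interface")
    if flow.proto not in ("tcp", "udp"):
        return Verdict(True)         # the modules only constrain UDP/TCP

    verdict = Verdict(True)
    ethernet_up = any(i.kind == "ethernet" and i.active for i in state.interfaces)

    if iface.kind == "wireless" and iface.adhoc:
        # Prevent Wireless Ad hoc Communications
        verdict = Verdict(False, "prevent-wireless-adhoc",
                          "UDP/TCP over an ad-hoc wireless connection denied")
    elif iface.kind == "wireless" and ethernet_up:
        # Prevent Wireless if Ethernet Active
        verdict = Verdict(False, "prevent-wireless-if-ethernet",
                          "wireless traffic denied while Ethernet is active")
    elif not state.mc_reachable:
        # Roaming Force VPN: everything denied except web for 300 s. Assumption
        # (this example's reading): the window exists so the user can reach a
        # hotspot login page and bring the VPN up.
        lost_at = state.mc_lost_at if state.mc_lost_at is not None else now
        in_grace = (now - lost_at) < WEB_GRACE_SECONDS
        if flow.proto == "tcp" and flow.dport in WEB_PORTS and in_grace:
            verdict = Verdict(True, "roaming-force-vpn",
                              "VPN connection required; web allowed during grace window")
        else:
            verdict = Verdict(False, "roaming-force-vpn", "VPN connection required")

    if log is not None and verdict.rule:
        state_word = "allow" if verdict.allow else "deny"
        log.append(f"{verdict.rule}: {flow.iface} {flow.proto}/{flow.dport} -> {state_word}")
    return verdict


def demo() -> List[str]:
    """Constructed scenario: roaming laptop loses the MC at t=1000 s."""
    events: List[str] = []
    roaming = HostState([Interface("wlan0", "wireless", True)],
                        mc_reachable=False, mc_lost_at=1000.0)
    evaluate(roaming, Flow("wlan0", "tcp", 443), 1100.0, events)   # allowed, in grace
    evaluate(roaming, Flow("wlan0", "udp", 53), 1100.0, events)    # denied, not web
    evaluate(roaming, Flow("wlan0", "tcp", 443), 1400.0, events)   # denied, grace over
    return events


if __name__ == "__main__":
    print("\n".join(demo()))
```

The point the ordering makes: a wireless interface that is bridged to an ad-hoc peer or coexists with a live Ethernet link is denied before the roaming rule is even consulted, so the web grace window never opens a path that the first two modules would have closed.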
Cisco NAC Appliance Overview
► Admission control and compliance enforcement
► Features:
  - In-band or out-of-band deployment options
  - User authentication tools
  - Bandwidth and traffic filtering controls
  - Vulnerability assessment and remediation (also referred to as posture assessment), performed by:
    Network Scan
    Clean Access Agent
NAC Architecture
Out-of-Band Modes
In-Band Modes
NAC Appliance Positioning: Edge Deployment
NAC Appliance Positioning: Centralized Deployment
NAC Authentication
► 802.1X/EAP authentication does not pass through to the NAC Appliance
► Authentication methods include:
  - Web authentication
  - Clean Access Agent
  - Single sign-on (SSO) with the Clean Access Agent, using one of:
    VPN RADIUS accounting
    Active Directory
Authentication Process: AD SSO
Posture Assessment Process
Remediation Process
Authenticated User
Firewall Placement Options
Source: Cisco, Deploying Firewalls Throughout Your Organization

Why Place Firewalls in Multiple Network Segments?
► Provide the first line of defense in the network security infrastructure
► Prevent access breaches at all key network junctures
► Help organizations comply with current corporate and industry governance mandates:
  - Sarbanes-Oxley (SOX)
  - Gramm-Leach-Bliley (GLB)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Payment Card Industry Data Security Standard (PCI DSS)

Firewall Integration
► Cisco Catalyst 6500 Wireless Services Module (WiSM) with the Cisco Firewall Services Module (FWSM)
► Cisco Catalyst 6500 WiSM with Cisco Adaptive Security Appliances (ASA)
► Cisco 2100 Series WLCs with a Cisco IOS firewall in an ISR router

FWSM and ASA Modes of Operation
► Transparent mode: the firewall bridges traffic at Layer 2 between its interfaces and is not an IP hop, so it can be inserted in front of the WLAN subnets without readdressing them
► Routed mode: the firewall is a Layer 3 hop with an IP address on each interface

High Availability Configuration
► ASA high availability
► FWSM high availability
WLC Deployments and IOS Firewall
IPS Threat Detection and Mitigation Roles

WLC and IPS Collaboration
► Cisco WLC and IPS synchronization: the WLC periodically polls the sensor's active host-block list
► WLC enforcement of a Cisco IPS host block: a wireless client whose IP is on the list is excluded from the WLAN
► Cisco IPS host block retraction: when the sensor expires or removes the block, the WLC lifts the exclusion on its next sync
Example of WLC enforcement
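The enforcement and retraction cycle above can be shown as a small simulation of both sides. This is an added example written for this page, not Cisco WLC or IPS code: the sensor and controller are modelled in-process, the client table, block TTL and poll times are constructed, and the `IpsSensor`/`Wlc` class names are this example's own.

```python
"""Simulation of WLC enforcement and retraction of Cisco IPS host blocks.
Added example, not Cisco code: sensor, controller, clients and timings
are all constructed in-process."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class IpsSensor:
    """Holds host blocks with an expiry; the WLC reads the active list on each poll."""
    blocks: Dict[str, float] = field(default_factory=dict)   # ip -> expiry (epoch seconds)

    def block_host(self, ip: str, now: float, ttl_seconds: float) -> None:
        self.blocks[ip] = now + ttl_seconds

    def unblock_host(self, ip: str) -> None:
        """Manual retraction by the operator."""
        self.blocks.pop(ip, None)

    def active_blocks(self, now: float) -> Set[str]:
        """Drop expired entries (automatic retraction) and return what is still blocked."""
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        return set(self.blocks)


@dataclass
class Wlc:
    """Controller: knows its wireless clients and excludes those the IPS has blocked."""
    clients: Dict[str, str]                                   # ip -> client MAC
    excluded: Dict[str, str] = field(default_factory=dict)    # ip -> MAC currently excluded
    history: List[str] = field(default_factory=list)

    def sync_with_ips(self, ips: IpsSensor, now: float) -> List[str]:
        """One poll cycle: enforce new blocks, retract stale ones. Returns the actions taken."""
        actions: List[str] = []
        blocked = ips.active_blocks(now)

        # Enforce: only IPs that are wireless clients of this WLC are actionable here;
        # a blocked wired host is somebody else's job (firewall / switch).
        for ip in sorted(blocked):
            mac = self.clients.get(ip)
            if mac is None or ip in self.excluded:
                continue
            self.excluded[ip] = mac
            actions.append(f"exclude {mac} ({ip})")

        # Retract: any exclusion whose IPS block has expired or been removed
        for ip in sorted(set(self.excluded) - blocked):
            mac = self.excluded.pop(ip)
            actions.append(f"readmit {mac} ({ip})")

        self.history.extend(actions)
        return actions


def run_scenario() -> List[List[str]]:
    """Constructed timeline: block at t=0 with a 600 s TTL, polls every 60 s."""
    ips = IpsSensor()
    wlc = Wlc(clients={"10.1.20.55": "00:1a:2b:3c:4d:5e",
                       "10.1.20.56": "00:1a:2b:3c:4d:60"})
    ips.block_host("10.1.20.55", now=0.0, ttl_seconds=600)
    ips.block_host("10.1.100.7", now=0.0, ttl_seconds=600)   # wired host, not a WLC client
    return [wlc.sync_with_ips(ips, t) for t in (60.0, 120.0, 700.0)]


if __name__ == "__main__":
    for cycle in run_scenario():
        print(cycle)
```

Two properties worth keeping when wiring this up for real: the sync must be idempotent (a block that is already enforced produces no second action), and retraction must be driven by the sensor's current list rather than by a local timer, so that the controller and sensor never disagree about who is blocked.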
CS-MARS
► Cisco Security Monitoring, Analysis and Response System
► Monitor the network
► Detect and correlate anomalies
► Mitigate threats

Cross-Network Anomaly Detection and Correlation
► MARS is configured to obtain the configurations of other network devices.
► Devices send events to MARS (syslog, SNMP traps and NetFlow; SDEE for IPS sensors).
► Anomalies are detected and correlated across all devices.

Monitoring, Anomalies, & Mitigation
► Discover Layer 3 devices on the network
  - Entire network can be mapped
  - Find MAC addresses, end-points, topology
► Monitors wired and wireless devices
  - Unified monitoring provides a complete picture
► Anomalies can be correlated
  - Complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports)
► Mitigation responses triggered using rules
  - Rules can be further customized to extend MARS

Reporting
► MARS provides reporting
  - Detected events (e.g. DoS, probes)
  - Distinguish between LAN and WLAN events
  - Leverage reporting from other components (e.g. WLC, WCS)
► Allows detailed analysis of
  - Events
  - Threats
  - Anomalies
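What the correlation and LAN/WLAN distinction in the two slides above amount to in practice is a join of IPS and firewall events on the source IP against the controller's client table, so that an alert carries the MAC, user and AP behind the address and the mitigation can be sent to the device that can actually act on it. The following is an added example written for this page, not CS-MARS code: the log lines are constructed (their formats are this example's own, not device output), and the `correlate` function, its threshold and its mitigation strings are assumptions of the example.

```python
"""Cross-device correlation in the spirit of the slides above.
Added example, not CS-MARS code: log lines and formats are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample events (not real device output)
WLC_LOGS = [
    "WLC1 CLIENT_ASSOC mac=00:1a:2b:3c:4d:5e ip=10.1.20.55 user=jdoe ap=AP-Lobby-1",
    "WLC1 CLIENT_ASSOC mac=00:1a:2b:3c:4d:60 ip=10.1.20.56 user=asmith ap=AP-Floor2-3",
]
IPS_LOGS = [
    "IPS1 sig=3030 name=TCP-SYN-Host-Sweep src=10.1.20.55 dst=10.1.5.0 risk=85",
    "IPS1 sig=3030 name=TCP-SYN-Host-Sweep src=10.1.20.55 dst=10.1.6.0 risk=85",
    "IPS1 sig=5575 name=SMB-Probe src=10.1.100.7 dst=10.1.5.12 risk=60",
]
FW_LOGS = [
    'FWSM1 Deny tcp src inside:10.1.20.55/4432 dst dmz:10.1.5.12/445 by access-group "inside_in"',
    'FWSM1 Deny tcp src inside:10.1.100.7/51022 dst dmz:10.1.5.12/445 by access-group "inside_in"',
]

WLC_RE = re.compile(r"CLIENT_ASSOC mac=(\S+) ip=(\S+) user=(\S+) ap=(\S+)")
IPS_RE = re.compile(r"sig=(\d+) name=(\S+) src=(\S+) dst=(\S+) risk=(\d+)")
FW_RE = re.compile(r"Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")


def wireless_identity(wlc_logs: List[str]) -> Dict[str, Dict[str, str]]:
    """ip -> {mac, user, ap} from WLC association records; membership here is
    what lets the report label an event WLAN rather than LAN."""
    ident: Dict[str, Dict[str, str]] = {}
    for line in wlc_logs:
        m = WLC_RE.search(line)
        if m:
            mac, ip, user, ap = m.groups()
            ident[ip] = {"mac": mac, "user": user, "ap": ap}
    return ident


def correlate(ips_logs: List[str], fw_logs: List[str], wlc_logs: List[str],
              threshold: int = 2) -> Dict[str, dict]:
    """Group IPS and firewall events by source IP, enrich with wireless identity,
    and pick a mitigation target once an IP crosses `threshold` events."""
    ident = wireless_identity(wlc_logs)
    incidents: Dict[str, dict] = defaultdict(lambda: {"events": [], "risk": 0})

    for line in ips_logs:
        m = IPS_RE.search(line)
        if m:
            _sig, name, src, dst, risk = m.groups()
            inc = incidents[src]
            inc["events"].append(f"ips:{name}->{dst}")
            inc["risk"] = max(inc["risk"], int(risk))

    for line in fw_logs:
        m = FW_RE.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            incidents[src]["events"].append(f"fw:deny {proto}->{dst}:{dport}")

    report: Dict[str, dict] = {}
    for src, inc in incidents.items():
        who: Optional[Dict[str, str]] = ident.get(src)
        entry = {
            "src": src,
            "segment": "WLAN" if who else "LAN",
            "identity": who,
            "events": inc["events"],
            "risk": inc["risk"],
        }
        if len(inc["events"]) >= threshold:
            # Send the block to the device that owns the offender: the WLC can
            # exclude a wireless MAC; a wired host is shunned at the firewall.
            entry["mitigation"] = (f"wlc-exclude {who['mac']} via {who['ap']}"
                                   if who else f"fw-shun {src}")
        else:
            entry["mitigation"] = "monitor"
        report[src] = entry
    return report


if __name__ == "__main__":
    for src, entry in correlate(IPS_LOGS, FW_LOGS, WLC_LOGS).items():
        print(src, entry["segment"], entry["mitigation"], entry["events"])
```

Keying the join on IP alone is deliberate for a DHCP-assigned WLAN only as long as the association record and the attack events come from the same lease; a production rule would also check the WLC event timestamps against the IPS ones before trusting the MAC it recovers.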
Q & A