secure wireless-do d-ks-020316

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Upload: cisco-public-sector

Post on 21-Jan-2017


Page 1: Secure wireless-do d-ks-020316

Secure Wireless: Advanced, Secure, Certified, Proven

Kurt Sauter – Product Specialist - Mobility

Page 2: Secure wireless-do d-ks-020316

Agenda
• Introduction
• Gigabit Wi-Fi
• New Products
• Management
• CSfC
• Q&A

Page 3: Secure wireless-do d-ks-020316

Digital Transformation: Accelerate Business Processes, Introduce New Innovative Offerings
• UPS Tracking: Data Driven Business Intelligence
• Mobile Point of Sale: Payments on Phone or Tablet
• Starbucks Apps: Customer Loyalty and Transactions
• Philips Connected Lighting: Custom Settings, Building Intelligence
• Nike Digital Sport: Digital Performance Coaching

Page 4: Secure wireless-do d-ks-020316

Digitization Impacts All Sectors

Healthcare, Government, Manufacturing, Education, Financial

Cisco Confidential

Page 5: Secure wireless-do d-ks-020316

Evolution of the Open Office: Open Workspace
• High Performance Wi-Fi While Leveraging Location-based Solutions Like CMX
• Reliably Connect Employees and Devices for Business Critical Applications such as Wi-Fi Calling and Video Services
• Dynamically adapting the network to provide optimal user experience

Page 6: Secure wireless-do d-ks-020316

Internet of Things

[Figure labels: Motion and Ambient Light sensors; Troffer; DownLight; Wall Control; Switch back / front]

Page 7: Secure wireless-do d-ks-020316

Improved Parking Experience
• Monitor and Manage Parking Spaces
• Guidance to the Available Parking Space

[Figure labels: No Parking Zone; Parking Sensor]

Page 8: Secure wireless-do d-ks-020316

DoD Wireless Applications: Increased Adoption and Uses

Increasing Efficiencies
• Mobile Devices
• Security and Compliance: DISA STIGs require WIDS to monitor the air, wired or wireless network; DoD Instruction 8420.01
• Classrooms, Training, Briefing Centers

Page 9: Secure wireless-do d-ks-020316

DoD Wireless Applications: Increased Adoption and Uses

New Applications, Increased Efficiencies

Logistics / Retail, Outdoor, Command Centers
• Barcode Scanners
• RFID Tags
• CoC Tents
• Reduce Cabling
• Field Data
• Range Monitoring

Page 10: Secure wireless-do d-ks-020316

DoD Wireless Applications: Increased Adoption and Uses

New Applications, Increased Efficiencies

Wireless Asset Tracking, Surveillance, Flight Line
• Perimeter Security
• High Value Asset Tracking
• Theft Prevention
• Maintenance Instructions

Page 11: Secure wireless-do d-ks-020316

DoD Wireless Applications: Increased Adoption and Uses

New Applications, Increased Efficiencies

Barracks / MWR, Pier Side, Medical / Field Hospitals
• Ship to shore
• Maintenance work
• Surveillance

Page 12: Secure wireless-do d-ks-020316

DoD Wireless Applications: Increased Adoption and Uses

New Applications, Increased Efficiencies

Guest User Access, Wireless/Wired Voice, Wireless SIPRNet
• CSfC
• Sponsor Guest Users
• Isolate guest traffic

Page 13: Secure wireless-do d-ks-020316

DoD Wireless Applications: Outdoor Wireless
• Tactical, Logistics
• Outdoor
• Rapid Deployment
• 1572 Mesh Access Points

Page 14: Secure wireless-do d-ks-020316

Expanding mobile use cases
• BYOD
• Company Purchased
• Basic Communications
• Transforming Work
• Mobile Transactions

Page 15: Secure wireless-do d-ks-020316
Page 16: Secure wireless-do d-ks-020316

• iOS dramatically better on Cisco networks
• Enterprise voice integration with iPhone
• Seamless collaboration for mobile workers

Page 17: Secure wireless-do d-ks-020316

iPhone integrated with enterprise voice

[Diagram labels: PBX; Telco switch; LAN; Corporate WAN; VoIP; Internet; Cisco Collaboration Cloud]

Page 18: Secure wireless-do d-ks-020316

Cisco Confidential. © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Cisco and Apple Together for a Better End-User Experience
• Improve device efficiency through joint tested standards-based functionality
• Analyze and prioritize Apple-based applications
• Minimize impact of Apple upgrades by accessing local instances on Cisco® ASRs
• Display content from Apple devices wirelessly

Page 19: Secure wireless-do d-ks-020316


Wireless Architecture Overview

Page 20: Secure wireless-do d-ks-020316


Basic Wireless Deployment

Wireless Controller

Wireless Access Points

Intranet

Page 21: Secure wireless-do d-ks-020316

Advanced Wireless Deployment

[Diagram labels: Wireless Controller; Wireless Access Points; Intranet; Location data]

• Mobility Services Engine (MSE)
o 1. MSE detects Rogue APs and Threats
o 2. Provides Location Tracking of devices
• Identity Services Engine (ISE): Authentication and Policy
• Prime: Wired and Wireless Management

Page 22: Secure wireless-do d-ks-020316

Wireless Architecture

Access Points
• 3702 + Modules, 2702, 1702
• 1552, 1572 Outdoor

Controllers
• 5508, 2504, 7500, 8500 HA modes
• 3650, 3850, 4500, UA Switches Wireless Controller

Management (can run as VM or Appliance)
• Prime: One Management, Wired and Wireless
• Mobility Services Engine (MSE): WIDS, CMX, Location Tracking
• Identity Services Engine (ISE): One Policy, Authentication, Guest

Page 23: Secure wireless-do d-ks-020316

Why Cisco Wi-Fi?

Secure: Certified Military-Grade Security
• Approved for Classified. DoD Accredited
• Wired and Wireless IDS that work together
• End-to-End TrustSec Security

Widest Portfolio of Products: Saves Money
• Large portfolio of indoor and outdoor APs
• Most controller options including Cloud-based
• Right-size for specific uses or environments

One Management, One Policy: End-to-End Control, Wired + Wireless
• Advanced Client, App and Network Control
• One User Policy for the entire network
• Advanced BYOD + Guest User Access

Application Enablement: Advanced Analytics
• Engage users using the wireless network
• Drive mobile apps for guests and customers
• Location Tracking Analytics and APIs

Architecture: One Network, Wired and Wireless
• Controller functionality in Cisco Switches
• Deployment: Local, Flex, Cloud, Mesh
• Mission Critical Redundancy, High Availability

Best Wireless Performance: Fastest Wireless, The Most RF Control
• Designed and Built By Cisco
• Advanced RF Innovation
• Works best in the most difficult environments

Page 24: Secure wireless-do d-ks-020316


Importance of 802.11ac Wave 2

Page 25: Secure wireless-do d-ks-020316


Addressing Growth 802.11ac Wave 2

Highest Wi-Fi Performance Ever

Better End Device Efficiency

For Highly Demanding Environments

Higher Data Rate Than Previous Standard

Allows For More Wireless Data With Wider Channels

Simultaneously Deliver Data to Multiple Devices

Conserve End-Device Battery

Page 26: Secure wireless-do d-ks-020316

Wi-Fi Connectivity Speed Timeline: Gigabit Wi-Fi As Primary Access

[Chart: connect rates (Mbps) by number of spatial streams (SS). Standards: 802.11, 802.11b, 802.11a/g, 802.11n, 802.11ac Wave 1, 802.11ac Wave 2 (including Dual 5GHz). Years: 1997, 1999, 2003, 2007, 2013, 2015, 2016. Device classes: 1SS Tablets / Smartphones; 2SS Laptops / Tablets; 3SS Desktops / Laptops. Series: Minimum, Typical, Product Max. Uplink markers: Gigabit Ethernet Uplink; 2 Gigabit Ethernet Uplinks; Multi-Gigabit Uplinks. Plotted values (Mbps): 2, 11, 24, 54, 65, 300, 450, 290*, 600*, 870*, 1300*, 1730**, 2630**, 3500**, 5260**.]

*Assuming 80 MHz channel is available and suitable

**Assuming 160 MHz channel is available and suitable

Page 27: Secure wireless-do d-ks-020316

Better Traffic Handling: 802.11ac Wave 2 with 160MHz - Wider Channels
• Wider Channels Allows More Traffic to Pass
• Multi-User MIMO Uses the Channel to Max Capacity

[Figure labels: 20–40 MHz; 80-160 MHz]

Page 28: Secure wireless-do d-ks-020316

Simultaneous Data Delivery to Many Devices: Multi-User, Multi-In, Multi-Out

Devices Get On and Off the Network Quicker, Allowing More Devices to Be Served

[Figure labels: Multi-User MIMO (MU-MIMO); Single-User MIMO (SU-MIMO)]

Page 29: Secure wireless-do d-ks-020316

Cisco’s Wave 2 Offerings

Page 30: Secure wireless-do d-ks-020316

Meraki MR42: 802.11ac Wave 2
• 802.11ac Wave 2: 3x3 antenna with 3 spatial streams, support for MU-MIMO
• Dedicated third radio: Air Marshal, Auto RF, CMX
• Fourth Bluetooth LE radio: enabling Beacon engagement & BLE scanning
• PoE+ 802.3at power for full operation
• Sleek industrial design of MR32/34

Shipping 9 Feb

$1,099 list

Page 31: Secure wireless-do d-ks-020316

Cisco Aironet Portfolio: Positioned to Capture the 802.11ac Wave 2 Transition

Enterprise Class, Mission Critical, Best in Class

1830 (I)
• 802.11ac Wave 2: Most Cost-effective, 870 Mbps
• 3x3:2SS 80MHz
• Spectrum Analysis*
• Tx Beam Forming
• 1 GE Port
• USB 2.0
• Centralized, FlexConnect and Mobility Express

1850 (I, E)
• 802.11ac Wave 2: Cost-effective, 1.7 Gbps
• 4x4:3SS 80MHz
• Spectrum Analysis*
• Tx Beam Forming
• 2 GE Ports
• USB 2.0
• Centralized, FlexConnect and Mobility Express

2800 (I, E)
• 802.11ac Wave 2: High-Performance 5Gbps
• 2.4, 5GHz or Dual 5GHz
• 4x4:3SS 160 MHz
• MU-MIMO
• 2 GE Ports
• USB 2.0
• Enhanced Location* (External Antenna)
• CleanAir 160MHz
• ClientLink 4.0
• Smart Antenna Connector
• Centralized, FlexConnect and Mobility Express*

3800 (I, E, P)
• 802.11ac Wave 2: High-Performance 5Gbps
• 2.4, 5GHz or Dual 5GHz
• 4x4:3SS 160MHz
• MU-MIMO
• 2 GE or 1 GE + 1 mGig (5G)
• USB 2.0
• Enhanced Location* (External Antenna)
• CleanAir 160 MHz
• ClientLink 4.0
• Smart Antenna Connector
• StadiumVision
• Modularity
• Centralized, FlexConnect and Mobility Express*

*Post-FCS

[Availability markers on slide: May, May]

Page 32: Secure wireless-do d-ks-020316

Next-Generation Wave 2 802.11ac Access Points: Cisco Aironet® 3800 Series
• Industry leading 4x4 MIMO:3 spatial streams (SS) Wave 2 802.11ac access points
• Dual radio, 802.11ac Wave 2, 160 MHz
• Combined Data Rate of 5.2Gbps
• 2 x 5 GHz: 4x4:3SS supporting SU-MIMO / MU-MIMO
• Flexible Radio Assignment: 2.4GHz, Dual-5GHz, Wireless Security Monitoring, Wireless Service Assurance*, or Enhanced Location*
• Gigabit Ethernet and multi-Gigabit Ethernet (1G, 2.5G, 5G)
• HDX Technology
• Enhanced Location using External Antennas*
• USB 2.0
• Internal and external antenna models
• Smart Antenna Connector - 2nd Antenna Connector
• Modularity: Side Mount Modular

Multi-Gigabit Wi-Fi has fully arrived.

* Post-FCS

[Availability marker on slide: May]

Page 33: Secure wireless-do d-ks-020316

Flexible Radio Assignment

• Default operating mode (2.4GHz Serving + 5GHz Serving)
o Serve clients on both 2.4GHz and 5GHz
• Dual 5GHz (5GHz Serving + 5GHz Serving)
o Both radios serving clients on 5GHz
o Maximum over-the-air data rate up to 5.2Gbps
• Wireless Security Monitoring (Wireless Security Monitor + 5GHz Serving)
o Scan both 2.4GHz and 5GHz for security threats
o Serve clients on 5GHz
• Wireless Service Assurance* (+ 5GHz Serving)
o Proactively monitors the network performance
o Serve clients on 5GHz
• Enhanced Location* (+ 5GHz Serving)
o Improves the client location accuracy
o Serve clients on 5GHz

* Denotes feature availability post-FCS

Page 34: Secure wireless-do d-ks-020316

Self Optimizing Network: Flexible Radio Assignment

[Figure: access point radios labelled 2.4GHz Serving, 5GHz Serving and 2.4-5GHz Monitoring, with CleanAir indicators]

Page 35: Secure wireless-do d-ks-020316

Self Optimizing Network: Flexible Radio Assignment

[Figure: access point radios labelled 2.4GHz Serving, 5GHz Serving and 2.4-5GHz Monitoring]

Page 36: Secure wireless-do d-ks-020316

Self Optimizing Network: Flexible Radio Assignment

[Figure: access point radios labelled 2.4GHz Serving, 5GHz Serving and 2.4-5GHz Monitoring]

Page 37: Secure wireless-do d-ks-020316

Dual 5GHz – Improves Client Performance and Capacity
• Improves the Effective Spectrum Usage of the Cell
• Micro-Radio
• 802.11ac Clients near the AP
• High Performance Wi-Fi Clients at 802.11ac data rates
• Excellent speed and performance
• Macro-Radio
• All legacy Clients join macro-cell
• Future of wireless

Users have a better overall experience on a Dual 5GHz Access Point

[Figure labels: Micro; Macro]

Page 38: Secure wireless-do d-ks-020316

Smart Antenna Connector
• Cisco pioneered intelligent antenna connection
• Sleek design
• Allows a second cabled antenna to be connected to the Access Point
• Dual 5 GHz
• Band specific antennas
• Location antennas*
• Antenna versatility for challenging coverage deployments - High Density locations, auditorium classrooms, stadiums, arenas, convention centers,

[Figure labels: Primary Antenna Connectors – Dipole and Cabled Antennas; Smart Antenna Connector – 2800 / 3800; Second Cabled or Location Antenna*]

*Post-FCS

Page 39: Secure wireless-do d-ks-020316

Dual 5GHz – 2x the Coverage Area and Capacity
• Provide 2x the coverage area from a single Access Point
• Improve the total Network Performance
• Utilizes Smart Antenna Connector
• Mix and match all Cisco Supported Antennas

Page 40: Secure wireless-do d-ks-020316

Meet Any Wi-Fi Use Case: Expandability and Investment Protection

[Diagram labels]
• PRIMARY ANTENNAS
• SMART ANTENNA PORT: Location Antennas, Directional Antennas, Stadium Panel Antenna, Other
• MODULE PORT: Custom Application Using Linux, Adv. Security and Spectrum Analysis, Bluetooth Beacon, Other
• Self-Discover / Self-Configure
• Potential Future Expandability: Future Wi-Fi Standard, Video Surveillance, Custom Application Using Linux, Bluetooth Beaconing, 3G and LTE Small Cell Offload, Other

Page 41: Secure wireless-do d-ks-020316

Greater Scalability: Turbo Performance

[Chart: TCP Downlink Throughput, 5GHz Multi-Client, 802.11ac Clients. X axis: Number of Clients (5 to 60). Y axis: Rate Cisco Outperforms Its Nearest Competitor (0 to 7).]

5.9x faster than nearest competitor

Page 42: Secure wireless-do d-ks-020316

Optimize the Wi-Fi Environment: CleanAir for 160MHz

Quickly Identify and Mitigate Wi-Fi Impacting Interference

[Figure label: Channel 48]

Page 43: Secure wireless-do d-ks-020316

Maximize Channels When Radar Is Present: Flexible Dynamic Frequency Selection

[Figure: 5 GHz channels 36 to 64 (5170MHz to 5330MHz) and 100 to 140 (5490MHz to 5710MHz) at 20MHz, 40MHz, 80MHz and 160MHz widths; one channel marked "Channel Used by Air Traffic Radar" with the note "See it on 160MHz Band"; panels labelled Dynamic Frequency Selection and Flexible Dynamic Frequency Selection]

Page 44: Secure wireless-do d-ks-020316

Offload Wireless Traffic Faster: Multigigabit Technology
• Cisco Multigigabit over Standard Cat 5e/Cat6 Cables
• Delivers up to 5X Speeds in Enterprise Without Replacing Cabling Infrastructure
• Supports PoE Up to 60W
• Available on 3800

[Diagram labels: 1 Gigabit Port; 2.5-5 Gigabit Port]

Page 45: Secure wireless-do d-ks-020316

Catalyst 3850 ─ Multigigabit Versions

48 Port Version
• Downlinks: 36 x 1G Line Rate 10/100/1000BASE-T, 12 x GE/mGig/10GT Line Rate; PoE/PoE+/UPoE, EEE, MACSec
• Uplinks: 4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G SFP+ (NEW)

24 Port Version
• Downlinks: 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACSec
• Uplinks: 4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G SFP+ (NEW)

All 3850 Versions Can Stack with Each Other

Page 46: Secure wireless-do d-ks-020316

Catalyst 3850 mGig: New Member to the Stacking Family
• C3850 24 port mGig Switch: 24p mGig/10GT PoE+/UPOE. Line rate at 72 byte packet sizes
• C3850 48 port mGig Switch: 12p mGig/10GT PoE+, 36p 1GE UPOE. Line rate
• Investment Protection – mGig speeds with Cat 5e, 10G with Cat 6a

[Diagram labels: DATA; PoE+; UPOE; Fiber; MGIG]

Page 47: Secure wireless-do d-ks-020316

The New Compact Multigigabit Switch

6 x 1G/PoE+, 2 x Multigigabit PoE+, 2 x 10G SFP+

Multiple Use Cases
1. multi-gigabit for 11ac AP Deployments
2. multi-gigabit as Uplinks Connected to Access Switches (Cat 3K/4K)
3. Instant Access (IA) Client providing multi-gigabit connectivity
4. multi-gigabit as 10G Links for Horizontal Stacking

Page 48: Secure wireless-do d-ks-020316

Zero Impact Application Visibility and Control
• Maintain performance with zero-impact AVC
• Gain visibility into the network
• Monitor critical applications
• Control application performance

Page 49: Secure wireless-do d-ks-020316

Improve Connectivity to All Devices: Cisco ClientLink 4.0

Improves device performance

• 802.11ac Wave 2 Access Point, TX beamforming: 802.11ac Wave 2
• 802.11ac Wave 2 Access Point, Cisco ClientLink: 802.11a, 802.11g, 802.11n, 802.11ac Wave 1, 802.11ac Wave 2

Page 50: Secure wireless-do d-ks-020316

The World’s Most Versatile Access Points: All The Benefits of 802.11ac Wave 2

NEW: Cisco Aironet 2800, NEW: Cisco Aironet 3800

Highest Wi-Fi Performance Ever
• Higher Data Rate
• Wider Channels
• Simultaneous Data Delivery

Better End Device Efficiency
• Better Battery Life

Plus Cisco Innovations for High Density Environments (Self-Optimizing Network, Optimized Mobile User Experience)
• New Flexible Radio Assignment
• Improved Modularity
• Improved CleanAir
• Improved ClientLink
• New Multi-Gigabit Uplinks
• New Zero Impact AVC
• Turbo Performance
• Optimized Roaming
• Improved Enhanced Location*
• Flexible Dynamic Frequency Selection
• New Smart Antenna Connector

*Future

Page 51: Secure wireless-do d-ks-020316

Cisco Aironet Outdoor Access Points: Industry’s Best 802.11n & 802.11ac Series

Base: 1530
• Low Profile, Low Price
• Europe: Low Profile
• Emerging SP: Low Price
• Enterprise: Low profile & Price
• 11n, 2G: 3x3:3; 5G: 2x3:2
• Int/External Antennas

High-Functionality: 1550
• Multiple models & features
• Enterprise, MSO
• DOCSIS3.0 8x4
• 11n, 2x3:2
• Int/External Antennas

Best in Class: 1570 (NEW)
• High-end Enterprise, MSO
• 11ac, 4x4:3
• NG-Cable: 24x8
• Int/External Antennas
• Modular: Future Proof

Page 52: Secure wireless-do d-ks-020316

Cisco Outdoor Access Point Leadership

Aironet 1532 (New)
• 802.11abgn modes
• Supports up to 200 clients
• 1532I internal antenna
• 1532E External antenna
• PoE+ or DC power
• -30 to 65 °C temperature range

Aironet 1552
• 802.11abgn modes
• Supports up to 400 clients
• 1552I/E Internal/External Antenna
• 1552C/CU Cable Modem
• 1552H Hazardous / 1552S Sensor
• -40 to 55 °C temperature range

New Paintable Cover

Page 53: Secure wireless-do d-ks-020316

IW3702-4E Closeup
• N-type antenna ports for 4x4 MIMO with three spatial streams and support for up to 13 dBi gain antennas
• 10/100/1000Base-T, PoE and PoE+ in (M12)
• 10/100/1000Base-T, PoE out (M12)
• 10 to 60 VDC in (M12)
• Management console port (RJ-45 serial)
• Integrated wall/panel mount
• Diecast aluminum chassis with integrated heatsink

Page 54: Secure wireless-do d-ks-020316

The Industry's Most Versatile Controller Portfolio

Segments: Small Campus / Branch (Controller on Premise); Branch (Controller in DC); Large Campus and Service Provider

• 2500: 5 to 75 APs, 1000 clients, 1 Gbps
• Virtual WLC: 5 to 3k APs, 20k clients, 500 Mbps
• Flex 7500: 300 to 6000 APs, 64,000 clients, 1 Gbps
• 8540: 100 to 6000 APs, 64,000 clients, 40 Gbps
• 5760: 25 to 1000 APs, 12,000 clients, 60 Gbps
• WISM2: 300 to 1000 APs, 15,000 clients, 20 Gbps
• Catalyst 3850: 1-100 APs per stack (directly connected APs), 2K clients per stack, 40 Gbps per switch
• Mobility Express: Up to 25 APs, 750 clients
• Catalyst 3650: 1-50 APs per switch/stack (directly connected APs), 1000 clients per stack, 40 Gbps per switch
• Catalyst 4500-E SUP: 1-100 APs per SUP (indirectly connected APs), 2K clients per stack, 40 Gbps per switch
• 5520: 10-1500 APs, 20,000 clients, 20 Gbps
• 5508: 12 to 500 APs, 7000 clients, 8 Gbps
• 8510: 100 to 6000 APs, 64,000 clients, 10 Gbps

Page 55: Secure wireless-do d-ks-020316

WLC 5520 and WLC 8540 Controllers (Previous 12 Months)

8540 WLAN Controller: Highest Scalability
• Access Points: 6,000
• Clients: 64,000
• Deployment Modes: Centralized, FlexConnect and Mesh
• Form Factor: 2 RU
• IO Interface: Four port 1G or 10G with LAG
• Power Options: AC or DC
• Redundancy: Dual Power supply and HDD w/RAID

5520 WLAN Controller
• Access Points: 1,500
• Clients: 20,000
• Deployment Modes: Centralized, FlexConnect and Mesh
• Form Factor: 1 RU
• IO Interface: Dual 1G or 10G ports with LAG
• Power Supply: AC w/Optional Redundant Power Supply

Page 56: Secure wireless-do d-ks-020316

Management Innovations

Page 57: Secure wireless-do d-ks-020316

Mobility Express: Investment Protection

Same Access Point hardware regardless of where the WLAN Controller function is located – Access Point, Appliance, Switch, Router, Virtual Machine, etc.

• Hardware Protection
• Flexible Migration
• Feature Protection

[Diagram labels: Management Point; Wireless Controller]

Page 58: Secure wireless-do d-ks-020316

Simple By Design: Deploy in Minutes

WLAN Express Setup Wizard
• Simplified User Interface
• Over-The-Air, no cable needed
• Basic Employee and a Guest WLAN
• Improved Guest captive-portal

Cisco’s Best Practices ON by default
• Internet only Guest Access Controls
• Application Visibility
• Clean Air and intrusion detection
• Band Select
• Radio Resource Management
• Client Profiling
• Bonjour Service Directory
• Best practice default settings

Built-in Analytics Dashboard

Page 59: Secure wireless-do d-ks-020316


Prime 3.0 Modern User Interface

No Flash !!

Tablet-friendly

Metrics widgets

Same menu structure as 2.2

Correlated charts

Dashboard export

Dashboard tagging for favorites

Page 60: Secure wireless-do d-ks-020316

Why Cisco for Digital Campus Analytics

• CMX = Location Analytics
o Users & Devices
o Location (Dwell Time)
o Activity Patterns (Crossovers)
• Prime = Network Analytics
o Device utilization
o Interface utilization
o Application utilization

Page 61: Secure wireless-do d-ks-020316

Cisco One: Portable, Perpetual & Inclusive license

Simplified License with Greater Value: Any Controller, Any AP

Cisco Prime Infrastructure
• WLAN Management and Analytics, Full Visibility & Control
• Prime Assurance – NetFlow
• Advanced Client Troubleshooting
• Quality of Infrastructure Reports
• Quality of Experience Reports

CMX
• Highly Accurate Location Services: Wi-Fi and Bluetooth location tracking
• Connected Mobile Experience
• Presence Analytics
• Location Analytics
• CMX Connect - Onboarding

ISE
• AAA Radius and database Integration
• 802.1x & CoA
• Enhanced Guest Management Portal
• TrustSec Policy Control

Page 62: Secure wireless-do d-ks-020316


Security

Page 63: Secure wireless-do d-ks-020316

Enterprise WLAN Built on a Foundation of Security
• Certified: WPA2 Enterprise (128bit AES crypto) - Today; Elevating to 802.11ac Wave 2 (256bit AES crypto) – Tomorrow
• Integrated WIDS: Modular AP with security module – integrated monitor mode AP
• Location based Access: ISE Integration with MSE – Enforce access based on location
• Integrated Spectrum Analysis Capabilities: Detailed visibility into the Wi-Fi Spectrum with the ability to detect, classify, identify and locate interferers

Page 64: Secure wireless-do d-ks-020316

Wireless Security - a network solution: Architecting “Network as a Sensor” and “Network as an Enforcer”

[Diagram labels]
• Network Sensors / Network Enforcers: Network Sensor (Lancope); NGFW; NGIPS; Campus/DC Switches/WLC; Cisco Routers / Branch; 3rd Vendor Devices
• Policy & Context Sharing: ISE; API; API (pxGrid)
• TrustSec Security Group Tag
• Cisco Collective Security Intelligence
• Threat; Confidential Data

Page 65: Secure wireless-do d-ks-020316

Cisco Wireless Government Certifications

What’s Certified:
• All Cisco 11ac and 11n Access Points
• All appliance and integrated controllers
• MSE 8.0 and PI 2.2
• APL Listing for WLAS, WAB, WIDS

What’s unique to Cisco:
• Cisco ONLY Wireless vendor with DCE and Common Criteria Certification
• Predictable wireless certification – MD SW release gets certified
• Common release both Enterprise and Government customers – Feature consistency and deployment flexibility

[Table: certifications FIPS, CC, UCAPL, CSfC and USGv6 by release 7.0, 8.0 and IOS 3.6]

Comprehensive end-end solution certified!

Page 66: Secure wireless-do d-ks-020316

Granular Location Tracking - Cisco Hyperlocation

Granular indoor location accuracy to contextually connect users

Engage & Improve Guest Experience

Before: Location approximated based on RSSI - ±5 to 10 meter accuracy
• Room Level Accuracy
• Range Inferred - Prone to errors
• Only RSSI calculation

After: Determine direction (AoA) to client in addition to distance => ±1 meter accuracy
• Blue dot spotlight projected at the user’s feet
• High Accuracy
• Multi technology AoA, RSSI, BLE
• Improved Calculation

Page 67: Secure wireless-do d-ks-020316

Security: Location Based Access

[Diagram labels: Clients; Access Points; Wireless Controller; Identity Services Engine (ISE); Mobility Services Engine; User Authentication; Location Tracking]

Page 68: Secure wireless-do d-ks-020316

Location-Based Network Access: How Does It Work?

1. Client attempts to connect and authenticate with ISE
2. ISE queries the MSE for location of client
3. If client is in a No-Connect Zone access is denied
4. If client moves into a No-Connect Zone, MSE notifies ISE and forces re-authentication

[Diagram labels: Clients; Access Points; Wireless Controller; ISE; Location data; Zone-change event; Authenticate User]
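
The four steps on this slide as a small simulation, added here as an illustration and not Cisco code: `LocationService` stands in for the MSE and `PolicyServer` for ISE, and every type name, coordinate, credential and MAC address is constructed. Denying a client whose location is unknown is an assumption of this sketch; the slide does not say how that case is handled.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Hypothetical stand-ins, not Cisco APIs: LocationService = MSE role, PolicyServer = ISE role.
type Point struct{ X, Y float64 } // position on a floor plan, in metres

// inside is a ray-casting point-in-polygon test.
func inside(poly []Point, p Point) bool {
	in := false
	for i, j := 0, len(poly)-1; i < len(poly); j, i = i, i+1 {
		a, b := poly[i], poly[j]
		if (a.Y > p.Y) != (b.Y > p.Y) && p.X < (b.X-a.X)*(p.Y-a.Y)/(b.Y-a.Y)+a.X {
			in = !in
		}
	}
	return in
}

type LocationService struct {
	NoConnect [][]Point        // No-Connect Zone polygons
	positions map[string]Point // last known position per client MAC
}

// Locate reports No-Connect status; located is false for a never-seen client.
func (l *LocationService) Locate(mac string) (noConnect, located bool) {
	p, ok := l.positions[mac]
	for _, z := range l.NoConnect {
		noConnect = noConnect || (ok && inside(z, p))
	}
	return noConnect, ok
}

// Move records a position and returns true on a zone-change event.
func (l *LocationService) Move(mac string, p Point) bool {
	before, _ := l.Locate(mac)
	l.positions[mac] = p
	after, _ := l.Locate(mac)
	return before != after
}

type Decision string
const (
	Permit      Decision = "permit"
	DenyAuth    Decision = "deny: authentication failed"
	DenyZone    Decision = "deny: client in No-Connect Zone"
	DenyUnknown Decision = "deny: location unknown"
)

type PolicyServer struct {
	Loc      *LocationService
	Secrets  map[string]string // user -> shared secret (constructed)
	Sessions map[string]string // client MAC -> authenticated user
}

// Authenticate covers steps 1 to 3; a new attempt always voids the old session.
func (s *PolicyServer) Authenticate(mac, user, secret string) Decision {
	delete(s.Sessions, mac)
	want, known := s.Secrets[user]
	if !known || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return DenyAuth
	}
	if noConnect, located := s.Loc.Locate(mac); !located { // step 2
		return DenyUnknown // assumption: fail closed
	} else if noConnect {
		return DenyZone // step 3
	}
	s.Sessions[mac] = user
	return Permit
}

// OnZoneChange is step 4: drop the session so the client must re-authenticate.
func (s *PolicyServer) OnZoneChange(mac string) bool {
	_, had := s.Sessions[mac]
	delete(s.Sessions, mac)
	return had
}

// RunScenario walks one client through constructed positions and logins.
func RunScenario() []Decision {
	zone := []Point{{10, 0}, {20, 0}, {20, 10}, {10, 10}} // constructed zone
	loc := &LocationService{[][]Point{zone}, map[string]Point{}}
	ise := &PolicyServer{loc, map[string]string{"alice": "s3cret"}, map[string]string{}}
	const mac = "00:00:5e:00:53:01"
	loc.Move(mac, Point{2, 2})
	out := []Decision{ise.Authenticate(mac, "alice", "s3cret")}
	if loc.Move(mac, Point{12, 3}) && ise.OnZoneChange(mac) {
		out = append(out, ise.Authenticate(mac, "alice", "s3cret"))
	}
	loc.Move(mac, Point{5, 5})
	return append(out, ise.Authenticate(mac, "alice", "s3cret"),
		ise.Authenticate(mac, "alice", "wrong"),
		ise.Authenticate("00:00:5e:00:53:02", "alice", "s3cret"))
}

func main() { fmt.Println(RunScenario()) }
```

The zone-change handler only drops the session; the deny decision comes from the same location check the first login went through, so there is a single place where the zone policy is enforced.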

Page 69: Secure wireless-do d-ks-020316

CSfC: Commercial Solutions for Classified

Using Suite-B Primitives to elevate Network Security

Page 70: Secure wireless-do d-ks-020316

Next Generation Encryption Protocol Suite (Suite B)
• Key Establishment: ECDH-P256/384
• Digital Signatures: ECDSA-P256/384
• Hashing: SHA-256/384
• Authenticated Encryption: AES-128/256-GCM
• Authentication: HMAC-SHA-256/384
• Entropy: SP800-90

Security Briefings & Training

Page 71: Secure wireless-do d-ks-020316

NSA Developing Policy

CSfC (Commercial Solutions for Classified) Packages at NSA
• Site to Site VPN Policy
• Campus WLAN Policy
o Developed to address tactical WLAN deployments
o Meant for small deployments, less than 50 clients
• Enterprise Mobility Policy (forthcoming)
o Applicable to 3G/4G, WLAN and Wired Network

2 Layers of Suite B security

Page 72: Secure wireless-do d-ks-020316

CSfC “Layered” Architectures for Classified

Architectural, defense in depth (e.g. “layers”), approach to security
– SECRET requires 2 layers of ‘countable’ Crypto mLoS 128
– TS requires 2 layers of ‘countable’ Crypto mLoS 192
– Example: 1+1 = 2 ‘countable’ layers sufficient for protecting SECRET information
– Suite B VPN / 1 Countable Layer
– Suite B Application Layer Security / 1 Countable Layer

Page 73: Secure wireless-do d-ks-020316


The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers.

An Update to the Manufacturer Diversity Requirement

Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/ )

Page 74: Secure wireless-do d-ks-020316

An Update to the Manufacturer Diversity Requirement
• CSfC layered solutions with a single vendor are now permitted under certain conditions
• The manufacturer must document the similarities and differences between the two products, including: cryptographic HW components, SW code base (i.e. operating system), software cryptographic libraries, and development teams.
• NSA will review the information of solutions and determine if they meet the requirements for independent layers
• Cisco’s variation of OS’s across certain platforms is targeting this “single-vendor” solution that is compliant with the CSfC guidelines

“The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers.” Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/ )

Page 75: Secure wireless-do d-ks-020316

Cisco Achieves Single Vendor Multi-Platform for CSfC VPN Capability Package

Allows Cisco ASA to be used as an Inner or Outer VPN Gateway when paired with an approved IOS/IOS-XE VPN router

Page 76: Secure wireless-do d-ks-020316

Cisco Wireless CSfC scenario 1a – VPN CP

Black Network between client and Outer VPN, Gray network between VPN head ends

• IPSec with AES-256-GCM from EUD to Outer VPN head end

• IPSec with AES-256-GCM from EUD to Inner VPN head end

• WPAv2-Enterprise from the EUD to WLAS to comply with DoD Instruction 8420.01; this doesn’t impact the CSfC two-layer requirements.

[Diagram labels: WPA2 AES-128-CCMP; IPSec AES-256-GCM; IPSec AES-256-GCM; Unclass WLAN; Unclass WLAN Controller; Outer Suite B VPN #1; Inner Suite B VPN #2. Caption: Unclass WPA2, Suite B VPN, Suite B VPN]
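A minimal model of the two nested AES-256-GCM layers in scenario 1a, added here as an illustration and not taken from the Cisco deck. It uses Go's standard AEAD API instead of IPsec ESP, and the function names, keys and payload are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func gcm(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is not 16, 24 or 32 bytes
	}
	a, _ := cipher.NewGCM(blk) // cannot fail: AES has the 128-bit block GCM needs
	return a
}

// Seal adds one encryption layer: random nonce || ciphertext || tag.
func Seal(key, pt []byte) []byte {
	a := gcm(key)
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, pt, nil)
}

// Open removes one layer; it fails if the packet was modified or the key is wrong.
func Open(key, pkt []byte) ([]byte, error) {
	a := gcm(key)
	if len(pkt) < a.NonceSize() {
		return nil, fmt.Errorf("packet too short")
	}
	return a.Open(nil, pkt[:a.NonceSize()], pkt[a.NonceSize():], nil)
}

func main() {
	keys := make([]byte, 64) // two independent 256-bit keys, one per layer
	if _, err := rand.Read(keys); err != nil {
		panic(err)
	}
	black := Seal(keys[:32], Seal(keys[32:], []byte("constructed payload"))) // EUD: inner layer, then outer
	gray, _ := Open(keys[:32], black) // Outer VPN head end: still ciphertext on the Gray network
	red, err := Open(keys[32:], gray) // Inner VPN head end: plaintext only inside the Red network
	fmt.Printf("%d-byte Black packet -> %q, err=%v\n", len(black), red, err)
}
```

Each layer adds 28 bytes (12-byte nonce plus 16-byte tag), and holding only the outer key yields the inner ciphertext, never the payload.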

Page 77: Secure wireless-do d-ks-020316

Cisco Wireless CSfC scenario 1b – VPN CP

Black Network between client and Outer VPN, Gray network between VPN head ends

• IPSec with AES-256-GCM from EUD to Outer VPN head end

• IPSec with AES-256-GCM from Wireless Router to Inner VPN head end

• WPAv2-Enterprise from the Wireless Router to WLAS to comply with DoD Instruction 8420.01; this doesn’t impact the CSfC two-layer requirements.

Two layers of encryption maintained between EUD and Outer VPN

[Diagram labels: WPA2 AES-128-CCMP; IPSec AES-256-GCM; IPSec AES-256-GCM; Unclass WLAN; Unclass WLAN Controller; Outer Suite B VPN #1; Inner Suite B VPN #2. Caption: Unclass WPA2, Suite B VPN, Suite B VPN]

Page 78: Secure wireless-do d-ks-020316

Cisco Wireless CSfC scenario 2 – Mobility CP

Black Network between client and Outer VPN, Applications located in Gray DMZ network

• IPSec with AES-256-GCM from EUD to VPN head end

• TLS Application Encryption with AES-256-GCM from EUD to Application Server

• WPAv2-Enterprise from the EUD to WLAS to comply with DoD Instruction 8420.01; this doesn’t impact the CSfC two-layer requirements.

[Diagram labels: WPA2 AES-128-CCMP; IPSec AES-256-GCM; TLS AES-256-GCM; Unclass WLAN; Unclass WLAN Controller; Outer Suite B VPN #1; Inner Suite B Application Layer Security - TLS. Caption: Unclass WPA2, Suite B VPN, Suite B VPN]

Page 79: Secure wireless-do d-ks-020316

Cisco Wireless CSfC Scenario 3 – WLAN CP

Black Network from EUD to Wireless Controller, Gray Network between WLC and VPN

• WPAv2 AES-128-CCMP for over the air encryption between EUD and AP

• CAPWAP Data encryption with DTLS AES-256-CBC between AP and WLC

• IPSec with AES-256-GCM to Inner VPN head end

[Diagram labels: WPA2 AES-128-CCMP; CAPWAP DTLS AES-256-CBC; IPSec AES-256-GCM; Unclass WLAN; Unclass WLAN Controller; Outer Suite B VPN #1. Caption: Unclass WPA2, Suite B VPN]

Page 80: Secure wireless-do d-ks-020316

WLAN or VPN Package?

The first countable layer of Suite B security will classify that network Red.

• Therefore, if WLAN L2 security is counted, that WLAN can only be used for Red communications

If an enterprise environment requires both Classified and Unclassified communications, they must be deployed on 2 separate networks

Vendor diversity requirement eased

Page 81: Secure wireless-do d-ks-020316

Secure View

AFRL and AIS

Approved

Accredited

Page 82: Secure wireless-do d-ks-020316

CSfC Enterprise Architecture

• Build on the foundation of the Enterprise Network

[Diagram labels: Unclass; PI; ISE]

Page 83: Secure wireless-do d-ks-020316

CSfC Enterprise Architecture

• Build on the foundation of the Enterprise Network

• Add a Security Enclave for access to Classified

[Diagram labels: Unclass; PI; ISE; VDI; Voice Services; Classified; ASA; ASR]

Page 84: Secure wireless-do d-ks-020316

CSfC Security for the Enterprise

• VPN platform built for Scale – Multi-Gig Throughput
  o ASR 1001-X
  o ASA5585-SSP60
• Enterprise Resiliency
  o Local & Geographical Redundancy
• Network High Availability
• Advanced Security Integration
  o SourceFire
  o TrustSec
  o Netflow
• 3rd Party Integration
  o Lancope
  o Splunk

[Diagram labels: ASA; ASR; Classified; WLC - HA]

Page 85: Secure wireless-do d-ks-020316

CSfC Enterprise Architecture

• Build on the foundation of the Enterprise Network
• Add a Security Enclave for access to Classified
  o Support for Classified WLAN
  o Support for Classified LAN
  o Support for Classified WAN
• Advanced Location resources can enable location based access
  o System Integration enables dynamic control of WLAN access

[Diagram labels: Unclass; PI; ISE; VDI; Voice Services; Classified; 3G/4G; ASA; ASR]

Page 86: Secure wireless-do d-ks-020316

Additional Resources

External

– Cisco White Paper: https://supportforums.cisco.com/docs/DOC-40445
– NSA CSfC website: http://www.nsa.gov/ia/programs/CSfC_program/index.shtml
– List of NSA approved vendors (as of Feb 2014): http://www.nsa.gov/ia/_files/factsheets/CSfC_Components_List_FINAL_Public_19Feb2014.pdf

Disclaimer: The NSA does not recommend nor endorse the use of any Company's products over any other products nor does the Agency offer an opinion regarding whether the Company's Product Series should be used to satisfy any specific user requirement.

Page 87: Secure wireless-do d-ks-020316

Cisco WLAN CSfC Product Listing

Page 88: Secure wireless-do d-ks-020316

Q&A Federal Wireless Webinar March 15th

Send email to: [email protected]

Page 89: Secure wireless-do d-ks-020316

Wired and Wireless Better together

New product Architectures allow even more seamless integration

• Cisco Wi-Fi now built into Access Switches
• Cisco Wi-Fi is now as fast as wired Ethernet (802.11ac = 860Mbps per radio)
• Complete integration with Cisco Prime Network Management wired and wireless
• A single Operating System for both wired and wireless products
• A single policy for end users and Quality of Service
• Easily monitor and troubleshoot wired and wireless end-to-end
• Provide both wireless and wired Guest User Access from same management console
• Only Cisco can provide wireless + wired “MAC SEC” for end-to-end encryption
• Cisco wired and wireless provide seamless support for Cisco Unified Communication