wireless network security


Upload: jude

Post on 11-Feb-2016


DESCRIPTION

Wireless Network Security. Why wireless? "Wifi, which is short for wireless fi... something, allows your computer to connect to the Internet using magic." (Motel 6 commercial) ... but it comes at a price: wireless networks present security risks far above and beyond traditional wired networks. (PowerPoint PPT presentation)

TRANSCRIPT

Slide 1: Wireless Network Security

Slide 2: Why wireless?

"Wifi, which is short for wireless fi... something, allows your computer to connect to the Internet using magic."
- Motel 6 commercial

Slide 3: ... but it comes at a price

Wireless networks present security risks far above and beyond traditional wired networks:
- Rogue access points
- Evil twins
- Packet-based DoS
- Spectrum DoS
- Eavesdropping
- Traffic cracking
- Compromised clients
- MAC spoofing
- Ad-hoc networks
- Man-in-the-middle
- Grizzly bears
- ARP poisoning
- DHCP spoofing
- War driving
- IP leakage
- Wired/wireless bridging

Slide 4: Agenda
- The Cisco Unified Wireless Network
- Cisco Security Agent (CSA)
- Cisco NAC Appliance
- Cisco Firewall
- Cisco IPS
- CS-MARS
- Common wireless threats
- How Cisco Wireless Security protects against them

Slide 5: Today's wireless network

Slide 6: Cisco Unified Wireless Network

The following five interconnected elements work together to deliver a unified enterprise-class wireless solution:
- Client devices
- Access points
- Wireless controllers
- Network management
- Mobility services

Slide 7: CSA: Cisco Security Agent

Full-featured agent-based endpoint protection. Two components:
- Managed client: Cisco Security Agent
- Single point of configuration: Cisco Management Center

Slide 8: CSA - Purpose

Slide 9: CSA Wireless Perspective

Slide 10: CSA Combined Wireless Features

General CSA features:
- Zero-day virus protection
- Control of sensitive data
- Integrity checking before allowing full network access
- Policy management and activity reporting

CSA Mobility features:
- Block access to unauthorized or ad-hoc networks
- Force VPN use in unsecured environments
- Stop unauthorized wireless-to-wired network bridging

Slide 11: CSA End User View (05/30/2009)

Slide 12: Cisco Network Admission Control (NAC)
- Determines the users, their machines, and their roles
- Grants network access based on the level of security compliance
- Interrogation and remediation of noncompliant devices
- Audits for security compliance

Slide 13: NAC - Overview

Slide 14: Cisco NAC Architecture

Slide 15: Cisco NAC Features
- Client identification: access via Active Directory, Clean Access Agent, or even a web form
- Compliance auditing: non-compliant or vulnerable devices are found through network scans or the Clean Access Agent
- Policy enforcement: quarantine access and notify users of vulnerabilities

Slide 16: Cisco Firewall (Placement Options)

Source: Cisco, "Deploying Firewalls Throughout Your Organization"

Slide 17: Why place firewalls in multiple network segments?
- Provide the first line of defense in network security infrastructures
- Prevent access breaches at all key network junctures
- WLAN separation with a firewall to limit access to sensitive data and protect against data loss
- Help organizations comply with the latest corporate and industry governance mandates: Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS)

Note: The rise of internal threats has come about through the emergence of new network perimeters that have formed inside the corporate LAN.

Slide 18: Cisco IPS
- Designed to accurately identify, classify and stop malicious traffic (worms, spyware, adware, network viruses), which is achieved through detailed traffic inspection
- Collaboration of the IPS and the WLC (wireless LAN controller) simplifies and automates threat detection and mitigation

Slide 19: CS-MARS: Cisco Security Monitoring, Analysis and Reporting System
- Monitor the network
- Detect and correlate anomalies (providing visualization)
- Mitigate threats

Slide 20: Cross-Network Anomaly Detection and Correlation
- MARS is configured to obtain the configurations of other network devices.
- Devices send events to MARS via SNMP.
- Anomalies are detected and correlated across all devices.

Configuration notes:
- SNMP community strings on MARS must match those on the devices.
- First add devices that detect attacks and false positives.
- Then add devices that can block an attack.
- Next add hosts such as critical database servers.
- Layer 3 devices can be discovered by CS-MARS.

Slide 21: Monitoring, Anomalies, & Mitigation
- Discover Layer 3 devices on the network: the entire network can be mapped (MAC addresses, end-points, topology)
- Monitors wired and wireless devices: unified monitoring provides the complete picture
- Anomalies can be correlated: complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports, etc.)
- Mitigation responses are triggered using rules; rules can be further customized to extend MARS

Slide 22: Agenda (as slide 4; the remaining sections are common wireless threats and how Cisco Wireless Security protects against them)

Slide 23: Rogue Access Points

Rogue access points are unauthorized access points set up in a corporate network. Two varieties:
- Added for intentionally malicious behavior
- Added by an employee not following policy
Either case needs to be prevented.

Slide 24: Rogue Access Points - Protection

Cisco Wireless Unified Network security can:
- Detect rogue APs
- Determine if they are on the network
- Quarantine and report (CS-MARS notification and reporting)
- Locate rogue APs

Slide 25: Cisco Rogue AP Mapping

Slide 26: Group Quiz

For each of the business challenges below, which component(s) of CUWN protect against them?
1. Mitigate network misuse, hacking and malware from WLAN clients by inspecting traffic flows
2. Identify who is on the network and enforce granular policies to prevent exposure to viruses and malware
3. Streamline the user experience, consolidate accounting, and improve password management
4. Standardize on wireless client connection policies while protecting clients from suspect content and potential hackers
5. Support and maintain a diverse range of security products, correlating events and delivering concise reporting
6. Offer secure, controlled access to network services for non-employees and contractors

Answers (in order): 1. IPS; 2. Cisco NAC; 3. NAC and CSA; 4. CSA; 5. CS-MARS; 6. NAC and firewall

Slide 27: Guest Wireless

Slide 28: Guest Wifi Benefits
- Network segmentation
- Policy management
- Guest traffic monitoring
- Customizable access portals

Slide 29: Conclusions
- Wireless networks present unparalleled threats
- The Cisco Unified Wireless Network Solution provides the best defense against these threats

Slide 30: In-Band Modes
- When the NAC appliance is deployed in-band, all user traffic, both unauthenticated and authenticated, passes through the NAC appliance, which may be positioned logically or physically between end users and the network(s) being protected.
- When the NAC appliance is configured as a virtual gateway, it acts as a bridge between end users and the default gateway (router) for the client subnet being managed.
- When the NAC appliance is configured as a "real" IP gateway, it behaves like a router and forwards packets between its interfaces.

Slide 31: Compromised Clients

Wifi threat: Ad-hoc connections
  Security concern: wide-open connections (unencrypted, unauthenticated, insecure)
  CSA feature: pre-defined ad-hoc policy

Wifi threat: Concurrent wired/wifi connection
  Security concern: contaminating the secure wired environment
  CSA feature: concurrent wired/wifi pre-defined policy (disable wifi traffic if a wired connection is detected)

Wifi threat: Access to unsecured wifi
  Security concern: may lack authentication/encryption; risk of traffic cracking and rogue network devices
  CSA feature: location-based policies (restrict allowed SSIDs, enforce stronger security policies)
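As an added illustration (not code from the original deck or from Cisco), the following Python models the three policy rows of the Compromised Clients table, plus the "force VPN in unsecured environments" mobility feature, as an endpoint-side check; the location-based SSID allow-list, the client-state fields and the action names are assumptions made for this example.

```python
"""Endpoint wifi-policy check modelled on the Compromised Clients table.

Added illustration, not Cisco CSA code. It evaluates a snapshot of one
client's network state against the three table rows (ad-hoc, concurrent
wired/wifi, unsecured wifi) and returns the enforcement actions a defender
would expect an agent to take. All names and sample data are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed location-based SSID allow-list (constructed for the example).
ALLOWED_SSIDS = {
    "hq": {"corp-secure"},
    "branch": {"corp-secure", "branch-wifi"},
}

# Assumed set of link-layer security modes treated as "secured".
STRONG_AUTH = {"wpa2-psk", "wpa2-enterprise"}


@dataclass
class ClientState:
    location: str             # where the client believes it is (assumed input)
    wired_link_up: bool       # wired NIC has link
    wifi_connected: bool      # wireless NIC is associated
    ssid: Optional[str] = None
    adhoc: bool = False       # IBSS / peer-to-peer association
    wifi_auth: str = "none"   # e.g. "none", "wep", "wpa2-enterprise"


def evaluate(state: ClientState) -> List[str]:
    """Return policy actions, in table-row order, for one client state."""
    actions: List[str] = []
    if not state.wifi_connected:
        return actions                      # nothing wireless to police
    # Row 1: ad-hoc connections are wide open (unencrypted, unauthenticated).
    if state.adhoc:
        actions.append("block-adhoc")
    # Row 2: concurrent wired/wifi risks bridging into the secure wired LAN.
    if state.wired_link_up:
        actions.append("disable-wifi-traffic")
    # Row 3: location-based policy restricts SSIDs and raises requirements.
    if state.ssid not in ALLOWED_SSIDS.get(state.location, set()):
        actions.append("block-unapproved-ssid")
    elif state.wifi_auth not in STRONG_AUTH:
        actions.append("require-vpn")       # force VPN in an unsecured environment
    return actions
```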