Strategies for Delivering Secure Wireless Guest Access

Cisco Mobility TV Mobility TV Host Chris Kozup Marketing Manager, Mobility Solutions, Cisco Scott Pope Manager, Guest Access Product Management, Cisco Tony Diep IT Theater Service Manager for US & Canada, Cisco

Thank You for Joining Us Today The next wireless and mobility videocast event will take place on May 8, 2007 at 10:00 AM Pacific The featured subject will be Outdoor Wireless To register visit: http://www.cisco.com/go/semreg/mobilitytvepisodes/142299_3

The next wireless and mobility videocast event will take place on May 8, 2007 at 10:00 AM Pacific

The featured subject will be Outdoor Wireless

To register visit: http://www.cisco.com/go/semreg/mobilitytvepisodes/142299_3

Wireless in the News

Cisco Mobility Express Solution Affordable business-class mobility solution announced for small and medium businesses Application-Based Access Points, Controllers, plus Application Servers Cisco Mobility Express Solution Controller-Based Access Points Plus Controllers Offer a Mobile Foundation for All Standalone Access Points Grow with Your Business Adapt to Your Level of Sophistication

Affordable business-class mobility solution announced for small and medium businesses

Cisco Empowers the Wireless Branch Office Cisco introduces new WLAN Controller Module for the ISR and new 3G WAN interface to create the Empowered Wireless Branch Empowered Wireless Branch Integrated 3G Wireless WAN ISR Wireless LAN

Cisco introduces new WLAN Controller Module for the ISR and new 3G WAN interface to create the Empowered Wireless Branch

Cisco Wins TechTarget’s 2007 Gold Award Cisco awarded TechTarget Gold Award for Product Leadership in the Wireless Category Gold Award: Cisco WiSM/WLSM

Cisco awarded TechTarget Gold Award for Product Leadership in the Wireless Category

Cisco Teams with the NBA The NBA partners with Cisco to transform the experience of sports through the use of technology

The NBA partners with Cisco to transform the experience of sports through the use of technology

Upcoming Cisco Wireless Events Interop Las Vegas, Nevada May 20–26, 2007 Cisco Secure Wireless Road Show Sixteen cities in North America Ask your account rep for details

Interop

Las Vegas, Nevada

May 20–26, 2007

Cisco Secure Wireless Road Show

Sixteen cities in North America

Ask your account rep for details

Agenda Why Secure Guest Access? 1 Cisco on Cisco: Guest Access Case Study 2 Cisco’s Secure Wireless Guest Access Solution 3

Business Trends and Challenges Trends Widespread wireless deployment Over 65% of businesses use WLAN Mobility services new business imperative 67% of businesses reported up to 50 visitors per month requiring network access* Increased pressure to reduce network operational cost and complexity Research case revealed ROI of up to 328%* Challenges Optimize partner, vendor and customer interactions with wireless access to network resources Deliver guest access without exposing internal resources to security threats Security ranks as #1 wireless network concern Source: WLAN Adoption Study, Forrester Research, 2006

Trends

Widespread wireless deployment

Over 65% of businesses use WLAN

Mobility services new business imperative

67% of businesses reported up to 50 visitors per month requiring network access*

Increased pressure to reduce network operational cost and complexity

Research case revealed ROI of up to 328%*

Challenges

Optimize partner, vendor and customer interactions with wireless access to network resources

Deliver guest access without exposing internal resources to security threats

Security ranks as #1 wireless network concern

Wireless Guest Access Is Changing Business Retail Providing customers real-time product or service information for an enhanced, better informed consumer experience Healthcare Allowing suppliers to place refill orders on the premises to minimize inventory shortages Financial Enabling consultants to complete audits more accurately efficiently Carpeted Office Providing secure access to business partners and consultants to ensure faster decision making and increased business agility

Retail

Cisco Mobility TV Mobility TV Host Chris Kozup Marketing Manager, Mobility Solutions, Cisco Scott Pope Manager, Guest Access Product Management, Cisco Tony Diep IT Theater Service Manager for US & Canada, Cisco

Cisco on Cisco Guest Access Build a policy and architecture in which: Non-Cisco employees can access the Internet Where and when Cisco deems appropriate With Cisco's permission From Cisco’s infrastructure Secure, authenticated, recorded Objectives and Constraints

Build a policy and architecture in which:

Non-Cisco employees can access the Internet

Where and when Cisco deems appropriate

With Cisco's permission

From Cisco’s infrastructure

Secure, authenticated, recorded

Cisco on Cisco Guest Access Architecture WWW Guest Data Guest traffic tunneled in GRE BBSM “ hotspot.cisco.com” Employee generates access code via portal Corporate Current – Layer 3 Architecture WWW Guest Data Guest traffic tunneled in GRE NAC Appliance “ hotspot.cisco.com” Corporate Planned – Strategic

Cisco on Cisco Wireless SSID Architecture Wireless voice SSID EAP-FAST authentication WPA encryption QoS Broadcast = NO Guest networking SSID Open authentication No encryption Broadcast = YES Two production data SSIDs EAP-FAST authentication CKIP encryption on one WPA encryption on the other Broadcast = NO Cisco wireless voice users Cisco wireless data users NON-Cisco, guest WLAN users Common SSID configuration for all access points

Cisco on Cisco Guest Usage Trends - Global Average of 19,000 users per month (and rising) Over 228,000 guests past 12 months Over 330 buildings with wired & wireless guest services Guest Users

Average of 19,000 users per month (and rising)

Over 228,000 guests past 12 months

Over 330 buildings with wired & wireless guest services

Cisco on Cisco Support Cost Analysis – FY 2007 $14,450 Support Case Cost ($25 per case) $162,450 or $0.71 per guest Total Support Cost $148,000 Tier 2/3 Support (Est. 1 FTE) 578 # IT Support Cases (Annual) 228,048 Number of Guest Codes (Annual) FY 2007 Support Cost of Hotspot.cisco.com $162,450 Cost of “Hotspot.cisco.com” (see above) $5,538,750 Cost Avoidance $5,701,200 Total cost of support ($25 x 228,048) 228,048 # of helpdesk calls required (without guest service) FY 2007 Support Cost Pre-Hotspot.cisco.com

Cisco on Cisco Hotspot Benefits Access codes can be generated within 15 seconds Batch codes can be generated for large groups IT administrative overhead avoided Improved Turnaround Branded network experience – Cisco viewed as technology leader “ No hassle” network access Guest Experience Visitor sponsors responsible for generating code – no IT support needed Staff Empowerment Users must digitally sign acceptable use policy with legal disclaimer Legal Protection Controlled network access Uncontrolled, non-corporate clients segmented from enterprise network Improved Security Over $5M in potential support/administrative overhead avoided Cost Avoidance

Access codes can be generated within 15 seconds

Batch codes can be generated for large groups

IT administrative overhead avoided

Branded network experience – Cisco viewed as technology leader

“ No hassle” network access

Visitor sponsors responsible for generating code – no IT support needed

Users must digitally sign acceptable use policy with legal disclaimer

Controlled network access

Uncontrolled, non-corporate clients segmented from enterprise network

Over $5M in potential support/administrative overhead avoided

Mobility Services … Beyond Connectivity Security Guest Voice Location Guest networks for customers, partners and auditors Vendor replenishment networks Public access networks Automatic, 24 x 7 security and compliance monitoring for breaches via wireless medium Network access control based on user location Asset management Location-based content distribution Streamlined workflow using historical location data Real-time mobile voice communications Improved collaboration via mobile unified communications Faster customer service response Pervasive Wireless Network

Guest networks for customers, partners and auditors

Vendor replenishment networks

Public access networks

Automatic, 24 x 7 security and compliance monitoring for breaches via wireless medium

Network access control based on user location

Asset management

Location-based content distribution

Streamlined workflow using historical location data

Real-time mobile voice communications

Improved collaboration via mobile unified communications

Faster customer service response

Cisco Mobility TV Mobility TV Host Chris Kozup Marketing Manager, Mobility Solutions, Cisco Scott Pope Manager, Guest Access Product Management, Cisco Tony Diep IT Theater Service Manager for US & Canada, Cisco

Types of Network Users Corporate Employees Need internal network access Can be role based to allow granular access if needs require Need restricted internal access Printers File Shares Specific Applications Device Support Contractors/ Consultants Guest Users Internet Access Only No need to access internal systems Segment Access Completely Full Access Internet Only Cisco Guest Services Give You Control

Need internal network access

Can be role based to allow granular access if needs require

Need restricted internal access

Printers

File Shares

Specific Applications

Device Support

Internet Access Only

No need to access internal systems

Segment Access Completely

Cisco Solutions for Secure Guest Access Lobby admin portal for user provisioning End-user registration page Network partitioning using tunneling User authentication and authorization in local database or AAA server Usage logging and reporting Core features, plus… Network privileges based on roles End-user security posture assessment Full policy-based end-user portal customization using partners Unification of wireless and wired guest access Versatile Solutions for Diverse Deployment Environments Wireless Guest Access in Cisco Unified Wireless Enhanced Wired and Wireless Guest Access Core and Enhanced Options

Lobby admin portal for user provisioning

End-user registration page

Network partitioning using tunneling

User authentication and authorization in local database or AAA server

Usage logging and reporting

Core features, plus…

Network privileges based on roles

End-user security posture assessment

Full policy-based end-user portal customization using partners

Unification of wireless and wired guest access

Wireless Guest Access Back-end segmentation (mobility anchor) Separate the guest traffic from the corporate internal traffic via EoIP tunnels Lobby ambassador/ host portal Guest user creation and token generation Served from WLAN Controller or WCS Customizable guest screen Served from WLAN Controller or external server Back-end authentication Local WLAN Controller user database or external AAA Wired/Wireless VLANs Campus Core LWAPP LWAPP WCS Ether IP “ Guest Tunnel” Emp Emp Internet Ether IP “ Guest Tunnel” DMZ WLAN Controller Guest Emp Guest Emp

Back-end segmentation (mobility anchor)

Separate the guest traffic from the corporate internal traffic via EoIP tunnels

Lobby ambassador/ host portal

Guest user creation and token generation

Served from WLAN Controller or WCS

Customizable guest screen

Served from WLAN Controller or external server

Back-end authentication

Local WLAN Controller user database or external AAA

Lobby Ambassador Feature Simple and Fast Lobby Ambassador feature enables any staff member to enable guests Integrated Solution Runs on any controller and WCS Secure Generate individual guest name, unique password and duration of access

Simple and Fast

Lobby Ambassador feature enables any staff member to enable guests

Integrated Solution

Runs on any controller and WCS

Secure

Generate individual guest name, unique password and duration of access

Enhanced Wired and Wireless Guest Access Cisco NAC Appliance Provides: Very granular role-based access Endpoint posture assessment and remediation OS and posture restrictions QoS policy for guest users Integration with broader AAA servers Uniform guest access for wired/wireless Cisco “GuestNet” Customized Portal: Cisco developed portal services for “one-stop” shop Basic portal customization, per-user customization Partner User Portals Provide: Extensive portal customization Customizable logging, reporting, billing Temporary user accounts for email, printing, etc. Campus Core LWAPP LWAPP WCS Ether IP “ Guest Tunnel” Emp Emp Internet Ether IP “ Guest Tunnel” DMZ WLAN Controller NAC Appliance Wired/Wireless VLANs Guest Emp Guest Emp

Cisco NAC Appliance Provides:

Very granular role-based access

Endpoint posture assessment and remediation

OS and posture restrictions

QoS policy for guest users

Integration with broader AAA servers

Uniform guest access for wired/wireless

Cisco “GuestNet” Customized Portal:

Cisco developed portal services for “one-stop” shop

Basic portal customization, per-user customization

Partner User Portals Provide:

Extensive portal customization

Customizable logging, reporting, billing

Temporary user accounts for email, printing, etc.

Role-Based Access Control Validates authorization policies and privileges Layer 3/Layer 4 role-based access control (RBAC) to permit access to specific port, protocol, or subnet Supports multiple user roles Customized portals per guest user group – redirection to a pre-defined page for acceptable user policy notice Bandwidth throttling for each user role by assigning shared or dedicated bandwidth usage Secures internal wired Ethernet ports Scans for Security Requirements Guest session access scheduling Pre-configured Windows critical hot fixes and anti-virus application checks Performs repair and update Self remediation for quarantined users

Validates authorization policies and privileges

Layer 3/Layer 4 role-based access control (RBAC) to permit access to specific port, protocol, or subnet

Supports multiple user roles

Customized portals per guest user group – redirection to a pre-defined page for acceptable user policy notice

Bandwidth throttling for each user role by assigning shared or dedicated bandwidth usage

Secures internal wired Ethernet ports

Scans for Security Requirements

Guest session access scheduling

Pre-configured Windows critical hot fixes and anti-virus application checks

Performs repair and update

Self remediation for quarantined users

Implementation Considerations Ensure guest access to only Internet and authorized network resources Eliminate IT administrator involvement with user authorizations Leverage integration of wired and wireless network (policies and administration) Ensure internal users and applications have priority over guests Monitor network use and prohibit services on location or per-user basis Whatever the Business Reason for Guest Access, Implementation and Security Goals Should:

Ensure guest access to only Internet and authorized network resources

Eliminate IT administrator involvement with user authorizations

Leverage integration of wired and wireless network (policies and administration)

Ensure internal users and applications have priority over guests

Monitor network use and prohibit services on location or per-user basis

With Wireless… Now You Can

Now You Can… Enhance your customer’s retail experience Increase the time and money customers spend on site Improve vendor productivity and accuracy Allow suppliers to update inventory or restocking data real-time Provide a virtual support network for hospitalized patients Enable connectivity to the outside world with online access to family, friends, research, entertainment Track when and where users access the network Ensure the security of your facility and critical business data

Enhance your customer’s retail experience

Increase the time and money customers spend on site

Improve vendor productivity and accuracy

Allow suppliers to update inventory or restocking data real-time

Provide a virtual support network for hospitalized patients

Enable connectivity to the outside world with online access to family, friends, research, entertainment

Track when and where users access the network

Ensure the security of your facility and critical business data