
Cisco - Secure Enterprise WLAN


Presentation on Secure Enterprise WLAN & Cisco NGE for secure networks at Cisco Tech Day



  1. Cisco – Secure Enterprise WLAN: New Capabilities. Cisco NGE for secure networks. Jay Pitcher – Technical Solutions Architect, japitche@cisco.com
  2. Importance of 802.11ac Wave 2
  3. Addressing Growth: 802.11ac Wave 2
     • Highest Wi-Fi performance ever: higher data rate than the previous standard
     • Better end-device efficiency for highly demanding environments
     • Wider channels allow more wireless data to pass
     • Simultaneously deliver data to multiple devices
     • Conserve end-device battery
  4. Wi-Fi Connectivity Speed Timeline [figure: PHY data rate per standard and per device class by spatial-stream (SS) count: 3SS desktops/laptops, 2SS laptops/tablets, 1SS tablets/smartphones. Timeline: 802.11 (1997, 2 Mbps), 802.11b (1999, 11 Mbps), 802.11a/g (2003, 54 Mbps), 802.11n (2007, 65/300/450 Mbps), 802.11ac Wave 1 (2013, 290*/870*/1300* Mbps), 802.11ac Wave 2 (2015/2016, rates shown as 600*, 1730**, 2630**, 3500** and 5260** Mbps across the device classes). Wave 2 marks Gigabit Wi-Fi as primary access, with 2 Gigabit Ethernet uplinks or multi-gigabit uplinks and dual 5 GHz radios.]
     *Assuming 80 MHz channel is available and suitable. **Assuming 160 MHz channel is available and suitable.
  5. Better Traffic Handling: 802.11ac Wave 2 with 160 MHz wider channels
     • Wider channels allow more traffic to pass (20–40 MHz before, 80–160 MHz now)
     • Multi-User MIMO uses the channel to maximum capacity
  6. Simultaneous Data Delivery to Many Devices: Multi-User MIMO (MU-MIMO) versus Single-User MIMO (SU-MIMO). With Multi-User, Multi-In, Multi-Out, devices get on and off the network quicker, allowing more devices to be served.
  7. New Products and Certifications
  8. Cisco Unified Access Pillars (wired & wireless network)
     • Unified Policy (Identity Services Engine, ISE): scalable network policy management for all forms of network access (LAN, WLAN and VPN); Secure Group Access (SGA): simplified role-based access control and enforcement based on context, avoiding manual ACL/VLAN configuration; comprehensive guest management
     • Unified Management (Prime Infrastructure): single view for managing wired and wireless network elements; application visibility and assurance: deterministic end-user application experience across wired and wireless; third-party device management
     • Unified Network: common IOS operating system; common programmable fabric (UADP ASIC), SDN ready; consistent functionality across wired and wireless; Application Visibility & Control (AVC); sub-second stateful switchover (SSO)
  9. Cisco Unified Access = Portfolio Leadership [figure; certified platforms are marked in the original]
     • Converged Access, single wired/wireless platform: Catalyst 3850 and 3650 (up to 200 APs in a mobility group)
     • WLAN Controllers: large enterprise 8540, 8510, 5520, 5508; medium locations 2504; small locations Mobility Express (ME)
     • WLAN Access Points: indoor 3702, 2702, 1700, 1850/1830; outdoor 1572, 1532
  10. Cisco Wireless Government Certifications (today)
     What's certified:
     • All Cisco 11ac and 11n access points
     • All appliance and integrated controllers
     • MSE 8.0 and PI 2.2
     • APL listing for WLAS, WAB, WIDS
     Certifications (FIPS, CC, UCAPL, CSfC) on releases 7.0, 8.0 and IOS 3.6. Predictable wireless certification: the MD software release gets certified; a common release serves both Enterprise and Government customers; feature consistency and deployment flexibility; a comprehensive certified end-to-end solution.
  11. Cisco Wireless Government Certifications (tomorrow)
     What will be certified:
     • All current controllers and .11n/.11ac APs
     • New .11ac Wave 2 APs, 3802/2802
     • 5520/8540 controllers
     • New controller/mesh platforms
     Certifications (FIPS, CC, UCAPL, CSfC) on releases 8.3 and 16.3. Predictable wireless certification: the MD software release gets certified; a common release serves both Enterprise and Government customers; feature consistency and deployment flexibility; a comprehensive certified end-to-end solution.
  12. Introducing the Cisco 5520 and 8540: feature-rich, multi-mode and ready for Wave 2 802.11ac
     Simplified migration and manageability:
     • Right To Use licensing, ease of enablement and portability
     • Utilizes the new WLAN Express web GUI with best practices enabled
     • Allows the administrator to easily migrate the config from a previous WLC
     Services ready:
     • Ability to host multiple services such as Application Visibility and Control, Bonjour Services Directory, TrustSec, Guest, High Availability with SSO
     • Support for centralized, distributed and Mesh deployments
     Built for the scale of BYOD:
     • 5520 scales up to 1500 APs and 20,000 clients
     • 8540 scales up to 6000 APs and 64,000 clients
     Throughput to address the needs of Wave 2 11ac:
     • 5520 supports 20 Gbps of throughput
     • 8540 supports 40 Gbps of throughput
  13. Hardware Mechanical Details: 5520 WLC
     • Form factor: 1 RU
     • IO interface: dual 1G or 10G with LAG
     • Operating temperature: 5°C to 35°C
     • Storage temperature: -40°C to 65°C
     • Storage: Solid State Drive (SSD)
     • Power options: 770W AC with optional redundant PSU (hot-swappable)
  14. Hardware Mechanical Details: 8540 WLC
     • Form factor: 2 RU
     • IO interface: four 1G or 10G with LAG
     • Operating temperature: 5°C to 35°C
     • Storage temperature: -40°C to 65°C
     • Storage: hot-swappable SSD with RAID
     • Power options: 1200W AC, 930W DC, redundant PSU
  15. Evolution of Wireless LAN Controllers: Enterprise Campus and Full-Service Branch
     THEN (5508): 500 APs, 7000 clients, 8 Gbps throughput; 500 AP groups; 100 FlexConnect groups, 25 APs/FCG; 512 VLANs, 64 interface groups; 14000 PMK cache; 2000 rogue APs, 2500 rogue clients; 5000 RFIDs; 1000 APs/RRM group; 100000 AVC flows
     NOW (5520): 1500 APs, 20000 clients, 20 Gbps throughput; 1500 AP groups; 1500 FlexConnect groups, 100 Flex APs/FCG; 4095 VLANs, 512 interface groups; 40000 PMK cache; 24000 rogue APs, 32000 rogue clients; 25000 RFIDs; 3000 APs/RRM group; 320000 AVC flows
  16. Evolution of Wireless LAN Controllers: Enterprise Large Campus, SP Wi-Fi and Large Branch Operations
     THEN (8510): 6000 APs, 64000 clients, 10 Gbps throughput; 6000 AP groups; 2000 FlexConnect groups, 100 APs/FCG; 4095 VLANs; 40000 PMK cache; 24000 rogue APs, 32000 rogue clients; 50000 RFIDs; 320000 AVC flows
     NOW (8540): 6000 APs, 64000 clients, 40 Gbps throughput; 6000 AP groups; 2000 FlexConnect groups, 100 Flex APs/FCG; 4095 VLANs; 64000 PMK cache; 24000 rogue APs, 32000 rogue clients; 50000 RFIDs; 320000 AVC flows
  17. Innovations Only Cisco Delivers
     • Custom engineered hardware for business flexibility
     • Optimized Roaming: intelligently connects the proper access point as people move
     • Turbo Performance: scales to support more devices running high-bandwidth apps
     • Cisco CleanAir®: remediates device-impacting interference
     • Cisco ClientLink: improves performance of legacy and 802.11ac devices
     • Expandability: add functionality via module, Smart Antenna port or USB port
     • Radio Resource Management (RRM): automatic frequency and output power configuration and adjustments
     • High Availability: controller stateful switchover for mission-critical reliability
     • Application Visibility & Control: visibility and control over the applications used on the network
     • VideoStream: reliable and scalable support for broadcast of rich media
  18. Recent Innovations: Cisco Hyperlocation Technology & Solution. Granular indoor location accuracy to contextually connect users; engage and improve the guest experience.
     • Before: location approximated from RSSI only; range inferred, prone to errors; ±5 to 10 meter, room-level accuracy
     • After: direction to the client (Angle of Arrival, AoA) determined in addition to distance; multi-locating technology (AoA plus RSSI) with improved calculation; ±1 meter accuracy, a "blue dot" spotlight projected at the user's feet
  19. Recent Innovations: Angle of Arrival (AoA) = ~±1 meter accuracy
     • Different antenna elements hear the signal a little earlier/later than others, measured by the phase of the signal
     • Favors line of sight, with a high degree of accuracy in a 90 degree cone under the AP
     • [figure: AP antenna array, client, wavefront (rays with a common distance)] Each antenna element is a fraction of a wavelength closer to or farther from the client than its neighbor, and the exact value depends on the client location (if underneath => 0, if side-on => element spacing)
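The geometry the slide describes in words, written out as the equations an editor would add here (not part of the original deck). Take an array with element spacing $d$, carrier wavelength $\lambda$, and a plane wavefront arriving at angle $\theta$ from the array normal ($\theta = 0$ is a client directly underneath the AP):

```latex
\Delta \ell = d \sin\theta
\qquad
\Delta\phi = \frac{2\pi}{\lambda}\,\Delta \ell = \frac{2\pi d \sin\theta}{\lambda}
\qquad\Longrightarrow\qquad
\theta = \arcsin\!\left(\frac{\lambda\,\Delta\phi}{2\pi d}\right)

\text{Limits: } \theta = 0 \Rightarrow \Delta \ell = 0 \text{ (underneath)},
\quad \theta = 90^{\circ} \Rightarrow \Delta \ell = d \text{ (side-on)}

\text{At 5 GHz: } \lambda = c/f \approx 3\times10^{8}/5\times10^{9} \approx 6\ \text{cm}
```

The phase difference $\Delta\phi$ between neighbouring elements is what the AP measures; the two limit cases are the ones the slide states. Two practical consequences follow from the formula: the angle is only unambiguous when $d \le \lambda/2$ (about 3 cm at 5 GHz), otherwise the same $\Delta\phi$ maps to more than one $\theta$, and since $d\theta/d\Delta\phi$ grows as $1/\cos\theta$, a fixed phase-measurement error becomes a larger angular error toward the edge of the cone, which is why the slide limits the high-accuracy region to the cone under the AP.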
  20. Cisco Aironet Portfolio: positioned to capture the 802.11ac Wave 2 transition (* = future availability)
     Enterprise Class:
     • 1830: 3x3:2SS 80 MHz, 867 Mbps; Spectrum Analysis*; internal antenna; Tx Beamforming; 1 GE port; USB 2.0; Centralized, FlexConnect and Mobility Express
     • 1850: 4x4:4SS 80 MHz, 1.7 Gbps; Spectrum Analysis*; internal or external antenna; Tx Beamforming; 2 GE ports; USB 2.0; Centralized, FlexConnect and Mobility Express
     • 1810 Wall Plate: 2x2:2SS 80 MHz, 867 Mbps; Tx Beamforming; 1 GE uplink port; 3 GE local ports, including 1 PoE out; local ports 802.1X ready; integrated BLE gateway*
     • 1810 Teleworker: 2x2:2SS 80 MHz, 867 Mbps; 3 GE local downlink ports, including 1 PoE out; one or two local ports can be tunneled back to corporate
     Mission Critical:
     • 2800: 4x4:3SS 160 MHz, 5 Gbps; 2.4 GHz and 5 GHz or dual 5 GHz; 2 GE ports; internal or external antenna; Smart Antenna Connector; Enhanced Location* (external antenna); CleanAir 160 MHz; ClientLink 4.0; USB 2.0; Centralized, FlexConnect and Mobility Express*
     Best in Class:
     • 3800: 4x4:3SS 160 MHz, 5 Gbps; 2.4 GHz and 5 GHz or dual 5 GHz; 1 GE + 1 mGig (5G); internal or external antenna; Smart Antenna Connector; Enhanced Location* (external antenna); CleanAir 160 MHz; ClientLink 4.0; StadiumVision; USB 2.0; modularity; Centralized, FlexConnect and Mobility Express*
  21. Cisco Aironet Indoor Access Points Portfolio: industry's best 802.11ac series access points (* = future availability)
     Enterprise Class:
     • 1830: 802.11ac W2; 870 Mbps PHY; 3x3:2SS; Spectrum Analysis*; Tx Beamforming; USB 2.0
     • 1850: 802.11ac W2; 2.0 Gbps PHY; 4x4:4SS; Spectrum Analysis*; Tx Beamforming; 2 GE ports, USB 2.0
     Mission Critical:
     • 2800 (new): 5 Gbps PHY; 4x4:3SS, 160 MHz, MU-MIMO; 2 Ethernet ports, 2x GbE; dual 5 GHz; HDX technology; USB 2.0; StadiumVision; CleanAir 160 MHz, ClientLink 4.0, VideoStream
     Best in Class:
     • 3800 (new): 5 Gbps PHY; 4x4:3SS, 160 MHz, MU-MIMO; 2 Ethernet ports, GbE + mGig (1G, 2.5G, 5G); dual 5 GHz; HDX technology; USB 2.0; StadiumVision; CleanAir 160 MHz, ClientLink 4.0, VideoStream; side-mount modular architecture
  22. Comparing the Cisco Wave 2 AP Portfolio
     • Cisco Aironet 1830: max data rate 1.087 Gbps; antennas/spatial streams 3x3:2SS, 80 MHz; 1 Gigabit port; 1 USB 2.0 port; appliance & virtualized control
     • Cisco Aironet 1850: max data rate 2.4 Gbps; 4x4:4SS, 80 MHz; 2 Gigabit ports; 1 USB 2.0 port; appliance & virtualized control
     • Cisco Aironet 2800: max data rate 5 Gbps; 4x4:3SS, 160 MHz; 2 Gigabit ports; 1 USB 2.0 port; appliance & virtualized control
     • Cisco Aironet 3800: max data rate 5 Gbps; 4x4:3SS, 160 MHz; 2 Gigabit ports, or 1 Gigabit + 1 mGig (1 Gig, 2.5 Gig, 5 Gig); 1 USB 2.0 port; appliance & virtualized control
     Feature rows in the original table (Spectrum Analysis, Tx Beamforming, CleanAir/ClientLink, dual 5 GHz radios, Optimized Roaming, FlexSmart optimized radios, side-mount modularity, Smart Antenna Connector) carried per-model check marks that did not survive extraction.
  23. Power over Ethernet
     • AP2800/3800 are fully supported under 30W (802.3at/PoE+) power
     • LAG is supported on 2800/3800, or mGig can be used on the 3800
     • New AIR-PWRINJ6 (low-cost 30W 802.3at injector) works with GbE for 2800/3800
     • Local power supply for the 3800 (AIR-PWR-50)
  24. Reforming 5 GHz to Optimize for 802.11ac
     • More non-overlapping channels enabling a better 802.11ac experience
     • Today: 6x 80 MHz channels (5 in Canada and Europe); 2x 160 MHz channels (1 in Canada)
     • Future 5 GHz opportunity: additional spectrum liberalization (5.35–5.47 GHz and 5.85–5.925 GHz) allows, per channel bandwidth, the following number of non-overlapping channels: 20 MHz: 37; 40 MHz: 18; 80 MHz: 9; 160 MHz: 4
  25. Regulatory Domain Update
     • FCC
       – New "-B" regulatory domain version of existing APs coming in 1H CY16: 3600/2600/1600/702i/702w, 3700/2700/1700 and 3800/2800 Series; 1530/1570 and only H/S/WU from the 1550 Series; 1830/1850 and 1570 already support the -B reg domain
       – -B opens new channels 120, 124, 128, and catch-up for 144
       – Higher power allowed in UNII-1, some lower power limits in UNII-3
     • Recent country migrations
       – Vietnam, Thailand, Macau moving to -S
       – Algeria, Kuwait, Tunisia moving to -I
       – Malaysia moving to -K
       – Pakistan moving to -G
  26. Dynamic Bandwidth Selection (DBS): gives confidence in deploying wider channels
     • Before (complex configuration and inefficient use of spectrum): Radio Resource Management (RRM) selects the channel only; it is difficult to find non-overlapping channels; when interference impacts an 80 MHz channel 52/56/60/64, what can I use?
     • After (automatic and intelligent use of spectrum): RRM selects the channel and the channel width, with automatic detection of non-overlapping channels. Example: 80 MHz channel 52/56/60/64 with interference impacting only channel 60; the 3x 20 MHz channels 52, 56 and 64 are still available, or 1x 40 MHz (primary 20 + secondary 20 on 52/56) and 1x 20 MHz (64).
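The DBS decision on this slide, written out as an added Go example so the bonding rules are explicit (this is an editor's illustration, not Cisco RRM code or its algorithm; the names `CleanBonds`, `Plan` and `Describe` are the example's own). It goes slightly beyond the slide: given any set of interfered 20 MHz members of the 52/56/60/64 block, it enumerates every legal 802.11ac bonded channel that is still clean and then assigns the whole clean spectrum widest-first, which reproduces the slide's "1x 40 MHz and 1x 20 MHz" answer for interference on channel 60.

```go
package main

import (
	"fmt"
	"strings"
)

// block80 is the 80 MHz channel 52/56/60/64 from the slide, as its four 20 MHz
// members. 802.11ac bonding is rigid: the only 40 MHz channels inside it are the
// aligned pairs 52+56 and 60+64, and the only 80 MHz channel is all four.
var block80 = []int{52, 56, 60, 64}

// Bonded is one candidate channel: its width in MHz and its 20 MHz members.
type Bonded struct {
	Width   int
	Members []int
}

// CleanBonds lists every legal bonded channel inside block80 none of whose
// members RRM has flagged as interfered, widest first.
func CleanBonds(interfered map[int]bool) []Bonded {
	clean := func(members []int) bool {
		for _, ch := range members {
			if interfered[ch] {
				return false
			}
		}
		return true
	}
	var out []Bonded
	if clean(block80) {
		out = append(out, Bonded{80, block80})
	}
	for i := 0; i < len(block80); i += 2 { // aligned 40 MHz pairs only
		if pair := block80[i : i+2]; clean(pair) {
			out = append(out, Bonded{40, pair})
		}
	}
	for _, ch := range block80 {
		if !interfered[ch] {
			out = append(out, Bonded{20, []int{ch}})
		}
	}
	return out
}

// Plan is the DBS decision: take the widest clean bond, then keep adding the
// widest remaining bonds that do not overlap what was already chosen, so the
// whole clean spectrum is assigned rather than one narrowed channel.
func Plan(interfered map[int]bool) []Bonded {
	used := map[int]bool{}
	var plan []Bonded
	for _, b := range CleanBonds(interfered) {
		overlaps := false
		for _, ch := range b.Members {
			overlaps = overlaps || used[ch]
		}
		if overlaps {
			continue
		}
		for _, ch := range b.Members {
			used[ch] = true
		}
		plan = append(plan, b)
	}
	return plan
}

// Describe renders a plan as, for example, "40 MHz (52+56), 20 MHz (64)".
func Describe(plan []Bonded) string {
	parts := make([]string, 0, len(plan))
	for _, b := range plan {
		m := make([]string, len(b.Members))
		for i, ch := range b.Members {
			m[i] = fmt.Sprint(ch)
		}
		parts = append(parts, fmt.Sprintf("%d MHz (%s)", b.Width, strings.Join(m, "+")))
	}
	return strings.Join(parts, ", ")
}

func main() {
	fmt.Println("no interference:   ", Describe(Plan(nil)))
	fmt.Println("interference on 60:", Describe(Plan(map[int]bool{60: true})))
}
```

The "before" behaviour on the slide is the first branch of `CleanBonds` alone: if the 80 MHz bond is not clean the radio has nothing to fall back to without an operator re-planning widths by hand. The widest-first greedy choice in `Plan` is the example's own simplification; a real RRM run also weighs neighbouring APs' channel assignments and client mix before choosing a width.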
  27. Improve Connectivity to All Devices: ClientLink 4.0 improves device performance [figure: an 802.11ac Wave 2 access point using standard Tx Beamforming reaches only 802.11ac Wave 2 clients; with ClientLink it also improves 802.11a, 802.11g, 802.11n, 802.11ac Wave 1 and 802.11ac Wave 2 clients]
  28. Innovations Only Cisco Delivers
     • Radio Role Flexibility: adjust radio bands to better serve the environment
     • Custom engineered hardware for business flexibility
     • Optimized Roaming: intelligently connects the proper access point as people move
     • Turbo Performance: scales to support more devices running high-bandwidth apps
     • Zero-Impact AVC: hardware-based Application Visibility and Control without impact to performance
     • Cisco CleanAir®: remediates device-impacting interference
     • Cisco ClientLink: improves performance of legacy and 802.11ac devices
     • Expandability: add functionality via module, Smart Antenna port or USB port
     • Multigigabit Uplinks: free up wireless with faster wired network offload (Gb+)
     • Flex Dynamic Frequency Selection: automatically adjusts so as not to interfere with other radio systems
  29. What is an XOR Radio?
     • 2.4 GHz and 5 GHz on the same silicon
     • Allows serving of either a 2.4 GHz or a 5 GHz channel
     • Allows serial scanning of all 2.4 and 5 GHz channels
     • Role selection is manual or automatic (RRM)
  30. Flexible Radio Assignment (* denotes feature availability post-FCS)
     • Default operating mode: serve clients on both 2.4 GHz and 5 GHz
     • Dual 5 GHz: both radios serving clients on 5 GHz; maximum over-the-air data rate up to 5.2 Gbps
     • Wireless Security Monitoring: scan both 2.4 GHz and 5 GHz for security threats while serving clients on 5 GHz
     • Wireless Service Assurance*: proactively monitors network performance while serving clients on 5 GHz
     • Enhanced Location*: improves client location accuracy while serving clients on 5 GHz
  31. Dual 5 GHz: Macro/Micro Cell Architecture
     • Common in cellular deployments
     • Method for addressing non-linear traffic requirements
     • Allows more bandwidth to be applied to an area within a larger coverage cell
     • Significantly increases airtime efficiency and capacity
  32. AP2800/3800 Internal Antenna Hardware. Previously in the controller, access point radios were defined as Radio 0 = 2.4 GHz and Radio 1 = 5.0 GHz. Using Flexible Radio Assignment, Radio 0 can be configured as 2.4 GHz (default) or as an additional 5 GHz radio. If configured as a 5 GHz radio, the 2.4 GHz radio is disabled and the 5 GHz micro-cell antennas are used. The micro-cell antenna is 5 dBi at 5 GHz; the macro-cell antenna is 6 dBi at 5 GHz.
  33. Differences in antenna design allow for RF co-existence. Conventional AP footprint (macro-cell): uniform 360 degree coverage. Smaller AP footprint (micro-cell): uniform 360 degree coverage but for a smaller area, for high-density deployments. By using a spatially efficient and compact antenna design along with different channels and Tx RF power, both radios can co-exist internally.
  34. Dual 5 GHz External Antenna: Macro/Macro Cells
     • Using the DART connector on the E model enables dual 5 GHz cells with external antennas
     • Doubles the effective coverage for the cost of one additional antenna
     • Doubles capacity on the existing cable plant
     • The multi-gigabit port on the 3802 protects the throughput investment
  35. Dual 5 GHz External Antenna: Macro-Macro Cells. The cable allows the secondary 5 GHz radio antenna to be physically spaced away from the primary radio, allowing macro-macro operation.
     • Stadium antenna deployments for different coverage areas or higher-density areas
     • ANT-2566 in different directions, or even back-to-back tilted downward, for factory and warehouse deployments
     • Omni + directional deployments
  36. Smart Antenna Connector (3802e, 3802p and 2802e) [figure: primary antenna connectors for dipole and cabled antennas; Smart Antenna Connector for a secondary 5 GHz cabled antenna, a second cabled antenna or the Hyperlocation antenna; side-mount modular slot (3800 only)]
  37. Meet Any Wi-Fi Use Case: Expandability and Investment Protection [figure: module and antenna options: future Wi-Fi standard; IoT integration; custom compute platform; advanced security and spectrum analysis; 3G & LTE small cell; Bluetooth beacon and Bluetooth intelligence; Hyperlocation antenna; stadium panel antenna; directional antennas; self-discover/self-configure; 3G/LTE backhaul]
  38. Multigigabit Technology: offload wireless traffic faster. Cisco Multigigabit delivers up to 5x the speed of a 1 Gigabit port in the enterprise over standard Cat 5e/Cat 6 cables, without replacing the cabling infrastructure, and supports PoE up to 60W. The 2.5–5 Gigabit port is available on the recently announced 3800.
  39.–41. Cisco Unified Wireless Principles (built up over three slides)
     • Components: wireless LAN controllers; Aironet access points; management (Prime Infrastructure); Mobility Services Engine (MSE)
     • FlexConnect
     • Converged Access
     • Mesh network
     • Seamless roaming to the enterprise WLAN
     • Bridging
  42. Recommended Certified Design
     • Deploy the controller based on scale requirements: smallest sites (< 5 APs): FlexConnect AP; smaller sites (5–25 APs): 2504 WLAN controller; medium sites (25–300 APs): 5508 WLAN controller; larger sites (300+ APs): 8510 WLAN controller
     • Access point deployment: 2702/3702 802.11ac APs; 1572 outdoor mesh
     • Services: virtual services on UCS servers; a single server for PI, MSE and ISE; an HA server for redundancy
  43. Add Guest Services
     • Isolate guest traffic: utilize an anchor controller; isolate local or enterprise traffic; the client bridges to the network at the anchor controller
     • Utilize the integrated controller guest portal or the ISE guest portal
     • ISE provides rich on-boarding options and rich sponsor options
  44. Wireless Security: a network solution. Architecting "Network as a Sensor" and "Network as an Enforcer" [figure: network sensors (Lancope network sensor, NGIPS, NGFW, wireless & wired infrastructure, Cisco routers/branch, third-vendor devices via a threat API) and network enforcers (TrustSec Security Group Tags) exchange policy and context through ISE over the pxGrid API, backed by Cisco Collective Security Intelligence, to protect confidential data]
  45. Cisco Enterprise Network Visibility [figure: Cisco AVC device sensors/platforms (switch, router, AP, controller, FW, VM) feed orchestration/management (APIC-EM, Prime, web GUI), third-party visualization and third-party security/billing]
  46. Cisco Next-Generation Encryption Protocol Suite
     • Key establishment: ECDH P-256/384/521
     • Digital signatures: ECDSA P-256/384/521
     • Hashing: SHA-256/384/512
     • Authenticated encryption: AES-128/256-GCM
     • Authentication: HMAC-SHA-256/384/512
     • Entropy: SP 800-90
  47. Cisco NGE and Suite B
     • NGE is a superset of Suite B: Cisco has additional cipher suites
     • Upgrades all crypto mechanisms: new/upgraded algorithms, key sizes, protocols and entropy
     • Compatible with existing security architectures, e.g. DMVPN, GETVPN, P2P SAs
     • Standards-based components, available today in next-generation solutions
     • Targets Suite B (US), FIPS 140 (US/Canada), NATO
  48. Commercial Solutions for Classified Program
     • NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data
     • This provides the ability to communicate securely based on commercial standards, in a solution that can be fielded in months, not years
     • CSfC program requirements are customer-driven: CSfC vendors do not request features or drive requirements (http://www.nsa.gov/ia/programs/csfc_program/index.shtml)
  49. CSfC "Layered" Architectures for Classified
     • Architectural, defense-in-depth ("layers") approach to security
     • SECRET requires 2 layers of "countable" crypto at mLoS 128
     • TOP SECRET requires 2 layers of "countable" crypto at mLoS 192
     • Example: 1 + 1 = 2 countable layers is sufficient for protecting SECRET information: a Suite B VPN as countable layer #1 (outer tunnel) and Suite B application-layer security as countable layer #2. Approved encryption technologies can vary at each layer.
     (In Suite B terms, the mLoS 128 level corresponds to ECDH/ECDSA P-256, SHA-256 and AES-128, and the mLoS 192 level to P-384, SHA-384 and AES-256; a layer must use the full algorithm set of its level, not just one stronger primitive.)
  50. NGE vs Suite B vs CSfC
     • NGE (Cisco) is a superset of Suite B: it includes older, transitional ciphers as well as Suite B compliant and stronger ciphers
     • Suite B (NSA) is a consistent and specific implementation of cryptographic ciphers
     • CSfC (NSA) is a layered architecture of Suite B compliant COTS equipment
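Slide 46 lists the NGE primitives and slides 49 and 50 say a CSfC layer is built from the Suite B subset of them, but neither shows how the pieces fit together. The Go program below is an added worked example (an editor's illustration, not Cisco's implementation and not a CSfC-approved component) that composes one "countable" layer at the mLoS 128 / SECRET level from exactly the primitives on slide 46: ECDSA P-256 identity keys sign ECDH P-256 ephemeral public keys, the ECDH shared secret is passed through an HMAC-SHA-256 one-step KDF, and the record is protected with AES-128-GCM; Go's crypto/rand stands in for the SP 800-90 entropy source. The names `Party`, `Hello`, `TrafficKey`, `RunLayer` and the KDF label `csfc-layer-traffic-key` are the example's own, not protocol identifiers. For an mLoS 192 (TOP SECRET) layer the Suite B substitutions are P-384, SHA-384 and AES-256-GCM; the protocol shape does not change.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must aborts on entropy or key failure: there is nothing safe to continue with.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party holds a long-term ECDSA P-256 identity key and a per-session ECDH P-256
// key (mLoS 128). For an mLoS 192 layer the Suite B substitutions are P-384,
// SHA-384 and AES-256-GCM; nothing else in the protocol below changes.
type Party struct {
	ident *ecdsa.PrivateKey
	eph   *ecdh.PrivateKey
}

func NewParty() *Party {
	return &Party{must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdh.P256().GenerateKey(rand.Reader))}
}

// Hello is the wire message: the ephemeral public point, signed by the identity
// key so an on-path attacker cannot swap in a point of their own.
type Hello struct{ EphPub, Sig []byte }

func (p *Party) Hello() Hello {
	pub := p.eph.PublicKey().Bytes()
	h := sha256.Sum256(pub)
	return Hello{pub, must(ecdsa.SignASN1(rand.Reader, p.ident, h[:]))}
}

// TrafficKey verifies the peer's Hello with the identity key already trusted for
// that peer, runs ECDH, and derives the AES-128-GCM key with a one-block
// HMAC-SHA-256 KDF in the SP 800-56C one-step shape: HMAC(salt="", counter || Z || FixedInfo).
func (p *Party) TrafficKey(peerIdent *ecdsa.PublicKey, peer Hello) ([]byte, error) {
	h := sha256.Sum256(peer.EphPub)
	if !ecdsa.VerifyASN1(peerIdent, h[:], peer.Sig) {
		return nil, errors.New("ephemeral key not signed by the expected identity")
	}
	peerPub, err := ecdh.P256().NewPublicKey(peer.EphPub) // rejects off-curve points
	if err != nil {
		return nil, fmt.Errorf("peer point rejected: %w", err)
	}
	z := must(p.eph.ECDH(peerPub)) // both keys are on P-256, so this cannot fail here
	kdf := hmac.New(sha256.New, nil)
	for _, part := range [][]byte{{0, 0, 0, 1}, z, []byte("csfc-layer-traffic-key")} {
		kdf.Write(part)
	}
	return kdf.Sum(nil)[:16], nil
}

// RunLayer is one complete countable layer: client and gateway authenticate each
// other's ephemeral keys, derive the same key, and one AES-GCM record crosses.
func RunLayer(msg string) (string, error) {
	client, gw := NewParty(), NewParty()
	kc, err := client.TrafficKey(&gw.ident.PublicKey, gw.Hello())
	if err != nil {
		return "", err
	}
	kg, err := gw.TrafficKey(&client.ident.PublicKey, client.Hello())
	if err != nil {
		return "", err
	}
	aad := []byte("mLoS128 layer record") // authenticated by the GCM tag, not encrypted
	enc := must(cipher.NewGCM(must(aes.NewCipher(kc))))
	nonce := make([]byte, enc.NonceSize())
	must(rand.Read(nonce))
	rec := enc.Seal(nonce, nonce, []byte(msg), aad) // nonce prefixed to the record
	dec := must(cipher.NewGCM(must(aes.NewCipher(kg))))
	pt, err := dec.Open(nil, rec[:dec.NonceSize()], rec[dec.NonceSize():], aad)
	return string(pt), err
}

func main() {
	fmt.Println(RunLayer("SECRET-level record"))
}
```

The check that matters is in `TrafficKey`: the ECDH point is only used after its ECDSA signature verifies against the identity key the receiver already trusts for that peer, which is what stops an on-path attacker from substituting their own point and sitting between the two tunnel endpoints (an impostor's `Hello`, or a `Hello` whose point was altered in transit, returns an error and no key is derived). In a real CSfC deployment the two countable layers are two independent, separately approved products (for example the WPA2 outer layer and a VPN inner layer of slide 52); this example shows the algorithm composition inside one such layer, not a substitute for an approved product.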
  51. Cisco Wireless Infrastructure APL Listed: over 20 product categories across 8 CSfC components
  52. Campus WLAN Capability Package
     • The WLAN provides the outer layer of security
     • A common outer layer can support multiple inner layers (based on the 1.8 draft)
     • Tunnel to the unclassified network
     • Use a VPN for the inner layer of security
     [figure: AnyConnect client; WPA2 over the air and AES-256 encrypted CAPWAP form the outer tunnel; the Suite B VPN is the countable inner tunnel]
  53. Campus WLAN Capability Package (cont.)
     • Potential unwritten requirements: 500 m standoff from the facility perimeter; over-the-air AES-256 crypto
     • Requires an approved WLAN client
     • Client hardening requirements: https://www.nsa.gov/resources/everyone/csfc/components-list/#wlan-client
  55. Mobile Access Capability Package
     • Security traverses the unclassified network
     • The security enclave is relevant to LAN, WAN and WLAN
     • CSfC security is an enterprise network resource
     [figure: Suite B VPN as countable layer #1 (outer tunnel); Suite B VPN or application-layer security as countable layer #2 (inner tunnel)]
  56. Mobile Access Capability Package (cont.)
     • Primary CP being used for WLAN deployments
     • Allows the WLAN to stay black
     • Supports unclassified networks
     • Allows application-layer security for the 2nd tunnel: secure VDI, Jabber, any application; coexists with the VPN tunnel
     • Cisco 5921 now listed as an approved VPN client, so 2 layers of VPN can now be provided
  57. Cisco as the Single-Vendor, Multi-Platform Option for CSfC: allows a Cisco ASA to be used as an inner or outer VPN gateway when paired with an approved IOS/IOS-XE VPN router
  58. Plan for CSfC Success
     • Understand the effort for an approved solution: engagement with CSfC; registering the system; engaging a CSfC Trusted Integrator
     • Keep it simple, then grow (crawl, walk, run, fly): site to site; site to site over wireless mesh; portable solution over WLAN to client device; laptop over WLAN; mobile device over WLAN
  59. Wrap up
     • 802.11ac Wave 2: the future Cisco certified WLAN solution
     • 2800/3800 .11ac Wave 2 APs, the enterprise standard, with dual-radio capabilities
     • Secure wireless deployment options, part of the secure network
  60. Q & A