
Connecting Syria's Refugees

Cisco TACOPS partnered with NetHope.org to deploy advanced connectivity and security for refugees in 2015-2016 in response to the Syrian Refugee crisis in Europe. Architecture, management and cybersecurity are discussed.

Published in: Internet

  1. Connecting Syria’s Refugees. Matt Altman, Rakesh Bharania, Cisco Tactical Operations. NetHope Global Summit 2016, 7 November 2016. NetHope Emergency Response Working Group.
  2. Agenda:
     • Refugee Connectivity: Design for Mass Communication
     • Network Architectures
     • Built in Security and Quality
  3. Principles of Mass Communication. © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
  4. Mass Communications: What Made This Different.
     • Historically, Hastily Formed Networks (HFNs) have been deployed to support humanitarian workers only: a relatively low number of users and a small number of sites.
     • In the refugee crisis, providing communications to a mass population was the primary goal (similar to UN ETC 2020 CwC): tens/hundreds of thousands of users, multiple sites, broad geography.
     • Internet access was essential for asylum applications in Greece.
     • This forced us to make several design assumptions…
  5. Designing Networks Differently. Our networks had to be …
     • Standardized: One design that could be replicated multiple times across dozens of locations.
     • Portable: The smaller/lighter the hardware, the easier it was to transport and deploy.
     • Supportable: Ensure the networks could be supported and managed over the long-term with few resources on the ground.
     • Equitable: Networks had to support the maximum number of users, prevent “super users” from using too much bandwidth. Consider social dynamics (ensure gender equity, etc.)
  6. We couldn’t use “dumb pipe” networks. To support large numbers of users over a long duration, we needed…
     • Advanced Cybersecurity: advanced threat protection for refugee and humanitarian worker devices, even though we had no ability to enforce policy on any device.
     • Content Management: Block malware sites, peer-to-peer (network stability), adult content (cultural/social).
     • Traffic Shaping / QoS: Prioritize voice/video traffic to ensure quality.
     • Rate Limiting: Allow software updates to download w/o saturating network.
     • Network management: networks continually managed for performance, break/fix with little/no persistent on-site staff.
  7. Network Design
  8. [Network diagram. Labels shown: Internet uplinks DSL (4 Mbps x 1 Mbps), Tooway VSAT (10 Mbps x 1 Mbps, ground station) and 3G (Cradlepoint 2100); MX64 FW/gateway; access points MR72-GRE-007-AP1 and -AP2 (gateways); Ubiquiti M5 links; access points MR66-KIT-013-AP1 (Command Pole, gateway), -AP2 (Runway Pole, repeater), -AP3 (Wash Area, repeater), -AP4, -AP5 and -AP6 (repeaters).]
     Equipment:
     • Router: Meraki MX64. Cloud managed; Firewall, IPS, AMP; Content Filtering.
     • Access Point: Meraki MR66/72. Cloud managed; Dual Band; MESH; Identity based firewall.
     • PtP Wireless: Ubiquiti M5, 5GHz.
     • BackHaul: Cradlepoint AER 2100 (Cloud-managed, Dual Modem, Multi-carrier); Eutelsat Tooway VSAT.
  10. Deployment figures:
     • First teams deployed: November 2015
     • Nine Deployment Teams (NH Teams A – I)
     • Total Meraki Sites Deployed: 62 (14 decommissioned)
     • Number of users supported since November 2015: 400,000+
  11. Security
  12. Security: What are We Really Trying to Do
     • Protect the mission
     • Protect the vulnerable
     • Keep bad things out.
     • Keep critical services running
     • Know what’s happening on the network and devices
     • Balance security and access
     • Get it right every time.
  13. Humanitarian cybersecurity is different than the enterprise…
  14. Advanced refugee protection: Meraki MX + OpenDNS. Advanced security architecture for humanitarian response.
     [Diagram of layered defenses. Labels shown: Internet; Malware, C2/Botnets, Phishing; Perimeter and Endpoint; First Layer, Mid Layer, Last Layer; Meraki MX, Sandbox, Proxy, NGFW, NETFLW, AV.]
     Meraki MX Security Appliance:
     • SourceFire AMP stops malware on site – 220M known malicious files, 1.5M eval daily
     • Snort based IPS/IDS
     • Webroot BrightCloud content filtering
     OpenDNS Umbrella – DNS security in the cloud, constantly updated with botnet, malware sites in real-time.
  15. Results – Automated, multi-layered threat defense
     • 24/7 advanced security protection at every location, w/real-time updates (16,000 weekly clients, 18 TB/week)
     • 320,000 IPS block events / month (all sites)
     • Stopping novel/new mobile malware/rootkits without touching any client devices.
     • 1.7-2.4 million DNS queries analyzed for threat every 24 hours. Credible threats stopped in the cloud.
  16. What does this mean for vulnerable refugees?
     • Android malware is the number one threat. Example Android malware: Kemoge (Android rootkit), Triada (financial fraud malware)
     • We are protecting vulnerable refugees from theft of sensitive information on their devices, keeping their limited money out of the hands of organized crime.
     • We are protecting NetHope NGO & UN aid workers’ devices from these threats too!
  18. Thank you.