#CiscoLiveLA 2017: presentation by Jerome Henry

  2. Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD. Jerome Henry, Principal Engineer, CCIE 27450. Session BRKEWN-2005.
  3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
     Agenda. What this session will cover:
     • AP and WLC secure connection;
     • wireless radio threats;
     • secure/open SSID fundamentals;
     • client secure connection options;
     • CUWN and AireOS use cases.
     ...and what it won't:
     • configuration details;
     • version discrepancies;
     • roadmap;
     • IPv6;
     • not too much for guests.
     ...except when it does.
  4. For your reference: there are slides in the PDF that will not be presented, or only quickly presented. They are valuable, but included only "For your reference" (slides marked that way below).
  5. Agenda: • Secure the infrastructure • Protecting the air • Secure the clients • Network services • Use cases
  6. Cisco Digital Network Architecture for mobility (outcomes: insights and experiences; automation and assurance; security and compliance).
     • Automation: Plug n Play; EasyQoS; ISE: 802.1X, BYOD and guest; open APIs: modular APs with RESTful APIs.
     • Cloud service management: CMX 10.x with context and guest.
     • Platforms and virtualization: modular APs with RESTful APIs; DNA-optimized controllers 3504, 5520, 8540; various VM models: ESXi, KVM, Hyper-V, AWS.
     • Assurance: RESTful APIs on the WLC; NetFlow export; Apple network optimization and FastLane principles.
  7. WLAN portfolio with integrated security: integrated security within APs and WLCs, advanced security with policies, segmentation and visibility.
     • Protect the air: Base WIPS, rogue detection, CleanAir, Adaptive WIPS.
     • Protect the network and the clients: default best practices, 802.11w, DTLS, Identity PSK, TrustSec (with ISE), Cisco Umbrella, Cisco Stealthwatch.
     • Trust: Cisco Trustworthy Systems; certifications (FIPS, Common Criteria, DoD UC APL).
  8. Embedded security built for today's threats: security expertise and innovation, evidence of trust.
     "Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions... There has never been a greater need to improve network infrastructure security." (US-CERT Alert TA16-251A, September 2016)
     Trustworthy Systems protect the device. Learn more: visit trust.cisco.com; see BRKARC-1010 "Protecting the Device: Cisco Trustworthy Systems & Embedded Security"; Meet the Engineer topic "Security and Trust Architecture".
  9. Cisco Trustworthy Systems levels, enterprise wireless:
     • Platform integrity: counterfeit protections, image signing, secure boot, modern crypto, hardware trust anchor, secure device onboarding.
     • Protections against attack: IP Source Guard, ACLs, WIPS/rogue detection, DHCP snooping, secure transport, 802.11w/r/i, TrustSec, NetFlow.
     • Solution-level protection (protects the network): ISE, Stealthwatch, Umbrella.
     • Security culture: PSIRT advisories, security training, product security baseline, threat modeling, open source registration, supply chain management.
     Learn more: BRKARC-1010 "Protecting the Device: Cisco Trustworthy Systems & Embedded Security".
  10. End-to-end security, a glimpse:
     • AP: securing the air through accurate classification of rogues and interference; secure communication with other APs via 802.11w/MFP and DTLS; security at the edge with aWIPS.
     • Controller: NetFlow collection.
     • Security and insights: Lancope (Network as a Sensor, NaaS); CMX geofencing limits access to within the physical perimeter.
     • ISE: secure authentication with 802.1X; securing personal devices (BYOD); simple guest deployment; per-device and per-application policies; easy segmentation with TrustSec; IoT classification and policy.
     • Cisco Umbrella: content filtering and protection against cyber-attacks.
     • Switch: IoT segmentation with TrustSec (Network as an Enforcer, NaaE).
     • Devices: ISE plus Meraki or third-party MDM; application prioritization.
  11. Secure the Infrastructure
  12. Secure infrastructure feature highlights: infrastructure hardening; Plug n Play; FIPS support; encryption; 802.11 MFP and 802.11w; certificate store; best practices; Trustworthy Systems.
  13. Securing the infrastructure:
     • how to secure the AP connectivity and access;
     • how to secure the communication between the WLC and the AP;
     • how to secure the radio: intrusion detection/prevention; rogue access points; interference.
     CAPWAP between the Access Point (AP) and the Wireless LAN Controller (WLC): control messages on UDP 5246, data encapsulation on UDP 5247.
  14. Securing the AP-WLC communication: CAPWAP tunnels (see also BRKEWN-2010).
     • CAPWAP control (UDP 5246) is DTLS-encrypted by default.
     • CAPWAP data (UDP 5247) is encapsulated but not encrypted by default.
     • Option to encrypt the data traffic for specific APs since release 7.0: DTLS data encryption between AP and WLC.
     • Performance impact: without Data DTLS the average vWLC throughput is 200 Mbps; with all APs using Data DTLS it is 100 Mbps.
     Why it matters: in local mode the AP decrypts the client's 802.11 traffic before tunnelling it to the WLC, so without Data DTLS the traffic that was protected over the air crosses the wired AP-to-WLC path in the clear. Enable Data DTLS, or keep that path on a trusted segment, wherever the AP-WLC link crosses infrastructure you do not control.
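To audit whether Data DTLS is actually in place on a given AP-WLC path, the CAPWAP preamble tells you directly: a type-1 preamble means a DTLS record follows, a type-0 preamble means a clear CAPWAP header follows. The block below is an added example (not from the deck and not Cisco code) that classifies UDP 5246/5247 flows that way; the packets and addresses are constructed for the example, and the framing follows RFC 5415 section 4 plus the DTLS record header.

```python
"""Audit UDP flows for CAPWAP tunnels that are not protected by DTLS.

Added example. Framing per RFC 5415 section 4 (CAPWAP preamble / header) and
RFC 6347 (DTLS record header). Sample packets below are constructed, not captured.
"""
from dataclasses import dataclass

CAPWAP_CONTROL_PORT = 5246   # CAPWAP control channel (DTLS by default on AireOS)
CAPWAP_DATA_PORT = 5247      # CAPWAP data channel (clear by default on AireOS)

# CAPWAP preamble: 4-bit version (0) and 4-bit type; type 0 = clear CAPWAP
# header, type 1 = "CAPWAP DTLS header" (a DTLS record follows the preamble).
PREAMBLE_TYPE_CAPWAP = 0
PREAMBLE_TYPE_DTLS = 1


@dataclass(frozen=True)
class UdpPacket:
    src: str
    dst: str
    dport: int
    payload: bytes


def classify_capwap(payload: bytes) -> str:
    """Return 'dtls', 'clear' or 'unknown' for one CAPWAP UDP payload."""
    if len(payload) < 4:
        return "unknown"
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        return "unknown"
    if ptype == PREAMBLE_TYPE_DTLS:
        # Preamble + 3 reserved octets, then a DTLS record: content type 20..23,
        # protocol version 0xFEFF (DTLS 1.0) or 0xFEFD (DTLS 1.2).
        rec = payload[4:7]
        if len(rec) == 3 and rec[0] in (20, 21, 22, 23) and rec[1:3] in (b"\xfe\xff", b"\xfe\xfd"):
            return "dtls"
        return "unknown"
    if ptype == PREAMBLE_TYPE_CAPWAP:
        # Clear CAPWAP header: HLEN (top 5 bits of byte 1) counts 4-byte words
        # and must cover at least the 8-byte fixed header.
        hlen_words = payload[1] >> 3
        if hlen_words >= 2 and len(payload) >= hlen_words * 4:
            return "clear"
    return "unknown"


def audit(packets):
    """Yield (ap, wlc, channel, finding) once per (src, dst, port) flow that is
    not DTLS-protected or not parseable; DTLS-protected flows produce nothing."""
    seen = set()
    for p in packets:
        if p.dport not in (CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT):
            continue
        key = (p.src, p.dst, p.dport)
        if key in seen:
            continue
        seen.add(key)
        kind = classify_capwap(p.payload)
        channel = "control" if p.dport == CAPWAP_CONTROL_PORT else "data"
        if kind == "clear":
            yield (p.src, p.dst, channel, "CAPWAP %s channel NOT DTLS-protected" % channel)
        elif kind == "unknown":
            yield (p.src, p.dst, channel, "not parseable as CAPWAP")


# ---- constructed sample traffic ------------------------------------------
# Clear CAPWAP data frame: preamble 0x00, HLEN = 2 words (0x10 = 2 << 3), the
# rest of the fixed header zeroed, then a dummy encapsulated frame.
CLEAR_DATA = bytes([0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]) + b"\x00" * 14
# DTLS-protected frame: preamble 0x01, 3 reserved bytes, DTLS 1.2 application
# data record header (type 23, version fe fd, epoch/seq/length) and ciphertext.
DTLS_FRAME = bytes([0x01, 0x00, 0x00, 0x00, 23, 0xFE, 0xFD]) + b"\x00" * 8 + b"\xaa" * 16

SAMPLE = [
    UdpPacket("10.1.20.11", "10.1.1.5", CAPWAP_CONTROL_PORT, DTLS_FRAME),  # control, DTLS (default)
    UdpPacket("10.1.20.11", "10.1.1.5", CAPWAP_DATA_PORT, CLEAR_DATA),     # AP without Data DTLS
    UdpPacket("10.1.20.11", "10.1.1.5", CAPWAP_DATA_PORT, CLEAR_DATA),     # same flow, reported once
    UdpPacket("10.1.20.12", "10.1.1.5", CAPWAP_DATA_PORT, DTLS_FRAME),     # AP with Data DTLS
]

if __name__ == "__main__":
    for ap, wlc, chan, finding in audit(SAMPLE):
        print(f"{ap} -> {wlc} [{chan}]: {finding}")
```

Run it against a capture taken on the switch uplink towards the WLC; only the CAPWAP data flow of the AP without Data DTLS is reported, which is exactly the path on which client traffic is readable.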
  15. Securing the AP-WLC communication: Manufacturer Installed Certificate (MIC). The DTLS sessions for CAPWAP control (UDP 5246) and, when enabled, CAPWAP data (UDP 5247) are authenticated with X.509 certificates; by default the AP and the WLC present the MIC that Cisco installs at manufacturing.
  16. Securing the AP-WLC communication: Locally Significant Certificate (LSC), issued by your own PKI to the APs and the WLC instead of the MIC, so that only devices you have enrolled can join. Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html
  17. Securing the AP-WLC communication: Out-of-Box AP group and RF profile (release 7.3+). New APs join the Out-of-Box AP group, whose RF profile keeps the radios disabled; once an AP is moved to its site AP group (Berlin AP group in the example) its radios are enabled. Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#ID2870
  18. APIC-EM Plug-n-Play (PnP) for APs (AireOS 8.2). The PnP server holds, per site, the AP's product ID, serial number, hostname and configuration:
     Site    Product ID          Serial #      Hostname   Configuration
     Site-2  AIR-CAP3702I-A-K9   RFD0XP2T025   Site-2-AP  Site-2-Config
     Site-3  AIR-CAP3702I-A-K9   RFE0ZP2T026   Site-3-AP  Site-3-Config
     Each configuration names the WLC, AP group and AP mode:
     Site-2-Config: WLC IP WLC-2a, AP name Site-2-AP, AP mode Local, AP group Site-2-Group.
     Site-3-Config: WLC IP WLC-3a, AP name Site-3-AP, AP mode FlexConnect, AP group Site-3-Group.
  19. APIC-EM Plug-n-Play (PnP) for secure provisioning of access points. The AP discovers APIC-EM through DHCP option 43 or by resolving pnpserver.<dhcp-domain-option> in DNS. An AP whose serial number is in a project (AP SN #123) receives its configuration file (WLC IP, Berlin AP group, etc.); an AP that is in no project list (AP SN #456) lands in the claim list and waits for an administrator. Because discovery trusts DHCP and DNS on the staging VLAN, protect that VLAN (DHCP snooping, controlled DNS) so that a rogue PnP server cannot hand an AP a configuration. AP PnP deployment guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html
  20. Securing the AP-WLC communication: default AP group and WLAN ID > 16 (for your reference). WLANs with ID 1-16 are broadcast by the default AP group; WLANs with ID 17 and higher are broadcast only by the AP groups that explicitly contain them (Berlin AP group in the example). Creating production WLANs with ID 17+ means that an AP that joins with the default AP group, for instance a freshly staged one, does not advertise them.
  21. Wireless connection workflow between endpoint, AP and WLC (CAPWAP control messages UDP 5246, data encapsulation UDP 5247):
     1) 802.11 Probe Request / Probe Response (the probe request is forwarded to the WLC);
     2) Authentication Request / Response (802.11 authentication; this is not the 802.1X exchange, and in the PSK case it is the open-system step before the key handshake);
     3) (Re)Association Request / Response;
     4) 802.1X phase, if enabled;
     5) EAPoL key exchange for PSK or 802.1X;
     6) other identity services.
     Steps 1-3 are the IDS/wIPS focus.
  22. AP control at the access layer, a few words on 802.1X. Roles: supplicant (here the AP), authenticator (the switch, Layer 2 point-to-(multi)point link, EAP over LAN), authentication server (RADIUS over the Layer 3 link).
     Beginning: EAPoL-Start; EAPoL-Request Identity; EAP-Response Identity: Printer; RADIUS Access-Request [AVP: EAP-Response: Printer].
     Middle: RADIUS Access-Challenge [AVP: EAP-Request EAP-FAST]; EAP-Request: EAP-FAST; EAP-Response: EAP-FAST; RADIUS Access-Request [AVP: EAP-Response: EAP-FAST]; multiple challenge/request exchanges possible.
     End: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]; EAP Success.
  23. AP control at the access layer: 802.1X credentials for the AP. The AP acts as supplicant towards the switch port (authenticator), with the RADIUS server as authentication server. On the AP:
       AP# capwap ap dot1x username [USER] password [PWD]
     Not supported at the time of the session on 1800/2800/3800 APs.
  24. AP control at the access layer: the FlexConnect challenge. A FlexConnect AP "needs" a trunk port, while 802.1X (usually) needs an access port:
       interface GigabitEthernet1/0/1
        switchport access vlan 100
        switchport mode access
        authentication port-control auto
        dot1x pae authenticator
        ...
  25. AP control at the access layer: the FlexConnect challenge, solved with an interface template (IOS 15.2(2)E; see LABSEC-2004). The AP says "Here I am", the switch asks the RADIUS server "What do you think?", and the server answers "Accept. Here is the interface template":
       cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE
       template FLEXCONNECT_AP_TRUNK_TEMPLATE
        switchport trunk native vlan 100
        switchport trunk allowed vlan 100,110,120,130
        switchport mode trunk
        spanning-tree portfast trunk
     The port stays an 802.1X access port until the AP has authenticated, and only then becomes a trunk.
  26. Security and Threat Mitigation
  27. Security and threat mitigation with the 2800/3800 XOR radio and Flexible Radio Assignment (FRA): enabled by dual 5 GHz, the flexible radio can serve 5 GHz, serve 2.4 GHz, or monitor 5/2.4 GHz, adjusting the radio bands to better serve the environment. Features in this area: P2P blocking, client exclusion, aWIPS, ELM (Enhanced Local Mode), rogue detection (local, monitor and security-module modes), Cisco CleanAir, off-channel scanning, classification, TKIP encryption, 8.3 MR1, EDRRM.
  28. wIPS process flow and component interactions. Base wIPS: (1) AP, (2) WLC, (3) Prime Infrastructure (optional). Adaptive wIPS: (1) AP, (2) WLC, (3) MSE 8.x, (4) Prime Infrastructure.
     Solution        Components                              Functions                                                    Licensing
     Base WIPS       WLC, AP, Prime Infrastructure (optional) 17 native signatures; rogue detection and containment       no licensing required
     Adaptive WIPS   WLC, AP, MSE, Prime Infrastructure       comprehensive over-the-air threat detection and mitigation  licensed feature on MSE
     Cisco WIPS solution = Base WIPS + Adaptive WIPS.
  29. Intrusion Detection System (IDS): works with the basic WLC+AP; 17 pre-canned signatures; additional custom signatures are supported.
  30. aWIPS: accurate detection and mitigation.
     • Detection: signature and anomaly detection, network traffic analysis, device inventory analysis, on/off-channel scanning. Threats: rogue APs/clients, ad-hoc connections, over-the-air attacks, cracking, reconnaissance, DoS.
     • Classification: default tuning profiles, customizable event auto-classification, wired-side tracing, physical location.
     • Notification: unified PI security dashboard, flexible staff notification, device location.
     • Mitigation: wired port disable, over-the-air mitigation, auto or manual, uses all APs for superior scale.
     • Management: role-based with audit trails, customizable event reporting, PCI reporting, full event forensics.
  31. Wireless Intrusion Prevention System (wIPS), threat classes: denial of service (service disruption); evil twin/honeypot AP (the attacker's AP); reconnaissance (seeking network vulnerabilities); cracking tools (sniffing and eavesdropping); non-802.11 attacks (backdoor access through a Bluetooth AP; service disruption by radar, RF jammers, Bluetooth or microwave, detected by CleanAir and tracked by MSE); ad-hoc wireless bridge (client-to-client backdoor access); rogue access points.
  32. wIPS with Cisco Mobility Services Engine (MSE) 8.0: APs report to their WLCs, which feed the MSE; Prime Infrastructure manages the solution, and the MSE integration uses SOAP/XML over HTTP/HTTPS.
  33. IDS and wIPS signatures (for your reference): the IDS signatures live on the WLC, the wIPS signatures on the MSE.
  34. Supported AP modes for wIPS, four deployment profiles: data on 2.4 and 5 GHz with wIPS on all channels; data on 2.4 and 5 GHz with wIPS on all channels; data on 5 GHz with wIPS on all channels; data on 2.4 and 5 GHz with wIPS on all channels "best effort". Cisco Adaptive wIPS deployment guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500
  35. Cisco wireless security deployment with AP3800/2800: maintains capacity and avoids interference.
     Feature                                  ELM (good)                                                Monitor mode AP (better)            ELM with FRA monitor mode (best)
     Deployment density                       all serving APs                                           1 in 5 APs                          1 radio per 5 APs
     Client serving with security monitoring  yes                                                       no                                  yes
     wIPS security monitoring                 50 ms off-channel scan on selected channels, 2.4 and 5 GHz 7x24, all channels on 2.4 and 5 GHz  7x24, all channels on 2.4 and 5 GHz
     CleanAir spectrum intelligence           7x24 on the client-serving channel                        7x24, all channels on 2.4 and 5 GHz  7x24, all channels on 2.4 and 5 GHz
     (The chart contrasts the serving channel with short off-channel dwells for ELM, continuous sweeps of channels 1, 2, ... 11 and 36, 38, ... 157, 161 for monitor mode, and both at once for ELM with FRA.)
  36. Rogue access points, what are they? A rogue AP is an AP that does not belong to our deployment. We might need to care (malicious, or on our network) or not (friendly). Sometimes we can disable them, sometimes we can mitigate them. Neither the WLC nor the neighbouring AP recognizes it: "I don't know it." "Me neither."
  37. Rogue detection and mitigation.
     • Rogue classification and containment: rogue rules; manual classification (friendly/malicious); manual and auto containment.
     • CleanAir with rogue AP types: Wi-Fi invalid channel, Wi-Fi inverted.
     • Rogue location: real-time with PI, MSE and CleanAir; location of rogue APs and clients, ad-hoc rogues and non-Wi-Fi interferers.
     Who scans: a data-serving AP serves clients on 2.4 and 5 GHz and goes 50 ms off-channel; a monitor mode AP scans 1.2 s per channel; with FRA plus monitor mode one radio serves clients on a dedicated 5 GHz channel while the other scans 1.2 s per channel.
  38. Rogue AP detection: rogue rules in the WLC and general options (screenshot).
  39. Containing multiple rogues with a single click.
     • Since 7.4 the WLC allows manual containment of multiple rogue APs in a single click.
     • Rogues are classified and the admin alerted; the admin can then initiate containment in a single click.
     • The AP nearest to the rogue AP sends the containment packets to it.
     • Rogue clients per rogue AP increased from 16 to 256 (the 2504 supports 64 rogue clients per rogue AP).
     Step 0: create the rogue policy. Step 1: select the rogues (click to select all). Step 2: click [Contain] (contain all).
  40. Policy-based auto containment.
     • Custom rogue policies let the administrator define multiple rogue rules, each with an automated action.
     • Based on the administrative rogue rule, a rogue AP/client can be automatically classified as internal or external rogue and can trigger auto-containment.
     Rule type   Notify / action               Custom severity
     Friendly    alert; internal or external   no
     Malicious   alert or contain              no
     Custom      alert or contain              yes (1...100)
     Step 1: create a rogue rule with a containment action. Step 2: the filtered rogue list is contained automatically.
  41. Rogue AP detection: Rogue Location Discovery Protocol (RLDP). An AP associates to the rogue AP as a client and sends an RLDP message (UDP 6352) towards the WLC; if the message arrives, the rogue is connected to our wired network. Caveats:
     • it only works if the rogue SSID is open;
     • it does not work if the RLDP message gets filtered on the way;
     • while trying to associate to the rogue AP, the RLDP AP stops serving clients (up to 30 s).
  42. Rogue AP detection: Rogue Detector mode. A rogue detector AP is connected to a trunk carrying all monitored VLANs (WLC, AP, client, etc.) and matches the ARP traffic it sees on the wire against the rogue client MACs heard over the air. Caveats:
     • it only works if the rogue client's MAC is not behind NAT;
     • it supports up to 500 rogue MACs.
     Configuration guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html
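The rule table on slide 40, the "first matching rule wins" behaviour of an ordered rule list, and the on-wire evidence that the rogue detector AP produces fit together in a few dozen lines. The block below is an added example in Python, not the WLC's implementation: the rule vocabulary (friendly / malicious / custom with a severity, alert or contain) is the deck's; the observation fields, the ARP-based on-wire check that stands in for the rogue detector AP, the managed-SSID check, and every sample rogue, SSID and MAC address are constructed assumptions.

```python
"""Rogue AP classification engine in the spirit of AireOS rogue rules (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    rssi_dbm: int                  # strongest RSSI any of our APs hears it at
    encrypted: bool
    client_macs: Set[str] = field(default_factory=set)   # clients heard talking to it


Condition = Callable[[RogueAP, dict], bool]


@dataclass
class RogueRule:
    name: str
    kind: str                      # "friendly", "malicious" or "custom"
    action: str                    # "alert" or "contain"
    conditions: List[Condition]    # all must hold for the rule to match
    severity: Optional[int] = None # only "custom" rules carry a severity (1..100)

    def __post_init__(self):
        if self.kind not in ("friendly", "malicious", "custom") or self.action not in ("alert", "contain"):
            raise ValueError("unknown rule type or action")
        if self.kind == "custom":
            if self.severity is None or not 1 <= self.severity <= 100:
                raise ValueError("custom rules need a severity in 1..100")
        elif self.severity is not None:
            raise ValueError("only custom rules carry a severity")
        if self.kind == "friendly" and self.action == "contain":
            raise ValueError("friendly rules only alert")


def on_wire(rogue: RogueAP, ctx: dict) -> bool:
    """Rogue-detector check: a client MAC heard over the air also appears in the ARP
    table learned on the monitored wired VLANs, so the rogue bridges onto our LAN.
    Misses rogues that NAT their clients, which is the caveat on slide 42."""
    return any(mac in ctx["arp_macs"] for mac in rogue.client_macs)


def managed_ssid(rogue: RogueAP, ctx: dict) -> bool:
    """Honeypot / evil twin: the rogue advertises one of our own SSIDs."""
    return rogue.ssid in ctx["managed_ssids"]


def classify(rogue: RogueAP, rules: List[RogueRule], ctx: dict) -> dict:
    """First matching rule wins, as with an ordered rule list; no match = unclassified, alert only."""
    for rule in rules:
        if all(cond(rogue, ctx) for cond in rule.conditions):
            return {"rule": rule.name, "class": rule.kind, "action": rule.action, "severity": rule.severity}
    return {"rule": None, "class": "unclassified", "action": "alert", "severity": None}


def to_contain(rogues: List[RogueAP], rules: List[RogueRule], ctx: dict) -> List[str]:
    """BSSIDs the auto-containment policy would act on."""
    return [r.bssid for r in rogues if classify(r, rules, ctx)["action"] == "contain"]


# ---- constructed rule set and observations --------------------------------
RULES = [
    RogueRule("neighbor-cafe", "friendly", "alert",
              [lambda r, c: r.ssid == "CafeGuest" and r.rssi_dbm < -75]),
    RogueRule("on-wire", "malicious", "contain", [on_wire]),
    RogueRule("evil-twin", "malicious", "contain", [managed_ssid]),
    RogueRule("loud-open", "custom", "alert",
              [lambda r, c: r.rssi_dbm >= -60, lambda r, c: not r.encrypted], severity=70),
]

CONTEXT = {
    "managed_ssids": {"CorpSecure", "CorpGuest"},
    "arp_macs": {"3c:5a:b4:00:00:11", "00:11:22:33:44:55"},   # as learned via the rogue detector's trunk
}

SAMPLE_ROGUES = [
    RogueAP("02:aa:bb:cc:dd:01", "CafeGuest", -82, False),                           # weak neighbour
    RogueAP("02:aa:bb:cc:dd:02", "HomeNet", -70, True, {"3c:5a:b4:00:00:11"}),       # its client is on our wire
    RogueAP("02:aa:bb:cc:dd:03", "CorpSecure", -65, True),                           # impersonates our SSID
    RogueAP("02:aa:bb:cc:dd:04", "FreeWifi", -55, False),                            # loud, open, not ours
]

if __name__ == "__main__":
    for rogue in SAMPLE_ROGUES:
        print(rogue.bssid, rogue.ssid, classify(rogue, RULES, CONTEXT))
    print("contain:", to_contain(SAMPLE_ROGUES, RULES, CONTEXT))
```

Order matters: the on-wire rule sits before the evil-twin rule so that a rogue matching both is reported with the stronger evidence, and a friendly rule can never contain (the constructor refuses it). Keep "contain" for rules backed by evidence that the device is on your wire or impersonating your SSID; containing a neighbour's legitimate AP is a denial of service against them and may be illegal in your jurisdiction, which is why the deck pairs auto-containment with rule-based classification rather than blanket policy.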
  43. Rogue AP detection: switch port tracing (for your reference). Prime Infrastructure follows the CDP neighbours and the CAM tables of successive switches (next hop by next hop) to find the port the rogue is plugged into.
  44-46. CleanAir and RRM (figures): APs on channels 1, 6 and 11; CleanAir detects an interferer on one of the channels and reports it, and RRM moves the affected AP to a clean channel (the X marks the channel it left).
  47. Event Driven RRM (EDRRM) sensitivity thresholds: High: Air Quality ≤ 60; Medium: Air Quality ≤ 50; Low: Air Quality ≤ 35. The rogue AP's duty cycle contribution to air quality is available as of AireOS 8.1.
  48. CleanAir detectable attacks, some examples. Each layer has its sensor: traditional IDS/IPS for Layers 3-7 (IP and application attacks and exploits); wIPS for Layer 2 (Wi-Fi protocol attacks and exploits); CleanAir for Layer 1 (RF signaling attacks and exploits on 2.4 and 5 GHz): rogue threats including "undetectable" rogues, Wi-Fi jammers, "classic" interferers. See BRKEWN-3010.
  49. Recap of Cisco WIPS:
     • detecting extensive DoS attacks and security penetration: Base WIPS + Adaptive WIPS;
     • locating rogue APs, attackers and victims (MSE);
     • manual or fixed auto-containment policy for rogue APs/clients;
     • comprehensive wired rogue detection algorithm using auto SPT, RLDP or a rogue detector AP.
     Locating, tracking and tracing rogue APs: an open, wired or NATed rogue AP is found with RLDP or the rogue detector ("magic packet"); an encrypted wired rogue AP is traced from Prime Infrastructure over SNMP with auto switch port tracing (SPT), which searches the CAM tables for an Ethernet MAC derived from the rogue's BSSID (±1 or 2) and its OUI.
  50. Management Frame Protection (MFP), Cisco's pre-802.11w mechanism (for your reference): infrastructure MFP adds a Message Integrity Check (MIC) to the management frames the APs send, so that other APs can detect forged ones; client MFP encrypts the management frames exchanged with associated and authenticated clients and requires CCXv5 clients.
  51. IEEE 802.11w Protected Management Frames (PMF) (for your reference): client protection with additional cryptography on deauthentication and disassociation frames, so a spoofed deauthentication from a third party is discarded by the client; infrastructure protection with the Security Association (SA) Query mechanism, which stops a forged (re)association request from tearing down an existing security association. Unlike MFP, 802.11w is a standard that clients implement natively.
  52. Service-ready feature highlights: local profiling; Bonjour and Apple services; solution-level attack protection; AVC/NetFlow; 802.1X; web auth; guest access; MAC auth; BYOD; NAC; RADIUS; local policy with AVC and Umbrella; AAA override (VLAN, ACL, QoS); TrustSec (SXP, inline tagging); OKC and CCKM roaming; Cisco Umbrella; URL filtering.
  53. Securing Client Access
  54. Identity awareness: choose the access control method per endpoint type (authorized users, IP phones, tablets, network devices, guests, IoT devices). Authentication features: 802.1X, MAC Auth Bypass, Identity PSK, web authentication.
  55. IEEE 802.1X for a wireless client (for your reference). Roles: supplicant (the client), authenticator (the WLC, Layer 2 point-to-point link, EAP over LAN), authentication server (RADIUS over the Layer 3 link).
     Beginning: EAPoL-Start; EAPoL-Request Identity; EAP-Response Identity: Alice; RADIUS Access-Request [AVP: EAP-Response: Alice].
     Middle: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; EAP-Request: PEAP; EAP-Response: PEAP; RADIUS Access-Request [AVP: EAP-Response: PEAP]; multiple challenge/request exchanges possible.
     End: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]; EAP Success.
  56. EAP authentication types: different authentication options leveraging different credentials.
     • Tunnel-based: common deployments use a tunneling protocol (EAP-PEAP, EAP-FAST) combined with an inner method such as EAP-MSCHAPv2, EAP-GTC or EAP-TLS. PEAP requires only a server-side certificate; the tunnel protects the inner method, which may be vulnerable by itself. That protection only holds if the supplicant actually validates the server certificate (trusted CA and expected server name); a supplicant configured to accept any certificate hands its MSCHAPv2 exchange to an evil twin AP.
     • Certificate-based: for more security, EAP-TLS provides mutual authentication of both the server and the client.
  57. RADIUS Change of Authorization (CoA) (for your reference).
     • The RADIUS protocol is initiated by the network device (NAD); without CoA there is no way for ISE to change an authorization afterwards.
     • With CoA the network device listens for CoA requests from ISE (RADIUS CoA, UDP 1700 on Cisco devices, or 3799 per RFC 5176): re-authenticate session; terminate session; terminate session with port bounce; disable host port. "Now I can control ports when I want to!"
     On a Catalyst switch:
       (config)# aaa server radius dynamic-author
       (config-locsvr-da-radius)# client {PSN} server-key {RADIUS_KEY}
  58. RADIUS Change of Authorization (CoA), re-authentication sequence. ISE (authentication server) sends a RADIUS CoA-Request [VSA: subscriber:command=reauthenticate] to the authenticator, which answers with a CoA-Ack and restarts 802.1X towards the supplicant: EAPoL-Request Identity; EAP-Response Identity: Alice; RADIUS Access-Request [AVP: EAP-Response: Alice]; RADIUS Access-Challenge [AVP: EAP-Request PEAP]; EAP-Request: PEAP; EAP-Response: PEAP; RADIUS Access-Request [AVP: EAP-Response: PEAP]; multiple challenge/request exchanges possible.
  59. Identity PSK (AireOS 8.5 release): increased demand for IoT devices; identity security without 802.1X; high scale, cost effective, simple operations. Private PSK with RADIUS integration; per-client AAA override (VLAN, ACL, QoS, etc.).
  60. Identity PSK, how it works. The WLAN is a PSK WLAN with MAC filtering and AAA override enabled. When a device associates, the WLC sends its MAC address to the RADIUS server, which returns the private PSK of that device's group; a device for which no private PSK is returned (employees in the example) uses the WLAN PSK.
     Device group   Private PSK
     IoT devices    aabbcc
     Sensors        xxyyzz
     Employees      --- (WLAN PSK)
     Returned attributes, for an IoT device: Cisco-AVPair += "psk-mode=ascii"; Cisco-AVPair += "psk=aabbcc"; for a sensor: Cisco-AVPair += "psk-mode=ascii"; Cisco-AVPair += "psk=xxyyzz".
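What actually crosses the wire between ISE and the WLC for the Identity PSK flow above, and for the CoA re-authentication on slides 57-58, is a handful of RADIUS attributes. The block below is an added example (not ISE or WLC code) that encodes and decodes them: an Access-Accept carrying a VLAN override and the cisco-av-pair VSAs psk-mode and psk (the same VSA carries avc-profile-name on slide 72), and a CoA-Request carrying subscriber:command=reauthenticate, with the Response Authenticator and the CoA Request Authenticator computed as RFC 2865 and RFC 5176 specify. The shared secret, identifiers, MAC addresses and PSK values are constructed for the example.

```python
"""RADIUS Access-Accept and CoA-Request encoder/decoder (added example).

Attribute layout per RFC 2865 (attributes, VSA), RFC 2868 (Tunnel-* for the
VLAN override) and RFC 5176 (CoA). Cisco's Vendor-Id is 9; vendor type 1 is
cisco-av-pair. All values below are constructed for the example.
"""
import hashlib
import os
import struct

ACCESS_ACCEPT, COA_REQUEST = 2, 43
ATTR_USER_NAME, ATTR_VSA, ATTR_CALLING_STATION = 1, 26, 31
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIVATE_GROUP = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """Type / Length (includes the 2 header octets) / Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_av_pair(text: str) -> bytes:
    """Attribute 26 with Vendor-Id 9, vendor type 1 (cisco-av-pair), vendor length, text."""
    v = text.encode()
    return attr(ATTR_VSA, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(v) + 2) + v)


def vlan_override(vlan_id: int, tag: int = 0) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>, all with a tag octet."""
    return (attr(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_MEDIUM, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP, bytes([tag]) + str(vlan_id).encode()))


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def coa_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """CoA Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs


def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the WLC does before trusting an Accept: recompute the Response Authenticator."""
    head, got, attrs = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(head + request_auth + attrs + secret).digest() == got


def verify_coa_request(pkt: bytes, secret: bytes) -> bool:
    head, got, attrs = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(head + bytes(16) + attrs + secret).digest() == got


def parse_attrs(pkt: bytes) -> dict:
    """Decode what the WLC needs: cisco-av-pairs as a dict, VLAN id, user name."""
    out = {"av_pairs": {}, "vlan": None, "user": None}
    body = pkt[20:]
    while body:
        atype, alen = body[0], body[1]
        if alen < 2 or alen > len(body):
            raise ValueError("malformed attribute")
        value, body = body[2:alen], body[alen:]
        if atype == ATTR_USER_NAME:
            out["user"] = value.decode()
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP:
            # RFC 2868: a leading octet <= 0x1F is a tag, otherwise the string starts at once.
            out["vlan"] = int((value[1:] if value[0] <= 0x1F else value).decode())
        elif atype == ATTR_VSA and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == CISCO_AV_PAIR:
            key, _, val = value[6:value[5] + 4].decode().partition("=")
            out["av_pairs"][key] = val
    return out


SECRET = b"example-shared-secret"      # constructed; a real secret must be long and per-NAS
REQUEST_AUTH = os.urandom(16)         # the Access-Request authenticator the WLC sent

# Identity PSK for a sensor: the WLC sent the MAC as User-Name (MAC filtering) and
# ISE answers with the VLAN and the private PSK of the "Sensors" group.
SENSOR_ACCEPT = access_accept(7, REQUEST_AUTH, SECRET,
                              attr(ATTR_USER_NAME, b"aabbccddee01")
                              + vlan_override(120)
                              + cisco_av_pair("psk-mode=ascii")
                              + cisco_av_pair("psk=xxyyzz"))
# Later, ISE forces a re-authentication of that session (slides 57-58).
REAUTH_COA = coa_request(3, SECRET,
                         attr(ATTR_CALLING_STATION, b"aa-bb-cc-dd-ee-01")
                         + cisco_av_pair("subscriber:command=reauthenticate"))

if __name__ == "__main__":
    print(verify_access_accept(SENSOR_ACCEPT, REQUEST_AUTH, SECRET), parse_attrs(SENSOR_ACCEPT))
    print(verify_coa_request(REAUTH_COA, SECRET), parse_attrs(REAUTH_COA))
```

Two things the wire format makes obvious: a cisco-av-pair is plain text inside the packet, so the private PSK is only as confidential as the ISE-to-WLC path (RADIUS encrypts nothing but User-Password; use IPsec, RadSec or an isolated management network), and the only integrity protection is the MD5 authenticator keyed with the shared secret, so that secret has to be long and unique per NAS.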
  61. Local Web Authentication (LWA). LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC. Components: AP-WLC, DHCP/DNS, ISE server.
     1) SSID with WebAuth, optionally preceded by MAB and/or 802.1X;
     2) the pre-webauth ACL is applied to the session;
     3) the host acquires an IP address, which triggers the session state;
     4) the host opens a browser, receives the login page and sends its credentials;
     5) the WLC queries the AAA server, which returns the policy (the server authorizes the user);
     6) the WLC applies the new WebAuth policy (L3).
  62. Central Web Authentication (CWA). CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS.
     1) open SSID with MAC filtering enabled;
     2) first authentication session: MAB; authentication succeeds and ISE returns the authorization for the unknown MAC: redirect/filter ACL and portal URL;
     3) that authorization is applied to the session;
     4) the host acquires an IP address, which triggers the session state;
     5) the host opens a browser, the WLC redirects it to the ISE web page; login page; the host sends username/password;
     6) web auth success results in a CoA (the server authorizes the user);
     7) MAB re-authentication: MAB success, session lookup, policy matched, authorization ACL/VLAN returned.
  63. Other URL-redirect scenarios (posture, MDM, etc.). CWA is a URL-redirect scenario; thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB or WebAuth.
     1) SSID configured for 802.1X / MAB;
     2) first authentication session: authentication succeeds and the authorization returned carries a redirect/filter ACL and the URL for posture, MDM, etc.;
     3) that authorization is applied to the session;
     4) the host acquires an IP address, which triggers the session state;
     5) the host opens a browser, the WLC redirects it to ISE for the other service: posture check, MDM check, client provisioning, etc.;
     6) RADIUS CoA (the server authorizes the user);
     7) 802.1X/MAB re-authentication: success, session lookup, policy matched, authorization ACL/VLAN returned.
  64. Secure Network Services
  65. How about policies? Differentiating user groups. Keeping untrusted devices out. Basic access vs. full access.
  66. Network policy enforcement: the network as a sensor and enforcer. Different wired and wireless security leaves you vulnerable to risk and malicious activity; the latest Cisco wireless minimizes risk and works with switching and routing for end-to-end validation. 1) Access policy created on Identity Services Engine; 2) the authorized user accepts the policy; 3) the network validates activity, serving as a sensor and policy enforcer.
  67. Cisco Identity Services Engine (ISE) consolidates ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server: centralized policy; RADIUS server; posture assessment; guest access services; device profiling; client provisioning; MDM; monitoring and troubleshooting; SIEM integration; device admin / TACACS+. See BRKSEC-3697 and BRKSEC-3699.
  68. Authentication and authorization, what are they? Authentication (802.1X, iPSK, MAB, WebAuth) tells who or what the endpoint is; authorization tells what the endpoint has access to.
  69. ISE policy rules (for your reference). 1. Authentication rules define which identity stores to reference, e.g. Active Directory, CA server, internal DB, etc. 2. Authorization rules define which users and devices get access to which resources, e.g. all employees with Windows laptops have full access.
  70. Guests and BYOD can't hide...
  71. Application policies with AVC.
     • Role-based application policy: Alice (user) and Bob (IT admin) are both employees connected to the same SSID; Bob can access certain applications (YouTube), Alice cannot.
     • Role-based + device-type application policy: Alice can access inventory info on an IT-provisioned Windows laptop, but not on her personal iPad.
     • Role-based + device-type + application-specific policy: Alice has limited access (rate limit) to Jabber on her iPhone.
     Release timeline: 7.4 AVC; 7.5 dynamic protocol pack update; 7.6 Jabber and Lync 2013 support; 8.0 user- and device-aware policies, classification of Apple iOS, Windows and Android upgrades, per user-group and per device policy tie-in to AVC; 8.1 user- and device-aware policies, classification of Apple iOS, Windows and Android upgrades; 8.2 Wi-Fi calling, Skype for Business, UserId + IP flow for NetFlow export, Lancope collector.
  72. AVC (Application Visibility and Control), per-user profiles via AAA: at authentication the RADIUS server returns cisco-av-pair = avc-profile-name = AVC-Employee for employees and cisco-av-pair = avc-profile-name = AVC-Contract for contractors, and the WLC applies the named AVC profile to the session; the profiles decide how applications such as YouTube, Facebook, Skype and BitTorrent are treated for each group.
  73. WLC integration with StealthWatch (as of AireOS 8.2 on 5520/8510/8540): the WLC exports NetFlow v9 records to StealthWatch; when StealthWatch flags a host (BitTorrent in the example) it notifies ISE over pxGrid, and ISE quarantines the client with a RADIUS CoA to the WLC. See BRKSEC-3014.
  74. Security Group Access (SGA), AireOS 8.3 and before: SXP peering from the WLC. Users and endpoints authenticate with 802.1X, MAB or WebAuth (agent-less devices) and ISE assigns them a Security Group Tag. The WLC (SXP speaker) sends its IP-to-SGT binding table via SXP to SGT-tagging or SGACL-capable devices (SXP listener, e.g. Catalyst 3750-X); frames leave the WLC untagged on VLAN 100, are tagged (SGT=5) by the Catalyst 3k-X, and the SGACL is enforced at the Cat 6500 distribution in front of the IT Portal (SGT 4, 10.1.100.10).
     IP address    SGT
     10.1.10.102   5
     10.1.10.110   14
     10.1.99.100   12
     SGACL: deny sgt-src 5 sgt-dst 4. SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
75. Security Group Access (SGA), AireOS 8.4: SXP peering from the AP (802.11ac APs)
Same model, but the AP is now the SXP speaker toward the Catalyst 3k-X listener, so the binding table (10.1.10.102 → 5; 10.1.10.110 → 14; 10.1.99.100 → 12) is published from the edge rather than from the WLC. The SGACL (deny sgt-src 5 sgt-dst 4) is still enforced on the switch.
76. Security Group Access (SGA), AireOS 8.4: SGT inline tagging at the WLC (5520/8540) or AP (802.11ac APs)
Frames leave the WLC or AP already carrying the tag (SGT=5), so the Catalyst 3k-X reads the source SGT from the frame instead of deriving it from an SXP binding, and enforces the SGACL (deny sgt-src 5 sgt-dst 4).
77. Security Group Access (SGA), AireOS 8.4: SGACL at the WLC (5520/8540) or AP (802.11ac APs)
The enforcement point moves into the wireless infrastructure itself: the WLC or AP applies the SGACL (deny sgt-src 5 sgt-dst 4) to client traffic before it reaches the wired network. See BRKSEC-2203 and BRKSEC-3690.
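The four SGA slides above all reduce to the same three pieces: an IP-to-SGT binding table (learned by ISE assignment, published over SXP), an optional tag carried in the frame itself (inline tagging), and an SGACL matrix consulted by whichever device enforces. The following is an added example, not code from the presentation or any Cisco product, that models those pieces with the bindings and the SGACL shown on the slides; the longest-prefix matching, the SGT 0 "unknown" handling and the default-permit matrix are assumptions chosen to mirror how TrustSec devices generally behave.

```python
"""IP-to-SGT bindings, SXP export, inline tags and SGACL enforcement.

Added example, not the presentation's or Cisco's code.  Bindings and the
'deny sgt-src 5 sgt-dst 4' rule come from the slides; everything else is
an assumption for illustration.
"""
import ipaddress
from typing import Optional

UNKNOWN_SGT = 0  # assumption: tag used when no binding or frame tag exists


class SgtBindings:
    """IP-to-SGT table as exchanged over SXP (speaker -> listener).
    Entries are prefixes; longest prefix wins, as on a real device."""

    def __init__(self):
        self._table = {}

    def learn(self, prefix, sgt):
        self._table[ipaddress.ip_network(prefix, strict=False)] = sgt

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt in self._table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else UNKNOWN_SGT

    def export_sxp(self):
        """What the speaker advertises to a listener: (prefix, sgt) pairs."""
        return sorted((str(net), sgt) for net, sgt in self._table.items())


class Sgacl:
    """SGACL matrix keyed by (source SGT, destination SGT).  Cells that are
    not configured fall back to default_action; on most deployments that
    starts as 'permit' until a deny-by-default matrix is rolled out."""

    def __init__(self, default_action="permit"):
        self._cells = {}
        self.default_action = default_action

    def add(self, src_sgt, dst_sgt, action):
        self._cells[(src_sgt, dst_sgt)] = action

    def decide(self, src_sgt, dst_sgt):
        return self._cells.get((src_sgt, dst_sgt), self.default_action)


def enforce(bindings, sgacl, src_ip, dst_ip, frame_sgt: Optional[int] = None):
    """Decision for one packet.  With inline tagging the source SGT is taken
    from the frame; otherwise it is derived from the SXP-learned bindings.
    The destination SGT always comes from the bindings.  Returns
    (src_sgt, dst_sgt, action)."""
    src_sgt = frame_sgt if frame_sgt is not None else bindings.lookup(src_ip)
    dst_sgt = bindings.lookup(dst_ip)
    return src_sgt, dst_sgt, sgacl.decide(src_sgt, dst_sgt)


def build_from_slides():
    """Bindings and SGACL exactly as shown on the SGA slides."""
    bindings = SgtBindings()
    for ip, sgt in (("10.1.10.102", 5), ("10.1.10.110", 14), ("10.1.99.100", 12)):
        bindings.learn(ip + "/32", sgt)
    bindings.learn("10.1.100.10/32", 4)  # IT portal, SGT 4
    sgacl = Sgacl()
    sgacl.add(5, 4, "deny")               # deny sgt-src 5 sgt-dst 4
    return bindings, sgacl


if __name__ == "__main__":
    b, acl = build_from_slides()
    print(enforce(b, acl, "10.1.10.102", "10.1.100.10"))             # SXP-derived
    print(enforce(b, acl, "10.1.99.100", "10.1.100.10", frame_sgt=5))  # inline tag
    print(enforce(b, acl, "10.1.50.7", "10.1.100.10"))               # no binding
```

Two things the model makes visible that the slides only imply: a host with no binding falls into SGT 0 and is permitted by a default-permit matrix, which is why binding coverage (or a deny cell for SGT 0) matters; and with inline tagging the enforcing device trusts the frame's tag, so the tagging device must be one you trust.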
78. Introducing Cisco Umbrella with WLC
A client in the ACME network sends a DNS query; it reaches the Cisco Umbrella cloud resolver at 208.67.220.220 either directly or through an internal DNS server (10.1.1.1) that proxies to it. ACME's policy blocks gaming sites, so the DNS response for a blocked site does not lead the client to the real destination; enforcement happens at the DNS layer before any connection is made.
79. WLC integration with Cisco Umbrella: DNS query from the client, DNS response from the Cisco Umbrella cloud.
80. WLC integration with OpenDNS (same query/response flow through the Cisco Umbrella cloud). See BRKSEC-2980 and LABSEC-2006.
81. OpenDNS policy segmentation
• Current ISR 4K implementation: site-specific policy, enforced per interface (Corp network and Guest network each map to their own Cisco Umbrella policy, e.g. Policy 1 and Policy 2).
• Wireless controller: dynamic evaluation of attributes for access control. The identity server returns attributes at authentication, and the WLC applies a per-identity Umbrella policy (Contractor, Corp and Guest each map to their own policy, e.g. Policy 1/2/3) on a single infrastructure rather than per interface.
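The Umbrella slides describe a resolver that decides per identity and per domain category, and answers a blocked query with something other than the real address. The example below is added here and is not code from the presentation, the WLC or Umbrella: a client builds a wire-format DNS query carrying an identity label in an EDNS0 OPT record, and a resolver parses it, applies the policy for that identity, and answers with either the real A record or a block-page address. The EDNS option code (taken from the experimental range), the identity label format, the category table, the policies and the block-page and answer addresses are all assumptions; Umbrella's real identity encoding is not on the page.

```python
"""DNS-layer policy: EDNS0-tagged query -> per-identity verdict -> answer.

Added example, not the presentation's, the WLC's or Umbrella's code.  The
option code, identity format, categories, policies and addresses are
constructed for illustration.
"""
import struct

EDNS_OPT_TYPE = 41
IDENTITY_OPTION_CODE = 65001      # assumption: experimental/local-use EDNS code
BLOCK_PAGE_IP = "192.0.2.254"     # assumption: block-page sink address
RESOLVER_IP = "208.67.220.220"    # Umbrella resolver named on the slides

# Constructed data: category per domain, blocked categories per identity,
# and the real answers.  Slides: ACME policy blocks gaming sites.
CATEGORIES = {"example-games.test": "gaming", "example-torrent.test": "p2p",
              "intranet.acme.test": "business"}
POLICIES = {"corp": {"gaming"}, "contractor": {"gaming", "p2p"}, "guest": {"gaming", "p2p"}}
ANSWERS = {"example-games.test": "192.0.2.10", "example-torrent.test": "192.0.2.11",
           "intranet.acme.test": "192.0.2.12"}


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("!B", len(l)) + l.encode() for l in labels) + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode())
        off += n


def build_query(txid, name, identity):
    """Standard A query (RD=1) plus one OPT RR carrying the identity label."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)       # type A, class IN
    opt_data = struct.pack("!HH", IDENTITY_OPTION_CODE, len(identity)) + identity.encode()
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 4096, 0, len(opt_data)) + opt_data
    return header + question + opt


def parse_query(pkt):
    """Return (txid, qname, identity-or-None).  Only queries (no answer or
    authority sections) are expected here."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                                     # qtype, qclass
    identity = None
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == EDNS_OPT_TYPE:
            p = 0
            while p + 4 <= len(rdata):
                code, ln = struct.unpack("!HH", rdata[p:p + 4])
                p += 4
                if code == IDENTITY_OPTION_CODE:
                    identity = rdata[p:p + ln].decode()
                p += ln
    return txid, qname, identity


def resolve(pkt):
    """Policy decision plus wire-format response.  An unknown identity gets
    the most restrictive (guest) policy; an uncategorised domain is never
    blocked on category grounds.  Returns (response_bytes, verdict)."""
    txid, qname, identity = parse_query(pkt)
    blocked_categories = POLICIES.get(identity, POLICIES["guest"])
    is_blocked = CATEGORIES.get(qname) in blocked_categories
    ip = BLOCK_PAGE_IP if is_blocked else ANSWERS.get(qname)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question, "nxdomain"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + question + rr, ("blocked" if is_blocked else "allowed")


def answer_ip(resp):
    """Extract the A record from a response produced by resolve()."""
    if struct.unpack("!H", resp[6:8])[0] == 0:                     # ANCOUNT
        return None
    _, off = decode_name(resp, 12)
    off += 4 + 2 + 10                   # qtype/qclass, name pointer, rr fixed fields
    return ".".join(str(b) for b in resp[off:off + 4])
```

The policy choice worth noticing is in `resolve`: a query whose identity is missing or unrecognised is evaluated under the guest policy, so a client that strips or forges the identity option can only lose access, not gain it.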
82. mDNS and Bonjour services
• mDNS profiles: select which services are advertised
• mDNS profile with local policy: services per user and per device
• mDNS policies: services based on AP location and user role
• mDNS AP: services behind a Layer 3 boundary
• Location-specific services
Example from the slide: the Teacher service profile offers AirPrint, AirPlay and File Share; the Student service profile offers AirPlay, File Share and iTunes Sharing. mDNS service instances are grouped (Apple TV1, Apple TV2), and each role gets its own service instance list (Teacher: Apple TV1; Student: Apple TV1, Apple TV2) across the Teacher and Student networks.
83. Conclusion
84. Key takeaways
• Security is an end-to-end concern
• Start by securing the infrastructure
• Use CleanAir and wIPS to protect the air
• Protect your client access with CWA and ISE
• AVC policies, TrustSec and SGTs protect your traffic
85. Cisco Spark: ask questions, get answers
What if I have a question after visiting Cisco Live? Use Cisco Spark to communicate with the speaker after the event (cs.co/ciscolive/#session ID):
1. Go to the Cisco Live mobile app
2. Find this session
3. Click the join link in the session description
4. Navigate to the room; room name = session ID (e.g. BRKACI-2001)
5. Enter messages in the room
Get the Cisco Spark app from the iTunes Store or Google Play Store. Spark rooms will be available until Friday 17 November 2017. www.ciscospark.com
86. Complete your online session evaluation
Give us your feedback about the session you just joined. Complete your session surveys through the Cisco Live mobile app (https://www.ciscolive.com/latam/attend/attendee-info/#mobile-app in English, https://www.ciscolive.com/latam/attend-es/attendee-info/#mobile-app in Spanish) or from the Session Catalog on CiscoLive.com/latam. Cisco Live sessions will be available for viewing on demand after the event at CiscoLive.com/Online.
87. Thank you
