Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD
Transcript of Cisco Live session BRKEWN-2005
Kanu Gupta, Technical Marketing Engineer, CCIE – 40465 (Wireless)
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Session Objectives

We won't talk about:
• ISE in detail
• Configuration details
• Version discrepancies
• IPv6
• Fabric
• Roadmap

What the session covers, split into features built into the WLC and AP ("inbuilt") and the advanced solution components layered on top:

Harden Infrastructure
• Inbuilt: securing AP-WLC communication; 802.1X AP port security; default best practices
• Advanced: APIC-EM Plug n Play

Protect the Air
• Inbuilt: base wIPS; rogue detection; CleanAir; 802.11w
• Advanced: aWIPS

Secure Client Access
• Inbuilt: client access methods (802.1X, iPSK, WebAuth); native policy management
• Advanced: ISE; guest & BYOD management

Solution Level Protection
• Inbuilt: Application Visibility & Control; URL filtering
• Advanced: TrustSec; NetFlow/StealthWatch; Cisco Umbrella
For your reference: some slides in the PDF are not presented, or only quickly presented. They are valuable, but included only "For your reference".
Agenda
• Infrastructure Hardening
• Over the Air Security
• Secure Access
• Solution Level Security
• Enterprise Use Case
Cisco Digital Network Architecture for mobility

Principles
• Automation: Plug n Play; EasyQoS; ISE for 802.1X, BYOD and Guest
• Assurance: RESTful APIs on WLC; NetFlow export; Apple Network Optimization & FastLane
• Open APIs: modular APs with RESTful APIs
• Cloud service management: CMX 10.x with Context and Guest
• Platforms & virtualization: modular APs with RESTful APIs; DNA-optimized controllers (3504, 5520, 8540); VM models for ESXi, KVM, Hyper-V and AWS

Outcomes
• Insights and experiences
• Automation and assurance
• Security and compliance
Trustworthy Systems: Protect the Device
• Embedded security built for today's threats
• Security expertise and innovation
• Evidence of trust

"Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions... There has never been a greater need to improve network infrastructure security." (Alert TA16-251A, September 2016)

Learn more:
• Visit trust.cisco.com
• See BRKARC-1010 "Protecting the Device: Cisco Trustworthy Systems & Embedded Security"
• Meet the Engineer, topic "Security and Trust Architecture"
Cisco Trustworthy Systems Levels: Enterprise Wireless

Platform Integrity
• Counterfeit protections
• Image signing
• Secure boot
• Modern crypto
• Hardware trust anchor
• Secure device onboarding

Protects the Network (protections against attack)
• IP Source Guard, ACLs, DHCP snooping
• wIPS / rogue detection
• Secure transport; 802.11w, 802.11r, 802.11i
• TrustSec
• NetFlow

Solution Level Attack Protection
• ISE
• Stealthwatch
• Umbrella

Security Culture
• PSIRT advisories
• Security training
• Product Security Baseline
• Threat modeling
• Open source registration
• Supply chain management

Learn more: BRKARC-1010 "Protecting the Device: Cisco Trustworthy Systems & Embedded Security"
Infrastructure Hardening
• Best practices
• 802.11 encryption
• MFP, 802.11w
• Plug n Play
AP control at the access layer: 802.1X credentials for the AP
The AP has a Layer 2 point-to-(multi)point link to the access switch and the switch has a Layer 3 link to the authentication server. The AP is the supplicant, the switch is the authenticator, and EAP over LAN (EAPoL) from the AP is relayed to the authentication server over RADIUS, so a device plugged into an AP-facing switch port gets no access until it authenticates. Configure the AP's credentials:
AP# capwap ap dot1x username [USER] password [PWD]
* Not supported today on 1800/2800/3800 APs.
Securing the AP-WLC communication: CAPWAP tunnels
• CAPWAP control: DTLS, UDP 5246, encrypted by default
• CAPWAP data: UDP 5247, encapsulated but not encrypted by default; DTLS data encryption between AP and WLC is supported
In local mode the AP decrypts the client's 802.11 traffic, so without data DTLS the client payload crosses the wired path to the controller in the clear inside the CAPWAP data tunnel. Enable it where that path is not trusted:
(Cisco Controller) >config ap link-encryption enable all/[AP-NAME]
See also BRKEWN-2010.
Securing the AP-WLC communication: Locally Significant Certificate (LSC)
The CAPWAP DTLS session can authenticate with certificates issued by your own PKI instead of the factory-installed ones.
Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html
APIC-EM Plug-n-Play (PnP): secure provisioning of Access Points
• The AP finds APIC-EM through DHCP option 43 or by DNS resolution of pnpserver.<dhcp-domain-option>
• AP SN #123 is in a project list and receives its configuration file (WLC IP, Vegas AP Group, etc.)
• AP SN #456 is not in any project list and lands in the claim list, where it waits until an administrator claims it
AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html
Securing the AP-WLC communication: Out-of-Box AP Group and RF Profile (v7.3+)
• Newly joined APs land in the Out-of-Box AP group, whose radios are disabled, so an unexpected AP does not serve clients until it is moved to a production AP group
• Vegas AP Group: radios enabled
• Out-of-Box AP Group: radios disabled
Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#ID2870
End-to-End Encryption of Mobility Tunnel (8.5)
CAPWAP v4 with DTLS encryption between Wireless LAN Controllers.
Over the Air Security
• aWIPS, ELM
• Rogue detection
• Cisco CleanAir®
• Off-channel scanning
• FRA radio
• EDRM
Wireless Intrusion Prevention System (wIPS): threat categories
• Denial of Service: service disruption
• Evil Twin / Honeypot AP: an attacker's AP impersonating the network
• Reconnaissance: seeking network vulnerabilities
• Cracking tools: sniffing and eavesdropping
• Non-802.11 attacks (Bluetooth, radar, RF jammers, microwave): backdoor access and service disruption; detected by CleanAir and tracked by MSE
• Ad-hoc wireless bridge: client-to-client backdoor access
• Rogue access points
wIPS Process Flow and Component Interactions
1. The wIPS AP detects the event
2. The AP reports it to the Wireless Controller over CAPWAP
3. The controller forwards it to wIPS on MSE 8.x over NMSP
4. MSE raises an SNMP trap to Prime Infrastructure

Solution | Components | Functions | Licensing
Base IDS | WLC, AP and Prime Infrastructure (optional) | Supports 17 native signatures; supports rogue detection & containment | Does not require any licensing
Adaptive wIPS | WLC, AP, MSE and Prime Infrastructure | Comprehensive over-the-air threat detection & mitigation | Licensed feature on MSE
wIPS with Cisco Mobility Services Engine (MSE) 8.0
APs report through their WLCs to the MSE; Prime Infrastructure talks to the MSE over SOAP/XML over HTTP/HTTPS.
aWIPS: Accurate Detection & Mitigation
• Detection: device inventory analysis; signature & anomaly detection; network traffic analysis; on/off-channel scanning
• Threats: rogue APs/clients; ad-hoc connections; over-the-air attacks (cracking, recon, DoS)
• Classification: default tuning profiles; customizable event auto-classification; wired-side tracing; physical location
• Notification: unified PI security dashboard; flexible staff notification; device location
• Mitigation: wired port disable; over-the-air mitigation; auto or manual; uses all APs for superior scale
• Management: role-based with audit trails; customizable event reporting; PCI reporting; full event forensics
Supported AP modes for wIPS
• Data on 2.4 and 5 GHz; wIPS on all channels
• Data on 2.4 and 5 GHz; wIPS on all channels
• Data on 5 GHz; wIPS on all channels
• Data on 2.4 and 5 GHz; wIPS on all channels ("best effort")
Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500
Cisco Wireless Security Deployment with AP3800/2800 Maintains Capacity and Avoids Interference

Feature | Good: ELM | Better: Monitor Mode AP | Best: ELM with FRA Monitor Mode
Deployment density | Per AP | 1 in 5 APs | 1 radio per 5 APs
Client serving with security monitoring | Y | N | Y
wIPS security monitoring | 50 ms off-channel scan on selected channels on 2.4 and 5 GHz | 7x24, all channels on 2.4 GHz and 5 GHz | 7x24, all channels on 2.4 GHz and 5 GHz
CleanAir spectrum intelligence | 7x24 on the client-serving channel | 7x24, all channels on 2.4 GHz and 5 GHz | 7x24, all channels on 2.4 GHz and 5 GHz

[Figure: channel timelines for the three modes. Enhanced Local Mode (GOOD): the 2.4 GHz and 5 GHz radios stay mostly on the serving channel with short off-channel dwells. Monitor Mode (BETTER): both radios cycle through all channels (Ch1, Ch2 ... Ch11; Ch36, Ch38 ... Ch157, Ch161). ELM with FRA (BEST): the dedicated 5 GHz radio serves clients with short off-channel dwells while the flexible radio cycles through all 2.4 GHz and 5 GHz channels.]
Rogue Access Points: What are they?
• A rogue AP is an AP that does not belong to our deployment.
• We might need to care (malicious, or on our wired network) or not (friendly).
• Sometimes we can disable them, sometimes we can mitigate them.
"I don't know it." "Me neither."
Rogue Detection and Mitigation

Detection by AP mode
• Data-serving AP: serves clients on 2.4 GHz and 5 GHz, scanning off-channel for 50 ms at a time
• Monitor mode AP: dedicated scanning, 1.2 s per channel
• FRA with monitor mode: serves clients on the dedicated 5 GHz radio while the flexible radio scans 1.2 s per channel

Rogue Classification and Containment
• Rogue rules
• Manual classification: friendly/malicious
• Manual and auto containment

CleanAir with Rogue AP Types
• Wi-Fi invalid channel
• Wi-Fi inverted

Rogue Location
• Real-time with PI, MSE, CleanAir
• Location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers
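The rogue rules mentioned above decide, from what the detecting APs report, whether a rogue is friendly or malicious and whether it may be contained automatically. The following is an added example of such a rule engine, not Cisco's implementation: the condition names follow the WLC rogue-rule conditions (managed SSID, RSSI, client count, no encryption, duration) plus a wired-side detection flag, while the rule set, the thresholds and the sample rogues are constructed for the example.

```python
"""Added example (not Cisco code) of a rogue classification rule engine like the
'rogue rules' listed above. Rules are evaluated in priority order against what
the detecting APs report for a rogue; the first rule whose conditions are met
(match all, or match any) assigns friendly or malicious and says whether
containment is automatic. The rule set, thresholds and sample rogues are
constructed, and the engine is illustrative only."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

MANAGED_SSIDS = {"corp-secure", "corp-guest"}  # constructed


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int           # strongest RSSI reported by any detecting AP
    clients: int
    encrypted: bool
    seen_seconds: int       # how long the rogue has been detected
    on_wired_network: bool  # rogue detector / RLDP found it on our wire


# condition name -> predicate(rogue, threshold). Numeric thresholds mean "at least".
CONDITIONS: Dict[str, Callable[[Rogue, Any], bool]] = {
    "managed-ssid": lambda r, _: r.ssid in MANAGED_SSIDS,
    "rssi": lambda r, v: r.rssi_dbm >= v,
    "client-count": lambda r, v: r.clients >= v,
    "no-encryption": lambda r, _: not r.encrypted,
    "duration": lambda r, v: r.seen_seconds >= v,
    "on-wired-network": lambda r, _: r.on_wired_network,
}


@dataclass
class Rule:
    name: str
    priority: int
    match: str                          # "all" or "any"
    conditions: List[Tuple[str, Any]]
    classification: str                 # "friendly" or "malicious"
    auto_contain: bool = False


RULES: List[Rule] = [
    # Anything advertising our SSIDs (honeypot / evil twin) or plugged into our wire
    # is malicious and safe to contain: it impersonates us or sits on our LAN.
    Rule("impersonation-or-on-wire", 1, "any",
         [("managed-ssid", None), ("on-wired-network", None)], "malicious", auto_contain=True),
    # A strong, open AP with several clients is suspicious but may belong to a
    # neighbour, so flag it for manual review instead of containing it automatically.
    Rule("strong-open-busy", 2, "all",
         [("rssi", -70), ("no-encryption", None), ("client-count", 3)], "malicious"),
    # Long-lived APs that never tripped the rules above are treated as neighbours.
    Rule("long-lived-neighbour", 3, "all", [("duration", 3600)], "friendly"),
]


def evaluate(rule: Rule, rogue: Rogue) -> bool:
    results = [CONDITIONS[name](rogue, value) for name, value in rule.conditions]
    return all(results) if rule.match == "all" else any(results)


def classify(rogue: Rogue) -> Tuple[str, bool, Optional[str]]:
    """Return (classification, auto-contain, rule name); unmatched rogues stay unclassified."""
    for rule in sorted(RULES, key=lambda r: r.priority):
        if evaluate(rule, rogue):
            return (rule.classification, rule.auto_contain, rule.name)
    return ("unclassified", False, None)


# Constructed sample rogues: (bssid, ssid, rssi, clients, encrypted, seen, on wire).
SAMPLES: Dict[str, Rogue] = {
    "honeypot": Rogue("02:00:00:00:00:01", "corp-secure", -55, 2, True, 120, False),
    "on_wire": Rogue("02:00:00:00:00:02", "linksys", -60, 0, False, 30, True),
    "open_busy": Rogue("02:00:00:00:00:03", "freewifi", -62, 5, False, 500, False),
    "neighbour": Rogue("02:00:00:00:00:04", "cafe", -85, 1, True, 90000, False),
    "new_unknown": Rogue("02:00:00:00:00:05", "phone", -75, 0, False, 20, False),
}

if __name__ == "__main__":
    for label, rogue in SAMPLES.items():
        print(f"{label:12s} {classify(rogue)}")
```

The rule order is the point: only rogues that impersonate your SSIDs or are found on your own wire get automatic containment, because containing a neighbour's legitimate AP is both disruptive and, in many jurisdictions, unlawful; everything else is classified for a human to review.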
Optimize Wi-Fi with CleanAir: Quickly Identify and Mitigate Wi-Fi Impacting Interference
[Figure: three-step sequence on channels 1, 6 and 11. CleanAir detects an interferer on one channel, RRM moves the affected AP to a clean channel, and the interference source is marked for mitigation.]
CleanAir Detectable Attacks: some examples
• Layer 3-7, IP and application attacks & exploits: traditional IDS/IPS
• Layer 2, Wi-Fi protocol attacks & exploits: wIPS
• Layer 1, RF signaling attacks & exploits: CleanAir, dedicated to L1 exploits on 2.4 GHz and 5 GHz
CleanAir rogue threats: "undetectable" rogues (such as the invalid-channel and inverted Wi-Fi types above) and Wi-Fi jammers ("classic" interferers). See also BRKEWN-3010.
Secure Access to Corporate Network
• 802.1X
• MAC authentication
• WebAuth
• Guest access
• BYOD
• NAC, RADIUS, classification

Cisco Identity Services Engine (ISE)
ISE consolidates the earlier ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server into one platform providing:
• Centralized policy
• RADIUS server
• Posture assessment
• Guest access services
• Device profiling
• Client provisioning
• MDM integration
• Monitoring & troubleshooting
• Device administration / TACACS+
See also BRKSEC-3697 and BRKSEC-3699.
Authentication and Authorization: What are they?
• Authentication (802.1X / iPSK / MAB / WebAuth) tells who or what the endpoint is.
• Authorization tells what the endpoint has access to.
Policy elements returned by authorization: VLAN; access control list; quality of service; application control; Bonjour service policy; URL redirect.
URL Redirect: Central Web Auth, Client Provisioning, Posture
• url-redirect: for CWA, client provisioning, posture and MDM, the URL value is returned as a Cisco AV-pair RADIUS attribute, e.g.
  cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
• url-redirect-acl: this ACL specifies the traffic to be permitted (bypass redirection) or denied (trigger redirection). It is returned by name and must exist as a named ACL on the WLC, e.g.
  cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT
• On the WLC, ACL entries define the traffic subject to redirection (deny) and the traffic that bypasses redirection (permit). Traffic matching no entry hits the implicit deny and is redirected, so the ACL must permit at least DNS and the traffic to the ISE portal or the client can never load the login page. Note that on Catalyst switches the sense of the redirect ACL is the opposite: permit entries select the traffic to redirect.
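To make the AV-pair handling concrete, here is an added example (not Cisco code) of how a controller could consume the url-redirect and url-redirect-acl attributes above, together with the avc-profile-name attribute that the later AVC slide returns in the same format, and how the redirect ACL then decides which client packets are intercepted. The session, the ACL contents and the sample traffic are constructed; the semantics modelled are the AireOS ones (deny = redirect, permit = bypass, implicit deny at the end).

```python
"""Added example (not Cisco code): how a controller could consume the
url-redirect, url-redirect-acl and avc-profile-name AV-pairs returned by ISE,
and how the redirect ACL decides which client traffic is intercepted. The
session, the ACL entries and the traffic samples are constructed; AireOS
semantics are modelled (deny = redirect, permit = bypass, implicit deny)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def parse_av_pairs(attrs: List[str]) -> Dict[str, str]:
    """Turn ['cisco:cisco-av-pair=url-redirect=https://...', ...] into a dict.
    The value may itself contain '=' (query strings), so split the key once."""
    result: Dict[str, str] = {}
    for attr in attrs:
        attr = attr.replace(" ", "")  # slides write 'key = value'; URLs carry no spaces
        # Accept both 'cisco:cisco-av-pair=...' and plain 'cisco-av-pair=...'.
        body = attr.split("cisco-av-pair=", 1)[1]
        key, _, value = body.partition("=")
        result[key] = value
    return result


@dataclass
class Ace:
    action: str              # "permit" bypasses redirection, "deny" triggers it
    proto: str               # "ip" (any protocol), "tcp" or "udp"
    dst: str                 # destination network in CIDR notation
    dport: Optional[int] = None


@dataclass
class Session:
    mac: str
    redirect_url: Optional[str] = None
    redirect_acl: List[Ace] = field(default_factory=list)
    avc_profile: Optional[str] = None


# Constructed content of the named ACL that ISE refers to. Only DNS and the ISE
# portal bypass redirection; everything else, including the implicit deny at the
# end, is redirected to the portal URL. 192.0.2.10 is a documentation address.
ACL_TABLE: Dict[str, List[Ace]] = {
    "ACL-POSTURE-REDIRECT": [
        Ace("permit", "udp", "0.0.0.0/0", 53),
        Ace("permit", "tcp", "192.0.2.10/32", 8443),
        Ace("deny", "ip", "0.0.0.0/0"),
    ]
}


def apply_authorization(session: Session, attrs: List[str]) -> Session:
    """Apply the AV-pairs from an Access-Accept to a client session."""
    av = parse_av_pairs(attrs)
    session.redirect_url = av.get("url-redirect")
    acl_name = av.get("url-redirect-acl")
    if acl_name:
        # The ACL is referenced by name and must already exist on the WLC.
        session.redirect_acl = ACL_TABLE[acl_name]
    session.avc_profile = av.get("avc-profile-name")
    return session


def disposition(session: Session, proto: str, dst_ip: str, dport: int) -> Tuple[str, Optional[str]]:
    """Decide what happens to one client packet while the redirect is in force."""
    if session.redirect_url is None:
        return ("forward", None)
    for ace in session.redirect_acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ip_address(dst_ip) not in ip_network(ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.action == "permit":
            return ("forward", None)
        return ("redirect", session.redirect_url)
    return ("redirect", session.redirect_url)  # implicit deny: unmatched traffic is redirected


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed Access-Accept for an unknown MAC during CWA (attribute values from the slides)."""
    attrs = [
        "cisco:cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa",
        "cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT",
        "cisco-av-pair = avc-profile-name = AVC-Contract",
    ]
    session = apply_authorization(Session(mac="00:11:22:33:44:55"), attrs)
    return {
        "dns": disposition(session, "udp", "192.0.2.53", 53),
        "ise_portal": disposition(session, "tcp", "192.0.2.10", 8443),
        "web": disposition(session, "tcp", "198.51.100.7", 80),
        "ssh": disposition(session, "tcp", "198.51.100.7", 22),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Run it and DNS and the ISE portal are forwarded while the web and SSH attempts are redirected to the portal URL. If the permit entry for the portal were missing, the redirect target itself would be redirected and the client would loop; that is the misconfiguration to check first when CWA "never shows the login page".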
Client Attributes and Traffic for Profiling: how RADIUS, HTTP, DNS, DHCP (and other traffic) are used to classify clients
• ISE uses multiple attributes to build a complete picture of the end client's device profile.
• Information is collected from sensors which capture different attributes.
1. RADIUS: the MAC address is checked against the known vendor OUI database.
2. DHCP/HTTP sensor: the client's DHCP and HTTP attributes are captured by the AP and provided in RADIUS Accounting messages by the WLC.
3. HTTP User-Agent: mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE's portals.
Profiling Example from ISE
"I have some certainty that this device is an iPad" when:
• DHCP:host-name CONTAINS iPad
• IP:User-Agent CONTAINS iPad
• the MAC address is from Apple
Local (WLC) Device Classification
Collection
1. MAC address checked against the vendor OUI database
2. Client's DHCP attributes captured by the AP
3. User-Agent payload on a custom HTTP port inspected by the HTTP sensor
Analysis: pre-defined device signatures and an in-built MAC OUI dictionary. MAC OUI and device profiles can be dynamically updated on the WLC independent of the controller image.
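The ISE example above (host-name contains iPad, User-Agent contains iPad, MAC from Apple) and the WLC's local classification both combine several weak signals into one verdict. The following is an added example of certainty-factor profiling in that style, not ISE or WLC code: each matching condition adds its certainty factor, a profile is assigned when the total reaches its minimum, and a child profile can only match if its parent did. The endpoint attributes, the OUI table (placeholder prefixes, not real IEEE assignments) and the certainty values are constructed for the example.

```python
"""Added example (not ISE code) of certainty-factor profiling in the style of the
rule above: each matching condition adds its certainty factor, and a profile is
assigned when the total reaches the profile's minimum and the parent profile
also matched. The endpoint attributes, the OUI table (placeholder prefixes, not
real IEEE assignments) and the certainty values are constructed for the example."""
from typing import Dict, List, Optional, Tuple

# Placeholder OUI table; a real profiler loads the IEEE OUI registry.
OUI_VENDOR: Dict[str, str] = {"00:11:22": "Apple", "00:33:44": "Samsung"}

Condition = Tuple[str, str, str, int]  # (attribute, operator, value, certainty factor)

# profile -> (parent profile, minimum certainty, conditions). Parents are listed
# before children so a single pass can resolve the hierarchy.
PROFILES: Dict[str, Tuple[Optional[str], int, List[Condition]]] = {
    "Apple-Device": (None, 10, [("oui_vendor", "EQUALS", "Apple", 10)]),
    "Apple-iPad": ("Apple-Device", 20, [
        ("dhcp_host_name", "CONTAINS", "iPad", 10),
        ("http_user_agent", "CONTAINS", "iPad", 10),
    ]),
    "Apple-iPhone": ("Apple-Device", 20, [
        ("dhcp_host_name", "CONTAINS", "iPhone", 10),
        ("http_user_agent", "CONTAINS", "iPhone", 10),
    ]),
}


def enrich(endpoint: Dict[str, str]) -> Dict[str, str]:
    """Add the OUI vendor lookup (the RADIUS/MAC probe) to the raw attributes."""
    ep = dict(endpoint)
    oui = ep["mac"].upper().replace("-", ":")[:8]
    ep["oui_vendor"] = OUI_VENDOR.get(oui, "Unknown")
    return ep


def condition_matches(ep: Dict[str, str], attr: str, op: str, value: str) -> bool:
    actual = ep.get(attr)
    if actual is None:
        return False
    if op == "CONTAINS":
        return value.lower() in actual.lower()
    if op == "EQUALS":
        return actual.lower() == value.lower()
    raise ValueError(f"unsupported operator {op}")


def certainty(ep: Dict[str, str], conditions: List[Condition]) -> int:
    return sum(cf for attr, op, value, cf in conditions if condition_matches(ep, attr, op, value))


def depth(name: str) -> int:
    d, parent = 0, PROFILES[name][0]
    while parent is not None:
        d, parent = d + 1, PROFILES[parent][0]
    return d


def profile_endpoint(endpoint: Dict[str, str]) -> Tuple[str, int]:
    """Return (most specific matched profile, its certainty) or ('Unknown', 0)."""
    ep = enrich(endpoint)
    matched: Dict[str, int] = {}
    for name, (parent, minimum, conditions) in PROFILES.items():
        if parent is not None and parent not in matched:
            continue  # a child profile never matches without its parent
        score = certainty(ep, conditions)
        if score >= minimum:
            matched[name] = score
    if not matched:
        return ("Unknown", 0)
    best = max(matched, key=lambda n: (depth(n), matched[n]))
    return (best, matched[best])


# Constructed sample endpoints.
SAMPLE_IPAD = {"mac": "00:11:22:aa:bb:cc", "dhcp_host_name": "Alices-iPad",
               "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 10_3 like Mac OS X)"}
SAMPLE_MAC_ONLY = {"mac": "00-11-22-dd-ee-ff"}
# Client-supplied attributes are easy to forge: an iPad User-Agent on a non-Apple OUI.
SAMPLE_SPOOF = {"mac": "00:33:44:01:02:03", "http_user_agent": "Mozilla/5.0 (iPad)"}

if __name__ == "__main__":
    for label, ep in (("ipad", SAMPLE_IPAD), ("mac-only", SAMPLE_MAC_ONLY), ("spoof", SAMPLE_SPOOF)):
        print(label, profile_endpoint(ep))
```

The spoof sample is the caveat: host name, User-Agent and even the MAC are all chosen by the client, so a profile should select a policy tier (for instance "personal iPad gets Internet only") but never replace authentication as the gate to sensitive resources.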
Profile-Based Policy Enforcement: practical examples of policies
User Role | Device | Service | Action
Employee | Corporate asset | Product Bookings / Facebook.com | Permit
Employee | Personal iPad | Facebook.com | Permit
Employee | Personal iPad | Product Bookings | Deny
Device Awareness: Identity is the Base
Various authentication mechanisms, all backed by ISE: authorized users (802.1X), IP phones and IoT devices (Identity PSK), guests (web auth).

Mechanism | Security benefits | Drawback
802.1X (managed devices/users) | Robust; industry standard; strong encryption and authentication | Requires an 802.1X supplicant; complex to configure, implement and manage
Identity PSK (non-802.1X devices) | Easy to configure; strong encryption; works with existing infrastructure | The passphrase must be keyed in manually on the client
Web authentication (non-802.1X users) | Used with MAB and the profiler to trigger the guest process for secure onboarding and resources for guest access | Web auth by itself offers per-client access rather than group-level access
802.1X: Why 802.1X?
How does it work? Supplicant → (EAPoL) → Authenticator (AP, WLC) → (RADIUS) → Authentication Server (ISE)
• Industry standard approach to identity
• Most secure user/device authentication
• Complements other switch security features
• Various deployment options
• Foundation for services like posture and policy implementation
EAP Authentication Types: different authentication options leveraging different credentials
• Tunnel-based (EAP-PEAP, EAP-FAST) with an inner method (EAP-GTC, EAP-TLS, EAP-MSCHAPv2). Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel provides security for the inner method, which may be vulnerable by itself; that protection only holds if the supplicant validates the server certificate (trusted CA and expected server name), otherwise an evil-twin AP presenting any certificate can terminate the tunnel and collect the MSCHAPv2 exchange.
• Certificate-based: for more security, EAP-TLS provides mutual authentication of both the server and the client.
RADIUS Change of Authorization (CoA)
• RADIUS exchanges are initiated by the network device (NAD), so without CoA there is no way for ISE to change an authorization once it has been granted.
• With CoA the network device listens for requests from ISE (UDP 1700 or 3799) and can:
  • Re-authenticate the session
  • Terminate the session
  • Terminate the session with port bounce
  • Disable the host port
"Now I can control ports when I want to!" On an IOS switch the listener is enabled per policy service node, and only the configured clients with the matching key can issue CoA:
(config)#aaa server radius dynamic-author
 client {PSN} server-key {RADIUS_KEY}
Identity PSK: multiple PSKs per SSID, so one PSK WLAN can give each device group its own key (AireOS 8.5)
• Increased demand for IoT devices
• Identity-based security without 802.1X
• Simple operations, high scale, cost effective
• Private PSK with RADIUS integration
• Per-client AAA override (VLAN / ACL etc.)
Identity PSK: how it works (AireOS 8.5)
WLAN configuration on the Wireless LAN Controller: PSK WLAN with MAC filtering and AAA override enabled.

Device MAC group | Private PSK
IoT devices | aabbcc
Sensors | xxyyzz
Employees | none (the WLAN PSK applies)

After MAC filtering, ISE returns the group's key to the WLC as AV-pairs:
• IoT devices: Cisco-AVPair += "psk-mode=ascii", Cisco-AVPair += "psk=aabbcc"
• Sensors: Cisco-AVPair += "psk-mode=ascii", Cisco-AVPair += "psk=xxyyzz"
• Employees: no PSK attributes, so the WLAN PSK is used
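What the controller actually does with those attributes is pick the key it will run the 4-way handshake with. The following is an added example of that selection, not Cisco's implementation: MAC filtering returns the client's AAA record, a private PSK from the psk-mode/psk AV-pairs wins over the WLAN PSK, and a MAC that AAA does not know is rejected. The PMK derivation is the standard WPA2-PSK one (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt); the MIC exchange is a simplified stand-in for the handshake, only enough to show that a client holding another group's key fails. The SSID and MACs are constructed, the private PSKs are the slide's placeholders (shorter than WPA2's 8-character minimum), and only psk-mode=ascii is modelled.

```python
"""Added example (not Cisco code): the key selection a controller performs on an
Identity PSK WLAN. MAC filtering returns the client's AAA record; if it carries
psk-mode/psk AV-pairs the private PSK is used, otherwise the WLAN PSK applies,
and a MAC that AAA does not know is rejected. PMK derivation is the standard
WPA2-PSK one (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt). The MIC exchange is
a simplified stand-in for the 4-way handshake. SSID and MACs are constructed,
the private PSKs are the slide's placeholders, only psk-mode=ascii is modelled."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

SSID = "corp-iot"
WLAN_PSK = "employee-wlan-passphrase"

# Constructed AAA results per client MAC (what ISE returns after MAC filtering).
AAA: Dict[str, List[str]] = {
    "00:11:22:00:00:01": ['Cisco-AVPair="psk-mode=ascii"', 'Cisco-AVPair="psk=aabbcc"'],  # IoT devices
    "00:11:22:00:00:02": ['Cisco-AVPair="psk-mode=ascii"', 'Cisco-AVPair="psk=xxyyzz"'],  # Sensors
    "00:11:22:00:00:03": [],                                                              # Employees
}


def private_psk(avpairs: List[str]) -> Optional[str]:
    """Extract the private PSK from Cisco-AVPair attributes, or None if absent."""
    mode, psk = None, None
    for pair in avpairs:
        body = pair.split("=", 1)[1].strip('"')
        key, _, value = body.partition("=")
        if key == "psk-mode":
            mode = value
        elif key == "psk":
            psk = value
    if psk is None:
        return None
    if mode != "ascii":
        raise ValueError(f"psk-mode {mode!r} not modelled in this example")
    return psk


def derive_pmk(passphrase: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), SSID.encode(), 4096, 32)


def controller_pmk(mac: str) -> Optional[Tuple[bytes, str]]:
    """Key the controller will use for this client, tagged 'private' or 'wlan'."""
    if mac not in AAA:
        return None  # MAC filtering failed: no Access-Accept, client rejected
    psk = private_psk(AAA[mac])
    if psk is None:
        return (derive_pmk(WLAN_PSK), "wlan")
    return (derive_pmk(psk), "private")


def client_mic(passphrase: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key it was configured with."""
    return hmac.new(derive_pmk(passphrase), nonce, hashlib.sha256).digest()


def controller_accepts(mac: str, nonce: bytes, mic: bytes) -> bool:
    keyed = controller_pmk(mac)
    if keyed is None:
        return False
    expected = hmac.new(keyed[0], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mic)


def demo() -> Dict[str, bool]:
    nonce = b"constructed-anonce"
    return {
        "iot_with_iot_key": controller_accepts("00:11:22:00:00:01", nonce, client_mic("aabbcc", nonce)),
        "iot_with_wlan_key": controller_accepts("00:11:22:00:00:01", nonce, client_mic(WLAN_PSK, nonce)),
        "sensor_with_iot_key": controller_accepts("00:11:22:00:00:02", nonce, client_mic("aabbcc", nonce)),
        "employee_with_wlan_key": controller_accepts("00:11:22:00:00:03", nonce, client_mic(WLAN_PSK, nonce)),
        "unknown_mac": controller_accepts("00:11:22:ff:ff:ff", nonce, client_mic(WLAN_PSK, nonce)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'accepted' if ok else 'rejected'}")
```

Two practical consequences follow from the model. First, a private PSK is still shared by every device in its group, so one compromised sensor can decrypt its peers' traffic and the group key has to be rotated; second, the key travels to the controller inside a RADIUS attribute, so the RADIUS path between ISE and the WLC deserves the same protection as the key itself.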
Central Web Authentication (CWA)
CWA is a URL-redirect scenario: the redirection URL and the redirect ACL are centrally configured on ISE and communicated to the WLC via RADIUS.
1. Open SSID with MAC filtering enabled.
2. First authentication session: MAB for the unknown MAC.
3. AuthC success; AuthZ for the unknown MAC returned: redirect/filter ACL and portal URL.
4. Host acquires an IP address, which triggers the session state.
5. Host opens a browser; the WLC redirects it to the ISE login page and the host sends username/password.
6. Web auth success results in CoA: the server authorizes the user.
7. MAB re-auth: MAB success, session lookup, policy matched, authorization ACL/VLAN returned.
Other URL-Redirect Scenarios (Posture, MDM)
1. SSID configured for 802.1X / MAB.
2. First authentication session.
3. AuthC success; AuthZ returned: redirect/filter ACL and URL for posture/MDM/etc.
4. Host acquires an IP address, which triggers the session state.
5. Host opens a browser; the WLC redirects it to ISE for the other services: posture check, MDM check, client provisioning, etc.
6. RADIUS CoA: the server authorizes the user.
7. 802.1X/MAB re-auth success: session lookup, policy matched, authorization ACL/VLAN returned.
Thanks to RADIUS CoA we can apply other identity services after 802.1X or MAB.
MDM Integration
Device attributes ISE can check through the MDM: ISE registered; MDM registered; PIN locked; encryption; jail broken.
Managing Guest User Lifecycle with ISE
• Provisioning (create guest accounts): create a single guest account; import a CSV file for multiple guest accounts
• Notification (give accounts to guests): print account details; send account details via email; send account details via text
• Management (manage guest accounts): view, edit, suspend guest accounts; manage batches of created accounts
• Reporting (report on guests): view and audit reports on individual guest accounts; display management reports on guest accounts

ISE Sponsor Portal
• Customizable sponsor pages
• Sponsor privileges tied to the defined sponsor policy: roles the sponsor can create; time profiles that can be assigned; management of other guest accounts; single or bulk account creation

ISE Guest Self-Service
Solution Level Attack Protection
• TrustSec: SXP, inline tagging
• AVC / NetFlow
• URL filtering
• Local policy with AVC, Umbrella
• AAA override: VLAN, ACL, QoS
Integrating Security IN the Network
Network as a Security Sensor (NaaS)
• Detect anomalous traffic
• Detect user access violations
• Obtain broad visibility of network traffic
Network as a Security Enforcer (NaaE)
• Software-defined segmentation to contain attacks
• Dynamic user groups and consistent policy across the network, users and devices
• Access control to protect resources

The Network Gives Deep and Broad Visibility
Network segmentation cycle: discover and classify assets; understand behavior; design and model policy; enforce policy; active monitoring. The network is a key asset for threat detection and control.
How AVC Works on Cisco Wireless: network visibility, control, context and analytics
• Deep packet inspection: the DPI engine (NBAR2) identifies applications using L7 signatures; NBAR runs on the AP from AireOS 8.1
• Performance collection & exporting: application info is collected and exported to the controller every 90 seconds (static NetFlow), e.g. WebEx 3 Mb with 150 ms transaction time, Citrix 10 Mb with 500 ms
• Reporting tools: Cisco Prime Infrastructure (app visibility & user experience report); StealthWatch, LiveAction and others
• Control: use QoS rate limiting (high / medium / low) to control application bandwidth usage for performance
AVC on FlexConnect Access Points
• NetFlow export from the branch Gen 2 AP to the WLC across the WAN; real-time information for the last 90 seconds
• AVC supported on Gen 2 FlexConnect access points (AireOS 8.1), Protocol Pack 14 with upgraded NBAR engine 23
• Stateful context transfer supported for intra-FlexConnect-group roams
NetFlow: the heart of "network as a sensor"
Record fields: client MAC, client IP, SSID, access point MAC, packet count, byte count, ToS/DSCP value, application tag (who, where, when, what).
• NetFlow statistics sent at an interval of 30 seconds
• NetFlow record sent even for unclassified applications
• Username sent for dot1x authentication

Network as an Enforcer
• Wireless StealthWatch integration
• TrustSec for policy enforcement
• Policy management with ISE
• Native policy management on WLC
Wireless StealthWatch Integration: Network as a Sensor, Network as an Enforcer
• The WLC exports NetFlow v9 records (flow telemetry) to the StealthWatch Flow Collectors, which collect and analyze; the StealthWatch Management Console manages up to 25 flow collectors
• ISE supplies identity, MAC address and device type to StealthWatch over pxGrid notifications
• Quarantine: StealthWatch asks ISE to quarantine the endpoint and ISE sends a CoA to the WLC
Supported on AireOS 8.2 on 5520/8510/8540 WLCs. See also BRKSEC-3014.
Cisco TrustSec Enabled Network Segmentation: simplifying enforcement (AireOS 8.4)
Traditional security policy: IP-address-based ACLs that grow with every subnet and server, illustrated on the slide by entries such as
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
(an illustration of unreadability, not a real ruleset).
TrustSec security policy: dynamic policy and enforcement on an identity-enabled infrastructure, expressed in roles such as Employee, Supplier and Non-Compliant against destinations such as App Server, Shared Server, Internet, Intranet and Data Center.
Wireless TrustSec Support
• Classification (assigning SGTs): static and dynamic assignments, e.g. 5 Employee, 6 Voice, 7 Partner
• Propagation: inline SGT and SXP
• Enforcement: Security Group ACL (SGACL)

AP mode | SXPv4 on AP | Inline tagging on AP | SGACL enforcement
Local | No | No | Yes
Flex | Yes | Yes | Yes
Mesh | No | No | Yes (indoor only)

Topology and location independent: the policy (SGT) stays with the endpoint, which simplifies ACL management.
Egress Policy Matrix
The default rule can be permit or deny.

Ingress Classification, Egress Enforcement
Path on the slide: user on WLC5508 behind a Cat3850 → Cat6800 → enterprise backbone → Nexus 7000 / Nexus 5500 / Nexus 2248 → servers.
1. The user authenticates and is classified as Marketing (SGT 5).
2. The packet SRC 10.1.10.220, DST 10.1.100.52 carries SGT 5 across the backbone.
3. Destination classification at the egress device: Web_Dir (10.1.100.52) is SGT 20, CRM (10.1.200.100) is SGT 30.
4. The egress device looks up (source SGT, destination SGT) in the matrix:

SRC \ DST | Web_Dir (20) | CRM (30)
Marketing (5) | Permit | Deny
BYOD (7) | Deny | SGACL-A
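The lookup in step 4 is small enough to write out. Here is an added example of the egress-enforcement decision, not Cisco code: classify the destination by an IP-to-SGT mapping, take the source SGT that arrived with the packet, look up the matrix cell and fall back to the default rule when no cell exists. The SGT numbers, names and matrix cells come from the slide; mapping the whole /24s, the contents of SGACL-A and the default rule are assumptions for the example.

```python
"""Added example (not Cisco code) of the egress-enforcement lookup on the slide:
classify the destination by an IP-to-SGT mapping, take the source SGT that
arrived with the packet, look up the (source SGT, destination SGT) cell of the
egress policy matrix and fall back to the default rule when no cell exists.
The SGT numbers, names and matrix cells are from the slide; the /24 mappings,
the contents of SGACL-A and the default rule are assumptions."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SGT_NAMES: Dict[int, str] = {5: "Marketing", 7: "BYOD", 20: "Web_Dir", 30: "CRM"}

# Destination classification (IP-to-SGT). The slide maps 10.1.100.52 to 20 and
# 10.1.200.100 to 30; mapping the whole /24s is an assumption for the example.
IP_SGT: Dict[str, int] = {"10.1.100.0/24": 20, "10.1.200.0/24": 30}

# Named SGACLs: ordered (action, protocol, destination port) entries with an
# implicit deny at the end. SGACL-A's content is constructed.
SGACLS: Dict[str, List[Tuple[str, str, Optional[int]]]] = {
    "SGACL-A": [("permit", "tcp", 443), ("deny", "ip", None)],
}

# Egress policy matrix: (source SGT, destination SGT) -> "permit" | "deny" | SGACL name.
MATRIX: Dict[Tuple[int, int], str] = {
    (5, 20): "permit", (5, 30): "deny",
    (7, 20): "deny",   (7, 30): "SGACL-A",
}
DEFAULT_RULE = "deny"  # the matrix default rule can be permit or deny


def classify_destination(dst_ip: str) -> Optional[int]:
    """Longest-prefix match of the destination address against the IP-to-SGT table."""
    addr = ip_address(dst_ip)
    best: Optional[Tuple[int, int]] = None  # (prefix length, sgt)
    for prefix, sgt in IP_SGT.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return None if best is None else best[1]


def matrix_cell(src_sgt: int, dst_sgt: int) -> str:
    return MATRIX.get((src_sgt, dst_sgt), DEFAULT_RULE)


def enforce(src_sgt: int, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a packet carrying src_sgt towards dst_ip."""
    dst_sgt = classify_destination(dst_ip)
    if dst_sgt is None:
        return DEFAULT_RULE  # unknown destination group: apply the default rule
    cell = matrix_cell(src_sgt, dst_sgt)
    if cell in ("permit", "deny"):
        return cell
    for action, acl_proto, acl_port in SGACLS[cell]:
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if acl_port is not None and acl_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of the SGACL


def trace(src_sgt: int, dst_ip: str, proto: str, dport: int) -> str:
    dst_sgt = classify_destination(dst_ip)
    dst_name = "unknown" if dst_sgt is None else SGT_NAMES.get(dst_sgt, "unknown")
    return (f"{SGT_NAMES.get(src_sgt, src_sgt)}({src_sgt}) -> {dst_name}({dst_sgt}) "
            f"{proto}/{dport}: {enforce(src_sgt, dst_ip, proto, dport)}")


if __name__ == "__main__":
    # The packet from the slide: SRC 10.1.10.220 with SGT 5 towards Web_Dir 10.1.100.52.
    print(trace(5, "10.1.100.52", "tcp", 80))
    print(trace(5, "10.1.200.100", "tcp", 443))
    print(trace(7, "10.1.200.100", "tcp", 443))
    print(trace(7, "10.1.200.100", "tcp", 80))
    print(trace(20, "10.1.200.100", "tcp", 80))
```

Note what is absent from the decision: no source IP, no VLAN, no ingress interface. That is why the slide calls the policy topology and location independent, and also why the default rule matters: every (source, destination) pair you never thought about lands on it.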
TrustSec East-West Traffic Use Case: role-based segmentation
Wired and wireless Employees and Suppliers sit in VLAN Data-1 and VLAN Data-2 and carry the Employee tag or the Supplier tag; application servers, shared services and remediation live in the data center behind the DC switch, with ISE reachable over the enterprise backbone. The TrustSec-enabled WLC and AP receive policy only for what is connected, and access control is based on the role of the user.
How about policies?
• Differentiating user groups
• Keeping untrusted devices out
• Basic access vs. full access
ISE for Network-Wide Unified Policy Enforcement
Context: who, what, where, when, how. Identity sources: profiling, posture, guest access, 802.1X, iPSK, MAB, WebAuth. Enforced on wireless LAN controllers, access points, switches and routers.
Examples: Franklo, guest, 9 am; TonyS, consultant, 6 pm; KG, employee, 2 pm, on an employee-owned personal iPad.
Client Context and Policies: control and enforcement
1. 802.1X EAP machine/user authentication at the access point (HQ, 2:38 pm)
2. Profiling to identify the device (DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS) as a personal asset or a company asset
3. Posture of the device
4. Policy decision in ISE (Unified Access Management)
5. Enforcement on the Wireless LAN Controller: dACL, VLAN, SGT
6. Full or partial access granted: corporate resources, or Internet only
Local Profiling and Policy on WLC: build BYOD with native WLC options
Inputs (conditions): access method, user role, device type, time of day, authentication type
Results (enforcement elements): VLAN, access control list, quality of service, AVC, Bonjour service policy

ISE and Wireless LAN Controller Profiling Support
ISE | Wireless LAN Controller
Profiling using RADIUS, DHCP, HTTP, SNMP, DNS and NetFlow probes | Profiling based on MAC OUI, DHCP and HTTP User-Agent
Multiple attributes for policy action supported | Policy action attributes: VLAN, ACL, session timeout, QoS
Profiling rules can be customized | Default profiling rules
Policies for Applications and Services
1. Cisco Umbrella
2. URL filtering
3. AVC
4. mDNS and Bonjour services
Cisco Umbrella for Content Filtering (AireOS 8.4): why care about DNS?
• Cloud-based web filtering: low-cost architecture
• Threat management: data analysis methods
• Insightful reporting: powerful reporting and analytics
Uses recursive DNS and covers network, endpoint, mobile, virtual and cloud apps.
Cisco Umbrella with WLC
• The WLC intercepts the client's DNS query (addressed to the configured DNS server, 10.1.1.1 in the example, or an external DNS proxy) and redirects it to the Umbrella cloud server at 208.67.220.220, which answers according to the ACME policy (e.g. block gaming sites)
• Content filtering and whitelisting at the DNS layer at WLAN, AP group or policy level
DNS-layer filtering controls name resolution only: a client that connects to a raw IP address without a lookup is not affected, so pair it with AVC or URL filtering where that matters.
Role-Based Policy with Cisco Umbrella: OpenDNS profile mapping in local policy
The AAA user role (Contractor or Employee) selects the Contractor policy or the Employee policy; each client's DNS query goes to the Cisco Umbrella cloud with that profile and the DNS response applies the role's policy. See also BRKSEC-2980 and LABSEC-2006.

Location-Based Policy with Cisco Umbrella: OpenDNS profile mapping in AP group
The Corporate HQ AP group gets the Corporate policy; the Branch Office AP group gets the Branch policy.
Granular Filtering with Policy Tie-In to AVC

Role-based application policy
• Alice (Sales) and Bob (IT Admin) are both employees
• Both Alice and Bob are connected to the same SSID
• Alice can access certain applications (YouTube), Bob cannot

Role-based + device-type application policy
• Alice can access inventory info on an IT-provisioned Windows laptop
• Alice cannot access inventory info on her personal iPad

Role-based + device-type + application-specific policy
• Alice has limited access (rate limit) to Jabber on her iPhone

AVC release history
• 7.4: AVC
• 7.5: dynamic protocol pack update
• 7.6: Jabber, Lync 2013 support
• 8.0 / 8.1: user- and device-aware policies; ability to classify Apple iOS, Windows and Android upgrades
• 8.2: Wi-Fi calling; Skype for Business; UserId + IP flow for NetFlow export; Stealthwatch collector
AVC (Application Visibility and Control): per-user profiles via AAA
RADIUS returns the name of the AVC profile to apply to the user's session on the WLC:
• Employee: cisco-av-pair = avc-profile-name = AVC-Employee (profile covering YouTube, Facebook, Skype and BitTorrent)
• Contractor: cisco-av-pair = avc-profile-name = AVC-Contract (profile covering Facebook and Skype)
mDNS and Bonjour Services: Filter by WLAN and VLAN

[Diagram: Teacher Network and Student Network. Services shown are AirPrint, AirPlay, File Share and iTunes Sharing; the Teacher Service Profile selects AirPrint, AirPlay and File Share, the Student Service Profile AirPlay and File Share. mDNS service instance groups: the Teacher Service Instance List contains Apple TV1 and Apple TV2, the Student Service Instance List only Apple TV1]

• mDNS Profiles – select services
• mDNS Profile with Local Policy – services per-user and per-device
• mDNS Policies – services based on AP location and user role
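What the profiles and instance lists on this slide decide, as an added Python example (not from the deck or any Cisco code): a minimal Bonjour-gateway filter that parses the PTR records in an mDNS response and reflects to a client only the service types in its mDNS profile and the instances in its service instance list. The service type names are the standard Bonjour ones (AirPlay _airplay._tcp, AirPrint _ipp._tcp, file sharing _afpovertcp._tcp, iTunes sharing _daap._tcp); the profile contents, instance names and the packet are constructed for the example.

```python
# Added example, not from the deck: a minimal Bonjour-gateway filter. Service type names are
# the standard Bonjour ones; profiles, instance names and the packet are constructed here.
import struct

TYPE_PTR, CLASS_IN = 12, 1

SERVICE_TYPES = {                      # slide service name -> Bonjour service type
    "AirPlay": "_airplay._tcp.local",
    "AirPrint": "_ipp._tcp.local",
    "File Share": "_afpovertcp._tcp.local",
    "iTunes Sharing": "_daap._tcp.local",
}

# mDNS profile (which services) and service instance list (which devices) per role,
# following the Teacher / Student split on the slide; contents are constructed.
PROFILES = {
    "Teacher": {"services": {"AirPrint", "AirPlay", "File Share", "iTunes Sharing"},
                "instances": {"Apple TV1", "Apple TV2", "Staff Printer"}},
    "Student": {"services": {"AirPlay", "File Share"},
                "instances": {"Apple TV1"}},
}


def encode_name(name):
    """DNS wire-format name without compression."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def decode_name(buf, off):
    """Read a name at off, following compression pointers; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        n = buf[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                          # pointer loop in a forged packet
                raise ValueError("compression pointer loop")
            continue
        if n == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def ptr_response(advertisements):
    """Constructed mDNS response: one PTR record per (service type, instance name)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(advertisements), 0, 0)
    body = b""
    for svc, instance in advertisements:
        target = encode_name(instance + "." + svc)
        body += encode_name(svc) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(target)) + target
    return header + body


def parse_ptr_records(pkt):
    """Return (service type, target) for every PTR answer, bounds-checking each field."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                            # skip questions
        _, off = decode_name(pkt, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated resource record")
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):
            raise ValueError("rdata runs past end of packet")
        if rtype == TYPE_PTR:
            records.append((name, decode_name(pkt, off)[0]))
        off += rdlen
    return records


def filter_for_profile(pkt, profile_name):
    """(service, instance) pairs the gateway reflects to a client under this mDNS profile."""
    prof = PROFILES[profile_name]
    allowed = {SERVICE_TYPES[s]: s for s in prof["services"]}
    visible = []
    for svc, target in parse_ptr_records(pkt):
        if svc not in allowed:                     # service type not in the profile
            continue
        instance = target[:-(len(svc) + 1)] if target.endswith("." + svc) else target
        if instance in prof["instances"]:          # device must be in the instance list
            visible.append((allowed[svc], instance))
    return visible


# Constructed advertisements, as a Bonjour gateway would have learned them from the wired side.
SAMPLE = ptr_response([
    ("_airplay._tcp.local", "Apple TV1"),
    ("_airplay._tcp.local", "Apple TV2"),
    ("_ipp._tcp.local", "Staff Printer"),
    ("_daap._tcp.local", "Teacher iTunes"),
])
```

Against SAMPLE the Teacher profile sees both Apple TVs and the printer (the iTunes share is a permitted service type but not in the Teacher instance list), the Student profile sees only Apple TV1. The pointer-hop limit in decode_name matters because mDNS packets arrive unauthenticated from any client on the WLAN; a looping compression pointer is a cheap way to hang a naive gateway.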
Consolidate, Secure, Segment (Wireless Security for Workforce)

Consolidate SSIDs        Enterprise SSID                            | IOT SSID                                        | Guest SSID
  User category          Employees, Contractors, BYOD devices       | IOT devices like sensors, robots etc.           | Guest users
Secure the clients
  Security L2/L3         802.1x, BYOD CWA                           | Identity PSK                                    | Web-authentication
  Policy                 ACL, QoS, AVC profile, mDNS profile, OpenDNS policy, based on user-role, device, time of day, auth-type (all SSIDs)
Secure the air           Rogue detection, basic wIPS, advanced wIPS, CleanAir for interferers; management frame protection using MFP and 802.11w (all SSIDs)
Segment and secure the network
  AAA override           VLAN-based segmentation by user-role/identity with a single SSID | VLAN-based segmentation by IOT device group with a single PSK SSID | Specific users can be quarantined or rate-limited
  SGT / TrustSec         Segmentation by function, e.g. Marketing, Sales, HR | SGT override for IOT device groups | Segmentation by anchoring traffic to the DMZ
  Cisco Umbrella and OpenDNS policy based on SSID, AP group, local policy (all SSIDs)
  StealthWatch integration (all SSIDs)
  Encrypted mobility tunnels between controllers in the mobility group and the guest anchor
  Secure connection between WLC and AP using DTLS
Trust                    Wireless Common Criteria (CC), Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL)
Enterprise SSID Security and Segmentation

[Diagram: Access Point and WLC with ISE AAA override over 802.1x on the Enterprise SSID; clients with user-role Marketing, Sales or Contractor are placed in the Employee VLAN (ID 10) or the Contractor VLAN (ID 20) and tagged with an SGT towards the Enterprise backbone]

VLAN-based segmentation using AAA override, and role based access control using Scalable Group Tags and SGACLs (micro-segmentation using Cisco TrustSec):

  User role    VLAN   SGT   SGACL to backend servers
  Marketing    10     4     PERMIT
  Sales        10     5     PERMIT
  Contractor   20     6     DENY

Policy classification engine (per user role):

  Policy                  Marketing                    Sales                        Contractor
  Application (AVC)       Mark Webex, Jabber           Mark Webex, Jabber           Drop YouTube
  Apple devices           Apple TV, Printer, iTunes    Apple TV, Printer, iTunes    Printer only
    (controlled access via mDNS profile)
  Umbrella policy         Block ebay                   Block ebay                   Block ebay, CNN, BBC
    (category-based filtering)
Consolidate, Secure, Segment (Wireless Security for IOT): the same table as for Workforce, with the IOT SSID column applying (Identity PSK; VLAN-based segmentation by IOT device group with a single PSK SSID; SGT override for IOT device groups).
IOT SSID Security and Segmentation

[Diagram: Access Point and WLC with ISE AAA override on the IOT SSID using Identity PSK; each device group authenticates with its own PSK and is placed in its own VLAN and SGT towards the Enterprise backbone]

  Identity (device group)   PSK      VLAN   SGT   ACL      SGACL to backend servers
  IOT Sensors               aabbcc   30     4     PERMIT   PERMIT
  IOT Lighting              eeffgg   10     5     PERMIT   DENY
  Smart Devices             xxyyzz   20     6     DENY     DENY
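Identity PSK as drawn above, as an added Python example (not from the deck or Cisco code). The RADIUS side is modelled as a constructed MAC-to-device-group table that returns the psk-mode / psk cisco-av-pairs together with the VLAN and SGT from the slide; the passphrases are constructed placeholders of valid WPA2 length in place of the slide's "aabbcc" style values, the client MACs are made up, and the SSID name "IOT" is assumed. The PMK derivation is the standard WPA2-Personal one (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, SSID as salt), which is what makes device groups with different iPSKs on one SSID unable to derive each other's keys from a captured 4-way handshake.

```python
# Added example, not from the deck: Identity PSK lookup plus the WPA2 PMK derivation.
# GROUPS carries the slide's VLAN/SGT values with constructed passphrases; IDENTITIES and
# the SSID name are constructed for the example.
import hashlib

SSID = "IOT"   # assumed SSID name

GROUPS = {
    "IOT Sensors":   {"psk": "sensors-Passphrase-30", "vlan": 30, "sgt": 4},
    "IOT Lighting":  {"psk": "lighting-Passphrase-10", "vlan": 10, "sgt": 5},
    "Smart Devices": {"psk": "smart-Passphrase-20", "vlan": 20, "sgt": 6},
}

# Constructed identity table: client MAC (sent as the username in the MAC-auth RADIUS request).
IDENTITIES = {
    "00:11:22:33:44:01": "IOT Sensors",
    "00:11:22:33:44:02": "IOT Lighting",
    "00:11:22:33:44:03": "Smart Devices",
}


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32), as in IEEE 802.11 for WPA2-Personal."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def radius_lookup(mac):
    """Model of the iPSK authorization result: the cisco-av-pairs (psk-mode, psk) plus the
    VLAN/SGT override for a known MAC, or None for an Access-Reject of an unknown MAC."""
    group = IDENTITIES.get(mac.lower())
    if group is None:
        return None
    g = GROUPS[group]
    return {"group": group,
            "cisco-av-pair": ["psk-mode=ascii", "psk=" + g["psk"]],
            "vlan": g["vlan"], "sgt": g["sgt"]}


def client_pmk(mac):
    """PMK the WLC uses in this client's 4-way handshake once the RADIUS lookup has returned."""
    result = radius_lookup(mac)
    if result is None:
        return None
    psk = next(v.split("=", 1)[1] for v in result["cisco-av-pair"] if v.startswith("psk="))
    return wpa2_pmk(psk, SSID)


def same_key_domain(mac_a, mac_b):
    """True when two clients share a PMK, i.e. one could derive the other's PTK from a
    captured handshake. Different iPSK groups on the same SSID must return False."""
    a, b = client_pmk(mac_a), client_pmk(mac_b)
    return a is not None and a == b
```

The length check in wpa2_pmk is the caveat behind the slide's short placeholder keys: a real iPSK is still a WPA2 passphrase, so it needs 8 to 63 characters and the same entropy you would demand of any PSK, since each group key is shared by every device in that group. The derivation can be sanity-checked against the IEEE test vector (passphrase "password", SSID "IEEE"), which the test below does.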
Consolidate, Secure, Segment (Wireless Security for Guest): the same table as for Workforce, with the Guest SSID column applying (Web-authentication; specific users can be quarantined or rate-limited; segmentation by anchoring traffic to the DMZ; encrypted mobility tunnels to the guest anchor).
Guest SSID Security and Segmentation

[Diagram: Access Point and WLC with ISE AAA override on the Guest SSID (web auth); guest traffic is tunnelled to the Anchor WLC and placed in VLAN 50 with SGT 7 before it reaches the Enterprise backbone]

  User role   VLAN   SGT   SGACL to backend servers
  Guest       50     7     DENY

[SGACL matrix between the Employee, Server and Guest groups (role based access control using Scalable Group Tags and SGACLs); Guest to Backend Servers: DENY]

Policy classification engine (Guest):
  Application (AVC)   Mark Webex, Jabber; drop YouTube
  QoS                 Rate-limit
  Umbrella policy     Block news, sports (category-based filtering)
Key Takeaways for an End to End Wireless Security Solution
• Take a defense-in-depth approach to security. Add security layers that complement one another, at different places in the IT network: what one misses, the other catches.
• “Complexity and security are inversely proportional”. Take a simple approach to designing network security policy. Break the overall policy into smaller, managed pieces to simplify building an efficient policy.
• A BYOD strategy must consider all mobile worker types and functions before solutions are deployed. Try it first (e.g. a PoC) before network-wide implementation.
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions