© 2006, Cisco Systems, Inc. All rights reserved. 14674_05_2008_c2.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. BRKAGG-2014 14674_05_2008_c2
Design and Deployment of WLAN Security Fundamentals
BRKAGG-2014
What You Should Already Know
Cisco networking basics, and design concepts
802.11 WLAN fundamentals
Cisco Unified Wireless Networking (CUWN) concepts
WLAN Security basics
Session Agenda
Wireless and Security: Why?
  Need for Security, Threats and Vulnerabilities, Exploits
Secure Wireless Deployment: Self-Defending Network
  Requirements, Definition and Objectives of a Secure WLAN
802.11: Authentication and Encryption
  Evolution of 802.11, with a security perspective
802.1X and EAP
Mitigation Strategies and the Cisco Unified Wireless Network
  Rogue Classification, Containment, Exclusion, MFP, IDS, Signatures, Switch-port tracing, Config Auditing
Operational Perspective of a Secure WLAN
  Reporting, Dashboard, Alarms
End-to-End System-Level Security and Integration
  IPS, NAC, CS-MARS, Firewall and CSA
Wireless and Security: Why?
Need for WLAN Security
Open, pervasive nature of RF
  Can't control RF propagation; physical access is no longer needed to launch attacks
Business impact of stolen data
  Potential legal and financial implications (especially in the retail, healthcare and government verticals)
The original IEEE 802.11 design addressed only basic security needs – times have changed
Known vulnerabilities over time
WLANs are easy DoS targets: jamming, floods, man-in-the-middle attacks, dictionary attacks…
No protection of 802.11 Management and Control frames; most solutions address 802.11 Data frames only
Need to protect and authorize access to network services and resources
There's always an opportunity cost with security (money/resources/requirements vs. how secure a WLAN could be)
WLANs: Threats and Vulnerabilities
Denial of Service Attacks
Man-in-the-Middle Attacks
MAC Address Spoofing
  Trivial to bypass the once-considered-secure methods: not broadcasting the SSID, and MAC filtering
Sniffing (and war-driving)
Shared Spectrum (CSMA/CA), and Rogue Devices
  Fear of honeypot APs
  Compromises the entire (rest of the) network
Exploits, and the "Script-Kiddie" factor
  Active/passive "sniffing" and easily obtainable tools have given birth to script-kiddies
Authentication Vulnerabilities
Wireless: Denial of Service Attacks
RF Jamming
  Any intentional or unintentional RF transmitter in the same frequency band can adversely affect the WLAN
DoS using 802.11 Management frames
  Management frames are not authenticated today
  Trivial to fake the source of a management frame
  De-Authentication floods are probably the most worrisome
Misuse of Spectrum (CSMA/CA – egalitarian access!)
  "Silencing" the network with RTS/CTS floods, Big-NAV attacks
802.1X Authentication floods and Dictionary attacks
  Overloading the system with unnecessary processing
  Legacy implementations are prone to dictionary attacks, in addition to other algorithm-based attacks
Wireless: MAC Address Spoofing
As with wired networks, MAC address and IP address spoofing are possible, if not easy, in wireless networks
Outsider (hostile) attack scenario
  Does not know the key/encryption policy
  IP address spoofing is not possible if encryption is turned on (DHCP messages are encrypted between the client and the AP)
  MAC address spoofing alone (i.e., without IP address spoofing) may not buy much if encryption is turned on
Insider attack scenario
  Seeking to obtain users' secure info
  MAC address and IP address spoofing will not succeed if EAP/802.1X authentication is used (a unique encryption key is derived per user, i.e., per MAC address)
Wireless Sniffing: Good and Bad
First – sniffing, or capturing packets over the air, is an extremely useful troubleshooting methodology
Sniffing, in the old days, relied on very specific cards and drivers
Very easy to find support for most cards and drivers today
The cost (if you like to pay for it) of such software is negligible (or just use free/open-source software)
Provides an insight (with physical proximity) into the network, services, and devices, which comes in handy when performing network reconnaissance
Wireless: Rogue Devices
What is a rogue?
  Any device that's sharing your spectrum but not managed by you
  The majority of rogues are set up by insiders (low cost, convenience, ignorance)
When is a rogue dangerous?
  When set up to use the same ESSID as your network (honeypot)
  When it's detected to be on the wired network too
  Ad-hoc rogues are arguably a big threat, too!
  Set up by an outsider, most times, with malicious intent
What needs to be done?
  Classify
  Detect
  Report, if needed
  Track (over-the-air, and on-the-wire) and mitigate (shut down, contain, etc.)
Wireless: Man in the Middle Attacks
A MiTM is when an attacker poses as the network to the clients and as a client to the actual network
  The attacker forces a legitimate client off the network
  The attacker lures the client to a honeypot
  The attacker gains security credentials by intercepting user traffic
Very easy to do with:
  MAC address spoofing
  Rogue device setup
  DoS attacks
  Easier sniffing, and war-driving
Quick Look: Common WLAN Exploits/Tools
Remote-Exploit/Backtrack/Auditor
Aircrack, WEPcrack, etc
coWPAtty
Kismet
NetStumbler, Hotspotter, etc
AirSnort
Sniffing tools: Sniffer, OmniPeek, Wireshark
dsniff, nmap
wellenreiter
asleap
Authentication Vulnerabilities
Management frames are not authenticated!
Dictionary attacks
  On-line (active) attacks: active attack to compromise passwords or pass-phrases
  Off-line attacks: passive attack to compromise passwords or pass-phrases
MITM attacks
  Active attacks: an attacker attempts to insert himself in the middle of the authentication sequence
  Can be employed in 802.1X as well as PSK environments
Multiple known WEP weaknesses, and many exploits out there
Secure Wireless Deployment: Self-Defending Network
Characteristics of Self-Defending Network
Secure infrastructure
Trusted and secure communications
Autonomic policy deployment and enforcement
Adaptive threat response
(Diagram: Self-Defending Network spanning the Intranet and the Internet)
Basic Requirements to Secure a WLAN
Protection of the WLAN network—Management Frame Protection (MFP) and Wireless IDS
Protect the network from external sources and devices not controlled by infrastructure (secure infrastructure)
Protection of the WLAN devices and managed user/device connectivity
  Encryption/authentication of managed 802.11 devices
Authentication framework—framework to facilitate authentication messages between clients, access point, and AAA server
Authentication algorithm—mechanism to validate client credentials
Encryption algorithm—mechanism to provide data privacy
Message integrity—ensures data frames are tamper free and truly originate from the source address
Beyond authentication and encryption of client devices (L2), protect client devices and network from malicious software
Operating system/service/application security
Network Admission Control and Client Shunning (for example)
Not specifically a wireless function, but enforcement can be provided by wireless network
Compliance Requirements
The Payment Card Industry (PCI) Standard presents 12 requirements
Not all requirements map to Wireless, but some relevant ones are:
Prepare, and include wireless in, Network Security Policy (requirement 11)
Secure the WLAN against threats and unauthorized access (requirements 2 and 4: WPA, and 802.11i)
Don’t use default credentials (requirement 2)
Defend cardholder information (requirement 5: NAC and CSA)
Enlist employees in safeguarding cardholder information
PCI Standard: https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
Secure Wireless Deployment Objectives
Develop a policy to define:
  Access to the network, and services
  Encryption of data
  Compliance (if necessary) and mitigation strategies
Provide authentication and encryption to WLAN users and services
Prepare for, and mitigate against, threats
  Rogue devices (OTA, and on-the-wire)
  Interferers/jammers
  Host-based security
  Posture assessment
  MFP
Be spectrum-aware
  Use Radio Resource Management
  Use a Spectrum Intelligence solution to constantly monitor and police spectrum usage
(The Cisco) Definition of Secure Wireless
The Cisco Secure Wireless solution provides customers with guidelines to secure a WLAN so that they can leverage the associated business benefits in confidence
Cisco Unified Wireless fundamental and enhanced security features
  802.1X/EAP, WPA/WPA2/802.11i, CCX Management Frame Protection (MFP), Wireless IDS/IPS features on the WLC, Cisco Secure Services Client (CSSC)
Cisco NAC Appliance Integration
  WLAN client security policy compliance through assessment and remediation
Cisco Firewall Integration
  Fully featured, highly scalable firewalls for enhanced policy enforcement
Cisco IPS Integration
  Automated threat mitigation with enforcement by WLC on the access edge
CSA Integration
  General client endpoint protection on both wired and wireless networks
  Wireless ad-hoc, simultaneous wired and wireless, location-aware, plus upstream QoS marking policy enforcement
Cisco Unified Wireless Network
End-to-End, Unified – Only Cisco
Secure Wireless Design Guide: www.cisco.com/go/srnd
Secure Wireless — Sample Topology
AP and WLC, using the Split-MAC architecture, act as the 802.1X Authenticator
802.11 – Authentication and Encryption
Need for Authentication and Encryption
"Open and Shared"
  No physical barriers to intrusion
  No spectrum policing
  The standard, ubiquitous 802.11 protocol permits simple client association (i.e., "open authentication")
The most common attacks against WLAN networks are targeted at management frames, which are not encrypted, authenticated or signed
Common attacks—VOID11, Aireplay, File2air, Airforge, ASLEAP, Jack Attacks, FakeAP, Hunter/Killer
Harder, if not impossible, to control physical access
Pre-RSN: WEP
Deprecated, move on
No? OK… quick refresher:
  Comes in two flavors, WEP-40 bit and WEP-104 bit; the cryptographic mechanisms are the same irrespective of key length
  Provides encryption keys but no data authentication (yes, MAC address authentication can be used, but it's trivial to spoof)
  Two key types:
    key-mapping keys: mapped to a distinct TA,RA pair
    default keys: shared by all STAs, one of 4 in an array
  Uses the RC4 encryption algorithm: a symmetric stream cipher that uses the same key for encryption and decryption of the data stream; vulnerable to key reuse (oh, and hope your WEP vendor at least randomizes keys!)
  802.11 fails to specify a key distribution mechanism
  Many stopgap solutions out there, but not enough for enterprise security needs – migrate to 802.11i/WPAv2
Pre-RSN: 802.11 Auth: Open-System vs. Shared-Key
Both the AP and STA must complete 802.11 Authentication before Association
Open-System (required by 802.11):
  Null authentication algorithm – only provides identity and a request/response for authentication
  Uses a 2-message authentication transaction sequence
Shared-Key (only required for WEP):
  Uses a 4-frame sequence; can only be used with WEP
  a) STA to AP: request to authenticate
  b) AP to STA: sends challenge text
  c) STA to AP: encrypts and sends the challenge text
  d) AP to STA: decrypts, and if correct, allows the STA onto the network
  The shared secret must be known by all STAs, but there is no mechanism to distribute it
  Not secure – easy to decipher the shared key, and doesn't add anything on top of open-system auth
What Is RSN?
Robust Security Network: A result of the work done by the IEEE 802.11i standard
An RSN is any WLAN that uses one of the cipher suites defined in 802.11i: Temporal Key Integrity Protocol (TKIP) or Counter mode with CBC-MAC Protocol (CCMP)
  Used for both the pairwise and group ciphers
  Transition Security Networks (TSN) still use WEP for group ciphers
Use of RSN signifies the presence of an extra "Information Element (IE)" in Probe Responses and Beacons
  Used to announce and exchange cipher suites and Authentication and Key Management (AKM) suites
  Default: AKM via 802.1X, or PMK Security Association caching
  AKM via Pre-Shared Key (PSK)
But first, WPA
Similar to RSN, in that it provides: authentication at upper layers, authentication mechanisms, key distribution and renewal mechanisms
Created by the Wi-Fi Alliance; comes in the commonly known flavors of Personal and Enterprise
Use of TKIP: major improvement over WEP
  Use of a MIC (Message Integrity Check), Michael: improvement over WEP's CRC method, and provides a counter (TKIP Sequence Counter) to secure against replay attacks (injection)
  Includes countermeasures to suppress all transmissions for 60 seconds when more than 2 MIC failures occur
TKIP is included in 802.11i for backwards compatibility
WPAv2 – IEEE 802.11i
Authentication mechanisms defined in IEEE Std. 802.1X-2004
CCMP (TKIP is optional for an RSNA, but supported for backwards compatibility with legacy devices)
  Based on the CCM mode of AES
  Uses an AES-based block cipher (128-bit key and 128-bit block size)
Use of 802.1X
RSN Associations: PMKSA, PTKSA, GTKSA, SMK and STKSA – a set of policies and keys
  Pairwise keys are used for unicast traffic, and group keys for multicast and broadcast traffic
Key management procedures
Standardizing the WLAN Architecture
The Internet Engineering Task Force (IETF) focused on delivering a standard
LWAPP selected as starting point, and follows the same architecture
Renamed protocol to Configuration and Provisioning of Wireless Access Points (CAPWAP)
Peer security review completed
CAPWAP Support on CUWN: Late August, 2008
802.11i/WPA Authentication and Key Management Overview
(Diagram: client, controller/access point and RADIUS server; phases shown: Capabilities Discovery, 802.1X Authentication, Key Management and Key Distribution, Data Protection)
802.11i/WPA Capabilities Discovery
(Diagram: capabilities exchange between client and controller/access point)
Key Management and 4-Way Handshake
The four WPA/TKIP temporal keys are:
  Data Encryption key (128 bits)
  Data Integrity key (128 bits)
  EAPOL-Key Encryption key (128 bits)
  EAPOL-Key Integrity key (128 bits)
The three WPA2/AES-CCMP temporal keys are:
  Data Encryption/Integrity key (128 bits)
  EAPOL-Key Encryption key (128 bits)
  EAPOL-Key Integrity key (128 bits)
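As an added example (not from the Cisco deck), this Python derives the pairwise transient key that the 4-way handshake produces and splits it into exactly the temporal keys listed above, using the 802.11i PRF (HMAC-SHA1 under the "Pairwise key expansion" label); the PMK, MAC addresses and nonces are constructed sample values.

```python
import hmac
import hashlib

# 802.11i PRF-n: concatenate HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ...
# and truncate to n bits. PRF-384 yields the CCMP PTK, PRF-512 the TKIP PTK.
def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    out = b""
    for i in range((bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: bits // 8]

PTK_BITS = {"CCMP": 384, "TKIP": 512}

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, cipher: str) -> dict:
    """Expand the PMK into the PTK using the authenticator address (AA), supplicant
    address (SPA) and the two nonces exchanged in handshake messages 1 and 2, then
    split it into the temporal keys named on the slide."""
    if len(pmk) != 32 or len(anonce) != 32 or len(snonce) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK and nonces must be 32 bytes, MAC addresses 6 bytes")
    # Inputs are ordered, so AP and STA compute the same PTK regardless of role.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_BITS[cipher])
    keys = {
        "EAPOL-Key Integrity key (KCK)": ptk[0:16],    # MIC over EAPOL-Key frames
        "EAPOL-Key Encryption key (KEK)": ptk[16:32],  # wraps the GTK in message 3
        "Data Encryption key (TK)": ptk[32:48],        # CCMP: also provides integrity
    }
    if cipher == "TKIP":
        # TKIP has no built-in integrity, so a separate 128-bit Michael key follows
        # (used as two 64-bit halves, one per direction).
        keys["Data Integrity key (Michael)"] = ptk[48:64]
    return keys

def sample_inputs():
    """Constructed sample values; a real PMK comes from 802.1X/EAP or the PSK."""
    pmk = hashlib.sha256(b"constructed-sample-pmk").digest()
    aa = bytes.fromhex("001122334455")   # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("66778899aabb")  # STA (supplicant) MAC, constructed
    anonce = hashlib.sha256(b"constructed-anonce").digest()
    snonce = hashlib.sha256(b"constructed-snonce").digest()
    return pmk, aa, spa, anonce, snonce

def demo():
    args = sample_inputs()
    return derive_ptk(*args, "CCMP"), derive_ptk(*args, "TKIP")

if __name__ == "__main__":
    for name, keyset in zip(("WPA2/AES-CCMP", "WPA/TKIP"), demo()):
        print(name)
        for label, key in keyset.items():
            print(f"  {label}: {key.hex()}")
```

Both sides compute the same PTK without ever sending it: only the nonces travel over the air, which is why the EAPOL-Key MIC under the KCK in message 2 proves the STA holds the PMK.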
802.1X and EAP
EAP — Protocol Flow (RFC 3748)
Lightweight Extensible Authentication Protocol (LEAP)
Deprecated
Client support
  Windows 95-XP, Windows CE, Macintosh OS 9.X and 10.X, and Linux
RADIUS server
  Cisco ACS and Cisco Access Registrar
  Local RADIUS on AP (12.2(13)), ISR (12.3(11)), and WLSM
  Juniper (Funk) Steel Belted RADIUS or Odyssey server products
  Interlink RAD-series
  Microsoft Domain or Active Directory database (optional) for back-end authentication
Device support: all Cisco Wireless LAN products
Protected Extensible Authentication Protocol (PEAP)
Hybrid authentication method
  Server-side authentication with TLS
  Client-side authentication with EAP authentication types (EAP-GTC, EAP-MSCHAPv2, etc.)
Clients do not require certificates
  Simplifies end user/device management
RADIUS server requires a server certificate
  RADIUS server's "self-issuing" certificate capability may be used
  Purchase a server certificate per server from a public PKI entity
  Set up a simple PKI server to issue server certificates
Allows for one-way authentication types to be used
  One-time passwords
  Proxy to LDAP, UNIX, NT/AD, OTP, etc.
Flexible Authentication via Secure Tunneling (EAP-FAST)
Strong authentication without the requirement for certificate management
Simple to deploy
Open standard—latest draft published October 2005: http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-03.txt
Robust support
  Fast roaming (CCKM)
Fallback authentication via Cisco IOS® Access Point Local Authentication server
Multiple NAC supplicants are available which employ EAP-FAST authentication
EAP-FAST establishes an encrypted tunnel between the client and the AAA server
The client and AAA can then securely use any credentials within the tunnel
Client stacks from Cisco-Meetinghouse, and others
CCX versions 3 and 4 specify EAP-FAST support
EAP-FAST Authentication
(Diagram: EAP-FAST exchange between Client, Access Point and RADIUS Server, with an External User DB behind the server)
  Start: the AP sends Request Identity and the client responds with its Identity
  The AP blocks all requests until authentication completes
  A-ID and PAC-Opaque are exchanged to establish a secure tunnel (PAC and TLS)
  Server authentication, then client authentication inside the tunnel (the server authenticates the client against the external user DB)
  Key management: WPA or CCKM key management used
  Protected data session
Transport Layer Security (EAP-TLS)
Client support
  Windows 2000, XP, and Windows CE (natively supported)
  Non-Windows platforms: third-party supplicants (Cisco-Meetinghouse and Juniper-Funk)
  Each client requires a user certificate
Infrastructure requirements
  EAP-TLS supported RADIUS server: Cisco ACS, Cisco AR, MS IAS, Funk, Interlink
  RADIUS server requires a server certificate
  Certificate Authority Server (PKI infrastructure)
Certificate management
  Both client and RADIUS server certificates need to be managed
EAP Protocols: Feature Support
Feature                     | EAP-TLS                      | PEAP                                           | LEAP                                         | EAP-FAST
----------------------------|------------------------------|------------------------------------------------|----------------------------------------------|----------------------------------------
Single Sign-on              | Yes                          | Yes                                            | Yes                                          | Yes
Login Scripts (MS DB)       | Yes (1)                      | Yes (1)                                        | Yes                                          | Yes
Password Expiration (MS DB) | N/A                          | Yes                                            | No                                           | Yes
Client and OS Availability  | XP, 2000, CE, and others (2) | XP, 2000, CE, CCXv2 clients (3), and others (2) | Cisco/CCXv1 or above clients, and others (2) | Cisco/CCXv3 clients (4), and others (2)
MS DB Support               | Yes                          | Yes                                            | Yes                                          | Yes
LDAP DB Support             | Yes                          | Yes (5)                                        | No                                           | Yes
OTP Support                 | No                           | Yes (5)                                        | No                                           | Yes (6)

(1) Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
(2) Greater operating system coverage is available from Meetinghouse and Funk supplicants
(3) PEAP/GTC is supported on CCXv2 clients and above
(4) Cisco 350/CB20A clients support EAP-FAST on MSFT XP, 2000, and CE operating systems; EAP-FAST supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients
(5) Supported by PEAP/GTC only
(6) Supported with 3rd-party supplicant
EAP Protocols: Feature Support
Feature                                   | EAP-TLS | PEAP   | LEAP    | EAP-FAST
------------------------------------------|---------|--------|---------|-----------
Off-Line Dictionary Attacks?              | No      | No     | Yes (1) | No
Local Authentication                      | No      | No     | Yes     | Yes
WPA Support                               | Yes     | Yes    | Yes     | Yes
Application Specific Device (ASD) Support | No      | No     | Yes     | Yes
Server Certificates?                      | Yes     | Yes    | No      | No
Client Certificates?                      | Yes     | No     | No      | No
Deployment Complexity                     | High    | Medium | Low     | Low
RADIUS Server Scalability Impact          | High    | High   | Low     | Low/Medium

(1) A strong password policy mitigates dictionary attacks; please refer to: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html
PKC and CCKM
Client channel scanning and AP selection algorithms—improved via CCX features
Refreshing of IP address—irrelevant in a controller-based architecture!
Re-authentication of client device and re-keying
  Cisco Centralized Key Management (CCKM) – Cisco proprietary, supported via CCX
  Proactive Key Caching (PKC)—extension of an optional component of 802.11i (PMK Caching)
  Coming soon: standardization via 802.11r
Fast Secure Roaming: Standard Wi-Fi Secure Roaming
1. 802.1X authentication in wireless today requires three "end-to-end" transactions with an overall transaction time of > 500 ms
2. 802.1X authentication in wireless today requires a roaming client to re-authenticate, incurring an additional 500+ ms to the roam
(Diagram: Cisco ACS AAA server reached across a WAN from AP1 and AP2; 1. 802.1X initial authentication transaction; 2. 802.1X re-authentication after roaming)
Note: a mechanism is needed to centralize key distribution
Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching
WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients
From the 802.11i specification:
  Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later
  When a STA (re)associates to an AP, it may attach a list of PMK IDs (which were derived via the dot1x process with this AP before) in the (re)association request frame
  When a PMK ID exists, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 four-way key handshake session with the STA
  PMK cache records will be kept for one hour for non-associated STAs
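The cache behaviour described in the bullets above, as an added Python example (not from the Cisco deck or the 802.11i text): PMKID derivation follows 802.11i (HMAC-SHA1-128 over "PMK Name" || AA || SPA), and the AP MAC, STA MAC and PMK are constructed sample values.

```python
import hmac
import hashlib

PMK_CACHE_TTL = 3600  # seconds: the slide's one-hour lifetime for non-associated STAs

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    It names the cached PMK without revealing it and binds it to one AP/STA pair."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class PMKCache:
    """PMK cache held by one AP whose authenticator address is `aa`."""

    def __init__(self, aa: bytes):
        self.aa = aa
        self._records = {}  # PMKID -> (pmk, spa, expires_at)

    def store(self, pmk: bytes, spa: bytes, now: float) -> bytes:
        """Called after STA `spa` completes dot1x authentication; returns the PMKID."""
        pid = pmkid(pmk, self.aa, spa)
        self._records[pid] = (pmk, spa, now + PMK_CACHE_TTL)
        return pid

    def expire(self, now: float) -> None:
        """Drop records older than one hour (records of non-associated STAs)."""
        self._records = {k: v for k, v in self._records.items() if v[2] > now}

    def lookup(self, pmkids, spa: bytes, now: float):
        """Handle the PMKID list from a (re)association request sent by STA `spa`.
        Returns the PMK to start the four-way handshake with, or None when the AP
        must fall back to a full dot1x authentication."""
        self.expire(now)
        for pid in pmkids:
            rec = self._records.get(pid)
            if rec is None:
                continue  # unknown PMKID: try the next one the STA offered
            pmk, cached_spa, _ = rec
            if cached_spa != spa:
                continue  # record belongs to a different STA MAC: do not reuse it
            return pmk
        return None

def demo():
    """Constructed sample: one STA authenticates, roams away, and reassociates twice."""
    aa = bytes.fromhex("001122334455")   # AP MAC, constructed
    spa = bytes.fromhex("66778899aabb")  # STA MAC, constructed
    pmk = hashlib.sha256(b"constructed-sample-pmk").digest()
    cache = PMKCache(aa)
    pid = cache.store(pmk, spa, now=0.0)
    hit = cache.lookup([pid], spa, now=600.0) is not None      # within the hour
    stale = cache.lookup([pid], spa, now=3601.0) is not None   # after the hour
    return hit, stale

if __name__ == "__main__":
    within, after = demo()
    print("reassociation within one hour skips 802.1X:", within)
    print("reassociation after one hour skips 802.1X:", after)
```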
Implementations of PMK Caching
Cisco implements Pairwise Master Key caching:
  At the controller for the unified wireless solution
  At each access point in the Cisco IOS APs
Implementing PMK caching at a central point for distribution among a set of APs is referred to as Proactive Key Caching or Opportunistic Key Caching
Requires WPA2 client authentication
  Implemented with the Microsoft WPA2 client
  Enabled by default with KB893357 for XP SP2
  Other WPA2 clients also support PMK caching
Fast Secure Roaming: Proactive Key Caching (PKC)
Extension of Pairwise Master Key caching
Leverages client use of Master Key caching
Permits knowledge of the Master Key before the client roams to an AP on a new controller
Controller mobility group automatically exchanges
(Diagram, in sequence: Initial Authentication; PMK Derived; PMK Used in 4W Handshake; PMK Proactively Cached on New Controller; Client Roam; Client Transmits Cached PMK upon New Association; PMK Used in 4W Handshake)
Fast Secure Roaming: Centralized Key Management (CCKM)
1. AP1 and AP2 authenticate via 802.1X with the WDS AP to establish a secure session
2. Initial client 802.1X authentication goes to the central AAA server (~500 ms)
3. During a client roam, the client signals to the WDS that it has roamed, and the WDS sends the client's key to the new AP (AP2)
4. The overall roam time is reduced to < 150 ms, and in most cases < 100 ms
(Diagram: Cisco ACS AAA server across a WAN from AP1, AP2 and the AP-based WDS)
Note: because the local WDS device handles roaming and re-authentication, the WAN link is not used
Mitigation Strategies, and Cisco Unified Wireless
Cisco Unified Wireless: Security Highlights
Trusted wireless infrastructure—only authorized APs are permitted to join controller
Secure wireless infrastructure—encryption of control data and centralized configuration
Central policy enforcement point to simplify deployment and easily control WLAN network access
Integrated Intelligent Radio Resource Management
Integrated wIDS/wIPS
Cisco WLAN Security Components
1. Secure RF Mgmt
  RF bleed-over protection
  Coverage hole correction
  Interference avoidance
  Hi-res location tracking
2. Intrusion Protection
  Rogue detection and location map
  IDS attack signatures
  Client exclusion and containment
  Hi-res location tracking
3. Identity Networking
  Mutual authentication
  Strong encryption
  User policy enforcement (AAA, ACLs, QoS contracts)
4. Secure Enterprise Mobility
  Persistent VPN connectivity
  Pro-active Key Caching (PKC)
  Fast secure roaming
5. Network Access Control
  Host-based integrity checking
  Anti-virus protection
  Client remediation
Cisco Centralized WLAN — Architecture
"Lightweight" access points receive CONFIG and SOFTWARE from a centralized WLAN controller
DATA forwarding functions of a traditional AP are split between the "Lightweight" AP and the centralized WLAN controller
LWAPP defines CONTROL messaging and data encapsulation between access points and the centralized WLAN controller
(Diagram: Wireless LAN Client – Lightweight Access Point – LWAPP Tunnel – Wireless LAN Controller – ingress/egress point from/to the upstream switched/routed wired network over an 802.1Q trunk)
Cisco Centralized WLAN – Functional Breakdown
(Diagram: Wireless LAN Client – Lightweight Access Point – LWAPP Tunnel – Wireless LAN Controller – ingress/egress point from/to the upstream switched/routed wired network over an 802.1Q trunk)
Lightweight Access Point: Remote RF interface; Real-time 802.11 MAC; RF spectral analysis; WLAN IDS/IPS signature analysis
Wireless LAN Controller: Security management; QoS policy enforcement; Centralized configuration; Northbound management interfaces; Radio Resource Management (RRM) coordination; Mobility management
LWAPP encapsulates all communication between access point and controller
  Mutual authentication—X.509 certificate based
  LWAPP control AES-CCM encrypted
  Data encapsulation
Cisco Unified Wireless IDS Implementation
The WLAN serves 802.11 traffic and provides most IDS functions
Rogue Detection
Denial-of-service detection
WLAN Exploit Signature Analysis
RF interference detection
Detection of attempts to access WLAN network and attempts to attract managed clients (e.g. honeypot)
Dedicated/hybrid Wireless IDS deployment
  LWAPP APs may be deployed in one of three modes:
    Local—serves 802.11 traffic and monitors
    Monitor—monitors 802.11 traffic on all channels
    Rogue Detector—does wired network correlation of rogue AP devices (via ARP sniffing)
Rogue AP Detection
Rogue AP detection has multiple facets:
  Air/RF detection—detection of rogue devices by observing/sniffing beacons and 802.11 probe responses
  Rogue AP location—use of the detected RF characteristics and known properties of the managed RF network to locate the rogue device
  Wire detection—a mechanism for tracking/correlating the rogue device to the wired network
A WIDS may require different deployments to effectively address all of these facets
For example, it is typically required to use a scanning-mode AP as a “rogue traffic injector” to attempt to trace the rogue’s connected port
Rogue Classification – Configuration
Configure a Rogue AP rule on the WLC:
  Security --> Wireless Protection Policies --> Rogue Policies --> Rogue Rules (Malicious)
  Security --> Wireless Protection Policies --> Rogue Policies --> Rogue Rules (Friendly)
Rogue AP Detection and Suppression
Rogue AP detection methodology
WLAN system collects (via beacons and probe responses) and reports BSSID information
System compares collected BSSID information against authorized (i.e., managed AP) BSSID information
Unauthorized APs are flagged and reported via fault monitoring functionality
Rogue AP suppression techniques
Trace the rogue AP over the wired network to verify that the rogue is internal and should be contained
Use of managed devices to disassociate clients from unauthorized AP and prevent further associations via 802.11 de-authentication frames
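The detection methodology above (collect BSSIDs from the detecting APs, compare against the managed list, flag and classify the rest) as an added Python illustration; this is not Cisco's WLC code. The MAC addresses, SSIDs and observation format are constructed, and the two rule conditions are assumptions, since the slides name Malicious and Friendly rogue rules but do not state what they test.

```python
# Constructed inventory: managed (authorised) APs and neighbours an admin has
# already reviewed and marked friendly. All addresses and SSIDs are made up.
MANAGED_BSSIDS = {"00:1a:aa:00:00:01", "00:1a:aa:00:00:02"}
MANAGED_SSIDS = {"corp-secure", "corp-guest"}
FRIENDLY_BSSIDS = {"00:1b:bb:00:00:10"}   # reviewed neighbour next door

# One observation = one beacon or probe response heard by one managed AP:
# (detecting AP, BSSID, SSID, RSSI in dBm, number of associated clients seen)
def aggregate(observations):
    """Merge reports from all detecting APs into one record per BSSID,
    keeping the strongest RSSI (the input to the rogue-location facet)."""
    seen = {}
    for detector, bssid, ssid, rssi, clients in observations:
        bssid = bssid.lower()
        rec = seen.setdefault(bssid, {"ssid": ssid, "rssi": rssi,
                                      "clients": clients, "detectors": set()})
        rec["detectors"].add(detector)
        rec["rssi"] = max(rec["rssi"], rssi)
        rec["clients"] = max(rec["clients"], clients)
    return seen

def classify(bssid, rec):
    """Assumed rule conditions: the page names Malicious and Friendly
    rogue rules but does not list what they test."""
    if bssid in MANAGED_BSSIDS:
        return "managed"
    if bssid in FRIENDLY_BSSIDS:
        return "friendly"
    # A rogue advertising one of our own SSIDs is a honeypot: malicious.
    if rec["ssid"] in MANAGED_SSIDS:
        return "malicious"
    # Strong signal with clients attached: probably inside and in use.
    if rec["rssi"] >= -70 and rec["clients"] > 0:
        return "malicious"
    return "unclassified"

def detect_rogues(observations):
    """Return {bssid: classification} for every non-managed BSSID heard;
    these are what the fault monitoring function would report."""
    return {b: classify(b, r) for b, r in aggregate(observations).items()
            if b not in MANAGED_BSSIDS}

# Constructed sample report from two detecting APs.
SAMPLE = [
    ("ap-floor1", "00:1A:AA:00:00:01", "corp-secure", -40, 12),  # our own AP
    ("ap-floor1", "00:1b:bb:00:00:10", "cafe-wifi", -82, 3),     # friendly
    ("ap-floor1", "00:1c:cc:00:00:20", "corp-secure", -75, 0),   # SSID spoof
    ("ap-floor2", "00:1c:cc:00:00:20", "corp-secure", -66, 1),
    ("ap-floor2", "00:1d:dd:00:00:30", "homenet", -88, 0),       # weak, idle
]

if __name__ == "__main__":
    for bssid, verdict in sorted(detect_rogues(SAMPLE).items()):
        print(bssid, verdict)
```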
Cisco Unified Wireless: Map Rogue AP
Cisco Unified Wireless: Rogue Containment
Rogue AP, Rogue-Connected Client, or Ad-Hoc Client May Be Contained by Controller Issuing Unicast De-Authentication Packets
Maximum number of APs participating in containment is configurable
Maximum of three simultaneous containments may operate on a single LWAPP AP
Rogue client devices may be authenticated to a RADIUS (MAC address) database
Maximum time for auto-containment is configurable
Cisco Unified Wireless: Rogue AP Detection and Containment
Wireless IDS: Signature Detection
The WLC comes with built-in Wireless IDS signatures that can be augmented with additional custom signatures
Wireless IDS: Signature Configuration
Signature frequency, Signature MAC frequency and Quiet Time can be modified in the WLC 5.0 release to reduce false positives
Switch-Port Tracing
Introduced in Release 5.1
Rogues on your network are potentially more dangerous
Allows tracing the switch port to which the rogue is connected, and shutting that port down
SNMP communities of the switches in your network must be correctly configured
Supported on IOS-based switches only
Limited to 2 hops so that it does not impact performance
CDP must be enabled
Follow Enterprise design best practice – wired 802.1X
802.11 Management Frame Vulnerability
802.11 management frames are NOT authenticated
Anyone can spoof an AP’s MAC address or SSID and send an 802.11 management frame on behalf of that AP
Anyone can spoof a client’s MAC address and send an 802.11 management frame on behalf of that client
Threats:
802.11 Denial of Service (DoS) attacks by spoofing AP or client 802.11 de-authentication or disassociation frames to disconnect users
Rogue AP or MITM avoids detection by spoofing valid AP MAC or SSID
[Diagram: an attacker spoofing managed AP1's MAC address A.B.C.D sends a disassociation frame; the user is disconnected]
Cisco Management Frame Protection (MFP)
Inserts a MIC (Message Integrity Code) as a signature into management frames
MFP uses the HMAC-SHA1 keyed hash algorithm to calculate the MIC
Mitigates management frame attacks
Invalid management frames ignored
Immediate detection by WLC of malicious rogues or MITM devices that are spoofing a valid AP MAC or SSID
Infrastructure MFP support
Introduced in Unified Wireless 4.0
Client MFP support
Introduced in CCX version 5
[Diagram: an attacker spoofing managed AP1's MAC address A.B.C.D sends a management frame; the MIC check fails and the spoofed management frame is discarded]
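The MIC mechanism described on this slide, as an added Python illustration that is not Cisco's MFP implementation: the slides state only that MFP computes the MIC with HMAC-SHA1, so the frame layout, the key, and the receiver's sequence-number replay check are constructed for the demo. A frame carrying no MIC, a wrong MIC, or a modified body fails verification and is dropped, which is what "invalid management frames ignored" means in practice.

```python
import hashlib
import hmac
import struct

MIC_LEN = hashlib.sha1().digest_size   # HMAC-SHA1 MIC is 20 bytes

# Constructed shared MFP key for the demo; in a deployment the WLC hands
# keys to its managed APs. Never hard-code keys outside a demo.
MFP_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# 802.11 management frame subtypes from the standard.
DISASSOC, DEAUTH = 0x0A, 0x0C

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(subtype, dst, src, bssid, seq, body=b""):
    """Constructed, simplified management frame (not real 802.11 framing):
    subtype, three addresses, 16-bit sequence number, body."""
    return struct.pack("!B6s6s6sH", subtype, mac(dst), mac(src),
                       mac(bssid), seq) + body

def protect(frame, key):
    """Sender side (managed AP): append the HMAC-SHA1 MIC over the frame."""
    return frame + hmac.new(key, frame, hashlib.sha1).digest()

class MfpReceiver:
    """Receiver side (AP, client or WLC): verify the MIC and, as an
    assumption beyond the page, reject replayed sequence numbers."""
    HDR = struct.calcsize("!B6s6s6sH")

    def __init__(self, key):
        self.key = key
        self.last_seq = {}   # source address -> last accepted seq number
        self.dropped = 0

    def accept(self, protected):
        """Return True only for a frame whose MIC verifies and is fresh."""
        if len(protected) < self.HDR + MIC_LEN:
            self.dropped += 1
            return False
        frame, mic = protected[:-MIC_LEN], protected[-MIC_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha1).digest()
        if not hmac.compare_digest(mic, expected):
            self.dropped += 1      # spoofed or tampered: ignore and log
            return False
        src = frame[7:13]
        seq = struct.unpack("!H", frame[19:21])[0]
        if seq <= self.last_seq.get(src, -1):
            self.dropped += 1      # replay of an earlier valid frame
            return False
        self.last_seq[src] = seq
        return True
```

The `dropped` counter is where a real receiver would raise the alert the WLC reports; counting drops per source address is also what distinguishes a single corrupt frame from a sustained spoofing attempt.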
Client MFP (MFP-2)
Protects class 3 (authenticated session) unicast management frames between an AP and an authenticated client.
A CCXv5 feature
Must be supported on the client
Uses WPA2 (AES-CCMP or TKIP) encryption
Protects the following unicast frames:
Deauth
Disassoc
Action
Spoofed frames are reported to the WCS as alerts
Spoofed frames are ignored by AP and client
Client Exclusion: Blacklisting
Client Exclusion Policy may be used to exclude a client from the WLAN
No response is issued to excluded client probe requests
Client exclusion may be triggered by the following:
Client exclusion may also be manually invoked
Configurable timer or client may be indefinitely excluded until manually removed from exclusion list
Configuration Auditing
Operational Perspective of a Secure WLAN
Security Dashboard: Insight into the Network
WCS Security Dashboard
Security Index
Quick Insight into Network Security
Compliance Reporting
Events and Alarms Reporting
End-to-End System-Level Security and Integration
Cisco Unified Wireless Solution and IDS/IPS Integration Overview
Cisco Unified Wireless Self-Defending Network
Integrated end-to-end, defence-in-depth solution
Threat detection and mitigation on a WLAN is a key element
Wireless & Traditional IDS/IPS Integration for WLAN Threat Detection & Mitigation
Wireless IDS/IPS (WIDS/IPS) features of the Cisco WLAN Controller (WLC)
Cisco IDS/IPS platforms
Extend same principles and policies of threat detection & mitigation on a wired network to a WLAN
Extend general network security policy to include a WLAN
Cisco WLC and IPS Integration: IPS Client Block Enforcement on a WLC
[Diagram: WLAN Controller and ASA 5500 with IPS/IDS Module in the Enterprise Network]
1 Client to AP/Controller
2 Controller to IDS (Deep Packet Inspection)
3 Shun: IDS to Controller (shun malicious traffic)
Cisco WLC and IPS Integration:IPS Client Block Enforcement on a WLC
Cisco IPS Host Block
Cisco WLC Shun List
Cisco WLC Client Exclusion
Cisco Firewall Integration
Cisco offers range of fully featured firewalls that can be integrated into the Secure Wireless solution
Enables a consistent firewall platform deployment across the wired and wireless network
Enables consistent policy enforcement across both the wired and wireless network
Provides lower TCO and easier management
Can be used to enforce policy on traffic between the WLAN and the wired network
Policies may be applied on layers L2-L7
Enables stateful firewall, network access restrictions, etc.
Integrated and extended features on common platforms
Including SSL VPN, IPS, content security, security contexts
Cisco Firewall Integration Scenario: AAA Override and Policy Enforcement
Restricts user group access to permitted network resources only
802.1X allows a common WLAN but different user group VLAN assignment based upon AAA policy
Single SSID with RADIUS-assigned VLAN upon successful 802.1X/EAP authentication
VLAN mapped to different firewall VLANs and subject to different firewall policy
VLAN mapped to a specific virtual context (user group) in the firewall
Firewall policy enforced per user group
CS-MARS: Monitoring Analysis and Response System
[Diagram: LWAPP Access Point, Wireless LAN Controller and CS-MARS]
DoS Attack Related Events in WLAN Controller
Check for the DoS attack related alarms on the WLC
Query/Report for WLAN Related Events in CS-MARS
Results of a query for WLAN events related to the DoS attacks, showing the access point, event type and MAC address of the attacker in the raw SNMP data
Cisco Unified Wireless with NAC Appliance: Summary
Cisco NAC appliance is an easily deployed NAC product that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.
The Cisco NAC appliance identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with network security policies, and repairs any vulnerabilities before permitting access to the network.
Cisco’s NAC solution is a natural complement to a Unified Wireless deployment and enhances overall wireless security by enforcing end station policy compliance.
Cisco Unified Wireless with NAC Appliance
NAC Appliance accommodates several deployment scenarios:
Centralized and Distributed
In-band and Out-of-Band
Virtual Gateway or Real IP Gateway
Unified Wireless and Campus Virtualization best practices currently recommend a centralized deployment
Should be logically in-band, L2 adjacent with wireless topology
Virtual G/W mode with VLAN Mapping is preferred over IP GW mode for wireless deployments
Real IP G/W mode is compatible with wireless deployment, but with caveats.
Cisco Unified Wireless with NAC Appliance
[Diagram: LWAPP Access Point, Wireless LAN Controller and NAC Appliance Server]
CSA for WLAN Security Overview
CSA Overview
Key element of integrated end-to-end, defence-in-depth approach to security
Identifies and prevents malicious or unauthorized behavior
Offers endpoint threat protection, often referred to as Host-based IPS (HIPS)
CSA for WLAN Security
Threat detection and mitigation on a WLAN, along with policy enforcement
General client protection
WLAN-specific scenarios
Cisco Self-Defending Network
[Diagram: LWAPP Access Point, Wireless LAN Controller, NAC Appliance Server, Guest Anchor Controller, ASA IPS Edition, CS-MARS, CS-ACS, CSA Manager, NAC Manager and DHCP Server; wireless and wired clients running CSSC, CSA and the NAC Agent]
Cisco Security Agent
Wireless Ad-Hoc Connection Security Concerns
Typically little or no security
Generally, unauthenticated, unencrypted connection
High risk of connectivity to unauthorized or rogue device
Risk of bridging a rogue wireless ad-hoc device into a secure, wired network
Simultaneous wireless ad-hoc & wired connections
Microsoft Windows native WLAN client vulnerability
Microsoft Wireless Auto Configuration default behavior creates high risk of connectivity to a rogue device, particularly as a user may not even be aware that an 802.11 radio is enabled
[Diagram: rogue WLAN device with a wireless ad-hoc connection to an authorized device]
CSA Wireless Ad-Hoc Pre-Defined Rule Module Considerations
Wireless ad-hoc connections continue to be initiated, accepted, and remain active and connected
Only UDP and TCP traffic over a wireless ad-hoc connection is dropped
Additional CSA security measures should be in place to protect clients from non-UDP and non-TCP threats
ICMP pings that route over a wireless ad-hoc interface are not filtered and remain a threat
Incoming ICMP packets may be filtered by enforcing a CSA Network Shield rule module
No current solution to filter outgoing ICMP packets
Simultaneous Wired and Wireless Security Concerns
Risk of bridging a rogue device into a secure wired network
Risk of bridging an authorized device into the wired network, bypassing network security measures and policies
User may not be aware of 802.11 network connectivity
Active insecure or wireless ad-hoc profile may be used by rogue device, e.g. public hotspot or unauthenticated home WLAN profile
[Diagram: rogue device with a wireless ad-hoc connection to an authorized device that also has a wired connection to the corporate network]
CSA Location-Aware Policy Enforcement
CSA v5.2 introduced the ability to enforce different security policies based on the location of a client
Enables stronger security protection measures to be enforced when a client is on an insecure or non-corporate network
CSA v5.2 also introduced a pre-defined location-aware Windows rule module
“Roaming - Force VPN”
Leverages system state conditions and interface sets to apply rules that force the use of VPN if a client is out of the office
CSA Force VPN When Roaming Pre-Defined Rule Module
CSA v5.2 introduced a pre-defined Windows rule module to force connectivity to the corporate network if a network connection is active
“Roaming - Force VPN”
If a network connection is active but the CSA MC is not reachable, all UDP or TCP traffic over any interface is denied, except HTTP/HTTPS for a period of 300 seconds
May be used to protect the roaming client itself, local data, and data in transit when on insecure, non-corporate networks
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.