Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD
Jerome Henry, Principal Engineer, CCIE – 27450
BRKEWN-2005
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
What this session will cover…
• AP and WLC secure connection;
• wireless radio threats;
• secure/open SSID fundamentals;
• client secure connection options;
• CUWN and AireOS use cases
…and what it won’t…
• configuration details;
• version discrepancies;
• roadmap;
• IPv6;
• not too much for guests.
…except when it does.
For your reference
• There are slides in your PDF that will not be presented, or quickly presented.
• They are valuable, but included only “For your reference”.
Agenda
• Secure the infrastructure
• Protecting the air
• Secure the clients
• Network services
• Use cases
Cisco Digital Network Architecture for mobility
Principles:
• Automation: Plug n Play; EasyQoS; ISE (.1X, BYOD and guest).
• Open APIs: modular APs with RESTful APIs.
• Cloud service management: CMX 10.x with context and guest.
• Platforms and virtualization: DNA-optimized controllers (3504, 5520, 8540); various VM models (ESXi, KVM, Hyper-V, AWS).
• Assurance: RESTful APIs on the WLC; Netflow export; Apple network optimization and FastLane.
Outcomes: insights and experiences; automation and assurance; security and compliance.
WLAN portfolio with integrated security
• Protect the air: rogue detection, CleanAir, base WIPS, adaptive WIPS.
• Protect the clients: Identity PSK, 802.11w, DTLS, default best practices.
• Protect the network (advanced security with policies, segmentation and visibility): TrustSec (with ISE), Cisco Umbrella, Cisco Stealthwatch.
• Trust: Cisco Trustworthy Systems; certifications (FIPS, Common Criteria, DoD UC APL).
Integrated security within APs and WLCs.
Trustworthy Systems: Protect the Device
Pillars: embedded security; built for today’s threats; security expertise and innovation; evidence of trust.
“Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions… There has never been a greater need to improve network infrastructure security.” (Alert TA16-251A, September 2016)
Learn more:
• Visit trust.cisco.com
• See BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”
• Meet the Engineer, topic: “Security and Trust Architecture”
Cisco Trustworthy Systems Levels: Enterprise Wireless
• Platform integrity: counterfeit protections, image signing, secure boot, modern crypto, hardware trust anchor.
• Protects the network: secure device onboarding; ISE; Stealthwatch; Umbrella.
• Solution-level attack protection: IP Source Guard, ACLs, WIPS/rogue detection, DHCP snooping, secure transport.
• Protections against attack: 802.11w, r, i; TrustSec; Netflow.
• Security culture: PSIRT advisories, security training, product security baseline, threat modeling, open source registration, supply chain management.
Learn more: BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”
End to End Security: A Glimpse
• AP: securing the air through accurate classification of rogues and interference; secure communication with the WLC via DTLS and protected management frames (802.11w/MFP); security at the edge with AWIPS.
• Controller: Netflow collection.
• Lancope (Network as a Sensor, NaaS): security and insights.
• CMX: geo-fencing limits access within the physical perimeter.
• ISE: secure authentication with 802.1X; securing personal devices (BYOD); simple guest deployment; per-device and per-application policies; easy segmentation with TrustSec; IoT classification and policy.
• Cisco Umbrella: content filtering and protection against cyber-attacks.
• Switch: IoT segmentation with TrustSec (Network as an Enforcer, NaaE).
• Devices: ISE + Meraki/third-party MDM prioritizes applications.
Secure Infrastructure: Feature Highlights
Infrastructure hardening: Plug n Play; FIPS support; encryption; 802.11 MFP and 802.11w; certificate store; best practices; Trustworthy Systems.
Securing the infrastructure
• How to secure the AP connectivity and access.
• How to secure the communication between the WLC and the AP.
• How to secure the radio: intrusion detection/prevention; rogue access points; interferences.
CAPWAP between the Access Point (AP) and the Wireless LAN Controller (WLC): data encapsulation on UDP 5247, control messages on UDP 5246.
Securing the AP-WLC communication: CAPWAP tunnels (see also BRKEWN-2010)
• CAPWAP control plane (DTLS, UDP 5246): encrypted by default.
• CAPWAP data plane (UDP 5247): encapsulated but not encrypted by default, so client traffic between the AP and the WLC crosses the wired network in the clear unless Data DTLS is enabled.
• Option to encrypt data traffic for specific APs since 7.0: DTLS data encryption between AP and WLC.
• Performance impact: without Data DTLS, average vWLC throughput is 200 Mbps; with all APs using Data DTLS, throughput is 100 Mbps.
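One practical check for the point above is to look at the wire and confirm that data-plane datagrams are really DTLS-wrapped for the APs you enabled Data DTLS on. The following added example (not Cisco code; the datagrams are constructed, not captured from a WLC) classifies CAPWAP packets on UDP 5246/5247 using the preamble RFC 5415 puts in front of every datagram: type 1 means a DTLS record follows, type 0 means a plaintext CAPWAP header and, on the data port, a client frame in the clear.

```python
"""Tell plaintext CAPWAP from CAPWAP-DTLS on the AP-WLC link by reading the
preamble RFC 5415 puts in front of every datagram: version (4 bits) and type
(4 bits), type 0 = CAPWAP header, type 1 = CAPWAP DTLS header. Added example for
this page, not Cisco code; the datagrams below are constructed, not captured."""
import struct

CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT = 5246, 5247
DTLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}


def classify_capwap(udp_dport, payload):
    """Describe one UDP payload addressed to a CAPWAP port."""
    if udp_dport not in (CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT) or len(payload) < 4:
        return {"capwap": False}
    plane = "control" if udp_dport == CAPWAP_CONTROL_PORT else "data"
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0 or ptype not in (0, 1):
        return {"capwap": False}
    if ptype == 1:
        # CAPWAP DTLS header is the preamble plus 3 reserved bytes; a DTLS record follows.
        rec = payload[4:]
        if len(rec) < 3 or rec[0] not in DTLS_RECORD_TYPES:
            return {"capwap": True, "plane": plane, "encrypted": False, "note": "malformed DTLS record"}
        ver = struct.unpack("!H", rec[1:3])[0]
        return {"capwap": True, "plane": plane, "encrypted": True,
                "dtls_version": DTLS_VERSIONS.get(ver, hex(ver)), "dtls_record": DTLS_RECORD_TYPES[rec[0]]}
    # Plain CAPWAP header: HLEN (5 bits, in 4-byte words), RID, WBID (1 = IEEE 802.11), T flag.
    hlen = payload[1] >> 3
    wbid = (payload[2] >> 1) & 0x1F
    native_80211 = bool(payload[2] & 0x01)
    return {"capwap": True, "plane": plane, "encrypted": False,
            "header_len": hlen * 4, "wbid": wbid, "native_80211": native_80211}


def unencrypted_data_packets(packets):
    """Indices of data-plane datagrams sent in the clear, i.e. from APs without Data DTLS."""
    flagged = []
    for i, (dport, payload) in enumerate(packets):
        r = classify_capwap(dport, payload)
        if r["capwap"] and r["plane"] == "data" and not r["encrypted"]:
            flagged.append(i)
    return flagged


# Constructed datagrams (not a real capture):
PLAIN_DATA = bytes([0x00, 0x10, 0x03, 0x00, 0, 0, 0, 0]) + b"\x08\x02" + b"\x00" * 22   # type 0, HLEN 2, WBID 1, T=1, then an 802.11 data frame
DTLS_DATA = bytes([0x01, 0, 0, 0, 0x17, 0xfe, 0xfd]) + b"\x00" * 11 + b"\x5a" * 32      # type 1, then a DTLS 1.2 application_data record
DTLS_CONTROL = bytes([0x01, 0, 0, 0, 0x16, 0xfe, 0xfd]) + b"\x00" * 11 + b"\x5a" * 32   # type 1, then a DTLS 1.2 handshake record
SAMPLE_PACKETS = [(CAPWAP_DATA_PORT, PLAIN_DATA), (CAPWAP_DATA_PORT, DTLS_DATA), (CAPWAP_CONTROL_PORT, DTLS_CONTROL)]
```

Run over a real capture, `unencrypted_data_packets` lists the data-plane datagrams that would let anyone on the wired path between AP and WLC read client frames; an empty list for a given AP confirms Data DTLS is on for it.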
Securing the AP-WLC communication: Manufacturer Installed Certificate (MIC)
The DTLS sessions (CAPWAP control on UDP 5246 and, optionally, CAPWAP data on UDP 5247) are authenticated with the AP’s Manufacturer Installed Certificate and the WLC’s own certificate (figure).
Securing the AP-WLC communication: Locally Significant Certificate (LSC)
Instead of the MIC, the CAPWAP DTLS sessions can use certificates issued by your own PKI.
Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html
Securing the AP-WLC communication: Out-of-Box AP Group and RF Profile (v7.3+)
A newly joined AP is placed in the Out-of-Box AP group, whose RF profile keeps the radios disabled until an administrator moves the AP to its production AP group (e.g. Berlin):
• Berlin AP group > radios enabled;
• Out-of-Box AP group > radios disabled.
Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#ID2870
APIC-EM Plug-n-Play (PnP), AireOS 8.2
PnP server with sites Site-2 (WLC-2a, WLC-2b) and Site-3 (WLC-3a, WLC-3b).

Site | Product ID | Serial # | Hostname | Configuration
Site-2 | AIR-CAP3702I-A-K9 | RFD0XP2T025 | Site-2-AP | Site-2-Config
Site-3 | AIR-CAP3702I-A-K9 | RFE0ZP2T026 | Site-3-AP | Site-3-Config

Configuration | WLC | AP Group | AP Mode
Site-2-Config | WLC-2a | Site-2-Group | AP-Site-2
Site-3-Config | WLC-3a | Site-3-Group | AP-Site-3

Resulting AP settings:
• Site-2: WLC IP: WLC-2a; AP name: Site-2-AP; AP mode: Local; AP group: Site-2-Group.
• Site-3: WLC IP: WLC-3a; AP name: Site-3-AP; AP mode: FlexConnect; AP group: Site-3-Group.
APIC-EM Plug-n-Play (PnP): for secure provisioning of Access Points
• The AP finds APIC-EM through DHCP option 43 or DNS resolution of pnpserver.<dhcp-domain-option>.
• AP SN #123 > matched in a project > configuration file (WLC IP, Berlin AP group, etc.).
• AP SN #456 > not in any project list > claim list, until an administrator claims it.
AP PnP Deployment Guide:
http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html
Securing the AP-WLC communication: Default AP Group and WLAN Id > 16
• WLANs with IDs 1-16 are automatically part of the default AP group, so any AP that joins without an explicit AP group (including an out-of-box AP) broadcasts them.
• WLANs with IDs 17 and above are only broadcast by APs in an AP group where they have been added explicitly.
• Default AP group > WLAN Id 1-16; Berlin AP group > WLAN Id 17+.
For your reference
Wireless connection workflow
Endpoint > 802.11 > Access Point (AP) > CAPWAP > Wireless LAN Controller (WLC); data encapsulation on UDP 5247, control messages on UDP 5246.
1. Probe Request / Probe Response (the probe request is forwarded to the WLC).
2. 802.11 Authentication Request / Response: Open System authentication, exchanged for both PSK and 802.1X WLANs; it is not the credential check.
3. (Re)Association Request / Response.
4. 802.1X phase, if enabled.
5. EAPoL-Key exchange (4-way handshake) in the case of PSK or 802.1X.
6. Other identity services.
IDS/wIPS focus: the 802.11 management exchange (probe, authentication, association), which happens before any key is in place.
AP control at the access layer: a few words on 802.1X
Roles: Supplicant | EAP over LAN (EAPoL), Layer 2 point-to-(multi)point | Authenticator | RADIUS, Layer 3 link | AuthC server.
Beginning:
• EAPoL Start;
• EAPoL Request Identity;
• EAP-Response Identity: Printer > RADIUS Access-Request [AVP: EAP-Response: Printer].
Middle (multiple challenge/request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request EAP-FAST] > EAP-Request: EAP-FAST;
• EAP-Response: EAP-FAST > RADIUS Access-Request [AVP: EAP-Response: EAP-FAST].
End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] > EAP Success.
AP control at the access layer: 802.1X credentials for the AP *
The AP is the supplicant on its switch port (Supplicant | EAPoL | Authenticator | RADIUS | AuthC server):
AP# capwap ap dot1x username [USER] password [PWD]
* Not supported today on 1800/2800/3800 APs.
AP control at the access layer: the FlexConnect challenge
A FlexConnect AP “needs” a trunk port (locally switched WLANs map to VLANs), while 802.1X (usually) needs an access port:
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ...
AP control at the access layer: the FlexConnect challenge, solved with an interface template
The AP authenticates (“Here I am.”), the switch asks the RADIUS server (“What do you think?”), and the server answers “Accept. Here is the interface template *.” The authorization carries the name of a template that turns the port into a trunk (* IOS 15.2(2)E; see LABSEC-2004):
cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE
template FLEXCONNECT_AP_TRUNK_TEMPLATE
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,110,120,130
 switchport mode trunk
 spanning-tree portfast trunk
Security and Threat Mitigation on the 2800/3800 (XOR radio, FRA)
Radio roles (figure): 5 GHz serving; 2.4 GHz serving; 5/2.4 GHz monitor.
• Dual 5 GHz serving is enabled by the XOR radio; Flexible Radio Assignment (FRA) adjusts radio bands to better serve the environment.
• Security and threat mitigation features: P2P blocking; client exclusion; awIPS, ELM; rogue detection (local, monitor and security module modes); Cisco CleanAir; off-channel scanning; classification; TKIP encryption; EDRRM (8.3 MR1).
wIPS Process Flow and Component Interactions
Base wIPS flow: AP > WLC > Prime Infrastructure (optional). Adaptive wIPS flow: AP > WLC > MSE 8.x (wIPS) > Prime Infrastructure.

Solution | Components | Functions | Licensing
Base WIPS | WLC, AP and Prime Infrastructure (optional) | Supports 17 native signatures; supports rogue detection and containment | Does not require any licensing
Adaptive WIPS | WLC, AP, MSE and Prime Infrastructure | Offers comprehensive over-the-air threat detection and mitigation | Licensed feature on MSE

Cisco WIPS solution = Base WIPS + Adaptive WIPS
Intrusion Detection System (IDS)
• It works with a basic WLC+AP deployment.
• 17 pre-canned signatures.
• Additional custom signatures are supported.
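To make the signature idea concrete, here is an added example (not Cisco’s signature engine, and the frames and timestamps are constructed rather than captured) of the classic flood-type detection: it parses the 802.11 Frame Control field of each frame, counts unprotected deauthentication/disassociation frames per (BSSID, target) in a sliding window, and alerts once the rate crosses a threshold. The Protected Frame bit is read as well, because an 802.11w client discards unprotected deauth frames and they are therefore not a denial of service from its point of view.

```python
"""Signature-style detection of an 802.11 deauthentication/disassociation flood,
the kind of over-the-air DoS the WLC's built-in IDS signatures look for. Added
example for this page, not Cisco's signature engine; the frames and timestamps
below are constructed, not captured."""
from collections import defaultdict, deque

MGMT_TYPE = 0
DISASSOC, DEAUTH = 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame):
    """Return (subtype, protected, addr1=dst, addr2=src, addr3=bssid) for a management
    frame, None otherwise. Frame Control: byte 0 = subtype<<4 | type<<2 | version,
    byte 1 bit 6 = Protected Frame (set on 802.11w-protected robust management frames)."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != MGMT_TYPE:
        return None
    return frame[0] >> 4, bool(frame[1] & 0x40), _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])


def detect_deauth_flood(frames, threshold=10, window=1.0):
    """frames: iterable of (timestamp, raw_frame). Alert once per (BSSID, target) when
    more than `threshold` unprotected deauth/disassoc frames arrive within `window`
    seconds. Protected frames are counted but never alerted on: a PMF client discards
    unprotected ones, so only the unprotected ones matter for the flood."""
    recent, fired = defaultdict(deque), set()
    alerts, protected_seen = [], 0
    for ts, frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        subtype, protected, dst, src, bssid = parsed
        if protected:
            protected_seen += 1
            continue
        key = (bssid, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append({"bssid": bssid, "victim": dst, "spoofed_src": src,
                           "broadcast": dst == BROADCAST, "count": len(q), "at": ts})
    return alerts, protected_seen


def make_mgmt(subtype, dst, src, bssid, protected=False, reason=7):
    """Build a minimal deauth/disassoc frame: FC(2) duration(2) addr1 addr2 addr3 seq(2) reason(2)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x40 if protected else 0x00])
    return fc + b"\x00\x00" + h(dst) + h(src) + h(bssid) + b"\x00\x00" + reason.to_bytes(2, "little")


AP, CLIENT = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
# Constructed capture: 25 spoofed broadcast deauths in half a second (the flood),
# two legitimate unicast frames a minute apart, then three 802.11w-protected ones.
SAMPLE_FRAMES = (
    [(0.02 * i, make_mgmt(DEAUTH, BROADCAST, AP, AP)) for i in range(25)]
    + [(5.0, make_mgmt(DEAUTH, CLIENT, AP, AP)), (65.0, make_mgmt(DISASSOC, CLIENT, AP, AP))]
    + [(70.0 + 0.01 * i, make_mgmt(DEAUTH, CLIENT, AP, AP, protected=True)) for i in range(3)]
)
```

The threshold and window are the two knobs a real signature exposes; a broadcast victim address with the BSSID as source is the typical pattern of a tool-driven flood, which is why the alert records both.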
AWIPS: Accurate Detection and Mitigation
Detection: device inventory analysis; signature and anomaly detection; network traffic analysis; on/off-channel scanning.
Threats detected: rogue APs/clients; ad-hoc connections; over-the-air attacks (cracking, reconnaissance, DoS).
Classification: default tuning profiles; customizable event auto-classification; wired-side tracing; physical location.
Notification: unified PI security dashboard; flexible staff notification; device location.
Mitigation: wired port disable; over-the-air mitigation; auto or manual; uses all APs for superior scale.
Management: role-based with audit trails; customizable event reporting; PCI reporting; full event forensics.
Wireless Intrusion Prevention System (wIPS): threat categories
• Denial of Service: service disruption.
• Evil Twin / Honeypot AP: the attacker’s AP impersonates the network.
• Reconnaissance: seeking network vulnerabilities.
• Cracking tools: sniffing and eavesdropping.
• Ad-hoc wireless bridge: client-to-client backdoor access.
• Rogue access points: backdoor access.
• Non-802.11 attacks (Bluetooth AP, radar, RF jammers, microwave): service disruption; detected by CleanAir and tracked by MSE.
wIPS with Cisco Mobility Services Engine (MSE) 8.0
APs report to their WLCs, which feed the MSE; Prime Infrastructure talks to the MSE over SOAP/XML over HTTP/HTTPS (figure).
IDS and wIPS Signatures
IDS signatures run on the WLC; wIPS signatures run on the MSE (figure).
For your reference
Supported AP modes for wIPS
Figure (mode labels not recoverable from the extraction): three modes serve data on 2.4 and 5 GHz with wIPS on all channels, one serves data on 5 GHz only with wIPS on all channels, and one of them runs wIPS “best effort”.
Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500
Cisco Wireless Security Deployment with AP3800/2800 Maintains Capacity and Avoids Interference

Feature | Good: Enhanced Local Mode (ELM) | Better: Monitor Mode AP | Best: ELM with FRA Monitor Mode
Deployment density | Per AP | 1 in 5 APs | 1 radio per 5 APs
Client serving with security monitoring | Y | N | Y
wIPS security monitoring | 50 ms off-channel scan on selected channels on 2.4 and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz
CleanAir spectrum intelligence | 7 x 24 on the client-serving channel | 7 x 24, all channels on 2.4 GHz and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz

Figure: channel timelines per mode. ELM (Good): 2.4 GHz and 5 GHz radios stay on their serving channel with short off-channel dwells. Monitor mode (Better): both radios cycle through all channels (Ch1, Ch2 … Ch11; Ch36, Ch38 … Ch157, Ch161). ELM with FRA (Best): one 5 GHz radio keeps serving while the other radio cycles through all channels.
Rogue Access Points: what are they?
• A rogue AP is an AP that does not belong to our deployment.
• We might need to care (malicious / on our network) or not (friendly).
• Sometimes we can disable them, sometimes we can mitigate them.
“I don’t know it.” “Me neither.”
Rogue Detection and Mitigation
Scanning by AP role (figure):
• Data-serving AP: serves clients on 2.4 GHz and 5 GHz, 50 ms off-channel scans.
• Monitor mode AP: scans 1.2 s per channel.
• FRA with monitor mode: serves clients on the dedicated 5 GHz radio, scans 1.2 s per channel on the other radio.
Rogue classification and containment: rogue rules; manual classification (friendly/malicious); manual and auto containment.
CleanAir with rogue AP types: Wi-Fi invalid channel; Wi-Fi inverted.
Rogue location: real-time with PI, MSE, CleanAir; location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers.
Rogue AP Detection: Rogue Rules in the WLC and General Options (screenshot)
Containing Multiple Rogues with a Single Click
• Since 7.4, the WLC allows manual containment of multiple rogue APs in a single click.
• Rogues are classified and the admin alerted; the admin can then initiate containment in a single click.
• The AP nearest to the rogue AP sends the containment packets to the rogue AP.
• Rogue clients per rogue AP increased from 16 to 256 (the 2504 supports 64 rogue clients per rogue AP).
Step 0: create a rogue policy. Step 1: select rogues (click to select all). Step 2: click [Contain] (contain all).
Policy-Based Auto Containment
• Custom rogue policies let the administrator create multiple rogue rules, each including an automated action.
• Based on the rogue rule, a rogue AP/client can be automatically classified as internal or external rogue and can trigger auto-containment.

Rule type | Notify / Action | Custom severity
Friendly | Alert; Internal; External | No
Malicious | Alert; Contain | No
Custom | Alert; Contain | Yes (1…100)

Step 1: create a rogue rule with a containment action. Step 2: the filtered rogue list is automatically contained.
Caveat: containment sends de-authentication frames to the rogue’s clients, so restrict auto-containment to rogues confirmed on your own wired network; containing an AP you do not own may breach local regulations.
Rogue AP Detection: Rogue Location Discovery Protocol (RLDP)
The detecting AP associates to the rogue AP as a client and sends an RLDP message (UDP 6352) towards the WLC; if the message arrives, the rogue is connected to our wired network.
Caveats:
• it only works if the rogue SSID is open;
• it does not work if the RLDP message gets filtered;
• while trying to associate to the rogue AP, the RLDP AP stops serving clients (up to 30 secs).
Rogue AP Detection: Rogue Detector mode
A Rogue Detector AP sits on a trunk carrying all monitored VLANs (WLC, AP, client, etc.) and listens on the wire for ARP from the MAC addresses of clients seen on rogue APs.
Caveats:
• it only works if the rogue client’s MAC is not behind NAT;
• it supports up to 500 rogue MACs.
Config. guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html
Rogue AP Detection: Switch Port Tracing
Prime Infrastructure walks the switches starting from the detecting AP’s switch: CDP neighbors, CAM table, CAM table of the next hop, until it finds the port where the rogue’s wired MAC is learned.
For your reference
CleanAir and RRM (animated figure): APs on channels 1, 6 and 11; when CleanAir reports an interferer (X) on one of them, RRM moves the affected AP to another channel.
Event Driven RRM (EDRRM)
Sensitivity thresholds (Air Quality index) that trigger a channel change:
• High: Air Quality ≤ 60
• Medium: Air Quality ≤ 50
• Low: Air Quality ≤ 35
Rogue AP duty cycle contribution to Air Quality available as of AireOS 8.1.
CleanAir detectable attacks: some examples
Layered view:
• IP and application attacks and exploits (Layer 3-7): traditional IDS/IPS.
• Wi-Fi protocol attacks and exploits (Layer 2): wIPS.
• RF signaling attacks and exploits (Layer 1): CleanAir, dedicated to L1 exploits.
CleanAir detects, on 2.4 GHz and 5 GHz: rogue threats (“undetectable” rogues), Wi-Fi jammers, and “classic” interferers. See BRKEWN-3010.
Recap of Cisco WIPS
• Detecting extensive DoS attacks and security penetration: Base WIPS + Adaptive WIPS.
• Locating rogue APs, attackers and victims.
• Manual or fixed auto-containment policy for rogue AP/client.
• Comprehensive wired rogue detection algorithm using Auto SPT, RLDP or Rogue Detector AP.

Rogue type | Detection method | Components
Open / wired / NATed rogue AP | RLDP or Rogue Detector (“magic packet”) | WLC
Encrypted / wired rogue AP (Ethernet MAC within +/- 1 or 2 of the BSSID, OUI-based) | SNMP / Auto SPT | WLC, PI
Locating, tracking and tracing rogue APs | | MSE
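The wired-side half of the recap above (Switch Port Tracing, and the “+/- 1 or 2 and OUI” MAC match) can be reproduced in a few lines. The following added example is not Prime Infrastructure’s implementation; its topology, CAM tables and CDP neighbour lists are constructed. It starts at the switch of the AP that heard the rogue, looks for the rogue’s probable Ethernet MAC (BSSID plus or minus a small offset) in each CAM table, follows CDP neighbours across uplinks, and stops at the first port with no switch behind it.

```python
"""Wired-side rogue tracing in the spirit of Prime Infrastructure's Switch Port
Tracing (SPT): starting at the switch of the AP that heard the rogue, look for the
rogue's probable Ethernet MAC in each CAM table, follow CDP neighbours across
uplinks, and stop at the edge port. Added example for this page, not Prime's
implementation; the topology, CAM tables and CDP neighbour lists are constructed."""


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def int_to_mac(value):
    return ":".join(f"{(value >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


def candidate_wired_macs(bssid, spread=2):
    """A rogue AP's Ethernet MAC usually sits within +/-1 or +/-2 of its radio BSSID
    (same OUI block, consecutive assignment), which is what the '+/- 1 or 2 and OUI'
    match relies on. Nearest candidates first, the BSSID itself included."""
    base = mac_to_int(bssid)
    offsets = sorted(range(-spread, spread + 1), key=abs)
    return [int_to_mac(base + o) for o in offsets if 0 <= base + o < (1 << 48)]


def trace_rogue(bssid, start_switch, cam, cdp, max_hops=5):
    """cam: {switch: {mac: port}}; cdp: {switch: {port: neighbour switch}}.
    A candidate MAC learned on a port with a CDP neighbour is on an uplink: walk to
    that neighbour instead of reporting. Returns (switch, port, mac) or None."""
    wanted = candidate_wired_macs(bssid)
    visited, frontier = set(), [(start_switch, 0)]
    while frontier:
        switch, hops = frontier.pop(0)
        if switch in visited or hops > max_hops:
            continue
        visited.add(switch)
        for mac in wanted:
            port = cam.get(switch, {}).get(mac)
            if port is None:
                continue
            neighbour = cdp.get(switch, {}).get(port)
            if neighbour is None:
                return switch, port, mac        # edge port: the rogue is plugged in here
            frontier.append((neighbour, hops + 1))
    return None


# Constructed topology: two access switches behind one distribution switch.
CDP = {
    "sw-access-1": {"Gi1/0/48": "sw-dist"},
    "sw-dist": {"Gi1/0/1": "sw-access-1", "Gi1/0/2": "sw-access-2"},
    "sw-access-2": {"Gi1/0/48": "sw-dist"},
}
ROGUE_BSSID = "00:1a:2b:3c:4d:50"           # heard over the air by an AP on sw-access-1
ROGUE_WIRED = "00:1a:2b:3c:4d:4f"           # its Ethernet side: BSSID - 1
CAM = {
    "sw-access-1": {ROGUE_WIRED: "Gi1/0/48", "00:50:56:aa:00:01": "Gi1/0/3"},
    "sw-dist": {ROGUE_WIRED: "Gi1/0/2", "00:50:56:aa:00:01": "Gi1/0/1"},
    "sw-access-2": {ROGUE_WIRED: "Gi1/0/7"},
}
```

A `None` result is the case the recap’s other methods exist for: an encrypted rogue behind NAT leaves no matching MAC on the wire, so RLDP or a Rogue Detector AP correlating client ARP is needed instead.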
Management Frame Protection (MFP)
• Infrastructure MFP: an additional Message Integrity Check (MIC) on management frames, validated by the other APs of the enterprise network.
• Client MFP: encryption of management frames for associated/authenticated clients (requires CCXv5 clients).
For your reference
IEEE 802.11w: Protected Management Frames (PMF)
• Client protection with additional cryptography for de-authentication and disassociation frames.
• Infrastructure protection with the Security Association (SA) query and tear-down mechanism.
For your reference
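Whether a WLAN actually offers what the last two slides describe, and what the “secure/open SSID fundamentals” of the agenda amount to, can be read from one information element in its beacons. The following added example (not Cisco code; the information elements are constructed, not captured) parses the RSN element and reports cipher suites, the AKM (PSK versus 802.1X) and the 802.11w capability bits, flagging TKIP and missing or optional PMF.

```python
"""What an SSID really advertises: parse the RSN information element (ID 48) from a
beacon or probe response and report cipher suites, AKM (PSK vs 802.1X) and the
802.11w capability bits (MFPC/MFPR). Added example for this page, not Cisco code;
the information elements below are constructed, not captured."""
import struct

IEEE_OUI = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
ENTERPRISE_AKMS = {"802.1X", "FT-802.1X", "802.1X-SHA256"}
RSN_IE = 48


def find_ie(ies, eid):
    """Walk the beacon's TLV information elements; return the body of the first `eid`."""
    i = 0
    while i + 2 <= len(ies):
        e, l = ies[i], ies[i + 1]
        if e == eid:
            return ies[i + 2:i + 2 + l]
        i += 2 + l
    return None


def _suite(b, table):
    """A suite selector is OUI (3 bytes) + type; vendor OUIs are reported raw."""
    return table.get(b[3], f"type-{b[3]}") if b[:3] == IEEE_OUI else f"vendor-{b[:3].hex()}-{b[3]}"


def parse_rsn(body):
    """RSN body: version(2 LE) | group suite(4) | n(2 LE) pairwise suites | n(2 LE) AKM suites | caps(2 LE)."""
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group, off = _suite(body[2:6], CIPHERS), 6
    n, = struct.unpack_from("<H", body, off)
    pairwise = [_suite(body[off + 2 + 4 * k:off + 6 + 4 * k], CIPHERS) for k in range(n)]
    off += 2 + 4 * n
    n, = struct.unpack_from("<H", body, off)
    akms = [_suite(body[off + 2 + 4 * k:off + 6 + 4 * k], AKMS) for k in range(n)]
    off += 2 + 4 * n
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfpc": bool(caps & 0x0080), "mfpr": bool(caps & 0x0040)}   # bit 7 MFPC, bit 6 MFPR


def classify_wlan(ies):
    """Summarise an SSID's security and list the weaknesses a practitioner would flag."""
    body = find_ie(ies, RSN_IE)
    if body is None:
        return {"security": "open", "warnings": ["no RSN IE: open, WEP or legacy WPA only"]}
    rsn = parse_rsn(body)
    warnings = []
    if "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP":
        warnings.append("TKIP in use")
    if not rsn["mfpc"]:
        warnings.append("802.11w (PMF) not advertised")
    elif not rsn["mfpr"]:
        warnings.append("PMF optional: clients that skip it still accept spoofed deauth")
    kind = "enterprise" if ENTERPRISE_AKMS & set(rsn["akm"]) else "personal"
    return dict(rsn, security=kind, warnings=warnings)


def ie(eid, body):
    return bytes([eid, len(body)]) + body


# Constructed beacons: SSID IE (0) followed by an RSN IE (48).
ENTERPRISE_IES = ie(0, b"corp") + ie(RSN_IE,
    b"\x01\x00" + IEEE_OUI + b"\x04"                         # version 1, group CCMP-128
    + b"\x01\x00" + IEEE_OUI + b"\x04"                       # 1 pairwise suite: CCMP-128
    + b"\x01\x00" + IEEE_OUI + b"\x01"                       # 1 AKM: 802.1X
    + b"\xc0\x00")                                           # caps: MFPC | MFPR
LEGACY_PSK_IES = ie(0, b"iot-legacy") + ie(RSN_IE,
    b"\x01\x00" + IEEE_OUI + b"\x02"                         # group TKIP (mixed mode)
    + b"\x02\x00" + IEEE_OUI + b"\x02" + IEEE_OUI + b"\x04"  # pairwise: TKIP, CCMP-128
    + b"\x01\x00" + IEEE_OUI + b"\x02"                       # 1 AKM: PSK
    + b"\x00\x00")                                           # caps: no PMF
OPEN_IES = ie(0, b"guest")
```

Feed it the information elements of a captured beacon (everything after the fixed 12-byte beacon body) and the warnings list is the audit finding for that SSID.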
Service Ready: Feature Highlights
• Identity and access: 802.1X, WebAuth, guest access, MAC auth, BYOD, NAC RADIUS.
• Policy: AAA override (VLAN, ACL, QoS); local policy with AVC and Umbrella; TrustSec SXP and inline tagging.
• Visibility and protection: AVC/Netflow; solution-level attack protection; Cisco Umbrella URL filtering.
• Services: local profiling; Bonjour; Apple services; OKC and CCKM roaming.
Identity Awareness: choose the access control method
Endpoint classes: authorized users, IP phones, tablets, network devices, guests, IoT devices.
Authentication features: 802.1X, Identity PSK, MAC Auth Bypass, Web Authentication.
IEEE 802.1X
Roles: Supplicant | EAP over LAN (EAPoL), Layer 2 point-to-point | Authenticator | RADIUS, Layer 3 link | Auth server.
Beginning:
• EAPoL Start;
• EAPoL Request Identity;
• EAP-Response Identity: Alice > RADIUS Access-Request [AVP: EAP-Response: Alice].
Middle (multiple challenge/request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request PEAP] > EAP-Request: PEAP;
• EAP-Response: PEAP > RADIUS Access-Request [AVP: EAP-Response: PEAP].
End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] > EAP Success.
For your reference
EAP Authentication Types: different authentication options leveraging different credentials
• Tunnel-based (EAP-PEAP, EAP-FAST) with inner methods (EAP-GTC, EAP-TLS, EAP-MSCHAPv2): common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel provides security for the inner method, which may be vulnerable by itself; that protection holds only if the supplicant validates the server certificate, otherwise an evil twin presenting its own certificate can capture the inner MSCHAPv2 exchange.
• Certificate-based (EAP-TLS): for more security, EAP-TLS provides mutual authentication of both the server and the client with certificates.
RADIUS Change of Authorization (CoA)
• RADIUS is initiated by the network device (NAD): once an authorization has been returned, ISE has no way to change it on its own.
• With CoA the network device listens for CoA requests from ISE (RADIUS CoA, UDP 1700 on Cisco devices, 3799 per RFC 5176): re-authenticate session; terminate session; terminate session with port bounce; disable host port.
“Now I can control ports when I want to!”
(config)# aaa server radius dynamic-author
 client {PSN} server-key {RADIUS_KEY}
For your reference
RADIUS Change of Authorization (CoA): re-authentication sequence
Roles: Supplicant | EAPoL, Layer 2 point-to-(multi)point | Authenticator | RADIUS, Layer 3 link | AuthC server.
Change of authorization:
• RADIUS CoA-Request [VSA: subscriber: reauthenticate], server > authenticator;
• RADIUS CoA-Ack.
Re-authentication:
• EAPoL Request Identity;
• EAP-Response Identity: Alice > RADIUS Access-Request [AVP: EAP-Response: Alice];
• RADIUS Access-Challenge [AVP: EAP-Request PEAP] > EAP-Request: PEAP;
• EAP-Response: PEAP > RADIUS Access-Request [AVP: EAP-Response: PEAP];
• multiple challenge/request exchanges possible.
Identity PSK (AireOS 8.5 release)
Increased demand for IoT devices: identity security without 802.1X.
• High scale, cost effective, simple operations.
• Private PSK with RADIUS integration.
• Per-client AAA override (VLAN, ACL, QoS, etc.).
Identity PSK: how it works
PSK WLAN with MAC filtering and AAA override enabled: the RADIUS server returns a private PSK for each device MAC group, and devices not covered by a rule use the WLAN PSK.

Device MAC group | Private PSK
IoT devices | aabbcc
Sensors | xxyyzz
Employees | --- (WLAN PSK)

IoT devices:
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=aabbcc"
Sensors:
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=xxyyzz"
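The EAPoL-Key exchange from the connection workflow earlier and the per-MAC PSK above meet in the 4-way handshake. The following added example (not Cisco code; the MAC-to-PSK table stands in for what ISE returns in `psk=...`, and the MACs, nonces and EAPoL frame are constructed) derives the PMK and PTK the way IEEE 802.11 defines them, has the supplicant MIC message 2 with the key it knows, and has the AP pick the PSK by client MAC before checking the MIC. It shows why a device holding another group’s key, or a captured handshake replayed from a different MAC, fails the check.

```python
"""The EAPoL-Key (4-way handshake) key derivation that follows association on a
PSK WLAN, with the PSK looked up per client MAC the way Identity PSK does it.
Added example for this page, not Cisco code: the MAC-to-PSK table stands in for
what ISE returns in cisco-av-pair psk=..., and the nonces, MACs and EAPoL frame
are constructed."""
import hashlib
import hmac

SSID = b"iot-wlan"
# Constructed stand-in for the RADIUS answer per MAC (Identity PSK). Employees
# not listed here would fall back to the WLAN's own PSK.
IDENTITY_PSK = {"aa:bb:cc:00:00:01": "sensor-key-xxyyzz", "aa:bb:cc:00:00:02": "iot-key-aabbcc"}
AP_MAC = "00:11:22:33:44:55"
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
MIC_OFFSET = 81   # position of the 16-byte Key MIC inside the EAPoL-Key frame built below


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def pmk_from_psk(psk, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes) as IEEE 802.11 defines it."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid, 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)|max(AA,SPA)|min(AN,SN)|max(AN,SN)).
    For CCMP the 48 bytes split into KCK (16), KEK (16) and TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def build_msg2(snonce, mic=b"\x00" * 16):
    """Minimal EAPoL-Key message 2: 802.1X header(4) | descriptor(1) | key info(2) |
    key len(2) | replay counter(8) | SNonce(32) | IV(16) RSC(8) ID(8) | MIC(16) | data len(2)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + b"\x00" * 7 + b"\x01"
            + snonce + b"\x00" * 32 + mic + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def eapol_mic(kck, frame):
    """WPA2/PSK Key MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed), truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def client_msg2(client_mac, ap_mac, psk, anonce, snonce):
    """Supplicant side: derive the PTK from the PSK it knows and MIC message 2 with the KCK."""
    kck, _, _ = derive_ptk(pmk_from_psk(psk, SSID), mac_bytes(ap_mac), mac_bytes(client_mac), anonce, snonce)
    return build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))


def ap_verify_msg2(client_mac, ap_mac, anonce, msg2, psk_table):
    """AP/WLC side: pick the PSK for this MAC (Identity PSK), derive the PTK and check the
    MIC. Returns the temporal key on success, None for an unknown MAC or a wrong PSK."""
    psk = psk_table.get(client_mac)
    if psk is None:
        return None
    snonce = msg2[17:49]
    kck, _, tk = derive_ptk(pmk_from_psk(psk, SSID), mac_bytes(ap_mac), mac_bytes(client_mac), anonce, snonce)
    return tk if hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16]) else None
```

The same arithmetic is what an offline dictionary attack runs against a captured handshake: with one shared WLAN PSK, one recovered key opens every device, whereas with per-MAC keys a guess only ever covers the device or group it belongs to.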
Local Web Authentication (LWA)
LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC.
Components: AP-WLC, DHCP/DNS, ISE server (optional MAB or 802.1X first).
1. SSID with WebAuth.
2. Pre-webauth ACL applied.
3. Host acquires an IP address, triggers session state.
4. Host opens a browser, gets the login page, sends the password.
5. WLC queries the AAA server; the AAA server returns the policy (server authorizes user).
6. WLC applies the new WebAuth policy (L3).
Central Web Authentication (CWA)
CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS.
Components: AP-WLC, DHCP/DNS, ISE server.
1. Open SSID with MAC filtering enabled.
2. First authentication session (MAB).
3. AuthC success; AuthZ for the unknown MAC returned: redirect/filter ACL, portal URL.
4. Host acquires an IP address, triggers session state.
5. Host opens a browser; the WLC redirects the browser to the ISE web page (login page); the host sends username/password.
6. Web auth success results in a CoA (server authorizes user).
7. MAB re-auth, MAB success; session lookup, policy matched; authorization ACL/VLAN returned.
Other URL-Redirect scenarios (posture, MDM, etc.)
CWA is a URL-redirect scenario. Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB or WebAuth.
Components: AP-WLC, DHCP/DNS, ISE server.
1. SSID configured for 802.1X / MAB.
2. First authentication session.
3. AuthC success; AuthZ returned: redirect/filter ACL, URL for posture/MDM/etc.
4. Host acquires an IP address, triggers session state.
5. Host opens a browser; the WLC redirects the browser to ISE for other services: posture check, MDM check, client provisioning, etc.
6. RADIUS CoA (server authorizes user).
7. 802.1X/MAB re-auth and success; session lookup, policy matched; authorization ACL/VLAN returned.
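On the wire, steps 3 and 6 of the CWA and redirect flows above are two RADIUS packets. The following added example (not ISE or WLC code; the shared secret, identifiers, session id and portal URL are constructed placeholders) builds the Access-Accept carrying the `url-redirect-acl` and `url-redirect` cisco-av-pairs, and the CoA-Request that re-authenticates the session, computes the RFC 2865 and RFC 5176 authenticators, and verifies them as the receiving side would. The same VSA encoding carries `avc-profile-name` and the Identity PSK attributes seen elsewhere in this session.

```python
"""The RADIUS side of CWA and AAA override: an Access-Accept that carries the
cisco-av-pair VSAs (url-redirect-acl, url-redirect) the WLC acts on, and the
CoA-Request ISE sends afterwards to re-authenticate the session, with the
RFC 2865 / RFC 5176 authenticators computed and verified. Added example for this
page, not ISE or WLC code; the shared secret, identifiers, session id and URL are
constructed placeholders."""
import hashlib
import struct

ACCESS_ACCEPT, COA_REQUEST = 2, 43
CALLING_STATION_ID, VENDOR_SPECIFIC = 31, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(atype, value):
    """Attribute TLV: type(1) length(1, includes the 2 header bytes) value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26) with vendor id 9 and vendor type 1 (cisco-av-pair)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def _authenticator(code, ident, length, seed, body, secret):
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + seed + body + secret).digest()


def build(code, ident, attrs, secret, request_auth=None):
    """Access-Accept: Authenticator = MD5(code|id|len|RequestAuthenticator|attrs|secret)
    (RFC 2865). CoA-Request: the same with 16 zero bytes in place of the request
    authenticator (RFC 5176)."""
    body = b"".join(attrs)
    length = 20 + len(body)
    seed = request_auth if request_auth is not None else b"\x00" * 16
    return struct.pack("!BBH", code, ident, length) + _authenticator(code, ident, length, seed, body, secret) + body


def verify(pkt, secret, request_auth=None):
    """Check a received Access-Accept (needs the Request Authenticator we sent) or CoA-Request."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    seed = request_auth if request_auth is not None else b"\x00" * 16
    return _authenticator(code, ident, length, seed, pkt[20:], secret) == pkt[4:20]


def parse_avpairs(pkt):
    """Return every cisco-av-pair string carried in the packet."""
    out, i = [], 20
    while i + 2 <= len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID \
                and value[4] == CISCO_AVPAIR:
            out.append(value[6:4 + value[5]].decode())
        i += alen
    return out


SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))        # the Request Authenticator the WLC put in its Access-Request
# CWA step 3: MAB accepted for an unknown MAC, with the redirect ACL and portal URL (placeholder values).
CWA_ACCEPT = build(ACCESS_ACCEPT, 7, [
    cisco_avpair("url-redirect-acl=CWA_REDIRECT"),
    cisco_avpair("url-redirect=https://ise.example.net:8443/portal/gateway?sessionId=0A0A0A0A00000001&action=cwa"),
], SECRET, REQUEST_AUTH)
# CWA step 6: after the portal login ISE tells the WLC to re-authenticate the session.
COA_REAUTH = build(COA_REQUEST, 42, [
    attr(CALLING_STATION_ID, b"aa-bb-cc-00-00-01"),
    cisco_avpair("subscriber:command=reauthenticate"),
], SECRET)
```

The authenticator is the only integrity protection a plain RADIUS packet has, and it is an MD5 over a shared secret; that is the reason the WLC-to-ISE path should not cross an untrusted network, and why `verify` rejects a packet whose Request Authenticator does not match the request we actually sent.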
How about policies?
Differentiating user groups.
Keeping untrusted devices out.
Basic access vs. Full access
Network Policy Enforcement: Network as a Sensor and Enforcer
Different wired and wireless security leaves you vulnerable to risk and malicious activity; the latest Cisco wireless minimizes risk and works with switching and routing for end-to-end validation.
1. Access policy created on Identity Services Engine.
2. Authorized user accepts the policy.
3. Network validates activity: it serves as a sensor and policy enforcer.
Cisco Identity Services Engine (ISE)
ISE consolidates what used to be separate products (ACS, NAC Profiler, Guest Server, NAC Manager, NAC Server) and provides:
• Centralized policy
• RADIUS server
• Posture assessment
• Guest access services
• Device profiling
• Client provisioning
• MDM
• Monitoring and troubleshooting
• SIEM integration
• Device admin / TACACS+
See BRKSEC-3697, BRKSEC-3699.
Authentication and Authorization: what are they?
• Authentication (802.1X / iPSK / MAB / WebAuth) tells who/what the endpoint is.
• Authorization tells what the endpoint has access to.
ISE Policy Rules
1. Authentication rules
• Define what identity stores to reference.
• Example: Active Directory, CA server, internal DB, etc.
2. Authorization rules
• Define what users and devices get access to which resources.
• Example: all employees with Windows laptops have full access.
For your reference
Guests and BYOD, can’t hide...
Role-based application policy
• Alice (user) and Bob (IT admin) are both employees, connected to the same SSID; Bob can access certain applications (YouTube), Alice cannot.
Role-based + device-type application policy
• Alice can access inventory info on an IT-provisioned Windows laptop, but not on her personal iPad.
Role-based + device-type + application-specific policy
• Alice has limited access (rate limit) to Jabber on her iPhone.
AVC timeline (per user-group, per device policy tie-in to AVC):
• 7.4: AVC.
• 7.5: dynamic protocol pack update.
• 7.6: Jabber, Lync 2013 support.
• 8.0: user- and device-aware policies; ability to classify Apple iOS, Windows, Android upgrades.
• 8.1: user- and device-aware policies; ability to classify Apple iOS, Windows, Android upgrades.
• 8.2: Wi-Fi calling; Skype for Business; UserId + IP flow for Netflow export; Lancope collector.
AVC (Application Visibility and Control): per-user profiles via AAA
The RADIUS server returns an AVC profile name per user role and the WLC applies it; the figure shows different application sets (YouTube, Facebook, Skype, BitTorrent) controlled for employees and for contractors.
cisco-av-pair = avc-profile-name = AVC-Employee
cisco-av-pair = avc-profile-name = AVC-Contract
WLC integration with Stealthwatch (as of AireOS 8.2 on 5520/8510/8540 WLC)
• The WLC exports Netflow v9 records to Stealthwatch.
• Stealthwatch detects e.g. BitTorrent and notifies ISE via pxGrid.
• ISE quarantines the endpoint through a RADIUS CoA to the WLC.
See BRKSEC-3014.
Security Group Access (SGA): AireOS 8.3 and before, SXP peering from the WLC
• Users and endpoints authenticate (802.1X, MAB, WebAuth, agent-less devices) and ISE assigns them a Security Group Tag (e.g. SGT=5) on VLAN 100; frames leaving the WLC are untagged.
• The WLC (SXP speaker) sends its IP-to-SGT binding table via SXP to SGT-tagging or SGACL-capable devices (SXP listener, e.g. Catalyst 3750-X); the Catalyst 6500 distribution switch carries tagged frames.
IP address | SGT
10.1.10.102 | 5
10.1.10.110 | 14
10.1.99.100 | 12
• SGT enforcement at the switch protecting the IT portal (10.1.100.10, SGT 4) with the SGACL: deny sgt-src 5 sgt-dst 4.
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
Security Group Access (SGA): AireOS 8.4, SXP peering from the AP (802.11ac APs)
• Users and endpoints (802.1X, MAB, WebAuth, agent-less devices) get their SGT from ISE (e.g. SGT=5).
• The AP is now the SXP speaker: it sends the IP-to-SGT bindings to the listener (e.g. Catalyst 3k-X), which enforces the SGACL (deny sgt-src 5 sgt-dst 4) in the campus network.
IP address | SGT
10.1.10.102 | 5
10.1.10.110 | 14
10.1.99.100 | 12
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
Security Group Access (SGA): AireOS 8.4, SGT inline tagging at the WLC (5520/8540) or AP (802.11ac APs)
• The SGT (e.g. SGT=5) of 802.1X, MAB, WebAuth and agent-less endpoints is carried inline in the tagged frame from the WLC or AP into the campus network, so no SXP binding exchange is needed; the switch (e.g. Catalyst 3k-X) enforces the SGACL (deny sgt-src 5 sgt-dst 4).
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
Security Group Access (SGA): AireOS 8.4, SGACL at the WLC (5520/8540) or AP (802.11ac APs)
• ISE pushes the SGACL to the WLC or AP, which enforces it at the wireless edge itself (deny sgt-src 5 sgt-dst 4) for 802.1X, MAB, WebAuth and agent-less endpoints (SGT=5).
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
See BRKSEC-2203, BRKSEC-3690.
Introducing Cisco Umbrella with WLC
Client DNS queries are sent by the WLC to the Cisco Umbrella cloud resolver (208.67.220.220) instead of, or via, the local DNS server / external DNS proxy (10.1.1.1); Umbrella applies the organization’s policies (ACME: block gaming sites) and returns the DNS response (figure).
WLC integration with Cisco Umbrella (formerly OpenDNS)
DNS query from the client, via the WLC, to the Cisco Umbrella cloud; the DNS response carries the policy verdict (figure).
See BRKSEC-2980, LABSEC-2006.
OpenDNS (Umbrella) policy segmentation
• Current ISR 4K implementation: site-specific policy, enforced per interface (corp network > policy 1, guest network > policy 2).
• Wireless controller: dynamic evaluation of attributes for access control; the identity server returns attributes and the Umbrella policy is selected per user group (corp, contractor, guest > policies 1, 2, 3).
mDNS and Bonjour Services
• mDNS profiles: select services.
• mDNS profile with local policy: services per user and per device.
• mDNS policies: services based on AP location and user role.
• mDNS AP: services behind a L3 boundary.
• Location-specific services.
Example (figure): teacher network and student network. Teacher service profile: AirPrint, AirPlay, File Share; student service profile: AirPlay, File Share; other advertised services: iTunes Sharing, AirPrint. mDNS service instance groups: teacher service instance list (Apple TV1), student service instance list (Apple TV1, Apple TV2).
Key Takeaways
• Security is an end-to-end concern
• Start by securing the infrastructure
• Use CleanAir, WIPS to protect the Air
• Protect your client access with CWA, ISE
• AVC Policies, TrustSec and SGTs protect your traffic
Cisco Spark: Ask Questions, Get Answers
Use Cisco Spark to communicate with the speaker after the event (cs.co/ciscolive/#session ID, e.g. session ID = BRKACI-2001; get the Cisco Spark app from the iTunes store or Google Play store):
1. Go to the Cisco Live Mobile app.
2. Find this session.
3. Click the join link in the session description.
4. Navigate to the room, room name = Session ID.
5. Enter messages in the room.
Spark rooms will be available until Friday 17 November 2017. www.ciscospark.com

Complete Your Online Session Evaluation
Give us your feedback about the session you just joined. Complete your session surveys through the Cisco Live mobile app: https://www.ciscolive.com/latam/attend/attendee-info/#mobile-app (English), https://www.ciscolive.com/latam/attend-es/attendee-info/#mobile-app (Español), or from the Session Catalog on CiscoLive.com/latam.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online.