
Securing Hastily Formed Networks For Disaster Relief & Emergency Response


DESCRIPTION

Discusses an architectural approach towards security for Hastily Formed Networks (HFNs) and other crisis support technology for rescue teams, law enforcement, NGOs, etc. in the immediate aftermath of a disaster.


Page 1: Securing Hastily Formed Networks For Disaster Relief & Emergency Response

© 2012 Cisco and/or its affiliates. All rights reserved.BRKSEC-1000 Cisco Public

Securing Hastily Formed Networks For Disaster Relief and Emergency Response (BRKSEC-1000)




“We don’t just get involved in something and then leave…we get involved in ways nobody else does.”

John Chambers, President & CEO, Cisco Systems


Agenda

A bit about Cisco Tactical Operations

The intersection of human needs and networks

Introducing the “Hastily Formed Network” (HFN)

Security considerations of HFNs

Q&A

Wrap-up

Securing Hastily Formed Networks


Cisco Tactical Operations: humanitarian networks


Cisco TacOps Provides Crisis Support

Cisco Tactical Operations (TacOps) is a dedicated crisis response team that establishes emergency networks after a disaster.

TacOps personnel skills include technical, operational, first responder, military and logistics.

Promotes innovative technology solutions for disaster response and other hardship situations.

Emergency response funded by Cisco Corporate Philanthropy.


Cisco Learned Lessons from Hurricane Katrina

Initially: TacOps supported “extreme risk” incidents.

Expanded mission: To have a scalable, coordinated response to disasters (2005) … because:

Hurricane Katrina - what Cisco did:
‒ Cisco sent hundreds of volunteers and tons of equipment to the Gulf region.
‒ We were successful, but…

Hurricane Katrina - lessons learned:
‒ There were many willing engineers but few trained for the environment.
‒ Less effective due to the Cisco-wide uncoordinated response.
‒ No standardized Cisco mobile platform for disaster response.


Today: All-hazards Response, Anywhere

‒ Famine, Horn of Africa
‒ Tornadoes, AL, NC, MO
‒ Earthquake/Tsunami, Japan
‒ Earthquakes, Christchurch, New Zealand
‒ Flooding, Brazil
‒ Flooding, Queensland, Australia
‒ Fourmile Canyon Fire, Boulder, CO
‒ Gas Pipeline Explosion, San Bruno, CA
‒ Plane Crash, Palo Alto, CA
‒ Earthquake, Port-Au-Prince, Haiti
‒ Fiber-Optic Cut, SF Bay Area, CA
‒ Flooding, Cedar Rapids, IA
‒ Evans Road Fire, NC
‒ Harris Fire, San Diego, CA
‒ Hurricanes Katrina, Gustav, Ike


US Relationships

Office of Emergency Services


International Relationships


The Intersection of Human Needs and Networks


All Crisis Responders Share the Same Problem

How to deliver the right information in the right format to the right person at the right time?

‒ Public Safety
‒ Defense
‒ National, State & Local Government
‒ Healthcare
‒ Critical Infrastructure
‒ Transportation
‒ NGOs/VOADs/International Orgs


The Need for Technology in Disaster is Increasing

Evolution in People, Process and Technologies to support disaster and humanitarian relief:

‒ Radio, phone → Radio + Integrated Data
‒ Single device → Any Device (BYOD)
‒ Voice only → Voice, Video, Data
‒ Closed teams → Open collaboration
‒ Command centric → In the field, social media, everyone
‒ Fixed locations → Deployable anywhere

Goal: Mission workflow and productivity benefits to save lives and speed recovery.


Introducing Hastily Formed Networks


Typical ICT Challenges in Disaster

Lack of power

Degraded telephony infrastructure

Degraded Push-to-Talk Radio, Lack of interoperability

Oversubscribed services

Limited Internet access

Few IT resources

Lack of trained staff

Information and Computing Technologies (ICT) are Needed but Overwhelmed


Solution: Hastily Formed Networks (HFN)

HFNs are portable, IP-based networks that are deployed in emergencies when normal communications have been disabled or destroyed.

Enable on-scene and remote responders to share situational awareness, coordinate operations, establish command and control.

Communicate within the affected area as well as to the outside world.

Instant Emergency Networks


NPS/Cisco HFN Layered Model

HUMAN / COGNITIVE: Social/Cultural, Organizational, Political, Economic

APPLICATION:
‒ SPECIALIZED: Collaboration, Sit Awareness, Cmd/Control, Fusion
‒ VIDEO/IMAGERY: VTC, GIS, Layered Maps
‒ VOICE: Push-to-talk, Cellular, VoIP, Sat Phone/PSTN
‒ TEXT: email, chat, SMS

NETWORK:
‒ WIRED: DSL, Cable, Other ISP WAN
‒ WIRELESS LOCAL: WiFi, PAN, MAN
‒ WIRELESS LONG HAUL: WiMAX, Microwave, IP over HF
‒ SAT BROADBAND: VSAT, BGAN

PHYSICAL:
‒ POWER: Fossil Fuel, Renewable
‒ HUMAN NEEDS: Shelter, Water, Fuel, Food
‒ PHYSICAL SECURITY: Force Protection, Access Authorization
‒ NET OP CENTER: Network Sec, Cmd/Control, Leadership


That Layer Model Assumes Something Important

Security underlies every element of an HFN.


HFNs: What They Are

Portable: mobile, rolling kit, easily moved with few personnel

Rapidly deployable: pre-configured, set up with minimal training

Interim: typically decommissioned once pre-event communications are restored.

Based on: WiFi/VSAT/WiMAX/etc.


HFNs: What They Are Not

A replacement for pre-emergency infrastructure.

Designed for large numbers of users

High bandwidth (if on VSAT); high latency, etc. needs to be considered.

Photos: Typical NOC; HFN NOC (Haiti)


The First Deployed HFN: Hurricane Katrina



More Recently: 2010 Haiti Quake

Diagram (NPS HFN Team Haiti Network): USNS COMFORT and Airport sites; links: VSAT/BGAN Satellite, WiMAX Point-to-Point, WiFi Mesh, WiFi Access Point.


Mobile and Kit HFN Solutions

Network Emergency Response Vehicle (NERV)
‒ ISR G2 based platform/VSAT/Mesh
‒ Video surveillance, streaming, TelePresence

Mobile Communicator Vehicle (MC2)
‒ ISR based platform. VSAT, Mesh

Emergency Communications Kit (ECK)
‒ Rapidly deployable communications capability
‒ ISR 2811 / 3825 based

Example Units for Our Security Discussions


Securing Hastily Formed Networks


Security: What are We Really Trying to Do?

Keep bad things out.

Protect the mission

Keep critical services running

Know what’s happening on the network and devices

Balance security and access

Get it right every time.



Myth Busting: Information Security in a Disaster

Assumption: “In a crisis network, I need to get deployed quickly. I don’t have time or the resources to secure the network!”

Reality: All HFN networks should be pre-planned – plan and build your security into your infrastructure!


HFN Security Starts With the Physical

You’re going into a disaster zone!

“Force Protection”

Physical security of equipment

Logistics

Intelligence

Health and Safety


Basic Information Security Concepts via HFN

Confidentiality: secure voice, video. Patient data. Security sensitive info.

Integrity: command and control channels

Availability: Denial of Service, appropriate use of the network, VSAT

Authenticity: User/admin verification, trusted endpoints.


IP Traffic Planes (a Reminder)

Data plane traffic: end-station, user generated traffic.

Control plane traffic: network device generated or received traffic used to operate or create the network itself. (ARP, EIGRP, OSPF, etc.)

Management plane traffic: traffic designed to manage the network or devices on the network. (SSH, FTP, SNMP, NTP, etc.)

Addressing can help keep things organized: all kits/vehicles have a /16, and each VLAN is a /24 with a specified role. We can identify traffic flows easily.


HFNs Use the Same Basic Infosec Assumptions

Least-privilege access: Users, devices, systems are given minimal access given the crisis environment (advanced AAA solutions, etc. may not be available!)

Threats may come from anywhere in the network.

Simplicity: Once initially configured, the security architecture should establish itself without requiring any additional work from personnel who already have too much to do.

Defense-in-Depth: No single security feature or technology can mitigate the range of possible threats.


Cisco NERV Architecture (diagram): DMVPN/FW Router (3925), Core Router (3945), Wireless Controller, IPICS (HF/UHF/VHF), IP Phone 7970/9971, Video Conferencing (C40), Wireless Mesh AP 1524-PS/1522, Inside Wireless AP 1242, Wireless IP Phone, Video Surveillance Cameras, Access Switch, Satellite Modem, VSAT, Internet, Cisco Systems (San Jose, CA; Raleigh, NC).


Use Strong Passwords, Restricted Privileges

For system/network devices, strong passwords are enforced.
‒ No dictionary words, mix of special chars, letters, numbers
‒ Based on mnemonic/phrase that is easily remembered (no guesswork in a disaster)
‒ No “cisco/cisco” or similar. Duh!

Computers and other devices: “user” (non admin accounts), and administrative accounts. Use the least-access user needed for a task.


DoS is the Primary Security Concern with Satellite

Satellite is often the only way to get broadband data in a disaster.

The “thin sippy straw” – bandwidth from 128 kbps to 5 Mbps (typical Ku VSAT system)

Protect your satellite bandwidth at all costs!

Malicious traffic

‒ Zombie, flooding traffic.

Inappropriate use …?

‒ YouTube

‒ BitTorrent

‒ FarmVille


A Real World Security Incident…

Once upon a time… the NERV had a flat, open network.

Evans Road Fire in North Carolina.

Firefighter’s laptop came onto the NERV pre-infected – DDoS zombie w/spoofed SRC IP.

Created DoS condition on the satellite uplink.


…Had Us Reevaluate Access.

Designed for differentiated access in an easy-to-deploy fashion.

“Untrusted” VLANs: open WiFi and certain networks such as those external to the NERV or kits (patch panel) – access to the Internet only.

“Trusted” VLANs have open access to servers, vehicle-based resources, etc. Requires you to have physical access to the vehicle/kit.

Optical & Copper patch panel allow only limited access


Our HFN Firewall Strategy – One Policy, Everywhere

Each “unit” is responsible for its own firewall

Each policy is the same

Inbound IOS firewall, BOGON filters

Egress Internet-only from “untrusted” networks

Egress “sanity checking” filters for spoofed outbound traffic

Diagram: Field Units connect across the Internet to ASA Firewalls at San Jose, CA and Raleigh, NC.
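The per-unit policy above (egress sanity check for spoofed sources, bogon filter, Internet-only egress from “untrusted” VLANs) together with the /16-per-unit, /24-per-VLAN addressing plan from the traffic-planes slide, as an added example that is not TacOps' configuration: a Python model of the policy run over constructed flow records, including a spoofed-source flood like the pre-infected laptop in the Evans Road Fire incident. All addresses, VLAN roles and flow records are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumed addressing plan (constructed for this example): the unit owns one /16
# and each VLAN is a /24 with a fixed role, as the traffic-planes slide describes.
UNIT = ipaddress.ip_network("10.50.0.0/16")
VLAN_ROLES = {
    ipaddress.ip_network("10.50.10.0/24"): "trusted",    # vehicle servers, NOC
    ipaddress.ip_network("10.50.20.0/24"): "trusted",    # IP phones, video units
    ipaddress.ip_network("10.50.30.0/24"): "untrusted",  # open WiFi
    ipaddress.ip_network("10.50.40.0/24"): "untrusted",  # patch panel
}
# Partial bogon list for illustration only; a real filter uses a maintained list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/3")]

def vlan_role(ip):
    """Role of the VLAN an address belongs to, or None if outside the unit's /16."""
    addr = ipaddress.ip_address(ip)
    return next((role for net, role in VLAN_ROLES.items() if addr in net), None)

def egress_verdict(src, dst):
    """Policy for a packet leaving the unit toward the satellite/Internet edge."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in UNIT:
        return "drop:spoofed-source"            # egress "sanity checking" filter
    if any(d in b for b in BOGONS):
        return "drop:bogon-destination"         # bogon filter
    if vlan_role(src) == "untrusted" and d in UNIT:
        return "drop:untrusted-to-internal"     # untrusted VLANs get Internet only
    return "permit"

def ingress_verdict(src, dst):
    """Policy for a packet arriving from the Internet side (stateful inspection
    of return traffic is left to the IOS firewall and not modelled here)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in UNIT or any(s in b for b in BOGONS):
        return "drop:bogon-or-spoofed-source"   # our own /16 never arrives from outside
    if d not in UNIT:
        return "drop:not-for-this-unit"
    return "permit"

def audit(flows):
    """Apply the policy to (direction, src, dst, bytes) records; return verdict
    counts and bytes per dropped source so that a flooding host stands out."""
    verdicts, dropped_bytes = Counter(), Counter()
    for direction, src, dst, nbytes in flows:
        v = egress_verdict(src, dst) if direction == "out" else ingress_verdict(src, dst)
        verdicts[v] += 1
        if v != "permit":
            dropped_bytes[src] += nbytes
    return verdicts, dropped_bytes

# Constructed flow records (public addresses are RFC 5737 documentation ranges). The
# 198.51.100.9 flow mimics a pre-infected laptop flooding the uplink with a spoofed source.
SAMPLE_FLOWS = [
    ("out", "10.50.10.5", "203.0.113.10", 4000),
    ("out", "10.50.30.7", "203.0.113.10", 1500),
    ("out", "10.50.30.7", "10.50.10.5", 200),
    ("out", "198.51.100.9", "203.0.113.10", 900000),
    ("out", "10.50.10.5", "192.0.2.1", 300),
    ("in", "10.50.10.5", "10.50.10.9", 300),
    ("in", "127.0.0.1", "10.50.10.5", 60),
    ("in", "203.0.113.10", "10.50.10.5", 5000),
]

if __name__ == "__main__":
    counts, dropped = audit(SAMPLE_FLOWS)
    print(dict(counts), dropped.most_common(3))
```

The bytes-per-dropped-source tally is the piece on-scene engineers would watch: one spoofed host dominating it is the satellite-DoS pattern from the incident slide.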


Dynamic Multipoint VPN Increases Resiliency

3DES / SHA1 IPSEC DMVPN protects all management plane, control plane, VoIP and TelePresence traffic.

IPSEC tunnels link both backend hubs in San Jose and RTP.

Each remote unit comes up and establishes two tunnels.

DMVPN is NAT friendly & increases resiliency.

Diagram: DMVPN Tunnels (IPSEC) across the Internet to the ASA Firewalls at San Jose, CA and Raleigh, NC.


Remote Access VPN Brings in Remote Users

Cisco ASAs configured to support both remote access IPSEC and AnyConnect SSL VPN.

Remote users are typically trying to join the TelePresence environment, or administer the infrastructure. Low volume.

Diagram: remote user (Jabber Video) and AnyConnect clients across the Internet to the ASA Firewalls at San Jose, CA and Raleigh, NC; CTS C40 on the TelePresence side.


Intrusion Monitoring for Malicious Traffic

Monitor network traffic using NM-IPS

Monitor the VLAN between core router and gateway router (e.g. to/from Internet or VPN)

Since our usage patterns change from deployment to deployment, we use them in IDS mode and rely upon on-scene engineers to investigate alarms.

Consider which network segments you “care the most about”


Security Features for 802.11 Mesh Networks

Mesh networks support 802.11i – WPA2

But do your clients? Old devices may not support it.

Cisco LWAPP considered insecure – avoid it (it’s old anyway!)

Since code 5.2 – CAPWAP [RFC 5415] interoperable … but don’t bet on it.

Encryption + authentication required between AP and controller (which means you’ll have to do some pre-config, not plug and play)

Segment traffic across multiple wireless VLANs


802.16e WiMax Security – Proceed with Caution

WiMax provides a wireless bridge technology (4G)

Range: dozens of kilometers

BUT …

Security features variable from each vendor, no standardization

Do your homework.

‒ Quality of security implementation is spotty.

‒ 3DES, AES 128, 192, 256 for encryption

‒ Don’t use MAC auth. Use X.509 certificates with EAP-TLS instead.


Host Security…When You Don’t Control the Host!

All TacOps server hosts are hardened. PCs have a/v, CSA, etc.

But what about “untrusted” hosts on scene?

American Red Cross

‒ maintains ghost master system images, keep them patched & up to date.

‒ When they’re deploying laptops, they will image the laptops immediately before shipping them out.


Network Monitoring – Know Your Network Health (Don’t Just Assume!)

You need to know what’s going on before your users do.

SNMP, Cisco NetFlow, ASDM
‒ Beware of “chatty” management plane protocols that might cause trouble over satellite.
‒ Consider what network elements really need to be monitored.


Q&A


Wrapping it all up

The need for technology in disasters is increasing.

Hastily Formed Networks provide IP in austere environments

SECURE Hastily Formed Networks can help save lives and speed recovery to affected communities.

You can have ease of deployment and security – it takes an architectural approach.


Connect with us Online: Web. Email. Social Media.

On Cisco.com: http://www.cisco.com/go/tacops/

Email: [email protected]

Facebook: http://www.facebook.com/cisco.tacops

Twitter: @SJ_NERV, @RTP_NERV


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.  


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media:

‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI
