Discusses an architectural approach towards security for Hastily Formed Networks (HFNs) and other crisis support technology for rescue teams, law enforcement, NGOs, etc in the immediate aftermath of a disaster.
© 2012 Cisco and/or its affiliates. All rights reserved.BRKSEC-1000 Cisco Public
Securing Hastily Formed Networks for Disaster Relief and Emergency Response (BRKSEC-1000)
VIDEO
“We don’t just get involved in something and then leave…we get involved in ways nobody else does.”
John Chambers, President & CEO, Cisco Systems
Agenda
A bit about Cisco Tactical Operations
The intersection of human needs and networks
Introducing the “Hastily Formed Network” (HFN)
Security considerations of HFNs
Q&A
Wrap-up
Securing Hastily Formed Networks
Cisco Tactical Operations: humanitarian networks
Cisco TacOps Provides Crisis Support
Cisco Tactical Operations (TacOps) is a dedicated crisis response team that establishes emergency networks after a disaster.
TacOps personnel bring technical, operational, first-responder, military and logistics skills.
Promotes innovative technology solutions for disaster response and other hardship situations.
Emergency response funded by Cisco Corporate Philanthropy.
Cisco Learned Lessons from Hurricane Katrina
Initially: TacOps supported “extreme risk” incidents.
Expanded mission (2005): a scalable, coordinated response to disasters … because:
Hurricane Katrina - what Cisco did:
‒ Cisco sent hundreds of volunteers and tons of equipment to the Gulf region.
‒ We were successful, but…
Hurricane Katrina - lessons learned:
‒ There were many willing engineers but few trained for the environment.
‒ Less effective due to the Cisco-wide uncoordinated response.
‒ No standardized Cisco mobile platform for disaster response.
Today: All-hazards Response, Anywhere
Famine, Horn of Africa
Tornadoes, AL, NC, MO
Earthquake/Tsunami, Japan
Earthquakes, Christchurch, New Zealand
Flooding, Brazil
Flooding, Queensland, Australia
Fourmile Canyon Fire, Boulder, CO
Gas Pipeline Explosion, San Bruno, CA
Plane Crash, Palo Alto, CA
Earthquake, Port-Au-Prince, Haiti
Fiber-Optic Cut, SF Bay Area, CA
Flooding, Cedar Rapids, IA
Evans Road Fire, NC
Harris Fire, San Diego, CA
Hurricanes Katrina, Gustav, Ike
US Relationships
Office of Emergency Services
International Relationships
The Intersection of Human Needs and Networks
All Crisis Responders Share the Same Problem
How to deliver the right information in the right format to the right person at the right time?
Public Safety
Defense
National, State & Local Government
Healthcare
Critical Infrastructure
Transportation
NGOs/VOADs/International Orgs
The Need for Technology in Disaster is Increasing
Evolution in People, Process and Technologies to support disaster and humanitarian relief:
Radio, phone → Radio + Integrated Data
Single device → Any Device (BYOD)
Voice only → Voice, Video, Data
Closed teams → Open collaboration
Command centric → In the field, social media, everyone
Fixed locations → Deployable anywhere
Goal: Mission workflow and productivity benefits to save lives and speed recovery.
Introducing Hastily Formed Networks
Typical ICT Challenges in Disaster
Lack of power
Degraded telephony infrastructure
Degraded Push-to-Talk Radio, Lack of interoperability
Oversubscribed services
Limited Internet access
Few IT resources
Lack of trained staff
Information and Computing Technologies (ICT) are Needed but Overwhelmed
Solution: Hastily Formed Networks (HFN)
HFNs are portable, IP-based networks that are deployed in emergencies when normal communications have been disabled or destroyed.
They enable on-scene and remote responders to share situational awareness, coordinate operations, and establish command and control.
They communicate within the affected area as well as to the outside world.
Instant Emergency Networks
NPS/Cisco HFN Layered Model
Context: Social/Cultural, Organizational, Political, Economic
HUMAN / COGNITIVE
APPLICATION
- SPECIALIZED: Collaboration, Sit Awareness, Cmd/Control, Fusion
- VIDEO/IMAGERY: VTC, GIS, Layered Maps
- VOICE: Push-to-talk, Cellular, VoIP, Sat Phone/PSTN
- TEXT: email, chat, SMS
NETWORK
- WIRED: DSL, Cable, Other ISP WAN
- WIRELESS LOCAL: WiFi, PAN, MAN
- WIRELESS LONG HAUL: WiMAX, Microwave, IP over HF
- SAT BROADBAND: VSAT, BGAN
PHYSICAL
- POWER: Fossil Fuel, Renewable
- HUMAN NEEDS: Shelter, Water, Fuel, Food
- PHYSICAL SECURITY: Force Protection, Access Authorization
- NET OP CENTER: Network Sec, Cmd/Control, Leadership
That Layer Model Assumes Something Important
Security underlies every element of an HFN.
HFNs: What They Are
Portable: mobile, rolling kit, easily moved with few personnel
Rapidly deployable: pre-configured, set up with minimal training
Interim: typically decommissioned once pre-event communications are restored
Based on: WiFi/VSAT/WiMAX/etc.
HFNs: What They Are Not
A replacement for pre-emergency infrastructure.
Designed for large numbers of users.
High bandwidth (if on VSAT); high latency, etc. needs to be considered.
[Photos: Typical NOC; HFN NOC (Haiti)]
The First Deployed HFN: Hurricane Katrina
More Recently: 2010 Haiti Quake
[Diagram: NPS HFN Team Haiti Network – USNS COMFORT and Airport sites linked by VSAT/BGAN Satellite, WiMAX Point-to-Point, WiFi Mesh and WiFi Access Points]
Mobile and Kit HFN Solutions
Network Emergency Response Vehicle (NERV)
‒ ISR G2 based platform/VSAT/Mesh
‒ Video surveillance, streaming, TelePresence
Mobile Communicator Vehicle (MC2)
‒ ISR based platform. VSAT, Mesh
Emergency Communications Kit (ECK)
‒ Rapidly deployable communications capability
‒ ISR 2811 / 3825 based
Example Units for Our Security Discussions
Securing Hastily Formed Networks
Security: What are We Really Trying to Do?
Keep bad things out.
Protect the mission
Keep critical services running
Know what’s happening on the network and devices
Balance security and access
Get it right every time.
Inside Outside
Myth Busting: Information Security in a Disaster
Assumption: “In a crisis network, I need to get deployed quickly. I don’t have time or the resources to secure the network!”
Reality: All HFN networks should be pre-planned – plan and build your security into your infrastructure!
HFN Security Starts With the Physical
You’re going into a disaster zone!
“Force Protection”
Physical security of equipment
Logistics
Intelligence
Health and Safety
Basic Information Security Concepts via HFN
Confidentiality: secure voice, video. Patient data. Security sensitive info.
Integrity: command and control channels
Availability: Denial of Service, appropriate use of the network, VSAT
Authenticity: User/admin verification, trusted endpoints.
IP Traffic Planes (a Reminder)
Data plane traffic: end-station, user generated traffic.
Control plane traffic: traffic generated or received by network devices to operate or create the network itself (ARP, EIGRP, OSPF, etc.).
Management plane traffic: traffic designed to manage the network or devices on the network. (SSH, FTP, SNMP, NTP, etc.)
Addressing can help keep things organized: every kit/vehicle has a /16, and each VLAN is a /24 with a specified role, so traffic flows are easy to identify.
HFNs Use the Same Basic Infosec Assumptions
Least-privilege access: users, devices and systems are given minimal access given the crisis environment (advanced AAA solutions, etc. may not be available!)
Threats may come from anywhere in the network.
Simplicity: Once initially configured, the security architecture should establish itself without requiring any additional work from personnel who already have too much to do.
Defense-in-Depth: No single security feature or technology can mitigate the range of possible threats.
Cisco NERV Architecture (diagram components):
DMVPN/FW Router 3925
Core Router 3945
Wireless Controller
IPICS (HF, UHF, VHF radio)
IP Phone 7970/9971
Video Conferencing (C40)
Wireless Mesh AP 1524-PS/1522
Inside Wireless AP 1242
Wireless IP Phone
Video Surveillance Cameras
VSAT Satellite Modem
Access Switch
Internet
Cisco Systems, San Jose, CA and Raleigh, NC
Use Strong Passwords, Restricted Privileges
For system/network devices, strong passwords are enforced.
- No dictionary words, mix of special chars, letters, numbers
- Based on a mnemonic/phrase that is easily remembered (no guesswork in a disaster)
- No “cisco/cisco” or similar. Duh!
Computers and other devices: “user” (non admin accounts), and administrative accounts. Use the least-access user needed for a task.
DoS is the Primary Security Concern with Satellite
Satellite is often the only way to get broadband data in a disaster.
The “thin sippy straw” – b/w from 128 kbps to 5 Mbps (typical Ku VSAT system)
Protect your satellite bandwidth at all costs!
Malicious traffic
‒ Zombie, flooding traffic.
Inappropriate use …?
‒ YouTube
‒ BitTorrent
‒ FarmVille
A Real World Security Incident…
Once upon a time… the NERV had a flat, open network.
Evans Road Fire in North Carolina.
Firefighter’s laptop came onto the NERV pre-infected – DDoS zombie w/spoofed SRC IP.
Created DoS condition on the satellite uplink.
…Had Us Reevaluate Access.
Designed for differentiated access in an easy-to-deploy fashion.
“Untrusted” VLANs: open WiFi, certain networks such as those external to the NERV or kits (patch panel) – access to the Internet only.
“Trusted” VLANs have open access to servers, vehicle-based resources, etc. Requires you to have physical access to the vehicle/kit.
Optical & Copper patch panel allow only limited access
Our HFN Firewall Strategy – One Policy, Everywhere
Each “unit” is responsible for its own firewall
Each policy is the same
Inbound IOS firewall, BOGON filters
Egress Internet-only from “untrusted” networks
Egress “sanity checking” filters for spoofed outbound traffic
[Diagram: Field Units ↔ Internet ↔ ASA Firewalls at San Jose, CA and Raleigh, NC]
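As an added example (not code from the deck or from TacOps), the per-unit policy above expressed as a small checker in Python: an inbound bogon filter, Internet-only egress from “untrusted” VLANs, and an egress sanity check that drops spoofed sources. The 10.42.0.0/16 unit prefix, the VLAN roles and the test addresses are constructed, following the deck's /16-per-unit, /24-per-VLAN scheme.

```python
"""Per-unit HFN firewall policy check (added example, not TacOps code)."""
import ipaddress

# Constructed addressing: the unit owns one /16, each /24 VLAN has one role.
UNIT_PREFIX = ipaddress.ip_network("10.42.0.0/16")
VLAN_ROLES = {
    ipaddress.ip_network("10.42.10.0/24"): "untrusted",  # open WiFi
    ipaddress.ip_network("10.42.11.0/24"): "untrusted",  # patch panel
    ipaddress.ip_network("10.42.20.0/24"): "trusted",    # vehicle LAN
    ipaddress.ip_network("10.42.30.0/24"): "servers",
}
# Ranges that must never appear as a source arriving from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def role_of(ip):
    """Map a host to its VLAN role, or None if it is not one of ours."""
    addr = ipaddress.ip_address(ip)
    for net, role in VLAN_ROLES.items():
        if addr in net:
            return role
    return None


def check_inbound(src):
    """Internet -> unit: bogon filter, plus 'our own prefix from outside'
    (redundant with 10/8 here, but explicit so it survives a public /16)."""
    addr = ipaddress.ip_address(src)
    if addr in UNIT_PREFIX or any(addr in b for b in BOGONS):
        return ("drop", "bogon or spoofed internal source")
    return ("permit", "inbound source plausible")


def check_egress(src, dst):
    """Unit -> Internet: anti-spoof first, then Internet-only for untrusted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in UNIT_PREFIX:
        return ("drop", "spoofed source, not in unit /16")
    if role_of(src) == "untrusted":
        if d in UNIT_PREFIX or any(d in p for p in PRIVATE):
            return ("drop", "untrusted VLAN may only reach the Internet")
    return ("permit", "policy ok")
```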
Dynamic Multipoint VPN Increases Resiliency
3DES / SHA1 IPSEC DMVPN protects all management plane, control plane, VoIP and TelePresence traffic.
IPSEC tunnels link both backend hubs in San Jose and RTP
Each remote unit comes up and establishes two tunnels
DMVPN is NAT friendly & increases resiliency.
[Diagram: each field unit builds an IPSEC DMVPN tunnel across the Internet to the ASA firewalls at San Jose, CA and Raleigh, NC]
Remote Access VPN Brings in Remote Users
Cisco ASAs configured to support both remote access IPSEC and AnyConnect SSL VPN
Remote users are typically trying to join the TelePresence environment, or administer the infrastructure. Low volume.
[Diagram: remote user (Jabber Video, AnyConnect) connects across the Internet through an ASA firewall at San Jose, CA or Raleigh, NC to the CTS C40]
Intrusion Monitoring for Malicious Traffic
Monitor network traffic using NM-IPS
Monitor the VLAN between core router and gateway router (e.g. to/from Internet or VPN)
Since our usage patterns change from deployment to deployment, we use them in IDS mode and rely upon on-scene engineers to investigate alarms.
Consider which network segments you “care the most about”
Security Features for 802.11 Mesh Networks
Mesh networks support 802.11i – WPA2
But do your clients? Old devices may not support it.
Cisco LWAPP considered insecure – avoid it (it’s old anyway!)
Since code 5.2 – CAPWAP [RFC 5415] interoperable … but don’t bet on it.
Encryption + authentication required between AP and controller (which means you’ll have to do some pre-config, not plug and play)
Segment traffic across multiple wireless VLANs
802.16e WiMax Security – Proceed with Caution
WiMax provides a wireless bridge technology (4G)
Range: dozens of kilometers
BUT …
Security features vary from vendor to vendor; no standardization
Do your homework.
‒ Quality of security implementation is spotty.
‒ 3DES, AES 128, 192, 256 for encryption
‒ Don’t use MAC auth. Use X.509 certificates with EAP-TLS instead.
Host Security…When You Don’t Control the Host!
All TacOps server hosts are hardened. PCs have a/v, CSA, etc.
But what about “untrusted” hosts on scene?
American Red Cross
‒ maintains ghost master system images and keeps them patched & up to date.
‒ When they’re deploying laptops, they will image the laptops immediately before shipping them out.
Network Monitoring – Know Your Network Health (Don’t Just Assume!)
You need to know what’s going on before your users do.
SNMP, Cisco NetFlow, ASDM
‒ Beware of “chatty” management plane protocols that might cause trouble over satellite.
‒ Consider what network elements really need to be monitored.
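As an added example (not from the deck or from TacOps), a flow-accounting check of the kind the monitoring slide calls for, aimed at the satellite DoS concern and the Evans Road incident described earlier: it reports each inside host's share of the uplink and flags a spoofed source and a bandwidth hog. The unit prefix, the 50 % alarm threshold and the flow records are constructed; the 5 Mbps uplink figure is the deck's typical Ku VSAT maximum.

```python
"""Satellite-uplink flow accounting (added example, not TacOps code).

Assumes NetFlow-style records (src, dst, bytes, window seconds) already
exported from the gateway router for the satellite-facing interface.
"""
import ipaddress
from collections import defaultdict

UNIT_PREFIX = ipaddress.ip_network("10.42.0.0/16")  # constructed
UPLINK_BPS = 5_000_000                               # 5 Mbps, per deck
HOG_SHARE = 0.5                                      # alarm above 50 %

# Constructed records for one 60 s export window.  The third host shows
# the pre-infected-laptop pattern; the fourth is a source that is not ours.
FLOWS = [
    ("10.42.20.9",   "203.0.113.10",  1_200_000, 60),  # video to HQ
    ("10.42.10.77",  "198.51.100.5",    300_000, 60),  # web browsing
    ("10.42.10.131", "198.51.100.9", 30_000_000, 60),  # flood
    ("192.0.2.44",   "198.51.100.9",  2_000_000, 60),  # spoofed src
]


def uplink_report(flows, unit_prefix=UNIT_PREFIX, uplink_bps=UPLINK_BPS,
                  hog_share=HOG_SHARE):
    """Return ({src: share_of_uplink}, [alarm strings]).

    A source outside the unit /16 should have been dropped by the egress
    sanity filter; seeing it on the uplink is itself an alarm, and it is
    not accounted to any real host.
    """
    bits_per_sec = defaultdict(float)
    alarms = []
    for src, dst, nbytes, secs in flows:
        if ipaddress.ip_address(src) not in unit_prefix:
            alarms.append(f"spoofed source {src} seen on uplink")
            continue
        bits_per_sec[src] += nbytes * 8 / secs
    shares = {src: bps / uplink_bps for src, bps in bits_per_sec.items()}
    for src, share in shares.items():
        if share > hog_share:
            alarms.append(f"{src} using {share:.0%} of satellite uplink")
    return shares, alarms


if __name__ == "__main__":
    for line in uplink_report(FLOWS)[1]:
        print("ALARM:", line)
```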
Q&A
Wrapping it all up
The need for technology in disasters is increasing.
Hastily Formed Networks provide IP in austere environments
SECURE Hastily Formed Networks can help save lives and speed recovery to affected communities.
You can have ease of deployment and security – it takes an architectural approach.
Connect with us Online: Web. Email. Social Media.
On Cisco.com: http://www.cisco.com/go/tacops/
Email: [email protected]
Facebook: http://www.facebook.com/cisco.tacops
Twitter: @SJ_NERV, @RTP_NERV
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI