Managing and Securing Wireless Networks with Cisco Clean Access
Steve Coppel, SE, Maryland Enterprise
© 2004 Cisco Systems, Inc. All rights reserved.

Presentation transcript:

Slide 1: Managing and Securing Wireless Networks with Cisco Clean Access
Steve Coppel, SE, Maryland Enterprise, CISSP, CCSP

Slide 2: Agenda
▪ WLAN Security Issues
▪ WLAN Enterprise Issues
▪ Requirements for WLAN Management & Security Solution
▪ Cisco Clean Access Solution
▪ Case Study: Stanford University

Slide 3: WLAN Security Issues - A Different IT Beast
Non-existent or Porous Boundaries
▪ More vulnerable to a variety of malicious attacks
▪ WEP security inadequate
▪ Many common areas where anyone can access a wireless signal
Security Challenge Shifted from Ports to Users
▪ Authentication more important but also more difficult
▪ Increased susceptibility to attacks originating from employees’ home networks
Wireless and Wireline Management Integration Unresolved
▪ Management is an enormous challenge
▪ Impacts usability and productivity

Slide 4: WLAN Security Issues
MAC and IP Spoofing Too Easy
▪ A multitude of free tools on the Internet allow machines to spoof other MAC and IP addresses
Denial of Service (DoS) Attacks Too Easy
▪ Several DoS attacks possible, including consuming all IP addresses and DoS attacks on web servers, file servers, mail servers, etc.
“Man in the middle” Attack
▪ Malicious users find it easy to insert themselves into the communication path in order to steal user credentials, sessions, etc.

Slide 5: WLAN Enterprise Issues
Issue | Tools | If Left Unresolved
Multi-vendor Access Point Management | Management software provided by each access point vendor, but not interoperable with others | Heterogeneous environments are impossible to manage centrally
Integrated Management between Wired and Wireless Networks | None | Management and user interface complexity increases
Viruses Imported from External Networks | Point products | Viruses may frequently and severely impact enterprise productivity
Management Difficulties Associated with VPNs-over-WLANs | Vendor-specific solutions; most VPNs built for dial-up use | Security gaps may remain; client maintenance complexity increases

Slide 6: Requirements for WLAN Management & Security Solution
Authentication-based Access to WLAN
▪ Users must be authenticated before being provided network access
▪ Authentication must be performed using existing authentication systems
▪ Unauthenticated users (rogue users) must not be allowed to launch DoS attacks (e.g. ping attacks, etc.)
Client-less Deployment Mandatory
▪ The security solution should not mandate the deployment of any client software
▪ Optional client software for ease of use, additional security, network sniffing, rogue access point reporting, war driving, etc. is preferred

Slide 7: Requirements for WLAN Management & Security Solution
Strong Data Protection
▪ Standards-based, strong encryption is needed rather than WEP or any proprietary mechanism
Non-Proprietary Hardware Preferred
▪ Preferred that the security solution not require proprietary hardware
▪ Easily scalable hardware

Slide 8: Requirements for WLAN Management & Security Solution
Centralized Deployment
▪ Security and management solution must both be deployable centrally in the network centers
▪ Edge deployments are too expensive to deploy/manage
Centralized Configuration & Management
▪ Ability to configure and manage the entire deployment from a central location
▪ Secure remote management

Slide 9: Cisco Clean Access Solution

Slide 10: What Does Clean Access Do?
Before allowing users onto the network, whether it is a wired or wireless network, Clean Access recognizes, evaluates and enforces:
▪ Recognizes: users, device, and role (guest, employee, contractor)
▪ Evaluates: identifies vulnerabilities on devices
▪ Enforces: eliminates vulnerabilities before network access

Slide 11: Key Cisco Clean Access Features
Role-based access control
▪ Cisco Clean Access Server enforces authorization policies and privileges
▪ Supports multiple user roles (e.g. guests, employees, and contractors)
Scans for security requirements
▪ Agent scan for required versions of hotfixes, AV, and other software
▪ Network scan for virus and worm infections
▪ Network scan for port vulnerabilities
Network quarantine
▪ Isolates non-compliant machines from the rest of the network
▪ MAC- and IP-based quarantine effective at a per-user level
Repair and update
▪ Network-based tools for vulnerability and threat remediation
▪ Help-desk integration
All-in-One Policy Compliance and Remediation Solution

Slide 12: Cisco Clean Access Components
Cisco Clean Access Server (formerly CleanMachines SmartServer)
▪ Serves as an inline or out-of-band device for network access control
Cisco Clean Access Manager (formerly CleanMachines SmartManager)
▪ Centralizes management for administrators, support personnel, and operators
Cisco Clean Access Agent (formerly CleanMachines SmartEnforcer)
▪ Optional client for device-based registry scans in unmanaged environments

Slide 13: Pre-Configured Clean Access Checks
Critical Windows Update
▪ Windows XP, Windows 2000, Windows 98, Windows ME
Symantec
▪ Norton AntiVirus 2005 v x
▪ Norton AntiVirus 2004 v. 10.x
▪ Norton AntiVirus 2004 Professional v. 10.x
▪ Norton Internet Security 2004
▪ Norton AntiVirus 2003 v. 9.x
▪ Norton AntiVirus 2003 Professional v. 9.x
▪ Norton AntiVirus 2002 Professional v. 8.x
▪ Norton AntiVirus Corporate Edition v. 7.x
▪ Symantec Internet Security 2005 Edition 8.0.x
▪ Symantec AntiVirus Scan Engine Edition 8.0.x
▪ Symantec AntiVirus Corporate Edition v. 9.x
▪ Symantec AntiVirus Corporate Edition v. 8.x
Sophos
▪ Sophos Anti-Virus Enterprise v. 3.x
McAfee
▪ McAfee VirusScan Enterprise v. 8.0i beta
▪ McAfee VirusScan Enterprise Edition v. 7.5
▪ McAfee VirusScan Enterprise Edition v. 7.1
▪ McAfee VirusScan Enterprise Edition v. 7.0
▪ McAfee VirusScan Enterprise Edition v. 4.5.x
▪ McAfee VirusScan Professional Edition v. 8.0.x
▪ McAfee VirusScan Professional Edition v. 7.x
▪ McAfee VirusScan ASaP
Trend Micro
▪ Trend Micro Internet Security v. 12.x
▪ Trend Micro Internet Security v
▪ Trend Micro Internet Security v
▪ Trend Micro OfficeScan Corporate Edition v. 6.x
▪ Trend Micro OfficeScan Corporate Edition v. 5.x
▪ Trend Micro PC-Cillin 2004
▪ Trend Micro PC-Cillin 2003
Cisco Systems
▪ Cisco Security Agent v. 4.x
Customers can easily add custom checks

Slide 14: Pre-Configured Checks (cont’d)
Computer Associates (eTrust)
▪ Computer Associates eTrust Antivirus v. 7.x
▪ Computer Associates eTrust EZ Antivirus v. 6.2.x
▪ Computer Associates eTrust EZ Antivirus v. 6.1.x
F-Secure
▪ F-Secure Anti-Virus for Workstations TBYB 5.x
▪ F-Secure Anti-Virus Client Security 5.x
▪ F-Secure Anti-Virus x
Panda
▪ Panda Titanium Anti-Virus 2004 v. 3.x
▪ Panda Anti-Virus Platinum v. 7.x
▪ Panda Anti-Virus Platinum v. 6.x
▪ Panda Internet Security Platinum v. 8.x
▪ Panda Anti-Virus Light v. 1.9x
Kaspersky
▪ Kaspersky Anti-Virus Personal v. 5.x
▪ Kaspersky Anti-Virus Personal v. 4.x
▪ Kaspersky Anti-Virus Personal Pro v. 4.x
Authentium
▪ Authentium Command Anti-Virus Enterprise 4.x
SOFTWIN (BitDefender)
▪ BitDefender Free Edition v. 7.x
▪ BitDefender Standard/Professional Edition 7.x
▪ BitDefender Standard v. 8.0.x
▪ BitDefender Professional Plus v. 8.0.x
Grisoft (AVG)
▪ AVG Antivirus v. 7.0
▪ AVG Antivirus v. 6.0
▪ AVG Antivirus v. 6.0 Free Edition
Frisk Software International
▪ F-Prot Antivirus v. 3.x
SalD
▪ DrWeb Antivirus v. 4.31b
Eset
▪ NOD32 Antivirus system NT/2000/2003/XP 2.0
Zone Labs
▪ ZoneAlarm with Antivirus v. 5.x

Slide 15: Cisco Clean Access System Operation
Diagram components: Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server; the goal is the Intranet/Network.
1. End user attempts to access a web page or uses an optional client. Network access is blocked until the end user provides login information.
2. User is redirected to a login page. Clean Access validates the username and password and also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine role: the device is non-compliant or the login is incorrect. The user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”: the machine gets on the “clean list” and is granted access to the network.

Slide 16: Sample Reporting
Screenshot: Login Screen

Slide 17: Multiple Deployment Options
Out-of-band: for high-throughput environments, for deployment in
▪ Campus environments
▪ Branch offices
▪ Extranet environments
▪ Highly routed environments
Inline: supports environments including
▪ Wireless
▪ Hubs
▪ Shared media

Slide 18: CCA Inline Deployment
Features:
▪ VLAN trunking support
▪ ~1 GB/sec throughput support
▪ Failover support
Diagram elements: Intranet, Border Router, Firewall, Switch, Core Switch, Authentication Server, Clean Access Manager; the Clean Access Server is shown in three placements: routed central deployment, bridged central deployment, and edge deployment.

Slide 19: Secure Remote Access Deployment
▪ Secure remote: supports environments with remote users coming through VPN concentrators

Slide 20: CCA Out-of-Band Deployment
Diagram elements: Router, Firewall, Internet, Clean Access Server, Clean Access Manager, End User.
▪ Integrates with Cisco switches to provide an out-of-band solution
▪ Provides network access control for LAN users
▪ Deployed in highly routed networks and environments where an in-line appliance is not appropriate

Slide 21: CCA: User Access, Non-certified Machine (host with CCA Agent)
1. End user attaches the host to the network.
2. Switch sends the MAC address via an SNMP-based alert to the CCA Manager.
3. CCA Manager decides whether the host has been previously certified. If NO, the CCA Manager instructs the switch to put the device on the quarantine VLAN.
4. CCA Server acts as a gateway or bridge for the quarantine VLAN, intercepts the device request, and performs posture assessment and remediation.
5. CCA Server certifies the MAC address and forwards it to the CCA Manager.
6. CCA Manager instructs the switch to change to the appropriate VLAN.
7. Host is granted access to the network.

Slide 22: End User Experience: with Agent
Screenshots: Login Screen; User Authentication; User Machine Quarantined; Remediation Steps

Slide 23: End User Experience: with Agent
Screenshots: Login Screen; scan is performed (types of checks depend on user role); scan fails; remediate

Slide 24: End User Experience: Web-based
Screenshots: Login Screen; scan is performed (types of checks depend on user role/OS); click-through remediation
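The admission flow of slides 15 and 21, with the role-dependent posture checks of slides 11 and 23, as an added Python simulation; this is not Cisco's code and not part of the original presentation. The VLAN numbers, minimum AV versions, hotfix id and MAC addresses are constructed assumptions; the product names follow the pre-configured checks on slides 13 and 14.

```python
from dataclasses import dataclass, field

QUARANTINE_VLAN = 99                                       # constructed VLAN numbers
ROLE_VLAN = {"employee": 10, "contractor": 20, "guest": 30}

# Role-dependent posture policy: required AV family with a minimum version,
# plus required hotfixes. Minimum versions and the hotfix id are constructed.
POLICY = {
    "employee":   {"av": {"Norton AntiVirus": (9, 0), "McAfee VirusScan Enterprise": (7, 0)},
                   "hotfixes": {"KB-EXAMPLE"}},
    "contractor": {"av": {"Norton AntiVirus": (9, 0), "McAfee VirusScan Enterprise": (7, 0)},
                   "hotfixes": set()},
    "guest":      {"av": {}, "hotfixes": set()},           # guests: login only, no agent checks
}

@dataclass
class Host:
    mac: str
    role: str
    av_product: str = ""
    av_version: str = ""
    hotfixes: set = field(default_factory=set)

def parse_version(text):
    """'10.1.3' -> (10, 1, 3); an unparsable or empty string compares as (0,)."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return (0,)

def posture_failures(host):
    """Agent-style scan (step 4): AV product/version and hotfixes required for the role."""
    policy = POLICY[host.role]
    failures = []
    if policy["av"]:
        minimum = policy["av"].get(host.av_product)
        if minimum is None:
            failures.append(f"AV product {host.av_product!r} not on the approved list")
        elif parse_version(host.av_version) < minimum:
            failures.append(f"{host.av_product} {host.av_version} is below the minimum version")
    for kb in sorted(policy["hotfixes"] - host.hotfixes):
        failures.append(f"missing hotfix {kb}")
    return failures

class CleanAccessManager:
    """Holds the certified-MAC list and tells the switch which VLAN to assign."""
    def __init__(self):
        self.certified = {}                                # mac -> role

    def on_snmp_mac_notification(self, host):
        """Steps 2-3: a known-certified MAC goes straight to its role VLAN."""
        if host.mac in self.certified:
            return ROLE_VLAN[self.certified[host.mac]]
        return QUARANTINE_VLAN

    def certify(self, host):
        """Steps 5-6: the server reports a clean host; the switch moves it to the role VLAN."""
        self.certified[host.mac] = host.role
        return ROLE_VLAN[host.role]

def admit(host, manager):
    """Steps 1-7 of slide 21; returns (final VLAN, list of posture failures)."""
    vlan = manager.on_snmp_mac_notification(host)
    if vlan != QUARANTINE_VLAN:
        return vlan, []
    failures = posture_failures(host)                      # assessed on the quarantine VLAN
    if failures:
        return QUARANTINE_VLAN, failures                   # stays quarantined for remediation
    return manager.certify(host), []
```

A host that fails stays on the quarantine VLAN with its failure list, which is the data a remediation page or help-desk ticket would show; a host that passes is certified by MAC and skips the scan on its next link-up.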

Slide 25: Cisco Clean Access: The Holistic Solution
Columns: Products | WLAN Security | WLAN Management | Clean Access
Authentication √√
Encryption √√
User/Group Policy Management √√
Firewall √√
Roaming Support √√
AP Configuration & Management √√
Remote Client Updates √√
Centralized WLAN Management √√
WLAN Monitoring & Reporting √√√

Slide 26: Case Study: Stanford University

Slide 27: Stanford University – Authentication & Ease of Use
Challenge
▪ Improve authentication
▪ Keep it simple
▪ Interoperate with the existing system
Solution
▪ Clean Access protects each subnet
▪ Authentication through Kerberos
▪ Centralized deployment (edge-based optional)
Benefits
▪ Short implementation
▪ Rapid ROI
▪ Wireless expanding into the business school & medical center

Slide 28: Stanford University WLAN Deployment
Huge Campus
▪ Large student, faculty, and staff community
▪ More than 8200 acres
▪ More than 675 large buildings
Wireless Computing Growing in Popularity
▪ Wireless laptops mandatory in certain schools
▪ Lower cost of wireless access cards
Deployment
▪ More than 250 access points throughout common areas and many buildings
▪ Divided into 4 major network segments

Slide 29: Stanford University WLAN Deployment - Security
Security for Initial Deployment
▪ Minimal
▪ Based on the MAC address of the access card – SU maintains a database of registered MAC addresses (NetDB) and only registered network cards are provided IP addresses
▪ No WEP – preferable to providing users with a false sense of security
▪ Susceptible to several different types of attacks

Slide 30: Q&A
