Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cisco Wireless A to B (ACCESS to BYOD) Part 2 of 3 Mobility Services Engine (wIPS, Context) Peter Avino Instructor/Engineer Ingram Micro Solution Center/Experience.

Similar presentations


Presentation on theme: "Cisco Wireless A to B (ACCESS to BYOD) Part 2 of 3 Mobility Services Engine (wIPS, Context) Peter Avino Instructor/Engineer Ingram Micro Solution Center/Experience."— Presentation transcript:

1 Cisco Wireless A to B (ACCESS to BYOD) Part 2 of 3 Mobility Services Engine (wIPS, Context)
Peter Avino Instructor/Engineer Ingram Micro Solution Center/Experience Center Video –

2 AGENDA: Wireless Intrusion Prevention Context Aware Mobility Mobility Service Engine Live Demo Prosperity and Joy

3 Wireless Intrusion Prevention
Open Air No physical barriers to intrusion Open Protocols Well-documented and understood The most common attacks against WLAN networks are targeted at management frames Open Spectrum Easy access to inexpensive technology More Devices Regulatory and Business Requirements Sarbanes-Oxley HIPAA PCI

4 Using wIPS to Enhance Security Monitoring the Airwaves to Find Threats
Find Rogue Access Points Rogue access points can be used to hijack information from your corporate network from outside your physical building Detect Wireless Attackers Wireless attacks take many forms that are not detected by traditional network security These attacks can be both detected and mitigated using wireless IPS Stay on Top of New Threats Leverage both signature-based network analysis, and anomaly-based methods for detection Maintain protection with on-going threat detection updates

5 Using wIPS to Improve Compliance Integrated Into System-Level Security View
Efficiently Audit Your Security Gather the information you need about your environment from a single source to demonstrate compliance to auditors Use Integrated Compliance Tools Let your infrastructure and wIPS solution help to guide you with ways to better secure your network and maintain security compliance, even when configurations change Know the Extent of Attacks Use full event forensics to determine the exact flow of information across your network when an attack occurs in order to determine that no other systems have been breached

6 Using wIPS to Streamline Threat Management Simple and Secure
Configure and Monitor from a Single Source Leverage an integrated management system to unify WLAN and wIPS policy and event monitoring workflows Utilize Embedded wIPS Policy Profiles Use configuration profiles to establish a baseline wIPS configuration in order to effectively tune your monitoring system Know Who Did What (History/Forensics) Use a flexible notification system to easily notify staff when security events have occurred Leverage consolidated event records with complete audit trail

7 wIPS Services CleanAir Without MSE CleanAir With MSE (Adaptive wIPS)
Rogue Mitigation Yes Track and Trace Rogues No Security Penetration and Denial of Service Attack Mitigation Detect Interferers Classify Interferers Mitigate Interferers Maintain Air Quality Detect Layer 1 Exploits System wide Interferer Details and Event Correlation Zone of Impact and Interferer Notification Track and Trace Interferers and Layer 1 Exploits

8 What is so special about the CleanAir AP?
Detect and Classify 100 97 Uniquely identify and track multiple interferers Assess unique impact to Wi- Fi performance Monitor AirQuality 63 90 20 35 Show an AP with a magnifying glass that shows the chip inside, and then blow out to a us/them thing – custom vs standard Wi-Fi chipset. What you get and what don’t. So, standard chips don’t even receive non-Wi-Fi signals; our chips can see both Wi-Fi and non-Wi-Fi interference. This cannot be compensated for in software, it’s a hardware design limitation. See more things, and see them more clearly – have much finer resolution to recognize what something is, accurately, and the impact of that interference. Zone of impact is understood by AP/Controller; we can aggregate interference data from multiple Aps, and then locate that. Chipset + Cognia technology enables us to see and classify more non-Wi-Fi sources of interference that are not received by standard chipsets Then, standard wi-fi chipsets do not have enough information to show intensity/impact or duration of interference, and we offer high-resolution visualization of this interference, to clearly show impact of the interference Further, we can aggregate across Aps to show impact on the system rather than individual devices only – so that one source of interference produces one alarm, rather than several (one for each AP) High-resolution interference detection and classification logic built-in to Cisco’s n Wi-Fi chip design. Inline operation with no CPU or performance impact. Cisco CleanAir

9 Clean Air Overview Matrix
Spectrum Intelligence CleanAir Express* CleanAir CleanAir with WSSI Access Point  1600* 2600 or 3600 3600 with WSSI Module Detection Classification Mitigation Location  Performance Optimized Top Impacts and Severity List Alert Correlation Air Quality Index Zone of Impact Off Channel Scanning Proactive Intelligent Channel Switching * Future support * Future support

10 AP Mode Monitor vs. Local
Monitor-mode access point for wIPS spends all of its cycles scanning channels looking for rogues and over-the-air attacks. A monitor-mode access point can simultaneously be used for location (context-aware) services and other monitor-mode services A local-mode access point splits its cycles between serving WLAN clients and scanning channels for threats. As a result, detection times are longer (3 to 60 minutes) and a smaller range of over-the-air attacks can be detected

11 DEMO!!!

12 ??? QUESTIONS ???

13 Context Aware Mobility
Contextual Information of Mobile Assets End User Experience Identity Humidity Availability Time Location Temperature Right Device Right Team Right Business Application Right Network Right Place Right Time Context Aware Mobility Ability to Dynamically Capture and Use Contextual Information of Mobile Assets to Optimize, Change or Create Communications Flow and Business Processes

14 Challenges of Today’s Solutions
In close proximity Passive RFID Campus Wi-Fi (TDoA, Chokepoint) Nationwide Cellular, GPS Building Wi-Fi (RSSI, Chokepoint) Different Devices, Networks and Applications to Manage for Each Workspace Involved in the Business Process

15 Keeping Track of Your Assets in MOTION
What Is His/Her Status? Where in My Network Is It? What Is Its Condition? Is It Here? Where Is It? Condition Tracking Asset Tracking Presence Network Location Services Zone/Inventory Management Answer Questions Critical to Your Business in Real Time

16 Zone/Inventory Management Applications
What Is His/Her Status? Where in My Network Is It? What Is Its Condition? Is It Here? Where Is It? Defining Zones and Tracking Mobile Assets Entering and Exiting Nurses and Physician schedule Emergency Room minimum attendance Inventory management of medical equipment Alerts when equipment leaving building Healthcare Final goods inventory Emergency evacuation Manufacturing Classroom attendance Emergency evacuation Education Location aware promotions Retail

17 Asset Tracking Applications
What Is His/Her Status? Where in My Network Is It? What Is Its Condition? Is It Here? Where Is It? Locating a Mobile Asset Anywhere in the Campus Locating medical equipment such as infusion pump, wheelchairs… Automated update of location information into bed management or medication administration Healthcare Tracking pallets on the factory floor Locating working in process (WIP) parts for assembly Manufacturing Locating students when walking on campus Education Tracking pallets in the warehouse Locate sales associate Information on demand Retail

18 Condition Tracking Applications
What Is His/Her Status? Where in My Network Is It? What Is Its Condition? Is It Here? Where Is It? Measuring Temperature, Pressure, Humidity, Motion… Initiate a request to sterilize medical equipment Monitor storage conditions for equipment or medication Provide patient comfort in a responsive manner Healthcare Monitor environmental conditions for chemical processes Employees’ safety Detect asset in motion Manufacturing Ensure that perishable goods are kept in the right condition or alert Retail

19 Presence Applications
What Is His/Her Status? Where in My Network Is It? What Is Its Condition? Is It Here? Where Is It? Using Location Information to Automate Presence Status in Unified Communications Applications Automatically update status of medical staff to know if (ER, surgery, off time…) and how to reach them (call, IM, …) Healthcare Most efficient way to collaborate (e.g. in a meeting, at his/her desk…) Office Social networking (at the gym, in the library…) Consumer

20 Network Location Services Applications
What Is His/Her Status? Where in My Network Is It? What Is Its Condition? Is It Here? Where Is It? Automatically Optimizing Your Wireless Resources Where It Is the Most Needed Immediately locate rogue wireless devices Accurately identify interference zones and dead spots Associate network access with physical location Track location history

21 How TDoA works Time Difference of Arrival
Derived D1 Received at T1 Time Difference of Arrival Used with any CCX tags (not client) Wi-Fi TDoA receivers are synchronized Distances between the tag and APs is calculated based on the time difference of arrival Requires Line of Sight Recommended for high ceilings, outdoors and outdoor like environments (e.g. warehouses, parking lots) Wi-Fi TDoA Receiver #1 Derived D2 TDoA Received at T2 D1 Wi-Fi TDoA Receiver #2 D2 TDoA Sent at T0 D3 Derived D3 TDoA Wi-Fi TDoA Receiver #3 Received at T3

22 How RSSI works Received Signal Strength Indicated
Derived D1 Measured Strength S1 Received Signal Strength Indicated Used with Tags and Clients Receivers are the access points Distances between the tag and APs is calculated based on the received signal strength Requires medium to short read range for better accuracy Recommended for indoors Wi-Fi Access Point #1 Derived D2 Measured Strength S2 D1 Wi-Fi Access Point #2 D2 D3 Derived D3 Wi-Fi Access Point #3 Measured Strength S3

23 How Chokepoint works Hybrid tags with 125 kHz passive and Wi-Fi active sides Tags and chokepoints have to be from the same vendor (Aeroscout or WhereNet) When the tag is in close proximity of the chokepoint, its passive side gets excited and captures the information (location and sensoring) then the active side sends the information over Wi-Fi The tag beaconing frequency can be reconfigured by the chokepoint Indoor or Outdoor Wi-Fi Access Point Chokepoint 125 kHz Wi-Fi Passive Active

24 DEMO!!!

25 ??? QUESTIONS ???

26 Mobility Services Engine An open platform that gets data real time from the wireless LAN to track and act upon mobile resources

27 Mobility Services Engine An open platform that gets data real time from the wireless LAN to track and act upon mobile resources Two Flavors: Hardware Apliance vs. Virtual Machine (3355)

28 Mobility Services Engine Context Aware Mobility wIPS Context Aware Mobility + wIPS Capacity

29 Cisco 3355 Mobility Services Engine
Cisco Context-Aware Software to track up to devices Cisco Adaptive Wireless Intrusion Prevention System software to support up to 3000 monitor mode or enhanced local mode (ELM) access points (2) Quad-Core Intel Nehalem Processor 2.0 GHz, 4-MB cache, 16-GB DDR3 (2 x 8 GB), Four hot-swappable 146-GB SAS drives with up to 6-Gbps transfer rate

30 High-End Virtual Appliance
50,000 Context-Aware License 10,000 aWIPS License Minimum RAM: 20GB Minimum Hard disk space allocation: 500GB Disk System Throughput: Minimum of 1600 IOPS with a bandwidth of 6000 Kbytes/sec Physical cores: 16 at 2.13GHz or better (2x Intel Xeon E7-L8867)

31 Standard Virtual Appliance
18,000 Context-Aware License 5,000 aWIPS License Minimum RAM: 11GB Minimum Hard disk space allocation: 500GB Disk System Throughput: Minimum of 1000 IOPS with a bandwidth of 3500 Kbytes/sec Physical cores: 8 at 2.93GHz or better (2x Intel Xeon X5570)

32 Low End Virtual Appliance
2,000 Context-Aware License 2,000 aWIPS License Minimum RAM: 6GB Minimum Hard disk space allocation: 500GB Disk System Throughput: Minimum of 900 IOPS with a bandwidth of 3000 Kbytes/sec Physical cores: 2 at 2.93GHz or better (2x Intel Xeon X5570)

33 ??? QUESTIONS ???


Download ppt "Cisco Wireless A to B (ACCESS to BYOD) Part 2 of 3 Mobility Services Engine (wIPS, Context) Peter Avino Instructor/Engineer Ingram Micro Solution Center/Experience."

Similar presentations


Ads by Google