
Slide 1: Managing and Securing Wireless Networks with Cisco Clean Access
Steve Coppel, SE, Maryland Enterprise, CISSP, CCSP
© 2004 Cisco Systems, Inc. All rights reserved.

Slide 2: Agenda
▪ WLAN Security Issues
▪ WLAN Enterprise Issues
▪ Requirements for WLAN Management & Security Solution
▪ Cisco Clean Access Solution
▪ Case Study: Stanford University

Slide 3: WLAN Security Issues - A Different IT Beast
Non-existent or Porous Boundaries
▪ More vulnerable to a variety of malicious attacks
▪ WEP security inadequate
▪ Many common areas where anyone can access a wireless signal
Security Challenge Shifted from Ports to Users
▪ Authentication more important but also more difficult
▪ Increased susceptibility to attacks originating from employees' home networks
Wireless and Wireline Management Integration Unresolved
▪ Management is an enormous challenge
▪ Impacts usability and productivity

Slide 4: WLAN Security Issues
MAC and IP Spoofing Too Easy
▪ A multitude of free tools on the Internet allow machines to spoof other MAC and IP addresses
Denial of Service (DoS) Attacks Too Easy
▪ Several DoS attacks possible, including consuming all IP addresses and DoS attacks on web servers, file servers, mail servers, etc.
"Man in the Middle" Attack
▪ Malicious users find it easy to insert themselves in the communication path in order to steal user credentials, sessions, etc.

Slide 5: WLAN Enterprise Issues

| Issue | Tools | If Left Unresolved |
| --- | --- | --- |
| Multi-vendor Access Point Management | Management software provided by each access point vendor, but not interoperable with others | Heterogeneous environments are impossible to manage centrally |
| Integrated Management between Wired and Wireless Networks | None | Management and user interface complexity increases |
| Viruses Imported from External Networks | Point products | Viruses may frequently and severely impact enterprise productivity |
| Management Difficulties Associated with VPNs over WLANs | Vendor-specific solutions; most VPNs built for dial-up use | Security gaps may remain; client maintenance complexity increases |

Slide 6: Requirements for WLAN Management & Security Solution
Authentication-based Access to WLAN
▪ Users must be authenticated before being provided network access
▪ Authentication must be performed using existing authentication systems
▪ Unauthenticated users (rogue users) must not be allowed to launch DoS attacks (e.g. ping attacks, etc.)
Client-less Deployment Mandatory
▪ Security solution should not mandate the deployment of any client software
▪ Optional client software for ease of use, additional security, network sniffing, rogue access point reporting, war driving, etc. preferred

Slide 7: Requirements for WLAN Management & Security Solution
Strong Data Protection
▪ Standards-based, strong over-the-air encryption is needed in place of WEP or any proprietary mechanism
Non-Proprietary Hardware Preferred
▪ Preferred that the security solution not require proprietary hardware
▪ Easily scalable hardware

Slide 8: Requirements for WLAN Management & Security Solution
Centralized Deployment
▪ Security and management solution must both be deployable centrally in the network centers
▪ Edge deployments are too expensive to deploy/manage
Centralized Configuration & Management
▪ Ability to configure and manage the entire deployment from a central location
▪ Secure remote management

Slide 9: Cisco Clean Access Solution

Slide 10: What Does Clean Access Do?
Before allowing users onto the network, whether it's a wired or wireless network, Clean Access recognizes, evaluates and enforces:
▪ Recognizes: users, device, and role (guest, employee, contractor)
▪ Evaluates: identifies vulnerabilities on devices
▪ Enforces: eliminates vulnerabilities before network access

Slide 11: Key Cisco Clean Access Features
Role-based access control
▪ Cisco Clean Access Server enforces authorization policies and privileges
▪ Supports multiple user roles (e.g. guests, employees, and contractors)
Scans for security requirements
▪ Agent scan for required versions of hotfixes, AV, and other software
▪ Network scan for virus and worm infections
▪ Network scan for port vulnerabilities
Network quarantine
▪ Isolates non-compliant machines from the rest of the network
▪ MAC- and IP-based quarantine, effective at a per-user level
Repair and update
▪ Network-based tools for vulnerability and threat remediation
▪ Help-desk integration
All-in-One Policy Compliance and Remediation Solution

Slide 12: Cisco Clean Access Components
Cisco Clean Access Server (formerly CleanMachines SmartServer)
▪ Serves as an inline or out-of-band device for network access control
Cisco Clean Access Manager (formerly CleanMachines SmartManager)
▪ Centralizes management for administrators, support personnel, and operators
Cisco Clean Access Agent (formerly CleanMachines SmartEnforcer)
▪ Optional client for device-based registry scans in unmanaged environments

Slide 13: Pre-Configured Clean Access Checks
Critical Windows Update: Windows XP, Windows 2000, Windows 98, Windows ME
Symantec: Norton AntiVirus 2005 v. 11.0.x; Norton AntiVirus 2004 v. 10.x; Norton AntiVirus 2004 Professional v. 10.x; Norton Internet Security 2004; Norton AntiVirus 2003 v. 9.x; Norton AntiVirus 2003 Professional v. 9.x; Norton AntiVirus 2002 Professional v. 8.x; Norton AntiVirus Corporate Edition v. 7.x; Symantec Internet Security 2005 Edition 8.0.x; Symantec AntiVirus Scan Engine Edition 8.0.x; Symantec AntiVirus Corporate Edition v. 9.x; Symantec AntiVirus Corporate Edition v. 8.x
Sophos: Sophos Anti-Virus Enterprise v. 3.x
McAfee: McAfee VirusScan Enterprise v. 8.0i beta; McAfee VirusScan Enterprise Edition v. 7.5; McAfee VirusScan Enterprise Edition v. 7.1; McAfee VirusScan Enterprise Edition v. 7.0; McAfee VirusScan Enterprise Edition v. 4.5.x; McAfee VirusScan Professional Edition v. 8.0.x; McAfee VirusScan Professional Edition v. 7.x; McAfee VirusScan ASaP
Trend Micro: Trend Micro Internet Security v. 12.x; Trend Micro Internet Security v. 11.2; Trend Micro Internet Security v. 11.0; Trend Micro OfficeScan Corporate Edition v. 6.x; Trend Micro OfficeScan Corporate Edition v. 5.x; Trend Micro PC-Cillin 2004; Trend Micro PC-Cillin 2003
Cisco Systems: Cisco Security Agent v. 4.x
Customers can easily add custom checks.

Slide 14: Pre-Configured Checks (cont'd)
Computer Associates (eTrust): Computer Associates eTrust Antivirus v. 7.x; Computer Associates eTrust EZ Antivirus v. 6.2.x; Computer Associates eTrust EZ Antivirus v. 6.1.x
F-Secure: F-Secure Anti-Virus for Workstations TBYB 5.x; F-Secure Anti-Virus Client Security 5.x; F-Secure Anti-Virus 2004 5.x
Panda: Panda Titanium Anti-Virus 2004 v. 3.x; Panda Anti-Virus Platinum v. 7.x; Panda Anti-Virus Platinum v. 6.x; Panda Internet Security Platinum v. 8.x; Panda Anti-Virus Light v. 1.9x
Kaspersky: Kaspersky Anti-Virus Personal v. 5.x; Kaspersky Anti-Virus Personal v. 4.x; Kaspersky Anti-Virus Personal Pro v. 4.x
Authentium: Authentium Command Anti-Virus Enterprise 4.x
SOFTWIN (BitDefender): BitDefender Free Edition v. 7.x; BitDefender Standard/Professional Edition 7.x; BitDefender Standard v. 8.0.x; BitDefender Professional Plus v. 8.0.x
Grisoft (AVG): AVG Antivirus v. 7.0; AVG Antivirus v. 6.0; AVG Antivirus v. 6.0 Free Edition
Frisk Software International: F-Prot Antivirus v. 3.x
SalD: DrWeb Antivirus v. 4.31b
Eset: NOD32 Antivirus system NT/2000/2003/XP 2.0
Zone Labs: ZoneAlarm with Antivirus v. 5.x

Slide 15: Cisco Clean Access System Operation
Diagram components: Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server, Intranet/Network (labelled "THE GOAL").
1. End user attempts to access a web page or uses the optional client. Network access is blocked until the end user provides login information.
2. User is redirected to a login page. Clean Access validates the username and password against the authentication server; it also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine role: device is non-compliant or login is incorrect. User is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": machine gets on the "clean list" and is granted access to the network.

Slide 16: Sample Reporting (screenshot)

Slide 17: Multiple Deployment Options
Out-of-band: for high-throughput environments; for deployment in
▪ Campus environments
▪ Branch offices
▪ Extranet environments
▪ Highly routed environments
Inline: supports environments including
▪ Wireless
▪ Hubs
▪ Shared media

Slide 18: CCA Inline Deployment
Features:
▪ VLAN trunking support
▪ ~1 GB/sec throughput support
▪ Failover support
Diagram: Intranet, Border Router, Firewall, Switch, Core Switch, Authentication Server, Clean Access Manager. Clean Access Server placement options shown: Routed Central Deployment, Bridged Central Deployment, Edge Deployment.

Slide 19: Secure Remote Access Deployment
Secure Remote: supports environments with remote users coming through VPN concentrators.

Slide 20: CCA Out-of-Band Deployment
Diagram: Router, Firewall, Internet, Clean Access Server, Clean Access Manager, End User.
▪ Integrates with Cisco switches to provide an out-of-band solution.
▪ Provides network access control for LAN users.
▪ Deployed in highly routed networks and environments where an in-line appliance is not appropriate.

Slide 21: CCA: User Access, Non-certified Machine
Diagram components: Host with CCA Agent, Switch, CCA Manager, CCA Server, Network.
1. End user attaches host to the network.
2. Switch sends the MAC address via an SNMP-based alert to the CCA Manager.
3. CCA Manager decides whether the host has been previously certified. If NO, CCA Manager instructs the switch to put the device on the quarantine VLAN.
4. CCA Server acts as a gateway or bridge for the quarantine VLAN; it intercepts the device's request and performs posture assessment and remediation.
5. CCA Server certifies the MAC address and forwards it to the CCA Manager.
6. CCA Manager instructs the switch to change the port to the appropriate VLAN.
7. Host is granted access to the network.
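The admission sequence of slides 15 and 21 as a runnable model, added to this transcript as an illustration; it is not Cisco code. A switch reports a newly seen MAC to the manager (the SNMP-based alert), the manager checks its certified list, an uncertified host is parked on the quarantine VLAN where the server checks hotfixes and AV version against the role's policy (the slide 11 agent checks), and a passing host is certified and moved to the access VLAN. VLAN ids, port names, role policies, hotfix names and AV thresholds are assumptions. The third host shows why slide 4's point about easy MAC spoofing matters for a MAC-keyed clean list: a host presenting an already-certified MAC is moved straight to the access VLAN without being assessed, and the deck does not describe a control against that.

```python
"""Toy model of the Clean Access out-of-band admission flow (slides 15 and 21).
Written for this transcript as an illustration; it is not Cisco code. VLAN ids,
port names, role policies, hotfix names and AV thresholds are assumptions."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

QUARANTINE_VLAN = 999  # assumed id of the quarantine VLAN
ACCESS_VLAN = 10       # assumed id of the production VLAN

# Per-role posture policy (slide 11: required hotfixes, AV version). Constructed.
POLICY = {
    "employee": {"hotfixes": {"hotfix-1", "hotfix-2"}, "min_av": (9, 0)},
    "guest": {"hotfixes": set(), "min_av": (7, 0)},
}


@dataclass
class Host:
    mac: str
    role: str
    hotfixes: Set[str]
    av_version: Optional[Tuple[int, int]]  # None: no supported AV product found


class Switch:
    """Edge switch: raises the SNMP-based alert (step 2) and moves ports."""
    def __init__(self, manager):
        self.manager, self.port_vlan, self.port_host = manager, {}, {}

    def attach(self, port, host):               # step 1: host attaches
        self.port_host[port] = host
        self.manager.mac_seen(self, port, host.mac)

    def set_vlan(self, port, vlan):
        self.port_vlan[port] = vlan


class Server:
    """Clean Access Server: quarantine-VLAN gateway doing posture assessment."""
    def __init__(self, manager):
        self.manager = manager

    def assess(self, switch, port):             # step 4
        host = switch.port_host[port]
        rules = POLICY[host.role]
        failures = []
        missing = rules["hotfixes"] - host.hotfixes
        if missing:
            failures.append("missing hotfixes: " + ", ".join(sorted(missing)))
        if host.av_version is None or host.av_version < rules["min_av"]:
            failures.append("AV below %s: %s" % (rules["min_av"], host.av_version))
        if failures:                            # stays quarantined for remediation
            return failures
        self.manager.certify(switch, port, host.mac)   # step 5
        return []


class Manager:
    """Clean Access Manager: owns the certified (clean) list, drives the switch."""
    def __init__(self):
        self.certified, self.log = set(), []
        self.server = Server(self)

    def mac_seen(self, switch, port, mac):
        if mac in self.certified:               # step 3: previously certified?
            switch.set_vlan(port, ACCESS_VLAN)  # yes: straight to access VLAN
            self.log.append((mac, "certified-list hit"))
            return
        switch.set_vlan(port, QUARANTINE_VLAN)  # no: quarantine VLAN
        failures = self.server.assess(switch, port)
        self.log.append((mac, failures or "certified"))

    def certify(self, switch, port, mac):       # steps 6-7
        self.certified.add(mac)
        switch.set_vlan(port, ACCESS_VLAN)


def admission_demo():
    """Three constructed hosts; returns the final VLAN per port and the manager log."""
    mgr = Manager()
    sw = Switch(mgr)
    clean = Host("00:11:22:33:44:55", "employee", {"hotfix-1", "hotfix-2"}, (9, 0))
    stale = Host("00:11:22:33:44:66", "employee", {"hotfix-1"}, (8, 2))
    # Same MAC as `clean` but a bare posture: the slide-4 spoofing caveat.
    spoof = Host("00:11:22:33:44:55", "employee", set(), None)
    for port, host in (("Gi1/1", clean), ("Gi1/2", stale), ("Gi1/3", spoof)):
        sw.attach(port, host)
    return dict(sw.port_vlan), mgr.log


if __name__ == "__main__":
    for entry in admission_demo()[1]:
        print(entry)
```

Running `admission_demo()` leaves the compliant host on the access VLAN, the host with a missing hotfix and old AV on the quarantine VLAN with both failures recorded for remediation, and the host reusing the certified MAC on the access VLAN with a "certified-list hit" and no assessment.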

Slide 22: End User Experience: with Agent (screenshots)
▪ User authentication
▪ User machine quarantined
▪ Remediation steps

Slide 23: End User Experience: with Agent (screenshots)
▪ Scan is performed (types of checks depend on user role)
▪ Scan fails
▪ Remediate

Slide 24: End User Experience: Web-based (screenshots)
▪ Login screen
▪ Scan is performed (types of checks depend on user role/OS)
▪ Click-through remediation

Slide 25: Cisco Clean Access: The Holistic Solution
Comparison columns on the slide: WLAN Security products, WLAN Management products, Clean Access. Check marks are reproduced as they appear per feature row:

| Feature | Checks |
| --- | --- |
| Authentication | √√ |
| Encryption | √√ |
| User/Group Policy Management | √√ |
| Firewall | √√ |
| Roaming Support | √√ |
| AP Configuration & Management | √√ |
| Remote Client Updates | √√ |
| Centralized WLAN Management | √√ |
| WLAN Monitoring & Reporting | √√√ |

Slide 26: Case Study: Stanford University

Slide 27: Stanford University - Authentication & Ease of Use
Challenge
▪ Improve authentication
▪ Keep it simple
▪ Interoperate with the existing system
Solution
▪ Clean Access protects each subnet
▪ Authentication through Kerberos
▪ Centralized deployment (edge-based optional)
Benefits
▪ Short implementation
▪ Rapid ROI
▪ Wireless expanding into the business school and medical center

Slide 28: Stanford University WLAN Deployment
Huge Campus
▪ Large student, faculty, and staff community
▪ More than 8200 acres
▪ More than 675 large buildings
Wireless Computing Growing in Popularity
▪ Wireless laptops mandatory in certain schools
▪ Lower cost of wireless access cards
Deployment
▪ More than 250 access points throughout common areas and many buildings
▪ Divided into 4 major network segments

Slide 29: Stanford University WLAN Deployment - Security
Security for Initial Deployment
▪ Minimal
▪ Based on the MAC address of the access card: SU maintains a database of registered MAC addresses (NetDB), and only registered network cards are provided IP addresses
▪ No WEP: preferable to providing users with a false sense of security
▪ Susceptible to several different types of attacks

Slide 30: Q&A


