Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD


2 Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD
Kanu Gupta, Technical Marketing Engineer, CCIE (Wireless)
BRKEWN-2005

3 Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#brkewn
Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Session Objectives
Harden Infrastructure
- Inbuilt: Securing AP-WLC communication, 802.1x AP port security, Default Best Practices
- Advanced: APIC Plug n Play
Protect the Air
- Inbuilt: Base WIPS, Rogue Detection, Clean Air, 802.11w
- Advanced: aWIPS
Secure Client Access
- Inbuilt: Client Access Methods (802.1x, iPSK, WebAuth)
- Advanced: ISE Guest & BYOD Management
Solution Level Protection
- Inbuilt: Native Policy Management, Application Visibility & Control, URL Filtering
- Advanced: TrustSec, NetFlow/StealthWatch, Cisco Umbrella
We won't talk about: ISE in detail, Configuration details, Version discrepancies, IPv6, Fabric, Roadmap

5 For your reference
There are slides in your PDF that will not be presented, or quickly presented. They are valuable, but included only For your reference.

6 Agenda
- Infrastructure Hardening
- Over the Air Security
- Secure Access
- Solution Level Security
- Enterprise Use Case

7 Cisco Digital Network Architecture for mobility
Principles
- Open APIs: Modular APs with Restful APIs
- Cloud Service Management: CMX 10.x with Context and Guest
- Automation: Plug n Play, EasyQOS, ISE: .1x, BYOD and Guest
- Assurance: Restful APIs on WLC, Netflow Export, Apple Network Optimization & FastLane
- Platforms & Virtualization: Modular APs with Restful APIs; DNA Optimized Controllers: 3504, 5520, 8540; Various VM Models: ESXi, KVM, HyperV, AWS
Outcomes: Insights and Experiences, Automation and Assurance, Security and Compliance

8 Trustworthy Systems: Protect the Device
Embedded Security Built for Today's Threats
Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions
There has never been a greater need to improve network infrastructure security
Alert TA16-251A, September 2016
Evidence of Trust, Security Expertise and Innovation
Learn more: Visit trust.cisco.com
See: BRKARC-1010 Protecting the Device: Cisco Trustworthy Systems & Embedded Security
Meet the Engineer: Topic: Security and Trust Architecture

9 Cisco Trustworthy Systems Levels Enterprise Wireless Protects the Network Protections Against Attack Solution Level Attack Protection DHCP Snooping Secure Transport WIPS/Rogue w,r,i IP Source Guard ACLs TrustSec Umbrella ISE Stealthwatch Netflow Platform Integrity Secure Boot Image Signing Counterfeit Protections Hardware Trust Anchor Modern Crypto Secure Device Onboarding Security Culture Supply Chain Management Open Source Registration Security Training Threat Modeling Product Security Baseline PSIRT Advisories Learn more: BRKARC-1010 Protecting the Device: Cisco Trustworthy Systems & Embedded Security

10 Secure the Infrastructure

11 Infrastructure Hardening
- Encryption
- Plug n Play
- MFP, 802.11w
- Best Practices

12 AP control at the access layer
802.1X credentials for the AP
Diagram: Access Point (AP) as Supplicant, Layer 2 Point-to-(Multi)Point, EAP over LAN (EAPoL), Authenticator, Layer 3 Link, RADIUS, AuthC Server
AP# capwap ap dot1x username [USER] password [PWD]
* Not supported today on 1800/2800/3800 APs.

13 Securing the AP-WLC communication: CAPWAP tunnels
BRKEWN-2010
- CAPWAP Control encrypted by default
- CAPWAP Data encapsulated but not encrypted by default
- Support for DTLS Data encryption between AP and WLC
Diagram: CAPWAP Control (DTLS, UDP 5246); CAPWAP Data (DTLS), UDP 5247
(Cisco Controller) >config ap link-encryption enable all/[ap-name]

14 Securing the AP-WLC communication Local Significant Certificate (LSC) Your PKI CAPWAP Example:

15 APIC-EM Plug-n-Play (PnP)
For secure provisioning of Access Points
- AP SN #123 > Config. File (WLC IP, Vegas AP Group, etc.)
- AP SN #456 > Not in any Project list > Claim list
- APIC-EM IP in DHCP option 43 or DNS resolution for pnpserver.<dhcp-domain-option>
Diagram: WLC, APIC-EM, AP (SN #123) in Vegas AP Group, AP (SN #456)
AP PnP Deployment Guide:

16 Securing the AP-WLC communication
Out-of-Box AP Group and RF Profile (v7.3+)
- Out-of-Box AP Group > Radios Disabled
- Vegas AP Group > Radios Enabled
Example:

17 End to End Encryption of Mobility Tunnel 8.5 CAPWAP v4 with DTLS encryption between Wireless LAN Controllers

18 Over the Air Security and Threat Mitigation

19 Over the Air Security
- aWIPS, ELM
- Rogue Detection
- Cisco CleanAir
- EDRM
- FRA Radio
- Off-Channel Scanning

20 Wireless Intrusion Prevention System (wIPS)
Diagram labels: Ad-hoc Wireless Bridge, Evil Twin/Honeypot AP, HACKER'S AP, Reconnaissance, Client-to-client backdoor access, Rogue Access Points, Denial of Service, Seeking network vulnerabilities, Cracking Tools, Service disruption, Backdoor access, Sniffing and eavesdropping
Non-802.11 Attacks, detected by CleanAir and tracked by MSE: MICROWAVE, BLUETOOTH, RF-JAMMERS, RADAR

21 wIPS Process Flow and Component Interactions
Solution: Base IDS
- Components: WLC, AP and Prime Infrastructure (optional)
- Functions: Supports 17 native signatures. Supports rogue detection & containment
- Licensing: Does not require any licensing
Solution: Adaptive WIPS
- Components: WLC, AP, MSE and Prime Infrastructure
- Functions: Offers comprehensive over the air threat detection & mitigation
- Licensing: Licensed feature on MSE
Diagram labels: wIPS AP, Wireless Controller, wIPS MSE 8.x, Prime Infrastructure; CAPWAP, NMSP, SNMP trap

22 wIPS with Cisco Mobility Services Engine (MSE) 8.0 Prime SOAP/XML over HTTP/HTTPS WLC MSE WLC AP AP AP AP

23 AWIPS: Accurate Detection & Mitigation
Threats: Cracking, Recon, DoS, Rogue AP/Clients, Ad-Hoc Connections, Over-the-Air Attacks
Detection
- On/Off Channel Scanning
- Signature & Anomaly Detection
- Network Traffic Analysis
- Device Inventory Analysis
Classification
- Default tuning profiles
- Customizable event auto-classification
- Wired-side tracing
- Physical location
Notification
- Unified PI security dashboard
- Flexible staff notification
- Device location
Mitigation
- Wired port disable
- Over-the-air mitigation
- Auto or manual
- Uses all APs for superior scale
Management
- Role-based with audit trails
- Customizable event reporting
- PCI reporting
- Full event forensics

24 Supported AP modes for wIPS Data on 2.4 and 5 GHz Data on 2.4 and 5 GHz Data on 5GHz Data on 2.4 and 5 GHz wIPS on all channels wIPS on all channels wIPS on all channels wIPS on all channels best effort Cisco Adaptive wIPS Deployment Guide:

25 Cisco Wireless Security Deployment with AP3800/2800
Maintains Capacity and Avoids Interference
Features | Good: ELM | Better: Monitor Mode AP | Best: ELM with FRA Monitor Mode
Deployment Density | Per AP | 1 in 5 APs | 1 radio per 5 APs
Client Serving with Security Monitoring | Y | N | Y
wIPS Security Monitoring | 50 ms off-channel scan on selected channels on 2.4 and 5 GHz | 7 x 24 All Channels on 2.4GHz and 5GHz | 7 x 24 All Channels on 2.4GHz and 5GHz
CleanAir Spectrum Intelligence | 7 x 24 on client serving channel | 7 x 24 All Channels on 2.4GHz and 5GHz | 7 x 24 All Channels on 2.4GHz and 5GHz
[Figure: channel timelines on 2.4 GHz and 5 GHz for Enhanced Local Mode Access Point (GOOD), Monitor Mode Access Point (BETTER) and ELM with FRA Wireless Security Monitoring (BEST), showing serving-channel and off-channel intervals]

26 Rogue Access Points
What are they?
- A rogue AP is an AP that does not belong to our deployment. ("I don't know it." "Me neither.")
- We might need to care (malicious/on network) or not (friendly).
- Sometimes we can disable them, sometimes we can mitigate them.

27 Rogue Detection and Mitigation
- Rogue Classification and Containment: Rogue Rules, Manual Classification, Friendly/Malicious, Manual and Auto Containment
- CleanAir with Rogue AP Types: WiFi Invalid Channel, WiFi Inverted
- Rogue Location: Real-time with PI, MSE, CleanAir; Location of Rogue APs and Clients, Ad-hoc Rogue, Non-wifi interferers
Diagram labels (as transcribed): FRA with MM, Data Serving AP, Monitor Mode AP; Serve Client Scan 1.2s on dedicated 5 per channel GHz Scan 1.2s per channel Serve Client on 2.4 GHz 50 ms offchannel Serve Clients on 5 GHz 50 ms offchannel

28 Optimize Wi-Fi with CleanAir Quickly Identify and Mitigate Wi-Fi Impacting Interference RRM


31 CleanAir detectable Attacks
Some examples (BRKEWN-3010)
- IP and Application Attacks & Exploits: Traditional IDS/IPS, Layer 3-7
- WiFi Protocol Attacks & Exploits: wIPS, Layer 2
- RF Signaling Attacks & Exploits: CleanAir, Layer 1 (Dedicated to L1 Exploits)
Rogue Threats: undetectable rogues, Wi-Fi Jammers, 2.4 GHz classic interferers, 5 GHz

32 Secure Access to Corporate Network ISE Access methods Guest Management

33 Secure Access to Corporate Network
- 802.1x
- Webauth
- Guest Access
- MAC Auth
- Classification
- BYOD
- NAC
- RADIUS

34 Identity Services Engine

35 Cisco Identity Services Engine (ISE)
BRKSEC-3697, BRKSEC-3699
Diagram: ACS, NAC Profiler, Guest Server, NAC Manager, NAC Server; Identity Services Engine
- Centralized Policy
- RADIUS Server
- Posture Assessment
- Guest Access Services
- Device Profiling
- Client Provisioning
- MDM
- Monitoring & Troubleshooting
- Device Admin / TACACS+

36 Authentication and Authorization
What are they?
- Authentication: It tells who/what the endpoint is. 802.1X / iPSK / MAB / WebAuth
- Authorization: It tells what the endpoint has access to.
Policy Elements: VLAN, Access Control List, Quality of Service, Application Control, Bonjour Service Policy, URL Redirect

37 URL Redirect
Central Web Auth, Client Provisioning, Posture
- Url-Redirection: for CWA, Client Provisioning, Posture and MDM, the URL value is returned as a Cisco AV-pair RADIUS attribute.
  e.g. cisco:cisco-av-pair=url-redirect= action=cwa
- Url-Redirect-Acl: this ACL specifies traffic to be permitted (bypass redirection) or denied (trigger redirection). The ACL is returned as a named ACL on the WLC.
  e.g. cisco-av-pair=url-redirect-acl=acl-posture-redirect
- ACL entries define traffic subject to redirection (deny) and traffic to bypass redirection (permit).
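The permit/deny semantics of the redirect ACL described above, as an added example that is not part of the original slides. The ACL entries, the documentation-range addresses, port 8443 for the portal, the implicit trailing deny and the names `Ace`, `decide` and `audit` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" (bypass) or "deny" (redirect)
    proto: str                    # "tcp", "udp" or "ip" (any protocol)
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # None matches any port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def parse_redirect_acl_name(av_pair: str) -> Optional[str]:
    """Extract the ACL name from 'cisco-av-pair=url-redirect-acl=<name>'."""
    parts = av_pair.split("=", 2)
    if len(parts) == 3 and parts[1].strip() == "url-redirect-acl":
        return parts[2].strip()
    return None


def decide(acl: List[Ace], proto: str, dst_ip: str, dport: int) -> str:
    """First matching entry wins: permit bypasses, deny triggers redirection."""
    for ace in acl:
        if ace.matches(proto, dst_ip, dport):
            return "bypass" if ace.action == "permit" else "redirect"
    return "redirect"  # assumption: unmatched traffic hits an implicit deny


def audit(acl: List[Ace], dns_ip: str, portal_ip: str, portal_port: int) -> List[str]:
    """Flag the two usual mistakes: portal path blocked, or ACL too open."""
    findings = []
    if decide(acl, "udp", dns_ip, 53) != "bypass":
        findings.append("DNS is redirected: the portal hostname cannot resolve")
    if decide(acl, "tcp", portal_ip, portal_port) != "bypass":
        findings.append("portal is redirected: the login page cannot load")
    # Constructed probe: an unrelated web server must still be redirected.
    if decide(acl, "tcp", "203.0.113.80", 80) == "bypass":
        findings.append("ordinary web traffic bypasses redirection")
    return findings


# Constructed ACL contents (RFC 5737 documentation addresses).
ACL_POSTURE_REDIRECT = [
    Ace("permit", "udp", "198.51.100.53/32", 53),   # DNS resolver
    Ace("permit", "tcp", "192.0.2.10/32", 8443),    # policy server portal
    Ace("deny", "ip", "0.0.0.0/0"),                 # everything else: redirect
]

if __name__ == "__main__":
    name = parse_redirect_acl_name(
        "cisco-av-pair=url-redirect-acl=acl-posture-redirect")
    print(name, audit(ACL_POSTURE_REDIRECT, "198.51.100.53", "192.0.2.10", 8443))
```
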

38 Client attributes and traffic for Profiling
How RADIUS, HTTP, DNS, DHCP (and other traffic) are used to classify clients
1. The MAC address is checked against the known vendor OUI database.
2. DHCP/HTTP Sensor: the Client's DHCP/HTTP Attributes are captured by the AP and provided in RADIUS Accounting messages by the WLC.
3. HTTP UserAgent: mobile devices are quite chatty for web applications, or they can also be redirected to one of ISE's portals.
The ISE uses multiple attributes to build a complete picture of the end client's device profile. Information is collected from sensors which capture different attributes.

39 Profiling Example from ISE
- Is the MAC Address from Apple
- DHCP:host-name CONTAINS ipad
- IP:User-Agent CONTAINS ipad
I have some certainty that this device is an iPad

40 Local (WLC) Device Classification
Collection
1. MAC address checked against vendor OUI database
2. Client's DHCP attributes captured by AP
3. UserAgent payload on custom HTTP port inspected by HTTP Sensor
Analysis
- Pre-Defined Device Signatures and in-built MAC OUI Dictionary
- MAC OUI and device profiles can be dynamically updated on WLC independent of controller image

41 Profile based Policy Enforcement
Practical Examples of Policies
Diagram labels: Employee, Corporate laptop, Personal iPad, Product Bookings, Facebook.com
User Role | Device | Service | Action
Employee | Corporate Asset | Product Bookings / Facebook.com | Permit
Employee | iPad | Facebook.com | Permit
Employee | iPad | Product Bookings | Deny
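The profiling steps and the policy table on the preceding slides, combined into one added example that is not part of the original deck. The certainty weights, the threshold, the OUI prefix, the `managed` flag used to mark a corporate asset and the default-deny fallback are assumptions; only the three rule conditions and the three policy rows come from the slides.

```python
# Constructed OUI table: the prefix is a placeholder, not a real vendor assignment.
OUI_VENDORS = {"02:AA:BB": "Apple"}

# (attribute, predicate, certainty added when the predicate matches).
# The three conditions follow the slide; the weights are assumptions.
IPAD_RULES = [
    ("mac", lambda v: OUI_VENDORS.get(v.upper()[:8]) == "Apple", 10),
    ("dhcp_host_name", lambda v: "ipad" in v.lower(), 20),
    ("http_user_agent", lambda v: "ipad" in v.lower(), 20),
]
MIN_CERTAINTY = 30  # assumption: one matching attribute alone is not enough


def profile(endpoint):
    """Return (device_type, certainty, matched_attributes) for one endpoint."""
    score, matched = 0, []
    for attr, predicate, weight in IPAD_RULES:
        value = endpoint.get(attr)
        if value and predicate(value):
            score += weight
            matched.append(attr)
    device = "iPad" if score >= MIN_CERTAINTY else "Unknown"
    return device, score, matched


def device_type(endpoint):
    # Assumption: a corporate asset is flagged by the authentication step
    # (for example machine authentication), not by passive profiling.
    if endpoint.get("managed"):
        return "Corporate Asset"
    return profile(endpoint)[0]


# (user role, device, service) -> action, from the slide's policy table.
POLICY = {
    ("Employee", "Corporate Asset", "Product Bookings"): "Permit",
    ("Employee", "Corporate Asset", "Facebook.com"): "Permit",
    ("Employee", "iPad", "Facebook.com"): "Permit",
    ("Employee", "iPad", "Product Bookings"): "Deny",
}


def authorize(role, endpoint, service):
    # Assumption: anything the table does not list is denied.
    return POLICY.get((role, device_type(endpoint), service), "Deny")


# Constructed endpoints, as the attributes would arrive from the sensors.
PERSONAL_IPAD = {
    "mac": "02:aa:bb:11:22:33",
    "dhcp_host_name": "Kims-iPad",
    "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 10_3 like Mac OS X)",
}
OUI_ONLY = {"mac": "02:aa:bb:44:55:66"}            # vendor match, nothing else
CORP_LAPTOP = {"mac": "02:cc:dd:00:00:01", "managed": True}

if __name__ == "__main__":
    for name, ep in [("ipad", PERSONAL_IPAD), ("oui-only", OUI_ONLY),
                     ("laptop", CORP_LAPTOP)]:
        print(name, device_type(ep),
              authorize("Employee", ep, "Product Bookings"),
              authorize("Employee", ep, "Facebook.com"))
```

The OUI-only endpoint stays "Unknown" because the MAC vendor prefix by itself does not reach the threshold, which is why the slides combine several attributes before assigning a profile.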

42 Methods Client Access 802.1x Identity PSK MAB WebAuth

43 Device Awareness - Identity is the Base
Various Authentication Mechanisms
Security | Benefits | Drawback
802.1x | Robust; industry standard; strong encryption and authentication | Requires 802.1x supplicant; complex to configure, implement and manage
Identity PSK | Easy to configure; strong encryption; works with existing infrastructure | Manually key in the passphrase for client
Web authentication | Used with MAB and profiler to trigger guest process for secure onboarding and resources for guest access | Web auth by itself offers per client access rather than group level.
Diagram labels: IP network, ISE, 802.1x, Identity PSK, Web auth; Authorized Users, IP Phones, IoT Devices, Guests; Managed Devices/Users, Non Devices, Non Users

44 802.1X
Why 802.1X?
- Industry standard approach to identity
- Most secure user/device authentication
- Complements other switch security features
- Various deployment options
- Foundation for services like posture, policy implementation
How does it work?
Supplicant -- EAPoL -- Authenticator (AP, WLC) -- RADIUS -- Authentication Server (ISE)

45 EAP Authentication Types
Different Authentication Options Leveraging Different Credentials
- Tunnel-Based: EAP-PEAP, EAP-FAST; Inner Methods: EAP-GTC, EAP-TLS, EAP-MSCHAPv2
- Certificate-Based: EAP-TLS
Tunnel-based: Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner method, which may be vulnerable by itself.
Certificate-based: For more security, EAP-TLS provides mutual authentication of both the server and client.

46 RADIUS Change of Authorization (CoA)
- RADIUS protocol is initiated by the network devices (NAD)
- No way to change authorization from the ISE
(config)#aaa server radius dynamic-author
 client {PSN} server-key {RADIUS_KEY}
RADIUS CoA (UDP:1700/3799): Now the network device listens to CoA requests from ISE ("Now I can control ports when I want to!")
- Re-authenticate session
- Terminate session
- Terminate session with port bounce
- Disable host port
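Why the `client {PSN} server-key {RADIUS_KEY}` pair matters once the device listens for CoA, shown as an added example that is not part of the original slides: the receiver accepts a request only from a configured client and only if the Request Authenticator (RFC 5176, computed as in RFC 2866) verifies with the shared key. Addresses, the secret and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 5176 packet codes
CALLING_STATION_ID = 31                    # RADIUS attribute type


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """What the policy server sends: header, authenticator, attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


def validate(packet, source_ip, clients):
    """Receiver-side checks. `clients` maps allowed source IP -> shared key,
    mirroring the dynamic-author client/server-key configuration."""
    secret = clients.get(source_ip)
    if secret is None:
        return False, "source is not a configured dynamic-author client"
    if len(packet) < 20:
        return False, "packet shorter than a RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "unexpected packet code"
    if length < 20 or length > len(packet):
        return False, "length field does not fit the datagram"
    packet = packet[:length]               # octets past Length are padding
    expected = request_authenticator(code, ident, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator"
    return True, "ok"


# Constructed configuration and request (documentation address, sample key).
CLIENTS = {"192.0.2.10": b"constructed-radius-key"}
SAMPLE = build_request(
    COA_REQUEST, 7,
    encode_attr(CALLING_STATION_ID, b"02-AA-BB-11-22-33"),
    b"constructed-radius-key",
)

if __name__ == "__main__":
    print(validate(SAMPLE, "192.0.2.10", CLIENTS))
    print(validate(SAMPLE, "203.0.113.5", CLIENTS))
```
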

47 Identity PSK (8.5)
Multiple PSKs per SSID allows for advanced security encryption across all devices
- Increased demand for IoT devices
- Identity security without 802.1x
- Simple Operations, High Scale, Cost Effective
- Private PSK with RADIUS integration
- Per client AAA override (VLAN / ACL etc)

48 Identity PSK (8.5)
Diagram labels: IOT Devices (PSK aabbcc), Sensors (PSK xxyyzz), Employees (WLAN PSK); Access Point, Wireless LAN Controller, ISE; WLAN with PSK, MAC Filtering, AAA Override
RADIUS attributes returned by ISE:
  Cisco-AVPair += "psk-mode=ascii"
  Cisco-AVPair += "psk=aabbcc" / "psk=xxyyzz"
  No PSK attributes (Employees)
Device MAC Group | Private PSK
IOT Devices | aabbcc
Sensors | xxyyzz
Employees | ---
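The Identity PSK lookup on the two slides above, as an added example that is not part of the original deck: the AAA reply for a client MAC either carries `psk-mode`/`psk` AV pairs or none, in which case the WLAN PSK applies, and the resulting passphrase feeds the standard WPA2 passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits). MAC addresses, the SSID and the passphrases are constructed; passphrases of valid WPA2 length (8 to 63 characters) stand in for the slide's `aabbcc` and `xxyyzz` placeholders.

```python
import hashlib

# Constructed group table following the slide's "Device MAC Group | Private PSK".
GROUP_PSK = {
    "IOT Devices": "constructed-iot-passphrase",
    "Sensors": "constructed-sensor-passphrase",
    "Employees": None,              # "---" on the slide: no private PSK
}
MAC_TO_GROUP = {
    "02:00:00:00:10:01": "IOT Devices",
    "02:00:00:00:20:01": "Sensors",
    "02:00:00:00:30:01": "Employees",
}


def radius_reply(mac):
    """AV pairs returned for a MAC-filtering request, or None for a reject."""
    group = MAC_TO_GROUP.get(mac.lower().replace("-", ":"))
    if group is None:
        return None                 # unknown MAC: MAC filtering fails
    psk = GROUP_PSK[group]
    if psk is None:
        return []                   # accept without PSK attributes
    return ["psk-mode=ascii", "psk=" + psk]


def effective_passphrase(av_pairs, wlan_psk):
    """Pick the per-client PSK from the AV pairs, else fall back to the WLAN PSK."""
    attrs = dict(pair.split("=", 1) for pair in av_pairs)
    if "psk" not in attrs:
        return wlan_psk
    if attrs.get("psk-mode") != "ascii":
        raise ValueError("this example only handles psk-mode=ascii")
    if not 8 <= len(attrs["psk"]) <= 63:
        raise ValueError("WPA2 ASCII passphrase must be 8 to 63 characters")
    return attrs["psk"]


def pmk(passphrase, ssid):
    """WPA2 pairwise master key derived from a passphrase and the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_for_client(mac, ssid, wlan_psk):
    reply = radius_reply(mac)
    if reply is None:
        return None
    return pmk(effective_passphrase(reply, wlan_psk), ssid)


if __name__ == "__main__":
    ssid, wlan_psk = "constructed-ssid", "constructed-wlan-passphrase"
    for mac in MAC_TO_GROUP:
        print(mac, pmk_for_client(mac, ssid, wlan_psk).hex()[:16])
```

Clients in different groups end up with different PMKs on the same SSID, so a passphrase recovered from one group's device does not admit a device whose MAC maps to another group.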

49 Central Web Authentication (CWA)
Diagram participants: AP-WLC, DHCP/DNS, ISE Server
CWA is a URL-Redirect scenario. Redirection URL and the redirect ACL are centrally configured on ISE and communicated to WLC via RADIUS.
Flow (step numbers as transcribed):
- Open SSID with MAC Filtering enabled
- Host Acquires IP Address, Triggers Session State
- 5 First authentication session
- AuthC success; AuthZ for unknown MAC returned: Redirect/filter ACL, portal URL
- Host Opens Browser; WLC redirects browser to ISE web page
- Host Sends Username/Password
- 3 Login Page
- 6 Web Auth Success results in CoA
- 7 MAB re-auth
- MAB Success; Session lookup, policy matched; Authorization ACL/VLAN returned
- Server authorizes user

50 Other URL-Redirect scenarios (Posture, MDM)
Diagram participants: AP-WLC, DHCP/DNS, ISE Server
Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB.
Flow (step numbers as transcribed):
- 1 SSID configured for 802.1X / MAB
- 2 4 First authentication session
- Host Acquires IP Address, Triggers Session State
- 3 AuthC success; AuthZ returned: Redirect/filter ACL, URL for posture/mdm/etc.
- Host Opens Browser; WLC redirects browser to ISE for other services
- 5 Posture check, MDM check, client provisioning, etc.
- 6 RADIUS CoA
- X/MAB re-auth
- 802.1X/MAB Success; Session lookup, policy matched; Authorization ACL/VLAN returned
- Server authorizes user

51 MDM Integration ISE Registered MDM Registered Encryption PIN Locked Jail Broken Jail Broken PIN Locked

52 Guest Management

53 Managing Guest User Lifecycle with ISE
PROVISIONING: Create Guest Accounts
- Create Single Guest Account
- Import CSV file for multiple Guest Accounts
NOTIFICATION: Give Accounts to Guests
- Print Account Details
- Send Account Details via
- Send Account Details via Text
MANAGEMENT: Manage Guest Accounts
- View, edit, suspend Guest Accounts
- Manage batches of created accounts
REPORTING: Report on Guests
- View, audit reports on Individual Guest accounts
- Display Management reports on Guest Accounts

54 ISE Sponsor Portal
Customizable sponsor pages
Sponsor privileges tied to defined sponsor policy
o Roles sponsor can create
o Time profiles can be assigned
o Management of other guest accounts
o Single or bulk account creation

55 ISE Guest Self-Service

56 Network Based Security

57 Solution Level Attack Protection
- TrustSec: SXP, Inline Tagging
- AVC/Netflow
- Local Policy w/ AVC, Umbrella, URL Filtering
- AAA Override: VLAN, ACL, QoS

58 Integrating Security IN the Network
Network as a Security Sensor (NaaS)
- Detect Anomalous Traffic
- Detect User access violations
- Obtain broad Visibility of Network Traffic
Network as a Security Enforcer (NaaE)
- Software Defined Segmentation to contain attack
- Dynamic User Groups and consistent Policy Across the Network, Users and Devices
- Access Control to protect resources

59 Network as a Sensor Application Visibility & Control NetFlow

60 The Network Gives Deep and Broad Visibility
Network: key asset for threat detection and control
- Discover and Classify Assets
- Active Monitoring
- Network Segmentation
- Understand Behavior
- Enforce Policy
- Design and Model Policy

61 How AVC Works on Cisco Wireless Network
Visibility, Control, Context and Analytics (AireOS 8.1)
- NBAR on AP, Deep Packet Inspection: DPI engine (NBAR2) identifies applications using L7 signatures
- Perf. Collection & Exporting (Static Netflow): Collect application info and exports to controller every 90 seconds
- Reporting Tool: Cisco Prime Infrastructure, StealthWatch, Live Action and others
- Control: Use QoS Rate Limiting to control application bandwidth usage for performance
App Visibility & User Experience Report (priority labels: High, Med, Low)
App | BW | Transaction Time
WebEx | 3 Mb | 150 ms
Citrix | 10 Mb | 500 ms

62 AVC on FlexConnect Access Points (8.1)
- Real time information for last 90 seconds
- Stateful context transfer on roam
- AVC supported on Gen 2 FlexConnect Access Points (AireOS 8.1)
- Protocol Pack 14 with upgraded NBAR engine 23
- Stateful context transfers supported for Intra Flexconnect Group roams
Diagram: BRANCH Gen2 AP, WAN, WLC; NetFlow Export from AP to WLC

63 NetFlow - The heart to network as a sensor
NetFlow record fields (Who, Where, What, When): Client MAC, Client IP, SSID, Access Point MAC, Packet Count, Byte Count, ToS-DSCP Value, Application Tag
- Netflow statistics sent at an interval of 30 seconds
- Netflow record sent even for unclassified applications
- Username sent for dot1x authentication

64 Network as an Enforcer Wireless StealthWatch Integration TrustSec for Policy Enforcement Policy Management with ISE Native Policy Management on WLC

65 Wireless StealthWatch Integration
Network as a Sensor, Network as an Enforcer (BRKSEC-3014)
AireOS 8.2 on 5520/8510/8540 WLC
- Flow Telemetry from Network Devices (collect and analyze): Netflow v9 records from WLC to StealthWatch Flow Collectors
- Identity, MAC Address, Device Type
- StealthWatch Management Console (up to 25 Flow Collectors)
- pxGrid notifications to ISE; CoA; Quarantine

66 Cisco TrustSec Enabled Network Segmentation
Simplifying Enforcement (8.4)
Traditional Security Policy:
  access-list 102 permit tcp lt gt 1462
  access-list 102 permit tcp gt lt 4384
  access-list 102 permit icmp eq eq 878
  access-list 102 permit ip gt eq 467
TrustSec Security Policy: Dynamic Policy & Enforcement over an Identity-enabled Infrastructure
Diagram labels: Data Center, Internet, Intranet; Employee, Supplier, Non Compliant; App Server, Shared Server

67 Wireless TrustSec Support
Example tags: 5 Employee, 6 Voice, 7 Partner
- Classification (Assigning SGTs): Static & Dynamic Assignments
- Propagation: Inline SGT & SXP
- Enforcement: Security Group ACL
Topology, location independent. Policy (SGT) stays with endpoint. Simplifies ACL management traffic.
AP mode | SXPv4 on AP | Inline Tagging on AP | SGACL Enforcement
Local | NO | NO | YES
Flex | YES | YES | YES
Mesh | NO | NO | YES (Indoor only)

68 Egress Policy Matrix Default Rule, Can be Permit or Deny

69 Ingress classification, Egress Enforcement
- User authenticated, Classified as Marketing (5)
- Destination Classification: Web_Dir: SGT 20, CRM: SGT 30
- Lookup Destination SGT 20 at egress
Diagram labels: WLC5508, Cat3850, Cat6800, Cat6800, Nexus 7000, Nexus 5500, Nexus 2248, Enterprise Backbone; SRC SGT: 5; Web_Dir DST SGT: 20; CRM DST SGT: 30
SRC \ DST | Web_Dir (20) | CRM (30)
Marketing (5) | Permit | Deny
BYOD (7) | Deny | SGACL-A

70 TrustSec East-West Traffic Use Case Role Based Segmentation Data Center Access control based on the Role of the user Shared Services Remediation Application Servers DC Switch Enterprise Backbone ISE Wired/Wireless Wired/Wireless TrustSec enabled WLC & AP receives policy for only what is connected Employee Tag Supplier Tag Supplier Employee Employee Supplier VLAN: Data-2 VLAN: Data-1

71 TrustSec Demo

72 How about policies?
- Differentiating user groups
- Keeping untrusted devices out
- Basic access vs Full Access

73 ISE for Network-Wide Unified Policy Enforcement Profiling Posture Guest Access WHO WHAT WHERE WHEN HOW CONTEXT KG Employee 2 pm TonyS Consultant 6 pm Franklo Guest 9 am Personal iPad Employee Owned 802.1X iPSK MAB WebAuth IDENTITY WIRELESS LAN CONTROLLER, ACCESS POINTS, SWITCHES, ROUTERS

74 Client Context and Policies Control and Enforcement IDENTITY X EAP Machine/User Authentication ISE PROFILING HTTP NETFLOW SNMP HQ Company asset 2 Profiling to identify device Policy Decision 4 Corporate Resources DNS RADIUS DHCP 2:38pm Access Point Wireless LAN Controller Internet Only Personal asset 3 5 Posture of the device Unified Access Management Enforcement dACL, VLAN, SGT 6 Full or partial access granted

75 Local Profiling and Policy on WLC
Build BYOD: Native WLC Options
Inputs (Conditions): Access Method, User Role, Device Type, Time of Day, Authentication Type
Results (Enforcement Elements): VLAN, Access Control List, Quality of Service, AVC, Bonjour Service Policy
ISE and Wireless LAN Controller Profiling Support
ISE
- Profiling using RADIUS probes, DHCP probes, HTTP, SNMP, DNS, NETFLOW
- Multiple attributes for Policy action supported
- Profiling rules can be customized
WIRELESS LAN CONTROLLER
- Profiling based on MAC OUI, DHCP, HTTP based User-Agent
- Policy action attributes: VLAN, ACL, Session Timeout, QoS
- Default profiling rules

76 Policies for Applications and Services
1. Cisco Umbrella
2. URL Filtering
3. AVC
4. mDNS and Bonjour Services

77 WLC integration with Cisco Umbrella Policy tie-in to Cisco Umbrella

78 Cisco Umbrella for Content Filtering (8.4)
Why care about DNS?
- CLOUD BASED WEB FILTERING: Low cost architecture
- THREAT MANAGEMENT: Data analysis methods; Uses Recursive DNS
- INSIGHTFUL REPORTING: Powerful reporting and analytics
Coverage: Network, Mobile, Virtual, Endpoint, Cloud Apps

79 Cisco Umbrella with WLC
- WLC intercepts DNS packet, redirects query to Umbrella cloud server at
- Content filtering and whitelisting at DNS layer, at WLAN, AP Group, Policy level
Diagram labels: ACME, Internet, DNS Query, DNS Response, DNS Server (or external DNS proxy to); ACME Policies: block gaming sites

80 Role Based Policy with Cisco Umbrella OpenDNS Profile Mapping in Local Policy Contractor Policy Employee Policy AAA user role Contractor Employee

81 Role Based Policy with Cisco Umbrella Cisco Umbrella Cloud DNS query DNS response

82 Role Based Policy with Cisco Umbrella BRKSEC-2980 LABSEC-2006 DNS query DNS response

83 Location Based Policy with Cisco Umbrella OpenDNS Profile Mapping in AP Group Corporate Policy Branch Policy Corporate HQ Branch Office

84 Cisco Umbrella Demo

85 Application Visibility and Control Policy tie-in to AVC

86 Granular Filtering with Policy tie-in to AVC
ROLE BASED APPLICATION POLICY
- Alice (Sales) and Bob (IT Admin) are both employees
- Both Alice and Bob are connected to the same SSID
- Alice can access certain applications (YouTube), Bob cannot
ROLE BASED + DEVICE TYPE APPLICATION POLICY
- Alice can access inventory info on an IT provisioned Windows Laptop
- Alice cannot access inventory info on her personal iPad
ROLE BASED + DEVICE TYPE + APPLICATION SPECIFIC POLICY
- Alice has limited access (rate limit) to Jabber on her iPhone
Release history
- 7.4: AVC
- 7.5: Dynamic protocol pack update
- 7.6: Jabber, Lync 2013 support
- 8.0: User and device aware policies; Ability to classify Apple iOS, Windows, Android upgrades
- 8.1: User & device aware policies; Ability to classify Apple iOS, Windows, Android upgrades
- 8.2: Wi-Fi calling; Skype for business; UserId + IPFlow for Netflow export; Stealthwatch Collector

87 AVC (Application Visibility and Control)
Per-user profiles via AAA (WLC, RADIUS)
- Employee: cisco-av-pair = avc-profile-name = AVC-Employee
- Contractor: cisco-av-pair = avc-profile-name = AVC-Contract
Diagram labels: Employee, Contractor; YouTube, Facebook, Skype, BitTorrent; Facebook, Skype

88 mdns Bonjour Service Policy tie-in to mdns

89 mDNS and Bonjour Services
- mDNS Profiles: Filter by WLAN and VLAN; Select services
- mDNS Profile with Local Policy: Services per-user and per-device
- mDNS Policies: Services based on AP Location and user role
Diagram labels: Teacher Service Profile (AirPrint, AirPlay, File Share); Student Service Profile (AirPlay, File Share, AirPrint); Teacher Service Instance List (Apple TV1); Student Service Instance List (Apple TV1, iTunes Sharing); Teacher Network, Apple TV2, Student Network; mDNS Service Instances Groups

90 Consolidate, Secure and Segment Enterprise Use Case for Workforce, IoT and Guest Access

91 Consolidate, Secure, Segment
Wireless Security for Workforce
Consolidate SSIDs | Enterprise SSID | IOT SSID | Guest SSID
User Category | Employees, Contractors, BYOD Devices | IOT devices like Sensors, Robots etc. | Guest users
Security (as transcribed): L2/L x, BYOD CWA Identity PSK Web-authentication
Secure the Clients
- Policy based on User-role, Device, time of day, auth-type
- ACL, QoS, AVC Profile, mDNS Profile, OpenDNS Policy
Secure the Air
- Rogue detection, Basic wIPS, Advanced wIPS, CleanAir for interferers
- Management Frame protection using MFP and 802.11w
AAA Override
- VLAN based segmentation based on user-role, identity with a single SSID
- VLAN based segmentation based on IOT device groups with a single PSK SSID
- Specific users can be quarantined or rate-limited
Segment and Secure the Network
- SGT TrustSec: Segmentation by function, e.g. Marketing, Sales, HR; SGT override for IOT device groups
- Cisco Umbrella and OpenDNS Policy based on SSID, AP Group, Local Policy
- StealthWatch Integration
- Encrypted mobility tunnels between Controllers in the mobility group and Guest Anchor
- Secure connection between WLC and AP using DTLS
Trust
- Wireless Common Criteria, Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL).

92 Enterprise SSID Security and Segmentation
Category-based filtering based on Umbrella policy
Role-based access control based on Scalable Group Tags and SGACLs
VLAN-based segmentation using AAA Override: Employee VLAN ID = 10, Contractor VLAN ID = 20
Apple devices: controlled access via mDNS Profile
Micro-segmentation using Cisco TrustSec
[Diagram labels: Marketing, Sales, Contractors, Server; SGT = 4, SGT = 5, SGT = 6; 802.1x; Access Point; Enterprise SSID; WLC; ISE; Enterprise Backbone; AAA Override; user-role = Marketing, user-role = Contractor, user-role = Sales]
Policy Classification Engine (columns: User role; VLAN; Application; Apple devices; Umbrella Policy):
Marketing; 10; Mark Webex, Jabber; Apple TV, Printer, iTunes; Block ebay
Sales; 10; Mark Webex, Jabber; Apple TV, Printer, iTunes; Block ebay
Contractor; 20; Drop Youtube; Printer Only; Block ebay, CNN, BBC; Facebook
SGT, Backend Servers: PERMIT, PERMIT, DENY

93 Consolidate, Secure, Segment: Wireless Security for IOT
Consolidate SSIDs (columns): Enterprise SSID | IOT SSID | Guest SSID
User Category: Employees, Contractors, BYOD Devices | IOT devices like Sensors, Robots etc. | Guest users
Security L2/L3: 802.1x, BYOD CWA | Identity PSK | Web-authentication
Secure the Clients: Policy based on user-role, device, time of day, auth-type; ACL, QoS, AVC Profile, mDNS Profile, OpenDNS Policy
Secure the Air: Rogue detection, Basic wIPS, Advanced wIPS, CleanAir for interferers; Management Frame Protection using MFP and 802.11w
AAA Override: VLAN-based segmentation based on user-role, identity with a single SSID | VLAN-based segmentation based on IOT device groups with a single PSK SSID | Specific users can be quarantined or rate-limited
Segment and Secure the Network: SGT TrustSec segmentation by function, e.g. Marketing, Sales, HR; SGT override for IOT device groups; Cisco Umbrella and OpenDNS Policy based on SSID, AP Group, Local Policy; StealthWatch Integration; encrypted mobility tunnels between Controllers in the mobility group and Guest Anchor; secure connection between WLC and AP using DTLS
Trust Wireless: Common Criteria, Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL)

94 IOT SSID Security and Segmentation
[Diagram labels: IOT Sensors, IOT Lighting, Smart Devices; SGT = 4, SGT = 5, SGT = 6; IPSK; Access Point; IOT SSID; WLC; ISE; Enterprise Backbone; AAA Override]
Identity | VLAN | PSK
IOT Sensors | 30 | aabbcc
IOT Lighting | 10 | eeffgg
Smart Devices | | xxyyzz
ACL: PERMIT, PERMIT, DENY
SGT | Backend Servers
4 | PERMIT
5 | DENY
6 | DENY

95 Consolidate, Secure, Segment: Wireless Security for Guest
Consolidate SSIDs (columns): Enterprise SSID | IOT SSID | Guest SSID
User Category: Employees, Contractors, BYOD Devices | Mission-specific IOT devices like Sensors, Robots etc. | Guest users
Security L2/L3: 802.1x, BYOD CWA | Identity PSK | Web-authentication
Secure the Clients: Policy based on user-role, device, time of day, auth-type; ACL, QoS, AVC Profile, mDNS Profile, OpenDNS Policy
Secure the Air: Rogue detection, Basic wIPS, Advanced wIPS, CleanAir for interferers; Management Frame Protection using MFP and 802.11w
AAA Override: VLAN-based segmentation based on user-role, identity with a single SSID | VLAN-based segmentation based on IOT device groups with a single PSK SSID | Specific users can be quarantined or rate-limited
Segment and Secure the Network: Segmentation; TrustSec assignment by function, e.g. Marketing, Sales, HR; TrustSec override for IOT device groups; Cisco Umbrella Policy based on SSID, AP Group, Local Policy; segmentation using anchoring traffic to DMZ; StealthWatch Integration; encrypted mobility tunnels between Controllers in the mobility group and Guest Anchor; secure connection between WLC and AP using DTLS
Trust Wireless: Common Criteria (CC), Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL)

96 Guest SSID Security and Segmentation
Category-based filtering based on Umbrella policy
Role-based access control based on Scalable Group Tags and SGACLs
[Diagram labels: Guest, Employee, Server; Web auth; Access Point; Guest SSID; WLC; Anchor WLC; ISE; Enterprise Backbone; AAA Override; VLAN 50; Guest VLAN ID = 50; SGT = 7]
Policy Classification Engine:
User role | VLAN | Application | QoS | Umbrella Policy | SGT | Backend Servers
Guest | 50 | Mark Webex, Jabber; Drop Youtube | Rate-limit | Block news, sports | 7 | DENY

97 Key Takeaways for an End to End Wireless Security Solution
Take a defense in depth approach to security. Add security layers that complement one another and sit at different places in the IT network. What one misses, the other catches.
Complexity and security are inversely proportional. Take a simple approach to designing network security policy. Break your overall policy into smaller managed pieces to simplify creating an efficient policy.
A BYOD strategy must consider all mobile worker types and functions before deploying solutions.
Give it a try (e.g. PoC) before network-wide implementation.



ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

ISE Identity Service Engine

ISE Identity Service Engine CVP ISE Identity Service Engine Cisco Validated Profile (CVP) Series 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents 1. Profile introduction...

More information

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer Cisco.Network.Intuitive FastLane IT Forum Andreas Korn Systems Engineer 12.10.2017 Ziele dieser Session New Era of Networking - Was ist darunter zu verstehen? Software Defined Access Wie revolutioniert

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Cisco Wireless Release 7.6

Cisco Wireless Release 7.6 Product Bulletin Cisco Wireless Release 7.6 PB730102 Overview The IEEE 802.11ac standard promises to bring wire-like performance to wireless technologies. With Cisco Wireless Release 7.6, customers can

More information

Real4Test. Real IT Certification Exam Study materials/braindumps

Real4Test.   Real IT Certification Exam Study materials/braindumps Real4Test http://www.real4test.com Real IT Certification Exam Study materials/braindumps Exam : 400-351 Title : CCIE Wireless Vendor : Cisco Version : DEMO Get Latest & Valid 400-351 Exam's Question and

More information

Pulse Policy Secure X Network Access Control (NAC) White Paper

Pulse Policy Secure X Network Access Control (NAC) White Paper Pulse Policy Secure 802.1X Network Access Control (NAC) White Paper Introduction The growing mobility trend has created a greater need for many organizations to secure and manage access for both users

More information

Guest Access User Interface Reference

Guest Access User Interface Reference Guest Portal Settings, page 1 Sponsor Portal Application Settings, page 17 Global Settings, page 24 Guest Portal Settings Portal Identification Settings The navigation path for these settings is Work Centers

More information

Cisco Software-Defined Access

Cisco Software-Defined Access Cisco Software-Defined Access Introducing an entirely new era in networking. What if you could give time back to IT? Provide network access in minutes for any user or device to any application-without

More information

Configure Guest Flow with ISE 2.0 and Aruba WLC

Configure Guest Flow with ISE 2.0 and Aruba WLC Configure Guest Flow with ISE 2.0 and Aruba WLC Contents Introduction Prerequisites Requirements Components Used Background Information Guest Flow Configure Step 1. Add Aruba WLC as NAD in ISE. Step 2.

More information

Secure IT consumeration (BYOD), users will like you How to make secure access for smart mobile devices

Secure IT consumeration (BYOD), users will like you How to make secure access for smart mobile devices Michal Zlesák Area Sales Manager Michal.zlesak@enterasys.com Secure IT consumeration (BYOD), users will like you How to make secure access for smart mobile devices A Siemens Enterprise Communications Company

More information

Securing Wireless LANs

Securing Wireless LANs Securing Wireless LANs Will Blake Consulting Systems Engineer #clmel Agenda Define terms and approach Enterprise WLANs Threats, Vulnerabilities and Mitigation strategies External threats Detection, Identification

More information

Monitoring and Threat Detection

Monitoring and Threat Detection Monitoring and Threat Detection with Netflow Michael Belan Consulting Systems Engineer Cisco GSSO January 2017 AGENDA What is SW? Where does it fit in overall Cisco Security framework? What is SW? What

More information

Real time Location Services Overview and Use cases

Real time Location Services Overview and Use cases Real time Location Services Overview and Use cases Ashutosh Malegaonkar, Principal Engineer @amalegaonkar DEVNET-1071 /me Maker Breaker Meditate @amalegaonkar DEVNET-1071 2017 Cisco and/or its affiliates.

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Deploying Cisco Wireless Enterprise Networks. Version 1.

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Deploying Cisco Wireless Enterprise Networks. Version 1. 300-365.exam Number: 300-365 Passing Score: 800 Time Limit: 120 min CISCO 300-365 Deploying Cisco Wireless Enterprise Networks Version 1.0 Exam A QUESTION 1 The customer has deployed C7960 phones with

More information

Next generation branch with SD-WAN and NFV

Next generation branch with SD-WAN and NFV Next generation branch with SD-WAN and NFV Kiran Ghodgaonkar, Senior Manager, Enterprise Marketing Mani Ganeson, Senior Product Manager PSOCRS-2004 @ghodgaonkar Cisco Spark How Questions? Use Cisco Spark

More information

ClearPass Ecosystem. Tomas Muliuolis HPE Aruba Baltics lead

ClearPass Ecosystem. Tomas Muliuolis HPE Aruba Baltics lead ClearPass Ecosystem Tomas Muliuolis HPE Aruba Baltics lead 2 Changes in the market create paradigm shifts 3 Today s New Behavior and Threats GenMobile Access from anywhere? BYOD Trusted or untrusted? Bad

More information

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps Cisco 300-375 Dumps with Valid 300-375 Exam Questions PDF [2018] The Cisco 300-375 Securing Cisco Wireless Enterprise Networks (WISECURE) exam is an ultimate source for professionals to retain their credentials

More information