FEDERAL SECURED WIRELESS BRIEF - CSFC
1 FEDERAL SECURED WIRELESS BRIEF - CSFC Brian Baker Regional Security Lead - Army/SOF/NG World Wide Technology 16JUN2015 Copyright 2013 World Wide Technology, Inc. All rights reserved.
2 WHAT IS THE CSFC?
Commercial Solutions for Classified (CSfC) Program by the NSA
U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements. NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.
3 WHAT DOES THE CSFC OFFER?
Capability Package
NSA/CSS is developing sets of Capability Packages in order to provide customers with ready access to the information needed to satisfy their operational requirements. Capability Packages contain product-neutral information that will allow customers/integrators to successfully implement their own solutions. Using the information in the Capability Package, customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner. CSfC Capability Packages will provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements.
4 CURRENT CSFC CAPABILITY PACKAGES
- Campus WLAN Capability Package
- Virtual Private Network (VPN) Capability Package
- Mobility Capability Package
- Data-at-Rest (DAR) Capability Package
5 CAPABILITY PACKAGES - WHAT'S IN DEVELOPMENT
NSA is currently updating and evolving its suite of Capability Packages. Upcoming releases include:
- Mobile Access CP v1.1: update to Mobile Access CP to include more user comments and requirements.
- Campus WLAN CP v2.0: evolution of Campus Wireless LAN CP; features a shared WPA2 layer. (Estimated date: Feb 2016)
- Data at Rest v3.0 CP: hardware FDE technology; e.g., Self Encrypting Drives. (Estimated date: TBD 2016)
- Secure Multisite Connectivity CP: extends VPN v3.1 to include MACsec use cases; enables secure high speed connectivity. (Estimated date: April 2016)
6 HOW?
DAA (Designated Approving Authority) Approval Clearly Defined and Articulated Requirements Project Plan Supporting Documentation Fiduciary Duty (Due Diligence) Risk Mitigation NSA Support CSfC DISA Security Technical Implementation Guidelines (STIGs) Document Defined Waivers
7 SUPPORTING DOD DOCUMENTATION
DOD INSTRUCTION NUMBER WIPS/WIDS Army Wireless LAN Policy
DoDD Encryption of unclassified data for transmission to and from wireless devices is required. Exceptions may be granted on a case-by-case basis as determined by the Designated Approving Authority (DAA) for the wireless connections under their control. At a minimum, data encryption must be implemented end-to-end over an assured channel and shall be validated under the Cryptographic Module Validation Program as meeting requirements per Federal Information Processing Standards (FIPS) Publication (PUB) 140-2, Overall Level 1 or Level 2, as dictated by the sensitivity of the data (reference (g)).
DoDD Supplement x Requirement This document added additional guidance related to IEEE wireless LAN technologies and security. In addition to detailing the data-in-transit security requirements when deploying IEEE networks, the document also stated that continuous 24/7 wireless intrusion detection was required for wired and wireless networks.
AR 25-2 Information Assurance - PEDs (Personal Electronic Device) standards
Army CIO/G-6, SAIS-CB, Wireless Security Standards - Wireless Best Practices
8 How do we get there?
9 TRUSTED INTEGRATOR LIST
- Vetted by NSA as a Trusted Provider through an interview process
- Allows Customers to outsource the design, architecture and implementation of the CSfC network.
10 GETTING THERE Use the tools and resources available. CSfC Institutional Knowledge Commercial Knowledge Industry Knowledge Define the requirements Resource the Project, bring in the right players early (IA, Network Team, Service Desk Team, etc.) PLAN, PLAN, PLAN, Implement/Execute
11 What are the Guidelines?
12 CSfC Campus WLAN Capability Package v1.1 Dated 14DEC2012
13 AGNOSTIC NSA OVERVIEW
14 [Architecture diagram. Labels: User Equipment Access Network Protected Network VPN Enterprise Firewall Wireless Controller VPN CA Enterprise 802.1x/WLAN Authentication WIPS/WIDS WLAN CA Management]
15 USER EQUIPMENT (UE)
16 DMZ ARCHITECTURE
17 HIGH LEVEL MOBILE DEVICE-INFRASTRUCTURE CONNECTION
The following summarizes the sequence of events that occur in order to establish network access from a wireless Mobile Device in the architecture:
1) The Mobile Device is powered on. The WLAN Client automatically associates with the Wireless System.
2) The Wireless System requires the WLAN Client to perform an IEEE 802.1X authentication before providing access. The WLAN Client and WLAN Authentication Server mutually authenticate using ITU-T X.509v3 machine certificates. The Wireless System acts as a pass through to WLAN Authentication Server during these communications. If either WLAN Authentication Server or the WLAN Client determines that the other party's certificate is not valid, communication will cease.
3) The WLAN Client and WLAN Authentication Server execute a key establishment protocol (EAP-TLS) to derive the PMK.
4) WLAN Authentication Server passes the PMK to the Wireless System using RADIUS inside an IPsec protected wired connection. Depending on the vendor, the Wireless System will either keep the PMK on the Wireless Controller or push the keys out to the appropriate AP as needed.
5) The WLAN Client and Wireless System perform a 4-way handshake to derive a session key from the PMK. From this point forward all communication between the Wireless Client and the Wireless System is protected with this session key.
6) The VPN Client and VPN Gateway mutually authenticate via ITU-T X.509v3 machine certificates. If either the VPN Client or the VPN Gateway determines that the other party's certificate is not valid, all communications will cease.
7) The VPN Client and VPN Gateway negotiate keys, algorithms, and parameters for the IPsec connection using IKE. From this point forward all communication between the VPN Client and VPN Gateway is protected with an IPsec tunnel.
8) At this point the Mobile Device is connected to the wired network, but does not have access to services. Unless the system owner wants to establish a user authentication method specifically for wireless users, the Mobile Device and the network perform a user authentication to gain service access using the authentication method already implemented on the wired network.
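Step 5 of the sequence above, worked through as an added example (not part of the original briefing): both ends expand the PMK into a pairwise key set and prove possession of it through message integrity codes. It assumes the HMAC-SHA1 PRF of the default IEEE 802.1X key management with CCMP-128 (Suite B key management suites use a different KDF); the frames are simplified stand-ins and all MAC addresses, nonces and PMKs are constructed values.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"  # fixed label defined by IEEE 802.11i


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Expand the PMK into KCK (MIC key), KEK (key wrap key) and TK (CCMP traffic key)."""
    # Addresses and nonces are ordered min/max so both sides build the same input.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_sha1(pmk, LABEL, data, 48)  # PRF-384 for CCMP
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1 truncated to 128 bits, keyed with the KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk, client_pmk, aa, spa, anonce, snonce):
    """Return the agreed TK, or None if either side rejects a MIC.

    Frame bodies are simplified stand-ins, not real EAPOL-Key layouts.
    """
    # Message 1 (Wireless System -> client): ANonce, sent without a MIC.
    # The client now holds both nonces and derives keys from its own PMK.
    client_keys = derive_ptk(client_pmk, aa, spa, anonce, snonce)

    # Message 2 (client -> Wireless System): SNonce plus a MIC under the client's KCK.
    m2 = b"M2" + snonce
    m2_mic = mic(client_keys["kck"], m2)

    # The Wireless System derives keys from the PMK it received over RADIUS
    # (step 4) and checks the MIC; a mismatch means the PMKs differ.
    ap_keys = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic(ap_keys["kck"], m2), m2_mic):
        return None

    # Message 3 (Wireless System -> client): MIC proves the other side holds the PMK too.
    m3 = b"M3" + anonce
    m3_mic = mic(ap_keys["kck"], m3)
    if not hmac.compare_digest(mic(client_keys["kck"], m3), m3_mic):
        return None

    # Message 4 (client -> Wireless System): MIC-protected acknowledgement.
    m4 = b"M4"
    if not hmac.compare_digest(mic(ap_keys["kck"], m4), mic(client_keys["kck"], m4)):
        return None
    return ap_keys["tk"]


# Constructed sample values for illustration only.
AA = bytes.fromhex("020000000001")      # authenticator (AP) MAC address
SPA = bytes.fromhex("020000000002")     # supplicant (client) MAC address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PMK = hashlib.sha256(b"constructed PMK from EAP-TLS").digest()
WRONG_PMK = hashlib.sha256(b"a different constructed PMK").digest()

if __name__ == "__main__":
    tk = four_way_handshake(PMK, PMK, AA, SPA, ANONCE, SNONCE)
    print("matching PMKs  ->", tk.hex())
    print("mismatched PMK ->", four_way_handshake(PMK, WRONG_PMK, AA, SPA, ANONCE, SNONCE))
```

The PMK and the derived keys never appear in any frame; only the nonces and MICs do, which is why a PMK mismatch surfaces as a rejected message 2.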
18 Interactions with Enterprise Services
The two layers of encryption (WLAN and VPN) required by this Capability Package result in the creation of nested secure tunnels that carry Internet Protocol (IP) packets between the mobile device and the Enterprise Mobility Infrastructure. The VPN Gateway acts as the endpoint of the inner tunnel on the infrastructure side. Integration with the back-end enterprise network on the unencrypted side of the inner tunnel is outside the scope of this Capability Package, but this section identifies some best practices. Appropriate organizational policies and directives should be consulted for definitive information.
19 Authentication and Authorization:
The WLAN and VPN Gateway only authenticate mobile device identity using machine certificates. It is recommended (and may be required) that the mobile device user be authenticated prior to granting access to backend application services. This verification should be centralized and occur as close to the network edge as possible.
Guidance: The following references provide useful guidance for securing remote access to enterprise resources for the Department of Defense (DoD). This guidance for securing remote access should be applied within the context of the classified network for which a wireless connection is provided.
- Secure Remote Computing (SRC) Security Technical Implementation Guide (STIG), Defense Information Systems Agency (DISA)
- Network Infrastructure Technology Overview, DISA
- Remote Access Policy STIG, DISA
- Remote Access Server (RAS) STIG, DISA
20 Enterprise Services
The Campus WLAN solution described in this Capability Package is application-agnostic in that it provides an end-to-end path for IP packets between the UE and the Enterprise Network without regard to what those IP packets contain. Enterprise services may or may not depend on the ability of the UE to provide local non-volatile storage for user data, configuration data, or state information (e.g., persistent cookies).
21 REQUIREMENTS
22 NSA UPDATES
Date: Item
16 June 2015: Updated the Components list
11 June 2015: Updated the Components list
08 June 2015: Updated the Components list; Updated the Archived Components list; Updated the VPN, Mobile Access, WLAN and DAR Registration Forms; Updated the VPN Compliance Checklist
27 May 2015: Updated the Components list
21 May 2015: Updated the Components list; Updated the Trusted Integrator list
21 May 2015: Updated the Components list; Updated the Trusted Integrator list
18 May 2015: Updated the Components list; Updated the VPN Compliance Checklist; Removed the Mobility Program page
11 May 2015: Updated the Components list; Updated the Trusted Integrator list; Updated the Background section
29 Apr 2015: Updated the DaR CP portion of the page; Updated the Mobile Access CP portion of the page
23 Apr 2015: Updated the Components list; Updated the DaR Compliance Checklist form; Updated the DAR Registration form; Added new Trusted Integrator; Added new component to the Components list; Removed Non-technical and technical FAQs
02 Apr 2015: Updated the Components list; Updated the VPN Compliance Checklist form; Added new Trusted Integrator
01 Apr 2015: Updated the CSfC homepage; Updated the Campus WLAN Registration Form; Added new Trusted Integrator
23 CSFC APPROVED PRODUCTS LIST
What is the Process to get a Commercial Product CSfC-Listed?
Vendors who wish to have their products eligible as CSfC components of a composed, layered IA solution must build their products in accordance with the applicable US Government approved Protection Profile(s) and submit their product using the Common Criteria Process. The vendor will enter into a Memorandum of Agreement (MoA) with NSA. The MoA specifies that the vendor's product must be NIAP certified, FIPS certified, and that the vendor agrees to fix vulnerabilities in a timely fashion. The MoA may also reference technology-specific selections for NIAP testing.
24 CSFC APPROVED PRODUCT LIST
CSFC Component: IPsec VPN Gateway
Vendor | Model | Version (or later) | CNSSP-11 Compliance
Apriva | VPN Server | Red Hat Enterprise 6.5 | NIAP Validation Ongoing (at InfoGard)
Aruba | 600 Series Mobility Controllers | Aruba OS | NIAP Validation Ongoing (at CSC)
Aruba | 3000 Series Mobility Controllers | Aruba OS | NIAP Validation Ongoing (at CSC)
Aruba | 6000 Series Mobility Controllers | Aruba OS | NIAP Validation Ongoing (at CSC)
Aruba | 7005, 7010, 7024 and 7030 Mobility Controllers | Aruba OS | NIAP Validation Ongoing (at CSC)
Aruba | 7200 Series Mobility Controllers | Aruba OS | NIAP Validation Ongoing (at CSC)
Brocade Communications Systems | MLXe Series Router | | In Contracting Phase
Cisco | 1905, 1921, 1941, 2901, 2911, and 2921 Integrated Services Routers | 15.2(4)M6 IOS | NIAP Validation Completed (at Leidos)
Cisco | 2951, 3925, and 3945 Integrated Services Routers | 15.2(4)M6 IOS | NIAP Validation Completed (at Leidos)
Cisco | 3925E and 3945E Integrated Services Routers | 15.2(4)M6 IOS | NIAP Validation Completed (at Leidos)
Cisco | 1001-X, 1002-X, 1006 including ESP-100, and 1013 including ESP-100 or ESP-200 Aggregation Services Routers | IOS XE | NIAP Validation Ongoing (at Booz Allen Hamilton)
Cisco | 5940 and 5915 Embedded Services Routers | IOS 15.2(4)GC | NIAP Validation Completed (at Leidos)
Cisco | 819, 819W, 819HGW, 819H-4G, 881, 881G, 881GW, 881W-GN-A-K9, 881GW-GN-A-K9, 891 and 891W Integrated Services Routers | 15.2(4)M7 | NIAP Validation Completed (at Booz Allen Hamilton)
Cisco | 4431-X, 4451-X Integrated Services Router | IOS XE | NIAP Validation Completed (at Leidos)
Cisco | 4351, 4331, 4321 Integrated Services Routers | IOS XE | NIAP Validation Ongoing (at Leidos)
Cisco | ASA 5500-X Midrange Appliances 5506-X Series, 5508-X Series, 5512-X, 5515-X, 5525-X, 5545-X; 5555-X; ASA x X Series High-end Appliances , , , ; ASA-SM for Catalyst 6500 with Sup2T | | In Contracting Phase
***Complete CSFC List can be found at:
25 COMPONENT SELECTION RESTRICTIONS
26 ALGORITHMS: Approved Interim Algorithms: Approved Suite B Algorithms:
27 LIFECYCLE REQUIREMENTS (CUSTOMER RESPONSIBILITIES)
The following types of changes must be addressed during a component's/solution's lifecycle:
- Component Change: CSfC Components Lists and IA Alerts must be monitored for changes/updates. Guidance provided with the CSfC Components Lists and IA Alerts must be followed to continue to be in compliance with the Capability Package.
- Routine Capability Package Update: If a Capability Package is updated, all solutions based on that Capability Package must be validated against the latest Capability Package annually and have 6 months to come into compliance.
- Emergency Capability Package Update: If a Capability Package is deemed no longer to provide the level of security stated in the document, all solutions based on that Capability Package must be updated to the latest version as soon as possible. NSA will provide an updated risk statement and possible mitigations (if available) to all registered users of the Capability Package with a required timeline for update.
28 REFERENCE ARCHITECTURES Feasible Solutions and Examples
29 NSA COMMERCIAL SOLUTION FOR CLASSIFIED VPN V2.0 SOLUTION (CISCO SINGLE VENDOR)
30 [Architecture diagram. Labels: User Equipment Access Network Protected Network VPN Enterprise Firewall Wireless Controller VPN CA Enterprise 802.1x/WLAN Authentication WIPS/WIDS WLAN CA Management]
31 Proposed Wireless Solution
[Diagram labels: Android Device Windows Wireless Black Transport ios x AP 3702x AP 5508 WLC Black Identity Services Engine (ISE) AD/CA Prime Infrastructure Mobility Services Engine (MSE) ISRG2 ASR IOS FW Outer DMZ AD/CA Identity Services Engine (ISE) VPN/Firewall/Authentication Servers on Different Code Base ASA 55XX-X FW Enterprise AD/CA Identity Services Engine (ISE) Inner Tunnel Device WPA2 AES-128-CCMP 2 ASA 55XX-X Outer Tunnel AES-256-GCM Suite B IPSec Outer VPN AES-256-GCM or TLS Inner Application VPN]
1) Wireless AES WPA2 & 802.1x
2) ISR/ASR IOS FW to Protect Wireless DMZ Services (AD,CA,ISE,MSE)
3) ASA SuiteB IPSec Outer
4) ASA FW Protects Inner Device
5) Inner Application VPN - TLS/SRTP/IPSec
- WLC & ISE can Authenticate to AD/LDAP to Allow Roaming Access
- AnyConnect VPN Launched from Any Location (Local, Hotel etc.)
32 [Diagram labels: Android Device Windows Wireless Black Transport ios 3602x AP 3702x AP 5508 WLC Black Identity Services Engine (ISE) AD/CA Prime Infrastructure Mobility Services Engine (MSE) ISRG2 ASR IOS FW Outer DMZ AD/CA Identity Services Engine (ISE) ASA 55XX-X Outer Tunnel ASA 55XX-X FW Enterprise AD/CA Identity Services Engine (ISE) Inner Tunnel Device]
- Wireless is AC Capable
- WLC & ISE can Authenticate to AD/LDAP to Allow Roaming Access
- Cisco Prime Offers Centralized Management of Wired & Wireless Infrastructure to Include Location Tracking, Frequency Mgt, Rogue Detection etc.
- Single Client with Same AnyConnect VPN Launched from Any Location (Local, Hotel etc.)
- O&M of ASA is Familiar as Other ASAs are Deployed Today
- Existing PKI Infrastructure In Place Today to Support NGE (Suite B)
33 QUESTIONS NEXT STEPS
More informationCisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]
s@lm@n Cisco Exam 642-737 Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] Cisco 642-737 : Practice Test Question No : 1 RADIUS is set up with multiple servers
More informationCisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions
Data Sheet Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions Security Operations Challenges Businesses are facing daunting new challenges in security
More informationDEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 23 Oct 12
DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND 20755-0549 IN REPLY REFER TO: Joint Interoperability Test Command (JTE) 23 Oct 12 MEMORANDUM FOR DISTRIBUTION SUBJECT: Extension of
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationIdentity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition
Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition Sept. 8, 2008 Liberty Alliance 1 Welcome! Introduction of speakers Introduction of attendees Your organization
More informationP ART 3. Configuring the Infrastructure
P ART 3 Configuring the Infrastructure CHAPTER 8 Summary of Configuring the Infrastructure Revised: August 7, 2013 This part of the CVD section discusses the different infrastructure components that are
More informationWireless LAN Security. Gabriel Clothier
Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group
More informationVendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo
Vendor: Cisco Exam Code: 642-737 Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0 Version: Demo QUESTION 1 Which statement describes the major difference between PEAP and EAP-FAST
More informationASSURANCE CONTINUITY MAINTENANCE REPORT FOR ARUBA MOBILITY CONTROLLER AND ACCESS POINT SERIES
ASSURANCE CONTINUITY MAINTENANCE REPORT FOR ARUBA MOBILITY CONTROLLER AND ACCESS POINT SERIES TM Maintenance Update of Aruba Mobility Controller and Access Point Series, (ArubaOS version 6.4.3.0-FIPS)
More informationImplementing Security in Windows 2003 Network (70-299)
Implementing Security in Windows 2003 Network (70-299) Level 1 Authorization & Authentication 2h 20m 20s 1.1 Group Strategy 1.2 Group Scopes 1.3 Built-in Groups 1.4 System or Special Groups 1.5 Administrating
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationBeOn Security Cybersecurity for Critical Communications Systems
WHITEPAPER BeOn Security Cybersecurity for Critical Communications Systems Peter Monnes System Design Engineer Harris Corporation harris.com #harriscorp TABLE OF CONTENTS BeOn Security... 3 Summary...
More informationCOPYRIGHTED MATERIAL. Contents
Contents Foreword Introduction xxv xxvii Assessment Test xxxviii Chapter 1 WLAN Security Overview 1 Standards Organizations 3 International Organization for Standardization (ISO) 3 Institute of Electrical
More informationCisco ISE Features Cisco ISE Features
Cisco ISE Overview, on page 2 Key Functions, on page 2 Identity-Based Network Access, on page 3 Support for Multiple Deployment Scenarios, on page 3 Support for UCS Hardware, on page 3 Basic User Authentication
More informationSECURING MOBILITY. Through the Canadian Medium Assurance Solutions Program. ICMC May Greg Hills Director, Architecture and Technology Assurance
SECURING MOBILITY Through the Canadian Medium Assurance Solutions Program ICMC May 2016 Greg Hills Director, Architecture and Technology Assurance PAGE 1 INTRODUCTION Basic, Medium, and High Assurance
More informationAnyConnect Secure Mobility Client for Windows 10
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA 95134 AnyConnect Secure Mobility Client
More informationManaging Site-to-Site VPNs: The Basics
CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels
More informationWireless technology Principles of Security
Wireless technology Principles of Security 1 Wireless technologies 2 Overview This module provides an introduction to the rapidly evolving technology of wireless LANs (WLANs). WLANs redefine the way the
More informationLayer 2 authentication on VoIP phones (802.1x)
White Paper www.siemens.com/open Layer 2 authentication on VoIP phones (802.1x) IP Telephony offers users the ability to log-on anywhere in the world. Although this offers mobile workers great advantages,
More informationISE Primer.
ISE Primer www.ine.com Course Overview Designed to give CCIE Security candidates an intro to ISE and some of it s features. Not intended to be a complete ISE course. Some topics are not discussed. Provides
More informationDoD UC Framework 2013, Section 13 Table of Contents TABLE OF CONTENTS
, Table of Contents TABLE OF CONTENTS SECTION PAGE Security Devices... 13-1 13.1 Physical Security... 13-1 13.2 Security Devices Security Design... 13-1 13.3 Network Security Design... 13-1 13.4 Requirements
More informationCisco.Realtests v by.TAMMY.29q. Exam Code: Exam Name: CXFF - Cisco Express Foundation for Field Engineers
Cisco.Realtests.648-385.v2014-07-08.by.TAMMY.29q Number: 648-385 Passing Score: 800 Time Limit: 120 min File Version: 24.5 http://www.gratisexam.com/ Exam Code: 648-385 Exam Name: CXFF - Cisco Express
More informationSecurely Deliver Remote Monitoring and Service to Critical Systems. A White Paper from the Experts in Business-Critical Continuity TM
Securely Deliver Remote Monitoring and Service to Critical Systems A White Paper from the Experts in Business-Critical Continuity TM Executive Summary As a leading equipment manufacturer of critical infrastructure
More informationCisco Exam Questions & Answers
Cisco 648-375 Exam Questions & Answers Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 22.1 http://www.gratisexam.com/ Cisco 648-375 Exam Questions & Answers Exam Name: Cisco Express
More informationJUNIPER NETWORKS PRODUCT BULLETIN
PRODUCT BULLETIN JUNIPER NETWORKS PRODUCT BULLETIN Junos Pulse Mobile Security Suite 4.2 What s New for Enterprises and Service Providers Bulletin Date January 24, 2013 Bulletin Number 8000022 Applicable
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Boundary Network Boundary Protection is the Capability to protect and control access to Enterprise resources
More informationCisco ONE for Access Wireless
Data Sheet Cisco ONE for Access Wireless Cisco ONE Software helps customers purchase the right software capabilities to address their business needs. It helps deliver reduced complexity, simplified buying,
More informationProgress Report National Information Assurance Partnership
Progress Report 2012-2015 National Information Assurance Partnership Executive Summary The National Information Assurance Partnership (NIAP) has made significant progress in three primary mission areas:
More informationDEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTD) 15 Aug 14
DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND 20755-0549 IN REPLY REFER TO: Joint Interoperability Test Command (JTD) 15 Aug 14 MEMORANDUM FOR DISTRIBUTION SUBJECT: Extension of
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationCISCO QUAD Cisco CCENT/CCNA/CCDA/CCNA Security (QUAD)
Our Learning Exclusive Custom exam prep software and materials Exam delivery in classroom with 98% success Course specific thinqtank Learning publications to promote fun exciting learning Extended hours
More informationSecuring BYOD with Cisco TrustSec Security Group Firewalling
White Paper Securing BYOD with Cisco TrustSec Security Group Firewalling Getting Started with TrustSec What You Will Learn The bring-your-own-device (BYOD) trend can spur greater enterprise productivity
More informationCyber Security Requirements for Electronic Safety and Security
This document is to provide suggested language to address cyber security elements as they may apply to physical and electronic security projects. Security consultants and specifiers should consider this
More informationBrocade MLXe Family Devices with Multi- Service IronWare R
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Brocade Communication Systems, Inc 130 Holger Way San Jose, CA 95134 Brocade MLXe Family
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Mapping The Network Mapping helps visualize the network and understand relationships and connectivity between
More informationSeagate Supply Chain Standards and Operational Systems
DATA IS POTENTIAL Seagate Supply Chain Standards and Operational Systems Government Solutions Henry Newman May 9 2018 Supply Chain Standards and Results Agenda 1. 2. SUPPLY CHAIN REQUIREMENTS AND STANDARDS
More informationCisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation
Ordering Guide TrustSec 4.0:How to Create Campus and Branch-Office Segmentation Ordering Guide November 2013 2013 and/or its affiliates. All rights reserved. This document is Public Information. Page 1
More information