Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD


Kanu Gupta, Technical Marketing Engineer, CCIE 40465 (Wireless). Cisco Live session BRKEWN-2005.

2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Objectives

The session covers four pillars, each at three tiers (inbuilt, default best practice, advanced):

Harden Infrastructure
- Inbuilt: securing AP-WLC communication, 802.1X AP port security
- Default: best practices
- Advanced: APIC-EM Plug n Play

Protect the Air
- Default: base wIPS, rogue detection, CleanAir, 802.11w
- Advanced: adaptive wIPS (aWIPS)

Secure Client Access
- Default: client access methods (802.1X, iPSK, WebAuth)
- Advanced: ISE guest and BYOD management

Solution Level Protection
- Default: native policy management, Application Visibility and Control, URL filtering
- Advanced: TrustSec, NetFlow/StealthWatch, Cisco Umbrella

Out of scope: ISE in detail, configuration details, version discrepancies, IPv6, fabric roadmap.


Agenda
- Infrastructure hardening
- Over the air security
- Secure access
- Solution level security
- Enterprise use case

Cisco Digital Network Architecture for mobility

Principles:
- Open APIs: modular APs with RESTful APIs, RESTful APIs on the WLC, NetFlow export
- Cloud service management: CMX 10.x with context and guest
- Automation: Plug n Play, EasyQoS
- ISE: 802.1X, BYOD and guest
- Assurance: Apple network optimization and FastLane
- Platforms and virtualization: DNA-optimized controllers 3504, 5520 and 8540; VM models on ESXi, KVM, Hyper-V and AWS

Outcomes: insights and experiences; automation and assurance; security and compliance.

Trustworthy Systems: protect the device with embedded security built for today's threats

Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; there has never been a greater need to improve network infrastructure security (US-CERT Alert TA16-251A, September 2016). Evidence of trust, security expertise and innovation. Learn more: visit trust.cisco.com; see BRKARC-1010 Protecting the Device: Cisco Trustworthy Systems & Embedded Security; Meet the Engineer topic: Security and Trust Architecture.

Cisco Trustworthy Systems levels: how enterprise wireless protects the network

- Solution level attack protection: TrustSec, Umbrella, ISE, StealthWatch, NetFlow
- Protections against attack: DHCP snooping, secure transport, wIPS/rogue detection, 802.11w/r/i, IP Source Guard, ACLs
- Platform integrity: Secure Boot, image signing, counterfeit protections, hardware trust anchor, modern crypto, secure device onboarding
- Security culture: supply chain management, open source registration, security training, threat modeling, product security baseline, PSIRT advisories

Learn more: BRKARC-1010 Protecting the Device: Cisco Trustworthy Systems & Embedded Security

Secure the Infrastructure

Infrastructure hardening: encryption, 802.1X, Plug n Play, MFP/802.11w, best practices

AP control at the access layer: 802.1X credentials for the AP

The access point acts as the 802.1X supplicant on its switch port. EAP over LAN (EAPoL) runs on the Layer 2 point-to-(multi)point link to the switch, which is the authenticator, and the switch relays the authentication to the RADIUS server over its Layer 3 link. The credentials are set on the AP itself:

AP# capwap ap dot1x username [USER] password [PWD]

Not supported at the time of the session on the 1800/2800/3800 APs. The point of doing this is that the switch port facing an AP is otherwise an open port in a closet or above a ceiling tile: with 802.1X on it, an unplugged AP cable does not hand the AP VLAN to whatever is plugged in next, and an AP that fails authentication is handled by the port's authentication policy rather than silently joining the network.

Securing the AP-WLC communication: CAPWAP tunnels (see BRKEWN-2010)

- CAPWAP control (UDP 5246) is DTLS-encrypted by default.
- CAPWAP data (UDP 5247) is encapsulated but not encrypted by default. DTLS data encryption between AP and WLC is supported and has to be switched on:

(Cisco Controller) >config ap link-encryption enable all
(Cisco Controller) >config ap link-encryption enable [ap-name]

Verify with show ap link-encryption all. Without data DTLS, client traffic that was protected by WPA2 over the air travels in cleartext inside CAPWAP data between the AP and the controller, so enable it wherever that path crosses a network you do not trust (branch over WAN, shared infrastructure); it does add crypto load on both the AP and the WLC.

Securing the AP-WLC communication: Locally Significant Certificate (LSC)

The CAPWAP DTLS session can be authenticated with certificates issued by your own PKI instead of the manufacturer-installed certificates. Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

APIC-EM Plug-n-Play (PnP) for secure provisioning of access points

The AP learns the APIC-EM address through DHCP option 43 or by DNS resolution of pnpserver.<dhcp-domain-option>. APIC-EM matches the AP serial number against its project lists:
- AP SN #123 is in a project: it receives its configuration file (WLC IP, Vegas AP group, etc.) and joins the Vegas AP group.
- AP SN #456 is in no project: it lands in the claim list and waits for an administrator to claim it.

AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_apic-em-pnp-deployment-guide.html

Securing the AP-WLC communication: Out-of-Box AP group and RF profile (v7.3+)

A newly joined AP lands in the Out-of-Box AP group, whose RF profile keeps the radios disabled, until an administrator moves it to a production group such as Vegas (radios enabled). An unexpected or unclaimed AP therefore never radiates an SSID. Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#id2870

End-to-end encryption of the mobility tunnel (8.5): CAPWAP v4 with DTLS encryption between wireless LAN controllers, so roamed client traffic between controllers is encrypted as well.

Over the Air Security and Threat Mitigation

Over the air security: aWIPS, ELM (Enhanced Local Mode), rogue detection, Cisco CleanAir, EDRM (event-driven RRM), FRA (Flexible Radio Assignment), radio off-channel scanning

Wireless Intrusion Prevention System (wIPS): the over-the-air threats it covers

- Rogue access points: backdoor access to the wired network
- Ad-hoc wireless bridges and client-to-client connections: backdoor access
- Evil twin / honeypot AP: sniffing and eavesdropping on clients lured onto the attacker's AP
- Reconnaissance: seeking network vulnerabilities
- Cracking tools
- Denial of service: service disruption
- Non-802.11 attacks (microwave, Bluetooth, RF jammers, radar): service disruption, detected by CleanAir and tracked by the MSE

wIPS process flow and component interactions

Solution      | Components                                  | Functions                                                   | Licensing
Base IDS      | WLC, AP and Prime Infrastructure (optional) | 17 native signatures; rogue detection and containment        | No licence required
Adaptive wIPS | WLC, AP, MSE and Prime Infrastructure       | Comprehensive over-the-air threat detection and mitigation   | Licensed feature on the MSE

Flow: (1) the wIPS AP reports to the wireless controller over CAPWAP; (2) the controller forwards to the wIPS MSE 8.x over NMSP; (3) the MSE raises SNMP traps to Prime Infrastructure; (4) Prime Infrastructure presents and manages the events.

wIPS with Cisco Mobility Services Engine (MSE) 8.0: APs report to their WLCs, the WLCs feed the MSE, and Prime Infrastructure talks to the MSE over SOAP/XML over HTTP/HTTPS.

aWIPS: accurate detection and mitigation

- Threats: cracking, reconnaissance, DoS, rogue APs and clients, ad-hoc connections, over-the-air attacks
- Detection: on/off channel scanning, signature and anomaly detection, network traffic analysis, device inventory analysis
- Classification: default tuning profiles, customizable event auto-classification, wired-side tracing, physical location
- Notification: unified PI security dashboard, flexible staff notification, device location
- Mitigation: wired port disable, over-the-air mitigation, auto or manual, uses all APs for superior scale
- Management: role-based with audit trails, customizable event reporting, PCI reporting, full event forensics

Supported AP modes for wIPS (table on the slide): each listed mode serves data on 2.4 and 5 GHz (one mode on 5 GHz only) while running wIPS on all channels, best effort in one of the modes. Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/wips_deployment_guide.html#pgfid-43500

Cisco wireless security deployment with AP3800/2800: maintains capacity and avoids interference

Feature                               | Good: ELM                                              | Better: Monitor Mode AP            | Best: ELM with FRA Monitor Mode
Deployment density                    | Per AP                                                 | 1 in 5 APs                         | 1 radio per 5 APs
Client serving with security monitoring | Yes                                                  | No                                 | Yes
wIPS security monitoring              | 50 ms off-channel scan on selected channels, 2.4 and 5 GHz | 7x24, all channels on 2.4 and 5 GHz | 7x24, all channels on 2.4 and 5 GHz
CleanAir spectrum intelligence        | 7x24 on the client-serving channel                     | 7x24, all channels on 2.4 and 5 GHz | 7x24, all channels on 2.4 and 5 GHz

(Figure: the Enhanced Local Mode AP alternates its serving channel with short off-channel dwells on both bands; the Monitor Mode AP walks every channel on both bands; with FRA the flexible radio becomes a full-time security monitor across both bands while the dedicated 5 GHz radio keeps serving clients.)

Rogue access points: what are they?

A rogue AP is an AP that does not belong to our deployment: neither the controller nor the administrator knows it. We might need to care (malicious, or connected to our wired network) or not (a friendly neighbour). Sometimes we can disable them, sometimes we can only mitigate them.

Rogue detection and mitigation

- Rogue classification and containment: rogue rules, manual classification as friendly or malicious, manual and auto containment
- Rogue AP types detected by CleanAir: Wi-Fi on an invalid channel, Wi-Fi inverted
- Rogue location: real time with Prime Infrastructure, MSE and CleanAir; location of rogue APs and clients, ad-hoc rogues and non-Wi-Fi interferers
- Scanning budget: a data-serving AP serves clients on 2.4 GHz and 5 GHz and goes off-channel for 50 ms at a time; a monitor mode AP scans about 1.2 s per channel; with FRA plus monitor mode the dedicated 5 GHz radio serves clients while the other radio scans 1.2 s per channel

Optimize Wi-Fi with CleanAir: quickly identify and mitigate Wi-Fi-impacting interference (figure: three APs on channels 1, 6 and 11; when CleanAir detects an interferer on one of them, RRM moves the affected AP to a clean channel)

CleanAir-detectable attacks, some examples (see BRKEWN-3010)

- Layer 3-7: IP and application attacks and exploits are the domain of traditional IDS/IPS
- Layer 2: Wi-Fi protocol attacks and exploits are detected by wIPS
- Layer 1: RF signalling attacks and exploits are detected by CleanAir, which is dedicated to L1 exploits: rogue threats that are otherwise undetectable, Wi-Fi jammers, and the classic 2.4 GHz and 5 GHz interferers

Secure access to the corporate network: ISE, access methods, guest management

Secure access to the corporate network: 802.1X, WebAuth, guest access, MAC auth, classification, BYOD, NAC, RADIUS

Identity Services Engine

Cisco Identity Services Engine (ISE) (see BRKSEC-3697, BRKSEC-3699)

ISE consolidates what used to be separate products (ACS, NAC Profiler, NAC Guest Server, NAC Manager, NAC Server) into one engine: centralized policy, RADIUS server, posture assessment, guest access services, device profiling, client provisioning, MDM integration, monitoring and troubleshooting, device administration (TACACS+).

Authentication and authorization: what are they?

Authentication tells who or what the endpoint is: 802.1X, iPSK, MAB or WebAuth.
Authorization tells what the endpoint has access to, through policy elements: VLAN, access control list, quality of service, application control, Bonjour service policy, URL redirect.

URL redirect: Central Web Auth, client provisioning, posture

url-redirect: for CWA, client provisioning, posture and MDM the portal URL is returned as a Cisco AV-pair RADIUS attribute, e.g.
cisco-av-pair=url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

url-redirect-acl: names the ACL that decides which traffic is redirected. The name is returned as a Cisco AV-pair and has to match an ACL that already exists on the WLC, e.g.
cisco-av-pair=url-redirect-acl=ACL-POSTURE-REDIRECT

In that ACL, deny entries define the traffic subject to redirection and permit entries the traffic that bypasses it. The ACL therefore has to permit DNS and the ISE portal itself, or the client can never load the page it is being redirected to.

Client attributes and traffic for profiling: how RADIUS, HTTP, DNS, DHCP (and other traffic) are used to classify clients

ISE uses multiple attributes to build a complete picture of the end client's device profile; the information comes from sensors that each capture different attributes:
1. The MAC address is checked against the known vendor OUI database.
2. DHCP/HTTP sensor: the client's DHCP and HTTP attributes are captured by the AP and forwarded to ISE by the WLC in RADIUS Accounting messages.
3. HTTP User-Agent: mobile devices are quite chatty with web applications, and they can also be redirected to one of ISE's portals to collect the User-Agent.

Profiling example from ISE: is the MAC address from Apple? DHCP:host-name CONTAINS ipad; IP:User-Agent CONTAINS ipad. Each matching condition adds certainty, so with all three there is reasonable certainty that this device is an iPad.

Local (WLC) device classification

Collection:
1. MAC address checked against the vendor OUI database
2. Client's DHCP attributes captured by the AP
3. User-Agent payload on a custom HTTP port inspected by the HTTP sensor

Analysis: pre-defined device signatures and an in-built MAC OUI dictionary. The MAC OUI list and device profiles can be updated dynamically on the WLC, independent of the controller image.

Profile-based policy enforcement: practical examples of policies

User role | Device          | Service                        | Action
Employee  | Corporate asset | Product Bookings, facebook.com | Permit
Employee  | iPad            | facebook.com                   | Permit
Employee  | iPad            | Product Bookings               | Deny

The corporate laptop reaches both the Product Bookings application and facebook.com; the personal iPad is allowed facebook.com but denied Product Bookings.
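As an added example (not ISE's own profiler code), the three sources from the profiling slides above (MAC OUI, DHCP host-name, HTTP User-Agent) scored into a certainty value the way a hierarchical profiler policy does, followed by the role/device/service matrix from this slide. The OUI table, the certainty weights and the minimum-certainty thresholds are assumptions; the policy rows are the slide's.

```python
"""Profiling by certainty score, then profile-based authorization.
Added example; OUI table, weights and thresholds are assumptions."""
from dataclasses import dataclass

# Constructed OUI dictionary (first three octets -> vendor); assumption.
OUI_VENDOR = {"00:1C:B3": "Apple, Inc.", "00:50:56": "VMware, Inc."}

# Profiler policies: (name, parent, conditions, certainty per match, minimum).
# A condition is (attribute, operator, value). Weights are assumptions.
PROFILES = [
    ("Apple-Device", None, [("MAC:OUI", "CONTAINS", "Apple")], 10, 10),
    ("Apple-iPad", "Apple-Device", [("DHCP:host-name", "CONTAINS", "ipad"),
                                   ("IP:User-Agent", "CONTAINS", "ipad")], 20, 20),
]


def collect_attributes(mac, dhcp_hostname=None, user_agent=None):
    """The attribute view the sensors produce for one endpoint: OUI lookup,
    DHCP host-name relayed in RADIUS accounting, HTTP User-Agent."""
    attrs = {"MAC:OUI": OUI_VENDOR.get(mac.upper()[:8], "")}
    if dhcp_hostname:
        attrs["DHCP:host-name"] = dhcp_hostname
    if user_agent:
        attrs["IP:User-Agent"] = user_agent
    return attrs


def _holds(cond, attrs):
    attribute, op, value = cond
    if op == "CONTAINS":
        return value.lower() in attrs.get(attribute, "").lower()
    raise ValueError("unsupported operator %r" % op)


def profile(attrs):
    """Walk the policy hierarchy: a child is only evaluated once its parent
    matched; every matching condition adds its certainty and the policy
    matches when the sum reaches the minimum. Returns the most specific match."""
    matched, best = {None}, "Unknown"
    for name, parent, conds, weight, minimum in PROFILES:
        if parent not in matched:
            continue
        if sum(weight for c in conds if _holds(c, attrs)) >= minimum:
            matched.add(name)
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    role: str
    device: str      # profile name, 'Corporate Asset', or '*'
    service: str     # '*' matches any service
    action: str


POLICY = [
    Rule("Employee", "Corporate Asset", "*", "Permit"),
    Rule("Employee", "Apple-iPad", "facebook.com", "Permit"),
    Rule("Employee", "Apple-iPad", "Product Bookings", "Deny"),
]


def authorize(role, device, service, default="Deny"):
    """First matching rule wins; anything unmatched falls to the default."""
    for r in POLICY:
        if r.role == role and r.device in (device, "*") and r.service in (service, "*"):
            return r.action
    return default


if __name__ == "__main__":
    ipad = collect_attributes("00:1c:b3:12:34:56", "Kanus-iPad",
                              "Mozilla/5.0 (iPad; CPU OS 10_3 like Mac OS X)")
    dev = profile(ipad)
    print(dev, authorize("Employee", dev, "facebook.com"),
          authorize("Employee", dev, "Product Bookings"))
```

A device with a VMware OUI and a spoofed DHCP host-name of "ipad" never reaches the Apple-iPad policy because the parent Apple-Device does not match; that gating is useful, but every one of these attributes is client-supplied, so a profile is a classification hint for authorization, not an authentication result.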

Client access methods: 802.1X, Identity PSK, MAB, WebAuth

Device awareness: identity is the base

Mechanism    | Security benefits                                                                        | Drawback
802.1X       | Robust industry standard; strong encryption and authentication                           | Requires an 802.1X supplicant; complex to configure, implement and manage
Identity PSK | Easy to configure; strong encryption; works with existing infrastructure                 | The passphrase has to be keyed in manually on the client
Web auth     | With MAB and the profiler it triggers the guest process for secure onboarding and guest resources | By itself offers per-client rather than group-level access

Typical fit: 802.1X for authorized users and managed devices and users; Identity PSK for IP phones and IoT devices that cannot run 802.1X; web auth for guests and other non-802.1X users.

802.1X

Why 802.1X? Industry standard approach to identity; most secure user/device authentication; complements other switch security features; various deployment options; foundation for services like posture and policy implementation.

How does it work? The supplicant on the client speaks EAPoL to the authenticator (AP and WLC), which relays the EAP conversation over RADIUS to the authentication server (ISE).

EAP authentication types: different authentication options leveraging different credentials

Tunnel-based: EAP-PEAP or EAP-FAST carrying an inner method such as EAP-MSCHAPv2, EAP-GTC or EAP-TLS. Common deployments use PEAP with EAP-MSCHAPv2 inside. PEAP requires only a server-side certificate, and the TLS tunnel protects the inner method, which may be vulnerable by itself. That protection only holds when the supplicant actually validates the server certificate (trusted CA and expected server name); a supplicant configured to skip validation will run its MSCHAPv2 exchange against an evil-twin AP backed by the attacker's own RADIUS server.

Certificate-based: for more security EAP-TLS provides mutual authentication of both server and client, with a certificate on each side.

RADIUS Change of Authorization (CoA)

The RADIUS protocol is initiated by the network device (NAD): without CoA there is no way for ISE to change an authorization once it has been granted. Enabling dynamic authorization makes the network device listen for CoA requests from ISE on UDP 1700 (Cisco default) or 3799 (RFC 5176). On IOS:

(config)#aaa server radius dynamic-author
(config-locsvr-da-radius)#client {PSN} server-key {RADIUS_KEY}

On an AireOS controller the equivalent is enabling RFC 3576 support per RADIUS server entry: config radius auth rfc3576 enable <index>.

Now ISE can control sessions when it wants to: re-authenticate the session, terminate the session, terminate the session with port bounce, disable the host port. The server key has to match the key ISE uses, because the NAD validates the authenticator on every CoA request with it and silently discards anything that fails.
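As an added example (not ISE or IOS code), the CoA exchange from RFC 5176 on the wire: ISE builds a CoA-Request naming the session and carrying a Cisco AV-pair command, the NAD checks the Request Authenticator with the shared key configured under dynamic-author, acts on it, and answers with CoA-ACK or CoA-NAK plus an Error-Cause. The shared key, session ids and MAC are constructed; the Message-Authenticator attribute is left out for brevity.

```python
"""RADIUS CoA-Request / CoA-ACK / CoA-NAK per RFC 5176 (added example)."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VSA, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 26, 31, 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERR_UNSUPPORTED_SERVICE, ERR_SESSION_NOT_FOUND = 405, 503   # RFC 5176 Error-Cause


def avp(attr_type, value):
    """Type, length (including these two octets), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) -> vendor 9 -> sub-attribute 1 (Cisco-AVPair)."""
    return avp(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def build_coa_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_request(packet, secret):
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attrs(blob):
    """(type, value) pairs; Cisco AV-pairs are surfaced as ('cisco-av-pair', str)."""
    out, i = [], 0
    while i < len(blob):
        t, ln = blob[i], blob[i + 1]
        v = blob[i + 2:i + ln]
        if t == ATTR_VSA and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == CISCO_AVPAIR:
            out.append(("cisco-av-pair", v[6:4 + v[5]].decode()))
        else:
            out.append((t, v))
        i += ln
    return out


def nad_handle_coa(packet, secret, sessions):
    """The WLC side. `sessions` maps Acct-Session-Id -> client MAC.
    Returns (action taken or None, response packet or None)."""
    if not verify_request(packet, secret):
        return None, None                       # bad authenticator: silently discard
    attrs = dict(parse_attrs(packet[20:]))
    session = attrs.get(ATTR_ACCT_SESSION_ID, b"").decode()
    if session not in sessions:
        nak = avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_NOT_FOUND))
        return None, build_response(COA_NAK, packet, nak, secret)
    if attrs.get("cisco-av-pair") == "subscriber:command=reauthenticate":
        return ("reauthenticate", sessions[session]), build_response(COA_ACK, packet, b"", secret)
    nak = avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_UNSUPPORTED_SERVICE))
    return None, build_response(COA_NAK, packet, nak, secret)


def ise_reauth_request(identifier, session_id, mac, secret):
    """What ISE sends to force a re-authentication of one session."""
    attrs = (avp(ATTR_ACCT_SESSION_ID, session_id.encode())
             + avp(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair("subscriber:command=reauthenticate"))
    return build_coa_request(identifier, attrs, secret)


if __name__ == "__main__":
    key = b"RADIUS_KEY"                                     # constructed shared key
    req = ise_reauth_request(7, "0a6433010000001a", "00-11-22-33-44-55", key)
    print(nad_handle_coa(req, key, {"0a6433010000001a": "00:11:22:33:44:55"}))
```

The authenticator is keyed MD5 over the whole request, so a wrong server-key on either side produces no NAK at all, just silence; when CoA "does nothing" in a deployment, a key mismatch or a CoA source address that is not the configured client is the first thing to check.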

Identity PSK (8.5): multiple PSKs per SSID allow advanced security encryption across all devices

Driver: increased demand for IoT devices that need identity-based security without 802.1X. Simple operations, high scale, cost effective. Private PSK with RADIUS integration; per-client AAA override (VLAN, ACL, etc).

Identity PSK (8.5): how it works

The WLAN is a PSK WLAN with MAC filtering and AAA override enabled. On association the WLC sends the client MAC to ISE, and ISE returns the private PSK for that device's group as Cisco-AVPairs:
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=aabbcc"   (or "psk=xxyyzz")

Device group | Private PSK
IOT Devices  | aabbcc
Sensors      | xxyyzz
Employees    | none (no PSK attributes returned, so the WLAN PSK applies)
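As an added example (not WLC or ISE code), what Identity PSK changes at the 4-way handshake: MAC filtering sends the client MAC to ISE, the Access-Accept may carry psk-mode and psk AV-pairs, and the controller derives the PMK from that passphrase instead of the WLAN's PSK. A client holding another group's passphrase, or a MAC for which ISE returns no PSK attributes, ends up with a different PMK and the handshake fails. The SSID, MACs and passphrases are constructed, and the hex mode handling is an assumption about the format.

```python
"""Identity PSK: per-MAC passphrase from AAA, PMK derivation, handshake check.
Added example; SSID, MACs and passphrases are constructed."""
import hashlib
import hmac

SSID = "corp-iot"                               # assumption
WLAN_PSK = "Employee-WLAN-Passphrase"           # WLAN-level PSK used when ISE returns no psk

# Constructed ISE MAC-filtering store: MAC -> (group, private PSK or None)
IDENTITY_GROUPS = {
    "aa:bb:cc:00:00:01": ("IOT Devices", "aabbcc-iot-secret-2017"),
    "aa:bb:cc:00:00:02": ("Sensors", "xxyyzz-sensor-secret-2017"),
    "aa:bb:cc:00:00:03": ("Employees", None),   # authorized, but no PSK attributes
}


def ise_authorize(mac):
    """Simulated Access-Accept as a list of Cisco-AVPair values; None means
    Access-Reject for a MAC that is not in the store."""
    group, psk = IDENTITY_GROUPS.get(mac.lower(), (None, None))
    if group is None:
        return None
    return ["psk-mode=ascii", "psk=%s" % psk] if psk else []


def pmk_from_passphrase(passphrase, ssid=SSID):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wlc_pmk_for_client(avpairs):
    """AAA override on the WLC: psk-mode=ascii derives the PMK from the returned
    passphrase; psk-mode=hex (assumed to carry the 64-hex PMK) uses it directly;
    anything else falls back to the WLAN PSK."""
    pairs = dict(p.split("=", 1) for p in avpairs)
    mode, psk = pairs.get("psk-mode"), pairs.get("psk")
    if mode == "ascii" and psk:
        return pmk_from_passphrase(psk)
    if mode == "hex" and psk:
        return bytes.fromhex(psk)
    return pmk_from_passphrase(WLAN_PSK)


def four_way_handshake_ok(client_mac, client_passphrase):
    """Both sides derive a PMK independently; a mismatch shows up as a MIC
    failure on message 2 of the handshake, modelled here as a constant-time compare."""
    avpairs = ise_authorize(client_mac)
    if avpairs is None:
        return False                            # MAC filtering rejected the client
    return hmac.compare_digest(wlc_pmk_for_client(avpairs), pmk_from_passphrase(client_passphrase))


if __name__ == "__main__":
    for mac, passphrase in (("aa:bb:cc:00:00:01", "aabbcc-iot-secret-2017"),
                            ("aa:bb:cc:00:00:01", "xxyyzz-sensor-secret-2017"),
                            ("aa:bb:cc:00:00:03", "Employee-WLAN-Passphrase")):
        print(mac, passphrase, four_way_handshake_ok(mac, passphrase))
```

The identity here is the MAC address: a device that knows one group's passphrase and spoofs a MAC from that group still gets in, so iPSK is the right tool for devices that cannot run a supplicant, not a replacement for 802.1X where one is available.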

Central Web Authentication (CWA)

CWA is a URL-redirect scenario: the redirect URL and the redirect ACL are centrally configured on ISE and communicated to the WLC via RADIUS.

1. Open SSID with MAC filtering enabled; the host associates and the WLC sends a MAB request to ISE.
2. First authentication session: AuthC succeeds and the AuthZ for the unknown MAC returns the redirect/filter ACL and the portal URL.
3. The host acquires an IP address (DHCP and DNS pass the ACL), which triggers the session state.
4. The host opens a browser; the WLC redirects it to the ISE login page.
5. The host sends its username and password to ISE.
6. Web auth success results in a CoA from ISE to the WLC.
7. MAB re-auth: MAB succeeds, the session lookup matches the policy, and the authorization ACL/VLAN is returned; the server authorizes the user.
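As an added example (not WLC or ISE code) of the URL redirect attributes described earlier and used in step 2 of this CWA flow: parse the url-redirect and url-redirect-acl Cisco AV-pairs out of an Access-Accept, pull the sessionId out of the portal URL, and evaluate the named redirect ACL the way the controller applies it, with permit entries bypassing the redirect and deny entries (including the implicit deny) intercepted. The IP addresses, ACL name and session id are constructed.

```python
"""URL-redirect AV-pairs and redirect-ACL evaluation (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed Access-Accept as (attribute, value) pairs from a RADIUS parser.
ACCESS_ACCEPT = [
    ("User-Name", "00-11-22-33-44-55"),
    ("cisco-av-pair", "url-redirect-acl=ACL-CWA-REDIRECT"),
    ("cisco-av-pair", "url-redirect=https://198.51.100.10:8443/guestportal/"
                      "gateway?sessionId=0a6433010000001a&action=cwa"),
]
WEB_PORTS = {80, 443}


def parse_redirect_avpairs(attrs):
    """Return {'url': ..., 'acl': ...} from the cisco-av-pair attributes."""
    out = {}
    for name, value in attrs:
        if name != "cisco-av-pair":
            continue
        key, _, val = value.partition("=")
        if key == "url-redirect":
            out["url"] = val
        elif key == "url-redirect-acl":
            out["acl"] = val
    return out


def session_id_from_url(url):
    """The sessionId the portal hands back; ISE ties it to the MAB session so the
    later CoA hits the right client."""
    return parse_qs(urlparse(url).query).get("sessionId", [None])[0]


@dataclass
class AclEntry:
    action: str                 # 'permit' bypasses redirect, 'deny' intercepts
    proto: str                  # 'ip', 'tcp', 'udp', 'icmp'
    dst: str                    # CIDR or 'any'
    dport: Optional[int] = None


@dataclass
class RedirectAcl:
    name: str
    entries: List[AclEntry] = field(default_factory=list)

    def _match(self, e, proto, dst_ip, dport):
        if e.proto != "ip" and e.proto != proto:
            return False
        if e.dport is not None and e.dport != dport:
            return False
        return e.dst == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(e.dst)

    def decide(self, proto, dst_ip, dport=None):
        """'bypass' on the first matching permit. On deny, or the implicit deny at
        the end, the WLC redirects web traffic to the portal and drops the rest."""
        for e in self.entries:
            if self._match(e, proto, dst_ip, dport):
                if e.action == "permit":
                    return "bypass"
                break
        return "redirect" if proto == "tcp" and dport in WEB_PORTS else "drop"


# The ACL ISE names must exist on the WLC. It has to permit DNS and the ISE
# portal, or the client can never reach the login page it is redirected to.
ACL_CWA_REDIRECT = RedirectAcl("ACL-CWA-REDIRECT", [
    AclEntry("permit", "udp", "any", 53),
    AclEntry("permit", "tcp", "198.51.100.10/32", 8443),
    AclEntry("deny", "ip", "any"),
])


def apply_authorization(attrs, acls_on_wlc):
    """What the WLC does with the Access-Accept: resolve the named ACL. A name
    that does not exist on the controller silently breaks CWA, so fail loudly."""
    redirect = parse_redirect_avpairs(attrs)
    acl = acls_on_wlc.get(redirect.get("acl"))
    if acl is None:
        raise KeyError("redirect ACL %r is not configured on the WLC" % redirect.get("acl"))
    return redirect["url"], acl


if __name__ == "__main__":
    url, acl = apply_authorization(ACCESS_ACCEPT, {ACL_CWA_REDIRECT.name: ACL_CWA_REDIRECT})
    print("portal:", url, "session:", session_id_from_url(url))
    for flow in (("udp", "192.0.2.53", 53), ("tcp", "198.51.100.10", 8443),
                 ("tcp", "203.0.113.7", 80), ("tcp", "203.0.113.7", 22)):
        print(flow, "->", acl.decide(*flow))
```

Two checks worth running against a real deployment follow from this: the ACL name in the ISE authorization profile must match the WLC ACL byte for byte, and the ACL must permit the portal address and port that appear in the url-redirect value, not just "ISE" in general.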

Other URL-redirect scenarios (posture, MDM)

Thanks to RADIUS CoA, other identity services can be applied after 802.1X or MAB:
1. SSID configured for 802.1X / MAB; the host authenticates.
2. First authentication session: AuthC succeeds and the AuthZ returns the redirect/filter ACL and the URL for posture, MDM, etc.
3. The host acquires an IP address, which triggers the session state.
4. The host opens a browser; the WLC redirects it to ISE for the other service.
5. Posture check, MDM check, client provisioning, etc.
6. RADIUS CoA from ISE to the WLC.
7. 802.1X/MAB re-auth succeeds, the session lookup matches the policy, and the authorization ACL/VLAN is returned; the server authorizes the user.

MDM integration

With an MDM integration ISE can base its authorization on attributes the MDM reports for the device: ISE registered, MDM registered, encryption enabled, PIN locked, jailbroken.

Guest Management

Managing the guest user lifecycle with ISE

- Provisioning (create guest accounts): create a single guest account; import a CSV file for multiple guest accounts
- Notification (give accounts to guests): print account details; send account details via email; send account details via text
- Management (manage guest accounts): view, edit, suspend guest accounts; manage batches of created accounts
- Reporting (report on guests): view and audit reports on individual guest accounts; display management reports on guest accounts

ISE Sponsor Portal

Customizable sponsor pages. Sponsor privileges are tied to a defined sponsor policy:
- roles the sponsor can create
- time profiles that can be assigned
- management of other guest accounts
- single or bulk account creation

ISE Guest Self-Service

Network Based Security

Solution level attack protection: TrustSec (SXP, inline tagging); AVC/NetFlow; local policy with AVC; Umbrella URL filtering; AAA override (VLAN, ACL, QoS)

Integrating security in the network

Network as a Security Sensor (NaaS): detect anomalous traffic; detect user access violations; obtain broad visibility of network traffic.
Network as a Security Enforcer (NaaE): software-defined segmentation to contain an attack; dynamic user groups and consistent policy across the network, users and devices; access control to protect resources.

Network as a Sensor Application Visibility & Control NetFlow

The network gives deep and broad visibility: the network is a key asset for threat detection and control. Discover and classify assets; understand behaviour; design and model policy; enforce policy; active monitoring; network segmentation.

How AVC works on Cisco wireless (AireOS 8.1): visibility, control, context and analytics

- NBAR on the AP: the DPI engine (NBAR2) identifies applications using Layer 7 signatures.
- Performance collection and exporting: application information is collected and exported to the controller every 90 seconds; static NetFlow export feeds Cisco Prime Infrastructure, StealthWatch, LiveAction and others.
- Reporting tool: app visibility and user experience report, e.g. WebEx 3 Mb with 150 ms transaction time, Citrix 10 Mb with 500 ms, ranked high/medium/low.
- Control: use QoS rate limiting to control application bandwidth usage for performance.

8.1 AVC on FlexConnect access points: AVC is supported on Gen 2 FlexConnect APs (AireOS 8.1) with Protocol Pack 14 and the upgraded NBAR engine 23. Real-time information for the last 90 seconds; NetFlow export from the branch AP to the WLC across the WAN; stateful context transfer supported for intra-FlexConnect-group roams.

NetFlow: the heart of network as a sensor

A NetFlow record from the WLC carries who (client MAC, client IP, and the username for dot1x-authenticated sessions), where (SSID, access point MAC), what (packet count, byte count, ToS/DSCP value, application tag) and when. Statistics are sent at an interval of 30 seconds, and a record is sent even for unclassified applications.
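As an added example (not WLC or StealthWatch code), a NetFlow v9 export of the kind a controller emits every interval, built and parsed end to end: a template FlowSet followed by a data FlowSet, then one collector-side pass that flags records with an unclassified application id (which the controller does export) and clients whose byte total in the interval exceeds a threshold. The field ids are the standard NetFlow v9 ones; the username element is Cisco-specific and is left out; every sample value is constructed.

```python
"""NetFlow v9 template + data FlowSet encode/decode and a collector check.
Added example; field ids are standard NetFlow v9, all sample values constructed."""
import struct
from collections import defaultdict

# NetFlow v9 field type -> (name, length in bytes)
FIELDS = {
    1: ("in_bytes", 4), 2: ("in_pkts", 4), 4: ("protocol", 1), 5: ("src_tos", 1),
    7: ("l4_src_port", 2), 8: ("ipv4_src_addr", 4), 11: ("l4_dst_port", 2),
    12: ("ipv4_dst_addr", 4), 56: ("in_src_mac", 6), 95: ("application_id", 4),
}
TEMPLATE_ID = 256
TEMPLATE = [56, 8, 12, 7, 11, 4, 5, 2, 1, 95]      # field order the template declares

# Constructed 30-second records from two wireless clients
SAMPLE = [
    {"in_src_mac": "aa:bb:cc:00:00:01", "ipv4_src_addr": "10.1.10.220",
     "ipv4_dst_addr": "203.0.113.20", "l4_src_port": 51000, "l4_dst_port": 443,
     "protocol": 6, "src_tos": 0xB8, "in_pkts": 1200, "in_bytes": 3_000_000,
     "application_id": 0x0D000007},                  # constructed classified app id
    {"in_src_mac": "aa:bb:cc:00:00:02", "ipv4_src_addr": "10.1.10.221",
     "ipv4_dst_addr": "198.51.100.9", "l4_src_port": 40000, "l4_dst_port": 8443,
     "protocol": 6, "src_tos": 0, "in_pkts": 45000, "in_bytes": 60_000_000,
     "application_id": 0},                           # unclassified
]


def encode_field(name, ln, value):
    if name.startswith("ipv4"):
        return bytes(int(o) for o in value.split("."))
    if name == "in_src_mac":
        return bytes.fromhex(value.replace(":", ""))
    return value.to_bytes(ln, "big")


def decode_field(name, raw):
    if name.startswith("ipv4"):
        return ".".join(str(b) for b in raw)
    if name == "in_src_mac":
        return ":".join("%02x" % b for b in raw)
    return int.from_bytes(raw, "big")


def build_export(records, seq=1, source_id=0):
    """20-byte header + template FlowSet (id 0) + data FlowSet (id 256)."""
    tmpl = struct.pack("!HH",TEMPLATE_ID, len(TEMPLATE))
    for ft in TEMPLATE:
        tmpl += struct.pack("!HH", ft, FIELDS[ft][1])
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(encode_field(FIELDS[ft][0], FIELDS[ft][1], r[FIELDS[ft][0]])
                    for r in records for ft in TEMPLATE)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, seq, source_id)
    return header + tmpl_set + data_set


def parse_export(packet, templates=None):
    """Templates can arrive in an earlier packet, so the cache is passed in;
    data FlowSets whose template is unknown are skipped rather than guessed."""
    templates = {} if templates is None else templates
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not NetFlow v9")
    records, pos = [], 20
    while pos + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[pos:pos + 4])
        body, pos = packet[pos + 4:pos + set_len], pos + set_len
        if set_id == 0:                                  # template FlowSet
            i = 0
            while i + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[i:i + 4])
                templates[tid] = [struct.unpack("!HH", body[i + 4 + 4 * k:i + 8 + 4 * k])
                                  for k in range(n)]
                i += 4 + 4 * n
        elif set_id in templates:                        # data FlowSet
            spec = templates[set_id]
            rec_len = sum(ln for _, ln in spec)
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec, cur = {}, off
                for ft, ln in spec:
                    name = FIELDS.get(ft, ("field_%d" % ft, ln))[0]
                    rec[name] = decode_field(name, body[cur:cur + ln])
                    cur += ln
                records.append(rec)
    return records


def flag_records(records, bytes_threshold=50_000_000):
    """Collector-side checks: unclassified applications and per-client byte
    totals above a threshold within one export interval."""
    per_client, flagged = defaultdict(int), []
    for r in records:
        if r["application_id"] == 0:
            flagged.append(("unclassified", r["in_src_mac"], r["ipv4_dst_addr"]))
        per_client[r["in_src_mac"]] += r["in_bytes"]
    flagged += [("volume", mac, total) for mac, total in per_client.items() if total > bytes_threshold]
    return flagged


if __name__ == "__main__":
    print(flag_records(parse_export(build_export(SAMPLE))))
```

The template cache matters operationally: a collector started after the controller's last template refresh sees only data FlowSets it cannot decode until the next template arrives, which is why a fresh collector "receives NetFlow but shows nothing" for a while.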

Network as an Enforcer Wireless StealthWatch Integration TrustSec for Policy Enforcement Policy Management with ISE Native Policy Management on WLC

Wireless StealthWatch integration: network as a sensor, network as an enforcer (see BRKSEC-3014)

AireOS 8.2 on the 5520/8510/8540 WLC exports NetFlow v9 records (flow telemetry with identity, MAC address and device type) to the StealthWatch Flow Collectors; the StealthWatch Management Console (up to 25 flow collectors) collects and analyses them. When StealthWatch decides to quarantine a client it notifies ISE over pxGrid, and ISE sends a CoA to the WLC to apply the quarantine.

Cisco TrustSec-enabled network segmentation: simplifying enforcement (8.4)

Traditional security policy: IP-based ACLs that grow with every subnet, server and exception, for example

access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec security policy on an identity-enabled infrastructure: roles (Employee, Supplier, Non-compliant) and resources (App Server, Shared Server) with dynamic policy and enforcement across data center, internet and intranet.

Wireless TrustSec support

A. Classification (assigning SGTs): static and dynamic assignments, e.g. 5 Employee, 6 Voice, 7 Partner.
B. Propagation: inline SGT and SXP.
C. Enforcement: Security Group ACL (SGACL).

AP mode | SXPv4 on AP | Inline tagging on AP | SGACL enforcement
Local   | No          | No                   | Yes
Flex    | Yes         | Yes                  | Yes
Mesh    | No          | No                   | Yes (indoor only)

Enforcement is topology and location independent: the policy (SGT) stays with the endpoint, which simplifies ACL management.

Egress policy matrix: the default rule, which can be permit or deny, applies to any source/destination SGT pair without an explicit cell.

Ingress classification, egress enforcement

A user authenticates through the WLC5508 and is classified as Marketing (SGT 5). The packet from SRC 10.1.10.220 to DST 10.1.100.52 carries SGT 5 across the enterprise backbone (Cat3850, Cat6800, Nexus 7000, Nexus 5500, Nexus 2248). At the egress switch the destination is classified (Web_Dir 10.1.100.52: SGT 20; CRM 10.1.200.100: SGT 30) and the SGACL is looked up on the (source SGT, destination SGT) pair:

Source / Destination | Web_Dir (20) | CRM (30)
Marketing (5)        | Permit       | Deny
BYOD (7)             | Deny (SGACL-A)
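As an added example (not a Cisco implementation), the egress enforcement of this figure modelled next to the IP ACL it replaces: the source SGT travels with the packet, the egress switch maps the destination IP to its SGT and looks the pair up in the egress matrix with the default rule as fallback, while the IP ACL has to name subnets and so breaks as soon as the same user shows up from another address or shares a subnet with a different role. The SGT values and the Marketing row are the figure's; the BYOD-to-CRM cell, the subnets, the users and the ACL are constructed.

```python
"""SGACL egress enforcement versus an IP ACL for the same intent (added example)."""
from ipaddress import ip_address, ip_network

SGT = {"Marketing": 5, "BYOD": 7, "Web_Dir": 20, "CRM": 30}
# IP-to-SGT bindings the egress switch holds for the servers
DST_BINDINGS = {ip_network("10.1.100.0/24"): SGT["Web_Dir"],
                ip_network("10.1.200.0/24"): SGT["CRM"]}
# Egress policy matrix {(src_sgt, dst_sgt): action}; (7, 30) is an assumption
EGRESS_MATRIX = {(5, 20): "permit", (5, 30): "deny", (7, 20): "deny", (7, 30): "deny"}
DEFAULT_RULE = "deny"                               # the matrix's default rule


def dst_sgt(dst_ip):
    """Destination classification at egress; 0 is the Unknown SGT."""
    for net, sgt in DST_BINDINGS.items():
        if ip_address(dst_ip) in net:
            return sgt
    return 0


def sgacl_enforce(src_sgt, dst_ip):
    """Returns (action, matched cell); cell None means the default rule fired."""
    cell = (src_sgt, dst_sgt(dst_ip))
    return EGRESS_MATRIX.get(cell, DEFAULT_RULE), (cell if cell in EGRESS_MATRIX else None)


def classify_at_ingress(username, user_to_sgt):
    """Ingress: the WLC assigns the SGT from the ISE authorization result,
    never from the client's address."""
    return user_to_sgt.get(username, 0)


# The same intent as a traditional ACL: (action, src_net, dst_net), first match wins
IP_ACL = [
    ("permit", ip_network("10.1.10.0/24"), ip_network("10.1.100.0/24")),
    ("deny", ip_network("10.1.10.0/24"), ip_network("10.1.200.0/24")),
]


def ip_acl_decide(src_ip, dst_ip):
    for action, s, d in IP_ACL:
        if ip_address(src_ip) in s and ip_address(dst_ip) in d:
            return action
    return "deny"                                   # implicit deny


def compare(username, src_ip, dst_ip, user_to_sgt):
    """Side-by-side decision for one flow."""
    sgt = classify_at_ingress(username, user_to_sgt)
    return {"sgacl": sgacl_enforce(sgt, dst_ip)[0], "ip_acl": ip_acl_decide(src_ip, dst_ip)}


if __name__ == "__main__":
    users = {"marketing-user": SGT["Marketing"], "byod-user": SGT["BYOD"]}
    print(compare("marketing-user", "10.1.10.220", "10.1.100.52", users))
    print(compare("marketing-user", "10.1.77.5", "10.1.100.52", users))   # roamed
    print(compare("byod-user", "10.1.10.221", "10.1.100.52", users))      # same subnet
```

The two mismatches in the output are the point of the slide: the roamed Marketing user is still permitted by the SGACL but denied by the stale IP ACL, and the BYOD device sitting in the Marketing subnet is permitted by the IP ACL because an address cannot express a role.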

TrustSec East-West Traffic Use Case: Role-Based Segmentation
- Data center access is controlled by the role of the user, not by the VLAN: Employee (VLAN Data-1) and Supplier (VLAN Data-2) receive an Employee Tag or Supplier Tag at the wired or wireless edge.
- ISE distributes the policy; a TrustSec-enabled WLC and AP receive policy only for the tags that are actually connected.
- The DC switch enforces between Shared Services, Remediation and Application Servers based on the tags arriving over the enterprise backbone.

TrustSec Demo

How About Policies?
- Differentiating user groups
- Keeping untrusted devices out
- Basic access vs. full access

ISE for Network-Wide Unified Policy Enforcement
ISE builds context from identity (WHO), device (WHAT), location (WHERE), time (WHEN) and access method (HOW). Examples from the slide: KG, Employee, 2 pm; TonyS, Consultant, 6 pm; FrankLo, Guest, 9 am; a personal, employee-owned iPad. Identity methods: 802.1X, iPSK, MAB, WebAuth. ISE functions: profiling, posture, guest access. Enforcement points: wireless LAN controller, access points, switches, routers.

Client Context and Policies: Control and Enforcement
1. Identity: 802.1X EAP machine/user authentication against ISE over RADIUS.
2. Profiling to identify the device, using ISE probes (HTTP, NetFlow, SNMP, DNS, RADIUS, DHCP): company asset or personal asset.
3. Posture of the device.
4. Policy decision, using context such as location (HQ) and time (2:38 pm).
5. Unified Access Management enforcement on the access point and wireless LAN controller: dACL, VLAN, SGT.
6. Full or partial access granted: corporate resources for the company asset, Internet only for the personal asset.

Local Profiling and Policy on WLC: Native WLC Options to Build BYOD
Inputs (conditions): access method, user role, device type, time of day, authentication type.
Results (enforcement elements): VLAN, Access Control List, Quality of Service, AVC, Bonjour service policy.

ISE and Wireless LAN Controller profiling support:

ISE
- Profiling using RADIUS, DHCP, HTTP, SNMP, DNS and NetFlow probes
- Multiple attributes per policy action
- Profiling rules can be customized

Wireless LAN Controller
- Profiling based on MAC OUI, DHCP and HTTP User-Agent
- Policy action attributes: VLAN, ACL, session timeout, QoS
- Default profiling rules
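The WLC-local profiling path, as an added example in Python (not Cisco code and not the WLC's actual rule engine). It classifies a client from the three signals the slide lists (MAC OUI, DHCP fingerprint, HTTP User-Agent) and maps the device class plus user role to the local policy actions the slide lists (VLAN, ACL, session timeout, QoS). The OUI table, the DHCP option 55 fingerprints, the device classes, the rule order and the policies are constructed for the example and stand in for the WLC's default rules.

```python
"""WLC-local device profiling and local policy, modelled in Python.

Added example, not Cisco code. Tables, rules and policies are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed vendor table: first three octets of the MAC -> vendor.
OUI_VENDORS: Dict[str, str] = {"00:1C:B3": "Apple", "3C:5A:B4": "Google", "00:50:56": "VMware"}

# Constructed DHCP fingerprints: option 55 parameter request list -> device class.
DHCP_FINGERPRINTS: Dict[str, str] = {
    "1,121,3,6,15,119,252": "Apple-iDevice",
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows-Workstation",
    "1,3,6,15,26,28,51,58,59,43": "Android",
}


@dataclass(frozen=True)
class Policy:
    vlan: int
    acl: str
    session_timeout: int   # seconds
    qos: str


# Ordered rules: (device class or None, user role or None) -> policy.
# None is a wildcard; the first matching rule wins, so specific rules go first.
LOCAL_POLICIES: List[Tuple[Tuple[Optional[str], Optional[str]], Policy]] = [
    (("Windows-Workstation", "Employee"), Policy(10, "corp-full", 86400, "platinum")),
    (("Apple-iDevice", "Employee"), Policy(20, "internet-only", 3600, "silver")),
    (("Android", "Employee"), Policy(20, "internet-only", 3600, "silver")),
    ((None, "Contractor"), Policy(20, "internet-only", 3600, "bronze")),
]
# No rule matched: fail closed rather than silently permitting.
DENY_POLICY = Policy(999, "deny-all", 600, "bronze")


def classify(mac: str, dhcp_opt55: Optional[str] = None, user_agent: Optional[str] = None) -> str:
    """Return a device class, weighing evidence from most to least specific:
    HTTP User-Agent, then DHCP fingerprint, then OUI.

    All three signals are supplied by the client, so the class supports a
    policy decision but is not an identity: a spoofed MAC or User-Agent
    changes the result. Whether a Windows laptop is IT-provisioned or personal
    cannot be seen here at all; that needs 802.1X machine authentication."""
    ua = (user_agent or "").lower()
    if "ipad" in ua or "iphone" in ua:
        return "Apple-iDevice"
    if "windows nt" in ua:
        return "Windows-Workstation"
    if "android" in ua:
        return "Android"
    fingerprint_class = DHCP_FINGERPRINTS.get(dhcp_opt55 or "")
    if fingerprint_class:
        return fingerprint_class
    vendor = OUI_VENDORS.get(mac.upper()[:8])
    if vendor == "Apple":
        return "Apple-Device"       # OUI alone cannot tell a Mac from an iPad
    if vendor == "VMware":
        return "Virtual-Machine"
    return "Unknown"


def local_policy(device_class: str, user_role: Optional[str]) -> Policy:
    """Pick the first rule whose device class and role both match (None matches anything)."""
    for (cls, role), policy in LOCAL_POLICIES:
        if (cls is None or cls == device_class) and (role is None or role == user_role):
            return policy
    return DENY_POLICY


if __name__ == "__main__":
    ipad = classify("00:1c:b3:12:34:56", "1,121,3,6,15,119,252",
                    "Mozilla/5.0 (iPad; CPU OS 10_3 like Mac OS X)")   # constructed client
    print(ipad, local_policy(ipad, "Employee"))
    print("Unknown", local_policy("Unknown", "Employee"))
```

The ordering of the rule list is the security-relevant detail: wildcard rules placed above specific ones silently widen access, so keep the catch-all rules last and the fall-through result a deny.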

Policies for Applications and Services
1. Cisco Umbrella
2. URL filtering
3. AVC
4. mDNS and Bonjour services

WLC Integration with Cisco Umbrella: Policy Tie-in to Cisco Umbrella

Cisco Umbrella for Content Filtering (8.4): Why Care About DNS?
- Cloud-based web filtering: a low-cost architecture that uses recursive DNS, so it covers network, mobile, virtual, endpoint and cloud apps alike.
- Threat management: data analysis methods applied to DNS traffic.
- Insightful reporting: powerful reporting and analytics.

Cisco Umbrella with WLC
A client on the ACME network sends a DNS query towards its configured DNS server (10.1.1.1, or an external DNS proxy). The WLC intercepts the DNS packet and redirects the query to the Umbrella cloud resolver at 208.67.220.220; the DNS response returns through the WLC. ACME's policies block gaming sites. Content filtering and whitelisting at the DNS layer can be applied per WLAN, per AP group, or per local policy. Note that DNS-layer filtering governs name resolution only: a client that resolves names over DoH/DoT or connects to a literal IP address is not filtered unless that traffic is blocked separately.

Role-Based Policy with Cisco Umbrella: OpenDNS Profile Mapping in Local Policy
The AAA user role selects the Umbrella profile: Contractor -> Contractor Policy, Employee -> Employee Policy. The client's DNS query goes to the Cisco Umbrella cloud and is answered according to that profile's policy. (Related sessions: BRKSEC-2980, LABSEC-2006.)

Location-Based Policy with Cisco Umbrella: OpenDNS Profile Mapping in AP Group
The AP group selects the profile: Corporate HQ -> Corporate Policy, Branch Office -> Branch Policy.
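The interception and the three profile bindings from the Umbrella slides, as an added example in Python (not Cisco code and not the WLC's implementation). Assumptions: the precedence local policy (AAA role) over AP group over WLAN is assumed, as are the mode names `forced` (steer every client DNS query to Umbrella regardless of the server the client configured) and `ignore` (leave DNS alone); the WLAN-level profile name, client MACs and the DNS query built inline are constructed. The resolver address 208.67.220.220 and the profile names are the slides' own.

```python
"""WLC DNS interception and Umbrella profile selection, modelled in Python.

Added example, not Cisco code. Precedence and mode names are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

UMBRELLA_RESOLVER = "208.67.220.220"   # Umbrella cloud resolver from the slide


@dataclass
class Client:
    mac: str
    wlan: str
    ap_group: str
    user_role: Optional[str] = None   # AAA user role, if the client authenticated


# Profile bindings at the three levels the slides show.
WLAN_PROFILES = {"ACME-Corp": "ACME Default Policy"}                                  # constructed
AP_GROUP_PROFILES = {"Corporate HQ": "Corporate Policy", "Branch Office": "Branch Policy"}
LOCAL_POLICY_PROFILES = {"Contractor": "Contractor Policy", "Employee": "Employee Policy"}


def select_profile(c: Client) -> Optional[str]:
    """Most specific binding wins (assumed order): local policy > AP group > WLAN."""
    if c.user_role in LOCAL_POLICY_PROFILES:
        return LOCAL_POLICY_PROFILES[c.user_role]
    if c.ap_group in AP_GROUP_PROFILES:
        return AP_GROUP_PROFILES[c.ap_group]
    return WLAN_PROFILES.get(c.wlan)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query, used as constructed test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN


def parse_qname(packet: bytes) -> str:
    """Decode the question name (questions are never compressed), enough to log it."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    labels, pos = [], 12
    while True:
        n = packet[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


@dataclass
class Verdict:
    dst_ip: str
    profile: Optional[str]
    qname: Optional[str]
    intercepted: bool


def intercept(c: Client, dst_ip: str, dst_port: int, payload: bytes, mode: str = "forced") -> Verdict:
    """Steer a client's plain UDP/53 query to Umbrella under the selected profile.
    Anything that is not plain DNS (DoH on 443, DoT on 853, a literal-IP
    connection) passes through untouched and is therefore not filtered."""
    if mode == "ignore" or dst_port != 53:
        return Verdict(dst_ip, None, None, False)
    return Verdict(UMBRELLA_RESOLVER, select_profile(c), parse_qname(payload), True)


if __name__ == "__main__":
    branch = Client("aa:bb:cc:dd:ee:01", "ACME-Corp", "Branch Office")   # constructed
    print(intercept(branch, "10.1.1.1", 53, build_query("games.example.com")))
    print(intercept(branch, "1.1.1.1", 443, b""))   # DoH: not intercepted
```

The second usage call is the caveat in code: the redirect catches the query to 10.1.1.1, but a client that switched to DNS over HTTPS never hits the interception path, so an egress ACL for DoH/DoT resolvers belongs next to the Umbrella policy.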

Cisco Umbrella Demo

Application Visibility and Control: Policy Tie-in to AVC

Granular Filtering with Policy Tie-in to AVC

Role-based application policy: Alice (Sales) and Bob (IT Admin) are both employees connected to the same SSID; Alice can access certain applications (YouTube), Bob cannot.
Role-based plus device-type policy: Alice can access inventory information on an IT-provisioned Windows laptop, but not on her personal iPad.
Role-based plus device-type plus application-specific policy: Alice has limited (rate-limited) access to Jabber on her iPhone.

AVC feature history by AireOS release:
- 7.4: AVC
- 7.5: dynamic protocol pack update
- 7.6: Jabber and Lync 2013 support
- 8.0 and 8.1: user- and device-aware policies; ability to classify Apple iOS, Windows and Android upgrades
- 8.2: Wi-Fi calling and Skype for Business; UserId plus IP flow in the NetFlow export to the StealthWatch collector

AVC (Application Visibility and Control): Per-User Profiles via AAA
The WLC applies the AVC profile returned by RADIUS as a Cisco av-pair:
    cisco-av-pair = "avc-profile-name=AVC-Employee"   (Employee)
    cisco-av-pair = "avc-profile-name=AVC-Contract"   (Contractor)
On the slide, the Employee profile covers YouTube, Facebook and Skype, and the Contractor profile covers BitTorrent, Facebook and Skype; the per-application action (mark, drop, rate-limit) is set inside each profile.
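What those av-pairs look like on the wire, as an added example in Python (not Cisco or ISE code). It encodes the AAA-override attributes behind this slide and behind the IoT SSID slide later in the deck as RADIUS Vendor-Specific Attributes (RFC 2865 attribute 26): the per-role AVC profile, an interface (VLAN) and ACL name, and for Identity PSK the `psk-mode`/`psk` av-pairs with a per-group VLAN. Vendor IDs and vendor types used: Cisco 9 / Cisco-AVPair 1, Airespace 14179 / Airespace-Interface-Name 5 and Airespace-ACL-Name 6. The interface names, ACL names and the MAC-to-group registry are constructed; the PSK values reuse the slide's placeholders.

```python
"""RADIUS AAA-override attributes for the WLC, encoded as Vendor-Specific
Attributes (RFC 2865, attribute 26).

Added example, not Cisco or ISE code. Names and the MAC registry are constructed.
"""
import struct
from typing import Dict, List, Tuple

VSA_TYPE = 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME, AIRESPACE_ACL_NAME = 14179, 5, 6


def vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length Value."""
    data = value.encode("utf-8")
    if len(data) > 247:            # 255-byte attribute limit minus the 8 header bytes
        raise ValueError("value too long for a single VSA")
    vendor_length = 2 + len(data)
    header = struct.pack("!BBIBB", VSA_TYPE, 6 + vendor_length, vendor_id, vendor_type, vendor_length)
    return header + data


def cisco_avpair(pair: str) -> bytes:
    return vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, pair)


def enterprise_override(role: str) -> List[bytes]:
    """Enterprise SSID: AVC profile, interface (VLAN) and ACL by AAA user role.
    The WLC honours these only when AAA Override is enabled on the WLAN."""
    if role == "Employee":
        return [cisco_avpair("avc-profile-name=AVC-Employee"),
                vsa(AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME, "employee-vlan10"),
                vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, "employee-acl")]
    if role == "Contractor":
        return [cisco_avpair("avc-profile-name=AVC-Contract"),
                vsa(AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME, "contractor-vlan20"),
                vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, "contractor-acl")]
    raise ValueError(f"no override defined for role {role!r}")


# IoT SSID: device group -> (PSK, interface); constructed registry keyed by MAC.
IOT_GROUPS: Dict[str, Tuple[str, str]] = {
    "IoT Sensors": ("aabbcc", "iot-sensors-vlan30"),
    "IoT Lighting": ("eeffgg", "iot-lighting-vlan10"),
    "Smart Devices": ("xxyyzz", "smart-devices-vlan20"),
}
IOT_ENDPOINTS: Dict[str, str] = {
    "00:11:22:33:44:55": "IoT Sensors",
    "00:11:22:33:44:66": "IoT Lighting",
}


def ipsk_override(mac: str) -> List[bytes]:
    """Identity PSK: the WLC sends the client MAC to ISE; ISE answers with the
    group's key and interface, and the WLC runs the 4-way handshake with that
    key. The key rides in a plain Cisco-AVPair, which RADIUS does not encrypt
    (only User-Password and Tunnel-Password are obfuscated), so protect the
    ISE-to-WLC path with RadSec or IPsec. Unknown MACs raise here; whether ISE
    rejects them or falls back to the WLAN key is a configuration choice."""
    group = IOT_ENDPOINTS.get(mac.lower())
    if group is None:
        raise LookupError(f"{mac} is not in any IoT group")
    psk, interface = IOT_GROUPS[group]
    return [cisco_avpair("psk-mode=ascii"), cisco_avpair(f"psk={psk}"),
            vsa(AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME, interface)]


def decode_vsas(blob: bytes) -> List[Tuple[int, int, str]]:
    """Parse a run of VSAs back into (vendor id, vendor type, value), with length checks."""
    out, pos = [], 0
    while pos < len(blob):
        attr_type, length = blob[pos], blob[pos + 1]
        if attr_type != VSA_TYPE or length < 8 or pos + length > len(blob):
            raise ValueError(f"malformed attribute at offset {pos}")
        vendor_id, vendor_type, vendor_length = struct.unpack("!IBB", blob[pos + 2:pos + 8])
        if vendor_length != length - 6:
            raise ValueError(f"vendor length mismatch at offset {pos}")
        out.append((vendor_id, vendor_type, blob[pos + 8:pos + length].decode("utf-8")))
        pos += length
    return out


if __name__ == "__main__":
    for attr in enterprise_override("Employee") + ipsk_override("00:11:22:33:44:55"):
        print(attr.hex(), decode_vsas(attr))
```

`decode_vsas` is the check to run against a packet capture of a real Access-Accept: if the WLC ignores an override, a wrong vendor type or a missing `psk-mode` pair is usually visible there before anything else.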

mDNS/Bonjour Service: Policy Tie-in to mDNS

mDNS and Bonjour Services
- mDNS profiles: filter by WLAN and VLAN, and select which services are offered.
- mDNS profile with local policy: services per user and per device.
- mDNS policies: services based on AP location and user role, using mDNS service instance groups.
Example from the slide: the Teacher Service Profile offers AirPrint, AirPlay and File Share, and the Teacher service instance list contains Apple TV1 (Apple TV2 sits on the Teacher network). The Student Service Profile offers AirPlay, File Share and AirPrint, and the Student service instance list contains Apple TV1 and iTunes Sharing (Student network).

Consolidate, Secure and Segment: Enterprise Use Case for Workforce, IoT and Guest Access

Consolidate, Secure, Segment: Wireless Security for Workforce, IoT and Guest

Consolidate SSIDs:

    SSID             User category                            L2/L3 security
    Enterprise SSID  Employees, contractors, BYOD devices     802.1X, BYOD, CWA
    IoT SSID         IoT devices such as sensors and robots   Identity PSK
    Guest SSID       Guest users                              Web authentication

Secure the clients:
- Policy based on user role, device, time of day and authentication type: ACL, QoS, AVC profile, mDNS profile, OpenDNS policy.
- AAA override: VLAN-based segmentation by user role and identity with a single SSID; VLAN-based segmentation by IoT device group with a single PSK SSID.
- Specific users can be quarantined or rate-limited.

Secure the air:
- Rogue detection, basic wIPS, advanced wIPS, CleanAir for interferers.
- Management frame protection using MFP and 802.11w.

Segment and secure the network:
- SGT/TrustSec segmentation by function (e.g. Marketing, Sales, HR); SGT override for IoT device groups.
- Cisco Umbrella/OpenDNS policy based on SSID, AP group and local policy.
- StealthWatch integration.
- Encrypted mobility tunnels between controllers in the mobility group and the guest anchor; secure WLC-to-AP connection using DTLS.

Trust: Wireless Common Criteria, Federal Information Processing Standard (FIPS), and the Department of Defense Unified Capabilities (UC) Approved Products List (APL).

Enterprise SSID Security and Segmentation
Marketing, Sales and Contractor users authenticate with 802.1X on the Enterprise SSID; ISE returns an AAA override and the WLC's policy classification engine applies the per-role policy:

    User role    VLAN   Application (AVC)            Apple devices (mDNS profile)   Umbrella policy
    Marketing    10     Mark (QoS) Webex, Jabber     Apple TV, Printer, iTunes      Block eBay
    Sales        10     Mark (QoS) Webex, Jabber     Apple TV, Printer, iTunes      Block eBay
    Contractor   20     Drop YouTube, Facebook       Printer only                   Block eBay, CNN, BBC

Category-based filtering comes from the Umbrella policy; VLAN-based segmentation uses AAA override (Employee VLAN 10, Contractor VLAN 20); Apple device access is controlled via the mDNS profile.

Micro-segmentation using Cisco TrustSec (Scalable Group Tags and SGACLs): Marketing SGT 4, Sales SGT 5, Contractors SGT 6. Access to the backend servers: SGT 4 Permit, SGT 5 Permit, SGT 6 Deny.


IoT SSID Security and Segmentation
Devices join the IoT SSID with Identity PSK: ISE returns the per-group key, and the AAA override places each device group in its own VLAN and SGT:

    Device group    PSK      VLAN   ACL      SGT   Backend servers (SGACL)
    IoT Sensors     aabbcc   30     Permit   4     Permit
    IoT Lighting    eeffgg   10     Permit   5     Deny
    Smart Devices   xxyyzz   20     Deny     6     Deny

(The PSK values are placeholders from the slide.)

Consolidate, Secure, Segment: Wireless Security for Guest
The same consolidate/secure/segment matrix applies, with the guest-specific points: the IoT category is described as mission-specific IoT devices such as sensors and robots; guests use web authentication; guest traffic is segmented by anchoring it to the DMZ over the encrypted mobility tunnel to the guest anchor controller; Umbrella policy applies by SSID, AP group or local policy. Trust: Common Criteria (CC), FIPS, and the DoD UC APL.

Guest SSID Security and Segmentation
Guests authenticate with web auth on the Guest SSID. Guest traffic is tunnelled to the anchor WLC and lands in VLAN 50 with SGT 7; ISE's AAA override feeds the policy classification engine:

    User role   VLAN   Application (AVC)                       QoS          Umbrella policy      SGT   Backend servers (SGACL)
    Guest       50     Mark (QoS) Webex, Jabber; drop YouTube  Rate-limit   Block news, sports   7     Deny

Category-based filtering comes from the Umbrella policy; role-based access control (guest vs. employee server) comes from the Scalable Group Tag and SGACLs.

Key Takeaways for an End-to-End Wireless Security Solution
- Take a defense-in-depth approach: add security layers that complement one another, at different places in the network. What one misses, the other catches.
- Complexity and security are inversely proportional. Take a simple approach to designing network security policy, and break the overall policy into smaller managed pieces so that it stays efficient to build and maintain.
- A BYOD strategy must consider all mobile worker types and functions before solutions are deployed.
- Try it first (e.g. a proof of concept) before network-wide implementation.


Thank you