
BITES 2006, Cisco Systems, sijones@cisco.com


Presentation Transcript


  1. BITES 2006, Cisco Systems, sijones@cisco.com

  2. Core aspects of BSF
     • Transforming Education: putting the learner at the centre, citizenship, skills
     • Efficiency: workforce reform, buildings, energy, security
     • Social Inclusion: equal access, Every Child Matters (ECM, ICS)
     • Regeneration, community and economic: extended schools, home access, business
     • Long-term partnerships

  3. BSF?
     • ‘Birmingham Society of the Future’
     • Programme and procurement dominated or led by the needs of communities
     • Steady and progressive transformation over a longer term
     • Will learners be measured by Government, or be asked for feedback about their learning environments?

  4. Agenda for today
     • ‘Connected Learning’
     • Multi-service wireless
     • Secure wireless
     • What should you be looking out for?

  5. Four Steps To Transformation
     • Step 1: Connect all buildings and provide access to critical information
     • Step 2: Implement network-based applications to improve administrative efficiency
     • Step 3: Put teacher proficiency and productivity first
     • Step 4: Create a student-centred learning environment to achieve academic excellence

  6. Intelligent Information Network: IP networking adoption, 2006 to 2015
     • Connected Schools (Opex reduction): communications over IP, integrated wiring on Ethernet, toll bypass, data simplification
     • Efficient Schools (network simplification): service virtualisation, data centre, integrated security, virtualised call control, user mobility, virtual and e-learning
     • Optimised Schools (new capabilities): adaptive resources, personalised learning (MLEs), collaboration software, rich communications, automation, on-demand data centre

  7. Cisco Connected Learning Solutions: Transforming Education
     • Goals: academic excellence, administrative efficiency
     • Solutions: Unified Communications, Virtual Classroom, Intelligent Buildings, Video Infusion
     • Foundation: Intelligent Information Network, Self-Defending Network, Secure Wireless, IP network

  8. Cisco Connected Learning: Model for 21st Century Education

  9. 1. Education Model
     • Learning is an active process, one that involves collaboration, problem solving and critical thinking with mentor support from teachers
     • Government policy focused on transforming education using technology as a catalyst
     • Student focused, catering for individual needs and personalisation
     • Relevant and authentic learning opportunities
     • Prepares for lifelong learning
     • Community focused and provides relevant skills and knowledge
     • Open ended

  10. 2. Learning Environment
     Organisational
     • Technology as a teaching and learning tool
     • Technology for assessment
     • Flexible and adaptable VLE
     Community
     • Environment enables communities to be built
     • Accessible from anywhere, anytime
     • Builds structures for a learning environment between home and school, and for lifelong learning
     • Potential to involve all members of the community
     • Schools as centres of the community
     • Global and national reach

  11. 2. Learning Environment
     Classroom organisation
     • Structured for a 21st century working and learning environment
     • Flexible yet managed
     • Allows for group, individual and whole-class work
     Student-focused environment
     • Provides authentic and autonomous learning
     • Learning how to learn
     • Peer teaching and learning opportunities
     • Curriculum arises out of real community needs
     • Development of autonomy, critical thinking and problem-solving skills

  12. Secure Wireless
     • Teaching and learning: laptop, PDA, projector, wireless slate
     • Security: access, assets, mobile CCTV, mobile alerts/paging
     • IP telephony: staff communications
     • Guest access: community, parents, inspections
     • Outdoor: sports events, weather view
     • Flexible ICT during refurbishment

  13. Secure Wireless

  14. Secure Wireless (same content as slide 12)

  15. Agenda
     • Business-critical wireless
     • WLAN security leadership
     • Cisco Unified Wireless Network
     • Cisco Self-Defending Network
     • Keep clients safe
     • Keep clients honest
     • Protect the network

  16. Wireless Goes Business Critical: The Emerging Enterprise Market
     Chart: enterprise wireless market in $ millions, growing at 40% per annum (CAGR): FY’04 $640, FY’05 $1000, FY’06 $1400, FY’07 $1960, FY’08 $2740
     Phases along the curve: initial office deployments (verticals, PWLAN); mainstream enterprise (office, location, mesh networking); all-wireless branch, dual-mode voice

  17. Cisco WLAN Security Leadership and Innovation
     • Industry's first implementation of 802.1X/EAP authentication and dynamic key derivation
     • Chaired and led the 802.11i work group
     • Wrote or co-wrote many EAP RFCs
     • Technical leadership role in Fast Secure Roaming (802.11r)
     • Industry-leading, patent-pending rogue detection, mitigation and suppression
     • Continuing to innovate with the Self-Defending Network: location-enabled security, access control / IDS alerts
     • Invented host posture analysis (NAC)
     • Invented Management Frame Protection (MFP)
     • Invented Self-Defending Network (NIC)

  18. Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
     Cisco strategy, an initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats
     • Keep Clients Safe (endpoint protection): strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies
     • Keep Clients Honest (admission control): Network Admission Control, guest access
     • Protect the Network (anomaly and IDS/IPS): rogue AP detection and containment, multilayer client exclusions
     • Integrated management

  19. Keep Clients Safe (endpoint protection): Implementation Checklist for Secure Wireless LANs
     • Strong mutual authentication
     • Strong encryption
     • True wireless IPS
     • Adaptive client policies

  20. What are WPA and WPA2?
     Wi-Fi Protected Access: authentication and encryption standards for Wi-Fi clients and APs. Both use 802.1X authentication; WPA uses TKIP encryption, WPA2 uses AES (CCMP) encryption.
     Which should I use? Go for the Gold! Silver if you have legacy clients; Lead if you absolutely have no other choice (i.e. ASDs).
     • Gold: WPA2/802.11i, EAP, AES
     • Silver: WPA, EAP, TKIP
     • Lead: dynamic WEP (legacy), EAP/LEAP, VLANs + ACLs
     Caveat: LEAP is a legacy option only; its MS-CHAP-based exchange is broken by the ASLEAP tool listed on slide 22, so any ‘Lead’ deployment still using LEAP should migrate to EAP-FAST, PEAP or EAP-TLS.

  21. How does Extensible Authentication Protocol (EAP) authenticate clients?
     Parties: WLAN client, access point/controller, RADIUS server, corporate network
     • The client associates to the AP
     • Data from the client is blocked by the AP: it cannot send data until EAP authentication is complete (EAP carried over 802.1X between client and AP, over RADIUS between AP and RADIUS server)
     • Once EAP authentication completes, data from the client is passed by the AP into the corporate network

  22. What makes 802.11 vulnerable to attacks?
     Most common attacks are against management frames (Cisco MFP protected)
     Common attack tools: VOID11, Aireplay, File2air, Airforge, ASLEAP, Jack attacks, FakeAP, Hunter/Killer

  23. Management Frame Protection (MFP)
     • A solution for clients and infrastructure (APs)
     • Clients and APs add a MIC (signature) to every management frame
     • Anomalies are detected instantly and reported to the Wireless Control System (WCS)
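The attack tools on slide 22 work because a legacy client obeys any deauthentication or disassociation frame that carries its AP's BSSID; nothing in the frame proves who sent it. The following is an added example (not code from the deck or from Cisco) of the idea behind MFP and, later, 802.11w: the AP and client share a key, every management frame carries a MIC over its header and body plus a replay counter, and the receiver treats a missing MIC, a bad MIC or a repeated counter as an anomaly to report. The frame layout, key derivation and 8-byte truncated HMAC are simplifying assumptions for illustration, not Cisco's MFP wire format.

```python
"""Added example: forged vs MIC-protected 802.11 management frames.
Frame layout, key and MIC length are assumptions, not Cisco's MFP format."""
import hmac
import hashlib
import struct
from dataclasses import dataclass

DEAUTH = 0xC0          # frame-control byte: type=management, subtype=deauthentication
MIC_LEN = 8            # assumption: truncated HMAC tag carried in the frame


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


@dataclass
class MgmtFrame:
    subtype: int
    dst: bytes          # receiver address (6 bytes)
    bssid: bytes        # transmitter / BSSID (6 bytes)
    seq: int            # monotonically increasing replay counter
    body: bytes         # e.g. the 2-byte deauth reason code
    mic: bytes = b""    # empty on legacy (unprotected) frames

    def authenticated_bytes(self) -> bytes:
        # Everything the MIC covers; none of it can be altered without detection
        return struct.pack("!B6s6sI", self.subtype, self.dst, self.bssid, self.seq) + self.body


def compute_mic(key: bytes, frame: MgmtFrame) -> bytes:
    return hmac.new(key, frame.authenticated_bytes(), hashlib.sha256).digest()[:MIC_LEN]


def protect(key: bytes, frame: MgmtFrame) -> MgmtFrame:
    frame.mic = compute_mic(key, frame)
    return frame


def legacy_receive(frame: MgmtFrame) -> str:
    """Pre-MFP client: any frame carrying the AP's BSSID is obeyed."""
    return "obeyed"


class MfpReceiver:
    """Client sharing a key with its AP and tracking the last sequence number seen."""

    def __init__(self, key: bytes, bssid: bytes):
        self.key, self.bssid, self.last_seq = key, bssid, -1

    def receive(self, frame: MgmtFrame) -> str:
        if frame.bssid != self.bssid:
            return "ignored"                 # not our AP at all
        if len(frame.mic) != MIC_LEN:
            return "anomaly:missing-mic"     # forged by a tool that cannot add a MIC
        if not hmac.compare_digest(compute_mic(self.key, frame), frame.mic):
            return "anomaly:bad-mic"         # forged or tampered with
        if frame.seq <= self.last_seq:
            return "anomaly:replay"          # genuine frame captured and replayed
        self.last_seq = frame.seq
        return "obeyed"


def demo() -> dict:
    ap_key = hashlib.sha256(b"constructed demo key").digest()  # constructed; derived at association in reality
    ap, client = mac("00:0b:85:11:22:33"), mac("00:40:96:aa:bb:cc")  # constructed addresses
    reason_unspecified = struct.pack("!H", 1)
    rx = MfpReceiver(ap_key, ap)
    results = {}

    # Genuine deauth from the AP, protected with the shared key
    real = protect(ap_key, MgmtFrame(DEAUTH, client, ap, seq=1, body=reason_unspecified))
    results["genuine"] = rx.receive(real)

    # Spoofed deauth of the kind aireplay-style tools inject: our BSSID, no MIC
    spoofed = MgmtFrame(DEAUTH, client, ap, seq=2, body=reason_unspecified)
    results["spoofed_legacy_client"] = legacy_receive(spoofed)
    results["spoofed_mfp_client"] = rx.receive(spoofed)

    # Attacker guesses a MIC without knowing the key
    guessed = MgmtFrame(DEAUTH, client, ap, seq=3, body=reason_unspecified, mic=b"\x00" * MIC_LEN)
    results["bad_mic"] = rx.receive(guessed)

    # Attacker replays the captured genuine frame
    results["replay"] = rx.receive(real)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The contrast to look for is the same spoofed frame: the legacy client obeys it and drops off the network, while the MFP-style client refuses it and has something concrete to report. In a real deployment the report, not the refusal, is what matters, since it is what lets the controller locate the attacking radio.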

  24. CCX: Driving Security Standardization
     • CCX v1: 802.1X authentication (EAP-TLS and LEAP), Cisco pre-standard TKIP, client rogue reporting
     • CCX v2: WPA compliance, fast roaming with CCKM, PEAP
     • CCX v3: WPA2 compliance, EAP-FAST, CCKM with EAP-FAST, AES encryption
     • CCX v4: CCKM with EAP-TLS and PEAP, WIDS, MBSSID
     • CCX v5: MFP, client policies

  25. Security and WLAN Clients
     • Trend: embedded adapters in most devices
     • Result: adapter reference designs in most devices
     • How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?
     • Options:
       • Try to standardize on adapters from one vendor
       • Use WPA/WPA2 “extended EAP” certified clients
       • Rely on what is available in Windows
       • Use a commercial supplicant suite
       • Support a mix of authentication types
       • Use Cisco Compatible Extensions (CCX) adapters

  26. Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy (section divider; same content as slide 18)

  27. Keep Clients Honest (admission control): Implementation Checklist for Secure Wireless LANs
     • Network Admission Control
     • Guest access

  28. The Need for Admission Control
     • Viruses, worms, spyware, etc. continue to plague organizations
     • Viruses are still the #1 cause of financial loss* (downtime, recovery, productivity, etc.)
     • Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance
     • Unprotected endpoint devices are often responsible for spreading infection
     • Ensuring that devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive
     “Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage.” – Burton Group
     *2005 FBI/CSI Report

  29. NAC2: Ubiquitous Admission Control. CTA-capable endpoints with NAC-capable 802.1X supplicants
     Components: endpoint with CTA and supplicant; Network Access Device (NAD); ACS; vendor posture server; authentication databases. Protocols: EAP over 802.1X (endpoint to NAD), EAP over RADIUS (NAD to ACS), HCAP (ACS to vendor server).
     1. 802.1X connection setup between NAD and endpoint
     2. NAD requests credentials from the endpoint (EAP over 802.1X); this may include user, device, and/or posture
     3. CTA, via the NAC-capable supplicant, sends credentials to the NAD (EAP over 802.1X)
     4. NAD sends credentials to ACS (EAP over RADIUS)
     5. ACS can proxy portions of posture authentication to a vendor server (HCAP)
     6. User/device credentials sent to authentication databases (LDAP, Active Directory, etc.)
     7. ACS validates credentials and determines authorization rights, e.g. visitors given GUEST access, unhealthy devices given QUARANTINE access
     8. ACS sends the authorization policy to the NAD (VLAN assignment); the host is assigned a VLAN and may then gain IP access (or be denied or restricted)
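Slides 21 and 29 describe two halves of one mechanism: the AP or controller (the NAD) relays EAP through its uncontrolled port while dropping every data frame on the controlled port, and the RADIUS/ACS side decides not just whether the user is genuine but which VLAN the port ends up in once posture has been checked. The following is an added example (not code from the deck or from Cisco) that models both halves end to end. The user store, posture thresholds, VLAN numbers and the frames themselves are constructed for the example; real EAP methods, RADIUS attributes and HCAP are not modelled, and `acs_decide` stands in for ACS plus the vendor posture server.

```python
"""Added example: 802.1X controlled/uncontrolled port on the NAD plus an
ACS-style posture decision mapped to a VLAN. All policy data is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# --- constructed policy data (assumptions for the example) ---
TODAY = date(2006, 6, 1)
USER_DB = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}  # staff identity store
AV_MAX_AGE_DAYS = 7        # antivirus definitions older than this fail posture
MIN_PATCH_LEVEL = 42       # hypothetical patch baseline
VLAN_STAFF, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 99


@dataclass
class Posture:
    av_defs_date: date
    patch_level: int
    firewall_on: bool


def posture_failures(p: Posture) -> list:
    """What posture validation (CTA credentials checked by ACS / vendor server) would flag."""
    failures = []
    if (TODAY - p.av_defs_date).days > AV_MAX_AGE_DAYS:
        failures.append("stale-av")
    if p.patch_level < MIN_PATCH_LEVEL:
        failures.append("unpatched")
    if not p.firewall_on:
        failures.append("firewall-off")
    return failures


def acs_decide(identity: str, secret: bytes, posture: Posture) -> tuple:
    """Stand-in for the RADIUS/ACS decision: (Access-Accept|Access-Reject, vlan, reason)."""
    stored = USER_DB.get(identity)
    if stored is None:
        # Unknown visitor: no staff identity, authorised for GUEST only
        return ("Access-Accept", VLAN_GUEST, "guest")
    if not hmac.compare_digest(stored, hashlib.sha256(secret).hexdigest()):
        return ("Access-Reject", None, "bad-credentials")
    failures = posture_failures(posture)
    if failures:
        # Known user on an unhealthy device: quarantine, not production
        return ("Access-Accept", VLAN_QUARANTINE, "unhealthy:" + ",".join(failures))
    return ("Access-Accept", VLAN_STAFF, "healthy")


class AuthenticatorPort:
    """Per-client port state on the NAD (AP or controller)."""

    def __init__(self):
        self.authenticated = False
        self.vlan = None

    def handle(self, frame: dict) -> tuple:
        if frame["type"] == "eapol":
            # Uncontrolled port: EAP is relayed to RADIUS even before authentication
            decision, vlan, reason = acs_decide(frame["identity"], frame["secret"], frame["posture"])
            self.authenticated = decision == "Access-Accept"
            self.vlan = vlan if self.authenticated else None
            return ("EAP-Success" if self.authenticated else "EAP-Failure", self.vlan, reason)
        # Controlled port: data is dropped until EAP has completed successfully
        if not self.authenticated:
            return ("dropped", None, "port-unauthorized")
        return ("forwarded", self.vlan, "ok")


def run_client(identity: str, secret: bytes, posture: Posture) -> list:
    """Association, a premature data frame, EAP, then data again; returns the NAD's verdicts."""
    port = AuthenticatorPort()
    data = {"type": "data", "payload": b"GET / HTTP/1.0"}
    return [
        port.handle(data),   # before EAP: must be dropped
        port.handle({"type": "eapol", "identity": identity, "secret": secret, "posture": posture}),
        port.handle(data),   # after EAP: forwarded on the assigned VLAN, or still dropped
    ]


# constructed endpoint postures
HEALTHY = Posture(av_defs_date=date(2006, 5, 30), patch_level=45, firewall_on=True)
STALE = Posture(av_defs_date=date(2006, 3, 1), patch_level=40, firewall_on=True)

if __name__ == "__main__":
    for who, pw, pos in [("alice", b"correct horse battery", HEALTHY),
                         ("alice", b"correct horse battery", STALE),
                         ("alice", b"wrong", HEALTHY),
                         ("visitor", b"", HEALTHY)]:
        print(who, run_client(who, pw, pos))
```

The point the slides make but a diagram cannot show is in the third verdict of each run: the same data frame is dropped, forwarded on VLAN 10, or forwarded on VLAN 99 depending only on what came back from ACS, with the AP never inspecting the payload itself.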

  30. Secure Guest Access
     • Captive portal native in the controller
     • Two options for guest access: (1) guest users can be placed on a guest VLAN; (2) all guest traffic is tunneled to a guest controller in the DMZ (switch-to-switch guest tunnel across the enterprise network)
     • User DB can be local or RADIUS
     • Robust administration: ambassador login, customizable web pages
     Diagram: an enterprise user on the internal SSID gets the internal default gateway; a guest user on the GUEST SSID is tunneled to the DMZ guest controller

  31. Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy (section divider; same content as slide 18)

  32. Protect the Network (anomaly and IDS/IPS): Implementation Checklist for Secure Wireless LANs
     • Rogue AP detection and containment
     • Multilayer client exclusions

  33. A Complete Solution for Handling Rogues
     1. Detect rogue AP (generate alarm)
     2. Assess rogue AP (identity, location, ...)
     3. Contain rogue AP
     4. View historical report
     • Can be automated
     • Multiple rogues contained simultaneously
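The step that deserves the most care in the loop above is the jump from "assess" to "contain": over-the-air containment is deauthenticating someone else's clients, so it must be limited to devices that are demonstrably yours to contain. The following is an added example (not code from the deck or from Cisco) of the detect/assess/contain decision over a constructed set of beacons heard by two managed APs. The authorised-AP list, SSIDs, wired MAC table, the "wired MAC is adjacent to the BSSID" heuristic and the RSSI threshold are all assumptions for the example; nothing here reads a real controller, and a production system would use its own rogue-location engine rather than the strongest-reporter shortcut used here.

```python
"""Added example: classify unmanaged BSSIDs and gate containment.
Inventory, scan data and the on-wire heuristic are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# --- constructed inventory ---
MANAGED_BSSIDS = {"00:0b:85:00:00:01", "00:0b:85:00:00:02"}   # our own APs
CORPORATE_SSIDS = {"school-staff", "school-guest"}
WIRED_MACS = {"00:1a:2b:00:00:10", "00:1a:2b:00:00:11"}       # MACs learned on our switches
CONTAIN_RSSI_DBM = -75   # assumption: weaker than this is probably outside the building


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    heard_by: str   # managed AP that reported it


def mac_neighbours(bssid: str, radius: int = 16) -> set:
    """Heuristic: a consumer AP's radio BSSID and its wired MAC usually differ only in
    the last octet. Treat addresses within +/- radius as the same box (assumption)."""
    prefix, last = bssid[:-2], int(bssid[-2:], 16)
    return {f"{prefix}{(last + d) & 0xFF:02x}" for d in range(-radius, radius + 1)}


def decide_containment(kind: str, rssi_dbm: int) -> bool:
    """Contain only what is clearly ours to contain: a device on our wire, or an
    impersonator strong enough to be on premises. Jamming a neighbour's legitimate
    AP is interference with their network, not defence of ours."""
    if kind == "rogue:on-wire":
        return True
    if kind == "rogue:impersonating":
        return rssi_dbm >= CONTAIN_RSSI_DBM
    return False


def assess(beacons: list) -> list:
    """Detect: group beacons per BSSID. Assess: classify, locate by strongest reporter,
    and attach the containment decision for the report."""
    by_bssid = defaultdict(list)
    for b in beacons:
        by_bssid[b.bssid.lower()].append(b)
    report = []
    for bssid, seen in by_bssid.items():
        if bssid in MANAGED_BSSIDS:
            continue                          # one of ours, nothing to do
        strongest = max(seen, key=lambda b: b.rssi_dbm)
        ssids = {b.ssid for b in seen}
        on_wire = bool(mac_neighbours(bssid) & WIRED_MACS)
        if ssids & CORPORATE_SSIDS:
            kind = "rogue:impersonating"      # evil twin / honeypot using our SSID
        elif on_wire:
            kind = "rogue:on-wire"            # unmanaged AP plugged into our LAN
        else:
            kind = "neighbour"                # someone else's network
        report.append({
            "bssid": bssid, "kind": kind, "ssids": sorted(ssids),
            "nearest_ap": strongest.heard_by, "rssi_dbm": strongest.rssi_dbm,
            "channel": strongest.channel, "on_wire": on_wire,
            "contain": decide_containment(kind, strongest.rssi_dbm),
        })
    return report


# constructed scan, as reported by the two managed APs
SCAN = [
    Beacon("00:0b:85:00:00:01", "school-staff", 6, -40, "ap-library"),
    Beacon("00:1a:2b:00:00:17", "homeoffice", 11, -55, "ap-library"),   # wired MAC ...:10 is adjacent
    Beacon("00:1a:2b:00:00:17", "homeoffice", 11, -68, "ap-gym"),
    Beacon("00:14:bf:aa:bb:cc", "school-staff", 1, -82, "ap-gym"),      # impersonator, but far away
    Beacon("00:18:f8:12:34:56", "NextDoorCafe", 6, -79, "ap-library"),
]

if __name__ == "__main__":
    for row in assess(SCAN):
        print(row)
```

Two things in the output are worth checking against your own controller's behaviour: the AP advertising your SSID is classified as an impersonator but not contained because it is too weak to be on site (the right answer is to send someone to look), and the café next door is logged for the historical report and otherwise left alone.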

  34. Cisco WCS – Centralized Security Management

  35. Cisco WLAN FIPS status (Federal Information Processing Standard)
     • Pre-validated for FIPS 140-2 and Common Criteria: 4400 controller; AP1200, AP1100 and BR1300 (LWAPP and autonomous)
     • A FIPS kit will be required; contents include tamper-evidence labels, download instructions for FIPS-approved IOS images, and download instructions for Security Policies

  36. Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy (section divider; same content as slide 18)

  37. Security Management
     • CS-MARS: network-wide anomaly detection, rules-based correlation
     • WCS: simple, powerful dashboard; robust reporting

  38. Checklist Summary
     • Keep Clients Safe (endpoint protection): strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies
     • Keep Clients Honest (admission control): Network Admission Control, guest access
     • Protect the Network (anomaly and IDS/IPS): rogue AP detection and containment, multilayer client exclusions

  39. The Cisco Difference
     • Unifying wireless and wireline
     • Utilizing all of Cisco’s security expertise and product line: not reinventing the wheel
     • Location, location, location: only WLAN system with RF fingerprinting for rogue location accuracy
     • Integrated air monitoring: only WLAN system that does not require separate air monitors; built-in rogue protection and intrusion detection
     • Security designed for real-time applications: fast secure roaming
     • Active leadership in standards bodies: 802.11i, 802.11r, 802.11w, 802.11k
