Page 1: Secure Unified Wireless and Mobility Solutions for Government
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. GD Conference 08
Source: issa-balt.org/.../Presentations/2008-04_Can_wireless_be_secured.pdf

Secure Unified Wireless and Mobility Solutions for Government

Jim Ransome, Ph.D., CISSP, CISM
Senior Director, Secure Unified Wireless and Mobility Applications, Corporate Security Programs Organization and Global Government Solutions Group
General Dynamics Unified Information Assurance User Conference 2008

Page 2: About The Speaker

10+ years senior corporate executive, information and physical security: CSO roles, CISO roles
23 years government service: National Lab computer scientist/national security analyst, NCIS federal special agent, retired naval reserve intelligence officer, former Marine Corps sergeant
Ph.D. in information systems specializing in information security. Dissertation: developed/tested a converged wired-wireless network security model (NSA/DHS Center of Academic Excellence in Information Assurance Education)
Graduate certificates: international business and international affairs
Certifications: Certified Information Security Professional (CISSP), Certified Information Security Manager (CISM)
Adjunct professor for a master's-level information security curriculum
Publications (Elsevier - Digital Press): Operational Wireless Security, VoIP Security, IM Security, Business Continuity and Disaster Recovery for InfoSec Managers

Page 3: Agenda

Securing the core, defending the edge

Can wireless LANs really be secured?

Building secure unified wireless and mobility government solutions

Wireless and mobility solutions for classified environments

The future of secure wireless and mobility solutions

Page 4: Securing the Core, Defending the Edge

Page 5: What Does This Mean For Wireless And Mobility?

Page 6: Remember… Wireless Enables Mobility

[Diagram: "It Takes Us From…" Where We Were -> Where We Want To Be; "How We Get There": Unified Networks, Unified Communications, Unified Security]

Page 7: Can Wireless LANs Really Be Secured?

Page 8: Building on 802.11i: A Unified Wireless Security Approach to End-to-End Security

[Diagram labels: NAC Appliance; L2 IDS; L3-7 IDS; RF Containment; 802.11a Rogue AP; 802.11a Rogue Client]

Fine-grained Mapping and Authentication: Location services enable precise mapping of clients and threats, allowing fine-grained authentication and quick removal
Wired IDS Integration: Unified wired and wireless IDS ensures malicious wireless clients are disconnected from the network
Wireless Endpoint Compliance: NAC prevents wireless endpoints from introducing viruses, spyware, malware, etc.
Wireless IDS/IPS: Comprehensive wireless threat identification and over-the-air prevention
Offsite Endpoint Protection: IPS detects and prevents offsite wireless threats such as ad hoc networks

Page 9: Building on 802.11i: Other Key Elements of a Unified Wireless Security Solution

[Diagram labels: Enterprise user; Guest user; Switch-to-switch guest tunnel; Enterprise Network; DMZ Guest controller; Wireless Security Policy; Rogue AP; Campus; Contractor; Guest]

Network Segmentation: Key to providing guest access by controlling and prioritizing access to business resources
Wireless Network Location Services: Quick location of rogue access points and other wireless threats
Guest Services: Path isolation; guest traffic never mixes with enterprise traffic
Wireless Security Policy: Wireless client connection policy enforcement

Page 10: Building on 802.11i: Real-time RF Management and Integrated Spectrum Intelligence

Detect, classify, and locate RF interference
Case Studies: A Phased Approach

Page 11: Building Secure Unified Wireless and Mobility Government Solutions

Page 12: Challenges of a Secure and Interoperable Unified Communications Infrastructure: Products and Solutions Vendors

Page 13: Wireless and Mobility Products

Page 14: The Rapid Acceleration of Secure Unified Government Wireless and Mobility Applications

Secure routing and communications for Mobile Ad Hoc Networks (MANETs)
Tactical Communication Kits
Integrated Spectrum Intelligence
IPv6 and Mobile IPv6
Mobile Access Routers
FIPS Validated (FIPS 140-2) MESH Solution
Type-1/HAIPE device solutions for wireless LANs architected to meet all federal requirements

Page 15: Mobile Access Router: Facilitating The Acceleration

Page 16: Cisco IP Interoperability and Collaboration System (IPICS): Integrated Networks Critical for Effective Operations and Emergency Management

Page 17: Cisco IP Interoperability and Collaboration System (IPICS)

[Diagram components: Cisco IPICS Server and Policy Engine (Server Administration Console, Ops Views, Policy Engine); Cisco IP Phones w/ PTT Services; IPICS Management Console; Cisco IPICS PMC Client, a push-to-talk (PTT) client for PC users; VHF/UHF/Nextel PTT Radios; Secure VoIP Network; LMR Gateway and Media Services; VoIP Gateway; PSTN; PSTN/Cellular Phones; VoIP links between components]

Page 18: Outdoor Wireless and Mobility Solutions

Page 19: Wireless and Mobility Solutions for Classified Environments

Page 20: The Future of Secure Wireless and Mobility Solutions

Page 21: Federal Wireless Policies

Secretary of Commerce: FIPS 140-1 (1994) updated to FIPS 140-2 (2001); FIPS certification required for federal agencies; FIPS 140-3 targeted 2009
DoD Directive 8100.2 WLAN follow-on (June 2006): standards based, Wi-Fi certified / IEEE 802.11i security (WPA2); FIPS 140-2 certification; Common Criteria certification / U.S. Government Protection Profiles; WIDS w/ location tracking (wired and wireless nets)
DISA Wireless STIG (draft version 5, release 2.01)
OSD (NII) DoD follow-on policy security boundary: https://acc.dau.mil/CommunityBrowser.aspx?id=153484&lang=en-US

Page 22: Cisco Unified Wireless Network: 802.11i End-To-End Wireless Security

DoD compliant and FIPS validated:
APs authenticate into the DoD network with X.509 certs as CC trusted network devices
Controller/APs establish a FIPS 140-2 validated assured control channel
APs enforce 802.1X port access control and terminate FIPS 140-2 encryption/decryption services at the edge of the DoD security border
Controller centrally manages the 802.1X state machine, providing secure mobility
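The controls this slide lists (802.1X port access control, X.509 certificate authentication, FIPS 140-2 validated crypto on the controller/AP channel) and the DoD 8100.2 requirements on the Federal Wireless Policies slide (WPA2/802.11i, FIPS 140-2, WIDS with location tracking) are the kind of thing an auditor checks against each WLAN profile. The following is an added Python example written for this page, not code from the deck or from Cisco: the WlanProfile fields, the three sample profiles and the list of EAP methods that present no server certificate are assumptions made for illustration, and the AES-CCMP-only rule is the cipher restriction that FIPS 140-2 operation imposes on 802.11i.

```python
"""Audit WLAN profiles against the 802.11i / 802.1X / FIPS 140-2 requirements
listed in the deck.  Added example: profile fields and sample profiles are
constructed for illustration and are not the deck's or Cisco's own data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# AES-CCMP is the only 802.11i pairwise cipher usable under FIPS 140-2 validation.
FIPS_CIPHERS = {"ccmp"}
# EAP methods that present no server certificate, so the supplicant cannot
# authenticate the RADIUS server (assumption beyond the slide; LEAP and EAP-MD5
# are the well-known cases).
EAP_WITHOUT_SERVER_CERT = {"leap", "eap-md5"}


@dataclass
class WlanProfile:
    ssid: str
    security: str                  # "open", "wep", "wpa" or "wpa2" (802.11i)
    ciphers: List[str]             # pairwise ciphers offered, e.g. ["tkip", "ccmp"]
    auth: str                      # "psk" or "802.1x"
    eap_methods: List[str]         # EAP methods accepted when auth == "802.1x"
    validates_server_cert: bool    # supplicant checks the RADIUS server's X.509 cert
    controller_fips_mode: bool     # controller and APs run FIPS 140-2 validated crypto
    assured_control_channel: bool  # AP-to-controller control channel is protected
    wids_enabled: bool             # wireless IDS monitors this WLAN
    location_tracking: bool        # location services can place clients and rogues


def audit_profile(p: WlanProfile) -> List[str]:
    """Return one finding per unmet requirement; an empty list means compliant."""
    findings: List[str] = []
    ciphers = {c.lower() for c in p.ciphers}
    if p.security != "wpa2":
        findings.append(f"security mode '{p.security}' is not IEEE 802.11i (WPA2)")
    legacy = ciphers - FIPS_CIPHERS
    if legacy:
        findings.append(f"non-FIPS ciphers offered {sorted(legacy)}; "
                        "FIPS 140-2 mode allows AES-CCMP only")
    if "ccmp" not in ciphers:
        findings.append("AES-CCMP not offered")
    if p.auth != "802.1x":
        findings.append(f"authentication '{p.auth}' is not 802.1X port access control")
    else:
        weak = {m.lower() for m in p.eap_methods} & EAP_WITHOUT_SERVER_CERT
        if weak:
            findings.append(f"EAP methods without server certificate accepted {sorted(weak)}")
        if not p.validates_server_cert:
            findings.append("supplicant does not validate the RADIUS server's X.509 certificate")
    if not p.controller_fips_mode:
        findings.append("controller/APs not running in FIPS 140-2 mode")
    if not p.assured_control_channel:
        findings.append("AP-to-controller control channel is not protected")
    if not p.wids_enabled:
        findings.append("no WIDS coverage")
    if not p.location_tracking:
        findings.append("no location tracking for clients and rogue devices")
    return [f"{p.ssid}: {msg}" for msg in findings]


def audit_all(profiles: Iterable[WlanProfile]) -> Dict[str, List[str]]:
    """Map each SSID to its findings so a report can be built per WLAN."""
    return {p.ssid: audit_profile(p) for p in profiles}


# Constructed sample profiles (not real deployments).
COMPLIANT = WlanProfile("dod-enterprise", "wpa2", ["ccmp"], "802.1x", ["eap-tls"],
                        True, True, True, True, True)
MIXED = WlanProfile("mixed-mode", "wpa2", ["tkip", "ccmp"], "802.1x", ["peap"],
                    False, True, True, True, True)
LEGACY = WlanProfile("legacy-wlan", "wpa", ["tkip"], "psk", [],
                     False, False, False, True, False)

if __name__ == "__main__":
    for ssid, findings in audit_all([COMPLIANT, MIXED, LEGACY]).items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{ssid}: {status}")
        for line in findings:
            print("  -", line)
```

The mixed-mode profile is the case worth noticing: it is WPA2 with 802.1X, yet still fails because a TKIP fallback cipher is offered alongside CCMP and the supplicant skips server-certificate validation, which defeats the X.509 trust the slide relies on.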

Page 23: Securing Wireless and Mobile Networks: Security is never a “one size fits all” solution

[Diagram: Classified enclave <-> HAIPE <-> SBU and/or unclassified wireless and wired LAN/WAN (WPAv2, FIPS 140-2, WIDS, location, L3 VPN) <-> HAIPE <-> Classified enclave]

Type 1 over WLAN requires a layered approach:
IP Security (High Assurance IP Encryption - HAIPE)
Link Security (WPA, FIPS, WIDS, VPN, Location Awareness...)

Page 24: Type 1 Architecture for Wireless and Mobile Networks: End-to-End Wireless Security

DoD compliant and FIPS validated:
APs authenticate into the DoD network with X.509 certs as CC trusted network devices
Controller/APs establish a FIPS 140-2 validated assured control channel
APs enforce 802.1X port access control and terminate FIPS 140-2 encryption/decryption services at the edge of the DoD security border
Controller centrally manages the 802.1X state machine, providing secure mobility

Page 25: Type 1 Architecture for Wireless and Mobile Networks. Example: Red Data Center Extension WLAN Deployments

Secure WLAN client connects over Black WLAN to Red Enclave
Red Enclave can use a WLAN or other HAIPE device to connect to Black WLAN
Extends Red services without physical extension of Red network
Only need to configure two tunnels per client HAIPE device
Red router will route between clients

Page 26: Type 1 Architecture for Wireless and Mobile Networks. Example: Red Data Center Extension WLAN Deployments

Using Type-1 WLAN and Type 1 Ethernet HAIPEs to connect VoSIP or video enclaves over a wireless backbone (indoor or outdoor)
Opportunities to interoperate with SME-PED

Page 27: Type 1 Architecture for Wireless and Mobile Networks. Example: Red Data Center w/ Integration of HAIPE Router

Type-1 WLAN client connects over Black WLAN, then to HAIPE head-end router
HAIPE router routes intra-client traffic and can route out to the SIPRNET
Client only needs to terminate two HAIPE tunnels
Extends Red services without physical extension of Red network

Page 28: Wireless Security Integration

Need to take a holistic view of the network to create a defense-in-depth architecture
Security at each layer plays a critical role
Only by integrating each piece can attacks be detected and mitigated efficiently
All aspects must be analyzed and utilized for efficient spectrum utilization
WLAN security is about more than encrypting data-in-transit

Page 29: Cisco Wireless Federal Solution

[Diagram components, each marked WIDS: Cisco 2710 Wireless Location Appliance; Cisco Wireless Control System (WCS), Centralized WLAN Management; Cisco Aironet FIPS 140-2 APs; Cisco Secure ACS FIPS 140-2 AAA RADIUS; Cisco WLAN FIPS 140-2 Controllers. Labels: FIPS & Common Criteria Certified; Type-1 Certified]

Page 30: Cisco Wireless FIPS 802.11i (WPA2) Solution

IEEE 802.11i (WPA2) Security, FIPS 140-2 at every component:
FIPS 140-2 802.11i Supplicant: Cisco Solutions+ 3eTI 802.11i FIPS/CC client; compatible with all WPA/2 certified FIPS supplicants; Cisco Secure Services Client (FIPS Dev)
FIPS 140-2 AAA RADIUS: Cisco Secure ACS (FIPS Pre-val)
FIPS 140-2 WLAN Controllers: WLC4402 - 12, 25, 50 APs; WLC4404 - 100 APs; Cat6K WiSM - 300 APs; Cat3750G - 25/50 APs (FIPS Pre-val)
FIPS 140-2 Aironet APs: 1242 / 1131 / 1232 IOS / LWAPP; BR1310 IOS; 1522 Mesh LWAPP (FIPS Pre-val); 1250 802.11n LWAPP (FIPS Dev)
