© 2007 Cisco Systems, Inc. All rights reserved. 13490_03_2007_ Strategies for Delivering Secure Wireless Guest Access

S5068 Presentation Live

DESCRIPTION

Cisco presentation on the benefits of the Guest Access and network security associated with WLAN

Page 1: S5068 Presentation Live

© 2007 Cisco Systems, Inc. All rights reserved.

13490_03_2007_c1

Strategies for Delivering Secure Wireless Guest Access

Page 2: S5068 Presentation Live

Cisco Mobility TV

Mobility TV Host: Chris Kozup, Marketing Manager, Mobility Solutions, Cisco

Scott Pope, Manager, Guest Access Product Management, Cisco

Tony Diep, IT Theater Service Manager for US & Canada, Cisco

Page 3: S5068 Presentation Live

Thank You for Joining Us Today

The next wireless and mobility videocast event will take place on May 8, 2007 at 10:00 AM Pacific

The featured subject will be Outdoor Wireless

To register visit: http://www.cisco.com/go/semreg/mobilitytvepisodes/142299_3

Page 4: S5068 Presentation Live

Wireless in the News

Page 5: S5068 Presentation Live

Cisco Mobility Express Solution

Affordable business-class mobility solution announced for small and medium businesses

Application-Based: Access Points, Controllers, plus Application Servers

Cisco Mobility Express Solution

Controller-Based: Access Points Plus Controllers

Offer a Mobile Foundation for All

Standalone: Access Points

Grow with Your Business

Adapt to Your Level of Sophistication

Page 6: S5068 Presentation Live

Cisco Empowers the Wireless Branch Office

Cisco introduces new WLAN Controller Module for the ISR and new 3G WAN interface to create the Empowered Wireless Branch

Empowered Wireless Branch

Integrated 3G Wireless WAN

ISR Wireless LAN

Page 7: S5068 Presentation Live

Cisco Wins TechTarget’s 2007 Gold Award

Cisco awarded TechTarget Gold Award for Product Leadership in the Wireless Category

Gold Award: Cisco WiSM/WLSM

Page 8: S5068 Presentation Live

Cisco Teams with the NBA

The NBA partners with Cisco to transform the experience of sports through the use of technology

Page 9: S5068 Presentation Live

Upcoming Cisco Wireless Events

Interop
Las Vegas, Nevada
May 20–26, 2007

Cisco Secure Wireless Road Show
Sixteen cities in North America
Ask your account rep for details

Page 10: S5068 Presentation Live

Agenda

1. Why Secure Guest Access?

2. Cisco on Cisco: Guest Access Case Study

3. Cisco’s Secure Wireless Guest Access Solution

Page 11: S5068 Presentation Live

Business Trends and Challenges

Trends

Widespread wireless deployment

Over 65% of businesses use WLAN

Mobility services new business imperative

67% of businesses reported up to 50 visitors per month requiring network access*

Increased pressure to reduce network operational cost and complexity

Research case revealed ROI of up to 328%*

Challenges

Optimize partner, vendor and customer interactions with wireless access to network resources

Deliver guest access without exposing internal resources to security threats

Security ranks as #1 wireless network concern

*Source: WLAN Adoption Study, Forrester Research, 2006

Page 12: S5068 Presentation Live

Wireless Guest Access Is Changing Business

Retail: Providing customers real-time product or service information for an enhanced, better informed consumer experience

Healthcare: Allowing suppliers to place refill orders on the premises to minimize inventory shortages

Financial: Enabling consultants to complete audits more accurately and efficiently

Carpeted Office: Providing secure access to business partners and consultants to ensure faster decision making and increased business agility

Page 14: S5068 Presentation Live

Cisco on Cisco Guest Access

Objectives and Constraints

Build a policy and architecture in which non-Cisco employees can access the Internet:

a) Where and when Cisco deems appropriate

b) With Cisco's permission

c) From Cisco’s infrastructure

d) Secure, authenticated, recorded

Page 15: S5068 Presentation Live

Cisco on Cisco Guest Access Architecture

[Diagram, Current – Layer 3 Architecture. Labels: WWW; Guest Data; Guest traffic tunneled in GRE; BBSM; “hotspot.cisco.com”; Employee generates access code via portal; Corporate]

[Diagram, Planned – Strategic. Labels: WWW; Guest Data; Guest traffic tunneled in GRE; NAC Appliance; “hotspot.cisco.com”; Corporate]

Page 16: S5068 Presentation Live

Cisco on Cisco Wireless SSID Architecture

Common SSID configuration for all access points

Wireless voice SSID (Cisco wireless voice users)
• EAP-FAST authentication
• WPA encryption
• QoS
• Broadcast = NO

Two production data SSIDs (Cisco wireless data users)
• EAP-FAST authentication
• CKIP encryption on one
• WPA encryption on the other
• Broadcast = NO

Guest networking SSID (NON-Cisco, guest WLAN users)
• Open authentication
• No encryption
• Broadcast = YES

Page 17: S5068 Presentation Live

Cisco on Cisco Guest Usage Trends - Global

[Chart: Guest Users by month, Jan-05 through Mar-07; vertical axis 0 to 30,000]

Average of 19,000 users per month (and rising)

Over 228,000 guests past 12 months

Over 330 buildings with wired & wireless guest services

Page 18: S5068 Presentation Live

Cisco on Cisco Support Cost Analysis – FY 2007

Support Cost of Hotspot.cisco.com FY 2007

Number of Guest Codes (Annual) 228,048

# IT Support Cases (Annual) 578

Support Case Cost ($25 per case) $14,450

Tier 2/3 Support (Est. 1 FTE) $148,000

Total Support Cost $162,450

or $0.71 per guest

Support Cost Pre-Hotspot.cisco.com FY 2007

# of helpdesk calls required (without guest service) 228,048

Total cost of support ($25 x 228,048) $5,701,200

Cost of “Hotspot.cisco.com” (see above) $162,450

Cost Avoidance $5,538,750

Page 19: S5068 Presentation Live

Cisco on Cisco Hotspot Benefits

Cost Avoidance
• Over $5M in potential support/administrative overhead avoided

Improved Security
• Controlled network access
• Uncontrolled, non-corporate clients segmented from enterprise network

Improved Turnaround
• Access codes can be generated within 15 seconds
• Batch codes can be generated for large groups
• IT administrative overhead avoided

Staff Empowerment
• Visitor sponsors responsible for generating code – no IT support needed

Guest Experience
• Branded network experience – Cisco viewed as technology leader
• “No hassle” network access

Legal Protection
• Users must digitally sign acceptable use policy with legal disclaimer

Page 20: S5068 Presentation Live

Mobility Services … Beyond Connectivity

Security Guest Voice Location

• Guest networks for customers, partners and auditors

• Vendor replenishment networks

• Public access networks

• Automatic, 24 x 7 security and compliance monitoring for breaches via wireless medium

• Network access control based on user location

• Asset management

• Location-based content distribution

• Streamlined workflow using historical location data

• Real-time mobile voice communications

• Improved collaboration via mobile unified communications

• Faster customer service response

Pervasive Wireless Network

Page 22: S5068 Presentation Live

Types of Network Users

Cisco Guest Services Give You Control

Corporate Employees (Full Access)
• Need internal network access
• Can be role based to allow granular access if needs require

Contractors/Consultants
• Need restricted internal access
• Printers
• File Shares
• Specific Applications
• Device Support

Guest Users (Internet Only)
• Internet Access Only
• No need to access internal systems
• Segment Access Completely

Page 23: S5068 Presentation Live

Cisco Solutions for Secure Guest Access

Core and Enhanced Options

Wireless Guest Access in Cisco Unified Wireless
• Lobby admin portal for user provisioning
• End-user registration page
• Network partitioning using tunneling
• User authentication and authorization in local database or AAA server
• Usage logging and reporting

Enhanced Wired and Wireless Guest Access
• Core features, plus…
• Network privileges based on roles
• End-user security posture assessment
• Full policy-based end-user portal customization using partners
• Unification of wireless and wired guest access

Versatile Solutions for Diverse Deployment Environments

Page 24: S5068 Presentation Live

Wireless Guest Access

1. Back-end segmentation (mobility anchor)

Separate the guest traffic from the corporate internal traffic via EoIP tunnels

2. Lobby ambassador/host portal

Guest user creation and token generation

Served from WLAN Controller or WCS

3. Customizable guest screen

Served from WLAN Controller or external server

4. Back-end authentication

Local WLAN Controller user database or external AAA

[Diagram labels: Wired/Wireless VLANs; Campus Core; LWAPP; WCS; EtherIP “Guest Tunnel”; Emp; Guest; Internet; DMZ WLAN Controller]

Page 25: S5068 Presentation Live

Lobby Ambassador Feature

Simple and Fast: Lobby Ambassador feature enables any staff member to enable guests

Integrated Solution: Runs on any controller and WCS

Secure: Generate individual guest name, unique password and duration of access

Page 26: S5068 Presentation Live

Enhanced Wired and Wireless Guest Access

Cisco NAC Appliance Provides:
• Very granular role-based access
• Endpoint posture assessment and remediation
• OS and posture restrictions
• QoS policy for guest users
• Integration with broader AAA servers
• Uniform guest access for wired/wireless

Cisco “GuestNet” Customized Portal:
• Cisco developed portal services for “one-stop” shop
• Basic portal customization, per-user customization

Partner User Portals Provide:
• Extensive portal customization
• Customizable logging, reporting, billing
• Temporary user accounts for email, printing, etc.

[Diagram labels: Wired/Wireless VLANs; Campus Core; LWAPP; WCS; EtherIP “Guest Tunnel”; Emp; Guest; Internet; DMZ WLAN Controller; NAC Appliance]

Page 27: S5068 Presentation Live

Role-Based Access Control

Validates authorization policies and privileges
• Layer 3/Layer 4 role-based access control (RBAC) to permit access to specific port, protocol, or subnet

Supports multiple user roles
• Customized portals per guest user group – redirection to a pre-defined page for acceptable user policy notice
• Bandwidth throttling for each user role by assigning shared or dedicated bandwidth usage
• Secures internal wired Ethernet ports

Scans for Security Requirements
• Guest session access scheduling
• Pre-configured Windows critical hot fixes and anti-virus application checks

Performs repair and update
• Self remediation for quarantined users

Page 28: S5068 Presentation Live

Implementation Considerations

Whatever the Business Reason for Guest Access, Implementation and Security Goals Should:

Ensure guest access to only Internet and authorized network resources

Eliminate IT administrator involvement with user authorizations

Leverage integration of wired and wireless network (policies and administration)

Ensure internal users and applications have priority over guests

Monitor network use and prohibit services on location or per-user basis

Page 29: S5068 Presentation Live

With Wireless…Now You Can

Page 30: S5068 Presentation Live

Now You Can…

Enhance your customer’s retail experience
• Increase the time and money customers spend on site

Improve vendor productivity and accuracy
• Allow suppliers to update inventory or restocking data real-time

Provide a virtual support network for hospitalized patients
• Enable connectivity to the outside world with online access to family, friends, research, entertainment

Track when and where users access the network
• Ensure the security of your facility and critical business data
