
© 2004 Cisco Systems, Inc. All rights reserved.

Managing and Securing Wireless Networks with Cisco Clean Access

Steve Coppel

SE, Maryland Enterprise

CISSP, CCSP


Agenda

• WLAN Security Issues

• WLAN Enterprise Issues

• Requirements for WLAN Management & Security Solution

• Cisco Clean Access Solution

• Case Study: Stanford University


WLAN Security Issues - A Different IT Beast

• Non-existent or Porous Boundaries

▪ More vulnerable to a variety of malicious attacks

▪ WEP security inadequate

▪ Many common areas where anyone can access a wireless signal

• Security Challenge Shifted from Ports to Users

▪ Authentication more important but also more difficult

▪ Increased susceptibility to attacks originating from employees’ home networks

• Wireless and Wireline Management Integration Unresolved

▪ Management is enormous challenge

▪ Impacts usability and productivity


WLAN Security Issues

• MAC and IP Spoofing Too Easy

▪ Multitude of free tools on Internet allow machines to spoof other MAC and IP addresses

• Denial of Service (DoS) Attacks Too Easy

▪ Several DoS attacks possible including consuming all IP addresses, DoS attacks on web servers, file servers, mail servers, etc.

• “Man in the middle” Attack

▪ Malicious users find it easy to insert themselves in communication path in order to steal user credentials, session, etc.


WLAN Enterprise Issues

• Issue: Multi-vendor Access Point Management
 ▪ Tools: Management software provided by each access point vendor, but not interoperable with others
 ▪ If left unresolved: Heterogeneous environments are impossible to manage centrally

• Issue: Integrated Management between Wired and Wireless Networks
 ▪ Tools: None
 ▪ If left unresolved: Management and user interface complexity increases

• Issue: Viruses Imported from External Networks
 ▪ Tools: Point products
 ▪ If left unresolved: Viruses may frequently and severely impact enterprise productivity

• Issue: Management Difficulties Associated with VPNs-over-WLANs
 ▪ Tools: Vendor-specific solutions; most VPNs built for dial-up use
 ▪ If left unresolved: Security gaps may remain; client maintenance complexity increases


Requirements for WLAN Management & Security Solution

• Authentication-based Access to WLAN

▪ Users must be authenticated before being provided network access

▪ Authentication must be performed using existing authentication systems

▪ Unauthenticated users (rogue users) must not be allowed to launch DoS attacks (e.g. ping attacks, etc.)

• Client-less Deployment Mandatory

▪ Security solution should not mandate the deployment of any client software

▪ Optional client software for ease of use, additional security, network sniffing, rogue access point reporting, war driving, etc. preferred


Requirements for WLAN Management & Security Solution

• Strong Data Protection

▪ Standards-based, strong over-the-air encryption is needed instead of WEP or any proprietary mechanism

• Non-Proprietary Hardware Preferred

▪ Preferred that security solution not require proprietary hardware

▪ Easily scalable hardware


Requirements for WLAN Management & Security Solution

• Centralized Deployment

▪ Security and management solution must both be deployable centrally in the network centers

▪ Edge deployments are too expensive to deploy/manage

• Centralized Configuration & Management

▪ Ability to configure and manage entire deployment from a central location

▪ Secure remote management


Cisco Clean Access Solution


What Does Clean Access Do?

Before allowing users onto the network, whether it’s a wired or wireless network, Clean Access:

• Recognizes: users, device, and role (guest, employee, contractor)

• Evaluates: identifies vulnerabilities on devices

• Enforces: eliminates vulnerabilities before network access


Key Cisco Clean Access Features

• Role-based access control
 ▪ Cisco Clean Access Server enforces authorization policies and privileges
 ▪ Supports multiple user roles (e.g. guests, employees, and contractors)

• Scans for security requirements
 ▪ Agent scan for required versions of hotfixes, AV, and other software
 ▪ Network scan for virus and worm infections
 ▪ Network scan for port vulnerabilities

• Network quarantine
 ▪ Isolate non-compliant machines from rest of network
 ▪ MAC- and IP-based quarantine effective at a per-user level

• Repair and update
 ▪ Network-based tools for vulnerability and threat remediation
 ▪ Help-desk integration

All-in-One Policy Compliance and Remediation Solution


Cisco Clean Access Components

• Cisco Clean Access Server
 ▪ Formerly CleanMachines SmartServer
 ▪ Serves as an inline or out-of-band device for network access control

• Cisco Clean Access Manager
 ▪ Formerly CleanMachines SmartManager
 ▪ Centralizes management for administrators, support personnel, and operators

• Cisco Clean Access Agent
 ▪ Formerly CleanMachines SmartEnforcer
 ▪ Optional client for device-based registry scans in unmanaged environments


Pre-Configured Clean Access Checks

• Critical Windows Update
 ▪ Windows XP, Windows 2000, Windows 98, Windows ME

• Symantec
 ▪ Norton AntiVirus 2005 v. 11.0.x
 ▪ Norton AntiVirus 2004 v. 10.x
 ▪ Norton AntiVirus 2004 Professional v. 10.x
 ▪ Norton Internet Security 2004
 ▪ Norton AntiVirus 2003 v. 9.x
 ▪ Norton AntiVirus 2003 Professional v. 9.x
 ▪ Norton AntiVirus 2002 Professional v. 8.x
 ▪ Norton AntiVirus Corporate Edition v. 7.x
 ▪ Symantec Internet Security 2005 Edition 8.0.x
 ▪ Symantec AntiVirus Scan Engine Edition 8.0.x
 ▪ Symantec AntiVirus Corporate Edition v. 9.x
 ▪ Symantec AntiVirus Corporate Edition v. 8.x

• Sophos
 ▪ Sophos Anti-Virus Enterprise v. 3.x

• McAfee
 ▪ McAfee VirusScan Enterprise v. 8.0i beta
 ▪ McAfee VirusScan Enterprise Edition v. 7.5
 ▪ McAfee VirusScan Enterprise Edition v. 7.1
 ▪ McAfee VirusScan Enterprise Edition v. 7.0
 ▪ McAfee VirusScan Enterprise Edition v. 4.5.x
 ▪ McAfee VirusScan Professional Edition v. 8.0.x
 ▪ McAfee VirusScan Professional Edition v. 7.x
 ▪ McAfee VirusScan ASaP

• Trend Micro
 ▪ Trend Micro Internet Security v. 12.x
 ▪ Trend Micro Internet Security v. 11.2
 ▪ Trend Micro Internet Security v. 11.0
 ▪ Trend Micro OfficeScan Corporate Edition v. 6.x
 ▪ Trend Micro OfficeScan Corporate Edition v. 5.x
 ▪ Trend Micro PC-Cillin 2004
 ▪ Trend Micro PC-Cillin 2003

• Cisco Systems
 ▪ Cisco Security Agent v. 4.x

• Computer Associates (eTrust)
 ▪ Computer Associates eTrust Antivirus v. 7.x
 ▪ Computer Associates eTrust EZ Antivirus v. 6.2.x
 ▪ Computer Associates eTrust EZ Antivirus v. 6.1.x

• F-Secure
 ▪ F-Secure Anti-Virus for Workstations TBYB 5.x
 ▪ F-Secure Anti-Virus Client Security 5.x
 ▪ F-Secure Anti-Virus 2004 5.x

• Panda
 ▪ Panda Titanium Anti-Virus 2004 v. 3.x
 ▪ Panda Anti-Virus Platinum v. 7.x
 ▪ Panda Anti-Virus Platinum v. 6.x
 ▪ Panda Internet Security Platinum v. 8.x
 ▪ Panda Anti-Virus Light v. 1.9x

• Kaspersky
 ▪ Kaspersky Anti-Virus Personal v. 5.x
 ▪ Kaspersky Anti-Virus Personal v. 4.x
 ▪ Kaspersky Anti-Virus Personal Pro v. 4.x

• Authentium
 ▪ Authentium Command Anti-Virus Enterprise 4.x

• SOFTWIN (BitDefender)
 ▪ BitDefender Free Edition v. 7.x
 ▪ BitDefender Standard/Professional Edition 7.x
 ▪ BitDefender Standard v. 8.0.x
 ▪ BitDefender Professional Plus v. 8.0.x

• Grisoft (AVG)
 ▪ AVG Antivirus v. 7.0
 ▪ AVG Antivirus v. 6.0
 ▪ AVG Antivirus v. 6.0 Free Edition

• Frisk Software International
 ▪ F-Prot Antivirus v. 3.x

• SalD
 ▪ DrWeb Antivirus v. 4.31b

• Eset
 ▪ NOD32 Antivirus system NT/2000/2003/XP 2.0

• Zone Labs
 ▪ ZoneAlarm with Antivirus v. 5.x

Customers can easily add custom checks


Cisco Clean Access System Operation

[Diagram: end user → Cisco Clean Access Server → Intranet/Network (“The Goal”), with the Cisco Clean Access Manager and the Authentication Server alongside]

1. End User Attempts to Access a Web Page or Uses an Optional Client
 • Network access is blocked until end user provides login information

2. User Is Redirected to a Login Page
 • Clean Access validates username and password; also performs device and network scans to assess vulnerabilities on the device

3a. Device Is Non-Compliant or Login Is Incorrect: Quarantine Role
 • User is denied access and assigned to a quarantine role with access to online remediation resources

3b. Device Is “Clean”
 • Machine gets on “clean list” and is granted access to network


Sample Reporting

[Screenshot: sample report]


Multiple Deployment Options

• Out-of-band: For high throughput environments, for deployment in
 ▪ Campus environments
 ▪ Branch offices
 ▪ Extranet environments
 ▪ Highly routed environments

• Inline: Supports environments including
 ▪ Wireless
 ▪ Hubs
 ▪ Shared media


CCA Inline Deployment

FEATURES:
• VLAN trunking support
• ~1 GB/sec throughput support
• Failover support

[Diagram: three inline topologies, each showing Intranet, Border Router, Firewall, Core Switch, Switch, Authentication Server and Clean Access Manager, with the Clean Access Server placed differently in each: Routed Central Deployment, Bridged Central Deployment, Edge Deployment]


Secure Remote Access Deployment

Secure Remote: Supports environments with remote users coming through VPN Concentrators


CCA Out Of Band Deployment

[Diagram: End User, Router, Firewall, Internet, Clean Access Server, Clean Access Manager]

• Integrates with Cisco switches to provide out of band solution.

• Provides network access control for LAN users.

• Deployed in highly routed networks and environments where in-line appliance is not appropriate.


CCA: User Access, Non-certified Machine

[Diagram: host with CCA Agent, Switch, CCA Manager, CCA Server, Network]

1. End user attaches host to network

2. Switch sends MAC address via SNMP-based alert to CCA Manager

3. CCA Manager decides whether host has been previously certified
 • If NO, CCA Manager instructs switch to put device on quarantine VLAN.

4. CCA Server acts as a gateway or bridge for the quarantine VLAN
 • CCA Server intercepts device request; performs posture assessment and remediation

5. CCA Server certifies MAC address and forwards to CCA Manager

6. CCA Manager instructs switch to change to the appropriate VLAN

7. Host is granted access to network
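The seven-step out-of-band flow above, as an added example that is not Cisco's code and not part of the original deck: an in-memory simulation in which the switch's SNMP-based alert and the VLAN change are plain method calls, the posture assessment is a caller-supplied callable, and the VLAN numbers, port name and MAC addresses are constructed. It shows the point the slide makes about the "clean list": a MAC the Manager has already certified never touches the quarantine VLAN on reattachment, while a host that fails assessment stays parked there.

```python
"""Out-of-band Clean Access flow (steps 1-7 above) as an in-memory simulation.
Added example, not Cisco code. The SNMP alert and VLAN change are modelled as
method calls; VLAN ids, the port name and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

ACCESS_VLAN = 10        # constructed: the production VLAN
QUARANTINE_VLAN = 99    # constructed: the VLAN the CCA Server gateways


@dataclass
class Switch:
    """Access switch: reports link-up MACs, applies the VLAN changes it is told to."""
    port_vlan: Dict[str, int] = field(default_factory=dict)
    manager: "Manager" = None
    events: List[str] = field(default_factory=list)

    def link_up(self, port: str, mac: str) -> None:
        # Steps 1-2: host attaches; the SNMP-based alert becomes a method call here.
        self.events.append(f"snmp-alert port={port} mac={mac}")
        self.manager.on_mac_alert(self, port, mac)

    def set_vlan(self, port: str, vlan: int) -> None:
        self.events.append(f"set-vlan port={port} vlan={vlan}")
        self.port_vlan[port] = vlan


@dataclass
class Manager:
    """CCA Manager: owns the list of certified MACs and drives the switch."""
    certified: Set[str] = field(default_factory=set)

    def on_mac_alert(self, switch: Switch, port: str, mac: str) -> None:
        # Step 3: previously certified hosts go straight to the access VLAN;
        # everything else is parked on the quarantine VLAN.
        if mac in self.certified:
            switch.set_vlan(port, ACCESS_VLAN)
        else:
            switch.set_vlan(port, QUARANTINE_VLAN)

    def on_certified(self, switch: Switch, port: str, mac: str) -> None:
        # Steps 5-6: record the certification, then move the port.
        self.certified.add(mac)
        switch.set_vlan(port, ACCESS_VLAN)


@dataclass
class Server:
    """CCA Server: gateway for the quarantine VLAN; runs the posture assessment."""
    manager: Manager
    posture_ok: Callable[[str], bool]   # stand-in for the agent/network scan

    def intercept(self, switch: Switch, port: str, mac: str) -> str:
        # Step 4: only hosts arriving via the quarantine VLAN are assessed.
        if switch.port_vlan.get(port) != QUARANTINE_VLAN:
            return "not-quarantined"
        if not self.posture_ok(mac):
            return "remediation-required"   # host stays on the quarantine VLAN
        self.manager.on_certified(switch, port, mac)
        return "certified"


def run_flow(mac: str, posture_ok: Callable[[str], bool],
             manager: Manager = None) -> Dict[str, object]:
    """Attach one host and drive it through the flow; return what happened."""
    manager = manager or Manager()
    switch = Switch(manager=manager)
    server = Server(manager, posture_ok)
    switch.link_up("Fa0/1", mac)                      # constructed port name
    vlan_after_alert = switch.port_vlan["Fa0/1"]
    outcome = server.intercept(switch, "Fa0/1", mac)
    return {"vlan_after_alert": vlan_after_alert, "outcome": outcome,
            "final_vlan": switch.port_vlan["Fa0/1"],
            "certified": mac in manager.certified, "events": switch.events}


if __name__ == "__main__":
    shared_manager = Manager()
    print(run_flow("00:11:22:33:44:55", lambda mac: True, shared_manager))
    # Second attachment of the same MAC: already on the clean list.
    print(run_flow("00:11:22:33:44:55", lambda mac: False, shared_manager))
```

The returned event list shows the order the slide describes: the alert, the move to the quarantine VLAN, and (only after certification) the move to the access VLAN. Reusing one Manager across calls is what makes the "previously certified" branch of step 3 observable.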


End User Experience: with Agent

[Agent screenshots:]
• Login screen / user authentication
• User machine quarantined
• Remediation steps


End User Experience: with Agent (cont’d)

[Agent screenshots:]
• Login screen
• Scan is performed (types of checks depend on user role)
• Scan fails
• Remediate


End User Experience: Web-based

[Web screenshots:]
• Login screen
• Scan is performed (types of checks depend on user role/OS)
• Click-through remediation
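The check catalogue on the “Pre-Configured Checks” slides and the note on the last two slides that the checks run depend on the user’s role and OS, as an added example (not Cisco’s code, not part of the deck): a small posture evaluator in which each check carries the roles and operating systems it applies to, and any applicable failure assigns the quarantine role together with the remediation text the user would be shown. Product names and accepted major versions mirror a few entries from the slide catalogue; the hotfix id KB-EXAMPLE-001, the port allow-list and the role/OS assignments are constructed placeholders.

```python
"""Role- and OS-aware posture evaluation modelled on the Clean Access checks
listed above. Added example, not Cisco code. Product names and accepted major
versions mirror the slide catalogue; hotfix ids, ports and the role/OS
assignments are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set
import re

# Approved products -> accepted major versions ("v. 10.x" on the slide -> 10).
APPROVED_AV = {
    "Norton AntiVirus 2004": {10},
    "Norton AntiVirus 2005": {11},
    "Symantec AntiVirus Corporate Edition": {8, 9},
    "McAfee VirusScan Enterprise Edition": {7, 8},
    "Trend Micro OfficeScan Corporate Edition": {5, 6},
}
REQUIRED_HOTFIXES = {"KB-EXAMPLE-001"}       # placeholder id, not a real hotfix
ALLOWED_LISTENING_PORTS: Set[int] = set()   # constructed: nothing may listen
WINDOWS = {"Windows XP", "Windows 2000", "Windows 98", "Windows ME"}
NT_FAMILY = {"Windows XP", "Windows 2000"}  # constructed scope for the hotfix check


@dataclass
class Posture:
    """What the agent or network scan reports about one host (constructed)."""
    os: str
    av_product: Optional[str] = None
    av_version: Optional[str] = None
    hotfixes: Set[str] = field(default_factory=set)
    open_ports: Set[int] = field(default_factory=set)


@dataclass
class Check:
    name: str
    roles: Set[str]                    # user roles the check applies to
    oses: Set[str]                     # operating systems it applies to
    passes: Callable[[Posture], bool]
    remediation: str                   # text shown to a quarantined user


def av_approved(p: Posture) -> bool:
    """Installed AV must be on the approved list at an accepted major version."""
    majors = APPROVED_AV.get(p.av_product or "")
    if not majors or not p.av_version:
        return False
    m = re.match(r"(\d+)", p.av_version)
    return m is not None and int(m.group(1)) in majors


def hotfixes_present(p: Posture) -> bool:
    return REQUIRED_HOTFIXES <= p.hotfixes


def no_unexpected_ports(p: Posture) -> bool:
    return not (p.open_ports - ALLOWED_LISTENING_PORTS)


CHECKS: List[Check] = [
    Check("approved-antivirus", {"guest", "contractor", "employee"}, WINDOWS,
          av_approved, "Install or update an approved antivirus product"),
    Check("critical-windows-update", {"contractor", "employee"}, NT_FAMILY,
          hotfixes_present, "Run Windows Update and install the critical hotfixes"),
    Check("no-unexpected-listening-ports", {"contractor", "employee"}, WINDOWS,
          no_unexpected_ports, "Disable or clean the unexpected listening service"),
]


@dataclass
class Decision:
    role: str            # role actually assigned ("quarantine" on any failure)
    failed: List[Check]  # checks that applied to this role/OS and did not pass


def evaluate(posture: Posture, requested_role: str) -> Decision:
    """Run only the checks that apply to this role and OS; any failure quarantines."""
    failed = [c for c in CHECKS
              if requested_role in c.roles and posture.os in c.oses
              and not c.passes(posture)]
    return Decision("quarantine" if failed else requested_role, failed)


if __name__ == "__main__":
    host = Posture("Windows XP", "Norton AntiVirus 2004", "10.2", set(), {12345})
    d = evaluate(host, "employee")
    print(d.role, [(c.name, c.remediation) for c in d.failed])
```

Because a check is skipped unless both its role set and its OS set match, a guest on Windows 98 is held only to the antivirus check, while an employee on Windows 2000 also has to satisfy the hotfix and listening-port checks; adding a "custom check" is one more entry in CHECKS.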


Cisco Clean Access: The Holistic Solution

Product categories compared: WLAN Security, WLAN Management, Clean Access (check marks as shown on the slide)

• Authentication √ √
• Encryption √ √
• User/Group Policy Management √ √
• Firewall √ √
• Roaming Support √ √
• AP Configuration & Management √ √
• Remote Client Updates √ √
• Centralized WLAN Management √ √
• WLAN Monitoring & Reporting √ √ √


Case Study: Stanford University


Stanford University – Authentication & Ease of Use

• Challenge
 ▪ Improve authentication
 ▪ Keep it simple
 ▪ Interoperate with existing system

• Solution
 ▪ Clean Access protects each subnet
 ▪ Authentication through Kerberos
 ▪ Centralized deployment (edge-based optional)

• Benefits
 ▪ Short implementation
 ▪ Rapid ROI
 ▪ Wireless expanding into business school & medical center


Stanford University WLAN Deployment

• Huge Campus

▪ Large student, faculty, and staff community

▪ More than 8200 acres

▪ More than 675 large buildings

• Wireless Computing Growing in Popularity

▪ Wireless laptops mandatory in certain schools

▪ Lower cost of Wireless access cards

• Deployment

▪ More than 250 access points throughout common areas and many buildings

▪ Divided into 4 major network segments


Stanford University WLAN Deployment - Security

• Security for Initial Deployment

▪ Minimal

▪ Based on MAC address of access card – SU maintains database of registered MAC addresses (NetDB) and only registered network cards are provided IP addresses

▪ No WEP – Preferable to providing user with false sense of security

▪ Susceptible to several different types of attacks


Q&A
