© 2004 Cisco Systems, Inc. All rights reserved.
Managing and Securing Wireless Networks with Cisco Clean Access
Steve Coppel
SE, Maryland Enterprise
CISSP, CCSP
Agenda
• WLAN Security Issues
• WLAN Enterprise Issues
• Requirements for WLAN Management & Security Solution
• Cisco Clean Access Solution
• Case Study: Stanford University
WLAN Security Issues - A Different IT Beast
• Non-existent or Porous Boundaries
▪ More vulnerable to a variety of malicious attacks
▪ WEP security inadequate
▪ Many common areas where anyone can access a wireless signal
• Security Challenge Shifted from Ports to Users
▪ Authentication more important but also more difficult
▪ Increased susceptibility to attacks originating from employees’ home networks
• Wireless and Wireline Management Integration Unresolved
▪ Management is enormous challenge
▪ Impacts usability and productivity
WLAN Security Issues
• MAC and IP Spoofing Too Easy
▪ Multitude of free tools on Internet allow machines to spoof other MAC and IP addresses
• Denial of Service (DoS) Attacks Too Easy
▪ Several DoS attacks possible including consuming all IP addresses, DoS attacks on web servers, file servers, mail servers, etc.
• “Man in the middle” Attack
▪ Malicious users find it easy to insert themselves in communication path in order to steal user credentials, session, etc.
WLAN Enterprise Issues
Issue | Tools | If Left Unresolved
Multi-vendor Access Point Management | Management software provided by each access point vendor but is not interoperable with others | Heterogeneous environments are impossible to manage centrally
Integrated Management between Wired and Wireless Networks | None | Management and user interface complexity increases
Viruses Imported from External Networks | Point Products | Viruses may frequently and severely impact enterprise productivity
Management Difficulties Associated with VPNs-over-WLANs | Vendor-specific solutions; most VPNs built for dial-up use | Security gaps may remain; client maintenance complexity increases
Requirements for WLAN Management & Security Solution
• Authentication-based Access to WLAN
▪ Users must be authenticated before being provided network access
▪ Authentication must be performed using existing authentication systems
▪ Unauthenticated users (rogue users) must not be allowed to launch DoS attacks (e.g. ping attacks, etc.)
• Client-less Deployment Mandatory
▪ Security solution should not mandate the deployment of any client software
▪ Optional client software for ease of use, additional security, network sniffing, rogue access point reporting, war driving, etc. preferred
Requirements for WLAN Management & Security Solution
• Strong Data Protection
▪ Standards-based, strong, over-the-air encryption is needed in place of WEP or any proprietary mechanism
• Non-Proprietary Hardware Preferred
▪ Preferred that security solution not require proprietary hardware
▪ Easily scalable hardware
Requirements for WLAN Management & Security Solution
• Centralized Deployment
▪ Security and management solution must both be deployable centrally in the network centers
▪ Edge deployments are too expensive to deploy/manage
• Centralized Configuration & Management
▪ Ability to configure and manage entire deployment from a central location
▪ Secure remote management
Cisco Clean Access Solution
What Does Clean Access Do?
Before allowing users onto the network, whether it’s a wired or wireless network, Clean Access:
• Recognizes: users, device, and role (guest, employee, contractor)
• Evaluates: identifies vulnerabilities on devices
• Enforces: eliminates vulnerabilities before network access
Key Cisco Clean Access Features
• Role-based access control
Cisco Clean Access server enforces authorization policies and privileges
Supports multiple user roles (e.g. guests, employees, and contractors)
• Scans for security requirements
Agent scan for required versions of hotfixes, AV, and other software
Network scan for virus and worm infections
Network scan for port vulnerabilities
• Network quarantine
Isolate non-compliant machines from rest of network
MAC and IP-based quarantine effective at a per-user level
• Repair and update
Network-based tools for vulnerability and threat remediation
Help-desk integration
All-in-One Policy Compliance and Remediation Solution
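As an added illustration (not Cisco code) of the role-based agent checks described above: a small Python evaluator that compares a constructed device report against per-role requirements for hotfixes and antivirus product and version, using the "10.x"-style version wildcards that appear in the pre-configured check list, and quarantines on any failure. The policies, placeholder hotfix IDs and reports are constructed for the example.

```python
# Added example (not Cisco code): role-based posture evaluation in the style of
# the Clean Access agent checks. Policies, hotfix IDs and reports are constructed.
from dataclasses import dataclass

def parse_version(text):
    """'11.0.x' -> (11, 0); a trailing 'x' is a wildcard for any lower level."""
    return tuple(int(part) for part in text.split(".") if part != "x")

def version_ok(installed, minimum):
    """Compare only as many components as the policy actually specifies."""
    inst, req = parse_version(installed), parse_version(minimum)
    return inst[:len(req)] >= req

@dataclass
class Policy:
    required_hotfixes: set
    av_minimum: dict            # product name -> minimum version; any listed product suffices
    require_av_running: bool = True

# Constructed per-role policies: guests get a lighter scan, employees the full one.
POLICIES = {
    "guest": Policy(required_hotfixes=set(), av_minimum={}, require_av_running=False),
    "employee": Policy(
        required_hotfixes={"KB000001", "KB000002"},          # placeholder hotfix IDs
        av_minimum={"Norton AntiVirus": "10.x", "McAfee VirusScan Enterprise": "7.1"},
    ),
}

def evaluate(role, report):
    """Return the failed checks for this role; an empty list means the device is clean."""
    policy = POLICIES[role]
    failures = []
    for kb in sorted(policy.required_hotfixes - set(report.get("hotfixes", []))):
        failures.append(f"missing hotfix {kb}")
    if policy.av_minimum:
        av = report.get("antivirus")
        if av is None or av["product"] not in policy.av_minimum:
            failures.append("no approved antivirus product installed")
        elif not version_ok(av["version"], policy.av_minimum[av["product"]]):
            failures.append(f"{av['product']} {av['version']} below required "
                            f"{policy.av_minimum[av['product']]}")
        elif policy.require_av_running and not av.get("running", False):
            failures.append(f"{av['product']} installed but not running")
    return failures

def assign_role(role, report):
    """Quarantine on any failure; otherwise grant the authenticated role."""
    return role if not evaluate(role, report) else "quarantine"
```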
Cisco Clean Access Components
• Cisco Clean Access Server
Formerly CleanMachines SmartServer
Serves as an inline or out-of-band device for network access control
• Cisco Clean Access Manager
Formerly CleanMachines SmartManager
Centralizes management for administrators, support personnel, and operators
• Cisco Clean Access Agent
Formerly CleanMachines SmartEnforcer
Optional client for device-based registry scans in unmanaged environments
Pre-Configured Clean Access Checks
• Critical Windows Update
▪ Windows XP, Windows 2000, Windows 98, Windows ME
• Symantec
▪ Norton AntiVirus 2005 v. 11.0.x
▪ Norton AntiVirus 2004 v. 10.x
▪ Norton AntiVirus 2004 Professional v. 10.x
▪ Norton Internet Security 2004
▪ Norton AntiVirus 2003 v. 9.x
▪ Norton AntiVirus 2003 Professional v. 9.x
▪ Norton AntiVirus 2002 Professional v. 8.x
▪ Norton AntiVirus Corporate Edition v. 7.x
▪ Symantec Internet Security 2005 Edition 8.0.x
▪ Symantec AntiVirus Scan Engine Edition 8.0.x
▪ Symantec AntiVirus Corporate Edition v. 9.x
▪ Symantec AntiVirus Corporate Edition v. 8.x
• Sophos
▪ Sophos Anti-Virus Enterprise v. 3.x
• McAfee
▪ McAfee VirusScan Enterprise v. 8.0i beta
▪ McAfee VirusScan Enterprise Edition v. 7.5
▪ McAfee VirusScan Enterprise Edition v. 7.1
▪ McAfee VirusScan Enterprise Edition v. 7.0
▪ McAfee VirusScan Enterprise Edition v. 4.5.x
▪ McAfee VirusScan Professional Edition v. 8.0.x
▪ McAfee VirusScan Professional Edition v. 7.x
▪ McAfee VirusScan ASaP
• Trend Micro
▪ Trend Micro Internet Security v. 12.x
▪ Trend Micro Internet Security v. 11.2
▪ Trend Micro Internet Security v. 11.0
▪ Trend Micro OfficeScan Corporate Edition v. 6.x
▪ Trend Micro OfficeScan Corporate Edition v. 5.x
▪ Trend Micro PC-Cillin 2004
▪ Trend Micro PC-Cillin 2003
• Cisco Systems
▪ Cisco Security Agent v. 4.x
Customers can easily add custom checks
Pre-Configured Checks (cont’d)
• Computer Associates (eTrust)
▪ Computer Associates eTrust Antivirus v. 7.x
▪ Computer Associates eTrust EZ Antivirus v. 6.2.x
▪ Computer Associates eTrust EZ Antivirus v. 6.1.x
• F-Secure
▪ F-Secure Anti-Virus for Workstations TBYB 5.x
▪ F-Secure Anti-Virus Client Security 5.x
▪ F-Secure Anti-Virus 2004 5.x
• Panda
▪ Panda Titanium Anti-Virus 2004 v. 3.x
▪ Panda Anti-Virus Platinum v. 7.x
▪ Panda Anti-Virus Platinum v. 6.x
▪ Panda Internet Security Platinum v. 8.x
▪ Panda Anti-Virus Light v. 1.9x
• Kaspersky
▪ Kaspersky Anti-Virus Personal v. 5.x
▪ Kaspersky Anti-Virus Personal v. 4.x
▪ Kaspersky Anti-Virus Personal Pro v. 4.x
• Authentium
▪ Authentium Command Anti-Virus Enterprise 4.x
• SOFTWIN (BitDefender)
▪ BitDefender Free Edition v. 7.x
▪ BitDefender Standard/Professional Edition 7.x
▪ BitDefender Standard v. 8.0.x
▪ BitDefender Professional Plus v. 8.0.x
• Grisoft (AVG)
▪ AVG Antivirus v. 7.0
▪ AVG Antivirus v. 6.0
▪ AVG Antivirus v. 6.0 Free Edition
• Frisk Software International
▪ F-Prot Antivirus v. 3.x
• SalD
▪ DrWeb Antivirus v. 4.31b
• Eset
▪ NOD32 Antivirus system NT/2000/2003/XP 2.0
• Zone Labs
▪ ZoneAlarm with Antivirus v. 5.x
Cisco Clean Access System Operation
[Diagram: the Cisco Clean Access Server and Cisco Clean Access Manager sit between the end user and the Intranet/Network (labelled THE GOAL); an Authentication Server is consulted at login]
1. End User Attempts to Access a Web Page or Uses an Optional Client
• Network access is blocked until end user provides login information
2. User Is Redirected to a Login Page
• Clean Access validates username and password; also performs device and network scans to assess vulnerabilities on the device
3a. Quarantine Role: Device Is Non-Compliant or Login Is Incorrect
• User is denied access and assigned to a quarantine role with access to online remediation resources
3b. Device Is “Clean”
• Machine gets on “clean list” and is granted access to network
Sample Reporting
[Screenshot: 4. Login Screen]
Multiple Deployment Options
Out-of-band: For high throughput environments, for deployment in
• Campus Environments
• Branch Offices
• Extranet environments
• Highly routed environments
Inline: Supports environments including
• Wireless
• Hubs
• Shared Media
CCA Inline Deployment
FEATURES:
• VLAN trunking support
• ~1 GB/sec throughput support
• Failover support
[Diagram: Intranet, Border Router, Firewall, Core Switch, Authentication Server and Clean Access Manager; a Clean Access Server is shown in each of three placements: Routed Central Deployment, Bridged Central Deployment, and Edge Deployment]
Secure Remote Access Deployment
Secure Remote: Supports environments with remote users coming through VPN Concentrators
CCA Out Of Band Deployment
[Diagram: Router, Firewall, Internet, Clean Access Server, Clean Access Manager, End User]
Integrates with Cisco switches to provide out of band solution.
Provides network access control for LAN users.
Deployed in highly routed networks and environments where in-line appliance is not appropriate.
CCA: User Access, Non-certified Machine
[Diagram: host with CCA Agent, Switch, CCA Manager, CCA Server, Network]
1. End user attaches host to network
2. Switch sends MAC address via SNMP-based alert to CCA Manager
3. CCA Manager decides whether host has been previously certified; if NO, CCA Manager instructs switch to put device on quarantine VLAN
4. CCA Server acts as a gateway or bridge for the quarantine VLAN; CCA Server intercepts device request and performs posture assessment and remediation
5. CCA Server certifies MAC address and forwards to CCA Manager
6. CCA Manager instructs switch to change to the appropriate VLAN
7. Host is granted access to network
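The seven-step out-of-band flow above, simulated in Python as an added example (not Cisco's software): the CCA Manager keeps the certified-MAC list and issues VLAN instructions to the switch, and the CCA Server assesses posture on the quarantine VLAN and certifies the host. VLAN numbers, port names, MAC addresses and the remediation callback are constructed. Because certification is keyed on the MAC address alone, the MAC spoofing noted on the WLAN Security Issues slide is the gap a defender would want to monitor around this flow.

```python
# Added example (not Cisco software): simulation of the CCA out-of-band flow.
# The switch/SNMP exchange is modelled as plain function calls; values are constructed.
QUARANTINE_VLAN = 900        # constructed VLAN IDs
ACCESS_VLAN = 100

class CCAManager:
    """Tracks certified MAC addresses and tells the switch which VLAN to use."""
    def __init__(self):
        self.certified = set()
        self.switch_log = []   # (port, vlan) instructions sent to the switch

    def on_mac_notification(self, port, mac):
        """Steps 2-3: the switch reports a new MAC; certified hosts go straight to access."""
        vlan = ACCESS_VLAN if mac in self.certified else QUARANTINE_VLAN
        self.switch_log.append((port, vlan))
        return vlan

    def on_certified(self, port, mac):
        """Steps 5-6: the server certified the host; move the port to the access VLAN."""
        self.certified.add(mac)
        self.switch_log.append((port, ACCESS_VLAN))
        return ACCESS_VLAN

class CCAServer:
    """Gateway for the quarantine VLAN: assesses posture, then certifies the MAC."""
    def __init__(self, manager):
        self.manager = manager

    def handle_request(self, port, mac, posture_failures, remediate):
        """Step 4: posture check; the remediation callback may clear the failures."""
        remaining = list(posture_failures)
        if remaining:
            remaining = remediate(remaining)
        if remaining:
            return QUARANTINE_VLAN, remaining      # still non-compliant: stay quarantined
        return self.manager.on_certified(port, mac), []

def connect_host(manager, server, port, mac, posture_failures, remediate=lambda f: f):
    """Run steps 1-7 for one host and return the VLAN it ends up on."""
    vlan = manager.on_mac_notification(port, mac)
    if vlan == ACCESS_VLAN:
        return vlan                                # previously certified: step 7 directly
    vlan, _ = server.handle_request(port, mac, posture_failures, remediate)
    return vlan
```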
End User Experience: with Agent
[Screenshots: 4. Login Screen; User Authentication; User Machine Quarantined; Remediation Steps]
End User Experience: with Agent (cont’d)
[Screenshots: 4. Login Screen; Scan is performed (types of checks depend on user role); Scan fails; Remediate]
End User Experience: Web-based
[Screenshots: Login Screen; Scan is performed (types of checks depend on user role/OS); Click-through remediation]
Cisco Clean Access: The Holistic Solution
Columns: Products | WLAN Security | WLAN Management | Clean Access
Authentication √ √
Encryption √ √
User/Group Policy Management √ √
Firewall √ √
Roaming Support √ √
AP Configuration & Management √ √
Remote Client Updates √ √
Centralized WLAN Management √ √
WLAN Monitoring & Reporting √ √ √
Case Study: Stanford University
Stanford University – Authentication & Ease of Use
• Challenge
Improve Authentication
Keep it simple
Interoperate with existing system
• Solution
Clean Access protects each subnet
Authentication through Kerberos
Centralized Deployment (edge-based optional)
• Benefits
Short implementation
Rapid ROI
Wireless expanding into business school & medical center
Stanford University WLAN Deployment
• Huge Campus
▪ Large student, faculty, and staff community
▪ More than 8200 acres
▪ More than 675 large buildings
• Wireless Computing Growing in Popularity
▪ Wireless laptops mandatory in certain schools
▪ Lower cost of Wireless access cards
• Deployment
▪ More than 250 access points throughout common areas and many buildings
▪ Divided into 4 major network segments
Stanford University WLAN Deployment - Security
• Security for Initial Deployment
▪ Minimal
▪ Based on MAC address of access card – SU maintains database of registered MAC addresses (NetDB) and only registered network cards are provided IP addresses
▪ No WEP – Preferable to providing user with false sense of security
▪ Susceptible to several different types of attacks
Q&A