Page 1: Cisco Physical Security Solutions Overview for IAB

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco Physical Security Solutions Overview for IAB

Dec 2010

Bryan Berezdivin, [email protected]
Consulting Systems Engineer, Federal

Page 2: Agenda

Portfolio
Cisco Physical Access Manager Overview
Cisco Physical Access Manager HSPD-12
Cisco Logical Access Solutions
Converged Logical and Physical Access

Page 3: Cisco Physical Security Portfolio

(Slide graphic; only the title survived extraction.)

Page 4: Cisco Physical Access – A Distributed Architecture

Diagram (slide graphic): the Cisco Access Gateway (250,000 encrypted credentials; autonomous or networked operation) sits at the access layer, powered over PoE from the switch, with the door lock and request-to-exit wired to it. Across the switched/routed network are the Cisco Physical Access Manager, LDAP / Microsoft Active Directory, a Certificate Authority and an IDMS.

Scalable modular architecture; open-systems integration with external databases such as a Certificate Authority and a FIPS-201 approved IDMS.

Page 5: Migrating from CPAM to CPAM Secure Architecture

CPAM maintains the FASC-N, user name, user affiliation, issuer, expiration date and access privileges.

Flow (slide diagram):
1. TrustPoint(TM) Enrollment Station – enrollment performs PIN verification, an expiration-date check, a biometric check and photo display.
2. Cisco PAM – the FASC-N and access privileges are downloaded to the CPAM gateway.
3. Cisco Gateway – the user presents a CAC / PIV for access; the gateway matches the ID number against the authorization privileges.
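The gateway-side step of that flow, written out as an added example (this is illustrative code, not Cisco's CPAM or gateway software): a credential cache keyed by FASC-N, as pushed down from CPAM, and the local match of a presented ID number against its expiration date and door privileges. The FASC-N values, names, door ids and time windows are constructed placeholders; the cache layout and the `gateway_decision` / `audit_event` helpers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


# A credential record as CPAM pushes it down to the gateway: the FASC-N is the
# identifier matched at the door, the rest is what CPAM maintains centrally.
@dataclass
class Credential:
    fasc_n: str
    user_name: str
    affiliation: str
    issuer: str
    expires: datetime
    # door id -> (start, end) clock window during which the door may be opened
    privileges: dict = field(default_factory=dict)


# Constructed sample cache; the FASC-N values are placeholders, not real numbers.
GATEWAY_CACHE = {
    "9999000001": Credential(
        fasc_n="9999000001", user_name="A. Example", affiliation="Employee",
        issuer="Example Agency", expires=datetime(2011, 12, 31),
        privileges={"front-door": (time(0, 0), time(23, 59)),
                    "server-room": (time(7, 0), time(19, 0))},
    ),
    "9999000002": Credential(
        fasc_n="9999000002", user_name="B. Example", affiliation="Contractor",
        issuer="Example Agency", expires=datetime(2010, 6, 30),  # already expired
        privileges={"front-door": (time(8, 0), time(18, 0))},
    ),
}


def gateway_decision(cache, fasc_n, door, now):
    """Autonomous decision at the gateway: the presented ID number is matched
    against the locally cached privileges, so no round trip to CPAM is needed
    and the door keeps working if the network is down. Returns (result, reason)."""
    cred = cache.get(fasc_n)
    if cred is None:
        return "deny", "unknown credential"
    if now >= cred.expires:
        return "deny", "credential expired"
    window = cred.privileges.get(door)
    if window is None:
        return "deny", "no privilege for door"
    start, end = window
    if not (start <= now.time() <= end):
        return "deny", "outside permitted hours"
    return "grant", "ok"


def audit_event(cache, fasc_n, door, now):
    """Event the gateway would queue for upload to CPAM: the identifier, the
    door and the decision, never the PIN or any card secret."""
    result, reason = gateway_decision(cache, fasc_n, door, now)
    cred = cache.get(fasc_n)
    return {
        "time": now.isoformat(),
        "door": door,
        "fasc_n": fasc_n,
        "user": cred.user_name if cred else None,
        "result": result,
        "reason": reason,
    }


if __name__ == "__main__":
    now = datetime(2010, 12, 1, 21, 30)
    for fasc_n, door in [("9999000001", "front-door"), ("9999000001", "server-room"),
                         ("9999000002", "front-door"), ("0000000000", "front-door")]:
        print(audit_event(GATEWAY_CACHE, fasc_n, door, now))
```

The expiration check happens at the gateway as well as at enrollment, so a credential that expires after it was downloaded is still refused at the door without waiting for CPAM to push a revocation.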

Page 6: Using Challenge/Response to Avoid Clones

(Slide graphic; only the title survived extraction.)

Page 7: Cisco Advantages

Leverage network-based architectures
• Appliance-based server with Java thin-client application
• Solution can be cloud based as a result
Lower installation costs by using network power
Encrypted communications between gateways and software
Provide video pop-up upon alarms, dispatched to iPhone via the IPICS mobile client
Integration with Cisco switches, network access, VoIP phones
Open APIs (WSDL and EDI) for 3rd-party integration
Master/Master high availability with constant synchronization

Page 8: Data Security Incidents on the Rise …

Chart (slide graphic): security incidents reported to US-CERT, FY 2006 – FY 2008, by category; a 206% increase in security incidents. Source: Infonetics Study, 2009.

Page 9: Cisco Network Access Solution

A complete logical access control solution for government. Diagram (slide graphic): Government Office 1, Government Office 2 (with wireless) and a vendor meeting in Building 3, connected over the Internet by SSL and IPsec VPN.

Endpoint compliance: network access only for compliant devices.
Contractor compliance: restricted internet access only for contractors.
Wireless compliance: secured network access only for compliant wireless devices.
Regulatory compliance: ensure sensitive data is accessible to authorized persons.
VPN user compliance: ensure compliance of computers used by contractors and consultants.

Page 10: How Does Logical and Physical Access Converge?

PACS components are devices on the network that need access (gateway and servers).

Use PACS information for policy enforcement on network access:
If user A is in the building, disable VPN access or raise an alarm.
If user A is in the building, activate resources such as the computer (Wake-on-LAN), IP phone, lights, etc., all achievable via the network.

Use the same network-based PKI components, such as the CA, for authentication, while authorization remains specific to each application: network access, physical access, data access.

Authorization may also be consolidated as products mature.

Page 11: How Does Logical and Physical Access Converge? (continued)

Figure (slide graphic). Source: Computer and Information Security Handbook, John R. Vacca (2009).

Page 12: Example of Unauthorized Access on CPAM

Diagram (slide graphic, built up over three animation slides): an IP "network of networks" linking network access, Cisco IPICS, Cisco Digital Media System, Cisco Unified Communications, Cisco Video Surveillance, Cisco Media Manager, text-to-speech, and UHF, VHF and military radio communications.

Page 15: Network Access Solution in Action – A Conceptual View

Diagram (slide graphic): users and endpoints (802.1X supplicant, guest user), IP phones and a network-attached device (IP gateway) connect to a Cisco Catalyst switch; a Nexus 7000 switch fronts the protected resources (apps, storage, data at rest); the policy servers (ACS, NAC Guest Server, NAC Profiler, Directory Service) and the CPAM server sit on the campus network, with RADIUS as the control plane.

1. End user / endpoint attempts to access the network
‣ 802.1X authentication for a registered user
‣ MAC Authentication Bypass for an agentless device
‣ Web authentication for a guest

2. Policy servers evaluate identity information
‣ NAC Profiler evaluates the agentless device (IP camera, gateway)
‣ Guest Server manages temporary guest access
‣ ACS evaluates the overall policy and returns the authorization to the NAD

2a. Evaluate PACS info
‣ Policy servers interact with the CPAM server to ensure the user is badged in

3. Access control based on policies
‣ Catalyst switch enforces access control based on policy (VLAN assignment, dACL, SGT)
‣ Nexus 7000 applies SGACL based on the SGT mapped to the role
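Steps 1 to 3 above, together with the page 10 rule that a user who is badged into the building should not be on VPN, as an added example of the policy decision the ACS would make before answering the NAD (illustrative code, not Cisco ACS, NAC or CPAM software). The directory, profiler policy, VLAN and dACL names, SGT values and the `PacsPresence` stand-in for the CPAM query are all constructed assumptions; the point is how the three authentication methods and the badge-in state combine into one authorization.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    auth_method: str            # "802.1X", "MAB" or "WEBAUTH", as chosen at the NAD
    identity: str               # username (802.1X), MAC address (MAB) or guest id
    device_profile: str         # what NAC Profiler concluded, e.g. "ip-camera"
    access_type: str = "campus"  # "campus" (wired/wireless) or "vpn"


@dataclass(frozen=True)
class Authorization:
    result: str                  # "permit" or "deny"
    vlan: Optional[str] = None   # VLAN assignment returned to the Catalyst switch
    dacl: Optional[str] = None   # downloadable ACL name
    sgt: Optional[int] = None    # Security Group Tag, enforced by SGACL on the Nexus 7000
    alarm: Optional[str] = None  # anything the operator should be told about


# Constructed stand-ins for the directory service and the NAC Profiler policy.
DIRECTORY = {"alice": "employee", "bob": "contractor"}
ROLE_SGT = {"employee": 20, "contractor": 21}
AGENTLESS_POLICY = {
    "ip-camera":    Authorization("permit", vlan="VLAN-VIDEO", dacl="ACL-CAMERA-TO-VSM", sgt=30),
    "pacs-gateway": Authorization("permit", vlan="VLAN-PACS", dacl="ACL-GATEWAY-TO-CPAM", sgt=31),
}


class PacsPresence:
    """Stand-in for the policy server's query to CPAM: who is currently badged in."""

    def __init__(self, badged_in):
        self.badged_in = set(badged_in)

    def is_badged_in(self, user):
        return user in self.badged_in


def role_dacl(role):
    # Contractors get restricted internet access only (page 9); employees get full access.
    return "ACL-CONTRACTOR-INTERNET" if role == "contractor" else "ACL-FULL"


def authorize(req: AccessRequest, pacs: PacsPresence) -> Authorization:
    if req.auth_method == "MAB":
        # Agentless device: trust only what the profiler recognised, deny and flag the rest.
        return AGENTLESS_POLICY.get(
            req.device_profile,
            Authorization("deny", alarm=f"unrecognised agentless device {req.identity}"))
    if req.auth_method == "WEBAUTH":
        # Guest: temporary, internet-only access whatever the identity.
        return Authorization("permit", vlan="VLAN-GUEST", dacl="ACL-INTERNET-ONLY", sgt=10)
    if req.auth_method != "802.1X":
        return Authorization("deny", alarm=f"unsupported method {req.auth_method}")

    role = DIRECTORY.get(req.identity)
    if role is None:
        return Authorization("deny")
    in_building = pacs.is_badged_in(req.identity)
    if req.access_type == "vpn":
        # Page 10 rule: someone badged into the building has no reason to be on VPN.
        if in_building:
            return Authorization("deny", alarm=f"VPN attempt by {req.identity} while badged in")
        return Authorization("permit", vlan="VLAN-VPN", dacl=role_dacl(role), sgt=ROLE_SGT[role])
    if not in_building:
        # Step 2a failed: campus login with no badge-in record, hold in a restricted VLAN and flag it.
        return Authorization("permit", vlan="VLAN-RESTRICTED", dacl="ACL-REMEDIATION", sgt=40,
                             alarm=f"campus login by {req.identity} with no badge-in")
    return Authorization("permit", vlan="VLAN-CORP", dacl=role_dacl(role), sgt=ROLE_SGT[role])


if __name__ == "__main__":
    pacs = PacsPresence(["alice"])
    for req in [AccessRequest("802.1X", "alice", "workstation"),
                AccessRequest("802.1X", "alice", "laptop", "vpn"),
                AccessRequest("802.1X", "bob", "laptop"),
                AccessRequest("MAB", "00:11:22:33:44:55", "ip-camera"),
                AccessRequest("WEBAUTH", "guest-42", "unknown")]:
        print(req.identity, authorize(req, pacs))
```

Every branch returns the same `Authorization` shape, so the NAD-facing code only has to map one structure onto RADIUS attributes, and the `alarm` field gives the SOC the physical/logical mismatches (VPN while badged in, campus login without a badge) that neither system would notice on its own.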


Page 18: Cisco Physical Access Gateway – Hardware Overview

Access Gateway
Mandatory component. Connects up to 2 doors, and up to 15 additional modules (connected via a 3-wire CAN bus).
Power: PoE or 12V – 24V DC
2 Ethernet ports
10-pin Wiegand reader port: can be configured as two 5-pin Wiegand ports
1 RS-485 port
3 outputs (Form C relays)
3 supervised inputs
Tamper & PF inputs (can be configured as additional inputs)

Reader Module
Requires Access Gateway. Connects up to 2 doors to the Cisco Access Gateway via CAN bus.
Power: 12V – 24V DC
10-pin Wiegand port: can be configured as two 5-pin Wiegand ports
1 RS-485 port
3 outputs (Form C relays)
3 supervised inputs
Tamper & PF inputs (can be configured to be used as additional inputs)
CAN termination switch

Input Module
Requires Access Gateway. Connects up to 10 inputs to the Cisco Access Gateway via a CAN bus.
Example inputs: pushbutton switches, glass-break sensors, or any contact-closure input circuit.
Power: 12V to 24V DC
10 supervised inputs
Tamper & PF inputs (can be configured to be used as additional inputs)
CAN termination switch

Output Module
Requires Access Gateway. Connects up to 8 outputs to the Cisco Access Gateway via CAN bus.
Example outputs: lights, LEDs, or any contact-closure output circuit.
Power: 12V to 24V DC
8 Form C (5V, 30A) outputs
Tamper & PF inputs (can be configured to be used as additional inputs)
CAN termination switch

Page 19: Physical Access Gateway Expansion

Diagram (slide graphic): Cisco Access Gateway, Reader Module, Reader Module, Input Module and Output Module chained on a CAN bus.

Maximum of 400 meters (1300 feet). Additional modules can be a maximum of 40 m (130 feet) from the access gateway.

Modules may be added or removed at run time without affecting operation of the other modules.

Any combination of additional modules (up to 15) can be connected to the Access Gateway via a 3-wire Controller Area Network (CAN) bus.

The Cisco Access Gateway is always required, and can control up to 2 doors by itself.