New Capabilities. Cisco NGE for secure networks
Cisco – Secure Enterprise WLAN
Jay Pitcher – Technical Solutions [email protected]
Importance of 802.11ac Wave 2
Addressing Growth 802.11ac Wave 2
Highest Wi-Fi Performance Ever
Better End Device Efficiency
For Highly Demanding Environments
Higher Data Rate Than Previous Standard
Allows For More Wireless Data With Wider Channels
Simultaneously Deliver Data to Multiple Devices
Conserve End-Device Battery
[Chart: Wi-Fi connectivity speed timeline, 1997 to 2016, showing gigabit Wi-Fi becoming the primary access method. Generations plotted: 802.11 (1997), 802.11b (1999), 802.11a/g (2003), 802.11n (2007), 802.11ac Wave 1 (2013, Gigabit Ethernet uplink) and 802.11ac Wave 2 (2015/2016, 2 Gigabit Ethernet uplinks, multigigabit uplinks, dual 5 GHz). Rates are plotted per spatial stream count: 3SS for desktops/laptops, 2SS for laptops/tablets, 1SS for tablets/smartphones (SS = spatial streams). Data rate labels on the chart, in Mbps as extracted: 2, 11, 24, 54, 65, 300, 450, 290*, 600*, 870*, 1300*, 1730**, 2630**, 3500**, 5260**.]
*Assuming an 80 MHz channel is available and suitable
**Assuming a 160 MHz channel is available and suitable
Better Traffic Handling: 802.11ac Wave 2 with 160 MHz
• Wider channels (20-40 MHz in earlier generations, 80-160 MHz in Wave 2) allow more traffic to pass
• Multi-User MIMO (MU-MIMO) uses the channel to maximum capacity
• Simultaneous data delivery to many devices: Multi-User, Multi-In, Multi-Out (MU-MIMO) versus Single-User MIMO (SU-MIMO)
• Devices get on and off the network quicker, allowing more devices to be served
New Products and Certifications

Cisco Unified Access Pillars: Unified Policy, Unified Management, Unified Network

Unified Policy (Identity Services Engine, ISE)
• Wired and wireless network: scalable network policy management for all forms of network access (LAN, WLAN and VPN)
• Secure Group Access (SGA): simplified role-based access control and enforcement based on context; avoids manual ACL/VLAN configuration
• Comprehensive guest management

Unified Management (Prime Infrastructure)
• Single view for managing wired and wireless network elements
• Application visibility and assurance: deterministic end-user application experience across wired and wireless
• Third-party device management

Unified Network (single wired/wireless platform)
• Common IOS operating system
• Common programmable fabric (UDAP ASIC), SDN ready
• Consistent functionality across wired and wireless
• Application Visibility and Control (AVC)
• Sub-second Stateful Switchover (SSO)
• Up to 200 APs in a mobility group

Certified Cisco Unified Access = Portfolio Leadership (certification marks shown per product on the original slide)
• Converged Access: Catalyst 3850, 3650
• WLAN controllers: 8540, 8510, 5520 (large enterprise); 5508 (medium locations); 2504 and Mobility Express (ME) (small locations)
• WLAN access points, indoor: 3702, 2702, 1700, 1850/1830
• WLAN access points, outdoor: 1572, 1532
Cisco Wireless Government Certifications - Today
What's certified:
• All Cisco 11ac and 11n access points
• All appliance and integrated controllers
• MSE 8.0 and PI 2.2
• APL listing for WLAS, WAB, WIDS
Predictable wireless certification: the MD software release gets certified; common release for both Enterprise and Government customers
Feature consistency and deployment flexibility
Certifications (FIPS, CC, UCAPL, CSfC) across releases 7.0, 8.0 and IOS 3.6 (per-release check marks on the original slide)
Comprehensive certified end-to-end solution
Cisco Wireless Government Certifications - Tomorrow
What will be certified:
• All current controllers and .11n/.11ac APs
• New .11ac Wave 2 APs, 3802/2802
• 5520/8540 controllers
• New controller and mesh platforms
Predictable wireless certification: the MD software release gets certified; common release for both Enterprise and Government customers
Feature consistency and deployment flexibility
Certifications (FIPS, CC, UCAPL, CSfC) across releases 8.3 and 16.3 (per-release check marks on the original slide)
Comprehensive certified end-to-end solution
Introducing the Cisco 5520 and 8540: Feature-Rich, Multi-mode and Ready for Wave 2 802.11ac
Simplified migration and manageability
• Right To Use licensing, ease of enablement and portability
• Utilizes the new WLAN Express web GUI with best practices enabled
• Allows the administrator to easily migrate configuration from a previous WLC
Services ready
• Ability to host multiple services such as Application Visibility and Control, Bonjour Services Directory, TrustSec, Guest, and High Availability with SSO
• Support for centralized, distributed and mesh deployments
Built for the scale of BYOD
• 5520 scales up to 1500 APs and 20,000 clients
• 8540 scales up to 6000 APs and 64,000 clients
Throughput to address the needs of Wave 2 802.11ac
• 5520 supports 20 Gbps of throughput
• 8540 supports 40 Gbps of throughput
Hardware Mechanical Details: 5520 WLC
Form Factor: 1 RU
I/O Interface: Dual 1G or 10G with LAG
Operating Temperature: 5°C to 35°C
Storage Temperature: -40°C to 65°C
Storage: Solid State Drive (SSD)
Power Options: 770W AC with optional redundant PSU (hot-swappable)
Hardware Mechanical Details: 8540 WLC
Form Factor: 2 RU
I/O Interface: Four 1G or 10G with LAG
Operating Temperature: 5°C to 35°C
Storage Temperature: -40°C to 65°C
Storage: Hot-swappable SSD with RAID
Power Options: 1200W AC or 930W DC, redundant PSU
Evolution of Wireless LAN Controllers: Enterprise Campus and Full-Service Branch
THEN (5508): 500 APs, 7000 clients, 8 Gbps throughput; 500 AP groups, 100 FlexConnect groups, 25 APs per FlexConnect group; 512 VLANs, 64 interface groups, 14,000 PMK cache entries; 2000 rogue APs, 2500 rogue clients, 5000 RFID tags, 1000 APs per RRM group, 100,000 AVC flows
NOW (5520): 1500 APs, 20,000 clients, 20 Gbps throughput; 1500 AP groups, 1500 FlexConnect groups, 100 Flex APs per FlexConnect group; 4095 VLANs, 512 interface groups, 40,000 PMK cache entries; 24,000 rogue APs, 32,000 rogue clients, 25,000 RFID tags, 3000 APs per RRM group, 320,000 AVC flows
Evolution of Wireless LAN Controllers: Enterprise Large Campus, SP Wi-Fi and Large Branch Operations
THEN (8510): 6000 APs, 64,000 clients, 10 Gbps throughput; 6000 AP groups, 2000 FlexConnect groups, 100 APs per FlexConnect group; 4095 VLANs, 40,000 PMK cache entries; 24,000 rogue APs, 32,000 rogue clients, 50,000 RFID tags, 320,000 AVC flows
NOW (8540): 6000 APs, 64,000 clients, 40 Gbps throughput; 6000 AP groups, 2000 FlexConnect groups, 100 Flex APs per FlexConnect group; 4095 VLANs, 64,000 PMK cache entries; 24,000 rogue APs, 32,000 rogue clients, 50,000 RFID tags, 320,000 AVC flows
Innovations Only Cisco Delivers: Custom Engineered Hardware for Business Flexibility
• Optimized Roaming: intelligently connects to the proper access point as people move
• Turbo Performance: scales to support more devices running high-bandwidth apps
• Cisco CleanAir: remediates device-impacting interference
• Cisco ClientLink: improves performance of legacy and 802.11ac devices
• Expandability: add functionality via module, smart antenna port or USB port
• Radio Resource Management (RRM): automatic frequency and output power configuration and adjustment
• High Availability: controller stateful switchover for mission-critical reliability
• Application Visibility and Control: provides visibility and control over the applications used on the network
• VideoStream: reliable and scalable support for broadcast of rich media
Cisco Hyperlocation Technology and Solution
Before: location approximated from RSSI only, ±5 to 10 meter accuracy (range inferred, prone to errors); room-level accuracy
After: direction to the client (angle of arrival, AoA) is determined in addition to distance, giving ±1 meter accuracy; multiple locating technologies (AoA plus RSSI) and improved calculation; high accuracy, with a "blue dot" spotlight projected at the user's feet
Granular indoor location accuracy to contextually connect users; engage and improve the guest experience
Recent Innovations
Innovation: Angle of Arrival (AoA) = approximately ±1 meter accuracy
• Different antenna elements hear the signal a little earlier or later than the others, measured by the phase of the signal
• Favors line of sight, with a high degree of accuracy in the 90-degree cone under the AP
[Figure: AP antenna array above a client, with the incoming wavefront drawn as rays of common distance and the 90-degree cone under the AP]
• Each antenna element is a fraction of a wavelength closer to or farther from the client than its neighbor, and the exact value depends on the client location: zero if the client is directly underneath, the full element spacing if the client is side on
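To make the phase geometry on the slide concrete, here is an added Go example written for this page (not Cisco's Hyperlocation code, whose antenna geometry and estimator are not published here). It simulates the carrier phase each element of a uniform linear array would hear from a client at a known angle, then recovers that angle from the phase step between neighbouring elements. The 5.5 GHz carrier, the eight-element array, the half-wavelength spacing and the noise-free phases are constructed assumptions. The estimator refuses element spacings above half a wavelength, because a larger spacing makes the same phase step correspond to two different angles.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/cmplx"
)

const speedOfLight = 299792458.0 // m/s

// Wavelength returns the free-space wavelength in metres for a carrier in Hz.
func Wavelength(freqHz float64) float64 { return speedOfLight / freqHz }

// PathDifference is how much farther (metres) the wavefront travels to reach
// each successive element of a uniform linear array, for a client at angle
// theta from broadside: 0 when the client is directly underneath the AP, the
// full element spacing when it is side on (theta = +/-90 degrees).
func PathDifference(spacingM, thetaRad float64) float64 {
	return spacingM * math.Sin(thetaRad)
}

// ElementPhases simulates the carrier phase (radians, wrapped to (-pi, pi])
// heard at each of n elements. Element k sits k spacings along the array, so
// it hears the signal later by k*PathDifference and its phase lags element 0
// by 2*pi*k*d*sin(theta)/lambda. Simulated values, not a capture from an AP.
func ElementPhases(n int, spacingM, lambda, thetaRad float64) []float64 {
	phases := make([]float64, n)
	for k := range phases {
		lag := 2 * math.Pi * float64(k) * PathDifference(spacingM, thetaRad) / lambda
		phases[k] = wrap(-lag)
	}
	return phases
}

func wrap(p float64) float64 { return math.Atan2(math.Sin(p), math.Cos(p)) }

// EstimateAoA inverts the geometry above. The mean phase step between
// neighbouring elements is taken as the argument of a sum of unit phasors,
// which stays correct when individual differences wrap past +/-pi, and is then
// converted back to an angle. Spacing above lambda/2 is rejected: the same
// step would then map to two angles (spatial aliasing).
func EstimateAoA(phases []float64, spacingM, lambda float64) (float64, error) {
	if len(phases) < 2 {
		return 0, errors.New("need at least two antenna elements")
	}
	if spacingM > lambda/2 {
		return 0, fmt.Errorf("spacing %.4f m exceeds lambda/2 = %.4f m: angle is ambiguous", spacingM, lambda/2)
	}
	var acc complex128
	for k := 1; k < len(phases); k++ {
		acc += cmplx.Exp(complex(0, phases[k]-phases[k-1]))
	}
	meanStep := cmplx.Phase(acc)
	s := -meanStep * lambda / (2 * math.Pi * spacingM)
	s = math.Max(-1, math.Min(1, s)) // guard against rounding past +/-1
	return math.Asin(s), nil
}

func main() {
	lambda := Wavelength(5.5e9) // 5 GHz band, roughly 5.45 cm
	d := lambda / 2
	for _, deg := range []float64{0, 30, -45, 80} {
		ph := ElementPhases(8, d, lambda, deg*math.Pi/180)
		est, err := EstimateAoA(ph, d, lambda)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("true %6.1f deg -> estimated %6.1f deg\n", deg, est*180/math.Pi)
	}
}
```

Real measurements add per-element phase noise and multipath; the phasor average already damps random noise, which is why the slide's accuracy claim is tied to line of sight inside the cone under the AP.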
Cisco Aironet Portfolio: Positioned to Capture the 802.11ac Wave 2 Transition
Enterprise Class: 1830, 1850. Mission Critical: 2800. Best in Class: 3800.
1850
• 4x4:3SS, 80 MHz; 1.7 Gbps
• Spectrum analysis*
• Internal or external antenna
• Tx beamforming
• 2 GE ports
• USB 2.0
• Centralized, FlexConnect and Mobility Express
2800
• 4x4:3SS, 160 MHz; 5 Gbps
• 2.4 GHz, 5 GHz or dual 5 GHz
• 2 GE ports
• Internal or external antenna
• Smart antenna connector
• Enhanced Location* (external antenna)
• CleanAir 160 MHz
• ClientLink 4.0
• USB 2.0
• Centralized, FlexConnect and Mobility Express*
3800
• 4x4:3SS, 160 MHz; 5 Gbps
• 2.4 GHz, 5 GHz or dual 5 GHz
• 1 GE + 1 mGig (5G)
• Internal or external antenna
• Smart antenna connector
• Enhanced Location* (external antenna)
• CleanAir 160 MHz
• ClientLink 4.0
• StadiumVision
• USB 2.0
• Modularity
• Centralized, FlexConnect and Mobility Express*
1810 Wall Plate
• 2x2:2SS, 80 MHz; 867 Mbps
• Tx beamforming
• 1 GE port uplink
• 3 GE local ports, including 1 PoE out
• Local ports 802.1X ready
• Integrated BLE gateway*
1830
• 3x3:2SS, 80 MHz; 867 Mbps
• Spectrum analysis*
• Internal antenna
• Tx beamforming
• 1 GE port
• USB 2.0
• Centralized, FlexConnect and Mobility Express
1810 Teleworker
• 2x2:2SS, 80 MHz; 867 Mbps
• 3 GE local ports downlink, including 1 PoE out
• One or two local ports can be tunneled back to corporate
* Future availability

Cisco Aironet Indoor Access Points Portfolio: Industry's Best 802.11ac Series Access Points
3800 (Best in Class, new)
• 5 Gbps PHY
• 4x4:3SS, 160 MHz, MU-MIMO
• 2 Ethernet ports, GbE + mGig (1G, 2.5G, 5G)
• Dual 5 GHz
• HDX technology
• USB 2.0
• StadiumVision
• CleanAir 160 MHz, ClientLink 4.0, VideoStream
• Side-mount modular architecture
2800 (Mission Critical, new)
• 5 Gbps PHY
• 4x4:3SS, 160 MHz, MU-MIMO
• 2 Ethernet ports, 2x GbE
• Dual 5 GHz
• HDX technology
• USB 2.0
• StadiumVision
• CleanAir 160 MHz, ClientLink 4.0, VideoStream
1850 (Enterprise Class)
• 802.11ac Wave 2
• 2.0 Gbps PHY
• 4x4:4SS
• Spectrum analysis*
• Tx beamforming
• 2 GE ports, USB 2.0
1830 (Enterprise Class)
• 802.11ac Wave 2
• 870 Mbps PHY
• 3x3:2SS
• Spectrum analysis*
• Tx beamforming
• USB 2.0
Comparing the Cisco Wave 2 AP Portfolio (Cisco Aironet 1830 / 1850 / 2800 / 3800)
Max data rate: 1.087 Gbps / 2.4 Gbps / 5 Gbps / 5 Gbps
Gigabit / multigigabit ports: 1 Gig / 2 Gig / 2 Gig / 2 Gig, or 1 Gig + 1 mGig (1 Gig, 2.5 Gig, 5 Gig)
USB 2.0 port: 1 / 1 / 1 / 1
Antennas and spatial streams: 3x3:2SS, 80 MHz / 4x4:4SS, 80 MHz / 4x4:3SS, 160 MHz / 4x4:3SS, 160 MHz
Control: appliance and virtualized control on all four
Feature rows marked per model on the original slide (check marks not recoverable from the extraction): Spectrum Analysis, Tx Beamforming, CleanAir / ClientLink, Dual 5 GHz Radios, Optimized Roaming, FlexSmart (optimized radios), Side Mount Modularity, Smart Antenna Connector
Power over Ethernet
• AP2800/3800 is fully supported under 30W (802.3at / PoE+) power
• LAG is supported on the 2800/3800, or mGig can be used on the 3800
• New AIR-PWRINJ6 (low-cost 30W 802.3at injector) works with GbE for the 2800/3800
• Local power supply for the 3800 (AIR-PWR-50)
Reforming 5 GHz to Optimize for 802.11ac
• Additional 5 GHz spectrum liberalization (5.35-5.47 GHz and 5.85-5.925 GHz) allows:
  - More non-overlapping channels, enabling a better 802.11ac experience
  - 6x 80 MHz channels (5 in Canada and Europe)
  - 2x 160 MHz channels (1 in Canada)
Future 5 GHz opportunity, number of non-overlapping channels by channel bandwidth:
20 MHz: 37
40 MHz: 18
80 MHz: 9
160 MHz: 4
Regulatory Domain Update
• FCC
  - New "-B" regulatory domain version of existing APs coming in 1H CY16: 3600/2600/1600/702i/702w, 3700/2700/1700 and 3800/2800 Series; 1530/1570 and only the H/S/WU models from the 1550 Series; 1830/1850 and 1570 already support the -B regulatory domain
  - -B opens new channels 120, 124 and 128, and catch-up for 144
  - Higher power allowed in UNII-1, some lower power limits in UNII-3
• Recent country migrations
  - Vietnam, Thailand, Macau moving to -S
  - Algeria, Kuwait, Tunisia moving to -I
  - Malaysia moving to -K
  - Pakistan moving to -G
Dynamic Bandwidth Selection (DBS)
Before: complex configuration and inefficient use of spectrum
• Radio Resource Management (RRM) selects the channel only
• Difficult to find non-overlapping channels
• Example: 80 MHz channel 52/56/60/64 (primary 20, secondary 20, secondary 40); interference impacts the 80 MHz channel, so what can I use?
After: automatic and intelligent use of spectrum
• RRM selects the channel and the channel width
• Automatic detection of non-overlapping channels
• Example: 80 MHz channel 52/56/60/64 where interference impacts only channel 60; three 20 MHz channels are still available, or one 40 MHz and one 20 MHz
Gives confidence in deploying wider channels
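As an added worked example of the width decision described above (written for this page, not Cisco's RRM code; PlanChannels, Widest and the interference list are this example's constructions), the Go code below takes the four 20 MHz members of an 80 MHz channel plus the members flagged as interfered, and returns the widest clean bondings the 802.11ac channelization allows: the whole 80 MHz block, the aligned 40 MHz pairs (52+56, 60+64) or single 20 MHz channels. With only channel 60 interfered it reproduces the slide's answer, 40 MHz on 52/56 plus 20 MHz on 64.

```go
package main

import (
	"fmt"
	"sort"
)

// Bonded is one channel assignment RRM could hand the radio: its width and
// the 20 MHz channel numbers it bonds, ascending.
type Bonded struct {
	Width    int // MHz: 20, 40 or 80
	Channels []int
}

// PlanChannels takes the four 20 MHz members of an 80 MHz channel (for
// example 52, 56, 60, 64) and the members CleanAir/RRM has flagged as
// interfered. It returns the widest clean bondings the 802.11ac
// channelization allows: the whole block if all four are clean, otherwise
// each aligned 40 MHz pair (lower two, upper two) that is clean, and lone
// 20 MHz channels for whatever remains. Interfered members are left unused.
func PlanChannels(members, interfered []int) ([]Bonded, error) {
	if len(members) != 4 {
		return nil, fmt.Errorf("an 80 MHz channel has four 20 MHz members, got %d", len(members))
	}
	m := append([]int(nil), members...)
	sort.Ints(m)
	for i := 1; i < len(m); i++ {
		if m[i]-m[i-1] != 4 { // 5 GHz channel numbers step by 4 per 20 MHz
			return nil, fmt.Errorf("members %v are not a contiguous 80 MHz block", m)
		}
	}
	bad := make(map[int]bool, len(interfered))
	for _, c := range interfered {
		bad[c] = true
	}
	clean := func(cs []int) bool {
		for _, c := range cs {
			if bad[c] {
				return false
			}
		}
		return true
	}
	if clean(m) {
		return []Bonded{{Width: 80, Channels: m}}, nil
	}
	var plan []Bonded
	for _, pair := range [][]int{m[:2], m[2:]} {
		if clean(pair) {
			plan = append(plan, Bonded{Width: 40, Channels: pair})
			continue
		}
		for _, c := range pair {
			if !bad[c] {
				plan = append(plan, Bonded{Width: 20, Channels: []int{c}})
			}
		}
	}
	return plan, nil
}

// Widest picks the assignment DBS would favour: the widest clean bonding,
// lowest channels first on a tie. ok is false when every member is interfered.
func Widest(plan []Bonded) (best Bonded, ok bool) {
	for _, b := range plan {
		if !ok || b.Width > best.Width {
			best, ok = b, true
		}
	}
	return best, ok
}

func main() {
	block := []int{52, 56, 60, 64}
	for _, interfered := range [][]int{nil, {60}, {56}, {52, 56, 60, 64}} {
		plan, err := PlanChannels(block, interfered)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		best, ok := Widest(plan)
		fmt.Printf("interfered %v -> usable %v, pick %v (ok=%v)\n", interfered, plan, best, ok)
	}
}
```

The alignment rule matters: 56 and 60 are adjacent but are never a legal 40 MHz pair, which is why an interfered 56 leaves 52 as a lone 20 MHz channel rather than pairing it with 60.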
Improve Connectivity to All Devices: ClientLink 4.0
Improves device performance
• 802.11ac Wave 2 access point with standard TX beamforming: benefits 802.11ac Wave 2 devices
• 802.11ac Wave 2 access point with ClientLink: benefits 802.11a, 802.11g, 802.11n, 802.11ac Wave 1 and 802.11ac Wave 2 devices
Radio Role Flexibility: adjust radio bands to better serve the environment
Innovations Only Cisco Delivers: Custom Engineered Hardware for Business Flexibility (continued)
• Optimized Roaming: intelligently connects to the proper access point as people move
• Turbo Performance: scales to support more devices running high-bandwidth apps
• Zero Impact AVC: hardware-based Application Visibility and Control without impact to performance
• Cisco CleanAir: remediates device-impacting interference
• Cisco ClientLink: improves performance of legacy and 802.11ac devices
• Expandability: add functionality via module, smart antenna port or USB port
• Multigigabit Uplinks: free up wireless with faster wired network offload (Gb+)
• Flex Dynamic Frequency Selection: automatically adjusts so as not to interfere with other radio systems
What is an XOR Radio?
• 2.4 GHz and 5 GHz on the same silicon
• Allows serving of either a 2.4 GHz or a 5 GHz channel
• Allows serial scanning of all 2.4 and 5 GHz channels
• Role selection is manual or automatic (RRM)
Flexible Radio Assignment
• Default operating mode: serve clients on both 2.4 GHz and 5 GHz (one radio serving 2.4 GHz, the other serving 5 GHz)
• Dual 5 GHz: both radios serving clients on 5 GHz; maximum over-the-air data rate up to 5.2 Gbps
• Wireless Security Monitor: scan both 2.4 GHz and 5 GHz for security threats while serving clients on 5 GHz
• Wireless Service Assurance*: proactively monitors network performance while serving clients on 5 GHz
• Enhanced Location*: improves client location accuracy while serving clients on 5 GHz
* Denotes feature availability post-FCS
Dual 5 GHz: Macro/Micro Cell Architecture
• Common in cellular deployments
• Method for addressing non-linear traffic requirements
• Allows more bandwidth to be applied to an area within a larger coverage cell
• Significantly increases airtime efficiency and capacity
AP2800/3800 Internal Antenna Hardware
Previously, in the controller, access point radios were defined as Radio 0 = 2.4 GHz and Radio 1 = 5 GHz.
Using Flexible Radio Assignment, Radio 0 can be configured as 2.4 GHz (default) or as an additional 5 GHz radio. If configured as a 5 GHz radio, the 2.4 GHz radio is disabled and the 5 GHz micro-cell antennas are used.
Micro-cell antenna: 5 dBi at 5 GHz. Macro-cell antenna: 6 dBi at 5 GHz. The difference in antenna designs allows for RF coexistence.
• Conventional AP footprint (macro cell): uniform 360-degree coverage
• Smaller AP footprint (micro cell): uniform 360-degree coverage, but for a smaller coverage area (high-density deployments)
By using a spatially efficient, compact antenna design along with different channels and Tx RF power, both radios can coexist internally.
Dual 5 GHz External Antenna: Macro/Macro Cells
• Using the DART connector on the E model enables dual 5 GHz cells with external antennas
• Doubles the effective coverage for the cost of one additional antenna
• Doubles capacity on the existing cable plant
• The multigigabit port on the 3802 provides throughput investment protection
• The cable allows the secondary 5 GHz radio antenna to be physically spaced away from the primary radio, allowing macro/macro operation
• Stadium antenna deployments for different coverage areas or higher-density areas
• ANT-2566 pointed in different directions, or even back to back tilted downward, for factory and warehouse deployments
• Omni plus directional deployments
Connectors on the 3802e, 3802p and 2802e:
• Primary antenna connectors: dipole and cabled antennas
• Smart Antenna Connector: secondary 5 GHz cabled antenna (second cabled antenna or Hyperlocation antenna)
• Side-mount modular slot (3800 only)
Meet Any Wi-Fi Use Case: Expandability and Investment Protection
Module and connector options: future Wi-Fi standard; IoT integration; custom compute platform; advanced security and spectrum analysis; 3G and LTE small cell; 3G/LTE backhaul; Bluetooth beacon and Bluetooth intelligence; Hyperlocation antenna; stadium panel antenna; directional antennas; self-discover / self-configure; 2.5-5 Gigabit port
Offload Wireless Traffic Faster: Multigigabit Technology
• Cisco Multigigabit runs over standard Cat 5e / Cat 6 cables
• Delivers up to 5x the speed of a 1 Gigabit port in the enterprise without replacing the cabling infrastructure
• Supports PoE up to 60W
• 2.5-5 Gigabit port, available on the 3800
Recently announced
Cisco Unified Wireless Principles
• Components: wireless LAN controllers; Aironet access points; management (Prime Infrastructure); Mobility Services Engine (MSE)
• FlexConnect
• Converged Access
• Mesh network: seamless roaming to the enterprise WLAN; bridging
Recommended Certified Design
• Deploy controllers based on scale requirements
  - Smallest sites (fewer than 5 APs): FlexConnect APs
  - Smaller sites (5-25 APs): 2504 WLAN controller
  - Medium sites (25-300 APs): 5508 WLAN controller
  - Larger sites (300+ APs): 8510 WLAN controller
• Access point deployment: 2702/3702 802.11ac APs; 1572 outdoor mesh
• Services: virtual services on UCS servers; a single server for PI, MSE and ISE; an HA server for redundancy
Add Guest Services
• Isolate guest traffic: utilize an anchor controller; isolate local or enterprise traffic; the client bridges to the network at the anchor controller
• Utilize the integrated controller guest portal or the ISE guest portal: ISE provides rich onboarding options and rich sponsor options
Wireless Security, a Network Solution: Architecting "Network as a Sensor" and "Network as an Enforcer"
[Diagram: network sensors (Lancope network sensor, NGFW, NGIPS, wireless and wired infrastructure, Cisco routers and branch, third-vendor devices) and network enforcers share policy and context with ISE over the pxGrid API; TrustSec Security Group Tags carry the policy; Cisco Collective Security Intelligence supplies threat information; confidential data sits behind the enforcers]
Cisco Enterprise Network Visibility
[Diagram: device sensors and platforms (switch, router, AP, controller, firewall, VM) feed Cisco AVC; orchestration and management through APIC-EM, Prime and the web GUI; third-party visualization and third-party security/billing systems consume the data]
Cisco Next-Generation Encryption Protocol Suite
Key establishment: ECDH P-256/384/521
Digital signatures: ECDSA P-256/384/521
Hashing: SHA-256/384/512
Authenticated encryption: AES-128/256-GCM
Authentication: HMAC-SHA-256/384/512
Entropy: SP 800-90
Cisco NGE and Suite B
• NGE is a superset of Suite B: Cisco has additional cipher suites
• Upgrades all crypto mechanisms: new and upgraded algorithms, key sizes, protocols and entropy
• Compatible with existing security architectures, e.g. DMVPN, GETVPN, point-to-point SAs
• Standards-based components, available today in next-generation solutions
• Targets Suite B (US), FIPS 140 (US/Canada), NATO
[Diagram: NGE (Cisco) shown as a superset containing Suite B (NSA)]
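As an added illustration of how the rows of the suite table combine (example code written for this page, not Cisco's code or any product's key exchange), the Go program below performs an authenticated key establishment with the primitives the standard library offers: ECDH P-256 for key agreement, ECDSA P-256 to sign the ephemeral public key, SHA-256 for hashing and HMAC-SHA-256 to derive the session key. The Endpoint, Offer and Handshake names, the HMAC-based KDF and the context label are this example's assumptions. Signing the ephemeral key is the step that lets each side reject a key an on-path attacker substituted, which raw ECDH alone cannot detect.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Endpoint is one side of a key establishment: a long-term ECDSA P-256 identity
// key plus a per-session ECDH P-256 ephemeral key, generated in-process here.
type Endpoint struct {
	identity  *ecdsa.PrivateKey
	ephemeral *ecdh.PrivateKey
}

// Offer crosses the wire: the ephemeral public key, signed by the identity key.
type Offer struct{ EphPub, Sig []byte }

func NewEndpoint() (*Endpoint, error) {
	id, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{identity: id, ephemeral: eph}, nil
}

// Identity is the public key a peer must already trust (from a certificate, say).
func (e *Endpoint) Identity() *ecdsa.PublicKey { return &e.identity.PublicKey }

func (e *Endpoint) MakeOffer() (Offer, error) {
	pub := e.ephemeral.PublicKey().Bytes()
	d := sha256.Sum256(pub)
	sig, err := ecdsa.SignASN1(rand.Reader, e.identity, d[:])
	return Offer{EphPub: pub, Sig: sig}, err
}

// DeriveKey verifies the peer's signature with its trusted identity key, runs
// ECDH, and derives a 256-bit key. The KDF (HMAC-SHA-256 over a context label,
// keyed by the shared secret) is this example's choice, not a product's.
func (e *Endpoint) DeriveKey(peer *ecdsa.PublicKey, o Offer, label string) ([]byte, error) {
	d := sha256.Sum256(o.EphPub)
	if !ecdsa.VerifyASN1(peer, d[:], o.Sig) {
		return nil, errors.New("ephemeral key signature does not verify: possible substitution")
	}
	pub, err := ecdh.P256().NewPublicKey(o.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := e.ephemeral.ECDH(pub)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write([]byte(label))
	return kdf.Sum(nil), nil
}

// Handshake runs both sides and returns the agreed key, or an error if either
// side rejects the other's offer or the two derivations disagree.
func Handshake(a, b *Endpoint, label string) ([]byte, error) {
	offerA, err := a.MakeOffer()
	if err != nil {
		return nil, err
	}
	offerB, err := b.MakeOffer()
	if err != nil {
		return nil, err
	}
	keyA, err := a.DeriveKey(b.Identity(), offerB, label)
	if err != nil {
		return nil, fmt.Errorf("side A: %w", err)
	}
	keyB, err := b.DeriveKey(a.Identity(), offerA, label)
	if err != nil {
		return nil, fmt.Errorf("side B: %w", err)
	}
	if !hmac.Equal(keyA, keyB) {
		return nil, errors.New("sides derived different keys")
	}
	return keyA, nil
}

func main() {
	a, _ := NewEndpoint() // errors ignored only in this demo driver
	b, _ := NewEndpoint()
	key, err := Handshake(a, b, "example tunnel")
	if err != nil {
		panic(err)
	}
	fmt.Printf("agreed AES-256 key: %x\n", key)
}
```

The derived 32-byte key is what would feed the AES-256-GCM row of the table; an actual protocol such as IKEv2 also binds the transcript and peer identities into the derivation, which this example omits.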
Commercial Solutions for Classified Program
• NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data
• This provides the ability to communicate securely using commercial standards in a solution that can be fielded in months, not years
• CSfC program requirements are customer-driven; CSfC vendors do not request features or drive requirements
• http://www.nsa.gov/ia/programs/csfc_program/index.shtml
CSfC "Layered" Architectures for Classified
• Architectural, defense-in-depth ("layers") approach to security
• SECRET requires 2 layers of "countable" crypto at mLoS 128
• TOP SECRET requires 2 layers of "countable" crypto at mLoS 192
• Example: 1 + 1 = 2 countable layers is sufficient for protecting SECRET information: Suite B VPN as countable layer #1 (outer tunnel) and Suite B application-layer security as countable layer #2 (inner)
•	Approved encryption technologies can vary at each layer
NGE vs Suite B vs CSfC
• NGE is a superset of Suite B: it includes older, transitional ciphers as well as Suite B-compliant and stronger ciphers
• Suite B is a consistent and specific implementation of cryptographic ciphers
• CSfC is a layered architecture of Suite B-compliant COTS equipment
[Diagram: NGE (Cisco), Suite B (NSA) and CSfC (NSA) shown as nested sets]
Cisco Wireless Infrastructure APL Listed: Over 20 Product Categories across 8 CSfC Components
Campus WLAN Capability Package
• The WLAN provides the outer layer of security: WPA2 over the air and AES-256 encrypted CAPWAP from AP to controller (outer tunnel)
• A common outer layer can support multiple inner layers (based on the 1.8 draft)
• The outer tunnel terminates on the unclassified network
• Use a VPN (AnyConnect) for the inner layer of security: Suite B VPN, countable layer (inner tunnel)
Campus WLAN Capability Package (cont.)
• Potential unwritten requirements: 500 m standoff from the facility perimeter; over-the-air AES-256 crypto
• Requires an approved WLAN client; client hardening requirements
• https://www.nsa.gov/resources/everyone/csfc/components-list/#wlan-client
Mobile Access Capability Package
• Security traverses the unclassified network
• The security enclave is relevant to LAN, WAN and WLAN
• CSfC security is an enterprise network resource
[Diagram: outer tunnel, Suite B VPN as countable layer #1; inner tunnel, Suite B VPN or application-layer security as countable layer #2]
Mobile Access Capability Package (cont.)
• Primary CP being used for WLAN deployments
• Allows the WLAN to stay black; supports unclassified networks
• Allows application-layer security for the second tunnel: secure VDI, Jabber, any application; coexists with the VPN tunnel
• Cisco 5921 now listed as an approved VPN client; can now provide 2 layers of VPN
Cisco as the Single-Vendor, Multi-Platform Solution for CSfC
• Allows the Cisco ASA to be used as an inner or outer VPN gateway when paired with an approved IOS/IOS-XE VPN router
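To make the "two countable layers" rule behind the Campus WLAN and Mobile Access packages concrete, here is an added Go example (written for this page, not Cisco's or NSA's code; the Layer, Wrap and Unwrap names and the use of AES-256-GCM for both layers are this example's assumptions). It seals a payload under an independently keyed inner tunnel and then an outer tunnel, so that removing the outer (WLAN) layer on the unclassified network yields only inner (VPN) ciphertext, two layers that share a key are refused as not independent, and any tampering fails authentication.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Layer is one CSfC "countable" layer: an AES-256-GCM tunnel with its own key.
// Keys are random per layer here; in a deployment each layer's key comes from
// its own approved component (WLAN, VPN, application) and is never shared.
type Layer struct {
	Name string
	Key  []byte
}

func NewLayer(name string) (Layer, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return Layer{}, err
	}
	return Layer{Name: name, Key: key}, nil
}

func (l Layer) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(l.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal prefixes a fresh random 96-bit nonce and binds the layer name as
// associated data, so a ciphertext sealed for one layer is rejected by the other.
func (l Layer) Seal(pt []byte) ([]byte, error) {
	gcm, err := l.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, []byte(l.Name)), nil
}

// Open reverses Seal; any change to nonce, ciphertext or tag fails the GCM check.
func (l Layer) Open(blob []byte) ([]byte, error) {
	gcm, err := l.aead()
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("%s: ciphertext shorter than nonce", l.Name)
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(l.Name))
}

// Wrap applies the inner layer first and the outer layer over the result, the
// order in the capability packages: stripping the outer (WLAN) tunnel on the
// unclassified network exposes only inner (VPN) ciphertext. Layers that share
// a key are not independent and are refused.
func Wrap(inner, outer Layer, data []byte) ([]byte, error) {
	if bytes.Equal(inner.Key, outer.Key) {
		return nil, errors.New("inner and outer layers must be independently keyed")
	}
	innerCT, err := inner.Seal(data)
	if err != nil {
		return nil, err
	}
	return outer.Seal(innerCT)
}

// Unwrap peels the outer layer, then the inner one.
func Unwrap(inner, outer Layer, blob []byte) ([]byte, error) {
	innerCT, err := outer.Open(blob)
	if err != nil {
		return nil, fmt.Errorf("outer: %w", err)
	}
	return inner.Open(innerCT)
}

func main() {
	inner, _ := NewLayer("inner: Suite B VPN") // errors ignored only in this driver
	outer, _ := NewLayer("outer: WPA2 / AES-256 CAPWAP")
	blob, err := Wrap(inner, outer, []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	peeled, _ := outer.Open(blob) // what the unclassified side could see
	fmt.Printf("after outer layer removed: %x\n", peeled)
	pt, err := Unwrap(inner, outer, blob)
	fmt.Printf("after both layers: %q (err=%v)\n", pt, err)
}
```

The independence check is the point of "countable": two layers only count twice if a compromise of one component (its key, its implementation) leaves the other intact, which a shared key would defeat.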
Plan for CSfC Success
• Understand the effort for an approved solution: engagement with CSfC; registering the system
• Engage with a CSfC Trusted Integrator
• Keep it simple, then grow (crawl, walk, run, fly): site to site; site to site over wireless mesh; portable solution over WLAN to a client device; laptop over WLAN; mobile device over WLAN
Wrap Up
• 802.11ac Wave 2: the future Cisco certified WLAN solution
• 2800/3800 802.11ac Wave 2 APs, the enterprise standard
• Dual radio capabilities
• Secure wireless deployment options
• Part of the secure network
Q & A