Design Approaches to Secure Wireless within UK Government May 2014

Legal Disclaimer
This proposal is being provided by Cisco International Limited. As a developer and manufacturer of
leading edge communications products and software, Cisco does not generally undertake direct business
in Europe. As a result, the response that we are providing to you is not an offer of sale or otherwise,
but simply an information pack to enable you to make an initial evaluation of the Cisco product offerings.
Where provided, compliance statements are made to assist in your evaluation, but these do not, and will
not in the future, comprise part of any offer capable of acceptance.
Any information concerning pricing and rates is purely indicative. If your initial evaluation favours a
solution based on the Cisco products, we will assist you in identifying a Cisco accredited systems
integrator of your choice from a number of well-established companies in the UK and you will be free to
negotiate commercial and contractual terms with one or more of those integrators. As part of the same
process, you should have any Cisco compliance statements verified or modified by the integrator based
on the design proposed by the integrator.
The Cisco logos, trademarks and other information provided by Cisco appear in this response with
Cisco’s permission and are proprietary and confidential information of Cisco Systems, Inc.
Contents
1 Executive Summary 4
1.1 Introduction 4
1.1.1 Executive Summary 4
1.2 Proposed Solution 6
1.2.1 Secure Wireless LAN Background – Manual Y 6
1.2.2 Current Secure Wireless LAN Guidance – AP12 6
1.2.3 Main Differentiators - Manual Y and AP12 7
1.2.4 Cisco Approach for Secure Wireless LAN 7
2 Architectural Overview 9
2.1 Model 1 – AP12 Local/Cloud Managed Wireless LAN 10
2.1.1 Model 1a – AP12 Local Wireless LAN Controller 10
2.1.2 Model 1b – AP12 Cisco Cloud Based Wireless LAN 11
2.2 Model 2 – AP12 Centralised Wireless LAN Controller 13
2.3 Model 3 – Wireless LAN for IL2 PSN Connection 15
2.3.1 Deviation from AP12 Guidance 16
2.4 Model 4 – IL3 Based Wireless LAN Approach 17
2.4.1 Model 4a – IL3 Based WLAN 17
2.4.2 Enhanced Wireless Security 18
2.4.3 Cisco ISE Benefits 19
2.4.4 Mobile Device Management Support 21
2.4.5 Deviation from AP12 Guidance 21
2.4.6 Model 4b – Addition of VPN IPsec Overlay 22
2.5 Architecture Management 23
2.6 Architecture Sample Kit List 24
2.7 Model Comparison 25
2.8 General Wireless Design Considerations 29
2.8.1 Points for Consideration 29
2.9 Architecture Enhancements 31
2.9.1 Enhancements to the Service 31
2.10 Guest User Experience 31
2.10.1 Guest User Experience 31
3 Cisco Differentiators 33
3.1 Cisco Differentiators 34
4 Appendix 37
4.1.1 Cisco Key Wireless LAN Key Technology Areas 38
4.1.2 Cisco Cloud Managed Wireless LAN 38
4.1.3 Cisco WLAN Controllers 38
4.2 Cisco Wireless Network Management 39
4.3 Cisco Mobility Services Engine (MSE) 39
4.4 Cisco Identity Services Engine (ISE) 39
4.4.1 Cisco ISE Appliances 39
4.4.2 Cisco Secure Network Server 39
4.4.3 Cisco ISE Licensing 39
Figures
Figure 1 - AP12 Local WLC 10
Figure 2 - AP12 Cloud Managed 11
Figure 3 – AP12 Central WLC 13
Figure 4 – IL2 Based Connectivity 15
Figure 5 - IL3 Based Connectivity 17
Figure 6 - IL3 Based Connectivity with VPN Client 22
1. Executive Summary
1.1 Introduction
1.1.1 Executive Summary
Wireless LAN coverage is an ever-increasing necessity of the
modern workplace, especially as mobile technologies such as
smartphones and tablets become commonplace at work.
A large percentage of these devices don’t have the capability
for a wired Ethernet connection and therefore rely on the presence
of a wireless infrastructure to operate successfully. Some of the
latest laptops released don’t include a wired Ethernet port by
default, so there’s a clear emphasis in the industry to steer
towards a wireless environment. With the ever-increasing
capability of mobile devices, together with the continual increase
in wireless throughput (one Gbps wireless LAN throughput is
a reality today), there’s a clear need for a comprehensive and
robust wireless deployment strategy in all public and private
sector organisations.
Users are no longer fixed to desks with a single desktop PC for
connection to the network - instead it’s more common to see
users with a multitude of devices, each with different levels of
network access. This can range from full corporate access for
company-issued laptops or smart devices to limited access
for BYOD devices. Equally, services are no longer restricted
to a particular device or even IP subnet, as traditional data
and voice devices were. Multiple services can easily be established
from a single end user device: a smartphone, for example, can
make phone calls and video calls whilst sending and
checking emails. It’s therefore imperative that
the wireless service that carries this information has the ability
to distinguish between these differing streams of data, so that
any Quality of Service may be applied. This not only ensures
business critical applications are guaranteed as they traverse
the network, but also ensures that non-business critical
applications can be dropped if necessary.
To realise these benefits, this document outlines the possible
approaches of a Cisco wireless LAN infrastructure that could
be deployed within a secure environment. A typical example
of which could be UK Central Government Departments
where the network may be accredited to carry classified data
with the need to apply additional technical controls to protect
sensitive data.
A wireless LAN solution that allows flexibility, mobility, security,
visibility and control will be fundamental to achieving this
working environment.
1.2 Proposed Solution
The proposed solutions within this document are primarily
aimed at satisfying wireless LAN solutions for UK Central
Government departments that will ultimately be connected
to and form part of the shared Public Services Network (PSN). As
such, there may also be relevance to distributed Government
departments, such as local councils, where a PSN based WAN
and / or LAN is present.
1.2.1 Secure Wireless LAN Background – Manual Y
CESG Infosec Manual Y, Use of WPA2 Unevaluated Wireless
Technology in Government Systems, was a paper published
by CESG that provided guidelines on deploying Wireless
LAN for use in networks classified to RESTRICTED. It was
recommended that any UK Government body planning to
implement a Wireless LAN to deliver RESTRICTED data or
voice services should consider the guidance within Manual
Y from CESG.
The accreditation process involved engaging either CESG directly,
or a suitably trained CLAS consultant. First a high level design
needed to be produced, reviewed by the CLAS consultant
and approved in principle. Secondly, the solution needed to
be implemented and ultimately signed off by the department’s
accreditor. The accreditor may require a penetration test. All the
above activity needed to be budgeted for as part of the project.
Manual Y called for a secure, standards based Wireless LAN
using 802.11i certificate based authentication and encryption
methods that leverage a PKI infrastructure. Additional
measures are required to protect the authentication servers
and the Certificate Authority and to lock down the client. By using
Layer 2 security a Manual V or CAPS VPN is not required.
1.2.2 Current Secure Wireless LAN Guidance – AP12
In February 2013, the first issue (Version One) of Architectural
Pattern 12 (AP12) was released; it replaces CESG Infosec
Manual Y, Use of WPA2 Unevaluated Wireless Technology in
Government Systems.
AP12 proposes a number of architectures aimed at managing
the security risks of wireless LAN networking.
The AP12 document provides guidance rather than a
mandatory policy; however, to conform to AP12, all the ‘must’
statements within the document need to be followed. When
implementing a solution to AP12, strict adherence to the
controls contained within it does not automatically result in
a secure solution - it remains the role of the accreditor, in
collaboration with the systems integrator, to ensure that the
solution implemented is appropriate to the context within
which it is deployed.
AP12 requires the managed endpoint to use a Virtual Private
Network (VPN) solution, such as Cisco AnyConnect Secure
Mobility Client to encrypt traffic between the managed
wireless endpoint and the enterprise VPN gateway, thus
ensuring the confidentiality and integrity of data in transit
over the wireless network is protected.
1.2.3 Main Differentiators - Manual Y and AP12
The main differentiation between Manual Y and AP12 is the level
of trust associated with the underlying wireless infrastructure.
Manual Y was based on the use of embedded capabilities
within the wireless infrastructure to provide confidentiality
and integrity to the client’s traffic. Furthermore the wireless
network infrastructure devices were physically connected to
the main departmental LAN offering a truly integrated wired
and wireless service to users.
AP12 on the other hand sees the introduction of a completely
separate physical network infrastructure, dedicated to wireless
LAN with the requirement that a corporate managed endpoint
utilises an IPsec VPN to provide traffic confidentiality and
integrity protection – in essence the wireless infrastructure is
viewed as untrusted. Following the AP12 guidance provides
no direct connection to the local departmental LAN but instead
a connection is only achieved through the IPsec VPN tunnel.
1.2.4 Cisco Approach for Secure Wireless LAN
There are many approaches and methods that could be
adopted to satisfy the guidance outlined in CESG AP12; the choice
will ultimately be subject to the individual customer’s business
needs, the traffic profile and security requirements.
Fundamentally our wireless solution is based around a
centralised deployment model that uses a wireless controller
concept providing a single point of administration and traffic
egress for all connected access points. This model contrasts
with an autonomous architecture whereby each access point
becomes a managed endpoint and traffic egress is distributed.
This document will suggest four approaches that may be
considered. The first two approaches follow the principles of
AP12, including the provision of a separate dedicated wireless
infrastructure with either local wireless controllers or central
wireless controllers, of which the latter assumes deployment
in a multi-site environment.
The third approach introduces a variation on this theme and
adopts some of the principles of a commercial good
practice deployment of wireless technology, whereby the
wireless infrastructure devices are connected directly to the
LAN and traverse the IL2 PSN WAN backbone to centralised
IL2 resources. Importantly, an assumption has been made
that the guest wireless infrastructure will remain separate and
isolated from the corporate wireless infrastructure.
The final approach will propose what is considered good
practice and will steer away from the AP12 guidance, although
a wide range of security controls will be considered, delivering
the necessary protection of traffic confidentiality and providing
a high degree of access control security. This approach will
see the wireless infrastructure form an integrated part of the
secure environment and is a model that shares many of the traits
of the older Manual Y guidance.
Importantly, this approach keeps the guest wireless
infrastructure separate, and for the purposes of this
document, it is assumed for this final approach that the guest
infrastructure is via a separate dedicated infrastructure,
although this again may be subject to individual customer
requirements. Guest and Corporate infrastructures in this
instance will be separate and isolated.
A customer may wish to choose any or none of these
approaches in order to satisfy their wireless LAN requirements,
and we have the breadth of portfolio and expertise to ensure
that an appropriate solution can be investigated.
Irrespective of the solution proposed, in each case any connection
that involves the use of an unmanaged wireless device
connecting to a managed wireless LAN infrastructure will
utilise dedicated wireless infrastructure on an isolated LAN
segment. This would be applicable to guest users’ devices
or contractor users’ devices, as an example, and follows the
principles of the unmanaged devices guidance published by
the Cabinet Office PSN team, which subsequently forms CESG
Architectural Pattern 7 (AP7).
2. Architectural Overview
2.1 Model 1 – AP12 Local/Cloud Managed Wireless LAN
With reference to CESG document Architectural Pattern 12 (AP12), this approach is a combination of Scenarios one and
three and, where this guidance is followed, is considered to be the most likely deployment method for small and simple
use cases.
2.1.1 Model 1a – AP12 Local Wireless LAN Controller
Figure 1 - AP12 Local WLC
(Diagram: a customer site with a local WLC, (n) x AP and an advertised wireless LAN SSID on an IL0 guest LAN, alongside the IL2 LAN, IL3 LAN and PSN CE router; a WAN / Internet connection; and a customer data centre holding IL2 and IL3 resources, trusted corporate resources, an MDM, a PSN CE router with IL3 overlay onto the IL2 PSN WAN, and a DMZ with a VPN concentrator, boundary firewall and optional management, security and location services (Prime Infrastructure, MSE, ISE). The corporate managed client runs the AnyConnect VPN client and carries a client based VPN encrypted tunnel direct to the VPN concentrator; guest client traffic goes direct to the Internet.)
The above model is based on a multi-site network and assumes
that the VPN termination point is located centrally in the data
centre. Following this assumption, this approach considers that
there will be a dedicated wireless LAN infrastructure within a
site consisting of wireless access points and a local wireless
controller. This will be connected to a dedicated and physically
segmented network that will have a direct Internet connection
over which all wireless traffic will be transported.
All of this infrastructure will be isolated from any accredited
networks that carry protectively marked traffic or traffic
designated higher than IL0.
The wireless LAN network SSID will be advertised and both
corporate and guest users may associate to it with all traffic
being routed either directly to the Internet (guest traffic) or
to the VPN concentrator hosted in the central data centre
(corporate traffic).
For a corporate device, subject to the clients’ local security
requirements, an IPsec VPN client will be required to secure
the session between the device and the trusted network.
All traffic between the client and the trusted network will
be encapsulated within this IPsec tunnel, which is
independent of the wireless LAN infrastructure. Once the
secure tunnel has been established, this will allow the user
access to departmental resources as determined by local
security policies.
For guest and/or contractor users, clients will associate to
the advertised open SSID, but upon launching their internet
browser, they will be redirected to a captive portal hosted
on the wireless controller, where they will be challenged to
authenticate with a username and password. Once entered,
they will then be given access to the local LAN and provided
direct access to the Internet.
2.1.2 Model 1b – AP12 Cisco Cloud Based Wireless LAN
As an alternative to the previous example, Model 1b follows similar lines to Model 1a, with the exception that in this instance the
use of the Cisco cloud based Wireless LAN (Meraki) solution is considered. This may not be suitable for all departments, as the
management traffic (not data) will be sent to the Cisco public cloud, and therefore careful consideration should be given to the
additional risks this model may introduce.
Figure 2 - AP12 Cloud Managed
(Diagram: a customer site with Cisco cloud based access points advertising the wireless LAN SSID on an IL0 LAN, alongside the IL2 LAN, IL3 LAN and PSN CE router, with a WAN / Internet connection; access point management is performed from the Cisco cloud based network (Meraki); the customer data centre holds IL2 and IL3 resources, trusted corporate resources, a VPN concentrator, a PSN CE router with IL3 overlay onto the IL2 PSN WAN, and an Internet connection. The corporate managed client runs the AnyConnect VPN client and carries a client based VPN encrypted tunnel direct to the VPN concentrator via the AP and local Internet; the guest client goes direct to the Internet.)
The above model is based on a multi-site network and assumes
that the VPN termination point is located centrally in the data
centre. Following this assumption, this approach considers
that there will be a dedicated wireless LAN infrastructure
within a site consisting of Cisco cloud based wireless access
points. This will be connected to a dedicated and physically
segmented network that will have a direct Internet connection
over which all wireless traffic will be transported.
All of this infrastructure will be isolated from any accredited
networks that carry protectively marked traffic or traffic
designated higher than IL0.
The wireless LAN network SSID will be advertised and both
corporate and guest users may associate to it with all traffic
being routed either directly to the Internet (guest traffic) or
to the VPN concentrator hosted in the central data centre
(corporate traffic).
For a corporate device, subject to the clients’ local security
requirements, an IPsec VPN client will be required to secure the
session between the device and the trusted network. All traffic
between the client and the trusted network will be encapsulated
within this IPsec tunnel, which is independent of the wireless
LAN infrastructure. Once the secure tunnel has been
established, this will allow the user access to departmental
resources as determined by local security policies.
For guest and/or contractor users, clients will associate to
the advertised open SSID, but upon launching their internet
browser, they will be redirected to a captive portal hosted
within the Cisco Cloud wireless LAN service, where they will
be challenged to authenticate with a username and password.
Once entered, they will then be given access to the local LAN
and provided direct access to the Internet.
All wireless LAN management will be performed from the
cloud based solution. No client user traffic goes via the cloud,
as all user traffic will be dropped onto the local network.
Access to the deployed wireless LAN access points can be
achieved via the department’s Internet connection, through an
SSL connection to the web GUI, from which the department’s
deployment of Cisco cloud based access points can be managed
and guest accounts set up. Additionally, from here, rules could
be set up to block certain traffic types, such as Netflix, for example,
if these are seen as non-business critical.
2.2 Model 2 – AP12 Centralised Wireless LAN Controller
This second approach is again produced in line with scenarios one and three from within the CESG AP12 document and is
considered to be the most likely deployment method for larger and more distributed deployments or where an element of central
control and visibility may be needed for guest users.
2.2 Model 2a – AP12 Centralised Wireless LAN Controller
Figure 3 - AP12 Central WLC
(Diagram: a customer site with access points advertising the wireless LAN SSID on an IL0 guest LAN, alongside the IL2 LAN, IL3 LAN, MDM and PSN CE router, connected over a WAN / Internet circuit; a customer data centre holding IL2 and IL3 resources, trusted corporate resources, a PSN CE router with IL3 overlay onto the IL2 PSN WAN, and a DMZ with WLC(s), a VPN concentrator, boundary firewall and optional management, security and location services (Prime Infrastructure, MSE, ISE). A CAPWAP DTLS tunnel carries all access point data traffic to the central WLC(s); the corporate managed client runs the AnyConnect VPN client and carries a client based VPN encrypted tunnel direct to the VPN concentrator via the AP CAPWAP tunnel; guest client traffic goes direct to the Internet via the CAPWAP tunnel.)
As above, this second approach is based upon the assumption
that most customers’ VPN concentrator solutions will be
located in the data centre and therefore in order to meet the
requirements set out in AP12, a dedicated, physically isolated
infrastructure consisting of wireless LAN access points, LAN
switches and a WAN router must be deployed in the branch
locations where wireless connectivity is required. An additional
Internet WAN / DSL circuit will then be required to connect
this dedicated infrastructure to an Internet DMZ located within
the data centre. All wireless LAN traffic from the branch site
will then be tunnelled, via a CAPWAP tunnel from the access
points and terminated on a wireless controller located within the
DMZ. At this point, departmental traffic will be able to reach the
Internet facing interface of the VPN concentrator, whilst guest
users will be provided with direct Internet connectivity.
All of the wireless infrastructure equipment would be
physically separated from the existing accredited departmental
network and a dedicated WAN or Internet connection should
be provisioned to carry wireless client traffic to the centralised
wireless LAN controllers.
As with the first deployment model, the wireless LAN network
SSID will be advertised on the branch site whereby corporate
users and guests may associate to it. All traffic will be
terminated centrally before egressing to the Internet or VPN
concentrator as necessary for their connection.
For a departmental device (if CESG AP12 guidance is
followed), an IPsec VPN client will be required to secure the
connection between the device and the trusted network.
All traffic between the client and the trusted network will be
encapsulated within this IPsec tunnel, which is independent
of the wireless LAN infrastructure. The VPN session will
traverse the local wireless network and pass through the
CAPWAP tunnel to the centralised wireless LAN controller
where the VPN traffic is then forwarded to the Internet facing
interface of the VPN concentrator. Once the secure tunnel has
been established with the VPN concentrator, user access to
departmental resources will be permitted as determined by
departmental security policies.
For guest and/or contractor users, clients will associate to the
advertised open SSID, and again, all traffic will be forwarded,
via the CAPWAP tunnel to the central wireless controllers
in the DMZ where the CAPWAP tunnel will terminate. Upon
launching their Internet browser, users will be redirected to a
captive portal hosted on the wireless controller where they will
be challenged to authenticate with a username and password.
Once entered, they will then be permitted access to the central
DMZ LAN for direct Internet connection and can either surf the
internet or launch their own VPN connection as appropriate.
Central filtering of guest traffic can also be provided if required
by departmental security policy.
It should be noted that this scenario also scales more readily
than the first approach since the central wireless LAN
controllers could be used to terminate CAPWAP tunnels from
access points located in multiple branch sites.
2.3 Model 3 – Wireless LAN for IL2 PSN Connection
This third approach steers away from the guidance of AP12 and instead adopts some of the key principles that may be familiar
from the delivery of a Manual Y based solution.
2.3 Model 3a – Wireless LAN for IL2 PSN Connection
Figure 4 – IL2 Based Connectivity
(Diagram: a customer site with an IL2 LAN and IL3 LAN where the corporate managed client associates to the ‘Corp’ SSID using 802.1X, WPA2-AES and EAP-TLS, plus an optional IL0 LAN with an open ‘Guest’ SSID; PSN CE routers onto the IL2 PSN WAN (with IL3 overlay) and an IL0 WAN; a customer data centre holding IL2 and IL3 resources, corporate WLC(s), guest WLC(s) in an Internet DMZ, a boundary firewall, ISE, MSE, MDM, Prime Infrastructure, DHCP, AD, CA and OCSP. A CAPWAP with DTLS tunnel carries all corporate access point traffic to IL2 resources; guest traffic goes direct to the Internet via the AP CAPWAP tunnel over the IL0 WAN. Note: guest access is optional and customer dependent; approaches may vary depending upon customer requirements.)
In the previous approaches, dedicated WAN and LAN
infrastructure would be deployed in each location where WLAN
connectivity is required. Depending on the scale of the wireless
coverage required, this could result in significant additional
investment in parallel infrastructure. This third approach
considers these cost implications and proposes that existing
network infrastructure is utilised to transport departmental traffic
only, with a separate, more limited infrastructure that could
be deployed in selective areas for guest wireless coverage.
Transporting guest traffic over an existing accredited IL2 or IL3
infrastructure without any assured cryptographic separation is
likely to represent too great a risk to most clients and so this
scenario assumes the underlying transport network for guest
traffic remains on a separate, isolated network infrastructure.
This guest infrastructure method may adopt any of the previous
examples represented, but will allow the department to choose
a more cost effective approach that could be deployed in
selective areas.
This model approaches the solution from the basis that access
is required to IL2 resources, via an IL2 based WAN connection.
It is anticipated that this scenario is for IL2 based client activity
only and not IL3. This may represent scenarios that may be
more pertinent to Local Government clients in particular.
This method proposes that the access points be connected
directly to the existing IL2 LAN. Traffic from the access points
will be encapsulated within a DTLS encrypted CAPWAP tunnel
which is then terminated on a centralised WLAN controller.
This approach has been considered to address the needs
of many local government departments who have adopted
such a model today. This model is broadly in line with CESG
Manual Y and it is generally considered acceptable to
meet the current PSN Code of Connection (CoCo), although
it is important to note that Cisco provides no guarantees of
CoCo compliance should this approach be taken. It should
also be noted that a suitable risk assessment should always
be undertaken to determine if such an approach adequately
mitigates risks within the target environment.
Corporate client authentication and authorisation will be
conducted via the use of mutual authentication in the form
of EAP-TLS with client / server based digital certificates.
Upon completion of the authentication process, WPA2-AES
wireless encryption shall be utilised to secure the wireless
session and there will be no reliance upon client based VPN
to secure the session.
In order to manage the increased risk associated with connecting the access points to the trusted environment and not using an assured method of encryption, additional security controls can be deployed through the introduction of a centrally located Cisco Identity Services Engine (ISE). ISE delivers a range of network admission control functions, allowing tighter control over the wireless or wired device type, operating system, patch level and presence of endpoint security software such as anti-virus and personal firewall.
The Cisco ISE can also be used to enforce extensive policy
rules. These rules can be based on the contextual identity of
the user or device and can be applied in a consistent manner
across wired, wireless or even VPN connections.
Guests and/or contractors will associate to the wireless LAN via a separate dedicated open SSID, and all their traffic will be forwarded via a CAPWAP tunnel to a separate, centralised wireless controller in an Internet DMZ. On launching their Internet browser, guest users will be redirected to a captive portal page hosted on a guest Cisco ISE platform, where they will be challenged to authenticate with a username and password. Once authenticated, they may be subjected to a series of additional security controls, such as time-of-day restrictions or network layer access control policies. Guest users are then permitted to access the Internet or to launch their own VPN connection as appropriate. Central filtering of guest traffic can also be provided if required by departmental security policy.
It should be noted that like the previous example, this scenario
is more readily scalable due to the deployment of a central
wireless controller. In addition, this scenario also scales more
readily for the guest users when compared to the previous
two approaches, since the central Cisco ISE platform could be
expanded to support many thousands of guest connections
and multiple authentication methods from the branch sites.
With a suitably designed topology, both corporate and guest
wireless authentication could be achieved with the use of the
Cisco ISE platform.
2.3.1 Deviation from AP12 Guidance
This model deviates from the guidance within AP12 as it
suggests the use of an existing PSN based WAN connection
and existing IL2 LAN to both connect access points to and
facilitate the transport of corporate wireless LAN traffic. The
assumption is that guest wireless LAN traffic will remain upon
a separate, isolated network infrastructure.
This reduces cost by utilising existing WAN circuits and LAN equipment, as it removes the additional burden of managing and maintaining a dedicated WLAN network – although such a network would still be required for guest users, it should be of a much smaller scale.
By adopting a solution that does not rely upon IPsec VPN connectivity at the edge, visibility of the wireless client traffic can be gained; business critical applications such as Jabber, TelePresence or WebEx can therefore be identified by the wireless LAN system, classified and QoS policies properly applied, enhancing the overall user experience. This also helps to ensure that non-business critical applications can be identified and marked at a lower priority, or their traffic dropped, to ensure the availability of business critical applications.
2.4 Model 4 – IL3 Based Wireless LAN Approach
This final deployment model again deviates from AP12 and proposes a solution that represents a commercial good practice
approach following a similar line to that defined in the now obsolete CESG Manual Y guidance.
Two approaches are presented here. The first, Model 4a, considers a solution that is very much in line with Manual Y. The second, Model 4b, adds to this solution by again introducing an IPsec VPN overlay.
2.4.1 Model 4a – IL3 Based WLAN
Figure 5 – IL3 Based Connectivity
[Diagram: Customer Site with a ‘Corp’ SSID (802.1x, EAP-TLS, WPA2-AES) for the Corporate Managed Client and an open Guest SSID for the Guest Client; IL3 LAN and IL0 LAN behind PSN CE routers; CAPWAP DTLS tunnel for all Access Point data traffic via the IL3 overlay over the IL2 PSN WAN, and a second CAPWAP DTLS tunnel via the IL0 WAN carrying guest traffic direct to the Internet; Customer Data Centre with trusted corporate resources (WLC, DHCP, AD, CA/OCSP, ISE, MSE, Prime Infrastructure) and a DMZ (boundary firewall, ISE, WLC(s), MSE). Note: guest access is optional and customer dependent; approaches may vary depending upon customer requirements.]
In this model, the wireless access points will be connected
directly to the accredited IL3 LAN and the wireless
infrastructure will be utilised by trusted corporate users only.
A corporate client will associate to an advertised SSID and
will then perform an 802.1x authentication session with the
RADIUS function of Cisco ISE server. The client will perform
mutual authentication using EAP-TLS, with digital certificates
issued by a departmental PKI. A policy within the ISE will ensure that the corporate device is profiled, classified and controlled, such that the device type and security posture (anti-virus version, operating system patch level, etc.) can be identified and an appropriate access policy applied.
The Cisco ISE is feature-rich and many additional capabilities
can be deployed to further secure the session, such as
Security Group Tagging. The client could take advantage of the Cisco NAC client supplicant, so that continued and periodic checks can be performed upon the client to ensure that it still complies with the defined security policy after the authentication and authorisation stage has completed.
Once authentication is complete, the client’s wireless connection will be secured with dynamic keys using WPA2 AES-CCM encryption. All traffic from the access points will be tunnelled to the wireless controller using Datagram Transport Layer Security (DTLS) protected CAPWAP tunnels.
Since an IPsec VPN will not be utilised in this approach, the
wireless LAN controller will have full visibility of the wireless
traffic and a range of application visibility controls can be
utilised. At the most basic level, quality of service can be
applied to the wireless traffic to ensure that voice and video
applications can be prioritised. More advanced capabilities
can also be deployed based on Cisco Application Visibility
and Control (AVC) including:
• Network-Based Application Recognition Version 2 (NBAR2),
next-generation Deep Packet Inspection (DPI) technology
that can identify more than 1000 applications and support
application categorisation, with the ability to update the
protocol definition.
• NetFlow Version 9 export to select and export data
of interest, allowing easy consumption of application
performance statistics by Cisco and third-party applications.
• Reporting and management tools, such as Cisco Prime™
Infrastructure with Assurance module, an enterprise-grade
infrastructure and service-monitoring tool for reporting of
application and network performance that can provide up to
30 different reports for application visibility.
It is recognised that mixing of IL3 traffic with guest traffic will
not be an acceptable deployment option and so it’s proposed
that a separate infrastructure should be deployed that satisfies
any requirement for guest access. This could take the form
of any of the previous three models dependent upon specific
guest requirements.
2.4.2 Enhanced Wireless Security
With the addition of the Cisco MSE platform, both location
tracking and fully featured IDS monitoring become a real
feature of our wireless LAN solution.
At the core of the Cisco Adaptive Wireless IPS is an advanced approach to wireless threat detection and performance management. While most market solutions rely solely on over-the-air passive traffic monitoring, the Cisco Adaptive Wireless IPS combines network traffic analysis and network device and topology information with signature-based techniques and anomaly detection to deliver highly accurate and complete wireless threat prevention. Because the solution is infrastructure integrated, Cisco can continually monitor wireless traffic on both the wired and wireless network. That network intelligence can be used to analyse attacks from many different sources of information, to more accurately pinpoint and proactively prevent attacks instead of waiting until damage or exposure has occurred.
Building upon the core detection capabilities, Cisco Adaptive Wireless IPS delivers rich attack classification as well as mitigation, alerting and reporting features. From a classification
standpoint, the system provides users with flexible rules for
automatically classifying security events. Automatic
classification along with the system’s inherent accuracy,
greatly reduces the operational expenses associated with
manual investigation of potential threats detected by the
system. The classification can also be linked with the threat
mitigation actions, enabling either manual or automatic
mitigation of security events based on their severity. The
system can also alert IT operators of both detection and
mitigation events based on the severity classification of
the event.
To assure full visibility into the wireless environment, Cisco Adaptive Wireless IPS also detects performance-related issues, non-802.11 devices (Bluetooth, radar, microwaves, etc.) and attacks. Utilising radio resource management (RRM), the system provides unmatched performance and network self-healing. Information collected relating to noise and interference, as well as client signal strength and other data, is used to dynamically assign channels and adjust access point transmit power in real time. This avoids co-channel interference, routes around failed devices and minimises coverage holes. For performance degradation and attacks spawned by non-802.11 sources, the solution delivers an RF spectrum expert with the ability to detect non-802.11 devices or sources of interference that could mask denial-of-service attacks generated by non-802.11 devices. Non-802.11 devices such as Bluetooth access points can impact the performance of wireless networks or, even more damagingly, create ad hoc connections to your wireless network through authenticated client devices.
Prime Infrastructure (PI) provides wireless IPS network
management and reporting on a unified configuration as well as
security event management and reporting with physical location
tracking of where the security event took place on the network.
With system forensics, an administrator can play back events with the ability to trace, locate and capture any WLAN or RF event. Real-time security posture and events are viewed via a consolidated security dashboard in PI. Historical event data can be stored using the Mobility Services Engine (MSE) as a platform, allowing access to large files with multi-year forensic data reporting accessible via PI. This allows for more complex analysis over time as well as compliance reporting.
The Cisco access points can be deployed in three modes that can leverage the capability of wireless IPS. In the first, the access points are deployed as standard client-serving devices, but periodically come off channel to scan for wireless threats. The second is to deploy access points specifically as air monitors, giving greater granularity and control over the wireless threat. The last option is to deploy sensor modules, Wireless Security & Spectrum Intelligence Modules (WSSI), within the Cisco 3600 series access points, which gives the flexibility of serving clients whilst having a dedicated monitoring device within the same AP.
2.4.3 Cisco ISE Benefits
Cisco ISE is a next-generation identity and access control
policy platform that enables enterprises to enforce
compliance; enhance infrastructure security in wired, wireless,
and BYOD environments; and simplify service operation.
Cisco ISE offers this solution with the following benefits:
• Improved operational efficiency: ISE on-boarding
and security automation, central policy control, visibility,
troubleshooting, and integration with Cisco Prime means
IT and the help desk can spend far less time on user and
network security fixes and changes.
• Enhanced automated on-boarding: ISE self-service
registration portal for BYOD, guest, and IT device onboarding automates AAA user identification, device profiling
and posturing, 802.1X provisioning, and remediation, so it’s
easy for employees to get their devices on-net and comply
with security policy.
• Enhanced automated device security: ISE provides device
posture check and remediation options, including integration
with MDM solutions and the lightweight Cisco Network
Admission Control (NAC) Client, so it’s easy for users to
keep their devices secure and policy-compliant.
• Advanced anywhere access: ISE provisions policy on the
network access device in real-time, so mobile or remote
users can get consistent access to their services from
wherever they enter the network.
• Increased employee availability: Through wired, wireless,
and VPN networks, the ISE allows enterprises to more easily
authenticate and authorise users. This means more uptime
and availability for employees who want to work from any
location, at any time, from any device.
• Advanced guest management services: Through
provisioning, notification, management, and reporting of
guest user accounts, the ISE provides complete guest
lifecycle management by empowering sponsors to onboard guests, thus reducing IT workload. Since the platform
automates much of this process, this can help save both
time and money on security.
• Amplified identity enforcement: ISE uses the industry’s
first device profiler with automated updating to identify each
device; match it to its user and to other attributes, including
time, location, and network; and create a contextual identity
so IT can apply granular control over who and what is
allowed on the network.
• Improved security policy enforcement: The ISE enforces
security policies by blocking, isolating, and repairing noncompliant machines in a quarantine area without needing
administrator attention. The platform can be set up with
alerts for IT administrators for 24/7 policy enforcement of
your network security protocols.
• Advanced policy enforcement: Based on the users’
contextual identity, ISE sends secure access rules to the
network point of access. IT is assured of consistent policy
enforcement whether the user is trying to access the
network from a wired, wireless, or VPN connection.
• Enhanced infrastructure security: The ISE allows
the gathering of real-time contextual information from
the network, users, and devices, and makes proactive
governance decisions by enforcing policy across the entire
network infrastructure.
• Improved security compliance: A single dashboard
simplifies policy creation, visibility, and reporting across
all company networks so it is easy to validate compliance
for audits, regulatory requirements, and mandated federal
802.1X guidelines.
• Improved network monitoring: Through periodic evaluation
and remediation, the ISE addresses vulnerabilities on user
machines. In addition, it is able to discover, classify, and
associate identity for network endpoints connecting to the
network. This makes it easier for IT teams to view the entire
network at a glance and monitor traffic.
Further information and validated design approaches can be found here:
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~slng
2.4.4 Mobile Device Management Support
The Cisco ISE platform integrates with a number of leading Mobile Device Management (MDM) platform vendors, such as MobileIron, AirWatch, Citrix Zenprise, MaaS360, Good and iAnywhere, to name a few. These provide the ability to further enhance the manageability of the smart device, such that the following can be easily achieved:
• Containerise
• Remote wipe
• Back-up
• Jailbreak
• Pin lock
• Personal devices
Should an organisation wish to deploy smart devices, ISE works closely with MDM platforms via an API to check device health and to specify the level of control over devices. It enforces on-premise MDM device registration and restricts access accordingly. The MDM augments endpoint data and intelligence, allowing ISE to take action on the device and its access rights. The Cisco NAC agent examines Mac and Windows devices for attributes such as operating system and anti-virus status.
Management can also be in line with existing methods deployed for the departmental network management infrastructure, and there would be no need to purchase additional management infrastructure to manage the IL3 based wireless LAN deployment.
2.4.5 Deviation from AP12 Guidance
As a recap of the previous sections for this approach, this model deviates from the guidance within AP12. It suggests the direct connection of wireless LAN access points to the secure network and the use of the wireless LAN equipment to encrypt the wireless traffic for the managed client, using 802.1x based EAP-TLS mutual authentication with WPA2 AES-CCMP encryption, as opposed to an IPsec based VPN solution. This solution would also rely upon the additional controls that may be adopted through the use of toolsets such as Identity Services Engine (ISE) with Mobile Device Management (MDM) integration, and monitoring tools such as Prime Infrastructure (PI) with Mobility Services Engine (MSE) for wIPS and advanced location services. These extra measures can help to mitigate the risk by giving visibility of the trusted clients, where they are connecting from and what they are using to connect with; visibility of traffic from the client; the adoption of Quality of Service profiles; and the ability to periodically monitor the client to ensure that the policies and controls are not compromised, in addition to the ability to continuously monitor the RF environment for advanced wireless intrusion protection and mitigation.
There will be no guest wireless LAN overlay integrated within this solution and a separate infrastructure will be required, which may take the form of any of the models previously described within this document, as appropriate. Not including guest wireless LAN traffic on the same infrastructure as a secure wireless LAN that is directly connected to an IL3 accredited network is in line with current guidance published by CESG.
This model offers the potential benefit of cost reductions by utilising existing LAN and WAN connectivity, without the need to purchase additional dedicated equipment or service provider WAN connections, to provide wireless LAN connectivity to trusted departmental corporate users.
It will allow visibility of corporate client traffic, so that it can be identified and appropriately handled with Quality of Service to protect business critical applications and collaboration services, such as real-time voice and video services.
By adopting this proposal, the solution could be considered to be more akin to the methods deployed in the previous Manual Y guidance, adopting a more commercial Enterprise good practice approach.
2.4.6 Model 4b – Addition of VPN IPsec Overlay
This approach considers the concerns that some customers may have with regards to connecting access points directly to the trusted environment and relying upon wireless LAN equipment encryption, which is not assured by CESG. This does add an extra layer of integrity to the solution, but it will be at the expense of traffic visibility and thus the inability to apply appropriate Quality of Service to the business critical applications.
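As an added example (not Cisco's code and not part of this document), the following Python encodes the properties the text attaches to Models 3, 4a and 4b as a design-rule check that a reviewer could run over a proposed WLAN build before accreditation; the dataclass fields, the rule set and the sample designs are assumptions made here.

```python
"""Design-rule check for the corporate and guest WLAN profiles of Models 3/4.

Added example, not Cisco's code. The field names, rule set and sample
designs are assumptions made here, not taken from the document.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

IMPACT_LEVELS = {"IL0": 0, "IL2": 2, "IL3": 3}


@dataclass
class Ssid:
    name: str
    auth: str            # "eap-tls", "psk" or "open"
    cipher: str          # "wpa2-aes-ccmp", "tkip" or "none"
    anchor: str          # where the CAPWAP tunnel terminates: "trusted-wlc" or "dmz-wlc"
    capwap_dtls_data: bool = True   # DTLS on CAPWAP data, not only control traffic


@dataclass
class WlanDesign:
    model: str                       # "3", "4a" or "4b"
    ap_lan: str                      # LAN the corporate APs plug into: "IL2" or "IL3"
    corp: Ssid
    guest: Optional[Ssid] = None
    guest_lan: Optional[str] = None  # LAN carrying guest AP traffic (expected: separate IL0)
    ipsec_overlay: bool = False      # Model 4b adds a client IPsec overlay
    controls: Set[str] = field(default_factory=set)  # e.g. {"ise-posture", "wips", "mdm"}


def check_design(d: WlanDesign) -> List[str]:
    """Return findings; an empty list means the build matches its model's stated properties."""
    findings: List[str] = []

    # Corporate SSID: 802.1X EAP-TLS mutual authentication with WPA2 AES-CCMP,
    # data tunnelled to the trusted-side controller inside a DTLS-protected CAPWAP tunnel.
    if d.corp.auth != "eap-tls":
        findings.append(f"{d.corp.name}: corporate SSID must use EAP-TLS, not {d.corp.auth}")
    if d.corp.cipher != "wpa2-aes-ccmp":
        findings.append(f"{d.corp.name}: corporate SSID must use WPA2 AES-CCMP, not {d.corp.cipher}")
    if not d.corp.capwap_dtls_data:
        findings.append(f"{d.corp.name}: CAPWAP data traffic must be DTLS protected")
    if d.corp.anchor != "trusted-wlc":
        findings.append(f"{d.corp.name}: corporate traffic should terminate on the trusted-side WLC")

    # Guest SSID: open, tunnelled to a DMZ controller, and never sharing the accredited LAN.
    if d.guest is not None:
        if d.guest.anchor != "dmz-wlc":
            findings.append(f"{d.guest.name}: guest traffic must terminate on a controller in the Internet DMZ")
        if d.guest_lan is None or IMPACT_LEVELS.get(d.guest_lan, 99) >= IMPACT_LEVELS["IL2"]:
            findings.append(f"{d.guest.name}: guest APs must sit on a separate isolated (IL0) infrastructure, not {d.guest_lan}")
        if d.guest_lan == d.ap_lan:
            findings.append(f"{d.guest.name}: guest and corporate traffic share the {d.ap_lan} LAN without assured separation")

    # Compensating controls: without an IPsec overlay the WLAN encryption (not CESG
    # assured) is the only protection, so the text leans on ISE posture checks and,
    # for the IL3 case, wIPS monitoring of the RF environment.
    if not d.ipsec_overlay:
        required = {"ise-posture"} | ({"wips"} if d.ap_lan == "IL3" else set())
        missing = required - d.controls
        if missing:
            findings.append("no IPsec overlay on the %s LAN; missing compensating controls: %s"
                            % (d.ap_lan, ", ".join(sorted(missing))))
    return findings


# Constructed sample designs (not from the document).
MODEL_3 = WlanDesign(
    model="3", ap_lan="IL2",
    corp=Ssid("Corp", "eap-tls", "wpa2-aes-ccmp", "trusted-wlc"),
    guest=Ssid("Guest", "open", "none", "dmz-wlc"),
    guest_lan="IL0",
    controls={"ise-posture"},
)

# A Model 4a build that has drifted from the text: PSK on the corporate SSID,
# guest SSID dropped onto the IL3 LAN itself, and no wIPS.
MODEL_4A_DRIFTED = WlanDesign(
    model="4a", ap_lan="IL3",
    corp=Ssid("Corp", "psk", "wpa2-aes-ccmp", "trusted-wlc"),
    guest=Ssid("Guest", "open", "none", "trusted-wlc"),
    guest_lan="IL3",
    controls={"ise-posture"},
)

if __name__ == "__main__":
    for design in (MODEL_3, MODEL_4A_DRIFTED):
        print(f"Model {design.model}: {check_design(design) or ['no findings']}")
```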
Figure 6 – IL3 Based Connectivity with VPN Client
[Diagram: as Figure 5, with the Corporate Managed Client running the AnyConnect VPN Client over the ‘Corp’ SSID (802.1x, EAP-TLS, WPA2-AES) and an open Guest SSID for the Guest Client; IL3 LAN and IL0 LAN behind PSN CE routers; CAPWAP DTLS tunnel for all Access Point data traffic via the IL3 overlay over the IL2 PSN WAN, and a second CAPWAP DTLS tunnel via the IL0 WAN to the Internet; Customer Data Centre with trusted corporate resources (VPN Concentrator, WLC, DHCP, AD, CA/OCSP, ISE, MSE, Prime Infrastructure, MDM) and a DMZ (boundary firewall, FW, ISE, WLC(s), MSE). Note: guest access is optional and customer dependent; approaches may vary depending upon customer requirements.]
2.5 Architecture Management
Consideration should be given to how any of the models previously described will be managed effectively. Departmental groups responsible for network management may already have systems in place to manage and report on the trusted corporate network infrastructure components, but these may reside within an accredited IL3 based environment. Having a separate network infrastructure in an unclassified environment may present challenges: either this network must be incorporated into the existing network management infrastructure, or the requirement for a second management system to manage this isolated network infrastructure must be investigated.
It may be acceptable to manage an unclassified network
component from an IL3 or IL2 based management
infrastructure with the appropriate controls and protection
in place, but this will be strictly down to the departmental
accreditor to ensure that this is feasible or appropriate for
the department in question. Clearly, additional management
systems may increase cost or complexity to the solution, but
may be unavoidable in some cases where management from
an existing IL3 or IL2 based network management platform is
deemed unacceptable.
Management of the secure wireless LAN solution or Guest
wireless LAN solution is out of scope of this document and
it is recommended that a suitably qualified Cisco Partner is
approached to understand the full design and configuration
requirements for the solution.
2.6 Architecture Sample Kit List
The list below represents an example of kit that could be deployed. It does not represent a definitive or accurate list of equipment
to order, as these will be subject to individual customer requirements.
Full design and configurations are available through a qualified Cisco Partner.
Part number | Description | Role

Scenario 1
AIR-CT2504-5-K9 | 2504 Wireless Controller with 5 AP Licenses | WLAN controller 2500 series
AIR-CAP2602I-E-K9 | 802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; E Reg Domain | 2600 series access point with CleanAir
Optional wireless controller approach: switch / wireless controller
WS-C3850-48F-E | Cisco Catalyst 3850 48 Port Full PoE IP Services | Unified Access switch (contains IOS based wireless LAN controller)
Optional wireless controller approach: ISR router with SRE blade
FL-SRE-WLC-5 | 5 access point license for Cisco Wireless Controller on SRE (when sold with ISR G2 system) |
Optional wireless controller approach: Cisco Meraki Cloud Wireless LAN
MR16-HW | Meraki MR16 Cloud Managed AP |

Scenario 2 + 3
AIR-CT5508-50-K9 | 5508 Series Controller for up to 50 APs | WLAN controller 5500 series
AIR-CAP2602I-E-K9 | 802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; E Reg Domain | 2600 series access point with CleanAir
HA option
AIR-CT5508-HA-K9 | Cisco 5508 Series Wireless Controller for High Availability |

Scenario 4 (not including guest)
AIR-CT5508-50-K9 | 5508 Series Controller for up to 50 APs | WLAN controller 5500 series
AIR-CAP2602I-E-K9 | 802.11n CAP w/CleanAir; 3x4:3SS; Mod; Int Ant; E Reg Domain | 2600 series access point with CleanAir
HA option
AIR-CT5508-HA-K9 | Cisco 5508 Series Wireless Controller for High Availability |

Optional management
R-PI12-BASE-K9 | Prime Infrastructure 1.2 Base License and Software | WLAN Management

Optional Wireless Location and Security
L-MSE-7.0-K9 | MSE Virtual Appliance (Please select L-MSE-PAK for MSE Lic) | Mobility Services Engine
L-MSE-PAK | MSE License PAK (E Delivery) |
L-WIPS-ELM-100AP | 100 AP WIPS Enhanced Local Mode licenses | Licenses for enhanced local mode Wireless Intrusion Protection - scans the channel that the access points are currently on

Optional advanced monitoring
L-WIPS-MM-100AP | 100 AP WIPS Monitor Mode licenses | Licenses for dedicated monitor mode access points - scan all channels for Wireless Intrusion Protection
AIR-CAS-1KC-K9 | Context Aware License For 1K Clients and Tags (RSSI based) | Context Aware
L-AD-LS-100AP | 100 AP Advanced Location Services licenses | Further enhanced location tracking

Identity and Policy Management
ISE-VM-K9 | Cisco Identity Services Engine VM | Cisco Identity Services Engine (ISE)
L-ISE-AD5Y-W-100= | Cisco ISE 100 Endpoint 5 Year Wireless Subscription License | Wireless license for ISE
2.7 Model Comparison
The table below attempts to demonstrate feature comparisons between the four wireless deployment models proposed in this document (✓ = yes, ✗ = no; a bracketed number refers to the notes at the end of the table):

Capabilities | Model 1: AP12 - local WLC or Cloud based | Model 2: AP12 - central WLC | Model 3: WLAN via IL2 PSN WAN | Model 4: WLAN via IL3

Common wireless infrastructure
Corporate only | ✓ | ✓ | ✓ | ✓
Corporate + Guest | ✓ | ✓ | ✗ | ✗
Corporate + Guest + Contractor | ✓ | ✓ | ✗ | ✗
Separate Corporate and Guest Infrastructure | ✗ | ✗ | ✓ | ✓
Isolated Corporate and Guest Infrastructure | (values not recoverable from the source)

Solution Complexity
Simple | ✓ | ✓ | ✗ | ✗
Intermediate | ✗ | ✗ | ✗ | ✗
Complex | ✗ | ✗ | ✓ | ✓

Corporate Client Wireless Authentication & Security
VPN Software | ✓ | ✓ | ✗ | ✗ (9)
VPN Software licenses required for VPN Concentrator | ✓ | ✓ | ✗ | ✗ (9)
Wireless Encryption Pre-Shared-Key (PSK) | ✓ (1) | ✓ (1) | ✗ (8) | ✗ (8)
Wireless Encryption WPA2 AES CCM | ✗ | ✗ | ✓ | ✓
AAA | ✗ | ✗ | ✓ | ✓
802.1X | ✗ | ✗ | ✓ | ✓
Client Digital Certificates | ✗ | ✗ | ✓ | ✓
EAP-TLS | ✗ | ✗ | ✓ | ✓

Corporate WAN Connectivity
Requires additional WAN circuit | ✓ | ✓ | ✗ | ✗
Requires additional WAN routers | ✓ | ✓ | ✗ | ✗
Uses customer’s existing PSN based WAN (IL2) | ✗ | ✗ | ✓ | ✓
Uses customer’s existing PSN based WAN (IL3 overlay) | ✗ | ✗ | ✗ | ✓

Local Site Corporate WLAN Connectivity
Requires additional LAN cabling | ✓ | ✓ | ✗ | ✗
Requires additional dedicated LAN switches, used for Corporate and Guest traffic | ✓ | ✓ | ✗ | ✗
Access Points connected directly to customer’s existing PSN based (IL2) LAN | ✗ | ✗ | ✓ | ✗
Access Points connected directly to customer’s existing PSN based (IL3) LAN | ✗ | ✗ | ✗ | ✓
Requires additional dedicated LAN switches for Guest only | ✓ (2) | ✓ (2) | ✓ (2) | ✓ (2)

Options for Central Data Centre Solution (5)
Requires DMZ connectivity for corporate only | ✓ | ✓ | ✓ | ✗
Requires DMZ connectivity for guest only | ✓ | ✓ | ✓ | ✓
Requires DMZ connectivity for corporate and guest traffic | ✓ | ✓ | ✗ | ✗
Requires DMZ connectivity for corporate only | ✓ | ✓ | ✗ | ✗
Requires DMZ connectivity for guest only | ✓ | ✓ | ✓ | ✓

Application Visibility and Control (6)
Application Visibility and Control for Corporate traffic | ✗ | ✗ | ✓ | ✓
Application Visibility and Control for Guest traffic | ✓ | ✓ | ✓ | ✓

Quality of Service (6)
Identify Corporate traffic type and apply QoS | ✗ | ✗ | ✓ | ✓
Identify Guest traffic type and apply QoS | ✓ | ✓ | ✓ | ✓

Corporate Client Security
Corporate Wired and Wireless Authentication | ✗ | ✗ | ✓ | ✓
Secure Group Tagging for corporate clients | ✗ | ✗ | ✓ | ✓
Posture Assessment and Remediation | ✗ | ✗ | ✓ | ✓
Authorisation and Change of Authorisation | ✗ | ✗ | ✓ | ✓
Device Profiling | ✗ | ✗ | ✓ | ✓
Policy Enforcement (VLAN; dACL; SGACL) | ✗ | ✗ | ✓ | ✓

BYOD - Corporate Mobile Device Management
Wi-Fi Profile Provisioning | ✓ | ✓ | ✓ | ✓
Certificate Provisioning | ✓ | ✓ | ✓ | ✓
Native VPN Configuration Provisioning | see note 10 | see note 10 | |
Microsoft Exchange ActiveSync Access Management | (values not recoverable from the source)

BYOD - Corporate Mobile Application Management
Distribution of Public Applications | ✗ | ✗ | ✓ | ✓
Distribution of Private Applications | ✗ | ✗ | ✓ | ✓
Application Single Sign On | ✗ | ✗ | ✓ | ✓
Application Specific VPN | ✗ | ✗ | ✓ | ✓
Selective Wipe | ✗ | ✗ | ✓ | ✓
Containerisation | ✗ | ✗ | ✓ | ✓
Device Pass Code Policy | ✗ | ✗ | ✓ | ✓
Camera / FaceTime Restrictions | ✗ | ✗ | ✓ | ✓

Guest User Experience (Models 3 and 4: see note 7)
Use of Controller ‘Lobby Ambassador’ for Guest | ✓ | ✓
Local Internet Break-out for Guest users | ✓ | ✗
Central Internet Break-out for Guest users | ✗ | ✓
Identify Guest traffic type and apply QoS | ✓ (6) | ✓ (6)
Simple guest portal pages | ✓ | ✓ | see note 7 | see note 7
Comprehensive Guest portal pages | ✗ | ✗
Active Directory Integration | ✗ | ✗
Policy Enforcement (VLAN; dACL; SGACL) | ✗ | ✗

Notes:
1 Option to use either PSK or 802.1x to facilitate wireless encryption
2 Optional if guest access required
3 Optional with ISE
4 Optional with dedicated guest infrastructure
5 Assumes no direct connection to company VPN concentrator, except via a WAN connection
6 Dependent upon wireless topology deployed
7 Guest access for a secure wireless LAN solution will be an optional add-on, separate infrastructure. This may take the form of any of the options presented earlier in the document
8 Typically, 802.1x authentication would be recommended
9 Optional if required on top of existing wireless AAA methods
10 Onboarding of corporate managed devices prior to launch of the VPN client for connectivity may be possible and will be dependent upon the topology deployed (e.g. reachability of AD)
2.8 General Wireless Design Considerations
When adopting any of the models proposed above, the
following areas may be a consideration when embarking
upon a solution.
2.8.1 Points for Consideration
• IP Address Management – how clients, and also the access points, obtain their IP addresses, for either a dedicated local solution or a centralised DMZ solution. For a smaller solution, will this be provided by the network equipment, and for larger solutions, will it be provided by dedicated equipment? If so, additional servers and management will be required.
• Guest Account Management – for a small solution, guest portals and logins can be created via the wireless LAN controller. If so, receptionists or other identified individuals will require access to create and manage guest user accounts on behalf of their visitors. If this wireless LAN equipment is on a dedicated and physically separate LAN, then access to create and / or print these account details will be required either directly (with dedicated provisioning PCs and a printer, for example) or remotely via an Internet connection from the departmental infrastructure. Similarly, for larger deployments where a centralised wireless controller, or even Cisco ISE, is used for guest account creation, access to these devices should be considered. If these resources are accessed from the departmental trusted infrastructure, then either direct access via firewalls at the various protection levels, or admin access to the devices via an Internet connection, may need to be considered.
• Guest account creation – in line with the previous comment, if a wireless controller based portal is used for guests, this may require a departmental receptionist or corporate sponsor to create accounts for individuals as they arrive. For a more productive approach, ISE could be utilised to provision guest accounts, either by sponsor provisioning, where the corporate user whom the guest is visiting can set up accounts on the guest's behalf or authorise these guest accounts, or alternatively by self-provisioning, where the guest user creates their own wireless guest account upon arrival. Both help speed up guest provisioning.
• Control of Guest Access – guest accounts within the wireless controller are effective from account creation (the valid-from time) until expiry. With Cisco ISE, the account becomes active from first logon, and additional steps can be taken to tighten control over the client actively, such as the time of day that the service can be accessed, downloadable access control lists or security group tagging.
• Application visibility and control – if an AP12 approach is adopted for wireless deployment, the traffic will not be visible to the network infrastructure as it traverses it. As a result, any time-critical applications that depend upon Quality of Service (QoS) for reliable delivery may not be able to receive it within a VPN type scenario. An example could be a client laptop that is used for general email and Internet traffic, but is also used for collaboration services such as WebEx Connect or Jabber Video for TelePresence. Without the ability to conduct deep packet inspection on these traffic types and apply QoS parameters based upon the application type, as opposed to the source IP, for example, the user experience of these applications could be impacted.
• Single or Dual SSID – depending upon local department security requirements, some corporate-build devices may only allow VPN connections if the device is not connected directly to the corporate LAN. As a result, this type of client may not have the ability to connect to a web front-end guest portal to enter a username / password prior to launching a VPN client. Therefore, consideration should be given to whether a single SSID for all clients (corporate and visitors), separate SSIDs (one for corporate and one for all other devices) or some method of captive portal bypass would be necessary (the latter may require advanced devices such as ISE).
• Cost of additional infrastructure to support wireless users – i.e. RF surveys, installation and cabling, PoE LAN switches, WAN routers, WAN circuits etc.
• Remote management – some managed service contracts may be based around managing the departmental networks via an accredited management platform that resides either within the customer's own network or within a dedicated restricted management infrastructure. There could be complexities around managing equipment from a restricted environment, or around having to create bespoke solutions to manage unclassified equipment whose only access is potentially via an Internet connection. The potential to manage via an Internet connection, and the associated security concerns (e.g. the potential need to create IPsec tunnels to manage equipment), is a consideration.
• Guest user experience – custom portal pages tailored specifically to give the look and feel of the department where the guest wireless is accessed, BYOD on-boarding of guest devices, and self-provisioning or sponsored access for guest devices are all better leveraged via the use of Cisco ISE. Whilst the Cisco Wireless LAN controller can host basic portal pages, these will be basic in comparison to a Cisco ISE solution and may not have the ability to add further web features that the department may demand.
• Location tracking & wIPS – advanced location tracking and an advanced wireless Intrusion Prevention System may be required to meet departmental security requirements, and these are best leveraged with the Cisco MSE platform. This may also steer the design of the deployed wireless LAN access points, due to the potential need for additional access points for dedicated monitoring or tracking purposes.
• Potential use of a federated RADIUS function – as a future thought, there could be potential to federate the local wireless LAN deployment with similar deployments of other government departments. This would require an enterprise-deployed approach to Model 4, as described in this document. Aligned PSN-connected departments could potentially advertise a common SSID across their estates, so that any user from within this client base could associate and authenticate with the local system, which would forward the authentication via a federated centralised RADIUS server to the user's own RADIUS server, thus authenticating and authorising access to the local resources. This may be compared to how education departments access resources on JANET via the Eduroam system. Investigation would be required to understand the potential for this approach.
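The two guest-account lifetimes described under Control of Guest Access (controller-style accounts whose clock starts at creation, ISE-style accounts whose clock starts at first logon and can be further restricted by time of day) are modelled below. This is an added example, not Cisco code or any Cisco API; the class, function and field names are hypothetical and the account values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

# Constructed model of the two guest-account behaviours in the text.
# Names are hypothetical; this is not a Cisco WLC or ISE API.


@dataclass
class GuestAccount:
    username: str
    created: datetime                      # when the sponsor created the account
    lifetime: timedelta                    # how long the account is valid for
    activate_on_first_logon: bool = False  # False: controller-style, True: ISE-style
    allowed_hours: Optional[Tuple[time, time]] = None  # e.g. (08:00, 18:00)
    first_logon: Optional[datetime] = None


def authorise(acct: GuestAccount, now: datetime) -> Tuple[bool, str]:
    """Decide whether a logon at `now` is permitted and give the reason."""
    # A time-of-day window, where configured, applies to every logon.
    if acct.allowed_hours is not None:
        start, end = acct.allowed_hours
        if not (start <= now.time() < end):
            return False, "outside permitted hours"
    # Work out when the validity clock started for this account.
    if acct.activate_on_first_logon:
        if acct.first_logon is None:
            acct.first_logon = now          # ISE-style: the clock starts now
        window_start = acct.first_logon
    else:
        window_start = acct.created         # controller-style: started at creation
    if now < window_start:
        return False, "account not yet valid"
    if now >= window_start + acct.lifetime:
        return False, "account expired"
    return True, "permitted"
```

A controller-style account created at 09:00 for eight hours has already expired for a guest who arrives at 18:00, whereas the ISE-style account gives that guest the full eight hours from first logon.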
Full design and configurations are available through a qualified
Cisco Partner.
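The federated RADIUS point above describes a two-hop chain: the local department's RADIUS server authenticates its own users, forwards visitors to the central federation server, and the federation server routes the request on to the user's home RADIUS server. The routing decision at each hop, keyed on the realm of the user's identity, is shown below as an added example that is not Cisco or Eduroam code; realm names, server names and function names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of realm-based RADIUS proxying between federated
# departments. Server and realm names are placeholders, not real systems.


@dataclass
class RoutingDecision:
    action: str            # "local", "proxy" or "reject"
    target: Optional[str]  # server that handles the request next, if any
    reason: str


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split user@realm into (user, realm); realm is None when absent."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def local_route(identity: str, local_realm: str, federation_server: str) -> RoutingDecision:
    """First hop: the department's own RADIUS server."""
    user, realm = split_nai(identity)
    if realm is None or not user:
        return RoutingDecision("reject", None, "malformed identity")
    if realm == local_realm.lower():
        return RoutingDecision("local", "local", "home user, authenticate locally")
    # Visitors are never authenticated locally; only the federation server is trusted
    return RoutingDecision("proxy", federation_server, "visitor, forward to federation")


def federation_route(identity: str, federation_realms: Dict[str, str]) -> RoutingDecision:
    """Second hop: the central federation server maps the realm to its home server."""
    _, realm = split_nai(identity)
    home = federation_realms.get(realm or "")
    if home is None:
        return RoutingDecision("reject", None, "realm is not a federation member")
    return RoutingDecision("proxy", home, "forward to home realm")


def auth_path(identity: str, local_realm: str, federation_server: str,
              federation_realms: Dict[str, str]) -> List[str]:
    """Ordered list of servers that handle the request; empty if rejected."""
    first = local_route(identity, local_realm, federation_server)
    if first.action == "reject":
        return []
    if first.action == "local":
        return ["local"]
    second = federation_route(identity, federation_realms)
    if second.action == "reject":
        return []
    return ["local", federation_server, second.target]
```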
2.9 Architecture Enhancements
By adopting any of the proposed solutions, consideration should be given to how best to utilise the architecture deployed.
2.9.1 Enhancements to the Service
There are many approaches that could be taken for the
proposed topology type and this will depend upon the individual
customer requirements. Cisco has a breadth of products across
the portfolio that can be leveraged to consolidate services
or enhance the user experience. Additions to the previous
models described could be considered.
• Utilisation of Cisco ISR routers as the WAN device with SRE (Service Ready Engine) modules – for example, (1) SRE modules to accommodate a virtual Wireless LAN controller instance; (2) SRE modules to accommodate a virtual ISE instance for more control over guest users.
• Additional centralised filtering within the DMZ for guest users, to ensure that the department's Internet usage policy is being enforced. This may include URL filtering, identification of client traffic, anti-spam / anti-virus etc. Example devices could be Cisco IronPort.
• Cisco Mobility Services Engine (MSE) – for an advanced wireless Intrusion Prevention System (wIPS) and advanced location services. In order to provide protection against rogue clients and access points, it is highly useful to be able to locate that device in the physical world, especially to determine whether it is within your physical boundaries or outside them. Only if a rogue is detected inside your physical domain are you legally entitled to perform any sort of over-the-air prevention tactics, such as sending de-auth frames. The Cisco Prime Infrastructure management platform allows an administrator to locate a single rogue device to 95% accuracy. However, to locate, and record the historic locations of, multiple rogue devices and indeed any Wi-Fi based device such as tags or PDAs, a location services engine can be deployed. This can also be used as the engine to drive asset-tracking applications from third party companies such as Aeroscout and Airetrack.
• Cisco Identity Services Engine (ISE) – for advanced AAA services, BYOD, profiling and guest authentication.
• Cisco Prime Infrastructure – for management of all Cisco network devices on the LAN: switches, routers and wireless LAN controllers.
• Utilisation of the Cisco Unified Access switch (3850) for combined PoE switching and wireless LAN capability within a single device, helping to reduce TCO and OpEx and potentially reducing the management overhead.
Full design and configurations are available through a qualified Cisco Partner.
2.10 Guest User Experience
In deploying a scenario where guest wireless LAN connectivity is a requirement, understanding how the guest user will connect, from what device, how they will authenticate and ultimately what controls need to be applied will fundamentally dictate the direction of both the topology and the network devices deployed.
2.10.1 Guest User Experience
The user experience from a guest perspective can be dramatically enhanced by adding Cisco Identity Services Engine (ISE) as the main method for AAA authentication and for controlling guest access. Whilst there is a capability within the wireless controller to provide basic captive portal access to guest users, adding ISE provides the capability for BYOD on-boarding, as well as device authentication, authorisation, profiling, posture checking and policies to apply to accessing clients. In essence, this can identify ‘who’ the client is, ‘what’ they are accessing, ‘where’ they are accessing it from, ‘when’ they are allowed access and ‘how’ they will be allowed access.
Placing a Cisco ISE platform centrally within the DMZ dramatically increases the guest capability and scalability of the solution, allowing the service to be delivered for multiple customer sites or instances and giving the same user experience to clients regardless of the site they are connecting from.
3. Cisco Differentiators
3.1 Cisco Differentiators
For WLANs, Cisco delivers exceptional customer value. Cisco
distinguishes itself from its competitors through differentiators
at three levels: business, solution, and product / technical.
The unique customer value that we can provide gives us
our leading position in the wireless LAN and outdoor
Wi-Fi markets.
At the business level, the following differentiators distinguish
Cisco from its competitors:
• The confidence of working with an industry leader
• High level of WLAN expertise
• Large scale corporate wide deployments within months
• Consistent, stable, long-term WLAN supplier
• Lower TCO
• Focus on protecting network investments
• Financial choices for customers
At the solution level, the following differentiators distinguish Cisco:
• Complete networking solutions
• Confidence in deployment
• Lower operation cost
• Multiple deployment options
• Lower operational cost
Cisco’s differentiators at the product / technical level include
the following:
• Leading product functionality and Performance
• Deployment flexibility
• Optimised for Video and Voice delivery (VoWLAN)
• Superior industry expertise and project management
• Secure wireless networks
• Mobility service integration such as location based service
• Lower operational cost
Tables are available with details on the differentiators and
customer value if needed.
“It is imperative that the wireless service which carries this information has the ability to distinguish between these differing streams of data, such that any Quality of Service may be applied.”
4. Appendix
The links below represent some of the main areas from the Cisco Mobility wireless LAN solution. Full details are available through
a Cisco Partner.
4.1.1 Cisco Key Wireless LAN Technology Areas
Cisco CleanAir Technology http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns1070/aag_c22-594304.pdf
Cisco ClientLink http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps11983/at_a_glance_c45-691984.pdf
Cisco VideoStream http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns1070/at_a_glance_c45-688062.pdf
Cisco 3700 Series Access Point http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps13367/data_sheet_c78-729421.pdf
Cisco 3600 Series Access Point http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps11983/data_sheet_c78-686782.pdf
Cisco WSSI Module http://wwwin.cisco.com/tech/products/aironet3600/wssi.shtml
Cisco 802.11ac Module http://www.cisco.com/en/US/prod/collateral/modules/ps12859/ps13128/data_sheet_c78-727794.pdf
4.1.2 Cisco Cloud Managed Wireless LAN
https://meraki.cisco.com/products/wireless#features
4.1.3 Cisco WLAN Controllers
4.1.3.1 Cisco Flex 7500 Series Cloud Controller
For more information, please see:
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11635/data_sheet_c78-650053.pdf
4.1.3.2 Cisco 5500 Series WLAN Controller
For more information, please see:
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.pdf
4.1.3.3 Cisco 2500 Series Wireless Controller
For more information, please see:
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.pdf
4.1.3.4 Cisco WiSM 2 for Catalyst 6500 Series Switches
For more information, please see:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6526/product_data_sheet0900aecd80364340.html
4.1.3.5 Cisco Wireless Controller Software for the Cisco SRE
For more information, please see:
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps9798/ps11716/data_sheet_c78-648142.pdf
4.1.3.6 Cisco Virtual Wireless Controllers (vWLC)
Wireless Controllers Product Information
http://wwwin.cisco.com/tech/wnbu/products/controllers.shtml
4.2 Cisco Wireless Network Management
4.2.1.1 Cisco Prime Infrastructure (PI)
For more information, please see:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps11682/ps11686/ps11688/data_sheet_c78-650051.pdf
4.3 Cisco Mobility Services Engine (MSE)
http://www.cisco.com/en/US/products/ps9742/
4.4 Cisco Identity Services Engine (ISE)
4.4.1 Cisco ISE Appliances
For more information, please see:
http://www.cisco.com/en/US/products/ps11640/index.html
4.4.2 Cisco Secure Network Server
For more information, please see:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/data_sheet_c78-726524.html
4.4.3 Cisco ISE Licensing
For more information, please see:
http://www.cisco.com/en/US/products/ps11640/index.html
© 2014 Cisco and/or its affiliates. All rights reserved.