BITES 2006
Cisco Systems, sijones@cisco.com
Education Vision & Strategy
© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public

Core aspects of BSF
• Transforming Education: putting the learner at the centre, citizenship, skills
• Efficiency: workforce reform, buildings, energy, security
• Social Inclusion: equal access, Every Child Matters (ECM, ICS)
• Regeneration, community and economic: extended schools, home access, business
• Long-term partnerships

BSF?
• 'Birmingham Society of the Future'
• Programme and procurement dominated or led by the needs of communities
• Steady and progressive transformation over a longer term
• Will learners be measured by Government, or be asked for feedback about their learning environments?

Agenda for today
• 'Connected Learning'
• Multi-service wireless
• Secure wireless
• What you should be looking out for

Four Steps to Transformation
Step 1: Connect all buildings and provide access to critical information
Step 2: Implement network-based applications to improve administrative efficiency
Step 3: Put teacher proficiency and productivity first
Step 4: Create a student-centred learning environment to achieve academic excellence

IP Networking Adoption: Intelligent Information Network, 2006 to 2015
Connected Schools (opex reduction):
• Communications over IP
• Integrated wiring on Ethernet
• Toll bypass
• Data simplification
Efficient Schools (network simplification):
• Service virtualisation
• Data centre
• Integrated security
• Virtualised call control
• User mobility
• Virtual and e-learning
Optimised Schools (new capabilities):
• Adaptive resources
• Personalised learning (MLEs)
• Collaboration software
• Rich communications
• Automation
• On-demand data centre

Cisco Connected Learning Solutions: Transforming Education
• Academic excellence and administrative efficiency
• Unified Communications, Virtual Classroom, Video Infusion, Intelligent Buildings
• Self-Defending Network, Secure Wireless
• Intelligent Information Network on an IP network

Cisco Connected Learning Model for 21st Century Education
• Education model: curriculum, teaching, learning
• Learning environment: school, LA/LEA, virtual school, regional and national
• Applications: finance, business applications, operational collaboration applications
• Infrastructure services layer: IP foundation, data centre, end client devices, cabling and building systems

1. Education Model
• Learning is an active process, one that involves collaboration, problem solving and critical thinking with mentor support from teachers
• Government policy is focused on transforming education using technology as a catalyst
• Student focused, catering for individual needs and personalisation
• Relevant and authentic learning opportunities
• Prepares for lifelong learning
• Community focused, providing relevant skills and knowledge
• Open ended

2. Learning Environment
Organisational:
• Technology as a teaching and learning tool
• Technology for assessment
• Flexible and adaptable VLE
Community:
• Environment enables communities to be built
• Accessible from anywhere, anytime
• Builds structures for a learning environment between home and school, and for lifelong learning
• Potential to involve all members of the community
• Schools as centres of the community
• Global and national reach

2. Learning Environment (continued)
Classroom organisation:
• Structured for a 21st century working and learning environment
• Flexible yet managed
• Allows for group, individual and whole-class work
Student-focused environment:
• Provides authentic and autonomous learning
• Learning how to learn
• Peer teaching and learning opportunities
• Curriculum arises out of real community needs
• Development of autonomy, critical thinking and problem-solving skills

Secure Wireless
• Teaching and learning: laptop, PDA, projector, wireless slate
• Security: access, assets, mobile CCTV, mobile alerts/paging
• IP telephony: staff communications
• Guest access: community, parents, inspections
• Outdoor: sports events, weather view
• Flexible ICT during refurbishment
Agenda
• Business-critical wireless
• WLAN security leadership
• Cisco Unified Wireless Network
• Cisco Self-Defending Network: keep clients safe, keep clients honest, protect the network

Wireless Goes Business Critical: The Emerging Enterprise Market
Chart: enterprise wireless market in $ millions, growing at 40% per annum (40% CAGR): $640 (FY '04), $1,000 (FY '05), $1,400 (FY '06), $1,960 (FY '07), $2,740 (FY '08). Phases along the curve: initial office deployments, verticals and PWLAN; dual-mode voice; mainstream enterprise office, location and mesh networking; all-wireless branch.

Cisco WLAN Security Leadership and Innovation
• Industry's first implementation of 802.1X/EAP authentication and dynamic key derivation
• Chaired and led the 802.11i work group
• Wrote or co-wrote many EAP RFCs
• Technical leadership role in Fast Secure Roaming (802.11r)
• Industry-leading, patent-pending rogue detection, mitigation and suppression
• Continuing to innovate with the Self-Defending Network: location-enabled security (access control / IDS alerts); invented host posture analysis (NAC); invented Management Frame Protection (MFP); invented Self-Defending Network (NIC)

Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
Self-Defending Network: a Cisco strategy and initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats.
Keep Clients Safe (endpoint protection): strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies
Keep Clients Honest (admission control): Network Admission Control, guest access
Protect the Network (anomaly and IDS/IPS): rogue AP detection and containment, multilayer client exclusions
Integrated management across all three.

Checklist for Secure Wireless LANs: Keep Clients Safe
Goals: strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies
Implementation checklist:
✓ 802.1X (EAP)
✓ WPA2 (AES) or WPA (TKIP)
✓ Management Frame Protection
✓ Cisco CSA (endpoint protection)

Protected Access: What are WPA and WPA2?
• Authentication and encryption standards for Wi-Fi clients and APs
• Both use 802.1X/EAP authentication
• WPA uses TKIP encryption
• WPA2 uses AES encryption
Which should I use?
• Gold: WPA2/802.11i (EAP, AES). Go for the gold!
• Silver: WPA (EAP, TKIP), if you have legacy clients
• Lead: dynamic WEP (legacy; EAP/LEAP with VLANs + ACLs), only if you absolutely have no other choice (i.e. ASDs)

How does Extensible Authentication Protocol (EAP) Authenticate Clients?
1. The WLAN client associates to the access point/controller. Until EAP authentication is complete the client cannot send data: data frames from the client are blocked by the AP (802.1X port control).
2. EAP messages are exchanged between the client and the access point/controller, which relays them to the RADIUS server on the corporate network.
3. Once EAP authentication is complete, data from the client is passed by the AP.

What makes 802.11 vulnerable to attacks?
Most common attacks are against management frames, which carry no authentication.
Common attack tools: VOID11, Aireplay, File2air, Airforge, ASLEAP, Jack attacks, FakeAP, Hunter/Killer
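The EAP slide above shows the authenticator holding the client's data frames until the RADIUS server returns EAP-Success. The following is an added example written for this page, not Cisco code: a Python model of that 802.1X port control, with a simplified challenge/response standing in for the real EAP method and a dictionary standing in for the RADIUS user database. Every name, MAC address and password in it is constructed.

```python
"""802.1X/EAP port control as an added example (not Cisco code).

Models the slide's flow: after association the AP/controller drops every
data frame from a client until the RADIUS server returns EAP-Success;
only EAPOL frames traverse the uncontrolled port. The EAP method,
credential store and RADIUS transport are simplified stand-ins.
"""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed credential store standing in for the RADIUS/AAA database.
RADIUS_USERS = {"alice": b"correct horse battery staple"}


@dataclass
class RadiusServer:
    """Simplified EAP server: HMAC challenge/response on a shared secret
    (a stand-in for a real EAP method such as PEAP or EAP-TLS)."""
    users: dict
    challenges: dict = field(default_factory=dict)

    def handle(self, identity, response=None):
        # First round: issue a fresh challenge (EAP-Request).
        if response is None:
            ch = secrets.token_bytes(16)
            self.challenges[identity] = ch
            return ("EAP-Request", ch)
        ch = self.challenges.pop(identity, None)
        pw = self.users.get(identity)
        if ch is None or pw is None:
            return ("EAP-Failure", None)
        expected = hmac.new(pw, ch, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            # Access-Accept carrying keying material (PMK stand-in).
            pmk = hashlib.sha256(pw + ch).digest()
            return ("EAP-Success", pmk)
        return ("EAP-Failure", None)


class Supplicant:
    """Client-side 802.1X supplicant."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, challenge):
        return hmac.new(self.password, challenge, hashlib.sha256).digest()


class Authenticator:
    """AP/controller. The controlled port stays closed until EAP-Success."""
    def __init__(self, radius):
        self.radius = radius
        self.authorized = {}   # client MAC -> PMK
        self.dropped = []      # data frames blocked before authentication

    def data_frame(self, mac, payload):
        """Return True if the frame is forwarded to the wired side."""
        if mac in self.authorized:
            return True
        self.dropped.append((mac, payload))
        return False

    def authenticate(self, mac, supplicant):
        """Relay the EAP exchange to RADIUS; open the port on success."""
        kind, challenge = self.radius.handle(supplicant.identity)
        assert kind == "EAP-Request"
        resp = supplicant.respond(challenge)
        kind, pmk = self.radius.handle(supplicant.identity, resp)
        if kind == "EAP-Success":
            self.authorized[mac] = pmk
        return kind


def demo(password=b"correct horse battery staple"):
    """Send a data frame before and after EAP; report what happened."""
    ap = Authenticator(RadiusServer(RADIUS_USERS))
    mac = "00:11:22:33:44:55"                       # constructed client MAC
    before = ap.data_frame(mac, b"GET / HTTP/1.0")  # blocked
    result = ap.authenticate(mac, Supplicant("alice", password))
    after = ap.data_frame(mac, b"GET / HTTP/1.0")   # passed only on success
    return before, result, after, len(ap.dropped)


if __name__ == "__main__":
    print(demo())            # (False, 'EAP-Success', True, 1)
    print(demo(b"wrong"))    # (False, 'EAP-Failure', False, 2)
```

The toy challenge/response gives one-way authentication only; the "strong mutual authentication" the checklist asks for comes from the EAP method, so in a real deployment pair 802.1X with EAP-TLS or PEAP and configure supplicants to validate the RADIUS server's certificate, otherwise a rogue AP with its own RADIUS server can harvest credentials.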
Management Frame Protection (MFP)
• A solution for clients and infrastructure (APs)
• Clients and APs add a MIC (signature) to every management frame
• Anomalies are detected instantly and reported to the Wireless Control System (WCS)

CCX: Driving Security Standardisation
CCX v1: 802.1X authentication; EAP-TLS and LEAP; Cisco pre-standard TKIP; client rogue reporting
CCX v2: WPA compliance; PEAP; fast roaming with CCKM
CCX v3: WPA2 compliance; EAP-FAST; CCKM with EAP-FAST; AES encryption
CCX v4: CCKM with EAP-TLS and PEAP; WIDS; MBSSID
CCX v5: MFP; client policies

Security and WLAN Clients
• Trend: embedded adapters in most devices
• Result: adapter reference designs in most devices
How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)? Options:
• Try to standardise on adapters from one vendor
• Use WPA/WPA2 "extended EAP" certified clients
• Rely on what is available in Windows
• Use a commercial supplicant suite
• Support a mix of authentication types
• Use Cisco Compatible Extensions (CCX) adapters
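The Management Frame Protection slide above says clients and APs put a MIC into every management frame so that forged frames (the deauthentication and disassociation floods the attack-tool list relies on) stand out. The block below is an added example for this page, not Cisco's MFP implementation: a keyed HMAC over a simplified deauth frame plus a per-sender sequence number, with a monitor that flags frames lacking a MIC, carrying a wrong MIC, or replayed. The frame layout, the 8-byte truncated MIC, the key derivation and the MAC addresses are all constructed for the example.

```python
"""Management Frame Protection as an added example (not Cisco's MFP code).

A keyed MIC and a monotonic sequence number are attached to deauth and
disassociation frames; the receiver verifies both and records anomalies.
Frame layout, key derivation and MIC size are simplifications.
"""
import hmac
import hashlib
import struct

MIC_LEN = 8          # truncated tag length, an assumption of this example
FRAME_FMT = "!B6s6sIH"   # subtype, source MAC, dest MAC, sequence, reason
HDR_LEN = struct.calcsize(FRAME_FMT)

DEAUTH = 0xC0
DISASSOC = 0xA0


def build_frame(subtype, sa, da, seq, reason, key=None):
    """Serialise a management frame; append a MIC when a key is given.
    key=None produces the unprotected frame an attacker would inject."""
    body = struct.pack(FRAME_FMT, subtype, sa, da, seq, reason)
    if key is None:
        return body
    mic = hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]
    return body + mic


class MfpMonitor:
    """Receiver side: verify MIC and sequence, collect anomaly reports."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}   # source MAC -> highest sequence accepted
        self.alerts = []

    def accept(self, frame):
        if len(frame) < HDR_LEN + MIC_LEN:
            self.alerts.append("missing MIC")
            return False
        body, mic = frame[:HDR_LEN], frame[HDR_LEN:HDR_LEN + MIC_LEN]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(expected, mic):
            self.alerts.append("bad MIC")
            return False
        subtype, sa, da, seq, reason = struct.unpack(FRAME_FMT, body)
        if seq <= self.last_seq.get(sa, -1):
            self.alerts.append("replay")
            return False
        self.last_seq[sa] = seq
        return True


def demo():
    """Legitimate deauth, forged deauth without MIC, deauth under the
    wrong key, and a replay of the legitimate frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    ap = bytes.fromhex("0011aa000001")       # constructed AP MAC
    client = bytes.fromhex("0011bb000002")   # constructed client MAC
    mon = MfpMonitor(key)
    legit = build_frame(DEAUTH, ap, client, seq=1, reason=3, key=key)
    forged = build_frame(DEAUTH, ap, client, seq=2, reason=3)        # no MIC
    wrong_key = build_frame(DEAUTH, ap, client, seq=2, reason=3, key=b"x")
    results = (mon.accept(legit), mon.accept(forged),
               mon.accept(wrong_key), mon.accept(legit))   # last is a replay
    return results, mon.alerts


if __name__ == "__main__":
    print(demo())   # ((True, False, False, False), ['missing MIC', 'bad MIC', 'replay'])
```

Infrastructure MFP only lets managed APs spot forged frames; a client drops a spoofed deauth only if it validates the MIC itself, which the CCX v5 slide lists as the client-side part. The IEEE later standardised protected management frames as 802.11w, one of the groups named on the closing slide.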
Checklist for Secure Wireless LANs: Keep Clients Honest
Goals: Network Admission Control, guest access
Implementation checklist:
✓ Cisco NAC for wired and wireless (admission control)
✓ Cisco CSA
✓ Guest: integrated captive portal with traffic tunnelling

The Need for Admission Control
• Viruses, worms, spyware, etc. continue to plague organisations; viruses are still the #1 cause of financial loss (downtime, recovery, productivity, etc.)*
• Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance
• Unprotected endpoint devices are often responsible for spreading infection
• Ensuring that devices accessing the network comply with policy (security tools installed, enabled and current) is difficult and expensive
"Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." – Burton Group
*2005 FBI/CSI Report

NAC2: Ubiquitous Admission Control
CTA-capable endpoints with NAC-capable 802.1X supplicants. Components: endpoint running CTA, Network Access Device (NAD), Cisco ACS, vendor posture server (HCAP), authentication databases.
1. 802.1X connection setup between NAD and endpoint
2. NAD requests credentials from the endpoint (EAP over 802.1X); these may include user, device and/or posture credentials
3. CTA, via the NAC-capable supplicant, sends credentials to the NAD (EAP over 802.1X)
4. NAD sends credentials to ACS (EAP over RADIUS)
5. ACS can proxy portions of posture authentication to a vendor server (HCAP); user/device credentials are sent to authentication databases (LDAP, Active Directory, etc.)
6. ACS validates credentials and determines authorisation rights, e.g. visitors given GUEST access, unhealthy devices given QUARANTINE access
7. ACS sends the authorisation policy to the NAD (VLAN assignment)
8. Host is assigned the VLAN and may then gain IP access (or be denied or restricted)

Secure Guest Access
• Captive portal native in the controller
• Two options for guest access: (1) guest users are placed on a guest VLAN; (2) all guest traffic is tunnelled switch-to-switch to a guest controller in the DMZ
• Diagram: an enterprise user on the internal SSID keeps the internal default gateway; a guest user on the GUEST SSID is tunnelled to the guest controller, which becomes the guest's default gateway
• User database can be local or RADIUS
• Robust administration: ambassador login, customisable web pages

Checklist for Secure Wireless LANs: Protect the Network
Goals: rogue AP detection and containment, multilayer client exclusions
Implementation checklist:
✓ Wireless IDS (anomaly and IDS/IPS)
✓ Rogue detection/containment
✓ FIPS

A Complete Solution for Handling Rogues
1. Detect rogue AP (generate alarm)
2. Assess rogue AP (identity, location, ...)
3. Contain rogue AP
4. View historical report
• Can be automated
• Multiple rogues contained simultaneously

Cisco WCS: Centralised Security Management
(screenshot slide)

Cisco WLAN FIPS Status
Federal Information Processing Standard (FIPS)
• Pre-validated for FIPS 140-2 and Common Criteria: 4400 controller; AP1200, AP1100 and BR1300 (LWAPP and autonomous)
• FIPS kit will be required; contents include tamper-evidence labels, download instructions for FIPS-approved IOS images, and download instructions for Security Policies

Security Management
CS-MARS:
• Network-wide anomaly detection
• Rules-based correlation
WCS:
• Simple, powerful dashboard
• Robust reporting
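Steps 5 to 8 of the NAC2 slide above describe the policy server validating credentials, checking endpoint posture and handing the NAD a VLAN assignment (GUEST for visitors, QUARANTINE for unhealthy hosts). The following is an added example for this page, not Cisco ACS or CTA code: a small posture policy in Python that produces that decision. The directory entries, posture attributes, VLAN numbers and the seven-day signature-age limit are all constructed assumptions.

```python
"""NAC posture-based authorisation as an added example (not Cisco ACS code).

The policy server validates the user's credentials, evaluates the posture
the endpoint reported over 802.1X, and returns a VLAN assignment for the
NAD to enforce. Users, posture attributes and VLAN numbers are constructed.
"""
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed directory (stand-in for LDAP/Active Directory).
DIRECTORY = {
    "alice":   {"password": "s3cret", "group": "staff"},
    "visitor": {"password": "guest",  "group": "guest"},
}

# Constructed VLAN plan for the school network.
VLANS = {"healthy": 10, "quarantine": 666, "guest": 900}

MAX_SIGNATURE_AGE = timedelta(days=7)   # policy assumption for this example


@dataclass
class Posture:
    """What the CTA agent reports about the endpoint."""
    av_installed: bool
    av_enabled: bool
    signature_date: date
    os_patched: bool


def evaluate_posture(posture, today):
    """Return ('healthy', []) or ('quarantine', [reasons])."""
    reasons = []
    if not posture.av_installed:
        reasons.append("antivirus not installed")
    elif not posture.av_enabled:
        reasons.append("antivirus disabled")
    elif today - posture.signature_date > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures stale")
    if not posture.os_patched:
        reasons.append("operating system unpatched")
    return ("quarantine" if reasons else "healthy"), reasons


def authorize(username, password, posture, today=None):
    """Policy decision sent to the NAD: (vlan, token, reasons)."""
    today = today or date.today()
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(
            user["password"].encode(), password.encode()):
        return None, "access-reject", ["bad credentials"]
    if user["group"] == "guest":
        return VLANS["guest"], "guest", []    # guests never reach inside
    token, reasons = evaluate_posture(posture, today)
    return VLANS[token], token, reasons


def demo(today=date(2006, 3, 1)):
    """Healthy staff, stale-signature staff, a visitor and a bad password."""
    fresh = Posture(True, True, today - timedelta(days=1), True)
    stale = Posture(True, True, today - timedelta(days=30), True)
    return (
        authorize("alice", "s3cret", fresh, today),
        authorize("alice", "s3cret", stale, today),
        authorize("visitor", "guest", stale, today),
        authorize("alice", "wrong", fresh, today),
    )


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The quarantine VLAN is only useful if it actually leads somewhere: it needs reachability to the remediation (patch and signature) servers and nothing else, or quarantined hosts simply stay quarantined. Posture reported by an agent is also self-attested, so treat it as a hygiene control against accidental infection rather than a barrier to a deliberately hostile endpoint.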
Checklist Summary
Keep Clients Safe (endpoint protection: strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies):
✓ 802.1X (EAP)
✓ WPA2 (AES) or WPA (TKIP)
✓ Management Frame Protection
✓ Cisco CSA
Keep Clients Honest (admission control: Network Admission Control, guest access):
✓ Cisco NAC for wired and wireless
✓ Cisco CSA
✓ Guest: integrated captive portal with traffic tunnelling
Protect the Network (anomaly and IDS/IPS: rogue AP detection and containment, multilayer client exclusions):
✓ Wireless IDS
✓ Rogue detect/contain
✓ FIPS

The Cisco Difference
• Unifying wireless and wireline: utilising all of Cisco's security expertise and product line; not reinventing the wheel
• Location, location, location: only WLAN system with RF fingerprinting for rogue location accuracy
• Integrated air monitoring: only WLAN system that does not require separate air monitors; built-in rogue protection and intrusion detection
• Security designed for real-time applications: fast secure roaming
• Active leadership in standards bodies: 802.11i, 802.11r, 802.11w, 802.11k
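The rogue-handling slide earlier lists detect, assess, contain and report, and the summary above notes that managed APs double as air monitors. As an added example for this page, not Cisco WCS or controller code, the block below runs the detect and assess steps over constructed scan records: every BSSID heard by a managed AP is checked against the managed list, unknown ones are classified, and a rogue whose radio MAC also appears in the wired MAC table is treated as on-wire and marked for containment. The inventory, SSIDs, MAC tables and severity scheme are all assumptions of the example; in particular the exact wired/wireless MAC match is a simplification of how on-wire detection is really done.

```python
"""Rogue AP detection and assessment as an added example (not Cisco code).

Groups observations by BSSID, skips managed APs, classifies the rest and
ranks them by severity. Inventory, MAC tables and scan data are constructed.
"""
from dataclasses import dataclass
from collections import defaultdict

# Constructed inventory: managed APs and the SSIDs we broadcast.
MANAGED_BSSIDS = {"00:1a:aa:00:00:01", "00:1a:aa:00:00:02"}
OUR_SSIDS = {"SCHOOL-STAFF", "SCHOOL-GUEST"}

# Constructed wired MAC table (switch CAM entries) used for the on-wire check.
# Simplification: real systems also try adjacent MACs and ARP/RLDP probes.
WIRED_MACS = {"00:1a:aa:00:00:01", "00:0c:cc:12:34:56"}

SEVERITY_ORDER = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Observation:
    monitor_ap: str      # managed AP that heard the frame
    bssid: str
    ssid: str
    channel: int
    rssi: int            # dBm
    mode: str            # "infrastructure" or "adhoc"


def classify(obs_list):
    """Return rogue reports, most severe first."""
    by_bssid = defaultdict(list)
    for o in obs_list:
        by_bssid[o.bssid].append(o)
    reports = []
    for bssid, seen in by_bssid.items():
        if bssid in MANAGED_BSSIDS:
            continue                       # our own infrastructure
        ssid = seen[0].ssid
        if bssid in WIRED_MACS:
            kind, severity = "on-wire rogue", "critical"
        elif ssid in OUR_SSIDS:
            kind, severity = "honeypot (spoofs our SSID)", "high"
        elif seen[0].mode == "adhoc":
            kind, severity = "ad-hoc network", "medium"
        else:
            kind, severity = "unknown AP", "low"
        nearest = max(seen, key=lambda o: o.rssi)   # crude location hint
        reports.append({
            "bssid": bssid, "ssid": ssid, "class": kind,
            "severity": severity,
            "heard_by": sorted(o.monitor_ap for o in seen),
            "nearest_ap": nearest.monitor_ap, "channel": nearest.channel,
            "contain": severity in ("critical", "high"),
        })
    return sorted(reports, key=lambda r: SEVERITY_ORDER.index(r["severity"]))


def demo():
    """Constructed scan results from two managed APs."""
    scans = [
        Observation("AP-Lib", "00:1a:aa:00:00:01", "SCHOOL-STAFF", 6, -40, "infrastructure"),
        Observation("AP-Lib", "00:0c:cc:12:34:56", "linksys", 11, -55, "infrastructure"),
        Observation("AP-Hall", "00:0c:cc:12:34:56", "linksys", 11, -70, "infrastructure"),
        Observation("AP-Hall", "00:de:ad:be:ef:01", "SCHOOL-GUEST", 1, -62, "infrastructure"),
        Observation("AP-Lib", "02:11:22:33:44:55", "freewifi", 3, -80, "adhoc"),
        Observation("AP-Lib", "00:cc:dd:00:00:09", "neighbour", 9, -85, "infrastructure"),
    ]
    return classify(scans)


if __name__ == "__main__":
    for r in demo():
        print(r["severity"], r["class"], r["bssid"], "near", r["nearest_ap"])
```

The example marks only on-wire rogues and SSID honeypots for containment. Automatically deauthenticating every unknown AP is a bad default: most of what a school's APs hear is neighbouring households and businesses, and jamming an AP that is not on your network can be unlawful as well as disruptive, so leave the low-severity class at alarm and report.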