Cisco's Vision for the School District of the Future

BITES 2006
Cisco Systems
sijones@cisco.com
Education Vision & Strategy
© 2005 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Core aspects of BSF
• Transforming Education: Putting the Learner at the centre, Citizenship, Skills
• Efficiency: Workforce Reform, Buildings, Energy, Security
• Social Inclusion: Equal Access, Every Child Matters (ECM, ICS)
• Regeneration – Community & Economic: Extended Schools, Home Access, Business
• Long Term Partnerships
BSF?
• ‘Birmingham Society of the Future’
• Program & Procurement dominated or led by the needs of communities
• Steady and progressive transformation over a longer term
• Will learners be measured by Government, or be asked for feedback about their learning environments?
Agenda for today
• ‘Connected Learning’
• Multi Service Wireless
• Secure Wireless
• What should you be looking out for?
Four Steps To Transformation
Step 1: Connect all buildings and provide access to critical information
Step 2: Implement network-based applications to improve administrative efficiency
Step 3: Put teacher proficiency and productivity first
Step 4: Create a student-centered learning environment to achieve academic excellence
IP Networking Adoption
Intelligent Information Network (roadmap from 2006 to 2015)
Connected Schools – Opex Reduction
• Communications over IP
• Integrated wiring on Ethernet
• Toll bypass
• Data simplification
Efficient Schools – Network Simplification
• Service virtualization
• Data Center
• Integrated security
• Virtualised call control
• User mobility
• Virtual & e-learning
Optimised Schools – New Capabilities
• Adaptive resources
• Personalised learning (MLE’s)
• Collaboration software
• Rich communications
• Automation
• On-demand Data Center
Cisco Connected Learning Solutions
Transforming Education: Academic Excellence, Administrative Efficiency
Solutions: Unified Communications, Virtual Classroom, Video Infusion, Intelligent Buildings, Self Defending Network, Secure Wireless
Foundation: Intelligent Information Network (IP Network)
Cisco Connected Learning – Model for 21st Century Education
Layered model (diagram labels, top to bottom):
• Education Model
• Learning Environment: Curriculum, Teaching, Learning
• Business Applications (Finance, Operational) and Collaboration Applications
• Infrastructure Services layer: End client devices, Data Centre, Cabling and Building Systems
• IP Foundation: School, LA/LEA, Regional & National, Virtual School
1. Education Model
• Learning is an active process, and one that involves collaboration, problem solving, critical thinking with mentor support from teachers
• Government policy focused on transforming education using technology as a catalyst
• Student focused, catering for individual needs and personalisation
• Relevant and authentic learning opportunities
• Prepares for lifelong learning
• Community focused and provides relevant skills and knowledge
• Open ended
2. Learning Environment
Organisational
• Technology as a teaching and learning tool
• Technology for assessment
• Flexible and adaptable VLE
Community
• Environment enables communities to be built
• Accessible from anywhere, anytime
• Builds structures for learning environment between home & schools & for lifelong learning
• Potential to involve all members of the community
• Schools as centres of the community
• Global and national reach
2. Learning Environment
Classroom organisation
• Structured for 21st century working and learning environment
• Flexible yet managed
• Allows for group, individual and whole class work
Student focused environment
• Provides authentic and autonomous learning
• Learning how to learn
• Peer teaching and learning opportunities
• Curriculum arises out of real community needs
• Development of autonomy and critical thinking and problem solving skills
Secure Wireless
• Teaching & Learning: Laptop, PDA, Projector, Wireless Slate
• Security: Access, Assets, mobile CCTV, mobile alerts/paging
• IP Telephony - staff communications
• Guest Access: Community, Parents, Inspections
• Outdoor (sports events, weather view)
• Flexible ICT during refurbishment
Agenda
• Business Critical Wireless
• WLAN Security Leadership
• Cisco Unified Wireless Network
• Cisco Self-Defending Network
– Keep Clients Safe
– Keep Clients Honest
– Protect the Network
Wireless Goes Business Critical
The Emerging Enterprise Market
Enterprise Wireless Market (Growing at 40% Per Annum), $ Millions, 40% CAGR:
FY ’04: $640
FY ’05: $1000
FY ’06: $1400
FY ’07: $1960
FY ’08: $2740
Market phases marked along the chart, in order: Initial Office Deployments (Verticals, PWLAN); Dual Mode Voice; Mainstream Enterprise Office, Location, Mesh Networking; All Wireless Branch
Cisco WLAN Security Leadership and Innovation
• Industry's first implementation of 802.1X/EAP authentication and dynamic key derivation
• Chaired and led the 802.11i work group
• Wrote or co-wrote many EAP RFCs
• Technical leadership role in Fast Secure Roaming 802.11r
• Industry leading, patent pending rogue detection, mitigation and suppression
• Continuing to innovate with Self-Defending Network
– Location enabled security; Access Control / IDS alerts
– Invented host posture analysis (NAC)
– Invented Management Frame Protection (MFP)
– Invented Self Defending Network (NIC)
Cisco Unified Wireless Network
Engineered to Deliver on the SDN Strategy
Self-Defending Network: Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats
Keep Clients Safe – Endpoint Protection
• Strong Mutual Authentication
• Strong Encryption
• True Wireless IPS
• Adaptive Client Policies
Keep Clients Honest – Admission Control
• Network Admission Control
• Guest Access
Protect the Network – Anomaly and IDS/IPS
• Rogue AP detection and containment
• Multilayer client exclusions
Integrated Management
Checklist for Secure Wireless LANs
Implementation Checklist – Keep Clients Safe (Endpoint Protection: Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies)
✓ 802.1X (EAP)
✓ WPA2 (AES) or WPA (TKIP)
✓ Management Frame Protection
✓ Cisco CSA
Protected Access
What are WPA and WPA2?
• Authentication and Encryption standards for Wi-Fi clients and APs
• 802.1X authentication
• WPA uses TKIP encryption
• WPA2 uses AES encryption
Gold: WPA2/802.11i – EAP, AES
Silver: WPA – EAP, TKIP
Lead: dWEP (legacy) – EAP/LEAP, VLANs + ACLs
Which should I use?
• Go for the Gold!
• Silver, if you have legacy clients
• Lead, if you absolutely have no other choice (i.e. ASDs)
How does Extensible Authentication Protocol (EAP) Authenticate Clients?
Parties in the diagram: WLAN Client – Access Point/Controller – RADIUS server – Corporate Network
1. Client associates, but cannot send data until EAP authentication is complete
2. Data from client is blocked by the AP
3. EAP runs between client and AP over 802.1X; the AP relays it to the RADIUS server over RADIUS
4. EAP authentication completes
5. Client sends data; data from client is now passed by the AP
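The exchange above can be modelled as an 802.1X controlled port: the access point relays only EAPOL traffic until the RADIUS server answers Access-Accept, and every data frame sent before that is dropped. The following Python model is an added example, not code from the deck or from Cisco; the message names follow the EAP/RADIUS conventions (Access-Challenge, Access-Accept, Access-Reject) but the framing, the credential check and the user table are constructed for illustration.

```python
"""Toy model of the 802.1X authenticator behaviour shown on the EAP slide.
The AP keeps a per-client 'controlled port' that stays closed until the
RADIUS server returns Access-Accept.  Constructed example: RadiusServer uses a
plain credential table instead of a real EAP method, so only the port-state
logic is meaningful here.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    src: str            # client MAC (constructed value)
    kind: str           # "EAPOL" (allowed through the uncontrolled port) or "DATA"
    payload: str = ""


class RadiusServer:
    """Authentication server: challenge first, then accept or reject."""

    def __init__(self, users):
        self.users = users          # identity -> expected credential (constructed)
        self.state = {}             # identity -> "challenged"

    def access_request(self, identity, credential=None):
        if identity not in self.users:
            return "Access-Reject", {}
        if credential is None:
            # First round: identity only, so the server issues a challenge
            self.state[identity] = "challenged"
            return "Access-Challenge", {"EAP-Message": "Request/Challenge"}
        if self.state.get(identity) == "challenged" and credential == self.users[identity]:
            return "Access-Accept", {"EAP-Message": "Success"}
        return "Access-Reject", {"EAP-Message": "Failure"}


class AccessPoint:
    """Authenticator: data frames pass only for MACs whose controlled port is open."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = set()     # MACs with an open controlled port
        self.forwarded = []         # data frames passed to the corporate network
        self.dropped = []           # data frames blocked while unauthenticated

    def receive(self, frame, identity=None, credential=None):
        if frame.kind == "DATA":
            if frame.src in self.authorized:
                self.forwarded.append(frame)
                return "passed"
            self.dropped.append(frame)
            return "blocked"
        # EAPOL: relay the EAP conversation to RADIUS and act on the verdict
        code, _attrs = self.radius.access_request(identity, credential)
        if code == "Access-Accept":
            self.authorized.add(frame.src)
        return code


def run_exchange(mac="00:11:22:33:44:55", identity="student1", credential="s3cret"):
    """Drive the slide's sequence and return (step, outcome) pairs."""
    radius = RadiusServer({"student1": "s3cret"})      # constructed user table
    ap = AccessPoint(radius)
    log = []
    log.append(("data before auth", ap.receive(Frame(mac, "DATA", "hello"))))
    log.append(("EAP identity", ap.receive(Frame(mac, "EAPOL", "Response/Identity"), identity)))
    log.append(("EAP credential", ap.receive(Frame(mac, "EAPOL", "Response"), identity, credential)))
    log.append(("data after auth", ap.receive(Frame(mac, "DATA", "hello"))))
    return log


if __name__ == "__main__":
    for step, outcome in run_exchange():
        print(f"{step:18s} -> {outcome}")
```

Running it with the default arguments shows the four states of the slide in order (blocked, challenge, accept, passed); passing a wrong credential leaves the port closed, so the final data frame is still blocked.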
What makes 802.11 vulnerable to attacks?
Most common attacks are against management frames
Common Attacks:
• VOID11
• Aireplay
• File2air
• Airforge
• ASLEAP
• Jack attacks
• FakeAP
• Hunter/Killer
Management Frame Protection (MFP)
• A solution for clients and infrastructure (APs)
• Clients and APs add a MIC (signature) into every management frame
• Anomalies are detected instantly and reported to Wireless Control Server (WCS)
(Diagram: MFP Protected client and MFP Protected AP)
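The mechanism in the bullets above is a keyed integrity check on management frames: the sender appends a MIC, and any frame that claims the AP's BSSID but lacks a valid MIC is an anomaly to report. The Python below is an added example, not code from the deck or a Cisco implementation; it uses HMAC-SHA256 as a stand-in for the MIC (real MFP uses its own MIC construction and key distribution), and the frames, key and addresses are constructed.

```python
"""Simplified model of Management Frame Protection.
protect() is the AP side (add a MIC to each management frame); verify() and
audit() are the receiver side (validate the MIC and build the anomaly reports
that would go to the management server).  Constructed example; HMAC-SHA256 is
assumed as the keyed MIC.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace as dc_replace


@dataclass(frozen=True)
class MgmtFrame:
    subtype: str        # "beacon", "deauth", "disassoc", ...
    bssid: str
    dest: str
    seq: int
    mic: bytes = b""    # empty when the sender added no MFP MIC


def _mic_input(frame):
    # The fields covered by the MIC; changing any of them invalidates it
    return f"{frame.subtype}|{frame.bssid}|{frame.dest}|{frame.seq}".encode()


def protect(frame, key):
    """AP side: return a copy of the frame carrying a MIC computed under key."""
    mic = hmac.new(key, _mic_input(frame), hashlib.sha256).digest()
    return dc_replace(frame, mic=mic)


def verify(frame, key):
    """Receiver side: 'ok', 'missing-mic' or 'bad-mic'."""
    if not frame.mic:
        return "missing-mic"
    expected = hmac.new(key, _mic_input(frame), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, frame.mic) else "bad-mic"


def audit(frames, key):
    """Return one anomaly report per frame that fails verification."""
    reports = []
    for f in frames:
        result = verify(f, key)
        if result != "ok":
            reports.append({"subtype": f.subtype, "bssid": f.bssid,
                            "dest": f.dest, "seq": f.seq, "anomaly": result})
    return reports


def demo():
    """Constructed traffic: two genuine frames, one forged, one tampered."""
    key = b"constructed-mfp-key"
    ap = "00:1a:2b:3c:4d:5e"
    client = "00:aa:bb:cc:dd:01"
    genuine = [
        protect(MgmtFrame("beacon", ap, "ff:ff:ff:ff:ff:ff", 10), key),
        protect(MgmtFrame("disassoc", ap, client, 11), key),
    ]
    # A frame that claims the AP's BSSID but was not produced with its key
    forged = MgmtFrame("deauth", ap, client, 12)
    # A genuine frame whose destination was altered after the MIC was computed
    tampered = dc_replace(genuine[1], dest="00:aa:bb:cc:dd:02")
    return audit(genuine + [forged, tampered], key)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The receiver does not need to know who sent a bad frame; it only needs the AP's MIC key to tell protected frames from everything else, which is why the slide can say anomalies are detected immediately rather than after correlation.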
CCX – Driving Security Standardization
CCX v1: 802.1X authentication; EAP-TLS & LEAP; Cisco pre-standard TKIP; Client Rogue reporting
CCX v2: WPA compliance; PEAP; Fast Roaming with CCKM
CCX v3: WPA2 compliance; EAP-FAST; CCKM with EAP-FAST; AES encryption
CCX v4: CCKM with EAP-TLS, PEAP; WIDS; MBSSID
CCX v5: MFP; Client Policies
Security and WLAN Clients
• Trend: Embedded adapters in most devices
• Result: Adapter reference designs in most devices
How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?
• Options:
– Try to standardize on adapters from one vendor
– Use WPA/WPA2 “extended EAP” certified clients
– Rely on what is available in Windows
– Use a commercial supplicant suite
– Support a mix of authentication types
– Use Cisco Compatible Extensions (CCX) adapters
Cisco Unified Wireless Network
Engineered to Deliver on the SDN Strategy
Checklist for Secure Wireless LANs
Implementation Checklist – Keep Clients Honest (Admission Control: Network Admission Control, Guest Access)
✓ Cisco NAC for wired and wireless
✓ Cisco CSA
✓ Guest: Integrated captive portal w/traffic tunneling
The Need for Admission Control
• Viruses, worms, spyware, etc. continue to plague organizations
– Viruses still #1 cause of financial loss* (downtime, recovery, productivity, etc.)
• Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance
• Unprotected endpoint devices are often responsible for spreading infection
– Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive
“Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage.” – Burton Group
*2005 FBI/CSI Report
NAC2 – Ubiquitous Admission Control
CTA-Capable Endpoints with NAC-Capable 802.1X Supplicants
(Diagram: endpoint with CTA –802.1X/EAPo802.1x– Network Access Device (NAD) –RADIUS– ACS –HCAP– Vendor Server; steps numbered 1 to 8)
1. 802.1X connection setup between NAD and endpoint
2. NAD requests credentials from endpoint (EAPo802.1X); this may include user, device, and/or posture
3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)
4. NAD sends credentials to ACS (EAPoRADIUS)
5. ACS can proxy portions of posture authentication to vendor server (HCAP); user/device credentials sent to authentication databases (LDAP, Active Directory, etc)
6. ACS validates credentials, determines authorization rights, e.g. visitors given GUEST access, unhealthy devices given QUARANTINE access
7. ACS sends authorization policy to NAD (VLAN assignment)
8. Host assigned VLAN, may then gain IP access (or denied, restricted)
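Steps 6 to 8 are the policy decision: credentials and posture go in, an authorization (a VLAN) comes out, with visitors landing in GUEST and non-compliant endpoints in QUARANTINE. The Python below is an added example of that decision, not ACS configuration or Cisco code; the user table, the posture attributes (antivirus installed, enabled, signature age), the seven-day freshness limit and the VLAN numbers are all constructed assumptions.

```python
"""Model of the NAC authorization decision (slide steps 6-8).
authorize() plays the policy server: it checks the credential, then the
reported posture, and returns the VLAN the NAD should apply.  Constructed
example; the policy thresholds and tables are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Posture:
    av_installed: bool
    av_enabled: bool
    av_signature_date: date     # last signature update reported by the agent


@dataclass
class AccessRequest:
    identity: str
    credential: str
    posture: Optional[Posture]  # None when the endpoint has no agent to report with


USERS = {"teacher1": "pw-teacher", "admin1": "pw-admin"}   # constructed credential store
VLANS = {"ACCESS": 10, "QUARANTINE": 20, "GUEST": 30}         # constructed VLAN plan
MAX_SIG_AGE_DAYS = 7                                          # assumed freshness policy


def posture_healthy(posture, today):
    """Security tools installed, enabled, and current (within the age limit)."""
    age = (today - posture.av_signature_date).days
    return posture.av_installed and posture.av_enabled and age <= MAX_SIG_AGE_DAYS


def authorize(req, today=date(2006, 3, 1)):
    """Return (decision, vlan_id, reason) as the policy server would send to the NAD."""
    if req.identity not in USERS:
        # Assumption: unknown identities are visitors and get the guest VLAN
        return ("GUEST", VLANS["GUEST"], "unknown identity: visitor treatment")
    if req.credential != USERS[req.identity]:
        # A known identity with a bad credential is denied, not quarantined
        return ("DENY", None, "credential check failed")
    if req.posture is None:
        return ("QUARANTINE", VLANS["QUARANTINE"], "no posture reported")
    if not posture_healthy(req.posture, today):
        return ("QUARANTINE", VLANS["QUARANTINE"], "posture non-compliant")
    return ("ACCESS", VLANS["ACCESS"], "credentials valid, posture compliant")


if __name__ == "__main__":
    cases = [
        AccessRequest("teacher1", "pw-teacher", Posture(True, True, date(2006, 2, 27))),
        AccessRequest("teacher1", "pw-teacher", Posture(True, True, date(2006, 1, 1))),
        AccessRequest("teacher1", "wrong", Posture(True, True, date(2006, 2, 27))),
        AccessRequest("visitor", "anything", None),
    ]
    for c in cases:
        print(c.identity, "->", authorize(c))
```

Note the ordering: the credential is checked before posture, so a compromised credential cannot buy a quarantine VLAN by reporting a bad posture, and a missing agent is treated as non-compliant rather than as unknown.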
Secure Guest Access
• Captive portal native in the controller
• Two options for guest access:
(1) Guest users can be placed on guest VLAN
(2) All guest traffic is tunneled to a guest controller (switch-to-switch guest tunnel from the enterprise network to a guest controller in the DMZ)
• User DB can be local or RADIUS
• Robust administration: Ambassador login, customizable web pages
(Diagram: SSID / Client / Default Gateway – Enterprise user = Internal, Guest user = GUEST)
Cisco Unified Wireless Network
Engineered to Deliver on the SDN Strategy
Checklist for Secure Wireless LANs
Implementation Checklist – Protect the Network (Anomaly and IDS/IPS: Rogue AP detection and containment, Multilayer client exclusions)
✓ Wireless IDS
✓ Rogue Detect/Containment
✓ FIPS
A Complete Solution for Handling Rogues
1. Detect Rogue AP (Generate alarm)
2. Assess Rogue AP (Identity, Location, ..)
3. Contain Rogue AP
4. View Historical Report
• Can be automated
• Multiple rogues contained simultaneously
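The four steps above form a pipeline over scan results: compare what the managed APs hear against the authorised list, classify each unknown BSSID (is it on our wired network, does it advertise one of our SSIDs, how close is it), decide whether containment is warranted, and keep a history for reporting. The Python below is an added example of that workflow, not WCS or controller code; the authorised list, corporate SSIDs, scan results, severity rules and RSSI threshold are constructed, and containment is recorded as a decision rather than performed.

```python
"""Rogue AP handling pipeline: detect -> assess -> containment decision -> report.
Constructed example.  AUTHORISED and CORPORATE_SSIDS stand in for the
controller's managed-AP inventory; SAMPLE_SCAN is made-up scan data.
"""
from dataclasses import dataclass, field


@dataclass
class ScanHit:
    bssid: str
    ssid: str
    channel: int
    rssi: int                 # dBm as seen by the detecting managed AP
    seen_by: str              # name of the managed AP that heard it
    on_wired_network: bool    # rogue MAC was also observed on the wired LAN


AUTHORISED = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}    # managed AP BSSIDs (constructed)
CORPORATE_SSIDS = {"school-staff", "school-students"}      # our own SSIDs (constructed)
NEARBY_RSSI_DBM = -70                                      # assumed "close enough to matter"


@dataclass
class RogueRecord:
    bssid: str
    ssid: str
    severity: str
    location_hint: str
    contain: bool
    alarms: list = field(default_factory=list)


def detect(hits):
    """Step 1: every BSSID not in the authorised inventory is a rogue candidate."""
    return [h for h in hits if h.bssid not in AUTHORISED]


def assess(hit):
    """Steps 2-3: classify the rogue and decide whether containment is recommended."""
    if hit.on_wired_network:
        severity, contain = "critical", True    # bridges into the wired LAN
    elif hit.ssid in CORPORATE_SSIDS:
        severity, contain = "high", True        # impersonates a corporate SSID
    elif hit.rssi > NEARBY_RSSI_DBM:
        severity, contain = "medium", False     # close by but unrelated, e.g. a neighbour
    else:
        severity, contain = "low", False
    location_hint = f"near {hit.seen_by} (rssi {hit.rssi} dBm, ch {hit.channel})"
    alarm = f"rogue {hit.bssid} ssid={hit.ssid!r} severity={severity}"
    return RogueRecord(hit.bssid, hit.ssid, severity, location_hint, contain, [alarm])


def process_scan(hits, history):
    """Run detection and assessment; append the records to the history list."""
    records = [assess(h) for h in detect(hits)]
    history.extend(records)
    return records


def report(history):
    """Step 4: severity counts and the BSSIDs flagged for containment."""
    by_severity = {}
    for r in history:
        by_severity[r.severity] = by_severity.get(r.severity, 0) + 1
    return {"by_severity": by_severity,
            "to_contain": sorted(r.bssid for r in history if r.contain)}


SAMPLE_SCAN = [  # constructed scan results
    ScanHit("00:1a:2b:00:00:01", "school-staff", 1, -40, "ap-library", False),   # our own AP
    ScanHit("de:ad:be:ef:00:01", "school-staff", 6, -55, "ap-library", False),   # SSID spoof
    ScanHit("de:ad:be:ef:00:02", "homebox", 11, -60, "ap-gym", True),            # on our LAN
    ScanHit("de:ad:be:ef:00:03", "neighbour-wifi", 11, -85, "ap-gym", False),    # distant
]


if __name__ == "__main__":
    history = []
    for rec in process_scan(SAMPLE_SCAN, history):
        print(rec.severity, rec.bssid, rec.location_hint, "contain" if rec.contain else "monitor")
    print(report(history))
```

Keeping assessment separate from the containment decision is what makes step 3 safe to automate: a distant neighbour's AP raises an alarm and enters the history but is never flagged for containment.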
Cisco WCS – Centralized Security Management (screenshot slide)
Cisco WLAN FIPS status
Federal Information Processing Standard (FIPS)
• Pre-validated for FIPS 140-2 and Common Criteria
– 4400 controller
– AP1200, AP1100 and BR1300 (LWAPP and Autonomous)
• FIPS Kit will be required; contents include:
– Tamper-evidence labels
– Download instructions for FIPS approved IOS images
– Download instructions for Security Policies
Cisco Unified Wireless Network
Engineered to Deliver on the SDN Strategy
Security Management
CS-MARS
• Network wide anomaly detection
• Rules based correlation
WCS
• Simple, Powerful Dashboard
• Robust Reporting
Checklist Summary
Keep Clients Safe – Endpoint Protection (Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies)
✓ 802.1X (EAP)
✓ WPA2 (AES) or WPA (TKIP)
✓ Management Frame Protection
✓ Cisco CSA
Keep Clients Honest – Admission Control (Network Admission Control, Guest Access)
✓ Cisco NAC for wired and wireless
✓ Cisco CSA
✓ Guest: Integrated captive portal w/traffic tunneling
Protect the Network – Anomaly and IDS/IPS (Rogue AP detection and containment, Multilayer client exclusions)
✓ Wireless IDS
✓ Rogue Detect/Contain
✓ FIPS
The Cisco Difference
• Unifying wireless and wire line
– Utilizing all of Cisco’s security expertise and product line
– Not reinventing the wheel
• Location, Location, Location
– Only WLAN system with RF fingerprinting for rogue location accuracy
• INTEGRATED air monitoring
– Only WLAN system that does not require separate air monitors
– Built-in rogue protection and intrusion detection
• Security Designed for Real-Time Applications
– Fast Secure roaming
• Active leadership in standards bodies
– 802.11i, 802.11r, 802.11w, 802.11k