
Secure Unified Wireless and Mobility Solutions for Government

Jim Ransome, Ph.D., CISSP, CISM


Senior Director, Secure Unified Wireless and Mobility Applications
Corporate Security Programs Organization and Global Government
Solutions Group
General Dynamics Unified Information Assurance User Conference 2008
GD Conference 08

2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

About The Speaker

10+ years senior corporate executive information and physical security
  CSO roles
  CISO roles
23 years government service
  National Lab computer scientist/national security analyst, NCIS federal special agent, retired naval reserve intelligence officer, former marine corps sergeant
Ph.D. in information systems specializing in information security
  Dissertation: developed/tested a converged wired-wireless network security model
  NSA/DHS Center of Academic Excellence in Information Assurance Education
Graduate certificates
  International business and international affairs
Certifications
  Certified Information Security Professional (CISSP)
  Certified Information Security Manager (CISM)
Adjunct Professor for a masters-level information security curriculum
Publications (Elsevier - Digital Press)
  Operational Wireless Security, VoIP Security, IM Security, Business Continuity and Disaster Recovery for InfoSec Managers

Agenda

Securing the core, defending the edge
Can wireless LANs really be secured?
Building secure unified wireless and mobility government solutions
Wireless and mobility solutions for classified environments
The future of secure wireless and mobility solutions


Securing the Core, Defending the Edge


What Does This Mean For Wireless And Mobility?


It Takes Us From
Where We Were

Where We Want To Be
How We Get There

Unified Networks,
Unified Communications
Unified Security

Remember Wireless Enables Mobility


Can Wireless LANs Really Be Secured?


Building on 802.11i: A Unified Wireless Security Approach to End-to-End Security

Fine-grained Mapping and Authentication
  Location services enable precise mapping of clients and threats, allowing fine-grained authentication and quick removal
Wired IDS Integration (L2 IDS, L3-7 IDS)
  Unified wired and wireless IDS ensures malicious wireless clients are disconnected from the network
Wireless Endpoint Compliance (NAC Appliance)
  NAC prevents wireless endpoints from introducing viruses, spyware, malware, etc.
Wireless IDS/IPS (RF containment of 802.11a rogue APs and rogue clients)
  Comprehensive wireless threat identification and over-the-air prevention
Offsite Endpoint Protection
  IPS detects and prevents offsite wireless threats such as ad hoc networks
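The slide above lists what a wireless IDS does (identify rogue APs and rogue clients, flag ad hoc networks, locate them) without showing the decision logic. The following is an added example, not code from the presentation or from any Cisco product: a minimal rogue-AP triage routine of the kind a WIDS runs over beacons reported by monitoring APs. The authorized inventory, SSID names, sensor names and scan records are all constructed for the example. It classifies each observed BSSID as authorized, rogue (an unknown radio advertising the enterprise SSID, or an inventory BSSID advertising the wrong one), ad hoc, or neighbor, and uses the strongest-RSSI sensor as a coarse location hint.

```python
"""Rogue access point triage over a constructed WIDS scan (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed authorized inventory: BSSID -> (expected SSID, sensor/AP name)
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01": ("GOV-SECURE", "ap-bldg1-f1"),
    "00:11:22:aa:bb:02": ("GOV-SECURE", "ap-bldg1-f2"),
    "00:11:22:aa:bb:03": ("GOV-GUEST", "ap-bldg1-f1"),
}
# SSIDs the enterprise actually advertises; anyone else using them is impersonating us
ENTERPRISE_SSIDS = {"GOV-SECURE", "GOV-GUEST"}


@dataclass
class Observation:
    bssid: str
    ssid: str
    ibss: bool                       # True when the beacon capability field says ad hoc (IBSS)
    rssi_by_sensor: Dict[str, int]   # monitoring AP name -> RSSI in dBm


@dataclass
class Finding:
    bssid: str
    ssid: str
    classification: str              # "authorized" | "rogue" | "ad-hoc" | "neighbor"
    severity: str                    # "none" | "low" | "medium" | "high"
    nearest_sensor: Optional[str]    # sensor that heard the radio loudest, as a location hint


def nearest_sensor(rssi_by_sensor: Dict[str, int]) -> Optional[str]:
    """Return the sensor with the strongest (least negative) RSSI, or None if unheard."""
    if not rssi_by_sensor:
        return None
    return max(rssi_by_sensor, key=rssi_by_sensor.get)


def classify(obs: Observation) -> Finding:
    """Classify one observed radio against the inventory and SSID policy."""
    bssid = obs.bssid.lower()        # normalize case so inventory lookups are reliable
    where = nearest_sensor(obs.rssi_by_sensor)
    if bssid in AUTHORIZED_BSSIDS:
        expected_ssid, _ = AUTHORIZED_BSSIDS[bssid]
        if obs.ssid == expected_ssid:
            return Finding(bssid, obs.ssid, "authorized", "none", where)
        # Known hardware address but wrong SSID: misconfiguration or a spoofed BSSID
        return Finding(bssid, obs.ssid, "rogue", "high", where)
    if obs.ibss:
        # Peer-to-peer network; clients bridging it to the enterprise LAN bypass the controller
        return Finding(bssid, obs.ssid, "ad-hoc", "medium", where)
    if obs.ssid in ENTERPRISE_SSIDS:
        # Unknown radio advertising our SSID: clients will auto-join it, highest priority
        return Finding(bssid, obs.ssid, "rogue", "high", where)
    # Unknown SSID on unknown hardware: probably a neighbor. Whether it is actually plugged
    # into the wired network is decided by wired-side correlation, which is not modeled here.
    return Finding(bssid, obs.ssid, "neighbor", "low", where)


def triage(observations: List[Observation]) -> List[Finding]:
    """Classify every observation and return the findings worst-first (stable sort)."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted((classify(o) for o in observations), key=lambda f: order[f.severity])


# Constructed scan: one authorized AP, one SSID impersonator, one ad hoc network, one neighbor
SAMPLE_SCAN = [
    Observation("00:11:22:AA:BB:01", "GOV-SECURE", False, {"ap-bldg1-f1": -40, "ap-bldg1-f2": -70}),
    Observation("de:ad:be:ef:00:01", "GOV-SECURE", False, {"ap-bldg1-f1": -65, "ap-bldg1-f2": -48}),
    Observation("02:aa:bb:cc:dd:ee", "laptop-share", True, {"ap-bldg1-f1": -55}),
    Observation("c0:ff:ee:00:00:01", "CoffeeShop", False, {"ap-bldg1-f2": -80}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.severity:6} {f.classification:10} {f.bssid} ssid={f.ssid!r} near={f.nearest_sensor}")
```

The ordering matters for an operator: the SSID impersonator comes out first with the sensor closest to it, which is the "quick location" step the slide refers to before any containment decision is made.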


Building on 802.11i: Other Key Elements of a Unified Wireless Security Solution

Network Segmentation
  Key to providing guest access by controlling and prioritizing access to business resources
Wireless Network Location Services
  Quick location of rogue access points and other wireless threats
Guest Services
  Path isolation: guest traffic never mixes with enterprise traffic
Wireless Security Policy
  Wireless client connection policy enforcement

Diagram labels: Guest, Contractor, Campus, DMZ, Guest controller, Enterprise Network, switch-to-switch guest tunnel, Rogue AP, Enterprise user, Guest user

Building on 802.11i: Real-time RF Management and Integrated Spectrum Intelligence

A Phased Approach
Case Studies
Detect, classify, and locate RF interference


Building Secure Unified Wireless and Mobility Government Solutions


Products and Solutions Vendors
Challenges of a Secure and Interoperable Unified Communications Infrastructure


Wireless and Mobility Products


The Rapid Acceleration of Secure Unified Government Wireless and Mobility Applications

Mobile Access Routers
Type-1/HAIPE device solutions for wireless LANs architected to meet all federal requirements
IPv6 and Mobile IPv6
Tactical Communication Kits
FIPS Validated (FIPS 140-2) MESH Solution
Secure routing and communications for Mobile Ad Hoc Networks (MANETs)
Integrated Spectrum Intelligence

Mobile Access Router: Facilitating The Acceleration


Cisco IP Interoperability and Collaboration System (IPICS)
Integrated Networks Critical for Effective Operations and Emergency Management


Cisco IP Interoperability and Collaboration System (IPICS)

Diagram components:
  Push-to-talk (PTT) client for PC users (Cisco IPICS PMC Client)
  Cisco IPICS Server and Policy Engine
  IPICS Management Console: Server Administration Console, Policy Engine
  Secure VoIP Network
  VoIP Gateway
  LMR Gateway and Media Services
  Ops Views
  PSTN
  VHF/UHF/Nextel PTT Radios
  Cisco IP Phones w/ PTT Services
  PSTN/Cellular Phones

Outdoor Wireless and Mobility Solutions


Wireless and Mobility Solutions for Classified Environments


The Future of Secure Wireless and Mobility Solutions


Federal Wireless Policies

Secretary of Commerce - FIPS 140-1 (1994) updated to FIPS 140-2 (2001)
  FIPS certification required for federal agencies
  FIPS 140-3 targeted 2009
DoD Directive 8100.2 WLAN follow-on (June 2006)
  Standards based - WiFi certified / IEEE 802.11i security (WPA2)
  FIPS 140-2 Certification
  Common Criteria Certification / U.S. Government Protection Profiles
  WIDS w/location tracking (wired and wireless nets)
DISA Wireless STIG (draft version 5, release 2.01)
OSD (NII) DoD follow-on policy security boundary
https://acc.dau.mil/CommunityBrowser.aspx?id=153484&lang=en-US

Cisco Unified Wireless Network: 802.11i End-To-End Wireless Security

DoD compliant and FIPS validated
  APs authenticate into DoD network with X.509 certs as CC trusted network devices
  Controller/APs establish FIPS 140-2 validated assured control channel
  APs enforce 802.1X port access control and terminate FIPS 140-2 encryption/decryption services at the edge of the DoD security border
  Controller centrally manages 802.1X state machine providing secure mobility

Securing Wireless and Mobile Networks

Security is never a one-size-fits-all solution
Type 1 over WLAN requires a layered approach
  IP Security (High Assurance IP Encryption - HAIPE)
  Link Security (WPA, FIPS, WIDS, VPN, Location Awareness...)

Diagram: Classified enclave - HAIPE - SBU and/or unclassified wireless and wired LAN/WAN (WPAv2, FIPS 140-2, WIDS, location, L3 VPN) - HAIPE - Classified enclave

Type 1 Architecture for Wireless and Mobile Networks
End-to-End Wireless Security


Type 1 Architecture for Wireless and Mobile Networks
Example: Red Data Center Extension WLAN Deployments

Secure WLAN client connects over Black WLAN to Red Enclave
Red Enclave can use a WLAN or other HAIPE device to connect to Black WLAN
Extends Red services without physical extension of Red network
  Only need to configure two tunnels per client HAIPE device
  Red Router will route between clients

Type 1 Architecture for Wireless and Mobile Networks
Example: Red Data Center Extension WLAN Deployments

Using Type-1 WLAN and Type 1 Ethernet HAIPEs to connect VoSIP or video enclaves over a wireless backbone (indoor or outdoor)
Opportunities to interoperate with SME-PED


Type 1 Architecture for Wireless and Mobile Networks
Example: Red Data Center w/Integration of HAIPE Router

Type-1 WLAN client connects over Black WLAN then to HAIPE head-end router
HAIPE Router routes intra-client traffic and can route out to the SIPRNET
Client only needs to terminate two HAIPE tunnels
Extends Red services without physical extension of Red network



Wireless Security Integration

WLAN security is about more than encrypting data-in-transit
Need to take a holistic view of the network to create a defense-in-depth architecture
Security at each layer plays a critical role
Only by integrating each piece can attacks be detected and mitigated efficiently
All aspects must be analyzed and utilized for efficient spectrum utilization


Cisco Wireless Federal Solution
FIPS & Common Criteria Certified

Cisco Secure ACS: FIPS 140-2 AAA RADIUS
Cisco 2710 Wireless Location Appliance
Cisco Wireless Control System (WCS): centralized WLAN management
Cisco WLAN FIPS 140-2 Controllers
Cisco Aironet FIPS 140-2 APs (WIDS)
Type-1 Certified

Cisco Wireless FIPS 802.11i (WPA2) Solution

IEEE 802.11i (WPA2) Security

FIPS 140-2 802.11i Supplicant
  Cisco Secure Services Client (FIPS Dev)
  Cisco Solutions+ 3eTI 802.11i FIPS/CC Client
  Compatible with all WPA/2 certified FIPS supplicants
FIPS 140-2 Aironet APs
  1242 / 1131 / 1232 IOS / LWAPP
  BR1310 IOS
  1522 Mesh LWAPP, FIPS Pre-val
  1250 802.11n LWAPP (FIPS Dev)
FIPS 140-2 WLAN Controllers
  WLC4402 - 12, 25, 50 APs
  WLC4404 - 100 APs
  Cat6K WiSM - 300 APs
  Cat3750G - 25/50 APs, FIPS Pre-val
FIPS 140-2 AAA RADIUS
  ACS FIPS Pre-val
