Cisco Wireless A to B part2 - Ingram Micro Solution Center Portal


Cisco Wireless A to B
(ACCESS to BYOD)
Part 2 of 3
Mobility Services Engine
(wIPS, Context)
Peter Avino
Instructor/Engineer Ingram Micro
Solution Center/Experience Center
[email protected]
Video – [email protected]
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
AGENDA:
Wireless Intrusion Prevention
Context Aware Mobility
Mobility Service Engine
Live Demo
Prosperity and Joy
Wireless Intrusion Prevention
Open Air: no physical barriers to intrusion.
Open Protocols: well-documented and understood. The most common attacks against WLAN networks are targeted at management frames.
Open Spectrum: easy access to inexpensive technology; more devices.
Regulatory and Business Requirements: Sarbanes-Oxley, HIPAA, PCI.
Using wIPS to Enhance Security
Monitoring the Airwaves to Find Threats
Find Rogue Access Points
Rogue access points can be used to hijack
information from your corporate network from
outside your physical building
Detect Wireless Attackers
Wireless attacks take many forms that are not
detected by traditional network security
These attacks can be both detected and mitigated
using wireless IPS
Stay on Top of New Threats
Leverage both signature-based network analysis,
and anomaly-based methods for detection
Maintain protection with on-going threat
detection updates
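The two wIPS jobs the slide describes, finding rogue access points and detecting over-the-air attacks on management frames, reduce to inspecting raw 802.11 management frames. The following is an added example written for this transcript, not code from the Cisco deck or from the MSE/wIPS product: it parses the 24-byte 802.11 MAC header, the SSID information element of beacons and the reason code of deauthentication frames, then runs two signature-style checks over a constructed capture. The MAC addresses, the SSIDs "CorpWiFi"/"GuestCafe", the 20-deauths-per-second threshold and the capture itself are all invented for the demo.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame-control values: type 0 = management; subtypes 8 = beacon, 12 = deauthentication
TYPE_MGMT, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0, 8, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_mgmt_frame(subtype, da, sa, bssid, body=b"", seq=0):
    """24-byte MAC header (frame control, duration, addr1..3, sequence control) + body; no FCS."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)              # protocol version 0, flags byte left 0
    header = struct.pack("<BBH", fc0, 0, 0) + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid)
    return header + struct.pack("<H", seq << 4) + body   # fragment 0, sequence number in bits 4..15


def beacon_body(ssid):
    """Fixed fields (timestamp, beacon interval, capability) followed by the SSID IE (tag 0)."""
    return struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()


def deauth_body(reason):
    return struct.pack("<H", reason)


def parse_ssid_ie(ies):
    """Walk tag/length/value information elements; return the SSID (tag 0) if present."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + length].decode(errors="replace")
        i += 2 + length
    return None


def parse_mgmt_frame(raw):
    """Decode a management frame's addresses and body; None for data/control or truncated frames."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (raw[0] >> 4) & 0xF
    frame = {"subtype": subtype, "da": mac_str(raw[4:10]), "sa": mac_str(raw[10:16]),
             "bssid": mac_str(raw[16:22]), "seq": struct.unpack_from("<H", raw, 22)[0] >> 4}
    body = raw[24:]
    if subtype == SUBTYPE_DEAUTH and len(body) >= 2:
        frame["reason"] = struct.unpack_from("<H", body)[0]
    elif subtype == SUBTYPE_BEACON and len(body) >= 12:
        frame["ssid"] = parse_ssid_ie(body[12:])
    return frame


class WirelessIDS:
    """Two signature-style checks: SSID/BSSID allow-list (rogue AP) and per-BSSID deauth rate (flood)."""

    def __init__(self, corporate_ssids, authorized_bssids, deauth_threshold=20, window_s=1.0):
        self.corporate_ssids, self.authorized_bssids = set(corporate_ssids), set(authorized_bssids)
        self.deauth_threshold, self.window_s = deauth_threshold, window_s
        self.deauth_times = defaultdict(deque)   # bssid -> arrival times still inside the window
        self.alerts, self._reported = [], set()  # _reported suppresses repeat alerts per (kind, bssid)

    def observe(self, t, raw):
        f = parse_mgmt_frame(raw)
        if f is None:
            return
        if f["subtype"] == SUBTYPE_BEACON:
            # Corporate SSID from a BSSID not on the allow-list: rogue (or evil-twin) access point
            if f.get("ssid") in self.corporate_ssids and f["bssid"] not in self.authorized_bssids:
                self._alert("ROGUE_AP", f["bssid"], f["ssid"])
        elif f["subtype"] == SUBTYPE_DEAUTH:
            q = self.deauth_times[f["bssid"]]
            q.append(t)
            while q and t - q[0] > self.window_s:  # slide the window forward
                q.popleft()
            if len(q) >= self.deauth_threshold:
                self._alert("DEAUTH_FLOOD", f["bssid"], len(q))

    def _alert(self, kind, bssid, detail):
        if (kind, bssid) not in self._reported:
            self._reported.add((kind, bssid))
            self.alerts.append((kind, bssid, detail))


# Constructed addresses for the demo capture (not real infrastructure)
CORP_AP, ROGUE_AP, NEIGHBOR_AP = "00:1a:2b:3c:4d:01", "de:ad:be:ef:00:01", "c0:ff:ee:00:00:01"


def sample_capture():
    """Constructed (timestamp, frame) list: benign beacons, one neighbour, a rogue and a deauth flood."""
    cap = [(0.1 * i, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, CORP_AP, CORP_AP, beacon_body("CorpWiFi"), i))
           for i in range(3)]
    cap.append((0.15, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, NEIGHBOR_AP, NEIGHBOR_AP, beacon_body("GuestCafe"))))
    cap.append((0.3, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ROGUE_AP, ROGUE_AP, beacon_body("CorpWiFi"))))
    cap.append((0.4, build_mgmt_frame(SUBTYPE_DEAUTH, "00:11:22:33:44:55", NEIGHBOR_AP, NEIGHBOR_AP, deauth_body(3))))
    for i in range(25):  # broadcast deauths spoofing the corporate AP, 10 ms apart
        cap.append((0.5 + 0.01 * i, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, CORP_AP, CORP_AP, deauth_body(7), i)))
    return sorted(cap, key=lambda item: item[0])


def run_detection(capture=None):
    ids = WirelessIDS(corporate_ssids={"CorpWiFi"}, authorized_bssids={CORP_AP})
    for t, raw in (capture if capture is not None else sample_capture()):
        ids.observe(t, raw)
    return ids.alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Running it reports the rogue BSSID once (on its first "CorpWiFi" beacon) and the deauth flood once the 20th spoofed frame lands inside the one-second window; the neighbour's own SSID and its single, legitimate deauth produce nothing. The deauth check works at all because, absent 802.11w protected management frames, nothing in the frame authenticates its source address, which is the point the slide makes about management-frame attacks. A real wIPS sensor adds per-channel dwell, dozens more signatures and anomaly baselines on top of this skeleton.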
Using wIPS to Improve Compliance
Integrated Into System-Level Security View
Efficiently Audit Your Security
Gather the information you need about your
environment from a single source to demonstrate
compliance to auditors
Use Integrated Compliance Tools
Let your infrastructure and wIPS solution help to
guide you with ways to better secure your network
and maintain security compliance, even when
configurations change
Know the Extent of Attacks
Use full event forensics to determine the exact flow
of information across your network when an attack
occurs in order to determine that no other systems
have been breached
Using wIPS to Streamline Threat Management
Simple and Secure
Configure and Monitor from a Single Source
Leverage an integrated management system
to unify WLAN and wIPS policy and
event monitoring workflows
Utilize Embedded wIPS Policy Profiles
Use configuration profiles to establish a baseline
wIPS configuration in order to effectively tune
your monitoring system
Know Who Did What (History/Forensics)
Use a flexible notification system to easily notify staff
when security events have occurred
Leverage consolidated event records with complete
audit trail
wIPS Services

Capability                                                      CleanAir without MSE   CleanAir with MSE (Adaptive wIPS)
Rogue Mitigation                                                Yes                    Yes
Track and Trace Rogues                                          No                     Yes
Security Penetration and Denial of Service Attack Mitigation    No                     Yes
Detect Interferers                                              Yes                    Yes
Classify Interferers                                            Yes                    Yes
Mitigate Interferers                                            Yes                    Yes
Maintain Air Quality                                            Yes                    Yes
Detect Layer 1 Exploits                                         Yes                    Yes
System-wide Interferer Details and Event Correlation            No                     Yes
Zone of Impact and Interferer Notification                      No                     Yes
Track and Trace Interferers and Layer 1 Exploits                No                     Yes
What is so special about the CleanAir AP?

Cisco CleanAir: high-resolution interference detection and classification logic built into Cisco's 802.11n Wi-Fi chip design. Inline operation with no CPU or performance impact.
• Uniquely identify and track multiple interferers
• Assess unique impact to Wi-Fi performance
• Monitor AirQuality

[Slide figure "Detect and Classify": spectrum plot of tracked interferers; only the numeric labels 97, 100, 63, 90, 20 and 35 survive the transcript]

Spectrum Intelligence feature matrix
Columns: CleanAir Express on the 1600 access point (* future support); CleanAir on the 2600 or 3600; CleanAir with WSSI on the 3600 with WSSI module.
Rows: Detection, Classification, Mitigation, Location, Performance Optimized, Top Impacts and Severity List, Alert Correlation, Air Quality Index, Zone of Impact, Off Channel Scanning, Proactive Intelligent Channel Switching.
[The per-cell checkmarks did not survive the transcript: CleanAir Express is marked on 4 of the 11 rows, CleanAir on 9, and CleanAir with WSSI on all 11]

A monitor-mode access point for wIPS spends all of its cycles scanning channels looking for rogues and over-the-air attacks. A monitor-mode access point can simultaneously be used for location (context-aware) services and other monitor-mode services.

A local-mode access point splits its cycles between serving WLAN clients and scanning channels for threats. As a result, detection times are longer (3 to 60 minutes) and a smaller range of over-the-air attacks can be detected.
DEMO!!!
??? QUESTIONS ???
Context Aware Mobility

Context Aware Mobility is the ability to dynamically capture and use contextual information of mobile assets to optimize, change or create communications flow and business processes.

[Slide figure: contextual information of mobile assets (Identity, Time, Location, Temperature, Humidity, Availability) feeds the end-user experience: Right Device, Right Business Application, Right Team, Right Network, Right Place, Right Time]
Challenges of Today's Solutions

[Slide figure: location technologies by range. In close proximity: Passive RFID. Building: Wi-Fi (RSSI, Chokepoint). Campus: Wi-Fi (TDoA, Chokepoint). Nationwide: Cellular, GPS]

Different devices, networks and applications to manage for each workspace involved in the business process.
Keeping Track of Your Assets in MOTION

Answer questions critical to your business in real time. Each question maps to a class of application:
• Is It Here? Zone/Inventory Management
• Where Is It? Asset Tracking
• What Is Its Condition? Condition Tracking
• What Is His/Her Status? Presence
• Where in My Network Is It? Network Location Services

Zone/Inventory Management Applications (Is It Here?)
Defining zones and tracking mobile assets entering and exiting
Healthcare
• Inventory management of medical equipment
• Alerts when equipment is leaving the building
• Nurses and physician schedule
• Emergency Room minimum attendance
Manufacturing
• Final goods inventory
• Emergency evacuation
Education
• Classroom attendance
• Emergency evacuation
Retail
• Location-aware promotions
Asset Tracking Applications (Where Is It?)
Locating a mobile asset anywhere in the campus
Healthcare
• Locating medical equipment such as infusion pumps, wheelchairs...
• Automated update of location information into bed management or medication administration
Manufacturing
• Tracking pallets on the factory floor
• Locating work in process (WIP) parts for assembly
Education
• Locating students when walking on campus
Retail
• Tracking pallets in the warehouse
• Locate sales associate
• Information on demand
Condition Tracking Applications (What Is Its Condition?)
Measuring temperature, pressure, humidity, motion...
Healthcare
• Initiate a request to sterilize medical equipment
• Monitor storage conditions for equipment or medication
• Provide patient comfort in a responsive manner
Manufacturing
• Monitor environmental conditions for chemical processes
• Employees' safety
• Detect asset in motion
Retail
• Ensure that perishable goods are kept in the right condition, or alert
Presence Applications (What Is His/Her Status?)
Using location information to automate presence status in Unified Communications applications
Healthcare
• Automatically update the status of medical staff (ER, surgery, off time...) and how to reach them (call, IM, email...)
Office
• Most efficient way to collaborate (e.g. in a meeting, at his/her desk...)
Consumer
• Social networking (at the gym, in the library...)
Network Location Services Applications (Where in My Network Is It?)
Automatically optimizing your wireless resources where they are most needed
• Immediately locate rogue wireless devices
• Accurately identify interference zones and dead spots
• Associate network access with physical location
• Track location history
How TDoA works
• Time Difference of Arrival
• Used with any CCX tags (not clients)
• Wi-Fi TDoA receivers are synchronized
• Distances between the tag and the APs are calculated based on the time difference of arrival
• Requires line of sight
• Recommended for high ceilings, outdoors and outdoor-like environments (e.g. warehouses, parking lots)

[Slide diagram: the tag sends at T0; Wi-Fi TDoA Receivers #1, #2 and #3 receive at T1, T2 and T3 and derive distances D1, D2 and D3]
How RSSI works
• Received Signal Strength Indication
• Used with tags and clients
• Receivers are the access points
• Distances between the tag and the APs are calculated based on the received signal strength
• Requires medium to short read range for better accuracy
• Recommended for indoors

[Slide diagram: Wi-Fi Access Points #1, #2 and #3 measure strengths S1, S2 and S3 and derive distances D1, D2 and D3]
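The two slides above state what TDoA and RSSI location compute but not how the distances turn into a position. The following added example, written for this transcript and not taken from the Cisco deck or the MSE software, carries both methods through in two dimensions: RSSI ranging with a log-distance path-loss model and linearised least-squares trilateration, and TDoA positioning by Gauss-Newton on the hyperbolic range-difference residuals. The anchor positions (a 40 m square), the tag position (12, 25), the path-loss parameters (P0 = -40 dBm at 1 m, exponent 2.5) and the free-space, synchronized-clock, line-of-sight conditions are all assumptions of the demo, not Cisco figures.

```python
import math

C = 299_792_458.0  # propagation speed, m/s (free space assumed)


def distance_to_rssi(d, p0_dbm=-40.0, n=2.5, d0=1.0):
    """Log-distance path-loss model: RSSI = P0 - 10*n*log10(d/d0); parameters are assumed values."""
    return p0_dbm - 10 * n * math.log10(d / d0)


def rssi_to_distance(rssi_dbm, p0_dbm=-40.0, n=2.5, d0=1.0):
    """Invert the model: measured RSSI -> estimated range."""
    return d0 * 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def solve_2x2_least_squares(rows, rhs):
    """Solve min ||A x - b|| for x in R^2 through the normal equations."""
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-12:
        raise ValueError("degenerate geometry: anchors collinear or coincident")
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


def rssi_trilaterate(aps, rssi_dbm, **model):
    """RSSI method: each AP gives a range circle; subtracting the first circle's equation
    from the others removes the quadratic terms and leaves a linear least-squares problem."""
    d = [rssi_to_distance(r, **model) for r in rssi_dbm]
    (x1, y1), d1 = aps[0], d[0]
    rows, rhs = [], []
    for (xi, yi), di in zip(aps[1:], d[1:]):
        rows.append((2 * (xi - x1), 2 * (yi - y1)))
        rhs.append(d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2)
    return solve_2x2_least_squares(rows, rhs)


def tdoa_locate(receivers, arrival_times, iterations=50, tol=1e-6):
    """TDoA method: receivers share a clock but the tag's send time T0 is unknown, so only
    (Ti - T1)*c = |p - Ri| - |p - R1| is used. Each pair defines a hyperbola; Gauss-Newton
    started at the receivers' centroid finds where they intersect."""
    x = sum(r[0] for r in receivers) / len(receivers)
    y = sum(r[1] for r in receivers) / len(receivers)
    (rx1, ry1), t1 = receivers[0], arrival_times[0]
    for _ in range(iterations):
        d1 = math.hypot(x - rx1, y - ry1)
        g1 = ((x - rx1) / d1, (y - ry1) / d1)          # gradient of |p - R1| w.r.t. p
        rows, rhs = [], []
        for (rx, ry), ti in zip(receivers[1:], arrival_times[1:]):
            di = math.hypot(x - rx, y - ry)
            gi = ((x - rx) / di, (y - ry) / di)
            residual = (di - d1) - C * (ti - t1)
            rows.append((gi[0] - g1[0], gi[1] - g1[1]))  # Jacobian row of the residual
            rhs.append(-residual)
        dx, dy = solve_2x2_least_squares(rows, rhs)
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    return x, y


# Constructed scenario: four anchors at the corners of a 40 m x 40 m hall, tag at (12, 25)
ANCHORS = [(0.0, 0.0), (40.0, 0.0), (0.0, 40.0), (40.0, 40.0)]
TRUE_TAG = (12.0, 25.0)


def simulate_rssi(tag=TRUE_TAG, aps=ANCHORS):
    return [distance_to_rssi(math.hypot(tag[0] - x, tag[1] - y)) for x, y in aps]


def simulate_tdoa(tag=TRUE_TAG, receivers=ANCHORS, t0=0.0):
    """Arrival times for a tag transmitting at t0; t0 is not given to the locator."""
    return [t0 + math.hypot(tag[0] - x, tag[1] - y) / C for x, y in receivers]


def position_error(fix, truth=TRUE_TAG):
    return math.hypot(fix[0] - truth[0], fix[1] - truth[1])


def run_demo():
    rssi_fix = rssi_trilaterate(ANCHORS, simulate_rssi())
    tdoa_fix = tdoa_locate(ANCHORS, simulate_tdoa(t0=1.234))
    # Same tag radiating 6 dB weaker (or behind attenuation): every RSSI range is inflated
    weak_fix = rssi_trilaterate(ANCHORS, [r - 6.0 for r in simulate_rssi()])
    return {"rssi": rssi_fix, "tdoa": tdoa_fix, "rssi_tx_minus_6dB": weak_fix}


if __name__ == "__main__":
    for method, fix in run_demo().items():
        print(f"{method:18s} -> ({fix[0]:7.2f}, {fix[1]:7.2f})  error {position_error(fix):6.2f} m")
```

With ideal inputs both methods recover (12, 25). The third case is the practitioner's caveat behind the slide's "medium to short read range" advice for RSSI: a 6 dB drop in received power, whether from a tag's lower transmit power, a body or a wall in the path, scales every RSSI-derived range by the same factor (10^(6/25), about 1.74) and moves the fix roughly 19 m, outside the hall. TDoA never looks at signal strength, so the same tag is still placed correctly, at the price of synchronized receivers and a line-of-sight path for the timing to be meaningful.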
How Chokepoint works
• Hybrid tags with a 125 kHz passive side and a Wi-Fi active side
• Tags and chokepoints have to be from the same vendor (AeroScout or WhereNet)
• When the tag is in close proximity to the chokepoint, its passive side gets excited and captures the information (location and sensing); the active side then sends the information over Wi-Fi
• The tag beaconing frequency can be reconfigured by the chokepoint
• Indoor or outdoor

[Slide diagram: chokepoint excites the tag's 125 kHz passive side; the tag's Wi-Fi active side reports to a Wi-Fi access point]
DEMO!!!
??? QUESTIONS ???
Mobility Services Engine
An open platform that gets data in real time from the wireless LAN to track and act upon mobile resources.

Two flavors: hardware appliance (3355) vs. virtual machine.
Mobility Services Engine licensing
• Context Aware Mobility
• wIPS
• Context Aware Mobility + wIPS
• Capacity
Cisco 3355 Mobility Services Engine
• Cisco Context-Aware Software to track up to 18,000 devices
• Cisco Adaptive Wireless Intrusion Prevention System software to support up to 3,000 monitor-mode or enhanced local mode (ELM) access points
• (2) quad-core Intel Nehalem processors at 2.0 GHz with 4 MB cache; 16 GB DDR3 (2 x 8 GB); four hot-swappable 146 GB SAS drives with up to 6 Gbps transfer rate
MSE Virtual Appliance sizing

                                High-End                        Standard                        Low End
Context-Aware License           50,000                          18,000                          2,000
aWIPS License                   10,000                          5,000                           2,000
Minimum RAM                     20 GB                           11 GB                           6 GB
Minimum hard disk allocation    500 GB                          500 GB                          500 GB
Disk throughput (minimum)       1600 IOPS, 6000 KB/s            1000 IOPS, 3500 KB/s            900 IOPS, 3000 KB/s
Physical cores                  16 at 2.13 GHz or better        8 at 2.93 GHz or better         2 at 2.93 GHz or better
                                (2x Intel Xeon E7-L8867)        (2x Intel Xeon X5570)           (2x Intel Xeon X5570)
??? QUESTIONS ???