Cisco Blogs


Cisco Blog > Enterprise Networks

Access Control with Cisco TrustSec: Moving from “IP Addresses” to “Roles and Attributes”

Today’s enterprise is a highly dynamic, and hyper connected environment where IT plays a critical role in connecting the users, devices, resources and corporate IT systems. Today’s employees are also highly mobile in nature and do not necessarily have a single workspace assignment. The IT departments are constantly being challenged by the organization’s Line of Business owners to keep up with the pace of rolling out new services to address market needs, while keeping up with user expectations.

At the same time, IT departments also are responsible for ensuring business continuity and an uninterrupted service. However, the toughest challenge that any IT organization faces is implementing a security architecture which not only satisfies the compliance and industry regulatory requirements, but also provides a sufficient amount of protection against unauthorized access, data breaches, etc.

The traditional way to implement a security architecture in this kind of an environment is by implementing security rules in Firewall for traffic traversing the network’s extranet/intranet or data-center perimeters. For implementing security policies within an organizations network, Identity-Based Networking using IEEE 802.1X is generally used. Read More »

Tags: , , , , , , , , , , , ,

802.11i, Authentication and You

January 4, 2012 at 5:00 am PST

Not too long ago I was assigned to a troubleshooting and remediation project for a hospital here in the SF bay area. The problem, after much troubleshooting and lab recreations, was determined to be due to an unique issue with client roaming and authentication. During the course of troubleshooting my coworker and myself often found ourselves explaining 802.1X and 802.11i to others working on the troubleshooting effort, or requesting technical updates. So based on that experience, I started thinking this might a be a good topic to cover here.

Let’s review the some of typical components of the enterprise wireless security model.

What is 802.1X?
802.1X is not a protocol, but rather a framework for a “port-based” access control method.  802.1X was initially created for use in switches, hence the port-based terminology, which really doesn’t fit too well in wireless since users don’t connect to a port. In the end it’s meant to be a logical concept in the 802.11 world.  802.1X was adopted for wireless networks with the creation of 802.11i to provide authenticated access to wireless networks. At a high level. the framework allows for a client that has connected to the WLAN to remain in a blocked port status until it has been authenticated by a AAA server. Essentially the only traffic allow through this virtual blocked port is EAP traffic, things like HTTP would be dropped.

What is EAP?

EAP  (Extensible Authentication Protocol) is the authentication method used by 802.1X. It can take on various forms, such as PEAP, EAP-TLS, EAP-FAST, to name a few. There is one thing to remember when determining what EAP type to use in your network, is that it is dependent upon what your client and AAA server supports. This is it, your AP or AP/Controller hardware or code version will play no part in version is supported. Unless your AP/controller is acting as the AAA server, but I’ll stay away from that in this post. I think this can be a point of confusion for people who haven’t read much or anything about EAP methods. So, if some one asks what version of EAP the AP will support, all you need to do is ask them, what does their Client and AAA server support.

What is 802.11i?

Simply put, 802.11i is an amendment to the original 802.11 standard to address the well documented security short comings of WEP. It incorporates WPA  as a part of the 802.11i amendment and adds the fully approved WPA2 with AES encryption method. 802.11i  introduces the concept of a Robust Security Network (RSN) with the Four-way handshake and the Group key Handshake.

Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Securing the Mobile Experience Made Simpler

It is no longer a question of “if” your organization will face the new reality of mobile device proliferation, just an ever closer “how soon.” Users expect the network to enable trends like Bring Your Own Device (BYOD), and they aren’t just using smartphones and tablets to be more productive, they are falling in love with them. For businesses, simply allowing access isn’t the answer. It’s a question of relevant, secure access across the entire network, while protecting corporate assets and delivering an optimal user experience. Cisco focuses on exactly that -- how to enable a simple and secure mobility experience, with a consistent end-to-end architecture across wired, wireless and VPN access.

As a cornerstone of this wired-wireless access architecture, the Cisco Identity Services Engine (ISE) has already been helping customers like Whittier Union High School, San Antonio Water System and BlueWater Communications Group apply consistent security across the entire network through a centralized, single policy source.

Whittier Union High School District, a California high school district serving more than 13,600 students, was facing the challenge of mobile devices. Both faculty and students were bringing their personal devices on campus, many for educational apps and tools.

“It’s becoming increasingly critical to provide employees, students, and visitors access to our network and extensive educational resources given the growing expectations of our tech-savvy population,” stated Karen Yeh, Director of Information Technology, Whittier Union High School District.

Whittier needed a way to apply differentiated policy across their student and staff populations, somehow managing access for both personal and corporate devices, all without increasing IT resources. Karen called Cisco, and two weeks later her team was deploying the Cisco ISE, implementing a single point of security policy for their networks across wired, wireless and VPN. Considering that Richard Nixon, the 37th president of the US went to Whittier High School, the flexible network access enabled by Cisco ISE may be empowering the next generation of leaders, scientist or artists. But, mobile devices aren’t confined to education. San Antonio Water System, a public utility owned by the city of San Antonio, is seeing surprisingly similar issues.

Read More »

Tags: , , , , , , , , , , , , , , , , ,

DCID Protection Level 3 and Multi-tenant Cloud

The former Director of Central Intelligence Directives 6/3 established specific protection levels based on an information system’s assessed level of concern. In 2008  The Office of the Director of National Intelligence (ODNI) began releasing Intelligence Community Directives (ICD) that were to eventually supersede the DCID. I’m no longer an active practitioner of Certification and Accreditation so it is unclear to me whether the ICD 500 series has actually superseded or cancelled the DCID 6/3. From my interactions over the past 18 months I’m thinking that the DCID 6/3 is still alive combined with specific ICD 500 guidance and 800-53. Regardless, in my opinion the DCID 6/3 offers some great legacy guidance for multi-tenant clouds.

Read More »

Tags: , , , , , , , , ,