wlan security
DESCRIPTION
WLAN_SecurityTRANSCRIPT
-
Version 1
WLAN&3G Product Team
-
1.1.1 ........ 3
1.1.1.1 ........ 5
1.1.1.2 ........ 6
1.1.1.3 MFP ........ 8
1.1.1.4 2-7 IPS/IDS ........ 8
1.1.1.5 AP ........ 11
1.1.1.6 NAC ........ 13
1.1.1.7 Mesh ........ 14
1.1.1.8 CCKM ........ 14
1.1.1.9 ........ 14
1.1.1.10 ........ 16
-
1.1.1
802.11 802.11 WLAN 802.11 802.1x/EAP, 802.11i, WPA/WPA2, 802.11w
Cisco 802.1x/EAP
WLAN WLAN WLAN
WLAN WLAN
AP AP / AP
802.11w 802.11w CCX MFP
Mesh 802.11a Backhaul 11a
/
WEPTKIPAES
-
MFP
2-7 IPS/IDS
AP
NAC
Mesh
CCKM
[Figure: Secure Wireless Solution Architecture. Components: WCS, CS-MARS, ASA 5500 w/ IPS Module, Guest Anchor Controller, NAC Appliance, NAC Manager, CSA Server (Cisco Security Agent); zones: Internet, Enterprise, Trusted/Untrusted, Wireless/Wired, Public; Guest and SSC clients; WPA2/802.1X with MFP. Layers labelled: Endpoint Protection (host intrusion prevention, endpoint malware mitigation); Traffic and Access Control (device posture assessment; dynamic, role-based network access and managed connectivity; WLAN threat mitigation with IPS/IDS); WLAN Security Fundamentals (strong user authentication, strong transport encryption, RF monitoring, secure guest access).]
-
1.1.1.1
WLAN 802.1X-EAP, TKIP, AES
WEP
LEAP, EAP-FAST, EAP-TLS, PEAP
WEP
LEAP, EAP-FAST
EAP-TLS, PEAP TKIP/MIC, AES
IV AirSnort
TKIP/AES
TKIP WEP 1 WEP (MIC) 2 WEP
MIC 802.11 Integrity check function (ICV) MIC AP MIC MIC
WEP WEP 802.1X WEP 802.11i WEP WEP Cisco WLAN
-
AES TKIP WEP RC4 AES TKIP WEPAES 2 120 AES
AES WEP AES AES 128, 192, 256 AES 128 WPA2/802.11i 128 WPA2/802.11i AES WPA2/802.11i 10
AES Counter-Mode/CBC-MAC (CCM): CCM Counter (CTR) AES AES CBC-MAC CTR CBC-MAC NIST SP 800-38C, IETF RFC 3610
CCM 48 IV TKIP AES IV WEP CCM IV IV 48 IV
WEP TKIP RC4 RC4 TKIP TKIP WEP
AESAES AES AES AES
1.1.1.2
-
[Figure: campus network with X.509 certificate-based infrastructure authentication; labels: Authorized Users/Devices, AAA/DHCP.]
AP -AP 802.1x AP 802.1x AP 802.1x AAA AP AP
-
1.1.1.3 MFP
AP
MIC MFP AP MFP
MFP ProtectedMFP Protected
MFP ProtectedMFP Protected
FUTURE- CCXv5
1.1.1.4 2-7 IPS/IDS
2
WIDS
-
IP Web
2 IPS 7 IPS 27 2-7 IDS
-
IDS 2-7 IDS IDS
IDS 6500 IDS IDS 2-7 IDS AP/Mesh
Controller Wired IDS
L2 IDS, L3-7 IDS, Client shun
-
1.1.1.5 AP
AP, Ad-Hoc AP AP, Ad-Hoc
[Figure: rogue AP detection. Network layers: Network Core, Distribution, Access (switches); components: Rogue AP, Wireless Control System (WCS), Wireless LAN Controller, Rogue Detector, NMS; detection methods labelled: ARP Sniffing, Auto-RRM, RLDP; numbered steps 1-4 refer to the AP.]
-
AP AP AP
AP AP AP AP AP AP AP MonitorAP AP+Monitor AP
AP AP
AP AP AP AP
AP AP AP
[Figure: rogue AP on an L2 switched network, reported to WCS.]
AP AP AP AP
-
AP
1.1.1.6 NAC
NAC
Radius
-
1.1.1.7 Mesh
Mesh Mesh
Mesh AES AES Mesh
1.1.1.8 CCKM
CCKM (Cisco Centralized Key Management)
1.1.1.9
-
[Figures: guest access designs. (a) Guest SSID and Corporate SSID carried over an 802.1Q trunk, with guest traffic isolated from the corporate network and directed to the DMZ/Internet. (b) Guest traffic tunneled to the DMZ via an Ethernet over IP tunnel, bypassing the corporate network.]
-
DMZ
1.1.1.10
Log