Security Challenges in R&D Environments
#WLPC_EU Lisbon Portugal 2017
Jaromir Likavec, Senior Network Engineer, CWNE #127, CCIE Wireless #45051
Fraunhofer Institute for Computer Graphics Research IGD
Tel +49 6151 155 314
jaromir.likavec@igd.fraunhofer.de
www.igd.fraunhofer.de
Agenda
- Fraunhofer IGD
- Characteristics of R&D Environments
- Unification of Network Access
- Use Case: Security Requirements
- Certificate Deployment
- WLAN and Remote Access at Fraunhofer IGD
- Device Profiling
- Posture Assessment
- Network Monitoring / Network Troubleshooting
- Summary
Fraunhofer IGD Darmstadt
- Spatial Information Management
- 3D Printing Technology
- Information Visualization and Visual Analytics
- Virtual and Augmented Reality
- Smart Living & Biometric Technologies
- Visual Healthcare Technologies
- Visual Computing System Technologies
- Cultural Heritage Digitization
- Interactive Engineering Technologies
- Data Visualization
[HoloLens video]
R&D environments are characterized by:
- High security requirements
- Heterogeneous mobile equipment
- A mixture of private and corporate equipment
- Need for BYOD
- Need for remote access
- A constant need for deployment of new use cases
- Need for network monitoring
- A structured approach to troubleshooting
- Cutting-edge technology
Unification of Network Access
Motivation:
- Different access mechanisms for LAN, WLAN and VPN
- Consolidate WLAN and VPN access
- Separate network access for private / corporate devices (private = evil, corporate = good)
- Develop a unified access concept for end devices
- Deploy device/user-based authentication and authorization
Use Case: Security Requirements
- Two-factor authentication (certificate + username/password)
- Prevent sharing of a certificate by multiple users
- Check that the user exists in AD before allowing VPN
- Use AD group membership as the criterion for allowing SSL VPN
- Check whether the PC is joined to the AD domain
- Verify that the device certificate is on the correct device

Permissions for mobile devices and users:
  Trusted user,   trusted device   -> Full access
  Trusted user,   untrusted device -> Limited access
  Untrusted user, trusted device   -> Limited access
  Untrusted user, untrusted device -> No access
Generate Computer Certificate
Use of Certificates
- Domain computers: automatic distribution and automatic renewal
- Mobile devices: manual generation and web download
- Apple Mac and Linux computers: manual generation and web download
- HQ CC-LAN: use of mail certificates
- Cisco IP phones: MIC certificates

What is checked:
- Certificate validity
- Certificate Revocation List (CRL)
- Device entry in MS AD
- User/password in MS AD
- MAC address in DNS/DHCP (for HQ)
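The checks listed on this slide and the permission matrix of the use-case slide can be combined into one access decision. The following is an added example written for this page, not code from the talk or from Fraunhofer IGD: the directory contents, certificate serials, MAC addresses and user names are constructed, and the checks that need live systems (the AD password verification done by the RADIUS server, the CRL download) are represented by their results. It also covers the "prevent sharing of a certificate" requirement by binding each certificate serial to the first MAC address it was presented from.

```python
"""Network-access decision from a device certificate plus AD user credentials.

Added example for the trust matrix and the certificate checks on the slides;
not code from the talk or from Fraunhofer IGD.  Directory contents, serials,
MAC addresses and user names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class DeviceCert:
    serial: str
    subject_cn: str            # AD computer name the certificate was issued to
    not_before: datetime
    not_after: datetime

@dataclass
class AccessRequest:
    medium: str                # "lan", "wlan" or "vpn"
    hostname: str              # computer name the endpoint reports
    mac: str                   # calling-station id seen by switch, WLC or VPN gateway
    cert: Optional[DeviceCert]
    username: Optional[str]
    password_ok: bool          # result of the AD password check done by the RADIUS server

@dataclass
class Directory:
    computers: Set[str]                  # AD computer objects
    users: Dict[str, Set[str]]           # AD user -> group memberships
    revoked: Set[str]                    # serials on the current CRL
    vpn_group: str = "SSLVPN-Users"      # constructed group name

@dataclass
class AccessPolicy:
    directory: Directory
    bindings: Dict[str, str] = field(default_factory=dict)  # cert serial -> MAC first seen with it
    findings: List[str] = field(default_factory=list)

    def fail(self, req: AccessRequest, message: str) -> bool:
        self.findings.append(f"{req.mac}: {message}")
        return False

    def device_trusted(self, req: AccessRequest, now: datetime) -> bool:
        """Validity period, CRL, AD computer object, CN matches device, no sharing."""
        c = req.cert
        if c is None:
            return self.fail(req, "no device certificate presented")
        checks = [
            (c.not_before <= now <= c.not_after, f"certificate {c.serial} outside its validity period"),
            (c.serial not in self.directory.revoked, f"certificate {c.serial} is on the CRL"),
            (c.subject_cn in self.directory.computers, f"no AD computer object for {c.subject_cn}"),
            (c.subject_cn == req.hostname, f"certificate issued to {c.subject_cn}, not to {req.hostname}"),
        ]
        for ok, message in checks:
            if not ok:
                return self.fail(req, message)
        # The serial is bound to the first MAC it was seen from; the same serial from another MAC is sharing.
        bound = self.bindings.setdefault(c.serial, req.mac)
        if bound != req.mac:
            return self.fail(req, f"certificate {c.serial} already bound to {bound} (possible sharing)")
        return True

    def user_trusted(self, req: AccessRequest) -> bool:
        """User exists in AD, password verified, and for VPN the SSL VPN group is required."""
        groups = self.directory.users.get(req.username or "")
        if groups is None:
            return self.fail(req, f"user {req.username!r} does not exist in AD")
        if not req.password_ok:
            return self.fail(req, f"bad password for {req.username}")
        if req.medium == "vpn" and self.directory.vpn_group not in groups:
            return self.fail(req, f"{req.username} is not in {self.directory.vpn_group}")
        return True

    def decide(self, req: AccessRequest, now: datetime) -> str:
        """Trusted user + trusted device: full; one of them: limited; neither: none."""
        device, user = self.device_trusted(req, now), self.user_trusted(req)
        return "full" if device and user else "limited" if device or user else "none"

def demo() -> Tuple[Dict[str, str], List[str]]:
    """Run constructed requests through the policy; returns (decisions, findings)."""
    utc = timezone.utc
    now = datetime(2017, 10, 10, tzinfo=utc)                      # constructed clock
    span = (datetime(2017, 1, 1, tzinfo=utc), datetime(2018, 1, 1, tzinfo=utc))
    good, revoked = DeviceCert("1001", "igd-lap-042", *span), DeviceCert("1002", "igd-lap-007", *span)
    directory = Directory(computers={"igd-lap-042", "igd-lap-007"},
                          users={"alice": {"Domain Users", "SSLVPN-Users"}, "bob": {"Domain Users"}},
                          revoked={"1002"})
    policy = AccessPolicy(directory)
    requests = {
        "alice-vpn-own-laptop": AccessRequest("vpn", "igd-lap-042", "02:00:00:00:00:01", good, "alice", True),
        "bob-vpn-no-group": AccessRequest("vpn", "igd-lap-042", "02:00:00:00:00:01", good, "bob", True),
        "alice-vpn-copied-cert": AccessRequest("vpn", "igd-lap-042", "02:00:00:00:00:02", good, "alice", True),
        "bob-wlan-revoked-cert": AccessRequest("wlan", "igd-lap-007", "02:00:00:00:00:03", revoked, "bob", True),
        "unknown-user-no-cert": AccessRequest("wlan", "guest-pc", "02:00:00:00:00:04", None, "mallory", False),
    }
    return {name: policy.decide(req, now) for name, req in requests.items()}, policy.findings
```

Every failed check is recorded in `findings`, so the same evaluation that produces the access decision also produces the events an operator would want to see (a serial on the CRL, a certificate turning up from a second MAC address). In a real deployment the MAC seen by the switch, WLC or VPN gateway and the AD password result come from the RADIUS exchange rather than from constructed request objects.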
New Network Access at Fraunhofer IGD
[Diagram: Wireless, Remote Access, LAN]
WLAN and Remote Access at Fraunhofer IGD
- Cisco AnyConnect Mobility
Remote Access
Device Profiling
- Dynamic classification of every device that connects to the network, using the network infrastructure itself
- Probes used to collect device attributes: RADIUS, DHCP, HTTP, NetFlow, NMAP, SNMP, LLDP/CDP
- Device identity groups are used to apply policies: Printer VLAN, Voice VLAN, Video VLAN, dynamic VLAN
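One way probe attributes turn into an identity group and a VLAN is a scoring scheme: each rule awards points to a group when an attribute matches, and the best-scoring group wins only if it reaches a minimum certainty. The following is an added example written for this page, not code from the talk, from Fraunhofer IGD or from any profiling product; the attribute names, rules, point values, threshold, VLAN names and endpoint records are all constructed for illustration.

```python
"""Probe-based device profiling with a certainty score.

Added example for the device-profiling slide; not code from the talk, from
Fraunhofer IGD or from Cisco ISE.  Rules, point values, threshold, VLAN names
and endpoint records are constructed.
"""
from typing import Any, Callable, Dict, List, Tuple

# (probe attribute, predicate on its value, identity group, certainty points)
PROBE_RULES: List[Tuple[str, Callable[[Any], bool], str, int]] = [
    ("dhcp_class_id",    lambda v: v.startswith("MSFT"),        "Windows-Workstation", 20),
    ("http_user_agent",  lambda v: "Windows NT" in v,           "Windows-Workstation", 15),
    ("dhcp_class_id",    lambda v: "IP Phone" in v,             "Cisco-IP-Phone",      40),
    ("cdp_capabilities", lambda v: "Phone" in v,                "Cisco-IP-Phone",      30),
    ("snmp_sysdescr",    lambda v: "Printer" in v,              "Printer",             30),
    ("nmap_open_ports",  lambda v: 9100 in v,                   "Printer",             30),  # raw-print port
    ("nmap_open_ports",  lambda v: 554 in v,                    "Video-Camera",        20),  # RTSP
    ("oui_vendor",       lambda v: v == "Example Camera Corp",  "Video-Camera",        20),
]
MIN_CERTAINTY = 30   # below this the endpoint stays Unknown

VLAN_FOR_GROUP = {
    "Printer": "Printer VLAN",
    "Cisco-IP-Phone": "Voice VLAN",
    "Video-Camera": "Video VLAN",
    "Windows-Workstation": "Dynamic VLAN (from the 802.1X user/device policy)",
}
DEFAULT_VLAN = "Quarantine VLAN"   # constructed name for the catch-all VLAN

def score(attributes: Dict[str, Any]) -> Dict[str, int]:
    """Sum the points of every rule whose attribute is present and matches."""
    totals: Dict[str, int] = {}
    for attr, matches, group, points in PROBE_RULES:
        value = attributes.get(attr)
        if value is not None and matches(value):
            totals[group] = totals.get(group, 0) + points
    return totals

def classify(attributes: Dict[str, Any]) -> Tuple[str, int]:
    """Return (identity group, certainty); 'Unknown' when no group reaches the threshold."""
    totals = score(attributes)
    if not totals:
        return "Unknown", 0
    group, certainty = max(totals.items(), key=lambda kv: kv[1])
    return (group, certainty) if certainty >= MIN_CERTAINTY else ("Unknown", certainty)

def assign_vlan(attributes: Dict[str, Any]) -> str:
    group, _ = classify(attributes)
    return VLAN_FOR_GROUP.get(group, DEFAULT_VLAN)

# Constructed endpoint records as the probes would collect them (not real devices).
ENDPOINTS = {
    "02:00:00:00:00:11": {"dhcp_class_id": "Cisco Systems, Inc. IP Phone", "cdp_capabilities": ["Host", "Phone"]},
    "02:00:00:00:00:12": {"snmp_sysdescr": "Example Office Printer", "nmap_open_ports": [80, 9100]},
    "02:00:00:00:00:13": {"dhcp_class_id": "MSFT 5.0", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
    "02:00:00:00:00:14": {"oui_vendor": "Example Camera Corp"},          # only one weak hint
}

def profile_all() -> Dict[str, Tuple[str, int, str]]:
    """Profile every constructed endpoint: MAC -> (group, certainty, VLAN)."""
    return {mac: (*classify(attrs), assign_vlan(attrs)) for mac, attrs in ENDPOINTS.items()}
```

The threshold is what keeps a single weak attribute (here an OUI vendor alone) from placing a device into a privileged VLAN: such an endpoint lands in the default VLAN until more probes report, which is also the point at which a mismatch between probes (a "printer" by OUI that speaks like a workstation) becomes visible.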
Posture Assessment
- Compliance check
- OS analysis: antivirus, antispyware, personal firewall
- Quarantine and remediation services
Monitoring and Troubleshooting
- Cisco ISE
- XT Spectrum
- WLC
- AirCheck G2
- Cisco Prime
- Omnipeek/Wireshark
- Zabbix
- Splunk
- Ekahau Site Survey
Summary
- 802.1X is ready for productive use
- Device certificates are used to determine whether the device connected to the LAN, WLAN or VPN is a corporate device or a private device
- User credentials follow as a second step
- This solution for network access increases security and reduces operating costs
- It's not the network
- It's (still) not the network
Thank You
Questions: