washingtonpost.com: Welcome to the First Part of The Conversations with Cisco. Today we have with us Stephen Orr to help us understand how Cisco can help you protect data in-transit across wireless networks, while benefiting from mobile computing. Welcome Stephen.

Stephen Orr, Cisco: Good afternoon and welcome to the first on-line chat session. Today we will take questions regarding deploying Secure Wireless Architectures while meeting Federal requirements and providing enterprise class services.

_______________________

Washington, D.C.: Do Cisco wireless products comply with the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2 Level 2 Certification as well as the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard?

Stephen Orr, Cisco: Yes – Cisco has taken a unique approach to FIPS validation of of Unified Wireless Architecture. Cisco does not charge for its FIPS validated version of software – in fact, it is included as part of our mainline code which allows customer to benefit from all of the latest feature enhancements.
The following products have all be validated for FIPS 140-2 Level 2 while being fully compliant with the IEEE 802.11i standard.

4400 Controllers (cert# 693)
Wireless Module for the Catalyst 6500 (Cert# 729)
Lightwieght AP’s 1131,1231,1242 (cert# 695)

In process for FIPS validation are the following products
3750 integrated Wireless LAN Controller
Cisco Secure RADIUS Server

Please see the following NIST url for more information on all of Cisco’s FIPS validated products

http://csrc.nist.gov/cryptval/140-1/1401vend.htm

_______________________

San Diego, Calf.: What components do I need to set up a Secure Wireless Architecture 5?

Stephen Orr, Cisco: The minimum components required to enable a Secure Wireless Architecture for Federal Agencies are:

The Wireless LAN Controller and Lightwieght Access Point.

To comply with NIST guidleines from FIPS or NIAP Common Criteria, in addition to the previous components – the Wireless Control Software, Location Appliance and Cisco Secure ACS are also required

_______________________

Arlington, Va.: How does Cisco WIDS deal with Rogue AP's and Clients?

Stephen Orr, Cisco: The Unified Wireless Architecture’s WIDS will perform multiple actions on Rogue devices. First, the Wireless Control Software will detect the Rogue device and then produce an alert/alarm on the management console (an email/page can also be sent). Once the rogue is confirmed by the administrator, you can take action by having the Wireless System send de-authentication and dis-association message to the Rogue device. The Location Appliance is critical to any WIDS deployment so that you can track the rogue device and physically remove it from the network.

_______________________

Washington, D.C.: Is there an additional charge for Cisco's FIPS validated software?

Stephen Orr, Cisco: No – Cisco's FIPS validated code for the Unified Wireless Architecture is part of the mainline release and is included at no additional charge.

_______________________

Washington, D.C.: Are there any synergies with other Cisco Security products?

Stephen Orr, Cisco: Yes – Cisco is in a position to offer a comprehensive security architecture that extends beyond the wireless network creating a defense in-depth architecture. Currently there is integration between Cisco's Wired and Wireless IDS, Cisco’s Host Based IDS solution (Cisco Security Agent) as well as Cisco Clean Access for client remediation and in the future, there will be an integration with Cisco’s Security Monitoring, Analysis and Response System (CS-MARS) to present the Network Security Administrator with a common operational security picture.

_______________________

Chicago, Ill.: Is there a way to prevent a laptop from using both the wireless interface and Ethernet interface simultaneously?

Stephen Orr, Cisco: Yes – by using the Cisco Security Agent (CSA) – you can set a priority for connected interfaces – if one is connected, the other is disabled.
“http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html”

_______________________

Arlington, Va.: Does Cisco have a VoWLAN handset?

Stephen Orr, Cisco: Yes – Cisco has a new Wireless Voice handset the 7921 – it is an 802.11 a/b/g phone that supports the full suite of 802.11 standards include 802.11i using AES 128 for securing data in transit.
"http://www.cisco.com/en/US/products/ps7071/index.html"

_______________________

Boston, Mass.: How does an AP authenticate itself to the network?

Stephen Orr, Cisco: A Cisco Lightweight AP utilizes an x.509 certificate to authenticate itself to the Wireless LAN controller.

_______________________

Miami, Fl.: Why do I need a RADIUS server for Wireless?

Stephen Orr, Cisco: The RADIUS server is a critical part of the 802.1x authentication process. In conjunction with a selected EAP (Extensible Authentication Protocol) method – the RADIUS server will perform client or machine authentication depending on the credentials presented. The RADIUS server is also responsible for generating the cryptographic keying material as part of the 802.11i process.

_______________________

Raleigh, N.C.: What authentication methods does Cisco Support?

Stephen Orr, Cisco: Cisco supports a wide range of authentication protocols the most widely used are EAP-FAST, PEAP and EAP-TLS

_______________________

Arlington, Va.: What benefit is it to have FIPS validated Access Points?

Stephen Orr, Cisco: An Access Point that's achieved FIPS validation has proven that its cryptographic capabilities meet NIST FIPS140-2 Level 2 standards. When combined with NIAP Common Criteria certification, the AP can be classified as an information assurance device allow you to place the device on your trusted network - as opposed to placing it outside the network in a DMZ

_______________________

Seattle, Wash.: Why is it important for the AP to perform the encryption/decryption of traffic at the AP?

Stephen Orr, Cisco: Encrypting at the AP allows you to extend you Security Architecture to the edge of the network. By encrypting at the AP we are able to provide per radio hardware encryption that will scale as more AP's are added to the network as well as mitigate any single points of failure.

_______________________

Dallas, Tex.: Does the Cisco solution provide location tracking capabilities?

Stephen Orr, Cisco: Yes - location tracking is a critical part of the Unified Wireless Architecture. The Wireless Control Software and the Location appliance both enable long term tracking of all 802.11 devices.

_______________________

Washington, D.C.: Is the performance of your system affected when WIDS and location tracking is turned on?

Stephen Orr, Cisco: There is no impact on performance for the Cisco Unified Wireless Architecture when performing Intrusion Detection

_______________________

Washington, D.C.: I have no plans for WLAN deployment over the next 12 - 18 Months, so why do I need a WIDS?

Stephen Orr, Cisco: In order to safeguard your network from Rogue Access Points and Rogue clients even if you have not deployed a Wireless Access Solution, a WIDS should be deployed as part of a defense in depth architecture. In context to the Department of Defense, the DoD 8100.2 supplemental policy mandates WIDS for all networks to prevent Rogues. Cisco's UWL can be deployed as a WIDS only today and when ready, client access may be enabled.

_______________________

Boston, Mass.: How do the Cisco WLC securely manage the Lightweight APs?

Stephen Orr, Cisco: Once the Lightweight AP authenticates to the Wireless LAN Controller via a X.509 certificate exchange, a FIPS validated Lightweight Access Point Protocol (LWAPP) Command and Control Channel secured via AES 128 bit encryption is established. All AP management,authentication andsecurity related functions between the AP and the WLC are communicated across this secure tunnel.

_______________________

Arlington, Va.: Are there any Cisco products that meet the security requirements defined by NIST FIPS140-2 2?

Stephen Orr, Cisco: Yes - the following are products that have validated through NIST for FIPS 140-2 Level 2

4400 Controllers (cert# 693)
Wireless Module for the Catalyst 6500 (Cert# 729)
Lightwieght AP’s 1131,1231,1242 (cert# 695)

In process for FIPS validation are the following products
3750 integrated Wireless LAN Controller
Cisco Secure RADIUS Server

Please see the following NIST url for more information on all of Cisco’s FIPS validated products
http://csrc.nist.gov/cryptval/140-1/1401vend.htm

_______________________

Pennsylvania, PA.: So what is the plan to protect the government from data that is encyprted and viruses that are out there.

Stephen Orr, Cisco: Decrypting data in transit at the Access Point (802.11i) is critical to extending the Intrusion Detection Architecture to the edge of the network. It will provide the ability to scan the client traffic prior to it traversing the network.

In order to provide a comprehensive architecture - combining a Wireless IDS with a Wired IDS will provide the maximum detection capability. Wireless IDS will only detect RF and 802.11 attacks so there is no way to mitigate Layer 3 DoS attacks. Cisco's IPS products will detect the Layer 4-7 attack and send a shun command to the Wireless LAN Controllers removing the Wireless Client performing the attack from the network.

_______________________

San Jose, Calif.: What are Common Criteria WLAN Protection Profiles and why are they important?

Stephen Orr, Cisco: Common Criteria Protection Profiles are issued by NIAP (the National Information Assurance Partnership).

A Protection Profile as defined by NIAP is:
An implementation-independent specification of information assurance security requirements. Protection profiles are a complete combination of security objectives, security related functional requirements, information assurance requirements, assumptions, and rationale.

The purpose of a PP is to state a security problem rigorously for a given collection of system or products - known as the Target of Evaluation (TOE) - and to specify security requirements to address that problem without dictating how these requirements will be implemented.

Meeting a specific PP is important because it defines the minimum-security requirement for a WLAN Access System to meet government acceptance.

Cisco has currently submitted its Unified Wireless Architecture for Common Criteria against the only approve protection profile:
"http://www.niap-ccevs.org/cc-scheme/pp/PP_WLAN_AS_BR_V1.0.pdf"

_______________________

washingtonpost.com: It looks like we were just about out of time here. Stephen, thank you for your time and answering our questions.

Stephen Orr, Cisco: Thank you for your participation and if you have any further questions please contact:

Kathy Ditto "kditto@cisco.com"

or visit

"www.cisco.com/go/wireless"

_______________________