Security
In 2000, during the initial deployment, the Cisco security
architecture was based upon a combination of Cisco LEAP for authentication and
Cisco Key Integrity Protocol (CKIP) for data integrity (encryption). However,
as the industry, solutions, and threats evolved, Cisco further strengthened the
security of its internal WLAN.
In 2005, Cisco replaced LEAP with Extensible Authentication
Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). EAP-FAST
further secures authentication by ensuring that all user credentials and
passwords are passed from the client to the authenticators via a strongly
encrypted tunnel. For more information about EAP-FAST, visit http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa09186a00802030dc.html
or visit Cisco.com and search for the keyword EAP-FAST.
Additionally, in line with Cisco IT's policy of adopting
open, cross-industry standards (where applicable and where Cisco does not
provide enhanced value-added alternatives), Wi-Fi Protected Access (WPA) was
adopted as the encryption protocol for data integrity.
The Wireless LAN Solution Engine (WLSE) provides radio-based
rogue AP detection and has been integrated into Cisco IT's help desk case generation system. Additionally, an internally developed
tool is used for network-based (that is, wired) scanning. This tool regularly scans
Class C IP subnets, searching for devices that satisfy certain criteria and may
be rogue access points. Based upon so-called "TCP port fingerprinting" and other
holistic logic, the tool compares every device it detects against the database of
Cisco IT installed access points. Where a device is not already listed as a
Cisco IT device, it is flagged as "interesting," and a case is automatically
generated. This case, in turn, is routed to the Tier 2 support team for
investigation.
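The wired-side triage described above (port-profile fingerprint, lookup against the installed-AP inventory, automatic case for anything unlisted), as an added illustration that is not Cisco IT's own tool; the inventory, port criteria, banner hints and scan results are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory of Cisco IT installed access points (hypothetical addresses).
INSTALLED_APS = {"10.20.30.5", "10.20.30.6"}

# Assumed fingerprint criteria: an AP-like device exposes management ports only,
# none of the services a workstation or server would normally run.
MGMT_PORTS = {22, 23, 80, 443}
HOST_PORTS = {25, 53, 135, 139, 445, 3389}
AP_BANNER_HINTS = ("access point", "wireless", "wlan")


@dataclass(frozen=True)
class Device:
    ip: str
    open_ports: frozenset
    banner: str = ""  # greeting text from a management service, if any


def looks_like_ap(dev: Device) -> bool:
    """TCP port fingerprint: management-only port profile, or a telling banner."""
    if dev.open_ports & HOST_PORTS:
        return False  # ordinary host services present, not an AP profile
    has_mgmt = bool(dev.open_ports & MGMT_PORTS)
    banner_hit = any(h in dev.banner.lower() for h in AP_BANNER_HINTS)
    return has_mgmt and (banner_hit or dev.open_ports <= MGMT_PORTS)


def triage(subnet: str, scan_results: list, installed=INSTALLED_APS) -> list:
    """One case (dict) per AP-like device in the Class C subnet that is not
    already registered as a Cisco IT access point."""
    net = ip_network(subnet)
    cases = []
    for dev in scan_results:
        if ip_address(dev.ip) not in net or not looks_like_ap(dev):
            continue  # outside this sweep, or an ordinary host
        if dev.ip in installed:
            continue  # known, authorised AP
        cases.append({"ip": dev.ip, "status": "interesting",
                      "route_to": "Tier 2", "ports": sorted(dev.open_ports)})
    return cases


# Constructed scan results standing in for one sweep of 10.20.30.0/24.
SAMPLE_SCAN = [
    Device("10.20.30.5", frozenset({22, 443}), "Access Point Manager"),   # registered AP
    Device("10.20.30.50", frozenset({135, 139, 445, 3389})),             # Windows host
    Device("10.20.30.77", frozenset({23, 80}), "Wireless Router login"),  # unknown, AP-like
    Device("10.20.31.9", frozenset({80}), "access point"),               # outside subnet
]

if __name__ == "__main__":
    for case in triage("10.20.30.0/24", SAMPLE_SCAN):
        print(case)
```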