Security


In 2000, during the initial deployment, the Cisco security architecture was based upon a combination of Cisco LEAP, for authentication, and Cisco Key Integrity Protocol (CKIP), for data integrity (encryption). However, as the industry, solutions, and threats evolved, Cisco further strengthened the security of its internal WLAN.

In 2005, Cisco replaced LEAP with Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). EAP-FAST further secures authentication by ensuring that all user credentials and passwords are passed from the client to the authenticators via a strongly encrypted tunnel. For more information about EAP-FAST, visit http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa09186a00802030dc.html or visit Cisco.com and search for the keyword EAP-FAST.

Additionally, and in line with Cisco IT's policy of adopting open, cross-industry standards (where applicable and where Cisco does not provide enhanced value-added alternatives), Wi-Fi Protected Access (WPA) was adopted as the encryption protocol for data integrity.

The Wireless LAN Solution Engine (WLSE) provides radio-based rogue AP detection and has been integrated into Cisco IT's help desk case generation system. Additionally, an internally developed tool is used for network-based (that is, wired) scanning. This tool regularly scans Class C IP subnets, searching for devices that satisfy certain criteria and may be rogue access points. Based upon so-called "TCP port fingerprinting" and other holistic logic, the tool compares all devices it detects with the database of Cisco IT installed access points. Where a device is not already listed as a Cisco IT device, it is flagged as "interesting," and a case is automatically generated. This case, in turn, is routed to the Tier 2 support team for investigation.
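The wired-side check described above can be sketched as follows. This is an added example, not Cisco IT's internal tool: the port fingerprints, the inventory, the scan results, and all function names are hypothetical, constructed for illustration.

```python
import ipaddress

# Assumption: port combinations that suggest an AP management plane
# (Telnet, HTTP, HTTPS). The page does not list the real tool's criteria.
AP_PORT_FINGERPRINTS = [frozenset({23, 80}), frozenset({80, 443})]

# Constructed inventory standing in for the database of IT-installed APs.
INSTALLED_APS = {"10.20.30.11", "10.20.30.12"}

# Constructed scan results: IP address -> set of open TCP ports.
SCAN_RESULTS = {
    "10.20.30.11": {23, 80},        # known AP
    "10.20.30.12": {80, 443},       # known AP
    "10.20.30.57": {23, 80, 2000},  # AP-like, not in inventory
    "10.20.30.90": {22, 3306},      # server, no AP fingerprint
    "10.20.31.5": {23, 80},         # AP-like, but outside the scanned subnet
}

def looks_like_ap(open_ports):
    """True if the open ports contain any of the AP fingerprints."""
    return any(fp <= set(open_ports) for fp in AP_PORT_FINGERPRINTS)

def find_interesting(subnet, scan_results, inventory):
    """Return sorted IPs in `subnet` that fingerprint as an AP but are not inventoried."""
    net = ipaddress.ip_network(subnet)
    if net.prefixlen != 24:
        raise ValueError("expected a Class C sized (/24) subnet")
    flagged = []
    for ip, ports in scan_results.items():
        addr = ipaddress.ip_address(ip)
        if addr in net and looks_like_ap(ports) and ip not in inventory:
            flagged.append(addr)
    return [str(a) for a in sorted(flagged)]

def open_cases(flagged, queue="Tier 2"):
    """Build one case record per flagged device, routed to the support queue."""
    return [{"device": ip, "status": "interesting", "route_to": queue}
            for ip in flagged]

if __name__ == "__main__":
    hits = find_interesting("10.20.30.0/24", SCAN_RESULTS, INSTALLED_APS)
    for case in open_cases(hits):
        print(case)
```

A device that matches the fingerprint but is absent from the inventory is only a candidate for investigation, which is why the output is a case for a human team rather than an automatic block.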




The Business Case for Enterprise-Class Wireless LANs
ISBN: 1587201259
EAN: 2147483647
Year: 2004
Pages: 163
