Connecting & Securing Syria’s Refugees
Transcript of a slide deck (source: solutionscenter.nethope.org/assets/collaterals/NH...Android...)
Rakesh Bharania, NCE
Cisco Tactical Operations
NetHope Solutions Center, 1 December 2016
NetHope Emergency Response
Agenda:
Refugee Connectivity: Design for Mass Communication
Network Architectures
Built in Security and Quality
Lessons Learned
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Principles of Mass Communication
Mass Communications: What Made This Different
Historically, Hastily Formed Networks (HFNs) have been deployed to support humanitarian workers only.
Relatively low number of users, small number of sites
On the refugee crisis, providing communications to a mass population was the primary goal (similar to UN ETC 2020 CwC).
Tens/hundreds of thousands of users, multiple sites, broad geography. Internet access essential for asylum applications in Greece.
This forced us to make several design assumptions…
Designing Networks Differently
Our networks had to be …
Standardized: One design that could be replicated multiple times across dozens of locations.
Portable: The smaller/lighter the hardware, the easier it was to transport and deploy.
Supportable: Ensure the networks could be supported and managed over the long term with few resources on the ground.
Equitable: Networks had to support the maximum number of users and prevent “super users” from using too much bandwidth. Consider social dynamics (ensure gender equity, etc.).
To support large numbers of users over a long duration, we needed…
Advanced Cybersecurity – advanced threat protection for refugee and humanitarian worker devices, even though we had no ability to enforce policy on any device.
Content Management – Block malware sites, peer-to-peer (network stability), adult content (cultural/social)
Traffic Shaping / QoS – Prioritize voice/video traffic to ensure quality
Rate Limiting – Allow software updates to download w/o saturating network
Network management – networks continually managed for performance, break/fix with little/no persistent on-site staff
We couldn’t use “dumb pipe” networks.
Network Design
[Diagram: two reference site topologies.
Site GRE-007: Internet via DSL (4 Mbps x 1 Mbps), Tooway VSAT (10 Mbps x 1 Mbps, via groundstation) and 3G (Cradlepoint 2100); MX64 firewall/gateway; two gateway APs (MR72-GRE-007-AP1, MR72-GRE-007-AP2) linked by a Ubiquiti M5 point-to-point bridge.
Site KIT-013: Internet via DSL (4 Mbps x 1 Mbps); MX64 firewall/gateway; gateway AP MR66-KIT-013-AP1 on the command pole, with mesh repeaters MR66-KIT-013-AP2 (runway pole), MR66-KIT-013-AP3 (wash area), MR66-KIT-013-AP4, MR66-KIT-013-AP5 and MR66-KIT-013-AP6.]
Equipment:
Router – Meraki MX64: cloud managed; firewall, IPS, AMP; content filtering
Access Point – Meraki MR66/72: cloud managed; dual band mesh; identity based firewall
PtP Wireless – Ubiquiti M5, 5 GHz
Backhaul – Cradlepoint AER 2100: cloud-managed, dual modem, multi-carrier
Eutelsat Tooway VSAT
First teams deployed: November 2015
Nine deployment teams (NH Teams A – I)
Total Meraki sites deployed: 62 (14 decommissioned)
Number of users supported since November 2015: 400,000+
Security
Security: What are We Really Trying to Do
Protect the mission
Protect the vulnerable
Keep bad things out.
Keep critical services running
Know what’s happening on the network and devices
Balance security and access
Get it right every time.
Humanitarian cybersecurity is different from the enterprise…
Advanced refugee protection: Meraki MX + OpenDNS
[Diagram: Internet threats (malware, C2/botnets, phishing) pass through a first layer, a mid layer at the perimeter (Meraki MX with AV, sandbox, proxy, NGFW and NetFlow) and a last layer at the endpoint (AV).]
Advanced security architecture for humanitarian response.
Meraki MX Security Appliance:
• SourceFire AMP stops malware on site – 220M known malicious files, 1.5M evaluated daily
• Snort based IPS/IDS
• Webroot BrightCloud content filtering
OpenDNS Umbrella – DNS security in the cloud, constantly updated with botnet and malware sites in real time.
Results – Automated, multi-layered threat defense
24/7 advanced security protection at every location, w/ real-time updates (16,000 weekly clients, 18 TB/week)
320,000 IPS block events / month (all sites)
Stopping novel/new mobile malware/rootkits without touching any client devices.
1.7-2.4 million DNS queries analyzed for threats every 24 hours. Credible threats stopped in the cloud.
What does this mean for vulnerable refugees?
Android malware is the number one threat.
Example Android malware: Kemoge (android rootkit), Triada (financial fraud malware)
We are protecting vulnerable refugees from theft of sensitive information on their devices, keeping their limited money out of the hands of organized crime.
We are protecting NetHope NGO & UN aid workers’ devices from these threats too!
Lessons Learned
What did we learn? (Things that worked well)
Cloud management of all infrastructure is essential when you have no personnel on the ground.
Advanced security is no longer a luxury in humanitarian tech operations. Attacks are routine.
The special character in the SSID name “#NETHOPE_FREE_WIFI” allowed the network to be easily distinguished from any other nearby network.
Mesh WLAN deployments should include no more than two repeaters per gateway access point.
Consider placement of WLAN APs from a social, not just technical, perspective. People tend to congregate where signal is best, which raises physical security concerns and affects equitable access.
What did we learn? (Challenges)
Camps grow, so overbuild everything. The capacity you need today isn’t what you’ll need three months from now.
Electricity was always a challenge: people would unplug AP injectors to recharge phones. Run PoE instead of mesh to mitigate the risk. UPS/power protection too – we have lost unprotected devices.
Use a larger Meraki MX at larger sites – consider MX 84/100/etc. at the largest sites. MX64/65 is not sufficient (an overwhelmed CPU leads to dropped traffic) – review the MX sizing guide.
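As an added example (not code from the deck or from Cisco/NetHope), a small Python audit that turns two of these lessons into pre-deployment checks over a site plan: the mesh repeater limit and the MX64/65 sizing warning. The AP inventories are transcribed from the deck's two topology diagrams; the expected client counts and the "large site" threshold are constructed assumptions for illustration.

```python
"""Design-rule audit for a Hastily Formed Network (HFN) site plan (added example).

Checks encode two lessons learned: at most two mesh repeaters per gateway AP, and
MX64/65 flagged as undersized once expected clients cross a planning threshold.
AP inventories come from the deck's diagrams; client counts and the threshold are
constructed assumptions, not figures from the deck.
"""
from collections import Counter
from dataclasses import dataclass, field

MAX_REPEATERS_PER_GATEWAY = 2       # lesson learned: no more than two per gateway AP
LARGE_SITE_CLIENTS = 250            # assumed planning threshold (hypothetical)
SMALL_MX_MODELS = {"MX64", "MX65"}  # models the deck found insufficient at large sites

@dataclass
class Site:
    name: str
    appliance: str
    expected_clients: int           # constructed value, not from the deck
    aps: dict = field(default_factory=dict)  # AP name -> "gateway" | "repeater"

def audit_site(site: Site) -> list:
    """Return human-readable findings; an empty list means the plan passes."""
    findings = []
    roles = Counter(site.aps.values())
    gateways, repeaters = roles["gateway"], roles["repeater"]
    if repeaters and gateways == 0:
        findings.append(f"{site.name}: repeaters present but no gateway AP")
    elif gateways and repeaters / gateways > MAX_REPEATERS_PER_GATEWAY:
        findings.append(f"{site.name}: {repeaters} repeaters on {gateways} gateway AP(s) "
                        f"exceeds {MAX_REPEATERS_PER_GATEWAY} per gateway; add gateway APs "
                        f"or cable more APs (PoE)")
    if site.appliance in SMALL_MX_MODELS and site.expected_clients >= LARGE_SITE_CLIENTS:
        findings.append(f"{site.name}: {site.appliance} undersized for ~{site.expected_clients} "
                        f"clients; review the MX sizing guide (MX84/100)")
    return findings

# Transcribed from the two site diagrams in the deck; client counts are constructed.
GRE_007 = Site("GRE-007", "MX64", 120,
               {"MR72-GRE-007-AP1": "gateway", "MR72-GRE-007-AP2": "gateway"})
KIT_013 = Site("KIT-013", "MX64", 400, {"MR66-KIT-013-AP1": "gateway",
               **{f"MR66-KIT-013-AP{n}": "repeater" for n in (2, 3, 4, 5, 6)}})

def audit_all(sites=(GRE_007, KIT_013)) -> dict:
    """Audit every site and map its name to its findings."""
    return {s.name: audit_site(s) for s in sites}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run as-is, the KIT-013 plan (one gateway AP carrying five repeaters, behind an MX64) trips both rules, while GRE-007 passes.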
Connect with us!
On Cisco.com – www.cisco.com/go/tacops
Cisco CSR Reporting: csr.cisco.com -> “Critical human needs”
Facebook: facebook.com/cisco.tacops
Slideshare: slideshare.net/CiscoTACOPS
Twitter: @CiscoTACOPS
Thank you.