Design and Deployment of WLAN Security Fundamentals
BRKAGG-2014, Cisco Live 2008
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. Deck 14674_05_2008_c2
Source: faculty.ccc.edu/mmoizuddin/CISCO LIVE 2008/AGG/BRKAGG-2014.pdf


What You Should Already Know

Cisco networking basics, and design concepts

802.11 WLAN fundamentals

Cisco Unified Wireless Networking (CUWN) concepts

WLAN Security basics


Session Agenda

Wireless and Security: Why?
Need for Security, Threats and Vulnerabilities, Exploits

Secure Wireless Deployment: Self-Defending Network
Requirements, Definition and Objectives of a Secure WLAN

802.11: Authentication and Encryption
Evolution of 802.11, with a security perspective

802.1X and EAP

Mitigation Strategies and the Cisco Unified Wireless Network
Rogue Classification, Containment, Exclusion, MFP, IDS, Signatures, Switch-port Tracing, Config Auditing

Operational Perspective of a Secure WLAN
Reporting, Dashboard, Alarms

End-to-End System-Level Security and Integration
IPS, NAC, CS-MARS, Firewall and CSA


Wireless and Security: Why?


Need for WLAN Security

Open, pervasive nature of RF
RF propagation cannot be controlled; an attacker no longer needs physical access to launch attacks

Business impact of stolen data
Potential legal and financial implications (especially in the retail, healthcare and government verticals)

The original IEEE 802.11 design addressed only basic security needs; times have changed

Known vulnerabilities have accumulated over time

WLANs are easy targets: jamming and flood DoS, man-in-the-middle attacks, and dictionary attacks

802.11 Management and Control frames are unprotected; most solutions address 802.11 Data frames only

Need to protect, and authorize access to, network services and resources

Security always has an opportunity cost (money, resources and requirements vs. how secure a WLAN could be)


WLANs: Threats and Vulnerabilities

Denial of Service attacks

Man-in-the-Middle attacks

MAC address spoofing
Trivial to bypass the once-considered-secure methods: not broadcasting the SSID, and MAC filtering

Sniffing (and war-driving)

Shared spectrum (CSMA/CA), and rogue devices
Fear of honeypot APs
A rogue on the wire compromises the entire (rest of the) network

Exploits, and the "script-kiddie" factor
Active/passive sniffing and easily obtainable tools have given birth to script-kiddies

Authentication vulnerabilities


Wireless: Denial of Service Attacks

RF jamming
Any intentional or unintentional RF transmitter in the same frequency band can adversely affect the WLAN

DoS using 802.11 Management frames
Management frames are not authenticated today, so it is trivial to fake the source of a management frame
De-authentication floods are probably the most worrisome: a spoofed de-auth carrying the AP's MAC as its source knocks every client off the BSS

Misuse of spectrum (CSMA/CA gives egalitarian access)
"Silencing" the network with RTS/CTS floods and big-NAV attacks (reserving the medium for the maximum duration)

802.1X authentication floods and dictionary attacks
Overloading the system with unnecessary processing
Legacy implementations are prone to dictionary attacks, in addition to other algorithm-based attacks
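The de-authentication flood described above is easy to spot in a capture because a legitimate AP never needs to send dozens of de-auth frames a second, least of all to the broadcast address. The following is an added example, not code from the Cisco deck: it parses raw 802.11 management frames, groups de-auth/disassoc frames by the claimed transmitter, and alerts when a sliding window fills. The frames, the one-second window and the threshold of ten are constructed assumptions; tune the last two for your site.

```python
"""Detect de-authentication / disassociation floods from raw 802.11 frames.

Added example (not from the Cisco deck). The frames below are constructed
inline; the window size and threshold are assumptions to be tuned per site.
"""
import struct
from collections import defaultdict

SUBTYPE_DISASSOC = 0x0A   # management subtype 10
SUBTYPE_DEAUTH = 0x0C     # management subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_SECONDS = 1.0      # assumed detection window
THRESHOLD = 10            # assumed: this many deauth/disassoc per window is a flood


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(subtype, dst, src, bssid, reason=None, seq=0, ftype=0):
    """Minimal 802.11 MAC header (24 bytes) plus an optional 2-byte reason code."""
    fc0 = (subtype << 4) | (ftype << 2)          # protocol version 0
    hdr = struct.pack("<BBH6s6s6sH", fc0, 0, 0,
                      mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq << 4)
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")


def parse_mgmt_frame(frame):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0, _fc1, _dur, a1, a2, a3, _seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    if (fc0 >> 2) & 0x3 != 0:                    # type 0 = management
        return None
    subtype = (fc0 >> 4) & 0xF
    reason = None
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, mac_text(a1), mac_text(a2), mac_text(a3), reason


def detect_floods(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """frames: iterable of (timestamp_seconds, raw_frame).

    Groups deauth/disassoc frames by claimed transmitter (addr2, i.e. the BSSID
    being impersonated) and slides a time window over them. Returns one alert
    per transmitter whose peak count within `window` reaches `threshold`."""
    events = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        subtype, dst, src, _bssid, reason = parsed
        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            events[src].append((ts, dst, reason))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "bssid": src,
                "peak_per_window": peak,
                "broadcast": sum(1 for _, dst, _ in evs if dst == BROADCAST),
                "reasons": sorted({r for _, _, r in evs if r is not None}),
            })
    return alerts


AP = "00:11:22:33:44:55"        # constructed BSSID
CLIENT = "aa:bb:cc:00:00:01"    # constructed client MAC


def sample_capture():
    """Constructed capture: one legitimate deauth, one data frame, then a spoofed flood."""
    frames = [
        (0.0, build_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, reason=3)),   # AP leaving the BSS
        (0.5, build_frame(0, CLIENT, AP, AP, ftype=2)),                  # data frame, ignored
    ]
    for i in range(30):  # 30 broadcast deauths claiming to be from the AP, within 0.3 s
        frames.append((5.0 + i * 0.01,
                       build_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7, seq=i)))
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_capture()):
        print(alert)
```

The broadcast count is the strongest single signal: tools spoof the AP's MAC and target ff:ff:ff:ff:ff:ff so that one frame disconnects everyone. With Management Frame Protection enabled, the managed APs would additionally reject these frames as lacking a valid MFP signature, but detection of this kind still tells you that someone is trying.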


Wireless: MAC Address Spoofing

As with wired networks, MAC address and IP address spoofing are possible, if not easy, in wireless networks

Outsider (hostile) attack scenario: does not know the key/encryption policy
IP address spoofing is not possible if encryption is turned on (DHCP messages are encrypted between the client and the AP, so the outsider never sees a valid address to spoof)
MAC address spoofing alone (i.e., without IP address spoofing) may not buy much if encryption is turned on

Insider attack scenario: seeking to obtain other users' secure information
MAC address and IP address spoofing will not succeed if EAP/802.1X authentication is used, because a unique encryption key is derived per user session (i.e., per authenticated MAC address)


Wireless Sniffing: Good and Bad

First – Sniffing, or capturing packets over the air, is an extremely useful troubleshooting methodology

Sniffing, in the old days was reliant on very specific cards and drivers

Very easy to find support for most cards and drivers today

Cost (if you like to pay for it) of such software is negligible (or, just use free/opensource software)

Provides an insight (with physical proximity) into the network, services, and devices which comes in handy when performing network reconnaissance


Wireless: Rogue Devices

What is a rogue?
Any device that is sharing your spectrum, but not managed by you
The majority of rogues are set up by insiders (low cost, convenience, ignorance)

When is a rogue dangerous?
When set up to use the same ESSID as your network (honeypot)
When it is detected to be on the wired network too
Ad-hoc rogues are arguably a big threat, too
Set up by an outsider, most times, with malicious intent

What needs to be done?
Classify
Detect
Report, if needed
Track (over-the-air and on-the-wire) and mitigate (shut down, contain, etc.)


Wireless: Man in the Middle Attacks

A MITM is when an attacker poses as the network to the clients, and as a client to the actual network
The attacker forces a legitimate client off the network
The attacker lures the client to a honeypot
The attacker gains security credentials by intercepting user traffic

Very easy to do with:
MAC address spoofing
Rogue device setup
DoS attacks
Easier sniffing, and war-driving


Quick Look: Common WLAN Exploits/Tools

Remote-Exploit/Backtrack/Auditor

Aircrack, WEPcrack, etc

coWPAtty

Kismet

NetStumbler, Hotspotter, etc

AirSnort

Sniffing tools: Sniffer, OmniPeek, Wireshark

dsniff, nmap

wellenreiter

asleap


Authentication Vulnerabilities

Management frames are not authenticated!

Dictionary attacks
On-line (active) attacks: an active exchange with the authenticator, one guess per attempt, to compromise passwords or pass-phrases
Off-line attacks: passively capture an authentication exchange, then test candidate passwords or pass-phrases against it without any further network contact

MITM attacks
Active attacks: an attacker attempts to insert himself in the middle of the authentication sequence
Can be employed in 802.1X as well as PSK environments

Multiple known WEP weaknesses, and many exploits out there


Secure Wireless Deployment: Self-Defending Network


Characteristics of Self-Defending Network

Secure infrastructure

Trusted and secure communications

Autonomic policy deployment and enforcement

Adaptive threat response



Basic Requirements to Secure a WLAN

Protection of the WLAN network: Management Frame Protection (MFP) and wireless IDS
Protect the network from external sources and devices not controlled by the infrastructure (secure infrastructure)

Protection of the WLAN devices and managed user/device connectivity
Encryption/authentication of managed 802.11 devices
Authentication framework: facilitates authentication messages between clients, access point, and AAA server
Authentication algorithm: mechanism to validate client credentials
Encryption algorithm: mechanism to provide data privacy
Message integrity: ensures data frames are tamper-free and truly originate from the source address

Beyond authentication and encryption of client devices (L2), protect client devices and the network from malicious software
Operating system/service/application security
Network Admission Control and client shunning (for example)
Not specifically a wireless function, but enforcement can be provided by the wireless network


Compliance Requirements

The Payment Card Industry (PCI) Standard presents 12 requirements

Not all requirements map to Wireless, but some relevant ones are:

Prepare, and include wireless in, Network Security Policy (requirement 11)

Secure the WLAN against threats and unauthorized access (requirements 2 and 4: WPA, and 802.11i)

Don’t use default credentials (requirement 2)

Defend cardholder information (requirement 5: NAC and CSA)

Enlist employees in safeguarding cardholder information

PCI Standard: https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm


Secure Wireless Deployment Objectives

Develop a policy to define:
Access to the network, and services
Encryption of data
Compliance (if necessary) and mitigation strategies

Provide authentication and encryption to WLAN users and services

Prepare for, and mitigate against, threats:
Rogue devices (OTA, and on-the-wire)
Interferers/jammers
Host-based security
Posture assessment
MFP

Be spectrum-aware:
Use Radio Resource Management
Use a spectrum intelligence solution to constantly monitor and police spectrum usage


(The Cisco) Definition of Secure Wireless

The Cisco Secure Wireless solution provides customers with guidelines to secure a WLAN so that they can leverage the associated business benefits in confidence

Cisco Unified Wireless fundamental and enhanced security features
802.1X/EAP, WPA/WPA2/802.11i, CCX Management Frame Protection (MFP), wireless IDS/IPS features on the WLC, Cisco Secure Services Client (CSSC)

Cisco NAC Appliance integration
WLAN client security policy compliance through assessment and remediation

Cisco Firewall integration
Fully featured, highly scalable firewalls for enhanced policy enforcement

Cisco IPS integration
Automated threat mitigation, with enforcement by the WLC on the access edge

CSA integration
General client endpoint protection on both wired and wireless networks: wireless ad-hoc, simultaneous wired and wireless, location-aware, plus upstream QoS marking policy enforcement


Cisco Unified Wireless Network: End-to-End, Unified, Only Cisco

Secure Wireless Design Guide: www.cisco.com/go/srnd


Secure Wireless — Sample Topology

The AP and WLC, using the Split-MAC architecture, together act as the 802.1X Authenticator


802.11 – Authentication and Encryption


Need for Authentication and Encryption

"Open and Shared"
No physical barriers to intrusion
No spectrum policing
The standard, ubiquitous 802.11 protocol permits simple client association (i.e., "open authentication")

The most common attacks against WLAN networks are targeted at management frames, which are not encrypted, authenticated or signed

Common attacks: VOID11, Aireplay, File2air, Airforge, ASLEAP, Jack attacks, FakeAP, Hunter/Killer

Harder, if not impossible, to control physical access


Pre-RSN: WEP

Deprecated, move on

No? Ok, quick refresher:
Comes in two flavors, WEP-40 and WEP-104; the cryptographic mechanisms are the same irrespective of key length
Provides encryption keys, but no per-user authentication (yes, MAC address authentication can be used, but it is trivial to spoof)

Two key types:
Key-mapping keys: mapped to a distinct TA,RA pair
Default keys: shared by all STAs, one of 4 in an array

Uses the RC4 encryption algorithm: a symmetric stream cipher, so the same input (IV || WEP key) yields the same keystream for encryption and decryption; the 24-bit IV repeats quickly, so keystream reuse is inevitable (and hope your WEP vendor at least randomizes IVs!)

802.11 fails to specify key distribution mechanisms

Many stopgap solutions out there, but not enough for enterprise security needs: migrate to 802.11i/WPA2


Pre-RSN: 802.11 Auth: Open-System vs. Shared-Key

Both the AP and STA must complete 802.11 Authentication before Association

Open-System (required by 802.11):
Null authentication algorithm; only provides identity and a request/response for authentication
Uses a 2-message authentication transaction sequence

Shared-Key (only required for WEP):
Uses a 4-frame sequence, and can only be used with WEP
a) STA to AP: request to authenticate
b) AP to STA: sends challenge text (128 bytes, in the clear)
c) STA to AP: encrypts the challenge text with WEP and sends it back
d) AP to STA: decrypts, and if correct, allows the STA on to the network

The shared secret must be known by all STAs, but there is no mechanism to distribute it

Not secure: an eavesdropper who sees the clear challenge (b) and the encrypted reply (c) XORs them to recover the RC4 keystream for that IV, and can then answer any later challenge under the same IV without knowing the key; it adds nothing on top of open-system authentication
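Both of the last two slides come down to the same property of RC4: XORing a known plaintext with its ciphertext hands you the keystream, and WEP lets that keystream be reused under the same IV. The following added example (not code from the Cisco deck) implements RC4 and the WEP framing inline, runs the four-frame shared-key exchange from the AP's point of view, and then shows an eavesdropper who saw one challenge/response pair answering a brand-new challenge without the key. The WEP key, IV and challenge texts are constructed values.

```python
"""WEP shared-key authentication: the challenge/response leaks RC4 keystream.

Added example, not part of the Cisco deck. RC4 and WEP framing are implemented
inline so it runs offline; the WEP key, IV and challenge texts are constructed.
"""
import struct
import zlib


def rc4(key, length):
    """Plain RC4 keystream generator (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """WEP frame body: IV || (plaintext || ICV) XOR RC4(IV || key)."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + key, len(data)))


def ap_verify_response(key, challenge, response):
    """What the AP does in step d): decrypt with the shared key, check ICV and challenge."""
    iv, body = response[:3], response[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext == challenge and tag == icv(plaintext)


def recover_keystream(challenge, response):
    """Eavesdropper: the challenge (step b) is cleartext and the response (step c)
    is its encryption; XOR gives 132 bytes of keystream for this IV, no key needed."""
    iv, body = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), body)


def forge_response(iv, keystream, new_challenge):
    """Answer a fresh challenge by reusing the recovered keystream under the same IV."""
    data = new_challenge + icv(new_challenge)
    return iv + xor(data, keystream)


def demo():
    """Constructed scenario: a legitimate station authenticates; an attacker who only
    watched that exchange authenticates later with a different challenge."""
    wep_key = bytes.fromhex("0102030405")           # constructed 40-bit WEP key
    iv = bytes.fromhex("112233")                     # IV chosen by the legitimate station
    challenge_1 = bytes(range(128))                  # 128-byte challenge text, step b)
    legit_response = wep_encrypt(wep_key, iv, challenge_1)
    assert ap_verify_response(wep_key, challenge_1, legit_response)

    # The attacker saw only challenge_1 and legit_response on the air.
    seen_iv, keystream = recover_keystream(challenge_1, legit_response)
    challenge_2 = bytes((255 - i) for i in range(128))   # the AP's next challenge
    forged = forge_response(seen_iv, keystream, challenge_2)
    return {
        "keystream_matches": keystream == rc4(iv + wep_key, 132),
        "forged_accepted": ap_verify_response(wep_key, challenge_2, forged),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in WEP stops the AP from accepting a reused IV, which is why the forged reply is accepted. The same 132 bytes of keystream also let the attacker inject short encrypted data frames under that IV, which is the keystream-reuse problem the previous slide warns about.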


What Is RSN?

Robust Security Network: a result of the work done by the IEEE 802.11i standard

An RSN is any WLAN that uses one of the cipher suites defined in 802.11i: Temporal Key Integrity Protocol (TKIP) or Counter Mode with CBC-MAC Protocol (CCMP)
Used for both the pairwise and group ciphers
Transition Security Networks (TSN) still use WEP for group ciphers

Use of RSN signifies the presence of an extra Information Element (the RSN IE) in Probe Responses and Beacons
Used to announce and exchange cipher suites and Authentication and Key Management (AKM) suites
Default: AKM via 802.1X, or PMK Security Association caching
AKM via Pre-Shared Key (PSK)


But first, WPA

Similar to RSN, in that it provides authentication at upper layers, authentication mechanisms, and key distribution and renewal mechanisms

Created by the Wi-Fi Alliance; comes in the commonly known flavors of Personal and Enterprise

Use of TKIP: a major improvement over WEP
Use of a MIC (Message Integrity Check), Michael: an improvement over WEP's CRC method; the TKIP Sequence Counter secures against replay attacks (injection)
Included countermeasures: two MIC failures within 60 seconds halt all TKIP transmissions for 60 seconds and force a rekey (note that this makes deliberate MIC failures a DoS vector)

TKIP is included in 802.11i for backward compatibility


WPAv2 – IEEE 802.11i

Authentication mechanisms defined in IEEE Std. 802.1X-2004

CCMP (TKIP optional for an RSNA, but supported for backward compatibility with legacy devices)
Based on the CCM mode of AES
Uses the AES block cipher (128-bit key and 128-bit block size)

Use of 802.1X

RSN Associations: PMKSA, PTKSA, GTKSA, SMKSA and STKSA, a set of policies and keys
Pairwise keys are used for unicast traffic, and group keys for multicast and broadcast traffic

Key management procedures


Standardizing the WLAN Architecture

The Internet Engineering Task Force (IETF) focused on delivering a standard

LWAPP selected as starting point, and follows the same architecture

Renamed protocol to Configuration and Provisioning of Wireless Access Points (CAPWAP)

Peer security review completed

CAPWAP Support on CUWN: Late August, 2008


802.11i/WPA Authentication and Key Management Overview

(Diagram: client, Controller/Access Point and RADIUS server; the phases, in order, are Capabilities Discovery, 802.1X Authentication, Key Management and Key Distribution, then Data Protection)


802.11i/WPA Capabilities Discovery

(Diagram: client and Controller/Access Point)


Key Management and 4-Way Handshake

The four WPA/TKIP temporal keys are:
Data Encryption key (128 bits)
Data Integrity key (128 bits)
EAPOL-Key Encryption key (128 bits)
EAPOL-Key Integrity key (128 bits)

The three WPA2/AES-CCMP temporal keys are:
Data Encryption/Integrity key (128 bits)
EAPOL-Key Encryption key (128 bits)
EAPOL-Key Integrity key (128 bits)
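The temporal keys listed above are all cut from one PTK, which the 4-way handshake derives on both sides from the PMK, the two MAC addresses and the two nonces. The following added example (not Cisco code) carries that derivation through: PSK from passphrase (PBKDF2, as in 802.11i Annex H), PRF-512 expansion into KCK/KEK/TK (plus the two Michael keys for TKIP), the EAPOL-Key MIC for key descriptor version 2 (HMAC-SHA1 truncated to 128 bits, the CCMP case), and a simulated exchange in which each side proves possession of the PMK by MIC. It finishes with the offline dictionary attack from the "Authentication Vulnerabilities" slide, which is nothing more than re-running this derivation per guess against the captured message 2. MAC addresses, nonces, SSID and passphrase are constructed; the RSN IE and GTK KDE payloads are placeholders and the GTK is not wrapped.

```python
"""802.11i key hierarchy and 4-way handshake, worked through in code.

Added example (not Cisco code). MACs, nonces, SSID and passphrase are
constructed; the RSN IE and GTK KDE payloads are placeholders.
"""
import hashlib
import hmac
import struct


def psk_from_passphrase(passphrase, ssid):
    """802.11i Annex H: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=False):
    """PTK = PRF-X(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(AN,SN)||Max(AN,SN)).
    CCMP needs 384 bits (KCK, KEK, TK); TKIP needs 512 (two extra 64-bit Michael keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:
        keys["MIC_TX"], keys["MIC_RX"] = ptk[48:56], ptk[56:64]
    return keys


# EAPOL-Key frame: 4-byte EAPOL header, then the 95-byte key descriptor, then key data.
NONCE_OFF, MIC_OFF = 17, 81


def eapol_key(key_info, replay, nonce, data=b""):
    body = struct.pack(">BHHQ32s16s8s8s16sH", 2, key_info, 16, replay, nonce,
                       b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, b"\x00" * 16, len(data)) + data
    return struct.pack(">BBH", 2, 3, len(body)) + body


def compute_mic(kck, frame):
    """Descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, cut to 128 bits."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def set_mic(kck, frame):
    return frame[:MIC_OFF] + compute_mic(kck, frame) + frame[MIC_OFF + 16:]


def verify_mic(kck, frame):
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFF:MIC_OFF + 16])


def four_way_handshake(pmk, aa, spa, anonce, snonce):
    """Both sides already hold the PMK. Returns the derived keys and the MIC checks."""
    msg1 = eapol_key(0x008A, 1, anonce)                                  # AP -> STA: ANonce, no MIC
    sta_ptk = derive_ptk(pmk, aa, spa, msg1[NONCE_OFF:NONCE_OFF + 32], snonce)
    msg2 = set_mic(sta_ptk["KCK"], eapol_key(0x010A, 1, snonce, data=b"RSN-IE"))   # STA -> AP
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, msg2[NONCE_OFF:NONCE_OFF + 32])
    msg2_ok = verify_mic(ap_ptk["KCK"], msg2)                            # STA proved it has the PMK
    msg3 = set_mic(ap_ptk["KCK"], eapol_key(0x13CA, 2, anonce, data=b"GTK-KDE"))   # AP -> STA
    msg3_ok = verify_mic(sta_ptk["KCK"], msg3)                           # AP proved it has the PMK
    msg4 = set_mic(sta_ptk["KCK"], eapol_key(0x030A, 2, b"\x00" * 32))  # STA -> AP: install
    msg4_ok = verify_mic(ap_ptk["KCK"], msg4)
    return {"ap_ptk": ap_ptk, "sta_ptk": sta_ptk, "msg2": msg2,
            "msg2_ok": msg2_ok, "msg3_ok": msg3_ok, "msg4_ok": msg4_ok}


def offline_dictionary_attack(ssid, aa, spa, anonce, snonce, mic_frame, candidates):
    """A captured PSK handshake is enough: each guess gives a PMK, a KCK and a MIC to compare."""
    for guess in candidates:
        kck = derive_ptk(psk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)["KCK"]
        if verify_mic(kck, mic_frame):
            return guess
    return None


def run_demo():
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                   # constructed nonces
    pmk = psk_from_passphrase("password", "IEEE")                             # Annex H test vector
    result = four_way_handshake(pmk, aa, spa, anonce, snonce)
    result["recovered"] = offline_dictionary_attack(
        "IEEE", aa, spa, anonce, snonce, result["msg2"], ["letmein", "wireless", "password"])
    return result


if __name__ == "__main__":
    r = run_demo()
    print(r["msg2_ok"], r["msg3_ok"], r["msg4_ok"], r["recovered"])
```

The cost of each guess is dominated by the 4096 PBKDF2 iterations, which is the only thing standing between a captured WPA-Personal handshake and the passphrase; with 802.1X/EAP the PMK comes from the EAP method's key material instead and there is nothing to guess.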


802.1X and EAP


EAP — Protocol Flow (RFC 3748) (diagram)


Lightweight Extensible Authentication Protocol (LEAP)

Deprecated: LEAP's MS-CHAP-based exchange is subject to offline dictionary attacks (see asleap in the tools list); prefer EAP-FAST or PEAP

Client support
Windows 95-XP, Windows CE, Macintosh OS 9.X and 10.X, and Linux

RADIUS server
Cisco ACS and Cisco Access Registrar
Local RADIUS on AP (12.2(13)), ISR (12.3(11)), and WLSM
Juniper (Funk) Steel Belted RADIUS or Odyssey server products
Interlink RAD-series
Microsoft Domain or Active Directory database (optional) for back-end authentication

Device support: all Cisco Wireless LAN products


Protected Extensible Authentication Protocol (PEAP)

Hybrid authentication method
Server-side authentication with TLS
Client-side authentication with inner EAP authentication types (EAP-GTC, EAP-MSCHAPv2, etc.)

Clients do not require certificates
Simplifies end-user/device management

RADIUS server requires a server certificate
The RADIUS server's "self-issuing" certificate capability may be used (the clients must then be configured to trust that specific certificate, or they cannot tell the real server from a rogue one offering its own)
Purchase a server certificate per server from a public PKI entity
Set up a simple PKI server to issue server certificates

Allows one-way authentication types to be used inside the tunnel
One-time passwords
Proxy to LDAP, UNIX, NT/AD, OTP, etc.


Flexible Authentication via Secure Tunneling (EAP-FAST)

Strong authentication without the requirement for certificate management

Simple to deploy

Open standard; latest draft published October 2005
http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-03.txt

Robust support
Fast roaming (CCKM)
Fallback authentication via Cisco IOS® Access Point local authentication server
Multiple NAC supplicants are available which employ EAP-FAST authentication

EAP-FAST establishes an encrypted tunnel between the client and the AAA server
The client and AAA server can then securely use any credentials within the tunnel

Client stacks from Cisco-Meetinghouse, and others

CCX versions 3 and 4 specify EAP-FAST support


EAP-FAST Authentication

(Reconstructed from the ladder diagram: Client, Access Point, RADIUS Server, External User DB. The AP blocks all requests until authentication completes.)

1. Start: the AP sends Request Identity; the client's Identity is relayed to the RADIUS server
2. The server sends its A-ID; the client returns the PAC-Opaque for that authority
3. Establish a secure tunnel (PAC and TLS): server authentication
4. Client authentication inside the tunnel; the server authenticates the client against the external user DB
5. Key management: WPA or CCKM key management is used
6. Protected data session


Transport Layer Security (EAP-TLS)

Client support
Windows 2000, XP, and Windows CE (natively supported)
Non-Windows platforms: third-party supplicants (Cisco-Meetinghouse and Juniper-Funk)
Each client requires a user certificate

Infrastructure requirements
EAP-TLS supported RADIUS server: Cisco ACS, Cisco AR, MS IAS, Funk, Interlink
RADIUS server requires a server certificate
Certificate Authority server (PKI infrastructure)

Certificate management
Both client and RADIUS server certificates have to be managed


EAP Protocols: Feature Support

Feature                      | EAP-TLS                      | PEAP                                        | LEAP                                     | EAP-FAST
Single Sign-on               | Yes                          | Yes                                         | Yes                                      | Yes
Login Scripts (MS DB)        | Yes (1)                      | Yes (1)                                     | Yes                                      | Yes
Password Expiration (MS DB)  | N/A                          | Yes                                         | No                                       | Yes
Client and OS Availability   | XP, 2000, CE, and others (2) | XP, 2000, CE, CCXv2 clients (3), others (2) | Cisco/CCXv1 or above clients, others (2) | Cisco/CCXv3 clients (4), others (2)
MS DB Support                | Yes                          | Yes                                         | Yes                                      | Yes
LDAP DB Support              | Yes                          | Yes (5)                                     | No                                       | Yes
OTP Support                  | No                           | Yes (5)                                     | No                                       | Yes (6)

(1) Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
(2) Greater operating system coverage is available from Meetinghouse and Funk supplicants
(3) PEAP/GTC is supported on CCXv2 clients and above
(4) Cisco 350/CB20A clients support EAP-FAST on Microsoft XP, 2000, and CE operating systems; EAP-FAST is supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients
(5) Supported by PEAP/GTC only
(6) Supported with 3rd-party supplicant


EAP Protocols: Feature Support (continued)

Feature                                   | EAP-TLS | PEAP   | LEAP    | EAP-FAST
Off-Line Dictionary Attacks?              | No      | No     | Yes (1) | No
Local Authentication                      | No      | No     | Yes     | Yes
WPA Support                               | Yes     | Yes    | Yes     | Yes
Application Specific Device (ASD) Support | No      | No     | Yes     | Yes
Server Certificates?                      | Yes     | Yes    | No      | No
Client Certificates?                      | Yes     | No     | No      | No
Deployment Complexity                     | High    | Medium | Low     | Low
RADIUS Server Scalability Impact          | High    | High   | Low     | Low/Medium

(1) A strong password policy mitigates dictionary attacks; please refer to: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html


PKC and CCKM

Components of roaming delay:
Client channel scanning and AP selection algorithms: improved via CCX features
Refreshing of the IP address: irrelevant in a controller-based architecture!
Re-authentication of the client device and re-keying

Cisco Centralized Key Management (CCKM): Cisco proprietary, supported via CCX
Proactive Key Caching (PKC): extension of an optional component of 802.11i (PMK caching)
Coming soon: standardization via 802.11r


Fast Secure Roaming: Standard Wi-Fi Secure Roaming

1. 802.1X authentication in wireless today requires three "end-to-end" transactions, with an overall transaction time of > 500 ms
2. 802.1X authentication in wireless today requires a roaming client to re-authenticate, incurring an additional 500+ ms on the roam

(Diagram: AP1 and AP2 reach the Cisco ACS AAA server across a WAN; 1. 802.1X initial authentication transaction; 2. 802.1X re-authentication after roaming)

Note: a mechanism is needed to centralize key distribution


Fast Secure Roaming: WPA2/802.11i Pairwise Master Key (PMK) Caching

WPA2 and 802.11i specify a mechanism to prevent excessive key management and 802.1X requests from roaming clients

From the 802.11i specification (paraphrased):
Whenever an AP and a STA have successfully completed 802.1X-based authentication, both of them may cache the PMK record to be used later
When a STA (re-)associates to an AP, it may attach a list of PMKIDs (derived earlier via the 802.1X process with this AP) in the (re)association request frame
When a PMKID is present, the AP can use it to retrieve the PMK record from its own PMK cache; if the PMK is found and matches the STA MAC address, the AP can bypass the 802.1X authentication process and directly start the WPA2 four-way key handshake with the STA

PMK cache records are kept for one hour for non-associated STAs
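The cache check above is small enough to write out in full. The following added example (not Cisco code) derives the PMKID as 802.11i defines it, HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), and runs the AP-side decision on (re)association: a listed PMKID that is cached, unexpired and bound to the presenting MAC goes straight to the 4-way handshake, anything else runs full 802.1X and refreshes the cache. The cache structure, the one-hour expiry, the stand-in for the EAP exchange and all MAC addresses are constructed for illustration.

```python
"""PMK caching as the slide describes it: PMKID derivation and the cache check
done at (re)association.

Added example (not Cisco code). PMKID derivation follows 802.11i; the cache,
the expiry policy, the stand-in for 802.1X and the MACs are constructed.
"""
import hashlib
import hmac

PMK_CACHE_TTL_SECONDS = 3600   # one hour for non-associated STAs, per the slide


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), computed by both sides."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PmkCache:
    """PMKSA cache held by an AP (or, in the unified architecture, the controller)."""

    def __init__(self, aa):
        self.aa = aa
        self.entries = {}   # pmkid -> (pmk, spa, expires_at)

    def store(self, pmk, spa, now):
        pid = pmkid(pmk, self.aa, spa)
        self.entries[pid] = (pmk, spa, now + PMK_CACHE_TTL_SECONDS)
        return pid

    def lookup(self, spa, pmkid_list, now):
        """Return the cached PMK only if a presented PMKID is known, unexpired and
        bound to the presenting STA's MAC; otherwise None (full 802.1X required)."""
        for pid in pmkid_list:
            entry = self.entries.get(pid)
            if entry is None:
                continue
            pmk, bound_spa, expires_at = entry
            if now >= expires_at:
                del self.entries[pid]
                continue
            if bound_spa != spa:
                continue         # PMKID replayed from another MAC: do not bypass 802.1X
            return pmk
        return None


def handle_association(cache, spa, pmkid_list, now, full_dot1x):
    """AP-side decision on (re)association: a cache hit goes straight to the
    4-way handshake; a miss runs the full EAP exchange and caches the new PMK."""
    pmk = cache.lookup(spa, pmkid_list, now)
    if pmk is not None:
        return "cached", pmk
    pmk = full_dot1x(spa)
    cache.store(pmk, spa, now)
    return "dot1x", pmk


def fake_dot1x(spa):
    """Stand-in for EAP/RADIUS: a real PMK comes from the EAP method's MSK."""
    return hashlib.sha256(b"constructed-msk-for-" + spa).digest()


def run_demo():
    aa = bytes.fromhex("001122334455")             # AP BSSID (constructed)
    sta = bytes.fromhex("66778899aabb")            # legitimate STA (constructed)
    intruder = bytes.fromhex("deadbeef0001")       # STA replaying a sniffed PMKID
    cache = PmkCache(aa)

    first, pmk = handle_association(cache, sta, [], now=0, full_dot1x=fake_dot1x)
    sta_pmkid = pmkid(pmk, aa, sta)                # the STA computes the same PMKID locally
    roam_back, pmk2 = handle_association(cache, sta, [sta_pmkid], now=600, full_dot1x=fake_dot1x)
    replay, _ = handle_association(cache, intruder, [sta_pmkid], now=700, full_dot1x=fake_dot1x)
    expired, _ = handle_association(cache, sta, [sta_pmkid], now=4000, full_dot1x=fake_dot1x)
    return {"first": first, "roam_back": roam_back, "same_pmk": pmk == pmk2,
            "replay_from_other_mac": replay, "after_ttl": expired}


if __name__ == "__main__":
    print(run_demo())
```

The PMKID travels in the clear in the (re)association request, so it is not a secret: replaying it from another MAC only costs the replayer a full 802.1X run, and even a hit would be useless without the PMK, because the 4-way handshake MIC fails. The MAC binding and the expiry keep the cache honest rather than providing the security, which rests on the PMK itself.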


Implementations of PMK Caching

Cisco implements Pairwise Master Key caching:
At the controller, for the unified wireless solution
At each access point, in the Cisco IOS APs

Implementing PMK caching at a central point for distribution among a set of APs is referred to as Proactive Key Caching or Opportunistic Key Caching

Requires WPA2 client authentication
Implemented with the Microsoft WPA2 client; enabled by default with KB893357 for XP SP2
Other WPA2 clients also support PMK caching


Fast Secure Roaming: Proactive Key Caching (PKC)

Extension of Pairwise Master Key caching
Leverages client use of master key caching
Permits knowledge of the master key before the client roams to an AP on a new controller
Controller mobility group automatically exchanges

(Diagram, as a sequence:)
1. Initial authentication; PMK derived
2. PMK used in the 4-way handshake
3. PMK proactively cached on the new controller
4. Client roams
5. Client presents the PMKID of its cached PMK upon the new association (the PMK itself is never transmitted)
6. PMK used in the 4-way handshake


Fast Secure Roaming: Cisco Centralized Key Management (CCKM)

1. AP1 and AP2 authenticate via 802.1X with the WDS AP to establish a secure session
2. The initial client 802.1X authentication goes to the central AAA server (~500 ms)
3. During a client roam, the client signals to the WDS that it has roamed, and the WDS sends the client's key to the new AP (AP2)
4. The overall roam time is reduced to < 150 ms, and in most cases < 100 ms

(Diagram: AP1 and AP2 with an AP-based WDS on the local LAN; the Cisco ACS AAA server is across the WAN)

Note: because the local WDS device handles roaming and re-authentication, the WAN link is not used on the roam


Mitigation Strategies, and Cisco Unified Wireless


Cisco Unified Wireless: Security Highlights

Trusted wireless infrastructure—only authorized APs are permitted to join controller

Secure wireless infrastructure—encryption of control data and centralized configuration

Central policy enforcement point to simplify deployment and easily control WLAN network access

Integrated Intelligent Radio Resource Management

Integrated wIDS/wIPS


Cisco WLAN Security Components

1. Secure RF Management
• RF bleed-over protection
• Coverage hole correction
• Interference avoidance
• Hi-res location tracking

2. Intrusion Protection
• Rogue detection and location map
• IDS attack signatures
• Client exclusion and containment
• Hi-res location tracking

3. Identity Networking
• Mutual authentication
• Strong encryption
• User policy enforcement (AAA, ACLs, QoS contracts)

4. Secure Enterprise Mobility
• Persistent VPN connectivity
• Proactive Key Caching (PKC)
• Fast secure roaming

5. Network Access Control
• Host-based integrity checking
• Anti-virus protection
• Client remediation


Cisco Centralized WLAN — Architecture

"Lightweight" access points receive CONFIG and SOFTWARE from a centralized WLAN controller

DATA forwarding functions of a traditional AP are split between the "lightweight" AP and the centralized WLAN controller

LWAPP defines CONTROL messaging and data encapsulation between access points and the centralized WLAN controller

(Diagram: Wireless LAN Client; Lightweight Access Point; LWAPP tunnel; Wireless LAN Controller; ingress/egress point from/to the upstream switched/routed wired network (802.1Q trunk))


Cisco Centralized WLAN – Functional Breakdown

Lightweight Access Point:
Remote RF interface
Real-time 802.11 MAC
RF spectral analysis
WLAN IDS/IPS signature analysis

Wireless LAN Controller:
Security management
QoS policy enforcement
Centralized configuration
Northbound management interfaces
Radio Resource Management (RRM) coordination
Mobility management

LWAPP tunnel between the two:
LWAPP encapsulates all communication between access point and controller
Mutual authentication: X.509 certificate based
LWAPP control traffic is AES-CCM encrypted; client data is encapsulated but not encrypted by LWAPP (its protection is whatever 802.11 encryption the client negotiated)
The controller's ingress/egress point from/to the upstream switched/routed wired network is an 802.1Q trunk

(Diagram: Wireless LAN Client, Lightweight Access Point, LWAPP tunnel, Wireless LAN Controller, switched/routed wired network)


Cisco Unified Wireless IDS Implementation

The WLAN infrastructure serves 802.11 traffic and provides most IDS functions:
Rogue detection
Denial-of-service detection
WLAN exploit signature analysis
RF interference detection
Detection of attempts to access the WLAN network, and attempts to attract managed clients (e.g., honeypot)

Dedicated/hybrid wireless IDS deployment
LWAPP APs may be deployed in one of three modes:
Local: serves 802.11 traffic and monitors (scanning off-channel in between serving clients)
Monitor: monitors 802.11 traffic on all channels, serves no clients
Rogue Detector: does wired-network correlation of rogue AP devices (via ARP sniffing on its trunk port)


Rogue AP Detection

Rogue AP detection has multiple facets:
Air/RF detection: detection of rogue devices by observing/sniffing beacons and 802.11 probe responses
Rogue AP location: use of the detected RF characteristics and known properties of the managed RF network to locate the rogue device
Wire detection: a mechanism for tracking/correlating the rogue device to the wired network

A WIDS may require different deployments to effectively address all of these facets
For example, it is typically required to use a scanning-mode AP as a "rogue traffic injector" to attempt to trace the rogue's connected port


Rogue Classification – Configuration

Configure a Rogue AP Rule on the WLC:

Security --> Wireless Protection Policies --> Rogue Policies --> Rogue Rules (Malicious)


Rogue Classification – Configuration

Configure a Rogue AP Rule on the WLC:

Security --> Wireless Protection Policies --> Rogue Policies --> Rogue Rules (Friendly)


Rogue AP Detection and Suppression

Rogue AP detection methodology

WLAN system collects (via beacons and probe responses) and reports BSSID information

System compares collected BSSID information versus authorized (i.e., managed AP) BSSID information

Unauthorized APs are flagged and reported via fault monitoring functionality

Rogue AP suppression techniques

Trace the rogue AP over the wired network to verify that the rogue is internal and should be contained

Use of managed devices to disassociate clients from unauthorized AP and prevent further associations via 802.11 de-authentication frames
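The detection, classification and containment-planning logic described on the last few slides (compare heard BSSIDs against the managed list, apply Friendly/Malicious rogue rules, correlate with wired ARP sightings from a rogue-detector AP, then pick containing APs within the per-AP limit), worked through in Python on constructed scan data. This is an added example, not Cisco code; the sightings, MAC addresses, SSIDs, rule thresholds and the exact-BSSID wire correlation are all assumptions made for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One BSSID heard by a managed AP in a beacon or probe response (constructed)."""
    bssid: str
    ssid: str
    channel: int
    rssi: int          # dBm as measured by the reporting AP
    reporting_ap: str  # managed AP that heard the frame


# Constructed inventory: our managed APs' BSSIDs and the SSIDs we serve.
MANAGED_BSSIDS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
CORPORATE_SSIDS = {"corp-secure"}

# Constructed rogue rules, standing in for the WLC's Friendly and Malicious rule lists.
FRIENDLY_RULE = {"ssids": {"neighbour-cafe"}, "max_rssi": -75}  # known neighbour, weak signal only
MALICIOUS_RULE = {"ssids": CORPORATE_SSIDS}                      # anything advertising our SSID


def classify_rogues(sightings, wired_macs):
    """Compare heard BSSIDs with the managed list, then classify the rest.

    wired_macs: MACs a rogue-detector AP observed in ARP traffic on the wire.
    Returns {bssid: {"ssid", "max_rssi", "heard_by", "on_wire", "class"}}.
    """
    rogues = {}
    for s in sightings:
        if s.bssid in MANAGED_BSSIDS:
            continue  # one of ours: not a rogue
        r = rogues.setdefault(s.bssid, {"ssid": s.ssid, "max_rssi": -200, "heard_by": {}})
        r["heard_by"][s.reporting_ap] = max(r["heard_by"].get(s.reporting_ap, -200), s.rssi)
        r["max_rssi"] = max(r["max_rssi"], s.rssi)
    for bssid, r in rogues.items():
        # Simplified wire correlation (assumption): the BSSID itself shows up in wired ARP.
        r["on_wire"] = bssid in wired_macs
        if r["on_wire"] or r["ssid"] in MALICIOUS_RULE["ssids"]:
            r["class"] = "malicious"
        elif r["ssid"] in FRIENDLY_RULE["ssids"] and r["max_rssi"] <= FRIENDLY_RULE["max_rssi"]:
            r["class"] = "friendly"
        else:
            r["class"] = "unclassified"  # left for the operator to review
    return rogues


def plan_containment(rogues, max_aps=2, per_ap_limit=3):
    """Choose which managed APs contain each malicious rogue, strongest signal first.

    Honours the configurable number of containing APs per rogue and the limit of
    three simultaneous containments per AP from the slides. Only the plan is
    produced here; sending the frames is the controller's job.
    """
    load = defaultdict(int)
    plan = {}
    for bssid, r in rogues.items():
        if r["class"] != "malicious":
            continue
        chosen = []
        for ap, _rssi in sorted(r["heard_by"].items(), key=lambda kv: -kv[1]):
            if len(chosen) == max_aps:
                break
            if load[ap] >= per_ap_limit:
                continue  # this AP is already at its containment limit
            chosen.append(ap)
            load[ap] += 1
        plan[bssid] = chosen
    return plan


# Constructed sample data: what two managed APs (ap1, ap2) reported in one scan cycle.
SIGHTINGS = [
    Sighting("00:1a:2b:00:00:01", "corp-secure", 6, -40, "ap1"),     # our own AP
    Sighting("66:77:88:00:00:aa", "corp-secure", 11, -55, "ap1"),    # spoofs our SSID
    Sighting("66:77:88:00:00:aa", "corp-secure", 11, -62, "ap2"),
    Sighting("aa:bb:cc:00:00:01", "neighbour-cafe", 1, -82, "ap1"),  # weak, known neighbour
    Sighting("de:ad:be:ef:00:01", "guest-hotspot", 6, -50, "ap2"),   # also seen on the wire
    Sighting("12:34:56:00:00:99", "unknown-net", 3, -70, "ap1"),     # nothing matches
]
WIRED_MACS = {"de:ad:be:ef:00:01", "00:50:56:aa:bb:cc"}  # constructed ARP sightings

if __name__ == "__main__":
    rogues = classify_rogues(SIGHTINGS, WIRED_MACS)
    for bssid, r in rogues.items():
        print(bssid, r["ssid"], r["class"], "on_wire=%s" % r["on_wire"])
    print(plan_containment(rogues))
```

The ordering of the rules matters: a rogue that is on the wire or advertises a corporate SSID is malicious regardless of how weak it is, and only rogues that match the friendly rule and stay below the RSSI threshold are auto-classified as friendly; everything else is left unclassified for review rather than silently accepted.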


Cisco Unified Wireless: Map Rogue AP


Cisco Unified Wireless: Rogue Containment

Rogue AP, Rogue-Connected Client, or Ad-Hoc Client May Be Contained by Controller Issuing Unicast De-Authentication Packets

Maximum number of APs participating in containment is configurable

Maximum of three simultaneous containments may operate on a single LWAPP AP

Rogue client devices may be authenticated to a RADIUS (MAC address) database

Maximum time for auto-containment is configurable


Cisco Unified Wireless: Rogue AP Detection and Containment


Wireless IDS: Signature Detection

The WLC comes with built-in Wireless IDS signatures that can be augmented with additional custom signatures


Wireless IDS: Signature Configuration

Signature frequency, signature MAC frequency and quiet time can be modified in the WLC 5.0 release to reduce false positives


Switch-Port Tracing

Introduced in Release 5.1

Rogues connected to your wired network are potentially more dangerous

Allows tracing the switch port to which the rogue is connected, and the ability to shut down that port

SNMP communities of the switches in your network must be correctly configured

Supported on IOS-based switches only

Limited to 2 hops so that it does not impact performance

CDP must be enabled

Follow Enterprise design best practice – wired 802.1X
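How the switch-port trace described on this slide walks the wired network, as an added example (not Cisco's implementation): starting from the switch behind the detecting AP, the rogue's MAC is looked up in the switch's MAC address table; if the port it was learned on has a CDP neighbour, the rogue sits behind that neighbour and the search hops to it, stopping after two hops as the feature does; a port with no CDP neighbour is the rogue's attachment point. The switch names, ports, MAC tables and CDP tables are constructed stand-ins for what SNMP (BRIDGE-MIB and CISCO-CDP-MIB, read with the communities the slide mentions) would return.

```python
# Constructed topology: per switch, the MAC address table (MAC -> port) and the
# CDP neighbour table (port -> neighbouring switch). Real values come from SNMP.
SWITCHES = {
    "access-sw1": {
        "mac_table": {"00:1a:2b:00:00:01": "Gi1/0/1",     # our managed AP
                      "66:77:88:00:00:ab": "Gi1/0/24",    # rogue, learned via the uplink
                      "ba:d0:ca:fe:00:03": "Gi1/0/24"},   # second rogue, further away
        "cdp": {"Gi1/0/24": "dist-sw1"},
    },
    "dist-sw1": {
        "mac_table": {"66:77:88:00:00:ab": "Gi1/0/2", "ba:d0:ca:fe:00:03": "Gi1/0/4"},
        "cdp": {"Gi1/0/1": "access-sw1", "Gi1/0/2": "access-sw2", "Gi1/0/4": "dist-sw2"},
    },
    "access-sw2": {
        "mac_table": {"66:77:88:00:00:ab": "Gi1/0/7"},     # rogue plugged in here
        "cdp": {"Gi1/0/24": "dist-sw1"},
    },
    "dist-sw2": {
        "mac_table": {"ba:d0:ca:fe:00:03": "Gi1/0/5"},
        "cdp": {"Gi1/0/3": "dist-sw1", "Gi1/0/5": "access-sw4"},
    },
    "access-sw4": {
        "mac_table": {"ba:d0:ca:fe:00:03": "Gi1/0/11"},    # three hops from access-sw1
        "cdp": {"Gi1/0/24": "dist-sw2"},
    },
}


def trace_rogue_port(start_switch, rogue_mac, switches=SWITCHES, max_hops=2):
    """Follow the rogue's MAC from the detecting AP's switch towards its edge port.

    Returns (switch, port, hops) when the MAC is learned on a port with no CDP
    neighbour (the attachment point), or None when the trail goes cold or the
    hop budget (two, matching the slide) is exhausted.
    """
    switch, hops = start_switch, 0
    visited = set()
    while switch in switches and switch not in visited:
        visited.add(switch)
        port = switches[switch]["mac_table"].get(rogue_mac)
        if port is None:
            return None                   # MAC not learned here: nothing to follow
        neighbour = switches[switch]["cdp"].get(port)
        if neighbour is None:
            return switch, port, hops     # edge port: rogue is attached here
        if hops == max_hops:
            return None                   # would need another hop; stop
        switch, hops = neighbour, hops + 1
    return None


def shutdown_commands(switch, port):
    """IOS configuration lines an operator would push to disable the traced port."""
    return ["! on %s" % switch, "configure terminal", "interface %s" % port, "shutdown", "end"]


if __name__ == "__main__":
    hit = trace_rogue_port("access-sw1", "66:77:88:00:00:ab")
    print(hit)
    if hit:
        print("\n".join(shutdown_commands(hit[0], hit[1])))
```

Two failure modes are worth noting: a rogue whose MAC is not in the first switch's table (for example because it has not sent wired traffic yet) cannot be traced at all, and a rogue more than two hops away is reported as untraced rather than hunted across the whole campus, which is the performance trade-off the slide refers to.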


802.11 Management Frame Vulnerability

802.11 management frames are NOT authenticated

Anyone can spoof an AP’s MAC address or SSID and send an 802.11 management frame on behalf of that AP

Anyone can spoof a client’s MAC address and send an 802.11 management frame on behalf of that client

Threats:

802.11 Denial of Service (DoS) attacks by spoofing AP or client 802.11 de-authentication or disassociation frames to disconnect users

Rogue AP or MITM avoids detection by spoofing valid AP MAC or SSID

[Figure: an attacker spoofing managed AP1's MAC address (A.B.C.D) sends a disassociation frame on behalf of AP1; the user is disconnected]


Cisco Management Frame Protection (MFP)

Inserts a MIC (Message Integrity Code) as a signature into management frames

MFP employs the HMAC-SHA1 algorithm to calculate the MIC

Mitigates management frame attacks

Invalid management frames ignored

Immediate detection by WLC of malicious rogues or MITM devices that are spoofing a valid AP MAC or SSID

Infrastructure MFP support

Introduced in Unified Wireless 4.0

Client MFP support

Introduced in CCX version 5

[Figure: managed AP1 (MAC address A.B.C.D) and an attacker spoofing AP1's MAC address; the receiver checks "MIC valid?" and the spoofed management frame is discarded]


Client MFP (MFP-2)

Protects class 3 (authenticated session) unicast management frames between an AP and an authenticated client.

A CCXv5 feature

Must be supported on the client

Uses WPA2 (AES-CCMP or TKIP) encryption

Protects the following unicast frames:

Deauth

Disassoc

Action

Spoofed frames are reported to the WCS as alerts

Spoofed frames are ignored by AP and client
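The MIC check that the two MFP slides describe, worked through in Python as an added example (not Cisco's MFP implementation): the sender appends an HMAC-SHA1 MIC over a deauthentication, disassociation or action frame, and the receiver accepts the frame only if the MIC verifies under the shared key, discarding it and raising a WCS-style alert otherwise. The frame layout (no duration field or FCS, MIC simply appended), the key, the MAC addresses and the frames built in `demo()` are all constructed for the demonstration; real MFP carries the MIC inside an information element with additional fields, and the key is derived from the client's security association rather than hard-coded.

```python
import hashlib
import hmac
import struct

# 802.11 frame-control bytes (type = management) for the unicast frames client MFP covers.
DEAUTH, DISASSOC, ACTION = 0xC0, 0xA0, 0xD0
MIC_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 output


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, seq: int, body: bytes) -> bytes:
    """Minimal management frame: frame control, the three addresses, sequence number, body.

    Duration and FCS are omitted (assumption) to keep the example focused on the MIC.
    """
    return (struct.pack("<B", subtype) + _mac(dst) + _mac(src) + _mac(bssid)
            + struct.pack("<H", seq) + body)


def protect(frame: bytes, mic_key: bytes) -> bytes:
    """Append an HMAC-SHA1 MIC computed over the whole frame (simplified MFP layout)."""
    return frame + hmac.new(mic_key, frame, hashlib.sha1).digest()


def mic_valid(protected: bytes, mic_key: bytes) -> bool:
    """True only when a MIC is present and matches under the key AP and client share."""
    if len(protected) <= MIC_LEN:
        return False
    frame, mic = protected[:-MIC_LEN], protected[-MIC_LEN:]
    expected = hmac.new(mic_key, frame, hashlib.sha1).digest()
    return hmac.compare_digest(mic, expected)  # constant-time comparison


def receive(protected: bytes, mic_key: bytes) -> dict:
    """Receiver-side handling: process a valid frame, otherwise ignore it and alert.

    The alert carries the claimed source address so the management system can show
    which AP MAC was spoofed, mirroring "spoofed frames are reported to the WCS".
    """
    src = ":".join("%02x" % b for b in protected[7:13])  # address 2 of the header
    if mic_valid(protected, mic_key):
        return {"action": "process", "src": src}
    return {"action": "discard", "alert": "spoofed management frame", "src": src}


# Constructed sample values.
AP_MAC, CLIENT_MAC = "00:1a:2b:00:00:01", "00:16:6f:11:22:33"
MIC_KEY = b"constructed-demo-key-not-a-real-derivation"
REASON_LEAVING = struct.pack("<H", 3)  # reason code 3: sending station is leaving


def demo():
    """Legitimate deauth, a forged one built locally without the key, and a tampered one."""
    legit = protect(build_mgmt_frame(DEAUTH, CLIENT_MAC, AP_MAC, AP_MAC, 10, REASON_LEAVING), MIC_KEY)
    # Forgery claims AP_MAC as source but has no key, so it carries a meaningless MIC.
    forged = build_mgmt_frame(DEAUTH, CLIENT_MAC, AP_MAC, AP_MAC, 11, REASON_LEAVING) + b"\x00" * MIC_LEN
    tampered = bytearray(legit)
    tampered[-MIC_LEN - 1] ^= 0x01  # flip a bit in the reason code after the MIC was computed
    return receive(legit, MIC_KEY), receive(forged, MIC_KEY), receive(bytes(tampered), MIC_KEY)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Without a MIC the receiver has nothing but the source address to go on, which is exactly what the previous slide shows an attacker spoofing; with the MIC, any frame not produced by the holder of the key is rejected before it can tear down the session, and the rejection itself becomes the detection signal.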


Client Exclusion: Blacklisting

Client Exclusion Policy may be used to exclude client from WLAN network

No response is issued to excluded client probe requests

Client exclusion may be triggered by the following:

Client exclusion may also be manually invoked

Configurable timer or client may be indefinitely excluded until manually removed from exclusion list


Configuration Auditing


Operational Perspective of a Secure WLAN


Security Dashboard: Insight into the Network

WCS Security Dashboard

Security Index

Quick Insight into Network Security


Compliance Reporting


Events and Alarms Reporting


End-to-End System-Level Security and Integration


Cisco Unified Wireless Solution and IDS/IPS Integration Overview

Cisco Unified Wireless Self-Defending Network

Integrated end-to-end, defence-in-depth solution

Threat detection and mitigation on a WLAN is a key element

Wireless & Traditional IDS/IPS Integration for WLAN Threat Detection & Mitigation

Wireless IDS/IPS (WIDS/IPS) features of the Cisco WLAN Controller (WLC)

Cisco IDS/IPS platforms

Extend same principles and policies of threat detection & mitigation on a wired network to a WLAN

Extend general network security policy to include a WLAN


Cisco WLC and IPS Integration: IPS Client Block Enforcement on a WLC

[Figure: WLAN Controller, ASA 5500 with IPS/IDS module, Enterprise Network]

1 Client to AP/Controller

2 Controller to IDS (deep packet inspection)

3 Shun: IDS to Controller (shun malicious traffic)


Cisco WLC and IPS Integration: IPS Client Block Enforcement on a WLC

Cisco IPS Host Block

Cisco WLC Shun List

Cisco WLC Client Exclusion
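The client exclusion behaviour from the "Client Exclusion: Blacklisting" slide and the IPS host block to WLC shun list to client exclusion chain above, worked through in Python as an added example (not Cisco's controller code): excluded clients get no probe response, an exclusion either expires on a configurable timer or stays until an operator removes it, and an IPS host block by IP address is resolved to the wireless client's MAC through the controller's client table before it is turned into an exclusion. The timeout value, MAC and IP addresses and the client table are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Exclusion:
    mac: str
    reason: str
    expires_at: Optional[float]  # None: excluded until an operator removes the entry


class ExclusionPolicy:
    """WLC-style client exclusion list with a configurable timer (simplified model)."""

    def __init__(self, timeout_seconds: float = 60.0):
        self.timeout_seconds = timeout_seconds  # constructed default
        self.entries = {}

    def exclude(self, mac: str, reason: str, now: float, indefinite: bool = False) -> None:
        """Add (or refresh) an exclusion; indefinite entries never time out."""
        mac = mac.lower()
        expires = None if indefinite else now + self.timeout_seconds
        self.entries[mac] = Exclusion(mac, reason, expires)

    def remove(self, mac: str) -> None:
        """Manual removal from the exclusion list."""
        self.entries.pop(mac.lower(), None)

    def is_excluded(self, mac: str, now: float) -> bool:
        """Check the list, lifting timed entries whose timer has elapsed."""
        entry = self.entries.get(mac.lower())
        if entry is None:
            return False
        if entry.expires_at is not None and now >= entry.expires_at:
            del self.entries[entry.mac]  # timer elapsed: client may try again
            return False
        return True

    def handle_probe_request(self, mac: str, now: float) -> Optional[str]:
        """Excluded clients are simply ignored: no probe response is sent to them."""
        if self.is_excluded(mac, now):
            return None
        return "probe-response"

    def apply_ips_host_block(self, blocked_ip: str, client_table: dict, now: float) -> Optional[str]:
        """IPS host block (by IP) -> shun list -> client exclusion.

        client_table maps the IP addresses of associated wireless clients to their
        MACs, as the controller knows them. Blocks for addresses that are not
        wireless clients are not ours to enforce and are reported as None.
        """
        mac = client_table.get(blocked_ip)
        if mac is None:
            return None
        self.exclude(mac, "ips-shun:%s" % blocked_ip, now)
        return mac.lower()


if __name__ == "__main__":
    policy = ExclusionPolicy(timeout_seconds=60)
    policy.exclude("00:16:6f:11:22:33", "auth-failures", now=0)
    print(policy.handle_probe_request("00:16:6f:11:22:33", now=30))   # None: ignored
    print(policy.handle_probe_request("00:16:6f:11:22:33", now=61))   # probe-response
    clients = {"10.20.30.40": "00:16:6f:de:ad:01"}                      # constructed client table
    print(policy.apply_ips_host_block("10.20.30.40", clients, now=100))
```

Resolving the IPS block through the controller's own client table is the step that makes wired-side detection actionable on the WLAN: the IPS only sees an IP address, while the exclusion has to be keyed on the client MAC so that it survives the client obtaining a new address.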


Cisco Firewall Integration

Cisco offers range of fully featured firewalls that can be integrated into the Secure Wireless solution

Enables a consistent firewall platform deployment across the wired and wireless network

Enables consistent policy enforcement across both the wired and wireless network

Provides lower TCO and easier management

Can be used to enforce policy on traffic between the WLAN and the wired network

Policies may be applied on layers L2-L7

Enables stateful firewall, network access restrictions, etc.

Integrated and extended features on common platforms

Including SSL VPN, IPS, content security, security contexts


Cisco Firewall Integration Scenario: AAA Override and Policy Enforcement

Restricts user group access to permitted network resources only

802.1X allows a common WLAN but different user group VLAN assignment based upon AAA policy

Single SSID with RADIUS-assigned VLAN upon successful 802.1x/EAP authentication

VLAN mapped to different firewall VLANs and subject to different firewall policy

VLAN mapped to a specific virtual context (user group) in the firewall

Firewall policy enforced per user group


CS-MARS: Monitoring Analysis and Response System

[Figure: LWAPP access point, Wireless LAN Controller and CS-MARS]


DoS Attack Related Events in WLAN Controller

Check for the DoS attack related alarms on the WLC


Query/Report for WLAN Related Events in CS-MARS

Results of a query for WLAN events related to the DoS attacks, showing the access point, event type and MAC address of the attacker in the raw SNMP data


Cisco Unified Wireless with NAC Appliance: Summary

Cisco NAC appliance is an easily deployed NAC product that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

The Cisco NAC appliance identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with network security policies, and repairs any vulnerabilities before permitting access to the network.

Cisco’s NAC solution is a natural complement to a Unified Wireless deployment and enhances overall wireless security by enforcing end station policy compliance.


Cisco Unified Wireless with NAC Appliance

NAC Appliance accommodates several deployment scenarios:

Centralized and Distributed

In-band and Out-of-Band

Virtual Gateway or Real IP Gateway

Unified Wireless and Campus Virtualization best practices currently recommend a centralized deployment

Should be logically in-band, L2 adjacent with wireless topology

Virtual G/W mode with VLAN Mapping is preferred over IP GW mode for wireless deployments

Real IP G/W mode is compatible with wireless deployment, but with caveats.


Cisco Unified Wireless with NAC Appliance

[Figure: LWAPP access point, Wireless LAN Controller and NAC Appliance Server]


CSA for WLAN Security Overview

CSA Overview

Key element of integrated end-to-end, defence-in-depth approach to security

Identifies and prevents malicious or unauthorized behavior

Offers endpoint threat protection, often referred to as Host-based IPS (HIPS)

CSA for WLAN Security

Threat detection and mitigation on a WLAN, along with policy enforcement

General client protection

WLAN-specific scenarios


Cisco Self-Defending Network

[Figure: LWAPP access point, Wireless LAN Controller, NAC Appliance Server, Guest Anchor Controller, ASA IPS Edition, CS-MARS, CS-ACS, CSA Manager, NAC Manager and DHCP Server; wireless and wired clients each running CSSC, CSA and the NAC Agent]


Cisco Security Agent


Wireless Ad-Hoc Connection Security Concerns

Typically little or no security

Generally, unauthenticated, unencrypted connection

High risk of connectivity to unauthorized or rogue device

Risk of bridging a rogue wireless ad-hoc device into a secure, wired network

Simultaneous wireless ad-hoc & wired connections

Microsoft Windows native WLAN client vulnerability

Microsoft Wireless Auto Configuration default behavior creates high risk of connectivity to a rogue device, particularly as a user may not even be aware that an 802.11 radio is enabled

[Figure: rogue WLAN device connected ad-hoc to an authorized device]


CSA Wireless Ad-Hoc Pre-Defined Rule Module Considerations

Wireless ad-hoc connections continue to be initiated, accepted, and remain active and connected

Only UDP and TCP traffic over a wireless ad-hoc connection is dropped

Additional CSA security measures should be in place to protect clients from non-UDP and non-TCP threats

ICMP pings that route over a wireless ad-hoc interface are not filtered and remain a threat

Incoming ICMP packets may be filtered by enforcing a CSA Network Shield rule module

No current solution to filter outgoing ICMP packets


Simultaneous Wired and Wireless Security Concerns

Risk of bridging a rogue device into a secure wired network

Risk of bridging an authorized device into the wired network, bypassing network security measures and policies

User may not be aware of 802.11 network connectivity

Active insecure or wireless ad-hoc profile may be used by rogue device, e.g. public hotspot or unauthenticated home WLAN profile

[Figure: an authorized device with a wired connection to the corporate network and a simultaneous WLAN connection; a rogue device reaches it over a wireless ad-hoc connection]


CSA Location-Aware Policy Enforcement

CSA v5.2 introduced the ability to enforce different security policies based on the location of a client

Enables stronger security protection measures to be enforced when a client is on an insecure or non-corporate network

CSA v5.2 also introduced a pre-defined location-aware Windows rule module

“Roaming - Force VPN”

Leverages system state conditions and interface sets to apply rules that force the use of VPN if a client is out of the office


CSA Force VPN When Roaming Pre-Defined Rule Module

CSA v5.2 introduced a pre-defined Windows rule module to force connectivity to the corporate network if a network connection is active

“Roaming - Force VPN”

If a network connection is active but the CSA MC is not reachable, all UDP or TCP traffic over any interface is denied, except HTTP/HTTPS for a period of 300 seconds

May be used to protect the roaming client itself, local data, and data in transit when on insecure, non-corporate networks


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
