Beruflich Dokumente
Kultur Dokumente
BRKEWN-2021
Cisco Public
Agenda
Strong Encryption Strong Authentication
Security Standards
Wireless Policy Using ACS and ISE Per User VLAN, ACL and QoS Device Fingerprinting
Rogue Management, Rogue Classification and Containment Attack Detection and Adaptive wIPS Monitor Mode and ELM Threat Mitigation MFP and Wired IPS Integration
BRKEWN-2021
Cisco Public
BRKEWN-2021
Cisco Public
Authentication Evolution
WEP
WPA/WPA2
BRKEWN-2021
Cisco Public
WPA/WPA2 Breakdown
A Snapshot of the 802.11i Standard Commonly Used with TKIP Encryption Final Version of 802.11i Commonly Used with AES Encryption
WPA
WPA2
Authentication Mechanisms
BRKEWN-2021
Cisco Public
Client
Authenticator
CAPWAP
BRKEWN-2021
Cisco Public
CertificateBased
Inner Methods
EAP-TLS
Tunnel-based - Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAPMSCHAPv2.
This provides security for the inner EAP type which may be vulnerable by itself.
Certificate-based For more security EAP-TLS provides mutual authentication of both the server and client.
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Yes
No Yes Yes
Yes
Yes Yes No
Yes
Yes No No
No
High
No
Medium
Yes
Low
8
Client Support
Most clients such as Windows, Mac OSX, Apple iOS devices support EAP-TLS, PEAP (MS-CHAPv2).
Additional supplicants can add more EAP types (Cisco AnyConnect).
Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Encryption Evolution
WEP
(RC4)
TKIP
(RC4 and MIC)
AES
(CCMP)
BRKEWN-2021
Cisco Public
10
Use only for legacy clients without AES support Often a software update for WEP clients Can be run in conjunction with AES (mixedmode) Is being discontinued by the WiFi Alliance for certification.
AES (Advanced Encryption Standard)
Requires hardware support (~2005 chipsets or later) Achieves line-rate speeds Only encryption standard supported for 802.11n data rates
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
11
BRKEWN-2021
Cisco Public
12
WLC
Cisco ACS (or other RADIUS server which can provide Vendor Specific Attributes) can provide static user-based policy which is assigned upon initial authentication. Cisco Identity Services Engine can provide dynamic user-based policy which can be assigned upon initial authentication and changed during a session using CoA (Change of Authorization).
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
13
ACS*
Employee
Static Policy
Employee VLAN
Employee
Contractor
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved.
ACLs
Cisco Public
Phase 1 EAP
ACS
User Authentication
User Policy
QoS ACL
Allowed Access
VLAN
Cisco Public
BRKEWN-2021
Network Restrictions
Airespace-ACL-Name Sets the Access Control List used to filter traffic to/from the client.
Quality of Service
Airespace-QOS-Level Sets the maximum QoS queue level available for use by the client (Bronze, Silver, Gold or Platinum). Airespace-802.1p-Tag and/or Airespace-DSCP-Tag Sets the maximum QoS tagging level available for use by the client.
BRKEWN-2021
Cisco Public
16
Outbound
ACLs provide L3-L4 policy and can be applied per interface or per user. Cisco 5508 and WiSM2 implement line-rate ACLs. Upto 64 rules can be configured per ACL.
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
17
IT is struggling with:
Classifying managed vs. unmanaged endpoints
Attribute X
Location
Time
User
18
BRKEWN-2021
Cisco Public
Time
ISE
User
19
iPad Template
Custom Template
Session Directory
NAC Profiler
NAC Server NAC Guest ISE
All-in-One HA Pair
Admin Console
M&T
Distributed PDPs
Location Access Rights
Policy Extensibility
ISE
With the ISE, Cisco wireless can support multiple users and device types on a single SSID.
Cisco Public
22
EAP
Phase 1
Device Authentication
Phase 2
Device Identification
Phase 3
Device Policy
Limited Access
Allowed Device?
WLC
QoS ACL
Allowed Access
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved.
VLAN
Cisco Public
24
Apple iPad
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
25
NCS
ISE
Central Point of Policy for Wired and Wireless Users and Endpoints
26
Client Type and Policy Visibility with NCS and ISE Integration
Device Identity from ISE Integration AAA Override Parameters Applied to Client Policy Information Including Posture
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
27
BRKEWN-2021
Cisco Public
28
BRKEWN-2021
Cisco Public
29
WLAN Security
Vulnerabilities and Threats On-Wire Attacks Over-the-Air Attacks
Ad-Hoc Wireless Bridge
HACKER
Evil Twin/Honeypot AP
HACKERS AP
Reconnaissance
HACKER
Connection to Malicious AP
Denial of Service
DENIAL OF SERVICE
Cracking Tools
HACKER
Service Disruption
Non-802.11 Attacks
Backdoor Access
BLUETOOTH AP
BRKEWN-2021
BLUETOOTH
RF-JAMMERS
RADAR
30
Si
Network Core
Distribution
Access
RLDP Rogue AP RRM Scanning Rogue AP Rogue Detector Rogue AP
Authorized AP
BRKEWN-2021
Cisco Public
31
Detect
BRKEWN-2021
Cisco Public
32
Detect
Every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)
AP on Channel 36 - 802.11 a/n US Country Channels (without UNII-2 Extended)
10ms 10ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 36 40 36 44 36 48 36 52 36 56 36 60 36 64 36 149
Every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
33
Detect
10
11
12
Each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration 802.11a/n All Channels
10ms 10ms
1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s 1.2s
36
40
44
48
52
56
60
64
100
104
108
112
116
132
136
140
Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
34
Detect
35
Classify
Lower Severity Off-Network Secured Foreign SSID Weak RSSI Distant Location No Clients
Higher Severity On-Network Open Our SSID Strong RSSI On-Site Location Attracts Clients
BRKEWN-2021
Cisco Public
36
Classify
Marked as Friendly
Detected as Rogue
Marked as Malicious
Marked as Unclassified
37
Classify
BRKEWN-2021
Cisco Public
38
Classify
Rogues by Category
BRKEWN-2021
Cisco Public
39
Classify
Authorized AP
Client ARP
L2 Switched Network Trunk Port Wired Rogue Detector AP Detects all rogue client and Access Point ARPs Controller queries rogue detector to determine if rogue clients are on the network Does not work with NAT APs
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Rogue Detector
40
Classify
Floor 3
Floor 2
Floor 1
Install one rogue detector at each Layer 3 boundary. Put more simply - ensure all VLANs are monitored by a rogue detector.
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
41
Classify
WCS
WLC
Security Alert: Rogue with MAC Address: 00:09:5b:9c:87:68 Has Been Detected on the Wired Network
0009.5b9c.8768
0021.4458.6652
Rogue Detector
> debug capwap rm rogue detector ROGUE_DET: Found a match for rogue entry 0021.4458.6652 ROGUE_DET: Sending notification to switch ROGUE_DET: Sent rogue 0021.4458.6652 found on net msg
BRKEWN-2021
Cisco Public
42
Classify
WLC
All Radios Become Disabled in This Mode
Switch
BRKEWN-2021
interface GigabitEthernet1/0/5 description Rogue Detector switchport trunk encapsulation dot1q switchport trunk native vlan 113 switchport mode trunk spanning-tree portfast
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
AP VLAN
43
Classify
Managed AP
Rogue AP
Routed/Switched Network
RLDP (Rogue Location Discovery Protocol) Connects to Rogue AP as a client Sends a packet to controllers IP address Only works with open rogue access points
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Controller
44
Classify
WCS
WLC
Security Alert: Rogue with MAC Address: 00:13:5f:fa:27:c0 Has Been Detected on the Wired Network
> debug dot11 rldp Successfully associated with rogue: 00:13:5f:fa:27:c0 Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0 RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0 Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193 Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80) Received 32 byte ARLDP message from: 172.20.226.253:52142
%LWAPP-5-RLDP: RLDP started on slot 0. %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up %LWAPP-5-RLDP: RLDP stopped on slot 0.
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
00:13:5f:fa:27:c0
BRKEWN-2021
45
Classify
Recommended: Monitor Mode APs RLDP can impact service on client serving APs
BRKEWN-2021
Cisco Public
46
Switchport Tracing
Concept
Match Found
Classify
2
CAM Table
3
CAM Table
WCS
1
Show CDP Neighbors
Managed AP WCS Switchport Tracing Identifies CDP Neighbors of APs detecting the rogue Queries the switches CAM table for the rogues MAC Works for rogues with security and NAT
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Rogue AP
SPT Matches On: Rogue Client MAC Address Rogue Vendor OUI Rogue MAC +1/-1 Rogue MAC Address
47
Classify
Match Type
WCS
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
48
Rogue Location
On-Demand with WCS
Mitigate
Allows an individual rogue AP to be located on-demand Keeps no historical record of rogue location Does not locate rogue clients
WCS
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
49
Rogue Location
In Real-Time with WCS and MSE Context-Aware
Mitigate
Track of multiple rogues in real-time (up to MSE limits) Can track and store rogue location historically Provides location of rogue clients Provides location of rouge ad-hoc networks
WCS
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
50
Rogue Containment
Mitigate
Mitigate
Concept
Rogue Client
Authorized AP
De-Auth Packets
Rogue AP
Rogue AP Containment Sends De-Authentication (or Disassociation) Packets to Client and AP Can use local, monitor mode or H-REAP APs Impacts client performance on local/H-REAP APs A temporary solution till the rogue can be tracked down.
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
51
Rogue Containment
Local Mode APs
Mitigate
De-Auth
3
Local Mode
BRKEWN-2021
52
Rogue Containment
Monitor Mode APs
Mitigate
De-Auth
Unicast Deauth and Unicast Disassociation Frames
Dis-Association
6
Monitor Mode
BRKEWN-2021
A monitor mode AP can contain 6 rogues per radio Containment packet sent every 100ms
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
53
Rogue Containment
Auto-Containment Configuration
Ability to Use Only Monitor Mode APs for Containment to Prevent Impact to Clients
Mitigate
WLC
Use auto-containment to nullify the most alarming threats Containment can have legal consequences when used improperly
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
54
Base IDS
Built-In to Controller Software
Uses Local and Monitor Mode APs
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved.
Adaptive wIPS
Requires MSE
55
Adaptive wIPS
Components and Functions
AP WLC
Attack Detection
24x7 Scanning
Over-the-Air Detection
Configuration
wIPS AP Management
MSE
WCS / NCS
Alarm Archival
Capture Storage
Complex Attack Analysis, Forensics, Events
Centralized Monitoring
Historic Reporting
Monitoring, Reporting
BRKEWN-2021
Cisco Public
56
BRKEWN-2021
Cisco Public
57
Ratio of wIPS monitormode APs to local-mode traffic APs varies by network design, but 1:5 ratio is reasonable estimate wIPS APs can simultaneously run contextaware location in monitormode
BRKEWN-2021
Cisco Public
58
With ELM
Single Data and wIPS AP
Cisco Adaptive Wireless IPS with Enhanced Local Mode Can Reduce Capital Investment by > 50%
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
59
Supports Adaptive wIPS for up to 2000 Monitor Mode APs Supports Context Aware for up to 2000 Tracked Devices
Supports Adaptive wIPS for up to 3000 Monitor Mode APs Supports Context Aware for up to 18000 Tracked Devices
Services can co-exist on the same MSE, but per-service maximums decrease.
For Example, the MSE3310 can handle 1000 wIPS APs + 1000 Context Tracked Items.
Mobility services may have different WLC/WCS software requirements Adaptive wIPS is licensed on a per-AP basis (both monitor mode and ELM APs count the same)
BRKEWN-2021 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
60
Attacks Detected
Attack Encyclopedia
Forensics
Anomaly Detection MSE Required WCS Required
BRKEWN-2021
X
X X X
X
X X X
Cisco Public
Yes
Yes Yes Yes
Yes
Yes Yes Yes
61
Solution
Insert a signature (Message Integrity Code/MIC) into the management frames Clients and APs use MIC to validate authenticity of management frame APs can instantly identify rogue/exploited management frames
CCXv5
AP Beacons Associations/Re-Associations
Authentications/ De-Authentications
BRKEWN-2021
Cisco Public
62
Inspects traffic flow for harmful applications and blocks wireless client connections
L2 IDS
Malicious Traffic
L3-7 IDS
Enterprise Intranet
63
WLAN Security
Vulnerabilities and Threats On-Wire Attacks Over-the-Air Attacks
Ad-Hoc Wireless Bridge
HACKER
MFP Neutralizes All HACKERS Management Frame AP Exploits, Such as Man-inthe-Middle Attacks
Connection to Malicious AP
Evil Twin/Honeypot AP
Reconnaissance
HACKER
Rogue Detection, Classification and Mitigation Addresses Rogue Access Points These Attacks
HACKER
Denial of Service
wIPS Detects These DENIAL OF SERVICE Attacks
Service Disruption
Non-802.11 Attacks
Backdoor Access
BLUETOOTH AP
BRKEWN-2021
BLUETOOTH
RF-JAMMERS
RADAR
64
Interference Type
Near
(25 ft)
Far
(75 ft)
Reduced network capacity and coverage Poor quality voice and video
(busy neighbor)
Microwave Oven
Bluetooth Headset DECT Phone
65
100
63
90
20
35
Uniquely identify and track multiple interferers Detects security-risk interferers like RF Jammers and Video Camera. Assess unique impact to Wi-Fi performance Monitor AirQuality
Cisco CleanAir
BRKEWN-2021
High-Resolution Interference Detection and Classification Logic Built-In to Ciscos 802.11n Wi-Fi Chip Design. Inline Operation with No CPU or Performance Impact.
Cisco Public
66
WLAN Security
Vulnerabilities and Threats On-Wire Attacks Over-the-Air Attacks
Ad-Hoc Wireless Bridge
HACKER
MFP Neutralizes All HACKERS Management Frame AP Exploits, Such as Man-inthe-Middle Attacks
Connection to Malicious AP
Evil Twin/Honeypot AP
Reconnaissance
HACKER
Rogue Detection, Classification and Mitigation Addresses Rogue Access Points These Attacks
HACKER
Denial of Service
wIPS Detects These DENIAL OF SERVICE Attacks
Service Disruption
Non-802.11 Attacks
BLUETOOTH
RF-JAMMERS
RADAR
67
BRKEWN-2021
Cisco Public
68
BRKEWN-2021
Cisco Public
69
BRKEWN-2021
Cisco Public
70
Thank you.
BRKEWN-2021
Cisco Public
71