
Wireless LAN Security

Presenters:
- Scott Clayton (Cisco), Systems Engineer, Richmond, sclayton@cisco.com
- Dave Fraser (Cisco), Systems Engineer, Herndon, davfrase@cisco.com
- Jim Tucker (Cisco), Account Manager, Norfolk, jtucker@cisco.com
- Jason (Jed) Krisch (ALI), Systems Engineer, Blacksburg, jasonk@ali-inc.com

Cisco Confidential

Agenda

- Self-Defending Network Strategy
- Deployment Example
- Why Cisco?

Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

The Self-Defending Network (SDN) is the Cisco strategy: an initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats.

Endpoint Protection (Keep Clients Safe)
- Strong Mutual Authentication
- Strong Encryption
- True Wireless IPS
- Adaptive Client Policies

Admission Control (Keep Clients Honest)
- Network Admission Control
- Guest Access

Anomaly and IDS/IPS (Protect the Network)
- Rogue AP detection and containment
- Multilayer client exclusions

Integrated Management

Checklist for Secure Wireless LANs

Endpoint Protection (Keep Clients Safe): Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies

Implementation Checklist:
- 802.1X (EAP)
- WPA2 (AES) or WPA (TKIP)
- Management Frame Protection
- Cisco CSA

Protected Access

What are WPA and WPA2?
- Authentication and encryption standards for Wi-Fi clients and APs
- 802.1X authentication
- WPA uses TKIP encryption
- WPA2 uses AES encryption

Which should I use? Go for the Gold! Silver, if you have legacy clients. Lead, if you absolutely have no other choice.

Gold: WPA2/802.11i, with EAP authentication and AES encryption
Silver: WPA, with EAP authentication and TKIP encryption
Lead: dWEP (legacy), with EAP/LEAP authentication plus VLANs and ACLs

How does Extensible Authentication Protocol (EAP) Authenticate Clients?

Parties: WLAN client, access point/controller, and a RADIUS server on the corporate network. The client and AP speak 802.1X (EAP); the AP relays EAP to the RADIUS server over RADIUS.

1. Client associates.
2. Client cannot send data until EAP authentication completes: data from the client is blocked by the AP.
3. EAP authentication completes (802.1X between client and AP, RADIUS between AP and server).
4. Client sends data: data from the client is now passed by the AP.

EAP-FAST: Simple, Versatile, and Secure

Diagram: inner credentials (OTP, UID/PW, certs, MSCHAPv2) carried inside the EAP-FAST tunnel to the AAA server, shown alongside the other tunneled and certificate-based EAP types (PEAP-GTC, PEAP-MSCHAPv2, EAP-TLS, EAP-TTLS).

Simple
- Simple to deploy
- No certs to provision or manage
- Supports secure username/password authentication
- Robust support: Fast Roaming (CCKM), IOS Local Authentication, Cisco NAC

Versatile
- Client stacks from Funk and Meetinghouse

Secure
- Support for multiple authentication types (OTP, MSCHAPv2, Certs)
- Open standard (on the path to RFC)
- Supported in CCXv4

What makes 802.11 vulnerable to attacks?

Most common attacks are against management frames.

Common attacks: VOID11, Aireplay, File2air, Airforge, ASLEAP, Jack attacks, FakeAP, Hunter/Killer

Diagram: Cisco Protected MFP.

Management Frame Protection (MFP)

- A solution for clients and infrastructure (APs)
- Clients and APs add a MIC (signature) into every management frame
- Anomalies are detected instantly and reported to Wireless Control Server (WCS)

Diagram: MFP-protected client and MFP-protected AP.
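Added example (not Cisco's MFP implementation): a receiver-side check of the MIC on management frames, in the spirit of the slide above. The shared key, the frame fields covered, and the truncated HMAC-SHA256 are all assumptions; the point is which anomalies a MIC lets a client or AP report, including a spoofed deauth without a MIC, one with a bogus MIC, and a replayed genuine frame.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key shared by an AP and its MFP-capable clients (hypothetical:
# the slide does not describe how the real MFP key is derived or distributed).
MFP_KEY = b"constructed-demo-mfp-key"

@dataclass
class MgmtFrame:
    subtype: str       # "beacon", "deauth", "disassoc", ...
    bssid: str         # transmitting AP
    dest: str          # destination station or broadcast
    seq: int           # per-sender sequence number, must increase
    mic: bytes = b""   # MIC (signature) carried in the frame; empty if absent

def mic_input(f: MgmtFrame) -> bytes:
    # Every field a forger would need to control is covered by the MIC.
    return f"{f.subtype}|{f.bssid}|{f.dest}|{f.seq}".encode()

def sign(f: MgmtFrame) -> MgmtFrame:
    # Sender side: a truncated HMAC-SHA256 stands in for the MFP MIC.
    f.mic = hmac.new(MFP_KEY, mic_input(f), hashlib.sha256).digest()[:8]
    return f

def check(f: MgmtFrame, last_seq: dict) -> str:
    """Receiver side: return 'ok' or the anomaly label to report to WCS."""
    if not f.mic:
        return "missing-mic"          # unprotected frame from a supposedly MFP AP
    expected = hmac.new(MFP_KEY, mic_input(f), hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(f.mic, expected):
        return "bad-mic"              # forged or tampered frame
    if f.seq <= last_seq.get(f.bssid, -1):
        return "replay"               # captured genuine frame sent again
    last_seq[f.bssid] = f.seq
    return "ok"

def run_demo() -> list:
    ap, sta, bcast = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff"
    genuine_beacon = sign(MgmtFrame("beacon", ap, bcast, 1))
    frames = [                                                   # constructed sequence
        genuine_beacon,
        MgmtFrame("deauth", ap, sta, 2),                         # spoofed deauth, no MIC
        MgmtFrame("deauth", ap, sta, 2, mic=b"\x00" * 8),        # spoofed deauth, bogus MIC
        MgmtFrame("beacon", ap, bcast, 1, mic=genuine_beacon.mic),  # replayed beacon
        sign(MgmtFrame("disassoc", ap, sta, 3)),                 # genuine disassoc
    ]
    last_seq = {}
    return [check(f, last_seq) for f in frames]
```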


CCX: Driving Security Standardization

CCX v1: 802.1X authentication; EAP-TLS & LEAP; Cisco pre-standard TKIP; client rogue reporting
CCX v2: WPA compliance; Fast Roaming with CCKM; PEAP
CCX v3: WPA2 compliance; EAP-FAST; CCKM with EAP-FAST; AES encryption
CCX v4: CCKM with EAP-TLS and PEAP; WIDS; MBSSID
CCX v5: MFP; client policies

Security and WLAN Clients

Trend: embedded adapters in most devices. Result: adapter reference designs in most devices.

How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?

Options:
- Try to standardize on adapters from one vendor
- Use WPA/WPA2 extended EAP certified clients
- Rely on what is available in Windows
- Use a commercial supplicant suite
- Support a mix of authentication types
- Use Cisco Compatible Extensions (CCX) adapters

Cisco Security Agent (CSA): Host Intrusion Prevention System

CSA provides day-zero attack protection. CSA stops day-zero malicious code without reconfiguration or update. CSA has the industry's best record of stopping zero-day exploits, worms, and viruses over the past 4 years:

- 2001: Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
- 2002: Sircam, Debploit, SQL Snake, Bugbear
- 2003: SQL Slammer, So Big, Blaster/Welchia, Fizzer
- 2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
- 2005: Internet Explorer Command Execution Vulnerability

No reconfiguration of the CSA default configuration, or update to the CSA binaries, was required.

CSA Wireless Awareness
- Shut off multiple network interfaces
- Disable Ad Hoc mode
- Connect to only corporate SSIDs


Checklist for Secure Wireless LANs

Admission Control (Keep Clients Honest): Network Admission Control, Guest Access

Implementation Checklist:
- Cisco NAC for wired and wireless
- Cisco CSA
- Guest: integrated captive portal w/ traffic tunneling

The Need for Admission Control

- Viruses, worms, spyware, etc. continue to plague organizations
- Viruses still #1 cause of financial loss* (downtime, recovery, productivity, etc.)
- Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance
- Unprotected endpoint devices are often responsible for spreading infection
- Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive

*2005 FBI/CSI Report

"Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage." (Burton Group)

The NAC Solution

NAC Framework
- Sold through NAC-enabled products
- Integrated solution leveraging Cisco network and vendor products

NAC Appliance
- Leverages Cisco Clean Access
- Sold as virtual or integrated appliance
- Self-contained product: integrates with, but does not rely on, partners

NAC Infrastructure
- Offers customers a deployment timeframe choice
- Adapts to customers' investment protection requirements

CCA Network Configuration

Diagram: Clean Access network topology. Components labelled: ACS / DHCP, Clean Access Manager (192.168.2.4), Clean Access Server, Wireless Controller, Intranet, Internet. Subnets shown: 10.1.1.x/24, 192.168.1.x/24, 192.168.2.x/24, 192.168.3.x/24, 172.18.10.x/24 (VLAN 172 & 173), 172.19.10.0/24. SSID guest maps to VLAN 172; SSID regular maps to VLAN 173.

NAC2: Ubiquitous Admission Control

CTA-capable endpoints with NAC-capable 802.1X supplicants. Diagram: endpoint (CTA) to Network Access Device (NAD) over 802.1X (EAPo802.1X); NAD to ACS over EAPoRADIUS; ACS to network vendor server over HCAP.

1. 802.1X connection setup between NAD and endpoint
2. NAD requests credentials from endpoint (EAPo802.1X); this may include user, device, and/or posture
3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)
4. NAD sends credentials to ACS (EAPoRADIUS)
5. ACS can proxy portions of posture authentication to vendor server (HCAP)
6. User/device credentials sent to authentication databases (LDAP, Active Directory, etc.)
7. ACS validates credentials, determines authorization rights; e.g. visitors given GUEST access, unhealthy devices given QUARANTINE access
8. ACS sends authorization policy to NAD (VLAN assignment); host assigned VLAN, may then gain IP access (or denied, restricted)
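Added example, not Cisco's ACS or NAD code: a miniature of the 802.1X flow from the EAP slide (data blocked until authentication completes) combined with the eight NAC steps above, where ACS turns identity plus posture into a VLAN assignment. The user database, posture rule, and quarantine VLAN 999 are constructed; VLANs 172 (guest) and 173 (regular) follow the CCA slide.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (not from the slides): identity store and posture policy.
USER_DB = {"alice": ("s3cret", "employee"), "visitor": ("guest", "guest")}
# VLAN 172 (guest) and 173 (regular) follow the CCA slide; 999 is an assumed quarantine VLAN.
VLAN = {"employee": 173, "guest": 172, "quarantine": 999}
MIN_AV_VERSION = 5   # assumed posture requirement

@dataclass
class Credentials:
    user: str
    password: str
    posture: dict   # e.g. {"av_version": 5, "firewall": True}, as reported by CTA

@dataclass
class NAD:
    """Network Access Device: the port stays blocked until ACS authorizes it."""
    authorized: bool = False
    vlan: Optional[int] = None

    def forward(self, payload: str) -> str:
        return f"passed:{payload}" if self.authorized else "blocked"

def acs_authorize(c: Credentials) -> Tuple[str, int]:
    """ACS: validate identity, then posture; return (decision, VLAN to assign)."""
    entry = USER_DB.get(c.user)
    if entry is None or entry[0] != c.password:
        return "reject", 0                       # authentication failed, no VLAN
    _, role = entry
    if role == "guest":
        return "guest", VLAN["guest"]            # visitors get GUEST access
    healthy = (c.posture.get("av_version", 0) >= MIN_AV_VERSION
               and c.posture.get("firewall", False))
    if not healthy:
        return "quarantine", VLAN["quarantine"]  # unhealthy devices get QUARANTINE access
    return "permit", VLAN[role]

def connect(nad: NAD, c: Credentials) -> Tuple[str, str]:
    """Steps 1-8 in miniature: associate, authenticate via ACS, apply VLAN policy."""
    before = nad.forward("data")        # step 1: associated, but 802.1X port still blocked
    decision, vlan = acs_authorize(c)   # steps 2-7: credentials and posture go to ACS
    if decision != "reject":
        nad.authorized, nad.vlan = True, vlan   # step 8: NAD applies the VLAN assignment
    return before, decision
```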


Secure Guest Access

- Captive portal native in the controller
- Two options for guest access: (1) guest users can be placed on a guest VLAN; (2) all guest traffic is tunneled to a guest controller
- User DB can be local or RADIUS
- Robust administration: ambassador login, customizable web pages

Diagram: enterprise user and guest user; guest SSID traffic carried over a switch-to-switch guest tunnel across the enterprise network to the guest controller in the DMZ, which is the guest client's default gateway.


Checklist for Secure Wireless LANs

Anomaly and IDS/IPS (Protect the Network): Rogue AP detection and containment, Multilayer client exclusions

Implementation Checklist:
- Wireless IDS
- Rogue Detect/Containment
- FIPS

Protect the Network: wIDS Detection and Containment

HYPE: External wIDS sensors are the best way to detect and remediate all wireless attacks.
REALITY: Most attacks/events occur on the AP/client channel.
ROGUES and AD HOCs: Detected quickly via intelligent off-channel scanning.

Diagram: an on-channel attack is detected (attacker on 802.11g channel 6, the channel serving a valid client); an off-channel rogue AP is detected on 802.11a channel 153 and the AP contains the rogue client (RF containment); an off-channel ad hoc network is detected on 802.11g channel 1 and the AP contains the ad hoc client; a valid client is served on 802.11a channel 152.

A Complete Solution for Handling Rogues

1. Detect Rogue AP (generate alarm)
2. Assess Rogue AP (identity, location, ...)
3. Contain Rogue AP
4. View Historical Report

Can be automated; multiple rogues contained simultaneously.
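Added example, not Cisco's wIDS code: the detect and assess steps (1 and 2) of the rogue-handling list above run over constructed scan results, covering the three cases on the previous slide: an off-channel rogue AP, an off-channel ad hoc network, and an on-channel deauth flood against one of our own APs (the "excess management frame detection" named later in the deck). The authorized AP inventory, SSIDs, and the flood threshold are assumptions; containment is left to the controller and not modelled.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (not from the slides): the authorized AP inventory and
# an assumed per-channel threshold for "excess management frames".
AUTHORIZED_APS = {"00:aa:00:00:00:01", "00:aa:00:00:00:02"}
OUR_SSIDS = {"corp", "guest"}
DEAUTH_FLOOD_THRESHOLD = 20

@dataclass
class Observation:
    kind: str           # "beacon" (seen while scanning) or "deauth" (management frame)
    bssid: str
    ssid: str
    channel: int
    ibss: bool = False  # IBSS capability bit set: an ad hoc network, not an AP

def classify_beacon(o: Observation) -> str:
    """Step 2 (assess): decide what kind of thing an off-channel scan found."""
    if o.bssid in AUTHORIZED_APS:
        return "valid"
    if o.ibss:
        return "adhoc"
    # An unknown AP advertising one of our SSIDs deserves the highest priority.
    return "rogue-spoofing-ssid" if o.ssid in OUR_SSIDS else "rogue"

def analyze(observations: list) -> dict:
    """Step 1 (detect): turn scan results into alarms keyed by BSSID (or BSSID/channel)."""
    alarms = {}
    deauths = Counter()
    for o in observations:
        if o.kind == "beacon":
            label = classify_beacon(o)
            if label != "valid":
                alarms[o.bssid] = {"type": label, "ssid": o.ssid, "channel": o.channel}
        elif o.kind == "deauth":
            deauths[(o.bssid, o.channel)] += 1
    # On-channel attack: a burst of deauth frames claiming to come from one of our own APs.
    for (bssid, ch), n in deauths.items():
        if n >= DEAUTH_FLOOD_THRESHOLD:
            alarms[f"{bssid}/ch{ch}"] = {"type": "deauth-flood", "count": n, "channel": ch}
    return alarms

def sample_scan() -> list:
    obs = [                                                                   # constructed
        Observation("beacon", "00:aa:00:00:00:01", "corp", 6),                # our AP
        Observation("beacon", "00:bb:00:00:00:99", "corp", 153),              # rogue using our SSID
        Observation("beacon", "00:cc:00:00:00:77", "adhocnet", 1, ibss=True), # ad hoc network
        Observation("beacon", "00:dd:00:00:00:42", "freewifi", 11),           # unrelated rogue
    ]
    obs += [Observation("deauth", "00:aa:00:00:00:01", "", 6)] * 25           # on-channel flood
    return obs
```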


Cisco WCS: Centralized Security Management


Security Management

CS-MARS: network-wide anomaly detection; rules-based correlation
WCS: simple, powerful dashboard; robust reporting

Checklist Summary

Endpoint Protection (Keep Clients Safe): Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies
  Checklist: 802.1X (EAP); WPA2 (AES) or WPA (TKIP); Management Frame Protection; Cisco CSA

Admission Control (Keep Clients Honest): Network Admission Control, Guest Access
  Checklist: Cisco NAC for wired and wireless; Cisco CSA; Guest: integrated captive portal w/ traffic tunneling

Anomaly and IDS/IPS (Protect the Network): Rogue AP detection and containment, Multilayer client exclusions
  Checklist: Wireless IDS; Rogue Detect/Contain; FIPS

Deployment Example

2005 Cisco Systems, Inc. All rights reserved.


Education: Campus-Wide Connectivity

- Most U.S. college campuses have either deployed or are planning to deploy a WLAN
- Cheaper than wiring the campus
- Ubiquitous coverage increases value of the network
  - Users more likely to bring their laptops when they have confidence about wireless coverage
  - Makes students less likely to set up a rogue AP in their dorm

Education Deployment Example

- Collaborative learning applications aid students and teachers
- Staff: requirement to access student records and other sensitive data over WLAN
- Deployment goals:
  - Non-standardized client environment for students
  - Students: user authentication only
  - Staff: user authentication and data confidentiality
- Non-standardized client environment for students means: students are allowed to bring any device, could be using any OS, and could be using any vendor WLAN NIC
- Standardized device (OS and WLAN NIC) for staff

Education Deployment Example (cont'd)

- Open with MAC address authentication along with web-based authentication deployed for students
- Data confidentiality not provided to students due to the non-standardized client environment
- Client devices for staff standardized on Windows XP and 2000 with Cisco PCM350 and CB21AG client adapters
- EAP-FAST with WPA deployed for staff to provide user-based authentication and data confidentiality

Education Deployment Example (cont'd)

- Centralized WLAN deployment provides a scalable WLAN deployment model
- May use Cisco Clean Access to mitigate DoS attacks and viruses from infected WLAN hosts
- Deploy WLAN intrusion detection (rogue AP, excess management frame detection, etc.)
- Use separate VLANs/SSIDs for student and staff WLAN access
- Student WLAN configured for open access with web authentication
- Staff WLAN configured for EAP authentication, using an EAP type which is compatible with the deployed staff client devices

Why Cisco?


The WLAN Market Leader

- 61% WLAN market share
- 4x the size of nearest competitor
- Continued focus on WLAN growth
- Top 3 Cisco Advanced Technology
- $100M/year investment in wireless R&D

Chart: WLAN market share by quarter (3Q04, 4Q04, 1Q05, 2Q05) for Cisco, Symbol, Aruba, 3Com, Alcatel, Bluesocket, and Other.

Proven Customer Track Record

- 2.1+ million Cisco APs deployed worldwide
- 70,000+ Cisco WLAN customers worldwide
- 95% of Fortune 500 companies use Cisco products
- 45,000+ dual-band APs: largest Cisco deployment, with Home Depot
- Cisco ranked Top 10 Most Powerful Networking Company by Network World
- Cisco #1 for Innovations in IT by InformationWeek 500

Shaping the Industry

- Wi-Fi Alliance founding member
- Initial author of 802.11 and LWAPP (and subsequent resources on the subject)
- Chair of numerous IEEE committees (802.11i, 802.11r, 802.11m)
- Founding contributors to Network World's Wireless Wizards column
- Award-winning CCIE program

The Right Pieces for Success

Global Support Organization
- 24-hour, global access to a team of expert engineers
- 120 countries geographic coverage
- Technical Support Services: 390+ CCIEs
- Onsite field engineers

Global Partnerships
- 200,000 worldwide partners
- 4,000 specialization badges
- IBM, Intel, HP, EDS, CG&Y, Microsoft

Full Services Portfolio: Lifecycle Support
- Advisory Services
- Advanced Services
- Technical Support Services

Most Publicly Recognized Industry Platform

- Product Awards
- Head-to-Head Bakeoffs
- Best of Show

The Cisco Wireless Strategy: Enabling the Secure, Mobile, Interactive Workplace

- Unification
- Innovation
- Investment Protection

Education

- Campus-wide connectivity
- Cheaper than wiring the campus
- Ubiquitous coverage increases value of the network
- Increased network security by reducing student rogue APs
- Multipurpose WLAN for students, faculty, staff and business operations