
Integrated Defense-in-Depth

Security for WLANs


BRKAGG-2015

2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Session Agenda

Topics covered in this session:
- Authentication and encryption best practices
- Rogue device detection, classification and mitigation
- Attack detection and mitigation
- Management Frame Protection
- Wired/wireless IDS integration

Prerequisites for this session:
- Knowledge of 802.11 fundamentals
- Basic wireless security concepts
WLAN Security Components

WLAN security rests on four components: strong authentication, strong encryption, rogue device management, and attack detection and mitigation.
Authentication and Encryption
Best Practices

Authentication Evolution

MAC address authentication -> WEP -> 802.1X with dynamic WEP -> WPA/WPA2
WPA/WPA2 Breakdown

WPA: a snapshot of the draft 802.11i standard; commonly used with TKIP encryption.
WPA2: the final version of 802.11i; commonly used with AES encryption.

Authentication mechanisms for both:
- Personal (PSK): home use
- Enterprise (802.1X/EAP): office use
Authentication Best Practices: WPA2-Enterprise

Strong authentication: Extensible Authentication Protocol (EAP)
- Outer methods (protective TLS tunnel): PEAP, EAP-FAST
- Inner methods (authentication credentials): EAP-MSCHAPv2, EAP-GTC

The tunnel protects the inner credentials only if the client validates the far end of it: with PEAP the client must check the server certificate against a trusted CA (and, ideally, the expected server name); with EAP-FAST it must hold a securely provisioned PAC. A client that skips that check will hand its MSCHAPv2 exchange to any evil-twin AP that offers the same SSID.

Strong encryption: AES
EAP Protocol Flow

Diagram: the EAP exchange runs between the client (supplicant), the authenticator (access point and wireless LAN controller, joined by a CAPWAP tunnel) and the authentication server.
Encryption Evolution

WEP (RC4) -> TKIP (RC4 plus the Michael MIC) -> AES (CCMP)
The TKIP Vulnerability

Once thought safe, TKIP encryption is cracked:
http://www.pcworld.com/businesscenter/article/153396/once_thought_safe_wpa_wifi_encryption_is_cracked.html

- Security researchers claim that they can recover the message integrity check (MIC) key used in TKIP.
- Recovery of the MIC key facilitates packet forgeries, but only in the AP-to-client direction (TKIP uses a separate MIC key per direction).
- The encryption key is *not* recovered, so data traffic cannot be read via this attack; this is not like the WEP crack of years back.

What is the risk?
- Short, predictable frames such as ARP and DNS can be forged and injected toward the client, but only a handful of frames per recovered keystream (at most 7, one per remaining QoS priority queue) before the attacker has to repeat the slow key-recovery step.
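The following is an added example, not part of the original deck and not Cisco code: a Python implementation of Michael, the TKIP MIC, written from the IEEE 802.11i specification. It shows the property the attack above rests on: Michael is an invertible function of its 64-bit key, so a single plaintext frame with its MIC is enough to compute the MIC key, after which forged frames can be stamped with valid MICs. The test vector (all-zero key, empty message) is the first one in the 802.11i annex; the sample key and the ARP-like payload are constructed.

```python
"""Michael, the TKIP message integrity code, implemented from the IEEE
802.11i specification as an added example for this page (not Cisco code).
Michael is invertible in its key: one plaintext frame with its MIC is
enough to compute the MIC key, which is what "recovering the MIC key" in
the attack above boils down to.  The test vector (all-zero key, empty
message) is the first one in the 802.11i annex; the sample key and the
ARP-like payload below are constructed."""

MASK32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0x00FF00FF) << 8) | ((x & 0xFF00FF00) >> 8)


def _block(l, r):
    """Michael block function b(L, R)."""
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def _unblock(l, r):
    """Inverse of _block: every step is an add or an XOR, so it runs backwards."""
    l = (l - r) & MASK32; r ^= _ror(l, 2)
    l = (l - r) & MASK32; r ^= _rol(l, 3)
    l = (l - r) & MASK32; r ^= _xswap(l)
    l = (l - r) & MASK32; r ^= _rol(l, 17)
    return l, r


def _pad(msg):
    # 802.11i: append 0x5a, then 4 to 7 zero bytes, up to a multiple of 4 bytes.
    return msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 5) % 4))


def _words(data):
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]


def michael(key, msg):
    """64-bit MIC over msg (in TKIP: DA || SA || priority || 000 || MSDU)."""
    if len(key) != 8:
        raise ValueError("Michael key is 64 bits")
    l = int.from_bytes(key[:4], "little")
    r = int.from_bytes(key[4:], "little")
    for w in _words(_pad(msg)):
        l, r = _block(l ^ w, r)
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def recover_key(msg, mic):
    """Run Michael backwards from a known (plaintext, MIC) pair to the key.
    This is the step that turns one decrypted TKIP frame into the ability
    to stamp valid MICs on forged frames."""
    l = int.from_bytes(mic[:4], "little")
    r = int.from_bytes(mic[4:], "little")
    for w in reversed(_words(_pad(msg))):
        l, r = _unblock(l, r)
        l ^= w
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def forge(mic_key, new_plaintext):
    """With the recovered MIC key an attacker produces a MIC the receiver
    will accept for a frame the AP never sent."""
    return michael(mic_key, new_plaintext)


if __name__ == "__main__":
    assert michael(bytes(8), b"") == bytes.fromhex("82925c1ca1d130b8")
    key = bytes.fromhex("0123456789abcdef")            # constructed MIC key
    frame = b"ARP who-has 10.0.0.1 tell 10.0.0.5"       # constructed plaintext
    mic = michael(key, frame)
    print("MIC:", mic.hex(), "recovered key:", recover_key(frame, mic).hex())
```

Michael was designed to be cheap enough for WEP-era hardware, not to be a one-way MAC; the 802.11i countermeasure (rekey after two MIC failures within 60 seconds) exists precisely because key recovery from a known pair is this easy. CCMP's CBC-MAC has no such inversion, which is one more reason for the AES recommendation that follows.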
Encryption Best Practices: TKIP and AES

TKIP (Temporal Key Integrity Protocol)
- Use only for legacy clients without AES support.
- Often available as a software update for WEP-era clients, since it keeps the RC4 hardware.
- Can be run in conjunction with AES (mixed mode), at the cost of keeping the weaker cipher on the air for every client.

AES (Advanced Encryption Standard, CCMP)
- Requires hardware support (roughly 2005 chipsets or later).
- Achieves line-rate speeds.
- The only encryption standard supported for 802.11n (HT) data rates; TKIP and WEP clients fall back to legacy rates.
Rogue Detection, Classification
and Mitigation

Rogue Devices

What is a rogue?
- Any device that is sharing your spectrum but is not managed by you.
- The majority of rogues are set up by insiders (low cost, convenience, ignorance).

When is a rogue dangerous?
- When it is set up to use the same ESSID as your network (honeypot).
- When it is detected to be on the wired network as well.
- Ad-hoc rogues are arguably a big threat too: they are usually set up by an outsider with malicious intent.

What needs to be done?
- Detect
- Classify (over the air and on the wire)
- Mitigate (shut down, contain, etc.)
Phases of Rogue Management

Detect
- Listen for non-infrastructure access points, clients and ad-hocs
- 802.11n rogue considerations

Classify
- Rogue rules based on RSSI, SSID, clients, etc.
- Assessing whether the rogue is on the wired infrastructure
- Switch port tracing

Mitigate
- Switch port shutting
- Location pin-pointing
- Over-the-air containment
Cisco Rogue Management Diagram

Diagram: multiple detection methods work together. Authorized APs perform RRM scanning and RLDP from the access layer, a rogue detector AP listens on the wire, and the Wireless Control System (WCS) performs switchport tracing through the access, distribution and core switches; the wireless LAN controller ties the methods together.
Listening for Rogues (Detect)
Two Different AP Modes for RRM Scanning

Local mode access points
- Serve clients, with time-sliced off-channel scanning
- Listen for 50 ms on each channel
- Configurable to scan: all channels, country channels (default), or DCA channels

Monitor mode access points
- Dedicated to scanning
- Listen for 1.2 s on each channel
- Scan all channels

Rogue detection mechanisms
- Any AP not broadcasting the same RF group name, or not part of the same mobility group, is considered a rogue
- Automatic white listing for autonomous APs managed by WCS
RRM Channel Scanning (Detect)
Local Mode AP

AP on channel 1, 802.11b/g/n, US country channels: the AP serves clients on channel 1, then leaves for 50 ms (plus roughly 10 ms to change channel each way) to listen on channel 2, returns to channel 1 for about 16 s, leaves to listen on channel 3, and so on through channel 11. Every 16 s a new channel is scanned for 50 ms (180 s scan cycle / 11 channels = ~16 s).

AP on channel 36, 802.11a/n, US country channels (without UNII-2 Extended): the same pattern across channels 40, 44, 48, 52, 56, 60, 64, 149, ... Every ~14.5 s a new channel is scanned for 50 ms (the 180 s scan cycle spread over the 12 remaining channels).

A 50 ms dwell can miss a rogue's beacons entirely (the default beacon interval is about 100 ms), so a local mode AP may need several scan cycles before it reports a rogue that a monitor mode AP would catch in one pass.
RRM Channel Scanning (Detect)
Monitor Mode AP

802.11b/g/n, all channels: the radio dwells 1.2 s on channel 1, takes ~10 ms to switch, dwells 1.2 s on channel 2, and so on through channel 14 before starting over. Each channel is visited about 10.7 times ((180 s / 1.2 s) / 14 channels) within the 180 s channel scan duration, i.e. roughly 13 s of listening per channel.

802.11a/n, all channels: the same 1.2 s dwell across channels 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, ... Each channel is visited about 6.8 times ((180 s / 1.2 s) / 22 channels) within the 180 s channel scan duration, i.e. roughly 8 s per channel.
802.11n Rogue Detection (Detect)

802.11n mixed mode
- Detectable by 11a/g devices
- The most common mode of 11n access points
- Facilitates backwards compatibility with 802.11a/g clients by using 11a/g modulation for management and control frames

802.11n greenfield mode
- Only detectable by 802.11n devices
- Management, control and data frames are all sent using 11n modulation schemes, so a legacy-radio scanner never decodes its beacons
Rogue Information Available at WCS and Controller (Detect)

- Network name
- Radio type (including 11n)
- Number of clients

Both local mode and monitor mode APs provide the same information regarding the rogue.
Rogue Classification Rules (Classify)
Concept

Classification is based on threat severity and drives the mitigation action; rules are tailored to the customer's risk model.

Lower severity            Higher severity
Off-network               On-network
Secured                   Open
Foreign SSID              Our SSID
Weak RSSI                 Strong RSSI
Distant location          On-site location
No clients                Attracts clients
Rogue Classification Rules (Classify)
Examples

Rogue rule 1: SSID "tmobile", RSSI -80 dBm -> the detected rogue is marked Friendly.
Rogue rule 2: SSID "Corporate" (our own SSID), RSSI -70 dBm -> the detected rogue is marked Malicious.
Rogues matching no rule are marked Unclassified.

Rules are stored and executed on the Wireless LAN Controller.
Rogue Classification Rules (Classify)
Configuration and Operation

Screenshots: the configured rules are sorted by priority, and the operation view shows the resulting classification of detected rogues.
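An added example, not WLC code and not WLC rule syntax, showing the classification concept from the slides above in Python: rules are walked in priority order, the first match names the class, and a rogue matching no rule stays Unclassified. The field names, the rule semantics (min_rssi means "at least this strong", max_rssi "no stronger than this") and the sample rogues are assumptions constructed for the example.

```python
"""Ordered rogue classification rules, as an added example (not WLC code or
WLC rule syntax).  Rules are evaluated in priority order, the first match
names the class, and a rogue matching no rule stays Unclassified.  Field
names, rule semantics and the sample rogues are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi: int            # dBm at the strongest detecting AP
    clients: int
    on_wire: bool        # confirmed by RLDP, rogue detector or switchport tracing
    encryption: str      # "open", "wep", "wpa", "wpa2"


@dataclass
class Rule:
    name: str
    classify_as: str                        # "Friendly" or "Malicious"
    ssid_in: Optional[frozenset] = None     # SSID must be one of these
    min_rssi: Optional[int] = None          # rogue must be at least this strong
    max_rssi: Optional[int] = None          # rogue must be no stronger than this
    min_clients: Optional[int] = None
    on_wire: Optional[bool] = None
    encryption_in: Optional[frozenset] = None

    def matches(self, r: Rogue) -> bool:
        # Every condition that is set must hold; unset conditions are wildcards.
        return all((
            self.ssid_in is None or r.ssid in self.ssid_in,
            self.min_rssi is None or r.rssi >= self.min_rssi,
            self.max_rssi is None or r.rssi <= self.max_rssi,
            self.min_clients is None or r.clients >= self.min_clients,
            self.on_wire is None or r.on_wire == self.on_wire,
            self.encryption_in is None or r.encryption in self.encryption_in,
        ))


def classify(rogue: Rogue, rules: list) -> tuple:
    """First matching rule wins, so list order is the priority order."""
    for rule in rules:
        if rule.matches(rogue):
            return rule.classify_as, rule.name
    return "Unclassified", None


# Priority matters: the wired check comes first so that a rogue found on our
# own LAN is never excused by the lower-priority "friendly neighbour" rule.
RULES = [
    Rule("on-our-wire", "Malicious", on_wire=True),
    Rule("our-ssid-honeypot", "Malicious",
         ssid_in=frozenset({"Corporate"}), min_rssi=-70),
    Rule("open-with-clients-nearby", "Malicious",
         encryption_in=frozenset({"open"}), min_rssi=-65, min_clients=1),
    Rule("coffee-shop-next-door", "Friendly",
         ssid_in=frozenset({"tmobile"}), max_rssi=-80),
]

# Constructed sample of detected rogues (locally administered MACs).
SAMPLE = [
    Rogue("02:00:00:00:00:01", "tmobile",   -85, 2, False, "wpa"),
    Rogue("02:00:00:00:00:02", "Corporate", -60, 0, False, "open"),
    Rogue("02:00:00:00:00:03", "tmobile",   -85, 1, True,  "wpa"),
    Rogue("02:00:00:00:00:04", "Corporate", -90, 0, False, "wpa2"),
    Rogue("02:00:00:00:00:05", "linksys",   -55, 3, False, "open"),
]


def classify_all(rogues=SAMPLE, rules=RULES) -> dict:
    return {r.bssid: classify(r, rules) for r in rogues}


if __name__ == "__main__":
    for bssid, (cls, rule) in classify_all().items():
        print(f"{bssid}  {cls:12s} {rule or '-'}")
```

The third sample rogue advertises "tmobile" at a weak signal but was found on our wire; with the rules in the order above it is Malicious, and reversing the list would make it Friendly. That is the whole reason the controller sorts rules by priority, and the reason wired-confirmation rules belong at the top.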
Rogue Detector AP Mode (Classify)
Concept

Diagram: a rogue AP and an authorized AP hang off the same Layer 2 switched network; the rogue detector AP sits on a trunk port and sees the rogue clients' ARP traffic on the wire.

- The wired rogue detector AP detects all rogue client and AP ARPs.
- The controller queries the rogue detector to determine whether rogue clients are on the network.
- Does not work with NAT APs: the rogue's clients are hidden behind the rogue AP's wired MAC address, so their over-the-air MACs never appear in wired ARPs.
Rogue Detector AP Mode (Classify)
Deployment Scenario

Diagram: one rogue detector per floor (floor 1, floor 2, floor 3), each on a trunk of its floor's access switching.

Install one rogue detector per floor.
Rogue Detector AP Mode (Classify)
Operation

WCS alarm, changed from Minor to Critical:
  Security Alert: Rogue with MAC Address: 00:09:5b:9c:87:68 has been detected on the wired network

Rogue detector AP debug output (rogue entries 0009.5b9c.8768 and 0021.4458.6652 were pushed to the detector by the WLC):
  > debug capwap rm rogue detector
  ROGUE_DET: Found a match for rogue entry 0021.4458.6652
  ROGUE_DET: Sending notification to switch
  ROGUE_DET: Sent rogue 0021.4458.6652 found on net msg
Rogue Detector AP Mode (Classify)
Configuration

WLC: set the AP mode to Rogue Detector. All radios become disabled in this mode; the AP listens on its wired port only.

Switch port for the rogue detector AP (a trunk carrying every VLAN a rogue could be plugged into):

  interface GigabitEthernet1/0/5
   description Rogue Detector
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 113
   switchport mode trunk
   spanning-tree portfast

Two checks worth making: the native VLAN (113 here) must be the VLAN the AP uses to reach its controller, because the AP's own CAPWAP traffic is untagged; and on Catalyst IOS a plain "spanning-tree portfast" only takes effect on access ports, so on a trunk use "spanning-tree portfast trunk" or the command is accepted but ignored.
Rogue Location Discovery Protocol (Classify)
Concept

Diagram: a managed AP connects to the rogue AP as a client and sends a packet across the routed/switched network to the WLC.

RLDP (Rogue Location Discovery Protocol)
- Connects to the rogue AP as a client
- Sends a packet to the controller's IP address; if the controller receives it, the rogue is on our wire
- Only works with open rogue access points
Rogue Location Discovery Protocol (Classify)
Operation

WCS alarm, changed from Minor to Critical:
  Security Alert: Rogue with MAC Address: 00:13:5f:fa:27:c0 has been detected on the wired network

WLC debug output:
  > debug dot11 rldp
  Successfully associated with rogue: 00:13:5f:fa:27:c0
  Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
  RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0 Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
  Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
  Received 32 byte ARLDP message from: 172.20.226.253:52142

AP console output while RLDP runs on the detecting AP (the radio is reset to act as a client, then returned to service):
  %LWAPP-5-RLDP: RLDP started on slot 0.
  %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
  %LWAPP-5-RLDP: RLDP stopped on slot 0.
Rogue Location Discovery Protocol (Classify)
Automatic Operation

Two automatic modes of operation:
- AllAPs: uses both local and monitor mode APs
- MonitorModeAPs: uses only monitor mode APs

Recommended: Monitor Mode APs. RLDP can impact service on client-serving APs.
Rogue Location Discovery Protocol (Classify)
Manual Operation

RLDP can be manually initiated against a rogue MAC address:
  config rogue ap rldp initiate <rogue mac>

WLC debug output:
  >debug dot11 rldp
  >config rogue ap rldp initiate 00:13:5f:fa:27:c0
  Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
  RLDP DHCP REQUEST RECV for rogue 00:13:5f:fa:27:c0
  Received DHCP packet with xid 0xb080d074 from rogue AP 00:1d:70:f0:d4:c1
  RLDP DHCP REQUEST received for rogue 00:13:5f:fa:27:c0
  BOOTP[rldp] op: REPLY
  RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0
  Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
  Send ARLDP to 172.20.226.198 (00:1D:70:F0:D4:C1) (gateway)
  Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:21:d8:48:c1:61
  Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
  Sending ARLDP packet to 00:1f:9e:9b:29:80 from 00:21:d8:48:c1:61
  Send ARLDP to 0.0.0.0 (00:1D:70:F0:D4:C1) (gateway)
  Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:21:d8:48:c1:61
  Received 32 byte ARLDP message from: 172.20.226.253:52142
  Packet Dump:
  sourceIp: 172.20.226.253
  destIp: 172.20.226.197
  Rogue Mac: 00:13:5F:FA:27:C0
Rogue Location Discovery Protocol (Classify)
Caveats

- RLDP works only on open rogues (no authentication or encryption).
- RLDP will impact client service when run on a local mode AP.
- RLDP works only if the rogue is connected to a VLAN that routes to the wireless LAN controller.
- RLDP will not work on rogues in DFS channels.
- RLDP will attempt to identify each rogue AP only once; if the process fails (for example the rogue hands out no DHCP lease), RLDP will not re-run and the rogue stays unconfirmed unless another method traces it.
Switchport Tracing (Classify)
Concept

Diagram: (1) WCS runs "show cdp neighbors" on the switch behind the managed AP that hears the rogue; (2, 3) it then searches the CAM tables of that switch and its neighbours until a match is found.

WCS switchport tracing
- Identifies the CDP neighbours of the APs detecting the rogue
- Queries each switch's CAM table for the rogue's MAC address
- Works for rogues with security and NAT
WCS Switchport Tracing (Classify)
Operation

Tracing is done on demand, per rogue AP. WCS output:

  Switch port tracing started for rogue AP 00:09:5B:9C:87:68
  Rogue AP 00:09:5B:9C:87:68 vendor is Netgear
  Following MAC addresses will be searched:
  00:09:5B:9C:87:68, 00:09:5B:9C:87:67, 00:09:5B:9C:87:69
  Following rogue client MAC addresses will be searched:
  00:21:5D:AC:D8:98
  Following vendor OUIs will be searched:
  00:0F:B5, 00:22:3F, 00:1F:33, 00:18:4D, 00:14:6C, 00:09:5B
  Rogue AP 00:09:5B:9C:87:68 was reported by following APs: 1140-1
  Reporting AP 1140-1 is connected to switch 172.20.226.193
  Following are the Ethernet switches found at hop 0: 172.20.226.193
  Started tracing the Ethernet switch 172.20.226.193 found at hop 0
  Tracing is in progress for Ethernet switch 172.20.226.193
  MAC entry 00:09:5B:9C:87:69 (MAC address +1/-1) found.
  Ethernet Switch: 172.20.226.193, VLAN: 113, Port: GigabitEthernet1/0/33
  Finished tracing all the Ethernet switches at hop 0

The BSSID +1/-1 search exists because consumer APs usually derive the radio BSSID from the wired Ethernet MAC by adding or subtracting one. The OUI search is the weakest signal: it only says that some device from the rogue's vendor (here Netgear) is on the port.
WCS Switchport Tracing (Classify)
Operation (Cont)

Screenshot: the result list shows, per port, the match type (exact MAC, MAC +1/-1, rogue client, vendor OUI) and the number of MACs found on the port, with a button to shut the port. A port carrying many MACs is usually an uplink to another switch rather than the rogue's own port.
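The wired-side trace below is an added example modelled on the WCS log above; it is not WCS code. It builds the same candidate set the log lists (BSSID, BSSID +1/-1, rogue client MACs, the rogue vendor's OUIs), searches each switch's CAM table and ranks hits by how specific the match is, de-ranking ports that carry many MACs because those are likely uplinks. The CAM tables and the hop ordering are constructed; in practice they come from the switches over SNMP (BRIDGE-MIB dot1dTpFdbTable), which is what the SNMP credentials WCS asks for are used for.

```python
"""Wired-side rogue trace, added example modelled on the WCS switchport
tracing log (not WCS code).  Candidate MACs: BSSID, BSSID +1/-1, rogue
client MACs; plus a weaker match on the rogue vendor's OUIs.  CAM tables
are constructed; WCS reads them over SNMP."""
from collections import Counter
from dataclasses import dataclass

MAC_MASK = (1 << 48) - 1
# Match types, strongest first.  The scores are this example's own ranking.
SCORE = {"exact BSSID": 3, "MAC address +1/-1": 2, "rogue client": 2, "vendor OUI": 1}


def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def int_mac(v: int) -> str:
    return ":".join(f"{(v >> s) & 0xFF:02X}" for s in range(40, -1, -8))


def candidates(bssid: str, clients) -> dict:
    """MAC -> match type.  +1/-1 covers APs whose radio BSSID is derived
    from the wired MAC by adding or subtracting one."""
    b = mac_int(bssid)
    cands = {int_mac(b): "exact BSSID"}
    for nb in ((b - 1) & MAC_MASK, (b + 1) & MAC_MASK):
        cands.setdefault(int_mac(nb), "MAC address +1/-1")
    for c in clients:
        cands.setdefault(int_mac(mac_int(c)), "rogue client")
    return cands


@dataclass
class Hit:
    switch: str
    vlan: int
    port: str
    mac: str
    match: str
    macs_on_port: int
    likely_uplink: bool


def trace(bssid, clients, ouis, cam_tables, uplink_threshold=8):
    """cam_tables: {switch_ip: [(mac, vlan, port), ...]} in hop order.
    Returns hits best-first: strongest match, non-uplink, fewest MACs."""
    cands = candidates(bssid, clients)
    oui_set = {o.upper() for o in ouis}
    hits = []
    for switch, entries in cam_tables.items():
        per_port = Counter(port for _, _, port in entries)
        for raw, vlan, port in entries:
            mac = int_mac(mac_int(raw))          # normalise dotted/colon forms
            match = cands.get(mac)
            if match is None and mac[:8] in oui_set:
                match = "vendor OUI"
            if match is None:
                continue
            hits.append(Hit(switch, vlan, port, mac, match,
                            per_port[port], per_port[port] >= uplink_threshold))
    hits.sort(key=lambda h: (-SCORE[h.match], h.likely_uplink, h.macs_on_port))
    return hits


# Constructed CAM tables: the switch at hop 0 and a neighbour at hop 1.
CAM = {
    "172.20.226.193": (
        [("0009.5b9c.8769", 113, "GigabitEthernet1/0/33"),   # rogue's wired MAC = BSSID + 1
         ("0021.5dac.d898", 113, "GigabitEthernet1/0/33"),   # rogue client seen behind it
         ("0021.d848.c161", 113, "GigabitEthernet1/0/5")]    # our own AP, not a candidate
        + [(f"0011.22{i:02x}.{i:02x}{i:02x}", 113, "GigabitEthernet1/0/48") for i in range(9)]
        + [("000f.b512.3456", 113, "GigabitEthernet1/0/48")]  # rogue-vendor OUI on the uplink
    ),
    "172.20.226.194": [
        ("0022.3f00.aabb", 20, "FastEthernet0/7"),             # rogue-vendor OUI, weak hit
    ],
}
ROGUE = "00:09:5B:9C:87:68"
ROGUE_CLIENTS = ["00:21:5D:AC:D8:98"]
OUIS = ["00:0F:B5", "00:22:3F", "00:1F:33", "00:18:4D", "00:14:6C", "00:09:5B"]


def run_trace():
    return trace(ROGUE, ROGUE_CLIENTS, OUIS, CAM)


if __name__ == "__main__":
    for h in run_trace():
        flag = " (likely uplink)" if h.likely_uplink else ""
        print(f"{h.switch} vlan {h.vlan} {h.port}: {h.mac} {h.match}{flag}")
```

Run as written, the +1/-1 hit and the rogue-client hit on GigabitEthernet1/0/33 rank first, the lone OUI hit on the hop-1 switch next, and the OUI hit sitting among ten MACs on GigabitEthernet1/0/48 last, because that port is almost certainly the uplink and shutting it would take down the whole neighbouring switch rather than the rogue.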
WCS Switchport Tracing (Classify)
Configuration

Screenshots: switches are added to WCS by IP address, wildcard or CSV file, with SNMP read/write or read-only credentials (read-only is enough to trace; shutting the port needs read/write). The search methods (exact MAC, MAC +1/-1, rogue client MACs, vendor OUI) can be enabled individually, and vendors can be excluded from the OUI search, which is useful where the rogue's vendor also supplies hardware you legitimately run.
Wired-Side Tracing Techniques (Classify)
Comparison

Switchport tracing
  How it works: (1) AP hears rogue over the air; (2) detecting AP advises of nearby switches; (3) trace starts on nearby switches; (4) results reported in order of probability; (5) administrator may disable the port.
  What it detects: open APs, secured APs, NAT APs
  Accuracy: moderate

RLDP
  How it works: (1) AP hears rogue over the air; (2) detecting AP connects as a client to the rogue AP; (3) detecting AP sends an RLDP packet; (4) if the RLDP packet is seen at the WLC, the rogue is on the wire.
  What it detects: open APs, NAT APs
  Accuracy: 100% (a packet that arrives at the controller cannot be a false positive)

Rogue detector
  How it works: (1) place the detector AP on a trunk; (2) detector receives all rogue MACs from the WLC; (3) detector AP matches rogue MACs against wired-side ARPs.
  What it detects: open APs, secured APs, NAT APs
  Accuracy: high
Rogue Location (Mitigate)
On-Demand with WCS

- Allows an individual rogue AP to be located on demand
- Keeps no historical record of rogue location
- Does not locate rogue clients

Rogue Location (Mitigate)
In Real Time with WCS and MSE Context-Aware

- Tracks multiple rogues in real time (up to MSE limits)
- Can track and store rogue location historically
- Provides the location of rogue clients
- Provides the location of rogue ad-hoc networks
Rogue Containment (Mitigate)
Concept

Diagram: an authorized AP sends de-authentication packets to both the rogue AP and the rogue client.

Rogue AP containment
- Sends de-authentication packets to client and AP
- Can use local, monitor mode or H-REAP APs
- Impacts client performance on the managed AP
Rogue Containment (Mitigate)
Operation

Screenshots (WCS and WLC): containment is started against the rogue by MAC address (00:09:5b:9c:87:68 in the example); 1 to 4 APs can be used for containment.
Rogue Containment (Mitigate)
AP Containment Methods

Scenario                      Containment method
Rogue AP only                 Broadcast deauth frames only
Rogue AP and client(s)        Broadcast and unicast deauth frames
Rogue Containment (Mitigate)
Auto-Containment

Screenshot (WLC): auto-containment options.

- Use auto-containment to nullify the most alarming threats.
- Containment can have legal consequences when used improperly: de-authenticating devices on a neighbour's network that merely shares your spectrum interferes with someone else's service, so scope auto-containment to rogues confirmed on your wire or advertising your SSID.
Rogue Containment (Mitigate)
Auto-Containment of Valid Client on Rogue AP

Diagram: the WLC holds a valid-client list learned from ACS; when a valid corporate client is seen associating to a neighbour's rogue AP, that client is contained away from the invalid AP.
Rogue Containment (Mitigate)
Client Containment Method

Scenario                      Containment method
Rogue client only             Unicast deauth frames only

- Rogue client containment is used to kick only one client off the rogue AP.
- A broadcast de-auth is not used (unlike the other containment scenarios).
- Ideal when a managed client associates to a friendly AP (example: a neighbouring Starbucks), where knocking every user off the friendly AP would be both disruptive and legally questionable.
Rogue Containment (Mitigate)
Operation (Cont)

- Containment sends a minimum of 2 packets every ~100 ms (20 packets per second) per contained rogue.
- A local mode AP can contain 3 rogues per radio.
- A monitor mode AP can contain 6 rogues per radio.
Rogue Containment (Mitigate)
Caveats

An access point performing containment will offer reduced performance to data clients and lower voice quality.

Charts: data performance and voice performance with and without containment. Test setup: Cisco 1250, 802.11n client, 40 MHz channel, IxChariot traffic, 3 rogue APs on separate channels.
Rogue Containment (Mitigate)
FAQ

- Containment packets are sent at the lowest enabled data rate and at the power level of the access point.
- If the rogue disappears, does containment stop automatically? Yes, but the rogue entry stays in the WLC as "containment pending" and will be contained again if it reappears.
- Will a 4-AP containment cause the participating APs to share the containment load? No, APs do not share the containment load; each will send a minimum of 20 packets per second.
Security Attack Detection and
Mitigation

WLAN Security
Vulnerabilities and Threats

On-wire attacks
- Ad-hoc wireless bridge: client-to-client backdoor access
- Rogue access points: backdoor network access

Over-the-air attacks
- Evil twin / honeypot AP: connection to a malicious AP
- Denial of service: service disruption
- Reconnaissance: seeking network vulnerabilities
- Cracking tools: sniffing and eavesdropping
WLAN Security
Denial of Service Attacks

RF jamming
- Any intentional or unintentional RF transmitter in the same frequency band can adversely affect the WLAN.

DoS using 802.11 management frames
- Management frames are not authenticated today, so it is trivial to fake the source of a management frame.
- De-authentication floods are probably the most worrisome: a handful of forged frames per second carrying the AP's address disconnects every client.

Misuse of the spectrum (CSMA/CA gives egalitarian access)
- Silencing the network with RTS/CTS floods and big-NAV attacks (advertising a maximum duration so every station defers).

802.1X authentication floods and dictionary attacks
- Overloading the system with unnecessary processing.
- Legacy implementations are prone to dictionary attacks, in addition to other algorithm-based attacks.
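As an added example of the detection side of the de-authentication flood described above (not Cisco controller IDS code), the Python below parses raw 802.11 management frames, keeps a sliding window of deauth/disassoc frames per (BSSID, claimed source) and raises one alert when the rate crosses a threshold. The frames are constructed with the small builder at the bottom; the threshold and window are assumptions to tune per site, since legitimate APs do send the occasional deauth on idle timeout.

```python
"""Deauthentication-flood detector, added example (not Cisco IDS code).
Parses the 802.11 MAC header, tracks deauth/disassoc frames per
(BSSID, source) in a sliding window and alerts once on a flood.  Frames
below are constructed; threshold and window are tuning assumptions."""
import struct
from collections import defaultdict, deque

TYPE_MGMT, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame: bytes):
    """Decode the 24-byte MAC header (plus reason code) of a management
    frame.  Returns None for non-management or truncated frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (fc0 >> 4) & 0xF
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4      # drop fragment number
    reason = None
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return {"subtype": subtype, "da": _mac(frame[4:10]), "sa": _mac(frame[10:16]),
            "bssid": _mac(frame[16:22]), "seq": seq, "reason": reason}


class DeauthFloodDetector:
    """Alert when one source sends >= threshold deauth/disassoc frames for a
    BSSID within `window` seconds; one alert per (bssid, source)."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)        # (bssid, sa) -> recent timestamps
        self.alerted = set()

    def feed(self, ts: float, frame: bytes):
        p = parse_mgmt(frame)
        if not p or p["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        key = (p["bssid"], p["sa"])
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {"alert": "deauth flood", "bssid": key[0], "spoofed_src": key[1],
                    "count": len(q), "targets_broadcast": p["da"] == BROADCAST,
                    "reason": p["reason"], "first_seen": q[0], "last_seen": ts}
        return None


def build_deauth(da: str, sa: str, bssid: str, seq: int, reason: int = 7) -> bytes:
    """Constructed test frame: frame control 0xC0 (mgmt/deauth), duration 0,
    DA, SA, BSSID, sequence control, reason code."""
    def addr(m):
        return bytes.fromhex(m.replace(":", ""))
    return (struct.pack("<BBH", (TYPE_MGMT << 2) | (SUBTYPE_DEAUTH << 4), 0, 0)
            + addr(da) + addr(sa) + addr(bssid)
            + struct.pack("<H", (seq & 0xFFF) << 4) + struct.pack("<H", reason))


def run_demo():
    """Constructed capture: two legitimate deauths from our AP 15 s apart,
    then 30 broadcast deauths in 0.9 s forged with the AP's address."""
    ap, client = "00:1f:3b:1a:a2:01", "00:1f:3b:7c:a2:13"
    det = DeauthFloodDetector(threshold=10, window=1.0)
    alerts = []
    for ts, seq in ((5.0, 100), (20.0, 612)):             # idle-timeout deauths, reason 4
        alerts += filter(None, [det.feed(ts, build_deauth(client, ap, ap, seq, reason=4))])
    for i in range(30):                                   # the flood, reason 7
        alerts += filter(None, [det.feed(30.0 + i * 0.03, build_deauth(BROADCAST, ap, ap, i, 7))])
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The two legitimate deauths fall out of the window long before the flood starts, so the detector stays quiet until the tenth forged frame, 0.27 s into the flood. Two refinements a real sensor adds and this sketch does not: comparing the forged frames' sequence numbers with the ones the genuine AP is emitting (a spoofer rarely keeps them in step), and the MIC check that Management Frame Protection provides, which turns "too many deauths" into "this deauth is not ours".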
Wireless Security
MAC Address Spoofing

As with wired networks, MAC address and IP address spoofing are possible, if not easy, in wireless networks.

Outsider (hostile) attack scenario
- Does not know the key or encryption policy.
- IP address spoofing is not possible if encryption is turned on (DHCP messages are encrypted between the client and the AP).
- MAC address spoofing alone (i.e. without IP address spoofing) may not buy much if encryption is turned on.

Insider attack scenario
- Seeking to obtain another user's secure information.
- MAC address and IP address spoofing will not succeed if EAP/802.1X authentication is used, because a unique encryption key is derived per user (i.e. per MAC address). With a shared PSK every user holds the same master key, so an insider who captures a colleague's 4-way handshake can derive that colleague's session key; this protection is specific to Enterprise mode.
Wireless Security
Sniffing and Reconnaissance

- First, sniffing (capturing packets over the air) is an extremely useful troubleshooting methodology.
- Sniffing in the old days relied on very specific cards and drivers; today it is very easy to find support for most cards and drivers.
- The cost of such software (if you like to pay for it) is negligible, or you can just use free/open-source software.
- It provides insight (with physical proximity) into the network, services and devices, which comes in handy when performing network reconnaissance: SSIDs, BSSIDs, security settings and client MAC addresses are all visible in the clear regardless of encryption.
Wireless Security
Man-in-the-Middle Attack

A MITM is when an attacker poses as the network to the client(s) and as a client to the actual network:
- The attacker forces a legitimate client off the network (a forged de-authentication is enough).
- The attacker lures the client to a honeypot.
- The attacker gains security credentials by intercepting user traffic.

Very easy to do with:
- Sniffing and war-driving to identify targets
- MAC address spoofing
- Rogue device setup
- DoS attacks
Quick Look: Common WLAN Exploits/Tools

- Remote-Exploit / BackTrack / Auditor (live distributions bundling the tools below)
- Aircrack, WEPcrack, etc.
- coWPAtty (WPA-PSK dictionary attacks)
- Kismet
- NetStumbler, Hotspotter, etc.
- AirSnort
- Sniffing tools: OmniPeek, Wireshark
- dsniff, nmap
- Wellenreiter
- asleap (dictionary attack on LEAP and captured MSCHAPv2 challenge/response pairs)
Ounce of Prevention
Stop the Attack Before It Happens

Cisco wIPS detects all six attack classes from the threat matrix above: ad-hoc wireless bridges and rogue access points on the wire side; evil twin/honeypot APs, denial of service, reconnaissance and cracking tools over the air.
Ounce of Prevention
Stop the Attack Before It Happens (Cont)

Mapping the countermeasures onto the same matrix:
- Rogue detection, classification and mitigation addresses ad-hoc wireless bridges and rogue access points.
- MFP neutralizes management frame exploits, such as the man-in-the-middle attacks that begin with a forged de-authentication.
- WPA2/802.11i neutralizes reconnaissance and cracking attacks against the data stream.
Cisco's Attack Detection Mechanisms

Base IDS
- Built in to controller software
- Uses local and monitor mode APs

Adaptive wIPS
- Requires MSE
- Uses wIPS monitor mode APs
Adaptive wIPS Differences from Base
Controller IDS

Adaptive wIPS Difference #1
Alarm Aggregation and Correlation

Base controller IDS: AP -> WLC -> WCS. No alarm correlation; each detecting AP and controller raises its own alarm for the same event.
Adaptive wIPS: AP -> WLC -> MSE -> WCS. The MSE aggregates and correlates alarms across APs and controllers before WCS displays them.
Adaptive wIPS Difference #2
Breadth of Alarms Detected

Base controller IDS: only 17 signatures. Adaptive wIPS: a much larger attack library, documented in the attack encyclopedia.
Adaptive wIPS Difference #2 (Cont)
Attack Encyclopedia

- Available for each alarm
- Accessible from the wIPS profile page
Adaptive wIPS Difference #3
Forensic Packet Capture

Screenshots: forensic capture of the frames that triggered an alarm, for later analysis.
Adaptive wIPS Difference #4
Historic Reporting

1. Alarm information is stored in the MSE database (maximum of 6 million alarms).
2. WCS queries the MSE database during report generation.
3. Reports are created and viewed at WCS.
Adaptive wIPS
Types of Reports

wIPS Alarm List report
- Use: historic reporting of attacks
- Summarized list of alarms contained within the MSE
- Contains alarm type, source MAC, detecting AP, first-seen time, last-seen time

wIPS Top 10 AP report
- Use: identifying hot zones of attack
- The 10 wIPS access points with the most alarms
- Includes critical, major, minor and warning levels of alarms
Adaptive wIPS
Creating Reports

Screenshot: reports can be filtered by MSE or by WLC, with columns added, removed and sorted.
Example Reports

Screenshots: the wIPS Alarm List report (with an attack timeline) and the wIPS Top 10 APs report (with alarm severities).
WCS Security Dashboard

Screenshot: controller IDS and adaptive wIPS alarms, the security index, and rogues by category on one page.
Adaptive wIPS
Components and Functions

Mobility Services Engine
Support for Cisco Motion Services

3310 Mobility Services Engine
- Supports Adaptive wIPS for up to 2000 monitor mode APs
- Supports Context Aware for up to 2000 tracked devices
- Requires WLC software version 4.2.130 or later and WCS version 5.2 or later

3350 Mobility Services Engine
- Supports Adaptive wIPS for up to 3000 monitor mode APs
- Supports Context Aware for up to 18000 tracked devices
- Requires WLC software version 4.2.130 or later and WCS version 5.1 or later

Mobility services may have different WLC/WCS software requirements. Adaptive wIPS is licensed on a per-monitor-mode-AP basis.
wIPS System Communication Diagram

Diagram: APs report to the WLC over CAPWAP, the WLC forwards to the MSE over NMSP, and the MSE alerts WCS. The MSE is not in the data path, so an MSE outage does not affect client traffic.
wIPS AP Detection Logic

Diagram: the wIPS AP follows the 802.11 state machine for every station it hears (1. authenticated, 2. associated, 3. passing data), checked against a device database of known APs (00:1F:3B:1A:A2:01) and clients (00:1F:3B:7C:A2:13) and an attack library. A station using the client MAC 00:1F:3B:7C:A2:13 that is seen passing data (3) although the AP never saw it authenticate (1) or associate (2) is flagged as a spoofed MAC.
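The following is an added example of the state-machine check the wIPS AP logic above describes; it is not Cisco wIPS code. Per station it tracks unauthenticated -> authenticated -> associated from the management frames it overhears and flags data frames from a station that never reached the associated state, or that was de-authenticated and kept talking: both are what a spoofed client MAC looks like on the air. The frame records are already-decoded tuples constructed for the example, and the device database is assumed to list our APs and known clients.

```python
"""802.11 state-machine check of the kind the wIPS AP logic describes,
added example (not Cisco wIPS code).  Tracks each station's state from
overheard management frames and flags data from stations that are not
associated.  Frame tuples and the device database are constructed."""
from collections import defaultdict
from enum import IntEnum


class State(IntEnum):
    UNAUTH = 0      # class 1 frames only
    AUTH = 1        # authenticated, not yet associated
    ASSOC = 2       # may pass data


class StationTracker:
    """Frames are (timestamp, kind, src, dst) with kind one of
    auth_resp, assoc_resp, reassoc_resp, disassoc, deauth, data."""

    def __init__(self, our_aps, known_clients):
        self.our_aps = set(our_aps)
        self.known_clients = set(known_clients)
        # ap -> client -> State
        self.state = defaultdict(lambda: defaultdict(lambda: State.UNAUTH))

    def observe(self, frame):
        ts, kind, src, dst = frame
        if src in self.our_aps:
            ap, client, from_ap = src, dst, True
        elif dst in self.our_aps:
            ap, client, from_ap = dst, src, False
        else:
            return None                  # not one of our BSSIDs; rogue logic handles it
        st = self.state[ap]
        if from_ap:
            # Our AP's own responses move the client through the state machine.
            if kind == "auth_resp":
                st[client] = max(st[client], State.AUTH)
            elif kind in ("assoc_resp", "reassoc_resp"):
                st[client] = State.ASSOC
            elif kind == "disassoc":
                st[client] = min(st[client], State.AUTH)
            elif kind == "deauth":
                st[client] = State.UNAUTH
            return None
        # Frames from the station side.
        if kind == "deauth":
            st[client] = State.UNAUTH
        elif kind == "disassoc":
            st[client] = min(st[client], State.AUTH)
        elif kind == "data" and st[client] != State.ASSOC:
            why = "data from a station in state %s" % st[client].name
            if client in self.known_clients:
                why += " using a known client MAC (spoofed MAC suspected)"
            return {"ts": ts, "ap": ap, "station": client, "frame": kind, "reason": why}
        return None


def run_demo():
    """Constructed trace: a legitimate client joins and passes data, the AP
    later de-authenticates it, the same MAC keeps sending (an attacker
    reusing it), and a second MAC sends data without ever joining."""
    AP, CLIENT, STRANGER = "00:1f:3b:1a:a2:01", "00:1f:3b:7c:a2:13", "02:de:ad:be:ef:01"
    trace = [
        (1.0, "auth_resp", AP, CLIENT),
        (1.1, "assoc_resp", AP, CLIENT),
        (1.2, "data", CLIENT, AP),        # fine: associated
        (9.0, "deauth", AP, CLIENT),      # AP drops the client (idle timeout)
        (9.5, "data", CLIENT, AP),        # same MAC keeps sending -> alarm
        (12.0, "data", STRANGER, AP),     # never seen joining -> alarm
    ]
    tracker = StationTracker(our_aps=[AP], known_clients=[CLIENT])
    return [a for a in (tracker.observe(f) for f in trace) if a]


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

A passive sensor only knows the states it saw established, so a radio that was on another channel during the authentication exchange will raise false alarms; that is one practical reason the deck pairs this logic with dedicated monitor mode APs rather than client-serving radios that leave the channel for 50 ms at a time.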
wIPS Mobility Services Engine

Diagram: each wIPS AP forwards its detections (for example 8/20/2008 17:09 Spoof MAC, 8/22/2008 10:24 DoS attack, 8/24/2008 12:07 DoS attack) to the MSE, which holds the alarm database, a system-wide device database (wIPS AP 00:55:9A:6A:34:01, AP 00:1F:3B:1A:A2:01, client 00:1F:3B:7C:A2:13), a forensics database and an anomaly detection engine.
wIPS Alarm Flow

1. Attack launched against an infrastructure device (trusted AP).
2. Detected on the AP; communicated via CAPWAP to the WLC.
3. Passed transparently to the MSE via NMSP.
4. Logged into the wIPS database on the MSE; sent to WCS via SNMP trap.
5. Displayed at WCS.
Adaptive wIPS
A New Form of Monitor Mode

wIPS mode is only available for the 1130, 1240, 1140 and 1250 access points.
Monitor Mode AP Range, Placement and Density

Range
- Monitor-mode wIPS APs do not serve clients, and thus have greater range.
- A client-serving AP typically covers 3,000-5,000 square feet.
- A wIPS AP typically covers 15,000-35,000 square feet.

Placement and density
- The ratio of wIPS monitor-mode APs to local-mode traffic APs varies by network design, but 1:5 is a reasonable estimate.
- wIPS APs can simultaneously run context-aware location in monitor mode.
- Cisco RF expertise ensures maximum coverage.
Deployment Dependent on Environment

Open indoor environment: less dense wIPS deployment. Walled indoor environment: more dense wIPS deployment.
Walled Indoor: Recommendations

Environments such as healthcare, finance, enterprise and education. Different security confidence levels apply depending on detection requirements: select a confidence level in the chart below and deploy one wIPS AP per the listed area.

Walled office indoor environment
Confidence level   Deployment density     2.4 GHz detection   5 GHz detection
Gold               1 AP / 15,000 sqft     Exhaustive          Comprehensive
Silver             1 AP / 20,000 sqft     Comprehensive       Adequate
Bronze             1 AP / 25,000 sqft     Adequate            Sparse
Open Indoor: Recommendations

Environments such as warehouses and manufacturing. Different security confidence levels apply depending on detection requirements: select a confidence level in the chart below and deploy one wIPS AP per the listed area.

Open indoor environment
Confidence level   Deployment density     2.4 GHz detection   5 GHz detection
Gold               1 AP / 30,000 sqft     Exhaustive          Comprehensive
Silver             1 AP / 40,000 sqft     Comprehensive       Adequate
Bronze             1 AP / 50,000 sqft     Adequate            Sparse
How Many wIPS Monitor Mode APs Do I Need?

1. Select a security confidence level: Gold for finance, government and retail; Silver for enterprise; Bronze where only 2.4 GHz is a concern.
2. Assess the overall deployment size.
3. Divide by the recommended density and round up (e.g. 200,000 sqft / 15,000 sqft = 13.3, so 14 APs).

Examples:
Deployment          Size           Level    Density (from the charts above)   # of wIPS APs
Financial office    200,000 sqft   Gold     15,000 sqft (walled)              14
Enterprise office   200,000 sqft   Silver   20,000 sqft (walled)              10
Warehouse           200,000 sqft   Silver   40,000 sqft (open)                5
Management Frame Protection
Concept

Problem:
Wireless management frames are not authenticated, encrypted, or signed
A common vector for exploits

Solution:
Insert a signature (Message Integrity Code/MIC) into the management frames
Clients and APs use the MIC to validate the authenticity of management frames
APs can instantly identify rogue/exploited management frames

(Diagram: management frame types covered by Infrastructure MFP and Client MFP: AP Beacons, Probe Requests/Probe Responses, Associations/Re-associations, Disassociations, Authentications/De-authentications, Action Management Frames)
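The MIC idea on this slide, as an added conceptual example in Python that is not Cisco MFP code and does not follow the Cisco MFP or IEEE 802.11w wire format. The simplified frame layout, the shared key, the HMAC-SHA256 MIC truncated to 8 bytes and all names are this example's own assumptions. It shows what the receiver gains: a frame built without the key, or altered after signing, fails validation, while an unprotected frame carries nothing to check.

```python
import hashlib
import hmac
import struct

# Assumed MIC parameters for this illustration (not the 802.11w/Cisco MFP format).
MIC_LEN = 8
HEADER_LEN = 1 + 6 + 6 + 2          # subtype, src MAC, dst MAC, sequence number

# 802.11 management frame subtype values used in the sample.
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def build_frame(subtype, src_mac, dst_mac, seq, body):
    """Serialise a simplified management frame: subtype, addresses, sequence, body."""
    return struct.pack("!B6s6sH", subtype, src_mac, dst_mac, seq) + body


def protect(frame, key):
    """Sender side: append a MIC over the whole frame so receivers can check origin and integrity."""
    mic = hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]
    return frame + mic


def validate(protected_frame, key):
    """Receiver side: return (ok, frame). ok is False if the MIC is missing or wrong."""
    if len(protected_frame) < HEADER_LEN + MIC_LEN:
        return False, None
    frame, mic = protected_frame[:-MIC_LEN], protected_frame[-MIC_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]
    # Constant-time comparison so MIC checking does not leak timing information.
    return hmac.compare_digest(mic, expected), frame


def demo():
    """Three receiver outcomes on constructed frames: genuine, unkeyed, tampered."""
    key = b"constructed-demo-mfp-key"          # shared by the AP and its trusted clients
    ap = bytes.fromhex("001122334455")         # constructed AP MAC
    client = bytes.fromhex("66778899aabb")     # constructed client MAC
    reason = b"\x00\x03"                       # deauth reason code field

    # Deauthentication sent by the real AP, MIC computed with the real key.
    genuine = protect(build_frame(SUBTYPE_DEAUTH, ap, client, 1, reason), key)

    # Frame carrying the AP's address but built without the key: the MIC field is junk.
    unkeyed = build_frame(SUBTYPE_DEAUTH, ap, client, 2, reason) + bytes(MIC_LEN)

    # Genuine frame whose reason code was modified after the MIC was computed.
    tampered = bytearray(genuine)
    tampered[-MIC_LEN - 1] ^= 0x01
    tampered = bytes(tampered)

    return {
        "genuine": validate(genuine, key)[0],
        "unkeyed": validate(unkeyed, key)[0],
        "tampered": validate(tampered, key)[0],
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'unkeyed': False, 'tampered': False}
```

The receiver's only decision is accept or discard; a discarded frame is the signal the slide refers to when it says APs can identify rogue or exploited management frames.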

Benefits of MFP

Attack Protection: for rogue AP, man-in-the-middle exploits, and other management frame attacks
Increases the fidelity of rogue AP and WLAN IDS signature detection
Attack Prevention: will be supported in clients capable of decrypting the signature (CCXv5 clients)
Integration with other Cisco security monitoring solutions in order to characterize attack vectors (rules-based correlation)
Cisco security leadership and innovation
Proposed standard: IEEE 802.11w (~Dec 2009)
CCX: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_concept_home.html
MFP Configuration
Infrastructure

Configured globally on a per-controller basis
Can be overridden for specific APs and WLANs

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml
MFP Status
Infrastructure

(Screenshot callouts: MFP WLAN settings; MFP infrastructure settings)
MFP Configuration
WLAN/Client

(Screenshot callout: MFP WLAN/Client protection settings)
MFP client protection requires CCXv5 and WPA2 enabled
MFP Status
Client

(Screenshot callout: CCXv5 client, MFP is Active)
Cisco Wired IPS Integration
Unified Intrusion Prevention

Business Challenge
Mitigate network misuse, hacking and malware from WLAN clients

Client Shun
Inspects traffic flow for harmful applications and blocks wireless client connections
Layer 3-7 deep packet inspection
Eliminates risk of contamination from wireless clients
Zero-day response to viruses, malware and suspect signatures

(Diagram: L2 IDS on the WLAN and L3-7 IDS on a Cisco ASA 5500 Series with IPS in front of the Enterprise Intranet; malicious traffic from a wireless client is detected and the client is shunned)
Cisco Wired IPS Integration
Configuration

(Screenshot callouts: how often to check the excluded client list; the fingerprint is generated on the Cisco IPS device)
Client Exclusion Policies
Configuration

(Screenshot callouts: per-WLAN client exclusion timeout)
A client exclusion timeout of 0 requires an admin reset
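The two behaviours described on the wired IPS integration and client exclusion slides, modelled as an added Python example that is not controller code: the controller polls the IPS excluded-client list on an interval and excludes each listed client, and each exclusion lapses after the WLAN's client exclusion timeout unless that timeout is 0, which keeps the entry until an administrator clears it. The class and function names, keying the list by client MAC, and the sample clients, WLANs and timeouts are this example's own assumptions.

```python
import time

# Exclusion timeout of 0 means the entry never expires on its own and must be
# cleared by an administrator (per the slide). Everything else here is an
# assumed model, not the WLC's data structures.
PERMANENT = 0


class ExclusionList:
    """Excluded-client table keyed by client MAC address (assumed key)."""

    def __init__(self, now=time.monotonic):
        self._now = now             # injectable clock so expiry can be tested
        self._entries = {}          # mac -> (expires_at or None, reason)

    def exclude(self, mac, timeout_s, reason):
        if timeout_s < 0:
            raise ValueError("timeout must be 0 (permanent) or positive seconds")
        expires = None if timeout_s == PERMANENT else self._now() + timeout_s
        self._entries[mac] = (expires, reason)

    def is_excluded(self, mac):
        entry = self._entries.get(mac)
        if entry is None:
            return False
        expires, _ = entry
        if expires is not None and self._now() >= expires:
            del self._entries[mac]  # timed exclusion has lapsed
            return False
        return True

    def admin_clear(self, mac):
        """Manual reset; the only way a PERMANENT exclusion is lifted."""
        return self._entries.pop(mac, None) is not None

    def active(self):
        """Currently excluded MACs, dropping any entries that have expired."""
        return sorted(mac for mac in list(self._entries) if self.is_excluded(mac))


def sync_from_ips(exclusions, shun_list, wlan_timeouts, client_wlan):
    """One poll of the IPS excluded-client list.

    shun_list: MACs the IPS wants blocked (constructed); client_wlan: MAC ->
    WLAN name for clients associated through this controller; wlan_timeouts:
    WLAN name -> per-WLAN client exclusion timeout in seconds.
    Returns the MACs that were (re)excluded on this poll.
    """
    applied = []
    for mac in shun_list:
        wlan = client_wlan.get(mac)
        if wlan is None:
            continue                # not a client of this controller
        exclusions.exclude(mac, wlan_timeouts[wlan], "ips-shun")
        applied.append(mac)
    return applied


if __name__ == "__main__":
    # Constructed sample data: a corporate WLAN with a 60 s timeout and a
    # guest WLAN whose timeout is 0.
    clock = [0.0]
    excl = ExclusionList(now=lambda: clock[0])
    timeouts = {"corp": 60, "guest": PERMANENT}
    clients = {"00:11:22:aa:bb:01": "corp", "00:11:22:aa:bb:02": "guest"}
    print(sync_from_ips(excl, list(clients), timeouts, clients))
    clock[0] = 61.0
    print(excl.active())            # only the guest client is still excluded
    excl.admin_clear("00:11:22:aa:bb:02")
    print(excl.active())            # []
```

The practical point for a WLAN with timeout 0 is operational: every IPS shun on that WLAN becomes a ticket for an administrator, so pair it with a review process or choose a finite timeout.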

Feature Specific Deployment Guides

Management Frame Protection
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml

Wired/Wireless IDS Integration
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807360fc.shtml

Adaptive wIPS Deployment Guide
http://www.cisco.com/en/US/docs/wireless/technology/wips/deployment/guide/wipsdep.html

Other Suggested Sessions

Wireless Endpoint Security (BRKAGG-2014)
Designing Guest Access with the Cisco Unified Wireless Network (BRKAGG-2016)
Design and Deployment of Enterprise WLANs (BRKAGG-2010)

Please Visit the Cisco Booth in the World of Solutions
See the technology in action
Mobility
MOB1 Collaboration in Motion
MOB2 Cisco Unified Wireless Network
MOB3 Mobile High-Speed Performance with 802.11n

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.