Presentation_ID 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Session Agenda
Strong Authentication
Strong Encryption
WLAN Security
BRKAGG-2015_c2 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3
Authentication and Encryption
Best Practices
Authentication Evolution
WPA/WPA2 Breakdown
Authentication Best Practices: WPA2-Enterprise
Strong authentication: 802.1X/EAP against an authentication server (per-user credentials rather than a shared key).
Strong encryption: AES.
EAP Protocol Flow (figure): the client exchanges EAP with the authenticator (the access point, which carries the exchange over CAPWAP to the WLAN controller), and the authenticator relays it to the authentication server.
Encryption Evolution
The TKIP Vulnerability
Once thought safe, TKIP encryption is cracked:
http://www.pcworld.com/businesscenter/article/153396/once_thought_safe_wpa_wifi_encryption_is_cracked.html
Security researchers claim that they can recover the message integrity check (MIC) key used in TKIP.
Recovery of the MIC key facilitates packet forgeries, but only between the AP and its client.
The encryption key is *not* recovered, so data traffic cannot be read via this attack; this is not like the WEP crack of years back.
What is the risk?
Small, predictable packets such as ARP and DNS can be forged and injected toward the client, and only a very limited number of them (at most 7) per attack window.
Encryption Best Practices:
TKIP and AES
Rogue Detection, Classification
and Mitigation
Rogue Devices
What is a rogue?
Any device that is sharing your spectrum but is not managed by you.
The majority of rogues are set up by insiders (low cost, convenience, ignorance).
When is a rogue dangerous?
When it is set up to use the same ESSID as your network (honeypot).
When it is detected to be on the wired network too.
Ad-hoc rogues are arguably a big threat, too: set up by an outsider, most times with malicious intent.
What needs to be done?
Detect
Classify (over the air, and on the wire)
Mitigate (shut down, contain, etc.)
Phases of Rogue Management
Cisco Rogue Management Diagram (figure): the Wireless Control System (WCS) and the Wireless LAN Controller sit at the core/distribution layers, with switches and APs at the access layer. Multiple methods are used: Switchport Tracing, RRM Scanning and RLDP.
Listening for Rogues (Detect)
Two Different AP Modes for RRM Scanning
RRM Channel Scanning (Detect): Local Mode AP
A local mode AP serves clients on its own channel and leaves it only briefly to scan (the figure also marks 10 ms intervals around each scan).
2.4 GHz: every 16 s the radio hops from its serving channel (1) to the next off-channel (2, 3, 4, 5, 6, 7, ...) for 50 ms, then returns (180 s / 11 channels = ~16 s).
5 GHz: every 14.5 s the radio hops from its serving channel (36) to the next off-channel (40, 44, 48, 52, 56, 60, 64, ... 149) for 50 ms (180 s / 12 channels = ~14.5 s).
Consequence: within a 180 s cycle each off-channel is heard for only 50 ms, so a local mode AP can miss a short-lived rogue.
RRM Channel Scanning (Detect): Monitor Mode AP
A monitor mode AP serves no clients and dwells 1.2 s on each channel in turn (1, 2, 3, ... 12, ...).
2.4 GHz: (180 s / 1.2 s) / 14 channels = ~10.7 dwells per channel within the 180 s scan duration, i.e. about 12.9 s of listening per channel (the slide's figure of ~10.7 is the dwell count, not seconds).
5 GHz: (180 s / 1.2 s) / 22 channels = ~6.8 dwells per channel within the 180 s scan duration, about 8.2 s of listening per channel.
802.11n Rogue Detection (Detect)
Rogue characteristics, off-network versus on-network (figure):
              Off-Network         On-Network
Security      Secured             Open
Network name  Foreign SSID        Our SSID
Signal        Weak RSSI           Strong RSSI
Location      Distant location    On-site location
Clients       No clients          Attracts clients
Rogue Classification Rules (Classify): Examples
Rules are sorted by priority; a detected rogue is marked by the first rule it matches.
Rogue rule: SSID tmobile, RSSI -80 dBm, marked as Friendly
Rogue rule: SSID Corporate, RSSI -70 dBm, marked as Malicious
Rogues matching no rule are marked as Unclassified
Rogue Classification Rules (Classify): Operation
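The rule evaluation the slides describe, as an added example that is not part of the original presentation and not Cisco WLC code: rules are held in priority order, a rogue takes the verdict of the first rule it satisfies, and anything left over stays Unclassified. The SSID and RSSI conditions, the reading of the RSSI condition as "heard at least this strong", the rule priorities and the on-wire override are assumptions chosen to mirror the slide's two example rules.

```python
"""Rogue classification by prioritized rules.

Added illustration, not Cisco WLC code: the rule fields (SSID, RSSI threshold),
the ">= threshold" reading of the RSSI condition, the priorities and the
on-wire override are assumptions chosen to mirror the slide's example rules.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int            # strongest RSSI at which a managed AP heard it
    on_wire: bool = False    # set by a wired-side method (rogue detector, RLDP, tracing)


@dataclass
class Rule:
    name: str
    priority: int            # lower value is evaluated first
    verdict: str             # "Friendly" or "Malicious"
    ssid: Optional[str] = None
    min_rssi_dbm: Optional[int] = None   # assumption: condition is "heard at least this strong"

    def matches(self, rogue: Rogue) -> bool:
        checks = []
        if self.ssid is not None:
            checks.append(rogue.ssid == self.ssid)
        if self.min_rssi_dbm is not None:
            checks.append(rogue.rssi_dbm >= self.min_rssi_dbm)
        # a rule with no conditions must never match everything by accident
        return bool(checks) and all(checks)


# The slide's two example rules (priorities are constructed)
RULES = [
    Rule("corporate-honeypot", priority=1, verdict="Malicious",
         ssid="Corporate", min_rssi_dbm=-70),
    Rule("neighbor-tmobile", priority=2, verdict="Friendly",
         ssid="tmobile", min_rssi_dbm=-80),
]


def classify(rogue: Rogue, rules: list) -> tuple:
    """Return (classification, rule name). Rules are sorted by priority and the
    first match wins; anything matching no rule stays Unclassified."""
    if rogue.on_wire:
        # Assumption, following the "dangerous when on the wired network" point:
        # a rogue bridged onto our LAN is Malicious no matter what a rule says.
        return "Malicious", "on-wire"
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(rogue):
            return rule.verdict, rule.name
    return "Unclassified", None


def demo() -> dict:
    """Classify a handful of constructed rogues; returns bssid -> classification."""
    rogues = [
        Rogue("00:21:44:58:66:52", "Corporate", -55),               # honeypot, heard loud
        Rogue("00:0c:41:9a:0b:10", "Corporate", -85),               # our SSID but far away
        Rogue("00:1a:2b:3c:4d:5e", "tmobile", -72),                 # neighbor hotspot
        Rogue("00:1a:2b:3c:4d:5f", "tmobile", -72, on_wire=True),   # same, but on our LAN
        Rogue("00:16:6f:11:22:33", "guest-net", -40),               # matches no rule
    ]
    return {r.bssid: classify(r, RULES)[0] for r in rogues}


if __name__ == "__main__":
    for bssid, verdict in demo().items():
        print(f"{bssid}  {verdict}")
```

Note that the far-away Corporate rogue is left Unclassified rather than Friendly: a rule that fails its RSSI condition simply does not fire, so an administrator still sees it in the unclassified list instead of it being silently whitelisted.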
Rogue Detector AP Mode (Classify): Concept
A rogue detector AP is connected to a trunk port on the L2 switched network and serves no wireless clients; it listens for ARP traffic on the wire.
It sees the ARPs of every host on the VLANs the trunk carries, including rogue APs and rogue clients (the figure shows a client ARP traversing a rogue AP onto the wire, next to an authorized AP).
The controller queries the rogue detector with the MACs it has heard over the air to determine whether rogue clients (or rogue APs) are on the network.
Does not work with NAT APs: the only MAC a NAT rogue puts on the wire is its own wired interface, not the BSSID or the client MACs seen over the air, so there is nothing to match.
Rogue Detector AP Mode (Classify): Deployment Scenario (figure): one rogue detector AP per floor (Floor 1, Floor 2, Floor 3), each trunked to that floor's switching.
Rogue Detector AP Mode (Classify): Operation
Figure labels: 0009.5b9c.8768 and 0021.4458.6652 (the latter is the rogue entry matched in the debug output below). On the rogue detector AP:
> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6652 found on net msg
Rogue Detector AP Mode (Classify): Configuration
WLC: set the AP mode to Rogue Detector. All radios of the AP become disabled in this mode; it works purely on its wired interface.
Switch: the AP connects to a trunk port so that it sees ARP on every VLAN the trunk carries. The native VLAN (113 here) is the untagged VLAN the AP itself uses to reach the controller.
interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 spanning-tree portfast trunk
Plain "spanning-tree portfast" only takes effect on a non-trunking port; on a trunk the "trunk" keyword is required for the port to skip the listening/learning states.
Rogue Location Discovery Protocol (Classify): Concept (figure): a managed AP connects to the rogue AP as a client and sends a packet through the routed/switched network addressed to the WLC. If the packet arrives at the controller, the rogue is on the wire.
Switchport Tracing (Classify): Concept
Figure: (1) WCS runs "show cdp neighbors" on the managed APs that detect the rogue; (2, 3) it queries the CAM table of each neighbor switch for the rogue's MAC until a match is found.
WCS Switchport Tracing:
Identifies the CDP neighbors of the APs detecting the rogue.
Queries the switches' CAM tables for the rogue's MAC.
Works for rogues with security and NAT, because it relies on the wired MAC address rather than on joining the rogue (RLDP) or on seeing its clients' ARPs (rogue detector).
WCS Switchport Tracing (Classify): Operation
Tracing is done on demand per rogue AP. The result lists, per port, the match type and the number of MACs found on the port; the administrator can shut the port from WCS.
WCS Switchport Tracing (Classify): Configuration
Add switches via IP, wildcard or CSV file, with SNMP R/W or SNMP R/O credentials.
Configure the search methods, and exclude vendors from the OUI search.
Wired-Side Tracing Techniques (Classify): Comparison
Switchport Tracing (WCS)
How it works:
1. AP hears rogue over the air
2. Detecting AP advises of nearby switches
3. Trace starts on nearby switches
4. Results reported in order of probability
5. Administrator may disable port
What it detects: open APs, secured APs, NAT APs
Accuracy: moderate
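The two wired-side techniques above (rogue detector ARP correlation and WCS switchport tracing), as one added example with constructed data; it is not Cisco WLC or WCS code. The ARP log format, the CDP neighbor and CAM tables, and the match types (exact, adjacent, same OUI) with their ranking are assumptions; Cisco's real search methods are configured in WCS and not reproduced here. It shows why the rogue detector misses a NAT rogue (only the NAT box's wired MAC, here BSSID+1, reaches the wire) while a MAC-based trace on the switches adjacent to the detecting AP still finds the port.

```python
"""Wired-side rogue classification: rogue detector ARP correlation versus
WCS-style switchport tracing.

Added illustration with constructed data, not Cisco WLC/WCS code. The ARP log
format, CDP/CAM tables, match types and their ranking are assumptions.
"""
import re
from typing import Optional

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)


def mac_int(mac: str) -> int:
    return int(re.sub(r"[^0-9a-fA-F]", "", mac), 16)


def oui(mac: str) -> str:
    return mac.lower()[:8]


# Over-the-air view: rogue BSSIDs, the managed AP that heard them, clients seen on them
ROGUE_APS = {
    "00:21:44:58:66:52": {"detected_by": "AP-F2-03", "clients": {"00:1f:3b:7c:a2:13"}},
    # NAT rogue: its wired uplink uses BSSID+1 and hides its clients behind NAT
    "00:0c:41:9a:0b:10": {"detected_by": "AP-F1-07", "clients": {"00:16:6f:11:22:33"}},
}

# Constructed ARP observations, as a rogue detector AP on a trunk would log them
ARP_LOG = """\
ARP request who-has 10.113.0.1 tell 10.113.4.57 sender 00:1f:3b:7c:a2:13 vlan 113
ARP reply 10.113.0.1 is-at 00:1a:2b:3c:4d:5e vlan 113
ARP request who-has 10.113.0.1 tell 10.113.4.90 sender 00:0c:41:9a:0b:11 vlan 113
"""

# Constructed wired topology: CDP neighbors of each detecting AP, and switch CAM tables
CDP_NEIGHBORS = {"AP-F2-03": ["sw-f2-a"], "AP-F1-07": ["sw-f1-a", "sw-f1-b"]}
CAM_TABLES = {
    "sw-f2-a": {"Gi1/0/12": ["00:21:44:58:66:52"], "Gi1/0/5": ["00:09:5b:9c:87:68"]},
    "sw-f1-a": {"Gi1/0/7": ["00:0c:41:9a:0b:11"], "Gi1/0/20": ["00:0c:41:aa:bb:cc"]},
    "sw-f1-b": {"Gi1/0/3": ["00:1b:2c:3d:4e:5f"]},
}


def arp_macs(log: str) -> set:
    """Every MAC seen in ARP traffic on the trunk (sender and target sides)."""
    return {m.lower() for m in MAC_RE.findall(log)}


def rogue_detector(rogue_aps: dict, seen: set) -> dict:
    """Rogue detector logic: a rogue is 'on net' if its BSSID or one of its
    wireless clients shows up in wired ARP. Returns bssid -> matching MAC or None."""
    result: dict = {}
    for bssid, info in rogue_aps.items():
        candidates = [bssid, *sorted(info["clients"])]
        result[bssid] = next((m for m in candidates if m in seen), None)
    return result


RANK = {"exact": 0, "adjacent": 1, "same-oui": 2}


def switchport_trace(bssid, rogue_aps, cdp, cam, excluded_ouis=frozenset(), spread=2):
    """Switchport tracing: look only on the switches adjacent to the detecting AP and
    report ports whose CAM entries match the BSSID exactly, lie within +/- spread of
    it (a NAT rogue's wired MAC is typically BSSID +/- 1), or merely share its OUI.
    Results are ordered most probable first; a port with fewer MACs on it ranks
    above a port with many (the latter is more likely an uplink)."""
    target = mac_int(bssid)
    hits = []
    for switch in cdp[rogue_aps[bssid]["detected_by"]]:
        for port, macs in cam[switch].items():
            for mac in macs:
                if mac.lower() == bssid.lower():
                    kind = "exact"
                elif abs(mac_int(mac) - target) <= spread:
                    kind = "adjacent"
                elif oui(mac) == oui(bssid) and oui(mac) not in excluded_ouis:
                    kind = "same-oui"
                else:
                    continue
                hits.append((RANK[kind], len(macs), switch, port, kind))
    return [(s, p, k) for _, _, s, p, k in sorted(hits)]


def demo():
    seen = arp_macs(ARP_LOG)
    by_arp = rogue_detector(ROGUE_APS, seen)
    traces = {b: switchport_trace(b, ROGUE_APS, CDP_NEIGHBORS, CAM_TABLES) for b in ROGUE_APS}
    return by_arp, traces


if __name__ == "__main__":
    by_arp, traces = demo()
    for bssid in ROGUE_APS:
        print(bssid, "rogue detector:", by_arp[bssid], "trace:", traces[bssid])
```

Excluding an OUI only suppresses the weakest match type; an exact or adjacent hit on an excluded vendor prefix is still reported, which is the behaviour an administrator wants when the exclusion list is there to cut down same-vendor noise rather than to whitelist devices.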
Rogue Location Mitigate
In real-time with WCS and MSE Context-Aware
WCS
Rogue Containment (Mitigate): Concept
Figure: an authorized AP sends de-authentication packets toward a rogue AP and its rogue client.
Rogue AP containment:
Sends de-authentication packets to client and AP.
Can use local, monitor mode or H-REAP APs.
Impacts client performance on the managed AP, since a local mode AP spends airtime on containment.
Rogue Containment (Mitigate): Operation
Containment is started from WCS or from the WLC.
Rogue AP only: broadcast deauth frames only.
Rogue AP and client(s): broadcast and unicast deauth frames.
Rogue Containment (Mitigate): Auto-Containment
Auto-containment policies are configured on the WLC (screenshot).
Rogue Containment (Mitigate): Auto-Containment of Valid Client on Rogue AP
The WLC keeps a valid client list; a valid client that associates to an invalid AP (figure: a corporate client on a neighbor's AP) is contained from that AP.
Rogue Containment (Mitigate): Client Containment Method
Rogue client containment is used to kick only one client off the rogue AP.
A broadcast de-auth is not used (unlike the other containment scenarios), so the rogue AP's other clients are left alone.
Ideal when a managed client associates to a friendly AP (example: a neighboring Starbucks), where containing the whole AP would also disrupt the neighbor's own users.
Rogue Containment (Mitigate): Operation (Cont)
The figure marks ~100 ms, the interval between containment frames.
Local mode: a local mode AP can contain 3 rogues per radio.
Monitor mode: a monitor mode AP can contain 6 rogues per radio.
Rogue Containment (Mitigate): Caveats
Throughput impact of containment on a local mode AP (chart not reproduced). Test setup: Cisco 1250, 802.11n client, 40 MHz channel, IxChariot traffic, 3 rogue APs on separate channels.
Rogue Containment (Mitigate): FAQ
Security Attack Detection and
Mitigation
WLAN Security
Vulnerabilities and Threats
WLAN Security: Denial of Service Attacks
RF jamming
Any intentional or unintentional RF transmitter in the same frequency band can adversely affect the WLAN.
DoS using 802.11 management frames
Management frames are not authenticated today (802.11w protected management frames were not yet deployed), so it is trivial to fake the source of a management frame.
De-authentication floods are probably the most worrisome.
Misuse of spectrum (CSMA/CA gives egalitarian access!)
Silencing the network with RTS/CTS floods and big-NAV attacks (reserving the medium with large duration values).
802.1X authentication floods and dictionary attacks
Overloading the system with unnecessary processing.
Legacy implementations such as LEAP are prone to dictionary attacks, in addition to other algorithm-based attacks.
Wireless Security
MAC Address Spoofing
Wireless Security:
Sniffing and Reconnaissance
Wireless Security
Man in the Middle Attack
Quick Look: Common WLAN
Exploits/Tools
Remote-Exploit/Backtrack/Auditor
Aircrack, WEPcrack, etc
coWPAtty
Kismet
NetStumbler, Hotspotter, etc
AirSnort
Sniffing tools: OmniPeek, Wireshark
dsniff, nmap
wellenreiter
asleap
Ounce of Prevention
Stop the Attack Before It Happens
Cisco's Attack Detection Mechanisms
Base IDS: built in to the controller software.
Adaptive wIPS: requires the MSE.
Adaptive wIPS Difference #1: Alarm Aggregation and Correlation
Base Controller IDS: AP to WLC to WCS; no alarm correlation.
Adaptive wIPS: AP to WLC to MSE to WCS; the MSE aggregates and correlates alarms before they reach WCS.
Adaptive wIPS Difference #2: Breadth of Alarms Detected
Base Controller IDS: only 17 signatures. Adaptive wIPS: the full attack library.
Adaptive wIPS Difference #2
(Cont) Attack Encyclopedia
Adaptive wIPS Difference #3
Forensic Packet Capture
Adaptive wIPS Difference #4
Historic Reporting
Adaptive wIPS
Types of Reports
Adaptive wIPS: Creating Reports
Filter by MSE or by WLC; add/remove columns; sort by columns.
Example Report: wIPS Alarm List (attack timeline)
Example Report: wIPS Top 10 APs (by alarm severity)
WCS Security Dashboard
Shows controller IDS and adaptive wIPS alarms, the security index, and rogues by category.
Adaptive wIPS
Components and Functions
Mobility Services Engine: Support for Cisco Motion Services
                    3310 Mobility Services Engine     3350 Mobility Services Engine
Adaptive wIPS       up to 2000 monitor mode APs       up to 3000 monitor mode APs
Context Aware       up to 2000 tracked devices        up to 18000 tracked devices
Software required   WLC 4.2.130 or later,             WLC 4.2.130 or later,
                    WCS 5.2 or later                  WCS 5.1 or later
wIPS AP Detection Logic
A wIPS AP tracks each device through the 802.11 client state machine: 1. authenticated, 2. associated, 3. passing data.
For each frame it checks the device database: 1. did this MAC authenticate? 2. did it associate? 3. is it passing data?
Figure: AP 00:1F:3B:1A:A2:01 and client 00:1F:3B:7C:A2:13. A device using the spoofed MAC 00:1F:3B:7C:A2:13 is passing data without the authentication and association steps recorded in the device database, which the attack library flags.
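The detection logic in the figure, as an added example; it is not Cisco wIPS code. The frame fields, the three states and the alarm names are assumptions mirroring the slide. A device database records how far each client MAC has progressed on a BSSID, a deauthentication resets it, and a data frame from a MAC that has not completed authentication and association raises the spoof alarm.

```python
"""wIPS-style spoofed-MAC detection from the 802.11 client state machine.

Added illustration, not Cisco wIPS code: the frame record layout, the three
states (authenticated, associated, passing data) and the alarm names are
assumptions mirroring the slide's detection logic.
"""
AUTH, ASSOC, DATA, DEAUTH = "auth", "assoc", "data", "deauth"


class DeviceDatabase:
    """Tracks, per (BSSID, client MAC), how far the client has legitimately
    progressed: 0 = unknown, 1 = authenticated, 2 = associated, 3 = passing data."""

    def __init__(self):
        self.state = {}   # (bssid, client) -> int

    def observe(self, frame):
        key = (frame["bssid"], frame["client"])
        s = self.state.get(key, 0)
        kind = frame["type"]
        if kind == AUTH:
            self.state[key] = max(s, 1)
        elif kind == ASSOC:
            if s < 1:
                return "Association without authentication"
            self.state[key] = max(s, 2)
        elif kind == DATA:
            if s < 2:
                # Data from a MAC that never completed auth/assoc on this BSSID:
                # someone is using this address without owning the session.
                return "Spoofed MAC"
            self.state[key] = 3
        elif kind == DEAUTH:
            # a deauth (from either side) tears the session down
            self.state[key] = 0
        return None


def run(frames):
    """Feed a frame sequence through the database; returns (index, client, alarm)."""
    db = DeviceDatabase()
    alarms = []
    for i, f in enumerate(frames):
        a = db.observe(f)
        if a:
            alarms.append((i, f["client"], a))
    return alarms


AP = "00:1f:3b:1a:a2:01"
CLIENT = "00:1f:3b:7c:a2:13"

# Constructed frame sequence: a legitimate join, a deauth, then the same MAC sends
# data again without re-joining (the spoof), plus a second MAC that associates blind.
FRAMES = [
    {"type": AUTH,   "bssid": AP, "client": CLIENT},
    {"type": ASSOC,  "bssid": AP, "client": CLIENT},
    {"type": DATA,   "bssid": AP, "client": CLIENT},
    {"type": DEAUTH, "bssid": AP, "client": CLIENT},
    {"type": DATA,   "bssid": AP, "client": CLIENT},                 # spoof
    {"type": ASSOC,  "bssid": AP, "client": "00:16:6f:11:22:33"},    # skipped auth
]


def demo():
    return run(FRAMES)


if __name__ == "__main__":
    for index, client, alarm in demo():
        print(f"frame {index}: {client} -> {alarm}")
```

The state check alone cannot see a spoof that runs while the genuine client is still associated, because the address then legitimately sits in state 2 or 3; that gap is what the MSE's anomaly detection engine and the rest of the attack library are for.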
wIPS Mobility Services Engine (figure)
wIPS APs feed the MSE, whose anomaly detection engine writes alarms to the alarm database (shown: 8/20/2008 17:09 Spoof MAC; 8/22/2008 10:24 DoS Attack; 8/24/2008 12:07 DoS Attack) and packet captures to the forensics database. Device entries shown: 00:55:9A:6A:34:01 (AP), 00:1F:3B:1A:A2:01 (AP), 00:1F:3B:7C:A2:13 (Client).
wIPS Alarm Flow
Monitor Mode AP Range, Placement
and Density
Walled Indoor: Recommendations
Environments such as healthcare, finance, enterprise and education.
Different security confidence levels depending on detection requirements.
Select a security confidence level in the chart (not reproduced) and deploy 1 AP every XX,000 sq ft based on it.
Open Indoor: Recommendations
Environments such as warehouses and manufacturing.
Different security confidence levels depending on detection requirements.
Select a security confidence level in the chart (not reproduced) and deploy 1 AP every XX,000 sq ft based on it.
How Many wIPS Monitor Mode APs Do I Need?
Select a security confidence level:
Gold: finance, government, retail
Silver: enterprise
Bronze: concern for 2.4 GHz only
Assess the overall deployment size.
Divide by the recommended density and round up (example: 200,000 sq ft / 15,000 sq ft per AP = 13.3, so 14 monitor mode APs).
Management Frame Protection: Concept
Problem: wireless management frames are not authenticated, encrypted, or signed, and are a common vector for exploits.
Solution: insert a signature (Message Integrity Code, MIC) into the management frames. Clients and APs use the MIC to validate the authenticity of a management frame, and APs can instantly identify rogue/exploited management frames.
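The de-authentication flood from the Denial of Service slide and the MIC solution described here, as one added example; it is not Cisco's MFP implementation. The frame record, an HMAC-SHA256 MIC truncated to 8 bytes, the sequence-number replay check and the flood threshold are assumptions chosen to show the concept. Without a MIC the only signal is volume, so the first function counts deauth frames per BSSID in a sliding window; with a MIC each forged frame is rejected on its own, and a captured genuine frame played back later is caught by the sequence-number check.

```python
"""Management-frame DoS: rate-based deauth flood detection, and why an MFP-style
MIC stops spoofing at the root.

Added illustration, not Cisco's MFP implementation: the frame record layout, the
HMAC-SHA256 MIC truncated to 8 bytes, the replay check on the sequence number
and the flood threshold are assumptions chosen to show the concept.
"""
import hashlib
import hmac
from collections import defaultdict, deque

DEAUTH = 0xC0  # 802.11 type/subtype byte of a deauthentication frame


def make_frame(subtype, sa, da, bssid, seq, t, body=b"\x00\x03"):
    # body b"\x00\x03" = reason code 3, "deauthenticated because sending STA is leaving"
    return {"subtype": subtype, "sa": sa, "da": da, "bssid": bssid,
            "seq": seq, "t": t, "body": body}


def deauth_flood(frames, window_s=1.0, threshold=10):
    """Without MFP the only signal is volume: count deauth frames per BSSID in a
    sliding time window and report the BSSIDs that cross the threshold."""
    recent = defaultdict(deque)
    alarms = set()
    for f in sorted(frames, key=lambda fr: fr["t"]):
        if f["subtype"] != DEAUTH:
            continue
        q = recent[f["bssid"]]
        q.append(f["t"])
        while q and f["t"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            alarms.add(f["bssid"])
    return alarms


def mic(key, f):
    """MIC over everything an attacker would need to forge: subtype, addresses,
    sequence number and body."""
    msg = b"|".join([bytes([f["subtype"]]), f["sa"].encode(), f["da"].encode(),
                     f["bssid"].encode(), f["seq"].to_bytes(2, "big"), f["body"]])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def sign(key, f):
    return {**f, "mic": mic(key, f)}


class MfpVerifier:
    """Receiver side: accept a management frame only if its MIC verifies under the
    key shared with that BSSID and its sequence number has not been accepted before."""

    def __init__(self, keys):
        self.keys = keys                    # bssid -> shared key
        self.seen = defaultdict(set)        # bssid -> sequence numbers already accepted

    def verify(self, f):
        key = self.keys.get(f["bssid"])
        if key is None or "mic" not in f:
            return "no-mic"
        if not hmac.compare_digest(f["mic"], mic(key, f)):
            return "bad-mic"
        if f["seq"] in self.seen[f["bssid"]]:
            return "replay"
        self.seen[f["bssid"]].add(f["seq"])
        return "ok"


AP = "00:1f:3b:1a:a2:01"
CLIENT = "00:1f:3b:7c:a2:13"
KEY = b"constructed-mfp-key-for-this-bssid"


def demo():
    # Constructed traffic: one genuine deauth from the AP, then 20 spoofed ones in
    # half a second that carry the AP's address but no MIC, then the genuine frame
    # captured and replayed.
    genuine = sign(KEY, make_frame(DEAUTH, AP, CLIENT, AP, seq=41, t=10.0))
    spoofed = [make_frame(DEAUTH, AP, CLIENT, AP, seq=100 + i, t=12.0 + i * 0.025)
               for i in range(20)]
    replayed = dict(genuine, t=13.0)
    verifier = MfpVerifier({AP: KEY})
    verdicts = [verifier.verify(f) for f in [genuine, *spoofed, replayed]]
    return deauth_flood([genuine, *spoofed]), verdicts


if __name__ == "__main__":
    flooded, verdicts = demo()
    print("flood alarms:", flooded)
    print("MFP verdicts:", verdicts)
```

The rate detector only raises an alarm after the tenth forged frame, by which time the client has already been disconnected several times; the MIC check rejects the first one. That difference is why the slide presents MFP as prevention rather than detection.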
Benefits of MFP
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml
MFP Status: Infrastructure
WLC screenshot: infrastructure MFP WLAN settings and MFP infrastructure settings.
MFP Configuration: WLAN/Client
WLAN/Client MFP protection is enabled per WLAN in its settings.
MFP client protection requires CCXv5 clients and WPA2 enabled on the WLAN.
MFP Status: Client
A CCXv5 client shows MFP as active.
Cisco Wired IPS Integration
Unified Intrusion Prevention
Business Challenge
Cisco Wired IPS Integration
Configuration
Client Exclusion Policies
Configuration
Feature Specific Deployment Guides
Other Suggested Sessions
Please Visit the Cisco Booth in the
World of Solutions
See the technology in action
Mobility
MOB1 Collaboration in Motion
MOB2 Cisco Unified Wireless Network
MOB3 Mobile High-Speed Performance
with 802.11n
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.