BRKAGG-2015_c2
WLAN Security
Rogue device management
BRKAGG-2015_c2 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Authentication Evolution
WEP
802.1x/Dynamic WEP
WPA/WPA2
WPA/WPA2 Breakdown
Encryption Evolution
Security researchers claim that they can crack the message integrity (MIC) key used in TKIP
Recovery of the MIC key facilitates packet forgeries, but only between AP and client
The encryption key is *not* recovered, therefore data traffic cannot be read via this attack; this is not like the WEP crack of years back
What is the Risk?
Common traffic types, such as ARP and DNS, can be replayed to the client for a very limited duration, at most 7 times
Rogue Devices
What is a Rogue?
Any device that is sharing your spectrum but is not managed by you
The majority of rogues are set up by insiders (low cost, convenience, ignorance)
Figure: rogue detection across the network core, distribution and access layers; authorized APs perform RRM scanning and RLDP, a rogue detector AP sits on the wire, and rogue APs appear at the access layer.
Detect
Every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)
Figure: an AP on channel 36 (802.11a/n US country channels, without UNII-2 Extended) returns to channel 36 between 50ms off-channel dwells on 40, 44, 48, 52, 56, 60, 64, 149 and so on, with 10ms channel changes on either side and ~14.5s between dwells.
Every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)
Each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration
Figure: 802.11a/n, all channels: the AP dwells 1.2s on each channel in turn (36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, ...), with 10ms channel changes.
Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
Classify
Classification based on threat severity and mitigation action
Rules tailored to the customer's risk model
Lower severity: off-network, secured, foreign SSID, weak RSSI, distant location, no clients
Higher severity: on-network, open, our SSID, strong RSSI, on-site location, attracts clients
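The severity columns above as an executable rule table (added example, not Cisco WLC/WCS code): each attribute pair becomes a weighted rule, the total selects a severity band, and the band drives the mitigation action. The weights, thresholds and sample SSIDs are assumptions.

```python
"""Rule-based rogue AP severity scoring built from the six attribute pairs on the
slide (on/off network, open/secured, our/foreign SSID, RSSI, location, clients).
Added example, not Cisco WLC/WCS code; weights, thresholds and SSIDs are assumptions."""
from dataclasses import dataclass


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int      # strongest RSSI reported by any detecting AP
    open_auth: bool    # open authentication / no encryption
    on_wire: bool      # confirmed on the wired network (rogue detector, RLDP or switchport trace)
    on_site: bool      # located inside our floor plan
    clients: int       # rogue clients seen associated to it


OUR_SSIDS = {"corp-wlan", "corp-guest"}   # constructed sample SSIDs

# Customer-tunable rule table: (rule name, predicate, points).  Points are assumptions;
# being on our wire or advertising our SSID weighs far more than RF proximity.
DEFAULT_RULES = [
    ("on-network",  lambda r: r.on_wire,                   40),
    ("open",        lambda r: r.open_auth,                 15),
    ("our SSID",    lambda r: r.ssid.lower() in OUR_SSIDS, 25),
    ("strong RSSI", lambda r: r.rssi_dbm >= -70,           10),
    ("on-site",     lambda r: r.on_site,                   10),
    ("has clients", lambda r: r.clients > 0,               10),
]

# Severity bands (lowest qualifying score) and the mitigation action each one drives.
BANDS = [(60, "High",   "alert, locate and contain"),
         (30, "Medium", "alert and locate"),
         (0,  "Low",    "monitor only")]


def score(rogue, rules=DEFAULT_RULES):
    """Return (total points, names of the rules that fired) for one rogue."""
    fired = [(name, pts) for name, pred, pts in rules if pred(rogue)]
    return sum(p for _, p in fired), [n for n, _ in fired]


def classify(rogue, rules=DEFAULT_RULES):
    """Map a rogue to (severity, mitigation action, fired rule names)."""
    total, fired = score(rogue, rules)
    severity, action = next((s, a) for floor, s, a in BANDS if total >= floor)
    return severity, action, fired


if __name__ == "__main__":
    # Constructed observations: one per column of the slide's severity table.
    neighbour = Rogue("00:11:22:33:44:55", "cafe-free", -88, True, False, False, 0)
    insider = Rogue("00:09:5b:9c:87:68", "corp-wlan", -55, True, True, True, 3)
    for r in (neighbour, insider):
        print(r.bssid, *classify(r))
```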
Rogue Detector
Figure: an authorized AP and a rogue detector AP on an L2 switched network; the rogue detector connects through a trunk port and sees client ARPs on the wire.
Detects all rogue client and AP ARPs
The controller queries the rogue detector to determine if rogue clients are on the network
Does not work with NAT APs
Figure: the rogue detector AP reports a wired rogue to the WLC, and WCS raises the alert.
Security Alert: Rogue with MAC Address: 00:09:5b:9c:87:68 has been detected on the wired network
Rogue detector debug output:
> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6652 found on net msg
RLDP (Rogue Location Discovery Protocol)
Figure: a managed AP connects to the rogue AP as a client over the routed/switched network and sends a packet back to the controller.
Connects to the rogue AP as a client
Sends a packet to the controller's IP address
Only works with open rogue access points
Figure: RLDP result reported through the WLC to WCS.
Security Alert: Rogue with MAC Address: 00:13:5f:fa:27:c0 has been detected on the wired network
WLC debug output:
> debug dot11 rldp
Successfully associated with rogue: 00:13:5f:fa:27:c0
Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142
AP console output:
%LWAPP-5-RLDP: RLDP started on slot 0.
%LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
%LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
%LWAPP-5-RLDP: RLDP stopped on slot 0.
Recommended: Monitor Mode APs
RLDP can impact service on client-serving APs
WLC RLDP debug output (full sequence):
Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
RLDP DHCP REQUEST RECV for rogue 00:13:5f:fa:27:c0
Received DHCP packet with xid 0xb080d074 from rogue AP 00:1d:70:f0:d4:c1
RLDP DHCP REQUEST received for rogue 00:13:5f:fa:27:c0
BOOTP[rldp] op: REPLY
RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.198 (00:1D:70:F0:D4:C1) (gateway)
Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:21:d8:48:c1:61
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Sending ARLDP packet to 00:1f:9e:9b:29:80 from 00:21:d8:48:c1:61
Send ARLDP to 0.0.0.0 (00:1D:70:F0:D4:C1) (gateway)
Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:21:d8:48:c1:61
Received 32 byte ARLDP message from: 172.20.226.253:52142
Packet Dump: sourceIp: 172.20.226.253 destIp: 172.20.226.197 Rogue Mac: 00:13:5F:FA:27:C0
RLDP works only if the rogue is connected to a VLAN that routes to the wireless LAN controller
RLDP will not work on rogues in DFS channels
RLDP will attempt to identify each rogue AP only once
If the process fails, RLDP will not re-run
Switchport Tracing
Concept
Figure: WCS queries the CAM tables of the switches neighboring the detecting AP until a match for the rogue is found.
WCS Switchport Tracing identifies the CDP neighbors of the APs detecting the rogue
Queries the switches' CAM tables for the rogue's MAC
Works for rogues with security and NAT
WCS switchport tracing output:
Switch port tracing started for rogue AP 00:09:5B:9C:87:68
Rogue AP 00:09:5B:9C:87:68 vendor is Netgear
Following MAC addresses will be searched: 00:09:5B:9C:87:68, 00:09:5B:9C:87:67, 00:09:5B:9C:87:69
Following rogue client MAC addresses will be searched: 00:21:5D:AC:D8:98
Following vendor OUIs will be searched: 00:0F:B5, 00:22:3F, 00:1F:33, 00:18:4D, 00:14:6C, 00:09:5B
Rogue AP 00:09:5B:9C:87:68 was reported by following APs: 1140-1
Reporting AP 1140-1 is connected to switch 172.20.226.193
Following are the Ethernet switches found at hop 0: 172.20.226.193
Started tracing the Ethernet switch 172.20.226.193 found at hop 0
Tracing is in progress for Ethernet switch 172.20.226.193
MAC entry 00:09:5B:9C:87:69 (MAC address +1/-1) found. Ethernet Switch: 172.20.226.193, VLAN: 113, Port: GigabitEthernet1/0/33
Finished tracing all the Ethernet switches at hop 0
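The match logic behind the trace above (added example, not Cisco WCS code): it derives the +1/-1 candidates, rogue client MACs and vendor OUIs the log lists, searches a constructed CAM table for switch 172.20.226.193, and ranks hits by how strongly each match type ties the rogue to a port. The CAM entries other than the slide's own hit, and the ranking, are assumptions.

```python
"""Switchport-tracing match logic as the WCS trace above shows it: search switch CAM
tables for the rogue BSSID, its +1/-1 neighbours, known rogue client MACs and the rogue
vendor's OUIs.  Added example, not Cisco WCS code; the CAM table below is constructed."""

MAC_MASK = 0xFFFFFFFFFFFF
# Confidence order: an exact or +1/-1 hit pins the rogue's own port; a client hit pins
# the rogue's port only if the client is wired through it; an OUI hit may be any device
# from that vendor, which is why switchport tracing rates as "moderate" accuracy.
RANK = {"exact": 0, "MAC address +1/-1": 1, "rogue client": 2, "vendor OUI": 3}


def mac_to_int(mac):
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def int_to_mac(n):
    return ":".join(f"{(n >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def neighbour_macs(bssid):
    """BSSID, BSSID-1 and BSSID+1: a rogue AP's wired MAC usually sits next to its BSSID."""
    n = mac_to_int(bssid)
    return int_to_mac(n), int_to_mac((n - 1) & MAC_MASK), int_to_mac((n + 1) & MAC_MASK)


def trace(bssid, client_macs, vendor_ouis, cam_table):
    """Return CAM entries that match the rogue, best evidence first."""
    exact, *plus_minus = neighbour_macs(bssid)
    clients = {int_to_mac(mac_to_int(m)) for m in client_macs}
    ouis = {o.upper() for o in vendor_ouis}
    matches = []
    for entry in cam_table:
        mac = int_to_mac(mac_to_int(entry["mac"]))   # normalise switch formatting
        if mac == exact:
            kind = "exact"
        elif mac in plus_minus:
            kind = "MAC address +1/-1"
        elif mac in clients:
            kind = "rogue client"
        elif mac[:8] in ouis:
            kind = "vendor OUI"
        else:
            continue
        matches.append({"type": kind, **entry, "mac": mac})
    return sorted(matches, key=lambda m: RANK[m["type"]])


# Constructed CAM table for switch 172.20.226.193 (the first entry is the slide's own hit).
CAM_TABLE = [
    {"switch": "172.20.226.193", "vlan": 113, "port": "GigabitEthernet1/0/33", "mac": "0009.5b9c.8769"},
    {"switch": "172.20.226.193", "vlan": 113, "port": "GigabitEthernet1/0/12", "mac": "000f.b512.3456"},
    {"switch": "172.20.226.193", "vlan": 20,  "port": "GigabitEthernet1/0/1",  "mac": "001f.9e9b.2980"},
]

if __name__ == "__main__":
    for m in trace("00:09:5B:9C:87:68", ["00:21:5D:AC:D8:98"], ["00:0F:B5", "00:09:5B"], CAM_TABLE):
        print(m)
```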
Add switches via IP, wildcard or CSV file
SNMP R/W or SNMP R/O credentials
Accuracy by method
Rogue Detector: High
RLDP: 100%
Switchport Tracing: Moderate
Mitigate
Rogue Location
On-Demand with WCS
Allows an individual rogue AP to be located on demand
Keeps no historical record of rogue location
Does not locate rogue clients
Rogue Location
In real time with WCS and MSE Context-Aware
Tracks multiple rogues in real time (up to MSE limits)
Can track and store rogue location historically
Provides location of rogue clients
Provides location of rogue ad-hoc networks
Rogue Containment
Concept
Figure: an authorized AP sends de-authentication packets to both the rogue AP and the rogue client.
Rogue AP containment sends de-authentication packets to the client and the AP
Can use local, monitor mode or H-REAP APs
Impacts client performance on the managed AP
Rogue Containment
Operation
Figure: containment of rogue 00:09:5b:9c:87:68 initiated from WCS and the WLC.
Rogue Containment
AP Containment Methods
Table: Scenario vs Containment Method (scenario shown: Rogue AP Only).
Rogue Containment
Auto-Containment
Figure: WLC auto-containment settings.
Rogue Containment
Auto-Containment of Valid Client on Rogue AP
Figure: a valid client associated to a rogue AP is seen by a neighbor AP; the WLC consults ACS to recognise the client as valid.
Rogue Containment
Operation (Cont)
Containment sends a minimum of 2 packets every 100ms (20 packets per second)
Figure: containment packet timing at ~100ms intervals.
Maximum rogues contained per AP: 3 in Local Mode, 6 in Monitor Mode
Rogue Containment
Caveats
An access point performing containment will offer reduced performance to data clients and lower voice quality.
Figure: data performance and voice performance with and without containment.
Test setup: Cisco 1250, 802.11n client, 40MHz channel, IxChariot traffic, 3 rogue APs on separate channels
Rogue Containment
FAQ
Containment packets are sent at the lowest enabled data rate and at the power level of the access point.
If the rogue disappears, does containment stop automatically?
Yes, but the rogue entry stays in the WLC as containment pending and will be contained again if it reappears.
Will doing a 4 AP containment cause the participating APs to share the containment load?
No, APs do not share the containment load; each will send a minimum of 20 packets per second.
WLAN Security
Vulnerabilities and Threats
Figure: on-wire attacks (ad-hoc wireless bridge from a hacker) and over-the-air attacks (evil twin/honeypot AP, reconnaissance, connection to a malicious AP, denial of service, cracking tools, service disruption).
WLAN Security
Denial of Service Attacks
RF Jamming
Any intentional or unintentional RF transmitter in the same frequency can adversely affect the WLAN
Wireless Security
MAC Address Spoofing
As with wired networks, MAC address and IP address spoofing are possible, if not easy, in wireless networks
Outsider (hostile) attack scenario:
Does not know the key/encryption policy
IP address spoofing is not possible if encryption is turned on (DHCP messages are encrypted between the client and the AP)
MAC address spoofing alone (i.e., without IP address spoofing) may not buy much if encryption is turned on
Wireless Security:
Sniffing and Reconnaissance
First, sniffing, or capturing packets over the air, is an extremely useful troubleshooting methodology
Sniffing, in the old days, was reliant on very specific cards and drivers
Very easy to find support for most cards and drivers today
Cost (if you like to pay for it) of such software is negligible (or just use free/open source software)
Provides insight (with physical proximity) into the network, services and devices, which comes in handy when performing network reconnaissance
Wireless Security
Man in the Middle Attack
A MiTM is when an attacker poses as the network to the client(s) and as a client to the actual network
The attacker forces a legitimate client off the network
The attacker lures the client to a honeypot
The attacker gains security credentials by intercepting user traffic
Ounce of Prevention
Stop the Attack Before It Happens
Figure: the same on-wire and over-the-air attack map (ad-hoc wireless bridge, evil twin/honeypot AP, reconnaissance, connection to malicious AP, denial of service, cracking tools, service disruption), with the countermeasures annotated:
MFP neutralizes all AP management frame exploits, such as man-in-the-middle attacks
Rogue access points: rogue detection, classification and mitigation addresses these attacks
Adaptive wIPS
Figure: WCS, WLCs with their APs, and the MSE.
No alarm correlation
Only 17 signatures
2. WCS queries the MSE database during report generation
3. Reports are created and viewed at WCS
Adaptive wIPS
Types of Reports
Adaptive wIPS
Creating Reports
Filter by MSE or by WLC
Example Reports
wIPS Alarm List
Attack Timeline
wIPS Top 10 APs
Alarm Severities
Rogues by Category
Adaptive wIPS
Components and Functions
Over-the-Air Detection
wIPS AP Management
Monitoring, Reporting
Supports Adaptive wIPS for up to 2000 Monitor Mode APs; supports Context Aware for up to 2000 tracked devices; requires WLC software version 4.2.130 or later and WCS version 5.2 or later.
Supports Adaptive wIPS for up to 3000 Monitor Mode APs; supports Context Aware for up to 18000 tracked devices; requires WLC software version 4.2.130 or later and WCS version 5.1 or later.
Mobility services may have different WLC/WCS software requirements
Adaptive wIPS is licensed on a per-monitor-mode-AP basis
Figure: wIPS detection flow. wIPS AP 00:55:9A:6A:34:01 observes AP 00:1F:3B:1A:A2:01, AP 00:1F:3B:7C:A2:13 and a client; a second source using 00:1F:3B:7C:A2:13 is flagged as a spoofed MAC against the device database and attack library, and the alarm is written to the alarm database and forensics database.
3. Passed transparently to MSE via NMSP
4. Logged into the wIPS database on the MSE; sent to WCS via SNMP trap
5. Displayed at WCS
Adaptive wIPS
A New Form of Monitor Mode
wIPS mode only available for 1130, 1240, 1140 and 1250.
Placement, Density
Range
Client-serving AP typically covers 3000-5000 square feet
Monitor-mode wIPS APs do not serve clients, thus have greater range
wIPS AP typically covers 15,000-35,000 square feet
Ratio of wIPS monitor-mode APs to local-mode traffic APs varies by network design, but a 1:5 ratio is a reasonable estimate
wIPS APs can simultaneously run context-aware location in monitor mode
Cisco RF expertise ensures maximum coverage
Examples:
Deployment        | Size         | Level  | Density     | # of wIPS APs
Financial Office  | 200,000 sqft | Gold   | 15,000 sqft | 14
Enterprise Office | 200,000 sqft | Silver | 20,000 sqft | 10
Warehouse         | 200,000 sqft | Silver | 30,000 sqft | 5
Solution
Insert a signature (Message Integrity Code/MIC) into the management frames
Clients and APs use the MIC to validate the authenticity of management frames
APs can instantly identify rogue/exploited management frames
Figure: protected management frame exchange (authentications/de-authentications).
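The MIC idea above as a runnable sketch (added example; not Cisco MFP or 802.11w code): a keyed MIC over each de-authentication frame lets the receiver reject frames from any sender without the key, and a per-sender counter lets it reject replays of captured frames. The truncated HMAC-SHA256, the counter layout, the key and the MAC addresses are assumptions standing in for the real construction.

```python
"""How a management-frame MIC lets an AP or client reject forged frames, as on the slide.
Added example, not Cisco MFP or 802.11w code: an 8-byte truncated HMAC-SHA256 and a
per-sender replay counter stand in for the real MIC construction.  Key and MACs are constructed."""
import hashlib
import hmac
import struct

DEAUTH = 0x0C            # 802.11 management frame subtype: de-authentication
HDR = "!B6s6sI"          # subtype, source MAC, destination MAC, replay counter
HDR_LEN = struct.calcsize(HDR)
MIC_LEN = 8


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(subtype, src, dst, seq, body, key):
    """Sign header and body so that addresses, counter and reason code are all covered."""
    hdr = struct.pack(HDR, subtype, _mac(src), _mac(dst), seq)
    mic = hmac.new(key, hdr + body, hashlib.sha256).digest()[:MIC_LEN]
    return hdr + body + mic


class Verifier:
    """Receiver-side check: valid MIC and a strictly increasing counter per sender."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def check(self, frame):
        if len(frame) < HDR_LEN + MIC_LEN:
            return "reject: truncated frame"
        hdr, body, mic = frame[:HDR_LEN], frame[HDR_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return "reject: bad MIC (forged or tampered)"
        _, src, _, seq = struct.unpack(HDR, hdr)
        if seq <= self.last_seq.get(src, -1):
            return "reject: replayed frame"
        self.last_seq[src] = seq
        return "accept"


KEY = b"constructed-demo-mfp-key"
AP, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed, locally administered

if __name__ == "__main__":
    v = Verifier(KEY)
    genuine = build_frame(DEAUTH, AP, CLIENT, 1, b"\x00\x07", KEY)      # reason code 7
    unsigned = build_frame(DEAUTH, AP, CLIENT, 2, b"\x00\x07", b"no-key")  # sender lacks the key
    print(v.check(genuine), "|", v.check(genuine), "|", v.check(unsigned))
```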
Benefits of MFP
Attack Protection: for rogue AP, man-in-the-middle exploits, and other management frame attacks
Increases the fidelity of rogue AP and WLAN IDS signature detection
Attack Prevention: will be supported in clients capable of decrypting the signature (CCXv5 clients)
Integration with other Cisco security monitoring solutions in order to characterize attack vectors (rules-based correlation)
Cisco security leadership and innovation
Proposed standard: IEEE 802.11w (~Dec 2009)
CCX: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_concept_home.html
MFP Configuration
Infrastructure
Configured globally on a per-controller basis
Can be overridden for specific APs and WLANs
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml
MFP Status
Infrastructure
MFP Configuration
WLAN/Client
MFP Status
Client
Figure: an L2 IDS on the wireless side and an L3-7 IDS on the wired side; malicious traffic from a wireless client is detected and the client connection blocked.
Inspects traffic flow for harmful applications and blocks wireless client connections
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.