Integrated Defense-in-Depth Security for WLANs

BRKAGG-2015_c2

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

WLAN Security Components

- Strong authentication
- Strong encryption
- Rogue device management
- Attack detection and mitigation

Authentication and Encryption: Best Practices

Authentication Evolution

- MAC address authentication
- WEP
- 802.1x/Dynamic WEP
- WPA/WPA2

WPA/WPA2 Breakdown


Authentication Best Practices: WPA2-Enterprise

EAP Protocol Flow

(Diagram: EAP exchange between Client, Authenticator and Authentication Server; the authenticator side is carried over CAPWAP between AP and controller.)

Encryption Evolution


The TKIP Vulnerability

Once thought safe, TKIP encryption is cracked:
http://www.pcworld.com/businesscenter/article/153396/once_thought_safe_wpa_wifi_encryption_is_cracked.html

- Security researchers claim that they can crack the message integrity check (MIC) key used in TKIP
- Recovery of the MIC key facilitates packet forgeries, but only between AP and client
- The encryption key is *not* recovered, therefore data traffic cannot be read via this attack; this is not like the WEP crack of years back

What is the risk?
- Common traffic types, such as ARP and DNS, can be replayed to the client for a very limited duration, at most 7 times

Encryption Best Practices: TKIP and AES

Rogue Detection, Classification and Mitigation


Rogue Devices

What is a rogue?
- Any device that is sharing your spectrum but is not managed by you
- The majority of rogues are set up by insiders (low cost, convenience, ignorance)

When is a rogue dangerous?
- When it is set up to use the same ESSID as your network (honeypot)
- When it is detected to be on the wired network too
- Ad-hoc rogues are arguably a big threat, too! Set up by an outsider, most times, with malicious intent

What needs to be done?
- Detect
- Classify (over-the-air, and on-the-wire)
- Mitigate (shutdown, contain, etc.)

Phases of Rogue Management


Cisco Rogue Management Diagram

(Diagram: Wireless Control System (WCS) and Wireless LAN Controller at the network core; distribution and access layers with authorized APs, rogue APs and a rogue detector AP. Multiple detection methods are shown: switchport tracing from WCS, RLDP, RRM scanning by the authorized APs, and the wired rogue detector.)

Listening for Rogues (Detect)

Two different AP modes for RRM scanning

RRM Channel Scanning: Local Mode AP (Detect)

AP on channel 1, 802.11b/g/n, US country channels:
- The AP returns to its home channel between each 50 ms off-channel dwell: 1, 2, 1, 3, 1, 4, 1, 5, 1, 6, 1, 7, 1, ...
- Every 16 s, a new channel is scanned for 50 ms (180 s / 11 channels = ~16 s)

AP on channel 36, 802.11a/n, US country channels (without UNII-2 Extended):
- Scan sequence: 36, 40, 36, 44, 36, 48, 36, 52, 36, 56, 36, 60, 36, 64, 36, 149, ...
- Every 14.5 s, a new channel is scanned for 50 ms (180 s / 12 channels = ~14.5 s)

RRM Channel Scanning: Monitor Mode AP (Detect)

802.11b/g/n, all channels:
- The AP dwells 1.2 s on each channel in turn: 1, 2, 3, ..., 14
- Each channel is scanned a total of ~10.7 s ((180 s / 1.2 s) / 14 ch) within the 180 s channel scan duration

802.11a/n, all channels:
- The AP dwells 1.2 s on each channel in turn: 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, ...
- Each channel is scanned a total of ~6.8 s ((180 s / 1.2 s) / 22 ch) within the 180 s channel scan duration

802.11n Rogue Detection (Detect)

Rogue Information Available at WCS and Controller (Detect)

Shown per rogue: network name, radio type (11n), number of clients.

Both local mode and monitor mode APs provide the same information regarding the rogue.

Rogue Classification Rules: Concept (Classify)

- Classification based on threat severity and mitigation action
- Rules tailored to the customer's risk model

Lower severity: off-network, secured, foreign SSID, weak RSSI, distant location, no clients
Higher severity: on-network, open, our SSID, strong RSSI, on-site location, attracts clients

Rogue Classification Rules: Examples (Classify)

Rules are stored and executed on the Wireless LAN Controller.

Rogue Classification Rules: Configuration (Classify)

Rules are sorted by priority.

Rogue Classification Rules: Operation (Classify)
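The slides above describe the rule concept (severity attributes, rules tailored to the risk model, stored on the WLC and sorted by priority) but not how a rule set actually evaluates a rogue. The following is an added example, not Cisco WLC code: a small priority-ordered rule engine in Python. The rogue attributes, rule names, RSSI thresholds, SSID list, action mapping and sample rogues are all constructed.

```python
# Added example, not Cisco WLC code: priority-ordered rogue classification in
# the style of the rule concept on these slides. Attributes, rule names,
# thresholds, the action mapping and the sample rogues are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Rogue:
    mac: str
    ssid: str
    rssi_dbm: int       # strongest RSSI reported by any detecting AP
    on_network: bool    # confirmed on the wire (RLDP, rogue detector or switchport trace)
    secured: bool       # advertises WPA/WPA2 (True) or is open (False)
    clients: int        # number of clients seen on the rogue

@dataclass
class Rule:
    name: str
    priority: int                               # lower number is evaluated first
    classification: str                         # "Malicious" or "Friendly"
    conditions: List[Callable[[Rogue], bool]]

    def matches(self, rogue: Rogue) -> bool:
        # A rule fires only when every one of its conditions holds.
        return all(cond(rogue) for cond in self.conditions)

OUR_SSIDS = {"CORP-WLAN", "CORP-GUEST"}   # constructed

# Higher-severity attributes (on-network, our SSID, open, strong RSSI, attracts
# clients) are matched by the rules with the lowest priority numbers; the
# lower-severity profile (off-network, secured, weak RSSI) is matched last.
RULES = [
    Rule("on-wire", 1, "Malicious", [lambda r: r.on_network]),
    Rule("honeypot-our-ssid", 2, "Malicious", [lambda r: r.ssid in OUR_SSIDS]),
    Rule("open-onsite-with-clients", 3, "Malicious",
         [lambda r: not r.secured, lambda r: r.rssi_dbm >= -70, lambda r: r.clients > 0]),
    Rule("distant-secured-neighbor", 10, "Friendly",
         [lambda r: r.secured, lambda r: r.rssi_dbm < -80,
          lambda r: not r.on_network, lambda r: r.ssid not in OUR_SSIDS]),
]

# Mitigation action per classification (constructed mapping).
ACTIONS = {"Malicious": "critical alarm, eligible for auto-containment",
           "Friendly": "no alarm",
           "Unclassified": "minor alarm, review manually"}

def classify(rogue: Rogue, rules: List[Rule] = RULES) -> Tuple[str, Optional[str], str]:
    """Apply rules in priority order; the first match wins, else Unclassified."""
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.matches(rogue):
            return rule.classification, rule.name, ACTIONS[rule.classification]
    return "Unclassified", None, ACTIONS["Unclassified"]

# Constructed sample rogues (locally administered MAC addresses).
SAMPLE_ROGUES = [
    Rogue("02:00:00:00:00:01", "CORP-WLAN", -75, False, True, 2),    # honeypot using our SSID
    Rogue("02:00:00:00:00:02", "linksys", -60, True, False, 0),      # seen on the wire
    Rogue("02:00:00:00:00:03", "NeighborNet", -88, False, True, 3),  # distant secured neighbour
    Rogue("02:00:00:00:00:04", "FreeWifi", -85, False, False, 0),    # matches no rule
]

def classify_all(rogues: List[Rogue] = SAMPLE_ROGUES) -> dict:
    return {r.mac: classify(r)[0] for r in rogues}

if __name__ == "__main__":
    for r in SAMPLE_ROGUES:
        print(r.mac, r.ssid, "->", classify(r))
```

Because the "on-wire" rule has the lowest priority number, a rogue confirmed on the wired network is classified Malicious regardless of its other attributes, which is the ordering the concept slide implies.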

Rogue Detector AP Mode: Concept (Classify)

(Diagram: rogue AP and authorized AP on an L2 switched network; the rogue detector AP sits on a trunk port and sees the client ARPs.)

- The wired rogue detector AP detects all rogue client and AP ARPs
- The controller queries the rogue detector to determine if rogue clients are on the network
- Does not work with NAT APs

Rogue Detector AP Mode: Deployment Scenario (Classify)

Install one rogue detector per floor (Floor 1, Floor 2 and Floor 3 each get their own rogue detector).

Rogue Detector AP Mode: Operation (Classify)

WCS: Alarm changed from Minor to Critical

WLC: Security Alert: Rogue with MAC Address: 00:09:5b:9c:87:68 has been detected on the wired network

Rogue detector AP console:
> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6652 found on net msg

Rogue Detector AP Mode: Configuration (Classify)

WLC: all radios become disabled in this mode.

Switch port configuration (trunk to the rogue detector AP, with the AP VLAN as native VLAN):
interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 spanning-tree portfast

Rogue Location Discovery Protocol: Concept (Classify)

(Diagram: a managed AP connects to the rogue AP as a client and sends a packet across the routed/switched network to the WLC.)

- RLDP (Rogue Location Discovery Protocol) connects to the rogue AP as a client
- Sends a packet to the controller's IP address
- Only works with open rogue access points

Rogue Location Discovery Protocol: Operation (Classify)

WCS: Alarm changed from Minor to Critical

WLC: Security Alert: Rogue with MAC Address: 00:13:5f:fa:27:c0 has been detected on the wired network

WLC debug:
> debug dot11 rldp
Successfully associated with rogue: 00:13:5f:fa:27:c0
Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142

AP syslog:
%LWAPP-5-RLDP: RLDP started on slot 0.
%LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
%LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
%LWAPP-5-RLDP: RLDP stopped on slot 0.

Rogue Location Discovery Protocol: Automatic Operation (Classify)

Two automatic modes of operation:
- AllAPs: uses both local and monitor mode APs
- MonitorModeAPs: uses only monitor mode APs

Recommended: Monitor Mode APs. RLDP can impact service on client-serving APs.

Rogue Location Discovery Protocol: Manual Operation (Classify)

RLDP can be manually initiated on a rogue MAC address:
config rogue ap rldp initiate <rogue mac>

WLC:
> debug dot11 rldp
> config rogue ap rldp initiate 00:13:5f:fa:27:c0
Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
RLDP DHCP REQUEST RECV for rogue 00:13:5f:fa:27:c0
Received DHCP packet with xid 0xb080d074 from rogue AP 00:1d:70:f0:d4:c1
RLDP DHCP REQUEST received for rogue 00:13:5f:fa:27:c0
BOOTP[rldp] op: REPLY
RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.198 (00:1D:70:F0:D4:C1) (gateway)
Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:21:d8:48:c1:61
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Sending ARLDP packet to 00:1f:9e:9b:29:80 from 00:21:d8:48:c1:61
Send ARLDP to 0.0.0.0 (00:1D:70:F0:D4:C1) (gateway)
Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:21:d8:48:c1:61
Received 32 byte ARLDP message from: 172.20.226.253:52142
Packet Dump: sourceIp: 172.20.226.253 destIp: 172.20.226.197 Rogue Mac: 00:13:5F:FA:27:C0

Rogue Location Discovery Protocol: Caveats (Classify)

- RLDP works only on open rogues (no authentication or encryption)
- RLDP will impact client service when run on a local mode AP
- RLDP works only if the rogue is connected to a VLAN that routes to the wireless LAN controller
- RLDP will not work on rogues in DFS channels
- RLDP will attempt to identify each rogue AP only once; if the process fails, RLDP will not re-run

Switchport Tracing: Concept (Classify)

(Diagram: a managed AP hears the rogue AP; WCS uses "show cdp neighbors" from the detecting AP's switch and searches the CAM tables of the neighboring switches until a match is found.)

- WCS switchport tracing identifies the CDP neighbors of the APs detecting the rogue
- Queries the switches' CAM tables for the rogue's MAC
- Works for rogues with security and NAT

WCS Switchport Tracing: Operation (Classify)

Tracing is done on-demand per rogue AP.

WCS trace log:
Switch port tracing started for rogue AP 00:09:5B:9C:87:68
Rogue AP 00:09:5B:9C:87:68 vendor is Netgear
Following MAC addresses will be searched: 00:09:5B:9C:87:68, 00:09:5B:9C:87:67, 00:09:5B:9C:87:69
Following rogue client MAC addresses will be searched: 00:21:5D:AC:D8:98
Following vendor OUIs will be searched: 00:0F:B5, 00:22:3F, 00:1F:33, 00:18:4D, 00:14:6C, 00:09:5B
Rogue AP 00:09:5B:9C:87:68 was reported by following APs: 1140-1
Reporting AP 1140-1 is connected to switch 172.20.226.193
Following are the Ethernet switches found at hop 0: 172.20.226.193
Started tracing the Ethernet switch 172.20.226.193 found at hop 0
Tracing is in progress for Ethernet switch 172.20.226.193
MAC entry 00:09:5B:9C:87:69 (MAC address +1/-1) found. Ethernet Switch: 172.20.226.193, VLAN: 113, Port: GigabitEthernet1/0/33
Finished tracing all the Ethernet switches at hop 0
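The rogue detector slides (ARP sources on the trunk matched against the WLC's rogue list) and the switchport tracing log above (the rogue MAC, its +1/-1 neighbours, rogue client MACs and vendor OUIs searched in the CAM table) both come down to wired-side MAC matching. The following is an added example, not Cisco or WCS code, that implements that matching in Python. The CAM table and ARP sightings are constructed; the rogue AP MAC, client MAC, OUI list, switch address, VLAN and port reuse the values shown in the trace log.

```python
# Added example, not Cisco or WCS code: the wired-side MAC matching that the
# rogue detector AP and WCS switchport tracing slides describe. The CAM table
# and ARP sightings are constructed; the rogue AP MAC, client MAC, OUI list,
# switch, VLAN and port reuse the values shown in the trace log above.
from typing import Dict, List

def mac_to_int(mac: str) -> int:
    """Accept colon (00:09:5B:9C:87:68) and Cisco dotted (0009.5b9c.8768) forms."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)

def int_to_mac(n: int) -> str:
    n &= 0xFFFFFFFFFFFF                       # stay within 48 bits on wrap-around
    return ":".join(f"{(n >> (8 * i)) & 0xFF:02X}" for i in range(5, -1, -1))

def canonical(mac: str) -> str:
    return int_to_mac(mac_to_int(mac))

def oui(mac: str) -> str:
    return canonical(mac)[:8]

# Match types in decreasing order of confidence, used to rank results.
RANK = {"Rogue AP MAC": 0, "MAC address +1/-1": 1, "Rogue client MAC": 2, "Vendor OUI": 3}

def search_plan(rogue_ap: str, rogue_clients: List[str], vendor_ouis: List[str]) -> Dict[str, str]:
    """Candidate MACs and OUIs to look for, as WCS lists them before tracing."""
    base = mac_to_int(rogue_ap)
    plan = {canonical(rogue_ap): "Rogue AP MAC"}
    for n in (base - 1, base + 1):            # wired MAC is often adjacent to the radio MAC
        plan[int_to_mac(n)] = "MAC address +1/-1"
    for c in rogue_clients:
        plan.setdefault(canonical(c), "Rogue client MAC")
    for o in vendor_ouis:
        plan.setdefault(o.upper(), "Vendor OUI")   # 8-character prefix keys
    return plan

def trace(cam_table: List[dict], plan: Dict[str, str]) -> List[dict]:
    """Tag each CAM entry that matches the plan and sort the hits by confidence."""
    hits = []
    for entry in cam_table:
        mac = canonical(entry["mac"])
        match = plan.get(mac)
        if match is None and plan.get(oui(mac)) == "Vendor OUI":
            match = "Vendor OUI"
        if match:
            hits.append({**entry, "mac": mac, "match_type": match})
    return sorted(hits, key=lambda h: RANK[h["match_type"]])

def rogue_detector_matches(arp_sources: List[str], wlc_rogue_list: List[str]) -> List[str]:
    """Rogue detector AP logic: ARP source MACs seen on the trunk that the WLC lists as rogues."""
    rogues = {canonical(m) for m in wlc_rogue_list}
    return sorted({canonical(m) for m in arp_sources} & rogues)

# Values from the trace log above.
ROGUE_AP = "00:09:5B:9C:87:68"
ROGUE_CLIENTS = ["00:21:5D:AC:D8:98"]
VENDOR_OUIS = ["00:0F:B5", "00:22:3F", "00:1F:33", "00:18:4D", "00:14:6C", "00:09:5B"]

# Constructed CAM table for switch 172.20.226.193 (dotted form, as IOS prints it).
CAM_TABLE = [
    {"switch": "172.20.226.193", "vlan": 20,  "port": "GigabitEthernet1/0/2",  "mac": "0009.5b12.3456"},
    {"switch": "172.20.226.193", "vlan": 113, "port": "GigabitEthernet1/0/33", "mac": "0009.5b9c.8769"},
    {"switch": "172.20.226.193", "vlan": 113, "port": "GigabitEthernet1/0/7",  "mac": "0200.0000.0099"},
]

# Constructed ARP sightings on the rogue detector's trunk and the WLC's rogue list.
ARP_SEEN = ["0021.4458.6652", "0200.0000.0099"]
WLC_ROGUE_LIST = ["00:21:44:58:66:52", ROGUE_AP]

def run_trace() -> List[dict]:
    return trace(CAM_TABLE, search_plan(ROGUE_AP, ROGUE_CLIENTS, VENDOR_OUIS))

if __name__ == "__main__":
    for h in run_trace():
        print(f"{h['match_type']:18} {h['mac']} switch {h['switch']} VLAN {h['vlan']} port {h['port']}")
    print("rogue detector:", rogue_detector_matches(ARP_SEEN, WLC_ROGUE_LIST))
```

Note the ranking: the +1/-1 hit on GigabitEthernet1/0/33 is reported before the vendor-OUI-only hit on GigabitEthernet1/0/2, which is why an OUI match alone should not be used to shut a port without a second look.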

WCS Switchport Tracing: Operation (Cont) (Classify)

The WCS trace result lists, per port, the match type and the number of MACs found on the port, with a control to shut the port.

WCS Switchport Tracing: Configuration (Classify)

- Add switches via IP, wildcard or CSV file
- SNMP R/W or SNMP R/O credentials

WCS Switchport Tracing: Configuration (Cont) (Classify)

- Configure search methods
- Exclude vendors from the OUI search

Wired-Side Tracing Techniques: Comparison (Classify)

Switchport Tracing
- How it works: 1. AP hears rogue over the air; 2. Detecting AP advises of nearby switches; 3. Trace starts on nearby switches; 4. Results reported in order of probability; 5. Administrator may disable the port
- What it detects: open APs, secured APs, NAT APs
- Accuracy: moderate

RLDP
- How it works: 1. AP hears rogue over the air; 2. Detecting AP connects as a client to the rogue AP; 3. Detecting AP sends an RLDP packet; 4. If the RLDP packet is seen at the WLC, the rogue is on the wire
- What it detects: open APs, NAT APs
- Accuracy: 100%

Rogue Detector
- How it works: 1. Place the detector AP on a trunk; 2. Detector receives all rogue MACs from the WLC; 3. Detector AP matches rogue MACs from wired-side ARPs
- What it detects: open APs, secured APs, NAT APs
- Accuracy: high

Rogue Location: On-Demand with WCS (Mitigate)

- Allows an individual rogue AP to be located on demand
- Keeps no historical record of rogue location
- Does not locate rogue clients

Rogue Location: In Real Time with WCS and MSE Context-Aware (Mitigate)

- Tracks multiple rogues in real time (up to MSE limits)
- Can track and store rogue location historically
- Provides the location of rogue clients
- Provides the location of rogue ad-hoc networks

Rogue Containment: Concept (Mitigate)

(Diagram: an authorized AP sends de-auth packets toward the rogue AP and the rogue client.)

- Rogue AP containment sends de-authentication packets to the client and the AP
- Can use local, monitor mode or H-REAP APs
- Impacts client performance on the managed AP

Rogue Containment: Operation (Mitigate)

(Screenshots: containing rogue 00:09:5b:9c:87:68 from WCS and from the WLC.)

1 to 4 APs can be used for containment.

Rogue Containment: AP Containment Methods (Mitigate)

Scenario and containment method:
- Rogue AP only: broadcast deauth frames only
- Rogue AP and client(s): broadcast and unicast deauth frames

Rogue Containment: Auto-Containment (Mitigate)

- Use auto-containment to nullify the most alarming threats
- Containment can have legal consequences when used improperly

Rogue Containment: Auto-Containment of Valid Client on Rogue AP (Mitigate)

(Diagram: the WLC checks a client against the corporate valid client list held on ACS; a valid client that associates to a neighbor or rogue AP is contained from the invalid AP.)

Rogue Containment: Client Containment Method (Mitigate)

Scenario and containment method:
- Rogue client only: unicast deauth frames only

Rogue client containment is used to kick only one client off the rogue AP. A broadcast de-auth is not used (unlike other containment scenarios).

Ideal when a managed client associates to a friendly AP (example: a neighboring Starbucks).

Rogue Containment: Operation (Cont) (Mitigate)

- Containment sends a minimum of 2 packets every ~100 ms (20 packets per second)
- A local mode AP can contain 3 rogues per radio
- A monitor mode AP can contain 6 rogues per radio

Rogue Containment: Caveats (Mitigate)

An access point performing containment will offer reduced performance to data clients and lower voice quality.

(Charts: data performance and voice performance while containing.)

Test setup: Cisco 1250, 802.11n client, 40 MHz channel, IxChariot traffic, 3 rogue APs on separate channels

Rogue Containment: FAQ (Mitigate)

Containment packets are sent at the lowest enabled data rate and at the power level of the access point.

If the rogue disappears, does containment stop automatically?
Yes, but the rogue entry stays in the WLC as "containment pending" and will be contained again if it reappears.

Will doing a 4 AP containment cause the participating APs to share the containment load?
No, APs do not share the containment load; each will send a minimum of 20 packets per second.

Security Attack Detection and Mitigation


WLAN Security: Vulnerabilities and Threats

On-wire attacks:
- Ad-hoc wireless bridge: client-to-client backdoor access
- Rogue access points: backdoor network access

Over-the-air attacks:
- Evil twin / honeypot AP: connection to a malicious AP
- Reconnaissance: seeking network vulnerabilities
- Denial of service: service disruption
- Cracking tools: sniffing and eavesdropping

WLAN Security: Denial of Service Attacks

RF jamming
- Any intentional or unintentional RF transmitter in the same frequency can adversely affect the WLAN

DoS using 802.11 management frames
- Management frames are not authenticated today
- Trivial to fake the source of a management frame
- De-authentication floods are probably the most worrisome

Misuse of spectrum (CSMA/CA egalitarian access!)
- Silencing the network with RTS/CTS floods, big-NAV attacks

802.1X authentication floods and dictionary attacks
- Overloading the system with unnecessary processing
- Legacy implementations are prone to dictionary attacks, in addition to other algorithm-based attacks

Wireless Security: MAC Address Spoofing

As with wired networks, MAC address and IP address spoofing are possible, if not easy, in wireless networks.

Outsider (hostile) attack scenario
- Does not know the key/encryption policy
- IP address spoofing is not possible if encryption is turned on (DHCP messages are encrypted between the client and the AP)
- MAC address spoofing alone (i.e., without IP address spoofing) may not buy much if encryption is turned on

Insider attack scenario
- Seeking to obtain users' secure info
- MAC address and IP address spoofing will not succeed if EAP/802.1x authentication is used (a unique encryption key is derived per user, i.e., per MAC address)

Wireless Security: Sniffing and Reconnaissance

- First, sniffing, or capturing packets over the air, is an extremely useful troubleshooting methodology
- Sniffing, in the old days, was reliant on very specific cards and drivers
- It is very easy to find support for most cards and drivers today
- The cost (if you like to pay for it) of such software is negligible (or just use free/open source software)
- It provides an insight (with physical proximity) into the network, services and devices, which comes in handy when performing network reconnaissance

Wireless Security: Man in the Middle Attack

A MiTM is when an attacker poses as the network to the client(s) and as a client to the actual network:
- The attacker forces a legitimate client off the network
- The attacker lures the client to a honeypot
- The attacker gains security credentials by intercepting user traffic

Very easy to do with:
- Sniffing and war-driving to identify targets
- MAC address spoofing
- Rogue device setup
- DoS attacks

Quick Look: Common WLAN Exploits/Tools

- Remote-Exploit/Backtrack/Auditor
- Aircrack, WEPcrack, etc.
- coWPAtty
- Kismet
- NetStumbler, Hotspotter, etc.
- AirSnort
- Sniffing tools: OmniPeek, Wireshark
- dsniff, nmap
- wellenreiter
- asleap

Ounce of Prevention: Stop the Attack Before It Happens

(Same threat diagram as "Vulnerabilities and Threats" above: ad-hoc wireless bridge, rogue access points, evil twin/honeypot AP, reconnaissance, denial of service and cracking tools. Cisco wIPS detects these attacks.)

Ounce of Prevention: Stop the Attack Before It Happens (Cont)

The same threat diagram, with the countermeasure for each attack class:
- MFP neutralizes all AP management frame exploits, such as man-in-the-middle attacks
- Rogue detection, classification and mitigation addresses these attacks (rogue access points)
- WPA2/802.11i neutralizes recon and cracking attacks

Cisco's Attack Detection Mechanisms

Adaptive wIPS Differences from Base Controller IDS


Adaptive wIPS Difference #1: Alarm Aggregation and Correlation

- Base controller IDS: AP -> WLC -> WCS, with no alarm correlation
- Adaptive wIPS: AP -> WLC -> MSE -> WCS

Adaptive wIPS Difference #2: Breadth of Alarms Detected

- Base controller IDS: only 17 signatures
- Adaptive wIPS: (full alarm list shown on the slide)

Adaptive wIPS Difference #2 (Cont): Attack Encyclopedia

- Available for each alarm
- Accessible from the wIPS profile page

Adaptive wIPS Difference #3: Forensic Packet Capture

(Screenshots of the forensic packet capture option and a captured trace.)

Adaptive wIPS Difference #4: Historic Reporting

1. Alarm information is stored in the MSE database (a maximum of 6 million alarms is stored)
2. WCS queries the MSE database during report generation
3. Reports are created and viewed at WCS

Adaptive wIPS: Types of Reports

wIPS Alarm List Report
- Use: historic reporting of attacks
- Summarized list of the alarms contained within the MSE
- Contains alarm type, source MAC, detecting AP, first seen time, last seen time

wIPS Top 10 AP Report
- Use: identifying hot zones of attack
- The top 10 wIPS access points with the most alarms
- Includes critical, major, minor and warning levels of alarms

Adaptive wIPS: Creating Reports

- Filter by MSE or by WLC
- Add/remove columns
- Sort by columns

Example Report: wIPS Alarm List

(Screenshot: alarm list with attack timeline.)

Example Report: wIPS Top 10 APs

(Screenshot: top 10 APs broken down by alarm severity.)

WCS Security Dashboard

- Controller IDS and Adaptive wIPS alarms
- Security index
- Rogues by category

Adaptive wIPS: Components and Functions

- Over-the-air detection
- wIPS AP management
- Complex attack analysis, forensics, events
- Monitoring, reporting

Mobility Services Engine: Support for Cisco Motion Services

3310 Mobility Services Engine
- Supports Adaptive wIPS for up to 2000 monitor mode APs
- Supports Context Aware for up to 2000 tracked devices
- Requires WLC software version 4.2.130 or later and WCS version 5.2 or later

3350 Mobility Services Engine
- Supports Adaptive wIPS for up to 3000 monitor mode APs
- Supports Context Aware for up to 18000 tracked devices
- Requires WLC software version 4.2.130 or later and WCS version 5.1 or later

Mobility services may have different WLC/WCS software requirements. Adaptive wIPS is licensed on a per-monitor-mode-AP basis.

wIPS System Communication Diagram

The MSE is not in the data path.

wIPS AP Detection Logic

(Diagram: the wIPS AP checks each observed station, e.g. client 00:1F:3B:7C:A2:13 on AP 00:1F:3B:1A:A2:01, against the 802.11 state machine: 1. Authenticated, 2. Associated, 3. Passing Data. When it sees data it asks "Authentication? Association?", consulting its device database and attack library; a station whose frames do not fit the state it is in is reported as a spoofed MAC.)
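The detection-logic slide shows the state machine but not the check itself. The following is an added example, not Cisco wIPS code: a per-station tracker that replays a frame sequence through the three 802.11 states and raises an alarm whenever a frame is inconsistent with the state the station is in, which is how a cloned client MAC stands out. The frame trace is constructed as (frame type, transmitter MAC) tuples; parsing real 802.11 headers is out of scope.

```python
# Added example, not Cisco wIPS code: per-station 802.11 state tracking of the
# kind the detection-logic slide sketches. The frame trace is constructed as
# (frame type, transmitter MAC) tuples; parsing real 802.11 headers is out of scope.
from typing import Dict, List, Tuple

UNAUTH, AUTH, ASSOC = 0, 1, 2       # 802.11 station states, in order

def track(frames: List[Tuple[str, str]]) -> Tuple[Dict[str, int], List[str]]:
    """Replay frames through the state machine; return final states and alarms."""
    state: Dict[str, int] = {}
    alarms: List[str] = []
    for kind, mac in frames:
        s = state.get(mac, UNAUTH)
        if kind == "auth":
            state[mac] = max(s, AUTH)
        elif kind == "assoc":
            if s < AUTH:
                alarms.append(f"{mac}: association request without prior authentication")
            else:
                state[mac] = ASSOC
        elif kind == "data":
            if s < ASSOC:
                # Data from a station this AP never saw authenticate and associate:
                # the classic symptom of a cloned (spoofed) client MAC.
                alarms.append(f"{mac}: data frame from non-associated station (possible spoofed MAC)")
        elif kind == "disassoc":
            state[mac] = min(s, AUTH)       # disassociation keeps the authentication
        elif kind == "deauth":
            state[mac] = UNAUTH             # deauthentication drops both
        else:
            alarms.append(f"{mac}: unknown frame type {kind!r}")
    return state, alarms

# Constructed trace: station ...:10 behaves normally, then keeps sending data
# after being deauthenticated; station ...:20 appears directly with data.
TRACE = [
    ("auth",   "02:00:00:00:00:10"),
    ("assoc",  "02:00:00:00:00:10"),
    ("data",   "02:00:00:00:00:10"),
    ("data",   "02:00:00:00:00:20"),
    ("deauth", "02:00:00:00:00:10"),
    ("data",   "02:00:00:00:00:10"),
]

def analyse(frames: List[Tuple[str, str]] = TRACE) -> Tuple[Dict[str, int], List[str]]:
    return track(frames)

if __name__ == "__main__":
    states, alarms = analyse()
    print(states)
    for a in alarms:
        print("ALARM", a)
```

A real sensor also has to tolerate the frames it missed while off-channel (see the RRM scanning slides), so in practice an alarm like this is raised after repeated inconsistencies rather than on the first frame.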

wIPS Mobility Services Engine

(Diagram: wIPS APs such as 00:55:9A:6A:34:01 and 00:1F:3B:1A:A2:01 report to the MSE, which keeps a system-wide device database, an alarm database (e.g. 8/20/2008 17:09 Spoof MAC; 8/22/2008 10:24 DoS Attack; 8/24/2008 12:07 DoS Attack), a forensics database and an anomaly detection engine.)

wIPS Alarm Flow

1. Attack launched against an infrastructure device (trusted AP)
2. Detected on the AP; communicated via CAPWAP to the WLC
3. Passed transparently to the MSE via NMSP
4. Logged into the wIPS database on the MSE; sent to WCS via SNMP trap
5. Displayed at WCS

Adaptive wIPS: A New Form of Monitor Mode

wIPS mode is only available for the 1130, 1240, 1140 and 1250.

Monitor Mode AP Range, Placement and Density

Range
- A client-serving AP typically covers 3000-5000 square feet
- Monitor-mode wIPS APs do not serve clients, and thus have greater range
- A wIPS AP typically covers 15,000-35,000 square feet

Placement, density
- The ratio of wIPS monitor-mode APs to local-mode traffic APs varies by network design, but a 1:5 ratio is a reasonable estimate
- wIPS APs can simultaneously run context-aware location in monitor mode
- Cisco RF expertise ensures maximum coverage

Deployment Dependent on Environment

- Open indoor environment: less dense wIPS deployment
- Walled indoor environment: more dense wIPS deployment

Walled Indoor - Recommendations

Environments such as healthcare, finance, enterprise and education. Different security confidence levels depending on detection requirements. Select a security confidence level in the chart below and deploy 1 AP every XX,000 sqft based on the chart.

Walled office indoor environment:
Confidence level | Deployment density | 2.4 GHz detection | 5 GHz detection
Gold             | 15,000 sqft        | Exhaustive        | Comprehensive
Silver           | 20,000 sqft        | Comprehensive     | Adequate
Bronze           | 25,000 sqft        | Adequate          | Sparse

Open Indoor - Recommendations

Environments such as warehouses and manufacturing. Different security confidence levels depending on detection requirements. Select a security confidence level in the chart below and deploy 1 AP every XX,000 sqft based on the chart.

Open indoor environment:
Confidence level | Deployment density | 2.4 GHz detection | 5 GHz detection
Gold             | 30,000 sqft        | Exhaustive        | Comprehensive
Silver           | 40,000 sqft        | Comprehensive     | Adequate
Bronze           | 50,000 sqft        | Adequate          | Sparse

How Many wIPS Monitor Mode APs Do I Need?

1. Select a security confidence level
   - Gold: finance, government, retail
   - Silver: enterprise
   - Bronze: concern for 2.4 GHz only
2. Assess the overall deployment size
3. Divide by the recommended density (ex. 200,000 sqft / 15,000 sqft)

Examples:
Deployment        | Size         | Level  | Density     | # of wIPS APs
Financial office  | 200,000 sqft | Gold   | 15,000 sqft | 14
Enterprise office | 200,000 sqft | Silver | 20,000 sqft | 10
Warehouse         | 200,000 sqft | Silver | 30,000 sqft | 5

Management Frame Protection: Concept

Problem
- Wireless management frames are not authenticated, encrypted, or signed
- A common vector for exploits

Solution
- Insert a signature (Message Integrity Code/MIC) into the management frames
- Clients and APs use the MIC to validate the authenticity of a management frame
- APs can instantly identify rogue/exploited management frames

(Diagram: frame types covered, AP beacons, associations/re-associations, probe requests/probe responses, disassociations, action management frames and authentications/de-authentications, grouped into those that are Infrastructure MFP protected and those that are Client MFP protected.)
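To make the solution bullets concrete, here is an added example, not Cisco MFP code and not the IEEE 802.11w frame format: a management frame carries an HMAC-based MIC computed over the fields the receiver acts on plus a per-transmitter sequence counter, and the receiver rejects frames whose MIC does not verify as well as frames that replay an already-accepted counter. The frame layout, the shared key and the MAC addresses are constructed.

```python
# Added example, not Cisco MFP or IEEE 802.11w code: the MIC principle from
# the concept slide. A management frame carries an HMAC computed over the
# fields the receiver acts on plus a per-transmitter sequence counter; the
# receiver rejects frames whose MIC does not verify and frames that replay an
# already-accepted counter. Frame layout, key and MACs are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

MIC_LEN = 8   # bytes of HMAC-SHA256 output appended to the frame (constructed choice)

@dataclass(frozen=True)
class MgmtFrame:
    subtype: str   # "deauth", "disassoc", "beacon", ...
    src: str       # transmitter address (the BSSID for AP-originated frames)
    dst: str
    seq: int       # monotonically increasing per transmitter; defeats replay
    body: bytes    # frame body, e.g. the reason code of a deauth

    def canonical_bytes(self) -> bytes:
        # Everything the receiver acts on is covered by the MIC, so the subtype,
        # addresses, counter and body cannot be altered without detection.
        return b"|".join([self.subtype.encode(), self.src.encode(), self.dst.encode(),
                          self.seq.to_bytes(6, "big"), self.body])

def compute_mic(key: bytes, frame: MgmtFrame) -> bytes:
    return hmac.new(key, frame.canonical_bytes(), hashlib.sha256).digest()[:MIC_LEN]

class MfpReceiver:
    """A client or AP holding the shared key and the last accepted counter per transmitter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq: Dict[str, int] = {}

    def accept(self, frame: MgmtFrame, mic: bytes) -> Tuple[bool, str]:
        # Verify the MIC before anything else: an unverified frame must not even
        # advance the replay window. compare_digest runs in constant time.
        if not hmac.compare_digest(compute_mic(self.key, frame), mic):
            return False, "bad MIC: forged or altered management frame"
        if frame.seq <= self.last_seq.get(frame.src, -1):
            return False, "replayed management frame"
        self.last_seq[frame.src] = frame.seq
        return True, "ok"

# Constructed key and addresses.
KEY = b"constructed-shared-mfp-key"
AP, CLIENT = "02:00:00:00:00:AA", "02:00:00:00:00:01"

def demo() -> Dict[str, bool]:
    """Genuine deauth accepted; its replay, a forged deauth and an unsigned deauth rejected."""
    rx = MfpReceiver(KEY)
    genuine = MgmtFrame("deauth", AP, CLIENT, 7, b"reason=3")
    mic = compute_mic(KEY, genuine)
    results = {"genuine": rx.accept(genuine, mic)[0],
               "replay": rx.accept(genuine, mic)[0]}
    forged = MgmtFrame("deauth", AP, CLIENT, 8, b"reason=3")       # same BSSID, no key
    results["forged"] = rx.accept(forged, compute_mic(b"wrong-key", forged))[0]
    results["unsigned"] = rx.accept(forged, b"\x00" * MIC_LEN)[0]
    # A later genuine frame still passes: rejected frames did not move the counter.
    later = MgmtFrame("disassoc", AP, CLIENT, 8, b"reason=8")
    results["later_genuine"] = rx.accept(later, compute_mic(KEY, later))[0]
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} {'accepted' if ok else 'rejected'}")
```

The order of the two checks matters: if the replay window were updated before the MIC was verified, an attacker could send an unsigned frame with a high counter and make the receiver drop the AP's next genuine frame as a "replay".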

Benefits of MFP

Attack protection
- For rogue AP, man-in-the-middle exploits and other management frame attacks
- Increases the fidelity of rogue AP and WLAN IDS signature detection

Attack prevention
- Will be supported in clients capable of decrypting the signature (CCXv5 clients)
- Integration with other Cisco security monitoring solutions in order to characterize attack vectors (rules-based correlation)
- Cisco security leadership and innovation: proposed standard IEEE 802.11w (~Dec 2009)

CCX: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_concept_home.html

MFP Configuration: Infrastructure

- Configured globally on a per-controller basis
- Can be overridden for specific APs and WLANs

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml

MFP Status: Infrastructure

(Screenshots: MFP WLAN settings and MFP infrastructure settings.)

MFP Configuration: WLAN/Client

MFP client protection requires CCXv5 and WPA2 enabled.

(Screenshot: MFP WLAN/client protection settings.)

MFP Status: Client

(Screenshot: CCXv5 client MFP is active.)

Cisco Wired IPS Integration: Unified Intrusion Prevention

Business challenge: mitigate network misuse, hacking and malware from WLAN clients.

(Diagram: wireless client traffic passes the L2 IDS on the WLC and the L3-7 IDS on a Cisco ASA 5500 Series with IPS before reaching the enterprise intranet; malicious traffic triggers a client shun.)

- Client shun: inspects the traffic flow for harmful applications and blocks wireless client connections
- Layer 3-7 deep packet inspection: eliminates the risk of contamination from wireless clients; zero-day response to viruses, malware and suspect signatures

Cisco Wired IPS Integration: Configuration

- How often to check the excluded client list
- The fingerprint is generated on the Cisco IPS device

Client Exclusion Policies: Configuration

- Per-WLAN client exclusion timeout
- A client exclusion timeout of 0 requires an admin reset

Feature Specific Deployment Guides

Management Frame Protection
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml

Wired/Wireless IDS Integration
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807360fc.shtml

Adaptive wIPS Deployment Guide
http://www.cisco.com/en/US/docs/wireless/technology/wips/deployment/guide/wipsdep.html

Other Suggested Sessions

- Wireless Endpoint Security (BRKAGG-2014)
- Designing Guest Access with the Cisco Unified Wireless Network (BRKAGG-2016)
- Design and Deployment of Enterprise WLANs (BRKAGG-2010)

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.