
Skyjacking a Cisco WLAN Attack Analysis and Countermeasures

Date post: 07-Apr-2018
Upload: airtightnetworks

8/3/2019 Skyjacking a Cisco WLAN Attack Analysis and Countermeasures

http://slidepdf.com/reader/full/skyjacking-a-cisco-wlan-attack-analysis-and-countermeasures 1/29

In the News

Cisco wireless LAN vulnerability could open ‘back door’

Cisco wireless LANs at risk of attack, ‘skyjacking’

Newly discovered vulnerability could threaten Cisco wireless LANs

What Cisco says

“No risk of data loss or interception”

“Could allow an attacker to cause a denial of service (DoS) condition”

It’s not a big deal!

Severity = Mild

Hmm…

What exactly is skyjacking?

Do I need to worry about it?

How severe is the exploit?

What you will learn today

The risk from skyjacking vulnerability is much bigger than stated

How to assess if you are vulnerable

Countermeasures for skyjacking and other zero-day attacks

Five ways a LAP can discover WLCs

Subnet-level broadcast

Configured

DNS

DHCP

Over-the-air provisioning (OTAP)

Three criteria a LAP uses to select a WLC

Step 1: Primary, Secondary, Tertiary

Step 2: Master mode

Step 3: Maximum excess capacity

Over-the-air provisioning (OTAP)

OTAP exploited for “skyjacking”

Skyjacked LAP denies service to wireless users

Secure WLAN enterprise access

Before

SSID    Security    VLAN    Comment
Corp    WPA2        20      Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Authorized LAP skyjacked – DoS

Before

SSID    Security    VLAN    Comment
Corp    WPA2        20      Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

DoS

Authorized LAP turned into Open Rogue AP

Before

SSID    Security    VLAN    Comment
Corp    OPEN        30      Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Rogue on Network

Camouflaged Rogue LAP: a backdoor to your enterprise network!

Wolf in Sheep Clothing

Before

SSID    Security    VLAN    Comment
Corp    WPA2        30      Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Rogue on Network

Wolf in Sheep Clothing – Scenario 2

Before

SSID     Security    VLAN    Comment
Corp     WPA2        20      Internal to corporate network
Guest    OPEN        30      Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Rogue on Network

DoS

SpectraGuard® Enterprise WLAN policy set-up

Guest WLAN SSID

Allowed Subnet (VLAN) for Guest SSID

Normal WLAN operation

Authorized SSIDs are seen in “Green” color and are detected with VLAN identifier to which they connect

Device list displayed on SpectraGuard Enterprise console

Skyjacking on guest access

1. Change in the VLAN is detected

2. SSID marked as “misconfigured” (Background changes to amber)

3. Automatic Prevention started (Shield icon appears)
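The SSID-to-VLAN policy check described in the preceding slides can be sketched as follows. This is an added example, not AirTight's implementation or code from the original deck; the function names, the sample BSSIDs and the guest VLAN (99) are assumptions, and it contrasts a check limited to over-the-air attributes with one that also uses the wired-side VLAN.

```python
# Added example: SSID-to-VLAN policy audit (constructed data, hypothetical names).
from dataclasses import dataclass

# Authorized policy: SSID -> (required security, allowed VLANs).
# Corp/WPA2/VLAN 20 comes from the slides; guest VLAN 99 is an assumption.
POLICY = {
    "Corp": ("WPA2", {20}),
    "Guest": ("OPEN", {99}),
}

@dataclass(frozen=True)
class Observation:
    bssid: str      # AP radio MAC (constructed, documentation range)
    ssid: str
    security: str   # as advertised over the air
    vlan: int       # wired VLAN the SSID is bridged to (wired correlation)

def over_air_verdict(obs):
    """Check only what a radio-only sensor can see: SSID and security."""
    rule = POLICY.get(obs.ssid)
    if rule is None:
        return "unknown-ssid"
    return "authorized" if obs.security == rule[0] else "misconfigured"

def correlated_verdict(obs):
    """Same check, plus the wired-side VLAN the SSID is bridged to."""
    verdict = over_air_verdict(obs)
    if verdict != "authorized":
        return verdict
    allowed_vlans = POLICY[obs.ssid][1]
    return "authorized" if obs.vlan in allowed_vlans else "misconfigured"

def audit(observations):
    """Return {bssid: (over-air verdict, correlated verdict)}."""
    return {o.bssid: (over_air_verdict(o), correlated_verdict(o))
            for o in observations}

# Constructed observations matching the deck's scenarios.
SAMPLES = [
    Observation("00:00:5e:00:53:01", "Corp", "WPA2", 20),   # normal operation
    Observation("00:00:5e:00:53:02", "Corp", "OPEN", 30),   # open rogue AP
    Observation("00:00:5e:00:53:03", "Corp", "WPA2", 30),   # wolf in sheep clothing
    Observation("00:00:5e:00:53:04", "Guest", "OPEN", 30),  # scenario 2
]

if __name__ == "__main__":
    for bssid, (air, corr) in audit(SAMPLES).items():
        print(f"{bssid}  over-air={air:<13}  correlated={corr}")
```
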

Summary

Type of Skyjacking attack

Authorized SSID as Open Rogue AP

Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing)

Guest access as Open Rogue AP (Wolf in Sheep clothing – scenario 2)

X

X

AirTight’s unique wireless-wired correlation based threat detection

Only over-air threat detection

Open rogue

WPA2 rogue

Open guest rogue

AirTight’s SpectraGuard Enterprise

Thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping™ architecture

The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack

Which LAPs can be skyjacked?

Type of Cisco LAP                                                  Vulnerable?
LAPs using auto discovery                                          Yes
Configured with “preferred” WLCs (primary, secondary, tertiary)    Mostly No
Configured with locally significant certificates (LSC)             No

Countermeasures

Manually configure LAPs with preferred WLCs (primary, secondary, tertiary): Primarily HA and load balancing feature

Manually configure LAPs with LSCs: Impractical

Block outgoing traffic from UDP ports 12222 and 12223 on your firewall: Not a common practice

Turn off OTAP on WLC: Ineffective!

Practical difficulties:

Do you know

If your outgoing UDP ports on the firewall are blocked? Did you test it today?

How many VLANs do you have authorized for wireless access?

Are all SSIDs mapped to the correct VLANs?

When was the last time your LAPs rebooted?

When was the last time your WLC was taken down for maintenance?

If all your APs are compliant with your security policies? How do you know?

If all LAPs are configured with primary, secondary and tertiary WLC?

If all LAPs are indeed connected to configured WLCs?

One mistake and you could be exposed!

Adding second, independent layer of WIPS protection

Designed for WLAN access

Designed for security

Misconfigurations

Zero-day attacks

Undesirable connections

Wireless Security for Mobile Users

AirTight’s SpectraGuard product family

Industry’s Only Wireless Security Service

Complete Wireless Intrusion Prevention

WLAN Coverage & Security Planning

About AirTight Networks

The Global Leader in Wireless Security and Compliance

For more information on wireless security risks, best practices, and solutions, visit: www.airtightnetworks.com

Visit our blog to read the root cause analysis of “Skyjacking: What Went Wrong?” blog.airtightnetworks.com

