Date post: | 07-Apr-2018 |
Category: | Documents |
Upload: | airtightnetworks |
8/3/2019 Skyjacking a Cisco WLAN Attack Analysis and Countermeasures
http://slidepdf.com/reader/full/skyjacking-a-cisco-wlan-attack-analysis-and-countermeasures 1/29
In the News
Cisco wireless LAN vulnerability could open ‘back door’
Cisco wireless LANs at risk of attack, ‘skyjacking’
Newly discovered vulnerability could threaten Cisco wireless LANs
What Cisco says
“No risk of data loss or interception”
“Could allow an attacker to cause a denial of service (DoS) condition”
It’s not a big deal!
Severity = Mild
Hmm…
What exactly is skyjacking?
Do I need to worry about it?
How severe is the exploit?
What you will learn today
The risk from skyjacking vulnerability is much bigger than stated
How to assess if you are vulnerable
Countermeasures for skyjacking and other zero-day attacks
Five ways a LAP can discover WLCs
Subnet-level broadcast
Configured
DNS
DHCP
Over-the-air provisioning (OTAP)
Three criteria a LAP uses to select a WLC
Step 1: Primary, Secondary, Tertiary
Step 2: Master mode
Step 3: Maximum excess capacity
Over-the-air provisioning (OTAP)
OTAP exploited for “skyjacking”
Skyjacked LAP denies service to wireless users
Secure WLAN enterprise access
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 20 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Authorized LAP skyjacked – DoS
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 20 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
DoS
Authorized LAP turned into Open Rogue AP
Before
SSID | Security | VLAN | Comment
Corp | OPEN | 30 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Rogue on Network
Camouflaged Rogue LAP: a backdoor to your enterprise network!
Wolf in Sheep Clothing
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 30 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Rogue on Network
Wolf in Sheep Clothing – Scenario 2
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 20 | Internal to corporate network
Guest | OPEN | 30 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Rogue on Network
DoS
SpectraGuard® Enterprise WLAN policy set-up
Guest WLAN SSID
Allowed Subnet (VLAN) for Guest SSID
Normal WLAN operation
Authorized SSIDs are seen in “Green” color and are detected with VLAN identifier to which they connect
Device list displayed on SpectraGuard Enterprise console
Skyjacking on guest access
1. Change in the VLAN is detected
2. SSID marked as “misconfigured” (Background changes to amber)
3. Automatic Prevention started (Shield icon appears)
Summary
Type of Skyjacking attack | Only over-air threat detection | AirTight’s unique wireless-wired correlation based threat detection
Authorized SSID as Open Rogue AP
Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing)
Guest access as Open Rogue AP (Wolf in Sheep clothing – scenario 2)
X
X
Diagram labels: Open rogue; WPA2 rogue; Open guest rogue
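The difference between the two detection approaches in the summary can be shown with a small policy check. This is an added example, not AirTight's or Cisco's code: the Corp/WPA2/VLAN 20 mapping and the VLAN 30 attack states come from the slides, while the guest VLAN number 40 and all function names are assumptions.

```python
from dataclasses import dataclass

# Authorized policy: SSID -> (security, allowed VLAN).
# Corp/WPA2/20 is from the slides; guest VLAN 40 is an assumed value.
POLICY = {"Corp": ("WPA2", 20), "Guest": ("OPEN", 40)}

@dataclass(frozen=True)
class Observation:
    ssid: str        # SSID advertised by an authorized LAP
    security: str    # "WPA2" or "OPEN", as seen in beacons
    wired_vlan: int  # VLAN the SSID's traffic reaches on the wire

def over_air_verdict(obs):
    """Compare only what a radio sensor sees: SSID and security setting."""
    expected = POLICY.get(obs.ssid)
    if expected is None:
        return "unknown-ssid"
    return "ok" if obs.security == expected[0] else "misconfigured"

def correlated_verdict(obs):
    """Also require the SSID to land on its allowed VLAN (wired-side check)."""
    verdict = over_air_verdict(obs)
    if verdict != "ok":
        return verdict
    return "ok" if obs.wired_vlan == POLICY[obs.ssid][1] else "misconfigured"

# Constructed observations, one per scenario in the slides.
SCENARIOS = {
    "normal operation": Observation("Corp", "WPA2", 20),
    "open rogue": Observation("Corp", "OPEN", 30),
    "WPA2 rogue": Observation("Corp", "WPA2", 30),
    "open guest rogue": Observation("Guest", "OPEN", 30),
}

def compare():
    """Return {scenario: (over-air verdict, correlated verdict)}."""
    return {name: (over_air_verdict(o), correlated_verdict(o))
            for name, o in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (air, wired) in compare().items():
        print(f"{name:18} over-air={air:14} correlated={wired}")
```

Only the open rogue differs from policy over the air; the WPA2 rogue and the open guest rogue advertise exactly what policy expects and are flagged only once the VLAN is checked.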
AirTight’s SpectraGuard Enterprise
Thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping™ architecture
The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack
Which LAPs can be skyjacked?
Type of Cisco LAP | Vulnerable?
Configured with locally significant certificates (LSC) | No
Configured with “preferred” WLCs (primary, secondary, tertiary) | Mostly No
LAPs using auto discovery | Yes
Countermeasures
Manually configure LAPs with preferred WLCs (primary, secondary, tertiary) | Primarily HA and load balancing feature
Manually configure LAPs with LSCs | Impractical
Block outgoing traffic from UDP ports 12222 and 12223 on your firewall | Not a common practice
Turn off OTAP on WLC | Ineffective!
Practical difficulties:
Do you know
If your outgoing UDP ports on the firewall are blocked? Did you test it today?
How many VLANs do you have authorized for wireless access?
Are all SSIDs mapped to the correct VLANs?
When was the last time your LAPs rebooted?
When was the last time your WLC was taken down for maintenance?
If all your APs are compliant with your security policies? How do you know?
If all LAPs are configured with primary, secondary and tertiary WLC?
If all LAPs are indeed connected to configured WLCs?
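The last two questions can be answered from an AP inventory export. The sketch below is an added example, not Cisco or AirTight tooling: the record layout, LAP names and addresses are constructed, and the exposure labels follow the "Which LAPs can be skyjacked?" table.

```python
from dataclasses import dataclass

# Constructed addresses (documentation ranges); replace with your own WLCs.
AUTHORIZED_WLCS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

@dataclass
class Lap:
    name: str
    preferred: tuple  # (primary, secondary, tertiary); "" means unset
    lsc: bool         # locally significant certificate installed
    joined_wlc: str   # controller the LAP is joined to right now

def exposure(lap):
    """Label a LAP using the 'Vulnerable?' column from the slides."""
    if lap.lsc:
        return "No"
    return "Mostly No" if any(lap.preferred) else "Yes"

def audit(laps, authorized):
    """Return {LAP name: (exposure label, list of findings)}."""
    report = {}
    for lap in laps:
        issues = []
        if not all(lap.preferred):
            issues.append("primary/secondary/tertiary WLC not all set")
        if lap.joined_wlc not in authorized:
            issues.append("joined to a WLC outside the authorized list")
        elif any(lap.preferred) and lap.joined_wlc not in lap.preferred:
            issues.append("joined WLC is not one of its configured WLCs")
        report[lap.name] = (exposure(lap), issues)
    return report

FULL = ("192.0.2.10", "192.0.2.11", "192.0.2.12")
# Constructed inventory rows for illustration.
INVENTORY = [
    Lap("lap-lobby", FULL, False, "192.0.2.10"),
    Lap("lap-floor2", ("", "", ""), False, "192.0.2.11"),
    Lap("lap-dock", ("192.0.2.10", "", ""), False, "203.0.113.5"),
    Lap("lap-lab", FULL, True, "192.0.2.12"),
]

if __name__ == "__main__":
    for name, (label, issues) in audit(INVENTORY, AUTHORIZED_WLCS).items():
        print(f"{name:11} vulnerable={label:10} {'; '.join(issues) or 'ok'}")
```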
One mistake and you could be exposed!
Adding second, independent layer of WIPS protection
[Diagram labels: Designed for WLAN access; Designed for security; Misconfigurations; Zero-day attacks; Undesirable connections]
AirTight’s SpectraGuard product family
Wireless Security for Mobile Users
Industry’s Only Wireless Security Service
Complete Wireless Intrusion Prevention
WLAN Coverage & Security Planning
About AirTight Networks
The Global Leader in Wireless Security and Compliance
For more information on wireless security risks, best practices, and solutions, visit: www.airtightnetworks.com
Visit our blog to read the root cause analysis of “Skyjacking: What Went Wrong?” blog.airtightnetworks.com