Wireless LAN Security and Threat Mitigation
BRKEWN-2015
Karan Sheth, Sr. Technical Marketing Engineer
© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2015 Cisco Public
Content Link: http://tinyurl.com/wireless-security2014
Abstract
• “Prevention is better than cure” – an old saying but an extremely important one to defend your enterprise wireless network from unauthorized access and rogue threats. The best security approach is a layered approach that encompasses authorized access, intrusion protection & mitigation. In this session, we will address the current state of wireless security & explore the best practices to protect against unauthorized and uncontrolled wireless access.
• We will discuss some of the commonly available attack tools that can cause serious damage to the authorized enterprise user experience. Attendees will become familiar with the advanced capabilities & tools available in the Cisco Unified Wireless Network solution to properly lock down and defend their networks from wireless threats.
• Prerequisite knowledge of 802.11 fundamentals is recommended.
Objective
“Prevention is better than cure”
Without prevention you are screwed, because Wireless has No Boundaries
Agenda
• Wireless Security Threats
• Wireless Intrusion Prevention Best Practices
• Attack Detection & Mitigation Techniques
• Network Design Considerations
• DEMO – Rogue Detection & Mitigation
Wireless Attack Vectors
Over-the-Air and On-Wire Attacks
• Denial of Service: service disruption
• Ad-hoc Wireless Bridge: client-to-client backdoor access
• Rogue Access Points: backdoor network access
• Evil Twin/Honeypot AP: connection to a malicious (hacker's) AP
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping
Non-802.11 Attacks
• Bluetooth, radar, RF jammers, microwave
Attacker's Nirvana: Tools to Hide from the Infrastructure
• Backtrack 5 (VM or Live CD)
• USB wireless cards, no regulatory restrictions
• Spoofing pyramid:
– BSSID: radio MAC
– ESSID: wireless SSID
– Channel & Tx power
– DHCP, DNS etc.: bridge/NAT interfaces
Demo: Service Disruption, Backdoor Access, Dupe the User
Wireless Security Pre-requisites
• Secure Connection
• Identify Users
• Classify Applications
• Control Access
Across all endpoints: Client, Access Point, Switch, Wireless LAN Controller, Identity Services Engine
Authentication Best Practices: Use WPA2-Enterprise
Strong Encryption
• AES: Advanced Encryption Standard, requires hardware support & achieves line-rate speeds
Strong Authentication
• Tunneling-based (protective cover): EAP-PEAP, EAP-TTLS, EAP-FAST
– Inner methods (authentication credentials): EAP-GTC, EAP-MSCHAPv2
• Certificate-based: EAP-TLS
EAP Methods Comparison (for your reference)

                                     EAP-TLS   PEAP     EAP-FAST
Fast Secure Roaming                  Yes       Yes      Yes
Local WLC Authentication             Yes       Yes      Yes
OTP (One Time Password) Support      No        Yes      Yes
Server Certificates                  Yes       Yes      No
Client Certificates                  Yes       No       No
PAC (Protected Access Credentials)*  No        No       Yes
Deployment Complexity                High      Medium   Low

* PACs can be provisioned anonymously for minimal complexity.
Secure Your Wireless Infrastructure End-Points
1. Configure the 802.1x supplicant on the AP: ISE authenticates the AP with 802.1x over RADIUS
2. Enable switch port security
• CAPWAP DTLS using Manufacturer Installed Certificates: the default out-of-box behavior for mutual authentication
Management Frame Protection (MFP)
Problem
• Wireless management frames (beacons, probes, association) are not authenticated, encrypted, or signed
• A common vector for exploits
Solution
• Insert a signature (Message Integrity Code/MIC) into the management frames
• APs can instantly identify rogue/exploited management frames
• Optionally, clients and APs use the MIC to validate the authenticity of management frames
Infrastructure MFP Operation
(Figure: APs with BSSIDs 11:11:11:11:11:11 and 22:22:22:22:22:22 in Corporate Building 1; a second radio advertising BSSID 11:11:11:11:11:11 in Corporate Building 2, where the radios cannot hear each other.)
Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP
Client MFP and 802.11w Operation
• Client MFP (CCXv5): protected management frames with MIC
• 802.11w: protected frames with a Security Association (SA)
Frame types covered: AP beacons, probe requests/probe responses, associations/re-associations, disassociations, authentications/de-authentications, action management frames
Defends against spoofing of both AP and client
Profiling Strategies
• ISE Base: AAA, Guest Provisioning; device profiling & policy control by the WLC (wireless only)
• ISE Wireless: AAA, Guest Provisioning, Device Profiling, Device On-boarding, Device Posturing, Partner MDM Integration (wireless only)
• ISE Advanced: profiling & policy enforcement across any access medium
Profiling and Policy Enforcement Options
• Network components: WLC, RADIUS server (e.g. ISE Base, ACS)
• Profiling factors: Time of Day, Authentication, Device Type, User Role
• Policy enforced: VLAN, Access List, QoS, Session Timeout, AVC (wireless only)
Profiling & Policy Enforcement Workflow
• AAA services by ISE Base: the Auth. Request is answered with an Auth. Response carrying Cisco-AV-Pair Role=Finance
• Device profiling & policy enforcement by the WLC, applied over CAPWAP:
– Finance user on a personal device: VLAN 3, QoS = Silver
– Finance user on a corporate device: VLAN 7, QoS = Platinum
Wi-Fi Direct Policy
• Wi-Fi Direct allows a corporate laptop simultaneous access to the Corporate WLAN & to unauthorized devices (backdoor access)
• Prevent access to the Corporate WLAN when Wi-Fi Direct is enabled on corporate wireless devices
Classify Applications & Control Access
What is the Need for Application Visibility and Control?
• Why is the wireless performance of my network so low?
• Should I add more access points to improve the user experience?
• What if someone is running BitTorrent against company policy & hurting the overall user experience?
Identify Applications using NBAR2: Introducing Application Visibility and Control on WLC
• Classify client traffic: Voice, Video, Best-Effort, Background
• Control application behavior: Don't Allow, Rate Limiting
Rogue Detection Basics: Listening for Rogues
Two different AP modes for RRM scanning:
• Local Mode AP: serves clients for 16s, then scans 50ms for rogues (best-effort scanning)
• Monitor Mode AP: scans 1.2s per channel (24x7 scanning)
RF Group = Corporate: any AP not broadcasting the same RF Group is considered a rogue
RRM Channel Scanning Basics: Local Mode AP (Serves Data)
• AP on channel 1, 802.11b/g/n (2.4GHz), US country channels: the AP serves clients for 16s, then scans one other channel (2, 3, 4, …) for 50ms. Every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)
• AP on channel 36, 802.11a/n (5GHz), US country channels (without UNII-2 Extended): the AP serves clients for 14.5s, then scans one other channel (40, 44, 48, …, 149) for 50ms. Every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)
(Figure: the two serve/scan timelines with the detect time marked.)
RRM Channel Scanning Basics: Monitor Mode AP
• 802.11b/g/n (2.4GHz), all channels (1 through 14): the radio dwells 1.2s on each channel in turn; each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration
• 802.11a/n (5GHz), all channels (36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, …; 22 channels): the radio dwells 1.2s on each channel in turn; each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
(Figure: the 1.2s-per-channel timelines with the detect time marked.)
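The detection latency implied by the two scan schedules above, as an added Python model that is not Cisco's code: it uses the slides' 180 s scan period, 50 ms and 1.2 s dwells and 11/14/22-channel lists, and assumes a rogue that beacons every ~100 ms, which a single 50 ms listen can miss.

```python
"""Estimate rogue detection latency from the RRM scan schedules on the slides.

Added model, not Cisco code. It uses the slides' figures (180 s channel scan
period; a local mode AP listening 50 ms off-channel once per serve/scan
cycle; a monitor mode AP dwelling 1.2 s per channel) plus one assumption:
the rogue AP beacons every ~100 ms, so a 50 ms listen may miss the beacon.
"""
from dataclasses import dataclass

SCAN_PERIOD_S = 180.0    # RRM channel scan duration from the slides
BEACON_INTERVAL_S = 0.1  # assumed rogue beacon interval (802.11 default ~100 ms)


@dataclass(frozen=True)
class ScanProfile:
    name: str
    channels: int      # channels in the radio's scan list
    dwell_s: float     # listen time per off-channel visit
    local_mode: bool   # True: one channel per serve/scan cycle; False: back-to-back dwells

    def revisit_interval_s(self) -> float:
        """Time between two listens on the same channel."""
        if self.local_mode:
            # The whole channel list is walked once per 180 s scan period
            # (the slide's 180 s / 11 channels ~= 16 s between visits).
            return SCAN_PERIOD_S
        return self.channels * self.dwell_s

    def visits_per_period(self) -> float:
        """Visits to each channel within one 180 s period (slide ratio: ~6.8 for 22 ch)."""
        return SCAN_PERIOD_S / self.revisit_interval_s()

    def catch_probability(self) -> float:
        """Chance one visit overlaps a beacon: dwell / beacon interval, capped at 1."""
        return min(1.0, self.dwell_s / BEACON_INTERVAL_S)

    def expected_detect_s(self) -> float:
        """Approximate mean time until a visit hears the rogue (geometric in visits)."""
        return self.revisit_interval_s() / self.catch_probability()


LOCAL_2G = ScanProfile("local mode, 2.4 GHz US (11 ch)", 11, 0.05, True)
MONITOR_2G = ScanProfile("monitor mode, 2.4 GHz all (14 ch)", 14, 1.2, False)
MONITOR_5G = ScanProfile("monitor mode, 5 GHz all (22 ch)", 22, 1.2, False)

if __name__ == "__main__":
    for p in (LOCAL_2G, MONITOR_2G, MONITOR_5G):
        print(f"{p.name}: revisit {p.revisit_interval_s():.1f} s, "
              f"{p.visits_per_period():.1f} visits/180 s, "
              f"expected detection {p.expected_detect_s():.1f} s")
```

The model makes the slide's "best effort" versus "24x7" distinction concrete: a local mode radio revisits a channel once per 180 s and may need two passes to hear a beacon, while a monitor mode radio hears it on its first pass.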
Rogue Classification Rules: Who is more harmful?
Classification is based on threat severity and mitigation action; rules are tailored to the customer's risk model.

Friendly             Malicious
Off-Network          On-Network
Secured              Open
Foreign SSID         Our SSID
Weak RSSI            Strong RSSI
Distant location     On-site location
No clients           Attracts clients
Rogue Classification Rules Example
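An added example of how the Friendly/Malicious factors above can be expressed as ordered classification rules; this is illustrative code, not the WLC's rule engine, and the SSIDs, thresholds and rogue records are constructed.

```python
"""Rule-based rogue classification from the slides' Friendly/Malicious factors
(on-network, our vs foreign SSID, RSSI, clients, open vs secured, location).
Added example, not WLC code: rule names, thresholds and sample SSIDs are
illustrative and, as the slides say, would be tuned to the site's risk model.
"""
from dataclasses import dataclass
from typing import Callable

MANAGED_SSIDS = {"corp-wlan", "corp-guest"}  # constructed sample SSIDs

@dataclass(frozen=True)
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int       # strongest RSSI reported by any detecting AP
    client_count: int
    open_auth: bool     # rogue advertises no encryption
    on_network: bool    # seen on the wire by a rogue detector, RLDP or SPT
    onsite: bool        # located inside the building footprint

# (rule name, classification, predicate); evaluated top to bottom, first match wins.
RULES: list[tuple[str, str, Callable[[Rogue], bool]]] = [
    ("wired-backdoor", "Malicious", lambda r: r.on_network),
    ("ssid-spoof", "Malicious", lambda r: r.ssid.lower() in MANAGED_SSIDS),
    ("open-honeypot", "Malicious",
     lambda r: r.open_auth and r.rssi_dbm >= -70 and r.client_count > 0),
    ("strong-onsite", "Malicious", lambda r: r.onsite and r.rssi_dbm >= -60),
    ("distant-neighbour", "Friendly",
     lambda r: not r.onsite and r.rssi_dbm <= -80 and r.client_count == 0),
]

def classify(rogue: Rogue, rules=RULES) -> tuple[str, str]:
    """Return (classification, rule name); Unclassified when no rule fires."""
    for name, classification, predicate in rules:
        if predicate(rogue):
            return classification, name
    return "Unclassified", ""

# Constructed sample rogues (MAC addresses made up for the example).
SAMPLES = [
    Rogue("02:00:00:00:00:01", "corp-wlan", -55, 3, False, False, True),   # evil twin
    Rogue("02:00:00:00:00:02", "free-wifi", -65, 2, True, False, True),    # honeypot
    Rogue("02:00:00:00:00:03", "neighbour", -85, 0, False, False, False),  # friendly
    Rogue("02:00:00:00:00:04", "printer", -75, 0, False, False, True),     # no rule
    Rogue("02:00:00:00:00:05", "home-ap", -78, 1, False, True, False),     # on wire
]

if __name__ == "__main__":
    for rogue in SAMPLES:
        print(rogue.bssid, rogue.ssid, *classify(rogue))
```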
Wired Rogue Detection Methods
• Rogue Detector AP (connected on a trunk port): detects all rogue client and access point ARPs; the controller queries the rogue detector to determine if rogue clients are on the network; does not work with NAT APs
• Rogue Location Discovery Protocol (RLDP), run by a data-serving AP: connects to the rogue AP as a client and sends a packet to the controller's IP address; only works with open rogue access points
Rogue Detector AP Operation (rogue detector on a trunk port, reporting to the WLC)
WLC:
> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6651 found on net msg
BSSID: 0021.4458.6652
Cisco Prime:
Alarm Changed from Minor to Critical
Security Alert: Rogue with MAC Address 0021.4458.6651 Has Been Detected on the Wired Network
Rogue Detector AP Mode: Example Deployment Scenario
(Figure: one Rogue Detector in each of Bldg 1, Bldg 2 and Bldg 3.)
Install one rogue detector at each Layer 3 boundary. Put more simply: ensure all VLANs are monitored by a rogue detector.
Rogue Detector AP Mode Configuration
All radios become disabled in this mode. Switch port configuration for the rogue detector AP:
interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 spanning-tree portfast
Rogue Location Discovery Protocol (RLDP) Operation
WLC:
> debug dot11 rldp
Successfully associated with rogue: 00:21:44:58:66:52
Sending DHCP packet through rogue AP 00:21:44:58:66:52
RLDP DHCP BOUND state for rogue 00:21:44:58:66:52
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142 BSSID: 0021.4458.6652
Cisco Prime:
Alarm Changed from Minor to Critical
Security Alert: Rogue with MAC Address 0021.4458.6652 Has Been Detected on the Wired Network
Rogue Location Discovery Protocol: Automatic Operation
• Two automatic modes of operation:
– ‘AllAPs’ – Uses both Local and Monitor mode APs
– ‘MonitorModeAPs’ – Uses only Monitor mode APs
• Recommended: Monitor Mode APs, since RLDP can impact service on client-serving APs
Switchport Tracing (SPT) using Cisco Prime
Switchport Tracing, on-demand or automatic:
1. Identifies the CDP neighbors of the APs detecting the rogue (show cdp neighbors)
2. Queries the CAM tables of those switches, and of the next switches toward the core, for the rogue's MAC
• Works for rogues with security and NAT
SPT matches on: Rogue MAC Address, Rogue Client MAC Address, Rogue Vendor OUI, Rogue MAC +3/-3
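The four SPT match types above, implemented as an added example over a constructed CAM table (not Cisco Prime's code); the rogue MACs are the ones in the slides' debug output, while the switch ports and the other MACs are made up.

```python
"""Switchport Tracing (SPT) style matching of a rogue against switch CAM tables.

Added example, not Cisco Prime code: it implements the four match types the
slide lists (rogue MAC, rogue client MAC, vendor OUI, rogue MAC +3/-3) over a
constructed CAM table; the rogue MACs come from the slides' debug output.
"""
import re

MATCH_ORDER = ("rogue-mac", "rogue-mac+3/-3", "rogue-client-mac", "vendor-oui")  # strongest first

def mac_to_int(mac: str) -> int:
    """Parse 0021.4458.6652 (WLC debug form), 00:21:44:58:66:52 or 00-21-44-58-66-52."""
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def spt_match(rogue_bssid: str, rogue_clients, cam_table: dict) -> list:
    """Return (port, mac, match type) per matching CAM entry, strongest match first.
    cam_table maps a switch port to the list of MACs learned on it."""
    bssid = mac_to_int(rogue_bssid)
    clients = {mac_to_int(c) for c in rogue_clients}
    oui = bssid >> 24                      # first three octets = vendor OUI
    hits = []
    for port, macs in cam_table.items():
        for mac in macs:
            value = mac_to_int(mac)
            if value == bssid:
                kind = "rogue-mac"
            elif abs(value - bssid) <= 3:  # wired MAC a few addresses off the BSSID
                kind = "rogue-mac+3/-3"
            elif value in clients:
                kind = "rogue-client-mac"
            elif value >> 24 == oui:
                kind = "vendor-oui"
            else:
                continue
            hits.append((port, mac, kind))
    return sorted(hits, key=lambda hit: MATCH_ORDER.index(hit[2]))

# Constructed CAM table; 0021.4458.6651 is the wired MAC from the slide (BSSID - 1).
CAM_TABLE = {
    "Gi1/0/12": ["0021.4458.6651"],
    "Gi1/0/13": ["0021.4458.aabb", "d8fc.9300.0001"],  # same OUI, unrelated device
    "Gi1/0/14": ["1c1b.0d00.0001"],                     # the rogue's wireless client
}

if __name__ == "__main__":
    for hit in spt_match("0021.4458.6652", ["1c:1b:0d:00:00:01"], CAM_TABLE):
        print(*hit)
```

A vendor-OUI hit alone is weak evidence (it matches every device from that vendor), which is why the result keeps the match type and a practitioner checks it before shutting a port.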
Switchport Tracing (SPT) Action
The SPT result lists, per switch port, the number of MACs found on the port and the match type; uncheck a port to shut it.
Wireless Rogue AP Containment
• Monitor Mode AP: can contain 6 rogues per radio; containment packets are sent every 100ms; broadcast & unicast de-auth
• Local Mode AP: can contain 3 rogues per radio; containment packets are sent every 500ms; unicast de-auth & unicast dis-assoc; impacts associated clients' performance
Automatic Rogue AP Containment
• Use auto-containment to nullify the most alarming threats
• Containment can have legal consequences when used improperly
• The WLC can use only Monitor Mode APs for containment, to prevent impact to clients
Rogue Location On-Demand using Cisco Prime
• Allows an individual Rogue AP to be located on-demand
• Keeps no historical record of rogue location
• Does not locate rogue clients
Rogue Location in Real-Time with Prime and Mobility Services Engine (MSE) Context-Aware
• Tracks multiple rogues in real-time (up to MSE limits)
• Can track and store rogue location historically
• Provides the location of rogue clients, rogue ad-hoc networks & non-WiFi interferers (e.g. microwave, Bluetooth)
Zone of Impact with Prime and MSE Context-Aware: shown for non-WiFi interferers and rogue access points
Cisco's Attack Detection Mechanisms (WLC Base IDS and Adaptive wIPS with Cisco Prime)
Core capabilities:
• Rogue AP and Client Detection
• 17 Common Attack Signatures
• Alarm Aggregation, Consolidation and False Positive Reduction
• Enhanced DoS Attack Behaviour Analysis – 115 attack signatures
• Coordinated Rogue Containment
• Anomaly Detection
• Forensic, Blacklisting, Auto Containment, and Auto Immunity responses
Adaptive wIPS Deployment Recommendations
• Enhanced Local Mode (ELM): serves clients for 16s, then scans 50ms for attacks (best-effort scanning). Enable ELM on every deployed AP.
• Monitor Mode AP: scans 1.2s per channel for attacks (24x7 scanning). Deploy 1 MM AP for every 5 Local Mode APs.
• WSSI Module: the local mode AP serves clients while the module scans 1.2s per channel for attacks (24x7 scanning). Deploy 1 WSSI for every 5 Local Mode APs.
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings