
Wireless LAN Security and Threat Mitigation

BRKEWN-2015

Karan Sheth, Sr. Technical Marketing Engineer

© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2015 Cisco Public

Content Link

http://tinyurl.com/wireless-security2014

Abstract

• “Prevention is better than cure” – an old saying but an extremely important one to defend your enterprise wireless network from unauthorized access and rogue threats. The best security approach is a layered approach that encompasses authorized access, intrusion protection & mitigation. In this session, we will address the current state of wireless security & explore the best practices to protect against unauthorized and uncontrolled wireless access.

• We will discuss some of the commonly available attack tools that can cause serious damage to the authorized enterprise user experience. Attendees will get familiar with the advanced capabilities & tools available in the Cisco Unified Wireless Network solution to properly lock down and defend their network from wireless threats.

• Prerequisite knowledge of 802.11 fundamentals is recommended.


Objective

“Prevention is better than cure”

Without prevention you are screwed, because Wireless has No Boundaries


Agenda

• Wireless Security Threats

• Wireless Intrusion Prevention Best Practices

• Attack Detection & Mitigation Techniques

• Network Design Considerations

• DEMO – Rogue Detection & Mitigation

Wireless Security Threats

Wireless Attack Vectors

The slide groups the attack vectors into on-wire attacks and over-the-air attacks:

• Denial of Service – service disruption

• Ad-hoc Wireless Bridge – client-to-client backdoor access

• Rogue Access Points – backdoor network access

• Evil Twin/Honeypot AP – connection to the hacker's malicious AP

• Reconnaissance – seeking network vulnerabilities

• Cracking Tools – sniffing and eavesdropping

Non-802.11 Attacks and interference sources: Bluetooth, radar, RF jammers, microwave

Attacker's Nirvana – Tools to Hide from Infrastructure

• Backtrack 5 (VM or Live CD)

• USB wireless cards, or cards with no regulatory restrictions

• Spoofing pyramid – the layers an attacker can impersonate:

– BSSID (radio MAC)

– ESSID (wireless SSID)

– Channel & Tx power

– DHCP, DNS etc. (bridge/NAT interfaces)

Demo

Service Disruption, Backdoor Access, Dupe the User

Wireless Intrusion Prevention Best Practices

Secure the Connection

Authentication Best Practices: Use WPA2-Enterprise

Strong Authentication:

• Tunneling-based (protective cover): EAP-PEAP, EAP-TTLS, EAP-FAST

• Inner methods (authentication credentials): EAP-GTC, EAP-MSCHAPv2

• Certificate-based: EAP-TLS

Strong Encryption:

• AES – Advanced Encryption Standard that requires hardware support & achieves line-rate speeds

EAP Methods Comparison (for your reference)

                                     EAP-TLS   PEAP     EAP-FAST
Fast Secure Roaming                  Yes       Yes      Yes
Local WLC Authentication             Yes       Yes      Yes
OTP (One Time Password) Support      No        Yes      Yes
Server Certificates                  Yes       Yes      No
Client Certificates                  Yes       No       No
PAC (Protected Access Credentials)*  No        No       Yes
Deployment Complexity                High      Medium   Low

* PACs can be provisioned anonymously for minimal complexity.

Secure Your Wireless Infrastructure End-Points

• CAPWAP DTLS using Manufacturer Installed Certificates – the default out-of-box behavior, giving mutual authentication between AP and WLC

• 802.1X authentication of the AP, with ISE as the RADIUS server:

1. Configure the 802.1X supplicant on the AP

2. Enable switch port security

Management Frame Protection (MFP)

Problem:

• Wireless management frames (beacons, probes, association) are not authenticated, encrypted, or signed

• A common vector for exploits

Solution:

• Insert a signature (Message Integrity Code/MIC) into the management frames

• APs can instantly identify rogue/exploited management frames

• Optionally, clients and APs use the MIC to validate the authenticity of management frames

Infrastructure MFP Operation

Diagram: an AP in Corporate Building 1 advertises BSSID 11:11:11:11:11:11; Corporate Building 2 has an AP with BSSID 22:22:22:22:22:22 and a second radio advertising the same BSSID 11:11:11:11:11:11 as Building 1. The radios in the two buildings cannot hear each other.

Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP

Client MFP and 802.11w Operation

Slide table (layout not recoverable): which management frames are protected by a MIC (infrastructure MFP) and which are protected under a Security Association (SA) by client MFP (CCXv5 clients) and 802.11w. Frame types covered: AP beacons, probe requests/probe responses, associations/re-associations, disassociations, authentications/de-authentications, action management frames. Both AP and client spoofing are addressed.
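The MIC check that the MFP slides describe, as an added example that is not from the deck and not Cisco's implementation: a simplified Python model in which every AP shares one infrastructure key, signs each management frame it sends with an HMAC-based MIC over the BSSID, a sequence counter and the frame body, and a neighbouring AP validates what it overhears. The key, the MIC construction, the frame encoding and the sample frames are assumptions; real MFP uses its own information element and controller-driven key distribution.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

# Assumption: the controller has given every AP in the group one shared
# infrastructure key (constructed here). Real MFP key distribution and the
# MFP information element layout are Cisco-specific and not modelled.
INFRA_KEY = b"constructed-infrastructure-mfp-key"
MIC_LEN = 8


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def mic_input(bssid: str, seq: int, body: bytes) -> bytes:
    """What the MIC covers: the sender's BSSID, a monotonically increasing
    sequence number (replay protection) and the management frame body."""
    return mac_bytes(bssid) + struct.pack(">I", seq) + body


def compute_mic(bssid: str, seq: int, body: bytes, key: bytes = INFRA_KEY) -> bytes:
    return hmac.new(key, mic_input(bssid, seq, body), hashlib.sha256).digest()[:MIC_LEN]


def sign_mgmt_frame(bssid: str, seq: int, body: bytes, key: bytes = INFRA_KEY) -> Dict:
    """A genuine AP appends the MIC to the management frame it transmits."""
    return {"bssid": bssid, "seq": seq, "body": body,
            "mic": compute_mic(bssid, seq, body, key)}


class MfpValidator:
    """A neighbouring AP (or MFP-capable client) checking frames it overhears."""

    def __init__(self, key: bytes = INFRA_KEY):
        self.key = key
        self.last_seq: Dict[str, int] = {}   # highest sequence seen per BSSID

    def check(self, frame: Dict) -> str:
        mic: Optional[bytes] = frame.get("mic")
        if mic is None:
            return "spoofed: no MIC"
        expected = compute_mic(frame["bssid"], frame["seq"], frame["body"], self.key)
        if not hmac.compare_digest(mic, expected):
            return "spoofed: bad MIC"
        if frame["seq"] <= self.last_seq.get(frame["bssid"], -1):
            return "spoofed: replayed"
        self.last_seq[frame["bssid"]] = frame["seq"]
        return "valid"


def demo() -> List[str]:
    """Building 1's AP beacons legitimately; a radio elsewhere reuses the same
    BSSID without the key (constructed sample frames)."""
    validator = MfpValidator()
    genuine = sign_mgmt_frame("11:11:11:11:11:11", 1, b"beacon ssid=corp-secure")
    results = [validator.check(genuine)]
    # Same BSSID and body, but the sender has no infrastructure key.
    no_mic = {"bssid": "11:11:11:11:11:11", "seq": 2, "body": b"beacon ssid=corp-secure"}
    results.append(validator.check(no_mic))
    results.append(validator.check(dict(no_mic, mic=bytes(MIC_LEN))))
    results.append(validator.check(genuine))   # captured genuine frame seen again
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The sequence counter is what turns a bare signature into a useful one: without it a recorded genuine frame would validate forever, so the validator keeps the highest counter seen per BSSID and rejects anything at or below it.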

Identify Users & Enforce Policy


Profiling Strategies

• ISE Base – AAA, guest provisioning; device profiling and policy control are done by the WLC

• ISE Wireless (wireless only) – AAA, guest provisioning, device profiling, device on-boarding, device posturing, partner MDM integration

• ISE Advanced – profiling and policy enforcement across any access medium

Profiling and Policy Enforcement Options

• Profiling factors: time of day, authentication, device type, user role

• Network components: WLC and RADIUS server (e.g. ISE Base, ACS)

• Policy enforced: VLAN, access list, QoS, session timeout, AVC (wireless only)

Profiling & Policy Enforcement Workflow

AAA services by ISE Base; device profiling and policy enforcement by the WLC.

Diagram: the WLC sends the authentication request to ISE; the authentication response carries Cisco-AV-Pair Role=Finance. The WLC then applies policy by device type: a personal device in the Finance role is placed in VLAN 3 with QoS = Silver, a corporate device in VLAN 7 with QoS = Platinum (VLANs 3 and 7 are shown behind the CAPWAP tunnel).

Wi-Fi Direct Policy

• Wi-Fi Direct allows a corporate laptop simultaneous access to the corporate WLAN and to unauthorized devices – backdoor access

• Prevent access to the corporate WLAN when Wi-Fi Direct is enabled on corporate wireless devices

What is the Need for Application Visibility and Control?

• Why is the wireless performance of my network so low?

• Should I add more access points to improve the user experience?

• What if someone is running BitTorrent against company policy & hurting the overall user experience?

Attack Detection & Mitigation Techniques


Rogue Detection Basics – Listening for Rogues

Two different AP modes for RRM scanning:

• Local Mode AP – serves clients for 16s, then scans 50ms for rogues (best-effort scanning)

• Monitor Mode AP – scans 1.2s per channel, 24x7 scanning

RF Group = Corporate: any AP not broadcasting the same RF group is considered a rogue

RRM Channel Scanning Basics – Local Mode AP (Serves Data)

Timeline (slide): the AP serves clients on its own channel, goes off-channel for a 50ms dwell on the next channel in the scan list, returns, and repeats; the detect time for a rogue on a given channel is the wait until that channel's dwell.

• AP on channel 1, 802.11b/g/n (2.4GHz), US country channels: every 16s a new channel is scanned for 50ms (180sec / 11 channels = ~16s)

• AP on channel 36, 802.11a/n (5GHz), US country channels (without UNII-2 Extended): every 14.5s a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)

RRM Channel Scanning Basics – Monitor Mode AP

Timeline (slide): the radio steps through every channel in turn, dwelling 1.2s on each, around the clock.

• 802.11b/g/n (2.4GHz), all 14 channels: each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration

• 802.11a/n (5GHz), all 22 channels (36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116 … 132, 136, 140): each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration

Rogue Classification Rules – Who is More Harmful?

• Classification based on threat severity and mitigation action

• Rules tailored to the customer's risk model

Friendly end of the scale: off-network, secured, foreign SSID, weak RSSI, distant location, no clients

Malicious end of the scale: on-network, open, our SSID, strong RSSI, on-site location, attracts clients

Rogue Classification Rules Example
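An added example of the rule-based classification the two classification slides describe, written here in Python and not taken from the deck or from the WLC's rule engine: each rule tests one of the slide's factors (on-network, open, our SSID, strong RSSI, on-site, attracting clients) and carries a severity, the highest matching severity decides, and anything no rule covers stays Unclassified for an analyst. The corporate SSIDs, RSSI cut-offs, severities and sample rogues are constructed and stand in for the "rules tailored to the customer risk model".

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    rssi_dbm: int        # strongest RSSI at which our APs hear the rogue
    encryption: str      # "open", "wep", "wpa2", ...
    on_network: bool     # confirmed on our wire (rogue detector, RLDP or SPT)
    client_count: int    # clients seen associated to the rogue
    on_site: bool        # located inside our buildings (e.g. by MSE)


@dataclass
class Rule:
    name: str
    classification: str  # "Malicious" or "Friendly"
    severity: int        # highest severity among matching rules decides
    match: Callable[[RogueAP], bool]


# Constructed values: the SSIDs we own and the RSSI cut-offs. These are the
# knobs a customer tunes to their risk model; they are not Cisco defaults.
CORPORATE_SSIDS = {"corp-secure", "corp-guest"}
STRONG_RSSI_DBM = -70
WEAK_RSSI_DBM = -80

RULES: List[Rule] = [
    Rule("on our wired network", "Malicious", 100, lambda r: r.on_network),
    Rule("advertises our SSID", "Malicious", 90, lambda r: r.ssid in CORPORATE_SSIDS),
    Rule("open, on-site and attracting clients", "Malicious", 80,
         lambda r: r.encryption == "open" and r.on_site and r.client_count > 0),
    Rule("strong signal on-site", "Malicious", 60,
         lambda r: r.on_site and r.rssi_dbm >= STRONG_RSSI_DBM),
    Rule("secured, weak, foreign SSID, no clients, off-network", "Friendly", 10,
         lambda r: (not r.on_network and r.encryption != "open"
                    and r.ssid not in CORPORATE_SSIDS
                    and r.rssi_dbm < WEAK_RSSI_DBM and r.client_count == 0)),
]


def classify(rogue: RogueAP, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (classification, name of the deciding rule). Rules are ordered by
    severity so the most harmful matching rule wins; a rogue matching no rule
    is left Unclassified rather than silently treated as friendly."""
    hits = sorted((rule for rule in rules if rule.match(rogue)),
                  key=lambda rule: rule.severity, reverse=True)
    if not hits:
        return "Unclassified", None
    return hits[0].classification, hits[0].name


# Constructed sample rogues: an SSID impersonator, a neighbour's secured AP,
# an open AP confirmed on our wire, and an ambiguous one.
SAMPLE_ROGUES = [
    RogueAP("aa:bb:cc:00:00:01", "corp-secure", -55, "open", False, 2, True),
    RogueAP("aa:bb:cc:00:00:02", "coffee-shop", -85, "wpa2", False, 0, False),
    RogueAP("aa:bb:cc:00:00:03", "linksys", -72, "open", True, 1, True),
    RogueAP("aa:bb:cc:00:00:04", "linksys", -78, "wpa2", False, 3, False),
]


def classify_all(rogues: List[RogueAP] = SAMPLE_ROGUES) -> Dict[str, Tuple[str, Optional[str]]]:
    return {rogue.bssid: classify(rogue) for rogue in rogues}


if __name__ == "__main__":
    for bssid, (verdict, reason) in classify_all().items():
        print(f"{bssid}  {verdict:12s} {reason or 'no rule matched'}")
```

Ordering by severity matters more than it looks: the first sample rogue matches three malicious rules, and reporting "advertises our SSID" rather than "strong signal on-site" tells the responder which mitigation (containment, switchport tracing) the risk model attaches to it.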

Wired Rogue Detection Methods

Rogue Detector AP (on a trunk port):

• Detects all rogue client and access point ARPs

• Controller queries the rogue detector to determine if rogue clients are on the network

• Does not work with NAT APs

Rogue Location Discovery Protocol (RLDP), run by a data-serving AP:

• Connects to the rogue AP as a client

• Sends a packet to the controller's IP address

• Only works with open rogue access points

Rogue Detector AP Operation

Rogue detector on a trunk port; WLC debug output:

> debug capwap rm rogue detector

ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6651 found on net msg

BSSID: 0021.4458.6652

Cisco Prime: Alarm Changed from Minor to Critical – Security Alert: Rogue with MAC Address 0021.4458.6651 Has Been Detected on the Wired Network

Rogue Detector AP Mode – Example Deployment Scenario

Diagram: one rogue detector in each of Bldg 1, Bldg 2 and Bldg 3.

Install one rogue detector at each Layer 3 boundary. Put more simply, ensure all VLANs are monitored by a rogue detector.

Rogue Detector AP Mode Configuration

All radios become disabled in this mode. The AP connects to a switch trunk port (WLC – switch – AP – VLANs):

interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 spanning-tree portfast

Rogue Location Discovery Protocol (RLDP) Operation

WLC debug output:

> debug dot11 rldp

Successfully associated with rogue: 00:21:44:58:66:52
Sending DHCP packet through rogue AP 00:21:44:58:66:52
RLDP DHCP BOUND state for rogue 00:21:44:58:66:52
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142 BSSID: 0021.4458.6652

Cisco Prime: Alarm Changed from Minor to Critical – Security Alert: Rogue with MAC Address 0021.4458.6652 Has Been Detected on the Wired Network

Rogue Location Discovery Protocol – Automatic Operation

• Two automatic modes of operation:

– ‘AllAPs’ – uses both Local and Monitor mode APs

– ‘MonitorModeAPs’ – uses only Monitor mode APs

• Recommended: Monitor mode APs – RLDP can impact service on client-serving APs

Switchport Tracing (SPT) using Cisco Prime

Diagram: Cisco Prime, the core switch, and the corporate AP that detects the rogue; Prime runs Show CDP Neighbors (1) and then queries the CAM tables of the neighbouring switches (2, 3).

Switchport Tracing: on-demand or automatic

• Identifies CDP neighbors of the APs detecting the rogue

• Queries the switches' CAM tables for the rogue's MAC

• Works for rogues with security and NAT

SPT matches on: rogue MAC address, rogue MAC +3/-3, rogue client MAC address, rogue vendor OUI
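The wired-side matching behind the rogue detector slide and the switchport tracing slide, as an added Python example that is not the deck's or Cisco's code: one helper normalises MAC addresses across the colon and Cisco dotted notations the debug output mixes, a rogue detector routine correlates rogue BSSIDs and rogue client MACs with ARP sources seen on the trunk (exact matches only), and an SPT routine applies the four match types the slide lists to a CAM table. The rogue list, ARP sources and CAM table are constructed; the BSSID reuses the one from the debug output above, where the MAC found on the wire differs from the BSSID by one, which is the case the +3/-3 match type exists for.

```python
import re
from typing import Dict, List, Tuple


def norm_mac(mac: str) -> int:
    """Accept colon (00:21:44:58:66:52), dash, or Cisco dotted (0021.4458.6652)
    notation and return the 48-bit value, so MACs from the WLC, the rogue
    detector and switch CAM tables compare reliably."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def fmt_mac(value: int) -> str:
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


# Constructed over-the-air data from the WLC: rogue BSSIDs and the client MACs
# seen associated to each rogue.
ROGUE_APS: Dict[str, List[str]] = {
    "0021.4458.6652": ["e4:5f:01:aa:bb:01", "e4:5f:01:aa:bb:02"],
}

# Constructed wired-side data: source MACs of ARP frames a rogue detector saw
# on its trunk, and a CAM table as Prime would read it during SPT.
ARP_SOURCES = ["0021.4458.6651", "e4:5f:01:aa:bb:02", "3c:5a:b4:12:34:56"]
CAM_TABLE: Dict[str, List[str]] = {
    "Gi1/0/7": ["0021.4458.6651"],
    "Gi1/0/9": ["3c:5a:b4:12:34:56"],
}


def rogue_detector_hits(rogue_aps: Dict[str, List[str]] = ROGUE_APS,
                        arp_sources: List[str] = ARP_SOURCES) -> List[Tuple[str, str, str]]:
    """Rogue detector logic: an exact match between a rogue AP's BSSID or one
    of its clients and a MAC seen ARPing on the trunk means that rogue is on
    our wired network. Returns (bssid, wired MAC, what matched)."""
    wired = {norm_mac(m) for m in arp_sources}
    hits = []
    for bssid, clients in rogue_aps.items():
        for mac in [bssid] + clients:
            if norm_mac(mac) in wired:
                kind = "rogue ap" if mac == bssid else "rogue client"
                hits.append((bssid, fmt_mac(norm_mac(mac)), kind))
    return hits


def spt_matches(bssid: str, clients: List[str], cam_table: Dict[str, List[str]] = CAM_TABLE,
                offset: int = 3) -> List[Tuple[str, str, str]]:
    """Switchport tracing match types from the slide, strongest first: the
    rogue's own MAC, a MAC within +/-3 of it (a rogue AP's wired interface is
    often numbered next to its radio BSSID), a rogue client's MAC, and the
    rogue's vendor OUI. Returns (port, wired MAC, match type)."""
    b = norm_mac(bssid)
    client_set = {norm_mac(c) for c in clients}
    matches = []
    for port, macs in cam_table.items():
        for mac in macs:
            n = norm_mac(mac)
            if n == b:
                matches.append((port, fmt_mac(n), "rogue mac"))
            elif abs(n - b) <= offset:
                matches.append((port, fmt_mac(n), "rogue mac +/-3"))
            elif n in client_set:
                matches.append((port, fmt_mac(n), "rogue client mac"))
            elif (n >> 24) == (b >> 24):
                # OUI alone is the weakest evidence: other hardware from the
                # same vendor is on the wire too. Report it; do not shut on it.
                matches.append((port, fmt_mac(n), "vendor oui"))
    return matches


if __name__ == "__main__":
    print("rogue detector:", rogue_detector_hits())
    for bssid, clients in ROGUE_APS.items():
        print("SPT:", spt_matches(bssid, clients))
```

On this data the rogue detector reports the rogue because one of its clients ARPed on the trunk, not because of the BSSID itself, while SPT finds the rogue's wired interface on Gi1/0/7 through the +/-3 match; the match type is the column the SPT action screen shows next to each port, and it is what decides whether shutting that port is justified.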

Switchport Tracing (SPT) Action

Prime screenshot callouts: Number of MACs Found on the Port; Match Type; Uncheck to Shut the Port.

Wireless Rogue AP Containment

• Monitor Mode AP – can contain 6 rogues per radio; containment packets are sent every 100ms; broadcast & unicast de-auth

• Local Mode AP – can contain 3 rogues per radio; containment packets are sent every 500ms; unicast de-auth & unicast dis-assoc; impacts associated clients' performance

Automatic Rogue AP Containment

• Use auto-containment to nullify the most alarming threats

• Containment can have legal consequences when used improperly

• WLC option: use only Monitor mode APs for containment to prevent impact to clients

Rogue Location On-Demand using Cisco Prime

• Allows an individual rogue AP to be located on-demand

• Keeps no historical record of rogue location

• Does not locate rogue clients

Rogue Location in Real Time with Prime and Mobility Services Engine (MSE) Context-Aware

• Tracks multiple rogues in real time (up to MSE limits)

• Can track and store rogue location historically

• Provides location of rogue clients, rogue ad-hoc networks & non-WiFi interferers

Map legend (slide): non-WiFi interferers (microwave, Bluetooth) and WiFi interferers

Zone of Impact with Prime and MSE Context-Aware – Non-WiFi Interferers and Rogue Access Points (map shown on the slide)

Cisco’s Attack Detection Mechanisms

WLC Base IDS (core):

• Rogue AP and client detection

• 17 common attack signatures

Adaptive wIPS (with Cisco Prime):

• Alarm aggregation, consolidation and false positive reduction

• Enhanced DoS attack behaviour analysis – 115 attack signatures

• Coordinated rogue containment

• Anomaly detection

• Forensic, blacklisting, auto containment, and auto immunity responses

Network Design Considerations


Adaptive wIPS Deployment Recommendations

• Enhanced Local Mode (ELM) – the local mode AP serves clients for 16s, then scans 50ms for attacks (best-effort scanning); enable ELM on every deployed AP

• Monitor Mode AP – scans 1.2s per channel for attacks, 24x7 scanning; deploy 1 MM AP for every 5 local mode APs

• WSSI Module – the local mode AP keeps serving clients while the module scans 1.2s per channel for attacks, 24x7; deploy 1 WSSI for every 5 local mode APs

DEMO – Rogue Detection & Mitigation


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings
