security expert's advice on next - ciscohacker wireless attack vectors rogue access points...

Posted on 26-May-2020

TRANSCRIPT

Page 1: Security Expert's Advice on Next - CiscoHACKER Wireless Attack Vectors Rogue Access Points Backdoor network access HACKER Evil Twin/Honeypot AP HACKER’S AP Connection to malicious
Page 2:

Security Expert's Advice on Next Generation Converged Access Network 4.1 EN Mobility

MinSe Kim, Sr. Technical Marketing Engineer

Cisco Systems

Page 3:

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Objective

“Prevention is better than cure”

Without prevention you are exposed, because wireless has no boundaries: the attacker does not need to be inside the building to reach the radio.

Page 4:

Wireless Security Threats

Page 5:

Wireless Attack Vectors

Over-the-Air Attacks
• Denial of Service: service disruption
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping
• Evil Twin / Honeypot AP: clients connect to the hacker's malicious AP

On-Wire Attacks (the attacker reaches the wired network)
• Rogue Access Points: backdoor network access
• Ad-hoc Wireless Bridge: client-to-client backdoor access

Non-802.11 Attacks (RF interference): Bluetooth devices and Bluetooth APs, radar, RF jammers, microwave ovens

Page 6:

Attacker's Nirvana: Tools to Hide from the Infrastructure

BackTrack 5 (VM or Live CD), with USB wireless cards or cards that honour no regulatory restrictions (any channel, any Tx power)

Spoofing Pyramid, what the attacker impersonates:
• BSSID: the radio MAC address
• ESSID: the wireless SSID
• Channel & Tx power
• DHCP, DNS etc., on bridged/NAT interfaces

Page 7:

Wireless Intrusion Prevention Best Practices

Page 9:

Secure the Connection

Page 10:

Authentication Best Practices: Use WPA2-Enterprise

Strong Encryption
• AES: Advanced Encryption Standard; requires hardware support and achieves line-rate speeds

Strong Authentication (802.1X/EAP)
• Tunneling-based methods (protective cover): EAP-PEAP, EAP-TTLS, EAP-FAST
  with inner methods (authentication credentials): EAP-GTC, EAP-MSCHAPv2
• Certificate-based: EAP-TLS

Page 11:

EAP Methods Comparison

                                     EAP-TLS   PEAP     EAP-FAST
Fast Secure Roaming                  Yes       Yes      Yes
Local WLC Authentication             Yes       Yes      Yes
OTP (One Time Password) Support      No        Yes      Yes
Server Certificates                  Yes       Yes      No
Client Certificates                  Yes       No       No
PAC (Protected Access Credentials)*  No        No       Yes
Deployment Complexity                High      Medium   Low

* PACs can be provisioned anonymously for minimal complexity. Note that anonymous in-band provisioning does not authenticate the server, so a client can be provisioned by an impostor during that phase; use authenticated provisioning (server certificate) or out-of-band PAC distribution where the risk matters.

For Your Reference

Page 12:

Secure Your Wireless Infrastructure End-Points

1. Configure the 802.1X supplicant on the AP, so the AP authenticates to its switch port against ISE (RADIUS) before it is admitted to the network.
2. Enable switch port security on the AP-facing ports.

CAPWAP DTLS between AP and WLC, using the Manufacturer Installed Certificates (MIC), is the default out-of-box behavior and provides mutual authentication.

Page 13:

Management Frame Protection (MFP)

Problem
• Wireless management frames (beacons, probes, association) are not authenticated, encrypted, or signed
• A common vector for exploits

Solution
• Insert a signature (Message Integrity Code/MIC) into the management frames
• APs can instantly identify rogue/exploited management frames
• Optionally, clients and APs use the MIC to validate the authenticity of management frames

Page 14:

Infrastructure MFP Operation

Figure: the corporate AP in Corporate Building 1 has BSSID 11:11:11:11:11:11. An impersonating AP in Corporate Building 2 advertises the same BSSID 11:11:11:11:11:11 near the legitimate AP with BSSID 22:22:22:22:22:22. The two corporate radios cannot hear each other, so the BSSID collision alone is not visible; the Building 2 AP recognises the impersonation because the spoofed management frames carry no valid MIC, and reports it to the WLC.

Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP

Page 15:

Client MFP and 802.11w Operation

Both protect against spoofing of AP and client management frames:
• Client MFP (CCXv5 clients): protected management frames carrying a MIC
• 802.11w: protected frames under a security association (SA)

Management frame types listed on the slide: AP beacons, probe requests/responses, associations/re-associations, disassociations, authentications/de-authentications, action management frames

Note that 802.11w can only protect robust management frames (deauthentication, disassociation and robust action frames) exchanged after the SA exists; beacons and probe frames are sent before any key is available and are not covered by 802.11w.
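The following is an added example, not part of the deck and not Cisco code, showing what the MIC check buys a client once 802.11w (PMF) is negotiated: a genuine deauthentication from the AP is accepted, a replayed copy is dropped on the packet number, and a forged deauthentication from an attacker who lacks the key is dropped either because it carries no MIC or because the MIC does not verify. 802.11w's BIP uses AES-128-CMAC truncated to 8 bytes keyed with the IGTK; this example substitutes HMAC-SHA256 from the standard library (same length, same check logic) so it runs without extra packages. The key, MAC addresses and frame contents are constructed.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Illustrative MIC: real 802.11w BIP uses AES-128-CMAC truncated to 8 bytes.
# HMAC-SHA256 (stdlib) stands in here; the acceptance logic is the same.
MIC_LEN = 8


@dataclass
class MgmtFrame:
    subtype: str        # "deauth", "disassoc", "action", "beacon", ...
    src: str            # transmitter MAC
    dst: str            # receiver MAC (ff:ff:ff:ff:ff:ff for group frames)
    bssid: str
    body: bytes = b""
    ipn: int = 0        # IGTK packet number: monotonic replay counter
    mic: bytes = b""    # empty means the frame is unprotected


def _mac(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def _protected_bytes(f: MgmtFrame) -> bytes:
    """Fields covered by the MIC: addresses, subtype, 6-byte IPN (as in BIP) and body."""
    return (_mac(f.src) + _mac(f.dst) + _mac(f.bssid)
            + f.subtype.encode() + struct.pack(">Q", f.ipn)[2:] + f.body)


def protect(igtk: bytes, f: MgmtFrame, ipn: int) -> MgmtFrame:
    """AP side: stamp the next packet number and attach the MIC."""
    f.ipn = ipn
    f.mic = hmac.new(igtk, _protected_bytes(f), hashlib.sha256).digest()[:MIC_LEN]
    return f


class PmfClient:
    """Client that negotiated PMF and holds the AP's group management key."""
    ROBUST = {"deauth", "disassoc", "action"}   # the only types 802.11w protects

    def __init__(self, igtk: bytes):
        self.igtk = igtk
        self.last_ipn = -1

    def accept(self, f: MgmtFrame) -> tuple:
        if f.subtype not in self.ROBUST:
            return True, "not a robust frame, no MIC expected"   # beacons, probes
        if not f.mic:
            return False, "unprotected robust frame discarded"   # classic deauth flood
        if f.ipn <= self.last_ipn:
            return False, "replay: IPN not increasing"
        expected = hmac.new(self.igtk, _protected_bytes(f), hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(expected, f.mic):
            return False, "bad MIC: forged or modified"
        self.last_ipn = f.ipn
        return True, "authentic"


def demo() -> list:
    """Constructed exchange: one genuine deauth, then three attacker attempts."""
    igtk = hashlib.sha256(b"constructed IGTK for the example").digest()[:16]
    ap, client_mac = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    client = PmfClient(igtk)
    reason_leaving = b"\x03\x00"   # deauth reason code 3, little-endian
    genuine = protect(igtk, MgmtFrame("deauth", ap, client_mac, ap, reason_leaving), ipn=7)
    forged = MgmtFrame("deauth", ap, client_mac, ap, reason_leaving)              # spoofed BSSID, no key
    wrong_key = protect(b"\x00" * 16, MgmtFrame("deauth", ap, client_mac, ap, reason_leaving), ipn=8)
    results = []
    for name, frame in [("genuine", genuine), ("replay", genuine),
                        ("forged", forged), ("wrong-key", wrong_key)]:
        ok, why = client.accept(frame)
        results.append(f"{name}: {'ACCEPT' if ok else 'DROP'} ({why})")
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```

The replay check matters as much as the MIC: without the packet number, an attacker could record one genuine protected deauthentication and resend it at will.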

Page 16:

Identify Users & Enforce Policy

Page 17:

Profiling Strategies

ISE Base (wireless only): AAA, guest provisioning; device profiling and policy control is performed by the WLC
ISE Wireless (wireless only): AAA, guest provisioning, device profiling, device on-boarding, device posturing, partner MDM integration
ISE Advanced: the same feature set, with profiling and policy enforcement across any access medium

Page 18:

Profiling and Policy Enforcement Options

Network components: WLC; RADIUS server (e.g. ISE Base, ACS)
Profiling factors: time of day, authentication, device type, user role
Policy enforced: VLAN, access list, QoS, session timeout, AVC (wireless only)

Page 19:

Profiling & Policy Enforcement Workflow

1. A Finance user connects, from either a personal device or a corporate device; the WLC sends the authentication request to ISE Base.
2. ISE Base (AAA services) returns the authentication response carrying the Cisco-AV-Pair Role=Finance.
3. The WLC profiles the device and enforces its local policy for that role and device type, e.g. personal device: VLAN 3, QoS = Silver; corporate device: VLAN 7, QoS = Platinum, applied to the client's traffic over CAPWAP.
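Added example, not from the deck or from Cisco: how the Role=Finance AV-pair in step 2 actually travels, and how a WLC-side policy step like step 3 would consume it. The RADIUS Vendor-Specific attribute layout (type 26, 4-byte vendor id, then vendor sub-type/length/value) is RFC 2865; Cisco's vendor id 9 and sub-type 1 for cisco-avpair are the real values. The policy table is an assumption read off the slide (personal device to VLAN 3/Silver, corporate device to VLAN 7/Platinum), and the quarantine default and the Access-Accept byte string are constructed for the example.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # vendor sub-type carrying "key=value" text
RADIUS_SESSION_TIMEOUT = 27      # unrelated attribute used to show the parser skipping correctly

# Assumed WLC local policy: (role from AAA, device type from profiling) -> (VLAN, QoS)
LOCAL_POLICY = {
    ("Finance", "Personal Device"): (3, "Silver"),
    ("Finance", "Corporate Device"): (7, "Platinum"),
}
DEFAULT_POLICY = (999, "Bronze")   # assumed quarantine VLAN for anything unmatched


def encode_cisco_avpair(value: str) -> bytes:
    """Build one RADIUS Vendor-Specific attribute carrying cisco-avpair=<value>."""
    v = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(v)) + v
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa


def parse_cisco_avpairs(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return {key: value} for Cisco AV-pairs.

    Every length is validated before it is trusted: a zero or over-long length
    raises instead of looping forever or reading into the next attribute.
    """
    pairs = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError(f"bad attribute length {a_len} at offset {i}")
        value = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != RADIUS_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated VSA header")
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                raise ValueError(f"bad VSA length {sub_len}")
            if sub_type == CISCO_AVPAIR:
                text = value[j + 2:j + sub_len].decode("ascii", "replace")
                k, _, v = text.partition("=")
                pairs[k.strip()] = v.strip()
            j += sub_len
    return pairs


def wlc_policy(avpairs: dict, device_type: str) -> tuple:
    """Return the (vlan, qos) the WLC applies for this session."""
    return LOCAL_POLICY.get((avpairs.get("Role"), device_type), DEFAULT_POLICY)


# Constructed Access-Accept attribute list: the Cisco AV-pair followed by a
# Session-Timeout of 3600 s that the parser has to step over without misreading.
ACCESS_ACCEPT_ATTRS = (
    encode_cisco_avpair("Role=Finance")
    + struct.pack("!BBI", RADIUS_SESSION_TIMEOUT, 6, 3600)
)

if __name__ == "__main__":
    pairs = parse_cisco_avpairs(ACCESS_ACCEPT_ATTRS)
    for dev in ("Personal Device", "Corporate Device"):
        print(dev, pairs, wlc_policy(pairs, dev))
```

The unmatched case falls to a quarantine policy rather than to "no policy": a missing or misspelled role from AAA should degrade access, not grant the most permissive VLAN.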

Page 20:

Wi-Fi Direct Policy

Wi-Fi Direct allows a corporate laptop simultaneous access to the corporate WLAN and to unauthorized devices, which creates backdoor access. Prevent access to the corporate WLAN when Wi-Fi Direct is enabled on corporate wireless devices.

Page 22:

What is the Need for Application Visibility and Control?

• Why is the wireless performance of my network so low?
• Should I add more access points to improve the user experience?
• What if someone is running BitTorrent against company policy and hurting the overall user experience?

Page 24:

Attack Detection & Mitigation Techniques

Page 25:

Rogue Detection Basics: Two Different AP Modes for RRM Scanning

Local Mode AP (best-effort scanning): serves clients for 16 s, then goes off-channel to scan 50 ms for rogues
Monitor Mode AP (24x7 scanning): serves no clients; scans 250 ms or 1.2 s per channel

Listening for rogues: RF Group = Corporate. Any AP not broadcasting the same RF group name is considered a rogue.

Page 26:

Rogue Classification Rules: Who is more harmful?

Classification is based on threat severity and mitigation action; rules are tailored to the customer's risk model.

Friendly                    Malicious
Off-network                 On-network
Secured                     Open
Foreign SSID                Our SSID
Weak RSSI                   Strong RSSI
Distant location            On-site location
No clients                  Attracts clients

Page 27:

Rogue Classification Rules Example
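Added example, not from the deck or from the WLC: a small rule engine that turns the Friendly/Malicious traits of page 26 into ordered rules, modelled loosely on the WLC's rogue rule conditions (SSID, RSSI, client count, encryption, on-wire state), and applies them to four constructed rogues. The managed SSIDs, thresholds and rule names are assumptions; the on-wire flag stands for a confirmation from RLDP, a rogue detector AP or switchport tracing. Only the two highest-severity rules are allowed to trigger auto-containment, which is the shape a deployment should take given the legal caveat on page 32.

```python
from dataclasses import dataclass

MANAGED_SSIDS = {"Corp-Secure", "Corp-Guest"}   # assumed SSIDs served by our WLC


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int          # strongest RSSI at any detecting AP
    clients: int           # rogue clients seen associated to it
    encryption: str        # "open", "wep", "wpa2", ...
    on_wire: bool          # confirmed on our wired network
    minutes_seen: int


@dataclass
class Rule:
    name: str
    classification: str    # "malicious" or "friendly"
    match: str             # "all" conditions, or "any"
    conditions: list       # callables Rogue -> bool
    priority: int          # lower number is evaluated first

    def matches(self, r: Rogue) -> bool:
        hits = [cond(r) for cond in self.conditions]
        return all(hits) if self.match == "all" else any(hits)


# Assumed rule set; thresholds are illustrative, not Cisco defaults.
RULES = sorted([
    Rule("on-wire", "malicious", "any", [lambda r: r.on_wire], 1),
    Rule("honeypot-our-ssid", "malicious", "all",
         [lambda r: r.ssid in MANAGED_SSIDS, lambda r: r.rssi_dbm >= -70], 2),
    Rule("open-with-clients-on-site", "malicious", "all",
         [lambda r: r.encryption == "open", lambda r: r.rssi_dbm >= -65,
          lambda r: r.clients >= 1], 3),
    Rule("distant-secured-neighbor", "friendly", "all",
         [lambda r: r.ssid not in MANAGED_SSIDS, lambda r: r.rssi_dbm < -80,
          lambda r: r.clients == 0, lambda r: r.encryption != "open"], 10),
], key=lambda rule: rule.priority)

CONTAINABLE_RULES = {"on-wire", "honeypot-our-ssid"}   # the "most alarming threats" only


def classify(r: Rogue) -> tuple:
    """First matching rule wins; anything unmatched stays unclassified for a human."""
    for rule in RULES:
        if rule.matches(r):
            return rule.classification, rule.name
    return "unclassified", None


def auto_contain(r: Rogue) -> bool:
    cls, rule = classify(r)
    return cls == "malicious" and rule in CONTAINABLE_RULES


# Constructed observations
CONSTRUCTED_ROGUES = [
    Rogue("02:1f:aa:00:00:01", "Corp-Secure", -55, 3, "open", False, 4),       # evil twin of our SSID
    Rogue("c0:ff:ee:00:00:02", "CoffeeShop-WiFi", -88, 0, "wpa2", False, 600),  # neighbour across the street
    Rogue("00:1a:2b:3c:4d:52", "linksys", -60, 2, "open", True, 30),            # employee's AP on our switch
    Rogue("d4:00:00:00:00:04", "Neighbor-5G", -75, 1, "wpa2", False, 20),       # needs a human look
]

if __name__ == "__main__":
    for r in CONSTRUCTED_ROGUES:
        print(r.bssid, r.ssid, classify(r), "contain" if auto_contain(r) else "")
```

Rule order is the risk model: an AP that is on our wire is malicious whatever its SSID or signal, so that rule sits first, and the friendly rule is last so a weak-signal AP that happens to advertise our SSID can never be whitelisted by it.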

Page 28:

Wired Rogue Detection Methods

Rogue Location Discovery Protocol (RLDP)
• A data-serving AP connects to the rogue AP as a client
• Sends a packet to the controller's IP address; if it arrives, the rogue is on our wire
• Only works with open rogue access points

Rogue Detector AP
• Connected to a trunk port; detects all rogue client and access point ARPs on the wire
• The controller queries the rogue detector to determine if rogue clients are on the network
• Does not work with NAT APs

Page 29:

Rogue Location Discovery Protocol Automatic Operation

• Two automatic modes of operation:
  – 'AllAPs': uses both Local and Monitor mode APs
  – 'MonitorModeAPs': uses only Monitor mode APs
• Recommended: Monitor Mode APs, because RLDP can impact service on client-serving APs (the AP leaves its channel to associate to the rogue)

Page 30:

Switchport Tracing (SPT) using Cisco Prime

Switchport tracing, on-demand or automatic:
1. Identifies the CDP neighbors (access switches) of the corporate APs detecting the rogue
2. Queries those switches' CAM tables, and the core's, for the rogue's MAC
3. Works for rogues with security and NAT, since nothing has to associate to the rogue

SPT matches on: rogue MAC address, rogue MAC +3/-3, rogue client MAC address, rogue vendor OUI
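Added example, not from the deck or from Cisco Prime: the matching step of switchport tracing run over a constructed CAM table. The rogue's wired MAC is usually not its BSSID but a neighbouring address from the same block, which is what the +3/-3 window catches; a rogue client MAC on the wire is a second strong signal, and a bare vendor-OUI match is kept only as a weak hint. Uplink ports are excluded because a trunk sees every MAC. The CAM entries, MAC addresses and confidence weights are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class CamEntry:
    switch: str
    port: str
    vlan: int
    mac: str


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac: str) -> str:
    return mac.lower()[:8]


def trace_switchports(rogue_bssid: str, rogue_client_macs, cam, tolerance: int = 3,
                      uplink_ports=()) -> list:
    """Return (confidence, entry, reason) triples, strongest evidence first."""
    target = mac_to_int(rogue_bssid)
    clients = {m.lower() for m in rogue_client_macs}
    found = []
    for e in cam:
        if (e.switch, e.port) in uplink_ports:
            continue                                   # trunks carry every MAC; no location value
        m = e.mac.lower()
        if m == rogue_bssid.lower():
            found.append((3, e, "exact BSSID match"))
        elif abs(mac_to_int(m) - target) <= tolerance:
            found.append((2, e, f"MAC within +/-{tolerance} of BSSID"))
        elif m in clients:
            found.append((2, e, "rogue client MAC seen on wire"))
        elif oui(m) == oui(rogue_bssid):
            found.append((1, e, "same vendor OUI only (weak)"))
    return sorted(found, key=lambda t: -t[0])         # stable: ties keep CAM order


# Constructed inputs
ROGUE_BSSID = "00:1a:2b:3c:4d:52"
ROGUE_CLIENTS = ["f4:5c:89:aa:bb:01"]
UPLINKS = {("sw-floor2", "Gi1/0/24")}
CAM_TABLE = [
    CamEntry("sw-floor2", "Gi1/0/7", 20, "00:1a:2b:3c:4d:50"),   # rogue's wired side, BSSID-2
    CamEntry("sw-floor2", "Gi1/0/12", 20, "00:1a:2b:99:88:77"),  # same vendor, unrelated device
    CamEntry("sw-floor2", "Gi1/0/24", 1, "00:1a:2b:3c:4d:52"),   # seen on the uplink, ignored
    CamEntry("sw-floor3", "Gi1/0/3", 30, "f4:5c:89:aa:bb:01"),   # a rogue client bridged onto the wire
    CamEntry("sw-floor2", "Gi1/0/8", 20, "3c:5a:b4:11:22:33"),   # innocent
]

if __name__ == "__main__":
    for conf, e, why in trace_switchports(ROGUE_BSSID, ROGUE_CLIENTS, CAM_TABLE, uplink_ports=UPLINKS):
        print(conf, e.switch, e.port, e.mac, why)
```

A rogue doing NAT hides its clients' MACs, so the client match will not fire for it; the +3/-3 match on the rogue's own wired MAC still will, which is why the slide lists SPT as working through NAT. Treat an OUI-only hit as a lead to verify before shutting a port.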

Page 31:

Wireless Rogue AP Containment

Monitor Mode AP: can contain 6 rogues per radio; containment packets (broadcast and unicast de-auth) are sent every 100 ms
Local Mode AP: can contain 3 rogues per radio; containment packets (unicast de-auth and unicast dis-assoc) are sent every 500 ms; impacts associated clients' performance

Page 32:

Automatic Rogue AP Containment

Use auto-containment to nullify the most alarming threats (rogues that a rule classifies malicious, such as on-wire APs or APs advertising our SSID), not every AP the infrastructure hears.

Containment can have legal consequences when used improperly: it de-authenticates clients from the target AP, and if that AP belongs to a neighbour you are disrupting someone else's network.

The WLC can be set to use only Monitor Mode APs for containment, to prevent impact to clients on Local Mode APs.

Page 33:

Rogue Location in Real-Time with Prime and Mobility Services Engine (MSE) Context-Aware

• Tracks multiple rogues in real time (up to MSE limits)
• Can track and store rogue location historically
• Provides the location of rogue clients, rogue ad-hoc networks, non-WiFi interferers (e.g. microwave ovens, Bluetooth) and WiFi interferers

Page 34:

Zone of Impact of Non-WiFi Interferers and Rogue Access Points, with Prime and MSE Context-Aware

Page 35:

Cisco's Attack Detection Mechanisms

WLC Base IDS (core, on the controller)
• Rogue AP and client detection
• 17 common attack signatures

Adaptive wIPS (with Cisco Prime)
• Alarm aggregation, consolidation and false positive reduction
• Enhanced DoS attack behaviour analysis: 115 attack signatures
• Coordinated rogue containment
• Anomaly detection
• Forensic, blacklisting, auto containment, and auto immunity responses

Page 36:

Adaptive wIPS Deployment Recommendations

Enhanced Local Mode (ELM): the local mode AP serves clients for 16 s, then scans 50 ms for attacks (best-effort scanning). Enable ELM on every deployed AP.
Monitor Mode AP: dedicated radio, scans 1.2 s per channel for attacks, 24x7. Deploy 1 MM AP for every 5 Local Mode APs.
WSSI Module: a local mode AP keeps serving clients while the module scans 1.2 s per channel for attacks, 24x7. Deploy 1 WSSI for every 5 Local Mode APs.
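Added example, not from the deck or from Cisco, putting numbers on "best-effort" versus "24x7" scanning for both the rogue-detection slide (page 25) and the wIPS deployment slide above, which quote the same 16 s / 50 ms cycle for local mode and ELM. The model is deliberately simple and is an assumption: the radio walks a channel list round-robin, the rogue beacons at the 802.11 default interval of 100 TU (102.4 ms), and the 50 ms dwell lands at a random phase, so it catches a beacon only about half the time. The monitor mode dwell times are the slide's.

```python
BEACON_INTERVAL_MS = 102.4   # 802.11 default of 100 TU (1 TU = 1024 us); assumed for the rogue


def beacon_hit_probability(dwell_ms: float, beacon_ms: float = BEACON_INTERVAL_MS) -> float:
    """P(at least one beacon falls inside a dwell) when the dwell's start is
    uniformly random relative to the beacon schedule: dwell/interval, capped at 1."""
    return min(1.0, dwell_ms / beacon_ms)


def channel_revisit_s(serve_s: float, dwell_ms: float, n_channels: int) -> float:
    """Seconds between two visits to the same channel when the radio alternates
    serve_s of client service with one dwell_ms off-channel visit, round-robin
    over n_channels (simplified model of the scan cycle)."""
    return n_channels * (serve_s + dwell_ms / 1000.0)


def expected_detection_s(serve_s: float, dwell_ms: float, n_channels: int) -> float:
    """Expected seconds until a rogue beaconing on one channel is first heard.
    The first visit to its channel lands uniformly in [0, T); each further attempt
    costs another T and succeeds with probability p."""
    p = beacon_hit_probability(dwell_ms)
    T = channel_revisit_s(serve_s, dwell_ms, n_channels)
    return T / 2 + T * (1 / p - 1)


def off_channel_duty_cycle(serve_s: float, dwell_ms: float) -> float:
    """Fraction of airtime a client-serving radio spends away from its channel."""
    return dwell_ms / (serve_s * 1000.0 + dwell_ms)


# Scan cycles quoted on the slides; a monitor radio serves no clients (serve_s = 0)
MODES = {
    "local / ELM": dict(serve_s=16.0, dwell_ms=50.0),
    "monitor (250 ms)": dict(serve_s=0.0, dwell_ms=250.0),
    "monitor / WSSI (1.2 s)": dict(serve_s=0.0, dwell_ms=1200.0),
}


def compare(n_channels: int = 11) -> dict:
    """Expected detection time per mode for a channel list of n_channels (11 = 2.4 GHz FCC)."""
    return {name: round(expected_detection_s(n_channels=n_channels, **kw), 1)
            for name, kw in MODES.items()}


if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:24s} {secs:8.1f} s")
    print("local-mode off-channel duty cycle:", round(off_channel_duty_cycle(16.0, 50.0), 4))
```

With eleven 2.4 GHz channels the local-mode radio needs several minutes on average to hear a rogue, while a dedicated scanner hears it within seconds, at the cost of one radio per five APs; the local radio's price for its scanning is well under 1% of its airtime, which is why the slide says to enable ELM everywhere and still add monitor radios. A rogue that beacons less often, or on a channel outside the scanned list, is missed for correspondingly longer.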
