© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Unified Wireless LAN Security
Ong Poh Seng
Cisco Systems (USA) Pte Ltd
Security & Wireless Specialist
6th March 2008
Contents
WLAN Security Overview
WLAN Security Vulnerabilities and Threats
Cisco Unified Wireless Security
Summary
Q and A
Evolution of Wireless Security Challenges
Late 90s. WLAN Technologies Were Proprietary and Provided Minimal Security Features. Security Threat Was Low
2000. 802.11b Standard Ratification Included WEP for Basic Link Encryption Although Lacked Method for Authentication
2001. WEP Is Easily Cracked by Researchers at Berkeley. Majority of Businesses and Consumers Leave Security Default “Off”; War Driving Expands. Rogue APs Emerge as Viable Business Threat
2001. Cisco Delivers the LEAP Protocol for Mutual Authentication and Improves upon WEP Using CKIP. Many Rely on VPNs
2004. Ratification of IEEE 802.11i for Robust WLAN Security. WPA and WPA2 Expand in Popularity
2007. Unified Wired and Wireless Security with Integrated Wireless IPS. Management Frame Protection
As WiFi Becomes Pervasive …
Why Are Wireless LANs Prone to Attack?
“Open air”: no physical barriers to intrusion
Standard 802.11 protocol: well-documented and understood; the most common attacks against WLAN networks are targeted at management frames
Unlicensed: easy access to inexpensive technology
Wireless Access Outside of Physical/Wired Boundaries
[Diagram: wireless coverage extends past the physical security and wired security boundaries of the enterprise network]
Wi-Fi Security Myths
Myth: No Wi-Fi = Good Security. WRONG!
• A single rogue access point creates enormous risk
• Traditional security measures (firewall, wired IDS/IPS, VPNs, NAC, etc.) don’t address it
• Perpetrated unknowingly by your own employees
Myth: A handheld walk-around survey (e.g. AirMagnet) is sufficient. WRONG!
• Would you only turn on your firewall periodically?
• Not practical for branch or remote offices with no local IT personnel
• Laborious and expensive
Myth: I use 802.11i, WPA or VPN, so my network is secure. WRONG!
• Only protects authorized clients and infrastructure
• No impact on unauthorized infrastructure (e.g. rogue APs) or unauthorized connections (e.g. ad hoc networks)
WLAN Security Vulnerabilities and Threats Summary
Wireless LANs have become easy targets for both “traditional” network exploits and criminal elements
Passive SSID probe sniffing and WEP key attacks are just the first stage in WLAN exploits
More sophisticated WLAN exploits are likely to employ management frames, as most management packets are not encrypted
If an attacker can gain access to a WLAN, it is possible to launch a variety of higher-layer exploits over this medium
WLAN Sniffing and SSID Broadcasting
The simplest type of WLAN exploit. However, given the “open” characteristics of 802.11 association behavior, one that is not easily fixed
Disabling SSID “broadcast” simply overcomes passive sniffing; the SSID is easily discovered by observing probe responses from clients
Thus, SSID “cloaking” shouldn’t be considered a security mechanism
Overview of Key WLAN Security Vulnerabilities and Threats
• RF Denial of Service (DoS) attacks
• SSID broadcasting
• Authentication attacks
• Address spoofing
• Man-in-the-middle
[Diagram, three panels. RF-Jamming/DoS Attack: jammer against an access point. Address Spoofing Attack: sniff an authorized client’s MAC and IP address, then inject packets into the WLAN network using that client’s MAC/IP address. Man-in-the-Middle Attack: a MiTM attacker between a wireless station and the access point/controller, with the EAP server behind the controller]
Radio Frequency Based Threats: Top Attacks
Client Mis-association (Rogue WLAN)
• Employees connect to an external WLAN, creating a portal to the enterprise wired network
DoS Attacks (Denial of Service)
• Malicious hackers disrupt critical business services
Rogue AP
• Employees create an opening to the enterprise network unknowingly
Ad Hoc
• Client-to-client connections, bypassing infrastructure security checkpoints
Cisco WLAN Security Leadership and Innovation
• Industry’s first implementation of 802.1X/EAP authentication and dynamic key derivation
• Chaired and led the 802.11i work group
• Wrote or co-wrote many EAP RFCs
• Technical leadership role in Fast Secure Roaming 802.11r
• Industry leading, patent pending rogue detection, mitigation and suppression
• Continuing to innovate with Self-Defending Network
• Location enabled security; Access Control / IDS alerts
• Invented host posture analysis (NAC)
• Invented Management Frame Protection (MFP)
• Invented Self Defending Network (NIC)
• Unified Wired-Wireless IDS/IPS integration
Cisco Self Defending Network: Secure Wireless
• Hacking and malware can compromise network performance and data security
• Proliferation of user types, devices, and network access methods introduces significant risks to the reliability and security of the network
• Mobility dissolves traditional security boundaries and drives a shift towards securing information as opposed to securing perimeters
Confidential Communications
Business Challenge
• Mobility dissolves traditional security boundaries and drives a shift towards securing information as opposed to securing perimeters
Benefits of Confidential Communications
• Secure the network connection
• Protect network traffic
• Verify the user and/or device identity
• Match resources to user or device identity
• Protect infrastructure
• Secure data on the device
Wireless Link Encryption (Confidential Communications)
• Cisco supports industry standards for robust encryption
• WPA and WPA2 are preferred for in-building encryption and authentication
• Cisco wireless is FIPS compliant for AES 128-bit encryption (WPA2)
• Cisco VPNs for public hotspot or home office wireless
• All wireless traffic must be encrypted between the client and the access point to ensure information integrity
Security tiers:
Gold: WPA2/802.11i • AES • EAP-FAST
Silver: WPA • EAP • TKIP
Lead: Dynamic WEP • EAP/LEAP • VLANs + ACLs
Basic Requirements to Secure Wireless LANs
Protection of the WLAN network—Management Frame Protection (MFP) and Wireless IDS
Protect the network from external sources and devices not controlled by infrastructure (secure infrastructure)
Protection of the WLAN devices and managed user/device connectivity
Encryption/authentication of managed 802.11 devices
• Authentication framework—framework to facilitate authentication messages between clients, access point, and AAA server
• Authentication algorithm—mechanism to validate client credentials
• Encryption algorithm—mechanism to provide data privacy
• Message integrity—ensures data frames are tamper free and truly originate from the source address
Management Frame Protection (MFP)
Problem: there’s no “physical security” for wireless and management frames are not authenticated, encrypted, or signed
Solution: insert a signature (Message Integrity Code / MIC) into the management frames:
• AP beacons
• Probe requests/responses
• Associations/re-associations
• Disassociations
• Authentications/de-authentications
• Action management frames
[Diagram: managed AP1 (MAC address A.B.C.D) sends signed management frames; an attacker spoofing AP1’s MAC address A.B.C.D sends an unsigned disassociation; the receiver checks “Signature? No = Discard”]
Initially will be deployed as a security mechanism to validate infrastructure equipment
Will be extended to client adapters via CCX (version 5)
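The check the diagram describes, as an added example that is not part of the original deck and not Cisco’s MFP implementation: a keyed MIC is appended to each protected management frame, and the receiver discards any frame that claims a managed AP’s address but carries no signature, a signature that does not verify, or a replayed sequence number. HMAC-SHA256 truncated to 16 bytes, the frame field layout, the MAC addresses and the key are all assumptions of this example; real MFP key distribution through the controller is not modeled.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Management frame subtypes the slide lists as MFP-protected.
PROTECTED_SUBTYPES = {
    "beacon", "probe_req", "probe_resp", "assoc", "reassoc",
    "disassoc", "auth", "deauth", "action",
}


@dataclass
class MgmtFrame:
    subtype: str
    src_mac: str            # transmitter address the frame claims
    bssid: str
    seq: int                # sequence number, used here for replay detection
    body: bytes
    mic: Optional[bytes] = None


def _authenticated_fields(frame: MgmtFrame) -> bytes:
    """Bytes covered by the MIC: subtype, addresses, sequence number and body."""
    header = f"{frame.subtype}|{frame.src_mac.lower()}|{frame.bssid.lower()}|{frame.seq}|"
    return header.encode() + frame.body


def sign_frame(frame: MgmtFrame, key: bytes) -> MgmtFrame:
    """Infrastructure side: append a MIC computed with the AP's MFP key.
    HMAC-SHA256 truncated to 16 bytes is an assumption of this example."""
    frame.mic = hmac.new(key, _authenticated_fields(frame), hashlib.sha256).digest()[:16]
    return frame


class MfpValidator:
    """Receiving side: accept a protected frame only with a valid, fresh MIC."""

    def __init__(self, keys_by_mac: Dict[str, bytes]):
        self.keys = {mac.lower(): key for mac, key in keys_by_mac.items()}
        self.last_seq: Dict[str, int] = {}

    def check(self, frame: MgmtFrame) -> Tuple[bool, str]:
        mac = frame.src_mac.lower()
        if frame.subtype not in PROTECTED_SUBTYPES:
            return True, "accept: subtype not covered by MFP"
        key = self.keys.get(mac)
        if key is None:
            # Infrastructure-only MFP: frames from unmanaged APs are not validated.
            return True, "accept: transmitter is not a managed AP (no MFP key)"
        if frame.mic is None:
            return False, "discard: managed AP address but no signature"
        expected = hmac.new(key, _authenticated_fields(frame), hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, frame.mic):
            return False, "discard: signature does not verify"
        if frame.seq <= self.last_seq.get(mac, -1):
            return False, "discard: replayed sequence number"
        self.last_seq[mac] = frame.seq
        return True, "accept: valid signature"


def run_scenario() -> list:
    """Constructed scenario: managed AP1 and an attacker spoofing its address."""
    ap1_mac = "00:11:22:aa:bb:cc"                 # constructed stand-in for "MAC Addr A.B.C.D"
    ap1_key = b"constructed-mfp-key-for-ap1"      # constructed key for the example only
    validator = MfpValidator({ap1_mac: ap1_key})

    genuine = sign_frame(MgmtFrame("beacon", ap1_mac, ap1_mac, 1, b"corp-wlan"), ap1_key)
    spoofed_unsigned = MgmtFrame("disassoc", ap1_mac, ap1_mac, 2, b"reason=8")
    spoofed_wrong_key = sign_frame(MgmtFrame("disassoc", ap1_mac, ap1_mac, 3, b"reason=8"),
                                   b"attacker-guess")
    tampered = MgmtFrame("beacon", ap1_mac, ap1_mac, 4, b"evil-twin", mic=genuine.mic)
    replay = MgmtFrame("beacon", ap1_mac, ap1_mac, 1, b"corp-wlan", mic=genuine.mic)

    frames = (genuine, spoofed_unsigned, spoofed_wrong_key, tampered, replay)
    return [validator.check(f)[0] for f in frames]   # [True, False, False, False, False]


if __name__ == "__main__":
    print(run_scenario())
```

Only the genuine, first-seen frame is accepted; the three spoofed variants and the replay are discarded, which is the behaviour the “Signature? No = Discard” decision in the diagram stands for.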
Operational Control & Policy Management
Business Challenges
• Proliferation of user types, devices, and network access methods introduces significant risks to the reliability and security of the network
Benefits of Operational Control & Policy Management
• Eliminate “high risk” wireless behaviors
• Control peer-to-peer (ad hoc) wireless mode
• Ensure device compliance prior to network access
• Protect network from worms, viruses, malware
Wireless Security Management: WCS
Cisco Wireless Control System (WCS) is the management platform for the Cisco Unified Wireless Network
Asset tracking and wireless device management
• WLAN controllers: associated APs
• Access points: usage reports
Security reporting on clients
• State information (associated, authenticated, probing, etc.)
• Link status
• Search by address (IP/MAC), name, category, etc.
Role based management
Wireless Security Management: MARS
Cisco MARS goes beyond simple incident capture and correlation: it creates a map of all network traffic and mitigates incidents
Vector Analysis
• Analyze incidents to determine valid threats
• Path analysis
• Vulnerability analysis for suspected hosts
• Vulnerability scanner correlation
Correlation
• Profile network traffic (NetFlow) and detect anomalies
• Correlate events into sessions
• Apply correlation rules to sessions to identify incidents
Wireless Client Connection Policies
Client Risks: Notebook computers have embedded networking/wireless software
• “ad hoc” networking mode on by default
• Security exposure differs by environment: office vs. conference room vs. on-the-road
Action: Establish policies based on:
• Location of computer: is it in a cubicle, a conference room, or a public hotspot?
• Services running on the device: is “ad hoc” networking enabled? Should Windows AutoUpdates be enabled?
Policies:
• Policy 2.1.0: Employees in conference rooms cannot access human resources database
• Policy 4.3.1: Computers with “ad hoc” networking enabled must disable service.
• Policy 5.2.2: Employees accessing the network through the VPN cannot access company financial information
Wireless Network Admission Control
[Diagram components: wireless client, Wireless LAN Controller, RADIUS internal server, Clean Access Server, Clean Access Manager, Remediation Server, Enterprise Network, Internet]
Flow: 802.1X Auth Req’d → Auth Complete, Client is in! → NAC Complete, Client is in!
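The two-stage admission shown in the diagram, combined with the three numbered client policies from the previous slide, as an added example that is not part of the original deck and not Cisco Clean Access code: 802.1X authentication first, then a posture check that sends non-compliant devices to remediation, then per-policy resource restrictions on admitted clients. The client attribute names, the requirement that off-site clients arrive through the VPN (taken from the endpoint-protection slide later in the deck), and the treatment of disabled AutoUpdates as a posture failure (the slide only raises it as a question) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class WirelessClient:
    mac: str
    eap_authenticated: bool      # outcome of 802.1X/EAP against the RADIUS server
    location: str                # "cubicle", "conference_room" or "public_hotspot"
    via_vpn: bool                # connected through the corporate VPN
    ad_hoc_enabled: bool         # "ad hoc" networking service enabled on the device
    auto_updates_enabled: bool   # Windows AutoUpdates enabled


@dataclass
class Decision:
    stage: str                   # "denied", "remediation" or "admitted"
    reasons: List[str] = field(default_factory=list)
    denied_resources: List[str] = field(default_factory=list)


def posture_failures(c: WirelessClient) -> List[str]:
    """Device-compliance checks run after authentication (the NAC step)."""
    failures = []
    if c.ad_hoc_enabled:
        failures.append("Policy 4.3.1: ad hoc networking enabled; service must be disabled")
    if not c.auto_updates_enabled:
        # Assumption of this example: AutoUpdates must be on to pass posture.
        failures.append("AutoUpdates disabled")
    return failures


def resource_restrictions(c: WirelessClient) -> List[str]:
    """Location- and path-based restrictions applied to an admitted client."""
    denied = []
    if c.location == "conference_room":
        denied.append("human resources database")        # Policy 2.1.0
    if c.via_vpn:
        denied.append("company financial information")    # Policy 5.2.2
    return denied


def admit(c: WirelessClient) -> Decision:
    # Stage 1: 802.1X. No authentication, no network.
    if not c.eap_authenticated:
        return Decision("denied", ["802.1X authentication failed"])
    # Off-site clients must come in through the VPN (assumption from the endpoint slide).
    if c.location == "public_hotspot" and not c.via_vpn:
        return Decision("denied", ["off-site client must connect through the VPN"])
    # Stage 2: NAC posture. Non-compliant clients are pointed at the remediation server.
    failures = posture_failures(c)
    if failures:
        return Decision("remediation", failures)
    # Stage 3: admitted, with per-policy resource restrictions.
    return Decision("admitted", denied_resources=resource_restrictions(c))


def run_scenario() -> Dict[str, str]:
    """Constructed clients covering each branch; returns mac -> admission stage."""
    clients = [
        WirelessClient("c1", True, "cubicle", False, False, True),
        WirelessClient("c2", True, "conference_room", False, False, True),
        WirelessClient("c3", True, "cubicle", False, True, True),
        WirelessClient("c4", False, "cubicle", False, False, True),
        WirelessClient("c5", True, "public_hotspot", True, False, True),
        WirelessClient("c6", True, "public_hotspot", False, False, True),
    ]
    return {c.mac: admit(c).stage for c in clients}


if __name__ == "__main__":
    for mac, stage in run_scenario().items():
        print(mac, stage)
```

The order of the stages matters: posture is only evaluated for authenticated clients, so an attacker cannot learn anything about compliance rules without first presenting valid credentials, and resource restrictions are applied only once both earlier stages have passed.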
Threat Control & Containment
Business Challenges
• Hacking and malware can compromise network performance and data security
Benefits of Threat Control & Containment
• Gain visibility & control of the wireless domain
• Automate detection & quicken removal of unauthorized networks
• Defend against network based attacks
• Prevent denial of service attacks
wIDS Detection and Containment
Rogue and ad hoc networks detected via off channel scanning although most attacks occur on the AP/client channel
[Diagram: valid clients on 802.11a channel 152 and 802.11g channel 6; an attacker on 802.11g channel 6 (on-channel attack detected); a rogue AP and rogue client on 802.11a channel 153 (off channel rogue detected, AP contains rogue client); two ad hoc clients on 802.11g channel 1 (off channel ad hoc net detected, AP contains ad hoc net); RF Containment and Locate Rogue actions]
Wireless Rogue Mitigation Overview
Proactive RF Defense Integrated into the Cisco Unified Wireless Network
1. Detect Rogue AP (Generate Alarm)
2. Assess Rogue AP (Identity, Location)
3. Contain Rogue AP
• Manual mitigation
• Multiple rogues contained simultaneously
4. View Historical Report
Rule-Based Rogue Classification: How it Works
Criteria for Classification Rules:
• Rule Name
• Classification Type (Malicious/Friendly/Unclassified)
• Priority of the rule
• Match All or Match Any of the following conditions:
  • Matches managed SSID
  • Matches user configured SSID
  • No encryption
  • Meets minimum RSSI
  • Meets time duration
  • Meets number of clients associated
Multiple rules supported
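A rule engine with exactly the criteria the slide lists, as an added example that is not part of the original deck and not the controller’s own implementation: each rule has a name, a classification type, a priority and a Match All / Match Any mode over the six conditions, rules are evaluated in priority order, and the first match decides the classification. The managed SSID set, the sample rules, the rogue observations and the threshold values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# SSIDs the controller itself serves (constructed for this example).
MANAGED_SSIDS = {"corp-wlan", "corp-guest"}


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    encrypted: bool
    rssi_dbm: int          # strongest RSSI at which a managed AP hears it
    seen_seconds: int      # how long it has been continuously detected
    client_count: int      # clients observed associated to it


@dataclass
class Rule:
    name: str
    classification: str                  # "Malicious", "Friendly" or "Unclassified"
    priority: int                        # lower value is evaluated first
    match_all: bool                      # True = Match All, False = Match Any
    managed_ssid: bool = False           # condition: matches a managed SSID
    user_ssids: Set[str] = field(default_factory=set)   # condition: matches a user-configured SSID
    no_encryption: bool = False          # condition: rogue runs without encryption
    min_rssi_dbm: Optional[int] = None   # condition: meets minimum RSSI
    min_duration_s: Optional[int] = None # condition: meets time duration
    min_clients: Optional[int] = None    # condition: meets number of clients associated

    def conditions(self, ap: RogueAP) -> List[bool]:
        """Evaluate only the conditions this rule actually configures."""
        checks = []
        if self.managed_ssid:
            checks.append(ap.ssid in MANAGED_SSIDS)
        if self.user_ssids:
            checks.append(ap.ssid in self.user_ssids)
        if self.no_encryption:
            checks.append(not ap.encrypted)
        if self.min_rssi_dbm is not None:
            checks.append(ap.rssi_dbm >= self.min_rssi_dbm)
        if self.min_duration_s is not None:
            checks.append(ap.seen_seconds >= self.min_duration_s)
        if self.min_clients is not None:
            checks.append(ap.client_count >= self.min_clients)
        return checks

    def matches(self, ap: RogueAP) -> bool:
        checks = self.conditions(ap)
        if not checks:                   # a rule with no conditions never fires
            return False
        return all(checks) if self.match_all else any(checks)


def classify(ap: RogueAP, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """First matching rule in priority order wins; otherwise the rogue stays Unclassified."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ap):
            return rule.classification, rule.name
    return "Unclassified", None


# Constructed rule set: an AP impersonating our SSID is always malicious; a strong,
# open, lingering AP with clients is malicious; a known neighbour's AP is friendly.
RULES = [
    Rule("managed-ssid-honeypot", "Malicious", priority=1, match_all=False, managed_ssid=True),
    Rule("strong-open-ap-with-clients", "Malicious", priority=2, match_all=True,
         no_encryption=True, min_rssi_dbm=-70, min_duration_s=300, min_clients=1),
    Rule("known-neighbour", "Friendly", priority=3, match_all=False, user_ssids={"cafe-wifi"}),
]


def run_scenario() -> Dict[str, Tuple[str, Optional[str]]]:
    rogues = [  # constructed observations
        RogueAP("02:00:00:00:00:01", "corp-wlan", True, -55, 60, 0),
        RogueAP("02:00:00:00:00:02", "FreeWiFi", False, -62, 900, 3),
        RogueAP("02:00:00:00:00:03", "cafe-wifi", True, -80, 3600, 5),
        RogueAP("02:00:00:00:00:04", "FreeWiFi", False, -88, 900, 3),
    ]
    return {r.bssid: classify(r, RULES) for r in rogues}


if __name__ == "__main__":
    for bssid, result in run_scenario().items():
        print(bssid, result)
```

Priority ordering is what keeps the rule set safe: the honeypot rule sits above the friendly rule, so an AP that both matches a user-configured friendly SSID and impersonates a managed SSID is still classified Malicious. The weak open AP falls through every rule and remains Unclassified for an operator to review.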
Rogue Location Discovery Protocol (RLDP)
[Diagram: a managed AP connects to the rogue AP as a client; the controller sits on the routed/switched network behind the rogue]
1. Determine if Rogue Is on the Network
2. If it Is, Raise the Alarm Priority from “Minor” to “Critical”
Rogue Detector AP Mode
[Diagram: rogue AP and managed AP attached to an L2 switched network; the dedicated rogue detector AP sits on a trunk port]
Dedicated Rogue Detector AP
• Detects all client ARPs
• Controller queries rogue detector to determine if rogue clients are on the network
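The controller-side decision behind the RLDP slide and the rogue detector AP slide, as an added example that is not part of the original deck and not Cisco’s implementation: an alarm for a rogue BSSID starts at “Minor”, and is escalated to “Critical” either when an RLDP probe sent through the rogue arrives at the controller (the rogue is bridged to the wired network) or when a client heard associating to the rogue over the air also appears in the ARP traffic the rogue detector AP sees on its trunk. The class and method names, the MAC addresses and the ARP table contents are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class RogueAlarm:
    bssid: str
    priority: str = "Minor"       # starts Minor while the rogue is only heard over the air
    on_wire: bool = False
    evidence: List[str] = field(default_factory=list)


class RogueTracker:
    """Combines RLDP results with the rogue detector AP's wired ARP view."""

    def __init__(self, detector_arp_macs: Iterable[str]):
        # MACs the dedicated rogue detector AP has seen in ARP traffic on its trunk port.
        self.wired_macs = {m.lower() for m in detector_arp_macs}
        self.alarms: Dict[str, RogueAlarm] = {}

    def _alarm(self, bssid: str) -> RogueAlarm:
        key = bssid.lower()
        return self.alarms.setdefault(key, RogueAlarm(key))

    def _escalate(self, alarm: RogueAlarm, note: str) -> None:
        alarm.on_wire = True
        alarm.priority = "Critical"
        alarm.evidence.append(note)

    def rldp_result(self, bssid: str, probe_reached_controller: bool) -> RogueAlarm:
        """A managed AP associated to the rogue as a client and sent a probe toward
        the controller. If the probe arrives, the rogue is on our wired network."""
        alarm = self._alarm(bssid)
        if probe_reached_controller:
            self._escalate(alarm, "RLDP: probe sent through rogue AP reached the controller")
        else:
            alarm.evidence.append("RLDP: probe did not reach the controller")
        return alarm

    def rogue_clients_seen(self, bssid: str, client_macs: Iterable[str]) -> RogueAlarm:
        """Clients heard associating to the rogue over the air are checked against
        the rogue detector's ARP observations on the wire."""
        alarm = self._alarm(bssid)
        hits = sorted(m.lower() for m in client_macs if m.lower() in self.wired_macs)
        if hits:
            self._escalate(alarm, "rogue detector: client ARPs seen on wire for " + ", ".join(hits))
        else:
            alarm.evidence.append("rogue detector: no rogue client ARPs seen on wire")
        return alarm


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: two rogues bridged to our network, one neighbour AP that is not."""
    tracker = RogueTracker(["00:50:56:00:00:01", "00:50:56:00:00:02", "f4:12:34:56:78:9a"])
    tracker.rldp_result("02:aa:aa:aa:aa:01", probe_reached_controller=True)
    tracker.rogue_clients_seen("02:aa:aa:aa:aa:02", ["F4:12:34:56:78:9A"])
    tracker.rldp_result("02:aa:aa:aa:aa:03", probe_reached_controller=False)
    tracker.rogue_clients_seen("02:aa:aa:aa:aa:03", ["0a:0b:0c:0d:0e:0f"])
    return {bssid: alarm.priority for bssid, alarm in tracker.alarms.items()}


if __name__ == "__main__":
    print(run_scenario())
```

The two methods are complementary: RLDP needs the managed AP to be able to associate to the rogue, which fails when the rogue is encrypted, while the rogue detector approach works regardless of the rogue’s encryption because it only needs the rogue’s clients to show up in wired ARP traffic.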
Unified Wired and Wireless IDS/IPS
Problem
• Authorized user’s laptop infected with worm or virus
Solution
• IDS/IPS sensor monitors traffic with application inspection and control (Layer 7) to identify malicious traffic and trigger a shun event
• The network blocks the MAC address of the compromised wireless client
• Integration of wired and wireless security
[Diagram: enterprise intranet with a wired IDS (L2 IDS and L3-7 IDS) applying application inspection/control to malicious traffic from the infected wireless client, resulting in a client shun]
Endpoint Protection
Problem
• User desktop is the weakest link – prime entry point for hackers and malware
• Ad-Hoc Connection Attempt
• Traffic Sniffing
Solution
• Provide zero-day malware protection and wireless client control with CSA (Cisco Security Agent)
• Disable wireless NIC when wired NIC is active
• Connection restrictions – by SSID, encryption type, ad-hoc
• Require VPN connection when out of the office
[Diagram: CSA enforcement states on the client: wireless NIC disabled while wired; ad-hoc disabled; only the allowed SSID; VPN established; malware disabled & contained]
RF Denial of Service & Interference Detection
• RF jamming and interference degrade performance or completely disable service
• Proactive RF scanning detects malicious and inadvertent RF jamming
• Cisco Spectrum Expert identifies sources of spectrum problems; it leverages your existing laptop – easy to carry form factor, no extra platforms to carry
[Diagram: Malicious RF-Jamming vs. Random RF Interference]
The Problem: RF Interference
Wi-Fi Competes for RF Spectrum
Wi-Fi Devices + Other Devices = Bad Experiences
Cisco WCS and Spectrum Expert Integration Enhancements
Multiple Cisco Spectrum Expert sensors
• Up to 10 remote sensors can simultaneously interface with Cisco WCS
• Cisco WCS shows a snapshot of a given sensor and a summarized view of all sensors
New Spectrum Expert screens and menu options
• Detected interferer types with severity
• Impacted channels
• Affected access points and client devices
Search capabilities
• Interferer types
• Interference properties
• Approximate location of interferers
Cisco WCS licensed feature: $4,000 list price, Cisco Part # WCS-ADV-SI-SE-10 (option, spare)
Benefits
• Efficient identification and troubleshooting of remote or intermittent RF interference problems
• Enhanced network performance and security
Summary
Your wireless network is always on. It’s an open port anyone can see and use, so it requires 24/7 monitoring and defense-in-depth to keep it safe
1. Create a security policy for your wireless network. Schedule regular audits and policy reviews
2. Enable the baseline security in your wireless devices
3. Control your WLAN traffic, including information integrity and network access
4. Integrate your wireless and wired security solutions for end-to-end protection
5. Apply endpoint inspection, hardening, and control wherever possible
6. Fully integrate your wired and wireless networks for network-wide visibility, event reporting, and correlation
Q and A