Unified Wireless LAN Security

Ong Poh Seng
Cisco Systems (USA) Pte Ltd
Security & Wireless Specialist
6th March 2008

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential


Contents


WLAN Security Overview

WLAN Security Vulnerabilities and Threats

Cisco Unified Wireless Security

Summary

Q and A


Evolution of Wireless Security Challenges


Late 90s. WLAN Technologies Were Proprietary and Provided Minimal Security Features. Security Threat Was Low

2000. 802.11b Standard Ratification Included WEP for Basic Link Encryption Although Lacked Method for Authentication

2001. WEP Is Easily Cracked by Researchers at Berkeley. Majority of Businesses and Consumers Leave Security Default “Off”; War Driving Expands. Rogue APs Emerge as Viable Business Threat

2001. Cisco Delivers the LEAP Protocol for Mutual Authentication and Improves upon WEP Using CKIP. Many Rely on VPNs

2004. Ratification of IEEE 802.11i for Robust WLAN Security. WPA and WPA2 Expand in Popularity

2007. Unified Wired and Wireless Security with Integrated Wireless IPS. Management Frame Protection


As WiFi Becomes Pervasive ……


Why Are Wireless LANs Prone to Attack?

“Open air”
• No physical barriers to intrusion

Standard 802.11 protocol
• Well-documented and understood
• The most common attacks against WLAN networks are targeted at management frames

Unlicensed
• Easy access to inexpensive technology

Wireless Access Outside of Physical/Wired Boundaries

[Figure labels: Physical Security, Wired Security, Enterprise Network]


Wi-Fi Security Myths

“No Wi-Fi = Good Security”: WRONG!

• A single rogue access point creates enormous risk
• Traditional security measures (firewall, wired IDS/IPS, VPNs, NAC, etc) don’t address
• Perpetrated unknowingly by your own employees

“A handheld walk-around survey is sufficient (i.e. AirMagnet)”: WRONG!

• Would you only turn on your firewall periodically?
• Not practical for branch or remote offices with no local IT personnel
• Laborious and expensive

“I use 802.11i, WPA or VPN, so my network is secure”: WRONG!

• Only protects authorized clients and infrastructure
• No impact on unauthorized infrastructure (i.e. rogue APs) or unauthorized connections (i.e. ad hoc networks)


WLAN Security Vulnerabilities and Threats Summary

Wireless LANs have become easy targets for both “traditional” network exploits, as well as criminal elements

Passive SSID probe sniffing and WEP key attacks are just the first stage in WLAN exploits

More sophisticated WLAN exploits are likely to employ management frames, as most management packets are not encrypted

If an attacker can gain access to a WLAN, it is possible to launch a variety of higher-layer exploits over this media


WLAN Sniffing and SSID Broadcasting

• The Simplest Type of WLAN Exploit
• However, given the “open” characteristics of 802.11 association behavior, one that is not easily fixed
• Disabling SSID “broadcast” simply overcomes passive sniffing; SSID is easily discovered by observing probe responses from clients
• Thus, SSID “cloaking” shouldn’t be considered a security mechanism


Overview of Key WLAN Security Vulnerabilities and Threats

• RF Denial of Service (DoS) attacks
• SSID broadcasting
• Authentication attacks
• Address spoofing
• Man-in-the-middle

[Figure: three diagrams titled RF-Jamming/DoS Attack, Address Spoofing Attack and Man-in-the-Middle Attack. Labels: Wireless Station, MiTM Attacker, Access Point/Controller, EAP Server, Access Point, Authorized Client; Sniff Client MAC and IP Address; Inject Packets into the WLAN Network Using Client’s MAC/IP Address]


Radio Frequency Based Threats: Top Attacks

Client Mis-association
• Employees connect to an external WLAN, creating portal to enterprise wired network

DoS Attacks
• Malicious hackers disrupt critical business services

Rogue AP
• Employees create opening to enterprise network unknowingly

Ad Hoc
• Client-to-client connections, bypassing infrastructure security checkpoints

[Figure labels: Rogue WLAN, Denial of Service, Hacker]


Cisco WLAN Security Leadership and Innovation

• Industry's first implementation of 802.1X/EAP authentication and dynamic key derivation
• Chaired and led the 802.11i work group
• Wrote or co-wrote many EAP RFCs
• Technical leadership role in Fast Secure Roaming 802.11r
• Industry leading, patent pending rogue detection, mitigation and suppression
• Continuing to innovate with Self-Defending Network
• Location enabled security; Access Control / IDS alerts
• Invented host posture analysis (NAC)
• Invented Management Frame Protection (MFP)
• Invented Self Defending Network (NIC)
• Unified Wired-Wireless IDS/IPS integration


Cisco Self Defending Network: Secure Wireless

• Mobility dissolves traditional security boundaries and drives a shift towards securing information as opposed to securing perimeters
• Proliferation of user types, devices, and network access methods introduces significant risks to the reliability and security of the network
• Hacking and malware can compromise network performance and data security


Confidential Communications

Business Challenge

• Mobility dissolves traditional security boundaries and drives a shift towards securing information as opposed to securing perimeters

Benefits of Confidential Communications

• Secure the network connection
• Protect network traffic
• Verify the user and/or device identity
• Match resources to user or device identity
• Protect infrastructure
• Secure data on the device


Wireless Link Encryption

Cisco supports Industry standards for robust encryption

WPA and WPA2 are preferred for in-building encryption and authentication

Cisco wireless is FIPS compliant for AES 128bit encryption (WPA2)

Cisco VPNs for public hotspot or home office wireless

All wireless traffic must be encrypted between the client and the access point to ensure information integrity

Confidential Communications

Gold: WPA2/802.11i
• AES
• EAP-FAST

Silver: WPA
• EAP
• TKIP

Lead: Dynamic WEP
• EAP/LEAP
• VLANs + ACLs


Basic Requirements to Secure Wireless LANs

Protection of the WLAN network—Management Frame Protection (MFP) and Wireless IDS

Protect the network from external sources and devices not controlled by infrastructure (secure infrastructure)

Protection of the WLAN devices and managed user/device connectivity

Encryption/authentication of managed 802.11 devices
• Authentication framework—framework to facilitate authentication messages between clients, access point, and AAA server
• Authentication algorithm—mechanism to validate client credentials
• Encryption algorithm—mechanism to provide data privacy
• Message integrity—ensures data frames are tamper free and truly originate from the source address


Management Frame Protection (MFP)

Problem: there’s no “physical security” for wireless and management frames are not authenticated, encrypted, or signed

Solution: insert a signature (Message Integrity Code/ MIC) into the management frames

• AP beacons
• Probe requests/responses
• Associations/re-associations
• Disassociations
• Authentications/de-authentications
• Action management frames

[Figure labels: Managed AP1, MAC Addr A.B.C.D; Attacker Spoofing AP1 MAC Addr A.B.C.D; Disassociation; Signature? No = Discard]

• Initially will be deployed as a security mechanism to validate infrastructure equipment
• Will be extended to client adapters via CCX (version 5)
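The “Signature? No = Discard” decision on this slide, as an added Python example that is not from the presentation and is not Cisco's MFP frame format: the frame layout, the truncated HMAC-SHA256 MIC, the per-AP key table and the sequence-number replay check are assumptions, and the MAC addresses and key are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

MIC_LEN = 16  # bytes of HMAC-SHA256 kept as the MIC (assumption for this sketch)


@dataclass(frozen=True)
class MgmtFrame:
    subtype: str      # "beacon", "disassoc", "deauth", ...
    src: str          # transmitter MAC: any station can claim any value
    dst: str
    seq: int          # per-transmitter counter, covered by the MIC
    body: bytes = b""
    mic: bytes = b""  # empty on an unprotected frame


def _mic_input(frame: MgmtFrame) -> bytes:
    # Length-prefix every field so two different frames never serialize alike.
    fields = [frame.subtype.encode(), frame.src.lower().encode(),
              frame.dst.lower().encode(), struct.pack(">Q", frame.seq), frame.body]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def compute_mic(frame: MgmtFrame, key: bytes) -> bytes:
    return hmac.new(key, _mic_input(frame), hashlib.sha256).digest()[:MIC_LEN]


def protect(frame: MgmtFrame, key: bytes) -> MgmtFrame:
    """Sender side (managed AP): attach the MIC before transmitting."""
    return replace(frame, mic=compute_mic(frame, key))


class Validator:
    """Receiver side: accept a management frame only if its MIC verifies."""

    def __init__(self, keys_by_mac: dict):
        self.keys = {mac.lower(): key for mac, key in keys_by_mac.items()}
        self.last_seq = {}  # highest accepted sequence number per transmitter

    def check(self, frame: MgmtFrame) -> str:
        src = frame.src.lower()
        key = self.keys.get(src)
        if key is None:
            return "discard: transmitter is not a managed AP"
        if not frame.mic:
            return "discard: no MIC"
        # Constant-time comparison avoids leaking how many MIC bytes matched.
        if not hmac.compare_digest(compute_mic(frame, key), frame.mic):
            return "discard: MIC mismatch"
        if frame.seq <= self.last_seq.get(src, -1):
            return "discard: replayed sequence number"
        self.last_seq[src] = frame.seq
        return "accept"


# Constructed sample data: MAC addresses and key are made up for the example.
AP1 = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> list:
    v = Validator({AP1: KEY})
    genuine = protect(MgmtFrame("disassoc", AP1, CLIENT, seq=1, body=b"\x08\x00"), KEY)
    spoofed = MgmtFrame("disassoc", AP1, CLIENT, seq=2, body=b"\x08\x00")  # claims AP1's MAC, no MIC
    tampered = replace(genuine, seq=3, dst="ff:ff:ff:ff:ff:ff")            # reuses the old MIC
    return [v.check(genuine), v.check(spoofed), v.check(tampered), v.check(genuine)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The source MAC alone never decides the outcome: the spoofed frame carries AP1's address and is still discarded because it has no valid MIC.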


Operational Control & Policy Management

Business Challenges

• Proliferation of user types, devices, and network access methods introduces significant risks to the reliability and security of the network

Benefits of Operational Control & Policy Management

• Eliminate “high risk” wireless behaviors
• Control peer-to-peer (ad hoc) wireless mode
• Ensure device compliance prior to network access
• Protect network from worms, viruses, malware


Wireless Security Management: WCS

Asset tracking and wireless device management

• WLAN controllers: associated APs
• Access points: usage reports

Security reporting on clients

• State information (associated, authenticated, probing, etc.)
• Link status
• Search by address (IP/MAC), name, category; etc.

Role based management

Cisco Wireless Control System (WCS) is the management platform for the Cisco Unified Wireless Network


Wireless Security Management: MARS

Vector Analysis: Analyze incidents to determine valid threats

• Path analysis
• Vulnerability analysis for suspected hosts
• Vulnerability scanner correlation

Correlation

• Profile network traffic (NetFlow) and detect anomalies
• Correlate events into sessions
• Apply correlation rules to sessions to identify incidents

Cisco MARS goes beyond simple incident capture and correlation: it creates a map of all network traffic and mitigates incidents


Wireless Client Connection Policies

Client Risks: Notebook computers have embedded networking/wireless software

• “ad hoc” networking mode on by default
• Security exposure differs by environment: office vs. conference room vs. on-the-road

Action: Establish policies based on:

• Location of computer: is it in a cubicle, a conference room, or a public hotspot?
• Services running on the device: is “ad hoc” networking enabled? Should Windows AutoUpdates be enabled?

Policy 2.1.0: Employees in conference rooms cannot access human resources database

Policy 4.3.1: Computers with “ad hoc” networking enabled must disable service.

Policy 5.2.2: Employees accessing the network through the VPN cannot access company financial information


Wireless Network Admission Control

[Figure labels: RADIUS, Internal Server, Wireless LAN Controller, Clean Access Manager, Clean Access Server, Remediation Server, Internet, Enterprise Network. Callouts: “802.1X Auth Req’d”; “Auth Complete, Client is in!”; “NAC Complete, Client is in!”]


Threat Control & Containment

Business Challenges

• Hacking and malware can compromise network performance and data security

Benefits of Threat Control & Containment

• Gain visibility & control of the wireless domain
• Automate detection & quicken removal of unauthorized networks
• Defend against network based attacks
• Prevent denial of service attacks


wIDS Detection and Containment

Rogue and ad hoc networks detected via off channel scanning although most attacks occur on the AP/client channel

• On-channel attack detected
• Off channel rogue detected
• AP contains rogue client
• Off channel ad hoc net detected
• AP contains ad hoc net

[Figure labels: 802.11a Channel 152, valid client; 802.11g Channel 6, valid client; 802.11g Channel 6, attacker; 802.11a Channel 153, rogue AP; 802.11a Channel 153, rogue client; 802.11g Channel 1, ad hoc clients; RF Containment; Locate Rogue]


Wireless Rogue Mitigation Overview

Proactive RF Defense Integrated into the Cisco Unified Wireless Network

• Detect Rogue AP (Generate Alarm)
• Assess Rogue AP (Identity, Location)
• Contain Rogue AP: manual mitigation; multiple rogues contained simultaneously
• View Historical Report


Rule-Based Rogue Classification: How it Works

Criteria for Classification Rules:

• Rule Name
• Classification Type (Malicious/Friendly/Unclassified)
• Priority of the rule
• Match All or Match Any of the following conditions:
    • Matches managed SSID
    • Matches user configured SSID
    • No encryption
    • Meets minimum RSSI
    • Meets time duration
    • Meets number of clients associated

Multiple rules supported
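How such rules can be evaluated, as an added Python example that is not from the presentation and is not the controller's implementation: it models the six listed conditions, Match All/Match Any and rule priority. The rule names, thresholds, SSIDs and BSSIDs are constructed, and both “lower priority number wins” and “Unclassified when nothing matches” are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MANAGED_SSIDS = {"corp-wlan"}  # constructed: SSIDs served by the managed WLAN


@dataclass(frozen=True)
class RogueAP:
    bssid: str
    ssid: str
    encrypted: bool
    rssi_dbm: int      # strongest RSSI reported by a managed AP
    seen_seconds: int  # how long the rogue has been heard
    clients: int       # clients associated to the rogue


Condition = Callable[[RogueAP], bool]

# One factory per condition listed on the slide.
def managed_ssid() -> Condition:
    return lambda ap: ap.ssid in MANAGED_SSIDS

def user_ssid(name: str) -> Condition:
    return lambda ap: ap.ssid == name

def no_encryption() -> Condition:
    return lambda ap: not ap.encrypted

def min_rssi(dbm: int) -> Condition:
    return lambda ap: ap.rssi_dbm >= dbm

def min_duration(seconds: int) -> Condition:
    return lambda ap: ap.seen_seconds >= seconds

def min_clients(count: int) -> Condition:
    return lambda ap: ap.clients >= count


@dataclass(frozen=True)
class Rule:
    name: str
    classification: str  # "Malicious", "Friendly" or "Unclassified"
    priority: int        # assumption: the lowest number is evaluated first
    match: str           # "all" or "any"
    conditions: Tuple[Condition, ...]

    def __post_init__(self):
        if self.match not in ("all", "any"):
            raise ValueError(f"{self.name}: match must be 'all' or 'any'")
        if self.classification not in ("Malicious", "Friendly", "Unclassified"):
            raise ValueError(f"{self.name}: unknown classification type")
        if not self.conditions:
            raise ValueError(f"{self.name}: a rule needs at least one condition")

    def applies(self, ap: RogueAP) -> bool:
        combine = all if self.match == "all" else any
        return combine(cond(ap) for cond in self.conditions)


def classify(ap: RogueAP, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return (classification, name of the rule that decided it)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.applies(ap):
            return rule.classification, rule.name
    return "Unclassified", None  # assumption: default when no rule matches


# Constructed rule set, deliberately listed out of priority order.
RULES = [
    Rule("open-and-busy", "Malicious", 3, "all",
         (no_encryption(), min_duration(600), min_clients(1))),
    Rule("spoofed-corp-ssid", "Malicious", 1, "all", (managed_ssid(), min_rssi(-70))),
    Rule("neighbour-cafe", "Friendly", 2, "any", (user_ssid("cafe-guest"),)),
]

# Constructed observations of unmanaged APs.
SAMPLES = [
    RogueAP("02:00:00:00:00:01", "corp-wlan", True, -55, 120, 0),
    RogueAP("02:00:00:00:00:02", "cafe-guest", False, -80, 7200, 3),
    RogueAP("02:00:00:00:00:03", "linksys", False, -60, 900, 2),
    RogueAP("02:00:00:00:00:04", "printer-setup", True, -85, 30, 0),
]


def demo() -> dict:
    return {ap.bssid: classify(ap, RULES) for ap in SAMPLES}
```

The second sample satisfies both the Friendly rule and the open-and-busy rule; the Friendly rule decides because it has the higher priority, which is why rule ordering deserves review whenever a rule is added.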


Rogue Location Discovery Protocol (RLDP)

1. Determine if Rogue Is on the Network

2. If it Is, Raise the Alarm Priority from “Minor” to “Critical”

[Figure labels: Rogue AP, Managed AP, Connect, Controller, Routed/Switched Network]


Rogue Detector AP Mode

Dedicated Rogue Detector AP

• Detects all client ARPs
• Controller queries rogue detector to determine if rogue clients are on the network

[Figure labels: Rogue AP, Managed AP, L2 Switched Network, Trunk]
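The correlation behind the rogue detector slide, combined with the Minor-to-Critical escalation from the RLDP slide, as an added Python example that is not from the presentation and is not the controller's implementation: the ARP log line format, MAC addresses, VLANs and function names are constructed assumptions.

```python
import re
from collections import defaultdict

SRC_RE = re.compile(r"src=([0-9A-Fa-f.:-]{12,17})")
VLAN_RE = re.compile(r"vlan=(\d+)")


def norm_mac(text: str) -> str:
    """Normalize 66-77-88-99-AA-01, 6677.8899.aa01, ... to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def wired_arp_sources(lines) -> dict:
    """Return {source MAC: set of VLANs} for ARP frames heard on the trunk."""
    seen = defaultdict(set)
    for line in lines:
        src, vlan = SRC_RE.search(line), VLAN_RE.search(line)
        if not (src and vlan):
            continue  # malformed line: ignore rather than guess
        try:
            seen[norm_mac(src.group(1))].add(int(vlan.group(1)))
        except ValueError:
            continue  # truncated or otherwise invalid MAC
    return dict(seen)


def correlate(rogues: dict, arp_lines) -> list:
    """rogues maps a rogue AP BSSID to the client MACs seen associated to it
    over the air. A rogue whose client also sources ARP on the wired side is
    attached to the network, so its alarm is raised from Minor to Critical."""
    wired = wired_arp_sources(arp_lines)
    alarms = []
    for bssid, clients in sorted(rogues.items()):
        hits = {}
        for client in sorted(norm_mac(c) for c in clients):
            if client in wired:
                hits[client] = sorted(wired[client])
        alarms.append({
            "rogue_ap": norm_mac(bssid),
            "priority": "Critical" if hits else "Minor",
            "wired_clients": hits,
        })
    return alarms


# Constructed over-the-air view held by the controller.
ROGUES = {
    "0a:1b:2c:3d:4e:5f": {"66-77-88-99-AA-01", "6677.8899.aa02"},
    "0a:1b:2c:3d:4e:60": {"66:77:88:99:aa:03"},
}

# Constructed ARP observations from the rogue detector's trunk port.
ARP_LINES = [
    "vlan=10 arp who-has 10.0.10.1 tell 10.0.10.57 src=6677.8899.aa01",
    "vlan=20 arp who-has 10.0.20.1 tell 10.0.20.14 src=00:25:45:aa:bb:cc",
    "vlan=10 arp reply 10.0.10.57 src=66:77:88:99:aa:01",
    "vlan=30 arp who-has 10.0.30.1 tell 10.0.30.9 src=66:77:88:99:aa",
    "link flap on trunk port",
]


def demo() -> list:
    return correlate(ROGUES, ARP_LINES)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

A rogue that stays at Minor is still an unmanaged AP in range; the correlation only answers whether its clients reach the wired network.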


Unified Wired and Wireless IDS/IPS

Problem

• Authorized user’s laptop infected with worm or virus

Solution

• IDS/IPS sensor monitors traffic with application inspection and control (Layer 7) to identify and trigger shun event
• The network blocks the MAC address of compromised wireless client
• Integration of wired and wireless security

[Figure labels: Enterprise Intranet, Wired IDS, L2 IDS, L3-7 IDS, Unified IDS/IPS, Malicious traffic, Application Inspection/Control, Client Shun]


Endpoint Protection

Problem

• User desktop is the weakest link – prime entry point for hackers and malware

Solution

• Provide zero-day malware protection and wireless client control with CSA (Cisco Security Agent)
• Disable wireless NIC when wired NIC is active
• Connection restrictions – by SSID, encryption type, ad-hoc
• Require VPN connection when out of the office

[Figure labels: Ad-Hoc Connection Attempt; Traffic Sniffing; CSA; W-NIC Disabled; Ad-Hoc Disabled; SSID Allowed; VPN Established; Wireless NIC Disabled; Malware Disabled & Contained]


RF Denial of Service & Interference Detection

• RF jamming and interference degrade performance or completely disable service
• Proactive RF scanning detects malicious and inadvertent RF jamming
• Cisco Spectrum Expert identifies sources of spectrum problems
• Leverages your existing laptop – easy to carry form factor, no extra platforms to carry

[Figure panels: Malicious RF-Jamming; Random RF Interference]


The Problem: RF Interference

Wi-Fi Devices + Other Devices = Bad Experiences

Wi-Fi Competes for RF Spectrum


Cisco WCS and Spectrum Expert Integration Enhancements

Multiple Cisco Spectrum Expert sensors

• Up to 10 remote sensors can simultaneously interface with Cisco WCS
• Cisco WCS shows snapshot of a given sensor and summarized view of all sensors

New Spectrum Expert screens and menu options

• Detected interferer types with severity
• Impacted channels
• Affected access points and client devices

Search capabilities

• Interferer types
• Interference properties

Approximate location of interferers

Cisco WCS licensed feature: $4,000 list price, Cisco Part # WCS-ADV-SI-SE-10 (option, spare)

Benefits

• Efficient identification and troubleshooting of remote or intermittent RF interference problems
• Enhanced network performance and security


Summary

Your wireless network is always on. It’s an open port anyone can see and use, so it requires 24/7 monitoring and defense-in-depth to keep it safe

1. Create a security policy for your wireless network. Schedule regular audits and policy reviews

2. Enable the baseline security in your wireless devices

3. Control your WLAN traffic, including information integrity and network access

4. Integrate your wireless and wired security solutions for end-to-end protection

5. Apply endpoint inspection, hardening, and control wherever possible

6. Fully integrate your wired and wireless networks for network-wide visibility, event reporting, and correlation


Q and A
