Page 1: Secured Unified Wireless

© 2006 Cisco Systems, Inc. All rights reserved.

Ng Tock Hiong
Director, Systems Engineering
[email protected]

Page 2: Agenda

• Wireless Security Risks
• Self Defending Network – Secure Wireless
  Unified Wireless Security Features
  Adaptive Wireless Intrusion Prevention System (wIPS)
  Integrated Security Solutions

Page 3: Notes for slide 2

SP1: We've moved away from "Secure Wireless" naming. And we have begun drawing a strong distinction between CUWN-integrated security and the collaboration we can do with wired security. I'd suggest the following:

Wireless Security:
  Security built into the Cisco Unified Wireless Network
  Adaptive Wireless IPS on the CUWN
  Collaboration between wired and wireless security

Scott Pope, 11/18/2008

Page 4: Evolution of Wireless Security Challenges

Timeline (1998 to 2007):

• Late 90s. WLAN technologies were proprietary and provided minimal security features. The security threat was low.
• 2000. 802.11b standard ratification included WEP for basic link encryption, although it lacked a method for authentication.
• 2001. WEP is easily cracked by researchers at Berkeley. The majority of businesses and consumers leave security default "off"; war driving expands. Rogue APs emerge as a viable business threat.
• 2001. Cisco delivers the LEAP protocol for mutual authentication and improves upon WEP using CKIP. Many rely on VPNs.
• 2004. Ratification of IEEE 802.11i for robust WLAN security. WPA and WPA2 expand in popularity.
• 2007. Unified wired and wireless security with integrated wireless IPS. Management Frame Protection.

Page 5: Why Are Wireless LANs Prone to Attack?

• Increasing Wi-Fi devices: over 1.1 billion Wi-Fi devices will enter the market by 2011; new 802.11 and non-802.11 RF devices
• Confidential data in "open air": no physical barriers to RF intrusion
• 802.11 is in unlicensed spectrum: easy access to inexpensive technologies; well documented and understood
• RF spectrum is an asset to be managed: lax security can lead to attacks, loss of data, and regulatory and legal action

Figure: wireless access outside of physical/wired boundaries (physical security, wired security, enterprise network).

Page 6: Wireless WLAN Security Threats: Top Attacks

Figure: the diagram groups the threats into on-wire attacks and over-the-air attacks.

• Rogue access points: backdoor network access
• Ad-hoc wireless bridge: client-to-client backdoor access
• Evil twin / honeypot AP (hacker's AP): connection to malicious AP
• Reconnaissance: seeking network vulnerabilities
• Denial of service: service disruption
• Cracking tools: sniffing and eavesdropping
• Non-802.11 attacks (Bluetooth AP, radar, RF jammers, microwave): backdoor access, service disruption

Page 7: Agenda

• Wireless Security Risks
• Self Defending Network – Secure Wireless
  Unified Wireless Security Features
  Adaptive Wireless Intrusion Prevention System (wIPS)
  Integrated Security Solutions

Page 8: Cisco Wireless Threat Control & Containment: Comprehensive Layer 1-7 Protection

• Layers 3-7: wired intrusion prevention collaboration; inappropriate client activity; malware detection/mitigation
• Layers 1-2: wireless intrusion prevention; rogue detection/containment; wireless hacking/intrusion detection
• Layer 1: RF spectrum analysis; non-802.11 devices; RF airspace protection

Page 9: Notes for slide 7

SP4: I'd use the following slide instead.

Scott Pope, 11/18/2008

Page 10: Cisco Wireless Security Overview

• Integrated: built into the wireless infrastructure
• Proactive: hardened wireless core to prevent attacks before they happen
• Collaborative: wired and wireless network security working together

Unified Wireless Network: WLAN Controllers, Access Points, RF Intelligence, Mobility Services, WCS

Self-Defending Network: WIPS, Clean RF, Management & Reporting, Access Control, Auth/Privacy, MFP, Automated Vulnerability Monitoring, Unified Security Management, Malware Mitigation, Posture Assessment, Infrastructure Authentication

Page 11: Secure Wireless Solution Architecture

Diagram components: Internet, Guest Anchor Controller, ASA 5500 with IPS Module, WCS, CS-MARS, Controller, NAC Appliance, NAC Manager, CSA Server; on the client: Cisco Secure Services Client (SSC), Cisco VPN Client, Cisco Security Agent; untrusted (public, guest) and trusted (enterprise) zones; wireless and wired segments; WPA2, 802.1X, MFP.

Endpoint protection:
• Host intrusion prevention
• Endpoint malware mitigation

Traffic and access control:
• Device posture assessment
• Dynamic, role-based network access and managed connectivity
• WLAN threat mitigation with IPS/IDS

WLAN security fundamentals:
• Strong user authentication
• Strong transport encryption
• RF monitoring
• Secure guest access

Page 12: Unified Wireless Security Features

Page 13: Notes for slide 10

SP6: So I talk about rogues as part of Adaptive wIPS, as the market defines a wIPS solution as something that does rogue detection/mitigation. Up to you, though.

Scott Pope, 11/18/2008

Page 14: Protected Access

What are WPA and WPA2?
• Authentication and encryption standards for Wi-Fi clients and APs
• 802.1X authentication
• WPA uses TKIP encryption
• WPA2 uses AES encryption

Which should I use?
• Go for the Gold!
• Silver, if you have legacy clients
• Lead, if you absolutely have no other choice (i.e. ASDs)

Gold: WPA2/802.11i, EAP, AES
Silver: WPA, EAP, TKIP
Lead: dWEP (legacy), EAP/LEAP, VLANs + ACLs

Page 15: User and Device Authentication

• User and device authentication maps identity to appropriate access to network services and resources
• Only Cisco delivers an end-to-end authentication framework for wired and wireless
• The Cisco Secure Services Client is an 802.1X supplicant for wired & wireless networks
• Cisco supports all leading EAP types, and leads the industry with EAP-FAST

Diagram: Secure Services Client (SSC) on the user and device; network access through a wired switch or wireless access point; authentication server: Cisco Secure ACS.

Page 16: Protect the Network: Rogue Detection and Containment

Rogues and ad-hocs: detected via intelligent on & off channel scanning

• Integrated 24/7 RF monitoring to identify, locate and contain unauthorized wireless activity
• Proactive threat defense to ensure regulatory compliance

Diagram (RF containment, location-enabled):
• On-channel attack detected (802.11g channel 6: valid client and attacker)
• Off-channel rogue detected (802.11a channel 153: rogue AP and rogue client; valid client on 802.11a channel 152)
• AP contains rogue client
• Off-channel ad hoc net detected (802.11g channel 1: ad hoc clients)
• AP contains ad hoc net

Page 17: Cisco Integrated Wireless IPS Detection and Mitigation Overview

Proactive RF defense integrated into the Cisco Unified Wireless Network

1. Detect attack (begin analysis)
2. Assess attack (identity, on/off-wire, location)
3. Alert and contain (generate alarm)
4. View historical report

• Automated or manual mitigation
• Multiple rogues contained simultaneously

Diagram callouts: on-channel attack detected; off-channel attack detected; AP contains rogue AP/client; off-channel ad hoc net detected; AP contains ad hoc net; attack located on map.

Page 18: Notes for slide 14

SP8: I'd ditch this slide...it's really old. Please use the following...it provides a more comprehensive view of the system.

Scott Pope, 11/18/2008

Page 19: Mechanics of Rogue Detection and Mitigation

Over the air detection technique:
• WLAN system collects (via beacons and probe responses) and reports BSSID information
• System compares collected BSSID information versus authorized (i.e. managed AP) BSSID information
• Unauthorized APs are flagged and reported

Wired-side tracing techniques:
• Rogue Wired Switchport Tracing
• Rogue Location Discovery Protocol
• Rogue Detector on wired trunks

Over the air mitigation technique:
• Use of managed APs to disassociate clients from unauthorized AP and prevent further associations via 802.11 de-association frames
• Mitigation may be automated or manual

Wired-side mitigation techniques:
• Rogue Wired Switchport Disable
• Rogue client devices may be authenticated to a RADIUS (MAC address) database

Page 20: Notes for slide 15

SP9: I find that a slide like this really helps people understand what all the different mechanisms are, what role they play, and when to deploy.

Scott Pope, 11/18/2008

Page 21: Wired-Side Tracing Techniques

Switchport Tracing
  How it works:
    1. AP hears rogue over air
    2. Detecting AP advises of nearby switches
    3. Trace starts on nearby switches
    4. Results reported in order of probability
    5. Administrator may disable port
  What it detects: secured APs, open APs, NAT APs
  Accuracy: moderate

RLDP
  How it works:
    1. AP hears rogue over air
    2. Detecting AP connects as client to rogue AP
    3. Detecting AP sends RLDP packet
    4. If RLDP packet seen at WLC, then on wire
  What it detects: open APs, NAT APs
  Accuracy: 100%

Rogue Detector
  How it works:
    1. Place detector AP on trunk
    2. Detector receives all rogue MACs from WLC
    3. Detector AP matches rogue MACs from wired-side ARPs
  What it detects: secured APs, open APs, NAT APs
  Accuracy: high
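As an added illustration of the over-the-air detection step on page 19 and the Rogue Detector matching on page 21 (example code written for this write-up, not Cisco's implementation): BSSIDs heard in constructed beacon records are compared against the managed-AP list, and the unknown ones are then checked against a constructed wired-side ARP table to decide whether the rogue is on the wire. The record formats, the function names and the "within one of the BSSID" matching rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: BSSIDs heard over the air (from beacons and probe
# responses) by managed APs, as (bssid, ssid, channel, detecting_ap).
OBSERVED_BEACONS: List[Tuple[str, str, int, str]] = [
    ("00:1f:3b:1a:a2:01", "corp-wlan", 36, "ap-floor2-east"),
    ("00:1f:3b:1a:a2:02", "corp-wlan", 6, "ap-floor2-west"),
    ("aa:bb:cc:dd:ee:01", "linksys", 153, "ap-floor2-east"),   # not a managed AP
    ("aa:bb:cc:dd:ee:02", "FreeWifi", 1, "ap-floor1-lobby"),   # not a managed AP
]

# Managed-AP BSSIDs as the WLC knows them (constructed).
MANAGED_BSSIDS: Set[str] = {"00:1f:3b:1a:a2:01", "00:1f:3b:1a:a2:02"}

# Constructed wired-side ARP entries seen by a Rogue Detector AP on a trunk,
# as (mac, ip, vlan).  The second entry is the Ethernet side of the first rogue.
WIRED_ARP: List[Tuple[str, str, int]] = [
    ("00:1f:3b:1a:a2:01", "10.1.2.10", 20),
    ("aa:bb:cc:dd:ee:00", "10.1.5.77", 50),
    ("00:50:56:01:02:03", "10.1.5.80", 50),
]


@dataclass
class RogueReport:
    bssid: str
    ssid: str
    channel: int
    detected_by: List[str] = field(default_factory=list)
    on_wire: bool = False
    wired_ip: Optional[str] = None
    wired_vlan: Optional[int] = None


def mac_to_int(mac: str) -> int:
    """Accepts both aa:bb:cc:dd:ee:ff and aabb.ccdd.eeff notation."""
    return int(mac.replace(":", "").replace(".", ""), 16)


def classify_bssids(observed, managed) -> Dict[str, RogueReport]:
    """Over-the-air detection: every BSSID heard that is not a managed AP is a rogue."""
    managed_lc = {m.lower() for m in managed}
    rogues: Dict[str, RogueReport] = {}
    for bssid, ssid, channel, ap in observed:
        bssid = bssid.lower()
        if bssid in managed_lc:
            continue
        report = rogues.setdefault(bssid, RogueReport(bssid, ssid, channel))
        report.detected_by.append(ap)
    return rogues


def wired_side_match(rogues, arp_entries, max_offset: int = 1):
    """Rogue Detector step: match rogue MACs against wired-side ARP entries.
    Assumption for this example: a wired MAC within max_offset of the BSSID
    counts as the same device (a rogue's Ethernet MAC often differs from its
    BSSID by one); this is an illustrative rule, not Cisco's."""
    for report in rogues.values():
        base = mac_to_int(report.bssid)
        for mac, ip, vlan in arp_entries:
            if abs(mac_to_int(mac) - base) <= max_offset:
                report.on_wire, report.wired_ip, report.wired_vlan = True, ip, vlan
                break
    return rogues


def rogue_summary(observed=OBSERVED_BEACONS, managed=MANAGED_BSSIDS, arp=WIRED_ARP):
    """Returns {bssid: (on_wire, wired_vlan, detecting APs)} for every rogue found."""
    rogues = wired_side_match(classify_bssids(observed, managed), arp)
    return {b: (r.on_wire, r.wired_vlan, sorted(r.detected_by)) for b, r in rogues.items()}


if __name__ == "__main__":
    for bssid, (on_wire, vlan, aps) in rogue_summary().items():
        where = f"ON WIRE (vlan {vlan})" if on_wire else "over the air only"
        print(f"rogue {bssid}: {where}, heard by {', '.join(aps)}")
```

An on-wire rogue is the one to act on first (switchport disable), which is why the wired-side result is carried on the report rather than only logged.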

Page 22: Notes for slide 16

SP10: I find that a slide like this really helps people understand what all the different mechanisms are, what role they play, and when to deploy.

Scott Pope, 11/18/2008

Page 23: Management Frame Protection

Problem:
• Wireless management frames are not authenticated, encrypted, or signed
• A common vector for exploits

Solution:
• Insert a signature (Message Integrity Code/MIC) into the management frames
• Clients and APs use the MIC to validate authenticity of the management frame
• APs can instantly identify rogue/exploited management frames
• Cisco security leadership and innovation; proposed standard: IEEE 802.11w

MFP-protected frames: AP beacons, probe requests/probe responses, associations/re-associations, disassociations, authentications/de-authentications, action management frames
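As an added illustration of the MIC idea on this slide (example written for this write-up; it is not Cisco's MFP format or IEEE 802.11w, whose field layouts and key derivation the slide does not describe): the sender appends a keyed MIC and a sequence number to each management frame, and the receiver rejects frames whose MIC does not verify or whose sequence number was already accepted. The frame layout, the 8-byte HMAC-SHA256 MIC, the shared key and the function names are all assumptions.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Illustrative management-frame subtypes (among those the slide lists as MFP-protected).
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C

# Constructed shared key.  Real MFP/802.11w derive per-association keys; assumption here.
MFP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MIC_LEN = 8
HEADER = "!B6s6sI"                 # subtype, source MAC, destination MAC, sequence number
HEADER_LEN = struct.calcsize(HEADER)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encode_mgmt_frame(subtype: int, src: str, dst: str, seq: int, body: bytes) -> bytes:
    """Serialise an illustrative (not real 802.11) management frame."""
    return struct.pack(HEADER, subtype, mac_bytes(src), mac_bytes(dst), seq) + body


def protect(frame: bytes, key: bytes = MFP_KEY) -> bytes:
    """Append the MIC: a truncated HMAC-SHA256 over the entire frame."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]


class MfpReceiver:
    """Validates management frames: MIC check first, then per-sender replay check."""

    def __init__(self, key: bytes = MFP_KEY):
        self.key = key
        self.last_seq: Dict[str, int] = {}            # sender MAC -> highest accepted seq
        self.alarms: List[Tuple[str, str, int]] = []  # (reason, sender MAC, subtype)

    def accept(self, protected_frame: bytes) -> bool:
        frame, mic = protected_frame[:-MIC_LEN], protected_frame[-MIC_LEN:]
        subtype, src, _dst, seq = struct.unpack(HEADER, frame[:HEADER_LEN])
        sender = mac_str(src)
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            # Forged or tampered frame: the AP can flag it immediately.
            self.alarms.append(("invalid-mic", sender, subtype))
            return False
        if seq <= self.last_seq.get(sender, -1):
            # Valid MIC but already seen: a captured frame played back.
            self.alarms.append(("replay", sender, subtype))
            return False
        self.last_seq[sender] = seq
        return True


def demo():
    """Feeds a genuine, a replayed, a forged and a tampered frame to one receiver."""
    ap, client = "00:1f:3b:1a:a2:01", "00:1f:3b:7c:a2:13"
    rx = MfpReceiver()
    results = []
    genuine = protect(encode_mgmt_frame(DISASSOC, ap, client, 7, b"\x00\x08"))
    results.append(rx.accept(genuine))                     # accepted
    results.append(rx.accept(genuine))                     # rejected: replay
    forged = encode_mgmt_frame(DEAUTH, ap, client, 8, b"\x00\x07") + b"\x00" * MIC_LEN
    results.append(rx.accept(forged))                      # rejected: no valid MIC
    tampered = bytearray(genuine)
    tampered[0] = DEAUTH                                   # disassoc rewritten to deauth
    results.append(rx.accept(bytes(tampered)))             # rejected: MIC no longer matches
    return results, rx.alarms


if __name__ == "__main__":
    accepted, alarms = demo()
    print("accepted:", accepted)
    for reason, sender, subtype in alarms:
        print(f"alarm {reason}: subtype 0x{subtype:02x} claiming to be from {sender}")
```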

Page 24: Automated Wireless Security Vulnerability Assessment (v5.1)

Features:
• Provides network-wide security health summary
• Proactively monitors entire wireless network: WLCs, APs and management interfaces
• Identifies vulnerabilities in: encryption; user/network auth; threat mitigation; management

Benefits:
• Reduces configuration errors by recommending optimal security settings
• Increases awareness of potential security issues

Page 25: Adaptive wIPS Threat Detection and Mitigation

Accurate threat detection, efficient and scalable mitigation

Threats (over-the-air attacks): rogue AP/clients, ad hoc connections, cracking, recon, DoS

Flow: Detect, Classify, Notify, Mitigate; Log, Report, Archive

Detection: device inventory analysis; signatures & anomaly detection; network traffic analysis; on/off channel scanning

Classification: default tuning profiles; customizable event auto-classification; wired-side tracing; physical location

Notification: unified WCS security dashboard; flexible staff notification; device location

Mitigation: wired port disable; over-the-air mitigation; auto or manual; uses all APs for superior scale

Management: role-based with audit trails; customizable event reporting; PCI reporting; full event forensics

Page 26: How is this different than controller IDS?

• wIPS access points can detect over 45 different signatures and tools (controller IDS does 17 today)
• wIPS provides forensics (packet capture) abilities
• wIPS on MSE provides centralized database for attack correlation and alarm archival
• wIPS provides an attack encyclopedia

Page 27: Notes for slide 20

SP14: 45 is incorrect. We have 45 signatures. Each of these signatures can detect multiple attack tools and techniques. As such, we can detect over 120 different attack tools and techniques.

Also, we have:
  GUI-based signature tuning
  12 system-default configuration profiles based on customer vertical and site characteristics
  Anomaly detection

Scott Pope, 11/18/2008

Page 28: Adaptive wIPS – One Alarm per Attack

Diagram: Adaptive wIPS (MSE reporting to WCS) beside controller IDS (controllers reporting to WCS). Controller IDS has no correlation.

Page 29: Over-the-Air Attack Techniques and Tools: Examples of Attacks Detected

Network profiling and reconnaissance; authentication and encryption cracking:
Honeypot AP; Netstumbler; Dictionary attacks; AirSnarf; Hotspotter; WEPCrack; Kismet; Wellenreiter; Excessive device error; Excessive multicast/broadcast; ASLEAP; EAP-based attacks; CoWPAtty; Chop-Chop; Aircrack; Airsnort; PSPF violation; WEP Attack; Illegal frame types; Excessive association retries; Excessive auth retries; LEAPCracker

Man-in-the-middle; denial of service:
MAC/IP Spoofing; Fake AP; Malformed 802.11 frames; FATA-Jack, AirJack; Fragmentation attacks; Excessive authentication; De-auth attacks; Association attacks; CTS attacks; RTS attacks; Excessive device bandwidth; Fake DHCP server; Pre-standard APs (a,b,g,n); EAPOL attacks; Probe-response; Resource management; RF Jamming; Michael; Queensland; Virtual carrier; Big NAV; Power-save attacks; Microwave interference; Bluetooth interference; Radar interference; Other non-802.11 interference; Device error-rate exceeded; Interfering APs; Co-channel interference; VoWLAN-based attacks; Excessive roaming; Evil Twin AP; ARP Request Replay Attack

Page 30: wIPS Components

• wIPS Monitor Mode AP: attack detection (scanning at 250 ms per channel); over-the-air detection
• Controller: manages wIPS APs, forwards wIPS data to MSE; wIPS AP management
• MSE with wIPS Service: attack archival and alarm aggregation; complex attack analysis, forensics, events
• WCS: centralized configuration and monitoring; monitoring, reporting

Page 31: wIPS System Communication

(Diagram only.)

Page 32: wIPS - Access Point Engine

Diagram: a client (BBBB.BBBB.BBBB) goes through 1. Authentication, 2. Association and 3. Passing Data with an AP (AAAA.AAAA.AAAA). The wIPS AP records both in its Device Database (AAAA.AAAA.AAAA – AP; BBBB.BBBB.BBBB – Client), tracks the exchange in an 802.11 State Machine, and checks it against an Attack Library.

Page 33: wIPS – AP Detection Logic

Diagram: the wIPS AP's Device Database holds 00:1F:3B:1A:A2:01 – AP and 00:1F:3B:7C:A2:13 – Client, and its 802.11 State Machine records that the client 1. Authenticated, 2. Associated and is 3. Passing Data. A second device using the spoofed MAC 00:1F:3B:7C:A2:13 starts 3. Passing Data; the state machine asks "1. Authentication? 2. Association?", finds neither, and the Attack Library classifies it as a spoofed MAC.

Page 34: wIPS – Mobility Services Engine

Diagram: wIPS APs (e.g. 00:55:9A:6A:34:01 – AP, 00:1F:3B:1A:A2:01 – AP) report to the wIPS MSE, which keeps a System-wide Device Database (00:1F:3B:1A:A2:01 – AP; 00:1F:3B:7C:A2:13 – Client), an Anomaly Detection Engine, a Forensics Database and an Attack Database, for example:

8/20/2008 – 17:09 – Spoof MAC
8/22/2008 – 10:24 – DoS Attack
8/24/2008 – 12:07 – DoS Attack
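As an added illustration of the detection logic on pages 33 and 34 and the one-alarm-per-attack correlation on page 28 (example code written for this write-up, not Cisco's wIPS engine): the AP-side tracker keeps one 802.11 state per client MAC and raises an event when data arrives from a MAC that has not authenticated and associated, and an MSE-side aggregator folds the repeated events from several APs into one alarm per attack. The frame format, the event names and the five-minute aggregation window are assumptions; the timestamp matches the first attack-database entry on the slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# 802.11 client states tracked per MAC by the wIPS AP (the state machine on pages 32-33).
UNKNOWN, AUTHENTICATED, ASSOCIATED, PASSING_DATA = range(4)

Event = Tuple[str, str, str, datetime]   # (attack name, device MAC, detecting AP, time)


class ApStateMachine:
    """Per-AP 802.11 state tracker for clients of one monitored infrastructure AP."""

    def __init__(self, ap_name: str, monitored_bssid: str):
        self.ap_name = ap_name
        self.bssid = monitored_bssid
        self.state: Dict[str, int] = defaultdict(int)   # client MAC -> state (0 = UNKNOWN)

    def observe(self, frame: dict) -> Optional[Event]:
        kind, src, dst, ts = frame["type"], frame["src"], frame["dst"], frame["ts"]
        if dst != self.bssid:
            return None                       # not aimed at the device we are watching
        cur = self.state[src]
        if kind == "auth" and cur == UNKNOWN:
            self.state[src] = AUTHENTICATED
        elif kind == "assoc" and cur == AUTHENTICATED:
            self.state[src] = ASSOCIATED
        elif kind == "data" and cur >= ASSOCIATED:
            self.state[src] = PASSING_DATA
        elif kind == "data":
            # Data with no preceding authentication/association: the "1. Authentication?
            # 2. Association?" check on page 33 fails, so the MAC is being spoofed.
            return ("Spoofed MAC", src, self.ap_name, ts)
        elif kind in ("deauth", "disassoc"):
            self.state[src] = UNKNOWN         # client must authenticate again
        return None


class MseCorrelator:
    """Folds events from many APs into one alarm per (attack, device) within a window."""

    def __init__(self, window: timedelta = timedelta(minutes=5)):
        self.window = window
        self.alarms: List[dict] = []

    def ingest(self, event: Event) -> dict:
        attack, device, ap, ts = event
        for alarm in self.alarms:
            same_attack = (alarm["attack"], alarm["device"]) == (attack, device)
            if same_attack and ts - alarm["last_seen"] <= self.window:
                alarm["last_seen"], alarm["count"] = ts, alarm["count"] + 1
                alarm["aps"].add(ap)
                return alarm
        alarm = {"attack": attack, "device": device, "first_seen": ts,
                 "last_seen": ts, "aps": {ap}, "count": 1}
        self.alarms.append(alarm)
        return alarm


T0 = datetime(2008, 8, 20, 17, 9, 0)


def make_frames() -> List[dict]:
    """Constructed capture: a real session, then data from the same MAC after deauth."""
    ap, client = "00:1f:3b:1a:a2:01", "00:1f:3b:7c:a2:13"
    t = lambda s: T0 + timedelta(seconds=s)
    return [
        {"type": "auth", "src": client, "dst": ap, "ts": t(0)},
        {"type": "assoc", "src": client, "dst": ap, "ts": t(1)},
        {"type": "data", "src": client, "dst": ap, "ts": t(2)},
        {"type": "deauth", "src": client, "dst": ap, "ts": t(30)},
        {"type": "data", "src": client, "dst": ap, "ts": t(40)},   # no re-authentication
        {"type": "data", "src": client, "dst": ap, "ts": t(41)},
        {"type": "data", "src": client, "dst": ap, "ts": t(42)},
    ]


def run_pipeline(frames: Optional[List[dict]] = None):
    """Two monitor APs hear the same frames; the MSE must still raise a single alarm."""
    frames = make_frames() if frames is None else frames
    monitors = [ApStateMachine("wips-ap-1", "00:1f:3b:1a:a2:01"),
                ApStateMachine("wips-ap-2", "00:1f:3b:1a:a2:01")]
    mse = MseCorrelator()
    for frame in frames:
        for ap in monitors:
            event = ap.observe(frame)
            if event:
                mse.ingest(event)
    return [(a["attack"], a["device"], a["count"], sorted(a["aps"])) for a in mse.alarms]


if __name__ == "__main__":
    for attack, device, count, aps in run_pipeline():
        print(f"{T0:%m/%d/%Y - %H:%M} - {attack} on {device}: {count} events from {aps}")
```

Without the correlator every AP would raise its own alarm for each frame, which is the controller-IDS behaviour the page contrasts with.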

Page 35: wIPS Alarm Flow

1. Attack launched against 'infrastructure device'
2. Detected on AP; communicated via CAPWAP to WLC
3. Passed transparently to MSE via NMSP
4. Logged into wIPS database on MSE; sent to WCS via SNMP trap
5. Displayed on WCS

Page 36: wIPS Alarms on Security Dashboard

Diagram: the WCS alarm summary lists wIPS alarms under the 'Security' category, e.g. wIPS Denial of Service alarms and wIPS Penetration alarms.

Page 37: wIPS Example Alarm

• Click 'Help' for more info on the attack

Page 38: wIPS Integrated Attack Encyclopedia

• Available for each alarm
• Accessible from the wIPS Profile page or by clicking 'Help' on each attack alarm

Page 39: Forensics

• User configurable per attack
• Captured the first time the attack is detected
• A .cap capture of packets (opened by Wireshark, Omnipeek, etc.)
• Stored on the MSE (can be requested by WCS on demand)

Page 40: Agenda

• Wireless Security Risks
• Self Defending Network – Secure Wireless
  Unified Wireless Security Features
  Adaptive Wireless Intrusion Prevention System (wIPS)
  Integrated Security Solutions

Page 41: Simple, Secure Client Connectivity

Business challenge: deploying and managing a common security profile across an increasingly diverse array of wireless clients

Solution:
• A single 802.1X authentication supplicant for wired and wireless devices
• Management Frame Protection
• Fast Secure Roaming
• LEAP and EAP-FAST
• Integrated VPN Client
• Encryption of management frames
• Products: Cisco Secure Services Client, Cisco Secure ACS, Cisco Compatible Extensions

Benefits: simplified management; improved security; lower total cost of ownership (TCO)

Diagram: SSC on the client, Cisco Unified Wireless Network, end-to-end IBNS, end-to-end NAC, Secure ACS.

Page 42: Endpoint Protection

Business challenge: the user desktop is the weakest link, the prime entry point for hackers and malware

Solution:
• Provide zero-day malware protection and wireless client control with CSA (Cisco Security Agent)
• Disable wireless NIC when wired NIC is active
• Connection restrictions: by SSID, encryption type, ad-hoc
• Require VPN connection when out of the office

Diagram (CSA policy outcomes against an ad-hoc connection attempt and traffic sniffing): ad-hoc disabled; SSID allowed; VPN established; wireless NIC disabled (W-NIC disabled); malware disabled & contained.

Page 43: Unified Wired and Wireless IDS/IPS

Business challenge: an authorized user's laptop is infected with a worm or virus

Solution:
• The IDS/IPS sensor monitors traffic with application inspection and control (Layer 7) to identify the infection and trigger a shun event
• The network blocks the MAC address of the compromised wireless client
• Integration of wired and wireless security

Diagram: the client sends malicious traffic; an L2 IDS at the wireless edge and a wired L3-7 IDS with application inspection/control in the enterprise intranet detect it, and the client is shunned.

Page 44: Client Validation and Posture Assessment

Business challenge: identify who is on the network and enforce granular policies to prevent exposure to viruses and "malware"

Solution:
• Ensures wireless client is 'up-to-date' with latest security policies
• Quarantines and fixes any wireless client that is non-compliant
• Enforces differentiated policies and network services based on user role
• Products: NAC Appliance, WLAN Controller

Process:
1. Authenticate and authorize: enforces authorization policies and privileges
2. Scan and evaluate: agent and network scan for required versions and infections
3. Quarantine and enforce: isolate non-compliant devices from rest of network
4. Update and remediate: network-based tools for remediation of threats and vulnerabilities

Page 45: Wireless and CS MARS: WLC code 4.2 and above with MARS 5.3.2 and 6.0.1

• Device discovery: add WLC's IPs in MARS; initiate MARS discovery to WLCs to learn APs
• Event parsing: SNMP trap from WLC to MARS; MARS parses the SNMP trap and presents "Event Type" and "AP Name" in the MARS incident table
• Event manipulation: MARS searches the raw SNMP message to create incidents
• Mitigation assistance: MARS suggests mitigation actions (WLC and AP) in common MARS format
• Real-time notification: MARS performs incident notification based on the current MARS framework
• Report and query: MARS performs reporting based on the current MARS framework

Diagram: CS MARS at the corporate office LAN (with WiSM) and a branch office LAN.

Page 46: Summary

Page 47: Key Takeaways

• Leverage the Cisco Unified Wireless security features: 802.1X/EAP, WPA/WPA2/802.11i, CCX; Management Frame Protection (MFP), Wireless IDS/IPS features of the WLC, Wireless Control System (WCS), Cisco Secure Services Client (CSSC)
• Integrate and extend the general network security elements according to your network risk assessment and security policies:
  CSA: general client endpoint protection, location-aware policies, simultaneous wired and wireless, wireless ad-hoc, upstream QoS policy enforcement
  Cisco NAC Appliance Integration: WLAN client security policy compliance through assessment and remediation
  Cisco Firewall Integration: fully featured, highly scalable firewalls for enhanced policy enforcement
  CS MARS: cross-network anomaly visibility, detection, correlation and mitigation
  Cisco WLC and IPS Integration: automated threat mitigation with enforcement by the WLC on the access edge
• Leverage the design guides: lots of detailed information, including step-by-step configuration; www.cisco.com/go/cvd

Page 48: Q and A
