© 2006, Cisco Systems, Inc. All rights reserved.

Page 2:

• Alair to do intro -



Page 5:

• With the value-add brought by WLANs, so too comes additional network threat possibilities. These fall into three main categories.


• On-Wire Attacks: whether you have a wireless network or not, the threat of unsanctioned wireless devices, called ‘rogues’, is still very real. The key thing to understand here is that whatever a customer’s WLAN strategy, rogues may compromise wired network security by allowing rogue wireless clients access to network resources.

• Rogue APs: very simply, an unsanctioned AP that is connected to the wired network and offers up service to unsanctioned clients. These APs can be ‘open’ or have security employed (to both limit the unsanctioned users allowed to connect and help stay off administrators’ radars).

• Ad-hoc Wireless Bridges: a subset of the 802.11 protocol allows peer-to-peer connectivity, called ad-hoc networking. The main threat these networks pose is the possibility that machines connected to the wired network may be configured to also participate in such an ad-hoc connection, and the link between the two networks could then be bridged, thereby allowing unsanctioned wireless access to wired network resources. Windows and Mac Wi-Fi-enabled laptops can function as an ad-hoc bridge; in fact, in Windows and Mac OS the ad-hoc functionality is on by default.

• Over-the-Air Attacks: any WLAN may be susceptible to both active and passive wireless attacks.

• Man-in-the-middle (Evil Twin, Honeypot AP, etc.) Attacks: there are many types of these attacks, but all are based on the same exploit. An intruder inserts himself between a legitimate client and the resources that client is attempting to access. This can be done by sitting between the client and the legitimate infrastructure, or by getting the client to connect to a rogue access point, which then serves as the means to gain visibility into sensitive traffic. Each attack takes aim at the same 802.11 vulnerability: unauthenticated management frames.

• Denial of Service (DoS) Attacks: there are myriad standards-based ways for interlopers to prevent sanctioned clients from accessing network resources. The vast majority of these attacks are simple exploits of unauthenticated management frames.

• Reconnaissance and Cracking: many passive or nearly passive recon tools exist to give administrators and hackers information on network configuration and topology. Cracking tools take that a step further and try to decipher wireless traffic, either on-the-fly or offline.

• Non-802.11 Attacks: many technologies occupy (intentionally, or otherwise) the same spectrum that 802.11 networks use (2.4 and 5 GHz).

• Backdoor Access: other networking technologies, such as Bluetooth, not only interfere with 802.11 (which can cause degradation of wireless network performance), but can be used to sacrifice the integrity of the wired network or devices. A Bluetooth AP can serve as a rogue AP just like an 802.11 AP.

• Service Disruption: a multitude of devices coexist in the same RF space as 802.11 networks and these devices can interfere with proper WLAN operation.

Page 6:

• This slide shows the logical flow of our WIPS/rogue detection:


• Note that we scan all channels, detect rogue APs, rogue clients, ad-hoc connections as well as over-the-air wireless hacking attacks

• We can mitigate rogues over the air via de-auth frames and can do this manually (i.e. admin initiates) or have the system do it automatically (i.e. without human intervention)

• Cisco’s defenses against all wireless rogue and client attacks are integrated into the system.

• The system is constantly monitoring all channels looking for rogue access points, their rogue clients, and performing traffic pattern identification to recognize malicious attacks as they occur.

• Once identified, these attacks are visible in a single, centralized location via WCS

• Attack locations are pinpointed on a map so personnel may be dispatched to mitigate the threat

• Simultaneously, the same monitoring infrastructure can contain the threat by cutting rogue APs and clients off from over-the-air communications

• Cisco’s advanced approach to detection—combining air monitoring, network traffic and anomaly analysis, real-time network device and topology information, and network configuration analysis—delivers a comprehensive view of the event to the Cisco Adaptive wIPS analysis engine. With that breadth of information, Adaptive wIPS detects events not traceable with over the air signatures alone and makes more accurate detection decisions, thus increasing effectiveness while reducing false positives.

• Building upon the core detection capabilities, Cisco Adaptive wIPS delivers rich attack classification, providing users with flexible rules for automatically classifying and mitigating security events. Automatic classification, coupled with the system’s inherent accuracy, greatly reduces the operational expenses associated with manual investigation of potential threats detected by the system.
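The rogue classes listed under On-Wire Attacks above and the rule-based automatic classification described here, as an added Python example (not code from Cisco Adaptive wIPS): it correlates sightings from several monitor-mode sensors per BSSID, then applies ordered rules (authorized, ad-hoc, on-wire rogue, honeypot/evil twin, unclassified). The BSSIDs, SSIDs and sensor names are constructed.

```python
from dataclasses import dataclass

# Constructed inventory of the sanctioned WLAN (assumed values, not from the slides).
AUTHORIZED_BSSIDS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
MANAGED_SSIDS = {"corp-wlan"}


@dataclass
class Sighting:
    """One over-the-air observation of a BSS reported by a monitor-mode AP."""
    sensor: str          # reporting monitor-mode AP (hypothetical names)
    bssid: str
    ssid: str
    channel: int
    ibss: bool           # IBSS capability bit set: an ad-hoc (peer-to-peer) network
    seen_on_wire: bool   # the BSSID's MAC (or a client behind it) also seen on the wired LAN


def merge(sightings) -> dict:
    """Correlate reports from all sensors per BSSID, so wired-side evidence from one
    sensor is not lost because another sensor only heard the beacon."""
    merged = {}
    for s in sightings:
        cur = merged.setdefault(s.bssid.lower(), {
            "ssid": s.ssid, "ibss": False, "seen_on_wire": False,
            "channels": set(), "sensors": set()})
        cur["ibss"] |= s.ibss
        cur["seen_on_wire"] |= s.seen_on_wire
        cur["channels"].add(s.channel)
        cur["sensors"].add(s.sensor)
    return merged


def classify(bssid: str, info: dict) -> str:
    """Rules in priority order; the first matching rule decides the class."""
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    if info["ibss"]:
        return "adhoc"            # risk: a wired host bridging this peer-to-peer link
    if info["seen_on_wire"]:
        return "rogue-on-wire"    # unsanctioned AP with a path into the wired network
    if info["ssid"] in MANAGED_SSIDS:
        return "honeypot"         # our SSID from an unknown BSSID: evil-twin candidate
    return "unclassified"         # e.g. a neighbour's AP; monitor, no containment


def classify_all(sightings) -> dict:
    return {b: classify(b, i) for b, i in merge(sightings).items()}


# Constructed sample: two sensors report four networks (not real observations).
SAMPLE = [
    Sighting("ap-floor1", "00:1A:2B:00:00:01", "corp-wlan", 6, False, False),
    Sighting("ap-floor2", "00:1A:2B:00:00:01", "corp-wlan", 6, False, False),
    Sighting("ap-floor1", "aa:bb:cc:dd:ee:01", "corp-wlan", 6, False, False),   # evil twin
    Sighting("ap-floor2", "aa:bb:cc:dd:ee:02", "linksys", 11, False, False),
    Sighting("ap-floor1", "aa:bb:cc:dd:ee:02", "linksys", 11, False, True),     # also on the wire
    Sighting("ap-floor2", "02:11:22:33:44:55", "free-wifi", 1, True, False),     # ad-hoc
]

if __name__ == "__main__":
    for bssid, verdict in classify_all(SAMPLE).items():
        print(f"{bssid}  {verdict}")
```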


Page 9:

• Here’s what the wireless LAN deal looks like…


Page 10:


• We highly recommend deploying .11n APs as wIPS sensors…there will be more .11n-specific threats over time that will require a .11n AP to detect them.

• Also, you need a .11n AP to detect rogues running in .11n greenfield mode

Page 11:

Pretty Self Explanatory…

Bottom Row = 802.11n APs driving Gigabit upgrades to support full bandwidth and E-Series switch upgrades for 18-watt power.

Page 12:

• Alair to do intro -


Page 13:

This slide is a nice single slide overview of what our system does, what the customer can use it for, and a view of the network architecture.


Cisco Adaptive Wireless IPS embeds complete wireless threat detection and mitigation into the wireless network infrastructure to deliver the industry’s most comprehensive, accurate and operationally cost-effective wireless security solution. Adaptive wIPS performs: rogue access point/client and ad-hoc connection detection and mitigation, over-the-air wireless hacking and threat detection, security vulnerability monitoring, performance monitoring and self-optimization, network hardening for proactive prevention of threats and complete wireless security management and reporting.

Page 14:

Just a quick overview of the new component of the CUWN that wIPS runs on: the MSE. This is where wIPS:

• Performs anomaly analysis

• Stores wIPS events and forensics

• Correlates events before sending to WCS – thus greatly decreasing duplicate or false alarms.

The rest of the info on this slide is just general MSE value proposition – single platform for multiple services, etc.

Page 15:

This is a summary of what is new in 5.2. In our 5.2 aka “G-release” (4QCY08) we’re aiming to bring the feature-depth of conventional WIPS overlay systems into the wireless infrastructure. This approach of integrating market-leading WIPS functionality into the wireless infrastructure increases WIPS functionality and accuracy (as will be outlined in a later slide), while decreasing cap and op ex.

Note: This depth of functionality is licensed and requires full-time “monitor-mode” WIPS APs.

• CUWN’s major extensions to its wIPS solution come in four key areas:

• Greatly Expanded Functionality, without Sacrificing CUWN’s Characteristic Ease of Use:

  • Wireless IPS operations work out-of-the-box

  • Each threat is described in depth in the bundled wIPS encyclopedia

  • Clear mitigation strategies are outlined for wIPS threats and security auditing functions

• Expanded Detection:

  • 24x7 wIPS scanning and constant CUWN security configuration auditing (to ensure administrators always have the hatches battened)

  • Comprehensive wireless threat detection

  • Suspect client traffic patterns that don’t necessarily trip known wIPS alarms are still identifiable via Cisco’s anomaly detection functionality

• Analysis and Reporting:

Page 16:

This slide shows examples of the different classes of over-the-air attacks we detect. It is not meant to be a comprehensive slide, but more of an illustration of the attack detection breadth we have.

See the wIPS product collateral page on CEC for a document with a complete list of attacks detected. It’s changing all the time as we add more detection capabilities.

Page 17:

This is a key slide for talking to our turnkey, out of the box ease-of-use. This slide outlines the default configuration profiles customers can use out of the box upon installation. These profiles have been sourced from analysis of numerous live customer networks…one of the benefits of being an infrastructure vendor.

These profiles can be used as-is or can serve as a basis for getting a customer a headstart on their deployment configuration and then further tuning the profiles to their exact specifications and environment.

These profiles provide pre-populated configurations for types of attack detection enabled as well as thresholds/tuning for each attack detection type.

Default Detection Profiles: Default system detection tuning profiles, customized by customer-type, enable effective operation minutes after system bring-up and a head-start in system tuning

Page 18:

• Provides comprehensive information on all the types of attacks detected, how those attacks function and how to tune the system for them

• This is great for administrators who don’t really know that much about wireless attacks and security…makes the system approachable for them

• Knowledgebase-Driven Tuning: Detection tuning is tied to a threat knowledgebase in WCS, providing operators plain-language descriptions of attack types, detection methods and tuning guidance, thus easing tuning for even novice security operators

Page 19:

• Day zero attacks are new attacks that have just been created by hackers. For example someone could create a new attack this morning. There may not be any logic in the system to specifically identify it since it is new, but our anomaly detection will detect strange activity and alert the administrator that it may be indicative of a new type of attack.

• Illustrated is the anomaly detection logic employed to alert of those day zero attacks
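An added example of the anomaly-detection idea described here, applied to the management-frame DoS floods mentioned under Denial of Service on page 5 (this is illustrative code, not the product's logic): rather than matching a per-attack signature, it learns a rolling baseline of deauthentication frames per time window and flags windows that exceed it. The frame timestamps are constructed.

```python
import statistics
from collections import Counter


def window_counts(timestamps, window_s):
    """Bucket frame timestamps (seconds) into fixed windows of window_s seconds.
    Returns [(window_start, count), ...] in order, empty windows included."""
    if not timestamps:
        return []
    first = int(min(timestamps) // window_s) * window_s
    last = int(max(timestamps) // window_s) * window_s
    counts = Counter(int(t // window_s) * window_s for t in timestamps)
    return [(w, counts.get(w, 0)) for w in range(first, last + window_s, window_s)]


def deauth_anomalies(timestamps, window_s=10, history=6, k=3.0, floor=20):
    """Flag windows whose deauth count is far above a rolling baseline built from
    the preceding `history` windows: count > max(floor, mean + k * stdev).
    The floor stops a quiet network alerting on a handful of legitimate deauths;
    flagged windows are excluded from later baselines so a flood does not
    become the new normal. Returns [(window_start, count, threshold), ...]."""
    series = window_counts(timestamps, window_s)
    flagged = set()
    alerts = []
    for i, (start, count) in enumerate(series):
        lo = max(0, i - history)
        base = [c for j, (_, c) in enumerate(series[lo:i], lo) if j not in flagged]
        if len(base) < 2:          # not enough history to judge yet
            continue
        threshold = max(floor, statistics.mean(base) + k * statistics.pstdev(base))
        if count > threshold:
            flagged.add(i)
            alerts.append((start, count, round(threshold, 1)))
    return alerts


# Constructed sample: one sensor's deauth frame timestamps over 80 s of air time:
# about one legitimate deauth per 10 s, then 150 deauths in 7.5 s, then quiet again.
SAMPLE_DEAUTH_TS = ([3.0, 12.0, 25.0, 31.0, 44.0, 52.0]
                    + [60.0 + i * 0.05 for i in range(150)]
                    + [73.0])

if __name__ == "__main__":
    for start, count, threshold in deauth_anomalies(SAMPLE_DEAUTH_TS):
        print(f"t={start}s: {count} deauth frames (threshold {threshold}) -> possible DoS")
```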


Page 21:

• Alair to do intro -


Page 28:

• Alair to do intro -


Page 29:

• The piece parts of the extended wIPS offering comprise hardware and software already integral to the CUWN architecture, but require a couple of changes/additions:

• Full-time monitoring functions in LWAPP APs are necessary to perform complex traffic pattern matching and ensure timely identification of malicious activity. In essence, “monitor-mode” APs.

• The new software-licensed wIPS service running on the Mobility Solutions Engine (MSE) server appliance is required for all backend correlation and detailed wIPS policy enforcement

To price out a WIPS deployment, the following are the price components:

• Dedicated LWAPP APs (1130, 1140, 1240, 1250)

• WLCs to serve those APs

• WCS license to account for those APs

• MSE server appliance

• WIPS license, priced per dedicated AP
