Security Expert's Advice on Next - CiscoHACKER Wireless Attack Vectors Rogue Access Points Backdoor...
Security Expert's Advice on Next Generation Converged Access Network 4.1 EN Mobility
MinSe Kim, Sr. Technical Marketing Engineer
Cisco Systems
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Objective
“Prevention is better than cure”
Without prevention you are screwed, because Wireless has No Boundaries
Wireless Security Threats
Wireless Attack Vectors
(Figure: attacker icons grouped into on-wire attacks and over-the-air attacks; the recovered labels are listed below.)
• Denial of Service: service disruption
• Ad-hoc wireless bridge: client-to-client backdoor access
• Rogue access points: backdoor network access
• Evil twin / honeypot AP: client connection to a malicious AP
• Reconnaissance: seeking network vulnerabilities
• Cracking tools: sniffing and eavesdropping
• Non-802.11 attacks: Bluetooth, radar, RF jammers, microwave
Attacker's Nirvana – Tools to Hide from the Infrastructure
• Backtrack 5 (VM or Live CD), or USB wireless cards with no regulatory restrictions
• Spoofing pyramid: BSSID (radio MAC), ESSID (wireless SSID), channel and Tx power, DHCP, DNS etc. (bridge/NAT interfaces)
Wireless Intrusion Prevention Best Practices
Wireless Security Pre-requisites
Secure the connection, identify users, classify applications and control access, across all endpoints: client, access point, switch, Wireless LAN Controller and Identity Services Engine.
Secure the Connection
Authentication Best Practices: Use WPA2-Enterprise
Strong authentication:
• Tunneling-based (protective cover): EAP-PEAP, EAP-TTLS, EAP-FAST, carrying the inner methods that hold the authentication credentials: EAP-GTC, EAP-MSCHAPv2
• Certificate-based: EAP-TLS
Strong encryption:
• AES – Advanced Encryption Standard that requires hardware support and achieves line-rate speeds
EAP Methods Comparison (for your reference)

Feature                              EAP-TLS   PEAP     EAP-FAST
Fast secure roaming                  Yes       Yes      Yes
Local WLC authentication             Yes       Yes      Yes
OTP (one-time password) support      No        Yes      Yes
Server certificates                  Yes       Yes      No
Client certificates                  Yes       No       No
PAC (Protected Access Credentials)*  No        No       Yes
Deployment complexity                High      Medium   Low

* PACs can be provisioned anonymously for minimal complexity.
Secure Your Wireless Infrastructure End-Points
(Figure: client, AP, switch, WLC and ISE, with RADIUS between the switch/WLC and ISE; the recovered steps are listed below.)
1. Enable switch port security
2. Configure the 802.1x supplicant; ISE performs the 802.1x authentication over RADIUS
• CAPWAP DTLS using Manufacturer Installed Certificates: the default out-of-box behaviour for mutual authentication
Management Frame Protection (MFP)
Problem
• Wireless management frames (beacons, probes, association) are not authenticated, encrypted, or signed
• A common vector for exploits
Solution
• Insert a signature (Message Integrity Code/MIC) into the management frames
• APs can instantly identify rogue/exploited management frames
• Optionally, clients and APs use the MIC to validate the authenticity of management frames
Infrastructure MFP Operation
(Figure: Corporate Building 1 contains APs with BSSIDs 11:11:11:11:11:11 and 22:22:22:22:22:22; in Corporate Building 2 a BSSID 11:11:11:11:11:11 appears even though the radios in the two buildings cannot hear each other, so it is a spoofed AP that infrastructure MFP lets the APs detect from the management-frame MIC.)
Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP
Client MFP and 802.11w Operation
(Table: Client MFP (CCXv5) protects management frames with a MIC; 802.11w protects frames with a security association (SA). Frame types covered in the table: AP beacons, probe requests/probe responses, associations/re-associations, disassociations, authentications/de-authentications, action management frames. Both defend against spoofing of the AP and of the client.)
Identify Users & Enforce Policy
• ISE Base / ISE Wireless (wireless only): AAA, guest provisioning; device profiling and policy control by the WLC
• ISE Advanced: AAA, guest provisioning, device profiling, device on-boarding, device posturing, partner MDM integration
Profiling strategies: profiling and policy enforcement across any access medium.
Profiling and Policy Enforcement Options
Profiling factors: time of day, authentication, device type, user role
Network components: WLC, RADIUS server (e.g. ISE Base, ACS)
Policy enforced: VLAN, access list, QoS, session timeout, AVC (wireless only)
Profiling & Policy Enforcement Workflow
(Figure: ISE Base answers the WLC's authentication request with a Cisco-AV-Pair Role=Finance; the WLC profiles the device and enforces policy over CAPWAP: a personal device in Finance is placed in VLAN 3 with QoS Silver, a corporate device in VLAN 7 with QoS Platinum.)
AAA services by ISE Base; device profiling and policy enforcement by the WLC.
Wi-Fi Direct Policy
Wi-Fi Direct allows a corporate laptop simultaneous access to the corporate WLAN and to unauthorized devices, which creates backdoor access. Prevent access to the corporate WLAN when Wi-Fi Direct is enabled on corporate wireless devices.
What is the Need for Application Visibility and Control?
• Why is the wireless performance of my network so low?
• Should I add more access points to improve the user experience?
• What if someone is running BitTorrent against company policy and hurting the overall user experience?
Identify Applications using NBAR2
Introducing Application Visibility and Control on WLC
Client traffic is classified into Voice, Video, Best-Effort and Background; application behaviour is then controlled with Don't Allow or Rate Limiting.
Attack Detection & Mitigation Techniques
Rogue Detection Basics: Listening for Rogues
Two different AP modes for RRM scanning:
• Local mode AP: serves clients for 16s, then scans 50ms per channel for rogues (best effort scanning)
• Monitor mode AP: scans 250ms or 1.2s per channel, 24x7
RF Group = Corporate: any AP not broadcasting the same RF group is considered a rogue.
Rogue Classification Rules – Who is more harmful?
Classification based on threat severity and mitigation action; rules tailored to the customer's risk model.

Criterion    Friendly            Malicious
Wired side   Off-network         On-network
SSID         Foreign SSID        Our SSID
Location     Distant location    On-site location
Security     Secured             Open
Signal       Weak RSSI           Strong RSSI
Clients      No clients          Attracts clients
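An added example, not code from the presentation: a rule-based classifier that applies the Friendly/Malicious criteria above to a rogue AP record. The RSSI cut-off, the indicator count and the "on our wire or our SSID is malicious outright" policy are assumptions standing in for a customer's own risk model.

```python
# Added example, not from Cisco's presentation: a rule-based classifier that
# applies the Friendly/Malicious criteria listed above. The thresholds and
# the "any on-network or our-SSID hit is malicious" policy are assumptions
# standing in for a customer's own risk model.
from dataclasses import dataclass

RSSI_STRONG_DBM = -70   # assumed cut-off: at or above this counts as "strong RSSI"


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    rssi_dbm: int        # strongest RSSI at which a managed AP hears the rogue
    open_auth: bool      # True when the rogue SSID is open (no encryption)
    client_count: int    # clients seen associated to the rogue
    on_network: bool     # True when RLDP, a rogue detector AP or SPT placed it on the LAN
    on_site: bool        # True when location services place it inside a corporate building


def malicious_indicators(ap, our_ssids):
    """Return the Malicious criteria from the slide that this rogue satisfies."""
    checks = [
        ("on-network", ap.on_network),
        ("our-ssid", ap.ssid in our_ssids),
        ("on-site", ap.on_site),
        ("open", ap.open_auth),
        ("strong-rssi", ap.rssi_dbm >= RSSI_STRONG_DBM),
        ("attracts-clients", ap.client_count > 0),
    ]
    return [name for name, hit in checks if hit]


def classify(ap, our_ssids, malicious_min=3):
    """Assumed policy: a rogue on our wire or using our SSID is Malicious outright
    (a backdoor or an evil twin); otherwise it is Malicious once it meets
    malicious_min criteria, Friendly when it meets none, Unclassified in between."""
    hits = malicious_indicators(ap, our_ssids)
    if "on-network" in hits or "our-ssid" in hits:
        return "Malicious"
    if len(hits) >= malicious_min:
        return "Malicious"
    if not hits:
        return "Friendly"
    return "Unclassified"
```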
Rogue Classification Rules Example
Wired Rogue Detection Methods
Rogue Location Discovery Protocol (RLDP):
• A data-serving AP connects to the rogue AP as a client and sends a packet to the controller's IP address; if the packet arrives, the rogue is on the corporate wire
• Only works with open rogue access points
Rogue Detector AP:
• Sits on a trunk port and detects all rogue client and access point ARPs
• The controller queries the rogue detector to determine whether rogue clients are on the network
• Does not work with NAT APs
Rogue Location Discovery Protocol Automatic Operation
• Two automatic modes of operation:
– ‘AllAPs’ – uses both Local and Monitor mode APs
– ‘MonitorModeAPs’ – uses only Monitor mode APs
• Recommended: Monitor Mode APs – RLDP can impact service on client-serving APs
Switchport Tracing (SPT) using Cisco Prime
(Figure: Cisco Prime at the core; step 1 is "show cdp neighbors" on the corporate AP that hears the rogue, steps 2 and 3 are CAM table lookups on the neighbouring switches.)
Switchport tracing: on-demand or automatic
• Identifies the CDP neighbors of the APs detecting the rogue
• Queries the switch's CAM table for the rogue's MAC
• Works for rogues with security and NAT
SPT matches on:
• Rogue client MAC address
• Rogue vendor OUI
• Rogue MAC +3/-3
• Rogue MAC address
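An added example, not Cisco Prime's implementation: the four SPT match rules above applied to a constructed CAM table, with the exact rogue MAC, rogue client MACs and the +3/-3 neighbours checked before the much weaker vendor-OUI rule. The MACs, switch names and ports are made up.

```python
# Added example, not Cisco Prime's implementation: the four SPT match rules
# above applied to a constructed CAM table. MACs, switches and ports are made up.
def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)

def int_to_mac(value):
    return ":".join(f"{(value >> shift) & 0xff:02x}" for shift in range(40, -1, -8))

def spt_candidates(rogue_bssid, rogue_client_macs, delta=3):
    """Build the MAC -> rule map SPT searches for, most specific rule first.
    The +/-delta rule exists because a rogue's wired MAC typically differs
    from its wireless BSSID only by a small offset."""
    base = mac_to_int(rogue_bssid)
    candidates = {rogue_bssid.lower(): "rogue-mac"}
    for mac in rogue_client_macs:
        candidates.setdefault(mac.lower(), "rogue-client-mac")
    for offset in range(-delta, delta + 1):
        if offset and 0 <= base + offset < 1 << 48:
            candidates.setdefault(int_to_mac(base + offset), "rogue-mac+/-3")
    return candidates

def spt_match(rogue_bssid, rogue_client_macs, cam_table, delta=3):
    """cam_table rows are (switch, port, mac). Returns (switch, port, mac, rule)
    hits; the vendor-OUI rule is checked last because it is the weakest evidence
    and needs manual confirmation before any port is shut."""
    exact = spt_candidates(rogue_bssid, rogue_client_macs, delta)
    oui = rogue_bssid.lower()[:8]
    hits = []
    for switch, port, mac in cam_table:
        mac = mac.lower()
        rule = exact.get(mac) or ("rogue-vendor-oui" if mac[:8] == oui else None)
        if rule:
            hits.append((switch, port, mac, rule))
    return hits

# Constructed sample: a rogue heard on BSSID 00:11:22:33:44:55 with one client,
# and CAM entries from two access switches.
ROGUE_BSSID = "00:11:22:33:44:55"
ROGUE_CLIENTS = ["aa:bb:cc:00:00:01"]
CAM_TABLE = [
    ("sw1", "Gi1/0/5", "00:11:22:33:44:57"),   # rogue MAC +2 -> the rogue's wired port
    ("sw1", "Gi1/0/7", "AA:BB:CC:00:00:01"),   # rogue client also plugged into the LAN
    ("sw2", "Gi1/0/2", "00:11:22:99:99:99"),   # same vendor OUI only
    ("sw2", "Gi1/0/3", "de:ad:be:ef:00:01"),   # unrelated
]

def trace_rogue():
    return spt_match(ROGUE_BSSID, ROGUE_CLIENTS, CAM_TABLE)
```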
Wireless Rogue AP Containment
• Monitor mode AP: can contain 6 rogues per radio; containment packets are sent every 100ms; broadcast & unicast de-auth
• Local mode AP: can contain 3 rogues per radio; containment packets are sent every 500ms; unicast de-auth & unicast dis-assoc; impacts associated clients' performance
Automatic Rogue AP Containment
• Use auto-containment to nullify the most alarming threats
• Containment can have legal consequences when used improperly
• The WLC can use only monitor mode APs for containment, to prevent impact to clients
Rogue Location In Real-Time with Prime and Mobility Services Engine (MSE) Context-Aware
• Tracks multiple rogues in real time (up to MSE limits)
• Can track and store rogue location historically
• Provides the location of rogue clients, rogue ad-hoc networks, WiFi interferers and non-WiFi interferers (e.g. microwave, Bluetooth)
Zone of Impact with Prime and MSE Context-Aware
(Figure: floor map showing non-WiFi interferers and a rogue access point with their zones of impact.)
Cisco’s Attack Detection Mechanisms
From the core WLC Base IDS through to Adaptive wIPS with Cisco Prime:
• Rogue AP and client detection
• 17 common attack signatures
• Alarm aggregation, consolidation and false-positive reduction
• Enhanced DoS attack behaviour analysis – 115 attack signatures
• Coordinated rogue containment
• Anomaly detection
• Forensic, blacklisting, auto containment, and auto immunity responses
Adaptive wIPS Deployment Recommendations
• Enhanced Local Mode (ELM) AP: serves clients for 16s, then scans 50ms for attacks (best effort scanning). Enable ELM on every deployed AP.
• Monitor mode AP: scans 1.2s for attacks, 24x7. Deploy 1 monitor mode AP for every 5 local mode APs.
• WSSI module: the AP stays in local mode serving clients while the module scans 1.2s for attacks, 24x7. Deploy 1 WSSI for every 5 local mode APs.