Security for WLANs - wIPS vs Base IDS


Transcript of Security for WLANs - wIPS vs Base IDS

Page 1: Security for WLANs - wIPS vs Base IDS

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public BRKAGG-2015_c2 52

WLAN Security Vulnerabilities and Threats

[Threat diagram: each threat is drawn with a hacker icon and placed under one of two headings, On-Wire Attacks or Over-the-Air Attacks; the labels are listed below]

Denial of Service: service disruption
Ad-hoc Wireless Bridge: client-to-client backdoor access
Rogue Access Points: backdoor network access
Evil Twin/Honeypot AP (hacker's AP): connection to malicious AP
Reconnaissance: seeking network vulnerabilities
Cracking Tools: sniffing and eavesdropping

Page 2: Security for WLANs - wIPS vs Base IDS


WLAN Security: Denial of Service Attacks

RF Jamming
Any intentional or unintentional RF transmitter in the same frequency band can adversely affect the WLAN

DoS using 802.11 Management Frames
Management frames are not authenticated today
Trivial to fake the source of a management frame
De-authentication floods are probably the most worrisome

Misuse of Spectrum (CSMA/CA – Egalitarian Access!)
"Silencing" the network with RTS/CTS floods and Big-NAV attacks

802.1X Authentication Floods and Dictionary Attacks
Overloading the system with unnecessary processing
Legacy implementations are prone to dictionary attacks, in addition to other algorithm-based attacks
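The two over-the-air DoS techniques the slide singles out, de-authentication floods and RTS/CTS "Big-NAV" abuse, are exactly the kind of behaviour a wIPS signature looks for. The following is an added example, not code from the Cisco deck or from any Cisco product: a minimal detector that runs over constructed, already-decoded frame records (no live capture). The record layout, the threshold values and the MAC addresses are assumptions made for the example; a real wIPS exposes its own per-signature tunables.

```python
"""Added example: wIPS-style detection of deauth floods and Big-NAV abuse over
constructed 802.11 frame records. Field layout, thresholds and addresses are
assumptions for this example, not Cisco wIPS internals."""
from collections import defaultdict, deque

# Assumed tunables (illustrative, not Cisco wIPS settings).
DEAUTH_FLOOD_THRESHOLD = 10      # deauth/disassoc frames from one transmitter ...
DEAUTH_WINDOW_MS = 1000          # ... within this sliding window
BIG_NAV_MIN_DURATION_US = 30000  # NAV reservations this long stall the cell (field max is 32767)

# Constructed frame records: (timestamp_ms, frame_type, subtype, transmitter, bssid, duration_us).
# Addresses are made up. The burst below spoofs the AP's own address, which is trivial
# because, as the slide says, management frames carry no authentication.
AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    (0, "mgmt", "deauth", AP, AP, 314),                    # one legitimate deauth as a client leaves
    (100, "ctrl", "rts", "aa:bb:cc:dd:ee:01", AP, 300),    # ordinary RTS/CTS with a small NAV
    (100, "ctrl", "cts", AP, AP, 250),
] + [
    (1000 + i * 40, "mgmt", "deauth", AP, AP, 314) for i in range(12)   # flood: 12 frames in < 0.5 s
] + [
    (2500, "ctrl", "cts", "de:ad:be:ef:00:01", AP, 32767),  # CTS reserving the maximum NAV
]


def detect_deauth_flood(frames, threshold=DEAUTH_FLOOD_THRESHOLD, window_ms=DEAUTH_WINDOW_MS):
    """Raise one alarm per (transmitter, BSSID) whose deauth/disassoc rate exceeds the threshold."""
    recent = defaultdict(deque)   # (transmitter, bssid) -> timestamps still inside the window
    alarmed = set()
    alarms = []
    for ts, ftype, subtype, ta, bssid, _duration in sorted(frames, key=lambda f: f[0]):
        if ftype != "mgmt" or subtype not in ("deauth", "disassoc"):
            continue
        key = (ta, bssid)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_ms:      # slide the window forward; q holds ts itself, so it never empties
            q.popleft()
        if len(q) >= threshold and key not in alarmed:
            alarmed.add(key)              # report each (transmitter, BSSID) pair once per run
            alarms.append({"alarm": "deauth-flood", "transmitter": ta, "bssid": bssid,
                           "first_seen_ms": q[0], "last_seen_ms": ts, "count": len(q)})
    return alarms


def detect_big_nav(frames, min_duration_us=BIG_NAV_MIN_DURATION_US):
    """Flag RTS/CTS frames whose Duration field reserves an implausibly long NAV."""
    return [{"alarm": "big-nav", "transmitter": ta, "bssid": bssid,
             "time_ms": ts, "duration_us": duration}
            for ts, ftype, subtype, ta, bssid, duration in frames
            if ftype == "ctrl" and subtype in ("rts", "cts") and duration >= min_duration_us]


if __name__ == "__main__":
    for alarm in detect_deauth_flood(SAMPLE_FRAMES) + detect_big_nav(SAMPLE_FRAMES):
        print(alarm)
```

Both detectors key on what MFP and a monitor-mode AP can actually see: the flood rule counts unauthenticated management frames per claimed source rather than trusting the address, and the NAV rule treats the Duration field as attacker-controlled input. On the sample data the single legitimate deauth and the normal RTS/CTS exchange produce no alarm; the burst and the maximum-duration CTS each produce one.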

Page 3: Security for WLANs - wIPS vs Base IDS


Wireless Security: MAC Address Spoofing

As with wired networks, MAC address and IP address spoofing are possible, if not easy, in wireless networks

Outsider (hostile) attack scenario: does not know the key/encryption policy
IP address spoofing is not possible if encryption is turned on (DHCP messages are encrypted between the client and the AP)
MAC address spoofing alone (i.e., without IP address spoofing) may not buy much if encryption is turned on

Insider attack scenario: seeking to obtain other users' secure information
MAC address and IP address spoofing will not succeed if EAP/802.1X authentication is used (a unique encryption key is derived per user, i.e., per MAC address)

Page 4: Security for WLANs - wIPS vs Base IDS


Wireless Security: Sniffing and Reconnaissance

First – sniffing, or capturing packets over the air, is an extremely useful troubleshooting methodology

Sniffing, in the old days, relied on very specific cards and drivers

Very easy to find support for most cards and drivers today

Cost (if you like to pay for it) of such software is negligible (or just use free/open source software)

Provides insight (with physical proximity) into the network, services and devices, which comes in handy when performing network reconnaissance

Page 5: Security for WLANs - wIPS vs Base IDS


Wireless Security: Man in the Middle Attack

A MiTM is when an attacker poses as the network to the client(s) and as a client to the actual network

The attacker forces a legitimate client off the network

The attacker lures the client to a honeypot

The attacker gains security credentials by intercepting user traffic

Very easy to do with:
Sniffing, and war-driving to identify targets
MAC Address Spoofing
Rogue Device Setup
DoS Attacks

Page 6: Security for WLANs - wIPS vs Base IDS


Quick Look: Common WLAN Exploits/Tools

Remote-Exploit/Backtrack/Auditor

Aircrack, WEPcrack, etc

coWPAtty

Kismet

NetStumbler, Hotspotter, etc

AirSnort

Sniffing tools: OmniPeek, Wireshark

dsniff, nmap

wellenreiter

asleap

Page 7: Security for WLANs - wIPS vs Base IDS


Ounce of Prevention… Stop the Attack Before It Happens

[Same threat diagram as on Page 1: Denial of Service (service disruption), Ad-hoc Wireless Bridge (client-to-client backdoor access), Rogue Access Points (backdoor network access), Evil Twin/Honeypot AP (connection to malicious AP), Reconnaissance (seeking network vulnerabilities), Cracking Tools (sniffing and eavesdropping); grouped as On-Wire Attacks and Over-the-Air Attacks]

Cisco wIPS Detects These Attacks

Page 8: Security for WLANs - wIPS vs Base IDS


Ounce of Prevention… Stop the Attack Before It Happens

[Same threat diagram as on Page 1, now annotated with the countermeasure that addresses each group of threats]

MFP (Management Frame Protection) neutralizes all management frame exploits, such as Man-in-the-Middle attacks

WPA2/802.11i neutralizes recon and cracking attacks

Rogue detection, classification and mitigation addresses these attacks

Page 9: Security for WLANs - wIPS vs Base IDS


Cisco’s Attack Detection Mechanisms

Base IDS
Built in to controller software
Uses Local and Monitor Mode APs

Adaptive wIPS
Requires MSE
Uses wIPS Monitor Mode APs

Page 10: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS Differences from Base Controller IDS

Page 11: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS Difference #1: Alarm Aggregation and Correlation

[Side-by-side architecture diagram. Adaptive wIPS: AP, WLC, MSE and WCS. Base Controller IDS: AP, WLC and WCS only]

Adaptive wIPS: alarms pass through the MSE
Base Controller IDS: no alarm correlation

Page 12: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS Difference #2: Breadth of Alarms Detected

Adaptive wIPS vs. Base Controller IDS: the Base Controller IDS has only 17 signatures

Page 13: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS Difference #2 (cont.): Attack Encyclopedia

Available for each alarm

Accessible from the wIPS profile page

Page 14: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS Difference #3: Forensic Packet Capture

Page 15: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS Difference #3: Forensic Packet Capture (cont.)

Page 16: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS Difference #4: Historic Reporting

1. Alarm information is stored in the MSE database (maximum of 6 million alarms stored)

2. WCS queries the MSE database during report generation

3. Reports created and viewed at WCS

Page 17: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS: Types of Reports

wIPS Alarm List Report
Use: historic reporting of attacks
Summarized list of alarms contained within the MSE
Contains alarm type, SRC MAC, detecting AP, first seen time, last seen time

wIPS Top 10 AP Report
Use: identifying ‘hot zones’ of attack
The ten wIPS access points with the highest number of alarms
Includes critical, major, minor and warning levels of alarms
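Difference #1 (alarm aggregation and correlation through the MSE, versus no correlation in the Base Controller IDS) and the two report types above fit together: correlation is what turns a pile of per-AP detections into the alarm rows the Alarm List Report shows, and the Top 10 AP report is a ranking over those rows. The block below is an added example, not code from the Cisco deck or from any Cisco product. It folds constructed per-AP detections into one alarm per attack type and source MAC within a time window, carrying the fields the Alarm List Report lists (alarm type, SRC MAC, detecting APs, first seen, last seen), and then ranks detecting APs with a severity breakdown. The correlation window, alarm names, AP names and MAC addresses are assumptions.

```python
"""Added example: alarm correlation and Top-N AP reporting over constructed
per-AP detections. Window, alarm names and AP names are assumptions made for
this example; they are not Cisco wIPS/MSE behaviour or data."""
from collections import defaultdict

CORRELATION_WINDOW_S = 300   # assumption: same (type, source) within 5 min is one event

SEVERITIES = ("critical", "major", "minor", "warning")   # levels named on the slide

# Constructed detections: (timestamp_s, alarm_type, src_mac, detecting_ap, severity)
DETECTIONS = [
    (100, "Deauthentication flood", "aa:bb:cc:00:00:01", "AP-Lobby-1", "critical"),
    (104, "Deauthentication flood", "aa:bb:cc:00:00:01", "AP-Lobby-2", "critical"),  # second AP hears it
    (109, "Deauthentication flood", "aa:bb:cc:00:00:01", "AP-Lobby-1", "critical"),
    (150, "Honeypot AP detected",   "aa:bb:cc:00:00:02", "AP-Lobby-1", "major"),
    (900, "Deauthentication flood", "aa:bb:cc:00:00:01", "AP-Lobby-1", "critical"),  # > window: new alarm
    (950, "NetStumbler detected",   "aa:bb:cc:00:00:03", "AP-Floor2-4", "minor"),
]


def uncorrelated_alarms(detections):
    """Base Controller IDS behaviour as described on the slide: every detection is its own alarm."""
    fields = ("time", "alarm_type", "src_mac", "detecting_ap", "severity")
    return [dict(zip(fields, d)) for d in detections]


def correlate_alarms(detections, window_s=CORRELATION_WINDOW_S):
    """Merge detections of one (alarm_type, src_mac) seen within window_s into a single alarm.

    The result carries the Alarm List Report fields: type, SRC MAC, detecting APs,
    first seen, last seen, plus the number of raw detections folded in.
    """
    open_alarms = {}   # (alarm_type, src_mac) -> alarm dict still being extended
    alarms = []
    for ts, atype, src, ap, sev in sorted(detections, key=lambda d: d[0]):
        key = (atype, src)
        alarm = open_alarms.get(key)
        if alarm is None or ts - alarm["last_seen"] > window_s:
            alarm = {"alarm_type": atype, "src_mac": src, "severity": sev,   # severity of first detection
                     "detecting_aps": [], "first_seen": ts, "last_seen": ts, "detections": 0}
            open_alarms[key] = alarm
            alarms.append(alarm)
        alarm["last_seen"] = ts
        alarm["detections"] += 1
        if ap not in alarm["detecting_aps"]:
            alarm["detecting_aps"].append(ap)
    return alarms


def top_aps_report(alarms, n=10):
    """Top-N AP report: APs ranked by number of correlated alarms they detected, with severity counts."""
    counts = defaultdict(lambda: {"total": 0, **{s: 0 for s in SEVERITIES}})
    for alarm in alarms:
        for ap in alarm["detecting_aps"]:
            counts[ap]["total"] += 1
            counts[ap][alarm["severity"]] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1]["total"], kv[0]))  # ties broken by AP name
    return ranked[:n]


if __name__ == "__main__":
    print(len(uncorrelated_alarms(DETECTIONS)), "raw alarms without correlation")
    correlated = correlate_alarms(DETECTIONS)
    for a in correlated:
        print(a)
    for ap, c in top_aps_report(correlated):
        print(ap, c)
```

On the sample data the six raw detections become four alarms: the three lobby deauth detections collapse into one row listing both detecting APs, while the detection at 900 s falls outside the window and opens a fresh row, which is what keeps a report readable without hiding a repeat attack. The Top-N ranking counts correlated alarms per AP, so a single attack heard by several APs does not inflate the "hot zone" for each of them.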

Page 18: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS: Creating Reports

• Add/Remove Columns
• Sort by Columns
• Filter by MSE
• Or by WLC

Page 19: Security for WLANs - wIPS vs Base IDS


Example Report: wIPS Alarm List

[Screenshot; callout: Attack Timeline]

Page 20: Security for WLANs - wIPS vs Base IDS


Example Report: wIPS Top 10 APs

Alarm Severities

Page 21: Security for WLANs - wIPS vs Base IDS


WCS Security Dashboard

Security Index

Controller IDS and Adaptive wIPS Alarms

Rogues by Category

Page 22: Security for WLANs - wIPS vs Base IDS


Adaptive wIPS: Components and Functions

Page 23: Security for WLANs - wIPS vs Base IDS


Mobility Services Engine: Support for Cisco Motion Services

Mobility services may have different WLC/WCS software requirements

Adaptive wIPS is licensed on a per-monitor-mode-AP basis

3310 Mobility Services Engine
Supports Adaptive wIPS for up to 2000 Monitor Mode APs
Supports Context Aware for up to 2000 tracked devices
Requires WLC software version 4.2.130 or later and WCS version 5.2 or later.

3350 Mobility Services Engine
Supports Adaptive wIPS for up to 3000 Monitor Mode APs
Supports Context Aware for up to 18000 tracked devices
Requires WLC software version 4.2.130 or later and WCS version 5.1 or later.

Page 24: Security for WLANs - wIPS vs Base IDS


wIPS System Communication Diagram

The MSE is not in the ‘data path’