802.11 Wireless LAN Security Fundamentals


  • 7/21/2019 802.11 Wireless LAN Security Fundamentals

    1/104

    2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

    BRKAGG-2015

    13830_06_2007_c2 1

    2/104

    BRKAGG-2015

    802.11 Wireless LAN Security Fundamentals

    3/104

    Agenda

    WLAN Security

    Policy/Standards shaping Security

    IEEE

    Wi-Fi Alliance

    IETF

    Secure Wireless Components

    Controlling Client Access

    Ensuring Client Integrity

    Protect the network

    4/104

    802.11 WLAN Standards Activities: The Alphabet Soup

    Standard                        IEEE (Develop Spec)   Wi-Fi Alliance (Interoperability Testing)
    5 GHz, 54 Mbps                  802.11a               802.11a
    2.4 GHz, 11 Mbps                802.11b               802.11b
    2.4 GHz, 54 Mbps                802.11g               802.11g
    High-Speed                      802.11n
    Quality of Service (QoS)        802.11e               WMM
    Security                        802.11i               WPA, WPA2
    Multiple Regulatory Domains     802.11d
    Inter-Access Point Protocol     802.11f
    DFS & TPC                       802.11h
    Japan 5 GHz Channels            802.11j
    Measurement                     802.11k
    Maintenance                     802.11m
    Fast Roaming                    802.11r
    Mesh Networking                 802.11s
    Management Frame Protection     802.11w

    Legend (colour coding on the original slide): yellow = over the air protocols; orange = key Wi-Fi standards; black = all other

    5/104

    Wireless Security

    6/104

    802.11 Security Summary: 802.11, WPA, WPA2 and Regulations and Standards

    7/104

    802.11 RF Is Not a Remote Access Technology

    802.11 is not remote access

    802.11 isn't attacked from someone across the country

    802.11 isn't attacked by someone in another country

    802.11 isn't attacked from the comfort of a bedroom or dorm room

    Realistic range for attack is around 2000 feet

    Line of sight and elevation become an issue

    The pool of potential attackers is vanishingly small compared to the Internet

    Yes, you can be attacked

    Yes, WLANs should be secured

    Rule number one in avoiding predators is, don't look like prey

    8/104

    It All Starts with WLAN Security

    The Enterprise market, State & Local governments all follow the lead of the Federal Government for security

    Layer 3 / IPSec; Layer 2 / WPA2

    Federal Agencies define what WLAN security is and how it should be deployed within Government

    FIPS 140-2, Common Criteria & DoD 8100.2

    Ongoing dialogue with Federal and Enterprise customers is essential for guiding product requirements for Government solutions

    Privacy, Authentication, WIDS, Location, etc.

    9/104

    Security Paradigm Shift

    In the past:

    APs were unmanageable, untrusted devices

    Segregated to DMZ

    Secured w/ software overlay FIPS solutions

    Wireless deployments today:

    Thin APs w/ controllers and Enterprise Management have emerged

    Cisco APs are now classified as Information Assurance devices which perform authentication, encryption and Intrusion Detection/Prevention

    IEEE has addressed security with ratification of 802.11i in 6/04

    Embedded security obviates need for software overlays which improves scalability, manageability, and reliability while eliminating unnecessary components and costs

    10/104

    WLAN Security Standards

    IEEE 802.11 TGi - Proposed Standard 802.11i: IEEE Task Group focused on WLAN Security Improvement

    Enhancement Proposed - 802.1X, EAP, TKIP, MIC, AES

    Ratified July 04

    http://www.ieee.org

    Wi-Fi Alliance: Wi-Fi Protected Access (WPAv2) Compatibility Seal of Approval

    WiFi Interoperability: WiFi WLAN Interoperability, CY2000

    WiFi Protected Access (WPAv2): 802.1X, EAP, TKIP, MIC, AES

    http://www.weca.net

    FIPS Federal Information Processing Standard: Not specific for WLAN but does have implications for encrypting data sent over WLANs

    Regulated by NIST

    http://csrc.nist.gov/publications/fips/index.html

    http://www-08.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf - Federal WLAN Guide

    11/104

    Wi-Fi Protected Access

    What are WPA and WPA2?

    Authentication and encryption standards for Wi-Fi clients and APs

    802.1x authentication

    WPA uses TKIP encryption

    WPA2 uses AES block cipher encryption

    Which should I use?

    Gold, for supporting NIC/OSs

    Silver, if you have legacy clients

    Lead, if you absolutely have no other choice (i.e., ASDs)

    Tier     Protocol        EAP Types            Encryption / Isolation
    Gold     WPA2/802.11i    EAP-FAST/TLS/PEAP    AES
    Silver   WPA             EAP-FAST/TLS/PEAP    TKIP
    Lead     Dynamic WEP     EAP-FAST/LEAP        VLANs + ACLs

    12/104

    IEEE 802.11i (WLAN Security) Improvements

    802.11i is the IEEE 802.11 subcommittee responsible for WLAN security improvements

    Key components of IEEE 802.11i standard are:

    EAP/802.1x framework-based user authentication

    TKIP: mitigate RC4 key scheduling vulnerability and active attack vulnerabilities

    IV expansion: 48-bit IVs

    Key management: isolate encryption key management from user authentication

    AES: Long-term replacement protocol for RC4 (WEP)

    WPAv2 is the Wi-Fi Alliance (WFA) inclusion of 802.11i security recommendations

    13/104

    802.11i/WPA Authentication and Key Management Architecture

    (Diagram: supplicant, Access Point / WLC and Authentication Server. Client side: EAP over 802.1X (EAPoL) over 802.11, the part labelled "802.11i Specified", with EAP methods LEAP, PEAP, EAP-TLS and EAP-FAST. Server side: EAP over RADIUS over UDP/IP, the part labelled "WPA Specified".)

    IEEE standards provide device interoperability

    WPA guarantees a degree of system interoperability

    14/104

    Cisco WLAN FIPS Status: Federal Information Processing Standard (FIPS)

    Validated for FIPS 140-2 and common criteria

    4400 controller

    AP1200, AP1100 and BR1300 (LWAPP and autonomous)

    FIPS kits are required; contents include:

    Tamper-evidence labels

    Download instructions for FIPS approved Cisco IOS images

    Download instructions for security policies

    15/104

    Key Wireless Policies/Documents

    DoD 8100.2 and Follow on Supplement

    Mandates the use of:

    Strong Authentication, Non-Repudiation and Personal Identification in accordance with DoD PKI

    Mandates the use of EAP-TLS for mutual authentication

    Encryption of wireless traffic via an assured channel is mandatory and must be FIPS 140-2 validated

    Solution must be:

    802.11i (AES 128)

    WPAv2 certified by Wi-Fi alliance

    FIPS 140-2 Level 2 validated for Hardware, FIPS 140-2 Level 1 for Software

    In-process for Common Criteria Certification against Basic Robustness Protection Profile

    Wireless Intrusion Detection, Denial of Service Mitigation as well as actively screen for Wireless devices

    WIDS is mandatory

    16/104

    Standardizing the WLAN Architecture

    The Internet Engineering Task Force (IETF) focused on delivering a standard

    LWAPP selected as starting point, and follows the same architecture

    Renamed protocol to Configuration and Provisioning of Wireless Access Points (CAPWAP)

    Peer security review completed

    Predicted ratification date Q108

    17/104

    Deploying a Secure WLAN

    LWAPP/CAPWAP FIPS Solution

    Allows for 802.11i over the air security

    Allows for termination of 802.11i in the AP

    APs authenticate to controller using X.509 certificate

    Controller can authorize certificates

    Provides secure management interface between AP/Controller

    (Diagram: FIPS Client)

    18/104

    Wireless Security Components

    19/104

    Secure WLAN Architectures: Building Castles, not Islands

    Security is now more than just defending WAN attacks

    New Perimeter Security must be pervasive in the network

    Four Key Components

    Authentication & Integrity

    Privacy

    Wireless Intrusion Prevention

    Location

    (Diagram: campus switches, Intranet and Internet)

    20/104

    It's About More than Just Securing the Wireless Network

    Need to take a Defense-in-depth approach

    Wired/Wireless Integration

    Integrate with Cisco framework for Self Defending Networks.

    Cisco ASA/PIX Firewalls or Firewall Service Modules located anywhere in the network.

    Integrate with FIPS Validated Wireless Clients and Cisco Security Agent

    Future integration with CS-MARS for IDS event correlation for both Wired and Wireless Network

    Cisco Network Access Control

    Wired side IDS to detect Ethernet DoS attacks with Cisco 4200 IDS or Catalyst 6500 IDSM

    21/104

    Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

    (Diagram: three pillars over Integrated Management)

    Controlling Client Access: Strong Mutual Authentication; Strong Encryption

    Protect the Network: True Wireless IPS; Rogue AP detection and containment; Multilayer client exclusions; Anomaly and IDS/IPS

    Ensuring Client Integrity: Adaptive Client Policies; Endpoint Protection; Network Admission Control; Dynamic, real time policy updates; Admission Control; Infection Containment

    Self Defending Network (SDN): an initiative and Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats

    Integrated Management

    22/104

    Checklist for Secure Wireless LANs

    Implementation Checklist

    ✓ Authentication - 802.1x

    ✓ Encryption - FIPS Certified WPA2 (AES)

    ✓ Management Frame Protection

    (Diagram: the SDN pillars, with Controlling Client Access highlighted: Strong Mutual Authentication, Strong Encryption)

    23/104

    Authentication

    24/104

    What Is the Problem?

    802.11 Users Want Data Confidentiality

    Enterprises want protected campus access.

    Home users want to block unauthorized access.

    Hot spots want to avoid the liability of one customer hacking another.

    Everyone wants to stop unauthorized usage of their networks, particularly illegal activities!

    Users want to know they are connecting to a trusted access point instead of an impostor.

    Everyone wants to prevent credential theft.

    Network Security is about Access Control

    25/104

    Authentication

    Discover the peer's identity

    The network proves who it is to you, so you can decide if you really do want to talk with it (i.e., so you can make an authorization decision)

    You (or your device) prove who you are to the network, so it can decide whether to talk with you (i.e., so it can make an authorization decision)

    How:

    Authentication based on credentials exchange

    User name/password

    One Time Password/Token

    Certificate/PKI infrastructure

    26/104

    First, Some IEEE Terminology

    IEEE Terms              Normal People Terms
    Supplicant              Client
    Authenticator           Network Access Device
    Authentication Server   AAA/RADIUS Server

    27/104

    EAP / 802.1X Overview

    802.1X authentication has three key components:

    Supplicant - WLAN Client

    Authenticator - WLC

    Authentication Server - AAA Server

    28/104

    Authentication

    IEEE 802.1x Port-Based Network Access Control

    802.1x is an IEEE Standard for Port Based Network Access Control, EAP based - a NETWORK standard, not a wireless standard

    Describes a standard link layer protocol used for transporting higher-level authentication protocols.

    Works between the Supplicant (Client) and the Authenticator (Network Device).

    Maintains backend communication to an Authentication Server (RADIUS).

    Provides Network Authentication, not encryption

    Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.

    Improved authentication: username/password or certificate based

    Is PART of the 802.11i Standard (WPA/WPAv2)

    29/104

    Extensible Authentication Protocol (EAP)

    A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself

    EAP provides a flexible link layer security framework

    Simple encapsulation protocol

    No dependency on IP

    Few link layer assumptions

    Can run over any link layer (PPP, 802, etc.)

    Assumes no reordering

    Can run over lossy or lossless media

    Originally specified in RFC 2284, obsoleted by RFC 3748

    30/104

    How Does Extensible Authentication Protocol (EAP) Authenticate Clients?

    (Diagram: WLAN Client, WLAN Controller/AP, RADIUS Server and User Database on the Corporate Network)

    Client associates: it cannot send data until EAP authentication is complete; data from the client is blocked by the Controller/AP

    EAP runs over 802.1x between the client and the Controller/AP, and over RADIUS between the Controller/AP and the RADIUS Server

    EAP authentication complete: the client sends data; data from the client is passed by the Controller/AP

    31/104

    EAP Authentication

    32/104

    Machine Authentication

    Machine authentication using PEAP

    Uses account information for the computer created at the time the machine is added to the domain

    Computer must be a member of the domain

    If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert

    Machine authentication using EAP-TLS

    Authenticates the computer using certs

    The computer must have a valid cert

    If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert

    Why do Machine Authentication? It ensures that the device, not just the user, is allowed to connect to the Network

    33/104

    WLAN Security: 802.1X Client Authentication Choices

    EAP-TLS: EAP-Transport Layer Security

    Requires client & server certificates (PKI Infrastructure)

    Used in WPA interoperability testing

    PEAP: Protected EAP

    Uses server based certificate with client passwords

    GTC (Cisco) & MSCHAPv2 (Microsoft) versions

    EAP-FAST

    Uses TLS tunneling

    No certificates required

    Other EAP types (EAP-MD5, EAP-SIM, etc.)

    (Diagram: Client, AP, RADIUS Server)

    34/104

    EAP Protocols: Feature Support

    Feature                      | EAP-TLS                      | PEAP                                            | LEAP                                        | EAP-FAST
    Single Sign-on               | Yes                          | Yes                                             | Yes                                         | Yes
    Login Scripts (MS DB)        | Yes (1)                      | Yes (1)                                         | Yes                                         | Yes
    Password Expiration (MS DB)  | N/A                          | Yes                                             | No                                          | Yes
    Client and OS Availability   | XP, 2000, CE, and Others (2) | XP, 2000, CE, CCXv2 Clients (3), and Others (2) | Cisco/CCXv1 or Above Clients and Others (2) | Cisco/CCXv3 Clients (4) and Others (2)
    MS DB Support                | Yes                          | Yes                                             | Yes                                         | Yes
    LDAP DB Support              | Yes                          | Yes (5)                                         | No                                          | Yes
    OTP Support                  | No                           | Yes (5)                                         | No                                          | Yes (6)

    (1) Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
    (2) Greater operating system coverage is available from Meetinghouse and Funk supplicants
    (3) PEAP/GTC is supported on CCXv2 clients and above
    (4) Cisco 350/CB20A clients support EAP-FAST on MSFT XP, 2000, and CE operating systems; EAP-FAST supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients
    (5) Supported by PEAP/GTC only
    (6) Supported with 3rd party supplicant

    35/104

    EAP Protocols: Feature Support

    Feature                                    | EAP-TLS | PEAP   | LEAP    | EAP-FAST
    Off-Line Dictionary Attacks?               | No      | No     | Yes (1) | No
    Local Authentication                       | No      | No     | Yes     | Yes
    WPA Support                                | Yes     | Yes    | Yes     | Yes
    Application Specific Device (ASD) Support  | No      | No     | Yes     | Yes
    Server Certificates?                       | Yes     | Yes    | No      | No
    Client Certificates?                       | Yes     | No     | No      | No
    Deployment Complexity                      | High    | Medium | Low     | Low
    RADIUS Server Scalability Impact           | High    | High   | Low     | Low/Medium

    (1) Strong password policy mitigates dictionary attacks; please refer to: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html

    36/104

    Privacy/Encryption


    37/104

    FIPS Validated End-to-End Encryption/Privacy

    Securing the Client

    802.11i AES 128 used for Layer 2 Encryption between the client and the Access Point

    FIPS Certified AP and Client (3eti FIPS client)

    Securing the Network

    All Command and Control (C2) traffic between the Access Point and the Wireless LAN Controller is secured via AES 128

    Securing User Authentication

    RADIUS Key Wrap (AES 128) used to secure all RADIUS Authentication traffic between Wireless LAN Controller and the RADIUS Server

    38/104

    Wi-Fi Protected Access (WPA) and WPA 2

    Components of WPA:

    Authenticated Key Management using 802.1X: EAP-TLS and RADIUS are the nominated EAP test mechanism

    Unicast and Broadcast Encryption Key Management

    TKIP: Per-packet Keying

    IV expansion: 48 bit IVs

    Message Integrity Check (MIC)

    Migration Mode: coexistence of WPA and WEP devices

    Why WPA?

    Migration from WEP using the same hardware, fixed known WEP issues

    WPA 2 uses AES CCMP Encryption rather than TKIP


    40/104

    802.11i Termination in the AP

    CAPWAP's default encryption model is 802.11i in the AP

    Most widely deployed model

    Has undergone FIPS approval

    Supports MAC features that require direct access to RF prior to encryption

    802.11n A-MSDU packet aggregation

    802.11e HCCA

    (Diagram: FIPS Client)

    41/104

    FIPS 802.11i Client Server Key Management

    (Diagram: FIPS Compliant Supplicant, FIPS Aironet AP, FIPS WLAN Controller and FIPS Compliant RADIUS. Supplicant to AP: 802.11i AES-CCMP (128b), 802.1X EAPOL. AP to Controller: LWAPP AES-CCM carrying 802.1X-EAPOL. Controller to RADIUS: RADIUS EAP Transport with RADIUS Keywrap AES-SHA-1.)

    1. EAP-TLS client-server auth & PMK derivation (PMK held by supplicant and RADIUS)

    2. RADIUS distributes PMK to Controller (under RADIUS Keywrap)

    3. Controller and supplicant derive PTK = KCK, KEK & GTK

    4. Controller distributes PTK to AP (over LWAPP AES-CCM)
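The PMK-to-PTK step (step 3 on this slide), as an added illustration that is not code from the Cisco deck: both the controller and the supplicant run the IEEE 802.11i PRF (HMAC-SHA1 based) over the PMK, the two MAC addresses and the two 4-way-handshake nonces, and split the result into KCK, KEK and TK; the GTK the slide groups with them is delivered separately, wrapped under the KEK. The PMK, MAC addresses, nonces and EAPOL-Key body below are constructed sample values.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, n_bits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until at least n_bits are produced, then truncate."""
    out = b""
    for i in range((n_bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: n_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
    AA is the authenticator MAC, SPA the supplicant MAC. Because Min/Max are applied,
    both ends reach the same PTK whichever order they hold the values in.
    For AES-CCMP the 384-bit PTK splits into:
      KCK (bytes 0-15)  - keys the MIC on 4-way handshake messages
      KEK (bytes 16-31) - wraps the GTK sent in handshake message 3
      TK  (bytes 32-47) - the per-session AES-CCMP data key"""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("MAC addresses are 6 bytes, nonces are 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """Key MIC for EAPOL-Key descriptor version 2 (AES-CCMP): HMAC-SHA1 over the
    whole EAPOL-Key frame with its MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


def mic_is_valid(kck: bytes, eapol_key_frame: bytes, received_mic: bytes) -> bool:
    """Constant-time comparison; a failed MIC means the peer does not hold the
    same PMK (or the frame was altered in flight) and the handshake is dropped."""
    return hmac.compare_digest(eapol_key_mic(kck, eapol_key_frame), received_mic)


# Constructed sample values (not from any real network)
PMK = bytes(range(32))                         # would come out of EAP-TLS via RADIUS
AA = bytes.fromhex("001122334455")             # authenticator (AP/controller) MAC
SPA = bytes.fromhex("66778899aabb")            # supplicant (client) MAC
ANONCE = bytes([0xAA]) * 32
SNONCE = bytes([0x55]) * 32


def both_sides_agree() -> bool:
    """Controller and supplicant derive the PTK independently; the same inputs
    must give the same KCK/KEK/TK on both ends."""
    controller = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    supplicant = derive_ptk(PMK, SPA, AA, SNONCE, ANONCE)
    return controller == supplicant


if __name__ == "__main__":
    keys = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    for name, value in keys.items():
        print(f"{name.upper()}: {value.hex()}")
    print("both sides agree:", both_sides_agree())
```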

    42/104

    Securing the LWAPP Join Process

    LWAPP Join implements strong mutual authentication between AP and WLC

    AES key is used to encrypt the payloads of subsequent LWAPP Control Messages


    44/104

    Client Protection

    45/104

    Association Process

    Management Frames are not encrypted

    Addressed by Management Frame Protection (MFP), discussed later

    46/104

    Cisco Unified Wireless Network 4.0: Management Frame Protection (MFP)

    Provides for the authentication of 802.11 management frames by the wireless network infrastructure

    Allows detection of malicious rogues that are spoofing a valid AP MAC or SSID in order to avoid detection as a rogue AP, or as part of a man-in-the-middle attack

    Increases the fidelity of rogue AP and WLAN IDS signature detection

    Will provide protection of client devices with CCX v5

    Also supported with Autonomous AP / WDS / WLSE in version 12.3(8) / v2.13

    47/104

    Management Frame Protection (MFP): Mitigating Man-in-the-Middle Attacks

    Problem: there's no physical security for wireless, and management frames are not authenticated, encrypted, or signed

    Solution: insert a signature (Message Integrity Code / MIC) into the management frames:

    AP beacons

    Probe requests/responses

    Associations/re-associations

    Disassociations

    Authentications/de-authentications

    Action management frames

    (Diagram: Managed AP1 with MAC Addr A.B.C.D, and an attacker spoofing AP1's MAC Addr A.B.C.D; the infrastructure asks "Signature?")

    Initially will be deployed as a security mechanism to validate infrastructure equipment

    Will be extended to client adapters via CCX

    48/104

    Management Frame Protection Function

    A solution for clients and infrastructure (APs)

    Clients and APs add a MIC (signature) into every management frame

    Anomalies are detected instantly and reported to Controller/WCS

    E.g. no threshold or rate checks required to detect anomalies

    (Diagram: MFP Protected infrastructure links; client protection marked FUTURE - CCXv5)

    49/104

    Benefits of MFP

    Protection - for Rogue AP, Man-in-the-Middle exploits, other Management Frame attacks

    Prevention - will be available with clients capable of decrypting the signature

    Integration with other Cisco Security Monitoring solutions in order to characterize attack vectors - rules based correlation

    Cisco Security Leadership and Innovation

    50/104

    Infrastructure MFP

    Detection - quick response to WLAN events

    Extra fidelity for rogue AP and typical exploits

    Quick detection of exploits typically used to initiate MiTM

    Protection - for rogue AP, man-in-the-middle exploits, other management frame attacks

    Prevention - will be available with clients capable of decrypting the signature

    Specifics of MFP MIC: MFP Information Element adds timestamp, sequence number, and MIC key to management frames

    MFP employs HMAC-SHA1 hash algorithm to calculate MIC key
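The MFP check described above, as an added illustration that is not Cisco's code or its MFP wire format: a managed AP appends an element carrying a timestamp, a sequence number and an HMAC-SHA1 MIC, and the detecting side validates each frame by itself, which is why no threshold or rate checks are needed. The field sizes, the timestamp window, the key and the sample frames are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MIC_LEN = 16         # HMAC-SHA1 output truncated to 128 bits (assumed size)
MAX_SKEW_S = 5       # accepted timestamp window in seconds (assumed value)


@dataclass
class MgmtFrame:
    subtype: str                      # "beacon", "probe_resp", "deauth", ...
    bssid: str                        # MAC address the frame claims to come from
    body: bytes                       # management frame body
    mfp_ie: Optional[bytes] = None    # timestamp(8) || seq(4) || MIC(16), added by the AP


def _protected_fields(frame: MgmtFrame, ts: int, seq: int) -> bytes:
    # Subtype, BSSID, body, timestamp and sequence number are all covered by the MIC,
    # so none of them can be changed or replayed without the key.
    addr = bytes.fromhex(frame.bssid.replace(":", ""))
    return frame.subtype.encode() + addr + frame.body + struct.pack(">QI", ts, seq)


def protect(frame: MgmtFrame, key: bytes, ts: int, seq: int) -> MgmtFrame:
    """Managed-AP side: compute HMAC-SHA1 over the protected fields and append the MFP IE."""
    mic = hmac.new(key, _protected_fields(frame, ts, seq), hashlib.sha1).digest()[:MIC_LEN]
    return MgmtFrame(frame.subtype, frame.bssid, frame.body, struct.pack(">QI", ts, seq) + mic)


@dataclass
class MfpValidator:
    """Detecting AP / controller side. Every frame from a managed BSSID must carry a
    valid, fresh, strictly increasing MFP IE; anything else is reported at once."""
    key: bytes
    managed_bssids: Set[str]
    last_seq: Dict[str, int] = field(default_factory=dict)

    def check(self, frame: MgmtFrame, now: int) -> str:
        if frame.bssid not in self.managed_bssids:
            return "ignored: not a managed BSSID"
        if frame.mfp_ie is None or len(frame.mfp_ie) != 12 + MIC_LEN:
            return "anomaly: MFP IE missing (frame spoofs a managed AP)"
        ts, seq = struct.unpack(">QI", frame.mfp_ie[:12])
        expected = hmac.new(self.key, _protected_fields(frame, ts, seq), hashlib.sha1).digest()[:MIC_LEN]
        if not hmac.compare_digest(frame.mfp_ie[12:], expected):
            return "anomaly: MIC invalid (spoofed or altered frame)"
        if abs(now - ts) > MAX_SKEW_S:
            return "anomaly: timestamp outside window (replayed frame)"
        if seq <= self.last_seq.get(frame.bssid, -1):
            return "anomaly: sequence number not increasing (replayed frame)"
        self.last_seq[frame.bssid] = seq
        return "ok"


# Constructed sample traffic (not a capture): one managed AP and a shared MFP key.
KEY = b"constructed-mfp-key-material"
AP = "00:11:22:33:44:55"


def run_demo() -> List[str]:
    """Feed a genuine beacon, the same beacon again, a deauth without an IE and a
    deauth signed with the wrong key through the validator; returns the verdicts."""
    v = MfpValidator(KEY, {AP})
    beacon = protect(MgmtFrame("beacon", AP, b"ssid=corp"), KEY, ts=1000, seq=1)
    results = [v.check(beacon, now=1001)]
    results.append(v.check(beacon, now=1002))
    results.append(v.check(MgmtFrame("deauth", AP, b"\x07\x00"), now=1002))
    wrong_key = protect(MgmtFrame("deauth", AP, b"\x07\x00"), b"other-key", ts=1002, seq=2)
    results.append(v.check(wrong_key, now=1002))
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```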

    51/104

    Cisco Unified Wireless: Engineered to Deliver on the SDN Strategy

    (Diagram: the SDN pillars, as on slide 21/104)

    52/104

    Checklist for Secure Wireless LANs

    Implementation Checklist

    ✓ Cisco NAC for wired and wireless

    ✓ Cisco CSA

    ✓ Guest: Integrated captive portal w/ traffic tunneling

    (Diagram: the SDN pillars, with Ensuring Client Integrity highlighted: Network Admission Control; Dynamic, real time policy updates; Admission Control; Infection Containment)

    53/104

    Network Admission Control: The Network is the Control Point

    (Diagram, "2. CCA with Framework without partners": a Cisco NAC Agent / NAC Appliance Agent on the endpoint handles Discovery and Policy; the Network Access Device is the Enforcement point, with Cisco Trust Agent carried over EoU or Eo802.1x; the NAC Server / NAC Appliance Server and NAC Manager / NAC Appliance Manager handle Policy and Authentication against RADIUS AAA (ACS); Remediation is provided by Cisco and by vendors, alongside vendor Policy.)

    Apply Network Admissions Control, no matter:

    What system it is (Windows PC, Mac laptop, Linux workstation)

    Where it's coming from (VPN, LAN, WLAN, WAN)

    Who owns it (company, employee, contractor, guest, unknown)

    What applications are on the system (AV, personal firewall, patching tool)

    How it's checked and fixed (pre-configured, customized, 3rd party)

    Network Access Control Appliance:

    http://www.mcafee.com/us/default.asphttp://www.ca.com/

Network Access Control Appliance: Cisco Clean Access

Interoperates with Cisco Unified Wireless Architecture

Wireless users can be subject to Clean Access compliance when connecting through a Wi-Fi access point

Cisco Clean Access can be deployed in-band to force compliance for wireless users

Cisco Aironet lightweight access points are configured for Clean Access compliance via web-based setup on the Wireless LAN Controller

Periodic reassessment of client security posture


Cisco NAC Appliance with Unified Wireless

Modes and Positioning Key Takeaways:

NAC Appliance accommodates several deployment scenarios.

Unified Wireless and Campus Virtualization best practices currently recommend centralized deployment:

Must be logically in-band with wireless topology

Virtual G/W mode with VLAN Mapping

Real IP G/W mode to be tested and documented in a future release of the Secure Pervasive Mobility Design Guide


Cisco NAC Appliance with Unified Wireless

Modes and Positioning: In-Band Virtual Gateway

(Diagram: the NAC Appliance sits logically in-band between the WLAN Controller and the Access/Distribution layer toward the Intranet/Internet; the user WLAN on VLAN 131 is VLAN-mapped through the appliance to VLAN 10; VLAN 200 is also shown)


CSA Wireless

Endpoint Protection


Protecting the Road Warrior: Endpoint Security Must:

Protect the integrity of mobile devices, desktops and servers, on and off the corporate network, from worms, viruses and spyware

Identify data from critical or important applications, so the network can prioritize it

Cooperate with the network infrastructure to establish required levels of trust and auditability, and to react to threats in real-time

Federal Policy Compliance for Network Connectivity

CSA default behavioral rules protect against zero-day viruses, worms, spyware, etc. sight unseen

CSA with Trusted QoS control ensures that traffic is marked so that the network can apply correct handling

CSA integration with Cisco NAC and Network IPS establishes an endpoint-network relationship which enhances total network security.

Wireless Integration: preventing simultaneous wired & wireless access, only connecting to approved SSIDs


CSA for Wireless Security Overview

CSA Overview

Identifies and prevents malicious or unauthorized behavior

Offers endpoint threat protection, often referred to as Host-based IPS

Key element of end-to-end, defence-in-depth approach to security

CSA for Wireless Security

Offers general endpoint threat protection, as for wired clients

CSA v5.2 features new wireless security policies

May be used to extend current policies to include wireless-specific policy enforcement


Cisco Security Agent (CSA) and Cisco Trust Agent (CTA)

Shut off multiple network interfaces: wired/wireless only

Disable Ad Hoc mode

Connect to only corporate SSIDs

Protection of Endpoint Regardless of Posture

Protection of Endpoints Outside of CorpNet

Detect/Prevent Malicious Behavior

Policy-based Control of Application Use

Security Posture Checks on Incoming Systems (CTA)

Network Admission Control According to Posture (CTA)

Network Access Decisions for all Hosts (CTA)

Enforce Patch and AV Policy for all Hosts (CTA)

Host IPS and Client Integrity


CSA v5.2 New Wireless Policy Features

Restrict wireless ad-hoc connections
Wireless ad-hoc networks may be leveraged by an unauthorised or rogue device to access the client
Typically insecure, unencrypted connection

Restrict simultaneous wired and wireless connections
Risk of bridging traffic from insecure or rogue wireless networks to the wired network, bypassing network security measures

Policy enforcement based on SSID or wireless encryption type¹
E.g. Corporate WLAN vs public hotspot

VPN enforcement when out of the office¹
Use of VPN required if not on corporate network
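As an added example (not from the deck and not CSA's own code), the four v5.2 rules above expressed as a small policy evaluator over a constructed host state; the interface, policy and SSID names are hypothetical:

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed model of what a CSA-style agent sees on the host (hypothetical names).
@dataclass
class Interface:
    name: str
    kind: str                        # "wired" or "wireless"
    up: bool
    ssid: str = ""                   # wireless only
    mode: str = "infrastructure"     # "infrastructure" or "adhoc"
    encryption: str = "none"         # "none", "WEP", "WPA", "WPA2"


@dataclass
class HostState:
    interfaces: List[Interface]
    vpn_connected: bool = False


@dataclass
class WirelessPolicy:
    corporate_ssids: Set[str]
    min_corporate_encryption: str = "WPA2"   # weaker than this on a corporate SSID is suspect
    block_adhoc: bool = True
    block_simultaneous: bool = True
    require_vpn_off_corp: bool = True


ENCRYPTION_RANK = {"none": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def evaluate(host: HostState, policy: WirelessPolicy) -> List[str]:
    """Return the enforcement actions the wireless policy rules produce.

    An empty list means the host is compliant. Actions are returned as
    strings so the decision logic can be checked without touching interfaces.
    """
    actions: List[str] = []
    active = [i for i in host.interfaces if i.up]
    wired = [i for i in active if i.kind == "wired"]
    wireless = [i for i in active if i.kind == "wireless"]

    # Rule 1: ad-hoc (client-to-client) links bypass the infrastructure
    # security checkpoints and are usually unencrypted, so block them.
    if policy.block_adhoc:
        for w in wireless:
            if w.mode == "adhoc":
                actions.append(f"block {w.name}: ad-hoc wireless connection not allowed")

    # Rule 2: wired and wireless up together lets the host bridge an
    # untrusted WLAN into the wired network; keep the wired link only.
    if policy.block_simultaneous and wired and wireless:
        for w in wireless:
            actions.append(f"disable {w.name}: wired interface {wired[0].name} is active")

    # Rule 3: classify each infrastructure WLAN by SSID and encryption type.
    on_corporate_network = bool(wired)   # a wired link counts as on-net here
    for w in wireless:
        if w.mode == "adhoc":
            continue
        if w.ssid in policy.corporate_ssids:
            required = ENCRYPTION_RANK[policy.min_corporate_encryption]
            if ENCRYPTION_RANK.get(w.encryption, 0) < required:
                # The corporate SSID name with the wrong encryption type is
                # not the corporate WLAN (possible impersonation): do not trust it.
                actions.append(f"block {w.name}: SSID {w.ssid!r} uses {w.encryption}, "
                               f"corporate WLAN requires {policy.min_corporate_encryption}")
            else:
                on_corporate_network = True
        else:
            actions.append(f"restrict {w.name}: non-corporate SSID {w.ssid!r} "
                           f"({w.encryption}), public hotspot policy applies")

    # Rule 4: off the corporate network, require the VPN before any access.
    if (policy.require_vpn_off_corp and wireless
            and not on_corporate_network and not host.vpn_connected):
        actions.append("require VPN: host is off the corporate network")
    return actions


POLICY = WirelessPolicy(corporate_ssids={"CorpNet"})
```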


Controller Guest Access Services

Access control
Wireless VLANs created with guest SSID
Custom web auth configuration
Enforce time policies, QoS policies, guest ACLs
Forces acceptance of DOD base legal disclaimer before getting Internet connectivity

Path isolation
Separate guest traffic from the Federal Authorized local traffic w/ EoIP tunnels
Deployed in a centralized fashion: authentication and authorization on a centralized in-band device
Record the activity of guest users while connected to the enterprise network

(Diagram: Cisco Unified Wireless with a Guest (https web auth) SSID and an Enterprise (802.1X) SSID on the campus WLAN Controllers; guest traffic is carried across the Core in an EtherIP guest tunnel to a DMZ Anchor Guest Controller and on to the Internet; WCS manages the wireless VLANs)


Cisco Unified Wireless: Engineered to Deliver on the SDN Strategy

(Diagram: the Self-Defending Network (SDN), an initiative and Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats, built on Integrated Management and four pillars:

Controlling Client Access: Strong Mutual Authentication; Strong Encryption; True Wireless IPS; Adaptive Client Policies

Endpoint Protection

Protect the Network: Rogue AP detection and containment; Multilayer client exclusions; Anomaly and IDS/IPS

Ensuring Client Integrity: Network Admission Control; Dynamic, real-time policy updates; Admission Control; Infection Containment)


Checklist for Secure Wireless LANs

Implementation Checklist

✓ Rogue/WLAN Attack Detection
✓ Rogue Containment
✓ Location Services
✓ Security Management

(Diagram: Protect the Network pillar: Rogue AP detection and containment; Multilayer client exclusions; Anomaly and IDS/IPS)


Top Wireless Threats

Client Mis-association (Rogue WLAN): Employees connect to an external WLAN, creating a portal to the enterprise wired network

DoS Attacks (Denial of Service): Malicious hackers disrupt critical business services

Rogue AP: Employees create an opening to the enterprise network unknowingly

Ad Hoc: Client-to-client connections, bypassing infrastructure security checkpoints

(Diagram shows an external hacker as the actor in the DoS and Ad Hoc cases)


Cisco Unified Threat Detection and Mitigation


WLAN Threat Detection and Mitigation Overview

WLAN Threat Detection & Mitigation

Extend the same end-to-end, defence-in-depth principles applied on a wired network to a WLAN

Extend general network security policy to include a WLAN

Complementary to general threat detection and mitigation measures which should already be in place on the network

Cisco Unified Wireless Self-Defending Network

Integrated end-to-end, defence-in-depth solution


Threat Detection and Mitigation on a WLAN

Threat Detection

Threat detection is CRITICAL to visibility into network activity

Threat detection on a WLAN extends baseline network monitoring and anomaly detection to include:

Monitoring of the 802.11 RF medium

Monitoring of general WLAN client traffic

Threat Mitigation

Threat mitigation involves reactive security measures applied in response to an incident

Threat mitigation on a WLAN extends the actions available in response to an incident to include:

Mitigation techniques for threats on the 802.11 RF medium addressing WLAN clients themselves, as well as rogue devices and networks


Cisco Unified Wireless Network Integrated Wireless IDS/IPS Protects Your Business

Automatically detects:
Rogue access points and clients
Ad hoc networks
Denial of service attacks
Client mis-associations

Intelligent RF scanning = cost effective solution

Intrusion prevention under IT control

Location appliance provides precision mapping for physical removal

(Diagram: an 802.11a rogue AP and an 802.11a rogue client next to the Enterprise Network, blocked by RF containment)


Integrated Wireless Intrusion Protection

WIDS: Detect common RF-related attacks
Netstumbler, wellenreiter, void11, FakeAP, address spoofing, DoS, etc.

Customizable attack signatures

Real-time 24x7 monitoring and alarming

Rogue AP/client detection, location, and containment

Identify known (i.e. trusted) rogues

Manually disable clients

Integrated WIDS is critical: 802.11i & 802.11w will not be decoded via a standalone WIDS. But WIDS only detects wireless attacks; it gives no visibility/defense against authenticated users that launch IP DoS attacks

Must provide a comprehensive IPS solution by integrating wired and wireless IPS


Cisco Unified Wireless Self-Defending Network Threat Detection and Mitigation

Cisco Wireless IDS for RF Monitoring & Threat Mitigation

Rogue AP detection, location & containment

Rogue client detection & containment

Wireless ad-hoc network detection & containment

802.11 attack signatures

Excessive 802.11 association & authentication tracking, plus client blocking

IP theft & re-use tracking

Cisco IDS/IPS for General WLAN Client Traffic Monitoring & Threat Mitigation

Detection of worms, viruses, application abuse, spyware, adware, etc., as well as policy violations

Client shun to disconnect & block a WLAN client

Logging

SNMP, syslog & RADIUS accounting


Rogue AP Detection

Rogue AP detection has multiple facets:

Air/RF detection: detection of rogue devices by observing/sniffing beacons and 802.11 probe responses

Rogue AP location: use of the detected RF characteristics and known properties of the managed RF network to locate the rogue device

Wire detection: a mechanism for tracking/correlating the rogue device to the wired network

A WIDS may require different deployments to effectively address all of these facets

For example, it is typically required to use a scanning-mode AP as a rogue traffic injector to attempt to trace the rogue's connected port


Radio (Air/RF) Monitoring

(Diagram: Network Core, Distribution and Access layers with rogue APs attached; a Wireless LAN Controller and the Wireless Control System (WCS) acting as NMS; a Rogue Detector AP at the access layer performs ARP sniffing, while managed APs use Auto-RRM scanning and RLDP to detect rogue APs and correlate them to the wired network)


A Complete Solution for Handling Rogues

Controlled by administrator

Multiple rogues contained simultaneously

1. Detect Rogue AP (generate alarm)
2. Assess Rogue AP (Identity, Location, ..)
3. Contain Rogue AP
4. View Historical Report


Rogue AP Detection and Suppression

Rogue AP detection methodology

WLAN system collects (via beacons and probe responses) and reports BSSID information

System compares collected BSSID information versus authorized (i.e., managed AP) BSSID information

Unauthorized APs are flagged and reported via fault monitoring functionality

Rogue AP suppression techniques

Trace the rogue AP over the wired network to verify that the rogue is internal and should be contained

Use of managed devices to disassociate clients from unauthorized AP and prevent further associations via 802.11 de-authentication frames
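An added example (not the deck's or Cisco's code) of the detection methodology above together with the facets from the Rogue AP Detection slide: observed BSSIDs are compared with the managed-AP inventory, the administrator's list of known (trusted) rogues and the wire-trace result, and each BSSID gets a verdict with the recommended next step. The MACs, SSIDs and AP names are constructed sample data:

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class BeaconReport:
    """One beacon / probe-response observation made by a managed AP in scan mode."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    detector: str        # managed AP that heard the frame (hypothetical name)


@dataclass
class RogueVerdict:
    bssid: str
    ssid: str
    classification: str  # managed | known-external | rogue-on-wire | rogue-honeypot | rogue-unknown
    severity: str        # info | medium | high | critical
    action: str
    nearest_detector: str
    rssi_dbm: int
    channel: int


def _norm(mac: str) -> str:
    return mac.strip().lower()


def classify_rogues(reports: Iterable[BeaconReport],
                    managed_aps: Dict[str, str],     # BSSID -> SSID of the managed network
                    known_external: Set[str],       # acknowledged neighbour APs (not a threat)
                    seen_on_wire: Set[str]) -> List[RogueVerdict]:   # BSSIDs correlated to the wire
    """Compare observed BSSIDs with the managed-AP inventory; one verdict per BSSID."""
    managed = {_norm(b): s for b, s in managed_aps.items()}
    managed_ssids = set(managed.values())
    external = {_norm(b) for b in known_external}
    on_wire = {_norm(b) for b in seen_on_wire}

    # Several managed APs usually hear the same rogue; keep the strongest
    # observation, since that detector is the best starting point for locating it.
    strongest: Dict[str, BeaconReport] = {}
    for r in reports:
        b = _norm(r.bssid)
        if b not in strongest or r.rssi_dbm > strongest[b].rssi_dbm:
            strongest[b] = r

    verdicts: List[RogueVerdict] = []
    for b in sorted(strongest):
        r = strongest[b]
        if b in managed:
            cls, sev, act = "managed", "info", "none"
        elif b in external:
            cls, sev, act = "known-external", "info", "none (acknowledged by administrator)"
        elif b in on_wire:
            # Wire detection succeeded: the rogue is inside the network, so it is the
            # one case where containment is the documented next step (after review).
            cls, sev, act = ("rogue-on-wire", "critical",
                             "alarm; containment candidate after administrator review; locate and remove")
        elif r.ssid in managed_ssids:
            # Our SSID advertised from a BSSID we do not manage: AP impersonation.
            cls, sev, act = ("rogue-honeypot", "high",
                             "alarm; corporate SSID from unmanaged BSSID; locate; wire-trace")
        else:
            cls, sev, act = ("rogue-unknown", "medium",
                             "alarm; monitor; wire-trace (ARP sniffing / RLDP) before any containment")
        verdicts.append(RogueVerdict(b, r.ssid, cls, sev, act, r.detector, r.rssi_dbm, r.channel))
    return verdicts


# Constructed sample data (not from the slides): two managed APs, one
# acknowledged neighbour, and observations from two scanning APs.
MANAGED_APS = {"00:11:22:aa:bb:01": "CorpNet", "00:11:22:aa:bb:02": "CorpNet"}
KNOWN_EXTERNAL = {"66:77:88:00:00:01"}
SEEN_ON_WIRE = {"de:ad:be:ef:00:01"}
SAMPLE_REPORTS = [
    BeaconReport("00:11:22:AA:BB:01", "CorpNet", 36, -40, "ap-floor1"),
    BeaconReport("66:77:88:00:00:01", "NeighbourCafe", 6, -78, "ap-floor1"),
    BeaconReport("DE:AD:BE:EF:00:01", "linksys", 11, -62, "ap-floor1"),
    BeaconReport("de:ad:be:ef:00:01", "linksys", 11, -55, "ap-floor2"),
    BeaconReport("c0:ff:ee:00:00:02", "CorpNet", 1, -70, "ap-floor2"),
    BeaconReport("12:34:56:78:9a:bc", "hotspot-xyz", 6, -85, "ap-floor1"),
]


def sample_verdicts() -> Dict[str, RogueVerdict]:
    """Run the classifier over the constructed sample, keyed by normalised BSSID."""
    return {v.bssid: v for v in classify_rogues(SAMPLE_REPORTS, MANAGED_APS,
                                                KNOWN_EXTERNAL, SEEN_ON_WIRE)}
```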


Cisco Unified Wireless: Map Rogue AP

(Screenshot of the rogue AP shown on a floor map; not reproduced)


Rogue Containment

Rogue AP, Rogue-Connected Client, or Ad-Hoc Client May Be Contained by Controller Issuing Unicast De-Authentication Packets

Maximum number of APs participating in containment is configurable

Maximum of three simultaneous containments may operate on a single LWAPP AP

Rogue client devices may be authenticated to a RADIUS (MAC address) database

Maximum time for auto-containment is configurable


Wireless IDS

The WLC comes with built-in Wireless IDS signatures that can be augmented with additional customer signatures


Cisco WLC and IDS/IPS Collaboration Overview

General WLAN Client Threat Detection

Cisco IDS/IPS offers the ability to monitor and detect general malicious threats from WLAN clients, e.g. worms, viruses, application abuse

Same as that which may be employed to monitor and detect malicious threats from wired clients

WLAN Client Shun for Threat Mitigation

Cisco WLC and IDS/IPS collaboration to enable a WLAN client to be shunned from the Cisco IDS/IPS, disconnecting the client from the WLAN and blocking them from reconnecting


Cisco IDS/IPS Integration for General WLAN Client Threat Detection

(Diagram, two placements: Cisco IDS for passive monitoring, attached to the Core and seeing the WLAN client traffic between the WLC and the general network; Cisco IPS for active, in-line monitoring, placed in the path between the WLC and the general network. In both cases client traffic travels between the LAPs and the WLC over the LWAPP tunnel, and the sensor sees it as WLAN client traffic between the WLC and the general network)


    WLC and IDS Products


WLAN Client Shun for Threat Mitigation

Mitigation action which may be initiated from Cisco IDS/IPS

Shunned WLAN client disconnected from the WLC whenever they are associated and for as long as a shun action is enforced

WLC software release 4.0 or later and IPS software release v5.x or later

Wired/Wireless IPS Integration


IDS Event and Client Shunning

(Diagram: 1. Malicious traffic from an authenticated user flows from the client to the AP/Cisco Controller; 2. the controller passes it to the wired IDS (4200 Series IDS Sensor), which performs deep packet inspection; 3. the IDS sends a shun to the controller, which blocks the client from the Enterprise Network)

Problem: Authorized user's laptop infected with worm or virus

Solution: IDS/IPS sensor monitors traffic with deep packet inspection (Layer 7) to identify and trigger a shun event; WLAN controller shuns/blocks the MAC address of the compromised wireless client

Integration of wired and wireless security


Unified Wireless and IDS/IPS Collaboration Summary

Deploy Cisco IDS/IPS for general WLAN client threat detection

Deploy Cisco Wireless IDS for WLAN-specific threat detection and mitigation

Cisco WLC and IDS/IPS collaboration enables a WLAN client shun from a Cisco IDS/IPS to be available to operational staff as a threat mitigation tool
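An added example (not from the deck and not WLC or IPS software) modelling the shun collaboration described on the preceding slides: the alert carries only a source IP, the controller maps it to the associated client's MAC, excludes that MAC, and disconnects the client again on every re-association until the shun expires. Class and method names, MACs, IPs and timings are constructed:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IdsAlert:
    """Constructed stand-in for an IDS/IPS event that requests a shun."""
    signature: str
    src_ip: str


@dataclass
class ShunEntry:
    mac: str
    reason: str
    expires_at: float          # seconds on the controller clock


class ShunModel:
    """Model of the WLC side of the collaboration (hypothetical API).

    The alert identifies the offender by IP; the controller maps it to the
    associated client's MAC, excludes that MAC, disconnects the client, and
    disconnects it again on every re-association until the shun expires.
    """

    def __init__(self, default_ttl_s: float = 3600.0):
        self.assoc: Dict[str, str] = {}       # MAC -> IP of associated clients
        self.shuns: Dict[str, ShunEntry] = {}
        self.log: List[str] = []
        self.default_ttl_s = default_ttl_s

    def _expire(self, now: float) -> None:
        for mac in [m for m, e in self.shuns.items() if e.expires_at <= now]:
            self.log.append(f"shun expired for {mac}")
            del self.shuns[mac]

    def is_shunned(self, mac: str, now: float) -> bool:
        self._expire(now)
        return mac.lower() in self.shuns

    def on_association(self, mac: str, ip: str, now: float) -> str:
        """Return 'allow', or 'deauth' when the controller must disconnect the client."""
        mac = mac.lower()
        if self.is_shunned(mac, now):
            self.log.append(f"{mac}: re-association while shunned, disconnecting")
            return "deauth"
        self.assoc[mac] = ip
        return "allow"

    def on_disassociation(self, mac: str) -> None:
        self.assoc.pop(mac.lower(), None)

    def handle_alert(self, alert: IdsAlert, now: float,
                     ttl_s: Optional[float] = None) -> Optional[str]:
        """Apply an IDS/IPS shun. Returns the shunned MAC, or None when the
        source IP is not an associated WLAN client (logged, nothing blocked)."""
        mac = next((m for m, ip in self.assoc.items() if ip == alert.src_ip), None)
        if mac is None:
            self.log.append(f"{alert.signature}: {alert.src_ip} is not a WLAN client, no shun")
            return None
        expires = now + (ttl_s if ttl_s is not None else self.default_ttl_s)
        self.shuns[mac] = ShunEntry(mac, alert.signature, expires)
        self.assoc.pop(mac)                   # client is disconnected immediately
        self.log.append(f"{alert.signature}: shun {mac} ({alert.src_ip}) until t={expires:.0f}")
        return mac


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: an infected client is shunned, retries, shun expires."""
    wlc = ShunModel(default_ttl_s=600)
    wlc.on_association("AA:BB:CC:00:00:01", "10.1.1.20", now=0)
    wlc.on_association("aa:bb:cc:00:00:02", "10.1.1.21", now=0)
    shunned = wlc.handle_alert(IdsAlert("worm-propagation", "10.1.1.20"), now=10)
    unknown = wlc.handle_alert(IdsAlert("port-sweep", "192.0.2.9"), now=11)   # wired host
    retry = wlc.on_association("aa:bb:cc:00:00:01", "10.1.1.20", now=300)      # still shunned
    healthy = wlc.on_association("aa:bb:cc:00:00:02", "10.1.1.21", now=300)
    after = wlc.on_association("aa:bb:cc:00:00:01", "10.1.1.20", now=700)      # shun expired
    return {"shunned": shunned, "unknown": unknown, "retry": retry,
            "healthy": healthy, "after_expiry": after, "log": wlc.log}
```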


Cisco Unified Wireless Solution and Firewall Integration


WLCs and FWSM

WLC VLANs can map directly to Cisco security devices


WiSM FWSM Example

Using Cisco Unified Wireless Features and a FWSM to provide firewall policies for different classes of users sharing the same infrastructure


Location


Location Services

Effectively track clients as they enter your wireless network

Visibility into the Wireless Network

4 key pieces of information:
What Do We Have?
How Many Do We Have?
Where Is It?
What Is Its Status?

Locate and Track Rogue APs or Clients

Allow access based on location


Wi-Fi Location Enables Multiple Applications

Voice: Code Blue, Voice Alerts, E911

Security: Better rogue detection, Perimeter security, Policy enforcement, Location/movement based alerts

Visibility: Asset Management, Streamline Workflow

Location Based Trending: RF Capacity Management, Troubleshooting, Security

Location Based Content Distribution

Telemetry: Relevant information about tracked item


Location Capabilities

RF Fingerprinting traces rays from every access point in the network

Accounts for reflection

Accounts for multipath to a destination

Cisco 2700 Series Wireless Location Appliance


Tracking Rogues, Tags, and Clients


Security Management: Wired and Wireless Integration

WCS
Simple, Powerful Dashboard
Robust Reporting

Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Network-wide anomaly detection
Rules-based correlation


802.1x Monitoring and Reporting with CS-MARS

CS-MARS provides a centralized monitoring and reporting point for 802.1x-related events from ACS, NADs, and third party security servers

pnAgent forwards logs from ACS to CS-MARS

Pinpoints where identity events are occurring in the network, provides detailed logging information regarding events, and reports

(Diagram: ACS v4.0 forwards logs via pnAgent to CS-MARS; NADs send syslog; a Posture Validation Server and an Audit Server also feed CS-MARS; CS-MARS reports 802.1x Failed Authentications and Top Users)


Checklist Summary

Protect the Network (Rogue AP detection and containment; Multilayer client exclusions; Anomaly and IDS/IPS)
✓ Rogue Detection
✓ Rogue Containment
✓ Location Services
✓ Security Management

Controlling Client Access (Strong Mutual Authentication; Strong Encryption; True Wireless IPS; Adaptive Client Policies)
✓ 802.1X
✓ FIPS WPA2 (AES)
✓ Management Frame Protection

Endpoint Protection
✓ Cisco CSA

Ensuring Client Integrity (Network Admission Control; Dynamic, real-time policy updates; Admission Control; Infection Containment)
✓ Cisco NAC for wired and wireless
✓ Cisco CSA
✓ Guest: Integrated captive portal w/traffic tunneling


Meeting Security Requirements

802.11i based WLAN with 802.1x, RADIUS, and all EAP types

FIPS Certified end-to-end Layer 2 AES encryption

Support for EAP-TLS, certificates, and PKI infrastructure

Wireless IDS embedded into WLAN

CSA for endpoint and server security for both the wired and wireless networks

CS-MARS for event correlation


Defense In-Depth Security: Making Wireless More Secure than Wired

Benefits:
Multi-layered security; wireless more secure than wired
Unification with Cisco Secure, ACS, CS-MARS
Uniform security framework across wired and wireless
Protection from unauthorized access and rogue devices

Trust and Identity: Verify the User and Device
Identity-Based Networking, CSA + NAC, RF Firewall, Blacklisting
Authenticate Who/What Has Access

Threat Defense: Protect the Servers
Integrated Firewalls
Protect Against Network-based Attacks
Defend the Applications: Integrated Network WIDS
Rogue AP Detection and Containment
Signature Detection and Remediation
WLAN MFP
RF Jamming Remediation

Secure Connectivity: Secure and Encrypt Transport
FIPS Validated WPA2/AES
Provides Data/Voice Confidentiality
IPSec VPNs, X.509 Certificates
Secure Control Channel

(Diagram shows the threats these layers address: Hacker, Rogues, Viruses, Denial of Service)


Wireless System Security Highlights

Multiple layers of WLAN protection

RF: 802.11 interference, bleeding coverage areas

Network: rogue detection, location, containment; ad-hoc prevention

User: protection from dictionary, MitM, asleap, and other attacks

Application: protect data from DoS and other attacks

X.509 certificates guarantee identity

Zero touch, if desired

AP must prove identity through unique private key

AP's identity is validated and authorization check is performed

Only APs you want are allowed in

Zero false positives on AP impersonation

Trusted MAC address is not sufficient

Hacker steals trusted MAC address and runs Host AP

Both over the air and wire


Secure WLAN Architectures: Building Castles not Islands

Security is now more than just defending WAN attacks

New perimeter security must be pervasive in the network

Four Key Components:
Authentication & Integrity
Privacy
Wireless Intrusion Prevention
Location

(Diagram: campus switches between the Intranet and the Internet)


Q and A


Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Win fabulous prizes; give us your feedback

Receive ten Passport Points for each session evaluation you complete

Go to the Internet stations located throughout the Convention Center to complete your session evaluation

Winners will be announced daily at the Internet stations
