7/21/2019 802.11 Wireless LAN Security Fundamentals
1/104
2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
BRKAGG-2015
13830_06_2007_c2 1
802.11 Wireless LAN Security Fundamentals (BRKAGG-2015)
Agenda
WLAN Security
Policy/Standards shaping Security
IEEE
Wi-Fi Alliance
IETF
Secure Wireless Components
Controlling Client Access
Ensuring Client Integrity
Protect the network
802.11 WLAN Standards Activities: The Alphabet Soup
(IEEE develops the specification; the Wi-Fi Alliance performs interoperability testing)

Standard                     | IEEE    | Wi-Fi Alliance
-----------------------------|---------|---------------
5 GHz, 54 Mbps               | 802.11a | 802.11a
2.4 GHz, 11 Mbps             | 802.11b | 802.11b
2.4 GHz, 54 Mbps             | 802.11g | 802.11g
High-Speed                   | 802.11n |
Quality of Service (QoS)     | 802.11e | WMM
Security                     | 802.11i | WPA, WPA2
Multiple Regulatory Domains  | 802.11d |
Inter-Access Point Protocol  | 802.11f |
DFS & TPC                    | 802.11h |
Japan 5 GHz Channels         | 802.11j |
Measurement                  | 802.11k |
Maintenance                  | 802.11m |
Fast Roaming                 | 802.11r |
Mesh Networking              | 802.11s |
Management Frame Protection  | 802.11w |

Legend (slide colouring): yellow = over the air protocols; orange = key Wi-Fi standards; black = all other.
Wireless Security
802.11 Security Summary: 802.11, WPA, WPA2 and Regulations and Standards
802.11 RF Is Not a Remote Access Technology
802.11 is not remote access
802.11 isn't attacked from someone across the country
802.11 isn't attacked by someone in another country
802.11 isn't attacked from the comfort of a bedroom or dorm room
Realistic range for attack is around 2000 feet
Line of sight and elevation become an issue
The pool of potential attackers is vanishingly small compared to the Internet
Yes, you can be attacked
Yes, WLANs should be secured
Rule number one in avoiding predators is: don't look like prey
It All Starts with WLAN Security
The Enterprise market, State & Local governments all follow the lead of the Federal Government for security
Layer 3 / IPSec, Layer 2 / WPA2
Federal Agencies define what WLAN security is and how it should be deployed within Government
FIPS 140-2, Common Criteria & DoD 8100.2
Ongoing dialogue with Federal and Enterprise customers is essential for guiding product requirements for Government solutions
Privacy, Authentication, WIDS, Location, etc.
Security Paradigm Shift
In the past:
APs were unmanageable, untrusted devices
Segregated to DMZ
Secured w/ software overlay FIPS solutions
Wireless deployments today:
Thin APs w/ controllers and Enterprise Management have emerged
Cisco APs are now classified as Information Assurance devices which perform authentication, encryption and Intrusion Detection/Prevention
IEEE has addressed security with ratification of 802.11i in 6/04
Embedded security obviates need for software overlays which improves scalability, manageability, and reliability while eliminating unnecessary components and costs
WLAN Security Standards
IEEE 802.11 TGi - Proposed Standard 802.11i
IEEE Task Group focused on WLAN Security Improvement
Enhancement Proposed - 802.1X, EAP, TKIP, MIC, AES
Ratified July 04
http://www.ieee.org
Wi-Fi Alliance: Wi-Fi Protected Access (WPAv2)
Compatibility Seal of Approval
WiFi Interoperability: WiFi WLAN Interoperability, CY2000
WiFi Protected Access (WPAv2): 802.1X, EAP, TKIP, MIC, AES
http://www.weca.net
FIPS - Federal Information Processing Standard
Not specific for WLAN but does have implications for encrypting data sent over WLANs
Regulated by NIST
http://csrc.nist.gov/publications/fips/index.html
http://www-08.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf - Federal WLAN Guide
Wi-Fi Protected Access
What are WPA and WPA2?
Authentication and encryption standards for Wi-Fi clients and APs
802.1x authentication
WPA uses TKIP encryption
WPA2 uses AES block cipher encryption
Which should I use?
Gold, for supporting NIC/OSs
Silver, if you have legacy clients
Lead, if you absolutely have no other choice (i.e., ASDs)

Tier   | Security      | Authentication    | Encryption (or compensating controls)
-------|---------------|-------------------|--------------------------------------
Gold   | WPA2/802.11i  | EAP-FAST/TLS/PEAP | AES
Silver | WPA           | EAP-FAST/TLS/PEAP | TKIP
Lead   | Dynamic WEP   | EAP-FAST/LEAP     | VLANs + ACLs
IEEE 802.11i (WLAN Security) Improvements
802.11i is the IEEE 802.11 subcommittee responsible for WLAN security improvements
Key components of IEEE 802.11i standard are:
EAP/802.1x framework-based user authentication
TKIP: mitigate RC4 key scheduling vulnerability and active attack vulnerabilities
IV expansion: 48-bit IVs
Key management: isolate encryption key management from user authentication
AES: Long-term replacement protocol for RC4 (WEP)
WPAv2 is the Wi-Fi Alliance (WFA) inclusion of 802.11i security recommendations
802.11i/WPA Authentication and Key Management Architecture
(Diagram: Client, Access Point / WLC, Authentication Server)
EAP (LEAP, PEAP, EAP-TLS and EAP-FAST) runs end to end between client and Authentication Server
Client to Access Point: 802.1X (EAPoL) over 802.11 (802.11i specified)
Access Point/WLC to Authentication Server: RADIUS over UDP/IP (WPA specified)
IEEE standards provide device interoperability
WPA guarantees a degree of system interoperability
Cisco WLAN FIPS Status: Federal Information Processing Standard (FIPS)
Validated for FIPS 140-2 and Common Criteria
4400 controller
AP1200, AP1100 and BR1300 (LWAPP and autonomous)
FIPS kits are required; contents include:
Tamper-evidence labels
Download instructions for FIPS approved Cisco IOS images
Download instructions for security policies
Key Wireless Policies/Documents
DoD 8100.2 and Follow on Supplement
Mandates the use of:
Strong Authentication, Non-Repudiation and Personal Identification in accordance with DoD PKI
Mandates the use of EAP-TLS for mutual authentication
Encryption of wireless traffic via an assured channel is mandatory and must be FIPS 140-2 validated
Solution must be:
802.11i (AES 128)
WPAv2 certified by Wi-Fi Alliance
FIPS 140-2 Level 2 validated Hardware; FIPS 140-2 Level 1 for Software
In-process for Common Criteria Certification against Basic Robustness Protection Profile
Wireless Intrusion Detection, Denial of Service Mitigation as well as actively screen for Wireless devices
WIDS is mandatory
Standardizing the WLAN Architecture
The Internet Engineering Task Force (IETF) focused on delivering a standard
LWAPP selected as starting point, and follows the same architecture
Renamed protocol to Configuration and Provisioning of Wireless Access Points (CAPWAP)
Peer security review completed
Predicted ratification date Q108
Deploying a Secure WLAN
LWAPP/CAPWAP FIPS Solution
Allows for 802.11i over the air security
Allows for termination of 802.11i in the AP
APs authenticate to controller using X.509 certificate
Controller can authorize certificates
Provides secure management interface between AP/Controller
(Diagram: FIPS client, AP and controller)
Wireless Security Components
Secure WLAN Architectures: Building Castles not Islands
Security is now more than just defending WAN attacks
New Perimeter Security must be pervasive in the network
Four Key Components
Authentication & Integrity
Privacy
Wireless Intrusion Prevention
Location
(Diagram: campus switches between the Intranet and the Internet)
It's About More than Just Securing the Wireless Network
Need to take a Defense-in-depth approach
Wired/Wireless Integration
Integrate with Cisco framework for Self Defending Networks.
Cisco ASA/PIX Firewalls or Firewall Service Modules located anywhere in the network.
Integrate with FIPS Validated Wireless Clients and Cisco Security Agent
Future integration with CS-MARS for IDS event correlation for both Wired and Wireless Network
Cisco Network Access Control
Wired side IDS to detect Ethernet DoS attacks with Cisco 4200 IDS or Catalyst 6500 IDSM
Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy
Controlling Client Access: Strong Mutual Authentication; Strong Encryption; True Wireless IPS; Adaptive Client Policies; Endpoint Protection
Protect the Network: Rogue AP detection and containment; Multilayer client exclusions; Anomaly and IDS/IPS
Ensuring Client Integrity: Network Admission Control; Dynamic, real time policy updates; Admission Control; Infection Containment
Self Defending Network: Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats
Integrated Management
Checklist for Secure Wireless LANs
Implementation Checklist (Controlling Client Access):
Authentication - 802.1x
Encryption - FIPS Certified WPA2 (AES)
Management Frame Protection
Authentication
What Is the Problem?
802.11 Users Want Data Confidentiality
Enterprises want protected campus access.
Home users want to block unauthorized access.
Hot spots want to avoid the liability of one customer hacking another.
Everyone wants to stop unauthorized usage of their networks, particularly illegal activities!
Users want to know they are connecting to a trusted access point instead of an impostor.
Everyone wants to prevent credential theft.
Network Security is about Access Control
Authentication
Discover the peer's identity
The network proves who it is to you, so you can decide if you really do want to talk with it (i.e., so you can make an authorization decision)
You (or your device) prove who you are to the network, so it can decide whether to talk with you (i.e., so it can make an authorization decision)
How:
Authentication based on credentials exchange
User name/password
One Time Password/Token
Certificate/PKI infrastructure
First, Some IEEE Terminology

IEEE Terms            | Normal People Terms
----------------------|----------------------
Supplicant            | Client
Authenticator         | Network Access Device
Authentication Server | AAA/RADIUS Server
EAP / 802.1X Overview
802.1X authentication has three key components:
Supplicant - WLAN Client
Authenticator - WLC
Authentication Server - AAA Server
Authentication
IEEE 802.1x Port-Based Network Access Control
802.1x is an IEEE Standard for Port Based Network Access Control, EAP based - a NETWORK standard, not a wireless standard
Describes a standard link layer protocol used for transporting higher-level authentication protocols.
Works between the Supplicant (Client) and the Authenticator (Network Device).
Maintains backend communication to an Authentication Server (RADIUS).
Provides Network Authentication, not encryption
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
Improved authentication: username/password or certificate based
Is PART of the 802.11i Standard (WPA/WPAv2)
Extensible Authentication Protocol (EAP)
A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
EAP provides a flexible link layer security framework
Simple encapsulation protocol
No dependency on IP
Few link layer assumptions
Can run over any link layer (PPP, 802, etc.)
Assumes no reordering
Can run over lossy or lossless media
Originally specified in RFC 2284, obsoleted by RFC 3748
How Does Extensible Authentication Protocol (EAP) Authenticate Clients?
(Diagram: WLAN Client, WLAN Controller/AP, RADIUS Server with User Database, Corporate Network)
Client associates; it cannot send data until EAP authentication completes: data from the client is blocked by the Controller/AP
EAP runs over 802.1x between the client and the Controller/AP, and over RADIUS between the Controller/AP and the RADIUS Server
EAP authentication complete: client sends data; data from the client is passed by the Controller/AP
EAP Authentication
Machine Authentication
Machine authentication using PEAP
Uses account information for the computer created at the time the machine is added to the domain
Computer must be a member of the domain
If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert
Machine authentication using EAP-TLS
Authenticates the computer using certs
The computer must have a valid cert
If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert
Why do machine authentication? It ensures that the device, not just the user, is allowed to connect to the network
WLAN Security: 802.1X Client Authentication Choices
EAP-TLS: EAP-Transport Layer Security
Requires client & server certificates (PKI Infrastructure)
Used in WPA interoperability testing
PEAP: Protected EAP
Uses server based certificate with client passwords
GTC (Cisco) & MSCHAPv2 (Microsoft) versions
EAP-FAST
Uses TLS tunneling
No certificates required
Other EAP types (EAP-MD5, EAP-SIM, etc.)
(Diagram: Client, AP, RADIUS Server)
EAP Protocols: Feature Support

Feature                     | EAP-TLS                      | PEAP                                            | LEAP                                        | EAP-FAST
----------------------------|------------------------------|-------------------------------------------------|---------------------------------------------|---------------------------------------
Single Sign-on              | Yes                          | Yes                                             | Yes                                         | Yes
Login Scripts (MS DB)       | Yes (1)                      | Yes (1)                                         | Yes                                         | Yes
Password Expiration (MS DB) | N/A                          | Yes                                             | No                                          | Yes
Client and OS Availability  | XP, 2000, CE, and others (2) | XP, 2000, CE, CCXv2 clients (3), and others (2) | Cisco/CCXv1 or above clients and others (2) | Cisco/CCXv3 clients (4) and others (2)
MS DB Support               | Yes                          | Yes                                             | Yes                                         | Yes
LDAP DB Support             | Yes                          | Yes (5)                                         | No                                          | Yes
OTP Support                 | No                           | Yes (5)                                         | No                                          | Yes (6)

(1) Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
(2) Greater operating system coverage is available from Meetinghouse and Funk supplicants
(3) PEAP/GTC is supported on CCXv2 clients and above
(4) Cisco 350/CB20A clients support EAP-FAST on MSFT XP, 2000, and CE operating systems; EAP-FAST supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients
(5) Supported by PEAP/GTC only
(6) Supported with 3rd party supplicant
EAP Protocols: Feature Support

Feature                                   | EAP-TLS | PEAP   | LEAP    | EAP-FAST
------------------------------------------|---------|--------|---------|-----------
Off-Line Dictionary Attacks?              | No      | No     | Yes (1) | No
Local Authentication                      | No      | No     | Yes     | Yes
WPA Support                               | Yes     | Yes    | Yes     | Yes
Application Specific Device (ASD) Support | No      | No     | Yes     | Yes
Server Certificates?                      | Yes     | Yes    | No      | No
Client Certificates?                      | Yes     | No     | No      | No
Deployment Complexity                     | High    | Medium | Low     | Low
RADIUS Server Scalability Impact          | High    | High   | Low     | Low/Medium

(1) Strong password policy mitigates dictionary attacks; please refer to: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html
Privacy/Encryption
FIPS Validated End-to-End Encryption/Privacy
Securing the Client
802.11i AES 128 used for Layer 2 Encryption between the client and the Access Point
FIPS Certified AP and Client (3eti FIPS client)
Securing the Network
All Command and Control (C2) traffic between the Access Point and the Wireless LAN Controller is secured via AES 128
Securing User Authentication
RADIUS Key Wrap (AES 128) used to secure all RADIUS Authentication traffic between Wireless LAN Controller and the RADIUS Server
Wi-Fi Protected Access (WPA) and WPA 2
Components of WPA:
Authenticated Key Management using 802.1X: EAP-TLS and RADIUS are the nominated EAP test mechanism
Unicast and Broadcast Encryption Key Management
TKIP: Per-packet Keying
IV expansion: 48 bit IVs
Message Integrity Check (MIC)
Migration Mode: coexistence of WPA and WEP devices
Why WPA?
Migration from WEP using the same hardware, fixed known WEP issues
WPA 2 uses AES CCMP Encryption rather than TKIP
802.11i Termination in the AP
CAPWAP's default encryption model is 802.11i in the AP
Most widely deployed model
Has undergone FIPS approval
Supports MAC features that require direct access to RF prior to encryption
802.11n A-MSDU packet aggregation
802.11e HCCA
(Diagram: FIPS client, AP and controller)
FIPS 802.11i Client Server Key Management
(Diagram: FIPS compliant supplicant, FIPS Aironet AP, FIPS WLAN controller, FIPS compliant RADIUS server)
EAP transport: 802.1X/EAPOL between supplicant and AP, LWAPP between AP and controller, RADIUS between controller and RADIUS server
1. EAP-TLS client-server auth & PMK derivation (the PMK is then held by the supplicant and the RADIUS server)
2. RADIUS distributes PMK to Controller (RADIUS KeyWrap, AES-SHA-1)
3. Controller and supplicant derive PTK = KCK, KEK & GTK
4. Controller distributes PTK to AP (LWAPP, AES-CCM)
Over the air: 802.11i AES-CCMP (128b)
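The PTK derivation in step 3 and the MIC that protects the handshake frames, as an added Python example (not code from the deck or from Cisco): it runs the IEEE 802.11i PRF-384 over the PMK, both MAC addresses and both nonces, splits the result into KCK, KEK and TK, and uses the KCK to compute and verify the descriptor-version-2 HMAC-SHA1 MIC on a constructed EAPOL-Key message 2. The PMK, MAC addresses, nonces and key data are constructed sample values; the GTK the slide mentions is generated separately by the authenticator and is not derived here.

```python
"""Added example (not from the Cisco deck): PMK -> PTK derivation and EAPOL-Key MIC.

Step 3 of the slide: after EAP-TLS yields the PMK, the supplicant and the
controller each run the IEEE 802.11i PRF over both MAC addresses and both
handshake nonces and split the PTK into KCK, KEK and TK.  The KCK then
authenticates the EAPOL-Key handshake frames.  All inputs below are
constructed sample values; the GTK is generated separately by the
authenticator and is not derived here.
"""
import hashlib
import hmac

PAIRWISE_LABEL = b"Pairwise key expansion"

# Constructed sample inputs (not real keys or devices).
PMK = hashlib.sha256(b"constructed sample PMK from EAP-TLS").digest()  # 32 bytes
AA = bytes.fromhex("001122334455")      # authenticator address (AP / controller)
SPA = bytes.fromhex("66778899aabb")     # supplicant address (client)
ANONCE = bytes(range(32))               # authenticator nonce, EAPOL-Key message 1
SNONCE = bytes(range(32, 64))           # supplicant nonce, EAPOL-Key message 2


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    blocks = (nbits + 159) // 160
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(blocks)
    )
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    Min/Max ordering gives both sides identical input.  For CCMP the PTK is
    384 bits: KCK (128, handshake MIC), KEK (128, wraps the GTK), TK (128, CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PAIRWISE_LABEL, data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# EAPOL-Key frame: 4-byte 802.1X header, then descriptor type (1), key info (2),
# key length (2), replay counter (8), nonce (32), IV (16), RSC (8), key ID (8),
# MIC (16), key data length (2), key data.  The MIC therefore starts at offset 81.
MIC_OFFSET = 81
MIC_LEN = 16
KEY_INFO_MSG2_CCMP = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 MIC: HMAC-SHA1 over the whole EAPOL frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_eapol_key_msg2(kck: bytes, snonce: bytes, replay_counter: int, key_data: bytes) -> bytes:
    """Supplicant side: message 2 of the 4-way handshake carrying SNonce and
    (in a real client) the RSN IE as key data, with the MIC filled in."""
    body = bytes([2])                                   # descriptor type 2: RSN key descriptor
    body += KEY_INFO_MSG2_CCMP.to_bytes(2, "big")
    body += (16).to_bytes(2, "big")                     # key length: CCMP TK is 16 bytes
    body += replay_counter.to_bytes(8, "big")
    body += snonce
    body += bytes(16) + bytes(8) + bytes(8)             # key IV, key RSC, key ID: zero in msg 2
    body += bytes(MIC_LEN)                              # MIC placeholder
    body += len(key_data).to_bytes(2, "big") + key_data
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X v2, type 3 EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """Authenticator side: a frame whose MIC fails is silently discarded, so a
    station without the PMK (hence without the KCK) cannot complete the handshake."""
    if len(frame) < MIC_OFFSET + MIC_LEN:
        return False
    received = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(received, eapol_key_mic(kck, frame))


if __name__ == "__main__":
    supplicant = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    controller = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    print("PTK identical on both sides:", supplicant == controller)
    msg2 = build_eapol_key_msg2(supplicant["kck"], SNONCE, 1, b"constructed RSN IE")
    print("Message 2 MIC verifies at controller:", verify_eapol_key_mic(controller["kck"], msg2))
    print("Message 2 MIC verifies with wrong key:", verify_eapol_key_mic(controller["kek"], msg2))
```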
Securing the LWAPP Join Process
LWAPP Join implements strong mutual authentication between AP and WLC
AES key is used to encrypt the payloads of subsequent LWAPP Control Messages
Client Protection
Association Process
Management Frames are not encrypted
Addressed by Management Frame Protection (MFP), discussed later
Cisco Unified Wireless Network 4.0
Management Frame Protection (MFP)
Provides for the authentication of 802.11 management frames by the wireless network infrastructure
Allows detection of malicious rogues that are spoofing a valid AP MAC or SSID in order to avoid detection as a rogue AP, or as part of a man-in-the-middle attack
Increases the fidelity of rogue AP and WLAN IDS signature detection
Will provide protection of client devices with CCX v5
Also supported with Autonomous AP/ WDS/ WLSE in version 12.3(8)/ v2.13
Management Frame Protection (MFP): Mitigating Man-in-the-Middle Attacks
Problem: there's no physical security for wireless, and management frames are not authenticated, encrypted, or signed
Solution: insert a signature (Message Integrity Code / MIC) into the management frames:
AP beacons
Probe requests/responses
Associations/re-associations
Disassociations
Authentications/de-authentications
Action management frames
(Diagram: a managed AP1 with MAC address A.B.C.D, and an attacker spoofing AP1's MAC address A.B.C.D; the infrastructure asks "Signature?")
Initially will be deployed as a security mechanism to validate infrastructure equipment
Will be extended to client adapters via CCX
Management Frame Protection Function
A solution for clients and infrastructure (APs): Clients and APs add a MIC (signature) into every management frame
Anomalies are detected instantly and reported to Controller/WCS
E.g. no threshold or rate checks required to detect anomalies
(Diagram: MFP-protected APs today and, in future with CCXv5, MFP-protected clients)
Benefits of MFP
Protection - for Rogue AP, Man-in-the-Middle exploits, other Management Frame attacks
Prevention - will be available with clients capable of decrypting the signature
Integration with other Cisco Security Monitoring solutions in order to characterize attack vectors - rules based correlation
Cisco Security Leadership and Innovation
Infrastructure MFP
Detection: quick response to WLAN events
Extra fidelity for rogue AP and typical exploits
Quick detection of exploits typically used to initiate MiTM
Protection: for rogue AP, man-in-the-middle exploits, other management frame attacks
Prevention: will be available with clients capable of decrypting the signature
Specifics of MFP MIC
MFP Information Element adds timestamp, sequence number, and MIC key to management frames
MFP employs HMAC-SHA1 hash algorithm to calculate MIC key
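How an MFP-aware controller or AP would act on the MIC, timestamp and sequence number described above, as an added Python example (not Cisco's implementation): it validates constructed management frames against a per-BSSID HMAC-SHA1 key and reports a spoofed frame without a MIC, a modified frame, a replayed frame and a stale frame as distinct anomalies. The IE layout, the 8-byte MIC truncation and the 5-second freshness window are assumptions for illustration, not Cisco's wire format.

```python
"""Added example (not Cisco's implementation): infrastructure-side MFP validation.

The slide says the MFP information element adds a timestamp, a sequence
number and an HMAC-SHA1 MIC to each management frame, so a spoofed or
replayed frame is detected per frame with no rate threshold.  The IE layout,
the MIC truncation and the freshness window here are assumptions for
illustration, not Cisco's wire format; all frames and keys are constructed.
"""
import hashlib
import hmac
import struct

MIC_LEN = 8             # assumed: truncation of the 20-byte HMAC-SHA1 output
FRESHNESS_WINDOW = 5    # assumed: seconds a timestamp may differ from the receiver clock


def mfp_mic(key: bytes, hdr: bytes, body: bytes, timestamp: int, seq: int) -> bytes:
    """MIC over what a spoofer would have to reproduce: the 802.11 header
    (addresses, frame type), the management body (SSID etc.) and the
    anti-replay fields."""
    msg = hdr + body + struct.pack(">IH", timestamp, seq)
    return hmac.new(key, msg, hashlib.sha1).digest()[:MIC_LEN]


def build_mfp_ie(key: bytes, hdr: bytes, body: bytes, timestamp: int, seq: int) -> bytes:
    """Assumed IE layout: timestamp (4 bytes) | sequence number (2) | MIC (MIC_LEN)."""
    return struct.pack(">IH", timestamp, seq) + mfp_mic(key, hdr, body, timestamp, seq)


def parse_mfp_ie(ie):
    """Return (timestamp, seq, mic) or None if the IE is absent or malformed."""
    if ie is None or len(ie) != 6 + MIC_LEN:
        return None
    timestamp, seq = struct.unpack(">IH", ie[:6])
    return timestamp, seq, ie[6:]


def make_frame(bssid: bytes, hdr: bytes, body: bytes, key=None, timestamp=0, seq=0) -> dict:
    """Constructed management frame; key=None produces a frame with no MFP IE,
    which is what a spoofing AP that lacks the key would transmit."""
    ie = build_mfp_ie(key, hdr, body, timestamp, seq) if key is not None else None
    return {"bssid": bssid, "hdr": hdr, "body": body, "mfp_ie": ie}


class MfpValidator:
    """Controller/AP-side check.  `keys` maps each managed BSSID to the MIC key
    the controller distributed to that AP.  Every frame gets a verdict, so an
    anomaly is reported on first sight rather than after a rate threshold."""

    def __init__(self, keys: dict, now: int):
        self.keys = keys
        self.now = now
        self.last_seq = {}

    def check(self, frame: dict) -> str:
        key = self.keys.get(frame["bssid"])
        if key is None:
            return "unmanaged-bssid"       # not one of ours: normal rogue-AP handling
        parsed = parse_mfp_ie(frame.get("mfp_ie"))
        if parsed is None:
            return "missing-mic"           # our BSSID with no signature: spoofed AP
        timestamp, seq, mic = parsed
        expected = mfp_mic(key, frame["hdr"], frame["body"], timestamp, seq)
        if not hmac.compare_digest(mic, expected):
            return "bad-mic"               # forged or altered frame
        if abs(self.now - timestamp) > FRESHNESS_WINDOW:
            return "stale"                 # captured earlier, replayed later
        if seq <= self.last_seq.get(frame["bssid"], -1):
            return "replay"                # already seen (16-bit wrap not handled here)
        self.last_seq[frame["bssid"]] = seq
        return "ok"


# Constructed scenario: one managed AP and an attacker spoofing its BSSID.
AP1_BSSID = bytes.fromhex("0a0b0c0d0e0f")
AP1_KEY = hashlib.sha256(b"constructed MFP key for AP1").digest()
BEACON_HDR = b"\x80\x00" + b"\xff" * 6 + AP1_BSSID + AP1_BSSID  # beacon; DA, SA, BSSID
BEACON_BODY = b"\x00\x08corpwlan"                               # SSID IE: id 0, length 8


def demo(now: int = 1000) -> list:
    """Verdicts for: a genuine beacon, the same beacon replayed, a spoofed
    beacon with no MIC, a signed beacon with altered body, and an old capture."""
    v = MfpValidator({AP1_BSSID: AP1_KEY}, now)
    legit = make_frame(AP1_BSSID, BEACON_HDR, BEACON_BODY, AP1_KEY, now, 1)
    spoof = make_frame(AP1_BSSID, BEACON_HDR, b"\x00\x08evilwlan")
    altered = dict(legit, body=b"\x00\x08EVILWLAN")
    old = make_frame(AP1_BSSID, BEACON_HDR, BEACON_BODY, AP1_KEY, now - 60, 7)
    return [v.check(legit), v.check(legit), v.check(spoof), v.check(altered), v.check(old)]


if __name__ == "__main__":
    print(demo())  # ['ok', 'replay', 'missing-mic', 'bad-mic', 'stale']
```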
Checklist for Secure Wireless LANs
Implementation Checklist (Ensuring Client Integrity):
Cisco NAC for wired and wireless
Cisco CSA
Guest: Integrated captive portal w/ traffic tunneling
Network Admission Control: The Network is the Control Point
(Diagram 1, NAC Appliance: NAC Appliance Agent on the endpoint (discovery); network access device (enforcement); NAC Appliance Server and NAC Appliance Manager (policy); AAA with ACS (authentication))
(Diagram 2, CCA with Framework without partners: Cisco NAC Agent and Cisco Trust Agent on the endpoint (discovery, over EoU or Eo802.1x); network access device (enforcement); NAC Server and NAC Manager (policy); RADIUS AAA; remediation (Cisco); remediation and policy (vendor))
Apply Network Admission Control, no matter:
What system it is (Windows PC, Mac laptop, Linux workstation)
Where it's coming from (VPN, LAN, WLAN, WAN)
Who owns it (company, employee, contractor, guest, unknown)
What applications are on the system (AV, personal firewall, patching tool)
How it's checked and fixed (pre-configured, customized, 3rd party)
Network Access Control Appliance: Cisco Clean Access
Interoperates with Cisco Unified Wireless Architecture
Wireless users can be subject to Clean Access compliance when connecting through a Wi-Fi access point
Cisco Clean Access can be deployed in-band to force compliance for Wireless users
Cisco Aironet lightweight access points are configured for Clean Access compliance via web-based setup on the Wireless LAN Controller
Periodic reassessment of client security posture
Cisco NAC Appliance with Unified Wireless
NAC Appliance accommodates several deployment scenarios.
Unified Wireless and Campus Virtualization best practices currently recommend centralized deployment:
Modes and Positioning Key Takeaways:
Must be logically in-band with wireless topology
Virtual G/W mode with VLAN Mapping
Real IP G/W mode to be tested and documented in future release of the Secure Pervasive Mobility Design Guide
Cisco NAC Appliance with Unified Wireless
Modes and Positioning: In-Band Virtual Gateway
(Diagram: WLAN Controller with the user WLAN on VLAN 131; the in-band NAC appliance performs VLAN mapping from VLAN 131 to VLAN 10 toward Access/Distribution and the Intranet/Internet; VLAN 200 is also shown)
CSA Wireless
Endpoint Protection
Protecting the Road Warrior
Protecting the Road Warrior
Endpoint Security Must:
Protect the integrity of mobile devices, desktops and servers, on and off the corporate network, from worms, viruses and spyware
Identify data from critical or important applications, so the network can prioritize it
Cooperate with the network infrastructure to establish required levels of trust and auditability, and to react to threats in real-time
Federal Policy Compliance for Network Connectivity
CSA default behavioral rules protect against Zero-Day viruses, worms, spyware, etc. sight unseen
CSA with Trusted QoS control ensures that traffic is marked so that the network can apply correct handling
CSA integration with Cisco NAC and Network IPS establishes endpoint-network relationship which enhances total network security.
Wireless Integration - preventing simultaneous Wired & Wireless Access, only connecting to approved SSIDs
CSA for Wireless Security Overview
CSA Overview
Identifies and prevents malicious or unauthorized behavior
Offers endpoint threat protection, often referred to as Host-based IPS
Key element of end-to-end, defence-in-depth approach to security
CSA for Wireless Security
Offers general endpoint threat protection, as for wired clients
CSA v5.2 features new wireless security policies
May be used to extend current policies to include wireless-specific policy enforcement
Cisco Security Agent (CSA) and Cisco Trust Agent (CTA)
Host IPS and Client Integrity
CSA:
Shut off multiple network interfaces (wired or wireless only)
Disable ad hoc mode
Connect only to corporate SSIDs
Protection of the endpoint regardless of posture
Protection of endpoints outside of the corporate network
Detect/prevent malicious behavior
Policy-based control of application use
CTA:
Security posture checks on incoming systems
Network admission control according to posture
Network access decisions for all hosts
Enforce patch and AV policy for all hosts
CSA v5.2 New Wireless Policy Features
Restrict wireless ad hoc connections
Wireless ad hoc networks may be leveraged by an unauthorised or rogue device to access the client
Typically an insecure, unencrypted connection
Restrict simultaneous wired and wireless connections
Risk of bridging traffic from insecure or rogue wireless networks to the wired network, bypassing network security measures
Policy enforcement based on SSID or wireless encryption type¹
E.g. corporate WLAN vs. public hotspot
VPN enforcement when out of the office¹
Use of a VPN required if not on the corporate network
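The four CSA v5.2 wireless rules above amount to a small host-side policy engine over the machine's interface state. The block below is an added example, not CSA code or Cisco's policy format: it evaluates a constructed interface snapshot and returns the rule that fired and the action a host agent would take. The corporate SSID list, the interface fields and the action names are assumptions made for this example.

```python
"""Host-side wireless policy check in the spirit of the CSA v5.2 rules.

Added example, not CSA code. The interface snapshot format, the corporate
SSID list and the action strings are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CORPORATE_SSIDS = {"corp-secure"}       # assumption: approved SSIDs
WEAK_ENCRYPTION = {"none", "wep"}       # treated as the "public hotspot" class


@dataclass
class Iface:
    name: str
    kind: str                           # "wired" | "wireless"
    up: bool
    ssid: Optional[str] = None
    mode: str = "infrastructure"        # or "adhoc" (IBSS)
    encryption: str = "none"            # "none" | "wep" | "wpa" | "wpa2"


def evaluate(ifaces: List[Iface], on_corp_network: bool, vpn_up: bool) -> List[Tuple[str, str]]:
    """Return (rule, action) pairs; an empty list means the host is compliant."""
    findings = []
    wired = [i for i in ifaces if i.kind == "wired" and i.up]
    wireless = [i for i in ifaces if i.kind == "wireless" and i.up]

    # Rule 1: no simultaneous wired and wireless links (bridging risk)
    if wired and wireless:
        for w in wireless:
            findings.append(("simultaneous-wired-wireless", f"disable {w.name}"))

    for w in wireless:
        # Rule 2: ad hoc (IBSS) connections are not allowed
        if w.mode == "adhoc":
            findings.append(("adhoc-connection", f"disconnect {w.name}"))
        # Rule 3: policy by SSID and by encryption type
        if w.ssid not in CORPORATE_SSIDS:
            rule = "public-hotspot" if w.encryption in WEAK_ENCRYPTION else "non-corporate-ssid"
            findings.append((rule, f"restrict {w.name} to VPN traffic only"))

    # Rule 4: off the corporate network, the VPN must be up before other traffic flows
    if (wired or wireless) and not on_corp_network and not vpn_up:
        findings.append(("vpn-required", "block non-VPN traffic until the VPN is up"))
    return findings


if __name__ == "__main__":
    # Constructed snapshot: laptop on a coffee-shop hotspot, VPN not yet up
    road_warrior = [Iface("eth0", "wired", False),
                    Iface("wlan0", "wireless", True, "CoffeeShop", "infrastructure", "none")]
    for rule, action in evaluate(road_warrior, on_corp_network=False, vpn_up=False):
        print(f"{rule}: {action}")
```

The bridging rule fires on the wireless side deliberately: dropping the wireless link keeps the wired (usually more trusted) path, which is the behaviour the slide describes.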
Controller Guest Access Services
Access control
Wireless VLANs created with a guest SSID
Custom web auth configuration
Enforce time policies, QoS policies, guest ACLs
Forces acceptance of the DoD-based legal disclaimer before getting Internet connectivity
Path isolation
Separate guest traffic from the federal authorized local traffic with EoIP tunnels
Deployed in a centralized fashion: authentication and authorization on a centralized in-band device
Record the activity of guest users while connected to the enterprise network
[Diagram: Cisco Unified Wireless guest access. Guest HTTPS traffic and enterprise 802.1X traffic arrive on the same WLAN controllers; the guest wireless VLAN is carried in an EtherIP guest tunnel across the core to a DMZ anchor guest controller and out to the Internet, while enterprise traffic stays local; WCS manages the controllers]
Cisco Unified Wireless: Engineered to Deliver on the SDN Strategy
Self-Defending Network (SDN): the Cisco strategy and initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats
Controlling Client Access: strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies
Endpoint Protection
Ensuring Client Integrity: Network Admission Control, dynamic real-time policy updates, admission control, infection containment
Protect the Network: rogue AP detection and containment, multilayer client exclusions, anomaly and IDS/IPS
Integrated Management
Checklist for Secure Wireless LANs
Implementation Checklist: Protect the Network
✓ Rogue/WLAN attack detection
✓ Rogue containment
✓ Location services
✓ Security management
Protect the Network: rogue AP detection and containment, multilayer client exclusions, anomaly and IDS/IPS
Top Wireless Threats
Client mis-association / rogue WLAN: employees connect to an external WLAN, creating a portal into the enterprise wired network
Denial of service: malicious hackers disrupt critical business services
Rogue AP: employees unknowingly create an opening into the enterprise network
Ad hoc: client-to-client connections, bypassing infrastructure security checkpoints
Cisco Unified Threat Detection and Mitigation
WLAN Threat Detection and Mitigation Overview
WLAN Threat Detection and Mitigation
Extend the same end-to-end, defence-in-depth principles applied on a wired network to the WLAN
Extend the general network security policy to include the WLAN
Complementary to the general threat detection and mitigation measures which should already be in place on the network
Cisco Unified Wireless Self-Defending Network
Integrated end-to-end, defence-in-depth solution
Threat Detection and Mitigation on a WLAN
Threat Detection
Threat detection is CRITICAL to visibility into network activity
Threat detection on a WLAN extends baseline network monitoring and anomaly detection to include:
Monitoring of the 802.11 RF medium
Monitoring of general WLAN client traffic
Threat Mitigation
Threat mitigation involves reactive security measures applied in response to an incident
Threat mitigation on a WLAN extends the actions available in response to an incident to include:
Mitigation techniques for threats on the 802.11 RF medium, addressing WLAN clients themselves as well as rogue devices and networks
Cisco Unified Wireless Network Integrated Wireless IDS/IPS Protects Your Business
Automatically detects:
Rogue access points and clients
Ad hoc networks
Denial of service attacks
Client mis-associations
Intelligent RF scanning = cost-effective solution
Intrusion prevention under IT control
Location appliance provides precision mapping for physical removal
[Diagram: an 802.11a rogue AP and an 802.11a rogue client outside the enterprise network, cut off by RF containment]
Integrated Wireless Intrusion Protection
WIDS detects common RF-related attacks: NetStumbler, Wellenreiter, void11, FakeAP, address spoofing, DoS, etc.
Customizable attack signatures
Real-time 24x7 monitoring and alarming
Rogue AP/client detection, location, and containment
Identify known (i.e. trusted) rogues
Manually disable clients
Integrated WIDS is critical: a standalone (overlay) WIDS cannot decode 802.11i-encrypted data or 802.11w-protected management frames. But a WIDS only detects wireless attacks; it has no visibility into, or defense against, authenticated users who launch IP DoS attacks
Must provide a comprehensive IPS solution by integrating wired and wireless IPS
Cisco Unified Wireless Self-Defending Network Threat Detection and Mitigation
Cisco Wireless IDS for RF monitoring and threat mitigation
Rogue AP detection, location and containment
Rogue client detection and containment
Wireless ad hoc network detection and containment
802.11 attack signatures
Excessive 802.11 association and authentication tracking, plus client blocking
IP theft and re-use tracking
Cisco IDS/IPS for general WLAN client traffic monitoring and threat mitigation
Detection of worms, viruses, application abuse, spyware, adware, etc., as well as policy violations
Client shun to disconnect and block a WLAN client
Logging
SNMP, syslog and RADIUS accounting
Rogue AP Detection
Rogue AP detection has multiple facets:
Air/RF detection: detection of rogue devices by observing/sniffing beacons and 802.11 probe responses
Rogue AP location: use of the detected RF characteristics and known properties of the managed RF network to locate the rogue device
Wire detection: a mechanism for tracking/correlating the rogue device to the wired network
A WIDS may require different deployments to effectively address all of these facets
For example, it is typically required to use a scanning-mode AP as a rogue traffic injector to attempt to trace the rogue's connected port
Radio (Air/RF) Monitoring
[Diagram: network core, distribution and access layers with a Wireless LAN Controller, the Wireless Control System (WCS) as the NMS, and three rogue APs. The detection mechanisms labelled in the figure are Auto-RRM scanning by the managed APs, a rogue-detector AP doing ARP sniffing on the wire, and RLDP (Rogue Location Discovery Protocol)]
A Complete Solution for Handling Rogues
Controlled by the administrator
Multiple rogues contained simultaneously
1. Detect rogue AP (generate alarm)
2. Assess rogue AP (identity, location, ...)
3. Contain rogue AP
4. View historical report
Rogue AP Detection and Suppression
Rogue AP detection methodology
The WLAN system collects (via beacons and probe responses) and reports BSSID information
The system compares the collected BSSID information against the authorized (i.e., managed AP) BSSID information
Unauthorized APs are flagged and reported via the fault monitoring functionality
Rogue AP suppression techniques
Trace the rogue AP over the wired network to verify that the rogue is internal and should be contained; containing a neighbour's AP that is not on your wire is a denial of service against someone else's network, which is why this step comes first
Use managed devices to disassociate clients from the unauthorized AP and prevent further associations via 802.11 de-authentication frames
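The detection step above is a comparison of what the air says against what the controller knows. The block below is an added example, not Cisco code: it parses the fixed fields and information elements of constructed 802.11 beacon and probe-response frames (the same frames the slides say the system collects), reads the BSSID, SSID, IBSS bit and encryption type, and classifies each station against an authorized BSSID list. The BSSIDs, SSIDs and frames are constructed test data; the friendly-rogue list and the "impersonating corporate SSID" verdict are additions of this example that mirror the "known rogues" and honeypot cases mentioned elsewhere in the deck.

```python
"""Rogue AP detection from 802.11 beacon and probe-response frames.

Added example, not Cisco code. Parses management-frame fixed fields and
information elements, then compares the advertised BSSID with an authorized
(managed) list. All addresses, SSIDs and frames are constructed test data.
"""
import struct

AUTHORIZED_BSSIDS = {"00:1a:2b:00:00:01"}   # constructed: managed AP radios
CORPORATE_SSIDS = {"corp-secure"}          # constructed
FRIENDLY_ROGUES = {"00:1a:2b:ff:ff:01"}    # constructed: known, trusted neighbour AP
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"         # Microsoft OUI + type 1 = WPA (pre-RSN) IE


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Parse a beacon (subtype 8) or probe response (subtype 5); no radiotap, no FCS."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):
        raise ValueError("not a beacon or probe response")
    bssid = mac_str(frame[16:22])                      # addr3 carries the BSSID
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "ibss": bool(cap & 0x0002), "privacy": bool(cap & 0x0010),
            "ssid": "", "rsn": False, "wpa": False}
    pos = 36                                            # first tagged IE
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                          # truncated IE: stop parsing safely
            break
        if tag == 0:
            info["ssid"] = body.decode("utf-8", "replace")
        elif tag == 48:                                 # RSN IE => WPA2 (802.11i)
            info["rsn"] = True
        elif tag == 221 and body.startswith(WPA_OUI_TYPE):
            info["wpa"] = True
        pos += 2 + length
    return info


def encryption_type(info: dict) -> str:
    if info["rsn"]:
        return "WPA2"
    if info["wpa"]:
        return "WPA"
    return "WEP" if info["privacy"] else "open"


def classify(info: dict) -> str:
    """Compare the advertised BSSID with the managed list, as the WLAN system does."""
    if info["bssid"] in AUTHORIZED_BSSIDS:
        return "managed"
    if info["bssid"] in FRIENDLY_ROGUES:
        return "friendly-rogue"
    if info["ibss"]:
        return "ad-hoc"
    if info["ssid"] in CORPORATE_SSIDS:                 # honeypot advertising our SSID
        return "rogue-impersonating-corp-ssid"
    return "rogue"


def build_beacon(bssid: bytes, ssid: str, cap: int, extra_ies: bytes = b"") -> bytes:
    """Constructed test-frame builder: broadcast DA, SA = BSSID, zero timestamp."""
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode() + extra_ies


def scan(frames):
    """Return one (bssid, ssid, encryption, verdict) row per frame."""
    rows = []
    for frame in frames:
        info = parse_beacon(frame)
        rows.append((info["bssid"], info["ssid"], encryption_type(info), classify(info)))
    return rows


RSN_IE = bytes([48, 2, 0x01, 0x00])                     # constructed minimal RSN IE (version 1)
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001a2b000001"), "corp-secure", 0x0011, RSN_IE),  # managed
    build_beacon(bytes.fromhex("00deadbeef01"), "corp-secure", 0x0011, RSN_IE),  # honeypot
    build_beacon(bytes.fromhex("00deadbeef02"), "free-wifi", 0x0002),            # ad hoc, open
    build_beacon(bytes.fromhex("00deadbeef03"), "linksys", 0x0011)[:-3],         # truncated IE
]

if __name__ == "__main__":
    for row in scan(SAMPLE_FRAMES):
        print(row)
```

The truncated fourth frame shows the check a practitioner wants in any over-the-air parser: a short or malformed IE must end parsing, not index past the buffer, and the station is still reported as a rogue on the strength of its BSSID alone.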
Cisco Unified Wireless: Map Rogue AP
Cisco Unified Wireless: Rogue Containment
A rogue AP, rogue-connected client, or ad hoc client may be contained by the controller issuing unicast de-authentication packets
The maximum number of APs participating in containment is configurable
A maximum of three simultaneous containments may operate on a single LWAPP AP
Rogue client devices may be validated against a RADIUS (MAC address) database
The maximum time for auto-containment is configurable
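Putting the detect / assess / contain workflow together, the block below is an added example, not Cisco code. A rogue BSSID heard over the air is first correlated with MAC addresses observed on the wire; only rogues that are on the wire and not on the friendly list are assigned containing APs, honouring a configurable number of APs per rogue, the three-containments-per-AP limit stated above and a maximum auto-containment time. The wired correlation is a MAC-adjacency heuristic (a wired MAC within a few addresses of the BSSID) chosen for this example; it is an assumption, not a description of RLDP or of the rogue-detector AP's ARP sniffing.

```python
"""Rogue assessment and containment scheduling.

Added example, not Cisco code. Wired correlation uses a MAC-adjacency
heuristic (assumption: consumer APs derive the LAN MAC and the BSSID from
one base address); the AP names, RSSIs and MACs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_CONTAINMENTS_PER_AP = 3     # per-LWAPP-AP limit stated on the slide
MAC_ADJACENCY = 8               # assumption for the wired-correlation heuristic


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_match(bssid: str, wired_macs) -> Optional[str]:
    """Return the wired MAC that correlates with the rogue BSSID, or None."""
    base = mac_to_int(bssid)
    for mac in wired_macs:
        if abs(mac_to_int(mac) - base) <= MAC_ADJACENCY:
            return mac
    return None


@dataclass
class Rogue:
    bssid: str
    rssi_by_ap: Dict[str, int]            # detecting AP -> RSSI in dBm
    state: str = "alert"                  # alert | friendly | external | internal | contained
    wired_mac: Optional[str] = None
    containing_aps: List[str] = field(default_factory=list)
    contain_until: Optional[int] = None   # minutes on the caller's clock


class ContainmentScheduler:
    def __init__(self, aps_per_rogue: int = 1, max_minutes: int = 60):
        self.aps_per_rogue = aps_per_rogue
        self.max_minutes = max_minutes
        self.load: Dict[str, int] = {}    # AP -> active containments

    def assess(self, rogue: Rogue, wired_macs, friendly: Set[str]) -> str:
        """Step 2: decide whether the rogue is friendly, external, or on our wire."""
        if rogue.bssid in friendly:
            rogue.state = "friendly"
        else:
            rogue.wired_mac = wired_match(rogue.bssid, wired_macs)
            rogue.state = "internal" if rogue.wired_mac else "external"
        return rogue.state

    def contain(self, rogue: Rogue, now_min: int) -> List[str]:
        """Step 3: pick the APs hearing the rogue loudest that still have a free slot."""
        if rogue.state != "internal":                 # never contain external/friendly rogues
            return []
        by_signal = sorted(rogue.rssi_by_ap, key=rogue.rssi_by_ap.get, reverse=True)
        chosen = [ap for ap in by_signal
                  if self.load.get(ap, 0) < MAX_CONTAINMENTS_PER_AP][:self.aps_per_rogue]
        for ap in chosen:
            self.load[ap] = self.load.get(ap, 0) + 1
        if chosen:
            rogue.containing_aps = chosen
            rogue.contain_until = now_min + self.max_minutes
            rogue.state = "contained"
        return chosen

    def expire(self, rogue: Rogue, now_min: int) -> bool:
        """Release containment once the maximum auto-containment time has passed."""
        if rogue.state != "contained" or now_min < rogue.contain_until:
            return False
        for ap in rogue.containing_aps:
            self.load[ap] -= 1
        rogue.containing_aps, rogue.contain_until, rogue.state = [], None, "internal"
        return True


if __name__ == "__main__":
    sched = ContainmentScheduler(aps_per_rogue=2, max_minutes=30)
    rogue = Rogue("00:11:22:33:44:57", {"ap1": -40, "ap2": -55, "ap3": -70})
    print(sched.assess(rogue, ["00:11:22:33:44:50", "aa:bb:cc:dd:ee:ff"], set()))
    print(sched.contain(rogue, now_min=0), rogue.state)
```

The scheduler refuses to contain anything not found on the wire, which is the policy the suppression slide describes; an operator can still force containment of an external rogue, but that should be a deliberate, logged decision rather than the automatic path.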
Wireless IDS
The WLC comes with built-in wireless IDS signatures that can be augmented with additional customer signatures
Cisco WLC and IDS/IPS Collaboration Overview
General WLAN Client Threat Detection
Cisco IDS/IPS offers the ability to monitor and detect general malicious threats from WLAN clients, e.g. worms, viruses, application abuse
Same as that which may be employed to monitor and detect malicious threats from wired clients
WLAN Client Shun for Threat Mitigation
Cisco WLC and IDS/IPS collaboration enables a WLAN client to be shunned from the Cisco IDS/IPS, disconnecting the client from the WLAN and blocking it from reconnecting
Cisco IDS/IPS Integration for General WLAN Client Threat Detection
[Diagram: two placements. Left, Cisco IDS for passive monitoring hangs off the core and sees client traffic between the LAPs and the WLC over the LWAPP tunnel as well as WLAN client traffic between the WLC and the general network. Right, Cisco IPS for active, in-line monitoring sits in the path between the WLC and the general network]
WLC and IDS Products
WLAN Client Shun for Threat Mitigation
Mitigation action which may be initiated from Cisco IDS/IPS
A shunned WLAN client is disconnected from the WLC whenever it is associated, and for as long as the shun action is enforced
Requires WLC software release 4.0 or later and IPS software release 5.x or later
Wired/Wireless IPS Integration: IDS Event and Client Shunning
Problem: an authorized user's laptop is infected with a worm or virus and, after authenticating, sends malicious traffic into the enterprise network
Solution: the IDS/IPS sensor monitors traffic with deep packet inspection (Layer 7), identifies the malicious traffic and triggers a shun event; the WLAN controller shuns/blocks the MAC address of the compromised wireless client
Integration of wired and wireless security
[Diagram: (1) malicious traffic from the authenticated user passes from the client through the AP to the Cisco controller; (2) the controller forwards it toward the enterprise network, where a wired 4200 Series IDS sensor performs deep packet inspection; (3) the IDS sends a shun back to the controller]
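The controller's exclusion logic, as described across the wireless IDS slides (excessive 802.11 association and authentication tracking, IP theft and re-use tracking, and the IDS/IPS shun), reduces to a per-MAC state machine fed by events. The block below is an added example, not Cisco WLC code; it replays a constructed event log and answers "is this client excluded right now?". The event tuples, thresholds and the 60-second exclusion timeout are values chosen for this example.

```python
"""WLC-style client exclusion and IDS/IPS shun, replayed over constructed events.

Added example, not Cisco code. Tracks consecutive 802.11 authentication and
association failures per client MAC, IP theft (a second MAC claiming an IP
another client already holds) and shun/unshun actions from an IDS/IPS.
Thresholds and timeouts are example values, not WLC defaults.
"""
from collections import defaultdict
from typing import Dict, Optional, Tuple

AUTH_FAIL_THRESHOLD = 5      # consecutive 802.11 authentication failures
ASSOC_FAIL_THRESHOLD = 5     # consecutive 802.11 association failures
EXCLUSION_TIMEOUT_S = 60     # seconds a counter-based exclusion lasts

Event = Tuple[int, str, str, Optional[str]]   # (time_s, kind, client_mac, ip)


class ClientExclusion:
    def __init__(self):
        self.fails: Dict[Tuple[str, str], int] = defaultdict(int)
        self.excluded: Dict[str, Optional[int]] = {}   # mac -> expiry; None = until unshun
        self.reasons: Dict[str, str] = {}
        self.ip_owner: Dict[str, str] = {}              # ip -> mac that learned it first

    def is_excluded(self, mac: str, now: int) -> bool:
        if mac not in self.excluded:
            return False
        expiry = self.excluded[mac]
        if expiry is not None and now >= expiry:        # timeout elapsed: re-admit
            del self.excluded[mac]
            return False
        return True

    def _exclude(self, mac: str, now: int, reason: str, until_unshun: bool = False) -> None:
        self.excluded[mac] = None if until_unshun else now + EXCLUSION_TIMEOUT_S
        self.reasons[mac] = reason

    def handle(self, ev: Event) -> None:
        now, kind, mac, ip = ev
        if kind in ("auth_fail", "assoc_fail"):
            self.fails[(mac, kind)] += 1
            limit = AUTH_FAIL_THRESHOLD if kind == "auth_fail" else ASSOC_FAIL_THRESHOLD
            if self.fails[(mac, kind)] >= limit:
                self._exclude(mac, now, f"excessive 802.11 {kind}")
                self.fails[(mac, kind)] = 0
        elif kind in ("auth_ok", "assoc_ok"):           # success resets the consecutive count
            self.fails[(mac, kind.replace("_ok", "_fail"))] = 0
        elif kind == "ip_learn":
            owner = self.ip_owner.get(ip)
            if owner is not None and owner != mac:      # IP theft / re-use by another client
                self._exclude(mac, now, f"IP theft: {ip} already owned by {owner}")
            else:
                self.ip_owner[ip] = mac
        elif kind == "ids_shun":
            self._exclude(mac, now, "shun requested by IDS/IPS", until_unshun=True)
        elif kind == "ids_unshun":
            self.excluded.pop(mac, None)


def replay(events) -> ClientExclusion:
    ce = ClientExclusion()
    for ev in sorted(events, key=lambda e: e[0]):       # stable sort keeps same-second order
        ce.handle(ev)
    return ce


# Constructed event log, not a real WLC trace
EVENTS = [
    (0, "auth_fail", "00:00:00:00:00:01", None), (1, "auth_fail", "00:00:00:00:00:01", None),
    (2, "auth_fail", "00:00:00:00:00:01", None), (3, "auth_fail", "00:00:00:00:00:01", None),
    (4, "auth_fail", "00:00:00:00:00:01", None),                  # 5th failure -> excluded
    (0, "assoc_fail", "00:00:00:00:00:02", None), (1, "assoc_ok", "00:00:00:00:00:02", None),
    (10, "ip_learn", "00:00:00:00:00:03", "10.1.1.50"),
    (12, "ip_learn", "00:00:00:00:00:04", "10.1.1.50"),           # IP theft attempt
    (20, "ids_shun", "00:00:00:00:00:05", None),
]

if __name__ == "__main__":
    ce = replay(EVENTS)
    for mac in sorted(ce.reasons):
        print(mac, ce.reasons[mac], "excluded now:", ce.is_excluded(mac, 30))
```

Note the asymmetry: counter-based exclusions expire on their own, while an IDS/IPS shun stays in force until the sensor lifts it, matching the "for as long as the shun action is enforced" wording on the previous slide.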
Unified Wireless and IDS/IPS Collaboration Summary
Deploy Cisco IDS/IPS for general WLAN client threat detection
Deploy Cisco Wireless IDS for WLAN-specific threat detection and mitigation
Cisco WLC and IDS/IPS collaboration makes a WLAN client shun from a Cisco IDS/IPS available to operational staff as a threat mitigation tool
Cisco Unified Wireless Solution and Firewall Integration
WLCs and FWSM
WLC VLANs can map directly to Cisco security devices
WiSM FWSM Example
Using Cisco Unified Wireless features and a FWSM (Firewall Services Module) to provide firewall policies for different classes of users sharing the same infrastructure
Location
Location Services
Effectively track clients as they enter your wireless network
Visibility into the wireless network: four key pieces of information
What do we have?
How many do we have?
Where is it?
What is its status?
Locate and track rogue APs or clients
Allow access based on location
Wi-Fi Location Enables Multiple Applications
Voice: Code Blue, voice alerts, E911
Security: better rogue detection, perimeter security, policy enforcement, location/movement-based alerts
Visibility: asset management, streamlined workflow
Location-based trending: RF capacity management, troubleshooting, security
Location-based content distribution
Telemetry: relevant information about the tracked item
Location Capabilities
RF fingerprinting traces rays from every access point in the network
Accounts for reflection
Accounts for multipath to a destination
Cisco 2700 Series Wireless Location Appliance
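The location appliance's RF fingerprinting models the building and traces rays to predict what each AP should hear; that model is not reproducible here. The block below is an added example, not the Cisco 2700 Series algorithm, of the much simpler empirical version of the same idea: a live RSSI vector is matched against survey fingerprints of known positions with weighted k-nearest-neighbours, which is enough to see how "where is the rogue?" is answered from what the managed APs hear. The floor-plan coordinates, AP names and RSSI values are constructed.

```python
"""Locating a device from RSSI fingerprints (empirical kNN matching).

Added example, not Cisco's ray-tracing RF fingerprinting. Coordinates are
metres on a constructed floor plan; RSSIs are constructed survey values.
"""
import math
from typing import Dict, List, Tuple

NOT_HEARD = -100.0    # dBm substituted when an AP does not hear the device

Fingerprint = Dict[str, float]   # AP name -> RSSI in dBm

# Constructed calibration survey: (x, y) -> RSSI seen by each managed AP
CALIBRATION: List[Tuple[Tuple[float, float], Fingerprint]] = [
    ((0.0, 0.0),  {"ap1": -35, "ap2": -70, "ap3": -80}),
    ((10.0, 0.0), {"ap1": -70, "ap2": -35, "ap3": -75}),
    ((5.0, 8.0),  {"ap1": -72, "ap2": -73, "ap3": -38}),
    ((5.0, 0.0),  {"ap1": -52, "ap2": -50, "ap3": -78}),
]


def distance(a: Fingerprint, b: Fingerprint) -> float:
    """Euclidean distance in RSSI space; an AP missing on either side counts as unheard."""
    aps = set(a) | set(b)
    return math.sqrt(sum((a.get(ap, NOT_HEARD) - b.get(ap, NOT_HEARD)) ** 2 for ap in aps))


def locate(sample: Fingerprint, k: int = 3) -> Tuple[float, float]:
    """Weighted kNN: each of the k nearest survey points pulls the estimate toward
    itself with weight 1/distance, so an exact fingerprint match dominates."""
    ranked = sorted(CALIBRATION, key=lambda item: distance(sample, item[1]))[:k]
    weights = [1.0 / max(distance(sample, fp), 1e-6) for _, fp in ranked]
    total = sum(weights)
    x = sum(w * pt[0] for w, (pt, _) in zip(weights, ranked)) / total
    y = sum(w * pt[1] for w, (pt, _) in zip(weights, ranked)) / total
    return round(x, 2), round(y, 2)


if __name__ == "__main__":
    # Constructed report from three managed APs hearing a rogue client
    print(locate({"ap1": -40, "ap2": -65}))      # ap3 did not hear it at all
```

Treating a missing AP as a very weak reading, rather than ignoring it, matters in practice: "ap3 cannot hear this device" is itself location information, and dropping it would pull estimates toward survey points that ap3 covered well.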
Tracking Rogues, Tags, and Clients
Security Management: Wired and Wireless Integration
WCS
Simple, powerful dashboard
Robust reporting
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Network-wide anomaly detection
Rules-based correlation
802.1X Monitoring and Reporting with CS-MARS
CS-MARS provides a centralized monitoring and reporting point for 802.1X-related events from ACS, NADs (network access devices), and third-party security servers
pnAgent forwards logs from ACS to CS-MARS
Pinpoints where identity events are occurring in the network, provides detailed logging information regarding events, and reports
[Diagram: ACS v4.0 with pnAgent forwarding logs to CS-MARS; NADs sending syslog; a posture validation server and an audit server also feeding CS-MARS, which reports 802.1X failed authentications and top users]
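What CS-MARS does with the forwarded ACS logs is correlation: which users fail, on which NADs, and whether the failures cluster in time. The block below is an added example, not CS-MARS or ACS code, of that correlation over constructed syslog lines. The lines are built to resemble ACS failed-attempt records forwarded by syslog, but the exact header layout and field names are an assumption of this example; the parser is what to adapt to real ACS output.

```python
"""802.1X failed-authentication correlation over forwarded ACS syslog lines.

Added example, not CS-MARS or ACS code. The log lines are constructed; the
ACS record header and field names are an assumption of this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import List

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"CisACS_\d\d_(?P<kind>\w+) \S+ \d+ \d+ (?P<fields>.*)$")


def parse_line(line: str, year: int = 2007) -> dict:
    """Return a dict of header fields plus the key=value pairs, or {} if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    fields = dict(kv.split("=", 1) for kv in m["fields"].split(",") if "=" in kv)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")   # syslog has no year
    return {"time": ts, "acs": m["host"], "kind": m["kind"], **fields}


def failed_auth_report(lines: List[str], window_s: int = 300, threshold: int = 5,
                       top_n: int = 3) -> dict:
    """Top failing users and NADs, plus users with `threshold` failures inside `window_s`."""
    per_user, per_nad = Counter(), Counter()
    user_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.get("kind") != "FailedAuth":
            continue
        user, nad = rec.get("User-Name", "?"), rec.get("NAS-IP-Address", "?")
        per_user[user] += 1
        per_nad[nad] += 1
        user_times[user].append(rec["time"])
    suspicious = []                       # burst of failures for one identity: guessing
    for user, times in user_times.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                suspicious.append(user)
                break
    return {"top_users": per_user.most_common(top_n),
            "top_nads": per_nad.most_common(top_n),
            "suspicious_users": sorted(suspicious)}


def acs_fail_line(ts: str, user: str, nad: str, code: str = "Invalid password") -> str:
    """Constructed ACS failed-attempt line (format is an assumption)."""
    return (f"<13>Jan 12 {ts} acs1 CisACS_02_FailedAuth 1a2b 1 0 Message-Type=Authen failed,"
            f"User-Name={user},NAS-IP-Address={nad},Authen-Failure-Code={code}")


SAMPLE_LOG = [
    acs_fail_line("10:00:01", "jdoe", "10.1.1.10"),
    acs_fail_line("10:00:20", "jdoe", "10.1.1.10"),
    acs_fail_line("10:00:45", "jdoe", "10.1.1.10"),
    acs_fail_line("10:01:05", "jdoe", "10.1.1.10"),
    acs_fail_line("10:01:30", "jdoe", "10.1.1.10"),
    acs_fail_line("10:02:00", "jdoe", "10.1.1.10"),
    acs_fail_line("10:03:00", "asmith", "10.1.1.11", "Invalid password"),
    "<13>Jan 12 10:03:05 acs1 CisACS_01_PassedAuth 1a2d 1 0 "
    "Message-Type=Authen OK,User-Name=asmith,NAS-IP-Address=10.1.1.11",
    "this line does not parse and must be skipped",
]

if __name__ == "__main__":
    print(failed_auth_report(SAMPLE_LOG))
```

The NAD counter is the "where" the slide promises: a burst of failures that all arrive through one controller or switch points at the location of the device doing the guessing even when the usernames vary.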
Checklist Summary
Controlling Client Access (strong mutual authentication, strong encryption, true wireless IPS, adaptive client policies):
✓ 802.1X
✓ FIPS WPA2 (AES)
✓ Management Frame Protection
✓ Guest: integrated captive portal with traffic tunneling
Endpoint Protection:
✓ Cisco CSA
Ensuring Client Integrity (Network Admission Control, dynamic real-time policy updates, admission control, infection containment):
✓ Cisco NAC for wired and wireless
✓ Cisco CSA
Protect the Network (rogue AP detection and containment, multilayer client exclusions, anomaly and IDS/IPS):
✓ Rogue detection
✓ Rogue containment
✓ Location services
✓ Security management
Meeting Security Requirements
802.11i-based WLAN with 802.1X, RADIUS, and all EAP types
FIPS-certified end-to-end Layer 2 AES encryption
Support for EAP-TLS, certificates, and PKI infrastructure
Wireless IDS embedded into the WLAN
CSA for endpoint and server security on both the wired and wireless networks
CS-MARS for event correlation
Defense In-Depth Security: Making Wireless More Secure than Wired
Benefits:
Multi-layered security; wireless more secure than wired
Unification with Cisco Secure ACS and CS-MARS
Uniform security framework across wired and wireless
Protection from unauthorized access and rogue devices
Trust and Identity: verify the user and device, authenticate who/what has access
Identity-based networking, CSA + NAC, RF firewall, blacklisting
Threat Defense: protect the servers and defend the applications
Integrated firewalls protect against network-based attacks
Integrated network WIDS: rogue AP detection and containment, signature detection and remediation, WLAN MFP, RF jamming remediation
Secure Connectivity: secure and encrypt transport
FIPS-validated WPA2/AES provides data/voice confidentiality
IPsec VPNs, X.509 certificates, secure control channel
Threats addressed: hackers, rogues, viruses, denial of service
Wireless System Security Highlights
Multiple layers of WLAN protection
RF: 802.11 interference, bleeding coverage areas
Network: rogue detection, location, containment; ad hoc prevention
User: protection from dictionary, man-in-the-middle, ASLEAP and other attacks
Application: protect data from DoS and other attacks
X.509 certificates guarantee identity
Zero touch, if desired
An AP must prove its identity through its unique private key
The AP's identity is validated and an authorization check is performed
Only the APs you want are allowed in
Zero false positives on AP impersonation
A trusted MAC address is not sufficient: a hacker can steal a trusted MAC address and run HostAP
Both over the air and on the wire
Secure WLAN Architectures: Building Castles not Islands
Security is now more than just defending against WAN attacks
The new perimeter: security must be pervasive in the network
Four key components:
Authentication and integrity
Privacy
Wireless intrusion prevention
Location
[Diagram: intranet and Internet, with the four components applied at the wireless edge]
Q and A
Recommended Reading
Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Win fabulous prizes; give us your feedback
Receive ten Passport Points for each session evaluation you complete
Go to the Internet stations located throughout the Convention Center to complete your session evaluation
Winners will be announced daily at the Internet stations