Security for WLANs - wIPS vs Base IDS
TRANSCRIPT
© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAGG-2015_c2 52
WLAN Security Vulnerabilities and Threats
(Figure: six attack categories, grouped as on-wire attacks and over-the-air attacks, each launched by a hacker.)
• Denial of Service: service disruption
• Ad-hoc Wireless Bridge: client-to-client backdoor access
• Rogue Access Points: backdoor network access
• Evil Twin/Honeypot AP: connection to a malicious AP (the hacker's AP)
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping
WLAN Security: Denial of Service Attacks
RF Jamming: any intentional or unintentional RF transmitter in the same frequency band can adversely affect the WLAN
DoS using 802.11 management frames: management frames are not authenticated in baseline 802.11 (Cisco MFP and 802.11w add protection)
Trivial to fake the source address of a management frame
De-authentication floods are probably the most worrisome
Misuse of spectrum (CSMA/CA is egalitarian access!): "silencing" the network with RTS/CTS floods or big-NAV attacks, where the Duration field of a frame reserves the medium for far longer than any real exchange needs
802.1X authentication floods and dictionary attacks: overloading the system with unnecessary processing
Legacy implementations (LEAP, attacked with asleap) are prone to dictionary attacks, in addition to other algorithm-based attacks
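The two frame-level abuses above, de-authentication floods and big-NAV RTS/CTS, as an added detection example that is not Cisco's wIPS code: it walks constructed frame records (a real tool would fill them from a monitor-mode capture), counts deauth/disassoc frames per source address in a one-second window, and flags any frame whose Duration field reserves the medium for longer than a normal exchange. The thresholds are assumed tuning values.

```python
"""Detect 802.11 management/control-frame DoS: deauth floods and big-NAV frames.
Added example, not Cisco wIPS code. Frame records below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 (type, subtype) values: type 0 = management, type 1 = control
MGMT_DEAUTH = (0, 12)
MGMT_DISASSOC = (0, 10)
CTRL_RTS = (1, 11)
CTRL_CTS = (1, 12)

DEAUTH_THRESHOLD = 10   # deauth/disassoc frames per source per window (assumed tuning)
WINDOW = 1.0            # seconds
NAV_THRESHOLD = 10000   # microseconds; a legitimate RTS/CTS reservation is far shorter (assumed tuning)


@dataclass
class Frame:
    ts: float        # capture timestamp in seconds
    ftype: int
    subtype: int
    src: str         # transmitter address ("" for CTS, which carries none)
    dst: str
    duration: int    # Duration/ID field in microseconds; this is what sets the NAV


def analyze(frames):
    """Return a deduplicated list of (alarm, address) tuples."""
    alarms = []
    seen = set()
    window = defaultdict(deque)   # per-source sliding window of deauth/disassoc timestamps
    for f in sorted(frames, key=lambda x: x.ts):
        if (f.ftype, f.subtype) in (MGMT_DEAUTH, MGMT_DISASSOC):
            q = window[f.src]
            q.append(f.ts)
            while q and f.ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD:
                key = ("deauth_flood", f.src)
                if key not in seen:
                    seen.add(key)
                    alarms.append(key)
        if f.duration > NAV_THRESHOLD:
            who = f.src or f.dst   # CTS has only a receiver address
            key = ("big_nav", who)
            if key not in seen:
                seen.add(key)
                alarms.append(key)
    return alarms


def sample_frames():
    """Constructed capture: a beacon, one legitimate deauth, a broadcast deauth
    flood spoofing the AP's BSSID, then a CTS reserving the medium for 32 ms."""
    ap = "00:11:22:33:44:55"
    client = "aa:bb:cc:dd:ee:01"
    frames = [Frame(0.00, 0, 8, ap, "ff:ff:ff:ff:ff:ff", 0)]
    frames.append(Frame(0.05, 0, 12, ap, client, 314))
    frames += [Frame(1.0 + i * 0.005, 0, 12, ap, "ff:ff:ff:ff:ff:ff", 314) for i in range(40)]
    frames.append(Frame(2.0, 1, 12, "", client, 32767))   # 32767 us is the maximum Duration value
    return frames


if __name__ == "__main__":
    for alarm in analyze(sample_frames()):
        print(alarm)
```

Because the flood spoofs the BSSID, the address in the alarm is the impersonated AP, not the attacker; a deployed sensor has to correlate with which monitor AP heard the frames and at what signal strength to locate the source.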
Wireless Security: MAC Address Spoofing
As with wired networks, MAC address and IP address spoofing are possible, if not easy, in wireless networks
Outsider (hostile) attack scenario: does not know the key/encryption policy
IP address spoofing is not practical if encryption is turned on (DHCP messages are encrypted between the client and the AP, so the outsider can neither read nor forge them)
MAC address spoofing alone (i.e., without IP address spoofing) may not buy much if encryption is turned on
Insider attack scenario: seeking to obtain other users' secure information
MAC address and IP address spoofing will not succeed if EAP/802.1X authentication is used (a unique pairwise encryption key is derived per user session and bound to the client's MAC address, so a spoofed MAC does not yield the victim's key)
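Why the per-user key defeats the insider, shown as an added example (not from the deck): the IEEE 802.11i pairwise transient key is expanded with the 802.11i PRF from the session PMK, both MAC addresses and both handshake nonces. The PRF construction is the standard's; the PMKs, addresses and nonces are constructed values.

```python
"""802.11i PTK derivation: PTK = PRF-n(PMK, "Pairwise key expansion",
Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
Added example; keys, MACs and nonces are constructed."""
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), truncate."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbits: int = 384) -> bytes:
    """aa = AP MAC, spa = supplicant (client) MAC. 384 bits for CCMP (KCK||KEK||TK), 512 for TKIP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def demo():
    """Insider spoofs the victim's MAC on the same AP; compare the resulting PTKs."""
    ap = mac("00:11:22:33:44:55")
    victim = mac("aa:bb:cc:dd:ee:01")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    # with 802.1X each user's EAP exchange yields its own PMK (constructed here)
    pmk_victim = hashlib.sha256(b"victim session PMK (constructed)").digest()
    pmk_insider = hashlib.sha256(b"insider session PMK (constructed)").digest()
    victim_ptk = derive_ptk(pmk_victim, ap, victim, anonce, snonce)
    # insider authenticates with its own credentials while presenting the victim's MAC
    spoofed_ptk = derive_ptk(pmk_insider, ap, victim, anonce, snonce)
    # even the victim's PMK would not help in a new session: the nonces are fresh
    replayed_ptk = derive_ptk(pmk_victim, ap, victim, anonce, bytes(range(64, 96)))
    return {"victim": victim_ptk, "spoofed": spoofed_ptk, "replayed": replayed_ptk}


if __name__ == "__main__":
    for name, ptk in demo().items():
        print(name, ptk.hex())
```

The contrast with WPA2-PSK is the point: there every user shares one PMK, so an insider who captures a victim's four-way handshake (the nonces travel in the clear) can compute the victim's PTK. Per-user EAP/802.1X removes the shared PMK, and the MAC addresses bound into the expansion mean a spoofed client address changes the key rather than borrowing one.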
Wireless Security: Sniffing and Reconnaissance
First, sniffing, or capturing packets over the air, is an extremely useful troubleshooting methodology
Sniffing in the old days relied on very specific cards and drivers
Very easy to find support for most cards and drivers today
Cost (if you like to pay for it) of such software is negligible (or just use free/open source software)
Provides insight (with physical proximity) into the network, services, and devices, which comes in handy when performing network reconnaissance: SSIDs, BSSIDs, channels and the security configuration of every AP in range are readable from unencrypted beacons
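What the sniffer hands the attacker before any key is involved, as an added example (not code from the deck): a minimal parser for 802.11 beacon frames that pulls out the SSID (flagging hidden ones), the channel, the privacy bit and the RSN AKM suites, which is enough to tell an open hotspot from a WEP/WPA1 network from WPA2-PSK from WPA2-Enterprise. The beacons are constructed in-line rather than captured.

```python
"""Beacon-frame reconnaissance parser. Added example; beacons are constructed."""
import struct

TAG_SSID, TAG_DS_PARAM, TAG_RSN = 0, 3, 48
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010
RSN_OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK"}   # IEEE 802.11i AKM suite selectors


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool, akm=None) -> bytes:
    """Construct a beacon (management type 0, subtype 8) for the demo."""
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    body = struct.pack("<QHH", 0, 100, cap)               # timestamp, beacon interval, capability info
    body += bytes([TAG_SSID, len(ssid)]) + ssid
    body += bytes([TAG_DS_PARAM, 1, channel])
    if akm is not None:                                   # RSN IE: WPA2, CCMP, one AKM suite
        rsn = struct.pack("<H", 1) + RSN_OUI + b"\x04"    # version 1, group cipher CCMP
        rsn += struct.pack("<H", 1) + RSN_OUI + b"\x04"   # one pairwise cipher: CCMP
        rsn += struct.pack("<H", 1) + RSN_OUI + bytes([akm])
        rsn += struct.pack("<H", 0)                       # RSN capabilities
        body += bytes([TAG_RSN, len(rsn)]) + rsn
    return hdr + body


def parse_beacon(frame: bytes):
    """Return recon-relevant fields, or None if the frame is not a beacon."""
    if len(frame) < 36 or (frame[0] & 0x0c) != 0 or (frame[0] >> 4) != 8:
        return None
    cap = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": frame[16:22].hex(":"), "ssid": None, "hidden": False,
            "channel": None, "privacy": bool(cap & CAP_PRIVACY), "akm": []}
    off = 36
    while off + 2 <= len(frame):                          # walk the tagged parameters
        tag, ln = frame[off], frame[off + 1]
        val = frame[off + 2: off + 2 + ln]
        off += 2 + ln
        if tag == TAG_SSID:
            info["hidden"] = ln == 0 or val == b"\x00" * ln   # "hidden" SSID is empty or all zeros
            info["ssid"] = val.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAM and ln == 1:
            info["channel"] = val[0]
        elif tag == TAG_RSN and ln >= 8:
            n_pair = struct.unpack_from("<H", val, 6)[0]
            p = 8 + 4 * n_pair                            # skip version, group suite, pairwise list
            if ln >= p + 2:
                n_akm = struct.unpack_from("<H", val, p)[0]
                for i in range(n_akm):
                    sel = val[p + 2 + 4 * i: p + 6 + 4 * i]
                    if len(sel) == 4 and sel[:3] == RSN_OUI:
                        info["akm"].append(AKM_NAMES.get(sel[3], "akm-%d" % sel[3]))
    return info


def security_label(info) -> str:
    """Open, legacy (privacy bit without RSN IE: WEP or WPA1), or the WPA2 AKM in use."""
    if not info["privacy"]:
        return "open"
    if not info["akm"]:
        return "privacy-without-RSN (WEP or WPA1 vendor IE)"
    return "WPA2/" + "+".join(info["akm"])


def survey():
    """Constructed air capture: corporate 802.1X AP, hidden-SSID legacy AP, open hotspot."""
    frames = [
        build_beacon(bytes.fromhex("001122334455"), b"corp", 6, True, akm=1),
        build_beacon(bytes.fromhex("001122334466"), b"", 11, True),
        build_beacon(bytes.fromhex("aabbccddeeff"), b"Free_WiFi", 1, False),
    ]
    out = []
    for f in frames:
        info = parse_beacon(f)
        info["security"] = security_label(info)
        out.append(info)
    return out


if __name__ == "__main__":
    for ap in survey():
        print(ap)
```

Note what hiding the SSID does not do: the BSSID, channel and security type are still broadcast, and the name itself appears in probe requests/responses as soon as a client connects.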
Wireless Security: Man in the Middle Attack
A MitM is when an attacker poses as the network to the client(s) and as a client to the actual network
The attacker forces a legitimate client off the network (e.g. with spoofed de-authentication frames)
The attacker lures the client to a honeypot
The attacker gains security credentials by intercepting user traffic
Very easy to do with:
• Sniffing and war-driving to identify targets
• MAC address spoofing
• Rogue device setup
• DoS attacks
Quick Look: Common WLAN Exploits/Tools
Remote-Exploit/Backtrack/Auditor
Aircrack, WEPcrack, etc
coWPAtty
Kismet
NetStumbler, Hotspotter, etc
AirSnort
Sniffing tools: OmniPeek, Wireshark
dsniff, nmap
wellenreiter
asleap
Ounce of Prevention... Stop the Attack Before It Happens
(Figure: the same six threats as above, denial of service, ad-hoc wireless bridge, rogue access points, evil twin/honeypot AP, reconnaissance and cracking tools, grouped as on-wire and over-the-air attacks.)
Cisco wIPS detects these attacks
Ounce of Prevention... Stop the Attack Before It Happens (cont.)
(Figure: the same six threats, each annotated with the countermeasure that addresses it.)
• MFP neutralizes management frame exploits, such as man-in-the-middle attacks
• WPA2/802.11i neutralizes recon and cracking attacks
• Rogue detection, classification and mitigation addresses the rogue-device attacks (rogue access points, ad-hoc wireless bridges, evil twin/honeypot APs)
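Rogue classification as the slide (and the man-in-the-middle slide before it) describes it, as an added example with rules of its own, not Cisco's classification engine: every AP heard over the air is matched against the managed-BSSID inventory and the security each corporate SSID must advertise, so that a honeypot broadcasting the corporate SSID as an open network, an evil twin mirroring the real configuration, an unknown AP seen on the wired side, and a mere neighbour each land in a different category with a different response. The inventory, the observations and the `on_wire` input are constructed.

```python
"""Rogue AP classification and containment decision. Added example; the
categories and rules are this example's, and all inputs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    security: str        # label from a beacon parser: "open", "wep", "wpa2-psk", "wpa2-802.1x"
    channel: int
    on_wire: bool = False   # rogue's MAC also seen on the wired LAN (assumed switch-trace input)


def classify(observed, managed_bssids, ssid_policy):
    """ssid_policy maps each corporate SSID to the security it must advertise.
    Returns {bssid: category}."""
    result = {}
    for ap in observed:
        if ap.bssid in managed_bssids:
            result[ap.bssid] = "managed"
        elif ap.ssid in ssid_policy:
            # our SSID from a BSSID we do not own: an impersonator. Weaker security
            # than policy means it is luring clients into an easier handshake.
            if ap.security != ssid_policy[ap.ssid]:
                result[ap.bssid] = "honeypot"
            else:
                result[ap.bssid] = "evil-twin"
        elif ap.on_wire:
            result[ap.bssid] = "malicious-rogue"      # unknown AP bridging into the wired network
        else:
            result[ap.bssid] = "unclassified-rogue"   # a neighbour until proven otherwise
    return result


def mitigation(category):
    """Only impersonators and on-wire rogues are contained: de-authenticating a
    neighbour's clients is itself a DoS against a network that is not ours."""
    actions = {
        "honeypot": "contain",
        "evil-twin": "contain",
        "malicious-rogue": "contain+trace-switchport",
    }
    return actions.get(category, "monitor")


def demo():
    managed = {"00:11:22:33:44:55", "00:11:22:33:44:56"}
    policy = {"corp": "wpa2-802.1x"}
    seen = [
        ObservedAP("00:11:22:33:44:55", "corp", "wpa2-802.1x", 6),
        ObservedAP("66:77:88:99:aa:bb", "corp", "open", 6),                 # honeypot on our channel
        ObservedAP("66:77:88:99:aa:bc", "corp", "wpa2-802.1x", 11),         # evil twin mirroring policy
        ObservedAP("de:ad:be:ef:00:01", "linksys", "wep", 1, on_wire=True),  # plugged into our LAN
        ObservedAP("de:ad:be:ef:00:02", "neighbour-guest", "wpa2-psk", 1),
    ]
    cats = classify(seen, managed, policy)
    return {b: (c, mitigation(c)) for b, c in cats.items()}


if __name__ == "__main__":
    for bssid, (cat, action) in demo().items():
        print(bssid, cat, action)
```

The evil twin with matching security is the case MFP is for: the classifier can only flag it after a client has already been steered, whereas protected management frames stop the de-authentication that steers the client in the first place.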
Cisco's Attack Detection Mechanisms
Base IDS: built in to the controller software; uses local and monitor mode APs
Adaptive wIPS: requires the MSE; uses wIPS monitor mode APs
Adaptive wIPS Differences from Base Controller IDS
Adaptive wIPS Difference #1: Alarm Aggregation and Correlation
(Figure: two deployments side by side. Adaptive wIPS: AP -> WLC -> MSE -> WCS, with alarms aggregated and correlated on the MSE. Base controller IDS: AP -> WLC -> WCS, no alarm correlation.)
Adaptive wIPS Difference #2: Breadth of Alarms Detected
(Figure: the adaptive wIPS alarm list beside the base controller IDS list.) Base controller IDS has only 17 signatures
Adaptive wIPS Difference #2 (cont.): Attack Encyclopedia
Available for each alarm
Accessible from the wIPS profile page
Adaptive wIPS Difference #3: Forensic Packet Capture
(Figure: two screenshot slides.)
Adaptive wIPS Difference #4: Historic Reporting
1. Alarm information stored in the MSE database (maximum of 6 million alarms stored in the MSE database)
2. WCS queries the MSE database during report generation
3. Reports created and viewed at WCS
Adaptive wIPS: Types of Reports
wIPS Alarm List Report. Use: historic reporting of attacks
Summarized list of alarms contained within the MSE
Contains alarm type, source MAC, detecting AP, first seen time, last seen time
wIPS Top 10 AP Report. Use: identifying 'hot zones' of attack
The top 10 wIPS access points with the most alarms
Includes critical, major, minor and warning levels of alarms
Adaptive wIPS: Creating Reports
• Add/remove columns
• Sort by columns
• Filter by MSE, or by WLC
Example Report: wIPS Alarm List
(Figure: report screenshot with the attack timeline.)
Example Report: wIPS Top 10 APs
(Figure: report screenshot broken down by alarm severity.)
WCS Security Dashboard
• Security index
• Controller IDS and adaptive wIPS alarms
• Rogues by category
Adaptive wIPS: Components and Functions
Mobility Services Engine: Support for Cisco Motion Services
Mobility services may have different WLC/WCS software requirements
Adaptive wIPS is licensed on a per-monitor-mode-AP basis

                   3310 Mobility Services Engine        3350 Mobility Services Engine
Adaptive wIPS      up to 2000 monitor mode APs          up to 3000 monitor mode APs
Context Aware      up to 2000 tracked devices           up to 18000 tracked devices
Requires           WLC 4.2.130 or later, WCS 5.2+       WLC 4.2.130 or later, WCS 5.1+
wIPS System Communication Diagram
(Figure: communication paths between monitor mode APs, WLC, MSE and WCS.) The MSE is not in the 'data path'