Skyjacking a Cisco WLAN - what it means and how to protect against it?
Post on 19-Oct-2014
DESCRIPTION
A flaw in Cisco WLAN operation was announced in late August 2009 that allows an attacker to "skyjack", or take control of, a Cisco lightweight access point. The vulnerability is rooted in the over-the-air provisioning (OTAP) feature used by Cisco lightweight access points to discover and connect to a Cisco WLAN controller. This presentation deconstructs the skyjacking vulnerability: why it occurs in Cisco WLANs, which Cisco access points are affected, how skyjacking can be exploited to launch potent attacks, and what the best practices are for proactively protecting your enterprise network against such zero-day vulnerabilities and attacks.
TRANSCRIPT
Webinar held on 02 Sept, 2009
Webinar press release URL: http://digg.com/d3130SK
In the News
- Cisco wireless LAN vulnerability could open 'back door'
- Cisco wireless LANs at risk of attack, 'skyjacking'
- Newly discovered vulnerability could threaten Cisco wireless LANs
What Cisco says
Severity = Mild
"No risk of data loss or interception"
"Could allow an attacker to cause a denial of service (DoS) condition"
It's not a big deal! Hmm...
What exactly is skyjacking?
Do I need to worry about it?
How severe is the exploit?
What you will learn today
- The risk from the skyjacking vulnerability is much bigger than stated
- How to assess if you are vulnerable
- Countermeasures for skyjacking and other zero-day attacks
Five ways a LAP can discover WLCs
- Subnet-level broadcast
- Configured
- DNS
- DHCP
- Over-the-air provisioning (OTAP)
Three criteria a LAP uses to select a WLC, applied in order
Step 1: Primary, Secondary, Tertiary
Step 2: Master mode
Step 3: Maximum excess capacity
Over-the-air provisioning (OTAP)
OTAP exploited for “skyjacking”
Skyjacked LAP denies service to wireless users
Secure WLAN enterprise access
Before:
  SSID   Security   VLAN   Comment
  Corp   WPA2       20     Internal to corporate network
  AP physically connected to VLAN 30 (internal to corporate network)
Authorized LAP skyjacked - DoS
Before:
  SSID   Security   VLAN   Comment
  Corp   WPA2       20     Internal to corporate network
  AP physically connected to VLAN 30 (internal to corporate network)
Result: DoS
Authorized LAP turned into Open Rogue AP
Before:
  SSID   Security   VLAN   Comment
  Corp   OPEN       30     Internal to corporate network
  AP physically connected to VLAN 30 (internal to corporate network)
Result: Rogue on network
Camouflaged Rogue LAP: a backdoor to your enterprise network!
Wolf in Sheep's Clothing
Before:
  SSID   Security   VLAN   Comment
  Corp   WPA2       30     Internal to corporate network
  AP physically connected to VLAN 30 (internal to corporate network)
Result: Rogue on network
Wolf in Sheep's Clothing - Scenario 2
Before:
  SSID    Security   VLAN   Comment
  Corp    WPA2       20     Internal to corporate network
  Guest   OPEN       30     Internal to corporate network
  AP physically connected to VLAN 30 (internal to corporate network)
Result: Rogue on network; DoS
SpectraGuard® Enterprise WLAN policy set-up
- Guest WLAN SSID
- Allowed subnet (VLAN) for Guest SSID
Normal WLAN operation
Device list displayed on the SpectraGuard Enterprise console: authorized SSIDs are shown in green and are detected together with the VLAN identifier to which they connect.
Skyjacking on guest access
1. Change in the VLAN is detected
2. SSID marked as "misconfigured" (background changes to amber)
3. Automatic prevention started (shield icon appears)
Summary
  Type of skyjacking attack                  Only over-air threat detection   AirTight's unique wireless-wired correlation based threat detection
  Authorized SSID as Open Rogue AP           ✓ (open rogue)                   ✓ (open rogue)
  Authorized SSID as "Privileged" Rogue AP   X                                ✓ (WPA2 rogue)
  (Wolf in Sheep's Clothing)
  Guest access as Open Rogue AP              X                                ✓ (open guest rogue)
  (Wolf in Sheep's Clothing, scenario 2)
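The detection steps on the guest-access slide and the summary table above, as an added example that is not AirTight's code: a policy check that compares what is seen over the air with the wired VLAN the AP bridges each SSID onto, run over constructed observations for the four scenarios. The policy table and the guest VLAN (99) are assumptions; the slides do not state a guest VLAN.

```python
# Added example, not AirTight's code: a wireless-wired correlation check that
# follows the SSID -> VLAN policy mapping idea on the slides. The policy table,
# the guest VLAN (99) and the observations are constructed for illustration.

POLICY = {  # SSID -> (expected security, allowed wired VLANs)
    "Corp":  ("WPA2", {20}),
    "Guest": ("OPEN", {99}),   # assumed guest VLAN; the slides do not state one
}

def over_air_only(ssid, security):
    """What a sensor that sees only the 802.11 side can conclude."""
    if ssid not in POLICY:
        return "rogue"
    return "authorized" if POLICY[ssid][0] == security else "rogue"

def wired_correlation(ssid, security, wired_vlan):
    """Same check, plus the wired VLAN the AP actually bridges the SSID onto."""
    verdict = over_air_only(ssid, security)
    if verdict != "authorized":
        return verdict
    # SSID and security match policy, so the VLAN is the only remaining tell.
    return "authorized" if wired_vlan in POLICY[ssid][1] else "misconfigured"

def assess(observations):
    """Return (ssid, over-air verdict, correlated verdict) for each AP seen."""
    return [(s, over_air_only(s, sec), wired_correlation(s, sec, vlan))
            for s, sec, vlan in observations]

# Constructed observations matching the scenarios on the slides
OBSERVED = [
    ("Corp",  "WPA2", 20),   # normal operation
    ("Corp",  "OPEN", 30),   # authorized SSID turned into open rogue AP
    ("Corp",  "WPA2", 30),   # wolf in sheep's clothing
    ("Guest", "OPEN", 30),   # wolf in sheep's clothing, scenario 2
]

if __name__ == "__main__":
    for row in assess(OBSERVED):
        print(row)
```

The two camouflaged cases come back "authorized" from the over-air check and "misconfigured" only from the correlated check, which is the gap the summary table marks with X.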
AirTight's SpectraGuard Enterprise
The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack, thanks to patented marker packet technology for accurate wired connectivity detection and the unique VLAN Policy Mapping™ architecture.
Which LAPs can be skyjacked?
  Type of Cisco LAP                                                  Vulnerable?
  LAPs using auto discovery                                          Yes
  Configured with "preferred" WLCs (primary, secondary, tertiary)    Mostly No
  Configured with locally significant certificates (LSC)             No
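The five discovery methods and three selection criteria listed earlier, together with the vulnerability table above, reduced to a toy model as an added example (not Cisco's code or the presenter's): it applies the selection rules in order and reports whether a LAP with a given configuration would end up joined to a controller the enterprise does not manage. Controller names, capacities, and the trusted_cert flag standing in for LSC validation are assumptions; the "preferred WLCs not responding" case shows why the table says "Mostly No".

```python
# Added example, not Cisco's or the presenter's code: a toy model of the LAP
# discovery/selection rules on the slides, used to check which AP configurations
# can end up joined to a controller learned only via OTAP. Controller names,
# capacities and the trusted_cert flag (standing in for LSC checks) are constructed.
from dataclasses import dataclass, field
@dataclass
class WLC:
    name: str
    source: str               # "broadcast", "configured", "dns", "dhcp" or "otap"
    master: bool = False
    excess_capacity: int = 0
    trusted_cert: bool = True  # simplified stand-in for LSC certificate validation

@dataclass
class LAP:
    preferred: list = field(default_factory=list)  # primary, secondary, tertiary
    lsc: bool = False

def select_wlc(lap, discovered):
    """Apply the three selection criteria from the slides, in order."""
    # With LSC the AP only joins controllers whose certificate it trusts.
    candidates = [w for w in discovered if not lap.lsc or w.trusted_cert]
    # 1. A configured primary/secondary/tertiary controller that responded.
    for name in lap.preferred:
        for w in candidates:
            if w.name == name:
                return w
    # 2. Otherwise a controller advertising master mode.
    masters = [w for w in candidates if w.master]
    if masters:
        return masters[0]
    # 3. Otherwise the controller with the most excess AP capacity.
    return max(candidates, key=lambda w: w.excess_capacity, default=None)

def joins_unmanaged_controller(lap, discovered, managed):
    """True if the LAP would join a controller the enterprise does not manage."""
    chosen = select_wlc(lap, discovered)
    return chosen is not None and chosen.name not in managed

MANAGED = {"wlc-a", "wlc-b"}
DISCOVERED = [  # constructed: two managed WLCs plus one heard only via OTAP
    WLC("wlc-a", "dhcp", excess_capacity=10),
    WLC("wlc-b", "dns", excess_capacity=5),
    WLC("unknown-wlc", "otap", master=True, excess_capacity=500, trusted_cert=False),
]
CASES = {"auto discovery": LAP(), "preferred WLCs": LAP(preferred=["wlc-a", "wlc-b"]),
         "preferred WLCs not responding": LAP(preferred=["wlc-down"]), "LSC": LAP(lsc=True)}
if __name__ == "__main__":
    for label, lap in CASES.items():
        print(label, "->", joins_unmanaged_controller(lap, DISCOVERED, MANAGED))
```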
Countermeasures
- Manually configure LAPs with preferred WLCs (primary, secondary, tertiary): primarily an HA and load balancing feature
- Turn off OTAP on the WLC: ineffective!
- Manually configure LAPs with LSCs: impractical
- Block outgoing traffic from UDP ports 12222 and 12223 on your firewall: not a common practice
Practical difficulties: do you know
- if your outgoing UDP ports on the firewall are blocked? Did you test it today?
- if all LAPs are configured with primary, secondary and tertiary WLCs?
- if all LAPs are indeed connected to the configured WLCs?
- how many VLANs you have authorized for wireless access?
- whether all SSIDs are mapped to the correct VLANs?
- when was the last time your LAPs rebooted?
- when was the last time your WLC was taken down for maintenance?
- if all your APs are compliant with your security policies? How do you know?
One mistake and you could be exposed!
Adding a second, independent layer of WIPS protection
- The WLAN infrastructure is designed for WLAN access
- The WIPS layer is designed for security: misconfigurations, zero-day attacks, undesirable connections
AirTight's SpectraGuard product family
- Industry's only wireless security service
- Complete wireless intrusion prevention
- Wireless security for mobile users
- WLAN coverage & security planning
About AirTight Networks
The Global Leader in Wireless Security and Compliance
For more information on wireless security risks, best practices, and solutions, visit: http://www.airtightnetworks.com
Visit our blog to read the root cause analysis "Skyjacking: What Went Wrong?": http://blog.airtightnetworks.com