Skyjacking A Cisco WLAN - What it means and how to protect against it?

Webinar held on 02 Sept, 2009

*Webinar Press Release URL : http://digg.com/d3130SK

Posted on 19-Oct-2014


DESCRIPTION

A flaw in Cisco WLAN operation was announced in late Aug 2009 that allows a hacker to "skyjack", or take control of, a Cisco lightweight access point. The vulnerability is rooted in the over-the-air-provisioning (OTAP) feature used by Cisco lightweight access points to discover and connect to a Cisco WLAN controller. This presentation will deconstruct the skyjacking vulnerability, explaining why the vulnerability occurs in Cisco WLANs, which Cisco access points are affected, how skyjacking can be exploited to launch potent attacks, and what the best practices are to proactively protect your enterprise network against such zero-day vulnerabilities and attacks.

TRANSCRIPT

Page 1: Skyjacking A Cisco WLAN - What it means and how to protect against it?

Webinar held on 02 Sept, 2009


*Webinar Press Release URL : http://digg.com/d3130SK

Page 2: In the News

Cisco wireless LAN vulnerability could open ‘back door’

Cisco wireless LANs at risk of attack, ‘skyjacking’

Newly discovered vulnerability could threaten Cisco wireless LANs

Page 3: What Cisco says

“No risk of data loss or interception”

“Could allow an attacker to cause a denial of service (DoS) condition”

Severity = Mild

It’s not a big deal!

Page 4: Hmm…

What exactly is skyjacking?

How severe is the exploit?

Do I need to worry about it?

Page 5: What you will learn today

The risk from the skyjacking vulnerability is much bigger than stated

How to assess if you are vulnerable

Countermeasures for skyjacking and other zero-day attacks

Page 6: Five ways a LAP can discover WLCs

- Subnet-level broadcast
- Configured
- DNS
- DHCP
- Over-the-air provisioning (OTAP)

Page 7: Three criteria a LAP uses to select a WLC

Step 1: Primary, Secondary, Tertiary

Step 2: Master mode

Step 3: Maximum excess capacity

Page 8: Over-the-air provisioning (OTAP)

Page 9: OTAP exploited for “skyjacking”

Page 10: Skyjacked LAP denies service to wireless users

Page 11: (diagram slide; no recoverable text)

Page 12: Secure WLAN enterprise access (Before)

SSID   Security   VLAN   Comment
Corp   WPA2       20     Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Page 13: Authorized LAP skyjacked – DoS

SSID   Security   VLAN   Comment
Corp   WPA2       20     Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Result: DoS

Page 14: Authorized LAP turned into Open Rogue AP

SSID   Security   VLAN   Comment
Corp   OPEN       30     Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Result: Rogue on Network

Page 15: Camouflaged Rogue LAP: a backdoor to your enterprise network!

Page 16: Wolf in Sheep Clothing

SSID   Security   VLAN   Comment
Corp   WPA2       30     Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Result: Rogue on Network

Page 17: Wolf in Sheep Clothing – Scenario 2

SSID    Security   VLAN   Comment
Corp    WPA2       20     Internal to corporate network
Guest   OPEN       30     Internal to corporate network

AP physically connected to: VLAN 30 (Internal to corporate network)

Result: Rogue on Network; DoS

Page 18: SpectraGuard® Enterprise WLAN policy set-up

Guest WLAN SSID

Allowed Subnet (VLAN) for Guest SSID

Page 19: Normal WLAN operation

Device list displayed on SpectraGuard Enterprise console

Authorized SSIDs are shown in green and are detected with the VLAN identifier to which they connect

Page 20: Skyjacking on guest access

1. Change in the VLAN is detected
2. SSID marked as “misconfigured” (background changes to amber)
3. Automatic prevention started (shield icon appears)

Page 21: Summary

Type of skyjacking attack | Only over-air threat detection | AirTight’s unique wireless-wired correlation based threat detection
Authorized SSID as Open Rogue AP | ✓ (open rogue) | ✓ (open rogue)
Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing) | X | ✓ (WPA2 rogue)
Guest access as Open Rogue AP (Wolf in Sheep clothing – scenario 2) | X | ✓ (open guest rogue)
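As an added example (not code from the webinar or from AirTight's SpectraGuard product), the following Python models the wireless-wired correlation check behind this summary: an authorized SSID-to-VLAN policy is compared with what a sensor sees over the air and, from the wired side, which VLAN each AP actually bridges to. The SSID names and VLANs 20 and 30 follow the slides; the guest VLAN (40), the observation format and the verdict labels are assumptions.

```python
from dataclasses import dataclass

# Authorized WLAN policy, modelled on the slides' "VLAN policy mapping":
# SSID -> (required security, set of wired VLANs the SSID may bridge to).
# Corp on VLAN 20 comes from the slides; the Guest VLAN (40) is a constructed
# placeholder, since the slides do not state the allowed guest VLAN.
POLICY = {
    "Corp": ("WPA2", {20}),
    "Guest": ("OPEN", {40}),
}

@dataclass(frozen=True)
class Observation:
    """One AP as seen by the sensor: SSID and security from beacons,
    wired VLAN from marker-packet style wired-side correlation."""
    ssid: str
    security: str
    vlan: int

def over_air_verdict(obs: Observation) -> str:
    """Over-the-air-only detection: compares only what beacons reveal."""
    required_sec, _ = POLICY[obs.ssid]
    if obs.security != required_sec:
        return f"{obs.security.lower()} rogue"   # e.g. "open rogue"
    return "normal"

def correlated_verdict(obs: Observation) -> str:
    """Wireless-wired correlation: also checks the wired VLAN the AP bridges to."""
    required_sec, allowed_vlans = POLICY[obs.ssid]
    if obs.security != required_sec:
        return f"{obs.security.lower()} rogue"   # visible from the air as well
    if obs.vlan in allowed_vlans:
        return "normal"
    # Same SSID and security as the authorized WLAN, but bridged onto a VLAN
    # the policy does not allow: only the wired side exposes this.
    if required_sec == "OPEN":
        return f"open {obs.ssid.lower()} rogue"  # e.g. "open guest rogue"
    return f"{required_sec} rogue"               # e.g. "WPA2 rogue"

# Constructed observations mirroring slides 12, 14, 16 and 17 (VLAN 30 is the
# VLAN the AP is physically connected to in the slides).
SCENARIOS = {
    "secure WLAN access": Observation("Corp", "WPA2", 20),
    "authorized SSID as open rogue AP": Observation("Corp", "OPEN", 30),
    "wolf in sheep clothing": Observation("Corp", "WPA2", 30),
    "wolf in sheep clothing - scenario 2": Observation("Guest", "OPEN", 30),
}

def summary_table() -> dict:
    """Verdict of each detection approach per scenario, as on the Summary slide."""
    return {name: (over_air_verdict(o), correlated_verdict(o))
            for name, o in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (air, wired) in summary_table().items():
        print(f"{name:38s} over-air: {air:12s} correlated: {wired}")
```

The two "wolf in sheep clothing" rows come back "normal" from the over-air check and are only flagged once the wired VLAN is taken into account, which is the gap the Summary slide highlights.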

Page 22: AirTight’s SpectraGuard Enterprise

The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack

Thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping™ architecture

Page 23: Which LAPs can be skyjacked?

Type of Cisco LAP                                                  Vulnerable?
LAPs using auto discovery                                          Yes
Configured with “preferred” WLCs (primary, secondary, tertiary)    Mostly No
Configured with locally significant certificates (LSC)            No

Page 24: Countermeasures

Countermeasure                                                                 Comment
Manually configure LAPs with preferred WLCs (primary, secondary, tertiary)     Primarily an HA and load balancing feature
Turn off OTAP on WLC                                                           Ineffective!
Manually configure LAPs with LSCs                                              Impractical
Block outgoing traffic from UDP ports 12222 and 12223 on your firewall         Not a common practice

Page 25: Practical difficulties: Do you know

- If your outgoing UDP ports on the firewall are blocked? Did you test it today?
- If all LAPs are configured with primary, secondary and tertiary WLCs?
- If all LAPs are indeed connected to the configured WLCs?
- How many VLANs you have authorized for wireless access?
- Whether all SSIDs are mapped to the correct VLANs?
- When was the last time your LAPs rebooted?
- When was the last time your WLC was taken down for maintenance?
- If all your APs are compliant with your security policies? How do you know?

Page 26: One mistake and you could be exposed!

Page 27: Adding a second, independent layer of WIPS protection

(Diagram) The WLAN infrastructure is designed for WLAN access; the separate WIPS layer is designed for security and addresses misconfigurations, zero-day attacks and undesirable connections.

Page 28: AirTight’s SpectraGuard product family

Industry’s Only Wireless Security Service

Complete Wireless Intrusion Prevention

Wireless Security for Mobile Users

WLAN Coverage & Security Planning

Page 29: About AirTight Networks

The Global Leader in Wireless Security and Compliance

For more information on wireless security risks, best practices, and solutions, visit: http://www.airtightnetworks.com

Visit our blog to read the root cause analysis, “Skyjacking: What Went Wrong?”: http://blog.airtightnetworks.com