wireless lan security & threat mitigationd2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/brkewn...
TRANSCRIPT
Wireless LAN Security & Threat Mitigation
Karan Sheth, Sr. Technical Marketing Engineer
BRKEWN-2015
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3BRKEWN-2015
Abstract
• “Prevention is better than cure” – an old saying but an extremely important one to defend your enterprise wireless network from unauthorized access and rogue threats. The best security approach is a layered approach that encompasses authorized access, intrusion protection & mitigation. In this session, we will address the current state of wireless security & explore the best practices to protect against unauthorized and uncontrolled wireless access.
• We will discuss some of the commonly available attack tools that can cause serious damage to authorized enterprise user experience. Attendees will get familiar with advanced capabilities & tools that are available with Cisco Unified Wireless Network solution to properly lock-down and defend their network from wireless threats.
• Prerequisite knowledge of 802.11 fundamentals is recommended.
Objective
“Prevention is better than cure”
Without prevention you are screwed, because Wireless has No Boundaries
Agenda
• Wireless Security Threats
• DEMO – Think like an Attacker
• Wireless Intrusion Prevention Best Practices
• Attack Detection & Mitigation Techniques
• Network Design Considerations
• DEMO – Rogue Detection & Mitigation
Wireless Security Threats
Wireless Attack Vectors
The slide groups the vectors into on-wire attacks, over-the-air attacks and non-802.11 attacks:
• Denial of Service – service disruption
• Ad-hoc Wireless Bridge – client-to-client backdoor access
• Rogue Access Points – backdoor network access
• Evil Twin / Honeypot AP – connection to a malicious (hacker’s) AP
• Reconnaissance – seeking network vulnerabilities
• Cracking Tools – sniffing and eavesdropping
• Non-802.11 attacks and interference – Bluetooth AP, radar, RF jammers, Bluetooth, microwave
Attacker’s Nirvana – Tools to Hide from Infrastructure
Spoofing Pyramid (what gets spoofed, and what it impersonates):
• BSSID – radio MAC
• ESSID – wireless SSID
• Channel & Tx Power
• DHCP, DNS, SSLstrip etc. – bridge/NAT interfaces
Hardware: USB wireless cards with no regulatory restrictions, or Kali NetHunter (post-2014)
Demo – Think like an Attacker
Demo scenarios:
• Dupe the user
• Service disruption
• Backdoor access
• Guest portal bypass
Watch Demo On YouTube
https://www.youtube.com/user/karanyuj
Wireless Intrusion Prevention Best Practices
Wireless Security Pre-requisites
• Secure the connection
• Identify users
• Classify applications
• Control access
Across all endpoints: client, access point, switch, Wireless LAN Controller, Identity Services Engine
Secure the Connection
Authentication Best Practices: Use WPA2-Enterprise
Strong Authentication
• Tunneling-based methods (protective cover): EAP-PEAP, EAP-TTLS, EAP-FAST
– Inner methods (authentication credentials): EAP-GTC, EAP-MSCHAPv2
• Certificate-based: EAP-TLS
Strong Encryption
• AES – Advanced Encryption Standard that requires hardware support & achieves line-rate speeds
EAP Methods Comparison
                                      EAP-TLS   PEAP     EAP-FAST
Fast Secure Roaming                   Yes       Yes      Yes
Local WLC Authentication              Yes       Yes      Yes
OTP (One Time Password) Support       No        Yes      Yes
Server Certificates                   Yes       Yes      No
Client Certificates                   Yes       No       No
PAC (Protected Access Credentials)*   No        No       Yes
Deployment Complexity                 High      Medium   Low
* PACs can be provisioned anonymously for minimal complexity.
For Your Reference
Secure Your Wireless Infrastructure End-Points
1. Configure an 802.1x supplicant on the AP; the switch authenticates it against ISE over RADIUS
2. Enable switch port security
CAPWAP DTLS using Manufacturer Installed Certificates: default out-of-the-box behavior for mutual authentication between AP and WLC
Management Frame Protection (MFP)
Problem
• Wireless management frames are not authenticated, encrypted, or signed
• A common vector for exploits
Solution
• Insert a signature (Message Integrity Code/MIC) into the management frames
• APs can instantly identify rogue/exploited management frames
• Optionally, clients and APs use the MIC to validate the authenticity of management frames
Frames covered, in both directions between AP and client: Beacons, Probes, Association
Infrastructure MFP Operation
Diagram: Corporate Building 1 has APs with BSSID 11:11:11:11:11:11 and BSSID 22:22:22:22:22:22; Corporate Building 2 shows an AP advertising BSSID 11:11:11:11:11:11. The radios cannot hear each other.
Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP
Client MFP and 802.11w Operation
• Client MFP (CCXv5 clients): protected management frames with a MIC
• 802.11w: protected frames with a Security Association (SA)
Frames protected: AP beacons, probe requests/probe responses, associations/re-associations, disassociations, authentications/de-authentications, action management frames
Protects against spoofing of both the AP and the client
Identify Users & Enforce Policy
Profiling Strategies
• ISE Base: AAA, Guest Provisioning; device profiling & policy control is done by the WLC
• ISE Wireless (wireless only) and ISE Advanced (profiling & policy enforcement across any access medium): AAA, Guest Provisioning, Device Profiling, Device On-boarding, Device Posturing, Partner MDM Integration
Profiling and Policy Enforcement Options
Profiling factors: Time of Day, Authentication, Device Type, User Role
Network components: WLC, RADIUS server (e.g. ISE Base, ACS)
Policy enforced (wireless only): VLAN, Access List, QoS, Session Timeout, AVC
Profiling & Policy Enforcement Workflow
1. The WLC sends the Auth. Request to ISE Base
2. ISE Base returns the Auth. Response carrying Cisco-AV-Pair Role=Finance (AAA services by ISE Base)
3. The WLC profiles the device (Finance user on a personal device vs. a corporate device) and enforces the matching policy over CAPWAP, e.g. VLAN 3 with QoS = Silver or VLAN 7 with QoS = Platinum (device profiling & policy enforcement by WLC)
Wi-Fi Direct Policy
Wi-Fi Direct allows a corporate laptop simultaneous access to the Corporate WLAN and to unauthorized devices, which creates backdoor access.
Prevent access to the Corporate WLAN when Wi-Fi Direct is enabled on corporate wireless devices.
Classify Applications & Control Access
What is the Need for Application Visibility and Control?
• Why is the wireless performance of my network so low?
• Should I add more access points to improve the user experience?
• What if someone is running BitTorrent against company policy & hurting the overall user experience?
Identify Applications using NBAR2
Introducing Application Visibility and Control on WLC: client traffic is classified into Voice, Video, Best-Effort and Background, and application behavior is controlled (Don’t Allow, Rate Limiting).
NetFlow Loop with Lancope & ISE
1. WLC exports client details via NetFlow v9
2. Lancope performs network forensics to detect anomalies like insider threats, DDoS & malware
3. ISE performs policy-based remediation, e.g. Change of Authorization, Blacklist or Quarantine
DEMO Links
https://www.youtube.com/watch?v=TuWYkrt94CQ
https://www.youtube.com/watch?v=0h_5qU4NTOM
Attack Detection & Mitigation Techniques
Rogue Detection Basics
Two Different AP Modes for RRM Scanning
• Local Mode AP: serves clients for 16s, then scans 50ms for rogues (best effort scanning)
• Monitor Mode AP: scans 1.2s per channel, 24x7 scanning
Listening for Rogues: RF Group = Corporate. Any AP not broadcasting the same RF Group is considered a rogue.
RRM Channel Scanning Basics – Local Mode AP (Serves Data)
Timeline (figure): the radio stays on its serving channel (1 on 2.4GHz, 36 on 5GHz), goes off-channel for 50ms, returns, and repeats, walking the channel list (2, 3, 4 … or 40, 44, 48 …).
• AP on Channel 1 – 802.11 b/g/n (2.4GHz) – US country channels: every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)
• AP on Channel 36 – 802.11 a/n (5GHz) – US country channels (without UNII-2 Extended): every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)
Detect Time (figure axis)
RRM Channel Scanning Basics – Monitor Mode AP
Timeline (figure): the radio dwells 1.2s on each channel back to back, across the 2.4GHz channels (1, 2, 3 …) and the 5GHz channels (36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140 …).
• 802.11b/g/n (2.4GHz) – all channels
• 802.11a/n (5GHz) – all channels
Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
Detect Time (figure axis)
Rogue Classification Rules – Who is more harmful?
Classification based on threat severity and mitigation action; rules tailored to the customer’s risk model.
Friendly            Malicious
Off-Network         On-Network
Secured             Open
Foreign SSID        Our SSID
Weak RSSI           Strong RSSI
Distant location    On-site location
No clients          Attracts clients
Rogue Classification Rules Example
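As an added example of the rule idea on the previous slide (not the WLC’s own rule engine or the screenshot shown here), a small first-match classifier over the six factors the slide lists. The SSID names, the RSSI threshold and the fallback “Unclassified” class are assumptions for the example; the mapping from class to action follows the later advice to auto-contain only the most alarming threats.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rogue:
    """What the WLC knows about one detected rogue AP (the slide's six factors)."""
    bssid: str
    ssid: str
    on_network: bool    # seen on our wire by a rogue detector AP, RLDP or switchport tracing
    open_auth: bool     # no encryption configured on the rogue
    rssi_dbm: int       # strongest RSSI at which any of our APs hears it
    on_site: bool       # located inside our buildings (Prime / MSE location)
    clients: int        # clients seen associated to it


@dataclass(frozen=True)
class Rule:
    name: str
    classification: str             # "Malicious" or "Friendly"
    matches: Callable[[Rogue], bool]


OUR_SSIDS = {"corp-wlan", "corp-guest"}   # constructed for the example
STRONG_RSSI_DBM = -70                      # constructed threshold for "strong RSSI"


def is_foreign_ssid(r: Rogue) -> bool:
    return r.ssid.lower() not in OUR_SSIDS


# Rules are evaluated top to bottom; the first hit wins, so the most severe
# evidence (on our wire, or impersonating our SSID) is listed first.
RULES: List[Rule] = [
    Rule("on-network", "Malicious", lambda r: r.on_network),
    Rule("our-ssid", "Malicious", lambda r: not is_foreign_ssid(r)),
    Rule("open-strong-attracting-clients", "Malicious",
         lambda r: r.open_auth and r.rssi_dbm >= STRONG_RSSI_DBM and r.clients > 0),
    Rule("secured-weak-distant-no-clients", "Friendly",
         lambda r: not r.open_auth and is_foreign_ssid(r) and r.rssi_dbm < STRONG_RSSI_DBM
                   and not r.on_site and r.clients == 0),
]


def classify(rogue: Rogue, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (classification, rule name). Rogues no rule matches are left
    'Unclassified' for a human to review rather than guessed at."""
    for rule in rules:
        if rule.matches(rogue):
            return rule.classification, rule.name
    return "Unclassified", None


def mitigation(classification: str) -> str:
    """Action per class: contain only the most alarming threats, as the slides advise."""
    return {"Malicious": "alert + contain", "Unclassified": "alert only",
            "Friendly": "ignore"}[classification]


# Constructed observations: a neighbour's home AP and an evil twin of our SSID.
NEIGHBOUR = Rogue("00:11:22:33:44:55", "HomeNet", False, False, -82, False, 0)
EVIL_TWIN = Rogue("0021.4458.6652", "corp-wlan", False, True, -48, True, 3)
```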
Wired Rogue Detection Methods
Rogue Detector AP (connected to a switch trunk port, alongside the data-serving APs)
• Detects all rogue client and access point ARPs
• Controller queries the rogue detector to determine if rogue clients are on the network
• Does not work with NAT APs
Rogue Location Discovery Protocol (RLDP) (runs from a data-serving AP)
• Connects to the rogue AP as a client
• Sends a packet to the controller’s IP address
• Only works with open rogue access points
Rogue Detector AP Operation
WLC (rogue detector AP on a trunk port):
> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6651 found on net msg
BSSID: 0021.4458.6652
Resulting alarm:
Alarm Changed from Minor to Critical
Security Alert: Rogue with MAC Address 0021.4458.6651 Has Been Detected on the Wired Network
Rogue Detector AP Mode – Example Deployment Scenario
Diagram: one rogue detector each in Bldg 1, Bldg 2 and Bldg 3.
Install one rogue detector at each Layer 3 boundary.
Put more simply - ensure all VLANs are monitored by a rogue detector.
Rogue Detector AP Mode – Configuration
All radios become disabled in this mode. The AP hangs off a switch trunk port carrying all VLANs (WLC – switch – AP):
interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 spanning-tree portfast
Rogue Location Discovery Protocol (RLDP) Operation
WLC:
> debug dot11 rldp
Successfully associated with rogue: 00:21:44:58:66:52
Sending DHCP packet through rogue AP 00:21:44:58:66:52
RLDP DHCP BOUND state for rogue 00:21:44:58:66:52
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142
BSSID: 0021.4458.6652
Cisco Prime:
Alarm Changed from Minor to Critical
Security Alert: Rogue with MAC Address 0021.4458.6652 Has Been Detected on the Wired Network
Rogue Location Discovery Protocol – Automatic Operation
• Two automatic modes of operation:
– ‘AllAPs’ – uses both Local and Monitor mode APs
– ‘MonitorModeAPs’ – uses only Monitor mode APs
• Recommended: Monitor Mode APs – RLDP can impact service on client-serving APs
Switchport Tracing (SPT) using Cisco Prime
Switchport Tracing: On-Demand or Automatic
1. Identifies the CDP neighbors of the APs detecting the rogue (show cdp neighbors)
2. Queries those switches’ CAM tables for the rogue’s MAC, then the next switches toward the core
• Works for rogues with security and NAT
SPT matches on:
• Rogue MAC Address
• Rogue MAC +3/-3
• Rogue Client MAC Address
• Rogue Vendor OUI
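The four SPT match types above, as an added example that is not Cisco Prime’s code: a CAM-table matcher that ranks hits by strength of evidence, plus the containment guard from the next slide that only shuts a port on a strong match and only when few MACs sit behind it. The rogue BSSID and the wired MAC one below it come from the debug output on the earlier slides; the CAM table rows, switch names and the other MACs are constructed.

```python
from collections import Counter


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff notation."""
    return int("".join(ch for ch in mac.lower() if ch in "0123456789abcdef"), 16)


# Constructed sample CAM table: (switch, port, mac) rows as Prime would collect them.
CAM_TABLE = [
    ("sw-bldg1-a", "Gi1/0/12", "00:21:44:58:66:51"),   # rogue's wired side, BSSID minus 1
    ("sw-bldg1-a", "Gi1/0/13", "00:1f:9e:9b:29:80"),
    ("sw-bldg2-b", "Gi1/0/7",  "00:21:44:12:34:56"),   # same vendor OUI, unrelated box
    ("sw-bldg2-b", "Gi1/0/7",  "aa:bb:cc:00:00:01"),   # a client seen on the rogue
    ("sw-bldg2-b", "Gi1/0/7",  "aa:bb:cc:00:00:02"),
]

# Match types as listed on the slide, strongest evidence first.
MATCH_ORDER = ("Rogue MAC Address", "Rogue MAC +3/-3",
               "Rogue Client MAC Address", "Rogue Vendor OUI")


def spt_matches(rogue_bssid, rogue_client_macs, cam=CAM_TABLE, window=3):
    """Return [(match_type, switch, port, mac)] for every CAM row that ties to the rogue,
    sorted strongest-first. A rogue AP's wired MAC is usually within a few values of
    its BSSID, hence the +3/-3 window."""
    bssid = mac_to_int(rogue_bssid)
    clients = {mac_to_int(m) for m in rogue_client_macs}
    found = []
    for switch, port, mac in cam:
        value = mac_to_int(mac)
        if value == bssid:
            kind = "Rogue MAC Address"
        elif abs(value - bssid) <= window:
            kind = "Rogue MAC +3/-3"
        elif value in clients:
            kind = "Rogue Client MAC Address"
        elif value >> 24 == bssid >> 24:
            kind = "Rogue Vendor OUI"
        else:
            continue
        found.append((kind, switch, port, mac))
    return sorted(found, key=lambda m: MATCH_ORDER.index(m[0]))


def ports_to_shut(matches, cam=CAM_TABLE, max_macs_on_port=1,
                  shut_on=("Rogue MAC Address", "Rogue MAC +3/-3")):
    """Containment candidates: only strong match types, and only ports carrying few
    MACs, so shutting one never takes down a shared uplink or an unmanaged switch."""
    per_port = Counter((s, p) for s, p, _ in cam)
    return sorted({(s, p) for kind, s, p, _ in matches
                   if kind in shut_on and per_port[(s, p)] <= max_macs_on_port})
```

An OUI-only hit is deliberately never a shutdown trigger: every device from that vendor on the campus would match it.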
Switchport Tracing (SPT) Containment Action
For each traced port Prime shows the Number of MACs Found on the Port and the Match Type, with an “Uncheck to Shut the Port” control.
Wireless Rogue AP Containment
• Local Mode AP: broadcast & unicast de-auth; can contain 3 rogues per radio; containment packets are sent every 500ms; impacts associated clients’ performance
• Monitor Mode AP: unicast de-auth & unicast dis-assoc; can contain 6 rogues per radio; containment packets are sent every 100ms
Automatic Rogue AP Containment
• Use auto-containment only to nullify the most alarming threats
• Containment can have legal consequences
• The WLC can use only Monitor Mode APs for containment, to prevent impact to clients
Rogue Location – On-Demand using Cisco Prime
• Allows an individual Rogue AP to be located On-demand
• Keeps no historical record of rogue location
• Does not locate rogue clients
Rogue Location – In Real-Time with Prime and Mobility Services Engine (MSE) Context-Aware
• Tracks multiple rogues in real time (up to MSE limits)
• Can track and store rogue location historically
• Provides location of rogue clients, rogue ad-hoc networks & non-WiFi interferers (e.g. microwave, Bluetooth), in addition to WiFi interferers
Zone of Impact with Prime and MSE Context-Aware: shown on the map for non-WiFi interferers and rogue access points.
Cisco’s Attack Detection Mechanisms
Core capabilities, delivered by WLC Base IDS and Adaptive wIPS and managed through Cisco Prime:
• Rogue AP and Client Detection
• 17 Common Attack Signatures
• Alarm Aggregation, Consolidation and False Positive Reduction
• Enhanced DoS Attack Behaviour Analysis – 115 attack signatures
• Coordinated Rogue Containment
• Anomaly Detection
• Forensic, Blacklisting, Auto Containment, and Auto Immunity responses
Adaptive wIPS Signature Example
Signatures with an associated action, e.g. DNS Tunnel Detection and ICMP Tunnel Detection.
Network Design Considerations
Adaptive wIPS Deployment Recommendations
• Enhanced Local Mode (ELM): the local mode AP serves clients for 16s, then scans 50ms for attacks (best effort scanning). Enable ELM on every deployed AP.
• Monitor Mode AP: scans 1.2s per channel for attacks, 24x7 scanning, serves no clients. Deploy 1 MM AP for every 5 Local Mode APs.
• Local Mode AP with WSSI module: the AP serves clients while the module scans 1.2ms for attacks, 24x7 scanning. Deploy 1 WSSI for every 5 Local Mode APs.
Demo - Rogue Detection & Mitigation
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Please join us for the Service Provider Innovation Talk featuring:
Yvette Kanouff | Senior Vice President and General Manager, SP Business
Joe Cozzolino | Senior Vice President, Cisco Services
Thursday, July 14th, 2016
11:30 am - 12:30pm, In the Oceanside A room
What to expect from this innovation talk
• Insights on market trends and forecasts
• Preview of key technologies and capabilities
• Innovative demonstrations of the latest and greatest products
• Better understanding of how Cisco can help you succeed
Register to attend the session live now or
watch the broadcast on cisco.com
Thank you