Wireless LAN Security & Threat Mitigation (BRKEWN-2015)
Source: d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/BRKEWN… (58 pages)

Uploaded by lekhue, posted 26-May-2018
TRANSCRIPT

Page 1: Wireless LAN Security & Threat Mitigation (d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/BRKEWN …, 2016-07-10)

Page 2:

Wireless LAN Security & Threat Mitigation

Karan Sheth, Sr. Technical Marketing Engineer

BRKEWN-2015

Page 3:

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKEWN-2015

Abstract

• “Prevention is better than cure” – an old saying but an extremely important one to defend your enterprise wireless network from unauthorized access and rogue threats. The best security approach is a layered approach that encompasses authorized access, intrusion protection & mitigation. In this session, we will address the current state of wireless security & explore the best practices to protect against unauthorized and uncontrolled wireless access.

• We will discuss some of the commonly available attack tools that can cause serious damage to authorized enterprise user experience. Attendees will get familiar with advanced capabilities & tools that are available with the Cisco Unified Wireless Network solution to properly lock down and defend their network from wireless threats.

• Prerequisite knowledge of 802.11 fundamentals is recommended.

Page 4:

Objective

“Prevention is better than cure”

Without prevention you are screwed, because Wireless has No Boundaries

Page 5:

Agenda

• Wireless Security Threats

• DEMO – Think like an Attacker

• Wireless Intrusion Prevention Best Practices

• Attack Detection & Mitigation Techniques

• Network Design Considerations

• DEMO – Rogue Detection & Mitigation

Page 6:

Wireless Security Threats

Page 7:

Wireless Attack Vectors (the slide groups these into On-Wire Attacks, Over-the-Air Attacks and Non-802.11 Attacks)

• Denial of Service – service disruption

• Ad-hoc Wireless Bridge – client-to-client backdoor access

• Rogue Access Points – backdoor network access

• Evil Twin/Honeypot AP – connection to a malicious AP

• Reconnaissance – seeking network vulnerabilities

• Cracking Tools – sniffing and eavesdropping

• Non-802.11 Attacks – Bluetooth, radar, RF jammers, microwave

Page 8:

Attacker's Nirvana – Tools to hide from Infrastructure

Spoofing Pyramid

• BSSID – Radio MAC

• ESSID – Wireless SSID

• Channel & Tx Power – No Regulatory Restrictions

• DHCP, DNS, SSLstrip etc. – Bridge/NAT Interfaces

Platforms: USB Wireless Cards OR Kali NetHunter (Post-2014)

Page 9:

Demo – Think like an Attacker

Page 10:

Demo

• Dupe the user

• Service disruption

• Backdoor access

• Guest portal bypass

Page 11:

Watch Demo On YouTube

https://www.youtube.com/user/karanyuj

Page 12:

Wireless Intrusion Prevention Best Practices

Page 13:

Wireless Security Pre-requisites

• Secure Connection

• Identify Users

• Classify Applications

• Control Access

Across all endpoints: Client, Access Point, Switch, Wireless LAN Controller, Identity Services Engine

Page 14:

Secure the Connection

Page 15:

Authentication Best Practices: Use WPA2-Enterprise

Strong Authentication (EAP)

• Tunneling-Based (Protective Cover): EAP-PEAP, EAP-TTLS, EAP-FAST

• Inner Methods (Authentication Credentials): EAP-GTC, EAP-MSCHAPv2

• Certificate-Based: EAP-TLS

Strong Encryption

• AES – Advanced Encryption Standard that requires hardware support & achieves line-rate speeds

Page 16:

EAP Methods Comparison (For Your Reference)

                                     EAP-TLS   PEAP     EAP-FAST
Fast Secure Roaming                  Yes       Yes      Yes
Local WLC Authentication             Yes       Yes      Yes
OTP (One Time Password) Support      No        Yes      Yes
Server Certificates                  Yes       Yes      No
Client Certificates                  Yes       No       No
PAC (Protected Access Credentials)*  No        No       Yes
Deployment Complexity                High      Medium   Low

* PACs can be provisioned anonymously for minimal complexity.

Page 17:

Secure Your Wireless Infrastructure End-Points

1. Configure an 802.1x supplicant on the AP; the switch authenticates it via RADIUS against ISE

2. Enable switch port security

CAPWAP DTLS using Manufacturer Installed Certificates – the default out-of-the-box behavior for mutual authentication between AP and WLC

Page 18:

Management Frame Protection (MFP)

Problem

• Wireless management frames (beacons, probes, association) are not authenticated, encrypted, or signed

• A common vector for exploits

Solution

• Insert a signature (Message Integrity Code/MIC) into the management frames

• APs can instantly identify rogue/exploited management frames

• Optionally, clients and APs use the MIC to validate the authenticity of management frames

Page 19:

Infrastructure MFP Operation

[Figure: Corporate Building 1 has APs with BSSIDs 11:11:11:11:11:11 and 22:22:22:22:22:22; Corporate Building 2 shows an AP advertising the same BSSID 11:11:11:11:11:11. The radios of the two buildings cannot hear each other. The figure's numbered steps 1–3 are not recoverable from the transcript.]

Enable Infrastructure MFP: WLC GUI > Security > Wireless Protection Policies > MFP

Page 20:

Client MFP and 802.11w Operation

• Client MFP (CCXv5 clients): Protected Management Frames with MIC

• 802.11w: Protected Frames with a Security Association (SA)

Frame types covered: AP Beacons, Probe Requests/Probe Responses, Associations/Re-Associations, Disassociations, Authentications/De-Authentications, Action Management Frames

Protects against spoofing of both AP & Client

Page 21:

Identify Users & Enforce Policy

Page 22:

Profiling Strategies

ISE Base (device profiling & policy control by the WLC)

• AAA

• Guest Provisioning

ISE Wireless (wireless only)

• AAA

• Guest Provisioning

• Device Profiling

• Device On-boarding

• Device Posturing

• Partner MDM Integration

ISE Advanced

• Profiling & policy enforcement across any access medium

Page 23:

Profiling and Policy Enforcement Options

Profiling Factors: Time of Day, Authentication, Device Type, User Role

Network Components: WLC, RADIUS Server (e.g. ISE Base, ACS)

Policy Enforced: VLAN, Access List, QoS, Session Timeout, AVC (wireless only)

Page 24:

Profiling & Policy Enforcement Workflow

AAA services by ISE Base; device profiling & policy enforcement by the WLC

1. Auth. Request from the WLC to ISE Base; the Auth. Response carries Cisco-AV-Pair Role=Finance

2. The WLC profiles the device and applies the matching policy over CAPWAP: as drawn on the slide, a Finance user's personal device gets VLAN 3 / QoS = Silver, while a corporate device gets VLAN 7 / QoS = Platinum

Page 25:

Wi-Fi Direct Policy

Wi-Fi Direct allows a corporate laptop simultaneous access to the Corporate WLAN & to unauthorized devices (backdoor access)

Prevent access to the Corporate WLAN when Wi-Fi Direct is enabled on corporate wireless devices

Page 27:

What is the Need for Application Visibility and Control?

• Why is the wireless performance of my network so low?

• Should I add more access points to improve the user experience?

• What if someone is running BitTorrent against company policy & hurting the overall user experience?

Page 28:

Introducing Application Visibility and Control on WLC

Identify applications using NBAR2: client traffic is classified as Voice, Video, Best-Effort or Background

Control application behavior: Don't Allow, Rate Limiting

Page 29:

NetFlow Loop with Lancope & ISE

1. WLC exports client details via NetFlow v9

2. Lancope performs network forensics to detect anomalies like insider threats, DDoS & malware

3. ISE performs policy-based remediation, e.g. Change of Authorization, blacklist or quarantine

DEMO Links

https://www.youtube.com/watch?v=TuWYkrt94CQ

https://www.youtube.com/watch?v=0h_5qU4NTOM

Page 30:

Attack Detection & Mitigation Techniques

Page 31:

Rogue Detection Basics

Two Different AP Modes for RRM Scanning

• Local Mode AP – serves clients for 16s, then scans 50ms for rogues (best-effort scanning)

• Monitor Mode AP – scans 1.2s per channel (24x7 scanning)

Listening for Rogues: RF Group = Corporate. Any AP not broadcasting the same RF Group is considered a rogue.

Page 32:

RRM Channel Scanning Basics – Local Mode AP (Serves Data)

[Figure: timeline of a local-mode AP alternating time on its home channel (16s or 14.5s) with 50ms off-channel scans that step through the channel list; axis label "Detect Time".]

• AP on Channel 1 – 802.11 b/g/n (2.4GHz) – US country channels: every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)

• AP on Channel 36 – 802.11 a/n (5GHz) – US country channels (without UNII-2 Extended): every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)

Page 33:

RRM Channel Scanning Basics – Monitor Mode AP

[Figure: timeline of a monitor-mode AP dwelling 1.2s on each channel in turn: 802.11b/g/n (2.4GHz) all channels (1, 2, 3 …) and 802.11a/n (5GHz) all channels (36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140 …); axis label "Detect Time".]

Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
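The following Python model is an added example (not from the slides or Cisco) that estimates, from the two scanning schedules above, how long a rogue on a given channel can stay unheard by a local-mode versus a monitor-mode AP. The 180s period, the 50ms and 1.2s dwells and the channel counts are the slides' figures; the 100 TU beacon interval and the uniform-phase assumption are this example's own simplifications.

```python
"""Detection-latency model for the RRM scanning schedules on the two
"RRM Channel Scanning Basics" slides (local mode vs monitor mode).

Constructed example: the 180 s scan period, the 50 ms local-mode dwell and
the 1.2 s monitor-mode dwell come from the slides; the beacon interval and
the uniform-phase assumption below are this example's own simplifications.
"""
from dataclasses import dataclass

SCAN_PERIOD_S = 180.0        # slide: full channel scan duration
LOCAL_DWELL_S = 0.05         # slide: local mode goes off-channel for 50 ms
MONITOR_DWELL_S = 1.2        # slide: monitor mode dwells 1.2 s per channel
BEACON_INTERVAL_S = 0.1024   # ASSUMPTION: 802.11 default beacon interval (100 TU)


@dataclass(frozen=True)
class ScanEstimate:
    mode: str
    hop_interval_s: float            # how often the AP moves to the next scan channel
    revisit_s: float                 # time between two visits to the same channel
    p_hear_per_visit: float          # chance one visit overlaps at least one beacon
    worst_wait_first_visit_s: float  # longest wait until the channel is next visited
    expected_detect_s: float         # mean time from rogue power-on to first heard beacon


def hear_probability(dwell_s: float, beacon_interval_s: float = BEACON_INTERVAL_S) -> float:
    """P(a dwell of dwell_s contains at least one beacon) when the beacon phase
    is uniformly random relative to the scan schedule."""
    if dwell_s <= 0:
        return 0.0
    return min(1.0, dwell_s / beacon_interval_s)


def estimate(mode: str, n_channels: int,
             beacon_interval_s: float = BEACON_INTERVAL_S) -> ScanEstimate:
    if n_channels <= 0:
        raise ValueError("need at least one channel")
    if mode == "local":
        # Local mode: one 50 ms off-channel hop every 180 s / n_channels
        # (slide: 180 s / 11 channels = ~16 s), so any given channel is
        # revisited only once per full 180 s period.
        hop = SCAN_PERIOD_S / n_channels
        revisit = SCAN_PERIOD_S
        dwell = LOCAL_DWELL_S
    elif mode == "monitor":
        # Monitor mode: round-robin 1.2 s dwells with no client service, so
        # the revisit time is just one pass over the channel list.
        hop = MONITOR_DWELL_S
        revisit = MONITOR_DWELL_S * n_channels
        dwell = MONITOR_DWELL_S
    else:
        raise ValueError(f"unknown mode {mode!r}")

    p = hear_probability(dwell, beacon_interval_s)
    # The rogue appears at a uniformly random point of the revisit cycle, so
    # the first visit comes after revisit/2 on average; each failed visit
    # (geometric with success probability p) costs another full revisit.
    expected = revisit / 2 + (1 / p - 1) * revisit
    return ScanEstimate(mode, hop, revisit, p, revisit, expected)


def compare(n_channels: int) -> dict:
    """Side-by-side numbers for one band, keyed by mode."""
    return {m: estimate(m, n_channels) for m in ("local", "monitor")}


if __name__ == "__main__":
    for band, n in (("2.4 GHz US (11 ch)", 11), ("5 GHz US w/o UNII-2e (12 ch)", 12)):
        print(band)
        for mode, e in compare(n).items():
            print(f"  {mode:8s} hop {e.hop_interval_s:6.2f}s  revisit {e.revisit_s:6.1f}s  "
                  f"P(hear) {e.p_hear_per_visit:.2f}  worst first visit "
                  f"{e.worst_wait_first_visit_s:6.1f}s  expected detect {e.expected_detect_s:6.1f}s")
```

The model shows why the deck recommends monitor-mode APs for detection: a local-mode AP needs several 180s passes on average to catch a beacon in a 50ms dwell, while a monitor-mode dwell of 1.2s always overlaps one.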

Page 34:

Rogue Classification Rules – Who is more harmful?

Classification based on threat severity and mitigation action; rules tailored to the customer's risk model

Friendly              Malicious
Off-Network           On-Network
Secured               Open
Foreign SSID          Our SSID
Weak RSSI             Strong RSSI
Distant location      On-site location
No clients            Attracts clients
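As an added example (not the WLC's own rule engine), the Python below turns the two columns above into an ordered rule set: each rule is a list of conditions that must all hold, the first match wins, and a rogue matching nothing stays Unclassified for an analyst. The attribute names, the RSSI thresholds and the rule order are this example's assumptions, standing in for a customer's risk model.

```python
"""Ordered rogue-classification rules modelled on the Friendly/Malicious
columns of the "Who is more harmful?" slide. Constructed example: field
names, RSSI thresholds and the DEFAULT_RULES order are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class RogueAP:
    bssid: str
    ssid: str
    on_wired_network: bool   # seen on our wire (rogue detector, RLDP or SPT)
    encrypted: bool          # False means an open AP
    rssi_dbm: int            # as heard by our strongest detecting AP
    on_site: bool            # located inside our buildings
    client_count: int


@dataclass(frozen=True)
class Context:
    managed_ssids: frozenset
    strong_rssi_dbm: int = -60   # ASSUMPTION: at/above this counts as "strong RSSI"
    weak_rssi_dbm: int = -80     # ASSUMPTION: at/below this counts as "weak RSSI"


@dataclass(frozen=True)
class Rule:
    name: str
    classification: str       # "Malicious" or "Friendly"
    conditions: tuple         # every condition must hold
    severity: int             # higher = more urgent mitigation


# One predicate per cell of the slide's table.
def on_network(r, c): return r.on_wired_network
def off_network(r, c): return not r.on_wired_network
def is_open(r, c): return not r.encrypted
def secured(r, c): return r.encrypted
def our_ssid(r, c): return r.ssid in c.managed_ssids
def foreign_ssid(r, c): return r.ssid not in c.managed_ssids
def strong_rssi(r, c): return r.rssi_dbm >= c.strong_rssi_dbm
def weak_rssi(r, c): return r.rssi_dbm <= c.weak_rssi_dbm
def on_site(r, c): return r.on_site
def off_site(r, c): return not r.on_site
def has_clients(r, c): return r.client_count > 0
def no_clients(r, c): return r.client_count == 0


# Worst threats first, friendly neighbours last; anything else is Unclassified.
DEFAULT_RULES: Tuple[Rule, ...] = (
    Rule("on-wire-backdoor", "Malicious", (on_network,), severity=100),
    Rule("honeypot-our-ssid", "Malicious", (our_ssid, has_clients), severity=90),
    Rule("open-onsite-with-clients", "Malicious", (is_open, on_site, has_clients), severity=70),
    Rule("strong-onsite", "Malicious", (strong_rssi, on_site), severity=50),
    Rule("distant-secured-neighbor", "Friendly",
         (off_network, secured, foreign_ssid, weak_rssi, off_site, no_clients), severity=0),
)


def classify(rogue: RogueAP, ctx: Context,
             rules: Tuple[Rule, ...] = DEFAULT_RULES) -> Tuple[str, Optional[str], int]:
    """Return (classification, matching rule name, severity); first match wins."""
    for rule in rules:
        if all(cond(rogue, ctx) for cond in rule.conditions):
            return rule.classification, rule.name, rule.severity
    return "Unclassified", None, 10   # ASSUMPTION: low but non-zero, still needs review


if __name__ == "__main__":
    ctx = Context(frozenset({"corp-wifi"}))
    for ap in (RogueAP("00:11:22:33:44:55", "corp-wifi", False, False, -55, True, 3),
               RogueAP("00:11:22:33:44:66", "NeighborNet", False, True, -85, False, 0)):
        print(ap.bssid, ap.ssid, "->", classify(ap, ctx))
```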

Page 35:

Rogue Classification Rules Example

Page 36:

Wired Rogue Detection Methods

Rogue Detector AP (connected to the switch on a trunk port)

• Detects all rogue client and access point ARPs

• Controller queries the rogue detector to determine if rogue clients are on the network

• Does not work with NAT APs

Rogue Location Discovery Protocol (RLDP), run by a data-serving AP

• Connects to the rogue AP as a client

• Sends a packet to the controller's IP address

• Only works with open rogue access points

Page 37:

Rogue Detector AP Operation

Debug output (rogue detector AP on a trunk port):

    > debug capwap rm rogue detector
    ROGUE_DET: Found a match for rogue entry 0021.4458.6652
    ROGUE_DET: Sending notification to switch
    ROGUE_DET: Sent rogue 0021.4458.6651 found on net msg

Rogue BSSID: 0021.4458.6652

Resulting alarm: Alarm Changed from Minor to Critical – Security Alert: Rogue with MAC Address 0021.4458.6651 Has Been Detected on the Wired Network

Page 38:

Rogue Detector AP Mode – Example Deployment Scenario

[Figure: one rogue detector AP in each of Bldg 1, Bldg 2 and Bldg 3]

Install one rogue detector at each Layer 3 boundary. Put more simply, ensure all VLANs are monitored by a rogue detector.

Page 39:

Rogue Detector AP Mode – Configuration

All radios become disabled in this mode. The AP hangs off a switch trunk port that carries the VLANs to be monitored (WLC – Switch – AP):

    interface GigabitEthernet1/0/5
     description Rogue Detector
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 113
     switchport mode trunk
     spanning-tree portfast

Page 40:

Rogue Location Discovery Protocol (RLDP) Operation

WLC debug output:

    > debug dot11 rldp
    Successfully associated with rogue: 00:21:44:58:66:52
    Sending DHCP packet through rogue AP 00:21:44:58:66:52
    RLDP DHCP BOUND state for rogue 00:21:44:58:66:52
    Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
    Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
    Received 32 byte ARLDP message from: 172.20.226.253:52142

Rogue BSSID: 0021.4458.6652

Cisco Prime: Alarm Changed from Minor to Critical – Security Alert: Rogue with MAC Address 0021.4458.6652 Has Been Detected on the Wired Network
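The Python below is an added example (not WLC or Prime code) that parses the rogue detector and RLDP debug traces shown on the two slides into normalized wired-rogue alerts. The sample trace is constructed by concatenating the slides' lines, the regexes are written against exactly those line formats, and the alert wording copies the Prime alarm text; the rule that an RLDP alert needs the returned ARLDP packet (not merely a successful association) is this example's own check.

```python
"""Parse rogue detector (debug capwap rm rogue detector) and RLDP
(debug dot11 rldp) traces into wired-rogue alerts. Constructed example;
regexes follow the line formats shown on the slides."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two slides' debug lines, back to back.
SAMPLE_TRACE = """\
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6651 found on net msg
Successfully associated with rogue: 00:21:44:58:66:52
Sending DHCP packet through rogue AP 00:21:44:58:66:52
RLDP DHCP BOUND state for rogue 00:21:44:58:66:52
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142
"""

# Cisco dotted (0021.4458.6652) or colon (00:21:44:58:66:52) notation.
MAC = r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}|(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ROGUE_DET_FOUND = re.compile(rf"ROGUE_DET: Sent rogue ({MAC}) found on net msg")
RLDP_ASSOC = re.compile(rf"Successfully associated with rogue: ({MAC})")
RLDP_BOUND = re.compile(rf"RLDP DHCP BOUND state for rogue ({MAC})")
RLDP_RECEIVED = re.compile(r"Received (\d+) byte ARLDP message from: (\d+(?:\.\d+){3}):(\d+)")


def normalize_mac(mac: str) -> str:
    """Return the MAC in lower-case colon form whatever notation it came in."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_offset(a: str, b: str) -> int:
    """Numeric distance a - b between two MACs. On the slide the rogue detector
    reports a wired MAC one below the BSSID; SPT later matches on MAC +3/-3."""
    to_int = lambda m: int(normalize_mac(m).replace(":", ""), 16)
    return to_int(a) - to_int(b)


@dataclass(frozen=True)
class WiredRogueAlert:
    source: str    # "rogue-detector" or "rldp"
    mac: str       # normalized
    detail: str

    def message(self) -> str:
        return (f"Security Alert: Rogue with MAC Address {self.mac} "
                f"Has Been Detected on the Wired Network ({self.source}: {self.detail})")


def wired_rogue_alerts(trace: str) -> List[WiredRogueAlert]:
    alerts: List[WiredRogueAlert] = []
    rldp_target: Optional[str] = None   # rogue that RLDP is currently associated to
    rldp_bound = False                  # DHCP completed through that rogue
    for line in trace.splitlines():
        if m := ROGUE_DET_FOUND.search(line):
            alerts.append(WiredRogueAlert("rogue-detector", normalize_mac(m.group(1)),
                                          "rogue ARP seen on trunk port"))
        elif m := RLDP_ASSOC.search(line):
            rldp_target, rldp_bound = normalize_mac(m.group(1)), False
        elif m := RLDP_BOUND.search(line):
            rldp_bound = normalize_mac(m.group(1)) == rldp_target
        elif (m := RLDP_RECEIVED.search(line)) and rldp_target and rldp_bound:
            # Only the ARLDP packet arriving at the controller proves the rogue
            # bridges onto our wire; association plus DHCP alone would also
            # succeed against a neighbour's open AP that is not on our network.
            alerts.append(WiredRogueAlert("rldp", rldp_target,
                                          f"ARLDP reply from {m.group(2)}:{m.group(3)}, "
                                          f"{m.group(1)} bytes"))
            rldp_target, rldp_bound = None, False
    return alerts


if __name__ == "__main__":
    for alert in wired_rogue_alerts(SAMPLE_TRACE):
        print(alert.message())
```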

Page 41:

Rogue Location Discovery Protocol – Automatic Operation

• Two automatic modes of operation:

– 'AllAPs' – uses both Local and Monitor APs

– 'MonitorModeAPs' – uses only Monitor mode APs

• Recommended: Monitor Mode APs – RLDP can impact service on client-serving APs

Page 42:

Switchport Tracing (SPT) using Cisco Prime

Switchport Tracing: On-Demand or Automatic

• Identifies CDP neighbors of the APs detecting the rogue (figure step 1: show cdp neighbors on the corporate AP's switch)

• Queries the switches' CAM tables for the rogue's MAC (figure steps 2 and 3: CAM table lookups up towards the core)

• Works for rogues with security and NAT

SPT matches on: Rogue MAC Address, Rogue MAC +3/-3, Rogue Vendor OUI, Rogue Client MAC Address

Page 43:

Switchport Tracing (SPT) Containment Action

[Screenshot: per-port results listing the number of MACs found on the port and the match type; uncheck a port entry to shut the port]

Page 44:

Wireless Rogue AP Containment

Local Mode AP

• Broadcast & unicast de-auth

• A local mode AP can contain 3 rogues per radio

• Containment packets are sent every 500ms

• Impacts associated clients' performance

Monitor Mode AP

• Unicast de-auth & unicast dis-assoc

• A monitor mode AP can contain 6 rogues per radio

• Containment packets are sent every 100ms

Page 45:

Automatic Rogue AP Containment

• Use auto-containment only to nullify the most alarming threats

• Containment can have legal consequences

• The WLC can be set to use only Monitor Mode APs for containment, to prevent impact to clients

Page 46:

Rogue Location – On-Demand using Cisco Prime

• Allows an individual rogue AP to be located on-demand

• Keeps no historical record of rogue location

• Does not locate rogue clients

Page 47:

Rogue Location – In Real-Time with Prime and Mobility Services Engine (MSE) Context-Aware

• Tracks multiple rogues in real-time (up to MSE limits)

• Can track and store rogue location historically

• Provides location of rogue clients, rogue ad-hoc networks & non-WiFi interferers (e.g. microwave, Bluetooth) as well as WiFi interferers

Page 48:

Zone of Impact with Prime and MSE Context-Aware

[Figure: floor map showing the zone of impact of non-WiFi interferers and of a rogue access point]

Page 49:

Cisco's Attack Detection Mechanisms

Core (WLC Base IDS)

• Rogue AP and Client Detection

• 17 Common Attack Signatures

Adaptive wIPS (with Cisco Prime)

• Alarm Aggregation, Consolidation and False Positive Reduction

• Enhanced DoS Attack Behaviour Analysis – 115 attack signatures

• Coordinated Rogue Containment

• Anomaly Detection

• Forensic, Blacklisting, Auto Containment, and Auto Immunity responses

Page 50:

Adaptive wIPS Signature Example

[Screenshot: signature list showing DNS Tunnel Detection and ICMP Tunnel Detection, each with its Action column]

Page 51:

Network Design Considerations

Page 52:

Adaptive wIPS Deployment Recommendations

Enhanced Local Mode (ELM)

• Local mode AP serves clients for 16s, then scans 50ms for attacks (best-effort scanning)

• Enable ELM on every deployed AP

Monitor Mode AP

• Scans 1.2s for attacks (24x7 scanning)

• Deploy 1 MM AP for every 5 Local Mode APs

Local Mode AP with WSSI Module

• The AP radios serve clients while the module scans 1.2ms for attacks (24x7 scanning)

• Deploy 1 WSSI for every 5 Local Mode APs

Page 53:

Demo - Rogue Detection & Mitigation

Page 54:

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.


Page 55:

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Page 56:

Please join us for the Service Provider Innovation Talk featuring:

Yvette Kanouff | Senior Vice President and General Manager, SP Business

Joe Cozzolino | Senior Vice President, Cisco Services

Thursday, July 14th, 2016

11:30 am - 12:30pm, In the Oceanside A room

What to expect from this innovation talk

• Insights on market trends and forecasts

• Preview of key technologies and capabilities

• Innovative demonstrations of the latest and greatest products

• Better understanding of how Cisco can help you succeed

Register to attend the session live now or watch the broadcast on cisco.com

Page 57:

Thank you

Page 58: