13830_06_2007_c2
Cisco Confidential
802.11 Wireless LAN Security Fundamentals
BRKAGG-2015
Agenda
WLAN Security
Policy/Standards shaping Security
IEEE
Wi-Fi Alliance
IETF
IEEE 802.11 standards and what each covers:
802.11a: 5 GHz, 54 Mbps
802.11b: 2.4 GHz, 11 Mbps
802.11d: Multiple regulatory domains
802.11e: Quality of Service (QoS)
802.11f: Inter-Access Point Protocol
802.11g: 2.4 GHz, 54 Mbps
802.11h: DFS & TPC
802.11i: Security
802.11j: Japan 5 GHz channels
802.11k: Measurement
802.11m: Maintenance
802.11n: High-speed
802.11r: Fast roaming
802.11s: Mesh networking
802.11w: Management Frame Protection
Wi-Fi Alliance (develops specifications, interoperability testing): 802.11a, 802.11b, 802.11g, WMM, WPA, WPA2
Legend: yellow = over-the-air protocols; orange = key Wi-Fi standards; black = all other
Wireless Security
802.11 Security: summary of 802.11, WPA, WPA2, and regulations and standards
Layer 2 / WPA2
Security tiers:
Gold: WPA2/802.11i; EAP-FAST/TLS/PEAP; AES
Silver: WPA; EAP-FAST/TLS/PEAP; TKIP
Lead: Dynamic WEP; EAP-FAST/LEAP; VLANs + ACLs
Figure (802.1X with a WLC): the client talks to the WLC over 802.11 carrying 802.1X (EAPoL); the WLC talks to the authentication server over UDP/IP carrying RADIUS; EAP runs end to end between client and authentication server, as specified by WPA.
Provides a secure management interface between AP and controller; FIPS client
Wireless Security
Components
Security framework (figure):
Cisco strategy: an initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats
Strong Mutual Authentication; Strong Encryption; True Wireless IPS; Adaptive Client Policies
Ensuring Client Integrity: Network Admission Control; dynamic, real-time policy updates
Anomaly and IDS/IPS
Controlling Client Access: Admission Control; Infection Containment; Endpoint Protection
Protect the Network: Rogue AP detection and containment; Multilayer client exclusions
Integrated Management
Implementation Checklist
✓ Authentication - 802.1x
✓ Management Frame Protection
Cisco Confidential
22
Authentication
Authentication
Discover the peer's identity:
The network proves who it is to you, so you can decide whether you really do want to talk with it (i.e., so you can make an authorization decision).
You (or your device) prove who you are to the network, so it can decide whether to talk with you (i.e., so it can make an authorization decision).
How: authentication based on a credentials exchange
User name/password
One-time password/token
Certificate/PKI infrastructure
IEEE terms:
Supplicant = client
Authenticator = the network device the client attaches to
Authentication Server = AAA/RADIUS server
EAP / 802.1X Overview
802.1X authentication has three key components:
Supplicant - WLAN client
Authenticator - WLC
Authentication Server - AAA server
Authentication: IEEE 802.1X Port-Based Network Access Control
802.1X is an IEEE standard for port-based network access control and is EAP based. It is a NETWORK standard, not a wireless standard.
It describes a standard link-layer protocol used for transporting higher-level authentication protocols.
Assumes no reordering by the lower layer
Can run over lossy or lossless media
802.1X/EAP on a WLAN (figure):
The client associates to the WLAN controller/AP; the corporate network is blocked by the controller/AP.
802.1X/EAP runs between the client and the controller/AP; the controller/AP relays EAP inside RADIUS to the RADIUS server, which checks the user database.
EAP authentication completes; RADIUS returns the result and the client's traffic is passed by the controller/AP.
EAP Authentication
Machine Authentication
Machine authentication using PEAP uses the account information for the computer created at the time the machine is added to the domain.
WLAN Security: 802.1X Client Authentication Choices
EAP-TLS (EAP-Transport Layer Security): requires client & server certificates (PKI infrastructure)
PEAP (Protected EAP): uses a server-based certificate with client passwords; GTC (Cisco) & MSCHAPv2 (Microsoft) versions
EAP-FAST: uses TLS tunneling; no certificates required
(The figure shows the client, the AP and the RADIUS server.)
EAP type comparison, part 1 (columns in slide order; the first column header is missing from the extracted slide and is taken to be EAP-TLS, which is consistent with the certificate rows below):
Row: EAP-TLS | PEAP | LEAP | EAP-FAST
Single Sign-on: Yes | Yes | Yes | Yes
(row label missing): Yes1 | Yes1 | Yes | Yes
(row label missing): N/A | Yes | No | Yes
(client support row, column assignment not recoverable): Cisco/CCXv1 or above clients and others2; Cisco/CCXv3 clients4 and others2
MS DB Support: Yes | Yes | Yes | Yes
LDAP DB Support: Yes | Yes5 | No | Yes
OTP Support: No | Yes5 | No | Yes6
1 Windows
EAP type comparison, part 2 (same columns):
Row: EAP-TLS | PEAP | LEAP | EAP-FAST
(row label missing): No | No | Yes1 | No
Local Authentication: No | No | Yes | Yes
WPA Support: Yes | Yes | Yes | Yes
(row label missing): No | No | Yes | Yes
Server Certificates?: Yes | Yes | No | No
Client Certificates?: Yes | No | No | No
Deployment Complexity: High | Medium | Low | Low
(row label missing): High | High | Low | Low/Medium
1 Strong
Privacy/Encryption
Why WPA
Migration from WEP using the same hardware; fixes the known WEP issues.
WPA2 uses AES-CCMP encryption rather than TKIP.
Privacy: 802.11i
All components of the Cisco WLAN infrastructure have achieved FIPS 140-2 Level 2 certification for 802.11i.
802.11i encrypts client traffic to the access point.
Hardware-based AES encryption per radio on the AP.
FIPS Client
802.11i key hierarchy with a FIPS Aironet AP and a FIPS-compliant RADIUS server (figure):
802.1X/EAP authentication runs as 802.1X-EAPOL between supplicant and AP and as EAP transport over RADIUS (via LWAPP) between controller and RADIUS server; it yields the PMK at the supplicant and at the RADIUS server.
2. RADIUS distributes the PMK to the controller.
3. Controller and supplicant derive PTK = KCK, KEK & GTK.
4. Controller distributes the PTK to the AP over LWAPP (AES-CCM).
Client traffic is protected with 802.11i AES-CCMP (128-bit).
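How step 3 works in practice, as an added example that is not Cisco's code and not taken from the slides: the IEEE 802.11i pairwise key derivation that both the controller and the supplicant run on the PMK, followed by the EAPOL-Key MIC check a supplicant performs with the resulting KCK. PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)), split into KCK, KEK and TK; the GTK itself is not part of the PTK but is delivered wrapped under the KEK. The PMK, MAC addresses, nonces and the EAPOL-Key frame contents below are constructed sample data, and the frame builder assumes the standard EAPOL-Key field order with the MIC at byte offset 81.

```python
import hashlib
import hmac

# --- Constructed sample values (not from the slides) ---
PMK = bytes.fromhex("0f" * 32)                 # 256-bit PMK as delivered by RADIUS
AA = bytes.fromhex("001a2b3c4d01")             # authenticator (AP) MAC address
SPA = bytes.fromhex("00aabbccddee")            # supplicant MAC address
ANONCE = bytes(range(32))                      # authenticator nonce (message 1)
SNONCE = bytes(range(100, 132))                # supplicant nonce (message 2)
MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of key descriptor before Key MIC


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) blocks, truncated to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """Both sides compute the same PTK from the PMK, both MACs and both nonces."""
    nbits = 384 if cipher == "CCMP" else 512  # TKIP needs a 256-bit temporal key
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        keys["TK"] = ptk[32:64]
    return keys


def eapol_key_mic(kck, frame_with_zeroed_mic):
    """Key descriptor version 2 (AES/CCMP): HMAC-SHA1-128 over the whole EAPOL frame."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_eapol_key(nonce, key_data):
    """Constructed EAPOL-Key frame in 802.11i field order, with the MIC field zeroed."""
    body = (
        b"\x02"            # descriptor type: RSN
        + b"\x13\xca"      # key information (constructed value, descriptor version 2)
        + b"\x00\x10"      # key length 16 (CCMP)
        + b"\x00" * 8      # replay counter
        + nonce            # key nonce
        + b"\x00" * 16     # key IV
        + b"\x00" * 8      # key RSC
        + b"\x00" * 8      # reserved
        + b"\x00" * 16     # key MIC (filled in by sign_eapol_key)
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def sign_eapol_key(kck, frame):
    """Authenticator side: compute the MIC over the zeroed frame and insert it."""
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_eapol_key(kck, frame):
    """Supplicant side (message 3): recompute the MIC with KCK and compare in constant time."""
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_key_mic(kck, zeroed), received)


def demo():
    keys = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    # The controller signs message 3; in a real exchange key_data carries the KEK-wrapped GTK.
    msg3 = sign_eapol_key(keys["KCK"], build_eapol_key(ANONCE, b"constructed key data"))
    tampered = msg3[:-1] + bytes([msg3[-1] ^ 0x01])  # flip one bit of the key data
    return {"mic_valid": verify_eapol_key(keys["KCK"], msg3),
            "tampered_valid": verify_eapol_key(keys["KCK"], tampered)}


if __name__ == "__main__":
    print(demo())
```

Because the derivation orders the two addresses and the two nonces, both peers reach the same PTK regardless of which side they are; a wrong PMK or a replayed nonce produces a different KCK and the MIC check on message 3 fails, which is how the supplicant learns it is not talking to a holder of the PMK.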
Client Protection
Association Process
Management Frame Protection (figure): managed AP1 with MAC address A.B.C.D, and an attacker spoofing AP1's MAC address A.B.C.D; the question is which one carries a valid signature.
Management frames covered: AP beacons; probe requests/responses; associations/re-associations; disassociations; authentications/de-authentications; action management frames.
FUTURE: CCXv5
Benefits of MFP
Protection against rogue APs, man-in-the-middle exploits, and other management frame attacks.
Infrastructure MFP
Detection: quick response to WLAN events.
Extra fidelity for rogue AP and typical exploits.
Implementation Checklist
✓ Cisco NAC for wired and wireless (Admission Control; Infection Containment; Network Admission Control portal; dynamic, real-time policy updates)
✓ Cisco CSA
NAC overview (figure): two forms, NAC Framework (RADIUS-based, with partner policy and remediation servers) and NAC Appliance (CCA, with NAC App Server and NAC App Manager).
Components: Network Access Device (EoU, EAPo802.1x); AAA (ACS); policy (vendor partners); remediation (vendor or Cisco); trust.
Phases: 1. discovery (with or without agent); 2. agent; authentication; policy; enforcement.
What is checked: which applications are on the system (AV, personal firewall, patching tool).
How it is checked and fixed: pre-configured, customized, 3rd party.
VLAN mapping (figure): user WLAN on VLAN 131 at the WLAN controller; VLAN 10 and VLAN 200 at the access/distribution layer toward the intranet/Internet.
CSA Wireless Endpoint Protection
Enterprise guest access (figure):
Access control: wireless VLANs created with a guest SSID; enterprise users authenticate with 802.1X, guests over https.
Path isolation: separate guest traffic from the Federal authorized local traffic with EoIP tunnels; an EtherIP guest tunnel carries guest traffic from the WLAN controllers across the core to a DMZ anchor guest controller, managed from WCS.
Implementation Checklist
✓ Rogue/WLAN Attack Detection (Anomaly and IDS/IPS; Protect the Network: rogue AP detection and containment, multilayer client exclusions)
✓ Rogue Containment
✓ Location Services
✓ Security Management
WLAN threats (figure):
Rogue AP: employees unknowingly create an opening to the enterprise network (hacker).
Client mis-association: employees connect to an external WLAN, creating a portal to the enterprise wired network.
Rogue WLAN: client-to-client connections, bypassing infrastructure security checkpoints.
DoS attacks: denial of service (hacker).
Cisco Unified Threat Detection and Mitigation
Threat Mitigation
Threat mitigation involves reactive security measures applied in response to an incident.
Threat mitigation on a WLAN extends the actions available in response to an incident to include:
Figure: ad hoc networks and a rogue AP next to the enterprise network; RF containment on 802.11a; intelligent RF scanning = cost-effective solution.
Cisco IDS/IPS for general WLAN client traffic monitoring & threat mitigation
Detection of worms, viruses, application abuse, spyware, adware, etc., as well as policy violations
Client shun to disconnect & block a WLAN client
Logging: SNMP, syslog & RADIUS accounting
Rogue AP Detection
Rogue AP detection has multiple facets:
Air/RF detection: detection of rogue devices by observing/sniffing beacons and 802.11 probe responses
Rogue AP detection architecture (figure): Wireless Control System (WCS) as the NMS, the wireless LAN controller, and switches at the layers labelled Distribution and Access; detection methods shown are Auto-RRM, RLDP, and ARP sniffing by a rogue detector; rogue APs appear on both the wired and the wireless side.
2. Assess rogue AP (identity, location, ..)
3. Contain rogue AP
4. View historical report
Controlled by the administrator; multiple rogues can be contained simultaneously.
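As an added example (not Cisco's product logic and not code from the slides), a minimal classifier over the facets named above: air/RF observations of beacons and probe responses gathered by scanning APs, a managed-AP inventory, a list of corporate SSIDs, and the MACs a rogue detector saw in wired ARP traffic. It flags an unknown BSSID that is also on the wire, an unknown BSSID advertising a corporate SSID, and a managed BSSID heard on a channel other than its configured one (the spoofed-AP case from the MFP slide). The inventory, SSIDs, observations and the exact-match wire check are constructed assumptions; real controllers apply their own matching rules.

```python
from dataclasses import dataclass, field

# --- Constructed data (not from the slides) ---
# Managed-AP inventory: BSSID -> (AP name, configured channel)
MANAGED_APS = {
    "00:1a:2b:3c:4d:01": ("AP1", 6),
    "00:1a:2b:3c:4d:02": ("AP2", 11),
}
CORPORATE_SSIDS = {"corp-secure"}
# MACs the rogue-detector AP saw in ARP frames on its wired trunk (constructed)
WIRED_ARP_MACS = {"00:50:7f:11:22:33", "00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    frame: str      # "beacon" or "probe_resp": what the scanning APs sniff
    sensor: str     # managed AP that heard the frame


@dataclass
class Finding:
    bssid: str
    verdict: str
    severity: str
    reasons: list = field(default_factory=list)


def classify(observations, managed=MANAGED_APS, corp_ssids=CORPORATE_SSIDS,
             wired_macs=WIRED_ARP_MACS):
    """Air/RF facet plus wired correlation; returns one Finding per suspicious BSSID."""
    findings = {}
    for o in observations:
        if o.frame not in ("beacon", "probe_resp"):
            continue  # air/RF detection keys off these management frames only
        bssid = o.bssid.lower()
        if bssid in managed:
            name, chan = managed[bssid]
            if o.channel != chan:  # our BSSID on the wrong channel: possible spoofed AP
                f = findings.setdefault(bssid, Finding(bssid, "possible-spoof", "high"))
                f.reasons.append(f"{name} heard on channel {o.channel} by {o.sensor}, configured {chan}")
            continue
        f = findings.setdefault(bssid, Finding(bssid, "unclassified", "low"))
        f.reasons.append(f"{o.frame} ssid={o.ssid!r} ch={o.channel} heard by {o.sensor}")
        if bssid in wired_macs:  # unknown AP whose MAC shows up in wired ARP: on our network
            f.verdict, f.severity = "rogue-on-wire", "high"
        elif o.ssid in corp_ssids and f.verdict != "rogue-on-wire":  # impersonates our SSID
            f.verdict, f.severity = "rogue-honeypot", "high"
    return sorted(findings.values(), key=lambda f: (f.severity != "high", f.bssid))


# Constructed observations as the scanning APs would report them
OBSERVATIONS = [
    Observation("00:1a:2b:3c:4d:01", "corp-secure", 6, "beacon", "AP2"),   # AP1, as configured
    Observation("00:1A:2B:3C:4D:01", "corp-secure", 1, "beacon", "AP2"),   # AP1's BSSID on ch 1
    Observation("00:50:7f:11:22:33", "free-wifi", 3, "beacon", "AP1"),     # unknown, on the wire
    Observation("00:aa:bb:cc:dd:ee", "corp-secure", 6, "probe_resp", "AP1"),  # fake corp SSID
    Observation("00:11:22:33:44:55", "coffee", 11, "beacon", "AP2"),       # neighbour
    Observation("00:11:22:33:44:55", "coffee", 11, "data", "AP2"),         # ignored frame type
]


def run():
    return {f.bssid: f.verdict for f in classify(OBSERVATIONS)}


if __name__ == "__main__":
    for f in classify(OBSERVATIONS):
        print(f.severity, f.bssid, f.verdict, "; ".join(f.reasons))
```

The verdicts map onto the workflow steps above: high-severity findings are the ones an administrator would assess (identity, location) and decide to contain; the low-severity "unclassified" neighbour is kept for the historical report rather than acted on.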
Wireless IDS
Figure: IDS and IPS sensors at the core behind two WLCs and their LAPs.
Wired IDS integration (figure):
Problem: an authorized user's laptop is infected with a worm or virus, so malicious traffic arrives from an authenticated user.
Solution:
1. Malicious traffic goes from the client to the AP/controller
2. The controller forwards it to the wired IDS (4200 Series IDS sensor) for deep packet inspection
3. The IDS sends a shun to the controller
Cisco Unified Wireless Solution and Firewall Integration
FWSM: Single or Multiple Security Contexts
The FWSM supports single or multiple security contexts. In single context mode all security administration is shared. In multiple context mode, administration of the different security configurations can be separated, creating multiple virtual FWSMs. Multiple context mode also supports more VLAN interfaces, and allows load sharing between FWSMs.
Location
Location Services
Effectively track clients as they enter your wireless network.
Location use cases: asset management; streamline workflow; troubleshooting; security; voice; location-based content distribution; telemetry (relevant information about the tracked item).
Location Capabilities: Cisco 2700 Series Wireless Location Appliance
WCS: simple, powerful dashboard; robust reporting
Security management figure: NADs, pnAgent, Posture Validation Server, Audit Server, Syslog, CS-MARS, ACS v4.0.
Checklist Summary
Strong Mutual Authentication; Strong Encryption; True Wireless IPS; Adaptive Client Policies:
✓ 802.1X
✓ FIPS WPA2 (AES)
✓ Management Frame Protection
✓ Cisco CSA
Ensuring Client Integrity (Network Admission Control; dynamic, real-time policy updates) and Controlling Client Access (Admission Control; Infection Containment; Endpoint Protection):
✓ Cisco NAC for wired and wireless
✓ Cisco CSA
Anomaly and IDS/IPS; Protect the Network (rogue AP detection and containment; multilayer client exclusions):
✓ Rogue Detection
✓ Rogue Containment
✓ Location Services
✓ Guest: integrated captive portal w/ traffic tunneling
✓ Security Management
Benefits (figure): Secure Connectivity (IPSec VPNs, X.509 certificates, secure control channel); Threat Defense; Trust and Identity. Threats pictured: rogues, hacker, viruses, denial of service.
Q and A
Recommended Reading
Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press.