
BRKAGG-2015

13830_06_2007_c2

2007 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

802.11 Wireless LAN Security Fundamentals


Agenda
WLAN Security
Policy/Standards shaping Security

IEEE
Wi-Fi Alliance
IETF

Secure Wireless Components


Controlling Client Access
Ensuring Client Integrity
Protect the network


802.11 WLAN Standards Activities: The Alphabet Soup

The IEEE develops each specification; the Wi-Fi Alliance runs interoperability testing and, where it certifies, does so under its own names.

IEEE      Wi-Fi Alliance   Standard
802.11a   802.11a          5 GHz, 54 Mbps
802.11b   802.11b          2.4 GHz, 11 Mbps
802.11d   -                Multiple Regulatory Domains
802.11e   WMM              Quality of Service (QoS)
802.11f   -                Inter-Access Point Protocol
802.11g   802.11g          2.4 GHz, 54 Mbps
802.11h   -                DFS & TPC
802.11i   WPA, WPA2        Security
802.11j   -                Japan 5 GHz Channels
802.11k   -                Measurement
802.11m   -                Maintenance
802.11n   -                High-Speed
802.11r   -                Fast Roaming
802.11s   -                Mesh Networking
802.11w   -                Management Frame Protection


Wireless Security


802.11 Security Summary: 802.11, WPA, WPA2, Regulations and Standards


802.11 RF Is Not a Remote Access Technology

802.11 is not remote access:
802.11 isn't attacked by someone across the country
802.11 isn't attacked by someone in another country
802.11 isn't attacked from the comfort of a bedroom or dorm room
Realistic range for an attack is around 2000 feet
Line of sight and elevation become an issue

The pool of potential attackers is vanishingly small compared to the Internet

Yes, you can be attacked
Yes, WLANs should be secured
Rule number one in avoiding predators is: don't look like prey


It All Starts with WLAN Security

The Enterprise market and State & Local governments all follow the lead of the Federal Government for security:
Layer 3 / IPSec
Layer 2 / WPA2

Federal Agencies define what WLAN security is and how it should be deployed within Government:
FIPS 140-2, Common Criteria & DoD 8100.2

Ongoing dialogue with Federal and Enterprise customers is essential for guiding product requirements for Government solutions:
Privacy, Authentication, WIDS, Location, etc.


Security Paradigm Shift

In the past:
APs were unmanageable, untrusted devices
Segregated to a DMZ
Secured with software-overlay FIPS solutions

Wireless deployments today:
Thin APs with controllers and Enterprise Management have emerged
Cisco APs are now classified as Information Assurance devices which perform authentication, encryption and Intrusion Detection/Prevention
IEEE has addressed security with ratification of 802.11i in 6/04
Embedded security obviates the need for software overlays, which improves scalability, manageability, and reliability while eliminating unnecessary components and costs


WLAN Security Standards

IEEE 802.11 TGi - Proposed Standard 802.11i
IEEE Task Group focused on WLAN Security Improvement
Enhancements proposed: 802.1X, EAP, TKIP, MIC, AES
Ratified July 04
http://www.ieee.org

Wi-Fi Alliance: Wi-Fi Protected Access (WPAv2)
Compatibility Seal of Approval
Wi-Fi Interoperability: Wi-Fi WLAN Interoperability, CY2000
Wi-Fi Protected Access (WPAv2): 802.1X, EAP, TKIP, MIC, AES
http://www.weca.net

FIPS: Federal Information Processing Standard
Not specific to WLAN but does have implications for encrypting data sent over WLANs
Regulated by NIST
http://csrc.nist.gov/publications/fips/index.html
http://www-08.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf - Federal WLAN Guide


Wi-Fi Protected Access

What are WPA and WPA2?
Authentication and encryption standards for Wi-Fi clients and APs
802.1x authentication
WPA uses TKIP encryption
WPA2 uses AES block cipher encryption

Gold: WPA2/802.11i, EAP-FAST/TLS/PEAP, AES
Silver: WPA, EAP-FAST/TLS/PEAP, TKIP
Lead: Dynamic WEP, EAP-FAST/LEAP, VLANs + ACLs

Which should I use?
Gold, for supporting NICs/OSs
Silver, if you have legacy clients
Lead, if you absolutely have no other choice (i.e., ASDs)


IEEE 802.11i (WLAN Security) Improvements

802.11i is the IEEE 802.11 subcommittee responsible for WLAN security improvements

Key components of the IEEE 802.11i standard are:
EAP/802.1x framework-based user authentication
TKIP: mitigates the RC4 key scheduling vulnerability and active attack vulnerabilities
IV expansion: 48-bit IVs
Key management: isolates encryption key management from user authentication
AES: long-term replacement protocol for RC4 (WEP)

WPAv2 is the Wi-Fi Alliance (WFA) inclusion of 802.11i security recommendations

802.11i/WPA Authentication and Key Management Architecture

(Figure: client, Access Point, WLC and Authentication Server in a row.)
Client to Access Point: 802.11, carrying 802.1X (EAPoL)
WLC to Authentication Server: UDP/IP, carrying RADIUS
EAP runs end-to-end between client and Authentication Server (LEAP, PEAP, EAP-TLS and EAP-FAST)
The figure brackets parts of this exchange as "802.11i Specified" and "WPA Specified"

IEEE standards provide device interoperability
WPA guarantees a degree of system interoperability



Cisco WLAN FIPS Status

Federal Information Processing Standard (FIPS)

Validated for FIPS 140-2 and Common Criteria:
4400 controller
AP1200, AP1100 and BR1300 (LWAPP and autonomous)

FIPS kits are required; contents include:
Tamper-evidence labels
Download instructions for FIPS approved Cisco IOS images
Download instructions for security policies

Key Wireless Policies/Documents

DoD 8100.2 and Follow-on Supplement
Mandates the use of:
Strong Authentication, Non-Repudiation and Personal Identification in accordance with DoD PKI
Mandates the use of EAP-TLS for mutual authentication

Encryption of wireless traffic via an assured channel is mandatory and must be FIPS 140-2 validated
Solution must be:
802.11i (AES 128)
WPAv2 certified by Wi-Fi Alliance
FIPS 140-2 Level 2 validated Hardware, FIPS 140-2 Level 1 for Software
In-process for Common Criteria Certification against Basic Robustness Protection Profile

Wireless Intrusion Detection, Denial of Service Mitigation, as well as actively screening for Wireless devices
WIDS is mandatory

Standardizing the WLAN Architecture

The Internet Engineering Task Force (IETF) focused on delivering a standard
LWAPP selected as starting point, and follows the same architecture
Renamed protocol to Configuration and Provisioning of Wireless Access Points (CAPWAP)
Peer security review completed

Predicted ratification date Q108


Deploying a Secure WLAN

LWAPP/CAPWAP FIPS Solution:
Allows for 802.11i over-the-air security
Allows for termination of 802.11i in the AP
APs authenticate to controller using X.509 certificate
Controller can authorize certificates
Provides secure management interface between AP/Controller
(Figure also shows a FIPS client.)

Wireless Security
Components


Secure WLAN Architectures: Building Castles not Islands

Security is now more than just defending WAN attacks
(Figure: Internet and Intranet perimeters.)

New Perimeter Security must be pervasive in the network

Four Key Components:
Authentication & Integrity
Privacy
Wireless Intrusion Prevention
Location


It's About More than Just Securing the Wireless Network

Need to take a Defense-in-depth approach
Wired/Wireless Integration
Integrate with Cisco framework for Self Defending Networks.
Cisco ASA/PIX Firewalls or Firewall Service Modules located anywhere in the network.
Integrate with FIPS Validated Wireless Clients and Cisco Security Agent
Future integration with CS-MARS for IDS event correlation for both Wired and Wireless Network
Cisco Network Access Control
Wired side IDS to detect Ethernet DoS attacks with Cisco 4200 IDS or Catalyst 6500 IDSM

Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

Self-Defending Network: a Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats

Controlling Client Access: Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies
Ensuring Client Integrity: Network Admission Control; Dynamic, real-time policy updates
Protect the Network: Rogue AP detection and containment; Multilayer client exclusions

SDN elements in the figure: Endpoint Protection, Admission Control, Infection Containment, Anomaly and IDS/IPS, Integrated Management

Checklist for Secure Wireless LANs: Implementation Checklist

Controlling Client Access (Strong Mutual Authentication, Strong Encryption, True Wireless IPS, Adaptive Client Policies; Endpoint Protection):
✓ Authentication - 802.1x
Encryption - FIPS Certified WPA2 (AES)
Management Frame Protection

Authentication


What Is the Problem?

802.11 Users Want Data Confidentiality
Enterprises want protected campus access.
Home users want to block unauthorized access.
Hot spots want to avoid the liability of one customer hacking another.
Everyone wants to stop unauthorized usage of their networks, particularly illegal activities!
Users want to know they are connecting to a trusted access point instead of an impostor.
Everyone wants to prevent credential theft.

Network Security is about Access Control



Authentication
Discover the peer's identity
The network proves who it is to you, so you can decide if you really do want to talk with it (i.e., so you can make an authorization decision)
You (or your device) prove who you are to the network, so the network can decide whether to talk with you (i.e., so it can make an authorization decision)

How:
Authentication based on credentials exchange
User name/password
One Time Password/Token
Certificate/PKI infrastructure

First, Some IEEE Terminology

IEEE Terms              Normal People Terms
Supplicant              Client
Authenticator           Network Access Device
Authentication Server   AAA/RADIUS Server

EAP / 802.1X Overview
802.1X authentication has three key components:
Supplicant - WLAN Client
Authenticator - WLC
Authentication Server - AAA Server


Authentication: IEEE 802.1x Port-Based Network Access Control
802.1x is an IEEE Standard for Port Based Network Access Control, EAP based - a NETWORK standard, not a wireless standard
Describes a standard link layer protocol used for transporting higher-level authentication protocols.
Works between the Supplicant (Client) and the Authenticator (Network Device).
Maintains backend communication to an Authentication Server (RADIUS).
Provides Network Authentication, not encryption
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
Improved authentication: username/password or certificate based
Is PART of the 802.11i Standard (WPA/WPAv2)


Extensible Authentication Protocol (EAP)

A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself

EAP provides a flexible link layer security framework:
Simple encapsulation protocol
No dependency on IP
Few link layer assumptions
Can run over any link layer (PPP, 802, etc.)
Assumes no reordering
Can run over lossy or lossless media

Originally specified in RFC 2284, obsoleted by RFC 3748

How Does Extensible Authentication Protocol (EAP) Authenticate Clients?

(Figure: WLAN Client, WLAN Controller/AP, RADIUS Server, User Database, Corporate Network.)
1. Client associates
2. Data from the client is blocked by the Controller/AP: the client cannot send data until EAP authentication is complete
3. EAP runs between client and RADIUS Server, carried as 802.1x between client and Controller/AP and as RADIUS between Controller/AP and RADIUS Server; the RADIUS Server consults the User Database
4. EAP Authentication Complete
5. Client sends data; data from the client is now passed by the Controller/AP to the Corporate Network

EAP Authentication


Machine Authentication
Machine authentication using PEAP
Uses account information for the computer created at the time the machine is added to the domain
Computer must be a member of the domain
If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert

Machine authentication using EAP-TLS
Authenticates the computer using certs
The computer must have a valid cert
If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert

Why do machine authentication? It ensures that the device, not just the user, is allowed to connect to the Network

WLAN Security: 802.1X Client Authentication Choices
(Figure: Client, AP, RADIUS Server.)

EAP-TLS
EAP-Transport Layer Security
Requires client & server certificates (PKI Infrastructure)
Used in WPA interoperability testing

PEAP
Protected EAP
Uses server based certificate with client passwords
GTC (Cisco) & MSCHAPv2 (Microsoft) versions

EAP-FAST
Uses TLS tunneling
No certificates required

Other EAP types (EAP-MD5, EAP-SIM, etc.)

EAP Protocols: Feature Support

Feature                       EAP-TLS   PEAP      LEAP   EAP-FAST
Single Sign-on                Yes       Yes       Yes    Yes
Login Scripts (MS DB)         Yes (1)   Yes (1)   Yes    Yes
Password Expiration (MS DB)   N/A       Yes       No     Yes
MS DB Support                 Yes       Yes       Yes    Yes
LDAP DB Support               Yes       Yes (5)   No     Yes
OTP Support                   No        Yes (5)   No     Yes (6)

Client and OS Availability:
EAP-TLS: XP, 2000, CE, and others (2)
PEAP: XP, 2000, CE, CCXv2 clients (3), and others (2)
LEAP: Cisco/CCXv1 or above clients and others (2)
EAP-FAST: Cisco/CCXv3 clients (4) and others (2)

Notes:
(1) Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
(2) Greater operating system coverage is available from Meetinghouse and Funk supplicants
(3) PEAP/GTC is supported on CCXv2 clients and above
(4) Cisco 350/CB20A clients support EAP-FAST on MSFT XP, 2000, and CE operating systems; EAP-FAST supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients
(5) Supported by PEAP/GTC only
(6) Supported with 3rd party supplicant

EAP Protocols: Feature Support (continued)

Feature                                     EAP-TLS   PEAP     LEAP      EAP-FAST
Off-Line Dictionary Attacks?                No        No       Yes (1)   No
Local Authentication                        No        No       Yes       Yes
WPA Support                                 Yes       Yes      Yes       Yes
Application Specific Device (ASD) Support   No        No       Yes       Yes
Server Certificates?                        Yes       Yes      No        No
Client Certificates?                        Yes       No       No        No
Deployment Complexity                       High      Medium   Low       Low
RADIUS Server Scalability Impact            High      High     Low       Low/Medium

(1) Strong password policy mitigates dictionary attacks; please refer to:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html

Privacy/Encryption


FIPS Validated End-to-End Encryption/Privacy

Securing the Client
802.11i AES 128 used for Layer 2 Encryption between the client and the Access Point
FIPS Certified AP and Client (3eTI FIPS client)

Securing the Network
All Command and Control (C2) traffic between the Access Point and the Wireless LAN Controller is secured via AES 128

Securing User Authentication
RADIUS Key Wrap (AES 128) used to secure all RADIUS Authentication traffic between Wireless LAN Controller and the RADIUS Server


Wi-Fi Protected Access (WPA) and WPA 2

Components of WPA:
Authenticated Key Management using 802.1X: EAP-TLS and RADIUS are the nominated EAP test mechanism
Unicast and Broadcast Encryption Key Management
TKIP: Per-packet Keying
IV expansion: 48 bit IVs
Message Integrity Check (MIC)
Migration Mode: coexistence of WPA and WEP devices

Why WPA?
Migration from WEP using the same hardware; fixed known WEP issues

WPA 2 uses AES CCMP Encryption rather than TKIP


Privacy: 802.11i
All components of Cisco WLAN infrastructure have achieved FIPS 140-2 Level 2 certification for 802.11i
802.11i encrypted client traffic to Access Point
Hardware based AES encryption per radio on the AP
No single point of encryption failure
Encryption scales with deployment: no crypto bottleneck
Only the per-user PTK is present on the AP; PTK and config are erased upon power disconnect. PTK is useless after session timer expiration
Greater probability of compromising the mobile device to get the Pairwise Master Key than the WLC

Trusted and Encrypted Command and Control Channel between AP and WLC
Complete separation of C2 and user data channels
C2 Channel is AES 128 encrypted and FIPS validated


802.11i Termination in the AP

CAPWAP's default encryption model is 802.11i in the AP
Most widely deployed model
Has undergone FIPS approval

Supports MAC features that require direct access to RF prior to encryption:
802.11n A-MSDU packet aggregation
802.11e HCCA
(Figure also shows a FIPS client.)

FIPS 802.11i Client Server Key Management

(Figure: FIPS Compliant Supplicant, FIPS Aironet AP, FIPS WLAN Controller, FIPS Compliant RADIUS. 802.1X-EAPOL between supplicant and AP, LWAPP between AP and controller, RADIUS EAP transport between controller and RADIUS server.)
1. EAP-TLS client-server auth & PMK derivation (802.1X/EAP end-to-end; the PMK is then held by the supplicant and the RADIUS server)
2. RADIUS distributes the PMK to the Controller, protected with RADIUS Key Wrap (AES, SHA-1)
3. Controller and supplicant derive PTK = KCK, KEK & GTK
4. Controller distributes the PTK to the AP over LWAPP (AES-CCM)
Client data between supplicant and AP is then protected with 802.11i AES-CCMP (128b)
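Step 3 above names the PTK components but not how they are produced; the Python below is an added walkthrough (not Cisco code and not from this deck) of that step as 802.11i defines it: the PRF-384 that expands the PMK, the two MAC addresses and the two nonces into KCK, KEK and temporal key, and the KCK-keyed MIC that the controller checks on 4-way handshake message 2 before it trusts the client. The GTK that the slide lists with the KCK and KEK is what the KEK exists to wrap on its way to the client. All keys, MACs and nonces are constructed, and the EAPOL-Key framing is simplified to a tag, the SNonce and the MIC field.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Every value below is constructed for this walkthrough; none comes from a real network.
PMK = hashlib.sha256(b"constructed PMK as handed to the controller by RADIUS").digest()
AA = bytes.fromhex("001122334455")     # authenticator MAC (AP/controller side), constructed
SPA = bytes.fromhex("66778899aabb")    # supplicant MAC (client), constructed
ANONCE = hashlib.sha256(b"constructed ANonce from message 1").digest()
SNONCE = hashlib.sha256(b"constructed SNonce from message 2").digest()
MSG2_TAG = b"EAPOL-KEY-MSG2"           # simplified framing, not the real EAPOL-Key header


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... until nbits of output exist, then truncate."""
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


@dataclass(frozen=True)
class PTK:
    kck: bytes  # Key Confirmation Key: MICs the 4-way handshake messages
    kek: bytes  # Key Encryption Key: wraps the GTK delivered in message 3
    tk: bytes   # Temporal Key: the per-session AES-CCMP data key


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> PTK:
    """Step 3 of the slide: PRF-384 over the ordered MACs and nonces (CCMP needs a
    48-byte PTK). min/max ordering gives both sides the same key whichever side they are."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    raw = prf(pmk, b"Pairwise key expansion", data, 384)
    return PTK(kck=raw[0:16], kek=raw[16:32], tk=raw[32:48])


def eapol_key_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2 (AES-CCMP): HMAC-SHA1 over the EAPOL-Key frame with its
    MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def build_message2(ptk: PTK, snonce: bytes) -> bytes:
    """Supplicant side: tag || SNonce || MIC, with the MIC computed over a zeroed MIC field."""
    body = MSG2_TAG + snonce
    return body + eapol_key_mic(ptk.kck, body + bytes(16))


def authenticator_accepts(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes) -> bool:
    """Controller side: derive the PTK from its own copy of the PMK and the SNonce in the
    frame, recompute the MIC and compare in constant time. Only a peer holding the same
    PMK (i.e. one that completed EAP-TLS) can produce a MIC that passes."""
    body, mic = msg2[:-16], msg2[-16:]
    snonce = body[len(MSG2_TAG):]
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_key_mic(ptk.kck, body + bytes(16)), mic)


def demo() -> tuple:
    """Returns (genuine accepted, wrong-PMK rejected, tampered rejected)."""
    client_ptk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    msg2 = build_message2(client_ptk, SNONCE)
    genuine = authenticator_accepts(PMK, AA, SPA, ANONCE, msg2)
    # A station that never completed EAP holds no PMK, so its MIC is under a different key.
    other_pmk = hashlib.sha256(b"constructed PMK of some other station").digest()
    stranger = build_message2(derive_ptk(other_pmk, AA, SPA, ANONCE, SNONCE), SNONCE)
    impostor = authenticator_accepts(PMK, AA, SPA, ANONCE, stranger)
    # Any modification of a genuine message in flight also fails the KCK MIC check.
    flipped = msg2[:20] + bytes([msg2[20] ^ 0x01]) + msg2[21:]
    modified = authenticator_accepts(PMK, AA, SPA, ANONCE, flipped)
    return genuine, impostor, modified


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```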

Securing the LWAPP Join Process

LWAPP Join implements strong mutual authentication between AP and WLC
An AES key is used to encrypt the payloads of subsequent LWAPP Control Messages


Leadership in Open Standards Development

RADIUS Key Wrap
http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-08.txt
Ongoing peer review in IETF RADIUS WG
RADIUS Extension provides FIPS compliance
Uses NIST approved algorithms (AES/SHA1)
Authors: Cisco, 3eTI, Intel

Lightweight Access Point Protocol (LWAPP)
http://www.ietf.org/internet-drafts/draft-ohara-capwap-lwapp-03.txt
Selected as recommended protocol within CAPWAP
Extensive industry peer review
Authors: Cisco, Nokia, Nexthop Technologies, Facetime Communications


Client Protection


Association Process

Management Frames are not encrypted
Addressed by Management Frame Protection (MFP), discussed later


Cisco Unified Wireless Network 4.0: Management Frame Protection

Provides for the authentication of 802.11 management frames by the wireless network infrastructure
Allows detection of malicious rogues that are spoofing a valid AP MAC or SSID in order to avoid detection as a rogue AP, or as part of a man-in-the-middle attack
Increases the fidelity of rogue AP and WLAN IDS signature detection
Will provide protection of client devices with CCX v5
Also supported with Autonomous AP/WDS/WLSE in version 12.3(8)/v2.13


Management Frame Protection (MFP): Mitigating Man-in-the-Middle Attacks

Problem: there's no physical security for wireless, and management frames are not authenticated, encrypted, or signed
Solution: insert a signature (Message Integrity Code/MIC) into the management frames

(Figure: Managed AP1 with MAC Addr A.B.C.D, and an attacker spoofing AP1's MAC Addr A.B.C.D; the attacker's frames carry no valid signature, shown as "?".)

Management frames covered:
AP beacons
Probe requests/responses
Associations/re-associations
Disassociations
Authentications/de-authentications
Action management frames

Initially will be deployed as a security mechanism to validate infrastructure equipment
Will be extended to client adapters via CCX

Management Frame Protection Function

A solution for clients and infrastructure (APs)
Clients and APs add a MIC (signature) into every management frame
Anomalies are detected instantly and reported to Controller/WCS
E.g. no threshold or rate checks are required to detect anomalies
(Figure: MFP protected APs; client-side MFP is marked FUTURE - CCXv5.)


Benefits of MFP
Protection: for Rogue AP, Man-in-the-Middle exploits, other Management Frame attacks
Prevention: will be available with clients capable of decrypting the signature
Integration with other Cisco Security Monitoring solutions in order to characterize attack vectors: rules-based correlation
Cisco Security Leadership and Innovation


Infrastructure MFP
Detection: quick response to WLAN events
Extra fidelity for rogue AP and typical exploits
Quick detection of exploits typically used to initiate MiTM
Protection: for rogue AP, man-in-the-middle exploits, other management frame attacks
Prevention: will be available with clients capable of decrypting the signature

Specifics of MFP MIC:
MFP Information Element adds timestamp, sequence number, and MIC key to management frames
MFP employs the HMAC-SHA1 hash algorithm to calculate the MIC key
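As an added example (not Cisco's implementation, whose IE layout and key distribution the slides do not give), this Python models the MFP check the last two slides describe: a managed AP appends an information element carrying a timestamp, a sequence number and an HMAC-SHA1 MIC to each management frame, and the validating infrastructure flags a frame that claims a managed AP's MAC but has no IE, a MIC under the wrong key, a stale timestamp, or a reused sequence number. The frame layout, the IE ID, the 8-byte MIC truncation and the 5-second skew window are assumptions, and every MAC and key is constructed.

```python
import hashlib
import hmac
import struct

# Constructed values: the managed AP's MAC and the per-AP MFP signing key it shares with the
# infrastructure that validates its frames. Neither comes from a real deployment.
AP1_MAC = bytes.fromhex("0a0b0c0d0e0f")
AP1_MFP_KEY = hashlib.sha256(b"constructed MFP key for AP1").digest()

MFP_IE_ID = 0xDD                # assumed vendor-specific element ID for the MFP IE
MIC_LEN = 8                     # assumed truncation of the HMAC-SHA1 output
TS_SEQ = struct.Struct("!II")   # timestamp (seconds) and sequence number, 32-bit each here


def build_mgmt_frame(frame_type: str, src_mac: bytes, body: bytes) -> bytes:
    """Simplified management frame: type-name length, type name, source MAC, body."""
    return bytes([len(frame_type)]) + frame_type.encode() + src_mac + body


def mfp_mic(key: bytes, frame: bytes, timestamp: int, seq: int) -> bytes:
    """HMAC-SHA1 over the frame plus the IE's timestamp and sequence number, so a replayed
    or re-timestamped copy cannot reuse an old MIC."""
    msg = frame + TS_SEQ.pack(timestamp, seq)
    return hmac.new(key, msg, hashlib.sha1).digest()[:MIC_LEN]


def sign(key: bytes, frame: bytes, timestamp: int, seq: int) -> bytes:
    """Managed-AP side: append the MFP IE (ID, length, timestamp, seq, MIC)."""
    payload = TS_SEQ.pack(timestamp, seq) + mfp_mic(key, frame, timestamp, seq)
    return frame + bytes([MFP_IE_ID, len(payload)]) + payload


class MfpValidator:
    """Infrastructure side: the check a neighbouring managed AP or the controller applies
    to every management frame whose source address is one of its own APs."""

    def __init__(self, keys: dict, max_skew: int = 5):
        self.keys = keys          # source MAC -> MFP key of each managed AP
        self.last_seq = {}        # source MAC -> highest sequence number accepted
        self.max_skew = max_skew  # tolerated clock drift in seconds (assumption)

    def check(self, frame: bytes, now: int) -> str:
        n = frame[0]
        src = frame[1 + n:7 + n]
        if src not in self.keys:
            return "unmanaged_source"   # not one of ours: ordinary rogue handling applies
        ie_len = TS_SEQ.size + MIC_LEN
        ie_off = len(frame) - (2 + ie_len)
        if ie_off < 7 + n or frame[ie_off] != MFP_IE_ID or frame[ie_off + 1] != ie_len:
            return "missing_mfp_ie"     # our MAC but no signature: a spoofed frame
        timestamp, seq = TS_SEQ.unpack(frame[ie_off + 2:ie_off + 2 + TS_SEQ.size])
        mic = frame[ie_off + 2 + TS_SEQ.size:]
        expected = mfp_mic(self.keys[src], frame[:ie_off], timestamp, seq)
        if not hmac.compare_digest(expected, mic):
            return "bad_mic"            # signed, but not with this AP's key
        if abs(now - timestamp) > self.max_skew:
            return "stale_timestamp"    # recorded earlier and injected later
        if seq <= self.last_seq.get(src, -1):
            return "replay"             # sequence number already accepted
        self.last_seq[src] = seq
        return "ok"


def demo() -> tuple:
    """Runs the validator over constructed frames; returns the verdict for each."""
    v = MfpValidator({AP1_MAC: AP1_MFP_KEY})
    now = 1_000_000
    genuine = sign(AP1_MFP_KEY, build_mgmt_frame("beacon", AP1_MAC, b"SSID=corp"), now, 1)
    first = v.check(genuine, now)            # "ok"
    again = v.check(genuine, now + 1)        # "replay": same sequence number twice
    unsigned = build_mgmt_frame("deauthentication", AP1_MAC, b"reason=3")
    no_ie = v.check(unsigned, now)           # "missing_mfp_ie": AP1's MAC, no signature
    wrong_key = sign(hashlib.sha256(b"not AP1's key").digest(), unsigned, now, 2)
    forged = v.check(wrong_key, now)         # "bad_mic"
    old = sign(AP1_MFP_KEY, build_mgmt_frame("beacon", AP1_MAC, b"SSID=corp"), now, 3)
    late = v.check(old, now + 600)           # "stale_timestamp": valid MIC, old clock
    return first, again, no_ie, forged, late


if __name__ == "__main__":
    print(demo())  # ('ok', 'replay', 'missing_mfp_ie', 'bad_mic', 'stale_timestamp')
```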


Checklist for Secure Wireless LANs: Implementation Checklist

Ensuring Client Integrity (Network Admission Control; Dynamic, real-time policy updates; Admission Control; Infection Containment):
✓ Cisco NAC for wired and wireless
✓ Cisco CSA
Guest: Integrated captive portal w/traffic tunneling

Network Admission Control: The Network is the Control Point

(Figure: Network Access Device with Discovery (with or without agent; CCA Agent; EoU, Eo802.1x), Authentication (RADIUS to AAA/ACS), Policy (Cisco and vendor), Remediation (Cisco and vendor) and Enforcement; NAC Appliance and NAC Framework elements: NAC Server, NAC Manager, NAC App Server, NAC App Manager.)

Apply Network Admission Control, no matter:
What system it is (Windows PC, Mac laptop, Linux workstation)
Where it's coming from (VPN, LAN, WLAN, WAN)
Who owns it (company, employee, contractor, guest, unknown)
What applications are on the system (AV, personal firewall, patching tool)
How it's checked and fixed (pre-configured, customized, 3rd party)

Network Access Control Appliance: Cisco Clean Access

Interoperates with Cisco Unified Wireless Architecture
Wireless users can be subject to Clean Access compliance when connecting through a Wi-Fi access point
Cisco Clean Access can be deployed in-band to force compliance for Wireless users
Cisco Aironet lightweight access points are configured for Clean Access compliance via web-based setup on the Wireless LAN Controller
Periodic reassessment of client security posture


Cisco NAC Appliance with Unified Wireless: Modes and Positioning

Key Takeaways:
NAC Appliance accommodates several deployment scenarios.
Unified Wireless and Campus Virtualization best practices currently recommend centralized deployment:
Must be logically in-band with wireless topology
Virtual G/W mode with VLAN Mapping
Real IP G/W mode to be tested and documented in a future release of the Secure Pervasive Mobility Design Guide


Cisco NAC Appliance with Unified Wireless: Modes and Positioning: In-Band Virtual Gateway

(Figure: WLAN Controller, user WLAN on VLAN 131, NAC Appliance VLAN Mapping between VLAN 131 and VLAN 10, Access/Distribution, VLAN 200, Intranet/Internet.)


CSA Wireless Endpoint Protection


Protecting the Road Warrior

Endpoint Security Must:
Protect the integrity of mobile devices, desktops and servers, on and off the corporate network, from worms, viruses and spyware
CSA default behavioral rules protect against Zero-Day viruses, worms, spyware, etc. sight unseen

Identify data from critical or important applications, so the network can prioritize it
CSA with Trusted QoS control ensures that traffic is marked so that the network can apply correct handling

Cooperate with the network infrastructure to establish required levels of trust and auditability, and to react to threats in real-time
Federal Policy Compliance for Network Connectivity
CSA integration with Cisco NAC and Network IPS establishes an endpoint-network relationship which enhances total network security.
Wireless Integration: preventing simultaneous Wired & Wireless Access, only connecting to approved SSIDs


CSA for Wireless Security Overview

CSA Overview
Identifies and prevents malicious or unauthorized behavior
Offers endpoint threat protection, often referred to as Host-based IPS
Key element of an end-to-end, defence-in-depth approach to security

CSA for Wireless Security
Offers general endpoint threat protection, as for wired clients
CSA v5.2 features new wireless security policies
May be used to extend current policies to include wireless-specific policy enforcement


Cisco Security Agent (CSA) and Cisco Trust Agent (CTA)

Host IPS and Client Integrity:
Shut off multiple network interfaces: wired/wireless only
Disable Ad Hoc mode
Connect to only corporate SSIDs
Protection of Endpoint Regardless of Posture
Protection of Endpoints Outside of Corp Net
Detect/Prevent Malicious Behavior
Policy-based Control of Application Use
Security Posture Checks on Incoming Systems (CTA)
Network Admission Control According to Posture (CTA)
Network Access Decisions for all Hosts (CTA)
Enforce Patch and AV Policy for all Hosts (CTA)

CSA v5.2 New Wireless Policy Features

Restrict wireless ad-hoc connections
Wireless ad-hoc networks may be leveraged by an unauthorised or rogue device to access the client
Typically an insecure, unencrypted connection

Restrict simultaneous wired and wireless connections
Risk of bridging traffic from insecure or rogue wireless networks to the wired network, bypassing network security measures

Policy enforcement based on SSID or wireless encryption type (1)
E.g. Corporate WLAN vs public hotspot

VPN enforcement when out of the office (1)
Use of VPN required if not on corporate network

Controller Guest Access Services

(Figure: WLAN Controllers in the enterprise with Wireless VLANs for the Enterprise (802.1X) and Guest (https) SSIDs, an EtherIP guest tunnel across the Core to a DMZ Anchor Guest Controller, WCS for management, and the Internet beyond the DMZ.)

Access control
Wireless VLANs created with guest SSID
Custom web auth configuration
Enforce time policies, QoS policies, guest ACLs
Forces acceptance of DoD base legal disclaimer before getting Internet connectivity

Path isolation
Separate guest traffic from the Federal Authorized local traffic w/ EoIP tunnels

Deployed in a centralized fashion:
Authentication and authorization on a centralized in-band device
Record the activity of guest users while connected to the enterprise


Checklist for Secure Wireless LANs
Implementation Checklist

Protect the Network (Rogue AP detection and containment; Multilayer client exclusions; Anomaly and IDS/IPS)
  ✓ Rogue/WLAN Attack Detection
  ✓ Rogue Containment
  Location Services
  Security Management

Top Wireless Threats

Rogue AP: employees create an opening to the enterprise network unknowingly
Ad Hoc: client-to-client connections, bypassing infrastructure security checkpoints
Client Mis-association: employees connect to an external WLAN, creating a portal to the enterprise wired network
DoS Attacks (Denial of Service): malicious hackers disrupt critical business services

Cisco Unified Threat Detection and Mitigation


WLAN Threat Detection and Mitigation Overview

WLAN Threat Detection & Mitigation
  Extend the same end-to-end, defence-in-depth principles applied on a wired network to a WLAN
  Extend the general network security policy to include a WLAN
  Complementary to general threat detection and mitigation measures which should already be in place on the network

Cisco Unified Wireless Self-Defending Network
  Integrated end-to-end, defence-in-depth solution


Threat Detection and Mitigation on a WLAN

Threat Detection
  Threat detection is CRITICAL to visibility into network activity
  Threat detection on a WLAN extends baseline network monitoring and anomaly detection to include:
    Monitoring of the 802.11 RF medium
    Monitoring of general WLAN client traffic

Threat Mitigation
  Threat mitigation involves reactive security measures applied in response to an incident
  Threat mitigation on a WLAN extends the actions available in response to an incident to include:
    Mitigation techniques for threats on the 802.11 RF medium, addressing WLAN clients themselves, as well as rogue devices and networks

Cisco Unified Wireless Network Integrated Wireless IDS/IPS Protects Your Business

[Diagram: enterprise network with an 802.11a rogue AP and an 802.11a rogue client, blocked by RF containment]

Automatically detects:
  Rogue access points and clients
  Ad hoc networks
  Denial of service attacks
  Client mis-associations
Intelligent RF scanning = cost effective solution
Intrusion prevention under IT control
Location appliance provides precision mapping for physical removal

Integrated Wireless Intrusion Protection

WIDS detects common RF-related attacks
  NetStumbler, Wellenreiter, void11, FakeAP, address spoofing, DoS, etc.
  Customizable attack signatures
  Real-time 24x7 monitoring and alarming
  Rogue AP/client detection, location, and containment
  Identify known (i.e. trusted) rogues
  Manually disable clients

Integrated WIDS is critical: 802.11i and 802.11w protected traffic will not be decoded by a standalone WIDS

But WIDS only detects wireless attacks; it gives no visibility into, or defense against, authenticated users that launch IP DoS attacks
  Must provide a comprehensive IPS solution by integrating wired and wireless IPS

Cisco Unified Wireless Self-Defending Network Threat Detection and Mitigation

Cisco Wireless IDS for RF Monitoring & Threat Mitigation
  Rogue AP detection, location & containment
  Rogue client detection & containment
  Wireless ad-hoc network detection & containment
  802.11 attack signatures
  Excessive 802.11 association & authentication tracking, plus client blocking
  IP theft & re-use tracking

Cisco IDS/IPS for General WLAN Client Traffic Monitoring & Threat Mitigation
  Detection of worms, viruses, application abuse, spyware, adware, etc., as well as policy violations
  Client shun to disconnect & block a WLAN client

Logging
  SNMP, syslog & RADIUS accounting

Rogue AP Detection

Rogue AP detection has multiple facets:
  Air/RF detection: detection of rogue devices by observing/sniffing beacons and 802.11 probe responses
  Rogue AP location: use of the detected RF characteristics and known properties of the managed RF network to locate the rogue device
  Wire detection: a mechanism for tracking/correlating the rogue device to the wired network

A WIDS may require different deployments to effectively address all of these facets
  For example, it is typically required to use a scanning-mode AP as a rogue traffic injector to attempt to trace the rogue's connected port

Radio (Air/RF) Monitoring

[Diagram: network core with the Wireless Control System (WCS) as the NMS; Wireless LAN Controller at the distribution layer; access-layer APs performing Auto-RRM, RLDP and ARP sniffing, plus a dedicated Rogue Detector AP; several rogue APs attached at the access layer]

A Complete Solution for Handling Rogues

1. Detect Rogue AP (generate alarm)
2. Assess Rogue AP (identity, location, ...)
3. Contain Rogue AP
4. View Historical Report

Controlled by administrator
Multiple rogues contained simultaneously

Rogue AP Detection and Suppression

Rogue AP detection methodology
  WLAN system collects (via beacons and probe responses) and reports BSSID information
  System compares collected BSSID information versus authorized (i.e., managed AP) BSSID information
  Unauthorized APs are flagged and reported via fault monitoring functionality

Rogue AP suppression techniques
  Trace the rogue AP over the wired network to verify that the rogue is internal and should be contained
  Use of managed devices to disassociate clients from the unauthorized AP and prevent further associations via 802.11 de-authentication frames
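As an added example (not Cisco code), the BSSID comparison the "Rogue AP Detection" slides describe, applied to constructed beacon/probe-response reports: unauthorised BSSIDs are classified, acknowledged (trusted) rogues are reported without alarming, and the scanning AP that heard the device strongest is kept as the coarse location hint. The managed and trusted BSSID sets, the corporate SSID list and the four classes are assumptions for illustration.

```python
"""Rogue AP classification from collected beacon/probe-response reports.
Added example, not Cisco code: every BSSID, SSID and RSSI below is
constructed, and the four classes are assumptions for illustration."""
from collections import defaultdict, namedtuple

# Assumed inventory: BSSIDs of managed APs, plus rogues the administrator
# has reviewed and acknowledged as harmless (e.g. a neighbour's AP).
MANAGED_BSSIDS = {"00:1a:a1:00:00:01", "00:1a:a1:00:00:02"}
TRUSTED_ROGUES = {"00:1b:b2:00:00:aa"}
CORPORATE_SSIDS = {"corp-wlan"}

# One record per beacon/probe response heard, tagged with the scanning AP.
Obs = namedtuple("Obs", "bssid ssid channel rssi ibss detector")
OBSERVATIONS = [
    Obs("00:1a:a1:00:00:01", "corp-wlan", 1, -40, False, "ap-1"),
    Obs("00:1b:b2:00:00:aa", "neighbour-net", 6, -80, False, "ap-1"),
    Obs("00:0c:ee:00:00:01", "corp-wlan", 11, -55, False, "ap-2"),
    Obs("00:0c:ee:00:00:01", "corp-wlan", 11, -70, False, "ap-1"),
    Obs("02:11:22:33:44:55", "my-adhoc", 1, -60, True, "ap-3"),
    Obs("00:0c:ee:00:00:02", "linksys", 6, -75, False, "ap-2"),
]


def classify(observations, managed, trusted, corp_ssids):
    """Compare collected BSSIDs against the managed set and classify each
    unauthorised one: trusted (acknowledged, report only), impersonation
    (advertises a corporate SSID, so clients may mis-associate), ad-hoc
    (IBSS beacon), or rogue. nearest_detector is the coarse location hint:
    the scanning AP that heard the device strongest."""
    seen = defaultdict(list)
    for obs in observations:
        if obs.bssid not in managed:
            seen[obs.bssid].append(obs)
    reports = {}
    for bssid, hits in seen.items():
        ssids = {h.ssid for h in hits}
        if bssid in trusted:
            cls = "trusted"
        elif ssids & corp_ssids:
            cls = "impersonation"
        elif any(h.ibss for h in hits):
            cls = "ad-hoc"
        else:
            cls = "rogue"
        strongest = max(hits, key=lambda h: h.rssi)
        reports[bssid] = {
            "class": cls,
            "ssids": sorted(ssids),
            "channels": sorted({h.channel for h in hits}),
            "detectors": len({h.detector for h in hits}),
            "nearest_detector": strongest.detector,
            "rssi": strongest.rssi,
        }
    return reports


def alarms(reports):
    """Unacknowledged rogues in fault-alarm order, worst class first."""
    order = {"impersonation": 0, "ad-hoc": 1, "rogue": 2}
    return sorted((b for b, r in reports.items() if r["class"] != "trusted"),
                  key=lambda b: (order[reports[b]["class"]], b))
```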

Cisco Unified Wireless: Map Rogue AP


Cisco Unified Wireless: Rogue Containment

Rogue AP, rogue-connected client, or ad-hoc client may be contained by the controller issuing unicast de-authentication packets
  Maximum number of APs participating in containment is configurable
  Maximum of three simultaneous containments may operate on a single LWAPP AP
Rogue client devices may be authenticated to a RADIUS (MAC address) database
Maximum time for auto-containment is configurable


Wireless IDS

The WLC comes with built-in Wireless IDS signatures that can be augmented with additional customer signatures

Cisco WLC and IDS/IPS Collaboration Overview

General WLAN Client Threat Detection
  Cisco IDS/IPS offers the ability to monitor and detect general malicious threats from WLAN clients, e.g. worms, viruses, application abuse
  Same as that which may be employed to monitor and detect malicious threats from wired clients

WLAN Client Shun for Threat Mitigation
  Cisco WLC and IDS/IPS collaboration to enable a WLAN client to be shunned from the Cisco IDS/IPS, disconnecting the client from the WLAN and blocking them from reconnecting


Cisco IDS/IPS Integration for General WLAN Client Threat Detection

[Diagram, two deployments: Cisco IDS for passive monitoring, and Cisco IPS for active, in-line monitoring. In both, the sensor sees the WLAN client traffic between the WLC and the general network (core); client traffic between the LAPs and the WLC travels over the LWAPP tunnel]

WLC and IDS Products


WLAN Client Shun for Threat Mitigation

Mitigation action which may be initiated from Cisco IDS/IPS
Shunned WLAN client is disconnected from the WLC whenever they are associated and for as long as a shun action is enforced
WLC software release 4.0 or later and IPS software release v5.x or later


Wired/Wireless IPS Integration: IDS Event and Client Shunning

[Diagram: Cisco Controller, enterprise network, wired IDS (4200 Series IDS Sensor). 1. Malicious traffic from an authenticated user, client to AP/controller; 2. Controller to IDS, deep packet inspection; 3. Shun, IDS to controller]

Problem
  Authorized user's laptop infected with worm or virus

Solution
  IDS/IPS sensor monitors traffic with deep packet inspection (Layer 7) to identify and trigger a shun event; WLAN controller shuns/blocks the MAC address of the compromised wireless client
  Integration of wired and wireless security
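As an added example (not Cisco code), a model of the two exclusion paths described in "Excessive 802.11 association & authentication tracking, plus client blocking" and "WLAN Client Shun for Threat Mitigation": a sliding-window failure counter that blocks a client MAC for a fixed period, and an IDS/IPS shun that arrives keyed on the client's IP, is resolved to a MAC through the controller's association table, and is enforced until lifted. Thresholds, window lengths and every MAC/IP value are assumptions.

```python
"""Multilayer WLAN client exclusion model. Added example, not Cisco code.

Two exclusion sources: (1) excessive 802.11 association/authentication
failures per client MAC in a sliding window, which blocks the client for a
fixed period; (2) an IDS/IPS shun, which arrives keyed on the client's IP,
is resolved to a MAC through the controller's association table, and is
enforced for as long as the shun stands. All values are constructed."""
from collections import defaultdict, deque


class ClientExclusionList:
    def __init__(self, fail_threshold=5, window_s=60, exclusion_s=180):
        self.fail_threshold = fail_threshold   # failures that trigger exclusion
        self.window_s = window_s               # sliding window for counting
        self.exclusion_s = exclusion_s         # rate-based exclusion duration
        self._failures = defaultdict(deque)    # mac -> failure timestamps
        self._excluded_until = {}              # mac -> expiry timestamp
        self._shunned = set()                  # macs shunned by the IDS/IPS
        self._assoc = {}                       # ip -> mac association table

    def record_auth_failure(self, mac, now):
        """Track a failed association/authentication; return True when the
        client crosses the threshold and is added to the exclusion list."""
        stamps = self._failures[mac]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window_s:   # drop old entries
            stamps.popleft()
        if len(stamps) >= self.fail_threshold:
            self._excluded_until[mac] = now + self.exclusion_s
            stamps.clear()
            return True
        return False

    def record_association(self, mac, ip):
        """Controller learns the client's IP once it is associated."""
        self._assoc[ip] = mac

    def shun(self, ip):
        """IDS/IPS shun event: map the IP to the associated MAC and block it.
        Returns the MAC, or None if no associated client has that IP."""
        mac = self._assoc.get(ip)
        if mac is not None:
            self._shunned.add(mac)
        return mac

    def lift_shun(self, ip):
        """Operator lifts the shun on the IDS/IPS; the client may reconnect."""
        self._shunned.discard(self._assoc.get(ip))

    def is_excluded(self, mac, now):
        """Gate for an association attempt: True means disconnect/refuse."""
        if mac in self._shunned:
            return True
        expiry = self._excluded_until.get(mac)
        if expiry is not None and now < expiry:
            return True
        self._excluded_until.pop(mac, None)    # expired: allow and forget
        return False
```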

Unified Wireless and IDS/IPS Collaboration Summary

Deploy Cisco IDS/IPS for general WLAN client threat detection
Deploy Cisco Wireless IDS for WLAN-specific threat detection and mitigation
Cisco WLC and IDS/IPS collaboration enables a WLAN client shun from a Cisco IDS/IPS to be available to operational staff as a threat mitigation tool


Cisco Unified Wireless Solution and Firewall Integration


WLCs and FWSM

WLC VLANs can map directly to Cisco security devices


WiSM FWSM Example

Using Cisco Unified Wireless features and a FWSM to provide firewall policies for different classes of users sharing the same infrastructure


FWSM
Single or Multiple Security Contexts

The FWSM supports single or multiple security contexts
In single context mode all security administration is shared
In multiple context mode, administration of the different security configurations can be separated, creating multiple virtual FWSMs
Multiple context mode also supports more VLAN interfaces, and allows load sharing between FWSMs
Multiple context mode supports most FWSM features, but not dynamic routing or multicast forwarding
Multiple context mode was chosen for use in the design guide

Location


Location Services

Effectively track clients as they enter your wireless network

Visibility into the wireless network: 4 key pieces of information
  What Do We Have?
  How Many Do We Have?
  Where Is It?
  What Is Its Status?

Locate and track rogue APs or clients
Allow access based on location

Wi-Fi Location Enables Multiple Applications

[Diagram: Location at the centre, surrounded by four application areas]

Security
  Better rogue detection
  Perimeter security
  Policy enforcement
  Location/movement based alerts

Visibility
  Asset management
  Streamline workflow
  Location based trending
  RF capacity management
  Troubleshooting

Voice
  Code Blue, voice alerts
  E911
  Location based content distribution

Telemetry
  Relevant information about tracked item


Location Capabilities
Cisco 2700 Series Wireless Location Appliance

RF Fingerprinting traces rays from every access point in the network
  Accounts for reflection
  Accounts for multipath to a destination



Tracking Rogues, Tags, and Clients


Security Management: Wired and Wireless Integration

Cisco Security Monitoring, Analysis and Response System (CS-MARS)
  Network wide anomaly detection
  Rules based correlation

WCS
  Simple, powerful dashboard
  Robust reporting


802.1x Monitoring and Reporting with CS-MARS

CS-MARS provides a centralized monitoring and reporting point for 802.1x-related events from ACS, NADs, and third party security servers
  pnAgent forwards logs from ACS to CS-MARS
  Pinpoints where identity events are occurring in the network, provides detailed logging information regarding events, and reports

[Diagram: NADs, Posture Validation Server and Audit Server send syslog to CS-MARS; ACS v4.0 logs reach CS-MARS via pnAgent. Sample report: 802.1x Failed Authentications, Top Users]
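As an added example (not CS-MARS or ACS code), the kind of per-user "802.1x Failed Authentications, Top Users" report described above, computed over constructed syslog lines: failures are aggregated per identity together with the NADs and client MACs involved, so one account failing across several NADs stands out from a single mistyped password. The key=value record layout, the event names and every user name and address are assumptions.

```python
"""Top users by 802.1X authentication failures from syslog. Added example,
not CS-MARS or ACS code; the log line layout and every value are constructed
(one key=value record per failed attempt), so adapt parse() to the real feed
before use."""
import re
from collections import Counter, defaultdict

LOG_LINES = """\
Mar 14 09:01:02 acs01 auth-fail: User-Name=jsmith NAS-IP-Address=10.0.0.5 Calling-Station-Id=00:11:22:33:44:55 Reason=bad-password
Mar 14 09:01:09 acs01 auth-fail: User-Name=jsmith NAS-IP-Address=10.0.0.5 Calling-Station-Id=00:11:22:33:44:55 Reason=bad-password
Mar 14 09:02:30 acs01 auth-fail: User-Name=mlee NAS-IP-Address=10.0.0.6 Calling-Station-Id=00:aa:bb:cc:dd:ee Reason=cert-expired
Mar 14 09:03:00 acs01 auth-fail: User-Name=jsmith NAS-IP-Address=10.0.0.7 Calling-Station-Id=00:de:ad:be:ef:01 Reason=bad-password
Mar 14 09:03:05 acs01 auth-fail: User-Name=svc-printer NAS-IP-Address=10.0.0.5 Calling-Station-Id=00:11:22:33:44:99 Reason=unknown-user
Mar 14 09:04:10 acs01 posture-fail: User-Name=mlee NAS-IP-Address=10.0.0.6 Calling-Station-Id=00:aa:bb:cc:dd:ee Reason=av-outdated
""".splitlines()

KV = re.compile(r"(\S+?)=(\S+)")   # key=value pairs in the payload


def parse(line):
    """Split one syslog line into (event_type, fields); None when the line
    carries no key=value payload."""
    head, sep, payload = line.partition(": ")
    if not sep:
        return None
    return head.rsplit(" ", 1)[-1], dict(KV.findall(payload))


def failed_auth_report(lines, top=3):
    """Aggregate auth-fail events per user with the NADs and client MACs
    involved, so one identity failing across several NADs stands out."""
    per_user = Counter()
    nads, macs = defaultdict(set), defaultdict(set)
    reasons = defaultdict(Counter)
    for line in lines:
        parsed = parse(line)
        if not parsed or parsed[0] != "auth-fail":
            continue                  # posture failures etc. are out of scope
        fields = parsed[1]
        user = fields.get("User-Name", "<none>")
        per_user[user] += 1
        nads[user].add(fields.get("NAS-IP-Address"))
        macs[user].add(fields.get("Calling-Station-Id"))
        reasons[user][fields.get("Reason", "unknown")] += 1
    # (user, failures, sorted NAD IPs, sorted client MACs, dominant reason)
    return [(u, n, sorted(nads[u]), sorted(macs[u]),
             reasons[u].most_common(1)[0][0])
            for u, n in per_user.most_common(top)]
```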

Checklist Summary

Controlling Client Access (Strong Mutual Authentication; Strong Encryption; True Wireless IPS; Adaptive Client Policies)
  ✓ 802.1X
  ✓ FIPS WPA2 (AES)
  ✓ Management Frame Protection
  ✓ Cisco CSA

Ensuring Client Integrity (Network Admission Control; Dynamic, real time policy updates)
  ✓ Cisco NAC for wired and wireless
  ✓ Cisco CSA

Protect the Network (Rogue AP detection and containment; Multilayer client exclusions; Anomaly and IDS/IPS)
  ✓ Rogue Detection
  ✓ Rogue Containment
  ✓ Location Services
  ✓ Guest: integrated captive portal w/ traffic tunneling
  ✓ Security Management

SDN elements: Admission Control, Infection Containment, Endpoint Protection

Meeting Security Requirements

802.11i based WLAN with 802.1x, RADIUS, and all EAP types
FIPS certified end-to-end Layer 2 AES encryption
Support for EAP-TLS, certificates, and PKI infrastructure
Wireless IDS embedded into WLAN
CSA for endpoint and server security for both the wired and wireless networks
CS-MARS for event correlation


Defense In-Depth Security
Making Wireless More Secure than Wired

[Diagram: threats (Hacker, Rogues, Viruses, Denial of Service) against three layers of defense]

Trust and Identity. Verify the user and device:
  Identity-Based Networking, CSA + NAC, RF Firewall, Blacklisting
  Authenticate who/what has access

Secure Connectivity. Secure and encrypt transport:
  FIPS validated WPA2/AES provides data/voice confidentiality
  IPSec VPNs
  X.509 certificates
  Secure control channel

Threat Defense. Defend the applications, protect the servers:
  Integrated network WIDS
  Rogue AP detection and containment
  Signature detection and remediation
  WLAN MFP
  RF jamming remediation
  Integrated firewalls protect against network-based attacks

Benefits
  Multi-layered security; wireless more secure than wired
  Unification with Cisco Secure, ACS, CS-MARS
  Uniform security framework across wired and wireless
  Protection from unauthorized access and rogue devices

Wireless System Security Highlights

Multiple layers of WLAN protection
  RF: 802.11 interference, bleeding coverage areas
  Network: rogue detection, location, containment; ad-hoc prevention
  User: protection from dictionary, MiM, asleap, and other attacks
  Application: protect data from DoS and other attacks

X.509 certificates guarantee identity
  Zero touch, if desired
  AP must prove identity through unique private key
  AP's identity is validated and authorization check is performed
  Only APs you want are allowed in

Zero false positives on AP impersonation
  Trusted MAC address is not sufficient
  Hacker steals trusted MAC address and runs Host AP
  Both over the air and wire


Secure WLAN Architectures
Building Castles not Islands

[Diagram: Internet and Intranet, with security enforced throughout the network rather than only at the edge]

Security is now more than just defending against WAN attacks
New perimeter security must be pervasive in the network

Four Key Components
  Authentication & Integrity
  Privacy
  Wireless Intrusion Prevention
  Location

Q and A


Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available onsite at the Cisco Company Store



Complete Your Online Session Evaluation

Win fabulous prizes; give us your feedback
Receive ten Passport Points for each session evaluation you complete
Go to the Internet stations located throughout the Convention Center to complete your session evaluation
Winners will be announced daily at the Internet stations
