
WLAN Security
Vulnerabilities and Threats

[Diagram: attack categories, grouped by where the attacker sits]

On-Wire Attacks
• Ad-hoc Wireless Bridge: client-to-client backdoor access
• Rogue Access Points: backdoor network access

Over-the-Air Attacks
• Evil Twin/Honeypot AP: connection to malicious AP
• Denial of Service: service disruption
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping

BRKAGG-2015_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 52
WLAN Security
Denial of Service Attacks

• RF Jamming
  Any intentional or unintentional RF transmitter in the same frequency can adversely affect the WLAN
• DoS using 802.11 Management frames
  Management frames are not authenticated today
  Trivial to fake the source of a management frame
  De-Authentication floods are probably the most worrisome
• Misuse of Spectrum (CSMA/CA – Egalitarian Access!)
  "Silencing" the network with RTS/CTS floods, Big-NAV Attacks
• 802.1X Authentication floods and Dictionary attacks
  Overloading the system with unnecessary processing
  Legacy implementations are prone to dictionary attacks, in addition to other algorithm-based attacks
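The slide calls de-authentication floods the most worrisome management-frame DoS because the source of such frames can be faked. The detector below is an added example written for this page, not Cisco code and not the wIPS signature logic: it applies a sliding-window rate check per (BSSID, source) over monitor-mode frame metadata and raises an alarm when deauthentication or disassociation frames arrive faster than a threshold. The window length, threshold, record layout and MAC address are assumptions for the example; the sample capture is constructed.

```python
from collections import defaultdict, deque

# IEEE 802.11 management-frame subtype values (frame type 0).
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

# Rate thresholds are assumptions for this example, not documented Cisco wIPS values.
WINDOW_MS = 1000   # sliding window length in milliseconds
THRESHOLD = 10     # deauth/disassoc frames inside one window that count as a flood


def detect_deauth_floods(frames, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Sliding-window rate detector for deauthentication/disassociation floods.

    frames: iterable of (timestamp_ms, subtype, src_mac, bssid) as a monitor-mode
            sensor would log them, in timestamp order.
    Returns one alarm dict per (bssid, src_mac) whose deauth/disassoc rate crossed
    the threshold, with first/last seen timestamps and the number of frames
    counted from the moment the alarm fired.
    """
    recent = defaultdict(deque)   # (bssid, src) -> timestamps inside the window
    alarms = {}
    for ts, subtype, src, bssid in frames:
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (bssid, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_ms:   # drop frames older than the window
            q.popleft()
        alarm = alarms.get(key)
        if alarm is not None:
            # Alarm already raised for this source: keep extending it.
            alarm["last_seen"] = ts
            alarm["frames"] += 1
        elif len(q) >= threshold:
            alarms[key] = {"bssid": bssid, "source": src, "first_seen": q[0],
                           "last_seen": ts, "frames": len(q)}
    return list(alarms.values())


# Constructed sample capture: five beacons and one legitimate deauth during normal
# operation, then a burst of 25 deauth frames in 250 ms whose source address
# claims to be the AP itself (the forged-source case the slide describes).
AP_MAC = "00:11:22:33:44:01"       # constructed BSSID
SAMPLE_FRAMES = sorted(
    [(i * 100, SUBTYPE_BEACON, AP_MAC, AP_MAC) for i in range(5)]
    + [(500, SUBTYPE_DEAUTH, AP_MAC, AP_MAC)]
    + [(10_000 + i * 10, SUBTYPE_DEAUTH, AP_MAC, AP_MAC) for i in range(25)]
)

if __name__ == "__main__":
    for alarm in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood on {alarm['bssid']} from {alarm['source']}: "
              f"{alarm['frames']} frames, {alarm['first_seen']}..{alarm['last_seen']} ms")
```

The single legitimate deauth at 500 ms never trips the detector, while the burst does; tuning the window and threshold against the normal roaming and session-teardown rate of the deployment is what keeps the alarm meaningful. A rate check of this kind only detects the flood; the slides later note that Management Frame Protection is what stops the forged frames from being honoured in the first place.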
Wireless Security
MAC Address Spoofing

• As with wired networks, MAC address and IP address spoofing are possible, if not easy, in Wireless Networks
• Outsider (hostile) attack scenario
  Does not know key/encryption policy
  IP Address spoofing is not possible if Encryption is turned on (DHCP messages are encrypted between the client and the AP)
  MAC Address spoofing alone (i.e., without IP Address spoofing) may not buy much if encryption is turned on
• Insider attack scenario
  Seeking to obtain users' secure info
  MAC address and IP Address spoofing will not succeed if EAP/802.1x authentication is used (unique encryption key is derived per user (i.e., per MAC address))

Wireless Security:
Sniffing and Reconnaissance

• First: Sniffing, or capturing packets over the air, is an extremely useful troubleshooting methodology
• Sniffing, in the old days, was reliant on very specific cards and drivers
• Very easy to find support for most cards and drivers today
• Cost (if you like to pay for it) of such software is negligible (or, just use free/open source software)
• Provides an insight (with physical proximity) into the network, services, and devices, which comes in handy when performing network reconnaissance

Wireless Security
Man in the Middle Attack

• A MiTM is when an attacker poses as the network to the client(s) and as a client to the actual network
  The attacker forces a legitimate client off the network
  The attacker lures the client to a honeypot
  The attacker gains security credentials by intercepting user traffic
• Very easy to do with:
  Sniffing, and war-driving to identify targets
  MAC Address Spoofing
  Rogue Device Setup
  DoS Attacks

Quick Look: Common WLAN Exploits/Tools

• Remote-Exploit/Backtrack/Auditor
• Aircrack, WEPcrack, etc.
• coWPAtty
• Kismet
• NetStumbler, Hotspotter, etc.
• AirSnort
• Sniffing tools: OmniPeek, Wireshark
• dsniff, nmap
• wellenreiter
• asleap

Ounce of Prevention…
Stop the Attack Before It Happens

[Diagram: the same attack categories as before, captioned "Cisco wIPS Detects These Attacks"]

On-Wire Attacks
• Ad-hoc Wireless Bridge: client-to-client backdoor access
• Rogue Access Points: backdoor network access

Over-the-Air Attacks
• Evil Twin/Honeypot AP: connection to malicious AP
• Denial of Service: service disruption
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping

Ounce of Prevention…
Stop the Attack Before It Happens

[Diagram: the same attack categories, each column annotated with the Cisco mechanism that addresses it]

On-Wire Attacks
• Ad-hoc Wireless Bridge: client-to-client backdoor access
• Rogue Access Points: backdoor network access
  Rogue detection, classification and mitigation addresses these attacks

Over-the-Air Attacks
• Evil Twin/Honeypot AP: connection to malicious AP
• Denial of Service: service disruption
  MFP neutralizes all Management Frame exploits, such as Man-in-the-Middle attacks
• Reconnaissance: seeking network vulnerabilities
• Cracking Tools: sniffing and eavesdropping
  WPA2/802.11i neutralizes Recon and Cracking attacks

Cisco’s Attack Detection Mechanisms

Base IDS
  Built-in to controller software
  Uses Local and Monitor Mode APs

Adaptive wIPS
  Requires MSE
  Uses wIPS Monitor Mode APs
Adaptive wIPS Differences from Base
Controller IDS

Adaptive wIPS Difference #1
Alarm Aggregation and Correlation

Base Controller IDS: AP → WLC → WCS
• No Alarm Correlation

Adaptive wIPS: AP → WLC → MSE → WCS
Adaptive wIPS Difference #2
Breadth of Alarms Detected

Base Controller IDS
• Only 17 signatures

Adaptive wIPS
Adaptive wIPS Difference #2 (Cont.) – Attack Encyclopedia

• Available for each alarm
• Accessible from the wIPS profile page

Adaptive wIPS Difference #3
Forensic Packet Capture

Adaptive wIPS Difference #4
Historic Reporting

1. Alarm information stored in MSE database
   Maximum of 6 million alarms stored in MSE database
2. WCS queries the MSE database during report generation
3. Reports created and viewed at WCS

Adaptive wIPS
Types of Reports

• wIPS Alarm List Report
  Use: Historic reporting of attacks
  Summarized list of alarms contained within the MSE
  Contains alarm type, SRC MAC, detecting AP, first seen time, last seen time
• wIPS Top 10 AP Report
  Use: Identifying 'hot zones' of attack
  The 10 wIPS access points with the highest number of alarms
  Includes critical, major, minor and warning levels of alarms
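Difference #1 above says the MSE correlates alarms where the base controller IDS does not, and this slide lists the two reports WCS builds from the MSE's alarm store. The code below is an added example written for this page, not Cisco's code and not the MSE's actual correlation algorithm: it collapses per-AP detections of the same attack type and source into one alarm per episode, then renders both report types (the Alarm List with alarm type, SRC MAC, detecting APs, first and last seen, and the Top 10 AP ranking broken down by severity). The detection record layout, the correlation window, the alarm type names and all MAC addresses are assumptions; the detections are constructed.

```python
from collections import Counter, defaultdict

SEVERITIES = ("critical", "major", "minor", "warning")   # levels named on the slide
CORRELATION_WINDOW = 60   # seconds between detections still treated as one alarm; assumed

# Detection record as a controller might forward it to the MSE (layout assumed):
#   (timestamp_s, alarm_type, severity, src_mac, detecting_ap)


def correlate_alarms(detections, window=CORRELATION_WINDOW):
    """Collapse per-AP detections into one alarm per (alarm_type, src_mac) episode.

    Detections of the same type and source that arrive within `window` seconds of
    the previous one extend the open alarm (adding the detecting AP); a longer gap
    starts a new alarm. Base controller IDS behaviour is the identity: every
    detection is its own alarm.
    """
    open_alarms = {}
    finished = []
    for ts, atype, sev, src, ap in sorted(detections):
        key = (atype, src)
        cur = open_alarms.get(key)
        if cur is not None and ts - cur["last_seen"] <= window:
            cur["last_seen"] = ts
            cur["detections"] += 1
            cur["detecting_aps"].add(ap)
            continue
        if cur is not None:
            finished.append(cur)
        open_alarms[key] = {"alarm_type": atype, "severity": sev, "src_mac": src,
                            "detecting_aps": {ap}, "first_seen": ts,
                            "last_seen": ts, "detections": 1}
    finished.extend(open_alarms.values())
    return sorted(finished, key=lambda a: a["first_seen"])


def alarm_list_report(alarms):
    """wIPS Alarm List report: alarm type, SRC MAC, detecting AP(s), first/last seen."""
    return [{"alarm_type": a["alarm_type"], "src_mac": a["src_mac"],
             "detecting_aps": sorted(a["detecting_aps"]),
             "first_seen": a["first_seen"], "last_seen": a["last_seen"]}
            for a in alarms]


def top_ap_report(detections, n=10):
    """wIPS Top 10 AP report: APs ranked by alarm count, broken down by severity.

    Returns rows (ap, total, critical, major, minor, warning), highest total first.
    """
    per_ap = defaultdict(Counter)
    for _, _, sev, _, ap in detections:
        per_ap[ap][sev] += 1
    rows = [(ap, sum(c.values()), *(c[s] for s in SEVERITIES))
            for ap, c in per_ap.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:n]


# Constructed detections: three monitor-mode APs see the same deauth flood, two see
# the same honeypot AP, and a second flood from the same source begins much later.
ATTACKER_MAC = "de:ad:be:ef:00:01"   # constructed
ROGUE_MAC = "00:0c:0f:ee:ee:01"      # constructed
SCANNER_MAC = "aa:bb:cc:00:00:07"    # constructed
SAMPLE_DETECTIONS = [
    (1000, "Deauth flood", "critical", ATTACKER_MAC, "AP-1"),
    (1002, "Deauth flood", "critical", ATTACKER_MAC, "AP-2"),
    (1005, "Deauth flood", "critical", ATTACKER_MAC, "AP-3"),
    (1030, "Deauth flood", "critical", ATTACKER_MAC, "AP-1"),
    (2000, "Honeypot AP", "major", ROGUE_MAC, "AP-2"),
    (2001, "Honeypot AP", "major", ROGUE_MAC, "AP-3"),
    (5000, "Deauth flood", "critical", ATTACKER_MAC, "AP-1"),
    (5100, "Reconnaissance probe", "warning", SCANNER_MAC, "AP-4"),
]

if __name__ == "__main__":
    alarms = correlate_alarms(SAMPLE_DETECTIONS)
    print(f"{len(SAMPLE_DETECTIONS)} raw detections -> {len(alarms)} correlated alarms")
    for row in alarm_list_report(alarms):
        print(row)
    for row in top_ap_report(SAMPLE_DETECTIONS):
        print(row)
```

Eight raw detections become four correlated alarms: the first flood is one alarm seen by three APs rather than four separate entries, which is what makes the Alarm List readable as an attack timeline. The Top 10 AP ranking is computed from the raw detections on purpose, since an AP that saw the same attack many times is exactly the "hot zone" the report is meant to surface.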

Adaptive wIPS
Creating Reports

• Filter by MSE
• Or by WLC
• Add/Remove Columns
• Sort by Columns
Example Report
wIPS Alarm List

[Screenshot; callout: Attack Timeline]

Example Report
wIPS Top 10 APs

[Screenshot; callout: Alarm Severities]

WCS Security Dashboard

[Screenshot; callouts: Controller IDS and Adaptive wIPS Alarms, Security Index, Rogues by Category]

Adaptive wIPS
Components and Functions

Mobility Services Engine
Support for Cisco Motion Services

3310 Mobility Services Engine
  Supports Adaptive wIPS for up to 2000 Monitor Mode APs
  Supports Context Aware for up to 2000 tracked devices
  Requires WLC software version 4.2.130 or later and WCS version 5.2 or later.

3350 Mobility Services Engine
  Supports Adaptive wIPS for up to 3000 Monitor Mode APs
  Supports Context Aware for up to 18000 tracked devices
  Requires WLC software version 4.2.130 or later and WCS version 5.1 or later.

• Mobility services may have different WLC/WCS software requirements
• Adaptive wIPS is licensed on a per-monitor mode AP basis
wIPS System Communication Diagram

[Diagram; callout: The MSE is not in the 'data path']
