
Security






Presentation Transcript


  1. Security

  2. 802.11 Security Fundamentals
  • Secure 802.11 is a three-stage process
  • Association – Establish Link
  • Authentication – 802.1X/EAP
  • Encryption – TKIP or AES

  3. Association Process
  • Management Frames are not encrypted
  • Addressed by Management Frame Protection (MFP) – Discussed later

  4. 802.11 Security
  • Enterprise WLAN Security relies upon 802.1x authentication.
  • 802.1x is port based security.
  • The association process establishes a virtual port
  • Encryption protects that virtual port

  5. EAP / 802.1X Overview
  • 802.1X authentication has three key components
  • Supplicant – WLAN Client
  • Authenticator – WLC
  • Authentication Server – AAA Server

  6. Wi-Fi Protected Access (WPA) and WPA 2
  • Components of WPA:
    • Authenticated Key Management using 802.1X:
      • EAP-TLS and RADIUS are the nominated EAP test mechanism
      • Unicast and Broadcast Encryption Key Management
    • TKIP: Per-packet Keying
      • IV expansion: 48 bit IVs
      • Message Integrity Check (MIC)
    • Migration Mode – coexistence of WPA and WEP devices
  • Why WPA?
    • Migration from WEP using the same hardware, fixed known WEP issues
  • WPA 2 uses:
    • AES CCMP Encryption rather than TKIP

  7. EAP Authentication

  8. WPA 4-way handshake
  • WPA and WPA2 perform a 4-way handshake to establish encryption keys
  • Unlike earlier 802.1X WEP implementations, WPA doesn’t use the derived key (PMK) directly
  • A 4-way handshake is used to generate a temporal key, and multicast group key
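To make the "PMK is not used directly" point concrete, the following is an added example (not part of the slides, and not Cisco code) that walks through the key-derivation side of the 4-way handshake as IEEE 802.11i specifies it: the PRF expands the PMK into KCK, KEK and TK, and the KCK then authenticates the EAPOL-Key messages. The PMK, MAC addresses and nonces are constructed placeholders, and the EAPOL-Key encoder is only as complete as the MIC check needs.

```python
import hmac
import hashlib

PTK_LABEL = b"Pairwise key expansion"
MIC_OFFSET = 81   # EAPOL header (4) + descriptor type, key info, key length, replay
                  # counter, nonce, IV, RSC, key ID (77) = start of the Key MIC field
MIC_LEN = 16


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) until nbits are filled."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, tk_len=16):
    """Expand the PMK into KCK || KEK || TK (tk_len 16 for CCMP, 32 for TKIP).
    Addresses and nonces are sorted so both peers build the same input regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, (16 + 16 + tk_len) * 8)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:32 + tk_len]}


def build_eapol_key(key_info, replay_counter, nonce, key_data=b""):
    """Minimal EAPOL-Key (RSN descriptor) frame with the MIC field zeroed; not a full encoder."""
    body = (bytes([2])                                   # descriptor type 2 = RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                    # key length 16 = CCMP
            + replay_counter.to_bytes(8, "big")
            + nonce                                      # 32-byte ANonce or SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
            + b"\x00" * MIC_LEN                          # key MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = Key


def eapol_key_mic(kck, frame, version=2):
    """MIC over the whole frame with the MIC field zeroed: HMAC-MD5 for descriptor
    version 1 (TKIP) or HMAC-SHA1 truncated to 128 bits for version 2 (CCMP)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def sign_eapol_key(kck, frame, version=2):
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame, version) + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol_key(kck, frame, version=2):
    return hmac.compare_digest(eapol_key_mic(kck, frame, version),
                               frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def handshake_demo():
    """Constructed walkthrough: both sides derive the PTK, the authenticator signs
    message 3 with its KCK, the supplicant checks it, and a tampered copy is rejected."""
    pmk = hashlib.sha256(b"constructed PMK, e.g. derived from the EAP MSK").digest()
    aa = bytes.fromhex("001122334455")       # constructed AP MAC
    spa = bytes.fromhex("66778899aabb")      # constructed client MAC
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)      # authenticator's view
    ptk_sta = derive_ptk(pmk, spa, aa, snonce, anonce)     # supplicant's view, arguments reversed
    msg3 = sign_eapol_key(ptk_ap["KCK"], build_eapol_key(0x13CA, 2, anonce))
    flip = MIC_OFFSET + MIC_LEN                            # flip a byte outside the MIC field
    tampered = msg3[:flip] + bytes([msg3[flip] ^ 0xFF]) + msg3[flip + 1:]
    return {
        "same_ptk": ptk_ap == ptk_sta,
        "mic_valid": verify_eapol_key(ptk_sta["KCK"], msg3),
        "tampered_valid": verify_eapol_key(ptk_sta["KCK"], tampered),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The PMK itself never touches the air: each fresh pair of nonces yields a fresh TK, and a message whose MIC does not verify under the KCK is dropped, which is what makes the handshake safe to repeat over an unencrypted link.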

  9. EAP Protocols: Feature Support
  Notes to the feature-support table:
  1. Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
  2. Greater operating system coverage is available from Meetinghouse and Funk supplicants
  3. PEAP/GTC is supported on CCXv2 clients and above
  4. Cisco 350/CB20A clients support EAP-FAST on MSFT XP, 2000, and CE operating systems; EAP-FAST supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients
  5. Supported by PEAP/GTC only
  6. Supported with 3rd party supplicant

  10. EAP Protocols: Feature Support
  Note to the feature-support table:
  1. Strong password policy mitigates dictionary attacks; please refer to: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html

  11. Wi-Fi Protected Access
  • What are WPA and WPA2?
    • Authentication and encryption standards for Wi-Fi clients and APs
    • 802.1x authentication
    • WPA uses TKIP encryption
    • WPA2 uses AES block cipher encryption
  • Which should I use?
    • Gold, for supporting NIC/OSs
    • Silver, if you have legacy clients
    • Lead, if you absolutely have no other choice (i.e., ASDs)
  Gold: WPA2/802.11i, EAP-Fast, AES
  Silver: WPA, EAP-Fast, TKIP
  Lead: Dynamic WEP, EAP-Fast/LEAP, VLANs + ACLs

  12. Key WLC Behaviors
  • Default operation is no Multicast/broadcast traffic is sent out to the WLANs
  • WLC acts as ARP Proxy for WLANs
  • ARPs and Gratuitous ARPs are not sent to the WLANs
  • WLC blocks duplicate IP Spoofing
  • WLC acts as DHCP relay for WLAN clients
  • DHCP requests are checked against associated client MAC
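The two client checks on this slide (DHCP requests matched to the associated MAC, duplicate IP blocked) come down to a small per-WLAN state table. The following is an added example, not WLC code, of that logic in simplified form: the association set and the lease table are the assumed controller state, and every MAC and IP below is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class WlanClientState:
    """Assumed controller-side view of one WLAN: who is associated and which IP each client was leased."""
    associated: Set[str] = field(default_factory=set)
    ip_to_mac: Dict[str, str] = field(default_factory=dict)


def check_dhcp_request(state: WlanClientState, src_mac: str, chaddr: str) -> Tuple[bool, str]:
    """Relay a DHCP request only if it comes from an associated station and the
    client-hardware-address inside the DHCP payload matches the 802.11 source MAC."""
    if src_mac not in state.associated:
        return False, "drop: DHCP from unassociated station"
    if chaddr != src_mac:
        return False, f"drop: chaddr {chaddr} does not match associated MAC {src_mac}"
    return True, "relay to DHCP server"


def learn_dhcp_ack(state: WlanClientState, mac: str, ip: str) -> None:
    """Record the lease the server handed back so later IP traffic can be checked against it."""
    state.ip_to_mac[ip] = mac


def check_ip_source(state: WlanClientState, src_mac: str, src_ip: str) -> Tuple[bool, str]:
    """Block a station that sends from an IP already leased to a different client."""
    owner = state.ip_to_mac.get(src_ip)
    if owner is not None and owner != src_mac:
        return False, f"drop: {src_ip} is leased to {owner}, not {src_mac}"
    return True, "forward"


def run_scenario() -> Dict[str, bool]:
    """Constructed traffic: one honest client, one forging chaddr, one not associated at all."""
    state = WlanClientState(associated={"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"})
    results = {}
    results["honest_dhcp"] = check_dhcp_request(state, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01")[0]
    results["forged_chaddr"] = check_dhcp_request(state, "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01")[0]
    results["unassociated"] = check_dhcp_request(state, "aa:bb:cc:00:00:99", "aa:bb:cc:00:00:99")[0]
    learn_dhcp_ack(state, "aa:bb:cc:00:00:01", "10.0.0.10")
    results["owner_traffic"] = check_ip_source(state, "aa:bb:cc:00:00:01", "10.0.0.10")[0]
    results["duplicate_ip"] = check_ip_source(state, "aa:bb:cc:00:00:02", "10.0.0.10")[0]
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```

Because the controller sees both the 802.11 association and the DHCP exchange, it can bind a client's IP to the MAC it authenticated with, which is the state a wired DHCP relay on its own does not have.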

  13. Cisco Unified Wireless Network 4.1
  • Management Frame Protection
  • Provides for the authentication of 802.11 management frames by the wireless network infrastructure
  • Allows detection of malicious rogues that are spoofing a valid AP MAC or SSID in order to avoid detection as a rogue AP, or as part of a man-in-the-middle attack
  • Increases the fidelity of rogue AP and WLAN IDS signature detection
  • Provides protection of client devices with CCX v5
  • Also supported with Autonomous AP/ WDS/ WLSE in version 12.3(8)/ v2.13

  14. Management Frame Protection Function
  • A solution for clients and infrastructure (APs)
  • Clients and APs add a MIC (signature) into every management frame
  • Anomalies are detected instantly and reported to Controller/WCS
  • E.g. no threshold or rate checks required to detect anomalies
  Diagram labels: MFP Protected; MFP Protected; FUTURE – CCXv5

  15. Benefits of MFP
  • Protection – for Rogue AP, Man-in-the-Middle exploits, other Management Frame attacks
  • Prevention – will be available with clients capable of decrypting the signature
  • Integration with other Cisco Security Monitoring solutions in order to characterize “attack vectors” – rules based correlation
  • Cisco Security Leadership and Innovation

  16. Rogue AP Detection
  • Rogue AP detection has multiple facets:
    • Air/RF detection—detection of rogue devices by observing/sniffing beacons and 802.11 probe responses
    • Rogue AP location—use of the detected RF characteristics and known properties of the managed RF network to locate the rogue device
    • Wire detection—a mechanism for tracking/correlating the rogue device to the wired network
  • A WIDS may require different deployments to effectively address all of these facets
  • For example, it is typically required to use a scanning-mode AP as a “rogue traffic injector” to attempt to trace the rogue’s connected port

  17. Radio (Air/RF) Monitoring
  Diagram labels: Network Core – NMS, Wireless Control System (WCS); Distribution – Wireless LAN Controller; Access – Auto-RRM, RLDP, ARP Sniffing, Rogue Detector AP, Rogue APs

  18. A Complete Solution for Handling Rogues
  • Controlled by administrator
  • Multiple rogues contained simultaneously
  1. Detect Rogue AP (generate alarm)
  2. Assess Rogue AP (Identity, Location, ..)
  3. Contain Rogue AP
  4. View Historical Report

  19. Rogue AP Detection and Suppression
  • Rogue AP detection methodology
    • WLAN system collects (via beacons and probe responses) and reports BSSID information
    • System compares collected BSSID information versus authorized (i.e., managed AP) BSSID information
    • Unauthorized APs are flagged and reported via fault monitoring functionality
  • Rogue AP suppression techniques
    • Trace the rogue AP over the wired network to verify that the rogue is internal and should be contained
    • Use of managed devices to disassociate clients from unauthorized AP and prevent further associations via 802.11 de-authentication frames
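The detection methodology on this slide (collect BSSIDs from beacons and probe responses, compare against the managed-AP list, flag the rest) and the MFP signature on slides 13 and 14 (a MIC in every infrastructure management frame, so a frame carrying a managed BSSID without a valid MIC is a spoof) fit together in one classifier. The following is an added example, not Cisco code, of that logic over constructed scan records. The MIC here is an HMAC stand-in keyed with an assumed infrastructure key; Cisco's actual MFP element format is not modelled, and the verdict names are this example's own.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class MgmtFrame:
    """One beacon or probe response as a scanning AP would report it (constructed records)."""
    frame_type: str             # "beacon" or "probe_response"
    bssid: str
    ssid: str
    channel: int
    mic: Optional[bytes] = None  # stand-in for the MFP MIC element; None = unprotected frame


def mfp_mic(infra_key: bytes, f: MgmtFrame) -> bytes:
    """Stand-in MFP signature: HMAC over the fields a spoofer would copy from a managed AP."""
    msg = f"{f.frame_type}|{f.bssid.lower()}|{f.ssid}|{f.channel}".encode()
    return hmac.new(infra_key, msg, hashlib.sha256).digest()[:8]


def protected(infra_key: bytes, f: MgmtFrame) -> MgmtFrame:
    """What a managed AP emits: the same frame with a valid MIC attached."""
    f.mic = mfp_mic(infra_key, f)
    return f


def classify(f: MgmtFrame, authorized_bssids: Set[str], managed_ssids: Set[str], infra_key: bytes) -> str:
    bssid = f.bssid.lower()
    if bssid in authorized_bssids:
        # Our BSSID: only trust it if the MFP signature checks out.
        if f.mic is None or not hmac.compare_digest(f.mic, mfp_mic(infra_key, f)):
            return "spoofed-managed-bssid"
        return "authorized"
    if f.ssid in managed_ssids:
        return "rogue-spoofing-ssid"   # unknown BSSID advertising one of our SSIDs
    return "rogue"                     # unknown BSSID, unrelated SSID


def rogue_report(frames: List[MgmtFrame], authorized_bssids: Set[str],
                 managed_ssids: Set[str], infra_key: bytes) -> Dict[str, str]:
    """Verdict per BSSID; a non-authorized verdict is never masked by a later good frame."""
    report: Dict[str, str] = {}
    for f in frames:
        verdict = classify(f, authorized_bssids, managed_ssids, infra_key)
        key = f.bssid.lower()
        if report.get(key) in (None, "authorized"):
            report[key] = verdict
    return {b: v for b, v in report.items() if v != "authorized"}


def demo() -> Dict[str, str]:
    """Constructed scan: two managed APs, one spoof of a managed BSSID, one honeypot SSID, one plain rogue."""
    key = b"constructed infrastructure MFP key"
    authorized = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
    managed_ssids = {"CorpNet"}
    frames = [
        protected(key, MgmtFrame("beacon", "00:11:22:33:44:01", "CorpNet", 6)),
        protected(key, MgmtFrame("probe_response", "00:11:22:33:44:02", "CorpNet", 11)),
        MgmtFrame("beacon", "00:11:22:33:44:01", "CorpNet", 1),       # our BSSID, no MIC
        MgmtFrame("beacon", "de:ad:be:ef:00:01", "CorpNet", 6),       # unknown BSSID, our SSID
        MgmtFrame("beacon", "de:ad:be:ef:00:02", "FreeCoffeeWiFi", 1),
    ]
    return rogue_report(frames, authorized, managed_ssids, key)


if __name__ == "__main__":
    for bssid, verdict in demo().items():
        print(f"{bssid}: {verdict}")
```

The BSSID comparison alone cannot tell a managed AP from a device cloning its MAC, which is why the slides pair it with MFP: the signature check turns "known BSSID" into "known BSSID, seen with a MIC only the infrastructure can produce", and no rate thresholds are needed to raise the alarm.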

  20. Cisco Unified Wireless: Map Rogue AP

  21. Cisco Unified Wireless: Rogue Containment
  • Rogue AP, Rogue-Connected Client, or Ad-Hoc Client May Be Contained by Controller Issuing Unicast De-Authentication Packets
  • Maximum number of APs participating in containment is configurable
  • Maximum of three simultaneous containments may operate on a single LWAPP AP
  • Rogue client devices may be authenticated to a RADIUS (MAC address) database
  • Maximum time for auto-containment is configurable

  22. Cisco Unified Wireless: Rogue AP Detection and Containment

  23. Client Exclusion
  • WLC can deny access to suspect clients
  • Exclusion Policy is global
  • Exclusion enabled on a per WLAN basis

  24. Wireless IDS
  • The WLC comes with built in Wireless IDS signatures that can be augmented with additional customer signatures

  25. Integration into Cisco Network
  • Cisco Unified Wireless Network Integration features
  • Layer 2 Connection for WLAN client makes for easy integration of
    • Firewall and IDS Modules
    • NAC Appliance
  • Integration features with Cisco IDS/IPS

  26. WAN WLC 4.1 Feature – Local EAP Termination
  • Terminate EAP on Controller for 802.11i, WPA, and WPA2 authentication
  • Supports LEAP, EAP-FAST, EAP-TLS, MD5
  • No RADIUS Server Required
  • Ideal for Remote Sites with unreliable WAN Links
  • Define Users on Controller or in an LDAP Database (e.g. Active Directory)
  • If the central RADIUS server is unreachable, Local EAP can be used to authenticate users.
  Diagram labels: RADIUS Server; Cisco Wireless LAN Controller; LDAP Server (Optional); Cisco Aironet Lightweight Access Point; Regional Office
