Secure Wireless LAN Design and Deployment

Similar documents
Securing Wireless LANs

Configuring Layer2 Security

Configuring Management Frame Protection

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Chapter 24 Wireless Network Security

Securing Cisco Wireless Enterprise Networks ( )

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Wireless LAN Security & Threat Mitigation

Cisco Questions & Answers

Cisco Exactexams Questions & Answers

Exam Questions CWSP-205

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Securing Wireless Enterprise Networks.

CCIE Wireless v3 Lab Video Series 1 Table of Contents

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

WLAN Roaming and Fast-Secure Roaming on CUWN

Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Configuring Authentication Types

Troubleshooting WLANs

CCIE Wireless v3 Workbook Volume 1

Cisco Exam Questions & Answers

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

WPA-GPG: Wireless authentication using GPG Key

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Configuring the Client Adapter through Windows CE.NET

CCIE Wireless v3.1 Workbook Volume 1

Overview. Information About wips CHAPTER

Exam : PW Title : Certified wireless security professional(cwsp) Version : DEMO

Configuring Hybrid REAP

Troubleshooting WLANs (Part 2)

Chapter 17. Wireless Network Security

WPA Passive Dictionary Attack Overview

Network Encryption 3 4/20/17

COPYRIGHTED MATERIAL. Contents

Configuring a WLAN for Static WEP

FlexConnect. Information About FlexConnect

TestsDumps. Latest Test Dumps for IT Exam Certification

Wireless KRACK attack client side workaround and detection

Cisco Unified Wireless Network Software Release 7.4

The RNS (Robust Secure Network) IE must be enabled with an AES Cipher.

CertifyMe. CISCO EXAM QUESTIONS & ANSWERS

Wireless Network Security

Configuring a VAP on the WAP351, WAP131, and WAP371

Wireless Intrusion Detection System

Cisco Actualtests Exam Questions & Answers

Chapter 1 Describing Regulatory Compliance

Configuring the Client Adapter through the Windows XP Operating System

Identity Based Network Access

The following chart provides the breakdown of exam as to the weight of each section of the exam.

P ART 3. Configuring the Infrastructure

ENH900EXT N Dual Radio Concurrent AP. 2.4GHz/5GHz 900Mbps a/b/g/n Flexible Application

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Configuring the Client Adapter

Wireless Network Security Spring 2015

Wireless Attacks and Countermeasures

Wireless Network Security Spring 2016

Hooray, w Is Ratified... So, What Does it Mean for Your WLAN?

Cisco Deploying Basic Wireless LANs

802.11ac 3x3 Dual Band High-Powered Wireless Access Point/Client Bridge

Configuring the Wireless Parameters (CPE and WBS)

Configuring OfficeExtend Access Points

Mobile MOUSe WIRELESS TECHNOLOGY SPECIALIST ONLINE COURSE OUTLINE

Template information can be overridden on individual devices.

Q&As. Implementing Cisco Unified Wireless Voice Networks (IUWVN) v2.0. Pass Cisco Exam with 100% Guarantee

Cisco Exam Securing Wireless Enterprise Networks Version: 7.0 [ Total Questions: 53 ]

Configuring WLANsWireless Device Access

Configuring the Client Adapter through the Windows XP Operating System

Cisco Exam Implementing Cisco unified Wireless Voice Networks (IUWVN) v2.0 Version: 10.0 [ Total Questions: 188 ]

Template information can be overridden on individual devices.

Wireless Network Security

CSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology

CertKiller q

DCWS-6028 Enterprise-Class Smart Wireless Access Controller. The Simple and Powerful Enterprise Smart Wireless LAN Controller

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Configuring Cipher Suites and WEP

CWNA Exam PW0-100 certified wireless network administrator(cwna) Version: 5.0 [ Total Questions: 120 ]

A-to-Z Design Guide for the All-Wireless Workplace

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

Borderless Networks. Tom Schepers, Director Systems Engineering

Per-WLAN Wireless Settings

Cisco Troubleshooting Cisco Wireless Enterprise Networks WITSHOOT v1.1

PRODUCT GUIDE Wireless Intrusion Prevention Systems

Wireless LAN Endpoint Security Fundamentals

Physical and Link Layer Attacks

Cisco Exam Questions & Answers

IP network that supports DHCP or manual assignment of IP address, gateway, and subnet mask

WLAN Security Preparing For BYOD and IoT

Software-Defined Access Wireless

Appendix E Wireless Networking Basics

Configuring FlexConnect Groups

Wireless LAN Security. Gabriel Clothier

FAQ on Cisco Aironet Wireless Security

Cisco Catalyst 6500 Series Wireless LAN Services Module: Detailed Design and Implementation Guide

What Is Wireless Setup

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Implementing X Security Solutions for Wired and Wireless Networks

Securing Wireless LAN Controllers (WLCs)

Network aspects of School infrastructure

Transcription:

Secure Wireless LAN Design and Deployment Mark Krischer CTO, Enterprise Networks Asia Pacific, Japan and Greater China

Abstract The proliferation of mobile devices and the rise of BYOD has raised the profile of the enterprise wireless network and the challenges associated with secure and scalable wireless network design. In this session we will explore the threats associated with wireless networks and consider the 802.11 standards and Cisco solutions which address them. This will include an understanding of enforcing policies based on authentication and authorisation; the implications of fast secure roaming in voice and video deployments; and more advanced topics such as rogue AP detection, wireless intrusion detection and prevention, and spectrum intelligence.

Session Objectives What this session will cover And what it won t Wireless Threats Wireless Security Fundamentals Authentication Encryption Authorisation Wireless Security Standards Advanced Wireless Security Network Design Implications Configuration Details Version Discrepancies Roadmap Except when it does

Wireless Threats and Vulnerabilities Wireless propagates beyond the traditional physical boundaries of the wired network Rogue APs can be a source of different vulnerabilities Honeypot APs Unsecured backdoor access Attack from anywhere within the bounds Passive scanning attacks Active spoofing attacks Active jamming or DoS attacks Wireless Clients themselves can introduce vulnerabilities as well Bridge wireless to wired network Unsecured Hot-Spot usage Data Exposure

Wireless Protected Access WPA A snapshot of the 802.11i Standard Commonly used with TKIP encryption WPA2 Final version of 802.11i Commonly used with AES encryption Authentication Mechanisms Personal (PSK Pre-Shared Key) Enterprise (802.1X/EAP)

802.11 Fundamentals Beacons and Probes Beacon Beacon Probe Request Probe Response Probe Request Probe Response SSID = blizzard, Security = WPA2-Enterprise SSID = ciscolive, Security = Open SSID = blizzard SSID = blizzard, Security = WPA2-Enterprise SSID = ciscolive SSID = ciscolive, Security = Open

802.11 Fundamentals Association CAPWAP Wireless LAN Controller Association Request Association Response Disassociation Request Disassociation Response Reassociation Request Association Response SSID = blizzard SSID = blizzard, Security = WPA2-Enterprise SSID = blizzard SSID = blizzard SSID = blizzard SSID = blizzard, Security = WPA2-Enterprise

802.11 Fundamentals Authentication CAPWAP Wireless LAN Controller RADIUS Identity Services Engine Supplicant Authenticator Authentication Server 802.1x RADIUS EAP

802.11 Fundamentals Authentication CAPWAP Wireless LAN Controller RADIUS Identity Services Engine Association Response Identify Request Identity Response Identity Response EAP Type Negotiation Authentication Sequence Between Supplicant and Authentication Server EAP Success EAP Success

WPA-Enterprise 802.1x and Extensible Authentication Protocols Tunnel-Based Outer Methods EAP-PEAP EAP-FAST Inner Methods EAP-MSCHAPv2 EAP-GTC EAP-TLS Certificate-Based EAP-TLS

802.11 Fundamentals Encryption AES CAPWAP Wireless LAN Controller RADIUS Identity Services Engine PMK EAP Success ANonce PTK SNonce, MIC PTK, GTK ANonce, MIC, GTK, Sequence # ACK EAP Success (PMK) Four-Way Handshake PMK PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC)

GTK Randomisation Hole 196 NOTE: Pairwise key support with TKIP or CCMP allows a receiving STA to detect MAC address spoofing and data forgery. The RSNA architecture binds the transmit and receive addresses to the pairwise key. If an attacker creates an MPDU with the spoofed TA, then the decapsulation procedure at the receiver will generate an error. GTKs do not have this property. When enabled, GTK should be randomised for each client Clients will not be able to decrypt the Broadcast and Multicast packets received from other clients Consider the implications for certain applications IGMP membership report queries are send as broadcast Downstream IGMP client membership report queries will not be decipherable by all clients

Secure Fast Roaming Challenges Client channel scanning and AP selection Re-authentication of client device and re-keying

Secure Fast Roaming Cisco Compatible Extensions Client channel scanning and AP selection Improved via Cisco Compatible Extensions (CCX) Neighbour Lists Re-authentication of client device and re-keying Cisco Centralised Key Management (CCKM) In highly controlled test environments, CCKM roam times measure 5-8ms Available in CCX enabled clients

Secure Fast Roaming Voice-Enterprise and 802.11k and 802.11r Client channel scanning and AP selection Improved via 802.11k Neighbour Lists Re-authentication of client device and re-keying 802.11r based on CCKM Available in Voice-Enterprise certified clients Due to changes to 802.11 management frames, older client drivers may not understand the 11r response frame

Management Frame Protection Infrastructure Management Frame Protection Detection Client Management Frame Protection Prevention MFP Protected MFP Protected Enterprise Network

Management Frame Protection 802.11w and Protected Management Frames Unicast Management Frames Confidentiality and Integrity Protection Multicast Management Frames Integrity Protection 802.11w Protected Enterprise Network

Security Association Teardown Protection 802.11w and Protected Management Frames 802.11w Protected

Security Association Teardown Protection 802.11w and Protected Management Frames 802.11w Protected Reassociation Request Reassociation Response SA Query Request SA Query Response Request SA Query Request Reassociation Request Association Response Reject: Try again later SA Query Timeout Comeback Timer Reassociation Request Accepted

Security Association Teardown Protection 802.11w and Protected Management Frames 802.11w Protected Reassociation Request Reassociation Response SA Query Request SA Query Response Request Reject: Try again later Reassociation Request Ignored

WPA Personal Pre-Shared Key AES PSK PSK ANonce PTK SNonce PTK, GTK GTK ACK Four-Way Handshake Offline Attack Dictionary Rainbow Table Strong Passwords Matter PTK = SHA(PSK + ANonce + SNonce + AP MAC + STA MAC)

Wi-Fi Protected Setup Brute Force Attack Feasibility Online Attack Brute force PIN Identity Request Identity Response EAP-NACK EAP-NACK PIN WFA-SimpleConfig Key Space 10 8 = 100,000,000 Prove Possession of 1 st half of the PIN Key Space 10 4 = 10,000 Prove Possession of 2 nd half of the PIN Key Space 10 4 + 10 4 = 20,000 Key Space 10 4 + 10 3 = 11,000

Wi-Fi Direct Wi-Fi Direct allows devices to make direct connection groupings to enable printing, syncing and content sharing Wi-Fi Direct leverages both WPA2 for security and WMM for QoS But, WPS is used to enable the quick and easy connection Worse, Wi-Fi Direct supports simultaneous connections to both infrastructure networks and Wi-Fi Direct groups WiFi Network Group Video Streaming Group Game Controller Group

Data Exposure

AnyConnect Desktop Microsoft Windows Clients Mac OS X Linux Mobile Apple ios iphone and ipad Android Smartphones Tablets BB10 (future) Smartphones Playbook Clientless HTC Motorola Samsung Version 4.0+ HTC Lenovo Motorola Samsung Version 4.0+

Advanced Security Capabilities 2 1 2 1 3 3 Enterprise Network Rogue AP Detection and Containment Layer 1 active jamming attacks Layer 2 active spoofing attacks

Rogue AP Detection Rogue Location Discovery Protocol RLDP Packet

Rogue AP Detection Switch Port Tracing Show CDP Neighbours SNMP CAM Table Lookup Prime Infrastructure

Integrated IDS and Adaptive wips 2 1 2 1 3 3 Enterprise Network Monitor Mode AP / WLC Integrated IDS Rogue AP and Client Detection 17 Common Attack Signatures Enhanced Local Mode Enables Client Serving APs to periodically go off-channel for IDS scanning Adaptive wips Alarm Aggregation, Consolidation and False Positive Reduction Enhanced DoS Attack Behaviour Analysis Coordinated Rogue Containment Anomaly Detection Forensic, Blacklisting, Auto Containment, and Auto Immunity responses

Alarm Consolidation MDK3 Secret Destruction Mode MDK3 is a wireless penetration test tool Beacon Flooding Attack Fills the environment with fake APs EAPOL Flooding Attack Generates multiple authentication requests from spoofed MAC addresses Deauthentication/Disassociation Attacks Michael MIC Countermeasure DoS Exploit

Wireless Security and Spectrum Intelligence Deployment Modes Enhanced Local Mode Data, wips & CleanAir Data Monitor Mode wips & CleanAir AP3600/3700 with WSSI Data, wips & CleanAir Data with wips & CleanAir On Channel Data with CleanAir On Channel Best Effort wips coverage Off Channel wips & CleanAir All Channels

Wireless Security and Spectrum Intelligence Off Channel Scanning Enhanced Local Mode Monitor Mode Local Mode with WSSI Module Dwell time ELM: 50ms per-channel MM: 1.2s per channel Monitor Mode 1 Monitor Mode AP : 5 Local Mode WSSI Module 1:5 Clean Air 2:5 wips

Wireless Security and Spectrum Intelligence CleanAir Integration Detection and location of RF layer DoS attacks Non-standard channel threat detection Detection and mitigation of non-wi-fi device interference

Network Security and Segmentation

Authorisation Network Segmentation Branch Office ISE PI WLC Core WAN WLC SSID Employees SSID Voice WLC SSID Guests

Authorisation Static VLAN Assignment VLAN based on SSID VLAN segregation based on security policy Dynamic VLAN Assignment VLAN based on authentication credentials VLAN segregation based on role TrustSec Secure Group Access Security based on TAGs instead of source and destination addresses ACLs applied at the packet level

45

Network Design Implications Centralised Wireless Deployment WLC acts as a chokepoint ASA provides policy enforcement and threat detection on wireless traffic before bridging onto the Enterprise network Enterprise Network ASA WLC Wireless traffic tunneled to the network core Wireless traffic treated differently to wired traffic Core/Distribution Access

Network Design Implications Converged Access Deployment Wireless traffic bridged at the access layer Wireless traffic treated the same as wired traffic Wireless wips Rogue AP Detection Containment Switch Port Tracing WSSI support pending ACLs Airespace Downloadable SGACL Wired Security Features Storm Control Protected Ports IP Source Guard IPv6 First Hop Security Flexible Netflow Wireshark EEM Enterprise Network ASA Core/Distribution Converged Access

Q & A

Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile Visit any Cisco Live Internet Station located throughout the venue Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback