Skyjacking A Cisco Wlan Attack Analysis And Countermeasures

This presentation will deconstruct the skyjacking vulnerability - explaining why the vulnerability occurs in Cisco WLANs, which Cisco access points are affected, how skyjacking can be exploited to launch potent attacks, and what are the best practices to proactively protect your enterprise network against such zero-day vulnerabilities and attacks.

Published in: Technology, Education
  • 09/23/09

    1. Skyjacking a Cisco WLAN: Attack Analysis and Countermeasures. Presenters: Dr. Pravin Bhagwat, CTO; Dr. Hemant Chaskar, Director of Technology. Moderator: Sri Sundaralingam, VP of Product Management
    2. In the News: Cisco wireless LAN vulnerability could open ‘back door’; Cisco wireless LANs at risk of attack, ‘skyjacking’; Newly discovered vulnerability could threaten Cisco wireless LANs
    3. What Cisco says: “No risk of data loss or interception”; “Could allow an attacker to cause a denial of service (DoS) condition”. It’s not a big deal! Severity = Mild
    4. Hmm…??? What exactly is skyjacking? Do I need to worry about it? How severe is the exploit?
    5. What you will learn today: The risk from skyjacking vulnerability is much bigger than stated; How to assess if you are vulnerable; Countermeasures for skyjacking and other zero-day attacks
    6. Five ways a LAP can discover WLCs: Subnet-level broadcast; Configured; DNS; DHCP; Over-the-air provisioning (OTAP)
    7. Three criteria a LAP uses to select a WLC: Step 1: Primary, Secondary, Tertiary; Step 2: Master mode; Step 3: Maximum excess capacity
    8. Over-the-air provisioning (OTAP)
    9. OTAP exploited for “skyjacking”
    10. Skyjacked LAP denies service to wireless users
    11. Is this just the tip of the iceberg?
    12. Secure WLAN enterprise access. Diagram label: Before. SSID: Corp; Security: WPA2; VLAN: 20; Comment: Internal to corporate network. AP physically connected to: VLAN 30; Comment: Internal to corporate network
    13. Authorized LAP skyjacked – DoS. Diagram labels: Before, DoS. SSID: Corp; Security: WPA2; VLAN: 20; Comment: Internal to corporate network. AP physically connected to: VLAN 30; Comment: Internal to corporate network
    14. Authorized LAP turned into Open Rogue AP. Diagram labels: Before, Rogue on Network. SSID: Corp; Security: OPEN; VLAN: 30; Comment: Internal to corporate network. AP physically connected to: VLAN 30; Comment: Internal to corporate network
    15. Camouflaged Rogue LAP: a backdoor to your enterprise network!
    16. Wolf in Sheep Clothing. Diagram labels: Before, Rogue on Network. SSID: Corp; Security: WPA2; VLAN: 30; Comment: Internal to corporate network. AP physically connected to: VLAN 30; Comment: Internal to corporate network
    17. Wolf in Sheep Clothing – Scenario 2. Diagram labels: Before, Rogue on Network, DoS. SSID: Corp; Security: WPA2; VLAN: 20; Comment: Internal to corporate network. SSID: Guest; Security: OPEN; VLAN: 30; Comment: Internal to corporate network. AP physically connected to: VLAN 30; Comment: Internal to corporate network
    18. SpectraGuard® Enterprise WLAN policy set-up: Guest WLAN SSID; Allowed Subnet (VLAN) for Guest SSID
    19. Normal WLAN operation: Authorized SSIDs are seen in “Green” color and are detected with VLAN identifier to which they connect. Device list displayed on SpectraGuard Enterprise console
    20. Skyjacking on guest access: (1) Change in the VLAN is detected; (2) SSID marked as “misconfigured” (background changes to amber); (3) Automatic Prevention started (shield icon appears)
    21. Summary, by type of skyjacking attack. Authorized SSID as Open Rogue AP (Open rogue): only over-air threat detection ✓; AirTight’s unique wireless-wired correlation based threat detection ✓. Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing) (WPA2 rogue): only over-air threat detection X; AirTight’s unique wireless-wired correlation based threat detection ✓. Guest access as Open Rogue AP (Wolf in Sheep clothing – scenario 2) (Open guest rogue): only over-air threat detection X; AirTight’s unique wireless-wired correlation based threat detection ✓
    22. AirTight’s SpectraGuard Enterprise: The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack, thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping™ architecture
    23. Which LAPs can be skyjacked? Type of Cisco LAP and whether it is vulnerable: LAPs using auto discovery: Yes; Configured with “preferred” WLCs (primary, secondary, tertiary): Mostly No; Configured with locally significant certificates (LSC): No
    24. Countermeasures: Manually configure LAPs with preferred WLCs (primary, secondary, tertiary): Primarily HA and load balancing feature; Manually configure LAPs with LSCs: Impractical; Block outgoing traffic from UDP ports 12222 and 12223 on your firewall: Not a common practice; Turn off OTAP on WLC: Ineffective!
    25. Practical difficulties: Do you know
        • If your outgoing UDP ports on the firewall are blocked? Did you test it today?
        • How many VLANs do you have authorized for wireless access?
        • Are all SSIDs mapped to the correct VLANs?
        • When was the last time your LAPs rebooted?
        • When was the last time your WLC was taken down for maintenance?
        • If all your APs are compliant with your security policies? How do you know?
        • If all LAPs are configured with primary, secondary and tertiary WLC?
        • If all LAPs are indeed connected to configured WLCs?
    26. One mistake and you could be exposed!
    27. Adding second, independent layer of WIPS protection. Diagram labels: Misconfigurations; Zero-day attacks; Designed for security; Designed for WLAN access; Undesirable connections; Misconfigurations; Zero-day attacks; Undesirable connections
    28. AirTight’s SpectraGuard product family: SpectraGuard SAFE: Wireless Security for Mobile Users; SpectraGuard Online: Industry’s Only Wireless Security Service; SpectraGuard Enterprise: Complete Wireless Intrusion Prevention; SpectraGuard Planner: WLAN Coverage & Security Planning
    29. About AirTight Networks: The Global Leader in Wireless Security and Compliance. For more information on wireless security risks, best practices, and solutions, visit: www.airtightnetworks.com. Visit our blog to read the root cause analysis of “Skyjacking: What Went Wrong?”: blog.airtightnetworks.com
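
The checks asked for on slides 23 and 25 (which LAPs rely on auto discovery, whether each LAP is joined to a configured WLC, whether every SSID sits on its authorized VLAN with its authorized security) can be run as a periodic audit over an AP inventory. The sketch below is an added example, not code from the presentation or from any AirTight or Cisco product; the controller names, LAP names and inventory layout are hypothetical, and the SSID rows reuse the Corp/WPA2/VLAN 20 and Guest/OPEN/VLAN 30 values from the slides.

```python
from dataclasses import dataclass, field

# Constructed policy: controller names are hypothetical; SSID rows follow the slides.
AUTHORIZED_WLCS = {"wlc-hq-1", "wlc-hq-2"}
SSID_POLICY = {"Corp": ("WPA2", 20), "Guest": ("OPEN", 30)}  # SSID -> (security, VLAN)

@dataclass
class Lap:
    name: str
    preferred_wlcs: list   # primary/secondary/tertiary; empty means auto discovery
    has_lsc: bool          # locally significant certificate installed
    joined_wlc: str        # controller the LAP is currently joined to
    ssids: dict = field(default_factory=dict)  # observed SSID -> (security, VLAN)

def vulnerable(lap):
    """Classify a LAP the way slide 23 does: Yes / Mostly No / No."""
    if lap.has_lsc:
        return "No"
    return "Mostly No" if lap.preferred_wlcs else "Yes"

def audit(lap):
    """Return the findings for one LAP; an empty list means compliant."""
    findings = []
    if vulnerable(lap) == "Yes":
        findings.append("uses auto discovery")
    if lap.joined_wlc not in AUTHORIZED_WLCS:
        findings.append(f"joined to unknown WLC {lap.joined_wlc}")
    elif lap.preferred_wlcs and lap.joined_wlc not in lap.preferred_wlcs:
        findings.append(f"joined to {lap.joined_wlc}, not a configured WLC")
    for ssid, (security, vlan) in sorted(lap.ssids.items()):
        if ssid not in SSID_POLICY:
            findings.append(f"unauthorized SSID {ssid}")
            continue
        want_sec, want_vlan = SSID_POLICY[ssid]
        if security != want_sec:
            findings.append(f"{ssid}: security {security}, policy {want_sec}")
        if vlan != want_vlan:
            findings.append(f"{ssid}: on VLAN {vlan}, policy VLAN {want_vlan}")
    return findings

# Constructed inventory: one healthy LAP, one showing slide 16's "Corp on VLAN 30".
INVENTORY = [
    Lap("lap-lobby", ["wlc-hq-1", "wlc-hq-2"], False, "wlc-hq-1", {"Corp": ("WPA2", 20)}),
    Lap("lap-dock", [], False, "wlc-unknown", {"Corp": ("WPA2", 30)}),
]

if __name__ == "__main__":
    for lap in INVENTORY:
        print(lap.name, vulnerable(lap), audit(lap) or "compliant")
```

The WPA2-on-wrong-VLAN case is the one the summary slide marks as missed by over-air-only detection, which is why the observed VLAN has to come from the wired side of the inventory.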
