Wireless LAN Security, Policy, and Deployment Best Practices

Session BRKEWN-2021, Cisco Live 2011. The current state of wireless security, covering wireless device access, preventing rogue threats and addressing wireless attacks. Special focus on device profiling and policy, covering how to prevent unauthorized devices (such as smartphones and tablets) from accessing the network. Learn more: http://www.cisco.com/go/wireless

Presentation Transcript

  • Wireless LAN Security, Policy and Deployment Best Practices
    BRKEWN-2021
    Jameson Blandford, Technical Marketing Engineer, CCIE #27687
    July 2011
    BRKEWN-2021 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • Agenda
    - Security Standards: Strong Encryption; Strong Authentication
    - User Policy and Device Identification: Wireless Policy Using ACS and ISE; Per User VLAN, ACL and QoS; Device Fingerprinting
    - Rogue Management, Attack Detection and Threat Mitigation: Rogue Classification and Containment; Adaptive wIPS Monitor Mode and ELM; MFP and Wired IPS Integration
  • Strong Authentication and Encryption (section)
  • Authentication Evolution
    MAC Address Authentication -> 802.1X / Dynamic WEP -> WPA/WPA2
  • WPA/WPA2 Breakdown
    - WPA: a snapshot of the 802.11i standard taken before it was finalized; commonly used with TKIP encryption
    - WPA2: the final version of 802.11i; commonly used with AES encryption
    - Authentication mechanisms: Personal (PSK), home use; Enterprise (802.1X/EAP), office use
  • EAP Protocol Flow
    Client (supplicant) <-> Authenticator (access point and WLC, joined by CAPWAP) <-> Authentication Server (RADIUS)
    The EAP conversation runs end to end between the client and the authentication server; the authenticator only relays it, inside 802.1X on the air and inside RADIUS on the wire.
  • EAP Authentication Types
    - Tunneling-based: PEAP, EAP-TTLS, EAP-FAST, each carrying an inner method such as EAP-GTC or EAP-MSCHAPv2
    - Certificate-based: EAP-TLS
    - Tunnel-based: common deployments use a tunneling protocol (PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. The TLS tunnel protects the inner method, which may be vulnerable by itself. That protection holds only if the supplicant validates the server certificate; a client configured to skip validation will run MSCHAPv2 inside a tunnel to whoever answers on the SSID.
    - Certificate-based: for more security, EAP-TLS provides mutual authentication of both the server and the client.
  • EAP Methods Comparison
    Feature                              EAP-TLS   PEAP     EAP-FAST
    Fast Secure Roaming (CCKM)           Yes       Yes      Yes
    Local WLC Authentication             Yes       Yes      Yes
    OTP (One Time Password) Support      No        Yes      Yes
    Server Certificates                  Yes       Yes      No
    Client Certificates                  Yes       No       No
    PAC (Protected Access Credentials)*  No        No       Yes
    Deployment Complexity                High      Medium   Low
    * PACs can be provisioned anonymously for minimal complexity. Anonymous in-band provisioning trades security for that simplicity: the client cannot verify who is handing it the PAC, so provision PACs out of band or over an authenticated (server-certificate) tunnel where you can.
  • Choosing an EAP Method: Security vs. Complexity
    Consider together: client support, server support, and the EAP type(s) already deployed.
    - Most clients (Windows, Mac OS X, Apple iOS devices) support EAP-TLS and PEAP (MS-CHAPv2).
    - Additional supplicants (Cisco AnyConnect) can add more EAP types.
    - Certain EAP types (TLS) can be more difficult to deploy than others depending on device type, because every client needs a certificate issued and installed.
  • Encryption Evolution
    WEP (RC4) -> TKIP (RC4 plus MIC) -> AES (CCMP)
  • Encryption Best Practices: TKIP and AES
    TKIP (Temporal Key Integrity Protocol)
    - Use only for legacy clients without AES support
    - Often a software update for WEP clients
    - Can be run in conjunction with AES (mixed mode)
    - Is being discontinued by the Wi-Fi Alliance for certification
    AES (Advanced Encryption Standard, used by CCMP)
    - Requires hardware support (~2005 chipsets or later)
    - Achieves line-rate speeds
    - The only encryption supported at 802.11n data rates; TKIP-only clients fall back to legacy rates
  • User-Based Policy and Device Identification (section)
  • Cisco User-Based Policy Offering
    - Static policy: Cisco ACS (or any other RADIUS server that can return Vendor Specific Attributes) provides user-based policy that the WLC applies once, at initial authentication.
    - Dynamic policy: Cisco Identity Services Engine (ISE) adds device profiling and can assign user-based policy at initial authentication and change it during a session using CoA (Change of Authorization).
  • Cisco User-Based Policy Solution with ACS
    User-specific attributes returned by ACS* (static policy), enforced by the WLC:
    - Employees: Employee VLAN, Gold QoS
    - Contractors: Contractor VLAN, no QoS, restrictive ACL
    * This could also be any RADIUS server that supports VSAs.
  • Cisco ACS User Policy Steps
    - Phase 1, user authentication: EAP exchange between the client and ACS through the WLC
    - Phase 2, user policy: ACS decides whether the user gets allowed or limited access and returns the matching attributes, e.g. QoS Silver, ACL Allow-All and VLAN Employee for allowed access
  • Cisco Controller User-Based Policy Attributes
    Network access
    - "Airespace-Interface-Name": sets the controller interface (and so the VLAN) to which the client is connected.
    Network restrictions
    - "Airespace-ACL-Name": sets the Access Control List used to filter traffic to/from the client.
    Quality of service
    - "Airespace-QOS-Level": sets the maximum QoS queue level available for use by the client (Bronze, Silver, Gold or Platinum).
    - "Airespace-802.1p-Tag" and/or "Airespace-DSCP-Tag": sets the maximum QoS tagging level available for use by the client.
    The WLAN must have AAA Override enabled for the controller to apply these attributes; otherwise the WLAN's own interface, ACL and QoS settings win.
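    The attributes above travel in the RADIUS Access-Accept as Vendor-Specific attributes (type 26). The following is an added example, not code from the presentation or from Cisco, showing how the employee and contractor policies of the ACS slides are encoded on the wire and parsed back. Assumptions, labelled in the code: the vendor ID 14179 and the vendor-type numbers are taken from the FreeRADIUS dictionary.airespace and should be checked against your own RADIUS server's dictionary; the interface and ACL names are made up.

```python
"""Encode and decode the Airespace RADIUS VSAs that carry per-user interface,
ACL and QoS policy to a Cisco WLC. Added example, not Cisco's code.

Assumptions: vendor ID 14179 and the vendor-type numbers below are per the
FreeRADIUS dictionary.airespace (verify against your server's dictionary);
interface and ACL names are hypothetical.
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26          # RFC 2865 attribute type
AIRESPACE_VENDOR_ID = 14179          # assumed: Cisco Airespace enterprise number

# name -> (vendor-type, encoding); assumed per FreeRADIUS dictionary.airespace
VSA = {
    "Airespace-QOS-Level":      (2, "integer"),
    "Airespace-DSCP-Tag":       (3, "integer"),
    "Airespace-802.1p-Tag":     (4, "integer"),
    "Airespace-Interface-Name": (5, "string"),
    "Airespace-ACL-Name":       (6, "string"),
}
NAME_BY_TYPE = {num: (name, kind) for name, (num, kind) in VSA.items()}

# Airespace-QOS-Level values (assumed per the same dictionary)
QOS_LEVEL = {"Silver": 0, "Gold": 1, "Platinum": 2, "Bronze": 3}


def encode_vsa(name, value):
    """One RADIUS Vendor-Specific attribute holding a single Airespace sub-attribute.
    Wire layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    vtype, kind = VSA[name]
    payload = struct.pack("!I", value) if kind == "integer" else value.encode("utf-8")
    sub = struct.pack("!BB", vtype, 2 + len(payload)) + payload
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute length is limited to 255 bytes")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk a RADIUS attribute list (bytes) and return {name: value} for the
    Airespace VSAs it contains. Other attributes and other vendors are skipped;
    malformed lengths raise instead of being partially accepted."""
    found = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor == AIRESPACE_VENDOR_ID:
                j, end = i + 6, i + alen
                while j < end:
                    if j + 2 > end:
                        raise ValueError("truncated sub-attribute")
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("bad sub-attribute length")
                    raw = attrs[j + 2:j + vlen]
                    if vtype in NAME_BY_TYPE:
                        name, kind = NAME_BY_TYPE[vtype]
                        if kind == "integer":
                            if len(raw) != 4:
                                raise ValueError(f"{name}: integer must be 4 bytes")
                            found[name] = struct.unpack("!I", raw)[0]
                        else:
                            found[name] = raw.decode("utf-8")
                    j += vlen
        i += alen
    return found


def policy_attributes(role):
    """Static per-role policy as on the ACS slides: employees get the employee
    interface and Gold QoS; contractors get their own interface and a restrictive
    ACL with no QoS override. Interface and ACL names are hypothetical."""
    if role == "employee":
        return [("Airespace-Interface-Name", "employee"),
                ("Airespace-QOS-Level", QOS_LEVEL["Gold"])]
    if role == "contractor":
        return [("Airespace-Interface-Name", "contractor"),
                ("Airespace-ACL-Name", "contractor-restrict")]
    return []   # unknown role: send no override, the WLAN's defaults apply


def access_accept_attrs(role):
    """The attribute bytes a RADIUS server would place in the Access-Accept."""
    return b"".join(encode_vsa(name, value) for name, value in policy_attributes(role))


if __name__ == "__main__":
    for role in ("employee", "contractor"):
        raw = access_accept_attrs(role)
        print(role, raw.hex(), decode_vsas(raw))
```

    Note the length checks in decode_vsas: a RADIUS parser that trusts the length bytes in a sub-attribute is a classic over-read, and the controller-side behaviour for an unknown interface name is a silent fall back to the WLAN's default interface, so test the decoded names against what actually exists on the WLC.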
  • Cisco Wireless LAN Controller ACLs
    - ACLs provide L3-L4 policy and can be applied per interface or per user.
    - Rule direction is relative to the wireless client: inbound rules match traffic from the client towards the wired LAN, outbound rules match traffic towards the client.
    - Cisco 5508 and WiSM2 implement line-rate ACLs.
    - Up to 64 rules can be configured per ACL.
    - There is an implicit deny-all at the end of every ACL, so an applied ACL must explicitly permit everything the client legitimately needs.
  • Endpoint Access Challenges
    IT is struggling with:
    - Classifying managed vs. unmanaged endpoints
    - Identifying devices that cannot authenticate
    - Associating users with devices (attribute X, location, device, time, user)
    But there are barriers:
    - Multiple access mediums
    - Endpoint certainty
    - No automated way to discover new endpoints (PC and non-PC devices)
  • Endpoint Profiling Solution: Cisco Identity Services Engine (ISE)
    New ground-up solution:
    - Multiple sensors for rich profiling
    - Complete visibility and tracking
    - Holistic (wired + wireless)
    - Integrated authentication and authorization on attributes such as location, device, time and user
    - Other services (Guest, Posture, Device Registration)
    - Flexible deployment
  • Integrated, Enhanced Device Profiling with Cisco Identity Services Engine
    - Visibility for wired and wireless devices (e.g. an "iPad Template")
    - Simplified "Device Category" policy
    - Create your own device templates ("Custom Template")
  • Powerful Policy Deployments with ISE
    - Consolidated services and software packages: the ACS, NAC Manager, NAC Server, NAC Profiler and NAC Guest functions in one ISE, simplifying deployment and administration
    - Session directory: tracks active users and devices (user ID, device and IP/MAC, location, access rights)
    - Flexible service deployment: an all-in-one HA pair, or distributed PDPs with an admin console and an M&T (monitoring and troubleshooting) node, to optimize where services run
    - Policy extensibility: link in policy information points and keep the existing logical design
    - System-wide monitoring and troubleshooting: consolidated data, 3-click drill-in
    - Security group access with SGTs, e.g. Staff: permit Public, permit Private; Guest: permit Public, deny Private
  • Cisco's User-Based Policy Solution with ISE
    User- and device-specific attributes from ISE (device profiling, dynamic policy), enforced by the WLC:
    - Employees: Employee VLAN, Gold QoS
    - Employee mobiles: Employee VLAN, Gold QoS, restrictive ACL
    - Contractors: Contractor VLAN, no QoS, restrictive ACL
    - Contractor mobiles: no access
    With ISE, Cisco wireless can support multiple user and device types on a single SSID.
  • Cisco ISE Device Profiling and Policy Steps
    - Phase 1, device authentication: EAP
    - Phase 2, device identification: ISE profiles the endpoint from MAC, DHCP, DNS and HTTP attributes
    - Phase 3, device policy: allowed device? e.g. QoS Silver, ACL Allow-All and VLAN Employee for allowed access; limited access otherwise
  • ISE Device Profiling Capabilities
    - Multiple rules combine to establish a confidence level; a minimum confidence is required for a match
    - Profiles cover smart phones, gaming consoles, workstations and more
  • ISE Device Profiling Example: iPad
    - Is the MAC address (OUI) from Apple?
    - Does the hostname contain "iPad"?
    - Is the web browser (HTTP User-Agent) Safari on an iPad?
    Once the device is profiled, the result is stored within ISE for future associations.
    All three attributes are supplied by the client and can be spoofed, so a profile identifies a device type; it does not authenticate the device. Use it to pick a policy, not as the sole gate to sensitive networks.
  • Cisco ISE Provides Policy for Wired and Wireless LANs
    - ISE: central point of policy for wired and wireless users and endpoints
    - NCS: centralized monitoring of wired and wireless networking, users and endpoints
    Unified wired and wireless policy (ISE) and management (NCS).
  • Client Type and Policy Visibility with NCS and ISE Integration
    NCS shows, per client: the device identity from ISE integration, the AAA override parameters applied to the client, and policy information including posture.
  • NCS Provides Cross-Linking to ISE Reports on Profiling
  • Rogue Management, Attack Detection and Threat Mitigation (section)
  • WLAN Security Vulnerabilities and Threats
    On-wire attacks
    - Ad-hoc wireless bridge: client-to-client backdoor access
    - Rogue access points: backdoor network access
    Over-the-air attacks
    - Evil twin/honeypot AP: connection to a malicious AP
    - Reconnaissance: seeking network vulnerabilities
    - Denial of service: service disruption
    - Cracking tools: sniffing and eavesdropping
    - Non-802.11 attacks (Bluetooth, microwave, RF jammers, radar): backdoor access and service disruption
  • Cisco Rogue Management Diagram: Multiple Methods
    - RRM scanning by authorized APs detects rogue APs over the air
    - RLDP tests whether a rogue is attached to the wired network
    - A rogue detector AP listens on the wired distribution layer
    - Switchport tracing from the Wireless Control System (WCS) locates the rogue's switch port through the core, distribution and access switches
  • Listening for Rogues (Detect)
    Two different AP modes for RRM scanning:
    Local mode access points
    - Serve clients, with time-sliced off-channel scanning
    - Listen for 50 ms on each channel
    - Configurable to scan: all channels; country channels (default); DCA channels
    Monitor mode access points
    - Dedicated to scanning
    - Listen for 1.2 s on each channel
    - Scan all channels
    Rogue detection mechanism
    - Any AP not broadcasting the same RF group name, or not part of the same mobility group, is considered a rogue
    - Automatic whitelisting for autonomous APs managed by WCS
  • RRM Channel Scanning (Detect): Local Mode AP
    AP on channel 1, 802.11b/g/n, US country channels: every ~16 s a new channel is scanned for 50 ms and the AP returns to channel 1 (1, 2, 1, 3, 1, 4, ...); 180 s / 11 channels = ~16 s.
    AP on channel 36, 802.11a/n, US country channels (without UNII-2 Extended): every ~14.5 s a new channel is scanned for 50 ms (36, 40, 36, 44, 36, 48, ... 36, 149, ...); about 180 s / 12 channels.
    Consequence: a local mode AP listens on any given foreign channel for only 50 ms per ~180 s cycle, so a rogue on a non-country channel is never seen with the default channel set, and one that beacons briefly can take several cycles to show up.
  • RRM Channel Scanning (Detect): Monitor Mode AP
    802.11b/g/n, all channels: the AP dwells 1.2 s on each channel in turn (1, 2, 3, ... 14). Within the 180 s channel scan duration each channel gets (180 s / 1.2 s) / 14 channels = ~10.7 dwells, i.e. about 12.9 s of listening per channel.
    802.11a/n, all channels: 1.2 s per channel (36, 40, 44, ... 140, ...). Each channel gets (180 s / 1.2 s) / 22 channels = ~6.8 dwells, about 8.2 s per channel per 180 s.
  • 802.11n Rogue Detection (Detect)
    802.11n mixed mode
    - Detectable by 11a/g devices
    - The most common mode of 11n access points
    - Facilitates backwards compatibility with 802.11a/g clients by using 11a/g modulation for management and control frames
    802.11n greenfield mode
    - Only detectable by 802.11n devices
    - Management, control and data frames are all sent using 11n modulation schemes, so a pre-11n monitoring AP will not see the rogue at all
  • Rogue Classification Rules (Classify): Concept
    Classification is based on threat severity and mitigation action, with rules tailored to the customer's risk model.
    Lower severity -> higher severity:
    - Off-network -> On-network
    - Secured -> Open
    - Foreign SSID -> Our SSID
    - Weak RSSI -> Strong RSSI
    - Distant location -> On-site location
    - No clients -> Attracts clients
  • Rogue Classification Rules (Classify): Examples
    - Rule: SSID tmobile, RSSI -80 dBm -> marked as Friendly
    - Rule: SSID Corporate, RSSI -70 dBm -> marked as Malicious
    - Rogues matching no rule -> marked as Unclassified
    Rules are stored and executed on the Wireless LAN Controller.
  • Rogue Classification Rules (Classify): Configuration
    Rules are sorted by priority and evaluated in that order; the first rule whose conditions all hold sets the class. Put the rules that mark rogues Malicious (on our network, using our SSID) above any Friendly rule: a broad Friendly rule placed first can mask a real on-wire rogue that happens to match its SSID.
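    A small rule engine of the kind described on the three classification slides, as an added example (not code from the presentation or the WLC's own implementation): rules are ordered by priority, every condition of a rule must hold, the first match sets the class, and no match leaves the rogue Unclassified. The rule set, the condition names and the rogue records are constructed for illustration; the two rules from the examples slide are included, plus an on-wire rule placed at the top to show why ordering matters.

```python
"""Rogue classification rules: priority-ordered, all conditions must hold,
first match wins, otherwise Unclassified. Added example; the rule set and
rogue records are constructed and the condition names are my own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int            # strongest RSSI at which any of our APs heard it
    open: bool               # advertises no encryption
    on_network: bool         # confirmed on the wire by RLDP, rogue detector or SPT
    client_count: int = 0


@dataclass
class Rule:
    name: str
    classify_as: str                              # "Friendly" or "Malicious"
    priority: int                                 # lower number = evaluated first
    ssids: Set[str] = field(default_factory=set)  # empty = any SSID
    min_rssi_dbm: Optional[int] = None            # matches only if heard at/above this
    require_open: bool = False
    require_on_network: bool = False
    min_clients: int = 0

    def matches(self, r: Rogue) -> bool:
        if self.ssids and r.ssid not in self.ssids:
            return False
        if self.min_rssi_dbm is not None and r.rssi_dbm < self.min_rssi_dbm:
            return False
        if self.require_open and not r.open:
            return False
        if self.require_on_network and not r.on_network:
            return False
        return r.client_count >= self.min_clients


def classify(rogue: Rogue, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return (class, name of the rule that fired); (Unclassified, None) if none did."""
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.matches(rogue):
            return rule.classify_as, rule.name
    return "Unclassified", None


def classify_all(rogues: List[Rogue], rules: List[Rule]) -> Dict[str, Tuple[str, Optional[str]]]:
    return {r.bssid: classify(r, rules) for r in rogues}


# Constructed rule set: the two slide examples, an open-AP-with-clients rule,
# and an on-wire rule at the highest priority so a rogue that is on our network
# is never masked by a Friendly rule that merely matches its SSID.
RULES = [
    Rule("on-our-wire", "Malicious", priority=1, require_on_network=True),
    Rule("our-ssid-strong", "Malicious", priority=2, ssids={"Corporate"}, min_rssi_dbm=-70),
    Rule("open-with-clients", "Malicious", priority=3, require_open=True, min_clients=3),
    Rule("carrier-hotspot", "Friendly", priority=10, ssids={"tmobile"}, min_rssi_dbm=-80),
]

# Constructed rogue records (locally administered MACs, not real devices).
SAMPLE = [
    Rogue("02:00:00:00:00:01", "tmobile", -75, open=False, on_network=False),
    Rogue("02:00:00:00:00:02", "Corporate", -65, open=False, on_network=False, client_count=2),
    Rogue("02:00:00:00:00:03", "Corporate", -85, open=False, on_network=False),
    Rogue("02:00:00:00:00:04", "tmobile", -60, open=True, on_network=True),
    Rogue("02:00:00:00:00:05", "freewifi", -55, open=True, on_network=False, client_count=5),
    Rogue("02:00:00:00:00:06", "homenet", -88, open=False, on_network=False),
]

if __name__ == "__main__":
    for bssid, (cls, rule) in classify_all(SAMPLE, RULES).items():
        print(f"{bssid}  {cls:<12} {rule or '-'}")
```

    The fourth record is the case to watch: it broadcasts the neighbour's SSID but has been confirmed on the wire. With the on-wire rule first it is Malicious; move the Friendly rule to the top and the same rogue is quietly whitelisted.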
  • WCS Security Dashboard (Classify)
    Shows controller IDS and Adaptive wIPS alarms, the security index, and rogues by category.
  • Rogue Detector AP Mode (Classify): Concept
    - A rogue detector AP is connected to the L2 switched network over a trunk port and listens on the wire
    - It detects the ARPs of all rogue clients and access points
    - The controller queries the rogue detector to determine whether rogue clients seen over the air are on the wired network
    - Does not work with NAT APs (behind NAT the rogue's clients never appear on the wire with their own MAC addresses)
  • Rogue Detector AP Mode (Classify): Example Deployment Scenario
    One rogue detector per floor (Floor 1, Floor 2, Floor 3).
    - Install one rogue detector at each Layer 3 boundary.
    - Put more simply: ensure all VLANs are monitored by a rogue detector, since ARP does not cross a router.
  • Rogue Detector AP Mode (Classify): Operation
    The WCS alarm changes from Minor to Critical: "Security Alert: Rogue with MAC Address 00:09:5b:9c:87:68 has been detected on the wired network". On the WLC, the rogue AP 0009.5b9c.8768 and its client 0021.4458.6652 are correlated with what the detector heard on the wire:
      > debug capwap rm rogue detector
      ROGUE_DET: Found a match for rogue entry 0021.4458.6652
      ROGUE_DET: Sending notification to switch
      ROGUE_DET: Sent rogue 0021.4458.6652 found on net msg
  • Rogue Detector AP Mode (Classify): Configuration
    On the WLC, set the AP mode to Rogue Detector; all radios become disabled in this mode. The switch port facing the AP is a trunk so the detector sees every VLAN:
      interface GigabitEthernet1/0/5
       description Rogue Detector
       switchport trunk encapsulation dot1q
       switchport trunk native vlan 113
       switchport mode trunk
       spanning-tree portfast trunk
    Note: plain "spanning-tree portfast" only takes effect on non-trunking ports; on a trunk the IOS keyword is "spanning-tree portfast trunk".
  • Rogue Location Discovery Protocol (Classify): Concept
    RLDP: a managed AP connects to the rogue AP as a client, obtains an address, and sends a packet to the controller's IP address through the rogue. If the packet arrives at the controller, the rogue is on the routed/switched network.
    - Only works with open rogue access points
  • Rogue Location Discovery Protocol (Classify): Operation
    The WCS alarm changes from Minor to Critical: "Security Alert: Rogue with MAC Address 00:13:5f:fa:27:c0 has been detected on the wired network".
      > debug dot11 rldp
      Successfully associated with rogue: 00:13:5f:fa:27:c0
      Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
      RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0
      Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
      Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
      Received 32 byte ARLDP message from: 172.20.226.253:52142
    On the AP, the radio is taken away from clients for the duration of the test:
      %LWAPP-5-RLDP: RLDP started on slot 0.
      %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
      %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
      %LWAPP-5-RLDP: RLDP stopped on slot 0.
    The lease the rogue handed out (172.20.226.253/26, an internal range) and the controller's receipt of the ARLDP message from that address together prove the rogue bridges into the internal network.
  • Rogue Location Discovery Protocol (Classify): Automatic Operation
    Two automatic modes of operation:
    - AllAPs: uses both local and monitor mode APs
    - MonitorModeAPs: uses only monitor mode APs
    Recommended: MonitorModeAPs. RLDP resets the radio to associate with the rogue, so on a client-serving AP it interrupts service.
  • Switchport Tracing (Classify): Concept
    WCS switchport tracing (SPT):
    1. Identifies the CDP neighbors of the APs detecting the rogue (show cdp neighbors)
    2. Queries those switches' CAM tables for the rogue's MAC
    3. Reports the port where a match is found
    SPT matches on: rogue client MAC address; rogue vendor OUI; rogue MAC +1/-1; rogue MAC address.
    Works for rogues with security and NAT, because it looks for the rogue's own wired MAC rather than for its clients.
  • WCS Switchport Tracing (Classify): Operation (cont.)
    The result lists the match type and the number of MACs found on the port, with an option to shut the port. Treat an OUI or +1/-1 match as a lead, not proof, and do not shut a port that carries many MACs: it is probably an uplink or another switch, and shutting it takes out everything behind it.
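    Both the rogue detector AP (ARP) and switchport tracing (CAM tables) come down to one operation: correlate addresses heard over the air with addresses learned on the wire, in the order of evidence strength the SPT slide lists (client MAC, exact BSSID, BSSID +/-1, vendor OUI). The following is an added example of that correlation, not Cisco's implementation; the wired table is constructed sample data (it reuses the MACs from the debug output above plus made-up ones) and the port names are hypothetical. It also encodes the "many MACs on the port" check from the operation slide.

```python
"""Correlate MACs heard over the air with MACs learned on the wire (ARP from a
rogue detector AP, or CAM tables from switchport tracing). Added example, not
Cisco's code; WIRED is constructed sample data and ports are hypothetical."""
import re
from collections import Counter

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Accept 00:09:5b:9c:87:68, 00-09-5B-9C-87-68 or Cisco's 0009.5b9c.8768
    and return 12 lowercase hex digits; anything else raises ValueError."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_offset(mac: str, delta: int) -> str:
    """The MAC numerically offset by delta, wrapped to 48 bits."""
    n = (int(normalize_mac(mac), 16) + delta) & 0xFFFFFFFFFFFF
    return f"{n:012x}"


# Match types, strongest evidence first.
RANK = {"client": 0, "exact": 1, "adjacent": 2, "oui": 3}


def wired_matches(rogue_bssid, rogue_clients, wired_table):
    """wired_table maps wired MAC -> switch port (from ARP or CAM).
    Returns (match_type, wired_mac, port) tuples, strongest first:
      client   a wireless client of the rogue also seen on the wire: the rogue bridges
      exact    the rogue's BSSID itself on the wire
      adjacent BSSID +/-1: many APs use adjacent MACs for radio and Ethernet
      oui      same vendor OUI only: weak, vendors are shared by many devices
    """
    wired = {normalize_mac(m): p for m, p in wired_table.items()}
    bssid = normalize_mac(rogue_bssid)
    neighbours = {mac_offset(bssid, 1), mac_offset(bssid, -1)}
    hits = []
    for c in rogue_clients:
        c = normalize_mac(c)
        if c in wired:
            hits.append(("client", c, wired[c]))
    if bssid in wired:
        hits.append(("exact", bssid, wired[bssid]))
    for adj in sorted(neighbours):
        if adj in wired:
            hits.append(("adjacent", adj, wired[adj]))
    for m, p in wired.items():
        if m[:6] == bssid[:6] and m != bssid and m not in neighbours:
            hits.append(("oui", m, p))
    return sorted(hits, key=lambda h: (RANK[h[0]], h[1]))


def safe_to_shut(port, wired_table, max_macs=2):
    """Refuse to shut a port carrying more than max_macs addresses: that is an
    uplink, a switch or a hub, and shutting it takes everything behind it down."""
    counts = Counter(wired_table.values())
    return counts[port] <= max_macs


# Constructed sample data (MACs from the slide's debug output plus made-up ones).
WIRED = {
    "0009.5b9c.8768": "Gi1/0/12",     # rogue AP's Ethernet side, +1 from its BSSID
    "0021.4458.6652": "Gi1/0/12",     # a client of the rogue, bridged onto the wire
    "00:09:5b:11:22:33": "Gi1/0/20",  # unrelated device sharing the OUI
    "00:1f:9e:9b:29:80": "Gi1/0/1",   # uplink with several addresses behind it
    "00:1f:9e:9b:29:81": "Gi1/0/1",
    "00:1f:9e:9b:29:82": "Gi1/0/1",
}
ROGUE_BSSID = "00:09:5b:9c:87:67"
ROGUE_CLIENTS = ["00:21:44:58:66:52", "00:21:44:58:66:53"]

if __name__ == "__main__":
    for kind, mac, port in wired_matches(ROGUE_BSSID, ROGUE_CLIENTS, WIRED):
        print(f"{kind:<8} {mac}  {port}  shut-ok={safe_to_shut(port, WIRED)}")
```

    The MAC normalizer matters more than it looks: the controller prints dotted Cisco notation while switches, WCS and most scanners print colon-separated, and a correlation that silently misses on format is a false negative you will never see.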
  • Rogue Location (Mitigate): On-Demand with WCS
    - Allows an individual rogue AP to be located on demand
    - Keeps no historical record of rogue location
    - Does not locate rogue clients
  • Rogue Location (Mitigate): In Real Time with WCS and MSE Context-Aware
    - Tracks multiple rogues in real time (up to MSE limits)
    - Can track and store rogue location historically
    - Provides location of rogue clients
    - Provides location of rogue ad-hoc networks
  • Rogue Containment (Mitigate): Concept
    - Rogue AP containment sends de-authentication (or disassociation) frames, spoofed from the rogue's BSSID, to the client and the AP
    - Can use local, monitor mode or H-REAP APs
    - Impacts client performance on local/H-REAP APs
    - A temporary measure until the rogue can be tracked down
  • Rogue Containment (Mitigate): Local Mode APs
    - Sends broadcast and unicast deauth frames
    - A local mode AP can contain 3 rogues per radio
    - Containment packets sent every 500 ms
  • Rogue Containment (Mitigate): Monitor Mode APs
    - Sends unicast deauth and unicast disassociation frames
    - A monitor mode AP can contain 6 rogues per radio
    - Containment packets sent every 100 ms
  • Rogue Containment (Mitigate): Auto-Containment Configuration
    - The WLC can be set to use only monitor mode APs for containment, to prevent impact to clients
    - Use auto-containment to nullify the most alarming threats (for example a rogue confirmed on the wire, or one advertising your SSID)
    - Containment can have legal consequences when used improperly: a neighbor's AP or a personal hotspot that is not on your network is someone else's lawful radio, and sending deauth frames at it is interference, not defense
  • Cisco's Attack Detection Mechanisms
    - Base IDS: built into the controller; uses local and monitor mode APs
    - Adaptive wIPS: requires MSE software; uses wIPS monitor mode APs and/or local APs (ELM)
  • Adaptive wIPS Components and Functions
    - AP: attack detection, 24x7 scanning, over-the-air detection
    - WLC: configuration, wIPS AP management
    - MSE: alarm archival, capture storage, complex attack analysis, forensics, events
    - WCS/NCS: centralized monitoring, historic reporting
  • Cisco Adaptive wIPS with Dedicated Monitor Mode APs
    Adaptive wIPS monitor mode is available for 1130/1240, 1040/1140/1250, 1260 and 3500 access points.
  • Adaptive wIPS Monitor Mode Deployment Recommendations
    - Monitor-mode wIPS APs do not serve clients and so have greater range: they only need to hear frames, not sustain a usable two-way link
    - A client-serving AP typically covers 3,000-5,000 square feet
    - A wIPS AP typically covers 15,000-35,000 square feet
    - The ratio of wIPS monitor-mode APs to local-mode traffic APs varies by network design, but 1:5 is a reasonable estimate
    - wIPS APs can simultaneously run context-aware location in monitor mode
  • Cisco Adaptive wIPS with Enhanced Local Mode (ELM)
    - Adaptive wIPS scanning in data-serving access points, including H-REAP mode APs
    - Provides protection without needing a separate overlay network
    - ELM-supported APs: 1040, 1140, 1250, 1260 and 3500
    - Without ELM: separate data-serving and wIPS monitor mode APs; with ELM: a single AP serves data and runs wIPS
    - Can reduce capital investment by more than 50%, at the cost of some detection coverage compared with a dedicated monitor radio (see the Base IDS vs. Adaptive wIPS comparison)
  • Mobility Services Engine Support for Cisco Motion Services
    3310 Mobility Services Engine
    - Supports Adaptive wIPS for up to 2,000 monitor mode APs
    - Supports Context Aware for up to 2,000 tracked devices
    3355 Mobility Services Engine
    - Supports Adaptive wIPS for up to 3,000 monitor mode APs
    - Supports Context Aware for up to 18,000 tracked devices
    Notes
    - Services can co-exist on the same MSE, but per-service maximums decrease; for example, the MSE 3310 can handle 1,000 wIPS APs + 1,000 context-tracked items
    - Mobility services may have different WLC/WCS software requirements
    - Adaptive wIPS is licensed on a per-AP basis (monitor mode and ELM APs count the same)
  • Comparison Between Base IDS and Adaptive wIPS
                                       Base IDS            Adaptive wIPS
                                       Local    Monitor    ELM      Monitor
    Client service                     Yes      No         Yes      No
    Rogue detection and containment    Yes      Yes        Yes      Yes
    Attacks detected                   17       17         39       45
    Attack encyclopedia                No       No         Yes      Yes
    Forensics                          No       No         Yes      Yes
    Anomaly detection                  No       No         Yes      Yes
    MSE required                       No       No         Yes      Yes
    WCS required                       No       No         Yes      Yes
  • Management Frame Protection: Concept
    Problem
    - Wireless management frames are not authenticated, encrypted or signed
    - A common vector for exploits (forged deauthentication and disassociation floods, spoofed beacons and probe responses)
    Solution
    - Insert a signature (Message Integrity Code, MIC) into the management frames
    - Clients and APs use the MIC to validate the authenticity of a management frame
    - APs can instantly identify rogue or exploited management frames
    Frame types covered: beacons, probe requests/probe responses, associations/re-associations, disassociations, authentications/de-authentications, action management frames.
    - Infrastructure MFP protects the frames APs send; other Cisco APs validate them and report forgeries. It does not make a client reject a forged deauth aimed at it.
    - Client MFP (requires CCXv5 clients) protects the management frames between a client and its AP, so the client itself discards forgeries. The IEEE equivalent for non-CCX clients is 802.11w Protected Management Frames.
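    To make the problem/solution pair concrete, the following is an added example, not code from the presentation and not Cisco's MFP: a keyed Message Integrity Code plus a per-sender sequence counter over a simplified management frame, so a receiver that shares the key rejects forged and replayed deauthentication frames while a legacy receiver acts on them. It uses HMAC-SHA256 over a made-up frame layout for clarity; the real MFP wire format, key hierarchy and algorithm differ, and the key here is a constructed demo value.

```python
"""What a MIC on management frames buys you, in miniature: forged and replayed
deauths are rejected by a receiver that shares the key, accepted by a legacy one.
Added example; HMAC-SHA256 over a simplified layout, NOT Cisco's MFP format."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

SUBTYPE_DEAUTH = 0x0C      # 802.11 management frame subtype: deauthentication
SUBTYPE_DISASSOC = 0x0A    # disassociation
HDR = struct.Struct("!B6s6sH")   # subtype, source addr, dest addr, sequence (simplified)
MIC_LEN = 16


def _mac(s: str) -> bytes:
    b = bytes.fromhex(s.replace(":", ""))
    if len(b) != 6:
        raise ValueError(f"bad MAC {s!r}")
    return b


def build_mgmt(subtype: int, src: str, dst: str, seq: int, reason: int = 7) -> bytes:
    """An unprotected management frame: header plus a 2-byte reason code.
    Anyone can emit this with any source address; that is the problem slide."""
    return HDR.pack(subtype, _mac(src), _mac(dst), seq) + struct.pack("!H", reason)


def compute_mic(key: bytes, frame: bytes) -> bytes:
    return hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]


def protect(frame: bytes, key: bytes) -> bytes:
    """What a protected sender appends: a MIC over the whole frame."""
    return frame + compute_mic(key, frame)


class Receiver:
    """key=None models a legacy (pre-MFP) receiver that acts on any deauth."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key
        self.last_seq: Dict[bytes, int] = {}

    def accept(self, frame: bytes) -> str:
        if self.key is None:
            return "accept"
        if len(frame) < HDR.size + 2 + MIC_LEN:
            return "reject: no MIC"
        body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
        # constant-time compare so the MIC cannot be guessed byte by byte via timing
        if not hmac.compare_digest(mic, compute_mic(self.key, body)):
            return "reject: bad MIC"
        _subtype, src, _dst, seq = HDR.unpack_from(body)
        # replay protection: the sequence must strictly increase per source address
        if seq <= self.last_seq.get(src, -1):
            return "reject: replay"
        self.last_seq[src] = seq
        return "accept"


def demo() -> Tuple[str, str, str, str, str]:
    """Verdicts for: legacy receiver on a forged deauth; protected receiver on a
    genuine deauth, on its replay, on a forgery with no MIC, and on a forgery
    carrying a MIC made with the wrong key."""
    key = hashlib.sha256(b"constructed demo key, not a real key").digest()
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    genuine = protect(build_mgmt(SUBTYPE_DEAUTH, ap, client, seq=1), key)
    forged = build_mgmt(SUBTYPE_DEAUTH, ap, client, seq=2)      # spoofed AP address
    forged_wrong_key = protect(forged, b"attacker-guess")
    legacy, mfp = Receiver(None), Receiver(key)
    return (legacy.accept(forged), mfp.accept(genuine), mfp.accept(genuine),
            mfp.accept(forged), mfp.accept(forged_wrong_key))


if __name__ == "__main__":
    print(demo())
```

    The two checks map onto the two MFP modes: with infrastructure MFP the validating party is another AP, so a forged deauth is reported but the targeted client still disconnects; with client MFP the client holds the key and is the one returning "reject".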
  • Cisco Wired IPS Integration: Unified Intrusion Prevention
    Business challenge: mitigate network misuse, hacking and malware from WLAN clients.
    - Cisco ASA with IPS inspects wireless client traffic flows for harmful applications (Layer 3-7 deep packet inspection) and can shun the offending wireless client, blocking its connection at the controller
    - Reduces the risk of contamination of the intranet from wireless clients
    - Response to viruses, malware and suspect signatures as soon as a signature is available
    Configuration example: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml
  • WLAN Security Vulnerabilities and Threats: How They Are Addressed
    - Management frame exploits, such as man-in-the-middle attacks: MFP neutralizes these
    - Rogue access points and ad-hoc wireless bridges (backdoor network access): rogue detection, classification and mitigation address these
    - Reconnaissance and cracking attacks (sniffing and eavesdropping): WPA2/802.11i neutralizes these
    - Over-the-air attacks such as evil twin/honeypot APs and denial of service: wIPS detects these
    - Non-802.11 attacks (Bluetooth, microwave, RF jammers, radar): not covered by the above
  • Interference Also Presents a Security Concern
    Throughput reduction by interference type
    Interference type      Near (25 ft)   Far (75 ft)
    Jammer                 100%           100%
    Video camera           100%           57%
    Wi-Fi                  90%            75%
    Microwave oven         63%            53%
    Bluetooth headset      20%            17%
    DECT phone             18%            10%
    End user impact: reduced network capacity and coverage; poor quality voice and video; potential denial of service (busy neighbor).
    IT manager impact: potential security breaches; support calls; increased cost of operation.
  • CleanAir Is Purpose Built to Deal with Interference Issues
    Detect and classify
    - Uniquely identify and track multiple interferers
    - Detect security-risk interferers like RF jammers and video cameras
    - Assess each interferer's unique impact on Wi-Fi performance
    - Monitor AirQuality (a per-AP score shown on the diagram)
    High-resolution interference detection and classification logic is built into Cisco's 802.11n Wi-Fi CleanAir chip design; inline operation with no CPU or performance impact.
  • WLAN Security Vulnerabilities and Threats: Complete Picture
    As on the earlier mapping slide (MFP for management frame exploits, rogue detection/classification/mitigation for rogue APs and ad-hoc bridges, WPA2/802.11i for reconnaissance and cracking, wIPS for over-the-air attacks such as denial of service), plus: Cisco CleanAir detects the non-802.11 attacks (Bluetooth, microwave, RF jammers, radar).
  • Complete Your Online Session Evaluation
    Receive 25 Cisco Preferred Access points for each session evaluation you complete; winners are notified by email after July 22nd. Complete the evaluation online or at an Internet station in the Convention Center, and activate your Cisco Live and Networkers Virtual account at www.ciscolivevirtual.com for access to all session materials.
  • Thank you.