Skyjacking A Cisco WLAN - What it means and how to protect against it?

A flaw in the Cisco WLAN operation was announced in late Aug 2009 that allows a hacker to "skyjack" or take control of a Cisco lightweight access point. The vulnerability is rooted in the over-the-air-provisioning (OTAP) feature used by Cisco lightweight access points to discover and connect to a Cisco WLAN controller.

This webinar presentation will deconstruct the skyjacking vulnerability: why the vulnerability occurs in Cisco WLANs, which Cisco access points are affected, how skyjacking can be exploited to launch potent attacks, and which best practices proactively protect your enterprise network against such zero-day vulnerabilities and attacks.

Presentation Transcript

  • Webinar held on 02 Sept, 2009. Webinar Press Release URL: http://digg.com/d3130SK
  • In the News: “Cisco wireless LAN vulnerability could open ‘back door’”; “Cisco wireless LANs at risk of attack, ‘skyjacking’”; “Newly discovered vulnerability could threaten Cisco wireless LANs”
  • What Cisco says: Severity = Mild. “No risk of data loss or interception.” “Could allow an attacker to cause a denial of service (DoS) condition.” It’s not a big deal!
  • Hmm… How severe is the exploit? What exactly is skyjacking? Do I need to worry about it?
  • What you will learn today:
    The risk from skyjacking vulnerability is much bigger than stated
    How to assess if you are vulnerable
    Countermeasures for skyjacking and other zero-day attacks
  • Five ways a LAP can discover WLCs: Subnet-level broadcast; Configured; Over-the-air provisioning (OTAP); DNS; DHCP
  • Three criteria a LAP uses to select a WLC: Step 1: Primary, Secondary, Tertiary; Step 2: Master mode; Step 3: Maximum excess capacity
  • Over-the-air provisioning (OTAP)
  • OTAP exploited for “skyjacking”
  • Skyjacked LAP denies service to wireless users
  • Secure WLAN enterprise access (slide label: Before)
    SSID | Security | VLAN | Comment
    Corp | WPA2 | 20 | Internal to corporate network
    AP physically connected to: VLAN 30 (Internal to corporate network)
  • Authorized LAP skyjacked – DoS (slide labels: Before; DoS)
    SSID | Security | VLAN | Comment
    Corp | WPA2 | 20 | Internal to corporate network
    AP physically connected to: VLAN 30 (Internal to corporate network)
  • Authorized LAP turned into Open Rogue AP (slide labels: Before; Rogue on Network)
    SSID | Security | VLAN | Comment
    Corp | OPEN | 30 | Internal to corporate network
    AP physically connected to: VLAN 30 (Internal to corporate network)
  • Camouflaged Rogue LAP: a backdoor to your enterprise network!
  • Wolf in Sheep Clothing (slide labels: Before; Rogue on Network)
    SSID | Security | VLAN | Comment
    Corp | WPA2 | 30 | Internal to corporate network
    AP physically connected to: VLAN 30 (Internal to corporate network)
  • Wolf in Sheep Clothing – Scenario 2 (slide labels: Before; DoS; Rogue on Network)
    SSID | Security | VLAN | Comment
    Corp | WPA2 | 20 | Internal to corporate network
    Guest | OPEN | 30 | Internal to corporate network
    AP physically connected to: VLAN 30 (Internal to corporate network)
  • SpectraGuard® Enterprise WLAN policy set-up (screenshot callouts): Guest WLAN SSID; Allowed Subnet (VLAN) for Guest SSID
  • Normal WLAN operation: Device list displayed on SpectraGuard Enterprise console. Authorized SSIDs are seen in “Green” color and are detected with VLAN identifier to which they connect.
  • Skyjacking on guest access:
    1. Change in the VLAN is detected
    2. SSID marked as “misconfigured” (Background changes to amber)
    3. Automatic Prevention started (Shield icon appears)
  • Summary
    Columns: Type of Skyjacking attack | Only over-air threat detection | AirTight’s unique wireless-wired correlation based threat detection
    Authorized SSID as Open Rogue AP (slide label: Open rogue)
    Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing) (slide label: WPA2 rogue; marked X)
    Guest access as Open rogue (Wolf in Sheep clothing – scenario 2) (slide label: Open guest Rogue AP; marked X)
  • AirTight’s SpectraGuard Enterprise: The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack, thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping™ architecture
  • Which LAPs can be skyjacked?
    Type of Cisco LAP | Vulnerable?
    LAPs using auto discovery | Yes
    Configured with “preferred” WLCs (primary, secondary, tertiary) | Mostly No (?)
    Configured with locally significant certificates (LSC) | No
  • Countermeasures
    Turn off OTAP on WLC | Ineffective!
    Manually configure LAPs with preferred WLCs (primary, secondary, tertiary) | Primarily HA and load balancing feature
    Manually configure LAPs with LSCs | Impractical
    Block outgoing traffic from UDP ports 12222 and 12223 on your firewall | Not a common practice
  • Practical difficulties: Do you know
    If all LAPs are configured with primary, secondary and tertiary WLC?
    If all LAPs are indeed connected to configured WLCs?
    If your outgoing UDP ports on the firewall are blocked? Did you test it today?
    How many VLANs do you have authorized for wireless access?
    Are all SSIDs mapped to the correct VLANs?
    When was the last time your LAPs rebooted?
    When was the last time your WLC was taken down for maintenance?
    If all your APs are compliant with your security policies? How do you know?
  • One mistake and you could be exposed!
  • Adding second, independent layer of WIPS protection (figure labels: Zero-day attacks; Misconfigurations; Undesirable connections; Designed for security; Designed for WLAN access)
  • AirTight’s SpectraGuard product family: Complete Wireless Intrusion Prevention; Industry’s Only Wireless Security Service; Wireless Security for Mobile Users; WLAN Coverage & Security Planning
  • About AirTight Networks: For more information on wireless security risks, best practices, and solutions, visit: http://www.airtightnetworks.com. The Global Leader in Wireless Security and Compliance. Visit our blog to read the root cause analysis of “Skyjacking: What Went Wrong?”: http://blog.airtightnetworks.com
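
The SSID-to-VLAN policy check from the policy set-up, guest-access and Summary slides, as an added example that is not part of the original presentation or of any AirTight product: it runs the slides' scenarios through a check that sees only SSID and security settings and through one that also knows the wired VLAN. The class and function names and the Guest VLAN 40 are assumptions; the Corp values come from the slide tables.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What the administrator authorized for one SSID."""
    security: str
    allowed_vlan: int


@dataclass(frozen=True)
class Observation:
    """What a sensor reports for one authorized AP."""
    ssid: str
    security: str  # as advertised over the air
    vlan: int      # wired-side VLAN the SSID is bridged to


# Corp/WPA2/VLAN 20 is from the slides; Guest VLAN 40 is an assumed value.
POLICY = {"Corp": Policy("WPA2", 20), "Guest": Policy("OPEN", 40)}

# Constructed observations mirroring the slide tables (VLAN 30 is internal).
SCENARIOS = {
    "normal operation": Observation("Corp", "WPA2", 20),
    "open rogue": Observation("Corp", "OPEN", 30),
    "wolf in sheep clothing": Observation("Corp", "WPA2", 30),
    "wolf in sheep clothing, scenario 2": Observation("Guest", "OPEN", 30),
}


def over_air_only(obs, policy=POLICY):
    """Judge by SSID and security settings alone, with no wired-side view."""
    rule = policy.get(obs.ssid)
    if rule is None:
        return "unknown SSID"
    return "ok" if obs.security == rule.security else "misconfigured"


def vlan_policy_check(obs, policy=POLICY):
    """Additionally require the SSID to sit on its authorized VLAN."""
    verdict = over_air_only(obs, policy)
    if verdict == "ok" and obs.vlan != policy[obs.ssid].allowed_vlan:
        return "misconfigured"  # change in the VLAN is detected
    return verdict


def compare():
    """Return {scenario: (over-air verdict, VLAN-policy verdict)}."""
    return {name: (over_air_only(o), vlan_policy_check(o))
            for name, o in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (air, vlan) in compare().items():
        print(f"{name:36} over-air: {air:14} vlan-policy: {vlan}")
```

Both "wolf in sheep clothing" rows pass the over-air check because the SSID and security settings still match policy; only the VLAN comparison separates them from normal operation.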