Professional Documents
Culture Documents
BRKEWN-2021
Cisco Public
Agenda
Security Standards
Strong Encryption
Strong Authentication
User-Policy and
Device Identification
BRKEWN-2021
Cisco Public
Strong Authentication
and Encryption
BRKEWN-2021
Cisco Public
Authentication Evolution
MAC Address
Authentication
BRKEWN-2021
WEP
802.1x /
Dynamic WEP
Cisco Public
WPA/WPA2
WPA/WPA2 Breakdown
WPA
WPA2
Authentication
Mechanisms
BRKEWN-2021
Cisco Public
Client
Authenticator
CAPWAP
BRKEWN-2021
Cisco Public
Tunneling-Based
EAPPEAP
Inner Methods
EAPTTLS
EAP-GTC
EAP-MSCHAPv2
EAP-TLS
EAPFAST
Cisco Public
PEAP
EAP-FAST
Yes
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
Server Certificates
Yes
Yes
No
Client Certificates
Yes
No
No
No
No
Yes
High
Medium
Low
Deployment Complexity
* PACs can be provisioned anonymously for minimal complexity.
BRKEWN-2021
Cisco Public
Client Support
EAP
Type(s)
Deployed
Most clients such as Windows, Mac OSX, Apple iOS devices support
EAP-TLS, PEAP (MS-CHAPv2).
Additional supplicants can add more EAP types (Cisco AnyConnect).
Certain EAP types (TLS) can be more difficult to deploy than others
depending on device type.
BRKEWN-2021
Cisco Public
Encryption Evolution
WEP
TKIP
AES
(RC4)
(CCMP)
BRKEWN-2021
Cisco Public
10
Cisco Public
11
BRKEWN-2021
Cisco Public
12
Dynamic Policy
Device Profiling
ACS
Static Policy
WLC
Cisco ACS (or other RADIUS server which can provide Vendor
Specific Attributes) can provide static user-based policy which is
assigned upon initial authentication.
Cisco Identity Services Engine can provide dynamic user-based
policy which can be assigned upon initial authentication and changed
during a session using CoA (Change of Authorization).
BRKEWN-2021
Cisco Public
13
User
Specific Attributes
Contractors
Contractor VLAN
No QoS
Restrictive ACL
ACS*
Static Policy
Employee
Employee
VLAN
WLC
Employee
ACLs
Contractor
BRKEWN-2021
Contractor
VLAN
Cisco Public
14
Phase 1
User Authentication
Phase 2
User Policy
EAP
ACS
Limited
Access
Allowed
User?
WLC
Allowed
Access
BRKEWN-2021
QoS
Silver
ACL
Allow-All
VLAN
Cisco Public
Employee
15
Network Restrictions
Airespace-ACL-Name
Sets the Access Control List used to filter traffic to/from the client.
Quality of Service
Airespace-QOS-Level
Sets the maximum QoS queue level available for use by the client
(Bronze, Silver, Gold or Platinum).
Airespace-802.1p-Tag and/or Airespace-DSCP-Tag
Sets the maximum QoS tagging level available for use by the client.
BRKEWN-2021
Cisco Public
16
Outbound
ACLs provide L3-L4 policy and can be applied per interface or per
user.
Cisco 5508 and WiSM2 implement line-rate ACLs.
Upto 64 rules can be configured per ACL.
BRKEWN-2021
Cisco Public
17
Endpoint certainty
Attribute X
Time
User
Location
IT is struggling with:
Cisco Public
18
Integrated Authentication,
Authorization
Flexible deployment
Attribute X
Device
Time
Location
User
ISE
BRKEWN-2021
Cisco Public
19
iPad Template
Custom Template
Simplified Device
Category Policy
Cisco Public
Session Directory
Flexible Service
Deployment
ACS
Device (and IP/MAC)
User ID
NAC Manager
NAC Profiler
All-in-One
HA Pair
Admin
Console
M&T
ISE
NAC Server
Distributed PDPs
Location
NAC Guest
Access Rights
Policy Extensibility
Manage Security
Group Access
System-Wide Monitoring
and Troubleshooting
SGT
Public
Private
Staff
Permit
Permit
Guest
Permit
Deny
Cisco Public
ISE
Employees
Device Profiling
Dynamic Policy
Employee VLAN
Gold QoS
Employee Mobiles
Employee VLAN
Gold QoS
Restrictive ACL
Employee
VLAN
Contractors
WLC
Contractor VLAN
No QoS
Restrictive ACL
Contractor
VLAN
Contractor Mobiles
No Access
BRKEWN-2021
Cisco Public
22
EAP
Phase 1
Device Authentication
Phase 2
Device Identification
ISE
Phase 3
Limited
Access
Allowed
Device?
WLC
Allowed
Access
BRKEWN-2021
Device Policy
QoS
Silver
ACL
Allow-All
VLAN
Cisco Public
Employee
23
Minimum
Confidence for a
Match
Multiple
Rules to Establish
Confidence Level
Gaming
Consoles
Workstations
BRKEWN-2021
Cisco Public
24
Apple iPad
BRKEWN-2021
Cisco Public
25
NCS
ISE
Centralized Monitoring
of Wired and Wireless
Networking, Users and
Endpoints
Cisco Public
26
Device Identity
from ISE
Integration
AAA Override
Parameters
Applied to
Client
Policy
Information
Including
Posture
BRKEWN-2021
Cisco Public
27
BRKEWN-2021
Cisco Public
28
BRKEWN-2021
Cisco Public
29
WLAN Security
Vulnerabilities and Threats
On-Wire Attacks
Over-the-Air Attacks
Ad-Hoc Wireless Bridge
Reconnaissance
Evil Twin/Honeypot AP
HACKERS
AP
HACKER
Connection to Malicious AP
Denial of Service
HACKER
Cracking Tools
HACKER
HACKER
DENIAL OF
SERVICE
Service Disruption
Non-802.11 Attacks
Backdoor Access
BLUETOOTH AP
BRKEWN-2021
Cisco Public
BLUETOOTH
RF-JAMMERS
RADAR
30
Network
Core
Si
Si
Si
Wireless Control
System (WCS)
Distribution
Wireless
LAN
Controller
Access
RLDP
Rogue
AP
BRKEWN-2021
RRM
Scanning
Authorized
AP
Rogue
AP
Cisco Public
Rogue
Detector
Rogue
AP
31
Detect
Monitor Mode
Access Points
Rogue Detection
Mechanisms
Dedicated to
scanning
Listens for 1.2s on
each channel
Scans all channels
Any AP not
broadcasting the
same RF Group
name or part of the
same mobility
group is
considered a rogue
Automatic white
listing for
autonomous APs
managed by WCS
BRKEWN-2021
Cisco Public
32
Detect
Local Mode AP
Every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)
AP on Channel 36 - 802.11 a/n US Country Channels (without UNII-2 Extended)
10ms 10ms
14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms 14.5s 50ms
36
40
36
44
36
48
36
52
36
56
36
60
36
64
36
149
Every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)
BRKEWN-2021
Cisco Public
33
Detect
Monitor Mode AP
1.2s 1.2s
1.2s
1.2s
1.2s 1.2s
1.2s 1.2s
10
1.2s 1.2s
11
12
1.2s
Each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration
802.11a/n All Channels
10ms 10ms
1.2s
1.2s
36
40
1.2s 1.2s
44
48
1.2s 1.2s
52
56
1.2s
60
64
100
104
1.2s 1.2s
108
112
1.2s 1.2s
116
132
1.2s 1.2s
136
140
Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration
BRKEWN-2021
Cisco Public
34
Detect
Cisco Public
35
Classify
Concept
Lower Severity
Higher Severity
Off-Network
Secured
Foreign SSID
Weak RSSI
Distant Location
No Clients
On-Network
Open
Our SSID
Strong RSSI
On-Site Location
Attracts Clients
BRKEWN-2021
Cisco Public
36
Classify
Examples
Detected as
Rogue
Rogue Rule:
SSID: tmobile
RSSI: -80dBm
Marked as
Friendly
Rogue Rule:
SSID: Corporate
RSSI: -70dBm
Marked as
Malicious
Rogues
Matching No
Rule
Marked as
Unclassified
Cisco Public
37
Classify
Configuration
Rules
Sorted
by
Priority
BRKEWN-2021
Cisco Public
38
Classify
Rogues by
Category
BRKEWN-2021
Cisco Public
39
Classify
Concept
Rogue AP
Authorized AP
Client ARP
L2 Switched Network
Trunk Port
Wired Rogue Detector AP
Detects all rogue client and Access Point ARPs
Controller queries rogue detector to determine if
rogue clients are on the network
Does not work with NAT APs
BRKEWN-2021
Cisco Public
Rogue
Detector
40
Classify
Floor 3
Rogue Detector
Floor 3
Floor 2
Rogue Detector
Floor 2
Floor 1
Rogue Detector
Floor 1
Cisco Public
41
Classify
Operation
WCS
WLC
0009.5b9c.8768
Rogue
Detector
BRKEWN-2021
0021.4458.6652
Cisco Public
42
Classify
Configuration
WLC
All Radios
Become
Disabled
in This Mode
Switch
BRKEWN-2021
interface GigabitEthernet1/0/5
description Rogue Detector
switchport trunk encapsulation dot1q
switchport trunk native vlan 113
switchport mode trunk
spanning-tree portfast
2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
AP
VLAN
43
Classify
Concept
Connect as
Client
Rogue AP
Managed AP
Routed/Switched Network
Cisco Public
Send Packet
to WLC
Controller
44
Classify
Operation
WCS
WLC
00:13:5f:fa:27:c0
BRKEWN-2021
Cisco Public
45
Classify
Automatic Operation
BRKEWN-2021
Cisco Public
46
Switchport Tracing
Classify
Concept
Match
Found
3
CAM
Table
CAM
Table
WCS
1
Show CDP
Neighbors
Managed AP
WCS Switchport Tracing
Identifies CDP Neighbors of APs detecting the rogue
Queries the switches CAM table for the rogues MAC
Works for rogues with security and NAT
BRKEWN-2021
Cisco Public
Rogue AP
SPT Matches On:
Rogue Client MAC Address
Rogue Vendor OUI
Rogue MAC +1/-1
Rogue MAC Address
47
Classify
Operation (Cont.)
Uncheck
to Shut
the Port
Match Type
Number of MACs
Found on the Port
WCS
BRKEWN-2021
Cisco Public
48
Rogue Location
Mitigate
WCS
BRKEWN-2021
Cisco Public
49
Rogue Location
Mitigate
WCS
BRKEWN-2021
Cisco Public
50
Rogue Containment
Mitigate
Concept
Mitigate
Rogue Client
Authorized AP
De-Auth
Packets
Rogue AP
Rogue AP Containment
Sends De-Authentication (or Disassociation) Packets to Client and AP
Can use local, monitor mode or H-REAP APs
Impacts client performance on local/H-REAP APs
A temporary solution till the rogue can be tracked down.
BRKEWN-2021
Cisco Public
51
Rogue Containment
Mitigate
De-Auth
Local Mode
BRKEWN-2021
Cisco Public
52
Rogue Containment
Mitigate
De-Auth
Unicast Deauth and Unicast Disassociation Frames
Dis-Association
6
Monitor Mode
BRKEWN-2021
Cisco Public
53
Rogue Containment
Mitigate
Auto-Containment Configuration
Ability to Use Only
Monitor Mode APs for Containment
to Prevent Impact to Clients
WLC
Cisco Public
54
Base IDS
Adaptive
wIPS
Built-In to
Controller
Software
Requires MSE
Uses wIPS
Monitor Mode
and/or Local APs
BRKEWN-2021
Cisco Public
55
Adaptive wIPS
Components and Functions
AP
Attack
Detection
24x7
Scanning
Over-the-Air Detection
WLC
Configuration
wIPS AP Management
MSE
Alarm
Archival
Capture
Storage
Complex Attack Analysis,
Forensics, Events
WCS /
NCS
BRKEWN-2021
Centralized
Monitoring
Historic
Reporting
Monitoring,
Reporting
Cisco Public
56
BRKEWN-2021
Cisco Public
57
BRKEWN-2021
Cisco Public
58
Without ELM
Data Serving
Cisco Public
59
Services can co-exist on the same MSE, but per-service maximums decrease.
For Example, the MSE3310 can handle 1000 wIPS APs + 1000 Context Tracked Items.
Cisco Public
60
Monitor
wIPS ELM
wIPS
Monitor
Client Service
Yes
Yes
Rogue
Detection and
Containment
Yes
Yes
Yes
Yes
Attacks
Detected
17
17
39
45
Attack
Encyclopedia
Yes
Yes
Forensics
Yes
Yes
Anomaly
Detection
Yes
Yes
MSE Required
Yes
Yes
WCS Required
Yes
Yes
BRKEWN-2021
Cisco Public
61
Solution
CCXv5
AP Beacons
Probe Requests/
Probe Responses
Associations/Re-Associations
Disassociations
Authentications/
De-Authentications
BRKEWN-2021
Cisco Public
62
L2
IDS
Malicious Traffic
L3-7
IDS
Enterprise
Intranet
Cisco Public
63
WLAN Security
Vulnerabilities and Threats
On-Wire Attacks
Over-the-Air Attacks
Ad-Hoc Wireless Bridge
HACKER
Rogue Detection,
Classification and
Mitigation Addresses
Rogue
Access
Points
These
Attacks
Reconnaissance
Evil Twin/Honeypot AP
MFP Neutralizes
All
HACKERS
Management Frame AP
Exploits, Such as Man-inthe-Middle Attacks
HACKER
Connection to Malicious AP
SeekingWPA2/802.11i
Network Vulnerabilities
Denial of Service
Neutralizes Recon
and
CrackingTools
Attacks
Cracking
HACKER
HACKER
wIPS Detects
DENIAL OFThese
SERVICE
Attacks
Backdoor Network Access
Service Disruption
Non-802.11 Attacks
Backdoor Access
BLUETOOTH AP
BRKEWN-2021
Cisco Public
BLUETOOTH
RF-JAMMERS
RADAR
64
Near
Far
(25 ft)
(75 ft)
Jammer
100%
100%
Video Camera
100%
57%
90%
75%
Microwave
Oven
63%
53%
Bluetooth
Headset
20%
17%
DECT Phone
18%
10%
Interference Type
Wi-Fi
(busy neighbor)
Cisco Public
65
100
63
90
20
35
Cisco
CleanAir
BRKEWN-2021
Cisco Public
66
WLAN Security
Vulnerabilities and Threats
On-Wire Attacks
Over-the-Air Attacks
Ad-Hoc Wireless Bridge
HACKER
Rogue Detection,
Classification and
Mitigation Addresses
Rogue
Access
Points
These
Attacks
Reconnaissance
Evil Twin/Honeypot AP
MFP Neutralizes
All
HACKERS
Management Frame AP
Exploits, Such as Man-inthe-Middle Attacks
HACKER
Connection to Malicious AP
SeekingWPA2/802.11i
Network Vulnerabilities
Denial of Service
Neutralizes Recon
and
CrackingTools
Attacks
Cracking
HACKER
HACKER
wIPS Detects
DENIAL OFThese
SERVICE
Attacks
Backdoor Network Access
Service Disruption
Non-802.11 Attacks
Cisco
CleanAir
Detects These Attacks
Backdoor
Access
BLUETOOTH AP
BRKEWN-2021
Cisco Public
BLUETOOTH
RF-JAMMERS
RADAR
67
BRKEWN-2021
Cisco Public
68
BRKEWN-2021
Cisco Public
69
BRKEWN-2021
Cisco Public
70
Thank you.
BRKEWN-2021
Cisco Public
71