Skyjacking a Cisco WLAN: Attack Analysis and Countermeasures
Presenters:
Dr. Pravin Bhagwat, CTO
Dr. Hemant Chaskar, Director of Technology
Moderator:
Sri Sundaralingam, VP of Product Management
In the News
Cisco wireless LAN vulnerability could open ‘back door’
Cisco wireless LANs at risk of attack, ‘skyjacking’
Newly discovered vulnerability could threaten Cisco wireless LANs
What Cisco says
“No risk of data loss or interception”
“Could allow an attacker to cause a denial of service (DoS) condition”
It’s not a big deal!
Severity = Mild
Hmm…
What exactly is skyjacking?
Do I need to worry about it?
How severe is the exploit?
What you will learn today
The risk from skyjacking vulnerability is much bigger than stated
How to assess if you are vulnerable
Countermeasures for skyjacking and other zero-day attacks
Five ways a LAP can discover WLCs
Subnet-level broadcast
Configured
DNS
DHCP
Over-the-air provisioning (OTAP)
Three criteria a LAP uses to select a WLC
Primary, Secondary, Tertiary
Master mode
Maximum excess capacity
Step 1
Step 2
Step 3
Over-the-air provisioning (OTAP)
OTAP exploited for “skyjacking”
Skyjacked LAP denies service to wireless users
Is this just the tip of the iceberg?
Secure WLAN enterprise access
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 20 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Authorized LAP skyjacked – DoS
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 20 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
DoS
Authorized LAP turned into Open Rogue AP
Before
SSID | Security | VLAN | Comment
Corp | OPEN | 30 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Rogue on Network
Camouflaged Rogue LAP: a backdoor to your enterprise network!
Wolf in Sheep Clothing
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 30 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Rogue on Network
Wolf in Sheep Clothing – Scenario 2
Before
SSID | Security | VLAN | Comment
Corp | WPA2 | 20 | Internal to corporate network
Guest | OPEN | 30 | Internal to corporate network
AP Physically Connected To | VLAN 30 | Internal to corporate network
Rogue on Network
DoS
SpectraGuard® Enterprise WLAN policy set-up
Guest WLAN SSID
Allowed Subnet (VLAN) for Guest SSID
Normal WLAN operation
Authorized SSIDs are seen in “Green” color and are detected with VLAN identifier to which they connect
Device list displayed on SpectraGuard Enterprise console
Skyjacking on guest access
1. Change in the VLAN is detected
2. SSID marked as “misconfigured” (Background changes to amber)
3. Automatic Prevention started (Shield icon appears)
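The SSID-to-VLAN policy check behind these three steps, as an added Python sketch; it is not SpectraGuard code. The AP names and the Guest VLAN (40) are assumptions, while the Corp values follow the slide tables.

```python
# Added illustration: SSID-to-VLAN policy check (not SpectraGuard's implementation).
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    security: str             # security setting required for the SSID
    allowed_vlans: frozenset  # wired VLANs this SSID may bridge to

@dataclass(frozen=True)
class Observation:
    ap: str        # AP name (constructed)
    ssid: str
    security: str  # security seen over the air
    vlan: int      # VLAN the AP was found bridging to on the wire

# Corp follows the slides (WPA2, VLAN 20). The Guest VLAN is an assumption.
POLICY = {
    "Corp": Policy("WPA2", frozenset({20})),
    "Guest": Policy("OPEN", frozenset({40})),
}

def classify(obs, policy=POLICY):
    """Return the policy violations for one observed SSID (empty list = compliant)."""
    rule = policy.get(obs.ssid)
    if rule is None:
        return ["ssid-not-authorized"]
    findings = []
    if obs.security != rule.security:
        findings.append("security-mismatch")
    if obs.vlan not in rule.allowed_vlans:
        findings.append("vlan-mismatch")
    return findings

def audit(observations, policy=POLICY):
    """Map (ap, ssid) -> findings for every non-compliant observation."""
    report = {}
    for obs in observations:
        findings = classify(obs, policy)
        if findings:
            report[(obs.ap, obs.ssid)] = findings
    return report

# Constructed observations mirroring the slide scenarios.
SAMPLE = [
    Observation("lap-01", "Corp", "WPA2", 20),   # normal operation
    Observation("lap-02", "Corp", "OPEN", 30),   # authorized SSID as open rogue
    Observation("lap-03", "Corp", "WPA2", 30),   # wolf in sheep clothing
    Observation("lap-04", "Guest", "OPEN", 30),  # scenario 2: guest on internal VLAN
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE).items():
        print(key, findings)
```

In the sample, lap-03 and lap-04 match the policy's SSID and security exactly, so only the VLAN comparison flags them.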
Summary
Type of Skyjacking attack
Authorized SSID as Open Rogue AP
Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing)
Guest access as Open Rogue AP (Wolf in Sheep clothing – scenario 2)

X

X

AirTight’s unique wireless-wired correlation based threat detection
Only over-air threat detection
Open rogue
WPA2 rogue
Open guest rogue
AirTight’s SpectraGuard Enterprise
Thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping™ architecture
The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack
Which LAPs can be skyjacked?
Type of Cisco LAP | Vulnerable?
Configured with locally significant certificates (LSC) | No
Configured with “preferred” WLCs (primary, secondary, tertiary) | Mostly No
LAPs using auto discovery | Yes
Countermeasures
Manually configure LAPs with preferred WLCs (primary, secondary, tertiary)
    Primarily HA and load balancing feature
Manually configure LAPs with LSCs
    Impractical
Block outgoing traffic from UDP ports 12222 and 12223 on your firewall
    Not a common practice
Turn off OTAP on WLC
    Ineffective!
Practical difficulties:
Do you know
If your outgoing UDP ports on the firewall are blocked? Did you test it today?
How many VLANs do you have authorized for wireless access?
Are all SSIDs mapped to the correct VLANs?
When was the last time your LAPs rebooted?
When was the last time your WLC was taken down for maintenance?
If all your APs are compliant with your security policies? How do you know?
If all LAPs are configured with primary, secondary and tertiary WLC?
If all LAPs are indeed connected to configured WLCs?
One mistake and you could be exposed!
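One way to answer the last two questions, as an added Python example that is not from the presentation. It rates each LAP using the "Which LAPs can be skyjacked?" table and checks the joined WLC. The inventory format, column names, and LAP and WLC names are all constructed assumptions.

```python
# Added illustration: audit a LAP inventory against the slides' checklist.
import csv
import io

# Constructed inventory export; column names and all values are assumptions.
INVENTORY = """\
lap,lsc,primary,secondary,tertiary,joined
lap-01,yes,wlc-a,wlc-b,wlc-c,wlc-a
lap-02,no,wlc-a,wlc-b,wlc-c,wlc-b
lap-03,no,wlc-a,,,wlc-a
lap-04,no,,,,wlc-a
lap-05,no,wlc-a,wlc-b,wlc-c,wlc-x
"""
AUTHORIZED_WLCS = {"wlc-a", "wlc-b", "wlc-c"}  # constructed names
PREFERRED = ("primary", "secondary", "tertiary")

def exposure(row):
    """Rating taken from the 'Which LAPs can be skyjacked?' table."""
    if row["lsc"] == "yes":
        return "no"
    # Assumption: any preferred WLC counts here; an incomplete list is
    # reported as a separate finding by audit().
    if any(row[k] for k in PREFERRED):
        return "mostly no"
    return "yes"  # LAP relies on auto discovery

def audit(text, authorized=AUTHORIZED_WLCS):
    """Return {lap: (exposure, [findings])} for every LAP in the inventory."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = []
        configured = [row[k] for k in PREFERRED if row[k]]
        if configured and len(configured) < len(PREFERRED):
            findings.append("preferred-list-incomplete")
        if any(w not in authorized for w in configured):
            findings.append("preferred-wlc-not-authorized")
        if row["joined"] not in authorized:
            findings.append("joined-unknown-wlc")
        elif configured and row["joined"] not in configured:
            findings.append("joined-wlc-not-in-preferred-list")
        report[row["lap"]] = (exposure(row), findings)
    return report

if __name__ == "__main__":
    for lap, (rating, findings) in audit(INVENTORY).items():
        print(lap, "skyjackable:", rating, findings)
```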
Adding second, independent layer of WIPS protection
Designed for WLAN access
Designed for security
Misconfigurations
Zero-day attacks
Undesirable connections
AirTight’s SpectraGuard product family
SpectraGuard SAFE: Wireless Security for Mobile Users
SpectraGuard Online: Industry’s Only Wireless Security Service
SpectraGuard Enterprise: Complete Wireless Intrusion Prevention
SpectraGuard Planner: WLAN Coverage & Security Planning
About AirTight Networks
The Global Leader in Wireless Security and Compliance
For more information on wireless security risks, best practices, and solutions, visit: www.airtightnetworks.com
Visit our blog to read the root cause analysis of “Skyjacking: What Went Wrong?”: blog.airtightnetworks.com
