Putting Your Air Space to Work with Business-Class Wireless · WPA-PSK • WPA-PSK becoming...

1 © 2005 Cisco Systems, Inc. All rights reserved. CiscoExpo 04/2006 Kiev Putting Your Air Space to Work with Business-Class Wireless Dmitry Bugrimenko [email protected] [email protected] Cisco Expo 2006 Kiev

Transcript of Putting Your Air Space to Work with Business-Class Wireless

Page 1: Putting Your Air Space to Work with Business-Class Wireless · WPA-PSK • WPA-PSK becoming somewhat popular recently Available on some handhelds, esp. Symbol Advantage: unique per-client,

1© 2005 Cisco Systems, Inc. All rights reserved.CiscoExpo04/2006 Kiev

Putting Your Air Space to Work with Business-Class Wireless

Dmitry Bugrimenko, [email protected]

[email protected]

Cisco Expo 2006 Kiev

Page 2

Cisco Unified Wireless Security


Page 3

Cisco WLAN Security Leadership and Innovation

• Industry's first implementation of 802.1X/EAP authentication and dynamic key derivation

• Chaired and led the 802.11i work group

• Wrote or co-wrote many EAP RFCs

• Technical leadership role in Fast Secure Roaming 802.11r

• Industry leading, patent pending rogue detection, mitigation and suppression

• Continuing to innovate with Self-Defending Network: location enabled security; Access Control / IDS alerts; invented host posture analysis (NAC); invented Management Frame Protection (MFP); invented Self Defending Network (NIC)

Page 4

Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

Self-Defending Network (SDN): Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats

Endpoint Protection (Keep Clients Safe)
• Strong Mutual Authentication
• Strong Encryption
• True Wireless IPS
• Adaptive Client Policies

Anomaly and IDS/IPS (Protect the Network)
• Rogue AP detection and containment
• Multilayer client exclusions

Admission Control (Keep Clients Honest)
• Network Admission Control
• Guest Access

Integrated Management

Page 5

Checklist for Secure Wireless LANs

Implementation Checklist
• 802.1X (EAP)
• WPA2 (AES) or WPA (TKIP)
• Management Frame Protection
• Cisco CSA

Endpoint Protection (Keep Clients Safe): Strong Mutual Authentication • Strong Encryption • True Wireless IPS • Adaptive Client Policies

Page 6

Protected Access

What are WPA and WPA2?

• Authentication and Encryption standards for Wi-Fi clients and APs

• 802.1X authentication

• WPA uses TKIP encryption

• WPA2 uses AES encryption

Which should I use?

• Go for the Gold!

• Silver, if you have legacy clients

• Lead, if you absolutely have no other choice (i.e. ASDs)

Gold: WPA2/802.11i • EAP • AES

Silver: WPA • EAP • TKIP

Lead: dWEP (legacy) • EAP/LEAP • VLANs + ACLs

Page 7

How does Extensible Authentication Protocol (EAP) Authenticate Clients?

Diagram: WLAN Client <-> Access Point/Controller <-> RADIUS server <-> Corporate Network

1. Client associates to the Access Point/Controller.

2. 802.1x runs between the client and the AP/Controller, RADIUS between the AP/Controller and the RADIUS server; EAP is carried across both legs.

3. Cannot send data until EAP authentication is complete: data from the client is blocked by the AP.

4. Once EAP authentication completes, the client sends data: data from the client is passed by the AP.

Page 8

EAP Protocols and Database Compatibility

                             | EAP-TLS                    | PEAP                                       | EAP-TTLS | LEAP                                          | EAP-FAST
Login scripts (MS DB)        | Yes (1)                    | Yes (1)                                    | Yes      | Yes                                           | Yes
Password expiration (MS DB)  | N/A                        | Yes                                        | Yes      | No                                            | Yes
Client & OS availability     | XP, 2000, CE, and others (2) | XP, 2000, CE, CCXv2 clients (3), and others (2) | Funk | Cisco/CCXv1 or above clients and others (2) | Cisco/CCXv3 clients (4) and others (2)
MS DB support                | Yes                        | Yes                                        | Yes      | Yes                                           | Yes
LDAP DB support              | Yes                        | Yes (5)                                    | Yes      | No                                            | Yes
OTP support                  | No                         | Yes (5)                                    | Yes      | No                                            | No

(1) Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
(2) Greater operating system coverage is available from Meetinghouse and Funk supplicants
(3) PEAP/GTC is supported on CCXv2 clients and above
(4) Cisco 350/CB20A clients support EAP-FAST on MSFT XP, 2000, and CE operating systems. EAP-FAST supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients
(5) Supported by PEAP/GTC only, i.e., not PEAP-MSCHAPv2

Page 9

EAP Best Practices

• Leverage existing database where possible

• Consider TCO of solution, not just client s/w cost

• Consider future of 802.1X (e.g. NAC) when deploying authentication infrastructure

• Be aware of EAP timing parameters, dot1x holdoff, client exclusion policies

Page 10

EAP Best Practices

• Where practical, eliminate key authentication issues when initially implementing EAP

• Use Active Directory Group Policy Security configs to ease deployment of the root certificate (PEAP), or obtain the EAP server cert from a public CA

• Verify EAP server certificate includes “EKU” field for “server authentication”

Self-signed certificates may be helpful for proof-of-concept or where customers are not deploying PKI

Page 11

802.11i PMK Caching

• Whenever an AP and a STA have successfully passed dot1x-based authentication, both of them may cache the PMK record to be used later.

• When a STA is going to (re-)associate to an AP, it may attach a list of PMKIDs (which were derived via the dot1x process with this AP before) in its RSNIE in the (re-)association request frame.

• When PMKIDs exist in the STA’s RSNIE, the AP can use them to retrieve the PMK record from its own PMK cache. If the PMK is found and matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 4-way key handshake with the STA.

• PMK cache records will be kept for 1 hour for non-associated STAs

• Enable PMK caching to bypass 802.1X authentication
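As an added illustration of the AP-side logic these bullets describe (example code, not from the Cisco deck), a Python PMK cache that names each record by the 802.11i PMKID (HMAC-SHA1 over "PMK Name" || AP MAC || STA MAC, truncated to 128 bits), honours an offered PMKID only if the record is unexpired and bound to the requesting STA's MAC, and otherwise falls back to full 802.1X. The MAC addresses and PMK value used are constructed; the one-hour lifetime is the slide's figure.

```python
import hashlib
import hmac
import time
from typing import Dict, Iterable, Optional, Tuple

# Slide: PMK cache records are kept for 1 hour for non-associated STAs.
PMK_CACHE_LIFETIME_SECONDS = 3600


def mac_to_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

    AA is the authenticator (AP) MAC, SPA the supplicant (STA) MAC, and the
    HMAC-SHA1 output is truncated to its first 128 bits (16 bytes). Both
    sides can compute this name without ever sending the PMK itself.
    """
    data = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkCache:
    """AP-side PMK cache: PMKID -> (PMK, STA MAC it is bound to, time cached)."""

    def __init__(self, ap_mac: str, clock=time.time) -> None:
        self.ap_mac = ap_mac
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self._records: Dict[bytes, Tuple[bytes, str, float]] = {}

    def store(self, sta_mac: str, pmk: bytes) -> bytes:
        """Call after a successful dot1x/EAP exchange with sta_mac; returns the PMKID."""
        pid = pmkid(pmk, self.ap_mac, sta_mac)
        self._records[pid] = (pmk, sta_mac.lower(), self.clock())
        return pid

    def lookup(self, sta_mac: str, offered_pmkids: Iterable[bytes]) -> Optional[bytes]:
        """Return the cached PMK for a (re-)association request carrying PMKIDs.

        A hit requires an unexpired record whose bound STA MAC matches the
        requesting STA; otherwise None, meaning a full 802.1X exchange is needed.
        """
        now = self.clock()
        for pid in offered_pmkids:
            rec = self._records.get(pid)
            if rec is None:
                continue
            pmk, bound_sta, cached_at = rec
            if now - cached_at > PMK_CACHE_LIFETIME_SECONDS:
                del self._records[pid]  # stale record from a STA that never came back
                continue
            if bound_sta != sta_mac.lower():
                continue  # PMKID seen in another client's frames: not honoured
            return pmk
        return None


def reassociation_path(cache: PmkCache, sta_mac: str, offered_pmkids: Iterable[bytes]) -> str:
    """Decide what the AP does next for this (re-)association request."""
    if cache.lookup(sta_mac, offered_pmkids) is not None:
        return "4-way handshake"
    return "802.1X authentication"
```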

Page 12

WPA-PSK

• WPA-PSK becoming somewhat popular recently
Available on some handhelds, esp. Symbol
Advantage: unique per-client, temporal keys
Disadvantage: PSK shared across all clients (similar key management issues to static WEP)

• WPA-PSK does not function on Distributed Architecture with AAA MAC auth

• Make sure that customers are aware of Dictionary Attack potential with WPA-PSK
PSK may be set explicitly as 64 hex characters or with a “passphrase”, which uses a well-known expansion to generate the PSK
Brute force attack on the 256-bit key is non-trivial
Strong passwords should be used if utilizing a “passphrase”
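An added Python example (not from the deck) of the well-known expansion the slide refers to: 802.11i derives the PSK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. It accepts both forms the slide names (64 hex characters or a passphrase) and adds a rough keyspace estimate, which shows that a short passphrase, not the 256-bit key, is what a dictionary attack targets. The minimum-strength threshold and SSID values are assumptions; the expected PSK for "password" on SSID "IEEE" is the published 802.11i test vector.

```python
import hashlib
import math
import re
import string
from typing import Dict

HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")
PBKDF2_ITERATIONS = 4096  # fixed by 802.11i for the passphrase expansion
PSK_BYTES = 32            # 256-bit PSK


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase expansion: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).

    The standard restricts the passphrase to 8-63 printable ASCII characters
    (codes 32-126); the SSID is the salt, so the same passphrase yields a
    different PSK on a different SSID.
    """
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


def psk_from_config(value: str, ssid: str) -> bytes:
    """Accept either form the slide mentions: 64 hex characters (the raw key) or a passphrase."""
    if HEX_PSK_RE.match(value):
        return bytes.fromhex(value)
    return passphrase_to_psk(value, ssid)


def passphrase_keyspace_bits(passphrase: str) -> float:
    """Rough upper bound on the guessing effort a passphrase offers: log2(charset ** length).

    Counts only the character classes actually used; dictionary words score
    far lower in practice, so this is an optimistic ceiling, not a measure.
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    charset = sum(size for chars, size in classes if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(charset)


def assess_psk_config(value: str, ssid: str, min_bits: float = 80.0) -> Dict[str, object]:
    """Derive the PSK and report whether the configured secret meets an assumed minimum strength.

    A 64-hex-character key is credited with its full 256 bits (assuming it was
    generated randomly); a passphrase is credited only with its keyspace bound.
    """
    psk = psk_from_config(value, ssid)
    if HEX_PSK_RE.match(value):
        bits = 8.0 * PSK_BYTES
    else:
        bits = passphrase_keyspace_bits(value)
    return {"psk": psk, "effective_bits": bits, "acceptable": bits >= min_bits}
```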

Page 13

EAP Protocols: Feature Support

                                                        | EAP-TLS | PEAP   | EAP-TTLS | LEAP | EAP-FAST
Off-line dictionary attack vulnerability                | No      | No     | No       | Yes  | No
Application Specific Device (ASD) support (Cisco NIC)   | No      | No     | No       | Yes  | Yes
Local authentication (IOS)                              | No      | No     | No       | Yes  | Yes
Server certificates?                                    | Yes     | Yes    | Yes      | No   | No
Deployment complexity                                   | High    | Medium | Medium   | Low  | Low
Client certificates?                                    | Yes     | No     | No       | No   | No
RADIUS server scalability impact                        | High    | High   | High     | Low  | Low/Medium

Page 14

Microsoft XP Supplicant info

• KB885453 must be obtained from Microsoft directly

• Beware of reauthentication behaviors in Microsoft XP SP2

• Should only impact non-Microsoft servers

Page 15

End-user requirements

• Login scripts, drive mapping
Network must be available to machine prior to user login

• Machine authentication
Machine certificate
Machine ID (i.e. username)

• CiscoSecure ACS machine authentication restriction
Capability for ACS group mapping user auth w/o machine auth (note that “No Access” is default when enabled)

Page 16

EAP-FAST – Simple, Versatile, and Secure

Diagram: EAP-TLS, PEAP-GTC, PEAP-MSCHAPv2 and EAP-TTLS shown alongside an EAP-FAST tunnel to the AAA server that carries the inner credentials: OTP, MSCHAPv2, Certs, UID/PW

Simple
• Simple to deploy
• No certs to provision or manage
• Supports secure username/password authentication

Versatile
• Robust support: Fast Roaming (CCKM), IOS Local Authentication, Cisco NAC
• Client stacks from Funk and Meetinghouse

Secure
• Support for multiple authentication types (OTP, MSCHAPv2, Certs)
• Open standard (on the path to RFC)
• Supported in CCXv4

Page 17

What makes 802.11 vulnerable to attacks?

Most common attacks are against management frames

Common Attacks:
• VOID11
• Aireplay
• File2air
• Airforge
• ASLEAP
• Jack attacks
• FakeAP
• Hunter/Killer

Cisco MFP Protected

Page 18

Management Frame Protection (MFP)

• A solution for clients and infrastructure (APs)

• Clients and APs add a MIC (signature) into every management frame

• Anomalies are detected instantly and reported to Wireless Control Server (WCS)

MFP Protected

Page 19

CCX - Driving Security Standardization

CCX v1 • 802.1X authentication • EAP-TLS & LEAP • Cisco pre-standard TKIP • Client Rogue reporting

CCX v2 • WPA compliance • Fast Roaming with CCKM • PEAP

CCX v3 • WPA2 compliance • EAP-FAST • CCKM with EAP-FAST • AES encryption

CCX v4 • CCKM with EAP-TLS, PEAP • WIDS • MBSSID

CCX v5 • MFP • Client Policies

Page 20

Security and WLAN Clients

How do you ensure that all of your client devices support your chosen 802.1X type(s) and encryption option(s)?

• Trend: Embedded adapters in most devices
• Result: Adapter reference designs in most devices

• Options:
Try to standardize on adapters from one vendor
Use WPA/WPA2 “extended EAP” certified clients
Rely on what is available in Windows
Use a commercial supplicant suite
Support a mix of authentication types
Use Cisco Compatible Extensions (CCX) adapters

Page 21

Cisco Security Agent (CSA) - Host Intrusion Prevention System

• CSA stops day zero malicious code without reconfiguration or update.

• CSA has the industry’s best record of stopping Zero Day exploits, worms, and viruses over past 4 years:

2001 – Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
2002 – Sircam, Debploit, SQL Snake, Bugbear
2003 – SQL Slammer, So Big, Blaster/Welchia, Fizzer
2004 – MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
2005 – Internet Explorer Command Execution Vulnerability

• No reconfiguration of the CSA default configuration, or update to the CSA binaries, was required

CSA Provides Day Zero Attack Protection

CSA Wireless Awareness
• Shut off multiple network interfaces
• Disable Ad Hoc mode
• Connect to only corporate SSIDs

Page 22

Cisco IDS Support (Cisco Controller Architecture and Cisco Distributed Architecture)

Rogue AP Detection/Location

Ad-hoc network Detection

Rogue AP Containment

RF Interference Detection

Rogue/Unregistered client with scan-mode AP

Ad-hoc Network Location and Containment

Mgmt Frame (assoc, authentication) Flood

EAP Frame Flood

MAC Spoofing

Switchport Tracing

WIDS Signature Analysis

Client Exclusion

Page 23

Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

Page 24

Checklist for Secure Wireless LANs

Implementation Checklist
• Cisco NAC for wired and wireless
• Cisco CSA
• Guest: Integrated captive portal w/ traffic tunneling

Admission Control (Keep Clients Honest): Network Admission Control • Guest Access

Page 25

The Need for Admission Control

• Viruses, worms, spyware, etc. continue to plague organizations

Viruses still #1 cause of financial loss* (downtime, recovery, productivity, etc.)

• Most users are routinely authenticated, but their endpoint devices (laptops, PCs, PDAs, etc.) are not checked for policy compliance

• Unprotected endpoint devices are often responsible for spreading infection

Ensuring devices accessing the network comply with policy (security tools installed, enabled, and current) is difficult and expensive

“Endpoint systems are vulnerable and represent the most likely point of infection from which a virus or worm can spread rapidly and cause serious disruption and economic damage.” – Burton Group

* 2005 FBI/CSI Report

Page 26

The NAC Solution
• Offers customers a deployment timeframe choice
• Adapts to customers’ investment protection requirements

NAC Appliance (leverages Cisco Clean Access)
• Sold as virtual or integrated appliance
• Self-contained product integrates with but does not rely on partners

NAC Infrastructure: NAC Framework
• Sold through NAC-enabled products
• Integrated solution leveraging Cisco network and vendor products

Page 27

Cisco Clean Access: Out of Band Deployment

• VLAN based Quarantine
Manager performs switch management and port assignment
Server performs remediation and is deployed on the quarantine VLAN

• Support for multiple switch infrastructures (2950, 3550, 3750, 4500, 6500)
SNMP v1/v2c for “reads”
SNMP v1/v2c/v3 for “writes”

• Supports multi-gigabit network deployment because:
Server is only in the data path for non-certified devices

• Host retains IP address after “certification”
Based on smart internal VLAN and DHCP mapping

• Does not require 802.1X infrastructure

Diagram: CCA Server, CCA Manager

Page 28

CCA Network Configuration (diagram)

• Components shown: Internet, Intranet, ACS / DHCP, Wireless Controller (192.168.2.4), Clean Access Server, Clean Access Manager
• Subnets shown: 192.168.1.x/24, 192.168.2.x/24, 192.168.3.x/24, 172.18.10.x/24, 10.1.1.x/24
• SSID “guest”: 172.18.10.0/24, VLAN 172
• SSID “regular”: 172.19.10.0/24, VLAN 173
• VLAN 172 & 173 (trunk)

Page 29

CCA Design Requirements

• All Guest & Corporate/”Regular” wireless traffic coming into the Controller must go through CAS before being allowed access to the Internet and Internal/corporate network

• Configure dynamic interfaces called “Guest” and “Regular” in the Controller for vlan 172 and 173, respectively

• Trunk vlans 172 and 173 to the untrusted interface of the CAS

• Configure network scanning for well-known viruses and an Acceptable User Page for Guest users; configure agent scanning for Windows Hotfixes and an Acceptable User Page for Regular users

• Optionally, set user timeout session, bandwidth and access control management uniquely for Guest and Regular users

• The Guest user will be redirected to a weblogin and must click on Guest access button; Regular user will be redirected to a weblogin and must use the CCA Agent

Page 30

NAC2 – Ubiquitous Admission Control
CTA-Capable Endpoints with NAC-Capable 802.1X Supplicants

Diagram: CTA (endpoint) <-802.1x / EAPo802.1x-> Network Access Device (NAD) <-EAPoRADIUS-> ACS <-HCAP-> Vendor Server, steps 1 to 8 as below

1. 802.1X connection setup between NAD and endpoint

2. NAD requests credentials from endpoint (EAPo802.1X); this may include user, device, and/or posture

3. CTA, via NAC-capable supplicant, sends credentials to NAD (EAPo802.1X)

4. NAD sends credentials to ACS (EAPoRADIUS)

5. ACS can proxy portions of posture authentication to vendor server (HCAP); user/device credentials sent to authentication databases (LDAP, Active Directory, etc.)

6. ACS validates credentials, determines authorization rights, e.g. visitors given GUEST access, unhealthy devices given QUARANTINE access

7. ACS sends authorization policy to NAD (VLAN assignment)

8. Host assigned VLAN, may then gain IP access (or be denied or restricted)

Page 31

Secure Guest Access

Diagram: enterprise user and guest user on the same access layer; the client’s SSID determines its default gateway (Internal vs. GUEST); guest traffic is carried over a switch-to-switch guest tunnel from the enterprise network to a DMZ guest controller

DMZ Guest controller
• Captive portal native in the controller
• Two options for guest access: (1) Guest users can be placed on guest VLAN; (2) All guest traffic is tunneled to a guest controller
• User DB can be local or RADIUS
• Robust administration: Ambassador login; customizable web pages

Page 32

Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

Page 33

Checklist for Secure Wireless LANs

Implementation Checklist
• Wireless IDS
• Rogue Detect/Containment
• FIPS

Anomaly and IDS/IPS (Protect the Network): Rogue AP detection and containment • Multilayer client exclusions

Page 34

Protect the Network: wIDS Detection and Containment

HYPE: External wIDS sensors are the best way to detect and remediate all wireless attacks

REALITY: Most attacks/events occur on the AP/Client channel

Diagram:
• 802.11g Channel 6: valid client and attacker; on-channel attack detected
• 802.11a Channel 152: valid client; 802.11a Channel 153: rogue AP and rogue client; off-channel rogue detected, AP contains rogue client
• 802.11g Channel 1: two ad hoc clients; off-channel ad hoc net detected, AP contains ad hoc net

ROGUES and AD HOCs: Detected quickly via intelligent off channel scanning

RF Containment

Page 35

A Complete Solution for Handling Rogues

1. Detect Rogue AP (Generate alarm)

2. Assess Rogue AP (Identity, Location, ..)

3. Contain Rogue AP
• Can be automated
• Multiple rogues contained simultaneously

4. View Historical Report

Page 36

Cisco WCS – Centralized Security Management

Page 37

Cisco Unified Wireless Network: Engineered to Deliver on the SDN Strategy

Page 38

Security Management

CS-MARS
• Network wide anomaly detection
• Rules based correlation

WCS
• Simple, Powerful Dashboard
• Robust Reporting

Page 39

Checklist Summary

Endpoint Protection (Keep Clients Safe): Strong Mutual Authentication • Strong Encryption • True Wireless IPS • Adaptive Client Policies
• 802.1X (EAP)
• WPA2 (AES) or WPA (TKIP)
• Management Frame Protection
• Cisco CSA

Admission Control (Keep Clients Honest): Network Admission Control • Guest Access
• Cisco NAC for wired and wireless
• Cisco CSA
• Guest: Integrated captive portal w/ traffic tunneling

Anomaly and IDS/IPS (Protect the Network): Rogue AP detection and containment • Multilayer client exclusions
• Wireless IDS
• Rogue Detect/Contain
• FIPS

Page 40

The Cisco Difference

• Unifying wireless and wire line
Utilizing all of Cisco’s security expertise and product line
Not reinventing the wheel

• Location, Location, Location
Only WLAN system with RF fingerprinting for rogue location accuracy

• INTEGRATED air monitoring
Only WLAN system that does not require separate air monitors
Built-in rogue protection and intrusion detection

• Security Designed for Real-Time Applications
Fast Secure roaming

• Active leadership in standards bodies
802.11i, 802.11r, 802.11w, 802.11k

Page 41