Skyjacking A Cisco WLAN - What it means and how to protect against it?
![Page 1: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/1.jpg)
Webinar held on 02 Sept, 2009
*Webinar Press Release URL : http://digg.com/d3130SK
![Page 2: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/2.jpg)
In the News
Cisco wireless LAN vulnerability could open ‘back door’
Cisco wireless LANs at risk of attack, ‘skyjacking’
Newly discovered vulnerability could threaten Cisco wireless LANs
![Page 3: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/3.jpg)
What Cisco says
Severity = Mild
“No risk of data loss or interception”
“Could allow an attacker to cause a denial of service (DoS) condition”
It’s not a big deal!
![Page 4: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/4.jpg)
Hmm…
What exactly is skyjacking?
How severe is the exploit?
Do I need to worry about it?
![Page 5: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/5.jpg)
What you will learn today
The risk from skyjacking vulnerability is much bigger than stated
How to assess if you are vulnerable
Countermeasures for skyjacking and other zero-day attacks
![Page 6: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/6.jpg)
Five ways a LAP can discover WLCs
Subnet-level broadcast
Configured
DNS
DHCP
Over-the-air provisioning (OTAP)
![Page 7: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/7.jpg)
Three criteria a LAP uses to select a WLC
Step 1: Primary, Secondary, Tertiary
Step 2: Master mode
Step 3: Maximum excess capacity
![Page 8: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/8.jpg)
Over-the-air provisioning (OTAP)
![Page 9: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/9.jpg)
OTAP exploited for “skyjacking”
![Page 10: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/10.jpg)
Skyjacked LAP denies service to wireless users
![Page 11: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/11.jpg)
![Page 12: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/12.jpg)
Secure WLAN enterprise access
Before

| SSID | Security | VLAN | Comment |
|---|---|---|---|
| Corp | WPA2 | 20 | Internal to corporate network |

AP Physically Connected To: VLAN 30, Internal to corporate network
![Page 13: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/13.jpg)
Authorized LAP skyjacked – DoS
Before

| SSID | Security | VLAN | Comment |
|---|---|---|---|
| Corp | WPA2 | 20 | Internal to corporate network |

AP Physically Connected To: VLAN 30, Internal to corporate network
DoS
![Page 14: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/14.jpg)
Authorized LAP turned into Open Rogue AP
Before

| SSID | Security | VLAN | Comment |
|---|---|---|---|
| Corp | OPEN | 30 | Internal to corporate network |

AP Physically Connected To: VLAN 30, Internal to corporate network
Rogue on Network
![Page 15: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/15.jpg)
Camouflaged Rogue LAP: a backdoor to your enterprise network!
![Page 16: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/16.jpg)
Wolf in Sheep Clothing
Before

| SSID | Security | VLAN | Comment |
|---|---|---|---|
| Corp | WPA2 | 30 | Internal to corporate network |

AP Physically Connected To: VLAN 30, Internal to corporate network
Rogue on Network
![Page 17: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/17.jpg)
Wolf in Sheep Clothing – Scenario 2
Before

| SSID | Security | VLAN | Comment |
|---|---|---|---|
| Corp | WPA2 | 20 | Internal to corporate network |
| Guest | OPEN | 30 | Internal to corporate network |

AP Physically Connected To: VLAN 30, Internal to corporate network
Rogue on Network
DoS
![Page 18: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/18.jpg)
SpectraGuard® Enterprise WLAN policy set-up
Guest WLAN SSID
Allowed Subnet (VLAN) for Guest SSID
![Page 19: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/19.jpg)
Normal WLAN operation
Device list displayed on SpectraGuard Enterprise console
Authorized SSIDs are seen in “Green” color and are detected with VLAN identifier to which they connect
![Page 20: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/20.jpg)
Skyjacking on guest access
1. Change in the VLAN is detected
2. SSID marked as “misconfigured” (background changes to amber)
3. Automatic prevention started (shield icon appears)
![Page 21: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/21.jpg)
Summary
| Type of skyjacking attack | Only over-air threat detection | AirTight’s unique wireless-wired correlation based threat detection |
|---|---|---|
| Authorized SSID as Open Rogue AP | ✓ | ✓ |
| Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing) | X | ✓ |
| Guest access as Open Rogue AP (Wolf in Sheep clothing – scenario 2) | X | ✓ |

Diagram labels: Open rogue; WPA2 rogue; Open guest rogue
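
The difference between the two detection columns in the summary can be reproduced with a small policy check. This is an added example, not AirTight's or Cisco's code: it is a simplified model in which the function names, the verdict strings other than “misconfigured”, and the guest VLAN 99 are assumptions, and the observations are constructed to mirror the slide scenarios.

```python
from dataclasses import dataclass
from typing import Optional

# Authorized policy: SSID -> (security, allowed wired VLAN).
# Corp/WPA2/20 is from the slides; the guest VLAN 99 is an assumed value.
POLICY = {"Corp": ("WPA2", 20), "Guest": ("OPEN", 99)}

@dataclass(frozen=True)
class Observation:
    label: str
    ssid: str
    security: str          # security advertised over the air
    vlan: Optional[int]    # wired VLAN the SSID's traffic lands on, if known

def over_air_only(obs: Observation) -> str:
    """Verdict from radio-visible attributes only (SSID and security)."""
    expected = POLICY.get(obs.ssid)
    if expected is None:
        return "unknown"
    return "authorized" if obs.security == expected[0] else "misconfigured"

def wired_correlated(obs: Observation) -> str:
    """Verdict that also checks the wired VLAN against the policy."""
    verdict = over_air_only(obs)
    if verdict != "authorized":
        return verdict
    if obs.vlan is None:
        return "unverified"   # no wired-side evidence: radio view alone is not trusted
    return "authorized" if obs.vlan == POLICY[obs.ssid][1] else "misconfigured"

# Constructed observations mirroring the slide scenarios.
SCENARIOS = [
    Observation("Normal operation", "Corp", "WPA2", 20),
    Observation("Authorized SSID as open rogue", "Corp", "OPEN", 30),
    Observation("Wolf in sheep clothing", "Corp", "WPA2", 30),
    Observation("Wolf in sheep clothing, scenario 2", "Guest", "OPEN", 30),
]

def compare(scenarios=SCENARIOS):
    """Return (label, over-air verdict, correlated verdict) per scenario."""
    return [(o.label, over_air_only(o), wired_correlated(o)) for o in scenarios]

if __name__ == "__main__":
    for label, air, wired in compare():
        print(f"{label:38} over-air={air:14} correlated={wired}")
```

In the last two scenarios the SSID and security still match the policy, so only the check that includes the wired VLAN returns “misconfigured”.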
![Page 22: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/22.jpg)
AirTight’s SpectraGuard Enterprise
The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack
Thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping™ architecture
![Page 23: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/23.jpg)
Which LAPs can be skyjacked?
| Type of Cisco LAP | Vulnerable? |
|---|---|
| LAPs using auto discovery | Yes |
| Configured with “preferred” WLCs (primary, secondary, tertiary) | Mostly No |
| Configured with locally significant certificates (LSC) | No |
![Page 24: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/24.jpg)
Countermeasures
Manually configure LAPs with preferred WLCs (primary, secondary, tertiary): Primarily HA and load balancing feature
Turn off OTAP on WLC: Ineffective!
Manually configure LAPs with LSCs: Impractical
Block outgoing traffic from UDP ports 12222 and 12223 on your firewall: Not a common practice
![Page 25: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/25.jpg)
Practical difficulties: Do you know
- If your outgoing UDP ports on the firewall are blocked? Did you test it today?
- If all LAPs are configured with primary, secondary and tertiary WLC?
- If all LAPs are indeed connected to configured WLCs?
- How many VLANs do you have authorized for wireless access?
- Are all SSIDs mapped to the correct VLANs?
- When was the last time your LAPs rebooted?
- When was the last time your WLC was taken down for maintenance?
- If all your APs are compliant with your security policies? How do you know?
![Page 26: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/26.jpg)
One mistake and you could be exposed!
![Page 27: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/27.jpg)
Adding second, independent layer of WIPS protection
Diagram labels: Misconfigurations; Zero-day attacks; Undesirable connections
Layers: Designed for WLAN access; Designed for security
![Page 28: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/28.jpg)
AirTight’s SpectraGuard product family
Industry’s Only Wireless Security Service
Complete Wireless Intrusion Prevention
Wireless Security for Mobile Users
WLAN Coverage & Security Planning
![Page 29: Skyjacking A Cisco WLAN - What it means and how to protect against it?](https://reader034.fdocuments.in/reader034/viewer/2022051816/5444a1cab1af9f640a8b49b1/html5/thumbnails/29.jpg)
About AirTight Networks
The Global Leader in Wireless Security and Compliance
For more information on wireless security risks, best practices, and solutions, visit: http://www.airtightnetworks.com
Visit our blog to read the root cause analysis of “Skyjacking: What Went Wrong?”: http://blog.airtightnetworks.com