Wireless Network Security

Wireless Network Security. Team MAGIC: Michael Gong, Jake Kreider, Chris Lugo, Kwame Osafoh-Kintanka. Why wireless? "Wifi, which is short for wireless fi … something, allows your computer to connect to the Internet using magic." - Motel 6 commercial. … but it comes at a price.

Transcript of Wireless Network Security

Slide 1

Wireless Network Security
Team MAGIC
- Michael Gong
- Jake Kreider
- Chris Lugo
- Kwame Osafoh-Kintanka

Why wireless?
"Wifi, which is short for wireless fi … something, allows your computer to connect to the Internet using magic." - Motel 6 commercial

… but it comes at a price
Wireless networks present security risks far above and beyond traditional wired networks
- Rogue access points
- Evil twins
- Packet-based DoS
- Spectrum DoS
- Eavesdropping
- Traffic cracking
- Compromised clients
- MAC spoofing
- Ad-hoc networks
- Man-in-the-middle
- Grizzly bears
- ARP poisoning
- DHCP spoofing
- War driving
- IP leakage
- Wired/wireless bridging

Cisco Wireless Network Solution
The Cisco Wireless Solution Architecture integrates existing Cisco networks with a robust, secure suite of wireless products.
Agenda:
- The Cisco Wireless Network Architecture
- Cisco Unified Wireless Network, CSA, Cisco NAC, firewalls, Cisco IPS, and CS-MARS
- Common wireless threats
- How Cisco Wireless Security protects against them

Today's wireless network

Cisco Unified Wireless Network
CUWN extends the Cisco network portfolio with wireless-specific solutions for
- Security
- Deployment
- Management
- Control issues

CUWN Architecture
- Centralized operation and management with Wireless LAN Controller (WLC)
- Simplified lightweight wireless access point operation (LWAP)
- Traffic tunneled from LWAP to WLC
- Consistent policy configuration and enforcement

CUWN Security
Integrated and extended solutions
- Wireless intrusion prevention
- Rogue access point detection & mitigation
- Access control
- Traffic encryption
- User authentication
- RF interference & DoS protection
- Wireless vulnerability monitoring
- Infrastructure hardening

CSA Cisco Security Agent
Full featured agent-based endpoint protection
Two components:
- Managed client - Cisco Security Agent
- Single point of configuration - Cisco Management Center

CSA - Purpose

CSA Wireless Perspective

CSA Combined Wireless Features
General CSA features
- Zero-day virus protection
- Control of sensitive data
- Provide integrity checking before allowing full network access
- Policy management and activity reporting
CSA Mobility features
- Able to block access to unauthorized or ad-hoc networks
- Can force VPN in unsecured environments
- Stop unauthorized wireless-to-wired network bridging

Cisco Network Admission Control (NAC)
- Determines the users, their machines, and their roles
- Grant access to network based on level of security compliance
- Interrogation and remediation of noncompliant devices
- Audits for security compliance

Cisco NAC Architecture

Cisco NAC Features
- Client identification
  - Access via Active Directory, Clean Access Agent, or even web form
- Compliance auditing
  - Non-compliant or vulnerable devices through network scans or Clean Access Agent
- Policy enforcement
  - Quarantine access and provide notification to users of vulnerabilities
- Wireless integration
  - Both in-band and out-of-band between VLAN and WLAN

Cisco Firewall Purpose
- Common first level of defense in the network & security infrastructure
- Compare corporate policies about user network access rights with the connection information surrounding each access attempt
- WLAN separation with firewall to limit access to sensitive data and protect from data loss
- Firewall segmentation is often required for regulatory compliance
  - PCI
  - SOX
  - HIPAA
  - GLBA

Cisco Firewall Features
- Integrated approach WLC with
  - Firewall Services Modules
  - Adaptive Security Appliance
- Layer 3 routed Mode
- Layer 2 bridged Mode
- Support for virtual contexts to expand FWSM/ASA capabilities and further segment traffic
- Multiple contexts are similar to having multiple standalone devices. Most features are supported in multiple context mode

Cisco IPS
- Designed to accurately identify, classify and stop malicious traffic
- Worms, spyware, adware, network viruses which is achieved through detailed traffic inspection
- Collaboration of IPS & WLC simplifies and automates threat detection & mitigation
- Institute a host block upon detection of malicious traffic
- WLC enforcement to the AP to curtail traffic at the source

CS-MARS
- Simplified, centralized management plane
- Native support for CUWN components
- SNMP based integration into WLC & WCS

Wireless Security Threats

Rogue Access Points
Rogue Access Points refer to unauthorized access points set up in a corporate network
Two varieties:
- Added for intentionally malicious behavior
- Added by an employee not following policy
Either case needs to be prevented

Rogue Access Points - Protection
Cisco Wireless Unified Network security can:
- Detect Rogue APs
- Determine if they are on the network
- Quarantine and report
- CS-MARS notification and reporting
- Locate rogue APs

Cisco Rogue AP Mapping

Evil Twins
Evil Twins, also known as Hacker Access Points, are malicious APs set up to disguise themselves as legitimate ones
- Users will likely not realize they are not connecting to the intended AP
- Once connected, they can fall victim to multiple exploits, such as man-in-the-middle attacks.

Evil Twins - Protection
- The Cisco Security Agent (CSA) can protect against Evil Twins.
- It can ensure it is connecting to a company-owned access point.
- If off-premise, it can force the user to use VPN.
- Additionally, rogue APs on campus can be detected.
- The network can even bring down the rogue AP using wireless de-auth packets (a loose form of DoS).
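The rogue AP and evil twin checks from the two protection slides, as an added example that is not part of the original presentation and is not Cisco's implementation: it sorts wireless scan results against an inventory of company-owned radios. The SSIDs, MAC addresses, verdict names, and the adjacent-MAC heuristic for deciding whether an unknown AP is on the wired network are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): corporate SSIDs and company-owned radios.
CORP_SSIDS = {"corp-wlan"}
AUTHORIZED_BSSIDS = {"02:00:00:00:0a:01", "02:00:00:00:0a:02"}
# Constructed: MAC addresses learned on wired switch ports.
WIRED_MACS = {"02:00:00:00:0a:01", "02:00:00:00:0a:02", "02:00:00:00:10:10"}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    ad_hoc: bool = False

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def on_wire(bssid: str) -> bool:
    """Heuristic (assumption): an AP's wired MAC is its BSSID or adjacent to it."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= 1 for m in WIRED_MACS)

def classify(beacon: Beacon) -> str:
    bssid = beacon.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        # BSSIDs can be spoofed, so this is a first-pass inventory check only.
        return "authorized" if beacon.ssid in CORP_SSIDS else "owned-radio-odd-ssid"
    if beacon.ssid in CORP_SSIDS:
        return "evil-twin-suspect"       # corporate name, radio we do not own
    if on_wire(bssid):
        return "rogue-on-wired-network"  # unknown radio bridged to our LAN
    if beacon.ad_hoc:
        return "ad-hoc"
    return "neighbor"                    # unrelated network in range

def triage(beacons):
    return {b.bssid: classify(b) for b in beacons}

# Constructed scan results, not captured from a real network.
SCAN = [
    Beacon("corp-wlan", "02:00:00:00:0A:01"),
    Beacon("corp-wlan", "02:00:00:00:99:01"),
    Beacon("linksys", "02:00:00:00:10:11"),
    Beacon("printer-direct", "02:00:00:00:55:05", ad_hoc=True),
    Beacon("coffee-shop", "02:00:00:00:77:07"),
]

if __name__ == "__main__":
    print("\n".join(f"{k}  {v}" for k, v in triage(SCAN).items()))
```

Only the evil twin and rogue-on-wire verdicts call for quarantine and reporting; a neighbor network in range is not a policy violation by itself.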

Wireless DoS
Wireless networks are subject to two forms of DoS:
- Traditional (packet-based)
- RF-based (Jamming)
Cisco uses Management Frame Protection to guard against certain packet-based attacks
Cisco WIPS uses dynamic radio resource management to help guard against jamming attacks

Traffic Cracking
But we're secure.
- MAC Authentication
- WEP
- WPA
Close but not even on the network
- Cisco WCS
  - Layer 1/2/3 protection
- Cisco MARS
  - Detection

Cracking the protection

Compromised Clients

Wifi Threat: Ad-hoc Connections
Security Concern: Wide-open connections; Unencrypted; Unauthenticated; Insecure
CSA Feature: Pre-defined ad-hoc policy

Wifi Threat: Concurrent wired/wifi connection
Security Concern: Contaminating secure wired environment
CSA Feature: Concurrent wired/wifi pre-defined policy; Disable wifi traffic if wired detected

Wifi Threat: Access to unsecured wifi
Security Concern: May lack authentication / encryption; Risk of traffic cracking, rogue network devices
CSA Feature: Location based policies; Restrict allowed SSIDs; Enforce stronger security policies

Guest Wireless
Let them on but don't let them on
Cisco WCS

Guest Wifi with Benefits
- Network segmentation
- Policy management
- Guest traffic monitoring
- Customizable access portals

Conclusion
- Present unparalleled threats
- The Cisco Unified Wireless Network Solution provides the best defense against these threats