real world wi l s itwireless security · pci dss 1.2 wireless security best practice pci dss 1.2 wi...
TRANSCRIPT
Real WorldWi l S itWireless SecurityCisco Expo 2009 Belgrade
Page 1 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
ContentsContents
Abo t UsAbout Us
Enterprise Wireless InfrastructureEnterprise Wireless Infrastructure
Wireless Security AttacksWireless Security Attacks
Wireless Intrusion Prevention System
Wireless Security Best Practice
Wireless Intrusion Prevention System
Page 2 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Wireless Security Best Practice
Siemens
About Us
Siemens
420k E l i 190 C t i420k Employers in 190 Countries
2009 Revenue €77.3bilions
High-Tech Company
IT Technology Trends
Wireless LAN ComplianceWireless LAN Compliance
Page 3 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Siemens IT Services and Solutions
About Us
Siemens IT Services and Solutions
43k E l i 40 C t i43k Employers in 40 Countries
Professional and System Services
Outsourcing and System Integration
Data Centar Infrastructure
NetworkingNetworking
Unified Communications
Page 4 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
ContentsContents
Introd ctionIntroduction
Enterprise Wireless InfrastructureEnterprise Wireless Infrastructure
Wireless Infrastructure AttacksWireless Infrastructure Attacks
Wireless Intrusion Prevention System
Wireless Security Best Practice
Wireless Intrusion Prevention System
Page 5 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Wireless Security Best Practice
Wireless LAN Benefits
Enterprise Wireless Infrastructure
Wireless LAN Benefits
WLAN i SWLAN is Secure
WLAN Has Good Peformances
WLAN is Not Expensive
WLAN is Reliabile
WLAN is Ease for MaintanceWLAN is Ease for Maintance
Page 6 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Unified Wireless Network
Enterprise Wireless Security Infrastructure
Unified Wireless Network
MONITORWCS MSE
CONTROL
WCS MSE CSE
NME-WLC 2106 3750g 5508 WiSM
ACCESS
1522 3230 1252 1131 1242 1310
CLIENTS
1522 3230 1252 1131 1242 1310
Page 7 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Notebook IP Phone PDA Camera Industrial Tag IP Phone
Secure Wireless Architecture
Enterprise Wireless Infrastructure
Secure Wireless Architecture
Page 8 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Lwapp vs Capwap
Enterprise Wireless Infrastructure
Lwapp vs Capwap
Description LWAPP CAPWAP
Fragmentation/Re-assembly Relies on IPv4 CAPWAP itself does both
Path-MTU Discovery Not supported Robust P-MTU discovery mechanism canPath-MTU Discovery Not supported Robust P-MTU discovery mechanism, can also detect dynamic MTU changes
Control Channel Encryption between AP and WLC
Yes (using AES) Yes (Using DTLS)
Data Channel Encryption between AP and WLC
No Yes (using DTLS)
UDP Ports 12222, 12223 5246 (ctrl) 5247 (data)
Page 9 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
ContentsContents
Introd ctionIntroduction
Enterprise Wireless Security p yInfrastructure
Wireless Security AttacksWireless Security Attacks
Wireless Intrusion Prevention System
Wireless Security Best Practice
Wireless Intrusion Prevention System
Page 10 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Wireless Security Best Practice
Wireless Security Myths
Wireless Security Attacks
Wireless Security Myths
N t k Fi ll / IPS P t t WLANNetwork Firewall / IPS Protect WLAN
We Don‘t Have WLAN - We Are Safe
WEP/WPA Encryptions are Strong
Non Broadcast SSID Means Invisible
MAC Access List is a Client FilterMAC Access List is a Client Filter
Page 11 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Configuration Vulnerabilities
Wireless Security Attacks
Configuration Vulnerabilities
R A P i tRogue Access Points
Mis-configured Access Points/Controller
Client Mis-associations
Page 12 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Attack Against Encryption
Wireless Security Attacks
Attack Against Encryption
WEP W kWEP Weakness
WPA/WPA2 Offline Dictionary Attack
WPA TKIP Packet Falsification
Page 13 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
802.11i
Wireless Security Attacks
802.11i
Page 14 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
EAP Protocols Comparison
Wireless Security Attacks
EAP Protocols Comparison
EAP-TLS
EAP-TTLS
plex
ity
EAP-MD5PEAP
Com
p
LEAP
EAP-OPEN EAP-FAST
Page 15 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Security
Wireless Threats
Wireless Security Attacks
Wireless Threats
H P t A P i tHoney Pot Access Points
Rogue Clients
Denial of Service Attacks
Page 16 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Man in the Middle
Wireless Security Attacks
Man in the Middle
WEB SERVERCLIENT ATTACKER
HTTPS to HTTP conversion
Null Prefix Certificate ExploitNull Prefix Certificate Exploit
Backdoor Trojan Attack
Page 17 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Denial of Service Attacks
Wireless Security Attacks
Denial of Service Attacks
D S A i t I f t tDoS Against Infrastructure
DoS Against Access Point
DoS Against Client Station
Page 18 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
802.11w/MFP
Wireless Security Attacks
802.11w/MFP
I f t t d Cli t MFPInfrastructure and Client MFP
Client MFP for Only CCXv5 WPA2 TKIP or AES
Disassoc, Deauth and Action Management Protection
RF Jamming, Connection flooding are Not in the scope
Page 19 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
ContentsContents
Introd ctionIntroduction
Enterprise Wireless Security p yInfrastructure
Wireless Infrastructure AttacksWireless Infrastructure Attacks
Wireless Intrusion Prevention System
Wireless Security Best Practice
Wireless Intrusion Prevention System
Page 20 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Wireless Security Best Practice
Cisco Adaptive Wireless Intrusion Prevention System
Wireless Intrusion Prevention System
Cisco Adaptive Wireless Intrusion Prevention System
WCS
SOAP/XML
SNMPWCS MSE
NMSPSNMP
WLC CAPWAPCAPWAP
Local Mode AP Monitor Mode AP
Page 21 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Client
Cisco Adaptive Wireless Intrusion Prevention System
Wireless Intrusion Prevention System
Cisco Adaptive Wireless Intrusion Prevention System
Page 22 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
DoS Attack Detection IDS vs wIPS
Wireless Intrusion Prevention System
DoS Attack Detection IDS vs wIPS
Alarm Name IDS wIPS Association flood X X Association table overflow X Authentication flood X X EAPOL-Start attack X X PS-Poll flood X Unauthenticated Association X CTS Flood X Queensland University of Technology Exploit X RF jamming attack X RTS flood X Virtual carrier attack X XVirtual carrier attack X X Authentication-failure attack X Deauthentication broadcast attack X X Deauthentication flood attack X X Disassociation broadcast attack XDisassociation broadcast attack X Disassociation flood attack X X EAPOL-logoff attack X X FATA-jack tool detected X Premature EAP-failure attack X
Page 23 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Premature EAP-success attack X
Security Penetration Detection Controller IDS vs wIPS
Wireless Intrusion Prevention System
Security Penetration Detection Controller IDS vs wIPS
Alarm Name IDS wIPS Airsnarf attack X ChopChop Attack X D tt k b WLAN it l XDay-zero attack by WLAN security anomaly X Day-zero attack by device security anomaly X Device probing for access points X Dictionary attack on EAP methods X EAP attack against 802.1x authentication X F k i t d t t d X XFake access points detected X X Fake DHCP server detected X Fast WEP crack detected X Fragmentation Attack X Hotspotter tool detected X Malformed 802.11 packets detected X Man in the middle attack detected X NetStumbler detected X X PSPF violation X ASLEAP attack detected X Honey pot access point detected X X Soft access point or Host access point detected X Spoofed MAC address detected X Suspicious after-hours traffic X Unauthorized association by vendor list X
Page 24 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
yUnauthorized association detected X Wellenreiter detected X X
ContentsContents
Introd ctionIntroduction
Enterprise Wireless Security p yInfrastructure
Wireless Infrastructure AttacksWireless Infrastructure Attacks
Wireless Intrusion Prevention System
Wireless Security Best Practice
Wireless Intrusion Prevention System
Page 25 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Wireless Security Best Practice
Wireless Security Best Practice
Wireless Security Best Practice
Wireless Security Best Practice
D fi d D t th P liDefine and Document the Policy
Securing the Enterprise LAN and WLAN
Educate Employers
Audit for Enterprise and Regulatory Compliance
EnforcementEnforcement
Revise and Tune
Page 26 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
DoD 8100.2
Wireless Security Best Practice
DoD 8100.2
Wi Fi C tifi d I t bl P d tWi-Fi Certified Interoperable Products
IEEE 802.11i WPA2 Enteprise AES-CCMP EAP-TLS
Wireless Intrusion Detection with Location Sensing
Firewalls and Antivirus on Devices
NIAP Common Criteria CertifiedNIAP Common Criteria Certified
Page 27 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
PCI DSS 1.2
Wireless Security Best Practice
PCI DSS 1.2
Wi l A l i Q t l I l t WIDS/WIPSWireless Analysis Quarterly or Implement WIDS/WIPS
Monitor Wireless Intrusion Alerts
Strong Encryption and Authentication
Implement an incident response plan
Develop and Enforce Wireless Policies and ProceduresDevelop and Enforce Wireless Policies and Procedures
Page 28 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
HIPAA 164.308, 164.312
Wireless Security Best Practice
HIPAA 164.308, 164.312
A C t l LEAP WEP d VPNAccess Controls LEAP, WEP and VPN
Audit Controls
Security Management Process
Security Incident Procedures
Incident Reporting ProceduresIncident Reporting Procedures
Page 29 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
SoX 404
Wireless Security Best Practice
SoX 404
A th ti ti /A C t lAuthentication/Access Controls
Intrusion Prevention and Detection policies
Internet Usage Policy
Laptop/Workstation Security
Firewall/VPN PoliciesFirewall/VPN Policies
Page 30 Goran JosivljevicCopyright © Siemens AG 2009. All rights reserved.
Siemens IT Solutions and Services Serbia08.11.2009
Thank you for your attention!
Goran JosivljevicGoran JosivljevicSenior Network EngineerSIS / Serbia / SYS
Pariske Komune 2211070 Belgrade
Phone: 381 – 11 - 3012298Fax: 381 – 11 - 3012250Fax: 381 11 3012250Mobil: 381 – 64 - 8223371
E Mail goran josi lje ic@siemens com
Copyright © Siemens AG 2008. All rights reserved.
E-Mail: [email protected]