Real World Wireless Security

Cisco Expo 2009 Belgrade

Goran Josivljevic, Siemens IT Solutions and Services Serbia, 08.11.2009

Copyright © Siemens AG 2009. All rights reserved.


Page 2: Contents

About Us

Enterprise Wireless Infrastructure

Wireless Security Attacks

Wireless Intrusion Prevention System

Wireless Security Best Practice

Page 3: About Us

Siemens

420k Employees in 190 Countries

2009 Revenue €77.3 billion

High-Tech Company

IT Technology Trends

Wireless LAN Compliance

Page 4: About Us

Siemens IT Services and Solutions

43k Employees in 40 Countries

Professional and System Services

Outsourcing and System Integration

Data Center Infrastructure

Networking

Unified Communications

Page 5: Contents

Introduction

Enterprise Wireless Infrastructure

Wireless Infrastructure Attacks

Wireless Intrusion Prevention System

Wireless Security Best Practice

Page 6: Enterprise Wireless Infrastructure

Wireless LAN Benefits

WLAN is Secure

WLAN Has Good Performance

WLAN is Not Expensive

WLAN is Reliable

WLAN is Easy to Maintain

Page 7: Enterprise Wireless Security Infrastructure

Unified Wireless Network

MONITOR: WCS, MSE

CONTROL: WCS, MSE, CSE; NME-WLC, 2106, 3750g, 5508, WiSM

ACCESS: 1522, 3230, 1252, 1131, 1242, 1310

CLIENTS: Notebook, IP Phone, PDA, Camera, Industrial Tag, IP Phone

Page 8: Enterprise Wireless Infrastructure

Secure Wireless Architecture

Page 9: Enterprise Wireless Infrastructure

LWAPP vs CAPWAP

Description | LWAPP | CAPWAP
Fragmentation/Re-assembly | Relies on IPv4 | CAPWAP itself does both
Path-MTU Discovery | Not supported | Robust P-MTU discovery mechanism, can also detect dynamic MTU changes
Control Channel Encryption between AP and WLC | Yes (using AES) | Yes (using DTLS)
Data Channel Encryption between AP and WLC | No | Yes (using DTLS)
UDP Ports | 12222, 12223 | 5246 (ctrl), 5247 (data)

Page 10: Contents

Introduction

Enterprise Wireless Security Infrastructure

Wireless Security Attacks

Wireless Intrusion Prevention System

Wireless Security Best Practice

Page 11: Wireless Security Attacks

Wireless Security Myths

Network Firewall / IPS Protect WLAN

We Don't Have WLAN - We Are Safe

WEP/WPA Encryptions are Strong

Non Broadcast SSID Means Invisible

MAC Access List is a Client Filter

Page 12: Wireless Security Attacks

Configuration Vulnerabilities

Rogue Access Points

Mis-configured Access Points/Controller

Client Mis-associations

Page 13: Wireless Security Attacks

Attack Against Encryption

WEP Weakness

WPA/WPA2 Offline Dictionary Attack

WPA TKIP Packet Falsification

Page 14: Wireless Security Attacks

802.11i

Page 15: Wireless Security Attacks

EAP Protocols Comparison

[Figure: EAP protocols plotted on Complexity and Security axes: EAP-TLS, EAP-TTLS, EAP-MD5, PEAP, LEAP, EAP-OPEN, EAP-FAST]

Page 16: Wireless Security Attacks

Wireless Threats

Honey Pot Access Points

Rogue Clients

Denial of Service Attacks

Page 17: Wireless Security Attacks

Man in the Middle

[Diagram: WEB SERVER, CLIENT, ATTACKER]

HTTPS to HTTP conversion

Null Prefix Certificate Exploit

Backdoor Trojan Attack

Page 18: Wireless Security Attacks

Denial of Service Attacks

DoS Against Infrastructure

DoS Against Access Point

DoS Against Client Station

Page 19: Wireless Security Attacks

802.11w/MFP

Infrastructure and Client MFP

Client MFP for Only CCXv5 WPA2 TKIP or AES

Disassoc, Deauth and Action Management Protection

RF Jamming and Connection Flooding Are Not in Scope

Page 20: Contents

Introduction

Enterprise Wireless Security Infrastructure

Wireless Infrastructure Attacks

Wireless Intrusion Prevention System

Wireless Security Best Practice

Page 21: Wireless Intrusion Prevention System

Cisco Adaptive Wireless Intrusion Prevention System

[Diagram: components WCS, MSE, WLC, Local Mode AP, Monitor Mode AP, Client; link labels SOAP/XML, SNMP, NMSP, CAPWAP]

Page 22: Wireless Intrusion Prevention System

Cisco Adaptive Wireless Intrusion Prevention System

Page 23: Wireless Intrusion Prevention System

DoS Attack Detection IDS vs wIPS

Alarm Name IDS wIPS
Association flood X X
Association table overflow X
Authentication flood X X
EAPOL-Start attack X X
PS-Poll flood X
Unauthenticated Association X
CTS Flood X
Queensland University of Technology Exploit X
RF jamming attack X
RTS flood X
Virtual carrier attack X X
Authentication-failure attack X
Deauthentication broadcast attack X X
Deauthentication flood attack X X
Disassociation broadcast attack X
Disassociation flood attack X X
EAPOL-logoff attack X X
FATA-jack tool detected X
Premature EAP-failure attack X
Premature EAP-success attack X

Page 24: Wireless Intrusion Prevention System

Security Penetration Detection Controller IDS vs wIPS

Alarm Name IDS wIPS
Airsnarf attack X
ChopChop Attack X
Day-zero attack by WLAN security anomaly X
Day-zero attack by device security anomaly X
Device probing for access points X
Dictionary attack on EAP methods X
EAP attack against 802.1x authentication X
Fake access points detected X X
Fake DHCP server detected X
Fast WEP crack detected X
Fragmentation Attack X
Hotspotter tool detected X
Malformed 802.11 packets detected X
Man in the middle attack detected X
NetStumbler detected X X
PSPF violation X
ASLEAP attack detected X
Honey pot access point detected X X
Soft access point or Host access point detected X
Spoofed MAC address detected X
Suspicious after-hours traffic X
Unauthorized association by vendor list X
Unauthorized association detected X
Wellenreiter detected X X

Page 25: Contents

Introduction

Enterprise Wireless Security Infrastructure

Wireless Infrastructure Attacks

Wireless Intrusion Prevention System

Wireless Security Best Practice

Page 26: Wireless Security Best Practice

Wireless Security Best Practice

Define and Document the Policy

Securing the Enterprise LAN and WLAN

Educate Employees

Audit for Enterprise and Regulatory Compliance

Enforcement

Revise and Tune

Page 27: Wireless Security Best Practice

DoD 8100.2

Wi-Fi Certified Interoperable Products

IEEE 802.11i WPA2 Enterprise AES-CCMP EAP-TLS

Wireless Intrusion Detection with Location Sensing

Firewalls and Antivirus on Devices

NIAP Common Criteria Certified

Page 28: Wireless Security Best Practice

PCI DSS 1.2

Wireless Analysis Quarterly or Implement WIDS/WIPS

Monitor Wireless Intrusion Alerts

Strong Encryption and Authentication

Implement an Incident Response Plan

Develop and Enforce Wireless Policies and Procedures

Page 29: Wireless Security Best Practice

HIPAA 164.308, 164.312

Access Controls LEAP, WEP and VPN

Audit Controls

Security Management Process

Security Incident Procedures

Incident Reporting Procedures

Page 30: Wireless Security Best Practice

SoX 404

Authentication/Access Controls

Intrusion Prevention and Detection Policies

Internet Usage Policy

Laptop/Workstation Security

Firewall/VPN Policies

Page 31: Thank you for your attention!

Goran Josivljevic

Senior Network Engineer

SIS / Serbia / SYS

Pariske Komune 22, 11070 Belgrade

Phone: 381 – 11 - 3012298

Fax: 381 – 11 - 3012250

Mobile: 381 – 64 - 8223371

E-Mail: [email protected]

Copyright © Siemens AG 2008. All rights reserved.