Wireless Campus Networks Security BRKCAM-2010 Sujit Ghosh, CCIE #7204 Technical Marketing Engineer Wireless Networking Business Unit BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential HOUSEKEEPING ƒ We value your feedback, don’t forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation which will be available online from Friday ƒ Visit the World of Solutions on Level -01! ƒ Please remember this is a ‘No Smoking’ venue! ƒ Please switch off your mobile phones! ƒ Please remember to wear your badge at all times including the Party! ƒ Do you have a question? Feel free to ask them during the Q&A section or write your question on the Question form given to you and hand it to the Room Monitor when you see them holding up the Q&A sign BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential Agenda ƒ WLAN Security Overview ƒ WLAN Security Vulnerabilities and Threats ƒ WLAN Security Authentication and Encryption ƒ Unified Wireless Deployment ƒ Wired and Wireless IDS ƒ WLAN Security Best Practices BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential Why WLAN Security Is Important? Hackers/Criminal Employees Vulnerabilities: “War Driving” Lessons: ƒ ƒ ƒ BRKCAM-2010 Do not rely on basic WEP encryption; requirement for enterprise class security (WPA, EAP/802.1x protocols, Wireless IDS, VLANs/SSIDs, etc.) Employees often install WLAN equipment on their own (compromises security of your entire network) Business impact due to stolen data: Potential financial and legal consequences (laws to protect data confidentiality; example: healthcare, retail, financial, government)` © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential WLAN Security “Visibility” ƒ Prevalence of technology PWLAN and other public 802.11 networks ƒ Other security fears—identity theft, phishing, etc “Hackers shift focus to financial gain”, Sept 26, 2005 http://www.cnn.tv/2005/TECH/internet/09/26/ identity.hacker/index.html ƒ Public availability of tools Example exploit/reconnaissance tools: www.remote-exploit.org/index.php/Auditor_main www.wellenreiter.net Aircrack—WEP key exploit coWPAtty—WPA-PSK exploit Kismac—MAC-based implementation of Kismet BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential WLAN Security Vulnerabilities and Threats BRKCAM-2010 © 2005 Cisco Systems, Inc All rights reserved © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential Agenda ƒ WLAN Security Overview ƒ WLAN Security Vulnerabilities and Threats ƒ WLAN Security Authentication and Encryption ƒ Unified Wireless Deployments ƒ Wired and Wireless IDS ƒ WLAN Security Best Practices BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential WLAN Security Vulnerabilities and Threats Examples of Existing Vulnerabilities and Threats ƒ WLAN sniffing/war driving ƒ Encryption vulnerabilities: WEP ƒ Denial of Service (DoS) attacks: using 802.11 de-authentication/disassociation frames, RF jamming, etc ƒ Authentication vulnerabilities: dictionary attacks, MITM attacks ƒ Address spoofing: MAC-address spoofing and IP address spoofing (both hostile/outsider attacks as well as insider attacks) BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential An Example: How Does a Wireless Exploit Take Place? ƒ Probe response “listening” (to get SSID) ƒ Passive WEP key sniffing ƒ Initial phases of WLAN security exploit Discovery of WLAN networks by monitoring for probe/probe responses Collection of sufficient encrypted packets, offline processing and attempt to calculate WEP key BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential An Example: How Does a Wireless Exploit Take Place? Active De-Auth to Induce Clients to Probe (Reduces Time to Overcome SSID “Cloaking”) ƒ For example, “Kismac” tool: offers a “suite” of exploit tools with a easy-to-use GUI ƒ http://www.ethicalhack.org/videos.php ƒ Authentication exploits can then be undertaken, once a client has been provoked to re-authenticate ƒ Or, if client may be induced to negotiate unauthenticated/unencrypted connection, a direct exploit on client may be undertaken BRKCAM-2010 © 2006 Cisco Systems, Inc All rights reserved Cisco Confidential 10 ... Agenda ƒ WLAN Security Overview ƒ WLAN Security Vulnerabilities and Threats ƒ WLAN Security Authentication and Encryption ƒ Unified Wireless Deployment ƒ Wired and Wireless IDS ƒ WLAN Security Best... Security Overview ƒ WLAN Security Vulnerabilities and Threats ƒ WLAN Security Authentication and Encryption ƒ Unified Wireless Deployments ƒ Wired and Wireless IDS ƒ WLAN Security Best Practices... network in order to lure wireless station to associate to “rogue network” ƒ Attacker attempts to obtain security credentials or security key by intercepting credentials Wireless Station Access