This presentation will deconstruct the skyjacking vulnerability - explaining why the vulnerability occurs in Cisco WLANs, which Cisco access points are affected, how skyjacking can be exploited to launch potent attacks, and what are the best practices to proactively protect your enterprise network against such zero-day vulnerabilities and attacks.
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
1. Skyjacking a Cisco WLAN: Attack Analysis and Countermeasures Presenters: Dr. Pravin Bhagwat, CTO Dr. Hemant Chaskar, Director of Technology Moderator: Sri Sundaralingam, VP of Product Management
2. In the News Cisco wireless LAN vulnerability could open ‘back door’ Cisco wireless LANs at risk of attack, ‘skyjacking’ Newly discovered vulnerability could threaten Cisco wireless LANs
3. What Cisco says “ No risk of data loss or interception” “ Could allow an attacker to cause a denial of service (DoS) condition” It’s not a big deal! Severity = Mild
4. Hmm… ? ? ? What exactly is skyjacking? Do I need to worry about it? How severe is the exploit?
5. What you will learn today The risk from skyjacking vulnerability is much bigger than stated How to assess if you are vulnerable Countermeasures for skyjacking and other zero-day attacks
6. Five ways a LAP can discover WLCs Subnet-level broadcast Configured DNS DHCP Over-the-air provisioning (OTAP)
7. Three criteria a LAP uses to select a WLC Primary, Secondary, Tertiary Master mode Maximum excess capacity Step 1 Step 2 Step 3
12. Secure WLAN enterprise access Before Internal to corporate network 20 WPA2 Corp Comment VLAN Security SSID Internal to corporate network 30 AP Physically Connected To
13. Authorized LAP skyjacked – DoS Before DoS Internal to corporate network 20 WPA2 Corp Comment VLAN Security SSID Internal to corporate network 30 AP Physically Connected To
14. Authorized LAP turned into Open Rogue AP Before Rogue on Network Internal to corporate network 30 OPEN Corp Comment VLAN Security SSID Internal to corporate network 30 AP Physically Connected To
16. Wolf in Sheep Clothing Before Rogue on Network Internal to corporate network 30 WPA2 Corp Comment VLAN Security SSID Internal to corporate network 30 AP Physically Connected To
17. Wolf in Sheep Clothing – Scenario 2 Before Rogue on Network Internal to corporate network 20 WPA2 Corp Internal to corporate network 30 OPEN Guest Comment VLAN Security SSID Internal to corporate network 30 AP Physically Connected To DoS
19. Normal WLAN operation Authorized SSIDs are seen in “Green” color and are detected with VLAN identifier to which they connect Device list displayed on SpectraGuard Enterprise console
20. Skyjacking on guest access 1 Change in the VLAN is detected 2 SSID marked as “misconfigured” (Background changes to amber) 3 Automatic Prevention started ( Shield icon appears )
21. Summary Open rogue WPA2 rogue Open guest rogue Guest access as Open Rogue AP (Wolf in Sheep clothing – scenario 2) Authorized SSID as “Privileged” Rogue AP (Wolf in Sheep clothing) Authorized SSID as Open Rogue AP Type of Skyjacking attack X X AirTight’s unique wireless-wired correlation based threat detection Only over-air threat detection
22. AirTight’s SpectraGuard Enterprise Thanks to patented marker packet technology for accurate wired connectivity detection and unique VLAN Policy Mapping ™ architecture The only WIPS that can provide zero-day protection against the most potent form of skyjacking attack
23. Which LAPs can be skyjacked? ? Vulnerable? Type of Cisco LAP No Configured with locally significant certificates (LSC) Mostly No Configured with “preferred” WLCs (primary, secondary, tertiary) Yes LAPs using auto discovery
24. Countermeasures Manually configure LAPs with preferred WLCs (primary, secondary, tertiary) Manually configure LAPs with LSCs Primarily HA and load balancing feature Impractical Block outgoing traffic from UDP ports 12222 and 12223 on your firewall Not a common practice Turn off OTAP on WLC Ineffective!
27. Adding second, independent layer of WIPS protection Misconfigurations Zero-day attacks Designed for security Designed for WLAN access Undesirable connections Misconfigurations Zero-day attacks Undesirable connections
28. AirTight’s SpectraGuard product family SpectraGuard SAFE Wireless Security for Mobile Users SpectraGuard Online Industry’s Only Wireless Security Service SpectraGuard Enterprise Complete Wireless Intrusion Prevention WLAN Coverage & Security Planning SpectraGuard Planner
29. About AirTight Networks The Global Leader in Wireless Security and Compliance For more information on wireless security risks, best practices, and solutions, visit: www.airtightnetworks.com Visit our blog to read the root cause analysis of “ Skyjacking: What Went Wrong?” blog.airtightnetworks.com