#CiscoLive
BRKEWN-3004
Understanding Wireless Security
And the Implications for Secure Wireless Network Design
Mark Krischer, Principal Wireless Architect, Asia Pacific, Japan & Greater China (mkrisch)
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract
This session will explore secure wireless network design, with a key focus on the latest WPA3 and Wi-Fi 6 standards. Mobility brings unique challenges to network security, such as the need for secure fast roaming. Participants will learn how 802.11 addresses these requirements, and explore the changes WPA3 brings and the implications for wireless deployments. We will also address specific scenarios such as BYOD, Cloud Identity Providers and Zero Trust. This session will also explore how Cisco DNA Center expands upon the wireless security standards with Rogue AP detection and location, and Advanced Wireless Intrusion Detection and Prevention, including upcoming capabilities. The intent is to provide a deeper understanding, not just about the security capabilities themselves, but to do so from the perspective of the attacks that they defend against.

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Wireless Security Fundamentals
- WPA3
- Authentication and Authorization
- Wi-Fi 6E Security
- Rogue Detection and Advanced WIPS
- Threat 360: Rogue Detection and Containment; Advanced Wireless Intrusion Prevention

Wireless Security Fundamentals

Wireless Attack Surface
- Wireless networks propagate beyond the physical constraints of the wired network
- Attacks may originate from anywhere within the wireless coverage
- Passive scanning attacks
- Layer 2 active spoofing attacks
- Layer 1 active jamming or DoS attacks
- Rogue APs: Honeypot and Evil Twin APs; unsecured backdoor access

Securing the Wireless Network
- Secure the Air
- Secure the Devices
- Secure the Network

Wireless Protected Access
- WPA: a snapshot of the 802.11i Wireless Security Standard; commonly used with TKIP encryption
- WPA2: the final version of the 802.11i Wireless Security Standard; commonly used with AES encryption
- Authentication mechanisms: Personal (PSK, Pre-Shared Key) and Enterprise (802.1X/EAP)
- WPA3: Wi-Fi Alliance security update; includes new capabilities and new certification requirements

WPA3
- Mandatory for Wi-Fi 6 Certification
- Removes insecure legacy protocols: WEP, TKIP, SHA1
- Negative testing: KRACK
- Protected Management Frames (802.11w)
- Simultaneous Authentication of Equals (SAE)
- Wi-Fi Certified Enhanced Open: Opportunistic Wireless Encryption (OWE)

802.11 Fundamentals: Authentication
- Roles: Supplicant (client), Authenticator (Wireless LAN Controller), Authentication Server (Identity Services Engine)
- The AP reaches the Wireless LAN Controller over CAPWAP; the controller reaches Identity Services Engine over RADIUS
- An LDAP Credential Server may sit behind the Authentication Server
- 802.1x: EAP runs between the Supplicant and the Authentication Server, with RADIUS carrying it between the Authenticator and the Authentication Server
- Sequence: Association Response; Identity Request; Identity Response (relayed by the Authenticator to the Authentication Server); EAP Type Negotiation; Authentication Sequence between Supplicant and Authentication Server; EAP Success (to the Authenticator, then to the Supplicant)

802.11 Fundamentals: Encryption
- EAP Success delivers the PMK to the Authenticator; the Supplicant holds the same PMK
- Four-Way Handshake: ANonce (AP to STA); SNonce, MIC (STA to AP); ANonce, MIC, GTK, Sequence# (AP to STA); ACK (STA to AP)
- PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC)
- PTK and GTK are installed on both sides; data frames are protected with AES

Authentication and Authorisation
- Policy Elements: VLAN/VN; SGT/Group Policy; QoS/BDRL; URL Redirect/Filter; Bonjour Service Policy; Application Control
- Identity Elements: MAC Address; User Credentials; Device Type; Device Posture; 802.1x/MAB/WebAuth
- Context: Access Type; Day and Time; Location

Authorization Options
- Timer: controls session, idle-timeout and active hours
- URL-Filter: controls which FQDNs the endpoint can or cannot reach
- Bandwidth: controls maximum bandwidth and burst rate per endpoint/user
- Service Template & Roles: assigns multiple access characteristics: VLAN, ACL, QoS, Timer, etc.
- AVC Profile: an Application Visibility profile is assigned per endpoint
- Open DNS: assigns an Open DNS profile to intercept DNS packets for a custom response
- mDNS Profile: assigns an mDNS profile to broker mDNS advertisements
- URL-Redirect: provides a conditional web redirect when traffic is blocked
- QoS: a QoS profile is assigned per endpoint
- Calendar Profile: controls active hours for endpoint access

Authorisation: Network Segmentation
- Static VLAN Assignment: VLAN based on SSID; VLAN segregation based on security policy (illustrated with 8 SSIDs)
- Dynamic VLAN Assignment: VLAN based on authentication credentials; VLAN segregation based on role (illustrated with 2 SSIDs)
- TrustSec / Group Based Policy / Software Defined Access: security based on TrustSec Scalable Group Tags instead of source and destination addresses; ACLs applied at the packet level with enforcement across the network (or network fabric)

Secure Fast Roaming Challenges
- Client channel scanning and AP selection
- Re-authentication of the client device and re-keying

Secure Fast Roaming
- Client channel scanning and AP selection: 802.11k Neighbor Lists (based on CCX, Cisco Compatible Extensions); 802.11v BSS Transition; 802.11k/v/r and Wi-Fi Agile Multiband
- Re-authentication of the client device and re-keying: 802.11r Fast BSS Transition (based on CCKM, Cisco Centralised Key Management)

802.11r Fast Transition
- Over the DS
- Over the Air
- Over the Air is recommended for best client interoperability

Key Reinstallation AttaCK (KRACK)
- 10 vulnerabilities were discovered; they may allow the reinstallation of keys already in use
- Only 1 impacts Access Points: specific to 802.11r (Fast BSS Transition), CVE-2017-13082
- This was an industry-wide issue, not specific to any one vendor
- WPA3 certification includes KRACK exploit testing
- The attacker positions a rogue AP clone to perform a MitM attack
- This flaw causes all WPA2 encryption protocols to reuse the keystream when encrypting packets
- Rogue AP detection and WIDS/WIPS can detect potential attack vectors

Kr00k Vulnerability
- On February 26th, 2020, researchers Štefan Svorenčík and Robert Lipovský disclosed a vulnerability in the packet processing of certain Wi-Fi chipsets
- This vulnerability could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames without knowledge of the PTK
- After an affected device handles a disassociation event, it could send a limited number of Wi-Fi frames encrypted with a static, weak PTK
- An attacker could exploit this vulnerability by triggering a disassociation and then acquiring these frames and decrypting them with the static PTK
- WIDS/WIPS can detect potential attack vectors
802.11w Protected Management Frames
- Diagram: enterprise network with 802.11w-protected management frames

AP Placement and Roaming Optimization
- Diagram: AP cells A, B, C on channels 1, 2, 3

Seamless Roaming at Scale
- Subnets X, Y and Z behind an L3 switch, each with its own L2 switch
- Seamless roaming within the same subnet
- Roaming across subnets: session disconnection and client re-DHCP
- For L2 seamless roaming everywhere, the same VLAN needs to span all roaming domains
- Large broadcast domains do not scale and are counter to networking best practice

Seamless Roaming at Scale: Client VLAN L2 Network Overlay
- For L3 seamless roaming an extended VLAN network overlay is required
- A data termination point is required to roam across L3 boundaries
- Edge Wireless Service Data Plane (DP) Termination can be deployed as centralized (CAPWAP/EoGRE) or distributed (fabric) architectures
- With the overlay in place, roaming is seamless within the same subnet in every roaming domain, with 802.11k/v/r assisting client roaming in each domain

On-Prem and Cloud Identity
- Cloud Identity: VPN, Application Access; SAMLv2, OpenID Connect
- On-Prem Identity: 802.1x, Network Access; PEAP-MSCHAPv2, EAP-FAST, EAP-TLS; PAP, MAC Auth Bypass

Cloud Identity with EAP-TLS
- Diagram only

Multi-Factor Authentication
- EAP-TLS; WebAuth; SAML2; OIDC; MFA
- MFA + 802.1X or PSK

Zero Trust
- Ransomware and East/West Traversal: countered by Authorisation, Micro-segmentation and Rapid Threat Containment
- Phishing and compromised or stolen credentials (Username/Password): countered by Digital Certificates, EAP-TLS, OIDC and MFA

Central Web Authentication: URL Redirect
- RADIUS Access Request from the Wireless LAN Controller to Identity Services Engine; RADIUS Access Accept; Network Access Granted
- Redirect ACL: any packet passes; an HTTP packet is redirected to the ISE web page
- Web Authentication Sequence, then RADIUS CoA Request and RADIUS CoA ACK
- CoA Request options: re-authenticate session; terminate session; terminate session with port bounce; disable host port

Central Web Authentication
- Association
- 802.1x/MAC Auth
- Access-Accept with Url-Redirect + Url-Redirect-Acl
- dACL permits DHCP, DNS and other resources
- HTTP(S) traffic hits the Url-Redirect-Acl and triggers redirection to ISE: traffic denied (AireOS) / permitted (IOS-XE) by the Url-Redirect-Acl triggers redirection to the Url-Redirect
- ISE portal for guest, BYOD, posture, MDM, etc. (guest/BYOD/posture/MDM portal redirection rule)
- Login/AUP page submission; endpoint session updated
- Change of Authorization (CoA)
- MAC (Re-)Authentication
- Final (L2/L3) policy
CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and dynamically communicated to the WLC (NAD*) via RADIUS. CWA is partially L2 (MAC Authentication) and partially L3 (redirect on IP resolution).
*Network Access Device
Self-Registration of BYOD Devices
1. New devices can be added with a description
2. Devices can be blacklisted by the user
3. Devices can be self-registered, up to an administrator-defined limit

Client Provisioning
1. Initial connection using PEAP (or Dual-SSID)
2. Device Provisioning Wizard
3. Future connections using EAP-TLS
- Change of Authorization between the steps; components: CA Server, ISE, WLC

Android Device Provisioning
1. Initial connection using PEAP
2. Redirection to the Android Marketplace to install the provisioning utility
3. Provisioning using Cisco Wi-Fi Setup Assistant
4. Future connections using EAP-TLS
- Change of Authorization between the steps; components: CA Server, ISE, WLC

Client Provisioning Policy
- Policy is selected by User, OS and Supplicant

MDM Integration
- Device attributes available for policy: ISE Registered; MDM Registered; PIN Locked; Encryption; Jail Broken

Captive Portal Detection
- Native operating system support to detect captive portals
- User is aware of the captive portal even when not using a browser
- Simplifies guest access adoption
- Avoids the need to redirect HTTPS traffic

Central Web Authentication: MAC Authentication Bypass
- RADIUS Access Request from the Wireless LAN Controller to Identity Services Engine; RADIUS Access Accept; Network Access Granted
- MAB Access Rule: any packet

Random MAC and Private Addresses
- iOS 14+, Android 10+ and Windows 10+ add support for random MAC addresses even when associated
- A random MAC is generated for each SSID
- That MAC may remain constant for the saved profile
- This will impact services based on MAC address: MAC authentication bypass; Web authentication; Location analytics

Detailed implementation
Behaviour | Windows 10+ | Android 10+ | iOS 14+, iPadOS 14+, watchOS 7+
Randomization enabled by default | No | Yes | Yes
Same random MAC used for subsequent connection | Yes | Yes | Yes
Randomization saved between device reboots | Yes | Yes | Yes
Random MAC saved when Wi-Fi profile recreated | No | Yes | Yes
Randomization per day and/or per association | Optional | Optional (Android 11 Developer Mode) | No
Randomization enabled upon upgrade for existing Wi-Fi profile | No | No | Yes
Can be enabled/disabled globally | Yes | No | No
API to control randomization exists | Unknown | Yes (Android 11+) | Yes
Randomization saved between factory resets | No | No | Unknown

Random MAC Implications
- Profiling; BYOD; MDM Flow; Guest; Whitelisting; Location lookup; User Defined Network; Endpoint Analytics; Forensics; Quarantine

Detecting Random MAC Addresses
- Example randomised addresses: 32-28-6D-51-13-AF; 56-EF-68-F6-0D-30; 0A-13-A8-8E-B5-EF; AE-83-37-55-A7-22
- Diagram of the MAC address format (image by Inductiveload, modified/corrected by Kju, SVG drawing based on a PNG uploaded by User:Vtraveller, CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=1852032)

Unique Device Identifier
- In open seating environments with docking stations for PCs and Ethernet dongles for Apple MacBooks, a different challenge arises: the same MAC address will be used by different users
- ISE can perform authorization for managed endpoints leveraging the laptop UDID (Unique Device Identifier) instead of the MAC address
- Requirements: ISE 2.6, AnyConnect 4.7
- Example mapping (UDID | MAC Address(es) | Compliance): 01669b65…05ee93 (truncated on the slide) | 00:1A:00:1A:11:11, 00:1A:00:1A:22:22 | compliance status

Globally Unique Identifier
- Components: Client, Catalyst 9800, ISE, DNA-C + AI Endpoint Analytics, Cisco Spaces, MDM/EMM; the 9800 shares client data via telemetry (DNA-C) and via NMSP (Cisco Spaces)
- MDM/EMM: generate GUID; provide compliance status; certificate & Wi-Fi profile; disable MAC randomisation
- Client / Catalyst 9800: Wi-Fi configured for EAP-TLS; provide Random MAC visibility
- ISE: generate GUID (BYOD); certificate & Wi-Fi profile; share GUID via RADIUS-Accept and pxGrid; provide Random MAC visibility; police Random MAC devices
- Cisco Spaces: provide Random MAC visibility; police Random MAC devices
- DNA-C + AI Endpoint Analytics: provide Random MAC visibility within AI Endpoint Analytics
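The "Detecting Random MAC Addresses" slide shows the layout of the first address octet without spelling out the test. The following is an added example, not code from the deck or from Cisco: it applies the IEEE 802 Universal/Local bit check that iOS, Android and Windows rely on when they generate a private address, and sorts an association table into addresses that MAB, whitelisting and location services can be built on and addresses that may change per SSID or when a profile is recreated. The client list is constructed from addresses that appear on the slides; the bucket names are this example's.

```python
"""Added example, not from the BRKEWN-3004 deck or Cisco's code: recognising the
randomised ("private") client addresses that the "Detecting Random MAC Addresses"
slide illustrates with the layout of the first octet.

In an IEEE 802 MAC address the two low bits of the first octet are flags:
  bit 0 (0x01)  I/G: 0 = individual (unicast), 1 = group (multicast)
  bit 1 (0x02)  U/L: 0 = universally administered (burned-in, OUI from the IEEE),
                     1 = locally administered
iOS 14+, Android 10+ and Windows 10+ set the U/L bit on the addresses they generate,
so a randomised client address always has 2, 6, A or E as the second hex digit of
its first octet. The four addresses on the slide all have that property.
Caveat: the bit says "locally administered", not "randomised"; virtual NICs and
manually set addresses carry it too, so treat it as a strong hint, not proof.
The sample client list below is constructed from addresses that appear on the slides.
"""
import re
from typing import Dict, Iterable, List


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_multicast(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    first = parse_mac(mac)[0]
    if first & 0x01:
        return "multicast"          # never a client address
    return "randomised" if first & 0x02 else "burned-in"


def triage(clients: Iterable[str]) -> Dict[str, List[str]]:
    """Split an association table into addresses that MAB / whitelist / location policy
    can rely on and addresses that may change per SSID or when the profile is recreated."""
    out: Dict[str, List[str]] = {"burned-in": [], "randomised": [], "multicast": []}
    for mac in clients:
        out[classify(mac)].append(mac)
    return out


# Constructed sample: the four addresses from the "Detecting Random MAC Addresses"
# slide plus four burned-in addresses taken from the iPSK and UDID slides.
SAMPLE_CLIENTS = [
    "32-28-6D-51-13-AF", "56-EF-68-F6-0D-30", "0A-13-A8-8E-B5-EF", "AE-83-37-55-A7-22",
    "20:C9:D0:2B:80:F7", "50:C7:BF:BA:D9:75", "9C:3D:CF:4A:72:4D", "00:1A:00:1A:11:11",
]

if __name__ == "__main__":
    for bucket, macs in triage(SAMPLE_CLIENTS).items():
        print(f"{bucket:11s} {len(macs)}  {' '.join(macs)}")
```

Run against a controller's client export, the "randomised" bucket is the set of endpoints for which the Random MAC Implications slide applies, and where the GUID or UDID approaches on the following slides are needed instead of a MAC-keyed policy.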
MAC Authentication Bypass
- RADIUS Access Request from the Wireless LAN Controller to Identity Services Engine; RADIUS Access Accept; Network Access Granted
- MAB Access Rule: any packet
- What access is provided on the MAB VLAN?

Wi-Fi Certified Easy Connect: Device Provisioning Protocol (DPP)
- 3 phases
- Bootstrapping: obtains the public key of the new device
- Authentication and Provisioning: the public key is used to create a secure tunnel for credential exchange
- Network Access: PMK derived; Four-Way Handshake used as normal
- Supports Protected Management Frames (WPA3)

WPA Personal: Pre-Shared Key
- Diagram: the PSK is shared by the client and the AP/Wireless LAN Controller
- PTK = SHA(PSK + ANonce + SNonce + AP MAC + STA MAC)
- Four-Way Handshake: ANonce (AP to STA); SNonce (STA to AP); GTK (AP to STA); ACK (STA to AP); PTK and GTK installed; data frames protected with AES
- Offline attacks: Dictionary; Rainbow Table
- Strong Passwords Matter
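Both the 802.1X encryption slide and the WPA Personal slide abbreviate the pairwise key derivation as PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC). The following is an added example, not code from the deck or from Cisco, that writes the derivation out the way IEEE 802.11 specifies it for WPA2 with CCMP (AES): PBKDF2-HMAC-SHA1 over passphrase and SSID for the Personal PMK, the 802.11 PRF keyed with the PMK for the PTK, and the HMAC-SHA1 MIC that protects handshake messages. It also shows why the "Rainbow Table" and "Strong Passwords Matter" bullets belong together: the PMK depends on nothing but passphrase and SSID. The MAC addresses, nonces, passphrase and EAPOL skeleton are constructed values; the known-answer vector is the one published in the IEEE 802.11 standard's annex.

```python
"""Added example, not from the BRKEWN-3004 deck or Cisco's code: the pairwise key
derivation that the slides abbreviate as PTK = SHA(PMK + ANonce + SNonce + AP MAC + STA MAC),
written out as IEEE 802.11 specifies it for WPA2 (CCMP/AES).

  WPA2-Personal:   PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
  WPA2-Enterprise: the PMK is produced by the EAP method instead ("EAP Success (PMK)")
  Four-way handshake, both variants:
      PTK = PRF-384(PMK, "Pairwise key expansion",
                    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
      KCK = PTK[0:16]  signs the handshake MICs
      KEK = PTK[16:32] wraps the GTK in message 3
      TK  = PTK[32:48] is the AES-CCMP data key
All MAC addresses, nonces, passphrases and the EAPOL frame below are constructed samples.
"""
import hashlib
import hmac

PBKDF2_ROUNDS = 4096  # fixed by the standard for WPA/WPA2-Personal


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: the 256-bit PSK/PMK is a function of passphrase AND SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-X: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... cut to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Four-way handshake PTK for CCMP. aa = authenticator (AP) MAC, spa = supplicant MAC
    (6 bytes each); nonces are 32 bytes. The min/max ordering lets both sides build the same
    input without agreeing on which address or nonce is 'first'."""
    assert len(aa) == len(spa) == 6 and len(anonce) == len(snonce) == 32
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_frame_with_zeroed_mic: bytes) -> bytes:
    """The 'MIC' on handshake messages 2-4 (AKM 00-0F-AC:2): HMAC-SHA1 under the KCK, 16 bytes."""
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


# Passphrase-to-PSK test vector published in the IEEE 802.11 standard annex
KNOWN_PMK = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def known_answer_test() -> bool:
    return psk_to_pmk("password", "IEEE") == KNOWN_PMK


# Constructed sample session (nonces would be random in a real handshake)
AP_MAC = bytes.fromhex("001a001a1111")
STA_MAC = bytes.fromhex("9c3dcf4a724d")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo() -> dict:
    pmk = psk_to_pmk("correct horse battery staple", "CorpWiFi")
    ap_view = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    sta_view = derive_ptk(pmk, STA_MAC, AP_MAC, SNONCE, ANONCE)  # same inputs, other order
    # Message 2 carries SNonce + MIC; the MIC field is all zeros while the MIC is computed.
    msg2 = b"\x02\x03\x00\x5f\x02\x01\x0a\x00" + SNONCE + b"\x00" * 16  # constructed skeleton
    return {
        "pmk": pmk,
        "ptk_agree": ap_view == sta_view,
        "tk": ap_view["tk"],
        "msg2_mic": eapol_key_mic(ap_view["kck"], msg2),
        # Same passphrase on another SSID gives an unrelated PMK: precomputed (rainbow)
        # tables for WPA2-Personal are per SSID, which is why common SSIDs are a liability.
        "ssid_changes_pmk": pmk != psk_to_pmk("correct horse battery staple", "Guest"),
    }


if __name__ == "__main__":
    r = demo()
    print("known-answer test:", known_answer_test())
    print("PMK:", r["pmk"].hex())
    print("both sides derive the same PTK:", r["ptk_agree"])
    print("TK:", r["tk"].hex(), "msg2 MIC:", r["msg2_mic"].hex())
```

The nonces and MAC addresses in the PTK input are all sent in the clear during the handshake, so for WPA2-Personal the only secret is the passphrase, and each candidate costs one 4096-round PBKDF2; that is the whole basis of the offline dictionary attack on the slide, and of the SAE design on the later WPA3 slides, which removes the passphrase from the handshake transcript.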
Identity PSK
- One PSK WLAN; ISE MAC-Filtering returns a per-device PSK (MACs and PSKs as listed on the slide):
  MAC=20:C9:D0:2B:80:F7 → PSK=PY9CK5tL
  MAC=50:C7:BF:BA:D9:75 → PSK=uTx6oDm1
  MAC=50:C7:BF:BA:D3:23 → PSK=Ktghmo9M
  MAC=9C:3D:CF:4A:72:4D → PSK=Ktghmo9M
- PSKs can also be assigned per group or profile: Group=Medical Cart → PSK=zD235o1M; Profile=Security Camera → PSK=8GB10vaq
- Link on slide (URL truncated): https:/

iPSK Manager
- Linux-Apache-MySQL-PHP application for iPSK Lifecycle Management
- SQL and API integration with ISE; RADIUS and CoA towards the WLC/AP
- Administration for admins and end users
- http://cs.co/iPSK-Manager

Multi Pre-Shared Key
- One PSK WLAN with multiple PSKs configured on the WLC/AP (PSK=Cisco123, uTx6oDm1, PY9CK5tL, Ktghmo9M, zD235o1M); ISE MAC-Filtering
- Link on slide (URL truncated): https:/

Identity PSK without RADIUS
- Meraki MR with the Meraki Cloud maps client MACs to PSKs on the PSK WLAN (as listed on the slide):
  MAC=20:C9:D0:2B:80:F7 → PSK=PY9CK5tL
  MAC=50:C7:BF:BA:D9:75 → PSK=uTx6oDm1
  MAC=50:C7:BF:BA:D3:23 → PSK=Ktghmo9M
  MAC=9C:3D:CF:4A:72:4D → PSK=zD235o1M
- Link on slide (URL truncated): https:/

User Defined Network
- On-premises components: WLAN/iPSK, CAPWAP, RADIUS CoA
- Identity provider: SAML 2.0 based SSO gateway or Azure AD, reached via API
- Splash access / Self Service Portal assigns each user's devices to a UDN: MAC=9C:3D:CF:4A:72:4D → UDN=30074; MAC=20:09:D0:2B:80:F7 → UDN=25546

Wi-Fi Personal Network
- Link on slide (URL truncated): https:/

Simultaneous Authentication of Equals (WPA3)
- Based on the Dragonfly Key Exchange
- Balanced Password Authenticated Key Exchange
- Security of SAE is not tied to the complexity of the shared secret
- The SAE exchange results in a 32-byte PMK
- Protects against offline dictionary attacks
- Forward secrecy protects traffic if the password is compromised in future
- Supports Protected Management Frames
- WPA3-SAE Transition Mode supports both WPA2-PSK and WPA3-SAE on the same SSID

Dragonblood
- Backwards Compatibility Attack: clients can be tricked into connecting to a rogue WPA2 Personal-only network; the attacker uses the partial WPA2 handshake for offline attacks; certain devices, even when connected to WPA3 Personal-only networks, could be tricked into using WPA2
- Denial of Service Attacks: APs should implement anti-exhaustion mechanisms; APs should implement a detection mechanism and blacklist misbehaving clients
- Reference: Dragonblood: Analysing WPA3's Dragonfly Handshake
Dragonblood: Timing-Based Side-Channel Attacks
- The time it takes an AP to respond to commit frames may leak information about the password
- Elliptic curve shown on the slide: y² = x³ + ax + b

Wi-Fi Certified Enhanced Open: Opportunistic Wireless Encryption (OWE)
- Replaces 802.11 "open" authentication support
- Client and AP perform an unauthenticated Diffie-Hellman key exchange to establish a PMK
- Four-Way Handshake used as normal
- Supports Protected Management Frames (WPA3)
- Diffie-Hellman is susceptible to MitM attacks: this would allow the attacker the same visibility as on an Open network

Decoupling Access and Identity
- Diagram: Access and Identity shown combined, then as separate concerns

OpenRoaming
- Diagram: devices Join; the network provides Access and the identity provider asserts Identity; EAP, RADIUS, 802.1x

Wi-Fi 6E Security
- WPA3 and OWE are mandatory for Wi-Fi 6E
- WPA2 and Open are not supported on 6 GHz
- Client device profiles must select WPA2 or WPA3, and only one profile for a given SSID is permitted

Network Access Security Spectrum
- Diagram only

Rogue Detection and Advanced WIPS

Rogue Detection and Advanced WIPS
- Centralized wireless threat management
- Rogue detection
- Rogue location and mitigation
- Monitor and classify threats
- Event correlation
- Security compliance reporting
- Link on slide (URL truncated): https:/

Rogue Detection and Advanced WIPS
- Wireless threat detection
- Forensic capture
- Client exclusion policies

Rogue and WIPS Reporting and APIs
- Diagram only

Access Point Scanning Options
- Off-Channel Scanning: all channels scanned every 180 s within a 3-minute period; dwell time is 50 ms; channel change is 10 ms; the AP is off-channel for 60 ms
- Monitor Mode Access Point: continuous cycle; 1200 ms dwell across all channels; supports Rogue Detection & WIPS, RRM & CleanAir, and Fast Locate
- Dedicated Scanning Radio: Catalyst 9136, 9130, 9120, 9166, 9164, 9162

CleanAir Spectrum Intelligence
- Interferers
- Layer 1 Denial of Service Attack
- Rogue AP Detection: inverted; invalid channel
- 6 GHz support
- Rogue Detection and WIPS

Rogue Access Points
- A Rogue AP is any AP which is not part of our infrastructure
- Most of them will be legitimate
- Some of them may be malicious
- Correctly differentiating between the two is critical
- Detecting APs on the wired network is hard
- Wired 802.1x matters

Rogue Clients
- A Rogue Client is any client which is connected to a Rogue AP
- What we care about are our clients which have connected to the Rogue AP, but this is not necessarily a risk
- Clients may create ad-hoc wireless networks; this can be a risk if they have bridged to the wired network
Cisco DNA Center Threat Levels
- Informational: RSSI below -75 dBm and not on wire; Rogue Type: Interferer
- High: Rogue Types Honeypot, Impersonation AP, Rogue on wire, Beacon DS attack; all WIPS threats

Rogue AP Rules
- Create Rogue Rules to classify rogues as Malicious or Friendly based on specific criteria: SSID name; RSSI value; encryption condition; minimum rogue client count
- Rules can also define actions: Alert; Contain

Rogue Notification Triggers
- The Catalyst 9800 has aggressive rogue notification thresholds by default
- In environments with a large number of Rogues, this may result in excessive notifications sent to the receiver
- In these scenarios, increase the Rogue AP and Client RSSI notification threshold
- The default value is 0; the recommendation is to increase it to 5 or higher:
  C9800(config)# wireless wps rogue ap notify-rssi-deviation 5
  C9800(config)# wireless wps rogue clients notify-rssi-deviation 5

Rogue AP Containment
- How do we contain Rogue APs? Containment is a spoofed 802.11 disassociation/deauthentication request attack
- How does WPA3 affect Rogue AP containment? 802.11w will change how we can mitigate Rogue AP related threats
- The ability to physically locate rogues will be key

Rogue Containment with WPA3
- Diagram: 802.11w Protected

Rogue AP Auto Containment
- While we can configure the network to automatically contain detected Rogue APs, consider your environment and how to ensure that only malicious Rogues are being contained

Enabling Location Services
- Catalyst 9800 Wireless Controller; Catalyst 9100 Series Access Point; Cisco Spaces Connector; Cisco Spaces; Cisco DNA Center
- Alternative: Catalyst 9800 Wireless Controller; Catalyst 9100 Series Access Point; Cisco DNA Center; CMX

Rogue on Wire
- Matching algorithms: MAC Address 3/2/1; vendor matching algorithms
- Rogue AP in Bridge Mode: locate the Rogue AP via the Rogue Client MAC address and Gateway MAC address
Securing AP Switch Port Access
- 802.1x Authentication (EAP-FAST) from the AP, with RADIUS to Identity Services Engine
- How do we bootstrap and configure the AP? Pre-provision before deploying the APs; enable 802.1x after bringing up the wireless network

Securing AP to Controller Communication
- CAPWAP: AP Join Request; CAPWAP Control on UDP 5246; CAPWAP Data on UDP 5247; DTLS exchange with the Wireless LAN Controller
- CAPWAP Control is encrypted by default
- CAPWAP Data is encapsulated but not encrypted by default, except for Office Extend AP (OEAP) mode
107、encapsulated but not encrypted by defaultExcept for Office Extend AP(OEAP)ModeDTLS ExchangeWireless LAN ControllerBRKEWN-300498 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSecurePortMR connected to MS1MS permits Meraki dashboard connection for MR2MR requests certificat
108、e from Cisco PKI3MR authenticates with acquired certificate4MS authorizes port based on configured profile5BRKEWN-300499SecurePort 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAir MarshalRogue AP Detection Wired RogueWIDS/WIPS Spoofed Management Frames Malicious Broadca
109、sts/DoS Packet FloodsBRKEWN-3004100 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveNext StepsMSE WIPS End of LifeWIPS service on MSE is declared as EoL from 11th May 2022 onwards.WIPS service on MSE is declared as EoL from 11th May 2022 onwards.MSE platform had already be
110、en declared EoL in Nov 2018.MSE 8.x had already been declared EoL Aug 2018.All the PIDs corresponding to WIPS license would be EoL.The EoL is applicable to all the MSE 7.x and 8.x releases7-Oct-20227-March-202311-May-2022External EoL External EoL AnnouncementAnnouncementEnd of Software maintenance R
111、eleases7-Oct-2023End of Sale(Last Ship date,End of Service attachments)Last date of Support Product IDProduct IDProduct DescriptionProduct DescriptionAIR-LM-WIPS-*Cisco Enhanced Local Mode wIPS LicenseAIR-WIPS-*Cisco wIPS LicenseC1-MSE-WIPS-*Cisco ONE Mobility Svcs L-LM-WIPS-*Wireless IPS Lic For En
112、hanced Local Mode AP-E DeliveryL-MM-WIPS-*Wireless IPS Lic For Monitor Mode AP-E DeliveryL-WIPS-*WIPS Monitor Mode and Enhanced Local Mode licensesMSE-WIPS-*MSE WIPS Tracker Term NextGen aWIPS solution is available with DNA Center and WLC 9800 with DNA-A license.No separate local mode or monitor mod
113、e licenses are required for APs.High touch escalation support based on customer needs is available.BRKEWN-3004101 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco DNA Center Security AdvisoriesBRKEWN-3004102 2023 Cisco and/or its affiliates.All rights reserved.Cisco P
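The "Securing AP to Controller Communication" slide above states that CAPWAP control is DTLS-encrypted by default while the data plane is only encapsulated. The following is an added example (not from the session or from Cisco) that checks captured AP-to-WLC datagrams against that expectation using the RFC 5415 preamble type and control Message Type; the IP addresses and packets are constructed.

```python
"""Classify CAPWAP datagrams (RFC 5415) as DTLS-protected or cleartext.
Preamble byte: high nibble = version (0); low nibble = 0 (CAPWAP header
follows) or 1 (DTLS record follows). Sample datagrams are constructed."""
from typing import NamedTuple

CONTROL_PORT, DATA_PORT = 5246, 5247          # CAPWAP control / data ports
DISCOVERY = {1, 2}                            # Discovery Req/Resp precede DTLS
CLEAR_HDR = bytes([0x00, 0x10, 0, 0, 0, 0, 0, 0])  # type 0, HLEN = 2 words

class Datagram(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes

def is_dtls_protected(payload: bytes) -> bool:
    """True when the preamble announces a DTLS header instead of a CAPWAP one."""
    if len(payload) < 8 or payload[0] >> 4 != 0:
        raise ValueError("not a CAPWAP version 0 datagram")
    return (payload[0] & 0x0F) == 1           # preamble type 1 = DTLS follows

def control_message_type(payload: bytes) -> int:
    """Message Type follows the transport header; HLEN (top 5 bits of byte 1)
    is that header's length in 4-byte words, preamble included."""
    offset = (payload[1] >> 3) * 4
    return int.from_bytes(payload[offset:offset + 4], "big")

def audit(datagrams):
    """(severity, message) findings for cleartext AP-to-controller traffic."""
    findings = []
    for d in datagrams:
        if d.dport not in (CONTROL_PORT, DATA_PORT) or is_dtls_protected(d.payload):
            continue
        if d.dport == DATA_PORT:  # encapsulated but not encrypted: the default
            findings.append(("INFO", f"{d.src}->{d.dst}: cleartext CAPWAP data plane"))
        elif (mt := control_message_type(d.payload)) not in DISCOVERY:
            findings.append(("HIGH", f"{d.src}->{d.dst}: cleartext control type {mt}"))
    return findings

def ctrl(msg_type: int) -> bytes:
    """Cleartext control packet: header, Message Type, Seq, Msg Elem Len, Flags."""
    return CLEAR_HDR + msg_type.to_bytes(4, "big") + bytes(4)

SAMPLE = [  # constructed for this example, not a capture
    Datagram("10.1.1.10", "10.1.1.1", CONTROL_PORT, ctrl(1)),         # Discovery Req
    Datagram("10.1.1.10", "10.1.1.1", CONTROL_PORT,                   # DTLS 1.2
             bytes([0x01, 0, 0, 0, 0x16, 0xFE, 0xFD]) + bytes(9)),   # handshake
    Datagram("10.1.1.10", "10.1.1.1", DATA_PORT, CLEAR_HDR + b"802.11 frame"),
    Datagram("10.1.1.11", "10.1.1.1", CONTROL_PORT, ctrl(3)),         # Join Req, bad
]
```

The INFO finding is the documented default (enable DTLS data encryption where the AP-to-WLC path is untrusted, as OEAP does); a cleartext Join Request should never appear once the DTLS exchange has completed.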
Cisco DNA Center AI Endpoint Analytics
- ML Analytics
- Endpoint Profiling
- Data Aggregation
- Network Telemetry Probes
- Easy Onboarding Tools
- DPI-based Fingerprint/Behavior
- CMDB Connector?

Network as a Sensor
- Secure Network Analytics Integration
- Malware detection and cryptographic compliance on Cisco Stealthwatch
- Netflow

Network as an Enforcer
- Rapid Threat Containment
- Secure Network Analytics Management Console, Identity Services Engine, pxGrid
- Mitigation: Quarantine or Unquarantine infected host
- Context: Information shared with other network and security products

Securing the Wireless Network
- Secure the Air
- Secure the Devices
- Secure the Network

Trustworthy Systems
- Secure the Platform
- Secure the Development
- Secure the Network: WIPS, DHCP Snooping, Port Security, IP Source Guard, ACLs
- Secure the Air: 802.11i, r, w
- Secure the Device: Counterfeit Protections, Runtime Defenses, Secure Boot, Modern Crypto, Image Signing, Hardware Trust Anchor, Secure Device Onboarding, OS Validation
- Secure Network Analytics, SDA, Umbrella, ISE
- PSIRT Advisories, Security Training, Product Security Baseline, Threat Modeling, Open Source Registration, Value Chain Security
- https:/

Thank you

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Gamify your Cisco Live experience!
Get points for attending this session! How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.