Figure 4-2 illustrates one of the primary features of the architecture: how Lightweight Access Point Protocol (LWAPP) access points (LAPs) use LWAPP to communicate with and tunnel traffic to a WLC. The easier a system is to deploy and manage, the easier it is to manage the security associated with that system. In addition to the improvements in physical security, firmware, and configuration management offered by LWAPP, the tunneling of WLAN traffic in an LWAPP-based architecture improves the ease of deployment without compromising the overall security of the solution. The native 802.11 security features combined with the physical security and ease of deployment of the LWAPP architecture improve the overall security of WLAN deployments. The Cisco Unified Wireless Network solution supports multiple concurrent WLAN security options.
Each WLAN SSID can be mapped to either the same or different dot1q interface on the WLC, or Ethernet over IP (EoIP) tunneled to a different controller through a mobility anchor connection.
If a WLAN client is 802.1X authenticated, the dot1q VLAN assignment can be controlled by the RADIUS attributes passed to the WLC.
The 5.0 WLC code release provides local EAP authentication, which can be used when an external RADIUS server is not available or becomes unavailable.
A WLC supports the use of a local database for authentication data and it can also access an LDAP directory to provide data for EAP-FAST or EAP-TLS authentication. The WLC allows access control lists (ACLs) to be defined for any interface configured on the WLC, as well as ACLs to be defined for the CPU of the WLC itself. Interface ACLs act on WLAN client traffic in and out of the interfaces to which the ACLs are applied. The WLC acts as an ARP proxy for WLAN clients by maintaining the MAC address-IP address associations.
Note: This is a change from previous code releases, in which peer-to-peer blocking was a global setting on the WLC. The WLC performs WLAN IDS analysis using all the connected APs and reports detected attacks to the WLC as well as to the WCS. The signature files used on the WLC are included in WLC software releases, but can be updated independently using a separate signature file; custom signatures are displayed in the Custom Signatures window. The Cisco Mobility Services Engine (MSE) is a platform designed to support a variety of services loaded onto it as a suite of software. While any number of services may be delivered on the MSE, examples include Context Aware software, Adaptive Wireless IPS, Mobile Intelligent Roaming, and Secure Client Manager. Adaptive Wireless IPS offers protection above that offered by the WLC Wireless IPS by using the processing power and position of the Mobility Services Engine to analyze WLAN data from all sources within the Cisco Unified Wireless Network.
The Cisco Mobility Services Engine provides analysis processing performance and scalability, storage capacity for historical reporting and forensics, and integration capabilities for services such as location or contact aware asset tracking and client security management.
In addition to Wireless IDS, the WLC is able to take additional steps to protect the WLAN infrastructure and WLAN clients.
Both deployment models support RF detection and are not limited to rogue APs, but can also capture information upon detection of ad hoc clients and rogue clients (the users of rogue APs). The WLC then waits to label this as a rogue client or AP, until it has been reported by another AP or until it completes another cycle. In monitor mode, the AP does not carry user traffic but spends all its time scanning channels. The location features of the WCS can be used to provide a floor plan indicating the approximate location of a rogue AP. Situations may exist where the WCS rogue location features described above are not effective, such as in branch offices that contain only a few APs or where accurate floor plan information may not be available. If an AP is configured as a rogue detector, its radio is turned off and its role is to listen on the wired network for MAC addresses of clients associated to rogue APs; that is, rogue clients. If a rogue client resides behind a wireless router (a common home WLAN device), their ARP requests are not seen on the wired network, so an alternative to the rogue detector AP method is needed.
Rogue AP-connected clients, or rogue ad hoc connected clients, may be contained by sending 802.11 de-authentication packets from local APs. To determine whether rogue AP clients are also clients on the enterprise WLAN, the client MAC address can be compared with MAC addresses collected by the AAA during 802.1X authentication. One of the challenges in 802.11 has been that management frames are sent in the clear with no encryption or message integrity checking, and are therefore vulnerable to spoofing attacks. The MIC that is used in management frame protection (MFP) is not a simple CRC hashing of the message, but also includes a digital signature component.


Both infrastructure-side and client MFP are currently possible, but client MFP requires CCXv5 WLAN clients, which are able to learn the mobility group MFP key and can therefore detect and reject invalid frames. The method of providing MFP for WLAN clients is fundamentally the same as that used for APs, which is to use a MIC in the management frames. The WCS can provide on-demand or regularly-scheduled configuration audit reports, which compare the complete current running configuration of a WLC and its registered access points with that of a known valid configuration stored in the WCS databases.
Apart from the alarms that can be generated directly from a WLC and sent to an enterprise network management system (NMS), the WCS can also send alarm notifications. Figure 4-19 shows an example of architectural integration between a WiSM and the FWSM module. A Cisco Network Admission Control (NAC) appliance can be implemented in combination with a WLAN deployment to ensure that end devices connecting to the network meet enterprise policies for compliance with latest security software requirements and operating system patches.
In addition to the integration of the Cisco Unified Wireless Network at the networking layers, additional integration is provided at the management and control layers of the Cisco Security solutions. These are all discussed in further detail in the following chapters of this design guide, as well as in the chapters discussing integration of Cisco Firewall solutions and the Cisco Security Agent. Although the 802.11 standards address the security of the wireless medium, the Cisco Unified Wireless Network solution addresses end-to-end security of the entire system by using architecture and product security features to protect WLAN endpoints, the WLAN infrastructure, client communication, and the supporting wired network.
The Cisco Access Control Server (ACS) and its Authentication, Authorization, and Accounting (AAA) features complete the solution by providing RADIUS services in support of wireless user authentication and authorization. In this way, if the AP is physically compromised, there is no configuration information resident in NVRAM that can be used to perform further malicious activity. LAPs that support multiple WLAN VLANs can be deployed on access layer switches without requiring dot1q trunking or adding additional client subnets at the access switches.
The delay before switching to local authentication is configurable, as shown in Figure 4-5. The priority that an LDAP server has over the local authentication database of local net users is configurable, as shown in Figure 4-7.
These ACLs can be used to enforce policy on particular WLANs to limit access to particular addresses and protocols, as well as to provide additional protection to the WLC itself. CPU ACLs are independent of interfaces on the WLC and are applied to all traffic to and from the WLC system.
The ACL can specify source and destination address ranges, protocols, source and destination ports, differentiated services code point (DSCP), and direction in which the ACL is to be applied. This prevents potential attacks between clients on the same subnet by forcing communication through the router. The Wireless IDS analysis is complementary to any analysis that may otherwise be performed by a wired network IDS system. Each of these services is designed to provide intelligence from the network to help optimize a specific application. As the mobile business network expands, the Cisco Adaptive Wireless IPS solution provides monitoring and analysis of the growing number of new devices and spectrum uses to ensure ongoing protection of critical business information.
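The following is an added example, not Cisco's code and not WLC CLI syntax: a small model of first-match ACL evaluation using the fields the guide lists for a WLC ACL (source and destination address ranges, protocol, ports, DSCP, and direction). The rule and packet field names, the sample guest-WLAN interface ACL and the sample CPU ACL are all constructed here for illustration.

```python
"""Added example (not Cisco's code): first-match evaluation of WLC-style ACLs.

A rule can constrain source/destination range, protocol, source/destination
port, DSCP and direction; a field left as ANY is a wildcard. An ACL ends with
an implicit deny, as on the WLC. Field and rule names are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard marker for an unconstrained field


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    direction: str                 # "inbound", "outbound" or "any"
    src: Optional[str] = ANY       # CIDR string or ANY
    dst: Optional[str] = ANY
    proto: Optional[str] = ANY     # "tcp", "udp", "icmp" or ANY
    sport: Optional[range] = ANY
    dport: Optional[range] = ANY
    dscp: Optional[int] = ANY


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    dscp: int = 0


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _in_range(value: int, rng: Optional[range]) -> bool:
    return rng is ANY or value in rng


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and (rule.proto is ANY or rule.proto == pkt.proto)
            and _in_range(pkt.sport, rule.sport)
            and _in_range(pkt.dport, rule.dport)
            and (rule.dscp is ANY or rule.dscp == pkt.dscp))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the rule that fired); index -1 is the implicit deny."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", -1


# Constructed sample interface ACL for a guest WLAN (10.20.0.0/16): allow DNS
# and DHCP to the corporate servers, block the rest of internal address space,
# then allow web traffic anywhere else.
GUEST_ACL = [
    Rule("permit", "inbound", src="10.20.0.0/16", dst="10.1.1.53/32", proto="udp", dport=range(53, 54)),
    Rule("permit", "inbound", src="10.20.0.0/16", dst="10.1.1.67/32", proto="udp", dport=range(67, 68)),
    Rule("deny", "any", src="10.20.0.0/16", dst="10.0.0.0/8"),
    Rule("permit", "any", proto="tcp", dport=range(80, 81)),
    Rule("permit", "any", proto="tcp", dport=range(443, 444)),
]

# Constructed sample CPU ACL: only the management subnet may reach the WLC
# itself (SSH, HTTPS) and only the NMS host may poll SNMP.
CPU_ACL = [
    Rule("permit", "inbound", src="10.9.9.0/24", proto="tcp", dport=range(22, 23)),
    Rule("permit", "inbound", src="10.9.9.0/24", proto="tcp", dport=range(443, 444)),
    Rule("permit", "inbound", src="10.9.9.10/32", proto="udp", dport=range(161, 162)),
]

if __name__ == "__main__":
    print(evaluate(GUEST_ACL, Packet("inbound", "10.20.5.5", "10.1.2.3", "tcp", 40000, 443)))
    print(evaluate(CPU_ACL, Packet("inbound", "10.50.1.1", "10.9.9.1", "tcp", 5000, 22)))
```

Note that the model, like a stateless ACL, has no notion of connection state: the guest ACL permits an outbound HTTPS request, but the returning packet (source port 443, arbitrary destination port) hits the implicit deny unless a rule for return traffic is written, which is a common source of mis-configured interface ACLs.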
The WLC is able to implement policies that exclude WLAN clients whose behavior is considered threatening or inappropriate.
In monitor mode, the AP is dedicated to scanning the RF channels, but does not pass client data. This mode of deployment is most common when a customer does not want to support WLAN services in a particular area, but wants to monitor that area for rogue APs and rogue clients. Additionally, rogue detector APs may not be practical for some deployments because of the large number of broadcast domains to be monitored (such as in the main campus network). In this case, a standard LAP, upon detecting a rogue AP, can attempt to associate with the rogue AP as a client and send a test packet to the controller, which requires the AP to stop being an active AP and to go into client mode.
This should be done only after steps have been taken to ensure that the AP is truly a rogue AP, because it is illegal to do this to a legitimate AP in a neighboring WLAN. This allows the identification of possible WLAN clients that may have been compromised or users that are not following security policies. The MIC component of MFP ensures that a frame has not been tampered with and the digital signature component ensures that the MIC could have only been produced by a valid member of the WLAN domain.
Any exceptions between the current running configuration and the stored database configuration are noted and brought to the attention of the network administrator via screen reports (see Figure 4-18). The primary difference between alarm notification methods, apart from the type of alarm sent by the various components, is that the WLC uses Simple Network Management Protocol (SNMP) traps to send alarms, while the WCS relies on Simple Mail Transfer Protocol (SMTP) e-mail to send an alarm message.
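As an added example of the configuration audit described above (not WCS code; the WCS stores and compares configurations in its own format, which is not shown on the page), the function below walks a running configuration and a stored known-good configuration, both represented here as nested dictionaries, and returns every exception as a path with the expected and actual values. The sample WLC and AP settings are constructed.

```python
"""Added example (not WCS code): report exceptions between a running
configuration and a stored known-valid configuration.

Both configurations are modelled as nested dicts (WLC settings, per-WLAN
settings, per-AP settings). Each exception is (path, expected, running);
None on one side means the setting is present only on the other side.
"""
from typing import Any, Dict, List, Optional, Tuple

Exception_ = Tuple[str, Optional[Any], Optional[Any]]


def audit(running: Dict[str, Any], golden: Dict[str, Any], path: str = "") -> List[Exception_]:
    exceptions: List[Exception_] = []
    for key in sorted(set(running) | set(golden)):
        here = f"{path}/{key}"
        if key not in golden:
            exceptions.append((here, None, running[key]))        # unexpected extra setting or object
        elif key not in running:
            exceptions.append((here, golden[key], None))         # expected setting missing
        elif isinstance(golden[key], dict) and isinstance(running[key], dict):
            exceptions.extend(audit(running[key], golden[key], here))
        elif golden[key] != running[key]:
            exceptions.append((here, golden[key], running[key]))  # value drifted
    return exceptions


# Constructed sample: the stored known-good configuration for one WLC.
GOLDEN = {
    "wlan": {"1": {"ssid": "corp", "security": "wpa2-aes", "mfp": "required"}},
    "ap": {"ap01": {"admin_state": "enable", "mode": "local"}},
}

# Constructed sample: the running configuration has one drifted WLAN setting
# and an AP that the stored configuration does not know about.
RUNNING = {
    "wlan": {"1": {"ssid": "corp", "security": "wpa2-aes", "mfp": "optional"}},
    "ap": {"ap01": {"admin_state": "enable", "mode": "local"},
           "ap02": {"admin_state": "enable", "mode": "monitor"}},
}

if __name__ == "__main__":
    for path, expected, actual in audit(RUNNING, GOLDEN):
        print(f"{path}: expected {expected!r}, running {actual!r}")
```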


The Cisco Unified Wireless Network architecture eases the integration of these security services into the solution because it provides a Layer 2 connection between the WLAN clients and the upstream wired network. Like the FWSM module discussed above, the Cisco NAC appliance (formerly Cisco Clean Access) can also be integrated into a Unified Wireless architecture at Layer 2, thereby permitting strict control over which wireless user VLANs are subject to NAC policy enforcement. Even worse, APs are often deployed in physically unsecured areas where theft of an AP could result in someone accessing its configuration to gain information to aid in some other form of malicious activity. This moves the configuration and firmware functions to the WLC, which can be further centralized through the use of the WCS. All WLAN client traffic is tunneled to centralized locations (where the WLC resides), making it simpler to implement enterprise-wide WLAN access and security policies.
When RADIUS server availability is restored, the WLC automatically switches back from local authentication to RADIUS server authentication.
The primary check is to verify that the MAC address included in the DHCP request matches the MAC address of the WLAN client sending the request.
The embedded Wireless IDS capability of the WLC analyzes 802.11- and WLC-specific information that is not available to a wired network IDS system. Figure 4-11 shows the components that make up the Cisco Adaptive Wireless IPS Solution. The floor plan shows the location of all legitimate APs and highlights the location of a rogue AP using the skull-and-crossbones icon.
When it detects one of these ARPs, it reports this to the WLC, providing verification that the rogue AP is attached to the same network as the Cisco Unified Wireless Network.
This action confirms that the rogue AP in question is actually on the network, and provides IP address information that indicates its logical location in the network.
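The rogue detector logic described here, and the AAA MAC comparison mentioned earlier, as an added example (not Cisco's code): ARP frames captured on the detector's wired port are parsed for their sender MAC, matched against the rogue client MACs that the APs reported over the air, and the rogue client MACs are also compared with the MACs collected by AAA. The frames, the rogue reports and the AAA list are all constructed sample data.

```python
"""Added example (not Cisco's code): correlate wired ARP traffic with
over-the-air rogue reports to confirm that a rogue AP is on the wired network,
and flag rogue clients that are also enterprise WLAN clients (per AAA).
"""
import struct
from typing import Dict, Iterable, Optional, Set, Tuple


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample: Ethernet broadcast frame carrying an ARP request."""
    eth = b"\xff" * 6 + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac_bytes(sender_mac), bytes(map(int, sender_ip.split("."))),
                      b"\0" * 6, bytes(map(int, target_ip.split("."))))
    return eth + arp


def arp_sender(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender MAC, sender IP) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return mac_str(sha), ".".join(map(str, spa))


def correlate(rogue_reports: Dict[str, Set[str]], wired_frames: Iterable[bytes],
              aaa_macs: Set[str]) -> Tuple[Dict[str, Dict[str, str]], Set[str]]:
    """rogue_reports: {rogue BSSID: {client MAC, ...}} as seen over the air by APs.
    wired_frames: raw frames captured on the rogue detector's SPAN port.
    aaa_macs: client MACs collected by AAA during 802.1X authentication.
    Returns (on_wire, enterprise): rogue APs confirmed on the wired network with
    the IP each of their clients used, and rogue clients that are also
    enterprise WLAN clients."""
    seen: Dict[str, str] = {}
    for frame in wired_frames:
        hit = arp_sender(frame)
        if hit:
            seen[hit[0]] = hit[1]
    on_wire: Dict[str, Dict[str, str]] = {}
    for bssid, clients in rogue_reports.items():
        hits = {c: seen[c] for c in clients if c in seen}
        if hits:
            on_wire[bssid] = hits
    enterprise = {c for clients in rogue_reports.values() for c in clients if c in aaa_macs}
    return on_wire, enterprise


# Constructed sample data: two rogue APs reported by APs, one whose client later
# ARPs on the wired network; one rogue client also authenticated via 802.1X.
ROGUE_REPORTS = {
    "aa:bb:cc:00:00:01": {"02:00:00:00:00:11", "02:00:00:00:00:12"},
    "aa:bb:cc:00:00:02": {"02:00:00:00:00:21"},
}
WIRED_FRAMES = [
    build_arp_request("02:00:00:00:00:11", "10.1.5.77", "10.1.5.1"),
    build_arp_request("02:00:00:00:00:99", "10.1.5.80", "10.1.5.1"),  # unrelated wired host
    b"\x00" * 60,                                                     # non-ARP noise
]
AAA_MACS = {"02:00:00:00:00:12", "02:00:00:00:00:55"}

if __name__ == "__main__":
    print(correlate(ROGUE_REPORTS, WIRED_FRAMES, AAA_MACS))
```

The second rogue AP produces no wired hit, which is the case the guide notes for rogue clients behind a wireless router: their ARPs never reach the wired segment, so RLDP is needed to confirm it.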
This is the reason why Cisco removed the automatic rogue AP containment feature from this solution. To address this, Cisco created a digital signature mechanism to insert a message integrity check (MIC) to 802.11 management frames. The digital signature key used in MFP is shared among all controllers in a mobility group; different mobility groups have different keys.
The WLAN client is passed the cryptographic keys for the MIC as part of the WPA2 authentication process.
Standard steps should be taken to protect the e-mail servers to ensure that this cannot be used as a DoS attack on the e-mail system.
No routing policy or VRF configuration is required to ensure that WLAN client traffic in both directions goes through the firewall. This protects against DHCP exhaustion attacks, because a WLAN client can request only an IP address for its own interface.
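The DHCP check described above (the MAC in the request must match the MAC of the client sending it), as an added example that is not Cisco's code: the function builds a minimal Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER as a constructed sample frame, parses it back, and accepts it only when the BOOTP `chaddr` equals the Ethernet source MAC. The names and the sample MACs are this example's own.

```python
"""Added example (not Cisco's code): the WLC-style DHCP consistency check.

A client request is accepted only if the BOOTP chaddr it carries matches the
source MAC of the client that sent it, so a single client cannot request
leases on behalf of many fabricated hardware addresses.
"""
import struct
from typing import Iterable, Optional, Set

BROADCAST = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_dhcp_discover(eth_src: str, chaddr: str, xid: int = 0x3903F326) -> bytes:
    """Constructed sample: minimal Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER.
    eth_src is the client's source MAC on the frame; chaddr is what the client
    wrote into the BOOTP header (normally the same address)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,          # op=BOOTREQUEST, Ethernet, hlen 6
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"          # message type DISCOVER, end
    udp_len = 8 + len(bootp) + len(options)
    udp = struct.pack("!HHHH", 68, 67, udp_len, 0) + bootp + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return BROADCAST + mac_bytes(eth_src) + b"\x08\x00" + ip


def parse_dhcp_request(frame: bytes) -> Optional[dict]:
    """Return the fields needed for the check, or None if not a client DHCP request."""
    if len(frame) < 14 + 20 + 8 + 236 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                           # not UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) != (68, 67):                            # not client -> server DHCP
        return None
    bootp = udp[8:]
    op, hlen = bootp[0], bootp[2]
    return {"eth_src": frame[6:12], "op": op, "hlen": hlen, "chaddr": bootp[28:28 + hlen]}


def dhcp_request_is_consistent(frame: bytes) -> bool:
    p = parse_dhcp_request(frame)
    if p is None or p["op"] != 1 or p["hlen"] != 6:
        return False
    return p["chaddr"] == p["eth_src"]


def accepted_chaddrs(frames: Iterable[bytes]) -> Set[str]:
    """Hardware addresses that would be allowed to obtain a lease."""
    return {mac_str(parse_dhcp_request(f)["chaddr"]) for f in frames if dhcp_request_is_consistent(f)}


# Constructed sample: one legitimate request and three requests from the same
# client that each claim a different chaddr (the exhaustion pattern).
FRAMES = [build_dhcp_discover("00:11:22:33:44:55", "00:11:22:33:44:55")] + [
    build_dhcp_discover("00:11:22:33:44:55", f"de:ad:be:ef:00:{i:02x}") for i in range(3)
]

if __name__ == "__main__":
    print(accepted_chaddrs(FRAMES))
```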
The WLC now begins to determine whether this rogue is attached to the local network or is simply a neighboring AP. To be effective at capturing ARP information, the rogue AP detector should be connected to all available broadcast domains using a Switched Port Analyzer (SPAN) port because this maximizes the likelihood of detection. Given the difficulties in establishing the location data in branch offices and the likelihood of their being located in multi-tenant buildings, rogue AP detector and RLDP are useful tools that augment location-based rogue AP detection. This allows the legitimate members of a WLAN deployment to be identified and therefore allows the identification of rogue infrastructure, and spoofed frames, through their lack of valid MICs.
This allows the validation of all WLAN management frames processed by the WLCs in that mobility group.
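The following is an added example, not Cisco's MFP implementation: the actual MFP information element format and signature algorithm are not on the page, so a keyed HMAC over the management frame with a per-mobility-group key stands in for the "MIC plus digital signature" the guide describes. It shows the three outcomes a validating WLC distinguishes: a frame carrying a MIC produced with the group key, a frame whose MIC was produced with another group's key or altered in transit, and a frame carrying no MIC at all. The frame layout, element id and keys are constructed.

```python
"""Added example (not Cisco's MFP code): management-frame integrity check
keyed by a mobility-group key, as a stand-in for the MFP MIC.

A member of the mobility group appends a MIC element to each management frame
it sends; a receiver in the same group recomputes the MIC and rejects frames
that lack it or whose MIC does not verify (spoofed, tampered, or produced by
an entity that does not hold the group key).
"""
import hashlib
import hmac
import struct

MIC_ELEMENT_ID = 0xDD   # vendor-specific element id, used here as a stand-in
MIC_LEN = 16
MGMT_HDR_LEN = 24


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_mgmt_frame(subtype: int, src: str, dst: str, bssid: str, body: bytes, seq: int = 0) -> bytes:
    """Constructed 802.11 management frame: 24-byte header + body.
    subtype 12 is deauthentication, 10 is disassociation."""
    frame_control = (subtype << 4) & 0xF0          # type 0 (management), given subtype
    return struct.pack("<HH6s6s6sH", frame_control, 0, mac(dst), mac(src), mac(bssid), seq << 4) + body


def protect(frame: bytes, group_key: bytes) -> bytes:
    """Append a MIC element computed over header and body with the group key."""
    mic = hmac.new(group_key, frame, hashlib.sha256).digest()[:MIC_LEN]
    return frame + bytes([MIC_ELEMENT_ID, MIC_LEN]) + mic


def verify(frame: bytes, group_key: bytes) -> str:
    """Return "valid", "invalid-mic" or "no-mic" for a received management frame."""
    tail_len = 2 + MIC_LEN
    if len(frame) < MGMT_HDR_LEN + tail_len:
        return "no-mic"
    element = frame[-tail_len:]
    if element[0] != MIC_ELEMENT_ID or element[1] != MIC_LEN:
        return "no-mic"
    expected = hmac.new(group_key, frame[:-tail_len], hashlib.sha256).digest()[:MIC_LEN]
    return "valid" if hmac.compare_digest(expected, element[2:]) else "invalid-mic"


# Constructed keys for two mobility groups; each group shares one key.
GROUP_A_KEY = b"mobility-group-a-constructed-key"
GROUP_B_KEY = b"mobility-group-b-constructed-key"

AP = "00:1a:2b:3c:4d:5e"
CLIENT = "02:00:00:00:00:11"


def example_outcomes() -> dict:
    """Deauth frames as seen by a group-A WLC: genuine, from group B, tampered, unprotected."""
    genuine = protect(build_mgmt_frame(12, AP, CLIENT, AP, b"\x03\x00", seq=7), GROUP_A_KEY)
    other_group = protect(build_mgmt_frame(12, AP, CLIENT, AP, b"\x03\x00", seq=7), GROUP_B_KEY)
    tampered = genuine[:4] + mac("02:00:00:00:00:22") + genuine[10:]   # destination rewritten
    unprotected = build_mgmt_frame(12, AP, CLIENT, AP, b"\x03\x00", seq=7)
    return {
        "genuine": verify(genuine, GROUP_A_KEY),
        "other_group": verify(other_group, GROUP_A_KEY),
        "tampered": verify(tampered, GROUP_A_KEY),
        "unprotected": verify(unprotected, GROUP_A_KEY),
    }


if __name__ == "__main__":
    print(example_outcomes())
```

Because the MIC covers the header, including the sequence field, a frame cannot be re-addressed or re-sequenced without invalidating it; the page does not describe replay handling, and this example does not add any.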
For example, a Cisco Wireless LAN Services Module (WLSM)-based deployment required the implementation of VRF-Lite on the Cisco 6500 to enable WLAN client traffic to flow through a Cisco Firewall Service Module (FWSM), whereas a Cisco Unified WLAN deployment using a Wireless Services Module (WiSM) can simply map the (WLAN) client VLAN directly to the FWSM. The WLC by default does not forward broadcast messages from WLAN clients back out onto the WLAN, which prevents a WLAN client from acting as a DHCP server and spoofing incorrect DHCP information. Multiple rogue AP detector APs may be deployed to capture the various aggregated broadcast domains that exist on a typical network. The only WLAN controllers in the Cisco Unified Wireless portfolio not able to directly map Layer 2 WLAN traffic to a physical interface are ISR-based WLC modules. The ISR WLAN module does have access to all the IOS and IPS features available on the ISR, and therefore requires that IP traffic from the WLAN clients can be directed in and out specific ISR interfaces using IOS VRF features on the router.