
Wireless LAN Security, Policy and Deployment Best Practices • BRKEWN-2021 • Israel Gonzalez, Security Solutions Architect • CCIE#15732 Session ID 20PT

Agenda

Security Standards
• Strong Encryption
• Strong Authentication

User-Policy and Device Identification
• Wireless Policy Using ACS and ISE
• Per User VLAN, ACL and QoS
• Device Fingerprinting

Rogue Management, Attack Detection and Threat Mitigation
• Rogue Classification and Containment
• Adaptive wIPS Monitor Mode and ELM
• MFP and Wired IPS Integration

Strong Authentication and Encryption

Authentication Evolution

MAC Address Authentication

WEP

802.1x / Dynamic WEP

WPA/WPA2

WPA/WPA2 Breakdown

WPA
• A Snapshot of the 802.11i Standard
• Commonly Used with TKIP Encryption

WPA2
• Final Version of 802.11i
• Commonly Used with AES Encryption

Authentication Mechanisms
• Personal (PSK) – Home Use
• Enterprise (802.1x/EAP) – Office Use

About EAP

• Extensible Authentication Protocol (EAP)
• RFC 2284 http://www.ietf.org/rfc/rfc2284.txt
• RFC 3748 (Obsoletes 2284) http://www.ietf.org/rfc/rfc3748.txt
• It is an authentication framework over the data link layer.
• An authentication framework which supports multiple authentication methods.
• EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.

EAP — Protocol Flow

[Diagram labels: Client, Authenticator (CAPWAP), Authentication Server]

EAP Authentication Types

Tunneling-Based
• EAP-PEAP
• EAP-TTLS
• EAP-FAST

Inner Methods
• EAP-GTC
• EAP-MSCHAPv2

Certificate-Based
• EAP-TLS

• Tunnel-based - Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. This provides security for the inner EAP type, which may be vulnerable by itself.

• Certificate-based – For more security, EAP-TLS provides mutual authentication of both the server and client.

EAP Methods Comparison

| | EAP-TLS | PEAP | EAP-FAST |
|---|---|---|---|
| Fast Secure Roaming (CCKM) | Yes | Yes | Yes |
| Local WLC Authentication | Yes | Yes | Yes |
| OTP (One Time Password) Support | No | Yes | Yes |
| Server Certificates | Yes | Yes | No |
| Client Certificates | Yes | No | No |
| PAC (Protected Access Credentials)* | No | No | Yes |
| Deployment Complexity | High | Medium | Low |

* PACs can be provisioned anonymously for minimal complexity.

Choosing an EAP Method

[Diagram: the EAP Type(s) Deployed depend on Security vs. Complexity, Authentication Server Support and Client Support]

• Most clients such as Windows, Mac OSX, Apple iOS devices support EAP-TLS, PEAP (MS-CHAPv2). Additional supplicants can add more EAP types (Cisco AnyConnect).

• Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.

Encryption Evolution

• WEP (RC4)
• TKIP (RC4 and MIC)
• AES (CCMP)

Encryption Best Practices: TKIP and AES

TKIP (Temporal Key Integrity Protocol)
• Use only for legacy clients without AES support
• Often a software update for WEP clients
• Can be run in conjunction with AES (mixed-mode)
• Is being discontinued by the WiFi Alliance for certification.

AES (Advanced Encryption Standard)
• Requires hardware support (~2005 chipsets or later)
• Achieves line-rate speeds
• Only encryption standard supported for 802.11n data rates

User-Based Policy and Device Identification

Cisco User-Based Policy Offering

ISE
• Dynamic Policy
• Device Profiling

ACS
• Static Policy

[Diagram labels: User Specific Attributes, WLC]

• Cisco ACS (or other RADIUS server which can provide Vendor Specific Attributes) can provide static user-based policy which is assigned upon initial authentication.
• Cisco Identity Services Engine can provide dynamic user-based policy which can be assigned upon initial authentication and changed during a session using CoA (Change of Authorization).

Cisco User-Based Policy Solution with ACS

User Specific Attributes

Employees
• Employee VLAN
• Gold QoS

Contractors
• Contractor VLAN
• No QoS
• Restrictive ACL

[Diagram labels: ACS* (Static Policy), User Specific Attributes, WLC, ACLs, Employee, Contractor, Employee VLAN, Contractor VLAN]

*This could also be any RADIUS server that supports VSAs.

Cisco ACS User Policy Steps

Phase 1: User Authentication
Phase 2: User Policy

[Diagram labels: EAP, ACS, Allowed User?, Limited Access, Allowed Access, WLC]

User policy shown on the WLC:
• QoS: Silver
• ACL: Allow-All
• VLAN: Employee

Cisco Controller User-Based Policy Attributes

Network Access
• “Airespace-Interface-Name”
  - Sets the Interface to which the client is connected.

Network Restrictions
• “Airespace-ACL-Name”
  - Sets the Access Control List used to filter traffic to/from the client.

Quality of Service
• “Airespace-QOS-Level”
  - Sets the maximum QoS queue level available for use by the client (Bronze, Silver, Gold or Platinum).
• “Airespace-802.1p-Tag” and/or “Airespace-DSCP-Tag”
  - Sets the maximum QoS tagging level available for use by the client.

Cisco Wireless LAN Controller ACLs

[Diagram labels: Inbound, Outbound, Wired LAN, Implicit Deny All at the End]

• ACLs provide L3-L4 policy and can be applied per interface or per user.
• Cisco 5508 and WiSM2 implement line-rate ACLs.
• Up to 64 rules can be configured per ACL.

Endpoint Access Challenges

• IT is struggling with:
  - Classifying managed vs. unmanaged endpoints
  - ID devices that cannot authenticate
  - User Device association

• But there are barriers:
  - Multiple access mediums
  - Endpoint certainty
  - No automated way to discover new endpoints

[Diagram labels: PC and Non-PC Devices; User, Location, Time, Device, Attribute X]

Endpoint Profiling Solution - Cisco Identity Services Engine (ISE)

• New ground up solution
  - Multiple sensors – rich profiling
  - Complete visibility and tracking
  - Holistic (wired + wireless)
  - Integrated Authentication, Authorization
  - Other services (Guest, Posture, Device Registration)
  - Flexible deployment

[Diagram labels: ISE; User, Location, Time, Device, Attribute X]

Integrated, Enhanced Device Profiling with Cisco Identity Services Engine

• Visibility for Wired and Wireless Devices
• Simplified “Device Category” Policy
• Create Your Own Device Templates

[Screenshot callouts: “iPad Template”, “Custom Template”]

Powerful Policy Deployments with ISE

Consolidated Services, SW Packages
• ACS, NAC Manager, NAC Profiler, NAC Server and NAC Guest combined in ISE
• Simplify Deployment and Admin

Session Directory
• User ID, Device (and IP/MAC), Location, Access Rights
• Tracks Active Users and Devices

Flexible Service Deployment
• All-in-One HA Pair; Admin Console, M&T, Distributed PDPs
• Optimize Where Services Run

Policy Extensibility
• Link in Policy Information Points

Manage Security Group Access
• Keep Existing Logical Design

| SGT | Public | Private |
|---|---|---|
| Staff | Permit | Permit |
| Guest | Permit | Deny |

System-Wide Monitoring and Troubleshooting
• Consolidated Data, 3 Click Drill-In

Cisco’s User-Based Policy Solution with ISE

User and Device Specific Attributes

Employees
• Employee VLAN
• Gold QoS

Employee Mobiles
• Employee VLAN
• Gold QoS
• Restrictive ACL

Contractors
• Contractor VLAN
• No QoS
• Restrictive ACL

Contractor Mobiles
• No Access

[Diagram labels: ISE (Device Profiling, Dynamic Policy), WLC, Employee VLAN, Contractor VLAN]

• With the ISE, Cisco wireless can support multiple users and device types on a single SSID.

Cisco ISE Device Profiling and Policy Steps

Phase 1: Device Authentication (EAP)
Phase 2: Device Identification (MAC, DHCP, DNS, HTTP)
Phase 3: Device Policy

[Diagram labels: ISE, Allowed Device?, Limited Access, Allowed Access, WLC]

Device policy shown on the WLC:
• QoS: Silver
• ACL: Allow-All
• VLAN: Employee

ISE Device Profiling Capabilities

• Minimum Confidence for a Match
• Multiple Rules to Establish Confidence Level

[Screenshot callouts: Smart Phones, Gaming Consoles, Workstations]

ISE Device Profiling Example - iPad

• Once the device is profiled, it is stored within the ISE for future associations:
  - Is the MAC Address from Apple?
  - Does the Hostname Contain “iPad”?
  - Is the Web Browser Safari on an iPad?

[Diagram labels: ISE, Apple iPad]
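The "multiple rules, minimum confidence" idea and the three iPad checks above, worked through as an added Python sketch (this is not ISE code and not part of the original deck). The certainty weights, the threshold of 20, the OUI table and the function names are assumptions made for illustration.

```python
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed placeholder OUI table; these prefixes are not real IEEE assignments.
SAMPLE_OUI_VENDORS = {"AABBCC": "Apple", "AABBDD": "ExampleCorp"}


@dataclass
class Endpoint:
    mac: str
    dhcp_hostname: str = ""   # learned from DHCP
    user_agent: str = ""      # learned from HTTP


@dataclass
class Rule:
    name: str
    certainty: int            # confidence added when the check is true (assumed weight)
    check: Callable[[Endpoint], bool]


@dataclass
class Profile:
    name: str
    min_confidence: int       # minimum confidence for a match
    rules: List[Rule]

    def confidence(self, ep: Endpoint) -> int:
        return sum(r.certainty for r in self.rules if r.check(ep))


def normalize_mac(mac: str) -> Optional[str]:
    """Accept aa:bb:cc:..., aabb.cc.. or aa-bb-..; return 12 hex digits or None."""
    digits = "".join(c for c in mac if c in string.hexdigits).upper()
    return digits if len(digits) == 12 else None


def vendor_of(mac: str) -> Optional[str]:
    norm = normalize_mac(mac)
    return SAMPLE_OUI_VENDORS.get(norm[:6]) if norm else None


def safari_on_ipad(ep: Endpoint) -> bool:
    ua = ep.user_agent.lower()
    return "ipad" in ua and "safari" in ua


IPAD = Profile("Apple iPad", min_confidence=20, rules=[
    Rule("MAC address is from Apple", 10, lambda ep: vendor_of(ep.mac) == "Apple"),
    Rule('Hostname contains "iPad"', 10, lambda ep: "ipad" in ep.dhcp_hostname.lower()),
    Rule("Web browser is Safari on an iPad", 20, safari_on_ipad),
])


def identify(ep: Endpoint, profiles: List[Profile], store: Dict[str, str]) -> str:
    """Return the stored profile for a known MAC, else the best profile that
    reaches its minimum confidence. A match is stored for future associations."""
    key = normalize_mac(ep.mac)
    if key is None:
        return "Unknown"
    if key in store:
        return store[key]
    matches = [(p.confidence(ep), p) for p in profiles
               if p.confidence(ep) >= p.min_confidence]
    if not matches:
        return "Unknown"
    best = max(matches, key=lambda cp: cp[0])[1]
    store[key] = best.name
    return best.name
```

All three inputs are supplied by the client, so the result identifies a device type for policy selection; it does not authenticate the device.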

Cisco ISE Provides Policy for Wired and Wireless LANs

NCS
• Centralized Monitoring of Wired and Wireless Networking, Users and Endpoints

ISE
• Central Point of Policy for Wired and Wireless Users and Endpoints

• Unified wired and wireless policy (ISE) and management (NCS).

Client Type and Policy Visibility with NCS and ISE Integration

[Screenshot callouts:]
• Device Identity from ISE Integration
• AAA Override Parameters Applied to Client
• Policy Information Including Posture
• NCS Provides Cross-Linking to ISE Reports on Profiling

Rogue Management, Attack Detection and Threat Mitigation

WLAN Security Vulnerabilities and Threats

On-Wire Attacks
• Ad-Hoc Wireless Bridge: Client-to-Client Backdoor Access
• Rogue Access Points: Backdoor Network Access

Over-the-Air Attacks
• Evil Twin/Honeypot AP: Connection to Malicious AP
• Reconnaissance: Seeking Network Vulnerabilities
• Denial of Service: Service Disruption
• Cracking Tools: Sniffing and Eavesdropping

Non-802.11 Attacks
• Backdoor Access: Bluetooth AP
• Service Disruption: Microwave, Bluetooth, RF-Jammers, Radar

Cisco Rogue Management Diagram (Detect)

Multiple Methods
• Switchport Tracing
• RLDP
• RRM Scanning
• Rogue Detector (Listening for Rogues)

[Diagram labels: Network Core, Distribution, Access; Wireless Control System (WCS), Wireless LAN Controller, Authorized AP, Rogue Detector, Rogue AP]

Two Different AP Modes for RRM Scanning

Local Mode Access Points
• Serves clients with time-slicing off channel scanning
• Listens for 50ms on each channel
• Configurable to scan:
  - All Channels
  - Country Channels (Default)
  - DCA Channels

Monitor Mode Access Points
• Dedicated to scanning
• Listens for 1.2s on each channel
• Scans all channels

Rogue Detection Mechanisms
• Any AP not broadcasting the same RF Group name or part of the same mobility group is considered a rogue
• Automatic white listing for autonomous APs managed by WCS

RRM Channel Scanning: Local Mode AP (Detect)

AP on Channel 1 - 802.11 b/g/n – US Country Channels

[Timeline figure: 16s intervals on channel 1 alternating with 50ms visits to channels 2, 3, 4, 5, 6, 7, ... in turn; tick label 10ms]

• Every 16s, a new channel is scanned for 50ms (180sec / 11 channels = ~16s)

AP on Channel 36 - 802.11 a/n – US Country Channels (without UNII-2 Extended)

[Timeline figure: 14.5s intervals on channel 36 alternating with 50ms visits to channels 40, 44, 48, 52, 56, 60, 64, 149, ... in turn; tick label 10ms]

• Every 14.5s, a new channel is scanned for 50ms (180sec / 12 channels = ~14.5s)

RRM Channel Scanning: Monitor Mode AP (Detect)

802.11b/g/n – All Channels

[Timeline figure: 1.2s on each channel in turn: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, ...; tick label 10ms]

• Each channel is scanned a total of ~10.7s ((180s / 1.2s) / 14ch) within the 180s channel scan duration

802.11a/n – All Channels

[Timeline figure: 1.2s on each channel in turn: 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, ...; tick label 10ms]

• Each channel is scanned a total of ~6.8s ((180s / 1.2s) / 22ch) within the 180s channel scan duration

802.11n Rogue Detection (Detect)

802.11n - Mixed Mode
• Detectable by 11a/g devices
• The most common mode of 11n access points
• Facilitates backwards compatibility with 802.11a/g clients by using 11a/g modulation for management and control frames.

802.11n – Greenfield Mode
• Only detectable by 802.11n devices
• In this case, management, control and data frames are sent using 11n modulation schemes

Rogue Classification Rules: Concept (Classify)

• Classification based on threat severity and mitigation action
• Rules tailored to customer risk model

| Lower Severity | Higher Severity |
|---|---|
| Off-Network | On-Network |
| Secured | Open |
| Foreign SSID | Our SSID |
| Weak RSSI | Strong RSSI |
| Distant Location | On-Site Location |
| No Clients | Attracts Clients |

Rogue Classification Rules: Examples (Classify)

Detected as Rogue:
• Rogue Rule: SSID: speedy, RSSI: -80dBm. Marked as Friendly
• Rogue Rule: SSID: Corporate, RSSI: -70dBm. Marked as Malicious
• Rogues Matching No Rule. Marked as Unclassified

Rules Are Stored and Executed on the Wireless LAN Controller

Rogue Classification Rules: Configuration (Classify)

[Screenshot callout: Rules Sorted by Priority]
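How priority-ordered rules like the ones above resolve to Friendly, Malicious or Unclassified, as an added Python sketch (not controller code and not part of the original deck). The rule priorities, the reading of RSSI as a minimum signal strength, the match-all semantics and the third rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rogue:
    ssid: str
    rssi_dbm: int
    open_auth: bool = False   # rogue advertises no encryption
    clients: int = 0          # clients seen associated to the rogue


@dataclass
class RogueRule:
    priority: int             # lower number is evaluated first
    name: str
    classify_as: str          # "Friendly" or "Malicious"
    ssid: Optional[str] = None
    min_rssi_dbm: Optional[int] = None
    open_only: bool = False
    min_clients: Optional[int] = None

    def matches(self, rogue: Rogue) -> bool:
        """Every condition that is set must hold (match-all, assumed)."""
        if self.ssid is not None and rogue.ssid != self.ssid:
            return False
        if self.min_rssi_dbm is not None and rogue.rssi_dbm < self.min_rssi_dbm:
            return False
        if self.open_only and not rogue.open_auth:
            return False
        if self.min_clients is not None and rogue.clients < self.min_clients:
            return False
        return True


def classify(rogue: Rogue, rules: List[RogueRule]) -> str:
    """First matching rule in priority order wins; no match is Unclassified."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(rogue):
            return rule.classify_as
    return "Unclassified"


def shadowed_by(rogue: Rogue, rules: List[RogueRule]) -> List[str]:
    """Lower-priority rules that also match this rogue but never fire."""
    hits = [r for r in sorted(rules, key=lambda r: r.priority) if r.matches(rogue)]
    return [r.name for r in hits[1:]]


# The first two rules use the SSID and RSSI values from the slide; the third
# is a constructed rule built from the "Open" and "Attracts Clients" traits.
RULES = [
    RogueRule(1, "neighbour-speedy", "Friendly", ssid="speedy", min_rssi_dbm=-80),
    RogueRule(2, "spoofed-corporate", "Malicious", ssid="Corporate", min_rssi_dbm=-70),
    RogueRule(3, "open-with-clients", "Malicious", open_only=True, min_clients=1),
]
```

`shadowed_by` is useful when auditing a rule set: a broad Friendly rule placed above a Malicious rule decides the outcome for every rogue that matches both.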

WCS Security Dashboard (Classify)

[Screenshot callouts: Controller IDS and Adaptive wIPS Alarms; Security Index; Rogues by Category]

Rogue Detector AP Mode: Concept (Classify)

[Diagram labels: Authorized AP, Rogue AP, Client ARP, L2 Switched Network, Trunk Port, Rogue Detector]

Wired Rogue Detector AP
• Detects all rogue client and access point ARPs
• Controller queries rogue detector to determine if rogue clients are on the network
• Does not work with NAT APs

Rogue Detector AP Mode: Example Deployment Scenario (Classify)

[Diagram labels: Floor 1 with Rogue Detector Floor 1; Floor 2 with Rogue Detector Floor 2; Floor 3 with Rogue Detector Floor 3]

• Install one rogue detector at each Layer 3 boundary.
• Put more simply - ensure all VLANs are monitored by a rogue detector.

Rogue Detector AP Mode: Operation (Classify)

[Diagram labels: WCS, WLC, Rogue Detector; MAC labels 0009.5b9c.8768 and 0021.4458.6652]

Alarm Changed from Minor to Critical:

Security Alert: Rogue with MAC Address: 00:09:5b:9c:87:68 Has Been Detected on the Wired Network

Debug output:

> debug capwap rm rogue detector
ROGUE_DET: Found a match for rogue entry 0021.4458.6652
ROGUE_DET: Sending notification to switch
ROGUE_DET: Sent rogue 0021.4458.6652 found on net msg

Rogue Detector AP Mode: Configuration (Classify)

WLC: All Radios Become Disabled in This Mode

Switch (diagram callout: AP VLAN):

interface GigabitEthernet1/0/5
 description Rogue Detector
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 113
 switchport mode trunk
 spanning-tree portfast

Rogue Location Discovery Protocol: Concept (Classify)

[Diagram labels: Managed AP, Connect as Client, Rogue AP, Routed/Switched Network, Send Packet to WLC, Controller]

RLDP (Rogue Location Discovery Protocol)
• Connects to Rogue AP as a client
• Sends a packet to controller’s IP address
• Only works with open rogue access points

Rogue Location Discovery Protocol: Operation (Classify)

[Diagram labels: WCS, WLC; rogue MAC label 00:13:5f:fa:27:c0]

Alarm Changed from Minor to Critical:

Security Alert: Rogue with MAC Address: 00:13:5f:fa:27:c0 Has Been Detected on the Wired Network

Debug output:

> debug dot11 rldp
Successfully associated with rogue: 00:13:5f:fa:27:c0
Sending DHCP packet through rogue AP 00:13:5f:fa:27:c0
RLDP DHCP BOUND state for rogue 00:13:5f:fa:27:c0
Returning IP 172.20.226.253, netmask 255.255.255.192, gw 172.20.226.193
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Received 32 byte ARLDP message from: 172.20.226.253:52142

Log messages:

%LWAPP-5-RLDP: RLDP started on slot 0.
%LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
%LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
%LWAPP-5-RLDP: RLDP stopped on slot 0.

Rogue Location Discovery Protocol: Automatic Operation (Classify)

• Two automatic modes of operation:
  - ‘AllAPs’ – Uses both local and monitor APs
  - ‘MonitorModeAPs’ – Uses only monitor mode APs

• Recommended: Monitor Mode APs – RLDP can impact service on client serving APs

Switchport Tracing: Concept (Classify)

[Diagram labels: WCS, Managed AP, Rogue AP; 1 Show CDP Neighbors; 2 CAM Table; 3 CAM Table; Match Found]

WCS Switchport Tracing
• Identifies CDP Neighbors of APs detecting the rogue
• Queries the switches' CAM table for the rogue’s MAC
• Works for rogues with security and NAT

SPT Matches On:
• Rogue Client MAC Address
• Rogue MAC Address
• Rogue MAC +1/-1
• Rogue Vendor OUI
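The four match types listed above, applied to CAM table entries in an added Python sketch (not WCS code and not part of the original deck). The CAM data, switch and port names and MAC addresses are constructed, and ranking the match types in the order the slide lists them is an assumption.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

MASK48 = (1 << 48) - 1
# Match types in the order the slide lists them; using that order as a
# strength ranking is an assumption of this example.
RANK = {"Rogue Client MAC": 0, "Rogue MAC": 1,
        "Rogue MAC +1/-1": 2, "Rogue Vendor OUI": 3}


def mac_to_int(mac: str) -> int:
    """Accept 00:11:22:33:44:55, 0011.2233.4455 or 00-11-22-33-44-55."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def match_type(cam_mac: int, rogue: int, clients: Set[int]) -> Optional[str]:
    if cam_mac in clients:
        return "Rogue Client MAC"
    if cam_mac == rogue:
        return "Rogue MAC"
    if cam_mac in ((rogue + 1) & MASK48, (rogue - 1) & MASK48):
        return "Rogue MAC +1/-1"      # wired MAC adjacent to the radio MAC
    if cam_mac >> 24 == rogue >> 24:
        return "Rogue Vendor OUI"     # same first three octets
    return None


def trace(rogue_bssid: str, rogue_clients: Iterable[str],
          cam_entries: Iterable[Tuple[str, str, str]]) -> List[Dict]:
    """Return candidate ports, strongest match first, then fewest MACs."""
    rogue = mac_to_int(rogue_bssid)
    clients = {mac_to_int(m) for m in rogue_clients}
    ports: Dict[Tuple[str, str], List[int]] = {}
    for switch, port, mac in cam_entries:
        ports.setdefault((switch, port), []).append(mac_to_int(mac))
    results = []
    for (switch, port), macs in ports.items():
        kinds = [k for k in (match_type(m, rogue, clients) for m in macs) if k]
        if kinds:
            best = min(kinds, key=RANK.__getitem__)
            results.append({"switch": switch, "port": port,
                            "match": best, "macs_on_port": len(macs)})
    results.sort(key=lambda r: (RANK[r["match"]], r["macs_on_port"]))
    return results


# Constructed sample data (locally administered MACs, hypothetical switches).
SAMPLE_ROGUE = "02:aa:bb:00:10:01"
SAMPLE_CLIENTS = ["02:cc:dd:00:00:09"]
SAMPLE_CAM = [
    ("sw-access-1", "Gi1/0/7", "02aa.bb00.1000"),   # rogue BSSID - 1
    ("sw-access-1", "Gi1/0/7", "02cc.dd00.0009"),   # rogue client, bridged
    ("sw-access-1", "Gi1/0/12", "02aa.bb77.0001"),  # same OUI only
    ("sw-access-1", "Gi1/0/20", "02ee.ff00.0002"),  # unrelated host
    ("sw-dist-1", "Po1", "02aa.bb00.1000"),         # uplink sees everything
    ("sw-dist-1", "Po1", "02cc.dd00.0009"),
    ("sw-dist-1", "Po1", "02aa.bb77.0001"),
    ("sw-dist-1", "Po1", "02ee.ff00.0002"),
]
```

The MAC count per port separates the edge port from uplinks that learn the same addresses, and an OUI-only hit is the weakest evidence and is best confirmed before a port is shut.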

WCS Switchport Tracing: Operation (Cont.) (Classify)

[Screenshot callouts: Match Type; Number of MACs Found on the Port; Uncheck to Shut the Port]

Rogue Location: On-Demand with WCS (Mitigate)

• Allows an individual rogue AP to be located on-demand
• Keeps no historical record of rogue location
• Does not locate rogue clients

Rogue Location: In Real-Time with WCS and MSE Context-Aware (Mitigate)

• Tracks multiple rogues in real-time (up to MSE limits)
• Can track and store rogue location historically
• Provides location of rogue clients
• Provides location of rogue ad-hoc networks

Rogue Containment: Concept (Mitigate)

[Diagram labels: Authorized AP, De-Auth Packets, Rogue AP, Rogue Client]

Rogue AP Containment
• Sends De-Authentication (or Disassociation) Packets to Client and AP
• Can use local, monitor mode or H-REAP APs
• Impacts client performance on local/H-REAP APs
• A temporary solution till the rogue can be tracked down.

Rogue Containment: Local Mode APs (Mitigate)

• Broadcast and Unicast Deauth Frames
• A local mode AP can contain 3 rogues per radio
• Containment packets sent every 500ms

Rogue Containment: Monitor Mode APs (Mitigate)

• Unicast Deauth and Unicast Disassociation Frames
• A monitor mode AP can contain 6 rogues per radio
• Containment packet sent every 100ms

Rogue Containment: Auto-Containment Configuration (Mitigate)

[WLC screenshot callout: Ability to Use Only Monitor Mode APs for Containment to Prevent Impact to Clients]

• Use auto-containment to nullify the most alarming threats
• Containment can have legal consequences when used improperly

Cisco’s Attack Detection Mechanisms

Base IDS
• Built-In to Controller Software
• Uses Local and Monitor Mode APs

Adaptive wIPS
• Requires MSE
• Uses wIPS Monitor Mode and/or Local APs

Adaptive wIPS Components and Functions

• AP: Attack Detection, 24x7 Scanning (Over-the-Air Detection)
• WLC: Configuration (wIPS AP Management)
• MSE: Alarm Archival, Capture Storage (Complex Attack Analysis, Forensics, Events)
• WCS / NCS: Centralized Monitoring, Historic Reporting (Monitoring, Reporting)

Cisco Adaptive wIPS with Dedicated Monitor Mode APs

• Adaptive wIPS monitor mode is available for 1130/1240, 1040/1140/1250, 1260 and 3500 Access Points

Adaptive wIPS Monitor Mode Deployment Recommendations

• Monitor-mode wIPS APs do not serve clients, thus have greater range
  - Client-serving AP typically covers 914.4-1524 square meters
  - wIPS AP typically covers 4572–10668 square meters
• Ratio of wIPS monitor-mode APs to local-mode traffic APs varies by network design, but 1:5 ratio is reasonable estimate
• wIPS APs can simultaneously run context-aware location in monitor mode

Cisco Adaptive wIPS with Enhanced Local Mode (ELM)

• Adaptive wIPS scanning in data serving access points, including HREAP mode APs.
• Provides protection without needing a separate overlay network.
• ELM supported APs: 1040, 1140, 1250, 1260 & 3500

[Diagram: Without ELM, separate Data Serving and wIPS Monitor Mode APs; With ELM, Single Data and wIPS AP]

Cisco Adaptive Wireless IPS with Enhanced Local Mode Can Reduce Capital Investment by > 50%

Mobility Services Engine Support for Cisco Motion Services

| | 3310 Mobility Services Engine | 3355 Mobility Services Engine |
|---|---|---|
| Adaptive wIPS | Supports up to 2000 Monitor Mode APs | Supports up to 3000 Monitor Mode APs |
| Context Aware | Supports up to 2000 Tracked Devices | Supports up to 18000 Tracked Devices |

• Services can co-exist on the same MSE, but per-service maximums decrease. For example, the MSE3310 can handle 1000 wIPS APs + 1000 Context Tracked Items.
• Mobility services may have different WLC/WCS software requirements
• Adaptive wIPS is licensed on a per-AP basis (both monitor mode and ELM APs count the same)

Comparison Between Base IDS and Adaptive wIPS

| | Local | Monitor | wIPS ELM | wIPS Monitor |
|---|---|---|---|---|
| Client Service | Yes | X | Yes | X |
| Rogue Detection and Containment | Yes | Yes | Yes | Yes |
| Attacks Detected | 17 | 17 | 39 | 45 |
| Attack Encyclopedia | X | X | Yes | Yes |
| Forensics | X | X | Yes | Yes |
| Anomaly Detection | X | X | Yes | Yes |
| MSE Required | X | X | Yes | Yes |
| WCS Required | X | X | Yes | Yes |

Management Frame Protection: Concept

Problem
• Wireless management frames are not authenticated, encrypted, or signed
• A common vector for exploits

Solution
• Insert a signature (Message Integrity Code/MIC) into the management frames
• Clients and APs use MIC to validate authenticity of management frame
• APs can instantly identify rogue/exploited management frames

[Diagram: frame types shown under Infrastructure MFP Protected and Client MFP Protected (CCXv5): AP Beacons; Probe Requests/Probe Responses; Associations/Re-Associations; Disassociations; Authentications/De-Authentications; Action Management Frames]

Cisco Wired IPS Integration: Unified Intrusion Prevention

Business Challenge: Mitigate Network Misuse, Hacking and Malware from WLAN Clients

• Inspects traffic flow for harmful applications and blocks wireless client connections
• Layer 3-7 Deep Packet Inspection
• Eliminates risk of contamination from wireless clients
• Zero-day response to viruses, malware and suspect signatures

[Diagram labels: Client Shun, L2 IDS, Malicious Traffic, L3-7 IDS, Enterprise Intranet, Cisco ASA with IPS]

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml

WLAN Security Vulnerabilities and Threats

On-Wire Attacks (Rogue Detection, Classification and Mitigation Addresses These Attacks)
• Ad-Hoc Wireless Bridge: Client-to-Client Backdoor Access
• Rogue Access Points: Backdoor Network Access

Over-the-Air Attacks
• Evil Twin/Honeypot AP: Connection to Malicious AP (MFP Neutralizes All Management Frame Exploits, Such as Man-in-the-Middle Attacks)
• Reconnaissance: Seeking Network Vulnerabilities
• Cracking Tools: Sniffing and Eavesdropping (WPA2/802.11i Neutralizes Recon and Cracking Attacks)
• Denial of Service: Service Disruption (wIPS Detects These Attacks)

Non-802.11 Attacks
• Backdoor Access: Bluetooth AP
• Service Disruption: Microwave, Bluetooth, RF-Jammers, Radar

Interference Also Presents a Security Concern

| Interference Type | Throughput Reduction, Near (7.6 m) | Throughput Reduction, Far (22.8 ft) |
|---|---|---|
| Jammer | 100% | 100% |
| Video Camera | 100% | 57% |
| Wi-Fi (busy neighbor) | 90% | 75% |
| Microwave Oven | 63% | 53% |
| Bluetooth Headset | 20% | 17% |
| DECT Phone | 18% | 10% |

End User Impact
• Reduced network capacity and coverage
• Poor quality voice and video
• Potential Denial of Service

IT Manager Impact
• Potential security breaches
• Support calls
• Increased cost of operation

CleanAir is Purpose Built to Deal with Interference Issues

Cisco CleanAir: Detect and Classify
• Uniquely identify and track multiple interferers
• Detects security-risk interferers like RF Jammers and Video Camera.
• Assess unique impact to Wi-Fi performance
• Monitor AirQuality

[Figure: AirQuality readings]

High-Resolution Interference Detection and Classification Logic Built-In to Cisco’s 802.11n Wi-Fi Chip Design. Inline Operation with No CPU or Performance Impact.

WLAN Security Vulnerabilities and Threats

On-Wire Attacks (Rogue Detection, Classification and Mitigation Addresses These Attacks)
• Ad-Hoc Wireless Bridge: Client-to-Client Backdoor Access
• Rogue Access Points: Backdoor Network Access

Over-the-Air Attacks
• Evil Twin/Honeypot AP: Connection to Malicious AP (MFP Neutralizes All Management Frame Exploits, Such as Man-in-the-Middle Attacks)
• Reconnaissance: Seeking Network Vulnerabilities
• Cracking Tools: Sniffing and Eavesdropping (WPA2/802.11i Neutralizes Recon and Cracking Attacks)
• Denial of Service: Service Disruption (wIPS Detects These Attacks)

Non-802.11 Attacks (Cisco CleanAir Detects These Attacks)
• Backdoor Access: Bluetooth AP
• Service Disruption: Microwave, Bluetooth, RF-Jammers, Radar

Thank you.