

Cisco Unified Wireless Security Integration

Cisco Integrated Security Features Integration
ARP Spoofing-based Man-In-the-Middle Attack
Using Port Security to Mitigate a MAC Flooding Attack
Using Port Security to Mitigate a DHCP Starvation Attack
Using DHCP Snooping to Mitigate a Rogue DHCP Server Attack
Using Dynamic ARP Inspection to Mitigate a Man-in-the-Middle Attack
Using IP Source Guard to Mitigate IP and MAC Spoofing

This chapter discusses the integration of wired network security into the Cisco Unified Wireless Solution.

Cisco provides a wide range of security features and products that are applicable to the Cisco Unified Wireless Solution. This chapter provides a collection of best practices that help integrate the most common security features and products into a wireless environment. The three areas of discussion are the following:

- Intrusion detection systems (IDS) and intrusion protection systems (IPS) integration
- Cisco Integrated Security Features (CISF) integration

Note: A wide range of Cisco security solutions do not directly interact with the Cisco Unified Wireless Solution, but are applicable to both wired and wireless deployments. These are not discussed in detail in this design guide; for more information on security solutions, see the following URL:

An IDS operates by first detecting an attack occurring at the network level, and then either triggering a corrective action or notifying a management system so that an administrator can take action.

An IPS performs a similar analysis to that of an IDS, but is inline with the traffic flow. Rather than simply notifying network nodes about security issues, an IPS can block traffic that matches attack signatures. This gives the IPS the ability to block an attack on the fly rather than simply detecting it.

Figure 9-1 illustrates the IPS concept: the IPS is inserted into the data path and signals the Wireless LAN Controller (WLC) when an attack is blocked.

For the WLC to be able to disconnect a client whose attack has been detected by the IPS, it must learn about the client. To do this, the WLC regularly polls the IPS for information on which clients are currently targets for shunning. The IPS returns the IP addresses of currently shunned clients; the WLC uses this information to disconnect clients with those IP addresses in the WLC mobility group. The minimum polling time is ten seconds, which means that there is a potential delay between the time that the attack is detected and the time the attacker is blocked at the WLC.

Although this means that there may be a delay in disconnecting the detected client because of the polling interval, it removes any requirement for the IPS to be aware of the network topology and to send shun information to a specific WLC. The delay introduced by polling needs to be viewed in the context of the overall IPS system, where the IPS itself has already taken action to block the attack and shun the client, and the WLC acts to augment that functionality by disconnecting the offending client from the network.

Note: This IPS integration feature specifically uses the shunning of clients based on the information from the IPS. The decision to shun WLAN clients based on IPS information needs to be made within the context of the enterprise IPS implementation. Enterprises where the shunning of a client may cause excessive disruption to business, or that are vulnerable to attacks from spoofed IP addresses (source address checking not enforced at the access layer), may choose not to shun the client, or may only turn to shunning in special temporary circumstances. WLC features can enforce IP address spoofing protection, but the protection must extend to the remaining network to ensure that IPS shunning is not used to create a denial-of-service (DoS) attack through the spoofing of IP addresses.

Figure 9-5 shows the WLC configuration page for connection to an IPS. The WLC establishes the connection to the IPS, normally through port 443. A viewing account must exist on the IPS to which the WLC can connect with its username and password. A Transport Layer Security (TLS) certificate hash of the IPS server is also required. The State check box controls whether the WLC attempts to connect to the IPS: if the box is checked and the configuration is correct, the connection is active; if the box is unchecked, the connection is inactive.

Cisco provides a wide variety of security features that are either integrated into Cisco IOS, integrated into modules, or offered as appliances. The Cisco Unified Wireless architecture eases the integration of these security features into the solution because it provides a Layer 2 connection between the WLAN clients and the extended network.
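The WLC-to-IPS polling and shunning behaviour described above, together with the spoofed-address caveat from the note, modelled as an added Python example. This is not code from the design guide or from any Cisco product; the client table, the shun list, the addresses and the ip_verified flag (standing in for a trusted IP-to-client binding such as one learned through DHCP) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set
import math

POLL_INTERVAL_SECONDS = 10  # minimum polling interval stated in the design guide

@dataclass
class Client:
    ip: str
    ip_verified: bool  # True when the IP came from a trusted binding (e.g. DHCP snooping)

@dataclass
class WlcShunPolicy:
    """Hypothetical stand-in for a WLC applying the IPS shun list to its own clients."""
    clients: Dict[str, Client]        # associated clients keyed by MAC address
    require_verified_ip: bool = True  # refuse to act on spoofable, unverified bindings
    disconnected: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)

    def poll(self, shun_list: Set[str]) -> List[str]:
        """One polling cycle: disconnect clients whose IP the IPS currently shuns."""
        acted = []
        for mac, client in list(self.clients.items()):
            if client.ip not in shun_list:
                continue
            if self.require_verified_ip and not client.ip_verified:
                # Never let a spoofed source address knock a legitimate client
                # offline: this is the DoS risk the guide's note warns about.
                self.skipped.append(mac)
                continue
            acted.append(mac)
            del self.clients[mac]
        self.disconnected.extend(acted)
        return acted

def time_to_block(detect_time: float, poll_interval: float = POLL_INTERVAL_SECONDS) -> float:
    """Seconds from IPS detection until the next WLC poll picks up the shun entry."""
    return math.ceil(detect_time / poll_interval) * poll_interval - detect_time

def run_sample() -> Dict[str, List[str]]:
    """Constructed data: two WLCs in one mobility group read the same IPS shun list."""
    shun_list = {"10.1.1.20", "10.1.1.30"}  # constructed addresses
    wlc_a = WlcShunPolicy({"00:11:22:33:44:01": Client("10.1.1.10", True),
                           "00:11:22:33:44:02": Client("10.1.1.20", True)})
    wlc_b = WlcShunPolicy({"00:11:22:33:44:03": Client("10.1.1.30", False)})
    wlc_a.poll(shun_list)
    wlc_b.poll(shun_list)
    return {"a_disconnected": wlc_a.disconnected,
            "b_disconnected": wlc_b.disconnected, "b_skipped": wlc_b.skipped}
```

With require_verified_ip left at its default, the client on the second WLC whose address was never validated is reported in skipped rather than disconnected, which is the conservative choice the note describes for networks without source address checking at the access layer.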
