Cisco Systems OL-7426-03 Network Router User Manual

5/26/05 Cisco WLAN Solution Security
OL-7426-03
Layer 3 Solutions
The weaknesses of WEP can be further mitigated with industry-standard Layer 3 security solutions such as
VPNs (virtual private networks), L2TP (Layer Two Tunneling Protocol), and IPsec (IP security). The Cisco
WLAN Solution L2TP implementation runs over IPsec, and the IPsec implementation includes IKE (Internet
Key Exchange), DH (Diffie-Hellman) groups, and three optional encryption algorithms: DES (ANSI X3.92
Data Encryption Standard), 3DES (ANSI X9.52-1998 Triple Data Encryption Algorithm), or AES/CBC
(Advanced Encryption Standard in cipher block chaining mode). Of these, only 3DES and AES offer meaningful
key strength; single DES has a 56-bit key and should be selected only for peers that support nothing
stronger. Client disabling is also used to automatically block Layer 3 access for a client after an
operator-set number of failed authentication attempts.
The Cisco WLAN Solution IPsec implementation also provides industry-standard packet authentication
(integrity protection) using keyed MD5 (Message Digest 5) or SHA-1 (Secure Hash Algorithm 1).
The Cisco WLAN Solution supports local and RADIUS MAC (media access control) address filtering. This
filtering is best suited to small client groups with a known list of 802.11 adapter MAC addresses. Because
a MAC address is transmitted in the clear and is easily spoofed, treat MAC filtering as an administrative
convenience rather than as authentication, and combine it with one of the encryption and authentication
methods described above.
Finally, the Cisco WLAN Solution supports local and RADIUS user-name/password authentication, which is
best suited to small and medium-sized client groups.
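Both the MAC filtering and the user-name/password authentication described above reduce to an identity check, performed either locally on the controller or at a RADIUS server. The following is an added example, not code from the Cisco WLAN Solution: it shows a local MAC-filter lookup beside a complete RFC 2865 Access-Request/Access-Accept exchange for RADIUS MAC filtering, including the User-Password hiding and the Response Authenticator check that lets the client side reject a forged verdict. Sending the client MAC as both User-Name and User-Password, the MAC text format, the shared secret and the allow list are assumptions about how a controller might present a MAC to the server.

```python
"""RADIUS MAC filtering exchange, modelling the local and RADIUS MAC filtering
described above.

Added example, not Cisco code. The packet layout and User-Password hiding
follow RFC 2865; sending the client MAC as both User-Name and User-Password,
the MAC text format, the shared secret and the allow list are constructed
assumptions about how a controller might present a MAC to the server.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

SHARED_SECRET = b"example-secret"                          # constructed
ALLOWED_MACS = {"00:40:96:a1:b2:c3", "00:40:96:00:11:22"}  # constructed allow list


def _attr(atype, value):
    """Type-Length-Value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def _unhide_password(hidden, secret, authenticator):
    """Inverse of _hide_password: the key chain is driven by the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_mac_auth_request(mac, ident, secret=SHARED_SECRET, authenticator=None):
    """Access-Request carrying the client MAC as User-Name and (hidden) User-Password."""
    req_auth = authenticator or os.urandom(16)
    user = mac.encode()
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, _hide_password(user, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(blob):
    """Flatten TLVs into {type: value}; enough for the two attributes used here."""
    attrs = {}
    while blob:
        atype, alen = blob[0], blob[1]
        attrs[atype] = blob[2:alen]
        blob = blob[alen:]
    return attrs


def radius_server(packet, secret=SHARED_SECRET, allowed=ALLOWED_MACS):
    """Minimal server: recover the MAC, check it against the allow list and answer
    with Accept or Reject. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so the client can
    tell a genuine verdict from a forged or replayed one."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    name = attrs[USER_NAME].decode()
    password = _unhide_password(attrs[USER_PASSWORD], secret, req_auth).decode()
    accepted = code == ACCESS_REQUEST and name == password and name.lower() in allowed
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_check(response, request, secret=SHARED_SECRET):
    """Verify identifier and Response Authenticator before trusting the verdict."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        raise ValueError("RADIUS response failed authenticator check")
    return code == ACCESS_ACCEPT


def mac_filter(mac, use_radius=False, allowed=ALLOWED_MACS):
    """Local filtering is a set lookup on the controller; RADIUS filtering sends
    the same identity to the server. Either way the decision rests on a MAC
    address, which is sent in the clear and is trivially spoofed."""
    if not use_radius:
        return mac.lower() in allowed
    request = build_mac_auth_request(mac, ident=7)
    return client_check(radius_server(request, allowed=allowed), request)
```

Nothing in the exchange proves that the client owns the MAC it presents; the server only confirms that the string is on the list. That is why the page pairs MAC filtering with the encryption and user authentication methods above rather than relying on it alone.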
Single Point of Configuration Policy Manager Solutions
When the Cisco WLAN Solution is equipped with Cisco WCS (Wireless Control System), you can configure
system-wide security policies on a per-WLAN basis. SOHO access points force you to configure security
policies individually on each access point, or to use a third-party appliance to push security policies
to multiple access points.
Because Cisco WLAN Solution security policies are applied to the whole system from Cisco WCS, per-device
configuration errors and policy drift are avoided and the overall effort is greatly reduced.
Rogue Access Point Solutions
Rogue Access Point Challenges
Rogue access points can disrupt WLAN operations by hijacking legitimate clients and by mounting
plaintext-capture, denial-of-service, or man-in-the-middle attacks. For example, an attacker can use a
rogue access point to capture sensitive information, such as user names and passwords, from the clients
that associate with it. The attacker can also transmit a stream of clear-to-send (CTS) frames, which mimic
an access point granting one NIC permission to transmit while instructing all others to wait (each CTS
reserves the medium for the duration it carries), leaving legitimate clients unable to reach WLAN
resources. WLAN service providers therefore have a strong interest in keeping rogue access points out of
their air space.
The Operating System Security solution uses the Radio Resource Management (RRM) function and the
Cisco 1000 Series lightweight access points to continuously scan the air, automatically discover rogue
access points, and locate them as described in Detecting and Locating Rogue Access Points.
Tagging and Containing Rogue Access Points
When the Cisco WLAN Solution is monitored using Cisco Wireless Control System, Cisco WCS raises rogue
access point traps and lists the known rogue access points by MAC address. The operator can then display
a map showing the Cisco 1000 Series lightweight access points closest to each rogue access point, and mark
each rogue as Known or Acknowledged (no further action), as Alert (watch for it and notify when it is
active), or as Contained (have between one and four Cisco 1000 Series lightweight access points discourage
the rogue's clients by sending them deauthenticate and disassociate messages whenever they associate
with the rogue access point). Because containment transmits deauthentication frames to another network's
clients, apply it only to rogues you have confirmed are on your own premises.
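The workflow described in the two sections above (discover rogues from what the managed access points hear, estimate location from the closest access points, tag each rogue Known, Alert or Contained, and pick up to four access points for containment) can be expressed as a small triage routine. The following is an added example, not code from the Cisco WLAN Solution, RRM or Cisco WCS; the managed-AP table, scan reports, CTS frame records, and all function and state names are constructed assumptions. It also includes a detector for the CTS flood described under Rogue Access Point Challenges, which the page names but does not show how to spot.

```python
"""Rogue access point triage following the detect / locate / tag / contain
workflow described above.

This is an added, illustrative example, not code from the Cisco WLAN Solution
or Cisco WCS. The managed-AP table, the scan reports, the CTS frame records and
every function and state name below are constructed assumptions.
"""

# Constructed: managed Cisco 1000 Series lightweight APs, BSSID -> name
MANAGED_APS = {
    "00:0b:85:aa:00:01": "ap-floor1-east",
    "00:0b:85:aa:00:02": "ap-floor1-west",
    "00:0b:85:aa:00:03": "ap-floor2-east",
}
CORPORATE_SSIDS = {"corp-wlan"}   # SSIDs only our own APs may advertise

# Constructed scan reports: (sensor AP BSSID, heard BSSID, SSID, RSSI in dBm)
OBSERVATIONS = [
    ("00:0b:85:aa:00:01", "00:0b:85:aa:00:02", "corp-wlan", -55),  # managed neighbour
    ("00:0b:85:aa:00:01", "00:13:10:de:ad:01", "corp-wlan", -42),  # impostor on our SSID
    ("00:0b:85:aa:00:02", "00:13:10:de:ad:01", "corp-wlan", -61),
    ("00:0b:85:aa:00:03", "00:13:10:de:ad:01", "corp-wlan", -78),
    ("00:0b:85:aa:00:02", "00:0f:66:ca:fe:02", "linksys", -70),    # unknown SOHO AP
]

# Operator tags, matching the states described on this page
KNOWN, ALERT, CONTAINED = "Known", "Alert", "Contained"


def find_rogues(observations, managed=MANAGED_APS):
    """Everything heard that is not a managed BSSID, keyed by rogue BSSID, with
    the SSID it beacons and the strongest RSSI at which each sensor heard it."""
    rogues = {}
    for sensor, bssid, ssid, rssi in observations:
        if bssid in managed:
            continue
        entry = rogues.setdefault(bssid, {"ssid": ssid, "heard_by": {}})
        entry["heard_by"][sensor] = max(rssi, entry["heard_by"].get(sensor, -200))
    return rogues


def nearest_sensors(rogue, limit=4):
    """Managed APs that hear the rogue, strongest signal first. The first entry
    is the best 'closest AP' estimate; up to four are used for containment."""
    ranked = sorted(rogue["heard_by"].items(), key=lambda kv: kv[1], reverse=True)
    return [sensor for sensor, _ in ranked[:limit]]


def default_state(rogue, corporate_ssids=CORPORATE_SSIDS):
    """Suggested initial tag: a rogue advertising one of our own SSIDs is the
    client-hijack / man-in-the-middle case and is proposed for containment;
    anything else starts as Alert. Operators may downgrade either to Known."""
    return CONTAINED if rogue["ssid"] in corporate_ssids else ALERT


def containment_plan(rogue, max_aps=4):
    """Managed APs that would send deauthenticate/disassociate frames to the
    rogue's clients. Empty unless the rogue is tagged Contained."""
    if default_state(rogue) != CONTAINED:
        return []
    return nearest_sensors(rogue, limit=max_aps)


def triage(observations=OBSERVATIONS):
    """One report entry per rogue: SSID, proposed tag, nearest sensors, plan."""
    return {
        bssid: {
            "ssid": r["ssid"],
            "state": default_state(r),
            "nearest": nearest_sensors(r),
            "contain_with": containment_plan(r),
        }
        for bssid, r in find_rogues(observations).items()
    }


def cts_flood(frames, window_s=1.0, min_nav_us=2000, threshold=20):
    """Flag the CTS flood described above. `frames` are constructed control-frame
    records (timestamp_s, frame_type, duration_us); only CTS frames that reserve
    the medium for at least `min_nav_us` count, and more than `threshold` of
    them inside any sliding window of `window_s` seconds is a flood."""
    times = sorted(t for t, ftype, dur in frames if ftype == "CTS" and dur >= min_nav_us)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


if __name__ == "__main__":
    for bssid, entry in triage().items():
        print(bssid, entry)
    burst = [(i * 0.02, "CTS", 30000) for i in range(25)]   # 25 long-NAV CTS in 0.5 s
    print("CTS flood:", cts_flood(burst))
```

The routine only proposes tags and a containment plan; it never transmits frames. That split mirrors the page's own workflow, where an operator confirms the rogue on the map before selecting Contained, and it keeps the deauthentication decision out of automatic code.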
When the Cisco WLAN Solution is monitored using the Web User Interface or the Command Line Interface,
the interface displays the known rogue access points by MAC address. The operator then has
the option of marking them as Known or Acknowledged rogue access points (no further action),