Question: I’ve heard a lot about how Cisco’s containment can be used to lock down rogue access points… but sometimes legitimate networks get contained by their neighbors. How can I make sure that never happens to my company’s network?
Answer: The answer is to implement Management Frame Protection (MFP). MFP is easy to set up and it will make your network bulletproof to containment, as well as a slew of other attacks.
Another One Bites the Dust – a classic '80s hit by Queen about the impending revenge of a young man named Steve, but it could also describe what happens to a broad range of attacks aimed at your wireless network after a few well-placed clicks of your mouse.
Most reconnaissance and denial of service attacks against wireless networks are based on the misuse of management frames. Twelve of the seventeen standard signatures that wireless controllers constantly look for are based on management frames. Disassociation and deauthentication floods, which we commonly refer to as containment, fit in that group, as do null probe responses, which give an attacker an easy way to lock up most wireless clients. These frames are all sent without any kind of encryption or authentication because they have to be sent that way – they operate at such a fundamental level of wireless networking that we have no choice, and because of that we are all vulnerable.
Or at least we were… until MFP came along. With MFP we are able to attach an encrypted information element, or IE, to the end of each management frame sent by our access points, making the identification of legitimate management frames simple and efficient, as well as impossible to spoof.
There are two flavors of MFP, Infrastructure MFP (aka MFP-1) and Client and Infrastructure MFP (MFP-2).
With MFP-1 the access points download an encryption key from the controller. For every management frame an AP sends, it will attach an IE that includes a sequence count, time stamp, and message integrity check embedded in it. The IE is encrypted with a key given by the controller. This key is linked to the wired interface used by the WLAN. This means that if the WLANs use different VLANs, they will use different keys; if the WLANs use the same VLAN, they will use the same key. Other APs that are in range will hear the management frame and be able to validate the attached IE. If the IE is incorrect in any way, the validator AP will forward that information to the controller, which can then forward the report to WCS. APs belonging to the same mobility group will use the same keys, so APs can validate management frames sent by APs on other controllers in an enterprise network.
With MFP-2, the clients download the key for their WLAN after they have authenticated to the network, and they validate every management frame they hear. If the client hears a valid frame it reports nothing, and if the frame applies to it the client obeys the command. If the client hears an invalid frame it ignores the instructions delivered in the command and reports the incident to its supporting AP, which then forwards the report to the controller and up to WCS. Let me rephrase the first part of that sentence for you: if someone tries to use a null probe response to lock up your clients, your clients shrug it off and report it! If someone tries to contain your network, your clients ignore their attempts to shut you down and, again, report it! Your clients become bulletproof to a wide range of wireless DoS attacks. Before you get too excited, though, I need to let you know that only clients supporting Cisco Compatible Extensions (Version 5) can participate in MFP-2.
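To make the validate-or-report behaviour of the two paragraphs above concrete, here is a small Python model I have added; it is not code from the original post and does not reproduce Cisco's actual IE layout or algorithm. It assumes a per-VLAN key handed out by the controller, an HMAC-SHA256 MIC truncated to 16 bytes, and a 60-second timestamp window; the AP, the validator, the key and the frames are all constructed for the demo. A protected AP signs each management frame with a sequence number, timestamp and MIC, and a validator (a neighbouring AP under MFP-1, or a CCXv5 client under MFP-2) accepts only frames that carry a fresh, correctly signed IE and files a report for everything else, which is exactly why a spoofed deauthentication or a replayed frame gets shrugged off.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Assumed parameters of this model (not Cisco's real values).
MIC_WINDOW_SECONDS = 60   # how far a frame's timestamp may drift from the validator's clock
IE_LENGTH = 24            # 4-byte sequence + 4-byte timestamp + 16-byte truncated MIC


def build_mfp_ie(key: bytes, bssid: str, subtype: str, body: bytes, seq: int, ts: int) -> bytes:
    """Build the protection IE: seq || timestamp || MIC over (bssid, subtype, body, seq, ts)."""
    header = struct.pack("!II", seq, ts)
    covered = bssid.encode() + subtype.encode() + body + header
    mic = hmac.new(key, covered, hashlib.sha256).digest()[:16]
    return header + mic


@dataclass
class ProtectedAP:
    """An access point that signs every management frame it sends (MFP-1 sender side)."""
    bssid: str
    key: bytes           # key downloaded from the controller for this WLAN's VLAN
    seq: int = 0

    def send(self, subtype: str, body: bytes, now: int) -> dict:
        self.seq += 1
        ie = build_mfp_ie(self.key, self.bssid, subtype, body, self.seq, now)
        return {"bssid": self.bssid, "subtype": subtype, "body": body, "mfp_ie": ie}


@dataclass
class Validator:
    """A neighbouring AP or a CCXv5 client holding the same key (validator side)."""
    key: bytes
    last_seq: dict = field(default_factory=dict)   # highest sequence number seen per BSSID
    reports: list = field(default_factory=list)    # (bssid, subtype, reason) sent up to the controller

    def validate(self, frame: dict, now: int) -> bool:
        ie = frame.get("mfp_ie")
        if ie is None or len(ie) != IE_LENGTH:
            return self._reject(frame, "missing or malformed MFP IE")
        seq, ts = struct.unpack("!II", ie[:8])
        expected = build_mfp_ie(self.key, frame["bssid"], frame["subtype"], frame["body"], seq, ts)
        if not hmac.compare_digest(ie, expected):
            return self._reject(frame, "bad MIC")
        if abs(now - ts) > MIC_WINDOW_SECONDS:
            return self._reject(frame, "stale timestamp")
        if seq <= self.last_seq.get(frame["bssid"], 0):
            return self._reject(frame, "replayed sequence number")
        self.last_seq[frame["bssid"]] = seq
        return True   # valid frame: obey it, report nothing

    def _reject(self, frame: dict, reason: str) -> bool:
        # Invalid frame: ignore the command and report it to the supporting AP / controller.
        self.reports.append((frame["bssid"], frame["subtype"], reason))
        return False


def run_demo():
    """Constructed scenario: one legitimate deauth, then three frames a validator must discard."""
    key = b"constructed-per-vlan-key-from-controller"
    ap = ProtectedAP("00:11:22:33:44:55", key)
    client = Validator(key)
    now = 1_700_000_000
    deauth_body = b"\x00\x03"   # reason code 3 in a legitimate deauthentication

    legit = ap.send("deauth", deauth_body, now)
    ok_legit = client.validate(legit, now)                       # True: obeyed, no report

    # 1) A deauth from a third party that does not hold the key carries no IE at all.
    unsigned = {"bssid": ap.bssid, "subtype": "deauth", "body": deauth_body}
    ok_unsigned = client.validate(unsigned, now)                 # False: reported

    # 2) The captured legitimate frame played back a few seconds later.
    ok_replay = client.validate(legit, now + 5)                  # False: sequence number reused

    # 3) An IE computed with the wrong key.
    wrong_ie = build_mfp_ie(b"wrong-key", ap.bssid, "deauth", deauth_body, 99, now)
    ok_wrong_key = client.validate(dict(legit, mfp_ie=wrong_ie), now)   # False: bad MIC

    return ok_legit, ok_unsigned, ok_replay, ok_wrong_key, client.reports


if __name__ == "__main__":
    for line in run_demo()[4]:
        print("report:", line)
```

The three rejected frames map onto the cases the post describes: a frame without the key-derived IE, a replay of a real frame, and a frame whose IE does not verify. In each case the validator drops the command and queues a report, while the one correctly signed frame is honoured silently.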
Now that we’ve told you what MFP can do, let’s talk about how you set it up; it only takes three steps.
- In the controller’s GUI, navigate to Security > Wireless Protection Policies > AP Authentication/MFP, and in the Protection Type drop-down menu select Management Frame Protection. This enables MFP globally on the controller, letting you use MFP on the WLANs you designate.
- Navigate to WLANs > wlan_id_number > Security > Layer 2 Policies. WPA2 is required in order for the WLAN to use MFP, so in the Layer 2 Security drop-down menu, select WPA+WPA2. In the fields below, make sure you have enabled WPA2 policy and WPA2 encryption (TKIP or AES are both acceptable).
- Navigate to WLANs > wlan_id_number > Advanced. Check the box for Infrastructure MFP Protection. This enables access points to participate in Infrastructure MFP, causing the APs to digitally sign their management frames. Then use the MFP Client Protection drop-down menu to select either “Disabled”, “Optional” or “Required”, according to your clients’ capabilities and the level of protection you desire. The “Disabled” setting turns off client support for MFP. “Optional” enables client devices to participate as validator devices if they are capable, but still allows clients that cannot support MFP to join the network. The “Required” setting makes client MFP support mandatory: devices which don’t support MFP will not be allowed to join the network.
So, for any of you who ever hear me walking into the classroom or your job site humming Another One Bites the Dust, now you know the story behind it. I’m worry-free and I love my WLAN.