Another One Bites the Dust – a classic 80’s hit song by Queen about the impending revenge of a young man named Steve, but it could also describe what happens to a broad range of attacks aimed at your wireless network after a few well-placed clicks of your mouse.
Most reconnaissance and denial of service (DoS) attacks against wireless networks are based on the misuse of management frames. Twelve of the seventeen standard signatures that wireless controllers constantly look for are based on management frames. Disassociation and de-authentication floods (which we commonly refer to as containment) fit in that group, as do null probe responses which give an attacker an easy way to lock up most wireless clients. These frames are all sent without any kind of encryption or authentication because they have to be sent that way – they operate at such a fundamental level of wireless networking that we have no choice, and because of that we are all vulnerable.
Or at least we were…until Management Frame Protection (MFP) came along. With MFP we are able to attach an encrypted information element (IE) to the end of each management frame sent by our access points, making the identification of legitimate management frames simple and efficient, as well as impossible to spoof.
There are two flavors of MFP, Infrastructure MFP (aka MFP-1) and Client and Infrastructure MFP (MFP-2).
With MFP-1, the access points download an encryption key from the controller. For every management frame an AP sends, it attaches an IE that includes a sequence count, a timestamp, and a message integrity check. The IE is encrypted with the key given by the controller.
This key is linked to the wired interface used by the WLAN. This means that if the WLANs use different VLANs, they will use different keys; if the WLANs use the same VLAN, they will use the same key.
Other APs that are in range will hear the management frame and be able to validate the attached IE. If the IE is incorrect in any way, the validator AP will forward that information to the controller, which can then forward the report to WCS. APs belonging to the same mobility group will use the same keys, so APs can validate management frames sent by APs on other controllers in an enterprise network.
With MFP-2, the clients download the key for their WLAN after they have authenticated to the network, and they validate every management frame they hear. If a client hears a valid frame it reports nothing and, if the frame applies to it, obeys the command. If a client hears an invalid frame it ignores the instruction delivered in the command and reports the incident to its supporting AP, which then forwards the report to the controller and up to WCS. Let me rephrase the first part of that sentence for you: if someone tries to use a null probe response to lock up your clients, your clients shrug it off and report it! If someone tries to contain your network, your clients ignore their attempts to shut you down and, again, report it! Your clients become bulletproof to a wide range of wireless DoS attacks.
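To make the validation flow described for MFP-1 and MFP-2 concrete, here is a small constructed model, added for this post and not Cisco's MFP implementation: the sender appends an IE carrying a sequence count, a timestamp and a MIC, and the validator (an AP or a CCXv5 client) obeys the frame only if all three check out, otherwise returning a reason to report. The 16-byte trailer layout, the HMAC-SHA256 MIC and all key values are assumptions for the example, not the real MFP IE format.

```python
import hashlib
import hmac
import struct

# Assumed IE layout for this model: seq (4 bytes) | timestamp (4) | MIC (8).
# Real MFP IEs are identified by element ID; here the IE is simply the trailer.
IE_LEN = 16


def build_protected_frame(body: bytes, key: bytes, seq: int, ts: int) -> bytes:
    """AP side: append an MFP-style IE (seq, timestamp, MIC) to a frame body."""
    hdr = struct.pack(">II", seq, ts)
    mic = hmac.new(key, body + hdr, hashlib.sha256).digest()[:8]
    return body + hdr + mic


class Validator:
    """Validator side (AP or client): a frame is obeyed only if its MIC verifies
    under the shared key, its sequence count advances (no replay) and its
    timestamp is fresh. Anything else is ignored; the reason is what gets
    reported to the controller."""

    def __init__(self, key: bytes, max_skew: int = 30):
        self.key = key
        self.max_skew = max_skew   # allowed clock difference in seconds
        self.last_seq = -1         # highest sequence count accepted so far

    def validate(self, frame: bytes, now: int):
        if len(frame) < IE_LEN:
            return False, "missing MFP IE"
        body, hdr, mic = frame[:-IE_LEN], frame[-IE_LEN:-8], frame[-8:]
        expected = hmac.new(self.key, body + hdr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mic, expected):   # constant-time compare
            return False, "bad MIC (spoofed or wrong key)"
        seq, ts = struct.unpack(">II", hdr)
        if seq <= self.last_seq:
            return False, "replayed sequence number"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        self.last_seq = seq
        return True, "valid"


if __name__ == "__main__":
    key = b"constructed-demo-key"      # stands in for the controller-issued key
    v = Validator(key)
    legit = build_protected_frame(b"DEAUTH reason=3", key, seq=1, ts=1000)
    print(v.validate(legit, now=1000))           # (True, 'valid')
    print(v.validate(legit, now=1000))           # replayed sequence number
    print(v.validate(b"DEAUTH reason=3", 1000))  # missing MFP IE
```

Each `False` result is the point where a real validator would forward the incident to the controller and WCS instead of acting on the frame.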
Before you get too excited, though, I need to let you know that only clients supporting Cisco Compatible Extensions (Version 5) can participate in MFP-2.
So, for any of you who ever hear me walking into the classroom or your job site humming Another One Bites the Dust, now you know the story behind it. I’m worry-free and I love my WLAN.
Next time we’ll talk about how to set up MFP in three easy steps.
Guest Author: Bill Daniel, GigaWave Technologies