How I Learned to Stop Worrying and Love the Wireless LAN

Another One Bites the Dust – a classic 80’s hit song by Queen about the impending revenge of a young man named Steve, but it could also describe what happens to a broad range of attacks aimed at your wireless network after a few well-placed clicks of your mouse.

Most reconnaissance and denial of service (DoS) attacks against wireless networks are based on the misuse of management frames. Twelve of the seventeen standard signatures that wireless controllers constantly look for are based on management frames. Disassociation and de-authentication floods (which we commonly refer to as containment) fit in that group, as do null probe responses which give an attacker an easy way to lock up most wireless clients. These frames are all sent without any kind of encryption or authentication because they have to be sent that way – they operate at such a fundamental level of wireless networking that we have no choice, and because of that we are all vulnerable.

Or at least we were…until Management Frame Protection (MFP) came along. With MFP we are able to attach an encrypted information element (IE) to the end of each management frame sent by our access points, making the identification of legitimate management frames simple and efficient, as well as impossible to spoof.

There are two flavors of MFP, Infrastructure MFP (aka MFP-1) and Client and Infrastructure MFP (MFP-2).

With MFP-1, the access points download an encryption key from the controller. For every management frame an AP sends, it attaches an IE containing a sequence count, a time stamp, and a message integrity check. The IE is encrypted with the key supplied by the controller.

This key is linked to the wired interface used by the WLAN. This means that if the WLANs use different VLANs, they will use different keys; if the WLANs use the same VLAN, they will use the same key.

Other APs that are in range will hear the management frame and be able to validate the attached IE. If the IE is incorrect in any way, the validator AP will forward that information to the controller, which can then forward the report to WCS. APs belonging to the same mobility group will use the same keys, so APs can validate management frames sent by APs on other controllers in an enterprise network.

With MFP-2, the clients download the key for their WLAN after they have authenticated to the network, and they validate every management frame they hear. If a client hears a valid frame it reports nothing and, if the frame applies to it, obeys the command. If a client hears an invalid frame it ignores the instruction delivered in the frame and reports the incident to its supporting AP, which then forwards the report to the controller and up to WCS. Let me rephrase the first part of that sentence for you:

If someone tries to use a null probe response to lock up your clients, your clients shrug it off and report it! If someone tries to contain your network, your clients ignore their attempts to shut you down and, again, report it! Your clients become bulletproof to a wide range of wireless DoS attacks.
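The validation that the neighbouring APs (MFP-1) and the CCXv5 clients (MFP-2) perform above is the same check, so here is one added Python model of it. This is an illustration written for this page, not Cisco's code and not the real MFP wire format: the IE tag value, the HMAC-SHA256 MIC truncated to 8 bytes, the 5-second clock-skew policy, the per-transmitter sequence window and the sample frame bytes are all constructed assumptions. What it shows is the defender-side outcome the post describes: a bare spoofed deauthentication, a frame protected with the wrong key, a replayed genuine frame and a stale frame are each rejected and reported, while the genuine frame is accepted.

```python
"""Toy model of MFP-style management-frame validation (added example; the IE
layout, MIC construction and policy values are constructed, not Cisco's).
An AP appends an integrity IE (sequence count, timestamp, MIC) keyed with the
per-WLAN key handed out by the controller; a validator (a neighbouring AP in
MFP-1, a CCXv5 client in MFP-2) checks it and records anything it rejects."""
import hashlib
import hmac
import struct

IE_TAG = 0xDD                # placeholder tag byte for the integrity IE (assumed)
IE_PAYLOAD_LEN = 4 + 8 + 8   # seq (u32) + timestamp (u64) + truncated MIC (8 bytes)
MAX_SKEW = 5                 # seconds of timestamp skew tolerated (assumed policy)


def build_protected_frame(body, key, seq, ts):
    """Return body || IE; the MIC covers the frame body and the seq/ts fields,
    so neither the command nor the counters can be altered without the key."""
    fields = struct.pack("!IQ", seq, ts)
    mic = hmac.new(key, body + fields, hashlib.sha256).digest()[:8]
    payload = fields + mic
    return body + bytes([IE_TAG, len(payload)]) + payload


class Validator:
    """Holds the WLAN key and the highest sequence count seen per transmitter."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}   # transmitter -> last accepted sequence count
        self.reports = []    # (transmitter, reason) pairs that would go to the controller/WCS

    def validate(self, sender, frame, now):
        """Return 'ok' for a genuine, fresh frame; otherwise the rejection reason."""
        verdict = self._check(sender, frame, now)
        if verdict != "ok":
            self.reports.append((sender, verdict))
        return verdict

    def _check(self, sender, frame, now):
        # 1. The IE must be present at the tail of the frame.
        if len(frame) < 2 + IE_PAYLOAD_LEN:
            return "missing_ie"
        tag, length = frame[-(2 + IE_PAYLOAD_LEN)], frame[-(1 + IE_PAYLOAD_LEN)]
        if tag != IE_TAG or length != IE_PAYLOAD_LEN:
            return "missing_ie"
        body = frame[:-(2 + IE_PAYLOAD_LEN)]
        fields = frame[-IE_PAYLOAD_LEN:-8]
        mic = frame[-8:]
        # 2. The MIC must verify under the WLAN key (constant-time compare).
        expected = hmac.new(self.key, body + fields, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mic, expected):
            return "bad_mic"
        seq, ts = struct.unpack("!IQ", fields)
        # 3. The timestamp must be fresh.
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # 4. The sequence count must advance, which defeats replay of a captured frame.
        if seq <= self.last_seq.get(sender, -1):
            return "replay"
        self.last_seq[sender] = seq
        return "ok"


def demo():
    """Run a genuine frame and four kinds of bad frame through one validator."""
    wlan_key = b"constructed-per-wlan-key"  # in MFP the controller distributes this
    ap = "ap-1"
    v = Validator(wlan_key)
    # Constructed deauthentication-like body: frame control, addresses, reason code.
    deauth = b"\xc0\x00" + b"\x00" * 22 + b"\x00\x03"
    genuine = build_protected_frame(deauth, wlan_key, seq=1, ts=1000)
    results = [
        v.validate(ap, genuine, now=1000),                                        # ok
        v.validate(ap, deauth, now=1001),                                         # missing_ie
        v.validate(ap, build_protected_frame(deauth, b"wrong-key", 2, 1001), 1001),  # bad_mic
        v.validate(ap, genuine, now=1002),                                        # replay
        v.validate(ap, build_protected_frame(deauth, wlan_key, 3, 1000), 1100),   # stale
    ]
    return results, v.reports


if __name__ == "__main__":
    verdicts, reports = demo()
    print("verdicts:", verdicts)
    print("reported to controller:", reports)
```

The order of the checks matters: the MIC is verified before the counters are read, so an unkeyed sender cannot even influence the replay or freshness state, and the per-transmitter sequence table is only updated on a fully accepted frame.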

Before you get too excited, though, I need to let you know that only clients supporting Cisco Compatible Extensions (Version 5) can participate in MFP-2.

So, for any of you who ever hear me walking into the classroom or your job site humming Another One Bites the Dust, now you know the story behind it. I’m worry free and I love my WLAN.

Next time we’ll talk about how to set up MFP in three easy steps.

Guest Author: Bill Daniel, GigaWave Technologies


3 comments

  1. Winston

    Great blog. MFP v2 has been out for a while now and is very effective. It should be more in use than it currently is. Why do you think this is?

  2. Bill Daniel - Blog Author

    Hi Winston,

    You’re right – MFPv2 has been out for years and is extremely effective… so why don’t more people use it? I think it comes down to one of two reasons:

    1. Ignorance. That should not be taken as a slight by anyone reading this blog. There are a LOT of features in Cisco’s controller code that can be configured. Knowing all of them and keeping up with all the updates is a Herculean task, so I find it easy to believe that many admins don’t understand what MFP can do for them.

    2. Small number of CCXv5 clients and money. The only clients I know of that support CCXv5 are the Cisco Secure Services Client (SSC) and Cisco’s Aironet Desktop Utility (ADU), neither of which is free. The SSC is licensed per seat and the ADU (which is free to download) only works on Cisco’s CB21AG or PI21AG wireless network cards (which are not free). A corporate customer who is not already using one of these clients may decide the extra protection is something they are not ready to pay for, in spite of its usefulness.

    I hope that helps. Stay thirsty for knowledge!
    Bill

  3. Don Parker

    Hi Bill,

    I still don’t get what MFP-1 does for you. Is it that the legit WAPs on your WLAN will recognize rogue WAPs seen as they don’t have the right IE?

    Thanks,

    Don