Cisco Support Community

WLAN Solution Security Audit & Vulnerability

Hi All,

Recently, we deployed a WLAN solution at one of the customers.

Solution components are WLC - HA Pair, CPI 1.4, Cisco ISE

After the solution deployment, the customer ran a security audit on the network (wireless infrastructure) and came to me with the following vulnerabilities that I have to fix.

Vulnerability 1. Synopsis:

The remote service supports the use of medium strength SSL ciphers.

Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor: Medium

CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Output
Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv3
      DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

    TLSv1
      DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

Vulnerability 2. Synopsis:

The remote DNS server is vulnerable to cache snooping attacks.

Description
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.

For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

Note: If this is an internal DNS server not accessable to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

Solution
Contact the vendor of the DNS software for a fix.

See Also
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Risk Factor: Medium

CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Output
Nessus sent a non-recursive query for example.com
and received 1 answer : xx.xx.xx.xx (an IP Address)

Please find the actual screenshots of the Audit result attached here.

I am a novice in the security field and I am not sure how to answer the above 2 questions.

Any help is much appreciated in interpreting the above vulnerabilities wrt Wireless and how to eliminate these vulnerabilities.

Thanks,

CJ
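
For triaging the first finding, a small parser for the cipher rows in the plugin output quoted above (an added example, not part of the original post and not Nessus or Cisco code). The sample text is constructed from the post; the "medium" range is the one the finding states, while the "low" (under 56 bits) and "high" (112 bits and up) labels and all function names are assumptions of this example.

```python
import re

# Constructed sample: the "Plugin Output" rows quoted in the post above.
PLUGIN_OUTPUT = """\
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
  SSLv3
    DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  TLSv1
    DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-3])?)$")
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^()\s]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)

def strength(bits):
    """Bucket a key length; 56 <= bits < 112 is the finding's 'medium'."""
    if bits < 56:
        return "low"  # assumption: label for anything below the medium range
    return "medium" if bits < 112 else "high"

def parse_plugin_output(text):
    """Return one dict per (protocol, cipher) row found in the output."""
    rows, proto = [], None
    for line in map(str.strip, text.splitlines()):
        if PROTO_RE.match(line):
            proto = line  # rows that follow belong to this protocol
            continue
        m = CIPHER_RE.match(line)
        if m:
            row = m.groupdict()
            row.update(bits=int(row["bits"]), protocol=proto)
            row["strength"] = strength(row["bits"])
            rows.append(row)
    return rows

def remediation_targets(rows):
    """Sorted, de-duplicated (protocol, cipher) pairs weaker than 'high'."""
    return sorted({(r["protocol"], r["name"]) for r in rows
                   if r["strength"] != "high"})

if __name__ == "__main__":
    for proto, name in remediation_targets(parse_plugin_output(PLUGIN_OUTPUT)):
        print(f"review {name} on {proto}")
```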

6 REPLIES

WLAN Solution Security Audit & Vulnerability

What security are you using on your WiFi?

These sound like devices that are on your WiFi and not your network itself.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"


WLAN Solution Security Audit & Vulnerability

3 SSIDs.

SSID 1 for Employees - WPA2-AES with 802.1x authentication with ISE. ISE has 2 factor authentication with AD credentials and MAC filtering.

SSID 2 for On-Boarding of mobile devices - 802.1x authentication with ISE. It's planned, but not configured completely, at least as of now.

SSID 3 for Guests - Cisco Prime Guest portal (Lobby Ambassador) with Scheduling Guest User Accounts to generate new credentials every day.

WLAN Solution Security Audit & Vulnerability

I assume they connected to your wireless network and they did a scan? Help me out here.


WLAN Solution Security Audit & Vulnerability

I am not sure how they were connected to the network when they did the scanning. But I know that they used the Nessus security scanner.

I can check with customer on how they scanned the WLC & APs, from a machine Wired to network or over wireless.

WLAN Solution Security Audit & Vulnerability

The DNS issue is pretty easy. Look at your DNS server and google the issue or patch it. As for the SSL. As for the other issue, did they list an IP address or host name so you can find out what it is? Doesn't sound like they did anything on the wireless itself ..


WLAN Solution Security Audit & Vulnerability

Hi George,

The Nessus scan application is on the server, client connects to it using web console from their laptop, which is on the LAN. They were not connected wirelessly to the network.

Using Nessus Scan Application, they were scanning to audit configuration & compliance of the Primary WLC, HA-Unit & APs.

Thanks,

CJ
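
For retesting the second finding after a DNS change, the sketch below builds the kind of non-recursive query the plugin output describes and interprets the header of a captured reply (an added example, not part of the thread and not Nessus code). The function names, result labels and the constructed sample reply are assumptions of this example; it sends nothing on the network.

```python
import struct

def build_query(name, txid=0x1234, recursion_desired=False):
    """DNS A/IN query; RD is clear by default, as in the scanner's probe."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def sample_reply(flags, ancount, query):
    """Constructed reply: header + echoed question + one A record per answer."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + query[12:] + rr * ancount

def classify_response(packet):
    """Interpret a reply to a non-recursive query for a third-party name."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:               # QR bit must be set in a response
        raise ValueError("not a response")
    rcode = flags & 0x000F
    authoritative = bool(flags & 0x0400)  # AA bit
    if rcode == 5:
        return "refused"                 # server declines this client
    if rcode == 0 and ancount > 0:
        # A non-authoritative answer to an RD=0 query came from the cache,
        # which is the behaviour the audit flagged.
        return "authoritative-answer" if authoritative else "answered-from-cache"
    # Empty answer or referral: nothing disclosed for this name right now.
    # A name that simply is not cached looks the same, so retest with a
    # name the resolver is known to have looked up recently.
    return "no-cached-answer"

if __name__ == "__main__":
    q = build_query("example.com")
    print(classify_response(sample_reply(0x8080, 1, q)))
```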
