
Network World

Jamey Heary

Security Collaboration: Cisco IPS and Cisco Wireless

By jheary on Wed, 09/26/07 - 3:30pm.

Not many people realize that the Cisco IPS 4200 Series sensors can collaborate with a Cisco Wireless LAN Controller (WLC) to defend the network. This solution extends your security protection well beyond what the embedded wireless IDS signatures can offer. It moves your wireless attack detection and prevention from the purely Layer 2 realm that the embedded wireless signatures cover into the Layer 2-7 realm. And since Layer 2-7 protection is arguably where you want and need to be, this solution gets you there.

So how does it work? Picture this example: a user infected with a worm connects to your wireless network. The worm tries to spread to internal servers in your datacenter via a Layer 7 attack. The wireless IDS signatures don't see the attack because they only look for Layer 2 attacks. But an IPS sensor protecting your datacenter servers does see it. The IPS sensor communicates the attacker's IP address to the wireless controller. The controller correlates that IP address to a MAC address in its client table and finds that the attacker is currently connected to Access Point XYZ. At that point the controller disassociates (kicks off) the attacker from the wireless network for a period of time. The controller also alerts all other controllers in the same mobility group not to allow the attacker access. In effect, this denies the attacker's MAC address from reconnecting via wireless anywhere at your site for a set period of time. Two practical consequences follow from that design: the sensor must see the client's real address (not one hidden behind NAT) for the IP-to-MAC correlation to succeed, and because the block is keyed to the MAC address, a client that changes its MAC can associate again.

The previous example demonstrates precisely how the Cisco IPS-Wireless collaboration works. A single wireless controller can collaborate with up to five Cisco IPS sensors simultaneously, which increases the detection and protection envelope a single controller can cover. One of the nice things about this solution is that it doesn't require an IPS sensor inline behind every controller: you can use any sensor that is IP-reachable from the controller, so you can leverage any existing Cisco sensors you already have. It also gives you the flexibility to deploy your sensors in either IDS (promiscuous) mode or IPS (inline) mode, since the controller is doing the blocking. Once a client is disassociated from a controller due to the IPS collaboration, an event is generated both on the sensor platform and on the controller itself, so if wireless and security are managed by different groups, both groups will see it.

The solution is granular enough that it only disassociates users who have fired certain high-risk IPS signatures of your choice. Or, better still, only disassociate users who have fired an event with a Risk Rating between 80 and 100. If you are not familiar with how Cisco IPS calculates Risk Rating, see here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_white_paper0900aecd80191021.shtml .
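To make the flow above concrete (sensor reports an attacker IP, the controller correlates IP to MAC, disassociates the client, blocks the MAC for a set time and shares the block with its mobility group, acting only on events that match a signature list or a Risk Rating band), here is a small Python model of the controller-side logic. This is an added example written for this page, not Cisco code; the class and function names, the client table, the mobility-group wiring and the sample client are all invented to illustrate the behaviour described in the two paragraphs above.

```python
"""Model of the WLC-side logic in the IPS / wireless controller collaboration.

Hypothetical example, not Cisco code: every name here is invented.
It models four things from the text above:
  1. a block request from the sensor carrying the attacker's IP plus the
     triggering event (signature ID and Risk Rating 0-100);
  2. a policy that acts only on chosen signatures or on a Risk Rating band;
  3. IP -> MAC correlation against the controller's own client table,
     followed by disassociation and a timed MAC block;
  4. propagation of that block to the other controllers in the mobility group.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Client:
    mac: str
    ip: str
    ap: str  # access point the client is currently associated to


@dataclass
class BlockRequest:
    """What the sensor hands the controller (constructed structure)."""
    src_ip: str
    signature_id: int
    risk_rating: int  # Cisco IPS Risk Rating is 0-100


@dataclass
class ShunPolicy:
    """Act on a chosen set of signatures, or on a Risk Rating band such as 80-100."""
    signature_ids: Set[int] = field(default_factory=set)
    risk_range: Optional[Tuple[int, int]] = None

    def matches(self, req: BlockRequest) -> bool:
        if req.signature_id in self.signature_ids:
            return True
        if self.risk_range is not None:
            lo, hi = self.risk_range
            return lo <= req.risk_rating <= hi
        return False


@dataclass
class Controller:
    name: str
    clients: Dict[str, Client] = field(default_factory=dict)     # MAC -> Client
    block_until: Dict[str, float] = field(default_factory=dict)  # MAC -> expiry (epoch s)
    peers: List["Controller"] = field(default_factory=list)      # same mobility group
    log: List[str] = field(default_factory=list)

    def can_associate(self, mac: str, now: float) -> bool:
        """A blocked MAC is refused until its block ages out."""
        expiry = self.block_until.get(mac)
        if expiry is None:
            return True
        if now >= expiry:
            del self.block_until[mac]  # block expired, forget it
            return True
        return False

    def associate(self, client: Client, now: float) -> bool:
        if not self.can_associate(client.mac, now):
            self.log.append(f"{self.name}: refused {client.mac} (blocked)")
            return False
        self.clients[client.mac] = client
        return True

    def lookup_mac(self, ip: str) -> Optional[Client]:
        """IP -> MAC correlation from the controller's client table."""
        for c in self.clients.values():
            if c.ip == ip:
                return c
        return None

    def _block(self, mac: str, expiry: float) -> None:
        # Never shorten an existing block when a second event arrives.
        self.block_until[mac] = max(expiry, self.block_until.get(mac, 0.0))

    def handle_block_request(self, req: BlockRequest, policy: ShunPolicy,
                             now: float, block_seconds: int) -> Optional[str]:
        """Return the MAC that was disassociated, or None when nothing was done."""
        if not policy.matches(req):
            self.log.append(f"{self.name}: ignored sig {req.signature_id} RR {req.risk_rating}")
            return None
        client = self.lookup_mac(req.src_ip)
        if client is None:
            # Not one of our wireless clients (wired host, NATed address, or
            # a client that roamed away): nothing to disassociate here.
            self.log.append(f"{self.name}: no client with IP {req.src_ip}")
            return None
        expiry = now + block_seconds
        self._block(client.mac, expiry)
        del self.clients[client.mac]  # the disassociation itself
        self.log.append(f"{self.name}: disassociated {client.mac} on {client.ap} "
                        f"(sig {req.signature_id}, RR {req.risk_rating}) until {expiry:.0f}")
        for peer in self.peers:  # tell the rest of the mobility group
            peer._block(client.mac, expiry)
            peer.log.append(f"{peer.name}: blocking {client.mac} on request from {self.name}")
        return client.mac


def mobility_group(*controllers: Controller) -> None:
    """Wire every controller to every other one as a peer."""
    for c in controllers:
        c.peers = [p for p in controllers if p is not c]


if __name__ == "__main__":
    wlc1, wlc2 = Controller("wlc1"), Controller("wlc2")
    mobility_group(wlc1, wlc2)
    policy = ShunPolicy(signature_ids={5081}, risk_range=(80, 100))
    worm_host = Client("00:11:22:33:44:55", "10.10.20.7", "AP-XYZ")  # constructed client
    wlc1.associate(worm_host, 1000.0)
    wlc1.handle_block_request(BlockRequest("10.10.20.7", 3000, 90), policy, 1000.0, 3600)
    wlc2.associate(worm_host, 1500.0)  # refused: block shared across the group
    print("\n".join(wlc1.log + wlc2.log))
```

The policy object is where the granularity from the text lives: a signature ID on the list always triggers the block, and anything else is judged on its Risk Rating alone, so an event scored 40 is ignored even if the IP matches a client.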

The Cisco IPS-Wireless collaboration solution works with any Cisco WLC running code 4.x or later and any Cisco IPS sensor platform running code 5.x or later.
For more details see here:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807360fc.shtml

I think this is a pretty compelling solution, especially for current Cisco wireless and IPS customers. What do you think?


Nice article. Are the sensors limited only to Cisco's 4200, or can you point to another vendor's IPS?

Sensors supported

The solution only supports Cisco's sensors.
-jamey

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
