KRACK AttaCK – #WirelessTuesday – November 2017 – Questions & Responses

Thank you very much for your interest in the Cisco #WirelessTuesday event and thanks to the hundreds of you that migrated with me from what was our #WirelessFriday event!  This article is a quick recap of the November 2017 event with the associated questions and panel responses.

I would like to make a public thanks to Stephen Orr, Distinguished SE here at Cisco (LinkedIn, Twitter)! He weighed in on the WPA2 vulnerabilities known as KRACK and Cisco’s (and the industry’s) response. I loved his first piece of advice: #DontPanic. I would also like to thank my panelists Brad Kincaid, Rush Johnson, and Mark Dellavalle.

If you’d like to hear the recording you can access it here.

Links from the Presentation

In-Event Questions and Responses

Q. Can or should both Infrastructure MFP and PMF (802.11w) be implemented together?
R. Stephen is a fan of “defense in depth” so the recommendation is yes. 802.11w has 2 modes: MFP required and MFP capable. It’s always good to start with MFP capable until you know for sure your clients support it.

Q. Is it still recommended not to run 802.11r with PMF?
R. If you are using patched code you are good to use 802.11r. Know that both the infrastructure and clients need to be updated.

Q. Does the 5760 have a patched image yet?
R. Yes 5760 updates are available. Please work with TAC on specific recommendations.

Q. Are devices like 800-W series routers/ASAs vulnerable as well?
R. For those SoHo devices where roaming is capable, yes, they would be vulnerable.

Q. With MiTM attack this should be more of an impetus to disable lower data rates…? That should at least shrink the cell size of the MiTM attack, correct?
R. Not necessarily. This may have a negative effect on coverage and roaming.

Q. So, if APs/WLCs are patched, but clients are not, we’re still vulnerable?
R. The clients not patched would be vulnerable.

Q. So, do either of the 2 threat vectors present vulnerabilities if 802.11r or 802.11ai are not enabled?
R. If they are not enabled on the infrastructure side, then the infrastructure is not exposed, however the client, if using vulnerable code, is exposed.

Q. What are we patching on the client side? Our devices do not use a software to access the APs. They just use the wireless app on the device.
R. The device itself would need an update from the device manufacturer.

Q. When talking about patching the clients. Are you speaking about patching the workstations clients? For example, if you are using the windows wireless clients?
R. Essentially the supplicant on the device must be updated, whether that is separate or part of the OS. Each vendor will need to address the vulnerabilities in their own firmware, drivers, supplicants.

Q. Do any of these vulnerabilities change in a flex-connect mode?
R. No, your exposure does not change.

Q. Under WLANS, Security (802.11r) FT = Fast Transition or Authentication Key Management = FT 802.1X / FT PSK boxes checked?
R. On the PSIRT website there is a step-by-step guide to help you determine if you are vulnerable.

Q. I also think it’s important to clarify that the attacker needs to be present for this attack, nearby.
R. Great point… “in RF proximity…”

Q. How about the new Apple Cisco partnership, where Apple “turns on” 802.11r?
R. That is still the recommendation. The patches are available and should be used.

Q. So, on latest code, 802.11r can be “off” but enabling the Apple-Cisco Best Practices will turn it back “on”?
R. Yes, that is true.

Q. Will the WFA test plan be published and available?
R. For now, the test tool/plan is available only for manufacturers.

Q. Did Wi-Fi Alliance provide a timeline to remediate for Infrastructure and all client devices?
R. For those devices that claim support for 802.11r or 802.11ai, mandatory tests will be in place, likely by the end of 2017.

Q. Is Cisco publishing all client devices that were remediated?
R. Best advice is contact each vendor.

5 Amazing New @Cisco_Mobility Features Because of Exclusive Apple/Cisco Partnership

THE EDGE MATTERS! It matters what kind of APs we join and what kind of switch we plug in to. There are some who want us to believe the edge is a commodity because they don’t (or can’t) have what we have. Our products are built for digital business with security woven throughout (Be sure to ask about the Stealthwatch (demo) promotion when you buy Cisco ONE licenses!).

I want to bring to your attention a new Cisco Blog article on Spark & the Cisco/Apple Exclusive Partnership. It’s a GREAT one to share on social media! Then as I was putting this note together an article came across my Spark feed:

Neat article on the Cisco / Apple partnership and iOS 10. http://www.zdnet.com/article/cisco-apple-partnership-comes-to-fruition-with-ios-10

How timely! It’s funny though because there are either super-high-level descriptions of what these new features are or they’re super technical. The statement “Apple devices work better on a Cisco network” is 100% true and 100% defensible. AND it’s true for both On Premises and Meraki Cloud Managed wireless! Trouble is some of the available detail is way too high level:

  • Higher reliability for real-time applications—66 times decrease in probability of poor audio quality experiences
  • Improved quality of experience—10 times more successful web browsing experience
  • Enhanced network performance—86 percent reduction in network message load from the device during roaming
  • Ease of management—Up to 50 percent reduction in network overhead due to SSIDs

Or it gets vague & overly-technical in the On Premises release notes for the new 8.3 controller code:

  • Fastlane QoS
  • 802.11r Fast Transition
  • 802.11v BSS Transition Support
  • Assisted Roaming
  • EDCA Parameters

So here’s the medium-techie way to describe the new Apple features. These are available NOW with our 8.3 code for On Premises controllers and APs as well as our Meraki Cloud managed solution…

  • Fastlane QoS: With iOS 10 devices customers have the ability to “fast lane” certain applications, granting prioritized network bandwidth to apps with an iOS 10-embedded quality of service (QoS) tag. The new capability offers end-to-end improvement in performance across iOS applications.

(Configure On Premises Fastlane QoS) (Fastlane on Meraki)

  • 802.11r Fast Transition: 802.11r (a.k.a. Fast Roaming) introduces a new concept of roaming where the roaming process is completed even before the client actually moves to the target AP (this is called Fast Transition).

(Configure On Premises Fast Transition) (Configure 802.11r in Meraki)

  • 802.11v BSS Transition Support: Two cool things happen here:
    • Network assisted Power Savings which helps clients to improve battery life by enabling them to sleep longer. As an example, mobile devices typically wake from idle periodically to ensure that they remain connected to access points and therefore consume more power while on a wireless network.
    • Network assisted Roaming which enables the WLAN to send requests to associated clients, advising the clients as to better APs to associate to. This is useful for both load balancing and in directing poorly connected clients.

(Here’s how to configure it for On Premises.)

  • Assisted Roaming: This is also known as 802.11k. The 802.11k standard allows clients to request reports containing information about known neighbor APs that are candidates for roaming.

(Configure On Premises Assisted Roaming) (Configure in Meraki)

  • EDCA Parameters: Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic. This new version of code gives much better control to network administrators.

(Configure & tune On Premises EDCA) (Configure Meraki Bandwidth and Traffic Shaping)

Please comment below and share this article and ask your Cisco reseller/sales team about the Cisco & Apple partnership and how you can be ready to take advantage of these amazing features.