Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter Design Guide
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Integrated Security Features
Summary of Findings
The results of the tests are presented in Table 4-4.

Note that Cisco tested only those attacks that are targeted by the CISF features on wired access, and it was always assumed that the attacker was wireless, while the target could be either wired or wireless depending on the scenario considered. Finally, the solution reported in Table 4-4 is currently available using the CISF features on the access switch; when those features do not help, Cisco proposes an alternative solution using features available directly on the access point.

Table 4-4 Summary of Findings

| Targeted Attack | Applicability | Considerations | Solution |
|---|---|---|---|
| MAC flooding | No | Macof uses random MAC addresses as source and destination | AP discards frames from a source MAC not in the association table |
| DHCP starvation | Yes on H-REAP; Controller discards bad DHCP requests | The requesting MAC is carried in the DHCP payload | None–rate limiting |
| Rogue DHCP server | Yes on H-REAP; Controller blocks DHCP offers from the WLAN | It is assumed the rogue DHCP server is wireless | None |
| MIM between wireless clients | Yes on H-REAP; Controller blocks GARPs | Traffic does not go through the switch in this case | None |
| MIM between wireless clients on different APs | Yes on H-REAP; Controller blocks GARPs | The hacker can intercept traffic only toward the wire. | DAI with violation |
| MIM between wireless and wired clients | Yes on H-REAP; Not a supported controller configuration | The hacker can intercept traffic only toward the wire. | DAI with violation |
| IP spoofing | Yes on H-REAP; Controller checks IP address and MAC address binding | Encryption over the air is required to prevent identity spoofing | IP Source Guard |
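
The DHCP starvation row turns on the requesting MAC being carried in the DHCP payload. As an added example (not taken from the Cisco guide), the Python below parses an untagged Ethernet/IPv4/UDP DHCP request and flags one whose payload `chaddr` field differs from the frame's source MAC. Treating that mismatch as a "bad" request is an assumption, and all function names and sample frames are constructed for illustration.

```python
import struct

def parse_dhcp_macs(frame: bytes):
    """Return (ethernet_src, chaddr) for a DHCP client request frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":      # IPv4 ethertype only
        return None
    eth_src, ip = frame[6:12], frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                                # IPv4 header length in bytes
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:        # protocol 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if (sport, dport) != (68, 67):                          # client -> server
        return None
    bootp = ip[ihl + 8:]
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6; chaddr starts at offset 28
    if len(bootp) < 44 or bootp[0:3] != b"\x01\x01\x06":
        return None
    return eth_src, bootp[28:34]

def classify(frame: bytes) -> str:
    """'ok' when source MAC and chaddr agree, 'mismatch' when they differ."""
    macs = parse_dhcp_macs(frame)
    if macs is None:
        return "not-dhcp-request"
    return "ok" if macs[0] == macs[1] else "mismatch"

def build_request(eth_src: bytes, chaddr: bytes) -> bytes:
    """Constructed sample frame (checksums left at zero, not validated above)."""
    zero4 = bytes(4)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        zero4, zero4, zero4, zero4, chaddr)
    bootp += bytes(192) + b"\x63\x82\x53\x63"               # sname/file + magic cookie
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     zero4, b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip

# Constructed, locally administered addresses
CLIENT = bytes.fromhex("020000000001")
OTHER = bytes.fromhex("0200000000aa")

if __name__ == "__main__":
    for label, frame in (("matching", build_request(CLIENT, CLIENT)),
                         ("differing", build_request(CLIENT, OTHER))):
        print(label, "->", classify(frame))
```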