Third time’s NOT the charm for Cisco’s adaptive WIPS (aWIPS)
- Cisco Warns of Vulnerabilities in Wireless LAN Controllers by Mike Lennon Managing Editor at Security Week
- Cisco Wireless LAN Controllers Wireless Intrusion Prevention System Denial of Service Vulnerability via Cisco Vulnerability Alert
Particularly interesting is Cisco’s proposed workarounds which state:
While Cisco aWIPS touts to protect from wireless vulnerabilities, it is still facing a bigger, more basic problem, which is to first protect ITSELF, before it can protect others! Clearly these proposed workarounds are to salvage the system itself, or shall we say “self-heal”. Paradoxical, in light of Cisco’s recent “self-healing” acquisition
Cisco spends $475M on Intucell’s self-healing network software by Ricardo Bilton of VentureBeat
What about the customer’s network security posture in all of this?
A rogue AP is connected to a trusted network. Accordingly, it opens access to the trusted network for outsiders. The Cisco aWIPS is supposed to detect and contain this Rogue AP, but through this very same Rogue AP, the attacker launches the crafted packet and does DoS on aWIPS. So the Rogue AP itself is used to nuke the Cisco aWIPS that was supposed to protect the network from Rogue APs. Doesn’t this sound like plausible and severe scenario. Why take that chance?
Once, twice, three times aWIPS …
I don’t know about you but I think that Cisco needs to take a hard look at the architectural foundations of its aWIPS architecture. This is not the first, not the second, but the third time that Cisco’s aWIPS has been hacked. Could this be because aWIPS is not designed from the ground up as a security system, but it’s a third party signature engine patched to WLC architecture?
Going down memory lane, let’s revisit the first two Cisco-charms: 1) MFP security disorder, and 2) LAPs as rogues
1) Turn on yourself (autoimmune disorder of MFP security)
When Cisco launched MFP as a savior for deauth DoS attacks, security researchers showed that MFP not only not stopped deauth DoS attacks, but introduced new ones of its own which were easier to launch deauth DoS attacks. The technique that was supposed to stop DoS attacks was itself DoS’ed.
2) Turn Cisco lightweight APs (LAPs) into Rogue APs
You’ll recall the Cisco Skyjacking attack where the attacker could hijack Cisco APs and aWIPS sensors from the enterprise WLC and control them from outside of the trusted network. Skyjacking allowed Cisco APs and aWIPS sensors themselves to be turned into Rogue APs on the network.
With this third @Cisco alert, clearly this is not heading in the right direction. The devices which are supposed to be trusted for secure Wi-Fi are themselves turned into vulnerabilities in the Wi-Fi. You can practically hear Alanis Morissette signing IRONIC …
How many more can we expect? Instead of waiting for more Cisco charm, why not use the industry’s best of the breed WIPS that is built with a solid foundation so that it can protect your networks without giving itself in to attackers? Come to AirTight!