what is cisco 200-301

what is cisco 200-301.268 Chapter 3 Wireless Network Security Assurance spoofed, the client could be connecting to a potentially unsafe network. Suppose the following scenario occurs: An attacker learns the SSID of your corporate network and uses this information to send a beacon to inform you of the SSID, and a wireless workstation within range of the illegal AP connects to that AP, which allows connectivity to the Internet, but is not actually on your corporate wired network. Another client connected to the same illegal AP can then use easily accessible tools on the Internet to attack the wrongly associated client and steal valuable corporate data. This scenario utilizes a variety of attack methods. It uses a method known as managementframespoofing and an active attack on the misassociated client. So how do you defend against these methods of attack? The answer starts with a feature called ManagementFrameProtection.4. Management Frame ProtectionOne approach to Management Frame Protection (MFP, ManagementFrameProtection) is InfrastructureMFPO. With this approach, each management frame includes a cryptographic hash algorithm called MessageIntegrityCheck, which is added to the MIC of each frame. The MIC is added before the Frame Check Sequence (FCS) of each frame. When this is enabled, each WLAN has a unique key that is sent to each radio on the AP. The AP then sends a management frame, and the network is informed that the AP is in protected mode. If this frame is changed, or if someone spoofs the SSID of the WLAN without the unique key, the message is considered invalid. This causes other APs listening to the invalid frame to report it to the controller.Another method of MFP is called Client MFP (Client MFP)O If the client is running Cisco Compatible Extensions (CCX, CiscoCompatibleExtensions) version 5 or later, it communicates with the AP and looks for its MICO In addition to listening to and verifying management frames sent out by the AP providing the feature, the client can also verify the management frames received and sent to the AP. client to also verify other management frames that are received and heard. The main advantage of this mode is the extended detection range. In Figure 17-1, the AP is in the center of the network and the client is on the outside. These clients can detect the AP called BAD_AP, which is generating invalid frames, even though the BAD_AP is out of range of the APs in protected mode.For MFP version 1, all local mode APs are protectors. They issue digital signatures on all frames sent. ° Any other AP or AP in the same local mode may be a validator for this purpose.For MFP Release 2, the client must be running the Cisco Security Services Client (CSSC, CiscoSecure Services Client drops the Client) or be able to run CCXv5, which allows the client to listen for illegal behavior and report illegal frames. Because of the invalid frames, you don't have to worry about your client being associated with an illegal AP.Client MFP has another advantage. Assuming a neighboring AP has a deauthentication frame for suppression, it will suppress your network as a Denial of Service (DOS, Denial-Of-Service). The client will see that the suppression frame has no MIC and will therefore ignore the deauthentication frame. This prevents people from suppressing your network in the form of a DoS attack.Select SECURITY>WirelessProtectionPolicies>APAuthentication/MFP to enable MFP@ As shown in Figure 17-2, you can view the WLAN controller's MFP by selecting SECURITY >Wireless Protection Policies > Management Frame Protection to view the WLAN controller's MFPO17.2 Basic Topics 269Figure 17-1 Running Client MFP