AirTight Networks WIPS at Wireless Field Day 6 WFD6

AirTight Networks WIPS at Wireless Field Day 6 WFD6 by Hemant Chaskar


  1. @AirTight WIPS #WFD6, Jan 29, 2014
     Part 1: WIPS Product Demo, Rick Farina (@RickLikesWIPS)
     Part 2: Technology Deep Dive, Hemant Chaskar (@CHemantC)
     © 2014 AirTight Networks, Inc. All rights reserved.
  2. AirTight WIPS
     - Overlay WIPS, or WIPS as part of AirTight APs
     - Best in the industry
     - Customer base of 1500+ enterprises, including large/Fortune companies, Government and DoD
     - Extensive patent portfolio
  3. WIPS Basics
     - WIPS addresses threat vectors orthogonal to WPA2
     - Offers protection for both
       - the wired network (e.g. rogue APs), and
       - wireless clients/connections (e.g. Evil Twin)
     - Requires scanning all channels (not just the managed APs' channels)
       - Dedicated and background scanning radios
  4. WPA2 and WIPS (BYOD)
  5. Traditional Approach
     - User-defined rules for classifying devices as managed, neighbor, rogue
     - Signature matching on packet fields to detect attack tools
     - Packet-statistics-based anomaly detection
     - Lots of alerts
     - Manual-intervention-driven reactive workflow
  6. User Defined Rules Are No Match For the Wireless Environment
     - Requires cumbersome configuration of rules
     - Can't keep up with the dynamic wireless environment
  7. User Defined Rules Are More Nuisance Than Help
     - Device alerts, false alarms, manual intervention to act on alerts
     - Fear of automatic prevention
  8. Signature Matching On Packets Is False Alarm Prone
     - Not all attack tools have signatures
     - Signature fields in tools are modifiable
     - Signatures lag attack tools
     - Result: the signature-matching approach creates abundant false positives and false negatives
     Does anyone still think (SSID) signatures are a good idea?
  9. Packet Anomaly Detection On Unknown Thresholds
     - Inaccurate stats based on partial observation
       - Scanning sensor
       - RSSI limitations
     - It doesn't help to give threshold comparators when users don't know the right thresholds
       - The right threshold catches real threats while avoiding false alarms
  10. Changing the Status Quo: Traditional Approach vs AirTight Approach (WIPS Compass)
  11. Traditional vs AirTight
     - Traditional: overhead of user-defined rules for device categorization / AirTight: out-of-box auto-classification into intrinsic categories
     - Traditional: signatures and threshold anomaly detection / AirTight: proactive blocking of risky connections
     - Traditional: constant manual intervention / AirTight: highly automated
     - Traditional: alert flood / AirTight: concise alerts
     - Traditional: fear of automatic prevention / AirTight: reliable automatic prevention
  12. AP Auto-classification into Foundation Categories
     - No user-configured rules (SSID, OUI, RSSI, ...)
     - Runs 24x7
     All APs visible are split into:
       - Managed APs (static part): Authorized APs
       - Unmanaged APs (dynamic part): Rogue APs and External APs
  13. Marker Packets™ for Connectivity Detection
     - No reliance on managed switch infrastructure (CAM tables)
     - Prompt detection with localized operation for any network size
     - No false negatives: no "suspects" in the neighbor category (as happens with wired and wireless MAC correlation)
     - No false positives: no "legal disclaimers" on the automatic classification; the rogue category contains real rogues
  14. Client Auto-classification
     - Newly discovered client: Uncategorized
     - Connects to a secure Authorized AP: Authorized Client
     - Connects to an External AP: External Client
     - Connects to a Rogue AP: Rogue Client
     Additional ways to auto-classify clients:
       - Integration APIs with leading WLAN controllers to fetch the Authorized Clients list
       - Import MAC addresses of Authorized Clients from a file
  15. AirTight WIPS Security Policy
     - AP classification: Authorized APs, Rogue APs (on network), Neighborhood APs
     - Client classification: Authorized Clients, Rogue Clients, Neighborhood Clients
     - Connection paths between the categories are marked GO, STOP or IGNORE; the policy also covers Block Misconfig and Detect DoS
     Detect and block the red (STOP) paths!
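The client auto-classification of slide 14 and the GO/STOP/IGNORE policy paths of slide 15, as a small working model. This is an added illustration, not AirTight's code; the policy matrix, the sample MAC addresses and the Association type are assumptions made for the example.

```python
from dataclasses import dataclass

# Client category derived from the first AP a client is seen associated
# with (slide 14). Clients never seen associated stay "uncategorized".
CLIENT_FROM_AP = {"authorized": "authorized",
                  "neighborhood": "external",
                  "rogue": "rogue"}

# Assumed policy matrix (client category, AP category) -> action, modelled
# on the GO / STOP / IGNORE paths of slide 15. Unlisted pairs are STOP.
POLICY = {
    ("authorized", "authorized"): "GO",
    ("authorized", "rogue"): "STOP",         # misassociation to a rogue AP
    ("authorized", "neighborhood"): "STOP",  # misassociation to a neighbor AP
    ("rogue", "authorized"): "STOP",         # rogue client on the managed WLAN
    ("external", "neighborhood"): "IGNORE",  # a neighbor's own traffic
}


@dataclass(frozen=True)
class Association:
    client_mac: str  # constructed sample values, not real devices
    ap_mac: str


class Wips:
    def __init__(self, ap_categories):
        self.ap_categories = dict(ap_categories)  # ap_mac -> category (slide 12)
        self.client_categories = {}               # client_mac -> category

    def import_authorized(self, macs):
        """Pre-seed Authorized Clients, as from a controller API or a file (slide 14)."""
        for mac in macs:
            self.client_categories[mac] = "authorized"

    def category_of(self, mac):
        return self.client_categories.get(mac, "uncategorized")

    def evaluate(self, assoc):
        """Return (client category, policy action) for one observed association."""
        # Assumption: an unmanaged AP not yet found on the wire is a neighborhood AP.
        ap_cat = self.ap_categories.get(assoc.ap_mac, "neighborhood")
        # Auto-classify on the first observed association. A category, once
        # assigned, is kept, so a later risky connection is a policy violation
        # (STOP) rather than a reclassification.
        client_cat = self.client_categories.setdefault(
            assoc.client_mac, CLIENT_FROM_AP[ap_cat])
        return client_cat, POLICY.get((client_cat, ap_cat), "STOP")
```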
  16. Reliable Prevention
     - One size doesn't fit all
       - There are many permutations and combinations of connection type and Wi-Fi interface hardware/software
     - Bag of tricks for comprehensive prevention
       - Deauth, timed deauth, client chasing, ARP manipulation, cell splitting, wireless side, wired side
  17. Accurate Location Tracking
     - Stochastic triangulation: a maximum-likelihood-estimation-based technique
     - No need for an RF site survey
     - No search squads to locate Wi-Fi devices
     - 15 ft accuracy in most environments
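A maximum-likelihood location estimate from RSSI readings at several sensors, in the spirit of the "stochastic triangulation" bullet on slide 17. This is an added example, not AirTight's method: the log-distance path-loss model, its parameters (P0, N_EXP), the corner sensor layout and the constructed readings are all assumptions.

```python
import math

P0 = -40.0   # assumed RSSI (dBm) at 1 ft from the transmitter
N_EXP = 2.5  # assumed path-loss exponent for an indoor space


def expected_rssi(sensor, pos):
    """Log-distance path-loss model; a 1 ft floor avoids log(0) at the sensor."""
    d = max(1.0, math.dist(sensor, pos))
    return P0 - 10.0 * N_EXP * math.log10(d)


def neg_log_likelihood(pos, readings):
    """With Gaussian noise of equal variance at every sensor, the negative
    log-likelihood is (up to a constant) the sum of squared RSSI residuals."""
    return sum((rssi - expected_rssi(s, pos)) ** 2 for s, rssi in readings)


def locate(readings, width, height, step=1.0):
    """Grid search over the floor for the position maximising the likelihood."""
    best, best_cost = None, math.inf
    y = 0.0
    while y <= height:
        x = 0.0
        while x <= width:
            cost = neg_log_likelihood((x, y), readings)
            if cost < best_cost:
                best, best_cost = (x, y), cost
            x += step
        y += step
    return best


def demo_readings(true_pos=(23.0, 41.0)):
    """Constructed readings: sensors at the corners of a 60 ft square, a
    device at true_pos, and fixed per-sensor offsets standing in for noise."""
    sensors = [(0.0, 0.0), (60.0, 0.0), (0.0, 60.0), (60.0, 60.0)]
    noise = [1.0, -1.0, 0.5, -0.5]
    return [(s, expected_rssi(s, true_pos) + e) for s, e in zip(sensors, noise)]


if __name__ == "__main__":
    print(locate(demo_readings(), 60, 60))
```

With no noise the grid search lands exactly on the true position; with the constructed offsets it stays within a few feet, the kind of error the 15 ft figure on the slide allows for.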
  18. Why AirTight WIPS?
     - Automatic device classification
     - Reliable threat prevention
     - Accurate location tracking
     - Cloud managed or onsite
     - Detailed compliance reporting
     - Ease of operation and lowest TCO
