W&M 2009 – Defending your wireless networks.

  • Speaker notes: 802.11i was ratified in summer 2004. The Wi-Fi Alliance uses the WPA2 certification to verify that vendor implementations comply with 802.11i. CCMP (Counter Mode with CBC-MAC Protocol) is built on AES, the most current and advanced bulk encryption algorithm used for wired and wireless networks. For backward compatibility, or to support environments with lower security requirements, 802.11i also allows TKIP with RC4 encryption and can support pre-shared key authentication. Key caching allows users who have temporarily gone offline to be reconnected quickly without going through the full authentication process. Pre-authentication allows roaming users to proactively authenticate with adjacent access points so that they are not subject to excessive delays when they move. Both key caching and pre-authentication are vital for real-time applications like voice over WLAN. Because 802.11i borrows from the most powerful wired network security mechanisms, it is widely considered to have solved the WLAN security problem, and its integration with WLAN infrastructure makes it cost-effective as well.

Presentation Transcript

  • Defending Your Wireless Networks. Colin Corbett, Portfolio Manager FMC, Wireless & Data, Siemens Enterprise Communications Ltd. Best Practice
  • Wireless LAN Security Summary: Requirements and Complexity
    • Mummert&Partner study in Germany:
      • 60% of all companies had been hacked.
      • 10% didn't know how.
      • 85% had experienced financial losses.
      • 25% of the vulnerabilities were based on mistakes of employees.
      • 66% of all attacks originated from inside the corporate network.
    • Requirements:
      • Authentication and Access Control
      • Data Confidentiality and Integrity
      • Protection Against "Common" RF Threats
      • Protection Against "Malicious" RF Threats
    © 2009 Enterasys Networks, Inc. All rights reserved.
  • Best Practice: Authentication and Access Control (Diagram labels: LAN/WLAN Infrastructure, Workstation, User, Network Mgmt System, Authentication, Assessment, IT Apps & Services)
    • 802.1X Authentication
    • NAC detects the connecting end-system
      • Each user and device is authenticated
      • The security (health) state of each end-system is assessed
      • The user / end-system is then granted access, denied access or quarantined
      • The user / end-system is monitored for continuing compliance with security policy
    • The enforcement mechanism is embedded in the network or in an inline appliance
    • Monitoring and enforcement are continuous and persistent
    • Other end-systems:
      • IP Phone
      • HVAC Sensor
      • Security Camera
      • Diagnostic System
      • Printer
      • Etc.
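The NAC sequence on this slide (detect, authenticate, assess, grant/deny/quarantine, keep monitoring) can be written down as a small policy engine. The Go program below is an added example for this page, not Enterasys or Siemens code; the event kinds, the role names and the device list for end-systems without an 802.1X supplicant (the printer and IP phone class on the slide) are assumptions, and the event sequence is constructed sample input. How each role maps to a VLAN or ACL at the switch or controller is left to the enforcement point.

```go
package main

import "fmt"

// Role is the access an end-system currently holds. The enforcement point
// (switch or controller) turns it into a VLAN/ACL; that mapping is assumed.
type Role string

const (
	Pending    Role = "pending"    // detected, nothing granted yet
	Denied     Role = "denied"
	Quarantine Role = "quarantine" // remediation network only
	Production Role = "production"
	Restricted Role = "restricted" // supplicant-less device admitted by MAC, limited ACL
)

// Event is one notification from the access layer or the assessment engine
// (event kinds are assumptions for this example).
type Event struct {
	Kind     string   // "connect", "auth", "posture", "disconnect"
	MAC      string
	Identity string   // 802.1X identity when Kind == "auth"
	OK       bool     // auth succeeded / posture compliant
	Reasons  []string // posture failures, for the operator
}

type Endpoint struct {
	MAC, Identity string
	Authenticated bool
	Role          Role
}

type NAC struct {
	devices   map[string]string // MAC -> device type for devices that cannot run 802.1X
	endpoints map[string]*Endpoint
}

func NewNAC(devices map[string]string) *NAC {
	return &NAC{devices: devices, endpoints: map[string]*Endpoint{}}
}

// Handle applies one event and returns the role the enforcement point must
// now apply to that MAC.
func (n *NAC) Handle(e Event) Role {
	ep, ok := n.endpoints[e.MAC]
	if !ok {
		ep = &Endpoint{MAC: e.MAC, Role: Pending}
		n.endpoints[e.MAC] = ep
	}
	switch e.Kind {
	case "connect":
		ep.Role = Pending // detection alone grants nothing
	case "auth":
		if e.OK {
			ep.Identity, ep.Authenticated = e.Identity, true
			ep.Role = Pending // still waiting for the posture assessment
		} else if kind, listed := n.devices[e.MAC]; listed {
			ep.Identity, ep.Authenticated = kind, false
			ep.Role = Restricted // known printer/phone: MAC-based admission, limited access
		} else {
			ep.Role = Denied
		}
	case "posture":
		// Only authenticated end-systems move on posture; a later failed
		// re-assessment pulls a production host back into quarantine.
		if ep.Authenticated {
			if e.OK {
				ep.Role = Production
			} else {
				ep.Role = Quarantine
			}
		}
	case "disconnect":
		delete(n.endpoints, e.MAC)
		return Pending
	}
	return ep.Role
}

// sampleSession runs a constructed event stream and returns the role after
// each event.
func sampleSession() []Role {
	nac := NewNAC(map[string]string{"00:aa:bb:cc:dd:01": "printer"})
	laptop, printer, stranger := "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "66:77:88:99:aa:bb"
	events := []Event{
		{Kind: "connect", MAC: laptop},
		{Kind: "auth", MAC: laptop, Identity: "alice@corp.example", OK: true},
		{Kind: "posture", MAC: laptop, OK: true},
		{Kind: "posture", MAC: laptop, OK: false, Reasons: []string{"AV signatures 30 days old"}},
		{Kind: "posture", MAC: laptop, OK: true},
		{Kind: "connect", MAC: printer},
		{Kind: "auth", MAC: printer, OK: false}, // no supplicant, EAP times out
		{Kind: "connect", MAC: stranger},
		{Kind: "auth", MAC: stranger, OK: false},
		{Kind: "posture", MAC: stranger, OK: true}, // a posture report cannot bypass failed auth
	}
	roles := make([]Role, 0, len(events))
	for _, e := range events {
		roles = append(roles, nac.Handle(e))
	}
	return roles
}

func main() {
	for i, r := range sampleSession() {
		fmt.Printf("event %2d -> %s\n", i, r)
	}
}
```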
  • Best Practice: Data Confidentiality and Integrity (Chart: security improvement against availability of cracking tools, in the order Open, WEP, WPA-PSK, WPA-Ent, WPA2-PSK, WPA2-Ent)
  • 802.11i Best Practice
    • WPA2 Enterprise is based on the ratified 802.11i standard
    • Provides a framework for the most sophisticated encryption and authentication:
      • Data confidentiality dramatically improved through CCMP with AES encryption
      • CCMP also provides message integrity through its AES CBC-MAC (the MIC), replacing WEP's linear CRC-32 check
      • Continued use of 802.1X authentication
    • Other features of 802.11i include:
      • Key Caching
      • Pre-authentication
    • Managers and analysts agree that 802.11i finally provides an integrated packet-level WLAN security solution that addresses enterprise security needs
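The gap between WEP's CRC-32 ICV and CCMP's CBC-MAC MIC, mentioned in the speaker notes and on this slide, is concrete enough to run. The Go program below is an added example written for this page; it is not code from the presentation or from Enterasys or Siemens. It builds a WEP frame body with RC4 and a CRC-32 ICV, lets an attacker who never sees the key flip a plaintext byte and repair the ICV (CRC-32 is affine over XOR, so the fix-up needs no knowledge of the plaintext), then applies the same flip to a payload protected by a CCM-style AES CBC-MAC of the kind CCMP uses. The keys, IV, nonce, header bytes and payload are constructed for the example; the MIC routine follows CCM's block formatting (flags, 13-byte nonce, length, length-prefixed AAD) but omits the final CTR-keystream masking of the MIC, which does not change what can be forged.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rc4"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// wepEncrypt produces a WEP frame body: RC4(IV || key) over plaintext || ICV,
// where the ICV is CRC-32 of the plaintext. The IV travels in the clear.
func wepEncrypt(key, iv, plaintext []byte) []byte {
	body := append([]byte{}, plaintext...)
	var icv [4]byte
	binary.LittleEndian.PutUint32(icv[:], crc32.ChecksumIEEE(plaintext))
	body = append(body, icv[:]...)
	c, err := rc4.NewCipher(append(append([]byte{}, iv...), key...))
	if err != nil {
		panic(err)
	}
	c.XORKeyStream(body, body)
	return body
}

// wepDecrypt strips the keystream and checks the ICV (ok == false on mismatch).
func wepDecrypt(key, iv, body []byte) (plaintext []byte, ok bool) {
	out := append([]byte{}, body...)
	c, err := rc4.NewCipher(append(append([]byte{}, iv...), key...))
	if err != nil {
		panic(err)
	}
	c.XORKeyStream(out, out)
	n := len(out) - 4
	plaintext = out[:n]
	return plaintext, crc32.ChecksumIEEE(plaintext) == binary.LittleEndian.Uint32(out[n:])
}

// wepBitFlip alters an intercepted WEP body without the key. delta (same length
// as the plaintext) XORed into the ciphertext is XORed into the plaintext, and
// because crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros) the encrypted ICV is
// repaired by XORing in crc(d) ^ crc(zeros).
func wepBitFlip(body, delta []byte) []byte {
	n := len(body) - 4
	if len(delta) != n {
		panic("delta must cover the whole plaintext (zero bytes where nothing changes)")
	}
	out := append([]byte{}, body...)
	for i, d := range delta {
		out[i] ^= d
	}
	var fix [4]byte
	binary.LittleEndian.PutUint32(fix[:], crc32.ChecksumIEEE(delta)^crc32.ChecksumIEEE(make([]byte, n)))
	for i := range fix {
		out[n+i] ^= fix[i]
	}
	return out
}

func pad16(b []byte) []byte {
	if rem := len(b) % 16; rem != 0 {
		b = append(append([]byte{}, b...), make([]byte, 16-rem)...)
	}
	return b
}

// ccmpMIC is the CCM-style CBC-MAC CCMP uses as its MIC: AES-CBC with a zero IV
// over B0 (flags, nonce, length), the length-prefixed AAD and the payload,
// truncated to 8 bytes. Real CCMP then XORs this with the first CTR block.
func ccmpMIC(key, nonce, aad, payload []byte) []byte {
	if len(nonce) != 13 {
		panic("CCMP nonce is priority(1) || A2(6) || PN(6)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	b0 := append([]byte{0x59}, nonce...) // 0x59: Adata=1, M=8 -> 3, L=2 -> 1
	b0 = append(b0, byte(len(payload)>>8), byte(len(payload)))
	a := append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...)
	in := append(append(b0, pad16(a)...), pad16(payload)...)
	state := make([]byte, 16)
	for i := 0; i < len(in); i += 16 {
		for j := range state {
			state[j] ^= in[i+j]
		}
		block.Encrypt(state, state)
	}
	return state[:8]
}

// forgeDemo flips one byte of a captured WEP frame, then applies the same flip
// to a CCMP-protected payload. All keys and frame contents are constructed.
func forgeDemo() (wepAccepted, ccmpAccepted bool) {
	plaintext := []byte("DST-PORT=80")
	delta := make([]byte, len(plaintext))
	delta[len(plaintext)-1] = '0' ^ '8' // "...=80" becomes "...=88"

	wepKey, iv := []byte("k3y05"), []byte{0x01, 0x02, 0x03} // 40-bit key, attacker never sees it
	recovered, ok := wepDecrypt(wepKey, iv, wepBitFlip(wepEncrypt(wepKey, iv, plaintext), delta))
	wepAccepted = ok && bytes.Equal(recovered, []byte("DST-PORT=88"))

	// Under CCMP the payload is CTR-encrypted, so a ciphertext flip is the same
	// plaintext flip; the receiver recomputes the MIC over the flipped data.
	tk := []byte("0123456789abcdef")                                             // 128-bit temporal key (constructed)
	nonce := []byte{0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0, 0, 0, 0, 1} // priority, A2, PN
	aad := []byte{0x08, 0x41, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55}               // MAC-header bytes (constructed)
	mic := ccmpMIC(tk, nonce, aad, plaintext)
	tampered := append([]byte{}, plaintext...)
	for i, d := range delta {
		tampered[i] ^= d
	}
	ccmpAccepted = bytes.Equal(ccmpMIC(tk, nonce, aad, tampered), mic)
	return wepAccepted, ccmpAccepted
}

func main() {
	wep, ccmp := forgeDemo()
	fmt.Printf("WEP receiver accepts forged frame:  %v\n", wep)  // true
	fmt.Printf("CCMP receiver accepts forged frame: %v\n", ccmp) // false
}
```

The WEP half is exactly why the chart on the previous slide puts WEP next to "Open": the ICV is a checksum, not a keyed MAC, so any bit of a captured frame can be rewritten in place. The CCMP half fails because the MIC is keyed with the temporal key and every block feeds the next, so the attacker cannot predict the fix-up.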
  • Importance of Wireless IDS/IPS
    • Most enterprise WLAN vendors have standardized on 802.11i (WPA2) WLAN security
    • However, industry standards focus on securing packets and validating users, but ignore securing the air
      • No industry standard exists for securing the RF level
    • Wireless Intrusion Detection and Prevention (IDS/IPS) complements frame-level mechanisms for complete WLAN security
  • WLAN RF Security Threat Categories
    • Malicious RF Threats
      • "Honeypot" Access Point
      • MAC Spoofing Access Point
      • Denial of Service / Distributed Denial of Service Attacks
    • Common RF Threats
      • Rogue Access Points
      • Mis-configured Access Points
      • Ad-Hoc Connections
      • Client mis-association
      • Unauthorized client associations
  • What 802.11i won't cover (Diagram: Ad Hoc, Denial of Service Attack, Rogue AP, Mis-Configured AP, Unauthorized Association, Mis-association, Honeypot and AP MAC Spoofing, placed between the Enterprise Network and a Neighboring Network)
  • Best Practice: RF Security
    • Multi-tasking Access Points
      • Any or all Access Points can scan for threats at configured intervals while also providing network access to users
      • Provides a suitable degree of RF security for many environments, but with trade-offs:
        • Time-slice limitations may limit the comprehensiveness of scans
        • Potential performance impact on real-time user applications
    • Dedicated Access Point IDS scanners
      • Selected Access Points scan for threats full-time, allowing the other Access Points to focus solely on network access
    • Integration of advanced IPS sensors
      • Provides advanced threat prevention
      • Sophisticated graphical management and location services
      • Access Points should devote their attention to delivering the highest network performance
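The threat categories on the two slides above are rules a wireless IDS can apply to what its sensors hear. The Go program below is an added example for this page, not Enterasys or HiGuard code, and does not describe how that product classifies. It takes the controller's inventory of authorized APs, the corporate SSID list, a minimum security policy, beacon observations and client associations, and assigns each the category the slides name. The `OnWire` flag (whether the wired side also saw the AP's MAC on a switch port) is an assumed input from wired-side correlation, since an RF sensor alone cannot tell a rogue AP bridged into the corporate LAN from a neighbor's AP; all observations are constructed sample data.

```go
package main

import "fmt"

// Security levels in rising order so they compare with <.
type Security int

const (
	Open Security = iota
	WEP
	WPA
	WPA2
)

func (s Security) String() string { return []string{"Open", "WEP", "WPA", "WPA2"}[s] }

// AP is the controller's configured view of an authorized access point.
type AP struct {
	BSSID   string
	SSID    string
	Channel int
	Sec     Security
}

// Beacon is one RF sensor observation. OnWire is an assumed input from the NMS:
// the same MAC was also seen on a switch port.
type Beacon struct {
	AP
	IBSS   bool // capability field announces an independent BSS (ad-hoc)
	OnWire bool
}

// Assoc is an observed client association (from association/data frames).
type Assoc struct{ Client, BSSID string }

type Finding struct{ Subject, Category, Detail string }

// classify maps observations onto the slide's threat categories.
func classify(inventory map[string]AP, corpSSIDs map[string]bool, minSec Security,
	beacons []Beacon, corpClients map[string]bool, assocs []Assoc) []Finding {
	var out []Finding
	add := func(subject, category, detail string) { out = append(out, Finding{subject, category, detail}) }
	for _, b := range beacons {
		if b.IBSS {
			add(b.BSSID, "ad-hoc", fmt.Sprintf("IBSS %q on channel %d", b.SSID, b.Channel))
			continue
		}
		if cfg, known := inventory[b.BSSID]; known {
			switch {
			case cfg.SSID != b.SSID || cfg.Channel != b.Channel || cfg.Sec != b.Sec:
				// Our BSSID in the air with parameters the controller never set.
				add(b.BSSID, "mac-spoofing-ap", fmt.Sprintf("beacon %q ch%d %v vs config %q ch%d %v",
					b.SSID, b.Channel, b.Sec, cfg.SSID, cfg.Channel, cfg.Sec))
			case b.Sec < minSec:
				add(b.BSSID, "misconfigured-ap", fmt.Sprintf("%v is below policy minimum %v", b.Sec, minSec))
			default:
				add(b.BSSID, "authorized", "")
			}
			continue
		}
		switch {
		case corpSSIDs[b.SSID]:
			add(b.BSSID, "honeypot-ap", fmt.Sprintf("unknown BSSID advertising corporate SSID %q", b.SSID))
		case b.OnWire:
			add(b.BSSID, "rogue-ap", "unknown AP also seen on the wired network")
		default:
			add(b.BSSID, "neighbor", "")
		}
	}
	for _, a := range assocs {
		_, apKnown := inventory[a.BSSID]
		switch {
		case corpClients[a.Client] && !apKnown:
			add(a.Client, "client-mis-association", "corporate client joined "+a.BSSID)
		case !corpClients[a.Client] && apKnown:
			add(a.Client, "unauthorized-association", "unknown client joined authorized AP "+a.BSSID)
		}
	}
	return out
}

// categoriesOf returns every category assigned to one subject (a BSSID can be
// both authorized and spoofed when two beacons disagree).
func categoriesOf(fs []Finding, subject string) map[string]bool {
	m := map[string]bool{}
	for _, f := range fs {
		if f.Subject == subject {
			m[f.Category] = true
		}
	}
	return m
}

// sampleRun classifies a constructed observation set that covers each category.
func sampleRun() []Finding {
	inventory := map[string]AP{
		"00:11:22:aa:00:01": {"00:11:22:aa:00:01", "CORP", 6, WPA2},
		"00:11:22:aa:00:02": {"00:11:22:aa:00:02", "CORP", 11, WEP}, // left on WEP by mistake
	}
	beacons := []Beacon{
		{AP: AP{"00:11:22:aa:00:01", "CORP", 6, WPA2}},
		{AP: AP{"00:11:22:aa:00:02", "CORP", 11, WEP}},
		{AP: AP{"00:11:22:aa:00:01", "CORP", 1, Open}}, // our BSSID, not our configuration
		{AP: AP{"de:ad:be:ef:00:01", "CORP", 6, Open}}, // evil twin
		{AP: AP{"de:ad:be:ef:00:02", "linksys", 1, Open}, OnWire: true},
		{AP: AP{"de:ad:be:ef:00:03", "CafeWiFi", 1, WPA2}},
		{AP: AP{"de:ad:be:ef:00:04", "FreeInternet", 3, Open}, IBSS: true},
	}
	assocs := []Assoc{
		{"c0:ff:ee:00:00:01", "de:ad:be:ef:00:01"}, // corporate laptop on the evil twin
		{"c0:ff:ee:ff:ff:ff", "00:11:22:aa:00:01"}, // unknown client on our AP
	}
	return classify(inventory, map[string]bool{"CORP": true}, WPA2, beacons,
		map[string]bool{"c0:ff:ee:00:00:01": true}, assocs)
}

func main() {
	for _, f := range sampleRun() {
		fmt.Printf("%-18s %-24s %s\n", f.Subject, f.Category, f.Detail)
	}
}
```

Denial of service (deauthentication floods and the like) is deliberately absent: it is a rate and pattern judgement over management frames rather than a property of a single beacon, and needs a different input than this inventory comparison.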
  • Automated Compliance Reports
    • Audits conducted at defined intervals based on event history and compared with regulatory compliance specifications
    • Available pre-defined reports:
      • Gramm-Leach-Bliley
      • Sarbanes-Oxley
      • HIPAA
      • PCI
    • Custom report tool enables definition of test criteria specific to your own company or industry
  • Transparency & Cost-Effectiveness
    • Packet and RF security need to be optimized within the context of broader business considerations
    • For a security solution to be cost-effective:
      • Functionality should be integrated into the wireless equipment and/or leverage existing wired infrastructure to minimize capital investment
      • To minimize TCO, WLAN security should be easy to set up, configure, and monitor
    • Transparency means minimal complexity and performance degradation for the end-user
    (Diagram: the trade-off between Cost, Security, Security / Complexity and Usability)
  • WLAN Security
    • Flexible:
      • Incorporate the right level of security for your environment, and integrate with virtually any network topology
    • Non-Disruptive:
      • Focuses on securing the wireless domain and seamlessly integrates into the wired domain security
      • Integrated solution with no added hardware or client software makes adding security transparent
    • Easy to Manage:
      • Quick and intuitive deployment, configuration, and monitoring capabilities minimize complexity and TCO
  • Choosing the Right Level of Security (Chart: degree of security rising across Corporate Guest Access, Hotels, Public Hot Spots, Hospitals, Universities, Manufacturing, Enterprises using Voice over WLAN or real-time multimedia applications, Government, Financial Institutions)
    • Packet Level
      • None
      • WEP: RC4 encryption with a CRC-32 integrity check; pre-shared key authentication
      • WPA: TKIP (RC4) encryption; 802.1X authentication
      • WPA2 (802.11i): CCMP (AES) encryption; 802.1X authentication
    • RF Level
      • None
      • Multi-tasking access points scan the network and provide access
      • "Dedicated IDS" access points
      • Integration of IPS sensors and management
  • Providing Complete Protection (Diagram of the protection cycle; labels recovered from the slide and grouped by stage)
    • Detect: all Wi-Fi activity on 2.4 GHz and 5 GHz, all channels, including association activity; correlate information from multiple sensors
    • Identify / Auto-classify
    • Prevent: automatically block threats through dedicated sensors to prevent any impact on the service level
    • Locate: position rogue access points and clients on the floor plan for permanent removal
    • Visualize: measured coverage for service, detection and prevention
    • Monitor: limit user intervention to maximize the protection of all devices from all threats
    • Reporting (internal audit and compliance with local regulation)
    • Encryption & Authentication
  • Comprehensive Integrated WLAN Security
    • Enterasys Wireless lets enterprises achieve the benefits of WLAN without the security risks:
      • 802.11i / WPA2 standard support for Authentication and Data Confidentiality
      • Proactive Intrusion Detection and Prevention via HiPath Wireless Manager HiGuard
      • Captive Portal and Guest Services
      • Seamless integration with wired network VPN, NAC and authentication infrastructure
    (Diagram: RF Level Security (Wireless IDS/IPS) for Intrusion Detection and Prevention; Frame Level Security (802.11i/WPA2) for Data Confidentiality and Integrity; Session Level Security (802.1X) and NAC for Authentication and Access Control)
  • Conclusion
    • Enterasys provides a powerful and flexible security solution that can easily meet the security needs of any enterprise:
      • Open standards-based solution meets enterprises’ packet level security needs today and in the future
      • Range of intrusion detection and prevention options addresses the RF space and provides a complete security offering
      • Intuitive management tools create a cost-effective solution that is easy to use and transparent to end-users
    • The absence of a complete WLAN security solution is no longer an excuse to delay enterprise-wide deployments
    • Enterasys Wireless delivers security today
  • "There is nothing more important than our customers" THANK YOU