1. CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved 1
WLAN SECURITY
FUNDAMENTALS
Presented by
Neil Bhave
Channel Enablement Manager

2. 2 2
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Better visibility, better control, seamless mobility
“Thin”
Access Points
Centralized
Mobility Controller
802.11a/b/g
Antennas
Policy
Mobility
Forwarding
Encryption
Authentication
Management
“Fat”
Access Points
Centralized Architecture = More Secure

3. 3 3
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Controlling Rogue APs
1. AP detection!
• See all APs"
2. AP classification!
• Are they neighbors?"
• Or are they a threat?"
3. Rogue containment!
• Stop users from
accessing rogue APs
over the wire & over
wireless "
• Leave neighbors alone"
4. Locate Rogue !
• Find where it is and
disconnect"

4. 4 4
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Aruba Air
Monitor
Client
Client Tarpit Containment
• Does not waste air-time during threat mitigation
• Works against any brand and type of wireless device
Aruba Air
Monitor
Œ

Œ
Client is trying to
associate to rogue AP
Air Monitor creates
tarpit with fake channel
or fake BSSID

Client associates to
Air Monitor tarpit in
preference to rogue
Ž
Client stops
association attempts
to rogue


Ž
Interfering
Access
Point
Interfering
Access
Point
Client

5. 5 5
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Controlling Uncontrolled Wireless
Windows XP
Laptop
Internal Network
Public Network
Bridge

6. 6 6
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Wireless Intrusion Prevention - RFProtect
• Uncontrolled wireless devices
– Rogue APs
– Laptops acting as bridges
– Misconfigured laptops
– Ad-Hoc networks
• Attacks against the WLAN
– Denial of Service/flooding
– Forged de-authenticate/disassociate
– Man-in-the-Middle
– WEP cracking
– WPA-PSK cracking

7. 7 7
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
TotalWatch Full Spectrum Monitoring
• Complete Coverage
– 2.4-GHz and 5-GHz scanning
– 4.9-GHz public safety band
• 5-MHz channel increment scanning
– Rogue detection in-between channels
2.4 GHz 4.9 GHz 5.0 GHz
5-MHz channel scanning

8. 8 8
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Authentication
• 802.1X is best for Wi-Fi.
Works with all modern client
operating systems
• Makes use of EAP
(Extensible Authentication
Protocol)
• 802.1X authentication
happens at L2 – users will be
authenticated before an IP
address is assigned

9. 9 9
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Authentication with 802.1X: PEAP
EAPOL (EAP over LAN) RADIUS
Encrypted Tunnel
Authentication
Server
AP/Controller
STA

10. 10 10
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Encrypt the Data
• If intruders can’t read the data,
there’s no need to worry where it goes
– WEP
• Simple to do, easy to crack
• No key management
• Don’t do it
– TKIP (Temporal Key Integrity Protocol)
• Works on legacy hardware (pre-2003)
• First major flaw published in November 2008
• Flaw is getting worse with more research
• Not currently recommended
– CCMP/AES
• Encryption using AES
• Considered state-of-the-art
• Government approved (FIPS, CESG, etc.)
• Works on all modern hardware

11. 11 11
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Combining Authentication & Encryption: WPA
• WPA == Wi-Fi Protected Access
• WPA
– Wi-Fi Alliance “standard” based on pre-802.11i
– Includes TKIP for encryption
• WPA2
– Wi-Fi Alliance “standard” based on ratified 802.11i
– Includes TKIP and CCMP for encryption
• For both:
– WPA-Enterprise == 802.1X for authentication, dynamic
encryption keys
– WPA-Personal == pre-shared authentication key – careful!

12. 12 12
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
WPA-Personal? Be careful..
• WPA Personal does not use 802.1X
• Pre-shared key
• Easier
• But less secure
• Problem 1: Scalability
• Need to re-key any time an employee/user leaves the
organization
• Problem 2: Using weak keys
• WPA-PSK keys that are weak can be cracked (dictionary attack)

13. 13 13
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Configure WPA Properly
• Configure the Common Name
of your RADIUS server
(matches CN in server
certificate)
• Configure trusted CAs (an in-
house CA is better than a
public CA)
• ALWAYS validate the server
certificate
• Do not allow users to add new
CAs or trust new servers
• Enforce with group policy

14. 14 14
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Authorize the Data
• Most organizations do a decent job of authentication (who
the user is), but a poor job of authorization (what the user
is allowed to do)
• Mobile networks are typically multi-use
• Authentication provides you with user identity – now use
it! Identity-aware firewall policies can restrict what a user
can do, based on that user’s needs
Virtual AP 1
SSID: CORP
Virtual AP 2
SSID: GUEST
Guest user
Employee
VoIP Device
Contractor
Default VLAN
Layer 2
Switch
Router
Firewall
Captive
Portal
Radius Server
DHCP
Pool
Firewall
Virtual AP 1
SSID: CORP
Virtual AP 2
SSID: GUEST
Guest user
Employee
VoIP Device
Contractor
Default VLAN
Layer 2
Switch
Router
Firewall
Captive
Portal
Radius Server
DHCP
Pool
Firewall

15. 15 15
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Why Worry About Authorization?
Where is the “network perimeter” today?
§ Mobility brings us:
§ Disappearance of physical
security
§ New mobile users, devices
appearing everyday
§ Increased exposure to
malware
§ Assuming that “the bad guys
are outside the firewall, the
good guys are inside” is a
recipe for disaster
We meet
again, 007!

16. 16 16
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
PEF to Control Wireless Performance
Multicast/
Broadcast
Chatty
Protocols
Power Users
Stealing B/W
Malicious or
Misconfigured
Clients
Lack of Policy Impacts Network
Reliability & Performance!
• What are Multicast and Broadcast currently being used for?"
• What problems am I creating by using large VLANs to solve
mobility issues?"
• What non-critical applications are consuming bandwidth?"
• Should users be connecting to 3rd party WLANs?"
• Should users be setting up their own WLANs?"
• Should users be connected to wireless while wired?"
• How are “Power” Users affecting others?"
• How are unauthorized users affecting network availability"
Bonjour!

17. 17 17
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Network Access Control (NAC)
• Identity-Based Policy Control
– Assess user role, device, location, time,
application.
– Policies follow users throughout network
– (Aruba PEF)
• Health-Based Assessment
– Client health validation
– Remediation
– Ongoing compliance
– (ClearPass OnGuard)
• Network-Based Protection
– Stateful firewalls to enforce policies
and quarantine
– User/device blacklisting based
on Policy Validation
– (Integration with ESI)
Network-Based
Protection
Identity-Based
Policy Control
Health-Based
Assessment

18. 18 18
CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved
Today’s Wireless Gold Standard
• Centralized wireless
• Keep clients updated – drivers too!
• Wireless intrusion detection
– Control uncontrolled wireless
– Locate and protect against rogue APs
• WPA-2
– Authentication using 802.1X and EAP-TLS
– AES for link-layer encryption
• Strong passwords
– SecureID or other token-card products
– Strong password policies
• Authorization with identity-aware firewalls
– Enforce principle of least privilege
– Provide separation of user/device classes

19. CONFIDENTIAL
© Copyright 2012. Aruba Networks, Inc.
All rights reserved 1919