W&M 2009 – Defending your wireless networks.

  • 802.11i was ratified in summer 2004. The Wi-Fi Alliance uses the WPA2 certification to verify that vendor implementations comply with 802.11i. CCMP = Counter Mode CBC-MAC Protocol. AES is the most current and advanced bulk encryption algorithm used for wired and wireless networks. For backward compatibility or support of environments with lower security requirements, 802.11i also supports the use of TKIP with RC4 encryption and can support pre-shared key authentication. Key Caching allows users who have temporarily gone offline to be quickly reconnected without having to go through the full authentication process. Pre-authentication allows roaming users to proactively authenticate with adjacent access points so that they are not subject to excessive delays when they move. Both Key Caching and Pre-authentication are vital for real-time applications like voice-over-WLAN. Because the 802.11i system borrows from the most powerful wired network security mechanisms, it is widely considered to have solved the WLAN security problem, and its integration with WLAN infrastructure makes it cost-effective as well.

    1. Defending Your Wireless Networks: Best Practice
       Colin Corbett, Portfolio Manager FMC, Wireless & Data, Siemens Enterprise Communications Ltd
    2. Wireless LAN Security Summary
       • Mummert & Partner study in Germany:
          • 60% of all companies had been hacked
          • 10% didn't know how
          • 85% had experienced financial losses
          • 25% of the vulnerabilities were based on mistakes of employees
          • 66% of all attacks originated from inside the corporate network
       Diagram labels: Requirements; Complexity; Authentication and Access Control; Data Confidentiality and Integrity; Protection Against "Common" RF Threats; Protection Against "Malicious" RF Threats
       © 2009 Enterasys Networks, Inc. All rights reserved.
    3. Best Practice: Authentication and Access Control
       • 802.1X Authentication
       • NAC detects connecting end-system
          • Each user and device is authenticated
          • The security (health) state of each end system is assessed
          • The user / end-system is then granted access, denied access or quarantined
          • The user / end-system is monitored for continuing compliance to security policy
       • The enforcement mechanism is embedded in the network or inline appliance
       • Monitoring and enforcement is continuous and persistent
       • Other end-systems: IP Phone, HVAC Sensor, Security Camera, Diagnostic System, Printer, etc.
       Diagram labels: LAN/WLAN Infrastructure; Workstation; User; Network Mgmt System; Authentication; Assessment; IT Apps & Services
    4. Best Practice: Data Confidentiality and Integrity
       Chart labels: Availability of cracking tools; Security improvement
       Options shown: Open, WEP, WPA-PSK, WPA-Ent, WPA2-PSK, WPA2-Ent
    5. 802.11i Best Practice (HiPath Wireless)
       • WPA2 Enterprise is based on the ratified 802.11i standard
       • Provides a framework for the most sophisticated encryption and authentication:
          • Data confidentiality dramatically improved through CCMP with AES encryption
          • CCMP also performs advanced hashing for integrity
          • Continued use of 802.1X authentication
       • Other features of 802.11i include:
          • Key Caching
          • Pre-authentication
       • Managers and analysts agree that 802.11i finally provides an integrated packet-level WLAN security solution that addresses enterprise security needs
    6. Importance of Wireless IDS/IPS
       • Most enterprise WLAN vendors have standardized on 802.11i (WPA2) WLAN security
       • However, industry standards focus on securing packets and validating users, but ignore securing the air
          • No industry standard exists for securing the RF level
       • Wireless Intrusion Detection and Prevention (IDS/IPS) complements frame-level mechanisms for complete WLAN security
    7. WLAN RF Security Threat Categories
       • Malicious RF Threats
          • "Honeypot" Access Point
          • MAC Spoofing Access Point
          • Denial of Service / Distributed Denial of Service Attacks
       • Common RF Threats
          • Rogue Access Points
          • Mis-configured Access Points
          • Ad-Hoc Connections
          • Client mis-association
          • Unauthorized client associations
    8. What 802.11i won't cover
       Diagram labels: Ad Hoc; Denial of Service Attack; Rogue AP; Mis-Configured AP; Unauthorized Association; Mis-association; Honeypot; Enterprise Network; Neighboring Network; AP MAC Spoofing
    9. Best Practice: RF Security
       • Multi-tasking Access Points
          • Any or all Access Points can scan for threats at configured intervals while also providing network access to users
          • Provides a suitable degree of RF security for many environments, but with trade-offs:
             • Time-slice limitations may limit comprehensiveness of scans
             • Potential performance impact on real-time user applications
       • Dedicated Access Point IDS scanners
          • Selected Access Points scan for threats full-time, allowing the other Access Points to focus solely on network access
       • Integration of advanced IPS sensors
          • Provides advanced threat prevention
          • Sophisticated graphical management and location services
          • Access Points should devote their attention to delivering the highest network performance
    10. Automated Compliance Reports
       • Audits conducted at defined intervals based on event history and compared with regulatory compliance specifications
       • Available pre-defined reports:
          • Gramm-Leach-Bliley
          • Sarbanes-Oxley
          • HIPAA
          • PCI
       • Custom report tool enables definition of test criteria specific to your own company or industry
    11. Transparency & Cost-Effectiveness
       • Packet and RF security needs to be optimized within the context of broader business considerations
       • For a security solution to be cost-effective:
          • Functionality should be integrated into the wireless equipment and/or leverage existing wired infrastructure to minimize capital investments
          • To minimize TCO, WLAN security should be easy to set up, configure, and monitor
       • Transparency means minimal complexity and performance degradation for the end-user
       Diagram labels: Cost; Security; Security / Complexity; Usability
    12. WLAN Security
       • Flexible:
          • Incorporate the right level of security for your environment, and integrate with virtually any network topology
       • Non-Disruptive:
          • Focuses on securing the wireless domain and seamlessly integrates into the wired domain security
          • Integrated solution with no added hardware or client software makes adding security transparent
       • Easy to Manage:
          • Quick and intuitive deployment, configuration, and monitoring capabilities minimize complexity and TCO
    13. Choosing the Right Level of Security
       Environments shown along the "Degree of Security" axis: Corporate Guest Access; Hotels; Public Hot Spots; Hospitals; Universities; Manufacturing; Enterprises using Voice over WLAN or real-time multimedia applications; Government; Financial Institutions
       • Packet Level
          • None
          • WEP: CRC-32 (RC4) Encryption; Pre-shared Key Authentication
          • WPA: TKIP (RC4) Encryption; 802.1X Authentication
          • WPA2 (802.11i): CCMP (AES) Encryption; 802.1X Authentication
       • RF Level
          • None
          • Multi-tasking access points scan network & provide access
          • "Dedicated IDS" access points
          • Integration of IPS Sensors & Management
    14. Providing Complete Protection
       Stage labels: Locate; Identify; Auto-classify; Prevent; Visualize; Monitor
       Diagram text:
       • Reporting (internal audit and compliance to local regulation)
       • Encryption & Authentication
       • 2.4 GHz & 5 GHz, all channels, association activity
       • Position Rogue Access Points and Clients on the floor-plan for permanent removal
       • Visualize measured coverage for service, detection and prevention
       • Automatically block threats through dedicated sensors to prevent any impact on the service level
       • Limit user intervention to maximize the protection of all devices from all threats
       • Detect all Wi-Fi activity and correlate information from multiple sensors
    15. Comprehensive Integrated WLAN Security
       • Enterasys Wireless lets enterprises achieve the benefits of WLAN without the security risks:
          • 802.11i / WPA2 standard support for Authentication and Data Confidentiality
          • Proactive Intrusion Detection and Prevention via HiPath Wireless Manager HiGuard
          • Captive Portal and Guest Services
          • Seamless integration with wired network VPN, NAC and authentication infrastructure
       Diagram labels: RF Level Security (Wireless IDS/IPS); Frame Level Security (802.11i/WPA2); Data Confidentiality and Integrity; Authentication and Access Control; Intrusion Detection and Prevention; Session Level Security (802.1X), NAC
    16. Conclusion
       • Enterasys provides a powerful and flexible security solution that can easily meet the security needs of any enterprise:
          • Open standards-based solution meets enterprises' packet level security needs today and in the future
          • Range of intrusion detection and prevention options addresses the RF space and provides a complete security offering
          • Intuitive management tools create a cost-effective solution that is easy to use and transparent to end-users
       • The absence of a complete WLAN security solution is no longer an excuse to delay enterprise-wide deployments
       • Enterasys Wireless delivers security today
    17. "There is nothing more important than our customers"
       THANK YOU
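
The access-point-side RF threat categories listed on slides 7 and 8, expressed as a classification rule set a wireless IDS sensor could apply to its scan results. This is an added example, not code from the deck or from any Enterasys product; the inventory, the observation fields (`ibss`, `on_wire`), the category rules and all sample values are assumptions, and the security ranking follows the ordering on slide 4.

```python
# Added example (not from the deck): label sensor observations with the deck's
# AP-side RF threat categories. Inventory, field names and rules are assumptions.
RANK = {"open": 0, "wep": 1, "wpa-psk": 2, "wpa-ent": 3, "wpa2-psk": 4, "wpa2-ent": 5}

AUTHORIZED = {  # constructed inventory: BSSID -> (SSID, channel, minimum security)
    "00:11:22:33:44:01": ("corp", 1, "wpa2-ent"),
    "00:11:22:33:44:02": ("corp", 6, "wpa2-ent"),
}
CORP_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}

def classify(obs):
    """Return one category label for a single observation dict."""
    if obs.get("ibss"):                      # IBSS beacon: peer-to-peer network
        return "ad-hoc connection"
    known = AUTHORIZED.get(obs["bssid"].lower())
    if known:
        ssid, channel, minimum = known
        # Inventoried BSSID on the wrong SSID or channel suggests a cloned MAC.
        if obs["ssid"] != ssid or obs["channel"] != channel:
            return "mac-spoofing ap"
        if RANK[obs["security"]] < RANK[minimum]:
            return "mis-configured ap"
        return "authorized"
    if obs["ssid"] in CORP_SSIDS:            # unknown radio advertising our SSID
        return "honeypot ap"
    if obs.get("on_wire"):                   # unknown radio bridged to our LAN
        return "rogue ap"
    return "neighboring network"

def summarize(observations):
    groups = {}
    for obs in observations:
        groups.setdefault(classify(obs), []).append(obs["bssid"])
    return groups

# Constructed sample scan results
SAMPLE = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp", "channel": 1, "security": "wpa2-ent"},
    {"bssid": "00:11:22:33:44:02", "ssid": "corp", "channel": 6, "security": "wep"},
    {"bssid": "00:11:22:33:44:01", "ssid": "corp", "channel": 11, "security": "wpa2-ent"},
    {"bssid": "02:aa:bb:cc:dd:01", "ssid": "corp", "channel": 6, "security": "open"},
    {"bssid": "02:aa:bb:cc:dd:02", "ssid": "lab", "channel": 3, "security": "open", "on_wire": True},
    {"bssid": "02:aa:bb:cc:dd:03", "ssid": "printer", "channel": 9, "security": "open", "ibss": True},
    {"bssid": "02:aa:bb:cc:dd:04", "ssid": "cafe", "channel": 11, "security": "wpa2-psk"},
]

if __name__ == "__main__":
    for label, bssids in summarize(SAMPLE).items():
        print(f"{label}: {', '.join(bssids)}")
```

The channel check assumes fixed channel assignments; where access points select channels automatically, the inventory has to be refreshed from the controller before that rule is meaningful.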
