SlideShare a Scribd company logo

ICC Networking Data Security

International Communications Corporation
International Communications Corporation

ICC's unified IP data networking solution also layers into its solution security features with a range of capabilities for the customer to select from. Inclusive of WDS, VLANs, DoS attack prevention, and a host of other capabilities, ICC's icXchange networking solutions are full features without additional licensing for enterprise features.

Technology
1 of 13
Download to read offline
1 ICC Security Philosophy There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've see breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a dis-incentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems. Core Objective ICC agrees with E&Y's cost benefit review of looking at Security.  Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.  Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.  Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.  Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.  Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase likelihood of successful outcomes. These layers ensure full integration of data security with all parts of a business model as well as marrying it to the top risks facing telecommunications with security. The ICC icXchange® Solution Security Review IP Data Security in an Internet of Things ecosystem 1 ICC Security Philosophy There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've see breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a dis-incentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems. Core Objective ICC agrees with E&Y's cost benefit review of looking at Security.  Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.  Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.  Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.  Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.  Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase likelihood of successful outcomes. These layers ensure full integration of data security with all parts of a business model as well as marrying it to the top risks facing telecommunications with security. The ICC icXchange® Solution Security Review IP Data Security in an Internet of Things ecosystem 1 ICC Security Philosophy There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've see breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a dis-incentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems. Core Objective ICC agrees with E&Y's cost benefit review of looking at Security.  Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.  Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.  Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.  Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.  Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase likelihood of successful outcomes. These layers ensure full integration of data security with all parts of a business model as well as marrying it to the top risks facing telecommunications with security. The ICC icXchange® Solution Security Review IP Data Security in an Internet of Things ecosystem
2 Therefore, ICC's deployment strategy affixes various types of security technologies at every level of connectivity from the edge to the aggregation and to the distributed core. Edge networking devices: Unified Access Device (UAD) UADs are for managed access APs for an all wireless network. Designed with security in mind each device contains the UAD Operating System (UADOS) that includes Firewall, Routing, MAC Filtering, Wireless Intrusion Detection, VLAN Hidden SSID, Captive Portal among other features. The UAD is the first line of defense with a variety of security rules to prevent or allow initial user access based on policies set by an administrator. ICC's approach to a simple network ecosystem is demonstrated in these devices because they are self contained and can be completely separated from a network by being its own NAT router without the need to re-flash the unit. The administrator simply needs to enable AP mode or Router mode without updating firmware as with other vendors. Security Features Authentication and Security Security Standards Multiple authentication methods Wi-Fi Protected Access (WPA) WPA(PSK), WPA2(PSK), WEP IEEE 802.11i WPA Enterprise, WPA2 Enterprise RFC 1321 MD5 Message-Digest Algorithm RFC 2104 HMAC: Keyed Hashing for Message Authentication Multiple encryption algorithms RFC 2246 TLS Protocol Version 1.0 CCMP (AES) RFC 2401 Security Architecture for the Internet Protocol TKIP RFC 2407 Interpretation for ISAKMP CCMP and TKIP both RFC 2408 ISAKMP Hidden SSID support RFC 2409 IKE Wireless client isolation RFC 3280 Internet X.509 PKI Certificate and CRL Profile Remote Radius authentication and accounting support RFC 4347 Datagram Transport Layer Security Local authentication (Mac passing) RFC 4346 TLS Protocol Version 1.1
3 Authentication, Authorization and Accounting MAC Filter IEEE 802.1X Allow all except listed MAC addresses RFC 2548 Microsoft Vendor-Specific RADIUS Attributes Allow only listed MAC addresses RFC 2865 RADIUS Authentication RFC 2866 RADIUS Accounting Shows all clients connected to each radio (if more than one) RFC 2867 RADIUS Tunnel Accounting Sets the minimum connection/transmission rate a user can connect (Multicast Tx rate) RFC 2869 RADIUS extensions Ability to limit/exclude certain channels RFC 3579 RADIUS Support for EAP Transmit power control to change the output of the radio RFC 3580 IEEE 802.1X RADIUS Guidelines RFC 3748 Extensible Authentication Protocol Web-based authentication The UADOS is also enhanced with ICC's patented icXengine that inspects and control IP data content flows. Deployments for either indoor or outdoor applications are complimented in these all wireless networks by the cloud AAA and Radius systems from icXcloud and icXmanager.
4 Enterprise networking devices: Link and activeARC Series Controller-based Solution The aggregation layer of the ICC solution consist of a unified switched controller system designed to ensure connectivity while increasing performance up to 10G for various distributed or centralized functions. The advanced security features include: 802.11 security BSSIDs (Up to 32 for dual band AP, 16 for single band AP) 802.11i (802.1x Authentication and PSK Authentication) Hidden SSID WEP (WEP64/WEP128) WPA, WPA2, TKIP, AES 11 different WIDS methods Rogue AP detection Rogue DHCP Server detection DoS attack prevention DDoS Password guessing protection Rate limiting Access Lists (ACLs) Layer-2 (MAC address based ACL) Layer-3 (IP address based ACL) Authentication MAC Filtering 802.1x Authentication (EAP-TLS, EAP- TTLS, EAP-PEAP, EAP-MD5) Captive Portal AAA RADIUS Client LDAP Local Authentication (5000 user entries) Accounting server IPv6 Support IPv6 ISATAP, 6to4 Tunnel, DHCPv6, DNSv6, ICMPv6,ACLv6, TCP/UDP for IPv6, SNMP v6, Ping /Trace, Route v6, RADIUS, Telnet/ SSH v6, NTP v6, IPv6 MIB support for SNMP, VRRP for IPv6, IPv6 QoS, Static Routing, OSPFv3, IPV6 Security RA Data forwarding Distributed forwarding architecture (CAPWAP) Centralized architecture (CAPWAP) Security is also enhanced by the system's ability to route data in a variety of methods. Administrators can more frequently change IP data routing measures to keep the system ever evolving so data traffic routes are harder to guess or set up for. Possessing the ability for central, distributed, encrypted, Q-in-Q, AP to AP or AP to Switch forwarding options, ICC's icXchange network architectures can evolve based on business demands and / or based on security concerns for data flows. Organizations can set up different routing measure allowing the controller systems to be in the data path, outside the data path, off or onsite, or a variety of other simple to change system abilities that enhance security.
5 Broadband Connectivity: Super Wi-Fi The WAN connectivity points are also very important and require a higher level of security to ensure data integrity and security. ICC's joint solution provides military level encryption that either starts with the system or can be added over time based on requirements and business needs. The backbone system consists of different security measures within the below four segments. Wireless Broadband: Whitespace (Super Wi-Fi) - VHF/UHF SECURITY Payload Encryption 128/256 bit Advanced Encryption Standard (AES) System Access/Authentication Capabilities Multifactor Authentication. Remote Access Token Based Authentication Authorization and Accounting Protects Against Non-Authorized Administration/ Maintenance and Over-the- Air Access Information Assurance Tools Integrated Firewall and Suite of Information Assurance Tools The ICC solution is a single integrated solution but with various types of security measures based on the type of requirements at each level.
6 Example: PCI Data Security Standards (DSS) PCI Data Security Standards (DSS) compliance is central to a vibrant and expanding economy that continues to utilize credit cards as a means or medium for payments. Credit card transactions are in the billions each year with the value being in the trillions of dollars. Network intruders continue to be a threat and could siphon off a variety of customer data including credit card numbers, PIN, account and personal information, and a variety of details to allow them to utilize the pilfered cards. The standards set both the technical and operational requirements for handling cardholder data. It provides guidance for everything from software, security, networking, applications, and anything that might come into contact, store, transmit, or touch in any way cardholder details. The standards are enforced by the founding members American Express, Discover Financial Service, JCB International, MasterCard Worldwide, and Visa Inc. Implementation PCI DSS was implemented as a way to provide security guidance to anyone conducting a credit card transaction. To adequately outline the requirements, a Wireless Operation Guide was implemented which identified two categories. The first requirement dealt with 'general applicable wireless requirements' which constituted such requirements as rogue or unknown device detection. The second requirement dealt with in-scope wireless equipment and the general protection against any non-authorized users to any system regardless of its proximity to the Cardholder Data Environment (CDE). The PCI DSS Wireless Guide outlines those requirements while utilizing a wireless local area network environment and how to segment credit card data, keep inventory statistics, detect Rogue access points or connections, enforce usage, and physical monitoring. The four main areas for concern 1. Inventory 2. Scanning and dealing with Rogue access points and devices 3. Wireless enforcement 4. Segmentation The ICC icXchange® solution helps various market segments as they strive to keep their PCI compliance as simple as possible. The true target audience for PCI DSS includes organizations that store, process, or transmit cardholder data and who may or may not have deployed wireless technology, as well as assessors performing PCI DSS assessments pertaining to wireless. As further support to these groups, the ICC icXchange® solution helps ensure the highest level of technology, flexibility, and features that aide in the protection of CDE. The US Census Bureau: The Federal Reserve PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0. Published by the PCI Security Standard Council 2010.
7 Inventory The PCI DSS group makes the recommendation that inventory of all items connected to the network is maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine a 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network. Scanning and handling Rogue Access Points The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices more often strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1. The ICC icXchange® solution provides various security options including a Wireless Intrusion Detection System to provide advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks not only for rogue APs but DoS and DDos attacks. Moreover, the solution is a unified wired/wireless platform to ensure consistent protection while increasing segmentation with an advanced Layer 3 feature set. Constant Scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirement, threats can be reported for further action or they can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners to think in advance of how they'd like threats to be handled. Once a decision is made they can, through the ICC icXchange® solution, automate and immediately handle that threat. Wireless enforcement and usage The ICC icXchange® solution employs variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009. 7 Inventory The PCI DSS group makes the recommendation that inventory of all items connected to the network is maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine a 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network. Scanning and handling Rogue Access Points The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices more often strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1. The ICC icXchange® solution provides various security options including a Wireless Intrusion Detection System to provide advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks not only for rogue APs but DoS and DDos attacks. Moreover, the solution is a unified wired/wireless platform to ensure consistent protection while increasing segmentation with an advanced Layer 3 feature set. Constant Scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirement, threats can be reported for further action or they can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners to think in advance of how they'd like threats to be handled. Once a decision is made they can, through the ICC icXchange® solution, automate and immediately handle that threat. Wireless enforcement and usage The ICC icXchange® solution employs variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009. 7 Inventory The PCI DSS group makes the recommendation that inventory of all items connected to the network is maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine a 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network. Scanning and handling Rogue Access Points The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices more often strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1. The ICC icXchange® solution provides various security options including a Wireless Intrusion Detection System to provide advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks not only for rogue APs but DoS and DDos attacks. Moreover, the solution is a unified wired/wireless platform to ensure consistent protection while increasing segmentation with an advanced Layer 3 feature set. Constant Scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirement, threats can be reported for further action or they can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners to think in advance of how they'd like threats to be handled. Once a decision is made they can, through the ICC icXchange® solution, automate and immediately handle that threat. Wireless enforcement and usage The ICC icXchange® solution employs variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009.
8 Segmentation One of the core requirements from PCI DSS requirements is the segmentation of CDE (Cardholder Data Environments) traffic from the rest of the network. The ICC icXchange® solution sits within the network and can be connected separately to a designated firewall and gateway for external access. This is the most direct method for handling compliance however, it might not always be possible in all cases. In the event that the ICC icXchange® solution and CDE traffic must exist on the same network, then the ICC icXchange® solution has a variety of advanced segmentation features to separate and maintain data security while it traverses the network. PCI DSS recommends placing a firewall between the CDE and ICC icXchange® solution. This is demonstrated in the image to the right. The primary function of the firewall is to separate the traffic to ensure there's no possibility of CDE traffic being visible to, or mixed with other data traffic. The ICC icXchange® solution is a unified wired and wireless system with full Layer 3 routing. This additional feature provides the industry with several options for additional security. The solution supports a variety of routing protocols including RIP, OSPF, VRRP, IGMP, as well as other advanced features designed to keep IP data traffic contained and secure. While VLANs can be used, it's not the best method for separating the data from CDE traffic. Experienced hackers could filter between VLANs as a means to gather data. Keeping a completely separate segment is vital to enhancing network security. Beyond PCI Compliance The ICC icXchange® solution is a unified solution built for a multi-user data environment. The ability to control IP traffic is central to our system and is a ground up feature set supported at each level of the solution. Starting with full Layer 2 and Layer 3 MAC-based ACLs, the solution can route traffic separately via true Layer 3 segmentation or via various IP Forwarding methods. Distributed and Local forwarding with CAPWAP secure encryption add another layer of separation of data, as well as the ability to route separate data traffic to different locations. Therefore, whether the user needs to securely control guest traffic and segment it from the CDE traffic, or vice versa, the solution is able to keep those data paths completely separated. Client traffic can also be limited to the specific routable, controlled, and secure areas of the network based on PCI requirements. The solution’s various authentication methods (MAC Filtering 802.1x Authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5) Captive Portal, AAA RADIUS, Client LDAP Local Authentication(5000 user entries), and Accounting server) direct non-corporate IP traffic to a specific secure part of the network. Combined with the embedded Wireless Intrusion Detection System (WIDS) utilizing 11 different modes (Blacklist, Whitelist, Rogue AP, Fake AP, etc.) for protecting against hackers, the network can be kept secure. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009.
9 The following is a list of compliance features and how they can be supported within the ICC icXchange® solution. Since the solution supports multiple methods per requirements, we maintain several technical labs and configuration details for each feature at http://www.iccnetworking.com.
10 The ICC icXchange® solution expands PCI DSS compliance with the addition of extensive IP control measures that reach beyond standard vendor requirements. The ICC icXchange® solution expands its unified approach to add advanced features to secure data. Those measures include such features as:  Access Management Configuration  Access List Control  SSL  Wireless Intrusion Detection  Wireless Security  Syslog and SNMP Access Management Configuration Access Management is a policy configuration option within the active500EM designed to only allow approved hardware to send messages into the network. The solution can refuse to allow data communication to start prior to the approval process. This is a vital part of the system because ill-intentioned individuals gain access by being able to have an IP dialogue with the network; however, the active500EM does not allow such a conversation to even commence if the hardware isn't included on the approved list. When the active500EM receives an IP or ARP message, it will compare the information extracted from the message (such as source IP address or source MAC- IP address) with the configured hardware address pool. If there is an entry in the address pool matching the information (source IP address or source MAC-IP address), the message will be forwarded. However, if the message does not match the approved list, the request and information is dumped, preventing possible intrusion. The ICC icXchange® Solution overview Optional solution design recommendations to meet or exceed PCI DSS requirements
11 Access Control Lists (ACL) ACL is a complex method for IP packet filtering deployed by Ethernet switching technology to protect against nefarious users from communicating with the rest of the network. The ICC icXchange® solution value can once again be seen as the unified wired/wireless capabilities allow for protection on both sides of the network. While highly publicized data breaches focus on the external threat to a network and customer data, the less frequently public breach occurs internal to the organization. The threat also occurs via different foreign devices installed by 'known' individuals (employees). According to a global study by InsightExpress of some 2000 IT professionals, 39% were more concerned with internal threats from their own employees and another 33% were concerned about lost data from foreign USB devices. Therefore, no longer can retailers dealing with cardholder data only be concerned with foreign threats over a predominantly wireless ecosystem. The threats are real and varied in nature which means that the ability to handle multiple threats from various directions, in different modes is the new requirement. The active500EM and its unified architecture does just that. Secure Socket Layer (SSL) SSL is an industry standard on how to establish a secure and encrypted link between a web browser and a web server. This technology can be enabled within the active500EM as a means for maintaining that secure link while the user passes through the Ethernet switch protocols on its way to the web server. While often discussed as sitting between Layer 4 Transport and Layer 7 Application support, SSL has clearly been the next necessary requirement in encryption and protection over the internet. Wireless Intrusion Detection Systems (WIDS) A wireless intrusion detection system (WIDS) monitors the radio spectrum for the presence of unauthorized, Rogue access points and the use of wireless attack tools. The active500EM is the central intelligence solution monitoring, calculating, and protecting the wireless environment. This would not be possible without the ARC Series access points to provide Wireless Intrusion Prevention System (WIPS). WIPS is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection). The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally this is achieved by comparing the MAC address of the participating wireless devices. The ICC icXchange® solution recognizes that Rogue devices can spoof MAC address of an authorized network device as their own. New methods now include a fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by each wireless device against the known signatures of pre-authorized, known wireless devices. This is a heuristic and more intelligent method supported by the active500EM and allows for a more dynamic and evolving method of security.
12 Wireless Security Wireless networks are generally not as secure as wired networks. Wired networks, at their most basic level, send data between two points, A and B, which are connected by a network cable. While not impervious to attack, it is a more difficult task. IEEE802.11 networks, by their very nature, send user data in every direction and to every device that happens to be 'listening', within a limited range. Following are descriptions of the WEP, WPA, and WPA2 wireless security protocols:  Wired Equivalent Privacy (WEP): The original encryption protocol developed for wireless networks. As its name implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well- known security flaws, is difficult to configure, and is easily breached.  Wi-Fi® Protected Access (WPA): Introduced as an interim security enhancement over WEP while the 802.11i wireless security standard was being developed. Most current WPA implementations use a pre-shared key (PSK), commonly referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses an authentication server to generate keys or certificates.  Wi-Fi Protected Access version 2 (WPA2): Based on the 802.11i wireless security standard, which was finalized in 2004. The most significant enhancement to WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top secret.  WPA-Enterprise: The Enterprise mode of WPA2 gives you dynamic encryption keys distributed securely after a user logs in with their username and password or provides a valid digital certificate. Users never see the actual encryption keys and they aren't stored on the device. This protects you against rogue or terminated employees and lost or stolen devices. The active500EM supports multiple wireless securities that includes WPA, WPA2, WPA-Enterprise and WEP 128 & 64bit encryptions.
13 Syslog and SNMP The final stage in support of your PCI DSS compliance is the ability to track all data, be alerted to the various possibilities of an attack, and be provided ongoing reporting to ensure there is a dynamic means for evolving your security standards and policies. Two methods that the active500EM uses to help with this are Syslogs and SNMP management. Syslogs provide the ability to see all data running within a specific device including all traffic details. This information can be sent from the active500EM to a central Syslog server to aggregate data from all locations of logs and alerts. This option can be used in conjunction with a Syslog service, automated, and then provide detailed printed reporting of all data traffic. This form of logging is the best available for devices because it can provide protected long-term storage for logs. Since security methods must evolve, this reporting can build trends for both routine troubleshooting and in incident handling or reporting. The ICC icXchange® solution fully supports advanced SNMP standards-based TCP/IP protocols for network management. Featuring Management Information Base (MIB), the ICC icXchange® solution can be integrated into the management designs of any network administrator. The ability of the active500EM to integrate into the already existing management and monitoring infrastructure allows for a reduced cost structure while ensuring complete visibility of the network, content flowing over the network, and any possible threats to the environment. Summary The objective of PCI DSS compliance it to ensure complete protection of card holder data. The more sophisticated hackers, both internal and external, continue to be innovative in their approach. The only complete way of ensuring security is to have a strategic plan for both wired and wireless sides of your network ecosystem. The ICC icXchange® solution is a unified solution designed to keep separate data, prevent unauthorized devices from speaking to the network, and ensure proper reporting and routing of content. © 2015 International Communications Corporation, Inc. All Rights Reserved. Printed in USA. Issue 1.0 ICC 10/1012015. Wi-Fi® is the Trademark of Wi-Fi Alliance. icXchange® , icXchange® , icXengine, icXcloud, and icXmanager are the Trademark of International Communications Corporation, Inc. Contact: Phone: 888-209-0067 Email: sales@intcomcorp.com support@intcomcorp.com Web: www.iccnetworking.com

Recommended

IoT Security: Cases and Methods
IoT Security: Cases and MethodsIoT Security: Cases and Methods
IoT Security: Cases and MethodsLeonardo De Moura Rocha Lima
 
Light sec for service providers brochure
Light sec for service providers brochureLight sec for service providers brochure
Light sec for service providers brochureGeorge Wainblat
 
WIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERAWIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERAAharon Aharon
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Ulf Mattsson
 
Iot(security)
Iot(security)Iot(security)
Iot(security)Shreya Pohekar
 
Reference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsuranceReference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsurancePriyanka Aash
 
SD-WAN - comSpark 2019
SD-WAN - comSpark 2019SD-WAN - comSpark 2019
SD-WAN - comSpark 2019Advanced Technology Consulting (ATC)
 
Iot security amar prusty
Iot security amar prustyIot security amar prusty
Iot security amar prustyamarprusty
 

Recommended

IoT Security: Cases and Methods
IoT Security: Cases and MethodsIoT Security: Cases and Methods
IoT Security: Cases and MethodsLeonardo De Moura Rocha Lima
 
Light sec for service providers brochure
Light sec for service providers brochureLight sec for service providers brochure
Light sec for service providers brochureGeorge Wainblat
 
WIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERAWIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERAAharon Aharon
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Ulf Mattsson
 
Iot(security)
Iot(security)Iot(security)
Iot(security)Shreya Pohekar
 
Reference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsuranceReference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsurancePriyanka Aash
 
SD-WAN - comSpark 2019
SD-WAN - comSpark 2019SD-WAN - comSpark 2019
SD-WAN - comSpark 2019Advanced Technology Consulting (ATC)
 
Iot security amar prusty
Iot security amar prustyIot security amar prusty
Iot security amar prustyamarprusty
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Cloud computing security infrastructure
Cloud computing security infrastructureCloud computing security infrastructure
Cloud computing security infrastructureIntel IT Center
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareTzar Umang
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...Andris Soroka
 
IBM Qradar
IBM QradarIBM Qradar
IBM QradarCoenraad Smith
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443WoMaster
 
Cy Cops Company Presentation
Cy Cops Company PresentationCy Cops Company Presentation
Cy Cops Company PresentationChaitanyaS
 
SCADA Security Training
SCADA Security TrainingSCADA Security Training
SCADA Security TrainingBryan Len
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Abhishek Goel
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Brochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesBrochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesDavid Maciejak
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simpleSameer Paradia
 
IOT Security
IOT SecurityIOT Security
IOT SecuritySylvain Martinez
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of buildingCharles "Chuck" Speicher Jr.
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M SecurityYu-Hsin Hung
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 
Group 6 - GTC
Group 6 - GTCGroup 6 - GTC
Group 6 - GTCThiiban Thuraiv
 
Portfolio_June Lee (10212015)
Portfolio_June Lee (10212015)Portfolio_June Lee (10212015)
Portfolio_June Lee (10212015)June (Hye Jun) Lee
 
Fondi interprofessionali e loro utilizzo : guida pratica
Fondi interprofessionali e loro utilizzo : guida praticaFondi interprofessionali e loro utilizzo : guida pratica
Fondi interprofessionali e loro utilizzo : guida praticaTargetservicessolutions
 

More Related Content

What's hot

Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Cloud computing security infrastructure
Cloud computing security infrastructureCloud computing security infrastructure
Cloud computing security infrastructureIntel IT Center
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareTzar Umang
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...Andris Soroka
 
The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443WoMaster
 
Cy Cops Company Presentation
Cy Cops Company PresentationCy Cops Company Presentation
Cy Cops Company PresentationChaitanyaS
 
SCADA Security Training
SCADA Security TrainingSCADA Security Training
SCADA Security TrainingBryan Len
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Abhishek Goel
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Brochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesBrochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesDavid Maciejak
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simpleSameer Paradia
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of buildingCharles "Chuck" Speicher Jr.
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 

What's hot (19)

Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
Cloud computing security infrastructure
Cloud computing security infrastructureCloud computing security infrastructure
Cloud computing security infrastructure
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-ware
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
 
IoT security
IoT securityIoT security
IoT security
 
The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443
 
Cy Cops Company Presentation
Cy Cops Company PresentationCy Cops Company Presentation
Cy Cops Company Presentation
 
SCADA Security Training
SCADA Security TrainingSCADA Security Training
SCADA Security Training
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address them
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
Brochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesBrochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-Services
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simple
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of building
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 

Viewers also liked

Fondi interprofessionali e loro utilizzo : guida pratica
Fondi interprofessionali e loro utilizzo : guida praticaFondi interprofessionali e loro utilizzo : guida pratica
Fondi interprofessionali e loro utilizzo : guida praticaTargetservicessolutions
 
Ch 4 studying atoms
Ch 4 studying atoms Ch 4 studying atoms
Ch 4 studying atoms Art Pagar
 
Presentació: Com millorar el relleu de les direccions dels centres educatius?
Presentació: Com millorar el relleu de les direccions dels centres educatius?Presentació: Com millorar el relleu de les direccions dels centres educatius?
Presentació: Com millorar el relleu de les direccions dels centres educatius?Fundació Jaume Bofill
 
Todd Alan Greeneiii
Todd Alan GreeneiiiTodd Alan Greeneiii
Todd Alan GreeneiiiTodd Greene
 
Universidad De Panamá
Universidad De PanamáUniversidad De Panamá
Universidad De PanamáMaryelis Ruiz
 
Veale, Hennig & Gledhill (2015)
Veale, Hennig & Gledhill (2015)Veale, Hennig & Gledhill (2015)
Veale, Hennig & Gledhill (2015)Lucinda Gledhill
 
Space Qualified Resistors From Vishay Foil Resistors A VPG Brand
Space Qualified Resistors From Vishay Foil Resistors A VPG BrandSpace Qualified Resistors From Vishay Foil Resistors A VPG Brand
Space Qualified Resistors From Vishay Foil Resistors A VPG BrandRick Grigalunas
 
No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!
No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!
No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!AnyPresence
 

Viewers also liked (13)

Group 6 - GTC
Group 6 - GTCGroup 6 - GTC
Group 6 - GTC
 
Portfolio_June Lee (10212015)
Portfolio_June Lee (10212015)Portfolio_June Lee (10212015)
Portfolio_June Lee (10212015)
 
Fondi interprofessionali e loro utilizzo : guida pratica
Fondi interprofessionali e loro utilizzo : guida praticaFondi interprofessionali e loro utilizzo : guida pratica
Fondi interprofessionali e loro utilizzo : guida pratica
 
Ch 4 studying atoms
Ch 4 studying atoms Ch 4 studying atoms
Ch 4 studying atoms
 
Presentació: Com millorar el relleu de les direccions dels centres educatius?
Presentació: Com millorar el relleu de les direccions dels centres educatius?Presentació: Com millorar el relleu de les direccions dels centres educatius?
Presentació: Com millorar el relleu de les direccions dels centres educatius?
 
Celador- Anisha
Celador- AnishaCelador- Anisha
Celador- Anisha
 
bharat new
bharat newbharat new
bharat new
 
Todd Alan Greeneiii
Todd Alan GreeneiiiTodd Alan Greeneiii
Todd Alan Greeneiii
 
Вирус Бешенства
Вирус БешенстваВирус Бешенства
Вирус Бешенства
 
Universidad De Panamá
Universidad De PanamáUniversidad De Panamá
Universidad De Panamá
 
Veale, Hennig & Gledhill (2015)
Veale, Hennig & Gledhill (2015)Veale, Hennig & Gledhill (2015)
Veale, Hennig & Gledhill (2015)
 
Space Qualified Resistors From Vishay Foil Resistors A VPG Brand
Space Qualified Resistors From Vishay Foil Resistors A VPG BrandSpace Qualified Resistors From Vishay Foil Resistors A VPG Brand
Space Qualified Resistors From Vishay Foil Resistors A VPG Brand
 
No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!
No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!
No REST For The Wicked: Take the JustAPIs T-Shirt Challenge!
 

Similar to ICC Networking Data Security

Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesNir Cohen
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
Ibm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deckIbm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deckArrow ECS UK
 
Didiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - EnglishDidiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - EnglishDidiet Kusumadihardja
 
Hardwar based Security of Systems
Hardwar based Security of SystemsHardwar based Security of Systems
Hardwar based Security of SystemsJamal Jamali
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Shakeel Ali
 
Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Ahmed Mohamed Mahmoud
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour BrochureBlock Armour
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour BrochureFloyd DCosta
 
8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdfMetaorange
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of buildingChuck Speicher
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonPatricia M Watson
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Russia
 
8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptxMetaorange
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...LabSharegroup
 

Similar to ICC Networking Data Security (20)

Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power Utilities
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
Ibm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deckIbm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deck
 
Didiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - EnglishDidiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - English
 
Hardwar based Security of Systems
Hardwar based Security of SystemsHardwar based Security of Systems
Hardwar based Security of Systems
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
 
Aca presentation arm_
Aca presentation arm_Aca presentation arm_
Aca presentation arm_
 
Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour Brochure
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour Brochure
 
Apani Ov V9
Apani Ov V9Apani Ov V9
Apani Ov V9
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution Overview
 
8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of building
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPs
 
8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx
 
Cybersecurity in the Age of IoT - Skillmine
Cybersecurity in the Age of IoT - SkillmineCybersecurity in the Age of IoT - Skillmine
Cybersecurity in the Age of IoT - Skillmine
 
386sum08ch8
386sum08ch8386sum08ch8
386sum08ch8
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

ICC Networking Data Security

  • 1. 1 ICC Security Philosophy There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've see breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a dis-incentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems. Core Objective ICC agrees with E&Y's cost benefit review of looking at Security.  Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.  Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.  Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.  Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.  Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase likelihood of successful outcomes. These layers ensure full integration of data security with all parts of a business model as well as marrying it to the top risks facing telecommunications with security. The ICC icXchange® Solution Security Review IP Data Security in an Internet of Things ecosystem 1 ICC Security Philosophy There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've see breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a dis-incentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems. Core Objective ICC agrees with E&Y's cost benefit review of looking at Security.  Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.  Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.  Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.  Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.  Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase likelihood of successful outcomes. These layers ensure full integration of data security with all parts of a business model as well as marrying it to the top risks facing telecommunications with security. The ICC icXchange® Solution Security Review IP Data Security in an Internet of Things ecosystem 1 ICC Security Philosophy There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've see breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a dis-incentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems. Core Objective ICC agrees with E&Y's cost benefit review of looking at Security.  Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.  Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.  Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.  Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.  Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase likelihood of successful outcomes. These layers ensure full integration of data security with all parts of a business model as well as marrying it to the top risks facing telecommunications with security. The ICC icXchange® Solution Security Review IP Data Security in an Internet of Things ecosystem
  • 2. 2 Therefore, ICC's deployment strategy affixes various types of security technologies at every level of connectivity from the edge to the aggregation and to the distributed core. Edge networking devices: Unified Access Device (UAD) UADs are for managed access APs for an all wireless network. Designed with security in mind each device contains the UAD Operating System (UADOS) that includes Firewall, Routing, MAC Filtering, Wireless Intrusion Detection, VLAN Hidden SSID, Captive Portal among other features. The UAD is the first line of defense with a variety of security rules to prevent or allow initial user access based on policies set by an administrator. ICC's approach to a simple network ecosystem is demonstrated in these devices because they are self contained and can be completely separated from a network by being its own NAT router without the need to re-flash the unit. The administrator simply needs to enable AP mode or Router mode without updating firmware as with other vendors. Security Features Authentication and Security Security Standards Multiple authentication methods Wi-Fi Protected Access (WPA) WPA(PSK), WPA2(PSK), WEP IEEE 802.11i WPA Enterprise, WPA2 Enterprise RFC 1321 MD5 Message-Digest Algorithm RFC 2104 HMAC: Keyed Hashing for Message Authentication Multiple encryption algorithms RFC 2246 TLS Protocol Version 1.0 CCMP (AES) RFC 2401 Security Architecture for the Internet Protocol TKIP RFC 2407 Interpretation for ISAKMP CCMP and TKIP both RFC 2408 ISAKMP Hidden SSID support RFC 2409 IKE Wireless client isolation RFC 3280 Internet X.509 PKI Certificate and CRL Profile Remote Radius authentication and accounting support RFC 4347 Datagram Transport Layer Security Local authentication (Mac passing) RFC 4346 TLS Protocol Version 1.1
  • 3. 3 Authentication, Authorization and Accounting MAC Filter IEEE 802.1X Allow all except listed MAC addresses RFC 2548 Microsoft Vendor-Specific RADIUS Attributes Allow only listed MAC addresses RFC 2865 RADIUS Authentication RFC 2866 RADIUS Accounting Shows all clients connected to each radio (if more than one) RFC 2867 RADIUS Tunnel Accounting Sets the minimum connection/transmission rate a user can connect (Multicast Tx rate) RFC 2869 RADIUS extensions Ability to limit/exclude certain channels RFC 3579 RADIUS Support for EAP Transmit power control to change the output of the radio RFC 3580 IEEE 802.1X RADIUS Guidelines RFC 3748 Extensible Authentication Protocol Web-based authentication The UADOS is also enhanced with ICC's patented icXengine that inspects and control IP data content flows. Deployments for either indoor or outdoor applications are complimented in these all wireless networks by the cloud AAA and Radius systems from icXcloud and icXmanager.
  • 4. 4 Enterprise networking devices: Link and activeARC Series Controller-based Solution The aggregation layer of the ICC solution consist of a unified switched controller system designed to ensure connectivity while increasing performance up to 10G for various distributed or centralized functions. The advanced security features include: 802.11 security BSSIDs (Up to 32 for dual band AP, 16 for single band AP) 802.11i (802.1x Authentication and PSK Authentication) Hidden SSID WEP (WEP64/WEP128) WPA, WPA2, TKIP, AES 11 different WIDS methods Rogue AP detection Rogue DHCP Server detection DoS attack prevention DDoS Password guessing protection Rate limiting Access Lists (ACLs) Layer-2 (MAC address based ACL) Layer-3 (IP address based ACL) Authentication MAC Filtering 802.1x Authentication (EAP-TLS, EAP- TTLS, EAP-PEAP, EAP-MD5) Captive Portal AAA RADIUS Client LDAP Local Authentication (5000 user entries) Accounting server IPv6 Support IPv6 ISATAP, 6to4 Tunnel, DHCPv6, DNSv6, ICMPv6,ACLv6, TCP/UDP for IPv6, SNMP v6, Ping /Trace, Route v6, RADIUS, Telnet/ SSH v6, NTP v6, IPv6 MIB support for SNMP, VRRP for IPv6, IPv6 QoS, Static Routing, OSPFv3, IPV6 Security RA Data forwarding Distributed forwarding architecture (CAPWAP) Centralized architecture (CAPWAP) Security is also enhanced by the system's ability to route data in a variety of methods. Administrators can more frequently change IP data routing measures to keep the system ever evolving so data traffic routes are harder to guess or set up for. Possessing the ability for central, distributed, encrypted, Q-in-Q, AP to AP or AP to Switch forwarding options, ICC's icXchange network architectures can evolve based on business demands and / or based on security concerns for data flows. Organizations can set up different routing measure allowing the controller systems to be in the data path, outside the data path, off or onsite, or a variety of other simple to change system abilities that enhance security.
  • 5. 5 Broadband Connectivity: Super Wi-Fi The WAN connectivity points are also very important and require a higher level of security to ensure data integrity and security. ICC's joint solution provides military level encryption that either starts with the system or can be added over time based on requirements and business needs. The backbone system consists of different security measures within the below four segments. Wireless Broadband: Whitespace (Super Wi-Fi) - VHF/UHF SECURITY Payload Encryption 128/256 bit Advanced Encryption Standard (AES) System Access/Authentication Capabilities Multifactor Authentication. Remote Access Token Based Authentication Authorization and Accounting Protects Against Non-Authorized Administration/ Maintenance and Over-the- Air Access Information Assurance Tools Integrated Firewall and Suite of Information Assurance Tools The ICC solution is a single integrated solution but with various types of security measures based on the type of requirements at each level.
  • 6. 6 Example: PCI Data Security Standards (DSS) PCI Data Security Standards (DSS) compliance is central to a vibrant and expanding economy that continues to utilize credit cards as a means or medium for payments. Credit card transactions are in the billions each year with the value being in the trillions of dollars. Network intruders continue to be a threat and could siphon off a variety of customer data including credit card numbers, PIN, account and personal information, and a variety of details to allow them to utilize the pilfered cards. The standards set both the technical and operational requirements for handling cardholder data. It provides guidance for everything from software, security, networking, applications, and anything that might come into contact, store, transmit, or touch in any way cardholder details. The standards are enforced by the founding members American Express, Discover Financial Service, JCB International, MasterCard Worldwide, and Visa Inc. Implementation PCI DSS was implemented as a way to provide security guidance to anyone conducting a credit card transaction. To adequately outline the requirements, a Wireless Operation Guide was implemented which identified two categories. The first requirement dealt with 'general applicable wireless requirements' which constituted such requirements as rogue or unknown device detection. The second requirement dealt with in-scope wireless equipment and the general protection against any non-authorized users to any system regardless of its proximity to the Cardholder Data Environment (CDE). The PCI DSS Wireless Guide outlines those requirements while utilizing a wireless local area network environment and how to segment credit card data, keep inventory statistics, detect Rogue access points or connections, enforce usage, and physical monitoring. The four main areas for concern 1. Inventory 2. Scanning and dealing with Rogue access points and devices 3. Wireless enforcement 4. Segmentation The ICC icXchange® solution helps various market segments as they strive to keep their PCI compliance as simple as possible. The true target audience for PCI DSS includes organizations that store, process, or transmit cardholder data and who may or may not have deployed wireless technology, as well as assessors performing PCI DSS assessments pertaining to wireless. As further support to these groups, the ICC icXchange® solution helps ensure the highest level of technology, flexibility, and features that aide in the protection of CDE. The US Census Bureau: The Federal Reserve PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0. Published by the PCI Security Standard Council 2010.
  • 7. 7 Inventory The PCI DSS group makes the recommendation that inventory of all items connected to the network is maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine a 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network. Scanning and handling Rogue Access Points The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices more often strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1. The ICC icXchange® solution provides various security options including a Wireless Intrusion Detection System to provide advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks not only for rogue APs but DoS and DDos attacks. Moreover, the solution is a unified wired/wireless platform to ensure consistent protection while increasing segmentation with an advanced Layer 3 feature set. Constant Scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirement, threats can be reported for further action or they can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners to think in advance of how they'd like threats to be handled. Once a decision is made they can, through the ICC icXchange® solution, automate and immediately handle that threat. Wireless enforcement and usage The ICC icXchange® solution employs variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009. 7 Inventory The PCI DSS group makes the recommendation that inventory of all items connected to the network is maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine a 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network. Scanning and handling Rogue Access Points The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices more often strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1. The ICC icXchange® solution provides various security options including a Wireless Intrusion Detection System to provide advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks not only for rogue APs but DoS and DDos attacks. Moreover, the solution is a unified wired/wireless platform to ensure consistent protection while increasing segmentation with an advanced Layer 3 feature set. Constant Scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirement, threats can be reported for further action or they can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners to think in advance of how they'd like threats to be handled. Once a decision is made they can, through the ICC icXchange® solution, automate and immediately handle that threat. Wireless enforcement and usage The ICC icXchange® solution employs variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009. 7 Inventory The PCI DSS group makes the recommendation that inventory of all items connected to the network is maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine a 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network. Scanning and handling Rogue Access Points The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices more often strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1. The ICC icXchange® solution provides various security options including a Wireless Intrusion Detection System to provide advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks not only for rogue APs but DoS and DDos attacks. Moreover, the solution is a unified wired/wireless platform to ensure consistent protection while increasing segmentation with an advanced Layer 3 feature set. Constant Scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirement, threats can be reported for further action or they can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners to think in advance of how they'd like threats to be handled. Once a decision is made they can, through the ICC icXchange® solution, automate and immediately handle that threat. Wireless enforcement and usage The ICC icXchange® solution employs variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009.
  • 8. 8 Segmentation One of the core requirements from PCI DSS requirements is the segmentation of CDE (Cardholder Data Environments) traffic from the rest of the network. The ICC icXchange® solution sits within the network and can be connected separately to a designated firewall and gateway for external access. This is the most direct method for handling compliance however, it might not always be possible in all cases. In the event that the ICC icXchange® solution and CDE traffic must exist on the same network, then the ICC icXchange® solution has a variety of advanced segmentation features to separate and maintain data security while it traverses the network. PCI DSS recommends placing a firewall between the CDE and ICC icXchange® solution. This is demonstrated in the image to the right. The primary function of the firewall is to separate the traffic to ensure there's no possibility of CDE traffic being visible to, or mixed with other data traffic. The ICC icXchange® solution is a unified wired and wireless system with full Layer 3 routing. This additional feature provides the industry with several options for additional security. The solution supports a variety of routing protocols including RIP, OSPF, VRRP, IGMP, as well as other advanced features designed to keep IP data traffic contained and secure. While VLANs can be used, it's not the best method for separating the data from CDE traffic. Experienced hackers could filter between VLANs as a means to gather data. Keeping a completely separate segment is vital to enhancing network security. Beyond PCI Compliance The ICC icXchange® solution is a unified solution built for a multi-user data environment. The ability to control IP traffic is central to our system and is a ground up feature set supported at each level of the solution. Starting with full Layer 2 and Layer 3 MAC-based ACLs, the solution can route traffic separately via true Layer 3 segmentation or via various IP Forwarding methods. Distributed and Local forwarding with CAPWAP secure encryption add another layer of separation of data, as well as the ability to route separate data traffic to different locations. Therefore, whether the user needs to securely control guest traffic and segment it from the CDE traffic, or vice versa, the solution is able to keep those data paths completely separated. Client traffic can also be limited to the specific routable, controlled, and secure areas of the network based on PCI requirements. The solution’s various authentication methods (MAC Filtering 802.1x Authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5) Captive Portal, AAA RADIUS, Client LDAP Local Authentication(5000 user entries), and Accounting server) direct non-corporate IP traffic to a specific secure part of the network. Combined with the embedded Wireless Intrusion Detection System (WIDS) utilizing 11 different modes (Blacklist, Whitelist, Rogue AP, Fake AP, etc.) for protecting against hackers, the network can be kept secure. Information Supplement: PCI DSS Wireless Guideline' prepared by the PCI SSC Wireless Special Interest Grou (SIG) Implementation Team; July 2009.
  • 9. 9 The following is a list of compliance features and how they can be supported within the ICC icXchange® solution. Since the solution supports multiple methods per requirements, we maintain several technical labs and configuration details for each feature at http://www.iccnetworking.com.
  • 10. 10 The ICC icXchange® solution expands PCI DSS compliance with the addition of extensive IP control measures that reach beyond standard vendor requirements. The ICC icXchange® solution expands its unified approach to add advanced features to secure data. Those measures include such features as:  Access Management Configuration  Access List Control  SSL  Wireless Intrusion Detection  Wireless Security  Syslog and SNMP Access Management Configuration Access Management is a policy configuration option within the active500EM designed to only allow approved hardware to send messages into the network. The solution can refuse to allow data communication to start prior to the approval process. This is a vital part of the system because ill-intentioned individuals gain access by being able to have an IP dialogue with the network; however, the active500EM does not allow such a conversation to even commence if the hardware isn't included on the approved list. When the active500EM receives an IP or ARP message, it will compare the information extracted from the message (such as source IP address or source MAC- IP address) with the configured hardware address pool. If there is an entry in the address pool matching the information (source IP address or source MAC-IP address), the message will be forwarded. However, if the message does not match the approved list, the request and information is dumped, preventing possible intrusion. The ICC icXchange® Solution overview Optional solution design recommendations to meet or exceed PCI DSS requirements
  • 11. 11 Access Control Lists (ACL) ACL is a complex method for IP packet filtering deployed by Ethernet switching technology to protect against nefarious users from communicating with the rest of the network. The ICC icXchange® solution value can once again be seen as the unified wired/wireless capabilities allow for protection on both sides of the network. While highly publicized data breaches focus on the external threat to a network and customer data, the less frequently public breach occurs internal to the organization. The threat also occurs via different foreign devices installed by 'known' individuals (employees). According to a global study by InsightExpress of some 2000 IT professionals, 39% were more concerned with internal threats from their own employees and another 33% were concerned about lost data from foreign USB devices. Therefore, no longer can retailers dealing with cardholder data only be concerned with foreign threats over a predominantly wireless ecosystem. The threats are real and varied in nature which means that the ability to handle multiple threats from various directions, in different modes is the new requirement. The active500EM and its unified architecture does just that. Secure Socket Layer (SSL) SSL is an industry standard on how to establish a secure and encrypted link between a web browser and a web server. This technology can be enabled within the active500EM as a means for maintaining that secure link while the user passes through the Ethernet switch protocols on its way to the web server. While often discussed as sitting between Layer 4 Transport and Layer 7 Application support, SSL has clearly been the next necessary requirement in encryption and protection over the internet. Wireless Intrusion Detection Systems (WIDS) A wireless intrusion detection system (WIDS) monitors the radio spectrum for the presence of unauthorized, Rogue access points and the use of wireless attack tools. The active500EM is the central intelligence solution monitoring, calculating, and protecting the wireless environment. This would not be possible without the ARC Series access points to provide Wireless Intrusion Prevention System (WIPS). WIPS is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection). The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally this is achieved by comparing the MAC address of the participating wireless devices. The ICC icXchange® solution recognizes that Rogue devices can spoof MAC address of an authorized network device as their own. New methods now include a fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by each wireless device against the known signatures of pre-authorized, known wireless devices. This is a heuristic and more intelligent method supported by the active500EM and allows for a more dynamic and evolving method of security.
  • 12. 12 Wireless Security Wireless networks are generally not as secure as wired networks. Wired networks, at their most basic level, send data between two points, A and B, which are connected by a network cable. While not impervious to attack, it is a more difficult task. IEEE802.11 networks, by their very nature, send user data in every direction and to every device that happens to be 'listening', within a limited range. Following are descriptions of the WEP, WPA, and WPA2 wireless security protocols:  Wired Equivalent Privacy (WEP): The original encryption protocol developed for wireless networks. As its name implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well- known security flaws, is difficult to configure, and is easily breached.  Wi-Fi® Protected Access (WPA): Introduced as an interim security enhancement over WEP while the 802.11i wireless security standard was being developed. Most current WPA implementations use a pre-shared key (PSK), commonly referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses an authentication server to generate keys or certificates.  Wi-Fi Protected Access version 2 (WPA2): Based on the 802.11i wireless security standard, which was finalized in 2004. The most significant enhancement to WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top secret.  WPA-Enterprise: The Enterprise mode of WPA2 gives you dynamic encryption keys distributed securely after a user logs in with their username and password or provides a valid digital certificate. Users never see the actual encryption keys and they aren't stored on the device. This protects you against rogue or terminated employees and lost or stolen devices. The active500EM supports multiple wireless securities that includes WPA, WPA2, WPA-Enterprise and WEP 128 & 64bit encryptions.
  • 13. 13 Syslog and SNMP The final stage in support of your PCI DSS compliance is the ability to track all data, be alerted to the various possibilities of an attack, and be provided ongoing reporting to ensure there is a dynamic means for evolving your security standards and policies. Two methods that the active500EM uses to help with this are Syslogs and SNMP management. Syslogs provide the ability to see all data running within a specific device including all traffic details. This information can be sent from the active500EM to a central Syslog server to aggregate data from all locations of logs and alerts. This option can be used in conjunction with a Syslog service, automated, and then provide detailed printed reporting of all data traffic. This form of logging is the best available for devices because it can provide protected long-term storage for logs. Since security methods must evolve, this reporting can build trends for both routine troubleshooting and in incident handling or reporting. The ICC icXchange® solution fully supports advanced SNMP standards-based TCP/IP protocols for network management. Featuring Management Information Base (MIB), the ICC icXchange® solution can be integrated into the management designs of any network administrator. The ability of the active500EM to integrate into the already existing management and monitoring infrastructure allows for a reduced cost structure while ensuring complete visibility of the network, content flowing over the network, and any possible threats to the environment. Summary The objective of PCI DSS compliance it to ensure complete protection of card holder data. The more sophisticated hackers, both internal and external, continue to be innovative in their approach. The only complete way of ensuring security is to have a strategic plan for both wired and wireless sides of your network ecosystem. The ICC icXchange® solution is a unified solution designed to keep separate data, prevent unauthorized devices from speaking to the network, and ensure proper reporting and routing of content. © 2015 International Communications Corporation, Inc. All Rights Reserved. Printed in USA. Issue 1.0 ICC 10/1012015. Wi-Fi® is the Trademark of Wi-Fi Alliance. icXchange® , icXchange® , icXengine, icXcloud, and icXmanager are the Trademark of International Communications Corporation, Inc. Contact: Phone: 888-209-0067 Email: sales@intcomcorp.com support@intcomcorp.com Web: www.iccnetworking.com