The ICC icXchange® Solution Security Review
IP Data Security in an Internet of Things ecosystem
1
ICC Security Philosophy
There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've seen breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a disincentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems.
Core Objective
ICC agrees with E&Y's cost-benefit view of security:
- Linking security and business: tie security programs to business goals and engage stakeholders in the security conversation.
- Thinking outside the compliance (check) box: go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.
- Governing the extended enterprise: establish appropriate frameworks, policies and controls to protect extended IT environments.
- Keeping pace with persistent threats: adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.
- Addressing the security supply and demand imbalance: develop and retain staff experienced in security architecture planning and design, tools and integration to increase the likelihood of successful outcomes.
These layers ensure full integration of data security with all parts of a business model, as well as tying it to the top security risks facing telecommunications.
2
Therefore, ICC's deployment strategy affixes various types of security technologies at every level of connectivity, from the edge to the aggregation layer and to the distributed core.
Edge networking devices: Unified Access Device (UAD)
UADs are managed access points for an all-wireless network. Designed with security in mind, each device contains the UAD Operating System (UADOS), which includes a firewall, routing, MAC filtering, wireless intrusion detection, VLANs, hidden SSID, and a captive portal, among other features. The UAD is the first line of defense, with a variety of security rules to prevent or allow initial user access based on policies set by an administrator.
ICC's approach to a simple network ecosystem is demonstrated in these devices because they are self-contained and can be completely separated from a network by acting as their own NAT router, without the need to re-flash the unit. The administrator simply needs to enable AP mode or Router mode, without updating firmware as is required with other vendors' devices.
Security Features
Authentication and Security
  - Multiple authentication methods: WPA (PSK), WPA2 (PSK), WEP, WPA Enterprise, WPA2 Enterprise
  - Multiple encryption algorithms: CCMP (AES), TKIP, or CCMP and TKIP together
  - Hidden SSID support
  - Wireless client isolation
  - Remote RADIUS authentication and accounting support
  - Local authentication (MAC passing)
Security Standards
  - Wi-Fi Protected Access (WPA)
  - IEEE 802.11i
  - RFC 1321 MD5 Message-Digest Algorithm
  - RFC 2104 HMAC: Keyed-Hashing for Message Authentication
  - RFC 2246 TLS Protocol Version 1.0
  - RFC 2401 Security Architecture for the Internet Protocol
  - RFC 2407 Internet IP Security Domain of Interpretation for ISAKMP
  - RFC 2408 ISAKMP
  - RFC 2409 IKE
  - RFC 3280 Internet X.509 PKI Certificate and CRL Profile
  - RFC 4346 TLS Protocol Version 1.1
  - RFC 4347 Datagram Transport Layer Security
3
Authentication, Authorization and Accounting
MAC Filter
  - Allow all except listed MAC addresses
  - Allow only listed MAC addresses
Radio and client controls
  - Shows all clients connected to each radio (if more than one)
  - Sets the minimum connection/transmission rate at which a user can connect (Multicast Tx rate)
  - Ability to limit/exclude certain channels
  - Transmit power control to change the output of the radio
Web-based authentication
AAA Standards
  - IEEE 802.1X
  - RFC 2548 Microsoft Vendor-Specific RADIUS Attributes
  - RFC 2865 RADIUS Authentication
  - RFC 2866 RADIUS Accounting
  - RFC 2867 RADIUS Tunnel Accounting
  - RFC 2869 RADIUS Extensions
  - RFC 3579 RADIUS Support for EAP
  - RFC 3580 IEEE 802.1X RADIUS Guidelines
  - RFC 3748 Extensible Authentication Protocol
The UADOS is also enhanced with ICC's patented icXengine, which inspects and controls IP data content flows. Deployments for either indoor or outdoor applications are complemented in these all-wireless networks by the cloud AAA and RADIUS systems from icXcloud and icXmanager.
4
Enterprise networking devices: Link and activeARC Series Controller-based Solution
The aggregation layer of the ICC solution consists of a unified switched controller system designed to ensure connectivity while increasing performance up to 10G for various distributed or centralized functions. The advanced security features include:
802.11 security
  - BSSIDs (up to 32 for a dual-band AP, 16 for a single-band AP)
  - 802.11i (802.1X authentication and PSK authentication)
  - Hidden SSID
  - WEP (WEP64/WEP128)
  - WPA, WPA2, TKIP, AES
WIDS (11 different methods)
  - Rogue AP detection
  - Rogue DHCP server detection
  - DoS attack prevention
  - DDoS
  - Password guessing protection
  - Rate limiting
Access Lists (ACLs)
  - Layer-2 (MAC address based ACL)
  - Layer-3 (IP address based ACL)
Authentication
  - MAC Filtering
  - 802.1X authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5)
  - Captive Portal
AAA
  - RADIUS client
  - LDAP
  - Local authentication (5000 user entries)
  - Accounting server
IPv6 Support
  - IPv6 ISATAP, 6to4 tunnel, DHCPv6, DNSv6, ICMPv6, ACLv6, TCP/UDP for IPv6, SNMP v6, Ping/Trace, Route v6, RADIUS, Telnet/SSH v6, NTP v6, IPv6 MIB support for SNMP, VRRP for IPv6, IPv6 QoS, static routing, OSPFv3, IPv6 Security RA
Data forwarding
  - Distributed forwarding architecture (CAPWAP)
  - Centralized architecture (CAPWAP)
Security is also enhanced by the system's ability to route data in a variety of ways. Administrators can change IP data routing measures more frequently to keep the system ever evolving, so that data traffic routes are harder to guess or set up for. With central, distributed, encrypted, Q-in-Q, AP-to-AP or AP-to-switch forwarding options, ICC's icXchange network architectures can evolve based on business demands and/or on security concerns for data flows. Organizations can set up different routing measures, allowing the controller systems to be in the data path or outside the data path, off-site or on-site, or a variety of other simple-to-change system configurations that enhance security.
5
Broadband Connectivity: Super Wi-Fi
The WAN connectivity points are also very important and require a higher level of security to ensure data integrity and security. ICC's joint solution provides military-level encryption that either starts with the system or can be added over time based on requirements and business needs.
The backbone system consists of different security measures within the below four segments.
Wireless Broadband: Whitespace (Super Wi-Fi) - VHF/UHF
SECURITY
  - Payload Encryption: 128/256-bit Advanced Encryption Standard (AES)
  - System Access/Authentication Capabilities: multifactor authentication; remote-access token-based authentication
  - Authorization and Accounting: protects against non-authorized administration/maintenance and over-the-air access
  - Information Assurance Tools: integrated firewall and suite of information assurance tools
The ICC solution is a single integrated solution with various types of security measures based on the type of requirements at each level.
6
Example: PCI Data Security Standards (DSS)
PCI Data Security Standards (DSS) compliance is central to a vibrant and expanding economy that continues to utilize credit cards as a means or medium for payments. Credit card transactions number in the billions each year, with a value in the trillions of dollars. Network intruders continue to be a threat and could siphon off a variety of customer data including credit card numbers, PINs, account and personal information, and a variety of details that allow them to utilize the pilfered cards.
The standards set both the technical and operational requirements for handling cardholder data. They provide guidance covering software, security, networking, applications, and anything that stores, transmits, comes into contact with, or touches cardholder details in any way. The standards are enforced by the founding members American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Implementation
PCI DSS was implemented as a way to provide security guidance to anyone conducting a credit card transaction. To adequately outline the requirements, a Wireless Operation Guide was implemented which identified two categories. The first dealt with 'generally applicable wireless requirements', such as rogue or unknown device detection. The second dealt with in-scope wireless equipment and the general protection against any non-authorized users of any system, regardless of its proximity to the Cardholder Data Environment (CDE). The PCI DSS Wireless Guide outlines those requirements for a wireless local area network environment: how to segment credit card data, keep inventory statistics, detect rogue access points or connections, enforce usage, and carry out physical monitoring.
The four main areas for concern
1. Inventory
2. Scanning and dealing with Rogue access points and devices
3. Wireless enforcement
4. Segmentation
The ICC icXchange® solution helps various market segments as they strive to keep their PCI compliance as simple as possible. The true target audience for PCI DSS includes organizations that store, process, or transmit cardholder data and who may or may not have deployed wireless technology, as well as assessors performing PCI DSS assessments pertaining to wireless. As further support to these groups, the ICC icXchange® solution helps ensure the highest level of technology, flexibility, and features that aid in the protection of the CDE.
Sources: The US Census Bureau; The Federal Reserve; PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0, published by the PCI Security Standards Council, 2010.
7
Inventory
The PCI DSS group recommends that an inventory of all items connected to the network be maintained and updated frequently by the organization. The recommendation hinges on a simple point: if you don't know what's connected to your network, how can you tell friend from foe on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network.
Scanning and handling Rogue Access Points
The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1.
The ICC icXchange® solution provides various security options, including a Wireless Intrusion Detection System for advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points, and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks, not only rogue APs but DoS and DDoS attacks. Moreover, the solution is a unified wired/wireless platform that ensures consistent protection while increasing segmentation with an advanced Layer 3 feature set.
Constant scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirements, threats can be reported for further action or the system can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners in deciding in advance how they'd like threats to be handled. Once a decision is made, they can, through the ICC icXchange® solution, automate the handling of that threat so it is dealt with immediately.
Wireless enforcement and usage
The ICC icXchange® solution employs a variety of standards-based security protocols (802.1X, WPA2, TKIP, MAC filtering, etc.), as well as Password Guessing Protection, to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher-level security features, and deploy the included security features.
The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size.
Information Supplement: PCI DSS Wireless Guideline, prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team; July 2009.
8
Segmentation
One of the core PCI DSS requirements is the segmentation of CDE (Cardholder Data Environment) traffic from the rest of the network. The ICC icXchange® solution sits within the network and can be connected separately to a designated firewall and gateway for external access. This is the most direct method for handling compliance; however, it might not be possible in all cases.
In the event that the ICC icXchange® solution and CDE traffic must exist on the same network, the ICC icXchange® solution has a variety of advanced segmentation features to separate and maintain data security while it traverses the network. PCI DSS recommends placing a firewall between the CDE and the ICC icXchange® solution. This is demonstrated in the image to the right.
The primary function of the firewall is to separate the traffic to ensure there's no possibility of CDE traffic being visible to, or mixed with, other data traffic. The ICC icXchange® solution is a unified wired and wireless system with full Layer 3 routing. This additional feature provides the industry with several options for additional security. The solution supports a variety of routing protocols including RIP, OSPF, VRRP and IGMP, as well as other advanced features designed to keep IP data traffic contained and secure.
While VLANs can be used, they are not the best method for separating the data from CDE traffic. Experienced hackers could cross between VLANs as a means to gather data. Keeping a completely separate segment is vital to enhancing network security.
Beyond PCI Compliance
The ICC icXchange® solution is a unified solution built for a multi-user data environment. The ability to control IP traffic is central to our system and is a ground-up feature set supported at each level of the solution. Starting with full Layer 2 (MAC-based) and Layer 3 (IP-based) ACLs, the solution can route traffic separately via true Layer 3 segmentation or via various IP forwarding methods. Distributed and local forwarding with CAPWAP secure encryption add another layer of separation of data, as well as the ability to route separate data traffic to different locations. Therefore, whether the user needs to securely control guest traffic and segment it from the CDE traffic, or vice versa, the solution is able to keep those data paths completely separated.
Client traffic can also be limited to the specific routable, controlled, and secure areas of the network based on PCI requirements. The solution's various authentication methods (MAC filtering; 802.1X authentication with EAP-TLS, EAP-TTLS, EAP-PEAP and EAP-MD5; Captive Portal; AAA with RADIUS client, LDAP and local authentication (5000 user entries); and an accounting server) direct non-corporate IP traffic to a specific secure part of the network. Combined with the embedded Wireless Intrusion Detection System (WIDS) utilizing 11 different modes (Blacklist, Whitelist, Rogue AP, Fake AP, etc.) for protecting against hackers, the network can be kept secure.
Information Supplement: PCI DSS Wireless Guideline, prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team; July 2009.
9
The following is a list of compliance features and how they can be supported within the ICC icXchange® solution. Since the solution supports multiple methods per requirement, we maintain several technical labs and configuration details for each feature at http://www.iccnetworking.com.
10
The ICC icXchange® solution expands PCI DSS compliance with the addition of extensive IP control measures that reach beyond standard vendor requirements. The ICC icXchange® solution expands its unified approach to add advanced features to secure data. Those measures include such features as:
- Access Management Configuration
- Access List Control
- SSL
- Wireless Intrusion Detection
- Wireless Security
- Syslog and SNMP
Access Management Configuration
Access Management is a policy configuration option within the active500EM designed to allow only approved hardware to send messages into the network. The solution can refuse to allow data communication to start prior to the approval process. This is a vital part of the system because ill-intentioned individuals gain access by being able to have an IP dialogue with the network; the active500EM does not allow such a conversation to even commence if the hardware isn't included on the approved list. When the active500EM receives an IP or ARP message, it compares the information extracted from the message (the source IP address, or the source MAC-IP address pair) with the configured hardware address pool. If there is an entry in the address pool matching that information, the message is forwarded. If the message does not match the approved list, the request and its information are dropped, preventing possible intrusion.
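The forward-or-drop decision described above, modelled as an added example that is not ICC's code: a small hardware address pool with IP-only and MAC-IP entries is checked against constructed IP and ARP messages. The message fields, the pool layout and the extra check that an ARP sender MAC agrees with the Ethernet source MAC are assumptions of this example, not documented active500EM behaviour.

```python
"""Added example (not ICC's code): a model of the active500EM access-management check.
An inbound IP or ARP message is forwarded only when its source fields match an entry
in the configured hardware address pool; otherwise it is dropped and the drop is
recorded for the administrator.  All frames and pool entries are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PoolEntry:
    """One approved entry: an IP address alone, or a MAC bound to an IP."""
    ip: IPv4Address
    mac: Optional[str] = None  # None means any MAC may use this IP (IP-only entry)


@dataclass(frozen=True)
class Message:
    """Fields a switch would extract from an inbound frame (simplified, constructed)."""
    kind: str                             # "ip" or "arp"
    eth_src_mac: str                      # source MAC from the Ethernet header
    src_ip: IPv4Address                   # IP source, or ARP sender protocol address
    arp_sender_mac: Optional[str] = None  # ARP sender hardware address (ARP only)


@dataclass
class AccessManager:
    pool: List[PoolEntry]
    dropped: List[Tuple[str, str]] = field(default_factory=list)  # (mac, reason) audit trail

    def _matches(self, mac: str, ip: IPv4Address) -> bool:
        """True if some pool entry approves this source IP (and MAC, if the entry binds one)."""
        for entry in self.pool:
            if entry.ip == ip and (entry.mac is None or entry.mac.lower() == mac.lower()):
                return True
        return False

    def admit(self, msg: Message) -> bool:
        """Return True to forward the message, False to dump it."""
        if msg.kind == "arp":
            # Assumption beyond the page: the ARP body's sender MAC must agree with the
            # Ethernet source, so a forged ARP body cannot borrow another host's binding.
            if msg.arp_sender_mac is None or msg.arp_sender_mac.lower() != msg.eth_src_mac.lower():
                self.dropped.append((msg.eth_src_mac, "arp sender MAC differs from ethernet source"))
                return False
        if self._matches(msg.eth_src_mac, msg.src_ip):
            return True
        self.dropped.append((msg.eth_src_mac, f"no pool entry for {msg.src_ip}"))
        return False


def demo() -> List[bool]:
    """Run six constructed messages through a two-entry pool; returns the decisions."""
    pool = [
        PoolEntry(IPv4Address("10.1.20.11"), "00:11:22:33:44:55"),  # MAC-IP binding
        PoolEntry(IPv4Address("10.1.20.50")),                       # IP-only entry
    ]
    manager = AccessManager(pool)
    messages = [
        Message("ip", "00:11:22:33:44:55", IPv4Address("10.1.20.11")),   # approved binding
        Message("ip", "de:ad:be:ef:00:01", IPv4Address("10.1.20.11")),   # approved IP, wrong MAC
        Message("ip", "aa:bb:cc:dd:ee:ff", IPv4Address("10.1.20.50")),   # IP-only entry matches
        Message("arp", "00:11:22:33:44:55", IPv4Address("10.1.20.11"), "00:11:22:33:44:55"),
        Message("arp", "de:ad:be:ef:00:01", IPv4Address("10.1.20.11"), "00:11:22:33:44:55"),
        Message("ip", "00:11:22:33:44:55", IPv4Address("10.1.99.9")),    # IP not in the pool
    ]
    return [manager.admit(m) for m in messages]


if __name__ == "__main__":
    print(demo())  # [True, False, True, True, False, False]
```

The dropped-list entries are what you would ship to the syslog server discussed later on this page, since a burst of drops from one MAC is the signal an administrator wants to see.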
The ICC icXchange® Solution overview
Optional solution design recommendations to meet or exceed PCI DSS requirements
11
Access Control Lists (ACL)
An ACL is a complex method of IP packet filtering deployed by Ethernet switching technology to prevent nefarious users from communicating with the rest of the network. The value of the ICC icXchange® solution can once again be seen, as its unified wired/wireless capabilities allow for protection on both sides of the network. While highly publicized data breaches focus on the external threat to a network and customer data, the less frequently publicized breach occurs internal to the organization. The threat also arrives via foreign devices installed by 'known' individuals (employees). According to a global study by InsightExpress of some 2000 IT professionals, 39% were more concerned with internal threats from their own employees and another 33% were concerned about lost data from foreign USB devices. Therefore, retailers dealing with cardholder data can no longer be concerned only with foreign threats over a predominantly wireless ecosystem. The threats are real and varied in nature, which means that the ability to handle multiple threats from various directions, in different modes, is the new requirement. The active500EM and its unified architecture do just that.
Secure Socket Layer (SSL)
SSL is an industry standard for establishing a secure and encrypted link between a web browser and a web server. This technology can be enabled within the active500EM as a means of maintaining that secure link while the user's traffic passes through the Ethernet switch on its way to the web server. While often described as sitting between the Layer 4 transport and Layer 7 application layers, SSL has clearly become a necessary requirement for encryption and protection over the internet.
Wireless Intrusion Detection Systems (WIDS)
A wireless intrusion detection system (WIDS) monitors the radio spectrum for the presence of unauthorized (rogue) access points and the use of wireless attack tools. The active500EM is the central intelligence solution monitoring, calculating, and protecting the wireless environment. This would not be possible without the ARC Series access points, which provide the Wireless Intrusion Prevention System (WIPS). A WIPS is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection). The system monitors the radio spectrum used by wireless LANs and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally this is achieved by comparing the MAC addresses of the participating wireless devices against those of known devices.
The ICC icXchange® solution recognizes that rogue devices can spoof the MAC address of an authorized network device as their own. Newer methods therefore include a fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by each wireless device against the known signatures of pre-authorized wireless devices. This is a heuristic and more intelligent method supported by the active500EM, and it allows for a more dynamic and evolving method of security.
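The two WIDS checks described above, as an added example that is not ICC's code: a scan is compared against an authorized inventory, a BSSID that is absent is reported as a rogue AP, and a BSSID that is present but whose signature differs is reported as a fake AP spoofing an authorized MAC. The signature fields used here (beacon interval and advertised rates, with channel recorded but deliberately ignored) are a constructed stand-in for the radio signatures the page mentions without specifying, and the MAC addresses are locally administered values invented for the example.

```python
"""Added example (not ICC's code): rogue-AP and fake-AP classification of a wireless
scan against an authorized inventory, using a constructed per-device signature."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fingerprint:
    """Stand-in for the per-device radio signature the page mentions (constructed fields)."""
    channel: int
    beacon_interval_ms: int
    supported_rates: Tuple[int, ...]   # rates advertised in beacons, in Mbps


@dataclass(frozen=True)
class Observation:
    """One access point as seen by a scanning radio (constructed)."""
    bssid: str
    ssid: str
    fingerprint: Fingerprint


# Authorized inventory: BSSID -> (SSID, signature recorded when the AP was provisioned)
Inventory = Dict[str, Tuple[str, Fingerprint]]


def classify(obs: Observation, inventory: Inventory) -> str:
    """'authorized', 'rogue-ap' (BSSID not in inventory) or 'fake-ap' (BSSID in the
    inventory but SSID or signature differs, i.e. an authorized MAC is being spoofed)."""
    known = inventory.get(obs.bssid.lower())
    if known is None:
        return "rogue-ap"
    ssid, recorded = known
    seen = obs.fingerprint
    # Channel is left out of the comparison on purpose: an authorized AP may move
    # channels under automatic channel selection, and that must not raise a false alarm.
    if (obs.ssid != ssid
            or seen.supported_rates != recorded.supported_rates
            or seen.beacon_interval_ms != recorded.beacon_interval_ms):
        return "fake-ap"
    return "authorized"


def scan_report(observations: List[Observation], inventory: Inventory) -> Dict[str, List[str]]:
    """Group observed BSSIDs by verdict so each class can be reported or acted on."""
    report: Dict[str, List[str]] = {"authorized": [], "rogue-ap": [], "fake-ap": []}
    for obs in observations:
        report[classify(obs, inventory)].append(obs.bssid.lower())
    return report


def demo() -> Dict[str, List[str]]:
    """Run the checks over a constructed scan (locally administered MACs, not real devices)."""
    ap1 = Fingerprint(channel=36, beacon_interval_ms=100, supported_rates=(6, 12, 24, 54))
    ap2 = Fingerprint(channel=44, beacon_interval_ms=100, supported_rates=(6, 12, 24, 54))
    inventory: Inventory = {
        "02:1a:2b:3c:4d:01": ("CORP-POS", ap1),
        "02:1a:2b:3c:4d:02": ("CORP-POS", ap2),
    }
    seen = [
        Observation("02:1a:2b:3c:4d:01", "CORP-POS", ap1),            # genuine AP 01
        Observation("02:1a:2b:3c:4d:02", "CORP-POS",                  # genuine AP 02, now on channel 40
                    Fingerprint(40, 100, (6, 12, 24, 54))),
        Observation("02:1a:2b:3c:4d:01", "CORP-POS",                  # AP 01's BSSID, but 802.11b
                    Fingerprint(6, 102, (1, 2, 5, 11))),              # rates and an odd interval
        Observation("02:aa:bb:cc:dd:ee", "BackOffice-WiFi",           # unknown AP in range
                    Fingerprint(1, 100, (1, 2, 5, 11))),
    ]
    return scan_report(seen, inventory)


if __name__ == "__main__":
    for verdict, bssids in demo().items():
        print(f"{verdict:11s} {bssids}")
```

Whatever signature fields a real deployment records, exclude the ones an authorized AP legitimately changes at runtime, or the fake-AP check will page the administrator for its own access points.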
12
Wireless Security
Wireless networks are generally not as secure as wired networks. Wired networks, at their most basic level, send data
between two points, A and B, which are connected by a network cable. While not impervious to attack, it is a more
difficult task. IEEE802.11 networks, by their very nature, send user data in every direction and to every device that
happens to be 'listening', within a limited range.
Following are descriptions of the WEP, WPA, and WPA2 wireless security protocols:
• Wired Equivalent Privacy (WEP): The original encryption protocol developed for wireless networks. As its name
implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well-known
security flaws, is difficult to configure, and is easily breached.
• Wi-Fi® Protected Access (WPA): Introduced as an interim security enhancement over WEP while the 802.11i
wireless security standard was being developed. Most current WPA implementations use a pre-shared key (PSK),
commonly referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for
encryption. WPA Enterprise uses an authentication server to generate keys or certificates.
• Wi-Fi Protected Access version 2 (WPA2): Based on the 802.11i wireless security standard, which was finalized in
2004. The most significant enhancement of WPA2 over WPA is the use of the Advanced Encryption Standard (AES)
for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt
information classified as top secret.
• WPA-Enterprise: The Enterprise mode of WPA2 gives you dynamic encryption keys, distributed securely after a user
logs in with a username and password or presents a valid digital certificate. Users never see the actual
encryption keys, and the keys are not stored on the device. This protects you against rogue or terminated employees
and lost or stolen devices.
The active500EM supports multiple wireless security modes, including WPA, WPA2, WPA-Enterprise, and 128-bit and 64-bit
WEP encryption.
Syslog and SNMP
The final stage in support of your PCI DSS compliance is the ability to track all data, be alerted to the various possibilities
of an attack, and be provided with ongoing reporting so that there is a dynamic means of evolving your security standards
and policies. Two methods the active500EM uses to help with this are Syslog and SNMP management.
Syslog provides the ability to see all data running within a specific device, including all traffic details. This information
can be sent from the active500EM to a central Syslog server to aggregate logs and alerts from all locations. Used with an
automated Syslog service, this option can then produce detailed printed reports of all data traffic. This form of logging
is the best available for devices because it can provide protected long-term storage for logs. Since security methods must
evolve, this reporting can build trends for both routine troubleshooting and incident handling or reporting.
The ICC icXchange® solution fully supports advanced SNMP standards-based TCP/IP protocols for network management.
Featuring a Management Information Base (MIB), the ICC icXchange® solution can be integrated into the management
design of any network administrator. The ability of the active500EM to integrate into existing management and
monitoring infrastructure reduces cost while ensuring complete visibility of the network, the content flowing over it,
and any possible threats to the environment.
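As an added example (not ICC's code, and not the active500EM's actual log format), the following Python script shows the intake side of that central Syslog server: it parses RFC 3164-style lines forwarded from several sites, decodes the PRI field into facility and severity, sets aside malformed lines for troubleshooting, and rolls up per-site counts plus an alert list for messages of severity error or worse. The sample lines, hostnames, addresses and the error-or-worse alert threshold are constructed assumptions.

```python
"""Central syslog intake for multi-site device logs (added example, not ICC code).

Parses RFC 3164 (BSD syslog) lines as forwarded by network devices, decodes
the <PRI> field into facility/severity, drops malformed input, and rolls up
per-site counts plus an alert list for messages of severity error or worse.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Standard syslog severity codes 0..7
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALERT_THRESHOLD = 3   # severity <= err counts as alert-worthy here (assumed policy)
MAX_PRI = 191         # facility 0..23 and severity 0..7 give at most 23*8+7

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def is_alert(self) -> bool:
        return self.severity <= ALERT_THRESHOLD


@dataclass
class IntakeSummary:
    records: List[SyslogRecord] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)
    per_host_severity: Counter = field(default_factory=Counter)
    alerts: List[SyslogRecord] = field(default_factory=list)


def parse_line(line: str) -> Optional[SyslogRecord]:
    """Return a SyslogRecord, or None when the line is not well-formed syslog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > MAX_PRI:
        return None
    # PRI = facility * 8 + severity, so the low three bits are the severity.
    return SyslogRecord(
        facility=pri >> 3,
        severity=pri & 0x7,
        timestamp=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        message=m.group("msg"),
    )


def summarize(lines) -> IntakeSummary:
    """Keep rejects for troubleshooting, count by (host, severity), collect alerts."""
    summary = IntakeSummary()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            summary.rejected.append(raw)
            continue
        summary.records.append(rec)
        summary.per_host_severity[(rec.host, rec.severity_name)] += 1
        if rec.is_alert:
            summary.alerts.append(rec)
    return summary


# Constructed sample: two store sites forwarding to one collector, plus two bad lines.
SAMPLE_LINES = [
    "<34>Oct  3 14:02:11 store-07-edge fw: BLOCK TCP 10.20.7.55:51234 -> 10.20.1.10:23",
    "<86>Oct  3 14:02:12 store-07-edge dhcpd[812]: DHCPACK on 10.20.7.55 to 00:11:22:33:44:55",
    "<27>Oct  3 14:03:40 store-12-edge wids: unknown device 66:77:88:99:aa:bb rejected by MAC filter",
    "<190>Oct  3 14:03:41 store-12-edge snmpd: GET sysUpTime from 10.0.0.5",
    "not a syslog line at all",
    "<999>Oct  3 14:04:00 store-12-edge fw: PRI out of range",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"parsed={len(s.records)} rejected={len(s.rejected)} alerts={len(s.alerts)}")
    for rec in s.alerts:
        print(f"ALERT {rec.host} {rec.severity_name} {rec.tag}: {rec.message}")
    for (host, sev), n in sorted(s.per_host_severity.items()):
        print(f"{host:15s} {sev:8s} {n}")
```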
Summary
The objective of PCI DSS compliance is to ensure complete protection of cardholder data. The more sophisticated
hackers, both internal and external, continue to be innovative in their approach. The only complete way of ensuring
security is to have a strategic plan for both the wired and wireless sides of your network ecosystem. The ICC icXchange®
solution is a unified solution designed to keep data separate, prevent unauthorized devices from speaking to the
network, and ensure proper reporting and routing of content.
© 2015 International Communications Corporation, Inc. All Rights Reserved. Printed in USA. Issue 1.0 ICC 10/1012015. Wi-Fi®
is the Trademark of Wi-Fi Alliance. icXchange®, icXengine, icXcloud, and icXmanager are the Trademark of International
Communications Corporation, Inc.
Contact:
Phone: 888-209-0067
Email: sales@intcomcorp.com
support@intcomcorp.com
Web: www.iccnetworking.com

More Related Content

What's hot

Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Cloud computing security infrastructure
Cloud computing security   infrastructureCloud computing security   infrastructure
Cloud computing security infrastructureIntel IT Center
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareTzar Umang
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...Andris Soroka
 
The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443WoMaster
 
Cy Cops Company Presentation
Cy Cops Company PresentationCy Cops Company Presentation
Cy Cops Company PresentationChaitanyaS
 
SCADA Security Training
SCADA Security TrainingSCADA Security Training
SCADA Security TrainingBryan Len
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Abhishek Goel
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com -  IoT SecurityRyan Wilson - ryanwilson.com -  IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Brochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesBrochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesDavid Maciejak
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simpleSameer Paradia
 
Sfa community of practice a natural way of building
Sfa community of practice  a natural way of buildingSfa community of practice  a natural way of building
Sfa community of practice a natural way of buildingCharles "Chuck" Speicher Jr.
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 

What's hot (19)

Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
Cloud computing security infrastructure
Cloud computing security   infrastructureCloud computing security   infrastructure
Cloud computing security infrastructure
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-ware
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
 
IoT security
IoT securityIoT security
IoT security
 
The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443The new era of Cyber Security IEC62443
The new era of Cyber Security IEC62443
 
Cy Cops Company Presentation
Cy Cops Company PresentationCy Cops Company Presentation
Cy Cops Company Presentation
 
SCADA Security Training
SCADA Security TrainingSCADA Security Training
SCADA Security Training
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address them
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com -  IoT SecurityRyan Wilson - ryanwilson.com -  IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
Brochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-ServicesBrochure-FortiGuard-Security-Services
Brochure-FortiGuard-Security-Services
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simple
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
Sfa community of practice a natural way of building
Sfa community of practice  a natural way of buildingSfa community of practice  a natural way of building
Sfa community of practice a natural way of building
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 

Viewers also liked

Семінар з образотворчого мистецтва 31.10.16 р.
Семінар з образотворчого мистецтва 31.10.16 р.Семінар з образотворчого мистецтва 31.10.16 р.
Семінар з образотворчого мистецтва 31.10.16 р.Володимир Мороз
 
El hombre digital
El hombre digitalEl hombre digital
El hombre digitalGustavo Ciz
 
How to Build a SaaS Revenue Growth Engine
How to Build a SaaS Revenue Growth EngineHow to Build a SaaS Revenue Growth Engine
How to Build a SaaS Revenue Growth EngineRyan Cahill
 
Potentials and limitations of ‘Automated Sentiment Analysis
Potentials and limitations of ‘Automated Sentiment AnalysisPotentials and limitations of ‘Automated Sentiment Analysis
Potentials and limitations of ‘Automated Sentiment AnalysisKarthik Sharma
 
Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013
Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013
Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013AbilityNet
 
Capturing Inbound Leads with Contributed Content
Capturing Inbound Leads with Contributed ContentCapturing Inbound Leads with Contributed Content
Capturing Inbound Leads with Contributed ContentAddThis
 
maqueta del folleto de presentacion turistica de galicia
maqueta del folleto de presentacion turistica de galiciamaqueta del folleto de presentacion turistica de galicia
maqueta del folleto de presentacion turistica de galiciaVanesa Borlaff Rubio
 
Pybcn machine learning for dummies with python
Pybcn machine learning for dummies with pythonPybcn machine learning for dummies with python
Pybcn machine learning for dummies with pythonJavier Arias Losada
 

Viewers also liked (12)

Семінар з образотворчого мистецтва 31.10.16 р.
Семінар з образотворчого мистецтва 31.10.16 р.Семінар з образотворчого мистецтва 31.10.16 р.
Семінар з образотворчого мистецтва 31.10.16 р.
 
POPULISMO
POPULISMOPOPULISMO
POPULISMO
 
El hombre digital
El hombre digitalEl hombre digital
El hombre digital
 
How to Build a SaaS Revenue Growth Engine
How to Build a SaaS Revenue Growth EngineHow to Build a SaaS Revenue Growth Engine
How to Build a SaaS Revenue Growth Engine
 
SAIW-ASME Codes Of Manufacture
SAIW-ASME Codes Of ManufactureSAIW-ASME Codes Of Manufacture
SAIW-ASME Codes Of Manufacture
 
Economía
Economía Economía
Economía
 
HSE AWARD CEREMONY NOV. 2015.ppt
HSE AWARD CEREMONY NOV. 2015.pptHSE AWARD CEREMONY NOV. 2015.ppt
HSE AWARD CEREMONY NOV. 2015.ppt
 
Potentials and limitations of ‘Automated Sentiment Analysis
Potentials and limitations of ‘Automated Sentiment AnalysisPotentials and limitations of ‘Automated Sentiment Analysis
Potentials and limitations of ‘Automated Sentiment Analysis
 
Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013
Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013
Accessibility Goes Mobile: AbilityNet Webinar 26 June 2013
 
Capturing Inbound Leads with Contributed Content
Capturing Inbound Leads with Contributed ContentCapturing Inbound Leads with Contributed Content
Capturing Inbound Leads with Contributed Content
 
maqueta del folleto de presentacion turistica de galicia
maqueta del folleto de presentacion turistica de galiciamaqueta del folleto de presentacion turistica de galicia
maqueta del folleto de presentacion turistica de galicia
 
Pybcn machine learning for dummies with python
Pybcn machine learning for dummies with pythonPybcn machine learning for dummies with python
Pybcn machine learning for dummies with python
 

Similar to ICC Networking Data Security

Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesNir Cohen
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
Ibm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deckIbm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deckArrow ECS UK
 
Didiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - EnglishDidiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - EnglishDidiet Kusumadihardja
 
Hardwar based Security of Systems
Hardwar based Security of SystemsHardwar based Security of Systems
Hardwar based Security of SystemsJamal Jamali
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Shakeel Ali
 
Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Ahmed Mohamed Mahmoud
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour BrochureBlock Armour
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour BrochureFloyd DCosta
 
8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdfMetaorange
 
Sfa community of practice a natural way of building
Sfa community of practice  a natural way of buildingSfa community of practice  a natural way of building
Sfa community of practice a natural way of buildingChuck Speicher
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonPatricia M Watson
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Russia
 
8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptxMetaorange
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...LabSharegroup
 

Similar to ICC Networking Data Security (20)

Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power Utilities
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
Ibm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deckIbm security overview 2012 jan-18 sellers deck
Ibm security overview 2012 jan-18 sellers deck
 
Didiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - EnglishDidiet Cybersecurity Consultant Portfolio - English
Didiet Cybersecurity Consultant Portfolio - English
 
Hardwar based Security of Systems
Hardwar based Security of SystemsHardwar based Security of Systems
Hardwar based Security of Systems
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
 
Aca presentation arm_
Aca presentation arm_Aca presentation arm_
Aca presentation arm_
 
Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour Brochure
 
Block Armour Brochure
Block Armour BrochureBlock Armour Brochure
Block Armour Brochure
 
Apani Ov V9
Apani Ov V9Apani Ov V9
Apani Ov V9
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution Overview
 
8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf
 
Sfa community of practice a natural way of building
Sfa community of practice  a natural way of buildingSfa community of practice  a natural way of building
Sfa community of practice a natural way of building
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPs
 
8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx
 
Cybersecurity in the Age of IoT - Skillmine
Cybersecurity in the Age of IoT - SkillmineCybersecurity in the Age of IoT - Skillmine
Cybersecurity in the Age of IoT - Skillmine
 
386sum08ch8
386sum08ch8386sum08ch8
386sum08ch8
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
 

More from International Communications Corporation (8)

ICC Data and Device management
ICC Data and Device managementICC Data and Device management
ICC Data and Device management
 
ICC Networking Link Series unified controller solution
ICC Networking Link Series unified controller solutionICC Networking Link Series unified controller solution
ICC Networking Link Series unified controller solution
 
ICC Networking handles BYOD & BYOC
ICC Networking handles BYOD & BYOCICC Networking handles BYOD & BYOC
ICC Networking handles BYOD & BYOC
 
ICC Networking Value Proposition
ICC Networking Value PropositionICC Networking Value Proposition
ICC Networking Value Proposition
 
Who is ICC Networking
Who is ICC NetworkingWho is ICC Networking
Who is ICC Networking
 
ICC icXchange Community Wireless Mobility
ICC icXchange Community Wireless MobilityICC icXchange Community Wireless Mobility
ICC icXchange Community Wireless Mobility
 
How Technology Enables Retail Business Growth
How Technology Enables Retail Business GrowthHow Technology Enables Retail Business Growth
How Technology Enables Retail Business Growth
 
ICC icXchange Solution Brochure
ICC icXchange Solution BrochureICC icXchange Solution Brochure
ICC icXchange Solution Brochure
 

Recently uploaded

Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoUXDXConf
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 

Recently uploaded (20)

Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 

ICC Networking Data Security

  • 1. 1 The ICC icXchange® Solution Security Review
IP Data Security in an Internet of Things ecosystem

ICC Security Philosophy
There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've seen breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a disincentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems.

Core Objective
ICC agrees with E&Y's cost-benefit review of looking at security:
 Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.
 Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.
 Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.
 Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.
 Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase the likelihood of successful outcomes.
These layers ensure full integration of data security with all parts of a business model, as well as marrying it to the top risks facing telecommunications with security.
  • 2. 2 Therefore, ICC's deployment strategy affixes various types of security technologies at every level of connectivity, from the edge to the aggregation layer and to the distributed core.

Edge networking devices: Unified Access Device (UAD)
UADs are managed access APs for an all-wireless network. Designed with security in mind, each device contains the UAD Operating System (UADOS), which includes Firewall, Routing, MAC Filtering, Wireless Intrusion Detection, VLAN, Hidden SSID, and Captive Portal among other features. The UAD is the first line of defense, with a variety of security rules to prevent or allow initial user access based on policies set by an administrator. ICC's approach to a simple network ecosystem is demonstrated in these devices because they are self-contained and can be completely separated from a network by acting as their own NAT router, without the need to re-flash the unit. The administrator simply needs to enable AP mode or Router mode, without updating firmware as with other vendors.

Security Features

Authentication and Security
 Multiple authentication methods: WPA (PSK), WPA2 (PSK), WEP, WPA Enterprise, WPA2 Enterprise
 Multiple encryption algorithms: CCMP (AES), TKIP, or CCMP and TKIP both
 Hidden SSID support
 Wireless client isolation
 Remote RADIUS authentication and accounting support
 Local authentication (MAC passing)

Security Standards
 Wi-Fi Protected Access (WPA)
 IEEE 802.11i
 RFC 1321 MD5 Message-Digest Algorithm
 RFC 2104 HMAC: Keyed-Hashing for Message Authentication
 RFC 2246 TLS Protocol Version 1.0
 RFC 2401 Security Architecture for the Internet Protocol
 RFC 2407 IP Security Domain of Interpretation for ISAKMP
 RFC 2408 ISAKMP
 RFC 2409 IKE
 RFC 3280 Internet X.509 PKI Certificate and CRL Profile
 RFC 4347 Datagram Transport Layer Security
 RFC 4346 TLS Protocol Version 1.1
  • 3. 3 Authentication, Authorization and Accounting
 IEEE 802.1X
 RFC 2548 Microsoft Vendor-Specific RADIUS Attributes
 RFC 2865 RADIUS Authentication
 RFC 2866 RADIUS Accounting
 RFC 2867 RADIUS Tunnel Accounting
 RFC 2869 RADIUS Extensions
 RFC 3579 RADIUS Support for EAP
 RFC 3580 IEEE 802.1X RADIUS Guidelines
 RFC 3748 Extensible Authentication Protocol
 Web-based authentication

MAC Filter
 Allow all except listed MAC addresses
 Allow only listed MAC addresses
 Shows all clients connected to each radio (if more than one)
 Sets the minimum connection/transmission rate at which a user can connect (Multicast Tx rate)
 Ability to limit/exclude certain channels
 Transmit power control to change the output of the radio

The UADOS is also enhanced with ICC's patented icXengine, which inspects and controls IP data content flows. Deployments for either indoor or outdoor applications are complemented in these all-wireless networks by the cloud AAA and RADIUS systems from icXcloud and icXmanager.
  • 4. 4 Enterprise networking devices: Link and activeARC Series Controller-based Solution
The aggregation layer of the ICC solution consists of a unified switched controller system designed to ensure connectivity while increasing performance up to 10G for various distributed or centralized functions. The advanced security features include:

802.11 security
 BSSIDs (up to 32 for a dual-band AP, 16 for a single-band AP)
 802.11i (802.1x Authentication and PSK Authentication)
 Hidden SSID
 WEP (WEP64/WEP128)
 WPA, WPA2, TKIP, AES

11 different WIDS methods
 Rogue AP detection
 Rogue DHCP Server detection
 DoS attack prevention
 DDoS
 Password guessing protection
 Rate limiting

Access Lists (ACLs)
 Layer-2 (MAC address based ACL)
 Layer-3 (IP address based ACL)

Authentication
 MAC Filtering
 802.1x Authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5)
 Captive Portal
 AAA RADIUS Client
 LDAP
 Local Authentication (5000 user entries)
 Accounting server

IPv6 Support
 IPv6 ISATAP, 6to4 Tunnel, DHCPv6, DNSv6, ICMPv6, ACLv6, TCP/UDP for IPv6, SNMP v6, Ping/Trace, Route v6, RADIUS, Telnet/SSH v6, NTP v6, IPv6 MIB support for SNMP, VRRP for IPv6, IPv6 QoS, Static Routing, OSPFv3, IPv6 Security RA

Data forwarding
 Distributed forwarding architecture (CAPWAP)
 Centralized architecture (CAPWAP)

Security is also enhanced by the system's ability to route data in a variety of ways. Administrators can change IP data routing measures frequently to keep the system evolving, so that data traffic routes are harder to guess or set up for. With options for central, distributed, encrypted, Q-in-Q, AP-to-AP or AP-to-Switch forwarding, ICC's icXchange network architectures can evolve based on business demands and/or security concerns for data flows. Organizations can set up different routing measures, allowing the controller systems to be in the data path, outside the data path, off- or on-site, or a variety of other simple-to-change system arrangements that enhance security.
  • 5. 5 Broadband Connectivity: Super Wi-Fi
The WAN connectivity points are also very important and require a higher level of security to ensure data integrity and security. ICC's joint solution provides military-level encryption that either ships with the system or can be added over time based on requirements and business needs. The backbone system consists of different security measures within the four segments below.

Wireless Broadband: Whitespace (Super Wi-Fi) - VHF/UHF

SECURITY
 Payload Encryption: 128/256-bit Advanced Encryption Standard (AES)
 System Access/Authentication Capabilities: Multifactor Authentication; Remote Access Token-Based Authentication, Authorization and Accounting
 Protects Against: Non-Authorized Administration/Maintenance and Over-the-Air Access
 Information Assurance Tools: Integrated Firewall and Suite of Information Assurance Tools

The ICC solution is a single integrated solution, but with various types of security measures based on the type of requirements at each level.
  • 6. 6 Example: PCI Data Security Standards (DSS)
PCI Data Security Standards (DSS) compliance is central to a vibrant and expanding economy that continues to utilize credit cards as a means or medium for payments. Credit card transactions number in the billions each year, with a value in the trillions of dollars. Network intruders continue to be a threat and could siphon off a variety of customer data, including credit card numbers, PINs, account and personal information, and the details that would allow them to utilize the pilfered cards. The standards set both the technical and operational requirements for handling cardholder data. They provide guidance for everything from software, security, networking, and applications to anything that might store, transmit, come into contact with, or touch in any way cardholder details. The standards are enforced by the founding members American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Implementation
PCI DSS was implemented as a way to provide security guidance to anyone conducting a credit card transaction. To adequately outline the requirements, a Wireless Operation Guide was implemented which identified two categories. The first requirement dealt with 'generally applicable wireless requirements', which constituted such requirements as rogue or unknown device detection. The second requirement dealt with in-scope wireless equipment and the general protection against any non-authorized users to any system, regardless of its proximity to the Cardholder Data Environment (CDE). The PCI DSS Wireless Guide outlines those requirements while utilizing a wireless local area network environment, and how to segment credit card data, keep inventory statistics, detect rogue access points or connections, enforce usage, and physically monitor.

The four main areas for concern
1. Inventory
2. Scanning and dealing with Rogue access points and devices
3. Wireless enforcement
4. Segmentation

The ICC icXchange® solution helps various market segments as they strive to keep their PCI compliance as simple as possible. The true target audience for PCI DSS includes organizations that store, process, or transmit cardholder data and who may or may not have deployed wireless technology, as well as assessors performing PCI DSS assessments pertaining to wireless. As further support to these groups, the ICC icXchange® solution helps ensure the highest level of technology, flexibility, and features that aid in the protection of the CDE.

Sources: The US Census Bureau; The Federal Reserve; PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0, published by the PCI Security Standards Council, 2010.
  • 7. 7 Inventory
The PCI DSS group recommends that an inventory of all items connected to the network be maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network.

Scanning and handling Rogue Access Points
The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements are central to the PCI standard in section 11.1. The ICC icXchange® solution provides various security options, including a Wireless Intrusion Detection System for advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points, and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks, not only for rogue APs but for DoS and DDoS attacks. Moreover, the solution is a unified wired/wireless platform that ensures consistent protection while increasing segmentation with an advanced Layer 3 feature set. Constant scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirements, threats can be reported for further action, or the system can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners in thinking in advance about how they'd like threats to be handled. Once a decision is made they can, through the ICC icXchange® solution, automate and immediately handle that threat.

Wireless enforcement and usage
The ICC icXchange® solution employs a variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection, to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher-level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size.

Source: 'Information Supplement: PCI DSS Wireless Guideline', prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team; July 2009.
  • 8. 8 Segmentation
One of the core PCI DSS requirements is the segmentation of CDE (Cardholder Data Environment) traffic from the rest of the network. The ICC icXchange® solution sits within the network and can be connected separately to a designated firewall and gateway for external access. This is the most direct method for handling compliance; however, it might not be possible in all cases. In the event that the ICC icXchange® solution and CDE traffic must exist on the same network, the ICC icXchange® solution has a variety of advanced segmentation features to separate and maintain data security while it traverses the network. PCI DSS recommends placing a firewall between the CDE and the ICC icXchange® solution, as demonstrated in the image to the right. The primary function of the firewall is to separate the traffic to ensure there's no possibility of CDE traffic being visible to, or mixed with, other data traffic.

The ICC icXchange® solution is a unified wired and wireless system with full Layer 3 routing. This additional feature provides the industry with several options for additional security. The solution supports a variety of routing protocols, including RIP, OSPF, VRRP and IGMP, as well as other advanced features designed to keep IP data traffic contained and secure. While VLANs can be used, they are not the best method for separating the data from CDE traffic: experienced hackers could hop between VLANs as a means to gather data. Keeping a completely separate segment is vital to enhancing network security.

Beyond PCI Compliance
The ICC icXchange® solution is a unified solution built for a multi-user data environment. The ability to control IP traffic is central to our system and is a ground-up feature set supported at each level of the solution. Starting with full Layer 2 and Layer 3 ACLs (MAC- and IP-based), the solution can route traffic separately via true Layer 3 segmentation or via various IP forwarding methods. Distributed and local forwarding with CAPWAP secure encryption add another layer of separation of data, as well as the ability to route separate data traffic to different locations. Therefore, whether the user needs to securely control guest traffic and segment it from the CDE traffic, or vice versa, the solution is able to keep those data paths completely separated. Client traffic can also be limited to the specific routable, controlled, and secure areas of the network based on PCI requirements. The solution's various authentication methods (MAC Filtering, 802.1x Authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5), Captive Portal, AAA RADIUS Client, LDAP, Local Authentication (5000 user entries), and Accounting server) direct non-corporate IP traffic to a specific secure part of the network. Combined with the embedded Wireless Intrusion Detection System (WIDS) utilizing 11 different modes (Blacklist, Whitelist, Rogue AP, Fake AP, etc.) for protecting against hackers, the network can be kept secure.

Source: 'Information Supplement: PCI DSS Wireless Guideline', prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team; July 2009.
  • 9. 9 The following is a list of compliance features and how they can be supported within the ICC icXchange® solution. Since the solution supports multiple methods per requirement, we maintain several technical labs and configuration details for each feature at http://www.iccnetworking.com.
  • 10. 10 The ICC icXchange® Solution overview
Optional solution design recommendations to meet or exceed PCI DSS requirements

The ICC icXchange® solution expands PCI DSS compliance with the addition of extensive IP control measures that reach beyond standard vendor requirements. The ICC icXchange® solution extends its unified approach to add advanced features to secure data. Those measures include such features as:
 Access Management Configuration
 Access List Control
 SSL
 Wireless Intrusion Detection
 Wireless Security
 Syslog and SNMP

Access Management Configuration
Access Management is a policy configuration option within the active500EM designed to allow only approved hardware to send messages into the network. The solution can refuse to allow data communication to start prior to the approval process. This is a vital part of the system because ill-intentioned individuals gain access by being able to have an IP dialogue with the network; the active500EM does not allow such a conversation to even commence if the hardware isn't included on the approved list. When the active500EM receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP address pair) with the configured hardware address pool. If there is an entry in the address pool matching that information, the message is forwarded. If the message does not match the approved list, the request and its information are dropped, preventing possible intrusion.
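The match-then-forward rule just described, as an added example (not ICC's or the active500EM's code): a Python model that parses constructed ARP and IPv4 frames, extracts the source addresses the text names, and forwards only on a pool match. The pool semantics (an IP-only entry admits any MAC, a MAC-IP entry must match both) and the frame bytes are assumptions made for illustration.

```python
"""Model of an allow-list 'access management' check on IP and ARP frames.

Added example, not ICC code. The filter holds a pool of approved bindings:
either an IP address alone or a (MAC, IP) pair. A frame is forwarded only if
the source addresses extracted from it match a pool entry; anything else (no
match, non-IP/ARP ethertype, truncated header) is dropped. Pool semantics and
the frame bytes below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Binding:
    """One approved entry: IP only (any MAC accepted) or a MAC-IP pair."""
    ip: str
    mac: Optional[str] = None


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def extract_source(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (source MAC, source IP) from an ARP or IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETHERTYPE_ARP and len(body) >= 28:
        # ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        if body[4] != 6 or body[5] != 4:
            return None
        # Sender hardware/protocol addresses carried inside the ARP message.
        return mac_to_str(body[8:14]), ip_to_str(body[14:18])
    if ethertype == ETHERTYPE_IPV4 and len(body) >= 20:
        version, ihl = body[0] >> 4, body[0] & 0x0F
        if version != 4 or ihl < 5:
            return None
        # Ethernet source MAC paired with the IPv4 header source address.
        return mac_to_str(eth_src), ip_to_str(body[12:16])
    return None


class AccessManagementFilter:
    def __init__(self, pool: Iterable[Binding]) -> None:
        self.pool: Set[Binding] = set(pool)

    def decide(self, frame: bytes) -> str:
        """'forward' if the frame's source matches the pool, otherwise 'drop'."""
        src = extract_source(frame)
        if src is None:
            return "drop"
        mac, ip = src
        # A MAC-IP entry must match both fields; an IP-only entry matches any MAC.
        if Binding(ip, mac) in self.pool or Binding(ip) in self.pool:
            return "forward"
        return "drop"


# --- constructed frames (hand-built bytes, not captured traffic) -------------
def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    eth = _mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # Ethernet/IPv4, opcode request
    return eth + arp + _mac_bytes(src_mac) + _ip_bytes(src_ip) + bytes(6) + _ip_bytes(target_ip)


def build_ipv4_frame(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    eth = _mac_bytes("00:11:22:33:44:55") + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    # Minimal 20-byte IPv4 header (UDP); checksum left zero, the filter never checks it.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip_hdr


APPROVED_POOL = [
    Binding("10.0.0.10", "aa:bb:cc:dd:ee:01"),  # host pinned to its MAC
    Binding("10.0.0.20"),                       # IP-only entry
]
```

An ARP request claiming 10.0.0.10 from a MAC other than the pinned one is dropped, while any MAC may use the IP-only entry, which is why pinning MAC-IP pairs is the stricter configuration.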
  • 11. 11 Access Control Lists (ACL)
An ACL is a complex method for IP packet filtering deployed by Ethernet switching technology to prevent nefarious users from communicating with the rest of the network. The ICC icXchange® solution's value can once again be seen, as the unified wired/wireless capabilities allow for protection on both sides of the network. While highly publicized data breaches focus on the external threat to a network and customer data, the less frequently publicized breach occurs internal to the organization. The threat also arrives via foreign devices installed by 'known' individuals (employees). According to a global study by InsightExpress of some 2000 IT professionals, 39% were more concerned with internal threats from their own employees and another 33% were concerned about lost data from foreign USB devices. Therefore, retailers dealing with cardholder data can no longer be concerned only with foreign threats over a predominantly wireless ecosystem. The threats are real and varied in nature, which means that the ability to handle multiple threats from various directions, in different modes, is the new requirement. The active500EM and its unified architecture do just that.

Secure Socket Layer (SSL)
SSL is an industry standard for establishing a secure and encrypted link between a web browser and a web server. This technology can be enabled within the active500EM as a means for maintaining that secure link while the user's traffic passes through the Ethernet switch on its way to the web server. While often discussed as sitting between Layer 4 (Transport) and Layer 7 (Application), SSL has clearly become a necessary requirement for encryption and protection over the internet.

Wireless Intrusion Detection Systems (WIDS)
A wireless intrusion detection system (WIDS) monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The active500EM is the central intelligence solution monitoring, calculating, and protecting the wireless environment. This would not be possible without the ARC Series access points, which provide the Wireless Intrusion Prevention System (WIPS). A WIPS is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection). The system monitors the radio spectrum used by wireless LANs and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally this is achieved by comparing the MAC addresses of the participating wireless devices. The ICC icXchange® solution recognizes that rogue devices can spoof the MAC address of an authorized network device as their own. Newer methods include a fingerprinting approach to weed out devices with spoofed MAC addresses: the unique signatures exhibited by the signals emitted by each wireless device are compared against the known signatures of pre-authorized wireless devices. This heuristic and more intelligent method is supported by the active500EM and allows for a more dynamic and evolving method of security.
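To show why the fingerprint check matters beyond a MAC compare, an added example (not ICC's code) classifies constructed beacon observations using the mode names listed on slide 8. The RF signal signature cannot be reproduced in software here, so over-the-air beacon attributes stand in for it, and the exact meaning given to each mode is this example's assumption.

```python
"""Rogue / spoofed access point classification over observed beacons.

Added example, not ICC code. A WIDS that trusts the BSSID (MAC) alone is
fooled by a radio copying an authorized BSSID, so each authorized AP is also
enrolled with a fingerprint. The RF signal signature the text describes cannot
be reproduced in software here; a tuple of over-the-air beacon attributes
(beacon interval, capability bits, supported rates, vendor-specific IE OUIs)
stands in for it. Verdict names follow the modes listed on slide 8 (Blacklist,
Whitelist, Rogue AP, Fake AP); their exact meaning below is assumed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Fingerprint = Tuple[int, int, Tuple[int, ...], Tuple[str, ...]]


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    beacon_interval: int          # in time units (TU)
    capabilities: int             # 802.11 capability information field
    rates: Tuple[int, ...]        # supported rates in Mbps, ascending
    vendor_ies: Tuple[str, ...]   # OUIs of vendor-specific IEs present

    def fingerprint(self) -> Fingerprint:
        return (self.beacon_interval, self.capabilities, self.rates, self.vendor_ies)


class WidsClassifier:
    def __init__(self, authorized: Iterable[Beacon], protected_ssids: Iterable[str],
                 blacklist: Iterable[str] = ()) -> None:
        # Whitelist: authorized BSSIDs with the fingerprint recorded at enrollment.
        self.authorized: Dict[str, Beacon] = {b.bssid.lower(): b for b in authorized}
        self.protected_ssids: Set[str] = set(protected_ssids)
        self.blacklist: Set[str] = {b.lower() for b in blacklist}

    def classify(self, seen: Beacon) -> str:
        bssid = seen.bssid.lower()
        if bssid in self.blacklist:
            return "blacklist"
        ref = self.authorized.get(bssid)
        if ref is not None:
            if ref.fingerprint() != seen.fingerprint():
                # Authorized BSSID but a different-looking device: spoofed MAC.
                return "fake-ap/spoofed-bssid"
            return "whitelist"
        if seen.ssid in self.protected_ssids:
            # Unknown radio advertising one of our SSIDs: evil-twin style fake AP.
            return "fake-ap/evil-twin"
        return "rogue-ap"

    def alerts(self, seen: Iterable[Beacon]) -> List[str]:
        """One alert line per observation that is not a healthy whitelisted AP."""
        out: List[str] = []
        for b in seen:
            verdict = self.classify(b)
            if verdict != "whitelist":
                out.append(f"{verdict} bssid={b.bssid.lower()} ssid={b.ssid!r} ch={b.channel}")
        return out


# --- constructed enrollment data and survey (not a real capture) -------------
CORP_FP = dict(beacon_interval=100, capabilities=0x0411, rates=(6, 12, 24, 54),
               vendor_ies=("00:50:f2", "00:1a:2b"))
AUTHORIZED = [
    Beacon("00:1a:2b:00:00:01", "CORP", 6, **CORP_FP),
    Beacon("00:1a:2b:00:00:02", "CORP", 11, **CORP_FP),
]
PROTECTED_SSIDS = {"CORP", "POS-CDE"}
BLACKLIST = {"de:ad:be:ef:00:01"}

OBSERVED = [
    Beacon("00:1a:2b:00:00:01", "CORP", 6, **CORP_FP),                    # genuine AP
    # Same BSSID as AP 1 but a different cadence, capabilities and chipset IEs.
    Beacon("00:1a:2b:00:00:01", "CORP", 6, 102, 0x0c11, (1, 2, 5, 11), ("00:50:f2", "c8:3a:35")),
    Beacon("c8:3a:35:10:20:30", "POS-CDE", 1, 100, 0x0c11, (1, 2, 5, 11), ("c8:3a:35",)),  # evil twin
    Beacon("f4:f2:6d:aa:bb:cc", "Cafe-Guest", 3, **CORP_FP),              # neighbour, unknown
    Beacon("de:ad:be:ef:00:01", "FREE_WIFI", 9, **CORP_FP),               # known-bad BSSID
]
```

The second observation is the case a MAC-only compare misses: its BSSID is on the whitelist, so only the fingerprint mismatch reveals it as a different device.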
  • 12. 12 Wireless Security
Wireless networks are generally not as secure as wired networks. Wired networks, at their most basic level, send data between two points, A and B, which are connected by a network cable. While not impervious to attack, intercepting them is a more difficult task. IEEE 802.11 networks, by their very nature, send user data in every direction and to every device that happens to be 'listening' within a limited range. Following are descriptions of the WEP, WPA, and WPA2 wireless security protocols:
 Wired Equivalent Privacy (WEP): The original encryption protocol developed for wireless networks. As its name implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well-known security flaws, is difficult to configure, and is easily breached.
 Wi-Fi® Protected Access (WPA): Introduced as an interim security enhancement over WEP while the 802.11i wireless security standard was being developed. Most current WPA implementations use a pre-shared key (PSK), commonly referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses an authentication server to generate keys or certificates.
 Wi-Fi Protected Access version 2 (WPA2): Based on the 802.11i wireless security standard, which was finalized in 2004. The most significant enhancement of WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top secret.
 WPA-Enterprise: The Enterprise mode of WPA2 gives you dynamic encryption keys, distributed securely after a user logs in with their username and password or provides a valid digital certificate. Users never see the actual encryption keys and they aren't stored on the device. This protects you against rogue or terminated employees and lost or stolen devices.
The active500EM supports multiple wireless security protocols, including WPA, WPA2, WPA-Enterprise and WEP 128- and 64-bit encryption.
  • 13. 13 Syslog and SNMP
The final stage in support of your PCI DSS compliance is the ability to track all data, be alerted to the various possibilities of an attack, and be provided ongoing reporting to ensure there is a dynamic means for evolving your security standards and policies. Two methods that the active500EM uses to help with this are Syslog and SNMP management. Syslog provides the ability to see all data running within a specific device, including all traffic details. This information can be sent from the active500EM to a central Syslog server to aggregate logs and alerts from all locations. This option can be used in conjunction with a Syslog service, automated, and then provide detailed printed reporting of all data traffic. This form of logging is the best available for devices because it can provide protected long-term storage for logs. Since security methods must evolve, this reporting can build trends for both routine troubleshooting and incident handling or reporting.

The ICC icXchange® solution fully supports advanced SNMP, the standards-based TCP/IP protocol for network management. Featuring Management Information Base (MIB) support, the ICC icXchange® solution can be integrated into the management designs of any network administrator. The ability of the active500EM to integrate into the existing management and monitoring infrastructure allows for a reduced cost structure while ensuring complete visibility of the network, the content flowing over it, and any possible threats to the environment.

Summary
The objective of PCI DSS compliance is to ensure complete protection of cardholder data. The more sophisticated hackers, both internal and external, continue to be innovative in their approach. The only complete way of ensuring security is to have a strategic plan for both the wired and wireless sides of your network ecosystem. The ICC icXchange® solution is a unified solution designed to keep data separate, prevent unauthorized devices from speaking to the network, and ensure proper reporting and routing of content.

© 2015 International Communications Corporation, Inc. All Rights Reserved. Printed in USA. Issue 1.0 ICC 10/1012015. Wi-Fi® is the Trademark of Wi-Fi Alliance. icXchange®, icXchange®, icXengine, icXcloud, and icXmanager are the Trademark of International Communications Corporation, Inc.
Contact: Phone: 888-209-0067 Email: sales@intcomcorp.com support@intcomcorp.com Web: www.iccnetworking.com