AirTight Networks is a leader in wireless security solutions. The document discusses how wireless vulnerabilities pose security risks even for organizations that don't think they have wireless networks. It then summarizes AirTight's wireless intrusion prevention system (WIPS) which uses patented marker packet technology to accurately detect rogue access points and unauthorized wireless clients on a network. The WIPS solution provides comprehensive wireless security and monitoring to help organizations address wireless threats and compliance requirements.
7. Risk from WLAN Attacks Most Severe and Urgent
Source: Gartner, “Staying Ahead of Next-Generation Threats and Vulnerabilities,” by John Pescatore, June 28 - July 1, 2009. Rating shown on the slide: Highest Severity & NOW!!
10. Layered Approach to Wireless Security (diagram)
Layers shown: Re-establishing network security perimeter; Protecting mobile wireless user.
Wired-side controls shown: Firewall, Wired IPS, SPAM/AV, URL filtering, Guest Access.
Wireless elements and threats shown: Rogue AP, Misconfigured AP, WEP, WPA, WPA2, External APs, Ad hoc connections, Wi-Phishing, Honeypots, other network interfaces (Bluetooth, Infrared, 1394 etc.), detachable interfaces (2.5G/3G data-cards, WiFi adapters), Eavesdropping, Unauthorized Access, Cracking Exploits, MAC spoofing attacks, Denial of Service, External Users.
11. Classifying Threats And Enforcing Policy
Access Points:
Authorized – connected to the network; following the security policy.
External – not connected to the network; visible in the air.
Rogue – connected to the network; violating the security policy.
Guest – connected to the guest network; following the Guest security policy.
Clients:
Authorized – connected to an authorized AP.
External – connected to an external AP.
Guest – connected to a Guest AP; cannot connect to Authorized APs.
Events: labelled with the same classes (Authorized, External, Rogue, Guest) according to the AP and client involved.
12. SpectraGuard Product Family
SpectraGuard Enterprise: Complete Wireless Intrusion Prevention
SpectraGuard SAFE: Wireless Security for Mobile Users
SpectraGuard Online: Industry’s Only Wireless Security Service
SpectraGuard Planner: WLAN Coverage & Security Planning
13. SpectraGuard Advanced WIPS Capabilities
Applied AirTight’s approach of simplicity and ease of use to WLAN performance management and forensics: Predictive Performance; Smart Forensics (TM); Comprehensive Integration; Dashboards and Reporting.
15. SpectraGuard Enterprise Overlay + SAFE (deployment diagram)
Elements shown: Building A, Building B, No WiFi Premise, Internet, SpectraGuard Network Detector, Corporate Firewall, Enterprise Servers, SpectraGuard Enterprise Appliance.
17. Marquis High Security Wins: Government, Transportation, Telco, Manufacturing, Technology Services, Financial.
22. Innovations by AirTight (timeline 2005–2010)
2005: World’s first fully-automated WIPS
2006/7: Usability, Scalability, Availability
Further milestones shown through 2010: World’s first SaaS WIPS; First 11n WIPS; Comprehensive WLAN, SIM/SEM integration; World’s first cloud Wi-Fi and security solution
20 patents granted/allowed, 20+ more pending
24. UDP Marker Packets (L3) – Example 2 (diagram)
Elements shown: UDP packet containing signature; SGE Server; LAN with VLAN 1 and VLAN 2; NAT Rogue AP.
25. How does CAM table lookup work? (diagram: Client, Network Connected Bridge AP (AP1), WIPS Sensor, WIPS Server, Network Switches)
1 – Client connects through the AP; the client MAC gets into the switch CAM table.
2 – Sensor sees the client on wireless and reports its connection to the AP.
3 – Server polls the CAM tables; the AP is marked as wired to the monitored network.
26. Performance Comparison Summary
Criteria | Marker Packets | MAC Correlation
1. False negative on NAT APs | Never | Often
2. False positive on neighbor AP | Never | Often
3. Latency of detection | Low (few minutes) | High (tens of minutes)
4. Configuration, maintenance | Zero | High
5. Scalability | Infinite | Poor
6. Manual intervention for classification | None | Extensive
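The two wired-connectivity tests compared in the table above, as an added example that is not part of the original deck or AirTight's code: a toy CAM-table correlation beside a toy marker-packet check, run over constructed data so that the NAT-AP false negative of the first and the content-based detection of the second can be seen side by side. The marker "signature" as an HMAC over a VLAN tag and nonce, the shared key, and all MACs and captures are assumptions.

```python
"""Toy model of the two rogue-AP wired-connectivity tests compared on the slides.
Constructed sample data and an assumed design, not AirTight's implementation:
the marker "signature" is modelled as an HMAC over a VLAN tag and nonce, and a
NAT AP is modelled as one whose clients' MACs never reach the wired side.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumed shared secret, WIPS server <-> sensors

# Constructed CAM tables as polled from the switches: switch -> {mac: vlan}
CAM_TABLES = {
    "sw1": {"aa:bb:cc:00:00:01": 1,    # client of bridging AP1, MAC forwarded unchanged
            "de:ad:be:ef:00:01": 2},   # the NAT AP's own wired MAC, not its client's
}

# Constructed sensor reports: client MAC seen associated to an AP (step 2 of the CAM slide)
AIR_ASSOCIATIONS = [
    {"client": "aa:bb:cc:00:00:01", "bssid": "AP1-bridge"},
    {"client": "aa:bb:cc:00:00:02", "bssid": "AP2-nat"},        # MAC hidden behind NAT
    {"client": "aa:bb:cc:00:00:03", "bssid": "AP3-neighbour"},  # not on our wire at all
]

def cam_correlate(associations, cam_tables):
    """Step 3 of the CAM slide: an AP is marked wired if a client seen on it over
    the air also has its MAC in a polled CAM table. A NAT AP is missed."""
    wired_macs = {mac for table in cam_tables.values() for mac in table}
    return {a["bssid"] for a in associations if a["client"] in wired_macs}

def make_marker(vlan):
    """Server side: UDP payload = vlan(2) || nonce(8) || HMAC-SHA256(key, vlan||nonce)."""
    body = vlan.to_bytes(2, "big") + secrets.token_bytes(8)
    return body + hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def check_marker(payload):
    """Sensor side: the VLAN a genuine marker was injected on, or None for any
    other UDP payload seen in the air (wrong length, forged or unrelated)."""
    if len(payload) != 2 + 8 + 32:
        return None
    body, tag = payload[:10], payload[10:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return int.from_bytes(body[:2], "big") if hmac.compare_digest(tag, expected) else None

def marker_detect(air_frames):
    """An AP that emits a valid marker over the air is wired to that VLAN, NAT or
    not, because the test keys on packet content rather than on a MAC address."""
    found = {}
    for bssid, payload in air_frames:
        vlan = check_marker(payload)
        if vlan is not None:
            found[bssid] = vlan
    return found

def demo():
    # Constructed over-the-air captures: AP1 and AP2 forward the injected markers,
    # the neighbour AP emits an unrelated UDP payload of the same length.
    frames = [("AP1-bridge", make_marker(1)), ("AP2-nat", make_marker(2)),
              ("AP3-neighbour", b"\x00\x02" + bytes(40))]
    return cam_correlate(AIR_ASSOCIATIONS, CAM_TABLES), marker_detect(frames)

if __name__ == "__main__":
    by_cam, by_marker = demo()
    print("CAM correlation:", sorted(by_cam), "| marker packets:", by_marker)
```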
29. Smart devices in everyone’s pocket – US Smart phone and Tablet Projections
2010 Smartphones: 67 M
2011 Smartphones: 95 M
2011 Smartphones + Tablets: 140 M
Source: http://www.eweek.com/c/a/Mobile-and-Wireless/Smartphones-Not-Tablets-Top-Consumer-Shopping-Lists-Gartner-127190/
39. Monitoring unapproved use with AirTight WIPS
Define White List Criteria → Detect Violation → Analyze Violation → Respond
Patented wireless client classification and policy enforcement platform in AirTight WIPS.
43. For more information, please visit www.airtightnetworks.com and blog.airtightnetworks.com. Thank You. [email_address]
Editor's Notes
You are not quite ready. Unaware of WiFi security risks, you can be caught off guard before you realize it. And all investments in IT security infrastructure come to naught as WiFi opens a backdoor into your enterprise infrastructure. Some examples:
Government and industry standards have existed mandating WIDS / WIPS for wired and wireless corporate environments, such as DISA and the PCI DSS Wireless Guidelines. There are other government guidelines, such as those of the Ministry of Home Affairs, Govt. of India, and others that mandate the use of WIPS to block malicious use of WiFi. Note that WIPS is needed whether or not WiFi is deployed, because a rogue AP can show up anywhere. Similarly, a user with a corporate laptop (most of which have WiFi today) can connect to external WiFi or create an ad-hoc connection and compromise both their own security and that of the enterprise network.
06/29/11
That is precisely why Gartner has ranked WLAN attacks as most severe and as the ones needing the most immediate attention!
No WiFi so no security: This is the first barrier to getting WiFi security accepted. It is like saying, “I don’t have chest pain and hence I am not vulnerable.” The slide “Layered Approach to WiFi Security” illustrates scenarios in which WiFi threats exist in spite of these conditions. Secure WiFi: Competition. All WiFi vendors downplay the need for overlay security and convince an uninitiated customer that proper encryption and authentication is best practice (which it is) and that they have built-in WIPS for rogue APs. Significant threats are left out. Smart phones have added to the security concern. Mobile Device Management is being considered by many enterprises. Our sensors help block an unapproved device, block tethering and provide the first level of security hygiene for these devices as they use WiFi for connectivity.
Key Take Questions
Rogue APs on your network can open your network to outsiders. Many network administrators think that shutting down ports, locking ports and using 802.1x can eliminate this threat. Consider a corporate user who has turned his Windows 7 laptop into an AP, or someone who has inserted a USB-stick-like AP into his / her computer and bridged the wired and wireless interfaces. Rogue APs do not just mean plugging an AP into an Ethernet jack; it is a lot more sophisticated than that.
Enterprise users can connect to external APs that can hijack the laptop and with it enterprise data. Many IT admins think a NAC solution is the answer. NAC cannot prevent a corporate user who is on the premises but has disconnected the wired side from wandering wirelessly to neighbouring devices. And remember, the neighbouring device is not just your harmless, benign neighbour; it can be a hacker parked just outside the building snooping on you.
WiFishing is easy. Employees having WiFi at home will bring the laptop to the office. The laptop will look for the home connection while in the office. A smart hacker will provide the handshake and get hold of the laptop.
Ad-hoc peer-to-peer connections can be tapped easily; these are mostly unencrypted. IT admins have limited knowledge of WiFi and think ad-hoc is only between two laptops. Think of the following: someone downloading files from laptops to an iPhone, or connecting to a WiFi-enabled printer or projector in ad-hoc mode.
In a real-life wireless vulnerability assessment carried out by AirTight for a global multinational, it found 52 unauthorized wireless users connected to enterprise wireless, 18 employees connected to vulnerable WiFi, 23 ad-hoc connections, 7 victims of honeypot attacks, 5 open connections and 2 rogue APs. Rogue APs and iPhones, iPads are routinely found connected to wireless printers and laptops using peer-to-peer unsecured ad-hoc connections.
AirTight SpectraGuard technology identifies unmanaged devices on enterprise networks as well as external devices, blocks all unauthorized connections (RED) while allowing authorized users to connect to enterprise APs, and does not disturb external connections that are merely visible in the enterprise space.
Key points to note:
1. Rogue access point: An access point that is connected to the wired corporate network but is NOT in compliance with the authorized corporate WLAN set-up defined for specific VLAN(s) or subnets is a rogue access point on those VLAN(s) or subnets.
2. Authorized access point: An access point that is connected to the wired corporate network and IS IN compliance with the authorized corporate WLAN set-up defined for specific VLAN(s) or subnets is a potentially authorised access point on those VLAN(s) or subnets. A GUEST access point is a specific case of an authorised AP; typically these APs provide internet connectivity and are separated from corporate VLANs.
3. Misconfigured access point: An access point that is connected to the wired corporate network, is recognised as an authorised access point for specific VLAN(s) or subnets, but is now NOT in compliance with the authorized corporate WLAN set-up defined for those VLAN(s) or subnets is a misconfigured access point on those VLAN(s) or subnets.
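The three definitions above (plus External from the classification slide), as an added example that is not the product's code: a per-VLAN classifier run over constructed observations, including an AP that carries the right corporate profile but sits on the wrong VLAN. The AUTHORIZED_SETUP shape (SSID plus security mode per VLAN) and the BSSIDs are assumptions.

```python
"""Per-VLAN access point classifier following the three definitions in the
notes (rogue, authorized including guest, misconfigured) plus 'external' from
the classification slide. Constructed data and an assumed policy format,
not AirTight's code or schema."""
from dataclasses import dataclass

# Assumed shape of the "authorized corporate WLAN set up" per VLAN: the SSID and
# security mode an AP on that VLAN must advertise to be in compliance there.
AUTHORIZED_SETUP = {
    10: {"ssid": "CORP", "security": "WPA2-Enterprise"},
    20: {"ssid": "CORP", "security": "WPA2-Enterprise"},
    99: {"ssid": "GUEST", "security": "Open", "guest": True},  # internet-only guest VLAN
}

@dataclass
class ObservedAP:
    bssid: str
    ssid: str                                     # as seen over the air
    security: str
    wired_vlans: frozenset = frozenset()          # empty: not found on the wired side
    previously_authorized_on: frozenset = frozenset()

def in_compliance(ap, vlan):
    setup = AUTHORIZED_SETUP.get(vlan)
    return (setup is not None and ap.ssid == setup["ssid"]
            and ap.security == setup["security"])

def classify(ap):
    """Return {vlan: class} for each wired VLAN the AP sits on; an AP that is
    only visible in the air is External and gets {"air": "External"}."""
    if not ap.wired_vlans:
        return {"air": "External"}
    result = {}
    for vlan in sorted(ap.wired_vlans):
        if in_compliance(ap, vlan):
            result[vlan] = "Guest" if AUTHORIZED_SETUP[vlan].get("guest") else "Authorized"
        elif vlan in ap.previously_authorized_on:
            result[vlan] = "Misconfigured"    # was authorized here, now out of compliance
        else:
            result[vlan] = "Rogue"
    return result

# Constructed observations (BSSIDs are made up)
SAMPLE_APS = [
    ObservedAP("00:11:22:33:44:01", "CORP", "WPA2-Enterprise", frozenset({10, 20})),
    ObservedAP("00:11:22:33:44:02", "GUEST", "Open", frozenset({99})),
    ObservedAP("00:11:22:33:44:03", "CORP", "WEP", frozenset({10}), frozenset({10})),  # downgraded
    ObservedAP("00:11:22:33:44:04", "linksys", "Open", frozenset({20})),   # plugged into corp VLAN
    ObservedAP("00:11:22:33:44:05", "CORP", "WPA2-Enterprise", frozenset({99})),  # right profile, wrong VLAN
    ObservedAP("00:11:22:33:44:06", "CoffeeShop", "Open"),   # only visible in the air
]

def classify_all(aps=SAMPLE_APS):
    return {ap.bssid: classify(ap) for ap in aps}
```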
The SpectraGuard system of wireless security sensors is an overlay over WiFi access points and is WiFi vendor neutral, as depicted. SAFE protects wireless users when they are mobile and hence outside the surveillance of SpectraGuard sensors.
Four reasons organizations acquire AirTight SpectraGuard technology. No WiFi is often the policy at government organizations, defence and security-sensitive enterprises. Organizations with a No WiFi policy still have people with WiFi-enabled laptops and smart devices such as phones, and unmanaged APs can be plugged in at any time by anyone. The system will simply not allow any WiFi connection from corporate users and will quarantine any AP on the network. Secure WiFi is adopted by companies that have WiFi and have put proper encryption on it but want comprehensive protection against WiFi threats; threats such as rogue APs, users connecting to external un-trusted APs and ad-hoc connections cannot be prevented without a WIPS. Many organizations have multiple policies in operation, for example No WiFi in select locations such as data centers but WiFi elsewhere; SpectraGuard will help enforce multiple policies at the same time. Among the compliance regimes, the PCI DSS v1.2 Wireless Guideline is the most potent driver for wireless IPS: it mandates quarterly scanning and / or deployment of WIPS, and in fact for a large user base it strongly recommends WIPS. Many defence and sensitive organizations would like to capture and analyse wireless activities in and around their air space; police, military and sensitive government offices often have this requirement.
All geographies, all verticals, major companies. Global deployment for many – example: TI, TCS, Conexant, WL Gore.
Major chains – retail and hospitality.
AirTight is the only vendor to have been given the highest rating in all Gartner MarketScope documents. Secondly, Gartner now endorses the notion of a WiFi vendor-agnostic wireless security overlay system, and AirTight is the only vendor in the market that offers overlay WiFi security. Gartner also compliments AirTight for zero false alarms, ease of use and ease of deployment. This is enabled by the active packet injection technology developed and patented by AirTight.
WIPS is today a $xxx market – Gartner’s forecast
Today smart phones, notebook computers, wireless printers, overhead projectors and cameras are being enabled with WiFi. These devices are flooding the corporate environment. ‘Bring Your Own Device’ is getting popular, whereby organizations encourage employees to use their personal tablet and smart phone at work. The following WiFi connections are often observed these days in the corporate environment: smart phone to laptop for data transfer; smart phone or laptop to wireless printers or projectors. These are peer-to-peer ad-hoc connections and are mostly unencrypted.
We offer smart device monitoring and threat remediation in addition to all other WiFi threats
WiFi-enabled smart devices are growing at a phenomenal rate in corporate environments. Except for company-issued BlackBerry devices, these are typically personal smart phones or tablets, not known, supported or managed by the IT administration. Unless client-side certificates are used, any device with WiFi can be used to access corporate data through corporate WiFi as long as the user name and password are correct. So an employee who has access to corporate WiFi using WPA2 and 802.1x based authentication can use the same credentials to connect to the corporate network from her iPhone, Android phone, iPad, what have you. Now corporate data (presentations, spreadsheets, text documents, contact details) can be copied and downloaded to personal devices, not with malicious intent but for convenience and ease of use. Three security issues:
Loss of such a device means corporate data is gone with it.
A personal device may have malware, as it is not administered by corporate IT.
Tethering by smart phones that have two wireless interfaces can be used to transport enterprise data out of the enterprise without going through the firewall; bridging network interfaces, wired to wireless, is another way the same can happen.
The biggest worry is that corporate IT administration is often unaware of these threat scenarios and hence does not plan proper defence mechanisms.
Employees have credentials to connect to the enterprise network (user name / password). However, enterprise security cannot differentiate whether an employee is connecting from her corporate laptop or from a personal iPhone. So the iPhone is connected to the enterprise network and corporate information gets transferred to this unknown, unmanaged device owned by a trusted employee. The enterprise security risks due to smart devices are of three types: the risk of lost or stolen devices (apparent to all), the risk of various types of malware on these devices, and finally tethering and honeypots.
1. Lost devices: Smart phones have a small form factor and are portable. If people carry smart phones onto enterprise networks, download enterprise data and lose these devices, enterprise data has leaked.
2. Risk of malware or compromised devices: An iPhone can be jailbroken; there are tools and websites which allow you to do it pretty easily. Similarly, Android is open source and hence people find a back door into the device, like ‘rooting’ in Android. You get access to root and can then do anything.
3. Tethering and honeypots: Smart phones have two simultaneous wireless interfaces open (WiFi and cellular). WiFi is connected to the trusted WiFi and cellular is connected to the un-trusted cellular network. Bridging between these means the trusted corporate network is bridged to an un-trusted external network, bypassing your firewall. In the case of honeypots, we know an Android phone can be converted to an AndroidAP in 2 clicks; it will be on the network through a trusted interface. And for a jailbroken iPhone there is a utility called My Y -- M-Y-Y -- to achieve the same kind of thing. So basically what happens here is that the phone acts like an AP on the WiFi side and then uses its 3G link to forward traffic to the cloud. Personal honeypots create the possibility that your legitimate devices connect to them and go to the cloud, bypassing the enterprise firewall.
Smartphones can camouflage an access point. For example, one can convert an Android phone into an access point. Imagine a phone connected by its USB cable to a desktop computer. People may think you are syncing the phone to the Outlook address book, charging it, etc. In reality, this phone may be functioning as an AP, connected to the enterprise network using the wired connection of the computer it is attached to. An outsider connects to the enterprise network through this Android phone, which is now a rogue AP. You can do the same with the Connectify WiFi utility on a Win 7 laptop, or a Windy 31 USB stick connected to any Windows machine. The issue is the same when someone uses an iPad or other PDAs like Samsung and others that are in the market; it is just a different utility that converts the device into an AP. Another major issue with smart phones is that a corporate user can enter a valid user name and password to access corporate WiFi from an unapproved WiFi phone and download corporate data. This device can get lost, can have malware and can provide a back door entry to / exit from the enterprise. Current enterprise security infrastructure and best practices cannot stop this.
Bridging / Tethering: A smart phone is connected to the corporate network via a corporate AP. Now the smart phone is also connected to cellular wireless, and these are bridged. The data through this bridge exits to the external world via the 3G connection, BYPASSING corporate firewalls. Personal Hotspot: An external un-trusted user accesses the corporate network through the smart phone. You can create a WiFi hotspot on an Android phone; this is a built-in feature called Mobile AP. And for a jailbroken iPhone there is a utility called My Y -- M-Y-Y -- to achieve the same. Now the phone acts as an AP on the WiFi side and then uses the 3G link to forward traffic to the cloud. There is then a possibility that your legitimate corporate laptops connect to the personal hotspot and go to the cloud, bypassing the corporate firewall.
Game plan for smart devices: (1) Be a dictator and BAN these devices. (2) Selectively allow a few, or white list, or, put more bluntly, play favouritism. (3) Use some form of MDM. None of these approaches solves the problem. All 3 approaches are kinds of white-listing: a ban means the white list is NULL, and MDM is also a white list, since devices with MDM are the white list.
If a new device pops up and tries to connect, how do we monitor it? It is still possible for an employee to bring an unapproved device and connect.
Put in the user name and password for the desired network: 802.1x with PEAP presents a user name / password prompt. The employee has only to enter the user name and password and the device is connected; there is no barrier. WiFi presents zero barrier for an unapproved employee-owned smart device to connect. Using client-side certificates can stop specific devices from connecting. However, it requires more work and many enterprises do not use client-side certificates. A wireless intrusion prevention system with sensors is a much easier solution that will not only solve this problem but all other wireless security threats as well.
A user can use all three to connect to the corporate network. What you want: laptop yes, BB yes, but iPhone: NO. Current access control mechanisms cannot classify the type of end-user device – whether it’s a laptop, a BB or an iPhone.
People often mention MAC address based filtering, either a ban list or a white list. However, access control in WiFi has moved away from Access Control Lists or MAC lists (ACLs) to a higher level, and for good reasons: ACL management is tedious. You need higher-level policy definition, as the above examples show. Such a policy should be easier to manage and must be flexible, intuitive and incremental. An example of an incremental policy. Current policy: BB is allowed but no iPhone and no Android phone. Incremental policy: BB is allowed; no iPhone except on the Executive Floor and in the Board Room, and only for today.
Definition of smart device policy needs to be at a higher level than ACL-based filtering. Smart phone policy examples:
Don’t allow any smart device.
Permit BB but don’t allow iPhones.
MDM: Don’t allow any unmanaged devices.
White areas: Allow smart devices in Executive areas but not anywhere else.
Means are needed to enforce these and detect violations. Example: an employee is outside the white list; detect the violation, drill down and analyze, then respond. Selectively allow access to various network pieces.
Takeaway: Policy – allow based on criteria and not a list; flexible, easy to implement and incremental. Visibility into intrusions – what type of device, who is the user, which AP, what location etc. Block if needed.
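The criteria-based policy described in the preceding notes, as an added example that is not AirTight's policy engine: the incremental rule (BB allowed; iPhone only on the Executive Floor and in the Board Room, and only for today) evaluated against constructed client observations, producing violation records with the visibility fields listed in the takeaway. The rule shape, user names and AP names are assumptions; the date is the one stamped on the slides.

```python
"""Criteria-based smart device policy as described in the notes, in place of a
MAC list: rules match on device type, location and a validity date, and a client
matched by no rule becomes a violation record carrying the visibility fields
from the takeaway (device type, user, AP, location). Constructed rules and
observations in an assumed rule shape, not AirTight's policy format."""
from datetime import date

TODAY = date(2011, 6, 29)   # the date stamped on the slides

# Incremental policy from the notes: BB allowed everywhere; iPhone only on the
# Executive Floor and in the Board Room, and only for today. Anything else denied.
POLICY = [
    {"device_type": "BlackBerry"},
    {"device_type": "iPhone", "locations": {"Executive Floor", "Board Room"},
     "valid_until": TODAY},
]

def rule_allows(rule, client, today):
    """A rule allows a client only if every criterion it carries is met."""
    if rule["device_type"] != client["device_type"]:
        return False
    if "locations" in rule and client["location"] not in rule["locations"]:
        return False
    if "valid_until" in rule and today > rule["valid_until"]:
        return False
    return True

def evaluate(client, policy=POLICY, today=TODAY):
    """None when some rule allows the client; otherwise a violation record an
    analyst can drill into before deciding whether to block."""
    if any(rule_allows(rule, client, today) for rule in policy):
        return None
    return {"violation": "unapproved smart device",
            "device_type": client["device_type"], "user": client["user"],
            "ap": client["ap"], "location": client["location"]}

# Constructed WIPS client observations; device_type is what the sensor classified
OBSERVED = [
    {"user": "alice", "device_type": "BlackBerry", "ap": "AP-3F-01", "location": "3rd Floor"},
    {"user": "bob", "device_type": "iPhone", "ap": "AP-EXEC-02", "location": "Executive Floor"},
    {"user": "carol", "device_type": "iPhone", "ap": "AP-3F-01", "location": "3rd Floor"},
    {"user": "dave", "device_type": "Android", "ap": "AP-EXEC-02", "location": "Board Room"},
]

def violations(observed=OBSERVED, today=TODAY):
    """The detect step: every observed client the policy does not allow."""
    return [v for v in (evaluate(c, today=today) for c in observed) if v]
```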