Best Practices for Wireless LAN Security & Operational Support
AirDefense
Market Leader in Enabling Risk-Free Wireless LANs
Wireless Monitoring & Intrusion Protection
"Put Wireless LAN Security Monitoring in your budget." - Gartner
COPYRIGHT © 2003 – 2004 AIRDEFENSE, INC. ALL RIGHTS RESERVED.
www.airdefense.net
About AirDefense
WHAT WE DO
OUR TECHNOLOGY
 Proactive 24 x 7 Monitoring of Enterprise
Airwaves against Rogues, Intruders,
Hackers, Interference & Network Abuses
 Ensures Regulatory & Enterprise Policy
Compliance
 Any Vendor, Any Protocol, Any Device
 Enterprise Class Distributed Monitoring
Architecture – 13 Patents Pending
 Wireless Intrusion Detection &
Protection System with Multiple
Correlation & Analysis Engines
CUSTOMER PROFILE
 250+ Govt. Organizations & Blue-Chip
Enterprises (over 80% market share)
 Proven solution monitoring:
 Tens of thousands of Access Points
 Hundreds of thousands of Devices
BENEFITS
 Control over air space
 Auto-Discovery of all Wireless
Assets & Threats
 Risk-free Wireless Deployments
Copyright © 2002 – 2004 AirDefense Proprietary and Confidential.
Wireless LAN Risks:
Hype or Reality
Understanding SSID & MAC Address
 SSID helps stations find APs around
- Service Set Identifier of the AP, up to 32 bytes; it is a network name, not a unique identifier, and any AP can advertise any SSID
- Like your company name on the building
- Sent in beacons, and in the probe response when the AP receives a probe request from a station (a "hidden" SSID is only left out of beacons)
- Can be seen in the air
 MAC Address
- To deliver traffic, a unique identifier must be available for each device – the Media Access Control (MAC) address
- Example: 00-04-5a-03-3c-0f
  OUI (Organizationally Unique Identifier, first 3 octets): 00-04-5a
  Serial number (assigned by the vendor, last 3 octets): 03-3c-0f
- The OUI tells you who made the card, which is useful for spotting hardware that should not be there, but a MAC address is set in software and is trivially spoofed, so it identifies a device only until someone decides otherwise
Vendor            OUI
Cisco (Aironet)   00-40-96
Agere (Orinoco)   00-02-2D
Nokia             00-e0-03
Linksys           00-04-5a
Understanding Probes & Beacons
PROBES:
 A station sends a probe request frame when it needs to obtain information from another station (for example, to determine which access points are within range). A probe request either names a specific SSID or carries a zero-length "wildcard" SSID; a station that probes for its remembered networks announces those network names to anyone listening.
BEACONS:
 The access point (AP) periodically sends a beacon frame to announce its presence and relay information such as timestamp, SSID, beacon interval, capability bits (including whether encryption is required) and other parameters regarding the access point.
(Figure: the user station sends probes to, and receives beacons from, the access point.)
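As an added example (it is not from the original deck and not AirDefense code), the following Python decodes the frames the last two slides describe: it splits a MAC address into OUI and serial number using the vendor OUI table from the SSID & MAC Address slide, reads the two flag bits of the first octet, parses a beacon or probe request down to its SSID element and capability bits, and lists the checks a monitoring sensor would raise on it. The frames are constructed inside the block from made-up addresses rather than captured traffic, and the `build_mgmt` helper is hypothetical, present only to produce that test input.

```python
import struct

# Vendor table copied from the slide (constructed lookup; the Aironet/Cisco OUI is 00-40-96).
OUI_VENDORS = {
    "00:40:96": "Cisco (Aironet)",
    "00:02:2d": "Agere (Orinoco)",
    "00:e0:03": "Nokia",
    "00:04:5a": "Linksys",
}
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}


def mac_info(mac):
    """Split 00-04-5a-03-3c-0f / 00:04:5a:03:3c:0f / 0004.5a03.3c0f into OUI and serial
    and decode the two flag bits of the first octet."""
    try:
        octets = bytes.fromhex(mac.lower().replace("-", "").replace(":", "").replace(".", ""))
    except ValueError:
        raise ValueError(f"not a MAC address: {mac!r}") from None
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    oui = ":".join(f"{o:02x}" for o in octets[:3])
    return {
        "oui": oui,
        "serial": ":".join(f"{o:02x}" for o in octets[3:]),
        "vendor": OUI_VENDORS.get(oui, "unknown"),
        "locally_administered": bool(octets[0] & 0x02),  # set on most software-overridden MACs
        "multicast": bool(octets[0] & 0x01),             # group address, never a legitimate sender
    }


def parse_ies(body):
    """Walk the tagged parameters (element ID, length, value) that follow the fixed fields."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")  # malformed or hostile frame
        ies[tag] = value
        off += 2 + length
    return ies


def parse_mgmt(frame):
    """Decode the 24-byte management header and the beacon / probe body into a record."""
    if len(frame) < 24:
        raise ValueError("shorter than a management header")
    if (frame[0] >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = frame[0] >> 4
    if subtype not in SUBTYPES:
        raise ValueError(f"unsupported management subtype {subtype}")
    src = ":".join(f"{b:02x}" for b in frame[10:16])    # Address 2: transmitter
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # Address 3: BSSID
    body, privacy, ibss = frame[24:], None, None
    if subtype in (5, 8):  # beacon and probe response start with timestamp, interval, capability
        if len(body) < 12:
            raise ValueError("beacon body too short")
        cap = struct.unpack_from("<H", body, 10)[0]
        privacy = bool(cap & 0x0010)  # encryption required (WEP, or WPA/RSN if an element says so)
        ibss = bool(cap & 0x0002)     # ad hoc (IBSS) network rather than an infrastructure AP
        body = body[12:]
    ies = parse_ies(body)
    if 0 in ies and len(ies[0]) > 32:
        raise ValueError("SSID element longer than the 32-byte maximum")
    ssid = ies[0].decode("utf-8", "replace") if 0 in ies else None  # "" = hidden / wildcard
    return {"subtype": SUBTYPES[subtype], "src": src, "bssid": bssid,
            "ssid": ssid, "privacy": privacy, "ibss": ibss, "ies": ies}


def findings(rec):
    """The checks a monitoring sensor would raise on one decoded frame."""
    out = []
    info = mac_info(rec["src"] if rec["subtype"] == "probe-request" else rec["bssid"])
    if rec["subtype"] == "beacon":
        if not rec["privacy"]:
            out.append("open network: no encryption required")
        if rec["ibss"]:
            out.append("ad hoc (IBSS) network advertised")
        if rec["ssid"] == "":
            out.append("hidden SSID (zero-length SSID element)")
        if info["vendor"] == "unknown":
            out.append(f"BSSID OUI {info['oui']} not in vendor table")
    elif rec["subtype"] == "probe-request" and rec["ssid"]:
        out.append(f"station {rec['src']} probing for SSID {rec['ssid']!r}")
    if info["locally_administered"]:
        out.append("locally administered MAC (possible spoof)")
    return out


def build_mgmt(subtype, src, bssid, ssid=None, privacy=False, ibss=False):
    """Assemble a minimal frame of the given subtype. Hypothetical helper for constructed input."""
    header = (bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6        # frame control, duration, DA
              + bytes.fromhex(src.replace(":", "")) + bytes.fromhex(bssid.replace(":", ""))
              + b"\x00\x00")                                                # sequence control
    body = b""
    if subtype in (5, 8):
        cap = (0x0002 if ibss else 0x0001) | (0x0010 if privacy else 0)
        body += struct.pack("<QHH", 0, 100, cap)  # timestamp, beacon interval, capability
    if ssid is not None:
        body += bytes([0, len(ssid)]) + ssid.encode()
    return header + body + bytes([1, 1, 0x82])    # Supported Rates: 1 Mbit/s basic


if __name__ == "__main__":
    for frame in (build_mgmt(8, "00:04:5a:03:3c:0f", "00:04:5a:03:3c:0f", ssid="corp"),
                  build_mgmt(4, "00:02:2d:aa:bb:cc", "ff:ff:ff:ff:ff:ff", ssid="corp")):
        rec = parse_mgmt(frame)
        print(rec["subtype"], rec["src"], rec["ssid"], findings(rec))
```

The parser rejects a truncated element and an over-long SSID instead of silently reading past the buffer; a sensor that listens to everything in the air must assume some frames are built to break it. Note that a probe request has no capability field, so `privacy` is `None` there rather than `False`.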
Problem: Uncontrolled Medium
Wireless LAN is extension of Wired LAN
 With a single access point, walls come tumbling down
(Figure: wired LAN, where the walls of the facility provide a solid line of defense against intruders, vs. wireless LAN, where Ethernet now extends to the parking lot and the intruder sits outside with a clear path to the servers.)
RF in the AIR is uncontrolled…
AIR: Self-Deploying & Transient Networks
(Figure: corporate network with access points in the conference room and the shipping department, a neighbor's AP next door ("Accidental Association"), an ad hoc network between user stations, and an attacker's AP in the parking lot ("Malicious Association").)
1. User Station transmits PROBES
2. APs transmit BEACONS
3. User Station connects to BEST ACCESS POINT (the client's choice, usually the strongest signal, not the one we sanctioned)
We Don't Control who we connect to…
Easier to Attack: Growing Security Threats
 New & Easier Attack Tools
 Increasing Sophistication of Attacks
(Figure: attack sophistication rising from low in 1980 to high in 2005 while the knowledge required by the intruder falls; WiGLE.net marked at the current end of the curve.)
New & Easier Tools make it very easy to attack the Network
WLAN – Real World Risks
46% Of Companies Have Been Victim Of A Security Breach - PwC
61% Of Attacks Were From Hackers
10% Of Attacks Were From Former Employees/Contractors
83% Of Companies Reported A Monetary Loss
Downtime Averaged 1.33 Days Per Employee

WLAN Facts: Top 8
Companies That Found A Rogue Device                 90%
Found Devices With No Security                      80%
Companies That Have Deployed Insecure WLANs         60%
Average Cost Of Loss Per Attack (US Study)          $416K
Average Cost Of Loss Per Attack (UK Study)          $220K
Avg. # Of Serious Attacks Per Month                 100
Current Growth Of Access Points                     2M/Qtr
Current Growth Of Stations                          10M/Qtr
Best Practices for Wireless LAN Security & Monitoring
Layered Approach to Security: Control the Uncontrollable
Gartner on WLAN Security Risks
3 "Must Have" WLAN Security controls (Gartner, July 31, 2003):
 Install a centrally managed personal firewall on laptops that are issued wireless NICs
 Perform wireless intrusion detection to discover rogue access points, foreign devices connecting to corporate access points, and accidental associations to nearby access points in use by other companies.
 Turn on some form of encryption and authentication for supported WLAN use.
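The three detection goals in Gartner's second point (rogue access points, foreign devices on corporate APs, accidental associations elsewhere), together with the probe/beacon/associate sequence on the "Self-Deploying & Transient Networks" slide, are what a monitoring correlation engine turns into rules. The block below is an added example, not AirDefense's engine: it runs a small rule set over a constructed sensor log (one observed frame per line, made-up addresses) against a constructed policy of sanctioned BSSIDs, corporate SSIDs and corporate station MACs. The rule for a sanctioned AP advertising the wrong SSID also covers an approved AP that has come back up with a default configuration.

```python
import csv
from io import StringIO

# Policy the sensor is configured with (constructed for this example).
SANCTIONED_APS = {"00:40:96:10:00:01": "corp", "00:40:96:10:00:02": "corp"}  # BSSID -> assigned SSID
CORP_SSIDS = {"corp"}
CORP_STATIONS = {"00:02:2d:aa:00:01", "00:02:2d:aa:00:02", "00:04:5a:03:3c:0f"}

# Constructed sensor log, one observed frame per line (made-up addresses, not a capture).
SENSOR_LOG = """\
ts,kind,station,bssid,ssid,ibss
1,beacon,00:40:96:10:00:01,00:40:96:10:00:01,corp,0
2,beacon,00:04:5a:99:99:99,00:04:5a:99:99:99,corp,0
3,beacon,00:e0:03:55:55:55,00:e0:03:55:55:55,neighbor-a,0
4,probe-request,00:02:2d:aa:00:01,ff:ff:ff:ff:ff:ff,home-wifi,0
5,association,00:02:2d:aa:00:01,00:e0:03:55:55:55,neighbor-a,0
6,association,00:02:2d:aa:00:02,00:40:96:10:00:01,corp,0
7,association,00:02:2d:de:ad:01,00:40:96:10:00:02,corp,0
8,beacon,00:04:5a:03:3c:0f,02:04:5a:03:3c:0f,adhoc-share,1
9,beacon,00:40:96:10:00:02,00:40:96:10:00:02,linksys,0
"""


def analyze(log_text):
    """Apply the rules to each record; returns (ts, severity, message) tuples in log order."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        ts, kind, sta = int(row["ts"]), row["kind"], row["station"]
        bssid, ssid, ibss = row["bssid"], row["ssid"], row["ibss"] == "1"
        if kind == "beacon":
            if ibss:  # a station running its own ad hoc network
                who = "corporate station" if sta in CORP_STATIONS else "unknown device"
                alerts.append((ts, "high", f"ad hoc network {ssid!r} from {who} {sta}"))
            elif bssid not in SANCTIONED_APS and ssid in CORP_SSIDS:  # rogue using our name
                alerts.append((ts, "high", f"unsanctioned AP {bssid} advertising corporate SSID {ssid!r}"))
            elif bssid not in SANCTIONED_APS:  # neighbor: not ours, but our stations may still join it
                alerts.append((ts, "info", f"non-corporate AP {bssid} ({ssid!r}) in range"))
            elif SANCTIONED_APS[bssid] != ssid:  # approved AP off its configuration (e.g. reset to defaults)
                alerts.append((ts, "medium", f"sanctioned AP {bssid} advertising {ssid!r} "
                                             f"instead of {SANCTIONED_APS[bssid]!r}"))
        elif kind == "probe-request":
            if sta in CORP_STATIONS and ssid and ssid not in CORP_SSIDS:  # preferred-network leak
                alerts.append((ts, "low", f"corporate station {sta} probing for foreign SSID {ssid!r}"))
        elif kind == "association":
            if sta in CORP_STATIONS and bssid not in SANCTIONED_APS:  # accidental or malicious association
                alerts.append((ts, "high", f"corporate station {sta} associated to non-sanctioned AP "
                                           f"{bssid} ({ssid!r})"))
            elif sta not in CORP_STATIONS and bssid in SANCTIONED_APS:  # foreign device on our AP
                alerts.append((ts, "medium", f"foreign device {sta} associated to corporate AP {bssid}"))
    return alerts


def severity_counts(alerts):
    """Roll the alert list up by severity, the view an operator looks at first."""
    counts = {}
    for _, sev, _ in alerts:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, sev, msg in analyze(SENSOR_LOG):
        print(f"t={ts} [{sev}] {msg}")
```

The policy tables are the part that needs care: every rule here is only as good as the asset list it is compared against, which is why the deck's summary puts "Assets" before "Relationships" and "Behavior". Rows 1 and 6 in the log are normal and produce nothing; every other row trips exactly one rule.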
Best Practices for Securing Enterprise WLANs
(Giga Research, a wholly owned subsidiary of Forrester Research, Inc.)
WLAN POLICY – securing the perimeter
 No WLANs: Monitor & root out rogue WLANs; lock down APs & user stations
 Sanctioned WLANs: Use strong encryption & authentication & authorization; monitor your air space
802.11 Security Standards
WEP: Wired Equivalent Privacy, the original wireless encryption standard developed by the IEEE 802.11 standards committee. Known to be broken: its static RC4 keys can be recovered from captured traffic.
802.1X: IEEE 802.1 standard for port-based network access control. It carries EAP between the client and the authenticator (switch or AP), which typically relays the exchange to a RADIUS server, and can be used in wireline and wireless networks alike.
LEAP: Lightweight Extensible Authentication Protocol, Cisco's proprietary EAP method that shares authentication data between Cisco WLAN access points and the Cisco Secure Access Control Server. Its MS-CHAP-style challenge/response is not wrapped in a TLS tunnel, so a captured exchange can be attacked offline with a dictionary.
TKIP: Temporal Key Integrity Protocol, developed by the IEEE 802.11i task group as an interim WEP improvement that still runs on existing RC4 hardware (per-packet keys plus a message integrity check).
TTLS: Tunneled Transport Layer Security (EAP-TTLS), developed by Funk Software and Certicom and at the time an IETF draft. An alternative to PEAP that likewise protects an inner authentication inside a TLS tunnel.
PEAP: Protected Extensible Authentication Protocol, developed by Microsoft, Cisco and RSA Security and at the time an IETF draft. PEAP encrypts the authentication data by tunneling an inner EAP method inside TLS; the client must validate the server certificate or the tunnel protects nothing.
WPA: Wi-Fi Protected Access, announced by the Wi-Fi Alliance to describe 802.1X with TKIP and the MIC. A subset of the 802.11i security standard (expected in Q4 '03 when this deck was written; 802.11i was ratified in June 2004).
802.11i: IEEE standards group effort that fixes the known weaknesses in WEP and in the way 802.1X was first applied to 802.11, and creates an umbrella standard for 802.11 security, including CCMP (AES) as the replacement cipher.
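Which of the standards above an AP actually offers is advertised in its beacon: the Privacy capability bit with no security element means WEP; a WPA vendor element (ID 221, OUI 00-50-f2 type 1) means pre-802.11i WPA; an RSN element (ID 48) means 802.11i/WPA2. Both elements carry the same layout of group cipher, pairwise cipher list and authentication (AKM) suite list. The following is an added example, not code from the deck or from AirDefense: it parses those element bodies and grades an AP against the "strong encryption & authentication" bar of the previous slide, read here as RSN, CCMP for every cipher, 802.1X for authentication and nothing weaker offered alongside. `build_security_element` is a hypothetical helper that only serializes constructed test input.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")   # suite selector OUI used by the 802.11i RSN element (ID 48)
WPA_OUI = bytes.fromhex("0050f2")   # suite selector OUI used by the WPA vendor element (ID 221)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def _count(data, off):
    """Read a 16-bit suite count, rejecting the absurd values a hostile frame could claim."""
    if len(data) < off + 2:
        raise ValueError("missing suite count")
    n = struct.unpack_from("<H", data, off)[0]
    if n == 0 or n > 16:
        raise ValueError(f"implausible suite count {n}")
    return n, off + 2


def _suites(data, off, n, names, oui):
    """Read n four-byte suite selectors (OUI + type) and name the ones we know."""
    out = []
    for _ in range(n):
        sel = data[off:off + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        out.append(names.get(sel[3], sel.hex()) if sel[:3] == oui else sel.hex())
        off += 4
    return out, off


def parse_security_element(body, oui):
    """Shared layout of the RSN body and the WPA body (after its 00-50-f2-01 header):
    version, group cipher, pairwise cipher list, AKM list, then optional capabilities."""
    if len(body) < 6:
        raise ValueError("security element too short")
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN/WPA version")
    (group,), off = _suites(body, 2, 1, CIPHERS, oui)
    n, off = _count(body, off)
    pairwise, off = _suites(body, off, n, CIPHERS, oui)
    n, off = _count(body, off)
    akm, off = _suites(body, off, n, AKMS, oui)
    return {"group": group, "pairwise": pairwise, "akm": akm}


def classify(privacy, rsn=None, wpa=None):
    """Name what a beacon advertises and grade it: RSN, CCMP only, 802.1X, nothing weaker offered.
    `privacy` is the capability bit; `rsn` / `wpa` are the raw element bodies or None."""
    findings, labels, rsn_ok = [], [], False
    if rsn is None and wpa is None:
        findings.append("static WEP: keys recoverable from captured traffic" if privacy
                        else "no encryption or authentication at all")
        return {"label": "WEP" if privacy else "open", "findings": findings, "meets_policy": False}
    for name, body, oui in (("WPA2", rsn, RSN_OUI), ("WPA", wpa, WPA_OUI)):
        if body is None:
            continue
        info = parse_security_element(body, oui)
        labels.append(f"{name}-{'/'.join(info['pairwise'])}-{'/'.join(info['akm'])}")
        legacy = sorted({c for c in [info["group"], *info["pairwise"]] if c != "CCMP"})
        if legacy:
            findings.append(f"{name}: legacy cipher(s) {legacy} still negotiable")
        if "PSK" in info["akm"]:
            findings.append(f"{name}: pre-shared key AKM, no per-user credentials or revocation")
        if name == "WPA2" and not legacy and info["akm"] == ["802.1X"]:
            rsn_ok = True
    if wpa is not None:
        findings.append("pre-802.11i WPA element still offered for legacy clients")
    if not privacy:
        findings.append("privacy bit clear although a security element is present")
    return {"label": " + ".join(labels), "findings": findings, "meets_policy": rsn_ok and not findings}


def build_security_element(group, pairwise, akms, oui=RSN_OUI):
    """Serialize a body in the layout above. Hypothetical helper for constructed test input only."""
    cipher_id = {v: k for k, v in CIPHERS.items()}
    akm_id = {v: k for k, v in AKMS.items()}
    body = struct.pack("<H", 1) + oui + bytes([cipher_id[group]])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([cipher_id[c]]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([akm_id[a]]) for a in akms)
    return body + struct.pack("<H", 0)   # RSN capabilities field, all clear


if __name__ == "__main__":
    for desc, args in (("open AP", (False,)),
                       ("WEP AP", (True,)),
                       ("WPA2-Enterprise", (True, build_security_element("CCMP", ["CCMP"], ["802.1X"]))),
                       ("mixed-mode PSK", (True, build_security_element("TKIP", ["CCMP", "TKIP"], ["PSK"])))):
        print(desc, classify(*args))
```

A "mixed mode" AP that lists CCMP next to TKIP fails the grade on purpose: the weakest suite advertised is the one a downgraded or misconfigured client will end up using, so the audit looks at everything offered, not the best option.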
AirDefense Solution: Plug & Protect
(Figure: wireless stations and access points, plus a rogue access point and a hacker, are observed by Smart Sensors that report to the central appliance; operators reach it through a remote secure browser.)
 Real-time Monitoring
 Multiple Correlation, Analysis & IDS Engines
 Integrated Reporting
 Centralized Management
 Smart Sensors scanning 802.11 a/b/g
 Selective processing, Encryption
Designed for Enterprise Scalability & Central Management
AirDefense Functionality
1. SECURITY
 Rogue Detection, Analysis & Mitigation
 Intrusion Detection System
 Forensics & Incident Analysis
 Active Defenses
2. COMPLIANCE
 Enterprise Policy Monitoring
 Regulatory Compliance: DoD, HIPAA, SOX, FDIC, OCC, GLBA
3. TROUBLESHOOTING
 Remote Troubleshooting
 Availability
 Network Usage & Performance
Experience: Fortune 500 Consumer Goods Company
(Figure: a centralized management console at the 11-story USA headquarters monitoring sites that include an airport, a 26-story atrium, 20-story and 3-story buildings, and offices in South Africa, Ireland, Japan, Hong Kong, Argentina, Mexico and Brazil.)
Customer Examples
Southeastern Hospital - Background
Main driver: point of care access to
computerized care systems at the bedside:
Recent contract with McKesson and Siemens for
wireless application deployment
Reduction of errors on medications and physician’s
orders
Reduction of paper in all medical records
Improved care through access to information at
point of diagnosis and treatment
Southeastern Hospital - Background
Physical plant was saturated with cable, no
room for real growth
Additional devices required additional
equipment in the closets
More personnel resources are needed to
support additional lines
Wireless access will speed up application
deployment
Southeastern Hospital
Issues With Rogue Devices
Columbus is saturated with wireless deployments
Local universities are moving to wireless deployments in
their classrooms
All students are now outfitted with laptops with WLAN
cards for their class work
Two largest competitors share a property line with
our campus
Fear of unauthorized access and HIPAA’s implications
Physicians and clinicians bringing in unauthorized
devices with wireless access cards
Southeastern Hospital
Rogue Incident #1 – Physician Unauthorized Access / Use
A new PACS system was installed in radiology
Contract radiologist connected a WLAN device to the viewing station
Was pulling images from other hospitals via this device to be manipulated by the 3-D imaging system
HIPAA concerns, ownership of data, patient confidentiality
Solution – identified the rogue device via AirDefense, removed the device, contract was terminated
Southeastern Hospital
Rogue Incident #2 – Vendor With Hacking Software
An unauthorized vendor came to sell to a department in the hospital
Obtained temporary access to the WLAN from ED nodes for email and internet
Intercepted emails from materials management staff in a matter of minutes
Solution – identified the rogue vendor as they passed through the hospital with AirDefense, had security meet them, and escorted them out of the building
Large Systems Integrator
Case #1: Probing Vendor
Vendor probing for WLAN within LM Aero
controlled facility
AirDefense alerted security officer via
email.
Security resolved situation before any
damage was done.
Large Systems Integrator
Case #2: Mis-configured WLAN
Approved WLAN with several
configurations out of security specs
AirDefense alerted security and network
services
Security and network services resolved
problem.
Large Systems Integrator
Case #3: Default Configuration
Approved AP accidentally reset to factory
defaults during construction in area of
building
AirDefense alerted security of default
configuration.
Security was able to shut AP down before
any intrusions.
A Large University
Issues:
 As an educational institution we provide an open, flexible network infrastructure
 Many departments with network admins who want to install their own APs
 Must maintain a standard configuration policy regardless of hardware used
 Employees bringing in access points
 Difficulty identifying WLAN performance issues
A Large University
How Can the Issues Be Addressed?
 Communication to staff, faculty, students – difficult at best
 Create policy not allowing WLAN outside of ITS control – not good, people usually want and push for what they can't have
 War-walking 24-7 – time consuming, doesn't monitor
A Large University
24 X 7 Monitoring with AirDefense
 24/7 monitoring of airwaves
 Security policy enforcement
 A better view of our WLAN than EVER before
 Time savings: network management, security
 Product was purchased by security for security purposes – but the reality is that it's been as much a WLAN performance & management tool
Summary
1. WLAN risks made severe by:
    We don't control the medium
    We don't control who we connect to
    Every organization has WLANs (rogue or sanctioned) – check out wigle.net
2. Detect and root out rogue WLANs
    NetStumbler > Kismet > 24 X 7 monitoring
3. Lock down laptops (Probing, ad hoc)
4. WLAN policy is critical (Deployed or prohibited)
    Define > Monitor > Enforce
5. When deploying, use layered security approach
    Encryption > Authentication > 24 X 7 RF Monitoring
6. Have Control over your Air Space
    Assets > Relationships > Behavior
Contact us
 Web: www.AirDefense.NET
 HQs Phone: 770-663-8115
 More info or demo? Darren Hamrick
 Email: [email protected]
 Phone: 404-786-1440