Transcript
Title slide: presenter name, title and contact information
WWW.AIRDEFENSE.NET
Copyright © 2002-2005 AirDefense Proprietary and Confidential.
About AirDefense
• Pioneers in Anywhere, Anytime Wireless Protection for large Enterprises and Government organizations
• Quickly growing and clear market leader in the space with over 80% market share
• Deep intellectual property portfolio with 15 patents pending
• Selected by over 350 customers including leaders in all major industries and government sectors
• Partnerships with recognized industry leaders, e.g. Cisco, IBM, CSC among others
• Seasoned management team with a history of building successful businesses
Are Wireless Network Risks Real?
Minneapolis TV Station
A News Clip on Wireless LAN Security
http://www.airdefense.net/education/video/
What Makes Wireless Risky?
1. We don't control the medium (AIR)...
2. We don't control who we connect to
3. WLANs can be an easy launch pad to the network
A wired network is protected by physical and logical barriers. Wireless eliminates traditional security barriers and introduces new challenges: signal bleeding outside the four walls and the firewall.
Most Critical WLAN Risks
• Rogue Devices & Associations
• Documented & Day Zero Intrusions
• Exposure to WIRED Network
• Device Misconfigurations
• Policy & Regulatory Compliance
• Hot Spot Protection
(Figure: an intruder in the parking lot and a neighbor (NEIGHBOR A) reach the corporate network and its confidential data servers through an accidental association, a malicious association, a soft AP, an ad hoc network, and a rogue AP connected to the network.)
Risk Validation – Hacked Organizations
• A California Public School District: the school district's unprotected WLAN allowed full unauthorized access to sensitive files and enabled hackers to upload their own files onto servers.
• A North Carolina Medical Consulting Firm: intruders broke into the computer system of a local medical consulting firm and illegally accessed information on hundreds of patients, including checks and insurance forms.
• A County Court in Texas: a computer security analyst accessed information filed by the clerk of courts using only a laptop computer and a wireless card.
The AirDefense Product Family
AirDefense Personal
• Personal agent monitoring for policy compliance and security risks; notifies user and enterprise
AirDefense BlueWatch
• Monitors air space for Bluetooth security vulnerabilities
AirDefense Mobile
• Real-time snapshot of wireless infrastructure
• Vulnerability Assessment Tool
AirDefense Sensor
• Smart Sensors scanning 802.11 a/b/g
• Selective processing, Secured Communication
AirDefense Enterprise Server
• Real-time Monitoring
• Multiple Correlation, Analysis & IDS Engines
• Integrated Reporting
• Remote Secure Browser
• Centralized Mgmt
AirDefense provides a complete suite of products to secure your enterprise and all personnel, 24x7, anytime, anywhere.
Example AirDefense Enterprise Deployment
(Map of monitored sites: Headquarters, USA; Ireland (11-story); South Africa; Japan (20-story); Hong Kong (26-story); Argentina; Mexico; Brazil)
Headquarters, USA: 22,000 sq. ft. per floor, 4 floors; 176 devices (16 APs, 160 stations); sensors = 2
AirDefense Technologies: A True IDS System
(Architecture diagram: AD Sensors, AD Mobile and AD Personal feed the AD Server Appliance, which also integrates with Cisco WLSE and the Cisco switch. Inside the appliance: Policy Manager, Anomalous Behavior, IDS, Correlation Across Sensors, Correlation Across Other Sensors, Notification Engine, Compliance, Accurate Detection, Reporting & Analysis, Forensics, Active Defenses.)
Accurate Detection, Proactive Protection & Actionable Intelligence = A System You Can Trust
Self-managing, Anywhere, Anytime Wireless Protection
• Protection Anywhere
• Advanced Rogue Management
• Comprehensive Intrusion Detection
• Forensic & Incident Analysis
• Active Defenses
• Policy Compliance
• Self-Managing Platform
Anywhere Protection – AirDefense Personal
Mobile workforce extending the edge of the corporate network to a user's laptop:
• A user laptop at an airport/hotel can be compromised, via accidental association, and serve as a bridge to the corporate backbone
• Hard to determine if one is connected to a legitimate hotspot or diverted to a malicious counterfeit
• Identity theft via hot spot phishing coming to mainstream, e.g. AirSnarf
AirDefense Personal is a small software agent that runs on Windows PCs and monitors for wireless exposures and threats, and notifies the user and AirDefense Enterprise.
• Continuous anywhere monitoring for mobile users on the road or at their office
• Detects and notifies 50+ configuration and connectivity issues and attacks
• Protection by enforcing policy defined centrally at AirDefense Enterprise
How it works (AirDefense Personal and the AirDefense Enterprise Appliance):
1. Policy Profiles are centrally defined and automatically downloaded to each mobile user
2. Alert Logs are automatically uploaded to AirDefense Enterprise for central reporting and notification
3. Policy Enforcement (automatic turn-off of the radio)
Most Advanced Rogue Management
Hundreds of neighboring wireless devices may bleed over into your premises, especially in urban areas. Finding risky rogues is like finding a needle in a haystack. Enterprises either need to employ several "wireless rogue runners" to identify and chase each rogue, or deploy an automated and intelligent solution from AirDefense.
1. Detect Rogue Devices & Associations
• Hardware APs, Soft APs
• Wireless-ready laptops
• Specialty Devices (barcode scanners)
• Ad-hoc networks, Accidental/Malicious Associations
2. Calculate Threat Index
• Smart Mgmt of Airwaves
• Partitioning of Friendly Neighboring Networks till they get malicious
• Threat scale, least risk to highest risk: Innocent Neighbor AP; Our Stn connected to neighbor AP; Rogue AP in my building; Rogue AP on my Network; Our Stn connected to Rogue AP and transferring data
3. Analyze Rogue Connections
• In-depth analysis of the activity level of each rogue
• How long it existed
• Who was connected to the rogue
• What and how much data was transmitted
4. Locate Rogue Device
Automated Rogue Mitigation: Terminate Rogue Devices
• Terminates on command and automatically takes action to terminate connectivity
• Wired and wireless termination
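The threat index step above, as an added example that is not AirDefense's code: a small scorer that ranks every BSSID a sensor sees on the slide's own scale, from innocent neighbor AP up to our station transferring data through a rogue AP. The inventory (authorized BSSIDs, our station MACs), the sensor readings, the switch MAC-table snapshot, the indoor RSSI cutoff and the "wired MAC is within a few addresses of the BSSID" heuristic are all assumptions made for the example.

```python
"""Rogue threat index (added example, not AirDefense code).

Ranks observed APs on the slide's scale:
  innocent neighbor AP < our station on neighbor AP < rogue AP in my building
  < rogue AP on my network < our station on rogue AP transferring data
Inputs are constructed: one sensor's view of APs and their associated
stations, plus a snapshot of MAC addresses learned on our switches.
"""
from dataclasses import dataclass, field

# Inventory (constructed): the APs we run and the stations we manage.
AUTHORIZED_BSSIDS = {"00:0b:86:aa:bb:c0"}
OUR_STATIONS = {"00:13:ce:11:22:33", "00:13:ce:44:55:66"}

# Assumption: a reading at or above this RSSI at an indoor sensor means the
# transmitter is inside our building rather than bleeding in from a neighbor.
INSIDE_RSSI_DBM = -65

# Threat levels, least to highest risk (the slide's ordering).
LEVELS = {
    0: "authorized AP",
    1: "innocent neighbor AP",
    2: "our station connected to neighbor AP",
    3: "rogue AP in my building",
    4: "rogue AP on my network",
    5: "our station connected to rogue AP and transferring data",
}


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    rssi_dbm: int                                   # strongest sensor reading
    clients: dict = field(default_factory=dict)     # station MAC -> bytes seen


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def on_wired_network(bssid: str, wired_macs, window: int = 8) -> bool:
    """Heuristic (assumption, commonly used in rogue detection): an AP's
    Ethernet MAC usually lies within a few addresses of its BSSID, so a
    near-match in a switch MAC table ties the radio to our wired side."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= window for m in wired_macs)


def threat_index(ap: ObservedAP, wired_macs) -> int:
    """Map one observed AP to a level in LEVELS."""
    if ap.bssid in AUTHORIZED_BSSIDS:
        return 0
    ours = OUR_STATIONS & set(ap.clients)
    bytes_from_ours = sum(ap.clients[s] for s in ours)
    wired = on_wired_network(ap.bssid, wired_macs)
    inside = ap.rssi_dbm >= INSIDE_RSSI_DBM
    rogue = wired or inside                 # anything else is a mere neighbor
    if rogue and ours and bytes_from_ours > 0:
        return 5
    if wired:
        return 4
    if inside:
        return 3
    if ours:
        return 2
    return 1


def rank(aps, wired_macs):
    """Highest threat first; each entry is (index, label, bssid)."""
    scored = []
    for ap in aps:
        idx = threat_index(ap, wired_macs)
        scored.append((idx, LEVELS[idx], ap.bssid))
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed sensor view and switch MAC-table snapshot.
SAMPLE_APS = [
    ObservedAP("00:0b:86:aa:bb:c0", "corp", -40, {"00:13:ce:11:22:33": 9000}),
    ObservedAP("00:0f:66:10:20:30", "linksys", -82),                          # neighbor
    ObservedAP("00:0f:66:10:20:40", "cafe", -80, {"00:13:ce:44:55:66": 0}),   # our stn on neighbor
    ObservedAP("00:14:bf:01:02:03", "default", -55),                          # inside, not on wire
    ObservedAP("00:18:39:0a:0b:0c", "free-wifi", -50),                        # inside and on wire
    ObservedAP("00:18:39:0a:0b:1c", "default", -58, {"00:13:ce:11:22:33": 250000}),
]
SAMPLE_WIRED_MACS = {"00:18:39:0a:0b:0e", "00:18:39:0a:0b:1d", "00:1a:a0:aa:aa:aa"}

if __name__ == "__main__":
    for idx, label, bssid in rank(SAMPLE_APS, SAMPLE_WIRED_MACS):
        print(f"{idx}  {bssid}  {label}")
```

The RSSI cutoff and the MAC-adjacency window are the two knobs a deployment would tune: too loose and every neighbor becomes a "rogue in my building"; too tight and an AP plugged into a conference-room port is scored as a harmless neighbor.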
Most Comprehensive & Accurate Intrusion Detection
With new threats emerging every day and hacking tools getting more sophisticated, comprehensive intrusion detection requires advanced detection methods to detect these threats.
Most Advanced Wireless Intrusion Protection System: 15 Patents Pending
ACCURATE & RELIABLE DETECTION
• Detection engines: Policy Engine, Correlation, Anomalous Behavior, Protocol Analysis, Signature Based, Traffic Correlation
• Multiple criteria and correlation engines ensure accurate detection and minimum false positives
(Chart: 400 accurate and reliable alarms versus 11,600 alarms when false positives are included)
MOST COMPREHENSIVE DETECTION
• 200+ threats detected
• Documented threats (Signature-based)
• Day Zero threats (Anomalous Behavior)
• Wired-side vulnerabilities
Sample Threats
• Reconnaissance Activity
• Various DoS Attacks
• Identity Theft
• Accidental/Malicious Association
• Dictionary Attacks
• Security Policy Violations
"First generation WLAN IDS solutions are often limited to signature-based detection. Just as wired-side IDS could not reliably depend upon signatures, WLAN IDS will require multiple detection technologies." (Gartner, July 2004)
AirDefense Ensures Policy Compliance
Adopt proven security policies and procedures to address the security weaknesses of the wireless environment.
Define Policy (Enterprise, Centralized, Template-based Policy Manager)
• Security
• Configuration; VLANs
• Performance
• Vendor / Channel
• Authentication
Monitor for Compliance
• Compliance with corporate and regulatory requirements?
• Network performing correctly?
• Daily: Policy Violations report
Enforce
• Turn off SSID broadcast
• Change channel of AP
• Terminate
AirDefense Enables Compliance with: SOX, DOD, DHS, GLBA, FDIC, HIPAA, OCC
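The define/monitor/enforce loop on this slide, and the centrally defined policy profile that the AirDefense Personal slide pushes to each laptop, both come down to the same check: compare what is observed against a policy and map each violation to an action. The following is an added example, not AirDefense's code, covering both slides: an enterprise-side check of AP configurations (security, channel, vendor, authentication, VLAN, SSID broadcast) that names the enforcement action from the slide for each violation, and a client-side decision that applies the same profile to the laptop's own association and decides whether to turn the radio off. The policy values, the vendor OUI, the encryption ranking and all device attributes are constructed for the example.

```python
"""Policy profile checked against observed devices (added example, not
AirDefense code). Serves the policy-compliance slide (check_ap,
daily_violations) and the AirDefense Personal slide (personal_agent_decision).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class APConfig:
    bssid: str
    ssid: str
    channel: int
    encryption: str        # "open", "wep", "wpa-tkip", "wpa2-ccmp"
    auth: str              # "open", "psk", "802.1x"
    ssid_broadcast: bool
    vlan: Optional[int] = None


# Constructed, centrally defined policy profile.
POLICY = {
    "allowed_ssids": {"corp", "corp-guest"},
    "allowed_vendor_ouis": {"00:0b:86"},    # assumed corporate AP vendor prefix
    "allowed_channels": {1, 6, 11},
    "min_encryption": "wpa2-ccmp",          # 802.11i, as the Gartner quote recommends
    "required_auth": "802.1x",
    "ssid_broadcast": False,                # the slide's "turn off SSID broadcast"
    "required_vlan": 40,
}
ENCRYPTION_RANK = {"open": 0, "wep": 1, "wpa-tkip": 2, "wpa2-ccmp": 3}


def _oui(mac: str) -> str:
    return mac[:8].lower()


def check_ap(ap: APConfig, policy=POLICY):
    """Return (violation, enforcement action) pairs in the slide's terms."""
    v = []
    if ap.ssid not in policy["allowed_ssids"]:
        v.append(("unauthorized SSID", "terminate"))
    if _oui(ap.bssid) not in policy["allowed_vendor_ouis"]:
        v.append(("unauthorized vendor", "terminate"))
    if ap.channel not in policy["allowed_channels"]:
        v.append(("channel not allowed", "change channel of AP"))
    if ENCRYPTION_RANK[ap.encryption] < ENCRYPTION_RANK[policy["min_encryption"]]:
        v.append(("weak or no encryption", "terminate"))
    if ap.auth != policy["required_auth"]:
        v.append(("authentication not 802.1x", "reconfigure"))
    # Hiding the SSID is a configuration-policy item only; it is not a
    # confidentiality control, since the SSID still appears in probe traffic.
    if ap.ssid_broadcast and not policy["ssid_broadcast"]:
        v.append(("SSID broadcast on", "turn off SSID broadcast"))
    if policy["required_vlan"] is not None and ap.vlan != policy["required_vlan"]:
        v.append(("wrong VLAN", "reconfigure"))
    return v


def daily_violations(aps, policy=POLICY):
    """The slide's daily policy-violations view: BSSID -> its violations."""
    report = {}
    for ap in aps:
        found = check_ap(ap, policy)
        if found:
            report[ap.bssid] = found
    return report


def personal_agent_decision(connected_ssid, connected_bssid, encryption, policy=POLICY):
    """AirDefense Personal side: the laptop's current association checked
    against the same profile. Returns (alert text, turn radio off?)."""
    if connected_ssid not in policy["allowed_ssids"]:
        return ("accidental association: SSID not in profile", True)
    if _oui(connected_bssid) not in policy["allowed_vendor_ouis"]:
        return ("possible counterfeit hotspot: unknown vendor serving corporate SSID", True)
    if ENCRYPTION_RANK[encryption] < ENCRYPTION_RANK[policy["min_encryption"]]:
        return ("weak encryption on corporate SSID", True)
    return ("compliant", False)


# Constructed observations.
GOOD_AP = APConfig("00:0b:86:aa:bb:c0", "corp", 6, "wpa2-ccmp", "802.1x", False, 40)
MISCONFIGURED_AP = APConfig("00:0b:86:aa:bb:d0", "corp", 3, "wep", "psk", True, 40)
ROGUE_AP = APConfig("00:14:bf:01:02:03", "default", 6, "open", "open", True, None)
SAMPLE_APS = [GOOD_AP, MISCONFIGURED_AP, ROGUE_AP]

if __name__ == "__main__":
    for bssid, violations in daily_violations(SAMPLE_APS).items():
        for what, action in violations:
            print(f"{bssid}: {what} -> {action}")
    print(personal_agent_decision("corp", "00:14:bf:01:02:03", "wpa2-ccmp"))
```

The client-side check is deliberately ordered: an unknown SSID is an accidental association, but a known corporate SSID served from a BSSID with a non-corporate vendor prefix is the counterfeit-hotspot case the slide warns about, and is the one a simple "is the SSID allowed" check would miss.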
Forensics & Incident Analysis
WLANs are transient and security incidents happen often, so it is important to collect critical device communication and traffic information to analyze what went wrong.
Min-by-Min Critical Data Store
• Device Connectivity Logs
• Device Activity Logs
• Channel Activity Logs
• Signal Strength
• Data transferred by Direction
One-Click Investigation
• Were We Attacked?
• What Entry Point was Used?
• When Did the Breach Occur?
• How Long Were We Exposed?
• What Transfers Occurred?
• Which Systems Were Compromised?
(Chart: min-by-min view of bytes per minute, showing the minute in which a large file was downloaded)
"Forensic analysis is critical to assess damage from a security breach and take proactive steps for the future." (Meta Group)
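The one-click investigation above, worked through on constructed min-by-min connectivity records as an added example (not AirDefense code): given the rogue BSSID identified as the entry point, the functions answer when the breach began, how long we were exposed, which of our stations associated with the rogue, and which minute carries the "large file downloaded" spike in the bytes-per-minute view. The record layout, the station and BSSID addresses, the byte counts and the spike threshold (ten times the median minute) are assumptions made for the example.

```python
"""Forensic timeline from min-by-min logs (added example, not AirDefense
code). Answers the slide's One-Click Investigation questions for one rogue.
"""
from collections import defaultdict
from statistics import median

# Constructed records: (minute, station MAC, BSSID, bytes to station, bytes from station).
RECORDS = [
    ("09:00", "00:13:ce:11:22:33", "00:0b:86:aa:bb:c0", 12_000, 3_000),
    ("09:01", "00:13:ce:11:22:33", "00:0b:86:aa:bb:c0", 11_500, 2_800),
    ("09:02", "00:13:ce:11:22:33", "00:18:39:0a:0b:1c", 9_000, 1_000),    # roams to rogue
    ("09:03", "00:13:ce:11:22:33", "00:18:39:0a:0b:1c", 10_000, 1_200),
    ("09:04", "00:13:ce:11:22:33", "00:18:39:0a:0b:1c", 842_000, 4_000),  # large file pulled
    ("09:05", "00:13:ce:11:22:33", "00:18:39:0a:0b:1c", 8_000, 900),
    ("09:05", "00:13:ce:44:55:66", "00:18:39:0a:0b:1c", 3_000, 600),      # second station joins
    ("09:06", "00:13:ce:11:22:33", "00:0b:86:aa:bb:c0", 12_200, 3_100),   # back on corporate AP
    ("09:07", "00:13:ce:44:55:66", "00:18:39:0a:0b:1c", 2_500, 400),
]
OUR_STATIONS = {"00:13:ce:11:22:33", "00:13:ce:44:55:66"}
ROGUE_BSSID = "00:18:39:0a:0b:1c"


def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def exposure_window(records, bssid):
    """(first minute, last minute, inclusive duration in minutes) during
    which anything was associated with `bssid`, or None if never seen."""
    seen = sorted({r[0] for r in records if r[2] == bssid})
    if not seen:
        return None
    return seen[0], seen[-1], _minutes(seen[-1]) - _minutes(seen[0]) + 1


def bytes_per_minute(records, bssid):
    """The slide's bytes-per-minute view for one BSSID, both directions summed."""
    totals = defaultdict(int)
    for minute, _station, b, down, up in records:
        if b == bssid:
            totals[minute] += down + up
    return sorted(totals.items())


def large_transfers(per_minute, factor: int = 10):
    """Flag minutes whose volume exceeds `factor` times the median minute:
    the 'large file downloaded' spike. Needs a few minutes of baseline."""
    if len(per_minute) < 3:
        return []
    base = median(v for _, v in per_minute)
    return [(m, v) for m, v in per_minute if v > factor * base]


def investigate(records, rogue_bssid, our_stations):
    """Answer the six One-Click Investigation questions for one rogue."""
    window = exposure_window(records, rogue_bssid)
    involved = {r[1] for r in records if r[2] == rogue_bssid and r[1] in our_stations}
    return {
        "attacked": window is not None and bool(involved),
        "entry_point": rogue_bssid,
        "breach_started": window[0] if window else None,
        "exposed_minutes": window[2] if window else 0,
        "large_transfers": large_transfers(bytes_per_minute(records, rogue_bssid)),
        "compromised_stations": sorted(involved),
    }


if __name__ == "__main__":
    for question, answer in investigate(RECORDS, ROGUE_BSSID, OUR_STATIONS).items():
        print(f"{question}: {answer}")
```

A median-based baseline is used rather than a fixed byte threshold so that a busy AP and a quiet one are judged against their own normal traffic; with only a minute or two of history there is no baseline, and the function declines to flag anything rather than guess.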
Automated Active Defenses
In addition to detection of threats, it is important to protect against intruders and rogues. Enterprise wireless networks need automated protection from security threats that can use multiple mitigation tactics.
Wireless Mitigation (by AirDefense)
• On-command Disconnect
• Policy-Based Disconnect
• Authorization Required
• Audit Trail Maintained
• Mitigation of the right target due to accurate detection
Wired-side Mitigation (by Cisco WLSE)
• On-command Suppression
• Policy-Based Suppression
• Device Reconfiguration
(Diagram: a rogue AP on the network, detected by AirDefense, has its switch port suppressed by Cisco WLSE ("PORT ALERT! SUPPRESSED!"); a laptop acting as a wired and wireless bridge, and an accidental association to a public AP, both detected by AirDefense, are terminated over the air by AirDefense ("ALERT! TERMINATED!").)
Accurate detection and precise mitigation are very critical to ensure that only rogue devices, associations and intruders are terminated.
Self-Managing Platform
1. Secure Platform
• Sensors: plug-and-go sensors; firewalls on wireless and wired interfaces for protection
• Appliance: customized hardened OS
• Communication: SSL and digital certs; mutual authentication
2. Integration with Infrastructure (CiscoWorks WLSE)
• Instant network device synchronization
• Integrated and automated security management
• Integrated database management
• Integrated data backup
3. One-Click Analysis
• With a single click, investigate security incidents across the enterprise
• Analyze device connectivity and activity as the device roams through the network
• View communication history to diagnose security or operational issues
4. Active Troubleshooting
• Real-time device analysis and tracking
• Remote packet capture / sniffer capabilities
• Notification of lost devices (signal strength = 0)
• Network Availability and Failure history
• Network Usage and Performance
5. Notification & Alarm Management
• Adjustable alarm priorities and views
• Flexible querying and filtering system
• Multiple notification options (email, pager, SMS, SNMP, Syslog)
• Notifications by role, location, severity, frequency of alarm
(Source: AirDefense – over 4000 WLANs analyzed)
Remote Troubleshooting
In widely distributed wireless deployments, remote troubleshooting tools are critical to ensure administrators are able to diagnose and correct end-user issues centrally.
(Screens: heavily congested channels; live real-time analysis; network utilization)
Real-time Analysis                                          AD
  Real-time device analysis                                 Yes
  Real-time device tracking                                 Yes
  Real-time Layer 2 decoding                                Yes
  Full, remote frame capture                                Yes
Historical Reporting                                        AD
  Ongoing collection of performance statistics              Yes
  Device connection history                                 Yes
  Built-in channel reports for troubleshooting RF problems  Yes
AirDefense Mobile
(Screenshot: device count, device tree, signal strength by channel, frames and bytes transferred, top devices and channels)
AirDefense BlueWatch
• Identifies different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones
• Provides key attributes, including device class, manufacturer and signal strength
• Illustrates communication or connectivity among various devices
• Identifies services available on each device, including network access, fax and audio gateway
(Screens: services by type, devices by type, detailed device info)
Customer Testimonials & Videos
"… the only solution that met all our requirements."
"… provides the peace of mind."
"… meets both these needs."
"… only product that meets stringent HIPAA requirements"
"… the clear market leader and the only viable choice"
"… exhaustive search … the only enterprise-class solution"
"… put security safeguards"
"… maximize our wireless LAN's return on investment."
For Video Testimonials, click: University of Utah Health Sciences Center
Expert Opinion on Wireless Monitoring
"Through 2006, 70% of successful WLAN attacks will be because of the misconfiguration of APs or client software."
"Incorrectly set-up WLANs put the wired LAN at risk as well"
"Wireless devices create backdoors for hackers and can render millions of dollars invested in firewalls, IDS and VPNs useless."
"Unmanaged WLANs can jeopardize entire enterprise network, data and operations"
"New sophisticated security risks continue to emerge as wireless matures"
Summary
Anywhere, Anytime Wireless Protection
1. Detect Rogues, Associations & Intrusions
2. Locate, Prioritize, Notify
3. Automated Defense, Forensics
4. Health, Troubleshoot, Performance
• Policy Compliance
• Protect Reputation & Information
Cisco Systems & AirDefense Partnership
Integrated Wireless Protection
November 2004
Wireless IDS and Current Cisco Support
• Cisco SWAN detects, locates and mitigates against rogue APs.
• A Cisco Aironet AP in Sensor Mode gathers data; CiscoWorks WLSE terminates the rogue AP from the network.
• Cisco and Cisco Compatible Clients
• Cisco also detects clients in ad hoc mode.
• In the future, CiscoWorks WLSE will detect, locate and mitigate against intruders and network attacks.
© 2004 Cisco Systems, Inc. All rights reserved.
Cisco AirDefense Integration Background
• Wireless is a transient medium and prone to attacks by rogues and hackers
• Integrated WIDS offerings from wireless infrastructure providers do not have extensive capabilities to detect all rogues and intrusions
• Signature-based detection is not enough
• Need for integrating:
  • Best-in-class wireless and wired infrastructure management system: Cisco, with enterprise-class wireless infrastructure and Wireless Mgmt System
  • Best-in-class wireless protection system: most comprehensive and accurate detection; active defenses, forensics and incident analysis; advanced notification system; multiple detection technologies and correlation engines eliminate false positives
• Customers get the best wireless infrastructure and security
Customer Drivers for Integration
"As a large customer of Cisco wireless infrastructure and AirDefense wireless IDS, we saw a
significant benefit in bringing together the two products to build a highly secure wireless
network.
The integration of these two major solutions should lower costs and improve security by
enabling flexible deployment of IDS capability and will reduce the cost of deployment and ongoing management as well as increase the level of security.”
JD Fluckiger, Computer Protection Program Manager, Pacific Northwest National Laboratory
"Enterprise-class wireless infrastructure must be properly configured and secured, and must
support strong encryption and authentication (802.11i recommended).
Wireless monitoring and IDS ensures that the infrastructure remains secure and in compliance
with corporate policy and regulatory requirements.
Integration of a comprehensive and reliable wireless IDS with a robust wireless infrastructure
provides customers the best of both worlds."
John Girard, Vice President, Gartner
AirDefense/Cisco Integrated Wireless Protection
(Diagram: CiscoWorks WLSE, a Cisco AP in Sensor Mode, the AirDefense Server Appliance and the switching infrastructure; first floor, 8 Cisco APs, 1 sensor)
Integration Areas
• Integration of CiscoWorks WLSE and AirDefense Server
• Integration with Wired Side Infrastructure
• Cisco AP as a Sensor
Benefits
• Reduced Cost of Deployment & Support
• Comprehensive Detection & Effective Protection
1. Integrate CiscoWorks WLSE & AirDefense Server
AirDefense draws configuration and policy information from CiscoWorks WLSE:
• CiscoWorks WLSE as a correlation source: wired and wireless information correlation
• Source of information for AirDefense detection
• Fault database used to diagnose or confirm events
• Synchronize authorized APs and stations
• Get device-specific details, e.g. DNS, IP address, wired MAC, wireless statistics
AirDefense provides alerts and alarms to CiscoWorks WLSE:
• Enables "Detect and Correct" functions
• Reduces administrative overhead
Advanced correlation for a closed-loop system
2. Integration with Wired Mgt. Infrastructure
Found a rogue on my network? Can I do port suppression? It is easy to show a demo of port blocking, but in real life it is a big challenge. Enterprises have hundreds of switches and thousands of Ethernet ports across scores of locations that a rogue AP or station can connect to…
• AirDefense has multiple detection and correlation engines to accurately identify threatening APs or stations
• Cisco dominates Ethernet switching infrastructure and is in the best position to locate and suppress the port a threatening device is connected to
To locate and block the port of a threatening or rogue device:
• Using jointly developed APIs, the AirDefense appliance communicates several key parameters to CiscoWorks WLSE
• CiscoWorks WLSE in turn works with the Cisco switching infrastructure to locate the device and block its port
Only effective and practical way for wired-side protection!
3. Cisco APs as Dedicated Sensors
Cisco AP as Dedicated Sensor
• Cisco AP configured in dedicated sensor mode
• Supports 802.11a/b/g protocols
• Fully configurable operation for channel scanning and locking
• Supports all detection and alerts
Cisco Sensor Feeds AirDefense Server
• Leverages all AirDefense centralized intelligence
• Multi-engine detection and correlation provides accurate detection
• Single hardware platform for customers to manage
AirDefense & Cisco Integration Benefits
• A complete, comprehensive and correlated view improves detection: correlation of wireless data from AirDefense and wired-side data from CiscoWorks WLSE
• Protection for the wireless and wired network: AirDefense detects the rogue/malicious devices and passes the information to CiscoWorks WLSE, which carries out port suppression and also locates the rogues
• Reduced cost of deployment and ongoing maintenance of the network: authorized device info, policies etc. can be synchronized and data exchange facilitated
• For customers with no wireless LAN deployed yet: deploy AirDefense first for rogue protection and then follow up with the deployment of Cisco WLANs
"Through product development and partnership with industry leaders like Intel and AirDefense, Cisco is expanding the SWAN framework to deliver the security and capacity enterprise wireless LAN customers demand. We'll continue to innovate and expand these partnerships over time to further the leadership we've established with our integrated approach to wired and wireless connectivity."
Bill Rossi, Vice President & General Manager, Wireless Networking Business Unit, Cisco