
Wireless Enterprise Wireless Firewall


oriana

Presentation Transcript


  1. Wireless Enterprise Wireless Firewall January 9, 2009

  2. Account Manager Messaging

  3. Business Problem
     • Wireless Networks are Exposing Enterprises to a Different Set of Threats
         • Wireless networks can be exploited from outside the premises by hackers
         • Wireless traffic is not inspected by traditional firewalls
         • Physical security is a significant deterrent for wired networks, not wireless
     • Traditional Wireless Firewalls do not Provide Complete Protection
         • Do not inspect all traffic, leaving the door open for lower level wireless threats
         • Require significant redesign of the network
         • Recent compromise of WPA security under certain circumstances makes wireless protection against lower level threats more critical
     • PCI 1.2 Compliance
         • Requires clean separation between wireless and wired traffic, often lacking in current firewalls

  4. Wireless Firewall Solution
     • Stateful firewall for wireless threats
         • Inspects all wireless traffic (Layer 2-7)
         • Provides clean separation between wireless and wired traffic required for PCI 1.2 compliance
     • Security at the edge
         • Offer protection across the distributed deployment
     • Identity and Location-based access control
         • Adds new dimension to Policy Enforcement
     • Unmatched protection in the Industry
         • Unprecedented Protection in Conjunction with Wireless IPS
     • Easy Operations
         • Easy to deploy and manage with minimal architecture impact
         • Central management integrated into RFMS

  5. Overlay Sales Messaging

  6. Wireless Enterprise: Technology Vision
     [Diagram columns: Dependent (Centralized); Adaptive (Distributed); Independent (Standalone)]
     • Adaptive (Distributed): Best of both worlds and more…
         • Performance/Scalability for 11n
         • Resilient
         • Eliminate central choke point
         • VoIP and Video reliability
         • Secure
     • Challenges
         • Scalability for 11n
         • Resilient Mesh support
         • Security at the edge
     • Challenges
         • Limited Mobility
         • Difficult to manage
         • Limited security

  7. Problems with Existing Firewall Deployments
     • Traditionally firewalls are deployed to protect corporate network resources from threats originating over the internet
     • Most firewalls are designed to operate at IP layer – Layer 3 and above.
     • Most firewalls require significant changes to the network topology to offer basic firewall protection
     • 802.11 wireless operates below the IP layer at the MAC layer – Layer 2 and above.
     • Most firewalls do not offer adequate protection to legitimate wireless users

  8. [Diagram: www; Internet Facing Firewall; Corp WAN; Corporate HQ; Branch 1; Branch 2; Wireless Switch]
     Problems: Firewall is not deployed to prevent attacks from the wireless network

  9. Firewall Inspection at IP Layer Only
     [Diagram: Store; Wireless Switch]
     Problems: Firewall does not inspect ‘bridged’ MAC layer (Layer 2) traffic

  10. Firewall Does not Protect Valid Wireless User
     [Diagram: Store; Wireless Switch]
     Problems: Firewall offers inadequate protection to valid wireless users

  11. Solution – Wireless Firewall
     • Stateful Layer 2-7 traffic Inspection
     • Clean separation between wired and wireless traffic
     • Wireless firewall protects legitimate wireless users at the edge
     • Defends against Layer 2 attacks such as IP spoofing and ARP Poisoning
     • Enables Identity and Location-based Security Policy Enforcement
     • Reduced Hassle: no network redesign plus Integrated Management

  12. Wireless Firewall Application: DHCP Enforcement
     [Diagram: Campus LAN; Wireless Switch; L2 Firewall; DHCP Request]
     • DHCP Snooping
         • MAC ADD: 44:45:53:54:42:00
         • IP ADD: 172.10.1.100
         • Lease Obtained: 10/01/08 2:30:47 PM
         • Lease Expires: 10/02/08 3:30:47 PM
     • Clients shown
         • Static IP ADD: 172.10.1.100
         • Assigned IP ADD: 172.10.1.100
     • Benefits
         • Enforce DHCP policies & prevent IP conflicts as wireless clients are added

  13. Wireless Firewall Application: ARP Cache Protection
     [Diagram: Campus LAN; Wireless Switch; L2 Firewall; ARP Request; DHCP Request]
     • ARP Cache
         • MAC ADD: 42:00:0F:12:EF:0D
         • IP ADD: 172.10.1.1
     • Diagram labels, in the order they appear
         • Default Gateway: 172.10.1.1
         • MAC ADD: 42:00:0F:12:EF:0D
         • Static IP ADD: 172.10.1.54 / 24
         • MAC ADD: 10 : 00 : 0 : 00 : 10 : F0
         • Default Gateway: 172.10.1.1
         • Assigned IP ADD: 172.10.1.100 / 24
         • Default Gateway: 172.10.1.1
     • Benefits
         • Protection from ARP Cache Poisoning for Wireless Clients

  14. Wireless Firewall Application: Location Based Access Control
     [Diagram: Front Desk; Conference Room; Cubicles; 802.11n; WIPS/Location; Client Access; Sensor]
     • Visitor Outdoors: Group: Public; Device: Any; State: Compliant; Auth: Any; Encp: Any; Location: Outdoors; Policy: Access Denied
     • Visitor Conf Rm#1: Group: Public; Device: Any; State: Compliant; Auth: Any; Encp: Any; Location: Indoor; Policy: Access Granted
     • Advantages
         • Simplifies Guest Access Provisioning
         • Protects wireless medium from unwarranted probes, association requests
         • Improves security
     • Location Based Access Control
         • AirDefense Sensors / Location Sensors report real time location to WiNG switch
         • Access Points report Authentication, Encryption, Device information
         • Wireless Firewall assigns/updates User Role and applies Location based Policies

  15. Wireless Firewall Application: Location Based Access Control
     [Diagram: Conference Room; Front Desk; Cubicles]
     • Employee Outdoor: Group: Corp; Device: Any; State: Compliant; Auth: Any; Encp: Any; Location: Outdoors; Policy: Remote Access
     • Employee Indoor: Group: Corp; Device: Any; State: Compliant; Auth: Any; Encp: Any; Location: Indoor; Policy: Intranet Access
     • Advantages
         • Granular Location based Access Control
         • Location information can be used for other business applications
     • Location Based Access Control
         • AirDefense Sensors / Location Sensors report real time location to WiNG switch
         • Access Points report Authentication, Encryption, Device information
         • Wireless Firewall assigns/updates User Role and applies Location based Policies

  16. Wireless Firewall Solution
     • Stateful firewall for wireless threats
         • Inspects all wireless traffic (Layer 2-7)
         • Provides clean separation between wireless and wired traffic required for PCI 1.2 compliance
     • Security at the edge
         • Offer protection across the distributed deployment
     • Identity and Location-based access control
         • Adds new dimension to Policy Enforcement
     • Unmatched protection in the Industry
         • Unprecedented Protection in Conjunction with Wireless IPS
     • Easy Operations
         • Easy to deploy and manage with minimal architecture impact
         • Central management integrated into RFMS

  17. Questions
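
The binding check behind the DHCP Enforcement and ARP Cache Protection slides (12 and 13), sketched as an added example that is not part of the original presentation or the vendor's product code. The class and method names are hypothetical, `OTHER_MAC` is a constructed address, and dropping traffic from addresses with no binding is an assumption about how such enforcement is configured; the leased client and gateway values are the ones shown on the slides.

```python
from datetime import datetime

class BindingTable:
    """IP -> (MAC, lease expiry), as a DHCP-snooping Layer 2 firewall tracks it."""

    def __init__(self):
        self._bindings = {}

    @staticmethod
    def _norm(mac):
        return mac.replace(" ", "").replace("-", ":").lower()

    def learn_dhcp_ack(self, mac, ip, expires):
        # Bindings are created only from DHCP ACKs seen on the trusted side.
        self._bindings[ip] = (self._norm(mac), expires)

    def pin_static(self, mac, ip):
        # Administratively pinned entry (e.g. the default gateway); no expiry.
        self._bindings[ip] = (self._norm(mac), None)

    def check(self, src_mac, src_ip, now):
        """Verdict for a frame or ARP packet claiming src_ip is at src_mac."""
        entry = self._bindings.get(src_ip)
        if entry is None:
            return ("drop", "no binding")        # self-assigned static address
        mac, expires = entry
        if expires is not None and now >= expires:
            return ("drop", "lease expired")
        if mac != self._norm(src_mac):
            return ("drop", "mac mismatch")      # spoofed IP or poisoned ARP
        return ("forward", "ok")

def build_table():
    # Values from slides 12 and 13 of the deck.
    table = BindingTable()
    table.learn_dhcp_ack("44 : 45 : 53 : 54 : 42 : 00", "172.10.1.100",
                         datetime(2008, 10, 2, 15, 30, 47))
    table.pin_static("42:00:0F:12:EF:0D", "172.10.1.1")
    return table

OTHER_MAC = "02:00:00:00:00:99"  # constructed MAC of a second wireless client

if __name__ == "__main__":
    t, now = build_table(), datetime(2008, 10, 1, 15, 0, 0)
    for mac, ip in [("44:45:53:54:42:00", "172.10.1.100"),  # leased client
                    (OTHER_MAC, "172.10.1.100"),   # duplicate/static IP claim
                    (OTHER_MAC, "172.10.1.1"),     # ARP claiming the gateway
                    (OTHER_MAC, "172.10.1.54")]:   # static IP, never leased
        print(ip, mac, t.check(mac, ip, now))
```

The same `check` covers both slides: applied to the source address of data frames it enforces DHCP-assigned addressing, and applied to the sender fields of ARP packets it keeps a client from overwriting the gateway entry in other clients' ARP caches.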
