Aug 20, 2015
“There is nothing more important than our customers”
Defending Your Wireless Networks
Colin Corbett- Portfolio Manager FMC, Wireless & Data
Siemens Enterprise Communications Ltd
Best Practice
Wireless LAN Security Summary
Requirements vs. complexity:
• Authentication and Access Control
• Data Confidentiality and Integrity
• Protection Against "Common" RF Threats
• Protection Against "Malicious" RF Threats
Mummert & Partner study in Germany:
• 60% of all companies had been hacked
• 10% didn’t know how
• 85% had experienced financial losses
• 25% of the vulnerabilities were based on mistakes of employees
• 66% of all attacks originated from inside the corporate network
© 2009 Enterasys Networks, Inc. All rights reserved.
Best Practice Authentication and Access Control
[Diagram: LAN/WLAN infrastructure connecting the workstation, user and other end-systems (IP phone, HVAC sensor, security camera, diagnostic system, printer, etc.) to the network management system, authentication, assessment, and IT apps & services]
• 802.1X authentication
• NAC detects the connecting end-system:
  – Each user and device is authenticated
  – The security (health) state of each end-system is assessed
  – The user / end-system is then granted access, denied access or quarantined
  – The user / end-system is monitored for continuing compliance with security policy
• The enforcement mechanism is embedded in the network or an inline appliance
• Monitoring and enforcement is continuous and persistent
Best Practice Data Confidentiality and Integrity
[Chart: security improvement (rising) against availability of cracking tools, across Open, WEP, WPA-PSK, WPA-Ent, WPA2-PSK and WPA2-Ent]
HiPath Wireless
802.11i Best Practice
• WPA2 Enterprise is based on the ratified 802.11i standard
• Provides a framework for the most sophisticated encryption and authentication:
  – Data confidentiality dramatically improved through CCMP with AES encryption
  – CCMP also provides message integrity protection
  – Continued use of 802.1X authentication
• Other features of 802.11i include:
  – Key caching
  – Pre-authentication
• Managers and analysts agree that 802.11i finally provides an integrated packet-level WLAN security solution that addresses enterprise security needs
Importance of Wireless IDS/IPS
• Most enterprise WLAN vendors have standardized on 802.11i (WPA2) WLAN security
• However, industry standards focus on securing packets and validating users, but ignore securing the air
  – No industry standard exists for securing the RF level
• Wireless Intrusion Detection and Prevention (IDS/IPS) complements frame-level mechanisms for complete WLAN security
WLAN RF Security Threat Categories
• Malicious RF Threats
  – “Honeypot” Access Point
  – MAC Spoofing Access Point
  – Denial of Service / Distributed Denial of Service Attacks
• Common RF Threats
  – Rogue Access Points
  – Mis-configured Access Points
  – Ad-Hoc Connections
  – Client mis-association
  – Unauthorized client associations
What 802.11i won’t cover
[Diagram: threats shown around an enterprise network and a neighboring network that 802.11i does not address: ad hoc connections, denial of service attack, rogue AP, mis-configured AP, unauthorized association, mis-association, honeypot, AP MAC spoofing]
Best Practice RF Security
1. Multi-tasking Access Points
   – Any or all Access Points can scan for threats at configured intervals while also providing network access to users
   – Provides a suitable degree of RF security for many environments, but with trade-offs:
     • Time-slice limitations may limit comprehensiveness of scans
     • Potential performance impact on real-time user applications
2. Dedicated Access Point IDS scanners
   – Selected Access Points scan for threats full-time, allowing the other Access Points to focus solely on network access
3. Integration of advanced IPS sensors
   – Provides advanced threat prevention
   – Sophisticated graphical management and location services
   – Access Points should devote their attention to delivering the highest network performance
Automated Compliance Reports
• Audits conducted at defined intervals based on event history and compared with regulatory compliance specifications
• Available pre-defined reports:
  – Gramm-Leach-Bliley
  – Sarbanes-Oxley
  – HIPAA
  – PCI
• Custom report tool enables definition of test criteria specific to your own company or industry
Transparency & Cost-Effectiveness
• Packet and RF security needs to be optimized within the context of broader business considerations
• For a security solution to be cost-effective:
  – Functionality should be integrated into the wireless equipment and/or leverage existing wired infrastructure to minimize capital investments
  – To minimize TCO, WLAN security should be easy to set up, configure, and monitor
• Transparency means minimal complexity and performance degradation for the end-user
[Chart: trade-off between cost, security / complexity, and usability]
WLAN Security
• Flexible:
  – Incorporate the right level of security for your environment, and integrate with virtually any network topology
• Non-Disruptive:
  – Focuses on securing the wireless domain and seamlessly integrates into the wired domain security
  – Integrated solution with no added hardware or client software makes adding security transparent
• Easy to Manage:
  – Quick and intuitive deployment, configuration, and monitoring capabilities minimize complexity and TCO
Choosing the Right Level of Security (degree of security increases from top to bottom in each list)

Packet level:
  None
  WEP: CRC-32 (RC4) encryption, pre-shared key authentication
  WPA: TKIP (RC4) encryption, 802.1X authentication
  WPA2 (802.11i): CCMP (AES) encryption, 802.1X authentication

Typical environments (same order):
  Corporate guest access, hotels, public hot spots
  Hospitals, universities, manufacturing
  Enterprises using Voice over WLAN or real-time multimedia applications
  Government, financial institutions

RF level (same order):
  None
  Multi-tasking access points scan network & provide access
  “Dedicated IDS” access points
  Integration of IPS sensors & management
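The RF threat categories listed earlier (honeypot, MAC-spoofing AP, rogue AP, mis-configured AP, ad-hoc) and the packet-level ladder above (None, WEP, WPA, WPA2) are what a wireless IDS sensor turns into an auto-classification verdict for every BSSID it hears. The following is an added illustration, not Enterasys or HiGuard code: the sanctioned-AP inventory, the BSSIDs and the scan observations are constructed, and the policy that corporate SSIDs must run WPA2 is an assumption.

```python
# Added example (not the deck's code): a minimal WIDS-style auto-classifier.
from collections import defaultdict
from dataclasses import dataclass

TIER = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}  # packet-level ladder from the deck
# Constructed inventory of sanctioned APs: BSSID -> (SSID, channel)
AUTHORIZED = {"00:11:22:aa:bb:01": ("CorpNet", 6), "00:11:22:aa:bb:02": ("CorpNet", 11)}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
MIN_TIER = TIER["WPA2"]  # assumed policy: corporate SSIDs must run 802.11i / WPA2

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    security: str       # "OPEN", "WEP", "WPA" or "WPA2"
    channel: int
    ibss: bool = False  # True for an ad-hoc (IBSS) network

def classify(bssid, seen):
    """Label one BSSID with a category from the deck's RF threat list."""
    if any(b.ibss for b in seen):
        return "ad-hoc"
    if bssid in AUTHORIZED:
        ssid, _ = AUTHORIZED[bssid]
        # One sanctioned BSSID beaconing conflicting parameters (or a foreign
        # SSID) within the same scan means a second radio is cloning its MAC.
        if len(seen) > 1 or any(b.ssid != ssid for b in seen):
            return "mac-spoofing-ap"
        if TIER[next(iter(seen)).security] < MIN_TIER:
            return "misconfigured-ap"   # e.g. downgraded to WEP or open
        return "authorized"
    if any(b.ssid in CORP_SSIDS for b in seen):
        return "honeypot-ap"   # our SSID advertised by a BSSID we do not own
    return "unknown-ap"   # rogue candidate; confirm with wired-side correlation

def audit(beacons):
    """Group one scan's beacons by BSSID and return {bssid: category}."""
    by_bssid = defaultdict(set)
    for b in beacons:
        by_bssid[b.bssid].add(b)
    return {k: classify(k, v) for k, v in by_bssid.items()}

SCAN = [  # constructed scan with one entry per category on the deck's threat list
    Beacon("00:11:22:aa:bb:01", "CorpNet", "WPA2", 6),
    Beacon("00:11:22:aa:bb:01", "CorpNet", "WPA2", 1),   # MAC clone of AP 01
    Beacon("00:11:22:aa:bb:02", "CorpNet", "WEP", 11),   # misconfigured
    Beacon("de:ad:be:ef:00:01", "CorpNet", "OPEN", 1),   # honeypot
    Beacon("02:00:00:00:00:07", "FreeShare", "OPEN", 3, ibss=True),
    Beacon("66:77:88:99:aa:bb", "CoffeeWiFi", "WPA", 9), # neighbouring AP
]
```

Calling `audit(SCAN)` flags the cloned, downgraded, honeypot and ad-hoc entries and leaves the neighbouring AP as an unknown to be correlated against the wired side, which is the rogue-AP distinction 802.11i alone cannot make.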
Providing Complete Protection
[Diagram: detection and prevention cycle of Monitor, Identify / Auto-classify, Locate, Visualize and Prevent, alongside Encryption & Authentication and Reporting (internal audit and compliance to local regulation)]
• Monitor: detect all Wi-Fi activity (2.4 GHz & 5 GHz, all channels, association activity) and correlate information from multiple sensors
• Identify / Auto-classify: limit user intervention to maximize the protection of all devices from all threats
• Locate: position rogue access points and clients on the floor-plan for permanent removal
• Visualize: visualize measured coverage for service, detection and prevention
• Prevent: automatically block threats through dedicated sensors to prevent any impact on the service level
Comprehensive Integrated WLAN Security
• Enterasys Wireless lets enterprises achieve the benefits of WLAN without the security risks:
  – 802.11i / WPA2 standard support for Authentication and Data Confidentiality
  – Proactive Intrusion Detection and Prevention via HiPath Wireless Manager HiGuard
  – Captive Portal and Guest Services
  – Seamless integration with wired network VPN, NAC and authentication infrastructure
[Diagram: layered security model: Session Level Security (802.1X, NAC) for Authentication and Access Control; Frame Level Security (802.11i/WPA2) for Data Confidentiality and Integrity; RF Level Security (Wireless IDS/IPS) for Intrusion Detection and Prevention]
Conclusion
• Enterasys provides a powerful and flexible security solution that can easily meet the security needs of any enterprise:
  – Open standards-based solution meets enterprises’ packet level security needs today and in the future
  – Range of intrusion detection and prevention options addresses the RF space and provides a complete security offering
  – Intuitive management tools create a cost-effective solution that is easy to use and transparent to end-users
• The absence of a complete WLAN security solution is no longer an excuse to delay enterprise-wide deployments
• Enterasys Wireless delivers security today