Page 1: W&M 2009 – Defending your wireless networks.

“There is nothing more important than our customers”

Defending Your Wireless Networks

Colin Corbett- Portfolio Manager FMC, Wireless & Data

Siemens Enterprise Communications Ltd

Best Practice

Page 2: W&M 2009 – Defending your wireless networks.

Wireless LAN Security Summary

Requirements, in increasing complexity:

Authentication and Access Control

Data Confidentiality and Integrity

Protection Against "Common" RF Threats

Protection Against "Malicious" RF Threats

Mummert & Partner study in Germany:

60% of all companies had been hacked.

10% didn’t know how,

85% had experienced financial losses,

25% of the vulnerabilities were based on mistakes of employees

66% of all attacks originated from inside the corporate network

© 2009 Enterasys Networks, Inc. All rights reserved.

Page 3: W&M 2009 – Defending your wireless networks.

Best Practice Authentication and Access Control

[Diagram: LAN/WLAN infrastructure connecting a Workstation and User, a Network Management System (Authentication, Assessment), IT Apps & Services, and other end-systems: IP Phone, HVAC Sensor, Security Camera, Diagnostic System, Printer, etc.]

• 802.1X Authentication

• NAC detects the connecting end-system

• Each user and device is authenticated

• The security (health) state of each end-system is assessed

• The user / end-system is then granted access, denied access or quarantined

• The user / end-system is monitored for continuing compliance with security policy

• The enforcement mechanism is embedded in the network or in an inline appliance

• Monitoring and enforcement is continuous and persistent
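The admission flow on this slide (authenticate, assess, grant/deny/quarantine, keep monitoring), as an added example that is not part of the deck or of the HiPath/Enterasys product. The class names, policy thresholds, agentless device classes and VLAN names are this example's own assumptions.

```python
"""Toy NAC decision engine following the admission flow on slide 3:
802.1X authenticates the user or device, the end-system's health is
assessed, access is granted, denied or quarantined, and the session is
re-checked for continued compliance.  Added example; every device
record, policy threshold and VLAN name below is constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"
    QUARANTINE = "quarantine"


@dataclass
class Posture:
    """Health state reported by an agent or a scan (constructed fields)."""
    av_running: bool
    firewall_on: bool
    patch_age_days: int


@dataclass
class EndSystem:
    mac: str
    kind: str                    # "workstation", "ip_phone", "printer", ...
    auth_ok: bool                # outcome of 802.1X (EAP) authentication
    posture: Optional[Posture]   # None when the device cannot run an agent


@dataclass
class Policy:
    """Assumed policy values; tune to your own environment."""
    max_patch_age_days: int = 30
    # Device classes that cannot report posture (slide 3's "other
    # end-systems"); they get a restricted role of their own instead.
    agentless_kinds: Set[str] = field(default_factory=lambda: {
        "ip_phone", "hvac_sensor", "security_camera", "printer"})


def posture_problems(p: Posture, policy: Policy) -> List[str]:
    """Lists policy violations; an empty list means the host is compliant."""
    problems = []
    if not p.av_running:
        problems.append("anti-virus not running")
    if not p.firewall_on:
        problems.append("host firewall disabled")
    if p.patch_age_days > policy.max_patch_age_days:
        problems.append(f"patches {p.patch_age_days} days old "
                        f"(limit {policy.max_patch_age_days})")
    return problems


def admit(es: EndSystem, policy: Policy) -> Tuple[Decision, str]:
    """Authenticate, assess, then grant / deny / quarantine."""
    if not es.auth_ok:
        return Decision.DENY, "802.1X authentication failed"
    if es.posture is None:
        if es.kind in policy.agentless_kinds:
            return Decision.GRANT, f"agentless {es.kind} admitted on its device role"
        return Decision.QUARANTINE, "no posture report from a device that must run the agent"
    problems = posture_problems(es.posture, policy)
    if problems:
        return Decision.QUARANTINE, "; ".join(problems)
    return Decision.GRANT, "authenticated and compliant"


def enforce(decision: Decision, es: EndSystem, policy: Policy) -> Optional[str]:
    """The network (switch, controller or inline appliance) maps the decision
    to a VLAN; None means the port stays closed.  VLAN names are constructed."""
    if decision is Decision.GRANT:
        return f"vlan-{es.kind}" if es.kind in policy.agentless_kinds else "vlan-corp"
    if decision is Decision.QUARANTINE:
        return "vlan-remediation"
    return None


def reassess(es: EndSystem, new_posture: Posture, policy: Policy) -> Tuple[Decision, str]:
    """Continuous monitoring: a session that drifts out of compliance is
    moved to quarantine without waiting for the next authentication."""
    es.posture = new_posture
    return admit(es, policy)


if __name__ == "__main__":
    policy = Policy()
    ws = EndSystem("aa:bb:cc:00:00:01", "workstation", True, Posture(True, True, 3))
    d, why = admit(ws, policy)
    print(ws.mac, d.value, enforce(d, ws, policy), "-", why)
    d, why = reassess(ws, Posture(av_running=False, firewall_on=True, patch_age_days=45), policy)
    print(ws.mac, d.value, enforce(d, ws, policy), "-", why)
```

The point worth noticing is the last function: the decision is not made once at connect time but re-run whenever the posture changes, which is what the slide's "continuous and persistent" enforcement means in practice.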

Page 4: W&M 2009 – Defending your wireless networks.

Best Practice Data Confidentiality and Integrity

[Chart: availability of cracking tools against security improvement, from Open through WEP, WPA-PSK, WPA-Ent and WPA2-PSK to WPA2-Ent]

Page 5: W&M 2009 – Defending your wireless networks.

HiPath Wireless

802.11i Best Practice

• WPA2 Enterprise is based on the ratified 802.11i standard

• Provides a framework for the most sophisticated encryption and authentication:
  – Data confidentiality dramatically improved through CCMP with AES encryption
  – CCMP also provides message integrity (its CBC-MAC tag)
  – Continued use of 802.1X authentication

• Other features of 802.11i include:
  – Key Caching
  – Pre-authentication

• Managers and analysts agree that 802.11i finally provides an integrated packet-level WLAN security solution that addresses enterprise security needs

Page 6: W&M 2009 – Defending your wireless networks.

Importance of Wireless IDS/IPS

•Most enterprise WLAN vendors have standardized on 802.11i (WPA2) WLAN security

•However, industry standards focus on securing packets and validating users, but ignore securing the air

–No industry standard exists for securing the RF level

•Wireless Intrusion Detection and Prevention (IDS/IPS) complements frame-level mechanisms for complete WLAN security


Page 7: W&M 2009 – Defending your wireless networks.

WLAN RF Security Threat Categories

• Malicious RF Threats
  – “Honeypot” Access Point
  – MAC Spoofing Access Point
  – Denial of Service / Distributed Denial of Service Attacks

• Common RF Threats
  – Rogue Access Points
  – Mis-configured Access Points
  – Ad-Hoc Connections
  – Client mis-association
  – Unauthorized client associations

Page 8: W&M 2009 – Defending your wireless networks.

What 802.11i won’t cover

[Diagram: threats 802.11i does not address, drawn across the Enterprise Network and a Neighboring Network: Ad Hoc, Denial of Service Attack, Rogue AP, Mis-Configured AP, Unauthorized Association, Mis-association, Honeypot, AP MAC Spoofing]

Page 9: W&M 2009 – Defending your wireless networks.

Best Practice RF Security

1. Multi-tasking Access Points
   – Any or all Access Points can scan for threats at configured intervals while also providing network access to users
   – Provides a suitable degree of RF security for many environments, but with trade-offs:
     • Time-slice limitations may limit the comprehensiveness of scans
     • Potential performance impact on real-time user applications

2. Dedicated Access Point IDS scanners
   – Selected Access Points scan for threats full-time, allowing the other Access Points to focus solely on network access

3. Integration of advanced IPS sensors
   – Provides advanced threat prevention
   – Sophisticated graphical management and location services
   – Access Points should devote their attention to delivering the highest network performance

Page 10: W&M 2009 – Defending your wireless networks.

Automated Compliance Reports

•Audits conducted at defined intervals based on event history and compared with regulatory compliance specifications

•Available pre-defined reports:

– Gramm-Leach-Bliley

– Sarbanes-Oxley

– HIPAA

– PCI

•Custom report tool enables definition of test criteria specific to your own company or industry


Page 11: W&M 2009 – Defending your wireless networks.

Transparency & Cost-Effectiveness

• Packet and RF security need to be optimized within the context of broader business considerations

• For a security solution to be cost-effective:
  – Functionality should be integrated into the wireless equipment and/or leverage existing wired infrastructure to minimize capital investments
  – To minimize TCO, WLAN security should be easy to set up, configure, and monitor

• Transparency means minimal complexity and performance degradation for the end-user

[Chart: trade-off triangle with axes Cost, Security / Complexity, and Usability]

Page 12: W&M 2009 – Defending your wireless networks.

WLAN Security

• Flexible:
  – Incorporate the right level of security for your environment, and integrate with virtually any network topology

• Non-Disruptive:
  – Focuses on securing the wireless domain and seamlessly integrates into the wired domain security
  – Integrated solution with no added hardware or client software makes adding security transparent

• Easy to Manage:
  – Quick and intuitive deployment, configuration, and monitoring capabilities minimize complexity and TCO

Page 13: W&M 2009 – Defending your wireless networks.

Choosing the Right Level of Security

Degree of Security, lowest to highest, left to right:

Packet Level:

  None | WEP                           | WPA                   | WPA2 (802.11i)
       | CRC-32 (RC4) Encryption       | TKIP (RC4) Encryption | CCMP (AES) Encryption
       | Pre-shared Key Authentication | 802.1X Authentication | 802.1X Authentication

Typical environments, on the same scale:

  Corporate Guest Access, Hotels, Public Hot Spots
  | Hospitals, Universities, Manufacturing
  | Enterprises using Voice over WLAN or real-time multimedia applications
  | Government, Financial Institutions

RF Level:

  None | Multi-tasking access points scan network & provide access | “Dedicated IDS” access points | Integration of IPS Sensors & Management
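The RF threat categories of slide 7 (honeypot, MAC-spoofing and rogue APs, mis-configured APs, ad-hoc connections, client mis-association, unauthorized client association) and the packet-level ordering of slides 4 and 13, combined in one added classifier. This is example code, not the HiGuard or Enterasys detection logic: the inventory, client list and scan records are constructed, and the heuristics used (channel or SSID mismatch on a known BSSID for spoofing, a wired-side sighting to separate a rogue AP from a neighbor, an advertised mode weaker than the inventory record for mis-configuration) are this example's own assumptions.

```python
"""Classifier that sorts wireless scan observations into the slide-7 RF
threat categories, using the slide-4 security ordering to judge what
"mis-configured" means.  Added example: inventory, client list and scan
records are constructed; the detection heuristics are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Packet-level security, weakest to strongest (the ordering on slide 4).
SECURITY_RANK = ["open", "wep", "wpa-psk", "wpa-ent", "wpa2-psk", "wpa2-ent"]


def rank(security: str) -> int:
    """Position of a security mode on the slide-4 scale; higher is stronger."""
    return SECURITY_RANK.index(security.lower())


@dataclass(frozen=True)
class AuthorizedAP:
    """One entry from the managed-AP inventory (constructed)."""
    bssid: str
    ssid: str
    channel: int
    security: str


@dataclass(frozen=True)
class Beacon:
    """One AP seen over the air by a sensor (constructed)."""
    bssid: str
    ssid: str
    channel: int
    security: str
    mode: str            # "infra" or "ibss" (ad hoc)
    on_wired_lan: bool   # True when a wired-side probe also sees this MAC


@dataclass(frozen=True)
class Association:
    """One client-to-AP association observed by a sensor (constructed)."""
    client: str
    bssid: str


Finding = Tuple[str, str]   # (threat category, human-readable detail)


def classify(inventory: Dict[str, AuthorizedAP], corporate_ssids: Set[str],
             authorized_clients: Set[str], beacons: List[Beacon],
             assocs: List[Association]) -> List[Finding]:
    findings: List[Finding] = []
    for b in beacons:
        if b.mode == "ibss":
            findings.append(("ad-hoc", f"{b.bssid} advertises IBSS '{b.ssid}'"))
            continue
        known = inventory.get(b.bssid)
        if known is None:
            # Unknown BSSID: a corporate SSID from it is a honeypot; otherwise a
            # wired-side sighting separates a rogue AP from a mere neighbor.
            if b.ssid in corporate_ssids:
                findings.append(("honeypot-ap", f"{b.bssid} advertises corporate SSID '{b.ssid}'"))
            elif b.on_wired_lan:
                findings.append(("rogue-ap", f"{b.bssid} ('{b.ssid}') is bridged to the wired LAN"))
            else:
                findings.append(("neighbor-ap", f"{b.bssid} ('{b.ssid}') is not on our network"))
            continue
        # Authorized BSSID: does the sighting match its inventory record, and
        # is it still running at least the security it was configured with?
        if b.channel != known.channel or b.ssid != known.ssid:
            findings.append(("mac-spoofing-ap", f"{b.bssid} seen on ch{b.channel} as "
                             f"'{b.ssid}', inventory says ch{known.channel} '{known.ssid}'"))
        if rank(b.security) < rank(known.security):
            findings.append(("misconfigured-ap",
                             f"{b.bssid} runs {b.security}, configured for {known.security}"))
    for a in assocs:
        ap_ok, client_ok = a.bssid in inventory, a.client in authorized_clients
        if client_ok and not ap_ok:
            findings.append(("client-misassociation",
                             f"corporate client {a.client} joined foreign AP {a.bssid}"))
        elif ap_ok and not client_ok:
            findings.append(("unauthorized-association",
                             f"unknown client {a.client} on our AP {a.bssid}"))
    return findings


def demo() -> List[Finding]:
    """Runs the classifier over a constructed inventory and scan sample."""
    inventory = {ap.bssid: ap for ap in [
        AuthorizedAP("00:11:22:33:44:01", "corp", 36, "wpa2-ent"),
        AuthorizedAP("00:11:22:33:44:02", "corp", 1, "wpa2-ent"),
        AuthorizedAP("00:11:22:33:44:03", "corp-guest", 6, "wpa2-psk"),
    ]}
    corporate_ssids = {ap.ssid for ap in inventory.values()}
    clients = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
    beacons = [
        Beacon("00:11:22:33:44:01", "corp", 36, "wpa2-ent", "infra", True),      # healthy
        Beacon("00:11:22:33:44:02", "corp", 11, "wpa2-ent", "infra", True),      # wrong channel
        Beacon("00:11:22:33:44:03", "corp-guest", 6, "open", "infra", True),     # weaker than configured
        Beacon("de:ad:be:ef:00:01", "corp", 6, "open", "infra", False),          # honeypot
        Beacon("de:ad:be:ef:00:02", "homeap", 1, "wpa-psk", "infra", True),      # rogue on wired LAN
        Beacon("de:ad:be:ef:00:03", "nextdoor", 44, "wpa2-psk", "infra", False), # neighbor
        Beacon("02:00:00:00:00:01", "share", 1, "open", "ibss", False),          # ad hoc
    ]
    assocs = [
        Association("aa:bb:cc:00:00:01", "00:11:22:33:44:01"),  # fine
        Association("aa:bb:cc:00:00:02", "de:ad:be:ef:00:01"),  # mis-association
        Association("cc:cc:cc:00:00:99", "00:11:22:33:44:01"),  # unauthorized client
    ]
    return classify(inventory, corporate_ssids, clients, beacons, assocs)


if __name__ == "__main__":
    for category, detail in demo():
        print(f"{category:24} {detail}")
```

The classifier only ever compares what a sensor saw against an inventory and a client list; that is why slide 13's ordering matters to it, since "mis-configured" is only meaningful relative to the security level an AP was supposed to run. In a real deployment the beacon and association records would come from the dedicated or time-sliced scanners described on slide 9, and the findings would feed the locate/prevent steps rather than a print loop.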

Page 14: W&M 2009 – Defending your wireless networks.

Providing Complete Protection

[Diagram: protection cycle with stages Monitor, Detect, Identify / Auto-classify, Locate, Visualize, Prevent, plus Reporting and Encryption & Authentication]

– Reporting (internal audit and compliance with local regulation)

– Encryption & Authentication

– 2.4 GHz & 5 GHz, all channels, association activity

– Position rogue access points and clients on the floor-plan for permanent removal

– Visualize measured coverage for service, detection and prevention

– Automatically block threats through dedicated sensors to prevent any impact on the service level

– Limit user intervention to maximize the protection of all devices from all threats

– Detect all Wi-Fi activity and correlate information from multiple sensors

Page 15: W&M 2009 – Defending your wireless networks.

Comprehensive Integrated WLAN Security

•Enterasys Wireless lets enterprises achieve the benefits of WLAN without the security risks:

– 802.11i / WPA2 standard support for Authentication and Data Confidentiality

– Proactive Intrusion Detection and Prevention via HiPath Wireless Manager HiGuard

– Captive Portal and Guest Services

– Seamless integration with wired network VPN, NAC and authentication infrastructure

[Diagram: three security layers and the requirement each covers. RF Level Security (Wireless IDS/IPS): Intrusion Detection and Prevention. Frame Level Security (802.11i/WPA2): Data Confidentiality and Integrity. Session Level Security (802.1X), NAC: Authentication and Access Control]

Page 16: W&M 2009 – Defending your wireless networks.

Conclusion

• Enterasys provides a powerful and flexible security solution that can easily meet the security needs of any enterprise:
  – Open standards-based solution meets enterprises’ packet level security needs today and in the future
  – Range of intrusion detection and prevention options addresses the RF space and provides a complete security offering
  – Intuitive management tools create a cost-effective solution that is easy to use and transparent to end-users

• The absence of a complete WLAN security solution is no longer an excuse to delay enterprise-wide deployments

• Enterasys Wireless delivers security today

Page 17: W&M 2009 – Defending your wireless networks.

“There is nothing more important than our customers”

THANK YOU