Put Wireless LAN Security Monitoring in your budget. - Gartner

COPYRIGHT © 2003 – 2004 AIRDEFENSE, INC. ALL RIGHTS RESERVED. Put Wireless LAN Security Monitoring in your budget. - Gartner AirDefense Market Leader in Enabling Risk-Free Wireless LANs Wireless Monitoring & Intrusion Protection www.airdefense.net

Upload: toviel

Post on 11-Jan-2016


Page 1: Put Wireless LAN Security Monitoring in your budget. - Gartner

COPYRIGHT © 2003 – 2004 AIRDEFENSE, INC. ALL RIGHTS RESERVED.

Put Wireless LAN Security Monitoring in your budget.

- Gartner

AirDefense Market Leader in Enabling Risk-Free Wireless LANs

Wireless Monitoring & Intrusion Protection

www.airdefense.net

Page 2: Put Wireless LAN Security Monitoring in your budget. - Gartner

Copyright © 2002 – 2004 AirDefense Proprietary and Confidential.

About AirDefense

BENEFITS

Enterprise Class Distributed Monitoring Architecture – 13 Patents Pending

Wireless Intrusion Detection & Protection System with Multiple Correlation & Analysis Engines

Control over air space

Auto-Discovery of all Wireless Assets & Threats

Risk-free Wireless Deployments

WHAT WE DO

OUR TECHNOLOGY

250+ Govt. Organizations & Blue-Chip Enterprises (over 80% market share)

Proven solution monitoring:
- Tens of thousands of Access Points
- Hundreds of thousands of Devices

CUSTOMER PROFILE

Proactive 24 x 7 Monitoring of Enterprise Airwaves against Rogues, Intruders, Hackers, Interference & Network Abuses

Ensures Regulatory & Enterprise Policy Compliances

Any Vendor, Any Protocol, Any Device

Page 3: Put Wireless LAN Security Monitoring in your budget. - Gartner

Wireless LAN Risks: Hype or Reality

Page 4: Put Wireless LAN Security Monitoring in your budget. - Gartner

Understanding SSID & MAC Address

SSID

SSID helps stations find APs around
- 32 byte unique Service Set Identifier of AP
- Like your company name on the building
- Sent when AP receives a probe request from station
- Can be seen in the air

MAC Address

To deliver traffic, a unique identifier must be available for each device – Media Access Control (MAC) Address

Example: 00-04-5a-03-3c-0f

MAC Address = OUI (Organizationally Unique Identifier, first 3 characters) + Serial Number

Vendor OUI
- Cisco (Aironet): 00-04-96
- Agere (Orinoco): 00-02-2D
- Nokia: 00-e0-03
- Linksys: 00-04-5a

Page 5: Put Wireless LAN Security Monitoring in your budget. - Gartner

Understanding Probes & Beacons

PROBES: A Station sends a probe request frame when it needs to obtain information from another station. (For example, a station would send a probe request to determine which access points are within range.)

BEACONS: The Access point (AP) periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point.

[Diagram labels: User Station (Probes), Access Point (Beacons)]

Page 6: Put Wireless LAN Security Monitoring in your budget. - Gartner

Problem: Uncontrolled Medium

Wireless LAN is extension of Wired LAN

The walls of the facility provide a solid line of defense against intruders

Vs.

RF in the AIR is uncontrolled…

With a single access point, walls come tumbling down. Ethernet now extends to the parking lot!

[Diagram labels: Intruder, Server, Computer]

Page 7: Put Wireless LAN Security Monitoring in your budget. - Gartner

Self-Deploying & Transient Networks

[Diagram labels: PARKING LOT, CONFERENCE ROOM, SHIPPING DEPARTMENT, CORPORATE NETWORK, NEIGHBOR A, PROBES]

1. User Station transmits PROBES

2. APs transmit BEACONS

3. User Station connects to BEST ACCESS POINT

We Don’t Control who we connect to…

Accidental Association

Malicious Association

Ad Hoc Network

Page 8: Put Wireless LAN Security Monitoring in your budget. - Gartner

Increasing Sophistication of Attacks

[Chart: "Attack Sophistication" and "Knowledge Required by Intruder", scale Low to High, years 1980 to 2005. Labels: WiGLE.net; New & Easier Attack Tools]

Easier to Attack: Growing Security Threats

New & Easier Tools make it very easy to attack the Network

Page 9: Put Wireless LAN Security Monitoring in your budget. - Gartner

WLAN – Real World Risks

46% Of Companies Have Been Victim Of A Security Breach - PwC
- 61% Of Attacks Were From Hackers
- 10% Of Attacks Were From Former Employees/Contractors
- 83% Of Companies Reported A Monetary Loss
- Downtime Averaged 1.33 Days Per Employee

WLAN Facts: Top 8
- Companies That Found A Rogue Device: 90%
- Found Devices With No Security: 80%
- Average Cost Of Loss Per Attack (US Study): $416K
- Average Cost Of Loss Per Attack (UK Study): $220K
- Current Growth Of Access Points: 2M/Qtr
- Current Growth Of Stations: 10M/Qtr
- Companies That Have Deployed Insecure WLANs: 60%
- Avg. # Of Serious Attacks Per Month: 100

Page 10: Put Wireless LAN Security Monitoring in your budget. - Gartner

Best Practices for Wireless LAN Security & Monitoring

Page 11: Put Wireless LAN Security Monitoring in your budget. - Gartner

Layered Approach to Security

Control the Uncontrollable

Page 12: Put Wireless LAN Security Monitoring in your budget. - Gartner

Gartner on WLAN Security Risks

3 “Must Have” WLAN Security

- Install a centrally managed personal firewall on laptops that are issued wireless NICs

- Perform wireless intrusion detection to discover rogue access points, foreign devices connecting to corporate access points and accidental associations to nearby access points in use by other companies.

- Turn on some form of encryption and authentication for supported WLAN use.

July 31, 2003
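
The three conditions named in the intrusion detection item above can be told apart from which AP a frame names and which station sent it, checked against an inventory. This is an added example, not AirDefense code and not part of the original deck; the inventory fields, the neighbour baseline and every address and SSID are assumptions constructed for illustration.

```python
from dataclasses import dataclass

def norm(mac):
    """Canonicalise a MAC so 02-00-00-AA-00-01 and 02:00:00:aa:00:01 match."""
    return mac.strip().lower().replace("-", ":")

@dataclass(frozen=True)
class Inventory:
    sanctioned_aps: frozenset      # BSSIDs the organisation deployed
    corporate_stations: frozenset  # MACs of company-issued wireless NICs
    neighbor_aps: frozenset        # assumption: baselined APs of nearby companies

def make_inventory(aps, stations, neighbors):
    return Inventory(*(frozenset(map(norm, g)) for g in (aps, stations, neighbors)))

def classify(inv, beacons, associations):
    """beacons: (bssid, ssid) pairs; associations: (station, bssid) pairs.
    Returns sorted (finding, bssid, station); station is "" for AP findings."""
    findings = set()
    # The SSID is ignored for the decision: anyone can configure any SSID.
    heard = {norm(b) for b, _ in beacons} | {norm(b) for _, b in associations}
    for bssid in heard:
        if bssid not in inv.sanctioned_aps and bssid not in inv.neighbor_aps:
            findings.add(("rogue_ap", bssid, ""))
    for station, bssid in associations:
        station, bssid = norm(station), norm(bssid)
        ours = station in inv.corporate_stations
        if bssid in inv.sanctioned_aps and not ours:
            findings.add(("foreign_device", bssid, station))
        elif bssid in inv.neighbor_aps and ours:
            findings.add(("accidental_association", bssid, station))
    return sorted(findings)

# Constructed sample data (locally administered 02:... addresses, not real devices).
INVENTORY = make_inventory(
    aps=["02:00:00:AA:00:01"],
    stations=["02:00:00:BB:00:01", "02:00:00:BB:00:02"],
    neighbors=["02:00:00:CC:00:01"],
)
BEACONS = [("02-00-00-aa-00-01", "CORP"), ("02:00:00:cc:00:01", "NEIGHBOR-A"),
           ("02:00:00:dd:00:01", "linksys")]  # last BSSID is in no list
ASSOCIATIONS = [
    ("02:00:00:bb:00:01", "02:00:00:aa:00:01"),  # issued laptop on corporate AP
    ("02:00:00:ee:00:09", "02:00:00:aa:00:01"),  # unknown station on corporate AP
    ("02:00:00:bb:00:02", "02:00:00:cc:00:01"),  # issued laptop on neighbour's AP
]

if __name__ == "__main__":
    print(*classify(INVENTORY, BEACONS, ASSOCIATIONS), sep="\n")
```
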

Page 13: Put Wireless LAN Security Monitoring in your budget. - Gartner

© Giga Research, a wholly owned subsidiary of Forrester Research, Inc.

Best Practices for Securing Enterprise WLANs

WLAN POLICY

No WLANs:
- Monitor & Root out Rogue WLANs

Sanctioned WLANs:
- Securing the perimeter
- Lock down APs & User Stations
- Use Strong Encryption & Authentication & Authorization
- Monitor your Air Space

Page 14: Put Wireless LAN Security Monitoring in your budget. - Gartner

Copyright © 2003 AirDefense Proprietary and Confidential.

802.11 Security Standards

WEP: Wired Equivalent Privacy, a wireless encryption standard, which was developed by the IEEE 802.11 standards committee.

802.1X: IEEE 802.1 standard for authentication, which supports multiple authentication modes, including RADIUS, that can be used in wireline and wireless networks.

LEAP: Lightweight Extensible Authentication Protocol, which includes Cisco’s proprietary extensions to 802.1X to share authentication data between Cisco WLAN access points and the Cisco Secure Access Control Server.

TKIP: Temporal Key Integrity Protocol, which was developed by the IEEE 802.11i standards committee as a WEP improvement.

TTLS: Tunneled Transport Layer Security, which was developed by Funk Software and Certicom, is now an IETF draft standard. It is an alternative to PEAP.

PEAP: Protected Extensible Authentication Protocol, which was developed by Microsoft, Cisco and RSA Security, is now an IETF draft standard. PEAP encrypts authentication data using a tunneling method.

WPA: Wi-Fi Protected Access – Announced by the Wi-Fi Alliance to describe 802.1X with TKIP and MIC. Subset of the 802.11i security standard expected in Q4 ’03.

802.11i: IEEE standards group effort that involves fixing perceived weaknesses in 802.1X and WEP and creating an umbrella standard for 802.11 security

Page 15: Put Wireless LAN Security Monitoring in your budget. - Gartner

AirDefense Solution: Plug & Protect

- Real-time Monitoring
- Multiple Correlation, Analysis & IDS Engines
- Integrated Reporting

[Diagram labels: Appliance, SmartSensor, Access Points, Wireless Stations, Hacker, Rogue Access Point, Remote Secure Browser]

- Smart Sensors scanning 802.11 a/b/g
- Selective processing, Encryption
- Centralized Management

Designed for Enterprise Scalability & Central Management

Page 16: Put Wireless LAN Security Monitoring in your budget. - Gartner

AirDefense Functionality

1. SECURITY
- Rogue Detection, Analysis & Mitigation
- Intrusion Detection System
- Forensics & Incident Analysis
- Active Defenses

2. COMPLIANCE
- Enterprise Policy Monitoring
- Regulatory Compliance: DoD, HIPAA, SOX, FDIC, OCC, GLBA

3. TROUBLESHOOTING
- Remote Troubleshooting
- Availability
- Network Usage & Performance

Page 17: Put Wireless LAN Security Monitoring in your budget. - Gartner

Experience: Fortune 500 Consumer Goods Company

HEADQUARTERS, USA: Centralized Management Console

[Diagram labels: 26-STORY, 20-STORY, 11-STORY, 3-STORY, ATRIUM, AIRPORT; BRAZIL, ARGENTINA, IRELAND, MEXICO, JAPAN, HONG KONG, SOUTH AFRICA]

Page 18: Put Wireless LAN Security Monitoring in your budget. - Gartner

Customer Examples

Page 19: Put Wireless LAN Security Monitoring in your budget. - Gartner

Southeastern Hospital - Background

Main driver: point of care access to computerized care systems at the bedside:

- Recent contract with McKesson and Siemens for wireless application deployment
- Reduction of errors on medications and physician’s orders
- Reduction of paper in all medical records
- Improved care through access to information at point of diagnosis and treatment

Page 20: Put Wireless LAN Security Monitoring in your budget. - Gartner

Southeastern Hospital - Background

Physical plant was saturated with cable, no room for real growth

- Additional devices required additional equipment in the closets
- More personnel resources are needed to support additional lines
- Wireless access will speed up application deployment

Page 21: Put Wireless LAN Security Monitoring in your budget. - Gartner

Southeastern Hospital Issues With Rogue Devices

- Columbus is saturated with wireless deployments
- Local universities are moving to wireless deployments in their classrooms
- All students are now outfitted with laptops with WLAN cards for their class work
- Two largest competitors share a property line with our campus
- Fear of unauthorized access and HIPAA’s implications
- Physicians and clinicians bringing in unauthorized devices with wireless access cards

Page 22: Put Wireless LAN Security Monitoring in your budget. - Gartner

Southeastern Hospital Rogue Incident #1 – Physician Unauthorized Access / Use

- New PACS system was installed in radiology
- Contract radiologist connected WLAN device to viewing station
- Was pulling images from other hospitals via this device to be manipulated by 3-D imaging system
- HIPAA concerns, ownership of data, patient confidentiality

Solution – identified rogue device via AirDefense, removed device, contract was terminated

Page 23: Put Wireless LAN Security Monitoring in your budget. - Gartner

Southeastern Hospital Rogue Incident #2 – Vendor With Hacking Software

- An unauthorized vendor came to sell to a department in hospital
- Obtained temporary access to WLAN from ED nodes for email and internet
- Intercepted emails from materials management staff in a matter of minutes

Solution – identified rogue vendor with AirDefense as they passed through the hospital, had security meet them, and escorted them out of the building

Page 24: Put Wireless LAN Security Monitoring in your budget. - Gartner

Large Systems Integrator
Case #1: Probing Vendor

Vendor probing for WLAN within LM Aero controlled facility

AirDefense alerted security officer via email.

Security resolved situation before any damage was done.

Page 25: Put Wireless LAN Security Monitoring in your budget. - Gartner

Large Systems Integrator
Case #2: Mis-configured WLAN

Approved WLAN with several configurations out of security specs

AirDefense alerted security and network services

Security and network services resolved problem.

Page 26: Put Wireless LAN Security Monitoring in your budget. - Gartner

Large Systems Integrator
Case #3: Default Configuration

Approved AP accidentally reset to factory defaults during construction in area of building

AirDefense alerted security of default configuration.

Security was able to shut AP down before any intrusions.

Page 27: Put Wireless LAN Security Monitoring in your budget. - Gartner

A Large University Issues:

- As an educational institution we provide an open flexible network infrastructure
- Many departments with network admins who want to install their own APs
- Must maintain a standard configuration policy regardless of hardware used
- Employees bringing in access points
- Difficulty identifying WLAN performance issues

Page 28: Put Wireless LAN Security Monitoring in your budget. - Gartner

A Large University: How Can the Issues Be Addressed?

- Communication to staff, faculty, students – difficult at best
- Create policy not allowing WLAN outside of ITS control – not good, people usually want and push for what they can’t have
- War-walking – time consuming, doesn’t monitor 24-7

Page 29: Put Wireless LAN Security Monitoring in your budget. - Gartner

A Large University: 24 X 7 Monitoring with AirDefense

- 24/7 monitoring of airwaves
- Security policy enforcement
- A better view of our WLAN than EVER before
- Time savings
  - Network management
  - Security

Product was purchased by security for security purposes – but the reality is that it’s been as much a WLAN performance & management tool

Page 30: Put Wireless LAN Security Monitoring in your budget. - Gartner

Summary

1. WLAN risks made severe by:
   - We don’t control the medium
   - We don’t control who we connect to

2. Every organization has WLANs (rogue or sanctioned)
   - Check out wigle.net

3. Detect and root out rogue WLANs
   - NetStumbler > Kismet > 24 X 7 monitoring
   - Lock down laptops (Probing, ad hoc)

4. WLAN policy is critical (Deployed or prohibited)
   - Define > Monitor > Enforce

5. When deploying, use layered security approach
   - Encryption > Authentication > 24 X 7 RF Monitoring

6. Have Control over your Air Space
   - Assets > Relationships > Behavior

Page 31: Put Wireless LAN Security Monitoring in your budget. - Gartner

Contact us

Web: www.AirDefense.NET

HQs Phone: 770-663-8115

More info or demo? Darren Hamrick

Email: [email protected]

Phone: 404-786-1440