The Relationship Between Wireless Security & Management

The Relationship Between Wireless Security & Management. Greg Murphy, General Manager, AirWave Wireless, +1.650.286.6102

Upload: digitallibrary

Post on 04-Dec-2014

DESCRIPTION

The most common causes of security vulnerabilities are improper administrative access and a lack of centralized policy control. One way to help is to establish "need to know" administrative policies and define privileges by job role and by network segment. Misconfigured access points in your WLAN are another Achilles' heel of security. Combat this by automating your configuration audits against the entire configuration of each AP device. Maintain an accurate inventory of your WLAN infrastructure to guard against lost APs. Finally, track and locate lost and stolen devices.

TRANSCRIPT

Page 1: The Relationship Between Wireless Security & Management

The Relationship Between Wireless Security & Management

Greg Murphy
General Manager, AirWave Wireless
+1.650.286.6102

Page 2: The Relationship Between Wireless Security & Management

Addressing Common Security Vulnerabilities

1. Improper administrative access
2. Lack of centralized policy control
3. Misconfigured APs & controllers
4. APs without current firmware & security patches
5. Missing APs
6. Rogue APs
7. Stolen & lost devices

(Diagram labels: Network Eng, Helpdesk, WAN)

Page 3: The Relationship Between Wireless Security & Management

Administrative Privileges

“I was just trying to help”

Well-meaning IT employees who get “in over their heads” cause a significant number of security breaches

Page 4: The Relationship Between Wireless Security & Management

1. Establish “Need to Know” Administrative Policies

• Implement flexible administrative roles:
– “Read-Only” (Help Desk)
– “Read-Write” (Network Engineers)
– “Auditor” (Security Team)
– “Administrator” (Sys Admin)
– etc.
• Define privileges by network segment
– Geography (North America vs. EMEA)
– Group (Retail Stores vs Corporate HQ)
– Etc.
• Single sign-on for wired and wireless (via TACACS, etc.)

All staff members should have access to the network information they need to do their jobs… and nothing more.

(Diagram labels: Distribution Center Network; Retail Store Network; “Read-Only” Monitoring Access; “Read-Write” Configuration Privileges; Retail Help Desk; Distribution Center Network Engineer)
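The role-plus-segment model on this slide can be expressed as a default-deny authorization check. The following is an added example, not part of the original deck or any AirWave product; the role names come from the slide, while the users, action names and segment paths are assumptions made for illustration.

```python
# Added example: role- and segment-scoped authorization for WLAN management.
# Role names come from the slide; users, actions and segment paths are constructed.
from dataclasses import dataclass

# Actions each administrative role may perform (assumed action names).
ROLE_ACTIONS = {
    "read-only": {"view_status"},
    "auditor": {"view_status", "view_config"},
    "read-write": {"view_status", "view_config", "change_config"},
    "administrator": {"view_status", "view_config", "change_config", "manage_users"},
}

@dataclass(frozen=True)
class Grant:
    role: str
    segment: str  # path-like scope such as "na/retail"; "*" means every segment

# Constructed assignments mirroring the slide's help desk and engineer examples.
GRANTS = {
    "retail_helpdesk": [Grant("read-only", "na/retail")],
    "dc_engineer": [Grant("read-write", "na/dc"), Grant("read-only", "na/retail")],
    "sec_team": [Grant("auditor", "*")],
}

def in_scope(scope: str, segment: str) -> bool:
    """True if segment equals scope or lies beneath it, compared per path component
    so that "na/retail" does not accidentally cover "na/retail-east"."""
    if scope == "*":
        return True
    s, t = scope.split("/"), segment.split("/")
    return t[:len(s)] == s

def is_allowed(user: str, action: str, segment: str) -> bool:
    """Default deny: unknown users, roles or actions get nothing."""
    for grant in GRANTS.get(user, []):
        if action in ROLE_ACTIONS.get(grant.role, set()) and in_scope(grant.segment, segment):
            return True
    return False

def effective_access(user: str, segments, actions):
    """Access-review helper: every (segment, action) pair the user can exercise."""
    return sorted((s, a) for s in segments for a in actions if is_allowed(user, a, s))
```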

Page 5: The Relationship Between Wireless Security & Management

Diverse Devices Means Complex Security

(Chart: security protocols supported, by device. Protocols: WPA2, WPA, WEP, None, VPN. Device categories: Company Owned/Managed, Personal Devices. Devices: Company Laptop, Company-issued Smartphone, Legacy scanner, Guest Laptop, Employee Smartphone, Printer, Security Camera, PDA, PoS Device)

Page 6: The Relationship Between Wireless Security & Management

2. Centralize Management of Multiple Security Policies

With multiple devices and classes of users, IT must administer complex security policies uniformly…

(Diagram labels)
SSIDs and security settings:
– SSID1: WPA2
– SSID2: WPA
– SSID3: WPA PSK
– SSID4: Guest
– SSID5: WEP with ACL
Devices:
– Company Laptop
– Company-issued Smartphone (does not support WPA2)
– Legacy scanner
– Guest Laptop
– Employee-owned Smartphone
Networks and access levels:
– Trusted Data Network
– Secure Voice Network
– “Tolerated Network” (strict firewall policy)
– Guest Network
– Distrib. Center Network
– IP PBX
– Internet
– Full Network Access
– Partial Access

Page 7: The Relationship Between Wireless Security & Management

Misconfigured Access Points

The Wireless “Needle in a Haystack”

• AirWave data show that more than 30% of wireless APs today do not comply with policy

• Analysts see misconfigured infrastructure and devices as the cause of up to 90% of security breaches

Page 8: The Relationship Between Wireless Security & Management

3. Automate Compliance Audits

• Manual configuration audits are too time-consuming and do not get done
• Wireless IDS systems cannot detect non-RF configuration errors and cannot ‘repair’ misconfigured devices
• All ‘mismatches’ are not created equal… security related violations matter most

To guard against misconfigurations, you must automate compliance auditing against the entire configuration of each device

With thousands of APs and controllers, it is easy for a significant configuration error to go undetected…
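A whole-configuration audit of the kind this slide calls for compares every setting on every device with a policy template and ranks security-related mismatches first. The following is an added example, not part of the original deck or any AirWave product; the setting names, values, device names and the choice of which settings count as security-related are assumptions made for illustration.

```python
# Added example: audit every setting of each AP against a policy template.
# Setting names, values and device names are constructed for illustration.
POLICY = {
    "ssid": "corp-data", "encryption": "wpa2",
    "snmp_community": "<site-secret>", "telnet_enabled": False,
    "channel_width_mhz": 20, "syslog_server": "10.0.0.5",
}
# Settings whose mismatch is a security violation rather than tuning drift (assumed).
SECURITY_KEYS = {"encryption", "snmp_community", "telnet_enabled"}

DEVICES = {  # constructed running configurations
    "ap-store-12": {**POLICY, "encryption": "wep", "snmp_community": "public"},
    "ap-dc-03": {**POLICY, "channel_width_mhz": 40, "http_admin": True},
    "ap-hq-07": dict(POLICY),
    "ap-store-31": {k: v for k, v in POLICY.items() if k != "syslog_server"},
}
_MISSING = object()

def audit_device(config, policy=POLICY):
    """Return (severity, key, expected, actual) for every mismatch.
    Walks the union of keys, so missing and unexpected settings are both caught."""
    findings = []
    for key in sorted(set(policy) | set(config)):
        want, have = policy.get(key, _MISSING), config.get(key, _MISSING)
        if want == have:
            continue
        # A setting outside the template is unreviewed; this example treats it
        # as a security finding (an assumption, not something the deck states).
        sev = "security" if key in SECURITY_KEYS or want is _MISSING else "other"
        findings.append((sev, key,
                         None if want is _MISSING else want,
                         None if have is _MISSING else have))
    # Stable sort: security findings first, key order preserved within each group.
    return sorted(findings, key=lambda f: f[0] != "security")

def audit_fleet(devices=DEVICES):
    """Non-compliant devices only, those with the most security findings first."""
    report = {name: audit_device(cfg) for name, cfg in devices.items()}
    report = {name: f for name, f in report.items() if f}
    return sorted(report.items(),
                  key=lambda kv: -sum(1 for f in kv[1] if f[0] == "security"))
```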

Page 9: The Relationship Between Wireless Security & Management

Keeping Up With Vendor Security Patches

“Oh good! Another security patch!”

Page 10: The Relationship Between Wireless Security & Management

4. Ensure that All Security Patches Are Applied

• Patch management becomes complex with:
– Thousands of APs & controllers
– Multiple generations of hardware
– Different hardware vendors
– Diverse wireless architectures
• Need centralized firmware distribution
– Specify ‘minimum acceptable’ firmware
– Detects and auto-updates devices
– Performs multi-phase ‘before-and-after’ validation
• Prove it to the auditors
– “Inventory Report” identifies the software running on each AP and controller

Auditors demand prompt application of vendor-provided security patches across the entire network…

…You need to be able to prove that it’s been done -- everywhere

(Screenshot labels: Define Minimum Acceptable Versions; Reports to Demonstrate Compliance)
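A ‘minimum acceptable’ firmware check across mixed hardware has to compare versions numerically and must not silently pass devices it cannot evaluate. The following is an added example, not part of the original deck or any AirWave product; the model names, versions and device names are constructed, and the dotted-numeric version format is an assumption.

```python
# Added example: "minimum acceptable firmware" check producing an inventory report.
# Models, versions and device names are constructed; versions assumed dotted numeric.
import re

MIN_FIRMWARE = {"vendorA-ap100": "12.3.7", "vendorB-ctl": "4.0"}

INVENTORY = [  # constructed inventory rows
    {"name": "ap-store-12", "model": "vendorA-ap100", "firmware": "12.3.10"},
    {"name": "ap-store-31", "model": "vendorA-ap100", "firmware": "12.3.7"},
    {"name": "ap-dc-03", "model": "vendorA-ap100", "firmware": "12.3.6b"},
    {"name": "ctl-hq-01", "model": "vendorB-ctl", "firmware": "4"},
    {"name": "ctl-dc-02", "model": "vendorB-ctl", "firmware": "3.9.2"},
    {"name": "ap-lab-01", "model": "vendorC-ap", "firmware": "1.0"},
]

def parse_version(text):
    """'12.3.10' -> (12, 3, 10). Numeric tuples compare correctly where plain
    strings do not ('12.3.10' sorts before '12.3.7'). None if not dotted numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def status(device, minimums=MIN_FIRMWARE):
    """Classify one device; anything that cannot be evaluated is reported, not passed."""
    minimum = minimums.get(device["model"])
    if minimum is None:
        return "no-policy"  # a model nobody set a minimum for
    have, want = parse_version(device["firmware"]), parse_version(minimum)
    if have is None or want is None:
        return "unparseable"
    width = max(len(have), len(want))  # pad so that "4" equals "4.0"
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return "ok" if have >= want else "below-minimum"

def inventory_report(inventory=INVENTORY):
    """Map every device name to its firmware compliance status."""
    return {d["name"]: status(d) for d in inventory}

def needs_attention(inventory=INVENTORY):
    """Device names an auditor would ask about: everything that is not 'ok'."""
    return [name for name, s in inventory_report(inventory).items() if s != "ok"]
```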

Page 11: The Relationship Between Wireless Security & Management

Access Points are Easy to “Misplace”

“I could have sworn we installed an AP in Toledo”

“Lost APs” may still be on your network, but you can’t reach them

Page 12: The Relationship Between Wireless Security & Management

5. Maintain an Accurate Infrastructure Inventory

• Automated device discovery
• Multiple discovery techniques
• Ongoing detection of new infrastructure devices
• Automated alerts whenever an AP cannot be reached
• Daily generation of a full inventory report

Your wireless network cannot be secure unless you know what infrastructure you have and where it is located…

“Lost APs” may contain valuable information like SNMP strings, administrator ID, passwords, IP addresses of other network devices (RADIUS servers, TACACS servers), etc.

Page 13: The Relationship Between Wireless Security & Management

Rogue Access Points

Who is More Likely to Install a Rogue AP on Your Network?

Page 14: The Relationship Between Wireless Security & Management

6. Detect Rogue Access Points Anywhere

• Users typically install rogues where you do not yet have wireless APs or sensors (or where coverage is weak)
• Most organizations do not yet have wireless 802.11a/b/g coverage in 100% of facilities
• Without wall-to-wall coverage, wireless scans via your authorized APs or sensors cannot detect all rogues
• Good security combines detection via wireless techniques with scans across the wired network infrastructure

Wireless rogue AP detection is not enough…

… Use a combination of wired and wireless scans to detect and locate rogue APs anywhere on your network

(Diagram: “The problem with RF Detection”, with labels “Detected? No” and “Detected? Yes”)

Page 15: The Relationship Between Wireless Security & Management

Lost Devices

Murphy’s Law, Part II: Anything that can be lost, will be lost

Page 16: The Relationship Between Wireless Security & Management

7. Track and Locate Lost & Stolen Devices

Lost and stolen devices are valuable assets that may contain critical security information… You need to find them

(Flowchart labels: Search for the Device on Your Network; Found? Yes / No; Locate the Device; Track the 24 Hour Roaming History; Determine Last Known Location (Location, Date/Time); Use User Session Reports to See if Device Returns)

Page 17: The Relationship Between Wireless Security & Management

If your wireless network is not managed…

… It cannot be secure.

Greg Murphy
General Manager, AirWave Wireless
+1.650.286.6102