IDS for WLANs
Security for Enterprise Networks
Wireless LAN Security Workshop
Wash DC, Honolulu
Brian Mansfield, Chief Security Consultant, The Mansfield Group, LLC

Is your WLAN really protected?
Is your WIRED network really protected?

Should you care?

The number of frequent WLAN users in North America will grow from 4.2 million in 2003 to... more than 31 million by 2007.
Gartner Symposium/ITxpo 2003

Enterprise Market Drivers:
- Wi-Fi client ubiquity
  - Centrino market penetration
  - 95% of new laptops include Wi-Fi by 2004
- WLAN “Switch” technology
  - Vendor neutral deployment options
  - Effective network security & mgmt solutions
  - Range of infrastructure investment options
- Wi-Fi’s “Secret Weapon” - VoWLAN
  - Voice & data through single device
  - One-number connectivity on campus

Infonetics Research - Worldwide WLAN Hardware Forecast

“…but our company has no plans to deploy a WLAN…”
Guess what? You still need a WIDS strategy!

Why?
HostAP, Airjack, AirSnarf, Kismet, Wellenreiter, Airsnort, Netstumbler, Knoppix, File2air, cqure AP
ROGUE APs, Soft APs, accidental associations, malicious associations
YOUR EMPLOYEES!

Risk Points within the Enterprise
- Employees install unauthorized APs
- Employees share files via Ad-Hoc mode
- Employees carry Wi-Fi enabled clients
- Employees connect to WAN via home WLAN
- Employees connect to WAN via public Hotspots
- Employees are vulnerable to attack APs

Likely Sources of Attack
CSI/FBI 2003 Computer Security Survey

Security Strategy for Companies with NO WLAN
1. Conduct WLAN Security Assessment
2. Draft WLAN Security Policy
3. Monitor Your Airspace
4. Enforce Security Policy, Update & Refine

RF BROADCAST OVERFLOW

1. Conduct WLAN Security Assessment
Survey airspace inside your organization
- What devices are broadcasting in your environment?
- What protocols/data are being transmitted?
- Where are they located?
- Are any connected to your LAN?
Sweep airspace around perimeter
- What external sources are penetrating environment?
- What protocols/data are being transmitted?
- Where are they located?
- How are they configured?

2. Draft WLAN Security Policy
Extension to Existing IT Security Policy
- Protect assets that require integrity (financial, medical)
- Protect assets that need confidentiality (payroll, HIPAA)
- Protect assets that need high availability (order, transact)
Configuration, Systems Use & IRP Policy
- Prohibit unsanctioned APs / ad-hoc networking?
- Incident response procedure (IRP)
- Policy for public Hotspot & home WLAN use
- Configuration standards - Wi-Fi enabled? XP, WEP, SSID

3. Monitor Your Airspace - Verify policy adherence
- Internal monitoring
- Perimeter monitoring
- Unsanctioned APs / rogue AP detection
- Machine/device configuration violations
- External systems broadcasting availability?
- Network intrusions or attacks
- Use violations - ad hoc networking

4. Enforce Policy, Update & Refine
Active response:
- Reset device
- Reconfigure device
- Disconnect device
Passive response:
- SNMP
- Syslog
- Audit trail / forensic database

Security Technologies Used
CSI/FBI 2003 Computer Security Survey

WIDS Product Mix
- MANUAL
- DISTRIBUTED
- INTEGRATED
- MANAGED

MANUAL
- Handheld/laptop scanner
- “Snapshot” view
- Rogue AP & client detection
- Performance statistics
- Security alarms
- RF analysis & site survey
- GPS logging

DISTRIBUTED
- Radio sensors
- 24 x 7 monitoring
- Policy enforcement
- Stateful analysis
- Centrally managed & paging alerts
- IPS capabilities (SNMP)
[Diagram labels: HQ - Washington DC, Chicago, Boston, Sensor, Management Server, Rogue AP, DoS Attack, Unauthorized AP User Security Violation]

INTEGRATED
- “Wireless-aware” switch
- IDS module in AP
- Rogue AP location ID
- Dynamic site surveys
- Security policy monitoring
- Radio resource mgmt
- Enhanced IPS
[Diagram labels: L2/L3 Switch or Mgmt Server, AP, Rogue AP]

MANAGED
- Dedicated team of IDS experts
- Maintain system access & control while outsourcing daily monitoring tasks
- Customization of services - rogue AP, reporting, custom signature sets, forensics, etc.
- Escalation procedure management - incident response, notification and mitigation actions
- Long-term TCO benefits - Lease vs. buy option
- Integrated & correlated w/ wired IDS or IPS

WLAN Attack Scenarios
- Layer 1 - Denial of Service
- Layer 2 - Rogue AP
- Layer 3 - IP Hi-jack

Airsnort - SAME SSID, CH1 & CH3

Kismet - DIFFERENT SUBNETS

CRC DoS ALARM

AiroPeek - Rogue AP

NEW IP SUBNET

Do you telecommute or connect to your company network from home?
1. Yes
2. No

Do you use a Wi-Fi network at home?
1. Yes
2. No

Is your WIRED network really protected?