
Hosted by

IDS for WLANs

The Mansfield Group, LLC: 802.11 Security for Enterprise Networks

www.itvshop.com

Wireless LAN Security Workshop, Washington DC / Honolulu

The Mansfield Group, LLC • http://www.itvshop.com

Brian Mansfield, Chief Security Consultant, The Mansfield Group, LLC

Is your WLAN really protected? Is your WIRED network really protected?


Should you care?


The number of frequent WLAN users in North America will grow from 4.2 million in 2003 to more than 31 million by 2007.

Gartner Symposium/ITxpo 2003

Enterprise Market Drivers:

Wi-Fi client ubiquity

• Centrino market penetration

• 95% of new laptops include Wi-Fi by 2004

WLAN “Switch” technology

• Vendor neutral deployment options

• Effective network security & mgmt solutions

• Range of infrastructure investment options

Wi-Fi’s “Secret Weapon” - VoWLAN

• Voice & data through single device

• One-number connectivity on campus

[Figure: Worldwide WLAN Hardware Forecast, Infonetics Research - www.infonetics.com]

“…but our company has no plans to deploy a WLAN…”

Guess what? You still need a WIDS strategy!

Why?

Tools and threat sources in the air around you: HostAP, Airjack, AirSnarf, rogue APs, Kismet, Wellenreiter, Airsnort, Netstumbler, Knoppix, File2air, cqure AP, soft APs, accidental associations, malicious associations, and YOUR EMPLOYEES!

Risk Points within the Enterprise

• Employees install unauthorized APs

• Employees share files via Ad-Hoc mode

• Employees carry Wi-Fi enabled clients

• Employees connect to WAN via home WLAN

• Employees connect to WAN via public Hotspots

• Employees are vulnerable to attack APs

[Figure: Likely Sources of Attack - CSI/FBI 2003 Computer Security Survey]

Security Strategy for Companies with NO WLAN

1. Conduct WLAN Security Assessment

2. Draft WLAN Security Policy

3. Monitor Your Airspace

4. Enforce Security Policy, Update & Refine

RF BROADCAST OVERFLOW


1. Conduct WLAN Security Assessment

• Survey airspace inside your organization

What devices are broadcasting in your environment?

What protocols/data is being transmitted?

Where are they located?

Are any connected to your LAN?

• Sweep airspace around perimeter

What external sources are penetrating environment?

What protocols/data is being transmitted?

Where are they located?

How are they configured?

2. Draft WLAN Security Policy

• Extension to Existing IT Security Policy

Protect assets that need confidentiality (payroll, HIPAA)

Protect assets that require integrity (financial, medical)

Protect assets that need high availability (order, transact)

• Configuration, Systems Use & IRP Policy

Prohibit unsanctioned APs / ad-hoc networking?

Policy for public Hotspot & home WLAN use

Configuration standards - Wi-Fi enabled? XP, WEP, SSID

Incident response procedure (IRP)

3. Monitor Your Airspace - Verify policy adherence

• Internal monitoring

• Perimeter monitoring

What to look for:

Unsanctioned APs / rogue AP detection

Machine/device configuration violations

External systems broadcasting availability?

Network intrusions or attacks

Use violations - ad hoc networking
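A toy version of the checks this monitoring step calls for (rogue AP with a spoofed SSID, configuration drift on a sanctioned AP, unsanctioned open/WEP APs, ad-hoc use violations), added here as an example; it is not code from the workshop or from any WIDS product. The authorized inventory, the Beacon record layout and the observed beacons are constructed sample data standing in for what a sensor would report.

```python
from dataclasses import dataclass

# Authorized AP inventory, BSSID -> (SSID, channel, encryption). Constructed sample.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA"),
    "00:11:22:33:44:06": ("CorpNet", 6, "WPA"),
}
CORPORATE_SSIDS = {ssid for ssid, _, _ in AUTHORIZED_APS.values()}

@dataclass(frozen=True)
class Beacon:  # one observed beacon, as a sensor would report it (constructed schema)
    bssid: str
    ssid: str
    channel: int
    encryption: str     # "OPEN", "WEP" or "WPA"
    ibss: bool = False  # True when the beacon advertises an ad-hoc (IBSS) network

def classify(b):
    """Return the policy alarms one beacon raises; an empty list means compliant."""
    if b.ibss:
        return ["USE_VIOLATION_ADHOC"]          # ad-hoc networking prohibited by policy
    if b.bssid in AUTHORIZED_APS:
        expected = AUTHORIZED_APS[b.bssid]
        if (b.ssid, b.channel, b.encryption) != expected:
            return ["CONFIG_VIOLATION"]         # sanctioned AP drifted from its standard
        return []
    if b.ssid in CORPORATE_SSIDS:
        return ["ROGUE_AP_SPOOFED_SSID"]        # unknown BSSID advertising our SSID
    if b.encryption in ("OPEN", "WEP"):
        return ["UNSANCTIONED_AP"]              # unknown AP with weak or no encryption
    return ["EXTERNAL_AP"]                      # neighbouring network: track, do not block

def audit(beacons):
    """Map each non-compliant BSSID to its alarms (the audit-trail record)."""
    report = {}
    for b in beacons:
        alarms = classify(b)
        if alarms:
            report[b.bssid] = alarms
    return report

SAMPLE = [  # constructed observations from one monitoring sweep
    Beacon("00:11:22:33:44:01", "CorpNet", 1, "WPA"),
    Beacon("00:11:22:33:44:06", "CorpNet", 6, "WEP"),   # WPA downgraded to WEP
    Beacon("de:ad:be:ef:00:03", "CorpNet", 3, "OPEN"),  # our SSID on channel 3
    Beacon("de:ad:be:ef:00:11", "linksys", 11, "OPEN"),
    Beacon("02:aa:bb:cc:dd:ee", "share", 9, "OPEN", ibss=True),
    Beacon("c0:ff:ee:00:00:01", "Neighbour", 11, "WPA"),
]
```

Calling `audit(SAMPLE)` flags five of the six beacons; only the first, which matches its inventory entry, is silent.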


4. Enforce Policy, Update & Refine

• Active response: reset device, reconfigure device, disconnect device

• Passive response: SNMP, Syslog

• Audit trail / forensic database

[Figure: Security Technologies Used - CSI/FBI 2003 Computer Security Survey]

WIDS Product Mix

MANUAL

DISTRIBUTED

INTEGRATED

MANAGED

MANUAL

Handheld/laptop scanner

• “Snapshot” view

• Rogue AP & client detection

• Performance statistics

• Security alarms

• RF analysis & site survey

• GPS logging

DISTRIBUTED

Radio sensors

• 24 x 7 monitoring

• Policy enforcement

• Stateful analysis

• Centrally managed

• Email & paging alerts

• IPS capabilities (SNMP)

[Diagram: sensors at HQ (Washington DC), Chicago and Boston reporting to a central Management Server; alerts shown: Rogue AP, DoS Attack, Unauthorized AP, User Security Violation]

INTEGRATED

“Wireless-aware” switch / IDS module in AP

• Rogue AP location ID

• Dynamic site surveys

• Security policy monitoring

• Radio resource mgmt

• Enhanced IPS

[Diagram: L2/L3 switch or Mgmt Server serving the APs, with a Rogue AP alongside]

MANAGED

Dedicated team of IDS experts

• Maintain system access & control while outsourcing daily monitoring tasks

• Customization of services - rogue AP, reporting, custom signature sets, forensics, etc.

• Escalation procedure management - incident response, notification and mitigation actions

• Long-term TCO benefits - lease vs. buy option

• Integrate & correlate w/wired IDS or IPS

WLAN Attack Scenarios

Layer 1 - Denial of Service

Layer 2 - Rogue AP

Layer 3 - IP Hi-jack

[Screenshot: Airsnort - SAME SSID CH1 & CH3]

[Screenshot: Kismet - DIFFERENT SUBNETS]

[Screenshot: CRC DoS ALARM]

[Screenshot: AiroPeek - Rogue AP, NEW IP SUBNET]

Audience poll: Do you telecommute or connect to your company network from home? 1. Yes 2. No (results shown: 25% / 75%)

Audience poll: Do you use a Wi-Fi network at home? 1. Yes 2. No (results shown: 75% / 25%)


Is your WIRED network really protected?