Some trends/statistics
Real
The Wireless Jungle Gets Wilder
MOBILE DEVICES ARE EXPLODING
96% of mobile employees carry >2 devices; almost 50 percent carry more than 3
iPads and eReaders entering the enterprise
Most smart phones now mixed-use
CLASSROOMS
Critical Wi-Fi User Expectations
No hassle connection
Good Performance
Ubiquitous coverage
Quick resolution to any problems
Not At the Cost of SECURITY
Wireless Security Trends for 2013
IT WILL BE MORE AND MORE CHALLENGING
Starbucks, McDonalds, Borders, Airports, Sports venues, Hospitals, Hotels and more
Or to this???
Wireless introduces new vulnerabilities
OTA data & identity thefts... From broadcast, unicast, auto-sync, notifications
Man in the middle attacks. Attacker intercepts & relays email, ftp, SSL, etc.
[Figure: protocol stack. Session and Transport layers are transparent; the Wireless LAN sits at the Data Link layer (Media Access Control / MAC) and the Physical layer]
The Rogue Access Point
PHYSICAL DEPLOYMENT OF AN UNAUTHORIZED AP INSIDE THE NETWORK
Malicious or accidental
Opens paths around wired security measures
Allows external access to the wired network
Rogues are the most well-known vulnerability
Symptomatic of the greater security challenge of wireless
[Figure: Rogue AP placed behind the NAT, IDS and Firewall]
Soft / Virtual AP Threat - Just use your phone
AND TURN INTO (SOFT) AP MODE
[Figure: End-user Laptop + Soft AP Software]
Rogue Femto Cell
FANCY, CLEVER AND MOST PROBABLY ALWAYS SUCCESSFUL
[Figure: AP Coverage. 11b @ 5.5 Mbps service area versus 11b @ 1.0 Mbps edge; from the edge an outsider can still say "I see your Beacon!"]
Outbound Connections
LOSS OF VISIBILITY INTO OUTBOUND CONNECTIONS
[Figure: Wi-Fi Data Application Sent / Rcvd passing through Fake DHCP, Fake DNS Req / Rsp and Fake App Svrs: MitM Attacks]
Wireless Client Attacks
IEEE 802.11 MANAGEMENT FRAMES ARE NOT AUTHENTICATED
Associate
Req / Rsp
Pwn Pad
Mini-pwner
WPA Cracking
IN A MORE LAZY WAY
Fact of Life #2 of 802.11: HACKER MUST BE IN WLAN RF FIELD
[Figure: System-to-system notifications between sites (San Francisco, Amsterdam, London, Sydney, Tokyo) over SSL/TLS, with AP as Sensor and remote drill-down. Sensors scan and analyze all traffic; the server stores, correlates and alerts; the console displays and manages]
AirMagnet Enterprise System Architecture
FLEXIBLE AND SCALABLE
Servers: runs on virtual or dedicated Windows Server environments; hot standby server can be in a separate datacenter; supports up to 1000 sensors per server
Sensors: sensors can be located anywhere in the global network and use a secure SSL-based link; hardware and software Sensor Agents can be combined for optimal monitoring
Dynamic Threat Update - DTU
[Figure: End-user timeline. Day 0: vulnerability published. 1 day to 2 weeks: analyze and assess severity, create and publish new DTU, automated DTU download and post-response alarm; alarm file is active]
AirMagnet Wireless Intrusion Research team can rapidly customize or create new signatures / rules for newly discovered vulnerabilities
Users have immediate protection from new threats
No disruption of WIPS protection or wireless service to update the signature module
Automated updates require no IT staff cycles
Users and the AirWise Community contribute to creation of new signatures
New threat signatures are automatically delivered to sensors across the organization for instant protection with no down time and no IT staff
Blocking/remediation
Blocking can be categorized as wireless or wired
Sensors use proven AirMagnet techniques to remediate Rogue devices via wired or wireless
Very low channel utilization when blocking
[Figure: blocking a Rogue AP on the Network, and a Laptop's Accidental Association to a Rogue AP]
Automated Perimeter Detection
COUNTERMEASURES
Wireless tracing: when the sensor detects an open Rogue or Unknown AP, it will attempt to connect to it. Once connected, it will forward itself a frame to determine if it is on the wire.
Wired listener: the sensor puts its wired interface into promiscuous mode and listens for broadcast frames, trying to match them against the Rogue and Unknown APs that are seen (+2/-2 of the wireless MAC address).
DHCP fingerprinting: the sensor on the wired interface listens for DHCP request packets to determine if the Unknown or Rogue device is on the wire.
Detection via SNMP: ARP sweep the subnet and compare the list of MAC addresses with the Unknown or Rogue list (+2/-2 of the wireless MAC address).
Switch tracing: using SNMP, crawl switches looking for the wireless MAC address of Rogue and Unknown APs (+2/-2 of the wireless MAC address); if it can't be found via this method, tracing can also be based on the connected stations' MAC addresses.
[Figure: Wired Listener, Wireless eROW Tracing, Passive Switch Rogue tracing, eROW]
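The +2/-2 MAC correlation that the wired listener, ARP sweep and switch-tracing steps share, plus the station-MAC fallback from switch tracing, as an added Python illustration (not AirMagnet's code); the wired MAC list and rogue BSSIDs are constructed sample data, and the window assumes an AP's wired MAC is numerically adjacent to its radio BSSID, which is common but not guaranteed.

```python
import re

# Constructed sample data (not a real capture): MACs seen on the wire by the
# sensor's ARP sweep / promiscuous listener, and rogue/unknown BSSIDs seen in
# the air together with the stations associated to each of them.
WIRED_MACS = ["00:11:22:33:44:55", "00:1a:2b:3c:4d:5c", "D4:CA:6D:11:22:33"]
UNKNOWN_APS = {
    "00:1a:2b:3c:4d:5e": ["3c:aa:bb:cc:dd:ee"],   # wired MAC is 2 below the BSSID
    "00:1a:2b:aa:bb:01": ["d4:ca:6d:11:22:33"],   # only a station shows up on the wire
    "08:00:27:00:00:10": ["10:20:30:40:50:60"],   # nothing on the wire
}

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-][0-9a-fA-F]{2}){5}$")


def mac_to_int(mac):
    """48-bit MAC string -> int, so the +2/-2 window is a plain subtraction."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return int(re.sub(r"[:-]", "", mac), 16)


def is_on_wire(bssid, wired_macs, tolerance=2):
    """Return the closest wired MAC within +/-tolerance of the BSSID, or None."""
    b = mac_to_int(bssid)
    best = None
    for m in wired_macs:
        d = abs(mac_to_int(m) - b)
        if d <= tolerance and (best is None or d < best[1]):
            best = (m.lower(), d)
    return best[0] if best else None


def classify_rogues(unknown_aps, wired_macs, tolerance=2):
    """Map each BSSID to (verdict, evidence). Verdicts: on-wire:bssid when the
    AP's own MAC falls in the window, on-wire:station when one of its clients
    is seen on the wire (the switch-tracing fallback), else not-on-wire."""
    wired = {m.lower() for m in wired_macs}
    result = {}
    for bssid, stations in unknown_aps.items():
        hit = is_on_wire(bssid, wired, tolerance)
        if hit:
            result[bssid] = ("on-wire:bssid", hit)
            continue
        seen = [s.lower() for s in stations if s.lower() in wired]
        result[bssid] = ("on-wire:station", seen[0]) if seen else ("not-on-wire", None)
    return result
```

A "not-on-wire" verdict only means this heuristic found nothing; the DHCP fingerprinting and wireless tracing steps above remain the independent checks.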
Rogue Location Methods
COMPLETE SECURITY VISIBILITY
SCANNING ON ALL 200 EXTENDED CHANNELS FOR 5 GHZ
Forensic Capture
BETTER THAN BEING THERE
The Challenge: security and performance event triggers often require post inspection to determine remediation
3G/4G/LTE spectrum analysis
Introducing AME Cellular Spectrum Security
Value Proposition and Key Features
Value Prop: allows proactive IT pinpointing of cellular spectrum security issues before they happen
Unique Features: spectrum visibility scans the entire cellular spectrum for security events such as unauthorized calls and signal jamming
[Figure: PRIMARY and HOT STANDBY servers; investigate WLAN behavior in real-time]
Real-Time Remote Spectrum Analysis
FULL DEDICATED SPECTRUM RADIO for analysis and classification
Remote Spectrum interface for live troubleshooting
Covers 2.4GHz, 5GHz and 4.9GHz
19 classification alarms
BYOD classification
VIEWING THE SMART DEVICES
Wireless Assurance
Automatic Health Check Benefits
IDEA: SIMULATE A WIRELESS CLIENT
Reporting
EVERYTHING IS AUTOMATED
3rd Party Integration
MULTIPLE MECHANISMS TO PASS EVENT DATA TO EXISTING MONITORING PLATFORMS
[Figure: PRIMARY and HOT STANDBY servers forwarding events via SNMP, Syslog, Email and Custom Server]
SENSOR4-R2S1-I A5032: 802.11N + Spectrum. A maximum of 10 sensors may be ordered with this SKU. Upgrade to unlimited sensor support (AM/A5508G-Ugd is available for future expansion). AHC. *1 choice between external and internal antennas
FLEXIBLE AND SCALABLE: AM/5510 + AM/A5508G-Ugd = unlimited AME
RTK
With this new solution, organizations can:
Solve WLAN problems anywhere with central IT staff; no remote staff involvement or truck rolls required
Enable complete 24x7 Wi-Fi and spectrum analysis across the enterprise or campus network to remote areas or sites
Expand the reach and effectiveness of overburdened IT staff
Reduce tech support calls by resolving WLAN problems before users are impacted
Reduce costs by reducing the need to send staff or consultants onsite to resolve issues.
Conclusion
WIFI is exploding
WIFI data is increasing
Wireless becomes critical (essential part of IT infrastructure)
Mobile devices as the new target
Protecting and securing the air will become more important
Real time monitoring with pro-active root cause analysis / troubleshooting will be key
AME is a REAL 1st line of defense with pure focus on OSI layer 1&2
Automated security threat update will be critical for security defense & detection
Fluke Networks has a full cycle of products to support Wireless LAN
[Figure: FLUKE NETWORKS WLAN lifecycle with infrastructure vendors: Planning, Deployment & Verification, 24x7 Performance & Security, Troubleshooting & Interference]
Thank you
Reiner Hofmann