Storage Decisions 2003 - PowerPoint PPT Presentation

Slides: 33
Provided by: searchsecu
Transcript and Presenter's Notes

Title: Storage Decisions 2003


1
Wireless LAN Security Workshop
802.11 Security for Enterprise Networks
IDS for WLANs
Is your WIRED network really protected?
Is your WLAN really protected?
Brian Mansfield, Chief Security Consultant, The Mansfield Group, LLC
The Mansfield Group, LLC - http://www.itvshop.com - Wash DC, Honolulu
2
Should you care?
3
  • The number of frequent WLAN users in North America will grow from 4.2 million in 2003 to more than 31 million by 2007 (Gartner Symposium/ITxpo 2003)
4
Enterprise Market Drivers
  • WLAN Switch technology
  • Vendor neutral deployment options
  • Effective network security mgmt solutions
  • Range of infrastructure investment options
  • Wi-Fi client ubiquity
  • Centrino market penetration
  • 95% of new laptops include Wi-Fi by 2004
  • Wi-Fi's Secret Weapon - VoWLAN
  • Voice & data through single device
  • One-number connectivity on campus

5
Worldwide WLAN Hardware Forecast
Infonetics Research - www.infonetics.com
6
but our company has no plans to deploy a WLAN
Guess what?
You still need a WIDS strategy!
7
Why?
HostAP
Malicious associations
Airjack
AirSnarf
ROGUE APs
Kismet
Knoppix
YOUR EMPLOYEES!
Airsnort
Wellenreiter
File2air
Soft APs
Accidental associations
Netstumbler
cqure AP
8
Risk Points within the Enterprise
  • Employees install unauthorized APs
  • Employees carry Wi-Fi enabled clients
  • Employees share files via Ad-Hoc mode
  • Employees are vulnerable to attack APs
  • Employees connect to WAN via home WLAN
  • Employees connect to WAN via public Hotspots

9
Likely Sources of Attack (CSI/FBI 2003 Computer Security Survey)
10
Security Strategy for Companies with NO WLAN
Conduct WLAN Security Assessment
Draft WLAN Security Policy
Monitor Your Airspace
Enforce Security Policy, Update & Refine
11
RF BROADCAST OVERFLOW
12
1. Conduct WLAN Security Assessment
  • Survey airspace inside your organization
      • What devices are broadcasting in your environment?
      • What protocols/data are being transmitted?
      • Where are they located?
      • Are any connected to your LAN?
  • Sweep airspace around perimeter
      • What external sources are penetrating environment?
      • Where are they located?
      • What protocols/data are being transmitted?
      • How are they configured?
13
2. Draft WLAN Security Policy
  • Extension to Existing IT Security Policy
      • Protect assets that need confidentiality (payroll, HIPAA)
      • Protect assets that need high availability (order, transact)
      • Protect assets that require integrity (financial, medical)
  • Configuration, Systems Use & IRP Policy
      • Configuration standards - Wi-Fi enabled? XP, WEP, SSID
      • Prohibit unsanctioned APs / ad-hoc networking?
      • Policy for public Hotspot & home WLAN use
      • Incident response procedure (IRP)
14
3. Monitor Your Airspace - Verify policy adherence
  • Internal monitoring
      • Unsanctioned APs / rogue AP detection
      • Machine/device configuration violations
      • Use violations - ad hoc networking
  • Perimeter monitoring
      • External systems broadcasting availability?
      • Network intrusions or attacks
15
4. Enforce Policy, Update & Refine
  • Active response
      • Reset device
      • Reconfigure device
      • Disconnect device
  • Passive response
      • SNMP
      • Syslog
  • Audit trail / forensic database
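
Steps 1 through 4 above, as an added example that is not part of the original presentation: a survey inventory is checked against a written WLAN policy, and each violation is rendered as a syslog-style line for passive response. The policy values, record field names (`on_lan`, `encrypted`), rule names and sample records are constructed assumptions.

```python
# Added example; every value below is constructed, not taken from the slides.
POLICY = {
    "sanctioned_bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corporate_ssid": "CORP-WLAN",   # hypothetical SSID
    "require_encryption": True,      # step 2: configuration standard
    "prohibit_adhoc": True,          # step 2: prohibit ad-hoc networking
}

def ap(bssid, ssid, mode, encrypted, on_lan):
    """One survey record, as a sensor or handheld scanner might report it."""
    return {"bssid": bssid, "ssid": ssid, "mode": mode,
            "encrypted": encrypted, "on_lan": on_lan}

# Constructed survey: step 1 (inside airspace plus perimeter sweep).
SURVEY = [
    ap("00:11:22:33:44:01", "CORP-WLAN", "infrastructure", True, True),
    ap("00:11:22:33:44:02", "CORP-WLAN", "infrastructure", False, True),
    ap("0a:bb:cc:dd:ee:10", "linksys", "infrastructure", False, True),
    ap("02:aa:bb:cc:dd:20", "share", "ad-hoc", False, False),
    ap("0a:bb:cc:dd:ee:30", "CORP-WLAN", "infrastructure", True, False),
    ap("0a:bb:cc:dd:ee:40", "CoffeeShop", "infrastructure", False, False),
]

def evaluate(survey, policy):
    """Step 3: return (severity, rule, bssid) for every policy violation."""
    findings = []
    for rec in survey:
        bssid = rec["bssid"]
        if rec["mode"] == "ad-hoc":
            if policy["prohibit_adhoc"]:
                findings.append(("warning", "adhoc-network", bssid))
        elif bssid in policy["sanctioned_bssids"]:
            if policy["require_encryption"] and not rec["encrypted"]:
                findings.append(("warning", "config-violation", bssid))
        elif rec["on_lan"]:
            # Unsanctioned AP bridged to the wired LAN: the rogue AP case.
            findings.append(("critical", "rogue-ap-on-lan", bssid))
        elif rec["ssid"] == policy["corporate_ssid"]:
            # Unknown radio advertising the corporate SSID from outside the LAN.
            findings.append(("critical", "ssid-impersonation", bssid))
        else:
            findings.append(("info", "external-ap", bssid))
    return findings

def to_syslog(finding):
    """Step 4, passive response: one log line per finding for the audit trail."""
    severity, rule, bssid = finding
    return f"wids[{severity}] rule={rule} bssid={bssid}"
```
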

16
Security Technologies Used (CSI/FBI 2003 Computer Security Survey)
17
WIDS Product Mix
  • MANAGED
  • INTEGRATED
  • DISTRIBUTED
  • MANUAL

18
MANUAL
  • Handheld/laptop scanner
  • Snapshot view
  • Rogue AP client detection
  • Performance statistics
  • Security alarms
  • RF analysis & site survey
  • GPS logging

19
DISTRIBUTED
  • Radio sensors
  • 24 x 7 monitoring
  • Policy enforcement
  • Stateful analysis
  • Centrally managed
  • Email & paging alerts
  • IPS capabilities (SNMP)

HQ - Washington DC
20
INTEGRATED
  • Wireless-aware switch
  • IDS module in AP
  • Rogue AP location ID
  • Dynamic site surveys
  • Security policy monitoring
  • Radio resource mgmt
  • Enhanced IPS

[Diagram labels: Rogue AP, three APs, L2/L3 Switch or Mgmt Server]
21
MANAGED
  • Dedicated team of IDS experts
  • Maintain system access control while outsourcing daily monitoring tasks
  • Customization of services - rogue AP, reporting, custom signature sets, forensics, etc.
  • Escalation procedure management - incident response, notification and mitigation actions
  • Integrate correlated w/wired IDS or IPS
  • Long-term TCO benefits - Lease vs. buy option
22
WLAN Attack Scenarios
Layer 1 - Denial of Service
Layer 2 - Rogue AP
Layer 3 - IP Hi-jack
24
Airsnort
SAME SSID CH1 CH3
25
Kismet
DIFFERENT SUBNETS
26
CRC DoS ALARM
28
AiroPeek
Rogue AP
29
NEW IP SUBNET
30
Do you telecommute or connect to your company network from home?
  • Yes
  • No
31
Do you use a Wi-Fi network at home?
  • Yes
  • No
32
Wireless LAN Security Workshop
802.11 Security for Enterprise Networks
IDS for WLANs
Is your WIRED network really protected?
Brian Mansfield, Chief Security Consultant, The Mansfield Group, LLC
The Mansfield Group, LLC - www.itvshop.com - Wash DC, Honolulu