WLAN SECURITY FUNDAMENTALS

Presented by Neil Bhave, Channel Enablement Manager

Airheads Community · 2012-03-13

CONFIDENTIAL © Copyright 2012. Aruba Networks, Inc. All rights reserved


Better visibility, better control, seamless mobility

[Diagram: “Fat” Access Points compared with “Thin” Access Points plus a Centralized Mobility Controller; functions shown: 802.11a/b/g, Antennas, Policy, Mobility, Forwarding, Encryption, Authentication, Management]

Centralized Architecture = More Secure


Controlling Rogue APs

1. AP detection
   •  See all APs

2. AP classification
   •  Are they neighbors?
   •  Or are they a threat?

3. Rogue containment
   •  Stop users from accessing rogue APs over the wire & over wireless
   •  Leave neighbors alone

4. Locate Rogue
   •  Find where it is and disconnect
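A minimal version of the detection, classification and containment decision described in these four steps, written as an added example rather than code from the deck or from Aruba. The four classes, the wired-correlation rule (a BSSID that matches a switch-table MAC apart from its low bits is treated as plugged into our LAN) and all sample MACs and SSIDs are assumptions constructed for the example.

```python
# Added example (not from the Aruba deck): every BSSID heard by a monitor is
# placed in one of four buckets, then mapped to a containment action.
# Assumption: an AP's wired-side MAC is often its BSSID with only the low
# bits changed, so a BSSID that matches a MAC in the switch forwarding table
# (ignoring those bits) is treated as attached to our wire.
from dataclasses import dataclass

AUTHORIZED_BSSIDS = {"00:0b:86:aa:bb:c0"}                  # constructed: our own APs
OUR_SSIDS = {"CORP", "GUEST"}                              # constructed: SSIDs we advertise
WIRED_MACS = {"00:1a:2b:3c:4d:50", "00:0b:86:aa:bb:c1"}    # constructed: switch CAM table


@dataclass
class SeenAP:
    bssid: str
    ssid: str
    channel: int


def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def wired_match(bssid: str, wired_macs, low_bits: int = 4) -> bool:
    """True if some wired MAC equals the BSSID apart from its low bits."""
    mask = ~((1 << low_bits) - 1)
    return any((mac_int(bssid) & mask) == (mac_int(m) & mask) for m in wired_macs)


def classify(ap: SeenAP, wired_macs=WIRED_MACS) -> str:
    if ap.bssid.lower() in AUTHORIZED_BSSIDS:
        return "valid"
    if wired_match(ap.bssid, wired_macs):
        return "rogue"               # unauthorized and on our wire: a threat
    if ap.ssid in OUR_SSIDS:
        return "suspected-rogue"     # advertises our SSID, no wired evidence yet
    return "interfering"             # a neighbor: leave it alone


def containment_action(classification: str) -> str:
    """Map steps 3 and 4 of the slide onto each class."""
    return {
        "valid": "none",
        "rogue": "contain (wired + wireless), then locate and disconnect",
        "suspected-rogue": "alert and watch for wired evidence",
        "interfering": "leave alone",
    }[classification]
```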


Client Tarpit Containment

•  Does not waste air-time during threat mitigation
•  Works against any brand and type of wireless device

1. Client is trying to associate to rogue AP
2. Air Monitor creates tarpit with fake channel or fake BSSID
3. Client associates to Air Monitor tarpit in preference to rogue
4. Client stops association attempts to rogue

[Diagram labels: Aruba Air Monitor, Client, Interfering Access Point]


Controlling Uncontrolled Wireless

[Diagram: a Windows XP Laptop acting as a Bridge between the Internal Network and a Public Network]


Wireless Intrusion Prevention - RFProtect

•  Uncontrolled wireless devices
   –  Rogue APs
   –  Laptops acting as bridges
   –  Misconfigured laptops
   –  Ad-Hoc networks

•  Attacks against the WLAN
   –  Denial of Service/flooding
   –  Forged de-authenticate/disassociate
   –  Man-in-the-Middle
   –  WEP cracking
   –  WPA-PSK cracking


TotalWatch Full Spectrum Monitoring

•  Complete Coverage
   –  2.4-GHz and 5-GHz scanning
   –  4.9-GHz public safety band

•  5-MHz channel increment scanning
   –  Rogue detection in-between channels

[Diagram: spectrum bar spanning 2.4 GHz, 4.9 GHz and 5.0 GHz, labelled “5-MHz channel scanning”]


Authentication

•  802.1X is best for Wi-Fi. Works with all modern client operating systems

•  Makes use of EAP (Extensible Authentication Protocol)

•  802.1X authentication happens at L2 – users will be authenticated before an IP address is assigned


Authentication with 802.1X: PEAP

[Diagram: STA ↔ AP/Controller over EAPOL (EAP over LAN); AP/Controller ↔ Authentication Server over RADIUS; the PEAP Encrypted Tunnel runs between the STA and the Authentication Server]


Encrypt the Data

•  If intruders can’t read the data, there’s no need to worry where it goes

   –  WEP
      •  Simple to do, easy to crack
      •  No key management
      •  Don’t do it

   –  TKIP (Temporal Key Integrity Protocol)
      •  Works on legacy hardware (pre-2003)
      •  First major flaw published in November 2008
      •  Flaw is getting worse with more research
      •  Not currently recommended

   –  CCMP/AES
      •  Encryption using AES
      •  Considered state-of-the-art
      •  Government approved (FIPS, CESG, etc.)
      •  Works on all modern hardware


Combining Authentication & Encryption: WPA

•  WPA == Wi-Fi Protected Access

•  WPA
   –  Wi-Fi Alliance “standard” based on pre-802.11i
   –  Includes TKIP for encryption

•  WPA2
   –  Wi-Fi Alliance “standard” based on ratified 802.11i
   –  Includes TKIP and CCMP for encryption

•  For both:
   –  WPA-Enterprise == 802.1X for authentication, dynamic encryption keys
   –  WPA-Personal == pre-shared authentication key – careful!


WPA-Personal? Be careful…

•  WPA Personal does not use 802.1X
   •  Pre-shared key
   •  Easier
   •  But less secure

•  Problem 1: Scalability
   •  Need to re-key any time an employee/user leaves the organization

•  Problem 2: Using weak keys
   •  WPA-PSK keys that are weak can be cracked (dictionary attack)
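Both problems follow from how the WPA-Personal key is derived, so the added example below (not code from the deck or from Aruba) shows that derivation and a passphrase policy check a defender can apply before accepting a PSK. The PBKDF2 parameters are the ones IEEE 802.11i specifies; the blocklist, the 20-character minimum and the character-class rule are assumptions standing in for a local policy.

```python
# Added example (not from the Aruba deck). 802.11i derives the Pairwise
# Master Key as PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iters, 32 B).
# Consequences the slide warns about:
#   * every station on the SSID holds the same PMK, so a departing user keeps
#     it until the passphrase is rotated for everyone (Problem 1);
#   * nothing per-user is mixed in, so a short or dictionary passphrase can be
#     guessed offline from the derivation alone (Problem 2).
import hashlib
import string

# Constructed sample blocklist; a real check would use a large wordlist.
BLOCKLIST = {"password", "wireless", "welcome1", "12345678"}
MIN_LEN = 20  # assumed local policy, stricter than the 8-character WPA minimum


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK derivation as specified for WPA-Personal (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_problems(passphrase: str) -> list:
    """Return the reasons a candidate PSK passphrase should be rejected."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")  # hard WPA rule
    if passphrase.lower() in BLOCKLIST:
        problems.append("on blocklist")
    classes = sum(any(c in cls for c in passphrase)
                  for cls in (string.ascii_lowercase, string.ascii_uppercase,
                              string.digits, string.punctuation))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters (assumed local policy)")
    return problems


def rotation_changes_pmk(old: str, new: str, ssid: str) -> bool:
    """Rotating the passphrase re-keys every client on the SSID at once,
    which is why Problem 1 is a scalability problem, not a technical one."""
    return wpa_pmk(old, ssid) != wpa_pmk(new, ssid)
```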


Configure WPA Properly

•  Configure the Common Name of your RADIUS server (matches CN in server certificate)

•  Configure trusted CAs (an in-house CA is better than a public CA)

•  ALWAYS validate the server certificate

•  Do not allow users to add new CAs or trust new servers

•  Enforce with group policy


Authorize the Data

•  Most organizations do a decent job of authentication (who the user is), but a poor job of authorization (what the user is allowed to do)

•  Mobile networks are typically multi-use

•  Authentication provides you with user identity – now use it! Identity-aware firewall policies can restrict what a user can do, based on that user’s needs

[Diagram labels: Virtual AP 1 (SSID: CORP), Virtual AP 2 (SSID: GUEST), Guest user, Employee, VoIP Device, Contractor, Default VLAN, Layer 2 Switch, Router/Firewall, Captive Portal, Radius Server, DHCP Pool, Firewall]


Why Worry About Authorization? Where is the “network perimeter” today?

•  Mobility brings us:
   –  Disappearance of physical security
   –  New mobile users, devices appearing every day
   –  Increased exposure to malware

•  Assuming that “the bad guys are outside the firewall, the good guys are inside” is a recipe for disaster

We meet again, 007!


PEF to Control Wireless Performance

[Diagram labels: Multicast/Broadcast, Chatty Protocols, Power Users Stealing B/W, Malicious or Misconfigured Clients, “Bonjour!”]

Lack of Policy Impacts Network Reliability & Performance!

•  What are Multicast and Broadcast currently being used for?
•  What problems am I creating by using large VLANs to solve mobility issues?
•  What non-critical applications are consuming bandwidth?
•  Should users be connecting to 3rd party WLANs?
•  Should users be setting up their own WLANs?
•  Should users be connected to wireless while wired?
•  How are “Power” Users affecting others?
•  How are unauthorized users affecting network availability?


Network Access Control (NAC)

•  Identity-Based Policy Control
   –  Assess user role, device, location, time, application
   –  Policies follow users throughout network
   –  (Aruba PEF)

•  Health-Based Assessment
   –  Client health validation
   –  Remediation
   –  Ongoing compliance
   –  (ClearPass OnGuard)

•  Network-Based Protection
   –  Stateful firewalls to enforce policies and quarantine
   –  User/device blacklisting based on Policy Validation
   –  (Integration with ESI)


Today’s Wireless Gold Standard

•  Centralized wireless

•  Keep clients updated – drivers too!

•  Wireless intrusion detection
   –  Control uncontrolled wireless
   –  Locate and protect against rogue APs

•  WPA2
   –  Authentication using 802.1X and EAP-TLS
   –  AES for link-layer encryption

•  Strong passwords
   –  SecurID or other token-card products
   –  Strong password policies

•  Authorization with identity-aware firewalls
   –  Enforce principle of least privilege
   –  Provide separation of user/device classes
