
White Paper

Communication for the open minded

Siemens Enterprise Communications www.siemens.com/open

Siemens Enterprise Communications July 2008

WLAN Security Today: Wireless more Secure than Wired


Executive Summary

Wireless LAN security has come a long way since the early days and the negative publicity around the shortcomings of WEP. Recent advances in WLAN technology and the ratification of key wireless security standards are giving CIOs and network administrators the high level of confidence in WLAN security that they have always needed. This whitepaper will explain the key requirements of wireless security and how the CIO can make sure their enterprise network is protected. To be effective, WLAN security must address three critical areas:

Data Confidentiality and Integrity, Authentication and Access Control, and Intrusion Detection and Prevention

Today’s WLAN systems incorporating WPA/WPA2 with AES encryption, in conjunction with 802.1x authentication, can provide a level of security for WLANs that can exceed the security of a wired LAN. At the same time, wireless intrusion detection and prevention systems are becoming more capable and easier to manage. Even if you don’t have a WLAN in place, you are vulnerable to malicious attacks if you do not have a wireless security solution in place.

Siemens’ HiPath Wireless Manager provides a complete WLAN security solution. It is WPA/WPA2 certified to provide AES encryption for data confidentiality and 802.1x for network authentication. In addition, HiPath Wireless Manager HiGuard provides an innovative and adaptive solution for wireless intrusion detection and prevention. HiGuard provides three different operational modes: sensor-less, mixed and dedicated sensor modes, to enable the wireless infrastructure to adapt to the organization’s needs.

By incorporating 802.11i-based solutions as part of a multilayered approach, enterprise network managers can reasonably ensure WLAN security. Although threat mitigation is an ongoing process, 802.11i and Advanced Encryption Standard (AES) provide WLANs with security as good as that available for wired LANs.

Source: William Terrill, the Burton Group - December 2004


Table of Contents

Executive Summary 2

1.0 The Current State of WLAN Security 4
1.1 WLAN Security Threats 4

2.0 What Makes a WLAN Secure 7
Data Confidentiality and Integrity 7
Authentication and Access Control 7
Intrusion Detection and Prevention 7
The WLAN Security Policy 8
2.1 Data Confidentiality and Integrity 8
WiFi Protected Access (WPA & WPA2) 9
2.2 Authentication and Access Control 10
How 802.1x Authentication Works 10
2.4 802.11i - Bringing it all Together 11
802.11n Implications for WIDS/WIPS 12
2.3 Intrusion Detection and Prevention 12
WLAN that is more Secure than Wired LAN 14

3.0 Siemens HiPath Wireless Security 15
802.11i Security Made Easy 15
State-of-the-Art Integrated Intrusion Detection and Prevention 15

4.0 Conclusion 17


1.0 The Current State of WLAN Security

Even after a decade of availability and promising commercial successes, security remains the number one concern for enterprise WLAN deployments. According to Joanie Wexler’s 2007 WLAN State-of-the-Market report, just over half (53%) of the global respondents identified security issues as their primary concern. The good news is that this is a significant decrease from the 2006 study, where over 70% of respondents were concerned about WLAN security. Is the anxiety over WLAN security fact or fiction, perception or reality? And what recent developments account for the growing comfort with WLAN security?

Much of the trepidation over WLAN security was due to the nature of WiFi. The 802.11 standard – also known as Wireless Ethernet – is based on the principle of a shared medium. While most managers have felt comfortable enough with the fact that they can physically secure their wired networking medium, their LAN, they were less comfortable when the network medium was the open air. There was a general perception that WLANs are inherently insecure, and early implementations reinforced this notion through well-publicized vulnerabilities and attacks. This perception has been a major problem that has kept some network managers from implementing wireless LANs altogether.

In spite of network managers’ reservations, the demand for enterprise wireless connectivity is continually growing as early adopters demonstrate increased productivity and responsiveness, and managers take notice of the significant TCO savings. As a result, IT organizations are coming under increasing pressure to ensure that the wireless network is secure. Fortunately, this can be achieved today with a minimal investment of time and effort.

There are a number of considerations that must be taken into account when deploying a secure wireless network, but the recent evolution of the technology has done a great deal to simplify this task. The 802.11i specification introduced by the IEEE has specifically addressed the problems found in the industry’s earlier security initiatives. Furthermore, WLAN infrastructure vendors have designed product portfolios with enterprise-grade security as one of the core tenets in order to distinguish themselves from consumer-grade offerings. Siemens is one such vendor, and its HiPath Wireless Portfolio delivers a robust, standards-based security solution that can assure managers that they can finally take advantage of all the benefits enterprise WLAN has to offer without exposure to security risks.

1.1 WLAN Security Threats

The very nature of networking means that users can exchange information across a distance and over a shared medium. The security implication of this is that a hacker does not need to actually walk up to a server or a user’s computer in order to gain access to critical files or communications. With wireless LAN, this threat is especially pronounced, because a hacker doesn’t even need to reside in the same physical location.

Threats to the wireless network initially stem from providing openings like those described below:


Wireless Security Threats

Mis-Configured Access Points

Just as dangerous as an unauthorized “rogue” access point is an access point that has been legitimately connected to the wired network, but improperly or insufficiently configured. For instance, if no security settings were configured, then such an access point would provide open network access to anyone.

Ad Hoc Wireless Networks

Operating systems like Windows allow the creation of networks consisting of multiple wireless clients, without an access point in between. If one of these computers is configured to participate in an ad hoc network as well as connect to the corporate WLAN via an access point, it could inadvertently create an opening for a hacker to exploit.

Client Mis-associations

In cases where companies are physically near one another, it is very possible for two wireless networks to have the same network information. In such a case, a wireless client will associate with the first access point that it contacts, and if it belongs to the neighboring WLAN, a security threat can exist.

Malicious users can often take advantage of the openings presented above, but the following examples also represent circumstances in which they can create their own openings:


Rogue access points

An unauthorized access point that has been connected to the wired network, which can provide malicious or unauthorized users with open access to the LAN.

Honeypot APs

Some hackers will be able to determine the configuration settings of the wireless LAN, and will plant an access point with the same settings within range of the network. Through mis-association, clients can connect to these honeypots assuming that they are legitimate. Clever hackers can then exploit this by connecting decoy network resources to the AP so that users login, after which the hacker can steal passwords or even confidential documents.

AP MAC Spoofing

Wireless client computers can be configured to behave like legitimate participants in the network. In this manner, a hacker can mimic an authorized user or even act as a honeypot AP.

Once a hacker has been able to find a way onto the network – whether through an existing opening or one that they created – there are a number of techniques that can be used to actually affect the corporate network:

Unauthorized Client Access

Hackers continually probe areas for open wireless networks. If a network has a weak user authentication scheme – or none at all – it is very easy for a hacker to obtain access to the corporate network and take information or launch attacks on resources in order to cause disruptions.

Denial of Service (DoS)

Because of the way networking devices work, they need to respond to any client requests. Hackers are able to exploit this by inundating a network resource with more requests than it is able to handle. Distributed DoS attacks magnify this problem by enlisting a number of unknowing computers through hidden code to simultaneously launch denial of service attacks on a potentially massive scale.

Man in the Middle

If data is unprotected, hackers can intercept messages and change the content to mislead parties that are communicating, making it seem as if the hacker is actually one of the parties.

IP Spoofing

By modifying the source IP address contained in the packet header, a hacker can intercept traffic coming from a legitimately authenticated user and make it appear that the user is actually using the hacker’s computer. As a result, all data and messages coming from a server would go back to the hacker.

Hijacking

Using software that is secretly installed on the PC of a corporate user, a hacker can gain control of the computer to gain access to resources the user is able to see, or to cause damage to servers and other computers.

90% of WLAN security incidents until 2010 will be the result of misconfigured systems.

Source: Gartner, November 2006


2.0 What Makes a WLAN Secure

Wireless network security is a big topic. Even more importantly, it is extremely dynamic. New technologies, threats and solutions appear almost every day. This complexity is the reason that many companies invest heavily in dedicated security infrastructure and highly trained specialists. Every network application and infrastructure component has a distinct set of security requirements that must be addressed before managers feel comfortable entrusting it with the enterprise’s mission critical information. For wireless LAN, security takes place on two levels: the frame level and the radio frequency (RF) level. Within this context, enterprise WLAN security requirements essentially fall into three broad categories, with the first two referring to frame-level security and the third dealing with RF-level security.

Data Confidentiality and Integrity

The protection of data as it moves across the shared medium is the most familiar aspect of WLAN security. Confidentiality is delivered through the use of encryption algorithms used to encode information in a manner that can only be decoded and read by the parties for which it is intended. Going hand-in-hand with encryption are the concepts of data integrity and non-repudiation, which help to prevent hackers from altering data. Non-repudiation is achieved through the use of a hashing algorithm which takes a snapshot of each frame’s content before it is encrypted. Even if a frame were to be decrypted, it would not be possible for a hacker to alter data contained within and fraudulently re-send the data – a process known as spoofing. Strong data confidentiality and integrity are especially critical for wireless traffic, as frames can be more easily intercepted – and potentially compromised – by virtually anyone in the vicinity of the network.

Authentication and Access Control

The mechanisms used to grant authorized users access to the wireless network and the resources residing on the broader enterprise network are just as important as encryption and integrity. Sophisticated implementations also allow for the definition of access control policies that grant different users or groups unique security settings and access to different network resources. Robust authentication and access control measures are especially vital to WLANs because there is little available in the way of physical separation of unauthorized users from the network. A user can potentially have a laptop outside of the office premises, and without an authentication mechanism to keep them out, they could gain full access to the corporate network.

Intrusion Detection and Prevention

Wireless intrusion detection and prevention services (Wireless IDS/IPS) must be able to identify and remove threats, but still allow neighboring WLANs to co-exist while preventing clients from accessing each other’s resources. Intrusion detection and prevention focuses on the radio frequency (RF) level. It involves radio scanning to detect rogue access points or ad hoc networks to regulate network access. Advanced implementations are able to visually represent the network area along with potential threats, and have automatic classification capabilities so that threats can be easily identified.

Enterprise WLAN security is not one-size-fits-all. While it is desirable to have the most sophisticated frame-level and RF-level security available, wider considerations mean that this may not always be possible. Each enterprise must weigh the level of security required against the overall costs. The solution must be cost-effective, leverage and integrate with existing security technology where possible, require little administrative maintenance and interaction, and represent an overall implementation cost that is commensurate with the initial capital expenditure. End-users will resist any implementation that is not transparent. They will expect full access to applications and network resources, and will not tolerate excessive complexity and/or performance degradation resulting from the security infrastructure. Even enterprises that have decided not to install WLANs must be concerned about WLAN security, because rogue APs and ad hoc networks between wireless-enabled laptop computers can open gaping security holes in an otherwise secure network by allowing access to the wired LAN from remote locations. Companies that are pursuing enterprise mobility and deploying WLAN should consider an enterprise wireless security policy (See sidebar – The WLAN Security Policy).

The WLAN Security Policy

It is important that organizations develop, educate and enforce an enterprise-wide WLAN security policy. The policy should outline a framework for the development of installation, protection, management, and usage procedures. A WLAN security policy must be flexible in terms of the technologies it can support. WLANs enable access by laptops, PDAs, smart phones and more, each with different features, capabilities and security requirements. This diverse set of clients cannot be secured with a “one size fits all” policy. In addition, most WLANs are designed with end-user mobility and productivity in mind. The challenge for IT staff is to develop security options that support end-user requirements. Finally, WLAN security policies must integrate with the organization’s wired network security scheme to ensure seamless protection across the organization. While WLANs present unique security challenges, security is still dependent on controlling who has access to specific information. Understanding WLAN-specific vulnerabilities and deploying a suite of tools to minimize them enables organizations to enjoy the mobility and productivity benefits of WLANs without putting business-critical applications at risk. An effective WLAN security policy should:

• Identify who may use WLAN technology and what type of access is required;

• Describe who can install access points and other wireless infrastructure equipment;

• Describe the type of information that can and cannot be sent over wireless links;

• Describe conditions under which wireless devices are allowed and how they may be used;

• Describe the hardware and software configuration for any access device;

• Provide guidelines on reporting losses of wireless devices and security incidents;

• Provide guidelines on the use of encryption and other security software; and,

• Define the frequency and scope of security assessments, audits and report generation.

2.1 Data Confidentiality and Integrity

Until recently, WEP was the IEEE’s standard for securing 802.11 traffic. The objectives of WEP were to provide data confidentiality through the use of RC4 encryption and to prevent unauthorized access to the wireless network through basic pre-shared key authentication – where a common “password” was hard-coded into the access point and the client. RC4 encryption was originally available with a 40-bit key, but the IEEE later introduced a more robust 128-bit key to enhance data confidentiality. Unfortunately, there were a number of flaws found in the way that WEP addressed confidentiality and integrity.

• To start, encryption keys were statically configured, meaning that if a WEP key were cracked, someone would be able to decrypt the information until the user reconfigured it, which rarely happened.

• The increased protection of 128-bit RC4 turned out to be misleading, as an exploit was reported whereby effective encryption strength could easily be brought back down to 40-bit.

• Data integrity was poorly addressed with the simplistic CRC-32 algorithm. Therefore, if a user could crack the WEP key, they could easily modify the data, re-encrypt it, and then send it to an unknowing user.

• The simplistic pre-shared key authentication method used by WEP was not particularly robust or scalable, requiring separate configuration of each individual wireless device, with no leveraging of existing enterprise user directories or security applications.

WEP remained sufficient to stop casual eavesdroppers from illicitly accessing the network or compromising data – ideal for small offices or home use. However, the findings mentioned above – as well as a number of subsequent well-publicized attacks – forced the conclusion that WEP did not provide the level of security necessary for enterprise-wide WLAN deployment.
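The CRC-32 weakness in the third bullet above comes down to a checksum not being a keyed integrity check. The Python below is an added illustration, not code from the white paper: it protects a constructed frame body first with a WEP-style CRC-32 ICV and then with a keyed MIC (HMAC-SHA256 standing in for Michael or CCMP's CBC-MAC), lets a party holding no key change one byte, and reports which receiver notices; it also checks the GF(2) linearity of CRC-32 that is the root of the problem.

```python
import hashlib
import hmac
import os
import zlib


def crc_protect(frame: bytes) -> bytes:
    """Append a WEP-style ICV: an unkeyed CRC-32 over the frame body."""
    return frame + zlib.crc32(frame).to_bytes(4, "big")


def crc_verify(pkt: bytes) -> bool:
    body, icv = pkt[:-4], pkt[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == icv


def mac_protect(frame: bytes, key: bytes) -> bytes:
    """Append a keyed MIC. HMAC-SHA256 is a stand-in for the 802.11i MICs."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def mac_verify(pkt: bytes, key: bytes) -> bool:
    body, tag = pkt[:-32], pkt[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def third_party_edit(pkt: bytes, offset: int, new_value: int, tag_len: int) -> bytes:
    """A party with no key changes one body byte and re-seals the packet.
    With a CRC anyone can recompute a matching checksum; with a keyed MIC
    the old tag is all they can leave behind."""
    body = bytearray(pkt[:-tag_len])
    body[offset] = new_value
    if tag_len == 4:
        return crc_protect(bytes(body))
    return bytes(body) + pkt[-tag_len:]


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is linear over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).
    This is why a checksum cannot serve as an integrity check even when it is
    encrypted together with the data, as WEP did."""
    assert len(a) == len(b)
    x = bytes(p ^ q for p, q in zip(a, b))
    zeros = bytes(len(a))
    return zlib.crc32(x) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def compare(frame: bytes, key: bytes) -> dict:
    """Apply the same one-byte edit under both schemes; report what the receiver accepts."""
    crc_pkt = crc_protect(frame)
    mac_pkt = mac_protect(frame, key)
    return {
        "crc_accepts_original": crc_verify(crc_pkt),
        "crc_accepts_edited": crc_verify(third_party_edit(crc_pkt, 0, 0x41, 4)),
        "mac_accepts_original": mac_verify(mac_pkt, key),
        "mac_accepts_edited": mac_verify(third_party_edit(mac_pkt, 0, 0x41, 32), key),
    }


if __name__ == "__main__":
    frame = b"\x08\x02" + b"constructed sample frame body"   # constructed, not a real capture
    print(compare(frame, os.urandom(32)))
    print("CRC-32 linear:", crc_is_linear(os.urandom(40), os.urandom(40)))
```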

WiFi Protected Access (WPA & WPA2)

The 802.11i specification was conceived to resolve the issues found in WEP and to expedite the introduction of a more adequate WLAN security scheme for the enterprise market. However, it took a long time to be approved. The WiFi Alliance (WFA, http://www.WiFi.org) introduced WPA in late 2002 as an interim solution to ensure vendor interoperability. WPA was based on a subset of the 802.11i draft. It improved on WEP by introducing the Temporal Key Integrity Protocol (TKIP). While still utilizing RC4 encryption, TKIP utilizes a temporal encryption key that is regularly renewed, making it more difficult for a key to be stolen and then used to decipher a useful amount of information. In addition, data integrity was improved through the use of a more robust hashing mechanism, the Michael Message Integrity Check (MMIC).

WPA did a great deal to address the concerns associated with WLAN security, and can be hailed as an important step in increasing acceptance of WLAN as an enterprise-ready technology. However, concerns still existed. To start, TKIP still used the RC4 encryption algorithm, and while the use of temporal keys mitigated the problem, many felt uncomfortable entrusting their critical data to an algorithm viewed as less powerful than what was commonly used for wired networks. Because of this, many companies viewed WPA as a temporary measure meant to bridge the gap between WEP and the soon-to-be ratified 802.11i standard, and therefore insisted on postponing their deployments. In 2004, the WiFi Alliance updated the WPA specification by replacing the RC4 encryption algorithm with AES (Advanced Encryption Standard), calling the new standard WPA2.


2.2 Authentication and Access Control

Access Control Lists (ACLs) often provided authentication for early wireless LANs. ACLs permit associations by known Media Access Control (MAC) addresses while rejecting connections from all others. This technique, commonly called MAC Address Filtering, is easily spoofed and became difficult to manage as networks got larger. When the WFA introduced WPA it included 802.1x authentication, a more sophisticated mechanism for user authorization and access control that leverages open standards authentication tools such as RADIUS (Remote Authentication Dial In User Service, RFC 3597). RADIUS is a widely deployed protocol for network access authentication, authorization and accounting (AAA).

How 802.1x Authentication Works

802.1x acts as a gate that prevents a wireless client (supplicant) that has associated to an access point (authenticator) from accessing the corporate network until it has permission. It uses the EAP (Extensible Authentication Protocol) to authenticate and negotiate keys between the supplicant and a RADIUS server (authentication server). EAP runs over layer 2 (EAPoL) without requiring IP and therefore includes its own support for in-order delivery and retransmission. EAP is not so much a messaging protocol as it is a framework that can support multiple authentication mechanisms – challenge/response, passwords, digital certificates, etc., depending on the EAP type being used. The current WPA/WPA2 certified EAP standards are: EAP-TLS, EAP-TTLS, EAP-SIM and PEAP.

EAP-TLS

EAP with Transport Layer Security (EAP-TLS) is the recommended option for wireless. It is based on the Transport Layer Security (TLS) protocol, which uses public key cryptography for authentication and negotiation of keys that can be used to encrypt data. EAP-TLS requires the supplicant and the authentication server to both verify their identities via public key cryptography (i.e., digital certificates or smart cards). Despite the excellent security, requiring a client certificate for each supplicant makes the protocol expensive and unpopular.

EAP-TTLS

EAP-TTLS is designed as an extension to EAP-TLS. It uses TLS for server authentication and encryption, but avoids the need for expensive client certificates by negotiating a second authentication protocol between the supplicant and the authentication server that is protected by the TLS encryption. The second authentication protocol can be PAP, CHAP, MSCHAP or even another EAP type.

EAP-SIM

EAP-SIM was created for the GSM mobile telecom industry and doesn't really have a place in WLAN authentication.

PEAP

There are actually two Protected Extensible Authentication Protocol (PEAP) protocols, PEAPv0/EAP-MSCHAPv2 from Microsoft and PEAPv1/EAP-GTC from Cisco. However, for a variety of reasons, the PEAPv0/EAP-MSCHAPv2 protocol is by far more popular and is often referred to as the PEAP standard. PEAP is similar to EAP-TTLS in that it creates a TLS tunnel to protect the inner authentication protocol such as EAP-MSCHAPv2. PEAP provides the second strongest security next to EAP-TLS, but because it does not require client-side certificates it is easier to use and more popular.


Figure: RADIUS mediated Authentication Process using EAP
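The gate and relay described above, as an added Python simulation that is not Siemens or HiPath code: EAP packets use the real RFC 3748 framing and the server answers with the real RFC 2865 RADIUS codes, but the EAPOL and RADIUS transports are direct method calls, the inner method is an HMAC challenge/response standing in for PEAP or EAP-TLS under EAP's experimental type, and the user credentials are constructed.

```python
import hashlib
import hmac
import os
import struct

# EAP codes/types from RFC 3748 and RADIUS codes from RFC 2865 (real values).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EXPERIMENTAL = 1, 255   # 255 stands in for PEAP/EAP-TLS here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def eap_pack(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    if code in (EAP_SUCCESS, EAP_FAILURE):      # Success/Failure carry no Type field
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


class AuthServer:
    """RADIUS-style authentication server: owns the user database and decides."""

    def __init__(self, users):
        self.users = users      # identity -> secret (constructed sample credentials)
        self.pending = {}       # identity -> challenge awaiting a response

    def handle(self, user_name, eap):
        code, ident, eap_type, data = eap_unpack(eap)
        nxt = (ident + 1) & 0xFF
        if eap_type == TYPE_IDENTITY:
            if user_name not in self.users:
                return ACCESS_REJECT, eap_pack(EAP_FAILURE, nxt)
            chal = os.urandom(16)
            self.pending[user_name] = chal
            return ACCESS_CHALLENGE, eap_pack(EAP_REQUEST, nxt, TYPE_EXPERIMENTAL, chal)
        chal = self.pending.pop(user_name, None)
        if eap_type == TYPE_EXPERIMENTAL and chal is not None:
            expected = hmac.new(self.users[user_name], chal, hashlib.sha256).digest()
            if hmac.compare_digest(expected, data):
                return ACCESS_ACCEPT, eap_pack(EAP_SUCCESS, nxt)
        return ACCESS_REJECT, eap_pack(EAP_FAILURE, nxt)


class Supplicant:
    """Wireless client. The identity claim is unverified; the challenge proves the secret."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, eap):
        code, ident, eap_type, data = eap_unpack(eap)
        if eap_type == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if eap_type == TYPE_EXPERIMENTAL:
            proof = hmac.new(self.secret, data, hashlib.sha256).digest()
            return eap_pack(EAP_RESPONSE, ident, TYPE_EXPERIMENTAL, proof)
        raise ValueError("unsupported EAP type")


class Authenticator:
    """Access point: relays EAP between supplicant (EAPOL) and server (RADIUS)
    and opens the controlled port only on Access-Accept."""

    def __init__(self, server):
        self.server = server
        self.authorized = {}    # client MAC -> controlled port state

    def authenticate(self, mac, supplicant):
        self.authorized[mac] = False
        user_name, transcript = None, []
        eap = eap_pack(EAP_REQUEST, 1, TYPE_IDENTITY)   # sent after EAPOL-Start
        while True:
            resp = supplicant.respond(eap)
            _, _, eap_type, data = eap_unpack(resp)
            if eap_type == TYPE_IDENTITY:
                user_name = data.decode()              # becomes the RADIUS User-Name
            radius_code, eap = self.server.handle(user_name, resp)
            transcript.append(radius_code)
            if radius_code == ACCESS_ACCEPT:
                self.authorized[mac] = True            # port opens; EAP-Success relayed
                return True, transcript
            if radius_code == ACCESS_REJECT:
                return False, transcript               # port stays closed; EAP-Failure relayed

    def forward(self, mac, frame):
        """Data frames from a client whose port is not authorized are dropped."""
        return frame if self.authorized.get(mac) else None


if __name__ == "__main__":
    ap = Authenticator(AuthServer({"alice": b"alice-secret"}))
    print(ap.authenticate("aa:bb:cc:00:00:01", Supplicant("alice", b"alice-secret")))
    print(ap.authenticate("aa:bb:cc:00:00:02", Supplicant("alice", b"guess")))
    print(ap.forward("aa:bb:cc:00:00:02", b"payload"))
```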

2.4 802.11i - Bringing it all Together

The IEEE ratified the final 802.11i WLAN security standard in June 2004. The standard is backward compatible with WPA and includes the TKIP and 802.1x protocols. Additionally, a stronger frame encryption and authentication alternative was added that could be incorporated into new hardware from vendors. The new cryptography was based on the AES (Advanced Encryption Standard) algorithm that was selected by the U.S. National Institute of Standards and Technology (NIST) in 2000 as the winner of a competition to find the most secure encryption algorithm. AES is required by U.S. governmental agencies and is considered secure enough that it is used in military applications.

802.11i uses two different authentication methods, and these are available in WPA2 as different “modes,” Personal Mode and Enterprise Mode. WPA2 “Personal Mode” offers a simple solution suitable for the home and small office environments. It only requires the use of a pre-shared key for user authentication. WPA2 “Enterprise Mode”, by contrast, draws on the same RADIUS-based 802.1x mechanism used in the WPA standard.

Other features of 802.11i are key caching – which quickly reconnects users who have temporarily gone offline – and pre-authentication, which allows seamless roaming between access points. Key caching stores information about the client on the network so that if a station leaves an access point and returns within the configured timeout, credentials for re-authentication do not have to be entered again. Pre-authentication refers to the ability of a network to send authentication data between access points and back to a central controller so that a roaming user does not need to authenticate to each access point. Both of these features are essential for advanced mobile applications such as Voice over Wireless LAN (VoWLAN).

Altogether, the enhancements provided by 802.11i finally deliver the level of data confidentiality and user authentication that enterprises have been demanding. In conjunction with a strong intrusion detection and prevention solution, 802.11i presents the enterprise-grade security required by enterprises in order to deploy WLAN.
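To make the two modes concrete, the Python below (an added illustration, not code from the white paper or the HiPath product) derives the WPA2-Personal PMK from a passphrase and SSID as IEEE 802.11i specifies, then expands it into the per-session temporal keys (KCK, KEK, TK) and an EAPOL-Key MIC from constructed addresses and nonces; in Enterprise Mode only the PMK source changes, the RADIUS server handing each session its own PMK after 802.1x succeeds.

```python
import hashlib
import hmac
import struct


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes),
    IEEE 802.11i Annex H.4. Every station holding the passphrase derives the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    For CCMP (AES) the 48 bytes split into KCK, KEK and the temporal key TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


MIC_OFFSET = 81   # EAPOL header (4) + EAPOL-Key fields preceding the Key MIC (77)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2: HMAC-SHA1 over the EAPOL frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def mic_valid(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_key_mic(kck, frame))


def build_msg2(snonce: bytes, kck: bytes, key_data: bytes = b"") -> bytes:
    """Constructed handshake message 2 (EAPOL-Key, RSN descriptor type 2): key info
    0x010A = version 2, pairwise, MIC set; key length 16; replay counter 1;
    IV, RSC and ID zero. The EAPOL header is protocol version 1, type 3 (Key)."""
    body = (b"\x02" + struct.pack("!HHQ", 0x010A, 16, 1) + snonce + bytes(16)
            + bytes(8) + bytes(8) + bytes(16) + struct.pack("!H", len(key_data)) + key_data)
    frame = b"\x01\x03" + struct.pack("!H", len(body)) + body
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    # Passphrase/SSID are the 802.11i test vector; addresses and nonces are constructed.
    pmk = wpa2_psk_pmk("password", "IEEE")
    aa, spa = bytes.fromhex("001122334401"), bytes.fromhex("aabbccddee01")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_msg2(snonce, keys["kck"])
    print("PMK:", pmk.hex())
    print("TK :", keys["tk"].hex(), "MIC ok:", mic_valid(keys["kck"], msg2))
```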


802.11n Implications for WIDS/WIPS

802.11n is an enhancement to the IEEE 802.11 wireless network standard that includes many new features to increase transmission speeds, range and reliability compared to 802.11a/b/g. The enhancements translate to 300 Mbps of raw data throughput and/or double the range compared to current 802.11a/g technology. Full ratification of the 802.11n standard is expected in early 2009, but in the interim the WiFi Alliance (WFA) has announced a certification program for products based on the Draft 2.0 standard. This move by the WFA has allowed wireless infrastructure vendors to move forward with their 802.11n plans and release 802.11n Draft 2.0 certified wireless infrastructure and a broad assortment of end-points including laptops, handhelds and smartphones. The growing market availability of 802.11n Draft 2.0 equipment makes it extremely important for CIOs and network administrators to expand the scope of their WLAN security policy to include considerations for the new equipment. The relative newness of 802.11n infrastructure means that many enterprise WIDS/WIPS solutions are not yet able to detect and mitigate 802.11n based threats. Until comprehensive WIPS/WIDS solutions are available, it is extremely important that existing intrusion detection systems can at the very least detect rogue 802.11n APs.

2.3 Intrusion Detection and Prevention

Data confidentiality and authentication are addressed through industry standards, but no standards exist for wireless intrusion detection and prevention (WIDS/WIPS). Instead, WLAN equipment vendors and/or specialty wireless security vendors provide enterprise WIDS/WIPS solutions. Different vendors implement WIDS in their own way, but the basic principles and required equipment are the same. All WIDS systems need: remote sensors distributed throughout the monitored network, and management software often called an IDS server. When the system is initially deployed, a detailed description of the network is programmed into the IDS server as a baseline. In a WIDS solution, sensors passively observe wireless activity and network configuration, reporting any exception back to the central IDS server. That IDS server is responsible for analyzing reported activity, generating intrusion alarms and an event log. WIPS solutions take this information and act upon it directly, without requiring manual intervention: by sending disassociation commands to the client, they effectively disconnect any access to identified threats such as rogue or honey-pot APs. A WIPS solution needs to be chosen with care. Many solutions not only fail to detect many types of threats, but can also deliver false positive detections. False positives not only cause unnecessary effort for the IT security team but can also lead to a general distrust of the identification of real threats, and thus complacency.


WIDS/WIPS solutions can function in one of two different modes – time slicing or always on. These two modes offer varying degrees of security for the enterprise. In a time slicing mode the WIPS solution does not require dedicated sensors distributed throughout the enterprise, but rather “borrows” slices of time from existing access points to take a snapshot listen of the environment. This mode offers the advantage of lower cost security to the enterprise but also offers a lower level of security. Sophisticated hacking routines have been known to identify listening patterns and interleave their activities between the listening slots, effectively going undetected. This is similar to the escaping prisoner avoiding the searchlight and thus going undetected.

The more costly, but more effective, mode is to use dedicated sensors in full-time listening mode to detect (and with WIPS prevent) threats. This is the equivalent of leaving all the lights on, so no matter when the prisoner attempts to escape, he will be seen. Both modes offer their benefits and can even be used at the same time in different physical parts of the enterprise (depending on the risks of, say, visitor or customer traffic). A well thought out plan and risk assessment is needed when deciding how best to implement WIPS for an enterprise.

Enterprises generally have two alternatives when deploying intrusion detection and prevention solutions. The first is to deploy an “overlay” solution, which is a specialized network of dedicated equipment completely separate from the WLAN. These solutions tend to provide the most comprehensive security and the best performance. However, overlay solutions have the disadvantages of adding operational complexity and cost, forcing the deployment of two wireless networks with no management integration or hardware economies. The other alternative is to accept the integrated IDS/IPS functionality which most WLAN infrastructure vendors offer with their solution. The problem with this alternative is that what the IDS solution vendors offer is generally inferior to overlay products, if not in features then certainly in performance. WLAN vendors are now starting to address this discrepancy. For example, Siemens has fully integrated the industry leading AirTight WIPS solution into its HiGuard product, delivering world-class WIPS security along with the benefit of reduced overhead and maintenance compared with an overlay solution.

Figure: Dedicated WIDS/WIPS sensors provide the best wireless security


For an enterprise to protect itself from abuse of its information, it must monitor the events occurring in its computer system or network and analyze them for signs of intrusion. To do this, the enterprise must install an Intrusion Detection System (IDS).

Source: Gartner, September 2004

WLAN that is more Secure than Wired LAN

WLAN systems incorporating WPA/WPA2 with AES encryption, in conjunction with 802.1x authentication, can provide a level of security for WLANs that exceeds the security of a wired LAN. Although exploits are still possible that can disrupt communications on the WLAN, the security of the network and the integrity of the data become very difficult to compromise. There are always potential holes in the system. Most are attributable to human error: an unreported lost laptop, a laptop infected with a virus, or a compromised username/password combination can all cause a security breach despite the integrity of the WLAN.

Wireless networks also offer an additional physical layer of security when deployed in an all-wireless office environment. By effectively eliminating employee or guest physical access to the network elements – jacks and cables – the hidden network becomes more physically secure. Employees can no longer plug in access points brought from home, and guests cannot mistakenly connect to LAN jacks in a boardroom while trying to obtain external access. The securing of the WLAN has become an enabler of the all-wireless future.


3.0 Siemens HiPath Wireless Security

Siemens has architected its wireless portfolio for enterprise-grade security, with a strong standards-based approach to data confidentiality and authentication, as well as a unique, powerful intrusion detection and prevention implementation. The HiPath Wireless portfolio delivers these elements as an integrated solution, making it cost-effective and transparent.

802.11i Security Made Easy

By implementing the 802.11i standard, Siemens has addressed the security issues pertaining to data confidentiality and authentication. The fact that this standard is integral to wireless infrastructure and leverages existing wired security technologies like RADIUS makes the standards-based approach cost-effective and transparent to both end users and network managers. Beyond this, Siemens has also taken measures to make it easy to integrate with existing wired LAN security mechanisms like RADIUS authentication or IPSec VPNs.

State-of-the-Art Integrated Intrusion Detection and Prevention

The HiPath Wireless Manager architecture helps to deliver the most sophisticated RF security, location, performance optimization, and management capabilities. A unique integrated framework provides real-time coverage and allows services to leverage one another in a way that separate applications cannot. HiPath Wireless Manager HiGuard can be deployed in a phased approach. System administrators can initially deploy HWM HiGuard in a ‘sensor-less’ configuration, then gradually introduce sensors into high-risk areas to run in ‘mixed mode’, until the entire enterprise is protected using ‘dedicated sensors’ for maximum security. HWM enables the wireless infrastructure’s capabilities to adapt to the organization’s needs.

The HiPath Wireless Manager Server derives information about the WLAN’s access points, users, and VNS groups from the HiPath Wireless Controller through its Design Interface. Managers can also integrate floor plans of the office environment and other data from site planning tools to create a visual model of the network. The Policy Manager is used to define what behaviors are acceptable for the network model. Both the network model and the policy are then fed into the HWMA Analysis Engine, which employs Sensors to monitor the network in real time. During real-time sensing, information is fed back into the HWMA Analysis Engine for inspection. Devices and events are evaluated using sophisticated heuristics and are automatically classified. The results feed into the following applications:

• Location Services. HiPath Wireless Manager maintains an up-to-date visual perspective of the network. This greatly aids the intrusion prevention process by making it possible to physically find threats. It is also possible for the organization to track mobile corporate resources.

• Performance Optimization. The variety of “heat maps” showing the physical makeup of the RF environment can be used by managers to ensure the greatest coverage area and eliminate potential bottlenecks.

• Network Monitoring and Control. All of the events and information generated by the three applications feed into the management interface. The Server’s dashboard provides a consolidated view of the network, and a variety of rich charts, reports, and statistics are available to aid in network monitoring and troubleshooting.

The portfolio’s intrusion detection and prevention capabilities are dramatically extended by the addition of HiPath Wireless Manager HiGuard. It provides the best-in-breed security protection seen in overlay IDS/IPS solutions as well as significant integration with existing WLAN infrastructure and management tools. The HWM HiGuard solution depends on HiPath Wireless Access Points that have been deployed in dedicated sensor mode, where they focus solely on scanning all channels and frequencies on the 802.11a, b, and g radios. The information gathered by the Sensors is then sent to the central HWM Server, which consolidates and analyzes it using sophisticated heuristics. Sensors can then use precise RF countermeasures to proactively neutralize threats while the rest of the network remains unaffected. HWM HiGuard is one of the few WLAN security solutions that can detect rogue 802.11n APs to prevent unauthorized access to the wireless network.

HiPath Wireless Manager and HiGuard

The benefits provided by HiPath Wireless Manager include:

• Optimized performance as HiPath Wireless Access Points can devote their attention to delivering consistent network access to users – key for voice and other real-time applications.

• Enhanced security as sensors can proactively scan all WiFi radio bands and channels to identify and neutralize the most sophisticated attacks.

• Intrusion information is forwarded to a management server that provides robust reporting capabilities.

• Automatic threat classification (member, neighbor, rogue, etc.) and the flexibility to locate rogues or even deny them access to the network.

• Visual representation of signal coverage and device locations through mapped-over floor plans that can allow staff to find and physically remove suspect devices.
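The automatic classification of observed devices into member, neighbor and rogue, as described for the analysis engine and listed among the benefits above, can be illustrated with a small rule-based classifier. The following Python is an added example, not HiPath Wireless Manager code, and its heuristics are deliberately simplified. The network model it consults (authorized BSSIDs, corporate SSIDs and MAC addresses learned on the wired switches) and the observed access points are constructed sample data.

```python
"""Toy automatic device classification (member / neighbor / rogue) over sensor
observations, in the spirit of a WIDS analysis engine.

Added example, not HiPath Wireless Manager code. Network model and observations
are constructed sample data; the heuristics are simplified.
"""
from dataclasses import dataclass, field
from enum import Enum


class DeviceClass(Enum):
    MEMBER = "member"        # an AP that belongs to our own WLAN
    NEIGHBOR = "neighbor"    # a foreign AP that is not attached to our network
    ROGUE = "rogue"          # an unauthorized AP that appears to be on our LAN or impersonates it


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    encryption: str          # "open", "wep" or "wpa2", as seen in the beacon


@dataclass
class NetworkModel:
    authorized_bssids: set = field(default_factory=set)
    corporate_ssids: set = field(default_factory=set)
    wired_mac_table: set = field(default_factory=set)   # MACs seen on corporate switch ports


def _shares_wired_prefix(bssid: str, wired_macs: set) -> bool:
    """Heuristic: many APs derive their BSSID from the wired MAC, differing only in the
    last octet. A match on the first five octets ties the radio to our wired network."""
    prefix = bssid.upper()[:14]
    return any(mac.upper()[:14] == prefix for mac in wired_macs)


def classify(ap: ObservedAP, model: NetworkModel) -> DeviceClass:
    """Policy: an authorized BSSID is a member; anything else that looks attached to our
    wire, or that advertises one of our SSIDs (an evil twin), is a rogue; the rest are
    neighbors."""
    if ap.bssid.upper() in {b.upper() for b in model.authorized_bssids}:
        return DeviceClass.MEMBER
    if _shares_wired_prefix(ap.bssid, model.wired_mac_table):
        return DeviceClass.ROGUE
    if ap.ssid in model.corporate_ssids:
        return DeviceClass.ROGUE
    return DeviceClass.NEIGHBOR


def classify_all(observations, model: NetworkModel):
    """Group observed BSSIDs by class, preserving observation order."""
    result = {cls.value: [] for cls in DeviceClass}
    for ap in observations:
        result[classify(ap, model).value].append(ap.bssid)
    return result


# Constructed sample data.
SAMPLE_MODEL = NetworkModel(
    authorized_bssids={"00:11:22:33:44:01"},
    corporate_ssids={"corp-secure"},
    wired_mac_table={"00:11:22:33:44:00", "DE:AD:BE:EF:00:10"},
)
SAMPLE_OBSERVATIONS = [
    ObservedAP("00:11:22:33:44:01", "corp-secure", 6, -45, "wpa2"),   # our own AP
    ObservedAP("DE:AD:BE:EF:00:11", "linksys", 1, -50, "open"),       # consumer AP on our wire
    ObservedAP("66:77:88:99:AA:BB", "corp-secure", 11, -70, "open"),  # evil twin of our SSID
    ObservedAP("12:34:56:78:9A:BC", "cafe-wifi", 6, -85, "wpa2"),     # the cafe next door
]

if __name__ == "__main__":
    for cls, bssids in classify_all(SAMPLE_OBSERVATIONS, SAMPLE_MODEL).items():
        print(f"{cls:9s}: {bssids}")
```

The order of the rules matters: the authorized list is consulted first so that a legitimate AP whose BSSID happens to share a prefix with a wired MAC is not misreported, and the wired-prefix and SSID checks are deliberately conservative so that a weak, open access point next door is reported as a neighbor rather than generating the kind of false positive discussed earlier. A real engine would add further evidence, such as correlating client MACs seen over the air with the wired MAC table, before triggering countermeasures.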

HiPath Wireless Manager not only gives recognized industry-leading intrusion detection and prevention for a complete wireless security solution, but also sets a new standard in the industry for integrating IDS/IPS with existing infrastructure and management systems, and is a key step in creating a single wireless network that supports all mobility applications across the enterprise cost-effectively and easily.

In 2006, the Tolly Group declared that the security features of HiPath Wireless products were proven best-in-class for performance among both standalone and integrated IDS/IPS solutions (100% success vs. 65%-75% from competitors).


4.0 Conclusion

Secure wireless communication is at long last a reality. Industry standards have matured to provide a comprehensive solution to the WLAN security dilemma, but as with any form of security, wireless security will have to continually evolve to keep up with the newest and most sophisticated attacks. Furthermore, WLAN vendors are now looking beyond the IEEE standards for authentication and encryption to ensure that appropriate intrusion detection and prevention capabilities are in place to provide a complete and layered security solution.

Siemens has developed a security solution that not only addresses the data confidentiality and authentication needs of today, but has also created an open standards-based solution that has the flexibility to adapt in the future. In conjunction with the sophisticated intrusion detection and prevention capabilities delivered by HiPath Wireless Manager, the HiPath Wireless Portfolio provides a complete, future-ready solution that addresses the core tenets of wireless security. Management demands for a cost-effective approach are being met through an integrated security solution that leverages existing network infrastructure. At the same time, end users will be satisfied that they have no need to complicate their computing experience in the least. In fact, features like secure fast roaming may actually simplify the user experience.

Many enterprise network managers have resisted the introduction of wireless LAN technology, delaying the opportunity to reap the numerous benefits to be had in terms of productivity, responsiveness, and TCO reductions. While the absence of an acceptable security standard served as the chief justification for this decision, Siemens HiPath Wireless delivers a secure solution that resolves this problem and makes the enterprise ready for wireless LAN today. More information about Siemens HiPath Wireless security solutions is available at http://www.siemens.com/hipath.

Siemens Enterprise Communications is a thought leader and innovator in the enterprise communications industry. We are one of the leading players in the market with full coverage of all the relevant markets from a strong European base with global reach. Our people have the passion, commitment, skills and know-how to deliver a broad range of cutting-edge technologies, outstanding products and professional services. All with the support of an enterprise that has the financial strength to outperform the rest in this competitive and consolidating market.

A properly engineered WiFi security system can not only provide robust security for your wireless users, it can also act as a platform to better secure wired network segments that have, for too long, relied on nothing more than physical security to combat abuse.

Source: Network Computing, June 2005


©Siemens Enterprise Communications GmbH & Co. KG Hofmannstr. 51, D-81359 München, Germany The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. The trade-marks used are owned by Siemens Enterprise Communications GmbH & Co. KG or their respective owners.

Munich-based Siemens Enterprise Communications GmbH & Co. KG, a wholly owned subsidiary of Siemens with more than 15,000 employees, is one of the world’s leading vendors of Open Communications solutions for enterprises of all sizes. Our products, solutions and services make business processes more productive, faster and more secure - with any device, network or IT infrastructure.