Hosted by
IDS for WLANs
The Mansfield Group, LLC
802.11 Security for Enterprise Networks
www.itvshop.com
Wireless LAN Security Workshop - Wash DC / Honolulu
The Mansfield Group, LLC • http://www.itvshop.com
Brian Mansfield, Chief Security Consultant, The Mansfield Group, LLC
Is your WLAN really protected? Is your WIRED network really protected?
The number of frequent WLAN users in North America will grow from 4.2 million in 2003 to more than 31 million by 2007 (Gartner Symposium/ITxpo 2003).
Enterprise Market Drivers:
Wi-Fi client ubiquity
• Centrino market penetration
• 95% of new laptops include Wi-Fi by 2004
WLAN “Switch” technology
• Vendor neutral deployment options
• Effective network security & mgmt solutions
• Range of infrastructure investment options
Wi-Fi’s “Secret Weapon” - VoWLAN
• Voice & data through single device
• One-number connectivity on campus
“…but our company has no plans to deploy a WLAN…”
Guess what?
You still need a WIDS strategy!
Why? Rogue APs, soft APs, accidental associations, malicious associations, and YOUR EMPLOYEES!
Freely available tools: HostAP, Airjack, AirSnarf, Kismet, Wellenreiter, Airsnort, Netstumbler, Knoppix, File2air, cqure AP
Risk Points within the Enterprise
Employees install unauthorized APs
Employees share files via Ad-Hoc mode
Employees carry Wi-Fi enabled clients
Employees connect to WAN via home WLAN
Employees are vulnerable to attack APs
Employees connect to WAN via public Hotspots
Security Strategy for Companies with NO WLAN
1. Conduct WLAN Security Assessment
2. Draft WLAN Security Policy
3. Monitor Your Airspace
4. Enforce Security Policy, Update & Refine
1. Conduct WLAN Security Assessment
• Survey airspace inside your organization
What devices are broadcasting in your environment?
What protocols/data is being transmitted?
Where are they located?
Are any connected to your LAN?
• Sweep airspace around perimeter
What external sources are penetrating environment?
What protocols/data is being transmitted?
Where are they located?
How are they configured?
2. Draft WLAN Security Policy
• Extension to Existing IT Security Policy
Protect assets that require integrity (financial, medical)
Protect assets that need confidentiality (payroll, HIPAA)
Protect assets that need high availability (order, transact)
• Configuration, Systems Use & IRP Policy
Prohibit unsanctioned APs / ad-hoc networking?
Incident response procedure (IRP)
Policy for public Hotspot & home WLAN use
Configuration standards - Wi-Fi enabled? XP, WEP, SSID
3. Monitor Your Airspace - Verify policy adherence
• Internal monitoring
• Perimeter monitoring
Unsanctioned APs / rogue AP detection
Machine/device configuration violations
External systems broadcasting availability?
Network intrusions or attacks
Use violations - ad hoc networking
4. Enforce Policy, Update & Refine
• Active response:
Reset device
Reconfigure device
Disconnect device
• Passive response:
SNMP
Syslog
• Audit trail / forensic database
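As an added example (not from the workshop material), the kind of policy check that step 3 (monitor your airspace) and the passive response of step 4 imply: constructed scan observations are compared against a hypothetical sanctioned-AP inventory and policy, yielding rogue-AP, configuration-violation, ad-hoc use-violation and external-AP findings rendered as syslog-style lines for the audit trail. The inventory, policy values and observations are all assumptions.

```python
from dataclasses import dataclass

# Sanctioned APs (constructed sample inventory): BSSID -> expected configuration.
SANCTIONED = {
    "00:11:22:aa:bb:01": {"ssid": "corp-wlan", "encryption": "WPA"},
    "00:11:22:aa:bb:02": {"ssid": "corp-wlan", "encryption": "WPA"},
}
# Policy rules from the "configuration standards" item: no ad-hoc mode, WEP/open not acceptable.
POLICY = {"allow_adhoc": False, "min_encryption": "WPA"}
STRENGTH = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}
# Constructed scan observations, the kind a sensor or handheld scanner would report;
# on_lan means the AP's MAC was also seen on the wired side, i.e. it is bridged to the LAN.
OBSERVATIONS = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "corp-wlan", "mode": "infra", "encryption": "WPA", "on_lan": True},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "corp-wlan", "mode": "infra", "encryption": "WEP", "on_lan": True},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "linksys", "mode": "infra", "encryption": "open", "on_lan": True},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "sharing", "mode": "adhoc", "encryption": "open", "on_lan": False},
    {"bssid": "de:ad:be:ef:00:03", "ssid": "cafe-hotspot", "mode": "infra", "encryption": "open", "on_lan": False},
]

@dataclass
class Finding:
    severity: str   # syslog-style severity keyword
    category: str   # which policy item was violated
    bssid: str
    detail: str
def evaluate(observations, sanctioned=SANCTIONED, policy=POLICY):
    """Compare what was seen in the air with the sanctioned inventory and the policy."""
    findings = []
    for obs in observations:
        bssid, enc, ssid = obs["bssid"], obs["encryption"], obs["ssid"]
        if obs["mode"] == "adhoc" and not policy["allow_adhoc"]:
            findings.append(Finding("warning", "use-violation", bssid, f"ad-hoc network {ssid!r} in airspace"))
        elif bssid in sanctioned:
            if STRENGTH[enc] < STRENGTH[policy["min_encryption"]]:
                findings.append(Finding("error", "config-violation", bssid, f"sanctioned AP running {enc}, policy requires {policy['min_encryption']}"))
            if ssid != sanctioned[bssid]["ssid"]:
                findings.append(Finding("warning", "config-violation", bssid, f"unexpected SSID {ssid!r}"))
        elif obs["on_lan"]:
            # Unknown AP bridged onto the wired network: the rogue-AP case, highest priority.
            findings.append(Finding("critical", "rogue-ap", bssid, f"unsanctioned AP {ssid!r} connected to LAN"))
        else:
            # Unknown AP heard only in the air: a neighbour or hotspot; record it, do not alarm.
            findings.append(Finding("notice", "external-ap", bssid, f"external AP {ssid!r} broadcasting"))
    return findings

def to_syslog(f):
    """Passive response: render a finding as a syslog-style line for the audit trail."""
    return f"wids[{f.severity}]: {f.category} bssid={f.bssid} {f.detail}"
```

Running `evaluate(OBSERVATIONS)` on the constructed data flags the WEP-configured sanctioned AP, the unknown AP on the LAN, the ad-hoc network and the external hotspot, in that order.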
Security Technologies Used (chart: CSI/FBI 2003 Computer Security Survey)
WIDS Product Mix
MANUAL
DISTRIBUTED
INTEGRATED
MANAGED
MANUAL
Handheld/laptop scanner
“Snapshot” view
Rogue AP & client detection
Performance statistics
Security alarms
RF analysis & site survey
GPS logging
DISTRIBUTED
Radio sensors
24 x 7 monitoring
Policy enforcement
Stateful analysis
Centrally managed
Email & paging alerts
IPS capabilities (SNMP)
Diagram: a management server at HQ - Washington DC, with sensors at HQ, Chicago and Boston reporting rogue AP, DoS attack, unauthorized AP and user security violation events
INTEGRATED
“Wireless-aware” switch
IDS module in AP
Rogue AP location ID
Dynamic site surveys
Security policy monitoring
Radio resource mgmt
Enhanced IPS
Diagram: L2/L3 switch or management server connected to several APs, one of which is a rogue AP
MANAGED
Dedicated team of IDS experts
Maintain system access & control while outsourcing daily monitoring tasks
Customization of services - rogue AP, reporting, custom signature sets, forensics, etc.
Escalation procedure management - incident response, notification and mitigation actions
Long-term TCO benefits - lease vs. buy option
Integrate & correlate with wired IDS or IPS
WLAN Attack Scenarios
Layer 1 - Denial of Service
Layer 2 - Rogue AP
Layer 3 - IP Hi-jack
Do you telecommute or connect to your company network from home?
1. Yes
2. No
Is your WIRED network really protected?