09 Reiner Hofmann Fluke - BICSI

Wireless Explosion

New threats are evolving
Operations getting more challenging

Reiner Hofmann, EMEA Director Wireless BU

Fluke Networks


Agenda

• About Fluke Networks …
• Some statistics/trends
• Wireless is changing the existing paradigm - new threats are evolving
• Why a dedicated system to monitor and protect wireless?
• AirMagnet Enterprise – remote security monitoring & troubleshooting


Fluke Networks is the world‐leading provider of network test and monitoring solutions to speed the deployment and improve the performance of networks and applications. Leading enterprises and service providers trust Fluke Networks’ products and expertise to help solve today’s toughest issues and emerging challenges in data centers, mobility, unified communications and WLAN security.

Company Profile:
• $300+ million company; distributes products in more than 50 countries
• Over 800 employees worldwide with major facilities in: Everett, WA; Colorado Springs, CO; Santa Clara, CA; Duluth, GA; Rockville, MD; Beijing, China; Eindhoven, Netherlands

Full Life‐Cycle (diagram): Planning; Deployment & Verification; Troubleshooting & Interference; 24x7 Performance & Security

INDUSTRY’S ONLY “SINGLE‐VENDOR SOLUTION”

Some trends/statistics

Wireless Security Trends for 2013

• Protecting and securing the air will become more important – protecting the device and AP is not sufficient

• Mobile devices as the new target – With the explosion of BYOD in the marketplace, employees are bringing their mobile devices into work. With company data on these mobile devices, hackers have a much larger target.

• Cellular impersonation and Jamming/DoS attacks – Small cells are gaining traction and can offer a way into the corporate network

• Mobile devices as the attackers – Lately there has been a proliferation of wireless hacking tools for the Android platform. Gone are the days when you needed a laptop to perform the attacks. Hackers can now do this from their pockets.

IT WILL BE MORE AND MORE CHALLENGING

Wireless Security Trends for 2013 (concluded)

• Impersonation attacks are always on the rise – Whether it's impersonating a valid client or impersonating a corporate Access Point, the threat is always loss of sensitive company data

• WPA‐PSK brute force attacks will increase – Just because you are using WPA‐PSK doesn't mean you are safe. You need to have a policy for using complex Pre-Shared Keys. There are plenty of online services that, for a small fee, will crack your network handshake in minutes.

• Malware will increase – With the increasing proliferation of mobile devices, mobile adware will increase.

IT WILL BE MORE AND MORE CHALLENGING

MOBILE DEVICES ARE EXPLODING

• 96% of mobile employees carry >2 devices; almost 50 percent carry more than 3

• iPads and eReaders entering the enterprise
• Most smart phones now mixed‐use

From: Lisa Phifer / Core Competence, Interop/Sep-2010

The Wireless Jungle Gets Wilder…

WI‐FI DATA > ETHERNET DATA BY 2015

(Source: Cisco)

Acceleration of Wi-Fi as the primary edge connection for all information-based workers = higher support requirements

Data intensity of Wi-Fi apps (voice, video) will increase, stressing networks and revealing optimization and configuration problems

Wi-Fi data is increasing

Customer survey on BYOD

More than 500 responses from multiple vertical segments worldwide.  Key Findings:

• 82% of organizations allow personal mobile device usage (BYOD) on the corporate WLAN

• 51% of organizations are concerned with how BYOD affects bandwidth consumption

• 52% of organizations get several complaints a day from employees having trouble connecting to the corporate WLAN with a personal device

• 71% of the complaints are around Wi‐Fi network connectivity and performance

• Almost 50% of organizations are planning a network redesign to accommodate for the growth of BYOD

*According to an internal survey of Fluke Networks customers/prospects

Wireless is changing the existing paradigm ‐ New threats are evolving

Are you connecting to the real Hotspot?

• Starbucks
• McDonalds
• Borders
• Airports
• Sports venues
• Hospitals
• Hotels
• more…

Or to this???

OSI model vs. IEEE 802 (diagram)

OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical
IEEE 802: Data Link = Logical Link Control (LLC) + Media Access Control (MAC); Physical
Diagram brackets: "Wireless LAN" spans the Physical and Data Link layers; "Perimeter/Application Security" spans the layers above them

Traditional IPS / FW does NOT cover layer 1/2. Encryption is just the „DATA-Frame“. The whole connection MUST be transparent.

Wireless is just layer 1 & 2

The Rogue Access Point

• Malicious or accidental
• Opens paths around wired security measures
• Allows external access to the wired network
• Rogues are the most well-known vulnerability
• Symptomatic of the greater security challenge of wireless

(Diagram: Firewall / NAT / IDS at the perimeter; Rogue AP inside the network)

PHYSICAL DEPLOYMENT OF AN UNAUTHORIZED AP INSIDE THE NETWORK

Internal Traffic

• Outsiders can see anything in the clear (email, web, etc)
• Users and devices can be seen and targeted directly (circumvents NAT)
• Clients can connect directly via Ad-hoc
• Every device and all traffic must be secured
• Creates massive new management challenges to ensure encryption and configuration for all devices

(Diagram: Firewall / NAT / IDS; hacker listening to the airwaves: capture and break weak keys, capture traffic in the clear; Approved AP; Ad-hoc clients)

ALL INTERNAL CLIENT TRAFFIC CAN BE DIRECTLY MONITORED FROM THE OUTSIDE

Outbound Connections

• Clients can make connections without ever touching the corporate infrastructure
• Accidental associations are very common
• Many wireless hacks target clients in order to retrieve login information

(Diagram: Firewall / NAT / IDS; hacker listening to the airwaves; neighbor hotspot; hacker captures traffic in the clear)

LOSS OF VISIBILITY INTO OUTBOUND CONNECTIONS

Karmasploit

• Beacons back to all those networks as well as common default networks (FreeWiFi, Vendor Defaults, etc)
• Clients will respond to beacons they recognize, even if the client did not probe for that network

(Diagram) Client: “Network A, are you there?” / “Network B, are you there?”
Attacker: “I am Network A” / “I am Network B” / “I am FreeWiFi”

LEARNS ALL NETWORKS THAT ALL CLIENTS ARE PROBING FOR IN THE AREA

TELLS YOU EVERYTHING

IEEE 802.11
    Type/Subtype: Data (32)
    Frame Control: 0x4108 (Normal)
        Version: 0
        Type: Data frame (2)
        Subtype: 0
        Flags: 0x41
            DS status: Frame is entering DS (To DS: 1 From DS: 0) (0x01)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .1.. .... = WEP flag: WEP is enabled
            0... .... = Order flag: Not strictly ordered
    Duration: 25819
    BSS Id: 00:02:2d:1b:3e:58 (Agere_1b:3e:58)
    Source address: 00:02:2d:40:64:86 (Agere_40:64:86)
    Destination address: 00:06:25:ff:95:8e (LinksysG_ff:95:8e)
    Fragment number: 0
    Sequence number: 67
    WEP parameters
        Initialization Vector: 0x0b0931
        Key: 0
        WEP ICV: 0x975415b1 (not verified)
Data (72 bytes)

0000  08 41 02 01 00 02 2d 1b 3e 58 00 02 2d 40 64 86  .A....-.>X..-@d.
0010  00 06 25 ff 95 8e 30 04 0b 09 31 00 a3 a4 fd 36  ..%...0...1....6
0020  67 fb bd aa 88 cf bf de 92 ec d7 3a 3f 74 26 83  g..........:?t&.
0030  bc cf 65 40 2d e7 41 f1 77 b6 7d a7 0f 7e 01 1e  ..e@-.A.w.}..~..
0040  d9 ef f6 92 11 28 f4 57 d6 ee 8f 99 5e bf a2 ab  .....(.W....^...
0050  e4 e1 86 84 41 5f 69 0b 0f 9f 4e e4 81 b4 2a 3e  ....A_i...N...*>
0060  26 36 ac 02 97 54 15 b1                          &6...T..

Beacon and Probe Frame

Which OS? Is there a threat available for it?

Can I use a default key, even with strong encryption …

Wireless Client Attacks

Denial of Service – RF or MAC based
• Easy to spoof disassociation and deauthentication frames
• Easy to inject broadcast and multicast traffic

DoS a Station with WLAN‐Jack (diagram: Target (User), AP, Attacker)
1. User enjoying good connection
2. Impersonate AP (Attacker: ORIGINAL MAC 00 12 2D 50 43 1E, NEW MAC 00 02 2D 50 D1 4E; AP: MAC 00 02 2D 50 D1 4E)
3. Send Disassoc & Deauth frames

Exploiting driver vulnerabilities to run remote code, inject malware, etc.

IEEE 802.11 MANAGEMENT FRAMES ARE NOT AUTHENTICATED
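The frame dissection above, the Karmasploit slide and the point that management frames carry no authentication can all be checked with a small amount of sensor-style code. The following is an added example written for this page, not AirMagnet or Fluke code: it decodes the header bytes from the slide's hex dump (frame control 0x4108, the three addresses, sequence number 67, WEP IV 0x0b0931) and then runs two detectors over a constructed capture, a deauth/disassoc flood from one sender and a Karma-style responder answering probe requests for several SSIDs from one BSSID. The MAC 00:02:2d:50:d1:4e is the spoofed AP address from the DoS slide; every other frame, the 1-second window and the thresholds are assumptions.

```python
# Added example (not AirMagnet/Fluke code): parse the 802.11 MAC header shown in
# the slide's Wireshark dump, then run two detector checks over a constructed
# capture: a deauth/disassoc flood from one sender, and a Karma-style responder
# answering probe requests for many SSIDs from one BSSID.  All frames below are
# constructed in memory; nothing is transmitted.
from collections import Counter, defaultdict

# Header and WEP IV bytes copied from the slide's hex dump (08 41 02 01 ...).
SLIDE_DATA_FRAME = bytes.fromhex(
    "0841" "0201" "00022d1b3e58" "00022d406486" "000625ff958e" "3004" "0b093100")
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc", 12: "deauth"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame):
    """Decode the little-endian frame control word, addr1-3 and the sequence number."""
    fc = frame[0] | (frame[1] << 8)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    hdr = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
           "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
           "protected": bool(flags & 0x40),          # shown as "WEP flag" in the dump
           "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
           "addr3": mac_str(frame[16:22]),
           "seq": (frame[22] | (frame[23] << 8)) >> 4}  # low nibble = fragment number
    if hdr["type"] == "mgmt":
        hdr["name"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
    return hdr

def wep_iv(frame):
    """24-bit WEP IV and key index of a protected non-QoS data frame, else None."""
    hdr = parse_header(frame)
    if hdr["type"] != "data" or not hdr["protected"]:
        return None
    return {"iv": int.from_bytes(frame[24:27], "big"), "key_idx": frame[27] >> 6}

def make_mgmt(subtype, sender, seq, body):
    """Constructed management frame: addr1 = broadcast, addr2 = addr3 = sender."""
    fc = bytes([subtype << 4, 0x00])                  # type 0 = management, no flags
    addrs = b"\xff" * 6 + bytes.fromhex(sender.replace(":", "")) * 2
    return fc + b"\x00\x00" + addrs + (seq << 4).to_bytes(2, "little") + body

def probe_resp_ssid(frame):
    """SSID element of a probe response (body: timestamp 8, interval 2, capability 2)."""
    body = frame[24:]
    return body[14:14 + body[13]].decode("ascii", "replace") if body[12] == 0 else None

def deauth_flood(capture, window_s=1.0, threshold=20):
    """Senders that exceed `threshold` deauth/disassoc frames within one time window."""
    counts = Counter()
    for ts, frame in capture:
        hdr = parse_header(frame)
        if hdr["type"] == "mgmt" and hdr.get("name") in ("deauth", "disassoc"):
            counts[(hdr["addr2"], int(ts // window_s))] += 1
    return sorted((s, w, n) for (s, w), n in counts.items() if n >= threshold)

def karma_suspects(capture, min_ssids=3):
    """BSSIDs that answered probe responses for at least `min_ssids` distinct SSIDs."""
    ssids = defaultdict(set)
    for _, frame in capture:
        hdr = parse_header(frame)
        if hdr["type"] == "mgmt" and hdr.get("name") == "probe-resp":
            ssids[hdr["addr2"]].add(probe_resp_ssid(frame))
    return {b: sorted(s) for b, s in ssids.items() if len(s) >= min_ssids}

# Constructed capture: one legitimate deauth, a 40-frame burst from the spoofed AP
# MAC on the slide, one BSSID answering every probed name, and one normal AP.
CAPTURE = [(0.5, make_mgmt(12, "00:02:2d:1b:3e:58", 1, b"\x02\x00"))]
CAPTURE += [(1 + i * 0.02, make_mgmt(12, "00:02:2d:50:d1:4e", i, b"\x02\x00"))
            for i in range(40)]
CAPTURE += [(3 + i, make_mgmt(5, "00:11:22:33:44:55", i,
                              bytes(12) + bytes([0, len(s)]) + s.encode()))
            for i, s in enumerate(["Network A", "Network B", "FreeWiFi"])]
CAPTURE += [(7, make_mgmt(5, "00:02:2d:1b:3e:58", 9, bytes(12) + b"\x00\x04Corp"))]
```

Both detectors key on addr2, which is exactly the field a spoofer controls, so in a real sensor the alarm should also carry the RSSI and the sensor that heard the frames to separate the real AP from the impersonator.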

Android as a Hacking Platform


WiFi Pineapple

WPA Cracking

Principle Architecture

What is a Wireless LAN Assurance System?

• A network of sensors and management software that implements assurance functions
• Independent of any particular WLAN system
• Perfect for large installations, mixed‐vendor installations
• Provides continuity during upgrades
• A broad range of services that complements and completes WLAN system functionality and enhances system performance, security, and integrity


Servers
• Runs on virtual or dedicated Windows Server environments
• Hot standby server can be in a separate datacenter
• Supports up to 1000 sensors per server

Sensors
• Sensors can be located anywhere in the global network, using a secure SSL‐based link
• Hardware and Software Sensor Agents can be combined for optimal monitoring

AirMagnet Enterprise System Architecture

FLEXIBLE AND SCALABLE

Security values

WIRED NETWORKS ARE DESIGNED FOR A LINEAR ASSAULT

FOCUS OF THE NETWORK IS SHIFTING TO THE EDGE

• Traditional networks delivered security and control through centralization
• Heavily secured entry and exit points
• Multiple layers of security
• Frequent Zero‐day threat updates are routine
• Security Policy enforcement with active blocking
• Threat correlation and mitigation
• Internal devices benefit from umbrella coverage

The need for New Types of Oversight

• Mobility breaks the centralized model by opening the door to outbound connections
• Now internal‐only traffic is also exposed
• “Network traffic has moved to the suburbs”
• All traffic in shared medium
• Direct access to outside world
• Internal traffic exposed

Loss of Security

(Diagram) WLC; APs with rudimentary built‐in security as the only line of defense; Layer 4-7 firewall; Layer 2 traffic

WIRELESS AP WITH RUDIMENTARY BUILT‐IN SECURITY FEATURES

• Just one layer of security on the wireless side (layer 2)
• No threat / signature update
• No Security Policy enforcement with active blocking
• No Threat correlation and mitigation

Static security cannot keep pace with new devices, new technologies, new protocols, new threats...

If not in full monitor mode, APs
• are busy with more and more services
• can only do part-time scanning
• need to decide between scanning and signal provisioning

AME adds another line of defense

(Diagram) APs with rudimentary built‐in security; Layer 4-7 firewall; Layer 2 traffic; AME Sensor as 1st Line of Defense at Layer 2 (WIPS)

• Real time monitoring
• Zero‐Day Threat protection
• Blocking
• Policy enforcement
• Attack IDS
• Forensics

(Diagram) Server downloads new signature module from Flukenetworks.com

WIRELESS AP WITH RUDIMENTARY BUILT‐IN SECURITY FEATURES + AME

+ Heavily secured entry and exit points
+ Multiple layers of security
+ Frequent Zero‐day threat update
+ Security Policy enforcement with active blocking
+ Threat correlation and mitigation
+ Real time monitoring
+ NMS, SIEM integration
+ Forensic analysis (file capturing)
+ Full Rogue RF + wire trace and blocking
+ Security system resilience
+ …
+ Internal devices benefit from umbrella coverage

AirMagnet Enterprise is closing the major gaps:
‐ 1st line of defense
‐ Frequent threat update
‐ Active blocking

QUICKLY UPDATE TO PROTECT AGAINST A NEW THREAT

(Timeline diagram) Vulnerability published → Analyze & assess severity / post response → Create and release new alarm → Publish DTU file → Automated DTU download & alarm is active
Labels on the diagram: 1 day – 2 weeks; 1 day – 2 weeks; Instant; Every hour. End‐user timeline: 1 day to 2 weeks; 0 days

• AirMagnet Wireless Intrusion Research team can rapidly customize or create new signatures / rules for newly discovered vulnerabilities
• Users have immediate protection from new threats
• No disruption of WIPS protection or wireless service to update signature module
• Automated updates require no IT staff cycles
• Users, AirWise Community contribute to creation of new signatures

Dynamic Threat Update ‐ DTU

New threat signatures are automatically delivered to sensors across the organization for instant protection with no down time and no IT staff

• Sensors use proven AirMagnet techniques to remediate Rogue devices via wired or wireless
• Very low channel utilization when blocking


Blocking/remediation

Blocking can be categorized as wireless or wired

(Diagram) Wireless blocking: Rogue AP blocked over the air. Wired port blocking: Rogue AP blocked by SNMP port shutdown on its switch port.

Wireless tracing: When the sensor detects an open Rogue or Unknown AP, it will attempt to connect to it. Once connected, it will forward itself a frame to determine if it's on the wire.

Wired listener: The sensor puts its wired interface into promiscuous mode and listens for broadcast frames, trying to match against the Rogue and Unknown APs that are seen (+2/-2 of the wireless MAC address).

DHCP fingerprinting: The sensor on the wired interface is listening for DHCP request packets to determine if the Unknown or Rogue device is on the wire.

eROW: ARP sweep the subnet and compare the list of MAC addresses with the Unknown or Rogue list (+2/-2 of the wireless MAC address).

Switch tracing: Using SNMP, crawl switches looking for the wireless MAC address from Rogue and Unknown APs (+2/-2 of the wireless MAC address); if it can't be found via this method, we can also trace based on the connected stations' MAC addresses.

5 DIFFERENT METHODS FOR TRACING ROGUE ACCESS POINTS
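The wired listener, eROW and switch tracing all share one correlation step: the "+2/-2 of the wireless MAC" rule, with the connected stations' MACs as the fallback. The following is an added example of that step, not AirMagnet's implementation: it applies the rule as an integer distance between each rogue BSSID and every MAC seen on the wire, then looks up the switch port an SNMP port shutdown would target. The switch table, the ARP-sweep results and the per-method behaviour are assumptions; the first BSSID reuses the spoofed MAC from the DoS slide.

```python
# Added example (not AirMagnet's code): correlate Rogue/Unknown AP BSSIDs with
# MAC addresses collected on the wire (ARP sweep, wired listener, DHCP, SNMP
# switch tables) using the slide's "+2/-2 of the wireless MAC" rule, falling
# back to the rogue's associated stations.  All tables below are constructed.

def mac_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def mac_offset(bssid, wired, tolerance=2):
    """wired - bssid if the two MACs lie within +/-tolerance of each other, else None.
    Integer arithmetic carries across octet boundaries (..:00:ff vs ..:01:01)."""
    diff = mac_int(wired) - mac_int(bssid)
    return diff if abs(diff) <= tolerance else None

def trace_rogues(rogues, cam_table, wired_seen, tolerance=2):
    """rogues: {bssid: [associated station MACs]} reported by the sensors.
    cam_table: {mac: (switch, port)} from an SNMP walk of the switches.
    wired_seen: MACs seen by the ARP sweep / wired listener / DHCP fingerprinting.
    Returns one result per BSSID; a hit names the wired MAC, the method and, when
    the switch tables know it, the port an SNMP port shutdown would target."""
    all_wired = set(cam_table) | set(wired_seen)
    results = {}
    for bssid, stations in rogues.items():
        hit = None
        # Method 1: the AP's Ethernet MAC normally sits next to its BSSID.
        for wired in sorted(all_wired):
            off = mac_offset(bssid, wired, tolerance)
            if off is not None:
                hit = {"method": "bssid-offset", "wired_mac": wired, "offset": off}
                break
        # Method 2: a client bridged by the rogue shows up on the wire instead.
        if hit is None:
            for sta in stations:
                if sta in all_wired:
                    hit = {"method": "station", "wired_mac": sta, "offset": None}
                    break
        if hit is None:
            results[bssid] = {"on_wire": False}   # likely a neighbour: no port to block
            continue
        hit["on_wire"] = True
        hit["port"] = cam_table.get(hit["wired_mac"])   # None when only ARP/DHCP saw it
        results[bssid] = hit
    return results

# Constructed data: three suspect BSSIDs (the first reuses the spoofed MAC from
# the slide), a constructed switch table and the ARP-sweep results.
ROGUES = {
    "00:02:2d:50:d1:4e": ["00:12:2d:50:43:1e"],
    "00:1c:10:aa:bb:cc": ["00:24:d7:11:22:33"],
    "00:0f:66:12:34:56": ["00:0f:66:aa:aa:aa"],
}
CAM_TABLE = {
    "00:02:2d:50:d1:4c": ("sw-floor2", "Gi1/0/7"),   # rogue's wired side = BSSID - 2
    "00:24:d7:11:22:33": ("sw-floor3", "Gi1/0/12"),  # only the rogue's client is visible
    "00:50:56:01:02:03": ("sw-floor2", "Gi1/0/1"),
}
WIRED_SEEN = {"00:50:56:01:02:03", "00:24:d7:11:22:33", "00:02:2d:50:d1:4c"}

if __name__ == "__main__":
    for bssid, res in trace_rogues(ROGUES, CAM_TABLE, WIRED_SEEN).items():
        print(bssid, res)
```

A bssid-offset hit on its own can be a coincidence (a neighbouring device from the same vendor with an adjacent MAC), so corroborate it with wireless tracing or DHCP fingerprinting before shutting a port.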


Rogue detection (diagram): Wireless Tracing; Wired Listener; eROW; Passive Rogue Detection; Switch tracing via SNMP

The Challenge
– Security and performance event triggers often require post inspection to determine remediation

Solution with Forensics
– Automatically capture Wi‐Fi and Spectrum forensic data in the background
– Review packet level capture at the exact moment of trigger for deep forensics of the threat source

BETTER THAN BEING THERE


Forensic Capture

Root cause analysis and troubleshooting

Real‐time Remote Wi‐Fi Analysis

(Diagram) AME Servers in Data Center: PRIMARY / HOT STANDBY; Console running in NOC / SOC or remotely; Remote Site; Local Site

Direct connect to Sensor for Live Remote Analysis ‐ Essential for Problem Investigation

Investigate WLAN behavior in Real‐time

DIRECT CONNECT IN REAL‐TIME


Real‐Time Remote Spectrum Analysis

• Full dedicated spectrum radio for analysis and classification
• Remote Spectrum interface for live troubleshooting
• Covers 2.4GHz, 5GHz and 4.9GHz
• 19 classification alarms

FULL DEDICATED SPECTRUM RADIO

Full Performance Analysis

• Overloaded Channels and Devices
  – Bandwidth
  – Association capacity
• Configuration Problems
  – Missing performance options
  – Not supporting higher speeds
• Co‐existence problems
  – 11n and a/b/g
  – b/g protection mechanisms
  – QoS
• Traffic Problems
  – Fragmentation
  – Retries
• RF and Interference

PROVIDES ROOT CAUSE AND DESCRIBES ALL DETAILS

Troubleshooting Connectivity Issues

• Basic End‐User Connectivity – one of the most common sources of WiFi complaints
  - Select station MAC address of the end-user with the problem and the AP they are trying to connect to.
  - Have user attempt to connect
  - Provides step by step analysis of association process.
  - Provides automatic answers to problems

WITH CONNECTION DIAGNOSTIC BUILT‐IN TO EACH SENSOR

VIEWING THE SMART DEVICES

BYOD classification

• Zero Configuration required
• Devices are automatically classified and grouped
• Detailed information including OS and Model name
• Smart Device list reports
• Accurate breakdown of all devices
• Reporting for all BYOD devices
• Understand what are approved company‐owned smart devices and which are employee BYOD

Benefits to the wireless administrator

EASE OF MANAGEMENT

• Perform pre-defined tasks
• Collect metrics
• Automate
• Find out and react to the wireless problem before your users start calling
• Generate alarms when thresholds aren’t met
• Know exactly what the problem is before your users complain
• Get detailed statistics for every step of the test

Automatic Health Check Benefits

IDEA – SIMULATE A WIRELESS CLIENT

Automated health check

Trending Data for the following
• Connection Time
• Authentication Time
• DHCP Time
• Ping Time
• FTP Speed
• HTTPS Download speed
• HTTP Download speed

TRENDING CHARTS

Reporting

Multiple Reports


Reporting 


EVERYTHING IS AUTOMATED

Reporting

SMART DEVICE LIST

3rd Party Integration


3rd Party Integration

• SNMP out (v1, v2 and v3) to popular NMS platforms
• RDEP support for Cisco tools
• Integration with SIM products (Arcsight, etc.)

Enterprises want wireless alerts integrated into existing NOC / SOC processes and tools

MULTIPLE MECHANISMS TO PASS EVENT DATA TO EXISTING MONITORING PLATFORMS

Issues if missing: No way to support existing NM operating procedures

AME Servers in Data Center

PRIMARY HOT STANDBY

SNMP / Syslog / Email / Custom

• WIFI is exploding
• WIFI data is increasing
• Wireless becomes critical (essential part of IT infrastructure)
• Mobile devices as the new target
• Protecting and securing the air will become more important
• Real time monitoring with pro‐active root cause analysis / troubleshooting will be key
• AME is a REAL 1st line of defense with pure focus on OSI layer 1&2
• Automated security threat update will be critical for security defense & detection
• Fluke Networks has full cycle of products to support Wireless LAN

Conclusion

(Diagram) Full life‐cycle: Planning; Deployment & Verification; Troubleshooting & Interference; 24x7 Performance & Security

FLUKE NETWORKS

WLAN Infrastructure vendors

ONE‐STOP SHOP FOR ALL NEEDS AND PAINS

Reiner Hofmann

EMEA Director Wireless/AirMagnet BU
Fluke Networks
Office: +49 7152 929 622
Mobile: +49 1520 [email protected]

Thank you