The most common causes of security vulnerabilities in wireless networks are improper administrative access and a lack of centralized policy control. One remedy is to establish "need to know" administrative policies and define privileges by job role and by network segment. Misconfigured access points in your WLAN are another Achilles' heel of security. Combat this by automating configuration audits against the entire configuration of each AP device. Maintain an accurate inventory of your WLAN infrastructure to guard against lost APs. Finally, track and locate lost and stolen devices.
The Relationship Between Wireless Security & Management
Greg Murphy
General Manager
AirWave Wireless
+1.650.286.6102
Addressing Common Security Vulnerabilities
1. Improper administrative access
2. Lack of centralized policy control
3. Misconfigured APs & controllers
4. APs without current firmware & security patches
5. Missing APs
6. Rogue APs
7. Stolen & lost devices
(Diagram: the seven vulnerabilities placed on a network map spanning the network engineering group, the help desk and the WAN.)
Administrative Privileges
“I was just trying to help”
Well-meaning IT employees who get “in over their heads” cause a significant number of security breaches.
1. Establish “Need to Know” Administrative Policies
• Implement flexible administrative roles:
– “Read-Only” (Help Desk)
– “Read-Write” (Network Engineers)
– “Auditor” (Security Team)
– “Administrator” (Sys Admin)
– etc.
• Define privileges by network segment:
– Geography (North America vs. EMEA)
– Group (Retail Stores vs. Corporate HQ)
– etc.
• Single sign-on for wired and wireless (via TACACS, etc.)
All staff members should have access to the network information they need to do their jobs…
… and nothing more.
(Diagram: roles scoped by network segment. The Retail Help Desk holds “Read-Only” monitoring access to the Retail Store Network; the Distribution Center Network Engineer holds “Read-Write” configuration privileges on the Distribution Center Network.)
Diverse Devices Means Complex Security
(Table: security protocols supported by each device, WPA2, WPA, WEP, None and VPN, for company-owned/managed and personal devices: Company Laptop, Company-issued Smartphone, Legacy scanner, Guest Laptop, Employee Smartphone, Printer, Security Camera, PDA, PoS Device. Not every device supports the strongest protocol.)
2. Centralize Management of Multiple Security Policies
With multiple devices and classes of users, IT must administer complex security policies uniformly…
(Diagram: one SSID and security policy per device class, each mapped to a network with a different level of access.)
• SSIDs and their security settings:
– SSID1: WPA2
– SSID2: WPA
– SSID3: WPA PSK
– SSID4: Guest
– SSID5: WEP with ACL
• Devices: Company Laptop, Company-issued Smartphone (does not support WPA2), Legacy scanner, Guest Laptop, Employee-owned Smartphone
• Target networks: Trusted Data Network (full network access), Secure Voice Network (IP PBX), “Tolerated Network” (strict firewall policy), Distribution Center Network (partial access), Guest Network (Internet)
Misconfigured Access Points
The Wireless “Needle in a Haystack”
• AirWave data show that more than 30% of wireless APs today do not comply with policy
• Analysts see misconfigured infrastructure and devices as the cause of up to 90% of security breaches
3. Automate Compliance Audits
• Manual configuration audits are too time-consuming and do not get done
• Wireless IDS systems cannot detect non-RF configuration errors and cannot ‘repair’ misconfigured devices
• Not all ‘mismatches’ are created equal… security-related violations matter most
To guard against misconfigurations, you must automate compliance auditing against the entire configuration of each device.
With thousands of APs and controllers, it is easy for a significant configuration error to go undetected…
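What such an automated audit looks like in practice, as an added example (this is illustration code, not AirWave's product, and the policy keys, severity tiers and the three AP configurations are constructed): every key of the desired configuration is compared against what the device reports, a missing key counts as a mismatch, and security-related violations are ranked ahead of cosmetic ones so the report leads with what matters.

```python
"""Audit AP configurations against a policy template and rank mismatches.

Added illustration, not vendor code. Policy keys, severity tiers and the
sample AP configurations below are constructed for this example.
"""
from dataclasses import dataclass

# Desired configuration. "!default" is a sentinel meaning "must not be
# one of the well-known defaults" (used for SNMP community strings).
POLICY = {
    "ssid_corp_encryption": "WPA2-AES",
    "ssid_guest_isolation": True,
    "snmp_community_ro": "!default",
    "mgmt_https_only": True,
    "telnet_enabled": False,
    "syslog_server": "10.0.0.20",
    "channel_width_mhz": 20,
    "led_enabled": True,
}
# Mismatches on these keys are security violations; the rest are cosmetic.
SECURITY_KEYS = {"ssid_corp_encryption", "ssid_guest_isolation",
                 "snmp_community_ro", "mgmt_https_only", "telnet_enabled",
                 "syslog_server"}


@dataclass
class Mismatch:
    ap: str
    key: str
    expected: object
    actual: object
    severity: str  # "security" or "cosmetic"


def check_value(expected, actual):
    if expected == "!default":
        return actual not in (None, "public", "private")
    return expected == actual


def audit(ap_name, config):
    """Return every mismatch between one AP's config and POLICY, security first."""
    found = []
    for key, expected in POLICY.items():
        actual = config.get(key)  # a key the device lacks is a mismatch too
        if not check_value(expected, actual):
            sev = "security" if key in SECURITY_KEYS else "cosmetic"
            found.append(Mismatch(ap_name, key, expected, actual, sev))
    return sorted(found, key=lambda m: (m.severity != "security", m.key))


# Constructed inventory: configs "pulled from the controller" for three APs.
BASE = {**POLICY, "snmp_community_ro": "hq-r0-2011"}  # a fully compliant AP


def without(cfg, key):
    return {k: v for k, v in cfg.items() if k != key}


INVENTORY = {
    "ap-hq-01": dict(BASE),
    "ap-store-17": without({**BASE, "snmp_community_ro": "public",
                            "telnet_enabled": True, "led_enabled": False},
                           "syslog_server"),
    "ap-dc-03": {**BASE, "led_enabled": False, "channel_width_mhz": 40},
}


def audit_all(inventory):
    return {ap: audit(ap, cfg) for ap, cfg in inventory.items()}


def summary(results):
    """Which devices are out of policy at all, and which have security violations."""
    noncompliant = [ap for ap, ms in results.items() if ms]
    insecure = [ap for ap, ms in results.items()
                if any(m.severity == "security" for m in ms)]
    return {"audited": len(results), "noncompliant": noncompliant,
            "security_violations": insecure}


if __name__ == "__main__":
    results = audit_all(INVENTORY)
    for ap, mismatches in results.items():
        for m in mismatches:
            print(f"{m.severity:8} {ap:12} {m.key}: expected {m.expected!r}, got {m.actual!r}")
    print(summary(results))
```

In this constructed run, ap-dc-03 only has cosmetic drift (LED state, channel width) while ap-store-17 is running telnet with the default SNMP community and no syslog server; a report that treats every mismatch alike would bury the second case among the first.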
Keeping Up With Vendor Security Patches
“Oh good! Another security patch!”
4. Ensure that All Security Patches Are Applied
• Patch management becomes complex with:
– Thousands of APs & controllers
– Multiple generations of hardware
– Different hardware vendors
– Diverse wireless architectures
• Need centralized firmware distribution:
– Specify ‘minimum acceptable’ firmware
– Detect and auto-update devices
– Perform multi-phase ‘before-and-after’ validation
• Prove it to the auditors:
– “Inventory Report” identifies the software running on each AP and controller
Auditors demand prompt application of vendor-provided security patches across the entire network…
…You need to be able to prove that it’s been done, everywhere.
(Screenshots: defining minimum acceptable versions; reports to demonstrate compliance.)
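The “minimum acceptable firmware” check is mostly a version-comparison problem, and a surprising number of home-grown scripts get it wrong by comparing version strings lexically (“4.2.10” sorts before “4.2.9”). The following is an added example, not AirWave code; the vendor and model names, version formats and minimums are constructed. It parses vendor version strings into numeric tuples, keeps a per-model minimum because different hardware generations run different fix trains, and produces the inventory-style report an auditor would ask for, plus the list of devices the update push must target.

```python
"""Flag APs and controllers running firmware below the minimum acceptable version.

Added illustration, not vendor code. Vendor/model names, version strings and
the minimum versions are constructed for this example.
"""
import re

# Minimum acceptable firmware per (vendor, model). Keyed per model because
# different hardware generations receive different firmware trains.
MINIMUM = {
    ("VendorA", "AP-1100"): "4.2.17",
    ("VendorA", "AP-1200"): "4.2.17",
    ("VendorB", "WLC-5000"): "7.0.230.0",
    ("VendorB", "AP-350"): "12.4(25)",
}


def parse_version(s):
    """Turn '7.0.230.0' or '12.4(25)e' into a tuple of ints for comparison.

    Non-numeric suffixes are ignored and missing components compare as 0,
    so '4.2' == '4.2.0' and '4.2.10' > '4.2.9' (a string compare gets the
    latter wrong).
    """
    nums = [int(x) for x in re.findall(r"\d+", s)]
    return tuple(nums + [0] * max(0, 4 - len(nums)))


def is_current(vendor, model, running):
    """True/False against MINIMUM, or None for a platform with no policy."""
    minimum = MINIMUM.get((vendor, model))
    if minimum is None:
        return None  # unknown platform: surface it rather than silently pass
    return parse_version(running) >= parse_version(minimum)


# Constructed inventory report rows, as a management system would collect them.
DEVICES = [
    {"name": "ap-hq-01", "vendor": "VendorA", "model": "AP-1100", "firmware": "4.2.17"},
    {"name": "ap-hq-02", "vendor": "VendorA", "model": "AP-1100", "firmware": "4.2.9"},
    {"name": "ap-dc-03", "vendor": "VendorA", "model": "AP-1200", "firmware": "4.3.1"},
    {"name": "wlc-emea-1", "vendor": "VendorB", "model": "WLC-5000", "firmware": "7.0.116.0"},
    {"name": "ap-store-9", "vendor": "VendorB", "model": "AP-350", "firmware": "12.4(25)e"},
    {"name": "ap-lab-1", "vendor": "VendorC", "model": "X-9", "firmware": "1.0"},
]


def inventory_report(devices):
    """Bucket every device as current, outdated or unknown (no policy defined)."""
    report = {"current": [], "outdated": [], "unknown": []}
    for d in devices:
        status = is_current(d["vendor"], d["model"], d["firmware"])
        bucket = "unknown" if status is None else ("current" if status else "outdated")
        report[bucket].append(d["name"])
    return report


def update_plan(devices):
    """Devices the firmware push must target, with the version to push."""
    return {d["name"]: MINIMUM[(d["vendor"], d["model"])]
            for d in devices
            if is_current(d["vendor"], d["model"], d["firmware"]) is False}


if __name__ == "__main__":
    print(inventory_report(DEVICES))
    print(update_plan(DEVICES))
```

The “unknown” bucket is deliberate: a device whose platform has no minimum defined is a gap in the policy, not evidence of compliance, and should appear in the report rather than vanish from it.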
Access Points are Easy to “Misplace”
“I could have sworn we installed an AP in Toledo”
“Lost APs” may still be on your network, but you can’t reach them.
5. Maintain an Accurate Infrastructure Inventory
• Automated device discovery
• Multiple discovery techniques
• Ongoing detection of new infrastructure devices
• Automated alerts whenever an AP cannot be reached
• Daily generation of a full inventory report
Your wireless network cannot be secure unless you know what infrastructure you have and where it is located…
“Lost APs” may contain valuable information like SNMP strings, administrator IDs, passwords, IP addresses of other network devices (RADIUS servers, TACACS servers), etc.
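The inventory slide describes a reconciliation loop: merge what several discovery techniques found, compare it against the authoritative inventory, alert on anything in the inventory that no technique could reach, and flag anything discovered that the inventory does not know about. The following added example (illustration code, not AirWave's; the inventory records and the two simulated discovery results are constructed) implements that loop and produces the daily report.

```python
"""Reconcile discovered devices with the authoritative inventory.

Added illustration, not vendor code. The inventory and the results of the two
simulated discovery techniques are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed authoritative inventory: name -> record
INVENTORY = {
    "ap-hq-01": {"ip": "10.1.0.11", "site": "HQ", "last_seen": "2011-03-01T09:00"},
    "ap-dc-03": {"ip": "10.2.0.13", "site": "DC-West", "last_seen": "2011-03-01T09:00"},
    "ap-toledo-1": {"ip": "10.7.0.21", "site": "Toledo", "last_seen": "2011-02-14T17:30"},
}


# Two discovery techniques, simulated. Each returns ip -> name as reported.
def discover_snmp_sweep():
    return {"10.1.0.11": "ap-hq-01", "10.2.0.13": "ap-dc-03", "10.2.0.99": "AP-1200"}


def discover_from_controller():
    return {"10.1.0.11": "ap-hq-01", "10.1.0.12": "ap-hq-02"}


def merge_discoveries(*sources):
    """Union of the techniques: a device one method misses, another may catch."""
    found = {}
    for src in sources:
        found.update(src)
    return found


def reconcile(inventory, discovered, now, stale_after=timedelta(days=7)):
    """Compare inventory against discovery results and build alerts."""
    now_dt = datetime.fromisoformat(now)
    by_ip = {rec["ip"]: name for name, rec in inventory.items()}
    reachable = sorted(n for ip, n in by_ip.items() if ip in discovered)
    unreachable = sorted(n for ip, n in by_ip.items() if ip not in discovered)
    new = sorted(ip for ip in discovered if ip not in by_ip)
    # Unreachable for longer than the threshold: treat as lost, not just down.
    stale = sorted(n for n in unreachable
                   if now_dt - datetime.fromisoformat(inventory[n]["last_seen"]) > stale_after)
    alerts = [f"ALERT: {n} at {inventory[n]['site']} ({inventory[n]['ip']}) "
              f"unreachable, last seen {inventory[n]['last_seen']}" for n in unreachable]
    alerts += [f"NEW: undocumented device {discovered[ip]} at {ip}" for ip in new]
    return {"reachable": reachable, "unreachable": unreachable,
            "new": new, "stale": stale, "alerts": alerts}


def daily_report(now):
    """The daily full-inventory report: run every technique, then reconcile."""
    discovered = merge_discoveries(discover_snmp_sweep(), discover_from_controller())
    return reconcile(INVENTORY, discovered, now)


if __name__ == "__main__":
    for line in daily_report("2011-03-01T10:00")["alerts"]:
        print(line)
```

Running it against the constructed data reports ap-toledo-1 as unreachable and stale (last seen two weeks ago, exactly the “lost AP” case), and surfaces two devices that discovery found but the inventory never recorded.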
Rogue Access Points
Who is More Likely to Install a Rogue AP on Your Network?
6. Detect Rogue Access Points Anywhere
• Users typically install rogues where you do not yet have wireless APs or sensors (or where coverage is weak)
• Most organizations do not yet have wireless 802.11a/b/g coverage in 100% of facilities
• Without wall-to-wall coverage, wireless scans via your authorized APs or sensors cannot detect all rogues
• Good security combines detection via wireless techniques with scans across the wired network infrastructure
Wireless rogue AP detection is not enough…
… Use a combination of wired and wireless scans to detect and locate rogue APs anywhere on your network.
(Diagram, “The problem with RF Detection”: a rogue inside the RF range of an authorized AP is detected; one outside that range is not.)
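An added example of the combined approach (illustration code, not AirWave's product; the managed-AP list, vendor OUIs, RF scan and switch MAC tables are constructed). It applies two checks: a BSSID heard over the air that does not belong to a managed AP is a rogue, and it is then matched against the switch MAC tables to find the port it is plugged into; and, independently of RF coverage, any MAC on a switch port with an AP-vendor OUI that is not in the managed inventory is reported as a wired-only suspect. Both checks rely on the assumption, stated in the code, that an AP's wired MAC and its radio BSSIDs share the first five octets and differ only in the last byte, which is a common heuristic rather than a guarantee.

```python
"""Combine RF scan results with switch MAC tables to find rogue APs.

Added illustration, not vendor code. All data below is constructed.
Assumption (heuristic, not guaranteed): an AP's wired MAC and its radio
BSSIDs share the first five octets and differ only in the last byte.
"""

# Wired MACs of managed APs (from inventory) and constructed AP-vendor OUIs.
AUTHORIZED_APS = {"00:1a:1e:10:20:30", "00:1a:1e:10:20:40"}
AP_VENDOR_OUIS = {"00:1a:1e", "00:0b:86", "00:18:0a"}

# RF scan reported by managed APs: BSSID -> (SSID, AP that heard it)
RF_SCAN = {
    "00:1a:1e:10:20:31": ("corp", "ap-hq-01"),      # our own AP's BSSID
    "00:18:0a:55:66:79": ("linksys", "ap-hq-02"),   # unknown BSSID heard
}
# Switch MAC address tables: MAC -> (switch, port)
WIRED_MACS = {
    "00:1a:1e:10:20:30": ("sw-hq-1", "Gi1/0/1"),
    "00:18:0a:55:66:78": ("sw-hq-1", "Gi1/0/17"),   # the rogue's wired side
    "00:0b:86:aa:bb:cc": ("sw-store-4", "Fa0/5"),   # AP OUI, out of RF coverage
    "00:50:56:01:02:03": ("sw-hq-1", "Gi1/0/9"),    # ordinary host
}


def oui(mac):
    return mac[:8]


def mac_close(a, b, window=15):
    """Same first five octets and last bytes within `window` (the heuristic)."""
    return a[:14] == b[:14] and abs(int(a[15:], 16) - int(b[15:], 16)) <= window


def is_authorized(mac):
    return any(mac_close(mac, ap) for ap in AUTHORIZED_APS)


def find_rogues(rf_scan, wired_macs):
    """Rogues from RF (located on the wire where possible) plus wired-only suspects."""
    rogues = {}
    # 1. RF-detected BSSIDs that are not one of our managed APs
    for bssid, (ssid, heard_by) in rf_scan.items():
        if is_authorized(bssid):
            continue
        on_wire = [loc for mac, loc in wired_macs.items() if mac_close(mac, bssid)]
        rogues[bssid] = {"ssid": ssid, "source": "rf", "heard_by": heard_by,
                         "wired_port": on_wire[0] if on_wire else None}
    # 2. Wired-only: AP-vendor MACs on switch ports that are neither managed
    #    nor already explained by an RF-detected rogue (covers RF blind spots)
    for mac, loc in wired_macs.items():
        if oui(mac) not in AP_VENDOR_OUIS or is_authorized(mac):
            continue
        if any(mac_close(mac, bssid) for bssid in rogues):
            continue
        rogues[mac] = {"ssid": None, "source": "wired", "heard_by": None,
                       "wired_port": loc}
    return rogues


if __name__ == "__main__":
    for mac, info in find_rogues(RF_SCAN, WIRED_MACS).items():
        print(mac, info)
```

In the constructed data the RF scan alone finds one rogue (and the wired table pins it to sw-hq-1 Gi1/0/17), while the wired check alone finds a second AP-vendor device at a store with no RF coverage, which is exactly the case the slide says RF detection misses.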
Lost Devices
Murphy’s Law, Part II: Anything that can be lost, will be lost
7. Track and Locate Lost & Stolen Devices
Lost and stolen devices are valuable assets that may contain critical security information… You need to find them.
(Flowchart:)
1. Search for the device on your network. Found?
2. Yes: locate the device.
2. No: track the 24-hour roaming history and determine the last known location (location, date/time).
3. Use user session reports to see if the device returns.
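The flowchart as an added example (illustration code, not AirWave's product; the AP locations and the client session records are constructed): search for the device's current association, fall back to its roaming history over the last 24 hours to find the last AP that saw it, and afterwards watch session records for any new association of that device.

```python
"""Locate a lost or stolen client device from user-session records.

Added illustration, not vendor code. AP locations and session records are
constructed for this example.
"""
from datetime import datetime, timedelta

AP_LOCATION = {"ap-hq-01": "HQ, floor 1", "ap-hq-03": "HQ, floor 3",
               "ap-dc-03": "DC-West, loading dock"}

# Constructed session records: (client MAC, AP, start, end); end=None means
# the device is still associated.
SESSIONS = [
    ("00:16:cb:aa:00:01", "ap-dc-03", "2011-02-27T14:00", "2011-02-27T15:00"),
    ("00:16:cb:aa:00:01", "ap-hq-01", "2011-03-01T08:05", "2011-03-01T09:40"),
    ("00:16:cb:aa:00:01", "ap-hq-03", "2011-03-01T09:41", "2011-03-01T11:20"),
    ("00:16:cb:bb:00:02", "ap-hq-01", "2011-03-01T10:00", None),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def current_ap(mac, sessions):
    """Step 1: search for the device on the network (an open session)."""
    for m, ap, _start, end in sessions:
        if m == mac and end is None:
            return ap
    return None


def roaming_history(mac, sessions, now, window=timedelta(hours=24)):
    """Step 2: the device's sessions that ended within the window, oldest first."""
    now_dt = parse(now)
    hist = []
    for m, ap, start, end in sessions:
        end_dt = parse(end) if end else now_dt
        if m == mac and end_dt >= now_dt - window:
            hist.append((ap, start, end))
    return sorted(hist, key=lambda s: s[1])


def locate(mac, sessions, now):
    """Found: locate it now. Not found: last known location from the history."""
    ap = current_ap(mac, sessions)
    if ap:
        return {"status": "online", "ap": ap, "location": AP_LOCATION[ap], "at": now}
    hist = roaming_history(mac, sessions, now)
    if not hist:
        return {"status": "not seen in 24h", "ap": None, "location": None, "at": None}
    ap, _start, end = hist[-1]
    return {"status": "last seen", "ap": ap, "location": AP_LOCATION[ap], "at": end}


def returned_since(mac, sessions, since):
    """Step 3: APs where a new session for the device started after `since`."""
    since_dt = parse(since)
    return [ap for m, ap, start, _end in sessions if m == mac and parse(start) > since_dt]


if __name__ == "__main__":
    print(locate("00:16:cb:aa:00:01", SESSIONS, "2011-03-01T12:00"))
    print(returned_since("00:16:cb:aa:00:01", SESSIONS, "2011-03-01T09:00"))
```

For the constructed device 00:16:cb:aa:00:01 the search finds no open session, the history shows it last associated to ap-hq-03 (HQ, floor 3) until 11:20, and the two-day-old session at the distribution center is correctly excluded from the 24-hour window.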
If your wireless network is not managed…
… It cannot be secure.
Greg Murphy, General Manager
AirWave Wireless
+1.650.286.6102