
AirTight Networks WIPS at Wireless Field Day 6 WFD6


AirTight Networks WIPS at Wireless Field Day 6 WFD6 by Hemant Chaskar


Page 1: AirTight Networks WIPS at Wireless Field Day 6 WFD6

© 2014 AirTight Networks, Inc. All rights reserved. 1

@AirTight WIPS

#WFD6, Jan 29, 2014

Part 1: WIPS Product Demo, @RickLikesWIPS Rick Farina

Part 2: Technology Deep Dive, @CHemantC Hemant Chaskar

Page 2: AirTight Networks WIPS at Wireless Field Day 6 WFD6

AirTight WIPS

§ Overlay WIPS or WIPS as part of AirTight APs

§ Best in the industry

§ Customer base of 1500+ enterprises including large/Fortune companies, Government & DoD

§ Extensive patent portfolio

Page 3: AirTight Networks WIPS at Wireless Field Day 6 WFD6

WIPS Basics

§ WIPS addresses threat vectors orthogonal to WPA2

§ Offers protection for both

- Wired network (e.g. rogue APs), and

- Wireless clients/connections (e.g. Evil Twin)

§ Requires scanning all channels (not just managed AP channels)

- Dedicated & background scanning radios

Page 4: AirTight Networks WIPS at Wireless Field Day 6 WFD6

WPA2 and WIPS

[Slide diagram; label: BYOD]

Page 5: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Traditional Approach

§ User defined rules for classifying devices as managed, neighbor, rogue

§ Signature matching on packet fields to detect attack tools

§ Packet statistics based anomaly detection

§ Lots of alerts

§ Manual intervention driven reactive workflow

Page 6: AirTight Networks WIPS at Wireless Field Day 6 WFD6

User Defined Rules Are No Match For Wireless Environment

§ Requires cumbersome configuration of rules

§ Can’t keep up with dynamic wireless environment

Page 7: AirTight Networks WIPS at Wireless Field Day 6 WFD6

User Defined Rules Are More Nuisance Than Help

§ Device alerts, false alarms, manual intervention to act on alerts

§ Fear of automatic prevention

Page 8: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Signature Matching On Packets Is False Alarm Prone

§ Not all attack tools have signatures

§ Signature fields in tools are modifiable

§ Signatures lag attack tools

§ Result: the signature matching approach creates abundant false positives & negatives

Does anyone still think that (SSID) signatures are a good idea?

Page 9: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Packet Anomaly Detection On Unknown Thresholds

§ Inaccurate stats based on partial observation

- Scanning sensor

- RSSI limitations

§ It doesn’t help to give threshold comparators when users don’t know the right thresholds

- Right threshold to catch real threats, while avoiding false alarms

Page 10: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Changing the Status Quo

[Slide graphic: Traditional Approach vs AirTight Approach; label: WIPS Compass]

Page 11: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Traditional vs AirTight

Traditional approach:

§ Overhead of user defined rules for device categorization

§ Signatures & threshold anomaly detection

§ Constant manual intervention

§ Alert flood

§ Fear of automatic prevention

AirTight approach:

§ Out of box auto-classification into intrinsic categories

§ Proactive blocking of risky connections

§ Highly automated

§ Concise alerts

§ Reliable automatic prevention

Page 12: AirTight Networks WIPS at Wireless Field Day 6 WFD6

AP Auto-classification into Foundation Categories

§ No user configured rules (SSID, OUI, RSSI, …)

§ Runs 24x7

[Slide diagram, classification tree:]

- All APs visible

  - Managed APs (Static Part): Authorized APs

  - Unmanaged APs (Dynamic Part): External APs, Rogue APs

Page 13: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Marker Packets™ for Connectivity Detection

§ No reliance on managed switch infra (CAM tables)

§ Prompt detection with localized operation for any network size

§ No false negatives: No “suspects” in neighbor category (like in wired & wireless MAC correlation)

§ No false positives: No “legal disclaimers” in automatically containing real rogues

[Slide diagram; labels: AirTight Device, AirTight Device]

Page 14: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Client Auto-classification

Newly discovered Client: Uncategorized

Connects to secure Authorized AP: Authorized Client

Connects to External AP: External Client

Connects to Rogue AP: Rogue Client

Additional ways to auto-classify Clients:

Integration APIs with leading WLAN controllers to fetch Authorized Clients list.

Import MAC addresses of Authorized Clients from file.

Page 15: AirTight Networks WIPS at Wireless Field Day 6 WFD6

AirTight WIPS Security Policy

DETECT AND BLOCK RED PATHS!

[Slide diagram: policy matrix of AP Classification (Neighborhood APs, Rogue APs (On Network), Authorized APs) against Client Classification (Neighborhood Clients, Authorized Clients, Rogue Clients); cell labels: STOP, GO, STOP, IGNORE, Block Mis-config, Detect DoS]
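The auto-classification rules of slides 12 to 14 and the policy matrix of slide 15, worked through as an added Python example (not AirTight's code): AP categories come from the managed inventory plus connectivity detection, a client takes the category of the AP it associates to, and the STOP/GO/IGNORE mapping is my reading of the slide's labels; every BSSID, MAC and flag is constructed.

```python
# Added example, not AirTight's code: the AP and client auto-classification rules
# from slides 12-14 plus one reading of slide 15's STOP/GO/IGNORE labels.
# Every BSSID, MAC and flag here is constructed sample data.
AUTHORIZED, EXTERNAL, ROGUE, UNCATEGORIZED = "Authorized", "External", "Rogue", "Uncategorized"
STOP, GO, IGNORE = "STOP", "GO", "IGNORE"
APS = {  # bssid -> (advertises WPA2, seen on our wire by marker packets [slide 13])
    "00:11:22:aa:00:01": (True, True),   # our corporate AP
    "00:11:22:aa:00:02": (False, True),  # our open guest AP
    "00:11:22:bb:00:03": (True, True),   # unmanaged AP bridged onto our LAN
    "00:11:22:cc:00:04": (True, False),  # neighbour's AP, not on our wire
}
MANAGED = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}  # from the managed-AP inventory
IMPORTED = {"de:ad:be:ef:00:04"}  # Authorized client MACs imported from controller/file
CONNECTIONS = {  # client MAC -> BSSID it is associated to (None if idle)
    "de:ad:be:ef:00:01": "00:11:22:aa:00:01",
    "de:ad:be:ef:00:02": "00:11:22:aa:00:02",
    "de:ad:be:ef:00:03": "00:11:22:bb:00:03",
    "de:ad:be:ef:00:04": "00:11:22:cc:00:04",
    "de:ad:be:ef:00:05": None,
}

def classify_ap(bssid, aps=APS, managed=MANAGED):
    # Slide 12: managed APs are the static Authorized set; unmanaged APs split
    # dynamically into Rogue (on our wire) or External. No SSID/OUI/RSSI rules.
    if bssid in managed:
        return AUTHORIZED
    return ROGUE if aps[bssid][1] else EXTERNAL

def classify_client(mac, bssid, aps=APS, managed=MANAGED, imported=IMPORTED):
    # Slide 14: Uncategorized until it connects, then it takes its AP's category, but
    # only a *secure* Authorized AP authorizes it (an open guest BSS does not: assumed).
    if mac in imported:  # controller API / file import authorizes up front
        return AUTHORIZED
    if bssid is None:
        return UNCATEGORIZED
    cat = classify_ap(bssid, aps, managed)
    return UNCATEGORIZED if cat == AUTHORIZED and not aps[bssid][0] else cat

def policy(ap_cat, client_cat):
    # Assumed reading of slide 15: paths touching a Rogue are red (STOP); Authorized<->
    # Authorized is GO; External<->External or a still-unclassified client: IGNORE; else STOP.
    if ROGUE in (ap_cat, client_cat):
        return STOP
    if client_cat == UNCATEGORIZED or (ap_cat, client_cat) == (EXTERNAL, EXTERNAL):
        return IGNORE
    return GO if (ap_cat, client_cat) == (AUTHORIZED, AUTHORIZED) else STOP

def audit(connections=CONNECTIONS):
    return {mac: policy(classify_ap(b), classify_client(mac, b)) if b else IGNORE
            for mac, b in connections.items()}
```

Running `audit()` on the sample data flags the client on the bridged unmanaged AP and the imported Authorized client sitting on the neighbour's AP (mis-association) as STOP, while the open guest association stays unclassified and is ignored.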

Page 16: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Reliable prevention

§ One size doesn’t fit all

- There are many permutations & combinations on connection type & Wi-Fi interface hw/sw

§ Bag of tricks for comprehensive prevention

- Deauth, timed deauth, client chasing, ARP manipulation, cell splitting, wireless side, wired side

Page 17: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Accurate Location Tracking

§ Stochastic triangulation: maximum likelihood estimation based technique

§ No need for RF site survey

§ No search squads to locate Wi-Fi devices

§ 15 ft accuracy in most environments
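An added example, not AirTight's code, of what slide 17 calls stochastic triangulation: a maximum likelihood estimate of a device's position from the RSSI seen at several sensors. It assumes a log-distance path-loss model with a made-up calibration (-40 dBm at 1 m, exponent 3) and Gaussian measurement error, so the estimate is the grid point minimising squared residuals; the sensor layout and readings are constructed.

```python
# Added example, not AirTight's code: a maximum-likelihood position estimate of the
# kind slide 17 calls stochastic triangulation. Assumptions (mine, not the slide's):
# sensors report the target's RSSI, the log-distance path-loss model below holds, and
# RSSI errors are Gaussian with equal variance, so the ML estimate minimises squared error.
import math

P0_DBM = -40.0      # RSSI at 1 m (assumed calibration)
PATH_LOSS_N = 3.0   # indoor path-loss exponent (assumed)

def expected_rssi(sensor, pos):
    d = max(math.dist(sensor, pos), 1.0)  # clamp: model is undefined below 1 m
    return P0_DBM - 10.0 * PATH_LOSS_N * math.log10(d)

def neg_log_likelihood(pos, sensors, readings):
    # Up to a constant, -log L for Gaussian errors is the sum of squared residuals.
    return sum((r - expected_rssi(s, pos)) ** 2 for s, r in zip(sensors, readings))

def locate(sensors, readings, area=(0.0, 30.0), step=0.5):
    # Grid search over the floor plan: only sensor coordinates are needed, no site survey.
    lo, hi = area
    cells = int(round((hi - lo) / step))
    best, best_pos = math.inf, None
    for i in range(cells + 1):
        for j in range(cells + 1):
            pos = (lo + i * step, lo + j * step)
            nll = neg_log_likelihood(pos, sensors, readings)
            if nll < best:
                best, best_pos = nll, pos
    return best_pos

# Constructed scenario: four sensors at the corners of a 30 m x 30 m floor, device at (12, 18).
SENSORS = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0), (30.0, 30.0)]
TRUE_POS = (12.0, 18.0)
CLEAN = [expected_rssi(s, TRUE_POS) for s in SENSORS]           # noiseless readings
NOISY = [r + e for r, e in zip(CLEAN, (0.4, -0.3, 0.5, -0.2))]   # fixed dB measurement errors

if __name__ == "__main__":
    print("clean:", locate(SENSORS, CLEAN), "noisy:", locate(SENSORS, NOISY))
```

With noiseless readings the search recovers (12.0, 18.0) exactly; with the half-decibel errors it lands within about a metre, and a finer grid or more sensors tightens the estimate.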

Page 18: AirTight Networks WIPS at Wireless Field Day 6 WFD6

Why AirTight WIPS?

Automatic Device Classification

Reliable Threat Prevention

Accurate Location Tracking

Detailed Compliance Reporting

Ease of Operation & Lowest TCO

Cloud Managed or Onsite