Considerations for a secure enterprise wlan data connectors 2013

© 2013 AirTight Networks, Inc. All rights reserved.

Considerations for a Secure Enterprise WLAN

Kaustubh Phanse, Ph.D. Chief Wireless Architect & Evangelist AirTight Networks


(Re)Considering Wireless Security

2

We don’t have “that” problem because… A “No Wi-Fi” policy without enforcement

What does not work?


Managing the “Unmanaged”

3

WPA2/802.1x cannot prevent unauthorized devices from accessing the enterprise network


Managing the “Unmanaged”

4


BYOD Survey Results

5

11%

20%

69% 16%

34%

50%

Do you see an increasing trend of employees bringing Rogue Wi-Fi APs?

Are you concerned about employees using mobile hotspots to bypass corporate policies?


Wireless Intrusion Prevention System (WIPS)

6

Automatic Device Classification

Comprehensive Threat Coverage

Reliable Threat Prevention

Accurate Location Tracking

BYOD Policy Enforcement



7

Rogue External

Authorized

Rogue AP? (High RSSI)

Rogue AP? (SSIDs)

Undetected Rogue APs

Rogue AP? (Vendor)

Rogue AP (on wire)


Signature-based Approach = False Alarms!

8


Blueprint for Reliable Threat Prevention

9

§  Surgical threat prevention without interfering with legitimate communication (yours or your neighbor’s)

§  Simultaneous prevention of multiple threats across multiple channels

External APs

Rogue APs (On Network)

Authorized APs

AP Classifica?on

STOP

Client Classifica?on Policy Mis-‐config

GO

STOP

IGNORE

DoS

External Clients

Authorized Clients

Rogue Clients


What Good is a Feature that Cannot be Turned On?

10

Many WLAN vendors offering “so-called WIPS” recommend their customers to NOT turn on automatic threat prevention!



11

True WIPS Approach Protects against the fundamental wireless threat building blocks

Prevalent WIDS Approach Cat and mouse chase of exploits, tools and signatures


Signature-based Approach = False Alarms!

12



13

No need for RF site survey No search squads to locate Wi-Fi devices Definitive location tracking within 10-15 ft.



14

§  MDM and NAC unable to provide the first line of defense

§  WIPS complements these solutions to fully automate secure BYOD


WIPS Architectures

15

§  Integrated •  APs repurposed as sensors •  Background scanning and minimal protection •  Cannot co-exist with time-sensitive apps, e.g., VoIP

§  Overlay •  Dedicated sensors on top of existing WLAN •  24/7 monitoring and protection

§  Combo •  APs repurposed as sensors •  24/7 monitoring and protection •  Able to support all types of apps, including VoIP

Wi-‐Fi AP with background scanning

2.4 GHZ

5 GHz

2.4 GHZ

5 GHz

2.4 GHZ

5 GHz

Wi-‐Fi AP WIPS Sensor

Wi-‐Fi AP with Concurrent WIPS sensor

2.4 / 5 GHZ

2.4 + 5 GHZ


AT-C60: Industry’s Most Flexible Wi-Fi Platform

16

§  Software-defined, band-unlocked radios – an industry first

§  Concurrent Wi-Fi access and 24/7 WIPS – an industry first


AirTight Wi-Fi – Key Features

17

Built-in WIPS, Content Filtering, Firewall and BYOD Onboarding

Support for Multiple SSIDs & VLANs, QoS and Traffic Shaping

High speed 802.11n access incl. 3x3:3 on 802.3af PoE

Guest Wi-Fi access with Captive Portal and Walled Garden

Centralized Management from single HTML5 console

Social Wi-Fi and Analytics for Business Intelligence

!


AirTight WIPS – Key Features

18



Reliable Threat Prevention




Secure Enterprise WLAN Checklist

19

ü  Accurately detect all types of Rogue APs without you having to define any signatures?

ü  Not flood you with false alerts?

ü  Let you reliably turn on the P in WIPS?

ü  Automate BYOD policy enforcement and onboarding?

ü  Accurately track physical location of detected Wi-Fi devices?

ü  Do all of the above without compromising on Wi-Fi access features and ripping off your IT budget?

Can your enterprise WLAN solution:


Thank You!

20

Cloud Managed Secure Wi-Fi Solutions

www.airtightnetworks.com [email protected] @AirTight +1 877 424 7844

US DoD Approved

Technology

Considerations for a secure enterprise wlan data connectors 2013