Considerations for a secure enterprise wlan data connectors 2013
1 like618 views
The document discusses considerations for securing enterprise wireless local area networks (WLANs). It notes that while WPA2/802.1x authentication cannot prevent unauthorized devices from accessing the network, a wireless intrusion prevention system (WIPS) can provide automatic device classification, comprehensive threat coverage, reliable threat prevention, accurate location tracking, and BYOD policy enforcement. An effective WIPS solution is able to detect rogue access points and threats without false alarms, allow threat prevention to be turned on, and automate BYOD onboarding without compromising wireless access features or budgets.
Considerations for a secure enterprise wlan data connectors 2013
- 1. © 2013 AirTight Networks, Inc. All rights reserved. Considerations for a Secure Enterprise WLAN Kaustubh Phanse, Ph.D. Chief Wireless Architect & Evangelist AirTight Networks
- 2. © 2013 AirTight Networks, Inc. All rights reserved. (Re)Considering Wireless Security 2 We don’t have “that” problem because…A “No Wi-Fi” policy without enforcement What does not work?
- 3. © 2013 AirTight Networks, Inc. All rights reserved. Managing the “Unmanaged” 3 WPA2/802.1x cannot prevent unauthorized devices from accessing the enterprise network
- 4. © 2013 AirTight Networks, Inc. All rights reserved. Managing the “Unmanaged” 4
- 5. © 2013 AirTight Networks, Inc. All rights reserved. BYOD Survey Results 5 11% 20% 69% 16% 34% 50% Do you see an increasing trend of employees bringing Rogue Wi-Fi APs? Are you concerned about employees using mobile hotspots to bypass corporate policies?
- 6. © 2013 AirTight Networks, Inc. All rights reserved. Wireless Intrusion Prevention System (WIPS) 6 Automatic Device Classification Comprehensive Threat Coverage Reliable Threat Prevention Accurate Location Tracking BYOD Policy Enforcement
- 7. © 2013 AirTight Networks, Inc. All rights reserved. Automatic Device Classification 7 Rogue External Authorized Rogue AP? (High RSSI) Rogue AP? (SSIDs) Undetected Rogue APs Rogue AP? (Vendor) Rogue AP (on wire)
- 8. © 2013 AirTight Networks, Inc. All rights reserved. Signature-based Approach = False Alarms! 8
- 9. © 2013 AirTight Networks, Inc. All rights reserved. Blueprint for Reliable Threat Prevention 9 § Surgical threat prevention without interfering with legitimate communication (yours or your neighbor’s) § Simultaneous prevention of multiple threats across multiple channels External APs Rogue APs (On Network) Authorized APs AP Classifica?on STOP Client Classifica?on Policy Mis-‐config GO STOP IGNORE DoS External Clients Authorized Clients Rogue Clients
- 10. © 2013 AirTight Networks, Inc. All rights reserved. What Good is a Feature that Cannot be Turned On? 10 Many WLAN vendors offering “so-called WIPS” recommend their customers to NOT turn on automatic threat prevention!
- 11. © 2013 AirTight Networks, Inc. All rights reserved. Comprehensive Threat Coverage 11 True WIPS Approach Protects against the fundamental wireless threat building blocks Prevalent WIDS Approach Cat and mouse chase of exploits, tools and signatures
- 12. © 2013 AirTight Networks, Inc. All rights reserved. Signature-based Approach = False Alarms! 12
- 13. © 2013 AirTight Networks, Inc. All rights reserved. Accurate Location Tracking 13 No need for RF site survey No search squads to locate Wi-Fi devices Definitive location tracking within 10-15 ft.
- 14. © 2013 AirTight Networks, Inc. All rights reserved. BYOD Policy Enforcement 14 § MDM and NAC unable to provide the first line of defense § WIPS complements these solutions to fully automate secure BYOD
- 15. © 2013 AirTight Networks, Inc. All rights reserved. WIPS Architectures 15 § Integrated • APs repurposed as sensors • Background scanning and minimal protection • Cannot co-exist with time-sensitive apps, e.g., VoIP § Overlay • Dedicated sensors on top of existing WLAN • 24/7 monitoring and protection § Combo • APs repurposed as sensors • 24/7 monitoring and protection • Able to support all types of apps, including VoIP Wi-‐Fi AP with background scanning 2.4 GHZ 5 GHz 2.4 GHZ 5 GHz 2.4 GHZ 5 GHz Wi-‐Fi AP WIPS Sensor Wi-‐Fi AP with Concurrent WIPS sensor 2.4 / 5 GHZ 2.4 + 5 GHZ
- 16. © 2013 AirTight Networks, Inc. All rights reserved. AT-C60: Industry’s Most Flexible Wi-Fi Platform 16 § Software-defined, band-unlocked radios – an industry first § Concurrent Wi-Fi access and 24/7 WIPS – an industry first
- 17. © 2013 AirTight Networks, Inc. All rights reserved. AirTight Wi-Fi – Key Features 17 Built-in WIPS, Content Filtering, Firewall and BYOD Onboarding Support for Multiple SSIDs & VLANs, QoS and Traffic Shaping High speed 802.11n access incl. 3x3:3 on 802.3af PoE Guest Wi-Fi access with Captive Portal and Walled Garden Centralized Management from single HTML5 console Social Wi-Fi and Analytics for Business Intelligence !
- 18. © 2013 AirTight Networks, Inc. All rights reserved. AirTight WIPS – Key Features 18 Automatic Device Classification Comprehensive Threat Coverage Reliable Threat Prevention Accurate Location Tracking BYOD Policy Enforcement
- 19. © 2013 AirTight Networks, Inc. All rights reserved. Secure Enterprise WLAN Checklist 19 ü Accurately detect all types of Rogue APs without you having to define any signatures? ü Not flood you with false alerts? ü Let you reliably turn on the P in WIPS? ü Automate BYOD policy enforcement and onboarding? ü Accurately track physical location of detected Wi-Fi devices? ü Do all of the above without compromising on Wi-Fi access features and ripping off your IT budget? Can your enterprise WLAN solution:
- 20. © 2013 AirTight Networks, Inc. All rights reserved. Thank You! 20 Cloud Managed Secure Wi-Fi Solutions www.airtightnetworks.com info@airtightnetworks.com @AirTight +1 877 424 7844 US DoD Approved