Copyright © 2002-2005 AirDefense Proprietary and Confidential. Name Title Contact information WWW.AIRDEFENSE.NET


Page 1: Name, Title, Contact information, WWW.AIRDEFENSE.NET

Page 2: About AirDefense

Pioneers in Anywhere, Anytime Wireless Protection for large Enterprises and Government organizations

Quickly growing & clear market leader in space with over 80% market share

Deep intellectual property portfolio with 15 patents pending

Selected by over 350 customers including leaders in all major industries and government sectors

Partnerships with recognized industry leaders e.g. Cisco, IBM, CSC among others

Seasoned management team with history of building successful businesses

Page 3: Are Wireless Network Risks Real?

http://www.airdefense.net/education/video/

A News Clip on Wireless LAN Security

Minneapolis TV Station

Page 4: What Makes Wireless Risky?

Diagram (labels only): corporate network with servers; Neighbor A; parking lot; probes; accidental association; malicious association; ad hoc network; intruder; confidential data; soft AP; rogue connected to network.

1. We don’t control the medium (air)...

2. We don’t control who we connect to.

3. WLANs can be an easy launch pad to the network.

The wired network is protected by physical and logical barriers. Wireless eliminates traditional security barriers and introduces new challenges: signal bleeding outside the four walls and the firewall.

Most critical WLAN risks:
• Rogue devices & associations
• Documented & day-zero intrusions
• Exposure to the wired network
• Device misconfigurations
• Policy & regulatory compliance
• Hot spot protection

Page 5: Risk Validation – Hacked Organizations

A California Public School District: the school district’s unprotected WLAN allowed full unauthorized access to sensitive files and enabled hackers to upload their own files onto servers.

A County Court in Texas: a computer security analyst accessed information filed by the clerk of courts using only a laptop computer and a wireless card.

A North Carolina Medical Consulting Firm: an intruder broke into the computer system of a local medical consulting firm and illegally accessed information on hundreds of patients, including checks and insurance forms.

Page 6: The AirDefense Product Family

AirDefense Sensor: smart sensors scanning 802.11a/b/g; selective processing; secured communication.

AirDefense Enterprise Server: real-time monitoring; multiple correlation, analysis & IDS engines; integrated reporting; remote secure browser; centralized management.

AirDefense Mobile: real-time snapshot of the wireless infrastructure; vulnerability assessment tool.

AirDefense BlueWatch: monitors the air space for Bluetooth security vulnerabilities.

AirDefense Personal: personal agent monitoring for policy compliance & security risks; notifies the user & the enterprise.

AirDefense provides a complete suite of products to secure your enterprise and all personnel, 24x7, anytime, anywhere.

Page 7: Example AirDefense Enterprise Deployment

Map labels: Brazil, Argentina, Ireland, Mexico, Japan, Hong Kong, South Africa, Headquarters (USA).

Buildings shown: 26-story, 20-story, 11-story.

22,000 sq. ft. per floor, 4 floors; 176 devices (16 APs, 160 stations); Sensors = 2.

Page 8: AirDefense Technologies: A True IDS System

Accurate Detection, Proactive Protection & Actionable Intelligence = A System You Can Trust

Architecture diagram (labels only): AD Sensors; Other Sensors; AD Mobile; AD Personal; AD Server Appliance; Correlation Across Sensors; Correlation Across IDS engines (Signature Analysis, Protocol Abuse, Anomalous Behavior, Accurate Detection); Policy Manager; Compliance; Notification Engine; Active Defenses; Reporting & Analysis; Forensics; Cisco WLSE; Cisco Switch.

Page 9: Self-managing, Anywhere, Anytime Wireless Protection

• Active Defenses
• Protection Anywhere
• Advanced Rogue Management
• Self-Managing Platform
• Comprehensive Intrusion Detection
• Forensic & Incident Analysis
• Policy Compliance

Page 10: Anywhere Protection – AirDefense Personal

A small software agent that runs on Windows PCs and monitors for wireless exposures and threats, and notifies the user and AirDefense Enterprise.

Diagram (AirDefense Personal and the AirDefense Enterprise Appliance; labels: Policy Profiles, Alert Logs, Turn OFF Radio):
1. Policy profiles are centrally defined & automatically downloaded to each mobile user.
2. Alert logs are automatically uploaded to AirDefense Enterprise for central reporting & notification.
3. Policy enforcement (automatic turn-off of the radio).

Mobile workforce extending the edge of the corporate network to a user’s laptop:
• A user laptop at an airport/hotel can be compromised, via accidental association, and serve as a bridge to the corporate backbone.
• It is hard to determine if one is connected to a legitimate hotspot or diverted to a malicious counterfeit.
• Identity theft via hot spot phishing is coming to the mainstream, e.g. AirSnarf.

Continuous anywhere monitoring for mobile users on the road or at their office. Detects & notifies on 50+ configuration and connectivity issues and attacks. Protection by enforcing policy defined centrally at AirDefense Enterprise.

Page 11: Most Advanced Rogue Management

Hundreds of neighboring wireless devices may bleed over into your premises, especially in urban areas. Finding risky rogues is like finding a needle in a haystack. Enterprises either need to employ several “wireless rogue runners” to identify & chase each rogue, or deploy an automated, intelligent solution from AirDefense.

Automated Rogue Mitigation:

1. Detect Rogue Devices & Associations: hardware APs, soft APs, wireless-ready laptops, specialty devices (barcode scanners), ad-hoc networks, accidental/malicious associations.

2. Calculate Threat Index: smart management of the airwaves; partitioning of friendly neighboring networks until they get malicious. Ranked from least risk to highest risk: innocent neighbor AP; our station connected to a neighbor AP; rogue AP in my building; our station connected to a rogue AP & transferring data.

3. Analyze Rogue Connections: in-depth analysis of the activity level of each rogue: how long it existed, who was connected to the rogue, what and how much data was transmitted.

4. Terminate Rogue Devices: terminates on command and automatically takes action to terminate connectivity; wired and wireless termination. Locate rogue device.

Screenshot label: Rogue AP on my Network.
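The threat-index step above ranks what the sensors see from least to highest risk. The following is an added example, not AirDefense code, that expresses that ordering as a small classifier: it assumes the platform already holds a list of authorized AP BSSIDs and of our own station MACs, and that the sensors have already decided whether an AP is physically inside the building (the in-building flag is taken as given input; the placement logic is not modelled). The observations are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory: what the monitoring platform already knows about our own site.
AUTHORIZED_APS = {"00:11:22:00:00:01"}
OUR_STATIONS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}


@dataclass(frozen=True)
class Observation:
    """One association seen in the air (constructed record, not a product log format)."""
    ap_bssid: str
    ap_in_building: bool        # assumption: the sensors located this AP inside our premises
    station: Optional[str]      # MAC of an associated station, or None if nobody is connected
    bytes_transferred: int      # payload bytes seen on that association


# The slide's ordering from least risk to highest risk, expressed as integer tiers.
TIERS = {
    1: "innocent neighbor AP",
    2: "our station connected to neighbor AP",
    3: "rogue AP in my building",
    4: "our station connected to rogue AP & transferring data",
}


def threat_tier(obs: Observation) -> int:
    """Map one observation onto a tier; 0 means the AP is authorized and not a rogue."""
    if obs.ap_bssid in AUTHORIZED_APS:
        return 0
    ours = obs.station in OUR_STATIONS
    if not obs.ap_in_building:
        # A neighbor's AP is harmless until one of our own stations associates to it.
        return 2 if ours else 1
    if ours and obs.bytes_transferred > 0:
        return 4
    # An AP inside the building that we did not deploy is a rogue even with nobody on it.
    return 3


def rank_rogues(observations: List[Observation]) -> List[Tuple[str, int, str]]:
    """Aggregate per AP (the worst association wins) and sort highest risk first."""
    worst = {}
    for obs in observations:
        tier = threat_tier(obs)
        if tier == 0:
            continue
        worst[obs.ap_bssid] = max(worst.get(obs.ap_bssid, 0), tier)
    ranked = sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(bssid, tier, TIERS[tier]) for bssid, tier in ranked]


# Constructed sample: one authorized AP, two neighbors and two in-building rogues.
SAMPLE = [
    Observation("00:11:22:00:00:01", True, "aa:bb:cc:00:00:10", 1_000_000),   # ours, ignored
    Observation("de:ad:be:ef:00:01", False, "ff:ff:ff:00:00:99", 500),        # neighbor, their client
    Observation("de:ad:be:ef:00:02", False, "aa:bb:cc:00:00:11", 20_000),     # neighbor, OUR client
    Observation("de:ad:be:ef:00:03", True, None, 0),                         # rogue, nobody yet
    Observation("de:ad:be:ef:00:04", True, "aa:bb:cc:00:00:10", 5_000_000),  # rogue, our client, data
    Observation("de:ad:be:ef:00:04", True, "ff:ff:ff:00:00:98", 10),         # same rogue, lower tier
]

if __name__ == "__main__":
    for bssid, tier, label in rank_rogues(SAMPLE):
        print(f"{bssid}  tier {tier}  {label}")
```

Aggregating per AP matters in practice: a rogue with one idle association and one of our stations pushing data is reported once, at the higher tier, rather than as two entries the operator has to reconcile.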

Page 12: Most Comprehensive & Accurate Intrusion Detection

With new threats emerging every day and hacking tools getting more sophisticated, comprehensive intrusion detection requires advanced detection methods to detect these threats.

ACCURATE & RELIABLE DETECTION: multiple criteria & correlation engines ensure accurate detection with minimum false positives.

MOST COMPREHENSIVE DETECTION: 200+ threats detected: documented threats (signature-based), day-zero threats (anomalous behavior), wired-side vulnerabilities. Sample threats: reconnaissance activity, various DoS attacks, identity theft, accidental/malicious association, dictionary attacks, security policy violations.

Most Advanced Wireless Intrusion Protection System, 15 patents pending.

Diagram (labels only): Traffic; Signature Based; Protocol Analysis; Anomalous Behavior; Policy Engine; Correlation; Accurate & reliable alarms: 400 alarms; False positives: 11,600 alarms.

“First generation WLAN IDS solutions are often limited to signature-based detection. Just as wired-side IDS could not reliably depend upon signatures, WLAN IDS will require multiple detection technologies.” – Gartner, July 2004
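The slide's point is that several engines plus correlation turn a large pile of raw engine hits into a small number of alarms. The following added example (not AirDefense code; engine names and thresholds are assumptions, the events are constructed) shows the two correlation stages named on the architecture slide: collapse the same finding reported by several sensors into one observation, then raise an alarm for a device only when independent engines agree inside a time window. A single engine firing alone is kept as a suppressed candidate rather than dropped, so an analyst can still review it.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EngineEvent:
    """One raw finding from one engine, as reported by one sensor (constructed format)."""
    minute: int      # minute-of-day when the sensor saw it
    sensor: str
    device: str      # MAC address the finding is about
    engine: str      # "signature", "protocol", "anomaly" or "policy" (assumed names)
    finding: str


def correlate(events: List[EngineEvent], window: int = 5, min_engines: int = 2) -> Dict:
    """Two-stage correlation: across sensors, then across engines."""
    # Stage 1, correlation across sensors: the same finding on the same device in the
    # same time window is one observation no matter how many sensors reported it.
    observations = {(e.minute // window, e.device, e.engine, e.finding) for e in events}

    # Stage 2, correlation across engines: group observations per (window, device).
    per_device = defaultdict(set)
    for bucket, device, engine, finding in observations:
        per_device[(bucket, device)].add((engine, finding))

    alarms, suppressed = [], []
    for (bucket, device), findings in sorted(per_device.items()):
        engines = sorted({engine for engine, _ in findings})
        entry = {"window": bucket, "device": device, "engines": engines,
                 "findings": sorted(f for _, f in findings)}
        # Only corroborated findings become alarms; the rest stay reviewable.
        (alarms if len(engines) >= min_engines else suppressed).append(entry)
    return {"raw_events": len(events), "observations": len(observations),
            "alarms": alarms, "suppressed": suppressed}


# Constructed sample: three devices, three sensors, one five-minute window.
SAMPLE = [
    EngineEvent(1, "sensor-1", "aa:aa:aa:00:00:01", "signature", "deauthentication flood"),
    EngineEvent(1, "sensor-2", "aa:aa:aa:00:00:01", "signature", "deauthentication flood"),
    EngineEvent(2, "sensor-3", "aa:aa:aa:00:00:01", "signature", "deauthentication flood"),
    EngineEvent(3, "sensor-1", "aa:aa:aa:00:00:01", "anomaly", "management frame rate spike"),
    # one engine firing on its own, heard by every sensor: a likely false positive
    EngineEvent(1, "sensor-1", "bb:bb:bb:00:00:02", "signature", "probe request burst"),
    EngineEvent(1, "sensor-2", "bb:bb:bb:00:00:02", "signature", "probe request burst"),
    EngineEvent(2, "sensor-3", "bb:bb:bb:00:00:02", "signature", "probe request burst"),
    # policy, protocol and anomaly engines all agree on a third device
    EngineEvent(2, "sensor-2", "cc:cc:cc:00:00:03", "policy", "unencrypted data frames"),
    EngineEvent(2, "sensor-2", "cc:cc:cc:00:00:03", "protocol", "malformed association request"),
    EngineEvent(4, "sensor-3", "cc:cc:cc:00:00:03", "anomaly", "new device outside business hours"),
]

if __name__ == "__main__":
    result = correlate(SAMPLE)
    print(f"{result['raw_events']} raw events -> {result['observations']} observations "
          f"-> {len(result['alarms'])} alarms, {len(result['suppressed'])} suppressed")
```

Ten raw events become two alarms here; the ratio on the slide (11,600 candidates against 400 reliable alarms) comes from the same kind of reduction applied at scale.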

Page 13: AirDefense Ensures Policy Compliance

Adopt proven security policies and procedures to address the security weaknesses of the wireless environment.

Define Policy: security configuration; VLANs; performance; vendor / channel.

Monitor for Compliance: compliance with corporate and regulatory requirements? Network performing correctly?

Enforce: turn off SSID broadcast; change channel of AP; terminate.

Enterprise, centralized, template-based Policy Manager.

AirDefense enables compliance with: DoD, DHS, SOX, HIPAA, GLBA, FDIC, OCC.

Screenshot labels: Authentication Compliance; Daily: Policy Violations.
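The define / monitor / enforce loop on this slide, and the AirDefense Personal flow on page 10 (a centrally defined profile evaluated on the laptop, with "turn off radio" as the enforcement action), can be written as one small policy evaluator. This is an added example, not AirDefense code or its policy format: the policy fields, rule names and enforcement strings are assumptions chosen to match the actions the slides name, and the devices are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Policy:
    """Centrally defined template (constructed values, not a product file format)."""
    allowed_ssids: Set[str]
    required_encryption: Set[str]   # the deck recommends 802.11i; here that means WPA2
    allowed_vendor_ouis: Set[str]   # first three octets of the MACs of approved AP vendors
    allowed_channels: Set[int]
    ssid_broadcast_allowed: bool = False
    ad_hoc_allowed: bool = False


@dataclass
class Device:
    """Observed state of one AP or station (constructed record)."""
    mac: str
    kind: str                       # "ap" or "station"
    ssid: str = ""
    encryption: str = "OPEN"
    channel: int = 0
    broadcasts_ssid: bool = False
    ad_hoc: bool = False
    connected_ssid: str = ""        # stations only: the network they are associated to


Violation = Tuple[str, str]         # (what was violated, enforcement action)


def check_ap(ap: Device, policy: Policy) -> List[Violation]:
    """Security-configuration and vendor/channel rules for an AP, with the slide's enforce actions."""
    v: List[Violation] = []
    if ap.mac[:8].lower() not in {o.lower() for o in policy.allowed_vendor_ouis}:
        v.append(("unauthorized vendor", "terminate"))
    if ap.ssid not in policy.allowed_ssids:
        v.append(("unauthorized SSID", "terminate"))
    if ap.encryption not in policy.required_encryption:
        v.append(("weak or missing encryption", "notify administrator"))
    if ap.channel not in policy.allowed_channels:
        v.append(("channel outside the channel plan", "change channel of AP"))
    if ap.broadcasts_ssid and not policy.ssid_broadcast_allowed:
        v.append(("SSID broadcast enabled", "turn off SSID broadcast"))
    return v


def check_station(stn: Device, policy: Policy) -> List[Violation]:
    """Rules a personal agent on the laptop applies; its enforcement action is the radio."""
    v: List[Violation] = []
    if stn.ad_hoc and not policy.ad_hoc_allowed:
        v.append(("ad hoc network", "turn off radio"))
    if stn.connected_ssid and stn.connected_ssid not in policy.allowed_ssids:
        v.append(("association to non-corporate network", "turn off radio"))
    return v


def audit(devices: List[Device], policy: Policy) -> Dict[str, List[Violation]]:
    """Monitor step: map each non-compliant device MAC to its violations."""
    report: Dict[str, List[Violation]] = {}
    for d in devices:
        found = check_ap(d, policy) if d.kind == "ap" else check_station(d, policy)
        if found:
            report[d.mac] = found
    return report


POLICY = Policy(allowed_ssids={"CORP-WLAN"}, required_encryption={"WPA2"},
                allowed_vendor_ouis={"00:11:22"}, allowed_channels={1, 6, 11})

SAMPLE_DEVICES = [
    Device("00:11:22:00:00:01", "ap", ssid="CORP-WLAN", encryption="WPA2", channel=6),
    Device("00:11:22:00:00:02", "ap", ssid="CORP-WLAN", encryption="WEP", channel=3, broadcasts_ssid=True),
    Device("de:ad:be:ef:00:01", "ap", ssid="linksys", encryption="OPEN", channel=6),
    Device("aa:bb:cc:00:00:10", "station", connected_ssid="CORP-WLAN"),
    Device("aa:bb:cc:00:00:11", "station", connected_ssid="Free-Airport-WiFi"),
    Device("aa:bb:cc:00:00:12", "station", ad_hoc=True),
]

if __name__ == "__main__":
    for mac, violations in audit(SAMPLE_DEVICES, POLICY).items():
        for what, action in violations:
            print(f"{mac}: {what} -> {action}")
```

Note that an AP of an approved vendor on the corporate SSID still fails on encryption, channel and SSID broadcast: misconfiguration of otherwise legitimate APs is the case the expert quotes later in the deck single out.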

Page 14: Forensics & Incident Analysis

WLANs are transient & security incidents happen often. It is important to collect critical device communication & traffic information to analyze what went wrong.

Min-by-Min Critical Data Store:
• Device connectivity logs
• Device activity logs
• Channel activity logs
• Signal strength
• Data transferred by direction

One-Click Investigation:
• Were we attacked?
• What entry point was used?
• When did the breach occur?
• How long were we exposed?
• What transfers occurred?
• Which systems were compromised?

Screenshot labels: Min-by-Min View; Bytes per Minute; Large file downloaded.

“Forensic analysis is critical to assess damage from a security breach and take proactive steps for future.” – Meta Group
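The "bytes per minute" view with its "large file downloaded" callout is what answers "when did it occur, how long, and how much" from the min-by-min store. The following added example (not AirDefense code; the record layout and thresholds are assumptions, the counters are constructed) rolls per-minute, per-direction byte counts up per device and finds runs of minutes far above that device's own baseline. It uses the median minute as the baseline on purpose: a mean-and-standard-deviation threshold is inflated by the very transfer being looked for, and with three heavy minutes out of thirty the burst lands almost exactly at three standard deviations and can slip under the threshold.

```python
from statistics import median
from typing import Dict, List, Tuple

Record = Tuple[int, str, str, int]   # (minute, device MAC, direction, bytes)


def build_sample() -> List[Record]:
    """Constructed min-by-min counters for two stations over half an hour, with one
    three-minute download that should stand out in the bytes-per-minute view."""
    rows: List[Record] = []
    for minute in range(30):
        rows.append((minute, "aa:bb:cc:00:00:10", "in", 2_000 + (minute % 3) * 100))
        rows.append((minute, "aa:bb:cc:00:00:10", "out", 800))
        rows.append((minute, "aa:bb:cc:00:00:11", "in", 1_500))
    for minute in (10, 11, 12):
        rows.append((minute, "aa:bb:cc:00:00:10", "in", 4_000_000))
    return rows


def bytes_per_minute(rows: List[Record]) -> Dict[Tuple[str, str], Dict[int, int]]:
    """Roll the store up into (device, direction) -> {minute: total bytes}."""
    series: Dict[Tuple[str, str], Dict[int, int]] = {}
    for minute, device, direction, nbytes in rows:
        per_min = series.setdefault((device, direction), {})
        per_min[minute] = per_min.get(minute, 0) + nbytes
    return series


def find_bursts(rows: List[Record], factor: int = 10,
                floor: int = 100_000) -> List[Tuple[str, str, int, int, int]]:
    """Return (device, direction, first_minute, last_minute, total_bytes) for each run of
    consecutive minutes above `factor` times the device's median minute and above `floor`."""
    bursts = []
    for (device, direction), per_min in sorted(bytes_per_minute(rows).items()):
        threshold = max(floor, factor * median(per_min.values()))
        run: List[int] = []
        for minute in sorted(per_min):
            hot = per_min[minute] > threshold
            if hot and (not run or minute == run[-1] + 1):
                run.append(minute)
                continue
            if run:   # the run ended: either a quiet minute or a gap in the minutes
                bursts.append((device, direction, run[0], run[-1],
                               sum(per_min[m] for m in run)))
                run = []
            if hot:
                run.append(minute)
        if run:
            bursts.append((device, direction, run[0], run[-1], sum(per_min[m] for m in run)))
    return bursts


if __name__ == "__main__":
    for device, direction, start, end, total in find_bursts(build_sample()):
        print(f"{device} {direction}: minutes {start}-{end} ({end - start + 1} min), "
              f"{total:,} bytes")
```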

Page 15: Automated Active Defenses

In addition to detection of threats, it is important to protect against intruders and rogues. Enterprise wireless networks need automated protection from security threats that can use multiple mitigation tactics.

Wired-side Mitigation: on-command suppression; policy-based suppression; device reconfiguration.

Wireless Mitigation: on-command disconnect; policy-based disconnect; authorization required; audit trail maintained; mitigation of the right target due to accurate detection.

Diagram (labels only): AirDefense Server; Cisco WLSE; Switch; Public AP; Laptop as a wired & wireless bridge.
• ALERT! Detected by AirDefense: Accidental Association. TERMINATED! By AirDefense: Accidental Association.
• ALERT! Detected by AirDefense: Rogue AP on Network. PORT SUPPRESSED! By Cisco WLSE: Rogue AP on Network.

Accurate detection and precise mitigation are very critical to ensure that only rogue devices, associations and intruders are terminated.

Page 16: Self-Managing Platform

Source: AirDefense – over 4000 WLANs analyzed.

1. Secure Platform
Sensors: plug-and-go sensors; firewalls on wireless & wired interfaces for protection.
Appliance: customized hardened OS.
Communication: SSL and digital certs; mutual authentication; CiscoWorks WLSE.

2. Integration with Infrastructure: instant network device synchronization; integrated & automated security management; integrated database management; integrated data backup.

3. One-Click Analysis: with a single click, investigate security incidents across the enterprise; analyze device connectivity and activity as the device roams through the network; view communication history to diagnose security or operational issues.

4. Active Troubleshooting: real-time device analysis & tracking; remote packet capture / sniffer capabilities; notification of lost devices (screenshot label: SIG. STR. = 0); network availability & failure history; network usage & performance.

5. Notification & Alarm Management: adjustable alarm priorities and views; flexible querying and filtering system; multiple notification options (email, pager, SMS, SNMP, Syslog); notifications by role, location, severity, frequency of alarm.

Page 17: Remote Troubleshooting

In widely distributed wireless deployments, remote troubleshooting tools are critical to ensure administrators are able to diagnose and correct end-user issues centrally.

Historical Reporting (Feature / AD):
• Ongoing collection of performance statistics: Yes
• Device connection history: Yes
• Built-in channel reports for troubleshooting RF problems: Yes

Real-time Analysis (Feature / AD):
• Real-time device analysis: Yes
• Real-time device tracking: Yes
• Real-time Layer 2 decoding: Yes
• Full, remote frame capture: Yes

Screenshot labels: Network Utilization; Heavily Congested Channels; Live Real-time Analysis.

Page 18: AirDefense Mobile (new in 2.0)

Screenshot labels: Device Count; Signal Strength by Channel; Frames & Bytes Transferred; Top Devices & Channels; Device Tree.

Page 19: AirDefense BlueWatch (new: PDA version)

• Identifies different types of Bluetooth devices, including laptops, PDAs, keyboards and cell phones
• Provides key attributes, including device class, manufacturer and signal strength
• Illustrates communication or connectivity among various devices
• Identifies services available on each device, including network access, fax and audio gateway

Screenshot labels: Services by Type; Device by Type; Detailed Device Info.

Page 20: Customer Testimonials & Videos

“…only product that meets stringent HIPAA requirements”

“… exhaustive search…the only enterprise-class solution”

“… the only solution that met all our requirements.”

“… meets both these needs.”

“… provides the peace of mind.”

“…the clear market leader and the only viable choice”

“…maximize our wireless LAN's return on investment.”

University of Utah Health Sciences Center

“…put security safeguards”

For Video Testimonials, click:

Page 21: Expert Opinion on Wireless Monitoring

“Unmanaged WLANs can jeopardize entire enterprise network, data and operations”

“New sophisticated security risks continue to emerge as wireless matures”

“Wireless devices create backdoors for hackers and can render millions of dollars invested in firewalls, IDS and VPNs useless.”

“Through 2006, 70 % of successful WLAN attacks will be because of the misconfiguration of APs or client software.”

“Incorrectly set-up WLANs put the wired LAN at risk as well”

Page 22: Summary

Anywhere, Anytime Wireless Protection; Policy Compliance; Protect Reputation & Information.

1. Detect Rogues, Associations & Intrusions
2. Automated Defense, Forensics
3. Health, Troubleshoot, Performance
4. Locate, Prioritize, Notify

Page 23: Cisco Systems & AirDefense Partnership

Integrated Wireless Protection

November 2004

Page 24: Wireless IDS and Current Cisco Support

© 2004 Cisco Systems, Inc. All rights reserved.

• Cisco and Cisco Compatible Clients
• Cisco SWAN detects, locates and mitigates against rogue APs.
• Cisco also detects clients in ad hoc mode.
• In the future, CiscoWorks WLSE will detect, locate and mitigate against intruders and network attacks.

Diagram (labels only): Cisco Aironet AP; Cisco Aironet AP in Sensor Mode gathers data; CiscoWorks WLSE; Network; Terminated Rogue AP.

Page 25: Cisco AirDefense Integration Background

Wireless is a transient medium and prone to attacks by rogues and hackers. Integrated WIDS offerings from wireless infrastructure providers do not have extensive capabilities to detect all rogues and intrusions. Signature-based detection is not enough.

Need for integrating:
• Best-in-class wireless and wired infrastructure management system: Cisco, with enterprise-class wireless infrastructure and a wireless management system.
• Best-in-class wireless protection system: most comprehensive and accurate detection; active defenses, forensics & incident analysis; advanced notification system. Multiple detection technologies and correlation engines eliminate false positives.

Customers get the best wireless infrastructure and security.

Page 26: Customer Drivers for Integration

"As a large customer of Cisco wireless infrastructure and AirDefense wireless IDS, we saw a significant benefit in bringing together the two products to build a highly secure wireless network. The integration of these two major solutions should lower costs and improve security by enabling flexible deployment of IDS capability and will reduce the cost of deployment and on-going management as well as increase the level of security.”
– JD Fluckiger, Computer Protection Program Manager, Pacific Northwest National Laboratory

"Enterprise-class wireless infrastructure must be properly configured and secured, and must support strong encryption and authentication (802.11i recommended). Wireless monitoring and IDS ensures that the infrastructure remains secure and in compliance with corporate policy and regulatory requirements. Integration of a comprehensive and reliable wireless IDS with a robust wireless infrastructure provides customers the best of both worlds."
– John Girard, Vice President, Gartner

Page 27: AirDefense/Cisco Integrated Wireless Protection

Diagram (labels only): First Floor, 8 Cisco APs, 1 Sensor; Cisco AP in Sensor Mode; AirDefense Server Appliance; Switching Infrastructure; CiscoWorks WLSE.

Integration Areas:
1. Integration of CiscoWorks WLSE & AirDefense Server
2. Integration with wired-side infrastructure
3. Cisco AP as a sensor

Benefits: reduced cost of deployment & support; comprehensive detection & effective protection.

Page 28: 1. Integrate CiscoWorks WLSE & AirDefense Server

Advanced correlation for a closed-loop system (CiscoWorks WLSE and the AirDefense Server Appliance).

AirDefense draws configuration and policy information from CiscoWorks WLSE:
• CiscoWorks WLSE as a correlation source: wired and wireless information
• Correlation source of information for AirDefense detection
• Fault database used to diagnose or confirm events

AirDefense provides alerts and alarms to CiscoWorks WLSE:
• Enables “Detect and Correct” functions

Reduce administrative overhead:
• Synchronize authorized APs and stations
• Get device-specific details, e.g. DNS, IP address, wired MAC, wireless statistics

Page 29: 2. Integration with Wired Management Infrastructure

Only effective and practical way for wired-side protection!

AirDefense has multiple detection & correlation engines to accurately identify threatening APs or stations. Cisco dominates Ethernet switching infrastructure and is in the best position to locate and suppress the port a threatening device is connected to.

To locate and block the port of a threatening or rogue device: using jointly developed APIs, the AirDefense appliance communicates several key parameters to CiscoWorks WLSE. CiscoWorks WLSE in turn works with the Cisco switching infrastructure to locate it and block the device port.

Found a rogue on my network? Can I do port suppression? It is easy to show a demo of port blocking, but in real life it is a big challenge. Enterprises have hundreds of switches and thousands of Ethernet ports across scores of locations that a rogue AP or station can connect to…

Diagram (labels only): AirDefense Server Appliance; Switching Infrastructure; CiscoWorks WLSE.
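The hard part of port suppression, as the slide says, is locating one device among thousands of ports, and page 15 adds two conditions on the mitigation itself: authorization required and an audit trail maintained. The following added example (not AirDefense or Cisco code; the report fields, switch names, port names and MAC tables are constructed, and the jointly developed API is not modelled) shows the lookup the wired side has to do. The caveat it handles is that a MAC is learned not only on the edge port where the device is plugged in but also on the trunk of every switch between that port and the core, so uplinks must be excluded or the wrong port, one carrying a whole closet, would be suppressed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RogueReport:
    """Parameters the detection side hands to the wired-management side (constructed;
    the field names follow the device specifics the deck lists: wired MAC, IP address)."""
    bssid: str        # radio side, as seen by the sensors
    wired_mac: str    # wired side, looked up in the management database
    ip: str
    reason: str


# Constructed MAC address tables as collected from two switches:
# switch -> port -> MACs learned on that port.
MAC_TABLES: Dict[str, Dict[str, Set[str]]] = {
    "core-1": {
        "Te1/1": {"00:11:22:00:00:01", "de:ad:be:ef:00:05", "aa:bb:cc:00:00:10", "cc:cc:cc:00:00:03"},
        "Te1/2": {"00:11:22:00:00:02", "bb:bb:bb:00:00:02"},
    },
    "access-3": {
        "Gi0/24": {"00:11:22:00:00:01", "de:ad:be:ef:00:05", "aa:bb:cc:00:00:10", "cc:cc:cc:00:00:03"},
        "Gi0/7": {"de:ad:be:ef:00:05"},     # the rogue AP's wired side
        "Gi0/8": {"aa:bb:cc:00:00:10"},     # an authorized desktop
    },
}
# Trunks and uplinks relay every MAC upstream; suppressing one would cut off a whole
# closet, so they are never candidates.
UPLINK_PORTS: Set[Tuple[str, str]] = {("core-1", "Te1/1"), ("core-1", "Te1/2"), ("access-3", "Gi0/24")}

AUDIT_TRAIL: List[dict] = []


def locate_port(wired_mac: str, tables=MAC_TABLES, uplinks=UPLINK_PORTS) -> Optional[Tuple[str, str]]:
    """Find the edge port a MAC is learned on; if several edge ports remain, the one with
    the fewest learned MACs is the most plausible access port."""
    mac = wired_mac.lower()
    hits = [(switch, port, len(macs))
            for switch, ports in tables.items()
            for port, macs in ports.items()
            if mac in {m.lower() for m in macs} and (switch, port) not in uplinks]
    if not hits:
        return None
    switch, port, _ = min(hits, key=lambda h: (h[2], h[0], h[1]))
    return switch, port


def suppress_port(report: RogueReport, authorized_by: str,
                  tables=MAC_TABLES, uplinks=UPLINK_PORTS) -> dict:
    """Wired-side mitigation: refuse without an authorizing operator, locate the port,
    and record every attempt (refused or not) in the audit trail."""
    entry = {"wired_mac": report.wired_mac, "bssid": report.bssid,
             "reason": report.reason, "authorized_by": authorized_by}
    if not authorized_by:
        entry["result"] = "refused: authorization required"
    else:
        location = locate_port(report.wired_mac, tables, uplinks)
        if location is None:
            entry["result"] = "not found: MAC not learned on any managed edge port"
        else:
            entry["switch"], entry["port"] = location
            entry["result"] = "port suppressed"   # the switch call itself is not modelled
    AUDIT_TRAIL.append(entry)
    return entry


ROGUE = RogueReport(bssid="de:ad:be:ef:00:04", wired_mac="de:ad:be:ef:00:05",
                    ip="10.0.3.77", reason="rogue AP on my network")

if __name__ == "__main__":
    print(suppress_port(ROGUE, authorized_by=""))
    print(suppress_port(ROGUE, authorized_by="wlan-admin"))
    print(AUDIT_TRAIL)
```

A device that appears only on uplinks (here cc:cc:cc:00:00:03) is reported as not located rather than guessed at; that is the "mitigation of the right target" condition from page 15 applied on the wired side.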

Page 30: 3. Cisco APs as Dedicated Sensors

Single hardware platform for customers to manage (AirDefense Server Appliance; Cisco AP as dedicated sensor).

Cisco sensor feeds the AirDefense Server:
• Cisco AP configured in dedicated sensor mode
• Supports 802.11a/b/g protocols
• Fully configurable operation for channel scanning and locking
• Supports all detection and alerts
• Leverages all AirDefense centralized intelligence
• Multi-engine detection & correlation provides accurate detection

Page 31: AirDefense & Cisco Integration Benefits

A complete, comprehensive and correlated view improves detection: correlation of wireless data from AirDefense and wired-side data from CiscoWorks WLSE.

Protection for the wireless and wired network: AirDefense detects the rogue/malicious devices and passes the information to CiscoWorks WLSE, which carries out port suppression and also locates the rogues.

Reduced cost of deployment & ongoing maintenance of the network: authorized device info, policies etc. can be synchronized and data exchange facilitated.

For customers with no wireless LAN deployed yet: deploy AirDefense first for rogue protection, then follow up with the wireless deployment by deploying Cisco WLANs.

"Through product development and partnership with industry leaders like Intel and AirDefense, Cisco is expanding the SWAN framework to deliver the security and capacity enterprise wireless LAN customers demand. We'll continue to innovate and expand these partnerships over time to further the leadership we've established with our integrated approach to wired and wireless connectivity.”
– Bill Rossi, Vice President & General Manager, Wireless Networking Business Unit, Cisco