wireless (in)security & wireless intrusion prevention ... wips wifi knowledge summit blr.pdf ·...
TRANSCRIPT
Confidential. Copyright © Arista 2019. All rights reserved.Confidential. Copyright © Arista 2019. All rights reserved.1
Wireless (In)Security &
Wireless Intrusion Prevention Technology for
Complete Security
Kiran Deshpande, Co-Founder – Mojo Networks
Confidential. Copyright © Arista 2019. All rights reserved.
WEP, WPA, WPA2
Rogue AP
Misconfigured
AP
Re-establish your network security perimeter
Guest
Access
Firewall
Wired IPS
SPAM/AV
URL filtering
Protect mobile wireless user
External APs
Ad hoc
connections
Wi-Phishing
Honeypots
Other network
interfaces: Bluetooth,
Infrared, 1394 etc.Detachable
interfaces:
2.5G/3G data-
cards, WiFi
adapters
Eavesdropping
Unauthorized
Access
Cracking Exploits
MAC spoofing attacks
Denial of Service
Wi-Phishing
Honeypots
External
Users
External
APs
Confidential. Copyright © Arista 2019. All rights reserved.
Poorly secured
enterprise WiFiRogue Client
Rogue AP
Unauthorized WiFi
on enterprise LAN
3G
External AP
Evil Twin
Mobile Hotspot
Internal users bypassing
enterprise security
WiFi can compromise enterprise security in
unforeseen ways
Confidential. Copyright © Arista 2019. All rights reserved.
AuthorizedConnected to the network
Following the security policy
ExternalNot connected to the network
Visible in the air
RogueConnected to the network Violating the security policy
AuthorizedConnected to an authorized AP
ExternalConnected to an external AP
Access Points ClientsConnections
GuestConnected to the guest network
Following the Guest security policyGuest
Connected to a Guest AP
Ignore
Block
Allow
Confidential. Copyright © Arista 2019. All rights reserved.
WiF i c an c r e ate a b ac k d o o r to an en te rp r i s e
n e tw o rk m ak in g th e en ti r e n e tw o rk an d d e v i c e s
v u ln e rab le . P r e v a le n t IT S e c u r i ty S ta te -o f -T h e -
A r t d o e s n o t p ro te c t n e tw o rk s fr o m WiF i b as ed
attac k s as ai r b e c o m e s m ed iu m o f
c o m m u n ic atio n an d WiF i n e tw o rk s in te r s p e r s e
o n e an o th e r . It re q u i r e s a d i f fe r e n t s e t o f
te c h n iq u e s an d te c h n o lo g ie s
Confidential. Copyright © Arista 2019. All rights reserved.
WEP, WPA, WPA2
Rogue AP
Misconfigured
AP
Re-establish your network security perimeter
Guest
Access
Firewall
Wired IPS
SPAM/AV
URL filtering
Eavesdropping
Unauthorized
Access
Cracking Exploits
MAC spoofing attacks
Denial of Service
Wi-Phishing
Honeypots
External
Users
External
APs
• NAC can block hard-wired rogue APs
• NAC cant - block soft rogue APs
- block an ad-hoc connections
- block users connecting to external WiFi
- block Smartphone tethering
Confidential. Copyright © Arista 2019. All rights reserved.
Confidential. Copyright © Arista 2019. All rights reserved.
Building - A Building - BNo WiFi Premise
Internet Corporate Firewall
WIPS/WiFi Console
• Core WIPS Capabilities
– Accurate classification of devices & threats
– Reliable prevention of all WiFi threats
– Precise location tracking of WiFi users
– Auto detection & control of smart devices
– Location based policy manager
– Compliance reporting
– Combo (WIPS + WiFi) device
• Enterprise deployment– Scalable tenant architecture
– Central console
– Ease of use
WIPS Sensors / WiFi Devices
Overlay ArchitectureFunctionality
Confidential. Copyright © Arista 2019. All rights reserved.
Confidential. Copyright © Arista 2019. All rights reserved.
Patented WiFi Classification
Sensor radios
Rogue AP
Wired Marker
Wired Marker
Wireless MarkerTrunk port on
the switch
Wireless Marker
Arista Secure WiFi
Management Console
Confidential. Copyright © Arista 2019. All rights reserved.
Auto-classification
Competition
RogueExternal
Authorized
Rogue (?)
Rogue (?)
Undetected
Rogues
False alarms
Automatic, quick
&“Out of the box”
Complex rules &
false alarms
Classification – Identifying Bad Guys Quickly & Decisively
Confidential. Copyright © Arista 2019. All rights reserved.
Confidential. Copyright © Arista 2019. All rights reserved.
•
•
•
•
•
Confidential. Copyright © Arista 2019. All rights reserved.
Confidential. Copyright © Arista 2019. All rights reserved.
Planning Input• Site Information
• Devices Make & Model
17
RSSI
Planning Input• Site Information
• Devices Make & Model
WiFi Access Planning• Device Redundancy• Minimum Signal Strength• User Density• WiFi Client XMT Power
Deliverables
• Bill of Materials• RF Maps• Statistics• Planning Report• Site Model• Site Calibration
17
Network Planning• Coverage• Throughput
Security Planning• Intrusion Detection• Intrusion Prevention
Planning Input• Site Information
• Devices Make & Model
Planning Input• Site Information
• Devices Make & Model
WiFi Sensor Planning• Device Redundancy• External Coverage• WiFi Client XMT Power
Confidential. Copyright © Arista 2019. All rights reserved.
• Quarantine APs if connected to enterprise network• Prevent WiFi connections to / from WiFi clients
• Secure entire network from WiFi based attacks• Secure WiFi devices from untrusted nearby WiFi devices• Detect & prevent DoS attacks on enterprise WiFi
• Establish RF visibility throughout the enterprise• WiFi vendor agnostic monitoring and forensics
No WiFi
Secure WiFi
• RBI, MCIT, MHA, PCI, ISO 27000 and others….
Monitoring
Compliance
Confidential. Copyright © Arista 2019. All rights reserved.Confidential. Copyright © Arista 2019. All rights reserved.19
Thank You
Kiran Deshpande