Network Chemistry Labs
Best Practices Guide for
Wireless Intrusion Prevention Systems
Deployment and Operations
RFprotect Wireless IPS
BEST PRACTICES GUIDE
TABLE OF CONTENTS
Wireless Threats and Business Risks ... 4
Assembling A Strong Toolkit ... 6
Developing An Effective, Efficient WIPS Process ... 9
    1. Plan ... 9
    2. Install ... 10
    3. Detect ... 11
    4. Contain ... 12
    5. Assess ... 14
    6. Mitigate ... 15
    7. Report ... 16
Integrating Wireless and Wired Threat Management ... 16
Conclusion ... 17
Copyright © 2005 Network Chemistry Inc. All Rights Reserved.
PREFACE
This Best Practices guide was developed by Network Chemistry Labs, in association with some of its larger enterprise customers and renowned security consultant Lisa Phifer. Lisa combined the detailed WIPS operational processes used by these leading enterprises in the retail, financial, and energy verticals with her own wireless security knowledge to deliver this practical, real-world guide. We hope you find this of value as you plan your rollout of WLANs and WIPS. Please don't hesitate to contact us if you have further questions.
Dr. Chris Waters
Founder and CTO
Network Chemistry, Inc.
info@networkchemistry.com
ABOUT THE AUTHOR
Lisa A. Phifer, Vice President of Core Competence Inc., has been involved in the design,
implementation, and evaluation of open networking, security, and management products
for over 20 years. A Bellcore President's Recognition Award recipient for her
contributions to ATM operations systems, Lisa has hands-on experience with a wide
range of internetworking technologies, including ATM, caching, ISDN, 802.11 wireless,
and VPNs. Lisa publishes monthly columns at ISP-Planet and searchNetworking.com.
She has presented VPN and Wireless LAN security workshops and demonstrations at
several industry conferences, including 802.11-Planet, ISP Business Expo,
Networld+Interop, and TISC.
Best Practices Guide:
Wireless Intrusion Prevention with RFprotect
In today's increasingly wireless world, nearly every organization must deal with both the promise and the peril of 802.11 LANs. Wi-Fi Access Points, Clients, and Ad Hoc Stations are popping up everywhere: inside and outside, authorized and unauthorized, friend and foe. Whether you are considering wireless, enforcing a "no wireless" policy, or launching a company-wide rollout, your company requires security policies, practices, and tools to mitigate wireless threats.
This guide explains how a Wireless Intrusion Prevention System (WIPS) can be used
within a scalable operations process to mitigate wireless threats in multi-site business
networks. It identifies top business risks and the role of WIPS in neutralizing associated
threats. It illustrates how a state-of-the-art WIPS – specifically, Network Chemistry's
RFprotect System 4 – can be deployed as part of an integrated network security
operations workflow. By adopting the WIPS best practices outlined here, your
organization can manage wireless threats, proactively and reactively, to minimize
response time, business impact, resource consumption, and cost.
WIRELESS THREATS AND BUSINESS RISKS
Despite growth in WLAN deployment, surveys show that wireless security is a very
significant concern for most organizations. Whether your organization has already
deployed 802.11, is planning 802.11 rollout, or bans 802.11 use, related concerns can
be addressed by adopting countermeasures and practices that mitigate risk. To make
the most of your security budget, focus on threats that pose the greatest risk.
No matter what your organization's size or business objectives, you probably need to
stop wireless from being used for unauthorized access into private networks and data.
Today, every network's perimeter defense should include a "wireless umbrella" that
can detect and prevent these top 802.11 threats:
#1 Rogue Access Points. Unknown, unauthorized “rogue” APs are the most pressing
wireless threat facing any network. Organizations without authorized WLANs frequently
discover employee-installed APs, connected directly to private networks, providing
backdoor access to business assets. Firms with approved WLANs are not at all immune
to this threat – where 802.11 coverage is weak or restricted or not yet offered, employees
often install their own APs.
Self-installed APs typically use default settings, offering uncontrolled access to business
servers and data. Worse, employees are not the only source: Rogue APs can be planted
in your facility, letting intruders attack your network over a long time period. Small
footprint “travel” APs are easily hidden from view, in boxes or plants, tuned to channels
used in other countries or radio bands. AP software may be installed on any desktop,
laptop, or even PDA. Whether installed by an attacker or employee, Rogue APs serve
as wireless-to-wired bridges for intruders located upstairs, downstairs, in hallways or
stairwells, outside parking lots, or neighboring offices.
#2 Wireless Client Proliferation. Unauthorized Client connections pose a related
threat to most businesses. Today, wireless adapters are ubiquitous, embedded in field
terminals carried by delivery and utility staff, in handheld scanners used by manufacturing
and retail firms, and in laptops and PDAs used by mobile professionals. Nearly every
site, every day, gets visited by Rogue Clients – including sites that ban wireless.
Rogue Clients connecting to authorized APs, accidentally or intentionally, constitute a
backdoor threat. Employee Clients (permitted or not) connecting to unauthorized APs
can be just as worrisome. For example, employees may connect to a neighbor's WLAN
(accidentally, or to circumvent your Internet filters), exposing private data on their system
and your corporate LAN. Worse, they may automatically reconnect to "Hotspotter" APs
that use common home and hotspot ESSIDs, or "Evil Twin" APs that use your WLAN's
ESSID. These malicious APs can intercept traffic relayed through them – including
passwords and compromised SSH/SSL tunnels.
Whether using 802.11 campus-wide, in selected locations, or banning it altogether, your
organization is probably concerned with most of these threats. In addition, firms with
authorized 802.11 must protect the integrity of the WLAN itself – particularly when
mission critical applications ride over wireless. Further threats that many organizations
find very important include:
#3 Insecure Connections. Improper connections between Clients and Rogue APs
– whether Hotspotter, Evil Twin, or Neighbor APs – all deviate from defined policy. But
these are not the only policy violations that create risk. Most organizations need to
enforce policy compliance by watching for wireless misconfiguration and misuse.
For example, if your defined policy requires encryption – WEP, WPA, or some type of VPN
– then you'll want to spot a Client sending cleartext IM to another Ad Hoc Client, or an
AP using "open system" factory defaults. In some cases, the remedy is education; for
example, if you find Clients probing for "any" ESSID, you may counsel employees on
safe wireless practices.
#4 Exploitable Vulnerabilities. Serious attackers often spend considerable time
searching for and exploiting vulnerabilities. Long-running intrusions can destroy data,
steal intellectual property, violate privacy or financial regulations, and much more.
Ideally, intruders that penetrate your network using wireless should be detected long
before they do this damage.
Using signatures or heuristics, you can spot reconnaissance tools like NetStumbler,
WEP crackers like Airsnort, password crackers like ASLEAP, or more subtle attacks
like wireless cameras or MAC spoofing. Many companies focus mitigation efforts on
selected high-risk attacks or long-term patterns — for example, ignoring NetStumbler,
but responding quickly to ASLEAP or a flurry of alerts about the same device or location.
#5 Denial of Service. Finally, those using 802.11 to support mission critical
applications worry about attacks resulting in immediate-but-temporary Denial of Service.
DoS attacks are trivial to launch because 802.11 is inherently vulnerable to "storms" of
unauthenticated management frames (e.g., Associate, Deauthenticate, EAPoL). DoS
can also result through RF competition, interference, and jamming (intentional or
otherwise). The faster a DoS source is found, the sooner WLAN service can return to
normal; doing so can require sophisticated RF tools.
Beyond these top five threats, every organization requires at least some visibility into
wireless activity. Those without formal 802.11 deployment need to learn about nearby
activity; just because you cannot see wireless, do not assume it isn't there. Organizations
with authorized WLANs need to know how these company resources are being used.
Finally, those faced with industry regulations like HIPAA, GLBA, and Sarbanes-Oxley require concrete documentation for compliance reporting and auditing purposes.
ASSEMBLING A STRONG TOOLKIT
Most organizations adopt complementary measures to combat wireless threats and meet business needs. APs and Clients are chosen to support desired 802.11 encryption and 802.1X authentication measures. Switches and element management systems are used to provision APs and Clients, including security-related parameters. Authentication servers and firewalls are deployed to authorize wireless access into wired networks. Portable analyzers are used for as-needed troubleshooting. Wireless Intrusion Detection and Prevention is implemented for 24/7 surveillance of the entire WLAN.
Given diversity in wireless networking and security products, it is critical to select tools
that fulfill your organization's requirements. Some tools may share a few common
functions but are in fact very different. WIPS is a good case in point. Portable analyzers
and some wireless switches both discover previously-unseen APs. But only WIPS offers
full-time, dedicated, comprehensive wireless threat management, enabling efficient
reactive and proactive mitigation in large distributed WLANs.
To understand how a WIPS works, consider the RFprotect Distributed architecture
illustrated in Figure 1.
• Distributed "ears" listen to authorized and unauthorized 802.11 activity at remote sites. Network Chemistry's RFprotect Sensors are compact, dedicated devices that enable continuous RF surveillance, efficient data aggregation, and centrally-coordinated defensive actions.
• A central Server consolidates and analyzes Sensor output, generating alerts and maintaining a database for use by Clients. Network Chemistry's RFprotect Server fills this role, using database replication to enable failover and/or load sharing for robustness and scalability.
• Consoles present WIPS data to administrators, through real-time operations, security, and performance displays and on-demand reports. Network Chemistry's RFprotect Console offers convenient, secure access to WIPS data from any WinXP/2000 PC.
Ideally, WIPS should work in concert with other tools. For example, to avoid redundant
set-up and consolidate results, the RFprotect Server synchronizes with RFprotect Mobile,
a portable Win32 program that lets you survey and audit sites where RFprotect Sensors
have not (yet) been deployed, and supports on-site incident investigation. Tight
integration makes RFprotect Mobile easy to use, improves workflow efficiency, and
results in a single consolidated WIPS database for analysis and reporting.
Figure 1: RFprotect Architecture
On the other hand, a WIPS should not be too tightly-coupled with the WLAN it is
monitoring. Some products use APs to monitor traffic, but independent Sensor-based
monitoring yields a more complete view, unlimited by AP location, band, or attention
span. Double-booking APs or Clients always impacts WLAN performance, particularly
during containment or drill-down capture. Independent Sensors also offer purchasing
flexibility for sites with existing APs and those enforcing "no wireless" policies.
In RFprotect Distributed, the Server communicates with Consoles to deliver critical WIPS functions:
• The Dashboard offers at-a-glance visibility into wireless network status;
• The Network panel depicts relationships between APs, Clients, and Ad Hoc stations and makes their details readily accessible;
• The Alerts panel warns of threats, attacks and vulnerabilities detected by expert analysis;
• RF Environment provides real-time analysis of radio signals detected by Sensors;
• RFlocate plots device location and maps signal strength, noise, and Sensor coverage area;
• RFshield enables automated or on-demand threat containment (wired and wireless);
• RogueCheck tests an 802.11 device's connection to a Sensor's local LAN; and
• A full suite of standard, customizable Reports can be generated as needed from the Server's database.
Figure 2: Example WIPS Workflow
For a detailed description of RFprotect functions, consult www.networkchemistry.com.
The above list introduces these functions so that we can show their use within a scalable
operations workflow. Although our workflow focuses on intrusion prevention's on-going
role in cost-effective threat management, total cost of operation should also be
considered when selecting a WIPS.
DEVELOPING AN EFFECTIVE, EFFICIENT WIPS PROCESS
Just as building a home requires more than a toolbox, implementing an effective wireless defense requires a "blueprint": an integrated process that puts WIPS to work to meet security goals.
Every organization is different, and WIPS processes vary, based on wireless security
needs, network environment, and existing IT practices. Many organizations start with
trial-and-error, using early deployments to learn about WIPS, refining ad hoc practices
into a formal process over time. Eventually, most implement an operations workflow
that incorporates many or all of the steps illustrated in Figure 2. The sections that follow
describe these steps and associated "best practices," drawing from the combined
experiences and recommendations of several RFprotect customers.
1. PLAN
To manage risk, start by extending your organization's network security policy to identify
wireless assets and threats, acceptable use of WLAN resources, required security
measures, and monitoring and enforcement needs, including the incident response plan
to be supported by WIPS.
Organizations enforcing a "no wireless" policy can focus incident response on rogue
detection, containment, and eradication. Others must develop a broader process that
(for example) prevents associations between authorized clients and Rogue APs, and
investigates attacks against authorized devices. Driving your WIPS configuration from
a defined policy is far more likely to create an effective defense than monitoring intrusions
without a concrete plan.
Security policies identify assets abstractly – for example, as departmental groups of
devices. During WLAN deployment, site surveys create concrete device inventories and
detailed floorplans that provide the starting point for WIPS planning.
Every organization – even those enforcing "no wireless" – must deploy WIPS Sensors
to monitor at-risk areas, including areas that could harbor rogues. For planning purposes,
assume that each Sensor hears traffic within a 20-25K square foot circle (150-175'
diameter) in a typical office environment. Position Sensors to cover the target area
without gaps. To maximize channel scanning efficiency and location-finding capabilities,
cover target areas with multiple, overlapping Sensors. RFlocate can help you visualize
predicted coverage.
• A single Sensor may cover a small branch office, but sacrifices location-finding capability.
• Several Sensors are usually needed to monitor the site's interior and exterior.
• Additional Sensors may be desired in strategic locations (e.g., dense populations, critical systems).
• Installation costs can be reduced by placing Sensors near APs, using PortSaver to supply connectivity and power to both devices through one cable, PoE injector, and switch port.
For best results, include Sensors in your WLAN design from the start. In WLANs deployed
incrementally, locations not (yet) covered by Sensors can be periodically audited with
portable tools. For example, use RFprotect Mobile to fill monitoring gaps with on-site
audits, synchronizing results with the RFprotect Server database to create one
consolidated view of your entire network.
2. INSTALL
Putting WIPS infrastructure into place begins with central Server installation. To establish
a foundation for incident response, Server set-up should include Sensor and initial Alert
configuration:
• For efficiency and consistency, create templates to auto-configure new Sensors, identifying which bands and channels to monitor. To reliably spot attackers, most organizations scan all worldwide channels in both 2.4 and 5 GHz bands, not just the channels actually assigned to local APs.
• Implement your security policy by configuring parameters that dictate how the WIPS responds to threats through alert notifications and automated actions (see Step 3, below). Many organizations begin with default Alert settings, revising them after some initial monitoring.
Over time, Server parameters may need modest tuning to reflect experience and policy
changes. For example, an organization that adopts WIPS for "no wireless" enforcement
may add more notifications when transitioning to authorized WLAN deployment. But,
in the long run, you will spend more time adding new sites during network rollout or
expansion. A well-defined activation process can reduce that effort and promote
consistency. For example, the WIPS administrator could:
1. Dispatch a technician to the site, using the site's plan to position Sensors
and connect them to switch ports. IP addresses may be obtained via
DHCP/DNS or configured to match the plan.
2. Notify the NOC to activate switch port(s) and verify Sensor connectivity.
3. Add the new location and floorplan to the WIPS Server.
4. Add the new Sensor(s) to the Server, identified by MAC or IP address, bound
to location.
5. Check the Server's reported Sensor status to confirm WIPS communication.
6. Make customizations (if any) to the Sensor's default / templated configuration.
Never assume that RF predictions reflect reality; always verify Sensor coverage.
Verification may require collaboration between the on-site technician and the WIPS
administrator. The technician walks through the site, carrying a laptop, transmitting
continuously, pausing at agreed locations on the floorplan. The administrator uses
RFlocate to monitor the laptop's current position and Sensor-reported RSSI. If coverage
gaps are found, Sensor(s) can be added or repositioned to fill them, updating the plan
to match.
3. DETECT
As each new Sensor comes on-line, traffic will be analyzed and forwarded to the Server.
There, aggregate data will be correlated and further analyzed to spot potential threats
– for example, discovering nearby APs. Over time, more threats are likely to be detected (e.g., new clients, policy violations, occasional probing).
Newly-detected threats may trigger policy-based notifications and actions. To tap your
WIPS's potential for minimizing IT effort and response time, configure notifications to
reflect your business risk and escalation policy. For example:
• For time-ordered forensic analysis and reporting, log everything of interest to your organization, periodically archiving older alerts from your database.
• To focus alerts on previously unknown devices that pose real risk, import device inventories and classify all newly-discovered devices. For example, classify discovered APs as neighbors or malicious, designate clients as employees or long-term guests, and ignore transient clients.
• To direct human attention when and where it is needed the most, selectively trigger notifications, based on alert type and severity. For example, send all alerts to a SYSLOG for persistent storage; also forward medium- and high-risk alerts to an upstream SNMP Manager; and page or e-mail on-call staff only for high-risk alerts needing immediate attention.
• Review available thresholds and tune where necessary to avoid over- or under-reaction – for example, the number of packets per second that trigger Deauth storm or possible Worm alerts.
• Configure automatic actions (see Step 4) for high-risk alerts that warrant immediate response without initial assessment. For example, auto-invoke RogueCheck to learn whether discovered APs were connected to your network at the time of detection.
Low-risk "informational" alerts may simply be logged for reporting purposes. For all other alerts, the process continues to containment and/or assessment.
• In many organizations, the first responder to wireless and wired alerts is the same: NOC staff tasked with 24/7 NMS surveillance. The NOC is often responsible for initial assessment, gathering information required for mitigation or assigning the alert for further investigation.
• Immediately after a new site is activated, any number of new devices may be discovered. To avoid overloading the NOC or raising undue concern, the WIPS administrator can watch for alerts caused by newly-installed Sensors and take responsibility for investigating them.

PortSaver Drives RFprotect's Low TCO
RFprotect Sensors are purpose-built for RF surveillance. They come with breakthrough PortSaver technology to simplify system installation and reduce the total cost of ownership (TCO) of a WIPS deployment. Available only from Network Chemistry, PortSaver eliminates the need to install an overlay network to link sensors back to the WIPS central server.
RFprotect Sensors can share the existing Ethernet between an AP and switch. Two Ethernet ports on the sensors with PortSaver allow them to daisy-chain with an AP. The sensors may be powered by 802.3af Power-over-Ethernet (PoE) to eliminate the need for AC power near the sensor. Designed for low power, the sensor can also pass the PoE through to power the AP. As a result, enterprises have realized savings of $400-800 per sensor from not needing to pull another Ethernet cable, nor another switch port and PoE injector.
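As an added example (not Network Chemistry code), the Python below models three of the tuning points above on constructed data: classifying newly discovered devices against an imported inventory, a packets-per-second threshold that raises a Deauth storm alert once per source, and routing alerts to syslog, SNMP, and paging by severity. The inventory, MAC addresses, frame timestamps, and the 20 pps threshold are all assumptions.

```python
"""Toy WIPS alert pipeline (added example; not Network Chemistry code).

Models three Step 3 tuning points on constructed data: classifying newly
discovered devices against an imported inventory, a packets-per-second
threshold for Deauth storm alerts, and severity-based notification routing.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed inventory: MAC -> class. Anything absent is "unknown".
INVENTORY = {
    "00:11:22:aa:bb:01": "authorized_ap",
    "00:11:22:cc:dd:01": "employee_client",
    "00:11:22:cc:dd:02": "guest_client",
    "66:77:88:ee:ff:01": "neighbor_ap",
}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
DEAUTH_PPS_THRESHOLD = 20  # assumed starting point; tune per site


@dataclass
class Alert:
    kind: str
    severity: str
    device: str
    detail: str


def alert_for_discovery(mac, is_ap):
    """Alert on a newly seen device only when its inventory class warrants it.

    Inventoried devices and guests are classified silently, so the NOC only
    hears about previously unknown devices that pose real risk.
    """
    cls = INVENTORY.get(mac, "unknown")
    if cls == "unknown" and is_ap:
        return Alert("rogue_ap", "high", mac, "AP not in inventory")
    if cls == "unknown":
        return Alert("rogue_client", "medium", mac, "client not in inventory")
    if cls == "neighbor_ap":
        return Alert("neighbor_ap", "low", mac, "known neighbor, log only")
    return None


class DeauthStormDetector:
    """Sliding one-second window of Deauthenticate frames per source MAC."""

    def __init__(self, pps_threshold=DEAUTH_PPS_THRESHOLD):
        self.threshold = pps_threshold
        self.windows = defaultdict(deque)
        self.alerted = set()  # alert once per source, not once per frame

    def observe(self, ts, src, frame_type):
        """Feed one frame (timestamp, source MAC, type); return an Alert or None."""
        if frame_type != "deauth":
            return None
        window = self.windows[src]
        window.append(ts)
        while ts - window[0] >= 1.0:  # drop frames older than one second
            window.popleft()
        if len(window) > self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return Alert("deauth_storm", "high", src, f"{len(window)} deauth/s")
        return None


def route(alert):
    """Escalation policy: syslog everything, SNMP for medium and up, page on high only."""
    destinations = ["syslog"]
    if SEVERITY[alert.severity] >= SEVERITY["medium"]:
        destinations.append("snmp")
    if alert.severity == "high":
        destinations.append("page")
    return destinations


def run_pipeline(discoveries, frames):
    """Return (kind, device, destinations) for every alert the inputs raise."""
    detector = DeauthStormDetector()
    alerts = [alert_for_discovery(mac, is_ap) for mac, is_ap in discoveries]
    alerts += [detector.observe(ts, src, ftype) for ts, src, ftype in frames]
    return [(a.kind, a.device, route(a)) for a in alerts if a is not None]


# Constructed sample input: discovery events, then a 30-frame Deauth burst from
# one source and one legitimate Deauth per second from our authorized AP.
SAMPLE_DISCOVERIES = [
    ("00:11:22:aa:bb:01", True), ("de:ad:be:ef:00:01", True),
    ("66:77:88:ee:ff:01", True), ("00:11:22:cc:dd:02", False),
    ("de:ad:be:ef:00:02", False),
]
SAMPLE_FRAMES = [(i * 0.02, "ca:fe:00:00:00:01", "deauth") for i in range(30)]
SAMPLE_FRAMES += [(0.5, "00:11:22:aa:bb:01", "deauth"), (1.5, "00:11:22:aa:bb:01", "deauth")]

if __name__ == "__main__":
    for kind, device, dests in run_pipeline(SAMPLE_DISCOVERIES, SAMPLE_FRAMES):
        print(f"{kind:13} {device}  -> {', '.join(dests)}")
```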
4. CONTAIN
To stem attack damage during assessment, containment can be invoked, either upon
alert receipt or following human assessment. In wireless networks, intruders may lie
beyond your reach – e.g., outside your premises, in neighboring establishments. Even
when you cannot physically eliminate an intruder, you can deny wireless access by
preventing or disconnecting associations. Containment temporarily blocks an intruder’s
network use, while buying time to assess, locate, and remediate.
Some organizations don't use containment; others use it sparingly to defend ultra-sensitive resources. Some invoke "safe" actions automatically, reserving high impact measures for authorized personnel. No matter how your organization chooses to use it, containment should be explicitly addressed by your incident response plan. To implement that policy, it is critical to understand what these WIPS measures really do and their potential side effects.
As shown in Figure 3, intruders can be blocked from communicating with others using
wireless or wired methods, invoked manually (e.g., using RFshield) or automatically
(e.g., by RFprotect engine options).
When a wireless shield is applied, the nearest Sensor generates 802.11 Deauthenticate
packets, stopping the target device from maintaining associations. Always specify
the target's MAC address, unless spoofing has been detected and disconnecting all
clients is really warranted.
802.11 is designed to be resilient; clients respond to degradation or failure by associating with another AP on the same ESSID. During an attack, this leads to associations between authorized and unauthorized devices (e.g., Hotspotter APs). To avoid playing "cat and mouse," configure RFprotect to automatically Deauthenticate authorized clients from unknown APs, and vice versa. Using this option can greatly reduce response time for high-risk Rogue alerts, while shielding only devices that you own.
Figure 3: Containment using RogueCheck and RFshield
Attackers may try to elude wireless blocking by moving from AP to AP. To counter this,
RFshield employs "tarpit" algorithms that make a nearby Sensor look like a target AP.
Given a good association to the Sensor, the attacker's client does not try to roam to the
real APs. But since the Sensor is not really an AP – it lacks code to bridge traffic to the
LAN – the ensnared client cannot actually communicate with the wired network. Similar
tarpit algorithms can be used to trap Ad Hoc intruders, or steer authorized clients away
from Rogue APs during an attack.
In many organizations, neutralizing Rogue APs actively connected to the wired network
is top priority. Depending upon network topology and IT practices, risk from a Rogue
can be significantly and immediately reduced by disabling the Ethernet port to which it
is connected. Some organizations have the WIPS automatically identify and disable the
port with SNMP commands; others have the NOC take action through a device
management system. Deciding whether and how to use a wired blocking tool like
RogueCheck is a matter of policy and (often) division of responsibility between
departments.
Note that threat verification plays a critical role in deciding whether to contain devices. Alert fields offer quick insight into the threat posed. Although hardly foolproof, ESSID may suggest ownership (e.g., neighboring business names, delivery companies). RSSI is a coarse indication of distance from the Sensor. For example, a device with RSSI = -98 dBm is assumed to be external/low-risk; if RSSI = -30 dBm, the device is almost certainly on the premises and internal breach may be imminent. For sites with multiple Sensors, RFlocate can be used to better estimate a nearby AP's location (see Step 5).
For Unauthorized APs thought to be on-site, wired and/or wireless checks can be invoked
to verify connectivity to the nearest Sensor's LAN.
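Added here as an example, and not RFprotect's RFshield or RogueCheck logic, the Python below writes the containment guidance of this step down as an explicit policy: prefer a wired port block for a Rogue AP that RogueCheck has confirmed on your LAN, shield only the device you own when an authorized client meets an unknown AP or vice versa, always act on a single target MAC, and escalate spoofing or pairs of devices that are not yours to a human. Device classes, MAC addresses, and action names are constructed.

```python
"""Containment decision policy (added example; not RFprotect RFshield/RogueCheck code).

Encodes the Step 4 guidance as a reviewable policy: a Rogue AP confirmed on
the wired LAN gets a port block, associations that put a device you own at
risk get a wireless shield aimed at a single MAC, and anything involving MAC
spoofing or two devices that are not yours is escalated to a human.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Association:
    client: str                            # client MAC (constructed values below)
    ap: str                                # AP MAC
    client_class: str                      # "authorized" or "unknown"
    ap_class: str                          # "authorized", "neighbor" or "unknown"
    ap_on_our_lan: Optional[bool] = None   # RogueCheck result; None = not yet run
    spoofing_detected: bool = False


@dataclass(frozen=True)
class Action:
    kind: str              # none | wired_block | wireless_shield | manual_review
    target: Optional[str]  # the one MAC the Sensor or switch acts on
    reason: str


def decide(assoc, auto_contain=True):
    """Map one observed association to the action policy prescribes.

    auto_contain=False models sites that reserve wireless shielding for
    authorized personnel: the shield is proposed for review, not invoked.
    """
    if assoc.spoofing_detected:
        # A MAC-targeted shield may hit the wrong device, and disconnecting all
        # clients is high impact, so a human decides whether it is warranted.
        return Action("manual_review", None, "spoofing detected; target MAC unreliable")
    if assoc.client_class == "authorized" and assoc.ap_class == "authorized":
        return Action("none", None, "authorized client on authorized AP")
    if assoc.ap_class == "unknown" and assoc.ap_on_our_lan:
        # Disabling the switch port removes the wireless-to-wired bridge itself
        # and has no side effects on the air.
        return Action("wired_block", assoc.ap, "RogueCheck confirmed AP on our LAN")
    shield = "wireless_shield" if auto_contain else "manual_review"
    if assoc.client_class == "authorized":
        # Our client on a neighbor, Hotspotter or Evil Twin AP: shield our client.
        return Action(shield, assoc.client, "authorized client on non-authorized AP")
    if assoc.ap_class == "authorized":
        # Unknown client on our AP: the shield targets that client's association.
        return Action(shield, assoc.client, "unknown client on authorized AP")
    if assoc.ap_class == "unknown" and assoc.ap_on_our_lan is None:
        return Action("manual_review", assoc.ap, "unknown AP; run RogueCheck and locate")
    # Neither device is ours (neighbor traffic, or an AP confirmed off our LAN):
    # shielding it would be a side effect on someone else's network.
    return Action("none", None, "neither device is ours; log only")


def decide_all(associations, auto_contain=True):
    return [decide(a, auto_contain) for a in associations]


# Constructed sample associations covering each branch of the policy.
SAMPLE_ASSOCIATIONS = [
    Association("00:11:22:cc:dd:01", "00:11:22:aa:bb:01", "authorized", "authorized"),
    Association("00:11:22:cc:dd:01", "66:77:88:ee:ff:01", "authorized", "neighbor"),
    Association("de:ad:be:ef:00:02", "00:11:22:aa:bb:01", "unknown", "authorized"),
    Association("de:ad:be:ef:00:02", "de:ad:be:ef:00:01", "unknown", "unknown", ap_on_our_lan=True),
    Association("de:ad:be:ef:00:02", "de:ad:be:ef:00:01", "unknown", "unknown"),
    Association("ab:cd:ef:00:00:01", "66:77:88:ee:ff:01", "unknown", "neighbor"),
    Association("00:11:22:cc:dd:01", "00:11:22:aa:bb:01", "authorized", "authorized",
                spoofing_detected=True),
]

if __name__ == "__main__":
    for assoc, action in zip(SAMPLE_ASSOCIATIONS, decide_all(SAMPLE_ASSOCIATIONS)):
        print(f"{assoc.client} -> {assoc.ap}: {action.kind:15} {action.reason}")
```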
5. ASSESS
After you have decided on fast-but-temporary action, using readily available information,
the next step is to assess the threat by conducting a thorough investigation. Investigation
may cause containment to be revisited – for example, blocking an employee's AP that
is "hiding in plain sight" by using a neighbor's ESSID, or unblocking a new employee's
laptop once it has been added to the authorized device list.
During investigation, a WIPS can supply information far beyond RSSI, ESSID, and
connectivity.
• Use your Console to review alert and device details like time/frequency, location, class/severity, transmissions, and current alerts for the same device. For example, this can help you differentiate between a benign guest and an attacker using reconnaissance tools.
• Use WIPS Reports to examine related alert and device history – for example, pull up a Rogue AP detail report, using the subject's MAC address, or an Alert report for the affected location during the past month. History can help you spot "low and slow" attacks, conducted incrementally over long periods to evade detection.
• To assess whether a device is sending malicious traffic, use the nearest Sensor as a platform to capture packets for drill-down traffic analysis and forensic evidence-gathering. Sending a Sensor into capture mode interrupts monitoring, but remote capture is much faster and cheaper than dispatching staff to the site. Analyzing a capture to identify communication partners and protocols is a reliable way to determine what a suspicious device is really doing.
• Unless a device is very distant, sending no discernible traffic, precisely identifying its location is imperative. RFlocate can be used from a central Console to narrow location down to 4 or 5 cubicles (see Figure 4). For the most precise locationing, use RFprotect Mobile to refine this projection to an individual cubicle.
Figure 4: Using RFlocate to Find a Rogue AP
There are many location-finding methods, ranging from coarse to granular, labor-intensive to efficient. RSSI is quick and easy and available in every site with at least one Sensor, but measurements taken from just one position yield a large search area. Measurements taken by three or more fixed Sensors can triangulate a smaller, more reliable search area. As the number of observation points increases, the area shrinks, reducing labor costs to isolate the device.
Best results can be achieved by using RFprotect Server and RFprotect Mobile in tandem.
Server data (including device lists, alerts, Sensor readings, and floorplans) are
synchronized to a laptop running Mobile. On-site technicians can then use Mobile to
hit the deck running, clicking on the RFlocate floorplan to take RSSI readings until a
device’s location is pin-pointed. Mobile results are synchronized into the Server database
to provide documentation for permanent mitigation. Integrated, automated tools like
this save time and money.
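To make the coarse-to-granular progression concrete, here is an added Python example (not RFprotect's RFlocate algorithm) that converts Sensor RSSI to distance with the log-distance path-loss model, shows the search area a single reading bounds, and triangulates a position from four Sensors by least squares. The propagation constants, the risk cut-offs, the Sensor coordinates, and the Rogue AP position are assumptions.

```python
"""RSSI-based location finding (added example; not RFprotect's RFlocate algorithm).

Shows why one Sensor's RSSI only bounds a large search area while readings
from three or more fixed Sensors triangulate a much smaller one. Distances
come from the textbook log-distance path-loss model; the propagation
constants, risk cut-offs, Sensor coordinates and device position are assumed.
"""
import math

RSSI_AT_1FT = -25.0    # dBm one foot from the transmitter (assumed)
PATH_LOSS_EXP = 3.0    # indoor path-loss exponent (assumed)
EXTERNAL_RSSI = -90    # at or below: likely off-premises, low risk (assumed cut-off)
ONSITE_RSSI = -40      # at or above: almost certainly on premises (assumed cut-off)


def rssi_risk(rssi_dbm):
    """Coarse proximity triage from a single reading, as described in Step 4."""
    if rssi_dbm <= EXTERNAL_RSSI:
        return "external/low-risk"
    if rssi_dbm >= ONSITE_RSSI:
        return "on-premises/high-risk"
    return "indeterminate"


def rssi_to_distance(rssi_dbm):
    """Invert RSSI(d) = RSSI_AT_1FT - 10*n*log10(d); returns feet."""
    return 10 ** ((RSSI_AT_1FT - rssi_dbm) / (10 * PATH_LOSS_EXP))


def distance_to_rssi(distance_ft):
    """Forward path-loss model, used here only to construct sample readings."""
    return RSSI_AT_1FT - 10 * PATH_LOSS_EXP * math.log10(distance_ft)


def single_sensor_area(rssi_dbm):
    """One reading puts the device on a circle of radius d: search area pi*d^2."""
    d = rssi_to_distance(rssi_dbm)
    return math.pi * d * d


def trilaterate(readings):
    """Least-squares position from three or more (x, y, rssi) Sensor readings.

    Each reading is a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the first
    circle from each other one cancels x^2 and y^2, leaving linear equations
    a_i*x + b_i*y = c_i that are solved through the 2x2 normal equations.
    """
    if len(readings) < 3:
        raise ValueError("need at least three Sensors to triangulate")
    (x1, y1, r1), *rest = readings
    d1 = rssi_to_distance(r1)
    saa = sab = sbb = sac = sbc = 0.0
    for xi, yi, ri in rest:
        di = rssi_to_distance(ri)
        a, b = 2 * (x1 - xi), 2 * (y1 - yi)
        c = di**2 - d1**2 - xi**2 + x1**2 - yi**2 + y1**2
        saa, sab, sbb = saa + a * a, sab + a * b, sbb + b * b
        sac, sbc = sac + a * c, sbc + b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("Sensors are collinear; add one off the line")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


# Constructed scenario: four Sensors on the corners of a 150 ft square and a
# Rogue AP at (40, 90) ft. RSSI is rounded to whole dBm as a Sensor reports it.
SENSORS = [(0.0, 0.0), (150.0, 0.0), (0.0, 150.0), (150.0, 150.0)]
TRUE_POSITION = (40.0, 90.0)


def simulated_readings(device_xy=TRUE_POSITION, sensors=SENSORS, whole_dbm=True):
    """Construct (x, y, rssi) readings for a device at device_xy."""
    readings = []
    for x, y in sensors:
        rssi = distance_to_rssi(math.dist((x, y), device_xy))
        readings.append((x, y, round(rssi) if whole_dbm else rssi))
    return readings


if __name__ == "__main__":
    readings = simulated_readings()
    x0, y0, r0 = readings[0]
    print(f"Sensor at ({x0:.0f},{y0:.0f}) hears {r0} dBm: {rssi_risk(r0)}, "
          f"search area {single_sensor_area(r0):,.0f} sq ft")
    ex, ey = trilaterate(readings)
    print(f"four-Sensor estimate ({ex:.1f}, {ey:.1f}) ft vs true {TRUE_POSITION}")
```

With whole-dBm rounding the four-Sensor estimate lands within a few feet of the true position, while the single reading of -85 dBm only bounds a circle of roughly 31,000 square feet.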
Ultimately, the investigation must determine who "owns" the alert subject, with reasonable certainty. Most organizations – especially those with large, distributed networks – prefer to verify ownership without a site visit, reducing cost and mitigation time. For devices with weak RSSI, you might call the install technician or a neighboring business to verify suspected ownership. Network-connected devices with strong RSSI warrant escalation – for example, activate RFshield and order an RFprotect Mobile walkthrough. When blocked, a legitimate device owner will call your help desk, but an attacker is likely to move on. Since "drive by" attackers may be long gone by the time staff reaches the site, leverage nearby resources whenever possible.
6. MITIGATE
The WIPS process isn't complete until permanent steps are taken to remediate the
threat. Investigation results must be documented so that appropriate parties can make
informed decisions. For example:
• If an employee-installed Rogue AP is discovered, the employee might be given a copy of the organization's Acceptable Use Policy and a deadline to remove the device. Disciplinary action might be taken against the employee if the Rogue is not removed, substantiated by WIPS reports.
• If a malicious Rogue AP is found on company premises, the device may be physically removed. If the Rogue is outside, on public property, physical removal may not be practical, but the WIPS can be configured to persistently shield all unauthorized associations.
• If a Rogue Client is determined to belong to a visitor, the visitor can be asked to disable wireless or leave company premises. For Rogue Clients belonging to employees, adapters can be administratively disabled via desktop management tools, and workers can be coached about wireless threats and countermeasures.
• If an authorized AP is found operating without required security measures, a non-compliance report may be forwarded to the responsible Engineering group to request reconfiguration. A WIPS can then be used to verify that the AP has been brought back into compliance.
• For long-running intrusions, WIPS data can identify systems that may have been compromised, so that appropriate steps can be taken. For example, if repeated 802.1X login failures are seen, password strength may be checked and weak passwords updated. If WEP cracking is detected, APs using WEP may be taken out of service until keys are rotated in all authorized Clients; rotation only buys time, since a new WEP key can be recovered the same way, so the durable fix is to migrate those APs and Clients to WPA or WPA2.
• When DoS attacks are encountered, immediate containment and location may be enough to discourage the attacker, and reports can provide forensic evidence to support legal action, whether criminal or civil.
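The "repeated 802.1X login failures" signal above is easy to miss in a raw event stream unless something counts failures over time. The block below is an added example, not the guide's or RFprotect's code: it assumes the WIPS forwards authentication events as syslog lines in the constructed format shown, and raises one alert per (AP, Client) pair whose failures reach a threshold inside a sliding window, so that two isolated typos an hour apart do not become an incident while a sustained guessing run does.

```python
"""Detect repeated 802.1X failures in forwarded WIPS/RADIUS events.

Added example; not code from the guide or from RFprotect. The log line
format below is constructed for this example, not a real product format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: syslog-style 802.1X events as a WIPS might forward them.
SAMPLE_LOG = """\
2005-06-01T09:00:01 wips1 DOT1X_FAIL ap=00:0c:41:aa:bb:01 sta=00:11:22:33:44:55 reason=eap-failure
2005-06-01T09:00:12 wips1 DOT1X_FAIL ap=00:0c:41:aa:bb:01 sta=00:11:22:33:44:55 reason=eap-failure
2005-06-01T09:00:25 wips1 DOT1X_OK   ap=00:0c:41:aa:bb:01 sta=00:aa:bb:cc:dd:ee
2005-06-01T09:00:40 wips1 DOT1X_FAIL ap=00:0c:41:aa:bb:01 sta=00:11:22:33:44:55 reason=eap-failure
2005-06-01T09:01:05 wips1 DOT1X_FAIL ap=00:0c:41:aa:bb:01 sta=00:11:22:33:44:55 reason=eap-failure
2005-06-01T09:01:30 wips1 DOT1X_FAIL ap=00:0c:41:aa:bb:01 sta=00:11:22:33:44:55 reason=eap-failure
2005-06-01T09:20:00 wips1 DOT1X_FAIL ap=00:0c:41:aa:bb:02 sta=00:de:ad:be:ef:01 reason=eap-failure
2005-06-01T10:45:00 wips1 DOT1X_FAIL ap=00:0c:41:aa:bb:02 sta=00:de:ad:be:ef:01 reason=eap-failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<event>DOT1X_\w+)\s+"
    r"ap=(?P<ap>[0-9a-f:]{17}) sta=(?P<sta>[0-9a-f:]{17})"
)


def parse_events(lines):
    """Yield (timestamp, event, ap_mac, sta_mac); skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["ap"], m["sta"]


def detect_repeated_failures(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (AP, Client) pair whose failures reach `threshold`
    inside any `window`. A success resets the pair, and failures older than
    the window are dropped, so isolated attempts do not accumulate."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, event, ap, sta in parse_events(lines):
        key = (ap, sta)
        if event == "DOT1X_OK":
            recent.pop(key, None)
            continue
        if event != "DOT1X_FAIL":
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ap": ap, "sta": sta, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_repeated_failures(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['sta']} failed {a['count']}x against {a['ap']} "
              f"between {a['first']} and {a['last']}")
```

On the constructed sample only the first Client trips the rule (five failures in ninety seconds); the second Client's two failures are eighty-five minutes apart and age out of the window. Threshold and window are the knobs to tune against your own false-positive rate before the alert is wired into the Assess and Mitigate steps.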
These represent actual mitigation decisions, made by RFprotect customers, but they
are only examples. Decision-making is perhaps the hardest part of developing an
organization's WIPS process. Whatever decisions your organization makes, they should
be driven by a written response policy so that actions are taken consistently and
predictably by authorized parties.
A WIPS can help you implement and enforce your decisions. In most cases, the device
should be added to RFprotect's Known Stations list, classified as Authorized (Internal
or Guest), Neighbor, or Rogue. You may choose to avoid future Rogue alerts about that
same device (particularly helpful for Neighbors). Stop shielding devices that have been
removed from your premises or determined to be harmless. Finally, acknowledge Alert(s)
when mitigation is complete. Acknowledged Alerts can be hidden on the Console, but
remain in the database for future reference (e.g., during other investigations, in
compliance reports).
7. REPORT
A WIPS plays a critical role in documenting incidents, resolutions, and policy or regulatory
compliance. In large WLANs, built-in historical reports provide at-a-glance executive
summaries, as-needed or at regular intervals. For example, RFprotect Rogue and Threat
Summaries can offer quick insight into incidents and responses, while No-Wireless
Policy reports help an organization get a handle on unauthorized wireless activity. Those
subject to industry regulations can easily document their level of compliance using
HIPAA, GLBA, DoDD, or PCI reports.
Detailed reports can provide the foundation for external action -- for example, Weak Security reports can be reviewed to re-assess vulnerabilities and perhaps revise defined security policies. Use location, device, and date range filters to generate shorter, focused reports, or export lengthy reports for external manipulation and post-processing. Custom reports can also be generated through Crystal Reports or by extracting records directly from RFprotect's open RDBMS. Once a WIPS has recorded wireless alerts, the possible uses for that data are many.
INTEGRATING WIRELESS AND WIRED THREAT MANAGEMENT
Today, many organizations administer wireless and wired networks independently, using
separate management systems for device configuration and first-level event monitoring.
This separation may be both practical and political – wired and wireless networks may
be the responsibility of different groups, with different domain expertise.
However, most organizations can benefit by integrating security monitoring streams. SNMP traps, syslog records, and XML messages are commonly used to enable upstream event integration – for example, relaying SNMP traps from APs, switches, wired firewalls, and the wireless IPS to HP OpenView. Forwarding is beneficial when NOC staff are already assigned to watch an NMS console 24/7. As mission-critical wireless deployments grow, organizations with large, distributed networks are driven towards integrated monitoring for scalability and cost containment.
In fact, some large companies use Security Event Management Systems – consolidated
dashboards where events from many sources, wireless and wired, can be cross-correlated
and analyzed for root cause. Adopting a WIPS with published APIs and open interfaces
can facilitate this integration. For example, RFprotect stores all data in an open source
Firebird database, accessible via ODBC to any other authorized application. RFprotect
Third Party Integration SDK provides communication between RFprotect Sensors, the
RFprotect Server, and external systems used for security event, performance, and
enterprise network management.
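The cross-correlation this section describes can be done in a few lines once both feeds are normalized. The block below is an added example, not the guide's or RFprotect's code: it joins constructed Rogue AP alerts against a constructed switch forwarding table to find which wired port a Rogue is plugged into, applies the escalation rule given in the Assess step (a network-connected device with strong RSSI warrants RFshield and a Mobile walkthrough; weak RSSI is verified remotely), and emits one normalized JSON record per alert for a Security Event Management system. The plus-or-minus-one MAC adjacency heuristic, the -65 dBm threshold, the two unwired branches of the rule, and the record layouts are all this example's assumptions.

```python
"""Correlate WIPS Rogue AP alerts with wired switch forwarding tables.

Added example; not code from the guide or from RFprotect. The record
layouts are assumed: in practice the alerts arrive as SNMP traps, syslog
or XML, and the forwarding table is polled over SNMP (BRIDGE-MIB
dot1dTpFdbTable) or scraped from the switch CLI.
"""
import json

# Constructed WIPS alerts (RSSI in dBm as seen by the reporting Sensor).
WIPS_ALERTS = [
    {"id": 101, "type": "ROGUE_AP", "bssid": "00:0c:41:aa:bb:10",
     "ssid": "linksys", "rssi": -48, "sensor": "S2"},
    {"id": 102, "type": "ROGUE_AP", "bssid": "00:13:10:22:33:44",
     "ssid": "cafe-wifi", "rssi": -84, "sensor": "S1"},
]
# Constructed forwarding-table snapshot from two access switches.
SWITCH_FDB = [
    {"switch": "sw-3f-01", "port": "Gi0/17", "vlan": 10, "mac": "00:0c:41:aa:bb:0f"},
    {"switch": "sw-3f-01", "port": "Gi0/18", "vlan": 10, "mac": "00:50:56:12:34:56"},
    {"switch": "sw-2f-02", "port": "Gi0/3", "vlan": 20, "mac": "00:1a:2b:3c:4d:5e"},
]
STRONG_RSSI_DBM = -65  # assumed threshold separating "on premises" from "next door"


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def find_wired_port(bssid, fdb=SWITCH_FDB, span=1):
    """Exact BSSID match first; failing that, a wired MAC within +-span of
    the BSSID. The adjacency rule is a heuristic (many APs number their
    radio and Ethernet MACs consecutively), so it is a lead, not proof."""
    target = mac_to_int(bssid)
    candidate = None
    for entry in fdb:
        delta = abs(mac_to_int(entry["mac"]) - target)
        if delta == 0:
            return {**entry, "match": "exact"}
        if delta <= span and candidate is None:
            candidate = {**entry, "match": f"adjacent(delta={delta})"}
    return candidate


def triage(alert, fdb=SWITCH_FDB):
    """Apply the guide's escalation rule from the Assess step: wired plus
    strong RSSI escalates; weak RSSI is verified remotely. The two
    remaining branches are this example's own assumptions."""
    port = find_wired_port(alert["bssid"], fdb)
    strong = alert["rssi"] > STRONG_RSSI_DBM
    if port and strong:
        action = "ESCALATE: activate RFshield and order an RFprotect Mobile walkthrough"
    elif port:
        action = "INVESTIGATE: on wired network but weak RSSI; verify ownership with site contact"
    elif strong:
        action = "LOCATE: strong signal, not seen on wired network; run RFlocate"
    else:
        action = "VERIFY: probable neighbor; confirm with neighboring business"
    return {"source": "wips", "alert_id": alert["id"], "type": alert["type"],
            "bssid": alert["bssid"], "ssid": alert["ssid"], "rssi": alert["rssi"],
            "sensor": alert["sensor"], "wired": port, "action": action}


def sem_feed(alerts=WIPS_ALERTS, fdb=SWITCH_FDB):
    """One normalized JSON record per alert, ready for a SEM or NMS to ingest."""
    return [json.dumps(triage(a, fdb), sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in sem_feed():
        print(line)
```

On the constructed data the first Rogue resolves to sw-3f-01 Gi0/17 via an adjacent MAC and, with a strong signal, is escalated; the second never appears on any switch and is weak, so it is queued for remote verification as a probable Neighbor. Feeding the forwarding-table lookup from a live SNMP poll turns the same logic into the wired half of the RogueCheck step.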
CONCLUSION
In this paper, we have illustrated the critical role played by Wireless Intrusion Prevention
in managing wireless threats and associated business risk. We have shown why all
organizations must defend their networks from Rogue APs and Clients, and why those
with deployed WLANs require further vigilance against policy violations, DoS attacks,
and other airborne intrusions. No single tool can accomplish this, but selecting the right
set of complementary tools can help you implement and enforce your organization's
security policy in a cost-effective manner.
In particular, a WIPS can help you respond quickly to threats, no matter where they
might occur, even in large multi-site networks. Configurable notification forwarding,
automated RFshield response, centrally-administered investigative tools like RFlocate
and RogueCheck, and integrated remote diagnostic tools like Sensor-enabled packet
capture and RFprotect Mobile can all help your organization minimize response time,
resource consumption, business impact, and (ultimately) cost.
In the end, these tools must be employed as an integral part of a well-defined IT process
that starts with site planning, sensor installation, and coverage verification, creating
a foundation for monitoring. When suspicious events are detected, that process must
implement your organization's incident response plan, including remote investigation,
threat assessment and (in some cases) containment. Finally, steps must be taken to
permanently mitigate each threat, using WIPS to supply the requisite information and
verify and enforce your decisions.
The sample workflow and best practices illustrated herein are based on input from
RFprotect customers, at various stages of wireless deployment, supporting a variety of
objectives. Ultimately, there can be no "one size fits all" WIPS process. But we hope
this guidance proves helpful when defining an effective, efficient, scalable WIPS process
to meet your own organization's business needs.
ABOUT NETWORK CHEMISTRY
Network Chemistry is the emerging leader in wireless intrusion prevention systems (WIPS) for commercial and governmental organizations worldwide. With hundreds of network deployments since 2002, Network Chemistry's RFprotect has built a reputation for open technology leadership, providing the most secure WIPS, optimized around the operational workflow for mitigating wireless threats on networks and devices. Network Chemistry Labs is the company's think tank for pioneering research in wireless security, including discovery of new exploits and development of best practices for protection across the enterprise. Based in Silicon Valley, the company is privately funded by leading venture capitalists, including In-Q-Tel, the investment arm of the CIA and US Intelligence Agencies.
Network Chemistry, Inc.
1700 Seaport Boulevard
Redwood City, CA 94063 USA
Phone: (650) 249-4300
Fax: (253) 249-4301
Email: info@networkchemistry.com
www.networkchemistry.com
Copyright © 2005 Network Chemistry, Inc.
All rights reserved. Network Chemistry, RFprotect Wireless Intrusion Protection System, RFprotect Mobile, RFprotect Distributed, and RFprotect Sensors are trademarks of
Network Chemistry, Inc. Any other marks are the property of their respective owners.