ARE YOU READY FOR WIFI EXPLOSION?
Reiner Hofmann, EMEA Director, Carrier Wireless Business

Fluke Networks is the world-leading provider of network test and monitoring solutions to speed the deployment and improve the performance of networks and applications. Leading enterprises and service providers trust Fluke Networks' products and expertise to help solve today's toughest issues and emerging challenges in data centers, mobility, unified communications and WLAN security.

Company Profile:
• $350+ million company; distributes products in more than 50 countries
• Over 800 employees worldwide with major facilities in: Everett, WA; Colorado Springs, CO; Santa Clara, CA; Duluth, GA; Rockville, MD; Beijing, China; Eindhoven, Netherlands

EXECUTIVE SUMMARY
Fluke Networks AirMagnet Enterprise (AME) is NOT competing against AP-infrastructure vendors. It is complementary to, and independent of, any particular WLAN system.

AirMagnet Enterprise provides:
• Additional layer of defense with focus on OSI layers 1 & 2
• Dynamic threat update
• Active blocking
• Forensic capture
• Threat correlation
• Smart device detection & classification
• 3rd-party integration (SIM/NMS)
• Real-time proactive root cause analysis & troubleshooting
• Active testing (automatic health check)
• Purpose-built true spectrum analysis and classification of 2G/3G/4G (GSM/UMTS/LTE/PCS/AWS/SMR900/CDMA, Tetra (800 MHz), 900 MHz ISM), 698 MHz to 2690 MHz

SOLUTIONS FOR THE ENTIRE WIRELESS LIFECYCLE
Lifecycle stages: Planning; Deployment & Verification; 24x7 Performance & Security; Troubleshooting & Interference (Wired/WLAN Analysis, WLAN Test & Analysis, Spectrum Analysis)
Products: AirMagnet Planner, AirMapper™, AirMagnet Survey, AirMagnet Enterprise, OptiView® XG Network Analysis Tablet, OneTouch™ AT Network Assistant, AirCheck™ Wi-Fi Tester, AirMagnet WiFi Analyzer, AirMagnet VoFi Analyzer, AirMagnet Spectrum ES, AirMagnet Spectrum XT

THE WIRELESS JUNGLE GETS WILDER…
MOBILE DEVICES ARE EXPLODING
• 96% of mobile employees carry more than 2 devices; almost 50 percent carry more than 3
• iPads and eReaders entering the enterprise
• Most smartphones now mixed-use
From: Lisa Phifer / Core Competence, Interop, Sep 2010

THE WIRELESS LANDSCAPE IS EVOLVING!!!
• Traffic & revenue is shifting indoors
• Huge mobile data explosion
• The race to LTE
• Increase in spectrum deficits

THE SECURITY WORLD IS GETTING MORE CHALLENGING
• Threats are increasing
• The number of assets that need protection is growing
• Sources of threats are evolving
• Security solutions need to be more discreet

WIRELESS SECURITY TRENDS FOR 2013
IT WILL BE MORE AND MORE CHALLENGING
• Protecting and securing the air will become more important; protecting the device and AP is not sufficient
• Mobile devices as the new target: with the explosion of BYOD in the marketplace, employees are bringing their mobile devices into work. With company data on these mobile devices, hackers have a much larger target.
• Cellular impersonation and jamming/DoS attacks: small cells are gaining traction and can offer a way into the corporate network
• Mobile devices as the attackers: lately there has been a proliferation of wireless hacking tools for the Android platform. Gone are the days when you needed a laptop to perform the attacks; hackers can now do this from their pockets.
• Impersonation attacks are always on the rise: whether it's impersonating a valid client or impersonating a corporate access point, the threat is always loss of sensitive company data
• WPA-PSK brute force attacks will increase: just because you are using WPA-PSK doesn't mean you are safe. You need to have a policy for using complex pre-shared keys. There are plenty of online services that for a small fee will crack your network handshake in minutes.
• Malware will increase: with the increasing proliferation of mobile devices, mobile adware will increase

WHAT ARE THE CHALLENGES?
Top needs:
• Need to detect unauthorized cell phones and traffic
• Need for a discreet security solution
• Need to detect unauthorized RF jammers
• Need for an easy-to-use solution
• Need to ensure "no-wireless zones"
• Authentication & encryption is not sufficient
• Need to secure Layers 1 & 2
• Capture & retain forensic evidence
• Need for affordable tools
• Mobile client is the weak point

SOME SECURITY BASICS

WIRELESS IS JUST LAYER 1 & 2
OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside IEEE 802 Wireless LAN (Logical Link Control (LLC), Media Access Control (MAC), Physical):
• Perimeter/application security and a traditional IPS/FW do NOT cover layers 1/2
• Encryption is just the "DATA-frame" payload
• The whole connection MUST be transparent

THE ROGUE ACCESS POINT
PHYSICAL DEPLOYMENT OF AN UNAUTHORIZED AP INSIDE THE NETWORK
• Malicious or accidental
• Opens paths around wired security measures (NAT, IDS, firewall)
• Allows external access to the wired network
• Rogues are the most well-known vulnerability
• Symptomatic of the greater security challenge of wireless

INTERNAL TRAFFIC
ALL INTERNAL CLIENT TRAFFIC CAN BE DIRECTLY MONITORED FROM THE OUTSIDE
• Outsiders can see anything in the clear (email, web, etc.)
• Users and devices can be seen and targeted directly (circumvents NAT)
• Clients can connect directly via ad hoc
• Every device and all traffic must be secured
• Creates massive new management challenges to ensure encryption and configuration for all devices
(Diagram: a hacker listening to the airwaves captures traffic in the clear and captures and breaks weak keys; ad hoc clients bypass the approved AP, NAT, IDS and firewall)

OUTBOUND CONNECTIONS
LOSS OF VISIBILITY INTO OUTBOUND CONNECTIONS
• Clients can make connections without ever touching the corporate infrastructure
• Accidental associations are very common
• Many wireless hacks target clients in order to retrieve login information
(Diagram: a client associates to a neighbor hotspot; a hacker listening to the airwaves captures its traffic in the clear, bypassing the NAT, IDS and firewall)

KARMA
LEARNS ALL NETWORKS THAT ALL CLIENTS ARE PROBING FOR IN THE AREA
• Beacons back to all those networks as well as common default networks (FreeWiFi, vendor defaults, etc.)
• Clients will respond to beacons they recognize, even if the client did not probe for that network
(Diagram: client: "Network A, are you there?", "Network B, are you there?"; Karma: "I am Network A", "I am Network B", "I am FreeWiFi")

KARMETASPLOIT
EVEN MORE SOPHISTICATED
Main differences:
• Karmetasploit does not have the limitation of only working on hardware configured with the patched MadWifi drivers
• Includes a DNS daemon that responds to all requests, a POP3 service, an IMAP4 service, an SMTP service, an FTP service, a couple of different SMB services and, most importantly, a web service
• Comes with the powerful exploit framework that is Metasploit

BEACON AND PROBE FRAME TELLS YOU EVERYTHING
IEEE 802.11
  Type/Subtype: Data (32)
  Frame Control: 0x4108 (Normal)
    Version: 0
    Type: Data frame (2)
    Subtype: 0
    Flags: 0x41
      DS status: Frame is entering DS (To DS: 1 From DS: 0) (0x01)
      .... .0.. = More Fragments: This is the last fragment
      .... 0... = Retry: Frame is not being retransmitted
      ...0 .... = PWR MGT: STA will stay up
      ..0. .... = More Data: No data buffered
      .1.. .... = WEP flag: WEP is enabled
      0... .... = Order flag: Not strictly ordered
  Duration: 25818
  BSS Id: 00:02:2d:1b:3e:58 (Agere_1b:3e:58)
  Source address: 00:02:2d:40:64:86 (Agere_40:64:86)
  Destination address: 00:06:25:ff:95:8e (LinksysG_ff:95:8e)
  Fragment number: 0
  Sequence number: 67
  WEP parameters
    Initialization Vector: 0x0b0931
    Key: 0
    WEP ICV: 0x975415b1 (not verified)
  Data (72 bytes) (hex/ASCII payload dump not reproduced)
Slide annotations: "Can I use the default key even with strong encryption …", "Which OS?", "Is a threat available?"

WIRELESS CLIENT ATTACKS
IEEE 802.11 MANAGEMENT FRAMES ARE NOT AUTHENTICATED
Denial of service, RF or MAC based:
• Easy to spoof disassociation and deauthentication frames
• Easy to inject broadcast and multicast traffic
DoS a station with WLAN-Jack (diagram):
  1. User enjoying a good connection to the AP (AP MAC: 00 02 2D 50 D1 4E)
  2. Attacker impersonates the AP (original MAC: 00 12 2D 50 43 1E, new MAC: 00 02 2D 50 D1 4E)
  3. Attacker sends disassoc & deauth frames to the target
Also: exploiting driver vulnerabilities to run remote code, inject malware, etc.
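The Karma slide and the WLAN-Jack slide both describe behaviour a monitoring sensor can recognise from the management frames alone. The following added example (not code from the deck or from the AirMagnet product) runs two such detectors over a constructed capture: one flags a transmitter that answers probe requests for several unrelated SSIDs (Karma-style behaviour), the other flags a burst of deauth/disassoc frames carrying an AP's address. The MAC addresses other than the slide's AP address, the SSIDs and the thresholds are assumed sample values.

```python
from collections import defaultdict

# IEEE 802.11 management-frame subtypes (frame type 0) used by the two detectors.
PROBE_REQ, PROBE_RESP, DISASSOC, DEAUTH = 4, 5, 10, 12

# Constructed sample capture: (time_s, subtype, receiver, transmitter, ssid).
# 00:02:2d:50:d1:4e is the AP MAC from the WLAN-Jack slide; 00:c0:ca:aa:bb:cc is a
# made-up Karma-style responder that answers every probe with the SSID asked for.
FRAMES = [
    (0.00, PROBE_REQ,  "ff:ff:ff:ff:ff:ff", "00:16:ea:11:22:33", "CorpNet"),
    (0.01, PROBE_REQ,  "ff:ff:ff:ff:ff:ff", "00:21:5c:44:55:66", "FreeWiFi"),
    (0.02, PROBE_REQ,  "ff:ff:ff:ff:ff:ff", "00:16:ea:11:22:33", "linksys"),
    (0.03, PROBE_RESP, "00:16:ea:11:22:33", "00:02:2d:50:d1:4e", "CorpNet"),  # real AP
    (0.04, PROBE_RESP, "00:16:ea:11:22:33", "00:c0:ca:aa:bb:cc", "CorpNet"),
    (0.05, PROBE_RESP, "00:21:5c:44:55:66", "00:c0:ca:aa:bb:cc", "FreeWiFi"),
    (0.06, PROBE_RESP, "00:16:ea:11:22:33", "00:c0:ca:aa:bb:cc", "linksys"),
] + [
    # Burst of deauth frames carrying the real AP's address, 20 ms apart: the
    # spoofed traffic from step 3 of the WLAN-Jack slide, as seen by a sensor.
    (1.0 + i * 0.02, DEAUTH, "00:16:ea:11:22:33", "00:02:2d:50:d1:4e", None)
    for i in range(8)
]


def detect_karma_responders(frames, min_ssids=3):
    """Transmitters whose probe responses cover several different SSIDs that
    clients probed for. A real AP answers only for its own SSID(s)."""
    probed = {f[4] for f in frames if f[1] == PROBE_REQ and f[4]}
    answered = defaultdict(set)
    for _, sub, _, tx, ssid in frames:
        if sub == PROBE_RESP and ssid in probed:
            answered[tx].add(ssid)
    return {tx: sorted(s) for tx, s in answered.items() if len(s) >= min_ssids}


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """(transmitter, receiver) pairs with more than `threshold` deauth/disassoc
    frames inside any sliding window of `window_s` seconds, with the count."""
    per_pair = defaultdict(list)
    for t, sub, rx, tx, _ in frames:
        if sub in (DEAUTH, DISASSOC):
            per_pair[(tx, rx)].append(t)
    flagged = {}
    for pair, times in per_pair.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged[pair] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    print("Karma-style responders:", detect_karma_responders(FRAMES))
    print("Deauth floods:", detect_deauth_flood(FRAMES))
```

Because the deauth frames carry the impersonated AP's address, the flagged transmitter is the victim AP, not the sender; the alarm has to be correlated with the sensor's signal-strength and location data to find the real source.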
WIFI PINEAPPLE

WPA CRACKING

ENTERPRISE WLAN SECURITY THREAT TRENDS
ATTACKS ARE MORE SOPHISTICATED
• Easier to use
• Easier to get

SECURITY VALUES

THE NEED FOR NEW TYPES OF OVERSIGHT
WIRED NETWORKS ARE DESIGNED FOR A LINEAR ASSAULT
• Traditional networks delivered security and control through centralization
• Heavily secured entry and exit points
• Multiple layers of security
• Frequent zero-day threat updates are routine
• Security policy enforcement with active blocking
• Threat correlation and mitigation
• Internal devices benefit from umbrella coverage

FOCUS OF THE NETWORK IS SHIFTING TO THE EDGE
• Mobility breaks the centralized model by opening the door to outbound connections
• Now internal-only traffic is also exposed
• "Network traffic has moved to the suburbs"
• All traffic in a shared medium
• Direct access to the outside world
• Internal traffic exposed

LOSS OF SECURITY
WIRELESS AP WITH RUDIMENTARY BUILT-IN SECURITY FEATURES
(Diagram: Layer 2 traffic passes through the AP's built-in security, a rudimentary line of defense, then the WLC, then the Layer 4-7 firewall)
• Just one layer of security on the wireless side (Layer 2)
• No threat/signature update
• No security policy enforcement with active blocking
• No threat correlation and mitigation
• Under a DDoS or Layer 1 jamming attack, the AP solution will immediately die
If not in full monitor mode, APs:
• are busy with more and more services
• can only do part-time scanning
• need to decide between scanning and signal provisioning
Static security cannot keep pace with new devices, new technologies, new protocols, new threats...
AME ADDS ANOTHER LINE OF DEFENSE
(Diagram: Layer 2 traffic passes the AME sensor (1st line of defense, Layer 2 WIPS), then the AP's built-in security (rudimentary line of defense), then the Layer 4-7 firewall; the AME server downloads new signature modules from Flukenetworks.com)
AME sensor, 1st line of defense, Layer 2 WIPS:
• Real-time monitoring
• Zero-day threat protection
• Blocking
• Policy enforcement
• Attack IDS
• Forensics
With AME added:
+ Heavily secured entry and exit points
+ Multiple layers of security
+ Frequent zero-day threat updates
+ Security policy enforcement with active blocking
+ Threat correlation and mitigation
+ Real-time monitoring
+ NMS, SIEM integration
+ Forensic analysis (file capturing)
+ Full rogue RF + wire trace and blocking
+ Security system resilience …
+ Internal devices benefit from umbrella coverage
AirMagnet Enterprise is closing the major gaps: 1st line of defense, frequent threat updates, active blocking.

PRINCIPLE ARCHITECTURE
AIRMAGNET ENTERPRISE SYSTEM ARCHITECTURE
FLEXIBLE AND SCALABLE
Servers
• Runs on virtual or dedicated Windows Server environments
• Hot standby server can be in a separate datacenter
• Supports up to 1000 sensors per server
Sensors
• Sensors can be located anywhere in the global network; they use a secure SSL-based link
• Hardware and software sensor agents can be combined for optimal monitoring

WHAT IS THE SENSOR'S MECHANICAL DESIGN?
• Distinctive look
• Blends visually into a ceiling mount; unobtrusive in sensitive aesthetic environments like VIP areas or hospitals
• Internal and external antenna options

"AIRWISE" IS THE HEART OF AME
PROVIDES PROACTIVE ALERTING
The most comprehensive list of wIPS signatures in the industry: the AirWISE Encyclopedia. Every signature contains a detailed description of the attack and how to remediate the threat.
Set threshold levels to trigger different notifications. AirWISE automatically checks for hundreds of potential problems around the clock.
• Get notified: trigger alerts via email, SNMP, instant message or page to specific targets
• Escalate: set multiple thresholds and responses for each policy ("…just send a note when channel utilization hits 30%, but start paging staff when it hits 40%")

DYNAMIC THREAT UPDATE (DTU)
QUICKLY UPDATE TO PROTECT AGAINST A NEW THREAT
End-user timeline (10 days to 2 weeks overall):
• Vulnerability published
• Analyze & assess severity, post response: 1 day to 2 weeks
• Create and release new alarm, publish DTU file: 1 day to 2 weeks
• Automated DTU download & alarm is active: instant (downloads checked every hour)
• The AirMagnet Wireless Intrusion Research team can rapidly customize or create new signatures/rules for newly discovered vulnerabilities
• Users have immediate protection from new threats
• No disruption of WIPS protection or wireless service to update the signature module
• Automated updates require no IT staff cycles
• Users and the AirWISE community contribute to the creation of new signatures
• New threat signatures are automatically delivered to sensors across the organization for instant protection with no downtime and no IT staff

DTU – JUST ONE EXAMPLE

EXAMPLE – HOW DOES AME WORK?
AUTOMATED PROTECTION
Wireless termination (AirMagnet sensor to neighboring AP / laptop: "ALERT! TERMINATED!")
• Terminates the target device only; minimal disruption to the rest of the network
• Automated or on-command disconnect
• Authorization required, audit trail maintained
• Compliant with applicable laws & FCC regulations
Wired-side port shutdown (AirMagnet server to switch: "ALERT! PORT SUPPRESSED!")
• Port look-up and suppression
• Rogue AP on network
• Accidental association
• On-command shutdown

AUTOMATED PERIMETER DETECTION
COUNTERMEASURES
A specific event alarm triggers when a rogue AP is found INSIDE the premise boundary.

DETECT ROGUES
5 DIFFERENT METHODS FOR TRACING ROGUE ACCESS POINTS
1. Wireless tracing: when the sensor detects an open rogue or unknown AP, it will attempt to connect to it. Once connected, it forwards a frame to itself to determine if the AP is on the wire.
2. Wired listener: the sensor puts its wired interface into promiscuous mode and listens for broadcast frames, trying to match them against the rogue and unknown APs that are seen (+2/-2 of the wireless MAC address).
3. DHCP fingerprinting: the sensor's wired interface listens for DHCP request packets to determine if the unknown or rogue device is on the wire.
4. eROW passive rogue detection: ARP-sweep the subnet and compare the list of MAC addresses with the unknown or rogue list (+2/-2 of the wireless MAC address).
5. Switch tracing via SNMP: crawl switches looking for the wireless MAC address of rogue and unknown APs (+2/-2 of the wireless MAC address); if it cannot be found via this method, tracing can also be based on the MAC addresses of connected stations.
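Three of the five tracing methods rely on the same correlation: a rogue AP's wired-side MAC usually lies within +2/-2 of its wireless BSSID. The added example below (not code from the deck or the AirMagnet product) implements that window over a constructed ARP-sweep result; the two BSSIDs are taken from the frame dissection on the earlier slide, while the ARP table lines, the IP addresses and the helper names are assumed.

```python
import re

MAC_RE = re.compile(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.IGNORECASE)


def mac_to_int(mac):
    return int(re.sub(r"[:-]", "", mac), 16)


def int_to_mac(value):
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_neighbourhood(mac, spread=2):
    """MAC addresses within +/- `spread` of `mac`, computed on the full 48-bit
    value (masked to 48 bits, so ff:ff:ff:ff:ff:ff + 1 wraps to all zeros)."""
    base = mac_to_int(mac)
    return {int_to_mac((base + d) & 0xFFFFFFFFFFFF) for d in range(-spread, spread + 1)}


def macs_from_arp_output(text):
    """Extract hardware addresses from `arp -a` / `ip neigh` style output,
    normalised to lower-case colon notation."""
    return {m.group(0).lower().replace("-", ":") for m in MAC_RE.finditer(text)}


def trace_rogues_on_wire(rogue_bssids, wired_macs, spread=2):
    """Map each rogue/unknown BSSID to the wired MACs that fall inside its
    +/- `spread` window. An empty result means no wired evidence was found."""
    wired = {m.lower() for m in wired_macs}
    hits = {}
    for bssid in rogue_bssids:
        matches = sorted(mac_neighbourhood(bssid.lower(), spread) & wired)
        if matches:
            hits[bssid.lower()] = matches
    return hits


# Constructed sample: the two BSSIDs seen in the slide's frame dissection and a
# made-up ARP table. Only the LinksysG unit has a wired port inside the window
# (offset -1); the entries at offset +3 are deliberately just outside it.
ROGUE_BSSIDS = ["00:06:25:ff:95:8e", "00:02:2d:1b:3e:58"]
ARP_TABLE = """\
? (192.168.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.20) at 00:06:25:ff:95:8d [ether] on eth0
? (192.168.1.21) at 00:06:25:ff:95:91 [ether] on eth0
? (192.168.1.40) at 00:02:2d:1b:3e:5b [ether] on eth0
"""

if __name__ == "__main__":
    print(trace_rogues_on_wire(ROGUE_BSSIDS, macs_from_arp_output(ARP_TABLE)))
```

A hit only says a candidate wired port exists; the deck's switch-tracing step (looking the MAC up in the switch bridge table) is what turns it into a port that can be suppressed.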
COMPLETE SECURITY VISIBILITY
SCANNING ON ALL 200 EXTENDED CHANNELS FOR 5 GHZ

FORENSIC CAPTURE
BETTER THAN BEING THERE
• The challenge
  – Security and performance event triggers often require post-inspection to determine remediation
• Solution with forensics
  – Automatically capture Wi-Fi and spectrum forensic data in the background
  – Review the packet-level capture at the exact moment of the trigger for deep forensics of the threat source

3G/4G/LTE SPECTRUM ANALYSIS
KEY FEATURES & BENEFITS, ALL UNIQUE
• Detect unauthorized cell phone traffic
• Ensure "no-wireless" zones
• Enables users with zero-day Interference Intelligence to detect/identify, classify & locate security threats due to RF interference sources
• Instant detection of cellular data/voice events
• Capture & save, maintain forensic evidence
• Monitor public safety DAS networks

INTERFERENCE INTELLIGENCE: COMPLETING THE LAYER 1 VIEW
• Detect unauthorized interference sources that pose a high security risk for authorized defense/federal networks
  – 3-prong response: detect, classify & locate
  – Built-in classification of RF jammers and CW devices that could render networks unusable
  – Classify any interference source with custom signature capability
  – Built-in locator tool to pinpoint the location
  (Built-in classification database; automated classification)
• Detect unauthorized cell phones or cell phone data/voice traffic
• Ensure "no-wireless zones"
  – Data/voice events: visualize data/voice sessions in the selected band; get details on technology, carrier, power levels and first/last seen time for every event
  – Visualize cellular band activity to verify no-wireless violations

FORENSIC EVIDENCE
INFORMATION GATHERING
• Capture entire spectrum sessions for replay and analysis
• Retain as hard evidence for post-capture forensic investigation and analysis
• Recording: record capture sessions

ROOT CAUSE ANALYSIS AND TROUBLESHOOTING

REAL-TIME REMOTE WI-FI ANALYSIS
DIRECT CONNECT IN REAL-TIME
• Direct connect to the sensor for live remote analysis; essential for problem investigation
• Investigate WLAN behavior in real time
(Diagram: local site and remote site sensors; AME servers in the data center (primary, hot standby); console running in NOC/SOC or remotely)

REAL-TIME REMOTE TRUE SPECTRUM ANALYSIS
FULL DEDICATED SPECTRUM RADIO
• For analysis and classification
• Remote spectrum interface for live troubleshooting
• Covers 2.4 GHz, 5 GHz and 4.9 GHz
• 19 classification alarms

FULL PERFORMANCE ANALYSIS
PROVIDES ROOT CAUSE AND DESCRIBES ALL DETAILS
• Overloaded channels and devices
  – Bandwidth
  – Association capacity
• Configuration problems
  – Missing performance options
  – Not supporting higher speeds
• Co-existence problems
  – 11n and a/b/g
  – b/g protection mechanisms
  – QoS
• Traffic problems
  – Fragmentation
  – Retries
• RF and interference

BYOD CLASSIFICATION
VIEWING THE SMART DEVICES

WIRELESS ASSURANCE

AUTOMATIC HEALTH CHECK BENEFITS
IDEA: SIMULATE A WIRELESS CLIENT
• Perform pre-defined tasks
• Collect metrics
• Automate
• Find out and react to the wireless problem before your users start calling
• Generate alarms when thresholds aren't met
• Know exactly what the problem is before your users complain
• Get detailed statistics for every step of the test

AUTOMATED HEALTH CHECK TRENDING CHARTS
Trending data for the following:
• Connection time
• Authentication time
• DHCP time
• Ping time
• FTP speed
• HTTPS download speed
• HTTP download speed

AUTOMATED HEALTH CHECK EXPORT TO EXCEL
• Export your AHC trending data to Excel
• Exports daily, weekly and monthly data
• Automatically creates the Excel charts
• Exports the raw data

REPORTING
• Multiple reports
• Everything is automated
• Smart device list

3RD PARTY INTEGRATION
MULTIPLE MECHANISMS TO PASS EVENT DATA TO EXISTING MONITORING PLATFORMS
• SNMP out (v1, v2 and v3) to popular NMS platforms
• RDEP support for Cisco tools
• Integration with SIM products (ArcSight, etc.)
Enterprises want wireless alerts integrated into existing NOC/SOC processes and tools.
(Diagram: AME servers in the data center (primary, hot standby) send SNMP, syslog, email and custom notifications)
Issue if missing: no way to support existing NM operating procedures.

COMPLEMENTARY VALUE OF AME
SUMMARY
• Real-time 24x7 proactive troubleshooting AND security monitoring
• Solution complementary to AP vendor solutions
• Strong capability to secure mobile clients as well
• Closes all gaps (security & troubleshooting)
• Smart device (mobile device) management with BYOD classification
• AHC – active testing
• Real end-user experience analysis
• Root cause analysis and troubleshooting with built-in AirWISE intelligence

FLUKE NETWORKS
ONE-STOP SHOP FOR ALL NEEDS AND PAINS
(Lifecycle diagram: Planning; Deployment & Verification; 24x7 Performance & Security; Troubleshooting & Interference, shown alongside the WLAN infrastructure vendors)

THANK YOU
Reiner Hofmann
EMEA Director Wireless/AirMagnet BU, Fluke Networks
Office: +49 7152 929 622
Mobile: +49 1520 9087448
Reiner.Hofmann@flukenetworks.com
Your Fluke Networks partner in Belgium (Benelux region): Heynen@Heynen.com for demos & more info.