Fluke Networks

Download Report

Transcript Fluke Networks

ARE YOU READY FOR WIFI
EXPLOSION?
Reiner Hofmann
EMEA Director Carrier Wireless Business
Fluke Networks is the world-leading provider of network test and monitoring
solutions to speed the deployment and improve the performance of networks
and applications. Leading enterprises and service providers trust Fluke Networks’
products and expertise to help solve today’s toughest issues and emerging
challenges in data centers, mobility, unified communications and WLAN security.
Company Profile:
• $350+ million company; distributes products in more than
50 countries
• Over 800 employees worldwide with major facilities in:
Everett, WA;
Colorado Springs, CO; Santa Clara, CA; Duluth, GA;
Rockville, MD;
Beijing, China; Eindhoven, Netherlands
2
EXECUTIVE SUMMARY
Fluke Networks AirMagnet Enterprise (AME) is NOT competing
against AP-Infrastructure vendors. It is complementary and
independant to any particular WLAN system.
AirMagnet Enterprise provides:
•
•
•
•
•
•
•
•
•
•
Additional layer of defense with focus on OSI layer 1 & 2
Dynamic threat update
Active Blocking
Forensic capture
Threat correlation
Smart device detection & classification
3rd party integration (SIM/NMS)
Real time pro-active root cause anaylsis & troubleshooting
Active Testing (automatic health check)
Purpose build True Spectrum Analysis and classification of 2G/3G/4G
(GSM/UMTS/LTE/PCS/AWS/SMR900/CDMA, Tetra (800 MHz), 900 Mhz ISM) 698
MHz & 2690 MHz
SOLUTIONS FOR THE ENTIRE WIRELESS LIFECYCLE
AirMagnet
Planner
Planning
AirMapperTM
AirMagnet
Enterprise
24x7 Performance
& Security
Deployment
& Verification
AirMagnet
Survey
Wired/WLAN Analysis
Troubleshooting
& Interference
WLAN Test & Analysis
Spectrum Analysis
OptiView® XG
Network Analysis
Tablet
OneTouch™
AT Network Assistant
AirMagnet
Spectrum ES
AirCheck ™
Wi-Fi Tester
AirMagnet
Spectrum XT
AirMagnet
WiFi
Analyzer
AirMagnet
VoFi Analyzer
–4
THE WIRELESS JUNGLE GETS WILDER…
MOBILE DEVICES ARE EXPLODING
• 96% of mobile employees carry >2 devices; almost 50 percent carry more
than 3
• iPads and eReaders entering the enterprise
• Most smart phones now mixed-use
From: Lisa Phifer / Core Competence, Interop/Sep-2010
THE WIRELESS LANDSCAPE IS EVOLVING!!!
Traffic &
Revenue
is shifting
indoors
Huge
Mobile
Data
Explosion
The race
to LTE
Increase
in
spectrum
deficits
THE SECURITY WORLD IS GETTING MORE
CHALLENGING
Threats
are
increasing
The
number of
assets that
need
protection
are
growing
Sources of
threats are
evolving
Security
solutions
need to be
more
discrete
WIRELESS SECURITY TRENDS FOR 2013
IT WILL BE MORE AND MORE CHALLENGING
•
Protecting and securing the air will become more important
Protecting the device and AP is not sufficient
•
Mobile devices as the new target
- With the explosion of BYOD in the marketplace, employees are bringing their
mobile devices into work. With company data on these mobile devices,
hackers have a much larger target.
•
Cellular impersonation and Jamming/DoS attacks
- Small cells are gaining traction and can offer a way into the corporate network
•
Mobile devices as the attackers
- Lately there has been a proliferation of wireless hacking tools for the Android
platform. Gone are the days when you needed a laptop to perform the
attacks. Hackers can now do this from their pockets.
WIRELESS SECURITY TRENDS FOR 2013
IT WILL BE MORE AND MORE CHALLENGING
•
Impersonation attacks are always on the rise
-
•
WPA-PSK brute force attacks will increase
-
•
Whether its impersonating a valid client or impersonating a corporate Access Point the threat
is always loss of sensitive company data
Just because you are using WPA-PSK doesn’t mean you are safe. You need have a policy for
using complex Pre Shared Keys. There are plenty of Online Services that a small fee will crack
your network handshake in minutes.
Malware will increase
-
With increasing proliferation of mobile devices, mobile adware will increase.
WHAT ARE THE CHALLENGES?
Need to detect
unauthorized
cellphones and
traffic
Need for a
discrete security
solution
Top Needs
Need to detect
unauthorized RF
Jammers
Need for easy to
use solution
Need for a
discrete security
solution
Need to ensure
“no-wireless
zones”
Detect
unauthorized cell
phones and
traffic
Authentication &
Encryption is not
sufficient
Need to secure
Layer 1&2
Capture & retain
forensic evidence
Need for
Affordable tools
Mobil Client is
weak point
Some security basics
–11
WIRELESS IS JUST LAYER 1 & 2
OSI MODELL
Presentation
Session
 Traditional IPS / FW does NOT
cover layer1/2
 Encryption is just „DATA-Frame“
 Whole connection MUST be
transparent
Transport
Network
Data Link
Logical Link Control
LLC
Media Access Control
MAC
Physical
Physical
OSI
IEEE 802
Wireless LAN
Perimeter/Application
Security
Application
THE ROGUE ACCESS POINT
PHYSICAL DEPLOYMENT OF AN UNAUTHORIZED AP INSIDE THE NETWORK
• Malicious or accidental
• Opens paths around wired
security measures
• Allows external
access to the
wired network
• Rogues are the
most well-known
vulnerability
• Symptomatic of
the greater
security challenge
of wireless
Rogue AP
NAT IDS Firewall
–13
INTERNAL TRAFFIC
ALL INTERNAL CLIENT TRAFFIC CAN BE DIRECTLY MONITORED FROM THE
OUTSIDE
• Outsiders can see anything in
the clear (email, web, etc)
• Users and devices can be
seen and targeted directly
(circumvents NAT)
• Clients can connect
directly via Ad-hoc
• Every device and
all traffic must
be secured
• Creates massive
new management
challenges to
ensure encryption
and configuration
for all devices
Hacker listening
to the airwaves
Ad-hoc Clients
Capture and break weak keys
Capture traffic in the clear
NAT IDS Firewall
Approved AP
–14
OUTBOUND CONNECTIONS
LOSS OF VISIBILITY INTO OUTBOUND CONNECTIONS
• Clients can make connections
without ever touching the
corporate infrastructure
• Accidental associations
are very common
• Many wireless
hacks target
clients in order
to retrieve
login information
Hacker listening
to the airwaves
Hacker captures
traffic in the clear
Neighbor
hotspot
NAT IDS Firewall
–15
KARMA
LEARNS ALL NETWORKS THAT ALL CLIENTS ARE PROBING FOR IN THE
AREA
•
•
Beacons back to all those
networks as well as common
default networks (FreeWiFi,
Vendor Defaults, etc)
Clients will respond
to beacons it
recognizes, even
if the client did not
probe for that
network
“Network A,
are you
there?”
“I am Network A”
“I am Network B”
“I am FreeWiFi”
“Network B, are
you there?”
–16
KARMASPLOIT
EVEN MORE SOPHISITICATED
main differences:
• Karmetasploit does not have the limitation of only working on hardware configured with the
patched Mad-wifi drivers
• includes a DNS daemon that responds to all requests, a POP3 service, an IMAP4 service, a
SMTP service, a FTP service, a couple of different SMB services, and most importantly, a
web service.
• comes with the powerful exploit framework that is metasploit.
–17
BEACON AND PROBE FRAME
TELLS YOU EVERYTHING
IEEE 802.11
Type/Subtype: Data (32)
Frame Control: 0x4108 (Normal)
Version: 0
Type: Data frame (2)
Subtype: 0
Flags: 0x41
DS status: Frame is entering DS (To DS: 1 From DS: 0) (0x01)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.1.. .... = WEP flag: WEP is enabled
0... .... = Order flag: Not strictly ordered
Duration: 25818
BSS Id: 00:02:2d:1b:3e:58 (Agere_1b:3e:58)
Source address: 00:02:2d:40:64:86 (Agere_40:64:86)
Destination address: 00:06:25:ff:95:8e (LinksysG_ff:95:8e)
Fragment number: 0
Sequence number: 67
WEP parameters
Initialization Vector: 0x0b0931
Key: 0
WEP ICV: 0x975415b1 (not verified)
Data (72 bytes)
0000
0010
0020
0030
0040
0050
0060
08
00
67
bc
d9
e4
26
41
06
fb
cf
ef
e1
36
02
25
bd
65
f6
86
ac
01
ff
aa
40
92
84
02
00
95
88
2d
11
41
97
02
8e
cf
e7
28
5f
54
2d
30
bf
41
f4
69
15
1b
04
de
f1
57
0b
b1
3e
0b
92
77
d6
0f
58
09
ec
b6
ee
9f
00
31
d7
7d
8f
4e
02
00
3a
a7
99
e4
2d
a3
3f
0f
5e
81
40
a4
74
7e
bf
b4
64
fd
26
01
a2
2a
86
36
83
1e
ab
3e
Can I use default key even
strong encryption …
Which OS? Is it a threat
available?
.A....-.>X..-@d.
..%...0...1....6
g..........:?t&.
[email protected].}..~..
.....(.W....^...
....A_i...N...*>
&6...T..
–18
WIRELESS CLIENT ATTACKS
IEEE 802.11 MANAGEMENT FRAMES ARE NOT AUTHENTICATED
Denial of Service – RF or MAC based
• Easy to spoof disassociation and deauthentication frames
• Easy to inject broadcast and multicast traffic
DoS a Station with WLAN-Jack
Target
(User)
1
AP
MAC: 00 02 2D 50 D1 4E
1. User enjoying good connection
3
2. Impersonate AP
2
3. Send Disassoc & Deauth frames
NEW MAC: 00 02 2D 50 D1 4E
ORIGINAL MAC: 00 12 2D 50 43 1E
Attacker
Exploiting driver vulnerabilities to run remote code, inject malware, etc.
–19
WiFi Pineapple
20
–20
WPA CRACKING
–21
ENTERPRISE WLAN SECURITY THREAT TRENDS
ATTACK ARE MORE SOPHISTICATED
•
•
Easier to use
Easier to get
22
–22
Security values
–23
THE NEED FOR NEW TYPES OF OVERSIGHT
WIRED NETWORKS ARE DESIGNED
FOR A LINEAR ASSAULT
• Traditional networks delivered security and
control through centralization
• Heavily secured entry and exit points
• Multiple layers of security
• Frequent Zero-day threat update are routine
• Security Policy enforcement with active blocking
• Threat correlation and mitigation
• Internal devices benefit from umbrella coverage
FOCUS OF THE NETWORK IS
SHIFTING TO THE EDGE
• Mobility breaks the centralized model by opening
the door to outbound connections
• Now internal-only traffic is also exposed
• “Network traffic has moved to the suburbs”
• All traffic in shared medium
• Direct access to outside world
• Internal traffic exposed
LOSS OF SECURITY
Layer 4-7 Firewall
WIRELESS AP WITH RUDIMENTAL BUILD-IN SEC FEATURES
WLC
• Just one layer of security on the wireless
side (layer2)
• No threat /signature update
• No Security Policy enforcement with active
blocking
• No Threat correlation and mitigation
• If DDos or Layer 1 jamming attack, AP
solutiuon will immediatly die
Layer 2 traffic
Layer 2 traffic
AP build in Sec
Rudimental Line of Defense
If not in full monitor mode – AP‘s
• are busy with more and services
• can only do Part-time scanning
• need to decide between scanning and
signal provisioning
Layer 2 traffic
Static security cannot keep pace with
new devices, new technologies, new
protocols, new threats...
AME ADDS ANOTHER LINE OF DEFENSE
Layer 2 traffic
Layer 4-7 Firewall
WIRELESS AP WITH RUDIMENTAL BUILD-IN SEC FEATURES +AME
+
+
+
+
Layer 2 traffic
AP build in Sec
Rudimental Line of Defense
Layer 2 traffic
AME
Sensor
1st Line of Defense
Layer 2- WIPS
• Real time
monitoring
• Zero-Day Thread
protection
• Blocking
• Policy
enforcement
• Attack IDS
• Forensic
Server downloads
new signature
module
Flukenetworks.com
+
+
+
+
+
+
+
+
Heavily secured entry and exit points
Multiple layers of security
Frequent Zero-day threat update
Security Policy enforcement with active
blocking
Threat correlation and mitigation
Real time monitoring
NMS, SIEM integration
Forensic analysis (file capturing)
Full Rogue RF + wire trace and blocking
Security system resilience
…
Internal devices benefit from umbrella
coverage
AírMagnet Enterprise is closing
the major GAP‘s
- 1st line of defense
- Frequent Threat update
- Active blocking
Principle Architecture
AIRMAGNET ENTERPRISE SYSTEM ARCHITECTURE
FLEXIBLE AND SCALABLE
Servers
• Runs on virtual or
dedicated Windows
Server environments
• Hot standby server can
be in separate
datacenter
• Supports up to 1000
sensors per server
Sensors
• Sensors can be located
anywhere in global
network, uses secure
SSL-based link
• Hardware and Software
Sensor Agents can be
combined for optimal
monitoring
28
WHAT IS SENSORS MECHANICAL DESIGN?
•
•
•
Distinctive look
Blends visually into ceiling
mount- unobtrusive in
sensitive aesthetic
environments like VIP areas
or hospitals
Internal and external
antenna options
Company Confidential
29
29
“AIRWISE” IS THE HEART OF AME
PROVIDES PROACTIVE ALERTING

The most comprehensive list of wIPS signatures in the industry
 AirWISE Encyclopedia. Every signature contains a detailed description about the attack and
how to remediate the threat.
 Set threshold levels to trigger different notifications
 Airwise automatically checks for hundreds of potential problems around the clock
 Get Notified
Trigger alerts via email, SNMP, instant
message, page to specific targets
 Escalate
Set multiple thresholds and responses for
each policy
“ …Just send a note when channel util hits
30%, but start paging staff when it his
40%”
–30
DYNAMIC THREAT UPDATE - DTU
QUICKLY UPDATE TO PROTECT AGAINST A NEW THREAT
days
10
day
to 2 weeks
End-user Timeline
Vulnerability
Published
`
Analyze &
assess severity
- Post response
1 day – 2 weeks
Create and
release new
alarm
Publish
DTU
file
1 day – 2 weeks Instant
`
Automated DTU
download &
alarm is active
Every hour
AirMagnet Wireless Intrusion Research team can rapidly customize or create new
signatures / rules for newly discovered vulnerabilities
• Users have immediate protection from new threats
• No disruption of WIPS protection or wireless service to update signature module
• Automated updates require no IT staff cycles
• Users , AirWise Community contribute to creation of new signatures
•
New threat signatures are automatically delivered to sensors across the
organization for instant protection with no down time and no IT staff
–31
DTU – JUST ONE EXAMPLE
–32
EXAMPLE – HOW DOES AME WORK?
AUTOMATED PROTECTION
Wireless Termination
 Terminates target device only – minimal
disruption to rest of network
AirMagnet Server
 Automated or on-command disconnect
 Authorization required, audit trail
maintained
AirMagnet
Sensor
Neighboring
AP
 Compliant with applicable laws & FCC
regulations
Switch
Wired-side Port Shutdown
Laptop
 Port look-up and suppression
ALERT!
PORT SUPPRESSED!
ALERT!
TERMINATED!
Rogue
Rogue AP
AP on
on Network
Network
Accidental
AccidentalAssociation
Association
 On-command shutdown
–33
AUTOMATED PERIMETER DETECTION
COUNTERMEASURES
COUNTERMEASURES
Specific Event Alarm
Triggers when Rogue
AP is found INSIDE
Premise Boundary
DETECT ROGUES
5 DIFFERENT METHODS FOR TRACING ROGUE ACCESS POINTS
 Wireless tracing
The sensor when it detects an open Rogue or Unknown AP,
will attempt to connect to it. Once connected, it will forward
itself a frame to determine if its on the wire.
Wired
Listener
 Wired listener
The sensor puts its wired interface into promiscuous mode and
listens for broadcast frames trying to match against the Rogue
and Unknown AP's that are seen. +2/-2 of the wireless MAC
address
Wireless
Tracing
eROW
 DHCP fingerprinting
Sensor on the wired interface is listening for DHCP request
packets to determine if the Unknown or Rogue device is on the
wire.
 eROW
Passive
Rogue
Detection
Switch
tracing
via SNMP
ARP sweep the subnet, compare the list of MAC addresses
with the Unknown or Rogue list, +2/-2 of the wireless MAC
address.
 Switch tracing
Using SNMP, crawl switches looking for wireless MAC address
from Rogue and Unknown AP's. +2/-2 of the wireless MAC
address, if cant find via this method, we can also trace based
on connected stations MAC address.
35
COMPLETE SECURITY VISIBILITY
SCANNING ON ALL 200 EXTENDED CHANNELS FOR 5 GHZ
–36
FORENSIC CAPTURE
BETTER THAN BEING THERE
• The Challenge
– Security and performance event triggers
often require post inspection to
determine remediation
• Solution with Forensics
– Automatically capture Wi-Fi and
Spectrum forensic data in the
background
– Review packet level capture at exact
moment of trigger for deep forensic of
threat source
37
–37
3G/4G/LTE spectrum analysis
KEY FEATURES & BENEFITS
ALL UNIQUE
•
Detect unauthorized cell phone traffic
•
Ensure “no-wireless” zones
•
Enables users with zero-day Interference Intelligence to
detect/identify, classify & locate security threats due to
RF interference sources
•
Instant detection of cellular data/voice events
•
Capture & save, maintain forensic evidence
•
Monitor public safety DAS networks
INTERFERENCE INTELLIGENCE:
COMPLETION LAYER1 VIEW
• Detect unauthorized interference sources
that pose a high security risk for the
authorized defense/federal networks
- 3 Prong response: Detect, Classify & Locate
- Built-in classification of RF Jammers, CW devices
that could render networks unusable
- Classify any interference source with custom
signature capability
- Built-in locator tool to pin-point location
Built-in classification
database
Automated classification
• Detect unauthorized cell phones or cell
phone data/voice traffic
• Ensure “no-wireless zones”
- Data/Voice Events
 Visualize data/voice sessions in the selected band
 Get details on technology, carrier, power levels,
first/last seen time for every event
- Visualize cellular band activity to verify nowireless violations
Data/voice events
FORENSIC EVIDENCE
INFORMATION GATHERING
 Capture entire spectrum sessions
for replay and analysis
 Retain as hard evidence for postcapture forensic investigation and
analysis
Recording
Record capture sessions
Root cause analysis and
troubleshooting
REAL-TIME REMOTE WI-FI ANALYSIS
DIRECT CONNECT IN REAL-TIME
Local Site
Direct connect to
Sensor for Live
Remote AnalysisEssential for
Problem
Investigation
AME Servers in Data Center
HOT STANDBY
PRIMARY
Investigate WLAN
behavior in Real-time
Remote Site
Console running in NOC /
SOC or remotely
43
–43
REAL-TIME REMOTE TRUE SPECTRUM ANALYSIS
FULL DEDICATED SPECTRUM RADIO
•
•
•
•
for analysis and classification
Remote Spectrum interface for live troubleshooting
Covers 2.4GHz, 5GHz and 4.9GHz
19 classification alarms
44
–44
FULL PERFORMANCE ANALYSIS
PROVIDES ROOT CAUSE AND DESCRIBES ALL DETAILS
•
Overloaded Channels and Devices
– Bandwidth
– Association capacity
•
Configuration Problems
– Missing performance options
– Not supporting higher speeds
•
Co-existence problems
– 11n and a/b/g
– b/g protection mechanisms
– QoS
•
Traffic Problems
– Fragmentation
– Retries
•
RF and Interference
–45
BYOD CLASSIFICATION
VIEWING THE SMART DEVICES
Wireless Assurance
AUTOMATIC HEALTH CHECK BENEFITS
IDEA – SIMULATE A WIRELESS CLIENT
•
•
•
•
•
•
•
Perform pre-defined tasks
Collect metrics
Automate
Find out and react to the wireless problem before your users start calling
Generate alarms when thresholds aren’t met
Know exactly what the problem is before your users complain
Get detailed statistics for every step of the test
AUTOMATED HEALTH CHECK
TRENDING CHARTS
Trending Data for the following
• Connection Time
• Authentication Time
• DHCP Time
• Ping Time
• FTP Speed
• HTTPS Download speed
• HTTP Download speed
–49
AUTOMATED HEALTH CHECK
EXPORT TO EXCEL
•
•
•
•
Export your AHC trending data to excel
Exports Daily, Weekly and Monthly data
Automatically creates the excel charts
Exports the Raw data
–50
Reporting
MULTIPLE REPORTS
52
REPORTING
EVERYTHING IS AUTOMATED
53
REPORTING
SMART DEVICE LIST
3rd Party Integration
3RD PARTY INTEGRATION
MULTIPLE MECHANISMS TO PASS EVENT DATA TO EXISTING MONITORING
PLATFORMS



SNMP out (v1, v2 and v3) to popular NMS
platforms.
RDEP support for Cisco tools
Integration with SIM products (Arcsight, etc.)
Enterprises want wireless alerts integrated
into existing NOC / SOC processes and tools
AME Servers in Data Center
PRIMARY
HOT
STANDBY
SNMP
Syslog
Email
Custom
Issues if missing: No way to support existing NM operating procedures
56
COMPLEMENTARY VALUE OF AME
SUMMARY
• Real-time 24X7 pro-active troubleshooting AND security monitoring
•
•
•
•
•
•
•
solution
complementary to AP vendor solutions
Strong capability to secure mobil clients as well
Closes all GAP’s (security & troubleshooting)
smart device (mobile device) management with BYOD classification
AHC – active testing
Real end-user experience analysis
Root cause analysis and troubleshooting with build-in AirWise
intelligence
FLUKE NETWORKS
ONE-STOP SHOP FOR ALL NEEDS AND PAINS
WLAN
Infrastructure
vendors
Planning
WLAN
Infrastructure
vendors
24x7 Performance
& Security
Deployment
& Verification
Troubleshooting
& Interference
–58
THANK YOU 
Reiner Hofmann
EMEA Director Wireless/Airmagnet BU
Fluke Networks
Office: +49 7152 929 622
Mobil: +49 1520 9087448
[email protected]
Your Fluke Networks partner in Belgium (Benelux-region):
[email protected] for demo’s & more info.