AirTight Networks WIPS at Wireless Field Day 6 (WFD6)
by Hemant Chaskar
TRANSCRIPT
© 2014 AirTight Networks, Inc. All rights reserved. 1
AirTight WIPS (@AirTight)
#WFD6, Jan 29, 2014
Part 1: WIPS Product Demo, Rick Farina (@RickLikesWIPS)
Part 2: Technology Deep Dive, Hemant Chaskar (@CHemantC)
AirTight WIPS
§ Overlay WIPS or WIPS as part of AirTight APs
§ Best in the industry
§ Customer base of 1500+ enterprises including large/Fortune companies, Government & DoD
§ Extensive patent portfolio
WIPS Basics
§ WIPS addresses threat vectors orthogonal to WPA2
§ Offers protection for both
- Wired network (e.g. rogue APs), and
- Wireless clients/connections (e.g. Evil Twin)
§ Requires scanning all channels (not just managed AP channels)
- Dedicated & background scanning radios
WPA2 and WIPS
(Figure: BYOD)
Traditional Approach
§ User defined rules for classifying devices as managed, neighbor, rogue
§ Signature matching on packet fields to detect attack tools
§ Packet statistics based anomaly detection
§ Lots of alerts
§ Manual intervention driven reactive workflow
User Defined Rules Are No Match For The Wireless Environment
§ Requires cumbersome configuration of rules
§ Can’t keep up with dynamic wireless environment
User Defined Rules Are More Nuisance Than Help
§ Device alerts, false alarms, manual intervention to act on alerts
§ Fear of automatic prevention
Signature Matching On Packets Is False Alarm Prone
§ Not all attack tools have signatures
§ Signature fields in tools are modifiable
§ Signatures lag attack tools
§ Result: the signature matching approach creates abundant false positives and false negatives
Does anyone still think that (SSID) signatures are a good idea?
Packet Anomaly Detection On Unknown Thresholds
§ Inaccurate stats based on partial observation
- Scanning sensor
- RSSI limitations
§ It doesn't help to give threshold comparators when users don't know the right thresholds
- The right threshold catches real threats while avoiding false alarms
Changing the Status Quo
(Figure: Traditional Approach vs AirTight Approach; WIPS Compass)
Traditional vs AirTight
AirTight approach:
§ Out of box auto-classification into intrinsic categories
§ Proactive blocking of risky connections
§ Highly automated
§ Concise alerts
§ Reliable automatic prevention
Traditional approach:
§ Overhead of user defined rules for device categorization
§ Signatures & threshold anomaly detection
§ Constant manual intervention
§ Alert flood
§ Fear of automatic prevention
AP Auto-classification into Foundation Categories
§ No user configured rules (SSID, OUI, RSSI, …)
§ Runs 24x7
(Figure: All APs visible split into Managed APs (static part), which become Authorized APs, and Unmanaged APs (dynamic part), which become External APs or Rogue APs)
Marker Packets™ for Connectivity Detection
§ No reliance on managed switch infrastructure (CAM tables)
§ Prompt detection with localized operation for any network size
§ No false negatives: no "suspects" in the neighbor category (unlike wired and wireless MAC correlation)
§ No false positives: no "legal disclaimers" when automatically containing real rogues
(Figure: AirTight devices on the wired and wireless side)
Client Auto-classification
Newly discovered Client: Uncategorized
Connects to secure Authorized AP: Authorized Client
Connects to External AP: External Client
Connects to Rogue AP: Rogue Client
Additional ways to auto-classify Clients:
- Integration APIs with leading WLAN controllers to fetch the Authorized Clients list
- Import MAC addresses of Authorized Clients from a file
AirTight WIPS Security Policy
DETECT AND BLOCK RED PATHS!
(Figure: policy matrix of AP classification versus Client classification)
- AP classification: Authorized APs, Neighborhood APs, Rogue APs (On Network)
- Client classification: Authorized Clients, Neighborhood Clients, Rogue Clients
- Each cell of the matrix is marked GO, STOP or IGNORE
- Additional policy checks: Block Mis-config, Detect DoS
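The three slides above (AP auto-classification, Marker Packets for connectivity detection, client auto-classification and the red-path policy) describe one pipeline, so here is one worked example of it. This is an added illustration, not AirTight's code: the marker-packet mechanism is assumed to work by injecting a random nonce on the wired side and watching which BSSID re-emits it over the air, the policy matrix is my reading of the slide (STOP for anything touching a Rogue AP, an Authorized client on an External AP, or a misconfigured managed AP; GO for Authorized on Authorized; IGNORE for neighbor-on-neighbor), and all BSSIDs, client MACs and frames are constructed sample data.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Categories from the deck: APs are Authorized (managed inventory), External
# (unmanaged, not on our wire) or Rogue (unmanaged, bridged onto our wire);
# clients inherit the category of the AP they associate to.

@dataclass(frozen=True)
class AP:
    bssid: str
    ssid: str
    managed: bool = False   # in the managed-AP inventory (the "static part")
    secure: bool = True     # WPA2 enforced; False models an open/WEP misconfiguration

def make_marker() -> bytes:
    """Marker payload the wired sensor port injects onto the LAN (assumed design:
    a random nonce, so a match over the air is neither coincidence nor replay)."""
    return b"WIPS-MARKER:" + secrets.token_bytes(16)

def aps_on_wire(marker: bytes, air_frames: Iterable[Tuple[str, bytes]]) -> set:
    """BSSIDs that re-transmitted the wired marker over the air, i.e. APs bridging
    our LAN. No switch CAM-table lookup needed, only a sensor on each side."""
    return {bssid for bssid, payload in air_frames if marker in payload}

def classify_aps(aps: List[AP], marker: bytes,
                 air_frames: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    on_wire = aps_on_wire(marker, air_frames)
    classes = {}
    for ap in aps:
        if ap.managed:
            classes[ap.bssid] = "Authorized"
        elif ap.bssid in on_wire:
            classes[ap.bssid] = "Rogue"
        else:
            classes[ap.bssid] = "External"
    return classes

def classify_clients(associations: Dict[str, Optional[str]],
                     aps_by_bssid: Dict[str, AP], ap_classes: Dict[str, str],
                     authorized_macs: frozenset = frozenset()) -> Dict[str, str]:
    """associations maps client MAC -> BSSID it is associated to (None if only probing)."""
    out = {}
    for mac, bssid in associations.items():
        if mac in authorized_macs:            # controller API / imported list wins
            out[mac] = "Authorized"
        elif bssid is None or bssid not in ap_classes:
            out[mac] = "Uncategorized"        # newly discovered, no association seen
        elif ap_classes[bssid] == "Authorized" and not aps_by_bssid[bssid].secure:
            out[mac] = "Uncategorized"        # joined an open managed AP: nothing proven
        else:
            out[mac] = ap_classes[bssid]      # inherits Authorized / External / Rogue
    return out

def evaluate_policy(associations, aps_by_bssid, ap_classes, client_classes):
    """One verdict per live connection. Red paths (STOP) are my reading of the
    slide's matrix, not AirTight's exact rule set."""
    verdicts = []
    for mac, bssid in associations.items():
        if bssid is None or bssid not in ap_classes:
            continue
        ap_cls, cl_cls = ap_classes[bssid], client_classes[mac]
        if ap_cls == "Rogue":
            v = ("STOP", "rogue AP bridged to the wired network")
        elif ap_cls == "Authorized" and not aps_by_bssid[bssid].secure:
            v = ("STOP", "misconfigured managed AP (not WPA2)")
        elif ap_cls == "Authorized":
            v = ("GO", "authorized client on secure authorized AP")
        elif cl_cls == "Authorized":
            v = ("STOP", "authorized client mis-associated to external AP")
        else:
            v = ("IGNORE", "neighbor client on neighbor AP")
        verdicts.append((mac, bssid) + v)
    return verdicts

def run_demo():
    """Constructed scenario (sample data, not a real capture)."""
    aps = [AP("00:11:22:33:44:01", "corp", managed=True),
           AP("00:11:22:33:44:02", "corp-lab", managed=True, secure=False),
           AP("aa:bb:cc:dd:ee:01", "linksys"),       # home router plugged into the LAN
           AP("aa:bb:cc:dd:ee:02", "cafe-wifi")]     # across the street
    by_bssid = {ap.bssid: ap for ap in aps}
    marker = make_marker()
    # What the wireless sensor heard after the wired port sent the marker:
    air_frames = [("aa:bb:cc:dd:ee:01", b"\x08\x02" + b"\x00" * 22 + marker),
                  ("aa:bb:cc:dd:ee:02", b"\x08\x02" + b"\x00" * 22 + b"cafe traffic")]
    ap_classes = classify_aps(aps, marker, air_frames)
    assoc = {"c1": "00:11:22:33:44:01", "c2": "00:11:22:33:44:02",
             "c3": "aa:bb:cc:dd:ee:01", "c4": "aa:bb:cc:dd:ee:02",
             "c5": "aa:bb:cc:dd:ee:02", "c6": None}
    client_classes = classify_clients(assoc, by_bssid, ap_classes, frozenset({"c5"}))
    return ap_classes, client_classes, evaluate_policy(assoc, by_bssid, ap_classes, client_classes)

if __name__ == "__main__":
    for row in run_demo()[2]:
        print(*row)
```

Note that the marker check is what separates a Rogue from an External AP: the "linksys" router is only a rogue because the wired nonce came back over the air from its BSSID; a neighbor's AP with the same SSID and OUI would stay External, which is the point of not classifying on SSID or OUI rules.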
Reliable prevention
§ One size doesn't fit all
• There are many permutations & combinations of connection type and Wi-Fi interface hw/sw
§ Bag of tricks for comprehensive prevention
• Deauth, timed deauth, client chasing, ARP manipulation, cell splitting, wireless side, wired side
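The first item in that bag of tricks, deauthentication, is a plain 802.11 management frame, and the same frame is what a WIPS must also recognise when an attacker floods it (the "Detect DoS" check on the policy slide). The example below, added here and not taken from AirTight's product, builds a deauth frame byte for byte, parses it back, and runs a sliding-window flood detector over a constructed capture. The window and threshold values are assumptions, exactly the kind of knob the deck says users rarely know how to set; the MAC addresses and timestamps are made up.

```python
import struct
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

MGMT = 0                      # 802.11 frame type: management
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
REASON_CLASS3_NONASSOC = 7    # "class 3 frame received from non-associated STA"
BROADCAST = "ff:ff:ff:ff:ff:ff"
HDR = "<HH6s6s6sH"            # frame control, duration, addr1, addr2, addr3, seq-ctrl = 24 bytes

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_deauth(dst: str, bssid: str, reason: int = REASON_CLASS3_NONASSOC,
                 seq: int = 0) -> bytes:
    """Deauthentication frame as sent by (or spoofed from) an AP: addr2 == addr3 == BSSID.
    Frame control 0x00c0 = version 0, type 0 (mgmt), subtype 12; body is a 16-bit reason."""
    fc = (SUBTYPE_DEAUTH << 4) | (MGMT << 2)
    header = struct.pack(HDR, fc, 0, _mac(dst), _mac(bssid), _mac(bssid), seq << 4)
    return header + struct.pack("<H", reason)

def parse_mgmt(frame: bytes) -> dict:
    """Decode the 24-byte MAC header; for deauth/disassoc also the reason code."""
    fc, _dur, a1, a2, a3, seq = struct.unpack_from(HDR, frame, 0)
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "dst": _mac_str(a1), "src": _mac_str(a2), "bssid": _mac_str(a3),
            "seq": seq >> 4}
    if (info["type"] == MGMT and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)
            and len(frame) >= 26):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info

def detect_deauth_flood(capture: Iterable[Tuple[float, bytes]], window: float = 1.0,
                        threshold: int = 20) -> Dict[str, float]:
    """Flag a BSSID once `threshold` deauth/disassoc frames naming it fall inside any
    `window`-second span. Returns bssid -> timestamp of the first alert.
    window/threshold are assumed starting values, not tuned numbers."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, float] = {}
    for ts, raw in sorted(capture, key=lambda f: f[0]):
        p = parse_mgmt(raw)
        if p["type"] != MGMT or p["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        q = recent[p["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:      # drop frames that left the window
            q.popleft()
        if len(q) >= threshold and p["bssid"] not in alerts:
            alerts[p["bssid"]] = ts
    return alerts

def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: a broadcast deauth burst against one BSSID plus three
    ordinary deauths from another AP spread over several seconds. Not real traffic."""
    victim, quiet, client = "00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:ff"
    frames = [(i * 0.01, build_deauth(BROADCAST, victim, seq=i)) for i in range(40)]
    frames += [(t, build_deauth(client, quiet, seq=i)) for i, t in enumerate((0.5, 3.0, 7.5))]
    return frames

if __name__ == "__main__":
    print(parse_mgmt(build_deauth("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:01")))
    print(detect_deauth_flood(sample_capture()))
```

A containment system sends exactly these frames, just aimed at the rogue's clients, which is why "fear of automatic prevention" is rational until the classification behind it is reliable: a deauth against the wrong BSSID is indistinguishable on the air from the attack the detector above is looking for.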
Accurate Location Tracking
§ Stochastic triangulation: a maximum likelihood estimation based technique
§ No need for RF site survey
§ No search squads to locate Wi-Fi devices
§ 15 ft accuracy in most environments
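To make "maximum likelihood estimation" concrete, here is an added example of RSSI-based localization written for this page; it is not AirTight's algorithm. It assumes a log-distance path-loss model with Gaussian shadowing (the calibration constants, the indoor exponent of 3 and the 4 dB shadowing are assumptions), so the negative log-likelihood of a candidate position is a scaled sum of squared RSSI residuals, and the estimate is the grid point on the floor plan that minimises it. The uncertainty radius shows what "accuracy in most environments" depends on: with poorly placed sensors the likelihood surface is flat and the radius grows. Sensor positions and the device position are constructed.

```python
import math
import random
from typing import List, Tuple

Point = Tuple[float, float]

# Log-distance path-loss model, distances in feet (assumed calibration):
RSSI_AT_1FT = -30.0   # dBm expected 1 ft from the transmitter
PATH_LOSS_N = 3.0     # indoor exponent; 2.0 would be free space
SHADOW_SIGMA = 4.0    # dB standard deviation of log-normal shadowing

def expected_rssi(sensor: Point, target: Point) -> float:
    d = max(1.0, math.dist(sensor, target))     # clamp so log10 never sees 0
    return RSSI_AT_1FT - 10.0 * PATH_LOSS_N * math.log10(d)

def neg_log_likelihood(target: Point, readings: List[Tuple[Point, float]]) -> float:
    """Gaussian shadowing makes the NLL (up to a constant) a scaled sum of squared residuals."""
    return sum((rssi - expected_rssi(s, target)) ** 2
               for s, rssi in readings) / (2 * SHADOW_SIGMA ** 2)

def locate(readings: List[Tuple[Point, float]], width: float, height: float,
           step: float = 1.0) -> Tuple[Point, float]:
    """Maximum-likelihood position: the grid point on the floor plan with minimum NLL."""
    best, best_nll = (0.0, 0.0), math.inf
    for j in range(int(height / step) + 1):
        for i in range(int(width / step) + 1):
            p = (i * step, j * step)
            nll = neg_log_likelihood(p, readings)
            if nll < best_nll:
                best, best_nll = p, nll
    return best, best_nll

def uncertainty_radius(readings, best: Point, best_nll: float, width: float,
                       height: float, step: float = 1.0, delta: float = 3.0) -> float:
    """Radius of the region whose NLL is within `delta` of the optimum (delta = 3.0 is
    chi-square with 2 dof at 95%, halved). A large radius means the sensors cannot
    pin the device down, whatever the point estimate says."""
    r = 0.0
    for j in range(int(height / step) + 1):
        for i in range(int(width / step) + 1):
            p = (i * step, j * step)
            if neg_log_likelihood(p, readings) <= best_nll + delta:
                r = max(r, math.dist(p, best))
    return r

def simulate_readings(sensors: List[Point], true_pos: Point,
                      rng: random.Random = None) -> List[Tuple[Point, float]]:
    """Constructed measurements: model RSSI per sensor, plus shadowing noise if rng given."""
    return [(s, expected_rssi(s, true_pos) + (rng.gauss(0.0, SHADOW_SIGMA) if rng else 0.0))
            for s in sensors]

if __name__ == "__main__":
    sensors = [(0.0, 0.0), (120.0, 0.0), (0.0, 80.0), (120.0, 80.0)]   # 4 corners of a floor
    truth = (37.0, 62.0)
    readings = simulate_readings(sensors, truth, random.Random(7))
    est, nll = locate(readings, 120, 80)
    radius = uncertainty_radius(readings, est, nll, 120, 80)
    print(f"estimate={est} error={math.dist(est, truth):.1f} ft radius={radius:.1f} ft")
```

The grid search is deliberate: the likelihood surface for RSSI ranging is multimodal near walls and sensors, and a gradient method started from the wrong corner converges to the wrong mode, while a 1 ft grid over a floor is only a few thousand evaluations. Two sensors leave a mirror ambiguity across the line joining them, which is why the slide's accuracy figure presupposes enough sensors in view.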
Why AirTight WIPS?
§ Automatic Device Classification
§ Reliable Threat Prevention
§ Accurate Location Tracking
§ Detailed Compliance Reporting
§ Ease of Operation & Lowest TCO
§ Cloud Managed or Onsite