considerations for a secure enterprise wlan data connectors 2013
DESCRIPTION
Considerations for a Secure Enterprise WLAN - DataConnectors 2013 by Kaustubh PhanseTRANSCRIPT
© 2013 AirTight Networks, Inc. All rights reserved.
Considerations for a Secure Enterprise WLAN
Kaustubh Phanse, Ph.D. Chief Wireless Architect & Evangelist AirTight Networks
© 2013 AirTight Networks, Inc. All rights reserved.
(Re)Considering Wireless Security
2
We don’t have “that” problem because… A “No Wi-Fi” policy without enforcement
What does not work?
© 2013 AirTight Networks, Inc. All rights reserved.
Managing the “Unmanaged”
3
WPA2/802.1x cannot prevent unauthorized devices from accessing the enterprise network
© 2013 AirTight Networks, Inc. All rights reserved.
Managing the “Unmanaged”
4
© 2013 AirTight Networks, Inc. All rights reserved.
BYOD Survey Results
5
11%
20%
69% 16%
34%
50%
Do you see an increasing trend of employees bringing Rogue Wi-Fi APs?
Are you concerned about employees using mobile hotspots to bypass corporate policies?
© 2013 AirTight Networks, Inc. All rights reserved.
Wireless Intrusion Prevention System (WIPS)
6
Automatic Device Classification
Comprehensive Threat Coverage
Reliable Threat Prevention
Accurate Location Tracking
BYOD Policy Enforcement
© 2013 AirTight Networks, Inc. All rights reserved.
Automatic Device Classification
7
Rogue External
Authorized
Rogue AP? (High RSSI)
Rogue AP? (SSIDs)
Undetected Rogue APs
Rogue AP? (Vendor)
Rogue AP (on wire)
© 2013 AirTight Networks, Inc. All rights reserved.
Signature-based Approach = False Alarms!
8
© 2013 AirTight Networks, Inc. All rights reserved.
Blueprint for Reliable Threat Prevention
9
§ Surgical threat prevention without interfering with legitimate communication (yours or your neighbor’s)
§ Simultaneous prevention of multiple threats across multiple channels
External APs
Rogue APs (On Network)
Authorized APs
AP Classifica?on
STOP
Client Classifica?on Policy Mis-‐config
GO
STOP
IGNORE
DoS
External Clients
Authorized Clients
Rogue Clients
© 2013 AirTight Networks, Inc. All rights reserved.
What Good is a Feature that Cannot be Turned On?
10
Many WLAN vendors offering “so-called WIPS” recommend their customers to NOT turn on automatic threat prevention!
© 2013 AirTight Networks, Inc. All rights reserved.
Comprehensive Threat Coverage
11
True WIPS Approach Protects against the fundamental wireless threat building blocks
Prevalent WIDS Approach Cat and mouse chase of exploits, tools and signatures
© 2013 AirTight Networks, Inc. All rights reserved.
Signature-based Approach = False Alarms!
12
© 2013 AirTight Networks, Inc. All rights reserved.
Accurate Location Tracking
13
No need for RF site survey No search squads to locate Wi-Fi devices Definitive location tracking within 10-15 ft.
© 2013 AirTight Networks, Inc. All rights reserved.
BYOD Policy Enforcement
14
§ MDM and NAC unable to provide the first line of defense
§ WIPS complements these solutions to fully automate secure BYOD
© 2013 AirTight Networks, Inc. All rights reserved.
WIPS Architectures
15
§ Integrated • APs repurposed as sensors • Background scanning and minimal protection • Cannot co-exist with time-sensitive apps, e.g., VoIP
§ Overlay • Dedicated sensors on top of existing WLAN • 24/7 monitoring and protection
§ Combo • APs repurposed as sensors • 24/7 monitoring and protection • Able to support all types of apps, including VoIP
Wi-‐Fi AP with background scanning
2.4 GHZ
5 GHz
2.4 GHZ
5 GHz
2.4 GHZ
5 GHz
Wi-‐Fi AP WIPS Sensor
Wi-‐Fi AP with Concurrent WIPS sensor
2.4 / 5 GHZ
2.4 + 5 GHZ
© 2013 AirTight Networks, Inc. All rights reserved.
AT-C60: Industry’s Most Flexible Wi-Fi Platform
16
§ Software-defined, band-unlocked radios – an industry first
§ Concurrent Wi-Fi access and 24/7 WIPS – an industry first
© 2013 AirTight Networks, Inc. All rights reserved.
AirTight Wi-Fi – Key Features
17
Built-in WIPS, Content Filtering, Firewall and BYOD Onboarding
Support for Multiple SSIDs & VLANs, QoS and Traffic Shaping
High speed 802.11n access incl. 3x3:3 on 802.3af PoE
Guest Wi-Fi access with Captive Portal and Walled Garden
Centralized Management from single HTML5 console
Social Wi-Fi and Analytics for Business Intelligence
!
© 2013 AirTight Networks, Inc. All rights reserved.
AirTight WIPS – Key Features
18
Automatic Device Classification
Comprehensive Threat Coverage
Reliable Threat Prevention
Accurate Location Tracking
BYOD Policy Enforcement
© 2013 AirTight Networks, Inc. All rights reserved.
Secure Enterprise WLAN Checklist
19
ü Accurately detect all types of Rogue APs without you having to define any signatures?
ü Not flood you with false alerts?
ü Let you reliably turn on the P in WIPS?
ü Automate BYOD policy enforcement and onboarding?
ü Accurately track physical location of detected Wi-Fi devices?
ü Do all of the above without compromising on Wi-Fi access features and ripping off your IT budget?
Can your enterprise WLAN solution:
© 2013 AirTight Networks, Inc. All rights reserved.
Thank You!
20
Cloud Managed Secure Wi-Fi Solutions
www.airtightnetworks.com [email protected] @AirTight +1 877 424 7844
US DoD Approved