A MULTI-LAYER SECURITY FRAMEWORK FOR WIRELESS LANS

Defining the Requirements for Third-Generation Wireless LAN Security from Location to Application

April 2004 White Paper


Introduction

Security is the Foundation for Pervasive Wireless

To date, IT managers have been forced to sacrifice key requirements to confidently and securely deploy WLANs. Deploying a pervasive WLAN requires IT managers to consider the unique requirements of securing the RF medium, controlling network access and protecting applications and data, all the while ensuring reliable wireless service with a low cost of ownership. Add to those challenges the complexity of managing thousands of mobile clients and the resource drain on already-strapped IT departments, and the result is a cost-conscious company’s worst nightmare.

Architecting a secure, pervasive WLAN has just gotten easier. Wi-Fi infrastructure designed by Meru Networks implements the industry’s most comprehensive wireless security—a unique multi-layered approach to wireless security from location to application. Additionally, Meru Networks’ fortified wireless security enables organizations to more easily comply with government privacy regulations.

A Triple Play of Wireless Security Hurdles

A WLAN solution must overcome three critical security challenges before enterprise IT managers should consider it for pervasive deployment.

RF signals scatter everywhere. RF is not constrained by physical space. The signals bounce around the building, penetrate walls and floors and spill into parking lots or neighboring businesses. In contrast, a wired network is neatly contained within the building walls and access to it is secured by physical presence.

Every mobile client is a potential entry point into the WLAN. By the very nature of Radio Frequency (RF), wireless networks have a large perimeter with exponentially more entry points to protect than wired networks. To effectively protect an infinite number of entry points, the IT industry needs a new way of thinking about security systems when implementing WLANs.

Choose your sacrifice: Trade-offs among wireless security and service reliability, performance or quality of service (QoS). Until now, strong security has meant sacrificing wireless service reliability, predictable performance or the ability to support both data and real-time applications such as voice on the same WLAN infrastructure. Now, going mobile does not have to mean giving up security, reliability, performance or quality of service.

Removing Wireless Security Roadblocks

To meet the challenges unique to WLANs, IT managers must thoroughly examine their total security architecture and WLAN deployment goals. Once you establish a framework for your WLAN security architecture, you can evaluate different approaches within the framework and assess whether they can deliver a cost-effective, easily manageable, highly reliable WLAN solution while providing comprehensive security.


The key questions to ask include:

Who’s inside your security perimeter? With RF, walls, doors, locks and physical guards no longer define your physical security perimeter. Comprehensive protection is predicated on controlling access by physical location as well as by traditional Layer 2 and Layer 3 authentication and encryption mechanisms. You must define your security perimeter and authorize access by physical location.

Is the RF secured? Consider how you will protect the RF medium at Layer 1. Rogue access points (APs) can insert security vulnerabilities. Rogue APs can be placed maliciously by hackers or innocently by unsuspecting employees for their personal use.

Is the WLAN protected from application-level attacks, such as worms, viruses and distributed denial of service (DoS), before the attacks reach the corporate assets? IT must create a wireless network that can recognize and halt an attack that a user may not even be aware their computer is executing. Because worms and viruses cost businesses billions of dollars in lost productivity, IT must provide application and content security at Layers 4-7 with tools such as application-level firewalls, intrusion detection and prevention and anti-virus.

Can WLAN security mechanisms be efficiently implemented at large enterprises? A pervasive WLAN must deliver enterprise scale with a low cost of ownership. If the IT department must install new software on wireless clients or if users must change their behavior to access the WLAN, it will escalate training and administrative costs. The WLAN security solution choice has a fundamental impact on the cost of ownership from initial installation to ongoing operations.

Does the WLAN solution deliver reliable wireless service and maintain client connectivity? Can users reliably move from AP to AP and from subnet to subnet while maintaining their secure wireless service? Can multiple types of applications, including data and voice with its associated QoS, be delivered over the same infrastructure to maximize ROI?


Meru Delivers Comprehensive Security

Meru Networks’ security framework delivers comprehensive protection from physical location through to the applications and content. With Meru, strong security does not compromise requirements for connectivity, service reliability or QoS on the WLAN infrastructure. Let’s examine the challenges for wireless security at each layer and Meru’s innovative solution.


[Figure: Meru's Multi-Layer Security. Layer 0: Physical, Location Based Access; Layer 1: Rogue Detection and Suppression; Layer 2: 802.1x, WPA; Layer 3: IPSec, VPN; Layer 4-7: Protect the New Perimeter (Intrusion, Virus, Content, Firewall, Apps); Enterprise Assets.]

Meru Networks provides comprehensive protection from physical location through to applications and content. With Meru, strong security does not compromise requirements for connectivity, service reliability or quality of service on the WLAN infrastructure.

Layer 0: Physical Location

The Challenge: The most basic physical security for a wired network is the building itself. With wireless, it is as if the WAN connections and Ethernet jacks have moved outside the building walls.

An infinite number of entry points exist. Users can access the RF if they are within the coverage area. Doors, locks, cameras, walls, and physical guards no longer define "security." Non-employees’ wireless devices may associate with your corporate WLAN and employees’ mobile devices may inadvertently associate with APs beyond your corporate boundaries. The ability to control users’ access to the WLAN by physical location is critical.

The Solution: Meru Networks uses innovative location-based access policies to govern access to the WLAN. Meru has created a platform that provides the ability to define access policies to the WLAN based on users’ physical locations and their identities. Access policies apply to all higher layers of Meru’s security framework, including access to the RF spectrum, authentication and encryption, VPN and application and content.


With Meru’s location-based access policies, the IT manager sets up different "zones" and then grants users access by these zones, such as "the first floor" or "finance department." With Meru, IT may refuse wireless access to any user outside the building perimeter, shutting down the concern that an attacker could sit in the company parking lot and steal intellectual property.

[Figure: Location-Based Security. Meru Controller and Meru APs inside the building perimeter serving a handheld client; no access from outside the perimeter. Threats pictured: denial of service attack, ad hoc mode, rogue AP, unknown AP, MAC spoofing.]

With wireless, an infinite number of entry points exist. Doors, locks, cameras, walls and physical guards no longer define "security." Meru has created a platform that provides the ability to define access policies to the WLAN based on users’ physical locations and their identities.
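As an added illustration (not Meru's code; the paper does not describe how its controller represents zones), the following Python models the Layer 0 policy described above: rectangular zones on a constructed floor plan, a default deny for any position outside every zone, and rules that combine a user's group with the zone they are located in to hand a profile to the higher layers. The client position is assumed to be supplied by the infrastructure's location estimate; zone, group and profile names are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed floor plan in metres. Zones are axis-aligned rectangles
# (x_min, y_min, x_max, y_max); a position inside no zone is treated as
# outside the building perimeter (parking lot, neighbouring business).
ZONES: Dict[str, Tuple[float, float, float, float]] = {
    "first-floor":  (0.0, 0.0, 60.0, 40.0),
    "finance":      (40.0, 0.0, 60.0, 20.0),   # sub-area of the first floor
    "second-floor": (0.0, 50.0, 60.0, 90.0),
}

# Policy rules: (user group, zone, profile handed to the higher layers).
# Profile names are hypothetical placeholders for the VLAN/VPN/application
# profile a controller would apply; they are not Meru's names.
RULES: List[Tuple[str, str, str]] = [
    ("finance",  "finance",      "finance-vpn-required"),
    ("employee", "first-floor",  "corp-data"),
    ("employee", "second-floor", "corp-data"),
    ("visitor",  "first-floor",  "guest-internet-only"),
]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    zones: Tuple[str, ...]      # zones containing the client, most specific first
    profile: Optional[str]      # higher-layer profile granted, if any
    reason: str


def _area(rect: Tuple[float, float, float, float]) -> float:
    x0, y0, x1, y1 = rect
    return (x1 - x0) * (y1 - y0)


def locate(x: float, y: float) -> Tuple[str, ...]:
    """Return every zone whose rectangle contains (x, y), smallest area first,
    so a sub-area such as "finance" is preferred over its enclosing floor."""
    hits = [name for name, (x0, y0, x1, y1) in ZONES.items()
            if x0 <= x <= x1 and y0 <= y <= y1]
    return tuple(sorted(hits, key=lambda n: _area(ZONES[n])))


def decide(groups: Tuple[str, ...], x: float, y: float) -> Decision:
    """Combine identity (group membership) with the client's estimated
    position. Default deny: no matching (group, zone) rule means no access."""
    zones = locate(x, y)
    if not zones:
        return Decision(False, zones, None, "outside perimeter")
    for zone in zones:                  # most specific zone wins
        for group, rule_zone, profile in RULES:
            if rule_zone == zone and group in groups:
                return Decision(True, zones, profile, f"rule ({group}, {zone})")
    return Decision(False, zones, None,
                    f"no rule for {sorted(groups)} in {zones[0]}")


if __name__ == "__main__":
    print(decide(("employee",), 70.0, 10.0))   # parking lot -> denied
    print(decide(("finance",), 50.0, 10.0))    # finance area -> finance profile
    print(decide(("visitor",), 10.0, 60.0))    # visitor upstairs -> denied
```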

Layer 1: Detection and Protection of RF Spectrum

The Challenge: Don’t underestimate rogues. Rogues receive more than their share of media attention, but you don’t want to be the company that has had a security breach because of a rogue attack.

A rogue is an unauthorized AP or user who has penetrated the RF space. An attacker may engage in surveillance, launch a man-in-the-middle attack, spoof MAC addresses or engage in other nefarious behavior. A rogue may be plugged into the wired side of the network or it may exist within the RF environment.

While rogues are typically thought of as malicious attackers, employees can inadvertently open up security holes simply by plugging inexpensive, consumer-grade APs into the Ethernet jacks in their cubicles. Even easier, they can set up their wireless laptops in ad-hoc mode, so they can communicate as peers with other wireless notebooks and handhelds.

Today’s rogue detection and suppression solutions are inadequate. One proffered solution is to install an overlay set of APs dedicated to detecting unapproved APs and users; however, this approach literally doubles your cost of ownership, as your company now has one set of APs for production traffic and a second set of APs for rogue detection.


A more cost-effective yet incomplete approach is for the APs to periodically scan the RF channels to detect unapproved users or APs. However, rogues can "hide" if the APs don’t scan across all channels. If the APs do scan all channels, user communications with the AP will be interrupted for the duration of the scan. This approach forces you to trade off security and service reliability, which is a no-win situation.

The Solution: Meru Networks delivers third-generation rogue detection and suppression. Meru’s WLAN Radar provides continuous monitoring and wireless service on the same AP hardware, delivering a cost-effective and complete solution.

WLAN Radar leverages Meru’s Virtual AP architecture to provide continuous RF service even during scans. With WLAN Radar, Meru APs rotate the task of monitoring for rogues. In turn, an AP transparently hands off its clients to a nearby AP, performs a scan across all RF channels and then takes back its clients. With Meru’s Virtual AP architecture, there is no service disruption and even real-time applications like voice are not affected. With Meru, there are no tradeoffs between security and service delivery.

WLAN Radar correlates and compares the RF data against the deployment plan. It identifies known Meru and third-party APs so you can distinguish your APs from the neighboring businesses’ APs. If WLAN Radar detects an unknown or rogue AP or user, the Meru System Director alerts the IT manager via the central console. Under administrative control, the IT manager can suppress rogue APs, preventing them from creating a security breach.
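As an added example, not Meru's implementation, the following Python models the WLAN Radar turn described above and the comparison against the deployment plan: the scanning AP parks its clients on a neighbour, sweeps every channel, takes them back, and reports only BSSIDs that are neither in the deployment plan nor on the known third-party list. Channels, BSSIDs, AP names and client names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed RF environment: the BSSIDs a scanning radio hears per channel.
# All addresses are made-up locally administered values.
CHANNELS = (1, 6, 11)
OBSERVED: Dict[int, Set[str]] = {
    1:  {"02:00:00:00:00:01", "02:00:00:00:00:99"},   # ...:99 is in no plan
    6:  {"02:00:00:00:00:02"},
    11: {"02:00:00:00:00:03", "06:aa:bb:cc:dd:ee"},
}
# Deployment plan (our own APs) and third-party APs already identified as a
# neighbouring business, so they are not re-reported on every sweep.
DEPLOYMENT_PLAN: Dict[str, str] = {
    "02:00:00:00:00:01": "AP-1",
    "02:00:00:00:00:02": "AP-2",
    "02:00:00:00:00:03": "AP-3",
}
KNOWN_THIRD_PARTY: Dict[str, str] = {"06:aa:bb:cc:dd:ee": "neighbouring business"}


@dataclass
class AP:
    name: str
    neighbor: str                      # AP that serves the clients during a scan
    clients: Set[str] = field(default_factory=set)


def classify(bssid: str) -> str:
    if bssid in DEPLOYMENT_PLAN:
        return "own"
    if bssid in KNOWN_THIRD_PARTY:
        return "neighbor"
    return "unknown"                   # raise an alert on the central console


def served_clients(aps: Dict[str, AP]) -> Set[str]:
    return set().union(*(ap.clients for ap in aps.values()))


def scan_with_handoff(aps: Dict[str, AP], scanner: str, all_clients: Set[str]) -> List[str]:
    """One WLAN Radar turn: hand the scanner's clients to its neighbour, sweep
    every channel, take the clients back. Returns BSSIDs needing an alert and
    raises if any client would be left without a serving AP during the sweep."""
    me, helper = aps[scanner], aps[aps[scanner].neighbor]
    parked = set(me.clients) - helper.clients
    helper.clients |= parked           # hand off
    me.clients.clear()
    alerts: List[str] = []
    for ch in CHANNELS:                # full sweep, not a single-channel peek
        if served_clients(aps) != all_clients:
            raise RuntimeError(f"client lost service during scan on ch {ch}")
        alerts += [b for b in sorted(OBSERVED.get(ch, set())) if classify(b) == "unknown"]
    helper.clients -= parked           # take back
    me.clients |= parked
    return alerts


def run_rotation(aps: Dict[str, AP]) -> Dict[str, List[str]]:
    """Every AP takes one scanning turn; maps AP name to the unknown BSSIDs it
    reported (the same rogue seen by several APs is expected and harmless)."""
    all_clients = served_clients(aps)
    report = {name: scan_with_handoff(aps, name, all_clients) for name in aps}
    assert served_clients(aps) == all_clients   # everyone back where they started
    return report


def demo_aps() -> Dict[str, AP]:
    return {
        "AP-1": AP("AP-1", "AP-2", {"laptop-a", "phone-1"}),
        "AP-2": AP("AP-2", "AP-3", {"laptop-b"}),
        "AP-3": AP("AP-3", "AP-1", {"phone-2"}),
    }


if __name__ == "__main__":
    print(run_rotation(demo_aps()))
```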

Layer 2: 802.1x Authentication

The Challenge: Authentication and encryption are fundamental forms of security, protecting network access and ensuring data privacy. Meru Networks supports the full range of industry-standard authentication and encryption options, enabling organizations to choose the most suitable methods for their business and risk profile.

The Solution: Meru Networks fully supports IEEE 802.1x with various Extensible Authentication Protocol (EAP) types including Message Digest 5 (MD5), Transport Layer Security (TLS), Tunneled TLS (TTLS), Protected EAP (PEAP), MS-CHAP v2, and Lightweight EAP (LEAP). Meru also supports MAC-based authentication, which is commonly used by VoIP phones and other lightweight clients. Whether you’re a Microsoft shop and favor PEAP or you prefer two-factor authentication and want EAP-TLS or a different EAP method, Meru supports your authentication needs.

For encryption, Meru Networks supports dynamic Wired Equivalent Privacy (WEP) and Temporal Key Integrity Protocol (TKIP). Dynamic WEP does not require client changes and solves many of the well-known problems of static WEP. TKIP protects against forgeries and provides stronger encryption. TKIP changes the encryption key with every packet, eliminating the possibility that an attacker can decipher the encryption key. Meru has support for Advanced Encryption Standard (AES), the strongest exportable encryption, built into the hardware. AES functionality will be available as the standards are adopted and clients become available.


Layer 3: Zero-Configuration VPNs

The Challenge: Customers adopt wireless VPNs for three primary reasons. First, because of security concerns, many companies do not want APs in the trusted domain, so they establish that trust via a VPN tunnel between the client and a VPN server within their network infrastructure. Second, companies use IPSec VPNs to ensure data privacy and protection to comply with privacy and security requirements such as the Health Insurance Portability and Accountability Act (HIPAA). Third, not all client devices support 802.1x, so authentication and encryption are performed at Layer 3 instead of Layer 2.

Applying the wired VPN model to wireless VPNs requires overcoming a triad of additional hurdles: larger scale of VPN users, service reliability and the ability to support multiple classes of service. To date, enterprises adopting wireless VPNs have had to forego one or all three of these requirements.

Wired VPNs were never intended to support thousands of users roaming across a corporate campus; they were developed so a handful of remote users could dial back to corporate headquarters. A central VPN server quickly becomes a performance bottleneck when there are hundreds or thousands of wireless clients. Additionally, installing and managing VPN client software on a large number of clients incurs a significant IT cost.

Wireless VPNs must provide consistent, reliable service. Because of long hand-off times as clients roam between APs in a WLAN, VPN connections can be terminated, causing unreliable service.

Using VPNs negates the use of QoS and thus VoIP and other real-time applications. Because VPN communications are encrypted, enforcing traffic priorities over the air is not possible in today’s solutions.

The Solution: Meru’s Zero-Config Wireless VPN delivers enterprise scale, reliable service and multiple classes of service.

Meru’s wireless VPN solution addresses the key challenges of providing wireless VPNs. Meru does not require a pre-installed client, so organizations gain the protection of IPSec VPNs without the additional burden of distributing and managing client software. Wireless clients dynamically download the Zero-Config VPN client from the Meru Controller. A hot-standby client automatically discovers the Meru-based WLAN and launches a user login page. Meru uses Secure Sockets Layer (SSL) for the initial secure, per-user authentication and distribution of IPSec pre-shared keys before any user data is transmitted. This approach lowers the administrative burden and does not incur any additional user training costs.


Because VPNs are terminated in the Meru Controller, Meru Networks meets the scalability requirement that most VPNs fail. Terminating the VPNs at the edge removes a centralized VPN server’s chokehold on network performance. The Meru Controller provides hardware acceleration for VPNs, ensuring scalability even with thousands of users. Meru Networks also supports VPN pass-through for third-party VPNs between clients and a VPN server.

Meru delivers reliable wireless service. Meru’s Virtual AP architecture ensures zero-loss hand-off so it does not drop connections as clients roam between APs or subnets. VPN tunnels are maintained and you don’t have to worry about re-associating and re-authenticating clients.

Meru is uniquely capable of differentiating between flows in an encrypted IPSec tunnel and providing the appropriate QoS for different flows, thereby maintaining the over-the-air QoS that is required to support multiple classes of service. A single WLAN infrastructure can be used to deliver a full suite of applications including voice, video and data. With over-the-air QoS, Meru automatically detects traffic types to apply QoS policies by application, user, system or flow.

Layer 4-7: Unified Security

The Challenge: Since mobile clients can travel and connect to hotspots and different networks, every mobile client becomes an entry point into the network.

With an infinite number of entry points, a WLAN solution must provide comprehensive and adaptive protection against multiple types of security breaches and attacks at the wireless edge. Protecting networks and applications against viruses, worms, DDoS and other network attacks at one location in the enterprise is simply inadequate. However, placing multiple point products for different protection elements, including intrusion detection and prevention systems (IDS/IPS), firewall, virus scanning and application-layer security, at many, many points in the wireless edge is too complex to be considered cost-effective or scalable.

A unified security approach providing comprehensive Layer 4-7 security must be provided at wireless edge aggregation points, where the WLAN connects to the network core.

The Solution: Meru Networks delivers comprehensive content and application security. The Unified Security Module, which is integrated into the Meru Controller, delivers real-time application and content protection.

With single-pass inspection, Unified Security provides anti-virus, deep-inspection firewall, network IDS/IPS, DDoS protection and attack mitigation, protecting connections between the wireless and wired networks. Meru’s Unified Security sets up a secure sandbox from the WLAN, isolating it from the wired network.


Unified Security delivers a coordinated and correlated response to attacks. By capturing and correlating attack data, it accurately detects, evaluates and eliminates intrusions and other threats before they breach the WLAN. Single-pass inspection does not add latency, ensuring reliable service for VoIP. Unified Security constantly adapts to new threats, enabling IT staffs to mitigate the ever-changing threats that face networks today.

With Unified Security, IT managers gain centralized control over the enterprise wireless security, increasing operational efficiency. IT managers set all enterprise policies, user access controls, security controls and virus updates from a central console. Technicians do not have to be dispatched to troubleshoot problems or even update software in WLAN devices in remote locations.


[Figure: Layer 4-7 Security. The Meru Controller sits between the corporate network and the protected WLAN of Meru APs, providing intrusion detection/prevention, content filtering, anti-virus, firewall, and IPSec VPNs + QoS.]

Protecting applications and networks against viruses, worms, distributed DoS and other network attacks at a single location in the enterprise is simply inadequate for wireless. Comprehensive Layer 4-7 security must be provided at wireless edge aggregation points, where the WLAN connects to the network core.


Complying with Healthcare and Government Privacy Regulations

Meru Networks’ advanced security measures enable organizations to comply with privacy regulations such as HIPAA.

HIPAA: Electronic patient records on tablet PCs, wireless access to drug-interaction databases and VoIP communicators are becoming commonplace in healthcare. Wireless keeps healthcare workers connected to their information resources while increasing the quality of patient care.

Healthcare organizations must ensure that their WLANs follow HIPAA security guidelines. Although HIPAA does not specify particular technical standards, IT organizations must consider HIPAA’s requirements for administrative procedures, physical safeguards, technical security and electronic signatures.

Meru’s security framework enables IT organizations to rapidly address HIPAA compliance. Defining WLAN access policies and physical safeguards is a critical first step. Meru Networks’ advanced location-based security and access controls enable IT to assign access permissions by user identity and physical location.

HIPAA mandates access, authorization and audit controls as well as protection of data integrity. These requirements can be met with Meru Networks’ 802.1x authentication and encryption, Zero-Config VPN and reporting capabilities.


Conclusion

Meru Networks is Seriously Secure

Meru Networks offers the industry’s most comprehensive multi-layer security, protecting the WLAN from physical location to application and content. Meru meets the enterprise’s demands for strong wireless security without adding significant administrative burden or user training, without compromising on connectivity, and without IT having to trade off security against service reliability or the types of applications that can be run over the WLAN. Comprehensive Security. No Compromises.


Air Traffic Control Technology: Seven significant benefits.

Service, a.k.a. QoS—Over-the-air QoS enables voice and real-time applications.
Superior performance—Contention management multiplies aggregate throughput and client density.
Seamless mobility—Communication between APs enables seamless mobility with zero-handoff.
Simple management—Centralized management simplifies configuration, management, and upgrades.
Solid security—Authentication, encryption and rogue device detection secures data assets.
Scalability—WLAN deployment scales to support growth as needed.
Savings—ATC architecture integrates with existing LAN infrastructures and does not require multiple controllers.

Contact Meru Networks
Meru Networks, Inc.
1309 S. Mary Ave
Sunnyvale, CA 94087
+1.408.215.5300 Phone
+1.408.215.5301 Fax


Copyright and Trademarks

Copyright ©2004, Meru Networks, Inc. This document is an unpublished work protected by the United States copyright laws and is proprietary to Meru Networks, Inc. Disclosure, copying, reproduction, or use of this document by anyone other than authorized employees, authorized users, or licensees of Meru Networks, Inc., without the prior written consent of Meru Networks, Inc., is prohibited. Lit. Security-040404