icc networking data security


Upload: international-communications-corporation

Post on 08-Feb-2017


Page 1: ICC Networking Data Security


ICC Security Philosophy

There's no such thing as 100% security. Nefarious persons with enough resources, time, and emotional incentive can eventually penetrate any network ecosystem. We've seen breaches occur in every market segment, venue, military, or consumer ecosystem. ICC's theory on IP data security is based on creating layers of security that make it financially unsound for hackers to attempt to access our networks. As a software-driven IP data networking vendor, ICC's goal is to deliver feature-rich wired and wireless networking solutions primed with the ability to create a dis-incentive within the connectivity elements, thereby making hacking activities not worth the cost of breaking our systems.

Core Objective

ICC agrees with E&Y's cost-benefit review of how to look at security.

Linking security and business—Tie security programs to business goals and engage stakeholders in the security conversation.

Thinking outside the compliance (check) box—Go beyond control- or audit-centered approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.

Governing the extended enterprise—Establish appropriate frameworks, policies and controls to protect extended IT environments.

Keeping pace with persistent threats—Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.

Addressing the security supply & demand imbalance—Develop and retain staff experienced in security architecture planning and design, tools and integration to increase the likelihood of successful outcomes.

These layers ensure full integration of data security with all parts of a business model, as well as marrying security to the top risks facing telecommunications.

The ICC icXchange® Solution Security Review
IP Data Security in an Internet of Things ecosystem


Page 2: ICC Networking Data Security


Therefore, ICC's deployment strategy affixes various types of security technologies at every level of connectivity, from the edge to the aggregation layer and to the distributed core.

Edge networking devices: Unified Access Device (UAD)

UADs are managed-access APs for an all-wireless network. Designed with security in mind, each device runs the UAD Operating System (UADOS), which includes Firewall, Routing, MAC Filtering, Wireless Intrusion Detection, VLAN, Hidden SSID, and Captive Portal among other features. The UAD is the first line of defense, with a variety of security rules to prevent or allow initial user access based on policies set by an administrator.

ICC's approach to a simple network ecosystem is demonstrated in these devices because they are self-contained and can be completely separated from a network by acting as their own NAT router, without the need to re-flash the unit. The administrator simply needs to enable AP mode or Router mode, without updating firmware as with other vendors.

Security Features

Authentication and Security
Multiple authentication methods: WPA (PSK), WPA2 (PSK), WEP, WPA Enterprise, WPA2 Enterprise
Multiple encryption algorithms: CCMP (AES), TKIP, or CCMP and TKIP both
Hidden SSID support
Wireless client isolation
Remote RADIUS authentication and accounting support
Local authentication (MAC passing)

Security Standards
Wi-Fi Protected Access (WPA)
IEEE 802.11i
RFC 1321 MD5 Message-Digest Algorithm
RFC 2104 HMAC: Keyed-Hashing for Message Authentication
RFC 2246 TLS Protocol Version 1.0
RFC 2401 Security Architecture for the Internet Protocol
RFC 2407 IP Security Domain of Interpretation for ISAKMP
RFC 2408 ISAKMP
RFC 2409 IKE
RFC 3280 Internet X.509 PKI Certificate and CRL Profile
RFC 4346 TLS Protocol Version 1.1
RFC 4347 Datagram Transport Layer Security

Page 3: ICC Networking Data Security


Authentication, Authorization and Accounting
MAC Filter: allow all except listed MAC addresses, or allow only listed MAC addresses
Shows all clients connected to each radio (if more than one)
Sets the minimum connection/transmission rate at which a user can connect (Multicast Tx rate)
Ability to limit/exclude certain channels
Transmit power control to change the output of the radio
Web-based authentication

Security Standards (continued)
IEEE 802.1X
RFC 2548 Microsoft Vendor-Specific RADIUS Attributes
RFC 2865 RADIUS Authentication
RFC 2866 RADIUS Accounting
RFC 2867 RADIUS Tunnel Accounting
RFC 2869 RADIUS Extensions
RFC 3579 RADIUS Support for EAP
RFC 3580 IEEE 802.1X RADIUS Guidelines
RFC 3748 Extensible Authentication Protocol

The UADOS is also enhanced with ICC's patented icXengine, which inspects and controls IP data content flows.

Deployments for either indoor or outdoor applications are complemented in these all-wireless networks by the cloud AAA and RADIUS systems from icXcloud and icXmanager.

Page 4: ICC Networking Data Security


Enterprise networking devices: Link and activeARC Series Controller-based Solution

The aggregation layer of the ICC solution consists of a unified switched controller system designed to ensure connectivity while increasing performance up to 10G for various distributed or centralized functions. The advanced security features include:

802.11 security
BSSIDs (up to 32 for a dual-band AP, 16 for a single-band AP)
802.11i (802.1x authentication and PSK authentication)
Hidden SSID
WEP (WEP64/WEP128)
WPA, WPA2, TKIP, AES
11 different WIDS methods
Rogue AP detection
Rogue DHCP server detection
DoS attack prevention
DDoS
Password guessing protection
Rate limiting
Access Lists (ACLs): Layer-2 (MAC address based ACL), Layer-3 (IP address based ACL)

Authentication
MAC Filtering
802.1x authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5)
Captive Portal
AAA: RADIUS client, LDAP, local authentication (5000 user entries), accounting server

IPv6 Support
IPv6 ISATAP, 6to4 tunnel, DHCPv6, DNSv6, ICMPv6, ACLv6, TCP/UDP for IPv6, SNMP v6, Ping/Trace, Route v6, RADIUS, Telnet/SSH v6, NTP v6, IPv6 MIB support for SNMP, VRRP for IPv6, IPv6 QoS, static routing, OSPFv3, IPv6 Security RA

Data forwarding
Distributed forwarding architecture (CAPWAP)
Centralized architecture (CAPWAP)

Security is also enhanced by the system's ability to route data in a variety of ways. Administrators can change IP data routing measures more frequently to keep the system ever evolving, so that data traffic routes are harder to guess or set up for. With central, distributed, encrypted, Q-in-Q, AP-to-AP or AP-to-Switch forwarding options, ICC's icXchange network architectures can evolve based on business demands and/or on security concerns for data flows. Organizations can set up different routing measures, allowing the controller systems to be in the data path, outside the data path, off- or on-site, or a variety of other simple-to-change system arrangements that enhance security.

Page 5: ICC Networking Data Security


Broadband Connectivity: Super Wi-Fi

The WAN connectivity points are also very important and require a higher level of security to ensure data integrity and security. ICC's joint solution provides military-level encryption that either starts with the system or can be added over time based on requirements and business needs.

The backbone system consists of different security measures within the four segments below.

Wireless Broadband: Whitespace (Super Wi-Fi) - VHF/UHF

SECURITY
Payload Encryption: 128/256-bit Advanced Encryption Standard (AES)
System Access/Authentication Capabilities: Multifactor Authentication; Remote Access Token-Based Authentication
Authorization and Accounting: Protects Against Non-Authorized Administration/Maintenance and Over-the-Air Access
Information Assurance Tools: Integrated Firewall and Suite of Information Assurance Tools

The ICC solution is a single integrated solution, but with various types of security measures based on the type of requirements at each level.

Page 6: ICC Networking Data Security


Example: PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) compliance is central to a vibrant and expanding economy that continues to utilize credit cards as a means or medium for payments. Credit card transactions number in the billions each year, with a value in the trillions of dollars. Network intruders continue to be a threat and could siphon off a variety of customer data including credit card numbers, PINs, account and personal information, and a variety of details that allow them to utilize the pilfered cards.

The standards set both the technical and operational requirements for handling cardholder data. They provide guidance for everything from software, security, networking, and applications to anything that might come into contact with, store, transmit, or touch in any way cardholder details. The standards are enforced by the founding members American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Implementation

PCI DSS was implemented as a way to provide security guidance to anyone conducting a credit card transaction. To adequately outline the requirements, a Wireless Operation Guide was implemented which identified two categories. The first category dealt with 'generally applicable wireless requirements', which constituted such requirements as rogue or unknown device detection. The second category dealt with in-scope wireless equipment and the general protection against any non-authorized users of any system regardless of its proximity to the Cardholder Data Environment (CDE). The PCI DSS Wireless Guide outlines those requirements while utilizing a wireless local area network environment: how to segment credit card data, keep inventory statistics, detect rogue access points or connections, enforce usage, and monitor physically.

The four main areas for concern

1. Inventory
2. Scanning and dealing with Rogue access points and devices
3. Wireless enforcement
4. Segmentation

The ICC icXchange® solution helps various market segments as they strive to keep their PCI compliance as simple as possible. The true target audience for PCI DSS includes organizations that store, process, or transmit cardholder data and who may or may not have deployed wireless technology, as well as assessors performing PCI DSS assessments pertaining to wireless. As further support to these groups, the ICC icXchange® solution helps ensure the highest level of technology, flexibility, and features that aid in the protection of the CDE.

The US Census Bureau; The Federal Reserve

PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0. Published by the PCI Security Standards Council, 2010.

Page 7: ICC Networking Data Security


Inventory

The PCI DSS group recommends that an inventory of all items connected to the network be maintained and updated frequently by the organization. The recommendation hinges on the fact that if you don't know what's connected to your network, how can you determine 'friend or foe' on your securely managed network? They also suggest keeping up-to-date logs and educating employees to look for unauthorized devices connected to the network.

Scanning and handling Rogue Access Points

The PCI DSS standard requires mechanisms for identifying unauthorized devices on the network. Many of these particularly heinous devices more often strike wireless networks and are known as Rogue Access Points. Therefore, scanning and handling requirements were central to the PCI standards in section 11.1.

The ICC icXchange® solution provides various security options, including a Wireless Intrusion Detection System that provides advanced scanning, detection and mitigation of unauthorized access points. The standard requires ongoing scans for rogue access points, and the ICC icXchange® solution provides up to 11 different methods to initiate, scan, monitor, and mitigate various attacks, not only rogue APs but also DoS and DDoS attacks. Moreover, the solution is a unified wired/wireless platform that ensures consistent protection while increasing segmentation with an advanced Layer 3 feature set.

Constant scanning and full manageability ensure proactive detection and mitigation of non-authorized access. Based on the administrator's local requirements, threats can be reported for further action or the system can proactively eliminate the threat to the network. This means that part of the ongoing and most effective means of deterring threats is the active involvement of owners in thinking in advance about how they'd like threats to be handled. Once a decision is made, they can, through the ICC icXchange® solution, automate and immediately handle that threat.

Wireless enforcement and usage

The ICC icXchange® solution employs a variety of standards-based security protocols (802.1x, WPA2, TKIP, MAC Filtering, etc.), as well as Password Guessing Protection, to ensure no 'lucky' access is gained to the network. It's important for the user to change the default password, enable higher-level security features, and deploy the included security features. The system simplifies management of the ecosystem by providing the ability to 'group' access points into named sections to more easily push similar configuration, security, and requirements to deployments of any size.

'Information Supplement: PCI DSS Wireless Guideline', prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team; July 2009.


Page 8: ICC Networking Data Security


Segmentation

One of the core PCI DSS requirements is the segmentation of CDE (Cardholder Data Environment) traffic from the rest of the network. The ICC icXchange® solution sits within the network and can be connected separately to a designated firewall and gateway for external access. This is the most direct method for handling compliance; however, it might not always be possible in all cases.

In the event that the ICC icXchange® solution and CDE traffic must exist on the same network, the ICC icXchange® solution has a variety of advanced segmentation features to separate and maintain data security while it traverses the network. PCI DSS recommends placing a firewall between the CDE and the ICC icXchange® solution. This is demonstrated in the image to the right.

The primary function of the firewall is to separate the traffic to ensure there's no possibility of CDE traffic being visible to, or mixed with, other data traffic. The ICC icXchange® solution is a unified wired and wireless system with full Layer 3 routing. This additional feature provides the industry with several options for additional security. The solution supports a variety of routing protocols including RIP, OSPF, VRRP, and IGMP, as well as other advanced features designed to keep IP data traffic contained and secure.

While VLANs can be used, they are not the best method for separating the data from CDE traffic. Experienced hackers could filter between VLANs as a means to gather data. Keeping a completely separate segment is vital to enhancing network security.

Beyond PCI Compliance

The ICC icXchange® solution is a unified solution built for a multi-user data environment. The ability to control IP traffic is central to our system and is a ground-up feature set supported at each level of the solution. Starting with full Layer 2 and Layer 3 MAC-based ACLs, the solution can route traffic separately via true Layer 3 segmentation or via various IP forwarding methods. Distributed and local forwarding with CAPWAP secure encryption add another layer of separation of data, as well as the ability to route separate data traffic to different locations. Therefore, whether the user needs to securely control guest traffic and segment it from the CDE traffic, or vice versa, the solution is able to keep those data paths completely separated.

Client traffic can also be limited to the specific routable, controlled, and secure areas of the network based on PCI requirements. The solution's various authentication methods (MAC Filtering; 802.1x Authentication (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MD5); Captive Portal; AAA; RADIUS client; LDAP; Local Authentication (5000 user entries); and Accounting server) direct non-corporate IP traffic to a specific secure part of the network. Combined with the embedded Wireless Intrusion Detection System (WIDS), utilizing 11 different modes (Blacklist, Whitelist, Rogue AP, Fake AP, etc.) for protecting against hackers, the network can be kept secure.

'Information Supplement: PCI DSS Wireless Guideline', prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team; July 2009.

Page 9: ICC Networking Data Security


The following is a list of compliance features and how they can be supported within the ICC icXchange® solution. Since the solution supports multiple methods per requirement, we maintain several technical labs and configuration details for each feature at http://www.iccnetworking.com.

Page 10: ICC Networking Data Security


The ICC icXchange® solution expands PCI DSS compliance with the addition of extensive IP control measures that reach beyond standard vendor requirements. The ICC icXchange® solution expands its unified approach to add advanced features to secure data. Those measures include such features as:

Access Management Configuration
Access List Control
SSL
Wireless Intrusion Detection
Wireless Security
Syslog and SNMP

Access Management Configuration

Access Management is a policy configuration option within the active500EM designed to only allow approved hardware to send messages into the network. The solution can refuse to allow data communication to start prior to the approval process. This is a vital part of the system because ill-intentioned individuals gain access by being able to have an IP dialogue with the network; however, the active500EM does not allow such a conversation to even commence if the hardware isn't included on the approved list. When the active500EM receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP address pair) with the configured hardware address pool. If there is an entry in the address pool matching that information (source IP address or source MAC-IP address), the message is forwarded. However, if the message does not match the approved list, the request and its information are dumped, preventing possible intrusion.
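The allow-list decision described above, written out as an added Python example (not ICC's code): the shape of the hardware address pool, the optional MAC binding on a pool entry, and dropping anything other than IP or ARP messages are assumptions made here, not taken from the page.

```python
"""Access Management allow-list check, illustrating the behaviour the page
describes for the active500EM. This is an added example, not ICC's code.

Assumptions (not from the page): the hardware address pool is a list of
PoolEntry records; an entry may bind an IP to a MAC or list an IP alone; and
anything that is not an IP or ARP message is dropped (fail closed).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class PoolEntry:
    ip: str                    # approved source IP address
    mac: Optional[str] = None  # optional hardware binding; None = IP-only entry


@dataclass(frozen=True)
class Message:
    kind: str     # "ip" or "arp"
    src_mac: str  # Ethernet source / ARP sender hardware address
    src_ip: str   # IP source / ARP sender protocol address


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


class AccessManagement:
    """Forward a message only if its source matches the configured address pool."""

    def __init__(self, pool: Iterable[PoolEntry]) -> None:
        self.ip_only = set()   # IPs approved regardless of MAC
        self.bound = {}        # IP -> required MAC
        for entry in pool:
            ip = str(ip_address(entry.ip))  # validates and canonicalises the IP
            if entry.mac is None:
                self.ip_only.add(ip)
            else:
                self.bound[ip] = norm_mac(entry.mac)

    def decide(self, msg: Message) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one received message."""
        if msg.kind not in ("ip", "arp"):
            return "drop", "unsupported message type"  # assumption: fail closed
        try:
            src_ip = str(ip_address(msg.src_ip))
        except ValueError:
            return "drop", "malformed source address"
        src_mac = norm_mac(msg.src_mac)
        if src_ip in self.bound:
            # MAC-IP entry: both halves must match, so a host that borrows an
            # approved IP on a different NIC is still refused.
            if self.bound[src_ip] == src_mac:
                return "forward", "MAC-IP binding matched"
            return "drop", "approved IP used with unapproved MAC"
        if src_ip in self.ip_only:
            return "forward", "source IP in address pool"
        return "drop", "source not in address pool"


def filter_messages(am: AccessManagement, msgs: Iterable[Message]) -> Dict[str, int]:
    """Apply the check to a batch and count outcomes, as a controller would log them."""
    counts = {"forward": 0, "drop": 0}
    for m in msgs:
        action, _ = am.decide(m)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample pool and traffic (not from any real deployment).
    pool = [PoolEntry("10.10.1.20", "00:11:22:33:44:55"), PoolEntry("10.10.1.30")]
    am = AccessManagement(pool)
    sample = [
        Message("arp", "00-11-22-33-44-55", "10.10.1.20"),  # bound entry, matches
        Message("ip", "66:77:88:99:aa:bb", "10.10.1.20"),   # approved IP, wrong MAC
        Message("ip", "de:ad:be:ef:00:01", "10.10.1.30"),   # IP-only entry
        Message("ip", "de:ad:be:ef:00:02", "10.10.1.99"),   # not in pool
    ]
    for m in sample:
        print(m.kind, m.src_ip, m.src_mac, "->", am.decide(m))
    print(filter_messages(am, sample))
```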

The ICC icXchange® Solution Overview
Optional solution design recommendations to meet or exceed PCI DSS requirements

Page 11: ICC Networking Data Security


Access Control Lists (ACL)

ACL is a complex method of IP packet filtering deployed by Ethernet switching technology to protect against nefarious users communicating with the rest of the network. The value of the ICC icXchange® solution can once again be seen, as the unified wired/wireless capabilities allow for protection on both sides of the network. While highly publicized data breaches focus on the external threat to a network and customer data, the less frequently publicized breach occurs internal to the organization. The threat also occurs via foreign devices installed by 'known' individuals (employees). According to a global study by InsightExpress of some 2000 IT professionals, 39% were more concerned with internal threats from their own employees and another 33% were concerned about lost data from foreign USB devices. Therefore, retailers dealing with cardholder data can no longer be concerned only with foreign threats over a predominantly wireless ecosystem. The threats are real and varied in nature, which means that the ability to handle multiple threats from various directions, in different modes, is the new requirement. The active500EM and its unified architecture do just that.

Secure Socket Layer (SSL)

SSL is an industry standard for establishing a secure and encrypted link between a web browser and a web server. This technology can be enabled within the active500EM as a means of maintaining that secure link while the user's traffic passes through the Ethernet switch protocols on its way to the web server. While often discussed as sitting between Layer 4 Transport and Layer 7 Application support, SSL has clearly been the next necessary requirement in encryption and protection over the internet.

Wireless Intrusion Detection Systems (WIDS)

A wireless intrusion detection system (WIDS) monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The active500EM is the central intelligence solution monitoring, calculating, and protecting the wireless environment. This would not be possible without the ARC Series access points providing a Wireless Intrusion Prevention System (WIPS). WIPS is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection). The system monitors the radio spectrum used by wireless LANs and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally this is achieved by comparing the MAC addresses of the participating wireless devices.

The ICC icXchange® solution recognizes that rogue devices can spoof the MAC address of an authorized network device and present it as their own. Newer methods therefore add a fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signature exhibited by the signals each wireless device emits against the known signatures of pre-authorized wireless devices. This heuristic and more intelligent method is supported by the active500EM and allows for a more dynamic and evolving security posture.
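As an added example of the two detection methods described in the two paragraphs above (MAC-address comparison, then a fingerprint check for spoofed addresses), the following is illustrative code and not ICC or ARC Series code. The "signature" is a simplified stand-in for the over-the-air signal characteristics the text refers to: here it is just a tuple of beacon properties. The authorized-AP inventory, the SSIDs and the observed beacons are all constructed for the example.

```python
"""Rogue access point detection with a MAC-spoof fingerprint check.

Added illustration, not ICC or ARC Series code. The signature tuple is a
stand-in for a real RF fingerprint; inventory and beacons are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Signature = Tuple[str, ...]


@dataclass(frozen=True)
class Beacon:
    bssid: str            # MAC address the access point transmits with
    ssid: str
    channel: int
    signature: Signature  # stand-in for the device's RF/beacon fingerprint


@dataclass(frozen=True)
class AuthorizedAP:
    bssid: str
    signature: Signature


def classify(beacon: Beacon, inventory: Dict[str, AuthorizedAP],
             protected_ssids: Set[str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one observed beacon.

    - "authorized": BSSID is in the inventory and the fingerprint matches.
    - "spoofed":    BSSID is in the inventory but the fingerprint differs, the
                    case a plain MAC allow-list cannot catch.
    - "rogue":      BSSID is unknown; the reason notes when it advertises one
                    of our own SSIDs, which deserves the fastest response.
    """
    known = inventory.get(beacon.bssid.lower())
    if known is None:
        if beacon.ssid in protected_ssids:
            return "rogue", f"unknown BSSID advertising protected SSID {beacon.ssid!r}"
        return "rogue", "unknown BSSID"
    if known.signature != beacon.signature:
        return "spoofed", "BSSID matches inventory but fingerprint differs"
    return "authorized", "BSSID and fingerprint match inventory"


def scan_report(beacons: List[Beacon], inventory: Dict[str, AuthorizedAP],
                protected_ssids: Set[str]) -> List[Tuple[str, str, str]]:
    """Classify every beacon; returns (bssid, verdict, reason) triples."""
    return [(b.bssid, *classify(b, inventory, protected_ssids)) for b in beacons]


def alerts(report: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Only the entries an administrator needs to be alerted about."""
    return [row for row in report if row[1] != "authorized"]


# Constructed inventory of the two access points we deployed.
INVENTORY = {
    "00:11:22:33:44:55": AuthorizedAP("00:11:22:33:44:55", ("rates:1-54", "ht40", "vendor-ie:arc")),
    "00:11:22:33:44:66": AuthorizedAP("00:11:22:33:44:66", ("rates:1-54", "ht40", "vendor-ie:arc")),
}
PROTECTED_SSIDS = {"STORE-POS", "STORE-CORP"}

# Constructed scan: one genuine AP, one impostor reusing an authorized BSSID,
# one unknown AP advertising our POS SSID, and one neighbour's network.
OBSERVED = [
    Beacon("00:11:22:33:44:55", "STORE-POS", 6, ("rates:1-54", "ht40", "vendor-ie:arc")),
    Beacon("00:11:22:33:44:66", "STORE-POS", 11, ("rates:1-11", "ht20", "vendor-ie:none")),
    Beacon("f2:1a:3c:44:55:66", "STORE-POS", 6, ("rates:1-54", "ht20", "vendor-ie:none")),
    Beacon("a4:5e:60:aa:bb:cc", "CoffeeShopGuest", 1, ("rates:1-54", "ht20", "vendor-ie:none")),
]

if __name__ == "__main__":
    for row in alerts(scan_report(OBSERVED, INVENTORY, PROTECTED_SSIDS)):
        print(row)
```

The second observed beacon is the case the text is about: its BSSID is on the allow-list, so a MAC-only comparison would accept it, and only the fingerprint mismatch exposes it. In a real deployment the signature would come from the access points' radio measurements rather than from beacon fields.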


Wireless Security

Wireless networks are generally not as secure as wired networks. Wired networks, at their most basic level, send data between two points, A and B, which are connected by a network cable. While not impervious to attack, intercepting such traffic is a more difficult task. IEEE 802.11 networks, by their very nature, send user data in every direction and to every device that happens to be 'listening' within a limited range.

Following are descriptions of the WEP, WPA, and WPA2 wireless security protocols:

Wired Equivalent Privacy (WEP): The original encryption protocol developed for wireless networks. As its name implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well-known security flaws, is difficult to configure, and is easily breached.

Wi-Fi® Protected Access (WPA): Introduced as an interim security enhancement over WEP while the 802.11i wireless security standard was being developed. Most current WPA implementations use a pre-shared key (PSK), commonly referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses an authentication server to generate keys or certificates.

Wi-Fi Protected Access version 2 (WPA2): Based on the 802.11i wireless security standard, which was finalized in 2004. The most significant enhancement of WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top secret.

WPA-Enterprise: The Enterprise mode of WPA2 provides dynamic encryption keys, distributed securely after a user logs in with a username and password or presents a valid digital certificate. Users never see the actual encryption keys, and the keys are not stored on the device. This protects you against rogue or terminated employees and against lost or stolen devices.

The active500EM supports multiple wireless security modes, including WPA, WPA2, WPA-Enterprise, and 128-bit and 64-bit WEP encryption.


Syslog and SNMP

The final stage in support of your PCI DSS compliance is the ability to track all data, be alerted to the various possibilities of an attack, and receive ongoing reporting so that there is a dynamic means of evolving your security standards and policies. Two methods the active500EM uses to help with this are Syslog and SNMP management.

Syslog provides the ability to see all data running through a specific device, including all traffic details. This information can be sent from the active500EM to a central Syslog server that aggregates logs and alerts from all locations. This option can be used in conjunction with a Syslog service, automated, and then provide detailed printed reporting of all data traffic. This form of logging is the best available for devices because it can provide protected long-term storage for logs. Since security methods must evolve, this reporting can build trends for both routine troubleshooting and incident handling or reporting.
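The central collector described above has to parse and triage what the devices send before it can build trend reports or raise alerts. The following is an added example of that step, not ICC or active500EM code: it parses classic BSD-style syslog lines ("<PRI>timestamp host tag: message", where PRI encodes facility * 8 + severity), tolerates a malformed record, counts events per device and pulls out the records at warning severity or worse. The hostnames, addresses, tags and message texts in SAMPLE are constructed for the example and are not the switch's real log format.

```python
"""Parsing and triaging BSD-style syslog lines forwarded to a central collector.

Added illustration, not ICC or active500EM code. SAMPLE is constructed and
does not reflect the real message format of any device.
"""
import re
from collections import Counter
from typing import Dict, List

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss hostname tag: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_line(line: str) -> Dict[str, object]:
    """Split one syslog line into fields; PRI encodes facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                      # facilities 0-23, severities 0-7
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": m["tag"],
        "msg": m["msg"],
    }


def parse_all(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line, skipping lines that do not parse so that one
    malformed record cannot stall the whole collector."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(parse_line(line))
        except ValueError:
            continue
    return events


def events_per_host(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Volume per reporting device, the first thing to chart for trend reports."""
    return dict(Counter(e["host"] for e in events))


def alerts(events: List[Dict[str, object]], max_severity: int = 4) -> List[Dict[str, object]]:
    """Events at warning (4) or more urgent, the ones that should page someone."""
    return [e for e in events if e["severity"] <= max_severity]


# Constructed sample of what a central collector might receive from two stores.
SAMPLE = """\
<134>Oct 10 12:01:17 switch-store42 acl: permit tcp 10.10.20.15:51022 -> 10.10.10.5:443 rule 0
<132>Oct 10 12:01:19 switch-store42 acl: deny ip 10.10.30.7 -> 10.10.10.5 rule 1
<132>Oct 10 12:01:23 switch-store42 wids: rogue AP detected bssid=f2:1a:3c:44:55:66 ssid=STORE-POS channel=6
<131>Oct 10 12:02:05 switch-store42 wids: possible MAC spoof bssid=00:11:22:33:44:66 fingerprint mismatch
this line is garbage and must not break the parser
<134>Oct 10 12:02:40 switch-store17 acl: permit tcp 10.20.20.8:40001 -> 10.20.10.5:443 rule 0
"""

if __name__ == "__main__":
    evts = parse_all(SAMPLE)
    print(events_per_host(evts))
    for e in alerts(evts):
        print(e["severity_name"], e["host"], e["tag"], e["msg"])
```

The severity threshold is deliberately a parameter: the same parsed events feed both the routine traffic reports (everything) and the incident view (warning and above), which is the dual use of one log stream the paragraph describes.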

The ICC icXchange® solution fully supports advanced, standards-based SNMP over TCP/IP for network management. Featuring a Management Information Base (MIB), the ICC icXchange® solution can be integrated into the management design of any network administrator. The ability of the active500EM to integrate into existing management and monitoring infrastructure allows for a reduced cost structure while ensuring complete visibility of the network, the content flowing over it, and any possible threats to the environment.

Summary

The objective of PCI DSS compliance is to ensure complete protection of cardholder data. The more sophisticated hackers, both internal and external, continue to be innovative in their approach. The only complete way of ensuring security is to have a strategic plan for both the wired and wireless sides of your network ecosystem. The ICC icXchange® solution is a unified solution designed to keep data separate, prevent unauthorized devices from speaking to the network, and ensure proper reporting and routing of content.

© 2015 International Communications Corporation, Inc. All Rights Reserved. Printed in USA. Issue 1.0 ICC 10/1012015. Wi-Fi® is the Trademark of Wi-Fi Alliance. icXchange®, icXengine, icXcloud, and icXmanager are the Trademark of International Communications Corporation, Inc.

Contact: Phone: 888-209-0067, Email: [email protected], www.iccnetworking.com