wlan enterprise security wp 00

Upload: james-heath

Post on 02-Jun-2018


• 8/10/2019 WLAN Enterprise Security WP 00

1/8

www.brocade.com

Enterprise WLAN Security: Challenges and Solutions

WHITE PAPER

Brocade Mobility products feature an end-to-end architecture that integrates key security and wireless solutions to deliver standards-based, industry-leading wireless network protection.


Finally, 802.11 networks operate in the unlicensed frequencies of 2.4 GHz and 5 GHz. Unlike cellular frequencies, which require licenses, these unlicensed frequencies are open for use by anyone. While the FCC mandates certain rules of engagement, which prohibit aggressive or malicious use, the difficulty in enforcing such rules means that most unlawful use of the frequency goes unpunished.

In response to the pervasive security threats faced by enterprise WLANs, Brocade Mobility features a range of capabilities addressing multi-tiered enterprise data protection for enterprise WLANs. Brocade Mobility WLAN controllers and Access Points (APs) include a range of WLAN security mechanisms to meet (and exceed) the needs of expanding wireless networks and provide administrators with additional options as their data protection needs expand. Compared with other leading wireless network equipment providers, Brocade offers the strongest and most efficient wireless security portfolio on the market. Brocade integrates key security features directly into controllers and APs to provide superior access control and network defense.

COMPREHENSIVE WIRELESS AP SECURITY OFFERING

Because threats really exist at the edge of the wireless network, Brocade Mobility products support the strongest and most comprehensive wireless edge security offering. In fact, every AP includes on-board Authentication, Authorization, and Accounting (AAA), a stateful firewall, and Virtual Private Network (VPN), which secures traffic without gaps. Combined with the AirDefense Enterprise Appliances for Brocade Mobility solutions described below, it is the most secure wireless edge defense available. The entire security architecture can be managed from a single console and offers regulatory compliance with the highest levels of security validation in the wireless industry, from Federal Information Processing Standards (FIPS) to Common Criteria Level 4.

For authentication and encryption, Brocade also has the industry-leading offerings on the market, with four-factor access control in the AP, which allows companies to control access based on the user's ID or role in the company, policy compliance via Network Access Control (NAC), and geofencing, which is a means to control access by a user's location using the system's Real-Time Locating System (RTLS) application.

All of the Brocade Mobility access points support the highest available levels of encryption, including IEEE 802.11i (WPA and WPA2) and 3DES IPSec encryption. On Brocade Mobility dual-radio APs (Brocade Mobility 5181, which supports 802.11 a/b/g, and Brocade Mobility 7131, which supports 802.11 a/b/g/n), one radio can be dedicated to network access and the other can act as a sensor that monitors the airwaves for rogue devices 24 hours a day.

Brocade Mobility AP-based AAA features include:

• Internal and external Remote Authentication Dial-In User Service (RADIUS) capabilities that support Extensible Authentication Protocol (EAP), providing an extra layer of security beyond Wi-Fi Protected Access 2 (WPA2) with strong encrypted mutual authentication to thwart man-in-the-middle attacks.

• RADIUS accounting keeps a log of not only which users are authenticated by the network but which access point authenticated them, whether they roamed from one AP to another, and how long they remained connected to the network.

• Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) integration provides authentication against a common user database so as to ensure that those people who gain secure access to the network are really authorized to be there.

• Other capabilities specify not only who is authorized to use the WLAN, but when and how and on which access point each individual user is allowed to be there, assigning specific permission guidelines based on individual identity.

• Sophisticated role-based firewall features dynamically apply admission rules to employees and guests based on the Extended Service Set ID and which AP they are using,
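
The RADIUS accounting bullet above lists what the log can answer: which AP authenticated a user, whether the user roamed, and how long they stayed. The following is an added example, not code from the white paper or from Brocade, showing how those answers are derived from decoded accounting records. It assumes the packets have already been decoded into dicts keyed by the standard RFC 2866 attribute names (`Acct-Status-Type`, `Acct-Session-Id`, `NAS-Identifier`, `Calling-Station-Id`, `Event-Timestamp`); the sample records, AP names and the 30-second roam window are constructed for the example.

```python
"""Correlate RADIUS accounting records into a per-user session history: which
AP authenticated each user, whether they roamed, and how long they stayed.

Added example, not Brocade code. Assumes accounting packets are already
decoded into dicts keyed by RFC 2866 attribute names; the records at the
bottom are constructed, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ROAM_GAP_SECONDS = 30  # assumption: a Start on another AP within 30 s of a Stop is a roam


@dataclass
class Session:
    user: str
    client_mac: str
    ap: str              # NAS-Identifier of the AP that authenticated the client
    session_id: str
    start: int           # Event-Timestamp of the Start record
    stop: Optional[int] = None
    terminate_cause: Optional[str] = None

    def duration(self) -> Optional[int]:
        return None if self.stop is None else self.stop - self.start


def build_sessions(records):
    """Pair Start and Stop records by Acct-Session-Id.

    Returns (sessions sorted by start time, anomalies). A Stop with no matching
    Start is reported rather than silently dropped: it means a lost record or a
    gap in the accounting stream that an auditor should know about."""
    by_id, anomalies = {}, []
    for r in records:
        sid, status = r["Acct-Session-Id"], r["Acct-Status-Type"]
        if status == "Start":
            by_id[sid] = Session(r["User-Name"], r["Calling-Station-Id"],
                                 r["NAS-Identifier"], sid, r["Event-Timestamp"])
        elif status == "Stop":
            s = by_id.get(sid)
            if s is None:
                anomalies.append(f"Stop without Start: session {sid} user {r['User-Name']}")
                continue
            s.stop = r["Event-Timestamp"]
            s.terminate_cause = r.get("Acct-Terminate-Cause")
        # Interim-Update records carry running counters; not needed for this history.
    return sorted(by_id.values(), key=lambda s: s.start), anomalies


def detect_roams(sessions):
    """List (user, from_ap, to_ap, gap_seconds) for each AP-to-AP move."""
    per_client = defaultdict(list)
    for s in sessions:
        per_client[(s.user, s.client_mac)].append(s)
    roams = []
    for (user, _mac), sess in per_client.items():
        for prev, nxt in zip(sess, sess[1:]):
            if prev.stop is None or prev.ap == nxt.ap:
                continue
            gap = nxt.start - prev.stop
            if 0 <= gap <= ROAM_GAP_SECONDS:
                roams.append((user, prev.ap, nxt.ap, gap))
    return roams


def connected_seconds(sessions, user):
    """Total time over all closed sessions for one user."""
    return sum(s.duration() for s in sessions if s.user == user and s.stop is not None)


def open_sessions(sessions):
    """Sessions with a Start but no Stop: still connected, or a missing Stop."""
    return [s for s in sessions if s.stop is None]


# Constructed sample records (not a real capture).
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55",
     "NAS-Identifier": "ap-lobby-1", "Acct-Session-Id": "a1", "Event-Timestamp": 1000},
    {"Acct-Status-Type": "Start", "User-Name": "bob", "Calling-Station-Id": "00-11-22-33-44-66",
     "NAS-Identifier": "ap-lobby-1", "Acct-Session-Id": "b1", "Event-Timestamp": 1200},
    {"Acct-Status-Type": "Stop", "User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55",
     "NAS-Identifier": "ap-lobby-1", "Acct-Session-Id": "a1", "Event-Timestamp": 1600,
     "Acct-Terminate-Cause": "Lost-Carrier"},
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55",
     "NAS-Identifier": "ap-floor2-3", "Acct-Session-Id": "a2", "Event-Timestamp": 1605},
    {"Acct-Status-Type": "Stop", "User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55",
     "NAS-Identifier": "ap-floor2-3", "Acct-Session-Id": "a2", "Event-Timestamp": 3405,
     "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Status-Type": "Stop", "User-Name": "carol", "Calling-Station-Id": "00-11-22-33-44-77",
     "NAS-Identifier": "ap-lobby-1", "Acct-Session-Id": "c9", "Event-Timestamp": 2000},
]
```

On the sample data, `build_sessions` yields three sessions and one anomaly (carol's orphan Stop), `detect_roams` reports alice moving from `ap-lobby-1` to `ap-floor2-3` with a 5-second gap, and `open_sessions` shows bob still connected. Pairing on `Acct-Session-Id` rather than on user name is what makes the roam and duration figures reliable when the same user has several overlapping devices.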


The Wireless Intrusion Prevention System (WIPS) is the eyes and ears of the Radio Frequency (RF) network. AirDefense WIPS can detect more than 200 current and lethal attacks and threats in real time. Furthermore, the AirDefense 24x7 WIPS can reside alongside a WLAN radio on a single AP. The ability to transport packets and detect intruders on the same AP is extremely cost-effective and extremely secure. WIPS sensors are solely dedicated to detecting and preventing intruders. Note that many other WLAN systems on the market use a far less effective approach called time-slicing, in which the radio on an access point spends some time broadcasting network traffic and some time scanning the network for intruders. Unfortunately, these time-slicing solutions end up spending only about 4 minutes per day scanning for intruders. In addition, the AirDefense WIPS is not band-locked, meaning that it can monitor both 2.4 and 5 GHz bands simultaneously. This is important for any network that utilizes both the 802.11b/g and 802.11a standards.

WLAN CONTROLLER-BASED SECURE RESOURCE AUTHORIZATION

Using Network Access Control (NAC), Brocade Mobility controllers grant access to specific network resources. NAC performs a user and wireless device authorization check for resources without a NAC agent. NAC verifies a wireless device's compliance with the controller's security policy. The Brocade Mobility family supports the EAP/802.1x type of NAC. In addition, the switches also provide a means to bypass NAC authentication for wireless devices without NAC 802.1x support (for example, printers, phones, and PDAs). NAC protects resources and data on your wireless infrastructure by:

• Blocking or quarantining non-compliant devices from connecting to a WLAN

• Providing 802.1x-based pre-admission control to block devices at the authentication stage

• Working with any NAC solution conducting 802.1x and dynamic VLAN assignment

• Providing qualified interoperability with Microsoft NAP and Symantec NAC solution
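
The NAC behaviour listed above (802.1x pre-admission, quarantine of non-compliant devices, dynamic VLAN assignment, and a bypass path for devices without 802.1x support) is easiest to reason about as one admission decision. The following is an added example, not Brocade code, that models that decision as a RADIUS reply. The role names, VLAN numbers and MAC bypass list are constructed; the reply attributes `Tunnel-Type`, `Tunnel-Medium-Type` and `Tunnel-Private-Group-Id` are the standard RFC 3580 attributes a RADIUS server uses to assign a VLAN. Treating an authenticated but agentless client as "restricted" is this example's assumption, not something the page states.

```python
"""Admission decision for a wireless client: 802.1X pre-admission, posture-based
quarantine, dynamic VLAN assignment and a MAC bypass for 802.1X-incapable devices.

Added example, not Brocade code. Roles, VLAN numbers and the bypass list are
constructed; the reply attribute names follow RFC 3580.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed policy: role -> production VLAN, plus a quarantine VLAN for
# non-compliant clients and a restricted VLAN for devices that cannot prove posture.
ROLE_VLAN = {"employee": 100, "contractor": 120, "guest": 200}
QUARANTINE_VLAN = 900
RESTRICTED_VLAN = 300
# Constructed MAC bypass list (printers, phones, PDAs). Kept explicit and small:
# anything not listed here and unable to do 802.1X is rejected outright.
MAC_BYPASS = {"00-10-20-30-40-50": "printer", "00-10-20-30-40-51": "voip-phone"}


@dataclass
class ClientAttempt:
    mac: str
    supports_8021x: bool
    eap_authenticated: bool = False            # outcome of the EAP exchange
    role: Optional[str] = None                 # looked up in the directory after authentication
    posture_compliant: Optional[bool] = None   # None = no NAC agent reported anything


def vlan_reply(vlan: int) -> dict:
    """Access-Accept attributes that place the client in `vlan` (RFC 3580)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


def admission_decision(c: ClientAttempt):
    """Return (RADIUS code, VLAN or None, reason)."""
    if not c.supports_8021x:
        # No supplicant: only listed device classes bypass 802.1X, and they land on
        # the restricted VLAN, never on a user VLAN.
        kind = MAC_BYPASS.get(c.mac.lower())
        if kind is None:
            return ("Access-Reject", None, "no 802.1X and not on bypass list")
        return ("Access-Accept", RESTRICTED_VLAN, f"bypass: {kind}")
    if not c.eap_authenticated:
        # Pre-admission control: a failed EAP exchange never reaches any VLAN.
        return ("Access-Reject", None, "EAP authentication failed")
    if c.posture_compliant is False:
        # Authenticated but non-compliant: quarantine so the device can reach
        # remediation services only, instead of rejecting it.
        return ("Access-Accept", QUARANTINE_VLAN, "posture non-compliant")
    if c.posture_compliant is None:
        # Agentless: authenticated, compliance unverified (example's assumption: restrict).
        return ("Access-Accept", RESTRICTED_VLAN, "no posture report")
    vlan = ROLE_VLAN.get(c.role or "")
    if vlan is None:
        return ("Access-Reject", None, f"unknown role {c.role!r}")
    return ("Access-Accept", vlan, f"role {c.role}")


def build_reply(c: ClientAttempt) -> dict:
    """Full reply: code, reason, and the VLAN attributes when access is granted."""
    code, vlan, reason = admission_decision(c)
    reply = {"Code": code, "Reason": reason}
    if vlan is not None:
        reply.update(vlan_reply(vlan))
    return reply
```

The ordering of the checks is the point: transport-level authentication is decided before posture, and posture before role, so a device can only reach a production VLAN after passing every earlier gate.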

Historically, some enterprises have avoided ubiquitous Wi-Fi deployments, mainly because network administrators had concerns about network security, performance, and reliability. They deployed Wi-Fi grudgingly and cautiously and usually as an overlay. Traditionally, these concerns were valid. Ten years ago, wireless LAN encryption standards were weak, data rates were slow, and wireless APs and routers were relatively difficult to manage and maintain. Today, however, technological advances have rendered those problems obsolete. In fact, today's wireless LANs can be as secure, reliable, and as fast as wired networks.

BROCADE MOBILITY CONTROLLER-BASED WIRELESS FIREWALL

Brocade Mobility RFS6000 and RFS7000 controllers implement a next-generation firewall, which provides a clean separation between wireless and wired networks as well as fine-grained security within a wireless network. By leveraging Brocade's vast knowledge as an industry leader in the development and deployment of enterprise-grade wireless and wired networks, Brocade provides a wireless firewall that offers the highest level of wireless security available. Wireless-specific attributes are taken into account, including encryption, authentication, and location, and every wireless packet is inspected before it enters the wired network.

Brocade Mobility controller-based wireless firewall provides unparalleled traffic inspection at every network security layer, ensuring, for example, that sensitive information is safeguarded at all times. Brocade's wireless networking infrastructure is not only secure, it is easy to deploy and manage, especially critical for enterprises with large, distributed deployments and limited, centralized networking IT staff. Brocade Mobility products include a comprehensive suite of integrated tools that enable IT departments to quickly plan, deploy, manage, and secure large distributed wireless network infrastructures.


WIRELESS FIREWALL FEATURES AND BENEFITS

Brocade Mobility wireless firewall offers enterprises a reliable, secure wireless network that protects the enterprise against threats and ensures compliance with regulatory and industry standards. Additional benefits include:

• Protection against the greatest set of wireless threats. Some Layer 2 attacks, such as DHCP spoofing or ARP cache poisoning, cannot be detected by current WLAN firewalls that operate at Layer 3. The Brocade Mobility wireless firewall can seamlessly detect and prevent such Layer 2 wireless threats.

• Location-, user identity-, and role-based policy enforcement. Enterprises often need to implement access and security policies that take into account a user's identity, role, and location. The Brocade Mobility wireless firewall integrates with leading enterprise authentication systems (including LDAP and Active Directory) and can leverage a built-in RTLS engine to enforce user identity-, role-, and location-based security policies.

• Ease of deployment. The Brocade Mobility wireless firewall provides centralized policy configuration with distributed policy enforcement at the point of business activity. It does not require any redesign of existing network topology and offers complete protection by inspecting bridged and routed traffic.

• Gap-free security. The Brocade Mobility wireless firewall shares state with one or more switches within the enterprise, maintaining stateful firewall protection as users roam across the campus. At the same time, the firewall stops intruders right at the periphery of the network, acting as a barrier for malicious wireless threats. When combined with the Brocade AirDefense Wireless IPS and Spectrum Analyzer, the wireless firewall offers the most comprehensive wireless security on the market.
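
The first bullet above makes the case that DHCP spoofing and ARP cache poisoning are invisible to a Layer 3 firewall because they are carried in Layer 2 control traffic. The following is an added example, not Brocade code, of the two Layer 2 checks that catch them: DHCP snooping (server-side DHCP messages accepted only from trusted servers, and the resulting IP-to-MAC leases remembered) and dynamic ARP inspection (every ARP sender pair checked against those leases). The frame dicts, trusted-server list, static gateway binding and MAC addresses are all constructed for the example; a real implementation would decode them from the 802.11 data frames the AP or controller bridges.

```python
"""Layer 2 inspection of wireless client frames: DHCP spoofing and ARP cache
poisoning detection via DHCP snooping plus dynamic ARP inspection.

Added example, not Brocade code. Frames are simplified dicts; the trusted
server list, static binding and sample frames are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class L2Inspector:
    trusted_dhcp_servers: set                      # MACs allowed to send OFFER/ACK/NAK
    bindings: dict = field(default_factory=dict)   # ip -> mac, from DHCP ACKs and static entries
    alerts: list = field(default_factory=list)

    def add_static_binding(self, ip, mac):
        """Static entry for hosts that never use DHCP, such as the default gateway."""
        self.bindings[ip] = mac.lower()

    def inspect(self, frame) -> str:
        """Return 'forward' or 'drop' for one frame, recording an alert on drop."""
        proto = frame["proto"]
        if proto == "dhcp":
            return self._inspect_dhcp(frame)
        if proto == "arp":
            return self._inspect_arp(frame)
        return "forward"

    def _inspect_dhcp(self, f):
        msg = f["msg_type"]
        if msg in ("OFFER", "ACK", "NAK"):
            # Server-side messages may only come from trusted servers; a rogue DHCP
            # server answering clients on the wireless side is stopped here.
            if f["src_mac"].lower() not in self.trusted_dhcp_servers:
                self._alert("dhcp-spoof", f, f"{msg} from untrusted server {f['src_mac']}")
                return "drop"
            if msg == "ACK":
                # Snooping: remember which client MAC was leased which IP.
                self.bindings[f["yiaddr"]] = f["client_mac"].lower()
        return "forward"

    def _inspect_arp(self, f):
        # Dynamic ARP inspection: the sender IP/MAC pair must match a snooped or
        # static binding; anything else is treated as a poisoning attempt.
        sender_ip, sender_mac = f["sender_ip"], f["sender_mac"].lower()
        bound = self.bindings.get(sender_ip)
        if bound is None:
            self._alert("arp-unbound", f, f"{sender_ip} has no DHCP or static binding")
            return "drop"
        if bound != sender_mac:
            self._alert("arp-poison", f, f"{sender_ip} is bound to {bound}, claimed by {sender_mac}")
            return "drop"
        return "forward"

    def _alert(self, kind, frame, detail):
        self.alerts.append({"kind": kind, "src_mac": frame["src_mac"], "detail": detail})


# Constructed sample frames in the order a client radio would deliver them.
GATEWAY_MAC = "00-00-5e-00-01-01"
SERVER_MAC = "00-00-5e-00-01-02"
CLIENT_MAC = "00-11-22-33-44-55"

SAMPLE_FRAMES = [
    {"proto": "dhcp", "msg_type": "DISCOVER", "src_mac": CLIENT_MAC, "client_mac": CLIENT_MAC},
    {"proto": "dhcp", "msg_type": "ACK", "src_mac": SERVER_MAC, "client_mac": CLIENT_MAC, "yiaddr": "10.0.0.5"},
    # OFFER from a MAC that is not a trusted server: DHCP spoofing.
    {"proto": "dhcp", "msg_type": "OFFER", "src_mac": "00-99-88-77-66-55", "client_mac": CLIENT_MAC, "yiaddr": "10.0.0.200"},
    {"proto": "arp", "op": "reply", "src_mac": CLIENT_MAC, "sender_ip": "10.0.0.5", "sender_mac": CLIENT_MAC},
    # Client claims the gateway's IP: ARP cache poisoning.
    {"proto": "arp", "op": "reply", "src_mac": CLIENT_MAC, "sender_ip": "10.0.0.1", "sender_mac": CLIENT_MAC},
    {"proto": "arp", "op": "reply", "src_mac": GATEWAY_MAC, "sender_ip": "10.0.0.1", "sender_mac": GATEWAY_MAC},
]


def run_sample():
    """Inspect the constructed frames; returns (verdict per frame, alerts raised)."""
    insp = L2Inspector(trusted_dhcp_servers={SERVER_MAC})
    insp.add_static_binding("10.0.0.1", GATEWAY_MAC)
    verdicts = [insp.inspect(f) for f in SAMPLE_FRAMES]
    return verdicts, insp.alerts
```

On the sample, the untrusted OFFER and the ARP reply claiming the gateway address are dropped with `dhcp-spoof` and `arp-poison` alerts, while the legitimate lease and the gateway's own ARP reply pass. Note that the ARP check is only as good as the binding table, so the gateway and any other statically addressed hosts must be seeded explicitly.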

ROGUE DEVICE DETECTION

Wireless deployments afford network administrators freedom from the constraints of wired environments. However, mobile devices may lack the data protection mechanisms of a wired infrastructure. Consequently, an open door could be created for unauthorized (rogue) devices to violate the poorly enforced laws of an immature security scheme, thus rendering investments in wired security useless.

Brocade's holistic approach to monitoring ensures WLAN policies are enforced and rogue devices are promptly detected and removed. The following describes two of Brocade's enterprise-class solutions designed to equip today's wireless traffic cops with the tools they need to catch wireless rogue offenders and keep them from violating the privacy of your wireless domain.

[Figure 1. A Brocade Mobility wireless firewall provides a complete solution for user, data, and network protection. Diagram labels: Wireless Controller, Corporate WAN, Corporate HQ, Branch 1, Branch 2, WWW.]


By converting the physical dimensions of a network segment into a representative site map, AirDefense for Brocade Mobility Wireless Intrusion Protection Software (WIPS) can accurately track the deployment and operation of authorized devices and use their location to triangulate the location of potentially hostile devices.

AIRDEFENSE FOR BROCADE MOBILITY INTRUSION PROTECTION

AirDefense is an industry-leading WIPS monitoring solution that enables network administrators to proactively close network security holes and mitigate the risk of security breaches. AirDefense WIPS uses distributed sensors and pre-positioned device radios to detect the presence of 802.11 a/b/g/n rogue devices.

AirDefense WIPS sensors continuously monitor WLAN activity and report network events to the centralized AirDefense appliance server. The AirDefense WIPS management server correlates and analyzes the data to provide real-time rogue detection, policy enforcement, and intrusion protection. If an unauthorized device is detected, AirDefense WIPS has the means of interrogating the rogue to obtain valuable data to aid forensics by reporting and recording the event.

AirDefense WIPS converts the physical dimensions of a network segment into a representative site map to accurately track the deployment and operation of authorized devices and use their location to triangulate the location of potentially hostile devices.
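
The two steps described above, sensors reporting what they hear to a central server that classifies rogues and then locates them relative to known positions, are shown below as an added example. It is not AirDefense or Brocade code: the authorized-AP inventory, client list, sensor coordinates and observations are constructed, and the location estimate is a simple RSSI-weighted centroid over the sensors that hear the device (a stand-in for whatever locating algorithm the product uses, with a free-space path-loss exponent assumed). It also flags the "accidental association" case from Figure 2, an authorized client attached to a non-authorized BSSID.

```python
"""Classify beacons seen by WIPS sensors against the authorized-AP inventory,
flag accidental associations, and estimate a rogue's position from the
sensors that hear it.

Added example, not AirDefense code. Inventory, sensor positions, observations
and the path-loss constant are constructed; the position estimate is an
RSSI-weighted centroid, not the product's algorithm.
"""

# Constructed authorized inventory: BSSID -> SSID it is supposed to advertise.
AUTHORIZED_APS = {
    "00-a0-f8-00-00-01": "corp-secure",
    "00-a0-f8-00-00-02": "corp-secure",
    "00-a0-f8-00-00-03": "corp-guest",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())
AUTHORIZED_CLIENTS = {"00-11-22-33-44-55", "00-11-22-33-44-56"}

# Constructed sensor positions on the site map, in metres.
SENSOR_POS = {"sensor-a": (0.0, 0.0), "sensor-b": (10.0, 0.0), "sensor-c": (0.0, 10.0)}
PATH_LOSS_EXPONENT = 2.0  # assumption: free-space-like propagation


def classify_beacon(bssid, ssid):
    """Threat class of one beacon frame."""
    if bssid in AUTHORIZED_APS:
        return "authorized" if AUTHORIZED_APS[bssid] == ssid else "authorized-ap-misconfigured"
    if ssid in CORPORATE_SSIDS:
        # An unknown radio advertising a corporate SSID is the rogue signature worth acting on.
        return "rogue-corporate-ssid"
    return "neighbor"


def classify_association(client_mac, bssid):
    """An authorized client attached to a non-authorized BSSID: accidental association."""
    if client_mac in AUTHORIZED_CLIENTS and bssid not in AUTHORIZED_APS:
        return "accidental-association"
    return "ok"


def estimate_position(rssi_by_sensor):
    """RSSI-weighted centroid: each sensor pulls the estimate toward itself with
    weight 1/d, where d is the log-distance path-loss estimate of its range."""
    total_w = x = y = 0.0
    for sensor, rssi in rssi_by_sensor.items():
        sx, sy = SENSOR_POS[sensor]
        distance = 10 ** (-rssi / (10 * PATH_LOSS_EXPONENT))  # relative range, arbitrary units
        w = 1.0 / distance
        x += w * sx
        y += w * sy
        total_w += w
    return (x / total_w, y / total_w)


def analyze(observations):
    """Correlate sensor reports. Returns ({rogue bssid: {class, position}}, [accidental associations])."""
    heard = {}    # bssid -> {sensor: rssi}
    rogues = {}   # bssid -> class
    accidental = []
    for obs in observations:
        if obs["type"] == "beacon":
            heard.setdefault(obs["bssid"], {})[obs["sensor"]] = obs["rssi"]
            cls = classify_beacon(obs["bssid"], obs["ssid"])
            if cls.startswith("rogue"):
                rogues[obs["bssid"]] = cls
        elif obs["type"] == "assoc":
            if classify_association(obs["client"], obs["bssid"]) != "ok":
                accidental.append((obs["client"], obs["bssid"]))
    located = {b: {"class": c, "position": estimate_position(heard[b])} for b, c in rogues.items()}
    return located, accidental


# Constructed sensor observations (not a real capture).
SAMPLE_OBSERVATIONS = [
    {"type": "beacon", "sensor": "sensor-a", "bssid": "00-a0-f8-00-00-01", "ssid": "corp-secure", "rssi": -45},
    {"type": "beacon", "sensor": "sensor-a", "bssid": "02-de-ad-00-00-01", "ssid": "corp-secure", "rssi": -40},
    {"type": "beacon", "sensor": "sensor-b", "bssid": "02-de-ad-00-00-01", "ssid": "corp-secure", "rssi": -60},
    {"type": "beacon", "sensor": "sensor-c", "bssid": "02-de-ad-00-00-01", "ssid": "corp-secure", "rssi": -60},
    {"type": "beacon", "sensor": "sensor-a", "bssid": "00-1b-63-00-00-09", "ssid": "coffee-shop", "rssi": -70},
    {"type": "assoc", "sensor": "sensor-a", "client": "00-11-22-33-44-56", "bssid": "00-1b-63-00-00-09"},
]
```

With the constructed data, the unknown radio advertising `corp-secure` is reported as a rogue and placed close to `sensor-a`, which hears it 20 dB louder than the other two, while the coffee-shop AP is classed as a neighbor but the authorized client that attached to it is flagged. The weighting is deliberately crude; its value is in ranking which sensor to walk toward, not in metre-level accuracy.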

MEETING AND EXCEEDING THE FIPS CRITERIA

The US Department of Defense (DoD) requires commercial WLAN systems to incorporate extensive measures to protect the voice and data traffic proliferating across a wireless network. In standardizing their WLAN security requirements, the DoD defined Federal Information Processing Standards (FIPS) 140-2 and Common Criteria, including WLAN Access System Protection Profile requirements.

Like most typical DoD WLAN deployments (and their inherent data protection challenges), healthcare, financial, and general enterprise businesses are under increasing pressure to ensure information is secure across their wireless networks. The majority of these institutions are implementing the same standards mandated by the US government. For this reason, FIPS certification has become central to demonstrating a WLAN security deployment accepted by IT professionals for its maturity.

During FIPS 140-2 and Common Criteria certification, a wireless solution must pass a series of comprehensive security tests, including a vulnerability and penetration analysis. The wireless solution's design and its source code are scrutinized by experts to ensure compliance with advanced cryptographic standards. The enterprise-class Brocade Mobility RFS7000 and Brocade Mobility RFS6000 controllers have satisfied FIPS requirements and have been placed on the FIPS 140-2 validation list.

[Figure 2. AirDefense WIPS provides comprehensive rogue threat mitigation. Diagram labels: Laptop; Neighboring AP; Terminated: accidental association; ACL enforced: rogue station; Port suppressed: rogue AP; APs; Sensor; WIPS appliance; Switch.]

AirDefense WIPS Data Protection Mechanisms

• Air Lockdown. Enables network administrators to terminate a connection between a WLAN and an associated access point or wireless client upon the detection of a threat. If the connected device is an access point, the AirDefense WIPS appliance de-authenticates and disassociates all clients associated with it. If the device is a wireless client, the server terminates the client connections to the access point.

• Wireless Termination. Allows an administrator to terminate a connection between a WLAN and any access point or wireless client associated with it.

• Wired Equivalent Privacy (WEP) Cloaking. Enables a Brocade Mobility 300/5181/7131 access point to actively transmit WEP cloaking frames for protecting legacy devices.

• Brocade Mobility 5181/7131 Sensor Conversion. Allows a customer to deploy a single Brocade Mobility 5181/7131 dual-radio model access point as both a traditional infrastructure access point and a WIPS sensor. Sensor conversion on a Brocade Mobility 5181/7131 provides infrastructure support on one radio while scanning on the other radio and using the frames received by the sensor to provide WIPS algorithms.


Brocade Mobility RFS7000 and RFS6000 also fully satisfy the Common Criteria evaluation at Evaluation Assurance Level 4 (EAL4). This represents the highest compliance level with the US government's WLAN Authorization Server Protection Profile for Basic Robustness Environments. This ensures that Brocade's enterprise-class switch solutions are properly certified to meet and exceed the FIPS requirement.

SUMMARY

Wireless networking is changing the way IT approaches network security. The physical characteristics of wireless and the experience of mobility mean information moves more freely, with little regard to physical boundaries. The optimum security approach for wireless is a layered end-to-end approach consisting of encryption, authentication, network access control, and wireless intrusion protection supported across enterprise wireless access point and controller infrastructure.

In response to the pervasive security threats faced by enterprise WLANs, Brocade Mobility features a range of capabilities addressing multi-tiered data protection for enterprise WLANs. Brocade Mobility family supports the strongest and most comprehensive wireless edge security offering, including encryption, firewall support, and authentication.

Brocade Mobility controllers implement a next-generation wireless firewall which supports fine-grained security within an enterprise-level wireless network including location-, user identity-, and role-based policy enforcement.

AirDefense for Brocade Mobility provides industry-leading intrusion protection capabilities for small to very large enterprise.

Brocade Mobility products meet and exceed the US Department of Defense FIPS 140-2 security criteria.

For more information about Brocade products, services, and solutions, visit www.brocade.com.

[Figure 3. Brocade Mobility products provide central security policy management and control with multiple points of enforcement. Diagram labels: Data Center 1, Data Center 2, Branch Office 1, Branch Office 2, WAN, Mesh, Rogue AP; numbered enforcement points as below.]

1. Integrated wireless (Layer 2) firewall on WLAN switch: stateful inspection of WAN traffic

2. Integrated firewall on adaptive AP: Layer 2 stateful inspection of local traffic

3. Adaptive AP simultaneously WIPS sensor for 24x7 monitoring

4. Secure integrated VPN tunnel between WLAN switch and APs


www.brocade.com

© 2009 Brocade Communications Systems, Inc. All Rights Reserved. 01/10 GA-WP-1440-00

Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

Corporate Headquarters: San Jose, CA USA, T: +1-408-333-8000

European Headquarters: Geneva, Switzerland, T: +41-22-799-56-40

Asia Pacific Headquarters: Singapore, T: +65-6538-4700