BYOD (Bring Your Own Device) seems to be the dominant theme for 2012 in the Wi-Fi infrastructure and security space. As people increasingly bring personal smartphones onto enterprise premises, network and security administrators are grappling with the security implications. Given how engaging the new smartphone and tablet apps are, conflict arises between the users’ desires and the network and security administrators’ intentions. You need to ensure that this conflict does not turn BYOD into BYOR (Bring Your Own Rogue AP)!
As the BYOD (Bring Your Own Device) tide rises, network and security admins wonder whether their existing Wi-Fi infrastructure security will hold up. In particular, will WPA2 with PEAP, which is pretty much the norm for Wi-Fi infrastructure security in enterprise networks today, continue to be adequate? WPA2 with PEAP is simple enough, still strong enough, and has served enterprise Wi-Fi security needs very well over the past several years. The forthcoming BYOD revolution, however, poses a new challenge for WPA2 and will require additional thinking on the part of network and security admins about how to complement PEAP to address some of the BYOD security issues. This new challenge comes from the ease with which people can bring personal mobile devices onto the enterprise premises and connect them to the WPA2 enterprise Wi-Fi network without administrator knowledge or help.
Shmoocon labs is a group of vendors and attendees who get together before Shmoocon begins for a learning experience. The task – build a stable and SECURE network infrastructure to meet the needs of the convention. The idea is to teach people how to use the hardware from various vendors and make it all work together as a network that remains secure, stable and functional throughout the conference, no matter what.
This year, AirTight’s® wireless intrusion prevention system (WIPS) was handed the responsibility to protect this network from wireless threats. As soon as I deployed the AirTight wireless Sensors in the convention center and fired up the SpectraGuard management console to give a demo at the AirTight booth, I noticed an unusual number of Rogue APs had popped up. More concerning was one Rogue AP that was unencrypted and on the main management network of the conference. Although AirTight’s WIPS had automatically detected and blocked the device immediately, a little detective work was in order. I used SpectraGuard’s location tracking to pinpoint the exact placement of the device.
A quick physical search revealed an Apple Airplay device plugged into the management network. These devices are small and look just like normal Apple power plugs; however, they can also connect to wired networks, create wireless networks, and stream music! The AP was quickly removed from the management network (and placed on the hacker’s playground network). However, the AP was on the management network for over 5 hours of the convention; who knows what would have happened if SpectraGuard was not around to take care of business – switches, firewalls, Wi-Fi, almost anything on the network could have been reconfigured.
I guess it can happen to the best of us, but, once again, it makes the case for layered security – having someone watching your back. As a security professional your job is never done.