These are some recent stories of the IT organizations who brought in wireless intrusion prevention systems (WIPS) to secure their network environments against Wi-Fi vulnerabilities and attacks, and what they encountered was the incessant flow of security alerts that they could not keep up with. That is because, the systems constantly crunched signatures and thresholds from wireless traffic to generate volume of alerts for the security admins to consume. Admins could not grasp the enormity of problems that they would face in the production deployments based on the product previews done in the tiny lab setups and based on the marketing material they saw (hey look, we have Gazillion attack signatures, configuration settings, and thresholds in here!). Learn from their experiences, and avoid the destiny they faced by asking the right questions and making the right technology choices early on. AirTight Networks to date has helped thousands of customers avoid such misery by helping them with the strongest WIPS protection without the overhead of ongoing system management. Read more…
BYOD (Bring Your Own Device) seems to be the dominant theme for 2012 in the Wi-Fi infrastructure and security space. As people increasingly bring in personal smartphone devices on the enterprise premises, the network/security administrators are grappling with the security implications. Given how engaging the new smartphone and tablet apps are, conflict arises between the users’ desire and the network/security administrators’ intentions. You need to ensure that this conflict does not turn BYOD into BYOR (Bring Your Own Rogue AP)! Read more…
Shmoocon labs is a group of vendors and attendees who get together before Shmoocon begins for a learning experience. The task – build a stable and SECURE network infrastructure to meet the needs of the convention. The idea is to teach people how to use the hardware from various vendors and make it all work together as a network that remains secure, stable and functional throughout the conference, no matter what.
This year, AirTight’s® wireless intrusion prevention system (WIPS) was handed the responsibility to protect this network from wireless threats. As soon as I deployed the AirTight wireless Sensors in the convention center and fired up the SpectraGuard management console to give a demo at the AirTight booth, I noticed an unusual number of Rogue APs had popped up. More concerning was one Rogue AP that was unencrypted and on the main management network of the conference. Although AirTight’s WIPS had automatically detected and blocked the device immediately, a little detective work was in order. I used SpectraGuard’s location tracking to pinpoint the exact placement of the device.
A quick physical search revealed an Apple Airplay device plugged into the management network. These devices are small and look just like normal Apple power plugs, however, they can also connect to wired networks, create wireless networks, and stream music! The AP was quickly removed from the management network (and placed on the hacker’s playground network). However, the AP was on the management network for over 5 hours of the convention; who knows what would have happened if SpectraGuard was not around to take care of business – switches, firewalls, Wi-Fi, almost anything on the network could have been reconfigured.
I guess it can happen to the best of us, but, once again, it makes the case for layered security – having someone watching your back. As a security professional your job is never done.
The year 2010 witnessed continued growth in the enterprise WiFi deployments. The growth was fueled by the latest 802.11n revision to WiFi technology in the late 2009 and ready availability of WiFi in most consumer electronic devices launched in 2010, including the smart phones, printers, scanners, cameras, tablets, TVs, etc. The year 2010 also witnessed popularity of the specialized WiFi centric devices, such as MiFi.
However, the year 2010 also has some major WiFi security revelations/incidents in its kitty, which re-emphasize the continued need for adoption of the best practices for secure Wi-Fi deployment/usage. Here is the run-down on significant WiFi insecurity events which we witnessed in 2010:
- Windows 7 virtual WiFi can turn a machine into a soft Rogue, which took Rogue AP thinking to a new level beyond the commercially available AP hardware.
- Insecurity exposed due to MiFi like devices after the WiFi malfunction was experienced at two major trade shows in 2010 due to these devices – the first one was Google’s first public demo of Google TV and second was iPhone 4 launch at Apple Worldwide Developers Conference. Though this manifested as performance problem, it did show how easy it had become to set up personal HoneyPot AP or Hotspot AP on enterprise premises. Read more…
Wi-Fi Alliance has (finally) decided to take some giant steps in improving the state of wireless security. Starting Jan 2011, TKIP will be disallowed on new APs and from 2012, it will be disallowed on all Wi-Fi devices. Come Jan 2013, WEP will not be allowed on new APs and from 2014, WEP will be disallowed on all Wi-Fi devices. This is the good news. But, let us also get to the “bad” news.
Windows7 Virtual AP – Why is it a big deal now?
Ever since WiFi radios were available, there have been open source and priced software that allowed users to convert their client cards into APs. While these were available only on Linux based operating systems to start with; ‘Soft AP’ drivers and software has been available for most operating systems for at least a few years now. Also available were USB devices that operate as an AP. In addition; the WiFi interface could always have been put into ad-hoc mode, allowing other clients to connect to it, effectively creating the same vulnerability as a soft AP
So, why is soft AP suddenly a big deal when Windows7 provides this as a built in option in the OS? Read more…
When talking about wired security, enterprise IT administrators talk about multiple layers of defense such as internet firewalls, VPNs, admission control, email filtering, content filtering, web application scanning and many others. It is like a hacker has to peel multiple layers of an onion before getting to the core. Each layer of security is independent and is preferably sourced from different vendors. Each layer compounds the amount of work that a hacker has to perform to get in.
When considering the security of a wireless network, the same enterprise IT administrators are content with the basic security mechanisms integrated into the wireless LAN infrastructure by vendors such as Cisco Systems and Aruba Networks. IT departments have a hard time understanding why an inner layer of defense for wireless network security is needed in the form of an advanced wireless intrusion prevention system (WIPS). The wireless network security posture of an organization is the weakest when the security integrated into wireless LAN infrastructure is the only layer protecting the core network. Without an inner WIPS layer, the core network is open to rogue APs, unauthorized client connections, ad-hoc networks, MAC spoofing and many other attacks that the wireless LAN infrastructure security cannot protect against.
“The notion of a hard, crunchy exterior with a soft, chewy interior [Cheswick, 1990], only provides security if there is no way to get to the interior. Today, that may be unrealistic.” – What Firewalls Cannot Do, Firewalls and Internet security
Rogue APs are Access Points (APs) that are deployed in an enterprise network without the consent of the network administrator. In certain cases, the intent behind a Rogue AP may be benign – for example, an employee who wants to access the network from his favorite corner of the office. While in other cases, a Rogue AP can be deployed with a malicious intent – say, by an attacker or his accomplice.
Sneaking in Rogue APs into an enterprise may not be difficult. Pocket size WiFi APs for less than $50 are readily available in retail stores. Due to spillage of RF signal, a Rogue AP enables an attacker sitting in the parking lot to directly access your enterprise wired network. After interacting with some of our customers and prospects, I have realized that they are familiar with Rogue APs but, lack a complete picture of what all damages one can inflict via a Rogue AP. Hence, I thought of compiling this list of “uses” for a Rogue AP (yes, “use” from the perspective of an attacker or an unauthorized user).
- Data Leakage One of the most basic uses of a Rogue AP is the wealth of information it can expose through leakage of enterprise data. Just by passive sniffing of the leaked data, an attacker can gain information about the users in the network and their communication. Packets may be leaking network related information such as host names & IP addresses (All of us know about tons of broadcast packets that network devices transmit). Or, worse, in some poorly configured networks, sensitive information such as user names, passwords, email and data communication may also leak out.
If you own an enterprise grade local area network (LAN), you need to be aware that wireless (WiFi) based intrusions can potentially be exploited to create security backdoors into your network. This is true even if you have not rolled out your wireless LAN (WLAN) or have rolled out a WLAN that adopts the best-in-breed cryptographic security.
Today, Chief Security Officers (CSOs), Chief Information Officers (CIOs) and network security administrators have different perceptions on the extent of WiFi based intrusions. Hence, they have adopted different solutions to secure their enterprise network from WiFi intrusions.
- At the one end of the spectrum, there are users that believe that wired IDS/IPS and Networks Access Control (NAC) solutions are adequate to thwart this threat.
- Next, there is a class of user who are believe in “moderate security”. They have adopted part time wireless intrusion detection capabilities in their networks.
- At the other end of the spectrum, there are users that believe in dedicated & specialized wireless intrusion detection and prevention (WIPS) systems to defend against this threat.
Independent of which of the above groups you may belong to, here is my list of 5 intrusion detection questions that you need to worry about. If you don’t agree, I would love to hear your views. Read more…