As Wi-Fi deployments extend into large distributed environments, management of these Wi-Fi networks poses unique challenges. It could be the clinic-wide deployment for the medical facility running into 100’s of sites, branch-wide deployment for the bank running into 1000’s of sites, or store-wide deployment for the fast food restaurant running into 10,000’s of sites. The network and security management needs for such deployments are very different from the traditional campus Wi-Fi. Accordingly, the network management console has to deliver on a number of fronts.
These are some recent stories of IT organizations that brought in wireless intrusion prevention systems (WIPS) to secure their network environments against Wi-Fi vulnerabilities and attacks, and what they encountered was an incessant flow of security alerts that they could not keep up with. That is because the systems constantly crunched signatures and thresholds from wireless traffic to generate a volume of alerts for the security admins to consume. Admins could not grasp the enormity of the problems they would face in production deployments based on the product previews done in tiny lab setups and on the marketing material they saw (hey look, we have Gazillion attack signatures, configuration settings, and thresholds in here!). Learn from their experiences, and avoid the destiny they faced by asking the right questions and making the right technology choices early on. AirTight Networks to date has helped thousands of customers avoid such misery by helping them with the strongest WIPS protection without the overhead of ongoing system management.
Barely two weeks after I posted my last blog discussing the benefits of true cloud Wi-Fi over the controller-over-WAN architecture, using Cisco FlexConnect as an example of the latter, news of Cisco acquiring Meraki broke out. I got a kick out of it since it showed that my inferences on Cisco FlexConnect and other controller centric offerings were spot on, that they can never become real cloud Wi-Fi by incremental touchups and jargon experimentation. I also got a kick out of its timing — 1.2B acquisition barely 2 weeks after I wrote that post! There are several takeaways for the future of cloud Wi-Fi from this big event. First and most obvious is that the cloud Wi-Fi market is expanding rapidly. Another takeaway is that for the vendors already committed to the controller centric WLAN architecture, migration to cloud architecture is not incremental, but it is disruptive. Cisco could not do the migration in-house even after trying for a few years with incremental changes like REAP, H-REAP, ELM, and FlexConnect. As I said in my last blog, cloud Wi-Fi is not about throwing the controller over the WAN, but it needs to be architected differently from the bottom up. Finally, it also shows that with the standardization of access point platforms, differentiation in mainstream enterprise Wi-Fi will come from innovations in the application space such as network management, security, and integration with other services.
AirTight envisioned the value of cloud managed Wi-Fi solutions way back in 2008, when it was the first to launch wireless intrusion prevention (WIPS) and wireless PCI compliance solutions from the cloud (cloud used to be called SaaS at that time). It saw wholehearted acceptance from customers for Wi-Fi security and compliance applications. Having seen the benefits of the cloud Wi-Fi security offering, those same customers then wanted Wi-Fi access bundled with security in the AirTight cloud offering and AirTight answered their call in 2010. AirTight’s cloud managed Wi-Fi access with built-in PCI compliance saw tremendous success in the market. Riding on this second wave of success in the cloud strategy, AirTight then launched cloud managed enterprise grade Wi-Fi access with its highly acclaimed, absolute best-in-class WIPS built into it.
Due to strong security posture, extreme scalability, and unique management capabilities, AirTight Cloud Services™ are not just for the midmarket, but also fit very well at scales many times as big. No wonder organizations even as large as multiple 10,000’s of distributed locations have selected AirTight cloud Wi-Fi over all competing Wi-Fi solutions! I am excited to see the cloud Wi-Fi market ignited by Cisco right at the time when AirTight has reached a great level of maturity on its cloud Wi-Fi offerings over all these years.
Take the BYOD survey and enter to win an 8GB iPod Touch.
The BYOD trend is causing new security concerns for enterprise network and data security. Corporate users (e.g. employees, contractors) are accessing the enterprise network and data, and bypassing corporate security controls, using their personal Wi-Fi devices. This uncontrolled access can open wireless backdoors into the enterprise network and lead to malicious activity, leakage of sensitive data, and exposure to malware.
Phones are increasingly becoming portals to the outside world, with their own networks that can bridge Wi-Fi security and give an unauthorized laptop access. AirTight would like a minute of your time to understand how pervasive these devices are in your organization and if they have affected the way you address network security.
As a thank you for helping AirTight with this short survey, two names will be drawn at random to win an 8GB iPod Touch. To be entered in the drawing please submit your contact information at the end of this survey.
BYOD (Bring Your Own Device) seems to be the dominant theme for 2012 in the Wi-Fi infrastructure and security space. As people increasingly bring in personal smartphone devices on the enterprise premises, the network/security administrators are grappling with the security implications. Given how engaging the new smartphone and tablet apps are, conflict arises between the users’ desire and the network/security administrators’ intentions. You need to ensure that this conflict does not turn BYOD into BYOR (Bring Your Own Rogue AP)!
As the BYOD (Bring Your Own Device) tide rises, network and security admins wonder if their existing Wi-Fi infrastructure security will hold up. In particular, will WPA2 with PEAP, which is pretty much the norm for Wi-Fi infrastructure security in enterprise networks today, continue to be adequate? WPA2 with PEAP is simple enough, still strong enough, and has served enterprise Wi-Fi security needs very well over the past several years. The forthcoming BYOD revolution, however, poses a new challenge for WPA2 and will require additional thinking on the part of network and security admins about how to complement PEAP to address some of the BYOD security issues. This new challenge comes from the ease with which people can bring personal mobile devices onto the enterprise premises and connect them to the WPA2 enterprise Wi-Fi network without administrator knowledge or help.
Shmoocon labs is a group of vendors and attendees who get together before Shmoocon begins for a learning experience. The task – build a stable and SECURE network infrastructure to meet the needs of the convention. The idea is to teach people how to use the hardware from various vendors and make it all work together as a network that remains secure, stable and functional throughout the conference, no matter what.
This year, AirTight’s® SpectraGuard® wireless intrusion prevention system (WIPS) was handed the responsibility to protect this network from wireless threats. As soon as I deployed the AirTight wireless Sensors in the convention center and fired up the SpectraGuard management console to give a demo at the AirTight booth, I noticed an unusual number of Rogue APs had popped up. More concerning was one Rogue AP that was unencrypted and on the main management network of the conference. Although AirTight’s WIPS had automatically detected and blocked the device immediately, a little detective work was in order. I used SpectraGuard’s location tracking to pinpoint the exact placement of the device.
A quick physical search revealed an Apple Airplay device plugged into the management network. These devices are small and look just like normal Apple power plugs; however, they can also connect to wired networks, create wireless networks, and stream music! The AP was quickly removed from the management network (and placed on the hacker’s playground network). However, the AP was on the management network for over 5 hours of the convention; who knows what would have happened if SpectraGuard was not around to take care of business – switches, firewalls, Wi-Fi, almost anything on the network could have been reconfigured.
I guess it can happen to the best of us, but, once again, it makes the case for layered security – having someone watching your back. As a security professional your job is never done.
Right when the Wi-Fi access and security management are moving towards the controller-less architecture, another interesting architecture seems to have evolved at the other extreme. This architecture seems to be advocating not one, but two WLAN controllers in tandem – and that too from two different vendors. And, some optional (additional?) security management servers on top of the tandem. You think I am kidding? Then check this announcement from Aruba Networks, which is a leading controller-based WLAN vendor: http://www.arubanetworks.com/solutions/by-application/byod-services-on-your-existing-wi-fi/. The stated business case seems to be to put a band-aid on the Cisco WLAN’s (another leading controller-based WLAN vendor) insufficient security features.
In this case, the tandem is only for BYOD security, but as a matter of fact there are many more security gaps that will still remain to be addressed even after the twin tandem controllers are deployed. Would we need a third WLAN controller in the tandem to fill the remaining security gap, and who might provide that? Or, is it just easier to deploy a controller-less comprehensive WIPS solution (and that too with the onsite or cloud option) and secure the Cisco WLAN once and for all? Just a practical thought.
This month, AirTight Networks’ flagship product, SpectraGuard® Enterprise, achieved FIPS 140-2 validation from the National Institute of Standards and Technology (NIST) of the United States and the Communications Security Establishment of Canada (CSEC).
These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions. See background information for more details.
Simultaneously, AirTight’s SpectraGuard Server passed TIC tests for inclusion on the DISA UC APL. The DISA UC APL is the single consolidated list of products that have completed interoperability (IO) and information assurance (IA) certification. Use of the DoD UC APL allows DoD Components to purchase and operate UC systems over all DoD network infrastructures.
AirTight’s products are deployed worldwide in many of the most security sensitive United States government and defense organizations to assure security and compliance with requirements such as DoD 8420.01, FISMA and guidelines from the National Institute of Standards and Technology (NIST). Because AirTight products are always kept up-to-date with certifications such as FIPS 140-2, Common Criteria and DISA, government and defense agencies can take advantage of the powerful wireless security technology provided by AirTight.
Recall the “Skyjacking” vulnerability discovered in Cisco LAPs a couple of years ago? It allowed a hacker to transfer control of enterprise Cisco LAPs from the enterprise WLC to a hacker-controlled WLC on the Internet with an over-the-air attack. Once control is transferred, the hacker could change the configuration on those LAPs in any way by adding, deleting and modifying SSIDs. The hacker could also tamper with Cisco monitor mode APs and take away the security layer. Cisco Skyjacking exploited a vulnerability in Cisco’s over-the-air controller discovery protocol.
Now a similar vulnerability seems to have been discovered in Aruba OS and AirWave console. The advisory states: “[a]n attacker could plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN and might trigger a XSS vulnerability in reporting section of the ArubaOS and AirWave WebUIs. This vulnerability could potentially be used to execute commands on the controller with admin credentials.” Though the modus operandi is different from Cisco’s, the end result is similar – transferring control of the Wi-Fi controller to the hacker by launching an over-the-air attack.
No system is free from vulnerabilities and such things will continue to be discovered. But, you don’t have to give away “hack one, get one free”. You don’t have to give hackers control of Wi-Fi coverage and Wi-Fi security in a single shot. This can be achieved by ensuring that the Wi-Fi security layer operates independently of the Wi-Fi infrastructure.
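The advisory quoted above describes an SSID, an attacker-chosen string of up to 32 octets broadcast over the air, reaching a management WebUI report unescaped. The following is an added example, not code from the original post or from any vendor's product; the function names and the sample scan data are constructed for illustration. It shows that flaw class beside an output-encoded version, plus a simple flag for SSIDs that carry markup or non-printable characters.

```python
import html

MAX_SSID_OCTETS = 32          # an 802.11 SSID element carries 0-32 arbitrary octets
MARKUP_CHARS = set("<>&\"'")  # characters with meaning in HTML text and attributes

def ssid_to_display(raw: bytes) -> str:
    """Decode over-the-air SSID octets into a printable string (not yet HTML-safe)."""
    if len(raw) > MAX_SSID_OCTETS:
        raise ValueError("SSID longer than 32 octets")
    if not any(raw):
        return "(hidden)"     # zero-length or all-NUL SSID
    text = raw.decode("utf-8", errors="replace")
    return "".join(ch if ch.isprintable() else "\ufffd" for ch in text)

def render_row_unsafe(bssid: str, raw_ssid: bytes) -> str:
    """Flaw class from the advisory: attacker-chosen SSID pasted into markup."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (bssid, raw_ssid.decode("utf-8", "replace"))

def render_row_safe(bssid: str, raw_ssid: bytes) -> str:
    """Same report row with every field HTML-encoded at the point of output."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(bssid, quote=True),
        html.escape(ssid_to_display(raw_ssid), quote=True),
    )

def is_suspicious(raw_ssid: bytes) -> bool:
    """Flag SSIDs with markup or non-printable characters for analyst review.
    Legitimate names can contain '&' or quotes, so this is a hint, not a block rule."""
    text = raw_ssid.decode("utf-8", errors="replace")
    return any(ch in MARKUP_CHARS or not ch.isprintable() for ch in text)

# Constructed scan results (BSSID, raw SSID octets); not captured from a real network.
SAMPLE_SCAN = [
    ("00:11:22:33:44:55", b"CorpWiFi"),
    ("66:77:88:99:aa:bb", b"<script>alert(1)</script>"),
    ("02:00:00:00:00:01", b"caf\xc3\xa9 \xff\x00guest"),
    ("02:00:00:00:00:02", b""),
]

def build_report(scan):
    """Return (safe HTML rows, BSSIDs whose SSID should be reviewed)."""
    rows = [render_row_safe(bssid, ssid) for bssid, ssid in scan]
    flagged = [bssid for bssid, ssid in scan if is_suspicious(ssid)]
    return rows, flagged

if __name__ == "__main__":
    rows, flagged = build_report(SAMPLE_SCAN)
    print("\n".join(rows))
    print("flagged for review:", flagged)
```

Encoding at output time is what neutralizes the SSID; the flag only helps an analyst notice that someone nearby is broadcasting markup.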