Best Practice Wireless Security

Roger Hockaday
[email protected]
© Copyright 2009. Aruba Networks, Inc. All rights reserved
Aruba at a glance
• #2 worldwide in Enterprise WLAN
• Positioned as a Leader in Gartner’s WLAN Magic Quadrant
• Russell® 2000/3000 Index Company
• >7,500 customers across 130 countries
Copyright © Gartner, Inc. "Magic Quadrant for Wireless LAN Infrastructure, 2008" by Michael J. King and Timothy Zimmerman, 26 November 2008. The Magic Quadrant is copyrighted 2008 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Does this represent wireless security?
“One of my objectives is to provide a level of security on our wired network that matches the security of my wireless network”
Denis Corée, CIO, Conservatoire National des Arts et Métiers
Security challenges to WLAN users
[Chart: threats plotted by Threat (increasing) against Probability (increasing), ranging from “User Error” to “Malicious”]
• Multi-tenant BSSID
• Ad-hoc & Bridging
• Exploration
• Misconfigured AP
• Evil Twin
• Signature
• Man in the Middle
• DOS
• RF Interference
Security myths
• Ban wireless
• RF Engineering
• SSID Cloaking
• Open wireless
Realities
Encrypt Your Data
• Don’t: WEP is simple to break
• If intruders can’t read the data, there’s no need to worry where it goes
• WPA-PSK (and WPA2-PSK)
  • Non-dictionary based passphrases improve security
• WPA (or WPA-2) with TKIP
  • Not recommended
• WPA-2 with CCMP/AES
  • State of the Art
• Authenticate
  • With or without PKI
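The WPA-PSK passphrase point above can be made concrete with the Pairwise Master Key derivation that WPA-PSK and WPA2-PSK share: the PMK is a deterministic function of the passphrase and the broadcast SSID, so the passphrase is the only secret and a dictionary-based one is the weak link. This is an added example, not code from the deck or from Aruba; the mini wordlist, the leetspeak mapping and the dictionary heuristic are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a real dictionary; a deployment would load a
# full wordlist. Everything in this block is example code, not Aruba's.
COMMON_WORDS = {"password", "welcome", "wireless", "company", "letmein"}

# Loose leetspeak mapping used to undo common passphrase "decoration".
LEET = str.maketrans("01345@$", "oleasas")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK Pairwise Master Key as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is sent in every beacon, so the passphrase is the only
    secret input; a dictionary passphrase makes the PMK guessable."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_problems(passphrase: str, wordlist=COMMON_WORDS) -> list:
    """Policy check for a candidate PSK passphrase; empty list means accept.
    Length/charset limits are the 802.11 ones; the dictionary heuristic
    (strip case, digits, punctuation and leetspeak, then look for a word
    of five or more letters) is this example's own assumption."""
    problems = []
    if (not 8 <= len(passphrase) <= 63 or not passphrase.isascii()
            or not passphrase.isprintable()):
        problems.append("must be 8-63 printable ASCII characters")
    core = re.sub(r"[^a-z]", "", passphrase.lower().translate(LEET))
    hit = next((w for w in sorted(wordlist) if len(w) >= 5 and w in core),
               None)
    if hit:
        problems.append(f"contains dictionary word '{hit}'")
    return problems


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("P@ssw0rd2009", "Tq7!vR2#pL9&wX4z"):
        print(candidate, passphrase_problems(candidate) or "accepted")
```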
Role Based Separation
Multiple classes of users on same infrastructure are kept separate
[Diagram: Wireless Mobility Controller with AAA Services (Radius, LDAP, AD), connected through Switch and Router; each user class receives its own Rights, QoS and VLAN]
• Faculty: Rights, QoS, VLAN
• Student: Rights, QoS, VLAN
• VoIP Device: Rights, QoS, VLAN
• Guest user: Rights, QoS, VLAN
• Captive Portal
Policy Enforcement: Stateful Per-user Firewall
Don’t forget to secure 802.11n
• Authentication, Encryption, Access control remain unchanged from 802.11a/b/g
• Major implications for WIDS/WIPS
“A basic principle is that complexity is the enemy of good security.” “By delivering secure systems that follow the path of least resistance, you are more likely to succeed … But bake security in; don’t bolt it on.”
Paul Simmonds, global information security director at ICI
Thank you