• No results found

Wireless Security with Cyberoam

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Wireless Security with Cyberoam"

Copied!
8
0
0

Loading.... (view fulltext now)

Download now ( 8 Page )

Full text

(1)

Cyberoam UTM

White paper

www.cyberoam.com

Robust, Fault-tolerant security is a must for companies sporting wireless networks. Cyberoam UTM strengthens the existing Wireless Security Architecture of these companies and overcomes most challenges of securing their legacy IEEE 802.11 wireless local area networks (WLAN).

(2)

Contents

Need For Wireless Security

Challenges of Securing Wireless LANs Existing Wireless LAN Security Architectures The Cyberoam Edge

Conclusion References

... 3

... 3

... 5

... 7

... 8

(3)

Need For Wireless Security

Challenges of Securing Wireless LANs

While security is important for all networks, wireless LANs deserve special consideration since they are subject to a much heightened level of risk. First, since wireless networks extend beyond the walls of an organization, physical security is far less effective than with wired networks. Secondly, wireless network abuse has become more common with tools that assist wireless hacking being widely available, resulting in companies increasingly falling at risk from targeted attacks. Finally, 802.11 protocols operating on unlicensed spectrum use well-understood protocols, resulting in a proliferation of devices that are able to access corporate networks.

Wireless networks are also subject to several regulations that mandate high security networks including PCI, HIPAA, and SOX. The credit card industry requires those processing credit card transactions to comply with PCI standards in order to mitigate the chances of card

number theft and fraud. All merchants using payment cards must build and maintain a secure network to protect and encrypt cardholder data, and regularly monitor and test their networks including wireless networks.

The Health Insurance Portability and Accountability Act (HIPAA), was enacted by the U.S. Congress in 1996. Many health care institutions are covered by it and required to maintain administrative, technical and physical safeguards to ensure integrity and confidentiality of patient data. Wireless networks are potentially vulnerable and must be secured in order to comply.

Finally, public companies are subject to the Sarbanes-Oxley act (SOX) and similar measures outside the U.S. SOX requires companies to maintain and assess internal control structures and procedures for financial reporting and to assess the effectiveness of these internal control structures. Network security is typically part of the control review. Thus, a combination of regulatory requirements as well as common sense make wireless security an important consideration.

In this section, we would look at the “Security Objectives” of Wireless LAN along with some of the challenges in achieving them.

Like every other Information system, Wireless LAN needs to support the basic “security objectives”. They are:

• Confidentiality : Ensures that communication cannot be read by unauthorized parties

• Integrity: Detect any intentional or unintentional changes to data that occur in transit

• Availability: Ensure that devices and individuals can access WLAN and its resources whenever needed.

Wireless networks are subjected to a much heightened level of risk than their wired counterparts what with wireless hacking tools becoming more commonplace.

(4)

Wireless LANs also face all major high level threat categories like every other information system. The threats are summarized below:

Most threats against wireless networks involve an attacker with access to the radio link between wireless devices. Several threats listed in the table above rely on an attacker's ability to intercept and inject network communications. This highlights the most significant difference between protecting wireless and wired networks: the relative ease of intercepting wireless network transmissions and inserting new or altered transmissions from what is presumed to be the authentic source. To breach a wired network, an attacker would need to gain physical access to the network or remotely compromise systems in there; for a wireless network, an attacker simply needs to be within the range of the wireless transmissions, making eavesdropping a particularly prevalent threat. (Some attackers use highly sensitive directional antennas, which can greatly extend the effective range of attack on wireless networks beyond the standard range.) Another consideration in threats against wireless networks is that in many cases, a wireless network is logically connected to a wired network, so the wireless network should be secured against both threats that wired networks typically face and the threats that are specific to wireless networks.

In addition to eavesdropping, another common threat against wireless networks is the deployment of rogue wireless devices. For example, an attacker could deploy a wireless access point (AP) that has been configured to appear as part of the organization's wireless network infrastructure. This provides a backdoor into the wired network, bypassing perimeter security mechanisms such as firewalls. In addition, if clients inadvertently connect to the rogue device, the attacker can view and manipulate the clients' communications.

Threat Category Description

Denial of Service Attacker prevents or limits the normal use or management of networks or network devices. Eavesdropping Attacker passively monitors network

communications for data, including authentication credentials.

Man-in-the-Middle Attacker actively impersonates multiple legitimate parties, such as appearing as a client to an AP and appearing as an AP to a client. Allows attacker to intercept communications between an AP and a client, thereby obtaining authentication

credentials and data.

Masquerading Attacker impersonates an authorized user and gains certain unauthorized privileges.

Message Modification Attacker alters a legitimate message by deleting, adding to, changing, or reordering it.

Message Replay Attacker passively monitors transmissions and retransmits messages, acting as if the attacker were a legitimate user.

Misappropriation Attacker steals or makes unauthorized use of a service.

Traffic Analysis Attacker passively monitors transmissions to identify communication patterns and participants. The most significant difference

b et we e n w i re l e s s a n d w i re d networks is the relative ease of intercepting wireless network transmissions and inserting new or altered transmissions from what is presumed to be the authentic source.

(5)

Denial of service (DoS) situations are another threat against wireless networks. Examples are flooding (an attacker sends large numbers of messages at a high rate to prevent the wireless network from processing legitimate traffic) and jamming (a device emits electromagnetic energy on the wireless network's frequency to make it unusable). Jamming often occurs unintentionally; for example, microwave ovens, cordless telephones, and other devices share bandwidth with certain wireless technologies and the devices' operation can inadvertently make wireless networks in proximity unusable. Denial of service conditions can also be caused through protocol manipulation such as improper requests or responses that cause devices to enter abnormal states.

In this section, we will look at the existing security architectures for Wireless LAN and their limitations. This section described WEP and WPA which are designed to protect link-level data during wireless transmission between clients and APs. As figure below shows, WLAN standards cannot provide end-to-end security because they are only used for the wireless link between the AP and STA.

Designed for Wireless Local Area Networks (WLANs), WEP provides wireless security equivalent to that of a wired LAN. While it is still considered to be a basic deterrent, it has several known flaws that any moderately skilled hacker could exploit with just a little time and a few tools.

At the March 2005 meeting of the Information Systems Security Association (ISSA) in Los Angeles, a team of FBI agents were easily able to hack into a WEP-protected network in approximately three minutes.

Wired Equivalent Privacy (WEP)

Existing Wireless LAN Security Architectures

At the March 2005 meeting of the

Information Systems Security Association (ISSA) in Los Angeles, a team of FBI agents were easily able to hack into a WEP-protected network in approximately three minutes.

Security is Provided Through Other Means

IEEE 802.11 Security

Printer

Work Stastion

Switch

Server

STA AP

(6)

While WEP is regarded as the baseline from which subsequent, WEP has several significant security problems, most of them cannot be solved by reconfiguration of WEP itself. For example, increasing the length of the WEP key would only marginally increase the time needed to decrypt packets. WEP does not provide an acceptable level of wireless transmission security, so it should not be the sole security mechanism used in legacy IEEE 802.11 WLAN deployments.

Built upon the foundation of WEP, WPA was created in 2002 to bring enhanced LAN security to the wireless market. WPA uses Temporal Key Integrity Protocol (TKIP) encryption using the same RC4 algorithm as WEP for encryption, but adding sophisticated key management and effective message integrity checking. Developed in conjunction with the IEEE 802.11 Standards Working Group for WLANs, WPA effectively replaced WEP and the other security features of the original 802.11 standard.

WPA offers dynamic key encryption and mutual authentication. It secures both email packet headers and their payloads, and provides a deterrent to replay attacks. WPA's enhanced encryption is an ideal solution for wireless networks that deal with many different types of 802.11 radio Message Integrity Checks (MICs) such as public hotspots. Most leading wireless access point and chip set vendors have lent their support to WPA.

WPA is not a miracle cure however, and as with any new solution that addresses existing issues, new issues have emerged as a result. Like its predecessor WEP, WPA has been found to have weaknesses that can be used to bring down a network. Two attack techniques adept at exploiting WPA vulnerabilities are dictionary attacks and Denial of Service (DoS) attacks. Though Wi-Fi protected access (WPA) is currently the most commonly used mechanism for protecting users of wireless networks, protection is afforded by authenticating users of the network and encrypting communication which travels through the wireless medium. However, WPA is limited in the amount of protection offered in networks which use a pre-shared key (WPA-PSK) for authentication, as anyone holding the PSK may eavesdrop on other authorized users. Hence,

The second generation of WPA, known as WPA2, replaced TKIP encryption with 128-bit Advanced Encryption Standard (AES) encryption for compliance with FIPS140-2 government security requirements.

With each successive generation of standards, there are new issues to address. WPA2 requires a dedicated chip to handle the encryption and decryption which for many will mean a hardware upgrade in order to take advantage of the benefits.

To summarize it all, the existing wireless security architectures are either expensive or do not provide security in a real sense. The Wireless Administrator is not able to create a roaming profile for a wireless user. Also, none of the existing technologies take rogue access point into consideration and protect the wireless users' data from being compromised.

Wi-Fi Protected Access (WPA)

WPA is most effective when supplemented with other wireless security precautions.

Wi-Fi Protected Access 2 (WPA2)

WPA uses Temporal Key Integrity Protocol (TKIP) encryption using the same RC4 algorithm as WEP for encryption, but adding sophisticated key management and effective message integrity checking.

(7)

The Cyberoam Edge

We discussed the challenges of securing Wireless LANs and along with the existing Wireless LAN security architectures. Cyberoam does include each and every security architecture discussed in the previous section. In this section though, we would concentrate on how Cyberoam's Layer-8 “Identity Based Firewall” helps fortify existing Wireless LAN security architectures. Cyberoam's Layer-8 “Identity based firewall” technology was developed out of the need for a more robust technology to secure LANs. This functionality is extended to Wireless LANs as well. Cyberoam provides user identity as a matching criteria within the firewall rules. This takes organizations a step ahead of conventional security appliances which bind security to IP addresses. This is depicted below:

Cyberoam's “Identity Based Firewall” acts as the functional core of the appliance ensuring that you can segment the wireless network for employees and guest. Using this technology, the administrator is able to create a “roaming profile” for every user in the Wireless LAN. Also, he can define access to the wired LANs and extranet servers/DMZ based on user identity. Cyberoam incorporates integration with various directory services like the Active Directory, LDAP and RADIUS to ensure that its “identity based firewall” does not hamper the flexibility with which businesses are run. Moreover, it includes flexible modes of authentication like the “Single Sign On” to have users identify themselves to the appliance transparently.

Cyberoam has a Wireless IDS/IPS system which can identify rogue Access points on the LAN and prevent “man in the middle” attacks. This can also detect ad hoc networks and other possible violators of the enterprise Wireless security policy. With an integrated IPS system, identity-based alerts and reports are generated every time DoS/DDoS attack, malicious code transmission, backdoor activity or blended threats occur due to the wireless user activities.

Cyberoam's identity based content filter ensures that the Wireless users are compliant with the organization's Internet Access Policy. It also takes application filtering into consideration. The “application filter” can recognize various bandwidth hungry applications and prevent the users from accessing that.

User Identity-based Security Policy Controls

Cyberoam UTM offers security across Layer 2-Layer 8 using Identity-based policies

Cyberoam's Layer 8 Technology treats “User Identity” as the 8th Layer in the protocol stack Application Presentation Session Transport Network Data Link Physical USER L7 L8 L6 L5 L4 L3 L2 L1 00-17-BB-8C-E3-E7 192.168.1.1 TCP, UDP L2TP, PPTP ASCII, EBCDIC, ICA Cyberoam's Layer-8 “Identity based

firewall” technology, developed out of the need for a more robust technology to secure LANs, helps fortify existing Wireless LAN security architectures.

(8)

Conclusion

Cyberoam UTM offers high performance, layer 8 based security over WLAN networks in order to secure wireless network to the same extent as wired networks. Cyberoam offers strong user authentication, Internet access controls and reports with an identity approach and offers a separate Guest and Employee Network Access. With this, it has the ability to trace user specific activities while reducing the risk of information theft and liability of Cyberoam terrorism attacks.

Toll Free Numbers

USA : | India : APAC/MEA : | Europe :

+1-800-686-2360 1-800-301-00013 +1-877-777-0368 +44-808-120-3958

C o p y r i g h t © 1999-2011 E l i t e c o r e Te c h n o l o g i e s Pvt. L t d. A l l R i g h t s R e s e r v e d . Cyberoam & Cyberoam logo are registered trademarks of Elitecore Technologies Ltd. ®/TM: Registered trade marks of Elitecore Technologies or of the owners of the Respective Products/Technologies.

Although Elitecore attempted to provide accurate information, Elitecore assumes no responsibility for accuracy or completeness of information neither is this a legally binding representation. Elitecore has the right to change, modify, transfer or otherwise revise the publication without notice.

Cyberoam Product Portfolio

Data Protection & Encryption

Device Management

Application

Control AssetManagement

Cyberoam Endpoint Data Protection

References

NIST: Guide to securing Legacy IEEE 802.11 Wireless Networks

Unified Threat Management(UTM)

C y b e r o a m U T M o f f e r s h i g h performance, layer 8 based security over WLAN networks in order to secure wireless network to the same extent as wired networks.

References

Download now ( PDF - 8 Page - 1.12 MB )

Related documents

A critique of pure public reason

the most reasonable terms of fair co-operation, those proposing them must also think it at least reasonable for others to accept them, as free and equal citizens, and not as

Tumor-stroma interactions influence the response to PI3K targeted agents in preclinical models of colorectal cancer (CRC)

Overall, the work conducted so far demonstrates that in a preclinical model of CRC: 1) sensitivity to MAPKi is dictated mostly by the tumor genetic background

WNT signalling in prostate cancer

sFRPs do not always inhibit WNT signalling; for example, sFRP2 potentiates WNT-16B signalling to promote PC3 prostate cancer cell resistance to mitoxantrone, a

Improving investment decisions with simulated experience

We find that simulated experience considerably improves participants’ understanding of the underlying risk -return profile and prompts them to reconsider their investment

newtons laws of motion

Newton’s Laws of Motion  1 1 st st Law Law – An object at rest will stay at – An object at rest will stay at.. rest, and an object in motion

Filed oct. 1, ,035,594

operating the called and calling line relays to connect the common trunk line through their associated contacts to the calling and called lines, a common cut-oiî

Using Rural Household Income Survey Data to Inform Poverty Analysis: An Example from Mozambique

Official poverty estimates are based on the IAF (MPF, 2004). The analytical steps we apply to these data are 1) measurement of household income; 2) estimation of poverty incidence

Louis Wirth - The Ghetto

however, in the thirteenth century.• There still remains in the Jewish prayer books a special prayer for the sovereign which is based upon this medieval institution.