AirTight Networks WIPS at Wireless Field Day 6 WFD6
- 1. @AirTight WIPS
#WFD6, Jan 29, 2014
Part 1: WIPS Product Demo, Rick Farina (@RickLikesWIPS)
Part 2: Technology Deep Dive, Hemant Chaskar (@CHemantC)
© 2014 AirTight Networks, Inc. All rights reserved.
- 2. AirTight WIPS
§ Overlay WIPS or WIPS as part of AirTight APs
§ Best in the industry
§ Customer base of 1500+ enterprises including large/Fortune companies, Government & DoD
§ Extensive patent portfolio
- 3. WIPS Basics
§ WIPS addresses threat vectors orthogonal to WPA2
§ Offers protection for both
- Wired network (e.g. rogue APs), and
- Wireless clients/connections (e.g. Evil Twin)
§ Requires scanning all channels (not just managed AP channels)
- Dedicated & background scanning radios
- 5. Traditional Approach
§ User defined rules for classifying devices as managed, neighbor, rogue
§ Signature matching on packet fields to detect attack tools
§ Packet statistics based anomaly detection
§ Lots of alerts
§ Manual intervention driven reactive workflow
- 6. User Defined Rules Are No Match For Wireless Environment
§ Requires cumbersome configuration of rules
§ Can’t keep up with dynamic wireless environment
- 7. User Defined Rules Are More Nuisance Than Help
§ Device alerts, false alarms, manual intervention to act on alerts
§ Fear of automatic prevention
- 8. Signature Matching On Packets Is False Alarm Prone
§ Not all attack tools have signatures
§ Signature fields in tools are modifiable
§ Signatures lag attack tools
§ Result: the signature matching approach creates abundant false positives & negatives
Does anyone still think that (SSID) signatures are a good idea?
- 9. Packet Anomaly Detection On Unknown Thresholds
§ Inaccurate stats based on partial observation
- Scanning sensor
- RSSI limitations
§ It doesn’t help to give threshold comparators when users don’t know the right thresholds
- Right threshold to catch real threats while avoiding false alarms
- 10. Changing the Status Quo
[Figure: WIPS Compass, contrasting the Traditional Approach with the AirTight Approach]
- 11. Traditional vs AirTight
§ Traditional: Overhead of user defined rules for device categorization. AirTight: Out of box auto-classification into intrinsic categories.
§ Traditional: Signatures & threshold anomaly detection. AirTight: Proactive blocking of risky connections.
§ Traditional: Constant manual intervention. AirTight: Highly automated.
§ Traditional: Alert flood. AirTight: Concise alerts.
§ Traditional: Fear of automatic prevention. AirTight: Reliable automatic prevention.
- 12. AP Auto-classification into Foundation Categories
§ No user configured rules (SSID, OUI, RSSI, …)
§ Runs 24x7
All APs visible:
- Managed APs (Static Part): Authorized APs
- Unmanaged APs (Dynamic Part): Rogue APs or External APs
- 13. Marker Packets™ for Connectivity Detection
§ No reliance on managed switch infra (CAM tables)
§ Prompt detection with localized operation for any network size
§ No false negatives: no “suspects” in the neighbor category (unlike wired & wireless MAC correlation)
§ No false positives: no “legal disclaimers” needed when automatically containing real rogues
[Figure: marker packet connectivity detection; labels: AirTight Device]
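The slide names the marker packet idea but not its mechanics. The following is an added example (not AirTight's code) of the usual shape such a test takes: the sensor broadcasts a packet tagged with a one-time nonce on its wired port, then watches the air for the same nonce being transmitted by an unmanaged BSSID. An AP that relays the marker is demonstrably bridged to the wired segment, with no CAM-table lookups and no MAC-correlation "suspects". The `WIPSMARK` tag, the frame layout, the TTL and the three captured frames are all constructed for the example; real marker formats are vendor-specific.

```python
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

MARKER_TAG = b"WIPSMARK"   # hypothetical tag; a real format is vendor-specific


@dataclass(frozen=True)
class AirFrame:
    """One data frame captured over the air (constructed for the example)."""
    bssid: str      # transmitting AP
    payload: bytes  # payload after 802.11 decapsulation
    ts: float       # capture time in seconds


class MarkerConnectivityDetector:
    """Tag a wired broadcast with a fresh nonce; any unmanaged BSSID that
    relays it over the air must be bridged to our wired segment."""

    def __init__(self, ttl_seconds: float = 5.0) -> None:
        self.ttl = ttl_seconds
        self._outstanding: Dict[bytes, float] = {}  # nonce -> time sent

    def emit_wired_marker(self, now: float) -> bytes:
        """Payload the sensor's wired port would broadcast right now."""
        nonce = os.urandom(8)          # unpredictable, so it cannot be pre-forged
        self._outstanding[nonce] = now
        return MARKER_TAG + nonce

    def match(self, frame: AirFrame) -> Optional[str]:
        """BSSID if the frame carries a live marker we sent, else None
        (unknown or forged nonce, replayed nonce, or marker older than TTL)."""
        if not frame.payload.startswith(MARKER_TAG):
            return None
        nonce = frame.payload[len(MARKER_TAG):len(MARKER_TAG) + 8]
        sent = self._outstanding.pop(nonce, None)   # one-shot: a replay cannot match twice
        if sent is None or frame.ts - sent > self.ttl:
            return None
        return frame.bssid


def classify_unmanaged(detector: MarkerConnectivityDetector,
                       frames: Iterable[AirFrame],
                       unmanaged_bssids: Iterable[str]) -> Dict[str, str]:
    """Rogue = seen relaying our marker; everything else stays External."""
    on_network = {detector.match(f) for f in frames} - {None}
    return {b: ("Rogue" if b in on_network else "External") for b in unmanaged_bssids}


def demo(now: float = 1000.0) -> Dict[str, str]:
    det = MarkerConnectivityDetector(ttl_seconds=5.0)
    marker = det.emit_wired_marker(now)
    # Constructed captures: aa relays the wired broadcast over the air (bridged),
    # bb is a neighbour carrying unrelated traffic, cc transmits a forged marker
    # with a nonce we never issued.
    frames = [
        AirFrame("00:11:22:aa:aa:aa", marker, now + 0.2),
        AirFrame("00:11:22:bb:bb:bb", b"unrelated data", now + 0.3),
        AirFrame("00:11:22:cc:cc:cc", MARKER_TAG + bytes(8), now + 0.4),
    ]
    return classify_unmanaged(det, frames,
                              ["00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"])


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment needs beyond this sketch: a scanning radio only sees an AP's channel part of the time, so a single unmatched marker must not demote an AP to External for good (repeat the probe across the scan cycle), and the marker should be sent on every VLAN the sensor can reach, since a rogue bridged to a VLAN the sensor never probes will not relay anything.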
- 14. Client Auto-classification
- Newly discovered Client: Uncategorized
- Connects to secure Authorized AP: Authorized Client
- Connects to External AP: External Client
- Connects to Rogue AP: Rogue Client
Additional ways to auto-classify Clients:
- Integration APIs with leading WLAN controllers to fetch the Authorized Clients list
- Import MAC addresses of Authorized Clients from file
- 15. AirTight WIPS Security Policy
AP Classification: Authorized APs; Rogue APs (On Network); Neighborhood APs
Client Classification: Authorized Clients; Rogue Clients; Neighborhood Clients
[Diagram of connection paths between client classes and AP classes. Labels as shown: GO on Authorized Clients to Authorized APs (with Block Misconfig Policy and Detect DoS); STOP marked against Rogue APs (On Network), Rogue Clients and Authorized Clients; IGNORE on Neighborhood Clients to Neighborhood APs]
DETECT AND BLOCK RED PATHS!
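Slides 12, 14 and 15 together describe a small decision procedure: APs fall into Authorized / Rogue / External from the managed flag and the on-wire test, clients take their category from the first AP they associate with (or from an imported list), and the resulting (client class, AP class) pairs are either allowed, blocked or ignored. The following is an added example of that procedure, not AirTight's code. The `AP`, `Association`, `secure` field and the sample devices are constructed; where the diagram is ambiguous the policy table encodes assumptions: any connection to a Rogue AP is blocked, an Authorized client on any non-Authorized AP is blocked (the evil twin case from slide 3), a non-Authorized client on an Authorized AP is blocked, an Authorized AP failing the misconfiguration policy is blocked, and external-to-external traffic is ignored.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class AP:
    bssid: str
    managed: bool        # static part: provisioned in the WIPS as one of ours
    on_network: bool     # dynamic part: bridges to our wired LAN (e.g. marker packet result)
    secure: bool = True  # meets the configured security policy (assumed field for "misconfig")


@dataclass(frozen=True)
class Association:
    client: str  # client MAC
    bssid: str   # AP it associated with


def classify_ap(ap: AP) -> str:
    """Managed -> Authorized; unmanaged and on the wire -> Rogue; otherwise External."""
    if ap.managed:
        return "Authorized"
    return "Rogue" if ap.on_network else "External"


def classify_clients(assocs: Sequence[Association], aps: Dict[str, AP],
                     imported_authorized: Iterable[str] = ()) -> Dict[str, str]:
    """A new client stays Uncategorized until its first association with a secure
    Authorized, a Rogue or an External AP fixes its category; controller or file
    imports pre-classify clients as Authorized and are never overridden."""
    clients: Dict[str, str] = {mac: "Authorized" for mac in imported_authorized}
    for a in assocs:
        ap = aps.get(a.bssid)
        if ap is None or a.client in clients:
            continue                      # unknown AP, or already classified
        apc = classify_ap(ap)
        if apc == "Authorized" and not ap.secure:
            continue                      # only a *secure* Authorized AP vouches for a client
        clients[a.client] = apc           # Authorized / Rogue / External client
    return clients


Verdict = Tuple[str, str, str, str]  # (client, bssid, action, reason)


def evaluate_policy(assocs: Sequence[Association], ap_list: Sequence[AP],
                    imported_authorized: Iterable[str] = ()) -> List[Verdict]:
    """Apply the red-path policy to every observed association."""
    aps = {ap.bssid: ap for ap in ap_list}
    clients = classify_clients(assocs, aps, imported_authorized)
    verdicts: List[Verdict] = []
    for a in assocs:
        ap = aps.get(a.bssid)
        if ap is None:
            continue                      # never seen this AP: nothing to decide yet
        apc = classify_ap(ap)
        cc = clients.get(a.client, "Uncategorized")
        if apc == "Rogue":
            action, why = "STOP", "rogue AP bridged to the wired network"
        elif apc == "Authorized" and not ap.secure:
            action, why = "STOP", "authorized AP violates the misconfiguration policy"
        elif apc == "Authorized" and cc == "Authorized":
            action, why = "GO", "authorized client on authorized AP"
        elif apc == "Authorized":
            action, why = "STOP", f"{cc.lower()} client on an authorized AP"
        elif cc == "Authorized":
            action, why = "STOP", "authorized client misassociated to external AP (evil twin risk)"
        else:
            action, why = "IGNORE", "neighborhood client on neighborhood AP"
        verdicts.append((a.client, a.bssid, action, why))
    return verdicts


# Constructed sample inventory and association log.
SAMPLE_APS = [
    AP("a0:00:00:00:00:01", managed=True, on_network=True),
    AP("a0:00:00:00:00:02", managed=True, on_network=True, secure=False),  # e.g. left open
    AP("b0:00:00:00:00:01", managed=False, on_network=True),               # rogue on the wire
    AP("c0:00:00:00:00:01", managed=False, on_network=False),              # neighbour
]
SAMPLE_ASSOCS = [
    Association("d0:00:00:00:00:01", "a0:00:00:00:00:01"),
    Association("d0:00:00:00:00:01", "c0:00:00:00:00:01"),
    Association("d0:00:00:00:00:02", "b0:00:00:00:00:01"),
    Association("d0:00:00:00:00:03", "c0:00:00:00:00:01"),
    Association("d0:00:00:00:00:03", "a0:00:00:00:00:01"),
    Association("d0:00:00:00:00:04", "a0:00:00:00:00:02"),
    Association("d0:00:00:00:00:05", "c0:00:00:00:00:01"),
]
IMPORTED_AUTHORIZED = ["d0:00:00:00:00:05"]  # e.g. pulled from a WLAN controller

if __name__ == "__main__":
    for v in evaluate_policy(SAMPLE_ASSOCS, SAMPLE_APS, IMPORTED_AUTHORIZED):
        print(*v)
```

Note that classification is sticky by design: client 01 becomes Authorized on its first (secure, authorized) association, so its later hop to the neighbour AP is reported as a misassociation rather than silently reclassifying it as External. That ordering is what makes the evil twin case visible at all.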
- 16. Reliable prevention
§ One size doesn’t fit all
• There are many permutations & combinations of connection type & Wi-Fi interface hw/sw
§ Bag of tricks for comprehensive prevention
• Deauth, timed deauth, client chasing, ARP manipulation, cell splitting, wireless side, wired side
- 17. Accurate Location Tracking
§ Stochastic triangulation: maximum likelihood estimation based technique
§ No need for RF site survey
§ No search squads to locate Wi-Fi devices
§ 15 ft accuracy in most environments
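The slide names the estimator (maximum likelihood over RSSI readings) but not the propagation model. The following is an added example, not AirTight's code, of what "stochastic triangulation" means in the simplest form: assume a log-distance path-loss model with Gaussian shadowing, so the likelihood of a candidate position is a Gaussian in the residuals between observed and model-predicted RSSI at each sensor, and pick the floor position with the smallest negative log-likelihood. The model constants (`P0_DBM`, `PATH_LOSS_N`, `SIGMA_DB`), the four corner sensors, the true position and the per-sensor shadowing offsets are all constructed; a real deployment calibrates the constants per site.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]

# Assumed propagation model (the deck names the estimator, not the model):
# log-distance path loss with Gaussian shadowing,
#   RSSI(d) = P0 - 10 * n * log10(d / d0) + N(0, sigma^2)
P0_DBM = -40.0      # RSSI at the reference distance d0 (assumption)
PATH_LOSS_N = 3.0   # indoor path-loss exponent (assumption)
D0_FT = 1.0         # reference distance in feet
SIGMA_DB = 4.0      # shadowing standard deviation (assumption)


def predicted_rssi(sensor: Point, target: Point) -> float:
    """Model RSSI a sensor would see from a transmitter at `target`."""
    d = max(math.dist(sensor, target), D0_FT)   # clamp inside the reference distance
    return P0_DBM - 10.0 * PATH_LOSS_N * math.log10(d / D0_FT)


def neg_log_likelihood(target: Point, obs: Sequence[Tuple[Point, float]]) -> float:
    """With Gaussian errors the NLL is, up to a constant, half the sum of
    squared standardised residuals between observed and predicted RSSI."""
    return 0.5 * sum(((rssi - predicted_rssi(s, target)) / SIGMA_DB) ** 2
                     for s, rssi in obs)


def locate_mle(obs: Sequence[Tuple[Point, float]],
               floor: Point = (100.0, 100.0), step: float = 1.0) -> Tuple[Point, float]:
    """Grid search the floor for the position that maximises the likelihood.
    Returns (estimate, its NLL). A real system would refine around the best
    cell; at 1 ft steps the grid alone is finer than the quoted 15 ft accuracy."""
    best, best_nll = (0.0, 0.0), math.inf
    nx, ny = int(floor[0] / step), int(floor[1] / step)
    for i in range(nx + 1):
        for j in range(ny + 1):
            p = (i * step, j * step)
            nll = neg_log_likelihood(p, obs)
            if nll < best_nll:
                best, best_nll = p, nll
    return best, best_nll


# Constructed scenario: four sensors at the corners of a 100 x 100 ft floor.
SENSORS: List[Point] = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]
TRUE_POSITION: Point = (37.0, 62.0)
SHADOWING_DB = [0.8, -0.6, 0.5, -0.9]   # constructed, deterministic per-sensor error


def constructed_observations(noisy: bool = True) -> List[Tuple[Point, float]]:
    """RSSI each sensor reports for a device at TRUE_POSITION (constructed data)."""
    return [(s, predicted_rssi(s, TRUE_POSITION) + (e if noisy else 0.0))
            for s, e in zip(SENSORS, SHADOWING_DB)]


def demo() -> Tuple[Point, float]:
    """Estimate from the noisy observations and the resulting error in feet."""
    est, _ = locate_mle(constructed_observations(noisy=True))
    return est, math.dist(est, TRUE_POSITION)


if __name__ == "__main__":
    print(demo())
```

Because the estimator compares *predicted* against *observed* RSSI at every sensor rather than solving for ranges one sensor at a time, a single sensor with a bad reading shifts the answer by a few feet instead of breaking the fix, which is what makes a per-site RF survey unnecessary as long as the path-loss constants are roughly right.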
- 18. Why AirTight WIPS?
§ Automatic Device Classification
§ Reliable Threat Prevention
§ Accurate Location Tracking
§ Cloud Managed or Onsite
§ Detailed Compliance Reporting
§ Ease of Operation & Lowest TCO