Prevention Capabilities?
For example, how do each of you perform wireless containment/quarantine, and how many devices can you block simultaneously?
4 Comments
Over-the-air blocking is required to address all wireless threats. Over-the-wire blocking (i.e. switch port shutdown) is limited to addressing rogue APs only and does not address threats like ad hoc (peer-to-peer) connectivity, authorized client misassociation to external (i.e. neighbor) APs, etc. AirTight uses a comprehensive set of over-the-air techniques to provide robust prevention against all wireless threats. This includes rogue APs, client misassociation, ad hoc connections, DoS attacks, and Man-in-the-Middle attacks (including the honeypot attack).
Deauth/disassoc is one of the over-the-air techniques we use; however, it does not work across the board. Deauth/disassoc will work for rogue AP prevention, whereas it will not work for ad hoc connectivity prevention. We use a layer-3 prevention technique for effective ad hoc prevention as well as association hopping prevention (example: when an unauthorized user hops between authorized APs). There are several other techniques we use, such as selective virtual jamming for DoS attack prevention. Multi-channel prevention poses the most demanding scenario for the sensor. AirTight sensors are able to simultaneously prevent threats on multiple channels while continuing to detect newer threats. AirTight holds several patents on prevention technology, including patents on multi-channel prevention, layer-3 prevention techniques, and DoS attack prevention.
Lastly, one of the key features AirTight provides is the ability to automate prevention for all the wireless threats. This is important because some of the wireless threats tend to be instantaneous in nature (example: an authorized client associating to a neighbor AP) and the administrator will not be able to respond in time to prevent such threats.
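The comments above treat deauth/disassoc frames in two roles: a WIPS sensor sends them as a containment technique, and an attacker floods them as a DoS. From the sensor's point of view both look alike on the air, so a detector has to tell its own containment traffic apart from an attack. The following added example (my own illustration, not AirTight's or any other vendor's code) parses the 24-byte 802.11 management header, classifies deauthentication and disassociation frames, and raises a flood alarm when one transmitter/BSSID pair exceeds a threshold within a sliding window, while ignoring frames that belong to a BSSID the WIPS is currently containing. The MAC addresses, threshold, window and the frame bytes are constructed for the demo and are assumptions, not values from the thread.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame control byte 0: protocol version in bits 0-1, type in bits 2-3,
# subtype in bits 4-7. Deauthentication and disassociation are management frames.
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(part, 16) for part in s.split(":"))


def parse_mgmt_frame(raw: bytes):
    """Decode the management header; return None for data/control frames."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    frame = {
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(raw[4:10]),     # Address 1: receiver
        "src": mac_str(raw[10:16]),    # Address 2: claimed transmitter (spoofable)
        "bssid": mac_str(raw[16:22]),  # Address 3: BSSID
        "reason": None,
    }
    if frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]  # 2-byte reason code
    return frame


def sample_frame(subtype: int, dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Constructed sample frame (header + reason code), used only as offline test input."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    duration, seq_ctrl = b"\x3a\x01", b"\x00\x00"
    return (fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + seq_ctrl + struct.pack("<H", reason))


class DeauthFloodDetector:
    """Alarm when one (transmitter, BSSID) pair sends >= threshold deauth/disassoc
    frames inside window_s seconds. A flood usually spoofs the AP's own address,
    so the alarm names the victim BSSID rather than the attacker's hardware MAC."""

    def __init__(self, threshold=20, window_s=5.0, contained_bssids=()):
        self.threshold = threshold
        self.window_s = window_s
        # BSSIDs the WIPS itself is containing; its own deauths carry these addresses.
        self.contained_bssids = {b.lower() for b in contained_bssids}
        self.events = defaultdict(deque)  # (src, bssid) -> timestamps

    def observe(self, ts: float, raw: bytes):
        frame = parse_mgmt_frame(raw)
        if frame is None or frame["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        if frame["bssid"] in self.contained_bssids:
            return None  # expected: our own containment traffic
        key = (frame["src"], frame["bssid"])
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            count = len(q)
            q.clear()  # one alarm per burst, then start counting again
            return {"alert": "deauth_flood", "src": frame["src"],
                    "bssid": frame["bssid"], "count": count, "at": ts}
        return None


def run_demo():
    """Constructed traffic: a 30-frame flood against an authorized AP and 30
    containment deauths carrying a rogue BSSID. Only the flood should alarm."""
    ap, client = "02:00:00:00:00:01", "02:00:00:00:00:02"
    rogue_ap, rogue_client = "02:de:ad:be:ef:01", "02:de:ad:be:ef:02"
    det = DeauthFloodDetector(threshold=20, window_s=5.0, contained_bssids=[rogue_ap])
    alerts = []
    for i in range(30):
        t = i * 0.1
        # attacker spoofs the AP as transmitter, telling the client to leave
        flood = sample_frame(SUBTYPE_DEAUTH, client, ap, ap)
        # sensor containment of the rogue, addressed to the rogue's client
        contain = sample_frame(SUBTYPE_DEAUTH, rogue_client, rogue_ap, rogue_ap)
        for raw in (flood, contain):
            alert = det.observe(t, raw)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

With a real capture you would feed `observe()` from a monitor-mode interface instead of `sample_frame()`; the containment allowlist should come from the WIPS's live containment list so that a sensor's own over-the-air blocking never trips its own DoS alarm.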
Good question, Lisa. Just to explicitly note an important point with respect to the prevention capabilities of WIPS - effectiveness of prevention can actually depend on the actual threat and the type of device that is being prevented.
A technique that works for a Rogue AP (e.g., deauthentication flood, switch port blocking) may not work for unauthorized ad hoc connections. Similarly, a technique that works for honeypots may not work for Multipots (an advanced variant of evil-twin; AirTight was the first to discover and provide protection against Multipots).
Although all of us focus on Wi-Fi certified devices, experiments performed at the AirTight R&D lab confirm that there can be subtle differences in the behavior of devices from different vendors.
Hence, the intrusion prevention capabilities of WIPS need to be carefully designed to defend against the various threat and device combinations.
AirTight has patents related to multiple layer-2 and layer-3 techniques to block/mitigate threats such as Multipot and unauthorized ad hocs. Further, Selective Virtual Jamming can reclaim bandwidth partially from a DoS attacker, thus enabling some communication in spite of a DoS attack.
In case there is interest, I request this group to check out the following references which provide additional details:
- An AirTight research paper that analyzes some popular (over the air) Intrusion prevention techniques - http://bit.ly/aZnJTq
- An AirTight whitepaper/presentation on Multipot at Defcon http://www.defcon.org/images/defcon-15/dc15-presentations/Gopinath/Whitepaper/dc-15-gopinath-WP.pdf
- An article on Multipots http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1274396,00.html
Hope I have added my 2 cents to this discussion (:) ) & would love to hear your comments.
Thanks,
Gopi
Motorola AirDefense uses the following prevention/containment mechanisms. While mechanisms 1 & 2 below are common to WIPS vendors, 3 & 4 are unique Motorola offerings.
1. Wireless Termination: AirDefense sensors can terminate wireless sessions between authorized and unauthorized devices. This includes rogue APs, ad-hoc connections, valid clients connecting to neighbors, etc. Termination can be one of several “automated actions” in response to a detected threat/alarm. A single sensor can support multiple concurrent termination sessions. The tri-radio AP7131N sensor design allows customers to have up to 3 dedicated 802.11n WIPS radios, capable of operating simultaneously in the 2.4 and 5 GHz bands, in one sensor. This allows customers to have multiple termination sessions without sacrificing WIPS scanning on other channels.
2. Wired Termination: AirDefense Enterprise can interface with managed switches and block ports through which a rogue AP or station is communicating with the wired infrastructure.
3. Dynamic ACLs: AirDefense can integrate with WLAN infrastructure and set up dynamic Access Control Lists to block authorized clients that are misbehaving, a unique WIPS offering. AirDefense WIPS information (e.g., location) for a device can be leveraged by Motorola WLAN as an authentication variable as well. We can also integrate with NAC vendors to help quarantine wireless clients that do not meet the policy settings of the enterprise.
4. Dynamic WLAN Re-Configuration: Unique to AirDefense is the capability to reconfigure WLANs that are violating policy, facing an impending threat or performing sub-optimally. The recently announced AirDefense Services Platform allows us to run WIPS and multi-vendor WLAN management on the same appliance. The WIPS portion can detect attacks or policy violations (e.g. a corporate user connecting to the guest WLAN, a hacker attempting to break into the WLAN, etc.); the multi-vendor management system can then reconfigure the WLAN dynamically (e.g. disable guest access for the user, disable a legacy portion of the WLAN that has a higher risk of compromise, etc.). This is the first time a WIPS system is working in a closed loop with the WLAN management system in a vendor-agnostic fashion.
http://mediacenter.motorola.com/content/detail.aspx?ReleaseID=12506&NewsAreaId=2
Containment is performed with a combination of both wired and wireless blocking techniques. On the wireless containment side, we send targeted messages to both ends of an unapproved wireless connection using deauthentication and disassociation techniques. For example, if there were a rogue device in your network, we would not only break any connections at the rogue AP itself, but we would also break the connection at the laptop for any devices that are connected to that AP. These blocking messages are targeted down to the MAC address, so that wireless blocking does not affect the performance of the rest of the network. We also constantly research changes in client WiFi technology to keep our blocking on the cutting edge of technology and effective no matter what type of WiFi device is targeted.
We also block threats that we trace into the wired network, where we will automatically or manually close wired switch ports where we have located the rogue.
AirMagnet can block multiple devices simultaneously, and limitations are measured more in terms of how many channels we can block simultaneously as opposed to the number of devices. A single AirMagnet sensor can reliably block multiple devices on two channels simultaneously.
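Two points recur across the vendor replies above: over-the-air blocking is targeted per MAC address, but a sensor's real limit is the number of channels it can contain at once (two per sensor in the AirMagnet comment, one per dedicated radio in the AirDefense comment). The following added example (my own illustration, not any vendor's code) models that constraint as a small containment planner: threats are grouped by channel, channels are ranked by the most severe threat on them, and each channel is handed to a sensor that can see it and still has a free containment slot; threats on channels no sensor can take are deferred for the administrator. Sensor names, channel lists, slot counts, severities and MAC addresses are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    mac: str        # device targeted by the containment messages
    channel: int
    severity: int   # 1 (low) .. 10 (critical), assigned by the alarm policy
    kind: str       # e.g. "rogue_ap", "rogue_client", "adhoc", "misassociation"


@dataclass(frozen=True)
class Sensor:
    name: str
    channel_slots: int            # channels it can contain simultaneously
    visible_channels: frozenset   # channels within its coverage


def plan_containment(threats, sensors):
    """Return (contained, deferred): contained maps device MAC -> (sensor, channel);
    deferred lists threats that no sensor had capacity for."""
    by_channel = defaultdict(list)
    for t in threats:
        by_channel[t.channel].append(t)

    # Most severe channel first; on ties prefer the channel with more devices,
    # since one containment slot blocks every device on that channel.
    ranked = sorted(by_channel.items(),
                    key=lambda kv: (-max(t.severity for t in kv[1]), -len(kv[1]), kv[0]))

    slots_used = {s.name: set() for s in sensors}  # sensor -> channels in use
    contained, deferred = {}, []
    for channel, channel_threats in ranked:
        owner = None
        for s in sensors:
            if channel not in s.visible_channels:
                continue
            already_on_channel = channel in slots_used[s.name]
            if already_on_channel or len(slots_used[s.name]) < s.channel_slots:
                owner = s
                break
        if owner is None:
            deferred.extend(channel_threats)  # needs manual action or another sensor
            continue
        slots_used[owner.name].add(channel)
        for t in channel_threats:
            contained[t.mac] = (owner.name, channel)
    return contained, deferred


def run_demo():
    """Constructed scenario: two sensors with two containment slots each."""
    sensors = [
        Sensor("sensor-A", channel_slots=2, visible_channels=frozenset({1, 6, 11, 36})),
        Sensor("sensor-B", channel_slots=2, visible_channels=frozenset({36, 40, 44})),
    ]
    threats = [
        Threat("02:r0:gu:e0:00:01", 6, 9, "rogue_ap"),
        Threat("02:cl:ie:nt:00:01", 6, 7, "rogue_client"),
        Threat("02:cl:ie:nt:00:02", 6, 7, "rogue_client"),
        Threat("02:cl:ie:nt:00:03", 6, 7, "rogue_client"),
        Threat("02:ad:ho:c0:00:01", 11, 5, "adhoc"),
        Threat("02:mi:sa:ss:00:01", 1, 6, "misassociation"),
        Threat("02:r0:gu:e0:00:02", 40, 8, "rogue_ap"),
        Threat("02:mi:sa:ss:00:02", 36, 4, "misassociation"),
    ]
    return plan_containment(threats, sensors)


if __name__ == "__main__":
    contained, deferred = run_demo()
    for mac, (sensor, ch) in sorted(contained.items()):
        print(f"contain {mac} on channel {ch} via {sensor}")
    for t in deferred:
        print(f"DEFERRED {t.kind} {t.mac} on channel {t.channel}: no free containment slot")
```

In the demo, channel 6 (rogue AP plus three clients) and channel 1 consume both of sensor-A's slots, channels 40 and 36 go to sensor-B, and the ad hoc network on channel 11 is deferred because sensor-A is full and sensor-B cannot see that channel. That deferred list is the practical reason the replies above stress multi-channel and multi-radio sensors: when threats outnumber containment slots, the lowest-severity threat keeps running until a slot frees up.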