When agility counts
As enterprise wireless networks have matured, effective threat detection and prevention have grown indispensable. But wireless networks are constantly changing in composition and location, requiring nimble defenses that can rapidly recognize and prevent emerging threats. Dynamic security updates have long been a best practice in wired networks. To enable mission-critical wireless deployments while maintaining an acceptable security posture, wireless intrusion prevention systems (WIPS) must follow suit, delivering fast, flexible response to zero-day threats without business disruption.
Enterprise wireless LANs have matured into critical network infrastructure, vital to everyday operation. As a result, effective wireless threat detection and prevention have become indispensable. Service outages and security holes, once accepted as a trade-off for mobility, are no longer tolerable.
However, unlike their wired counterparts, wireless networks are highly dynamic, continually changing in client composition and location. A moving target such as this requires a nimble defense that can rapidly recognize and prevent new threats. But a static and increasingly stale Intrusion Prevention System (IPS) could leave an otherwise secure WLAN vulnerable to emerging attacks and exploits for quite a long time.
Dynamic threat updates have long been a best practice in wired networks. In fact, very few enterprises would consider a Unified Threat Management firewall or Network IPS appliance which lacked this agility. To enable mission-critical wireless deployments while maintaining acceptable security posture, Wireless IPS (WIPS) must follow suit. Specifically, a robust WIPS must be flexible enough to incorporate dynamic updates whenever needed to mitigate zero-day threats, without business disruption.
Wireless threat evolution
Contemporary enterprise WLANs bear little resemblance to their predecessors. Long gone are the days when wireless was a casual amenity in isolated areas such as conference rooms and cafeterias, or a point-solution used in warehouses or stores by purpose-built devices. Instead, wireless has become the dominant method of network access, expected to reliably and securely connect a plethora of business and consumer electronic devices, no matter who owns them or where they might roam throughout any kind of workplace.
This evolution from limited casual use to mission-critical ubiquitous adoption has raised the stakes with respect to performance, availability, and security. Businesses cannot rely on WLANs to deliver workforce and application connectivity unless IT can secure them at least as well as Ethernet. Some industry advances have narrowed this gap – for example, robust AES encryption has been required in every Wi-Fi device certified since 2006. But other changes have made securing WLANs more difficult – most notably the consumerization of IT.
According to ABI Research, 9.98 billion Wi-Fi devices had been sold worldwide by the end of 2014, with 4.5 billion Wi-Fi products in use today [1]. In 2014 alone, more than 2.3 billion Wi-Fi devices were sold; 64 percent of those were mobile phones, tablets, and e-readers. Not only does the average worker now carry three or more Wi-Fi devices, but the Internet of Things (IoT) is expected to spike from 15 billion devices. This explosive transformation means that security can no longer realistically rely on restricting device type or ownership. In fact, many IT organizations are now being challenged to enroll and enable, rather than detect and block, Bring Your Own Devices (BYODs) carried by contractors, customers, and guests who routinely appear and then disappear just as quickly. Increasingly, these BYODs are more than Wi-Fi clients. From portable personal APs like MiFi devices and smartphone hotspots to Wi-Fi-driven innovations like Wi-Fi Direct and Wi-Fi Aware, wireless device populations and inter-relationships are evolving. Any WIPS that cannot recognize such devices for what they really are will either flood IT with false positive alerts or turn a blind eye to potentially risky leaks.
Back when WLANs first hit the enterprise, vulnerabilities and exploits were relatively well-known and static. Attack tools like WEP crackers and Deauth frame generators took advantage of documented 802.11 protocol weaknesses. The most pervasive "wireless backdoor" threats resulted from informal deployments and risky practices, such as rogue or mis-configured APs installed by careless workers, or promiscuous clients silently reconnecting to any previously-used network name (SSID).
Today, every enterprise WIPS – and even a few WLAN controllers – can spot a number of these legacy attacks and typical policy violations. But that's no longer good enough. Emerging wireless threats are more likely to focus on new devices, naïve users, and related mistakes, popping up when and where you least expect, at an ever-faster pace. For example:
- The Common Vulnerabilities and Exposures (CVE) database contains hundreds of examples of new IP-enabled consumer electronics rushed to market with code flaws and unsecured interfaces that left them vulnerable to attack.
- Many wireless adapters and drivers have fallen victim to fuzzing attempts to identify and exploit faulty frame handling, including buffer overflows that can permit hacker execution of arbitrary code on Wi-Fi client devices.
- Popular BYODs such as iPhones, iPads and Androids make it easy to access the Internet through any available Wi-Fi network – but in doing so, automate connections to previously-used SSIDs, leaving users open to Evil Twins and related man-in-the-middle attacks (e.g., Karmetasploit, Firesheep).
- Criminals are now exploiting Internet-connected machines and smart devices that often fly under IT radar. For example, sales of smart eyewear, smart watches, health and fitness trackers, and other “wearable” consumer electronics are booming. However, a worker wearing Google Glass is recording video of everything in sight – creating a lucrative attack target.
- Perhaps even more daunting is the fast-growing Internet of Things, now using wireless to interconnect just about everything, from smart TVs to wireless drones. Security and privacy risks associated with IoT are great, with unsecured wireless traffic and open ports creating significant potential for eavesdropping, hacking, or worse.
- While most smart devices expand the attack surface, some can also be used to launch new kinds of attacks. For example, inexpensive unmanned wireless aircraft such as the AR.Drone Quadricopter can carry attack tools right into enterprise airspace. Using a remote-controlled drone with a WiFi Pineapple on board, criminals can now launch man-in-the-middle attacks from afar.
These are but a few of the emerging threats now facing enterprise WLANs. New attacks and exploits will no doubt continue to be discovered; criminals are always drawn to popular technologies that create large, lucrative targets. However, given enterprise wireless adoption, such threats are too potentially impactful to ignore and too dynamic to thoroughly detect or prevent based solely on yesterday's knowledge.
Next-generation wireless threat protection
Intrusion prevention is widely recognized as an essential best practice for any business network. Unmitigated intrusions have triggered hefty losses, such as the Heartland Payment Systems breach that compromised 130M records to the tune of $60M [2]. To encourage use, some regulations (e.g., PCI-DSS, FISMA) mandate intrusion monitoring.
A wired IPS monitors traffic over Ethernet by running on an in-line firewall/appliance or by gathering packets from passive sensors that are tethered to span ports or taps. A wireless IPS extends this by capturing over-the-air transmissions, using Wi-Fi sensors that scan RF channels. In both cases, an IPS not only detects threats – it classifies, locates, and contains them to prevent loss or damage.
But there's a difference between monitoring traffic and determining if it poses a threat. Threat detection methods are often combined to complement each other and offset weaknesses inherent to each.
- Signature-based detection searches traffic (IP packets, 802.11 frames) for pre-defined patterns that match known threats. These signatures are developed using traffic samples from past incidents. Well-written signatures excel at detecting precisely the same threat, over and over. However, signatures can be evaded by variants with even small differences.
- Protocol anomaly detection watches for traffic that doesn't follow the rules, like out-of-order packets and nonsensical requests. This can be effective against fuzzing attacks that try permutations until a code flaw is found.
- Rate-based detection blocks many denial-of-service (DoS) attacks that send traffic at high rates to disrupt network and business operation. However, poorly chosen rates can also mistakenly block non-malicious usage spikes.
- Behavioral analysis searches for deviations from "normal" behavior. For example, behavior analysis might detect a device that has always been a client suddenly acting like an AP. This can be useful to spot "zero day" threats but requires establishing a very good "normal" baseline.
- Fingerprinting analyzes and categorizes previously unseen devices – for example, to automatically quarantine new kinds of BYODs and smart devices and provide input to new policy development processes.
- Finally, policy-based detection can be used to warn IT about non-compliant devices and traffic. For example, an IPS may check all detected APs against a policy that specifies security settings for each permitted SSID. If the IPS overhears an allowed SSID with the wrong security, it may trigger a compliance alert. Policy-based detection adds value by using context to spot risky behavior.
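As an added illustration of three of the methods above (signature-based, rate-based and policy-based detection), not code from AirMagnet or NetScout, the following Python runs each check over a few constructed frame records; the signature pattern, the SSID policy table, the flood threshold and the sample traffic are all invented for the example.

```python
# Added example: signature, rate-based and policy-based checks over
# simplified 802.11 frame records (dicts, not real captures).
from collections import defaultdict, deque

# Constructed signature: a byte pattern a hypothetical attack tool embeds
# in its beacons.  Real WIPS signatures are vendor intellectual property.
SIGNATURES = [{"name": "EXAMPLE-TOOL beacon tag", "type": "beacon",
               "pattern": b"EXAMPLE-TOOL-BEACON-TAG"}]
# Constructed policy: permitted SSIDs and the security each must advertise.
POLICY = {"CorpNet": "WPA2-AES", "Guest": "open"}
DEAUTH_THRESHOLD = 5   # more deauth frames than this per BSSID ...
WINDOW_S = 1.0         # ... inside this sliding window counts as a flood


def signature_check(frame):
    """Signature-based: exact pattern match on the frame body."""
    return [s["name"] for s in SIGNATURES
            if s["type"] == frame["type"] and s["pattern"] in frame["body"]]


def policy_check(frame):
    """Policy-based: compare an overheard beacon with the SSID policy."""
    if frame["type"] != "beacon":
        return None
    required = POLICY.get(frame["ssid"])
    if required is None:
        return f"unauthorized SSID {frame['ssid']!r} from {frame['bssid']}"
    if frame["security"] != required:
        return (f"{frame['ssid']!r} advertised {frame['security']}, "
                f"policy requires {required}")
    return None


class DeauthRateDetector:
    """Rate-based: flag a BSSID sending more deauth frames than the
    threshold within the sliding window (deauth flood / DoS)."""
    def __init__(self):
        self.recent = defaultdict(deque)   # bssid -> recent deauth timestamps

    def observe(self, frame):
        if frame["type"] != "deauth":
            return None
        q = self.recent[frame["bssid"]]
        q.append(frame["ts"])
        while frame["ts"] - q[0] > WINDOW_S:   # drop timestamps outside window
            q.popleft()
        if len(q) > DEAUTH_THRESHOLD:
            return f"deauth flood from {frame['bssid']}: {len(q)} in {WINDOW_S}s"
        return None


def analyze(frames):
    """Run the three methods over a frame sequence; return the alerts raised."""
    alerts, rate = [], DeauthRateDetector()
    for f in frames:
        alerts += [f"signature: {n}" for n in signature_check(f)]
        alerts += [a for a in (policy_check(f), rate.observe(f)) if a]
    return alerts


# Constructed sample traffic: a compliant AP, an evil twin carrying the
# tool tag with the wrong security, an unknown SSID, then a deauth burst.
SAMPLE = [
    {"ts": 0.0, "type": "beacon", "bssid": "00:11:22:33:44:55",
     "ssid": "CorpNet", "security": "WPA2-AES", "body": b""},
    {"ts": 0.1, "type": "beacon", "bssid": "66:77:88:99:aa:bb",
     "ssid": "CorpNet", "security": "open", "body": b"EXAMPLE-TOOL-BEACON-TAG"},
    {"ts": 0.2, "type": "beacon", "bssid": "cc:dd:ee:ff:00:11",
     "ssid": "FreeWifi", "security": "open", "body": b""},
] + [{"ts": 0.3 + i * 0.05, "type": "deauth", "bssid": "66:77:88:99:aa:bb",
      "body": b""} for i in range(8)]
```

Running `analyze(SAMPLE)` raises one signature alert, one wrong-security alert and one unauthorized-SSID alert for the beacons, then a flood alert for each deauth frame past the threshold.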
Each IPS product employs unique methods; detection engines are closely-guarded intellectual property. But, for any IPS, signatures are important for efficient, accurate operation. Signature detection is a first line of defense, reliably filtering out many recognized threats so that other methods can better focus on what's left.
However, without proper maintenance, this foundation can grow weak. Frequent, non-disruptive signature updates are required for an IPS to recognize new threats, variants, and exploits. This is why every wired IPS product has long supported this capability.
Surprisingly, the same cannot be said for wireless IPS. Historically, every WIPS has relied on static signatures, embedded in detection engines, updated by installing new software. With WIPS releases coming up to a year apart, Wi-Fi threat detection now lags behind protocol advances, threat research, and attack tools. To be truly effective against rapidly-evolving wireless threats, WIPS must become more agile.
NetScout's AirMagnet Enterprise Dynamic Threat Update
NETSCOUT AirMagnet Enterprise addresses this need through Dynamic Threat Update (DTU). AirMagnet Enterprise is a full-time WIPS that provides dedicated airspace monitoring to enable the security, performance and compliance of wireless LANs. AirMagnet Enterprise is used by organizations for the most complete detection and prevention of wireless threats, enforcing no-wireless zones, and proving compliance. To accomplish this, the security research team at NetScout constantly investigates the latest hacking techniques, trends and potential vulnerabilities. To keep enterprises one step ahead of evolving threats, DTU lets AirMagnet customers import new threat signatures at any time, without installing new software.
With DTU, customers can easily maintain an up-to-date enterprise WLAN security posture. New signature files can be loaded manually, or loaded automatically upon download from NetScout. Similar to auto-update controls commonly offered by enterprise anti-malware and wired IPS products, IT administrators can opt to download new AirMagnet Enterprise signature files on demand or automatically by querying for updates.
Figure 1. AirMagnet Enterprise DTU Configuration
Server settings (right) let organizations take advantage of DTU while conforming to their own IT practices. Some will prefer to download and activate new signatures as soon as they are published to minimize zero-day attacks. Others will routinely test all new signatures before production roll-out. Those with air-gapped servers can load signature files offline. DTU is compatible with all of these practices.
To learn about the threats that each new signature file can detect, administrators can view loaded signatures before activating them. Activating a signature file causes it to be added to all existing AirMagnet Enterprise Policy Profiles; all contained alarms are enabled by default. Updated Policy Profiles are pushed to all AirMagnet Enterprise Sensors (local or remote) in the usual fully-automated fashion, without requiring any IT effort or Server restart/reboot.
Once activated, new threat signatures are enforced by AirMagnet Enterprise in exactly the same way as those supplied with any software release. For example, new alarm types will be reflected in charts, roll-up counts, and statistics displayed by Consoles, and new threat descriptions will be supplied through the AirWISE screen. Finally, activated signatures can be deleted in the unlikely event that roll-back is ever desired.
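The signature-file lifecycle just described (load and review, activate into every policy profile with alarms enabled by default, detect without a restart, roll back by deletion), as an added Python sketch that is not NetScout's implementation; the JSON file format, field names, profile names and signature contents are invented for the example.

```python
# Added example: a signature file handled as data (staged, reviewed,
# activated into every policy profile, rolled back) with no engine restart.
# File format, field names and signature contents are invented.
import json

# Constructed signature file, as a vendor-published update might carry it.
SIGNATURE_FILE = json.dumps({"file_id": "example-2015-02", "signatures": [
    {"id": "EX-0001", "name": "Example drone beacon", "severity": "high",
     "frame_type": "beacon", "pattern_hex": "4558414d504c45"},    # "EXAMPLE"
    {"id": "EX-0002", "name": "Example tool probe", "severity": "medium",
     "frame_type": "probe_req", "pattern_hex": "544f4f4c"},       # "TOOL"
]})
REQUIRED = {"id", "name", "severity", "frame_type", "pattern_hex"}


class SignatureStore:
    """Staged files await review; activated signatures live in the catalog
    (read by match) and raise alarms through every policy profile."""
    def __init__(self, profiles):
        self.profiles = {p: {} for p in profiles}   # profile -> sig id -> alarm
        self.staged = {}                             # file_id -> parsed file
        self.catalog = {}                            # sig id -> active signature

    def load(self, text):
        """Parse and validate; a malformed file never reaches a profile."""
        doc = json.loads(text)
        for s in doc["signatures"]:
            missing = REQUIRED - set(s)
            if missing:
                raise ValueError(f"{doc['file_id']}: missing {sorted(missing)}")
            s["pattern"] = bytes.fromhex(s["pattern_hex"])   # rejects bad hex
        self.staged[doc["file_id"]] = doc
        # Summary an administrator can review before activating.
        return [(s["id"], s["name"], s["severity"]) for s in doc["signatures"]]

    def activate(self, file_id):
        """Add the file's signatures to every profile, alarms on by default."""
        doc = self.staged.pop(file_id)
        for s in doc["signatures"]:
            self.catalog[s["id"]] = dict(s, file_id=file_id)
            for alarms in self.profiles.values():
                alarms[s["id"]] = {"enabled": True, "severity": s["severity"]}

    def roll_back(self, file_id):
        """Delete everything that file contributed; returns the removed ids."""
        ids = [i for i, s in self.catalog.items() if s["file_id"] == file_id]
        for i in ids:
            del self.catalog[i]
            for alarms in self.profiles.values():
                alarms.pop(i, None)
        return ids

    def match(self, frame_type, body):
        """Signature check against whatever is active right now."""
        return sorted(s["id"] for s in self.catalog.values()
                      if s["frame_type"] == frame_type and s["pattern"] in body)
```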
Figure 2. AirMagnet DTU Deployment
DTU makes AirMagnet Enterprise a more agile and flexible WIPS. New signature files are developed, tested, and published by NetScout, based on threat research and customer requests. The NETSCOUT AirMagnet Intrusion Research Team continually monitors emerging threats, using DTU to quickly deliver enhanced threat protection. While low severity threats may be bundled into quarterly updates, high severity threat updates are published immediately after QA verification.
DTU technology can also be used to develop new signature files that reflect each organization's policies, devices, and sensitivities. To request unique custom signature files, customers may contact NetScout. To suggest new signature files of potential interest to many enterprises, visit AirWISE Community Security Center.
Benefits of dynamic threat protection
Figure 3. AirMagnet Enterprise DTU accelerates vulnerability response timeline
For AirMagnet Enterprise customers, DTU offers several key benefits. First, this technology can deploy threat updates without disruption, at lower cost. As Figure 3 shows, industry response to a newly-discovered Wi-Fi vulnerability or attack tool can easily take 6 months without DTU. For example, consider a newly-discovered Wi-Fi vulnerability that is submitted to CERT and published in the CVE database.
In the past, each WIPS vendor would analyze the vulnerability, assess impact, and develop new signature(s) and alarm(s) for inclusion in their next WIPS patch or regularly-scheduled release. Upon receiving updated WIPS software, IT would comply with their organization's processes for software change control and scheduled Server, Sensor, and/or WLAN updates. Given the sensitive nature of WIPS and the potential for downtime or failure to impact mission-critical network services, most enterprises test all updates first in a non-production environment. Only after the WIPS patch or release is verified and installed can that emerging threat be mitigated in a live WLAN. This timeline can be further extended in deployments where APs are used as part-time or full-time WIPS Sensors, due to required collaboration between security and network teams.
DTU substantially abbreviates this process, reduces risk, eliminates downtime, and alleviates the burden otherwise imposed on IT. While the back-end of the process remains the same, new threat definitions and alarms can now be bundled into downloadable signature files, deployed in a fully-automated fashion if the organization so chooses. Time-to-mitigate can be reduced to days or weeks rather than months. While major WIPS releases must continue to follow the longer timeline, a network's security posture is no longer held hostage to that far-less-frequent upgrade process.
Additionally, when updating any security system to mitigate an emerging threat, it is critically important to avoid gaps in surveillance. Taking a production WIPS offline to install a software update could temporarily blind an organization to the very threat it is trying to address. There are no such gaps when pushing new Policy Profiles to SmartEdge Sensors. Furthermore, lower cost-to-deploy means that organizations can easily afford broader, deeper threat protection. Not only are published signature files freely available for download by all AirMagnet Enterprise customers, but little or no incremental effort may be required to activate them.
Ultimately, the biggest benefit afforded by DTU is the ability to expand efficient, reliable detection of both security threats and performance events. Over time, DTU is expected to enrich AirMagnet Enterprise by making it easier to address concerns that face the community at large as well as individual companies. For example:
- Many enterprises are grappling with IoT and how to best deal with a deluge of new smart devices. The first step is to identify what is (trying to) use your WLAN. For example, new signatures were developed to recognize Google Glass and AR.Drone and DJI Phantom Vision Quadricopter devices, alerting IT to their presence and providing tools to automatically block banned devices.
- As new Wi-Fi devices are adopted, they draw attention from criminals. Signature files can be developed to spot nearly any bit or frame sequence generated by new vulnerability exploits. For example, new signatures were deployed through DTU to detect TLS/DTLS Heartbeat read overflow and Cupid attacks which exploit vulnerabilities in products that use OpenSSL code.
- In some cases, newly-detected Wi-Fi devices are actually tools that make it easy for anyone – even Wi-Fi novices – to launch common attacks. For example, new signatures can detect WiFi Pineapple and Raspberry Pi devices.
- Ordinary Wi-Fi devices may also be used to run new kinds of attacks – for example, a WPA2 Pre-Shared Key (PSK) dictionary attack, which slowly crawls its way through an enormous key list, attempting to guess the PSK.
- It is not uncommon for WLAN infrastructure vendors to offer proprietary extensions for competitive advantage. However, those extensions can result in mis-configurations that cannot be detected by existing signatures, but that could be detected by custom signatures which search for vendor-specific Information Elements (e.g., Cisco WPA Migration Mode) or vendor-specific exploits (e.g., Broadcom RSN Out of Bounds Attack).
- As new “wearables” and other consumer electronics find their way into the workplace, enterprises must establish policies for acceptable use. For example, new signatures were developed to spot Wi-Fi Direct peer-to-peer technology which many new consumer electronics use for short-duration connections – thereby circumventing WLAN infrastructure security.
- DTU goes beyond single frame pattern matching; it can also be used to extend rate-based detection to spot emerging DoS attacks that take advantage of new Wi-Fi products or protocol extensions. For example, new signatures were created to detect RTS frame and virtual carrier flood attacks, generated by readily-available hacker tools like Scapy and Zulu.
- The extremely diverse and often unexpected behavior of new Wi-Fi clients is a common cause of performance complaints. In some instances, misbehaving clients may even be mistaken for attackers. New signature files can be used to specifically identify errant clients, enabling more effective troubleshooting.
- Finally, as enterprises expand Wi-Fi use, they may impose more stringent requirements on device configurations – for example, requiring EAP types to enable seamless roaming between Wi-Fi and cellular networks. New signature files can be developed to detect use/non-use of options and settings, helping to enforce policy compliance and mitigate violations.
These examples represent just a few of the security threats and performance events that can potentially be detected and then prevented through Dynamic Threat Updates.
With DTU, AirMagnet Enterprise takes WLAN threat protection to a whole new level. No longer must WIPS be less responsive or agile than its wired network counterpart. By breaking the traditional WIPS dependency between signature and software updates and enabling fully-automated signature file download and activation, AirMagnet Enterprise enables rapid, non-disruptive, dynamic wireless threat protection.
To learn more, visit www.enterprise.netscout.com