White Paper Airespace Framework for Wireless Security October 30, 2003


Table of Contents

The Airespace Framework for Wireless Security ........ 3
Making Wireless LANs Ready for Business-Critical Applications ........ 3
Securing Your Air Space: The Bad News and the Good News ........ 4
The Airespace Security Framework ........ 6
1. Enjoin Security Policies, Not Security Pieces ........ 6
2. Wireless VPNs Done Right ........ 7
3. RF Media is a Shared Media, But It Doesn’t Have to be Insecure ........ 8
4. Security Policies, Not Security Pieces ........ 9
5. Think Globally, Act Locally ........ 10
Putting It All Together: Securing Your Air Space ........ 11

©2003 Airespace, Inc. All rights reserved


The Airespace Framework for Wireless Security:

Making Wireless LANs Ready for Business-Critical Applications

Since the industry ratified the 802.11b standard in early 1999, one issue has consistently stood out as a primary impediment to the widespread deployment of Wireless LANs (WLANs) in enterprise networks: security. While most network administrators and end-users clearly understand the productivity benefits of cutting the ethernet cord, few IT managers have felt comfortable sending critical data through the air space, which is inherently unprotected. The industry’s first attempt at securing wireless networks, Wired Equivalent Privacy (WEP), did little to quell these fears. Instead, after it was promptly broken by several clever Berkeley engineering students, many corporations decided that wireless networking was not ready for prime-time deployment. Simply put, original WLAN solutions left a lot to be desired when it came to security. For enterprises to go wireless and take advantage of all the benefits that radio technology has to offer, a new approach to security is required. This approach must be flexible enough to adapt to the security requirements IT managers have for their heterogeneous classes of users and the many different kinds of client devices in use. Furthermore, it must be robust enough to protect sensitive corporate data. Airespace provides all of this functionality with its framework for wireless security.


Securing Your Air Space: The Bad News and the Good News

First the bad news: when compared to wire-line networks, WLAN security is difficult to manage and not particularly secure. In frustration, many IT departments are issuing “termination” mandates for employees who bring unauthorized (“rogue”) access points into the workplace. Many administrators that are deploying (or have deployed) wireless are relying on existing virtual private network (VPN) technologies to provide some level of security to their networks. Unfortunately, this type of overlay approach is inadequate when used in large Wireless LAN environments for the following reasons:

• Most existing VPN solutions were designed to support a limited number of remote users at low connection speeds, and thus are ill equipped to handle the volume of traffic that would be generated by an entirely wireless enterprise.
• This “outside-in” approach requires IT managers to rethink traffic flow on their networks, since more data will be flowing through the VPN gateway to the backbone network.
• Additional security and management network elements are required in the network, including appliances and software packages.
• Existing IP VPN solutions do not address radio-specific security issues, such as rogue access points and intentional frequency jamming.
• Remote access solutions do not offer the system-wide policy coordination and enforcement that an enterprise-wide solution requires.
• Existing VPN solutions were not designed to support heterogeneous operating environments and clients.

Figure 1 WLAN security is disjointed in traditional WLAN approaches, requiring separate appliances for rogue detection, VPN and other security functions.

Now the good news: Airespace offers a security framework that provides a systematic approach to wireless security, treating Wireless LANs as business-critical networks instead of a best-effort remote access service. The Airespace solution includes management tools that unify security approaches across Layers 1-3 of a network infrastructure, instead of treating them as separate components or network elements. By taking a holistic, topological view of the wireless enterprise, the Airespace security framework helps network administrators roll out business-critical wireless infrastructures in a fast and simple manner.

Figure 2 Airespace provides a unified framework for wireless security: rogue containment, IDS, interference avoidance and VPN.


The Airespace Security Framework

Airespace offers a five-part framework that simplifies the complexities of managing rapidly changing, heterogeneous WLAN security and meets the comprehensive security needs of even the most paranoid wireless enterprise. It includes an integrated series of tools and capabilities to meet the most rigid security needs of the largest corporations and service providers. The five areas of the Airespace security framework are:

1. Hardware Certificates – All communication between access points, switches, and management is encrypted. All hardware ships with X.509 certificates.
2. On-board VPN Termination – Airespace switches securely terminate VPN traffic from industry-leading IPsec clients, alleviating remote access VPN gateway exhaustion and improving performance over conventional remote access solutions.
3. Radio Subsystem Control and Management – The Airespace solution constantly monitors the RF domain for interference and potential security breaches.
4. Unified Security Policies – The Airespace security framework comes equipped with a comprehensive policy engine that allows network administrators to rapidly provision a variety of security policies from Layers 1-3 across a network, taking into account different user groups and heterogeneous, changing environments.
5. Advanced Policy Enforcement – The Airespace security framework supports multiple security policies on a single AP, avoiding expensive additional access points which can cause network performance degradation. All policies are centrally administered and locally enforced, and do not require the addition of proprietary client software.

1. Enjoin Security Policies, Not Security Pieces

Security does not begin once a system is deployed; it begins when a solution is manufactured. To meet stringent security requirements, Airespace’s manufacturing process inserts X.509 certificates into every product the company ships. As a result, all communication between Airespace components, whether over the air or over the wire, is secured. Along with other internal security mechanisms, this prevents the system from being subjected to various denial of service (DoS) and breaching attacks, even when the system is first turned on.


Since every Airespace system component ships with a certificate, the Airespace solution automatically detects authorized and unauthorized access points in the network. Not only does this ensure maximum security, but it prevents administrators from having to manually add access points into a network database. In this respect, the Airespace solution not only provides security, but it helps to reduce the operational burdens associated with deploying a wireless network.
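As an added illustration of the admission check that factory-installed certificates make possible (example code written for this page, not Airespace’s own; the ‘cryptography’ package, the demo CA, the AP name and every key are constructed here), the following has a switch admit an access point only when its certificate verifies against the manufacturer CA, so an AP presenting any other certificate is flagged as unauthorized:

```python
# Added illustration, not Airespace code: a switch admits an access point only if the
# AP's factory-installed certificate was signed by the manufacturer CA. The 'cryptography'
# package, the CA/AP names and the keys below are all constructed for this demo.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def _validity(cert):
    # Newer 'cryptography' releases expose aware *_utc fields; older ones only naive UTC values.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)

def make_cert(subject_cn, issuer_cert, signing_key, subject_key, is_ca):
    """Issue a certificate for subject_key; self-signed when issuer_cert is None."""
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def ap_is_authorized(ap_cert, factory_ca_cert):
    """Switch-side check: CA as issuer, inside the validity window, CA key verifies the signature."""
    if ap_cert.issuer != factory_ca_cert.subject:
        return False
    not_before, not_after = _validity(ap_cert)
    if not not_before <= datetime.datetime.now(datetime.timezone.utc) <= not_after:
        return False
    try:
        factory_ca_cert.public_key().verify(
            ap_cert.signature, ap_cert.tbs_certificate_bytes,
            ec.ECDSA(ap_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

def demo():
    """Returns (genuine AP admitted?, rogue AP that forged the issuer name admitted?)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = make_cert("Demo Factory CA", None, ca_key, ca_key, True)
    ap_key = ec.generate_private_key(ec.SECP256R1())
    genuine = make_cert("AP-1200 serial DEMO-0001", ca_cert, ca_key, ap_key, False)
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    # A rogue can copy the CA's name into its issuer field but cannot produce the CA's signature.
    forged = make_cert("AP-1200 serial DEMO-0001", ca_cert, rogue_key, rogue_key, False)
    return ap_is_authorized(genuine, ca_cert), ap_is_authorized(forged, ca_cert)
```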

2. Wireless VPNs Done Right

Conventional VPN architectures were designed to provide secure remote access over relatively low-speed links. To that end, VPN gateways are typically deployed at the edge of the network and support a limited number of users simultaneously. While this approach has proven effective for small deployments (and the Airespace platform supports pass-through VPN for ease of integration into these deployed environments), it will not scale for significant wireless enterprise networks for several reasons:

• Using existing VPN technology to support wireless users places additional strain on VPN concentrators. In most instances, these devices were not designed to handle hundreds or thousands of simultaneous network users.
• VPN concentrators are located at the edge of a corporate network. Backbone congestion could easily become a problem as IPsec traffic is required to traverse the corporate network on its way to an edge concentrator.
• Client administration becomes more burdensome as each individual corporate user requires VPN software for both the wireless network and the remote access network.
• When VPN traffic is backhauled to an edge concentrator, a delay exists that can cause ill-fated time-outs or require constant re-authentication. In addition to being a nuisance, this could prevent the deployment of time-sensitive applications, such as voice, video, and real-time data.

The Airespace solution resolves these issues by terminating VPN sessions directly within the wireless network. This enables distinct VPN infrastructures to be deployed for wireless and remote access. IPsec traffic no longer has to be backhauled to the edge of the network, ensuring maximum network performance (i.e. less congestion and reduced latency) with minimal effort. Airespace recognizes that many of the leading new security approaches, such as WPA, require specialized hardware acceleration to run effectively. The Airespace platform uses dedicated hardware throughout the system not only to accelerate security at Layer 2, but to ensure the delivery of time-sensitive applications like voice over IP, multicast, and video.


Furthermore, Airespace’s VPN solution is the only one designed exclusively with wireless users, who are inherently mobile, in mind. Therefore, unlike traditional VPN approaches, Airespace offers a “Follow-Me VPN” solution that enables users to roam within a network – even across subnets – and still maintain VPN connectivity. Secure user roaming ensures maximum network flexibility and meets wireless requirements. As the “Follow-Me VPN” solution works with clients from leading IPsec vendors, no additional management (or cost) is required.

3. RF Media is a Shared Media, But It Doesn’t Have to be Insecure

Being a shared medium, radio is inherently less secure than a wired infrastructure. Airespace addresses this issue with its AireWave Director™ Software, a comprehensive set of management tools that are used to ensure security within a radio environment.

Figure 3 The Airespace solution provides complete RF-layer security, including rogue detection/containment and interference avoidance.

AireWave Director Software constantly monitors the air space for unauthorized users. In addition to determining the location of rogues, AireWave Director lets administrators enforce policies that deny users access to these devices, and generates alarms if appropriate. The AireWave Director Software also actively monitors the wireless network for interference. When interference is detected, the Airespace solution helps to identify the source and to take corrective action. As interference from a leaky microwave oven or Bluetooth phone, for example, requires different response measures than interference from a malicious client initiating a DoS attack, the management system enables network administrators to deal with individual events accordingly.


A third example of a potential security breach is an unauthorized client trying to attach to the system by attempting to spoof an SSID or password. The Airespace system automatically tracks unauthorized users attempting to enter the network and blacklists them from attaching. A persistent intruder is not allowed to connect to the nearby access points, or to any access point or switch located throughout an entire Airespace domain. Network administrators can determine how long such users remain on the blacklist and allow them to re-associate to the network when desired.

4. Security Policies, Not Security Pieces

Key to the Airespace security framework is recognition of the fact that different clients have different security requirements, and different capabilities to support security schemes. As a result, the Airespace solution was designed to support truly heterogeneous environments from a security standpoint. To illustrate, a Voice over IP (VoIP) client may require WEP support so it can access certain network resources; a mobile PC may require IPsec and TKIP/WPA; a PDA, which lacks the processing resources of a PC, may only be able to support an IPsec client. The Airespace security framework was designed to accommodate all of these different client devices in a seamless manner.

The Airespace security framework is unique in its ability to integrate and manage security policies across Layers 1-3 of a network infrastructure. By marrying radio, data link, and network security technologies into a unified architecture, a comprehensive solution can be deployed. Specifically, the Airespace security framework supports the following layers of security protocols and technologies:

• Layer 1 (Radio Frequency) – Actively monitors air space for rogue access points and interference sources and takes appropriate corrective action
• Layer 2 – WEP, WPA, 802.1x
• Layer 3 – VPN/IPsec, DES, 3DES, AES; authentication support for 802.1x, RADIUS, and TLS
• Secure management via SSL, SSH, SNMP v2/v3 and X.509 certificates


5. Think Globally, Act Locally

Using the security policy engine within the Airespace security framework, network administrators can quickly push security policies down to individual access points or groups of access points, avoiding the current problem in the marketplace of having to assign security policies to individual access points (through SSIDs). With Airespace’s unique patent-pending architecture, a single access point can support up to 16 security policies simultaneously. This maximizes flexibility while reducing the costs associated with equipment deployment. To illustrate, the Airespace software framework implemented on a single Airespace 1200 Access Point can simultaneously support 128-bit WEP, 802.1x, and WPA. Administrators can select different security policies for different user groups, and have all of those user groups active on a single access point. Another access point might support only open Internet access and 64-bit WEP. Future technologies can be added to Airespace Access Points via software upgrades; no forklift upgrades are required. This helps network administrators prepare for both today’s and tomorrow’s business requirements in a cost-effective manner. The value of Airespace’s approach to policy enforcement is two-fold:

• Simplification and Control of the Security Policy Process – Unlike current access point approaches, the network administrator can rapidly assign or reassign user policies to the equipment in the plenum without having to configure each device individually.
• Elimination of Additional and Conflicting Access Points – Today’s access point infrastructure is costly, and expensive to manage and maintain. To assign three different policies to a section of a wireless network, for example, an administrator would have to place several different access points within close proximity of one another. This is costly, plus it could cause interference among the different access points, which ultimately might degrade network performance.

Figure 4 In an Airespace network, enterprise-wide security policies can be centrally configured and managed.
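The following is an added model of the policy scheme described in sections 4 and 5 (example code written for this page, not Airespace’s own; policy names, AP names, group names and client capability sets are constructed): policies are assigned centrally to AP groups under the 16-per-AP limit, and each AP admits a client only to policies whose Layer 2 and Layer 3 requirements the client can actually support.

```python
# Added model of the paper's "centrally administered, locally enforced" policy scheme
# (Sections 4 and 5). Not Airespace code; policy names, AP names and client capability
# sets are constructed for this demo.
MAX_POLICIES_PER_AP = 16  # per-AP limit stated in the paper


class SecurityPolicy:
    """One policy: the Layer 2 and Layer 3 mechanisms a client must support to use it."""
    def __init__(self, name, layer2=(), layer3=()):
        self.name = name
        self.required = frozenset(layer2) | frozenset(layer3)

    def client_qualifies(self, client_caps):
        # Local enforcement at the AP: the client must support everything the policy requires.
        return self.required <= frozenset(client_caps)


class PolicyController:
    """Central administration: policies are assigned to AP groups, never to APs one by one."""
    def __init__(self):
        self.group_of_ap = {}     # AP name -> group name
        self.group_policies = {}  # group name -> ordered list of SecurityPolicy

    def add_ap(self, ap, group):
        self.group_of_ap[ap] = group
        self.group_policies.setdefault(group, [])

    def assign(self, group, policy):
        policies = self.group_policies.setdefault(group, [])
        if any(p.name == policy.name for p in policies):
            return  # already provisioned on this group; pushing it again is a no-op
        if len(policies) >= MAX_POLICIES_PER_AP:
            raise ValueError(f"group {group!r} already carries {MAX_POLICIES_PER_AP} policies")
        policies.append(policy)

    def policies_for_ap(self, ap):
        return [p.name for p in self.group_policies[self.group_of_ap[ap]]]

    def admit(self, ap, client_caps):
        """Names of this AP's policies the client can use; an empty list means refuse."""
        policies = self.group_policies[self.group_of_ap[ap]]
        return [p.name for p in policies if p.client_qualifies(client_caps)]


def demo():
    """The paper's example: one AP group carrying 128-bit WEP, 802.1x and WPA (plus an
    IPsec-only policy for PDAs), and another with open access and 64-bit WEP."""
    ctl = PolicyController()
    ctl.add_ap("ap-floor1", "employee")
    ctl.add_ap("ap-lobby", "guest")
    ctl.assign("employee", SecurityPolicy("wep128", layer2={"WEP-128"}))
    ctl.assign("employee", SecurityPolicy("dot1x", layer2={"802.1x"}))
    ctl.assign("employee", SecurityPolicy("wpa-ipsec", layer2={"WPA"}, layer3={"IPsec"}))
    ctl.assign("employee", SecurityPolicy("pda-ipsec", layer3={"IPsec"}))
    ctl.assign("guest", SecurityPolicy("open"))
    ctl.assign("guest", SecurityPolicy("wep64", layer2={"WEP-64"}))
    return ctl
```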


Putting it All Together: Securing Your Air Space

As noted earlier, today’s rudimentary point security approaches are too complicated and “underpowered” to support large-scale wireless deployments across an enterprise. The Airespace security framework is the first system that allows network administrators to make their wireless networks as secure as their wired networks. This allows enterprises to move wireless technology out of the lab and into the LAN, supporting all business-critical voice, video, and data applications. With Airespace’s secure wireless solution, enterprises of all types and sizes can put their air space to work.


Worldwide Headquarters 110 Nortech Parkway San Jose, CA 95134 Tel: 408.635.2000 Fax: 408.635.2020 EMEA Headquarters 3000 Cathedral Hill Guildford, Surrey GU2 7YB United Kingdom Tel: +44 (0) 01483.243632 Fax: +44 (0) 01483.243501 www.airespace.com

© 2003 Airespace, Inc. All rights reserved. AireWave Director, Airespace and the Airespace logo are trademarks of Airespace, Inc. All other trademarks belong to their respective owners. LIT 10-03-2-2-WPFWS
