Press coverage of the DDoS attack Operation Ababil has caught the attention of many of our customers. This sophisticated cyber strike used a combination of three separate rootkits targeting web servers, which produced a very high-upstream attack against multiple companies simultaneously. The scary part about Operation Ababil was that it was designed to bypass standard DDoS defense methods. This clearly demonstrates that there isn’t a silver bullet for addressing advanced DDoS attacks. Distributed Denial of Service (DDoS), web application and DNS infrastructure attacks represent some of the most critical threats to enterprises today. Here are some suggestions for a reference architecture to defend against these and other advanced threats.
The best approach for defending against advanced DDoS as well as other cyber attacks is having multiple security solutions that use different methods to detect malicious activity, covering both internal and external threats. For internal threats, it’s critical to have a well-designed and mature security infrastructure that includes components such as firewalls, IPS/IDS, email security and content / application security solutions. Similar security standards need to be applied to endpoints as well as in the datacenter, such as proper patch management, anti-virus and anti-malware. It’s important to enable the DDoS defense features of these tools. For example, some best practices are leveraging ACLs for ingress and egress filtering, rate limiting ICMP and SYN packets, and verifying that the source IP of each packet is actually routable via the interface it arrived on (a reverse path forwarding check), which drops spoofed sources.
Standard internal security solutions are important; however, they will not completely protect you from advanced DDoS and other cyber threats. Security administrators need full network visibility to quickly identify anomalies regardless of their location or form of communication. The best practice for identifying malicious activity inside your network is monitoring the wire using a NetFlow or packet capture approach (more can be found HERE and HERE). It’s also important to match identity to the devices found. An example is how Cisco offers integration between its flagship access control solution, Identity Services Engine (ISE), and network forensic tools such as Lancope, NetWitness and most major SIEMs. Having a tuned monitoring solution will dramatically improve reaction time to internal cyber threats.
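The two checks called out above, a reverse path check on the source address and rate limiting of SYN/ICMP traffic, are easy to reason about when run over flow records. The following is an added example (not code from the original post or from any vendor product) that applies both to a handful of constructed NetFlow-style records; the routing table, interface names and thresholds are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table: prefix -> interface through which that prefix is reached.
# Interface names and prefixes are assumptions for this example.
ROUTES = {
    "10.0.0.0/8": "Gi0/1",     # internal LAN
    "192.0.2.0/24": "Gi0/2",   # DMZ web servers (documentation range)
    "0.0.0.0/0": "Gi0/0",      # default route towards the ISP
}

def route_interface(ip):
    """Longest-prefix match: the interface the router would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifname in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1]

def urpf_fails(rec):
    """Strict reverse path check: the source must be reachable via the arriving interface."""
    return route_interface(rec["src"]) != rec["in_if"]

def spoofed_sources(records):
    """Sources that fail the reverse path check (candidates for an ingress ACL drop)."""
    return sorted({r["src"] for r in records if urpf_fails(r)})

def rate_offenders(records, proto, limit):
    """Sources whose packet count for proto exceeds limit in this flow sample."""
    counts = defaultdict(int)
    for r in records:
        if r["proto"] == proto:
            counts[r["src"]] += r["pkts"]
    return sorted(src for src, n in counts.items() if n > limit)

# Constructed flow records: one SYN flood with a spoofed internal source
# arriving on the ISP link, and one ICMP flood from an external address.
FLOWS = [
    {"src": "10.1.2.3",     "in_if": "Gi0/1", "proto": "tcp-syn", "pkts": 5},
    {"src": "10.9.9.9",     "in_if": "Gi0/0", "proto": "tcp-syn", "pkts": 4000},
    {"src": "198.51.100.7", "in_if": "Gi0/0", "proto": "icmp",    "pkts": 20},
    {"src": "203.0.113.5",  "in_if": "Gi0/0", "proto": "icmp",    "pkts": 12000},
    {"src": "192.0.2.10",   "in_if": "Gi0/2", "proto": "tcp-syn", "pkts": 3},
]
```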
Detecting rogue wireless devices can be a headache if not performed properly. I’ve asked customers “How do you ENFORCE your zero wireless policy?” and received many answers. Example one is “We have random sweeps with wireless detectors,” which are only good at the time of the sweep and within the range of the detector. Example two is “We use network access control (NAC), so plugging in rogue wireless devices will be denied,” which can be bypassed by having an approved laptop act as a wireless bridge. Example three is “We have wireless scanners in our building”; however, are they certified for all frequencies, or are you missing devices on other frequencies? Here are some tips for properly detecting rogue wireless devices.
It’s extremely important to automate access control to every part of your network. Regarding the LAN, see my blog on Network Admission Control HERE. For wireless, walking the halls with a scanner such as a Fluke appliance or laptop detection software is not a reliable practice. I’ve heard stories of users powering down devices to avoid detection, or rogue wireless devices on the edge of a campus being out of range or hidden behind a wall. Plus, manual methods are time consuming and leave vulnerability gaps between scans.
Relying on LAN access control technologies such as port security or Network Admission Control (NAC) may stop rogue wireless devices plugged into the network; however, it will not detect approved devices such as laptops becoming wireless bridges. One example is a nearby Starbucks offering wireless near your campus, where a user could be connected to the corporate LAN and the Starbucks wireless network simultaneously. A common virus known as “Free WIFI” could turn your endpoints into open wireless bridges that permit anybody in range of your campus free WIFI access to your network.
One solution to prevent endpoint wireless bridges is locking down endpoints with software that disables wireless use when the device is physically connected to the LAN. This may work for trusted endpoints; however, it fails if guests or contractors are permitted on the network without security software enforcing the zero wireless policy. A better solution is developing a wireless detection solution using WIDS/WIPS (Wireless Intrusion Detection / Prevention), even if you do not plan to provide wireless access. See my blog defining WIDS/WIPS HERE. A wireless detection solution with WIDS/WIPS can detect all forms of wireless, including approved LAN devices exposing rogue wireless access. It’s also wise to include data security using Data Loss Prevention (DLP) and encryption to provide defense in depth in the event your access layer is bypassed.
When developing a rogue wireless detection solution with WIDS/WIPS, it’s best practice to deploy one dedicated WIDS/WIPS sensor for every five service-providing access points. When enforcing WIPS prevention, your design should be capable of leveraging multiple access points near an identified rogue device to ensure your access points are close enough to drown out the rogue signal. Hardware should be capable of detecting all channels, or some rogue devices may be missed.
It’s highly recommended to treat a WIDS/WIPS solution for detecting rogue wireless devices the same way as a solution designed to provide wireless access. Site surveys are critical to how effective your detection will be. Not planning for obstacles or proper access point placement may leave you with vulnerable areas. The bonus of a properly delivered rogue wireless detection system is the capability to enable wireless access using the same hardware if it is desired in the future.
Many security professionals understand the concepts behind Intrusion Detection and Prevention solutions (IPS/IDS) for the LAN and WAN, but not their wireless counterparts, WIDS/WIPS. If you plan to provide both wired and wireless access, you need to secure all access avenues equally, or you are not securing access to your network properly. Many security professionals see IDS/IPS as a key technology for their network, so it’s important to understand the fundamentals behind wireless IDS/IPS, aka WIDS/WIPS, as well.
According to Wikipedia, “Intrusion Prevention Systems (IPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of IPS are to identify malicious activity, log information, attempt to block/stop activity, and report activity.” Wireless detection/prevention (WIDS/WIPS) is similar; however, it focuses on reacting to rogue wireless devices rather than security events. WIDS are wireless access points that detect and alert when a wireless device is detected. WIPS do the same and can also prevent use of the device, for example by flooding the rogue access point with 802.11 de-authentication frames. Best practice is to manually review discovered rogue devices rather than automatically killing them. You may knock down Starbucks’ network or an emergency wireless setup for FEMA.
By default, wireless is a whitelist technology, meaning rogue access points are not automatically added to the network. Regardless, it’s important to detect rogue devices, or they may end up on the network and expose you to attack. For most vendors, WIDS/WIPS functions can be enforced in two ways. The first method is having access points both serve users and scan for rogue devices (sensor and service mode). The WIDS access point sits on one RF channel and switches between accepting users and scanning for rogue devices every few milliseconds. The pro is you get both services; the con is you only scan the RF channel assigned to that access point. Some customers have multiple WIDS access points on different channels, which can cover the majority of channels, but that doesn’t mean the other channels are covered. The second method is setting up a WIPS access point in sensor-only mode (a dedicated WIDS/WIPS access point), which scans all RF channels for rogue devices. Best practice is to have one dedicated sensor for every 5 servicing access points.
The final WIDS/WIPS concept to understand is wireless channels. The common commercial channel range is 802.11 b/g/n (the 2.4 GHz range), which is used by devices such as Best Buy routers. Best practice to avoid signal bleeding is to separate b/g/n channels by 5, meaning the standard b/g/n channels used are 1, 6 and 11. Newer wireless technology uses 802.11 a/n (the 5 GHz range) channels, which offer 20+ options. If you use a laptop or an older access point that only scans the b/g/n range for WIDS/WIPS, you are only scanning that channel range, meaning a/n or other-range access points completely bypass your security. Another point to note is that these channels are unlicensed by the FTC, meaning there really isn’t a way to enforce against misuse of channels. This means if you kill Starbucks’ wireless network, all they can do is kill your network. So it’s expected that we all get along, meaning being ethical about using WIDS/WIPS to kill a rogue signal.
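The coverage argument in the two paragraphs above (service-mode access points only scan their own channel, a 2.4 GHz-only scanner misses the 5 GHz range entirely, and one dedicated sensor is needed per five service access points) can be checked for a planned deployment before the hardware goes in. The following is an added example, not code from the original post or from any WIDS/WIPS vendor; the channel lists and the deployment are constructed for illustration.

```python
# Constructed channel sets: US 2.4 GHz channels 1-11 and a common set of 5 GHz channels.
CHANNELS_24 = list(range(1, 12))
CHANNELS_5 = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120,
              124, 128, 132, 136, 140, 149, 153, 157, 161, 165]
ALL_CHANNELS = set(CHANNELS_24) | set(CHANNELS_5)

def scanned_channels(ap):
    """Channels an access point actually monitors for rogues.
    service mode: only its own channel, between client time slots;
    sensor mode: every channel on the bands its radios support."""
    if ap["mode"] == "sensor":
        chans = set()
        if "2.4" in ap["bands"]:
            chans |= set(CHANNELS_24)
        if "5" in ap["bands"]:
            chans |= set(CHANNELS_5)
        return chans
    return {ap["channel"]}

def coverage_gaps(aps):
    """Channels no device in the deployment ever scans: a rogue there goes unseen."""
    covered = set()
    for ap in aps:
        covered |= scanned_channels(ap)
    return sorted(ALL_CHANNELS - covered)

def sensor_shortfall(aps, ratio=5):
    """Extra dedicated sensors needed to reach one sensor per `ratio` service APs."""
    service = sum(1 for a in aps if a["mode"] == "service")
    sensors = sum(1 for a in aps if a["mode"] == "sensor")
    needed = -(-service // ratio)  # ceiling division
    return max(0, needed - sensors)

# Constructed deployment: five service APs (four on 2.4 GHz channels 1/6/11, one on
# 5 GHz channel 36) plus a 2.4 GHz-only laptop-style scanner in sensor mode.
DEPLOYMENT = [
    {"name": "ap1", "mode": "service", "channel": 1,  "bands": ["2.4"]},
    {"name": "ap2", "mode": "service", "channel": 6,  "bands": ["2.4"]},
    {"name": "ap3", "mode": "service", "channel": 11, "bands": ["2.4"]},
    {"name": "ap4", "mode": "service", "channel": 36, "bands": ["5"]},
    {"name": "ap5", "mode": "service", "channel": 1,  "bands": ["2.4"]},
    {"name": "scanner", "mode": "sensor", "channel": None, "bands": ["2.4"]},
]
DUAL_BAND_SENSOR = {"name": "sensor1", "mode": "sensor", "channel": None, "bands": ["2.4", "5"]}
```

The sensor-to-AP ratio is satisfied here, yet every 5 GHz channel except 36 is a blind spot until the 2.4 GHz-only scanner is replaced by a dual-band dedicated sensor.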
This is just a glimpse into securing wireless networks using WIDS/WIPS. Shout out to Bart Robinson at World Wide Technology for his input on this piece.