The majority of today’s workforce uses multiple devices such as laptops, tablets and smartphones (IE brings their own device or BYOD). Leadership from most industries is being asked to permit these devices on the network in some limited or full fashion. Common BYOD questions are “how do I support growth for users with multiple devices?”, “what type of access should guest and employees use for mobile devices?”, “how do I provision corporate mobile devices?”, and “what security vulnerabilities am I exposed to by permitting mobile devices?”. All are good questions and can be addressed by focusing on three core BYOD concepts: Infrastructure, Access Control and Device Management.
The first thing to consider for BYOD is if your wireless network can support growing from one device per user to potentially 2-4 devices. The best way to find out is by performing a wireless assessment to verify capabilities and potential risks caused by obstacles and nearby rouge networks (IE Starbucks using a similar RFID channel). Security features such as wireless intrusion detection and prevention (WIDS /WIPS) as well as controlling the number of permitted associated devices per user should be considered for BYOD to guarantee scalability and service.
Another common area of concern for BYOD is provisioning access to employees and guests. The first BYOD question typically asked is “should all mobile devices be handled by a separate network or should employee owned mobile devices share the same core network while guest devices use another network?”. However you plan to permit mobile devices, best practice for BYOD is to automate the process based on multiple factors such as device type, user authentication and risk status. Policies permitting employee access using personal devices should have a process to register and track those devices (IE web registration page like in hotels) rather than an “employee wireless password” that could get compromised and not associated to a device. Many solutions such as Cisco Identity Services Engine (ISE) offer self-registration to eliminate the need for employee or guest users to deal with an IT member to gain network access. Solutions that leverage profiling technologies can automatically assigned specific access types based operating system, device type and other details (IE provide different access for iPhones and Androids) so you know who and what is on your network. “Knowing is half the battle”, GI JOE
The final piece to the BYOD puzzle is device management. Most mobile hardware vendors give power to device owners meaning Apple, Android, etc. device users can take themselves out of compliance at anytime (blackberry is the only exception). Solutions such as Mobile Iron and AirWatch provide methods to assess devices for high risk factors such as jailbreaking or using unapproved applications which is crucial for BYOD. Application based endpoint management solutions verify devices and either permit or deny corporate services such as providing email based on policy status (IE no email service while angry birds is installed). Common BYOD policies are enforcing the use of passwords, remote locking devices, denying hacked devices, provisioning specific applications and having the ability to remote wipe only corporate data. The mobile security market leaders offer a breath of operating systems and hardware options as well as easy methods to communicate when end users fall out of compliance.
Industry leaders for security are focusing on BYOD by developing solutions for mobile devices. RSA and Symantec recently released data loss prevention (DLP) for mobile devices to deny sensitive information such as social security numbers from moving to or from mobile devices. Network vendors such as Cisco are partnering with mobile manufactures to address BYOD by offering VPN technology that encrypt traffic from mobile devices while off the corporate network. There are many options for endpoint security when looking at BYOD, which the investment for mobile security should match protecting laptops and desktops regardless if the employee owns the asset.
Detecting rouge wireless devices can be a headache if not performed properly. I’ve asked customers “How do you ENFORCE your zero wireless policy?” and received many answers. Example one is “We have random sweeps with wireless detectors” which are only good at the time of the sweep and range of the detector. Example two is “We use network access control (NAC) so plugging in rouge wireless devices will be denied” which can be bypassed by having an approved laptop act as a wireless bridge. Example three is “We have wireless scanners in our building” however are they certified for all frequencies or are you missing devices on other frequencies? Here are some tips for properly detecting rouge wireless devices.
It’s extremely important to automate access control to any part of your network. Regarding the LAN, see my blog on Network Admission Control HERE. For wireless, walking the halls with a scanner such as a Fluke appliance or laptop detection software is not a reliable practice. I’ve heard stories of users powering down devices to avoid detection or rouge wireless devices on the edge of a campus being out of range or hidden behind a wall. Plus manual methods are time consuming and leave vulnerability gaps between scans.
Relying on LAN access control technologies such as port security or Network Admission Control (NAC) may stop rouge wireless devices plugged into the network however will not detect approved devices such as laptops becoming wireless bridges. Some examples could be a nearby Starbucks offering wireless near your campus, which a user could be connected to the cooperate LAN and Starbucks wireless network simultaneously. A common virus known as “Free WIFI” could turn your endpoints into open wireless bridges that permit anybody in range of your campus free WIFI access to your network.
One solution to prevent endpoint wireless bridges is locking down endpoints with software that disables wireless use when physically connected to the LAN. This may work for trusted endpoints however fails if guest or contactors are permitted on the network without security software enforcing the zero wireless policy. A better solution is developing a wireless detection solution using WIDS WIPS (Wireless Intrusion Detection / Prevention) even if you do not plan to provide wireless access. See my blog on defining WIDS WIPS HERE. Using a wireless detection solution with WIDS WIPS can detect all forms of wireless including approved LAN devices exposing rouge wireless access. It’s also wise to include data security using Data Loss Prevention (DLP) and encryption to provide defense in depth in the event your access layer is bypassed.
When developing a rouge wireless detection solution with WIDS WIPS, its best practice to deploy one dedicated WIDS WIPS sensor for every five service providing access points. When enforcing WIPS prevention, your design should be capable of leveraging multiple access points near a identified rouge device to ensure your access points are close enough to drown out the rouge signal. Hardware should be capable of detecting all channels or some rouge devices may be missed.
It’s highly recommended to treat a wireless detection solution with WIDS WIPS to detect rouge wireless devices the same way as designing a solution to provide wireless access. Site surveys are critical to how effective your detection will be. Not planning for obstacles or proper access point placement may leave you with vulnerable areas. The bonus of a rouge wireless detection system delivered properly is the capability to enable wireless using the same hardware if wireless access is desired in the future.
Many security professionals understand the concepts behind Intrusion Detection and Prevention solutions IPS IDS for LAN and WAN however not Wireless WIDS WIPS. If you plan to provide network and wireless access, you need to equally secure all access avenues or you are not securing access to your network properly. Many security professionals see IDS IPS as key technology for their network so it’s important to understand the fundamentals behind wireless IDS IPS aka WIDS WIPS as well.
According to Wiki, “Intrusion Prevention Systems (IPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of IPS is to identify malicious activity, log information, attempt to block/stop activity, and report activity.”. Wireless detection/prevention WIDS WIPS is similar however focuses on reacting to rouge wireless devices rather the security events. WIDS are wireless access points detecting and alerting when a wireless device is detected. WIPS do the same and can prevent use of the device using things like overflowing the rouge access point with 802.11 de-authentication frames. Best practice is to manually review discovered rouge devices rather than automatically killing them. You may knock down Starbuck’s network or an emergency wireless setup for FIMA.
By default, wireless is a whitelist technology meaning rouge access points are not auto added to the network. Regardless it’s important to detect rouge devices or they may end up on the network exposing you to attack. For most vendors, WIDS WIPS functions can be enforced in two ways. The first method is having access points service users and scan for rouge devices (sensor and service mode). The WIDS access point sits on one RFID channel and switches from accepting users to scanning for rouge devices every few milliseconds. The pro is you get both services however con is you only scan the RFID channel assigned to that access point. Some customers have multiple WIDS access points on different channels, which can cover the majority of channels however doesn’t mean other channels are covered. Method 2 for setting up an WIPS access point in senor only mode (dedicated WIDS WIPS access point), which scans all RFID channels for rouge devices. Best practice is to have one dedicated senor for every 5 servicing access points.
The final WIDS WIPS concept to understand is wireless channels. The common commercial channel is BGN (2.4 range), which is used by devices such as best buy routers. Best practice to avoid signal bleeding is to separate BGN by 5 channels, meaning standard BGN channels used are 1,6 and 11. Newer wireless technology uses AN (5.0 range) channels, which offer 20+ options. If you use a laptop or older access point scanning BGN for WIDS WIPS, you are only scanning that channel range meaning AN or other range access points are completely bypassing your security. Another point to note is channels are unlicensed by FTC meaning there really isn’t a way to enforce misuse of channels. This means if you kill Starbuck’s wireless network, all they can do is kill your network. So its expected that we all get along meaning being ethical about using WIDS WIPS to kill a rouge signal.
This is just a glimpse at understanding securing wireless networks using WIDS WIPS. Shout out to Bart Robinson at World Wide Technology for his input for this piece.