Wireless enterprise threats

The latest threat to the wireless enterprise

by Chia-Chee Kuan, CTO and Co-Founder, AirMagnet

The wireless world today presents a unique set of challenges for businesses looking to maintain a secure network. Attackers are turning their attention to client devices. Wireless-enabled client devices, such as laptops, tablets and smartphones, rather than enterprise access points, are now the focus of new threats. The only way to approach these security issues efficiently in an enterprise environment is to deploy wireless intrusion prevention technology.

Chia-Chee Kuan is Co-Founder, CTO and Senior VP of Engineering at AirMagnet. Prior to co-founding AirMagnet in 2001 (now part of Fluke Networks), Mr Kuan served as advanced technical staff at Packet Design LLC from the company's inception, where innovations were incubated and focused on Internet routing and wireless security. Previously, he was the founding engineer at Precept Software, developing IP multicast and IP video streaming technologies. When Cisco acquired Precept, Mr Kuan led Cisco's Video Internet Service Unit development team. His career has been devoted to computer networking, especially to TCP/IP in the infancy of the Internet, when ARPANET was formed. Mr Kuan holds a B.S. in Information Engineering from National Taiwan University and a Master in Computer Science from Stanford University, as well as 10 US patents in wireless security and performance management.

Research continues to show mass growth and adoption of wireless and wireless local area network (WLAN) technology.
In fact, today it is more likely that your employees connect to a wireless network than plug an Ethernet cable into their computers for access. Because of this growth, most organizations now understand the advantages wireless offers business (connectivity, productivity, critical apps, and so on), but as connected enterprises continue to grow, so do the challenges associated with managing and securing them.

The wireless world today is much more complicated than the wireless world of yesterday. There was a time when IT managers could be assured that their wireless network consisted primarily of approved access points (APs) and routers tied into the server infrastructure. However, with the proliferation of personal and mobile devices, these same technicians have gone from network planner and manager to network police officer, tracking and hunting down unapproved technologies.

Today's wireless networks (and the teams responsible for managing them) are engaged in a constant power struggle. Wireless has expanded beyond the laptop and has become embedded in a growing number of mobile and lifestyle devices, or clients. Now anyone who walks into your central business location (or remote sites) can attempt to connect to your wireless network. Will they succeed? That is the scary question. And, if they do, will you know about it? That is even scarier.

This new wireless world presents a unique set of challenges for businesses looking to maintain a secure network.
In this article, we focus primarily on the new threats associated with wireless-enabled client devices, like laptops, tablets and smartphones. If your team is not actively working to secure against these new threats and devices, it is only a matter of time before someone else exploits them (either intentionally or unintentionally).

So what exactly are we talking about when we say the wireless network is at risk due to the proliferation of mobile and lifestyle devices? Basically, we are referring to any device that can serve as a wireless client. Since these types of devices are spreading into every aspect of our lives, the impact on enterprise wireless networks is huge. The ultimate goal is to stop unauthorized connections, but, if a device does connect, you also need to be able to recognize and mitigate that connection immediately.

22 • North America 2010

Many of today's organizations feel they have a strong grip on wireless security because they detect and root out rogue APs. This has been a focal point for most organizations over the past several years - and perhaps, unfortunately, is still the focal point of discussions of wireless security today.

It is true that tremendous effort has been expended to watch for, and root out, rogue APs in the enterprise, whether they are malicious or inadvertently hooked into the wired network by a well-intentioned employee. And this is still an important security activity. However, malicious attackers are always finding new ways to circumvent even the strongest defences built around rogue AP detection. While companies focus their security efforts on locking down and monitoring corporate APs, attackers are now directly targeting the enterprise's most ubiquitous and most vulnerable assets - the new client devices.

Using new wireless client attack tools and techniques, outsiders are able to gather login and password data, or send traffic directly to an end user, without ever touching the approved enterprise wired network. As a matter of fact, new trends in wireless functionality actually open up tunnels into the network, and these tunnels (and the traffic they bear) will appear completely authentic. Unfortunately, wired security systems do little to protect against this over-the-air malicious traffic. Airborne traffic requires the same level of continuous monitoring and analysis as wire-bound traffic, so that IT managers can detect criminal activity that threatens to expose corporate data or users.

It is no wonder attackers are turning their attention to client devices, exploiting them from corporate parking lots, in airports and at other hotspots. They are compromising managed corporate devices and unmanaged smartphones, as well as unmanaged business-associate devices. And yes, they can attack Mac OS as well as Windows devices.

The fact is that rogue AP detection is trivial compared to managing client-side wireless exposures, and the client threat has become far more dangerous. Rogue APs are easy to find because there are few of them and they are relatively static. Client vulnerabilities and exploits, on the other hand, are much harder to detect, because spotting them requires stateful monitoring and analysis of network traffic in the air, and they are therefore far more threatening.

Malicious hackers now have a vast number of devices to target (with tools like KARMA, MDK3 and SkyJack): Wi-Fi-enabled laptops in the office, at home and on the road; Wi-Fi-enabled smartphones, typically privately owned and unmanaged, increasingly used as important work tools; and partner, vendor, contractor and service provider laptops - also Wi-Fi enabled.
All of these devices are coming onto the corporate network by the minute, but they are not under the corporate security umbrella.

Attackers' ability to gain access to wireless clients is largely a product of the way these wireless connections work. Wireless technology is designed to facilitate fast, easy connectivity in a variety of settings, to a broad range of trusted and untrusted APs - which makes the AP side of the conversation easy to spoof: a client that probes for a network it remembers will readily join an attacker's AP that answers to the same name. Even worse, virtualization allows a device to operate simultaneously as both a legitimate client and an open access point, creating an unmanaged bridge (or tunnel) to the outside world. Moreover, this transparent connectivity and seamless virtualization are active trends within the industry; they are capabilities that vendors throughout the industry are working to expand and enhance every day. This functionality is considered a feature rather than a vulnerability - unfortunately, the feature can be exploited so that an attacker gains access to the corporate network.

There are two important points to take from all of this: 1) the majority of Wi-Fi threats occur, and are only detectable, in the air, and 2) the majority of evolving hacks and vulnerabilities revolve around end-user client devices, not enterprise APs.

As wireless usage becomes pervasive and an integral part of the extended corporate network, it is time to adopt security policies, procedures and technologies that can meet the challenges of this dynamic environment.

Rogue AP detection is simply not enough anymore, as it assumes that you can 'see' the unauthorized device.
Unfortunately, the vast majority of new Wi-Fi threats occur in the air and focus on spoofing, hijacking or tunneling through authorized client devices. And these client devices are literally everywhere in the enterprise; with the proliferation of new devices, the volume is growing every day. Add in the trend toward virtualization, where potential holes are being baked right into chips, adapters and operating systems, and client-side security quickly becomes a losing game - it requires you to know about and control every single device. Miss one device and the game could be over.

The only way to avoid this trap effectively is to adopt the same approach that is used in the wired world: look at the network traffic itself. And just as in the wired world, detecting anomalous and illicit wireless traffic - including attempts against client devices, devices holding multiple states (for example, a station that is associated to a corporate AP while also acting as an AP itself), or compromised or spoofed devices - requires stateful, continuous traffic monitoring and analysis.

But keep in mind that existing wired traffic monitoring will not cut it; by the time the hacker has access to the network, the connection looks legitimate. Rogue AP detection alone will not cut it either: these hacks avoid the legitimate APs and target client devices instead. The only way to do this wireless traffic monitoring efficiently in an enterprise environment is to deploy wireless intrusion prevention (WIPS) technology, which is unique among wireless security tools because of its ability to look at all traffic in the air statefully.

Wireless client devices are not going away. It will always be a challenge to keep them off the network - whether you establish corporate policies or not. If you want to keep your corporate network secure, make sure you monitor your air space so that you can maintain a healthy, secure and connected enterprise network.
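As an added example (not code from the article, AirMagnet or any WIPS product), the following Python sketch shows what "stateful" monitoring of the air means in practice: the monitor keeps per-MAC state across 802.11 management frames and raises an alert only when a pattern spanning several frames appears. It flags three of the behaviours discussed above: a beacon for the corporate SSID from an unapproved BSSID (a spoofed AP), one BSSID answering probe requests for many unrelated SSIDs (the KARMA-style responder), and a station that is associated to an approved AP while also beaconing as an AP (the client-side bridge). The frames, MAC addresses and SSIDs are constructed, the probe-response threshold is an assumption, and the alert names are ours.

```python
# Added example (not from the article or from AirMagnet): a minimal stateful
# over-the-air monitor that keeps per-MAC state across 802.11 management frames.
# Frame records, SSIDs and MAC addresses below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """A decoded management frame, reduced to the fields the monitor needs."""
    kind: str             # "beacon", "probe_resp" or "assoc_resp"
    src: str              # transmitter address
    dst: str = BROADCAST  # receiver address
    bssid: str = ""
    ssid: str = ""


class AirMonitor:
    """Flags three multi-frame patterns that no single frame reveals on its own.

    evil_twin        beacon for the corporate SSID from a BSSID not on the approved list
    karma_responder  one BSSID answering probe requests for many unrelated SSIDs
    client_bridge    a station associated to an approved AP that is also beaconing as an AP
    """

    def __init__(self, authorized_ssid, authorized_bssids, karma_threshold=3):
        self.authorized_ssid = authorized_ssid
        self.authorized_bssids = set(authorized_bssids)
        self.karma_threshold = karma_threshold  # assumed cut-off, tune per site
        self.answered_ssids = defaultdict(set)  # bssid -> SSIDs claimed in probe responses
        self.beaconing = set()                  # MACs seen transmitting beacons
        self.associated = {}                    # station MAC -> approved BSSID it joined
        self.alerts = []                        # (type, mac, detail), first occurrence only
        self._raised = set()

    def _alert(self, kind, mac, detail):
        if (kind, mac) not in self._raised:
            self._raised.add((kind, mac))
            self.alerts.append((kind, mac, detail))

    def observe(self, frame):
        if frame.kind == "beacon":
            self.beaconing.add(frame.src)
            if frame.ssid == self.authorized_ssid and frame.bssid not in self.authorized_bssids:
                self._alert("evil_twin", frame.bssid,
                            "advertises %r from an unapproved BSSID" % frame.ssid)
        elif frame.kind == "probe_resp":
            seen = self.answered_ssids[frame.bssid]
            seen.add(frame.ssid)
            if len(seen) >= self.karma_threshold:
                self._alert("karma_responder", frame.bssid,
                            "answered probes for %s" % sorted(seen))
        elif frame.kind == "assoc_resp" and frame.bssid in self.authorized_bssids:
            # An approved AP (src) accepted a station (dst) onto the corporate WLAN.
            self.associated[frame.dst] = frame.bssid
        # Correlate the two role tables after every frame: a MAC that is both an
        # associated corporate station and a beaconing AP is a candidate bridge.
        # (Keyed on the exact MAC for simplicity; a soft AP often uses a nearby
        # locally-administered address, which a real sensor would also correlate.)
        for mac in self.beaconing.intersection(self.associated):
            self._alert("client_bridge", mac,
                        "associated to %s while beaconing" % self.associated[mac])


def run_sample():
    """Replay a constructed capture through the monitor and return its alerts."""
    corp_ap = "00:11:22:aa:bb:01"
    laptop = "d4:3d:7e:00:00:10"     # managed corporate laptop
    evil = "02:13:37:00:00:01"       # attacker AP cloning the corporate SSID
    karma = "02:de:ad:be:ef:00"      # attacker AP answering every probe it hears
    mon = AirMonitor("corp-wlan", {corp_ap})
    capture = [
        Frame("beacon", corp_ap, bssid=corp_ap, ssid="corp-wlan"),        # legitimate
        Frame("assoc_resp", corp_ap, dst=laptop, bssid=corp_ap),          # laptop joins
        Frame("beacon", evil, bssid=evil, ssid="corp-wlan"),              # evil twin
        Frame("probe_resp", karma, dst=laptop, bssid=karma, ssid="attwifi"),
        Frame("probe_resp", karma, dst=laptop, bssid=karma, ssid="Starbucks"),
        Frame("probe_resp", karma, dst=laptop, bssid=karma, ssid="home-net"),
        Frame("beacon", laptop, bssid=laptop, ssid="Free Public Wi-Fi"),  # laptop now an AP too
    ]
    for frame in capture:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for kind, mac, detail in run_sample():
        print(kind, mac, detail)
```

The point of the sketch is the two state tables: the evil twin is visible from one frame, but the KARMA responder only emerges after several probe responses from the same BSSID, and the bridging laptop is only caught by cross-referencing the association table against the set of beaconing transmitters. A wired-side monitor sees none of these frames, which is the article's argument for watching the air itself.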