WLAN Security Preparing For BYOD and IoT

Transcription

1 Next Presentation Begins at 13:00 WLAN Security Preparing For BYOD and IoT Mathew Edwards, Product Marketing Manager & Gregor Vucajnk, Global Training Manager

2 Your Past and possibly present

3 ANYTIME ANYWHERE WORKING EFFICIENT & AWARE SYSTEMS IMPROVE WORKER FLEXIBILITY COMMUNICATION & COLLABORATION BUSINESS INTELLIGENCE GREAT VISITOR EXPERIENCE Your Potential

4 SEAMLESS MOBILITY INTERNET OF THINGS BYOD APPLICATION INTELLIGENCE ANALYTICS GUEST WI-FI Your Platform

5 At the end of 2013 there were more mobile devices than people on earth - SAP

6 By 2020, it is predicted that 24 Billion devices will be connected to the Internet. The vast majority will use some form of wireless for access - GIGACOM

7 Connected Everything 6/17/2015 Aerohive Networks, Proprietary & Confidential 7

8 Connected Everything 6/17/2015 Aerohive Networks, Proprietary & Confidential 8

9 Connected Everything 6/17/2015 Aerohive Networks, Proprietary & Confidential 9

10 Hi I m Barbie, I m ac enabled, let s talk binary.. Connected Everything 6/17/2015 Aerohive Networks, Proprietary & Confidential 10

11

12

13

14 Balancing Security &Flexibility 6/17/2015 Aerohive Networks, Proprietary & Confidential 14

15 Quality of WiFi Security WiFi signal strength Ease of integration with existing systems Policies for using company-provided devices Ease of management Scalability Application visibility Secure guest access Control features Brand name of vendor Supports BYOD (Bring Your Own Device) usage Ease of instalment Cost 73% 73% 67% 60% 47% 27% 40% 27% 40% 20% 13% 13% 40% 13% 53% 7% 13% 7% 20% 7% 47% 7% 40% 47% 13% 27% 20% 20% Critical 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Very Important

16 One of the key problems that we have, is to make it FLEXIBLE enough so it is usable but SECURE enough so only authorised people can get into it WE NEED BOTH those things. I think we probably at the moment come down on the side of security

17 Is 802.1X the Answer? (347)IEEE802.1X auth is starting (at if=wifi0.1) (348)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (349)Receive message from RADIUS Server: code=11 (Access-Challen (350)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (351)Receive message from RADIUS Server: code=11 (Access-Challen (352)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (353)Receive message from RADIUS Server: code=11 (Access-Challen (354)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (355)Receive message from RADIUS Server: code=11 (Access-Challen (356)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (357)Receive message from RADIUS Server: code=11 (Access-Challen (358)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (359)Receive message from RADIUS Server: code=11 (Access-Challen (360)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (16)RADIUS: PEAP Tunneled authentication was rejected. NTLM_au (17)RADIUS: rejected user 'AD\JHC7294' through the NAS at (361)Receive message from RADIUS Server: code=11 (Access-Challen (362)Send message to RADIUS Server( ): code=1 (Access-R NAS-IP-Address= Called-Station-Id=E0-1C-41-DE-A6-74:PC (363)Authentication is terminated (at if=wifi0.1) because it is rejected by

18 Personalized Access

19 EMMA DAVE BRIAN Connected Users

20 CONTRACTOR GUEST EMPLOYEE Connected Users

21 Connected Users CONTRACTOR POLICY Limited server access Business apps only Medium bandwidth Extended working hours Access in office areas GUEST POLICY Internet only Limited apps Low bandwidth Access in office hours Access in meeting areas STAFF POLICY Access restricted areas Limited BYOD access High bandwidth 24 hour access Access in all areas

22 CORPORATE ISSUED LAPTOP PERSONAL CONSUMER TABLET CORPORATE ISSUED TABLET Connected Devices CORPORATE ISSUED SMARTPHONE PERSONAL SMARTPHONE

23 Connected Apps

24 Connected Everything

25 WIPS Complianc e Reporting Application Visibility External AUTH AD/MD M Policy Enforcement Auth Type Unique Identity Time of Day Access VLAN assignmen t Layer 7 DPI firewall PPSK IoT device 24 Hr 1 Specific server only Social Login Sarah - Guest 9-5 DMZ Limited Web ID Manage r Emma - BYOD No Torrents Active Directory Stephen Corp Device 24 Hr 3 Corp Apps Bandwidth Low Very Low Medium High

26 Layer2/3 VPN Home SSID TPM Encryption Remote Web Filtering Virtualized Mgmt & VPN Termination Data Center Remote Auth Type PPSK PPSK PPSK Active Directory Accessibility Unique Identity Time of Day Access VLAN assignmen t Layer 7 firewall Corp Phone 24 Hr VPN HQ Phone Server Jane s phone Wife 24Hr Local Limited Web Claire s ipad - Daughter 7am- 9pm Local No Torrents Stephen Corp Device 24 Hr VPN HQ Corp Apps Bandwidth Low Very Low Medium High

27 Add an oops slide - andy Why We Need Context 6/17/2015 Aerohive Networks, Proprietary & Confidential 27

28 Obtaining Identity HOW DO YOU KNOW WHO S WHO? 6/17/ Aerohive Networks, Proprietary & Confidential

29 Key: Unknown Person Key: Unknown Person Key: Unknown Person Unknown & Invisible Key: Unknown Person

30 PSK Explained (347)Rx auth <open> (frame 1, rssi -50dB) (348)Tx auth <open> (frame 2, status 0, pwr 19dBm) (349)Rx assoc req (rssi -50dB) (350)Tx assoc resp <accept> (status 0, pwr 19dBm) (351)WPA-PSK auth is starting (at if=wifi1.4) (352)Sending 1/4 msg of 4-Way Handshake (at if=wifi1.4) (353)Received 2/4 msg of 4-Way Handshake (at if=wifi1.4) (354)Sending 3/4 msg of 4-Way Handshake (at if=wifi1.4) (355)Received 4/4 msg of 4-Way Handshake (at if=wifi1.4) (356)PTK is set (at if=wifi1.4) (357)Authentication is successfully finished (at if=wifi1.4) (358)station sent out DHCP REQUEST message

31 4-way What? PMK is known Generate SNonce Message 1: EAPOL-Key (ANonce) PMK is known Generate ANonce Derive PTK Message 2: EAPOL-Key (Snonce, MIC) Message 3: EAPOL-Key (Install PTK, MIC, Encrypted GTK) Message 4: EAPOL-Key (MIC) Derive PTK Generate GTK Install PTK and GTK Install PTK and GTK

32 6/17/2015 Aerohive Networks, Proprietary & Confidential 32

33 Key: d5g7aa! Brian - Sales Key: $d45g56n Dave - Finance Key: 6Fhm7&9? Sarah - Operations Known & Visible Key: 6n&@13x$ Rita - Marketing

34 Private PSK Explained (347)Rx auth <open> (frame 1, rssi -50dB) (348)Tx auth <open> (frame 2, status 0, pwr 19dBm) (349)Rx assoc req (rssi -50dB) (350)Tx assoc resp <accept> (status 0, pwr 19dBm) (351)WPA-PSK auth is starting (at if=wifi1.4) (352)Sending 1/4 msg of 4-Way Handshake (at if=wifi1.4) (353)Received 2/4 msg of 4-Way Handshake (at if=wifi1.4) (354)Sending 3/4 msg of 4-Way Handshake (at if=wifi1.4) (355)Received 4/4 msg of 4-Way Handshake (at if=wifi1.4) (356)(P)PTK is set (at if=wifi1.4) (357)Authentication is successfully finished (at if=wifi1.4) (358)station sent out DHCP REQUEST message

35 PSK Explained (347)Rx auth <open> (frame 1, rssi -50dB) (348)Tx auth <open> (frame 2, status 0, pwr 19dBm) (349)Rx assoc req (rssi -50dB) (350)Tx assoc resp <accept> (status 0, pwr 19dBm) (351)WPA-PSK auth is starting (at if=wifi1.4) (352)Sending 1/4 msg of 4-Way Handshake (at if=wifi1.4) (353)Received 2/4 msg of 4-Way Handshake (at if=wifi1.4) (354)Sending 3/4 msg of 4-Way Handshake (at if=wifi1.4) (355)Received 4/4 msg of 4-Way Handshake (at if=wifi1.4) (356)PTK is set (at if=wifi1.4) (357)Authentication is successfully finished (at if=wifi1.4) (358)station sent out DHCP REQUEST message

36 4-way What? PMK is known Generate SNonce Message 1: EAPOL-Key (ANonce) PMK is known Generate ANonce Derive PTK Message 2: EAPOL-Key (Snonce, MIC) Message 3: EAPOL-Key (Install PTK, MIC, Encrypted GTK) Message 4: EAPOL-Key (MIC) Derive PTK Generate GTK Install PTK and GTK Install PTK and GTK

37 Guests & BYO BYOD Welcomed

38 Increase Visibility 6/17/2015 Aerohive Networks, Proprietary & Confidential 38

39 Increase Support 6/17/2015 Aerohive Networks, Proprietary & Confidential 39

40 Thank You Mathew Edwards, Product Marketing Manager & Gregor Vucajnk, Global Training Manager