Chia-Chee Kuan is Co-Founder, CTO and Senior VP of Engineering at AirMagnet. Prior to co-founding AirMagnet in 2001 (now part of Fluke Networks), Mr. Kuan served on the advanced technical staff at Packet Design LLC from the company’s inception, where innovations were incubated and focused on Internet routing and wireless security. Previously, he was the founding engineer at Precept Software, developing IP multicast and IP video streaming technologies. When Cisco acquired Precept, Mr. Kuan led Cisco’s Video Internet Service Unit development team. His career has been devoted to computer networking, especially TCP/IP in the early days of the Internet. Mr. Kuan holds a B.S. in Information Engineering from National Taiwan University and a Master’s in Computer Science from Stanford University, as well as 10 U.S. patents in wireless security and performance management.
The wireless world today presents a unique set of challenges for businesses looking to maintain a secure network. Attackers are turning their attention away from enterprise access points and toward wireless-enabled client devices, such as laptops, tablets and smartphones, which are now the focus of new threats. The only way to address these threats efficiently in an enterprise environment is to monitor the traffic in the air itself, which in practice means deploying wireless intrusion prevention technology.
Research continues to show rapid growth and adoption of wireless and wireless local area network (WLAN) technology. In fact, today it’s more likely that your employees connect to a wireless network than plug an Ethernet cable into their computers for access. Because of this growth, most organizations now understand the advantages wireless offers the business (connectivity, productivity, critical apps, and so on), but as connected enterprises continue to grow, so do the challenges associated with managing and securing them.
The wireless world today is much more complicated than the wireless world of yesterday. There was a time when IT managers could be assured their wireless network consisted primarily of approved access points (APs) and routers tied into the server infrastructure. However, with the proliferation of personal and mobile devices, these same technicians have gone from network planner and manager to network police officer, tracking and hunting down unapproved technologies. Today’s wireless networks (and the teams responsible for managing them) are engaged in a constant power struggle. Wireless has expanded beyond the laptop and has become embedded in a growing number of mobile and lifestyle devices, or clients. Now everyone who walks into your central business location (or remote sites) can attempt to connect to your wireless network. Will they succeed? That’s the scary question. And if they do, will you know about it? That’s even scarier!
This new wireless world presents a unique set of challenges for businesses looking to maintain a secure network. In this article, we’re going to focus primarily on the new threats associated with wireless-enabled client devices, like laptops, tablets and smartphones. If your team is not actively securing against these new threats and devices, it’s only a matter of time before someone else exploits them (either intentionally or unintentionally).
So what exactly are we talking about when we say the wireless network is at risk due to the proliferation of mobile and lifestyle devices? Basically, we’re referring to any device that can serve as a wireless client. Since these types of devices are exploding into every aspect of our lives, the impact on enterprise wireless networks is huge. The ultimate goal is to stop unauthorized connections, but if they do connect, you also need to be able to recognize and mitigate that connection immediately.
Many of today’s organizations feel they have a strong grip on wireless security because they detect and root out rogue APs. This has been a focal point for most organizations over the past several years, and perhaps, unfortunately, is still the focal point of discussions about wireless security today. It is true that tremendous effort has been expended to watch for, and root out, rogue APs in the enterprise, whether they are malicious or inadvertently plugged into the wired network by a well-intentioned employee. And this is still an important security activity. However, malicious attackers are always finding new ways to circumvent even the strongest defenses built around rogue AP detection. While companies focus their security efforts on locking down and monitoring corporate APs, attackers are now directly targeting the enterprise’s most ubiquitous and most vulnerable assets: client devices. Using new wireless client attack tools and techniques, outsiders can harvest login and password data, or send traffic directly to an end user, without ever touching the approved enterprise wired network. As a matter of fact, new trends in wireless functionality actually open tunnels into the network: a client that is associated to the corporate WLAN while also acting as a soft AP bridges outside traffic in, and from the wired side that traffic appears to come from an authorized client and looks completely authentic. Unfortunately, wired security systems do little to protect against this over-the-air malicious traffic.
Airborne traffic requires the same level of continuous monitoring and analysis as wire-bound traffic, so that IT managers can detect criminal activity that may expose corporate data or users. It’s no wonder attackers are turning their attention to client devices, exploiting them from corporate parking lots, airports and other hotspots. They’re compromising both managed corporate devices and unmanaged smartphones, as well as unmanaged business associate devices. And yes, they can attack Mac OS as well as Windows devices.
The fact is that rogue AP detection is trivial compared to managing client-side wireless exposures, and the client threat has become far more dangerous. Rogue APs are easy to find because there are few of them and they are relatively static. Client vulnerabilities and exploits, on the other hand, are much harder to detect, because finding them requires stateful monitoring and analysis of the traffic in the air, and far more threatening, because there are so many more targets. Malicious hackers now have a vast number of devices to aim at (with tools such as KARMA, MDK3 and SkyJack): Wi-Fi-enabled laptops in the office, at home and on the road; Wi-Fi-enabled smartphones, typically privately owned and unmanaged, increasingly used as important work tools; and partner, vendor, contractor and service provider laptops, also Wi-Fi enabled. All of these devices are coming onto the corporate network by the minute, but they are not under the corporate security umbrella.
Attackers’ ability to gain access to wireless clients is largely a product of the way these wireless connections work. Wireless technology is designed to facilitate fast, easy connectivity in a variety of settings to a broad range of trusted and untrusted APs. A client that probes for the networks it remembers will happily join an AP that answers to that name, which makes those APs easy to spoof. Even worse, virtual Wi-Fi interfaces allow a single radio to operate simultaneously as a legitimate client on the corporate WLAN and as an open access point, creating an unmanaged bridge (or tunnel) to the outside world.
Moreover, this transparent connectivity and seamless virtualization are active trends within the industry; they’re capabilities that vendors throughout the industry are working to expand and enhance every day. This functionality is considered a feature rather than a vulnerability; unfortunately, the feature can be exploited so that an attacker gains access to the corporate network. There are two important points to take from all of this: 1) the majority of Wi-Fi threats occur, and are only detectable, in the air, and 2) the majority of evolving hacks and vulnerabilities revolve around end-user client devices, not enterprise APs.
As wireless usage becomes pervasive and an integral part of the extended corporate network, it’s time to adopt security policies, procedures and technologies that can meet the challenges of this dynamic environment. Rogue AP detection is simply not enough anymore, as it assumes that you can ‘see’ the unauthorized device. Unfortunately, the vast majority of new Wi-Fi threats occur in the air and focus on spoofing, hijacking or tunneling through authorized client devices. And these client devices are literally everywhere in the enterprise; with the proliferation of new devices, the volume is growing every day. Add in the trend toward virtualization, where potential holes are being baked right into chips, adapters and operating systems, and client-side security quickly becomes a losing game: it requires you to know about and control every single device. Miss one device and the game could be over. The only way to effectively avoid this trap is to adopt the same approach that is used in the wired world: look at the network traffic itself. And just as in the wired world, detecting anomalous and illicit wireless traffic, including attempts against client devices, devices simultaneously in the station and AP roles, and compromised or spoofed devices, requires stateful, continuous traffic monitoring and analysis.
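To make the “stateful monitoring in the air” point concrete, here is a small detector written for this article as an added illustration; it is not AirMagnet code or any product’s detection logic. It consumes a stream of already-parsed 802.11 management frames (constructed sample records, not a real capture; a real sensor would decode them from monitor-mode captures) and keeps just enough state to flag the two client-side behaviours described above: a KARMA-style AP that answers probe requests for whatever SSID a client asks about, and an authorized station that is also beaconing as a soft AP. The MAC addresses, SSIDs and the alert threshold are assumed values chosen for the example.

```python
"""Stateful over-the-air detector (constructed illustration, not product code).

Alerts raised:
  karma_ap      one BSSID answering probe requests for many unrelated SSIDs
  client_bridge a station associated to an authorized AP that is also beaconing
                as an AP, i.e. a client bridging the WLAN to the outside
"""
from collections import defaultdict

# Assumed tuning value: distinct SSIDs one BSSID may answer for before alerting.
KARMA_SSID_THRESHOLD = 3


class AirMonitor:
    """Tracks probe responses, associations and beacons per MAC address."""

    def __init__(self, authorized_bssids, karma_threshold=KARMA_SSID_THRESHOLD):
        self.authorized = set(authorized_bssids)
        self.karma_threshold = karma_threshold
        self.answered_ssids = defaultdict(set)  # BSSID -> SSIDs it sent probe responses for
        self.associated = {}                    # station MAC -> authorized BSSID it joined
        self.beaconing = set()                  # MACs seen as the BSSID of a beacon
        self.alerts = []
        self._raised = set()                    # (kind, mac) pairs already reported

    def process(self, frame):
        kind = frame["type"]
        if kind == "probe_resp":
            ssids = self.answered_ssids[frame["bssid"]]
            ssids.add(frame["ssid"])
            # A real AP answers for the SSIDs it serves; answering for every
            # SSID that clients ask about is the KARMA signature.
            if len(ssids) >= self.karma_threshold:
                self._alert("karma_ap", frame["bssid"],
                            "answered probes for " + ", ".join(sorted(ssids)))
        elif kind == "assoc_req":
            # A production sensor would confirm with the association response
            # status code; here the request alone records the station as joined.
            if frame["bssid"] in self.authorized:
                self.associated[frame["src"]] = frame["bssid"]
                self._check_bridge(frame["src"])
        elif kind == "disassoc":
            self.associated.pop(frame["src"], None)
        elif kind == "beacon":
            self.beaconing.add(frame["bssid"])
            self._check_bridge(frame["bssid"])

    def _check_bridge(self, mac):
        # The same radio is an authorized station and an AP at once: a path
        # from the outside into the corporate WLAN that the wire never sees.
        if mac in self.associated and mac in self.beaconing:
            self._alert("client_bridge", mac,
                        f"associated to {self.associated[mac]} while beaconing as an AP")

    def _alert(self, kind, mac, detail):
        if (kind, mac) not in self._raised:
            self._raised.add((kind, mac))
            self.alerts.append({"kind": kind, "mac": mac, "detail": detail})


def run(frames, authorized_bssids):
    """Feed every frame through one monitor and return the alerts it raised."""
    mon = AirMonitor(authorized_bssids)
    for frame in frames:
        mon.process(frame)
    return mon.alerts


# Constructed addresses for the sample, not real devices.
CORP_AP = "00:11:22:33:44:01"   # authorized corporate AP
EVIL_AP = "de:ad:be:ef:00:01"   # KARMA-style AP in the parking lot
LAPTOP = "aa:bb:cc:00:00:10"    # corporate laptop
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [  # constructed frame records, not a real capture
    {"type": "probe_req",  "src": LAPTOP, "bssid": BCAST, "ssid": "CorpNet"},
    {"type": "probe_resp", "src": CORP_AP, "bssid": CORP_AP, "ssid": "CorpNet"},
    {"type": "assoc_req",  "src": LAPTOP, "bssid": CORP_AP, "ssid": "CorpNet"},
    # Other stations probe for networks they remember; the evil AP answers all of them.
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:11", "bssid": BCAST, "ssid": "HomeWifi"},
    {"type": "probe_resp", "src": EVIL_AP, "bssid": EVIL_AP, "ssid": "HomeWifi"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:12", "bssid": BCAST, "ssid": "AirportFree"},
    {"type": "probe_resp", "src": EVIL_AP, "bssid": EVIL_AP, "ssid": "AirportFree"},
    {"type": "probe_req",  "src": LAPTOP, "bssid": BCAST, "ssid": "HotelGuest"},
    {"type": "probe_resp", "src": EVIL_AP, "bssid": EVIL_AP, "ssid": "HotelGuest"},
    # The associated laptop starts a soft AP on the same radio.
    {"type": "beacon",     "src": LAPTOP, "bssid": LAPTOP, "ssid": "laptop-hotspot"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_FRAMES, {CORP_AP}):
        print(f"{alert['kind']:<13} {alert['mac']}  {alert['detail']}")
```

Neither alert is visible from the wired side: the KARMA AP never touches the corporate network, and the laptop’s traffic arrives on the wire from an authorized, associated client. Both are only detectable because the monitor remembers which SSIDs each BSSID has answered for and which stations are currently associated, which is the stateful analysis the article argues for. The corporate AP, which answers only for the SSID it serves, is not flagged, and a disassociation clears the bridge condition.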
But keep in mind that existing wired traffic monitoring is not enough: by the time the attacker has reached the network through a client, the connection looks legitimate. Rogue AP detection alone is not enough either, because these attacks avoid the legitimate APs and target client devices instead. The only way to do this wireless traffic monitoring efficiently in an enterprise environment is to deploy a wireless intrusion prevention system (WIPS), which is unique among wireless security tools in its ability to observe all traffic in the air and track its state over time. Wireless client devices are not going away, and it will always be a challenge to keep them off the network, whether you establish corporate policies or not. If you’re looking to keep your corporate network secure, make sure you monitor your airspace so you can maintain a healthy, secure and connected enterprise network.