Connect802 is a nationwide wireless network equipment reseller providing system design consulting, equipment configuration, and installation services.


CSS Mega Menu Css3Menu.com

 

 

Wireless LAN Security with Rogue Access Point Detection and Active Countermeasures

802.11 Wi-Fi Wireless LAN Intrusion Detection, Rogue Blocking, Security Active Countermeasures, Network Analysis and Packet Capture, Performance and Security Monitoring, Expert System Alerting for Your Wi-Fi WLAN wireless network.

Basic wireless LAN security is provided through Connect EZ Suite Shield encryption and authentication. EZ Suite Guard provides protection against security vulnerabilities with features like rogue access point detection, unauthorized access attempt detection and reporting, and Denial-of-Service (DoS) attacks. EZ Suite Guard takes your wireless LAN beyond simple, consumer-grade security into the commercial, enterprise-class security realm.

Some security features under the Connect EZ Suite Guard umbrella are implemented with software configuration or add-on upgrades to your wireless controllers. For example, adding and configuring the Aruba Networks Wireless Intrusion Prevention (WIP) software module provides advanced intrusion prevention and rogue detection capabilities to the Aruba Mobility Controller's existing security features.

There are features that may require additional hardware. An example of Connect EZ Suite Guard level features and capabilities the require additional hardware would be the deployment of Air Monitors or Sensors. These would be used to constantly scan and monitor the environment for unauthorized user activities, rogue devices or for RF spectrum analysis.

Many manufacturers provide advanced security features by selling a dedicated appliance (like a firewall router or centralized wireless LAN management device). In this case it both software and hardware that's being deployed to implement a Connect EZ Suite Guard feature set.

 

Regulations that Demand the Highest Degree of Connect EZ Suite Guard Features and Capabilities

GLBA
Gramm-Leach-Bliely Act (1999) requires networks used in the finance and banking industry to safeguard customer information. These markets include any organization that is involved with consumer loans, tax return preparation, or that provide financial advice.
HIPAA
The Health Insurance Portability and Accountability Act requires hospitals, doctors, and healthcare industry providers (including insurance companies) to safeguard patient personal or health history information against deliberate or inadvertent misuse or disclosure. HIPAA also affects any employer (including government agencies) that stores, manages, or communicates protected health information.
PCI
In 2004, the Payment Card Industry group was formed and developed the Data Security Standards (DSS) which define how credit card holder and card authentication data must be stored, managed and processed to keep it secure. There are 12 core PCI requirements. Violating any one triggers overall PCI non-compliance which can result in a penalty as high as $500,000 per incident as well as loss of interchange discounts.
SOX
The Sarbanes-Oxley Act Section 404 (effective November, 2004) established requirements for financial data confidentiality. All public companies trading in U.S. securities markets are required to establish comprehensive data protection strategies which must include on-going reporting with full audit trails and controls. SOX also covers intellectual property data security related to potential revenue loss that could result from proprietary information being compromised during an IP data breach.
FERC/NERC
The Federal Energy Regulatory Commission and North American Electric Reliability Corporation are regulating bodies that ensure industry compliance with the Critical Infrastructure Protection (CIP) standards related to the delivery of electricity in North America. Wireless networks are considered a "cyber asset" under FERC/NERC guidelines and must be continuously monitored with a secure "electronic security perimeter." Incidents and security breaches must be documented.
CA 1386
State data privacy laws (like California 1386) have been passed in most states across the country. These laws require compliance related to risk assessment, privacy policies, continuous monitoring of the wireless network, and notification when a security breach creates a "reasonable likelihood" of harm. State laws require wireless network regulatory compliance for organizations that store social security numbers, driver's licence numbers, state identification card numbers or credit/debit card numbers.
FIPS 140-1 The Federal Information Processing Standard 140-1 and 104-2 are U.S. government standards for cryptographic software. FIPS compliance embraces support for IPSec and Layer Two Tunneling Protocol (L2TP) VPNs and the encryption verification for end-to-end data transfer. Any cryptography product sold to the government must be certified. In the wireless realm this specifically applies to encryption algorithms used to implement WPA and WPA2 data encryption, access-point-to-controller tunneling, and VPN capabilities. FIPS standards apply to what the government defines as "sensitive but unclassified" (SBU) data.
 
  • WLAN Network Management, Identification of Security Exposures, and Problem Resolution
  • Distributed monitoring sensors detect problems and threats using expert system analysis
  • Alarms and alerts are reported and email, log, or pager notification is provided
  • Rogue devices can be blocked through active countermeasures
  • Protocol-level behavior can be analyzed for detailed problem isolation and resolution
 

ROGUE AP PREVENTION
• Rogue AP detection, classification, location and automatic containment
DENIAL OF SERVICE (DoS) ATTACK DETECTION
• Management frame floods
• Deauthentication attacks
• Authentication floods
• Probe request floods
• Fake AP floods
• Null probe responses
• EAP handshake floods
PROBING AND NETWORK DISCOVERY
• Detection of NetStumbler and broadcast probes
CLIENT INTRUSION PREVENTION
• Honeypot AP protection
• Valid station protection
NETWORK INTRUSION DETECTION
• Wireless bridges
• ASLEAP attacks
SURVEILLANCE
• Detection of weak encryption implementation
IMPERSONATION DETECTION AND PREVENTION
• MAC address spoofing
• AP impersonations
• Man-in-the-middle attacks
• Sequence number anomaly detection

 
 

Important Considerations For Your Suite Guard Capabilities

The Connect802 sales and engineering team will want to understand your requirements for data encryption and user authentication. The following encryption and authentication questions should be considered.

If you are implementing a Wi-Fi wireless network in K-12 education, hospitals or medical environments, banking and finance,
Do you have regulatory compliance requirements (HIPAA, SOX, FIPS, etc). that make it mandatory that a particular level of security be enforced and monitored to protect data traversing your network?
Are your tech support engineers responsible for troubleshooting at remote sites? If so, the remote packet capture, RF and packet-level performance monitoring, and the alarm/alert features may be as important as the enhanced security itself.