![Page 1: AirTight Networks WIPS at Wireless Field Day 6 WFD6](https://reader033.vdocuments.site/reader033/viewer/2022042714/5564681ed8b42ae57c8b4875/html5/thumbnails/1.jpg)
© 2014 AirTight Networks, Inc. All rights reserved.
AirTight WIPS (@AirTight)
#WFD6, Jan 29, 2014
Part 1: WIPS Product Demo, Rick Farina (@RickLikesWIPS)
Part 2: Technology Deep Dive, Hemant Chaskar (@CHemantC)
AirTight WIPS
§ Overlay WIPS or WIPS as part of AirTight APs
§ Best in the industry
§ Customer base of 1500+ enterprises including large/Fortune companies, Government & DoD
§ Extensive patent portfolio
WIPS Basics
§ WIPS addresses threat vectors orthogonal to WPA2
§ Offers protection for both
- Wired network (e.g. rogue APs), and
- Wireless clients/connections (e.g. Evil Twin)
§ Requires scanning all channels (not just managed AP channels)
- Dedicated & background scanning radios
WPA2 and WIPS
(Diagram slide; the only legible label is "BYOD")
Traditional Approach
§ User defined rules for classifying devices as managed, neighbor, rogue
§ Signature matching on packet fields to detect attack tools
§ Packet statistics based anomaly detection
§ Lots of alerts
§ Manual intervention driven reactive workflow
User Defined Rules Are No Match For The Wireless Environment
§ Requires cumbersome configuration of rules
§ Can’t keep up with dynamic wireless environment
User Defined Rules Are More Nuisance Than Help
§ Device alerts, false alarms, manual intervention to act on alerts
§ Fear of automatic prevention
Signature Matching On Packets Is False Alarm Prone
§ Not all attack tools have signatures
§ Signature fields in tools are modifiable
§ Signatures lag attack tools
§ Result: the signature matching approach creates abundant false positives and false negatives
Does anyone still think that (SSID) signatures are a good idea?
Packet Anomaly Detection On Unknown Thresholds
§ Inaccurate stats based on partial observation
- Scanning sensor
- RSSI limitations
§ It doesn't help to offer threshold comparators when users don't know the right thresholds
- The right threshold catches real threats while avoiding false alarms
Changing the Status Quo
(Diagram: Traditional Approach vs. AirTight Approach, with the "WIPS Compass")
Traditional vs AirTight
Traditional approach:
§ Overhead of user defined rules for device categorization
§ Signatures & threshold anomaly detection
§ Constant manual intervention
§ Alert flood
§ Fear of automatic prevention
AirTight approach:
§ Out of box auto-classification into intrinsic categories
§ Proactive blocking of risky connections
§ Highly automated
§ Concise alerts
§ Reliable automatic prevention
AP Auto-classification into Foundation Categories
§ No user configured rules (SSID, OUI, RSSI, …)
§ Runs 24x7
All APs visible:
- Managed APs (static part): Authorized APs
- Unmanaged APs (dynamic part): External APs, Rogue APs
Marker Packets™ for Connectivity Detection
§ No reliance on managed switch infrastructure (CAM tables)
§ Prompt detection with localized operation, for any network size
§ No false negatives: no “suspects” in the neighbor category (unlike wired/wireless MAC correlation)
§ No false positives: no “legal disclaimers” needed when automatically containing real rogues
(Diagram: two AirTight devices)
Client Auto-classification
Newly discovered Client: Uncategorized
Connects to secure Authorized AP: Authorized Client
Connects to External AP: External Client
Connects to Rogue AP: Rogue Client
Additional ways to auto-classify Clients:
- Integration APIs with leading WLAN controllers to fetch the Authorized Clients list
- Import MAC addresses of Authorized Clients from a file
AirTight WIPS Security Policy
DETECT AND BLOCK RED PATHS!
(Policy matrix: AP Classification on one axis (Authorized APs, Rogue APs (On Network), Neighborhood APs) against Client Classification on the other (Authorized Clients, Rogue Clients, Neighborhood Clients); cell labels: GO, STOP, IGNORE, Policy, Block Mis-config, Detect DoS)
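The client auto-classification rules from the previous slide and the detect-and-block-red-paths policy above, as an added Python example (not AirTight code). The AP and client category names are the ones on the slides; the stickiness of a client's category once assigned, the handling of an authorized AP that is not securely configured, and the full nine-cell policy table are assumptions filled in from the legible labels (GO, STOP, IGNORE, Block Mis-config). The AP BSSIDs, client MACs and association sequence are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# AP foundation categories named on the slides.
AP_AUTHORIZED, AP_EXTERNAL, AP_ROGUE = "authorized", "external", "rogue"
# Client categories named on the slides.
CL_UNCATEGORIZED, CL_AUTHORIZED, CL_EXTERNAL, CL_ROGUE = (
    "uncategorized", "authorized", "external", "rogue")
# Category a client inherits from the first classified AP it joins.
_INHERIT = {AP_AUTHORIZED: CL_AUTHORIZED, AP_EXTERNAL: CL_EXTERNAL, AP_ROGUE: CL_ROGUE}

GO, STOP, IGNORE = "GO", "STOP", "IGNORE"


@dataclass
class ClientClassifier:
    """Derives client categories from AP categories and observed associations."""
    ap_class: Dict[str, str]                                    # BSSID -> AP category
    client_class: Dict[str, str] = field(default_factory=dict)  # client MAC -> category

    def import_authorized(self, macs: Iterable[str]) -> None:
        """MACs fetched from a WLAN controller or imported from a file are authorized outright."""
        for mac in macs:
            self.client_class[mac.lower()] = CL_AUTHORIZED

    def discover(self, mac: str) -> str:
        """A client seen for the first time starts out uncategorized."""
        return self.client_class.setdefault(mac.lower(), CL_UNCATEGORIZED)

    def observe_association(self, mac: str, bssid: str, ap_secure: bool = True) -> str:
        """Record that `mac` associated to `bssid`; return the client's category.

        Assumptions: a category, once assigned, is sticky, so only an
        uncategorized client is classified here; and joining an authorized AP
        only confers 'authorized' when that AP is securely configured (the slide
        says "secure Authorized AP"), otherwise the client stays uncategorized.
        """
        mac, bssid = mac.lower(), bssid.lower()
        current = self.discover(mac)
        ap_cat = self.ap_class.get(bssid)
        if current != CL_UNCATEGORIZED or ap_cat is None:
            return current
        if ap_cat == AP_AUTHORIZED and not ap_secure:
            return current
        self.client_class[mac] = _INHERIT[ap_cat]
        return self.client_class[mac]


def policy_decision(client_cat: str, ap_cat: str, ap_misconfigured: bool = False) -> str:
    """Detect-and-block-red-paths policy. Assumed table derived from the slide's
    labels: the authorized-to-authorized path is GO (but 'Block Mis-config'),
    neighbor-to-neighbor is IGNORE, and every other path is STOP."""
    if ap_cat == AP_ROGUE or client_cat == CL_ROGUE:
        return STOP            # rogue AP on the wire, or a client that has used one
    if client_cat == CL_AUTHORIZED and ap_cat == AP_AUTHORIZED:
        return STOP if ap_misconfigured else GO
    if client_cat in (CL_EXTERNAL, CL_UNCATEGORIZED) and ap_cat == AP_EXTERNAL:
        return IGNORE          # neighbors talking to neighbors
    return STOP                # authorized client on a neighbor AP, or a stranger on ours


def evaluate(classifier: ClientClassifier,
             observations: Iterable[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Classify each (client MAC, BSSID, ap_secure) association and apply the policy.
    An authorized AP that is not securely configured is treated as misconfigured."""
    results = []
    for mac, bssid, ap_secure in observations:
        client_cat = classifier.observe_association(mac, bssid, ap_secure)
        ap_cat = classifier.ap_class[bssid.lower()]
        misconfigured = ap_cat == AP_AUTHORIZED and not ap_secure
        results.append((mac.lower(), client_cat,
                        policy_decision(client_cat, ap_cat, misconfigured)))
    return results


# Constructed sample data: three APs already auto-classified, and a sequence of associations.
SAMPLE_APS = {
    "00:11:22:00:00:01": AP_AUTHORIZED,
    "00:11:22:00:00:02": AP_EXTERNAL,
    "00:11:22:00:00:03": AP_ROGUE,
}
SAMPLE_OBSERVATIONS = [
    ("aa:bb:cc:00:00:01", "00:11:22:00:00:01", True),   # joins secure authorized AP
    ("aa:bb:cc:00:00:02", "00:11:22:00:00:02", True),   # joins neighbor AP
    ("aa:bb:cc:00:00:03", "00:11:22:00:00:03", True),   # joins rogue AP on our wire
    ("aa:bb:cc:00:00:01", "00:11:22:00:00:02", True),   # authorized client strays to neighbor AP
    ("aa:bb:cc:00:00:04", "00:11:22:00:00:01", False),  # unknown client on an open authorized AP
    ("aa:bb:cc:00:00:10", "00:11:22:00:00:01", True),   # client from the imported list
]


def demo() -> List[Tuple[str, str, str]]:
    classifier = ClientClassifier(dict(SAMPLE_APS))
    classifier.import_authorized(["AA:BB:CC:00:00:10"])
    return evaluate(classifier, SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for mac, category, decision in demo():
        print(f"{mac}  {category:<13} {decision}")
```

The point of the sample sequence is the fourth and fifth rows: an authorized client that strays onto a neighbor AP is stopped even though that AP is harmless on its own, and an unknown client on an authorized AP that has lost its secure configuration is stopped rather than being promoted to authorized.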
Reliable Prevention
§ One size doesn't fit all
- There are many permutations & combinations of connection type and Wi-Fi interface hardware/software
§ Bag of tricks for comprehensive prevention
- Deauth, timed deauth, client chasing, ARP manipulation, cell splitting, wireless side, wired side
Accurate Location Tracking
§ Stochastic triangulation: a maximum likelihood estimation based technique
§ No need for RF site survey
§ No search squads to locate Wi-Fi devices
§ 15 ft accuracy in most environments
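The maximum likelihood idea behind the location tracking bullets above, as an added Python example (not AirTight's implementation). It assumes a log-distance path-loss model with hypothetical parameters (P0_DBM, PATH_LOSS_N, SIGMA_DB), four sensors at the corners of a constructed 60 ft by 40 ft floor, and constructed RSSI readings. Rather than intersecting distance circles, which noisy readings never quite satisfy, it scores every candidate position by how likely the observed RSSI values are and keeps the best one.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]
Reading = Tuple[Point, float]   # (sensor position in ft, observed RSSI in dBm)

# Assumed log-distance path-loss model (hypothetical, not a calibrated AirTight model):
#   rssi(d) = P0 - 10 * n * log10(d), with d in feet and clamped at 1 ft.
P0_DBM = -30.0       # assumed RSSI one foot from the transmitter
PATH_LOSS_N = 2.5    # assumed indoor path-loss exponent
SIGMA_DB = 4.0       # assumed std dev of shadowing/measurement noise, dB


def expected_rssi(sensor: Point, point: Point) -> float:
    """Model RSSI a sensor would see from a device at `point`."""
    d = max(math.dist(sensor, point), 1.0)
    return P0_DBM - 10.0 * PATH_LOSS_N * math.log10(d)


def log_likelihood(point: Point, readings: Sequence[Reading]) -> float:
    """Log-likelihood of the readings if the device sits at `point`,
    assuming independent Gaussian noise on each sensor's RSSI."""
    return -sum((rssi - expected_rssi(sensor, point)) ** 2
                for sensor, rssi in readings) / (2.0 * SIGMA_DB ** 2)


def locate(readings: Sequence[Reading], xmax: float, ymax: float,
           step: float = 1.0) -> Point:
    """Maximum-likelihood position: exhaustive grid search over the floor plan."""
    if len(readings) < 3:
        raise ValueError("need at least three sensors for an unambiguous fix")
    best_point: Point = (0.0, 0.0)
    best_ll = -math.inf
    nx, ny = int(xmax / step) + 1, int(ymax / step) + 1
    for i in range(nx):
        for j in range(ny):
            p = (i * step, j * step)
            ll = log_likelihood(p, readings)
            if ll > best_ll:
                best_point, best_ll = p, ll
    return best_point


# Constructed scenario: four sensors at the corners of a 60 ft x 40 ft floor.
SENSORS: List[Point] = [(0.0, 0.0), (60.0, 0.0), (0.0, 40.0), (60.0, 40.0)]
TRUE_POSITION: Point = (23.0, 17.0)


def synth_readings(true_pos: Point, noise_db: Sequence[float]) -> List[Reading]:
    """Constructed RSSI readings: model value plus a fixed per-sensor offset in dB."""
    return [(s, expected_rssi(s, true_pos) + n) for s, n in zip(SENSORS, noise_db)]


def demo() -> Tuple[Point, Point]:
    """Estimate the constructed device position from clean and from perturbed readings."""
    clean = locate(synth_readings(TRUE_POSITION, [0.0, 0.0, 0.0, 0.0]), 60.0, 40.0)
    noisy = locate(synth_readings(TRUE_POSITION, [1.0, -1.0, 0.5, -0.5]), 60.0, 40.0)
    return clean, noisy


if __name__ == "__main__":
    clean, noisy = demo()
    print("true:", TRUE_POSITION, "noise-free estimate:", clean, "noisy estimate:", noisy)
```

With the perturbed readings no single point satisfies all four distances, so a geometric intersection has no solution; the likelihood maximum still lands within a few feet of the true position. A real deployment would replace the fixed path-loss constants with per-site calibration and a finer or adaptive grid.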
Why AirTight WIPS?
Automatic Device Classification
Reliable Threat Prevention
Accurate Location Tracking
Detailed Compliance Reporting
Ease of Operation & Lowest TCO
Cloud Managed or Onsite