wireless security for pci compliance - airheads...

CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved Wireless Security for PCI Compliance Aruba AIRHEADS, Mar 2011

Upload: lamkien

Post on 04-Feb-2018


Page 1: Wireless Security for PCI Compliance - Airheads …community.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/101/… · Wireless Security for PCI Compliance Aruba AIRHEADS, Mar


Wireless Security for PCI Compliance

Aruba AIRHEADS, Mar 2011


Agenda

- PCI DSS 2.0
  - Why the need for PCI DSS
  - What’s new with PCI DSS v2.0
- WLAN Threat Landscape
  - Rogue Management
  - Client Protection
  - Intrusion prevention
- Mitigation Strategies
  - No Wireless in your network
  - No Wireless in Cardholder Data Environment (CDE)
  - Wireless in Cardholder Data Environment
- Aruba Solution
  - Integrated WIPS Approach
  - User, Device and Application aware Policy Enforcement


Wireless Threat Evolution

[Figure: x-axis "Time line", 2000 to 2010; y-axis "Threat Sophistication". Labeled events: WPA2-AES Hole 196; WPA-TKIP Cracked; Tablets Invade Network; PSK Brute force : 400K/sec; TJX Wireless Hack; Aircrack - PTW; WEP Crack; LEAP Cracked; BackTrack Toolkit]

Wireless Security is a journey not a destination


Who is Getting Hacked?

285 MILLION Records were Compromised in 2008

Source: 2010 Verizon Data Breach Report

Internal Access Control is key


What is the cost of Compliance

Cost of Compliance = $16 / record

- Firewall separation
- Data Encryption
- Intrusion prevention
- Audit Logging
- Security audits

Cost of Breach = $300 / record

- Scope analysis
- Cleanup/Recovery
- Client notifications
- Lawsuits
- Regulatory Fines
- Brand recovery

Source : Gartner

Partial steps can help mitigate probability of hack

- Key question for CIO – How much is enough


PCI Security Standards Council

> 510 million records stolen since 2005 - Privacyrights.org


Evolution of PCI DSS Standard

Jan 2005: PCI v1.0

- 12 Major requirements
- Defined process
- Enforced by card brands

Jan 2007: PCI v1.1

- Updates and clarifications
- Added requirements for wireless LAN security

Jan 2009: PCI v1.2

- Process clarifications
- Strict requirements for WLAN security

Jan 2011: PCI 2.0

- Released Oct, 2010
- Impacts 2011 audits

[Timeline labels: TJX Wireless breach; Visa’s Compliance Acceleration Program; Wireless Guidelines Supplement]

Tier 1/2 Merchants need annual audits using QSA, rest use SAQ


PCI Data Security Standard v2.0

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Goal PCI DSS Requirement


PCI DSS v2.0 and Wireless LAN

| Category | Requirement | PCI DSS Section |
|---|---|---|
| No WLAN | Identify Unauthorized Wireless devices Quarterly | 11.1 |
| No WLAN | Implement incident response plan | 12.9 |
| No WLAN in CDE | Install Firewall between WLAN and CDE | 1.2.3 |
| No WLAN in CDE | Restrict access to WLAN devices | 9.1.3 |
| WLAN in CDE | Change Wireless vendor default settings | 2.1.1 |
| WLAN in CDE | Use strong WLAN Encryption (No WEP) | 4.1.1 |
| WLAN in CDE | Install patches against security vulnerabilities | 6.1 |
| WLAN in CDE | Write Audit logs for Wireless devices | 10.5.4 |
| WLAN in CDE | Develop and monitor usage policies for WLAN | 12.3 |


What’s new in PCI DSS v2.0

• No major changes, builds on earlier version

• Focus on Guidance and Clarifications

• Version 1.2 good through 2011

• 3yr ratification cycle going forward

11.1 – Added NAC as a compensating control

https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf


Manage Unauthorized Access

[Diagram labels: Hacker; Store; WAN / LAN; Data Center]

90% breaches go undetected (2010 Verizon data breach report)

- Detect: Scan all Channels, Segments
- Classify: Rogue vs Neighbor
- Mitigate: Wireless or Wired suppression
- Locate: Locate and physically remediate


Station Phishing : On-ramps into network

Phish users into giving up credentials

1. Authorized Device looking for Connection
2. Hacker responds with SSID
3. Authorized Device gets DHCP Address
4. Hacker scans for vulnerabilities, hacks and gains admin rights

[Diagram labels: Hacker; "Is attwireless out there ?"; "Yes, please connect"; "Here is your DHCP"; "Login into your portal"; Credentials; Metasploit Hack; Confidential Data]

Protect Wireless devices from unauthorized connections


Breaking WPA2 Personal

New Attacks Emerging

WPA Pre-Shared Key is Not Very Secure

- Use of Parallel Processing (Graphics Cards & FPGA Accelerators) to Speedup Brute Force PSK Cracking
- WPA TKIP Compromised - Subject to Small Frame Decodes and Slow Injection of Arbitrary Frames

WPA Cracking…

- 2006: 80 Keys/sec
- 2007: 130 Keys/sec
- 2007: 30,000 Keys/sec
- 2008: 100,000 Keys/sec
- 2010: 400,000 Keys/sec

[Chart labels: Cowpatty; Pyrit; Hardware Crackers]

http://www.techradar.com/news/internet/amazon-cloud-helps-wi-fi-hack-920221

Avoid PSK – It’s still a static shared key


WPA2-PSK stealing via WKV http://www.youtube.com/watch?v=F8SoKrJoA5M

Run FakeAP using airbase-ng

DNSPoison to redirect to captive portal

Fake page to trigger download of exe

Metasploit reverse_tcp loads payload

executes wkv.exe and grabs output

Here is the PSK Key !!!!


Hacking Password Hashes

Target LEAP and PEAP

MiTM using tinyPEAP

Rainbow tables (indexed lists)

– Indexed lookup for password hashes

– Tables exist for passwords of up to 14 chars http://rainbowtables.shmoo.com/

Avoid password based Authentication

- use 2-factor schemes : Certs, Tokens, machine auth


TKIP Cracking Aug 2009

• Who is Impacted
  – WPA/WPA2 using TKIP Encryption
  – Regardless of PSK or 802.1x/EAP authentication

• Impact
  – Attacker can decrypt packets
  – Does not require WMM unlike Beck-Tews TKIP attack
  – Crack temporal key in 60secs

• How is it done
  – MiTM Attack augmentation to Beck-Tews
  – TKIP ChopChop ICV attack

• Detection/Mitigation
  – WIPS solutions can detect Replay Injection attacks
  – Transition to AES Encryption

TKIP was a stop gap, Migrate to AES/CCMP

http://airheads.arubanetworks.com/article/tkip-vulnerabilities


WPA2 Hole 196 Attack Jul 2010

• Who is Impacted
  – All WPA/WPA2 deployments
  – Attacker has to be an Authenticated User

• Impact
  – Attacker can inject Multicast/Broadcast Data Packets
  – Attacker can create DoS effect on wired/Wireless

• How is it done
  – MiTM Attack through ARP Spoofing
  – GTK common key exploitation

• Detection/Mitigation
  – Client Isolation
  – WIPS system detects MAC Spoofing
  – Wireless Firewall to drop certain type of Multicasts coming from Clients

http://airheads.arubanetworks.com/article/aruba-analysis-hole-196-wpa2-attack

Vulnerability assessment is a key component of security


Mitigation Strategies


Step 1 - Secure the Environment

• Know what’s on your network: Wired or Wireless

• Wireless extends the network in an uncontrolled manner

• Continuously monitor and protect your devices

• PCI requires at least quarterly scans for wireless devices

Physically secure devices

• Restrict access to network ports

• Lock down devices, ensure they contain no sensitive data

• Prevent tampering with devices

• When using wireless, monitor and protect

Allow only Authorized Devices


Protect the Air

Secure your L2 Perimeter against threats/attacks

[Diagram labels: Hotel; Home]

Create L2 Virtual Fence (Wireless IPS)

Protect Remote devices


Tackling Requirement 11.1

Multiple Options

[Diagram labels: Rogue Devices; Accidental Connections; WEP; Policy Violations]

- Wireless IDS: Sensor at every site, Server in Data Center (LAN/WAN)
- Handheld Analyzer: Walk-around every site, once a quarter
- NAC: Authenticate every wired connection before it is allowed


Unauthorized Device Management

Process: Scan Network; Correlate Scanning Results; Classify Threats; Alert and Report; Contain

Classes: Suspect Rogue; Neighbor; Valid; Rogue

• Wired-wireless correlation

• Wireline “fingerprint” scans

• Wireless scans using AP/AM

• Router & switch polling

• Laptop client

• Rule based Classification

Hybrid Integrated monitoring for Intrusions

Aruba Best Practice
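
The classification step above (Valid, Neighbor, Suspect Rogue, Rogue) driven by wired-wireless correlation, as an added example; it is not Aruba's code and not part of the original slides. The rules, the MAC-adjacency window, the RSSI threshold and every MAC address and SSID in the sample data are assumptions constructed for illustration.

```python
"""Rule-based AP classification by wired/wireless correlation (illustrative)."""
from dataclasses import dataclass

WEAK_ENCRYPTION = {"open", "wep"}  # requirement 4.1.1 on this page: no WEP


@dataclass(frozen=True)
class ObservedAP:
    bssid: str       # radio MAC heard by an AP/AM scan
    ssid: str
    encryption: str  # "open", "wep", "wpa-tkip" or "wpa2-aes"
    rssi_dbm: int    # strongest signal reported by any sensor


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def on_wire(bssid, wired_macs, window=2):
    """MAC adjacency: an AP's Ethernet MAC is often within a few addresses
    of its BSSID, so a near match in the switch tables ties the radio to a
    port on our own LAN. The window of 2 is an assumed tuning value."""
    target = mac_to_int(bssid)
    return any(abs(target - mac_to_int(m)) <= window for m in wired_macs)


def classify(ap, authorized, corporate_ssids, wired_macs, near_dbm=-60):
    """Return (label, reasons); label is one of the four classes on the slide."""
    reasons = []
    if ap.bssid.lower() in authorized:
        # Known AP: still report policy violations such as WEP.
        if ap.encryption in WEAK_ENCRYPTION:
            reasons.append("policy violation: %s on an authorized AP" % ap.encryption)
        return "valid", reasons
    if on_wire(ap.bssid, wired_macs):
        # Unknown radio that is plugged into our network: confirmed rogue.
        return "rogue", ["unauthorized radio correlated with a wired switch port"]
    if ap.ssid in corporate_ssids:
        reasons.append("unknown BSSID advertising a corporate SSID")
    if ap.rssi_dbm >= near_dbm:
        reasons.append("unknown AP with signal strength typical of an on-site device")
    # No wired correlation: suspicious if any rule fired, otherwise a neighbor.
    return ("suspect-rogue" if reasons else "neighbor"), reasons


# Constructed sample data (locally administered MACs, not real devices).
AUTHORIZED = {"02:00:5e:10:00:01", "02:00:5e:10:00:02"}  # AP inventory (1.1.2)
CORPORATE_SSIDS = {"Store"}
WIRED_MACS = {"02:00:5e:20:00:10", "02:00:5e:99:ab:40"}  # from switch polling
SCAN = [
    ObservedAP("02:00:5e:10:00:01", "Store", "wpa2-aes", -48),
    ObservedAP("02:00:5e:10:00:02", "Store", "wep", -52),
    ObservedAP("02:00:5e:99:ab:41", "linksys", "open", -55),
    ObservedAP("02:00:5e:77:00:09", "Store", "open", -70),
    ObservedAP("02:00:5e:55:00:03", "CoffeeShop", "wpa2-aes", -82),
]


def classify_scan(scan=SCAN):
    """Classify every AP in one scan pass, keyed by BSSID."""
    return {ap.bssid: classify(ap, AUTHORIZED, CORPORATE_SSIDS, WIRED_MACS)
            for ap in scan}


if __name__ == "__main__":
    for bssid, (label, reasons) in classify_scan().items():
        print(f"{bssid}  {label:<13} {'; '.join(reasons)}")
```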


Step 2 - Protect the Data

Strongly authenticate devices

• Know your wireless clients

• Prevent bogus clients from getting online

• Machine Authentication

Strongly authenticate users

• Devices should be unusable for business without a valid user

• Use 802.1x where possible

Encrypt all wireless traffic

• 802.11i – AES

• Rotate PTK often

• Make sure the data between the AP and controller is secure


Requirement 4.1.1: Authenticate & Encrypt

• Use strong encryption (802.11i) for WLAN

• Starting Jun 2010, CDE can’t use WEP

• Replace, upgrade Hardware

• WEP Cloaking, protection no longer valid

WEP

Option 1: Replace Every WEP Device

- Replace all legacy hardware in use
- Upgrade new hardware in use

Option 2: Make Every WEP Device Out-of-Scope

- Data Center Stateful-Firewall sits between WEP devices & CDE
- Firewall Blacklists Unauthorized Users & Intruders


Machine Authentication

• Machine authentication performed before user authentication

• If the device cannot be authenticated, Infrastructure denies access

• Ideal for protecting against weak passwords or to prevent non-corporate devices from accessing the network

• Caveat : May not work for all types of machines

Ensures Only Authorized Devices Can Be Used to Access Network

[Diagram labels: Corporate Laptop; Personal Laptop; RADIUS; Domain Controller; PASS; FAIL; Same Username and Password]


Authenticate Devices – 802.1x everywhere

Prevent unauthorized device or Man in the Middle attacks

• Attacker cannot unplug PoS and insert proxy without detection

• Utilize Aruba S3500 for wired ports

Help maintain device inventory

• Detect who is accessing the network, and when, via AirWave User Tracking

Prevent wireless device mis-configuration or mis-association

• AirMonitors can prevent authorized device mis-association.

Devices must have a logged-in user to access the CDE (DSS 7.2)

• Use a dynamic firewall like Aruba PEF to put authenticated devices outside the CDE until a user logs in


Strongly Encrypt Data

Encrypt ALL Wireless Traffic

Use WPA2 Enterprise with AES where possible

• TKIP has at least one known vulnerability that could expose data

• There are no known key vulnerabilities when using AES-CCMP

If that is not feasible, use PSK

• Make passphrase at least 14 characters from the full set of printable ASCII

• Change the key regularly

• Isolate traffic via PEF firewall, or VLAN

Encrypt Across Unsecured Wired Links

Option 1 – Aruba’s centralized encryption maintains AES back to central controller

Option 2 – Use a VPN or Aruba’s RAP to encrypt data

802.1x/AES, End-to-end Client to Controller encryption

Aruba Best Practice
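
An added example, not from the original slides, that audits a candidate WPA2 passphrase against the PSK guidance above and estimates exhaustive-search time at the 400,000 keys/sec rate quoted on the "Breaking WPA2 Personal" slide. The function names and sample passphrases are assumptions made for this sketch; the key derivation itself is the standard WPA2-Personal one.

```python
"""WPA2-PSK passphrase audit against the guidance on this slide (illustrative)."""
import hashlib
import string

MIN_LENGTH = 14          # "at least 14 characters" from the slide
PRINTABLE_ASCII = 95     # characters 0x20..0x7e
RATE_2010 = 400_000      # keys/sec, the 2010 figure quoted earlier in the deck
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output. Every device that knows the passphrase
    derives this same key, which is why a PSK is a static shared secret."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def alphabet_size(passphrase):
    """Size of the character pool the passphrase visibly draws from."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in pools if any(c in chars for c in passphrase))


def years_to_exhaust(length, alphabet, keys_per_sec=RATE_2010):
    """Upper bound for a randomly chosen passphrase. Dictionary words and
    patterns fall far sooner, so treat the result as a best case."""
    return alphabet ** length / keys_per_sec / SECONDS_PER_YEAR


def audit_passphrase(passphrase):
    """Return a list of findings; an empty list means the guidance is met."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("WPA2 passphrases must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        findings.append("contains characters outside printable ASCII")
    if len(passphrase) < MIN_LENGTH:
        findings.append("shorter than 14 characters")
    if alphabet_size(passphrase) < PRINTABLE_ASCII:
        findings.append("does not draw on the full printable ASCII set")
    return findings


if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    for candidate in ("storewifi", "Tr0ub4dor&3 zebra!"):
        size = alphabet_size(candidate)
        years = years_to_exhaust(len(candidate), size)
        print(f"{candidate!r}: pool={size}, "
              f"best-case exhaust={years:.3g} years, "
              f"findings={audit_passphrase(candidate)}")
    # The SSID is the salt: the same passphrase under a different SSID
    # yields a different key, so a unique SSID defeats precomputed tables.
    print(derive_pmk("password", "IEEE").hex())
```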


Step 3 - Securely Segment the Network

Minimize user access to CDE

Restrict the CDE to a small set of resources

• Use physical separation where possible

• Use firewalls everywhere else

• Keep CDE traffic encrypted as much as possible

• Keep firewalls close to decryption points

• Role-based access is best

• Ensure terminated users lose network access

• 802.1x authenticated user info should be available to the firewall


Requirement 1.2.3: Firewall For WLAN

• Wireless LAN must be segmented with a Firewall

• Firewall must do “stateful” inspection

• Firewall must deny all traffic from wireless LAN
  – Unless required for business purposes

[Diagram labels: Cardholder Data Environment; Wireless LAN; External Sources]


Physical Segmentation

No shared wires – VLANs are not sufficient

• VLAN tagging does not prevent a tap from capturing data

• VLAN tags can be spoofed

• If CDE traffic must cross untrusted segments make it strongly encrypted

No shared switches or routers without built-in firewalls

• Overloaded switches can be fooled into mishandling traffic

• Routing protocols can be spoofed

No shared APs

• Unless the AP has a built-in firewall

• Make sure CDE SSID and non-CDE SSID traffic remains separated physically or by a firewall at all times

Policy Enforcement Firewall in every data path

Aruba Best Practice


Aruba’s Solution approach

• Use strong Authentication and Encryption schemes

• Protect WLAN for vulnerabilities and Intrusions

• Centralized Policy definition, end-to-end enforcement

• Role based access to network resources

• User, Device and Application aware infrastructure

• Cost effective solution


Mobile Device Access Control (MDAC)

Legacy Access

- Port and VLAN Aware
  ⊗ Limited policy enforcement
  ⊗ Hard to scale at large sites
  ⊗ Too costly to manage

Next-Gen Access

- User Aware
  - Role based access
  - Per user visibility
  - Easy to scale
- Device Aware
  - Device enrollment
  - Per device policies
  - Device inventory
- App Aware
  - Per application QoS
  - Stateful QoS for UC
  - Supports high density


Role-Based Security Architecture

[Diagram labels: Virtual AP 1 SSID: Store; Virtual AP 2 SSID: GUEST; SSID-Based Access Control; Role-Based Access Control; Access Rights; mPOS; Data; Voice; Signage; Guest; AAA FastConnect; Captive Portal; RADIUS; LDAP; AD; Corporate Services; DMZ; Secure Tunnel To DMZ]

Assign appropriate role to user/device – Isolate and Protect

Aruba Best Practice


Aruba Solutions for PCI v2.0 compliance

Category 1: No WLAN

Requirements:
- 11.1: Wireless Scanning/NAC

Aruba solution:
- APs for scanning only
- AirWave to log/report

Category 2: No CDE over WLAN

Requirements:
- 1.1.2: Inventory WLAN
- 1.2.3: Firewall WLAN
- 9.1.3: Physical Security
- 11.1: Wireless Scanning/NAC

Aruba solution:
- APs in hybrid mode
- Built-in Firewall segments WLAN
- AirWave to log/report

Category 3: CDE over WLAN

Requirements:
- 2.1.1: Don’t Use Defaults
- 2.2: Standard Config
- 4.1.1: Better Than WEP
- 6.1: Get latest patches
- 7.2: Role-based Access
- 10: Monitor Access
- 1.1.2: Inventory WLAN
- 1.2.3: Firewall WLAN
- 9.1.3: Physical Security
- 11.1: Wireless Scanning/NAC

Aruba solution:
- APs in hybrid mode
- Supplement with AMs
- WPA2 Enterprise
- Built-in Firewall segments WLAN
- AirWave to mitigate rogues, log & report
- S3500 802.1x secured wired ports


Aruba WIPS Architecture

- APs/AMs - 802.11 a/b/g/n scanning
  - TotalWatch and IPS
  - Spectrum Analysis
- Controller - Centralized WIPS Analysis
  - Create custom Signatures
  - Wired/WLAN threat correlation
- Airwave - Central Monitoring, Reporting
  - RF/Threat Visualizations
  - Rule based Analytics


Hybrid Scanning Approach

Higher visibility across Space, Channel, Time

APs - Complete visibility on AP Channels
– APs service and perform IDS concurrently
– Off-Channel opportunistic scanning

AMs - Configurable Off-Channel Scanning
– 4.9GHz, Rogues in-between channels
– 1:5 AMs for finding Rogue devices Off-channels quickly

In-line threat inspection
– No need to escalate packets to IDS appliance

Ability to perform deep packet inspection
– Over the air approach cannot decrypt packets

Threats are detected much faster compared to sensor-only approach

Reference : NetworkTest Wireless Pen Test study


TotalWatch Intelligent Scanning

Complete Coverage

– 2.4-GHz and 5-GHz scanning

– 4.9-GHz public safety band

5-MHz increment scanning

– Rogue detection in-between channels

Adjust Scanning Dwell times

– Channel with Traffic : 500ms

– Channel in Regulatory Domain : 250ms

– Channel outside Regulatory Domain : 100ms

[Diagram labels: 2.4 GHz; 4.9 GHz; 5.0 GHz]

Maximize visibility across entire spectrum


Aruba Integrated WIPS

Detect over 14 different types of Rogue devices
– MAC adjacency, Fingerprinting, Traffic correlation, SSID/RSSI, OUI

Detect Reconnaissance tools
– NetStumbler, DStumbler, Wellenreiter, etc.

Detect malicious and innocuous intrusions
– Man-in-the-middle attacks
– HoneyPot attacks
– Denial of service (DoS) attacks
– MAC Spoofing
– Encryption breaches
– Ad hoc network formations
– Wireless Bridging Detection

Protect against Intrusions
– Deauths, Tarpit, Blacklisting clients, Wired port suppression

React to new attack patterns in real-time
– Programmable signatures as new attacks emerge

Wizard based WIPS policy Setup


Integrated Spectrum Analysis

RF Interference in ISM Bands
– Microwaves, Bluetooth, DECT headsets etc.

High Duty Cycles = No WLAN bandwidth
– packets get corrupted, retries eat airtime

Interference aware RF Management
– APs get moved to uncongested channels

Integrated using existing AP chipsets
– Reduce cost of ownership

Integrated GUI
– 14 Views
– Classifies 12 different classes of interferers

Detect Malicious non-Wi-Fi devices

[Screenshot labels: High Duty Cycle; High Noise Floor; Culprit – Wireless Video camera]


RAPIDS – Integrated Threat Management

• Rule based Rogue detection and escalation

• Wired correlation for Rogue AP detection

• Integrated IDS Event Management

[Screenshot labels: Define Rules; Create Triggers; Escalate Events]


VisualRF – Locate Rogue devices

Drill down Folders

Visualize Rogue Location


Compliance Reporting

Define Reports

Schedule Reports

View Reports


Q & A