Wireless Enterprise Wireless Firewall
January 9, 2009
Account Manager Messaging
Business Problem
• Wireless networks are exposing enterprises to a different set of threats
  • Wireless networks can be exploited from outside the premises by attackers; the radio signal does not stop at the building wall
  • Wireless traffic is not inspected by traditional firewalls
  • Physical security is a significant deterrent for a wired network, not for a wireless one
• Traditional wireless firewalls do not provide complete protection
  • They do not inspect all traffic, leaving the door open to lower-level (Layer 2) wireless threats
  • They require significant redesign of the network
  • The recent partial compromise of WPA (the November 2008 Beck-Tews attack on TKIP, which lets an attacker inject a small number of packets toward clients on QoS-enabled networks without recovering the key) makes protection against lower-level wireless threats more critical
• PCI DSS 1.2 compliance
  • Requires clean separation between wireless and wired traffic (Requirement 1.2.3: perimeter firewalls between any wireless network and the cardholder data environment), often lacking in current firewalls
Wireless Firewall Solution
• Stateful firewall for wireless threats
  • Inspects all wireless traffic (Layer 2-7)
  • Provides the clean separation between wireless and wired traffic required for PCI DSS 1.2 compliance
• Security at the edge
  • Offers protection across the distributed deployment
• Identity- and location-based access control
  • Adds a new dimension to policy enforcement
• Unmatched protection in the industry
  • Unprecedented protection in conjunction with Wireless IPS
• Easy operations
  • Easy to deploy and manage with minimal architecture impact
  • Central management integrated into RFMS
Wireless Enterprise: Technology Vision
Dependent (Centralized) • Challenges • Scalability for 11n • Resilient mesh support • Security at the edge
Independent (Standalone) • Challenges • Limited mobility • Difficult to manage • Limited security
Adaptive (Distributed) • Best of both worlds and more… • Performance/scalability for 11n • Resilient • Eliminates the central choke point • VoIP and video reliability • Secure
Problems with Existing Firewall Deployments
• Traditionally, firewalls are deployed to protect corporate network resources from threats originating over the Internet
• Most firewalls are designed to operate at the IP layer (Layer 3) and above
• Most firewalls require significant changes to the network topology to offer basic firewall protection
• 802.11 wireless traffic is switched at the MAC layer (Layer 2), below the IP layer, so frames between two wireless clients on the same subnet are bridged without ever reaching a Layer 3 firewall
• Most firewalls therefore do not offer adequate protection to legitimate wireless users against other clients on the same wireless network
[Diagram: Internet-facing firewall at Corporate HQ; Corp WAN links to Branch 1 and Branch 2, each with its own wireless switch]
Problem: the firewall is not deployed where it could prevent attacks originating from the wireless network
[Diagram: store wireless switch behind a firewall that inspects at the IP layer only]
Problem: the firewall does not inspect bridged MAC-layer (Layer 2) traffic
[Diagram: store wireless switch; a valid wireless user sits on the unprotected side of the firewall]
Problem: the firewall offers inadequate protection to valid wireless users
Solution – Wireless Firewall
• Stateful Layer 2-7 traffic inspection
• Clean separation between wired and wireless traffic
• Wireless firewall protects legitimate wireless users at the edge
• Defends against Layer 2 attacks such as ARP poisoning and source-address (IP/MAC) spoofing
• Enables identity- and location-based security policy enforcement
• Reduced hassle: no network redesign, plus integrated management
Wireless Firewall Application: DHCP Enforcement
[Diagram: campus LAN with a wireless switch running the L2 firewall. DHCP snooping table entry: MAC 44:45:53:54:42:00, IP 172.10.1.100, lease obtained 10/01/08 2:30:47 PM, lease expires 10/02/08 3:30:47 PM. One client obtains 172.10.1.100 via DHCPRequest/assignment; a second client is configured with static IP 172.10.1.100]
• Benefits • Enforces DHCP policies and prevents IP conflicts as wireless clients are added (the statically configured client has no snooping binding, so its traffic is not forwarded)
Wireless Firewall Application: ARP Cache Protection
[Diagram: campus LAN, default gateway 172.10.1.1 at MAC 42:00:0F:12:EF:0D. A DHCP client assigned 172.10.1.100/24 (default gateway 172.10.1.1) sends an ARP request for the gateway; its ARP cache holds 172.10.1.1 at 42:00:0F:12:EF:0D. A client with static IP 172.10.1.54/24 and MAC 10:00:00:00:10:F0 is on the same segment behind the L2 firewall]
• Benefits • Protection from ARP cache poisoning for wireless clients (as with dynamic ARP inspection on a wired switch, ARP replies whose sender MAC/IP pair does not match the gateway's known binding or a DHCP snooping binding are dropped)
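The DHCP Enforcement and ARP Cache Protection slides describe the same underlying mechanism: a binding table learned from DHCP, used to police the source addresses of every client frame. The following is an added example written for this page, not Motorola/WiNG firewall code. The binding table, the IP source guard and the ARP inspection are modelled on standard wired-switch DHCP snooping and dynamic ARP inspection; the MACs, IPs and lease timestamps are constructed to mirror the two diagrams.

```python
"""Added example (not Motorola/WiNG code): a DHCP-snooping binding table feeding
two Layer 2 checks, IP source guard and ARP inspection. Addresses, MACs and
timestamps are constructed to mirror the DHCP Enforcement and ARP Cache
Protection slides."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def norm_mac(mac: str) -> str:
    return mac.replace(" ", "").lower()


@dataclass
class Binding:
    mac: str
    ip: str
    expires: int          # lease end as epoch seconds (ignored for static entries)
    static: bool = False  # infrastructure entries such as the gateway never expire


class L2Enforcer:
    """Bindings are learned only from DHCPACKs seen on the trusted (server-facing)
    side. Every wireless-client frame is then checked against them."""

    def __init__(self, static_bindings: Dict[str, str]):
        self.by_mac: Dict[str, Binding] = {}
        self.log: List[str] = []
        for mac, ip in static_bindings.items():
            m = norm_mac(mac)
            self.by_mac[m] = Binding(m, ip, expires=0, static=True)

    def _binding_for_ip(self, ip: str, now: int) -> Optional[Binding]:
        for b in self.by_mac.values():
            if b.ip == ip and (b.static or b.expires > now):
                return b
        return None

    def dhcp_ack(self, from_trusted_port: bool, client_mac: str, ip: str,
                 expires: int, now: int) -> bool:
        """Learn (MAC, IP) from a DHCPACK. An ACK arriving from the wireless side
        means a client is running a rogue DHCP server, so it is dropped."""
        client_mac = norm_mac(client_mac)
        if not from_trusted_port:
            self.log.append(f"DROP rogue DHCPACK from {client_mac}")
            return False
        other = self._binding_for_ip(ip, now)
        if other and other.mac != client_mac:
            if other.static:
                self.log.append(f"DROP DHCPACK: {ip} is reserved infrastructure")
                return False
            # the server is authoritative for dynamic leases: replace the stale one
            self.log.append(f"CONFLICT {ip}: {other.mac} superseded by {client_mac}")
            del self.by_mac[other.mac]
        self.by_mac[client_mac] = Binding(client_mac, ip, expires)
        return True

    def check_ip(self, src_mac: str, src_ip: str, now: int) -> Tuple[bool, str]:
        """IP source guard: a data frame may only carry the IP leased to its MAC.
        A client that configured a static address has no binding and is dropped."""
        b = self.by_mac.get(norm_mac(src_mac))
        if b is None:
            return False, "no binding (static address or DHCP never completed)"
        if not b.static and b.expires <= now:
            return False, "lease expired"
        if b.ip != src_ip:
            return False, f"spoofed source {src_ip}, bound to {b.ip}"
        return True, "ok"

    def check_arp(self, sender_mac: str, sender_ip: str, now: int) -> Tuple[bool, str]:
        """ARP inspection: the sender pair in every ARP request/reply must match a
        binding, so a client cannot answer for the gateway's IP with its own MAC."""
        b = self._binding_for_ip(sender_ip, now)
        if b is None:
            return False, f"{sender_ip} not bound to any client"
        if b.mac != norm_mac(sender_mac):
            return False, f"{sender_ip} belongs to {b.mac}, not {sender_mac}"
        return True, "ok"


if __name__ == "__main__":
    fw = L2Enforcer({"42:00:0F:12:EF:0D": "172.10.1.1"})  # gateway, static entry
    fw.dhcp_ack(True, "44:45:53:54:42:00", "172.10.1.100", expires=4600, now=1000)
    print(fw.check_ip("44:45:53:54:42:00", "172.10.1.100", 1000))   # leased client, ok
    print(fw.check_ip("10:00:00:00:10:F0", "172.10.1.100", 1000))   # static client, dropped
    print(fw.check_arp("10:00:00:00:10:F0", "172.10.1.1", 1000))    # gateway impersonation, dropped
    print(fw.log)
```

The trust boundary is the important design point: bindings come only from ACKs on the server-facing side, so a client that runs its own DHCP server, sets a static address, or keeps sending after its lease has expired is rejected by the same table that blocks ARP replies claiming the gateway's IP. On a real switch the equivalent table is keyed per VLAN and pruned on lease expiry or deauthentication; this example passes the clock in explicitly so the expiry path can be exercised deterministically.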
Wireless Firewall Application: Location Based Access Control
[Diagram: floor plan with Front Desk, Conference Room and Cubicles; 802.11n client access points and WIPS/location sensors]
Visitor Outdoors: Group: Public / Device: Any / State: Compliant / Auth: Any / Encp: Any / Location: Outdoors / Policy: Access Denied
Visitor Conf Rm#1: Group: Public / Device: Any / State: Compliant / Auth: Any / Encp: Any / Location: Indoor / Policy: Access Granted
• Advantages • Simplifies guest access provisioning • Protects the wireless medium from unwarranted probes and association requests • Improves security
• Location Based Access Control • AirDefense sensors / location sensors report real-time location to the WiNG switch • Access points report authentication, encryption and device information • The wireless firewall assigns/updates the user role and applies location-based policies
Wireless Firewall Application: Location Based Access Control
[Diagram: floor plan with Front Desk, Conference Room and Cubicles]
Employee Outdoor: Group: Corp / Device: Any / State: Compliant / Auth: Any / Encp: Any / Location: Outdoors / Policy: Remote Access
Employee Indoor: Group: Corp / Device: Any / State: Compliant / Auth: Any / Encp: Any / Location: Indoor / Policy: Intranet Access
• Advantages • Granular location-based access control • Location information can be used for other business applications
• Location Based Access Control • AirDefense sensors / location sensors report real-time location to the WiNG switch • Access points report authentication, encryption and device information • The wireless firewall assigns/updates the user role and applies location-based policies
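The two location slides describe a role assignment that combines identity (group), posture, the AP-reported auth/encryption attributes and the sensor-reported location, and that is re-applied when the location changes. The following is an added example written for this page, not WiNG or RFMS code: a first-match rule engine loaded with the four policies shown on the slides, with a default-deny fallback and a session update path for sensor reports. The `Client` and `Rule` types, the session handling and the MAC addresses are assumptions made for the example.

```python
"""Added example (not WiNG/RFMS code): a first-match role engine that evaluates the
four policies shown on the location slides and re-evaluates a session when the
location sensors report a move. Client records and MACs are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

ANY = "Any"
FIELDS = ("group", "device", "state", "auth", "encp", "location")


@dataclass(frozen=True)
class Client:
    mac: str
    group: str      # identity from 802.1X/RADIUS (Corp) or guest provisioning (Public)
    device: str
    state: str      # posture: Compliant / NonCompliant
    auth: str       # reported by the access point
    encp: str       # reported by the access point
    location: str   # reported by the location sensors: Indoor / Outdoors


@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    device: str
    state: str
    auth: str
    encp: str
    location: str
    policy: str

    def matches(self, c: Client) -> bool:
        # "Any" is a wildcard; every other field must match exactly
        return all(getattr(self, f) in (ANY, getattr(c, f)) for f in FIELDS)


# The four policies from the slides; anything else falls through to the default.
PAGE_RULES: List[Rule] = [
    Rule("Visitor Outdoors",  "Public", ANY, "Compliant", ANY, ANY, "Outdoors", "Access Denied"),
    Rule("Visitor Conf Rm#1", "Public", ANY, "Compliant", ANY, ANY, "Indoor",   "Access Granted"),
    Rule("Employee Outdoor",  "Corp",   ANY, "Compliant", ANY, ANY, "Outdoors", "Remote Access"),
    Rule("Employee Indoor",   "Corp",   ANY, "Compliant", ANY, ANY, "Indoor",   "Intranet Access"),
]


class RoleEngine:
    def __init__(self, rules: List[Rule], default: str = "Access Denied"):
        self.rules = rules
        self.default = default            # default deny: no matching rule, no access
        self.sessions: Dict[str, Client] = {}

    def evaluate(self, c: Client) -> str:
        """First matching rule wins, so order rules from most to least specific."""
        for r in self.rules:
            if r.matches(c):
                return r.policy
        return self.default

    def admit(self, c: Client) -> str:
        """Called at association time once the AP has reported auth/encryption."""
        self.sessions[c.mac] = c
        return self.evaluate(c)

    def location_update(self, mac: str, new_location: str) -> Tuple[str, str]:
        """Sensor report for a known client: returns (old policy, new policy) so the
        caller can tear down flows the new role no longer permits."""
        before = self.sessions[mac]
        after = replace(before, location=new_location)
        self.sessions[mac] = after
        return self.evaluate(before), self.evaluate(after)


if __name__ == "__main__":
    eng = RoleEngine(PAGE_RULES)
    emp = Client("00:11:22:33:44:55", "Corp", "Laptop", "Compliant", "802.1X", "CCMP", "Indoor")
    print(eng.admit(emp))                                    # Intranet Access
    print(eng.location_update(emp.mac, "Outdoors"))          # Intranet Access -> Remote Access
    guest = Client("66:77:88:99:aa:bb", "Public", "Phone", "Compliant", "Open", "None", "Outdoors")
    print(eng.admit(guest))                                  # Access Denied
    print(eng.evaluate(replace(emp, state="NonCompliant")))  # Access Denied (no rule matches)
```

Two points a practitioner should keep in mind when deploying this pattern. First, the engine is default-deny: a non-compliant employee or an unknown location such as a roof matches no rule and gets nothing, which is the safe failure mode when a sensor report is missing or stale. Second, RF-derived location is a coarse estimate and an attacker can influence it by changing transmit power or antenna, so location should narrow what an already authenticated role may reach (as the slides do, with identity supplying the group) and never be the only factor that decides whether a device is trusted.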