Traditionally, when we talked about wireless security in the enterprise, we talked about embedded Centrino Wi-Fi, Linksys rogue APs, open source DoS tools, and compliance requirements (PCI, DoD, HIPAA). While these topics remain important today, the coming proliferation of smart mobile devices is the new frontier that enterprise wireless security must address. The inundation of smart mobile devices will create new monitoring requirements that have not been discussed so far. These requirements will amount to a "stress test" for the WIPS, and only the best of breed will hold up. The new monitoring requirements will be many and varied, ranging from unauthorized BYOD to heightened rogue AP risk; in this post I want to discuss some interesting and unique scenarios (numerous soft mobile hotspots, Nintendo chat blocking, wireless geo-fencing) that I have already encountered this year while working with customers.
Soft mobile hotspots in hundreds and thousands:
If a GoogleWiFi hotspot in the neighborhood of your office bothered you as a network or security administrator because your employees could connect to it to bypass your Internet access policies, then soon there will be hundreds or thousands of GoogleWiFi's on your premises. These are the iPhones and Androids carried by your employees, which have a mobile hotspot feature built in. They can act as Wi-Fi access points and backhaul traffic directly into the 3G/4G network, bypassing your enterprise firewall controls. To deal with them, your security system will need the following capabilities:
- The WIPS now needs to support mobile hotspot detection on multiple platforms. Earlier it was mostly Windows 7 laptops, which included the first consumer grade virtual AP capability. Now Apple iOS and Android also provide this capability, and in the future Windows 7.5 and Blackberry will have it too.
- The WIPS infrastructure will need the capacity to handle many simultaneous policy violations. This is simply a matter of numbers: an order of magnitude increase in the triggers that cause policy violations means a similar increase in the actual policy violations on a day to day basis.
Zero day scenarios requiring fast, automated response:
As Wi-Fi gets embedded in a wide variety of gadgets, new and unique monitoring requirements will keep emerging. I recently worked with an account that had such a requirement: a rehabilitation and correctional facility that wanted the WIPS to block Nintendo chat. Nintendo devices support a chat application over Wi-Fi, with proprietary modifications and optimizations to the 802.11 protocol to provide instant chatting. When I first examined it, this was almost a "zero day" policy enforcement requirement, because I realized that Nintendo chat is not a standard 802.11 ad hoc network. Also, the chat consists of just short bursts of packets, so a quick blocking response was necessary (quite different from traditional connection blocking measures such as "ping loss"). We put the AirTight SpectraGuard Enterprise WIPS up for this stress test; see the accompanying video to see for yourself how it fared. While this may not be a mainstream or relevant monitoring requirement in many networks, it points to the real possibility that hitherto unknown ("zero day") monitoring requirements will emerge in the future. To be future proof against zero day scenarios, the security system will need strong foundations on the following fronts:
- Strong behavioral analysis logic, since signatures and thresholds cannot keep up with evolving monitoring scenarios.
- Fast response time to threats, to tackle new and optimized attack and policy violation triggers.
Wi-Fi geo-fencing:
Empowered by Wi-Fi in tablets and smart phones, people connect to networks from anywhere and everywhere. This presents a challenge for location based wireless policy enforcement. Earlier, it was as easy as turning off wireless on the machines that permanently resided in no-wireless areas. Now smart mobile devices come in and go out. Recently, I worked with a couple of customers intending to implement what they called "Wi-Fi geo fencing" (I like the term!). At its most basic, it means enforcing different Wi-Fi policies on the same wireless client depending on where the client is located. For example, in one room the client is allowed to connect to the guest AP, but the room next door may have a strict no-Wi-Fi policy. So as the client moves from the first room to the second, its Wi-Fi communication needs to be blocked; but when it returns to the first room, it should again be able to communicate over Wi-Fi. There are more scenarios like this, depending on the exact application. Faced with this application, I came to appreciate some unique strengths the security system needs to exhibit to support such scenarios:
- A strong foundation for auto-location tagging of devices, and the ability to quickly detect a change of location, are necessary to determine the governing policy at any instant.
- Rich options for location based policy enforcement -- in terms of device auto-classification and automatic prevention -- are required to fine tune the Wi-Fi behavior enforced at each location.
- Finally, thorough predictive RF planning complemented with some on-site surveys can help tighten the location zone boundaries.
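To make the geo-fencing logic concrete, here is a small policy engine written for this post as an added illustration; it is not code from the post or from the AirTight product. It models a hypothetical zone policy table, per-client location fixes, and a confirmation count so that a device sitting on a zone boundary does not flap between allow and block on every fix; the zone names, SSIDs and MAC address are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical zone policy (constructed): zone -> SSIDs a client may use there.
# An empty set is a strict no-Wi-Fi zone; an unlisted zone is denied as well.
ZONE_POLICY = {
    "lobby": {"Guest"},  # first room: guest AP allowed
    "lab": set(),        # room next door: no Wi-Fi at all
}

@dataclass
class ClientState:
    zone: Optional[str] = None       # last confirmed zone, None until located
    candidate: Optional[str] = None  # zone reported by the most recent fixes
    streak: int = 0                  # consecutive fixes in the candidate zone

class GeoFence:
    """Turn per-client location fixes into allow/block/monitor decisions.
    A client moves to a new zone only after `confirm` consecutive fixes there,
    so a device sitting on a zone boundary does not flip policy on every fix."""

    def __init__(self, policy, confirm=2):
        self.policy = policy
        self.confirm = confirm
        self.clients = defaultdict(ClientState)

    def observe(self, mac, zone, ssid):
        c = self.clients[mac]  # record one location fix, return the action
        if zone == c.candidate:
            c.streak += 1
        else:
            c.candidate, c.streak = zone, 1
        if c.streak >= self.confirm:
            c.zone = zone  # change of location confirmed: policy switches now
        return self.decide(c.zone, ssid)

    def decide(self, zone, ssid):
        if zone is None:
            return "monitor"  # not yet located: watch, do not enforce
        return "allow" if ssid in self.policy.get(zone, set()) else "block"

# Constructed sample: a phone on "Guest" walks lobby -> lab -> lobby; the lone
# "lab" fix at index 2 is a boundary reading and must not flip the policy.
SAMPLE_FIXES = [("aa:bb:cc:00:00:01", z, "Guest")
                for z in ("lobby", "lobby", "lab", "lab", "lobby", "lobby")]

def run(fixes=SAMPLE_FIXES, confirm=2):
    gf = GeoFence(ZONE_POLICY, confirm)
    return [gf.observe(m, z, s) for m, z, s in fixes]
```

Running `run()` on the sample walk yields monitor, allow, allow, block, block, allow: the single boundary fix is absorbed, and the policy switches only once the new location is confirmed.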
The above scenarios are just some examples pointing to the fact that wireless monitoring scenarios will continue to evolve and change, particularly driven by the commoditization of Wi-Fi and the proliferation of smart mobile devices. If the WIPS you choose today has solid foundations for detection, prevention and location, you can be future proof against the new requirements that will crop up in your own network setting. With these foundations in place you can be secure today, and also tomorrow!