airheads vail 2011 pci 2.0 compliance
CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved
Wireless Security for PCI Compliance
Aruba AIRHEADS, Mar 2011
Agenda
- PCI DSS 2.0
  - Why the need for PCI DSS
  - What's new with PCI DSS v2.0
- WLAN Threat Landscape
  - Rogue Management
  - Client Protection
  - Intrusion prevention
- Mitigation Strategies
  - No Wireless in your network
  - No Wireless in Cardholder Data Environment (CDE)
  - Wireless in Cardholder Data Environment
- Aruba Solution
  - Integrated WIPS Approach
  - User, Device and Application aware Policy Enforcement
Wireless Threat Evolution
Timeline, 2000 to 2010 (threat sophistication rising over time):
- WEP Crack
- LEAP Cracked
- BackTrack Toolkit
- Aircrack - PTW
- TJX Wireless Hack
- PSK Brute force: 400K/sec
- Tablets Invade Network
- WPA-TKIP Cracked
- WPA2-AES Hole 196
Wireless Security is a journey, not a destination.
Who is Getting Hacked?
285 million records were compromised in 2008 (source: 2010 Verizon Data Breach Report).
Internal access control is key.
What is the cost of Compliance?
Cost of Compliance:
- Firewall separation
- Data Encryption
- Intrusion prevention
- Audit Logging
- Security audits
= $16 / record
Partial steps can help reduce the probability of a hack.
- Key question for the CIO: how much is enough?
Cost of Breach:
- Scope analysis
- Cleanup/Recovery
- Client notifications
- Lawsuits
- Regulatory Fines
- Brand recovery
= $300 / record
Source: Gartner
PCI Security Standards Council
More than 510 million records stolen since 2005 (source: Privacyrights.org)
Evolution of PCI DSS Standard
Jan 2005: PCI v1.0
- 12 Major requirements
- Defined process
- Enforced by card brands
Jan 2007: PCI v1.1
- Updates and clarifications
- Added requirements for wireless LAN security
(Timeline events between releases: TJX Wireless breach; Visa's Compliance Acceleration Program; Wireless Guidelines Supplement)
Jan 2009: PCI v1.2
- Process clarifications
- Strict requirements for WLAN security
Jan 2011: PCI 2.0
- Released Oct 2010
- Impacts 2011 audits
Tier 1/2 Merchants need annual audits using a QSA; the rest use the SAQ.
PCI Data Security Standard v2.0
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
PCI DSS v2.0 and Wireless LAN

Category         Requirement                                          PCI DSS Section
No WLAN          Identify Unauthorized Wireless devices Quarterly     11.1
                 Implement incident response plan                     12.9
No WLAN in CDE   Install Firewall between WLAN and CDE                1.2.3
                 Restrict access to WLAN devices                      9.1.3
WLAN in CDE      Change Wireless vendor default settings              2.1.1
                 Use strong WLAN Encryption (No WEP)                  4.1.1
                 Install patches against security vulnerabilities     6.1
                 Write Audit logs for Wireless devices                10.5.4
                 Develop and monitor usage policies for WLAN          12.3
What's new in PCI DSS v2.0
• No major changes, builds on earlier version
• Focus on Guidance and Clarifications
• Version 1.2 good through 2011
• 3yr ratification cycle going forward
• 11.1 – Added NAC as a compensating control
https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf
Manage Unauthorized Access
(Diagram: Hacker, WAN/LAN, Store, Data Center, with blocked paths marked X)
90% of breaches go undetected (2010 Verizon data breach report)
- Detect: Scan all Channels, Segments
- Classify: Rogue vs Neighbor
- Mitigate: Wireless or Wired suppression
- Locate: Locate and physically remediate
Station Phishing: On-ramps into network
Phish users into giving up credentials.
(Diagram sequence between an authorized device and the hacker:)
1. Authorized device looking for a connection: "Is attwireless out there?"
2. Hacker responds with the SSID: "Yes, please connect"
3. Authorized device gets a DHCP address: "Here is your DHCP"; "Login into your portal" (credentials captured)
4. Hacker scans for vulnerabilities, hacks and gains admin rights (Metasploit hack); confidential data exposed
Protect wireless devices from unauthorized connections.
Breaking WPA2 Personal
WPA cracking rates over time:
- 2006: 80 Keys/sec
- 2007: 130 Keys/sec
- 2007: 30,000 Keys/sec
- 2008: 100,000 Keys/sec
- 2010: 400,000 Keys/sec
Tools: Cowpatty, Pyrit, hardware crackers
New Attacks Emerging: WPA Pre-Shared Key is Not Very Secure
- Use of Parallel Processing (Graphics Cards & FPGA Accelerators) to speed up brute-force PSK cracking
- WPA TKIP compromised: subject to small frame decodes and slow injection of arbitrary frames
http://www.techradar.com/news/internet/amazon-cloud-helps-wi-fi-hack-920221
Avoid PSK – it's still a static shared key.
WPA2-PSK stealing via WKV (demo: http://www.youtube.com/watch?v=F8SoKrJoA5M)
1. Run FakeAP using airbase-ng
2. DNS poison to redirect to captive portal
3. Fake page to trigger download of exe
4. Metasploit reverse_tcp loads payload
5. Executes wkv.exe and grabs output
"Here is the PSK Key!!!!"
Hacking Password Hashes
- Target LEAP and PEAP
- MiTM using tinyPEAP
- Rainbow tables (indexed lists): indexed lookup for password hashes; tables exist for passwords of up to 14 characters (http://rainbowtables.shmoo.com/)
Avoid password-based authentication:
- Use 2-factor schemes: certs, tokens, machine auth
TKIP Cracking (Aug 2009)
• Who is Impacted – WPA/WPA2 using TKIP Encryption
  – Regardless of PSK or 802.1x/EAP authentication
• Impact – Attacker can decrypt packets
  – Does not require WMM, unlike the Beck-Tews TKIP attack
  – Cracks the temporal key in 60 seconds
• How is it done – MiTM attack augmentation to Beck-Tews
  – TKIP ChopChop ICV attack
• Detection/Mitigation – WIPS solutions can detect replay injection attacks
  – Transition to AES Encryption
TKIP was a stop gap; migrate to AES/CCMP.
http://airheads.arubanetworks.com/article/tkip-vulnerabilities
WPA2 Hole 196 Attack (Jul 2010)
• Who is Impacted – All WPA/WPA2 deployments
  – Attacker has to be an authenticated user
• Impact – Attacker can inject Multicast/Broadcast data packets
  – Attacker can create a DoS effect on wired/wireless
• How is it done – MiTM attack through ARP spoofing
  – GTK common key exploitation
• Detection/Mitigation – Client isolation
  – WIPS system detects MAC spoofing
  – Wireless firewall to drop certain types of multicasts coming from clients
http://airheads.arubanetworks.com/article/aruba-analysis-hole-196-wpa2-attack
Vulnerability assessment is a key component of security.
Mitigation Strategies
Step 1 - Secure the Environment
Allow only authorized devices
• Know what's on your network: wired or wireless
• Wireless extends the network in an uncontrolled manner
• Continuously monitor and protect your devices
• PCI requires at least quarterly scans for wireless devices
Physically secure devices
• Restrict access to network ports
• Lock down devices, ensure they contain no sensitive data
• Prevent tampering with devices
• When using wireless, monitor and protect
Protect the Air
- Secure your L2 perimeter against threats/attacks
- Create an L2 Virtual Fence (Wireless IPS)
- Protect remote devices (home, hotel)
Tackling Requirement 11.1: Multiple Options
Threats to cover: Rogue devices, Accidental connections, WEP, Policy violations
- Wireless IDS: Sensor at every site (LAN/WAN), Server in Data Center
- Handheld Analyzer: Walk around every site, once a quarter
- NAC: Authenticate every wired connection before it is allowed
Unauthorized Device Management
Process: Scan Network -> Correlate Scanning Results -> Classify Threats -> Alert and Report -> Contain
Classification outcomes: Rogue, Suspect Rogue, Neighbor, Valid
Scanning and correlation inputs:
• Wired-wireless correlation
• Wireline "fingerprint" scans
• Wireless scans using AP/AM
• Router & switch polling
• Laptop client
• Rule based Classification
Aruba Best Practice: Hybrid integrated monitoring for intrusions
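As an added example (not code from the deck or from Aruba's RAPIDS), the rule-based classification described above run over constructed scan data: the managed BSSIDs, corporate SSIDs, wired MAC table, MAC-adjacency window and RSSI threshold are all assumed values.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

@dataclass
class Observation:
    bssid: str  # BSSID heard over the air by a scanning AP/AM
    ssid: str
    rssi: int   # dBm at the scanning radio

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def wired_adjacent(bssid: str, wired_macs: Iterable[str], window: int = 8) -> bool:
    """MAC adjacency rule: an AP's BSSIDs normally sit within a small offset of
    the MAC its wired port shows on the switch. The window is a constructed value."""
    b = _mac_int(bssid)
    return any(abs(b - _mac_int(m)) <= window for m in wired_macs)

def classify(obs: Observation, managed: Set[str], wired_macs: Set[str],
             corporate_ssids: Set[str], strong_rssi: int = -50) -> str:
    """Return one of the deck's four outcomes: Valid, Rogue, Suspect Rogue, Neighbor."""
    if obs.bssid.lower() in managed:
        return "Valid"            # one of our own APs
    if wired_adjacent(obs.bssid, wired_macs):
        return "Rogue"            # unmanaged AP on our wire: contain it
    if obs.ssid in corporate_ssids:
        return "Suspect Rogue"    # advertises our SSID: honeypot or mis-configured AP
    if obs.rssi >= strong_rssi:
        return "Suspect Rogue"    # loud and unknown: probably on premises, go locate it
    return "Neighbor"             # off-site AP: monitor only

def classify_all(scan: List[Observation], managed: Set[str], wired_macs: Set[str],
                 corporate_ssids: Set[str]) -> Dict[str, str]:
    return {o.bssid: classify(o, managed, wired_macs, corporate_ssids) for o in scan}

# Constructed inventory and scan results (not real devices).
MANAGED_BSSIDS = {"00:0b:86:aa:bb:c0"}
CORPORATE_SSIDS = {"Store", "GUEST"}
WIRED_MACS = {"00:1a:2b:3c:4d:5e", "00:0b:86:aa:bb:b0"}  # from switch polling
SCAN = [
    Observation("00:0b:86:aa:bb:c0", "Store", -40),
    Observation("00:1a:2b:3c:4d:61", "linksys", -55),    # 3 above a wired MAC
    Observation("00:26:5a:11:22:33", "Store", -60),      # our SSID, not our AP
    Observation("00:26:5a:44:55:66", "CoffeeShop", -82),
    Observation("00:26:5a:77:88:99", "FreeWifi", -35),
]

if __name__ == "__main__":
    for bssid, verdict in classify_all(SCAN, MANAGED_BSSIDS, WIRED_MACS, CORPORATE_SSIDS).items():
        print(f"{bssid}  {verdict}")
```

A "Rogue" verdict is the only one that warrants automatic containment (wired port suppression); the two "Suspect Rogue" cases need locating and a human decision first.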
Step 2 - Protect the Data
Strongly authenticate devices
• Know your wireless clients
• Prevent bogus clients from getting online
• Machine Authentication
Strongly authenticate users
• Devices should be unusable for business without a valid user
• Use 802.1x where possible
Encrypt all wireless traffic
• 802.11i – AES
• Rotate PTK often
• Make sure the data between the AP and controller is secure
Requirement 4.1.1: Authenticate & Encrypt
• Use strong encryption (802.11i) for WLAN
• Starting Jun 2010, CDE can't use WEP
• Replace, upgrade hardware
• WEP cloaking: protection no longer valid
WEP remediation options:
Option 1 – Replace Every WEP Device
- Replace all legacy hardware in use
- Upgrade new hardware in use
Option 2 – Make Every WEP Device Out-of-Scope
- Data center stateful firewall sits between WEP devices & CDE
- Firewall blacklists unauthorized users & intruders
Machine Authentication
• Machine authentication performed before user authentication
• If the device cannot be authenticated, the infrastructure denies access
• Ideal for protecting against weak passwords or to prevent non-corporate devices from accessing the network
• Caveat: may not work for all types of machines
Ensures only authorized devices can be used to access the network.
(Diagram: a corporate laptop and a personal laptop present the same username and password to RADIUS / Domain Controller; the corporate laptop passes, the personal laptop fails.)
Authenticate Devices – 802.1x everywhere
• Attacker cannot unplug a PoS and insert a proxy without detection
• Utilize Aruba S3500 for wired ports
  -> Prevent unauthorized device or Man in the Middle attacks
• Detect who is accessing the network, and when, via AirWave User Tracking
  -> Help maintain device inventory
• AirMonitors can prevent authorized device mis-association
  -> Prevent wireless device mis-configuration or mis-association
• Use a dynamic firewall like Aruba PEF to put authenticated devices outside the CDE until a user logs in
  -> Devices must have a logged-in user to access the CDE (DSS 7.2)
Encrypt ALL Wireless Traffic
Use WPA2 Enterprise with AES where possible
• TKIP has at least one known vulnerability that could expose data
• There are no known key vulnerabilities when using AES-CCMP
If that is not feasible and PSK must be used:
• Make the passphrase at least 14 characters from the full set of printable ASCII
• Change the key regularly
• Isolate traffic via PEF firewall, or VLAN
Encrypt Across Unsecured Wired Links
• Option 1 – Aruba's centralized encryption maintains AES back to the central controller
• Option 2 – Use a VPN or Aruba's RAP to encrypt data
Aruba Best Practice: Strongly encrypt data – 802.1x/AES, end-to-end client-to-controller encryption
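An added example, not from the deck, serving both the earlier WPA cracking-rate slide and the PSK guidance above: it derives the WPA2-Personal PSK the way 802.11i specifies and sizes a brute-force search at the slide's 400,000 keys/sec, showing why only a long passphrase from the full printable-ASCII set holds up. The "password"/"IEEE" pair is the 802.11i Annex H test vector; the other inputs and the wordlist size are constructed.

```python
import hashlib

PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}  # the 95 characters a WPA passphrase may use
SLIDE_KEY_RATES = {2006: 80, 2007: 30_000, 2008: 100_000, 2010: 400_000}  # keys/sec quoted on the slide
SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits), per 802.11i.
    The 4096 rounds (x2 SHA1 blocks) are what makes each guess cost ~8192 HMACs."""
    if not 8 <= len(passphrase) <= 63 or any(c not in PRINTABLE_ASCII for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32)

def meets_deck_policy(passphrase: str, min_len: int = 14) -> bool:
    """Deck guidance: at least 14 characters drawn from the full printable ASCII set."""
    return len(passphrase) >= min_len and all(c in PRINTABLE_ASCII for c in passphrase)

def brute_force_seconds(length: int, alphabet_size: int, keys_per_sec: int) -> float:
    """Worst-case time to exhaust a random passphrase of this length and alphabet."""
    return alphabet_size ** length / keys_per_sec

def dictionary_seconds(wordlist_size: int, keys_per_sec: int) -> float:
    """A passphrase that is in a wordlist falls in wordlist_size guesses, whatever its length."""
    return wordlist_size / keys_per_sec

if __name__ == "__main__":
    rate = SLIDE_KEY_RATES[2010]
    print("8 lowercase letters :", round(brute_force_seconds(8, 26, rate) / 86400, 1), "days")
    print("14 printable ASCII  :", f"{brute_force_seconds(14, 95, rate) / SECONDS_PER_YEAR:.2e}", "years")
    print("10M-word dictionary :", dictionary_seconds(10_000_000, rate), "seconds")
    print("PSK for 'password'/'IEEE':", derive_psk("password", "IEEE").hex())
```

Note that the SSID is the salt, so a vendor-default or common SSID (which requirement 2.1.1 already tells you to change) lets an attacker reuse precomputed tables across sites.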
Step 3 - Securely Segment the Network
Minimize user access to CDE
Restrict the CDE to a small set of resources
• Use physical separation where possible
• Use firewalls everywhere else
• Keep CDE traffic encrypted as much as possible
• Keep firewalls close to decryption points
• Role-based access is best
• Ensure terminated users lose network access
• 802.1x authenticated user info should be available to the firewall
Requirement 1.2.3: Firewall For WLAN
• Wireless LAN must be segmented with a Firewall
• Firewall must do "stateful" inspection
• Firewall must deny all traffic from wireless LAN – unless required for business purposes
(Diagram: Cardholder Data Environment, Wireless LAN and External Sources separated by the firewall.)
Physical Segmentation
No shared wires – VLANs are not sufficient
• VLAN tagging does not prevent a tap from capturing data
• VLAN tags can be spoofed
• If CDE traffic must cross untrusted segments, make it strongly encrypted
No shared switches or routers without built-in firewalls
• Overloaded switches can be fooled into mishandling traffic
• Routing protocols can be spoofed
No shared APs
• Unless the AP has a built-in firewall
• Make sure CDE SSID and non-CDE SSID traffic remains separated physically or by a firewall at all times
Aruba Best Practice: Policy Enforcement Firewall in every data path
Aruba's Solution approach
• Use strong Authentication and Encryption schemes
• Protect WLAN from vulnerabilities and Intrusions
• Centralized Policy definition, end-to-end enforcement
• Role based access to network resources
• User, Device and Application aware infrastructure
• Cost effective solution
Mobile Device Access Control (MDAC)
Legacy Access – Port and VLAN Aware
⊗ Limited policy enforcement
⊗ Hard to scale at large sites
⊗ Too costly to manage
Next-Gen Access
- User Aware: Role based access, Per user visibility, Easy to scale
- Device Aware: Device enrollment, Per device policies, Device inventory
- App Aware: Per application QoS, Stateful QoS for UC, Supports high density
Role-Based Security Architecture
(Diagram: a store AP with two virtual APs; roles assigned via RADIUS / LDAP / AD.)
- Virtual AP 1, SSID: Store – AAA FastConnect; Role-Based Access Control assigns access rights to the Data, Voice, Signage and mPOS roles for Corporate Services
- Virtual AP 2, SSID: GUEST – Captive Portal; Secure Tunnel To DMZ for Guest traffic
- Alternative shown: SSID-Based Access Control (separate SSIDs for mPOS, Data, Voice, Signage, Guest)
Aruba Best Practice: Assign the appropriate role to each user/device – Isolate and Protect
Aruba Solutions for PCI v2.0 compliance
Category 1: No WLAN
- 11.1: Wireless Scanning/NAC
- APs for scanning only
- AirWave to log/report
Category 2: No CDE over WLAN
- 1.1.2: Inventory WLAN
- 1.2.3: Firewall WLAN
- 9.1.3: Physical Security
- 11.1: Wireless Scanning/NAC
- APs in hybrid mode
- Built-in Firewall segments WLAN
- AirWave to log/report
Category 3: CDE over WLAN
- 1.1.2: Inventory WLAN
- 1.2.3: Firewall WLAN
- 9.1.3: Physical Security
- 11.1: Wireless Scanning/NAC
- 2.1.1: Don't Use Defaults
- 2.2: Standard Config
- 4.1.1: Better Than WEP
- 6.1: Get latest patches
- 7.2: Role-based Access
- 10: Monitor Access
- APs in hybrid mode
- Supplement with AMs
- WPA2 Enterprise
- Built-in Firewall segments WLAN
- AirWave to mitigate rogues, log & report
- S3500 802.1x secured wired ports
Aruba WIPS Architecture
- APs/AMs
  - 802.11 a/b/g/n scanning
  - TotalWatch and IPS
  - Spectrum Analysis
- Controller
  - Centralized WIPS Analysis
  - Create custom Signatures
  - Wired/WLAN threat correlation
- AirWave
  - Central Monitoring, Reporting
  - RF/Threat Visualizations
  - Rule based Analytics
Hybrid Scanning Approach: higher visibility across Space, Channel, Time
- APs – Complete visibility on AP channels; APs serve clients and perform IDS concurrently
  – Off-channel opportunistic scanning
- AMs – Configurable off-channel scanning; 4.9GHz, rogues in between channels
  – 1:5 AMs for finding rogue devices off-channel quickly
- In-line threat inspection – No need to escalate packets to an IDS appliance
- Ability to perform deep packet inspection – An over-the-air-only approach cannot decrypt packets
- Threats are detected much faster compared to a sensor-only approach
Reference: NetworkTest Wireless Pen Test study
TotalWatch Intelligent Scanning
Complete Coverage
– 2.4-GHz and 5-GHz scanning
– 4.9-GHz public safety band
5-MHz increment scanning
– Rogue detection in between channels
Adjust scanning dwell times
– Channel with traffic: 500ms
– Channel in regulatory domain: 250ms
– Channel outside regulatory domain: 100ms
Maximize visibility across the entire spectrum (2.4 GHz, 4.9 GHz, 5.0 GHz)
Aruba Integrated WIPS
- Detect over 14 different types of rogue devices – MAC adjacency, fingerprinting, traffic correlation, SSID/RSSI, OUI
- Detect reconnaissance tools – NetStumbler, DStumbler, Wellenreiter, etc.
- Detect malicious and innocuous intrusions – Man-in-the-middle attacks, HoneyPot attacks, Denial of service (DoS) attacks, MAC spoofing, encryption breaches, ad hoc network formations, wireless bridging detection
- Protect against intrusions – Deauths, Tarpit, blacklisting clients, wired port suppression
- React to new attack patterns in real time – Programmable signatures as new attacks emerge
Wizard-based WIPS policy setup
Integrated Spectrum Analysis
- RF interference in ISM bands – Microwaves, Bluetooth, DECT headsets, etc.
- High duty cycles = no WLAN bandwidth – packets get corrupted, retries eat airtime
- Interference-aware RF management – APs get moved to uncongested channels
- Integrated using existing AP chipsets – Reduces cost of ownership
- Integrated GUI – 14 views – Classifies 12 different classes of interferers
- Detect malicious non-Wi-Fi devices (screenshot example: high duty cycle and high noise floor; culprit – wireless video camera)
RAPIDS – Integrated Threat Management
• Rule based Rogue detection and escalation
• Wired correlation for Rogue AP detection
• Integrated IDS Event Management
Workflow: Define Rules -> Create Triggers -> Escalate Events
VisualRF – Locate Rogue devices
Drill down through folders to visualize the rogue's location.
Compliance Reporting
Define Reports -> Schedule Reports -> View Reports
Q & A