Airheads vail 2011 pci 2.0 compliance

CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved
Wireless Security for PCI Compliance
Aruba AIRHEADS, Mar 2011

- PCI DSS 2.0
- Why the need for PCI DSS
- What’s new with PCI DSS v2.0
- WLAN Threat Landscape
- Rogue Management
- Client Protection
- Intrusion prevention
- Mitigation Strategies
- No Wireless in your network
- No Wireless in Cardholder Data Environment (CDE)
- Wireless in Cardholder Data Environment
- Aruba Solution
- Integrated WIPS Approach
- User, Device and Application aware Policy Enforcement
Agenda

Wireless Threat Evolution
2000 2002 2004 2006 2008 2010
ThreatSophistication
WPA2-AES Hole 196
WPA-TKIP Cracked
Tablets Invade Network
PSK Brute force : 400K/sec
TJX Wireless Hack
Aircrack - PTW
WEP Crack
LEAP Cracked
BackTrack Toolkit
Wireless Security is a journey not a destination
Time line

Who is Getting Hacked?
285 MILLION Records were Compromised in 2008
Source: 2010 Verizon Data Breach Report
Internal Access Control is key

Cost of Compliance
- Firewall separation
- Data Encryption
- Intrusion prevention
- Audit Logging
- Security audits
- = $16 / record
What is the cost of Compliance
Partial steps can help mitigate probability of hack
- Key question for CIO – How much is enough
Cost of Breach
- Scope analysis
- Cleanup/Recovery
- Client notifications
- Lawsuits
- Regulatory Fines
- Brand recovery
- = $300 / record
Source : Gartner

PCI Security Standards Council
> 510 million records stolen since 2005 - Privacyrights.org

Evolution of PCI DSS Standard
Jan 2005: PCI v1.0
- 12 Major requirements
- Defined process
- Enforced by card brands
Jan 2007: PCI v1.1
- Updates and clarifications
- Added requirements for
wireless LAN security
TJX Wireless breach
Visa’s Compliance
Acceleration Program
Wireless Guidelines
Supplement
Jan 2011: PCI 2.0
- Released Oct, 2010
- Impacts 2011 audits
Jan 2009: PCI v1.2
- Process clarifications
- Strict requirements for
WLAN security
Tier 1/2 Merchants need annual audits using QSA, rest use SAQ

PCI Data Security Standard v2.0
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Goal PCI DSS Requirement

Category Requirement PCI DSS
Section
No WLAN
Identify Unauthorized Wireless devices Quarterly 11.1
Implement incident response plan 12.9
No WLAN
in CDE
Install Firewall between WLAN and CDE 1.2.3
Restrict access to WLAN devices 9.1.3
WLAN in CDE
Change Wireless vendor default settings 2.1.1
Use strong WLAN Encryption (No WEP) 4.1.1
Install patches against security vulnerabilities 6.1
Write Audit logs for Wireless devices 10.5.4
Develop and monitor usage policies for WLAN 12.3
PCI DSS v2.0 and Wireless LAN

• No major changes, builds on earlier version
• Focus on Guidance and Clarifications
• Version 1.2 good through 2011
• 3yr ratification cycle going forward
Whats new in PCI DSS v2.0
11.1 – Added NAC as a
compensating control
https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf

Manage Unauthorized Access
X
X
X
Hacker
WAN /
LAN
Store
Data Center
90% breaches go undetected
2010 Verizon data breach report
Detect
Scan all Channels, Segments
Classify
Rogue vs Neighbor
Mitigate
Wireless or Wired suppression
Locate
Locate and physically remediate
X
XX

Phish users into
giving up credentials
Station Phishing : On-ramps into network
Hacker
Authorized Device looking for Connection1
Hacker responds with SSID2
Authorized Device gets DHCP Address3
Hacker scans for vulnerabilities
Hacks and gains admin rights
4
Yes, please connectIs attwireless out there ?
Confidential
Data
Here is your DHCP
Login into your portal
Credentials
Metasploit Hack
Protect Wireless devices from
unauthorized connections

Breaking WPA2 Personal
WPA Cracking…
2006 80 Keys/sec
2007 130 Keys/sec
2007 30,000 Keys/sec
2008 100,000 Keys/sec
New Attacks Emerging
WPA Pre-Shared Key is Not Very Secure
Use of Parallel Processing (Graphics Cards & FPGA Accelerators) to
Speedup Brute Force PSK Cracking
WPA TKIP Compromised - Subject to Small Frame Decodes and Slow
Injection of Arbitrary Frames
http://www.techradar.com/news/internet/amazon-cloud-helps-wi-fi-hack-920221
2010 400,000 Keys/sec
Hardware Crackers
Cowpatty
Avoid PSK – Its still a static shared key
Pyrit

WPA2-PSK stealing via WKV
http://www.youtube.com/watch?v=F8SoKrJoA5M
Run FakeAP using airbase-ng
DNSPoison to redirect to captive portal
Fake page to trigger download of exe
Metasploit reverse_tcp loads payload
executes wkv.exe and grabs output
Here is the PSK Key !!!!

Hacking Password Hashes
Target LEAP and PEAP
MiTM using tinyPEAP
Rainbow tables (indexed lists)
– Indexed lookup for password hashes
– tables exist for up to14 chars passwords
http://rainbowtables.shmoo.com/
Avoid password based Authentication
- use 2-factor schemes : Certs, Tokens, machine auth

TKIP Cracking
Aug 2009
• Who is Impacted
– WPA/WPA2 using TKIP Encryption
– Regardless of PSK or 802.1x/EAP authentication
• Impact
– Attacker can decrypt packets
– Does not require WMM unlike Beck-Tews TKIP attack
– Crack temporal key in 60secs
• How is it done
– MiTM Attack augmentation to Beck-Tews
– TKIP ChopChop ICV attack
• Detection/Mitigation
– WIPS solutions can detect Replay Injection attacks
– Transition to AES Encryption
TKIP was a stop gap, Migrate to AES/CCMP
http://airheads.arubanetworks.com/article/tkip-vulnerabilities

WPA2 Hole 196 Attack
Jul 2010
• Who is Impacted
– All WPA/WPA2 deployments
– Attacker has to be an Authenticated User
• Impact
– Attacker can inject Multicast/Broadcast Data Packets
– Attacker can create DoS effect on wired/Wireless
• How is it done
– MiTM Attack through ARP Spoofing
– GTK common key exploitation
• Detection/Mitigation
– Client Isolation
– WIPS system detects MAC Spoofing
– Wireless Firewall to drop certain type of Multicasts coming from Clients
http://airheads.arubanetworks.com/article/aruba-analysis-hole-196-wpa2-attack
Vulnerability assessment is a key component of security

Mitigation Strategies

Step 1 - Secure the Environment
•Know what’s on your network: Wired or Wireless
•Wireless extends the network in an uncontrolled manner
•Continuously monitor and protect your devices
•PCI requires at least quarterly scans for wireless devices
Physically
secure devices
•Restrict access to network ports
•Lock down devices, ensure they contain no sensitive data
•Prevent tampering with devices
•When using wireless, monitor and protect
Allow only
Authorized
Devices

Protect the Air
Secure your L2 Perimeter against threats/attacks
Hotel
Home
Create L2 Virtual Fence (Wireless IPS)
Protect Remote
devices

Multiple Options
Tackling Requirement 11.1
Rogue
Devices
Accidental
Connections
WEP
Policy
Violations
Sensor
At every site
LAN/WAN
Server
In Data Center
Walk-around
every site,
once a quarter
WirelessIDS
HandheldAnalyzer
Authenticate
every wired
connection
before it is
allowed
NAC

Unauthorized Device Management
Scan Network
Correlate
Scanning Results
Classify ThreatsAlert and Report
Contain
Suspect
Rogue
Neighbor
Valid
Rogue•Wired-wireless correlation
•Wireline “fingerprint” scans
•Wireless scans using AP/AM
•Router & switch polling
•Laptop client
•Rule based Classification
Hybrid Integrated monitoring for Intrusions
Aruba Best Practice

Step 2 - Protect the Data
Strongly
authenticate
devices
• Know your
wireless clients
• Prevent bogus
clients from
getting online
• Machine
Authentication
Strongly
authenticate
users
• Devices should
be unusable for
business without
a valid user
• Use 802.1x
where possible
Encrypt all
wireless
traffic
• 802.11i – AES
• Rotate PTK often
• Make sure the
data between the
AP and controller
is secure

• Use strong encryption (802.11i) for WLAN
• Starting Jun 2010, CDE can’t use WEP
• Replace, upgrade Hardware
• WEP Cloaking, protection no longer valid
Requirement 4.1.1: Authenticate & Encrypt
WEP
Option 1
Replace Every WEP Device
Replace all legacy
hardware in use
Upgrade new
hardware in use
Option 2
Make Every WEP Device Out-of-Scope
Data Center
Stateful-Firewall
sits between WEP
devices & CDE
Firewall Blacklists
Unauthorized
Users & Intruders

Machine Authentication
• Machine authentication performed before user authentication
• If the device cannot be authenticated, Infrastructure denies access
• Ideal for protecting against weak passwords or to prevent
non-corporate devices from accessing the network
• Caveat : May not work for all types of machines
Ensures Only Authorized Devices Can Be Used to Access Network
Corporate
Laptop
Personal
Laptop
RADIUS
Domain
Controller
PASSFAIL
Same Username
and Password

Authenticate Devices – 802.1x everywhere
• Attacker cannot unplug PoS and insert proxy without detection
• Utilize Aruba S3500 for wired ports
Prevent unauthorized device or Man in the Middle attacks
• Detect who and when is accessing the network via AirWave User Tracking
Help maintain device inventory
• AirMonitors can prevent authorized device mis-association.
Prevent wireless device mis-configuration or mis-association
• Use a dynamic firewall like Aruba PEF to put authenticated devices outside the
CDE until a user logs in
Devices must have logged in user to access to CDE (DSS 7.2)

Encrypt ALL
Wireless Traffic
Use WPA2 Enterprise with AES
where possible
• TKIP has at least one known vulnerability that
could expose data
• There are no known key vulnerabilities when
using AES-CCMP
If is not feasible use PSK
• Make passphrase at least 14 characters from
the full set of printable ASCII
• Change the key regularly
• Isolate traffic via PEF firewall, or VLAN
Encrypt Across
Unsecured Wired Links
Option 1 – Aruba’s centralized
encryption maintains AES back to
central controller
Option 2 – Use a VPN or Aruba’s
RAP to encrypt data
Strongly Encrypt Data
802.1x/AES, End-to-end Client to Controller encryption
Aruba Best Practice

Step 3 - Securely Segment the Network
Minimize user access to CDE
Restrict the CDE to a small set of resources
• Use physical separation where possible
• Use firewalls everywhere else
• Keep CDE traffic encrypted as much as possible
• Keep firewalls close to decryption points
• Role-based access is best
• Ensure terminated users lose network access
• 802.1x authenticated user info should be available to the firewall

• Wireless LAN must be segmented with a Firewall
• Firewall must do “stateful” inspection
• Firewall must deny all traffic from wireless LAN
– Unless required for business purposes
Requirement 1.2.3: Firewall For WLAN
Cardholder Data
Environment
Wireless
LAN
External
Sources
?

Physical Segmentation
No shared wires –
VLANs are not
sufficient
• VLAN tagging does
not prevent a tap
from capturing data
• VLAN tags can be
spoofed
• If CDE traffic must
cross untrusted
segments make it
strongly encrypted
No shared switches
or routers without
built-in firewalls
• Overloaded
switches can be
fooled into
mishandling traffic
• Routing protocols
can be spoofed
No shared APs
• Unless the AP
has a built-in
firewall
• Make sure CDE
SSID and non-
CDE SSID traffic
remains
separated
physically or by a
firewall at all
times
Policy Enforcement Firewall in every data path
Aruba Best Practice

• Use strong Authentication and Encryption schemes
• Protect WLAN for vulnerabilities and Intrusions
• Centralized Policy definition, end-to-end enforcement
• Role based access to network resources
• User, Device and Application aware infrastructure
• Cost effective solution
Aruba’s Solution approach

Port and VLAN Aware
⊗ Limited policy enforcement
⊗ Hard to scale at large sites
⊗ Too costly to manage
Mobile Device Access Control (MDAC)
Legacy Access
User Aware
 Role based access
 Per user visibility
 Easy to scale
Device Aware
 Device enrollment
 Per device policies
 Device inventory
Next-Gen Access
App Aware
 Per application QoS
 Stateful QoS for UC
 Supports high density

Corporate
Services
Guest
Data
Voice
Signage
mPOS
Virtual AP 1
SSID: Store
Virtual AP 2
SSID: GUEST
DMZ
AAA
FastConnect
Captive Portal
Role-Based
Access Control
Access Rights
Secure Tunnel
To DMZ
SSID-Based
Access ControlmPOS
Data
Voice
Signage
Guest
Role-Based Security Architecture
RADIUS
LDAP
AD
Assign appropriate role to user/device – Isolate and Protect
Aruba Best Practice

Aruba Solutions for PCI v2.0 compliance
2.1.1: Don’t Use Defaults
2.2: Standard Config
4.1.1: Better Than WEP
6.1: Get latest patches
7.2: Role-based Access
10: Monitor Access
Category 1
No WLAN
Category 2
No CDE
over WLAN
Category 3
CDE
over WLAN
1.1.2: Inventory WLAN
1.2.3: Firewall WLAN
9.1.3: Physical Security
11.1: Wireless Scanning/NAC11.1: Wireless Scanning/NAC 11.1: Wireless Scanning/NAC
1.1.2: Inventory WLAN
1.2.3: Firewall WLAN
9.1.3: Physical Security
- APs for scanning only
- AirWave to log/report
- APs in hybrid mode
- Built-in Firewall
segments WLAN
- AirWave to log/report
- APs in hybrid mode
- Supplement with AMs
- WPA2 Enterprise
- Built-in Firewall
segments WLAN
- AirWave to mitigate
rogues, log & report
- S3500 802.1x secured
wired ports

Aruba WIPS Architecture
- APs/AMs
- 802.11 a/b/g/n scanning
- TotalWatch and IPS
- Spectrum Analysis
- Controller
- Centralized WIPS Analysis
- Create custom Signatures
- Wired/WLAN threat correlation
- Airwave
- Central Monitoring, Reporting
- RF/Threat Visualizations
- Rule based Analytics

Hybrid Scanning Approach
Higher visibility across Space, Channel, Time
APs - Complete visibility on AP Channels
– APs service and perform IDS concurrently
– Off-Channel opportunistic scanning
AMs - Configurable Off-Channel Scanning
– 4.9GHz, Rogues in-between channels
– 1:5 AMs for finding Rogue devices Off-channels quickly
In-line threat inspection
– No need to escalate packets to IDS appliance
Ability to perform deep packet inspection
– Over the air approach cannot decrypt packets
Threats are detected much faster compared to sensor-only approach
Reference : NetworkTest Wireless Pen Test study

TotalWatch Intelligent Scanning
Complete Coverage
– 2.4-GHz and 5-GHz scanning
– 4.9-GHz public safety band
5-MHz increment scanning
– Rogue detection in-between channels
Adjust Scanning Dwell times
– Channel with Traffic : 500ms
– Channel in Regulatory Domain : 250ms
– Channel outside Regulatory Domain : 100ms
4.9 GHz 5.0 GHz
2.4 GHz
Maximize visibility across entire spectrum

Detect over 14 different type of Rogue devices
– MAC adjacency, Fingerprinting, Traffic correlation, SSID/RSSI, OUI
Detect Reconnaissance tools
– NetStumbler, DStumbler, Wellenreiter, etc.
Detect malicious and innocuous intrusions
– Man-in-the-middle attacks
– HoneyPot attacks
– Denial of service (DoS) attacks
– MAC Spoofing
– Encryption breaches
– Ad hoc network formations
– Wireless Bridging Detection
Protect against Intrusions
– Deauths, Tarpit, Blacklisting clients, Wired port suppression
React to new attack patterns in real-time
– Programmable signatures as new attacks emerge
Aruba Integrated WIPS
Wizard based WIPS policy Setup

RF Interference in ISM Bands
– Microwaves, Bluetooth, DecT headsets etc
High Duty Cycles = No WLAN bandwidth
– packets get corrupted, retries eat airtime
Interference aware RF Management
– APs get moved to uncongested channels
Integrated using existing AP chipsets
– Reduce cost of ownership
Integrated GUI – 14 Views
– Classifies 12 different class of interferrers
Integrated Spectrum Analysis
High Duty Cycle
High Noise Floor
Culprit – Wireless Video cameraDetect Malicious non-Wi-Fi devices

RAPIDS – Integrated Threat Management
• Rule based Rogue detection and escalation
• Wired correlation for Rogue AP detection
• Integrated IDS Event Management
Escalate Events
Define Rules
Create Triggers

VisualRF – Locate Rogue devices
Drill down
Folders
Visualize Rogue
Location

Compliance Reporting
Define
Reports
Schedule
Reports
View Reports

Q & A

Airheads vail 2011 pci 2.0 compliance

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Airheads vail 2011 pci 2.0 compliance

Ähnlich wie Airheads vail 2011 pci 2.0 compliance (20)

Mehr von Aruba, a Hewlett Packard Enterprise company

Mehr von Aruba, a Hewlett Packard Enterprise company (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Airheads vail 2011 pci 2.0 compliance