
My latest thoughts and ideas about wireless technology.

Entries in wlan (7)

Saturday
Apr272013

Are We Just Fooling Ourselves With All These Captive Portals?

Lately I've been wondering if there is really a secure way to get uncontrolled mobile devices onto the wireless network. I have no problem extolling the security virtues of wireless networks once clients are properly configured, but there is an increasing need to examine that short period of time starting when end-users decide they want to access the WLAN, and the moment when they are actually authenticated.

I don't really have deep concerns with wireless clients that are already under the control of IT. For these devices, there are tools like MDM and GPO that can make sure that supplicants get configured consistently and securely. What about those uncontrolled devices though?

Captive Portals

The use of captive portals is already a point of contention with wireless engineers. Some people see a real use for them and others dislike them because of the negative impact they tend to have on user experience. I'm still on the fence with regards to that discussion, but lately I've really started to dislike them for security reasons.

In 2009, Moxie Marlinspike spoke about the underlying issues with having a web that supports both HTTP and HTTPS. He went further and released a tool called sslstrip which demonstrated the problem. Essentially, and I'm really paraphrasing here, because web servers and browsers accept HTTP as a valid channel, it is possible to intercept client traffic and rewrite all of the HTTPS links and locations and present HTTP versions to the client. The end result is the attacker gets to see all of the usernames and passwords in cleartext.

It is now 2013, that's 4 years later for those of you keeping score, and we are still in the same boat. In fact, I would argue that we are worse off because the wireless industry has adopted captive portals as both a means for user authentication and as a method for provisioning credentials. Let's pause for a demonstration of this attack:

These are all tools that I would normally run directly on a BT image but I was recently loaned a WiFi Pineapple Mark IV so I figured I would see how well it worked. I honestly had no idea how much the Pineapple had evolved (I used to have a Mark II) and just how easy it was for anyone with just over $100 to launch these attacks. With only a basic level of skill, anyone can easily harvest credentials from people authenticating to a captive portal.

Worse still, the industry has started to use captive portals as a method to securely provision credentials to end-users. It is quite possible to strip SSL out of the provisioning session and record the provisioning procedure. This is my main concern with captive portals. Given how easily any kid can strip out all of the security, do we really want to use them as our secure channel for provisioning credentials?
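A practical way to check whether a portal is exposed to the downgrade described above is to look at the login page the way a client does: is it loaded over HTTP, does the form carrying the password post to an http:// URL (the rewrite sslstrip performs), and is there a Strict-Transport-Security header so a browser that has seen the portal once will refuse a later plaintext visit? The following audit script is an added example written for this post, not code from the original article or from any portal vendor; the portal hostname, page and headers are constructed samples, one showing a stripped session and one showing the portal as it should be served.

```python
"""Audit a captive-portal login page for sslstrip-style exposure.

Added example, not code from the original post. Given the URL of a portal
page, its HTML and its response headers, report every way credentials could
cross the air in cleartext: the page itself loaded over http://, a form with
a password field whose action is an http:// URL (the rewrite sslstrip
performs), and a missing Strict-Transport-Security header, without which a
browser will follow a downgraded http:// link to this host next time.
The portal URL, page and headers below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect each <form> with its action and whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: {"action": str, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_portal(page_url, html, headers):
    """Return (severity, message) findings; an empty list means no cleartext path was found."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append(("high", "portal page itself is served over plaintext HTTP"))

    lower_headers = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lower_headers:
        findings.append(("medium", "no Strict-Transport-Security header; a later http:// "
                                   "request for this host will not be upgraded by the browser"))

    scanner = _FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])   # relative actions inherit the page scheme
        scheme = urlparse(target).scheme
        if scheme == "https":
            continue
        if form["has_password"]:
            findings.append(("high", f"password form posts to {target}; credentials would be sent in cleartext"))
        else:
            findings.append(("low", f"form posts to non-HTTPS target {target}"))
    return findings


# Constructed sample 1: what a client sees after an sslstrip-style rewrite;
# the page arrived over http:// and the login form now posts to http:// too.
STRIPPED_URL = "http://portal.example.test/login"
STRIPPED_HTML = """<html><body>
<form method="post" action="http://portal.example.test/auth">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Log in">
</form></body></html>"""
STRIPPED_HEADERS = {"Content-Type": "text/html"}

# Constructed sample 2: the same portal as it should be served.
CLEAN_URL = "https://portal.example.test/login"
CLEAN_HTML = STRIPPED_HTML.replace("http://portal.example.test/auth",
                                   "https://portal.example.test/auth")
CLEAN_HEADERS = {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    for label, args in (("stripped", (STRIPPED_URL, STRIPPED_HTML, STRIPPED_HEADERS)),
                        ("clean", (CLEAN_URL, CLEAN_HTML, CLEAN_HEADERS))):
        print(f"{label}:")
        for severity, message in audit_portal(*args) or [("info", "no cleartext exposure found")]:
            print(f"  [{severity}] {message}")
```

Run it against the page your own portal serves (fetch the HTML and headers with any HTTP client and pass them in); a clean result only means the portal itself is not handing credentials over in cleartext and has asked browsers to remember HTTPS, which is the most the portal operator can do about this class of attack.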

What's the Solution?

This is the part I've been struggling with and I'm hoping that someone can show me the light. I'm not really sure what the solution is. We could start by ensuring that the captive portal provisioning only occurs after you've authenticated to an EAP-PEAP protected network. That would at least ensure that all data is encrypted at layer 2 instead of cleartext by default. However, as I mentioned in my previous blog post, there are risks that come along with expecting end-users to properly configure a supplicant for EAP-PEAP. Thus, the viability of this as a solution rests in the hands of the end-user; that's not a good thing.

Beyond PEAP, we could ensure that we have proper rogue detection and alerting in place. This should, at least, give us that heads up when this type of attack is occurring. Unfortunately, this is not a preventative measure since you are only notified once the attack has already taken place. Also, I don't see single-AP coffee shops deploying and configuring WIDS all the time.

Like I said at the beginning of this section, I am not really sure what the answer is. As an industry, we have done our best to adapt existing authentication methods to cope with the BYOD onslaught. Is the answer that we need a new authentication method that is designed with BYOD in mind? If so, what does that solution look like? Or, is there an easy solution to this that I'm just not seeing?

Daniel

What are your thoughts on the subject? I'm really interested in hearing different approaches to tackling this issue so please leave your comments below and be sure to share this post with others.

Monday
Dec032012

So Relevant That It No Longer Matters?

Lately, a lot of people have been asking me if wireless intrusion detection (WID) and prevention (WIP) systems are still relevant. My answer is yes, it's just not sexy anymore so nobody is talking about it.

First, I want to make a quick distinction. When I say WIPS I am referring to more than just rogue AP detection. That is to say, rogue AP detection is a necessary element of a WIPS but not sufficient to constitute a WIPS on its own.

This distinction is important because I find people often confuse the two. In fact, I was at a vendor presentation a few months back where I asked how a certain vendor-specific feature would affect WIPS functionality. To my surprise, the vendor replied that WIPS was a joke and that he didn't believe in the technology. He went so far as to declare that he could drop an AP on any LAN he wanted without it being detected. I was shocked, to say the least, to hear a vendor's technical representative confuse rogue AP detection for a complete WIPS. The two terms are not synonyms.

A working definition of WIPS

From this point forward I'm just going to refer to wireless intrusion detection and prevention systems by using the WIPS acronym.

The term WIPS is pretty well-defined by the actual words: wireless intrusion prevention. We can go a step further and look at an excerpt from the Certified Wireless Security Professional Official Study Guide:

A WIDS detects and notifies about potential attacks, whereas a WIPS functions as a WIDS while additionally protecting the WLAN using various methods beyond simple detection and notification. (Coleman, Westcott, Harkins, & Jackman, 2010, p.372)

The important take-away here is that a WIPS monitors and prevents more than just rogue APs. There are other types of attacks which it should also be protecting against.

Why are people asking if WIPS is dead?

When I first started dabbling in wireless, there were several pure WIPS vendors. I remember getting lost driving from Atlanta to Alpharetta because I didn't want to pay a 50 cent toll-charge on my way to the AirDefense Headquarters. At that time, they were locked in some pretty fierce battles with AirTight Networks. Both of these companies were WIPS companies. Alas, times have changed. AirDefense got gobbled up, and umm...altered, by Motorola and AirTight decided to jump into the access game.

Looking at WLAN vendors, almost all of them, if not all, have built-in WIPS to some degree. Some offer it for free and some offer it as a licensed feature. WIPS is still around; it's just hidden in plain sight. For a non-wireless person looking at the industry, I can see how someone could come to the conclusion that WIPS was not important anymore. It's not talked about a heck of a lot because it has essentially become table-stakes. That doesn't mean it's not relevant though. If anything, it became table-stakes because of its relevance.

Why do we still need WIPS?

The requirement for WIPS functionality can be broken down into two groups:

  1. Compliance
  2. Security

Most of the compliance components really focus on the rogue AP detection and configuration auditing capabilities of a WIPS, while the attack monitoring, alerting, and prevention really fall under sound security practices. I'd like to gloss over the compliance components and dig just a bit deeper into the security aspects of a WIPS.

Beyond simple rogue AP detection, a well-designed WIPS will also monitor for, alert on, and possibly attempt to mitigate a wide range of wireless attacks. A few examples would be DoS attacks, brute-force authentication attempts, evil-twin attacks (which could arguably be lumped in with rogue APs), and so on and so forth. The point I'm trying to make is, given the unbounded nature of wireless communications, a WIPS is pretty much essential to effectively and proactively protect your WLAN. Without these capabilities, it becomes very easy for someone to attempt to gain access to your network or, at a minimum, disrupt its proper functioning without ever being noticed.
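To make the distinction between "rogue AP detection" and the wider monitoring described here concrete, and to show the kind of rogue detection and alerting the captive-portal post above says a coffee shop rarely deploys, here is an added example of the detection side of a WIDS: it classifies beacons against an authorised-AP inventory (evil twin, unknown neighbour, configuration drift on our own AP) and counts deauthentication bursts and repeated authentication failures. This is illustration code written for this page, not from the original posts or any vendor's product; the inventory, thresholds and frame records are all constructed.

```python
"""Minimal WIDS-style checks over a sensor's view of the air.

Added example, not code from the original posts. The authorised-AP
inventory, the thresholds and the frame records below are all
constructed for the demonstration; each record is one 802.11 management
frame reduced to the fields a sensor would keep. The checks mirror the
post's list: rogue/evil-twin beacons, configuration drift on our own APs,
deauthentication floods (DoS) and brute-force authentication attempts.
"""
from collections import Counter

# Assumed inventory of our own access points: BSSID -> (SSID, security)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpWLAN", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpWLAN", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("Guest", "Open"),
}
DEAUTH_THRESHOLD = 20     # deauth frames from one source within the capture window
AUTH_FAIL_THRESHOLD = 5   # failed authentications from one client in the window

# Constructed frame records: (type, source/BSSID, ssid, security, destination, status)
FRAMES = [
    ("beacon", "00:11:22:33:44:01", "CorpWLAN", "WPA2-Enterprise", None, None),  # our AP, as expected
    ("beacon", "de:ad:be:ef:00:01", "CorpWLAN", "Open", None, None),             # our SSID, not our BSSID
    ("beacon", "ca:fe:00:00:00:09", "FreeWifi", "Open", None, None),             # neighbour, unknown to us
    ("beacon", "00:11:22:33:44:03", "Guest", "WPA2-PSK", None, None),            # our AP, wrong security
    # 25 broadcast deauths carrying our AP's address (a sensor cannot tell spoofed from real)
    *[("deauth", "00:11:22:33:44:01", None, None, "ff:ff:ff:ff:ff:ff", None)] * 25,
    # 6 failed authentications from one client against our AP
    *[("auth", "aa:bb:cc:dd:ee:ff", None, None, "00:11:22:33:44:01", "fail")] * 6,
]


def detect(frames, authorized=AUTHORIZED):
    """Return (alert_type, source, detail) tuples for everything worth paging on."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    alerts = []
    seen_beacons = set()   # (bssid, ssid) pairs already classified, so each AP alerts once
    deauth_count = Counter()
    auth_fail_count = Counter()

    for ftype, src, ssid, security, dst, status in frames:
        if ftype == "beacon":
            if (src, ssid) in seen_beacons:
                continue
            seen_beacons.add((src, ssid))
            if src in authorized:
                expected_ssid, expected_sec = authorized[src]
                if (ssid, security) != (expected_ssid, expected_sec):
                    alerts.append(("config-drift", src,
                                   f"advertises {ssid}/{security}, inventory says {expected_ssid}/{expected_sec}"))
            elif ssid in corp_ssids:
                alerts.append(("evil-twin", src, f"unauthorised BSSID advertising our SSID {ssid} ({security})"))
            else:
                alerts.append(("unknown-ap", src, f"SSID {ssid}; check whether it is plugged into our wire"))
        elif ftype == "deauth":
            deauth_count[src] += 1
        elif ftype == "auth" and status == "fail":
            auth_fail_count[src] += 1

    for src, n in deauth_count.items():
        if n >= DEAUTH_THRESHOLD:
            alerts.append(("deauth-flood", src, f"{n} deauthentication frames in window"))
    for src, n in auth_fail_count.items():
        if n >= AUTH_FAIL_THRESHOLD:
            alerts.append(("auth-bruteforce", src, f"{n} failed authentications in window"))
    return alerts


if __name__ == "__main__":
    for alert_type, src, detail in detect(FRAMES):
        print(f"{alert_type:15} {src}  {detail}")
```

The example stops at alerting, which is the WIDS half of the definition quoted above; the "prevention" half is whatever action the system takes on these alerts. Note that the unknown-AP case is only a lead: whether a neighbouring SSID is a rogue or just the cafe next door needs the wire-side correlation the compliance requirements are really asking for.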

I believe this is why WIPS is essentially being baked into WLAN vendor solutions and the WIPS-only players are either disappearing or refocusing.

Final Thoughts

So, to give my official answer: WIPS is currently, and will always be, an important component in a properly secured WLAN. Just because it isn't sexy anymore, doesn't mean that its job doesn't need to be done. (Yeah, I'm looking at you, Lester in accounting.)

Daniel

 

Sunday
Oct142012

Self-Provisioning Vs. Learned Helplessness - Live at the WFD3 Arena!

Self-provisioning of networking services is something often discussed in a BYOD world, and it was certainly mentioned by several vendors at Wireless Field Day 3. In this post I want to examine the potential clash between user self-provisioning and learned helplessness.  

My stance: Self-provisioning will not be graciously accepted by a large demographic of end-users suffering from learned helplessness.

First, a few quick definitions to make sure we're all on the same page:

Learned Helplessness (source: Wikipedia)

a technical term that refers to the condition of a human or animal that has learned to behave helplessly, failing to respond even though there are opportunities for it to help itself by avoiding unpleasant circumstances or by gaining positive rewards.

Self-Provisioning (source: modified from TechTarget)

a system that allows end-users to set up and launch applications and services without the direct intervention of an IT organization or a service provider.

Since WFD3, I have talked to quite a few people who are ready to jump head first into a bold new self-provisioned world; admittedly, I'm one of those people. As a technically-capable individual, I don't want to have to wait for IT to come and set up my gear. I'd rather just do it myself and go about my business.

There is, however, an entire group of people suffering from learned helplessness that might not be so quick to embrace a self-provisioned world. These are the end-users who will routinely go to the helpdesk for assistance on something that they could have done themselves. These are the people who freak out every time you upgrade to a new version of MS Office, or slightly change the look and feel of a system they use. Lastly, these are the people who can frequently be heard saying "Can't you just come do it for me quickly? I don't want to mess it up." For these people, self-provisioning is at best a major inconvenience and at worst a terrifying ordeal.

Can we unlearn helplessness?

In my mind, the real challenge in a self-provisioned world will not only be in trying to help people unlearn helplessness but also in knowing when to give up the fight and just do it for them. There will certainly be those individuals who, despite wanting IT to do it for them, will begrudgingly adapt and eventually embrace self-provisioning. These are the unlearners and they should be applauded for moving outside their comfort zones.

On the opposite end of the spectrum, it is very likely that we will encounter some life-long learners during this transition. These people will fight, complain, argue, and plead for help the entire time. For these people, I say they shouldn't be forced into the new self-provisioned world. Instead, it will be far more cost-effective financially and emotionally to just let them continue to live in the IT-provisioned world. As the old saying goes: You can lead a horse to water but you can't make him self-provision his tablet for secure access to the corporate WLAN.

The Way Forward

I guess the real message I'm trying to get across is there probably won't be a 100% self-provisioned environment in your future; at least not your near future. The key to maintaining your sanity during this transition will be to focus on developing efficient workflows. Specifically, your onboarding and provisioning workflows should try to adhere to these two guidelines: 

  1. Follow the same process regardless of device type. That means, aim to have the onboarding and provisioning process look and feel the same for laptops, tablets, and smartphones. Yes, the underlying procedures might need to be different but the visible user experience shouldn't need to be.
  2. Follow the same process regardless of the person holding the device. Your goal should be to have a single, unified procedure that is the same for end-users and IT staff alike. Yes, IT will need to understand what is happening under-the-hood but there is no reason to have separate procedures.

By adhering to these two guidelines, you can help maintain your sanity in a self-provisioned world. IT staff will find it easier to learn the process because it is the same across the board. End-users will be able to either do it themselves or just watch IT do it once and then repeat the same steps on their own the next time they want to get a device on the network. Self-provisioners will gain their much demanded autonomy while IT will benefit from a streamlined workflow for assisting the life-long learners.

Closing Thoughts

I've been quoted in the past as complaining about a self-provisioned world. While I don't deny making certain statements, I do think they have been misunderstood. I like the idea of self-provision autonomy for the end-user. My statements, and this blog post, are just my way of reminding everyone that learned helplessness is a real thing and to be ready for some pushback when going down this road. It doesn't need to be an unpleasant experience; especially if you put some effort into designing proper workflows.

Daniel 

What are your thoughts on end-user self-provisioning? Have you deployed this type of solution before? I'd be interested to hear about your experience.

Tuesday
Jun122012

You're Awesome But Your WLAN Might Be Saying Otherwise

Have you ever stopped to think about what your WLAN is saying about you and your organization? I just finished watching a TEDx Talk called 'What your designs say about you' by Sebastian Deterding, and I completely agree that our values and morals are continually communicated to others by the way we design things. So I ask again, what is your WLAN saying about you?

What are your company values?

Almost every business/organization I have encountered has had a list of values splashed on the company website or physically posted somewhere in the office. Think about your organization. What are your stated values? (Here are a few common examples: respect, innovation, honesty, connectedness, empowerment, security...)

Have you found your corporate values yet? Good. Now, if you offer some form of amenity/guest wireless access, I want you to ask yourself if the design of that network actually follows the values you've claimed to hold dear. Does the end-user experience communicate that you are a company that cares about innovation, security, respect, etc?

For example, if you claim to value security, do you offer secure guest access or just cleartext (unencrypted) access and tell guests they need to worry about their own security? If that's the case, then your guest WLAN is communicating that you don't actually care about security; you care about your own security. There's a difference and it is noticeable.

Another example: If you claim to value innovation or connectedness, do you offer guest access that is actually fast and stable enough to use? Or do you offer an end-user experience that is slower than dial-up with major coverage/capacity issues just so you can publicly advertise that you have 'guest wireless access'? If that's the case, then your WLAN is really saying that you either do not understand what innovation or connectedness are, or that you are really just too cheap to extend that value to non-employees. Either way, it's not a good message to be sending.

I could go on but I think that's enough bad examples.

Now Is Your Time To Shine

I'm sorry to say, but most guest networks I come across have severely betrayed the image that the company offering them has tried to foster for itself. They are usually slow, unstable, insecure, and require extraordinary hoop-jumping abilities just to get connected. Imagine what it would be like if your WLAN reflected just how awesome you really were!

If your corporation claims to value 

  • security, then offer guests a secure solution. Don't tell them they are on their own. Show them that you care about more than just your own security; you care about their security as well. There are many ways to provide at least some kind of secure connection: PSK, PPSK, DPSK, captive portal provisioning of credentials just to name a few. 
  • innovation or connectedness, then offer a guest access solution that allows them to actually accomplish something while connected to your network. Dial-up speeds are not innovative. If anything, dial-up speeds are a slap in the face.
  • respect, then offer access that shows how much you respect their patronage. That means creating an end-user experience that doesn't require twenty clicks, and a reboot just to get connected. (Yes, I'm exaggerating here but you get the point.) Offer an easy-to-connect-to service that is stable and available in the areas where your guests actually want to use the service. 

With the current state of most amenity/guest networks, it is really easy for you to stand out. Your company is awesome. Why not be known for sharing an awesome wireless access solution and extending your corporate values beyond just your executives and employees? Be the company that offers a guest access service that says "We offer this service because we respect you and genuinely want you to have a good experience" instead of the one that says "We want your money and we offer this cheap service because all of our competitors do".

Your WLAN is saying something about you. It's up to you to shape and guide that conversation in a way that benefits everyone.

Daniel 

 

Wednesday
May302012

Talking Mobility with Enterasys

Recently I had the opportunity to visit the Enterasys Wireless Centre of Excellence in Thornhill, ON and take a tour of their WLAN solution compliments of @mikeleibovitz. I haven't really had a chance to do my own independent lab testing yet, but the visit itself was pretty interesting. Here are a few of the interesting points I was able to take away without actually doing any hands-on lab work:

OneFabric = Interesting

The wireless solution fits pretty well into the Enterasys OneFabric concept. Administrators can easily manage wired and wireless users from a single NMS administration console. By adding in the Mobile Identity and Access Manager (IAM), which is the Enterasys response to BYOD, you've got a pretty comprehensive mobility solution. 

Pro - You don't need wall-to-wall Enterasys. They have tried to remain standards based (i.e. RFC 3576) so most enterprise solutions should fit nicely into this type of setup. Obviously, though, the solution is more fully functional if you do happen to run all Enterasys.

Con - From what I saw, there are a lot of different boxes involved. You've got a box for NMS, a box for Mobile IAM, a controller, and possibly something that I've missed. I'm not sure if these are all easy to deploy or if the deployment can go south fairly quickly.

Mobile IAM

As stated above, this is the Enterasys response to BYOD. It is essentially a RADIUS proxy on steroids that is able to make use of additional contextual information to provide role-based access to wired and wireless devices. I was pretty impressed with the number of reportable attributes visible to Mobile IAM (something like 50 if my notes are right). This gives the solution a lot of choices when making contextual decisions regarding authorization.

Pro - Contextual awareness for wired and wireless devices, all controlled from a single management interface.

Con - It's still a RADIUS proxy which means it doesn't have the ability to create and manage credentials like Aruba's ClearPass solution does. Instead, it relies on existing backend RADIUS or LDAP to a somewhat larger extent.

Palo Alto Integration

Back in December of 2011, I created a video demonstration of Amigopod sharing username data with a Palo Alto Networks (PAN) firewall. It looks like Enterasys has built that functionality into their NMS product and have started expanding on that integration. For example, an administrator can see information regarding top application usage matched to users right from the NMS console, in real-time, and take action on that information immediately.  I'm not sure how much more I'm allowed to share, so I'll just say that, if successful, Enterasys and PAN will have a much more robust, two-way integration with one another than mere username sharing. Very cool.

Random Bits

I'll close out my take-aways with a bullet list of random stuff that doesn't warrant a full write-up (at least not until I can actually test the gear out): 

  • No additional feature licensing on the controllers. Sweet!
  • They offer a lifetime warranty on both the controller and the access points.
  • The controllers have HA licensing and capacity built-in. So, if you buy a box that supports 128 APs, it can, and will, actually support 256 APs in an HA failover situation.
  • The newer 3x3:3 tri-radio access points will require 802.3at (The dual-radio 3x3:3 APs will use 802.3af.). I'm not sure if this is going to be an issue for them or not. Personally, I think the explosion of mobile phones and tablets makes 3x3:3 less important, but to each his own.

Closing Thoughts

This is just a brief, high-level overview of what was discussed during my visit and should not be interpreted as a personal endorsement. Once I get my hands on some gear I hope to do a more technical write-up on some of the other topics discussed, such as: spectrum analysis capabilities, over-the-air packet capture, and other wireless networking table-stakes.

Overall, the solution and concept presented looked pretty promising. The integration between wired and wireless networks is, on the surface, impressive. I must admit, I hadn't really spent a lot of time looking at Enterasys in the past and I think it's their past lack of marketing initiative that has made them fall off people's radars. It'll be interesting to watch and see if Enterasys can become more visible in this highly competitive market.

Daniel

Disclosure: I currently work for an Enterasys partner. That being said, I don't have any hands-on experience with Enterasys gear (wired or wireless).