Meru Security
Perimeter Threat Defense - Meru RF Barrier™
Some of the most intrusive and damaging attacks publicly known to have been perpetrated against wireless networks have not come from inside the building, but from outside: in the parking lot. The transition to wireless local area networks of mission-critical information – from billions of dollars of transactions daily to emergency room medical information to credit card and Social Security numbers – has attracted a new breed of attacker. "Wardrivers" snoop around the perimeter of the buildings of vulnerable organizations, looking for open or incompletely secured networks. Originally done for sport, or by people desperate for internet access, wardriving has been adopted by criminals and identity thieves to mount "parking lot attacks" against unwitting enterprises. Major retailers have already been subject to these attacks. Over 45 million credit card numbers were stolen by attackers using a high-gain antenna from the parking lot of a major retailer. Even large technology firms have not been able to avoid being targeted.
Meru Networks provides zero-day protection against these passive outdoor attacks through its unique RF physical security technology. By preventing wireless traffic from crossing the secure perimeter, it limits an attacker's ability to record data and analyze wireless networks. Protection is provided for legacy networks, clear or captive portal networks, secure networks using public credential passing and networks with undetected or unknown vulnerabilities.
Using advanced RF-based security technology, Meru Networks is able to provide strong protection against eavesdroppers and passive attacks.
Meru Networks RF Barrier™ uses patent-pending RF physical security to selectively block sensitive transmissions as they cross the enterprise perimeter. By placing a Meru Networks access point and the external RF Barrier™ antenna at the network edge, internal traffic is confined within the perimeter, making the network invisible to parking lot attackers and wardrivers.
RF Barrier™ provides the following features:
- Zero-day defense against parking-lot and drive-by attacks
- Proactive: blocks traffic from being seen by attackers, including passive attacks that cannot be electronically detected
- Selective: does not disrupt neighboring WLAN deployments, yet blocks their access to sensitive data
- Flexible: blocks captive portal and guest traffic from exiting the perimeter
- Manageable: Does not require reducing power levels or other manipulation of internal wireless network
- Cost effective: requires installations only along the perimeter
Connection Threat Defense - AirFirewall™ ; Rogue Prevention; FIPS 140-2 Specified Encryption (AES); Wireless Intrusion Prevention
Attackers must connect to the network if they want to go beyond passive listening. This is where protection of the connection comes in: preventing unwanted users from getting on to the network at all. Constant security scanning is required to detect illicit users and other threats. "Evil twins" masquerade as enterprise-sanctioned access points, attempting to trick unsuspecting users into connecting and exposing critical information. Rogue access points allow unauthorized connections into the heart of the corporate network.
Meru Networks provides a comprehensive solution for securing the connection from rogues, evil twins and takeover attempts. It supports industry-standard encryption and security technologies, including NIST-approved wireless security algorithms. Meru's wireless IPS and rogue prevention features lead the industry, with unique AirFirewall technology that can make unwanted networks disappear.
AirFirewall™ - True Wireless Intrusion Prevention: A traditional Wireless Intrusion Prevention System (WIPS) doesn't begin to detect intruders or unauthorized devices until they are already on the network. There is no actual "prevention", as intruders must connect to a network before a counterattack is launched. Rogue mitigation or containment, the methods used by most WIPS products, amount to nothing more than a denial of service attack (DoS) against the intruder or unauthorized network.
Unfortunately, modern clients are able to quickly re-establish the connection, letting the unauthorized network resume where it left off. Furthermore, launching a DoS attack against the foreign network may deny service to legitimate users as well. This is because the DoS attack makes use of 802.11's connection-termination protocol, sending Deauthentication or Disassociation messages to break the connection. The channel is flooded with these termination messages, so air time is quickly expended.
Meru Networks AirFirewall™ uses patent-pending RF physical security to selectively block unauthorized network connections from proceeding, while leaving more air time free for legitimate users. The unauthorized network appears to vanish from the air, while both authorized and neighboring networks continue unabated.
AirFirewall™ provides the following features:
- Proactive: prevents unauthorized connections from establishing a connection, rather than reactively attempting to disconnect already-connected intruders
- Selective: only stops unauthorized traffic; authorized services continue unaffected
- Effective: Works for devices that do not respect Deauthentication messages (including numerous major consumer and enterprise clients, modified attack tools, and 802.11w-protected networks)
- Targeted: Can allow neighboring networks to exist without disruption
- Complete: Allows for no-wireless lockdown policy enforcement
- Flexible: May be turned on or off to allow for time-of-day policy enforcement
Rogue Prevention - Effective Classification: Rogue networks are usually set up by employees who bring in access points from home and are not aware of the dangers caused by improperly administered wireless. It is critical for enterprises to detect these rogues, so that they can be shut down before attackers find them.
However, not all unknown access points are rogues. Neighboring networks are common in urban areas, high-rises, multi-tenant units, and from adjacent buildings across free space. Administrators cannot afford to waste time investigating these legitimate networks that belong to others.
Meru Networks Rogue Prevention solves this by giving administrators the ability to enable a two-network connectivity requirement for rogue classification. When this is activated, an unknown access point is only classified as a rogue if it connects to a known enterprise network. Once the correlation is made, Meru's AirFirewall prevents connections to the rogue while staff are alerted to its location.
Additionally, non-network access points can be manually excluded or designated as a rogue, giving administrators precise control over the security of their wireless environment.
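As an added illustration of the two-network correlation described above (example code written for this page, not Meru's implementation), the function below classifies scanned access points against a wired-side switch MAC table: an unknown AP is a rogue only if its BSSID lies within a small offset of a MAC seen on the wire (consumer routers typically derive the BSSID from their Ethernet MAC) or one of its wireless clients also appears on the wire (a bridging AP). Manual exclusion and designation lists override the heuristic. The MAC table, the scan results and the offset of 8 are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    client_macs: tuple = ()


def mac_int(mac):
    return int(mac.replace(":", ""), 16)


def classify_aps(observed, wired_macs, excluded=(), designated=(), bssid_slack=8):
    """Two-network correlation: an unknown AP becomes a rogue only when it, or a client
    behind it, is also seen on the enterprise wired side. Returns bssid -> (verdict, reason)."""
    wired = {mac_int(m) for m in wired_macs}
    excluded = {m.lower() for m in excluded}
    designated = {m.lower() for m in designated}
    verdicts = {}
    for ap in observed:
        b = ap.bssid.lower()
        if b in designated:
            verdicts[b] = ("rogue", "manually designated by administrator")
        elif b in excluded:
            verdicts[b] = ("neighbor", "manually excluded by administrator")
        elif any(abs(mac_int(b) - w) <= bssid_slack for w in wired):
            # consumer APs usually derive the BSSID from the LAN/WAN MAC by a small offset
            verdicts[b] = ("rogue", "BSSID within %d of a MAC seen on the wired network" % bssid_slack)
        elif any(mac_int(c) in wired for c in ap.client_macs):
            # bridging rogue: wireless client MACs show up in the switch forwarding table
            verdicts[b] = ("rogue", "wireless client MAC seen on the wired network")
        else:
            verdicts[b] = ("neighbor", "no correlation with the enterprise wired network")
    return verdicts


# Constructed switch MAC table (what a wired-side poll of the access switches would return)
WIRED_MAC_TABLE = [
    "00:50:56:01:02:03",   # corporate workstation
    "00:50:56:01:02:04",   # corporate workstation
    "00:1d:7e:aa:bb:c0",   # home router's LAN port plugged into a cubicle jack
    "3c:97:0e:ab:cd:ef",   # laptop that is actually associated to a bridging AP
]

# Constructed wireless scan results
OBSERVED_APS = [
    ObservedAP("00:1d:7e:aa:bb:c2", "linksys", ()),                                # NAT-mode home router
    ObservedAP("00:25:9c:00:11:22", "CORP-Printer", ("3c:97:0e:ab:cd:ef",)),       # bridging rogue
    ObservedAP("c4:e9:84:12:34:56", "CoffeeShop-Guest", ("b8:27:eb:00:00:01",)),   # neighbor across the street
    ObservedAP("e0:cb:4e:77:88:99", "TenantB-Wifi", ()),                           # known neighbor, excluded by admin
    ObservedAP("f0:9f:c2:55:66:77", "Free Public WiFi", ()),                       # designated rogue by admin
]


def run_demo():
    return classify_aps(OBSERVED_APS, WIRED_MAC_TABLE,
                        excluded=["e0:cb:4e:77:88:99"], designated=["f0:9f:c2:55:66:77"])


if __name__ == "__main__":
    for bssid, (verdict, why) in run_demo().items():
        print(f"{bssid}  {verdict:8s}  {why}")
```

The BSSID-offset heuristic is a lead, not proof: a neighbor that happens to share an OUI and a nearby address will correlate too, so a "rogue" verdict should trigger location and verification before the AP is blocked.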
FIPS 140-2 Specification - Government-Grade Security: United States Government wireless installations are required to pass certification tests for the Federal Information Processing Standard 140-2 requirements. Established by the National Institute of Standards and Technology (NIST), these stringent requirements demand that all cryptographic processing within the certified product use only approved algorithms and meet strict standards for self-testing and tamper resistance.
Among the requirements are:
- 802.11i, based on FIPS PUB 197 (Advanced Encryption Standard) in CCM mode, which combines counter-mode encryption with a cipher block chaining message authentication code (CBC-MAC) for integrity
- Approved EAP operations with a secure, approved RADIUS server
- Certificate-based authentication for both clients and the network using PKI
- Power-on self testing of all cipher operations, including ensuring randomness of PRNGs, known-answer validation of encryption algorithms and secure hash validation of code and configuration
- Role-based authentication of users
- Separate roles for crypto security officers and administrators
- Two-factor authentication for key installation
- Detailed code inspection, helping ensure proper implementation and strict separation of functions, to prevent attackers from gaining knowledge of key material
- Physical tamper-resistance, ensuring that the network is no longer able to function should an attacker attempt to physically gain access to the circuitry by smashing or prying
The Meru SG-1000 FIPS 140-2 gateway has been designed to provide strong protection for government wireless installations.
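The self-test requirements listed above (known-answer tests, PRNG checks, integrity validation of code) share a structure that can be shown in a few lines. The following is an added example, not the SG-1000's firmware or any Meru code: it uses SHA-256 and HMAC-SHA-256 from the Python standard library where a real module would also run AES known-answer tests, and the firmware image, integrity key and stuck-RNG source are constructed assumptions.

```python
import hashlib
import hmac
import os

# Known-answer vectors: SHA-256("abc") from FIPS 180-4, HMAC-SHA-256 test case 1 from RFC 4231
KATS = {
    "SHA-256": (lambda msg: hashlib.sha256(msg).hexdigest(), b"abc",
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "HMAC-SHA-256": (lambda msg: hmac.new(b"\x0b" * 20, msg, hashlib.sha256).hexdigest(), b"Hi There",
                     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
}


def run_known_answer_tests():
    """Each approved algorithm must reproduce a published answer before it may be used."""
    return {name: fn(msg) == expected for name, (fn, msg, expected) in KATS.items()}


def continuous_rng_test(get_bytes, blocks=8, block_len=16):
    """FIPS 140-2 continuous RNG test: every output block must differ from the previous one."""
    prev = get_bytes(block_len)
    for _ in range(blocks):
        cur = get_bytes(block_len)
        if cur == prev:
            return False
        prev = cur
    return True


def software_integrity_test(module_image, integrity_key, stored_mac):
    """Approved-HMAC check of the module's own code/config against a value stored at build time."""
    actual = hmac.new(integrity_key, module_image, hashlib.sha256).digest()
    return hmac.compare_digest(actual, stored_mac)   # constant-time comparison


def power_on_self_test(module_image, integrity_key, stored_mac, rng=os.urandom):
    """Run all tests; any failure puts the module in the error state (no crypto services)."""
    report = run_known_answer_tests()
    report["RNG"] = continuous_rng_test(rng)
    report["integrity"] = software_integrity_test(module_image, integrity_key, stored_mac)
    return all(report.values()), report


# Constructed stand-in for a firmware image and its build-time integrity value (assumptions)
MODULE_IMAGE = b"crypto-module-v1 " + bytes(range(256))
INTEGRITY_KEY = b"build-time-integrity-key (constructed)"
STORED_MAC = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).digest()


def demo_good():
    return power_on_self_test(MODULE_IMAGE, INTEGRITY_KEY, STORED_MAC)


def demo_tampered():
    """One flipped bit in the image (e.g. a patched key-handling routine) must fail POST."""
    tampered = bytearray(MODULE_IMAGE)
    tampered[40] ^= 0x01
    return power_on_self_test(bytes(tampered), INTEGRITY_KEY, STORED_MAC)


def demo_stuck_rng():
    """A stuck entropy source that returns the same block repeatedly must fail the RNG test."""
    return power_on_self_test(MODULE_IMAGE, INTEGRITY_KEY, STORED_MAC, rng=lambda n: b"\x41" * n)


if __name__ == "__main__":
    for label, (ok, rep) in (("good", demo_good()), ("tampered", demo_tampered()),
                             ("stuck RNG", demo_stuck_rng())):
        print(label, "PASS" if ok else "ERROR STATE", rep)
```

The point a practitioner should take from the structure is that the module refuses to offer any cryptographic service until every test passes, and that the integrity key is a value the module holds internally; a device whose integrity check could be satisfied with a value chosen at runtime would not meet the requirement.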
Meru Wireless Intrusion Prevention - Zero Downtime Detection: The wireless connection presents a unique avenue for disruption. Not only are rogue networks an issue, but intruders can launch a variety of wireless attacks on the network and its users. Even innocent employees can be a threat, as malware installed accidentally can attempt to commandeer or disrupt the wireless network for the distant pleasure of its authors. Continuous monitoring is needed to protect wireless networks from these forms of attack.
Meru Networks' comprehensive Wireless Intrusion Prevention System uses existing Meru infrastructure. It does not require the added expense and complexity of an overlay security system. The WIPS maximizes detection of attacks by leveraging Meru's efficient layered channel architecture. In concert with the dual-band radio in most Meru access points, the layered channel architecture eliminates the tradeoff between security and performance.
Wireless threats detected include:
- Connection Teardown/DoS attacks
- Evil twin, MAC spoofing, and insertion (Man-in-the-Middle)
- EAP attacks
- Weak security attacks (such as ASLEAP)
Effective rogue elimination is performed by AirFirewall™.
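The first category above, connection teardown floods, is the same mechanism the AirFirewall section describes for conventional containment: a burst of Deauthentication or Disassociation frames. The following is an added example of the detection side (written for this page, not Meru's WIPS code): it parses constructed 802.11 management frames, ignores frames with the Protected Frame bit set (under 802.11w the client authenticates those, so a forger cannot use that path), and raises one alert when a BSSID emits a threshold number of unprotected teardown frames within a sliding window. The addresses, threshold, window and the captured sequence are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame type 0)
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC
TEARDOWN = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the demo (assumptions, not from the page)
AP = "00:11:22:33:44:55"
CLIENT = "aa:bb:cc:dd:ee:01"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_mgmt(subtype, da, sa, bssid, reason=None, protected=False):
    """Construct a management frame: FC(2) Duration(2) DA SA BSSID Seq(2) [Reason(2)].
    With protected=True only the Protected Frame bit is set; a real 802.11w frame would
    carry a CCMP header and an encrypted body instead of a cleartext reason code."""
    fc0 = subtype << 4                       # protocol version 0, type 0 (management)
    fc1 = 0x40 if protected else 0x00        # bit 6 of the flags byte = Protected Frame
    frame = (bytes([fc0, fc1]) + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa)
             + mac_bytes(bssid) + b"\x00\x00")
    if reason is not None and not protected:
        frame += struct.pack("<H", reason)   # reason code is little-endian
    return frame


def parse_mgmt(frame):
    """Return the fields a WIPS needs from a management frame, or None if not management."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 0:
        return None
    subtype = (fc0 >> 4) & 0xF
    protected = bool(fc1 & 0x40)
    info = {"subtype": subtype, "protected": protected, "reason": None,
            "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if subtype in TEARDOWN and not protected and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


class TeardownFloodDetector:
    """Alerts once per BSSID that emits `threshold` unprotected teardown frames within `window` seconds."""

    def __init__(self, window=1.0, threshold=10):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)     # bssid -> (timestamp, was_broadcast) of recent teardowns
        self.alerted = set()

    def feed(self, ts, frame):
        info = parse_mgmt(frame)
        if info is None or info["subtype"] not in TEARDOWN:
            return None
        if info["protected"]:
            return None      # MFP-protected: the client authenticates it, so a forger cannot use this path
        q = self.recent[info["bssid"]]
        q.append((ts, info["da"] == BROADCAST))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and info["bssid"] not in self.alerted:
            self.alerted.add(info["bssid"])
            return {"bssid": info["bssid"], "count": len(q),
                    "broadcast": sum(1 for _, b in q if b), "reason": info["reason"]}
        return None


def run_demo():
    """Constructed capture: one beacon, one legitimate deauth (reason 3, station leaving),
    one MFP-protected deauth, then a 30-frame broadcast deauth burst spoofing the AP's BSSID
    with reason 7 (class 3 frame from a non-associated station), the usual containment signature."""
    frames = [(0.00, build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP)),
              (0.50, build_mgmt(SUBTYPE_DEAUTH, AP, CLIENT, AP, reason=3)),
              (0.60, build_mgmt(SUBTYPE_DEAUTH, CLIENT, AP, AP, protected=True))]
    frames += [(1.0 + i * 0.01, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7))
               for i in range(30)]
    det = TeardownFloodDetector(window=1.0, threshold=10)
    alerts = []
    for ts, frame in frames:
        alert = det.feed(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"teardown flood from {a['bssid']}: {a['count']} frames, "
              f"{a['broadcast']} to broadcast, reason {a['reason']}")
```

Broadcast destination and a repeated reason code are the features that separate a flood from ordinary roaming churn; a single deauth with reason 3 from a departing client is normal and must not trip the detector, which is why the window counts rather than matches on the first frame.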
Network Threat Defense - Strong RADIUS Authentication; Per-User Policies and Role-based Access Control; Application and Signature Firewall
Once users have connected to a wireless network, the network must be able to protect itself against threats from insiders and outsiders alike. Policy enforcement must be integrated tightly into strong authentication and role-based partitioning of services. Without it, the network is unprotected from wayward users, as well as from theft of credentials or inadvertent exposure by unauthorized applications or malware.
Meru defends the network with a powerful array of role-based and application-based protection, all driven by central policy enforcement. This helps to avoid the threat of blended attacks, blocking or rate-limiting unwanted types of traffic even when encrypted.
Authentication Services - RADIUS: The proliferation of 802.11 radios in devices that previously lacked Wi-Fi capability gives users multiple opportunities to connect to the enterprise network. Alongside laptops are tablets, smartphones, handhelds, and scanners. However, with each opportunity for a device to connect comes another opportunity for a device that does not belong on the network to join in the conversation. The solution is to enforce strong authentication policies for all clients.
Meru Networks makes the authentication process more powerful by offering a complete array of authentication methods. For 802.1X enabled WPA and WPA2 Enterprise networks, the Meru controller connects to a centralized RADIUS server and establishes strong cryptographic keys. Client verification can use certificates, passwords, or pass-through logins to secure keycard systems. Among the EAP types supported are:
- EAP-TLS, based on public key certificates for each client
- EAP-TTLS, allowing for tunneled authentication that provides greater protection for credentials and identities
- PEAPv0/MSCHAPv2, allowing Active Directory usernames and passwords to be used, simplifying installations on Microsoft-based networks
- PEAPv1/EAP-GTC, allowing arbitrary challenge-response authentication services over a secure tunnel
- EAP-SIM, for authentication with GSM SIM credentials
For networks where devices are not yet sophisticated enough to support 802.1X, preshared keys are supported. But preshared key networks have a number of problems. What happens when an employee leaves? Or if the preshared key is accidentally discovered? For these cases, the Meru captive portal can be used with encrypted networks and unencrypted networks alike, to ensure that only users that belong on the network gain access.
Per-User Policies and Role-based Access Control: Security practices require restricting a user's access to network resources to the minimum needed.
Not every user associated to a network has identical access requirements. Users may have anywhere from subtle to widely different limits in which network services they can access, based on the user's role as well as the network to which the user is attached.
The Meru Networks Per-User Firewall provides strong policy enforcement based on the appropriate policy set for each user, as determined by the corporate authentication infrastructure (RADIUS). Users accessing the network are able to be restricted based on the policies appropriate to their role.
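An added example (not Meru's Per-User Firewall and not code from this page) of what RADIUS-driven per-user policy amounts to: the role is read from the Filter-Id attribute of a constructed Access-Accept (a common convention, assumed here), each role maps to an ordered allow/deny list with an implicit deny at the end, and a user whose reply carries no recognised role is quarantined rather than handed a default role. The roles, addresses, ports and users are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed role policies (ordered; first match wins; implicit deny at the end).
# Each rule: (action, destination CIDR, protocol or "any", destination port or None for any)
ROLE_POLICIES = {
    "clinician": [
        ("allow", "10.20.5.0/24", "tcp", 443),     # EHR web front end
        ("allow", "10.20.5.10/32", "tcp", 2575),   # HL7 interface engine
        ("allow", "10.20.1.53/32", "udp", 53),     # internal DNS
    ],
    "guest": [
        ("deny", "10.0.0.0/8", "any", None),       # nothing internal; evaluated before the allows
        ("allow", "0.0.0.0/0", "tcp", 80),
        ("allow", "0.0.0.0/0", "tcp", 443),
        ("allow", "0.0.0.0/0", "udp", 53),
    ],
    "quarantine": [],                              # unknown or missing role: deny everything
}


def role_from_access_accept(attrs):
    """Map a RADIUS reply to a role. Filter-Id carries the role name (assumed convention);
    anything unrecognised lands in quarantine rather than in a permissive default role."""
    role = attrs.get("Filter-Id", "")
    return role if role in ROLE_POLICIES and role != "quarantine" else "quarantine"


def evaluate(role, dst_ip, proto, dst_port):
    """Return 'allow' or 'deny' for one flow under the user's role policy."""
    dst = ip_address(dst_ip)
    for action, cidr, rule_proto, rule_port in ROLE_POLICIES[role]:
        if dst in ip_network(cidr) and rule_proto in ("any", proto) and rule_port in (None, dst_port):
            return action
    return "deny"                                  # default deny: least privilege


def run_demo():
    # Constructed RADIUS Access-Accept attribute sets for three users
    users = {
        "dr_lee":  {"Filter-Id": "clinician", "Tunnel-Private-Group-ID": "20"},
        "visitor": {"Filter-Id": "guest", "Tunnel-Private-Group-ID": "99"},
        "intern":  {"Tunnel-Private-Group-ID": "20"},   # server returned no Filter-Id
    }
    # Constructed flows: (destination IP, protocol, destination port)
    flows = [("10.20.5.10", "tcp", 443), ("10.20.5.10", "tcp", 2575), ("10.20.5.10", "tcp", 22),
             ("93.184.216.34", "tcp", 443), ("10.20.1.53", "udp", 53)]
    return {user: [evaluate(role_from_access_accept(attrs), *flow) for flow in flows]
            for user, attrs in users.items()}


if __name__ == "__main__":
    for user, verdicts in run_demo().items():
        print(user, verdicts)
```

Note the ordering in the guest policy: the internal-range deny precedes the 0.0.0.0/0 allows, so a guest cannot reach an internal web server on port 443 even though port 443 is otherwise permitted. Reversing those two rules would silently open the intranet to guests, which is the kind of mistake a review of per-role rule order should catch.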
Signature-based Firewalls - Stop Unwanted Peer-to-Peer Traffic: Stateful firewalls are able to track applications, providing per-user policies to allow, deny, throttle, or apply quality of service to each application. The Meru Networks firewall uses deep packet inspection to classify applications, and apply the appropriate policies. It is integrated with the advanced wireless quality-of-service features of Meru access points to protect voice calls and provide the necessary quality, especially when mixed with intensive video and data traffic.
The rise of encrypted peer-to-peer applications such as Skype, however, means that a stateful firewall is no longer enough. Meru Networks offers a signature-based firewall that can go further than deep packet inspection by detecting and applying policies based on behavior. These policies can be enforced across all kinds of applications, applying even to encrypted traffic.
The signature-based firewall is particularly useful to enterprises that face strict regulatory compliance requirements, such as external communication monitoring and recording. Such rules can block unauthorized peer-to-peer voice calls while enabling and prioritizing SIP-based calls to authorized voice services.
Organizations that have strict end-to-end VPN requirements can also use the signature-based firewall to provide wireless quality of service directly to encrypted voice traffic.
In all cases, signature-based rules act as first-class citizens within the Meru firewall, able to enforce the same policies with the same priority as rules using direct-match and deep-inspection.
Remote Threat Defense - Telecommuter AP
The greatest benefit of wireless access is mobility, but this can become its greatest risk once users stray beyond the enterprise boundaries. Away from the secure enterprise network, staff may be forced to connect through unknown hotel connections or insecure home access points. Even if an employee's home network is thought to be secure, configuring clients to connect through multiple SSIDs consumes support time and increases the chance of accidental connections to an insecure network. Software VPNs are one solution, but they also increase the support burden while doing nothing for Wi-Fi phones and other devices.
Meru Networks eliminates the need for remote staff to use consumer-grade access points with inadequate security or insecure hotel Wi-Fi links. Its Telecommuter AP acts just like an extension of the enterprise LAN, offering remote users all the same services and resources available within the office while allowing security managers to configure and enforce enterprise wide security policies centrally. Instead of a disconnected island, the remote user is truly part of the enterprise network.
Secure Telecommuter AP - Protect Remote Users : Enterprises must invest time and effort into securing the corporate network. From network-based authentication and firewalling to wireless threat detection, Meru Networks installations are protected against attacks launched from within or around the campus. However, once users leave for the day or for a business trip, they leave the confines of the protected network and enter the wild. There, they and their laptops or other devices may be exposed to an onslaught of attacks.
Remote users must be connected to be productive. Unfortunately, that connectivity often comes from public wireless networks at coffee houses, airports, hotels, and convention centers. These networks do not, and cannot, require secure, per-user encryption for most tasks, thus allowing multiple opportunities for interception of traffic and insertion of malware.
The same applies to users' home networks, which are often left open or reliant on outdated security technologies. The prevalence of valid and invalid public networks – such as the infamous "Free Public WiFi" – puts the security of remote wireless clients at great risk.
The Meru Networks Secure Telecommuter Access Point removes that avenue of exposure. The Secure Telecommuter AP provides remote users with the same level of security and protection that exists in the corporate network. Enterprise-mandated security policies are enforced identically, regardless of whether the user is remote or on the corporate campus. Additional security measures, such as more thorough posture checking appropriate to off-site devices, may also be applied to remote users. Traffic from the Secure Telecommuter AP is sent via an encrypted tunnel directly to the enterprise, removing risks of exposure even on remote wired networks.
By extending the enterprise wireless network directly to the remote user, security officers are able to leverage wireless network lockdown procedures on laptops and other remote clients. Remote users are prevented from accidentally connecting to insecure networks that could expose sensitive data or give attackers a route to the user's machine. And unlike laptop-based VPNs, the Telecommuter AP extends protection to Wi-Fi enabled phones and other devices.

