HP ProCurve Networking

ProActive Defense with Mauricio Sanchez

 


Wireless security brings challenges, opportunities

Securing your network while maintaining appropriate access is tough, and adding mobility to the mix amplifies the challenges. If balancing security and access in a wired network is like walking a tightrope, then extending to a wireless environment is like walking on a flimsier tightrope, strung much higher off the ground, with a brisk wind pummeling you – you get the picture.

As I see it, the top issues unique to mobile security are the following:

  • Rogue access points: Unauthorized extension of the network because people bring in unauthorized access points.
  • Access control and data security: The ability to control who gets onto the network – and for those users who are legitimate, to ensure that their data is secure.
  • Wireless threat management: The ability to deal with attackers actively attempting Denial of Service (DoS) attacks on the network.
  • Unhealthy mobile clients: Laptops with viruses, spyware and malware coming onto the network.

In the past, networking vendors approached wired and wireless networks, and their security, as if they were separate, distinct beasts.  But from the beginning, ProCurve Networking by HP has taken a holistic approach to the network infrastructure – an approach that continues to reap benefits.

Unified wired and wireless networking
Because our ProActive Defense security solutions arise from ProCurve’s holistic, Adaptive EDGE Architecture (AEA) foundation, they are able to deal with the issues of security comprehensively and uniformly – regardless of whether it’s a wired or wireless network.

This means that network administrators do not have to deal with two separate sets of security capabilities and policies, one for wired and one for wireless.  Instead, they can focus on achieving that delicate balance between good security and good access for users.

Extra challenges of mobile security
Having said that, it’s still true that mobile security presents some special challenges, as outlined above.  ProCurve ProActive Defense has answers to each of these challenges:

Rogue access points:
Unified, cohesive management across wired and wireless networks makes a real difference here – as does the foundation of ProActive Defense, a trusted network infrastructure.  The trusted network infrastructure secures the network, both wired and wireless, from unauthorized extension or attacks.

ProActive Defense’s trusted network infrastructure protects network components and prevents unauthorized overriding of security provisions.  Specifically, this includes making sure that people don’t extend the network through the addition of unauthorized access points.

ProCurve products that help establish a trusted network infrastructure include ProCurve Manager Plus 2.2 (ProCurve Manager Plus 2.3 will be available January 1, 2008) and the new ProCurve Mobility Manager 2.0 plug-in.  ProCurve Mobility Manager 2.0 provides an integrated, single-screen dashboard for managing wireless networks at the device level or network-wide.  It could certainly alert you to anyone trying to set up an unapproved access point.

In addition, the ProCurve Wireless Edge Services zl Module works with the ProCurve Switch 5400zl edge and Switch 8212zl core switches, and in conjunction with ProCurve radio ports, to provide centralized wireless LAN (WLAN) configuration and management of advanced wireless services.  The ProCurve Wireless Edge Services zl Module includes rogue AP detection capability to provide a system-wide view of all access points detected in the wireless LAN coverage area.

Access control and data security:
Access control is the second of the three main aspects of the ProActive Defense strategy (along with trusted network infrastructure and network immunity).  ProActive Defense proactively prevents security breaches by controlling which users and devices have access to network resources, and how they connect in a wired and wireless network.  And if you control who has access to your network and its resources, you go a long way toward ensuring the security of your valuable data.

Another plug-in to ProCurve Manager Plus, ProCurve Identity Driven Manager (IDM) 2.2, dynamically configures security and performance settings based on user, device, location, time and client system state.  Using IDM, you can centrally define and apply policy-based network access rights that enable the network to automatically adapt to the needs of users and devices as they connect – wherever and whenever that might be.  Clearly, IDM is a powerful tool for managing access control in a network with a few or many mobile users.

Access control capabilities also are built into many ProCurve switches and are provided by the new ProCurve Network Access Controller 800.

Wireless threat management:
The third aspect of ProActive Defense – network immunity – monitors behavior and applies security information intelligence to assure uninterrupted network service.  Network immunity is crucial for repelling potential DoS attacks on your wireless network.

ProCurve Network Immunity Manager, a plug-in for ProCurve Manager Plus, detects and automatically responds to threats, such as virus attacks, inside the network.  It also performs Network Behavior Anomaly Detection (NBAD) to detect attacks.  You can use Network Immunity Manager to monitor devices across the network for internal network attacks, and you can set security policies for both detection and response.

Also important for network immunity are the security and traffic-monitoring features, such as sFlow, Virus Throttle and remote mirroring technologies, built into many ProCurve products, including the ProCurve 5400zl and 8212zl switches as well as the ProCurve Wireless Edge Services Module zl.

Unhealthy mobile clients:
Laptops and other mobile devices represent an enormous security challenge for network administrators, simply because admins have no way to know where the laptops go when they’re not connected to their networks.  Your laptop users can unknowingly pick up viruses and other malware when outside of your control, potentially infecting your network when they plug back in.

Preventing this situation requires a combination of access control and network immunity:  taking pains to ensure that all devices connecting to your network are “clean” and approved, while also establishing defensive measures to deal with any viruses or worms that might slip in unnoticed.

The ProCurve Network Access Controller 800 is particularly useful in ensuring that only “healthy” mobile devices are allowed access to the network.  It combines a RADIUS-based authentication server with the ability to validate the integrity of the systems connecting to the network.  And because the Network Access Controller 800 is managed by the ProCurve Manager network management platform, it further enhances the unified device and security management across your wired and wireless networks.

A philosophy, not a product
While specific products and features must be part of your mobile security strategy, it’s important to remember that network security is more than a product or set of products.  Security must be woven into your entire network infrastructure, from the ground up.

I believe strongly that ProActive Defense is the most comprehensive and effective approach to network security overall, and in particular to the special challenges presented by mobile security.  Mobility is not just a fact of life, it’s increasingly prevalent in today’s more on-the-go world.

Network security presents a constantly moving target.  And like any good security policy or practice, ProActive Defense – and the ProCurve AEA infrastructure on which it is based – is designed to adapt to whatever changes you face in the future, whether they happen in your wired or wireless environments, or both.



Mauricio Sanchez, MSEE, CISSP, is the Chief Network Security Architect for ProCurve Networking by HP. He is responsible for specifying ProCurve’s ProActive Defense security technology strategy across all product lines.

© 2008 Hewlett-Packard Development Company, L.P.