
www.brocade.com

WHITE PAPER

ENTERPRISE

Enterprise WLAN Security
Challenges and Solutions

Brocade Mobility products feature an end-to-end architecture that integrates key security and
wireless solutions to deliver standards-based, industry-leading wireless network protection.

The Brocade Mobility product family combines Wireless LAN (WLAN) access point and
controller-based security services with wireless intrusion prevention to offer a unified
suite of security capabilities, which not only deliver a more robust threat defense but also
lower the total cost of implementing and maintaining a secure wireless network.
What are the greatest threats to WLANs today? There is no one answer to that question,
since hackers take a multi-layered approach to infiltrating wireless networks. To that end,
protecting the wireless network requires a multi-faceted approach as well. This paper
describes the range of security capabilities supported by the Brocade Mobility product
family for a multi-layered approach to protecting the wireless LAN: protecting and
monitoring the network from both the outside and the inside, and managing it at the center.

WLANs Drive New Security Paradigm


Wireless networking completely changes the network security paradigm. Radio waves
cannot be stopped by walls and doors. As soon as you connect a wireless access point to
an organization's intranet, any traffic sent wirelessly is visible in the parking lot outside the
building. This introduces several vulnerabilities that do not exist in the wired world.
In addition, the pervasive nature of wireless LANs makes it easy for hackers to spoof wireless
networks in order to trick users into believing that they are connecting to and transmitting
data on a secure network. Because wireless LAN signals can propagate through walls,
these wireless phishing attacks can be launched from beyond the secure premises of an
organization, increasing the challenges of detection and prevention.
The most common WLAN security problem is rogue wireless access. An employee or
contractor might bring in an unauthorized access point and connect it to the intranet without
enabling security. Similarly, authorized wireless access points might have weak security that
can allow similar behind-the-firewall access to sensitive internal networks.
Wireless also aggravates the insider threat. Users can connect their laptops to external
wireless networks and bypass Internet filters and enterprise proxies even when they are still
within the perimeter. An emerging type of WLAN security challenge is wireless phishing, in
which a malicious user sets up a fake WLAN with a commonly used identifier to trick clients
into connecting to it.
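As an added illustration of the rogue-access and wireless-phishing cases just described (example code written for this page, not Brocade's or AirDefense's), the following Python triage compares beacons seen by a sensor against an authorized-AP inventory; the inventory, BSSIDs, SSIDs and sightings are all constructed.

```python
"""Rogue-AP and wireless-phishing (evil twin) triage over beacon observations.

Added example, not Brocade or AirDefense code. It assumes a sensor feed of
observed beacons (SSID, BSSID, channel, security) and an authorized-AP
inventory; both are constructed here so the script runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "open", "wep", "wpa", or "wpa2"


# Constructed inventory: BSSID -> (expected SSID, minimum security per policy)
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("CorpNet", "wpa2"),
    "00:11:22:aa:bb:02": ("CorpNet", "wpa2"),
    "00:11:22:aa:bb:03": ("CorpGuest", "open"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
STRENGTH = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


def classify(beacon: Beacon) -> str:
    """Map one observed beacon to a verdict a WIPS operator would act on."""
    known = AUTHORIZED.get(beacon.bssid.lower())
    if known:
        expected_ssid, min_sec = known
        if beacon.ssid != expected_ssid:
            return "misconfigured: authorized AP advertising unexpected SSID"
        if STRENGTH.get(beacon.security, -1) < STRENGTH[min_sec]:
            return "weak-security: authorized AP below encryption policy"
        return "authorized"
    if beacon.ssid in CORP_SSIDS:
        # Corporate SSID from a BSSID we do not own: the wireless-phishing case
        return "evil-twin: corporate SSID from unknown BSSID"
    return "unauthorized: unknown AP in range (possible rogue on the wire)"


def triage(beacons) -> dict:
    """Group observed BSSIDs by verdict, collapsing repeated sightings."""
    report: dict = {}
    for b in beacons:
        report.setdefault(classify(b), set()).add(b.bssid.lower())
    return {verdict: sorted(macs) for verdict, macs in report.items()}


# Constructed sensor observations (not a real capture)
OBSERVED = [
    Beacon("CorpNet", "00:11:22:AA:BB:01", 6, "wpa2"),
    Beacon("CorpNet", "00:11:22:aa:bb:01", 6, "wpa2"),        # same AP seen again
    Beacon("CorpNet", "00:11:22:aa:bb:02", 36, "wpa"),        # AP drifted below policy
    Beacon("CorpNet", "de:ad:be:ef:00:01", 11, "open"),       # evil twin in the lot
    Beacon("Printer-Setup", "c0:ff:ee:00:00:07", 1, "open"),  # contractor's own AP
    Beacon("CorpGuest", "00:11:22:aa:bb:03", 1, "open"),
]

if __name__ == "__main__":
    for verdict, macs in triage(OBSERVED).items():
        print(f"{verdict}: {', '.join(macs)}")
```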

Finally, 802.11 networks operate in the unlicensed frequencies of 2.4 GHz and 5 GHz. Unlike
cellular frequencies, which require licenses, these unlicensed frequencies are open for use
by anyone. While the FCC mandates certain rules of engagement, which prohibit aggressive
or malicious use, the difficulty in enforcing such rules means that most unlawful use of the
frequency goes unpunished.
In response to the pervasive security threats faced by enterprise WLANs, Brocade Mobility
features a range of capabilities addressing multi-tiered data protection for enterprise
WLANs. Brocade Mobility WLAN controllers and Access Points (APs) include a range of
WLAN security mechanisms to meet (and exceed) the needs of expanding wireless networks
and provide administrators with additional options as their data protection needs expand.
Compared with other leading wireless network equipment providers, Brocade offers the
strongest and most efficient wireless security portfolio on the market. Brocade integrates
key security features directly into controllers and APs to provide superior access control and
network defense.

Comprehensive Wireless AP Security Offering


Because threats really exist at the edge of the wireless network, Brocade Mobility products
support the strongest and most comprehensive wireless edge security offering. In fact, every
AP includes on-board Authentication, Authorization, and Accounting (AAA), stateful firewall,
and Virtual Private Network (VPN), which secures traffic without gaps. Combined with the
AirDefense Enterprise Appliances for Brocade Mobility solutions described below, it is
the most secure wireless edge defense available. The entire security architecture can be
managed from a single console and offers regulatory compliance with the highest levels of
security validation in the wireless industry, from Federal Information Processing Standards
(FIPS) to Common Criteria Level 4.
For authentication and encryption, Brocade also has the industry-leading offerings on the
market, with four-factor access control in the AP, which allows companies to control access
based on the user's ID or role in the company, policy compliance via Network Access Control
(NAC), and geofencing, which is a means to control access by a user's location using the
system's Real-Time Locating System (RTLS) application.
All of the Brocade Mobility access points support the highest available levels of encryption,
including IEEE 802.11i (WPA and WPA2) and 3DES IPSec encryption. On Brocade Mobility
dual-radio APs (Brocade Mobility 5181, which supports 802.11 a/b/g, and Brocade Mobility
7131, which supports 802.11 a/b/g/n), one radio can be dedicated to network access and
the other can act as a sensor that monitors the airwaves for rogue devices 24 hours a day.
Brocade Mobility AP-based AAA features include:
• Internal and external Remote Authentication Dial-In User Service (RADIUS) capabilities
  that support Extensible Authentication Protocol (EAP), providing an extra layer of security
  beyond Wi-Fi Protected Access 2 (WPA2) with strong, encrypted mutual authentication to
  thwart man-in-the-middle attacks.
• RADIUS accounting keeps a log of not only which users are authenticated by the network
  but which access point authenticated them, whether they roamed from one AP to another,
  and how long they remained connected to the network.
• Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) integration provides
  authentication against a common user database so as to ensure that those people who
  gain secure access to the network are really authorized to be there.
• Other capabilities specify not only who is authorized to use the WLAN, but when and how
  and on which access point each individual user is allowed to be there, assigning specific
  permission guidelines based on individual identity.
• Sophisticated role-based firewall features dynamically apply admission rules to employees
  and guests based on the Extended Service Set ID and which AP they are using,

The Wireless Intrusion Prevention System (WIPS) is the eyes and ears of the Radio Frequency
(RF) network. AirDefense WIPS can detect more than 200 current and lethal attacks and
threats in real time. Furthermore, the AirDefense 24x7 WIPS can reside alongside a WLAN
radio on a single AP. The ability to transport packets and detect intruders on the same AP is
extremely cost-effective and extremely secure. WIPS sensors are solely dedicated to detecting
and preventing intruders. Note that many other WLAN systems on the market use a far
less effective approach called time-slicing, in which the radio on an access point spends
some time broadcasting network traffic and some time scanning the network for intruders.
Unfortunately, these time-slicing solutions end up spending only about 4 minutes per day
scanning for intruders. In addition, the AirDefense WIPS is not band-locked, meaning that it
can monitor both the 2.4 and 5 GHz bands simultaneously. This is important for any network
that utilizes both the 802.11b/g and 802.11a standards.

WLAN Controller-based Secure Resource Authorization


Using Network Access Control (NAC), Brocade Mobility controllers grant access to specific
network resources. NAC performs a user and wireless device authorization check for
resources without a NAC agent. NAC verifies a wireless device's compliance with the
controller's security policy. The Brocade Mobility family supports the EAP/802.1x type of NAC.
In addition, the switches also provide a means to bypass NAC authentication for wireless
devices without NAC 802.1x support (for example, printers, phones, and PDAs). NAC protects
resources and data on your wireless infrastructure by:
• Blocking or quarantining non-compliant devices from connecting to a WLAN
• Providing 802.1x-based pre-admission control to block devices at the authentication stage
• Working with any NAC solution conducting 802.1x and dynamic VLAN assignment
• Providing qualified interoperability with Microsoft NAP and Symantec NAC solutions
Historically, some enterprises have avoided ubiquitous Wi-Fi deployments, mainly because
network administrators had concerns about network security, performance, and reliability.
They deployed Wi-Fi grudgingly and cautiously, and usually as an overlay. Traditionally, these
concerns were valid. Ten years ago, wireless LAN encryption standards were weak, data rates
were slow, and wireless APs and routers were relatively difficult to manage and maintain.
Today, however, technological advances have rendered those problems obsolete. In fact,
today's wireless LANs can be as secure, reliable, and as fast as wired networks.

Brocade Mobility Controller-based Wireless Firewall


Brocade Mobility RFS6000 and RFS7000 controllers implement a next-generation firewall,
which provides a clean separation between wireless and wired networks as well as
fine-grained security within a wireless network. By leveraging Brocade's vast knowledge as
an industry leader in the development and deployment of enterprise-grade wireless and
wired networks, Brocade provides a wireless firewall that offers the highest level of wireless
security available. Wireless-specific attributes are taken into account, including encryption,
authentication, and location, and every wireless packet is inspected before it enters the
wired network.
The Brocade Mobility controller-based wireless firewall provides unparalleled traffic inspection
at every network security layer, ensuring, for example, that sensitive information is
safeguarded at all times. Brocade's wireless networking infrastructure is not only secure,
it is easy to deploy and manage, which is especially critical for enterprises with large,
distributed deployments and limited, centralized networking IT staff. Brocade Mobility
products include a comprehensive suite of integrated tools that enable IT departments to
quickly plan, deploy, manage, and secure large distributed wireless network infrastructures.

Figure 1. A Brocade Mobility wireless firewall provides a complete solution for user,
data, and network protection. (Diagram: a wireless controller at Corporate HQ, Branch 1
and Branch 2 connected over the corporate WAN, and the WWW.)

Wireless Firewall Features and Benefits


The Brocade Mobility wireless firewall offers enterprises a reliable, secure wireless network
that protects the enterprise against threats and ensures compliance with regulatory and
industry standards. Additional benefits include:
• Protection against the greatest set of wireless threats. Some Layer 2 attacks, such as
  DHCP spoofing or ARP cache poisoning, cannot be detected by current WLAN firewalls
  that operate at Layer 3. The Brocade Mobility wireless firewall can seamlessly detect and
  prevent such Layer 2 wireless threats.
• Location-, user identity-, and role-based policy enforcement. Enterprises often need
  to implement access and security policies that take into account a user's identity, role,
  and location. The Brocade Mobility wireless firewall integrates with leading enterprise
  authentication systems (including LDAP and Active Directory) and can leverage a built-in
  RTLS engine to enforce user identity-, role-, and location-based security policies.
• Ease of deployment. The Brocade Mobility wireless firewall provides centralized policy
  configuration with distributed policy enforcement at the point of business activity. It does
  not require any redesign of existing network topology and offers complete protection by
  inspecting bridged and routed traffic.
• Gap-free security. The Brocade Mobility wireless firewall shares state with one or more
  switches within the enterprise, maintaining stateful firewall protection as users roam
  across the campus. At the same time, the firewall stops intruders right at the periphery of
  the network, acting as a barrier for malicious wireless threats. When combined with the
  Brocade AirDefense Wireless IPS and Spectrum Analyzer, the wireless firewall offers the
  most comprehensive wireless security on the market.
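To make the Layer 2 threats in the first benefit concrete (example code added for this page, not the Brocade firewall's implementation), the following Python inspector applies the DHCP-snooping and dynamic-ARP-inspection checks a wireless firewall would run on client traffic before it reaches the wired side; the trusted server, gateway, client and attacker MACs and every frame are constructed.

```python
"""Layer 2 inspection of wireless client traffic: rogue DHCP and ARP poisoning.

Added example, not the Brocade firewall's code. It mirrors the DHCP-snooping and
dynamic-ARP-inspection approach: learn IP-to-MAC bindings from DHCP ACKs sent by
trusted servers, then drop ARP packets whose sender binding contradicts them.
The frame records below are constructed dicts, not captured traffic.
"""


class L2Inspector:
    def __init__(self, trusted_dhcp_macs, static_bindings):
        self.trusted_dhcp = {m.lower() for m in trusted_dhcp_macs}
        # ip -> mac: static entries (e.g. the gateway) plus bindings learned from DHCP
        self.bindings = {ip: mac.lower() for ip, mac in static_bindings.items()}
        self.alerts = []

    def inspect(self, frame):
        """Return 'permit' or 'drop:<reason>' for one frame; record every drop."""
        handler = {"dhcp": self._dhcp, "arp": self._arp}.get(frame["proto"])
        verdict = handler(frame) if handler else "permit"
        if verdict != "permit":
            self.alerts.append((frame["src_mac"].lower(), verdict))
        return verdict

    def _dhcp(self, f):
        if f["op"] in ("OFFER", "ACK"):
            # Server-to-client messages may only originate from trusted servers
            if f["src_mac"].lower() not in self.trusted_dhcp:
                return "drop:rogue-dhcp-server"
            if f["op"] == "ACK":
                self.bindings[f["yiaddr"]] = f["chaddr"].lower()
        return "permit"

    def _arp(self, f):
        sender_ip, sender_mac = f["sender_ip"], f["sender_mac"].lower()
        if sender_mac != f["src_mac"].lower():
            return "drop:arp-sender-mac-mismatch"  # ARP body disagrees with frame header
        bound = self.bindings.get(sender_ip)
        if bound is None:
            return "drop:arp-unbound-sender"  # no DHCP lease or static entry for this IP
        if bound != sender_mac:
            return "drop:arp-poisoning"  # another station claims an IP bound elsewhere
        return "permit"


# Constructed traffic: a trusted lease, a rogue DHCP server, then ARP from both stations
SERVER, GATEWAY = "00:11:22:dd:00:01", "00:11:22:01:00:01"
CLIENT, ATTACKER = "aa:bb:cc:00:00:50", "de:ad:be:ef:00:02"
FRAMES = [
    {"proto": "dhcp", "op": "OFFER", "src_mac": SERVER},
    {"proto": "dhcp", "op": "ACK", "src_mac": SERVER, "yiaddr": "10.0.0.50", "chaddr": CLIENT},
    {"proto": "dhcp", "op": "OFFER", "src_mac": ATTACKER},
    {"proto": "arp", "src_mac": CLIENT, "sender_ip": "10.0.0.50", "sender_mac": CLIENT},
    {"proto": "arp", "src_mac": ATTACKER, "sender_ip": "10.0.0.1", "sender_mac": ATTACKER},
    {"proto": "arp", "src_mac": ATTACKER, "sender_ip": "10.0.0.99", "sender_mac": ATTACKER},
]


def run_demo():
    insp = L2Inspector(trusted_dhcp_macs={SERVER}, static_bindings={"10.0.0.1": GATEWAY})
    return [insp.inspect(fr) for fr in FRAMES], insp.alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    print(verdicts)
    print(alerts)
```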

Rogue Device Detection


Wireless deployments afford network administrators freedom from the constraints of wired
environments. However, mobile devices may lack the data protection mechanisms of a
wired infrastructure. Consequently, an open door could be created for unauthorized (rogue)
devices to violate the poorly enforced laws of an immature security scheme, thus rendering
investments in wired security useless.
Brocade's holistic approach to monitoring ensures WLAN policies are enforced and rogue
devices are promptly detected and removed. The following describes two of Brocade's
enterprise-class solutions designed to equip today's wireless traffic cops with the tools
they need to catch wireless rogue offenders and keep them from violating the privacy of your
wireless domain.

By converting the physical dimensions of a network segment into a representative site map,
AirDefense for Brocade Mobility Wireless Intrusion Protection Software (WIPS) can accurately
track the deployment and operation of authorized devices and use their location to
triangulate the location of potentially hostile devices.

AirDefense for Brocade Mobility Intrusion Protection


AirDefense is an industry-leading WIPS monitoring solution that enables network
administrators to proactively close network security holes and mitigate the risk of security
breaches. AirDefense WIPS uses distributed sensors and pre-positioned device radios to
detect the presence of 802.11 a/b/g/n rogue devices.

Figure 2. AirDefense WIPS provides comprehensive rogue threat mitigation. (Diagram: a WIPS
appliance, switch, sensor, APs, a neighboring AP and a laptop, with callouts "Terminated:
accidental association", "ACL enforced: rogue station" and "Port suppressed: rogue AP".)

AirDefense WIPS Data Protection Mechanisms

• Air Lockdown. Enables network administrators to terminate a connection between a WLAN
  and an associated access point or wireless client upon the detection of a threat. If the
  connected device is an access point, the AirDefense WIPS appliance de-authenticates and
  disassociates all clients associated with it. If the device is a wireless client, the server
  terminates the client connections to the access point.
• Wireless Termination. Allows an administrator to terminate a connection between a WLAN
  and any access point or wireless client associated with it.
• Wired Equivalent Privacy (WEP) Cloaking. Enables a Brocade Mobility 300/5181/7131
  access point to actively transmit WEP cloaking frames for protecting legacy devices.
• Brocade Mobility 5181/7131 Sensor Conversion. Allows a customer to deploy a single
  Brocade Mobility 5181/7131 dual-radio model access point as both a traditional
  infrastructure access point and a WIPS sensor. Sensor conversion on a Brocade Mobility
  5181/7131 provides infrastructure support on one radio while scanning on the other radio
  and using the frames received by the sensor to feed the WIPS algorithms.


AirDefense WIPS sensors continuously monitor WLAN activity and report network events
to the centralized AirDefense appliance server. The AirDefense WIPS management server
correlates and analyzes the data to provide real-time rogue detection, policy enforcement,
and intrusion protection. If an unauthorized device is detected, AirDefense WIPS has the
means of interrogating the rogue to obtain valuable data that aids forensics, reporting and
recording the event.
AirDefense WIPS converts the physical dimensions of a network segment into a representative
site map to accurately track the deployment and operation of authorized devices and use
their location to triangulate the location of potentially hostile devices.

Meeting and Exceeding the FIPS Criteria


The US Department of Defense (DoD) requires commercial WLAN systems to incorporate
extensive measures to protect the voice and data traffic carried over a wireless network.
In standardizing their WLAN security requirements, the DoD defined Federal Information
Processing Standards (FIPS) 140-2 and Common Criteria, including WLAN Access System
Protection Profile requirements.
Like most typical DoD WLAN deployments (and their inherent data protection challenges),
healthcare, financial, and general enterprise businesses are under increasing
pressure to ensure information is secure across their wireless networks. The majority of these
institutions are implementing the same standards mandated by the US government. For this
reason, FIPS certification has become central to demonstrating a WLAN security deployment
accepted by IT professionals for its maturity.
During FIPS 140-2 and Common Criteria certification, a wireless solution must pass a series
of comprehensive security tests, including a vulnerability and penetration analysis. The
wireless solution's design and its source code are scrutinized by experts to ensure
compliance with advanced cryptographic standards. The enterprise-class Brocade Mobility
RFS7000 and Brocade Mobility RFS6000 controllers have satisfied FIPS requirements and
have been placed on the FIPS 140-2 validation list.

Figure 3. Brocade Mobility products provide central security policy management and control
with multiple points of enforcement (diagram: Data Center 1 and Data Center 2 linked over a
WAN to Branch Office 1 and Branch Office 2, with a mesh and a rogue AP at a branch):
1. Integrated wireless (Layer 2) firewall on WLAN switch: stateful inspection of WAN traffic
2. Integrated firewall on adaptive AP: Layer 2 stateful inspection of local traffic
3. Adaptive AP simultaneously WIPS sensor for 24x7 monitoring
4. Secure integrated VPN tunnel between WLAN switch and APs

Brocade Mobility RFS7000 and RFS6000 also fully satisfy the Common Criteria evaluation
at Evaluation Assurance Level 4 (EAL4). This represents the highest compliance level with
the US government's WLAN Authorization Server Protection Profile for Basic Robustness
Environments. This ensures that Brocade's enterprise-class switch solutions are properly
certified to meet and exceed the FIPS requirement.

Summary
Wireless networking is changing the way IT approaches network security. The physical
characteristics of wireless and the experience of mobility mean information moves more
freely, with little regard to physical boundaries. The optimum security approach for wireless
is a layered end-to-end approach consisting of encryption, authentication, network access
control, and wireless intrusion protection supported across enterprise wireless access point
and controller infrastructure.
In response to the pervasive security threats faced by enterprise WLANs, Brocade Mobility
features a range of capabilities addressing multi-tiered data protection for enterprise WLANs.
The Brocade Mobility family supports the strongest and most comprehensive wireless edge
security offering, including encryption, firewall support, and authentication.
Brocade Mobility controllers implement a next-generation wireless firewall which supports
fine-grained security within an enterprise-level wireless network, including location-, user
identity-, and role-based policy enforcement.
AirDefense for Brocade Mobility provides industry-leading intrusion protection capabilities
for small to very large enterprises.
Brocade Mobility products meet and exceed the US Department of Defense FIPS 140-2
security criteria.
For more information about Brocade products, services, and solutions, visit
www.brocade.com.


Corporate Headquarters
San Jose, CA USA
T: +1-408-333-8000
info@brocade.com

www.brocade.com

European Headquarters
Geneva, Switzerland
T: +41-22-799-56-40
emea-info@brocade.com

Asia Pacific Headquarters
Singapore
T: +65-6538-4700
apac-info@brocade.com

2009 Brocade Communications Systems, Inc. All Rights Reserved. 01/10 GA-WP-1440-00
Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron,
SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and
SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify,
products or services of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied,
concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the
right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This
informational document describes features that may not be currently available. Contact a Brocade sales office for
information on feature and product availability. Export of technical data contained in this document may require an
export license from the United States government.
