TABLE OF CONTENTS
- Zero Trust Features
- Zero Trust Advantages
- How Does AIRSHIELD Provide Zero Trust?
- Real World Examples
The idea of Zero Trust has been discussed in the information security industry for around a decade, and its core concepts have recently begun to appear in more and more products. At its core it can be summarized as:
Zero trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. No single specific technology is associated with zero trust; it is a holistic approach to network security that incorporates several different principles and technologies.
LOCH, as a way to bridge the cyber-physical gap, brings Zero Trust together with our comprehensive AirShield solution to create Zero Trust Wireless Monitoring.
Zero Trust Features
Trust Levels provide definition and risk level of known networks
Every client network connection is monitored in real-time relative to Trust Levels
Clients are assigned to Client Groups upon initial connection to the network
Unknown clients are automatically classified and assigned to Client Groups based on their risk to the environment
Zero Trust Advantages
Alert when a client connects to a disallowed network (i.e. Trusted client connects to a non-trusted or Rogue Network)
Escalate events based on Risk multipliers defined by your organization
De-emphasize or even suppress events that are not relevant (i.e. Guests connecting to WiFi hotspots)
Report on clients that have connected to specific networks (i.e. show all clients that have ever connected to the Trusted Network)
Terminate violating client connections to trusted Access Points, if available.
How Does AirShield Provide Zero Trust?
A core tenet of Zero Trust is admitting only those who have presented valid credentials at the access gate. That gatekeeping only works at a defined network boundary: the Wi-Fi access point, the switch port, the VPN gateway, the cloud service, and so on. Wireless networks are harder to protect because client stations generally have to trust whichever access provider they associate with, which makes the access-gate model alone difficult to apply over the air.
LOCH’s AirShield listens to the nearby radio environment and provides a foundational level of Zero Trust Monitoring through the application of Trust Policies and Client Groups.
Trust Policies and Client Groups
WiFi is everywhere now: at the office, at home, at the library, on the airplane, in the lobby of your physician's office. When deployed in a location, AirShield continuously monitors the radio spectrum. New systems are interrogated and observed for risks and threats, and the behavior between stations and access points is observed and comprehended.
As these activities are observed, levels of trust are established and tracked. When a station deviates from its normal interaction, its risk score is raised and an event is generated notifying administrators of the change.
Stations with high risk scores can be identified and action taken to prevent the behavior from recurring.
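The Trust Policy model above (Trust Levels on networks, Client Groups on stations, risk multipliers, suppression, the once-per-hour violation event, and the "which clients ever joined this network" report from the Zero Trust Advantages list) can be written down as a small evaluation engine. The following is an added example, not AirShield code: the group names, multipliers, the rule that a first-seen client is grouped by the network it first joins, and every association below are constructed assumptions.

```python
"""Trust-policy evaluation over observed client associations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Trust Levels assigned to known networks (ESSID -> level). Constructed data;
# any ESSID not listed is treated as "unknown".
TRUST_LEVELS = {
    "CorpSecure": "trusted",
    "CorpGuest": "guest",
    "xfinitywifi": "untrusted",
    "CorpSecure-5G": "rogue",      # evil twin observed by the sensor
}

# Base severity of joining a network of a given level; scaled by the group's
# risk multiplier so the organisation can escalate (IoT) or de-emphasise (guest).
BASE_SEVERITY = {"rogue": 50, "untrusted": 30, "unknown": 20, "guest": 10, "trusted": 0}


@dataclass
class ClientGroup:
    name: str
    allowed: Set[str]        # trust levels this group may connect to
    risk_multiplier: float
    suppress: bool = False   # record the violation but raise no alert


# Assumed groups; an operator would define these per organisation.
GROUPS: Dict[str, ClientGroup] = {
    "corporate": ClientGroup("corporate", {"trusted"}, 2.0),
    "iot": ClientGroup("iot", {"trusted"}, 3.0),
    "guest": ClientGroup("guest", {"guest", "untrusted", "unknown"}, 0.5, suppress=True),
    "unclassified": ClientGroup("unclassified", {"guest", "untrusted", "unknown"}, 1.0),
}


@dataclass(frozen=True)
class Association:
    ts: int        # epoch seconds when the sensor saw the client join
    client: str    # client MAC
    essid: str


@dataclass(frozen=True)
class Violation:
    ts: int
    client: str
    group: str
    essid: str
    level: str
    score: float
    alert: bool    # False when the group is de-emphasised


class TrustMonitor:
    def __init__(self, dedupe_window: int = 3600) -> None:
        self.dedupe_window = dedupe_window               # one violation per client/network per hour
        self.client_group: Dict[str, str] = {}
        self.history: Dict[str, Set[str]] = defaultdict(set)
        self.last_reported: Dict[Tuple[str, str], int] = {}
        self.violations: List[Violation] = []

    def assign(self, client: str, group: str) -> None:
        self.client_group[client] = group

    def classify(self, client: str, level: str) -> str:
        """Assumed rule: a first-seen client is grouped by the network it first joins."""
        if client not in self.client_group:
            self.client_group[client] = {"trusted": "corporate", "guest": "guest"}.get(level, "unclassified")
        return self.client_group[client]

    def observe(self, assoc: Association) -> Optional[Violation]:
        level = TRUST_LEVELS.get(assoc.essid, "unknown")
        group = GROUPS[self.classify(assoc.client, level)]
        self.history[assoc.client].add(assoc.essid)
        if level in group.allowed:
            return None
        key = (assoc.client, assoc.essid)
        last = self.last_reported.get(key)
        if last is not None and assoc.ts - last < self.dedupe_window:
            return None                                  # same infraction already reported this hour
        self.last_reported[key] = assoc.ts
        v = Violation(assoc.ts, assoc.client, group.name, assoc.essid, level,
                      BASE_SEVERITY[level] * group.risk_multiplier, not group.suppress)
        self.violations.append(v)
        return v

    def clients_seen_on(self, essid: str) -> List[str]:
        """Report: every client that has ever connected to the given network."""
        return sorted(c for c, nets in self.history.items() if essid in nets)


def run_sample() -> TrustMonitor:
    """Replays a constructed sequence of associations through the monitor."""
    m = TrustMonitor()
    m.assign("cc:cc:cc:cc:cc:03", "iot")                         # IoT device provisioned by IT
    for a in [
        Association(0, "aa:aa:aa:aa:aa:01", "CorpSecure"),         # laptop, becomes corporate
        Association(100, "aa:aa:aa:aa:aa:01", "xfinitywifi"),      # laptop hops to an untrusted hotspot
        Association(200, "aa:aa:aa:aa:aa:01", "xfinitywifi"),      # repeat within the hour: deduplicated
        Association(300, "bb:bb:bb:bb:bb:02", "CorpGuest"),        # visitor, becomes guest
        Association(400, "bb:bb:bb:bb:bb:02", "CorpSecure-5G"),    # guest on the rogue AP: logged, no alert
        Association(500, "cc:cc:cc:cc:cc:03", "CorpSecure-5G"),    # IoT on the rogue AP: escalated
        Association(4000, "aa:aa:aa:aa:aa:01", "xfinitywifi"),     # a new hour: reported again
    ]:
        m.observe(a)
    return m
```

`run_sample()` yields four violations: the laptop on the hotspot (score 60, alerted), the guest on the rogue AP (score 25, suppressed), the IoT device on the rogue AP (score 150, alerted) and the laptop again once the hour has elapsed; `clients_seen_on("CorpSecure")` returns only the laptop.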
AP Trust Levels and Client Groups
Air Termination for Policy Violations
A strong feature of AirShield is its ability to enforce Trust Policy by terminating clients that violate it by sending IEEE 802.11 deauthentication frames. This can be automatically enforced by enabling Air Termination on specific Client Groups:
Any violation generates an Air Termination request that is sent to all AirShields. Because a Trust Policy Violation is generated at most once per hour per infraction, and the termination action is triggered only by that violation event, a single violation results in at most 60 minutes (1 hour) of termination.
Note that this is a service-impacting feature: the AirShield transmits 802.11 frames into the airspace, and they are designed to disrupt the service and operation of the targeted client device. Use Air Termination only where approved and after analyzing your risk profile.
Air Termination only works on networks that do not negotiate or require 802.11w Protected Management Frames (PMF). It will not work against WPA2 networks configured with 802.11w support or against WPA3 networks, which require PMF, because a client that has negotiated PMF discards deauthentication frames that are not integrity protected.
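Whether a deauthentication-based termination can reach a client is visible in the RSN element the AP advertises: the RSN Capabilities field carries the MFPC (PMF capable) and MFPR (PMF required) bits, and a WPA3-Personal (SAE) AKM implies PMF. The following is an added example, not AirShield code, that decodes that element, classifies the outlook for an unprotected deauthentication, and assembles the 26-byte deauthentication frame so its structure is concrete. The sample elements are constructed and nothing is transmitted.

```python
"""Reading 802.11w status from an RSN element and building a deauth frame (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

RSN_ELEMENT_ID = 0x30
AKM_SAE = (0x00, 0x0F, 0xAC, 0x08)    # WPA3-Personal (SAE); WPA3 mandates PMF
MFPR_BIT, MFPC_BIT = 0x0040, 0x0080   # RSN Capabilities bits 6 and 7


def parse_rsn(ie: bytes) -> Dict[str, object]:
    """Decode version, cipher/AKM suites and the optional RSN Capabilities field."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]

    def u16(o: int) -> int:
        return struct.unpack_from("<H", body, o)[0]

    def suites(o: int, n: int) -> List[Tuple[int, ...]]:
        return [tuple(body[o + 4 * i:o + 4 * i + 4]) for i in range(n)]

    version = u16(0)
    group = tuple(body[2:6])
    n_pair = u16(6)
    pairwise = suites(8, n_pair)
    off = 8 + 4 * n_pair
    n_akm = u16(off)
    akms = suites(off + 2, n_akm)
    off += 2 + 4 * n_akm
    caps = u16(off) if off + 2 <= len(body) else 0     # capabilities are optional
    return {
        "version": version, "group": group, "pairwise": pairwise, "akms": akms,
        "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT),
        "wpa3": AKM_SAE in akms,
    }


def termination_outlook(rsn_ie: Optional[bytes]) -> str:
    """'effective', 'client-dependent' or 'ineffective' for an unprotected deauth."""
    if rsn_ie is None:                  # open network: no RSN element, no PMF
        return "effective"
    rsn = parse_rsn(rsn_ie)
    if rsn["mfpr"] or rsn["wpa3"]:      # every associated client negotiated PMF
        return "ineffective"
    if rsn["mfpc"]:                     # PMF optional: only clients that declined PMF are affected
        return "client-dependent"
    return "effective"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_deauth(client: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Unprotected 802.11 deauthentication frame (management type 0, subtype 12).

    Spoofs the AP (addr2/addr3 = BSSID) towards the client; reason 7 is
    "class 3 frame received from non-associated STA". Without PMF a client
    accepts it from anyone who knows the two MAC addresses; with PMF the frame
    lacks the required integrity protection and is discarded.
    """
    frame_control = struct.pack("<H", 0x00C0)        # version 0, type 0, subtype 12, no flags
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)
    return (frame_control + duration + _mac(client) + _mac(bssid) + _mac(bssid)
            + seq_ctrl + struct.pack("<H", reason))


# Constructed sample RSN elements, as they would appear in a beacon.
WPA2_PSK_NO_PMF = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA2_PSK_PMF_OPTIONAL = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 8000")
WPA2_PSK_PMF_REQUIRED = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 c000")
WPA3_SAE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")
```

A sensor that records the RSN element of every AP it sees can therefore tell an operator up front which Client Group violations Air Termination will actually enforce and which will only be alerted on.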
Manual Client Air Termination Request
Air Termination for a specific client may be requested through different locations:
From the AP Connection History page on the Client Detail page
From the Recently Connected Clients from the Network Detail page
Air Termination of Client to ESSID
To request the Air Termination of a Client to a specific network name, in the manual request dialog remove the BSSID from the request:
Interrogating The Air Space
In addition to behavior monitoring, AirShield will connect to and interrogate open and EAP-enabled WiFi networks, both to understand the network and to ensure compliance with security standards.
For example, a network team may deploy EAP-enabled access points configured to the highest security standard. Should an Evil Twin AP appear that is not on the wired network, most current WIDS/WIPS will simply ignore it or report it as suspicious, leaving the incident response team with very little information.
With 802 Secure’s AirShield your team will have:
Information on when the new AP appeared and what it was advertising, even if it changed:
Encryption methods
X.509 certificate changes
EAP type allowance
An alert about its presence
The ability to isolate it from allowing any further connections
A detailed list of all the stations who connected to it
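The attributes listed above are exactly what a baseline comparison needs: the BSSIDs the network team deployed, the encryption in use, the EAP types accepted, and the EAP server certificate fingerprint seen during interrogation. The following is an added example, not AirShield code, of comparing each interrogated AP that advertises a managed ESSID against such a baseline, keeping when it first appeared, every advertisement it has made since, and the stations seen joining it. The field names, fingerprint labels and observations are constructed assumptions.

```python
"""Evil Twin detection against an interrogated baseline (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ApObservation:
    ts: int
    essid: str
    bssid: str
    security: str                              # "open", "wpa2-psk", "wpa2-eap", "wpa3-sae"
    eap_types: FrozenSet[str] = frozenset()    # EAP methods accepted during interrogation
    cert_sha256: Optional[str] = None          # EAP server certificate fingerprint, if any


@dataclass(frozen=True)
class Baseline:
    bssids: FrozenSet[str]                     # access points the network team deployed
    security: str
    eap_types: FrozenSet[str]
    cert_sha256: Optional[str]


@dataclass
class Finding:
    first_seen: int
    essid: str
    bssid: str
    advertised: List[ApObservation]            # every advertisement seen, in order
    reasons: List[str]                         # why the latest advertisement deviates
    clients: List[str] = field(default_factory=list)   # stations seen joining it


class EvilTwinDetector:
    def __init__(self, baselines: Dict[str, Baseline]) -> None:
        self.baselines = baselines
        self.findings: Dict[str, Finding] = {}     # keyed by BSSID

    def deviations(self, obs: ApObservation, ref: Baseline) -> List[str]:
        reasons = []
        if obs.bssid not in ref.bssids:
            reasons.append("BSSID is not one of the deployed access points")
        if obs.security != ref.security:
            reasons.append(f"encryption changed: {ref.security} -> {obs.security}")
        extra = obs.eap_types - ref.eap_types
        if extra:
            reasons.append("accepts EAP types outside the baseline: " + ", ".join(sorted(extra)))
        if ref.cert_sha256 and obs.cert_sha256 != ref.cert_sha256:
            reasons.append("EAP server certificate fingerprint changed")
        return reasons

    def observe_ap(self, obs: ApObservation) -> Optional[Finding]:
        ref = self.baselines.get(obs.essid)
        if ref is None:
            return None                            # not a managed ESSID; out of scope here
        reasons = self.deviations(obs, ref)
        if not reasons:
            return None
        f = self.findings.get(obs.bssid)
        if f is None:
            f = Finding(obs.ts, obs.essid, obs.bssid, [obs], reasons)
            self.findings[obs.bssid] = f
        elif obs != f.advertised[-1]:
            f.advertised.append(obs)               # the twin changed what it advertises
            f.reasons = reasons
        return f

    def observe_client(self, bssid: str, client: str) -> None:
        """Record which stations connected to a flagged AP."""
        f = self.findings.get(bssid)
        if f is not None and client not in f.clients:
            f.clients.append(client)


def run_sample() -> EvilTwinDetector:
    """Constructed baseline and observations; fingerprints are labels, not real hashes."""
    d = EvilTwinDetector({
        "CorpSecure": Baseline(frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"}),
                               "wpa2-eap", frozenset({"EAP-TLS"}), "sha256:corp-radius"),
    })
    d.observe_ap(ApObservation(0, "CorpSecure", "00:11:22:33:44:01", "wpa2-eap",
                               frozenset({"EAP-TLS"}), "sha256:corp-radius"))     # deployed AP
    d.observe_ap(ApObservation(60, "CorpSecure", "de:ad:be:ef:00:01", "wpa2-eap",
                               frozenset({"PEAP", "EAP-TLS"}), "sha256:self-signed"))  # twin harvesting credentials
    d.observe_ap(ApObservation(120, "CorpSecure", "de:ad:be:ef:00:01", "open"))  # same twin, reconfigured open
    d.observe_client("de:ad:be:ef:00:01", "aa:aa:aa:aa:aa:01")
    return d
```

In the sample the deployed AP produces no finding, while the twin is flagged at its first appearance for an unknown BSSID, an extra EAP type and a changed certificate, and later for dropping encryption altogether; both advertisements and the one station that joined it are retained on the finding.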
Real World Examples
Some real world examples of risky behaviors identified by AIRSHIELD’s Zero Trust Wireless Monitoring:
A station connects to a newly purchased IoT device that is not on the network
A user connects a corporate resource to another network that bypasses network security controls (firewalls, HTTPS interception proxies, bandwidth limitations, etc.)
An IoT networked device, which should only communicate to one network, is reset and connects to an available open network
A centrally-configured Access Point is unable to reach its controller and configures its ESSID to be a vendor-determined name
A system, newly installed by a third party or unassuming group, also provides WiFi networking yet its default configuration has not been changed
Connecting to a recently installed XFINITY network in preference to the IT-managed network, because of network list priority and pre-existing credentials from home/on-the-road use
Connecting to an Evil Twin or Rogue Wi-Fi Access Point