19 Sep 2017 The ‘Unhackable’ Network is possible!
Securing the worlds most Hostile WiFi network
One of the world’s premiere hacking events, Black Hat attracts some 10,000 security super geeks who like to break stuff.
Wi-Fi has always been a prime security target for Black Hat, who describes the network “the most hostile Wi-Fi network in the world.”
Leaving many ‘big’ names in the digital world afraid to attend, the black hat wifi network is infamous as a playground for attendees to try out the latest hacking tools against not only the greater internet but each other. Black Hat faced two fundamental challenges – Providing high-speed, high-density WiFi connectivity to delegates while ensuring bullet-proof WiFi that could prevent attendees from using the WiFi to compromise the entire network and each other.
The real goal for RG Nets was not only to try and provide secure, high-speed Wi-Fi, but also find a way to automate an 802.1X framework that provides AES-level encryption and authentication while dynamically assigning each device or a group of devices to a discrete VLAN.
This would require a close interworking between a cluster of Ruckus WLAN controllers, Ruckus SCGs in this case, and the RG Nets rXg Wireless Application Gateway system.
RG Nets configured its system to act as a firewall in between the Ruckus SCG and rXg clusters. The wired network to which the Ruckus APs were connected was completely locked down. The MAC address OUIs of the Ruckus APs were programmed into the rXg system.
This ensured that only the Ruckus APs authorized could utilize the wired network and communicate with the rXg’s RADIUS server. Routing out the Internet was completely disabled on the wired network. This was particularly important for Black Hat because it was very easy to sit on the floor in the Mandalay Bay conference area, unplug an AP, and instead connect a laptop via Ethernet to the same wired fabric. Disconnected APs were actively monitored throughout the event. Any “missing” AP MAC addresses were blacklisted to prevent someone from spoofing the MAC address of an AP and gaining access to the management network.
How it all worked
When any Black Hat user associated with the Ruckus Wi-Fi network, a RADIUS 802.1X request would be sent from the Ruckus controller to the in-line rXg system that would then dynamically assign each user, or a small group of users, to a unique VLAN that would follow them wherever they roamed.
The rXg is able, among a myriad of sophisticated packet processing chores, to support thousands of dynamic VLAN assignments, allowing each user, if needed, to have their own logical network, while keeping track of each user and their VLAN assignment.
With 802.1X MAC authentication configured on the Ruckus WLAN controllers, when a client tried to access the Wi-Fi network using a pre-shared key, the rXg system would receive a RADIUS access request from the WLAN cluster.
That access request contains the client’s MAC address and some other information used by the rXg to assign a VLAN tag. The rXg then responded to the Ruckus controllers with a RADIUS Access-Accept response that contains the VLAN ID for each client or group of clients.
Using this information from the rXg, the Ruckus WLAN controllers accepted the connection from the client and each AP would then tag client traffic with the assigned VLAN ID.
With all the traffic trunked to the Ruckus WLAN cluster and rXg system, the architecture proved to be extremely secure and successful, drastically reducing the attack “surface area” at Black Hat.
Blocking the Hackers
Behavioral connection IPS, using fancy heuristics, was used to block all sorts of malicious activity. RG NETS’ rXg’s DPI engine was configured with emerging threat signatures to detect intrusion attempts, malware, etc. Before the event was over nearly 1000 instances of threat signatures occurred on the network, which is far more than other conference environments.
Secure high-density WiFi delivered
The AP network, consisting of some 80 Ruckus 802.11ac smart WiFi access points managed by a cluster of Ruckus SCG controllers, was never compromised, and no notable attacks or exploits were reported between WiFi end-users due to the implementation of VLAN client isolation.
Data use at Black Hat was higher than average for a typical conference. Over 3 terabytes of traffic was routed over the Ruckus Wi-Fi network during the event. SSL traffic made up over half of all data usage, as many of the delegates who were brave enough to connect to the Wi-Fi encrypted their connections through an external VPN.
During the conference, the network operations team saw concurrent Wi-Fi client connections peak to over 2300 with some APs able to take on 300 simultaneous users with no performance compromises.