WatchGuard – Cloud Integration Point (CIP) and Wireless Intrusion Prevention System (WIPS)
Introduction
When your wireless environment is threatened and legacy systems are not securing your business like you thought they would, you must act fast and evaluate options to secure your wireless environment.
Sometimes securing your legacy systems is no small feat for SMBs and distributed enterprises. This is where WatchGuard comes in. Cloud Integration Point (CIP) enables the integration of WatchGuard Wi-Fi Cloud with on-premise wireless controllers and event log management services such as:
• Aruba Mobility Controller
• Cisco Wireless LAN Controller (WLC)
• HP Multi-Service Mobility (MSM) Controller
• ArcSight Enterprise Security Management (ESM)
• Syslog server
No Need to Rip and Replace, Just Add WIPS
Each WatchGuard access point can be installed as a dedicated WIPS sensor, which means that we work with your existing wireless access points by overlaying the appropriate number of WatchGuard access points. Although WatchGuard WIPS sensors can be installed into any brand of third-party access points, deployments of Cisco, Aruba, or HP access points receive additional management enhancements to support larger networks with direct integration (CIP) between WatchGuard’s Wi-Fi Cloud and their respective wireless LAN controllers. Although each deployment is unique,
we recommend one WatchGuard WIPS sensor to three access points. So instead of delivering Wi-Fi traffic to users, we deliver unprecedented WIPS security protection that is 100% dedicated to scanning the air and protecting your business from persistent wireless threats.
Simplified Management of WIPS Overlay Deployments
Supported on the AP420 access point model only, CIP makes managing larger WIPS sensor overlay deployments easier on administrators by integrating with Cisco, Aruba, and HP Wi-Fi controllers to enable the WatchGuard Wi-Fi Cloud to fetch information on devices managed by the third-party controller. The Wi-Fi Cloud can use this information for WIPS classification and location tracking of devices.
Integration with Enterprise Security Management (ESM) servers enables Wi-Fi Cloud to send events and audit logs to these servers, so administrators can use their existing infrastructure to manage the WatchGuard Wi-Fi Cloud events and logs. Integration of Wi-Fi Cloud with your on-premise systems allows you to leverage these key security advantages of the WatchGuard Wi-Fi Cloud while continuing to use your existing infrastructure:
• Automatic WIPS classification of authorised devices managed by the controller
• Additional inputs for location-tracking of Wi-Fi clients
• Sends events and audit logs to a central log server for a unified view of event monitoring and log analysis for troubleshooting
How CIP Works
A key challenge in integrating Wi-Fi Cloud with on-premise systems is that these systems typically reside on a private network behind a firewall. You can integrate multiple on-premise systems with Wi-Fi Cloud with a CIP device on your network. This ensures the messages remain confidential and cannot be intercepted.
The Wi-Fi Cloud solution uses an AP420 as a CIP in the on-premise network. The AP does not perform access point or WIPS sensor functions when configured in CIP mode. The CIP creates a secure OpenVPN tunnel to Wi-Fi Cloud on UDP port 3852. This port needs to be opened on the firewall to allow communications from the CIP to Wi-Fi Cloud to create the OpenVPN tunnel. All subsequent communications occur via the tunnel. All data transmitted between the CIP and Wi-Fi Cloud is sent over an OpenVPN tunnel and is secured with AES-256-CBC encryption. The CIP contains a firewall that only forwards traffic to the defined destinations and through the ports configured for the CIP. The CIP also uses network address translation (NAT) for traffic from the tunnel to the LAN. Connections originating from the LAN to Wi-Fi Cloud cannot be established. To learn more about CIP requirements and configuration steps, visit the WatchGuard Support Center.
Not All WIPS Is Created Equal
WatchGuard’s WIPS includes patented detection and prevention methods to:
• Detect and prevent common Wi-Fi threats including:
– Man-in-the-middle attack (MitM)
– Evil twin
– Misconfigured AP
– Rogue APs
– Inappropriate and illegal usage
– AP MAC address spoofing
– Karma attack
– WPA/WPA2 encryption cracking (KRACK)
• Enable accurate and automatic classification of APs and clients such as smartphones and tablets
– Authorised – Known access points that are connected to your network
– External – Nearby access points that are not connected to your network
– Rogue – Unknown access points that are connected to your network
• Control Wi-Fi client connections with configurable policy
• Run detailed reports for quick views of a network’s Wi-Fi compliance for known standards such as PCI and general Wi-Fi security posture
This advanced detection process, missing in other WIPS products on the market, ensures that ONLY unacceptable connections get shut down immediately, without illegally disrupting neighbouring Wi-Fi networks.
A hallmark of WatchGuard is to deliver secure networking resources, and our uniquely effective WIPS solution delivers the strongest security. In addition, our Wi-Fi Cloud management enables users to easily optimise radio settings and features, such as with self-healing meshing, and provides the marketing tools and location-based analytics for enhanced business insights.
Grow your business with secure, cloud-managed Wi-Fi solutions. Learn more at www.watchguard.com/wifi.
