Cloud Infrastructure Wireless Security

Data Centers

The Data Center contains the crown jewels for an organization. In addition to the IT equipment we usually think about, Data Centers are loaded with industrial equipment (chillers, lighting, power and others) and are often frequented by contractors. Many vectors expose a Data Center to risk, and as a result, Data Center security has long received significant budget and attention from both physical and cyber security organizations.

Bob Baxley, co-founder at Bastille Networks, discusses Data Center security.

Data Centers have the highest physical security for any organization, often employing mantraps, biometrics, and expanded video coverage. On the cyber side, large budgets are deployed for endpoint security and intrusion prevention for the wired infrastructure. However, there is an attack vector capable of penetrating Data Center walls and bypassing the firewalls, namely radio frequency (RF) based attacks.

THE PROBLEM

Data Centers consist of many computers, industrial equipment, and personnel, all having components that may communicate wirelessly. These wireless devices operate on a variety of wireless protocols, which are susceptible to a variety of attacks.

Security professionals need to lock down threat vectors in Data Centers. Rogue devices, data exfiltration, misconfigured equipment, personnel accountability, and insider threats are all possible via nefarious devices.

Company controlled Wi-Fi networks may be protected to some extent by existing products, but other wireless traffic is largely a blind spot. In a Data Center environment, an attacker exfiltrating data over a cellular channel could easily go undetected because no traffic is going over the Data Center’s network. 

Data Center operators are not always aware of the wireless transceivers in the equipment they control. More equipment today is being shipped with a “radio ready” control system in addition to the Ethernet or console control system that the Data Center intends to employ. However, we have found that the radio control system, Zigbee or Z-Wave for example, is usually “ON” by default when it ships, and that it uses default passwords (0000) that are simple to find with a Google search. As a result, without the knowledge of Data Center personnel who aren’t using it, the radio-ready client is constantly beaconing for a radio controller to pair with it and give it instructions. For instance, a misconfigured Zigbee interface on a chiller could enable an attacker to interrupt Data Center operations. Knowledge of all wireless transmitters in a Data Center makes it possible to minimize the wireless attack surface.

Data Center Security Vulnerabilities Include: 

  • Rogue Wireless Devices and Networks being used for Data Exfiltration

    • Typical exfiltration prevention techniques involve monitoring corporate networks and preventing the use of USB ports for storage. However, by utilizing cellular or other “hard to see” protocols, attackers can bypass these controls.

    • Nefarious devices such as pwn plugs and pineapples are left in Data Centers to specifically steal data and backhaul that data out over cellular.

  • Improperly Configured Devices

    • Network infrastructure, e.g. a laptop connected to the network, has an open Bluetooth stack beaconing for a keyboard.

    • Data Center equipment can employ proprietary or industry ICS protocols for managing aspects of the equipment or environment. Security professionals have no visibility into these devices and protocols, or into whether they are properly configured.

    • Employees and contractors may unknowingly carry a compromised cell phone which, once attached to an internal Wi-Fi network, can open a cellular channel and begin beaconing out packets to the attackers abroad.

Typical security solutions have no visibility into what devices exist and operate in the radio frequency spectrum, let alone whether they are doing something nefarious.

THE REQUIREMENTS FOR A DATA CENTER RADIO SECURITY SOLUTION

A Data Center radio security solution needs to:

  1. Provide visibility into the wireless networks, traffic, and devices operating in your environment

  2. Inform you of the attack surface for each of these devices

  3. Alert on active wireless attacks on those devices through your existing SIEM systems

  4. Suggest best practices for minimizing the attack surface and mitigating an attack in action

Specifically, a solution must:

  • Detect all devices operating in the wireless spectrum, including but not limited to Wi-Fi, cellular, Bluetooth, and the hundreds of other protocols in the Internet of Things (IoT)

  • Provide awareness of any wireless threats including active attacks, rogue networks, and misconfigured devices.

  • Track the movement of radio-equipped devices to augment existing security measures.

  • Show the movements of devices to help enforce access policies.

  • Detect unauthorized access

  • Detect data exfiltration via wireless devices (large volume of wireless data leaving the Data Center premises over the cellular network)

  • Allow the Data Center operator to quickly detect and localize any malicious cellular modems

  • Include geofencing capabilities to understand and protect the location(s) of a customer’s servers within a colocation facility

  • Be always on

  • Detect unauthorized devices entering the Data Center

  • Detect vulnerable devices being installed

  • Detect anomalous wireless activity originating from the Data Center (independently from the protocol)

  • Detect misconfigured devices

  • Enforce company BYOD/IoT policy

  • Alert on a wireless attack surface introduced by the installation of new equipment in the Data Center, e.g. an HVAC system with Zigbee or a MouseJack vulnerable keyboard

  • Detect rogue cell towers which can send signals into your facility
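As an added example (not Bastille’s code and not part of the original page), the following Python sketch applies several of the requirements above to constructed sensor events: unknown devices checked against an asset inventory, a customer cage geofence, a cellular uplink volume threshold for suspected exfiltration, and a “radio ready” Zigbee interface beaconing for a controller. The device identifiers, positions, the `CAGE` box and the byte threshold are all assumptions; the alert tuples are the sort of record a SIEM integration would forward.

```python
from collections import defaultdict

# Constructed asset inventory: identifiers the operator already knows about.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "rack-23 switch management port",
    "imsi-0001": "on-call engineer's phone",
}
# Constructed geofence: a customer's cage as an axis-aligned box (x0, y0, x1, y1) in metres.
CAGE = (10.0, 10.0, 20.0, 20.0)
# Assumed threshold: cellular uplink bytes per window that counts as suspected exfiltration.
CELL_EXFIL_BYTES = 50_000_000

# Constructed sensor events: protocol, device id, estimated (x, y) position,
# uplink bytes observed and what the device was doing when seen.
EVENTS = [
    {"proto": "wifi", "id": "aa:bb:cc:00:00:01", "pos": (12, 12), "bytes": 1_000, "role": "client"},
    {"proto": "cellular", "id": "imsi-0001", "pos": (5, 5), "bytes": 200_000, "role": "client"},
    {"proto": "cellular", "id": "imsi-9999", "pos": (15, 15), "bytes": 80_000_000, "role": "client"},
    {"proto": "zigbee", "id": "zb-chiller-7", "pos": (30, 30), "bytes": 64, "role": "beacon"},
    {"proto": "bluetooth", "id": "aa:bb:cc:00:00:02", "pos": (18, 19), "bytes": 0, "role": "inquiry"},
]

def inside(pos, box):
    """True if an (x, y) position lies within the geofence box."""
    x, y = pos
    return box[0] <= x <= box[2] and box[1] <= y <= box[3]

def correlate(events, known=KNOWN_DEVICES, cage=CAGE, exfil_bytes=CELL_EXFIL_BYTES):
    """Return (severity, device_id, reason) alerts suitable for forwarding to a SIEM."""
    alerts = []
    cell_bytes = defaultdict(int)
    for ev in events:
        dev = ev["id"]
        if dev not in known:
            # Requirement: detect unauthorized / unknown devices entering the facility.
            alerts.append(("medium", dev, f"unknown {ev['proto']} device not in inventory"))
            if inside(ev["pos"], cage):
                # Requirement: geofence a customer's servers inside a colocation facility.
                alerts.append(("high", dev, "unknown device inside customer cage geofence"))
        if ev["proto"] == "cellular":
            cell_bytes[dev] += ev["bytes"]
        if ev["proto"] in ("zigbee", "zwave") and ev["role"] == "beacon":
            # Requirement: flag misconfigured 'radio ready' equipment looking for a controller.
            alerts.append(("high", dev, f"{ev['proto']} interface beaconing for a controller"))
    for dev, total in cell_bytes.items():
        if total >= exfil_bytes:
            # Requirement: large volume leaving the premises over the cellular network.
            alerts.append(("critical", dev, f"cellular uplink of {total} bytes exceeds threshold"))
    return alerts
```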

What kind of organizations need this solution?

  • Fortune 2000, financial services, technology, and other companies that manage their own Data Centers

  • Data Center companies (hosting providers, etc.)

  • Cloud infrastructure providers

Bastille Solution

Bastille provides intelligent and comprehensive, continuous monitoring for wireless threats within cloud infrastructure locations. The Bastille solution is a combination of Sensor Arrays deployed throughout your facility, Concentrators to aggregate and process sensor data, and the Fusion Center platform which collects and analyzes wireless data and is the central integration point which can be connected to, and augment, your security monitoring system with Bastille’s wireless threat data. This tiered architecture allows the Bastille solution to scale from monitoring a single room to many campuses across the world with a single management interface.

Figure: Bastille’s solution for Data Centers.

Sensors

Comprehensive monitoring is achieved through deployment of Bastille’s sensor arrays throughout your facility. Bastille sensor arrays detect wireless activity from 25 MHz to 6 GHz; this RF traffic is decoded, processed and sent to the Bastille Concentrator for further event correlation. The sensor arrays are 100% passive, which means they never transmit. They also have no moving parts, which reduces component failure and lets them operate silently. The sensor arrays are plenum rated and are available for indoor or outdoor use.

The sensors capture all available attributes of the wireless devices including dozens of identifiers such as vendor name, Bluetooth network definitions, Wi-Fi device characteristics, and Cellular network information. Bastille’s Sensor Arrays are based on Software Defined Radio (SDR) technology which allows them to receive in-place upgrades ensuring future protocol support and decoding.

Concentrator

The Bastille Concentrator receives data from all of the sensor arrays in a facility, refines and consolidates the data into events, and sends them to the Fusion Center. The Premium Concentrator is used to gather additional data from cellular device transmissions.

Fusion Center

Bastille’s Fusion Center platform receives wireless data from the sensor arrays, compiles and analyzes the data, and displays all data on current and historical wireless device activity. Bastille’s Fusion Center is the only Common Criteria / NIAP certified product in this industry and provides you additional assurance on the quality and security of the Bastille solution. Any detected wireless device is clearly overlaid on your facility floor plan, including current device location to within 3 m accuracy and a playback capability to show the historical location of each wireless device as it moved through your space. This playback functionality allows correlation with other systems to determine who brought the device in, along with when and where they traveled in the facility.

Bastille’s Fusion Center automatically detects known wireless threats from its curated database of threats discovered by Bastille’s Threat Research team and industry disclosed vulnerabilities. The Fusion Center platform offers highly customizable reports, provides rich API capabilities for integration with SIEM/SOAR systems, and is fully maintained and supported by Bastille along with the sensor arrays for the life of the subscription.

Figure: Device locations plotted on your floor plan

Examples of Bastille’s Differentiation

Bastille has 30 patents in the wireless detection field and maintains a significant advantage in detecting wireless threats.

Threat Signatures & Event Intelligence

Bastille’s Threat Signatures filter through all detected devices and apply categorizations to them so you can focus your resources on the critical threats. Bastille’s solution brings wireless data to your security policy enabling you to evolve your policy to match the reality of your environment.

Advanced Bluetooth Device Detection

Bastille’s unique approach simultaneously monitors all 79 Bluetooth channels and 40 Bluetooth Low Energy channels. This approach identifies paired Bluetooth devices, explicitly noting the paired network endpoints, the attributes of both ends of the pairing, and Bluetooth devices performing inquiries or scans. Other vendors only show Bluetooth devices while they are looking to pair; once paired, the devices become invisible. It is after pairing that a device has the capability to exfiltrate data and cause disruption, so you need this visibility to protect against Bluetooth surveillance threats.

Individual Cellular Device Detection

Bastille provides comprehensive data on all individual cellular devices which transmit in the monitored space. With Bastille’s technology, you can track the location, carrier, and specific attributes of each cellular device as it moves through the monitored facility, while respecting data privacy requirements.