NETW 05A: APPLIED WIRELESS SECURITY
Segmentation Devices
By Mohammad Shanehsaz, Spring 2005

This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.

Objectives: Enterprise Wireless Gateways
- Understand the functionality of enterprise wireless gateways (EWGs)
- Recognize strengths, weaknesses, and appropriate applications for an enterprise wireless gateway
- Describe common security features, tools, and configuration techniques for enterprise wireless gateway products
- Install and configure an enterprise wireless gateway, including profiles and VPNs
- Manage an enterprise wireless gateway and recognize its scalability limitations

Objectives: Firewalls and Routers
- Given a wireless LAN topology, explain where firewalls can be added for security
- Describe the wireless security benefits of routers
- Explain the benefits of implementing access control lists
- Given a wireless LAN design, demonstrate how to implement a wireless DMZ
- Explain the benefits of network segmentation in a wireless network
- Implement segmentation of a wireless LAN on a network
Segmentation Devices
- Considerations
- Routers
- Layer 3 switches
- VPN concentrators
- Firewalls
- Enterprise Encryption Gateways (EEG)
- Enterprise Wireless Gateways (EWG)

Considerations
- Segmentation means placing the wireless APs on a network segment that is separated from the backbone network by some type of security device.
- To avoid a single point of failure for the entire wireless LAN, plan for redundancy (failover or clustering).
- Redundancy can be built with traditional router redundancy protocols such as VRRP or HSRP, or with the failover features of newer devices such as enterprise wireless gateways and firewalls.
- NAT/PAT is often used at the border between the backbone and the wireless segment. NAPT (Network Address Port Translation) is the form commonly used with wireless networks: many wireless clients share one backbone-side address and are told apart by the translated source port.

Considerations (continued)
- Impact of NAT or NAPT on VPN protocols: protocols without a transport-layer port cannot be port-multiplexed. IPsec ESP needs NAT traversal (ESP encapsulated in UDP 4500) before more than one client behind the gateway can use it, AH fails outright because its integrity check covers the rewritten IP header, and PPTP's GRE stream needs a PPTP-aware NAT.
- Impact of NAPT on management of APs from a management workstation on the wired LAN: the APs sit behind the translation, so an unsolicited wired-side connection to an AP (SNMP, HTTP, telnet/SSH) has no translation entry and is dropped. The solution is static NAT, a fixed one-to-one mapping for each AP's address.
- Impact on 802.1X/EAP traffic that crosses an EWG between the access points and the authentication server: the APs' RADIUS packets must be routed and translated through the gateway, so each AP needs a default gateway address (the EWG's wireless-side interface) and the gateway must pass UDP 1812/1813 to the RADIUS server.
- Connectivity problems for clients roaming across different layer 3 devices: a client that moves to an AP behind another router or gateway changes subnet, so its IP address and any VPN session bound to it are lost unless Mobile IP or a proprietary subnet-roaming mechanism is in place.
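The three NAPT effects listed above are easiest to see in a small simulation. The following is an added example, not code from the original slides or from any gateway product: a toy NAPT table with one backbone-side address, a static one-to-one mapping for an access point, and a port-less protocol (ESP) that cannot be multiplexed. All addresses and ports are constructed for the example.

```python
"""NAPT at the WLAN/backbone border: a simulation of dynamic translation, an
unsolicited wired-side connection to an AP, and IPsec ESP through NAPT.
Constructed example with made-up addresses; not a real NAT implementation."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

TCP, UDP, ESP = 6, 17, 50          # IP protocol numbers; ESP carries no port header


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # None for port-less protocols such as ESP
    dport: Optional[int] = None


class NAPT:
    """Gateway with one backbone-side address shared by all wireless clients."""

    def __init__(self, outside_ip: str, first_port: int = 40000) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        # (proto, inside_ip, inside_port) -> translated outside port
        self.outbound_map: Dict[Tuple[int, str, Optional[int]], Optional[int]] = {}
        # (proto, outside_port) -> (inside_ip, inside_port)
        self.inbound_map: Dict[Tuple[int, Optional[int]], Tuple[str, Optional[int]]] = {}
        self.static: Dict[str, str] = {}   # outside address -> inside address (static NAT)

    def add_static(self, outside_ip: str, inside_ip: str) -> None:
        """Static NAT: fixed one-to-one mapping, used here so the wired side can reach an AP."""
        self.static[outside_ip] = inside_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Wireless side -> backbone. Returns the translated packet, or None if dropped."""
        for out_ip, in_ip in self.static.items():
            if pkt.src == in_ip:
                return replace(pkt, src=out_ip)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.outbound_map:
            if pkt.sport is None:
                # No port to rewrite: only one inside host can own this protocol at a time.
                if (pkt.proto, None) in self.inbound_map:
                    return None
                new_port = None
            else:
                new_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = new_port
            self.inbound_map[(pkt.proto, new_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=self.outbound_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Backbone -> wireless side. Unsolicited packets with no mapping are dropped."""
        if pkt.dst in self.static:
            return replace(pkt, dst=self.static[pkt.dst])
        target = self.inbound_map.get((pkt.proto, pkt.dport))
        if pkt.dst != self.outside_ip or target is None:
            return None
        return replace(pkt, dst=target[0], dport=target[1])


def client_reply_reaches_client() -> bool:
    """A wireless client opens TCP/443 to a backbone server; the reply is mapped back."""
    gw = NAPT("10.0.0.1")
    out = gw.outbound(Packet(TCP, "192.168.1.10", "10.0.5.20", 51000, 443))
    back = gw.inbound(Packet(TCP, "10.0.5.20", "10.0.0.1", 443, out.sport))
    return back is not None and back.dst == "192.168.1.10" and back.dport == 51000


def manage_ap_from_wired_side(with_static_nat: bool) -> Optional[Packet]:
    """Wired management station sends SNMP (UDP 161) toward AP 192.168.1.2."""
    gw = NAPT("10.0.0.1")
    if with_static_nat:
        gw.add_static("10.0.0.12", "192.168.1.2")   # hypothetical outside address for the AP
    target = "10.0.0.12" if with_static_nat else "10.0.0.1"
    return gw.inbound(Packet(UDP, "10.0.7.5", target, 5000, 161))


def two_esp_clients(use_nat_t: bool) -> int:
    """How many of two IPsec clients get through: raw ESP versus ESP in UDP 4500 (NAT-T)."""
    gw = NAPT("10.0.0.1")
    clients = ("192.168.1.10", "192.168.1.11")
    if use_nat_t:
        pkts = [Packet(UDP, ip, "10.0.0.2", 4500, 4500) for ip in clients]
    else:
        pkts = [Packet(ESP, ip, "10.0.0.2") for ip in clients]
    return sum(1 for p in pkts if gw.outbound(p) is not None)
```

Without the static mapping the management station has no address that leads to the AP at all; with it, the AP is reachable but is also exposed to anything else on the wired side that can reach 10.0.0.12, so the static entry should be paired with an ACL restricting it to the management station.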
Routers
- Routers are intelligent but comparatively slow devices (forwarding decisions are made in software).
- The strongest security they offer is a firewall feature set, where the software provides one.
- Access control lists (ACLs) are the basic security mechanism.
- Some router software, such as Cisco IOS, supports Mobile IP.
- Most routers provide no user authentication: an ACL decides by address, protocol, and port, not by who the user is.

Layer 3 Switches
- Layer 3 switches go by many names: route switches, switch routers, layer 3 switches, network switches.
- They are routers that switch traffic between physical interfaces in hardware and route traffic between virtual (VLAN) interfaces.
- Very fast
- Expensive
- Access control lists (ACLs) are the security mechanism
- Rarely support Mobile IP
- Provide no means of user authentication

VPN Concentrators
- Support RADIUS or TACACS+ authentication
- Very expensive to scale for large roll-outs
- They serve two purposes: first, to block layer 3 traffic from entering the backbone without authentication; second, to provide an encrypted point-to-point connection between the client and the concentrator.
- Client and server must use the same VPN protocol, and the settings must match on each end.
- Security depends on the protocol used and how it is configured: a concentrator that accepts PPTP with password-based MS-CHAP authentication is only as strong as the users' passwords, whereas IPsec with certificates does not share that weakness.
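Routers and layer 3 switches both enforce segmentation with ordered ACLs: first match wins and an unmatched packet hits the implicit deny at the end. The following added example (not from the slides or from any vendor) evaluates a hypothetical wireless-DMZ policy against constructed packets and renders each rule in Cisco IOS extended-ACL syntax; the addresses, the ACL number 110, and the policy itself are assumptions for the example. It also shows the classic mistake of placing a broad permit before the deny that protects the backbone.

```python
"""Extended ACL for a wireless DMZ, evaluated the way a router or layer 3 switch does:
ordered rules, first match wins, implicit deny at the end. Constructed example with
made-up addresses; the rule set is a hypothetical policy, not a vendor default."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "esp": 50}   # "ip" matches any protocol


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # key of PROTO_NAMES
    src: str                      # CIDR; "0.0.0.0/0" is "any"
    dst: str                      # CIDR
    dport: Optional[int] = None   # destination port; None means any

    def matches(self, proto: int, src: str, dst: str, dport: Optional[int]) -> bool:
        want = PROTO_NAMES[self.proto]
        if want is not None and want != proto:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

    def to_ios(self, number: int) -> str:
        """Render in Cisco IOS extended-ACL syntax (wildcard masks, 'host', 'any')."""
        def addr(cidr: str) -> str:
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 32:
                return f"host {net.network_address}"
            if net.prefixlen == 0:
                return "any"
            return f"{net.network_address} {net.hostmask}"   # hostmask is the wildcard mask
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"access-list {number} {self.action} {self.proto} {addr(self.src)} {addr(self.dst)}{port}"


# Constructed topology: clients and APs on the wireless DMZ, servers on the 10/8 backbone.
WLAN_CLIENTS, APS, BACKBONE = "192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/8"
RADIUS, VPN, DNS = "10.0.5.10/32", "10.0.0.2/32", "10.0.5.53/32"

# Applied inbound on the wireless-side interface of the segmentation device.
WIRELESS_DMZ_ACL: List[Rule] = [
    Rule("permit", "udp", APS, RADIUS, 1812),          # 802.1X/EAP: AP -> RADIUS authentication
    Rule("permit", "udp", APS, RADIUS, 1813),          # RADIUS accounting
    Rule("permit", "udp", WLAN_CLIENTS, DNS, 53),
    Rule("permit", "udp", WLAN_CLIENTS, VPN, 500),     # IKE
    Rule("permit", "udp", WLAN_CLIENTS, VPN, 4500),    # IKE/ESP with NAT traversal
    Rule("permit", "esp", WLAN_CLIENTS, VPN),          # raw ESP to the concentrator
    Rule("deny", "ip", "0.0.0.0/0", BACKBONE),         # nothing else from the DMZ enters the backbone
    Rule("permit", "ip", WLAN_CLIENTS, "0.0.0.0/0"),   # clients may still reach the Internet
]

# Same rules with the last two swapped: the broad permit now shadows the backbone deny.
MISORDERED_ACL: List[Rule] = WIRELESS_DMZ_ACL[:6] + [WIRELESS_DMZ_ACL[7], WIRELESS_DMZ_ACL[6]]


def evaluate(acl: List[Rule], proto: int, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); (deny, None) is the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(proto, src, dst, dport):
            return rule.action, i
    return "deny", None


def render(acl: List[Rule], number: int = 110) -> List[str]:
    """IOS configuration lines for the whole list, in order."""
    return [rule.to_ios(number) for rule in acl]


if __name__ == "__main__":
    print("\n".join(render(WIRELESS_DMZ_ACL)))
    print(evaluate(WIRELESS_DMZ_ACL, 6, "192.168.1.10", "10.0.5.20", 445))   # ('deny', 6)
    print(evaluate(MISORDERED_ACL, 6, "192.168.1.10", "10.0.5.20", 445))     # ('permit', 6)
```

Note that a wireless client sending directly to the RADIUS server is denied: only the APs are RADIUS clients, and letting stations reach the authentication server would expose it to anyone who associates.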
Firewalls
- Most firewalls are too slow to support wireless LAN speeds.
- The all-purpose group of products added VPN concentrator functionality, followed by RADIUS support.
- The purpose-built group segmented the market into several different types (Internet firewalls, WLAN firewalls).
- Used in conjunction with other solutions, firewalls offer strong security (example: a client uses SSH2 to connect to an SSH2 server through a firewall that permits only that port).
- Firewalls have one distinct advantage: they are already supported as an integral part of the enterprise security solution.

Enterprise Encryption Gateways
- EEGs are layer 2 encryption devices: they take Ethernet frames originating from or destined to the WLAN segment and place them in proprietary frame formats that traverse both the wireless and wired segments (a layer 2 VPN design in which each link is an encrypted point-to-point tunnel between the client and the gateway).
- The network is divided into encrypted and unencrypted segments.
- An EEG has an IP address for management purposes only; it does not perform routing.
- Data compression for increased throughput
- Access point management is part of the configuration of an EEG.
- EEGs support RADIUS authentication or authentication via a proprietary Access Control Server.
- Because the frame format is proprietary, every client needs the vendor's driver or client software, and the strength of the encryption rests on the vendor's design rather than on an open, reviewed protocol.
Enterprise Wireless Gateways
- There are two main types: EWG appliances (stand-alone boxes), and software EWGs installed on a typical Intel PC with two network interfaces.
- The EWG combines features of routers, layer 3 switches, firewalls, and VPN concentrators, plus wireless-specific features.
- The principal weakness of EWGs is lack of protection for the access points: the APs sit on the wireless side of the gateway, so their management interfaces and the link between them and the clients are outside what the EWG enforces.

Network Positioning
- EWGs are positioned between the wireless network segment and the network backbone.
- If VLANs are used, the EWG resides between the wireless VLAN and the wired VLANs.
- An EWG acts as a router with two fast (gigabit) interfaces, one for the WLAN side and one for the wired side, each with its own IP address.
- NAT can be performed in both directions.

Firewall Functionality
- EWGs have integrated firewall features.
- When complex firewall filtering is done, the number of simultaneously supported APs and wireless clients goes down.

VPN Concentrator Functionality
- The main security feature of EWGs
- The most common VPN types, PPTP, L2TP, and IPsec, are usually supported.
- Authentication against a local user database, LDAP, or RADIUS
Wireless-Oriented Features
- Rate limiting (can mitigate bandwidth-exhaustion DoS attacks and keep one client from starving the others; it does nothing against RF-layer attacks such as jamming or deauthentication floods, which never reach the gateway)
- Role-based access control (RBAC): a "role" is created based on job description (network security) or network-use requirements (bandwidth), and each authenticated user is mapped to a role that determines what the user may reach and at what rate.
- Proprietary methods of subnet roaming for seamless mobility (the IEEE 802.11F recommended practice addresses mobility between APs through the Inter-Access Point Protocol (IAPP), and IETF RFC 2002 defines the Mobile IP protocol)

Performance
- Performance is a key consideration when comparing EWGs. Consider the following factors when purchasing:
- Number of simultaneous users
- Unencrypted throughput
- Encrypted throughput

Resources
- CWSP Certified Wireless Security Professional, McGraw-Hill
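Rate limiting and role-based access control are applied together once a user has authenticated to the gateway. The following added example (not from the slides or from any EWG product) models that: a user is mapped to a role, the role carries a set of reachable destinations and a sustained rate, and each client session is policed with a token bucket. Role names, limits, user-to-role assignments and addresses are constructed for the example; a real EWG would take the role from a RADIUS or LDAP attribute.

```python
"""Role-based access control with per-client rate limiting, as an enterprise wireless
gateway applies it after authentication. Constructed example: roles, limits, users and
addresses are hypothetical, and the token bucket is a simplified policer."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    rate_bytes_per_s: int        # sustained rate; the bucket holds one second of traffic
    allowed_dst: List[str]       # CIDRs this role may reach through the gateway


ROLES: Dict[str, Role] = {
    "guest":    Role("guest",    128_000,   ["10.0.9.0/24"]),   # Internet edge only, ~1 Mbit/s
    "employee": Role("employee", 2_500_000, ["10.0.0.0/8"]),    # whole backbone, ~20 Mbit/s
}
USER_ROLE: Dict[str, str] = {"visitor01": "guest", "jsmith": "employee"}   # from RADIUS/LDAP in practice


@dataclass
class Session:
    user: str
    client_ip: str
    role: Role
    tokens: float = field(init=False)   # bytes the client may still send right now
    last: float = field(init=False)     # time of the last refill

    def __post_init__(self) -> None:
        self.tokens = float(self.role.rate_bytes_per_s)
        self.last = 0.0


class Gateway:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def authenticate(self, user: str, client_ip: str) -> Optional[Session]:
        """Bind an authenticated user to a role; unknown users get no session."""
        role_name = USER_ROLE.get(user)
        if role_name is None:
            return None
        session = Session(user, client_ip, ROLES[role_name])
        self.sessions[client_ip] = session
        return session

    def forward(self, client_ip: str, dst: str, size: int, now: float) -> str:
        """Decide one packet from client_ip: forward, or drop with the reason."""
        session = self.sessions.get(client_ip)
        if session is None:
            return "drop:unauthenticated"
        if not any(ipaddress.ip_address(dst) in ipaddress.ip_network(net)
                   for net in session.role.allowed_dst):
            return "drop:policy"
        cap = session.role.rate_bytes_per_s
        session.tokens = min(cap, session.tokens + (now - session.last) * cap)   # refill
        session.last = now
        if session.tokens < size:
            return "drop:rate"
        session.tokens -= size
        return "forward"


def guest_burst(n_packets: int = 100, size: int = 1500) -> Dict[str, int]:
    """A guest blasts n_packets of 1500 bytes in the same instant; count the outcomes."""
    gw = Gateway()
    gw.authenticate("visitor01", "192.168.1.50")
    counts: Dict[str, int] = {}
    for _ in range(n_packets):
        result = gw.forward("192.168.1.50", "10.0.9.1", size, now=0.0)
        counts[result] = counts.get(result, 0) + 1
    return counts


def guest_after_pause() -> str:
    """After exhausting the bucket, one second of silence refills it."""
    gw = Gateway()
    gw.authenticate("visitor01", "192.168.1.50")
    for _ in range(100):
        gw.forward("192.168.1.50", "10.0.9.1", 1500, now=0.0)
    return gw.forward("192.168.1.50", "10.0.9.1", 1500, now=1.0)


def destination_check(user: str, dst: str) -> str:
    """Policy decision for one packet to dst from a freshly authenticated user."""
    gw = Gateway()
    gw.authenticate(user, "192.168.1.60")
    return gw.forward("192.168.1.60", dst, 64, now=0.0)


def unauthenticated_client() -> str:
    return Gateway().forward("192.168.1.70", "10.0.9.1", 64, now=0.0)
```

The bucket starts full, so a guest gets 85 full-size packets (85 x 1500 = 127,500 bytes) before the 86th is dropped; the policy check runs before the rate check, so a guest packet aimed at the backbone is refused regardless of how much bandwidth the guest has left.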