NETW 05A: APPLIED WIRELESS SECURITY
Segmentation Devices
By Mohammad Shanehsaz
Spring 2005
This work is supported by the
National Science Foundation under
Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives
Enterprise Wireless Gateways
- Understand the functionality of enterprise wireless gateways (EWG)
- Recognize strengths, weaknesses, and appropriate applications for an enterprise wireless gateway
- Describe common security features, tools, and configuration techniques for enterprise wireless gateway products
- Install and configure an enterprise wireless gateway, including profiles and VPNs
- Manage and recognize scalability limitations of an enterprise wireless gateway
Objectives
Firewalls and Routers
- Given a wireless LAN topology, explain where firewalls can be added for security
- Describe the wireless security benefits of routers
- Explain the benefits of implementing access control lists
- Given a wireless LAN design, demonstrate how to implement a wireless DMZ
- Explain the benefits of network segmentation in a wireless network
- Implement segmentation of a wireless LAN on a network
Segmentation Devices
- Considerations
- Routers
- Layer 3 switches
- VPN concentrators
- Firewalls
- Enterprise Encryption Gateways (EEG)
- Enterprise Wireless Gateways (EWG)
Considerations
- Segmentation means placing the wireless APs on a network segment that is separated from the backbone network by some type of security device.
- To avoid a single point of failure for the entire wireless LAN, redundancy should be considered (failover or clustering).
- Redundancy can be built using traditional backup router protocols such as VRRP or HSRP, or with newer devices such as enterprise wireless gateways and firewalls that support failover or clustering.
- NAT/PAT is commonly used at the border between the backbone and the wireless segment. The usual form on wireless networks is NAPT (Network Address Port Translation): many wireless clients share one or a few backbone-side addresses and are told apart by port number.
Considerations (continued)
- Impact of NAT or NAPT on VPN protocols: IPsec ESP carries no port numbers and PPTP carries its data in GRE, so a port translator cannot tell two clients' tunnels apart unless the gateway supports NAT traversal (ESP encapsulated in UDP) or a protocol-aware translation rule.
- Impact of NAPT on management of APs from a management workstation on the wired LAN: the translator creates mappings only for connections started from the wireless side, so an inbound management session to an AP is dropped (the solution is a static NAT entry for each AP).
- Impact on 802.1X/EAP traffic through an EWG between the access points and the authentication server: the APs must be configured with a gateway address (the EWG's wireless-side interface) so that their RADIUS traffic can be routed to the server on the backbone.
- Connectivity problems associated with clients roaming across different layer 3 devices: a client that crosses a subnet boundary receives a new IP address and loses its sessions unless Mobile IP or a proprietary subnet-roaming feature is in use.
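The NAPT effects listed above, as an added example that is not part of the original slides: a minimal port-translator model with assumed addresses (a 10.20.0.0/16 wireless segment, the gateway's backbone-side address 192.168.1.1, an AP at 10.20.0.2, a VPN concentrator at 192.168.1.10). It shows that outbound TCP works and replies come back, that an inbound management session to the AP is dropped until a static NAT entry exists, and that two ESP clients collide because ESP has no port to translate.

```python
"""Added example (not from the original slides): a minimal NAPT model.

Addresses are assumed. It demonstrates three consequences of putting a
port translator between the wireless segment and the backbone:
  * outbound TCP/UDP from a wireless client works and replies are
    translated back to the client,
  * an inbound management session to an AP on the wireless side is
    dropped unless a static NAT entry exists for that AP,
  * IPsec ESP carries no port numbers, so two ESP clients share one
    table entry and one of them stops receiving replies.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: no transport header to rewrite
    dport: Optional[int] = None

Endpoint = Tuple[str, Optional[int]]

class Napt:
    def __init__(self, outside_ip: str, first_port: int = 40000) -> None:
        self.outside_ip = outside_ip                # backbone-side address of the gateway
        self.next_port = first_port
        self.table: Dict[Endpoint, Endpoint] = {}   # (proto, outside port) -> (inside ip, inside port)
        self.static: Dict[Endpoint, Endpoint] = {}  # (proto, outside port) -> (AP ip, AP port)

    def add_static(self, proto: str, outside_port: int, inside_ip: str, inside_port: int) -> None:
        """Static NAT entry so the wired management station can reach an AP."""
        self.static[(proto, outside_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Wireless side -> backbone: rewrite the source and record the mapping."""
        inside = (pkt.src, pkt.sport)
        if pkt.proto in ("tcp", "udp"):
            for (proto, oport), mapped in self.table.items():
                if proto == pkt.proto and mapped == inside:
                    return replace(pkt, src=self.outside_ip, sport=oport)
            oport = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, oport)] = inside
            return replace(pkt, src=self.outside_ip, sport=oport)
        if pkt.proto == "esp":
            # Only one key is possible for ESP, so a second client overwrites the first.
            self.table[("esp", None)] = inside
            return replace(pkt, src=self.outside_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Backbone -> wireless side: translate a known mapping, else drop the packet."""
        key = (pkt.proto, pkt.dport)
        if key in self.static:
            ip, port = self.static[key]
            return replace(pkt, dst=ip, dport=port)
        if key in self.table:
            ip, port = self.table[key]
            return replace(pkt, dst=ip, dport=port)
        return None   # unsolicited inbound traffic has no mapping

def walkthrough() -> Dict[str, object]:
    """Run the three scenarios and return what each produced."""
    nat = Napt("192.168.1.1")
    # 1. A wireless client browses a backbone web server; the reply is translated back.
    out = nat.outbound(Packet("tcp", "10.20.0.5", "192.168.5.5", 51000, 80))
    reply = nat.inbound(Packet("tcp", "192.168.5.5", out.src, 80, out.sport))
    # 2. The wired management station tries to SSH to the AP at 10.20.0.2.
    mgmt_before = nat.inbound(Packet("tcp", "192.168.9.9", "192.168.1.1", 50000, 22))
    nat.add_static("tcp", 2201, "10.20.0.2", 22)
    mgmt_after = nat.inbound(Packet("tcp", "192.168.9.9", "192.168.1.1", 50000, 2201))
    # 3. Two IPsec clients open ESP sessions to the concentrator on the backbone.
    nat.outbound(Packet("esp", "10.20.0.5", "192.168.1.10"))
    nat.outbound(Packet("esp", "10.20.0.6", "192.168.1.10"))
    esp_reply = nat.inbound(Packet("esp", "192.168.1.10", "192.168.1.1"))
    return {
        "tcp_reply_dst": (reply.dst, reply.dport),
        "mgmt_without_static": mgmt_before,
        "mgmt_with_static": (mgmt_after.dst, mgmt_after.dport),
        "esp_reply_goes_to": esp_reply.dst,   # the second client; the first is cut off
    }

if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The ESP collision is exactly why NAT traversal wraps ESP in UDP port 4500: the UDP header gives the translator something to rewrite and key on.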
Routers
- Routers are intelligent but, compared with layer 3 switches, slow devices.
- The strongest security a router supports is a firewall feature set, where the router software offers one.
- Access control lists (ACLs) are the basic security mechanism.
- Some router software, such as Cisco's IOS, supports Mobile IP.
- Most routers provide no user authentication: they filter on addresses, protocols and ports, not on who the wireless client is.
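How a router's ACL builds the wireless DMZ named in the objectives, as an added example that is not part of the original slides. The evaluator applies the rules the way a router does (first match wins, implicit deny after the last rule), and the rule set assumes an address plan of my own: a 10.20.0.0/16 wireless segment, a 192.168.0.0/16 backbone containing a VPN concentrator at 192.168.1.10 and a DNS server at 192.168.1.20. Wireless clients may reach only the concentrator's VPN ports, the DNS server, and the Internet; everything else bound for the backbone is dropped at the router.

```python
"""Added example (not from the original slides): a router-style access
list evaluated first-match-wins with an implicit deny at the end.
All addresses are assumed. The rule set is one way to build a wireless
DMZ: only VPN traffic to the concentrator and DNS lookups may enter the
backbone from the wireless segment; Internet-bound traffic is allowed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int] = None   # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Assumed address plan
WLAN = "10.20.0.0/16"          # wireless segment behind the router
BACKBONE = "192.168.0.0/16"    # wired backbone
VPN_CONC = "192.168.1.10/32"   # VPN concentrator (inside the backbone range)
DNS = "192.168.1.20/32"        # DNS server (inside the backbone range)
ANY = "0.0.0.0/0"

# Applied inbound on the router's wireless-side interface. Order matters:
# the specific permits must come before the deny for the whole backbone.
WIRELESS_DMZ_ACL = [
    Rule("permit", "udp", WLAN, VPN_CONC, 500),    # IKE
    Rule("permit", "udp", WLAN, VPN_CONC, 4500),   # IKE / ESP with NAT traversal
    Rule("permit", "esp", WLAN, VPN_CONC),         # IPsec ESP
    Rule("permit", "tcp", WLAN, VPN_CONC, 1723),   # PPTP control channel
    Rule("permit", "gre", WLAN, VPN_CONC),         # PPTP data channel
    Rule("permit", "udp", WLAN, DNS, 53),          # name resolution
    Rule("deny",   "ip",  WLAN, BACKBONE),         # nothing else into the backbone
    Rule("permit", "ip",  WLAN, ANY),              # Internet-bound traffic
]

def check_dmz(acl: List[Rule]) -> Dict[str, str]:
    """Evaluate representative flows from a wireless client; a misordered ACL shows up here."""
    flows = {
        "ipsec_to_concentrator": Packet("esp", "10.20.0.5", "192.168.1.10"),
        "pptp_to_concentrator": Packet("tcp", "10.20.0.5", "192.168.1.10", 1723),
        "dns": Packet("udp", "10.20.0.5", "192.168.1.20", 53),
        "smb_to_file_server": Packet("tcp", "10.20.0.5", "192.168.5.5", 445),
        "ssh_to_dns_server": Packet("tcp", "10.20.0.5", "192.168.1.20", 22),
        "web_to_internet": Packet("tcp", "10.20.0.5", "203.0.113.8", 80),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, verdict in check_dmz(WIRELESS_DMZ_ACL).items():
        print(f"{name:24s} {verdict}")
```

Note what the ACL does not do: it cannot tell an authenticated user from anyone else who has associated to the AP, which is the gap the VPN concentrator and EWG slides fill.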
Layer 3 Switches
- Layer 3 switches go by many names: route switches, switch routers, layer 3 switches, network switches.
- They are routers that switch traffic between physical interfaces in hardware and route traffic between virtual (VLAN) interfaces.
- Layer 3 switches are very fast.
- Expensive.
- Access control lists (ACLs) are the security mechanism.
- Rarely support Mobile IP.
- They provide no means of user authentication.
VPN Concentrators
- VPN concentrators support RADIUS or TACACS+ authentication.
- Very expensive to scale for large roll-outs.
- They serve two purposes:
  - First, to block layer 3 traffic from entering the backbone without authentication.
  - Second, to provide an encrypted point-to-point connection between the client and the concentrator.
- Client and server must use the same VPN protocol, and the settings must match on each end.
- Security depends on the protocol used and on how it is configured (authentication method, cipher, key length).
Firewalls
- Many firewalls are too slow to keep up with wireless LAN speeds.
- Firewall vendors fall into two groups. The all-purpose group added VPN concentrator functionality, followed by RADIUS support, to their firewalls.
- The purpose-built group segmented the product line into several different firewall types (Internet firewalls, WLAN firewalls).
- When used in conjunction with other solutions, firewalls offer strong security (example: a wireless client uses SSH2 to connect to an SSH2 server through a firewall that permits only that traffic).
- Firewalls have one distinct advantage: they are already supported as an integral part of the enterprise security solution.
Enterprise Encryption Gateways
- EEGs are layer 2 encryption devices that take Ethernet frames originating from or destined to the WLAN segment and place them in proprietary frame formats that traverse both the wireless and wired segments (a layer 2 VPN design in which each link is an encrypted point-to-point tunnel between the client and the gateway).
- The gateway divides the network into an encrypted segment (the wireless side, including the APs) and an unencrypted segment (the wired side).
- An EEG has an IP address for management purposes only (it does not perform routing).
- Data compression for increased throughput.
- Access point management is part of the configuration of an EEG.
- EEGs support RADIUS authentication or authentication via a proprietary access control server.
Enterprise Wireless Gateways
- There are two main types:
  - EWG appliances (stand-alone boxes)
  - Software EWGs installed on a typical Intel PC with two network interfaces
- The EWG has features common to routers, layer 3 switches, firewalls, and VPN concentrators, plus more.
- The principal weakness of EWGs is the lack of protection for the access points themselves: the APs sit on the untrusted side of the gateway, so the gateway protects the backbone from the wireless segment but not the APs from wireless attackers.
Network Positioning
- EWGs are positioned between the wireless network segment and the network backbone.
- If VLANs are used, the EWG resides between the wireless VLAN and the wired VLANs.
- An EWG acts as a router with two fast (gigabit) interfaces, one for the WLAN side and one for the wired side, each with its own IP address.
- NAT can be performed in both directions.
Firewall Functionality
- EWGs have integrated firewall features.
- When complex firewall filtering is done, the number of simultaneously supported APs and wireless clients goes down, because every packet must be evaluated against the rule set.
VPN Concentrator Functionality
- The main security feature of EWGs.
- The most common VPN types (PPTP, L2TP, and IPsec) are usually supported.
- Authentication against a local user database, LDAP, or RADIUS.
Wireless-Oriented Features
- Rate limiting (may mitigate DoS attacks and keeps one client from starving the others)
- Role-based access control (RBAC)
  - A "role" is created based on job description (e.g. network security staff) or network use requirements (e.g. bandwidth); users inherit the firewall rules and limits of their role.
- Proprietary methods of subnet roaming for seamless mobility (the 802.11f standard addresses seamless mobility through the Inter Access Point Protocol (IAPP), and IETF RFC 2002 addresses the Mobile IP protocol)
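Rate limiting driven by roles, as an added example that is not part of the original slides: each client gets a token bucket whose sustained rate and burst size come from the client's role, so a flooding guest station is throttled to its role's rate while a staff user is untouched. The roles, rates and client addresses are assumed for illustration.

```python
"""Added example (not from the original slides): per-client token-bucket
rate limiting with the bucket parameters taken from the client's role.
Roles, rates and addresses are assumed. A client that keeps sending
faster than its role allows is cut back to the sustained rate, so one
flooding station cannot consume the gateway's or the backbone's capacity.
"""
from dataclasses import dataclass
from typing import Dict

@dataclass(frozen=True)
class Role:
    name: str
    rate_bps: float      # sustained bytes per second
    burst_bytes: float   # bucket capacity: how much may be sent at once

# Assumed roles. On a real EWG a role also carries firewall rules; here it carries limits.
ROLES: Dict[str, Role] = {
    "guest": Role("guest", rate_bps=64_000, burst_bytes=16_000),
    "staff": Role("staff", rate_bps=10_000_000, burst_bytes=1_000_000),
}

@dataclass
class Bucket:
    tokens: float
    last: float

class RoleRateLimiter:
    def __init__(self, roles: Dict[str, Role], user_roles: Dict[str, str],
                 default_role: str = "guest") -> None:
        self.roles = roles
        self.user_roles = user_roles        # client IP -> role name, set at login
        self.default_role = default_role    # unknown clients get the most restrictive role
        self.buckets: Dict[str, Bucket] = {}

    def role_of(self, client: str) -> Role:
        return self.roles[self.user_roles.get(client, self.default_role)]

    def allow(self, client: str, size: int, now: float) -> bool:
        """Admit a frame of `size` bytes from `client` at time `now` (seconds)?"""
        role = self.role_of(client)
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = Bucket(tokens=role.burst_bytes, last=now)
            self.buckets[client] = bucket
        # Refill for the elapsed time, never beyond the role's burst size.
        bucket.tokens = min(role.burst_bytes,
                            bucket.tokens + (now - bucket.last) * role.rate_bps)
        bucket.last = now
        if size <= bucket.tokens:
            bucket.tokens -= size
            return True
        return False   # over the role's limit: the frame is dropped

def simulate_flood(limiter: RoleRateLimiter, client: str, frames: int = 1000,
                   size: int = 1500, interval: float = 0.001) -> int:
    """Send `frames` frames of `size` bytes every `interval` seconds; return how many got through."""
    return sum(limiter.allow(client, size, i * interval) for i in range(frames))

if __name__ == "__main__":
    limiter = RoleRateLimiter(ROLES, {"10.20.0.7": "staff"})
    print("staff frames admitted:", simulate_flood(limiter, "10.20.0.7"))
    print("guest frames admitted:", simulate_flood(limiter, "10.20.0.99"))
```

A flood of 1000 full-size frames in one second (12 Mbit/s) passes untouched for the staff role but is held to the guest role's budget of a 16 kB burst plus 64 kB/s, about 53 frames; the rest are dropped at the gateway before they reach the backbone.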
Performance
Performance is a key consideration when comparing EWGs. Consider the following factors when purchasing EWGs:
- Number of simultaneous users
- Unencrypted throughput
- Encrypted throughput
Resources
- CWSP Certified Wireless Security Professional (McGraw-Hill)