1
A VPN based approach to secure WLAN access
John Floroiu, [email protected]
2
Goal
• Design and implementation of a protocol enabling mobile users visiting foreign WLAN domains to securely access network resources in the Internet
  – Authenticating mobile users
  – Protecting the data traffic of the clients
3
Reason
• Various attacks (passive, active, man-in-the-middle) are easier to mount in a WLAN because potential attackers may be located on the same link
• Initial message exchange between visiting nodes and a foreign WLAN domain is unprotected
4
Reason
[Figure: nomadic nodes attach over the wireless link to an access point, behind which an access router connects to the campus network]
5
Possible approaches
• EAP-based protocols
  – Compound authentication methods aimed at securing legacy authentication protocols
• VPN-based methods
  – Provide an IPsec overlay to WLANs
  – More flexibility in negotiating cryptographic material (protocols, transforms, SPI)
6
Outline of the protocol
• High level requirements
  – Authenticate users in an inter-domain environment
  – Provide strong security mechanisms to support per-user encryption and supply cryptographic material to other potential applications/protocols (Mobile IP)
  – Exhibit robustness to DoS (resource depletion, replay attacks, computational DoS)
7
Outline of the protocol
• Sets up an IPsec tunnel over the wireless link
• Uses AAA for inter-domain authentication
  – Based on shared secrets, timestamps (similar to MIPv4)
• ISAKMP for key exchange
  – Phase 1 exchange piggybacked into the AAA authentication request/answer
  – Phase 2 takes place between the client and the access router
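The slides describe the AAA leg of the protocol (shared secret, timestamp-based authentication in the style of MIPv4, with the ISAKMP phase 1 payload carried inside the AAA request/answer) and the DoS requirements of the previous slide. The following is an added example, not the author's implementation, modelling that exchange end to end: the nomadic node builds an AAA request whose authenticator is an HMAC over the NAI, a timestamp, a nonce and the piggybacked phase 1 payload; the home AAA verifies the authenticator before doing anything else, enforces a clock-skew window and rejects replays, then answers with its own nonce so that both the client and the access router derive the same session key. Everything here is assumed for illustration: the message layout, HMAC-SHA256 as the authenticator, the HMAC-based key derivation standing in for ISAKMP's own, the 60-second window, and the shared secret; in the real design the answer to the access router would be protected by the AAA/router security association, which this code simply returns as a value.

```python
"""Constructed model of AAA authentication with shared secret + timestamp and a
piggybacked phase 1 payload (illustrative example, not the paper's code)."""
import hashlib
import hmac
import os
import struct

# Assumed, out-of-band provisioned secret between nomadic node and home AAA.
HOME_NAI = "nomad@home.example"
HOME_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff"
                            "00112233445566778899aabbccddeeff")
TIMESTAMP_WINDOW = 60  # seconds of clock skew tolerated (assumed value)


def _encode(nai: str, ts: int, nonce: bytes, payload: bytes) -> bytes:
    """Assumed wire layout: len-prefixed NAI, 8-byte timestamp, 16-byte nonce,
    len-prefixed payload (the piggybacked ISAKMP phase 1 data)."""
    n = nai.encode()
    return (struct.pack("!H", len(n)) + n + struct.pack("!Q", ts) + nonce
            + struct.pack("!H", len(payload)) + payload)


def _decode(msg: bytes):
    """Split a message into its fields, the authenticated body and the MAC."""
    off = 0
    (n_len,) = struct.unpack_from("!H", msg, off); off += 2
    nai = msg[off:off + n_len].decode(); off += n_len
    (ts,) = struct.unpack_from("!Q", msg, off); off += 8
    nonce = msg[off:off + 16]; off += 16
    (p_len,) = struct.unpack_from("!H", msg, off); off += 2
    payload = msg[off:off + p_len]; off += p_len
    return nai, ts, nonce, payload, msg[:off], msg[off:]


def _mac(secret: bytes, body: bytes) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).digest()


def _derive_key(secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Stand-in for the phase 1 result: a key bound to both nonces, derived
    locally by the client and handed to the access router by the AAA answer."""
    return hmac.new(secret, b"phase1-key" + client_nonce + server_nonce,
                    hashlib.sha256).digest()


class NomadicNode:
    def __init__(self, nai: str, secret: bytes):
        self.nai, self.secret, self.nonce = nai, secret, None

    def aaa_request(self, now: int, phase1_payload: bytes) -> bytes:
        self.nonce = os.urandom(16)
        body = _encode(self.nai, now, self.nonce, phase1_payload)
        return body + _mac(self.secret, body)

    def process_answer(self, answer: bytes):
        """Verify the home AAA's authenticator and derive the session key."""
        _, _, server_nonce, payload, body, mac = _decode(answer)
        if not hmac.compare_digest(mac, _mac(self.secret, body)) or payload != b"OK":
            return None
        return _derive_key(self.secret, self.nonce, server_nonce)


class HomeAAA:
    def __init__(self, secrets: dict, window: int = TIMESTAMP_WINDOW):
        self.secrets, self.window = secrets, window
        self.last_ts = {}  # highest accepted timestamp per NAI (replay detection)

    def handle(self, request: bytes, now: int):
        """Returns (answer for the client, key for the access router), or
        (None, None) on rejection. Checks are ordered cheap-and-stateless first
        so forged or replayed requests cost no state and no key derivation."""
        try:
            nai, ts, nonce, payload, body, mac = _decode(request)
        except (struct.error, UnicodeDecodeError):
            return None, None
        secret = self.secrets.get(nai)
        if secret is None or not hmac.compare_digest(mac, _mac(secret, body)):
            return None, None  # unknown user or bad authenticator
        if abs(ts - now) > self.window:
            return None, None  # outside the clock-skew window
        if ts <= self.last_ts.get(nai, -1):
            return None, None  # replay of an already accepted request
        self.last_ts[nai] = ts
        server_nonce = os.urandom(16)
        key = _derive_key(secret, nonce, server_nonce)
        ans_body = _encode(nai, now, server_nonce, b"OK")
        return ans_body + _mac(secret, ans_body), key


def run_exchange(now: int = 1000):
    """Full round trip; returns (client key, access router key)."""
    node = NomadicNode(HOME_NAI, HOME_SECRET)
    home = HomeAAA({HOME_NAI: HOME_SECRET})
    req = node.aaa_request(now, b"ISAKMP-SA-proposal")  # constructed payload
    answer, router_key = home.handle(req, now + 2)
    return node.process_answer(answer), router_key


if __name__ == "__main__":
    ck, rk = run_exchange()
    print("keys match:", ck == rk)
```

The ordering inside `handle` is the point of the DoS requirement: the MAC is checked before the timestamp, and both before any per-user state is written or a key is derived, so an attacker without the shared secret cannot make the home AAA allocate state or do more than one HMAC per packet, and a captured valid request cannot be replayed once its timestamp has been accepted.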
8
Future work
• Local mobility: a nomadic node moves between different access routers within the same administrative domain
  – Dynamic "update" of the ends of an IPsec connection
  – Multihoming
9
Future work
[Figure: a nomadic node moves between two access points within the campus network, each served by an access router that also acts as local home agent]
10
Open issues
• Authentication of 802.11 management messages (beacon, association/re-association/disassociation request/reply)
11
Thank you!