wlan access zones karri huhtanen. wlan access network

Post on 17-Dec-2015


WLAN Access Zones

Karri Huhtanen <karri.huhtanen@wnsonline.net>

WLAN Access Network

... threats

• eavesdropping

– and recording radio traffic

– and recording IP traffic / traffic on the MAC level (e.g. tcpdump)

• denial of service

– IP DoS attacks

– Radio DoS attacks

– Interference from other devices on unlicensed 2.4GHz band (e.g. Bluetooth, microwave ovens, other links)

• integrity / replay

– MAC address forging, IP hijacking

– replay registration attacks against WLAN access point

– IP replay / integrity / man-in-the-middle attacks (e.g. forging email, capturing keys)

... solutions

• WEP (Wired Equivalent Privacy) encryption

– unique and common shared secrets

– changing the shared secret often, key exchange secured by vendor specific solution

• IPSEC / VPN, encrypting traffic on IP level, the authentication of user to network and the network to user

• MAC address access filtering in WLAN access point (AP)

• Vendor specific solutions like Lucent’s ”closed network” setting.

• Legislation concerning deliberate interference of telecommunications

... problems

• There are several known weaknesses in the structure of WEP encryption

• WEP shared secret is useless when it’s common knowledge

• WEP key exchange is not yet a defined standard, different vendors have implemented their own solutions that usually are not interoperable.

• MAC address can be faked very easily => additional authentication is required

• Radio DoS attacks may only be prevented by legislation, radio interference from other devices cannot be prevented, only avoided

• The only methods to authenticate radio network on non-IP level to user are network id (essid) and the possible shared secret

• Replay attacks may be prevented to some extent with WEP but the network is as vulnerable as every other IP network

Regional Access Zone

... network structure

[Figure: regional access zone network structure. Labels: operator x core network; Internet; application servers and databases; security gw / firewall; authentication server (e.g. Radius); regional access zones; Point of Presence (PoP); router / wireless router; IPSEC/VPN secured tunnel through regional access zone to operator network]

... threats

• Denial of service due to radio interference or malicious user

• Unauthorized or unaccounted access to the network and Internet

• Eavesdropping and recording other users’ traffic

• Faked servers and networks, intercepting other users’ traffic

• Network performance loss due to extensive traffic using private network addresses and bypassing the security gateway

... solutions

• Network management that can determine overloaded access points and based on e.g. GPS coordinates of the access points also pinpoint the area where the disturbance is

• Some radio interference can be avoided by careful radio network planning, using licensed frequencies

• VPN/IPSEC client and security gateway

• IPSEC protected traffic between routers

• Filters, firewall / class of service rules, traffic shaping in (wireless) routers

• The selection of secure management / dynamic routing protocol

• Filtering out routing/management protocols in routers that may be potentially dangerous

... problems

• Most of the vendor products available on the market today do not have the features needed to handle the threats or implement the solutions => need for customized/homemade network elements

• VPN IPSEC implementations and their interoperability (key exchange and authentication)

• Faked servers and services can still cause trouble within one cell => need for network elements that can also handle this kind of problem, and also need for user education

• Double tunneling if two VPNs are used, one to secure access over the radio path and the other to connect to, for example, the company intranet

• What if some devices / users do / can not have an interoperable VPN client installed?

• How to create and combine public access to this scenario?

Public Access Zone

... network structure

[Figure: public access zone network structure. Labels: operator x core network; Internet; public access service provider’s network; public access zones; company intranet; security gw / firewall; public access controller / firewall; IPSEC secured access to company intranet with company certified client; nonencrypted websurfing access to Internet; User Database; WEP “personal key” server]

... threats

• Denial of service due to radio interference or malicious user

• Unauthorized and unaccounted access to the network and Internet

• Eavesdropping and recording other users’ traffic

• Faked servers and networks, intercepting/diverting other users’ traffic

• The lack of traceability if many-to-one NAT is used

• Possible access to IP-level without authentication => better possibilities to eavesdrop traffic

... solutions

• Denial of service attack sources are easier to find as the average public access zone may be only one cell, network management also helps

• Public Access Controller (PAC) and related vendor solutions

• use WWW (https) secured authentication and MAC address based access filtering

• the usage of VPN client for corporate access after the PAC has opened the hole to Internet

• limit the access to Internet only to few ports (WWW, IMAP, etc.) => attacking hosts in Internet does not seem to be feasible

• use real IP addresses if possible
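The PAC behaviour listed above, sketched as an added example (not code from the original slides or from any vendor's PAC): a client is redirected to the HTTPS login until it authenticates, then its MAC is allowed out only on a small port allowlist. The class and function names, the port numbers and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed allowlist for "WWW, IMAP, etc." on the slide: HTTP, HTTPS, IMAP.
ALLOWED_PORTS = {80, 443, 143}
PORTAL_PORT = 443  # assumed: the PAC's own HTTPS login page


@dataclass
class PublicAccessController:
    """Toy model of PAC policy decisions; all names are hypothetical."""
    sessions: dict = field(default_factory=dict)  # mac -> (ip, user)
    alerts: list = field(default_factory=list)

    def login(self, mac, ip, user, password_ok):
        """Record a session once the HTTPS login form has been verified."""
        if not password_ok:
            return False
        self.sessions[mac.lower()] = (ip, user)
        return True

    def decide(self, mac, ip, dst_port, to_portal=False):
        """Return 'allow', 'redirect' or 'drop' for one new flow."""
        mac = mac.lower()
        session = self.sessions.get(mac)
        if session is None:
            # Unauthenticated clients may only reach the login portal.
            if to_portal and dst_port == PORTAL_PORT:
                return "allow"
            return "redirect"
        bound_ip, user = session
        if ip != bound_ip:
            # Authorized MAC seen with another IP: the MAC filter alone
            # cannot vouch for the sender, so drop the flow and record it.
            self.alerts.append((mac, bound_ip, ip, user))
            return "drop"
        return "allow" if dst_port in ALLOWED_PORTS else "drop"


def demo():
    """Run constructed sample flows through the model."""
    pac = PublicAccessController()
    mac = "00:11:22:33:44:55"
    out = [pac.decide(mac, "10.0.0.5", 80)]        # before login
    pac.login(mac, "10.0.0.5", "alice", True)
    out.append(pac.decide(mac, "10.0.0.5", 443))   # web after login
    out.append(pac.decide(mac, "10.0.0.5", 25))    # port not allowlisted
    out.append(pac.decide(mac, "10.0.0.9", 80))    # MAC reused from other IP
    return out, pac.alerts


if __name__ == "__main__":
    print(demo())
```

The MAC-to-IP binding only catches a reused MAC that arrives with a different address, which is why the slides ask for more authentication than the MAC address alone.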

... problems

• WEP cannot be used

– shared keys cannot be used

– how to do the WEP key exchange with multiple vendor products

• Authentication

– WWW authentication may be the only feasible method

– MAC address by itself is not reliable nor does every card have a smart card reader embedded into them => more authentication is needed

• Accounting

– how to bill random users (paying with credit card for access)?

– combined GSM/WLAN billing is a pretty good idea, how to do it with every vendor’s card?

• VPN trouble

– with NAT

– interoperability

– key distribution is hard

– for every terminal there’s not a client

– users cannot be “forced” to use just one single vendor solution

Corporate Access Zone

... network structure

[Figure: corporate access zone network structure. Labels: operator x core network; Internet; security gw / firewall; corporate access zones; access servers net (e.g. DHCP, possible WEP “personal key” server); corporate visitor access zone; company intranet; IPSEC/VPN secured access to company intranet; noncrypted access to Internet and possibility to use own VPN client]

... threats

• Unauthorized and unaccounted access to the intranet

• Eavesdropping and recording intranet / users’ traffic

• Faked servers and networks, intercepting/diverting/modifying other users’ traffic

• Denial of service attack threat is not, in the author’s opinion, very likely. However, denial of service of network elements may cause losses depending on the company

... solutions

• IPSEC/VPN client

• Also WEP encryption (helps in authenticating network to user and user to network)

• Firewalls

• Company policies / standards (client, software/hardware configuration, security)

• Personnel security training

• Careful selection of software/hardware solutions to minimize interoperability problems

• Redundancy for high availability and load balancing

... problems

• the different requirements of different users and business units (R&D requires more flexibility, but also more security, production may not need only standard solution etc.)

• People and their attitudes towards security, company policies and standards. These must not feel like paper pushing because of the paper pushing.

• Questions like:

– can the service provider be trusted to terminate company user’s IPSEC tunnel and then create another one?

– how can the user terminal be protected outside company network so that it won’t serve as a host for trojan horses or reveal sensitive data to non-employees about the network?

• Creating the security policy and rules.

More Information

- (In)Security of the WEP algorithm by Nikita Borisov, Ian Goldberg, and David Wagner (http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html)

- Wireless LANs course at Tampere University of Technology (http://www.cs.tut.fi/kurssit/83800/) and the seminar presentation there

- About Access Zones and WLAN, check Nokia’s Operator WLAN concept as well as Cisco’s and Lucent’s WLAN pages and solutions and of course the author’s seminar report

- About Wireless Network Services Oy (http://www.wnsonline.net/)

Possible exam questions

• Present one weakness of the WEP algorithm used in WLAN networks and an attack that works against it, along with the principles of both. Why is the weakness a weakness and how does the attack exploit it?

• In what ways can you counter the threat of eavesdropping on the radio path in WLAN networks?

• You have been given the task of designing a WLAN access zone that gives a company’s employees access to the company’s internal network. What is the structure of the network you design and which solutions do you use to ensure information security? Include the threats countered and the justification for the solutions.

• Protecting public access zones with IPSEC and other VPN technologies involves several problems. Present a few of them.

• Your task is to design a public WLAN access zone for use by an Internet service provider. Draw the network structure of the access zone with its devices and analyse which security threats you have been able to avoid, which you have not, and why.
