Surviving two years with a large scale enterprise WLAN
TRANSCRIPT
![Page 1: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/1.jpg)
Session: WIR-150, 23/10/07
Surviving Two Years With a Large Scale Enterprise WLAN
Joerg Fritsch, NATO C3 Agency
RSA Conference 2007, 23 October 11:40AM, London
![Page 2: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/2.jpg)
What story am I going to tell?
• Design, provisioning and operations of a large scale NATO UNCLASSIFIED wireless network two years ago
– Followed the NIST guidelines
– In the meantime DOD "Wireless Security Policy 8100.2" and BSI "Technische Richtlinie Sicheres WLAN" (Technical Guideline: Secure WLAN) were published
• Wanted to
– Mitigate known risks
– Know who is on our network
– Understand what we are doing and why
– Visualize the network perimeter
• Did not want to run the risk that only we would be following these guidelines
![Page 3: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/3.jpg)
What story am I going to tell (continued)
• What we currently have
• What attacks we imagine and what we set against it
• What attacks we observed
• Voice over WLAN, VoWLAN– Our vision, our homework & our test results
• Two “generations” of RF planning & prediction– Contours vs Bins
• WLAN Monitoring– Day-to-day operations
• Lessons learned
![Page 4: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/4.jpg)
What we (currently) have
• Centralized management of access points. We get good enough roaming qualities for 802.11g telephones
– Wireless Control System, WCS
– Cisco Catalyst 6509 Wireless Service Module, WiSM
– Channels 1, 6 and 11 in use
• Access points
– 64 Cisco 1200 Lightweight Access Points, LWAPs, supporting 802.11a/g
– Dedicated ceiling mounted antennas for 802.11g and "rubber duck" antennas for 802.11a
– No mesh deployment
– SSID not broadcast
– Operational 24x7
![Page 5: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/5.jpg)
What we currently have (continued)
• WLAN collocated with existing LAN
• Authentication
– Migrated from Juniper/Funk Steel-Belted Radius to Cisco Secure ACS
– Use of LEAP as a legacy. Started migration to PEAP
• Privacy
– WPA2/AES
– Lowest common denominator WPA/TKIP "naturally" ageing out
• Open guest network
– Physically disconnected from our business WLAN
– HTTP authentication, credentials handed out together with visitor badges
– Currently looking for a way to do dynamic registration
![Page 6: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/6.jpg)
Meet the Access Point-Fairy
[Photo sequence of the installation: Day 1, Day 2, Day 5, Day 7, Day 8]
• By the way: "Rubber Duck" antennas work best when one wavelength apart
– 802.11g ~ 13 cm
– 802.11a ~ 5 cm
![Page 7: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/7.jpg)
What “they” have and what we set against it
![Page 8: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/8.jpg)
What “they” have and what we set against it (cont.)
Attacks on
• Confidentiality
• Authentication
• Availability
– Disassociation attacks
– Jamming
• Man-in-the-middle
– Rogue devices
– Impostors
Mitigation strategy
• 802.11i (WPA2/AES-CCMP)
• Compromise between manageability and security: Protected EAP, PEAP
– Server based certificate
– AD client passwords
• 802.11w, Management Frame Protection, MFP
– Mitigating attacks with bogus frames
– Closing a gap in confidentiality
• IDS
– 30 patterns
– Not every day a new exploit
• Physical security
[Diagram labels: Complete view of whole wireless network; Geo-location of clients, hackers and impostors]
![Page 9: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/9.jpg)
What attacks we observed
• No successful attacks (at least that we know of)
– In 2007 three severe attacks so far, none was a DOS (jamming) attack
• One disassociation attack
• Two attempted impersonations of authorized access points
– Occasional MFP violations reported, does not seem severe
• Clients sometimes excluded (temporarily)
– Because of repeatedly failed association/authentication
– Because of possible attacks on the encryption (i.e. replay attacks)
– This happens one to five times per day
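The disassociation attack, the MFP violations and the IDS patterns mentioned on the last two slides come down to two checks a controller can run on 802.11 management frames: a rate signature (a burst of deauthentication or disassociation frames for one BSSID, typically addressed to broadcast) and, for a BSS that advertises Management Frame Protection, the rule that a deauth or disassoc frame arriving without the MFP integrity check is a forgery by definition, because the real AP would have signed it. The following Python is an added example written for this page, not the author's code and not Cisco's wIDS implementation; it runs both checks over a constructed, time-ordered list of frame records. The record field names (`subtype`, `bssid`, `protected`), the MAC addresses and the thresholds are assumptions; a real deployment would fill the records from a monitor-mode capture. One caveat a practitioner should keep in mind: Cisco's MFP predates 802.11w, which was only ratified in 2009, and client-side MFP at the time required CCXv5 clients, so the "unprotected frame equals forgery" rule only holds for BSSs and clients that actually negotiated protection.

```python
"""Deauth/disassoc flood and MFP-violation detection over 802.11 management
frame records.  Added example for this page (not the author's or Cisco's code).
Frame records are constructed below; a real deployment would take them from a
monitor-mode capture, in time order."""
from collections import defaultdict, deque

# Constructed addresses; none of these belong to a real network.
AP1 = "00:1a:2b:3c:4d:01"      # MFP-capable AP
AP2 = "00:1a:2b:3c:4d:02"      # MFP-capable AP whose BSSID the attacker spoofs
AP3 = "00:1a:2b:3c:4d:03"      # legacy AP without MFP
CLIENT = "00:16:6f:aa:bb:cc"
BCAST = "ff:ff:ff:ff:ff:ff"

# Assumed: BSSIDs that advertise MFP.  On a real controller this comes from the
# RSN capabilities the AP puts in its own beacons.
MFP_CAPABLE = {AP1, AP2}

ROBUST = ("deauth", "disassoc")   # robust management frames under MFP/802.11w


def analyze(frames, mfp_capable=MFP_CAPABLE, threshold=10, window=1.0):
    """Return a list of (alert, bssid, timestamp) tuples.

    "mfp_violation": an unprotected deauth/disassoc carrying the BSSID of an
        MFP-capable AP.  The real AP would have added the MIC, so the frame
        was injected by someone else (one alert per offending frame).
    "deauth_flood": at least `threshold` deauth/disassoc frames for one BSSID
        inside a sliding `window` of seconds (raised once per BSSID).
    """
    alerts = []
    recent = defaultdict(deque)     # bssid -> timestamps inside the window
    flooded = set()
    for f in frames:
        if f["subtype"] not in ROBUST:
            continue
        if f["bssid"] in mfp_capable and not f["protected"]:
            alerts.append(("mfp_violation", f["bssid"], f["ts"]))
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while f["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in flooded:
            flooded.add(f["bssid"])
            alerts.append(("deauth_flood", f["bssid"], f["ts"]))
    return alerts


def sample_frames():
    """Constructed capture: normal traffic followed by a spoofed broadcast
    deauth burst against AP2's clients."""
    frames = [
        {"ts": 0.00, "subtype": "beacon",   "bssid": AP1, "dst": BCAST,  "protected": False},
        # AP1 legitimately drops a client; the frame carries the MFP MIC.
        {"ts": 0.10, "subtype": "deauth",   "bssid": AP1, "dst": CLIENT, "protected": True},
        # AP3 has no MFP, so a single unprotected disassoc is not a violation.
        {"ts": 0.20, "subtype": "disassoc", "bssid": AP3, "dst": CLIENT, "protected": False},
    ]
    # Attacker injects 12 unprotected broadcast deauths with AP2's BSSID in 0.55 s.
    for i in range(12):
        frames.append({"ts": 1.0 + 0.05 * i, "subtype": "deauth", "bssid": AP2,
                       "dst": BCAST, "protected": False})
    return frames


def summarize(alerts):
    """Count alerts per (alert type, bssid) for a dashboard-style view."""
    counts = defaultdict(int)
    for kind, bssid, _ in alerts:
        counts[(kind, bssid)] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, bssid, ts in analyze(sample_frames()):
        print(f"{ts:6.2f}  {kind:14}  {bssid}")
    print(summarize(analyze(sample_frames())))
```

On the constructed capture the legitimate, MIC-protected deauth from AP1 and the single disassoc from the non-MFP AP3 raise nothing, while the spoofed burst yields twelve MFP violations and one flood alert for AP2 at the tenth frame. The threshold and window are the knobs a controller exposes as its "deauth flood" style signature; set them from observed baseline rates so that the one-to-five daily client exclusions mentioned on the slide are not mistaken for an attack.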
![Page 10: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/10.jpg)
What attacks we observed (continued)
• Known attacks require the attacker to get physically close to your infrastructure
• Most attackers are somewhat "shy" of close encounters
• Users (clients, attackers & impostors) can be located +/- 5 m
– Using the Wireless Control System (WCS)
– If inside the defined perimeter
– If antennas in three dimensions (multiple levels of office space)
– This is easy to achieve
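The ±5 m figure and the condition "antennas in three dimensions" follow from the geometry of range-based positioning. The Python below is an added example for this page, not the author's code and not the algorithm inside Cisco WCS (which works from calibrated RSSI measurements against the floor plan); it converts constructed RSSI readings to ranges with a log-distance path-loss model (the 1 m reference level of -40 dBm and the path-loss exponent of 3 are assumptions), solves the linearised least-squares position from four access points, and shows that when every AP sits at the same ceiling height the z coordinate drops out of the equations entirely, so the solver cannot tell which floor the client is on.

```python
"""RSSI trilateration in three dimensions.  Added example for this page, not the
author's code and not how Cisco WCS computes location; it shows why the slide
requires antennas on several levels.  Path-loss parameters, AP coordinates and
the client position are assumptions."""
import math

P0_DBM = -40.0   # assumed RSSI at 1 m from the AP
PL_EXP = 3.0     # assumed path-loss exponent for an office environment

CLIENT = (8.0, 5.0, 3.0)
# Assumed AP positions: two on the ground-floor ceiling (z=3), one a floor up
# (z=6) and one a floor down (z=0): a three-dimensional anchor set.
APS_3D = [(0.0, 0.0, 3.0), (20.0, 0.0, 3.0), (0.0, 15.0, 6.0), (20.0, 15.0, 0.0)]
# Same floor plan with every AP on the same ceiling: coplanar anchors.
APS_FLAT = [(0.0, 0.0, 3.0), (20.0, 0.0, 3.0), (0.0, 15.0, 3.0), (20.0, 15.0, 3.0)]


def distance_to_rssi(d):
    return P0_DBM - 10 * PL_EXP * math.log10(d)


def rssi_to_distance(rssi):
    return 10 ** ((P0_DBM - rssi) / (10 * PL_EXP))


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting; raises ValueError when
    the system is singular."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-9:
            raise ValueError("singular geometry: anchors do not determine all coordinates")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def locate(anchors, distances):
    """Least-squares position from >= 4 anchors (x, y, z) and their ranges.

    Subtracting the first sphere equation from each other one linearises the
    problem:  2 (p_i - p_0) . x = |p_i|^2 - |p_0|^2 - d_i^2 + d_0^2.
    If all anchors share one z, the z column of the system is zero and the
    normal equations are singular: z is unobservable.
    """
    p0, d0 = anchors[0], distances[0]
    rows, rhs = [], []
    for p, d in zip(anchors[1:], distances[1:]):
        rows.append([2 * (p[k] - p0[k]) for k in range(3)])
        rhs.append(sum(p[k] ** 2 - p0[k] ** 2 for k in range(3)) - d * d + d0 * d0)
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    atb = [sum(r[i] * b for r, b in zip(rows, rhs)) for i in range(3)]
    return solve_linear(ata, atb)


def measured_rssi(aps, client, round_dbm=True):
    """Constructed measurements from the ideal path-loss model, reported as
    integer dBm the way a controller reports them."""
    vals = [distance_to_rssi(math.dist(ap, client)) for ap in aps]
    return [float(round(v)) for v in vals] if round_dbm else vals


def locate_from_rssi(aps, rssis):
    return locate(aps, [rssi_to_distance(r) for r in rssis])


def z_observable(aps, client):
    """True if the anchor geometry lets the solver recover all three coordinates."""
    try:
        locate_from_rssi(aps, measured_rssi(aps, client, round_dbm=False))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    est = locate_from_rssi(APS_3D, measured_rssi(APS_3D, CLIENT))
    print("3D anchors, integer dBm:", [round(v, 2) for v in est],
          "error %.2f m" % math.dist(est, CLIENT))
    print("coplanar anchors resolve z:", z_observable(APS_FLAT, CLIENT))
```

With the three-dimensional anchor set and exact readings the solver recovers the client position to floating-point precision; with readings rounded to whole dBm, as a controller reports them, the error stays well under the slide's ±5 m. With the coplanar set the same readings raise the singular-geometry error, which is exactly why the slide lists antennas on multiple levels as a precondition. In a real building the range model is the weak point, not the algebra: walls and floors change the effective path-loss exponent, which is what the calibration step in a tool like WCS corrects for.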
![Page 11: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/11.jpg)
Voice over WLAN, VoWLAN
• Initial reports & press coverage in 2004
• It was predicted that by 2007 27% of all commercial VoIP deployments would be WLAN based
• Then there was a silence
• More and more press coverage in early 2007
• Our vision:
– Seamless roaming between WLAN and GSM with eventually one device
– Unified, controlled "airspace" for voice and data
• Our homework:
– VoWLAN requires full blown VoIP call infrastructure
– Perimeter must be extended
  • to grant sufficient outside coverage for 1st aid & fire brigade
  • into "impossible" locations (i.e. the toilet cubicles)
![Page 12: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/12.jpg)
VoWLAN: what we tested
• Cisco 7920
– Up to now the best we have seen
– Cisco has announced the end of sale
• Mitel
• Nokia E60 / E61
– No support for STUN (SIP & NAT) although announced for Q1 2007
– Nokia does not talk to us directly
• Cisco 7921
– Nice graphics
– High costs
– Significantly longer battery life (now it is a real phone)
– Required upgrade of WiSM to rev 4.1 in order to show good roaming
![Page 13: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/13.jpg)
Wireless planning
• Contours – Year one: EKAHAU
– Good results
– Good for small sites
– Very affordable
– Requires a lot of time to draw up the plans
– Works only in the two dimensional space
• Bins – Year two: Wireless Valley / Motorola LAN Planner
– Fast import of existing CAD drawings from every building
– 3D planning and visualizing
– Saves a lot of time for large scale projects
– Results / accuracy not necessarily better
![Page 14: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/14.jpg)
Coverage Maps – impressive views #1
• Site Surveys always confirmed the prediction from the RF propagation tools
![Page 15: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/15.jpg)
Coverage Maps – impressive views #2
![Page 16: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/16.jpg)
Monitoring the Wireless Network
• Bins > Contours > Pokerchips
• Simple “Heat” maps
• Dashboard style management of WLAN
• Not all reported coverage problems really exist
• Complete inventory
– Alarms
– Clients
– Access points
![Page 17: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/17.jpg)
In conclusion: Lessons learned
• Security isn't the same for every network and every application
– VPN security focus
  • Remote access
  • Network layer
– WLAN security focus
  • Local access
  • Link layer
  • Better performance, less complexity
– Sometimes VPN security simply does not do the job (i.e. 802.11 phones)
• Governmental policies (such as DOD 8100.2) seem to emphasize WLAN security features
![Page 18: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/18.jpg)
Lessons learned (continued)
• Deployment of WLANs can be controlled and risk can be managed
• No internal rogue/unauthorized access points for two years
• Currently undergoing a transition from LEAP to PEAP but it's not all easy
– Pro: Installing and maintaining a simple PKI to support PEAP is easy & painless
– Con: The PEAP implementation is not as good as the current LEAP
• For best user experience deploy one frequency band only
– Either 802.11a or 802.11g
• WLANs are more comparable to DECT than to the internet
– Interesting question: DECT security is not getting the same amount of attention in the media
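The LEAP-to-PEAP migration on the slide above, and the "server based certificate, AD client passwords" design on the mitigation slide, both turn on what the supplicant is configured to verify. LEAP is worth leaving because its MS-CHAP challenge/response can be cracked offline from a single captured exchange; PEAP fixes that by tunnelling MS-CHAPv2 inside TLS, but only if the client validates the server certificate and the server name, otherwise an impostor AP with any certificate receives the inner exchange and the migration buys little. The Python below is an added example for this page, not the author's code: a small auditor for wpa_supplicant-style `network={}` blocks that flags LEAP, PEAP without `ca_cert`, PEAP that trusts the CA but not the server name, and TKIP still being offered. The embedded configuration is constructed for the example; the SSIDs, the CA path, the RADIUS server name and the credentials are placeholders. Windows supplicants expose the same decisions as "Validate server certificate" and "Connect to these servers", so the same three checks apply there.

```python
"""Audit wpa_supplicant-style network blocks for the weaknesses that make the
LEAP-to-PEAP migration worth the effort.  Added example for this page, not the
author's code; the configuration below is constructed and every name in it is
a placeholder."""

SAMPLE_CONF = """
# Constructed sample configuration (not the NATO one).
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=LEAP                      # legacy method, as on the slide
    identity="user"
    password="secret"
    pairwise=TKIP CCMP
}
network={
    ssid="corp-peap-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    phase2="auth=MSCHAPV2"        # no ca_cert: server is never validated
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"   # placeholder path
    subject_match="CN=radius.corp.example"      # placeholder server name
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    pairwise=CCMP
}
"""

# wpa_supplicant options that pin the server identity, not just its CA.
SERVER_NAME_KEYS = ("subject_match", "altsubject_match",
                    "domain_suffix_match", "domain_match")


def parse_networks(text):
    """Minimal parser for network={ key=value ... } blocks; strips # comments
    and surrounding quotes.  Enough for audits, not a full config parser."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network=") and line.endswith("{"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return nets


def audit(net):
    """Return a list of findings (strings) for one network block."""
    findings = []
    eap = net.get("eap", "").upper()
    if eap == "LEAP":
        findings.append("LEAP: the MS-CHAP exchange can be cracked offline from "
                        "a capture; migrate to PEAP or EAP-TLS")
    elif eap == "PEAP":
        if "ca_cert" not in net:
            findings.append("PEAP without ca_cert: the server certificate is not "
                            "checked, so a rogue AP with any certificate receives "
                            "the inner MS-CHAPv2 response")
        elif not any(k in net for k in SERVER_NAME_KEYS):
            findings.append("PEAP trusts the CA but not the server name: any "
                            "certificate issued by that CA is accepted")
    if "TKIP" in net.get("pairwise", "").upper():
        findings.append("pairwise allows TKIP: WPA/TKIP should age out in favour "
                        "of WPA2/CCMP")
    return findings


def audit_config(text):
    """Map each SSID in a configuration to its findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "-> OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run against the constructed file, `corp-legacy` gets the LEAP and TKIP findings, `corp-peap-weak` gets the missing `ca_cert` finding, and `corp-peap` passes. The hardened block is the shape of the "simple PKI" the slide calls easy and painless: one private CA, one RADIUS server certificate issued by it, the CA certificate and the server name distributed to every client. Clients that cannot be made to check the name are the practical reason to keep EAP-TLS with client certificates on the table, as the key-points slide recommends.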
![Page 19: Surviving two years with a large scale enterprise WLAN](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c2957d8b42a09438b4e7a/html5/thumbnails/19.jpg)
Key points for building your own network
• Don't think about a wireless network as a number of access points
• Think about a wireless network as a central controller with many antennas
– RF management
– Keeps inventory
– Keeps records
• Geo-location of clients, access points, hackers & impostors lets no one get away "unseen"
• Imagine RF propagation as a viscous fluid which can go through walls
• Use software with bins or contours for RF propagation planning
• Deploy WPA2
• Deploy PEAP or EAP-TLS
• Make use of an IDS