WLAN Access Zones Karri Huhtanen <karri.huhtanen@wnsonline.net>


Post on 17-Dec-2015


Page 1: WLAN Access Zones Karri Huhtanen. WLAN Access Network

WLAN Access Zones

Karri Huhtanen <karri.huhtanen@wnsonline.net>


WLAN Access Network


... threats

• eavesdropping
  – and recording radio traffic
  – and recording IP traffic / traffic on the MAC level (e.g. tcpdump)

• denial of service
  – IP DoS attacks
  – Radio DoS attacks
  – Interference from other devices on unlicensed 2.4GHz band (e.g. Bluetooth, microwave ovens, other links)

• integrity / replay
  – MAC address forging, IP hijacking
  – replay registration attacks against WLAN access point
  – IP replay / integrity / man-in-the-middle attacks (e.g. forging email, capturing keys)


... solutions

• WEP (Wireless Equivalent Privacy) encryption

– unique and common shared secrets

– changing the shared secret often, key exchange secured by vendor specific solution

• IPSEC / VPN, encrypting traffic on IP level, the authentication of user to network and the network to user

• MAC address access filtering in WLAN access point (AP)

• Vendor specific solutions like Lucent’s ”closed network” setting.

• Legislation concerning deliberate interference of telecommunications


... problems

• There are several known weaknesses in the structure of WEP encryption

• WEP shared secret is useless when it’s common knowledge

• WEP key exchange is not yet a defined standard; different vendors have implemented their own solutions, which usually are not interoperable

• MAC address can be faked very easily => additional authentication is required

• Radio DoS attacks may only be prevented by legislation; radio interference from other devices cannot be prevented, only avoided

• The only methods to authenticate the radio network to the user on non-IP level are the network id (essid) and the possible shared secret

• Replay attacks may be prevented to some extent with WEP, but the network is as vulnerable as every other IP network


Regional Access Zone


... network structure

[Figure: network diagram. Labels: operator x core network; Internet; application servers and databases; security gw / firewall; authentication server (e.g. Radius); regional access zone; Point of Presence (PoP); router / wireless router; IPSEC/VPN secured tunnel through regional access zone to operator network]


... threats

• Denial of service due to radio interference or malicious user

• Unauthorized or unaccounted access to the network and Internet

• Eavesdropping and recording other users’ traffic

• Faked servers and networks, intercepting other users’ traffic

• Network performance loss due to extensive traffic using private network addresses and bypassing the security gateway


... solutions

• Network management that can determine overloaded access points and based on e.g. GPS coordinates of the access points also pinpoint the area where the disturbance is

• Some radio interference can be avoided by careful radio network planning, using licensed frequencies,

• VPN/IPSEC client and security gateway

• IPSEC protected traffic between routers

• Filters, firewall / class of service rules, traffic shaping in (wireless) routers

• The selection of secure management / dynamic routing protocol

• Filtering out routing/management protocols in routers that may be potentially dangerous


... problems

• Most of the vendor products available on market today do not have the features needed to handle the threats or implement the solutions => need for customized/homemade network elements

• VPN IPSEC implementations and their interoperability (key exchange and authentication)

• Faked servers and services can still cause trouble within one cell => need for network elements that can also handle this kind of problem, and also a need for user education

• Double tunneling if two VPNs are used, one to secure access over the radio path and the other to connect to, for example, the company intranet

• What if some devices / users do / can not have an interoperable VPN client installed?

• How to create and combine public access to this scenario?


Public Access Zone


... network structure

[Figure: network diagram. Labels: operator x core network; Internet; public access service provider’s network; public access zone; company intranet; security gw / firewall; public access controller / firewall; IPSEC secured access to company intranet with company certified client; nonencrypted websurfing access to Internet; User Database; WEP ”personal key” server]


... threats

• Denial of service due to radio interference or malicious user

• Unauthorized and unaccounted access to the network and Internet

• Eavesdropping and recording other users’ traffic

• Faked servers and networks, intercepting/diverting other users’ traffic

• The lack of traceability if many-to-one NAT is used

• Possible access to IP-level without authentication => better possibilities to eavesdrop traffic
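
The traceability threat in the list above, as an added example that is not part of the original slides: with many-to-one NAT, an abuse report that names only the public address and a time matches several users, while the translated source port narrows it to one. The log format, addresses and user names are constructed for illustration.

```python
from datetime import datetime

# Constructed NAT translation log: start, end, inside ip:port, outside ip:port.
# Outside port 40002 is reused by a second client after the first flow ends.
NAT_LOG = """\
2001-03-01T10:00:02 2001-03-01T10:04:40 10.1.0.17:1033 192.0.2.1:40001
2001-03-01T10:01:15 2001-03-01T10:02:00 10.1.0.23:1045 192.0.2.1:40002
2001-03-01T10:03:30 2001-03-01T10:09:10 10.1.0.31:1051 192.0.2.1:40002
"""

# Constructed mapping from inside address to authenticated user.
USERS = {"10.1.0.17": "alice", "10.1.0.23": "bob", "10.1.0.31": "carol"}


def parse(log):
    """Turn log lines into (start, end, inside_ip, outside_ip, outside_port)."""
    rows = []
    for line in log.splitlines():
        start, end, inside, outside = line.split()
        in_ip, _ = inside.rsplit(":", 1)
        out_ip, out_port = outside.rsplit(":", 1)
        rows.append((datetime.fromisoformat(start), datetime.fromisoformat(end),
                     in_ip, out_ip, int(out_port)))
    return rows


def attribute(rows, public_ip, when, public_port=None):
    """Return the users whose translation was active for the reported flow."""
    t = datetime.fromisoformat(when)
    hits = set()
    for start, end, in_ip, out_ip, out_port in rows:
        if out_ip != public_ip or not (start <= t <= end):
            continue
        if public_port is not None and out_port != public_port:
            continue
        hits.add(USERS.get(in_ip, "unknown:" + in_ip))
    return sorted(hits)


ROWS = parse(NAT_LOG)
```

Because outside ports are reused over time, the report needs both the port and an accurate timestamp; with real (non-translated) addresses the address alone identifies the client.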


... solutions

• Denial of service attack sources are easier to find, as the average public access zone may be only one cell; network management also helps

• Public Access Controller (PAC) and related vendor solutions

• use WWW (https) secured authentication and MAC address based access filtering

• the usage of VPN client for corporate access after the PAC has opened the hole to Internet

• limit the access to Internet only to few ports (WWW, IMAP, etc.) => attacking hosts in Internet does not seem to be feasible

• use real IP addresses if possible
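
A sketch of the access decision a Public Access Controller makes under the measures listed above, added here as an example and not taken from the original slides or any vendor product. The class, the port list and the session lifetime are assumptions; the slide names only "WWW, IMAP, etc.".

```python
from dataclasses import dataclass

# Assumed policy: the slide names only "WWW, IMAP, etc."; IKE and ESP are
# added so a corporate VPN client can run once the hole is open.
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 143), ("udp", 500), ("esp", None)}
SESSION_TTL = 3600  # seconds, assumed


@dataclass
class Session:
    user: str
    ip: str
    expires: float


class AccessController:
    """Hypothetical PAC: default deny, hole opened per client after login."""

    def __init__(self):
        self.sessions = {}  # MAC address -> Session
        self.alerts = []    # (time, mac, bound_ip, seen_ip)

    def login(self, user, mac, ip, now):
        # Called by the HTTPS login page after the credentials were verified.
        self.sessions[mac.lower()] = Session(user, ip, now + SESSION_TTL)

    def decide(self, mac, ip, proto, dport, now):
        mac = mac.lower()
        s = self.sessions.get(mac)
        if s is None or now >= s.expires:
            self.sessions.pop(mac, None)
            return "redirect-to-login"
        if ip != s.ip:
            # Authenticated MAC seen with another IP: a cheap sign of a forged
            # MAC. It is a detection signal, not a substitute for stronger
            # authentication.
            self.alerts.append((now, mac, s.ip, ip))
            return "drop"
        return "allow" if (proto, dport) in ALLOWED else "drop"
```

The session lifetime bounds how long an opened hole stays usable after the client leaves the cell, and the alert list gives network management a record of MAC/IP mismatches to investigate.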


... problems

• WEP cannot be used
  – shared keys cannot be used
  – how to do the WEP key exchange with multiple vendor products

• Authentication
  – WWW authentication may be the only feasible method
  – MAC address by itself is not reliable nor does every card have a smart card reader embedded into them => more authentication is needed

• Accounting
  – how to bill random users (paying with credit card for access)?
  – combined GSM/WLAN billing is a pretty good idea, how to do it with every vendor’s card?

• VPN trouble
  – with NAT
  – interoperability
  – key distribution is hard
  – for every terminal there’s not a client
  – users cannot be ”forced” to use just one single vendor solution


Corporate Access Zone


... network structure

[Figure: network diagram. Labels: operator x core network; Internet; security gw / firewall; corporate access zone; Access servers net (e.g. DHCP, possible WEP ”personal key” server); corporate visitor access zone; IPSEC/VPN secured access to company intranet; company intranet; Noncrypted access to Internet and possibility to use own VPN client]


... threats

• Unauthorized and unaccounted access to the intranet

• Eavesdropping and recording intranet / users’ traffic

• Faked servers and networks, intercepting/diverting/modifying other users’ traffic

• Denial of service attack threat is not in author’s opinion very likely. However denial of service of network elements may cause losses depending on the company


... solutions

• IPSEC/VPN client

• Also WEP encryption (helps in authenticating network to user and user to network)

• Firewalls

• Company policies / standards (client, software/hardware configuration, security)

• Personnel security training

• Careful selection of software/hardware solutions to minimize interoperability problems

• Redundancy for high availability and load balancing


... problems

• the different requirements of different users and business units (R&D requires more flexibility, but also more security, production may not need only standard solution etc.)

• People and their attitudes towards security, company policies and standards. These must not feel like paper pushing because of the paper pushing.

• Questions like:
  – can the service provider be trusted to terminate company user’s IPSEC tunnel and then create another one?
  – how can the user terminal be protected outside company network so that it won’t serve as a host for trojan horses or reveal sensitive data to non-employees about the network?

• Creating the security policy and rules.


More Information

- (In)Security of the WEP algorithm by Nikita Borisov, Ian Goldberg, and David Wagner (http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html)

- Wireless LANs course at Tampere University of Technology (http://www.cs.tut.fi/kurssit/83800/) and the seminar presentation there

- About Access Zones and WLAN, check Nokia’s Operator WLAN concept as well as Cisco’s and Lucent’s WLAN pages and solutions and of course the author’s seminar report

- About Wireless Network Services Oy (http://www.wnsonline.net/)


Possible exam questions

• Present one weakness of the WEP algorithm used in WLAN networks and an attack that works against it, along with their principles. Why is the weakness a weakness, and how does the attack exploit it?

• In what ways can you counter the threat of eavesdropping on the radio path in WLAN networks?

• You have been given the task of designing a WLAN access zone that gives the company's employees access to the company's internal network. What is the structure of the network you design, and what solutions do you use to ensure information security? Include the threats countered and the justification for the solutions.

• Protecting public access zones with IPSEC and other VPN techniques involves several problems. Present a few of them.

• Your task is to design a public WLAN access zone for use by an Internet service provider. Draw the network structure of the access zone with its devices and analyze which security threats you have been able to avoid, which you have not, and why.