Secure indoor wireless solutions
12 November 2007

Agenda
- Who is Newtel
- Evolution in Wireless LAN
- Wireless Security
- The standards

Newtel
• Newtel is a telephony and data integrator
• Revenue Newtel: 2004: 4 M EUR; 2005: 6.5 M EUR; 2006 forecast: 7.7 M EUR
• Operating profit Newtel: 2004: 350 K EUR; 2005: 400 K EUR; 2006 forecast: 500 K EUR
• 50 people
• Maintenance of 3,000 installations
• 24/24 service for all products
• Active throughout Belgium, presence in every province
• Project approach or complete solutions

Newtel Solutions
INFRASTRUCTURE: Classic telephony, IP telephony, LAN switching, Wireless solutions, Network security
SERVICES: Operator cost analysis

They are satisfied with us ...
• Telephony customers: Dexia, CBC Banque, Ziekenhuis AZ Halle, Clinique Malmédy, Neckermann, BBL Ticket, Brico, De Lijn, AMP, Facq, Jungheinrich, Syntra West, ...
• LAN switching customers: Ziekenhuis St Elisabeth Zottegem, Ministère des Equipements et Transport, CHU Brugmann, Banca Monte Paschi, Provincie Vlaams Brabant, ...
• Security customers: Provincie Vlaams Brabant, Lanier, OPZ Rekem, Miele, CBF, CHU Brugmann, Stad St.-Truiden, ...
• And many hundreds of SMEs from 15 employees upward, among them many government institutions, retirement homes and family-run hotels

Agenda
- Who is Newtel
- Evolution in Wireless LAN
- Wireless Security
- The standards

Wireless LAN: Fat vs Thin APs
Fat access points:
- 'Old' way of WLAN
- Wireless infrastructure = Access Point:
  - Radio + antenna
  - Intelligence (access control)
  - Connection to the wired network
- Used for 'simple' setups like SOHO

Wireless LAN: Fat vs Thin APs
Thin access points:
- Wireless infrastructure = Access Point(s) + wireless switch
- Access Point = radio + antenna
- All intelligence in the wireless switch:
  - Wired connection
  - Access control
  - Management of the whole mobility domain

Wireless LAN: Thin APs
[Figure: several APs attached to a wireless switch, which handles authentication, data and authorisation]

Wireless LAN: Thin APs, switch redundancy
[Figure]

Wireless LAN: VLAN support
[Figure: User A ~ VLAN A and User B ~ VLAN B, both served by the same AP]

Wireless LAN: VLAN support (2)
[Figure: the wireless switch placing users A and B in their respective VLANs]

Wireless LAN: Thin APs, autotune
- The wireless system knows the RF topology
- Total coverage -> every AP sees its neighbours
- Signal strengths from neighbouring APs are passed to the wireless switch
- The wireless system can automatically re-tune itself to avoid influence from interfering devices

Wireless LAN: Thin APs
Advantages of thin access points:
- Total infrastructure management
- Easy deployment of new APs
- No network re-engineering
- Security
- VLAN support
- Extended redundancy
- Extra functionality
  - Auto-tune
  - Rogue detection
  - ...

Agenda
- Who is Newtel
- Evolution in Wireless LAN
- Wireless Security
- The standards

Security and WLAN
Secure networks aren't mobile. Mobile networks aren't secure.

Security and WLAN: Securing the wireless communication
Wired Equivalent Privacy (WEP)
- Provides confidentiality comparable to a traditional wired network
- Part of the IEEE 802.11 standard
- Stream cipher RC4 with a 40-bit or 128-bit key for encryption
- CRC-32 checksum for integrity

Security and WLAN: Securing the wireless communication, WEP
• Airsnort needs only 5 minutes (550K packets) to crack a WEP key

Security and WLAN: Securing the wireless communication, MAC authentication
Is MAC address authentication safe?
- MAC addresses are not encrypted (L2)
- MAC addresses can easily be spoofed
- No safe form of authentication

Security and WLAN: Securing the wireless communication, WPA & WPA2
WiFi Protected Access
- Created in response to several serious weaknesses found in WEP
- Data is encrypted using RC4 (WPA) or AES (WPA2)
- Temporal Key Integrity Protocol (TKIP) dynamically changes keys
- Message integrity ensured by 'Michael' <-> CRC-32 (WEP)
- WPA 'personal' uses pre-shared key authentication (pass phrase)
- WPA 'enterprise' uses an 802.1x authentication server

Security and WLAN: Securing the wireless communication, WPA & WPA2
WPA2 PSK:
- Pre-shared key (pass phrase) stored on the AP
- User enters the PSK to gain access to the network
- TKIP dynamically changes encryption keys
- Payload encryption with AES
WPA2 enterprise:
- User needs username/password
- Credentials checked with the 802.1x server

Security and WLAN: Securing the wireless communication, 802.1x
- IEEE standard for port-based network access control
- Provides a means of authenticating and authorizing devices that attach to a LAN port
- Defines the Extensible Authentication Protocol (EAP)
- Can make use of various types of authentication servers, such as RADIUS

Security and WLAN: Securing the wireless communication, EAP
Extensible Authentication Protocol
EAP has a number of variants (40) backed by different vendors:
- EAP-MD5: basic security, several vulnerabilities
- EAP-TLS: one of the most secure EAP standards, uses PKI for secured RADIUS communication. Complex setup
- EAP-TTLS: uses PKI certificates only on the authentication server. Less complex setup
- LEAP: Lightweight EAP, Cisco proprietary
- PEAP: joint proposal by Cisco Systems, Microsoft and RSA Security. Similar in design to EAP-TTLS. Native support in Microsoft, Cisco, Apple, Linux, open source, ...

Security and WLAN: Securing the wireless communication, 802.1x
How it works, client configuration
[Screenshot]

Security and WLAN: Securing the wireless communication, 802.1x
How it works, server configuration:
- RADIUS server based
- 802.1x uses certificates for server authentication
- Server returns authorisation information: VLAN
- IAS (free with MS Server 200x) can be configured as an 802.1x RADIUS server AND integrates with AD
- Other 802.1x servers like Steelbelted Radius add functionality like end-point integrity checks
- Machine (hardware) authentication

Security and WLAN: Securing the wireless communication, 802.1x
How it works:
[Figure: client, AP and RADIUS server; EAPoL between client and AP, RADIUS between AP and server, PEAP carried end to end]

Security and WLAN
Security issue: 'All in one' (SOHO) WiFi solutions are cheap and plug-and-play, BUT:
- Often installed without telling the administrator
- Very often badly configured
- Important security threat
- Difficult to detect
Need to secure the waves!
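The WPA2 PSK slides above say the pass phrase is stored on the AP and entered by the user, but not what the AP actually keys with. The example below is added here and is not code from the Newtel deck: it implements the pass phrase to PMK mapping defined by IEEE 802.11i (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 256-bit output) and checks it against the standard's published test vector. The function names and the sample SSID and pass phrase values other than that vector are this example's own assumptions. The defender's point it makes: the salt (the SSID) is broadcast and the iteration count is fixed, so a PSK network is exactly as strong as the pass phrase, and a unique SSID is the only thing that keeps a precomputed table from being reused across networks.

```python
"""Pass phrase -> WPA/WPA2 Pairwise Master Key, as specified in IEEE 802.11i.

Added example; not code from the Newtel deck. The mapping is the standard's:
PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32).
Names such as wpa_psk() and the sample SSID/pass phrase values are assumptions
of this example; the KNOWN_VECTOR is the standard's own test vector.
"""
import hashlib

# Test vector published in IEEE 802.11i (Annex H.4): passphrase "password", SSID "IEEE".
KNOWN_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def passphrase_is_valid(passphrase: str) -> bool:
    """802.11i allows 8 to 63 printable ASCII characters (0x20..0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK; raises ValueError for a pass phrase the standard rejects."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("WPA pass phrase must be 8..63 printable ASCII characters")
    # The SSID is the salt and 4096 iterations are fixed by the standard: nothing
    # here is secret except the pass phrase itself.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    return wpa_psk(passphrase, ssid).hex()


def ssid_salts_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same pass phrase yields different PMKs on two networks.
    It does whenever the SSIDs differ, which is why a non-default SSID is
    worth having on a PSK network."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    print("IEEE test vector matches:", wpa_psk_hex("password", "IEEE") == KNOWN_VECTOR)
    # Constructed sample values, not from the deck.
    print("corp-wlan PMK:", wpa_psk_hex("correct horse battery", "corp-wlan"))
    print("same pass phrase, other SSID, different PMK:",
          ssid_salts_key("correct horse battery", "corp-wlan", "guest-wlan"))
```

The 4-way handshake that follows association derives the per-session keys from this PMK; the PMK itself never crosses the air, which is why WPA2 enterprise (a per-user 802.1x credential instead of one shared pass phrase) is the deck's recommendation for anything beyond SOHO.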
Security and WLAN: Securing the waves
Wireless security = preventing 'unmanaged' access points (rogues) from offering a backdoor to the network

Security and WLAN: Securing the waves, how it works
• The RF fingerprint is known to the wireless system
• Changes in RF signalling are immediately detected
• Countermeasures can be launched through the nearest APs

Security and WLAN: Securing the waves, how it works
[Figure]

Rogue detection
- All APs can scan for unknown wireless traffic in parallel with normal operation
  - Passive: listen for beacons & probes
  - Active: send 'Probe Any'
- Classification: rogue / interfering device
- Once a rogue is detected, the closest AP can launch countermeasures

Security and WLAN: Securing the waves
Rogue detection - Countermeasures
- Disturb normal operation of the rogue
- The closest legitimate AP will spoof various 802.11 control messages to the rogue
- Clients are prevented from communicating, associating and authenticating with the rogue
! Not all rogues are hostile

Security and WLAN
What if you're really paranoid?
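The rogue-detection slides describe scanning and a classification into rogue versus interfering device, and warn that not every rogue is hostile. The example below is added here and is not Trapeze or Newtel code: it models that classification step on a constructed scan, separating a consumer AP plugged into the LAN (a real backdoor) from a neighbour's network that merely shares the spectrum, and reporting which managed AP heard each device loudest so an administrator knows where to start looking. The classification rules, the MAC addresses, SSIDs and AP names are this example's own assumptions; the deck does not spell out the vendor's rules.

```python
"""Rogue / interfering classification of overheard access points.

Added example, not Trapeze or Newtel code. Managed APs report the beacons and
probe responses they overhear; the controller compares every BSSID with its
inventory of managed radios and with MAC addresses learned on the wired
network. The rules below are this example's assumptions, not the deck's:
  managed BSSID                         -> "managed"
  unknown BSSID also seen on the wire   -> "rogue" (a backdoor into the LAN)
  unknown BSSID advertising our SSID    -> "rogue" (invites our own clients)
  anything else                         -> "interfering" (neighbour, not hostile)
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int   # received signal strength; less negative = closer
    seen_by: str    # managed AP that reported the beacon


def norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def classify(observations, managed_bssids, wired_macs, our_ssids):
    """Return {bssid: (verdict, managed AP that heard it strongest)}."""
    managed = {norm_mac(m) for m in managed_bssids}
    wired = {norm_mac(m) for m in wired_macs}
    strongest = {}
    for obs in observations:
        key = norm_mac(obs.bssid)
        if key not in strongest or obs.rssi_dbm > strongest[key].rssi_dbm:
            strongest[key] = obs
    verdicts = {}
    for key, obs in strongest.items():
        if key in managed:
            verdict = "managed"
        elif key in wired or obs.ssid in our_ssids:
            verdict = "rogue"
        else:
            verdict = "interfering"
        verdicts[key] = (verdict, obs.seen_by)
    return verdicts


def summary(verdicts) -> dict:
    """Count of devices per verdict, e.g. {'managed': 1, 'rogue': 2, 'interfering': 1}."""
    return dict(Counter(v for v, _ in verdicts.values()))


# Constructed sample data (not from the deck).
MANAGED_BSSIDS = ["00:0B:0E:AA:AA:01", "00:0b:0e:aa:aa:02"]
WIRED_MACS = ["00:0b:0e:aa:aa:01", "00:0b:0e:aa:aa:02", "00:11:22:33:44:55"]
OUR_SSIDS = {"corp-wlan"}
SAMPLE_SCAN = [
    Observation("00:0B:0E:AA:AA:01", "corp-wlan", 1, -40, "ap-floor1"),
    Observation("00:11:22:33:44:55", "linksys", 6, -70, "ap-floor1"),     # consumer AP on our LAN
    Observation("00:11:22:33:44:55", "linksys", 6, -55, "ap-floor2"),
    Observation("00:11:22:33:44:66", "corp-wlan", 11, -60, "ap-floor2"),  # unknown AP using our SSID
    Observation("DE:AD:BE:EF:00:01", "cafe-next-door", 1, -80, "ap-floor1"),
]

if __name__ == "__main__":
    result = classify(SAMPLE_SCAN, MANAGED_BSSIDS, WIRED_MACS, OUR_SSIDS)
    for bssid, (verdict, ap) in sorted(result.items()):
        print(f"{bssid}  {verdict:12s} closest managed AP: {ap}")
    print(summary(result))
```

The "seen on the wire" test is what separates a backdoor from a neighbour, which is the distinction the slide's "Not all rogues are hostile" warning is about: an interfering device deserves a channel change, not countermeasures.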
Security and WLAN
• The signals measured from the different antennas can be used to locate the wireless LAN users
[Figure]

Security and WLAN
• Access rights can depend on the physical location of the user
[Figure]

Security and WLAN: RF firewall
[Figure]

Agenda
- Who is Newtel
- Evolution in Wireless LAN
- Wireless Security
- The standards

WLAN PHY standards: IEEE 802.11b
Task group b produced the 802.11b standard on 16 September 1999
- Uses Complementary Code Keying (CCK) modulation to achieve a 'High Rate' extension to the original standard
- Rates: 11, 5.5, 2, 1 Mbps
- Uses DSSS in the 2.4 GHz ISM band
- Range ~ 100 m
[Figure: concentric coverage zones for 11 Mbps, 5.5 Mbps, 2 Mbps and 1 Mbps]

WLAN PHY standards: IEEE 802.11b
Disadvantages:
- The 2.4 GHz ISM band is overcrowded (Bluetooth, microwave ovens)
- DSSS channels are 30 MHz wide, providing only 3 non-overlapping channels in the 2.4 GHz band
[Figure: channels 1 to 13 of the 2.4 GHz band with centre frequencies 2.412, 2.417, ... 2.472 GHz, and 2.484 GHz]

WLAN PHY standards: IEEE 802.11a
Task group a produced the 802.11a standard on 12 September 1999. Products became available late 2001 (US); first certified products in January 2003
- Uses Orthogonal Frequency Division Multiplexing (OFDM) to offer significantly higher bit rates
- Rates: 54, 48, 36, 24, 18, 12, 9 or 6 Mbps
- Uses the less crowded 5 GHz ISM band
- 8 non-overlapping 20 MHz channels can be used in the same location

WLAN PHY standards: IEEE 802.11a
Disadvantages:
- Reduced range owing to the higher operating frequency (~ 50 m)
- No backward compatibility with 802.11 and 802.11b products -> vendors have created dual-radio solutions
- Many regulatory issues with its deployment
  • 802.11d (power attenuation, channel selection); 802.11h (Europe); 802.11j (Japan)

WLAN PHY standards: IEEE 802.11g
Task group g produced the 802.11g standard on 12 June 2003
- Offers 54 Mb in the 2.4 GHz band
- Backward compatible with 802.11b
- Uses CCK for compatibility with 802.11b
- Uses OFDM for 802.11a rates in the 2.4 GHz band
- Rates: 54, 22, 11, 5.5, 2 or 1 Mbps
- Range: 30% more than 802.11a
- Power consumption: lower than 802.11a
- 802.11 a/b/g equipment available

WLAN PHY standards roadmap: IEEE 802.11n
"Standard for Enhancements for Higher Throughput"
Task group n first proposals: August 2004
Goal: improve WLAN performance to challenge Ethernet -> real TCP/IP throughput of 100 Mb or more
Uses MIMO

WLAN PHY standards: Spatial multiplexing MIMO
Spatial multiplexing concept:
- However, there are cross-paths between antennas
- The correlation must be decoupled by digital signal processing algorithms
[Figure: TX side: bits -> bit split -> DSP -> radios; RX side: radios -> DSP -> bit merge -> bits]

WLAN PHY standards roadmap: IEEE 802.11n
Constraints
- Pre-n standard equipment available, but consumer-oriented and proprietary
- Timeline for ratification (draft 1, draft 2): Q1 2008? WiFi plans pre-n standard ratification mid 2007
- Will 802.3af (15.4 W) be sufficient? -> new 802.3at high-power PoE in development
- Wireless-to-wired bandwidth used will grow -> centralised controller may become a bottleneck

WLAN PHY standards roadmap: IEEE 802.11n
Known developments:
- New types of access points (multiple antennas), backward compatible
- More intelligence in the access points
- Traffic will selectively be switched on the AP
- Probably no implications for the wireless switch

WLAN PHY standards roadmap: IEEE 802.11n
Example Trapeze: Smart Mobile - application-driven switching
[Three figure slides]

WLAN PHY standards roadmap: IEEE 802.11n
Conclusion:
- IEEE is not ready
- WiFi is getting ready
- Industry is ready!!

Overview 802.11 PHY WLAN standards
                              802.11b      802.11a      802.11g      802.11n
Standard approved             Sept. 1999   Sept. 1999   June 2003    ?
Available bandwidth           83.5 MHz     580 MHz      83.5 MHz     83.5/580 MHz
Frequency band of operation   2.4 GHz      5 GHz        2.4 GHz      2.4/5 GHz
# non-overlapping channels    3            8            3            3/8
Data rate per channel         1-11 Mbps    6-54 Mbps    1-54 Mbps    1-600 Mbps
Range                         100 m        50 m         100 m        100 m / 50 m

WLAN net data throughput
- Data rate (11 Mb - 54 Mb) = radio data rate!
- Important overhead due to radio communication
- WLAN = half duplex <-> Ethernet = full duplex
- Radio waves = shared medium (cf. hub)
- 802.11b net data rate ~ 2.5 Mb full duplex
- 802.11a/g net data rate ~ 12 Mb full duplex
- Ex.: 20 users in one 802.11b cell ~ 125 Kb per user
Scaling of a WLAN implementation is not only about wireless coverage but also about concurrent users

The Trapeze product line

The Mobility Exchange™

Mobility Exchange comparison
Model    # MPs active       Ports                                                                 Power
MXR-2    2, 3               1 x 10/100, 1 x uplink, 1 x PoE, console                              External A/C converter
MX-8     8, 12              1 x 10/100, 2 x uplink, 6 x PoE, console                              Single or dual internal power supplies
MX-200   32, 64, 96, 128    2 x GigE (SFP), 1 x 10/100 management, 1 x console                    Single or dual internal power supplies
MX-216   32, 64, 96, 128    16 x 10/100 PoE, 1 x 10/100 management, 2 x GigE (SFP), 1 x console   Single or dual internal power supplies
MX-400   40, 80, 120        4 x GigE (GBIC or RJ45), 1 x console, 1 x flash card slot             Dual internal hot-swappable power supplies

Mobility Point™

Q&A