Fun With Wireless And Firewalls
Fun With Wireless And Firewalls Presentation Transcript

  • 1. Fun With Wireless And Firewalls. Paul Asadoorian, IT Security Engineer; Don Wright, Senior Network Engineer. Brown University, August 19, 2003
  • 2. Outline: Wireless Requirements; Wireless: Hot or Not Technologies; Wireless Architecture (Captive Portal, Firewalls, Access Points); Wireless Challenges; Netscreen Firewall Overview. 9/25/2003 Paul Asadoorian - Brown University 2
  • 3. Background: wireless was a requirement for Spring Semester 2003; we set forth on the wireless path over the 2002-2003 winter break; it was, and continues to be, great fun; many are new to Netscreen technologies.
  • 4. Wireless Project Requirements
  • 5. Wireless Project Requirements: support a wide variety of clients (Linux, Mac, Windows, Palm/handheld); make it easy for the end user; security, security, security.
  • 6. Wireless Project Requirements: scalable; maintainable; integrates with our current network; the requirement du jour.
  • 7. Hot or Not Technologies: 802.11 alphabet soup; 802.1X and EAP types (LEAP, TTLS, PEAP…); captive portals (Bluesocket, NoCat).
  • 8. Hot or Not Technologies, 802.11 alphabet soup: 802.11a, more expensive and we didn't require the throughput; 802.11b, popular, most people have it already; 802.11g, not a standard at the time; 802.11i and WPA, just not there yet.
  • 9. Hot or Not Technologies: WEP is right out.
  • 10. Hot or Not Technologies, Bluesocket (captive portal): only validates IP and MAC address; expensive; has more features than we required; performed well; very few client problems; had to reboot/restart to make changes.
  • 11. NoCat vs. Bluesocket: NoCat has essentially the same functionality, and does it cheaply!
  • 12. Hot or Not, update: newer technologies are interesting: http://www.verniernetworks.com/ ; http://www.arubanetworks.com/ ; Cisco Structured Wireless-Aware Network (SWAN), http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a0080184925.html ; NoCat-specific: http://www.sputnik.com/
  • 13. Wireless Architecture: Cisco 1100 Series access points; NoCat captive portal running on Linux; Netscreen-500 firewall.
  • 14. Brown Campus Wireless Access (diagram, 3/5/2003, Don Wright). Components shown: 802.11b-enabled clients, Access Point, Access Gateway (NoCat), authentication back ends (LDAP, RADIUS, Kerberos), Firewall (NS500), Brown campus network and Internet. 1.) Wireless client associates to an 802.11b-enabled access point. 2.) Client is issued a 10.x.x.x network DHCP address by the Access Gateway. 3.) User opens a web browser. 4.) Access Gateway intercepts user traffic and redirects it to its login page. 5.) ShortID and password are authenticated via RADIUS against an external database. 6.) The authenticated user is redirected to their browser's configured home page and is now able to use the network.
  • 15. Cisco Access Points: Orinoco; Enterasys; we chose Cisco because…
  • 16. Cisco Access Points: 802.11b (upgradeable to 11g, ~Q4 2003); supports 802.1Q trunking; IOS and web interface; PSPF (Publicly Secure Packet Forwarding), can be set from the CLI; TACACS+; SSH; IOS upgrades.
  • 17. NoCat Captive Portal. Albert Einstein, when asked to describe radio, replied: "You see, wire telegraph is a kind of a very, very long cat. You pull his tail in New York and his head is meowing in Los Angeles. Do you understand this? And radio operates exactly the same way: you send signals here, they receive them there. The only difference is that there is no cat."
  • 18. NoCat Captive Portal, policies: only allow HTTP, HTTPS, and SSH; VPN is also allowed; any Brown community member can use it.
  • 19. NoCat Captive Portal: open source (free, it's for me!); uses open and proven technologies (Apache, iptables, Perl, Linux); does exactly what we need: authenticate the user and only allow out on certain ports.
  • 20. NoCat Captive Portal: connects to all VLANs using 802.1Q. Services provided by NoCat: DHCP; HTTPS web server; RADIUS authentication plugin; iptables firewall; Perl script to glue it all together.
  • 21. NoCat Captive Portal: Step 1 – DHCP address given. Step 2 – User goes to a web page. Step 3 – NoCat intercepts and redirects them to a login page.
  • 22. NoCat Captive Portal: Step 4 – User enters ID and password over HTTPS. Step 5 – User's credentials are verified. Step 6 – If authentication is successful, a firewall rule is added and a token is sent to the client.
  • 23. NoCat Captive Portal: Step 7 – Every 10 minutes authentication is verified: IP address, MAC address, token. Step 8 – A new token is issued and the timer is reset.
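The policy on slide 18 and the eight-step flow on slides 21 to 23, modelled as a small control plane. This is an added example, not NoCat's own Perl: the gateway drives iptables by generating the commands it would run (collected in a list rather than executed, so the logic can be exercised without root or a real VLAN). The allowed ports, the 10-minute re-check of IP, MAC and token, and the token rotation come from the slides; the interface and address names, the IPsec rules standing in for "VPN is also allowed", and the rule that a client which never renews is dropped are assumptions made for the illustration.

```python
"""Control-plane model of a NoCat-style captive portal (added illustration)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

RECHECK_SECONDS = 10 * 60            # slide 23: authentication re-verified every 10 minutes
ALLOWED_TCP_PORTS = (80, 443, 22)    # slide 18: only HTTP, HTTPS and SSH out
VPN_MATCHES = ("-p udp --dport 500", "-p esp")   # assumption: "VPN" = IPsec (IKE + ESP)
WIFI_IF = "eth1"                     # hypothetical: the 802.1Q interface facing the clients
PORTAL_IP = "10.0.0.1"               # hypothetical: the gateway's address on the client side
LOGIN_URL = f"https://{PORTAL_IP}/login"


@dataclass
class Session:
    ip: str
    mac: str
    token: str
    issued_at: int      # seconds; must be renewed before issued_at + RECHECK_SECONDS


class CaptivePortal:
    def __init__(self, authenticate: Callable[[str, str], bool]):
        self.authenticate = authenticate        # stands in for the RADIUS plugin
        self.sessions: dict[str, Session] = {}  # keyed by client IP
        self.commands: list[str] = []           # iptables commands the gateway "ran"
        # nat: unauthenticated port-80 traffic is captured and sent to the login page
        self._run("iptables -t nat -N NoCat_Capture")
        self._run(f"iptables -t nat -A PREROUTING -i {WIFI_IF} -p tcp --dport 80 -j NoCat_Capture")
        self._run(f"iptables -t nat -A NoCat_Capture -j DNAT --to-destination {PORTAL_IP}:80")
        # filter: forwarded client traffic is dropped until a per-client rule is inserted
        # (INPUT rules admitting DHCP and the HTTPS login page to the portal itself are omitted)
        self._run("iptables -N NoCat_Outbound")
        self._run(f"iptables -A FORWARD -i {WIFI_IF} -j NoCat_Outbound")
        self._run("iptables -A NoCat_Outbound -j DROP")

    def _run(self, cmd: str) -> None:
        self.commands.append(cmd)

    def _client_rules(self, s: Session, action: str) -> list[str]:
        # IP *and* MAC are matched, so a host that borrows an authenticated IP gets nothing
        who = f"-s {s.ip} -m mac --mac-source {s.mac}"
        rules = [f"iptables {action} NoCat_Outbound {who} -p tcp --dport {p} -j ACCEPT"
                 for p in ALLOWED_TCP_PORTS]
        rules += [f"iptables {action} NoCat_Outbound {who} {m} -j ACCEPT" for m in VPN_MATCHES]
        rules.append(f"iptables -t nat {action} NoCat_Capture {who} -j RETURN")  # stop capturing HTTP
        return rules

    def handle_http(self, ip: str, mac: str, url: str) -> str:
        """Steps 2-3: an unauthenticated client's HTTP request lands on the login page."""
        s = self.sessions.get(ip)
        if s is not None and s.mac == mac:
            return url
        return f"{LOGIN_URL}?redirect={url}"

    def login(self, ip: str, mac: str, user: str, password: str, now: int) -> Optional[str]:
        """Steps 4-6: verify credentials, insert the client's rules, hand back a token."""
        if not self.authenticate(user, password):
            return None
        stale = self.sessions.pop(ip, None)
        if stale is not None:               # address re-leased to someone else: close the old hole
            for cmd in self._client_rules(stale, "-D"):
                self._run(cmd)
        s = Session(ip, mac, secrets.token_hex(16), now)
        self.sessions[ip] = s
        for cmd in self._client_rules(s, "-I"):
            self._run(cmd)
        return s.token

    def renew(self, ip: str, mac: str, token: str, now: int) -> Optional[str]:
        """Steps 7-8: the client proves it still holds the token; a fresh one is issued."""
        s = self.sessions.get(ip)
        if s is None or s.mac != mac or not hmac.compare_digest(s.token.encode(), token.encode()):
            # Refuse, but do not tear the session down: a bogus renewal from a spoofed
            # IP/MAC must not be able to knock the real user offline.  If the real
            # client is gone, sweep() removes it once the timer lapses.
            return None
        s.token = secrets.token_hex(16)
        s.issued_at = now
        return s.token

    def sweep(self, now: int) -> list[str]:
        """Drop sessions whose timer lapsed with no renewal (assumed behaviour)."""
        expired = [ip for ip, s in self.sessions.items() if now - s.issued_at > RECHECK_SECONDS]
        for ip in expired:
            for cmd in self._client_rules(self.sessions.pop(ip), "-D"):
                self._run(cmd)
        return expired


if __name__ == "__main__":
    users = {"alice": "correct horse"}          # constructed credential table, stands in for RADIUS
    gw = CaptivePortal(lambda u, p: users.get(u) == p)
    print(gw.handle_http("10.0.5.7", "00:11:22:33:44:55", "http://www.brown.edu/"))
    gw.login("10.0.5.7", "00:11:22:33:44:55", "alice", "correct horse", now=0)
    print("\n".join(gw.commands[-6:]))
```

The per-client rules match on both source IP and source MAC, which is what gives the "only validates IP and MAC address" check on slide 10 its teeth against address borrowing on the open 802.11b segment; the token is the only thing that binds the periodic re-check to the browser that actually logged in, so a failed renewal is rejected rather than used as a reason to drop the session.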
  • 24. Netscreen Firewall: does all of the NAT; protects the NoCat server (two firewalls are better than one); controls where wireless users can go.
  • 25. Challenges – Access Points: code not up to date; not all features available; features that sorta work.
  • 26. Challenges – NoCat: pop-up window poses problems for certain browsers; storing passwords in the clear (this problem has been fixed and will be released next week); usability (Login button).
  • 27. Challenges – Clients: I wrote my own web browser; Centrino issues (MTU sizes); I want to use SMTP; timeouts of various sorts.
  • 28. Netscreen: the most common questions are usually surrounding Netscreen technologies; relatively new to the market; has many Netscreen-specific terms and technologies.
  • 29. Netscreen Overview: terms and concepts; examples; dos and don'ts.
  • 30. Netscreen Overview: ASIC-based hardware firewall (ScreenOS); very similar to Cisco IOS; very fast, stable platform; stateful inspection and some attack mitigation built in; support for 802.1Q, OSPF, and BGP.
  • 31. Netscreen Overview: both client and gateway-to-gateway VPN support (AES-128, 3DES); wide range of products (from 10 Mb/s to multi-gigabit); "central management" (Global Pro); slowly replacing our Checkpoint installations.
  • 32. Virtual Interfaces: the firewall has one physical connection; uses 802.1Q to firewall the VLANs you assign, each called a sub-interface; interfaces can be placed in zones or virtual systems (explained next).
  • 33. Netscreen Concepts: Virtual Systems: contain one or more interfaces (subnets); Netscreen is moving away from VSYS; allow for multiple virtual firewalls on the same device; distribute administrative control; the default Netscreen firewall configuration features a single "root" VSYS.
  • 34. Netscreen Concepts: Virtual Systems: limitations on the use of objects and groups; adding VSYSes splits device resources; can contain zones (explained later) and/or subnets.
  • 35. Netscreen Concepts: Zones: evolved out of the operational limitations of the VSYS model; allow for multiple virtual firewalls on the same device; do not distribute administrative control; resources are not restricted on the same firewall; introduce intra-zone policy, where policy can be set to manage traffic between subnets within the zone; excellent for a DMZ!
  • 36. Zone Example (diagram): Internet zone and Campus zone.
  • 37. Netscreen Concepts: Virtual Routers: virtual routing table; allows for separation of routing protocols; always assigned one per VSYS.
  • 38. Netscreen In Action, Netscreen 5XP: 20 Mb/s of throughput; little firewall, big benefit; always keep a few extra. (Front-panel graphic: power, status, link, trusted and untrusted ports.) Examples on campus: point-to-point VPNs (from 10 to 100 users); single machines; entire subnets.
  • 39. Netscreen In Action, Netscreen 25: 100 Mb/s of throughput. (Front-panel graphic: console, trusted, DMZ, untrusted, status, PCMCIA memory, power.) Examples on campus: remote sites with 200+ users; multiple VPN connections.
  • 40. Netscreen In Action, Netscreen 500: 700 Mb/s of throughput. (Front-panel graphic: link/activity, status, alarm, dual power, fan, temp, HA, FW, VPN, session LEDs; PCMCIA, console, modem, 10/100 MGT, HA-1, HA-2 ports.) Examples on campus: firewalls all central services; plans to split into more zones.
  • 41. Netscreen In Action, Netscreen 5400: 12 Gb/s of throughput (5000-MGT management module plus 5000-8G interface modules). Examples on campus: firewall all dorms; firewall all departments; firewall all other workstations.
  • 42. Netscreen: Dos and Don'ts: Do use 5XPs for temporary firewalls; don't forget to update the license to unlimited. Do use Netscreen for site-to-site VPN; don't use the Netscreen client VPN on a large scale (supposedly it's better now). Do use Netscreen's attack mitigation features; don't depend on them to block all attacks.
  • 43. Netscreen: Dos and Don'ts: Do use the web interface for management; don't use HTTP: configure a certificate and use HTTPS. Do create your own objects and use custom timeout values; don't use the default Netscreen objects. Do use Netscreen's Web Auth feature; don't allow HTTP to the Web Auth IP address.
  • 44. ? Questions ? Paul Asadoorian, Paul_Asadoorian@brown.edu; Don Wright, Don_Wright@brown.edu
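The three do/don't pairs on slide 43 as ScreenOS CLI, added here as an illustration rather than anything from Brown's configuration. The syntax is ScreenOS 5.x as I remember it (set ssl, set admin http redirect, the per-interface manage and webauth options, set service with a timeout, and permit webauth on a policy); check each line against the CLI reference for your release before pasting it. The interface name, addresses, object names and the 5-minute timeout are made up.

```text
# Do use the web interface; don't use HTTP.  Serve the WebUI over SSL, bounce
# any HTTP management attempt to HTTPS, and stop answering plain HTTP at all.
set ssl enable
set ssl port 443
set admin http redirect
unset interface ethernet1 manage web
set interface ethernet1 manage ssl

# Do create your own objects with your own timeouts; don't use the defaults.
# A predefined service inherits the device-wide TCP idle timeout; this custom
# HTTPS object ages idle sessions out after 5 minutes and is what the policy uses.
set service "https-short" protocol tcp src-port 0-65535 dst-port 443-443 timeout 5
set address "Trust" "wireless-users" 10.0.0.0 255.255.0.0
set policy from "Trust" to "Untrust" "wireless-users" "Any" "https-short" permit log

# Do use Web Auth; don't allow HTTP to the Web Auth address.
# ssl-only makes the firewall present the login page over HTTPS only, so the
# credential prompt is never offered on port 80.
set interface ethernet1 webauth-ip 10.0.0.250
set interface ethernet1 webauth
set interface ethernet1 webauth ssl-only
set policy from "Trust" to "Untrust" "wireless-users" "Any" "HTTP" permit webauth
```

The reason the custom-object rule matters is the same one behind NoCat's 10-minute re-check on slide 23: a session table entry that lives for the default idle time keeps a hole open long after a wireless client has walked away, and whoever next gets that address and can guess the MAC inherits it.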