Transcript of "Surviving two years with a large scale enterprise WLAN"

  1. Surviving Two Years With a Large Scale Enterprise WLAN
     Joerg Fritsch, NATO C3 Agency
     RSA Conference 2007, 23 October 11:40AM, London

  2. What story am I going to tell?
     • Design, provisioning and operations of a large scale NATO UNCLASSIFIED wireless network two years ago
       • Followed the NIST guidelines
       • In the meantime DOD “Wireless Security Policy 8100.2” and BSI “Technische Richtlinie Sicheres WLAN” were published
     • Wanted to
       • Mitigate known risks
       • Know who is on our network
       • Understand what we are doing and why
       • Visualize the network perimeter
     • Did not want to run the risk that only we would be following these guidelines

  3. What story am I going to tell (continued)
     • What we currently have
     • What attacks we imagine and what we set against them
     • What attacks we observed
     • Voice over WLAN, VoWLAN
       • Our vision, our homework & our test results
     • Two “generations” of RF planning & prediction
       • Contours vs Bins
     • WLAN monitoring
       • Day-to-day operations
     • Lessons learned

  4. What we (currently) have
     • Centralized management of access points. We get good enough roaming qualities for 802.11g telephones
       • Wireless Control System, WCS
       • Cisco Catalyst 6509 Wireless Service Module, WiSM
       • Channels 1, 6 and 11 in use
     • Access points
       • 64 Cisco 1200 Lightweight Access Points, LWAPs, supporting 802.11a/g
       • Dedicated ceiling mounted antennas for 802.11g and “rubber duck” antennas for 802.11a
       • No mesh deployment
       • SSID not broadcast
       • Operational 24x7

  5. What we currently have (continued)
     • WLAN co-located with the existing LAN
     • Authentication
       • Migrated from Juniper/Funk Steel-Belted Radius to Cisco Secure ACS
       • Use of LEAP as a legacy. Started migration to PEAP
     • Privacy
       • WPA2/AES
       • Lowest common denominator WPA/TKIP “naturally” ageing out
     • Open guest network
       • Physically disconnected from our business WLAN
       • HTTP authentication, credentials handed out together with visitor badges
       • Currently looking for a way to support dynamic registration

  6. Meet the Access Point-Fairy
     • By the way: “Rubber Duck” antennas work best when one wavelength apart
       • 802.11g ~ 13 cm
       • 802.11a ~ 5 cm
     [Photo series captioned Day1, Day2, Day5, Day7, Day8]

  7. What “they” have and what we set against it

  8. What “they” have and what we set against it (cont.)
     • Attacks on
       • Confidentiality
       • Authentication
       • Availability
         • Disassociation attacks
         • Jamming
       • Man-in-the-middle
         • Rogue devices
         • Impostors
     • Mitigation strategy
       • 802.11i (WPA2/AES-CCMP)
       • Compromise of manageability and security: Protected EAP, PEAP
         • Server based certificate
         • AD client passwords
       • 802.11w, Management Frame Protection, MFP
         • Mitigating attacks with bogus frames
         • Closing a gap in confidentiality
       • IDS
         • 30 patterns
         • Not every day a new exploit
       • Physical security
     [Diagram captions: Complete view of whole wireless network; Geo-location of clients, hackers and impostors]
  9. What attacks we observed
     • No successful attacks (at least that we know of)
       • In 2007 three severe attacks so far, none was a DOS (jamming) attack
         • One disassociation attack
         • Two attempted impersonations of authorized access points
       • Occasional MFP violations reported, does not seem severe
     • Clients sometimes excluded (temporarily)
       • Because of repeatedly failed association/authentication
       • Because of possible attacks on the encryption (i.e. replay attacks)
       • This happens one to five times per day
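Slides 8 and 9 name the event classes the controller acts on: repeated failed association/authentication and suspected replay attacks (which get a client excluded for a while), disassociation floods, and impostor access points advertising the organisation's SSID. The following is an added Python example, not code from the presentation or from Cisco WCS/WiSM, that implements those three checks over a constructed event list. The event record shape (`t`, `type`, `client`, `source`, `bssid`, `ssid`), the MAC addresses, the SSIDs and the thresholds are all assumptions made for the example.

```python
"""Detection logic for the event classes the deck reports: repeated failed
association/authentication and replay indications (client exclusion), deauth
or disassociation floods, and impostor access points.  Added example, not
from the deck or from any controller vendor; EVENTS is a constructed record
set in a made-up shape, not real controller logs."""
from collections import defaultdict, deque

# Constructed events: t = seconds since start; MACs and SSIDs are placeholders.
EVENTS = []
for i in range(6):                                            # client AA: 6 failures in 30 s
    EVENTS.append({"t": 5 * i, "type": "auth_fail", "client": "00:11:22:33:44:aa"})
EVENTS += [
    {"t": 0,   "type": "auth_fail", "client": "00:11:22:33:44:bb"},   # client BB: two failures, 100 s apart
    {"t": 100, "type": "auth_fail", "client": "00:11:22:33:44:bb"},
    {"t": 40,  "type": "replay",    "client": "00:11:22:33:44:cc"},   # replay-counter violation on CCMP
    {"t": 60,  "type": "beacon", "bssid": "00:1a:aa:00:00:01", "ssid": "corp-wlan"},   # inventoried AP
    {"t": 61,  "type": "beacon", "bssid": "02:ca:fe:00:00:09", "ssid": "corp-wlan"},   # not in inventory
    {"t": 62,  "type": "beacon", "bssid": "02:ca:fe:00:00:0a", "ssid": "neighbour-net"},
]
for i in range(25):                                           # 25 deauth frames within 5 s from one source
    EVENTS.append({"t": 50 + i // 5, "type": "deauth",
                   "source": "de:ad:be:ef:00:01", "bssid": "00:1a:aa:00:00:01"})

AUTHORIZED_BSSIDS = {"00:1a:aa:00:00:01"}    # the AP inventory the controller keeps
OUR_SSIDS = {"corp-wlan"}


def _by_time(events):
    return sorted(events, key=lambda e: e["t"])


def exclude_clients(events, fail_threshold=5, window_s=60):
    """Return {client_mac: time_excluded}.  A client is excluded once it reaches
    fail_threshold auth failures inside a sliding window of window_s seconds,
    or immediately on a replay indication; excluded clients are not re-evaluated."""
    recent = defaultdict(deque)
    excluded = {}
    for ev in _by_time(events):
        mac = ev.get("client")
        if mac is None or mac in excluded:
            continue
        if ev["type"] == "replay":
            excluded[mac] = ev["t"]
        elif ev["type"] == "auth_fail":
            q = recent[mac]
            q.append(ev["t"])
            while ev["t"] - q[0] > window_s:      # drop failures older than the window
                q.popleft()
            if len(q) >= fail_threshold:
                excluded[mac] = ev["t"]
    return excluded


def deauth_floods(events, threshold=20, window_s=10):
    """Return {source_mac: time_flagged} for sources that sent at least threshold
    deauthentication/disassociation frames within window_s seconds."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in _by_time(events):
        if ev["type"] not in ("deauth", "disassoc") or ev["source"] in flagged:
            continue
        q = recent[ev["source"]]
        q.append(ev["t"])
        while ev["t"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["source"]] = ev["t"]
    return flagged


def impostor_aps(events, authorized_bssids, our_ssids):
    """BSSIDs that beacon one of our SSIDs but are missing from the AP inventory."""
    return {ev["bssid"] for ev in events
            if ev["type"] == "beacon" and ev["ssid"] in our_ssids
            and ev["bssid"] not in authorized_bssids}


if __name__ == "__main__":
    print("excluded clients:", exclude_clients(EVENTS))
    print("deauth floods:", deauth_floods(EVENTS))
    print("impostor APs:", impostor_aps(EVENTS, AUTHORIZED_BSSIDS, OUR_SSIDS))
```

With the constructed data, client AA is excluded at t=20 (its fifth failure), BB is never excluded because its two failures fall outside one window, CC is excluded at t=40 on the replay indication, the deauth source is flagged at t=53 (its twentieth frame), and the only impostor is the non-inventoried BSSID beaconing `corp-wlan`. The impostor check is the reason slide 19 stresses that the controller keeps an inventory: without a trusted BSSID list there is nothing to compare beacons against.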
  10. What attacks we observed (continued)
     • Known attacks require the attacker to get physically close to your infrastructure
     • Most attackers are somewhat “shy” of close encounters
     • Users (clients, attackers & impostors) can be located +/- 5 m
       • Using the Wireless Control System (WCS)
       • If inside the defined perimeter
       • If antennas are placed in three dimensions (multiple levels of office space)
       • This is easy to achieve
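The slide above states the operational value of geo-location (a client, rogue or impostor inside the perimeter can be placed within about 5 m) without saying how the controller does it. The following is an added Python example, not the presentation's material and not Cisco WCS's algorithm: it converts the signal strength several access points report into range estimates with a log-distance path-loss model and combines them by linear least-squares trilateration. It works in two dimensions; spreading antennas over several floors, as the slide requires, is the three-dimensional extension. The AP positions, the client position, the path-loss parameters and the fading offsets are constructed for the example.

```python
"""Locate a wireless client from the RSSI several access points report.
Added example, not the deck's or any vendor's method: a log-distance
path-loss model turns each RSSI into a range, then a least-squares
trilateration combines the ranges.  All positions and model parameters
below are constructed assumptions."""
import math

P0_DBM = -40.0     # assumed RSSI at the reference distance d0
PATH_LOSS_N = 3.0  # assumed indoor path-loss exponent (free space would be 2)
D0_M = 1.0         # reference distance in metres


def distance_to_rssi(d_m, p0=P0_DBM, n=PATH_LOSS_N, d0=D0_M):
    """Log-distance path-loss model: RSSI(d) = P0 - 10 n log10(d / d0)."""
    return p0 - 10 * n * math.log10(max(d_m, d0) / d0)


def rssi_to_distance(rssi_dbm, p0=P0_DBM, n=PATH_LOSS_N, d0=D0_M):
    """Inverse of the model: d = d0 * 10 ** ((P0 - RSSI) / (10 n))."""
    return d0 * 10 ** ((p0 - rssi_dbm) / (10 * n))


def trilaterate(anchors, distances):
    """Least-squares position from >= 3 non-collinear anchors (x, y) and ranges.
    Subtracting the first circle equation from the others linearises the system
    to A [x y]^T = b, which is solved through the 2x2 normal equations."""
    if len(anchors) < 3:
        raise ValueError("need at least three anchors")
    (x1, y1), d1 = anchors[0], distances[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        ax, ay = 2 * (xi - x1), 2 * (yi - y1)
        b = xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2 - di ** 2 + d1 ** 2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * b
        b2 += ay * b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; no unique 2D solution")
    return (b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


def locate(anchors, rssi_readings):
    """Position estimate from one RSSI reading per anchor."""
    return trilaterate(anchors, [rssi_to_distance(r) for r in rssi_readings])


# Constructed scenario: four APs on the corners of a 20 m x 20 m floor, one client.
AP_POSITIONS = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0), (20.0, 20.0)]
TRUE_CLIENT = (6.0, 14.0)


def simulate_readings(client, noise_db):
    """RSSI each AP would report for the client, plus a per-AP fading offset in dB."""
    return [distance_to_rssi(math.dist(client, ap)) + dn
            for ap, dn in zip(AP_POSITIONS, noise_db)]


def localization_error(noise_db):
    """Distance in metres between the estimate and the true client position."""
    est = locate(AP_POSITIONS, simulate_readings(TRUE_CLIENT, noise_db))
    return math.dist(est, TRUE_CLIENT)


if __name__ == "__main__":
    print("exact model:", round(localization_error([0, 0, 0, 0]), 3), "m")
    print("with +/-1.5 dB fading:", round(localization_error([1.0, -1.5, 0.5, -1.0]), 2), "m")
```

With exact readings the estimate reproduces the client position; with per-AP fading offsets of up to 1.5 dB the error grows to a few metres, which is the order of the 5 m figure on the slide. The error comes mostly from the exponential inversion of the path-loss model, so one more AP with a clear line of sight helps more than a better solver; the same model, evaluated over a grid of bins, is what the planning tools on the later slides use to predict coverage.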
  11. Voice over WLAN, VoWLAN
     • Initial reports & press coverage in 2004
     • It was predicted that by 2007 27% of all commercial VoIP deployments would be WLAN based
     • Then there was a silence
     • More and more press coverage in early 2007
     • Our vision:
       • Seamless roaming between WLAN and GSM, eventually with one device
       • Unified, controlled “airspace” for voice and data
     • Our homework:
       • VoWLAN requires a full blown VoIP call infrastructure
       • Perimeter must be extended
         • to grant sufficient outside coverage for first aid & fire brigade
         • into “impossible” locations (i.e. the toilet cubicles)

  12. VoWLAN: what we tested
     • Cisco 7920
       • Up to now the best we have seen
       • Cisco has announced the end of sale
     • Mitel
     • Nokia E60 / E61
       • No support for STUN (SIP & NAT) although announced for Q1 2007
       • Nokia does not talk to us directly
     • Cisco 7921
       • Nice graphics
       • High costs
       • Significantly longer battery life (now it is a real phone)
       • Required upgrade of WiSM to rev 4.1 in order to show good roaming

  13. Wireless planning
     • Contours
       • Year one: EKAHAU
         • Good results
         • Good for small sites
         • Very affordable
         • Requires a lot of time to draw up the plans
         • Works only in two-dimensional space
     • Bins
       • Year two: Wireless Valley / Motorola LAN Planner
         • Fast import of existing CAD drawings from every building
         • 3D planning and visualizing
         • Saves a lot of time for large scale projects
         • Results / accuracy not necessarily better

  14. Coverage Maps – impressive views #1
     • Site surveys always confirmed the prediction from the RF propagation tools

  15. Coverage Maps – impressive views #2

  16. Monitoring the Wireless Network
     • Bins > Contours > Pokerchips
     • Simple “heat” maps
     • Dashboard style management of the WLAN
     • Not all reported coverage problems really exist
     • Complete inventory
       • Alarms
       • Clients
       • Access points

  17. In conclusion: Lessons learned
     • Security isn’t the same for every network and every application
       • VPN security focus
         • Remote access
         • Network layer
       • WLAN security focus
         • Local access
         • Link layer
         • Better performance, less complexity
       • Sometimes VPN security simply does not do the job (i.e. 802.11 phones)
     • Governmental policies (such as DOD 8100.2) seem to emphasize WLAN security features

  18. Lessons learned (continued)
     • Deployment of WLANs can be controlled and risk can be managed
     • No internal rogue/unauthorized access points for two years
     • Currently undergoing a transition from LEAP to PEAP, but it’s not all easy
       • Pro: Installing and maintaining a simple PKI to support PEAP is easy & painless
       • Con: The PEAP implementation is not as good as the current LEAP
     • For best user experience deploy one frequency band only
       • Either 802.11a or 802.11g
     • WLANs are more comparable to DECT than to the internet
       • Interesting question: DECT security is not getting the same amount of attention in the media
  19. Key points for building your own network
     • Don’t think about a wireless network as a number of access points
     • Think about a wireless network as a central controller with many antennas
       • RF management
       • Keeps inventory
       • Keeps records
     • Geo-location of clients, access points, hackers & impostors lets no one get away “unseen”
     • Imagine RF propagation as a viscous fluid which can go through walls
     • Use software with bins or contours for RF propagation planning
     • Deploy WPA2
     • Deploy PEAP or EAP-TLS
     • Make use of an IDS
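The key points above, together with the migration described on slides 5 (LEAP as a legacy, WPA/TKIP ageing out) and 8 (PEAP with a server-based certificate), amount to a policy that client profiles can be checked against. The following is an added Python example, not from the presentation and not any vendor's tooling: it audits constructed client profiles whose keys follow wpa_supplicant.conf naming (`proto`, `pairwise`, `key_mgmt`, `eap`, `ca_cert`, `domain_suffix_match`); that representation, the SSIDs and the certificate path are assumptions made for the example.

```python
"""Audit WLAN client profiles against the deck's key points: WPA2 (RSN) with
AES-CCMP only, PEAP or EAP-TLS instead of LEAP, and a validated RADIUS server
certificate.  Added example, not from the deck.  Profiles are constructed
dicts whose keys follow wpa_supplicant.conf naming (an assumption about how
the profiles are represented)."""

LEGACY_EAP = {"LEAP", "MD5"}   # LEAP: offline dictionary attacks on MS-CHAP; MD5: derives no keys
STRONG_EAP = {"PEAP", "TLS"}   # the deck's recommendation: PEAP or EAP-TLS
STRONG_CIPHERS = {"CCMP"}      # 802.11i AES-CCMP; TKIP is the WPA1 fallback


def audit_profile(profile):
    """Return a list of (severity, message) findings; an empty list means compliant."""
    findings = []
    ssid = profile.get("ssid", "<unnamed>")
    # wpa_supplicant defaults: proto "WPA RSN", pairwise "CCMP TKIP", key_mgmt "WPA-PSK WPA-EAP"
    proto = set(profile.get("proto", "WPA RSN").split())
    pairwise = set(profile.get("pairwise", "CCMP TKIP").split())
    key_mgmt = set(profile.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    eap = set(profile.get("eap", "").split())

    if "NONE" in key_mgmt:
        return [("critical", f"{ssid}: open network, no link-layer protection")]
    if "WPA" in proto:
        findings.append(("medium", f"{ssid}: WPA (TKIP era) still negotiable; set proto=RSN for WPA2 only"))
    weak = pairwise - STRONG_CIPHERS
    if weak:
        findings.append(("high", f"{ssid}: pairwise cipher {sorted(weak)} allowed; set pairwise=CCMP"))
    if "WPA-PSK" in key_mgmt:
        findings.append(("medium", f"{ssid}: pre-shared key in use; an enterprise WLAN should use WPA-EAP"))
    if "WPA-EAP" in key_mgmt:
        if eap & LEGACY_EAP:
            findings.append(("high", f"{ssid}: legacy EAP {sorted(eap & LEGACY_EAP)}; migrate to PEAP or EAP-TLS"))
        elif eap & STRONG_EAP:
            if not profile.get("ca_cert"):
                # Without a CA the supplicant accepts any RADIUS server, so an impostor AP can harvest credentials
                findings.append(("high", f"{ssid}: no ca_cert, RADIUS server certificate is not validated"))
            elif not (profile.get("domain_suffix_match") or profile.get("subject_match")):
                findings.append(("low", f"{ssid}: ca_cert set but server name unchecked; add domain_suffix_match"))
    return findings


def audit_all(profiles):
    """Map each SSID to its findings, worst severity first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return {p.get("ssid"): sorted(audit_profile(p), key=lambda f: order[f[0]]) for p in profiles}


# Constructed profiles mirroring the deck's migration path (SSIDs and paths are placeholders).
LEGACY = {"ssid": "corp-legacy", "proto": "WPA RSN", "key_mgmt": "WPA-EAP",
          "pairwise": "CCMP TKIP", "eap": "LEAP", "identity": "user"}
HALFWAY = {"ssid": "corp-nocert", "proto": "RSN", "key_mgmt": "WPA-EAP",
           "pairwise": "CCMP", "eap": "PEAP", "phase2": "auth=MSCHAPV2"}
TARGET = {"ssid": "corp", "scan_ssid": 1, "proto": "RSN", "key_mgmt": "WPA-EAP",
          "pairwise": "CCMP", "group": "CCMP", "eap": "PEAP", "phase2": "auth=MSCHAPV2",
          "ca_cert": "/etc/ssl/certs/corp-ca.pem", "domain_suffix_match": "radius.corp.example"}

if __name__ == "__main__":
    for ssid, findings in audit_all([LEGACY, HALFWAY, TARGET]).items():
        print(ssid, findings or "OK")
```

The legacy profile produces three findings (TKIP, LEAP, WPA1 negotiable), the half-migrated one a single high finding because PEAP without `ca_cert` does not authenticate the server, and the target profile none. `scan_ssid=1` is the client-side counterpart of the non-broadcast SSID on slide 4; the slide 5 guest network is deliberately open and physically separated, so an open profile is reported as critical only because it does not belong on the business WLAN.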
  20. Questions & Answers
     • Thank you for your attention
     • [email_address]