1 / 19

Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments

Rodrigo Blanco. Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments. Supervisors: Prof. Dr.-Ing Adam Wolisz Dr.-Ing. Günter Schäfer. Contents – Project Steps. Initial study of the problem Definition of the project’s goals

yvonne
Download Presentation

Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Rodrigo Blanco Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments Supervisors: Prof. Dr.-Ing Adam Wolisz Dr.-Ing. Günter Schäfer

  2. Contents – Project Steps • Initial study of the problem • Definition of the project’s goals • Technical analysis: choice of security technology • Design of an IPSec-based solution • Implementation of the configuration solution • Results, conclusions and open issues

  3. Initial Study: WLAN Scenarios Considered Office scenario Home scenario

  4. Problems Regarding WLAN Security • Wireless medium • Eavesdropping • Active attacks • Authorization violation • IEEE 802.11 limited security: • Shared Key • WEP • Difficulties of installation / configuration • Misconfiguration

  5. Definition of the project’s goals • Network security • Access control • Confidentiality • Data integrity / origin authentication • Replay Protection • Roaming capabilities • Nomadic users • Requirements imposed by the proposed scenarios • Protocols should be available for common operating systems • No special, expensive HW and SW requirements • Simplicity of use

  6. IEEE 802.11 (WEP) Security services Entity authentication (Shared Key) Confidentiality, data integrity / origin authentication, access control (Wired Equivalent Privacy) Limitations: No key management WEP vulnerabilities IEEE 802.1x Security services: Entity authentication Key distribution Solve the WEP key distribution problem Protocol strength Industry support Problems: WEP remains a weak protocol Upgrade of the already existing installations IEEE Technologies

  7. VPN Technologies IPSec PPTP L2TP/IPSec host-based user-based user & host Entity Authentication yes yes yes Confidentiality yes no yes Data integrity yes no yes Replay protection dynamic dynamic static Tunnel config. IP IP IP Sup. Lower Layers IP,IPX,etc. IP,IPX,etc. IP Sup. Payloads partly partly no Supports Broadcast small high medium Overhead high medium high Availability

  8. VPN Technologies (II) • PPTP: • No data origin authentication and replay protection • Vulnerabilities have been detected • L2TP (alone): • Not recommended without additional protection • L2TP/IPSec vs. IPSec • L2TP/IPSec introduces bigger overhead • L2TP/IPSec provides virtually no advantage over IPSec in the proposed scenarios • L2TP/IPSec is not available in all operating systems • IPSec is chosen to protect the WLAN scenarios.

  9. Design of the Solution: IPsec (I) • Protocol: • AH • ESP • Mode: • transport • tunnel • Authentication: • Kerberos • Certificates • Preshared Key

  10. New entities: SG Security Domain IP subnet ID Passwords Security services Roaming support: steps DHCP “IPSec tunnel negotiation” Protocol Random numbers Design of the Solution: IPsec (II)

  11. Security Gateway IPSec policy: Permitted: Allow DHCP traffic Allow IPSec policy negotiation traffic Allow normal encrypted traffic for each authorized, logged-in user (IPSec tunnels) Per default: BLOCK all traffic Design of the Solution: IPsec(III) Wireless LAN Wired LAN SG Block Require protection Allow

  12. Mobile Nodes (“logged-in”) IPSec policy: Permitted: Allow DHCP traffic Allow IPSec policy negotiation traffic Per default: allow only encrypted traffic from the Security Gateway (IPSec tunnel) Design of the Solution: IPsec(IV) Wireless LAN MN Require protection Allow

  13. Security Gateway (DHCP server) (NAT box) IP forwarding (EnableRouting.reg) Initial IPsec blocking rules (InitialIPsecConfigurator.exe) Security Domain Identifier (SGNameConfigurator.exe) Random initialization (RandomInit.exe) Mobile Nodes (DHCP Client) Random Initialization (RandomInit.exe) Step I: Basic Configuration

  14. (1) The user gives the WLAN administrator the Mobile Node’s name MNName (2) Assign a password to MN and add a new entry in the users’ “database”: <MNName,password(MNName, SGName)> SGName ; Password(MNName, SGName) Step II: Registration in a new Security Domain Mobile Node (client) Security Gateway (server) (3) Add a new entry in the Security Domains’ “database”: <SGName,password(MNName, SGName)>

  15. (0) Obtain IP settings (DHCP/manual) (0) WLANServer.exe is running (as a service) (1) Run WLANClient.exe (2) IPsec Policy Negotiation Protocol (4) The MN leaves the WLAN: run WLANDisconnect.exe Step III: Dynamic IPsec Policy Configuration Mobile Node (client) Security Gateway (server) (3) The MN has now: IP connectivity and IPSec Security on its traffic

  16. (code=1,A,IPA ,rA) (code=2,B,IPB,A,IPA,rB,rA,SgnB) SKA,B=HMAC(AKA,B,rA|rB|const) (code=3,A,IPA,B,IPB,rA,rB,SgnA) SKA,B=HMAC(AKA,B,rA|rB|const) (code=4,A,IPA,B,IPB,rA,rB) IPsec IPsec IPSec Policy Negotiation Protocol Mobile PC (A) Security Gateway (B) (Preshared: AKA,B) (Preshared: AKA,B) SgnB=HMAC(AKA,B,{2|B|IPB|A|IPA|rB|rA}) SgnA=HMAC(AKA,B,{3|A|IPA|B|IPB|rA|rB})

  17. Keystrokes CV0 fSHA-1 80 80 random bits Performance Y0 160 CV1 fSHA-1 80 80 random bits Y1=(Y0<<160)|SHA-1(Y0,CV1) 160 … … … CVi fSHA-1 80 random bits Yi=(Yi-1<<160)|SHA-1(Y0,CVi) … … … Pseudo Random Number Generator Random bit sequence NOTE: The fSHA-1 function cannot be inverted

  18. Implementation: prototype components

  19. Results, Conclusions and Open Issues • Results: • Nomadic roaming of users • Security goals fulfilled • HW / SW requirements • Facility of use • Simple architecture • Little impact on the network • Open issues • IPSec policy compatibility with user additional IPSec settings • Non-configured clients • IPsec limitations • Broadcast traffic • No user authentication • Possible applications of this project • Securing the TKN’s WLAN • Port to Unix / Linux

More Related