TRANSCRIPT
Session: 23/10/07WIR-150
Surviving Two Years With a Large Scale Enterprise WLAN
Joerg Fritsch, NATO C3 Agency
RSA Conference 2007, 23 October 11:40AM, London
What story am I going to tell?
• Design, provisioning and operations of a large scale NATO UNCLASSIFIED wireless network two years ago
– Followed the NIST guidelines
– In the meantime DOD “Wireless Security Policy 8100.2” and BSI “Technische Richtlinie Sicheres WLAN” were published
• Wanted to
– Mitigate known risks
– Know who is on our network
– Understand what we are doing and why
– Visualize the network perimeter
• Did not want to run the risk that only we would be following these guidelines
What story am I going to tell (continued)
• What we currently have
• What attacks we imagine and what we set against it
• What attacks we observed
• Voice over WLAN, VoWLAN
– Our vision, our homework & our test results
• Two “generations” of RF planning & prediction
– Contours vs Bins
• WLAN Monitoring
– Day-to-day operations
• Lessons learned
What we (currently) have
• Centralized management of access points. We get good enough roaming quality for 802.11g telephones
– Wireless Control System, WCS
– Cisco Catalyst 6509 Wireless Service Module, WiSM
– Channels 1, 6 and 11 in use
• Access points
– 64 Cisco 1200 Lightweight Access Points, LWAPs, supporting 802.11a/g
– Dedicated ceiling mounted antennas for 802.11g and “rubber duck” antennas for 802.11a
– No mesh deployment
– SSID not broadcast
– Operational 24x7
What we currently have (continued)
• WLAN collocated with existing LAN
• Authentication
– Migrated from Juniper/Funk Steel Belted Radius to Cisco Secure ACS
– Use of LEAP as a legacy; started migration to PEAP
• Privacy
– WPA2/AES
– Lowest common denominator WPA/TKIP “naturally” ageing out
• Open guest network
– Physically disconnected from our business WLAN
– HTTP authentication, credentials handed out together with visitor badges
– Currently looking for a way to do dynamic registration
Meet the Access Point-Fairy
[Photo sequence: Day 1, Day 2, Day 5, Day 7, Day 8]
• By the way: “rubber duck” antennas work best when one wavelength apart
– 802.11g ~ 13 cm
– 802.11a ~ 5 cm
What “they” have and what we set against it
Attacks on
• Confidentiality
• Authentication
• Availability
– Disassociation attacks
– Jamming
• Man-in-the-middle
– Rogue devices
– Impostors
Mitigation strategy
• 802.11i (WPA2/AES-CCMP)
• Compromise between manageability and security: Protected EAP, PEAP
– Server based certificate
– AD client passwords
• 802.11w, Management Frame Protection, MFP
– Mitigating attacks with bogus frames
– Closing a gap in confidentiality
• IDS
– 30 patterns
– Not every day a new exploit
• Physical Security
Complete view of whole wireless network
Geo-location of clients, hackers and impostors
What attacks we observed
• No successful attacks (at least that we know of)
– In 2007 three severe attacks so far, none was a DoS (jamming) attack
– One disassociation attack
– Two attempted impersonations of authorized access points
– Occasional MFP violations reported; does not seem severe
• Clients sometimes excluded (temporarily)
– Because of repeatedly failed association/authentication
– Because of possible attacks on the encryption (e.g. replay attacks)
– This happens one to five times per day
What attacks we observed (continued)
• Known attacks require the attacker to get physically close to your infrastructure
• Most attackers are somewhat “shy” of close encounters
• Users (clients, attackers & impostors) can be located to within +/- 5 m
– Using the Wireless Control System (WCS)
– If inside the defined perimeter
– If antennas in three dimensions (multiple levels of office space)
– This is easy to achieve
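The three event classes the talk reports (impostor access points, disassociation attacks, temporary client exclusions) lend themselves to simple triage over controller or IDS event exports. The following is an added example, not code from the talk, from NATO C3 Agency or from Cisco; the log format, field names, MAC addresses and thresholds are constructed assumptions, and the exclusion baseline comes from the "one to five times per day" figure above.

```python
"""Added example (not from the talk): triage impostor APs, disassociation floods and
client-exclusion rates over constructed controller-style event lines.
Log format "<ISO timestamp> <EVENT> key=value ..." and all values are assumptions."""
from collections import Counter

# Inventory of our own access points (constructed MAC addresses) and our SSID.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
OUR_SSID = "CORP"
EXCLUSIONS_PER_DAY_BASELINE = 5  # the talk reports one to five exclusions per day

# Constructed sample events.
SAMPLE_LOG = (
    "2007-10-01T08:00:01 BEACON bssid=00:11:22:33:44:01 ssid=CORP\n"
    "2007-10-01T08:00:02 BEACON bssid=00:11:22:33:44:02 ssid=CORP\n"
    "2007-10-01T08:00:05 BEACON bssid=de:ad:be:ef:00:01 ssid=CORP\n"   # unknown AP, our SSID
    "2007-10-01T08:00:06 BEACON bssid=de:ad:be:ef:00:02 ssid=GUEST\n"  # unknown AP, other SSID
    # twelve disassociation frames within one minute, all claiming to come from our AP
    + "".join(f"2007-10-01T08:01:{i:02d} DISASSOC src=00:11:22:33:44:01 dst=aa:bb:cc:00:00:{i:02d}\n"
              for i in range(12))
    + "2007-10-01T09:00:00 DISASSOC src=00:11:22:33:44:02 dst=aa:bb:cc:00:00:30\n"  # a normal one
    # seven exclusions on one day (above baseline), one on the next day
    + "".join(f"2007-10-01T1{i}:00:00 CLIENT_EXCLUDED mac=aa:bb:cc:00:00:4{i} reason=auth_failures\n"
              for i in range(7))
    + "2007-10-02T10:00:00 CLIENT_EXCLUDED mac=aa:bb:cc:00:00:50 reason=replay\n"
)

def parse(log):
    """Yield (timestamp, event, fields) for each event line."""
    for line in filter(str.strip, log.splitlines()):
        ts, event, *kv = line.split()
        yield ts, event, dict(p.split("=", 1) for p in kv)

def impostor_aps(log):
    """BSSIDs advertising our SSID that are not in our inventory (possible AP impersonation)."""
    return sorted({f["bssid"] for _, ev, f in parse(log)
                   if ev == "BEACON" and f["ssid"] == OUR_SSID and f["bssid"] not in AUTHORIZED_BSSIDS})

def disassoc_floods(log, per_minute=10):
    """(claimed source, minute, count) where one source sends more disassociations than per_minute."""
    counts = Counter((f["src"], ts[:16]) for ts, ev, f in parse(log) if ev == "DISASSOC")
    return [(src, minute, n) for (src, minute), n in sorted(counts.items()) if n > per_minute]

def exclusion_days_over_baseline(log, baseline=EXCLUSIONS_PER_DAY_BASELINE):
    """Days whose client-exclusion count exceeds what the operators consider normal."""
    per_day = Counter(ts[:10] for ts, ev, _ in parse(log) if ev == "CLIENT_EXCLUDED")
    return {day: n for day, n in per_day.items() if n > baseline}

if __name__ == "__main__":
    print("impostor APs:", impostor_aps(SAMPLE_LOG))
    print("disassociation floods:", disassoc_floods(SAMPLE_LOG))
    print("exclusion days over baseline:", exclusion_days_over_baseline(SAMPLE_LOG))
```

A real deployment would feed the controller's exported events into the same three checks and tune the thresholds against its own baseline.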
Voice over WLAN, VoWLAN
• Initial reports & press coverage in 2004
• It was predicted that by 2007 27% of all commercial VoIP deployments would be WLAN based
• Then there was silence
• More and more press coverage in early 2007
• Our vision:
– Seamless roaming between WLAN and GSM, eventually with one device
– Unified, controlled “airspace” for voice and data
• Our homework:
– VoWLAN requires a full blown VoIP call infrastructure
– Perimeter must be extended
• to grant sufficient outside coverage for first aid & fire brigade
• into “impossible” locations (e.g. the toilet cubicles)
VoWLAN: what we tested
• Cisco 7920
– Up to now the best we have seen
– Cisco has announced the end of sale
• Mitel
• Nokia E60 / E61
– No support for STUN (SIP & NAT) although announced for Q1 2007
– Nokia does not talk to us directly
• Cisco 7921
– Nice graphics
– High costs
– Significantly longer battery life (now it is a real phone)
– Required upgrade of WiSM to rev 4.1 in order to show good roaming
Wireless planning
• Contours
• Year one: EKAHAU
– Good results
– Good for small sites
– Very affordable
– Requires a lot of time to draw up the plans
– Works only in the two dimensional space
• Bins
• Year two: Wireless Valley / Motorola LAN Planner
– Fast import of existing CAD drawings from every building
– 3D planning and visualizing
– Saves a lot of time for large scale projects
– Results / Accuracy not necessarily better
Coverage Maps – impressive views #1
• Site Surveys always confirmed the prediction from the RF propagation tools
Coverage Maps – impressive views #2
Monitoring the Wireless Network
• Bins > Contours > Pokerchips
• Simple “Heat” maps
• Dashboard style management of WLAN
• Not all reported coverage problems really exist
• Complete inventory
– Alarms
– Clients
– Access points
In conclusion: Lessons learned
• Security isn’t the same for every network and every application
– VPN security focus
• Remote access
• Network Layer
– WLAN security focus
• Local access
• Link Layer
• Better performance, less complexity
– Sometimes VPN security simply does not do the job (e.g. 802.11 phones)
• Governmental Policies (such as DOD 8100.2) seem to emphasize WLAN Security features
Lessons learned (continued)
• Deployment of WLANs can be controlled and risk can be managed
• No internal Rogue/unauthorized access points for two years
• Currently undergoing a transition from LEAP to PEAP, but it’s not all easy
– Pro: Installing and maintaining a simple PKI to support PEAP is easy & painless
– Con: The PEAP implementation is not as good as the current LEAP
• For best user experience deploy one frequency band only
– Either 802.11a or 802.11g
• WLANs are more comparable to DECT than to the internet
– Interesting question: DECT security is not getting the same amount of attention in the media
Key points for building your own network
• Don’t think about a wireless network as a number of access points
• Think about a wireless network as a central controller with many antennas
– RF management
– Keeps inventory
– Keeps records
• Geo-location of Clients, Access points, Hackers & Impostors lets no one get away “unseen”
• Imagine RF propagation as a viscous fluid which can go through walls
• Use software with bins or contours for RF propagation planning
• Deploy WPA2
• Deploy PEAP or EAP-TLS
• Make use of an IDS