Surviving Two Years With a Large Scale Enterprise WLAN

Session: 23/10/07 WIR-150, Surviving Two Years With a Large Scale Enterprise WLAN, Joerg Fritsch, NATO C3 Agency, RSA Conference 2007, 23 October 11:40AM, London

Upload: joerg-fritsch

Post on 20-May-2015


Page 1: Surviving two years with a large scale enterprise WLAN

Session: 23/10/07 WIR-150

Surviving Two Years With a Large Scale Enterprise WLAN

Joerg Fritsch, NATO C3 Agency

RSA Conference 2007, 23 October 11:40AM, London

Page 2: Surviving two years with a large scale enterprise WLAN

What story am I going to tell?

• Design, Provisioning and Operations of a large scale NATO UNCLASSIFIED Wireless network two years ago
  – Followed the NIST guidelines
  – In the meantime DOD “Wireless Security Policy 8100.2” and BSI “Technische Richtlinie Sicheres WLAN” were published

• Wanted to
  – Mitigate known risks
  – Know who is on our network
  – Understand what we are doing and why
  – Visualize the network perimeter

• Did not want to run the risk that only we would be following these guidelines

Page 3: Surviving two years with a large scale enterprise WLAN

What story am I going to tell (continued)

• What we currently have

• What attacks we imagine and what we set against it

• What attacks we observed

• Voice over WLAN, VoWLAN
  – Our vision, our homework & our test results

• Two “generations” of RF planning & prediction
  – Contours vs Bins

• WLAN Monitoring
  – Day-to-day operations

• Lessons learned

Page 4: Surviving two years with a large scale enterprise WLAN

What we (currently) have

• Centralized Management of Access Points. We get good enough roaming qualities for 802.11g telephones
  – Wireless Control System, WCS
  – Cisco Catalyst 6509 Wireless Service Module, WiSM
  – Channels 1, 6 and 11 in use

• Access Points
  – 64 Cisco 1200 Light Weight Access Points, LWAPs, supporting 802.11a/g
  – Dedicated ceiling mounted antennas for 802.11g and “rubber duck” antennas for 802.11a
  – No mesh deployment
  – SSID not broadcast
  – Operational 24x7

Page 5: Surviving two years with a large scale enterprise WLAN

What we currently have (continued)

• WLAN collocated with existing LAN

• Authentication
  – Migrated from Juniper/Funk Steel Belted Radius to Cisco Secure ACS
  – Use of LEAP as a legacy. Started Migration to PEAP

• Privacy
  – WPA2/AES
  – Lowest common denominator WPA/TKIP “naturally” ageing out

• Open Guest Network
  – Physically disconnected from our business WLAN
  – HTTP authentication, credentials handed out together with Visitor Badges
  – Currently searching for a possibility for dynamic registration

Page 6: Surviving two years with a large scale enterprise WLAN

Meet the Access Point-Fairy

[Figure panels: Day 1, Day 2, Day 5, Day 7, Day 8]

• By the way: “Rubber Duck” antennas work best when one wavelength apart
  – 802.11g ~ 13 cm
  – 802.11a ~ 5 cm

Page 7: Surviving two years with a large scale enterprise WLAN

What “they” have and what we set against it

Page 8: Surviving two years with a large scale enterprise WLAN

What “they” have and what we set against it (cont.)

Attacks on

• Confidentiality

• Authentication

• Availability
  – Disassociation attacks
  – Jamming

• Man-in-the-middle
  – Rogue devices
  – Impostors

Mitigation strategy

• 802.11i (WPA2/AES-CCMP)

• Compromise of manageability and security: Protected EAP, PEAP
  – Server based certificate
  – AD client passwords

• 802.11w, Management Frame Protection, MFP
  – Mitigating attacks with bogus frames
  – Closing a gap in confidentiality

• IDS
  – 30 Patterns
  – Not every day a new exploit

• Physical Security

Complete view of whole wireless network

Geo-location of clients, hackers and impostors

Page 9: Surviving two years with a large scale enterprise WLAN

What attacks we observed

• No successful attacks (at least that we know of)
  – In 2007 three severe attacks so far, none was a DOS (Jamming) attack
    • One disassociation attack
    • Two attempted impersonations of authorized access points
  – Occasional MFP violations reported, does not seem severe

• Clients sometimes excluded (temporarily)
  – Because of repeatedly failed association/authentication
  – Because of possible attacks on the encryption (i.e. replay attacks)
  – This happens one to five times per day
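The temporary client exclusion described on this slide can be sketched as a sliding-window policy. This is an added example, not part of the original slides or of the controller's own logic; the thresholds, event names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; the slides do not state the controller's thresholds.
MAX_FAILURES = 5   # failures tolerated inside the window
WINDOW_S = 60      # sliding window length in seconds
EXCLUDE_S = 300    # temporary exclusion duration in seconds

# Constructed sample events: (time_in_seconds, client_mac, event)
EVENTS = [
    (0,   "00:11:22:33:44:55", "auth_fail"),
    (5,   "00:11:22:33:44:55", "auth_fail"),
    (9,   "66:77:88:99:aa:bb", "assoc_fail"),
    (12,  "00:11:22:33:44:55", "auth_fail"),
    (20,  "00:11:22:33:44:55", "assoc_fail"),
    (31,  "00:11:22:33:44:55", "auth_fail"),  # 5th failure within 60 s
    (40,  "00:11:22:33:44:55", "auth_fail"),  # arrives while excluded
    (200, "66:77:88:99:aa:bb", "auth_fail"),  # earlier failure has aged out
    (340, "00:11:22:33:44:55", "auth_ok"),    # exclusion ended at 331
]

def run_exclusion_policy(events):
    """Return (exclusions, rejected): exclusions is a list of
    (mac, start, end); rejected counts events dropped during exclusion."""
    failures = defaultdict(deque)  # mac -> timestamps of recent failures
    excluded_until = {}            # mac -> time the exclusion ends
    exclusions, rejected = [], 0
    for ts, mac, event in sorted(events):
        if excluded_until.get(mac, -1) > ts:
            rejected += 1          # client is still excluded
            continue
        if event.endswith("_fail"):
            recent = failures[mac]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW_S:
                recent.popleft()   # drop failures outside the window
            if len(recent) >= MAX_FAILURES:
                excluded_until[mac] = ts + EXCLUDE_S
                exclusions.append((mac, ts, ts + EXCLUDE_S))
                recent.clear()
        else:
            failures[mac].clear()  # a success resets the counter
    return exclusions, rejected

if __name__ == "__main__":
    print(run_exclusion_policy(EVENTS))
```

Reviewing the exclusion list per day against the geo-location data separates a misconfigured laptop from a client that keeps retrying from the edge of the perimeter.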

Page 10: Surviving two years with a large scale enterprise WLAN

What attacks we observed (continued)

• Known attacks require the attacker to get physically close to your infrastructure

• Most attackers are somewhat “shy” of close encounters

• Users (clients, attackers & impostors) can be located +/- 5m.
  – Using the Wireless Control Server (WCS)
  – If inside the defined perimeter
  – If antennas in three dimensions (multiple levels of office space)
  – This is easy to achieve

Page 11: Surviving two years with a large scale enterprise WLAN

Voice over WLAN, VoWLAN

• Initial reports & press coverage in 2004

• It was predicted that by 2007 27% of all commercial VoIP deployments will be WLAN based

• Then there was a silence

• More and more press coverage in early 2007

• Our vision:
  – Seamless roaming between WLAN and GSM with eventually one device
  – Unified, controlled “airspace” for voice and data

• Our Homework:
  – VoWLAN requires full blown VoIP call infrastructure
  – Perimeter must be extended
    • to grant sufficient outside coverage for 1st aid & fire brigade
    • into “impossible” locations (i.e. the toilet cubicles)

Page 12: Surviving two years with a large scale enterprise WLAN

VoWLAN: what we tested

• Cisco 7920
  – Up to now the best we have seen
  – Cisco has announced the end of sale

• Mitel

• Nokia E60 / E61
  – No support for STUN (SIP & NAT) although announced for Q1 2007
  – Nokia does not talk to us directly

• Cisco 7921
  – Nice graphics
  – High costs
  – Significantly longer battery life (now it is a real phone)
  – Required upgrade of WiSM to rev 4.1 in order to show good roaming

Page 13: Surviving two years with a large scale enterprise WLAN

Wireless planning

• Contours

• Year one: EKAHAU
  – Good results
  – Good for small sites
  – Very affordable
  – Requires a lot of time to draw up the plans
  – Works only in the two dimensional space

• Bins

• Year two: Wireless Valley / Motorola LAN Planner
  – Fast import of existing CAD drawings from every building
  – 3D planning and visualizing
  – Saves a lot of time for large scale projects
  – Results / Accuracy not necessarily better

Page 14: Surviving two years with a large scale enterprise WLAN

Coverage Maps – impressive views #1

• Site Surveys always confirmed the prediction from the RF propagation tools

Page 15: Surviving two years with a large scale enterprise WLAN

Coverage Maps – impressive views #2

Page 16: Surviving two years with a large scale enterprise WLAN

Monitoring the Wireless Network

• Bins > Contours > Pokerchips

• Simple “Heat” maps

• Dashboard style management of WLAN

• Not all reported coverage problems really exist

• Complete Inventory
  – Alarms
  – Clients
  – Access points

Page 17: Surviving two years with a large scale enterprise WLAN

In conclusion: Lessons learned

• Security isn’t the same for every network and every application
  – VPN security focus
    • Remote access
    • Network Layer
  – WLAN security focus
    • Local access
    • Link Layer
    • Better performance, less complexity
  – Sometimes VPN security simply does not do the job (i.e. 802.11 phones)

• Governmental Policies (such as DOD 8100.2) seem to emphasize WLAN Security features

Page 18: Surviving two years with a large scale enterprise WLAN

Lessons learned (continued)

• Deployment of WLANs can be controlled and risk can be managed

• No internal Rogue/unauthorized access points for two years

• Currently undergoing a transition from LEAP to PEAP but it’s not all easy
  – Pro: Installing and maintaining a simple PKI to support PEAP is easy & painless
  – Con: The PEAP implementation is not as good as the current LEAP

• For best user experience deploy one frequency band only
  – Either 802.11a or 802.11g

• WLANs are more comparable to DECT than to the internet
  – Interesting question: DECT security not getting the same amount of attention in the media

Page 19: Surviving two years with a large scale enterprise WLAN

Key points for building your own network

• Don’t think about a wireless network as a number of access points

• Think about a wireless network as a central controller with many antennas
  – RF Management
  – Keeps Inventory
  – Keeps Records

• Geo-location of Clients, Access points, Hackers & Impostors lets no one get away “unseen”

• Imagine RF propagation as a viscous fluid which can go through walls

• Use Software with bins or contours for RF propagation planning

• Deploy WPA2

• Deploy PEAP or EAP-TLS

• Make use of an IDS

Page 20: Surviving two years with a large scale enterprise WLAN

Questions & Answers

Thank you for your attention
