Functional Policy: Design & Implementation

Download Report

Transcript Functional Policy: Design & Implementation

NETW 05A: APPLIED
WIRELESS SECURITY
Functional Policy:
Design & Implementation
By Mohammad Shanehsaz
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives
Given a set of business requirements, design
a scalable and secure wireless LAN solution
considering the following security tactics:





Wireless LAN segmentation
Wireless DMZ configuration
Use of NAT/PAT
NAT/PAT impact on secure tunneling mechanism
redundancy
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives continue





Wireless LAN equipment staging & deployment
Wireless LAN cell sizing and shaping
Scalability
Appropriate use of different antenna types
Operational verification
Secure equipment configuration and
placement
Secure remote connections to WLAN
infrastructure devices
Secure solution interoperability and layering
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Design & Implementation
Interoperability
Layering
Segmentation & VLANS
Authentication & Encryption
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Interoperability
Network administrator should take into account
interoperability between wireless LAN security solution
before making purchases. for example many EAP types
are proprietary, and not supported by all vendors
PPTP is widely used in small and medium-sized wireless
networks for its authentication and encryption VPN
features, it is a layer 3 protocol that can be used over the
top of any layer 2 solution such as WEP, TKIP, 802.1X/EAP
IPSec is a layer 3 VPN technology that supports many
encryption ( DES, 3DES, AES ), and has fewer security
holes than PPTP, and it can be use the same way as PPTP
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Layering
Using multiple layers of security solution
can provide very high levels of security,
but it adds a significant amount of
complexity to the implementation and
administration
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Layering
These four components should be
addressed when layering is considered:




OSI layer of each solution considered
Cost versus benefits
Management resources required
Throughput & Latency
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
OSI layers
Layer 2 ( Data-Link Layer )




WEP ( and all variations such as TKIP )
802.1X/EAP ( and all variations )
Enterprise Encryption Gateways
Layer 2 Tunneling Protocol ( L2TP )
Layer 3 ( Network Layer )


Point-to-Point Tunneling Protocol ( PPTP )
IP Security ( IPSec )
Layer 7 ( Application Layer )




Secure Shell ( SSH )
Secure Shell Version 2 ( SSH2 )
Novel Directory Services ( NDS or eDirectory )
Microsoft Active Directory ( AD )
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Cost, Management, Throughput
Each layer of solution that is being considered
should first be analyzed by itself to determine
what costs will be involved in the purchase of
any hardware and software because the cost
may outweigh the benefits
Multiple solutions adds significant cost of
administration, not counting user training
expenses, and user-friendliness of the
solution
RF noise and overhead of strong encryption
and authentication will affect the overall
throughput
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Segmentation & VLANs
All wireless segments should be separated from the
network backbone by an access control devices such
as









Firewalls
Enterprise Wireless Gateways
Enterprise Encryption Gateways
Routers
Layer3 Switch
VPN Concentrator
SSH2 Server
VLANs
Wireless VLANs
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Wireless VLANS
Wireless VLANs are a relatively new
function added to enterprise APs for the
purpose of extending VLAN functionality
to the mobile client
802.1q VLAN tagging is the most
commonly non-proprietary
implementation
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Standard Criteria for VLAN
deployment
Common applications used by all
wireless LAN end user. The WLAN
admin should define:


Wired network resources commonly
accessed by WLAN users
QoS level needed by each application
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Standard Criteria for VLAN
deployment
Common devices used to access the
wireless LAN .The WLAN admin should
define:



Security mechanisms (WEP,802.1x/EAP)
Wired network resources commonly
accessed by WLAN device groups
QoS level needed by each device
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
VLAN deployment
Segmentation by user groups
Segmentation by device types
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Best practices (According to
Cisco)
Limit broadcast and multicast traffic to the APs and bridges
by enabling VLAN filtering and Internet Group Management
Protocol snooping on the switch ports
Map wireless security policies to the wired infrastructure with
ACLs and other mechanisms
The AP does not support Virtual Terminal Protocol (VTP) or
Generic Attribute Registration Protocol VLAN Registration
Protocol (GVRP) for dynamic management of VLANs because
the AP acts as a stub node.
Enforce network security policies via layer 3 ACLs on the
guest and management VLANs, admin force all guest traffic
to the Internet gateway, and restrict user access to the
native/default VLAN
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
RADIUS-based VLAN access control
RADIUS-based SSID access control, upon
successful 802.1x/EAP or MAC address
authentication, the server passes back the
allowed SSID list for the WLAN user to the
access point or bridge
RADIUS-based VLAN assignment, upon
successful 802.1x/EAP or MAC address
authentication, the server assigns the user to
a predetermined VLAN-ID on the wired side
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Authentication & Encryption
Both are integral parts of any wireless LAN
security solution because they specify who
can access the network and how the data
transmitted is protected
Deployment requires following
consideration:





Existing implementations
Data sensitivity
Scalability
Availability
budget
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Summary
The design and implementation section
of the Functional Policy covers
interoperability, layering, segmentation
and VLANs and authentication and
encryption
Interoperability is the capability of
different mechanisms or network
processes from different vendors to be
able to communicate
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Summary
Layering is utilizing solutions from
different layers of the OSI model
Segmentation is a method of
implementing that divide the network
into smaller, more manageable pieces
Authentication and encryption help
alleviate security risks involved in
implementing wireless solutions
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Resources
CWSP certified wireless security
professional, from McGrawHill
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.