Wireless LAN Solutions - Security, Management - PowerPoint PPT Presentation


Slides: 44
Provided by: opti50

Transcript and Presenter's Notes

1
Wireless LAN Solutions - Security, Management
  • Jukka Saarenmaa
  • Nortel Networks Oy

2
New Ways of Connecting
  • Anywhere, Anytime
  • Business changes
  • Partner relationships

3
Security Issues and Options with WLANs
  • Security Issues
  • WEP
  • Rogue Access Points
  • IP Mobility
  • Lack of employee education
  • Security Options
  • Wired and wireless DMZs
  • IPSec or SSL VPN encryption
  • Reuse existing IPSec infrastructure or use a
    dedicated wireless security switch
  • Future: new protocols with better security

4
Different Challenges
  • Customers who want centralized security PLUS
    automation of the WLAN network and more
    wireless protection
  • Customers who want a scalable centralized
    security solution
Diagram labels: Expansion to RF Domain
One Solution Does NOT Fit ALL!
5
Standalone: The Traditional Distributed
Architecture
  • Typical Customer Profile
  • Wireless small branch/remote office
  • Requires only limited Hot Zone capability
  • Few users
  • Customer Benefits
  • Low Startup cost
  • Easy install / LAN add-on
  • Simple but effective security
  • Investment protection

Diagram labels: VPN Gateway; Internet; Corporate
Quick and Easy Network Connectivity
6
Secure Your WLAN: IPsec Security for Wired and
Wireless LANs
Diagram labels: clear-text wired 10/100 network
(Desktop, Contivity, Hacker, Secure Content);
clear-text building/campus open air waves or WEP
(Contivity, Wireless Laptop, 802.11 AP)
  • Strong end to end IPsec Security
  • Common User Experience (VPN)
  • Centralize Security/Policy provisioning
  • Multi OS VPN Client and low cost CPE devices

7
Nortel Networks Solution
  • Existing AP and Adapter: 2201, 2220
  • More Flexibility: QoS, VLAN, L3 tunneling
  • More Security: WPA, closed system
  • More Manageability: Failover protection, Bulk
    configuration, Statistics

Pictured: WLAN Mobile Adapter 2201, WLAN Access Point 2220
  • New a/b/g products: 2202, 2225
  • Plus external antennas
  • Plus 802.11g radio
  • Plus Multiple SSID
  • Modular AP (a only, b/g only, a/b/g)
  • 802.11i ready
  • WME (emerging industry QoS standard)

Pictured: WLAN Mobile Adapter 2202, WLAN Access Point 2225
8
Hybrid: Centralized Security and Management for
Existing WLANs
  • Typical Customer Profile
  • Multi-vendor environment
  • Larger Deployments
  • Intelligent Overlay requirement
  • Wireless upgrade or extension
  • Customer Benefits
  • Low incremental cost
  • Minimal disruption
  • Centralized security
  • Centralized management
  • Introduction of Enterprise roaming
  • Unauthorized AP detection
  • Wireless VPN capability

Diagram labels: Security Switch; Corporate
9
WLAN Security Implementation
10
Mobile Authentication, Authorisation, Auditing
(AAA)
Diagram labels: Subnet A Building 1; Subnet B
Building 2; Log once; Credentials; WLAN Access Point
2200; WLAN Security Switch 2250; Contivity IP Services
Gateway; MS Networking, 802.1x, SSL / IPSec
Applications; RADIUS, LDAP, Active Directory; AAA Proxy
11
Clear Access Method
  • Non-encrypted, non-secure access to
    Intranet/Internet
  • If no L2 encryption is used (i.e. WEP, TKIP,
    AES), the traffic is completely unprotected!
  • Example: open a new browser window and go to
    http://web.us.nortel.com
  • Clear access should be carefully controlled in
    terms of what Intranet resources (if any!) are
    allowed.
  • Default configuration allows clear access to all
    but Intranet networks (Internet access available)
  • Useful for PC-based IP Telephony applications
    (i2050, SIP, ...)

Diagram labels: Clear; Web Server; Access Point;
WLAN Security Switch
12
SSL Access Method
Diagram labels: DNS sslportal.nortel.com, VIP
192.168.10.10; SSL Encrypted; Clear; Web Server;
Access Point; WLAN Security Switch
  • Client logs into Portal website via SSL
    connection
  • This is the Home WSS (determined by WLAN subnet)
  • Encrypted session between VIP and Client IP
  • Unencrypted on Intranet
  • Intranet/Internet access is virtually the same as
    SSL VPN
  • Client IP can be proxied with IIP to solve
    routing issues
  • Support for SSL VPN client (SOCKS)

13
PPTP Access Method
Diagram labels: PPTP Tunnel (Encrypted); 47.18.1.5;
47.18.1.1; Clear; VIP 192.168.10.10; 172.16.5.82;
IIP 47.1.1.1; Server; Access Point; WLAN Security
Switch
  • Client logs into Portal website via SSL
    connection
  • Get One-time password from Portal website
  • Solves PPTP dictionary attack weakness
  • PPTP tunnel between Client IP and VIP
  • WSS assigns tunnel IPs from local scope
  • Scope must be routed by WSS
  • Scope is local to each WSS
  • Compatible with MS VPN client
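
The one-time-password step on this slide is the defence against offline dictionary attacks on the PPTP (MS-CHAP) handshake: a captured exchange only reveals a credential that has already been spent. The following is an added example, not Nortel's code, of how a portal could issue and verify such passwords using RFC 4226 HOTP (HMAC-SHA1 over a counter). The `OtpPortal` class, its look-ahead window and the shared secret (the RFC 4226 test-vector key) are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpPortal:
    """Hypothetical portal-side record for one user (assumed design, not the
    WSS 2250's). issue() is the 'get one-time password from the portal' step;
    verify() is what the PPTP authenticator consults instead of a static
    password. Each counter value is accepted at most once, so a value
    recovered from a captured handshake cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window         # unused counters we tolerate ahead of the last one
        self.next_issue = 0          # counter of the next OTP to hand out
        self.last_accepted = -1      # highest counter value already consumed

    def issue(self) -> str:
        code = hotp(self.secret, self.next_issue)
        self.next_issue += 1
        return code

    def verify(self, code: str) -> bool:
        start = self.last_accepted + 1
        for counter in range(start, start + self.window):
            # constant-time compare so the check itself leaks nothing useful
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed shared secret: the RFC 4226 test-vector key.
    portal = OtpPortal(b"12345678901234567890")
    first = portal.issue()
    print("issued", first, "accepted:", portal.verify(first))
    print("replay accepted:", portal.verify(first))
```

The portal keeps the counter state; the tunnel endpoint only needs to ask it whether a presented value is valid, which is what turns a dictionary-attackable static credential into a single-use one.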

14
IPSec (Passthrough) Access Method
Diagram labels: IPSec Tunnel (Encrypted); Contivity;
47.45.1.1; 47.45.1.28; Clear; 172.16.5.82; 47.3.1.1;
WLAN Security Switch; Server; Access Point
  • No client login on WSS; AAA is bypassed on WSS
  • IPSec tunnel between Client IP and Contivity
  • WLAN subnet is not routable on Intranet by
    default
  • Static routes on Intranet and/or redistribution
    into IGP
  • Static routes plus NAT on Intranet router
  • Requires NAT Traversal
  • IPSec tunnel could also be non-Contivity solution

15
Nortel Networks Solution: Nortel Wireless Security
Switch 2250
Diagram labels: Mobile Adaptive Tunneling; Load
Balancing (Distributing Traffic, Bandwidth
Management); Unauthorized AP detection (Detecting
and Isolating Rogue / Free Agent APs); Roaming
(Across Campus, True Enterprise roaming); A Secure
Wireless Platform
  • Privilege-based access
  • Priority level
  • Access rights
  • Security level
  • Passwords
  • Personal info
16
Adaptive Non-Stop Convergence-Ready WLAN for New
Deployments
  • Typical Customer Profile
  • Large number of users
  • Ubiquitous building coverage
  • Green field deployments
  • Recommended for Wireless IP Telephony
  • Customer Benefits
  • Ease of deployment
  • Adjusts to changing environment
  • Automatic load balancing
  • Active security including over the air
  • Voice roaming capability
  • Dynamic RF management
  • Plug n Play and Plug n Grow
  • Self healing

Diagram labels: Managed wireless domain; Wireless
DMZ; Corporate; Security Switch; Corporate Resources
17
WLAN Adaptive Solution
Same centralized architecture for easier
management and stronger security
  • More RF functions implemented on both
  • Access Port 2230: embedded continuous air
    monitoring
  • Security Switch 2270: processing of the RF info,
    decisions and adaptation

Diagram labels: WLAN Access Port 2230; WLAN Security
Switch 2270; LWAPP
Lightweight Access Point Protocol (LWAPP): Internet
Engineering Task Force (IETF) draft standard
18
Split MAC
Diagram labels: RF (x4); Switching (x2)
  • The concept is to decouple timing-critical
    elements of the MAC from timing-sensitive elements
    of the MAC
  • ACKs vs. Probe Responses
  • Decoupling switching from RF
  • The WSS 2270 is somewhat like a traditional L2
    switch, except with radios instead of 10/100 ports

19
Nortel Access Point
  • Plenum-ratable cast aluminum case
  • Standard Ethernet (802.3) cabling
  • Multi-band support (802.11 a/b/g)
  • Powerful dual-dispatch directional antenna
  • Various mounting options
  • Power over Ethernet (802.3af)
  • 802.11i and 802.11e ready
  • WPA/TKIP
  • SNMPv3
  • SSH v2.0
  • Multiple SSIDs
  • Monitor mode available
  • 100 mW radio power

Nortel 2230/2231 Access Point
20
Nortel 2270 Wireless Switch
  • Compact design conserves wiring closet space
  • Two 1000Base-SX ports with LC connectors, one
    logical path (failover protection)
  • On-board VPN capability using Enhanced Security
    Module crypto processor
  • Configurable Distribution System Port (GigE)
  • 10/100 Mbps-TX Ethernet Service Port
  • 9-pin Serial Connector for Console Port
  • N+1 redundancy
  • Crypto H/W accelerator
  • IPSEC termination

Nortel 2270
21
APs use encrypted control traffic
Control traffic between radios and switches is
encrypted with an SSL-like protocol.
X.509 Certificates

An unknown AP (Nortel or not) will not have access
to your network.
22
Data Paths with WSS 2270
Diagram labels: Normal 802.3; LWAPP
  • LWAPP transports control messages to/from AP
  • LWAPP transports data packets to/from AP
  • L2 or L3 tunneling

23
Overlaying 2270/2230 on LAN
Diagram labels: VLAN1 (on both sides); Normal 802.3;
Switching; LWAPP; Logical Equivalent
  • All ports untagged in VLAN 1
  • LWAPP is in VLAN 1
  • User devices are mapped back to VLAN 1 too
  • All data is tunneled to 2270
  • BayStack will see MAC of clients on the port
    connecting to 2270, not the port connecting to
    2230
  • Right hand side represents what the WLAN looks
    like to the rest of the data network

24
2270/2230 with Multiple VLANs
Diagram labels: VLAN1, VLAN2, VLAN3 (on both sides);
Switching; LWAPP (VLAN1); Logical Equivalent
  • L2 Switch
  • All ports are members of VLAN1
  • Link to 2270 has VLANs 1, 2, 3 (all tagged)
  • Link to router has VLANs 1, 2, 3 (all tagged)
  • Access link to 2230 is only member of VLAN 1
    (untagged)
  • Right hand side represents what the WLAN looks
    like to the rest of the data network

25
L3 Mode with Multiple VLANs
Diagram labels: VLAN1, VLAN2, VLAN3 (on both sides);
Switching; LWAPP (VLAN1); Logical Equivalent
  • Layer 3 mode of LWAPP is essentially the same
    logically
  • Physically APs are placed anywhere in the network
    though

26
Per-SSID Security Features
  • Layer 2
  • Static WEP
  • Shared or Open authentication
  • MAC-based authentication
  • WPA
  • 802.1x
  • Cranite
  • Fortress
  • Layer 3
  • IPsec
  • Up to 1 Gbps bulk encryption
  • Web Authorization
  • VPN Passthrough

27
Where is Encryption Done (L2)
Diagram labels: LWAPP (Clear); Clear; WEP
(Encrypted); Server; 2230; 2270
  • L2 Encryption based methods are
    encrypted/decrypted on 2230
  • WEP, dynamic WEP, WPA, AES (future)

28
Where is Encryption Done (L3)
Diagram labels: IPsec Tunnel (Encrypted); virtual
1.1.1.1; 47.18.1.5; 47.18.1.1; Clear; 172.16.5.82;
SSID IPSEC; Server; 2230; 2270
  • IPsec terminated on 2270
  • Tested clients: SSH, Sentinel, Movian, Cisco,
    Netscreen
  • Per-SSID

29
VPN Passthrough
Diagram labels: PPTP Tunnel (Encrypted); PPTP
Server; 47.45.1.1; 47.45.1.28; Clear; 172.16.5.82;
47.3.1.1; SSID VPN; Server; 2230; 2270
  • VPN Passthrough leverages an external VPN server
  • Configure IP address of server
  • Applies traffic filter so only traffic to the
    server can get through
  • Per-SSID
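
Slides 11 and 29 describe per-SSID filtering in two forms: the clear access method, where the default is Internet reachability with Intranet networks blocked unless explicitly allowed, and VPN passthrough, where only traffic to the configured VPN server may pass. The following is an added example, not Nortel's code, that models both policies over constructed packets. The `Packet` model, the RFC 1918 definition of "Intranet", the protocol and port set treated as tunnel traffic and the SSID names are assumptions; the VPN-server and server addresses reuse the 47.45.1.1 and 172.16.5.82 labels from the diagrams.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumption: "Intranet" means the RFC 1918 private ranges.
INTRANET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: what a VPN tunnel itself needs (PPTP control + GRE,
# IKE/NAT-T + ESP). Anything else addressed to the server stays blocked.
VPN_TCP_PORTS = {1723}
VPN_UDP_PORTS = {500, 4500}
VPN_IP_PROTOS = {"gre", "esp"}


@dataclass(frozen=True)
class Packet:
    ssid: str        # SSID the client associated to; selects the policy
    src: str
    dst: str
    proto: str       # "tcp", "udp", "gre", "esp"
    dport: int = 0   # 0 when the protocol has no ports


def is_intranet(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET)


def clear_access_allows(pkt: Packet, allowed_intranet: Iterable[str] = ()) -> bool:
    """Slide 11: Internet reachable, Intranet blocked except for an explicit
    allow-list (the 'what Intranet resources, if any' the slide warns about)."""
    if not is_intranet(pkt.dst):
        return True
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst in ipaddress.ip_network(net) for net in allowed_intranet)


def vpn_passthrough_allows(pkt: Packet, vpn_server: str) -> bool:
    """Slide 29: only traffic to the configured VPN server gets through,
    and only the protocols that carry the tunnel."""
    if ipaddress.ip_address(pkt.dst) != ipaddress.ip_address(vpn_server):
        return False
    if pkt.proto in VPN_IP_PROTOS:
        return True
    if pkt.proto == "tcp":
        return pkt.dport in VPN_TCP_PORTS
    if pkt.proto == "udp":
        return pkt.dport in VPN_UDP_PORTS
    return False


def decide(pkt: Packet, vpn_server: str = "47.45.1.1",
           clear_allow: Iterable[str] = ()) -> bool:
    """Per-SSID dispatch; an SSID with no policy is denied outright."""
    if pkt.ssid == "CLEAR":
        return clear_access_allows(pkt, clear_allow)
    if pkt.ssid == "VPN":
        return vpn_passthrough_allows(pkt, vpn_server)
    return False


# Constructed sample traffic (addresses other than 47.45.1.1 and
# 172.16.5.82 are invented for the example).
SAMPLE = [
    Packet("CLEAR", "192.168.10.50", "198.51.100.7", "tcp", 443),  # Internet: permit
    Packet("CLEAR", "192.168.10.50", "172.16.5.82", "tcp", 80),    # Intranet: deny
    Packet("VPN", "47.45.1.28", "47.45.1.1", "tcp", 1723),         # PPTP control: permit
    Packet("VPN", "47.45.1.28", "47.45.1.1", "gre"),               # PPTP data: permit
    Packet("VPN", "47.45.1.28", "47.45.1.1", "tcp", 22),           # other service on server: deny
    Packet("VPN", "47.45.1.28", "172.16.5.82", "tcp", 80),         # not the VPN server: deny
    Packet("GUEST", "192.168.10.51", "198.51.100.7", "tcp", 80),   # no policy: deny
]


def evaluate(packets=SAMPLE):
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, ok in zip(SAMPLE, evaluate()):
        print("PERMIT" if ok else "DENY  ", pkt.ssid, pkt.src, "->",
              pkt.dst, pkt.proto, pkt.dport)
```

Passing an allow-list such as `clear_allow=("172.16.5.82/32",)` is how a single Intranet resource (a SIP proxy for the IP telephony case on slide 11) would be opened on the clear SSID without exposing the rest of the Intranet.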

30
How to Implement VoIP
  • Multiple SSIDs (i.e. two WLANs)
  • No Active Load Balancing
  • QoS
  • SSID VOIP: Gold
  • SSID DATA: Bronze
  • Security
  • SSID VOIP: MAC-based and/or WEP (only on b/g
    radio)
  • SSID DATA: 802.1x or whatever is desired
  • Adjust Queue depth
  • Prioritize LWAPP on switches between 2270 and 2230

Diagram labels: 802.1p 6; VLAN 2; VLAN 1; SSID DATA;
A; B/G; SSID DATA; SSID VOIP
31
How to Implement VoIP (cont.)
32
WLAN Management System
Diagram labels: WMS Server (Apache); IE6 Browser
  • User interface to WMS is a web browser
  • Running locally
  • Running remotely
  • Database and control reside on WMS server

33
  • Accurate RF prediction for AP placement and RF
    topology mapping
  • Detailed heat maps for easy analysis
  • Ekahau Site Survey (ESS) tool to verify RF
    prediction and perform ongoing analysis (if
    needed)

34
The 1st WLAN system with Integrated Location
Tracking
  • Nortel WLAN Control Software uses advanced
    fingerprinting for <10 meter accuracy

35
Nortel Location Positioning
  • Closest AP
  • How: Identify the AP to which a client is
    associated
  • Pro: Easy to do, nothing new required
  • Con: Limited accuracy; an AP can easily cover
    several thousand square feet.
  • RF Triangulation
  • How: All APs identify the strength with which
    they hear a client. Intelligent algorithms
    triangulate responses to pinpoint probable
    location.
  • Pro: More accurate than closest AP
  • Con: Does not account for effects of building
    material on signal (e.g., reflection,
    attenuation, multi-path)
  • RF Fingerprinting
  • How: RF prediction creates a grid that identifies
    how every single part of a floor plan looks to
    all access points. Real-world info gathered from
    APs is compared to these fingerprints to
    determine precise location
  • Pro: GPS-like accuracy
  • Con: More comprehensive (requires RF prediction
    tools)

36
Understanding RF Fingerprinting
  • RF Fingerprinting traces rays from every access
    point in the network
  • Accounts for reflection
  • Accounts for multi-path to a destination
  • At the conclusion of the prediction, a
    fingerprint is left for every point on the
    coverage map for every AP that can reach that
    point.
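
Slides 35 and 36 compare three ways of locating a client from what the access ports hear: the nearest AP, signal-strength triangulation that ignores building materials, and RF fingerprinting against a predicted radio map. The following is an added example, not Nortel's code, that runs all three over a constructed floor: three APs, a log-distance path-loss model, and one wall that the radio map accounts for but the triangulation step does not. The AP positions, the path-loss constants, the wall and the 1/d-weighted centroid standing in for "triangulation" are all assumptions made for the illustration.

```python
import math

# Constructed propagation model and floor plan (all values assumed).
P0 = -40.0        # dBm received 1 m from any AP
N = 3.0           # path-loss exponent
WALL_X = 5.0      # a wall along x = 5 m ...
WALL_LOSS = 15.0  # ... costing 15 dB to any link that crosses it
APS = {"A": (0.0, 0.0), "B": (10.0, 0.0), "C": (0.0, 10.0)}  # AP positions in metres


def free_space_rssi(distance: float) -> float:
    """Log-distance path loss with no obstacles (what triangulation assumes)."""
    return P0 - 10 * N * math.log10(max(distance, 1.0))


def predicted_rssi(ap_xy, point) -> float:
    """The 'RF prediction' step: ray-traced in the real product, here a path-loss
    model plus the wall penalty when AP and point lie on opposite sides of it."""
    rssi = free_space_rssi(math.dist(ap_xy, point))
    if (ap_xy[0] - WALL_X) * (point[0] - WALL_X) < 0:
        rssi -= WALL_LOSS
    return rssi


def build_radio_map(step: int = 2) -> dict:
    """A fingerprint for every grid point: how that point looks to every AP."""
    grid = [(x, y) for x in range(0, 11, step) for y in range(0, 11, step)]
    return {pt: {ap: predicted_rssi(xy, pt) for ap, xy in APS.items()} for pt in grid}


def closest_ap(obs: dict) -> tuple:
    """Method 1: the client is wherever the loudest AP is."""
    return APS[max(obs, key=obs.get)]


def rssi_centroid(obs: dict) -> tuple:
    """Method 2 (triangulation flavour): invert the free-space model to a
    distance per AP and take the 1/d-weighted centroid. The wall is not
    modelled, so an AP behind it looks much farther away than it is."""
    wx = wy = wsum = 0.0
    for ap, rssi in obs.items():
        distance = 10 ** ((P0 - rssi) / (10 * N))
        w = 1.0 / distance
        x, y = APS[ap]
        wx, wy, wsum = wx + w * x, wy + w * y, wsum + w
    return (wx / wsum, wy / wsum)


def fingerprint(obs: dict, radio_map: dict) -> tuple:
    """Method 3: nearest neighbour in RSSI space against the predicted map."""
    def mismatch(pt):
        return math.sqrt(sum((radio_map[pt][ap] - obs[ap]) ** 2 for ap in obs))
    return min(radio_map, key=mismatch)


def compare(true_point=(2, 2)) -> dict:
    """Run all three estimators on a constructed observation of a client at
    true_point and return {method: (estimate, error_in_metres)}."""
    radio_map = build_radio_map()
    obs = {ap: predicted_rssi(xy, true_point) for ap, xy in APS.items()}
    estimates = {
        "closest_ap": closest_ap(obs),
        "triangulation": rssi_centroid(obs),
        "fingerprint": fingerprint(obs, radio_map),
    }
    return {k: (v, math.dist(v, true_point)) for k, v in estimates.items()}


if __name__ == "__main__":
    for method, (estimate, error) in compare().items():
        print(f"{method:14s} -> {estimate}  error {error:.2f} m")
```

With the client at (2, 2) the loudest AP is A at the origin (about 2.8 m off), the centroid lands near (0.75, 2.36) because the wall makes AP B look far away, and the fingerprint match is exact because the radio map already includes the wall. That ordering is the point the two slides make.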

37
Nortel's WLAN Adaptive Solution
  • FLEXIBILITY
  • User Load Management
  • Enhance user distribution among Access Ports to
    enhance their WLAN experience
  • QoS
  • Traffic prioritization
  • SECURITY
  • Unauthorized AP detection based on interference
    detection
  • Unauthorized AP containment based on interference
    avoidance
  • High accuracy location for unauthorized AP
    location, E911 enabler, healthcare or stock
    inventory applications
  • MANAGEMENT
  • Plug-n-Play / Plug-n-Grow
  • Auto-Detection and Auto Configuration for
    initial deployment and network extensions
  • Dynamic Coverage
  • Interference detection and avoidance thanks to
    dynamic channel assignment
  • Hole detection and correction thanks to automatic
    power adjustment
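
The SECURITY items above describe unauthorized AP detection driven by the access ports' continuous air monitoring, with a rogue's location derived from which monitor hears it. The following is an added example, not Nortel's code, of the classification such a system applies to what its monitors report: a radio in the inventory is authorized, an unknown radio advertising a corporate SSID is treated as impersonation, an unknown radio heard loudly is treated as on-premises, and a faint unknown radio as a neighbor. The inventory, SSID names, MAC addresses, the -70 dBm threshold and the observation records are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of our own radios: BSSID -> (access port name, channel).
AUTHORIZED_BSSIDS = {
    "00:11:22:00:00:01": ("AP-1", 1),
    "00:11:22:00:00:02": ("AP-2", 6),
    "00:11:22:00:00:03": ("AP-3", 11),
}
CORPORATE_SSIDS = {"CORP-DATA", "CORP-VOIP"}
ON_PREMISES_DBM = -70   # assumed: heard this loud by a monitor means inside the building


@dataclass(frozen=True)
class Observation:
    monitor: str    # access port whose air monitor heard the beacon
    bssid: str
    ssid: str
    channel: int
    rssi: int       # dBm as heard by the monitor


def classify(observations):
    """Return {bssid: (verdict, nearest_monitor, channel)} for every radio heard.
    nearest_monitor is the closest-AP location estimate for a rogue."""
    by_bssid = defaultdict(list)
    for obs in observations:
        by_bssid[obs.bssid.lower()].append(obs)

    report = {}
    for bssid, heard in by_bssid.items():
        loudest = max(heard, key=lambda o: o.rssi)
        if bssid in AUTHORIZED_BSSIDS:
            verdict = "authorized"
        elif {o.ssid for o in heard} & CORPORATE_SSIDS:
            verdict = "rogue-impersonating"     # our SSID from a radio we do not own
        elif loudest.rssi >= ON_PREMISES_DBM:
            verdict = "rogue-on-premises"       # unknown and clearly inside the building
        else:
            verdict = "neighbor"                # unknown and faint: probably next door
        report[bssid] = (verdict, loudest.monitor, loudest.channel)
    return report


def interfering_with(report):
    """Rogues that share a channel with one of our radios (the interference the
    air monitors flag), mapped to the access ports they affect."""
    rogues = {b: v for b, v in report.items() if v[0].startswith("rogue")}
    return {
        bssid: sorted(name for name, ch in AUTHORIZED_BSSIDS.values() if ch == channel)
        for bssid, (_, _, channel) in rogues.items()
    }


# Constructed scan results reported by the air monitors.
SCAN = [
    Observation("AP-1", "00:11:22:00:00:02", "CORP-DATA", 6, -65),   # our own AP-2
    Observation("AP-1", "de:ad:be:ef:00:01", "CORP-DATA", 6, -58),   # unknown radio, our SSID
    Observation("AP-2", "de:ad:be:ef:00:01", "CORP-DATA", 6, -77),
    Observation("AP-3", "66:77:88:99:aa:bb", "linksys", 1, -48),      # unknown, loud
    Observation("AP-1", "aa:bb:cc:dd:ee:ff", "CoffeeShop", 11, -88),  # unknown, faint
]


if __name__ == "__main__":
    verdicts = classify(SCAN)
    for bssid, (verdict, monitor, channel) in verdicts.items():
        print(f"{bssid}  {verdict:20s} nearest {monitor}  ch {channel}")
    print("channel overlap with our APs:", interfering_with(verdicts))
```

The "nearest monitor" field is the coarse closest-AP location; a deployment with the fingerprinting described on slides 35 and 36 would refine it from the RSSI seen by several monitors.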

38
Nortel's WLAN Adaptive Solution
  • Nortel Networks WLAN - Management System
  • Configuration, Performance, Fault and RF
    management
  • Full WLAN Network-wide view
  • Management of all the features available on 2230
    / 2270
  • Includes standard location and prediction tool
  • Nortel Networks WLAN - Location Services
    Software
  • Software upgrade only
  • High accuracy (<10 m)
  • E911 enabler
  • Unauthorized AP exact location
  • User location for Healthcare, Warehouses,
    Inventory Mgt
  • Nortel Networks WLAN - Site Survey Tool
  • Flexible and powerful floor map support
  • Full-color graphics (coverage map, bandwidth
    mapping)
  • On-site planning
  • Site-survey reports

39
Mesh: Minimize Backhaul Costs in Open Environments
Pictured: wireless access points attached to a utility pole
  • Typical Customer Profile
  • Open spaces (depot, campus)
  • No existing wired infrastructure
  • Constantly changing environment (e.g. convention
    center)
  • Customer Benefits
  • Minimize backhaul costs
  • Rapid deployment
  • Auto-configuration
  • Resilient

Diagram labels: Wired Network; Wireless Gateway
Begins where the LAN ends
40
Nortel Networks Solutions
WLAN IP Telephony
The right solution for each customer environment
41
Security Issues and Options with WLANs
  • Security Is An Issue with WLANs
  • But...
  • Problems can be addressed

42
Applying the Unified Security Architecture to
Wireless LANs
  • Secure wireless communications using IPSec or SSL
  • Nortel's portfolio gives you choices
  • Update your security policy to include wireless
    LAN
  • Separate wireless traffic on your network with a
    DMZ
  • Hire a consultant who specializes in WLAN
    deployments for a wireless survey
  • Establish an Employee Wireless Education program
  • Ensure regular security audits include searches
    for Rogue Access Points
Diagram labels: Productivity; Mobility; Internet
43
(No Transcript)