NETW 05A: APPLIED WIRELESS SECURITY Functional Policy: Design - PowerPoint PPT Presentation

1
NETW 05A APPLIED WIRELESS SECURITY Functional
Policy: Design & Implementation
  • By Mohammad Shanehsaz

2
Objectives
  • Given a set of business requirements, design a
    scalable and secure wireless LAN solution
    considering the following security tactics:
      • Wireless LAN segmentation
      • Wireless DMZ configuration
      • Use of NAT/PAT
      • NAT/PAT impact on secure tunneling mechanisms
      • Redundancy

3
Objectives (continued)
  • Wireless LAN equipment staging & deployment
  • Wireless LAN cell sizing and shaping
  • Scalability
  • Appropriate use of different antenna types
  • Operational verification
  • Secure equipment configuration and placement
  • Secure remote connections to WLAN infrastructure
    devices
  • Secure solution interoperability and layering

4
Design & Implementation
  • Interoperability
  • Layering
  • Segmentation & VLANs
  • Authentication & Encryption

5
Interoperability
  • The network administrator should take into account
    interoperability between wireless LAN security
    solutions before making purchases. For example,
    many EAP types are proprietary and not supported
    by all vendors.
  • PPTP is widely used in small and medium-sized
    wireless networks for its authentication and
    encryption VPN features. It is a layer 3 protocol
    that can be used on top of any layer 2 solution
    such as WEP, TKIP or 802.1X/EAP.
  • IPSec is a layer 3 VPN technology that supports
    many encryption algorithms (DES, 3DES, AES), has
    fewer security holes than PPTP, and can be used
    the same way as PPTP.

6
Layering
  • Using multiple layers of security solutions can
    provide very high levels of security, but it adds
    a significant amount of complexity to the
    implementation and administration.

7
Layering
  • These four components should be addressed when
    layering is considered:
      • OSI layer of each solution considered
      • Cost versus benefits
      • Management resources required
      • Throughput & latency

8
OSI layers
  • Layer 2 ( Data-Link Layer )
      • WEP ( and all variations such as TKIP )
      • 802.1X/EAP ( and all variations )
      • Enterprise Encryption Gateways
      • Layer 2 Tunneling Protocol ( L2TP )
  • Layer 3 ( Network Layer )
      • Point-to-Point Tunneling Protocol ( PPTP )
      • IP Security ( IPSec )
  • Layer 7 ( Application Layer )
      • Secure Shell ( SSH )
      • Secure Shell Version 2 ( SSH2 )
      • Novell Directory Services ( NDS or eDirectory )
      • Microsoft Active Directory ( AD )

9
Cost, Management, Throughput
  • Each layer of solution that is being considered
    should first be analyzed by itself to determine
    what costs will be involved in the purchase of
    any hardware and software, because the cost may
    outweigh the benefits.
  • Multiple solutions add a significant cost of
    administration, not counting user training
    expenses and the user-friendliness of the solution.
  • RF noise and the overhead of strong encryption and
    authentication will affect the overall throughput.

10
Segmentation & VLANs
  • All wireless segments should be separated from
    the network backbone by an access control device
    such as:
      • Firewalls
      • Enterprise Wireless Gateways
      • Enterprise Encryption Gateways
      • Routers
      • Layer 3 Switches
      • VPN Concentrators
      • SSH2 Servers
      • VLANs
      • Wireless VLANs

11
Wireless VLANs
  • Wireless VLANs are a relatively new function
    added to enterprise APs for the purpose of
    extending VLAN functionality to the mobile client.
  • 802.1Q VLAN tagging is the most common
    non-proprietary implementation.

12
Standard Criteria for VLAN deployment
  • Common applications used by all wireless LAN end
    users. The WLAN admin should define:
      • Wired network resources commonly accessed by
        WLAN users
      • QoS level needed by each application

13
Standard Criteria for VLAN deployment
  • Common devices used to access the wireless LAN.
    The WLAN admin should define:
      • Security mechanisms (WEP, 802.1X/EAP)
      • Wired network resources commonly accessed by
        WLAN device groups
      • QoS level needed by each device

14
VLAN deployment
  • Segmentation by user groups
  • Segmentation by device types

15
Best practices (According to Cisco)
  • Limit broadcast and multicast traffic to the APs
    and bridges by enabling VLAN filtering and
    Internet Group Management Protocol (IGMP) snooping
    on the switch ports.
  • Map wireless security policies to the wired
    infrastructure with ACLs and other mechanisms.
  • The AP does not support Virtual Terminal Protocol
    (VTP) or GARP VLAN Registration Protocol (GVRP)
    for dynamic management of VLANs, because the AP
    acts as a stub node.
  • Enforce network security policies via layer 3
    ACLs on the guest and management VLANs: admins
    should force all guest traffic to the Internet
    gateway and restrict user access to the
    native/default VLAN.

16
RADIUS-based VLAN access control
  • RADIUS-based SSID access control: upon successful
    802.1X/EAP or MAC address authentication, the
    server passes the list of SSIDs allowed for the
    WLAN user back to the access point or bridge.
  • RADIUS-based VLAN assignment: upon successful
    802.1X/EAP or MAC address authentication, the
    server assigns the user to a predetermined
    VLAN ID on the wired side.
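As an added illustration (not part of the slides), the RADIUS-based VLAN assignment above travels in the Access-Accept as the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes (RFC 3580). The code below builds those attributes as a server would, parses them as an AP would, and shows the check an AP should make before honoring the VLAN: the triplet must be complete and consistent, and the VLAN must be one the AP is allowed to place clients on (so a mistyped policy cannot drop a user onto the management or native VLAN). VLAN numbers and the allowed set are made up.

```python
"""RFC 3580 dynamic-VLAN attributes: encode, decode, and AP-side validation.
Constructed example; attribute numbers and value codes are the standard ones."""
import struct

TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13                      # Tunnel-Type value meaning "VLAN"
IEEE_802 = 6                   # Tunnel-Medium-Type value for 802 media

def tagged_int(attr_type, value, tag=0):
    # Type(1) Length(1) Tag(1) 3-byte big-endian integer -> total length 6
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_str(attr_type, text, tag=0):
    body = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(body)) + body

def build_vlan_accept_attrs(vlan_id):
    """Server side: the three attributes that put a station on vlan_id."""
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))

def parse_attrs(blob):
    """Walk RADIUS TLVs into {type: raw value}; rejects malformed lengths."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs

def assign_vlan(attrs, default_vlan, allowed):
    """AP side. No triplet -> default_vlan. A triplet that is inconsistent,
    out of range, or names a VLAN outside `allowed` -> None (deny), rather
    than silently landing the client on an unintended VLAN."""
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return default_vlan
    try:
        ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
        raw = attrs[TUNNEL_PRIVATE_GROUP_ID]
        gid = raw[1:] if raw[0] <= 0x1F else raw   # leading tag byte, if any
        vlan = int(gid.decode())
    except (KeyError, ValueError, IndexError):
        return None
    if ttype != VLAN or medium != IEEE_802 or not 1 <= vlan <= 4094:
        return None
    return vlan if vlan in allowed else None
```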

17
Authentication & Encryption
  • Both are integral parts of any wireless LAN
    security solution because they specify who can
    access the network and how the transmitted data
    is protected.
  • Deployment requires the following considerations:
      • Existing implementations
      • Data sensitivity
      • Scalability
      • Availability
      • Budget

18
Summary
  • The design and implementation section of the
    Functional Policy covers interoperability,
    layering, segmentation and VLANs, and
    authentication and encryption.
  • Interoperability is the capability of different
    mechanisms or network processes from different
    vendors to communicate with each other.

19
Summary
  • Layering is utilizing solutions from different
    layers of the OSI model.
  • Segmentation is a method of implementation that
    divides the network into smaller, more manageable
    pieces.
  • Authentication and encryption help alleviate the
    security risks involved in implementing wireless
    solutions.

20
Resources
  • CWSP Certified Wireless Security Professional,
    from McGraw-Hill