NETW 05A: APPLIED WIRELESS SECURITY Functional Policy: Design

1
NETW 05A APPLIED WIRELESS SECURITY Functional
PolicyDesign Implementation

• By Mohammad Shanehsaz

2
Objectives

• Given a set of business requirements, design a
  scalable and secure wireless LAN solution
  considering the following security tactics
• Wireless LAN segmentation
• Wireless DMZ configuration
• Use of NAT/PAT
• NAT/PAT impact on secure tunneling mechanism
• redundancy

3
Objectives continue

• Wireless LAN equipment staging deployment
• Wireless LAN cell sizing and shaping
• Scalability
• Appropriate use of different antenna types
• Operational verification
• Secure equipment configuration and placement
• Secure remote connections to WLAN infrastructure
  devices
• Secure solution interoperability and layering

4
Design Implementation

• Interoperability
• Layering
• Segmentation VLANS
• Authentication Encryption

5
Interoperability

• Network administrator should take into account
  interoperability between wireless LAN security
  solution before making purchases. for example
  many EAP types are proprietary, and not supported
  by all vendors
• PPTP is widely used in small and medium-sized
  wireless networks for its authentication and
  encryption VPN features, it is a layer 3 protocol
  that can be used over the top of any layer 2
  solution such as WEP, TKIP, 802.1X/EAP
• IPSec is a layer 3 VPN technology that supports
  many encryption ( DES, 3DES, AES ), and has fewer
  security holes than PPTP, and it can be use the
  same way as PPTP

6
Layering

• Using multiple layers of security solution can
  provide very high levels of security, but it adds
  a significant amount of complexity to the
  implementation and administration

7
Layering

• These four components should be addressed when
  layering is considered
• OSI layer of each solution considered
• Cost versus benefits
• Management resources required
• Throughput Latency

8
OSI layers

• Layer 2 ( Data-Link Layer )
• WEP ( and all variations such as TKIP )
• 802.1X/EAP ( and all variations )
• Enterprise Encryption Gateways
• Layer 2 Tunneling Protocol ( L2TP )
• Layer 3 ( Network Layer )
• Point-to-Point Tunneling Protocol ( PPTP )
• IP Security ( IPSec )
• Layer 7 ( Application Layer )
• Secure Shell ( SSH )
• Secure Shell Version 2 ( SSH2 )
• Novel Directory Services ( NDS or eDirectory )
• Microsoft Active Directory ( AD )

9
Cost, Management, Throughput

• Each layer of solution that is being considered
  should first be analyzed by itself to determine
  what costs will be involved in the purchase of
  any hardware and software because the cost may
  outweigh the benefits
• Multiple solutions adds significant cost of
  administration, not counting user training
  expenses, and user-friendliness of the solution
• RF noise and overhead of strong encryption and
  authentication will affect the overall throughput

10
Segmentation VLANs

• All wireless segments should be separated from
  the network backbone by an access control devices
  such as
• Firewalls
• Enterprise Wireless Gateways
• Enterprise Encryption Gateways
• Routers
• Layer3 Switch
• VPN Concentrator
• SSH2 Server
• VLANs
• Wireless VLANs

11
Wireless VLANS

• Wireless VLANs are a relatively new function
  added to enterprise APs for the purpose of
  extending VLAN functionality to the mobile client
  
• 802.1q VLAN tagging is the most commonly
  non-proprietary implementation

12
Standard Criteria for VLAN deployment

• Common applications used by all wireless LAN end
  user. The WLAN admin should define
• Wired network resources commonly accessed by WLAN
  users
• QoS level needed by each application

13
Standard Criteria for VLAN deployment

• Common devices used to access the wireless LAN
  .The WLAN admin should define
• Security mechanisms (WEP,802.1x/EAP)
• Wired network resources commonly accessed by WLAN
  device groups
• QoS level needed by each device

14
VLAN deployment

• Segmentation by user groups
• Segmentation by device types

15
Best practices (According to Cisco)

• Limit broadcast and multicast traffic to the APs
  and bridges by enabling VLAN filtering and
  Internet Group Management Protocol snooping on
  the switch ports
• Map wireless security policies to the wired
  infrastructure with ACLs and other mechanisms
• The AP does not support Virtual Terminal Protocol
  (VTP) or Generic Attribute Registration Protocol
  VLAN Registration Protocol (GVRP) for dynamic
  management of VLANs because the AP acts as a stub
  node.
• Enforce network security policies via layer 3
  ACLs on the guest and management VLANs, admin
  force all guest traffic to the Internet gateway,
  and restrict user access to the native/default
  VLAN

16
RADIUS-based VLAN access control

• RADIUS-based SSID access control, upon successful
  802.1x/EAP or MAC address authentication, the
  server passes back the allowed SSID list for the
  WLAN user to the access point or bridge
• RADIUS-based VLAN assignment, upon successful
  802.1x/EAP or MAC address authentication, the
  server assigns the user to a predetermined
  VLAN-ID on the wired side

17
Authentication Encryption

• Both are integral parts of any wireless LAN
  security solution because they specify who can
  access the network and how the data transmitted
  is protected
• Deployment requires following consideration
• Existing implementations
• Data sensitivity
• Scalability
• Availability
• budget

18
Summary

• The design and implementation section of the
  Functional Policy covers interoperability,
  layering, segmentation and VLANs and
  authentication and encryption
• Interoperability is the capability of different
  mechanisms or network processes from different
  vendors to be able to communicate

19
Summary

• Layering is utilizing solutions from different
  layers of the OSI model
• Segmentation is a method of implementing that
  divide the network into smaller, more manageable
  pieces
• Authentication and encryption help alleviate
  security risks involved in implementing wireless
  solutions

20
Resources

• CWSP certified wireless security professional,
  from McGrawHill