1
Virtual Private Networks for Wireless LAN Security
Robert Pitton, April 10, 2003
2
Agenda
  • Why Is Wireless Security Important?
  • Firewall Basics
  • VPN Basics

3
Why Is Wireless Security Important?
  • As organizations integrate wireless LANs with
    wired LANs, concerns over wireless access control
    and privacy continue to mount
  • Everyone is becoming wireless
  • Need to extend your security policies to the WLAN
  • The "ANY" SSID: a client configured with SSID "ANY"
    associates with whatever access point it hears, so
    the SSID is not an access control
  • Connect Anywhere: the radio signal does not stop at
    the building wall, so anyone in range can try to
    associate

4
Why Is Wireless Security Important?
Protections are needed against attacks such as those pictured
[Diagram: attacks on the YourCorporation network; image not reproduced in the transcript]
5
Top WLAN Security Mistakes
  • Users are so excited about using their cool new
    technology that they poorly implement the
    security approaches provided, FAIL TO TURN ON
    WEP, or leave the default password settings
    unchanged
  • A rogue network is set up
  • Access point is set up on the trusted side of the
    firewall (on the wired LAN rather than in a DMZ)
  • Default WEP key is used
  • Encryption key is not changed periodically
  • VPN or IPSec is not used
  • People share their WEP key
  • Assumption that all 802.11b products operate in
    the same way

6
Wi-Fi Security Background
  • The wireless link between the AP and client is
    only one small part of a secure overall network
  • Network security is typically an end to end,
    multi-layered approach
  • All Wi-Fi certified products have WEP
  • WEP = Wired Equivalent Privacy: RC4 stream cipher
    with a 40-bit shared key (a 24-bit per-frame IV,
    sent in the clear, is prepended to the key)
  • Meant to be baseline security, not end to end
  • Prevents casual eavesdropping
  • In 2001, several papers were published on
    weaknesses in WEP (e.g. by UC Berkeley, the
    University of Maryland, and Fluhrer, Mantin and
    Shamir's RC4 key-scheduling attack)
  • Tools that automate these attacks are available
    on the web: WEPCrack, AirSnort
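
The papers the slide alludes to showed that WEP's problems are structural rather than implementation bugs. The following is an added example (mine, not code from the 3Com deck) that walks through two of them on a toy WEP implementation: because the 24-bit IV is sent in the clear and repeats, one frame of known plaintext recovers the RC4 keystream for that IV and decrypts every other frame sent under it; and because the CRC-32 ICV is linear, an attacker can flip chosen bits in an encrypted frame and patch the ICV without knowing the key. The shared key, IVs and frame contents are constructed for the demonstration.

```python
"""Toy WEP and two of the 2001 attacks on it. Added example, not code from the
3Com deck; the key, IVs and frame contents below are constructed."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus output generation; WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key40: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in the clear) || RC4_{IV||key}(plaintext || ICV)."""
    assert len(key40) == 5 and len(iv) == 3
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key40, len(body)))


def wep_decrypt(key40: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); a receiver accepts the frame only if icv_ok."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key40, len(ct)))
    plaintext = body[:-4]
    return plaintext, body[-4:] == icv(plaintext)


# Attack 1: keystream reuse. The IV is only 24 bits and travels in the clear, so
# IVs repeat (many cards even restart at 0). Knowing the plaintext of one frame
# gives the keystream for its IV, and every other frame under that IV falls.
def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypts a (shorter or equal length) frame that used the same IV, without the key."""
    return xor(frame[3:], keystream)[:-4]


# Attack 2: controlled modification. CRC-32 is affine over GF(2):
# crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length), so the attacker
# XORs a chosen delta into the ciphertext and patches the encrypted ICV to match.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    n = len(frame) - 3 - 4
    assert len(delta) == n
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return frame[:3] + xor(frame[3:], delta + icv_delta.to_bytes(4, "little"))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit shared key
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0\r\n")   # guessable plaintext
    f2 = wep_encrypt(key, iv, b"PASS hunter2\r\n")               # same IV reused
    ks = recover_keystream(f1, b"GET /index.html HTTP/1.0\r\n")
    print(decrypt_with_keystream(f2, ks))                         # b'PASS hunter2\r\n'

    msg = b"transfer $0100 to acct 42"
    f3 = wep_encrypt(key, b"\x00\x00\x02", msg)
    delta = bytearray(len(msg))
    delta[10] = ord("0") ^ ord("9")                               # turn $0100 into $9100
    print(wep_decrypt(key, flip_bits(f3, bytes(delta))))          # (b'transfer $9100 to acct 42', True)
```

Neither attack needs the key, and neither is fixed by using a 104-bit key or rotating it, which is why the slide's advice is to treat WEP as a deterrent against casual eavesdropping and to run a VPN over it.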

7
Comparison between types of wireless LAN buyers

  Enterprise                                      | Consumer
  ------------------------------------------------|------------------------------------------
  Part of a system and fits into the network      | Stand-alone device that sits on a desk
  infrastructure                                  |
  Integrated security requirements                | Lower security requirements
  Needs to be managed as a device on the network  | Does not need any management
  Robust feature set with security, management,   | Basic SOHO functionality with firewall
  roaming, installation, etc.                     |
  Driven by enterprise mobility and wire-free     | Driven by broadband penetration and
  networking                                      | multiple-PC households

  • The product offering and business drivers are
    distinctly separate between the two markets

8
Virtual Private Networks (VPNs)
9
VPN Introduction: The VPN Definition
  • A secure extension of a business's private
    network across a public network

[Diagram: Anne and Bob connected by a VPN tunnel across the public network]
10
VPN Introduction: Customer Needs
  • Why do customers need VPNs?
  • Economy: cheaper access costs
  • Versatility: increased access for the mobile
    workforce
  • Controlled access: proprietary access for
    partners / suppliers / customers
  • Manageability: monitoring and control
  • Secure exchanges: safe data transmissions

11
VPN Introduction: Current Issues and Concerns
  • What are the customer concerns when implementing
    VPNs?
  • Interoperability: many different protocols are
    used
  • Bottlenecks: encryption/decryption may lead to
    low throughput
  • Address management: how do you handle private
    and public addresses?
  • Reliability: subject to normal Internet problems!
  • Multi-protocol support: limited support for
    legacy protocols, e.g. IPX

12
VPN Introduction: Internet VPN Typical Deployment
  • Tunnels are created between a Corporate LAN and
    branch offices, other companies' LANs and remote
    users
  • Branch Office Connect Solutions: VPNs provide
    24-hour real-time communication via inexpensive
    Internet links
  • Extranet Connection Solutions: VPNs provide
    global, secure, cost-effective, end-to-end
    communication
  • Remote User Connection Solutions: VPNs exploit
    world-wide ISP reach with lower connectivity and
    administration costs, and faster access vs dial-up

13
When to use a VPN For Wireless Security
  • VPNs already in use and infrastructure already in
    place in many IT organizations
  • Use encryption and tunneling to establish a
    secure end-to-end tunnel
  • Authentication and full encryption over the
    wireless network is provided through the VPN
    servers that also act as gateways to the private
    network
  • Scalable to a large number of 802.11 clients
  • IPSec VPNs permit secure communications over an
    unsecured network such as public airwaves or
    wireless networks

14
Virtual Private Networks (VPNs): Firewall Basics
15
VPN Hardware
  • Firewall

16
The Firewall Concept: Why Firewalls
What can the Firewall Do?
  • Restricts people from entering a controlled area

[Diagram: firewall between outside clients and the secure local area network]
17
The Firewall Concept: Why Firewalls
What can the Firewall Do?
  • Restricts people from entering a controlled area
  • Restricts people leaving at a controlled point
  • Focuses the security decision at one point

[Diagram: an access attempt checked at the firewall]
18
The Firewall Concept: Typical Features
  • Security gateway
  • Single point for Intranet/Internet protection
  • Protection against hackers on the Internet
  • Denial of Service (DoS) attacks
  • Enforce security policies: allow or deny access
  • URL filtering
  • Can filter inappropriate materials on the
    Internet
  • Protection from active content: ActiveX, Cookies
    and Java
  • Event logging, intrusion reporting, traffic logs
  • Set up VPN tunnels: IPSec, PPTP, L2TP

19
The Firewall Concept: Types of Firewalls
  • Packet Filtering / Network Level
  • Uses rules to allow or deny access according to
    IP address
  • Advantages:
  • Application independence
  • High performance
  • Disadvantages:
  • Has the lowest security; susceptible to IP
    spoofing

20
The Firewall Concept: Types of Firewalls
  • Application-Level Proxy Server
  • Examines the application layer in the IP packet
    as well as the IP address
  • Can verify the authenticity of the packets
  • Advantages:
  • Good security
  • Application-layer awareness
  • Disadvantages:
  • Poor performance
  • Limited application support
  • Very complex

21
The Firewall Concept: Types of Firewalls
  • Stateful Packet Inspection
  • Examines all parts of the IP packet
  • Keeps track of all the requests for information
    originating from your network. Any un-requested
    information is rejected
  • The firewall then proceeds to the next level of
    scanning

22
The Firewall Concept: SPI in more Detail
  • Stateful Packet Inspection Firewall
  • Third generation firewall technology
  • Most advanced and secure firewall technology
  • Inspects all layers of the OSI model (3Com has
    circuit-level gateways for some protocols)
  • Tracks the full communication session (state)
    from the originating source
  • Provides Network Address Translation
  • Recognizes DoS attacks and DDoS attacks
  • Protects from Man-in-the-Middle attacks
  • 3Com Firewalls use Stateful Packet Inspection

23
The Firewall Concept: SPI in more Detail
  • TCP Security
  • Firewall uses state information embedded in TCP
    packets

[Diagram: LAN to WAN, the TCP initiation packet; WAN to LAN, subsequent packets checked against the cache]
  • Firewall looks at the TCP initiation packet in
    the TCP stream: SYN flag set, ACK flag cleared
  • A TCP state entry is cached in the firewall; it
    includes IP addresses, TCP ports and sequence
    numbers
  • Any subsequent packet that comes back is checked
    against this cache
24
The Firewall Concept: SPI in more Detail
  • UDP/ICMP Security
  • UDP and ICMP information is analysed by the
    firewall to build virtual connections in the
    cache

[Diagram: outbound UDP packet LAN to WAN; matching reply WAN to LAN admitted]
  • UDP IP address and port pairs are stored in the
    firewall for short periods
  • UDP packets from the WAN whose IP addresses and
    UDP ports match a stored pair are allowed back in
  • ICMP is even more restrictive!
  • Only outgoing echo requests allow incoming echo
    replies
  • Only outgoing address mask requests allow
    incoming address mask replies
  • ICMP Redirect packets are never allowed into the
    firewall

25
The Firewall Concept: SPI in more Detail
  • Upper Layer Protocol Security
  • Higher-layer protocols (FTP / RealAudio) utilise
    multiple network connections simultaneously

FTP example:
[Diagram: LAN FTP client opens the control connection to the WAN FTP server; the server's data connection back to the client is allowed]
  • Firewall inspects application-level FTP data
  • Searches for outgoing PORT commands and caches
    this information, which uniquely identifies the
    remote party and the data connection to expect
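
Slides 23 to 25 describe one mechanism from three angles, so here is one added example (mine, not 3Com SuperStack firewall code) that implements the described cache as a small Python class: an outbound SYN with ACK clear creates a TCP entry, outbound UDP address/port pairs live in the cache for a short timeout, only an outgoing echo or address-mask request admits the matching reply, ICMP redirects are always dropped, and an outgoing FTP PORT command pre-authorises the server's data connection from port 20. The addresses, the 30-second UDP timeout and the packet trace are constructed; the class does not track TCP sequence numbers, which the slide says a real cache entry includes.

```python
"""Toy stateful packet inspection illustrating slides 23-25.
Added example, not the 3Com firewall implementation; values are constructed."""
import re
from dataclasses import dataclass

UDP_TIMEOUT = 30.0              # seconds a UDP "virtual connection" stays cached (assumed)
ICMP_REPLY_OF = {8: 0, 17: 18}  # echo request -> echo reply, address mask request -> reply
ICMP_REDIRECT = 5
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")  # FTP active-mode PORT


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: int = 0
    payload: bytes = b""


class StatefulFirewall:
    """Forwards only packets that belong to a session initiated from the LAN."""

    def __init__(self, lan_prefix: str = "10.0.0."):
        self.lan_prefix = lan_prefix
        self.tcp = set()          # (lan_ip, lan_port, wan_ip, wan_port) of cached sessions
        self.udp = {}             # same 4-tuple -> expiry time
        self.icmp = set()         # (lan_ip, wan_ip, reply_type) replies we are waiting for
        self.ftp_expect = set()   # (lan_ip, lan_port, wan_ip) announced by an outgoing PORT

    def filter(self, p: Packet, now: float = 0.0) -> bool:
        """True = forward the packet, False = drop it."""
        if p.src.startswith(self.lan_prefix):
            return self._outbound(p, now)
        return self._inbound(p, now)

    def _outbound(self, p: Packet, now: float) -> bool:
        if p.proto == "tcp":
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.tcp.add(key)                  # initiation packet: cache the session
            elif key not in self.tcp:
                return False                       # not part of any cached session
            if p.dport == 21:                      # FTP control channel: learn PORT commands
                m = PORT_RE.search(p.payload)
                if m:
                    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                    self.ftp_expect.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2, p.dst))
            return True
        if p.proto == "udp":
            self.udp[(p.src, p.sport, p.dst, p.dport)] = now + UDP_TIMEOUT
            return True
        if p.proto == "icmp":
            if p.icmp_type in ICMP_REPLY_OF:       # remember which reply to let back in
                self.icmp.add((p.src, p.dst, ICMP_REPLY_OF[p.icmp_type]))
            return True
        return False

    def _inbound(self, p: Packet, now: float) -> bool:
        if p.proto == "tcp":
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.tcp:
                return True
            if ("SYN" in p.flags and "ACK" not in p.flags and p.sport == 20
                    and (p.dst, p.dport, p.src) in self.ftp_expect):
                self.ftp_expect.discard((p.dst, p.dport, p.src))  # one data connection only
                self.tcp.add(key)
                return True
            return False                           # unsolicited: dropped
        if p.proto == "udp":
            key = (p.dst, p.dport, p.src, p.sport)
            if self.udp.get(key, -1.0) >= now:
                self.udp[key] = now + UDP_TIMEOUT  # refresh the virtual connection
                return True
            self.udp.pop(key, None)                # expired or never requested
            return False
        if p.proto == "icmp":
            if p.icmp_type == ICMP_REDIRECT:
                return False                       # never admitted
            key = (p.dst, p.src, p.icmp_type)
            if key in self.icmp:
                self.icmp.discard(key)
                return True
            return False
        return False


def example_trace() -> list:
    """Constructed packet sequence; returns the forward/drop decision for each packet."""
    fw = StatefulFirewall()
    lan, wan = "10.0.0.5", "203.0.113.7"           # constructed addresses
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return [
        fw.filter(Packet("tcp", wan, lan, 4444, 22, S)),           # unsolicited SYN: drop
        fw.filter(Packet("tcp", lan, wan, 40000, 21, S)),          # outbound SYN: cached
        fw.filter(Packet("tcp", wan, lan, 21, 40000, SA)),         # SYN/ACK matches cache
        fw.filter(Packet("tcp", lan, wan, 40000, 21, A,
                         payload=b"PORT 10,0,0,5,4,1\r\n")),       # announces 10.0.0.5:1025
        fw.filter(Packet("tcp", wan, lan, 20, 1025, S)),           # server data conn: allowed
        fw.filter(Packet("tcp", wan, lan, 20, 1026, S)),           # not announced: drop
        fw.filter(Packet("udp", lan, wan, 53000, 53), now=0.0),    # DNS query out
        fw.filter(Packet("udp", wan, lan, 53, 53000), now=10.0),   # reply inside timeout
        fw.filter(Packet("udp", wan, lan, 53, 53000), now=100.0),  # reply after timeout
        fw.filter(Packet("icmp", wan, lan, icmp_type=0)),          # echo reply, no request
        fw.filter(Packet("icmp", lan, wan, icmp_type=8)),          # echo request out
        fw.filter(Packet("icmp", wan, lan, icmp_type=0)),          # its reply: allowed
        fw.filter(Packet("icmp", wan, lan, icmp_type=5)),          # redirect: never
    ]


if __name__ == "__main__":
    print(example_trace())
```

The PORT parsing is what separates this from a plain packet filter: without it the inbound SYN from port 20 is indistinguishable from the first probe in the trace, and the administrator would have to leave a permanent hole for high ports.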

26
Virtual Private Networks (VPNs): VPN Tunnelling
Protocols
27
VPN Tunnelling: Encapsulation
  • VPNs are created by establishing virtual circuits
    between endpoints across the Internet
  • Three types of VPN protocol are used for tunnelling
  • PPTP (Point-to-Point Tunnelling Protocol)
  • L2TP (Layer 2 Tunnelling Protocol)
  • IPSec (Internet Protocol Security)

(Tunnelling itself has nothing to do with encryption!)
28
VPN Tunnelling: Protocols - PPTP
  • PPTP tunnelling uses two packet types
  • Control packets: strictly for status enquiry and
    signalling information; use TCP
    (connection-oriented)
  • Data packets: PPP frames carried in an enhanced
    version of GRE (IP protocol 47, RFC 2637)
  • GRE gives PPTP the flexibility of handling
    protocols other than IP, such as NetBEUI and IPX
  • Developed by Microsoft, 3Com, US Robotics,
    Ascend Communications and ECI Telematics
  • Standard with Win95, Win98, Me, WinNT and Win2K

29
VPN Tunnelling: Protocols - L2TP
  • Like PPTP, L2TP is strictly a tunnelling protocol
  • L2TP is a standards-based combination of two
    proprietary Layer 2 tunnel protocols:
    Cisco's Layer 2 Forwarding (L2F) and PPTP
  • L2TP combines the control and data channels
  • L2TP runs over UDP (port 1701): faster and leaner
  • L2TP is more firewall friendly than PPTP since
    you do not have to support GRE
  • L2TP by itself provides no encryption or packet
    authentication, and vendors are not implementing
    them within L2TP
  • Why not combine protocols???

30
VPN Tunnelling: Protocols - IPSec
  • Open, standards-based, network layer security
    protocol
  • Aimed at protecting IP datagrams
  • Robust mechanisms for authentication and
    encryption
  • Can protect the whole datagram (tunnel mode) or
    just the upper-layer protocol (transport mode)

Where each protocol sits in the stack:
  Transport layer (TCP, UDP)  - transport protocols
  Network layer (IP)          - routing through the network; IPSec operates here
  Link layer                  - L2TP / PPTP operate here (link protocols)
  Physical layer              - physical infrastructure
31
VPN Tunnelling: L2TP with IPSec
  • Integrate L2TP with IPSec
  • L2TP provides user authentication, a requirement
    for the client-to-LAN scenario
  • IPSec provides machine authentication
  • IPSec provides robust encryption mechanisms
  • IPSec provides packet authentication
  • L2TP provides multi-protocol support
  • L2TP provides tunnel IP address assignment by
    default
  • Integrating the two protocols allows for better
    interoperability between vendors
  • Vendors will not go off and deviate from the
    standard if the protocol does everything
    customers require

32
RADIUS (Remote Authentication Dial-In User Service)
  • Mature technology which provides Authentication,
    Authorization and Accounting (AAA) over an IP
    network
  • Rather than having to manage multiple login
    databases, RADIUS provides a more efficient,
    scalable and centralized management solution

33
Native Windows L2TP/IPSec VPN Client Support
34
VPN Tunneling in a University Campus Environment
[Diagram: SuperStack 3 Firewall with the campus WLAN on the firewall DMZ and an authentication server]
  • IPSec, L2TP/IPSec VPN tunneling capability over
    the current WLAN network
  • Wireless client gets authenticated through a
    server (RAS, RADIUS, VPN termination box)
  • Support for campus-wide Layer 3 RADIUS
    authentication for controlling network access
  • Support for WEP as well as VPN pass-through,
    based on the customer's requirements

35
Enterprise VPN: Wireless Security
[Diagram: Internet, SuperStack 3 Firewall (Internet security), secured wired LAN (employees only)]
  • SuperStack 3 Firewall can:
  • Offer secure wireless connectivity
  • Allow secure access to authorized wireless
    clients
  • Provide guest services for visiting wireless users

36
For more information, please visit www.3com.com/