Wireless LAN, WLAN Security, and VPN
麟瑞科技, Tainan Office, Technical Manager 張晃崚
Post on 22-Dec-2015
WLAN & VPN FAQ
• What is WLAN? 802.11a? 802.11b? 802.11g?
• Which standard (product) should we use?
• How to deploy WLAN?
• How to block intruders?
• How to authenticate users?
• How to keep data secure?
• What is roaming?
• How to provide a fast path for some VIP users?
• How to exchange data securely between offices?
Agenda
• Introduction to Wireless LAN
• WLAN deployments
• WLAN security issues
• WLAN security solutions
• VPN solutions
What is Wireless Network
• Wireless Network:
  – 802.11x standards (Wi-Fi)
  – Cell phones
  – Bluetooth
  – HomeRF
  – Fixed broadband wireless, IEEE 802.16
  – Mobile broadband
  – Optical point-to-point wireless
What is Wireless LAN
• IEEE 802.11-based networks
• Bluetooth is regarded as a PAN (Personal Area Network)
• Needs a wireless NIC and an Access Point (AP)
Wireless LAN vs. Wired LAN

                   Wireless LAN       Wired LAN
Media access       CSMA/CA            CSMA/CD
Bit error rate     0.1%               10^-10
Duplex             half               half/full
Speed              slow               fast
Throughput         reduced 50-60%     N/A
Wireless LAN vs. Wired LAN
• All 802.11 WLANs employ handshaked (acknowledged) transmission to compensate for the high bit error rate
• WLAN is just like push-to-talk radio
• WLAN is a step backward: slower speed, half duplex, shared media
• BUT you gain FREEDOM
• The AP is usually a Layer 2 bridge (between the wired LAN and the wireless LAN)
• Spanning Tree Protocol issue
Wireless LAN Standards

                        802.11b          802.11a          802.11g
Frequency               2.4 GHz          5 GHz            2.4 GHz
Channels                3                8                3
Max speed               11 Mbps          54 Mbps          54 Mbps
Real throughput         4-6 Mbps         22-27 Mbps       22-27 Mbps
Interference            Yes              No               Yes
Maturity                Very mature      Early            No product

Distance for max speed / distance for half speed: the slide lists 120-140 ft., 120-140 ft., 120-140 ft., 1-2 ft., 60 ft. and ??? ft.; which value belongs to which standard and row is not recoverable from this transcript.
802.11b+
• IEEE 802.11g will be finalized in May 2003
• 802.11b+ is not a formal IEEE specification
• Texas Instruments (TI) applied PBCC to enable a 22 Mbps data rate
• Interoperable with 802.11b devices at 11 Mbps
• Must use TI's chip to enable 22 Mbps
Other 802.11x standards
• 802.11d: Multiple regulatory domains
• 802.11e: QoS
• 802.11f: Inter-Access Point Protocol (IAPP)
• 802.11h: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC)
• 802.11i: Security
Which technology should you use?
• The decision should be based on the requirements of the system and its users:
  – User bandwidth requirements
  – User density
  – Overall implementation cost
  – Upgrade requirements
  – Client availability
  – Client platform features
Typical WLAN Topologies (figure): two access points attached to the LAN backbone, each serving its own wireless "cell" of wireless clients; the two cells use different channels (channel 1 and channel 6).
Wireless Repeater Topology (figure): an access point on the LAN backbone and a wireless repeater that extends its "cell"; both operate on channel 1, and wireless clients associate with either of them.
Hot Standby (figure): a monitored AP and a standby AP on the LAN backbone serving the wireless clients; the standby AP takes over when the monitored AP fails.
Multi-rate Implementations (figure): concentric coverage zones around each AP at 11 Mbps (closest to the AP), 5.5 Mbps, and 2 Mbps (farthest); the data rate steps down as the distance from the AP grows.
Vendor Offering
• Higher and variable transmission power
• External antennas
• Little throughput degradation with encryption
• Line power via the wired Ethernet cable
• Dual-band: 802.11b + 802.11a
• AP load balancing
• Roaming between IP subnets
• Hot Standby AP
• VLAN support
• Lockable case
• Enhanced security features: 802.1x, 802.11i draft, etc.
WLAN Security Issues
• Wireless is like having an RJ45 jack in the parking lot
• Need to deny access to intruders
• Need to secure messages with good encryption technology
• Managing the security side of your networks requires several things:
  – Protecting the network from intruders
    • Requires authentication for users
  – Protecting the wireless DATA from sniffers
    • Requires some type of encryption
  – Protecting your RF networks from being detected
  – The ability to MANAGE your users' credentials
    • Includes WEP keys, user names, passwords, etc.
  – Protecting your wireless infrastructure from improper configuration
    • Requires a good user management interface on the APs
WLAN Security Issues
• Managing the security side of your networks requires several things:
  – Dynamically assigning the user's IP address, gateway, etc.
    • Deploy a DHCP server
  – Letting roaming users be authenticated with their original accounts and passwords
    • Requires authentication roaming features on the authentication servers
Authentication Techniques
• Open System Authentication
  – No security
• SSID Authentication
  – The SSID is broadcast in clear text
  – Can be obtained by snooping on traffic
• Shared Key Authentication (WEP)
  – Key stolen
  – Employee leaves
Authentication Techniques
• MAC address Authentication
  – The MAC address is sent in clear form
  – Can be obtained by snooping
  – Attackers may change their MAC to match
  – Not flexible or scalable
• 802.1x and Extensible Authentication Protocol (EAP)
  – Secures not only the client but also the devices
  – Only Windows XP and a few vendors support this technique
Authentication Techniques
• VPN client Authentication
  – Does good authentication and encryption
  – Variable authentication and encryption methods to choose from
  – Needs VPN client software installed
• Wireless Gateway Authentication
  – No need to install any client software
  – Pops up an authentication window when the connection is initiated (uses a web browser)
  – Easy to install and configure
  – One wireless gateway per subnet
Wireless Gateway Topology (figure)
Blocking Inter-client Communication
• PSPF: Publicly Secure Packet Forwarding
• Prevents WLAN inter-client communication
• Relies on MAC address
• Same-subnet devices only
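As an added illustration (not from the slides), the forwarding decision an AP makes with PSPF enabled, modelled in Python: the AP is a Layer 2 bridge, and with PSPF on it drops a frame whose source and destination are both its own wireless clients while still bridging wireless-to-wired traffic. The MAC addresses, frame layout and AP names are constructed, and the cross-AP case is my assumption of how the per-AP scope of the filter shows up in practice.

```python
"""Constructed model of an AP forwarding filter with PSPF (added example)."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str   # source MAC, colon separated
    dst: str   # destination MAC


@dataclass
class AccessPoint:
    name: str
    pspf: bool = True
    # MACs currently associated to this AP (the AP only knows its own clients)
    clients: set = field(default_factory=set)

    def associate(self, mac: str) -> None:
        self.clients.add(mac.lower())

    def forward(self, frame: Frame) -> str:
        """Return 'drop' or the egress side: 'wireless' or 'wired'."""
        src, dst = frame.src.lower(), frame.dst.lower()
        if src in self.clients and dst in self.clients:
            # Both endpoints are this AP's own wireless clients: PSPF blocks it.
            return "drop" if self.pspf else "wireless"
        if dst in self.clients:
            return "wireless"   # wired host -> wireless client is still bridged
        # Wireless client -> wired side; this includes a client of another AP,
        # which this AP cannot recognise, so PSPF here does not stop that case.
        return "wired"


def demo() -> dict:
    # Constructed sample data: two APs on one backbone, one wired host.
    ap1, ap2 = AccessPoint("ap1"), AccessPoint("ap2")
    ap1.associate("00:11:22:aa:aa:01")
    ap1.associate("00:11:22:aa:aa:02")
    ap2.associate("00:11:22:bb:bb:01")
    wired_host = "00:11:22:cc:cc:01"
    return {
        "same_ap":   ap1.forward(Frame("00:11:22:aa:aa:01", "00:11:22:aa:aa:02")),
        "to_wired":  ap1.forward(Frame("00:11:22:aa:aa:01", wired_host)),
        "from_wired": ap1.forward(Frame(wired_host, "00:11:22:aa:aa:02")),
        "cross_ap":  ap1.forward(Frame("00:11:22:aa:aa:01", "00:11:22:bb:bb:01")),
    }
```

The cross-AP result is the point of the model: that frame leaves ap1 on the wired side like any other, so blocking client-to-client traffic across APs needs enforcement on the backbone switch, not only PSPF on each AP.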
Encryption Techniques
• Key Management
  – Can be painful
  – Requires a powerful tool to manage keys
  – Easy to hack with a well-known single key
• Key Rotation
  – Changing the user's key periodically
• Broadcast Key Rotation
• WEP Encryption
• 128-bit WEP
• IPsec
Encryption Techniques
• IEEE 802.11i
  – TKIP (Data Integrity)
  – MIC (Data Integrity)
  – AES (Encryption)
  – Not yet complete
WLAN Security Solution Products
• Wireless Gateway
  – Bluesocket
  – Vernier
  – ReefEdge
• VPN
  – Cisco VPN concentrator/router/client
  – NetScreen
• Authentication Server
  – Cisco ACS (RADIUS, TACACS, LEAP)
  – RADIUS
WLAN Security Solution Products (figure): DHCP & AAA server and campus switch on the wired side; a Wireless Gateway (Bluesocket) or VPN Gateway (Cisco/NetScreen) in front of the WLAN; Cisco Aironet 1200 (802.11a, 802.11b, 802.11g) with an external antenna and Cisco Aironet 1100 (802.11b, 802.11g) access points; Mobile IP and VLAN support.
WLAN Security Solution Products
Cisco Aironet 1200 AP
• Modular platform for single or dual band operation
• Field upgradeable radios
• Modular design enhances future upgrade ability
• Simultaneous dual radio operation
• 10/100 Ethernet LAN uplink
Cisco Aironet 1100 AP
• VLAN support
• 802.11b, 802.11g (2.4 GHz)
Bluesocket Wireless Gateway (figure)
VPN Type and Applications

Type               Application                          As Alternative To               Benefits
Site-to-Site VPN   Site-to-site internal connectivity   Leased line, Frame Relay, ATM   Extend connectivity, increased bandwidth, lower cost
Remote Access VPN  Remote dial connectivity             Dedicated dial, ISDN            Ubiquitous access, lower cost
Extranet VPN       Biz-to-biz external connectivity     Fax, mail, EDI                  Facilitates e-commerce
VPN Type and Applications (figure): a central site reached over the Internet VPN by a site-to-site remote office, an extranet business partner, and remote users (mobile user, home telecommuter) connecting to a POP over DSL or cable.
Remote Access VPN (figure): a mobile customer and a telecommuter running Cisco VPN Clients (Microsoft Win 2000 with IPSec, Microsoft Win 9x/NT with PPTP) connect through an Internet POP to the central site, where a WAN router, PIX Firewall, Cisco VPN 3000 Concentrator and Cisco Secure ACS (AAA) sit.
Site-to-Site VPN (figure): a main campus linked over the Internet to remote campuses and a small office/home office.
Extranet VPN (figure): the corporate intranet, behind a firewall with a DMZ and a security server, linked through the ISP network and ISP gateway to a remote office and to suppliers.