Upload
nsrajasekar
View
219
Download
0
Embed Size (px)
Citation preview
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 1/32
Secure Campus Wireless
Architectures
Secure Campus Wireless
Architectures
Kevin Miller ± Duke University
Chris Misra ± University of Massachusetts, Amherst
September 2005 ± Philadelphia, PA
Kevin Miller ± Duke University
Chris Misra ± University of Massachusetts, Amherst
September 2005 ± Philadelphia, PA
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 2/32
ContextContext
Targeted at enterprise campus wireless
network deployments
Obvious scaling issues Managing 100 ± 10,000 APs
Substantial bandwidth requirements
Moderate to high rate of client connection churn
Heterogenous environments Various client machines & OSs
Multiple AP generations with different
capabilities
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 3/32
Options to secure wireless netsOptions to secure wireless nets
Open wireless edge
Open DHCP (³free love´)
DHCP with MAC registration (³netreg´)
VPN-only access (³vpn´)
Web middlebox (³portal´)
Cisco Clean Access, Bluesocket, AP portals,
etc«
Static WEP (³doesn¶t scale´)
802.1x w/ Dynamic WEP, WPA, WPA2
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 4/32
Open WiFi Edge :
Common Features
Open WiFi Edge :
Common Features
No encryption between client and AP
Application encryption encouraged,
naturally But ± can¶t guarantee this for all sites
Some information disclosure anyway (src,
dest IP)
Lowest Common Denominator ± Nearly
any device/user can connect
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 5/32
Unrestricted WiFi :
Challenges
Unrestricted WiFi :
Challenges
Isolating systems requires DHCP
configuration changes or AP MAC filters
Difficult to notify isolated users if you can¶t
identify them
Notifying help desk/support also a challenge
Legal, security, and resource usage
implications Of course, wireless authn should not be the sole
factor in granting application privileges
YMMV«
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 6/32
DHCP/MAC Registration :
Common Features
DHCP/MAC Registration :
Common Features
Can limit access to valid users
Via authenticated registration interface
Web browser not necessarily required
Infrequent registration
e.g. once per semester
Users are identified e.g. for isolation, notification, etc
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 7/32
DHCP/MAC Registration:
Challenges
DHCP/MAC Registration:
Challenges
Devices (not users) are identified
Associated to a given user at time of
registration Subject to MAC address spoofing
NetAuth: active/passive scanning
required
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 8/32
Mandatory VPN :
Common Features
Mandatory VPN :
Common Features
Provides network-layer encryption and
authentication
Can use ACLs to require VPN for access outside of wireless network
Not necessary to track/filter MAC
address Each session is authenticated
Limited to authorized users
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 9/32
Mandatory VPN :
Challenges
Mandatory VPN :
Challenges
Client software install often required
Not all systems supported
Linux/MacOS clients may be limited
Client support = Help Desk Hell
If you think email was difficult«
Increased overhead
No easy access for guests
NetAuth: active/passive scanning required
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 10/32
Web Middlebox (portal):
Common Features
Web Middlebox (portal):
Common Features
Middlebox often required to be inline
Many support 802.1q termination
Web-based authentication interface Per-session authentication
MAC address filter bypass
Devices may be r egister ed to bypass
authentication NetAuth scans may be triggered from
reg page (assuming portal support)
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 11/32
Web Middlebox (portal):
Challenges
Web Middlebox (portal):
Challenges
Physical infrastructure constraints
Parallel backbone or distributed
middleboxes Requires web browser on client
Possible spoofing
More complicated to attack thanDHCP/MAC registration
802.1x migration challenges
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 12/32
Static WEPStatic WEP
Not worth much consideration, as it
simply doesn¶t scale
Adds encryption between client and AP But..
One key shared by everyone
Key can be easily recovered given time
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 13/32
802.1x Edge Authentication802.1x Edge Authentication
Authn required prior to network access
Client software (³supplicant´) required
Windows XP/2K: framework built-in, somesupplicants built-in
Mac OS X: framework and most
supplicants built-in
Linux: Add-on software provides
supplicants
Windows Mobile: Add-on software
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 14/32
802.1x ~ Encryption802.1x ~ Encryption
802.1x authn provides keys for edge
encryption
Several levels of encryption: Dynamic WEP: 40/104-bit RC4
Proprietary extension, widely supported
WPA/TKIP: 104-bit RC4
Standard, good client & AP support
WPA2/802.11i: 128-bit AES
Standard, limited client & AP support
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 15/32
802.1x ~ Authentication Types802.1x ~ Authentication Types
Multiple authentication types possible with 802.1x.This modularity comes from the Extensible
Authentication Protocol (EAP)
Some EAP supplicants builtin to OSs, others as thirdparty Microsoft Windows EAP framework [builtin to XP, 2K]
Apple OS X EAP framework [builtin to Mac OS X 10.3+]
SecureW2
Funk Odyssey
Meetinghouse AEGIS
wpa_supplicant
Xsupplicant
Wire1x
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 16/32
802.1x ~ EAP Deployment802.1x ~ EAP Deployment
Each site should choose one (one+ possible)EAP method for authentication
Most popular EAP methods:
TLS: X.509 client certificate authn TTLS: Tunneled TLS; no client cert required. Can
transport plaintext password (TTLS:PAP)
PEAP: Protected EAP; often used w/ MS AD(PEAP:MS-CHAPv2, PEAP:GTC)
Other EAP methods LEAP: Proprietary; cracked.
FAST: Proprietary; not widely supported.
SIM: Authentication for mobile phones.
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 17/32
802.1x ~ EAP Compatibility802.1x ~ EAP Compatibility
Client98/ME
XP/2K
OSX
Linux
PcktPC
TLS PEAP TTLS License
Win Builtin
CHAPv2
Builtin
OSX Builtin Builtin
SecureW2
Free
Odyssey
$$
AEGIS $$
wpa_supp
Free
Xsupplicant
Free
Reference: LIN 802.1x factsheet
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 18/32
802.1x ~ Encryption Compatibility802.1x ~ Encryption Compatibility
Client WEP WPA WPA2 License
Win Builtin Builtin
OSX Builtin Builtin
SecureW2 Free
Odyssey $$
AEGIS $$
wpa_supp Free
Xsupplicant Free
Note: Some hardware & operating system restrictions may apply to support.
Reference: LIN 802.1x factsheet
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 19/32
802.1x ~ EAP, what¶s missing?802.1x ~ EAP, what¶s missing?
Current practical authn types: X.509 Certs (TLS)
Plaintext password (TTLS:PAP, PEAP:GTC)
e.g. for LDAP, Kerberos, OTP Windows hashed password (PEAP:MSCHAPv2,
TTLS:MSCHAPv2)
Many sites use Kerberos; EAP-Kerb/EAP-
GSSAPI would be ideal Somewhat tricky, as recall there is no network
connectivity pre-auth
Some work on this by Shumon Huque @ UPenn
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 20/32
802.1x ~ RADIUS802.1x ~ RADIUS
RADIUS authn required for EAP
Server must support chosen type
Multiple servers provide redundancy (but
accounting becomes trickier) Servers:
Cisco ACS
FreeRADIUS
Radiator
Infoblox
Funk Steel-belted
Many others«
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 21/32
802.1x ~ NetAuth802.1x ~ NetAuth
Edge authentication provides no easy
opportunity for pre-connection scanning
Instead:
Active, periodic scans can be used
Passive detection
Could monitor RADIUS Acctng to launch scan
Common issue: handling insecure boxes Could use dynamic vlan support to drop users into
a walled garden (AP support required)
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 22/32
802.1x ~ Putting it Together 802.1x ~ Putting it Together
Access Points Must support EAP type (should just pass-through all types)
Must support 802.1x auth and encryption mechanism
Encryption Type (WEP/WPA/WPA2) Must be supported by APs
Must be supported by client hardware, OS drivers, andsupplicant
Authentication Type (EAP Method: TLS, TTLS, etc..) Must be supported by client hardware, OS drivers, and
supplicant
Must be supported by RADIUS server
RADIUS Server(s) Must support backend authn using EAP credentials
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 23/32
802.1x ~ Deploying802.1x ~ Deploying
Client config / software may be required Can¶t provide instructions over 802.1x net, due to
pre-auth requirement
Common solution: a limited-access openSSID to provide instructions
Debate over SSID broadcast Windows tends to ignore ³hidden´ SSIDs when
preferred broadcast SSIDs are present But broadcasts can create confusion, and..
Some APs can only broadcast a single SSID (awaning issue)
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 24/32
Example Deployment: 802.1xExample Deployment: 802.1x
Deployment at a ³well-known´ University
Pilot deployment began Aug 2005 in one building
Encryption: WPA Believed the number of older machines would be very small
But WPA2 has only limited client support currently (APs arecapable)
Authentication: EAP-TTLS:PAP Backend auth against central Kerberos database
All users login as ³[email protected]´
RADIUS Server: FreeRADIUS Instructions are provided via an open SSID, which
doubles as a web login portal for guests Any University user can generate one time use ³tokens´
granting a guest up to 2 weeks of access
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 25/32
Comparing Security TypesComparing Security Types
Free
LoveVPN
Web
Portal802.1x
Over-the-Air Encryption
Ease of Deployment
Reliability & Scalability
AuthN System Req¶s
User-Based AuthZ Client Software Req¶s
Guest Access
Inter-site roaming ease
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 26/32
Wireless Network RoamingWireless Network Roaming
Goal: Authenticate users against
multiple, different AuthN realms
Uses: Inter-institutional visitors (state systems,
arbitrary roaming between sites)
Shared tenancy (ongoing collaborations or
collocation)
Independent departmental authn; shared
wireless network
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 27/32
Roaming CookbookRoaming Cookbook
1. Define a realm for each authn serviceexample.edu, cs.example.edu,
cent r al.example2.edu
2. Interconnect servers: 1-1 or hierarchy
Exchange RADIUS secrets
Define RADIUS proxy statements
3. Ensure clients are setup to roam(authenticate as user @example.edu)
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 28/32
Roaming AuthenticationRoaming Authentication
Authentication
802.1x: Most scalable and secure Secure tunnel from client to home institution;
credentials invisible to visited institution ³Outer´ identity must include realm for routing
Open/Web auth: Not scalable or not secure Shibboleth-style WAYF: difficult to scale
(requires knowledge of everyone¶s loginservers)
Simple username/password authn: Possibleusing RADIUS, but a security risk
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 29/32
Roaming ConsiderationsRoaming Considerations
Consider SSID and edge encryption, if using
802.1x
A separate ³roaming´ SSID may be desirable
But, some APs can¶t broadcast multiple SSIDs
Per-SSID 802.1x configuration may be required
Per-User AuthZ is difficult
Easy to permit/deny whole realms Group / attribute-based restrictions not here
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 30/32
eduroam.useduroam.us
I2 Federated Wireless NetAuth (FWNA)
building an experimental inter-
institutional roaming system Mirroring current state of eduroam.eu
Desire to improve current capabilities as
we go forward ³subscribe salsa-fwna´ to
sympa at internet2.edu
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 31/32
RecommendationsRecommendations
Strongly consider 802.1x Noticeable uptick in campuses considering &
deploying 802.1x for wireless (and wired)
Worthwhile evaluating and understanding thechallenges, if any
Web portals still very popular More difficult to implement secure roaming
Useful for providing guest network access
Open access is still used by some Reduces client burden
Many disregard due to legal, security, andresource utilization implications
8/3/2019 Secure Campus Wireless Architecture
http://slidepdf.com/reader/full/secure-campus-wireless-architecture 32/32
Next StepsNext Steps
Reading
WPA/WPA2 Enterprise Deployment Guide
http://www.wi-fi.org/membersonly/getfile.asp
?f=WFA_02_27_05_WPA_WPA2_White_Paper.pdf
Internet2 Working Groups
SALSA-NetAuth: security.internet2.edu/netauth
SALSA-FWNA: security.internet2.edu/fwna
EDUCAUSE Groups
wireless-lan list:http://www.educause.edu/
WirelessLocalAreaNetworkingConstituentGroup/987