20160530 Presentation: Internet of Things - David Coleman
TRANSCRIPT
Internet of Things (IoT): WLAN Design, Security and Administration Challenges
WLAN Professionals Conference, Berlin - October 2015
© Aerohive Networks, Proprietary & Confidential
Overview
• Introduction
• Consumerization of IT
• History of Wi-Fi client devices
• IoT WLAN design considerations
• IoT management considerations
• IoT security considerations
Coming Soon: Sybex CWSP Study Guide, 2nd Edition
ISBN: 978-1119211082
Amazon preorder: http://amzn.com/1119211085
Who am I?
Internet of Things (IoT)
• Technology research firm Gartner estimates that by 2020 the number of Internet of Things (IoT) devices will be 26 billion units worldwide, far exceeding the expected 7.3 billion PCs, tablets and smartphones.
• Could this be the beginning of the self-aware Skynet predicted by the Terminator movies?
Internet of Things (IoT)
New enterprise WLAN challenges lie ahead in a world where the number of IoT devices far exceeds the number of people on planet Earth.
WLAN administrators will have to confront new WLAN design, security and administration challenges as we move into the future with an IoT connected world.
Consumerization of IT
• Consumerization of IT is a catch-phrase used to describe a shift in information technology (IT) that begins in the consumer market and moves into business and government facilities.
• Employees introduce consumer market devices into the workplace after already embracing new technology at home.
• Evil Rogue APs forced the enterprise to deal with Wi-Fi
History of enterprise Wi-Fi client devices
• In the beginning there were scan guns
• Then came the laptops
• Then came smart phones and tablets
• Wearable devices*
• IoT devices*
History of enterprise Wi-Fi client devices
• Personal mobile Wi-Fi devices, such as smartphones and tablets, have been around for quite a few years.
• The Apple iPhone was first introduced in June 2007.
• Apple iPad debuted in April 2010.
• HTC introduced the first Android smartphone in October 2008.
• Smart phones and tablets now exceed laptop connectivity in the enterprise.
History of enterprise Wi-Fi client devices
2.4 GHz
• 2.4 GHz is a disaster zone
• Only three usable channels
• Almost impossible to prevent CCI
• High SNR
• Oversaturation of 802.11 devices
• Non-802.11 transmitter interference
5 GHz is the answer
Dynamic Frequency Selection
[Figure: 5 GHz channel map from 5.15 to 5.925 GHz showing the U-NII-1, U-NII-2A, U-NII-2B, U-NII-2C, U-NII-3 and U-NII-4 bands, their 20 MHz channel numbers (36 to 181) and the 40, 80 and 160 MHz bonded-channel centers such as 38, 42, 50, 106 and 114]
Take the Pledge
• Do not deploy 802.11 radios that transmit exclusively on 2.4 GHz.
• This pledge should be for all 802.11 devices, not just IoT devices.
• Ensure that the 5 GHz radios support DFS channels.
• Sadly… most IoT radios are currently only 2.4 GHz
#takethepledge
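As an added example (not from the presentation), the following Python helper turns the channel numbers of the 5 GHz figure into a check a WLAN designer can run: which 20 MHz channels a 40, 80 or 160 MHz bonded channel covers, and whether any of them is a DFS channel that a non-DFS IoT radio could not use. It assumes the FCC U-NII-1, U-NII-2A, U-NII-2C and U-NII-3 ranges that were open to unlicensed Wi-Fi at the time of the talk.

```python
# Added example (not from the presentation): 5 GHz channel bonding and DFS exposure.
# Assumes the FCC U-NII sub-bands open to unlicensed Wi-Fi at the time of the talk;
# U-NII-2B and U-NII-4 from the figure are omitted because they were not open to Wi-Fi.
UNII = {
    "U-NII-1":  (36, 48, False),    # 5.15-5.25 GHz, no DFS
    "U-NII-2A": (52, 64, True),     # 5.25-5.35 GHz, DFS required
    "U-NII-2C": (100, 144, True),   # 5.47-5.725 GHz, DFS required
    "U-NII-3":  (149, 165, False),  # 5.725-5.85 GHz, no DFS
}

def band_of(ch):
    """(band name, dfs required) for a usable 20 MHz channel number, else None."""
    for name, (lo, hi, dfs) in UNII.items():
        if lo <= ch <= hi and (ch - lo) % 4 == 0:
            return name, dfs
    return None

def bonded_members(primary, width):
    """20 MHz channels covered by the 20/40/80/160 MHz channel that contains primary."""
    n = width // 20
    if n not in (1, 2, 4, 8) or band_of(primary) is None:
        raise ValueError(f"channel {primary} at {width} MHz is not usable")
    base = 149 if primary >= 149 else 36   # U-NII-3 numbering is offset by one
    start = base + ((primary - base) // 4 // n) * n * 4
    members = [start + 4 * i for i in range(n)]
    if any(band_of(ch) is None for ch in members):
        raise ValueError(f"{width} MHz channel from {start} runs outside the usable bands")
    return members

def bonded_center(primary, width):
    """Channel number of the bonded channel's centre, e.g. 42 for 36-48 at 80 MHz."""
    m = bonded_members(primary, width)
    return (m[0] + m[-1]) // 2

def requires_dfs(primary, width):
    """True if any 20 MHz member of the bonded channel sits in a DFS band."""
    return any(band_of(ch)[1] for ch in bonded_members(primary, width))

def dfs_free_centers(width):
    """Bonded channels of this width that a radio without DFS support can use."""
    centers = set()
    for lo, hi, _ in UNII.values():
        for ch in range(lo, hi + 1, 4):
            try:
                if not requires_dfs(ch, width):
                    centers.add(bonded_center(ch, width))
            except ValueError:   # channel cannot be bonded this wide
                pass
    return sorted(centers)
```

Running `dfs_free_centers(80)` gives only channels 42 and 155, which is why a 5 GHz radio without DFS support leaves most of the band unused.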
Airtime Consumption
• Cheap IoT radios that only support 802.11b data rates are still going to slow everyone down
• May only support data rates of 1 and 2 Mbps
“Where we are going, we don’t need 802.11b”
IoT and Multipath
• IoT devices may use non-MIMO chipsets
• Multipath becomes our enemy once again
• High multipath environments can still have an impact on non-MIMO clients such as IoT sensors
IoT and Multipath
• Bad news: Most IoT clients are non-MIMO.
• Bad news: Non-MIMO IoT clients will still be negatively impacted when receiving downstream traffic from the APs.
• Good news: MIMO APs support maximum ratio combining (MRC)
• Most communication from IoT sensors is upstream to the AP, and MRC compensates for multipath.
IoT and Design
• Do we redesign the WLAN to cut down on reflections and multipath?
• Life will be better if the IoT devices use 1x1:1 MIMO radios supporting both maximum ratio combining (MRC) and space time block coding (STBC).
• Example: Arduino 1x1:1 b/g/n, www.arduino.cc
IoT and MU-MIMO
• Requires clients to have an 802.11ac chipset that supports explicit transmit beamforming.
• IoT client support for TxBF is currently not a reality.
• Clients need to be medium range from the AP
• Clients must have distance between each other
• Downstream only
IoT and MU-MIMO
• Might be a good fit for IoT devices that are bandwidth intensive.
• Reduction in airtime consumption for downstream transmissions.
• Not a reality at this point.
IoT and IPv6
• Everything has an IP address
• Multiple LLC… 802.3, 802.11, etc.
BYOD
• Bring Your Own Device (BYOD)
• Although mobile devices initially were intended for personal use, employees now want to use their personal mobile devices in the workplace.
• Employees have expectations of being able to connect to a corporate WLAN with multiple personal mobile devices.
• We live in a BYOD world
[Figure: corporate-issued laptop, smartphone and tablet alongside a personal smartphone and a personal consumer tablet]
MDM
• Mobile Device Management (MDM)
• MDM solution might be needed for onboarding personal mobile devices as well as corporate issued devices
• Corporate IT departments can deploy MDM to manage, secure, and monitor the mobile devices
MDM
• Mobile Device Management (MDM)
• Secure over-the-air provisioning of MDM profiles - Device restrictions
• Easy way to distribute root CA certificates for 802.1X security with mobile devices
• Over-The-Air Management
• Application Management
All aboard!
• Onboarding solutions for mobile devices may be the better way to go
• Simple way to distribute and install certificates or PPSK security credentials to mobile devices
• Installation process should be simple and painless for the end user
IoT Management
• MDM is not intended for IoT devices
• MDM solutions are based on Google and Apple APIs
• We will need management solutions because…
• We are beginning to live in an IoT world
• Currently consumer driven, but moving to the enterprise
IoT Framework
• Physical Device (sensing, monitoring, actuation, control…)
• Communication
• Services (monitoring, data publishing, discovery…)
• Application (interface to the user)
• Security (authentication, authorization, data integrity…)
• Management
IoT Communication
• The application functional block usually resides somewhere in the cloud.
• The communication with the cloud is often done through RESTful APIs, which use HTTP for transport.
API Overview - External
[Figure: HiveManager NG with its NG GUI and an External API (monitoring, location, utility…) receiving REST API calls from Partner App #1, #2 and #3]
• Aerohive provides an external RESTful API that may be used by customers, partners, and managed service providers to integrate with Aerohive services.
• The Monitoring API exposes information related to a customer's access points and the client devices connected to those APs.
Big Data
• Big data is a broad term for data sets so large that traditional data processing applications are insufficient.
• Data collection grows in size in proportion to the numerous low-cost and low-power IoT devices.
• Predictive analysis derived from big data sets.
• Applications and APIs will be vital.
IoT and WLAN Security
• The 802.11-2012 standard defines authentication and key management (AKM) services.
• Authentication required for key creation
• Robust Security Network (RSN) dynamic encryption
• 4-Way Handshake
[Figure: 4-Way Handshake between Supplicant and Authenticator using EAPOL-Key messages #1 to #4. Master keys: PMK and GMK. Temporal keys: PTK and GTK. PTK created on each side, GTK created and delivered, temporal keys installed, controlled port unblocked]
Validating Identity is important
• David Coleman: Wi-Fi Geek, born February 1960
• David Coleman Headley: convicted terrorist, born June 1960
802.1X/EAP
[Figure: CLIENT (root CA cert), AP and RADIUS server (server cert) exchanging EAP, with LDAP behind the RADIUS server]
• Extensible Authentication Protocol (EAP)
• Server certificate and Root CA certificate
• Tunneled authentication using SSL/TLS
• 802.1X: Port based access control
• Authorization Framework
• Supplicant
• Authenticator
• Authentication Server
• Integrates with LDAP
802.1X/EAP
• Most secure authentication method
• Ideal for the enterprise
• Certificates and PKI needed
• Can be difficult to deploy
• Can be difficult to troubleshoot
• Not necessarily ideal for IoT devices
PSK
[Figure: two identical labels, PSK = Password123!]
• 8-63 character shared passphrase
• Never intended for use in the enterprise
• Susceptible to offline dictionary attacks
• Wi-Fi Alliance recommends 20 strong characters or more
• Biggest weakness is that the PSK credential is “static”
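To show what the PSK slide and the earlier 4-Way Handshake slide describe, here is an added Python example (not code from the presentation or from Aerohive): the passphrase-to-256-bit-PSK mapping, the PMK-to-PTK expansion the handshake performs, and the MIC that protects the handshake messages. The SSIDs, MAC addresses and nonces are constructed sample values; the passphrase is the one shown on the slide.

```python
import hashlib
import hmac

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PMK from a WPA/WPA2-Personal passphrase: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 rounds, 256-bit output (IEEE 802.11-2012)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """4-Way Handshake: expand the PMK with both MAC addresses and both nonces into the
    384-bit CCMP PTK, then split it into KCK (MIC key), KEK (wraps the GTK) and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def eapol_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """Key MIC on EAPOL-Key messages 2 to 4: HMAC-SHA1 under the KCK, truncated to 128 bits."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not from the slides); real nonces are 256-bit random values.
PASSPHRASE = "Password123!"                 # the passphrase shown on the PSK slide
AA = bytes.fromhex("001122334455")          # authenticator (AP) MAC address, constructed
SPA = bytes.fromhex("66778899aabb")         # supplicant (IoT client) MAC address, constructed
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk_corp = wpa2_psk(PASSPHRASE, "corp-iot")
    pmk_guest = wpa2_psk(PASSPHRASE, "guest")
    # The SSID salts the derivation, so one static passphrase gives a different
    # 256-bit PSK on every SSID; the nonces then make the PTK unique per association.
    print("PMK on corp-iot:", pmk_corp.hex())
    print("same passphrase, different SSID gives a different PMK:", pmk_corp != pmk_guest)
    keys = derive_ptk(pmk_corp, AA, SPA, ANONCE, SNONCE)
    print("TK for this association:", keys["tk"].hex())
```

Because the passphrase is the only secret in this derivation, every device that shares it shares the PMK; the per-association nonces change the PTK, not the underlying credential, which is the “static” weakness the slide refers to.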
PPSK
• Several WLAN vendors offer proprietary PSK solutions
• Multiple per-user and per-device PSKs assigned to a single SSID
• Easy to deploy
• Can be time-based credentials
• Solves the “static” PSK problem
• 802.1X not always an option
• PPSK provides unique per-device secure credentials
• PPSK provides deployment simplicity
• PPSK scales
IoT device security
[Figure: five unique random 16-character passphrases]
IoT security demo
Marko Tisler, International Technical Training, CWNE #136, @tishlaaar
TDLS
[Figure: TDLS initiator STA and TDLS responder STA, each holding a TPK, with a Direct Link between them while both remain connected to the Access Point]
• Tunneled Direct Link Setup (TDLS)
Future Security
• Future replacement for PSK authentication
• Secure Authentication of Equals (SAE)
• SAE is a variant of Dragonfly, a password-authenticated key exchange based on a zero-knowledge proof
[Figure: both sides select the passphrase, then exchange SAE commit and SAE confirm messages]
Future Security
• Prove you know the credentials without compromising the credentials
• No forging, modification or replay attacks
• No offline dictionary attacks
Future Security
• Two authentication message exchanges:
  • commitment exchange, used to guess the password
  • confirmation exchange, to prove the password was guessed correctly
• PMK is then derived
• 4-Way Handshake
802.11ah
• New MAC and PHY
• Operates below 1 GHz: 900-928 MHz USA | 863-868 MHz Europe
• Ideal for low power consumption and long-range data transmissions
• Ideal for machine-to-machine communications such as sensor networks
• Mandatory: 1 MHz and 2 MHz modes; supported: 4, 8 and 16 MHz
• Up to 8,191 devices associated with an access point (AP) through a hierarchical identifier structure
• Low power consumption due to short and infrequent data transmission and targeted wake-up times
• Data packet size approximately 100 bytes
• 150 Kbps minimum data rate
Response
Next three slides are a quick response to an opposing view that was presented during the convention:
• Agree that IoT is not only a Wi-Fi technology. IoT devices will operate using other RF technologies such as Zigbee, Bluetooth and more.
• IoT devices will operate at many MAC layers and their underlying physical layers.
• Agree that IoT needs to operate on other frequencies, which is why this presentation also mentioned the 802.11ah amendment and sub-1 GHz frequencies.
• Disagree that Wi-Fi IoT devices should remain on 2.4 GHz and never transmit on 5 GHz. Currently the majority of IoT radios are 2.4 GHz only, but that will change and should change.
Response
Agree that there are many security challenges ahead. However, that is not a reason to discourage Wi-Fi IoT devices.
• Anything can be hacked. Human beings are always the weakest link.
• The Wi-Kettle hack was an application hack, not an 802.11 security hack
• Other technologies such as Bluetooth and Zigbee might also be hacked
• The answer is to deal with security issues and not put our head in the sand.
Response
Agree that there are many security challenges ahead. However, that is not a reason to discourage Wi-Fi IoT devices.
• A strong 63-character unique passphrase that might protect an IoT device such as a NEST thermostat is converted into a 256-bit PSK.
• A strong 63-character unique passphrase contains 170 bits of entropy (randomness) and would take hundreds of years to crack with a brute-force dictionary attack.
• Regardless, SAE is a proposed improvement for PSK/PPSK security.
• As mentioned in this presentation, another issue is the security management and administration of IoT devices. Onboarding solutions for security credentials will have to be developed.