Secure and Flexible Support for Visitors in Enterprise Wi-Fi Networks
José Carlos Brustoloni, Dept. Computer Science, University of Pittsburgh, 210 S. Bouquet St. #6111, Pittsburgh, PA 15260 – USA. Email: [email protected]
Joint work with Haidong Xia
Jose' Carlos Brustoloni, GLOBECOM 2005
Motivation
Will Wi-Fi enable ubiquitous Internet access?
+ Cheap
+ Adapters built into most notebook computers and PDAs
+ Access points being deployed everywhere
– Most access points meant for use only by members of owning organization (use by others is trespass, even if technically possible)
– Commercial hotspots viable only in high-utilization areas
Contribution: Secure Opportunistic Hotspots
♦ Enable noncommercial Wi-Fi networks to provide:
   - to members of owning organization: unrestricted connectivity
   - to invited or paying visitors: Internet access
+ for members, high security and similar performance
   - up-to-date enterprise Wi-Fi security protocols (WPA or 802.11i)
   - firewall blocks visitor access to intranet
   - traffic control limits bandwidth used by visitors
+ for invited visitors, improved collaboration and productivity
+ for paying visitors, opportunistic access without establishing account with owning organization
+ for owning organization, amortized costs of members’ and invited visitors’ connectivity
Challenges
1. How to block unauthorized visitor access?
   - Enterprise Wi-Fi security solutions (WPA, 802.11i) inadequate: would require reconfiguration of visitors’ computers
   - Captive portals readily interoperate, commonly used, but vulnerable to session hijacking and freeloading attacks
   - New defenses: session id checking and MAC sequence number tracking
2. How to bill paying visitors?
   - Subscriptions and pay-per-use accounts inadequate: limited coverage and uptime, no marketing, sales or support staff
   - Physical prepaid tokens may be impractical to sell (need outlet and staff) or buy (user needs to find and go to outlet, which needs to be open)
   - New method: virtual prepaid tokens (VPTs)
Supporting both WPA/802.11i (for members) and captive portals (for visitors)
♦ Visitor authentication by captive portal
   - SSL-secured Web page that requests visitor’s username and password
   - prisonwall redirects Web requests of unauthorized visitors to captive portal
   - captive portal authorizes visitor’s access by registering visitor’s IP and MAC addresses in prisonwall
   - packets of authorized visitors unencrypted, authenticated simply by address
♦ On the contrary, packets of members encrypted and authenticated by MAC (message authentication code)
♦ How can the access point broadcast both to visitors and members (e.g., DHCP, ARP)?
♦ Our solution:
   - keep track of number of associated members and visitors
   - if both present, broadcast packets twice, once encrypted and once unencrypted
   - low overhead
Session hijacking attack
♦ Hijacker snoops victim’s MAC and IP addresses and access point’s MAC address
♦ Periodically sends to victim 802.11 disassociation or deauthentication notifications purported to come from access point (causing denial of service)
♦ Hijacker uses victim’s MAC and IP addresses to obtain unauthorized access
Detecting and blocking session hijackings
Session id checking:
♦ Captive portal sends to client a session management page with cookie containing a cryptographically random session id
♦ Session management page is SSL-secured and tagged with http-equiv = “refresh” directive
♦ Client’s browser periodically sends to captive portal request to refresh the session management page
♦ Each request accompanied by cookie with session id
♦ Captive portal deauthorizes MAC and IP addresses of client whose refresh request and session id cookie were not received in the previous period
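Session id checking from the slide above, as an added Python model (not the paper's captive portal code): the prisonwall is modelled as the set of authorized (MAC, IP) pairs, the 8 s refresh period and the sample addresses are assumptions, and sweep() stands in for the periodic check that deauthorizes clients whose refresh and cookie did not arrive.

```python
import secrets

class CaptivePortal:
    """Session id checking (added example). The prisonwall is modelled as the set
    of (mac, ip) pairs currently allowed through; period_s is an assumption."""

    def __init__(self, period_s=8):
        self.period = period_s      # refresh interval of the session management page
        self.prisonwall = set()     # authorized (mac, ip) pairs
        self.sessions = {}          # (mac, ip) -> [session_id, time of last valid refresh]

    def login(self, mac, ip, now):
        """Visitor authenticated over SSL: register addresses, hand out page + cookie."""
        sid = secrets.token_urlsafe(32)            # cryptographically random session id
        self.sessions[(mac, ip)] = [sid, now]
        self.prisonwall.add((mac, ip))
        page = (f'<meta http-equiv="refresh" content="{self.period}">'
                '<p>Session active; keep this page open.</p>')
        cookie = f"sid={sid}; Secure; HttpOnly"
        return page, cookie

    def refresh(self, mac, ip, cookie_sid, now):
        """Refresh of the session page: only the correct cookie renews the session."""
        entry = self.sessions.get((mac, ip))
        if entry is None or not secrets.compare_digest(entry[0], cookie_sid):
            return False                           # matching addresses alone are not enough
        entry[1] = now
        return True

    def sweep(self, now):
        """Deauthorize clients whose refresh + cookie did not arrive in the last period."""
        stale = [k for k, (_, t) in self.sessions.items() if now - t > self.period]
        for k in stale:
            del self.sessions[k]
            self.prisonwall.discard(k)
        return stale

def simulate(period_s=8):
    """Constructed scenario: victim logs in and refreshes normally; then the victim is
    silenced and a second host reuses its MAC/IP without the cookie. Returns
    (victim kept access, hijacker refresh accepted, address still authorized after sweep)."""
    cp = CaptivePortal(period_s)
    victim = ("00:11:22:33:44:55", "10.0.0.7")    # constructed sample addresses
    _, cookie = cp.login(*victim, now=0)
    sid = cookie.split(";")[0].split("=", 1)[1]
    kept = cp.refresh(*victim, sid, now=period_s) and cp.sweep(now=period_s) == []
    hijacker_ok = cp.refresh(*victim, "", now=2 * period_s)
    cp.sweep(now=2 * period_s + 1)
    return bool(kept), hijacker_ok, victim in cp.prisonwall
```

simulate() returns (True, False, False): the legitimate client keeps access, the cookie-less refresh is rejected, and the shared address is deauthorized at the next sweep.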
Freeloading attack
♦ Victim continues to communicate (no denial of service)
♦ If victim does not have personal firewall, victim may respond to packets destined to freeloader (e.g., TCP RST), disrupting freeloader’s communication
♦ However, if victim has personal firewall, victim does not respond to such packets
♦ Both victim and freeloader get access: potential for collusion
Detecting freeloading
♦ Each 802.11 packet contains a 12-bit sequence number
♦ Increments by one for each new packet sent; remains the same in case of MAC-layer fragmentation or retransmission
♦ Implemented in adaptor’s firmware; cannot be changed by host
♦ In case of freeloading, sequence numbers of packets using the same MAC and IP addresses form two (or more) trend lines
Blocking freeloading
MAC sequence number tracking:
♦ Access point tracks MAC sequence numbers of packets from each associated client
♦ In case MAC sequence number returns from a trend line to the previous trend line, access point notifies captive portal for deauthorizing client’s MAC and IP addresses
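The two slides above (detecting and blocking freeloading), as an added Python model of what the access point does; this is not the paper's HostAP code. The 12-bit wraparound and the "same number on retransmission" rule come from the slides; the window of 64 frames a trend line may advance between observed frames, the trace, and the MAC addresses are assumptions.

```python
SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits, so they wrap at 4096
WINDOW = 64      # assumed: how far one trend line may advance between frames we see

def seq_delta(a, b):
    """Forward distance from b to a modulo 2^12, so 4095 -> 0 counts as a step of 1."""
    return (a - b) % SEQ_MOD

class SeqTracker:
    """MAC sequence number tracking for one associated client (added example)."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.current = None    # last sequence number on the trend line being followed
        self.previous = None   # last sequence number on the line we jumped away from

    def observe(self, seq):
        """Feed one frame's sequence number; True means it returned to the previous
        trend line, i.e. two senders share this MAC (freeloading)."""
        if self.current is None:
            self.current = seq
            return False
        d = seq_delta(seq, self.current)
        if d <= self.window:              # 0: retransmission/fragment; else normal advance
            self.current = seq
            return False
        # Large jump: a single jump may be an adapter reset, so only remember the old line.
        if self.previous is not None and seq_delta(seq, self.previous) <= self.window:
            return True                   # back on the earlier line: second sender present
        self.previous, self.current = self.current, seq
        return False

def scan(frames, window=WINDOW):
    """Run tracking over (mac, seq) frames as the AP would; return (index, mac) of every
    frame that would make the AP ask the captive portal to deauthorize the client."""
    trackers, alerts = {}, []
    for i, (mac, seq) in enumerate(frames):
        t = trackers.setdefault(mac, SeqTracker(window))
        if t.observe(seq):
            alerts.append((i, mac))
            del trackers[mac]             # client deauthorized; AP drops its state
    return alerts

# Constructed sample trace: a victim at 100.. is interleaved with a freeloader at 3000..,
# then a second, honest client wraps 4095 -> 0 and later resets its adapter (one jump only).
VICTIM, HONEST = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = ([(VICTIM, s) for s in (100, 101, 101, 102, 3000, 3001, 103)]
                 + [(HONEST, s) for s in (4094, 4095, 0, 1, 500, 501)])

if __name__ == "__main__":
    print(scan(SAMPLE_FRAMES))   # [(6, '00:11:22:33:44:55')]
```

Only the return to an earlier trend line raises an alert, so a wraparound or a single reset of an honest adapter is not mistaken for freeloading.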
Virtual prepaid tokens (VPTs)
♦ Like a physical prepaid token, but bought online, using 3rd-party online payment server (OPS)
♦ Much easier to:
   - sell: no need to provide physical outlet, staff
   - buy: no need to find and go to outlet; always open
♦ Compared to aggregator accounts:
   + for seller, OPS much cheaper than Wi-Fi aggregator
      PayPal (OPS): $0.30 + 2.9%
      Boingo (aggregator): 25% or anything in excess of $1 per connect day
   + for buyer, can use OPS account for many other purposes (auctions, e-commerce, both send and receive payments)
VPT protocol
Experimental results
♦ Access point with:
   - support for both members and visitors
   - prisonwall blocking visitor/intranet communication and supporting VPTs
   - traffic control
   - MAC sequence number tracking
   - based on Linux + HostAP + 32 KB new code + 1 KB state for 50 visitors
♦ Captive portal with:
   - session id checking
   - VPT support
♦ Clients:
   - IBM, Dell, Sony notebook computers, Sharp Zaurus PDAs
   - Intel, Orinoco, Cisco, Linksys, Netgear, D-Link adapters
♦ Verified:
   - AP and CP interoperation with all clients
   - simultaneous support for members and visitors
Limiting the impact of visitors on network performance experienced by members
Overhead of session id checking – throughput
(figure; annotations: 4% @ 1 s, 15 clients; very little overhead @ 8 s)
Session id checking – CPU utilization
(figure, for 1 s refresh; annotation: 5% @ 1 s, 15 clients)
MAC sequence number tracking – throughput
Access latency for paying visitors

VPT payment step                                                         Latency (sec)
Visitor orders VPT                                                            0.6
Captive portal redirects visitor to online payment server (OPS)               2.6
Visitor inputs id and password to OPS                                         2.3
OPS verifies password, asks for payment confirmation                          1.4
Visitor confirms payment                                                      0.6
OPS processes payment, notifies and confirms payment to captive portal        6.8
TOTAL                                                                        14.3

(in the above experiment, OPS = PayPal)
Related work
♦ SPINACH project (Stanford) first proposed captive portals
♦ Aboba’s characterization of access point virtualization techniques
   - Single SSID/beacon, single beacon (only for visitors), single BSSID
   - vs. Single SSID/beacon, multiple beacon, multiple BSSIDs (commercial hotspots)
♦ Roaming agreements vs. direct payment to visited networks
   - Patel and Crowcroft
   - Peirce and O’Mahony: micropayments for prepaid roaming
   - Blaze et al.: TAPI micropayments (does not address freeloading)
♦ Mann: US regulations for OPS user guarantees and liabilities same as for credit card if OPS account funded only via credit card
♦ P2PWNC: peer-to-peer arch. for ubiquitous access; does not deal with “trade imbalances”
Other related work
♦ Commercial hotspots
   - surprisingly tricky to find viable business model
   - many failed: MobileStar, AirZone, HereUAre, Joltage, Comet
   - unlike SOHs, do not tolerate low utilization or poor availability
♦ Promotional hotspots
   - unlike SOHs, do not support members or paying visitors – all users are invited
♦ Many informally open networks, community networks
   - suggest visitors’ impact on security and performance tolerable by many owning organizations
   - together with many users interested in using such networks, argue for viability of SOHs
♦ 3G wireless
♦ Wi-Max
Conclusions
♦ Wi-Fi’s potential for ubiquitous access not well supported by existing architectures
♦ Secure Opportunistic Hotspots: enterprise and home Wi-Fi networks provide also Internet access to invited and paying visitors
♦ Simple new scheme for simultaneously supporting members and visitors
   - interoperates well, low implementation cost, low overhead
   - limited visitor impact on members’ performance, no impact on security
♦ New defenses against unauthorized visitor access: session id checking and MAC sequence number tracking
   - effective, low implementation cost, low overhead
♦ New billing method: virtual prepaid tokens
   - lower costs for provider, more convenient for occasional visitor
   - low access latency (< 15 sec)
♦ SOHs could significantly benefit the availability of ubiquitous Internet access