Secure and Flexible Support for Visitors in Enterprise Wi-Fi Networks

José Carlos Brustoloni, Dept. Computer Science, University of Pittsburgh, 210 S. Bouquet St. #6111, Pittsburgh, PA 15260 – USA. Email: [email protected]. Joint work with Haidong Xia.

Upload: johnsondon

Post on 24-Jun-2015


TRANSCRIPT

Page 1: slides

Secure and Flexible Support for Visitors in Enterprise Wi-Fi Networks

José Carlos Brustoloni
Dept. Computer Science, University of Pittsburgh
210 S. Bouquet St. #6111, Pittsburgh, PA 15260 – USA
Email: [email protected]
Joint work with Haidong Xia

Page 2: slides

José Carlos Brustoloni, GLOBECOM 2005

Motivation

Will Wi-Fi enable ubiquitous Internet access?
+ Cheap
+ Adapters built into most notebook computers and PDAs
+ Access points being deployed everywhere
– Most access points meant for use only by members of owning organization (use by others is trespass, even if technically possible)
– Commercial hotspots viable only in high-utilization areas

Page 3: slides


Contribution: Secure Opportunistic Hotspots

♦ Enable noncommercial Wi-Fi networks to provide:
  - to members of owning organization: unrestricted connectivity
  - to invited or paying visitors: Internet access
+ for members, high security and similar performance
  - up-to-date enterprise Wi-Fi security protocols (WPA or 802.11i)
  - firewall blocks visitor access to intranet
  - traffic control limits bandwidth used by visitors
+ for invited visitors, improved collaboration and productivity
+ for paying visitors, opportunistic access without establishing account with owning organization
+ for owning organization, amortized costs of members’ and invited visitors’ connectivity

Page 4: slides


Challenges

1. How to block unauthorized visitor access?
  - Enterprise Wi-Fi security solutions (WPA, 802.11i) inadequate: would require reconfiguration of visitors’ computers
  - Captive portals readily interoperate, commonly used, but vulnerable to session hijacking and freeloading attacks
  - New defenses: session id checking and MAC sequence number tracking

2. How to bill paying visitors?
  - Subscriptions and pay-per-use accounts inadequate: limited coverage and uptime, no marketing, sales or support staff
  - Physical prepaid tokens may be impractical to sell (need outlet and staff) or buy (user needs to find and go to outlet, which needs to be open)
  - New method: virtual prepaid tokens (VPTs)

Page 5: slides


Supporting both WPA/802.11i (for members) and captive portals (for visitors)

♦ Visitor authentication by captive portal
  - SSL-secured Web page that requests visitor’s username and password
  - prisonwall redirects Web requests of unauthorized visitors to captive portal
  - captive portal authorizes visitor’s access by registering visitor’s IP and MAC addresses in prisonwall
  - packets of authorized visitors unencrypted, authenticated simply by address
♦ On the contrary, packets of members encrypted and authenticated by MAC (message authentication code)
♦ How can the access point broadcast both to visitors and members (e.g., DHCP, ARP)?
♦ Our solution:
  - keep track of number of associated members and visitors
  - if both present, broadcast packets twice, once encrypted and once unencrypted
  - low overhead

Page 6: slides


Session hijacking attack

♦ Hijacker snoops victim’s MAC and IP addresses and access point’s MAC address
♦ Periodically sends to victim 802.11 disassociation or deauthentication notifications purported to come from access point (causing denial-of-service)
♦ Hijacker uses victim’s MAC and IP addresses to obtain unauthorized access

Page 7: slides


Detecting and blocking session hijackings

Session id checking:
♦ Captive portal sends to client a session management page with cookie containing a cryptographically random session id
♦ Session management page is SSL-secured and tagged with http-equiv = “refresh” directive
♦ Client’s browser periodically sends to captive portal request to refresh the session management page
♦ Each request accompanied by cookie with session id
♦ Captive portal deauthorizes MAC and IP addresses of client whose refresh request and session id cookie were not received in the previous period
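The following is an added example (not the authors’ captive portal code) of the session-id bookkeeping described above, driven by explicit timestamps instead of a real clock. The refresh period (8 s) and grace interval (2 s) are assumed values, and the prisonwall is simulated by a set of authorized (MAC, IP) pairs.

```python
import secrets

# Assumed values: the slides measure refresh periods of 1 s and 8 s; the grace
# interval is added here to tolerate network jitter before deauthorizing.
REFRESH_PERIOD = 8.0
GRACE = 2.0


class CaptivePortalSessions:
    """Session id checking: one record per authorized visitor."""

    def __init__(self, period=REFRESH_PERIOD, grace=GRACE):
        self.period = period
        self.grace = grace
        self.sessions = {}       # session id -> {"mac", "ip", "last"}
        self.prisonwall = set()  # (mac, ip) pairs allowed through (simulated)

    def authorize(self, mac, ip, now):
        """After a successful login: register the address pair with the prisonwall
        and return the random id the session management page sets as a cookie."""
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.sessions[sid] = {"mac": mac, "ip": ip, "last": now}
        self.prisonwall.add((mac, ip))
        return sid

    def refresh(self, sid, mac, ip, now):
        """Handle a browser refresh of the session management page; accepted only
        if the cookie is known and arrives from the address pair it was issued to."""
        rec = self.sessions.get(sid)
        if rec is None or (rec["mac"], rec["ip"]) != (mac, ip):
            return False
        rec["last"] = now
        return True

    def sweep(self, now):
        """Deauthorize clients whose refresh was not received in the previous period;
        return the (mac, ip) pairs removed from the prisonwall."""
        removed = []
        stale = [s for s, r in self.sessions.items() if now - r["last"] > self.period + self.grace]
        for sid in stale:
            rec = self.sessions.pop(sid)
            self.prisonwall.discard((rec["mac"], rec["ip"]))
            removed.append((rec["mac"], rec["ip"]))
        return removed

    def is_authorized(self, mac, ip):
        return (mac, ip) in self.prisonwall


def hijack_timeline():
    """Constructed timeline: visitor logs in at t=0 and refreshes at t=8, then is
    forced off the air; whoever reuses the addresses afterwards holds no cookie."""
    portal = CaptivePortalSessions()
    sid = portal.authorize("00:11:22:33:44:55", "10.0.0.5", now=0.0)
    portal.refresh(sid, "00:11:22:33:44:55", "10.0.0.5", now=8.0)
    return portal.sweep(now=12.0), portal.sweep(now=19.0)
```

The sweep at t=12 finds the last refresh still within one period plus grace, while the sweep at t=19 removes the address pair, which is the point at which the prisonwall would again redirect that client to the portal.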

Page 8: slides


Freeloading attack

♦ Victim continues to communicate (no denial of service)
♦ If victim does not have personal firewall, victim may respond to packets destined to freeloader (e.g., TCP RST), disrupting freeloader’s communication
♦ However, if victim has personal firewall, victim does not respond to such packets
♦ Both victim and freeloader get access: potential for collusion

Page 9: slides


Detecting freeloading

♦ Each 802.11 packet contains a 12-bit sequence number
♦ Increments by one for each new packet sent; remains the same in case of MAC-layer fragmentation or retransmission
♦ Implemented in adapter’s firmware; cannot be changed by host
♦ In case of freeloading, sequence numbers of packets using the same MAC and IP addresses form two (or more) trend lines

Page 10: slides


Blocking freeloading

MAC sequence number tracking:
♦ Access point tracks MAC sequence numbers of packets from each associated client
♦ In case MAC sequence number returns from a trend line to the previous trend line, access point notifies captive portal for deauthorizing client’s MAC and IP addresses
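An added example (not the authors’ HostAP modification) of the MAC sequence number tracking from the two slides above, written as detection logic run over constructed sequence-number traces. The 64-packet window that decides whether a number still lies on the current trend line, and the bound of four remembered trend lines, are assumed tuning parameters.

```python
SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits wide and wrap at 4096
WINDOW = 64      # assumed: a number this far ahead still belongs to the current trend line
MAX_DORMANT = 4  # assumed: bound on remembered trend lines, keeping per-client state small


def forward_gap(prev, seq):
    """How far seq lies ahead of prev, walking forward modulo 4096 (0 for a retransmission)."""
    return (seq - prev) % SEQ_MOD


class SeqTracker:
    """Tracks the 802.11 sequence numbers seen from one MAC/IP address pair.

    A single large jump is tolerated (the adapter may have reset or reassociated),
    but a later packet that falls back onto a trend line left behind means two
    adapters are transmitting under the same addresses, i.e. freeloading.
    """

    def __init__(self):
        self.current = None  # last number on the active trend line
        self.dormant = []    # last numbers of trend lines abandoned by a jump

    def observe(self, seq):
        """Feed one packet's sequence number; return True when freeloading is detected."""
        if self.current is None:
            self.current = seq
            return False
        if forward_gap(self.current, seq) < WINDOW:
            self.current = seq  # normal advance, fragment or retransmission
            return False
        # Large jump: does the packet continue a trend line seen earlier?
        for i, old in enumerate(self.dormant):
            if forward_gap(old, seq) < WINDOW:
                self.dormant[i] = self.current  # the other sender is now the dormant one
                self.current = seq
                return True
        self.dormant.append(self.current)
        self.dormant = self.dormant[-MAX_DORMANT:]
        self.current = seq
        return False


def run_trace(seqs):
    """Return the indexes in seqs at which the tracker raises a freeloading alert."""
    tracker = SeqTracker()
    return [i for i, s in enumerate(seqs) if tracker.observe(s)]
```

In the access point the first alert would be reported to the captive portal, which deauthorizes the address pair; run_trace keeps going only to show that the two interleaved senders keep alternating between trend lines.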

Page 11: slides


Virtual prepaid tokens (VPTs)

♦ Like a physical prepaid token, but bought online, using 3rd-party online payment server (OPS)
♦ Much easier to:
  - sell: no need to provide physical outlet, staff
  - buy: no need to find and go to outlet; always open
♦ Compared to aggregator accounts:
  + for seller, OPS much cheaper than Wi-Fi aggregator
    PayPal (OPS): $0.30 + 2.9%
    Boingo (aggregator): 25% or anything in excess of $1 per connect day
  + for buyer, can use OPS account for many other purposes (auctions, e-commerce, both send and receive payments)

Page 12: slides


VPT protocol

Page 13: slides


Experimental results

♦ Access point with:
  - support for both members and visitors
  - prisonwall blocking visitor/intranet communication and supporting VPTs
  - traffic control
  - MAC sequence number tracking
  - based on Linux + HostAP + 32 KB new code + 1 KB state for 50 visitors
♦ Captive portal with:
  - session id checking
  - VPT support
♦ Clients: IBM, Dell, Sony notebook computers, Sharp Zaurus PDAs; Intel, Orinoco, Cisco, Linksys, Netgear, D-Link adapters
♦ Verified:
  - AP and CP interoperation with all clients
  - simultaneous support for members and visitors

Page 14: slides


Limiting the impact of visitors on network performance experienced by members

Page 15: slides


Overhead of session id checking – throughput

(figure: throughput chart; annotations read “4% @ 1 s, 15 clients” and “very little overhead @ 8 s”)

Page 16: slides


Session id checking – CPU utilization

(figure: CPU utilization chart for 1 s refresh; annotation reads “5% @ 1 s, 15 clients”)

Page 17: slides


MAC sequence number tracking – throughput

Page 18: slides


Access latency for paying visitors

VPT payment step                                                         Latency (sec)
Visitor orders VPT                                                                 0.6
Captive portal redirects visitor to online payment server (OPS)                    2.6
Visitor inputs id and password to OPS                                              2.3
OPS verifies password, asks for payment confirmation                               1.4
Visitor confirms payment                                                           0.6
OPS processes payment, notifies and confirms payment to captive portal             6.8
TOTAL                                                                             14.3

(in the above experiment, OPS = PayPal)

Page 19: slides


Related work

♦ SPINACH project (Stanford) first proposed captive portals
♦ Aboba’s characterization of access point virtualization techniques
  - Single SSID/beacon, single beacon (only for visitors), single BSSID
  - vs. Single SSID/beacon, multiple beacon, multiple BSSIDs (commercial hotspots)
♦ Roaming agreements vs. direct payment to visited networks
  - Patel and Crowcroft
  - Peirce and O’Mahony: micropayments for prepaid roaming
  - Blaze et al.: TAPI micropayments (does not address freeloading)
♦ Mann: US regulations for OPS user guarantees and liabilities same as for credit card if OPS account funded only via credit card
♦ P2PWNC: peer-to-peer arch. for ubiquitous access; does not deal with “trade imbalances”

Page 20: slides


Other related work

♦ Commercial hotspots
  - surprisingly tricky to find viable business model
  - many failed: MobileStar, AirZone, HereUAre, Joltage, Comet
  - unlike SOHs, do not tolerate low utilization or poor availability
♦ Promotional hotspots
  - unlike SOHs, do not support members or paying visitors – all users are invited
♦ Many informally open networks, community networks
  - suggest visitors’ impact on security and performance tolerable by many owning organizations
  - together with the many users interested in using such networks, argue for viability of SOHs
♦ 3G wireless
♦ Wi-Max

Page 21: slides


Conclusions

♦ Wi-Fi’s potential for ubiquitous access not well supported by existing architectures
♦ Secure Opportunistic Hotspots: enterprise and home Wi-Fi networks provide also Internet access to invited and paying visitors
♦ Simple new scheme for simultaneously supporting members and visitors
  - interoperates well, low implementation cost, low overhead
  - limited visitor impact on members’ performance, no impact on security
♦ New defenses against unauthorized visitor access: session id checking and MAC sequence number tracking
  - effective, low implementation cost, low overhead
♦ New billing method: virtual prepaid tokens
  - lower costs for provider, more convenient for occasional visitor
  - low access latency (< 15 sec)
♦ SOHs could significantly benefit the availability of ubiquitous Internet access