VPN Wireless Security at Penn State
Rich Cropp, Senior Systems Engineer, Information Technology Services
The Pennsylvania State University © 2003. All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS). November 10, 2003.


Page 1:

VPN Wireless Security at Penn State

Rich Cropp, Senior Systems Engineer

Information Technology Services

The Pennsylvania State University © 2003. All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS). November 10, 2003.

Page 2:


Agenda

• ITS Wireless Service
• What is a VPN?
• VPN Tunneling Protocols
• What is next for the ITS WLAN Service?

Page 3:


Design Requirements for the ITS Wireless LAN Service

• Standards based
• Adhere to PSU Security Policy (AD20)
• Support Windows ≥ 98 / Linux / Mac OS
• Encrypt user data and passwords
• Authenticate users with Penn State Access Account
• Assignment of IP address via DHCP
• Log authenticated users' IP address assignment
• Roaming within a building

Page 4:


Eliminated Solutions

Any 802.11b AP using WEP and MAC filtering
• Flawed WEP algorithm
• Does not authenticate the user

Cisco Aironet 350 AP with LEAP
• Required Cisco client card
• Required Cisco ACS RADIUS server
• LEAP vulnerable to dictionary attack

Orinoco AS2000
• Required Orinoco client card
• No Linux client

Page 5:


Solution: Firewall and VPN

• Router provides the firewall function (ACLs)
• Firewall prevents unauthenticated access
• Firewall only allows traffic to:
  • DHCP server
  • DNS servers
  • VPN concentrator
• VPN authenticates users
• VPN encrypts observable wireless traffic
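An added example, not ITS code, modelling the pre-authentication ACL just described: before a tunnel exists a wireless client can reach only the DHCP server, the DNS servers and the VPN concentrator. The addresses, the ports and the IPSec/PPTP protocols permitted toward the concentrator are assumptions, not values from the slides.

```python
# Added example (not ITS code): a model of the pre-authentication firewall on the
# wireless router. Until a tunnel is up, a wireless client may only reach the DHCP
# server, the DNS servers and the VPN concentrator; everything else is dropped.
# Addresses, ports and the tunnel protocols accepted are assumptions, not slide values.
from dataclasses import dataclass

DHCP_SERVER = "10.1.0.10"                    # assumed address
DNS_SERVERS = {"10.1.0.20", "10.1.0.21"}     # assumed addresses
VPN_CONCENTRATOR = "10.1.0.30"               # assumed address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "udp", "tcp", "esp" or "gre"
    dport: int = 0    # 0 for protocols without ports

# First-match ACL: (protocol, allowed destinations or None for any, port or None).
# Destination None is needed for the DHCP DISCOVER broadcast sent from 0.0.0.0.
PRE_AUTH_ACL = [
    ("udp", None, 67),                    # DHCP (broadcast discover or unicast renew)
    ("udp", DNS_SERVERS, 53),             # DNS lookups
    ("udp", {VPN_CONCENTRATOR}, 500),     # ISAKMP/IKE (assumes an IPSec concentrator)
    ("esp", {VPN_CONCENTRATOR}, None),    # IPSec ESP tunnel traffic
    ("tcp", {VPN_CONCENTRATOR}, 1723),    # PPTP control connection (assumed offered)
    ("gre", {VPN_CONCENTRATOR}, None),    # PPTP GRE-encapsulated PPP
]

def evaluate(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for one packet arriving from the wireless side."""
    for proto, dsts, port in PRE_AUTH_ACL:
        if pkt.proto != proto:
            continue
        if dsts is not None and pkt.dst not in dsts:
            continue
        if port is not None and pkt.dport != port:
            continue
        return "permit"
    return "deny"   # implicit deny: an unauthenticated client reaches nothing else

def denied(packets):
    """Packets the ACL drops; these are what the router should log for review."""
    return [p for p in packets if evaluate(p) == "deny"]

if __name__ == "__main__":
    # Constructed sample traffic from a client that has not yet opened a tunnel.
    sample = [
        Packet("0.0.0.0", "255.255.255.255", "udp", 67),   # DHCP DISCOVER
        Packet("10.0.3.4", "10.1.0.20", "udp", 53),        # DNS query
        Packet("10.0.3.4", "10.1.0.30", "udp", 500),       # IKE to the concentrator
        Packet("10.0.3.4", "192.0.2.10", "tcp", 80),       # web before the VPN: dropped
    ]
    for p in sample:
        print(evaluate(p), p)
```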

Page 6:


ITS Wireless LAN Service

[Diagram: components shown are laptops on the wireless LAN, three access points, a firewall, a VPN concentrator, a RADIUS server, a DCE authentication server, a DNS server, a DHCP server, an NTP server and the integrated backbone.]

Page 7:


Agenda

• ITS Wireless Service
• What is a VPN?
• VPN Tunneling Protocols
• What is next for the ITS WLAN Service?

Page 8:


What is a VPN?

A Virtual Private Network (VPN) is a private network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

- VPN Consortium

[Diagram: sites labelled Central/HQ, Branch Office, Warehouse, SoHo and Factory, joined by VPN across the Internet.]

Page 9:


VPN Example #1

Mobile users accessing company resources from remote locations

[Diagram: Mobile User connected across a Shared Network Infrastructure to a Firewall + VPN Concentrator in front of the Enterprise LAN.]

Page 10:


VPN Example #2

Interconnect LANs over a shared network infrastructure

[Diagram: Location A, Location B and Location C LANs, each behind a VPN Device, joined across a Shared Network Infrastructure.]

Page 11:


Agenda

• ITS Wireless Service
• What is a VPN?
• VPN Tunneling Protocols
• What is next for the ITS WLAN Service?

Page 12:


Point-to-Point Tunneling Protocol (PPTP)

• Developed by 3Com, Ascend, ECI Telematics, USR, and Microsoft
• PPTP client is part of most modern Microsoft Windows operating systems
• RFC 2637
• Layer 2
• Encapsulates PPP session using Generic Routing Encapsulation (GRE)
• Supports non-IP protocols (IPX, NetBEUI, AppleTalk, etc.)
• Uses any PPP authentication scheme (PAP, CHAP, MS-CHAP, etc.)
• Encryption via Microsoft Point-to-Point Encryption (MPPE)
• MPPE uses the RC4 algorithm with 40- or 128-bit keys
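As an added example that is not from the slides, the following Python parses the enhanced GRE header that PPTP wraps around each PPP frame (RFC 2637) and reports whether the PPP payload carries MPPE-encrypted data; this is how one confirms, from a capture of the wireless segment, that a PPTP session is actually encrypted rather than passing cleartext PPP. The sample packets, call ID and sequence number are constructed.

```python
# Added example (not from the slides): parse the enhanced GRE header PPTP uses to
# carry PPP (RFC 2637) and report whether the PPP payload is MPPE encrypted. When
# reviewing a capture of the wireless segment, a PPTP data stream whose PPP protocol
# is not 0x00FD is carrying cleartext PPP. The sample packets are constructed by hand.
import struct

GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPTP-encapsulated PPP
PPP_MPPE = 0x00FD         # PPP "compressed datagram" protocol used by MPPE (RFC 3078)
GRE_K, GRE_S, GRE_A = 0x2000, 0x1000, 0x0080   # key, sequence and ack present bits

def parse_pptp_gre(frame: bytes) -> dict:
    """Return GRE fields and the PPP protocol of the payload; raise on non-PPTP input."""
    if len(frame) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", frame[:8])
    if (flags & 0x0007) != 1 or proto != GRE_PROTO_PPP or not (flags & GRE_K):
        raise ValueError("not a PPTP enhanced GRE packet (version 1, K set)")
    offset, seq, ack = 8, None, None
    if flags & GRE_S:
        (seq,) = struct.unpack("!I", frame[offset:offset + 4])
        offset += 4
    if flags & GRE_A:
        (ack,) = struct.unpack("!I", frame[offset:offset + 4])
        offset += 4
    payload = frame[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than the GRE length field")
    # PPP packet: optional HDLC address/control (FF 03), then a 1- or 2-byte protocol
    # field (1 byte when protocol-field compression is in use and the low bit is set).
    if payload[:2] == b"\xff\x03":
        payload = payload[2:]
    if not payload:
        raise ValueError("PPP protocol field missing")
    if payload[0] & 1:
        ppp_proto = payload[0]
    elif len(payload) >= 2:
        ppp_proto = (payload[0] << 8) | payload[1]
    else:
        raise ValueError("PPP protocol field truncated")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload_len": payload_len,
            "ppp_proto": ppp_proto, "mppe_encrypted": ppp_proto == PPP_MPPE}

def build_sample(ppp_payload: bytes, call_id: int = 0x1234, seq: int = 7) -> bytes:
    """Constructed PPTP data packet (version 1, K and S set) around a PPP payload."""
    return struct.pack("!HHHHI", GRE_K | GRE_S | 1, GRE_PROTO_PPP, len(ppp_payload),
                       call_id, seq) + ppp_payload

if __name__ == "__main__":
    # MPPE frame: protocol 0x00FD, MPPE header (flushed + encrypted, count 1), ciphertext.
    encrypted = build_sample(b"\x00\xfd\x90\x01" + b"\x5a" * 6)
    # Cleartext frame: PPP protocol 0x0021 (IP) followed by the start of an IP header.
    cleartext = build_sample(b"\x00\x21\x45" + b"\x00" * 19)
    print(parse_pptp_gre(encrypted))
    print(parse_pptp_gre(cleartext))
```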

Page 13:


Layer 2 Tunneling Protocol (L2TP)

• Combined:
  • Microsoft PPTP
  • Cisco's Layer 2 Forwarding (L2F)
• RFC 2661
• Supports WAN technologies (Frame Relay, ATM, X.25, etc.)
• Encryption via MPPE or IPSec

Page 14:


IP Security (IPSec)

• RFC 2401 – RFC 2411
• Layer 3
• Peers negotiate a Security Association (SA) using the Internet Security Association and Key Management Protocol (ISAKMP):
  • Encryption algorithm
  • Hashing algorithm
  • Authentication
  • Lifetime of SA
• Internet Key Exchange (IKE) provides authenticated keying material for ISAKMP
• IKE implements part of the Oakley Key Determination Protocol and part of the SKEME protocol
• Two modes:
  • Transport: packet payload encrypted
  • Tunnel: entire packet including headers encrypted
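An added illustration, not slide content and not any real IKE implementation: a Python model of the SA negotiation above, in which the responder accepts the first initiator proposal its policy allows and caps the SA lifetime at its own maximum, so that a proposal offering only attributes the policy rejects yields no SA at all. Algorithm names, the policy and the lifetimes are assumed values.

```python
# Added example (not from the slides or any real IKE implementation): a model of
# the ISAKMP/IKE security-association negotiation. The initiator offers transforms
# in preference order; the responder accepts the first one its policy allows and
# the SA lifetime becomes the smaller of the two sides' values. Algorithm names,
# the policy and the lifetimes are illustrative assumptions.
from dataclasses import dataclass, replace
from typing import Iterable, Optional

@dataclass(frozen=True)
class Transform:
    encryption: str     # e.g. "3des", "aes128"
    hashing: str        # e.g. "sha1", "md5"
    auth: str           # "psk" (pre-shared key) or "rsa-sig" (certificates)
    lifetime_s: int     # proposed SA lifetime in seconds

# Responder policy, one entry per attribute the slide lists as negotiated.
RESPONDER_POLICY = {
    "encryption": {"aes128", "3des"},     # single DES deliberately not accepted
    "hashing": {"sha1"},
    "auth": {"rsa-sig", "psk"},
    "max_lifetime_s": 28800,              # 8 hours; forces periodic rekeying
}

def acceptable(t: Transform, policy: dict = RESPONDER_POLICY) -> bool:
    """True when every attribute of the proposal is allowed by the policy."""
    return (t.encryption in policy["encryption"]
            and t.hashing in policy["hashing"]
            and t.auth in policy["auth"])

def negotiate(proposals: Iterable[Transform],
              policy: dict = RESPONDER_POLICY) -> Optional[Transform]:
    """Return the agreed SA parameters, or None when no proposal is acceptable
    (no SA is established; there is no cleartext fallback)."""
    for t in proposals:
        if acceptable(t, policy):
            return replace(t, lifetime_s=min(t.lifetime_s, policy["max_lifetime_s"]))
    return None

if __name__ == "__main__":
    # Constructed initiator proposal list, strongest entry last, to show that the
    # responder takes the first acceptable entry in the initiator's order.
    offered = [
        Transform("des", "md5", "psk", 86400),
        Transform("3des", "sha1", "psk", 86400),
        Transform("aes128", "sha1", "rsa-sig", 3600),
    ]
    print(negotiate(offered))
    print(negotiate([Transform("des", "md5", "psk", 3600)]))
```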

Page 15:


Which one to use?

• If security is the primary concern: IPSec
  • Resistant to denial of service, man-in-the-middle, dictionary, and spoofing attacks
• Something quick and simple: PPTP
  • Part of the Microsoft Windows operating system
• If the underlying protocol is other than IP: L2TP
  • Supports IP, X.25, Frame Relay, and ATM

Page 16:


Agenda

• ITS Wireless Service
• What is a VPN?
• VPN Tunneling Protocols
• What is next for the ITS WLAN Service?

Page 17:


VPN solution for wireless is not perfect:

• Complex
• Additional client to install
• Another network device
• Does not scale well
• Bad network design
• Adds latency

Page 18:


Wish List

• Remove VPN concentrator
• Remove firewall (router ACLs)
• Authenticate users at the access point
• Better encryption between AP and wireless device
• IEEE 802.11i availability

Page 19:


ITS Wireless LAN Service

[Diagram, repeated from page 6: laptops on the wireless LAN, three access points, a firewall, a VPN concentrator, a RADIUS server, a DCE authentication server, a DNS server, a DHCP server, an NTP server and the integrated backbone.]

Page 20:


Future ITS Wireless LAN Service?

[Diagram: the same service without the firewall and VPN concentrator; components shown are laptops on the wireless LAN, three access points, a RADIUS server, a DCE authentication server, a DNS server, a DHCP server, an NTP server and the integrated backbone.]

Page 21:


Wi-Fi Protected Access (WPA)

• 802.1x authentication
  • AP filters client traffic until the user authenticates
  • Username and password authentication
• Temporal Key Integrity Protocol (TKIP)
  • Message Integrity Check (MIC)
  • MIC adds a sequence number to the wireless frame
  • Mitigates frame tampering / bit-flipping vulnerability
  • Per-packet keying
  • Mitigates WEP key derivation vulnerability

Page 22:


IEEE 802.11i (WPA2)

• Secure ad-hoc mode
• Secure fast handoff (< 150 ms)
• Secure de-authentication and disassociation
• Enhanced encryption protocol (AES-CCMP)

Page 23:


Questions?