Wireless LAN, WLAN Security, and VPN

Page 1: Wireless LAN, WLAN Security, and VPN

張晃崚, Technical Manager, Tainan Office, 麟瑞科技

Page 2: WLAN & VPN FAQ

• What is WLAN? 802.11a? 802.11b? 802.11g?
• Which standard (product) should we use?
• How to deploy WLAN?
• How to block intruders?
• How to authenticate users?
• How to keep data secure?
• What is roaming?
• How to provide a fast path for some VIP users?
• How to exchange data securely between offices?

Page 3: Agenda

• Introduction to Wireless LAN
• WLAN deployments
• WLAN security issues
• WLAN security solutions
• VPN solutions


Page 5: What is Wireless Network

• Wireless Network:
  – 802.11x standards (Wi-Fi)
  – Cell phones
  – Bluetooth
  – HomeRF
  – Fixed Broadband wireless, IEEE 802.16
  – Mobile broadband
  – Optical point-to-point wireless

Page 6: What is Wireless LAN

• IEEE 802.11-based networks
• Bluetooth is regarded as a PAN (Personal Area Network)
• Need Wireless NIC and Access Point (AP)

Page 7: Wireless LAN vs. Wired LAN

                  Wireless LAN        Wired LAN
Media Access      CSMA/CA             CSMA/CD
Bit error rate    0.1%                10^-10
Duplex            half                half/full
Speed             slow                fast
Throughput        reduced 50-60%      N/A

Page 8: Wireless LAN vs. Wired LAN

• All 802 WLANs employ handshaked transmission to compensate
• WLAN is just like PUSH-to-TALK radio
• WLAN will be a step backward: slower speed, half duplex, shared media
• BUT, gain FREEDOM
• AP usually is a Layer 2 bridge (between wired LAN and wireless LAN)
• Spanning Tree Protocol issue

Page 9: Wireless LAN Standards

                     802.11b         802.11a         802.11g
Frequency            2.4 GHz         5 GHz           2.4 GHz
Channels             3               8               3
Max speed            11 Mbps         54 Mbps         54 Mbps
Real throughput      4-6 Mbps        22-27 Mbps      22-27 Mbps
Interference         Yes             No              Yes
Maturity             Very mature     Early           No product

Distance for max speed and distance for half speed: the extracted cells read 120-140 ft., 120-140 ft., 120-140 ft., 1-2 ft., 60 ft. and ??? ft.; their assignment to the three columns was lost in extraction.

Page 10: 802.11b+

• IEEE 802.11g will be finalized in May 2003
• Not a formal IEEE specification
• Texas Instruments (TI) applied PBCC to enable 22 Mbps data rate
• Interoperable with 802.11b devices at 11 Mbps
• Must use TI's chip to enable 22 Mbps

Page 11: Other 802.11x standards

• 802.11d: Multiple regulatory domains
• 802.11e: QoS
• 802.11f: Inter-Access Point Protocol (IAPP)
• 802.11h: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC)
• 802.11i: Security

Page 12: Which Technology should you use?

• Decision should be based on requirements of system/users
• User bandwidth requirements
• User density
• Overall implementation cost
• Upgrade requirements
• Client availability
• Client platform features

Page 13: Agenda

• Introduction to Wireless LAN
• WLAN deployments
• WLAN security issues
• WLAN security solutions
• VPN solutions

Page 14: Typical WLAN Topologies (diagram: two access points, one on channel 1 and one on channel 6, each forming a wireless "cell" of wireless clients and attached to the LAN backbone)

Page 15: Wireless Repeater Topology (diagram: an access point on channel 1 attached to the LAN backbone, and a second access point on channel 1 forming a wireless repeater "cell" for wireless clients)

Page 16: Hot Standby (diagram: wireless clients, LAN backbone, monitored AP and standby AP)

Page 17: Multi-rate Implementations (diagram: coverage areas at 11 Mbps, 5.5 Mbps and 2 Mbps)

Page 18: Vendor Offering

• Higher and variable transmission power
• External antennas
• Little throughput degradation with encryption
• Line-power via the wired Ethernet cable
• Dual-band: 802.11b + 802.11a
• AP load balancing
• Roaming between IP subnets
• Hot Standby AP
• VLAN support
• Lockable case
• Enhanced security features: 802.1x, 802.11i draft, etc.

Page 19: Agenda

• Introduction to Wireless LAN
• WLAN deployments
• WLAN security issues
• WLAN security solutions
• VPN solutions

Page 20: WLAN Security Issues

• Wireless is like having an RJ45 jack in the parking lot
• Need to deny access to intruders
• Need to secure messages with good encryption technology

Page 21: WLAN Security Issues

• Managing the security side of your networks requires several things
  – Protecting the 'network' from intruders
    • Requires authentication for users
  – Protecting the wireless DATA from sniffers
    • Requires some type of encryption
  – Protecting your RF networks from being detected
  – The ability to MANAGE your users' credentials
    • Includes WEP keys, user names, passwords, etc.
  – Protecting your wireless infrastructure from improper configuration
    • Requires a good user manager interface on APs

Page 22: WLAN Security Issues

• Managing the security side of your networks requires several things
  – To dynamically assign the user's IP address, gateway, etc.
    • Deploy a DHCP server
  – To let roaming users be authenticated by their original account and password
    • Requires authentication roaming features on the authentication servers

Page 23: Agenda

• Introduction to Wireless LAN
• WLAN deployments
• WLAN security issues
• WLAN security solutions
• VPN solutions

Page 24: Authentication Techniques

• Open System Authentication
  – No security
• SSID Authentication
  – SSID is broadcast in clear text form
  – Can be obtained by snooping on traffic
• Shared key Authentication (WEP)
  – Key stolen
  – Employee leaves

Page 25: Authentication Techniques

• MAC address Authentication
  – MAC is sent in clear form
  – Can be obtained by snooping
  – Attackers may change their MAC to match
  – Not flexible and scalable
• 802.1x and Extensible Authentication Protocol (EAP)
  – Secures not only clients but also devices
  – Only Windows XP and a few vendors support this technique

Page 26: Authentication Techniques

• VPN client Authentication
  – Does good authentication and encryption
  – Variable authentication and encryption methods to choose from
  – Needs VPN client software installed
• Wireless Gateway Authentication
  – No need to install any client software
  – Pops up an authentication window when initiating a connection (uses a web browser)
  – Easy to install and configure
  – One wireless gateway per subnet

Page 27: Wireless Gateway Topology (diagram only)

Page 28: Blocking Inter-client Communication

• PSPF—Publicly Secure Packet Forwarding
• Prevents WLAN inter-client communication
• Relies on MAC address
• Same subnet devices only
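The PSPF rule on this slide, modelled as an added example (not code from the slides or from any vendor's AP): the bridge drops unicast frames between two stations associated on its own radio, but because the decision is purely MAC-based, a frame addressed to the default gateway's MAC is still forwarded even if its IP destination is another wireless client in a different subnet. The class, method and MAC addresses below are constructed for the example.

```python
# Added example: simplified model of an access point's PSPF forwarding decision.
# PSPF relies on MAC addresses, so it only blocks traffic between clients that
# are bridged locally; traffic that leaves through a router is not its concern.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


class AccessPointBridge:
    def __init__(self, pspf: bool) -> None:
        self.pspf = pspf
        self.wireless = set()  # stations associated on the radio side
        self.wired = set()     # addresses learned on the Ethernet uplink

    def associate(self, mac: str) -> None:
        self.wireless.add(mac.lower())

    def learn_wired(self, mac: str) -> None:
        self.wired.add(mac.lower())

    def decide(self, frame: Frame) -> str:
        src, dst = frame.src.lower(), frame.dst.lower()
        if src not in self.wireless:
            return "forward"  # arrived from the wire: normal bridging
        if dst == BROADCAST:
            # Broadcasts (ARP, DHCP) must still reach the wire; with PSPF the
            # AP only suppresses delivery to the other wireless clients.
            return "forward-wired-only" if self.pspf else "forward"
        if self.pspf and dst in self.wireless:
            return "drop"     # wireless client to wireless client: blocked
        return "forward"


def demo() -> dict:
    """Constructed topology: two wireless clients and a gateway on the wire."""
    ap = AccessPointBridge(pspf=True)
    ap.associate("00:11:22:aa:bb:01")
    ap.associate("00:11:22:aa:bb:02")
    ap.learn_wired("00:aa:bb:cc:dd:ee")  # default gateway (constructed MAC)
    return {
        "client_to_client": ap.decide(Frame("00:11:22:aa:bb:01", "00:11:22:aa:bb:02")),
        "client_to_gateway": ap.decide(Frame("00:11:22:aa:bb:01", "00:aa:bb:cc:dd:ee")),
        "client_broadcast": ap.decide(Frame("00:11:22:aa:bb:01", BROADCAST)),
    }
```

The `client_to_gateway` result is the "same subnet devices only" limitation: routed client-to-client traffic has to be filtered at the router or wireless gateway, not by PSPF.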

Page 29: Encryption Techniques

• Key Management
  – Can be painful
  – Requires a power tool to manage keys
  – Easy to hack with a well-known single key
• Key Rotation
  – Changing the user's key periodically
• Broadcast Key Rotation
• WEP Encryption
• 128 bit WEP
• IPsec
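Key rotation as the slide describes it, as an added example that is not from the slides or any vendor's firmware: the AP generates a fresh broadcast key every interval and only honours the current one, so a key that was stolen or that left with an employee stops working at the next rotation. The class, the 600-second interval and the timestamps are assumptions of this example.

```python
# Added example: a simplified broadcast-key rotation schedule of the kind an AP
# runs for its authenticated clients.  The key is a 104-bit secret (the
# "128 bit WEP" of the slide counts the 24-bit IV as well).
import hmac
import os

KEY_LEN = 13               # 104-bit key material
ROTATION_INTERVAL = 600    # seconds between broadcast key changes (assumed)


class BroadcastKeyRotator:
    def __init__(self, start: float, interval: int = ROTATION_INTERVAL) -> None:
        self.start = start
        self.interval = interval
        self.epoch = 0
        self.key = os.urandom(KEY_LEN)

    def tick(self, now: float) -> bool:
        """Rotate when the interval has elapsed; True if the key changed."""
        due = self.start + (self.epoch + 1) * self.interval
        if now < due:
            return False
        self.epoch = int((now - self.start) // self.interval)
        self.key = os.urandom(KEY_LEN)   # fresh key, pushed to clients
        return True

    def current(self):
        return self.epoch, self.key

    def accepts(self, epoch: int, key: bytes) -> bool:
        """Only the current epoch's key is valid; compare in constant time."""
        return epoch == self.epoch and hmac.compare_digest(key, self.key)


def demo() -> dict:
    """Constructed scenario: a key leaks, then the scheduled rotation fires."""
    ap = BroadcastKeyRotator(start=0.0)
    leaked = ap.current()               # key known to a departed user
    before = ap.accepts(*leaked)        # still valid right now
    ap.tick(now=ROTATION_INTERVAL + 1)  # first rotation is due
    after = ap.accepts(*leaked)         # old key rejected
    return {"before_rotation": before, "after_rotation": after, "epoch": ap.epoch}
```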

Page 30: Encryption Techniques

• IEEE 802.11i
  – TKIP (Data Integrity)
  – MIC (Data Integrity)
  – AES (Encryption)
• Not yet complete

Page 31: WLAN Security Solution Product

• Wireless Gateway
  – Bluesocket
  – Vernier
  – ReefEdge
• VPN
  – Cisco VPN concentrator/router/client
  – NetScreen
• Authentication Server
  – Cisco ACS (RADIUS, TACACS, LEAP)
  – RADIUS

Page 32: WLAN Security Solution Product (diagram: DHCP & AAA server, campus switch, Wireless Gateway (Bluesocket) or VPN Gateway (Cisco/NetScreen), Cisco Aironet 1200 (802.11a, 802.11b, 802.11g) with external antenna, Cisco Aironet 1100 (802.11b, 802.11g), Mobile IP, VLAN)

Page 33: Cisco Aironet 1200 AP

• Modular platform for single or dual band operation
• Field upgradeable radios
• Modular design enhances future upgrade ability
• Simultaneous dual radio operation
• 10/100 Ethernet LAN uplink

Page 34: Cisco Aironet 1100 AP

• VLAN support
• 802.11b, 802.11g (2.4 GHz)

Page 35: Bluesocket Wireless Gateway (figure only)

Page 36: Agenda

• Introduction to Wireless LAN
• WLAN deployments
• WLAN security issues
• WLAN security solutions
• VPN solutions

Page 37: VPN Type and Applications

Type                Application                           As Alternative To               Benefits
Site-to-Site VPN    Site-to-Site Internal Connectivity    Leased Line, Frame Relay, ATM   Extend Connectivity, Increased Bandwidth, Lower Cost
Remote Access VPN   Remote Dial Connectivity              Dedicated Dial, ISDN            Ubiquitous Access, Lower Cost
Extranet VPN        Biz-to-Biz External Connectivity      Fax, Mail, EDI                  Facilitates E-Commerce

Page 38: VPN Type and Applications (diagram: a central site reached over the Internet VPN from a site-to-site remote office, an extranet business partner, a POP, DSL/cable access, a mobile user and a home telecommuter)

Page 39: Remote Access VPN (diagram: an Internet VPN between the central site, with WAN router, PIX Firewall, Cisco VPN 3000 Concentrator and Cisco Secure ACS (AAA), and a POP serving a mobile customer and a telecommuter using Cisco VPN Clients, Microsoft Win 2000 (IPSec) or Microsoft Win 9x/NT (PPTP))

Page 40: Site-to-Site VPN (diagram: main campus, small office/home office and remote campuses connected over the Internet)

Page 41: Extranet VPN (diagram: corporate intranet with security server, firewall and DMZ; ISP network and ISP gateway; a remote office and two suppliers)