Wireless LAN, WLAN Security, and VPN

Presentation transcript:

Wireless LAN, WLAN Security, and VPN
麟瑞科技, Tainan Office; Technical Manager 張晃崚

WLAN & VPN FAQ
  What is WLAN? 802.11a? 802.11b? 802.11g?
  Which standard (product) should we use?
  How to deploy WLAN?
  How to block intruders?
  How to authenticate users?
  How to keep data secure?
  What is roaming?
  How to provide a fast path for some VIP users?
  How to exchange data securely between offices?

Agenda
  Introduction to Wireless LAN
  WLAN deployments
  WLAN security issues
  WLAN security solutions
  VPN solutions


What is Wireless Network
  802.11x standards (Wi-Fi)
  Cell phones
  Bluetooth
  HomeRF
  Fixed Broadband wireless, IEEE 802.16
  Mobile broadband
  Optical point-to-point wireless

What is Wireless LAN
  IEEE 802.11-based networks
  Bluetooth is regarded as a PAN (Personal Area Network)
  Need Wireless NIC and Access Point (AP)

Wireless LAN vs. Wired LAN

                  Wireless LAN     Wired LAN
  Media access    CSMA/CA          CSMA/CD
  Bit error rate  0.1%             10^-10
  Duplex          half             half/full
  Speed           slow             fast
  Throughput      Reduce 50-60%    N/A

Wireless LAN vs. Wired LAN
  All 802 WLANs employ handshaked transmission to compensate
  WLAN is just like PUSH-to-TALK radio
  WLAN will be a step backward: slower speed, half duplex, shared media. BUT, gain FREEDOM
  AP is usually a Layer 2 bridge (between wired LAN and wireless LAN)
  Spanning Tree Protocol issue

Wireless LAN Standards

                           802.11b       802.11a       802.11g
  Frequency                2.4 GHz       5 GHz         2.4 GHz
  Channel                  3             8             3
  Max speed                11 Mbps       54 Mbps       54 Mbps
  Real throughput          4-6 Mbps      22-27 Mbps    22-27 Mbps
  Interference             Yes           No            Yes
  Distance for max speed   120-140 ft.   1-2 ft.       120-140 ft.
  Distance for half speed  120-140 ft.   60 ft.        ??? ft.
  Maturity                 Very mature   Early         No product

802.11b+
  IEEE 802.11g will be finalized in May 2003
  Not a formal IEEE specification
  Texas Instruments (TI) applied PBCC to enable 22 Mbps data rate
  Interoperable with 802.11b device at 11 Mbps
  Must use TI's chip to enable 22 Mbps

Other 802.11x standard
  802.11d: Multiple regulatory domains
  802.11e: QoS
  802.11f: Inter-Access Point Protocol (IAPP)
  802.11h: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC)
  802.11i: Security

Which Technology should you use?
  Decision should be based on requirements of system/users
    User bandwidth requirements
    User density
    Overall implementation cost
    Upgrade requirements
    Client availability
    Client platform features


Typical WLAN Topologies
  (Diagram labels: LAN backbone; two access points, each with a wireless "cell" of wireless clients; channel 1 and channel 6.)

Wireless Repeater Topology
  (Diagram labels: LAN backbone; two access points; wireless repeater "cell"; channel 1 for both; wireless clients.)

Hot Standby
  (Diagram labels: LAN backbone; monitored AP; standby AP; wireless clients.)

Multi-rate Implementations
  (Diagram labels: 2 Mbps; 5.5 Mbps; 11 Mbps.)

Vendor Offering
  Higher and variable transmission power
  External antennas
  Little throughput degradation with encryption
  Line-power via the wired Ethernet cable
  Dual-band: 802.11b + 802.11a
  AP load balancing
  Roaming between IP subnets
  Hot Standby AP
  VLAN support
  Lockable case
  Enhanced security features: 802.1x, 802.11i draft, etc.


WLAN Security Issues
  Wireless is like having an RJ45 jack in the parking lot
  Need to deny access to intruders
  Need to secure message with good encryption technology

WLAN Security Issues
  Managing the security side of your networks requires several things
    Protecting the 'network' from intruders
      Requires authentication for users
    Protecting the wireless DATA from sniffers
      Requires some type of encryption
    Protecting your RF networks from being detected
    The ability to MANAGE your users' credentials
      Includes WEP keys, user names, passwords, etc.
    Protecting your wireless infrastructure from improper configuration
      Requires a good user management interface on APs

WLAN Security Issues
  Managing the security side of your networks requires several things
    To dynamically assign user's IP address, gateway, etc.
      Deploy DHCP server
    To let roaming users be authenticated by their original account and passwords
      Requires authentication roaming features for authentication servers


Authentication Techniques
  Open System Authentication
    No security
  SSID Authentication
    SSID is broadcast in clear text form
    Can be obtained by snooping on traffic
  Shared key Authentication (WEP)
    Key stolen
    Employee leaves

Authentication Techniques
  MAC address Authentication
    MAC is sent in clear form
    Can be obtained by snooping
    Attackers may change their MAC to match
    Not flexible and scalable
  802.1x and Extensible Authentication Protocol (EAP)
    Secure not only client but also devices
    Only Windows XP and few vendors support this technique
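Why the SSID and the MAC address are identifiers rather than secrets, shown on a beacon frame. This is an added example, not part of the original slides; the frame bytes, the SSID "corp-wlan" and the MAC 02:00:5e:00:00:01 are constructed sample values, and the frame is assumed to arrive without a radiotap header or FCS.

```python
import struct

def parse_beacon(frame: bytes) -> dict:
    """Return the fields an 802.11 beacon carries unencrypted."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed parameters
        raise ValueError("too short for a beacon frame")
    (fc,) = struct.unpack_from("<H", frame, 0)
    # Frame control: type 0 = management, subtype 8 = beacon
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 8):
        raise ValueError("not a beacon frame")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    info = {
        "transmitter_mac": mac(frame[10:16]),       # address 2, always in clear
        "bssid": mac(frame[16:22]),                 # address 3
        "privacy_bit": bool(capability & 0x0010),   # encryption required for data frames
        "ssid": None,
        "channel": None,
    }
    pos = 36  # tagged parameters: 1-byte tag, 1-byte length, value
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break  # truncated element: stop rather than read past the frame
        if tag == 0:                                # SSID element
            info["ssid"] = body.decode("utf-8", "replace")
        elif tag == 3 and length == 1:              # DS parameter set (channel)
            info["channel"] = body[0]
        pos += 2 + length
    return info

# Constructed sample beacon: broadcast destination, locally administered MAC,
# capability 0x0011 (ESS + privacy), SSID, supported rates, channel 6.
SAMPLE_BEACON = (
    bytes.fromhex("80000000" "ffffffffffff" "02005e000001" "02005e000001" "0000")
    + struct.pack("<QHH", 0, 100, 0x0011)
    + b"\x00\x09corp-wlan"
    + b"\x01\x04\x82\x84\x8b\x96"
    + b"\x03\x01\x06"
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```

The privacy bit is set in the sample, yet the SSID and both addresses parse without any key, which is why the slides rank SSID and MAC filtering below 802.1x/EAP, VPN or gateway authentication.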

Authentication Techniques
  VPN client Authentication
    Does good authentication and encryption
    Variable authentication and encryption method to choose
    Need VPN client software installed
  Wireless Gateway Authentication
    No need to install any client software
    Pop up authentication window when initiating connection (use web browser)
    Easy to install and configure
    One wireless gateway for a subnet

Wireless Gateway Topology

Blocking Inter-client communication
  PSPF—Publicly Secure Packet Forwarding
    Prevents WLAN inter-client communication
    Relies on MAC address
    Same subnet devices only

Encryption Techniques
  Key Management
    Can be painful
    Requires a power tool to manage keys
    Easy to hack with well-known single key
  Key Rotation
    Changing the user's key periodically
  Broadcast Key Rotation
  WEP Encryption
    128 bit WEP
  IPsec

Encryption Techniques
  IEEE 802.11i
    TKIP (Data Integrity)
    MIC (Data Integrity)
    AES (Encryption)
    Not yet complete

WLAN Security Solution Product
  Wireless Gateway
    Bluesocket
    Vernier
    ReefEdge
  VPN
    Cisco VPN concentrator/router/client
    NetScreen
  Authentication Server
    Cisco ACS (RADIUS, TACACS, LEAP)
    RADIUS

WLAN Security Solution Product
  (Diagram labels: campus switch; DHCP & AAA server; Wireless Gateway (Bluesocket) or VPN Gateway (Cisco/NetScreen); Cisco Aironet 1100 (802.11b, 802.11g); Cisco Aironet 1200 (802.11a, 802.11b, 802.11g); Mobile IP; VLAN; external antenna.)

Cisco Aironet 1200 AP
  Modular platform for single or dual band operation
  Field upgradeable radios
  Modular design enhances future upgrade ability
  Simultaneous dual radio operation
  10/100 Ethernet LAN uplink

Cisco Aironet 1100 AP
  VLAN support
  802.11b, 802.11g (2.4 GHz)

Bluesocket Wireless Gateway


VPN Type and Applications

  Type               Application                          As Alternative To              Benefits
  Remote Access VPN  Remote Dial Connectivity             Dedicated Dial, ISDN           Ubiquitous Access, Lower Cost
  Site-to-Site VPN   Site-to-Site Internal Connectivity   Leased Line, Frame Relay, ATM  Extend Connectivity, Increased Bandwidth, Lower Cost
  Extranet VPN       Biz-to-Biz External Connectivity     Fax, Mail, EDI                 Facilitates E-Commerce

VPN Type and Applications
  (Diagram labels: Extranet, business partner; central site; mobile user; POP; Internet VPN; DSL; cable; home telecommuter; Site-to-Site, remote office.)

Remote Access VPN
  (Diagram labels: Cisco VPN clients; Microsoft Win 2000 (IPSec); Microsoft Win 9x/NT (PPTP); WAN router; PIX Firewall; Cisco VPN 3000 Concentrator; Cisco Secure ACS (AAA); telecommuter; Internet VPN; POP; central site; mobile; customer.)

Site-to-Site VPN
  (Diagram labels: main campus; remote campus; Internet; small office/home office.)

Extranet VPN
  (Diagram labels: ISP network; DMZ; corporate intranet; remote office; supplier; ISP gateway; firewall; security server.)