VPN Wireless Security at Penn State Rich Cropp Senior Systems Engineer Information Technology Services The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, 2003.
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Agenda ITS Wireless Service ITS Wireless Service What is a VPN? What is a VPN? VPN Tunneling Protocols VPN Tunneling Protocols What is next for the ITS WLAN Service? What is next for the ITS WLAN Service?
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Design Requirements for the ITS Wireless LAN Service Standards Based Standards Based Adhere to PSU Security Policy (AD20) Adhere to PSU Security Policy (AD20)AD20 Support Windows ≥ 98 / Linux / Mac OS Support Windows ≥ 98 / Linux / Mac OS Encrypt user data and passwords Encrypt user data and passwords Authenticate users with Penn State Access Account Authenticate users with Penn State Access AccountPenn State Access AccountPenn State Access Account Assignment of IP address via DHCP Assignment of IP address via DHCP Log authenticated users IP address assignment Log authenticated users IP address assignment Roaming within a building Roaming within a building
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Eliminated Solutions Any b AP using WEP and MAC Filtering Any b AP using WEP and MAC Filtering Flawed WEP algorithmFlawed WEP algorithmFlawed WEP algorithmFlawed WEP algorithm Not authenticating userNot authenticating user Cisco Aironet 350 AP with LEAP Cisco Aironet 350 AP with LEAP Required Cisco client cardRequired Cisco client card Required Cisco ACS RADIUS ServerRequired Cisco ACS RADIUS Server LEAP vulnerable to dictionary attackLEAP vulnerable to dictionary attackLEAP vulnerable to dictionary attackLEAP vulnerable to dictionary attack Orinoco AS2000 Orinoco AS2000 Required Orinoco client cardRequired Orinoco client card No Linux clientNo Linux client
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Solution: Firewall and VPN Router provides firewall function (ACLs) Router provides firewall function (ACLs) Firewall prevents unauthenticated access Firewall prevents unauthenticated access Firewall only allows traffic to: Firewall only allows traffic to: DHCP ServerDHCP Server DNS ServersDNS Servers VPN ConcentratorVPN Concentrator VPN authenticates users VPN authenticates users VPN encrypts observable wireless traffic VPN encrypts observable wireless traffic
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, ITS Wireless LAN Service
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Agenda ITS Wireless Service ITS Wireless Service What is a VPN? What is a VPN? VPN Tunneling Protocols VPN Tunneling Protocols What is next for the ITS WLAN Service? What is next for the ITS WLAN Service?
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, What is a VPN? A Virtual Private Network (VPN) is a private network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. - VPN Consortium - VPN ConsortiumVPN ConsortiumVPN Consortium
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, VPN Example #1 Mobile users accessing company resources from remote locations
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, VPN Example #2 Interconnect LANs over a shared network infrastructure
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Agenda ITS Wireless Service ITS Wireless Service What is a VPN? What is a VPN? VPN Tunneling Protocols VPN Tunneling Protocols What is next for the ITS WLAN Service? What is next for the ITS WLAN Service?
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Point-to-Point Tunneling Protocol (PPTP) Developed by 3Com, Ascend, ECI Telematics, USR, and Microsoft Developed by 3Com, Ascend, ECI Telematics, USR, and Microsoft PPTP client is part of most modern Microsoft Windows Operating Systems PPTP client is part of most modern Microsoft Windows Operating Systems RFC 2637 RFC 2637 RFC 2637 RFC 2637 Layer 2 Layer 2 Encapsulates PPP session using Generic Routing Encapsulation (GRE) Encapsulates PPP session using Generic Routing Encapsulation (GRE) Supports non-IP protocols (IPX, NetBEUI, Appletalk, etc.) Supports non-IP protocols (IPX, NetBEUI, Appletalk, etc.) Uses any PPP authentication schemes (PAP, CHAP, MS-CHAP, etc.) Uses any PPP authentication schemes (PAP, CHAP, MS-CHAP, etc.) Encryption via Microsoft Point-to-Point Encryption (MPPE) Encryption via Microsoft Point-to-Point Encryption (MPPE) MPPE uses RC4 algorithm with 40 or 128 bit keys MPPE uses RC4 algorithm with 40 or 128 bit keys
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Layer 2 Tunneling Protocol (L2TP) Combined: Combined: Microsoft PPTPMicrosoft PPTP Cisco’s Layer 2 Forwarding (L2F)Cisco’s Layer 2 Forwarding (L2F) RFC 2661 RFC 2661 RFC 2661 RFC 2661 Supports WAN technologies (Frame Relay, ATM, X.25, etc.) Supports WAN technologies (Frame Relay, ATM, X.25, etc.) Encryption via MPPE or IPSec Encryption via MPPE or IPSec
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, IP Security (IPSec) RFC 2401 – RFC 2411 RFC 2401 – RFC 2411 Layer 3 Layer 3 Peers negotiate Security Association (SA) using Internet Security Association and Key Management Protocol (ISAKMP) Peers negotiate Security Association (SA) using Internet Security Association and Key Management Protocol (ISAKMP) Encryption AlgorithmEncryption Algorithm Hashing AlgorithmHashing Algorithm AuthenticationAuthentication Lifetime of SALifetime of SA Internet Key Exchange (IKE) provides authenticated keying material for ISAKMP Internet Key Exchange (IKE) provides authenticated keying material for ISAKMP IKE implements part of the Oakley Key Determination Protocol and part of the SKEME Protocol IKE implements part of the Oakley Key Determination Protocol and part of the SKEME Protocol Two Modes: Two Modes: Transport: Packet payload encryptedTransport: Packet payload encrypted Tunnel: Entire packet including headersTunnel: Entire packet including headers
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Which one to use? If security primary concern: IPSec If security primary concern: IPSec Resistant to denial of service, man in the middle, dictionary, and spoofing attacks Something quick and simple: PPTP Something quick and simple: PPTP Part of the Microsoft Windows Operating System If underlying protocol is other than IP: L2TP If underlying protocol is other than IP: L2TP Supports IP, X.25, Frame Relay, and ATM
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Agenda ITS Wireless Service ITS Wireless Service What is a VPN? What is a VPN? VPN Tunneling Protocols VPN Tunneling Protocols What is next for the ITS WLAN Service? What is next for the ITS WLAN Service?
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, VPN solution for wireless is not perfect: ComplexComplex Additional client to installAdditional client to install Another network deviceAnother network device Does not scale wellDoes not scale well Bad network designBad network design Adds latencyAdds latency
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Wish List Remove VPN Concentrator Remove VPN Concentrator Remove Firewall (Router ACLs) Remove Firewall (Router ACLs) Authenticate users at access point Authenticate users at access point Better encryption between AP and wireless device Better encryption between AP and wireless device IEEE i availability IEEE i availability
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, ITS Wireless LAN Service
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Future ITS Wireless LAN Service?
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Wi-Fi Protected AccessWi-Fi Protected Access (WPA) Wi-Fi Protected Access 802.1x Authentication 802.1x Authentication AP filters client traffic until user authenticatesAP filters client traffic until user authenticates Username and password authenticationUsername and password authentication Temporal Key Integrity Protocol (TKIP) Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC)Message Integrity Check (MIC) MIC adds sequence number to the wireless frameMIC adds sequence number to the wireless frame Mitigates frame tampering / bit flipping vulnerabilityMitigates frame tampering / bit flipping vulnerability Per-packet keyingPer-packet keying Mitigates WEP key derivation vulnerabilityMitigates WEP key derivation vulnerability
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, IEEE i (WPA2) Secure Ad-Hoc Mode Secure Ad-Hoc Mode Secure fast handoff (< 150ms) Secure fast handoff (< 150ms) Secure de-authentication and disassociation Secure de-authentication and disassociation Enhanced encryption protocol (AES-CCMP) Enhanced encryption protocol (AES-CCMP)
The Pennsylvania State University © All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) November 10, Questions?