Slide 1: VPN Wireless Security at Penn State
Rich Cropp, Senior Systems Engineer, Information Technology Services
The Pennsylvania State University © 2003. All rights reserved. Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS). November 10, 2003.
Slide 2: Agenda
- ITS Wireless Service
- What is a VPN?
- VPN Tunneling Protocols
- What is next for the ITS WLAN Service?
Slide 3: Design Requirements for the ITS Wireless LAN Service
- Standards based
- Adhere to PSU Security Policy (AD20)
- Support Windows ≥ 98 / Linux / Mac OS
- Encrypt user data and passwords
- Authenticate users with the Penn State Access Account
- Assignment of IP address via DHCP
- Log authenticated users' IP address assignments
- Roaming within a building
Slide 4: Eliminated Solutions
- Any 802.11b AP using WEP and MAC filtering
  - Flawed WEP algorithm
  - Not authenticating the user
- Cisco Aironet 350 AP with LEAP
  - Required Cisco client card
  - Required Cisco ACS RADIUS server
  - LEAP vulnerable to dictionary attack
- Orinoco AS2000
  - Required Orinoco client card
  - No Linux client
Slide 5: Solution: Firewall and VPN
- Router provides firewall function (ACLs)
- Firewall prevents unauthenticated access
- Firewall only allows traffic to:
  - DHCP server
  - DNS servers
  - VPN concentrator
- VPN authenticates users
- VPN encrypts observable wireless traffic
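An added example (not code from the deck or from Penn State ITS) of the pre-authentication filter slide 5 describes: a first-match, default-deny ACL that lets an unauthenticated wireless client reach only DHCP, the DNS servers and the VPN concentrator. The addresses and the VPN protocols permitted (IKE/ESP for IPSec, TCP 1723/GRE for PPTP) are constructed assumptions, not values from the slides.

```python
# Added example: models the router ACL on the wireless segment from slide 5.
# All addresses, ports and VPN protocol choices below are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional

DNS_SERVERS = ["10.0.0.2", "10.0.0.3"]   # constructed
VPN_CONCENTRATOR = "10.0.0.10"           # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp", "esp", "gre"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "any" matches every protocol
    dst: Optional[str]         # None matches any destination (broadcast DHCP)
    dport: Optional[int] = None  # None matches any port / portless protocol

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


# Services reachable before the VPN has authenticated the user. Assumed VPN
# protocols: IKE (UDP/500) + ESP for IPSec, TCP/1723 + GRE for PPTP.
WIRELESS_ACL: List[Rule] = [
    Rule("permit", "udp", None, 67),                       # DHCP to any server/relay
    *[Rule("permit", "udp", d, 53) for d in DNS_SERVERS],  # DNS only to ITS resolvers
    Rule("permit", "udp", VPN_CONCENTRATOR, 500),          # IKE
    Rule("permit", "esp", VPN_CONCENTRATOR),               # IPSec ESP
    Rule("permit", "tcp", VPN_CONCENTRATOR, 1723),         # PPTP control
    Rule("permit", "gre", VPN_CONCENTRATOR),               # PPTP data
    # implicit "deny any" at the end, as on a router ACL
]


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule; no match means deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"
```

Everything else from the wireless segment, including the campus web or SSH to the concentrator itself, hits the implicit deny until the client is inside the tunnel.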
Slide 6: ITS Wireless LAN Service (network diagram)
Slide 7: Agenda (repeat of slide 2)
Slide 8: What is a VPN?
"A Virtual Private Network (VPN) is a private network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures." (VPN Consortium)
Slide 9: VPN Example #1
Mobile users accessing company resources from remote locations
Slide 10: VPN Example #2
Interconnect LANs over a shared network infrastructure
Slide 11: Agenda (repeat of slide 2)
Slide 12: Point-to-Point Tunneling Protocol (PPTP)
- Developed by 3Com, Ascend, ECI Telematics, USR, and Microsoft
- PPTP client is part of most modern Microsoft Windows operating systems
- RFC 2637
- Layer 2
- Encapsulates the PPP session using Generic Routing Encapsulation (GRE)
- Supports non-IP protocols (IPX, NetBEUI, AppleTalk, etc.)
- Uses any PPP authentication scheme (PAP, CHAP, MS-CHAP, etc.)
- Encryption via Microsoft Point-to-Point Encryption (MPPE)
  - MPPE uses the RC4 algorithm with 40- or 128-bit keys
Slide 13: Layer 2 Tunneling Protocol (L2TP)
- Combined:
  - Microsoft PPTP
  - Cisco's Layer 2 Forwarding (L2F)
- RFC 2661
- Supports WAN technologies (Frame Relay, ATM, X.25, etc.)
- Encryption via MPPE or IPSec
Slide 14: IP Security (IPSec)
- RFC 2401 – RFC 2411
- Layer 3
- Peers negotiate a Security Association (SA) using the Internet Security Association and Key Management Protocol (ISAKMP):
  - Encryption algorithm
  - Hashing algorithm
  - Authentication
  - Lifetime of the SA
- Internet Key Exchange (IKE) provides authenticated keying material for ISAKMP
- IKE implements part of the Oakley Key Determination Protocol and part of the SKEME protocol
- Two modes:
  - Transport: packet payload encrypted
  - Tunnel: entire packet, including headers, encrypted
Slide 15: Which one to use?
- If security is the primary concern: IPSec
  - Resistant to denial of service, man-in-the-middle, dictionary, and spoofing attacks
- Something quick and simple: PPTP
  - Part of the Microsoft Windows operating system
- If the underlying protocol is other than IP: L2TP
  - Supports IP, X.25, Frame Relay, and ATM
Slide 16: Agenda (repeat of slide 2)
Slide 17: VPN solution for wireless is not perfect
- Complex
- Additional client to install
- Another network device
- Does not scale well
- Bad network design
- Adds latency
Slide 18: Wish List
- Remove VPN concentrator
- Remove firewall (router ACLs)
- Authenticate users at the access point
- Better encryption between AP and wireless device
- IEEE 802.11i availability
Slide 19: ITS Wireless LAN Service (network diagram)
Slide 20: Future ITS Wireless LAN Service? (network diagram)
Slide 21: Wi-Fi Protected Access (WPA)
- 802.1x authentication
  - AP filters client traffic until the user authenticates
  - Username and password authentication
- Temporal Key Integrity Protocol (TKIP)
  - Message Integrity Check (MIC)
    - MIC adds a sequence number to the wireless frame
    - Mitigates the frame tampering / bit flipping vulnerability
  - Per-packet keying
    - Mitigates the WEP key derivation vulnerability
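An added example (not from the deck) of the two receiver-side checks the TKIP slide credits the MIC with: a keyed integrity tag over addresses, sequence number and payload, and a monotonic sequence counter. TKIP's real MIC is Michael over the 802.11 frame; HMAC-SHA256 over a constructed frame layout is used here as a stand-in to show why a flipped bit or a replayed frame is rejected where a WEP CRC would not catch it.

```python
# Added example: simplified WPA/TKIP-style receiver check. HMAC-SHA256 stands in
# for Michael, and the frame layout (src, dst, 48-bit seq, payload) is constructed.
import hashlib
import hmac


def mic(key: bytes, src: bytes, dst: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed tag binding addresses, sequence number and payload together."""
    msg = src + dst + seq.to_bytes(6, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, src: bytes, dst: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
        # Replay: a frame at or below the last accepted counter is dropped.
        if seq <= self.last_seq:
            return False
        # Tampering: any flipped bit changes the expected tag; without the key
        # an attacker cannot recompute it the way a CRC can be recomputed.
        if not hmac.compare_digest(mic(self.key, src, dst, seq, payload), tag):
            return False
        self.last_seq = seq
        return True


def flip_bit(data: bytes, index: int) -> bytes:
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def demo() -> dict:
    key = b"constructed-mic-key"                      # constructed sample key
    src = b"\x00\x11\x22\x33\x44\x55"                 # constructed MAC addresses
    dst = b"\x66\x77\x88\x99\xaa\xbb"
    rx = Receiver(key)
    payload = b"GET /login"                           # constructed sample payload
    t1 = mic(key, src, dst, 1, payload)
    t2 = mic(key, src, dst, 2, payload)
    return {
        "genuine": rx.accept(src, dst, 1, payload, t1),
        "replay": rx.accept(src, dst, 1, payload, t1),
        "bit_flipped": rx.accept(src, dst, 2, flip_bit(payload, 3), t2),
        "next_genuine": rx.accept(src, dst, 2, payload, t2),
    }
```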
Slide 22: IEEE 802.11i (WPA2)
- Secure ad-hoc mode
- Secure fast handoff (< 150 ms)
- Secure de-authentication and disassociation
- Enhanced encryption protocol (AES-CCMP)
Slide 23: Questions?