1. Wireless LAN Solutions: Security, Management
Jukka Saarenmaa, Nortel Networks Oy
2. New Ways of Connecting
3. Security Issues and Options with WLANs
Security Issues:
WEP
Rogue Access Points
IP Mobility
Lack of employee education
Security Options:
Wired and wireless DMZs
IPSec or SSL VPN encryption
Reuse existing IPSec infrastructure or use dedicated wireless security switch
Future: New protocols with better security = added security
4. Different Challenges
5. Standalone: The Traditional Distributed Architecture
Typical Customer Profile:
Wireless small branch/remote office
Requires only limited ‘Hot Zone’ capability
Few users
Customer Benefits:
Low Startup cost
Easy install / LAN add-on
Simple but effective security
Investment protection
6. Secure Your WLAN: IPsec Security for Wired and Wireless LANs
Strong end-to-end IPsec security
Common user experience (VPN)
8. Hybrid: Centralized Security and Management for Existing WLANs
Typical Customer Profile:
Multi-vendor environment
Larger Deployments
Intelligent Overlay requirement
Wireless upgrade or extension
Customer Benefits:
Low incremental cost
Minimal disruption
Centralized security
Centralized management
Introduction of Enterprise roaming
Unauthorized AP detection
Wireless VPN capability
9. WLAN Security Implementation
10. Mobile Authentication, Authorisation & Auditing (AAA)
11. Clear Access Method
Non-encrypted, non-secure access to Intranet/Internet
If no L2 encryption is used (e.g. WEP, TKIP, AES), the traffic is completely unprotected!
Example: open a new browser window and go to http://web.us.nortel.com
Clear access should be carefully controlled in terms of which Intranet resources (if any!) are allowed.
Default configuration allows clear access to everything except "Intranet" networks: Internet access is available
Useful for PC-based IP Telephony applications: i2050, SIP,...
12. SSL Access Method
Client logs into Portal website via SSL connection
This is the Home WSS (determined by WLAN subnet)
Encrypted session between VIP and Client IP
Unencrypted on Intranet
Intranet/Internet access is virtually the same as SSL VPN
Client IP can be proxied with IIP to solve routing issues
Support for SSL VPN client (SOCKS)
13. PPTP Access Method
Client logs into Portal website via SSL connection
Get One-time password from Portal website
Solves PPTP dictionary attack weakness
PPTP tunnel between Client IP and VIP
WSS assigns tunnel IPs from local scope
Scope must be routed by WSS
Scope is local to each WSS
Compatible with MS VPN client
14. IPsec (Passthrough) Access Method
No client login on WSS; AAA is bypassed on WSS
IPSec tunnel between Client IP and Contivity
WLAN subnet is not routable on Intranet by default
Static routes on Intranet and/or redistribution into IGP
Static routes plus NAT on Intranet router
Requires NAT Traversal
IPSec tunnel could also be non-Contivity solution
15. Nortel Networks Solution: Nortel Wireless Security Switch 2250
16. Adaptive: Non-Stop Convergence-Ready WLAN for New Deployments
Typical Customer Profile:
Large number of users
Ubiquitous building coverage
Green field deployments
Recommended for Wireless IP Telephony
Customer Benefits:
Ease of deployment
Adjusts to changing environment
Automatic load balancing
Active security including over the air
Voice roaming capability
Dynamic RF management
Plug ‘n’ Play and Plug ‘n’ Grow
Self healing
17. WLAN – Adaptive Solution
18. Split MAC
The concept is to decouple the timing-critical elements of the MAC from the timing-sensitive elements of the MAC:
ACKs vs. Probe Responses
Decoupling switching from RF
The WSS 2270 is essentially a traditional L2 switch with radios in place of 10/100 ports
19. Nortel Access Point
Plenum-ratable cast aluminum case
Standard Ethernet (802.3) cabling
Multi-band support (802.11 a/b/g)
Powerful dual-dispatch directional antenna
Various mounting options
Power over Ethernet (802.3af)
802.11i and 802.11e ready
WPA/TKIP
SNMPv3
SSH v2.0
Multiple SSIDs
Monitor mode available
100 mW radio power
20. Nortel 2270 Wireless Switch
Compact design conserves wiring closet space
Two 1000Base-SX ports with LC connectors, one logical path (failover protection)
On-board VPN capability using Enhanced Security Module crypto processor
Configurable Distribution System Port (GigE)
10/100 Mbps-TX Ethernet Service Port
9 pin Serial Connector for Console Port
n+1 redundancy
Crypto H/W accelerator
IPsec termination
21. APs use encrypted control traffic
22. Data Paths with WSS 2270
LWAPP transports control messages to/from AP
LWAPP transports data packets to/from AP
L2 or L3 tunneling
23. Overlaying 2270/2230 on LAN
All ports untagged in VLAN 1
LWAPP is in VLAN 1
User devices are mapped back to VLAN 1 too
All data is tunneled to 2270
BayStack will see MAC of clients on the port connecting to 2270, not the port connecting to 2230
Right hand side represents what the WLAN looks like to the rest of the data network
24. 2270/2230 with Multiple VLANs
L2 Switch:
All ports are members of VLAN1
Link to 2270 has VLANs 1, 2, 3 (all tagged)
Link to router has VLANs 1, 2, 3 (all tagged)
Access link to 2230 is only member of VLAN 1 (untagged)
Right hand side represents what the WLAN looks like to the rest of the data network
25. L3 Mode with Multiple VLANs
Layer 3 mode of LWAPP is logically essentially the same
Physically, though, the APs can be placed anywhere in the network
26. Per-SSID Security Features
Layer 2:
Static WEP
Shared or Open authentication
MAC-based authentication
WPA
802.1x
Cranite
Fortress
Layer 3:
IPsec
Up to 1 Gbps bulk encryption
Web Authorization
VPN Passthrough
27. Where is Encryption Done (L2)
L2 encryption-based methods are encrypted/decrypted on the 2230
WEP, dynamic WEP, WPA, AES (future)
28. Where is Encryption Done (L3)
IPsec terminated on the 2270
Tested clients: SSH, Sentinel, Movian, Cisco, Netscreen
Per-SSID
29. VPN Passthrough
VPN Passthrough leverages an external VPN server
Configure IP address of server
Applies traffic filter so only traffic to the server can get through
Per-SSID
30. How to Implement VoIP
Multiple SSIDs (i.e. two WLANs)
No Active Load Balancing
QoS:
SSID: VOIP = Gold
SSID: DATA = Bronze
Security:
SSID: VOIP = MAC based and/or WEP (only on b/g radio)
SSID: DATA = 802.1x or whatever is desired
Adjust Queue depth
Prioritize LWAPP on switches between 2270 and 2230
31. How to Implement VoIP (cont.)
32. WLAN Management System
User interface to WMS is a web browser
Running locally
Running remotely
Database and control reside on WMS server
33. Accurate RF prediction for AP placement and RF topology mapping
Detailed heat maps for easy analysis
Ekahau Site Survey (ESS) tool to verify RF prediction and perform ongoing analysis (if needed)
34. Nortel WLAN Control Software uses advanced fingerprinting for <10 meter accuracy
35. Nortel Location Positioning
Closest AP
How: Identify the AP to which a client is associated
Pro: Easy to do; Nothing new required
Con: Limited accuracy – an AP can easily cover several thousand square feet.
RF Triangulation
How: All APs identify the “strength” with which they hear a client. Intelligent algorithms triangulate responses to pinpoint probable location.
Pro: More accurate than closest AP
Con: Does not account for effects of building material on signal (e.g., reflection, attenuation, multi-path)
RF Fingerprinting
How: RF prediction creates grid that identifies how every single part of a floor plan looks to all access points. Real-world info gathered from APs is compared to these fingerprints to determine precise location
Pro: GPS-like accuracy
Con: More involved to set up (requires RF prediction tools)
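To make the three methods on slide 35 concrete, here is an added example (not from the Nortel deck) that simulates all three on a constructed floor plan; the AP positions, the log-distance path-loss model and the single interior wall are assumptions chosen for illustration.

```python
import math

# Constructed floor plan (assumption): three APs at (x, y) metres and one
# interior wall along x = WALL_X that costs WALL_LOSS dB to cross.
APS = {"ap1": (0.0, 0.0), "ap2": (30.0, 0.0), "ap3": (15.0, 20.0)}
WALL_X, WALL_LOSS = 15.0, 12.0

def predicted_rssi(point, ap):
    """Assumed log-distance path loss: -40 dBm at 1 m, exponent 3, plus the
    wall penalty when the path from the AP crosses x = WALL_X."""
    d = max(1.0, math.dist(point, APS[ap]))
    wall = WALL_LOSS if (point[0] - WALL_X) * (APS[ap][0] - WALL_X) < 0 else 0.0
    return -40.0 - 30.0 * math.log10(d) - wall

def closest_ap(reading):
    """'Closest AP': report the position of the AP that hears the client loudest."""
    return APS[max(reading, key=reading.get)]

def triangulate(reading):
    """'RF Triangulation' as a weighted centroid: linear-scale signal strength
    pulls the estimate toward each AP. It knows nothing about the wall, which
    is exactly the 'Con' listed on the slide."""
    w = {ap: 10 ** (rssi / 10.0) for ap, rssi in reading.items()}
    total = sum(w.values())
    return (sum(APS[ap][0] * w[ap] for ap in w) / total,
            sum(APS[ap][1] * w[ap] for ap in w) / total)

def build_fingerprints():
    """'RF Fingerprinting', step 1: RF prediction records how every 1 m cell of
    the floor looks to every AP, wall included."""
    return {(x, y): {ap: predicted_rssi((x, y), ap) for ap in APS}
            for x in range(31) for y in range(21)}

def fingerprint_locate(reading, grid):
    """Step 2: pick the cell whose predicted RSSI vector is nearest (in dB) to
    what the APs actually heard."""
    return min(grid, key=lambda p: sum((grid[p][ap] - reading[ap]) ** 2 for ap in APS))

def compare_methods(true_pos, grid):
    """Metre error of each method for a client at true_pos, with readings
    generated by the same model the fingerprint grid was built from."""
    reading = {ap: predicted_rssi(true_pos, ap) for ap in APS}
    return {"closest_ap": math.dist(closest_ap(reading), true_pos),
            "triangulation": math.dist(triangulate(reading), true_pos),
            "fingerprint": math.dist(fingerprint_locate(reading, grid), true_pos)}

if __name__ == "__main__":
    # Client at (20, 5): behind the wall from ap1, nearest to ap2.
    print(compare_methods((20.0, 5.0), build_fingerprints()))
```

For the client at (20, 5) the fingerprint lookup lands on the exact cell, triangulation is pulled several metres toward ap2 because the wall silently weakens ap1, and closest-AP can only answer with ap2's own position.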
36. Understanding RF Fingerprinting
37. Nortel’s WLAN – Adaptive Solution
39. Mesh: Minimize Backhaul Costs in Open Environments
Typical Customer Profile:
Open spaces (depot, campus)
No existing wired infrastructure
Constantly changing environment (e.g. convention center)
Customer Benefits:
Minimize backhaul costs
Rapid deployment
Auto-configuration
Resilient
40. Nortel Networks Solutions
41. Security Issues and Options with WLANs
Security is an issue with WLANs
But…
Problems can be addressed
42. Applying the Unified Security Architecture to Wireless LANs