Ensure a Secure Environment for Voice over WiFi


Ensure a Secure Environment for Voice over WiFi
Sri Sundaralingam
Director, Product Management
AirTight Networks
[email protected]
January 23-26, 2007 • Ft. Lauderdale, Florida
Agenda
• WiFi Security Concerns
• Major WiFi Threats
• Wi-Fi Security Requirements
• Wi-Fi Best Practices
• WIPS Deployment Best Practices
• VoWiFi Planning & Monitoring
• Demo
• Q&A
Wi-Fi Security Concerns
• Wi-Fi is inherently insecure
  – Signal bleeds through walls and windows
  – No central point of control
• Easy to break in if proper security standards are not used
  – Legacy VoWiFi devices don't support the latest security standards
• Wi-Fi networks can be easily disrupted
  – DoS attacks are easy to launch
  – Usual security precautions don't work against DoS
Security Legislative Drivers
• Privacy legislation requires companies to keep non-public personal information secure
  – Health Insurance Portability and Accountability Act (HIPAA)
  – Gramm-Leach-Bliley (GLB) Act
• Additional drivers
  – Sarbanes-Oxley
  – DoD Directive
• Patriot Act
  – Liability for facilitating cyber-terrorism
Wi-Fi Security Threats
• Eavesdropping
• Unauthorized access
  – Stealing Internet access bandwidth
  – Access to sensitive data
• Rogue APs and clients
  – Enterprises need to adjust security policies
• Client mis-association
• Sophisticated attacks:
  – WEP attack (using weak IVs to find the actual WEP key)
  – Brute force or dictionary attacks
  – Replay or forgery attacks
  – Man-in-the-middle attacks
  – Denial of Service (DoS) attack
  – Driver/firmware level attacks
Major Wi-Fi Threat Categories
Common
• Rogue Access Points
• Mis-configured Access Points
• Ad hoc connections
• Unauthorized client associations
Malicious
• Honeypot APs
• MAC spoofing APs
• Denial of Service attack
[Figure: network diagram showing each threat against the enterprise WLAN: Denial of Service Attack, Misassociation, Misconfigured AP, Honeypot, Unauthorized Association, Rogue AP, AP MAC Spoofing, Ad Hoc]
Firewalls, VPNs, and 802.11 Security Standards Do Not Prevent These Wi-Fi Threats on Either Wired or Wireless Networks
Layer-2 based DoS attacks
• WLAN networks are prone to Layer-2 DoS attacks!
  – Reduces medium availability
  – Impacts data throughput, VoIP over WLAN quality, etc.
• There are several types of Layer-2 DoS attacks
  – 802.11 deauth/disassociation attacks
  – EAPOL flooding attacks
  – Driver/firmware level attacks
  – Etc.
• Wireless Intrusion Prevention (WIPS) system shall
  – Detect and identify DoS attacks
  – Provide means to protect against DoS attacks
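A rate-based detector for the 802.11 deauth/disassociation floods listed above, added here as an example and not taken from the slides or from any AirTight product: it slides a one-second window over the disconnect frames seen per BSSID and flags any BSSID whose count reaches a threshold. The frame records, the BSSIDs and the threshold of 20 frames per second are constructed for illustration.

```python
from collections import defaultdict, deque

# Management-frame subtypes that tear down a client's association.
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}

def deauth_flood_alerts(frames, window_s=1.0, threshold=20):
    """Return {bssid: peak_count} for every BSSID whose deauth/disassoc
    frame count inside some sliding window of window_s seconds reaches
    threshold. Each frame is (timestamp_s, subtype, bssid, destination)."""
    windows = defaultdict(deque)   # bssid -> timestamps still inside the window
    peaks = defaultdict(int)       # bssid -> largest window count observed
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = windows[bssid]
        q.append(ts)
        while ts - q[0] > window_s:    # drop frames that fell out of the window
            q.popleft()
        peaks[bssid] = max(peaks[bssid], len(q))
    return {b: n for b, n in peaks.items() if n >= threshold}

# Constructed sample, shaped like a WIPS sensor's frame log (not a real capture):
# a healthy AP that sends one legitimate deauth, and a second BSSID in whose
# name 60 broadcast deauth frames arrive within 0.6 seconds.
HEALTHY_AP = "00:11:22:33:44:55"
TARGET_AP = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    (0.0, "beacon", HEALTHY_AP, "ff:ff:ff:ff:ff:ff"),
    (0.4, "deauth", HEALTHY_AP, "aa:bb:cc:00:00:01"),
    (0.5, "beacon", TARGET_AP, "ff:ff:ff:ff:ff:ff"),
] + [(1.0 + i * 0.01, "deauth", TARGET_AP, "ff:ff:ff:ff:ff:ff") for i in range(60)]

if __name__ == "__main__":
    for bssid, peak in deauth_flood_alerts(SAMPLE_FRAMES).items():
        print(f"ALERT deauth/disassoc flood against BSSID {bssid}: {peak} frames in 1 s")
```

A single legitimate deauth stays well under the threshold, so only the flooded BSSID is reported; the threshold should be tuned per site, since a busy AP that roams many clients will show a higher baseline.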
Legacy Device Issues
• Legacy devices are commonplace
  – Bar code scanners, point of sale terminals
  – Printers
  – Voice over Wi-Fi phones
• Likely not to support proper security methods
  – WEP only, or worse, no encryption support at all
  – No ability to support IPsec VPN clients
• Recommendations
  – Separate VLAN mapped to SSID with WEP/no security
  – MAC address authentication
  – Regular rotation of WEP key (if available)
Wi-Fi Security Requirements
• Encryption/authentication
  – Access Point Authentication
  – Per User and Per Session Authentication
• RF monitoring and detection
• Threat prevention and location tracking
  – Commonplace security threats
    • i.e. rogue APs/clients and unauthorized associations
  – Malicious attacks
    • Evil Twin/Honeypot APs
    • Denial of Service attacks
Wi-Fi Security Best Practices
Wireless Encryption/Authentication
• Enable Security!
• WPA or WPA2
• Use 802.1x
• Change the default SSID
• Use VLANs and separate SSIDs for legacy devices
Wireless/Wired Integration
• Secure management interfaces
  – SSH
  – SSL
  – SNMPv3
Wireless IPS
• Automatic detection
• Auto-classification
• Rogue AP and client prevention
• Management VLAN
• Network Access Protection
• Location tracking
Deployment Best Practice: Security
Wireless Intrusion Prevention System (WIPS)
• Provides 24 x 7 security coverage
• Three key functions:
  – Detects and automatically classifies wireless events & devices, to determine which are threats and which are not
  – Robustly prevents (multiple) wireless threats
  – Accurately locates wireless threats
Locating Wi-Fi Threats
Rogue AP location tracking accuracy:
• High Power: Cisco AP – 4 feet
• Medium Power: D-link AP – 5 feet
• Low Power: Cisco AP – 12 feet; Belkin AP – 10 feet
WIPS Deployment Best Practices
• Security coverage planning
  – How many sensors do I need?
  – Avoid blind spots!
• Cover your wired network
  – Cover all wired VLANs vulnerable to Wi-Fi threats
• Automate device classification & threat prevention
  – Avoid manual work to classify APs & clients!
  – Automate threat prevention based on your risk scenarios
• Locate & physically remove threats (Rogue APs, etc.)
• Automated reporting
  – Configure the WIPS system to provide automated detailed reports (weekly, monthly, etc.)
• Mobile Security – outside the enterprise premises
  – Locking down the laptop: at home, at the airport, at the hotel, etc.
Now that you've figured out your security architecture…
Deploying VoWiFi
Demos work great, but ad hoc deployments don't scale
Common problems
1. Invisible signal blackout zones
2. Signal drop out in stairways
3. Inadequate capacity in high user density areas
4. Channel interference; noise
5. Data usage is expected to grow; not sure how to provision for growth
6. Signal bleed through from neighbor's building
Deployment Best Practice
• Plan
  – Anticipate performance needs of the VoIP application in advance. Deploy/configure WiFi infrastructure to obtain the best possible performance
• Monitor
  – Monitor for changes that cannot be anticipated at the planning stage. Adjust network configuration to respond to environment changes
• Secure
  – Protect against malicious threats that can disrupt the VoIP application
  – Protect VoWiFi infrastructure vulnerabilities that can easily be exploited to breach corporate network security
Why 3 Steps?
Factors affecting WiFi performance, mapped to the three steps (Pre-deployment Planning, Live Monitoring, Detect & Prevent Threats):
• Site layout, construction material
• Co-channel interference from deployed APs
• Co-channel interference from neighbor APs and clients: can only be estimated when the network is in operation
• Noise: noise level can change over time
• Usage, contention, traffic: dynamic and can only be measured when the network is operational
• Security (e.g. DoS attacks): need to detect & respond in real time
Deployment Best Practice: Planning
• What type of QoS capabilities will be deployed?
• How much network capacity should be kept aside for these?
• What is the projected growth for applications requiring QoS?
Deployment Best Practice: Planning
Example: how to determine required network capacity?
Inputs:
• 200 sqft/user
• 8 hour work day
• 150 Mb of avg data traffic/user over WLAN
• Peak usage is 3x (i.e. need to assume 450 Mb data traffic/user)
• 0.15 ERLANG of voice load
• VoIP connection requires 64Kbps in each direction
• Assumes 100% wireless
Result for one cell:
Call radius: 50 ft
Users: 39
Active Phone Lines: 12
Concentration X:1: 3.25
Bandwidth (MBPS):
  Voice Uplink: 0.77
  Voice Downlink: 0.77
  Data Downlink: 3.25
  Data Uplink: 1.63
  Total Throughput: 6.41
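The capacity estimate above, carried through in code as an added example (not the presenter's own tool): users from cell area, active lines from an Erlang B dimensioning of the offered voice load, and data rate from the peak daily volume spread over the work day. Two parameters the slide leaves unstated are assumed here, a 1% call-blocking target and a 2:1 downlink-to-uplink split of data traffic, and the per-user data volume is taken as megabytes; with those assumptions the function reproduces every figure in the slide's table.

```python
import math

def erlang_b(lines, offered_erlangs):
    """Erlang B blocking probability, computed with the standard recursion
    B(n) = A*B(n-1) / (n + A*B(n-1)) starting from B(0) = 1."""
    b = 1.0
    for n in range(1, lines + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b

def lines_for_blocking(offered_erlangs, max_blocking):
    """Smallest number of simultaneous call channels whose blocking
    probability for the offered load is at or below max_blocking."""
    n = 1
    while erlang_b(n, offered_erlangs) > max_blocking:
        n += 1
    return n

def plan_cell(call_radius_ft=50, sqft_per_user=200, work_hours=8,
              avg_data_mb_per_user=150, peak_factor=3, erlangs_per_user=0.15,
              voice_kbps_per_direction=64, max_blocking=0.01, downlink_share=2 / 3):
    """Capacity estimate for one circular coverage cell using the slide's inputs.
    max_blocking (1%) and downlink_share (2:1 down:up) are assumptions made in
    this example; the slide does not state them. Data volume is in megabytes."""
    users = math.floor(math.pi * call_radius_ft ** 2 / sqft_per_user)
    lines = lines_for_blocking(users * erlangs_per_user, max_blocking)
    voice_mbps = lines * voice_kbps_per_direction / 1000          # per direction
    peak_mb_per_user = avg_data_mb_per_user * peak_factor
    # Spread each user's peak-day volume evenly over the work day; MB -> Mb is x8.
    data_mbps = users * peak_mb_per_user * 8 / (work_hours * 3600)
    data_down = data_mbps * downlink_share
    data_up = data_mbps - data_down
    return {
        "users": users,
        "active_lines": lines,
        "concentration": users / lines,
        "voice_uplink_mbps": voice_mbps,
        "voice_downlink_mbps": voice_mbps,
        "data_downlink_mbps": data_down,
        "data_uplink_mbps": data_up,
        "total_mbps": 2 * voice_mbps + data_down + data_up,
    }

if __name__ == "__main__":
    for name, value in plan_cell().items():
        print(f"{name:>20}: {value:.2f}" if isinstance(value, float) else f"{name:>20}: {value}")
```

For the default inputs this yields 39 users, 12 lines (3.25:1 concentration), 0.77 Mbps of voice per direction, 3.25/1.63 Mbps of data down/up and 6.41 Mbps total, matching the slide; changing the call radius or the blocking target shows how quickly the voice line count, and therefore the QoS reservation, moves.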
Deployment Best Practice: Planning
Which signal coverage are you going to assume?
Predictive Planning Vs Alternative Methods
[Chart: bar chart comparing RF Predict, Best Practices Site Surveys and Ad-hoc Deployment on four metrics: Increase in Network Performance, Reduction in Planning Cost, Reduction in Planning Time and Reduction in Equipment Cost (y-axis 0% to 120%); the individual bar labels are not legible in this transcript]
Deployment Best Practice: Monitoring
Sample Monitoring (Event) Chart
Deployment Best Practice: Monitoring
Sample Monitoring (Usage) Chart
Questions?
VoWiFi