Presentation is loading. Please wait.

Presentation is loading. Please wait.

This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed."— Presentation transcript:

1 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. NETW 05A: APPLIED WIRELESS SECURITY Segmentation Devices By Mohammad Shanehsaz Spring 2005

2 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Objectives Enterprise Wireless Gateways Understand the functionality of enterprise wireless gateways (EWG) Recognize strengths, weaknesses, and appropriate applications for an enterprise wireless gateway Describe common security features, tools, and configuration techniques for enterprise wireless gateway products Install and configure an enterprise wireless gateway, including profiles and VPNs Manage and recognize scalability limitations of an enterprise wireless gateway

3 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Objectives Firewalls and Routers Given a wireless LAN topology, explain where firewalls can be added for security Describe the wireless security benefits of routers Explain the benefits of implementing access control lists Given a wireless LAN design, demonstrate how to implement a wireless DMZ Explain the benefits of network segmentation in a wireless network Implement segmentation of a wireless LAN on a network

4 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Segmentation Devices Considerations Routers Layer3 switches VPN Concentrators Firewalls Enterprise Encryption Gateways (EEG) Enterprise Wireless Gateways (EWG)

5 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Considerations Segmentation means placing the wireless APs on a network segment that is separated from the backbone network by some type of security device To avoid a single point of failure for the entire wireless LAN, redundancy should be considered (failover or clustering) Redundancy can be built using traditional backup router protocols such as VRRP, HSRP or new devices such as enterprise wireless gateways, firewalls and others Use of NAT/PAT at the border between the backbone and the wireless segment (NAPT, Network Address Port Translation, commonly used with wireless network )

6 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Consideration (continued) Impact of NAT or NAPT on VPN protocols Impact of NAPT on management of APs from a management workstation on the wired LAN (solution will be static NAT) Impact on 802.1x/EAP traffic through an EWG between access points and authentication server (APs must have a gateway address) Connectivity problems associated with clients roaming across different layer3 devices

7 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Routers Routers are intelligent yet slow devices The strongest supported security is firewall feature set Access Control List security mechanism Some router software such as Cisco’s IOS supports Mobile IP Most routers allow no authentication

8 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Layer 3 Switches Layer3 switches have many names : route switches, switch routers,layer3 switches, network switches They are routers that perform traffic switching between physical interfaces and route network traffic through virtual interfaces Layer3 switches are very fast Expensive Access Control List security mechanism Rarely support Mobile IP They don’t provide any means of authentication

9 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. VPN Concentrators VPN concentrators support RADIUS or TACACS+ authentication Very expensive to scale for large roll-outs They have two purposes First to block layer3 traffic from entering the backbone without authentication Second to provide an encrypted point-to-point connection between client and concentrator Client and server must use the same VPN protocol, and settings must match on each end Security depends on protocol used

10 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Firewalls It is mostly too slow to support wireless LAN speeds The all-purpose group added VPN concentrator functionality followed by RADIUS support The purpose-built group segmented it into several different types (Internet, WLAN) When used in conjunction with other solutions firewalls offer great security (example: client uses SSH2 to connect to a SSH2 server through a firewall) Firewalls have one distinct advantages - already supported as integral part of the enterprise security solution

11 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Enterprise Encryption Gateways EEG are layer2 encryption devices that take Ethernet frames originating from or destined to WLAN segment and place them in proprietary frame formats that traverse both the wireless and wired segments (layer2 VPN design in which each link is an encrypted point-to-point tunnel between the client and gateways) Encrypted and unencrypted segments EEG have an IP address for management purposes only (do not perform routing) Data compression for increased throughput Access point management is part of the configuration of an EEG EEG offer support for RADIUS authentication or authentication via a proprietary Access Control Server

12 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Enterprise Wireless Gateways There are two main types: EWG appliances (stand-alone boxes) Software EWG which is installed on a typical Intel PC with 2 internet interfaces The EWG has features common to routers, layer3 switches, firewalls, and VPN concentrators plus more The principle weakness among EWGs is lack of protection for access point

13 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Network Positioning EWGs are positioned between the wireless network segment and the network backbone If VLANs are used then EWG will reside between VLANs EWGs act as a router with two fast, gigabit interfaces (one for WLAN, and another for wired side) each with its own IP address NAT can be performed in both directions

14 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Firewall Functionality EWGs have integrated firewall features When complex firewall filtering is done the number of simultaneously supported APs and supported wireless clients goes down

15 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. VPN Concentrator Functionality The main security feature of EWGs The most common VPN types such as PPTP, L2TP, and IPSec are usually supported Local user database, LDAP, and RADIUS authentication

16 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Wireless-Oriented Features Rate Limiting (may defeat DoS attacks) Role-based access control (RBAC) Creating “role” based on job description (network security) or network use requirements (bandwidth) Proprietary methods of subnet roaming for seamless mobility (802.11f standard addresses seamless mobility through the Inter Access Point Protocol (IAPP), and IETF RFC2002 addresses the mobileIP protocol )

17 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Performance Performance is a key consideration when comparing EWGs, Consider the following factors when purchasing EWGs: Number of simultaneous users Unencrypted throughput Encrypted throughput

18 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Resources CWSP certified wireless security professional, from McGraw-Hill

Download ppt "This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed."

Similar presentations

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco SB Summit Praha, 26.4.2012 Jan Křístek Tomáš Chott.

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco SB Summit Praha, Jan Křístek Tomáš Chott.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.

VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Allied Telesyn Wireless LAN Solutions AT-WL2411 Access Point AT-WR2411 Wireless LAN PCMCIA Card.

Allied Telesyn Wireless LAN Solutions AT-WL2411 Access Point AT-WR2411 Wireless LAN PCMCIA Card.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Presented by Serge Kpan LTEC 4550.020 Network Systems Administration 1.

Presented by Serge Kpan LTEC Network Systems Administration 1.
VIRTUAL PRIVATE NETWORKS (VPN). GROUP MEMBERS ERVAND AKOPYAN ORLANDO CANTON JR. JUAN DAVID OROZCO.

VIRTUAL PRIVATE NETWORKS (VPN). GROUP MEMBERS ERVAND AKOPYAN ORLANDO CANTON JR. JUAN DAVID OROZCO.
1 13-Jun-15 S Ward Abingdon and Witney College LAN design CCNA Exploration Semester 3 Chapter 1.

1 13-Jun-15 S Ward Abingdon and Witney College LAN design CCNA Exploration Semester 3 Chapter 1.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3 VLANs.

Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.

Similar presentations

Ads by Google