Presentation is loading. Please wait.

Presentation is loading. Please wait.

Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments.

Published byAlexis Shepherd Modified over 8 years ago

Similar presentations

Presentation on theme: "Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments."— Presentation transcript:

1 Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments Rodrigo Blanco Supervisors:Prof. Dr.-Ing Adam Wolisz Dr.-Ing. Günter Schäfer

2 March 20022 TKN Telecommunication Networks Group Contents – Project Steps 1.Initial study of the problem 2.Definition of the project’s goals 3.Technical analysis: choice of security technology 4.Design of an IPSec-based solution 5.Implementation of the configuration solution 6.Results, conclusions and open issues

3 March 20023 TKN Telecommunication Networks Group Initial Study: WLAN Scenarios Considered Office scenarioHome scenario

4 March 20024 TKN Telecommunication Networks Group Problems Regarding WLAN Security Wireless medium Eavesdropping Active attacks Authorization violation IEEE 802.11 limited security: Shared Key WEP Difficulties of installation / configuration Misconfiguration

5 March 20025 TKN Telecommunication Networks Group Definition of the project’s goals Network security Access control Confidentiality Data integrity / origin authentication Replay Protection Roaming capabilities Nomadic users Requirements imposed by the proposed scenarios Protocols should be available for common operating systems No special, expensive HW and SW requirements Simplicity of use

6 March 20026 TKN Telecommunication Networks Group IEEE Technologies IEEE 802.11 (WEP) Security services Entity authentication (Shared Key) Confidentiality, data integrity / origin authentication, access control (Wired Equivalent Privacy) Limitations: No key management WEP vulnerabilities IEEE 802.1x Security services: Entity authentication Key distribution Solve the WEP key distribution problem Protocol strength Industry support Problems: WEP remains a weak protocol Upgrade of the already existing installations

7 March 20027 TKN Telecommunication Networks Group VPN Technologies PPTP IPSec L2TP/IPSec user-based host-based user & host Entity Authentication yes Confidentiality no yes Data integrity no yes Replay protection dynamic Tunnel config. dynamicstatic IP Sup. Lower Layers IP IP,IPX,etc. Sup. Payloads IPIP,IPX,etc. partly Supports Broadcast nopartly small Overhead high Availability high medium

8 March 20028 TKN Telecommunication Networks Group VPN Technologies (II) PPTP: No data origin authentication and replay protection Vulnerabilities have been detected L2TP (alone): Not recommended without additional protection L2TP/IPSec vs. IPSec L2TP/IPSec introduces bigger overhead L2TP/IPSec provides virtually no advantage over IPSec in the proposed scenarios L2TP/IPSec is not available in all operating systems IPSec is chosen to protect the WLAN scenarios.

9 March 20029 TKN Telecommunication Networks Group Design of the Solution: IPsec (I) Protocol: AH ESP Mode: transport tunnel Authentication: Kerberos Certificates Preshared Key

10 March 200210 TKN Telecommunication Networks Group Design of the Solution: IPsec (II) New entities: SG Security Domain IP subnet ID Passwords Security services Roaming support: steps DHCP “IPSec tunnel negotiation” Protocol Random numbers

11 March 200211 TKN Telecommunication Networks Group Design of the Solution: IPsec(III) Security Gateway IPSec policy: Permitted: Allow DHCP traffic Allow IPSec policy negotiation traffic Allow normal encrypted traffic for each authorized, logged-in user (IPSec tunnels) Per default: BLOCK all traffic Block Require protection Allow SG Wired LAN Wireless LAN

12 March 200212 TKN Telecommunication Networks Group Design of the Solution: IPsec(IV) Mobile Nodes (“logged-in”) IPSec policy: Permitted: Allow DHCP traffic Allow IPSec policy negotiation traffic Per default: allow only encrypted traffic from the Security Gateway (IPSec tunnel) Wireless LAN MN Require protection Allow

13 March 200213 TKN Telecommunication Networks Group Step I: Basic Configuration Security Gateway (DHCP server) (NAT box) IP forwarding (EnableRouting.reg) Initial IPsec blocking rules (InitialIPsecConfigurator.exe) Security Domain Identifier (SGNameConfigurator.exe) Random initialization (RandomInit.exe) Mobile Nodes (DHCP Client) Random Initialization (RandomInit.exe)

14 March 200214 TKN Telecommunication Networks Group Step II: Registration in a new Security Domain Mobile Node (client) Security Gateway (server) (1) The user gives the WLAN administrator the Mobile Node’s name MNName (2) Assign a password to MN and add a new entry in the users’ “database”: SGName ; Password(MNName, SGName) (3) Add a new entry in the Security Domains’ “database”:

15 March 200215 TKN Telecommunication Networks Group Step III: Dynamic IPsec Policy Configuration Mobile Node (client) Security Gateway (server) (3) The MN has now: IP connectivity and IPSec Security on its traffic (4) The MN leaves the WLAN: run WLANDisconnect.exe (1) Run WLANClient.exe (2) IPsec Policy Negotiation Protocol (0) WLANServer.exe is running (as a service) (0) Obtain IP settings (DHCP/manual)

16 March 200216 TKN Telecommunication Networks Group Mobile PC (A)Security Gateway (B) (code=1,A,IP A,r A ) (code=2,B,IP B,A,IP A,r B,r A,Sgn B ) SK A,B =HMAC(AK A,B,r A |r B |const) Sgn B =HMAC(AK A,B,{2|B|IP B |A|IP A |r B |r A }) Sgn A =HMAC(AK A,B,{3|A|IP A |B|IP B |r A |r B }) (Preshared: AK A,B ) (code=4,A,IP A,B,IP B,r A,r B ) IPsec SK A,B =HMAC(AK A,B,r A |r B |const) (code=3,A,IP A,B,IP B,r A,r B,Sgn A ) IPsec IPSec Policy Negotiation Protocol

17 March 200217 TKN Telecommunication Networks Group Pseudo Random Number Generator 160 f SHA-1 160 Y 1 =(Y 0 <<160)|SHA-1(Y 0,CV 1 ) 80 random bits 80 CV 1 Random bit sequence NOTE: The f SHA-1 function cannot be inverted … … f SHA-1 Y i =(Y i-1 <<160)|SHA-1(Y 0,CV i ) CV i …… 80 random bits …… f SHA-1 CV 0 Y0Y0 80 80 random bits Keystrokes Performance

18 March 200218 TKN Telecommunication Networks Group Implementation: prototype components APPLICATIONFUNCTION WLANServer Server part in the IPSec tunnel negotiation protocol WLANClient Client part in the IPSec tunnel negotiation protocol RandomInit Generation of random a random source based on user’s keystrokes InitialIPSecConfigurator Initial WLAN IP address blocking SGNameConfigurator Assignment of a unique SG identifier WLANService Installs the WLANServer.exe as an NT service in the Security Gateway WLANDisconnect Deactivation of the WLAN IPSec policy

19 March 200219 TKN Telecommunication Networks Group Results, Conclusions and Open Issues Results: Nomadic roaming of users Security goals fulfilled HW / SW requirements Facility of use Simple architecture Little impact on the network Open issues IPSec policy compatibility with user additional IPSec settings Non-configured clients IPsec limitations Broadcast traffic No user authentication Possible applications of this project Securing the TKN’s WLAN Port to Unix / Linux

Download ppt "Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Network Security.

Network Security.
Secure Mobile IP Communication

Secure Mobile IP Communication
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.

Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.

Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Virtual Private Networks (Tunnels). When Are VPN Tunnels Used? VPN with PPTP tunnel Used if: All routers support VPN tunnels You are using MS-CHAP or.

Virtual Private Networks (Tunnels). When Are VPN Tunnels Used? VPN with PPTP tunnel Used if: All routers support VPN tunnels You are using MS-CHAP or.

Similar presentations

Ads by Google