Transparent Firewall for Wireless Network (presentation transcript)

1/29 Transparent Firewall for Wireless Network
Kasom Koth-arsa (1), Surasak Sanguanpong (2), Anan Phonphoem (2)
{Kasom.K, Surasak.S, Anan.P}@ku.ac.th
(1) Engineering Computer Center, Faculty of Engineering
(2) Department of Computer Engineering, Faculty of Engineering
Kasetsart University
APAN, Hawaii, Network Security, 23rd January 2008
This work is partially supported by the Commission of Higher Education (CHE), UniNET, Thailand

2/29 Agenda
- Backgrounds
- Obstacles & Opportunities
- Design
- Implementation
- Conclusion

3/29 Kasetsart University Wireless Network
- Kasetsart University Wireless Network: KUWiN
- Centralized control, managed by the Office of Computer Services
- 452 APs in the Bangkhen campus (as of 2008/01/18)
- 200 more APs will be deployed within the next three months
- 110 buildings
- 34,780 registered wireless devices
- More than 2,000 maximum concurrent clients

4/29 KUWiN
- Currently 452 APs available (2008/01/18)
[Campus map: Bangkhen campus and the Ministry of Agriculture; 1.5 km scale bar]

5/29 Agenda
- Backgrounds
- Obstacles & Opportunities
- Design
- Implementation
- Results
- Conclusion

6/29 Obstacles & Opportunities
- Large number of concurrent clients
  - More than 2,000 maximum concurrent clients
  - Requires a large number of IP addresses
- Rogue DHCP servers and broadcast storms in the wireless network
- Users who use static IP addresses
  - Conflict with the users who use DHCP
- Wireless roaming within the campus

7/29 Agenda
- Backgrounds
- Obstacles & Opportunities
- Design
- Implementation
- Results
- Conclusion

8/29 Design: The Two Extremes
- Single subnet for the whole wireless network
  - Efficient IP address utilization
  - Seamless roaming
  - Suffers from broadcast problems
- Multiple subnets, one for each access point
  - Separate broadcast domains keep the problems separate
  - Roaming is not smooth
  - IP address utilization is not efficient

9/29 Design: Previous KUWiN
- Single VLAN across the whole campus, dedicated to the wireless network
- Single subnet, single broadcast domain
[Diagram: Router, Ethernet switch, APs; single VLAN/single subnet]

10/29 Design: The New KUWiN
- Multiple VLANs
  - Network management VLAN
  - Registration VLAN (for the users to register their devices' MAC addresses)
  - Unencrypted VLAN: KUWIN (for legacy clients)
  - WPA VLAN: KUWIN-WPA
- Shadow VLANs
  - Split the unencrypted and WPA VLANs into multiple VLANs
  - Join those VLANs together with transparent bridges/firewalls

11/29 Design: Shadow VLANs
- The network management VLAN and the registration VLAN are not shadowed
- Both the unencrypted VLAN and the WPA VLAN are divided into N shadow VLANs each
- Some broadcast packets are filtered by the transparent firewalls, which creates a single subnet with (somewhat) multiple broadcast domains

12/29 Design: Shadow VLAN/Logical View
[Diagram: Router, Ethernet switch, primary VLAN; three transparent firewalls, each joining the primary VLAN to Shadow VLAN #1, #2 and #3 with their APs; multiple VLANs/single subnet]

13/29 Design: VLAN Partitioning
- Selecting the number of shadow VLANs
  - Cost of firewall servers
  - Ease of management
  - Effectiveness of separating the broadcast domain

14/29 Design: Filtering
- DHCP
  - Allow requests from the client side to the router
  - Allow replies from the router to the clients
- ARP
  - Assume that all wireless users are clients, so a client always issues the ARP request first
  - Drop requests from the router
  - Allow requests from the client side to the router
  - Allow replies from the router to the clients
- NetBIOS broadcasts/other broadcasts
  - Drop all
- Design a daemon for permitting DHCP users/blocking static IP users (adjusts the ipset)

15/29 Design: Force Users to Use DHCP
[Diagram: a bridge/transparent firewall sits between the router/DHCP server side and the client side; a daemon on the bridge watches DHCP Offer/ACK packets and updates the ipset member database]

16/29 Agenda
- Backgrounds
- Obstacles & Opportunities
- Design
- Implementation
- Results
- Conclusion

17/29 Implementation: Overview
- Use two large subnets, 16 class C each
  - The first subnet is for the unencrypted VLAN
  - The second subnet is for the WPA VLAN
- Split both the unencrypted and WPA VLANs into 5 VLANs each
- Use transparent firewalls/bridges to tie those VLANs together

18/29 Implementation: Transparent bridge/firewall
- Use a Linux server as a bridge
- iptables + ipset, and ebtables
- Focus on filtering of broadcast packets
  - DHCP
  - ARP
  - NetBIOS broadcasts

19/29 Implementation: Hardware
- Sun Fire X2100
- Opteron 1210 dual core (1.8 GHz)
- 512 MB of RAM
- 300 GB SATA hard disk
- Built-in Gigabit Ethernet controller

20/29 Implementation: Software
- Linux 2.6.23.9 + ipset patch on CentOS 5 (64 bit)
- bridge-utils
- ebtables
- iptables 1.3.5 + ipset patch
- A daemon for permitting DHCP users/blocking static IP users (adjusts the ipset)

21/29 Implementation: Filtering/ebtables
    Bridge chain: FORWARD, entries: 18, policy: ACCEPT
    -d 1:0:5e:0:0:2 -j DROP
    -d 1:0:5e:0:0:5 -j DROP
    -d 1:0:5e:0:0:d -j DROP
    -d 1:0:5e:7f:ff:fa -j DROP
    -d 1:0:c:cc:cc:cd -j DROP
    -d 1:0:c:cc:cc:cc -j DROP
    -d BGA -j DROP
    -d 33:33:0:0:0:5 -j DROP
    -p ARP -d Broadcast -i eth2 -j DROP
    -p ARP -j ACCEPT
    -p IPX -d Broadcast -j DROP
    -p NetBEUI -d Broadcast -j DROP
    -p IPv4 -d Broadcast --ip-proto udp --ip-dport 137:138 -j DROP
    -p IPv4 -d Broadcast -i eth3.112 --ip-proto udp --ip-dport 68 -j DROP
    -p IPv4 -d Broadcast -o eth3.112 --ip-proto udp --ip-dport 67 -j DROP
    -p IPv4 -j ACCEPT
    -p IPv6 -j ACCEPT
    -j DROP
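The listing above is what `ebtables -L` prints; it does not show which direction each rule affects. The following is an added example, not the authors' code: it keeps the same 18 rules in the argument form ebtables takes, so one list renders to the `ebtables -A FORWARD ...` commands that would load them and can also be evaluated offline against a frame to predict what the bridge does. The interface roles are taken from the slide (eth2 faces the router on the primary VLAN, eth3.112 faces the clients on the shadow VLAN); the sample frames are constructed.

```python
"""Offline model of the transparent bridge's ebtables FORWARD chain (slide 21).

Added example, not the authors' code.  Rules are stored as the argument list
ebtables would take; decide() walks them first-match-wins as the kernel does.
"""

ROUTER_IF = "eth2"       # primary VLAN side (router, DHCP server)
CLIENT_IF = "eth3.112"   # shadow VLAN side (access points, clients)
BROADCAST = "ff:ff:ff:ff:ff:ff"
BGA = "01:80:c2:00:00:00"  # ebtables' name for the 802.1D bridge group address

# The slide's 18 rules in order (ebtables -L prints MACs without leading zeros).
FORWARD_RULES = [
    ["-d", "01:00:5e:00:00:02", "-j", "DROP"],  # all-routers multicast
    ["-d", "01:00:5e:00:00:05", "-j", "DROP"],  # OSPF all-SPF-routers
    ["-d", "01:00:5e:00:00:0d", "-j", "DROP"],  # PIM
    ["-d", "01:00:5e:7f:ff:fa", "-j", "DROP"],  # SSDP
    ["-d", "01:00:0c:cc:cc:cd", "-j", "DROP"],  # Cisco PVST+
    ["-d", "01:00:0c:cc:cc:cc", "-j", "DROP"],  # Cisco CDP/VTP
    ["-d", "BGA", "-j", "DROP"],                # spanning-tree BPDUs
    ["-d", "33:33:00:00:00:05", "-j", "DROP"],  # IPv6 OSPF multicast
    # ARP: requests entering from the router side are dropped, the rest passes
    ["-p", "ARP", "-d", "Broadcast", "-i", ROUTER_IF, "-j", "DROP"],
    ["-p", "ARP", "-j", "ACCEPT"],
    ["-p", "IPX", "-d", "Broadcast", "-j", "DROP"],
    ["-p", "NetBEUI", "-d", "Broadcast", "-j", "DROP"],
    # NetBIOS name and datagram service broadcasts
    ["-p", "IPv4", "-d", "Broadcast", "--ip-proto", "udp", "--ip-dport", "137:138", "-j", "DROP"],
    # a DHCP reply entering from the client side can only come from a rogue server
    ["-p", "IPv4", "-d", "Broadcast", "-i", CLIENT_IF, "--ip-proto", "udp", "--ip-dport", "68", "-j", "DROP"],
    # a DHCP request only needs to reach the router side; none is forwarded into the shadow VLAN
    ["-p", "IPv4", "-d", "Broadcast", "-o", CLIENT_IF, "--ip-proto", "udp", "--ip-dport", "67", "-j", "DROP"],
    ["-p", "IPv4", "-j", "ACCEPT"],
    ["-p", "IPv6", "-j", "ACCEPT"],
    ["-j", "DROP"],  # every other ethertype is dropped
]


def frame(dst, proto, in_if, out_if, ip_proto=None, dport=None):
    """Minimal view of a bridged frame: the fields the chain above can match on."""
    return {"dst": dst.lower(), "proto": proto, "in_if": in_if, "out_if": out_if,
            "ip_proto": ip_proto, "dport": dport}


def _dst_matches(spec, dst):
    if spec == "Broadcast":
        return dst == BROADCAST
    if spec == "BGA":
        return dst == BGA
    return spec.lower() == dst


def _port_matches(spec, port):
    lo, _, hi = spec.partition(":")          # "68" or "137:138"
    return port is not None and int(lo) <= port <= int(hi or lo)


def rule_matches(rule, fr):
    """Every match option in the rule must hold; '-j' names the target, not a match."""
    for opt, val in zip(rule[0::2], rule[1::2]):
        if opt == "-d" and not _dst_matches(val, fr["dst"]):
            return False
        if opt == "-p" and fr["proto"] != val:
            return False
        if opt == "-i" and fr["in_if"] != val:
            return False
        if opt == "-o" and fr["out_if"] != val:
            return False
        if opt == "--ip-proto" and fr["ip_proto"] != val:
            return False
        if opt == "--ip-dport" and not _port_matches(val, fr["dport"]):
            return False
    return True


def decide(fr, rules=FORWARD_RULES, policy="ACCEPT"):
    """First matching rule wins, as in ebtables; the chain policy applies if none matches."""
    for rule in rules:
        if rule_matches(rule, fr):
            return rule[rule.index("-j") + 1]
    return policy


def ebtables_commands(rules=FORWARD_RULES):
    """Render the rule list as the commands that would load it on the bridge."""
    return ["ebtables -A FORWARD " + " ".join(rule) for rule in rules]


# Constructed sample frames covering the cases the design slides call out.
SAMPLES = {
    "arp_request_from_router": frame(BROADCAST, "ARP", ROUTER_IF, CLIENT_IF),
    "arp_request_from_client": frame(BROADCAST, "ARP", CLIENT_IF, ROUTER_IF),
    "dhcp_discover_from_client": frame(BROADCAST, "IPv4", CLIENT_IF, ROUTER_IF, "udp", 67),
    "dhcp_ack_from_router": frame(BROADCAST, "IPv4", ROUTER_IF, CLIENT_IF, "udp", 68),
    "dhcp_offer_from_rogue_server": frame(BROADCAST, "IPv4", CLIENT_IF, ROUTER_IF, "udp", 68),
    "dhcp_discover_relayed_from_other_vlan": frame(BROADCAST, "IPv4", ROUTER_IF, CLIENT_IF, "udp", 67),
    "netbios_name_query": frame(BROADCAST, "IPv4", CLIENT_IF, ROUTER_IF, "udp", 137),
    "unicast_ipv4": frame("00:11:22:33:44:55", "IPv4", ROUTER_IF, CLIENT_IF, "tcp", 80),
    "cdp_from_switch": frame("01:00:0c:cc:cc:cc", "LLC", ROUTER_IF, CLIENT_IF),
}

if __name__ == "__main__":
    for name, fr in SAMPLES.items():
        print(f"{name:40} {decide(fr)}")
    print("\n".join(ebtables_commands()))
```

Running it shows the two asymmetries the design relies on: an ARP request is accepted only when it enters from the client side, and a DHCP reply is accepted only when it enters from the router side, so a rogue server inside the shadow VLAN cannot answer clients behind another bridge.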

22/29 Implementation: Filtering/iptables
    Chain FORWARD (policy ACCEPT)
    target  prot opt source     destination
    ACCEPT  0    --  0.0.0.0    0.0.0.0/0    PHYSDEV match --physdev-in eth3.112
    ACCEPT  0    --  0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in eth3.112 set fixip src,src
    ACCEPT  0    --  0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in eth3.112 set usedhcp src,src
    LOG     0    --  0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in eth3.112 LOG flags 0 level 4
    DROP    0    --  0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in eth3.112

23/29 Implementation: Filtering/ipset
    Name: fixip
    Type: ipmap
    References: 1
    Default binding:
    Header: from: 158.108.0.0 to: 158.108.255.255
    Members:
    158.108.X.X
    ...
    Bindings:

    Name: usedhcp
    Type: macipmap
    References: 1
    Default binding:
    Header: from: 158.108.0.0 to: 158.108.255.255
    Members:
    158.108.X.X:XX:XX:XX:XX:XX:XX
    ...
    Bindings:
- fixip: manually inserted to allow some IP addresses to be set statically
- usedhcp: automatically inserted/removed by the daemon to allow DHCP users
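Slides 14/15, 22 and 23 describe the "force DHCP" mechanism in three pieces: a daemon that watches DHCP Offer/ACK packets on the router side, the usedhcp macipmap set it maintains, and the iptables FORWARD chain that accepts client-side traffic only from a fixip entry or a leased (IP, MAC) pair. The block below is an added example, not the authors' daemon, that ties those pieces together offline: it parses a BOOTP/DHCP reply, binds the (IP, MAC) pair on ACK with the lease time as expiry, removes it on NAK or expiry, and then walks the slide-22 chain for a packet entering from eth3.112. The DHCP payloads are constructed in the block itself; the `ipset -A set IP,MAC` command strings are rendered under the assumption that the installed ipset accepts that form, so check them against its man page before use. Binding on ACK rather than Offer is a choice of this example; the slide's daemon also watches Offers.

```python
"""Offline model of the daemon + ipset + iptables 'force DHCP' path (slides 14/15, 22, 23).

Added example, not the authors' code.  ipset command syntax is an assumption.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

CLIENT_IF = "eth3.112"
WIRELESS_RANGE = IPv4Network("158.108.0.0/16")   # the set header range on slide 23
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCPACK, DHCPNAK = 5, 6


def parse_dhcp(payload):
    """Return (op, msg_type, client_mac, yiaddr, lease_seconds) from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    yiaddr = IPv4Address(payload[16:20])                     # address offered to the client
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # chaddr
    msg_type = lease = None
    i = 240
    while i < len(payload) and payload[i] != 255:            # 255 = end option
        if payload[i] == 0:                                  # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == 53:
            msg_type = data[0]
        elif code == 51:
            lease = struct.unpack("!I", data)[0]
        i += 2 + length
    return op, msg_type, mac, yiaddr, lease


class UseDhcpSet:
    """Stand-in for the usedhcp macipmap set: IP -> (MAC, lease expiry)."""

    def __init__(self):
        self.members = {}

    def add(self, ip, mac, expiry):
        self.members[ip] = (mac, expiry)
        return f"ipset -A usedhcp {ip},{mac}"      # assumed ipset syntax

    def remove(self, ip):
        self.members.pop(ip, None)
        return f"ipset -D usedhcp {ip}"            # assumed ipset syntax

    def remove_mac(self, mac):
        return [self.remove(ip) for ip, (m, _) in list(self.members.items()) if m == mac]

    def contains(self, ip, mac, now):
        """A macipmap match needs the IP and the MAC to agree, and the lease to be live."""
        entry = self.members.get(ip)
        return entry is not None and entry[0] == mac and now < entry[1]

    def expire(self, now):
        """Remove leases that have run out; returns the commands that would do it."""
        return [self.remove(ip) for ip, (_, exp) in list(self.members.items()) if now >= exp]


def handle_router_reply(payload, usedhcp, now):
    """What the daemon does with one DHCP packet seen on the router side of the bridge."""
    op, msg_type, mac, ip, lease = parse_dhcp(payload)
    if op != BOOTREPLY:
        return []                                  # client-originated, nothing to bind
    if msg_type == DHCPACK and lease and ip in WIRELESS_RANGE:
        return [usedhcp.add(ip, mac, now + lease)]
    if msg_type == DHCPNAK:
        return usedhcp.remove_mac(mac)             # yiaddr is 0.0.0.0 in a NAK, so key on MAC
    return []


def forward_decision(src_ip, src_mac, physdev_in, fixip, usedhcp, now):
    """Walk the slide-22 FORWARD chain for one packet; returns ACCEPT or LOG+DROP."""
    if physdev_in != CLIENT_IF:
        return "ACCEPT"                  # rules only match client-side ingress; policy ACCEPT
    if src_ip == IPv4Address("0.0.0.0"):
        return "ACCEPT"                  # DHCP discover/request before an address is bound
    if src_ip in fixip:
        return "ACCEPT"                  # fixip: manually allowed static addresses
    if usedhcp.contains(src_ip, src_mac, now):
        return "ACCEPT"                  # usedhcp: (IP, MAC) leased by the real server
    return "LOG+DROP"                    # static-IP users: logged, then dropped


def build_dhcp_reply(msg_type, mac, yiaddr, lease):
    """Constructed BOOTREPLY payload for testing; not a real capture."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, 0x3903F326, 0,
                         0x8000, b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type, 51, 4]) + struct.pack("!I", lease) + b"\xff"
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    usedhcp, fixip = UseDhcpSet(), {IPv4Address("158.108.1.10")}   # constructed values
    ack = build_dhcp_reply(DHCPACK, "00:11:22:33:44:55", "158.108.20.7", 3600)
    print(handle_router_reply(ack, usedhcp, now=1000))
    print(forward_decision(IPv4Address("158.108.20.7"), "00:11:22:33:44:55", CLIENT_IF, fixip, usedhcp, 1500))
    print(forward_decision(IPv4Address("158.108.20.7"), "aa:bb:cc:dd:ee:ff", CLIENT_IF, fixip, usedhcp, 1500))
```

The second `forward_decision` call is the case the macipmap type exists for: a device that configures the leased address statically on another MAC is logged and dropped even though the IP itself is in the set. A deployment would feed `handle_router_reply` from a packet capture on the router-side interface limited to UDP ports 67/68 and run `expire` periodically; the set-level logic stays the same.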

24/29 Agenda
- Backgrounds
- Obstacles & Opportunities
- Design
- Implementation
- Results
- Conclusion

25/29 Results
- From our experiments
  - ARP broadcasts from the router are greatly reduced
  - A rogue DHCP server still disturbs the local VLAN it is connected to, but no longer affects the other shadow VLANs, so its scope is smaller
  - The latency introduced by adding the transparent firewall is very small

26/29 Agenda
- Backgrounds
- Obstacles & Opportunities
- Design
- Implementation
- Results
- Conclusion

27/29 Conclusions
- A wireless network deployment that combines the efficient IP address allocation of the single-subnet design with the (partial) broadcast domain separation of the multiple-subnet design
  - A rogue DHCP server does not affect the whole subnet
  - The number of broadcasts is reduced
  - Roaming within the campus is seamless
  - Users are prevented from using static IP addresses in the wireless network

28/29 Future Work
- Rogue access point detection and blocking

29/29 Questions? Thank you!

