A Policy-based Approach to Wireless LAN Security Management
George Lapiotis, Byungsuk Kim, Subir Das, Farooq Anjum
Speaker: George Lapiotis, lapiotis@research.telcordia.com
Athens/Greece, September 9, 2005
Telcordia Technologies Proprietary – Internal Use Only
WLAN Security Management Challenges
• WLANs are an open shared medium
• Broken security mechanisms
• Large installed base of 802.11a/b/g
• Known WPA vulnerabilities
• Untested new standards
  • TKIP
  • IEEE 802.11i
• Mitigating the Insider Threat
  • E.g., unauthorized access to internal network resources/services
• Traditional security based on manual static configuration
• In policy-based tools administrators define high-level policies
• Need to account for user mobility, rapidly changing configuration environment
• Unified and consistent wireline-wireless security policy enforcement
The Smart Firewalls Technology
• Objective: “hands-free” management of multi-layer network security policies in dynamic network environments
• Given a network, verify that the desired access is enabled and every undesired access is verifiably denied
• Simple language to express network security policies
  • in terms of access to applications and network services
• Policy engine populated by declarative models of network elements and services
  • validates policies
  • computes new configuration settings for network elements when policies are violated
• Network monitoring and instrumentation layer
  • reports network changes as they occur
  • implements configuration changes computed by the policy engine
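The validate-then-recompute loop described on this slide, as an added Python sketch that is not Smart Firewalls code. The topology, host names, rule format and function names are all constructed for illustration, and each filtering element is assumed to be modelled as a set of permitted (source, service) pairs.

```python
from collections import deque

# Constructed model: links, and the (source, service) pairs each filter passes.
LINKS = {"laptop1": ["ap1"], "guest7": ["ap1"], "ap1": ["router"],
         "router": ["hr-db", "web"], "hr-db": [], "web": []}
FILTERS = {"ap1": {("laptop1", "sql"), ("laptop1", "http"),
                   ("guest7", "http"), ("guest7", "sql")},
           "router": {("laptop1", "http"), ("guest7", "http"), ("guest7", "sql")}}
POLICY = [("laptop1", "hr-db", "sql", "permit"),  # (src, dst, service, outcome)
          ("guest7", "web", "http", "permit"),
          ("guest7", "hr-db", "sql", "deny")]

def path(src, dst, svc, filters, enforce=True):
    """BFS route src->dst, or None; filters drop unpermitted flows if enforce."""
    queue, seen = deque([[src]]), {src}
    while queue:
        route = queue.popleft()
        node = route[-1]
        if node == dst:
            return route
        if enforce and node in filters and (src, svc) not in filters[node]:
            continue  # flow is dropped at this element
        for nxt in LINKS.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(route + [nxt])

def validate(policy, filters):
    """Return [(violated rule, proposed changes)]; empty means consistent."""
    findings = []
    for src, dst, svc, want in policy:
        live = path(src, dst, svc, filters)
        if want == "deny" and live:  # undesired access: block at first filter
            fix = [("remove", n, (src, svc)) for n in live if n in filters][:1]
        elif want == "permit" and not live:  # desired access: open each blocker
            topo = path(src, dst, svc, filters, enforce=False) or []
            fix = [("add", n, (src, svc)) for n in topo
                   if n in filters and (src, svc) not in filters[n]]
        else:
            continue
        findings.append(((src, dst, svc, want), fix))
    return findings

def apply_changes(findings, filters):
    new = {elem: set(rules) for elem, rules in filters.items()}
    for op, elem, pair in (c for _rule, fix in findings for c in fix):
        (new[elem].discard if op == "remove" else new[elem].add)(pair)
    return new
```

Running `validate` again on the table returned by `apply_changes` confirms that the computed settings restore consistency with the policy.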
Policy-based Security Architecture
[Diagram. Labels: Policy; Topology; Policy Engine; High-level Policy Configuration; Summarized Configuration; Wireless Domain Policy Managers; Detailed Configuration; Low-level Policy Configuration; Control & Monitor; Access Points]
WLAN Security Architecture: Multi-Domain Wireless Access Policy Control
[Diagram. Labels: Policy Engine; Wireless Policy Domain A; Wireless Policy Domain B; Wireless Policy Domain Controller; Access Router; Access Point; Wireless Subnet; Mobile Host; Local Monitor; AP and Host Info]
Wireless Domain Policy Manager
• Introduced to scale up the system for mobility and rapid configuration changes
  • Centralized depository might become a bottleneck in a volatile network
• Operates as a Global Policy Adaptor
  • Forwards abstracted snapshots of wireless network host connectivity status to the policy engine
  • Access point connectivity abstracted
  • Translates and pushes low-level vendor-specific AP configurations when engine uncovers inconsistencies
• Operates as a WLAN Policy Controller with some local autonomy
  • Security Monitoring configuration to Local Monitors
  • May independently block hosts if necessary
Wireless Domain Policy Manager and Local Monitor
[Diagram. Labels: Wireless Domain Policy Manager; Local Monitor; Policy Engine; Multi-type Access Points; Adaptation Module; SNMP Adaptor; HTTP Adaptor; CLI Adaptor; Database Module; AP Interface Definition Table; AP Table; Host Table; Execution Module; Global Monitor Module; PE Messaging System Interface; Local Monitor Configuration; Wireless Traffic Sniffer & Attack Detection Module; Attack 1, Attack 2, … Attack n; XML Message Handler; Local Monitor Correlator; Policy Execution; Alarming and Logging]
Supported Attack Detection Modules
• Denial of Service
• Rogue Access Point
• Man in the Middle
• Mobility-based Attacks
• Obviously not all-inclusive!
Deployment Scenario
[Diagram with steps numbered 1 to 5. Labels: Policy Engine; Global policy; Topology Update; Wireline Network; Local policy & Configuration; WDPMan; LM; AP; Mobile Host; WLAN Access Network; attack; Detect; Report; Action; Recover]
Future Work
• Current implementation supports Wi-Fi networks, extend to WiMAX
• Extend to more types of intrusion attacks using additional detection modules
• Extend to cover more access point types, vendors, and interfaces
• Use the engine for intruder redirection to honeypots
• Further scalability limits with multiple policy engines
  • tradeoff is global security policy consistency