Next Generation Security for 802.11
• What is 21st Century Security?
• 802.11 Responsibilities
• VOIP/VoWLAN Reality
• Identity Solutions
• 802.11 Architecture

What is Security?
Security comes from certainty about "Who, What, Where, When, How and Why". Whatever adds to that certainty increases security, and whatever obscures that certainty decreases security. Certainty is about knowing the neighborhood, including identity, the regulatory domains, location, and surrounding equipment.
Today's, Near-Future and Tomorrow's 802.11 Wireless Security (chart)
Three panels place security on the same axes: Low Quality vs High Quality, Insecure on WLAN vs Secure on WLAN, Insecure on non-802.11 vs Secure on non-802.11, and Fear vs Knowledge. The plotted positions are not recoverable from the text.
• Today's 802.11 Wireless Security
• Near Future 802.11 Wireless Security (with 11k, 11n, 11r, 11s, 11u, 11w, 11y, 11z)
• Tomorrow's Security (for P2P VOIP)
21st Century Security
• Shared medium (all wireless in regulatory domains)
• Identity assurance
• Location knowledge with location privacy
• Transition from fear to safety assurance
• From spoofing to identity protection
• Uncertainty protection and minor risk acceptance
• Weapons of Internet offense and defense
• Reliability assurance (protection from DOS attacks)
How 802.11 Fits in 21st Century Security
• Leading network standard (11ma, 11k, 11n, 11r, 11s, 11T, 11u, 11v, 11w, 11y, and 11z)
• Should be the primary layer delivering mobility, identity, location privacy, identity protection and uncertainty protection, independent of 802.3 and the Internet
• Reliability assurance during handoffs (11k and 11r)
802.11 Responsibilities
• 802.11 leadership in an unwired world
• Independence from previous wired thought
• VoWLAN – 802.11 issues (QoS, DOS, etc.)
• Transition from ESS to P2P
• Enabling seamless secure wireless to wired (P2P as in VoWLAN)
• Enabling identity-based security wireless to wired (P2P as in VoWLAN)
802.11 Leadership
• 802.11 secures the wireless link (WPA and RSN)
• The transition to the wired network is insecure
• The AP is the point where that transition to the wired network happens
Previous Thought
• Security for the wireless link is enough
• Applications must handle their own security
• Not the responsibility of the wireless realm
• 802.11 is nonetheless in a prime position to solve the problem
Future Thinking
• End-to-end security will require IEEE 802.11 protocols (mobility and identity)
• VoWLAN will change the world
• IETF security is not enough (HIP is part of SMA, the Secure Mobile Architecture)
• Transition to new thinking about Internet security (P2P)
• 802.11 should step up to the new thinking
VoWLAN – 802.11 Issues
• 11u VoWLAN projects: ENUM, ECRIT
• 11e/WMM discrepancies: not adequate for widespread VoWLAN
• Failure of the QSE proposed 802.11 work
• 802.11 security only addresses the ESS; it must address wireless-to-wired security
VOIP Reality
• VOIP will operate over both wired and wireless
• SIP reality is over both wired and wireless
• Secure communications today means the BSS/ESS plus a VPN (nothing is secured past the VPN server)
• VOIP will demand secure voice communications
• IETF is working on securing P2P (P2PSIP)

VoWLAN Reality
• VoWLAN enters the BSS and ESS via the wire
• VOIP requires peer-to-peer or end-to-end secure voice communications
• 802.11 must have an end-to-end and peer-to-peer transition and handoff solution
End-to-End/Peer-to-Peer
• Tunnels
• SSL
• SIP/HIP (Host Identity Protocol)
Transition from ESS to P2P
• Naming and addressing
  • IP addresses are vulnerable (to spoofing)
  • MAC addresses are vulnerable
  • PKI / identity-based security associations are OK
• IETF middlebox capabilities
  • Potential solution: the AP must have middlebox features
  • HIP middlebox possibilities, or SSL tunnel handoffs

Enabling Secure P2P – Wired and Wireless
• Possible solutions
  • HIP
  • Secure tunnels
• Security solutions
  • IPv6/MIPv6
  • Identity-based HIP
  • 802.1X

Identity-Based P2P
• HIP cryptographic names/identifiers
• Security associations
• HIP-enabled communications
• Parity
  • Need ongoing parity
  • Overlap in BSS
  • Changing keys by symbol
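The "IP addresses vulnerable / MAC addresses vulnerable / identity-based security associations OK" point on the ESS-to-P2P slide and the "HIP cryptographic names/identifiers" and "security associations" bullets above rest on one mechanism: a HIP Host Identity Tag (HIT) is a hash of a public key, so a peer can prove it owns the name by signing a challenge, which nobody can do for a MAC or IP address. The following Go program is an added worked example, not code from this deck or from the Boeing SMA/HIP implementation it describes. It builds a HIT in the ORCHIDv2 layout (RFC 7343) used by HIPv2 (RFC 7401): the 2001:20::/28 prefix, a 4-bit OGA ID, then the middle 96 bits of SHA-384 over the HIP Context ID and the Host Identifier, using HIT suite 2 (ECDSA/SHA-384). That layout postdates this 2007 deck (HIPv1 used the 2001:10::/28 prefix and 100 hash bits). The Host Identifier wire encoding (2-byte curve ID followed by the uncompressed P-256 point), the nonce challenge, and the names Alice and Mallory are assumptions made for the example; the constants are taken from those RFCs as best understood here, and the code illustrates the binding check rather than interoperating with a HIP stack.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"math/big"
	"net"
)

// HIP Context ID hashed in front of the Host Identifier (RFC 7401, 3.2).
var hipContextID = []byte{
	0xF0, 0xEF, 0xF0, 0x2F, 0xBF, 0xF4, 0x3D, 0x0F,
	0xE7, 0x93, 0x0C, 0x3C, 0x6E, 0x61, 0x74, 0xEA,
}

// ORCHIDv2 prefix 2001:20::/28 (RFC 7343); the low nibble of byte 3 holds the
// OGA ID. HIT Suite 2 = ECDSA/SHA-384 (RFC 7401). Curve ID 1 = NIST P-256 in
// the HI encoding assumed for this example (RFC 7401, 5.2.9).
var orchidPrefix = []byte{0x20, 0x01, 0x00, 0x20}

const (
	ogaECDSASHA384 = 0x2
	curveP256      = 1
)

// HostIdentity holds the key pair whose public half is the Host Identifier.
type HostIdentity struct{ priv *ecdsa.PrivateKey }

func NewHostIdentity() (*HostIdentity, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HostIdentity{priv: priv}, nil
}

// HI encodes the public key as curve ID (2 bytes) || uncompressed point (assumed encoding).
func (h *HostIdentity) HI() []byte {
	out := []byte{0x00, curveP256, 0x04}
	out = append(out, h.priv.PublicKey.X.FillBytes(make([]byte, 32))...)
	return append(out, h.priv.PublicKey.Y.FillBytes(make([]byte, 32))...)
}

// DecodeHI parses the HI and rejects anything that is not a valid P-256 point.
func DecodeHI(hi []byte) (*ecdsa.PublicKey, error) {
	if len(hi) != 67 || hi[0] != 0 || hi[1] != curveP256 || hi[2] != 0x04 {
		return nil, errors.New("HI: unsupported encoding or curve")
	}
	x := new(big.Int).SetBytes(hi[3:35])
	y := new(big.Int).SetBytes(hi[35:67])
	if !elliptic.P256().IsOnCurve(x, y) {
		return nil, errors.New("HI: point not on curve")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// HITFromHI computes Prefix | OGA ID | Encode_96(SHA-384(ContextID | HI)),
// where Encode_96 takes the middle 96 bits (bytes 18..29) of the digest.
func HITFromHI(hi []byte) net.IP {
	sum := sha512.Sum384(append(append([]byte{}, hipContextID...), hi...))
	hit := make(net.IP, 16)
	copy(hit, orchidPrefix)
	hit[3] |= ogaECDSASHA384
	copy(hit[4:], sum[18:30])
	return hit
}

// SignChallenge proves possession of the private key behind the HI, the role
// HIP_SIGNATURE plays in the HIP base exchange.
func (h *HostIdentity) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha512.Sum384(nonce)
	return ecdsa.SignASN1(rand.Reader, h.priv, digest[:])
}

// AuthenticatePeer checks the claim "I am <claimedHIT>": the presented HI must
// hash to that HIT and the signature over our nonce must verify under it. A
// MAC or IP address offers nothing comparable to check.
func AuthenticatePeer(claimedHIT net.IP, hi, nonce, sig []byte) error {
	if !bytes.Equal(HITFromHI(hi), claimedHIT) {
		return errors.New("claimed HIT is not the hash of the presented HI")
	}
	pub, err := DecodeHI(hi)
	if err != nil {
		return err
	}
	digest := sha512.Sum384(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the presented HI")
	}
	return nil
}

func main() {
	alice, _ := NewHostIdentity()
	mallory, _ := NewHostIdentity() // attacker with her own key pair
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	aliceHIT := HITFromHI(alice.HI())
	sig, _ := alice.SignChallenge(nonce)
	msig, _ := mallory.SignChallenge(nonce)
	fmt.Println("Alice's HIT:", aliceHIT)
	fmt.Println("genuine peer:        ", AuthenticatePeer(aliceHIT, alice.HI(), nonce, sig))
	fmt.Println("own key, Alice's HIT:", AuthenticatePeer(aliceHIT, mallory.HI(), nonce, msig))
	fmt.Println("Alice's HI, own key: ", AuthenticatePeer(aliceHIT, alice.HI(), nonce, msig))
}
```

The two failing cases in main are the point of the slide: Mallory can copy Alice's HIT (like copying a MAC or IP address) but then her HI does not hash to it, and she can copy Alice's public HI but then cannot produce the signature. The security association that follows a successful check is keyed to the HIT, which is why the deck can call identity-based associations "OK" while calling IP and MAC addresses vulnerable.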
SMA Big Picture (diagram)
Elements shown: Internet Plane, Intranet Plane (Subnet A, Subnet B) and SCADAnet Plane / Overlay Network; VPN; HTTP proxy; AP middleboxes; HIP middlebox (HIP MB); Cellular (Cell Subnet); WiMAX (WiMAX Subnet).

Boeing 2007 SMA/HIP Implementation (diagram)
Elements shown: Boeing Intranet with APs, WiFi switches and a router; AAA server; Boeing PKI; message brokers (Msg Brkr); Directory; TempCert RA; DNS (namespace: mobile.tl.boeing.com); LPDD; Location Server; robots and a robot controller; SMAx; SMA mobiles (smamobiles) carrying VOIP over HIP security associations (HIP SA); cellular and Internet access.
Tunnels + AP Middlebox
• AP middlebox
• HIP names/identifiers
• Security associations
• HIP-enabled communications
• Rendezvous server

802.11 Possibilities
• Do nothing
• Concede an 802.1 P2P enhancement
• 802.11 SG on P2P
• 802.11 enhancements
• 802.11 SG on NG security
• 11u addresses P2P in its amendment
• 11u addresses VoWLAN in E911
• Combination of 802.1 and 802.11