
Secure and Flexible Support for Visitors in Enterprise Wi-Fi Networks


Presentation Transcript


  1. Secure and Flexible Support for Visitors in Enterprise Wi-Fi Networks José Carlos Brustoloni Dept. Computer Science, University of Pittsburgh 210 S. Bouquet St. #6111, Pittsburgh, PA 15260 – USA Email: jcb@cs.pitt.edu Joint work with Haidong Xia

  2. Motivation
  Will Wi-Fi enable ubiquitous Internet access?
  • Cheap
  • Adapters built into most notebook computers and PDAs
  • Access points being deployed everywhere
  • Most access points meant for use only by members of the owning organization (use by others is trespass, even if technically possible)
  • Commercial hotspots viable only in high-utilization areas
  Jose' Carlos Brustoloni

  3. Contribution: Secure Opportunistic Hotspots
  • Enable noncommercial Wi-Fi networks to provide:
    • to members of the owning organization: unrestricted connectivity
    • to invited or paying visitors: Internet access
    • for members, high security and similar performance
      • up-to-date enterprise Wi-Fi security protocols (WPA or 802.11i)
      • firewall blocks visitor access to the intranet
      • traffic control limits bandwidth used by visitors
    • for invited visitors, improved collaboration and productivity
    • for paying visitors, opportunistic access without establishing an account with the owning organization
    • for the owning organization, amortized costs of members' and invited visitors' connectivity

  4. Challenges
  • How to block unauthorized visitor access?
    • Enterprise Wi-Fi security solutions (WPA, 802.11i) inadequate: would require reconfiguration of visitors' computers
    • Captive portals readily interoperate and are commonly used, but are vulnerable to session hijacking and freeloading attacks
    • New defenses: session id checking and MAC sequence number tracking
  • How to bill paying visitors?
    • Subscriptions and pay-per-use accounts inadequate: limited coverage and uptime, no marketing, sales or support staff
    • Physical prepaid tokens may be impractical to sell (need an outlet and staff) or to buy (user needs to find and go to an outlet, which needs to be open)
    • New method: virtual prepaid tokens (VPTs)

  5. Supporting both WPA/802.11i (for members) and captive portals (for visitors)
  • Visitor authentication by captive portal
    • SSL-secured Web page that requests the visitor's username and password
    • prisonwall redirects Web requests of unauthorized visitors to the captive portal
    • captive portal authorizes the visitor's access by registering the visitor's IP and MAC addresses in the prisonwall
    • packets of authorized visitors are unencrypted, authenticated simply by address
  • By contrast, packets of members are encrypted and authenticated by a MAC (message authentication code)
  • How can the access point broadcast both to visitors and members (e.g., DHCP, ARP)?
  • Our solution:
    • keep track of the number of associated members and visitors
    • if both are present, broadcast packets twice, once encrypted and once unencrypted
    • low overhead

  6. Session hijacking attack
  • Hijacker snoops the victim's MAC and IP addresses and the access point's MAC address
  • Periodically sends to the victim 802.11 disassociation or deauthentication notifications purporting to come from the access point (causing denial of service)
  • Hijacker uses the victim's MAC and IP addresses to obtain unauthorized access

  7. Detecting and blocking session hijackings
  Session id checking:
  • Captive portal sends to the client a session management page with a cookie containing a cryptographically random session id
  • Session management page is SSL-secured and tagged with an http-equiv="refresh" directive
  • Client's browser periodically sends to the captive portal a request to refresh the session management page
  • Each request is accompanied by the cookie with the session id
  • Captive portal deauthorizes the MAC and IP addresses of a client whose refresh request and session id cookie were not received in the previous period
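The portal side of the scheme above, written as an added example rather than code from the paper's implementation: the prisonwall interface (authorize/deauthorize), the injectable clock, the 8 s period and the sample addresses are assumptions or constructed values.

```python
import secrets
import time

REFRESH_PERIOD = 8  # seconds; the slides report very little overhead at this rate

def session_page(period=REFRESH_PERIOD):
    """Session management page, served over SSL; the browser re-requests it every period."""
    return ('<html><head><meta http-equiv="refresh" content="%d"></head>'
            '<body>Wi-Fi session active</body></html>' % period)

class CaptivePortal:
    """Portal-side session id checking.  `prisonwall` (assumed interface) has
    authorize()/deauthorize(); `clock` is injectable so the timeout logic can be
    tested without sleeping."""

    def __init__(self, prisonwall, period=REFRESH_PERIOD, clock=time.monotonic):
        self.prisonwall, self.period, self.clock = prisonwall, period, clock
        self.sessions = {}  # sid -> {"mac", "ip", "last_seen"}

    def login(self, mac, ip):
        """After the SSL login succeeds: mint a random id (sent as a Secure cookie)
        and open the prisonwall for the client's addresses."""
        sid = secrets.token_hex(16)  # 128-bit cryptographically random session id
        self.sessions[sid] = {"mac": mac, "ip": ip, "last_seen": self.clock()}
        self.prisonwall.authorize(mac, ip)
        return sid

    def refresh(self, sid, mac, ip):
        """Browser's periodic refresh; the id must exist and match the source addresses.
        A hijacker holding the victim's MAC/IP but no cookie cannot keep the session alive."""
        s = self.sessions.get(sid)
        if s is None or (s["mac"], s["ip"]) != (mac, ip):
            return False
        s["last_seen"] = self.clock()
        return True

    def sweep(self):
        """Run once per period: deauthorize clients that did not refresh in time."""
        now = self.clock()
        expired = [sid for sid, s in self.sessions.items()
                   if now - s["last_seen"] > self.period]
        for sid in expired:
            s = self.sessions.pop(sid)
            self.prisonwall.deauthorize(s["mac"], s["ip"])
        return len(expired)

class RecordingPrisonwall:
    """Stand-in for the AP's prisonwall: records which (MAC, IP) pairs are authorized."""
    def __init__(self): self.allowed = set()
    def authorize(self, mac, ip): self.allowed.add((mac, ip))
    def deauthorize(self, mac, ip): self.allowed.discard((mac, ip))
```

Because the id travels only inside the SSL-protected refresh, the hijacker of slide 6 sees the victim's addresses but never the cookie, and the victim's authorization lapses one period after the victim is knocked offline.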

  8. Freeloading attack
  • Victim continues to communicate (no denial of service)
  • If the victim does not have a personal firewall, the victim may respond to packets destined to the freeloader (e.g., TCP RST), disrupting the freeloader's communication
  • However, if the victim has a personal firewall, the victim does not respond to such packets
  • Both victim and freeloader get access: potential for collusion

  9. Detecting freeloading
  • Each 802.11 packet contains a 12-bit sequence number
    • Increments by one for each new packet sent; remains the same in case of MAC-layer fragmentation or retransmission
    • Implemented in the adapter's firmware; cannot be changed by the host
  • In case of freeloading, sequence numbers of packets using the same MAC and IP addresses form two (or more) trend lines

  10. Blocking freeloading
  MAC sequence number tracking:
  • Access point tracks the MAC sequence numbers of packets from each associated client
  • In case a MAC sequence number returns from a trend line to the previous trend line, the access point notifies the captive portal to deauthorize the client's MAC and IP addresses
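The trend-line rule of slides 9 and 10 as an added example (not the HostAP code described in the talk): a per-client tracker that tolerates retransmissions and the 12-bit wrap-around, lets a fresh line start (an adapter reset), and raises an alert only when frames return to the older line. The forward window and the sample frame log are constructed values.

```python
SEQ_MOD = 1 << 12    # 802.11 sequence numbers are 12 bits wide
FORWARD_WINDOW = 64  # assumed: how far ahead a frame may legitimately jump

def seq_distance(new, old):
    """Forward distance from old to new, modulo 2^12 (handles wrap-around)."""
    return (new - old) % SEQ_MOD

class SeqTracker:
    """Per-client MAC sequence number tracking as the AP would run it.

    Each (MAC, IP) pair remembers the last sequence number seen on up to two
    trend lines.  A frame continuing the newest line is normal; a frame far
    outside it starts a new line (e.g. an adapter reset); a frame that comes
    back to the OLDER line means two radios are sharing the same addresses."""

    def __init__(self, window=FORWARD_WINDOW):
        self.window = window
        self.lines = {}  # (mac, ip) -> [last_seq_older_line, last_seq_newest_line]

    def observe(self, mac, ip, seq):
        """Returns True when the frame indicates freeloading (client to be deauthorized)."""
        key = (mac, ip)
        lines = self.lines.setdefault(key, [])
        for i in range(len(lines) - 1, -1, -1):     # newest line first
            if seq_distance(seq, lines[i]) <= self.window:
                lines[i] = seq                      # retransmissions (distance 0) land here too
                if i != len(lines) - 1:             # returned to the previous trend line
                    del self.lines[key]             # portal deauthorizes; forget the state
                    return True
                return False
        lines.append(seq)                           # start a new trend line
        del lines[:-2]                              # keep only the two most recent lines
        return False

# Constructed frame log (mac, ip, seq): frames 0-4 are the victim's, 5-6 come from a
# freeloader using the same addresses with its own firmware counter, 7 is the victim again.
SAMPLE_FRAMES = [("00:11:22:33:44:55", "10.0.0.7", s)
                 for s in (100, 101, 101, 102, 103, 2000, 2001, 104)]

def first_alert(frames, window=FORWARD_WINDOW):
    """Index of the first frame flagged as freeloading, or None if the log is clean."""
    tracker = SeqTracker(window)
    for i, (mac, ip, seq) in enumerate(frames):
        if tracker.observe(mac, ip, seq):
            return i
    return None
```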

  11. Virtual prepaid tokens (VPTs)
  • Like a physical prepaid token, but bought online, using a 3rd-party online payment server (OPS)
  • Much easier to:
    • sell: no need to provide a physical outlet or staff
    • buy: no need to find and go to an outlet; always open
  • Compared to aggregator accounts:
    • for the seller, OPS much cheaper than a Wi-Fi aggregator
      • PayPal (OPS): $0.30 + 2.9%
      • Boingo (aggregator): 25% or anything in excess of $1 per connect day
    • for the buyer, the OPS account can be used for many other purposes (auctions, e-commerce, both sending and receiving payments)

  12. VPT protocol
  (protocol diagram only)

  13. Experimental results
  • Access point with:
    • support for both members and visitors
    • prisonwall blocking visitor/intranet communication and supporting VPTs
    • traffic control
    • MAC sequence number tracking
    based on Linux + HostAP + 32 KB new code + 1 KB state for 50 visitors
  • Captive portal with:
    • session id checking
    • VPT support
  • Clients:
    • IBM, Dell, Sony notebook computers, Sharp Zaurus PDAs
    • Intel, Orinoco, Cisco, Linksys, Netgear, D-Link adapters
  • Verified:
    • AP and CP interoperation with all clients
    • simultaneous support for members and visitors

  14. Limiting the impact of visitors on network performance experienced by members
  (chart only)

  15. Overhead of session id checking – throughput
  (chart: very little overhead @ 8 s refresh; 4% @ 1 s refresh, 15 clients)

  16. Session id checking – CPU utilization
  (chart: for 1 s refresh, 5% @ 1 s, 15 clients)

  17. MAC sequence number tracking – throughput
  (chart only)

  18. Access latency for paying visitors (in the above experiment, OPS = PayPal)
  (chart only)

  19. Related work
  • SPINACH project (Stanford) first proposed captive portals
  • Aboba's characterization of access point virtualization techniques
    • Single SSID/beacon, single beacon (only for visitors), single BSSID vs.
    • Single SSID/beacon, multiple beacons, multiple BSSIDs (commercial hotspots)
  • Roaming agreements vs. direct payment to visited networks
    • Patel and Crowcroft
    • Peirce and O'Mahony: micropayments for prepaid roaming
    • Blaze et al.: TAPI micropayments (does not address freeloading)
  • Mann: US regulations for OPS user guarantees and liabilities
    • same as for credit card if the OPS account is funded only via credit card
  • P2PWNC: peer-to-peer architecture for ubiquitous access
    • does not deal with "trade imbalances"

  20. Other related work
  • Commercial hotspots
    • surprisingly tricky to find a viable business model
    • many failed: MobileStar, AirZone, HereUAre, Joltage, Comet
    • unlike SOHs (Secure Opportunistic Hotspots), do not tolerate low utilization or poor availability
  • Promotional hotspots
    • unlike SOHs, do not support members or paying visitors – all users are invited
  • Many informally open networks, community networks
    • suggest that visitors' impact on security and performance is tolerable to many owning organizations, and that many users are interested in using such networks
    • argue for the viability of SOHs
  • 3G wireless
  • Wi-Max

  21. Conclusions
  • Wi-Fi's potential for ubiquitous access not well supported by existing architectures
  • Secure Opportunistic Hotspots: enterprise and home Wi-Fi networks also provide Internet access to invited and paying visitors
  • Simple new scheme for simultaneously supporting members and visitors
    • interoperates well, low implementation cost, low overhead
    • limited visitor impact on members' performance, no impact on security
  • New defenses against unauthorized visitor access: session id checking and MAC sequence number tracking
    • effective, low implementation cost, low overhead
  • New billing method: virtual prepaid tokens
    • lower costs for the provider, more convenient for the occasional visitor
    • low access latency (< 15 sec)
  • SOHs could significantly benefit the availability of ubiquitous Internet access
