NETW 05A: APPLIED WIRELESS SECURITY Wireless VPN Technology

NETW 05A: APPLIED WIRELESS SECURITY Wireless VPN Technology. By Mohammad Shanehsaz, Spring 2005. Objectives: Virtual Private Networks; implement, configure, and manage the following VPN solutions in a wireless LAN environment: PPTP, IPSec, L2TP.


Presentation Transcript


  1. NETW 05A: APPLIED WIRELESS SECURITY Wireless VPN Technology By Mohammad Shanehsaz Spring 2005

  2. Objectives
  • Virtual Private Networks
  • Implement, configure, and manage the following VPN solutions in a wireless LAN environment:
    • PPTP
    • IPSec
    • L2TP
  • Explain the importance and benefits of session persistence in a wireless VPN environment
  • Describe the benefits of mobile VPN solutions

  3. Objectives
  • Explain the differences, strengths, and limitations of each of the following as a wireless VPN solution:
    • Routers
    • VPN Concentrators
    • Firewalls

  4. Objectives
  • Software solutions: implement software solutions for the following:
    • SSH2 Tunneling
    • Securing wireless thin clients
    • Port redirection
    • Transport Layer Security (TLS)

  5. Virtual Private Network
  • Provides a means for a computer and a network to communicate securely over public or unsecured network connections
  • A VPN uses both authentication and encryption to ensure that only authorized users access the network and read data, while data integrity is maintained through cryptographic checksums
  • A VPN typically employs a form of encapsulation where one protocol is carried inside another (tunneling)

  6. Wireless VPN
  • The use of VPN technology over a wireless medium
  • Allows mobile users to securely access a corporate network from remote locations (such as a wireless hot spot)

  7. VPN Process
  • A device that initiates a connection to a VPN server (VPN concentrator) is a VPN client
  • A VPN client can be an individual computer obtaining remote access or a router that obtains a peer-to-peer (router-to-router) VPN connection
  • The connection is referred to as a tunnel (encapsulating one protocol inside another)
  • During tunnel setup, the devices on each side of the tunnel agree on the details of authentication and encryption

  8. VPN Process
  • Passwords, smart cards, biometrics and other methods are commonly deployed for VPN authentication
  • Some standard tunneling protocols are:
    • PPTP (Point-to-Point Tunneling Protocol)
    • L2TP (Layer 2 Tunneling Protocol)
    • IPSec (Internet Protocol Security)

  9. Wireless VPN Considerations
  • Wireless VPNs do not always fulfill every security design requirement
  • For maximum security in a wireless VPN, both layer 2 and layer 3 of the OSI model should be secured
  • This level of security carries:
    • a high price tag
    • high administrative overhead
    • reduced throughput

  10. Wireless VPN Considerations
  • Advantages vs. Disadvantages (coming slides)
  • Security Issues (unintentional sharing of the VPN connection)
  • Administration (VPNs are administered remotely)
  • Scalability (solutions should grow with the organization without constant replacement and retraining)
  • Subnet Roaming (a Mobile IP VPN solution is needed to handle roaming, but it is complicated to configure and manage in a large environment)

  11. Wireless VPN Considerations
  • Role-based Access Control (assign privileges based on the user’s role in the network)
  • VLANs (since VPN servers are encrypting routers with authentication support, segmentation happens at layer 3 in the network and requires skilled, experienced IT professionals)

  12. Advantages of using Wireless VPNs
  • Very secure encryption is available
  • Connections are point-to-point
  • Well-established standards are readily available from many vendors
  • Many security administrators already understand VPN technology
  • Most VPN servers work with established authentication methods like RADIUS
  • Class-of-Service mechanisms like RBAC can be deployed
  • VPNs reduce broadcast domains in comparison with 802.1x/EAP solutions
  • Authentication can be performed through a web browser

  13. Disadvantages of Wireless VPNs
  • Expensive
  • Hot failover designs are very expensive
  • Advanced routing is difficult
  • Lack of interoperability between vendors
  • Lack of OS support across multiple platforms
  • Configuration of clients and servers and deployment can be difficult
  • High encryption/decryption overhead
  • VPN connections can be broken by roaming across layer 3 boundaries

  14. VPN Connection Types
  • Remote Access Connections - created when a client initiates a connection to a VPN server
  • Peer-to-Peer Connections - connect two private networks

  15. PPTP VPN protocol
  • Point-to-Point Tunneling Protocol supports multiple encapsulated protocols, authentication and encryption
  • It uses a client/server architecture
  • Microsoft developed it, so most of Microsoft’s desktop and server OSes support it natively
  • It is based on the Point-to-Point Protocol (PPP)
  • PPTP supports Microsoft Point-to-Point Encryption (MPPE) using the RC4 algorithm with a 128-bit key
  • PPTP support has been implemented in the Linux server software called POPTOP
  • The authentication methods used by PPTP are typically PAP, MS-CHAP or MS-CHAPv2

  16. How does PPTP work?
  • Starts by forming a tunnel between the client and server
  • Many protocols can be encapsulated inside IP for use with PPTP, but by far IP-in-IP is the most common
  • The client/server connection has an IP subnet, and the tunnel itself has a different subnet
  • DHCP can be used for both subnets, inside and outside the tunnel
  • The VPN server handles the tunnel IP address
  • The client connects with the server by dialing the server
  • The server then authenticates the user, establishes tunnel addresses and begins passing traffic

  17. L2TP VPN Protocol
  • Developed jointly by Cisco and Microsoft
  • L2TP is a combination of Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s PPTP
  • There are two distinct parts to the L2TP network:
    • The L2TP Access Concentrator (LAC), where the client’s physical connection terminates
    • The L2TP Network Server (LNS), the upstream endpoint that terminates the PPP session
  • Since it does not define any encryption standard, L2TP is often combined with IPSec for security

  18. Similarities between PPTP and L2TP
  • Both provide a logical transport mechanism to send PPP frames
  • Both provide tunneling and encapsulation so that PPP frames based on any protocol can be sent across an IP network
  • Both rely on the PPP connection process to perform user authentication, typically using:
    • a user name and password, and
    • protocol configuration

  19. Differences between PPTP and L2TP
  • With PPTP, data encryption begins after the PPP connection process is completed, so the user authentication process is not encrypted, while L2TP/IPSec user authentication is encrypted
  • PPTP uses MPPE encryption, which is RC4 with 40-, 56- or 128-bit encryption keys, whereas L2TP/IPSec uses DES (56-bit key) or 3DES (note: the Microsoft L2TP/IPSec VPN client only supports DES)
  • PPTP requires only user-level authentication, while L2TP/IPSec connections require two levels: to create the SAs (for protecting encapsulated data), the client must first perform a computer-level authentication with a certificate or pre-shared key, and then user-level authentication is performed

  20. Advantages of using L2TP
  • IPSec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality, where PPTP provides only per-packet data confidentiality
  • L2TP/IPSec requires stronger authentication (two-level authentication)
  • PPP frames exchanged during user-level authentication are encrypted

  21. IPSec/IKE
  • A collection of IETF standards specifying key management protocols and encrypted packet formats/protocols (RFCs 2401 to 241X)
  • Supports a wide variety of encryption algorithms (DES, 3DES, AES, RC4)
  • Supports a variety of data integrity mechanisms (128-bit MD5, 160-bit SHA-1)
  • The standards support pre-shared secrets and X.509 digital certificates for authenticating VPN peers
  • IPSec is a network layer VPN technology, independent of the applications that use it
  • IPSec encapsulates the original IP data packet with its own packet
  • The IPSec standards support IP unicast traffic only

  22. IPSec Security Features
  • Prevents eavesdropping by encrypting headers and data
  • Prevents data modification by including a checksum with each packet
  • Prevents forgery by keying the data and encrypting identities
  • Replay attacks are prevented by sequencing the packets
  • Mutual authentication and shared keys prevent man-in-the-middle attacks
  • The packet filtering features of IPSec prevent denial-of-service by blocking packets that do not come from a valid IP range

  23. IPSec protocols
  • There are two main protocols used with IPSec:
    • Authentication Header
    • Encapsulating Security Payload

  24. Authentication Header
  • Provides datagram authentication and integrity by applying a key (a secret key shared between the two systems) to create a one-way hash message digest
  • The AH function is applied to the entire datagram except for any mutable IP header fields that change in transit
  • The IP header and data payload are hashed for integrity
  • The hash is used to build a new header, which is appended to the original packet
  • After receiving the new packet, the peer router hashes the IP header and data payload and compares the result with the hash transmitted in the AH header
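The sender and receiver steps above, as an added example that is not part of the slides: the sender hashes the IP header (mutable fields zeroed) plus the payload under the shared key, inserts the result in an AH, and the receiver recomputes and compares. The key, SPI and addresses are constructed, and HMAC-SHA1-96 is assumed as the keyed one-way hash.

```python
import hashlib
import hmac
import socket
import struct

# Constructed for this example: the shared secret key and SPI the two peers agreed on.
KEY = b"example-shared-secret"
SPI = 0x1000
AH_ICV_LEN = 12            # HMAC-SHA1-96: 160-bit digest truncated to 96 bits
AH_LEN = 12 + AH_ICV_LEN   # next header, payload len, reserved, SPI, sequence + ICV
IPPROTO_AH = 51

def build_ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header; header checksum left as zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 1, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Fields that change in transit (TOS, flags/fragment offset, TTL, checksum) are hashed as zero."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def compute_icv(ip_hdr, ah_fixed, payload, key=KEY):
    """Keyed one-way hash over the immutable IP header, the AH with its ICV zeroed, and the payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(AH_ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:AH_ICV_LEN]

def ah_protect(src, dst, payload, seq, inner_proto=17, ttl=64):
    """Sender (transport mode): IP header with protocol 51 | AH | original payload."""
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_AH, 20 + AH_LEN + len(payload), ttl)
    ah_fixed = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, SPI, seq)
    return ip_hdr + ah_fixed + compute_icv(ip_hdr, ah_fixed, payload) + payload

def ah_verify(packet, key=KEY):
    """Receiver: recompute the hash over the received packet and compare it with the AH ICV."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    received_icv, payload = packet[32:32 + AH_ICV_LEN], packet[32 + AH_ICV_LEN:]
    return hmac.compare_digest(compute_icv(ip_hdr, ah_fixed, payload, key), received_icv)

if __name__ == "__main__":
    pkt = ah_protect("10.0.0.1", "10.0.0.2", b"hello", seq=1)
    hop = bytearray(pkt); hop[8] -= 1        # a router decremented TTL: still verifies
    bad = bytearray(pkt); bad[-1] ^= 0x01    # payload altered in transit: rejected
    print(ah_verify(pkt), ah_verify(bytes(hop)), ah_verify(bytes(bad)))
```

Zeroing the mutable fields is what lets the ICV survive routers that rewrite TTL and checksum, while any change to the payload, the addresses, or the AH itself fails verification.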

  25. Encapsulating Security Payload
  • Provides confidentiality (encryption at the IP layer), data origin authentication, integrity, an optional anti-replay service, and limited traffic-flow confidentiality
  • ESP provides confidentiality by encrypting at the IP layer (the original IP header is unencrypted)
  • It supports a variety of symmetric encryption algorithms, but for interoperability it uses 56-bit DES

  26. Modes of IPSec
  • Transport mode is used between end stations, or between an end station and a gateway if the gateway is being treated as a host (e.g. a telnet session to a router from a workstation); only the data portion of each packet gets encrypted
  • Tunnel mode is the most commonly used, between gateways or from an end station to a gateway; both the header and payload get encrypted
  • See figures 13.11 and 13.12 for a comparison of AH and ESP in transport and tunnel modes

  27. Choosing between AH or ESP
  • If you need to transfer data with integrity and don’t need confidentiality, use the AH protocol
  • If you need to transfer data with integrity and confidentiality, use the ESP protocol, because ESP will encrypt the upper-layer protocols in transport mode and the entire IP datagram in tunnel mode

  28. IPSec/IKE Remote Access
  • The IP connection uses a special encapsulation or header between the two end-points
  • Client configuration is done through client software (native or third party) and consists of setting authentication and encryption rules (also called a policy)

  29. Policies
  • Policy items may include most, if not all, of the following:
    • Whether to secure a single connection or all connections
    • Connection type and ID (such as a secure gateway tunnel and IP address)
    • Mode (Transport or Tunnel)
    • ID Type (Digital Certificate or Pre-Shared Key)
    • Negotiation Mode (Main or Aggressive)
    • Perfect Forward Secrecy (enabled/disabled)
    • PFS Key Group (Diffie-Hellman type)
    • Replay Detection (enabled/disabled)
    • Phase 1 proposal (encryption algorithm, hash algorithm, SA life, key group)
    • Phase 2 proposal (SA life, compression, ESP/AH)

  30. IPSec VPNs Pros
  • All IP types and services are supported
  • Failover without dropping sessions is available from multiple vendors
  • High performance is available
  • Dynamic re-keying, strong algorithms, and long key lengths make encryption very strong
  • The same technology base works in client-to-site, site-to-site, and client-to-client
  • Supports strong authentication technologies and directory integration

  31. IPSec VPNs Pros (continued)
  • The VPN server/gateway is typically co-resident, and therefore integrated, with firewall functions for access control, content screening, and other security controls
  • IPSec client solution manufacturers are starting to bundle personal firewall and other security functions (e.g. anti-virus and intrusion detection) with IPSec client products
  • Once a key exchange is complete, many connections can utilize the established tunnel

  32. IPSec VPNs Cons
  • Typically requires a client software installation; not all required client OSes may be supported
  • Connectivity can be adversely affected by firewalls between the client and gateway
  • Connectivity can be adversely affected by NAT or proxy devices between the client and gateway
  • Requires client configuration before the tunnel is established
  • Weak interoperability between IPSec clients and servers/gateways due to configuration issues
  • Once a client has a tunnel into an organization, it can be a target of hackers, unless mitigated by personal firewalls or access controls at the VPN gateway

  33. Advantages and Disadvantages of Using Digital Certificates for Authentication
  • Users no longer have to maintain a set of passwords for entities that need to be authenticated when using certificates
  • L2TP/IPSec connections still need passwords for user authentication (the entity authenticated using a certificate is a computer)
  • CAs issue certificates only to trusted entities
  • It is difficult to impersonate a certificate holder
  • The main disadvantage is that a PKI is needed to issue certificates to users

  34. Advantages and Disadvantages of Pre-Shared Key Authentication
  • The advantage is that it does not require a PKI
  • The disadvantages are:
    • A single key for all L2TP/IPSec connections in Windows 2000 Server and the Microsoft L2TP/IPSec VPN client
    • The key can be mistyped
    • The distribution method is difficult
    • The origin, history and valid lifetime of the key cannot be determined

  35. SSH2
  • IETF open standard
  • Provides a secure TCP/IP tunnel between two computers, with authentication
  • Encryption at the transport layer, while authentication is implemented within the application
  • Requires client and server software
  • Clients are authenticated using their public key, a username and password, or both methods
  • Uses a public key/private key encryption scheme
  • Uses Message Authentication Code (MAC) algorithms for data integrity (SSH1 uses a 32-bit CRC)

  36. SSH2 protocol
  • SSH2 provides three main capabilities:
    • Secure command shell
    • Secure file transfer
    • Port forwarding (uses IP port 22 to route encrypted traffic from client to server and vice versa)
      • Can be handled “locally” on the client computer (the client is preconfigured with redirected ports)
      • Can be handled “remotely” on the server
  • SSH2 mitigates the following attacks:
    • Eavesdropping
    • Man-in-the-middle attacks
    • Insertion and replay attacks

  37. Mobile IP
  • Specified in RFC 2002
  • It is combined with IPSec to provide security
  • Made up of two primary components:
    • Home Agent (HA): a server or router with a static IP address that serves as the VPN tunnel server
      • A client with (vendor-specific) Mobile IP software installed registers with the HA
      • When the client roams to a foreign network, it registers (notifies the HA of) its new address, the “care-of” address
    • Foreign Agent (FA): preconfigured with HA connectivity information, it acts as liaison between the client and the HA when there is no DHCP server

  38. Mobile IP Process
  • The mobile node roams onto a foreign network and requests an IP address from a DHCP server
  • If there is no DHCP, the client locates the FA through broadcasting
  • The FA registers the mobile node’s new care-of address with the HA
  • The HA accepts packets destined for the mobile node on its behalf
  • The HA redirects the packets to the mobile node by creating a new IP header with the care-of address as destination address
  • The FA unwraps the packet and forwards it to the destination
  • Whenever the mobile node moves, it registers a new care-of address with its HA

  39. Mobile IP security
  • The Mobile IP specification addresses only redirection attacks
  • All other security issues are left open, to be resolved by employing additional security layering
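The home agent side of the process on slide 38, together with the redirection-attack defence slide 39 refers to, as an added example that is not part of the slides: a care-of registration is accepted only if it carries a valid authenticator and is not a replay, after which packets for the mobile node are wrapped in a new IP header to the care-of address and unwrapped by the foreign agent. The key, addresses and the use of HMAC-MD5 in place of RFC 2002’s default keyed-MD5 construction are assumptions of this example.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4
# Constructed shared secret between mobile node and home agent (the mobile-home security association).
MN_HA_KEY = b"mobile-node-home-agent-secret"

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left as zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def registration_auth(mn_home, care_of, identification, key=MN_HA_KEY):
    """Authenticator over the registration fields (RFC 2002 defaults to keyed MD5; HMAC-MD5 here)."""
    return hmac.new(key, f"{mn_home}|{care_of}|{identification}".encode(), hashlib.md5).digest()

class HomeAgent:
    def __init__(self, address):
        self.address = address
        self.bindings = {}   # mobile node home address -> current care-of address
        self.last_id = {}    # highest identification accepted per node (replay check)

    def register(self, mn_home, care_of, identification, auth):
        """Bind a care-of address only if the request authenticates and is not replayed."""
        if not hmac.compare_digest(registration_auth(mn_home, care_of, identification), auth):
            return False     # unauthenticated redirection attempt: ignored
        if identification <= self.last_id.get(mn_home, 0):
            return False     # replayed or stale registration
        self.last_id[mn_home] = identification
        self.bindings[mn_home] = care_of
        return True

    def forward(self, packet):
        """Wrap a packet for a registered node in a new IP header to its care-of address."""
        care_of = self.bindings.get(socket.inet_ntoa(packet[16:20]))
        if care_of is None:
            return packet    # not a roaming node: deliver normally
        return ipv4_header(self.address, care_of, IPPROTO_IPIP, len(packet)) + packet

def fa_unwrap(packet):
    """Foreign agent: strip the outer header and forward the original packet to the node."""
    if packet[9] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet")
    return packet[20:]

if __name__ == "__main__":
    ha, mn, coa = HomeAgent("192.0.2.1"), "192.0.2.50", "198.51.100.7"
    print(ha.register(mn, coa, 1, registration_auth(mn, coa, 1)), ha.bindings)
```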

  40. Resources
  • CWSP Certified Wireless Security Professional, McGraw-Hill
