Securing Wireless LANs - Cisco

Page 1: Securing Wireless LANs - Cisco

© 2002, Cisco Systems, Inc. All rights reserved. 4515_03_2002_c1

Securing Wireless LANs
Oct 30th, 2002

Louis Senecal
[email protected]

Page 2

Agenda

• WLAN Overview
• Intro to WLAN Security
• Attack Scenarios
• Mitigation Strategies

Page 3

Benefits of Wireless

• Mobility within building or campus
  Lots of notebooks / handhelds
• Convenience (no cables)
• Flexibility (anytime, anywhere access)
  Challenging work environments
• Easier to set up temporary spaces
• Cost effective
  No cable infrastructure / trenching
  Moves / adds / changes
  Reduce / eliminate recurring network costs
• Investment protection
  Pick it up and move it out
• Productivity gains
  Rapid deployment

Page 4

Wireless Office

• Quickly emerging market
• New solutions being developed
• Ad hoc network may be the answer
• May want site survey for future growth
• All Cisco offices use WLANs as infrastructure overlay
• Wireless technology becoming pervasive
• Public hotspots

Page 5

NOP Study – Wireless LANs Increase Productivity

Based on a survey of 300+ U.S.-based organizations with more than 100 employees:

• End users stayed connected an average of 1¾ hours more per day to their corporate network
• Average daily time savings: 70 minutes
• Productivity: +22%

Source: NOP World-Technology, Sept. 2001

Page 6

Wireless LAN Technologies

                     802.11b      802.11a      802.11g
Frequency band       2.4 GHz      5 GHz        2.4 GHz
Availability         Worldwide    US/AP        Worldwide
Maximum data rate    11 Mbps      54 Mbps      54 Mbps

Page 7

Frequency Bands

Figure: the radio spectrum from extremely low, very low, low, medium, high, very high, ultra high and super high frequencies up through infrared, visible light, ultraviolet and X-rays, with audio, AM broadcast, short wave radio, FM broadcast, television, cellular (840 MHz), NPCS (1.9 GHz) and infrared wireless LAN marked on it. The WLAN bands called out:

• 900 MHz (26 MHz wide) – older devices
• 2.4 GHz Industrial, Scientific & Medical (ISM) band (83.5 MHz wide) – 11 channels (FCC), 3 non-overlapping – 802.11b / 802.11g
• 5 GHz Unlicensed National Information Infrastructure (U-NII) band – 8 non-overlapping channels – 802.11a

Page 8

IEEE 802.11 Standard Activities

• 802.11a—54 Mbps, 5 GHz, ratified in 1999
• 802.11b—11 Mbps, 2.4 GHz, ratified in 1999
• 802.11d—World wide roaming
• 802.11e—Quality of service
• 802.11f—Inter-Access Point Protocol (IAPP), to be ratified soon
• 802.11g—Higher data rate (54 Mbps), 2.4 GHz
• 802.11h—Dynamic frequency selection and transmit power control mechanisms
• 802.11i—Authentication and security

Page 9

Wireless LAN (WLAN) as an extension to wired LAN

Figure: a wired local area network (LAN) built from Cisco switches, with a server and an Internet uplink; a Cisco access point and a work group bridge extend it wirelessly, and a rogue access point ("Rogue Access Point ??") is also shown plugged into the wired side.

Page 10

Typical Multicell Configuration

Figure: two access points on a LAN backbone, each serving its own wireless cell of wireless clients; neighbouring cells run on different channels (channel 1 and channel 6).

Page 11

Association Process – Passive Scanning

Initial connection to an Access Point. Steps to association:

1. Client sends probe.
2. AP sends probe response (both Access Point A and Access Point B respond).
3. Client evaluates AP responses, selects best AP.
4. Client sends authentication request to selected AP (A).
5. AP A confirms authentication and registers client.
6. Client sends association request to selected AP (A).
7. AP A confirms association and registers client.

Page 12

Aironet 802.11b: Power and Range

Data rate        Radius @ 30 mW      Radius @ 100 mW
2 Mbps DSSS      200-275 feet        250-350 feet
5.5 Mbps DSSS    100-130 feet        130-150 feet
11 Mbps DSSS     80-100 feet         100-150 feet

Page 13

Channel Setup

Site Survey Channel Example

Figure: a floor plan of access-point cells assigned channels 1, 6 and 11 so that no two adjacent cells share a channel; the 1 / 6 / 11 pattern repeats across the floor.

Page 14

Site Survey Bandwidth Example

Multi-rate Implementation

Figure: concentric coverage rings around each access point: 11 Mbps closest to the AP, 5.5 Mbps further out, 2 Mbps at the edge of the cell.

Page 15

Things to Consider for Site Survey

• Floor plan
• Bandwidth required
• Dense or sparse user population
• Know your users: protocols, types of applications mainly being used
• Possibility to connect AP to wired network

Page 16

Aironet Ethernet In-Line Power

Ethernet in-line power sources:
• Catalyst 3524 power switch
• Catalyst 6000 power blade
• Catalyst 4000 power blade
• 48-port power patch panel
• Aironet power injector

(Figure: a powered and an unpowered Ethernet run into the access point.)

• Aironet 350 uses Ethernet in-line power ONLY
• Eliminates need for local power and AC infrastructure cost
• Draws in-line power from edge devices (-48 Volts)
• Catalyst power switches support device discovery mode

Page 17

Mixed Antenna Example

Maximum coverage, autorate negotiation. Wireless for students: dipole indoor, patch outdoor.

Figure: a school building with classes 1 to 4 and 8 to 11 along a hallway and a building courtyard (dimensions marked 1000' and 850'); indoor cells reuse channels 1, 6 and 11, and the courtyard is covered by outdoor patch antennas.

Page 18

Cisco Aironet 350 Series Wireless LAN Solution

• PC Card/PCI client adapters
• Access points
• Line-of-sight bridge products
• Antennas & accessories

The Cisco Aironet 350 Series of 802.11b compliant high speed wireless solutions offers the best performance, manageability, scalability and security for both in-building and building to building wireless applications.

Page 19

Cisco Aironet 350/340 Series Client Adapters

• Client access for both notebook and desktop systems
• Broad operating systems support: Windows 95, 98, Windows NT 4.0, Windows 2000, Windows Millennium, Windows CE, Linux, MacOS
• Easy, simple installation
• Lifetime limited warranty

Page 20

New AP1200 Dual-Band Access Point

• The Cisco Aironet 1200 Series Access Point delivers on enterprise requirements

Page 21

AP1200 Access Point

1. 2.4 GHz antenna connectors
2. DC input
3. Ethernet
4. Console port
5. Reserved
6. LEDs (Ethernet, Status, Radio)
7. Mounting plate

Also labelled: 2.4 GHz mini-PCI radio; 5 GHz PC-Cardbus module

Page 22

Investment Protection and Future Proofing

• Modular platform for single or dual band operation

• Field upgradeable radios

• Eight megabytes of storage and support for Cisco management tools

Page 23

Cisco Aironet 1100 Series

• Scalable: fully functional access point ideal for all enterprise deployments without expensive controllers
• Affordable: lowest priced upgradable Cisco Aironet access point protects customer investment
• Enterprise-class features: end-to-end intelligent networking extended to WLAN
• Secure: enterprise-class interoperable security for WLAN
• Easy-to-use: intuitive installation and set up for rapid deployment

FCS Friday Oct 18, 2002; GA approx. mid-Nov

Page 24

Wireless Antennas for Access Points

Antenna types shown: Rubber DiPole, Pillar Mount, Ground Plane, Patch Wall, Ceiling Mount, Ceiling Mount High Gain.

Columns: type, gain, ~indoor range at 1 Mbps, ~indoor range at 11 Mbps, cable length, beam width. The six rows of values as they appear in the transcript (which row belongs to which antenna above is not recoverable from the text):

• Type labelled "Directional", 5.2 dBi, 497', 142', 3' cable, 360° H / 75° V
• Omni, 5.2 dBi, 497', 142', 3' cable, 360° H / 75° V
• Directional, 8.5 dBi, 700', 200', 3' cable, 60° H / 55° V
• Omni, 2.2 dBi, 350', 100', 9' cable, 360° H / 75° V
• Omni, 5.2 dBi, 497', 142', 3' cable, 360° H / 75° V
• Omni, 2.15 dBi, 300', 100', cable N/A, 360° H / 75° V

Page 25

Agenda

• WLAN Overview
• Intro to WLAN Security
• Attack Scenarios
• Mitigation Strategies

Page 26

Toronto Insecure?? (Pearson to downtown cab ride yesterday)

50 APs out of 102 with WEP

Page 27

HAS Your Building Been Chalked?

War Driver’s Results

Page 28

(Some) WLAN Security Issues

• Default setups: work well, but are not secure
• Newness: confusion, lots of attacks and variants
• Policy: monitoring, updating and enforcement
• Safeguards: poorly architected/implemented
• New attacks: radio protocol attacks are nasty (ECM)
• RF propagation: extends network environment beyond the walls
• Rogue APs: impact security of wired network
• AP technology: many flawed implementations
• WEP: broken at any key length

Page 29

Intruder/Safeguard Cycle

Figure: a timeline from 1999 to "we are here today" showing the cycle: vulnerability discovery, crude tools appear, hackers exploit crude tools, automated scanning tools, widespread use, then intruders move to newer, more interesting exploits. Milestones marked: survey scripts (1999); RSA '01; Jul '01 (Kismet, Wellenreiter, Netstumbler, WEP Crack, Air Jack). Captions along the curve: basic safeguards inherent in technology; better safeguards appear; hackers continually optimize attacks; safeguards mature, attackers move on; legacy systems still vulnerable!

Page 30

Typical Security Environment

Figure: the corporate network (web servers, directory/database, app servers) serving employees, suppliers and customers over SSL, protected at the edge by "border guards" (perimeter security).

Page 31

Wireless Breaches The Perimeter

Figure: the same environment, now with a wireless attacker and a sniffer reaching the internal network directly over the air, bypassing the "border guards".

Page 32

Security With Antennas?

Dispelling Misinformation

Figure: textbook radiation patterns of the AP isotropic monopole antenna.

Page 33

Engineering Theory

Some ‘Experts’ say you can ‘place the antenna’ to get ‘better security’ and ‘control the perimeter’

Page 34

Reality

Indoor propagation in a typical crowded office building:
• Reflections
• Re-radiation
• Attenuation
• Un-intentional wave guide structures
• Not a 'perfect' environment

Figure: an access point and a WLAN station with an elevator or utility shaft between them acting as an unintended wave guide.

Page 35

Reality in Practice

There are limits to what you can achieve with directional antennas; site surveys are needed if the local physical environment requires it.

http://www.byte.com/documents/s=1422/byt20010926s0002/1001_marshall.html

Page 36

Add Some Antenna Gain

Typical 2.4 GHz WLAN AP has monopole antennas with 0 dBi gain.

A low profile patch antenna can provide 8 dBi gain at 2.4 GHz and costs about $65 US.

Page 37

Hacking with a Pringle Tube

~12 dB gain, +/- 5000 calorie Yagi antenna, $6.45

Page 38

Now Available

• SAFE: Wireless LAN Security in Depth
  Now available as of 12/31/01
  Shows what changes when WLAN is introduced into the SAFE Enterprise and SMB designs
  http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm

Page 39

SAFE Blueprint for Secure E-Business

Page 40

Agenda

• WLAN Overview
• Intro to WLAN Security
• Attack Scenarios
• Mitigation Strategies

Page 41

The Network Layers

Page 42

The Bottom Layers

• Manipulating the bottom 2 layers of the OSI model
  Data Link (Layer 2)
    Media Access Control (MAC) – access to medium
    Logical Link Control (LLC) – frame sync, flow control
  Physical (Layer 1)
    Radio bit stream
    Divided into channels

Page 43

The Bottom Layers

Page 44

Management Frames

• Management frames can control link characteristics and physical medium properties
• 802.11b management frames are NOT authenticated

Why is this bad? Maybe DoS

Page 45

WLAN-Jack

• Denial of Service – de-authentication
  Use MAC address of access point
  Send deauthenticate frames
  Send continuously
  Send to broadcast address or specific MAC
  Users are unable to reassociate with AP
• Air-Jack + WLAN-Jack

Page 46

WLAN-Jack

Page 47

Attack Scenarios – WLAN-Jack

Page 48

Attack Scenarios – WLAN-Jack

• Decode of Deauthentication Frame

Page 49

Attack Scenarios – WLAN-Jack

This is your connection

Page 50

Attack Scenarios – WLAN-Jack

This is your connection on WLAN-Jack.

Page 51

Past Security Methods

• SSID (Service Set Identifier): commonly used feature in wireless LANs which provides a rudimentary level of security
  Serves to logically segment the users and access points that form part of a wireless subsystem
  May be advertised or manually pre-configured at the station

Page 52

Network Stumbler or MiniStumbler (free!)

Page 53

Or Kismet (Also Free)

Page 54

SSID no Broadcast

Page 55

ESSID-Jack

• Is the ESSID a shared secret?
• If I mask the ESSID from the AP beacons, then unauthorized users will not be able to associate with my AP?
• Discover masked ESSID
  Send a deauthenticate frame to the broadcast address.
  Obtain ESSID contained in client probe request or AP probe response.

Page 56

ESSID-Jack

Page 57

ESSID-Jack

Page 58

Rogue Access Point

• Man in the Middle Attack

Page 59

Monkey-Jack

• MITM attack
  Taking over connections at layer 1 and 2
  Insert attack machine between victim and access point
• Management frames
  Deauthenticate victim from real AP
  Send deauthenticate frames to the victim using the access point's MAC address as the source

Page 60

Monkey-Jack

• Victim's 802.11 card scans channels to search for new AP
• Victim's 802.11 card associates with fake AP on the attack machine
  Fake AP is on a different channel than the real one
  Attack machine's fake AP is duplicating MAC address and ESSID of real AP

Page 61

Monkey-Jack

• Attack machine associates with real AP
  Attack machine duplicates MAC address of the victim's machine
• Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols

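The two attacks just described (the WLAN-Jack deauthentication flood on page 45 and the Monkey-Jack cloned AP on pages 59-61) both leave a signature in the management frames that a passive monitor can see. The following detector is an added example written for this edit, not code from the presentation or from Cisco; the frame records, MAC addresses, SSID and thresholds are constructed, and a real monitor would feed it frames from a capture tool such as Kismet.

```python
from collections import defaultdict
from dataclasses import dataclass

# Tunables for the deauth-flood check (constructed defaults, not Cisco values).
DEAUTH_THRESHOLD = 10      # deauth frames from one BSSID inside one window
WINDOW_SECONDS = 5.0
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    """One captured 802.11 management frame, reduced to the fields we need."""
    ts: float          # capture time in seconds
    subtype: str       # "beacon", "deauth", "probe_resp", ...
    bssid: str         # transmitter / BSSID address
    dst: str           # destination address
    channel: int       # channel the frame was heard on
    ssid: str = ""     # only meaningful for beacons / probe responses


def deauth_floods(frames, window=WINDOW_SECONDS, threshold=DEAUTH_THRESHOLD):
    """Return {bssid: peak count} for every BSSID that sent at least
    `threshold` deauthentication frames within any `window` seconds.
    A real AP deauthenticates clients rarely; a continuous stream is the
    WLAN-Jack signature."""
    per_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            per_bssid[f.bssid].append(f.ts)
    floods = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[bssid] = peak
    return floods


def multi_channel_bssids(frames):
    """Return {bssid: [channels]} for BSSIDs seen beaconing on more than one
    channel. A genuine AP beacons on a single channel, so a second channel
    carrying the same BSSID (and SSID) is the Monkey-Jack clone."""
    seen = defaultdict(set)
    for f in frames:
        if f.subtype == "beacon":
            seen[f.bssid].add(f.channel)
    return {b: sorted(c) for b, c in seen.items() if len(c) > 1}


def broadcast_deauth_sources(frames):
    """BSSIDs that sent a deauth to the broadcast address, i.e. to every
    associated client at once; worth an alert on its own."""
    return sorted({f.bssid for f in frames
                   if f.subtype == "deauth" and f.dst == BROADCAST})


# Constructed sample capture: the real AP beacons on channel 6, then a burst
# of broadcast deauths carrying its address appears, then the same BSSID/SSID
# starts beaconing on channel 11. One unrelated deauth is included as noise.
REAL_AP = "00:40:96:aa:bb:cc"
SAMPLE = [MgmtFrame(0.1 * i, "beacon", REAL_AP, BROADCAST, 6, "corp") for i in range(20)]
SAMPLE += [MgmtFrame(2.0 + 0.05 * i, "deauth", REAL_AP, BROADCAST, 6) for i in range(25)]
SAMPLE += [MgmtFrame(3.0 + 0.1 * i, "beacon", REAL_AP, BROADCAST, 11, "corp") for i in range(10)]
SAMPLE += [MgmtFrame(3.5, "deauth", "00:40:96:11:22:33", "00:02:2d:44:55:66", 1)]

if __name__ == "__main__":
    print("deauth floods:", deauth_floods(SAMPLE))
    print("BSSIDs on several channels:", multi_channel_bssids(SAMPLE))
    print("broadcast deauth sources:", broadcast_deauth_sources(SAMPLE))
```

Because the deauth frames spoof the real AP's address, the monitor cannot tell attacker from AP by address alone; rate and the broadcast destination are what give the attack away.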
Page 62

Monkey-Jack

• Before Monkey-Jack

Page 63

Monkey-Jack

• After Monkey-Jack

Page 64

Monkey-Jack

Page 65

Open Authentication With 802.11

Client → AP: Authentication request (Open Authentication)
AP → Client: Authentication response

Open or Shared needs to be set up identically on both the Access Point and Client.

Page 66

Shared Key - WEP/RC4 in 802.11

Page 67

Shared-key Authentication With 802.11

Client → AP: Authentication request (Shared-Key Authentication)
AP → Client: Challenge text packet
Client → AP: Encrypted challenge text packet
AP → Client: Authentication response

Open or Shared needs to be set up identically on both the Access Point and Client.

Page 68

802.11 Security Issues

• Authentication is one-way

• No way to dynamically generate keys

• No integration with existing network authentication methods on LAN

• Authentication is device-based

• No method for account auditing

• Keys are static

Page 69

Improved Attacks on RC4 (WEP)

"In order to carry out the attack, the cryptanalyst needs the first output word of a large number of RC4 streams along with the IV that was used to generate each one of them."

"Since in WEP, the IVs are transmitted in the clear, and the first message word in most packets is a known constant, these requirements are satisfied. Optimizations of the attack have led to deduction of a 128 bit RC4 key in 15 minutes from an actual network."

RSA Laboratories, Volume 5, No. 2, Summer / Fall 2002

Page 70

AirSnort, WEPCrack and the others

Page 71

UC Berkeley Study

• Bit flipping: bits are flipped in WEP encrypted frames, and the ICV (CRC32) is recalculated
• Replay: bit-flipped frames with known IVs are resent
  AP accepts frame since CRC32 is correct
  Layer 3 device will reject, and send predictable response
  Response database built and used to derive key

Page 72

UC Berkeley Study

Figure: a frame whose plaintext is predicted ("Cisco 1234") is XORed with the WEP stream cipher to give the ciphertext ("XXYYZZ"); XORing that ciphertext with the guessed plaintext yields the stream cipher.

PlainText data is XORed with the WEP stream cipher to produce the encrypted CipherText.

If CipherText is XORed with guessed PlainText, the stream cipher can be derived.

Page 73

UC Berkeley Study

1. Bit-flipped frame sent.
2. Frame passes ICV, forwarded to destination MAC.
3. Upper layer protocol fails CRC, sends predictable error message to source MAC.
4. AP WEP encrypts response and forwards to source MAC.
5. Attacker anticipates response from upper layer device and attempts to derive key.

Page 74

Agenda

• WLAN Overview
• Intro to WLAN Security
• Attack Scenarios
• Mitigation Strategies

Page 75

WEP Mitigation: Temporal Key Integrity Protocol (TKIP)

• Base key and IV hashed

Transmit WEP Key changes as IV changes

• Key hashing is still pre-standards, awaiting 802.11i ratification

Page 76

WEP and TKIP Implementations

• WEP today uses an IV and base key; this includes weak IVs which can be compromised
• TKIP uses the IV and base key to hash a new key—thus a new key every packet; weak keys are mitigated

Figure, WEP encryption today: IV + base key → RC4 → stream cipher; stream cipher XOR plaintext data → ciphertext data.

Figure, TKIP: IV + base key → hash → packet key; IV + packet key → RC4 → stream cipher; stream cipher XOR plaintext data → ciphertext data.

Page 77

WECA (Wireless Ethernet Compatibility Alliance) Security Improvements

• Will develop a new test plan that will require TKIP as part of certification

• This will include 128 bit encryption

• Products certified prior to new plan will not need to be re-tested (and do not need to include TKIP)

Page 78

UC Berkeley Study Mitigation: Message Integrity Check (MIC)

• The MIC will protect WEP frames from being tampered with

• The MIC is based on seed value, destination MAC, source MAC, and payload

Any change to these will change MIC value

• The MIC is included in the WEP encrypted payload

Page 79

Message Integrity Check

• MIC uses a hashing algorithm to stamp frame
• The MIC is still pre-standards, awaiting 802.11i ratification

WEP frame—no MIC:  DA | SA | IV | Data | ICV                  (Data through ICV are WEP encrypted)
WEP frame—MIC:     DA | SA | IV | Data | SEQ | MIC | ICV      (Data through ICV are WEP encrypted)

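Pages 71-73 (keystream recovery and bit flipping), 76 (per-packet keys) and 78-79 (the MIC) all come down to properties of RC4 and CRC32 that can be shown in a few dozen lines. The block below is an added example written for this edit, not code from the presentation or from Cisco: it builds a minimal WEP frame (24-bit IV, RC4 keyed with IV || base key, CRC32 ICV), recovers the keystream from a frame with predictable plaintext and uses it to read a second frame sent under the same IV, shows that the unkeyed ICV can be patched after flipping bits, and then shows the two mitigations the slides describe. SHA-256 stands in for TKIP's key-mixing function and HMAC-SHA256 for the slides' unnamed MIC algorithm (both assumptions, since neither is specified on the slides); every key, IV and frame is constructed.

```python
import hashlib
import hmac
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (KSA then PRGA); WEP keys it with IV || base key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: an unkeyed CRC32."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(base_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV in the clear || RC4_{IV||key}(data || ICV)."""
    body = data + icv(data)
    return iv + xor(body, rc4(iv + base_key, len(body)))


def wep_decrypt(base_key: bytes, frame: bytes):
    """Return (data, icv_ok) exactly as an AP would check it."""
    iv, enc = frame[:3], frame[3:]
    body = xor(enc, rc4(iv + base_key, len(enc)))
    return body[:-4], body[-4:] == icv(body[:-4])


def keystream_from_known_plaintext(frame: bytes, known_plain: bytes) -> bytes:
    """Page 72: ciphertext XOR guessed plaintext = stream cipher, no key needed."""
    return xor(frame[3:], known_plain)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV falls to the recovered keystream."""
    return xor(frame[3:], keystream)


def flip_bits_keep_icv(frame: bytes, delta: bytes) -> bytes:
    """Page 71: CRC32(a XOR d) == CRC32(a) XOR CRC32(d) XOR CRC32(zeros), so the
    encrypted ICV can be patched to match flipped data without knowing the key."""
    iv, enc = frame[:3], frame[3:]
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(enc[:-4], delta) + xor(enc[-4:], icv_delta)


def per_packet_key(base_key: bytes, iv: bytes) -> bytes:
    """Page 76, TKIP idea: hash IV and base key into a fresh RC4 key per packet.
    SHA-256 stands in for the TKIP mixing function (assumption)."""
    return hashlib.sha256(base_key + iv).digest()[:13]


def mic(mic_key: bytes, da: bytes, sa: bytes, payload: bytes) -> bytes:
    """Pages 78-79: keyed check over DA, SA and payload. HMAC-SHA256 stands in
    for the slides' unnamed MIC algorithm (assumption)."""
    return hmac.new(mic_key, da + sa + payload, hashlib.sha256).digest()[:8]


def demo() -> dict:
    key, iv, iv2 = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01", b"\x00\x00\x02"
    p1 = b"GET / HTTP/1.0\r\n"      # plaintext an attacker can predict (16 bytes)
    p2 = b"PASS hunter22\r\n"       # a different frame reusing the same IV (16 bytes)
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    reused = decrypt_with_keystream(c2, keystream_from_known_plaintext(c1, p1))
    # Flip 'G' -> 'P' in the first byte of c1 without the key; the ICV still verifies.
    delta = bytes([ord("G") ^ ord("P")]) + bytes(len(p1) - 1)
    forged_plain, forged_icv_ok = wep_decrypt(key, flip_bits_keep_icv(c1, delta))
    # A keyed MIC computed over the original payload does not match the forged one.
    da, sa, mkey = b"\xaa" * 6, b"\xbb" * 6, b"constructed-mic-key"
    forged_mic_ok = hmac.compare_digest(mic(mkey, da, sa, p1), mic(mkey, da, sa, forged_plain))
    # With per-packet keys, consecutive IVs give unrelated keystreams.
    ks_a = rc4(iv + per_packet_key(key, iv), 20)
    ks_b = rc4(iv2 + per_packet_key(key, iv2), 20)
    return {"reused_plaintext": reused[:len(p2)], "forged_plain": forged_plain,
            "forged_icv_ok": forged_icv_ok, "forged_mic_ok": forged_mic_ok,
            "tkip_keystreams_differ": ks_a != ks_b}
```

The ICV check passing on the forged frame while the keyed MIC fails is the whole argument of pages 78-79: an integrity check that does not depend on a secret cannot stop a modification that the attacker can predict.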
Page 80

WEP & Rogue Access Point: Cisco LEAP Overview

• Provides centralized, scalable, user-based authentication
• Algorithm requires mutual authentication: network authenticates client, client authenticates network
• Uses 802.1X for 802.11 authentication messaging; APs will support WinXP's EAP-TLS also
• Dynamic WEP key support with WEP key session timeouts

Page 81

802.1X

Page 82

Solution: 802.1X over Wireless

• 802.1X is IEEE draft standard for port-based network access control
• Leverages existing standards
  Extensible Authentication Protocol (EAP)
  RADIUS
• 802.1X for 802.11 overcomes limitations of 802.11 security
  Mutual authentication
  Dynamic, session-based encryption keys
  Centralized user administration
  Extensible authentication support

Figure: client – AP – RADIUS server – user database. EAP runs between the client and the AP, RADIUS between the AP and the RADIUS server, and the numbered exchange (steps 1 to 4) is shown on both legs.

Page 83

802.1X for 802.11 Authentication Types

• Authentication type operates over 802.1X for 802.11 (EAP and RADIUS)
  Enables client and authentication server to:
    Do mutual authentication
    Derive session-based encryption key
• Available authentication types
  EAP-Cisco Wireless (LEAP): uses password as shared secret
  EAP-TLS: uses certificates

Page 84

Availability

• Cisco Aironet access points support 802.1X and EAP
  AP can act as 802.1X "middleman" when wireless client and authentication (RADIUS) server support authentication type
• Cisco introduced LEAP in December 2000
  Is supported by Cisco Aironet client adapters on wide range of client operating systems (Windows, CE, Mac OS, Linux)
  Is supported by Cisco Secure ACS RADIUS server
  Will be supported by other RADIUS servers in 2001
• Microsoft supports EAP-TLS authentication type in Windows XP and Windows CE 4.0
  Cisco is first to fully support EAP-TLS with its client adapters and APs

Page 85

LEAP Authentication Process

Figure: client – AP – RADIUS server. Start; the AP requests identity; the client sends its identity, which is relayed to the RADIUS server; the RADIUS server authenticates the client; the client authenticates the RADIUS server; client and RADIUS server each derive the key; the key length is signalled; the AP sends the client the broadcast key, encrypted with the session key. The AP blocks all requests until authentication completes.

Page 86

How LEAP Challenges and Responses Work

Figure (server side): the server creates a challenge and sends it to the client. Taking the password from the database, it computes a one-way hash (the password hash) and runs the LEAP algorithm over the challenge and the password hash to produce response A.

Using password from database, generate response to own challenge.

Page 87

How LEAP Challenges and Responses Work

Figure (client side): the client takes the user-supplied password, computes the one-way hash (the password hash) and runs the LEAP algorithm over the received challenge and the password hash to produce response B, which it sends back.

Using user-supplied password, generate response to challenge.

If response A = response B, then authenticate user. Why?

Page 88

Comparing Responses

Figure: response A (password from database → one-way hash → password hash → LEAP algorithm with the challenge) is compared against response B (user-supplied password → one-way hash → password hash → LEAP algorithm with the same challenge).

If response A = response B, then user-supplied password = password from database.

Page 89

Deriving the Session Key

MD5 over:
• hash (hash (password))
• client challenge to RADIUS
• RADIUS challenge to client
• RADIUS response to client
• client response to RADIUS

→ 128-bit key

Page 90

WEP Keys

• WEP key is calculated by the RADIUS server, only after the authentication is completed
• The key is passed to the access point for THAT single authenticated client. This is a session key
• Client calculates the same WEP key
• Key is never transmitted over RF

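Pages 86-90 can be run end to end as a small protocol: each side proves it holds the password hash by answering the other's challenge, and both then derive the same 128-bit session key from the two challenges and two responses, so the key itself never crosses the air. This is an added example written for this edit, not Cisco's LEAP implementation. The slides name the pieces but not the functions, so MD5 stands in for the "one-way hash", HMAC-MD5 over the challenge keyed with the password hash stands in for the "LEAP algorithm", and the concatenation order inside the MD5 on page 89 is assumed to be the order the slide lists; usernames, passwords and challenges are constructed.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """The slides' 'one-way hash' of the password; MD5 stands in here (assumption)."""
    return hashlib.md5(password.encode("utf-8")).digest()


def leap_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the slides' 'LEAP algorithm': a response only a holder of the
    password hash can produce (assumption: HMAC-MD5 keyed with the hash)."""
    return hmac.new(pw_hash, challenge, hashlib.md5).digest()


def session_key(pw_hash: bytes, client_chal: bytes, radius_chal: bytes,
                radius_resp: bytes, client_resp: bytes) -> bytes:
    """Page 89: MD5 over hash(hash(password)), client challenge, RADIUS challenge,
    RADIUS response and client response -> 128-bit key (order assumed)."""
    h = hashlib.md5(hashlib.md5(pw_hash).digest())
    for part in (client_chal, radius_chal, radius_resp, client_resp):
        h.update(part)
    return h.digest()


class RadiusServer:
    """Holds password hashes only ('password from database' on pages 86-88)."""

    def __init__(self, user_db: dict):
        self.db = user_db                         # username -> password hash

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def check_client(self, username: str, challenge: bytes, response_b: bytes) -> bool:
        """Response A (computed from the database) must equal response B."""
        pw_hash = self.db.get(username)
        if pw_hash is None:
            return False
        return hmac.compare_digest(leap_response(pw_hash, challenge), response_b)

    def answer_client(self, username: str, client_chal: bytes) -> bytes:
        """The server must answer the client's challenge too: mutual authentication."""
        return leap_response(self.db[username], client_chal)


class RogueServer(RadiusServer):
    """A fake AP/RADIUS that accepts anyone but does not know the real password."""

    def check_client(self, username, challenge, response_b):
        return True


def run_leap(server: RadiusServer, username: str, password: str):
    """Run the exchange from the client's side.
    Returns (authenticated, client_key, server_key); keys are None on failure."""
    client_hash = password_hash(password)                   # never leaves the client
    radius_chal = server.new_challenge()                    # RADIUS -> client
    client_resp = leap_response(client_hash, radius_chal)   # client -> RADIUS
    if not server.check_client(username, radius_chal, client_resp):
        return False, None, None                            # AP keeps the port blocked
    client_chal = os.urandom(8)                             # client -> RADIUS
    radius_resp = server.answer_client(username, client_chal)   # RADIUS -> client
    if not hmac.compare_digest(leap_response(client_hash, client_chal), radius_resp):
        return False, None, None                            # network failed to prove itself
    # Both ends derive the WEP session key independently; it is never sent.
    client_key = session_key(client_hash, client_chal, radius_chal, radius_resp, client_resp)
    server_key = session_key(server.db[username], client_chal, radius_chal, radius_resp, client_resp)
    return True, client_key, server_key
```

The RogueServer case is the point of page 80's "client authenticates network": a fake AP that waves the client through still cannot answer the client's challenge, so no session key is ever derived with it.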
Page 91

Advantages of 802.1X for 802.11

• Open, extensible and standards based
  Enables interoperable user identification, centralized authentication, key management
  Leverages existing standards: EAP (Extensible Authentication Protocol), RADIUS
  Compatible with existing roaming technologies, enabling use in hotels and public places
• User-based identification
• Dynamic key management
• Centralized user administration
  Support for RADIUS (RFC 2138, 2139) enables centralized authentication, authorization and accounting
  RADIUS/EAP (draft-ietf-radius-ext-07.txt) enables encapsulation of EAP packets within RADIUS

Page 92

Deploying LEAP

Clients
• Cisco Aironet adapters
  Turn on LEAP in ACU
  Windows: use Windows Networking logon to supply username/password
  Others: use ACU window to supply username/password
• Others: no support for LEAP
  Use static WEP
  On Windows XP, use EAP-TLS
  One AP can support LEAP, EAP-TLS, and static WEP

RADIUS servers
• Cisco Secure ACS
  Supports LEAP
  Needs access to an NT-formatted database or ODBC connection to NT Domain Controller or Active Directory
  With LEAP proxy in V3.0, can interact with database manager that supports MS-CHAP*
• Others: Cisco is working with Funk Software, Interlink Networks, Open Systems Consultants

* LDAP and NDS do not support MS-CHAP

Page 93

Managing Your Secure 802.11 Network

• Static WEP keys are not only insecure, but difficult to manage and scale
• Cisco EAP (LEAP) utilizes RADIUS servers, and a single database to manage users' credentials
• Cisco APs support management via SNMP, WEB (with secure User Manager settings), CiscoWorks 2000, and Wavelink

Page 94

Wireless Access VPN

3000 Concentrator Series

Page 95

Wireless Access VPNs

Figure: wireless clients at a SOHO site (Cisco Aironet using WEP/128 bit; a Cisco 3000 VPN Client with an Aironet 802.11b PCMCIA card; a Certicom Palm OS IPSec VPN client, movianVPN™, an AVVID partner) connect across the Internet to a VPN 3000 concentrator in front of the corporate network.

Page 96

Attack Mitigation Roles for Standard VPN WLAN Design

Wireless computer with VPN client:
• Authenticate remote VPN gateway
• Terminate IPSec
• Personal firewall for local attack mitigation

Access point:
• Protocol filter to discard non-IPSEC traffic

VPN concentrator:
• Authenticate remote users
• Terminate IPsec

DHCP/RADIUS/OTP servers:
• Two-factor authentication

Also shown in the design: RFC 2827 filtering, inter-subnet filtering

Page 97

AP Radio Protocol Filter (Inbound/Outbound)

Protocol Type    Protocol    Value     Disposition
Ethertype        ARP         0x0800    Forward
Ethertype        IP          0x0806    Forward
IP Protocol      UDP         17        Forward
IP Protocol      ESP         50        Forward
IP Port          BootPC      68        Forward
IP Port          DNS         53        Forward
IP Port          IKE         500       Forward

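The filter on page 97 is an allow list: a client on the radio side gets exactly what it needs to obtain an address, resolve the VPN gateway and bring up IPsec (ARP, DHCP, DNS, IKE and the ESP tunnel itself), and everything else, including any clear-text application traffic, is discarded at the AP. The function below is an added example written for this edit, not the AP's own filter code; it uses the standard EtherType values (IP 0x0800, ARP 0x0806), and the traffic records are constructed rather than captured.

```python
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
UDP_DNS, UDP_BOOTPC, UDP_IKE = 53, 68, 500
FORWARD_UDP_PORTS = {UDP_BOOTPC, UDP_DNS, UDP_IKE}
# DHCP clients send from port 68 to server port 67 and get replies back on 68,
# so matching either end of the datagram against 68 passes both directions.
# (IPsec NAT traversal would additionally need UDP 4500, not listed on the slide.)


@dataclass
class Frame:
    """A frame on the AP radio interface, reduced to what the filter inspects."""
    ethertype: int
    ip_proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def disposition(frame: Frame) -> str:
    """Return 'forward' or 'discard' according to the page-97 allow list."""
    if frame.ethertype == ETHERTYPE_ARP:
        return "forward"                          # address resolution
    if frame.ethertype != ETHERTYPE_IP:
        return "discard"                          # anything that is not IP
    if frame.ip_proto == IPPROTO_ESP:
        return "forward"                          # the IPsec tunnel itself
    if frame.ip_proto == IPPROTO_UDP and FORWARD_UDP_PORTS & {frame.src_port, frame.dst_port}:
        return "forward"                          # DHCP, DNS, IKE
    return "discard"                              # everything else, clear-text TCP included


def apply_filter(traffic) -> dict:
    """Label each (name, frame) pair with the filter's decision."""
    return {name: disposition(frame) for name, frame in traffic}


# Constructed traffic mix a VPN WLAN client might generate before and after
# its tunnel comes up, plus some clear-text traffic the design must stop.
CONSTRUCTED_TRAFFIC = [
    ("ARP who-has gateway",        Frame(ETHERTYPE_ARP)),
    ("DHCP discover",              Frame(ETHERTYPE_IP, IPPROTO_UDP, 68, 67)),
    ("DHCP offer",                 Frame(ETHERTYPE_IP, IPPROTO_UDP, 67, 68)),
    ("DNS query for VPN gateway",  Frame(ETHERTYPE_IP, IPPROTO_UDP, 1025, 53)),
    ("IKE main mode",              Frame(ETHERTYPE_IP, IPPROTO_UDP, 500, 500)),
    ("ESP tunnel packet",          Frame(ETHERTYPE_IP, IPPROTO_ESP)),
    ("clear-text HTTP",            Frame(ETHERTYPE_IP, IPPROTO_TCP, 1026, 80)),
    ("clear-text SMB",             Frame(ETHERTYPE_IP, IPPROTO_TCP, 1027, 445)),
    ("NetBIOS name service",       Frame(ETHERTYPE_IP, IPPROTO_UDP, 137, 137)),
    ("IPX frame",                  Frame(0x8137)),
]

if __name__ == "__main__":
    for name, verdict in apply_filter(CONSTRUCTED_TRAFFIC).items():
        print(f"{name:30} {verdict}")
```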
Page 98

Cisco AP Allows for Filtering

Page 99

Cisco Advantages: GoC Environment

"Cisco VPN Client/Gateway technology is 'Best in Class' for WLAN Applications"

John Pavelich, Senior Consultant, Entrust

✓ Strong encryption, true IPSec VPN
✓ Auto-initiate VPN tunnel for WLAN connections
✓ Force 'Disable Split Tunneling'
✓ Stateful inspection firewall client
✓ Strong, certificate based authentication
✓ Security hardware and software from a 'mature' vendor

Page 100

Cisco VPN Gateway Forces a Client Policy

Page 101

Auto Initiation of VPN in a Wireless Environment (New VPN 3.6)

• The Cisco VPN Client can be configured to automatically initiate a VPN based on the network that the user's machine is connected to (that is, based on a user’s assigned address). This feature is called Auto Initiation for on-site Wireless LANs (WLANs).

• The auto initiation feature was designed to make the user experience more like a traditional wired network in those environments in which VPNs are being used to secure WLANs. These environments are also known as on-site WLANs.

Page 102

Adopted Safe Wireless Architecture

• Addison Texas Office, HQ Kanata

• Access Point 350 and 1200

• Concentrator 3060

• VPN Using Digital Certificates

• Client PC used the Integrated Zone Alarm PF

• Filtering Protocol on the AP

Page 103

LEAP / IPSec & Static WEP Differentiation

Feature: LEAP | IPSec | Static WEP

Key length (bits): 128 | 168 | 128
Encryption algorithm: RC4 | 3DES | RC4
Packet integrity: CRC32/MIC | MD5-HMAC/SHA-HMAC | CRC32/MIC
Device authentication: None | Pre-shared secret or certificates | None
User authentication: Username/password | Username/password or OTP | None
User differentiation*: No | Yes | No
Transparent user experience: Yes | No | Yes
ACL requirements: None | Substantial | N/A
Additional hardware: Authentication server | Authentication server and VPN gateway | No
Per-user keying: Yes | Yes | No
Protocol support: Any | IP unicast | Any
Client support: PCs and high-end PDAs, wide range of OSs supported from Cisco | PCs and high-end PDAs, wide range of OSs supported from Cisco and 3rd-party vendors | All clients supported
Open standard: No | Yes | Yes
Time-based key rotation: Configurable | Configurable | No
Client hardware encryption: Yes | Available, software is most common method | Yes
Additional software: No | IPSec client | No
Per-flow QoS policy management: At access switch | After VPN gateway | At access switch

Page 104

Cisco VPN 3000 Concentrator Series

• Includes a standards based VPN client and management GUI
• Allows mobile workers and telecommuters broadband connectivity over Cable and DSL
• Uses RADIUS for authentication (Softoken)
• Split tunneling – corporate and Internet
• Implement behind the Internet access router and parallel to the PIX Firewall

Page 105

Cisco VPN 3000 Concentrator Series

Model                  3005    3015      3030      3060      3080
Simultaneous users     100     100       1500      5000      10,000
Performance (Mbps)     4       4         50        100       100
Encryption cards       0       0         1         2         4
Memory (MB)            64      128       128       256       256
Upgradable             No      Yes       Yes       Yes       n/a
Dual power supply      No      Optional  Optional  Optional  Yes
Redundancy             No      Yes       Yes       Yes       Yes
Site-to-site tunnels   100     100       500       1000      1000

Page 106

Platform Highlights: Models 3015, 3030, 3060, 3080

• Modular
• Expandable
• Redundant
• Hardware encryption
• Extensive instrumentation
• 2U form factor

Page 107

Cisco Remote Access VPN

Cisco VPN 3000 Concentrator Series

Cisco 3000 VPN Client

HTML-Based Management

Page 108

VPN Device Manager (VDM), HTML Based

NETWORK COMPUTING, 11/15/99: "..has a great overall management architecture with configuration options laid out in a logical tree structure, a hierarchical profile management and excellent troubleshooting tools."

Page 109

Wireless Best Practices

• Enable WEP key rotation when equipment supports it
• Change default SSID
• Disable broadcast of ESSID
• Change default AP password
• Block null ESSID connection
• Restrict access by MAC address
• Use VPN technology or dynamic WEP
• Use strong mutual authentication
• Monitor wireless network medium (air space) for suspicious activity

Page 110

For more information ...

• Home page: www.cisco.com/warp/public/cc/pd/witc/ao350ap/
• Technical documents (white papers, app notes, etc.): www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/index.htm
• Product catalog: http://www.cisco.com/univercd/cc/td/doc/pcat/ao350.htm
• Product support: www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:Cisco_Aironet_350

Page 111

Questions ??

Page 112