2
Who Cares?
� Wiring is significant:
� Cost
� Delay
� Workers are mobile
� Wireless last hop?
� Cell phone convergence?
3
OK, so I care – Now What?
Things you’ll want to know
� Myths & debunking
� The Equipment
� What’s new
4
Myth #1:
The insecurity myth
� Others can peek
� Or poke
� Things that can go wrong:
� Spoofing Identity
� TamperingSecurity Perimiter
5
Spoofing Identity:
OK to go in / let in
� Passphrase, handset OK
� Certificate check, AP OK
(Rouge AP)
6
Tampering with the Data:What didn’t work
�The failing of WEP Cracked in 2 minutes
�The Interim:� Make “As good as possible” w/ existing stuff
� Wi-Fi Alliance used Draft 3 of IEEE 802.11i
� WPA
� Has flaws
� Lightweight security, for things like PDAsRef = http://www.informit.com/articles/article.asp?p=369221&rl=1 http://www.windowsecurity.com/articles/80211i-WPA-RSN-Wi-Fi-
Security.html
Ref = http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
7
Tampering with the Data:What works (WPA2)
+ Strong encryption – AES (lock)
+ Secure encryption key delivery
8
Tampering with the Data:
What works better
� Add another layer
� End to End Security:
� Media - SRTP
� Signaling - TLS
� Works even if wireless link hacked
� Desk phone, for now
9
Myth Debunking:
Busting the insecurity myth (WPA2)
+ Known / trusted / understood methods
+ Can’t prove insecure
See www.cve.mitre.org
and nvd.nist.gov.
+ NOT risk free – but
100M+ users
Security Perimiter
10
Denial of Service:
The interference myth
� Interference does not mean loss of service!
� Strategies:
� Avoid
� Eliminate
� Overcome
11
Avoid:
The Easy Way
� Let AP find best channel
� May conflict with overlap
12
Eliminate:
The Hard Way
� Locate sources of interference
� Portable spectrum analyzer may help
� Can identify interference by “Signature”
� Once identified:
� Eliminate
� Shield
http://www.airmagnet.com/products/handheld_analyzer/
13
Overcome:
It takes thought
� Interference:
� Adds to
� Does not take away from
� Original signal is still there
� Multiple antennas are used to
look harder
14
Overcome:
How its done
� You can use more that two antennas
� Multiple antennas are directional
� Good for keeping signal on one
floor
� Issues:
� Unlicensed spectrum
� Must play with others
� Know what you are dealing with
15
Myth Debunking:Busting the interference myth
� Myth: “There's nothing I can do about interference”
� There's always a cure for interference, but you need to
know what's ailing you 20 Myths of Wi-Fi Interference Cisco whitepaperhttp://www.cisco.com/en/US/prod/collateral/wireless/ps9391/ps9393/ps9394/prod_white_paper0900aecd807395a9_ns736_Networki
ng_Solutions_White_Paper.html
16
How to make it work:
Compliant withCompliant with
17
The Edge:
QoS / VLAN
� Separate Voice and Data
� Separation via Service Set IDs
(SSID):
� Assign QoS
� Tie to VLAN
18
The Edge:
Encrypt
� WPA2 (AES) actually works on a handheld phone
� Some, older, phones may not support WPA2
19
The Edge:
Policy - Only approved devices!
� Define make & model
� Configuration and settingshttp://www.symantec.com/avcenter/reference/symantec.wlan.security.pdf
20
Access Point:
QoS / VLAN
Expedited Forwarding
DSCP (IEEE 802.1d)
21
Access Point:
Advanced Options� Administration:
� SSID avoid transmission
� Secure Administrator access
� Enable Accounting For usage tracking & diagnostics
� Encryption Beware of supporting multiple encryption modes
� Roaming Ensure secure
� Limits:� Association Limit Prevents access points from getting overloaded
� adequate level of service
� Calls maintain the maximum allowed number of calls
� EAP or MAC Re-authentication Interval � Filters prevent or allow the use of specific protocols through the
interface.
� QoS Element for Wireless Phones:
� Determine which access point to associate to, based on traffic
� If phones have support, enable
� For more info: Basic Service Set (QBSS - 892.11e standard)
22
Switches:
� Need QoS, VLAN capable switches
� Configuration required
� Logs – understand to troubleshoot
23
Firewall:
� SIP firewall needed
� Protection
� With VLAN each “Leg”
of network is protected
� Voice legs only see
signaling or media
� Useful for intrusion
detection
� Backup
10 11
20
21
21
11
24
Site planning:
Before you get started
� Site planning before you get started
� Certification
� Consultants
25
What’s new:
Speed & Power
� 802.11n:
� June 2009 (est.)
� Takes advantage of multiple
antennas for beamforming
� 19 Mbit/s(g) � 74 Mbit/s
� 802.11y: Higher power
26
What’s new:
Other coming attractions
� 802.11s – Multi-vendor self configured mesh
� Standardized Roaming:
� 802.11.r – Handoff
� 802.11w - protect
network from malicious
disassociation
27
Recap:
If we did what was promised, we would astound ourselves
� Can’t prove insecure
� Denial of service � avoidable
� Planning
� The future gets better
28
For more info – books:
� Internet QoS Zheng Wang, Morgan
Kaufmann 2001, ISBN 1-55860-608-4
� VoIP Security James Ransom / John
Rittinghouse, Elsevier, 2005, 1-55558-332-6
� SIP Demystified, Gonzalo Camarillo, McGraw
Hill ISBN 978-0-07-137340-1
� Voice-Enabling the Data Network, James
Durkin, 2003, Cisco Press, ISBN 1-58705-
014-5
29
For more info - NIST
� WIRELESS NETWORK SECURITY FOR
IEEE 802.11A/B/G AND BLUETOOTH
(DRAFT)
� http://csrc.nist.gov/publications/drafts/800-48-
rev1/Draft-SP800-48r1.pdf
30
Siemens' PoE Claims Validated
802.11N with 802.3at power
� http://www.networkcomputing.com/showArticl
e.jhtml?articleID=206900489