Tackling Security Vulnerabilities in VPN-based Wireless Deployments

1
Tackling Security Vulnerabilities in VPN-based
Wireless Deployments
  • Lookman Fazal, Martin Kappes, A. S. Krishnakumar,
    P. Krishnan
  • Avaya Labs Research
  • Sachin Ganu
  • WINLAB, Rutgers University
  • Published in Proceedings of IEEE ICC 2004, June
  • Presented by Mu-Ying Lu

2
Outline
  • Introduction
  • The Hidden Wireless Router (HWR)
  • Possible Solutions to the HWR Problem
  • Monitoring-Based Solutions
  • Detection
  • Location
  • Access Point-Based Solutions
  • Experiment and Observations
  • Conclusion

3
Introduction
  • Security issues arise in wireless access
  • WEP → 802.11i
  • 802.11i
  • Based on 802.1x port-based authentication
  • Key infrastructure
  • 802.11i-based devices will reach the market soon
  • Before 802.11i is widely deployed, some security
    architecture should be used

4
Introduction (Cont.)
  • VPN-based wireless architecture
  • The wireless and wired network are separated by a
    VPN server
  • Upon association, the client obtains a
    non-routable IP address (private IP address)
    using DHCP
  • The client then initiates a VPN connection to the
    VPN server

5
Introduction (Cont.)
[Figure: network diagram showing addresses 192.168.1.32 and 192.168.1.1]

6
Introduction (Cont.)
  • VPN
  • Per-user authentication
  • After appropriate authentication and key
    exchanges, a secure tunnel is established
  • The VPN-based architecture is motivated by
  • the ability to deploy using existing hardware and
    software
  • the familiarity of most IT organizations with the
    underlying technology and tools, e.g.
    IPSec/PPTP-based VPN

7
Introduction (Cont.)
  • Vulnerability of VPN architecture
  • The VPN server can be bypassed
  • The hidden wireless router

8
The Hidden Wireless Router (HWR)
  • Some devices have dual network interface cards
    (Ethernet/Wireless), and many enterprises provide
    both Ethernet jacks and a VPN-based wireless
    network
  • For its security, the VPN-based wireless network
    assumes that
  • All wireless clients will access the network
    through the VPN server
  • This is enforced by providing users with a
    non-routable IP address

9
The Hidden Wireless Router (HWR)
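[Figure: HWR scenario, with two sets of numbered labels]
  • Dual-interface device (192.168.c.d on wireless)
  • 1. Connects via Ethernet
  • 2. Gets a private address 192.168.c.d for
    wireless
  • 3. Has NAT enabled
  • Wireless client (192.168.a.b)
  • 1. Gets a private address 192.168.a.b
  • 2. Sets next-hop to be 192.168.c.d
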
10
The Hidden Wireless Router (HWR)
  • Enable a dual-NIC laptop to be a NAT router
  • Connection sharing can be enabled on the wired
    interface with the wireless interface as the
    local network
  • In Windows
  • 192.168.0.1 for wireless interface on NAT router
  • Other NAT clients are assigned other IP addresses
    in the 192.168.0.x range
  • Situation: hacked, viruses, worms,
    misconfiguration, etc.

11
Possible Solutions to the HWR Problem
  • Monitor-based solution
  • Detecting and locating HWRs in a reactive manner
  • Access point-based solution
  • Preventing HWRs in a proactive manner

12
Possible Solutions to the HWR Problem
  • Client-based solution
  • mandating that wireless clients must either not
    forward traffic or be connected to the wired
    network
  • Software could be put on clients to warn users
    when connection sharing is detected
  • very hard to enforce in a foolproof way
  • Non-client-based solution

13
Possible Solutions to the HWR Problem
  • Monitoring-Based Solutions: sniffers monitor the
    traffic in the wireless network
  • Detecting HWR
  • Locating and Controlling HWRs

14
Possible Solutions to the HWR Problem
  • Detecting HWRs passively
  • Monitoring cross-traffic, i.e., traffic from a
    wireless station that is not destined to the VPN
    server but to another wireless station
  • Cross-traffic is all traffic in which the source
    and destination addresses are wireless stations
  • Permissible MAC destination addresses are those
    such as the VPN server's or the address of the
    gateway to the VPN server

15
Possible Solutions to the HWR Problem
  • Detecting HWRs passively
  • The sniffer does not need to be in possession of
    the WEP encryption key, because the MAC addresses
    in the frame header are transmitted in the clear

16
Possible Solutions to the HWR Problem
  • Detecting HWRs actively
  • The sniffer acts as a rogue wireless client
  • It tries to establish a connection to a honeypot
    server in the wired network using a suspected HWR
    as the gateway

17
Possible Solutions to the HWR Problem
  • Locating and Controlling HWRs
  • Monitor-based, passive
  • Signal strength
  • Disassociation message
  • Monitor-based, active
  • Trace back to a switch-port
  • Disable the port
  • Do not forward traffic to the device

18
Possible Solutions to the HWR Problem
  • Access point-based solution
  • Frame filtering based on MAC source and
    destination address
  • The permissible addresses are limited to a few
    entries
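
The passive cross-traffic check from the monitoring slides and the access point frame filter above come down to the same test on the cleartext MAC addresses of each frame. The sketch below is an added example, not code from the paper or the presentation; the function names, the sample frames and the rule that broadcast destinations are allowed are assumptions.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def endpoints(frame):
    """Return (source, destination) MACs of an 802.11 data frame, else None.
    Only the cleartext MAC header is read, so no WEP key is needed."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:   # short, or not type 2 (data)
        return None
    to_ds, from_ds = bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:                # 4-address frame: RA, TA, DA, SA
        return (mac(frame[24:30]), mac(a3)) if len(frame) >= 30 else None
    if to_ds:                            # station -> AP: BSSID, SA, DA
        return mac(a2), mac(a3)
    if from_ds:                          # AP -> station: DA, BSSID, SA
        return mac(a3), mac(a1)
    return mac(a2), mac(a1)              # ad hoc: DA, SA, BSSID

def permitted_frame(src, dst, permitted):
    """True if one end is a permitted MAC (VPN server or its gateway).
    Assumption: broadcast is also allowed so DHCP and ARP keep working."""
    return src in permitted or dst in permitted or dst == BROADCAST

def cross_traffic(frames, permitted):
    """Count station-to-station data frames per (source, destination) pair."""
    hits = Counter()
    for frame in frames:
        ends = endpoints(frame)
        if ends and not permitted_frame(*ends, permitted):
            hits[ends] += 1
    return hits

# Constructed sample capture; every MAC address below is made up.
def _hdr(fc, *addrs):
    raw = b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    return struct.pack("<HH", fc, 0) + raw + b"\x00\x00"

AP, VPN, H, R = (f"00:00:5e:00:53:{n:02x}" for n in (0x01, 0x02, 0x10, 0x20))
SAMPLE = [
    _hdr(0x4108, AP, R, VPN),         # R -> VPN server, WEP bit set: permitted
    _hdr(0x4108, AP, R, H),           # R -> H through the AP: cross-traffic
    _hdr(0x4208, R, AP, H),           # H -> R relayed by the AP: cross-traffic
    _hdr(0x0108, AP, R, BROADCAST),   # broadcast such as a DHCP discover
    _hdr(0x0080, BROADCAST, AP, AP),  # beacon (management frame): not data
]
```

A monitor would report the pairs returned by `cross_traffic(SAMPLE, {VPN})`; an access point applying the same rule would drop any frame for which `permitted_frame` is false.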

19
Experiments and Observation
  • Two networks
  • N1 protected by PPTP-based VPN
  • N2 protected by IPSec-based VPN
  • The dual-interface laptop was running Windows
    2000
  • Rogue clients were running Linux

20
Experiments and Observation
  • Verifying the HWR vulnerability
  • When the VPN client on H was not activated, the
    rogue R exploited the HWR vulnerability by
    setting its default gateway address to the IP
    address of H's wireless interface

21
Experiments and Observation
  • Exploiting Vulnerability Through Bridging
  • bridging was enabled on device H, between the
    wireless and the wired interfaces

22
Experiments and Observation
  • Effect of Enabling VPN on the HWR
  • In network N2 (IPSec), enabling the VPN client on
    H disrupted the operation of the HWR, and H's
    wireless interface could not be pinged
  • In network N1 (PPTP), we could still ping the
    non-routable IP address on H

23
Experiments and Observation
  • We probed the wireless non-routable address space
    by sending ping packets
  • Approximately 35% of laptops are associated with
    an access point but not running a VPN client

24
Conclusion
  • This paper presented detect/control/prevent
    methods to address the hidden wireless router
    problem in a VPN-based wireless environment

25
Q & A