Title: Ensure a Secure Environment for Voice over WiFi
2. Ensure a Secure Environment for Voice over WiFi
- Sri Sundaralingam
- Director, Product Management
- AirTight Networks
- SriS_at_airtightnetworks.net
3. Agenda
- WiFi Security Concerns
- Major WiFi Threats
- Wi-Fi Security Requirements
- Wi-Fi Best Practices
- WIPS Deployment Best Practices
- VoWiFi Planning and Monitoring
- Demo
- Q&A
4. Wi-Fi Security Concerns
- Wi-Fi is inherently insecure
- Signal bleeds through walls and windows
- No central point of control
- Easy to break in if proper security standards are not used
- Legacy VoWiFi devices don't support latest security standards
- Wi-Fi networks can be easily disrupted
- DoS attacks are easy to launch
- Usual security precautions don't work against DoS
5. Security Legislative Drivers
- Privacy legislation requires companies to keep non-public personal information secure
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley (GLB) Act
- Additional drivers
- Sarbanes Oxley
- DoD Directive
- Patriot Act
- Liability for facilitating cyber-terrorism
6. Wi-Fi Security Threats
- Eavesdropping
- Unauthorized access
- Stealing Internet access bandwidth
- Access to sensitive data
- Rogue APs and clients
- Enterprises need to adjust security policies
- Client mis-association
- Sophisticated attacks
- WEP attack (using weak IVs to find actual WEP key)
- Brute force or dictionary attacks
- Replay or forgery attacks
- Man-in-the-middle attacks
- Denial of Service (DoS) attack
- Driver/firmware level attacks
7. Major Wi-Fi Threat Categories
- Common
- Rogue Access Points
- Mis-configured Access Points
- Ad hoc connections
- Unauthorized client associations
- Malicious
- Honeypot APs
- MAC spoofing APs
- Denial of Service attack
[Diagram: an enterprise network and a neighboring network, with labeled threats: Denial of Service Attack, Mis-association, Mis-configured AP, Honeypot, Unauthorized Association, Rogue AP, Ad Hoc, AP MAC Spoofing]
Firewalls, VPNs, and 802.11 Security Standards Do Not Prevent These Wi-Fi Threats on Either Wired or Wireless Networks
8. Layer-2 based DoS attacks
- WLAN networks are prone to Layer-2 DoS attacks!
- Reduces medium availability
- Impacts data throughput, VoIP over WLAN quality, etc.
- There are several types of Layer-2 DoS attacks
- 802.11 deauth/disassociation attacks
- EAPOL flooding attacks
- Driver/firmware level attacks
- Etc.
- Wireless Intrusion Prevention (WIPS) system shall
- Detect and identify DoS attacks
- Provide means to protect against DoS attacks
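A sketch of the "detect and identify" function for the Layer-2 DoS types listed above, added here as an example and not taken from the presentation or any WIPS product: it counts deauth, disassociation and EAPOL frames per BSSID in a sliding window and raises one alert per flood. The frame records, the 1-second window and the threshold of 10 frames are constructed assumptions.

```python
from collections import defaultdict, deque

# Frame kinds named on the slide; each record is (timestamp_s, kind, bssid).
WATCHED = {"deauth", "disassoc", "eapol"}
WINDOW_S = 1.0    # assumed sliding window length
THRESHOLD = 10    # assumed max frames per window before alerting

def detect_floods(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return [(alert_time, kind, bssid)], one alert per (kind, bssid) flood."""
    recent = defaultdict(deque)   # (kind, bssid) -> timestamps still in window
    alerted = set()
    alerts = []
    for ts, kind, bssid in sorted(frames):
        if kind not in WATCHED:
            continue
        key = (kind, bssid)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:      # drop frames older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, kind, bssid))
    return alerts

def sample_capture():
    """Constructed sample: benign traffic, a deauth burst, an EAPOL burst."""
    ap1, ap2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [(t * 5.0, "deauth", ap2) for t in range(4)]           # 1 per 5 s: benign
    frames += [(t * 0.5, "beacon", ap1) for t in range(40)]         # unwatched kind
    frames += [(30.0 + i * 0.02, "deauth", ap1) for i in range(50)]  # 50 frames/s
    frames += [(40.0 + i * 0.05, "eapol", ap2) for i in range(30)]   # 20 frames/s
    return frames

if __name__ == "__main__":
    for ts, kind, bssid in detect_floods(sample_capture()):
        print(f"{ts:7.2f}s  {kind:<8} flood against {bssid}")
```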
9. Legacy Device Issues
- Legacy devices are commonplace
- Bar code scanners, point of sale terminals
- Printers
- Voice over Wi-Fi phones
- Likely not to support proper security methods
- WEP only, or worse, no encryption support at all
- No ability to support IPsec VPN clients
- Recommendations
- Separate VLAN mapped to SSID with WEP/no security
- MAC address authentication
- Regular rotation of WEP key (if available)
10. Wi-Fi Security Requirements
- Encryption/authentication
- Access Point Authentication
- Per User and Per Session Authentication
- RF monitoring and detection
- Threat prevention and location tracking
- Commonplace security threats
- i.e. rogue APs/clients and unauthorized associations
- Malicious attacks
- Evil Twin/Honeypot APs
- Denial of Service attacks
11. Wi-Fi Security Best Practices
Wireless Encryption/Authentication
- Enable Security!
- WPA or WPA2
- Use 802.1x
- Change the default SSID
- Use VLANs and separate SSIDs for legacy devices
Wireless/Wired Integration
- Secure management interfaces
- SSH
- SSL
- SNMPv3
- Management VLAN
- Network Access Protection
Wireless IPS
- Automatic detection
- Auto-classification
- Rogue AP and client prevention
- Location tracking
12. Deployment Best Practice: Security
Wireless Intrusion Prevention System (WIPS)
- Provides 24 x 7 security coverage
- Three key functions
- Detects and automatically classifies wireless events and devices to determine which are threats and which are not
- Robustly prevents (multiple) wireless threats
- Accurately locates wireless threats
13. Locating Wi-Fi Threats
Rogue AP Location Tracking Accuracy
- High Power Cisco AP: 4 feet
- Medium Power D-link AP: 5 feet
- Low Power Cisco AP: 12 feet
- Belkin AP: 10 feet
14. WIPS Deployment Best Practices
- Security coverage planning
- How many sensors do I need?
- Avoid blind spots!
- Cover your wired network
- Cover all wired VLANs vulnerable to Wi-Fi threats
- Automate device classification and threat prevention
- Avoid manual work to classify APs and clients!
- Automate threat prevention based on your risk scenarios
- Locate and physically remove threats (Rogue APs, etc.)
- Automated reporting
- Configure WIPS system to provide automated detailed reports (weekly, monthly, etc.)
- Mobile Security outside the enterprise premises
- Locking down the laptop at home, at the airport, at the hotel, etc.
15. Now that you've figured out your security architecture...
16. Deploying VoWiFi
- Demos work great, but ad hoc deployments don't scale
- Common problems
- Invisible signal blackout zones
- Signal drop out in stairways
- Inadequate capacity in high user density areas
- Channel interference and noise
- Data usage is expected to grow; not sure how to provision for growth
- Signal bleed through from neighbor's building
17. Deployment Best Practice
- Plan
- Anticipate performance needs of VoIP application in advance. Deploy/configure WiFi infrastructure to obtain the best possible performance
- Monitor
- Monitor for changes that cannot be anticipated at the planning stage. Adjust network configuration to respond to environment changes
- Secure
- Protect against malicious threats that can disrupt VoIP application
- Protect VoWiFi infrastructure vulnerabilities that can easily be exploited to breach corporate network security
18. Why 3 Steps?
Factors affecting WiFi performance (table columns: Pre-deployment Planning, Live Monitoring, Detect and Prevent Threats)
- Site layout, construction material
- Co-channel interference from deployed AP
- Co-channel interference from neighbor APs and clients: can only be estimated when the network is in operation
- Noise: noise level can change over time
- Usage, contention, traffic: dynamic and can only be measured when the network is operational
- Security (e.g. DoS attacks): need to detect and respond in real time
19. Deployment Best Practice: Planning
- What type of QoS capabilities will be deployed?
- How much network capacity should be kept aside for these?
- What is the projected growth for applications requiring QoS?
20. Deployment Best Practice: Planning
Example: how to determine required network capacity?
Call radius: 50 ft
Users: 39
Active Phone Lines: 12
Concentration X1: 3.25
Bandwidth (Mbps)
Voice Uplink: 0.77
Voice Downlink: 0.77
Data Downlink: 3.25
Data Uplink: 1.63
Total Throughput: 6.41
- 200 sqft/user
- 8 hour work day
- 150 Mb of avg data traffic/user over WLAN
- Peak usage is 3x (i.e. need to assume 450 Mb data traffic/user)
- 0.15 ERLANG of voice load
- VoIP connection requires 64Kbps in each direction
Assumes 100 wireless
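The capacity figures above can be reproduced with the short calculation below, added here as a worked example and not part of the original slides. Four inputs are assumptions inferred because they reproduce the slide's numbers, not values the slide states: a circular cell, a 1% call-blocking target (Erlang B), "Mb" read as megabytes, and a 2:1 downlink/uplink data split.

```python
import math

def erlang_b(offered_erlangs, lines):
    """Blocking probability for `lines` voice channels (Erlang B recursion)."""
    b = 1.0
    for n in range(1, lines + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b

def lines_needed(offered_erlangs, max_blocking):
    """Smallest number of simultaneous calls that meets the blocking target."""
    n = 1
    while erlang_b(offered_erlangs, n) > max_blocking:
        n += 1
    return n

def plan_cell(radius_ft=50, sqft_per_user=200, erlang_per_user=0.15,
              voip_kbps=64, peak_mbytes_per_user=450, workday_h=8,
              max_blocking=0.01, downlink_share=2 / 3):
    # max_blocking and downlink_share are assumptions, not slide values.
    users = int(math.pi * radius_ft ** 2 / sqft_per_user)    # circular cell assumed
    lines = lines_needed(users * erlang_per_user, max_blocking)
    voice = lines * voip_kbps / 1000                          # Mbps per direction
    # Peak data volume per user spread over the work day, in Mbps for all users.
    data = users * peak_mbytes_per_user * 8 / (workday_h * 3600)
    down, up = data * downlink_share, data * (1 - downlink_share)
    return {
        "users": users, "lines": lines, "concentration": users / lines,
        "voice_up": voice, "voice_down": voice,
        "data_down": down, "data_up": up,
        "total": 2 * voice + down + up,
    }

if __name__ == "__main__":
    for k, v in plan_cell().items():
        print(f"{k:14} {v:.2f}" if isinstance(v, float) else f"{k:14} {v}")
```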
21. Deployment Best Practice: Planning
Which signal coverage are you going to assume?
22. Predictive Planning vs. Alternative Methods
23. Deployment Best Practice: Monitoring
Sample Monitoring (Event) Chart
24. Deployment Best Practice: Monitoring
Sample Monitoring (Usage) Chart
25. Questions?
VoWiFi