Wireless LAN Current & Future Status
Kevin Cheng, 2005 Wireless Security Technology Development Seminar
Outline
• Wifi-Citywide: New York City & San Francisco
• Hotspots: Roaming & Content Management
• High Speed Technology for WLAN
• VPN Gateway To Security
• Intrusion Detection / Prevention Systems (IDS/IPS)
• Locking Down Your Voice Data (VoIP)
• Wireless IPv6 VPN Routers
• Wireless Sensors
Wifi Cities - Status
• New York City
• Bidders: EDS, HP, IBM, Lockheed, Northrop, Raytheon.
• $500M to $2B over, say, 15 years
• Wifi Clouds: a fiber metropolitan area network
• Cost savings, overall functionality, redundancy, security, a truly converged network.
• Connectivity while traveling at speeds of up to 70 mph citywide.
• Anchors multiple cost-saving applications such as VoIP and wireless last-mile links
Wifi City - NYC
Wifi City – San Francisco
Mnt. San Bruno coverage map
The link to Mnt. San Bruno
The Bay Area Research Wireless Network (BARWN), Oct. 2003
The first attempt: the installation of a 20 mile path between Hayward and South San Francisco with experimentation to increase the reliability of this link.
A second link: deployed an 11 Mb/s link from the United Layer co-location center at Sixth and Mission in San Francisco to an access point on top of San Bruno Mountain.
Wifi City – Mesh Technology
• Lifesaver: how firefighters inside a burning building can communicate with multiple devices, giving the commander a 3D representation of their locations within the building.
ComputerWorld, 2004
www.firetide.com
WIfi City – Mesh Technology
Cover an area of up to several city blocks in size, forming a “hot-zone” that is blanketed by Wi-Fi access points that are connected by a wireless backbone to resemble one large hot spot.
Baton Rouge, LA
Wifi City – Bandera, Texas
www.dmarc.us: Wireless ISP (WISP)
• One AP – EPIA MII board with ORiNOCO Gold, amplified with a Fidelity amplifier
• One HSG-1000 Hotspot Gateway
• Coverage is a 12-mile circle now; deploying in San Antonio, Texas soon!
The Cowboy Capital of the World
High Speed Technology for WLAN
Conclusion: At the end of the Broadband Wireless Era, billions of people worldwide will be communicating wirelessly using devices and services not yet designed. Many of these people will have access to multiple technologies that will allow them choices for an always best-connected advantage.
WiMAX – 802.16, The Last Mile Solution
• The vision: Broadband everywhere
• Standardization: WiMAX – Worldwide Interoperability for Microwave Access
[Charts: Worldwide Broadband Market Growth; Worldwide Sub-11 GHz – 5 Years Growth]
WiMAX – Technology Specs
• Based on IEEE 802.16 and ETSI HiperMAN; WiMAX selected the common mode of operation of these two standards, 256-FFT OFDM.
• Concentrated in the 2-11 GHz Wireless MAN (Metropolitan Area Network) bands, with the following set of features:
• Service area range up to 50 km as of today
• Non-line-of-sight operation
• QoS designed in for voice/video, differentiated services
• Very high spectrum utilization: 3.8 bit/s/Hz
• Up to 280 Mbps per base station
• True broadband for portable users – IEEE 802.16e enables the creation of a 'CPE-less' broadband market, providing broadband connectivity for laptops and PDAs with integrated WiMAX technology
WiMAX – Case Study
www.airspan.com
Product Offering: WLAN as hosted service
• Telcos may offer their customers a hosted and managed WLAN service based on their broadband access
• The access is split into a private (intranet) and a public WLAN network
• WLAN management includes security, firewall, AAA, and possibly control of content and of the users' bandwidth and access times
Advantages for customers:
• Value-added services in-house
• Additional revenues and better services for external visitors
• No deployment effort, since the service is provided ready to go
Possible customer target segments:
• Enterprises with a large public area, e.g. for campus training
• Public institutions, public transportation
• Business centers with several companies to which this service is offered
• Health care: hospitals
Hotspot: WLAN as Hosted Service for Enterprises
Hotspot: Example of WLAN Management Services
Services offered: virtual tourist guide on a WLAN-PDA
Customer requirements:
• Offers roaming & billing with all major players to users
• Offers VoWLAN (Voice over WLAN)
• Offers local content of many hotspot owners without security compromises, but gives them access to edit the content themselves
• Follows moving users over different hotspots and gateways without losing the session
• Shows the same content in different languages
• Navigation
• Provides high-volume tourism content directly from the gateway
• Easy setup and survey of the network infrastructure
Hotspot: How to Support WLAN Management Systems
[Diagram: WLAN-enabled end devices (e.g. laptop, PDA, mobile, car) → Access Points → HSG10 Gateway → Internet uplink (DSL, ISDN, dedicated line, or satellite) → Internet → NOC / BackOffice. The Wireless Infrastructure Management System runs on a server (cluster) in the NOC and exposes interfaces to virtual WISPs, roaming partners, payment, and diagnosis. Together these form the WLAN infrastructure with management system.]
VPN Gateway To Security
• Essentials: authentication, confidentiality, and integrity.
• How to choose a VPN device: supported protocols, supported platforms, speed, and price.
• A VPN works at layer 3 or above, so it supports all applications.
• 3DES or AES encryption (prefer AES: 3DES is slower and has only a 64-bit block).
• VPN tunnel: install-and-forget-it technology.
• IPsec or SSL VPNs?
• Advanced features: client policy, QoS, failover…
WLAN Poll Analysis [chart] - Network Computing, 2.17.2005
WLAN – Features for IDS
• Intelligent analytical engine
• Performance & infrastructure monitoring
• Security monitoring
• Wireless LAN administration
• Site survey
• Troubleshooting connections
• Packet capture & decodes
WLAN IDS Signatures
WLAN IPS – Rogue AP
WLAN IPS – 24/7 Monitoring
Locking Down Your Voice Data (VoIP)
• An easy way: separate voice from the data LAN; use your switches' 802.1Q support to place them in different virtual LANs (VLANs).
• Be very selective about which IT staffers are allowed access to the core operating systems of your IP PBX servers.
• Consider using intrusion-detection and prevention systems to monitor all voice servers and segments.
• Stay away from PC-based IP phones wherever possible.
• Implement NAT between the voice and data segments, with private address spaces for all IP telephony devices.
• Authentication: from allowing access only to phones with known MAC addresses, up to personal IDs, passwords, and PINs. (A MAC address is trivially spoofed, so MAC filtering only deters casual attachment; on its own it is not authentication.)
• Use static IP addresses for your IP phones, mapped to MAC addresses.
• Keep up to date with the latest security patches on all your voice mail and call-processing servers, and make sure you have good virus protection.
• Use a "fuzzer" for SIP: test SIP for weaknesses and vulnerabilities that could lead to attacks.
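The "fuzzer for SIP" bullet is the one item on this slide a practitioner can exercise offline, so here is an added example written for this page (it is not code from the seminar or from any SIP product). It parses a constructed INVITE with a deliberately strict parser, derives ten malformed mutants of it (oversized Via, non-numeric CSeq, mismatched or negative Content-Length, bare-LF line endings, a NUL byte, a duplicate Call-ID, and so on) and reports any mutant the parser wrongly accepts. The message, the addresses and the 1024-byte line limit are assumptions of the example; against a real PBX you would send the same mutants over UDP and watch for crashes or hangs instead of calling the local parser.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Baseline INVITE, constructed for this example; Content-Length 10 matches its body exactly.
const baseInvite = "INVITE sip:bob@pbx.example SIP/2.0\r\n" +
	"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n" +
	"From: <sip:alice@pbx.example>;tag=1928\r\n" +
	"To: <sip:bob@pbx.example>\r\n" +
	"Call-ID: a84b4c76e66710@192.0.2.10\r\n" +
	"CSeq: 314159 INVITE\r\n" +
	"Content-Length: 10\r\n\r\n" +
	"v=0\r\ns=-\r\n"

const maxLineLen = 1024 // assumed per-line limit; real stacks pick their own

// Headers RFC 3261 requires in every request, exactly once each.
var required = []string{"via", "from", "to", "call-id", "cseq"}

type Request struct {
	Method, URI, Body string
	Headers           map[string][]string // lowercase name -> values in order seen
}

// ParseSIP is deliberately strict: anything outside the expected grammar is rejected, not "repaired".
func ParseSIP(raw string) (*Request, error) {
	head, body, ok := strings.Cut(raw, "\r\n\r\n")
	if !ok {
		return nil, errors.New("missing CRLF CRLF header terminator")
	}
	lines := strings.Split(head, "\r\n")
	rl := strings.Split(lines[0], " ")
	if len(rl) != 3 || rl[2] != "SIP/2.0" || len(lines[0]) > maxLineLen {
		return nil, errors.New("bad request line")
	}
	req := &Request{Method: rl[0], URI: rl[1], Headers: map[string][]string{}, Body: body}
	for _, l := range lines[1:] {
		name, val, ok := strings.Cut(l, ":")
		if !ok || strings.TrimSpace(name) == "" || len(l) > maxLineLen || strings.ContainsAny(l, "\x00\r\n") {
			return nil, fmt.Errorf("malformed, oversized or binary header line %.20q", l)
		}
		n := strings.ToLower(strings.TrimSpace(name))
		req.Headers[n] = append(req.Headers[n], strings.TrimSpace(val))
	}
	for _, h := range required {
		if len(req.Headers[h]) != 1 {
			return nil, fmt.Errorf("header %s must appear exactly once", h)
		}
	}
	cseq := strings.Fields(req.Headers["cseq"][0])
	if len(cseq) != 2 || cseq[1] != req.Method {
		return nil, errors.New("CSeq malformed or its method differs from the request line")
	}
	if _, err := strconv.ParseUint(cseq[0], 10, 32); err != nil {
		return nil, errors.New("CSeq number is not a 32-bit unsigned integer")
	}
	// The declared length is checked against the bytes actually present, so a
	// lying Content-Length can never make the parser read past the datagram.
	if cl := req.Headers["content-length"]; len(cl) == 1 {
		if n, err := strconv.Atoi(cl[0]); err != nil || n < 0 || n != len(body) {
			return nil, errors.New("Content-Length negative, non-numeric, or != body size")
		}
	}
	return req, nil
}

// Mutations derives malformed messages from a well-formed base, each aimed at a
// field a careless SIP stack might trust (lengths, counters, required headers).
func Mutations(base string) map[string]string {
	rep := func(old, to string) string { return strings.Replace(base, old, to, 1) }
	return map[string]string{
		"oversized-via":            rep("branch=z9hG4bK776", "branch="+strings.Repeat("A", 4000)),
		"cseq-non-numeric":         rep("CSeq: 314159 INVITE", "CSeq: abc INVITE"),
		"cseq-method-mismatch":     rep("CSeq: 314159 INVITE", "CSeq: 314159 BYE"),
		"content-length-too-large": rep("Content-Length: 10", "Content-Length: 99999"),
		"content-length-negative":  rep("Content-Length: 10", "Content-Length: -1"),
		"missing-to":               rep("To: <sip:bob@pbx.example>\r\n", ""),
		"no-sip-version":           rep(" SIP/2.0\r\n", "\r\n"),
		"bare-lf-separators":       strings.ReplaceAll(base, "\r\n", "\n"),
		"nul-in-header":            rep("tag=1928", "tag=19\x0028"),
		"duplicate-call-id":        rep("CSeq:", "Call-ID: dup@192.0.2.10\r\nCSeq:"),
	}
}

// Fuzz feeds every mutant to the parser and returns the names it accepted; for
// a strict parser the result should be empty.
func Fuzz(base string) []string {
	var accepted []string
	for name, msg := range Mutations(base) {
		if _, err := ParseSIP(msg); err == nil {
			accepted = append(accepted, name)
		}
	}
	return accepted
}

func main() {
	for name, msg := range Mutations(baseInvite) {
		_, err := ParseSIP(msg)
		fmt.Printf("%-26s -> %v\n", name, err)
	}
	fmt.Println("wrongly accepted:", Fuzz(baseInvite))
}
```

Each mutant is also a regression test for the parser: if a later "be liberal in what you accept" change makes one of them parse, Fuzz names it.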
Locking Down Your Voice Data – cont'd
• VoIP security areas: configuration, call control, voice streams, and data streams.
• Major performance measurements: the level of security, encryption delay, message delay, and processing power. What is the desired key size? Security processing cannot be allowed to add a second of delay to a call.
• Voice encryption protocol: the Secure Real-time Transport Protocol (SRTP, RFC 3711) provides a framework for encryption and message authentication of RTP and RTCP streams. AES (in counter mode or f8 mode) is the only cipher SRTP defines; MIKEY is the emerging key-management protocol to pair with it.
Open issue: key management – how to distribute, update, and store keys and prevent them from being stolen.
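To make the SRTP bullet concrete, the following Go program is an added example written for this page; it is not code from the seminar and not a complete RFC 3711 implementation. It protects one RTP packet with AES in counter mode using the RFC 3711 IV construction (session salt, SSRC and the 48-bit packet index), appends the default 80-bit HMAC-SHA1 tag computed over the clear header, the encrypted payload and the rollover counter, and then verifies, replay-checks and decrypts it on the receiving side. Assumptions: the session keys and salt are already derived (master-key derivation and the MIKEY exchange are out of scope), the RTP header is the fixed 12-byte form without CSRCs or extensions, the replay check is a strict "index must increase" rule rather than the RFC's sliding window, and the key bytes, SSRC and payload are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagLen = 10 // RFC 3711 default: HMAC-SHA1 truncated to 80 bits

// Session holds already-derived SRTP session keys (key derivation and MIKEY are out of scope).
type Session struct {
	block   cipher.Block // AES with the 16-byte session encryption key
	authKey []byte       // 20-byte HMAC-SHA1 session authentication key
	salt    []byte       // 14-byte (112-bit) session salt
	ROC     uint32       // rollover counter of the 16-bit RTP sequence number
	lastIdx int64        // receiver side: highest packet index accepted, -1 at start
}

// NewExampleSession uses constructed key material: example values, not derived ones.
func NewExampleSession() *Session {
	block, err := aes.NewCipher(bytes.Repeat([]byte{0xe1}, 16))
	if err != nil {
		panic(err)
	}
	return &Session{block: block, authKey: bytes.Repeat([]byte{0xa2}, 20),
		salt: bytes.Repeat([]byte{0x5a}, 14), lastIdx: -1}
}

// RTPHeader builds the fixed 12-byte header: V=2, PT=0, sequence, timestamp, SSRC.
func RTPHeader(seq uint16, ts, ssrc uint32) []byte {
	h := make([]byte, 12)
	h[0] = 0x80
	binary.BigEndian.PutUint16(h[2:], seq)
	binary.BigEndian.PutUint32(h[4:], ts)
	binary.BigEndian.PutUint32(h[8:], ssrc)
	return h
}

// stream is AES-CM with the RFC 3711 4.1.1 IV: (salt<<16) XOR (SSRC<<64) XOR (index<<16).
func (s *Session) stream(ssrc uint32, index uint64) cipher.Stream {
	var iv, t [16]byte
	copy(iv[:], s.salt)                          // 14 salt bytes in positions 0..13
	binary.BigEndian.PutUint32(t[4:], ssrc)      // SSRC occupies bytes 4..7
	binary.BigEndian.PutUint64(t[8:], index<<16) // 48-bit index lands in bytes 8..13
	for k := range iv {
		iv[k] ^= t[k]
	}
	return cipher.NewCTR(s.block, iv[:]) // low 16 bits count blocks, as in SRTP
}

// tag = first 80 bits of HMAC-SHA1(k_a, header || encrypted payload || ROC).
func (s *Session) tag(authenticated []byte) []byte {
	m := hmac.New(sha1.New, s.authKey)
	m.Write(authenticated)
	var roc [4]byte
	binary.BigEndian.PutUint32(roc[:], s.ROC)
	m.Write(roc[:])
	return m.Sum(nil)[:tagLen]
}

// Protect: header stays in the clear, payload is encrypted, tag is appended.
func (s *Session) Protect(hdr, payload []byte) ([]byte, error) {
	if len(hdr) != 12 {
		return nil, errors.New("example handles only the fixed 12-byte header")
	}
	index := uint64(s.ROC)<<16 | uint64(binary.BigEndian.Uint16(hdr[2:]))
	pkt := append(append([]byte{}, hdr...), payload...)
	s.stream(binary.BigEndian.Uint32(hdr[8:]), index).XORKeyStream(pkt[12:], payload)
	return append(pkt, s.tag(pkt)...), nil
}

// Unprotect checks the tag before touching the ciphertext, rejects replays
// (simplified to "index must increase"), then decrypts.
func (s *Session) Unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < 12+tagLen {
		return nil, errors.New("packet too short")
	}
	body, tag := pkt[:len(pkt)-tagLen], pkt[len(pkt)-tagLen:]
	if !hmac.Equal(tag, s.tag(body)) {
		return nil, errors.New("authentication failed")
	}
	index := uint64(s.ROC)<<16 | uint64(binary.BigEndian.Uint16(body[2:]))
	if int64(index) <= s.lastIdx {
		return nil, errors.New("replayed packet")
	}
	s.lastIdx = int64(index)
	out := make([]byte, len(body)-12)
	s.stream(binary.BigEndian.Uint32(body[8:]), index).XORKeyStream(out, body[12:])
	return out, nil
}

func main() {
	tx, rx := NewExampleSession(), NewExampleSession()
	pkt, _ := tx.Protect(RTPHeader(1000, 160, 0xdeadbeef), []byte("sixteen byte pcm"))
	_, err := rx.Unprotect(pkt)
	fmt.Printf("srtp packet %x\nreceive: %v\n", pkt, err)
}
```

The ordering inside Unprotect is the part worth copying: authenticate first, then replay-check, then decrypt, so a forged or replayed packet never reaches the codec. Note that the SRTP header itself is authenticated but not encrypted, so sequence numbers and SSRCs remain visible on the wire.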
IPv6 - Security
• IPv6 extension headers (AH, ESP) support IPsec, but with limitations such as the weak DES algorithm, complex configuration, exposure to DoS, etc.
• It inherits similar vulnerabilities to IPv4.
• New features bring new attack surface: neighbor discovery, router discovery, autoconfiguration and renumbering of IPv6 nodes, MTU handling, DHCPv6 and DNS.
• Return routability: the Mobile IPv6 procedure that secures route optimization (binding updates sent to correspondent nodes) against redirection and DoS attacks.
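The return routability bullet is easier to follow with the token arithmetic in front of you. The Go program below is an added example written for this page, not code from the seminar or from any Mobile IPv6 stack; it follows the RFC 3775 construction: the correspondent node answers HoTI/CoTI with 64-bit home and care-of keygen tokens (HMAC-SHA1 under its private Kcn over the address, a nonce and a 0/1 selector), the mobile node hashes both tokens into Kbm, and the Binding Update carries a 96-bit HMAC-SHA1 authenticator under Kbm that the correspondent can recompute without keeping per-mobile state. The addresses, the single-entry nonce table and the "MH data" layout (sequence number, home address, nonce indices) are assumptions of the example, and delivery over the home-agent tunnel and the direct path is simulated by function calls.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"net"
)

// Correspondent node state (RFC 3775 5.2): a private Kcn and a nonce table, nothing per mobile.
type Correspondent struct {
	Addr   net.IP
	kcn    []byte
	nonces map[uint16][]byte // nonce index -> 64-bit nonce
}

func NewCorrespondent(addr net.IP) *Correspondent {
	secret := make([]byte, 28) // 20-byte Kcn followed by one 8-byte nonce (index 0)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	return &Correspondent{Addr: addr, kcn: secret[:20], nonces: map[uint16][]byte{0: secret[20:]}}
}

// KeygenToken = First(64, HMAC_SHA1(Kcn, addr | nonce | which)); which is 0 for the
// home keygen token (returned in HoT) and 1 for the care-of keygen token (CoT).
func (c *Correspondent) KeygenToken(addr net.IP, idx uint16, which byte) ([]byte, error) {
	nonce, ok := c.nonces[idx]
	if !ok || addr.To16() == nil {
		return nil, errors.New("unknown nonce index or bad address")
	}
	m := hmac.New(sha1.New, c.kcn)
	m.Write(addr.To16())
	m.Write(nonce)
	m.Write([]byte{which})
	return m.Sum(nil)[:8], nil
}

// Kbm = SHA1(home keygen token | care-of keygen token).
func Kbm(homeTok, coaTok []byte) []byte {
	h := sha1.Sum(append(append([]byte{}, homeTok...), coaTok...))
	return h[:]
}

type BindingUpdate struct {
	Home, CareOf    net.IP
	HomeIdx, CoaIdx uint16 // nonce indices echoed so the CN can recompute the tokens
	Seq             uint16
	Auth            []byte // 96-bit Binding Authorization Data
}

// mhData is this example's stand-in for the Mobility Header bytes covered by the authenticator.
func (bu BindingUpdate) mhData() []byte {
	d := []byte{byte(bu.Seq >> 8), byte(bu.Seq)}
	d = append(d, bu.Home.To16()...)
	return append(d, byte(bu.HomeIdx>>8), byte(bu.HomeIdx), byte(bu.CoaIdx>>8), byte(bu.CoaIdx))
}

// Authenticator = First(96, HMAC_SHA1(Kbm, care-of address | CN address | MH data)).
func Authenticator(kbm []byte, coa, cn net.IP, mhData []byte) []byte {
	m := hmac.New(sha1.New, kbm)
	m.Write(coa.To16())
	m.Write(cn.To16())
	m.Write(mhData)
	return m.Sum(nil)[:12]
}

// RunReturnRoutability plays the mobile node: HoTI (via the home agent) and CoTI
// (direct) are answered with the two tokens, then an authenticated BU is built.
func RunReturnRoutability(cn *Correspondent, home, coa net.IP, seq uint16) (BindingUpdate, error) {
	const idx = 0                            // nonce index the CN reports in HoT/CoT
	ht, errH := cn.KeygenToken(home, idx, 0) // simulated delivery over the home-agent tunnel
	ct, errC := cn.KeygenToken(coa, idx, 1)  // simulated direct delivery to the care-of address
	if errH != nil || errC != nil {
		return BindingUpdate{}, errors.New("return routability failed")
	}
	bu := BindingUpdate{Home: home, CareOf: coa, HomeIdx: idx, CoaIdx: idx, Seq: seq}
	bu.Auth = Authenticator(Kbm(ht, ct), coa, cn.Addr, bu.mhData())
	return bu, nil
}

// VerifyBU recomputes both tokens from Kcn and the nonces: an attacker who saw
// only one of HoT/CoT (one path) cannot produce a valid authenticator.
func (c *Correspondent) VerifyBU(bu BindingUpdate) error {
	ht, errH := c.KeygenToken(bu.Home, bu.HomeIdx, 0)
	ct, errC := c.KeygenToken(bu.CareOf, bu.CoaIdx, 1)
	if errH != nil || errC != nil {
		return errors.New("stale or unknown nonce index")
	}
	if !hmac.Equal(bu.Auth, Authenticator(Kbm(ht, ct), bu.CareOf, c.Addr, bu.mhData())) {
		return errors.New("binding authorization data mismatch")
	}
	return nil
}

func main() {
	cn := NewCorrespondent(net.ParseIP("2001:db8:3::7"))
	bu, _ := RunReturnRoutability(cn, net.ParseIP("2001:db8:1::1"), net.ParseIP("2001:db8:2::42"), 1)
	fmt.Println("legitimate BU:", cn.VerifyBU(bu))
}
```

The DoS angle is in VerifyBU: the correspondent stores no state between HoTI/CoTI and the Binding Update, only Kcn and a few nonces, so floods of test-init messages cost it nothing beyond two HMACs each. The redirection defence is that a valid authenticator needs both tokens, and an on-path attacker normally sees only one of them.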
Wireless IPv6 - IPSec Router (AWG60)
Wireless Sensors - Standards
Standard | Application focus | Success metrics
ZigBee (802.15.4) | Remote control, battery-operated products, sensors | Reliable, secure networking; protocol simplicity; low power consumption, low cost
Bluetooth (802.15.1) | Interoperability, cable replacement, wireless USB, handset, headset | Low incremental cost; ease of use / convenience; moderate data rate
Wi-Fi (802.11) | Web, email, P2P, PC networking, file transfers, and video | High data throughput; flexibility (work and home); hotspot connectivity
GPRS / GSM, 1xRTT / CDMA | Wireless voice and data | Broad geographic coverage; data-centric pricing plans; network build-out
Wireless Sensors - Security Threats
• Digital signatures for authentication are impractical for sensor networks; SPINS improves on this with µTESLA (the micro version of the Timed, Efficient, Streaming, Loss-tolerant Authentication protocol)
• Individual sensors are assumed untrusted; compromising the base station can render the entire sensor network useless.
• Insertion of malicious code, which can spread to all nodes
• Interception of the messages containing the physical locations of sensor nodes allows an attacker to locate the nodes and destroy them.
• An adversary can observe the application-specific content of messages, including message IDs, time stamps and other fields.
• Injection of false messages that give the user incorrect information about the environment.
• Inter-router authentication is needed prior to the exchange of network control information
• Spoofed, altered, or replayed routing information
• Selective forwarding
• Sinkhole attacks
• Sybil attacks
• Wormholes
• Denial of Service (DoS), such as HELLO flood attacks
• Acknowledgement spoofing
www.tinyos.net
Wireless Sensors - Secure It!
• Security mechanisms depend on the network application and environmental conditions.
• The resources of sensor nodes (CPU, memory, battery) make it impractical to use secure algorithms designed for powerful workstations.
• Standard security goals: availability, confidentiality, integrity, authentication, and non-repudiation
• Wireless sensors additionally need message freshness, intrusion detection, and intrusion tolerance or containment.
• Security policies are defined by the admin of the sensor nodes: define the system architecture and the trust requirements.
• SPINS: Security Protocols for Sensor Networks.
• 802.15.4/ZigBee with 128-bit AES encryption.
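SPINS/µTESLA is named on both the threats slide and this one, so as one added example for both (written for this page, not code from SPINS or TinyOS) the Go program below implements the µTESLA mechanism that replaces digital signatures for authenticated broadcast: the base station generates a one-way key chain K_n, K_{n-1} = F(K_n), …, K_0, hands nodes only the commitment K_0, MACs each broadcast in interval i with the still-secret K_i, and discloses K_i two intervals later; a node buffers packets, drops any packet whose key could already be public, checks a disclosed key by hashing it back to the last key it trusts, and only then verifies the buffered MACs. Truncated SHA-256 for F, HMAC-SHA256 for the MAC, a two-interval disclosure delay and an interval counter standing in for loosely synchronized clocks are choices of this example; SPINS itself uses lighter primitives.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const delay = 2 // intervals between MACing with K_i and disclosing K_i

// F applies the one-way function steps times: K_i -> K_{i-steps}. Eight-byte keys
// keep packets small; that size and SHA-256 are this example's choices.
func F(k []byte, steps int) []byte {
	for ; steps > 0; steps-- {
		h := sha256.Sum256(k)
		k = h[:8]
	}
	return k
}

func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

type Packet struct {
	Interval, DiscInterval int    // interval whose key MACed Data; interval of the disclosed key
	Data, MAC, DiscKey     []byte // DiscKey is nil while nothing is disclosed yet
}

// BaseStation owns the whole chain: chain[i] = K_i, chain[0] is the commitment.
type BaseStation struct{ chain [][]byte }

func NewBaseStation(seed []byte, n int) *BaseStation {
	chain := make([][]byte, n+1)
	chain[n] = F(seed, 1)
	for i := n; i > 0; i-- {
		chain[i-1] = F(chain[i], 1)
	}
	return &BaseStation{chain}
}

func (b *BaseStation) Commitment() []byte { return b.chain[0] }

// Broadcast in interval i: MAC with the still-secret K_i and disclose K_{i-delay}.
func (b *BaseStation) Broadcast(i int, data []byte) Packet {
	p := Packet{Interval: i, Data: data, MAC: mac(b.chain[i], data)}
	if i > delay {
		p.DiscInterval, p.DiscKey = i-delay, b.chain[i-delay]
	}
	return p
}

// Node keeps only the newest authenticated key plus the packets waiting for theirs.
type Node struct {
	lastKey  []byte
	lastInt  int
	pending  []Packet
	Accepted [][]byte
	Rejected int
}

func NewNode(commitment []byte) *Node { return &Node{lastKey: commitment} }

// Receive takes the node's current interval; clocks are assumed loosely synchronized.
func (n *Node) Receive(p Packet, now int) error {
	if p.Interval+delay <= now { // K_i may already be public: anyone could have forged the MAC
		n.Rejected++
		return errors.New("packet arrived after its key's disclosure time")
	}
	n.pending = append(n.pending, p)
	if p.DiscKey == nil || p.DiscInterval <= n.lastInt {
		return nil
	}
	// Trust the disclosed key only if hashing it back reaches the last trusted key.
	if !bytes.Equal(F(p.DiscKey, p.DiscInterval-n.lastInt), n.lastKey) {
		return errors.New("disclosed key is not on the chain")
	}
	n.lastKey, n.lastInt = p.DiscKey, p.DiscInterval
	var still []Packet
	for _, q := range n.pending { // verify every buffered packet whose key is now known
		switch {
		case q.Interval > n.lastInt:
			still = append(still, q)
		case hmac.Equal(q.MAC, mac(F(n.lastKey, n.lastInt-q.Interval), q.Data)):
			n.Accepted = append(n.Accepted, q.Data)
		default:
			n.Rejected++
		}
	}
	n.pending = still
	return nil
}

func main() {
	bs := NewBaseStation([]byte("example seed"), 10)
	node := NewNode(bs.Commitment())
	for i := 1; i <= 6; i++ {
		node.Receive(bs.Broadcast(i, []byte(fmt.Sprintf("reading %d", i))), i)
	}
	fmt.Println("accepted", len(node.Accepted), "buffered", len(node.pending), "rejected", node.Rejected)
}
```

The timing check in Receive is the part that is easy to leave out and fatal to omit: once K_i has been disclosed, anyone who heard it can MAC arbitrary data for interval i, so a node must refuse to buffer packets that arrive after the disclosure time, not just verify them later. The cost on the node is one hash per chain step and one HMAC per packet, with no public-key operations.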