Implementation of multiple security zones for wireless Viaduct

1
Implementation of multiple security zones for
wireless Viaduct

• Huaiyu Liu
• Univ. of Texas at Austin

Mentors Eric Grosse Sean Quinlan
John Venutolo Jim Mckie
2
Outline

• Current Viaduct
• Integrate wireless into Viaduct
• Current wireless standards and products
• The goal of this project

• What we need to do
• What we have done this summer
• Summary future work

08/16/100
3
The current Viaduct

• Provides an encrypted tunnel from home to office
• Easy-to-administer, secure and low-cost
• Strong demand within Lucent, more than 100 users
  currently

08/16/100
4
Integrate wireless into Viaduct

• Motivations
• Working at home
• Increase of mobile users
• Easy to install

08/16/100
5
Wireless standards and products

• 802.11 Standard

Basic Service Sets (Managed)
Ad-hoc networks

• Wired Equivalent Privacy
• protect authorized users of a wireless LAN from
  casual eavesdropping
• Using RC4 algorithm for encryption

08/16/100
6
Wireless standards and products (cont.)

• WaveLAN 802.11 IEEE PC Card (Orinoco)

• Security support -- RC4 encryption
• Does not support using different encryption keys
• HCF library from WaveLAN people
• Linux driver

08/16/100
7
Goal of the project
Internet
Lucent network

• Provide secure wireless access, without too much
  modification on end-user
• Easy administration
• Support multiple security zones
• network name
• different keys for different sessions

Neighbors PC
Viaduct
Lucent PC
Kids PC
ATT PC
08/16/100
8
What we need to do

• A WaveLAN driver for plan 9
• ethernet driver
• support WEP
• Make the Viaduct be a wireless base station

Ad-hoc network
08/16/100
9
What we need to do (cont.)

• Mechanisms for automatic key downloading
• protocol
• modification on the client
• accept both plaintext and ciphertext

08/16/100
10
What we need to do (cont.)

• Support multiple security zones
• a better solution -- different keys for different
  pairs
• currently -- two zones

Internet
Lucent networks
VPN applications
Authentication server
NAT
NAT
DHCP server
WaveLAN driver
plaintext
ciphertext
08/16/100
11
What we have done

• Write WaveLAN card driver
• fit WaveLAN driver into plan 9 system

attach
Ether-device
l
transmit
ether
devtab
open
interrupt
close
ifstat
promiscuous
CTL
-- support for WEP configuration tools
08/16/100
12
Write WaveLAN driver (cont.)

• 802.11 packets vs. Ethernet packetsEthernet
  packets are encapsulated inside 802.11 packets

Control fields
802.11 header
Ether header
Data Info (common for 802.11 and ether)
type
Frame control
Ether header
Ethernet DATA
802.11 header
DATA FRAME
MANAGEMENT FRAME
802.11 header
802.11 DATA
CONTROL FRAME
08/16/100
13
What we have done (cont.)

• Key downloading two security zones

DHCP server Auth server
Viaduct
Input queue
Input queue
Logical ether driver 1
Logical ether driver 2
WEP
Frame control
08/16/100
14
Summary

• Implement multiply security zones for wireless
  Viaduct
• secure wireless communication
• easy administration
• multiple security zones
• Currently
• ethernet driver
• demultiplex traffic
• two security zones
• Future work
• implement automatic key downloading
• more security zones

08/16/100