Ensure a Secure Environment for Voice over WiFi

2
Ensure a Secure Environment for Voice over WiFi
  • Sri Sundaralingam
  • Director, Product Management
  • AirTight Networks
  • SriS_at_airtightnetworks.net

3
Agenda
  • WiFi Security Concerns
  • Major WiFi Threats
  • Wi-Fi Security Requirements
  • Wi-Fi Best Practices
  • WIPS Deployment Best Practices
  • VoWiFi Planning & Monitoring
  • Demo
  • Q&A

4
Wi-Fi Security Concerns
  • Wi-Fi is inherently insecure
  • Signal bleeds through walls and windows
  • No central point of control
  • Easy to break in if proper security standards are
    not used
  • Legacy VoWiFi devices don't support latest
    security standards
  • Wi-Fi networks can be easily disrupted
  • DoS attacks are easy to launch
  • Usual security precautions don't work against DoS

5
Security Legislative Drivers
  • Privacy legislation requires companies to keep
    non-public personal information secure
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Gramm-Leach-Bliley (GLB) Act
  • Additional drivers
  • Sarbanes-Oxley
  • DoD Directive
  • Patriot Act
  • Liability for facilitating cyber-terrorism

6
Wi-Fi Security Threats
  • Eavesdropping
  • Unauthorized access
  • Stealing Internet access bandwidth
  • Access to sensitive data
  • Rogue APs and clients
  • Enterprises need to adjust security policies
  • Client mis-association
  • Sophisticated attacks
  • WEP attack (using weak IVs to find actual WEP
    key)
  • Brute force or dictionary attacks
  • Replay or forgery attacks
  • Man-in-the-middle attacks
  • Denial of Service (DoS) attack
  • Driver/firmware level attacks

7
Major Wi-Fi Threat Categories
  • Common
  • Rogue Access Points
  • Mis-configured Access Points
  • Ad hoc connections
  • Unauthorized client associations
  • Malicious
  • Honeypot APs
  • MAC spoofing APs
  • Denial of Service attack

[Figure: an enterprise network and a neighboring network, with labels for
Rogue AP, Mis-configured AP, Honeypot, Ad Hoc, Unauthorized Association,
Mis-association, AP MAC Spoofing and Denial of Service Attack]
Firewalls, VPNs, and 802.11 Security Standards Do
Not Prevent These Wi-Fi Threats on Either Wired
or Wireless Networks
8
Layer-2 based DoS attacks
  • WLAN networks are prone to Layer-2 DoS attacks!
  • Reduces medium availability
  • Impacts data throughput, VoIP over WLAN quality,
    Etc
  • There are several types of Layer-2 DoS attacks
  • 802.11 deauth/disassociation attacks
  • EAPOL flooding attacks
  • Driver/firmware level attacks
  • Etc.
  • Wireless Intrusion Prevention (WIPS) system shall
  • Detect and identify DoS attacks
  • Provide means to protect against DoS attacks
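
An added example, not part of the original slides or of any vendor's WIPS: one way a sensor could detect the 802.11 deauth/disassociation floods listed above, by counting those management frames per BSSID in a sliding window. The window length, the threshold, the tuple layout and all MAC addresses are assumptions or constructed sample data.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes: 10 = disassociation, 12 = deauthentication
DOS_SUBTYPES = {10: "disassoc", 12: "deauth"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_floods(frames, window_s=1.0, threshold=10):
    """Alert once per BSSID whose deauth/disassoc count exceeds `threshold`
    inside any sliding window of `window_s` seconds.

    frames: time-ordered (timestamp_s, subtype, bssid, dest_mac) tuples.
    window_s and threshold are assumed tuning values, not from the slides.
    """
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, subtype, bssid, dest in frames:
        if subtype not in DOS_SUBTYPES:
            continue              # beacons, data frames, etc. are not counted
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()           # drop frames that fell out of the window
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "first_seen": q[0],
                           "count": len(q), "kind": DOS_SUBTYPES[subtype],
                           # a broadcast destination hits every client at once
                           "broadcast": dest == BROADCAST})
    return alerts

def sample_frames():
    """Constructed capture: normal churn on one AP, a flood on another."""
    frames = []
    for i in range(3):            # three isolated deauths, 20 s apart
        frames.append((i * 20.0, 12, "00:11:22:33:44:01",
                       "aa:bb:cc:00:00:0%d" % i))
    for i in range(40):           # 40 broadcast deauths within 0.4 s
        frames.append((30.0 + i * 0.01, 12, "00:11:22:33:44:02", BROADCAST))
    frames.append((31.0, 8, "00:11:22:33:44:01", BROADCAST))  # a beacon
    return sorted(frames)

if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print(alert)
```

For VoWiFi the alert matters because every forced re-association interrupts calls in progress on that AP.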

9
Legacy Device Issues
  • Legacy devices are commonplace
  • Bar code scanners, point of sale terminals
  • Printers
  • Voice over Wi-Fi phones
  • Likely not to support proper security methods
  • WEP only, or worse, no encryption support at all
  • No ability to support IPsec VPN clients
  • Recommendations
  • Separate VLAN mapped to SSID with WEP/no
    security
  • MAC address authentication
  • Regular rotation of WEP key (if available)

10
Wi-Fi Security Requirements
  • Encryption/authentication
  • Access Point Authentication
  • Per User and Per Session Authentication
  • RF monitoring and detection
  • Threat prevention and location tracking
  • Commonplace security threats
  • i.e. rogue APs /clients and unauthorized
    associations
  • Malicious attacks
  • Evil Twin/Honey pot APs
  • Denial of Service attacks

11
Wi-Fi Security Best Practices
Wireless Encryption/Authentication
  • Enable Security!
  • WPA or WPA2
  • Use 802.1x
  • Change the default SSID
  • Use VLANs and separate SSIDs for legacy
    devices
Wireless/Wired Integration
  • Secure management interfaces
  • SSH
  • SSL
  • SNMPv3
  • Management VLAN
  • Network Access Protection
Wireless IPS
  • Automatic detection
  • Auto-classification
  • Rogue AP and client prevention
  • Location tracking

12
Deployment Best Practice: Security
Wireless Intrusion Prevention System (WIPS)
  • Provides 24 x 7 security coverage
  • Three key functions
  • Detects and automatically classifies wireless
    events & devices to determine which are threats
    and which are not
  • Robustly prevents (multiple) wireless threats
  • Accurately locates wireless threats

13
Locating Wi-Fi Threats
Rogue AP Location Tracking Accuracy
  • High Power Cisco AP: 4 feet
  • Medium Power D-link AP: 5 feet
  • Low Power Cisco AP: 12 feet
  • Belkin AP: 10 feet

14
WIPS Deployment Best Practices
  • Security coverage planning
  • How many sensors do I need?
  • Avoid blind spots!
  • Cover your wired network
  • Cover all wired VLANs vulnerable to Wi-Fi threats
  • Automate device classification & threat
    prevention
  • Avoid manual work to classify APs & clients!
  • Automate threat prevention based on your risk
    scenarios
  • Locate & physically remove threats (Rogue APs,
    etc)
  • Automated reporting
  • Configure WIPS system to provide automated
    detailed reports (weekly, monthly, etc)
  • Mobile Security outside the enterprise premises
  • Locking down the laptop at home, at the airport,
    at the hotel, etc.

15
Now that you've figured out your security
architecture...
16
Deploying VoWiFi
  • Demos work great, but ad hoc deployments don't
    scale
  • Common problems
  • Invisible signal blackout zones
  • Signal drop out in stairways
  • Inadequate capacity in high user density areas
  • Channel interference & noise
  • Data usage is expected to grow; not sure how to
    provision for growth
  • Signal bleed through from neighbor's building

17
Deployment Best Practice
  • Plan
  • Anticipate performance needs of VoIP application
    in advance. Deploy/configure WiFi infrastructure
    to obtain the best possible performance
  • Monitor
  • Monitor for changes that cannot be anticipated at
    the planning stage. Adjust network configuration
    to respond to environment changes
  • Secure
  • Protect against malicious threats that can
    disrupt VoIP application
  • Protect VoWiFi infrastructure vulnerabilities
    that can easily be exploited to breach corporate
    network security

18
Why 3 Steps?
Factors affecting WiFi performance (columns: Pre-deployment Planning, Live Monitoring, Detect & Prevent Threats)
  • Site layout, construction material
  • Co-channel interference from deployed AP
  • Co-channel interference from neighbor APs and clients: can only be estimated when the network is in operation
  • Noise: noise level can change over time
  • Usage, Contention, Traffic: dynamic and can only be measured when the network is operational
  • Security (e.g. DoS attacks): need to detect & respond in real-time
19
Deployment Best Practice: Planning
  • What type of QoS capabilities will be deployed?
  • How much network capacity should be kept aside
    for these?
  • What is the projected growth for applications
    requiring QoS?

20
Deployment Best Practice: Planning
Example: how to determine required network
capacity?
  • Call radius: 50 ft
  • Users: 39
  • Active Phone Lines: 12
  • Concentration X1: 3.25
Bandwidth (MBPS)
  • Voice Uplink: 0.77
  • Voice Downlink: 0.77
  • Data Downlink: 3.25
  • Data Uplink: 1.63
  • Total Throughput: 6.41
Assumptions
  • 200 sqft/user
  • 8 hour work day
  • 150 Mb of avg data traffic/user over WLAN
  • Peak usage is 3x (i.e. need to assume 450 Mb data
    traffic/user)
  • 0.15 ERLANG of voice load
  • VoIP connection requires 64Kbps in each direction

Assumes 100 wireless
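
An added example, not from the original slides: the capacity table above worked through in code. Three inputs are assumptions not stated on the slide, chosen here because they reproduce its figures: Erlang B with a 1% blocking target for the number of active lines, "Mb" read as megabytes, and a 2:1 downlink-to-uplink split of data traffic. The function names are hypothetical.

```python
import math

def erlang_b(offered, lines):
    """Blocking probability for `lines` channels (Erlang B recursion)."""
    b = 1.0
    for n in range(1, lines + 1):
        b = offered * b / (n + offered * b)
    return b

def lines_needed(offered, max_blocking):
    """Smallest number of simultaneous calls that keeps blocking in bounds."""
    n = 1
    while erlang_b(offered, n) > max_blocking:
        n += 1
    return n

def plan_cell(radius_ft=50, sqft_per_user=200, erlang_per_user=0.15,
              voice_kbps=64, avg_mbytes_per_user=150, peak_factor=3,
              workday_h=8,
              max_blocking=0.01,      # assumption, not on the slide
              downlink_share=2 / 3):  # assumption, not on the slide
    # Whole users that fit in the circular call area
    users = int(math.pi * radius_ft ** 2 / sqft_per_user)
    lines = lines_needed(users * erlang_per_user, max_blocking)
    voice = lines * voice_kbps / 1000            # Mbps, each direction
    # Peak daily volume per user, spread over the work day, in Mbps
    per_user = avg_mbytes_per_user * peak_factor * 8 / (workday_h * 3600)
    data = users * per_user
    return {
        "users": users, "active_lines": lines,
        "concentration": users / lines,
        "voice_up": voice, "voice_down": voice,
        "data_down": data * downlink_share,
        "data_up": data * (1 - downlink_share),
        "total": 2 * voice + data,
    }

if __name__ == "__main__":
    for key, value in plan_cell().items():
        print(f"{key:>14}: {value:.2f}")
```

At 12 lines the blocking probability is just under 1%, so a small rise in users or voice load pushes the cell to 13 lines.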
21
Deployment Best Practice: Planning
Which signal coverage are you going to assume?
22
Predictive Planning Vs Alternative Methods
23
Deployment Best Practice: Monitoring
Sample Monitoring (Event) Chart
24
Deployment Best Practice: Monitoring
Sample Monitoring (Usage) Chart
25
Questions?
VoWiFi