Wireless LANs (CO72047) Bill Buchanan, Reader, School of Computing.

Transcription

1 Bill Buchanan, Reader, School of Computing. W.Buchanan (1)

2 Lab setup W.Buchanan (2)

3 W.Buchanan (3) Console Server Con Cisco Aironet Port 2001 Con Cisco Aironet Port 2002 Con Cisco Aironet Port 2003

4 W.Buchanan (4)

5 W.Buchanan (5) Wireless Network APskills1 APskills2 APskills Port: Console Server Con

6 W.Buchanan (6)

7 W.Buchanan (7)

8 W.Buchanan (8) Week Date Academic Cisco Lab/Tutorial 1 26 Sep 1: Radio Wave Fundamentals 2 3 Oct 2: Wireless Fundamentals Intro to Wireless LANs Access Point Tutorial 1 (T) 3 10 Oct 3: Wireless Infrastructures IEEE and NICs Access Point Tutorial 2 (T) 4 17 Oct 4: Encryption Wireless Radio Technology Ad-hoc Networks (L) 5 24 Oct Wireless Topologies Infrastructure Networks (L) 6 31 Oct 5: Authentication Access Points Radio Configuration Settings (L) 7 7 Nov 6: Antennas Bridges Filtering (L) 8 14 Nov 7: Filtering Antennas Encryption (L) 9 21 Nov 8: GSM/3G Security Authentication/EAP (L) Nov 9: Future Technologies Applications Configuring Services (L) 11 5 Dec 10: Site Surveys/ Troubleshooting Site Survey VLANs (L) Dec 11: Location-finding Troubleshooting Proxy Mobile IP (L) Holidays 13 9 Jan Revision/Cram (Cisco Exam) Emerging Technologies Power Management (L) Jan Revision (Napier Exam) Revision/Cram Coursework/Practical (50%) Jan Napier Exam (40%) Cisco Exam (10%)

9 Coursework W.Buchanan (9)

10 Academic Professional Certification On-line test: 40% On-line test: 10% Coursework test: 50% Demonstrates analytical and synthesis skills in defining the key stages in the development of a wireless solution from its specification and design to its evaluation. Provides an in-depth understanding of the key principles involved in the operation of a wireless system. Demonstrates key practical skills in the implementation, evaluation and debugging of wireless systems. Single mark submitted Academic/Professional Certification W.Buchanan (10)

11 W.Buchanan (11) Title: Secure Wireless Network Design Objective: To design a secure wireless network. Outline: The objective of this coursework is to design a secure wireless network which meets certain objectives, and to implement a prototype of the system. Submission: PDF document submitted to Web-CT by Monday, 16 January 2005, 12pm. Assessment: A grade will be assigned for the assessment, which will be returned to the student. This grade will then be converted to a mark for the module board.

12 W.Buchanan (12) Introduction. This should define the aims of the coursework, and provide background material. [5%] Design. This section should present a possible wireless design for an organisation network which supports up to 100 simultaneous users. This design should include encryption, authentication and the required firewalling/ filtering. Further details of the security constraints will be given in the lecture [25%] Implementation. This section should provide a prototype of the proposed wireless system including sample configurations, and an explanation of their operation. [35%] Conclusions. This should outline the main conclusions of the report. [15%] Presentation/references. This relates to the layout and format of the report. Any references should be given using the Harvard referencing standard. Do not copy any material directly from a source. [20%]

13 W.Buchanan (13) Production Sales Engineering

14 W.Buchanan (14) Three main groups: Sales, Production and Engineering. Each group has 60 users in each group. The standard network card is a Cisco Aironet 350, and the access point selected is a Cisco Aironet The physical span of the network is similar to the size of the Merchiston library. The Sales and Production departments should not be able to access the Web server on any access points, but Engineering can. The Sales department should not be able to ping any of the network, while the Production department can ping for the access point, while the Engineering department can ping any part of the network. The Engineering department should be able to access SNMP information on the access point and the router, but no other device. Sales and Production should not be able to access any SNMP information.

15 W.Buchanan (15) The department servers are located at: (for the Sales department); (for the Production department); and (for the Engineering department). Access should be barred to the server which is not defined for the department. There is also a public access server at External WWW access should only be allowed for the Sales department. An server is located at It supports most of the commonly used protocols. Every user should be able to access it. The organisation has external access to a single router which has an external IP address of /24, and has at least three ports (but more can be added, as required). Users in Engineering should be allowed to log into any access points, in a secure way. Overall, the network should be fairly secure and robust, in case of failures.

16 Filtering W.Buchanan (16)

17 Filtering Application Application Application Application Transport Transport Transport Transport TCP/UDP/ ICMP Internet Internet Network Network Host A Internet Internet Network Network Intermediate system Internet Internet Network Network Host B IP/IPX MAC Example of encryption applied at the Network layer W.Buchanan (17)

18 Screening Firewalls and Proxies: Proxy - isolates local network from untrusted networks (AKA: Application gateway) Application Screening firewall: Filters for source and destination TCP ports Screen firewall: Filters for source and destination IP addresses Transport Internet Internet model Firewalls W.Buchanan (18)

19 Screening Firewalls and Proxies: Proxy - isolates local network from untrusted networks (AKA: Application gateway) Application Screening firewall: Advantages: -Simple. - Low costs Disadvantages: - Complexity of rules. - Cost of managing firewall. - Lack of user-authentication. Transport Internet Internet model Firewalls and Proxies W.Buchanan (19)

20 W.Buchanan (20) Core Proxies/ Public access servers DMZ (Demilitarized Zone) Distribution Access

21 W.Buchanan (21) Core Proxies/ Public access servers PIX PIX firewall. firewall. Defines Defines security security rules rules DMZ (Demilitarized Zone) Distribution Access

22 W.Buchanan (22) Core Proxies/ Public access servers Screening Screening firewall. firewall. Filters Filters packets, packets, based based on on source/destination source/destination IP IP addresses addresses and and TCP TCP ports ports DMZ (Demilitarized Zone) Distribution Access

23 W.Buchanan (23) Core Proxies/ Public access servers DMZ (Demilitarized Zone) VLAN1 Distribution VLAN2 Access

24 W.Buchanan (24) Core Proxies/ Public access servers DMZ (Demilitarized Zone) VLANs. VLANs. MAC MAC filtering. filtering. IP IP filtering. filtering. TCP TCP filtering. filtering. NAT. NAT. Distribution Access

25 NAT W.Buchanan (25)

26 : :4444 Outgoing data data : :5555 Outgoing data data : :4444 Incoming data data : :5555 Incoming data data PAT (Port address translation) Maps many addresses to one global address. N Network address translation W.Buchanan (26)

27 : :4444 Outgoing data data : :5555 Outgoing data data : :4444 Incoming data data N : :5555 Incoming data data IP:port (inside) IP:port (outside) Ipdest:port : : :80 NAT router remembers the source and destination IP address and ports Network address translation W.Buchanan (27)

28 : :4444 Outgoing data data : :5555 Outgoing data data : :4444 Incoming data data IP:port (inside) IP:port (outside) Ipdest:port : : : : : : : : : : : :80 N : :5555 Incoming data data New connects in the table Network address translation W.Buchanan (28)

29 : :4444 Outgoing data data : :5555 Outgoing data data : :4444 Incoming data data Nat: Hides the network addresses of the network. Bars direct contact with a host. Increased range of address. Allow easy creation of subnetworks. Network address translation N : :5555 Incoming data data W.Buchanan (29)

30 Static translation. Each public IP address translates to a private one through a static table. Good for security/logging/traceabilty. Bad, as it does not hide the internal network. a1.b1.c1.d1 a2.b2.c2.d2 N w1.x1.y1.z1 w2.x2.y2.z2 IP Masquerading (Dynamic Translation). A single public IP address is used for the whole network. The table is thus dynamic. Load Balancing Translation. With this, a request is made to a resource, such as to a WWW server, the NAT device then looks at the current loading of the systems, and forwards the request to the one which is most lightly used Private address a1.b1.c1.d1 a2.b2.c2.d2 Private address N Public address w.x.y.z w.x.y.z Public address NAT W.Buchanan (30)

31 a1.b1.c1.d1 Or a1.b1.c1.d1 Or an.bn.cn.dn NAT device selects the least used resource w.x.y.z N a1.b1.c1.d1 a1.b1.c1.d1 an.bn.cn.dn Private address Server pool Public address NAT - Load balancing W.Buchanan (31)

32 a1.b1.c1.d1 a2.b2.c2.d2 Private address N w1.x1.y1.z1 w2.x2.y2.z2 Public address NAT is good as we are isolated from the external public network, where our hosts make the initiate connections a1.b1.c1.d1 a2.b2.c2.d2 Private address N w.x.y.z Public address but what happens if we use applications which create connections in the reverse direction, such as with FTP and IRC?.. we thus need some form of backtracking of connections in the NAT device. NAT - Backtrack connections W.Buchanan (32)

33 Static NAT is poor for security, as it does not hide the network. This is because there is a one-to-one mapping. Dynamic NAT is good for security, as it hides the network. Unfortunately it has two major weaknesses: - Backtracking allows external parties to trace back a connection. - If the NAT device becomes compromised the external party can redirect traffic. Corporate WWW site a1.b1.c1.d1 N w1.x1.y1.z1 Compromised NAT table causes the connection to point to the external intruder s WWW site Backtracking External Intruder s WWW site NAT - Weaknesses. W.Buchanan (33)

34 Screening Firewall W.Buchanan (34)

35 For example the firewall may block FTP traffic going out of the network. A port on a router can be setup with ACLs to filter traffic based on the network address or the source or destination port number Router with firewall Screening Firewall W.Buchanan (35)

36 MAC address. Source IP address. The address that the data packet was sent from. Destination IP address. The address that the data packet is destined for. Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23), and WWW (port 80). Destination TCP port. The port that the data segment is destined for. Protocol type. This filters for UDP or TCP traffic. ACLs W.Buchanan (36)

37 MAC address filtering W.Buchanan (37)

38 W.Buchanan (38)

39 W.Buchanan (39) Scope of MAC address filtering Defined by broadcast domain

40 W.Buchanan (40) access-list [< > < >] [deny permit] [source ac] [source mask] [dest mac] [dest mask] For example to disallow the node with the mac address of b54.d83a access to 0060.b39f.cae1: (config)# access-list 1101 deny b54.d83a b39f.cae (config)# access-list 1101 permit ffff.ffff.ffff ffff.ffff.ffff (config)# int d0 (config-if)# l2-filter bridge-group-acl (config-if)# bridge-group input-address-list D D0

41 Standard ACLs W.Buchanan (41)

42 Router# access-list access-list-value {permit deny} source source-mask Router# access-list 1 deny Router# access-list 1 deny Router# access-list 1 deny Router# access-list 1 permit ip any any Standard ACLs filter on the source IP address Router (config)# interface Ethernet0 Router (config-if)# ip address Router (config-if)# ip access-group 1 in Standard ACLs W.Buchanan (42)

43 E0 D Traffic from any address rather than can pass Match this part Router# access-list 1 deny Router# access-list 1 permit any Ignore this part Router (config)# interface D0 Router (config-if)# ip address Router (config-if)# ip access-group 1 in Standard ACLs W.Buchanan (43)

44 E ! interface E0 ip address ip access-group 1 in! access-list 1 deny access-list 1 permit any Standard ACLs are applied as near to the destination as possible, so that they do not affect any other traffic Standard ACLs W.Buchanan (44)

45 W.Buchanan (45) (config)#ip access-list standard? <1-99> Standard IP access-list number < > Standard IP access-list number (expanded range) WORD Access-list name where WORD is the name of the access-list is be defined. For example: (config)#ip access-list standard Test (config-std-nacl)#? Standard Access List configuration commands: deny Specify packets to reject exit Exit from access-list configuration mode no Negate a command or set its defaults permit Specify packets to forward and to define a standard access-list: (config-std-nacl)#deny (config-std-nacl)#permit? Hostname or A.B.C.D Address to match any Any source host host A single host address

46 W.Buchanan (46) (config-std-nacl)#permit? Hostname or A.B.C.D Address to match any Any source host host A single host address (config-std-nacl)#permit any? log Log matches against this entry <cr> (config-std-nacl)#permit any It can then be applied with: (config)#int e0 (config-if)#ip access-group? <1-199> IP access list (standard or extended) < > IP expanded access list (standard or extended) WORD Access-list name (config-if)#ip access-group Test? in inbound packets out outbound packets (config-if)#ip access-group Test in

47 Extended ACLs W.Buchanan (47)

48 Router# access-list access-list-value {permit deny} {test-conditions} Router(config)#access-list 100 deny ip host Router(config)#access-list 100 permit ip any any Router(config)#access-list 100 deny ip Router(config)#access-list 100 permit ip any any Router(config)#access-list 100 deny ip host Router(config)#access-list 100 permit ip any any Router (config)# interface Ethernet0 Router (config-if)# ip address Router (config-if)# ip access-group 100 in Extended ACLs W.Buchanan (48)

49 E0 D from (config)#access-list 100 deny ip host (config)#access-list 100 permit ip any any to Denies traffic from to the network (config)#access-list 100 deny ip (config)#access-list 100 permit ip any any Denies traffic from any host on to the network Extended ACLs W.Buchanan (49)

50 Traffic blocked to the barred site All other traffic can flow ! interface D0 ip address ip access-group 100 in! access-list 100 deny ip access-list 100 permit ip any any Extended ACLs are applied as near to the source as possible, as they are more targeted Example of an Extended ACL W.Buchanan (50)

51 An extended ACLs can also filter for TCP/UDP traffic, such as: Optional field in brackets Router(config)#access-list access-list-value { permit deny } {tcp udp igrp} source source-mask destination destination-mask {eq neq lt gt} port access-list 101 deny tcp eq any host eq telnet access-list 101 permit ip any any E No Telnet Access to E Extended ACLs filtering TCP traffic W.Buchanan (51)

52 access-list 101 permit. access-list 101 deny ip any any E0 D A closed firewall, permits some things, and denies everything else access-list 101 deny. access-list 101 permit ip any any E0 D An open firewall, denies some things, and permits everything else Open and closed firewalls W.Buchanan (52)