The next point in our security policy checklist is network positioning and separation. If there is a single access point or wireless bridge on the network, its deployment is straightforward: plug it into the WAN interface of an appropriately configured firewalling device. Such a device can be a sophisticated commercial wireless gateway, a configured common OS-based firewall, or even a SOHO firewall such as Cisco PIX 501 or Nokia SonicWall. However, if multiple access points are deployed and users are allowed to roam freely between these APs, the configuration becomes more complicated. One possibility is to deploy Mobile IP across the corporate network. However, this will make the implementation of Layer 3 and higher VPNs a significant problem. Solutions for this problem do exist, but certain levels of security are likely to be sacrificed to provide seamless client roaming. Recall the Wavesec case and kraker_jack attack.

A more common and sensible solution is to place all access points on the same broadcast domain using VLANs. To implement this solution, corporate network switches have to support at least static VLAN configuration. Thus, the wireless network design should be an initial part of the overall network design; otherwise, significant additional resources might have to be spent on getting VLAN-enabled switches at the stage of WLAN deployment. We can't describe detailed VLAN setup technicalities in this article because the commands will differ depending on your switch manufacturer. However, we do provide you with examples of VLAN deployment and secure wireless network positioning using various Cisco equipment. This is a matter of personal experience; we are not affiliated with Cisco in any way.

Using Cisco Catalyst Switches and Aironet Access Points to Optimize Secure Wireless Network Design

An interesting proprietary VLAN enhancement feature is the private VLANs supported by Cisco Catalyst 6000 switches.
Imagine that you have wireless cells A, B, C, and D on the same VLAN, but want to restrict roaming between the cells so that users can roam either A and B or C and D only and can access the wired LAN only if associated with cell A. This way you can segment the WLAN between the company departments and different physical locations without introducing additional VLANs and routers and making the Layer 3 logical network structure more complicated. All these wonderful things are possible with private VLANs, which allow Layer 2 restriction placement: VLANs within VLANs. There are three kinds of private VLAN ports: promiscuous ports, which can exchange frames with every other port in the private VLAN; isolated ports, which can exchange frames only with promiscuous ports; and community ports, which can exchange frames with the other ports of the same community and with promiscuous ports.
Not surprisingly, there are three types of private VLANs. Primary VLANs carry data from promiscuous ports to isolated, community, and other promiscuous ports. Isolated VLANs carry data from isolated to promiscuous ports. Finally, community VLANs carry traffic between single community ports and promiscuous ports.

In addition to the security provided by private VLAN segmentation, there is also the option to write VLAN access control lists (VACLs) mapped separately to primary or secondary VLANs. You don't need a router to implement VACLs; having a Policy Feature Card (PFC) for your Catalyst will suffice. To learn more about private VLANs and VACL configuration on Cisco 6000 Catalyst switches, browse to http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml and http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f4ba.html.

Interestingly, ARP entries learned on Layer 3 private VLAN interfaces are "sticky ARP" entries that do not expire and cannot be altered. Imagine an AP plugged into the switch port on a private VLAN that connects to the gateway via the promiscuous port. An attacker manages to associate with the WLAN and launches an ARP spoofing attack against the gateway. With sticky ARP in use, the CAM table would not be modified by such an attack and a log message would be generated. Note that to avoid using Mobile IP and provide roaming, we intentionally make a wireless network deployment mistake that is awful security-wise: we plug the access point into a switch, not into a secure wireless gateway or at least a decent router with firewall capability. Sticky ARP partially corrects this issue by preventing both ARP-based man-in-the-middle and CAM table overflow attacks. However, this feature is limited to a particular switch brand on the expensive side.
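To make the sticky ARP behaviour described above concrete, here is an added simulation (not code from the article or from Cisco) that runs the same constructed sequence of ARP replies through an ordinary ARP cache and through a table that behaves like the Layer 3 private VLAN interface: the first binding for an IP is kept, a conflicting reply is rejected, and a log line is produced. The port names, IP addresses, the second MAC address and the reply sequence are constructed for illustration; only the behaviour (no expiry, no overwrite, a log entry on conflict) comes from the text.

```python
"""Sticky ARP simulation: added example, not code from the article or Cisco.

An ordinary ARP cache lets the newest reply win, which is what an ARP
spoofing attempt against the gateway relies on. A sticky table keeps the
first binding it learned, refuses to alter it and logs the attempt.
All addresses and replies below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ArpTable:
    sticky: bool                                   # True models the private VLAN interface
    entries: dict = field(default_factory=dict)    # ip -> mac
    log: list = field(default_factory=list)

    def learn(self, ip: str, mac: str, port: str) -> bool:
        """Process one ARP reply; return True if the table now holds ip -> mac."""
        mac = mac.lower()
        known = self.entries.get(ip)
        if known is None or known == mac:
            self.entries[ip] = mac                 # first sighting, or refresh of the same binding
            return True
        if self.sticky:
            # Conflict on a sticky entry: keep the original binding and log the attempt.
            self.log.append(f"STICKY-ARP: {ip} stays at {known}; rejected {mac} seen on {port}")
            return False
        # Ordinary cache: the newest reply overwrites the binding.
        self.log.append(f"ARP: {ip} moved from {known} to {mac} on {port}")
        self.entries[ip] = mac
        return True


# Constructed ARP replies as (ingress port, sender IP, sender MAC).
# The real gateway answers first; later a host on an isolated port claims
# the gateway's IP with its own MAC, twice, as a spoofing tool would repeat it.
REPLIES = [
    ("Gi1/1 (promiscuous)", "10.13.0.1", "0040.1337.1337"),
    ("Gi1/2 (isolated)", "10.13.0.50", "0040.aaaa.0050"),
    ("Gi1/2 (isolated)", "10.13.0.1", "0040.aaaa.0050"),   # conflicting claim for the gateway
    ("Gi1/2 (isolated)", "10.13.0.1", "0040.aaaa.0050"),   # repeated claim
]


def replay(sticky: bool) -> ArpTable:
    """Feed the constructed replies through a table of the requested kind."""
    table = ArpTable(sticky=sticky)
    for port, ip, mac in REPLIES:
        table.learn(ip, mac, port)
    return table


if __name__ == "__main__":
    for mode in (False, True):
        table = replay(mode)
        print(f"sticky={mode}: gateway 10.13.0.1 -> {table.entries['10.13.0.1']}")
        for line in table.log:
            print("   ", line)
```

With `sticky=False` the gateway's entry ends up pointing at the rogue MAC after the third reply; with `sticky=True` it never changes and every conflicting reply leaves a log line, which is the event a monitoring system should alert on.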
On other switches you have to configure MAC filtering and port security, which means hard-coding the MAC addresses and limiting the number of hosts allowed to connect on a port. Note that switch port security and MAC filtering and access point MAC address filtering are similar, but not the same. Both switch and AP MAC address filtering can be bypassed by knocking a legitimate wireless host offline and assuming its MAC address. However, switch port security provides an additional layer of defense by protecting against spoofed MAC address ARP floods. We like Cisco Catalyst switches because they are very hackable (in the sense of "configurable"), so we give you an example of switch port security configuration using Catalysts.

On the IOS-style command-line interface (CLI) switches such as Catalyst 1900, use permanent MAC entries to build a switch CAM table:

    abrvalk(config)#mac-address-table permanent 0040.1337.1337 ethernet 0/4

Enter all addresses you need, let's say 20. Then bind the number of allowed connections to the number of permanent MACs and define the action taken if that number is exceeded:

    abrvalk(config)#port security action trap
    abrvalk(config)#port security max-mac-count 20
    abrvalk(config)#address-violation suspend

With such a configuration the port would be suspended when receiving a frame from an illicit MAC address and re-enabled when a frame from a valid MAC address is received. An SNMP trap reporting the violation would be sent. Of course, an attacker can cause a DoS attack by constantly flooding the port with random MAC addresses, but being temporarily disconnected is better than letting the crackers in, and the flashing alarms will be triggered. The number of MAC addresses you can enter per port on IOS-style CLI Catalyst switches is 132.
On the Set/Clear CLI switches such as Catalyst 5000, use the set port security command:

    eblec>(enable)set port security 2/1 enable
    eblec>(enable)set port security 2/1 enable 0040.1337.1337

Enter all 20 MAC addresses you want to allow and fix that number with

    eblec>(enable)set port security 2/1 maximum 20

Define the security violation action:

    eblec>(enable)set port security 2/1 violation restrict

This command tells the switch to drop the packets coming from illicit MAC address hosts, but the port will remain enabled. Thus, a MAC address flood DoS attack against such switches is impossible, if properly configured. Check the port security configuration and statistics with

    eblec>(enable)show port security 2/1

The number of static ("secure" in Cisco-speak) CAM table entries on Set/Clear CLI Cisco switches is 1,024 plus one additional secure MAC address per port. This pool of static MACs is shared between all switch ports, so if there are 1,024 static MAC entries on a single port, the rest of the ports will have to use a single static MAC entry each. If there are 512 entries, the rest of the ports must share the remaining 512 plus <amount of remaining switch ports> static MACs.

Another interesting aspect of using Cisco equipment for both VLAN configuration and wireless networking is per-VLAN WEP or TKIP deployment on Cisco access points. That's right, you can set different WEP or TKIP keys and define different TKIP broadcast key rotation intervals for different VLANs. For example, to set a 128-bit WEP key on a Cisco Aironet 1200 access point to be used on VLAN 13 only, enter

    aironet#configure terminal
    aironet(config)#interface dot11radio 0
    aironet(config-if)#encryption vlan 13 mode ciphers wep128
    aironet(config-if)#end

By splitting the wireless network onto different VLANs and assigning multiple WEP keys, you can decrease the amount of traffic encrypted by a single WEP key, making WEP cracking more difficult. However, we strongly recommend using TKIP instead.
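The two Catalyst port security configurations above differ in what happens on a violation: the IOS-style example suspends the port until a valid address is seen again, the Set/Clear example drops the offending frames and leaves the port up. The following added simulation (not Cisco code, and not part of the article) replays one constructed frame sequence through both behaviours so the difference, and the effect of the max-mac-count setting, can be seen. It assumes the usual Catalyst behaviour that any slots below the maximum not filled by permanent entries are claimed by the first addresses the port sees; the port name, the second permitted MAC and the frame sequence are constructed.

```python
"""Switch port security simulation: added example, not Cisco code.

Models two violation actions on a port with a fixed set of permanent
(secure) MAC addresses and a maximum address count:
  "suspend"  - a frame from an illicit source takes the port down; a frame
               from a valid source brings it back (IOS-style Catalyst 1900
               example in the text); every violation raises a trap
  "restrict" - frames from illicit sources are dropped, port stays up
               (Set/Clear Catalyst example in the text)
Assumption: free slots below max_count are filled by learning, as the
switches do when maximum exceeds the number of permanent entries.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_count: int                                  # max-mac-count / maximum
    violation: str                                  # "suspend" or "restrict"
    secure_macs: set = field(default_factory=set)   # permanent plus learned addresses
    enabled: bool = True
    traps: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Handle one ingress frame; return True if it is forwarded."""
        src_mac = src_mac.lower()
        if src_mac not in self.secure_macs:
            if len(self.secure_macs) < self.max_count:
                self.secure_macs.add(src_mac)       # spare slot: learned as a secure address
            else:
                self.traps.append(f"{self.name}: violation, illicit source {src_mac}")
                if self.violation == "suspend":
                    self.enabled = False            # port suspended until a valid frame
                return False                        # either way the frame is dropped
        if not self.enabled:
            self.enabled = True                     # valid address re-enables a suspended port
            self.traps.append(f"{self.name}: re-enabled by valid source {src_mac}")
        return True


PERMITTED = {"0040.1337.1337", "0040.1337.2001"}   # constructed permanent entries

# Constructed frames (source MACs): two legitimate hosts, a burst of random
# addresses as a flood would produce, then a legitimate host again.
FRAMES = [
    "0040.1337.1337", "0040.1337.2001",
    "00de.ad00.0001", "00de.ad00.0002", "00de.ad00.0003",
    "0040.1337.1337",
]


def run(violation: str, spare_slots: int = 0) -> dict:
    """Replay FRAMES through a port; spare_slots raises maximum above the permanent count."""
    port = SecurePort(name="2/1", max_count=len(PERMITTED) + spare_slots,
                      violation=violation, secure_macs=set(PERMITTED))
    forwarded, enabled = [], []
    for mac in FRAMES:
        forwarded.append(port.receive(mac))
        enabled.append(port.enabled)
    return {
        "forwarded": forwarded,
        "enabled": enabled,
        "violations": sum("violation" in t for t in port.traps),
        "learned": sorted(port.secure_macs - PERMITTED),
    }


if __name__ == "__main__":
    for action in ("suspend", "restrict"):
        print(action, run(action))
    print("restrict with one spare slot", run("restrict", spare_slots=1))
```

Both actions drop the same frames, but only "suspend" shows the port going down during the flood, which is the DoS the text accepts as the price of the alarm. The spare-slot run shows why the text binds the maximum to the number of permanent entries: one free slot is enough for the first stranger to be learned as a secure address and forwarded.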
The following example configures a Cisco Aironet 1200 access point to use the WPA TKIP protocol described later in this tutorial and rotate the broadcast key every 150 seconds on VLAN 13 only:

    aironet#configure terminal
    aironet(config)#interface dot11radio 0
    aironet(config-if)#encryption vlan 13 mode ciphers tkip
    aironet(config-if)#broadcast-key vlan 13 change 150
    aironet(config-if)#end

The opportunity to have various keys on wireless VLANs and change them at different intervals provides better VLAN separation and segmentation and gives additional flexibility to the security-minded wireless network designer.