A Policy-based Approach to Wireless LAN Security Management
George Lapiotis, Byungsuk Kim, Subir Das, Farooq Anjum
Speaker: George Lapiotis ([email protected])
Athens/Greece, September 9, 2005
Telcordia Technologies Proprietary – Internal Use Only. This document contains proprietary information that shall be distributed, routed or made available only within Telcordia Technologies, except with written permission of Telcordia Technologies.
Policy-based WLAN Security Management - 2
Telcordia Technologies Proprietary - Internal use only. See proprietary restrictions on title page.
WLAN Security Management Challenges
- WLANs are an open shared medium
- Broken security mechanisms: large installed base of 802.11a/b/g
- Known WPA vulnerabilities: TKIP
- Untested new standards: IEEE 802.11i
- Mitigating the insider threat
  – E.g., unauthorized access to internal network resources/services
- Traditional security is based on manual static configuration
  – Needs to account for user mobility and a rapidly changing configuration environment
  – In policy-based tools, administrators define high-level policies instead
- Unified and consistent wireline-wireless security policy enforcement
The Smart Firewalls Technology
- Objective: “hands-free” management of multi-layer network security policies in dynamic network environments
  – Given a network, verify that the desired access is enabled and every undesired access is verifiably denied
- Simple language to express network security policies
  – in terms of access to applications and network services
- Policy engine populated by declarative models of network elements and services
  – validates policies
  – computes new configuration settings for network elements when policies are violated
- Network monitoring and instrumentation layer
  – reports network changes as they occur
  – implements configuration changes computed by the policy engine
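The loop this slide describes (declarative model of the network, validation of high-level access policies against it, computation of new element configuration when a policy is violated) can be shown end to end with a toy engine. The code below is an added example written for this page, not the Smart Firewalls implementation: the host/service/ACL model, the first-match-with-implicit-deny ACL semantics, the policy form and every host, subnet and service name are constructed assumptions. It goes one step beyond the slide in that it also detects the case where hosts of two groups with opposite policies share a subnet, where no subnet-level rule can make the undesired access "verifiably denied" without also breaking the desired access; the engine reports that as a conflict instead of emitting an inconsistent configuration.

```python
"""Toy policy engine: declarative network model -> validate high-level access
policies -> compute ACL changes on violation. Added example, not Telcordia's
Smart Firewalls code; all names and semantics below are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    group: str      # e.g. "employee" or "guest"
    subnet: str     # wireless subnet the host is currently attached to


@dataclass(frozen=True)
class Service:
    name: str
    server_subnet: str
    port: int


@dataclass
class FilterRule:
    """One entry of the access router's ordered ACL (first match wins)."""
    src_subnet: str
    dst_subnet: str
    port: int       # 0 means any port
    action: str     # "permit" or "deny"


@dataclass(frozen=True)
class Policy:
    """High-level policy: hosts in `group` may (allowed=True) or may not reach `service`."""
    group: str
    service: str
    allowed: bool


@dataclass
class NetworkModel:
    hosts: dict = field(default_factory=dict)     # name -> Host
    services: dict = field(default_factory=dict)  # name -> Service
    rules: list = field(default_factory=list)     # ordered FilterRule list

    def is_reachable(self, host, service):
        for r in self.rules:
            if (r.src_subnet == host.subnet and r.dst_subnet == service.server_subnet
                    and r.port in (0, service.port)):
                return r.action == "permit"
        return False    # implicit deny at the end of the ACL (assumption)


def validate(model, policies):
    """Return (host, service, expected_allowed) for every policy the current ACL violates."""
    violations = []
    for p in policies:
        svc = model.services[p.service]
        for h in model.hosts.values():
            if h.group == p.group and model.is_reachable(h, svc) != p.allowed:
                violations.append((h.name, svc.name, p.allowed))
    return violations


def compute_fix(model, policies):
    """Compute ACL entries to prepend so every violation is corrected.
    Returns (new_rules, conflicts); a conflict is a (src, dst, port) key where hosts
    with opposite policies share a subnet, so no subnet-level rule satisfies both."""
    required = {}   # (src_subnet, dst_subnet, port) -> set of required outcomes
    for p in policies:
        s = model.services[p.service]
        for h in model.hosts.values():
            if h.group == p.group:
                required.setdefault((h.subnet, s.server_subnet, s.port), set()).add(p.allowed)
    conflicts = sorted(k for k, v in required.items() if len(v) > 1)
    violated = set()
    for host_name, svc_name, _ in validate(model, policies):
        h, s = model.hosts[host_name], model.services[svc_name]
        violated.add((h.subnet, s.server_subnet, s.port))
    new_rules = [FilterRule(src, dst, port, "permit" if required[(src, dst, port)] == {True} else "deny")
                 for (src, dst, port) in sorted(violated) if (src, dst, port) not in conflicts]
    return new_rules, conflicts


def apply_fix(model, new_rules):
    """Stand-in for the instrumentation layer: prepend the computed entries to the ACL."""
    model.rules = new_rules + model.rules


def build_example():
    """Constructed sample: the guest subnet was mistakenly permitted to reach the intranet server."""
    m = NetworkModel()
    m.hosts["alice"] = Host("alice", "employee", "wlan-staff")
    m.hosts["bob"] = Host("bob", "guest", "wlan-guest")
    m.services["intranet"] = Service("intranet", "dc-net", 80)
    m.rules = [FilterRule("wlan-guest", "dc-net", 0, "permit"),   # the misconfiguration
               FilterRule("wlan-staff", "dc-net", 80, "permit")]
    policies = [Policy("employee", "intranet", True), Policy("guest", "intranet", False)]
    return m, policies


if __name__ == "__main__":
    model, policies = build_example()
    print("violations:", validate(model, policies))
    rules, conflicts = compute_fix(model, policies)
    apply_fix(model, rules)
    print("added:", rules, "conflicts:", conflicts, "after:", validate(model, policies))
```

Running it reports the guest host as the single violation, prepends one deny entry for the guest subnet, and re-validation is clean. Adding a guest host to the staff subnet then yields a conflict rather than a rule, which is the signal an administrator needs that the policy cannot be enforced at subnet granularity (a per-host or per-VLAN control is required).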
[Figure: Policy Engine State Diagram]
Policy-based Security Architecture
[Figure: the Policy Engine holds the policy, the topology, the high-level policy configuration and the summarized configuration. Below it, the Wireless Domain Policy Managers hold the low-level policy configuration and the detailed configuration; "Control & Monitor" links run from the engine through the Wireless Domain Policy Managers down to the Access Points.]
WLAN Security Architecture
[Figure: Multi-Domain Wireless Access Policy Control. A central Policy Engine receives AP and Host Info from Wireless Policy Domain A, Wireless Policy Domain B, and further domains (…). Each domain has a Wireless Policy Domain Controller and a Local Monitor; its Wireless Subnet contains Access Points, an Access Router and Mobile Hosts.]
Wireless Domain Policy Manager
- Introduced to scale up the system for mobility and rapid configuration changes
  – A centralized depository might become a bottleneck in a volatile network
- Operates as a Global Policy Adaptor
  – Forwards abstracted snapshots of wireless network host connectivity status to the policy engine; access point connectivity is abstracted
  – Translates and pushes low-level vendor-specific AP configurations when the engine uncovers inconsistencies
- Operates as a WLAN Policy Controller with some local autonomy
  – Pushes security monitoring configuration to the Local Monitors
  – May independently block hosts if necessary
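The two roles on this slide are easier to see with a small model of the manager. The code below is an added example, not the Telcordia implementation: the Global Policy Adaptor side reduces per-AP station tables to a host-level snapshot and forwards only the delta to the engine (so the central depository is not flooded on every roam), and the Policy Controller side translates an engine "block host" decision into one command per AP through a per-vendor adaptor, and blocks on its own when a Local Monitor alert exceeds a severity threshold. The vendor names, report layout, adaptor command syntax, message shapes and threshold value are all constructed assumptions, not any vendor's real interface.

```python
"""Toy Wireless Domain Policy Manager. Added example, not Telcordia's code;
vendor names, report formats, command strings and message shapes are invented."""
from dataclasses import dataclass


# Constructed per-AP station reports as the adaptation module would collect them.
# The same MAC appears on both APs: it has roamed from ap-1 to ap-2.
RAW_AP_REPORTS = {
    "ap-1": {"vendor": "vendorA", "subnet": "10.1.1.0/24",
             "stations": [("00:11:22:33:44:55", "10.1.1.10"), ("00:11:22:33:44:66", "10.1.1.11")]},
    "ap-2": {"vendor": "vendorB", "subnet": "10.1.2.0/24",
             "stations": [("00:11:22:33:44:55", "10.1.2.10")]},
}


def abstract_snapshot(reports):
    """Global Policy Adaptor role: collapse AP-level station tables into a host-level view
    (mac -> list of (ap, subnet)) that hides vendor detail from the engine."""
    snap = {}
    for ap, rep in sorted(reports.items()):
        for mac, _ip in rep["stations"]:
            snap.setdefault(mac, []).append((ap, rep["subnet"]))
    return snap


def snapshot_delta(old, new):
    """Only changed hosts are forwarded, so the central engine is not a bottleneck."""
    joined = {mac: locs for mac, locs in new.items() if old.get(mac) != locs}
    left = {mac: locs for mac, locs in old.items() if mac not in new}
    return {"joined_or_moved": joined, "left": left}


# Adaptation module: one adaptor per management interface. Command strings are
# constructed placeholders, not real SNMP/HTTP/CLI syntax of any vendor.
class SnmpAdaptor:
    def block(self, ap, mac):
        return f"snmpset {ap} HYPOTHETICAL-MIB::stationBlock.{mac} = 1"


class HttpAdaptor:
    def block(self, ap, mac):
        return f"POST https://{ap}/api/acl {{'deny': '{mac}'}}"


class CliAdaptor:
    def block(self, ap, mac):
        return f"ssh {ap} 'wlan acl deny {mac}'"


VENDOR_ADAPTORS = {"vendorA": SnmpAdaptor(), "vendorB": CliAdaptor(), "vendorC": HttpAdaptor()}


def translate_block(reports, mac):
    """Policy Controller role: one vendor-specific command per AP currently serving the host."""
    return [VENDOR_ADAPTORS[rep["vendor"]].block(ap, mac)
            for ap, rep in sorted(reports.items())
            if any(m == mac for m, _ in rep["stations"])]


class DomainPolicyManager:
    def __init__(self, reports, autonomous_threshold=3):
        self.reports = reports
        self.last_snapshot = {}
        self.threshold = autonomous_threshold   # assumed severity scale, 1..5
        self.outbox = []    # messages queued for the policy engine
        self.issued = []    # commands pushed to access points

    def poll(self):
        """Refresh the abstracted snapshot and report only what changed."""
        new = abstract_snapshot(self.reports)
        delta = snapshot_delta(self.last_snapshot, new)
        if delta["joined_or_moved"] or delta["left"]:
            self.outbox.append({"type": "topology_update", **delta})
        self.last_snapshot = new
        return delta

    def on_engine_message(self, msg):
        """Engine found an inconsistency and decided to block a host."""
        if msg.get("action") == "block":
            self.issued.extend(translate_block(self.reports, msg["host"]))

    def on_local_alert(self, alert):
        """Local Monitor alert: always reported upstream; the manager acts on its own
        (without waiting for the engine) only above the configured severity threshold."""
        self.outbox.append({"type": "alert", **alert})
        if alert["severity"] >= self.threshold:
            self.issued.extend(translate_block(self.reports, alert["host"]))
            return True
        return False


if __name__ == "__main__":
    wdpm = DomainPolicyManager(RAW_AP_REPORTS)
    print("first poll:", wdpm.poll())
    print("second poll:", wdpm.poll())      # nothing changed, nothing forwarded
    wdpm.on_engine_message({"action": "block", "host": "00:11:22:33:44:55"})
    print("issued:", wdpm.issued)
```

The first poll forwards every host; an unchanged second poll forwards nothing. A block for the roamed station produces two commands, one in each AP vendor's syntax, which is the translation step the slide describes. A low-severity local alert is only reported, while one at or above the threshold is acted on locally, matching the "some local autonomy" wording.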
Wireless Domain Policy Manager and Local Monitor
[Figure: Wireless Domain Policy Manager modules: Database Module (Host Table, AP Table, AP Interface Definition Table); Execution Module (PE Messaging System Interface, XML Message Handler, Policy Execution), which exchanges messages with the Policy Engine; Adaptation Module (SNMP Adaptor, HTTP Adaptor, CLI Adaptor) driving multi-type Access Points. Local Monitor modules: Wireless Traffic Sniffer & Attack Detection Module (Attack 1, Attack 2, …, Attack n); Global Monitor Module (Local Monitor Correlator, Local Monitor Configuration, Alarming and Logging).]
Supported Attack Detection Modules
- Denial of Service
- Rogue Access Point
- Man in the Middle
- Mobility-based Attacks
Obviously not all-inclusive!
Deployment Scenario
[Figure: a Wireline Network hosts the Policy Engine (global policy) and a WDPM; the WDPM manages two WLAN Access Networks, each with an AP and a Local Monitor (LM) holding local policy & configuration, and sends Topology Updates to the Policy Engine. Numbered sequence: (1) a Mobile Host launches an attack; (2) Detect, by the LM; (3) Report, to the WDPM and Policy Engine; (4) Action; (5) Recover.]
Future Work
- Current implementation supports Wi-Fi networks; extend to WiMAX
- Extend to more types of intrusion attacks using additional detection modules
- Extend to cover more access point types, vendors, and interfaces
- Use the engine for intruder redirection to honeypots
- Further scalability limits with multiple policy engines
  – tradeoff is global security policy consistency