Page 1: A Policy-based Approach to Wireless LAN Security Management
George Lapiotis, Byungsuk Kim, Subir Das, Farooq Anjum
Speaker: George Lapiotis, lapiotis@research.telcordia.com
Telcordia Technologies
Athens/Greece, September 9, 2005
Telcordia Technologies Proprietary – Internal Use Only. This document contains proprietary information that shall be distributed, routed or made available only within Telcordia Technologies, except with written permission of Telcordia Technologies.

Page 2: WLAN Security Management Challenges
- WLANs are an open shared medium
- Broken security mechanisms
  – Large installed base of 802.11a/b/g
  – Known WPA vulnerabilities
- Untested new standards
  – TKIP
  – IEEE 802.11i
- Mitigating the insider threat
  – E.g., unauthorized access to internal network resources/services
- Traditional security is based on manual static configuration
  – In policy-based tools, administrators define high-level policies
  – Need to account for user mobility and a rapidly changing configuration environment
- Unified and consistent wireline-wireless security policy enforcement

Page 3: The Smart Firewalls Technology
- Objective: "hands-free" management of multi-layer network security policies in dynamic network environments
  – Given a network, verify that the desired access is enabled and every undesired access is verifiably denied
- Simple language to express network security policies
  – in terms of access to applications and network services
- Policy engine populated by declarative models of network elements and services
  – validates policies
  – computes new configuration settings for network elements when policies are violated
- Network monitoring and instrumentation layer
  – reports network changes as they occur
  – implements configuration changes computed by the policy engine

Page 4: Policy Engine State Diagram (figure)

Page 5: Policy-based Security Architecture (figure)
Figure labels, top to bottom: Policy; Policy Engine (with Topology); High-level Policy Configuration and Summarized Configuration exchanged between the Policy Engine and the Wireless Domain Policy Managers; Low-level Policy Configuration and Detailed Configuration exchanged between the Wireless Domain Policy Managers and the Access Points, which the managers Control & Monitor.

Page 6: WLAN Security Architecture (figure)
Figure labels: Multi-Domain Wireless Access Policy Control with a central Policy Engine; Wireless Policy Domain A and Wireless Policy Domain B, each containing a Wireless Policy Domain Controller, Access Point, Access Router, Local Monitor, Mobile Host and Wireless Subnet; "AP and Host Info" is what the domains report to the Policy Engine.

Page 7: Wireless Domain Policy Manager
- Introduced to scale up the system for mobility and rapid configuration changes
  – A centralized depository might become a bottleneck in a volatile network
- Operates as a Global Policy Adaptor
  – Forwards abstracted snapshots of wireless network host connectivity status to the policy engine
  – Access point connectivity is abstracted
  – Translates and pushes low-level vendor-specific AP configurations when the engine uncovers inconsistencies
- Operates as a WLAN Policy Controller with some local autonomy
  – Pushes security monitoring configuration to Local Monitors
  – May independently block hosts if necessary
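A minimal worked version of the policy-engine loop described on the Smart Firewalls and Wireless Domain Policy Manager slides (validate high-level policies against a host-connectivity snapshot forwarded by the WDPM, then compute the corrected AP configuration the WDPM would push), written here as an added example in Python; it is not the Smart Firewalls code, and the role/service policy language, the per-AP configuration shape and the sample hosts are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    role: str      # class of mobile host the rule applies to, e.g. "guest"
    service: str   # application or network service named by the rule
    allow: bool    # True = desired access, False = undesired access

@dataclass(frozen=True)
class Host:
    mac: str       # hypothetical host identifier carried in the WDPM snapshot
    role: str
    ap: str        # access point the host is currently associated with

# Low-level per-AP configuration (hypothetical, vendor-neutral stand-in for what
# a WDPM adaptor would push): {ap: {role: set of reachable services}}.

def validate(policies, snapshot, ap_configs):
    """Return (host, policy) pairs where an AP's configuration contradicts a policy."""
    violations = []
    for h in snapshot:
        reachable = ap_configs.get(h.ap, {}).get(h.role, set())
        for p in policies:
            # violated when allow/deny disagrees with what the host can actually reach
            if p.role == h.role and p.allow != (p.service in reachable):
                violations.append((h, p))
    return violations

def compute_config(policies, snapshot, ap_configs):
    """Corrected per-AP configs: enable every desired access, deny every undesired one."""
    new = {ap: {r: set(s) for r, s in cfg.items()} for ap, cfg in ap_configs.items()}
    for h, p in validate(policies, snapshot, ap_configs):
        acl = new.setdefault(h.ap, {}).setdefault(h.role, set())
        if p.allow:
            acl.add(p.service)
        else:
            acl.discard(p.service)
    return new   # the input configuration is left untouched

# Constructed sample input (not from the paper): two hosts, two APs, three rules.
POLICIES = [
    Policy("guest", "web-proxy", True),
    Policy("guest", "intranet-fileserver", False),
    Policy("staff", "intranet-fileserver", True),
]
SNAPSHOT = [Host("00:11:22:33:44:55", "guest", "ap-1"),
            Host("66:77:88:99:aa:bb", "staff", "ap-2")]
AP_CONFIGS = {
    "ap-1": {"guest": {"web-proxy", "intranet-fileserver"}},  # guest reaches the file server
    "ap-2": {"staff": set()},                                  # staff cannot reach it
}
```

Running validate on the corrected configuration returns no violations, which is the "verifiably denied" check the engine repeats after every topology update.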

Page 8: Wireless Domain Policy Manager and Local Monitor (figure)
Figure labels, grouped by block:
- Wireless Domain Policy Manager
  – Database Module: Host Table, AP Table, AP Interface Definition Table
  – Execution Module: PE Messaging System Interface, XML Message Handler, Policy Execution
  – Adaptation Module: SNMP Adaptor, HTTP Adaptor, CLI Adaptor (towards Multi-type Access Points)
  – Global Monitor Module: Local Monitor Correlator, Local Monitor Configuration, Alarming and Logging
- Local Monitor
  – Wireless Traffic Sniffer & Attack Detection Module: Attack 1, Attack 2, ..., Attack n
- Policy Engine and Multi-type Access Points (shown outside the manager)

Page 9: Supported Attack Detection Modules
- Denial of Service
- Rogue Access Point
- Man in the Middle
- Mobility-based Attacks
Obviously not all-inclusive!

Page 10: Deployment Scenario (figure)
Figure labels: Wireline Network; two WLAN Access Networks, each with an AP and a Local Monitor (LM) holding local policy & configuration; Mobile Host; Policy Engine holding the global policy; WDPMan (the Wireless Domain Policy Manager); Topology Update.
Numbered steps in the figure: 1 attack, 2 detect, 3 report, 4 action, 5 recover.

Page 11: Future Work
- Current implementation supports Wi-Fi networks; extend to WiMAX
- Extend to more types of intrusion attacks using additional detection modules
- Extend to cover more access point types, vendors, and interfaces
- Use the engine for intruder redirection to honeypots
- Further scalability limits with multiple policy engines
  – tradeoff is global security policy consistency