Best Security Practices for Voice Wireless LANs

John Poust
poustus@hotmail.com


Who Cares?

• Wiring is significant:
  • Cost
  • Delay
• Workers are mobile
• Wireless last hop?
• Cell phone convergence?


OK, so I care – Now What?

Things you’ll want to know

• Myths & debunking
• The Equipment
• What’s new


Myth #1: The insecurity myth

• Others can peek
• Or poke
• Things that can go wrong:
  • Spoofing Identity
  • Tampering

Security Perimeter


Spoofing Identity: OK to go in / let in

• Passphrase, handset OK
• Certificate check, AP OK (Rogue AP)


Tampering with the Data: What didn’t work

• The failing of WEP
  • Cracked in 2 minutes
• The Interim:
  • Make “As good as possible” w/ existing stuff
  • Wi-Fi Alliance used Draft 3 of IEEE 802.11i
  • WPA
  • Has flaws
  • Lightweight security, for things like PDAs

Ref = http://www.informit.com/articles/article.asp?p=369221&rl=1
      http://www.windowsecurity.com/articles/80211i-WPA-RSN-Wi-Fi-Security.html

Ref = http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
      http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy


Tampering with the Data: What works (WPA2)

+ Strong encryption – AES (lock)

+ Secure encryption key delivery


Tampering with the Data: What works better

• Add another layer
• End to End Security:
  • Media - SRTP
  • Signaling - TLS
• Works even if wireless link hacked
• Desk phone, for now


Myth Debunking: Busting the insecurity myth (WPA2)

+ Known / trusted / understood methods
+ Can’t prove insecure
  See www.cve.mitre.org and nvd.nist.gov.
+ NOT risk free – but 100M+ users

Security Perimeter


Denial of Service: The interference myth

• Interference does not mean loss of service!
• Strategies:
  • Avoid
  • Eliminate
  • Overcome


Avoid: The Easy Way

• Let AP find best channel
• May conflict with overlap


Eliminate: The Hard Way

• Locate sources of interference
  • Portable spectrum analyzer may help
  • Can identify interference by “Signature”
• Once identified:
  • Eliminate
  • Shield

http://www.airmagnet.com/products/handheld_analyzer/


Overcome: It takes thought

• Interference:
  • Adds to
  • Does not take away from
• Original signal is still there
• Multiple antennas are used to look harder


Overcome: How it's done

• You can use more than two antennas
• Multiple antennas are directional
  • Good for keeping signal on one floor
• Issues:
  • Unlicensed spectrum
  • Must play with others
  • Know what you are dealing with


Myth Debunking: Busting the interference myth

• Myth: “There's nothing I can do about interference”
• There's always a cure for interference, but you need to know what's ailing you

20 Myths of Wi-Fi Interference, Cisco whitepaper
http://www.cisco.com/en/US/prod/collateral/wireless/ps9391/ps9393/ps9394/prod_white_paper0900aecd807395a9_ns736_Networking_Solutions_White_Paper.html


How to make it work:



The Edge: QoS / VLAN

• Separate Voice and Data
• Separation via Service Set IDs (SSID):
  • Assign QoS
  • Tie to VLAN


The Edge: Encrypt

• WPA2 (AES) actually works on a handheld phone
• Some older phones may not support WPA2


The Edge: Policy - Only approved devices!

• Define make & model
• Configuration and settings

http://www.symantec.com/avcenter/reference/symantec.wlan.security.pdf


Access Point: QoS / VLAN

Expedited Forwarding

DSCP (IEEE 802.1d)


Access Point: Advanced Options

• Administration:
  • SSID: avoid transmission
  • Secure Administrator access
  • Enable Accounting: for usage tracking & diagnostics
  • Encryption: beware of supporting multiple encryption modes
  • Roaming: ensure secure
• Limits:
  • Association Limit: prevents access points from getting overloaded
    • adequate level of service
  • Calls: maintain the maximum allowed number of calls
  • EAP or MAC Re-authentication Interval
• Filters: prevent or allow the use of specific protocols through the interface.
• QoS Element for Wireless Phones:
  • Determine which access point to associate to, based on traffic
  • If phones have support, enable
  • For more info: Basic Service Set (QBSS - 802.11e standard)
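
Added example (not part of the original slides): a small audit that checks each SSID in an access point configuration against the edge and access point checklist above, namely WPA2 with AES only, no mixed encryption modes, SSID not transmitted, an association limit, and QoS enabled. It assumes the AP uses hostapd-style key names; the sample configuration and SSID names are constructed.

```python
# Added example, not from the slides. Assumes hostapd key names; SAMPLE is constructed.
SAMPLE = """\
interface=wlan0
ssid=corp-data
wpa=3
wpa_pairwise=TKIP CCMP
wmm_enabled=1
bss=wlan0_1
ssid=corp-voice
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wmm_enabled=1
max_num_sta=12
"""

def parse_bss(text):
    """Split a hostapd-style config into one dict per BSS (interface= / bss=)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss") or not sections:
            sections.append({})
        sections[-1][key] = value.strip()
    return sections

def audit(bss):
    """Check one BSS against the slide checklist; return a list of findings."""
    findings = []
    # rsn_pairwise falls back to wpa_pairwise, so audit the union of both.
    ciphers = set((bss.get("wpa_pairwise", "") + " " + bss.get("rsn_pairwise", "")).split())
    if bss.get("wpa") != "2":
        findings.append("encryption: WPA2-only not enforced (wpa=%s)" % bss.get("wpa", "unset"))
    if ciphers != {"CCMP"}:
        findings.append("encryption: pairwise ciphers not AES-CCMP only: %s" % sorted(ciphers))
    if bss.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid: name is transmitted in beacons")
    if "max_num_sta" not in bss:
        findings.append("limits: no association limit set")
    if bss.get("wmm_enabled") != "1":
        findings.append("qos: WMM QoS not enabled")
    return findings

def audit_config(text):
    """Map each SSID in the config to its findings."""
    return {b.get("ssid", "?"): audit(b) for b in parse_bss(text)}
```

Calling audit_config(SAMPLE) returns an empty list for the voice SSID and four findings for the mixed-mode data SSID.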


Switches:

• Need QoS, VLAN capable switches
• Configuration required
• Logs – understand to troubleshoot


Firewall:

• SIP firewall needed
• Protection
  • With VLAN each “Leg” of network is protected
  • Voice legs only see signaling or media
  • Useful for intrusion detection
• Backup



Site planning: Before you get started

• Site planning before you get started
• Certification
• Consultants


What’s new: Speed & Power

• 802.11n:
  • June 2009 (est.)
  • Takes advantage of multiple antennas for beamforming
  • 19 Mbit/s (g) → 74 Mbit/s
• 802.11y: Higher power


What’s new: Other coming attractions

• 802.11s – Multi-vendor self configured mesh
• Standardized Roaming:
  • 802.11r – Handoff
• 802.11w - protect network from malicious disassociation


Recap:

If we did what was promised, we would astound ourselves

• Can’t prove insecure
• Denial of service → avoidable
• Planning
• The future gets better


For more info – books:

• Internet QoS, Zheng Wang, Morgan Kaufmann, 2001, ISBN 1-55860-608-4
• VoIP Security, James Ransom / John Rittinghouse, Elsevier, 2005, 1-55558-332-6
• SIP Demystified, Gonzalo Camarillo, McGraw Hill, ISBN 978-0-07-137340-1
• Voice-Enabling the Data Network, James Durkin, 2003, Cisco Press, ISBN 1-58705-014-5


For more info - NIST

• WIRELESS NETWORK SECURITY FOR IEEE 802.11A/B/G AND BLUETOOTH (DRAFT)
• http://csrc.nist.gov/publications/drafts/800-48-rev1/Draft-SP800-48r1.pdf


Siemens' PoE Claims Validated

802.11N with 802.3at power

• http://www.networkcomputing.com/showArticle.jhtml?articleID=206900489