A Low Cost Solution for Scalable
Authenticated Wireless Network
Written by Hanz Makmur {makmur@cs.rutgers.edu}
Edited by Charles McGrew {mcgrew@cs.rutgers.edu}
Laboratory for Computer Science Research - Department of Computer Science,
Rutgers, The State University of New Jersey
Copyright 2001: Rutgers University, Laboratory for Computer Science Research
September 2001
Last Modified: Feb 28, 2002
Introduction
The arrival of 802.11b (a.k.a. Wi-Fi) based wireless networking technology
introduces some conveniences that you will eventually find hard to live
without. When Apple started shipping the first notebook computer - the iBook
- with built-in wireless networking, it also shipped the first affordable
wireless access point - called the Airport Base Station. At $299, the Airport
Base Station sold fast not only because of its price, but because it was the
first access point that worked for Macintosh notebooks, PC laptops, and other
Wi-Fi compatible devices.
Unfortunately the low cost access point, which is targeted at small office and
home use, also has many limitations. It lacks central authentication and is
not very scalable. The Airport and similar access points in the $100-$300
price range have limited features. Implementing a wireless network with even
a handful of these access points requires a lot of system administration. For
example: for secure access, each wireless card's hardware address must be
added to each access point before it can access the network. If a user has 3
wireless cards, each card must be registered on each access point. A reboot
is also required after each change. The lack of scalability and
authentication features of the low cost access points made them not very
attractive for organizations or educational institutions with a limited
budget - until now.
At LCSR, the Laboratory for Computer Science Research, part of the Department
of Computer Science at Rutgers, The State University of New Jersey, a
solution for a low cost and scalable authenticated wireless network has been
found. The wireless network here was first assembled in November 2000. The
LAWN (Local Area Wireless Network) system was conceived in Spring 2001, the
final system was put to the test in Summer 2001 and publicly announced in
August 2001. The total hardware cost of the system, which consists of 12
access points placed strategically in the Hill Center (first, second and
third floors) and the CoRE Building (first, second and third floors), was
less than $5000. This initial placement was to provide wireless coverage for
the entire Department. Further, LAWN allows anyone with a Rutgers computer
account - and located within the wireless coverage area for the Department -
to access the local network and Internet wirelessly. Once authenticated,
users can move between floors and buildings without any re-authentication.
This scalable zero-intervention administration system was easy to deploy and
is expandable to other trusted organizations or institutions.
Objectives
As with every system, ease of use, scalability and cost are among the first
considerations. LAWN addresses every one of these issues.
The design of LAWN is driven by the lack of central authentication and the
need for scalability. With over 50,000 faculty, staff and students at Rutgers
University, it would be impossible to manage all of the hardware addresses of
wireless client machines on the hundreds of access points that will need to be
installed for university-wide coverage. The geographic layout of Rutgers
University - which consists of 7 campuses spread over 4 townships, with
students that move from campus to campus - makes scalability an important
issue to address. The requirement that every network access be traceable to
a person (for security auditing) makes a wireless network even harder to
implement.
1-Ease of Use
LAWN is designed with ease of use in mind. For anyone to access the wireless
network, a Rutgers computer account is required. At Rutgers, every student,
faculty or staff member has, or can obtain, a computer account on one of the
central computer services. LAWN uses this account to authenticate the user to
the wireless network. Because the LAWN system is designed to authenticate a
user instead of the hardware, any time a user changes hardware, there is
nothing new the user has to do.
The authentication process is simple. A user with a wireless device just has
to run a web browser and try to load any web page. If the user is not
authenticated, the browser is automatically forwarded to a login screen where
the user is asked to authenticate as a valid Rutgers user. Once
authenticated, access to the wireless network is granted (see Figure 1) until
the user manually logs out or auto-logout is imposed, i.e. when no answer is
heard from the user's device after a defined amount of time (our test system
uses 30 minutes).
2-Scalability
LAWN was designed as a top-down infrastructure, which makes it very easy to
deploy securely. To be part of the LAWN system, a department simply needs to
implement the firewall part of LAWN (see below, "Firewall Components"). Since
authentication is handled centrally, departments can simply use that, rather
than having to "roll their own" authentication scheme.
To deploy the LAWN system, a Linux system with two ethernet interfaces is
required for the firewall. The firewall software is available from DCIS/LCSR
as an RPM file. One ethernet interface on the firewall should be connected to
the outside world and the other to a hub and/or switch which is in turn
connected to the wireless access points. See Figure 3 below for
infrastructure details.
In the event that a full LAWN system installation is needed - including
"in-house" authentication - a trust relationship can be implemented between
the multiple authenticators. In the trust system, the LAWN system behaves as
if it were one system: one authenticator will consult the other trusted peer
authenticators to see if a user has already been authenticated.
3-Low cost
Because all networking related issues such as access restrictions, dynamic
configuration and name services are handled in the firewall, there is no need
to purchase wireless access points with lots of features. The only
considerations for wireless access points are reliability and cost.
The firewall machine is also built from low cost hardware and software. A PC
with a Pentium II 300 MHz, 256 MB memory and a 10 GB hard disk and the free
Linux operating system are more than satisfactory. Such PCs should cost less
than $200 each as of Nov 1, 2001.
4-Secure
Security is a very important part of the LAWN system. (If authenticated
access to the Internet is not an issue, there would be no need for the LAWN
system: just hook up and go, and good luck convincing your network
administrators that it's a good idea.) With LAWN, every access to the network
is traceable to a person who can be identified to answer for unauthorized
usage.
Two security issues are part of LAWN. The first issue is access to the
wireless network itself. Anyone who needs access to LAWN will need to be
authenticated. The user's username and password are verified against one of
the central password servers, or another trusted authenticator, before access
to LAWN is granted. The authentication is done on an authentication server
via a web browser using the HTTPS protocol, which ensures that username and
password data are not transmitted in the clear.
The second issue is the security of data transmitted over the air waves. This
is the harder part to solve. The 802.11b protocol (Wi-Fi), the basis of
current wireless networking technology, has a built-in data encryption
technology called Wired Equivalent Privacy (WEP). WEP is designed to address
data transmission security. However, in recent months, WEP encryption has
proven to be weak and can be cracked in a matter of minutes. (See: Overview
of 802.11b WEP Weaknesses,
http://www.mesongroup.com/users/mhamrick/80211over.html)
An alternative to WEP technology is LEAP (Lightweight Extensible
Authentication Protocol). LEAP is a Cisco proprietary technology. Currently
LEAP is supported only in the Cisco 802.11b wireless card, the Apple Airport
card (version 2.x firmware) and Cisco Access Points. This means that if you
purchase other brands of 802.11b cards or non-Cisco Access Points, you can
not take advantage of LEAP.
In light of the weaknesses of WEP, LAWN was designed without it. This was
intentional, to make sure that users are aware of security issues and aren't
blinded by a false sense of security. To address the security of data
transmitted over the air, the LAWN system includes an optional Virtual
Private Network (VPN) server as part of the design.
A VPN gives users a secure private network between the user's computer and
the VPN server. Because all transmitted data is encrypted, no matter what the
medium is, users can be sure that no one will be able to eavesdrop on any
data they send. Unlike LEAP, which only works with expensive Cisco Access
Points and Cisco brand 802.11b cards, users with or without an 802.11b
wireless card - or even from home - can also take advantage of the VPN
connection using any low cost access point and be secure. (See the VPN
Frequently Asked Questions for more information:
http://www.internetweek.com/VPN/faq.htm)
To use the VPN with LAWN, users have to log in twice. First, the user must log
in to gain access to LAWN as described above. Second, the user must log in to
the VPN server using a specific VPN client to use the VPN encryption service.
What to do?
By leaving the VPN option as a choice, we suspect that many users won't be
using the VPN at all (for cost, or perceived 'ease of use' reasons, for
instance). As a result, users' data will be left open and can be eavesdropped
on the wireless network. One alternative is to use already existing encrypted
services to encrypt all network traffic. For example, a user may use Secure
Shell (SSH) rather than Telnet, IMAP with Secure Sockets Layer (SSL) or POP
with SSL rather than plain IMAP or POP for reading email, and SMTP with SSL
for sending email. These tools are freely available on the Internet for every
computing platform.
In the meantime, all wireless users anywhere should be aware that the security
of WEP is very weak and should not be relied upon. The best solution is to
use secure services and aim for using a VPN as the ultimate security.
5-Other LAWN Usage
The LAWN system was designed for wireless networks. However, the design is
applicable to a wired network as well. (See Figure 3 for infrastructure
details.) By applying the LAWN concept to wired networks in public labs or on
public computers, wired users are required to authenticate to the firewall
before they can access the network (the wired network is connected to the
firewall just as the wireless base stations are). Such an implementation
makes it possible to know who uses which computer at any time. No special
authentication program is required and no changes are needed in the user's
machine's operating system.
Implementation
The LAWN system is designed like a workgroup. Each workgroup consists of a
Linux-based dynamic firewall computer, a network hub and/or switch and
wireless access points. One firewall interface is connected to the outside
world and the other interface is connected to the wireless world. The
firewall decides who can access the outside world by adding a specific
hardware address to its access list, based on authentication. If a wireless
client has been authenticated, it is added to the access list. If not, or if
an authenticated machine has been logged out, it is not in the access list.
Discovery Process
When a user's computer is in range of a wireless access point, the user's
computer is automatically sent all the necessary network configuration (IP
address, nameserver, gateway) by the Dynamic Host Configuration Protocol
(DHCP) server running on the firewall machine. As soon as the user runs any
software that requires access to the network, the firewall discovers the
hardware address of the user's computer. This address is then checked with
the authentication server. If the user has not authenticated, network access
is not granted. If the application that is executed is a web browser, the
browser is redirected to the authentication server and a login screen is
presented (see Figure 1). Once the user is authenticated, the authentication
server directs the firewall to grant access for the hardware address of the
user's computer. The firewall continues to monitor the user's network
activity level. If the user's computer does not answer network requests
after a predetermined amount of time, or the user manually logs out, network
access for this hardware address is removed from the firewall's routing
tables.
Figure 1.
Roaming Process
When a user's machine leaves the LAWN, or has not answered the firewall's
"heartbeat signals" after a predefined amount of time, the firewall removes
network access for the computer and reports to the authentication server that
the user's machine is missing. Upon receiving this notice, the authentication
server notes the user's machine as a "roaming computer" and keeps it in this
state for a predetermined length of time. When the user is discovered again
by a firewall, the discovery process described above is restarted. If the
user is still roaming, the firewall will be authorized by the authentication
server to re-open network access for this wireless device without the user
having to re-authenticate. This is done as a convenience to the wireless
users.
Authentication Process
The authentication server can be set up to use multiple methods to
authenticate users. Such methods can include Kerberos, LDAP, SSL IMAP,
Microsoft Active Directory etc. The front end for the authentication server
is a Java Server Page (JSP) with a Java servlet backend (see Figure 2).
Figure 2.
During authentication, the servlet receives an encrypted username and
password via the SSL protocol. It looks at a list of authentication methods,
selects the appropriate one, and verifies the username and password against
the password server. Once the user's credentials are verified, the servlet
sets session cookies on the user's computer. The servlet then contacts the
firewall daemon and tells it to allow network access for the IP address of
the user's computer. The firewall daemon converts the IP address to a
hardware address and requests the user's information from the authentication
server daemon. Once this command is verified, the firewall opens access to
the hardware address of the wireless device.
Figure 3.
There are 3 main components of the LAWN system. Two of the components, the
firewall and the authentication component, are tied together to allow and
disallow access to LAWN. The third is an optional component, a network
security monitor. This last component is an important part of LAWN even if
it is optional. Without it, it would be more difficult to audit network
traffic to find out about possible network attacks and users' abuse of the
network.
A. Firewall Components
The firewall runs on a dual Ethernet computer. The firewall consists of an
iptables-based firewall, a DHCP server, a Domain Name Service (DNS)
forwarder, a pinger and a firewall daemon. All of these components are built
into the Red Hat Linux OS except for the pinger and the firewall daemon.
These last two programs were created at LCSR.
1. iptables - part of Red Hat Linux 7.1.
The iptables program is used to control access dynamically by the pinger and
the firewall daemon. It is also used for the Network Address Translation
(NAT) server. iptables is the core component that blocks and unblocks access
to the outside network. iptables is also configured as a masquerading server
via NAT. NAT allows us to grow the number of hosts on the wireless side of
the firewall without worrying about reserving a block of valuable IP
addresses. With NAT, only a single "real" IP address is needed for all
wireless devices connected behind the firewall. Because the authentication
server is placed beyond the firewall, the default iptables setting (for
unauthenticated users) allows access only to the http and https ports of the
authentication server.
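As an added illustration (not LCSR's firewall software), the following Python builds the iptables command lines the rules above describe: the boot-time rules that let unauthenticated clients reach only the authentication server's http and https ports, send every other web request to the login page and masquerade everything behind one real address, plus the per-hardware-address rules that grant and revoke access. The interface names (eth0 outside, eth1 wireless) and the authentication server address 192.0.2.10 are assumptions made for the example. The commands are returned as strings rather than executed, so the logic can be read and tested without root.

```python
# Added example (not LCSR's firewall code): the iptables rule set behind a
# LAWN-style firewall, built as command strings. Interface names and the
# authentication server address are assumptions, not values from the article.
import re

OUTSIDE_IF = "eth0"         # assumption: interface to the outside world
WIRELESS_IF = "eth1"        # assumption: interface towards the hub/switch and access points
AUTH_SERVER = "192.0.2.10"  # constructed placeholder (documentation range) for the auth server

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Canonical lower-case colon form. Anything else is rejected, so a value taken
    from DHCP or ARP can never smuggle extra arguments into an iptables command."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError("not a hardware address: %r" % mac)
    return mac


def default_rules():
    """Rules loaded at boot, i.e. what an unauthenticated client is subject to."""
    return [
        # Nothing crosses the firewall unless a later rule accepts it.
        "iptables -P FORWARD DROP",
        # Unauthenticated clients may reach only the auth server's http/https ports.
        "iptables -A FORWARD -i %s -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT"
        % (WIRELESS_IF, AUTH_SERVER),
        # Replies to connections that were accepted may come back in.
        "iptables -A FORWARD -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT"
        % OUTSIDE_IF,
        # Any other web request is rewritten to the auth server, which shows the login page.
        "iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:80"
        % (WIRELESS_IF, AUTH_SERVER, AUTH_SERVER),
        # One real address for every device behind the firewall (masquerading NAT).
        "iptables -t nat -A POSTROUTING -o %s -j MASQUERADE" % OUTSIDE_IF,
    ]


class AccessList:
    """The firewall's access list: the hardware addresses currently allowed out.
    grant()/revoke() return the commands the pinger or firewall daemon would run."""

    def __init__(self):
        self.allowed = set()

    def _rules(self, action, mac):
        return [
            # Forward everything from this hardware address ...
            "iptables %s FORWARD -i %s -m mac --mac-source %s -j ACCEPT"
            % (action, WIRELESS_IF, mac),
            # ... and skip the login-page DNAT for it (ACCEPT in the nat table ends the chain).
            "iptables -t nat %s PREROUTING -i %s -m mac --mac-source %s -j ACCEPT"
            % (action, WIRELESS_IF, mac),
        ]

    def grant(self, mac):
        mac = normalize_mac(mac)
        if mac in self.allowed:
            return []                    # already open: do not stack duplicate rules
        self.allowed.add(mac)
        return self._rules("-I", mac)    # -I puts the rule ahead of the DNAT and default rules

    def revoke(self, mac):
        mac = normalize_mac(mac)
        if mac not in self.allowed:
            return []
        self.allowed.discard(mac)
        return self._rules("-D", mac)    # -D deletes the rule with exactly these matches
```

The grant rules are inserted with -I so they sit ahead of the login-page DNAT and the default rules, and the hardware address is validated before it is ever placed in a command line; the access list also refuses to insert a second copy of a rule, so revoking once really closes the door.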
2. DHCP server - part of Red Hat Linux 7.1.
The DHCP server is used to provide dynamic configuration of the
user's TCP/IP settings. This service sets TCP/IP settings
automatically as a user comes into range of the wireless access
point. The settings provided are an Internet Protocol (IP) Number, a
Subnet Mask, a Gateway address, and a Domain Name Service (DNS) server
address. Without this information, a user's computer will not be able
to access the network. Because all of these settings are provided
automatically, a user does not have to do anything to get the correct
computer network settings. These settings renew themselves after a
predetermined amount of time. All current microcomputer operating
systems support DHCP for this purpose, so no change in the user's
computer setup is needed to use DHCP in this environment.
3. DNS Forwarder - part of Red Hat Linux 7.1.
Because all the wireless devices are connected behind a firewall, no Domain
Name Service (DNS) access will be granted past the firewall. DNS is needed to
translate a computer's name into its IP address. To overcome this problem, a
DNS forwarder is needed on the firewall machine. With a DNS forwarder on the
firewall, all DNS requests from the wireless side get forwarded to an outside
DNS server via the outside Ethernet interface of the firewall.
4. Pinger - by Hanz Makmur, Laboratory for Computer Science Research, Rutgers
University
This program was created to clean up user access as well as to provide access
to authorized roaming users. The pinger program "pings" all currently
authorized users' computers periodically. If no response is received after a
predetermined time, access to the network for this computer is removed by the
firewall. The pinger is also used to check the authorization list for roaming
users, to see if the user has logged in before allowing access.
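The idle-timeout and roaming behaviour of the pinger and the authentication server (the Roaming Process section above and this one), written out as one small state machine. This is an added example and not LCSR's pinger: the 30-minute idle timeout is the article's test value, while the length of the roaming window is an assumption, since the article gives no figure. Times are seconds and the hardware address used in the usage comments is constructed.

```python
# Added example (not LCSR's pinger): idle timeout and roaming as a state machine.
IDLE_TIMEOUT = 30 * 60     # from the article: no answer for 30 minutes -> access removed
ROAMING_WINDOW = 60 * 60   # assumption: how long a missing machine stays "roaming"


class AuthServer:
    """The authentication server's view of a hardware address: authenticated,
    roaming (missing but still inside the window), or unknown."""

    def __init__(self):
        self.authenticated = {}   # mac -> username
        self.roaming = {}         # mac -> (username, time the roaming state expires)

    def login(self, mac, user):
        self.roaming.pop(mac, None)
        self.authenticated[mac] = user

    def logout(self, mac):
        self.authenticated.pop(mac, None)
        self.roaming.pop(mac, None)

    def report_missing(self, mac, now):
        """A firewall reports a machine that stopped answering: keep it as roaming for a while."""
        user = self.authenticated.pop(mac, None)
        if user is not None:
            self.roaming[mac] = (user, now + ROAMING_WINDOW)

    def reopen(self, mac, now):
        """A firewall rediscovered the machine: return the user if still roaming, else None."""
        entry = self.roaming.pop(mac, None)
        if entry is None:
            return None
        user, expires = entry
        if now > expires:
            return None               # roaming state lapsed: a new login is required
        self.authenticated[mac] = user
        return user


class Pinger:
    """Tracks when each allowed machine last answered and removes idle ones."""

    def __init__(self, auth):
        self.auth = auth
        self.last_seen = {}       # mac -> time of last answer; the keys are the access list

    def grant(self, mac, now):
        self.last_seen[mac] = now

    def logout(self, mac):
        """Manual logout: drop the access-list entry and forget the user on the server."""
        self.last_seen.pop(mac, None)
        self.auth.logout(mac)

    def tick(self, now, answered):
        """One ping round; `answered` is the set of addresses that replied.
        Returns the addresses whose access was removed this round."""
        removed = []
        for mac, seen in list(self.last_seen.items()):
            if mac in answered:
                self.last_seen[mac] = now
            elif now - seen >= IDLE_TIMEOUT:
                del self.last_seen[mac]
                self.auth.report_missing(mac, now)
                removed.append(mac)
        return removed

    def discover(self, mac, now):
        """The firewall sees traffic from `mac`; decide without bothering the user if possible."""
        if mac in self.last_seen:
            return "open"
        if self.auth.reopen(mac, now) is not None:
            self.grant(mac, now)
            return "reopened"         # roaming machine: access restored, no login
        return "login-required"       # the browser will be sent to the login page
```

A machine that answers a ping keeps its access; one that has been silent for the timeout is removed and reported, after which the server keeps it as roaming. A rediscovery inside the window restores access silently, a rediscovery after it falls through to the login page, and a manual logout clears both the access list and the server's record.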
5. Firewall daemon - by Hanz Makmur, Laboratory for Computer Science
Research, Rutgers University
This daemon listens for instructions from the authentication server. When a
user is authenticated, the authentication server contacts the firewall daemon
and instructs it to open access for the hardware address of the user's
computer. The daemon verifies every instruction before allowing access to
the hardware address of the wireless device.
B. Security Components (optional)
An optional second computer can be used as a security monitor and as a log
server. The second computer is used as an Intrusion Detection System (IDS)
which monitors network traffic for network attacks and logs all open
connections. The log is used to keep track of who is accessing what network
resources. This part of the system is not needed to get the LAWN system to
work. However, the intrusion detection function of this component can alert
system administrators to any attempted network attack and unwanted network
activity. The logging function logs all open connections on the wireless end
of the firewall. These logs can later be used to trace activities when the
need arises, or be monitored in real time to alert network administrators to
intrusions or misuse. Because the wireless devices are connected behind the
firewall, all access to outside services appears to the outside world to come
from the firewall machine. This is all the more reason for implementing this
component.
1. SNORT: Open Source Intrusion Detection System - http://www.snort.org/
Snort is the main program used for intrusion detection. It functions as a
listener that analyzes and logs suspected network activity based on
predefined rules.
2. AccessLogScript: by Rob Tuck, Laboratory for Computer Science Research,
Rutgers University
This simple script uses the tcpdump software (part of Linux) to log all open
connections. The log is archived for when a network attack needs to be
investigated.
3. IPAudit: Open Source Intrusion Detection System -
http://ipaudit.sourceforge.net/ipaudit-web/
IPAudit is the main program used for usage collection. It functions as a data
collector for all network connections on the wireless side.
C. Authentication Server Components
An important part of the LAWN system is the authentication server. This
server resides on the 'far side' of the firewall from the wireless machines.
This server is contacted via the World Wide Web (WWW) protocols known as Hyper
Text Transfer Protocol (http) and Hyper Text Transfer Protocol Secure
(https) when a user is trying to authenticate. All firewalls from multiple
workgroups contact this authentication server to authenticate wireless users.
One server can handle hundreds of workgroups, and only one server is needed
for one large organization. If multiple authentication servers are wanted
for redundancy or logistic reasons, multiple authentication servers can be
run and set up to trust each other. In the trust relationship, the current
server will contact the other trusted servers to verify whether a user is
already authenticated.
The main components of the authentication server are a web server, a
Servlet+JSP engine (Tomcat), an authentication servlet, and a daemon. Both
the web server and the Servlet+JSP engine are open source software projects
which are freely available. The servlet and daemon were written by the
Laboratory for Computer Science Research, Rutgers University.
1. Apache Web Server: http://httpd.apache.org/
Apache Web Server is a very popular web server in the Unix world. It is a
reliable, secure and fast web server engine.
2. Tomcat: http://jakarta.apache.org/
Tomcat is a servlet+JSP engine, a subproject of the Jakarta Project from
Apache.org. Tomcat is used to execute the authentication servlet and JSP page
for user authentication. Tomcat integrates nicely with the Apache web server.
3. AuthServlet: by George Armhold, Laboratory for Computer Science Research,
Rutgers University
This authentication servlet was created to centrally authenticate the users.
With central authentication, the users can roam between workgroups and still
continue to have access. This servlet is designed to be flexible enough to
allow authentication with multiple authentication methods such as Kerberos,
RADIUS, LDAP, Windows Active Directory, SSL IMAP etc.
4. AuthenticationDaemon: by Hanz Makmur, Laboratory for Computer Science
Research, Rutgers University
This authentication daemon's main purpose is to verify a request made by the
firewall. During verification, this daemon checks to see if a specific
hardware address is entered as authenticated. In the event that such an entry
does not exist, it also tries to query trusted authenticators to see if this
is "roaming" hardware. If it isn't authenticated locally, or by an external
trusted authenticator, the authentication daemon tells the firewall to deny
the wireless client access to the network.
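The verification exchange described here and in the Authentication Process section, as an added Python example (not LCSR's firewall daemon or authentication daemon): the authentication server asks the firewall daemon to open access for an IP address, the daemon resolves that address to a hardware address from the kernel's ARP table itself, and then asks the authentication daemon whether that hardware address is authenticated, locally first and then via trusted peer authenticators for roaming hardware. The ARP table text (in the /proc/net/arp layout), the addresses, the user names and the authenticator names are all constructed for the example; the wireless interface name is an assumption.

```python
# Added example (not LCSR's daemons): the firewall daemon verifying an "open
# access" instruction against the authentication daemon and its trusted peers.
WIRELESS_IF = "eth1"   # assumption: the firewall's wireless-side interface

# Constructed ARP table in the /proc/net/arp layout (the kernel's IP -> hardware address view).
# Flag 0x2 marks a completed entry; the 10.0.1.77 row is an unresolved (incomplete) one.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.1.23        0x1         0x2         00:30:65:AA:BB:CC     *        eth1
10.0.1.42        0x1         0x2         00:02:2d:11:22:33     *        eth1
10.0.1.77        0x1         0x0         00:00:00:00:00:00     *        eth1
192.0.2.1        0x1         0x2         00:50:56:de:ad:01     *        eth0
"""


def parse_arp(text):
    """Map IP -> hardware address, keeping only completed entries on the wireless side."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac, dev = fields[0], int(fields[2], 16), fields[3].lower(), fields[5]
        if flags & 0x2 and dev == WIRELESS_IF:
            table[ip] = mac
    return table


class AuthDaemon:
    """The authentication server's daemon: answers 'is this hardware address
    authenticated?' from its own table, then from trusted peer authenticators."""

    def __init__(self, name, peers=()):
        self.name = name
        self.authenticated = {}     # mac -> username
        self.peers = list(peers)

    def lookup(self, mac, ask_peers=True):
        """Return (username, name of the authenticator that vouched) or None."""
        user = self.authenticated.get(mac)
        if user is not None:
            return user, self.name
        if ask_peers:
            for peer in self.peers:
                hit = peer.lookup(mac, ask_peers=False)   # peers do not forward again (no loops)
                if hit is not None:
                    return hit                            # roaming hardware from another workgroup
        return None


class FirewallDaemon:
    def __init__(self, auth, arp_text):
        self.auth = auth
        self.arp = parse_arp(arp_text)
        self.access = set()         # hardware addresses currently allowed out

    def handle_open(self, ip):
        """Instruction 'open access for IP'. It is not trusted as-is: resolve the
        hardware address locally and confirm it with the authentication daemon first."""
        mac = self.arp.get(ip)
        if mac is None:
            return "deny", "no completed ARP entry for %s on %s" % (ip, WIRELESS_IF)
        hit = self.auth.lookup(mac)
        if hit is None:
            return "deny", "%s is not authenticated anywhere" % mac
        user, source = hit
        self.access.add(mac)
        return "allow", "%s is %s, authenticated by %s" % (mac, user, source)
```

Only completed ARP entries on the wireless interface are accepted, so an instruction naming an address the firewall has never seen, or one on the outside interface, is refused before the authentication daemon is even asked; a hit from a trusted peer is what lets a machine that logged in behind another workgroup's firewall keep its access here.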
Design/Concept by:
Hanz Makmur, Charles McGrew, Kenneth Harris Jr.
{Laboratory for
Computer Science Research Computing Facility}
Dr. Badrinath and Dr. Donald Smith
{Department of Computer Science}
Programmed by:
Hanz Makmur and George Armhold
{Laboratory for
Computer Science Research Computing Facility}
Network Infrastructure by:
Charles McGrew, Douglass Motto, Rick Crispin, Robert Tuck, Kenneth
Harris Jr
{Laboratory for
Computer Science Research Computing Facility}
Beta Test by:
Rob Toth, Don Watrous
{Laboratory for
Computer Science Research Computing Facility}
Faculty and Students
{Department of Computer Science-Rutgers
University}