
Wireless Security: Issues and Solutions






Presentation Transcript


  1. Wireless Security: Issues and Solutions
     Mike Brockney, Bluesocket, www.bluesocket.com

  2. Agenda
     • WLAN Security and Management Requirements
     • WLAN Challenges
     • WLAN security standards: WEP, WPA, 802.11i
     • VPNs and WLANs
     • Evolution of WLAN deployment model

  3. A little Wi-fi related joke:

  4. About Bluesocket…

  5. WLAN Management & Security Requirements
     • Access Control
     • Authentication
     • Authorization
     • Airlink Privacy
     • Physical Security
     • Data is more dense
     • Need to manage bandwidth
       – Avoid unnecessary encryption overhead
       – Don’t allow bandwidth “hogs”
     • Imperative for Interoperability
       – Multiple devices: laptops, PDAs, scanners, phones, networking vendors’ appliances
       – Different radio protocols (802.11 alphabet soup)
     • Need for simple management
       – Single Web-based login
       – Transparent login where possible
       – Guest / Visitor Access
       – Client software maintenance at a minimum
     • Secure Mobility™ and Policy-based networks
     • Voice over WLAN will be widely used

  6. Wireless LAN Challenges – Minimal security and management in APs
     • Stop or Go – Same Access For All: Visitor or Employee or Contractor (Policy Management)
     • Weak Security
     • No Bandwidth Management or QoS
     • No True Mobility

  7. Wireless LAN Challenges – Rogue APs
     • Employee brings an AP to work and simply plugs it in, opening your network to anyone within radio distance
     • Malicious user attaches an AP to the network to allow access
     • Attacker positions an AP near the building in an attempt to have a legitimate user associate with it
     • AirMagnet, AirDefense, Wavelink can detect and alert in real time
     • Cisco, Proxim/Orinoco and others are now building rogue detection into standard APs

  8. Wireless LAN Challenges – Emerging 802.11 devices

  9. Wireless LAN Challenges – Network Authentication
     (diagram: 802.1x – Admin, PPTP – Executive, IPsec – Finance, Clear – Visitor; authentication back ends ACS, LDAP, Radius, NT Domain)

  10. Wireless LAN Challenges – Which standards?
     The “Alphabet Soup” of 802.11 standards (b, a, g, h, i, e, f, 1x) and the need to support other wireless interfaces such as Bluetooth on PDAs brings upgrade and compatibility challenges
     (diagram: Which protocol? Which air interface? Which vendor?)
     Solutions must be ‘agnostic’ to support current and future standards

  11. WEP Security – Wired Equivalent Privacy
     • Available in all APs and wireless cards
     • Available in many different key lengths
     • Uses a static key to encrypt data
     • Good for home use
     • Better than no security at all
     • Can be difficult to manage keys
     • Encryption algorithm has been compromised

  12. WEP Security – Wired Equivalent Privacy
     http://airsnort.sourceforge.net/
     • A series of academic papers exposed serious flaws in WEP – the security system built into the 802.11b standard.
     • Rapid passive attack was first described in July 2001 by Fluhrer, Mantin & Shamir.
     • AT&T Labs team successfully implemented the attack and concluded that WEP is “totally insecure”.
     • In August 2001, the Airsnort program was released on the Web.

  13. 802.1x Background
     • 802.1x is an IEEE standard
     • Originally designed for Port Authentication in wired networks
     • IEEE 802.11 has chosen to use 802.1x to support access authentication in WLANs (June 2001)
     • Enables authentication and key management for WLANs
     • Dynamic WEP encryption designed to overcome issues with WEP
     • Augmented to use Upper Layer Authentication Protocols (ULAPs) as a framework for authentication; an EAP method is one implementation
     • 802.1x originated as a Point-to-Point Protocol (PPP) authentication scheme along with RADIUS
     • Implementing EAP methods in mobile devices requires modifications/additions to the operating system

  14. 802.1X & EAP
     (diagram: Supplicant <-EAPOL-> Authenticator <-RADIUS-> Authentication Server on the campus network; EAP types TLS, TTLS, PEAP, LEAP)
     • 802.1X defines EAPOL (Extensible Authentication Protocol Over LAN)
     • Provides centralized authentication and dynamic key exchange
     • EAP packets carried at the MAC layer, embed RADIUS commands
     • Different EAP types deliver different authentication techniques
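The three-party exchange on this slide (Supplicant, Authenticator, Authentication Server) is easier to see in code than in a diagram. The following model is an added example, not code from the slides or from Bluesocket: it drives one 802.1X conversation, relays EAP between the EAPOL side and the RADIUS side, and keeps the AP's controlled port closed until the server answers Access-Accept. The EAP method is a constructed HMAC challenge/response stand-in (not PEAP, TLS or any real EAP type), and the user database, identities and secrets are constructed values.

```python
"""Toy model of 802.1X: Supplicant <-EAPOL-> Authenticator <-RADIUS-> Authentication Server.

Added example (not from the slides). Only the message flow and the authenticator's
controlled-port state are modelled; the EAP method is a constructed HMAC stand-in.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Msg:
    layer: str          # "EAPOL" (supplicant <-> authenticator) or "RADIUS" (authenticator <-> server)
    kind: str           # e.g. "EAP-Request/Identity", "Access-Challenge"
    payload: dict = field(default_factory=dict)


class AuthServer:
    """RADIUS server: knows user secrets, issues challenges, decides Accept/Reject."""

    def __init__(self, users):
        self.users = users          # identity -> shared secret (constructed)
        self.pending = {}           # identity -> outstanding nonce

    def handle(self, req):
        ident = req.payload.get("identity")
        if req.kind != "Access-Request" or ident not in self.users:
            return Msg("RADIUS", "Access-Reject")
        if "response" not in req.payload:           # round 1: identity only -> challenge
            nonce = secrets.token_bytes(16)
            self.pending[ident] = nonce
            return Msg("RADIUS", "Access-Challenge", {"identity": ident, "nonce": nonce})
        nonce = self.pending.pop(ident, None)       # round 2: verify the challenge response
        if nonce is None:
            return Msg("RADIUS", "Access-Reject")
        expected = hmac.new(self.users[ident], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req.payload["response"]):
            return Msg("RADIUS", "Access-Reject")
        # Per-session key handed to the AP; in 802.1X this seeds the dynamic WEP/TKIP keys.
        key = hmac.new(self.users[ident], b"session" + nonce, hashlib.sha256).digest()
        return Msg("RADIUS", "Access-Accept", {"session_key": key})


class Authenticator:
    """The AP: relays EAP between EAPOL (air side) and RADIUS (wired side) and keeps
    the controlled port unauthorized until the server returns Access-Accept."""

    def __init__(self, server):
        self.server = server
        self.port = "unauthorized"
        self.session_key = None
        self.radius_log = []        # (request kind, reply kind) pairs seen on the wired side

    def on_eapol(self, m):
        if m.kind == "EAPOL-Start":
            return Msg("EAPOL", "EAP-Request/Identity")
        if m.kind in ("EAP-Response/Identity", "EAP-Response/Challenge"):
            return self._relay(Msg("RADIUS", "Access-Request", dict(m.payload)))
        return Msg("EAPOL", "EAP-Failure")

    def _relay(self, req):
        reply = self.server.handle(req)
        self.radius_log.append((req.kind, reply.kind))
        if reply.kind == "Access-Challenge":
            return Msg("EAPOL", "EAP-Request/Challenge", dict(reply.payload))
        if reply.kind == "Access-Accept":
            self.port = "authorized"
            self.session_key = reply.payload["session_key"]
            return Msg("EAPOL", "EAP-Success")
        self.port = "unauthorized"
        return Msg("EAPOL", "EAP-Failure")


class Supplicant:
    """Client: answers the identity request and the challenge; stops on Success/Failure."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def on_eapol(self, m):
        if m.kind == "EAP-Request/Identity":
            return Msg("EAPOL", "EAP-Response/Identity", {"identity": self.identity})
        if m.kind == "EAP-Request/Challenge":
            resp = hmac.new(self.secret, m.payload["nonce"], hashlib.sha256).digest()
            return Msg("EAPOL", "EAP-Response/Challenge", {"identity": self.identity, "response": resp})
        return None


def run_8021x(supplicant, authenticator):
    """Drive one exchange; returns (controlled-port state, transcript of EAPOL messages)."""
    transcript = []
    m = Msg("EAPOL", "EAPOL-Start")
    while m is not None:
        transcript.append(("supplicant->authenticator", m.kind))
        m = authenticator.on_eapol(m)
        transcript.append(("authenticator->supplicant", m.kind))
        m = supplicant.on_eapol(m)
    return authenticator.port, transcript


if __name__ == "__main__":
    ap = Authenticator(AuthServer({"alice": b"alice-secret"}))   # constructed user database
    state, log = run_8021x(Supplicant("alice", b"alice-secret"), ap)
    for hop, kind in log:
        print(f"{hop:26} {kind}")
    print("controlled port:", state, "| RADIUS side:", ap.radius_log)
```

Two things the model makes visible that the bullets only state: the AP never sees the user's secret (it only forwards EAP and reads the server's verdict), and a wrong secret or unknown identity leaves the controlled port unauthorized with no session key, which is what the "dynamic key exchange" bullet depends on.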

  15. 802.1x: EAP Methods
     • There is no “standard” EAP, but several competing protocols: LEAP, MD5, TTLS, TLS, PEAP, SRP, SIM, AKA
     • The same EAP method needs to be supported on the client device and the Authentication Server
     • EAP methods can be sorted into 3 approaches:
       – Password based (can be open to dictionary attacks)
       – Digital Certificate based (cumbersome to set up and manage)
       – Token based
     • Early entries into the field were LEAP, TLS (Mutual Authentication) and TTLS (Digital Certificate for Server-side Authentication)
     • Emerging leaders: PEAP (Microsoft, Cisco and RSA), TTLS (Funk and Certicom)
     • No specific EAP for PDA clients (PocketPC2002 or Palm), Wi-Fi phones (SpectraLink, etc.) or Apple devices

  16. PEAP (Protected Extensible Authentication Protocol)
     • Microsoft has started shipping an 802.1x client with PEAP
       – Built into Windows XP SP1
       – Released a PEAP client for Windows 2000 in November 2002
       – No support yet for other OSs (’98, ME)
     • WEP keys to supplicant protected by ‘session key’ from RADIUS server
     • At a configurable interval, updated key sent to authenticated PC
     • Using one vendor’s EAP method could lock you into using certain clients and devices

  17. Is 802.1x “Good Enough”?
     • Most implementations require vendor-specific APs/NICs/AAA servers
       – Interoperability is difficult in multi-vendor environments
       – There is no consensus on a “standard” EAP method or operating mode (TLS/PEAP in WinXP SP1 only)
       – Same problem as proprietary IPsec clients for guest access
     • Client software is required to run 802.1x, involving the need to upgrade all client devices
       – Only some Windows versions provide support; not on other devices (PDAs, Apple Macs, scanners, etc.)
       – No visitor, non-802.1x guest user access
     • Underlying privacy is based on RC4 with rapid re-keying, requiring extensions to APs
       – Installed base of APs may require forklift upgrades
       – Potential high cost of deployment, as each AP must support the final 802.11 standard and be properly configured
     • Access is all or nothing (either on or off the network)
       – No provisions for prioritization or bandwidth control by class of user

  18. Wi-Fi Protected Access (WPA)
     • New terminology announced by the Wi-Fi Alliance (formerly WECA) to describe 802.1x with TKIP and MIC
     • TKIP with WEP represents a significant air-link privacy improvement
     • Subset of the 802.11i security standard
     • 802.11i will use AES in a mode to be determined later
     • Issues with WPA
       – Requires an 802.1x client/driver on all end-user devices
       – Limited device support
       – Variety of methods (LEAP, PEAP, TLS, TTLS, MD5): which will be widely used or accepted as standard?
       – Does not provide a solution for securing sensitive traffic with alternate technologies and protocols (e.g. IPSec, PPTP, SSL)
     Is WPA a Step in the Right Direction? Yes

  19. 802.11i (a.k.a. WPAv2)
     • IEEE 802.11 TGi
     • Stronger encryption
     • Makes sense to plan for 802.11i
     • Will support secure, fast, reliable roaming, for Voice over WLAN
     • But not all details are settled upon yet
     Beware: You may have to upgrade a lot of equipment!

  20. Is WPA/802.11i Good Enough? Depends On Your Needs

  21. Policy Enforcement and Compliance: Healthcare
     • Enforce network policies based on user rights
     • Examples:
       – Nurses: given HTTPS access to patient databases only
       – Doctors: e-mail and Web access with IPSec encryption for HIPAA compliance
       – Contractors: access only to their work servers
       – Patients/Public/Guests: access to Internet only, with limited bandwidth
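The four healthcare roles above are a compact statement of per-user policy: destination, port, required encryption and a bandwidth cap all keyed on who authenticated. The following is an added example of how such a policy can be evaluated at a wireless gateway; it is not Bluesocket's product code. The role names follow the slide, while the subnets, ports, the 512 kbps guest cap and the sample flows are constructed values for illustration. It generalises the slide slightly by adding an explicit deny rule (so guests cannot reach internal ranges) and a default-deny fallthrough.

```python
"""Role-based WLAN policy enforcement, modelled on the healthcare roles on this slide.

Added example, not Bluesocket's product code. Roles follow the slide; subnets, ports,
the bandwidth cap and the sample flows are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    dst: str                      # destination network (CIDR)
    ports: frozenset              # allowed TCP ports; empty = any port
    allow: bool = True            # False = explicit deny (first match wins)
    require_ipsec: bool = False   # permit only if the flow arrived inside the user's IPsec tunnel


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    bandwidth_kbps: Optional[int] = None   # None = no per-user cap


# Constructed address plan for the example
PATIENT_DB = "10.10.5.0/24"
MAIL = "10.10.6.0/24"
CONTRACTOR_SERVERS = "10.20.0.0/16"
INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"

POLICIES = {
    # Nurses: HTTPS to the patient database only
    "nurse": Policy((Rule(PATIENT_DB, frozenset({443})),)),
    # Doctors: e-mail and Web, but only inside IPsec (HIPAA)
    "doctor": Policy((
        Rule(MAIL, frozenset({993, 587}), require_ipsec=True),
        Rule(ANY, frozenset({80, 443}), require_ipsec=True),
    )),
    # Contractors: their own servers, any port
    "contractor": Policy((Rule(CONTRACTOR_SERVERS, frozenset()),)),
    # Guests: Internet only (internal ranges denied first), rate-limited
    "guest": Policy((
        Rule(INTERNAL, frozenset(), allow=False),
        Rule(ANY, frozenset({80, 443})),
    ), bandwidth_kbps=512),
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    bandwidth_kbps: Optional[int] = None


def evaluate(role: str, dst_ip: str, dst_port: int, over_ipsec: bool = False) -> Decision:
    """Decide one flow for an authenticated user of the given role. Default deny."""
    policy = POLICIES.get(role)
    if policy is None:
        return Decision(False, f"{role}: unknown role, default deny")
    addr = ip_address(dst_ip)
    for rule in policy.rules:
        if addr not in ip_network(rule.dst) or (rule.ports and dst_port not in rule.ports):
            continue
        if not rule.allow:
            return Decision(False, f"{role}: {rule.dst} explicitly denied")
        if rule.require_ipsec and not over_ipsec:
            return Decision(False, f"{role}: traffic to {rule.dst}:{dst_port} must be inside IPsec")
        return Decision(True, f"{role}: allowed by rule {rule.dst} port {dst_port}", policy.bandwidth_kbps)
    return Decision(False, f"{role}: no matching rule, default deny")


def audit(flows):
    """Evaluate a batch of (role, dst_ip, dst_port, over_ipsec) tuples."""
    return [(f, evaluate(*f)) for f in flows]


if __name__ == "__main__":
    sample_flows = [  # constructed traffic
        ("nurse", "10.10.5.20", 443, False),
        ("nurse", "10.10.5.20", 22, False),
        ("doctor", "10.10.6.1", 993, True),
        ("doctor", "10.10.6.1", 993, False),
        ("guest", "10.10.5.20", 443, False),
        ("guest", "198.51.100.10", 443, False),
    ]
    for flow, d in audit(sample_flows):
        print(f"{flow} -> {'ALLOW' if d.allow else 'DENY '} ({d.reason}; cap={d.bandwidth_kbps})")
```

The design point is that the decision is made per user class after authentication, which is exactly what the earlier "all or nothing" criticism of plain 802.1x lacks: a doctor's Web flow that arrives outside the IPsec tunnel is refused even though the user is authenticated, and a guest's flow is allowed only with the cap attached.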

  22. Wi-Fi Security Using IPSec
     (diagram: client software – campus network – IPSec termination)
     • Requires wireless users to authenticate before gaining network access
     • IETF standard – Layer 3 authentication & encryption
     • Familiar, reliable, trustworthy
     • Challenges:
       – No Layer 2 protection mechanisms
       – IPSec clients may not be available for all handheld devices
       – Can be difficult to manage and to scale
       – Ensure the solution provides cross-subnet roaming

  23. WLANs Yesterday: External to Corporate Network
     (diagram: wireless network – Internet – firewall – corporate network)
     • Wireless traffic untrusted
     • Access points placed outside the firewall
     • Local wireless users placed on a separate network

  24. WLANs Today: Integrated Within the Network
     (diagram: wireless network – corporate network – firewall – Internet)
     • Wireless traffic authenticated before accessing network
     • Access points installed on the regular wired LAN
     • Wireless users managed like wired users

  25. WLANs Tomorrow: Throughout the Network
     (diagram: Internet – firewall / VPN – corporate network)
     • Wireless traffic authenticated before accessing network
     • Access points installed on any LAN
     • Wireless users managed like remote users

  26. WLANs Tomorrow: Universal Access Regardless of Location
     (diagram: Internet – firewall / VPN – corporate network; the login credentials used at work are the same credentials used remotely)
     • One method for network authentication from any location
     • One set of login credentials used for on-campus and remote network access
     • Provides appropriate level of security and eases end-user adoption

  27. Recommendations
     • 802.1x: strongly recommended if you’re using Layer 2 security; provides centralized management/policy control
     • EAP: consider EAP-TLS if a client certificate infrastructure is in place; avoid LEAP if standards are important (ASLEAP attack); if you have Microsoft kit, PEAP is built in
     • IPSec: if you choose IPSec, be sure not to forgo mobility
     • VLAN: deploy per-user VLAN policy if your network supports it
     Take the path of least resistance that meets your network needs

  28. Bluesocket Future Directions
     • Continue to support standards – PEAP, TTLS, 802.11i
     • Add additional authentication methods to support customer needs
       – Have added PIN, Cosign, Certificate; use API for other methods
     • Continue to innovate around security and mobility
       – VLAN mobility
       – More efficient traffic routing
       – Load sharing to distribute load
       – More flexibility around login pages – by location/interface

  29. Thank You…
     Mike Brockney, SE Manager, Bluesocket
     djuitt@bluesocket.com
