250 likes | 262 Views
Security for (Wireless) LANs. Klaas.Wierenga@SURFnet.nl 802.1X workshop 30 & 31 March 2004 Amsterdam. Program Workshop. Security for (W)LANs – Klaas Wierenga 802.1X client side – Tom Rixom Coffee 802.1X server side – Paul Dekkers Lunch Hands-on. TOC. Background Threats Requirements
E N D
Security for (Wireless) LANs Klaas.Wierenga@SURFnet.nl 802.1X workshop 30 & 31 March 2004 Amsterdam
Program Workshop • Security for (W)LANs – Klaas Wierenga • 802.1X client side – Tom Rixom • Coffee • 802.1X server side – Paul Dekkers • Lunch • Hands-on
TOC • Background • Threats • Requirements • Solutions for today • Solutions for tomorrow • Conclusion
Background International connectivity Institution A WLAN Access Provider WLAN Institution B SURFnet backbone Access Provider GPRS WLAN Access Provider POTS Access Provider ADSL
Threats • Mac-address and SSID discovery • TCPdump • Ethereal • WEP cracking • Kismet • Airsnort • Man-in-the-middle attacks
Example: Kismet+Airsnort root@ibook:~# tcpdump -n -i eth1 19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request 19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply 19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request 19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply 19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request 19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply ^C
Requirements • Identify users uniquely at the edge of the network • No session hijacking • Allow for guest usage • Scalable • Local user administration and authN! • Using existing RADIUS infrastructure • Easy to install and use • Open • Support for all common OSes • Vendor independent • Secure • After proper AuthN open connectivity
Solutions for today • Open access • MAC-address • WEP European NRENs: • Web-gateway • PPPoE • VPN-gateway • 802.1X
Open network • Open ethernet connectivity, IP-address via DHCP • No client software (DHCP ubiquitous) • No access control • Network is open (sniffing easy, every client and server on LAN is available)
Open network + MAC authentication • Same as open, but MAC-address is verified • No client software • Administrative burden of MAC address tables • MAC addresses easy spoofable • Guest usage hard (impossible)
WEP • Layer 2 encryption between Client en Access Point • Client must know (static) WEP-key • Administrative burden on WEP-key change • Some WEP-keys are easy to crack (some less easy) • Not secure
Open network + web gateway • Open (limited) network, gateway between (W)LAN and de rest of the network intercepts all traffic (session intercept) • Can use a RADIUS backend • Guest use easy • Browser necessary • Hard to make secure
AAA Server Public Access Controller Internet 4. 3. 5. 1. Public Access Network 2. WWW-browser Example: FUNET
Open netwerk + VPN Gateway • Open (limited) network, client must authenticate on a VPN-concentrator to get to rest of the network • Client software needed • Proprietary (unless IPsec or PPPoE) • Hard to scale • VPN-concentrators are expensive • Guest use hard (sometimes VPN in VPN) • All traffic encrypted
IEEE 802.1X • True port based access solution (Layer 2) between client and AP/switch • Several available authentication-mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP) • Standardised • Also encrypts all data, using dynamic keys • RADIUS back end: • Scaleable • Re-use existing Trust relationships • Easy integration with dynamic VLAN assignment • Client software necessary (OS-built in or third-party) • Both for wireless AND wired
f.i. LDAP EAP over RADIUS EAPOL How does 802.1X work (in combination with 802.1Q)? Supplicant Authenticator (AP or switch) RADIUS server Institution A User DB jan@student.institution_a.nl Internet Guest VLAN Employee VLAN Student VLAN signalling data
Through the protocol stack Supplicant (laptop, desktop) Authenticator (AccessPoint, Switch) Auth. Server (RADIUS server) EAP 802.1X RADIUS (TCP/IP) EAPOL Ethernet Ethernet
Topic EAP MD5 LEAP EAP TLS PEAP EAP TTLS Security Solution Standards-based Proprietary Standards-based Standards-based Standards-based Certificates – Client No n/a Yes No No Certificates – Server No n/a Yes Yes Yes Credential Security None Weak Strong Strong Strong Supported Authentication Databases Requires clear-text database Active Directory,NT Domains Active Directory, LDAP etc. Active Directory, NT Domain, Token Systems, SQL, LDAP etc. Active Directory, LDAP, SQL, plain password files, Token Systems etc. Dynamic Key Exchange No Yes Yes Yes Yes Mutual Authentication No Yes Yes Yes Yes EAP-types
Available supplicants • Win98, ME: FUNK, Meetinghouse • Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2) • MacOS: Meetinghouse • Linux: Meetinghouse, Open1X • BSD: under development • PocketPC: Meetinghouse, MS (+SecureW2) • Palm: Meetinghouse
Example: SURFnet Supplicant Authenticator (AP or switch) RADIUS server Institution A RADIUS server Institution B User DB User DB Guest piet@institution_b.nl Internet Guest VLAN Employee VLAN Central RADIUS Proxy server Student VLAN signalling data
FUNET SURFnet (DFN) CARnet Radius proxy hierarchy • Participation guidelines are being drafted • Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join. University of Southampton FCCN RADIUS Proxy servers connecting to a European level RADIUS proxy server
Solutions for tomorrow • 802.11a|b|g • 802.16 (WiMax), 802.20 • IPv6 • MobileIPv6 • WPA (pre standard 802.11i, TKIP) • 802.11i: 802.1x + TKIP+ AES
Conclusion • You can make it safe • One size doesn’t fit all (yet?) • There is convergence in Europe • 802.1X is the future proof solution • It’s all about scalability, i.e. size does matter
More information • SURFnet and 802.1X • http://www.surfnet.nl/innovatie/wlan • TERENA TF-Mobility • http://www.terena.nl/mobility • The unofficial IEEE802.11 security page • http://www.drizzle.com/~aboba/IEEE/