
Applying Security Principles to Networking Applications

Mark Enright (enright@cisco.com), Dec 08, 2005



  1. Applying Security Principles to Networking Applications
     Mark Enright, enright@cisco.com, Dec 08, 2005

  2. What is Security in Computer Development Projects
     • What are you protecting
     • Why are you protecting it
     • From whom are you protecting it
     • How are you going to protect it
     • What is the cost of protecting it

  3. Wired Access Topology
     [Diagram: Internet, Access Device, Local Area Network (LAN), Wide Area Network (WAN)]

  4. Wireless Access Topology
     [Diagram: Internet, Access Device, Local Area Network (LAN), Wide Area Network (WAN)]

  5. Wireless Access Topology
     [Diagram: Internet, Access Device, Local Area Network (LAN), Wide Area Network (WAN)]

  6. Wireless Access Security Complication
     • Physical Access to Local Area Network no longer exists
     • Anyone can intercept your conversations
     • Anyone can utilize your network resources

  7. Security Solution For Wireless Access
     • Authentication
     • Encryption

  8. Typical Solution for Wireless Access
     [Diagram: Internet]
     1) Where is Access Point “MyAP”
     2) I am here. Prove you know my secret

  9. Typical Solution for Wireless Access
     [Diagram: Internet]
     3) Here is my proof
     4) OK. Here are session keys

  10. So What's The Problem?
      • Wireless Access is a huge Consumer Market
      • People are becoming concerned with Wireless Security
      • My Grandmother can't use it

  11. What Can We Do To Help
      • Make it easy for Grandma to set up Wireless Security

  12. Step 1. Configure Security Parameters Automatically
      [Diagram: Internet; SSID: r@ndOm 55ID, WPA-PSK: R@NDOM_P@SsW0Rd]
      When Access Point is booted 1st time:
      • Configures Random Secure SSID
      • Configures Random WPA Shared Secret
      • Waits for Wireless Association on Secure SSID

  13. Step 2.
      • How Can We Transfer Security Parameters Securely?

  14. Step 2. Trial One
      SSID: Well Known SSID, Open Authentication
      1) Where is my Access Point “Well Known SSID”
      2) Here I am. Come on in

  15. Step 2. Trial One
      SSID: Well Known SSID, Open Authentication
      3) Give me Security Parameters
      4) Here They Are

  16. Step 2. Trial One
      SSID: r@ndOm 55ID, WPA-PSK: R@NDOM_P@SsW0Rd
      1) Where is my Access Point “r@ndOm 55ID”
      2) I am here. Prove you know my secret

  17. Step 2. Trial One
      SSID: r@ndOm 55ID, WPA-PSK: R@NDOM_P@SsW0Rd
      3) Here is my proof
      4) OK. Here are session keys

  18. Step 2. Trial One Attack
      SSID: Well Known SSID, Open Authentication
      1) Where is my Access Point “Well Known SSID”
      2) Here I am. Come on in

  19. Step 2. Trial One Attack
      SSID: Well Known SSID, Open Authentication
      3) Give me Security Parameters
      4) Here they are

  20. Step 2. Trial Two
      • What Authentication is possible given constraints
      • something we know
      • something we have
      • something we are
      • something we do
      • If we can’t be sure, at least be safe

  21. Step 2. Trial Two
      SSID: Well Known SSID, Open Authentication
      Where is my Access Point “Well Known SSID”
      Where is my Access Point “Well Known SSID”
      Here I am. Come on in
      Here I am. Come on in

  22. Step 2. Trial Two
      SSID: Well Known SSID, Open Authentication
      1) Give Me Security Parameters
      Give Me Security Parameters
      Hang on a sec
      Unable to guarantee unique access
      Access to all denied

  23. Step 2. Trial 2 Attack
      • Attacker just Associates and Listens

  24. Trial 3.
      • Use Trial 2 Method for Authentication
      • Use SSL for Encryption

  25. So What's The Problem with IPSec?
      • Network Protection is a huge Consumer Market
      • People are becoming concerned with Security and look to IPSec for help
      • My Grandmother can't use it

  26. Network Address Translation
      [Diagram labels: 192.168.1.100, 192.168.1.101, 172.204.19.32, Internet, 192.168.1.100, 192.168.1.101, 62.2.12.17, Local Area Network (LAN), Wide Area Network (WAN)]

  27. The RoadWarrior IPSec Problem
      • With common implementations the IP Address needs to be known a priori or else a global shared secret is used for Authentication
      • Mobility and NAT make it hard to predict the IP Address

  28. RoadWarrior Solution
      [Diagram: Road Warrior Client, Internet, Home Gateway, Protected Network; HTTPS; IPSec VPN Tunnel]
      1. Gateway configured
         • SSL
         • Username, password
      2. Client configured
         • Web Install client software
         • Configure address of Home Gateway
      3. Client software connects
         • Logs on to HTTPS
         • Initiates the IPSec VPN
      4. Gateway accepts
         • Authenticates Client by password
         • Figures out current Client IP Address
         • Provisions IPSec for Client IP Address
         • Joins Client to Protected Network using IPSec VPN
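
Step 1 (slide 12) and the Step 2 progression from Trial Two to Trial 3 (slides 20 to 24), modelled in Python as an added example that is not code from the presentation. The names `first_boot_parameters` and `SetupWindow`, the rule that the access point counts parameter requests during the "Hang on a sec" period, the chosen lengths and the station addresses are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def _random_string(n):
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def first_boot_parameters(ssid_len=16, psk_len=32):
    """Step 1: random SSID (at most 32 octets) and WPA passphrase (8..63 chars)."""
    if not (1 <= ssid_len <= 32 and 8 <= psk_len <= 63):
        raise ValueError("length outside SSID / WPA-PSK limits")
    return {"ssid": _random_string(ssid_len), "wpa_psk": _random_string(psk_len)}


class SetupWindow:
    """Trial Two gate on the well-known open SSID (hypothetical model)."""

    def __init__(self, params):
        self.params = params
        self.associated = set()   # stations the AP let in
        self.requesters = set()   # stations that asked for the parameters

    def associate(self, mac):
        self.associated.add(mac)

    def request_parameters(self, mac):
        if mac not in self.associated:
            raise PermissionError("station is not associated")
        self.requesters.add(mac)

    def close(self, encrypted=False):
        """End the hold period; return {station: params} for every station
        that learns the parameters. An empty dict means access to all denied."""
        if len(self.requesters) != 1:
            return {}                     # cannot guarantee unique access
        # Trial 3 sends the reply inside SSL; Trial 2 sends it in the clear,
        # so every associated station on the open SSID can read it.
        readers = self.requesters if encrypted else self.associated
        return {mac: self.params for mac in readers}


if __name__ == "__main__":
    # Constructed stations: one legitimate client, one that only associates.
    window = SetupWindow(first_boot_parameters())
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02"):
        window.associate(mac)
    window.request_parameters("02:00:00:00:00:01")
    print("Trial 2 readers:", sorted(window.close()))
    print("Trial 3 readers:", sorted(window.close(encrypted=True)))
```

The gate alone settles who may ask, not who can read the answer, which is why Trial 3 keeps the gate and adds SSL.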
