Effective Wireless Security – Technology and Policy

1. Effective Wireless Security – Technology and Policy CSG 256 Final Project PresentationbyDan Ziminski&Bill Davidge

2. AGENDA Some attacks to WLANs Authentication Protocols Encryption Protocols Rogue AP problem Case Studies

3. 802.11 Passive Monitoring Access Point Username: dziminski Password:cleartext Station Attacker Passive Monitoring Captures data

4. 802.11 DOS Attack Access Point X Connection is broken Station Attacker spoofs 802.11 Disassociate frame

5. 802.11 Man in the Middle Attack • Attacker broadcasts spoofed AP SSID and MAC Address • Station unknowingly connects to attacker • MIM attacks can always be established • But if strong authentication and encryption are used, attacker will be nothing more than a bridge. Station Access Point Station MAC Address Attacker AP MAC Address Station MAC Address AP MAC Address

6. Authentication and Encryption Standards Certificate Username/Password Credentials MSFT IETF CSCO/MSFT IETF TLS PEAP Authentication Protocols EAP 802.1x Encryption Algorithms RC4 RC4 AES Encryption Standards WEP WPA-TKIP 802.11i

7. 802.1x Authentication Access Point Authenticator Station Supplicant RADIUS Server Authorizer

8. 802.1x EAP-TLS Authentication Client digital cert From XYZ CA Access Point Authenticator Station Supplicant RADIUS Server Authorizer Server Digital cert From XYZ CA

9. 802.1x PEAP authentication Phase 1: Authenticate AP. Secure tunnel to AP using TLS Digital cert From XYZ CA Access Point Authenticator Station Supplicant RADIUS Server Authorizer Username Dan Password: encrypted Phase 2: Password authentication with directory server Success/Fail Directory Server

10. VPN Authentication and Encryption Access Point VPN Gateway Station LAN IPSEC VPN Tunnel

11. Web Authentication Web auth security device Access Point Station LAN Backend RADIUS Server HTTPS Login page

12. Which Authentication to Choose?

13. WEP Encryption 24 bit IV clear text integrity check IV Payload CRC-32 Encrypted with 40 or 104 bit key. RC4 Algorithm. • WEP has several problems • IV is too small. At 10,000 packets per second IV repeats in 5 hours. • There are several “weak keys”. Those are especially vulnerable. • No key update mechanism built in. • Message replay attacks. DOS.

14. Wi-Fi Protected Access (WPA) TKIP-encryption • Wi-Fi Protected Access is an interim standard created by the Wi-Fi alliance (group of manufacturers). • WPA-TKIP fixes problems with WEP. • IV changes to 48 bits with no weak keys. 900 years to repeat an IV at 10k packets/sec. • Use IV as a replay counter. • Message integrity. • Per-packet keying. • Supported on many wireless card and on Windows XP (after applying 2 hot fixes). • Uses 802.1x for key distribution. • Can also use static keys.

15. TKIP – Per Packet Keying • Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm. 128 bits 48 bit IV 24 bits 104 bits 32 bit upper IV 16 bit lower IV IV d IV Per-Packet-Key Key mixing Key mixing MAC Address Session Key

16. 802.11i AES-encryption • Ratified by the IETF in June of 04. • Uses the AES algorithm for encryption and 802.1x for key distribution. • Backwards compatible with TKIP to support WPA clients. • 802.11i not in many products yet.

17. Which Encryption to Choose?

18. Newbury Networks • 3-hour “war driving” DNC in Boston • A total of 3,683 unique Wi-Fi devices • An average of 1 wireless network card every 2 minutes • Nearly 3,000 of the total Wi-Fi devices were discovered in Boston's Back Bay

19. 3-hour “war driving” DNC in Boston • 65% of the wireless networks detected had no encryption • 457 unique wireless access points-the majority of which were unsecured

20. DefCon X Hacker Convention-2002 • 2-hour monitoring Wireless LAN • Identified 8 sanctioned access points • 35 rogue access points, and more than • 800 different station addresses

21. DefCon X Hacker Convention-2002 • 200 to300 of the station addresses were fakes • 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours • 490 were wireless probes from tools such as Netstumbler and Kismet

22. DefCon X Hacker Convention-2002 • 100 were varying forms Denial-of-Service attacks that either • jammed the airwaves with noise to shut down an access point • targeted specific stations by continually disconnecting them from an access point or • forced stations to route their traffic through other stations

23. DefCon X Hacker Convention-2002 • 27 attacks came from out-of-specification management frames where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network • 190 were identity thefts, such as when MAC addresses and SSIDs

25. Case Studies-University • University • fosters an open, sharing environment • “…allow all, deny some…” as far as access goes. • large area • large user population • knowledgeable support group and a wide spectrum of knowledge in the user base

26. Case Studies-Financial Institution • restricted access • limited number of authorized users • Technical staff with control of user hardware • geographically dispersed locations

27. Case Study: Global Bank (alias) • In process of deploying enterprise WLAN. • Using 802.1x EAP-TLS with client web certificate for authentication. • Tested PEAP, but failed auth attempts would lock out users Active Directory account. • Had a small VPN pilot but found it didn’t scale. • Originally started testing WPA-TKIP but too many interoperability problems with card and APs. • Switched to WEP with keys rotating every 30 minutes using 802.1x. They feel that this is secure enough. • Monitor for rogue APs. Any rogue that is detected by 3+ APs is investigated and removed if on LAN.

28. Case Studies: home networks • small number of users • with no expectation of heavy volume • Limited technological expertise

29. Q and A • You Ask • We Answer