
Lecture 5

Lecture 5. Enterprise Security Model. The most secure level of security that can be achieved today for wireless LANs. Designed for medium to large-size organizations. Intended for settings with an authentication server. Like the personal security model, divided into sections for WPA and WPA2.

elisa

Presentation Transcript


  1. Lecture 5

  2. Enterprise Security Model
  • Most secure level of security that can be achieved today for wireless LANs
  • Designed for medium to large-size organizations
  • Intended for settings with an authentication server
  • Like the personal security model, divided into sections for WPA and WPA2
  • Additional security tools available to increase network protection

  3. WPA Enterprise Security: IEEE 802.1x Authentication
  • Uses port-based authentication mechanisms
  • A network supporting the 802.1x standard consists of three elements:
    • Supplicant: Wireless device that requires secure network access
    • Authenticator: Intermediary device accepting requests from the supplicant
      • Can be an AP or a switch
    • Authentication server: Accepts requests from the authenticator, grants or denies access

  4. WPA Enterprise Security: IEEE 802.1x Authentication (continued)
  [Figure 9-8: 802.1x protocol]

  5. WPA Enterprise Security: IEEE 802.1x Authentication (continued)
  • Supplicant is software on a client implementing the 802.1x framework
  • Authentication server stores a list of names and credentials of authorized users
    • Remote Authentication Dial-In User Service (RADIUS) typically used
    • Allows user profiles to be maintained in a central database that all remote servers can share

  6. WPA Enterprise Security: IEEE 802.1x Authentication (continued)
  • 802.1x is based on the Extensible Authentication Protocol (EAP)
  • Several variations:
    • EAP-Transport Layer Security (EAP-TLS): requires certificates on servers and clients
    • Lightweight EAP (LEAP): Cisco proprietary
    • EAP-Tunneled TLS (EAP-TTLS): tunnel for PAP
    • Protected EAP (PEAP): Microsoft native; not an encryption protocol itself, it secures the exchange inside an SSL/TLS tunnel
    • Flexible Authentication via Secure Tunneling (FAST)
  • Each maps to different types of user logons, credentials, and databases used in authentication
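As an added illustration of the port-based model on slides 3 to 6 (example code written for this page, not from the lecture or any 802.1x implementation): the authenticator relays authentication traffic through its uncontrolled port, blocks everything else on the controlled port, and opens it for a station only on an accept from the authentication server. The server's credential store (SHA-256 digests), the station address, the account name and the credential are all constructed for the demo, and the credential travels in the clear here, whereas a real EAP method such as PEAP or EAP-TTLS carries it inside a TLS tunnel.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// FrameKind separates authentication traffic (EAPOL/EAP), which the
// authenticator's uncontrolled port always accepts, from ordinary data,
// which the controlled port blocks until the station is authorized.
type FrameKind int

const (
	EAPOL FrameKind = iota
	Data
)

// Frame is a simplified 802.11 frame as seen by the authenticator.
type Frame struct {
	Kind       FrameKind
	Station    string // supplicant's link-layer address (constructed sample value)
	Identity   string // EAP identity; EAPOL frames only
	Credential string // EAP credential; EAPOL frames only (cleartext here, an assumption of the demo)
	Payload    string // user data; Data frames only
}

// AuthServer plays the RADIUS role: it owns the list of names and
// credentials and answers Access-Accept or Access-Reject.
type AuthServer struct {
	users map[string][32]byte // name -> SHA-256 of credential (demo storage, an assumption)
}

func NewAuthServer() *AuthServer { return &AuthServer{users: map[string][32]byte{}} }

func (s *AuthServer) AddUser(name, credential string) {
	s.users[name] = sha256.Sum256([]byte(credential))
}

// Access returns true for Access-Accept, false for Access-Reject; the
// comparison is constant-time so timing does not reveal a near miss.
func (s *AuthServer) Access(name, credential string) bool {
	want, ok := s.users[name]
	if !ok {
		return false
	}
	got := sha256.Sum256([]byte(credential))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// Authenticator is the AP or switch. It holds no credentials; it relays
// the request and flips the controlled port per station on the answer.
type Authenticator struct {
	server     *AuthServer
	authorized map[string]bool // controlled-port state per station
	forwarded  []string        // data that reached the network
}

func NewAuthenticator(s *AuthServer) *Authenticator {
	return &Authenticator{server: s, authorized: map[string]bool{}}
}

// Receive handles one frame and reports what happened to it.
func (a *Authenticator) Receive(f Frame) string {
	switch f.Kind {
	case EAPOL:
		// Uncontrolled port: always relayed to the authentication server.
		if a.server.Access(f.Identity, f.Credential) {
			a.authorized[f.Station] = true
			return "Access-Accept: controlled port opened"
		}
		delete(a.authorized, f.Station)
		return "Access-Reject: controlled port stays closed"
	default:
		// Controlled port: only authorized stations get through.
		if a.authorized[f.Station] {
			a.forwarded = append(a.forwarded, f.Payload)
			return "forwarded"
		}
		return "dropped: station not authorized"
	}
}

func main() {
	srv := NewAuthServer()
	srv.AddUser("alice", "correct horse battery staple") // constructed sample account
	ap := NewAuthenticator(srv)
	sta := "02:00:00:00:00:01" // constructed locally administered address

	fmt.Println(ap.Receive(Frame{Kind: Data, Station: sta, Payload: "GET /"}))
	fmt.Println(ap.Receive(Frame{Kind: EAPOL, Station: sta, Identity: "alice", Credential: "guess"}))
	fmt.Println(ap.Receive(Frame{Kind: EAPOL, Station: sta, Identity: "alice", Credential: "correct horse battery staple"}))
	fmt.Println(ap.Receive(Frame{Kind: Data, Station: sta, Payload: "GET /"}))
}
```

The point to take from the run is the ordering: the first data frame is dropped, the rejected attempt leaves the port closed, and only after the server's accept does the same station's data frame get forwarded.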

  7. WPA Enterprise Security: TKIP Encryption
  • TKIP is a “wrapper” around WEP
  • Provides an adequate encryption mechanism for WPA enterprise security
  • Dovetails into the existing WEP mechanism
  • Vulnerabilities may be exposed in the future

  8. WPA2 Enterprise Security: IEEE 802.1x Authentication
  • The enterprise security model using WPA2 provides the most secure level of authentication and encryption available on a WLAN
  • IEEE 802.1x is the strongest type of wireless authentication currently available
  • Wi-Fi Alliance certifies WPA and WPA2 enterprise products using EAP-TLS

  9. WPA2 Enterprise Security: AES-CCMP Encryption
  • AES: Block cipher that uses the same key for encryption and decryption
  • Bits are encrypted in blocks of plaintext
    • Each block is calculated independently
    • Block size of 128 bits
  • Three possible key lengths: 128, 192, and 256 bits
    • WPA2/802.11i uses the 128-bit key length
  • Four stages make up one round
    • The round is iterated 10 times
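To make slide 9 concrete, the following Go program (added here; not from the lecture or any WPA2 implementation) uses the standard library's AES to show the fixed 128-bit block across the three key lengths, why blocks encrypted independently leak equal plaintext blocks, and how CCM combines AES counter-mode encryption with a CBC-MAC integrity check so that a tampered frame is rejected. It follows the RFC 3610 block layout with a 16-byte MIC and no associated data; real CCMP uses an 8-byte MIC, builds the nonce from the packet number, and authenticates header fields as well. The key and nonce values are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// BlockSizeForKey builds an AES cipher for key and returns its block size.
// AES accepts 128-, 192- or 256-bit keys, but the block is always 128 bits.
func BlockSizeForKey(key []byte) (int, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	return block.BlockSize(), nil
}

// EncryptBlocksIndependently runs the bare block cipher over each 16-byte
// block on its own (ECB). Equal plaintext blocks give equal ciphertext
// blocks, which is why CCMP wraps AES in counter mode instead.
func EncryptBlocksIndependently(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// cbcMAC chains the block cipher over msg with a zero IV, zero-padding the
// final partial block; this is the integrity half of CCM.
func cbcMAC(block cipher.Block, msg []byte) []byte {
	bs := block.BlockSize()
	mac := make([]byte, bs)
	for i := 0; i < len(msg); i += bs {
		chunk := make([]byte, bs)
		copy(chunk, msg[i:]) // copy stops at the end of msg, leaving zero padding
		for j := range chunk {
			mac[j] ^= chunk[j]
		}
		block.Encrypt(mac, mac)
	}
	return mac
}

// counterBlock builds CCM counter block A_i: flags (L'=1) || 13-byte nonce || i.
func counterBlock(nonce []byte, i uint16) []byte {
	a := make([]byte, 16)
	a[0] = 0x01
	copy(a[1:14], nonce)
	binary.BigEndian.PutUint16(a[14:], i)
	return a
}

// ccmTag computes the CCM tag: CBC-MAC over B_0 || plaintext, XORed with
// the encrypted counter block A_0.
func ccmTag(block cipher.Block, nonce, plaintext []byte) []byte {
	// B_0 flags 0x39: no associated data, M'=7 (16-byte MIC), L'=1 (2-byte length).
	b0 := make([]byte, 16)
	b0[0] = 0x39
	copy(b0[1:14], nonce)
	binary.BigEndian.PutUint16(b0[14:], uint16(len(plaintext)))
	t := cbcMAC(block, append(b0, plaintext...))
	s0 := make([]byte, 16)
	block.Encrypt(s0, counterBlock(nonce, 0))
	for i := range t {
		t[i] ^= s0[i]
	}
	return t
}

// CCMSeal returns ciphertext || 16-byte MIC. The 13-byte nonce must never
// repeat under the same key, which is what CCMP's packet number guarantees.
func CCMSeal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != 13 || len(plaintext) > 0xFFFF {
		return nil, errors.New("nonce must be 13 bytes and plaintext at most 65535 bytes")
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, counterBlock(nonce, 1)).XORKeyStream(ct, plaintext)
	return append(ct, ccmTag(block, nonce, plaintext)...), nil
}

// CCMOpen decrypts and verifies; a single modified bit makes the MIC check
// fail and no plaintext is returned.
func CCMOpen(key, nonce, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != 13 || len(sealed) < 16 {
		return nil, errors.New("bad nonce or truncated frame")
	}
	ct, mic := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, counterBlock(nonce, 1)).XORKeyStream(pt, ct)
	if subtle.ConstantTimeCompare(ccmTag(block, nonce, pt), mic) != 1 {
		return nil, errors.New("MIC mismatch: frame rejected")
	}
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16)   // constructed 128-bit demo key
	nonce := bytes.Repeat([]byte{0x22}, 13) // constructed; CCMP derives this from the packet number
	twoBlocks := bytes.Repeat([]byte("same 16 byte blk"), 2)
	ecb, _ := EncryptBlocksIndependently(key, twoBlocks)
	fmt.Printf("ECB: equal plaintext blocks give equal ciphertext blocks: %v\n", bytes.Equal(ecb[:16], ecb[16:]))
	sealed, _ := CCMSeal(key, nonce, []byte("data frame payload"))
	sealed[0] ^= 0x80 // flip one ciphertext bit in transit
	_, err := CCMOpen(key, nonce, sealed)
	fmt.Println("tampered frame:", err)
}
```

Counter mode turns AES into a keystream generator, so the payload need not be a multiple of the block size, and the MIC is what gives CCMP the integrity protection that TKIP's Michael check only approximates.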

  10. WPA2 Enterprise Security: AES-CCMP Encryption (continued)
  [Table 9-6: Enterprise security model]

  11. Other Enterprise Security Tools: Virtual Private Network (VPN)
  • Virtual private network (VPN): Uses a public, unsecured network as if it were a private, secured network
  • Two common types:
    • Remote-access VPN: User-to-LAN connection used by remote users
    • Site-to-site VPN: Multiple sites can connect to other sites over the Internet
  • VPN transmissions are achieved through communicating with endpoints

  12. Other Enterprise Security Tools: Virtual Private Network (continued)
  • Endpoint: End of the tunnel between VPN devices
    • Can be local software, a dedicated hardware device, or even a firewall
  • VPNs can be used in a WLAN setting
    • Tunnel through the WLAN for added security
  • Enterprise trusted gateway: Extension of a VPN
    • Pairs of devices create a “trusted” VPN connection between themselves
    • Can protect unencrypted packets better than a VPN endpoint

  13. Other Enterprise Security Tools: Wireless Gateway
  • AP equipped with additional functionality
  • Most APs are wireless gateways
    • Combine the functionality of AP, router, network address translator, firewall, and switch
  • On the enterprise level, a wireless gateway may combine the functionality of a VPN and an authentication server
    • Can provide increased security for connected APs

  14. Other Enterprise Security Tools: Wireless Intrusion Detection System (WIDS)
  • Intrusion-detection system (IDS): Monitors activity on the network and what the packets are doing
    • May perform a specific function when an attack is detected
    • May only report information, and not take action
  • Wireless IDS (WIDS): Constantly monitors the RF frequency for attacks
    • Based on a database of attack signatures or on abnormal behavior
  • Wireless sensors lie at the heart of a WIDS
    • Hardware-based sensors have limited coverage, software-based sensors have extended coverage

  15. What Is Intrusion Detection Software?
  [Diagram labels: Port scans, SYN attack, Brute force attack, Internet, Firewall, Administrator]
  Intrusion detection software:
  • Detects the pattern of common attacks
  • Records suspicious traffic in event logs
  • Integrates with other firewall features to prevent common attacks
  • Alerts administrators to potential attacks

  16. Guidelines for Using IDS
  • Consider using both network-based IDS and host-based IDS
  • Frequently update IDS signatures
  • Understand the nature of intrusions that an IDS can detect
  • Distinguish between real intrusions and false positives
  • Deploy an IDS on each network segment
  • Use a centralized management console to manage an IDS
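A minimal signature-based detector of the kind slides 14 to 16 describe, written for this page (not the lecture's code, nor any product's): it parses constructed firewall and login log lines in a made-up key=value format, raises a port-scan alert when one source probes five or more distinct ports within a minute, a brute-force alert after four failed logins from one source in the same window, writes each rule/source pair to the alert list only once, and lets an isolated failed login pass (the false-positive point on slide 16). Addresses come from the documentation ranges; the thresholds are assumptions chosen for the demo, not recommended values.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one parsed log line.
type Event struct {
	TS   int    // seconds since an arbitrary epoch (constructed logs)
	Src  string // source address
	Port int    // destination port
	Kind string // "syn" or "auth_fail" in the sample log
}

// Alert is what the IDS records in its event log and reports to the administrator.
type Alert struct {
	Rule, Src, Detail string
}

// ParseLine reads "key=value" tokens; unknown keys are ignored, malformed lines rejected.
func ParseLine(line string) (Event, error) {
	var e Event
	for _, kv := range strings.Fields(line) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return e, fmt.Errorf("bad token %q", kv)
		}
		var err error
		switch k {
		case "ts":
			e.TS, err = strconv.Atoi(v)
		case "src":
			e.Src = v
		case "dport":
			e.Port, err = strconv.Atoi(v)
		case "event":
			e.Kind = v
		}
		if err != nil {
			return e, fmt.Errorf("bad value in %q: %v", kv, err)
		}
	}
	if e.Src == "" || e.Kind == "" {
		return e, fmt.Errorf("missing src or event in %q", line)
	}
	return e, nil
}

// Detector holds the signature thresholds and a sliding window of recent
// events per source.
type Detector struct {
	Window       int // seconds
	ScanPorts    int // distinct ports from one source within Window
	FailedLogins int // failed logins from one source within Window
	history      map[string][]Event
	alerted      map[string]bool // rule|src pairs already reported
}

func NewDetector(window, scanPorts, failedLogins int) *Detector {
	return &Detector{Window: window, ScanPorts: scanPorts, FailedLogins: failedLogins,
		history: map[string][]Event{}, alerted: map[string]bool{}}
}

// Feed adds one event and returns the alert it triggers, if any.
func (d *Detector) Feed(e Event) *Alert {
	// Drop events older than the window, then add the new one.
	old := d.history[e.Src]
	kept := old[:0]
	for _, x := range old {
		if e.TS-x.TS < d.Window {
			kept = append(kept, x)
		}
	}
	kept = append(kept, e)
	d.history[e.Src] = kept

	ports := map[int]bool{}
	fails := 0
	for _, x := range kept {
		switch x.Kind {
		case "syn":
			ports[x.Port] = true
		case "auth_fail":
			fails++
		}
	}
	if len(ports) >= d.ScanPorts {
		return d.once("port-scan", e.Src, fmt.Sprintf("%d distinct ports in %ds", len(ports), d.Window))
	}
	if fails >= d.FailedLogins {
		return d.once("brute-force", e.Src, fmt.Sprintf("%d failed logins in %ds", fails, d.Window))
	}
	return nil
}

// once suppresses repeat alerts for the same rule and source so the event log stays readable.
func (d *Detector) once(rule, src, detail string) *Alert {
	key := rule + "|" + src
	if d.alerted[key] {
		return nil
	}
	d.alerted[key] = true
	return &Alert{Rule: rule, Src: src, Detail: detail}
}

// Run parses every line and returns the alerts raised, in order.
func Run(lines []string, d *Detector) ([]Alert, error) {
	var alerts []Alert
	for _, ln := range lines {
		e, err := ParseLine(ln)
		if err != nil {
			return nil, err
		}
		if a := d.Feed(e); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts, nil
}

// SampleLog is a constructed log using documentation address ranges.
var SampleLog = []string{
	"ts=100 src=198.51.100.7 dport=21 event=syn",
	"ts=100 src=198.51.100.7 dport=22 event=syn",
	"ts=101 src=198.51.100.7 dport=23 event=syn",
	"ts=101 src=198.51.100.7 dport=25 event=syn",
	"ts=102 src=198.51.100.7 dport=80 event=syn",
	"ts=150 src=203.0.113.4 dport=443 event=syn",
	"ts=200 src=203.0.113.9 dport=22 event=auth_fail user=admin",
	"ts=203 src=203.0.113.9 dport=22 event=auth_fail user=admin",
	"ts=207 src=203.0.113.9 dport=22 event=auth_fail user=root",
	"ts=212 src=203.0.113.9 dport=22 event=auth_fail user=admin",
	"ts=900 src=203.0.113.9 dport=22 event=auth_fail user=admin",
}

func main() {
	alerts, err := Run(SampleLog, NewDetector(60, 5, 4))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %-11s src=%s %s\n", a.Rule, a.Src, a.Detail)
	}
}
```

On the sample log this yields exactly two alerts: a port-scan from 198.51.100.7 and a brute-force attempt from 203.0.113.9; the single failure at ts=900 falls outside the window and is not reported, which is the distinction between a real intrusion and a false positive that slide 16 asks for.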

  17. Other Enterprise Security Tools: Captive Portal
  • Web page that wireless users are forced to visit before they are granted access to the Internet
  • Used in one of the following ways:
    • Notify users of wireless policies and rules
    • Advertise specific services or products to users
    • Authenticate users against a RADIUS server
  • Often used in public hotspots

  18. Summary (continued)
  • The enterprise security model is intended for settings in which an authentication server is available; if an authentication server is not available, the highest level of the personal security model should be used instead
  • Additional security tools that can supplement the enterprise security model to provide an even higher degree of security include virtual private networks, wireless gateways, wireless intrusion detection systems (WIDS), and captive portals

  19. Labs
  • LAB C
