
Securing Wireless LAN using Cisco-based technology



Presentation Transcript


  1. Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch Peter Mozdzierz Greg Schrader June 2007

  2. Outline • Scenario • Solution • Solution Rationale • Concerns

  3. Scenario • Deploy a wireless LAN infrastructure • Provide coverage for the following areas of a manufacturing environment: • Office • Shop floor • Security goals: • protect data confidentiality and integrity • authenticate and authorize each user • provide scalability and central manageability

  4. Solution • Hardware purchased: • 8 Cisco 1200 Access Points (enterprise grade) • Assigned different channels to minimize interference • Assigning use of only channels 1, 6, and 11 minimizes interference by maximizing distance between carrier frequencies • Cisco 802.11 b/g computer hardware • PCI adapters and PCMCIA cards

  5. Solution • 14 overlapping (staggered) channels (11 in the U.S.) • Center frequencies are separated by 5 MHz • (Source: 2007 MITP 413 Wireless Technology - Michael L. Honig)
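The channel-spacing argument from slides 4 and 5 (only 1, 6 and 11 are far enough apart to avoid overlap) can be checked numerically. This is an added example, not part of the original presentation; it assumes the standard 802.11b/g DSSS channel width of 22 MHz and the 2.4 GHz center-frequency formula, neither of which the slides state, and the AP names are constructed.

```python
# Assumptions (not from the slides): 802.11b/g DSSS channels are 22 MHz wide,
# channels 1-13 are centered at 2407 + 5*ch MHz and channel 14 at 2484 MHz.
CHANNEL_WIDTH_MHZ = 22


def center_frequency_mhz(ch):
    """Center frequency of a 2.4 GHz 802.11 channel (5 MHz spacing)."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError("invalid 2.4 GHz channel: %r" % ch)


def channels_overlap(a, b):
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(allowed):
    """Greedy lowest-first selection of mutually non-overlapping channels.

    For the 11 U.S. channels this yields [1, 6, 11], the set the slides use.
    """
    chosen = []
    for ch in sorted(allowed):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_ap_channels(ap_names, allowed):
    """Round-robin the non-overlapping channels over the APs.

    Neighbouring APs in the list get different channels; placement on the
    floor plan (which APs actually neighbour each other) is still up to the
    site survey.
    """
    plan = non_overlapping_set(allowed)
    return {ap: plan[i % len(plan)] for i, ap in enumerate(ap_names)}


if __name__ == "__main__":
    # Constructed names for the 8 Cisco 1200 APs in the scenario.
    aps = ["AP%d" % n for n in range(1, 9)]
    print(assign_ap_channels(aps, range(1, 12)))
```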

  6. Solution • Security considerations: • Encryption Algorithm mechanism • Message Integrity mechanism • Authentication Framework mechanism • Authentication Algorithm mechanism

  7. Wi-Fi Protected Access (WPA) • Flaws in WEP (Wired Equivalent Privacy) have been known since January 2001; they include weak encryption (keys no longer than 40 bits), static encryption keys and no key distribution method. • In April 2003, the Wi-Fi Alliance introduced an interoperable security protocol known as WiFi Protected Access (WPA), based on draft 3 of the IEEE 802.11i amendment. • WPA was designed as a replacement for WEP that does not require hardware replacement, using a subset of the IEEE 802.11i amendment. • WPA provides stronger data encryption (weak in WEP) and user authentication (largely missing in WEP).

  8. WPA Security Enhancements • WPA includes the Temporal Key Integrity Protocol (TKIP) and 802.1x mechanisms. • The combination of these two mechanisms provides dynamic key encryption and mutual authentication. • TKIP adds the following strengths to WEP: • 48-bit initialization vectors; per-packet keys are derived with a one-way hash function instead of XOR • Per-packet key construction and distribution: WPA automatically generates a new unique encryption key periodically for each client. In fact, WPA uses a unique key for each 802.11 frame. This avoids the same key staying in use for weeks or months, as it does with WEP. • Message integrity code: guards against forgery attacks.

  9. Solution

  10. Message Integrity Solution • Using TKIP-MIC (message integrity check) • The MIC ensures that data frames have not been tampered with and that source addresses are authentic • Also prevents WEP reuse • An 8-byte field placed between the data portion of the 802.11 frame and the 4-byte ICV (Integrity Check Value), protecting both payload and header
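The frame layout on slide 10 (payload, then the 8-byte MIC, then the 4-byte ICV) and the MIC computation itself can be shown in code. The block below is an added example, not code from the presentation or from Cisco: it implements the Michael MIC that TKIP uses, computed over destination address, source address, priority and payload as 802.11i specifies, with the ICV as the WEP-style CRC-32. Key, addresses and payload are constructed sample values.

```python
import hmac
import struct
import zlib

MASK = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def xswap(x):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0x00FF00FF) << 8) | ((x >> 8) & 0x00FF00FF)


def michael_block(l, r):
    r ^= rotl(l, 17); l = (l + r) & MASK
    r ^= xswap(l);    l = (l + r) & MASK
    r ^= rotl(l, 3);  l = (l + r) & MASK
    r ^= rotr(l, 2);  l = (l + r) & MASK
    return l, r


def michael(key, msg):
    """Michael MIC: 64-bit key, message padded with 0x5a and 4-7 zero bytes."""
    l, r = struct.unpack("<II", key)
    m = msg + b"\x5a" + b"\x00" * 4
    m += b"\x00" * (-len(m) % 4)
    for i in range(0, len(m), 4):
        l ^= struct.unpack("<I", m[i:i + 4])[0]
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic_input(da, sa, priority, payload):
    # TKIP authenticates the MSDU header fields too, which is why the slide
    # says the MIC protects "both payload and header".
    return da + sa + bytes([priority, 0, 0, 0]) + payload


def build_tkip_body(mic_key, da, sa, priority, payload):
    """Return payload || MIC (8 bytes) || ICV (4 bytes), the pre-encryption layout."""
    mic = michael(mic_key, tkip_mic_input(da, sa, priority, payload))
    icv = struct.pack("<I", zlib.crc32(payload + mic) & MASK)
    return payload + mic + icv


def verify_tkip_body(mic_key, da, sa, priority, body):
    """Receiver side: check the ICV, then recompute and compare the MIC."""
    payload, mic, icv = body[:-12], body[-12:-4], body[-4:]
    expected_icv = struct.pack("<I", zlib.crc32(payload + mic) & MASK)
    if not hmac.compare_digest(icv, expected_icv):
        return False
    expected_mic = michael(mic_key, tkip_mic_input(da, sa, priority, payload))
    return hmac.compare_digest(mic, expected_mic)
```

The empty-message Michael value with an all-zero key is the first test vector published with the algorithm, which makes it a handy self-check before trusting the implementation on real frames.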

  11. WPA2 • In July 2004, the IEEE approved the full IEEE 802.11i specification, which was quickly followed by a new interoperability testing certification from the WiFi Alliance known as WPA2. • Strong encryption and authentication for infrastructure and ad-hoc networks (WPA1 is limited to infrastructure networks) • Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism, based on AES, as an alternative to the TKIP protocol • AES plays the role in WPA2 that the RC4 algorithm plays in WPA. • CCMP plays the role that TKIP plays in WPA. Changing even one bit in a message produces a totally different result. CCMP uses 128-bit keys, with a 48-bit initialization vector (IV) for replay detection

  12. WPA2 • TKIP was designed as an interim solution for wireless security, with the goal of providing sufficient security for 5 years while organizations transitioned to the full IEEE 802.11i security mechanism. • As of March 2006, the WPA2 certification became mandatory for all new equipment certified by the Wi-Fi Alliance, ensuring that any reasonably modern hardware will support both WPA1 and WPA2.

  13. Authentication Solution • Carries the authentication messages exchanged between APs and clients • 802.1x authentication used • Protocol resides at layer 2 and supports EAP (Extensible Authentication Protocol) • Provides centralized policy control with timeout triggers • APs remain blocked until the authentication process is complete • RADIUS (Remote Authentication Dial-In User Service) server used • Low deployment complexity

  14. Authentication Solution

  15. Authentication Solution • Authentication Algorithm • Validates each user's network access credentials • RADIUS server stores strong passwords • 25 alphanumeric characters • Non-dictionary phrases • Passwords encrypted and stored in users' wireless profiles • Cisco's LEAP (Lightweight Extensible Authentication Protocol) used • Allows clients to re-authenticate frequently

  16. Solution

  17. Solution • Additional security • MAC address authentication • Valid addresses authenticated against a list in the RADIUS server • APs also hold a copy of users, passwords and valid MAC addresses • MAC and IP address spoofing is very difficult with 802.11X implementations

  18. Concerns • LEAP allows clients to acquire a new WEP key that does not expire; this could be hacked • Considered minimal risk in this case • Employees installing their own WLAN devices • APs configured to collect rogue SSID info • DoS attacks could occur against APs • Alarms configured to observe flooding behavior • Logs track details of usage and are reviewed regularly • Telnet disabled in favor of SSH

  19. Concerns • Wireless IDS is not installed • A WIDS understands data-level patterns / signatures (like a wired IDS) and also the RF signatures of attacks • Current hardware does not include IDS • At the time of purchase, software IDS was not an option • Newer versions of Cisco APs include IDS capability • APs are upgradeable (as of 2005) • A firmware upgrade would install the software wireless IDS

  20. Questions? Other than Ron…

  21. Other EAP • EAP-MD5 • LEAP (Lightweight EAP) • Cisco authentication that provides mutual authentication and dynamic WEP key generation • EAP-TLS (Transport Layer Security) • Offers full authentication consistent with PKI public/private keys and digital certificates • Needs a client certificate in order to authenticate the client • Users log in from different computers in coffee shops • Users are more familiar with the idea of passwords; certificates may require some training.

  22. Other EAPs • EAP-PEAP and EAP-TTLS • Use Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator • Establish a strongly encrypted "outer" TLS tunnel in stage one, then exchange authentication credentials (inner EAP) through an "inner" method in stage two. • Plus, as a result of authentication, session keys are distributed to enable data privacy between client and access point.

  23. Solution

  24. Solution Rationale • WEP encryption and static-WEP key vulnerabilities are patched with 802.11X protocols • Authentication vulnerabilities minimized by use of strong, non-dictionary passwords • Cisco TKIP protocol preferred over WPA (Wi-Fi Protected Access) • TKIP session key rotation is dynamic • Key changes every 4 hours and 40 minutes
