Security

Presentation Transcript


  1. Security. Olga Torstensson, Halmstad University

  2. Key terms • WEP • TKIP • MIC • EAP • 802.1X • WPA • CCKM • RADIUS • SSH • Encryption • RSA RC4 (WEP) • DES, 3DES, AES • Cipher • BKR

  3. Advanced Security Terms • WEP – Wired Equivalent Privacy • EAP – Extensible Authentication Protocol • TKIP – Temporal Key Integrity Protocol • CKIP – Cisco Key Integrity Protocol • CMIC – Cisco Message Integrity Check • Broadcast Key Rotation – Group Key Update • WPA – Wi-Fi Protected Access (WPA)

  4. Security Fundamentals Balancing Security and Access

  5. Vulnerabilities
  • Technology: TCP/IP; WEP and broadcast SSID; association process; wireless interference
  • Configuration: default passwords; unneeded services enabled; few or no filters; poor device maintenance
  • Policy: weak security policy; no security policy; poorly enforced policy; physical access; poor or no monitoring

  6. Threats • Internal • External • Structured • Unstructured

  7. The Security Attack—Recon and Access

  8. The Security Attacks—DoS

  9. WLAN Security Wheel • Always have a good WLAN security policy in place. • Secure the network based on that policy.

  10. WLAN Security Considerations • Authentication – only authorized users and devices should be allowed. • Encryption – traffic should be protected from unauthorized access. • Administration Security – only authorized users should be able to access and configure the AP configuration interfaces.

  11. Common Protocols which use Encryption • When using a public network such as a WLAN, FTP, HTTP, POP3, and SMTP are insecure and should be avoided whenever possible. Use protocols with encryption.

  Traffic         No Encryption    Encryption
  Web Browsing    HTTP             HTTPS *
  File Transfer   TFTP or FTP      SCP
  Email           POP3 or SMTP     SPOP3 *
  Remote Mgmt     Telnet           SSH
  * SSL/TLS

  12. WLAN Security Hierarchy
  • Open Access: no encryption, basic authentication (public “hotspots”)
  • Basic Security: 40-bit or 128-bit static WEP encryption (home use)
  • Enhanced Security: 802.1x, TKIP/WPA encryption, mutual authentication, scalable key mgmt., etc. (business)
  • Remote Access: Virtual Private Network (VPN) (business traveler, telecommuter)

  13. Basic WLAN Security • Admin Authentication on AP • To prevent unauthorized access to the AP configuration interfaces: • Configure a secret password for the privileged mode access. (good) • Configure local usernames/passwords. (better) • Configure AP to utilize a security server for user access. (best)

  14. User Manager

  15. Admin Access CLI View

  16. Console Password

  17. SSID Manager

  18. SSID Manager (cont)

  19. Global SSID Properties

  20. SSID CLI View

  21. WEP • WEP is a key. • WEP scrambles communications between AP and client. • AP and client must use the same WEP keys. • WEP keys encrypt unicast and multicast. • WEP is easily attacked.

  22. Supported Devices • What can be a client? Client, non-root bridge, repeater access point, workgroup bridge • What can be an authenticator? Root access point, root bridge

  23. Enabling LEAP on the Client

  24. Configuring LEAP on the Client

  25. WEP Encryption Keys

  26. Enterprise WLAN Authentication: Authentication Types • Open Authentication to the Access Point • Shared Key Authentication to the Access Point • EAP Authentication to the Network • MAC Address Authentication to the Network • Combining MAC-Based, EAP, and Open Authentication • Using CCKM for Authenticated Clients • Using WPA Key Management

  27. WLAN Security: 802.1X Authentication (diagram: Client, AP, RADIUS Server; mutual authentication)
  • EAP-TLS: EAP-Transport Layer Security; mutual authentication implementation; used in WPA interoperability testing
  • LEAP: “Lightweight” EAP; nearly all major OS’s supported: WinXP/2K/NT/ME/98/95/CE, Linux, Mac, DOS
  • PEAP: “Protected” EAP; uses certificates or One Time Passwords (OTP); supported by Cisco, Microsoft, & RSA; GTC (Cisco) & MSCHAPv2 (Microsoft) versions

  28. EAP • Extensible Authentication Protocol (802.1x authentication) • Provides dynamic WEP keys to user devices. • Dynamic is more secure, since it changes. • Harder for intruders to hack: by the time they have performed the calculation to learn the key, the key has changed!

  29. Basic RADIUS Topology • RADIUS can be implemented: • Locally on an IOS AP (up to 50 users) • On an ACS server

  30. Local Radius Server

  31. Local Radius Server Statistics

  32. Radius Server User Groups

  33. ACS Server Options • Cisco Secure ACS Software • Cisco ACS Solution Engine

  34. Backup Security Server Manager

  35. Global Server Properties

  36. Enterprise Encryption • WPA: Interoperable, Enterprise-Class Security

  37. Cipher “Suite” • Cipher suites are sets of encryption and integrity algorithms. • Suites provide protection of WEP and allow use of authenticated key management. • Suites with TKIP provide best security. • Must use a cipher suite to enable: • WPA – Wi-Fi Protected Access • CCKM – Cisco Centralized Key Management

  38. Configuring the Suite • Create WEP keys • Enable Cipher “Suite” and WEP • Configure Broadcast Key Rotation • Follow the Rules
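The steps above, together with the admin-authentication options on slide 13, as an added Cisco Aironet IOS configuration. This is constructed here, not taken from the presentation, and command syntax differs between IOS releases (12.3JA-era shown); all addresses, names and secrets are placeholders.

```cisco
! Added example, not from the presentation. Aironet IOS AP with 802.1X/WPA-TKIP
! and broadcast key rotation. Addresses, SSID, names and secrets are placeholders.
hostname ap-lab
! Slide 13 "good": hashed secret for privileged mode (not the reversible "enable password")
enable secret ENABLE_SECRET_PLACEHOLDER
! Slide 13 "better": local admin account; also the fallback if RADIUS is unreachable
username admin privilege 15 secret ADMIN_SECRET_PLACEHOLDER
! Slide 13 "best": AAA against a RADIUS security server (e.g. ACS)
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.5 auth-port 1812 acct-port 1813
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
! Management plane (slide 11): GUI logins go through AAA, vty accepts SSH only
! (RSA keys must exist first: exec command "crypto key generate rsa")
ip http server
ip http authentication aaa
line vty 0 4
 transport input ssh
! Step 1 (create WEP keys) is only needed if a WEP cipher stays enabled; with
! TKIP and 802.1X the per-client keys are delivered dynamically (slide 28).
! SSID: open+EAP for standard 802.1X supplicants, network-EAP for LEAP clients,
! WPA key management (slide 37: a cipher suite must be enabled on the radio first)
dot11 ssid corp
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
! Step 2: enable the cipher suite on the radio (TKIP only, no static WEP)
! Step 3: rotate the broadcast (group) key every 300 seconds
interface Dot11Radio0
 encryption mode ciphers tkip
 broadcast-key change 300
 ssid corp
```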

  39. WEP Key Restrictions

  40. Security Levels

  41. Enterprise WLAN Security Evolution • TKIP/WPA • Successor to WEP • Cisco’s pre-standard TKIP has been shipping since Dec. ’01 • Cisco introduced TKIP into the 802.11i committee • 802.11i-standardized TKIP is part of Wi-Fi Protected Access (WPA) • WPA software upgrade now available for AP1100 & AP1200 • AES • The “Gold Standard” of encryption • AES is part of the 802.11i standard • AES will be part of the WPA2 standard (expected in 2004)

  42. Encryption Modes

  43. Encryption Global Properties

  44. Matching Client to AP

  45. Matching Client to AP

  46. Matching Client to AP

  47. Matching Client to AP

  48. Matching Client to AP

  49. Matching Client to AP

  50. Advanced Security: MAC Authentication