1 / 24

Securing your wireless LAN

Securing your wireless LAN. Paul DeBeasi VP Marketing Email: pdebeasi@legra.com. Pop quiz. At the end of this presentation you will… Think you are an expert in all aspects of wireless security. Decide that WLANs can never be secure enough for enterprise deployment.

kamin
Download Presentation

Securing your wireless LAN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing your wireless LAN Paul DeBeasi VP Marketing Email: pdebeasi@legra.com

  2. Pop quiz At the end of this presentation you will… • Think you are an expert in all aspects of wireless security. • Decide that WLANs can never be secure enough for enterprise deployment. • Become aware of WLAN security risks and approaches for risk mitigation. • Need a no-whip, triple-shot, cappuccino.

  3. Theft of service No security Key derivation MAC spoofing Rogue WLANs Default SSID Ad-hoc networks Session hijacking Man in the middle attacks Deny/degrade service RF interference/jam Bit flipping Disassociation attack EAP attacks Network eavesdropping RF Monitors Infrastructure attack Default passwords Wireless vulnerabilities

  4. Security Concepts Data Privacy Keeping your data hidden from prying eyes Authentication Something you are, you have, you know Authorization Control access to network resources Data Integrity Prevent data tampering

  5. Evolution of WLAN security

  6. IV (24 bits) WEP Key (40 or 104 bits) RC4 Key stream XOR Encrypted text Clear text WEP • Wired Equivalent Privacy • Protect from eavesdropping • “Good enough” privacy • U.S. export control law restrictions in 1999 • Network-wide shared key • All packets encrypted

  7. What’s wrong with WEP? (a lot!) • Turned off by default • Plug and pray mobility • Authentication • No user authentication • Encryption • WEP key can be broken in a few hours • Data integrity • CRC (cyclic redundancy check) susceptible to bit flipping • Difficult to update keys • Must manually change every station

  8. WEP/802.11 recommendations • Turn on WEP • Better than no security at all • Change default SSID • And, don’t use a name like “finance-network” • Disable SSID beaconing • Make it difficult for attackers to find your WLANs • Change default key • And, change the key frequently • Use MAC address filtering • More useful for small deployments

  9. Evolution of WLAN security

  10. EAP- (TLS, TTLS, PEAP, LEAP) EAPOL RADIUS Campus Network Supplicant Authenticator Authentication Server 802.1x and EAP • 802.1x defines EAPOL (Extensible Authentication Protocol over LAN) • Provides centralized authentication and dynamic key exchange • EAP packets carried at the MAC layer, embedded in RADIUS commands • EAP is extensible • Most common examples: EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-PEAP

  11. 802.1x and EAP – benefits Campus Network • Centralized authentication • Per user authentication and resource allocation • Authentication server and supplicant authenticate each other • Effectively eliminates Man-in-the-middle attacks • Centralized key management • Derived unique per user session key • Centralized policy control • Session time-out and automatic key redistribution (“dynamic WEP”) • VLAN assigned by the Authentication server Supplicant Authenticator Authentication Server

  12. EAP Types – variations on a theme • EAP over TLS (EAP-TLS) • IETF standard (RFC 2716) • Uses digital certificates for both user and server • EAP over Tunneled TLS (EAP-TTLS) • IETF draft (Funk), only the server needs to have a certificate • Supports password or token based authentication within a protected tunnel • Protected EAP (PEAP) • IETF draft (Cisco, Microsoft, RSA), only the server needs to have a certificate • Supports various EAP-encapsulation methods within a protected tunnel • Cisco LEAP • Proprietary solution for mutual authentication • Supports various EAP-encapsulation methods within a protected tunnel • Vulnerable to ASLEAP dictionary attack

  13. IPSec Virtual private networks Campus Network • An alternative approach • Treats wireless as an “un-trusted” network • IETF standard - layer 3 authentication & encryption • Challenges • Vulnerable at layer 2 • Rogue AP • Layer 2 session hijacking • DOS attacks against wireless stations or VPN device • Can be difficult to manage and to scale Client software VPN Server

  14. Comparing the options Cisco, Microsoft, RSA supported

  15. - VLAN ID - re-key Marketing Engineering 802.1x and VLANs Authentication Server • Centralized policy control • Per-user VLAN Policy improves traffic control • Timer-based key rotation reduce WEP key risk Wireless switch Marketing Marketing Engineering Engineering

  16. 802.1x, VLAN, VPN & EAP Recommendations • 802.1x • Strongly recommended to deploy 802.1x • Provides centralized management/policy control • VPN • If you chose to use VPNs then be sure to use 802.1x too • VLAN • Deploy per-user VLAN policy via the authentication server • EAP • Consider EAP-TLS if certificate infrastructure in place • Avoid LEAP if standards-based solutions are important • TTLS and PEAP are very similar/competing approaches

  17. Evolution of WLAN security

  18. 802.1x TKIP MIC Wi-Fi Protected Access (WPA) WPA • Authentication • 802.1x port based authentication at layer 2 • Works with EAP methods • Data Privacy • TKIP (Temporal Key Integrity Protocol) • Bigger Initialization Vector; 48 bits versus 24 bits • Per-user keying & key rotation with every packet • Requires hardware acceleration • Data integrity • MIC (Message Integrity Code) algorithm • Fixes flaws in the CRC algorithm used in WEP. IEEE 802.11i Draft 3

  19. WPA recommendations • Use it if you can • Many devices/NICs do not yet support WPA • Network interface cards • Ensure the card supports WPA, some never will • Operating systems • Microsoft XP supports WPA • See Meetinghouse and Funk for other OS clients • Authentication servers • Make sure they support EAP types • Network infrastructure • Make sure the hardware supports WPA

  20. Evolution of WLAN security

  21. 802.11i / WPA2 • The future of 802.11 security • Still in draft form at the IEEE 802.11i working group • Expected to be complete in 2004 • Uses Advanced Encryption Standard (AES) encryption • Approved by NIST (National Institute of Standards and Technology) • As secure as 3DES, but requires less computational power • Includes integrated data integrity • Also known as the “Rjindael” algorithm • Make sure that new hardware is 802.11i-ready • Must support AES cryptography acceleration now

  22. WEP Turn on WEP, change key Change default SSID Disable SSID beacon 802.1x, VLAN, VPN Use 802.1x with PEAP Use L2 security if using VPN Integrates with your VLAN’s Checklist for securing your WLAN • WPA • Require WPA certification • Don’t use pre-shared keys • Look for hardware acceleration • IEEE 802.11i (WPA2) • Uses new AES cipher • Not yet standardized • Use 802.11i-ready equipment Pop Quiz answer is… C. Become aware of WLAN security risks and approaches for risk mitigation.

  23. http://www.legra.com Security white papers and resource center http://wlanswitch.com WLAN BLOG with vendor neutral commentary & links to other useful sites http://www.drizzle.com/~aboba/IEEE/ The unofficial 802.11 security page http://www.netstumbler.com/ Commonly used “war driving” tool http://wepcrack.sourceforge.net/ Commonly used tool to break WEP keys http://www.wifialliance.com/opensection/certified_products.asp WiFi Alliance list of certified products http://www.unstrung.com/document.asp?doc_id=41185 “Look before you leap” article that discusses how LEAP was cracked. Useful links

More Related