
Identity-based Networking

Identity-based Networking. Klaas.Wierenga@SURFnet.nl ESA workshop 17 December 2004 Utrecht. Program Workshop. Identity-based Networking – Klaas Wierenga Extensible Authentication Protocol – Paul Dekkers Lunch EduRoam – Klaas Wierenga ESA implementation – Paul Dekkers


Presentation Transcript


  1. Identity-based Networking
     Klaas.Wierenga@SURFnet.nl, ESA workshop, 17 December 2004, Utrecht

  2. Program Workshop
     • Identity-based Networking – Klaas Wierenga
     • Extensible Authentication Protocol – Paul Dekkers
     • Lunch
     • EduRoam – Klaas Wierenga
     • ESA implementation – Paul Dekkers
     • Any other business / Discussion

  3. Contents
     • Threats
     • Requirements for secure networking (with focus on wireless)
     • Possible solutions
       • 802.1X
       • WPA
       • 802.11i/WPA2
     • Conclusions

  4. Threats
     • MAC-address and SSID discovery
       • tcpdump
       • Ethereal
     • WEP cracking
       • Kismet
       • Airsnort
     • Man-in-the-middle attacks

  5. Example: Kismet+Airsnort
     root@ibook:~# tcpdump -n -i eth1
     19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
     19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
     19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
     19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
     19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
     19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
     ^C

  6. Requirements
     • Identify users uniquely at the edge of the network
     • No session hijacking
     • Allow for guest usage
     • Scalable
     • Local user administration and authN
     • Using existing RADIUS infrastructure
     • Easy to install and use
     • Open
     • Support for all common OSes
     • Vendor independent
     • Secure

  7. Possible solutions
     • Open access
     • MAC-address
     • WEP
     • Web-gateway
     • PPPoE
     • VPN-gateway
     • 802.1X

  8. Open network
     • Open ethernet connectivity, IP-address via DHCP
     • No client software (DHCP ubiquitous)
     • No access control
     • Network is open (sniffing easy, every client and server on LAN is available)

  9. Open network + MAC authentication
     • Same as open, but MAC-address is verified
     • No client software
     • Administrative burden of MAC address tables
     • MAC addresses easily spoofable
     • Guest usage hard (impossible)

  10. WEP
     • Layer 2 encryption between Client and Access Point
     • Client must know (static) WEP-key
     • Administrative burden on WEP-key change
     • Some WEP-keys are easy to crack (some less easy)
     • Not secure

  11. Open network + web gateway
     • Open (limited) network, gateway between (W)LAN and the rest of the network intercepts all traffic (session intercept)
     • Can use a RADIUS backend
     • Guest use easy
     • Browser necessary
     • Hard to make secure

  12. Open network + VPN Gateway
     • Open (limited) network, client must authenticate on a VPN-concentrator to get to the rest of the network
     • Client software needed
     • Proprietary (unless IPsec or PPPoE)
     • Hard to scale
     • VPN-concentrators are expensive
     • Guest use hard (sometimes VPN in VPN)
     • All traffic encrypted

  13. IEEE 802.1X
     • True port based access solution (Layer 2) between client and AP/switch
     • Several available authentication-mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP)
     • Standardised
     • Also encrypts all data, using dynamic keys
     • RADIUS back end:
       • Scalable
       • Re-use existing Trust relationships
       • Easy integration with dynamic VLAN assignment
     • Client software necessary (OS-built in or third-party)
     • Both for wireless AND wired

  14. How does 802.1X work (in combination with 802.1Q)?
     [Diagram: Supplicant (jan@student.institution_a.nl) <-EAPOL-> Authenticator (AP or switch) <-EAP over RADIUS-> RADIUS server <-f.i. LDAP-> User DB (Institution A); VLANs shown on the authenticator side: Guest VLAN, Employee VLAN, Student VLAN, all leading to the Internet; legend: signalling, data]

  15. Through the protocol stack
     Supplicant (laptop, desktop) <--> Authenticator (AccessPoint, Switch) <--> Auth. Server (RADIUS server)
     • EAP: end to end between supplicant and authentication server
     • 802.1X (EAPOL) over Ethernet: between supplicant and authenticator
     • RADIUS (TCP/IP) over Ethernet: between authenticator and authentication server
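As an added example that is not part of the slides, the following model works through the exchange of slides 14 and 15: the authenticator wraps the supplicant's EAP-Response/Identity in a RADIUS Access-Request, the RADIUS server answers with an Access-Accept that carries the RFC 3580 tunnel attributes selecting the VLAN (or with an Access-Reject), and both sides verify the RFC 3579 Message-Authenticator before acting, so a forged or altered packet is silently dropped. The shared secret and the user-to-VLAN table are constructed, the user piet@institution_a.nl is hypothetical, and the inner EAP method (EAP-TLS, PEAP, ...) is abbreviated to a table lookup after the identity.

```python
import hashlib, hmac, os, struct

SECRET = b"example-shared-secret"  # constructed; the slides give no secret or user table
USER_VLAN = {"jan@student.institution_a.nl": "student", "piet@institution_a.nl": "employee"}
REQUEST, ACCEPT, REJECT = 1, 2, 3  # RADIUS packet codes (RFC 2865)
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM, EAP_MSG, MSG_AUTH, TUNNEL_GROUP = 1, 64, 65, 79, 80, 81

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def seal(code, ident, req_auth, attrs):
    """Append Message-Authenticator (HMAC-MD5 over the packet, RFC 3579), then the header."""
    attrs += attr(MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    attrs = attrs[:-16] + hmac.new(SECRET, header + req_auth + attrs, hashlib.md5).digest()
    if code == REQUEST:
        return header + req_auth + attrs
    return header + hashlib.md5(header + req_auth + attrs + SECRET).digest() + attrs  # Response Authenticator

def parse(pkt, req_auth):
    """Decode attributes; return None unless the Message-Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos, off = {}, 20, None
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        off = pos + 2 if t == MSG_AUTH else off  # where the HMAC value sits
        pos += l
    zeroed = pkt[:4] + req_auth + pkt[20:off] + bytes(16) + pkt[off + 16:] if off else b""
    good = hmac.compare_digest(hmac.new(SECRET, zeroed, hashlib.md5).digest(), attrs.get(MSG_AUTH, b""))
    return (code, ident, attrs) if good else None

def radius_server(request):
    """Auth server (the inner EAP method is abbreviated to a user-table lookup)."""
    if (parsed := parse(request, request[4:20])) is None:
        return None  # forged or tampered request: silently discard
    vlan = USER_VLAN.get(parsed[2][USER_NAME].decode())
    tunnel = b"" if vlan is None else (attr(TUNNEL_TYPE, struct.pack("!I", 13))  # VLAN
             + attr(TUNNEL_MEDIUM, struct.pack("!I", 6)) + attr(TUNNEL_GROUP, vlan.encode()))  # IEEE-802
    return seal(ACCEPT if vlan else REJECT, parsed[1], request[4:20], tunnel)

def authenticator(identity):
    """NAS: relay the EAP-Response/Identity over RADIUS; return (port_authorized, vlan)."""
    ident, req_auth = 7, os.urandom(16)
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity.encode()  # EAP Response/Identity
    request = seal(REQUEST, ident, req_auth, attr(USER_NAME, identity.encode()) + attr(EAP_MSG, eap))
    parsed = parse(reply, req_auth) if (reply := radius_server(request)) else None
    if parsed is None or parsed[0] != ACCEPT or parsed[1] != ident:
        return False, None  # port stays unauthorized
    return True, parsed[2][TUNNEL_GROUP].decode()
```

Note that the authenticator never sees the user's credentials, only the opaque EAP payload and the resulting VLAN decision, which is what makes the RADIUS back end reusable across institutions.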

  16. Available supplicants
     • Win98, ME: FUNK, Meetinghouse
     • Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2)
     • MacOS: Meetinghouse
     • Linux: Meetinghouse, Open1X
     • BSD: under development
     • PocketPC: Meetinghouse, MS (+SecureW2)
     • Palm: Meetinghouse

  17. WPA
     • WPA-Personal
       • Using Pre-Shared Keys
       • Huge improvement over static WEP by using TKIP after initial PSK
       • Not scalable
     • WPA-enterprise
       • Using 802.1X+EAP backend
       • Huge improvement over static WEP by using TKIP
       • Scalable

  18. WPA Enterprise
     • Solves weaknesses of WEP:
       • Encryption with TKIP
       • Provide User authentication: 802.1X+EAP
     • TKIP (Temporal Key Integrity Protocol)
       • Per packet keying
       • Message Integrity Check (MIC)
       • Extended Initialization Vector
       • Upward compatible with 802.11i
     • WPA = 802.1X+EAP+TKIP

  19. Disadvantages of WPA
     • Mixed-mode usually not available (but in > IOS Release 12.2(15)JA)
     • All AP's and clients need to be upgraded (software)
     • WPA support for older products is not guaranteed
     • Support in 802.11g products usually ok

  20. 802.11i/WPA2
     • 802.11i = 802.1X+TKIP+AES
     • Plus fast handoff, secure disassociation etc.
     • AP's and clients need to be upgraded (software and hardware!)
     • Ratified June 25, 2004!

  21. Conclusion/Discussion
     • 802.1X+EAP+RADIUS is the way to go
     • WPA is too early (unless mixed-mode)
     • 802.11i is too new

  22. More information
     • http://www.surfnet.nl/innovatie/wlan
     • http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
     • http://www.tomsnetworking.com/Sections-article50-page1.php
     • http://www.openxtra.co.uk/articles/wpa-vs-80211i.htm
     • The unofficial IEEE802.11 security page: http://www.drizzle.com/~aboba/IEEE/
