Identity-based Networking Klaas.Wierenga@SURFnet.nl ESA workshop 17 December 2004 Utrecht
Program Workshop • Identity-based Networking – Klaas Wierenga • Extensible Authentication Protocol – Paul Dekkers • Lunch • EduRoam – Klaas Wierenga • ESA implementation – Paul Dekkers • Any other business / Discussion
Contents • Threats • Requirements for secure networking (with focus on wireless) • Possible solutions • 802.1X • WPA • 802.11i/WPA2 • Conclusions
Threats • MAC-address and SSID discovery, passive sniffing of an open WLAN: tcpdump, Ethereal • WEP cracking: Kismet (capture), Airsnort (key recovery) • Man-in-the-middle attacks
Example: Kismet+Airsnort (the capture shown here is plain tcpdump on an open WLAN; any station in range sees the same frames)
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Requirements • Identify users uniquely at the edge of the network • No session hijacking • Allow for guest usage • Scalable • Local user administration and authN • Using existing RADIUS infrastructure • Easy to install and use • Open • Support for all common OSes • Vendor independent • Secure
Possible solutions • Open access • MAC-address • WEP • Web-gateway • PPPoE • VPN-gateway • 802.1X
Open network • Open ethernet connectivity, IP-address via DHCP • No client software (DHCP ubiquitous) • No access control • Network is open (sniffing is easy, every client and server on the LAN is reachable by anyone in range)
Open network + MAC authentication • Same as open, but the MAC-address is verified before the port or association is allowed • No client software • Administrative burden of maintaining MAC-address tables • MAC addresses are trivially spoofed (a sniffed address is all an attacker needs) • Guest usage hard (in practice impossible)
WEP • Layer 2 encryption between client and access point • Client must know the (static) WEP-key • Administrative burden on every WEP-key change (all clients must be reconfigured) • WEP keys can be recovered from captured traffic: the 24-bit IV is sent in the clear and repeats, and weak IVs leak key bytes to tools such as Airsnort; how fast depends only on traffic volume • Not secure
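Why a static WEP key cannot be made secure, as an added example that is not part of the original slides: WEP seeds RC4 with a 24-bit IV prepended to the shared key, and the IV travels in the clear. Two frames with the same IV are encrypted with the same keystream, so known plaintext of one frame decrypts the other, and the attacker never needs the key at all. The key, IV and frame contents below are constructed; the CRC-32 ICV of a real WEP frame is left out because it does not change the argument.

```python
# Added example, not code from the original slides or from SURFnet.
# Shows WEP's IV-reuse failure with plain RC4; all keys and frames are constructed.
from math import exp

IV_SPACE = 2 ** 24  # WEP IV is 24 bits and is sent in the clear


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """One WEP frame body: the per-frame RC4 key is IV || shared key, and the IV
    is prepended in the clear. (The CRC-32 ICV is omitted.)"""
    assert len(iv) == 3 and len(wep_key) in (5, 13)  # 40- or 104-bit key
    return iv + xor(rc4_keystream(iv + wep_key, len(plaintext)), plaintext)


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(rc4_keystream(iv + wep_key, len(body)), body)


def recover_by_iv_reuse(known_frame: bytes, known_plaintext: bytes,
                        target_frame: bytes) -> bytes:
    """Attacker side, no key needed: two frames with the same IV share a
    keystream, so known plaintext of one yields the other's plaintext, for as
    many bytes as the known plaintext covers."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("different IVs: keystreams are unrelated")
    keystream = xor(known_frame[3:], known_plaintext)
    return xor(keystream, target_frame[3:])


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: probability that at least two of `frames` randomly chosen
    IVs collide. Sequential IVs wrap, and repeat, after 2^24 frames anyway."""
    return 1.0 - exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


if __name__ == "__main__":
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")  # constructed 104-bit key
    iv = bytes.fromhex("00000a")
    # Constructed frames: the attacker knows the full plaintext of frame A
    # (say, an ARP request it provoked) and wants the contents of frame B.
    a_plain = b"ARP request: who-has 10.0.1.1 tell 10.0.1.2"
    b_plain = b"POST /login user=jan pass=hunter2 ......"
    a = wep_encrypt(key, iv, a_plain)
    b = wep_encrypt(key, iv, b_plain)
    print(recover_by_iv_reuse(a, a_plain, b))
    print("P(IV collision) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

The birthday bound makes the point quantitative: with random IVs a busy access point has a better than even chance of a repeat inside 5000 frames, and with sequential IVs the repeat is certain after 2^24 frames; changing the static key does not help, because the flaw is in the per-frame keying, not in the key.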
Open network + web gateway • Open (limited) network; a gateway between the (W)LAN and the rest of the network intercepts all traffic and redirects it to a login page (session intercept) • Can use a RADIUS backend • Guest use easy • Browser necessary • Hard to make secure: the authorised session is bound to the client's IP/MAC address, which can be spoofed (session hijacking), and traffic on the open (W)LAN itself stays unencrypted
Open network + VPN gateway • Open (limited) network; the client must authenticate to a VPN-concentrator to reach the rest of the network • Client software needed • Proprietary (unless IPsec or PPPoE) • Hard to scale • VPN-concentrators are expensive • Guest use hard (sometimes VPN in VPN) • All traffic encrypted
IEEE 802.1X • True port based access control (Layer 2) between client and AP/switch: no traffic other than EAPOL passes until authentication succeeds • Several available authentication mechanisms (EAP methods: EAP-MD5, EAP-MSCHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP); EAP-MD5 derives no keying material and is therefore unsuitable for wireless • Standardised • Delivers dynamic per-user, per-session keys to the link-layer encryption (dynamic WEP, later TKIP/AES with WPA/802.11i) instead of one static key • RADIUS back end: • Scalable • Re-use existing trust relationships • Easy integration with dynamic VLAN assignment • Client software necessary (OS built-in or third-party) • Both for wireless AND wired
How does 802.1X work (in combination with 802.1Q)? [diagram] Supplicant (user jan@student.institution_a.nl) <-- EAPOL --> Authenticator (AP or switch) <-- EAP over RADIUS --> RADIUS server of Institution A <-- f.i. LDAP --> User DB. Signalling and data paths are drawn separately: after a successful authentication the authenticator places the port in the Guest, Employee or Student VLAN that the RADIUS reply names, and the data path continues from that VLAN to the Internet.
Through the protocol stack [diagram] Supplicant (laptop, desktop) | Authenticator (AccessPoint, Switch) | Auth. Server (RADIUS server). EAP runs end-to-end between supplicant and authentication server; between supplicant and authenticator it is carried in EAPOL (802.1X) directly over Ethernet, between authenticator and authentication server it is carried in RADIUS over UDP/IP. The authenticator only re-encapsulates the EAP packets and never needs to understand the EAP method.
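The exchange from the two diagrams above, on the wire, as an added example that is not part of the original slides and not SURFnet's code: the supplicant sends an EAP-Response/Identity inside EAPOL; the authenticator strips the EAPOL header, wraps the EAP packet in a RADIUS Access-Request (EAP-Message, RFC 3579) protected by a Message-Authenticator (HMAC-MD5, RFC 2869), and forwards it to the home RADIUS server chosen from the realm after the "@"; the server answers with an Access-Accept carrying EAP-Success and the tagged Tunnel-* attributes (RFC 3580) that assign the VLAN. The EAP method exchange in between (TLS/TTLS/PEAP) is elided. The shared secret, the realm table, the server names and the VLAN numbers are constructed for the example.

```python
# Added example, not code from the original slides or from SURFnet.
# EAPOL -> RADIUS(EAP-Message) -> Access-Accept with VLAN, with the
# Message-Authenticator and Response Authenticator computed and checked.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1

# Constructed: realm -> home RADIUS server, and the VLAN that server assigns.
HOME_SERVERS = {"student.institution_a.nl": "radius.institution_a.nl",
                "institution_a.nl": "radius.institution_a.nl"}
VLAN_FOR_REALM = {"student.institution_a.nl": "20", "institution_a.nl": "10"}


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def eapol(eap_packet: bytes) -> bytes:
    """EAPOL frame, version 1, type 0 (EAP-Packet), carried directly in Ethernet."""
    return struct.pack("!BBH", 1, 0, len(eap_packet)) + eap_packet


def attr(t: int, value: bytes) -> bytes:
    assert len(value) <= 253
    return bytes([t, 2 + len(value)]) + value


def tagged_int(t: int, value: int, tag: int = 1) -> bytes:
    """RFC 2868 tagged integer attribute: one tag byte plus a 3-byte value."""
    return attr(t, bytes([tag]) + value.to_bytes(3, "big"))


def build(code: int, ident: int, authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RADIUS header + attributes; the trailing Message-Authenticator is HMAC-MD5
    over the whole packet with its own value zeroed (RFC 2869 section 5.14)."""
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes, req_auth: bytes = None) -> bool:
    """Recompute the HMAC. A reply is checked with the Request Authenticator of
    the Access-Request it answers in the header field, not its own."""
    hdr_auth = pkt[4:20] if req_auth is None else req_auth
    i = 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:4] + hdr_auth + pkt[20:i + 2] + bytes(16) + pkt[i + l:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + l])
        i += l
    return False  # RFC 3579: EAP-Message without Message-Authenticator is dropped


def parse_attrs(pkt: bytes) -> dict:
    out, i = {}, 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        out[t] = pkt[i + 2:i + l]
        i += l
    return out


def realm_of(identity: str):
    return identity.rsplit("@", 1)[1] if "@" in identity else None


def access_request(ident: int, identity: str, eap_packet: bytes, secret: bytes):
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, identity.encode()) + attr(EAP_MESSAGE, eap_packet)
    return build(ACCESS_REQUEST, ident, req_auth, attrs, secret), req_auth


def access_accept(ident: int, req_auth: bytes, vlan: str, eap_id: int, secret: bytes) -> bytes:
    attrs = (attr(EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4))
             + tagged_int(TUNNEL_TYPE, 13)          # 13 = VLAN
             + tagged_int(TUNNEL_MEDIUM_TYPE, 6)    # 6 = IEEE-802
             + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode()))
    pkt = build(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def run_exchange(identity: str, secret: bytes) -> dict:
    """Supplicant -> authenticator (EAPOL), authenticator -> home server (EAP over
    RADIUS), and the reply that places the port in a VLAN."""
    frame = eapol(eap_response_identity(1, identity))
    eap_len = struct.unpack("!H", frame[2:4])[0]
    eap_pkt = frame[4:4 + eap_len]              # authenticator strips the EAPOL header
    server = HOME_SERVERS.get(realm_of(identity))
    if server is None:
        return {"result": "reject", "reason": "unknown realm"}
    req, req_auth = access_request(7, identity, eap_pkt, secret)
    # home server side: check integrity, read the identity, answer
    if not verify_message_authenticator(req, secret):
        return {"result": "reject", "reason": "bad Message-Authenticator"}
    got = parse_attrs(req)
    eap_id, identity_seen = got[EAP_MESSAGE][1], got[EAP_MESSAGE][5:].decode()
    acc = access_accept(7, req_auth, VLAN_FOR_REALM[realm_of(identity_seen)], eap_id, secret)
    # authenticator side: verify the reply, forward EAP-Success, set the VLAN
    if not verify_message_authenticator(acc, secret, req_auth):
        return {"result": "reject", "reason": "forged reply"}
    reply = parse_attrs(acc)
    return {"result": "accept", "server": server,
            "eap_success": reply[EAP_MESSAGE][0] == EAP_SUCCESS,
            "vlan": reply[TUNNEL_PRIVATE_GROUP_ID][1:].decode()}


if __name__ == "__main__":
    print(run_exchange("jan@student.institution_a.nl", b"s3cret"))
```

Two details matter in practice: the authenticator must drop any RADIUS packet carrying EAP-Message without a valid Message-Authenticator, since the Response Authenticator alone is not a MAC over the attributes, and the realm lookup is what makes the setup identity-based: the authenticator never knows the user's password, it only knows which RADIUS server to ask.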
Available supplicants • Win98, ME: FUNK, Meetinghouse • Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2) • MacOS: Meetinghouse • Linux: Meetinghouse, Open1X • BSD: under development • PocketPC: Meetinghouse, MS (+SecureW2) • Palm: Meetinghouse
WPA • WPA-Personal • Using a Pre-Shared Key (one passphrase per SSID) • Huge improvement over static WEP: TKIP per-packet keys are derived from the PSK for every association • Not scalable: all users share one secret, changing it means reconfiguring every client, and a weak passphrase can be guessed offline from a captured handshake • WPA-Enterprise • Using an 802.1X+EAP backend • Huge improvement over static WEP by using TKIP with per-user, per-session keys • Scalable
WPA Enterprise • Solves the weaknesses of WEP: • Encryption with TKIP • Provides user authentication (802.1X+EAP) • TKIP (Temporal Key Integrity Protocol) • Per-packet keying • Message Integrity Check (MIC) • Extended Initialization Vector (48 bits, used as a sequence counter against replay) • Upward compatible with 802.11i • WPA = 802.1X + EAP + TKIP
Disadvantages of WPA • Mixed mode (WPA and legacy WEP clients on the same AP) usually not available (Cisco supports it from IOS Release 12.2(15)JA) • All APs and clients need to be upgraded (software) • WPA support for older products is not guaranteed • Support in 802.11g products usually OK
802.11i/WPA2 • 802.11i = 802.1X + TKIP (for legacy hardware) + AES-CCMP (the new cipher) • Plus fast handoff (pre-authentication, PMK caching), secure disassociation etc. (note that management frames such as disassociation only became protected later, with 802.11w) • APs and clients need to be upgraded (software and hardware, since AES-CCMP needs new radio chipsets!) • Ratified June 25, 2004!
Conclusion/Discussion • 802.1X+EAP+RADIUS is the way to go • WPA is too early (unless mixed-mode) • 802.11i is too new
More information • SURFnet WLAN innovation pages: http://www.surfnet.nl/innovatie/wlan • Wi-Fi Alliance, Wi-Fi Protected Access overview: http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf • Tom's Networking: http://www.tomsnetworking.com/Sections-article50-page1.php • WPA vs. 802.11i: http://www.openxtra.co.uk/articles/wpa-vs-80211i.htm • The unofficial IEEE 802.11 security page: http://www.drizzle.com/~aboba/IEEE/