140 likes | 427 Views
WIRELESS LAN SECURITY Using. EAP - TTLS. Security - In the Broad Sense. Focuses on network security, system security, information security, and physical security Made up of a suite of multiple technologies that solve authentication, information integrity, and identification problems.
E N D
WIRELESS LAN SECURITY Using EAP - TTLS
Security - In the Broad Sense • Focuses on network security, system security, information security, and physical security • Made up of a suite of multiple technologies that solve authentication, information integrity, and identification problems. • Includes technologies – firewalls, authentication servers, biometrics, cryptography, intrusion detection, virus protection, and VPNs.
Wireless Network Security Issues • Security is an even greater problem for wireless networks • Use radio frequency (RF) technology, to transmit and receive data over the air • Authentication of network users is not strong • Unauthorized users can access network resources. • Traffic encryption is also weak, so attackers are able to recover transmissions
IEEE 802.11 Standard • Wired Equivalent Privacy (WEP) • Static WEP Key • Open and Shared Authentication • MAC address matches an address in an authentication table used by the access point. It can be forged or NIC stolen • One Way Authentication (Client to AP) • 15 min to crack a 40-bits key (45 min to crack 128-bits)
802.1x - Authentication Methods • EAP defines a standard message exchange that allows a server to authenticate a client based on an authentication protocol agreed upon by both parties. • The access points defer to the Remote Authentication Dial-In User Service (RADIUS) server to authenticate users and to support particular EAP authentication types.
802.1x EAP – Authentication Types • EAP-Transport Layer Security (EAP-TLS) • Tunneled Transport Layer Security (TTLS) • Cisco Light Weighted EAP (LEAP) • Protected EAP (PEAP).
EAP – TLS and its Disadvantages • In EAP-TLS, certificates are used to provide authentication in both directions. • The server presents a certificate to the client, and, after validating the server's certificate the client presents a client certificate. • Requires each user to have a certificate. • Imposes substantial administrative burden in operating a certificate authority to distribute, revoke and manage user certificates
EAP- Tunneled Transport Layer Security (EAP- TTLS) • EAP - TTLS protocol developed in response to the PKI barrier in EAP-TLS. • Developed by Funk and Certicom. • TTLS a two-stage protocol - establish security in stage one, exchange authentication in stage two. • RADIUS servers, not the users, are required to have certificates • The user’s identity and password-based credentials are tunneled during authentication
Advantages of Using EAP – TTLS • Users to be authenticated with existing password credentials, and, using strong public/private key cryptography • Prevents dictionary attacks, man-in-the-middle attacks, and hijacked connections by wireless eavesdroppers. • Does not require the use of client certificates. • Requires little additional administration unlike EAP-TLS • Dynamic per-session keys are generated to encrypt the wireless connection and protect data privacy
Situations when EAP – TTLS can Fail • User's identity is not hidden from the EAP-TTLS server and may be included in the clear in AAA messages between the access point, the EAP-TTLS server, and the AAA/H server. • Server certificates within EAP-TTLS makes EAP-TTLS susceptible to attack. • EAP – TTLS is vulnerable to attacks by rogue EAP-TTLS servers
Microsoft, Cisco and RSA Security developed Protected Extensible Authentication Protocol (PEAP) over 802.11 WLANs Windows XP is currently the only operating system that supports PEAP. Only EAP - generic token card Funk Software and Interlink Networks added support for the proposed wireless security protocol, developed by Funk and Certicom, Linux, Mac OS X, Windows 95/98/ME, and Windows NT/2000/XP. Any Authentication Method - CHAP, PAP, MS-CHAP, and MS-CHAPv2 and EAP Comparison of EAP- TTLS and PEAP Protocols
Conclusions • Selection of an authentication method is the key decision in securing a wireless LAN deployment. • EAP-TLS is best suited under situations when a well configured PKI is already deployed • TTLS slight degree of flexibility at the protocol level and supports wider of client operating systems. • No single security solution is likely to address all security risks. Hence should implement multiple approaches to completely secure wireless application access
Future Areas of Research • Implement TTLS in a Wireless LAN. • Develop test benches to compare the two 802.1x standards EAP-TTLS and PEAP. • Implement PEAP for other operating systems other than Windows – XP. • Develop ways to protect security between the access point, the EAP-TTLS server, and the AAA/H server by implementing firewalls or other such viable security techniques. • Alternative ways to protect the private key in EAP –TTLS servers as they are susceptible to attacks in the case where the EAP-TTLS certificates are lost or are to be compromised.
References • www.ietf.org/internet-drafts/draft-ietf-pppext-eap-ttls-02.txt • http://www.nwfusion.com/research/2002/0506ilabwlan.html • http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html • http://www.nwfusion.com/news/2002/1111funk.html • http://www.nwfusion.com/news/2002/0923peap.html