Wireless Security Primer
Martin G. Nystrom, CISSP-ISSAP
Security Architect, Cisco Systems, Inc.
April 2005
About me
• CISSP-ISSAP
• Education
  • Master of Engineering – NC State University (2003)
  • Bachelor’s – Iowa State University (1990)
• 3 years as Security Architect in Cisco’s InfoSec
  • Responsible for consulting with application teams to secure their architecture
  • Monitor for infrastructure vulnerabilities
  • Infrastructure security architect
• Prior – 12 years developing application architectures
  • Cisco Systems
  • Sphinx Pharmaceuticals
  • Eli Lilly & Company
Outline
• Wireless intro & history
• Wireless security overview
• Standards & techniques
• Threats and best practices
Wireless intro & history
© 2004 Cisco Systems, Inc. All rights reserved.
Background & Overview
• History
  • Developed for military use
  • Security widely noticed after Peter Shipley’s 2001 DefCon presentation on WarDriving
  • DHS labeled WiFi a terrorist threat, demanded regulation
• Non-Wi-Fi types
  • CDPD – 19.2 kbps analog
  • GPRS – 171.2 kbps digital
  • WAP – bandwidth-efficient content delivery
  • Ricochet – 176 kbps wireless broadband flop
  • Bluetooth – personal area networks, range limited only by transmit power
  • Blackberry – uses cellular & PCS networks, no authentication at console
• IEEE 802 series standards
  • 802.11 – wireless LANs
  • 802.15 – wireless personal area networks (e.g., Bluetooth)
  • 802.16 – wireless broadband up to 155 Mbps, wireless ISPs
Organizations
• FCC – regulates ISM bands
  • ISM = Industrial, Scientific, and Medical
  • 900 MHz, 2.4 GHz, 5.8 GHz
  • Unlicensed bands
• IEEE – develops wireless LAN standards
• ETSI – IEEE for Europe
  • HiperLAN/2 similar to IEEE 802.11 standards
• WECA (WiFi Alliance) – regulates WiFi labeling
802.11 standards
• 802.11b – 11 Mbps @ 2.4 GHz
  • Full speed up to 300 feet
  • Coverage up to 1750 feet
  • Cisco products: Aironet 340, 350, 1100, 1200
• 802.11a – 54 Mbps @ 5 GHz
  • Not interoperable with 802.11b
  • Limited distance
  • Dual-mode APs require 2 chipsets, look like two APs to clients
  • Cisco products: Aironet 1200
• 802.11g – 54 Mbps @ 2.4 GHz
  • Same range as 802.11b
  • Backward-compatible with 802.11b
  • Speeds slower in dual-mode
  • Cisco products: Aironet 1100, 1200
802.11 standards (cont.)
• 802.11e – QoS
  • Dubbed “Wireless MultiMedia (WMM)” by WiFi Alliance
• 802.11i – Security
  • Adds AES encryption
    • Requires high CPU, new chips required
  • TKIP is interim solution
• 802.11n – 100 Mbps+ (in progress)
• Wi-Fi Protected Access (WPA)
  • Subset of, forward-compatible with 802.11i (WPA2)
  • Encryption: RC4 w/TKIP
  • AuthC: 802.1x & EAP – allows auth via RADIUS or PSK
Wireless security overview
802.11i – wireless security done right
• FIPS-140 compliant
• AES replaces RC4 w/TKIP
• Dubbed “WPA2” by WiFi Alliance
• Components
  • Robust Security Network (RSN) for establishing secure communications
    • Uses 802.1x for authentication
    • Replaces TKIP
  • Counter Mode with CBC-MAC Protocol (CCMP) for encryption
    • CCM mode of AES
    • 128-bit keys, 48-bit IV
    • CBC-MAC provides data integrity/authentication
    • CCMP mandatory with RSN
    • WRAP was initial selection, licensing rights/problems got in the way
802.11 security
• Shared media – like a network hub
  • Requires data privacy – encryption
• Over the air – cannot effectively restrict layer 2 access
  • Dealing with rogue clients
    • Can access network without physical presence in building
    • Requires authentication
    • Once you connect to wireless, you are an “insider” on the network
    • Take care to prevent DoS, attacks on other clients too
  • Dealing with rogue servers
    • Prevent clients from connecting to rogue servers
    • Disallow their participation on your network
802.11 security approaches
• Closed network
  • SSID can be captured with passive monitoring
• MAC filtering
  • MACs can be sniffed/spoofed
• WEP
  • Can be cracked online/offline given enough traffic & time
  • Change keys frequently
    • Traffic can still be decrypted offline
• Place APs on DMZ
  • Requires VPN access to get back into network
• Use VPN
  • Doesn’t handle roaming
• Authentication portal
  • Example: NoCat
  • More stuff to configure
• WPA and/or EAP
Authentication methods
• Open system authentication
• Shared key authentication
• EAP / 802.1x
Open system authentication
• Required by 802.11
• Just requires SSID from client
• Only identification required is MAC address of client
• WEP key not verified, but device will drop packets it can’t decrypt
Shared key authentication
• Utilizes challenge/response
• Requires & matches key
• Steps
  • Client requests association to AP
  • AP issues challenge to client
  • Client responds with challenge encrypted by WEP key
  • AP decrypts client’s response & verifies
• WEAK! Attacker sniffs plain-text AND cipher-text of the same challenge!
802.1x authentication
• Encapsulates EAP traffic over LAN (aka EAPoL)
• EAP: standard for securely transporting authC data
  • Supports a variety of authentication methods
    • LEAP, EAP-TLS, etc.
• Port-based – only access is to authentication server until authentication succeeds
  • Similar to what’s used on Ethernet switches
  • Originally designed for campus wired networks
• Requires little overhead by access point
802.1x authentication (cont.)
• 3 entities
  • Supplicant (e.g., laptop w/wireless card)
  • Authenticator (e.g., access point)
  • Authentication server (e.g., RADIUS)
• Keys
  • Unique session key for each client
    • New WEP key each time client reauthenticates
  • Broadcast key
    • Shared by all clients
    • Mixed with IV to generate session keys
    • Rotated (Broadcast Key Rotation – BKR) regularly to generate new key space
802.1x authentication (diagram; source: nwfusion.com)
Wireless security standards
Wired Equivalent Privacy (WEP)
• Part of 802.11 specification
• 64-bit key
  • Shared key – 40 bits
  • Initialization vector (IV) – 24 bits
• Uses RC4 for encryption
• Weaknesses/attacks
  • FMS key recovery attack – weak IVs
    • Filter weak IVs to mitigate
  • IV too short, gets reused after 5 hours
  • IP redirection, MITM attacks
  • Traffic injection attacks
  • Bit-flip attacks
• WEP2 added, increases key length to 128 bits
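The two WEP weaknesses the slides flag (shared-key authentication exposing plaintext and ciphertext of the same challenge, and the 24-bit IV running out after a few hours) come down to one thing: RC4 keystream reuse. The toy model below is an added example, not code from the slides or from Cisco; the key, IV and messages are constructed sample values, and the frame layout is simplified to IV || RC4(IV || key)(data || CRC-32 ICV).

```python
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Toy WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over plaintext || CRC-32 ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(plaintext + icv, rc4(iv + wep_key, len(plaintext) + 4))


def keystream_from_shared_key_auth(challenge: bytes, response: bytes):
    """Shared-key auth sends the clear challenge and its WEP-encrypted reply over the air,
    so a passive listener gets (challenge || ICV) XOR ciphertext = keystream for that IV."""
    icv = zlib.crc32(challenge).to_bytes(4, "little")
    return response[:3], xor(challenge + icv, response[3:])


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes):
    """Any later frame that reuses the same IV opens with the recovered keystream.
    Returns None if the IV differs or the ICV does not verify (no key needed otherwise)."""
    if frame[:3] != iv:
        return None
    clear = xor(frame[3:], keystream)
    data, icv = clear[:-4], clear[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def iv_exhaustion_hours(packets_per_second: float) -> float:
    """A 24-bit IV gives 2**24 values; at ~1000 frames/s every IV has been used in under 5 hours."""
    return 2 ** 24 / packets_per_second / 3600
```

Per-packet keying (TKIP) and the 48-bit IV in WPA exist precisely so that no two frames share a keystream, which is what breaks both recoveries above.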
TKIP/MIC to the rescue
• Fixes key reuse in WEP
• Same encryption as WEP (RC4)
• TKIP – Temporal Key Integrity Protocol
  • Protects IV by removing predictability
• Broadcast WEP key rotation is a good alternative if you can’t support TKIP
TKIP/MIC overview (continued)
• MIC – Message Integrity Code
  • Protects against bit-flip attacks by adding a tamper-proof hash to messages
  • Must be implemented on clients & AP
  • Hash of random number + MAC header + sequence number + payload
  • Sequence number must be in order or packet rejected
  • Part of firmware, not O/S
• TKIP steps
  • Start with shared key
  • Add MAC address to get phase 1 key
  • Mix WEP key with IV to derive per-packet keys
  • Each packet encrypted separately, fights weaknesses in RC4 key scheduling algorithm
WiFi Protected Access (WPA)
• Developed to replace WEP, improve authC
• Software upgrade to existing hardware
• Forward-compatible with 802.11i
• Encryption key management: TKIP
  • Doubled IV to 48 bits
    • Better protection from replay & IV collision attacks
  • Per-packet keying (PPK)
    • Protects against key-recovery attacks (AirSnort)
  • Broadcast key rotation
WPA (continued)
• Message integrity: Michael
  • Protects against forgery attacks
• Authentication:
  • 802.1x and EAP
  • Mutual authentication
    • So you don’t join rogue networks and give up your credentials
WPA deployment modes
• Enterprise
  • w/RADIUS for authC
• Home or SOHO
  • Aka “Pre-Shared Keys (PSK)” mode
  • User enters master key on each computer
  • Master key kicks off TKIP & key rotation
• Mixed-mode
  • Operates in WEP-only if any non-WPA clients
EAP types
• Cisco LEAP
  • Username/password authC
  • Per-user, per-session encryption keys w/WEP
  • Vulnerable to password/hash-based attacks
• EAP-TLS
  • Mutual authC based on X.509 certs
  • 802.11i default
• EAP-TTLS / PEAP
  • Tunneled TLS
  • Doesn’t require client certs
• EAP-GTC
  • AuthC via one-time passwords
• EAP-FAST
  • Client & server have same key (symmetric), establishes secure tunnel
  • Authentication happens over secure tunnel
  • Like VPN authentication today
LEAP
• Centralized authentication messaging to RADIUS
• Cisco proprietary
  • Spec available only under NDA
  • Implemented by other vendors via CCX
• Features
  • Uses modified MS-CHAPv2 challenge/response in clear
  • Mutual authentication
    • Mitigates MITM attacks
  • Rotates WEP keys
  • Prevents use of weak IVs from AP
LEAP weaknesses
• Weaknesses
  • No salt in stored NT hashes (dictionary attacks)
  • Weak DES key for challenge/response (gives 2 bytes of NT hash)
  • Username is clear-text
• Asleap
  • Takes pcap file
  • Offline attack to crack password
• Defense: strong passwords
EAP mechanisms (chart plotting each EAP type by ease of use against security): EAP-OPEN, EAP-FAST, LEAP, PEAP, EAP-MD5, EAP-TTLS, EAP-TLS. For display purposes only. Cisco IT recommends you undertake your own formal security requirements analysis.
EAP-FAST authentication overview (enterprise network; diagram of supplicant, AP and RADIUS server)
• Supplicant -> AP: EAPOL Start (starts EAP authentication)
• AP -> supplicant: EAP-Request/Identity (ask client for identity)
• Supplicant -> AP: EAP-Response/Identity (EAP-ID)
• AP -> RADIUS server: RADIUS Access Request with EAP-ID
• Supplicant <-> RADIUS server: secure tunnel (via TLS & PAC); perform sequence defined by EAP-FAST, including client-side authentication
• RADIUS server -> AP: RADIUS Access Accept (pass PMK to AP)
• AP -> supplicant: EAP success; client derives PMK
• WPA key management, then protected data transfer
Threats and Best Practices
• WLAN threats
• Best practices
WLAN Threats
• Threats
  • Malicious hacking attempts
  • Rogue access points
  • Denial-of-Service (DoS)
  • Mobile devices
• Hacking attempts
  • War driving/walking/flying
  • Disgruntled employee
  • Industrial espionage
  • Electronic warfare
Hacking methods
• Traffic generation
  • Flood network w/captured traffic to break WEP more quickly
  • Break 40-bit WEP in 1 hour (in lab)
  • Defense: filter weak IVs in AP
• Man-in-the-middle
  • Can be used w/one-way authentication (open, shared, 802.1x)
  • Must know WEP key if WEP-protected
  • Requires signal that overpowers AP’s signal
  • Tool: hostap (advertises wireless client as host AP)
  • Can be used to collect credentials or deny service
  • Tools: Monkey-jack, AirJack
Hacking methods (continued)
• Get MAC addresses to figure out default settings
  • Web sites give defaults
    • MAC addresses
    • DHCP address ranges
    • Admin passwords/settings
• Some sites post WEP keys
  • Universities, especially
Rogue Access Points
• Probably the most serious security threat to your network
• No such thing as a “non-wireless company”
• Mitigate by
  • (1) Strong and documented WLAN security policy
  • (2) Detection
    • Radio based, client based & network based
  • (3) Provide “approved” WLAN services
    • No longer any need for rogue deployments
Cisco IT Rogue AP detection
• Via “wired” scanning
  • Regular full scan
  • Tool similar to “APTools”
  • Device fingerprinting
  • Includes remote networks (home)
• Via “wireless” scanning
  • AP or client
  • Through WLSE
Denial of Service
• Can be malicious or “accidental”
• Example: send de-authenticate frames using MAC of AP
• Mitigated by:
  • IT becomes “regulator” for air-space
  • Careful radio management (WLSE)
  • Prudent AP configuration (EMAN)
  • Monitor the airwaves (WLSE)
  • Stable authentication back-end
Wireless LAN Security: Recommended Best Practices
• Implement secure management policy for APs/bridges
  • Disable Telnet, disable HTTP access, disable CDP, enable SSH, and enable TACACS for admin authentication
• Publicly Secure Packet Forwarding: no inter-client communication on specific VLANs
• Virus scanning + firewall recommended on WLAN clients
• RF monitoring and rogue AP detection
  • Radio, client & network based scanning
  • Wireless IDS (WLSE 2.7)
• Select appropriate EAP mechanism
Detecting scans & attacks
• Can detect active scanning tools
  • NetStumbler leaves well-known fingerprints in logs
• MAC spoofing
  • FakeAP – detect short time between broadcasts w/sniffer
• WEP reinjection
  • FCS has consistent value (would change if it were true data traffic)
• IDS
  • Snort-wireless
    • Snort plug-ins detect rogue APs & active scanning
  • Kismet detects active scanning, M-I-M attacks
  • WIDZ detects attacks & rogue APs
  • AirDefense detects attacks & rogue APs (commercial)
  • AirMagnet w/distributed sensors
  • Cisco SWAN deploys sensors into APs
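The three signatures above (a de-authenticate flood spoofing the AP’s MAC from the DoS slide, FakeAP’s unnaturally short gap between beacons, and WEP reinjection where the FCS never changes) can each be reduced to a count over a capture summary. The detector below is an added example, not a tool from the slides or from Cisco; the frame records are constructed, the per-second thresholds are assumptions a deployment would tune, and a real sniffer would feed it (time, type, source, BSSID, IV|FCS) tuples parsed from the capture.

```python
from collections import Counter, defaultdict

# Constructed capture summary (not a real trace): (t_seconds, frame_type, src_mac, bssid, iv_fcs).
# iv_fcs is "IV|FCS" of a WEP data frame and empty for management frames.
REAL_AP = "00:11:22:33:44:55"
SAMPLE = (
    # one legitimate AP beaconing every 102.4 ms
    [(i * 0.1024, "beacon", REAL_AP, REAL_AP, "") for i in range(20)]
    # FakeAP-style burst: 30 different BSSIDs beaconing 2 ms apart
    + [(1.0 + i * 0.002, "beacon", f"02:00:00:00:00:{i:02x}", f"02:00:00:00:00:{i:02x}", "") for i in range(30)]
    # deauth flood using the real AP's MAC as source (the DoS example on the slides)
    + [(2.0 + i * 0.01, "deauth", REAL_AP, REAL_AP, "") for i in range(60)]
    # one WEP data frame replayed 200 times: same IV and same FCS every time
    + [(3.0 + i * 0.005, "data", "aa:bb:cc:dd:ee:01", REAL_AP, "0a1b2c|deadbeef") for i in range(200)]
    # normal WEP data: IV and FCS change from frame to frame
    + [(4.0 + i * 0.5, "data", "aa:bb:cc:dd:ee:02", REAL_AP, f"{i:06x}|{i * 7919:08x}") for i in range(10)]
)


def detect_deauth_flood(records, max_per_second=10):
    """Flag (src, second, count) when one source sends more deauths per second than a real AP would."""
    per_sec = Counter((src, int(t)) for t, kind, src, _, _ in records if kind == "deauth")
    return sorted((src, sec, n) for (src, sec), n in per_sec.items() if n > max_per_second)


def detect_fake_ap(records, max_bssids_per_second=20):
    """Flag (second, distinct BSSIDs) when beacons arrive from an implausible number of BSSIDs."""
    seen = defaultdict(set)
    for t, kind, _, bssid, _ in records:
        if kind == "beacon":
            seen[int(t)].add(bssid)
    return sorted((sec, len(b)) for sec, b in seen.items() if len(b) > max_bssids_per_second)


def detect_wep_reinjection(records, min_repeats=20):
    """Flag (src, iv_fcs, count): a frame whose IV and FCS never change is being replayed,
    since genuine traffic produces a different FCS on each frame."""
    repeats = Counter((src, ivf) for _, kind, src, _, ivf in records if kind == "data" and ivf)
    return sorted((src, ivf, n) for (src, ivf), n in repeats.items() if n >= min_repeats)


def run_all(records=SAMPLE):
    return {"deauth_flood": detect_deauth_flood(records),
            "fake_ap": detect_fake_ap(records),
            "wep_reinjection": detect_wep_reinjection(records)}
```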
Demo of tools
• Notes
  • Require setting “monitor mode” on card
    • Drivers hard to find for this
    • Linux-built drivers free; Windows drivers custom from other sites, expensive
• Monitoring tools
  • Kismet
  • AirSnort
• Spoofing tools
  • FakeAP