1 / 25

Security for (Wireless) LANs

Security for (Wireless) LANs. Klaas.Wierenga@SURFnet.nl 802.1X workshop 30 & 31 March 2004 Amsterdam. Program Workshop. Security for (W)LANs – Klaas Wierenga 802.1X client side – Tom Rixom Coffee 802.1X server side – Paul Dekkers Lunch Hands-on. TOC. Background Threats Requirements

arkadiy
Download Presentation

Security for (Wireless) LANs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security for (Wireless) LANs Klaas.Wierenga@SURFnet.nl 802.1X workshop 30 & 31 March 2004 Amsterdam

  2. Program Workshop • Security for (W)LANs – Klaas Wierenga • 802.1X client side – Tom Rixom • Coffee • 802.1X server side – Paul Dekkers • Lunch • Hands-on

  3. TOC • Background • Threats • Requirements • Solutions for today • Solutions for tomorrow • Conclusion

  4. Background International connectivity Institution A WLAN Access Provider WLAN Institution B SURFnet backbone Access Provider GPRS WLAN Access Provider POTS Access Provider ADSL

  5. Threats • Mac-address and SSID discovery • TCPdump • Ethereal • WEP cracking • Kismet • Airsnort • Man-in-the-middle attacks

  6. Example: Kismet+Airsnort root@ibook:~# tcpdump -n -i eth1 19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request 19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply 19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request 19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply 19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request 19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply ^C

  7. Requirements • Identify users uniquely at the edge of the network • No session hijacking • Allow for guest usage • Scalable • Local user administration and authN! • Using existing RADIUS infrastructure • Easy to install and use • Open • Support for all common OSes • Vendor independent • Secure • After proper AuthN open connectivity

  8. Solutions for today • Open access • MAC-address • WEP European NRENs: • Web-gateway • PPPoE • VPN-gateway • 802.1X

  9. Open network • Open ethernet connectivity, IP-address via DHCP • No client software (DHCP ubiquitous) • No access control • Network is open (sniffing easy, every client and server on LAN is available)

  10. Open network + MAC authentication • Same as open, but MAC-address is verified • No client software • Administrative burden of MAC address tables • MAC addresses easy spoofable • Guest usage hard (impossible)

  11. WEP • Layer 2 encryption between Client en Access Point • Client must know (static) WEP-key • Administrative burden on WEP-key change • Some WEP-keys are easy to crack (some less easy) • Not secure

  12. Open network + web gateway • Open (limited) network, gateway between (W)LAN and de rest of the network intercepts all traffic (session intercept) • Can use a RADIUS backend • Guest use easy • Browser necessary • Hard to make secure

  13. AAA Server Public Access Controller Internet 4. 3. 5. 1. Public Access Network 2. WWW-browser Example: FUNET

  14. Open netwerk + VPN Gateway • Open (limited) network, client must authenticate on a VPN-concentrator to get to rest of the network • Client software needed • Proprietary (unless IPsec or PPPoE) • Hard to scale • VPN-concentrators are expensive • Guest use hard (sometimes VPN in VPN) • All traffic encrypted

  15. Example: SWITCH and Uni Bremen

  16. IEEE 802.1X • True port based access solution (Layer 2) between client and AP/switch • Several available authentication-mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP) • Standardised • Also encrypts all data, using dynamic keys • RADIUS back end: • Scaleable • Re-use existing Trust relationships • Easy integration with dynamic VLAN assignment • Client software necessary (OS-built in or third-party) • Both for wireless AND wired

  17. f.i. LDAP EAP over RADIUS EAPOL How does 802.1X work (in combination with 802.1Q)? Supplicant Authenticator (AP or switch) RADIUS server Institution A User DB jan@student.institution_a.nl Internet Guest VLAN Employee VLAN Student VLAN signalling data

  18. Through the protocol stack Supplicant (laptop, desktop) Authenticator (AccessPoint, Switch) Auth. Server (RADIUS server) EAP 802.1X RADIUS (TCP/IP) EAPOL Ethernet Ethernet

  19. Topic EAP MD5 LEAP EAP TLS PEAP EAP TTLS Security Solution Standards-based Proprietary Standards-based Standards-based Standards-based Certificates – Client No n/a Yes No No Certificates – Server No n/a Yes Yes Yes Credential Security None Weak Strong Strong Strong Supported Authentication Databases Requires clear-text database Active Directory,NT Domains Active Directory, LDAP etc. Active Directory, NT Domain, Token Systems, SQL, LDAP etc. Active Directory, LDAP, SQL, plain password files, Token Systems etc. Dynamic Key Exchange No Yes Yes Yes Yes Mutual Authentication No Yes Yes Yes Yes EAP-types

  20. Available supplicants • Win98, ME: FUNK, Meetinghouse • Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2) • MacOS: Meetinghouse • Linux: Meetinghouse, Open1X • BSD: under development • PocketPC: Meetinghouse, MS (+SecureW2) • Palm: Meetinghouse

  21. Example: SURFnet Supplicant Authenticator (AP or switch) RADIUS server Institution A RADIUS server Institution B User DB User DB Guest piet@institution_b.nl Internet Guest VLAN Employee VLAN Central RADIUS Proxy server Student VLAN signalling data

  22. FUNET SURFnet (DFN) CARnet Radius proxy hierarchy • Participation guidelines are being drafted • Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join. University of Southampton FCCN RADIUS Proxy servers connecting to a European level RADIUS proxy server

  23. Solutions for tomorrow • 802.11a|b|g • 802.16 (WiMax), 802.20 • IPv6 • MobileIPv6 • WPA (pre standard 802.11i, TKIP) • 802.11i: 802.1x + TKIP+ AES

  24. Conclusion • You can make it safe • One size doesn’t fit all (yet?) • There is convergence in Europe • 802.1X is the future proof solution • It’s all about scalability, i.e. size does matter

  25. More information • SURFnet and 802.1X • http://www.surfnet.nl/innovatie/wlan • TERENA TF-Mobility • http://www.terena.nl/mobility • The unofficial IEEE802.11 security page • http://www.drizzle.com/~aboba/IEEE/

More Related