
Effective Wireless Security – Technology and Policy

CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge.


Presentation Transcript


  1. Effective Wireless Security – Technology and Policy. CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge

  2. AGENDA Some attacks to WLANs Authentication Protocols Encryption Protocols Rogue AP problem Case Studies

  3. 802.11 Passive Monitoring
     [Diagram: Station and Access Point exchange "Username: dziminski, Password: cleartext"; Attacker: passive monitoring captures data.]

  4. 802.11 DOS Attack
     [Diagram: Attacker spoofs an 802.11 Disassociate frame; the connection between Station and Access Point is broken (X).]

  5. 802.11 Man in the Middle Attack
     • Attacker broadcasts spoofed AP SSID and MAC Address
     • Station unknowingly connects to attacker
     • MIM attacks can always be established
     • But if strong authentication and encryption are used, attacker will be nothing more than a bridge.
     [Diagram: Station, Attacker and Access Point, labelled with the station MAC address and the AP MAC address.]

  6. Authentication and Encryption Standards
     [Diagram labels: Credentials: Certificate, Username/Password. Authentication Protocols: TLS, PEAP, EAP, 802.1x (sources labelled MSFT, IETF, CSCO/MSFT, IETF). Encryption Algorithms: RC4, RC4, AES. Encryption Standards: WEP, WPA-TKIP, 802.11i.]

  7. 802.1x Authentication
     [Diagram: Station (Supplicant), Access Point (Authenticator), RADIUS Server (Authorizer).]

  8. 802.1x EAP-TLS Authentication
     [Diagram: Station (Supplicant) with client digital cert from XYZ CA; Access Point (Authenticator); RADIUS Server (Authorizer) with server digital cert from XYZ CA.]

  9. 802.1x PEAP authentication
     Phase 1: Authenticate AP. Secure tunnel to AP using TLS (digital cert from XYZ CA).
     Phase 2: Password authentication with directory server (Username: Dan, Password: encrypted). Success/Fail.
     [Diagram: Station (Supplicant), Access Point (Authenticator), RADIUS Server (Authorizer), Directory Server.]

  10. VPN Authentication and Encryption
      [Diagram: Station, Access Point, VPN Gateway, LAN; IPSEC VPN tunnel.]

  11. Web Authentication
      [Diagram: Station, Access Point, web auth security device, LAN, backend RADIUS server; HTTPS login page.]

  12. Which Authentication to Choose?

  13. WEP Encryption
      [Diagram: frame layout IV | Payload | CRC-32. The 24-bit IV is sent in clear text; CRC-32 is the integrity check; encrypted with a 40- or 104-bit key using the RC4 algorithm.]
      • WEP has several problems
      • IV is too small. At 10,000 packets per second IV repeats in 5 hours.
      • There are several “weak keys”. Those are especially vulnerable.
      • No key update mechanism built in.
      • Message replay attacks. DOS.

  14. Wi-Fi Protected Access (WPA) TKIP-encryption
      • Wi-Fi Protected Access is an interim standard created by the Wi-Fi Alliance (group of manufacturers).
      • WPA-TKIP fixes problems with WEP.
      • IV changes to 48 bits with no weak keys. 900 years to repeat an IV at 10k packets/sec.
      • Use IV as a replay counter.
      • Message integrity.
      • Per-packet keying.
      • Supported on many wireless cards and on Windows XP (after applying 2 hot fixes).
      • Uses 802.1x for key distribution.
      • Can also use static keys.

  15. TKIP – Per Packet Keying
      • Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm.
      [Diagram labels: 48-bit IV split into a 32-bit upper IV and a 16-bit lower IV; two key-mixing stages with the MAC address and session key; output of 128 bits = 24 bits (IV, d, IV) + 104 bits (per-packet key).]

  16. 802.11i AES-encryption
      • Ratified by the IETF in June of 04.
      • Uses the AES algorithm for encryption and 802.1x for key distribution.
      • Backwards compatible with TKIP to support WPA clients.
      • 802.11i not in many products yet.

  17. Which Encryption to Choose?

  18. Newbury Networks
      • 3-hour “war driving” DNC in Boston
      • A total of 3,683 unique Wi-Fi devices
      • An average of 1 wireless network card every 2 minutes
      • Nearly 3,000 of the total Wi-Fi devices were discovered in Boston's Back Bay

  19. 3-hour “war driving” DNC in Boston
      • 65% of the wireless networks detected had no encryption
      • 457 unique wireless access points, the majority of which were unsecured

  20. DefCon X Hacker Convention-2002
      • 2-hour monitoring Wireless LAN
      • Identified 8 sanctioned access points
      • 35 rogue access points, and more than
      • 800 different station addresses

  21. DefCon X Hacker Convention-2002
      • 200 to 300 of the station addresses were fakes
      • 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours
      • 490 were wireless probes from tools such as Netstumbler and Kismet

  22. DefCon X Hacker Convention-2002
      • 100 were varying forms of Denial-of-Service attacks that either
        • jammed the airwaves with noise to shut down an access point
        • targeted specific stations by continually disconnecting them from an access point or
        • forced stations to route their traffic through other stations

  23. DefCon X Hacker Convention-2002
      • 27 attacks came from out-of-specification management frames where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network
      • 190 were identity thefts, such as when MAC addresses and SSIDs

  24. Case Studies-University
      • University
      • fosters an open, sharing environment
      • “…allow all, deny some…” as far as access goes.
      • large area
      • large user population
      • knowledgeable support group and a wide spectrum of knowledge in the user base

  25. Case Studies-Financial Institution
      • restricted access
      • limited number of authorized users
      • Technical staff with control of user hardware
      • geographically dispersed locations

  26. Case Study: Global Bank (alias)
      • In process of deploying enterprise WLAN.
      • Using 802.1x EAP-TLS with client web certificate for authentication.
      • Tested PEAP, but failed auth attempts would lock out the user's Active Directory account.
      • Had a small VPN pilot but found it didn’t scale.
      • Originally started testing WPA-TKIP but too many interoperability problems with cards and APs.
      • Switched to WEP with keys rotating every 30 minutes using 802.1x. They feel that this is secure enough.
      • Monitor for rogue APs. Any rogue that is detected by 3+ APs is investigated and removed if on LAN.

  27. Case Studies: home networks
      • small number of users
      • with no expectation of heavy volume
      • Limited technological expertise

  28. Q and A
      • You Ask
      • We Answer
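The WEP frame layout on slide 13 (clear-text 24-bit IV, then payload and CRC-32 encrypted with RC4) can be made concrete with the added example below, which is not part of the original presentation. It is simplified (the key-ID byte of a real WEP frame is omitted), the key and payloads are constructed, and `reused_ivs` is a hypothetical helper showing why a repeated IV matters: both frames were encrypted with the same keystream.

```python
import zlib
from collections import defaultdict

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encapsulate(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Clear-text 24-bit IV, then RC4(IV || key) over payload || CRC-32."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("need a 24-bit IV and a 40- or 104-bit key")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decapsulate(frame: bytes, key: bytes) -> bytes:
    """Decrypt with the IV read from the frame and verify the CRC-32."""
    body = xor(frame[3:], rc4(frame[:3] + key, len(frame) - 3))
    if zlib.crc32(body[:-4]).to_bytes(4, "little") != body[-4:]:
        raise ValueError("integrity check failed")
    return body[:-4]

def reused_ivs(frames):
    """Group captured frames by IV; return only IVs seen more than once."""
    by_iv = defaultdict(list)
    for frame in frames:
        by_iv[frame[:3]].append(frame)
    return {iv: fs for iv, fs in by_iv.items() if len(fs) > 1}

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")         # constructed 40-bit key
    p1, p2 = b"GET /index.html", b"password=secret"   # constructed payloads
    capture = [wep_encapsulate(b"\x00\x00\x01", key, p1),
               wep_encapsulate(b"\x00\x00\x02", key, b"other frame"),
               wep_encapsulate(b"\x00\x00\x01", key, p2)]  # IV repeats
    a, b = reused_ivs(capture)[b"\x00\x00\x01"]
    print(xor(a[3:], b[3:])[:len(p1)] == xor(p1, p2))  # keystream cancels
```

Because the IV travels in clear text, anyone monitoring the air can group frames this way without knowing the key, which is why the 48-bit IV and per-packet keying on slides 14 and 15 matter.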
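The rogue AP rule from the Global Bank case study on slide 26 (investigate any rogue detected by 3+ APs) can be written as detection logic over sensor reports. This is an added example, not code from the presentation; the inventory, sensor names, MAC addresses and SSIDs are constructed, and `triage_rogues` is a hypothetical helper.

```python
from collections import defaultdict

# Constructed inventory and sensor reports (not data from the presentation).
SANCTIONED = {"02:00:00:00:00:01": "corp-wlan",
              "02:00:00:00:00:02": "corp-wlan"}
SIGHTINGS = [  # (reporting AP, observed BSSID, observed SSID)
    ("ap-1", "02:00:00:00:00:02", "corp-wlan"),   # sanctioned neighbour
    ("ap-1", "02:00:00:00:0B:AD", "corp-wlan"),
    ("ap-2", "02:00:00:00:0b:ad", "corp-wlan"),
    ("ap-3", "02:00:00:00:0b:ad", "corp-wlan"),
    ("ap-3", "02:00:00:00:0b:ad", "corp-wlan"),   # repeat report, same sensor
    ("ap-2", "02:00:00:00:0c:af", "coffee-shop"),
    ("ap-4", "02:00:00:00:0c:af", "coffee-shop"),
]

def triage_rogues(sightings, sanctioned, min_sensors=3):
    """Return one record per unsanctioned BSSID, most widely seen first."""
    known = {b.lower() for b in sanctioned}
    our_ssids = set(sanctioned.values())
    seen = defaultdict(lambda: {"sensors": set(), "ssids": set()})
    for sensor, bssid, ssid in sightings:
        bssid = bssid.lower()                 # normalise MAC notation
        if bssid in known:
            continue
        seen[bssid]["sensors"].add(sensor)    # distinct sensors, not reports
        seen[bssid]["ssids"].add(ssid)
    records = [{"bssid": b,
                "sensors": sorted(v["sensors"]),
                "investigate": len(v["sensors"]) >= min_sensors,
                "advertises_our_ssid": bool(v["ssids"] & our_ssids)}
               for b, v in seen.items()]
    return sorted(records, key=lambda r: (-len(r["sensors"]), r["bssid"]))

if __name__ == "__main__":
    for rec in triage_rogues(SIGHTINGS, SANCTIONED):
        print(rec)
```

A BSSID allow-list like this does not catch the case on slide 5 where the attacker also spoofs a sanctioned AP's MAC address, and the "removed if on LAN" decision needs wired-side data that is not modelled here.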
