1 / 22

Six Strategies to Secure Wireless LANs

Six Strategies to Secure Wireless LANs. Joel Snyder, PhD Senior Partner Opus One. It’s not as insecure as some folks want you to believe… You can’t “break into” a wireless LAN in 15 minutes It’s not trivial to “break into” wireless networks

palma
Download Presentation

Six Strategies to Secure Wireless LANs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Six Strategies to Secure Wireless LANs Joel Snyder, PhD Senior Partner Opus One

  2. It’s not as insecure as some folks want you to believe… You can’t “break into” a wireless LAN in 15 minutes It’s not trivial to “break into” wireless networks Adolescents are not decoding your wireless transmissions at 30 miles per hour On the other hand… Compared to other networking we do, wireless has the least inherent security Denial-of-Service is a real danger from intentional and unintentional sources You will have to work harder with wireless networks to gain the same level of security you get in other environments I’m not here to spread FUD about WLAN Security

  3. The SSID is not a security feature and hiding it won’t do you any good. (but it will bother everyone who tries to use your LAN) The 6 pages of security in 802.11 don’t help much

  4. No standardized security proposal for 802.11 does anything about the poor state of management Denial of Service attacks are unstoppable … and the microwave oven in your break room really does act as an effective tool for shutting down local access.

  5. Wired Equivalent Privacy is the Built-in Option • Designed to provide security equivalent to a wired network • Uses shared WEP key of 40 bits • Nonstandard, but common, extension uses 104 bits • Uses an initialization vector (IV) of 24 bits—client changes this every packet and is included in the packet in the clear • Combined IV+WEP key gives a key size of 64 or 128 bits • Packet includes a integrity check value (ICV)—basically a CRC check • Provides encryption but no user or per-packet authentication

  6. How does WEP work? Key ID bits Serves as integrity check IV Payload CRC-32 RC4 encrypted Access Point Shared key used by everyone The World

  7. Known WEP Vulnerabilities • 40-bit WEP key • Weak IVs • IV Replay • Known packet attack • Known packet start attack • Bit Flipping attack • Management

  8. WEP keys are generally static. WEP keys are shared among lots of users. WEP keys are passed around and are hard to change. This is roughly the same as giving everyone in the company the same password and then refusing to let anyone change it! The worst WEP vulnerability:Management!

  9. Firewall-style AAA is a strategy for controlling access Access Point The World Access Point Corporate Network

  10. Firewall-style AAA is popular with folks who do not understand the security exposure • A wide variety of vendors are bringing products to market based on solving the problem without doing the hard work • Vernier • Perfigo • Reefedge • You can use this technique and maintain security • If you’re willing to play with the access points • Say “hello” to Airespace, Aruba, etc.

  11. Sometimes you’ll take this tack if you define “security” differently Plausible deniability in an academic setting Sometimes firewall-style is a useful adjunct for keeping the casual user off your wireless LAN Firewall-style AAA is popular with folks who do not understand the security exposure, II

  12. 802.1X gives link layer authentication EAP over RADIUS Supplicant EAP over WirelessEAP over LAN Authentication Server (e.g., RADIUS server) Authenticators Supplicant The World

  13. 802.1X has special support for wireless communications • When properly used with a TLS-based authentication mechanism, you get per-user/per-session WEP keys • TLS (certificates for user and authentication server) • TTLS or PEAP (certificates for authentication server; legacy authentication for users) Our good friends Microsoft and Cisco are doing a great deal of harm here… Source: B. Aboba

  14. Association Access blocked EAPOW-Start EAP-Request/Identity Radius-Access-Request EAP-Response/Identity EAP-Response/Identity Radius-Access-Challenge EAP-Request/TTLS-Start EAP-Request/TTLS-Start Radius-Access-Request EAP-Response/TLS-Client-Hello EAP-Request Radius-Access-Challenge EAP-Response/TLS-Client-Hello EAP-RequestTLS-Server-HelloTLS-Server-Certificate TLS-Server-HelloTLS-Server-Certificate RADIUS server 802.11 access point & 802.1X Authenticator EAP-TTLS or PEAP Authentication(1 of 2) Supplicant EAPOW RADIUS Server is Authenticated

  15. EAP-Response Radius-Access-Request EAP-Response TLS-Record[User Auth] TLS-Key-ExchangeTLS-Change-Cipher EAP-ResponseTLS-Key-Exchange, Cipher Radius-Access-Challenge EAP-Success EAP-Request/TLS-Change-Cipher Radius-Access-Request Radius-Access-Accept EAP-Request EAP-Key EAP-Response/TLS-Record[User Authentication] TLS-Change-Cipher EAP-SuccessMS-MPPE-Recv-Key Supplicant 802.11 access point & 802.1X Authenticator RADIUS server EAP-TTLS or PEAP (2 of 2) Encrypted Tunnel is Established WEP enabled

  16. 802.11i: Robust Security • IEEE developing 802.11 supplement “Specification for Robust Security” in Task Group I (802.11i) • Improved security with deployed hardware • Complete “robust” security: whole new model • Estimated approval date: 2004 • Wi-Fi Protected Access provides an intermediate standard

  17. 802.11i represents IEEE “fixing” of 802.11 security • Temporal Key Integrity Protocol (TKIP) • Enhances WEP to provide a per-packet re-keying mechanism • Adds a Message Integrity Check (MIC) field to packet to stop packet tampering—also adds break-in evasion features in the MIC • Needs 802.1X to provide base key change mechanism • Advanced Encryption Standard (AES) • Replaces RC4 in WEP • Encryption of management frames Wi-Fi Protected Access(WPA) calls for a subset of 802.11i

  18. Wi-Fi’s WPA • Wireless Ethernet Compatability Alliance (WECA), AKA Wi-Fi Alliance initially provided 802.11 interoperability certification • Board Members • Agere, Cisco, Dell, Intermec, Intel, Intersil, Microsoft, Nokia, Philips, Sony, Symbol, TI • Have provided an “interim standard” for 802.11 security: Wi-Fi Protected Acess (WPA) • Immediate interoperability without waiting for IEEE 802.11i • WPA 1.2 is portions of 802.11i, Draft 3.0 • Uses TKIP, but not AES-CCMP (or WRAP)

  19. IPsec gives serious security IP ESP IP Payload ESP-Auth Positive bi-directional authentication of user and gateway Per-packet encryption and authentication High re-key rate Selector-based firewall rules 3-DES encrypted SHA-1 authenticated IP in IPSEC The World

  20. So many choices, so little time... Solution Pros Cons Questionable security; changing keys difficult; other security flaws Need client (supplicant); need new RADIUS server Not a standard yet; need new hardware for AES Very compatible; easy to set up User authentication; per-session WEP key; useful in wired and wireless 802.1X + better encryption + per-packet authentication + DoS evasion WEP 802.1X 802.11i / WPA

  21. So many choices, so little time, II Solution Pros Cons Very weak security; easy to hijack, eavesdrop Need client software; deployment and updating hard Tunnel server can be easily overloaded; doesn’t work well for guest users Web authentication IPsec IPsec pass through Most compatible; ultra easy to use Strongest security model; use same model for wireless as Internet remote access Easy to integrate into existing network + VPN

  22. Thank you.Questions, comments?

More Related