
Wireless Security Primer

Wireless Security Primer. Martin G. Nystrom, CISSP-ISSAP, Security Architect, Cisco Systems, Inc. April 2005.


Presentation Transcript


  1. Wireless Security Primer
  Martin G. Nystrom, CISSP-ISSAP, Security Architect, Cisco Systems, Inc. April 2005

  2. About me
  • CISSP-ISSAP
  • Education
    • Master of Engineering – NC State University (2003)
    • Bachelor’s – Iowa State University (1990)
  • 3 years as Security Architect in Cisco’s InfoSec
    • Responsible for consulting with application teams to secure their architecture
    • Monitor for infrastructure vulnerabilities
    • Infrastructure security architect
  • Prior – 12 years developing application architectures
    • Cisco Systems
    • Sphinx Pharmaceuticals
    • Eli Lilly & Company

  3. Outline
  • Wireless intro & history
  • Wireless security overview
  • Standards & techniques
  • Threats and best practices

  4. Wireless intro & history
  © 2004 Cisco Systems, Inc. All rights reserved.

  5. Background & Overview
  • History
    • Developed for military use
    • Security widely noticed after Peter Shipley’s 2001 DefCon presentation on WarDriving
    • DHS labeled WiFi a terrorist threat, demanded regulation
  • Non Wi-Fi types
    • CDPD – 19.2 kbps analog
    • GPRS – 171.2 kbps digital
    • WAP – bandwidth-efficient content delivery
    • Ricochet – 176 kbps wireless broadband flop
    • Bluetooth – personal area networks, range limited only by transmit power
    • Blackberry – uses cellular & PCS networks, no authentication at console
  • IEEE 802 series standards
    • 802.11 – wireless LANs
    • 802.15 – wireless personal area networks (e.g., Bluetooth)
    • 802.16 – wireless broadband up to 155 Mbps, wireless ISPs

  6. Organizations
  • FCC – regulates ISM bands
    • ISM = Industrial, Scientific, and Medical
    • 900 MHz, 2.4 GHz, 5.8 GHz
    • Unlicensed bands
  • IEEE – develops wireless LAN standards
  • ETSI – IEEE for Europe
    • HiperLAN/2 similar to IEEE 802.11 standards
  • WECA (WiFi Alliance) – regulates WiFi labeling

  7. 802.11 standards
  • 802.11b – 11 Mbps at 2.4 GHz
    • Full speed up to 300 feet
    • Coverage up to 1750 feet
    • Cisco products: Aironet 340, 350, 1100, 1200
  • 802.11a – 54 Mbps at 5 GHz
    • Not interoperable with 802.11b
    • Limited distance
    • Dual-mode APs require 2 chipsets, look like two APs to clients
    • Cisco products: Aironet 1200
  • 802.11g – 54 Mbps at 2.4 GHz
    • Same range as 802.11b
    • Backward-compatible with 802.11b
    • Speeds slower in dual-mode
    • Cisco products: Aironet 1100, 1200

  8. 802.11 standards (cont.)
  • 802.11e – QoS
    • Dubbed “Wireless MultiMedia (WMM)” by WiFi Alliance
  • 802.11i – Security
    • Adds AES encryption
    • Requires high CPU, new chips required
    • TKIP is interim solution
  • 802.11n – 100 Mbps+ (in progress)
  • Wi-Fi Protected Access (WPA)
    • Subset of, forward-compatible with 802.11i (WPA2)
    • Encryption: RC4 w/TKIP
    • AuthC: 802.1x & EAP – allows auth via RADIUS or PSK

  9. Wireless security overview

  10. 802.11i – wireless security done right
  • FIPS-140 compliant
  • AES replaces RC4 w/TKIP
  • Dubbed “WPA2” by WiFi Alliance
  • Components
    • Robust Security Network (RSN) for establishing secure communications
      • Uses 802.1x for authentication
      • Replaces TKIP
    • Counter Mode with CBC-MAC Protocol (CCMP) for encryption
      • CCM mode of AES
      • 128-bit keys, 48-bit IV
      • CBC-MAC provides data integrity/authentication
      • CCMP mandatory with RSN
      • WRAP was initial selection, licensing rights/problems got in the way

  11. 802.11 security
  • Shared media – like a network hub
    • Requires data privacy – encryption
  • Over the air – cannot effectively restrict layer 2 access
    • Dealing with rogue clients
      • Can access network without physical presence in building
      • Requires authentication
      • Once you connect to wireless, you are an “insider” on the network
      • Take care to prevent DoS, attacks on other clients too
    • Dealing with rogue servers
      • Prevent clients from connecting to rogue servers
      • Disallow their participation on your network

  12. 802.11 security approaches
  • Closed network
    • SSID can be captured with passive monitoring
  • MAC filtering
    • MACs can be sniffed/spoofed
  • WEP
    • Can be cracked online/offline given enough traffic & time
    • Change keys frequently
      • Traffic can still be decrypted offline
  • Place APs on DMZ
    • Requires VPN access to get back into network
  • Use VPN
    • Doesn’t handle roaming
  • Authentication portal
    • Example: NoCat
    • More stuff to configure
  • WPA and/or EAP

  13. Authentication methods
  • Open systems authentication
  • Shared key authentication
  • EAP / 802.1x

  14. Open system authentication
  • Required by 802.11
  • Just requires SSID from client
  • Only identification required is MAC address of client
  • WEP key not verified, but device will drop packets it can’t decrypt

  15. Shared key authentication
  • Utilizes challenge/response
  • Requires & matches key
  • Steps
    • Client requests association to AP
    • AP issues challenge to client
    • Client responds with challenge encrypted by WEP key
    • AP decrypts the client’s response & verifies it
  • WEAK! Attacker sniffs plain-text AND cipher-text!

  16. 802.1x authentication
  • Encapsulates EAP traffic over LAN (aka EAPoL)
    • EAP: Standard for securely transporting authC data
    • Supports a variety of authentication methods
      • LEAP, EAP-TLS, etc.
  • Port-based – only access is to authentication server until authentication succeeds
    • Similar to what’s used on Ethernet switches
    • Originally designed for campus-wired networks
  • Requires little overhead by access point

  17. 802.1x authentication (cont.)
  • 3 entities
    • Supplicant (e.g., laptop w/wireless card)
    • Authenticator (e.g., access point)
    • Authentication server (e.g., RADIUS)
  • Keys
    • Unique session key for each client
      • New WEP key each time client reauthenticates
    • Broadcast key
      • Shared by all clients
      • Mixed with IV to generate session keys
      • Rotated (Broadcast Key Rotation – BKR) regularly to generate new key space

  18. 802.1x authentication (diagram; source: nwfusion.com)

  19. Wireless security standards

  20. Wired Equivalent Privacy (WEP)
  • Part of 802.11 specification
  • 64-bit key
    • Shared key – 40 bits
    • Initialization vector (IV) – 24 bits
  • Uses RC4 for encryption
  • Weaknesses/attacks
    • FMS key recovery attack – weak IVs
      • Filter weak IVs to mitigate
    • IV too short, gets reused after 5 hours
    • IP redirection, MITM attacks
    • Traffic injection attacks
    • Bit-flip attacks
  • WEP2 added, increases key length to 128 bits
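The 64-bit WEP construction on this slide (40-bit shared key, 24-bit IV sent in the clear, RC4 keystream over payload plus CRC-32 ICV) and the consequence of the short IV, worked through in Python. This is an added example, not code from the presentation or from Cisco: the key, IV and payload values are constructed, and the 1000 frames/second rate used for the exhaustion estimate is an assumption about a busy access point.

```python
import math
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling (KSA) followed by n bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """64-bit WEP: the per-packet RC4 key is IV (3 bytes) || shared key (5 bytes).
    The frame body carries the IV in the clear, then RC4(payload || CRC-32 ICV)."""
    assert len(shared_key) == 5 and len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(payload))
    data = payload + icv
    return iv + xor_bytes(data, rc4_keystream(iv + shared_key, len(data)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload if the ICV verifies, else None (the device drops
    packets it cannot decrypt, as slide 14 notes)."""
    iv, body = frame[:3], frame[3:]
    data = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    payload, icv = data[:-4], data[-4:]
    return payload if icv == struct.pack("<I", zlib.crc32(payload)) else None


def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV use the same RC4 keystream, so XORing the two
    ciphertexts cancels the keystream and yields p1 XOR p2 without the key.
    This is why a 24-bit IV that repeats defeats a stream cipher."""
    c1 = wep_encrypt(shared_key, iv, p1)[3:]
    c2 = wep_encrypt(shared_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n])


def frames_until_likely_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: number of randomly chosen IVs at which a repeat is ~50% likely."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(2))


def hours_until_iv_exhaustion(frames_per_second: float, iv_bits: int = 24) -> float:
    """A counter-based IV wraps after 2**iv_bits frames; at an assumed 1000 frames/s
    that is under 5 hours, in line with the slide's figure."""
    return (2 ** iv_bits) / frames_per_second / 3600


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit shared key
    iv = b"\x00\x00\x2a"            # constructed IV
    p1, p2 = b"GET /index.html", b"GET /login.html"
    print("roundtrip:", wep_decrypt(key, wep_encrypt(key, iv, p1)))
    print("p1^p2 recovered from ciphertexts alone:",
          keystream_reuse_leak(key, iv, p1, p2) == xor_bytes(p1, p2))
    print("frames to 50%% IV repeat: %.0f" % frames_until_likely_iv_repeat())
    print("hours to IV wrap at 1000 fps: %.1f" % hours_until_iv_exhaustion(1000))
```

The birthday figure (a few thousand frames) is the reason "change keys frequently" on slide 12 is not enough on its own: with random IVs a repeat is likely long before the 2^24 space is exhausted, and with sequential IVs every reboot restarts the counter at the same values.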

  21. TKIP/MIC to the rescue
  • Fixes key reuse in WEP
  • Same encryption as WEP (RC4)
  • TKIP – Temporal Key Integrity Protocol
    • Protects IV by removing predictability
  • Broadcast WEP key rotation is a good alternative if you can’t support TKIP

  22. TKIP/MIC overview (continued)
  • MIC – Message Integrity Code
    • Protects against bit-flip attacks by adding a tamper-proof hash to messages
    • Must be implemented on clients & AP
    • Hash of random number + MAC header + sequence number + payload
    • Sequence number must be in order or the packet is rejected
    • Part of firmware, not O/S
  • TKIP steps
    • Start with shared key
    • Add MAC address to get phase 1 key
    • Mix WEP key with IV to derive per-packet keys
    • Each packet encrypted separately, fights weaknesses in RC4 key scheduling algorithm

  23. TKIP per-packet keying (diagram)

  24. WiFi Protected Access (WPA)
  • Developed to replace WEP, improve authC
  • Software upgrade to existing hardware
  • Forward-compatible with 802.11i
  • Encryption key management: TKIP
    • Doubled IV to 48 bits
      • Better protection from replay & IV collision attacks
    • Per-packet keying (PPK)
      • Protects against key-recovery attacks (AirSnort)
    • Broadcast key rotation

  25. WPA (continued)
  • Message integrity: Michael
    • Protects against forgery attacks
  • Authentication:
    • 802.1x and EAP
    • Mutual authentication
      • So you don’t join rogue networks and give up your credentials
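The MIC on slide 22 and the "Michael" integrity code named here, as an added example that is not part of the presentation or of any Cisco code. It implements the Michael function from IEEE 802.11i (64-bit key, 64-bit tag) and, beside it, checks the affine property of CRC-32 that makes WEP's unkeyed ICV useless against the bit-flip attacks slide 20 lists. The keys and messages are constructed; which header fields TKIP feeds into Michael is left to the caller.

```python
import struct
import zlib

MASK32 = 0xFFFFFFFF


def rol32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & MASK32


def xswap(v: int) -> int:
    """Swap the two bytes within each 16-bit half of a 32-bit word."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def michael_block(l: int, r: int):
    """The Michael block function b(L, R) from IEEE 802.11i."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK32
    r ^= xswap(l)
    l = (l + r) & MASK32
    r ^= rol32(l, 3)
    l = (l + r) & MASK32
    r ^= ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_mic(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC over msg under a 64-bit key (K0 || K1, little-endian).
    The caller supplies the header fields and payload it wants authenticated."""
    assert len(key) == 8
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4..7 zero bytes so the total is a multiple of 4.
    zeros = 4 + (-(len(msg) + 1)) % 4
    padded = msg + b"\x5a" + b"\x00" * zeros
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length inputs, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).
    Because the relation holds for any a and b, a change to the data implies a
    predictable change to the CRC, so an unkeyed CRC cannot detect tampering."""
    assert len(a) == len(b)
    lhs = zlib.crc32(bytes(x ^ y for x, y in zip(a, b)))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))
    return lhs == rhs


def mic_detects_tamper(key: bytes, msg: bytes, flipped_byte: int) -> bool:
    """Flipping one bit of a MIC-protected message changes the keyed tag, so a
    receiver that recomputes Michael with the shared MIC key rejects the frame."""
    tampered = bytearray(msg)
    tampered[flipped_byte] ^= 0x01
    return michael_mic(key, msg) != michael_mic(key, bytes(tampered))


if __name__ == "__main__":
    mic_key = b"\x11\x22\x33\x44\x55\x66\x77\x88"   # constructed MIC key
    msdu = b"constructed MSDU payload"
    print("Michael(zero key, empty msg):", michael_mic(bytes(8), b"").hex())
    print("MIC changes on a 1-bit flip:", mic_detects_tamper(mic_key, msdu, 3))
    print("CRC-32 is affine:", crc32_is_affine(b"GET /index.html", b"GET /login.html"))
```

Michael is deliberately cheap (a few adds, rotates and XORs per word) so that it fits the firmware of existing cards, which is the "part of firmware, not O/S" point on slide 22; its security is correspondingly modest, which is why TKIP pairs it with the in-order sequence-number check and countermeasures, and why 802.11i's CCMP replaces it with CBC-MAC.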

  26. WEP vs. WPA vs. WPA2 (comparison table)

  27. WPA deployment modes
  • Enterprise
    • w/RADIUS for authC
  • Home or SOHO
    • Aka “Pre-Shared Keys (PSK)” mode
    • User enters master key on each computer
    • Master key kicks off TKIP & key rotation
  • Mixed-mode
    • Operates in WEP-only if any non-WPA clients

  28. EAP Types
  • Cisco LEAP – Username/password authC; per-user, per-session encryption keys w/WEP; vulnerable to password/hash-based attacks
  • EAP-TLS – Mutual authC based on X.509 certs; 802.11i default
  • EAP-TTLS / PEAP – Tunneled TLS; doesn’t require client certs
  • EAP-GTC – AuthC via one-time passwords
  • EAP-FAST – Client & server have same key (symmetric), establishes secure tunnel; authentication happens over secure tunnel; like VPN authentication today

  29. LEAP
  • Centralized authentication messaging to RADIUS
  • Cisco proprietary
    • Spec available only under NDA
    • Implemented by other vendors via CCX
  • Features
    • Uses modified MS-CHAPv2 challenge/response in clear
    • Mutual authentication
      • Mitigates MITM attacks
    • Rotates WEP keys
    • Prevents use of weak IVs from AP

  30. LEAP weaknesses
  • Weaknesses
    • No salt in stored NT hashes (dictionary attacks)
    • Weak DES key for challenge/response (gives 2 bytes of NT hash)
    • Username is clear-text
  • Asleap
    • Takes pcap file
    • Offline attack to crack password
  • Defense: Strong passwords

  31. EAP mechanisms (chart plotting EAP-OPEN, EAP-MD5, LEAP, EAP-TTLS, EAP-FAST, PEAP and EAP-TLS on axes of ease of use versus security)
  For display purposes only. Cisco IT recommends you undertake your own formal security requirements analysis.

  32. Enterprise Network EAP-FAST Authentication Overview (sequence diagram: Supplicant, AP, RADIUS server)
  • Supplicant → AP: EAPOL Start
  • AP: Start EAP authentication; ask client for identity (EAP-Request/Identity)
  • Supplicant → AP: EAP-Response/Identity (EAP-ID)
  • AP → RADIUS server: RADIUS Access Request with EAP-ID
  • Secure tunnel (via TLS & PAC): perform sequence defined by EAP-FAST; client-side authentication
  • RADIUS server → AP: RADIUS Access Accept (pass PMK to AP); client derives PMK
  • AP → Supplicant: EAP success
  • WPA key management
  • Protected data transfer

  33. Threats and Best Practices
  • WLAN Threats
  • Best Practices

  34. WLAN Threats
  • Threats
    • Malicious hacking attempts
    • Rogue Access Points
    • Denial-of-Service (DoS)
    • Mobile devices
  • Hacking attempts
    • War driving/walking/flying
    • Disgruntled employee
    • Industrial espionage
    • Electronic warfare

  35. Hacking methods
  • Traffic generation
    • Flood network w/captured traffic to break WEP more quickly
    • Break 40-bit WEP in 1 hour (in lab)
    • Defense: Filter weak IVs in AP
  • Man-in-the-middle
    • Can be used w/one-way authentication (open, shared, 802.1x)
    • Must know WEP key if WEP-protected
    • Requires signal that overpowers AP’s signal
    • Tool: hostap (advertises wireless client as host AP)
    • Can be used to collect credentials or deny service
    • Tools: Monkey-jack, AirJack

  36. Hacking methods (continued)
  • Get MAC addresses to figure out default settings
    • Web sites give defaults
      • MAC addresses
      • DHCP address ranges
      • Admin passwords/settings
  • Some sites post WEP keys
    • Universities, especially

  37. Rogue Access Points
  • Probably the most serious security threat to your network
  • No such thing as a “non-wireless company”
  • Mitigate by
    • (1) Strong and documented WLAN security policy
    • (2) Detection
      • Radio based, client based & network based
    • (3) Provide “approved” WLAN services
      • No longer any need for rogue deployments

  38. Cisco IT Rogue AP detection
  • Via “wired” scanning
    • Regular full scan
    • Tool similar to “APTools”
    • Device fingerprinting
    • Includes remote networks (home)
  • Via “wireless” scanning
    • AP or client
    • Through WLSE

  39. Denial of Service
  • Can be malicious or “accidental”
  • Example: Send de-authenticate frames using MAC of AP
  • Mitigated by:
    • IT becomes “regulator” for air-space
    • Careful radio management (WLSE)
    • Prudent AP configuration (EMAN)
    • Monitor the airwaves (WLSE)
    • Stable authentication back-end

  40. Wireless LAN Security: Recommended Best Practices
  • Implement secure management policy for APs/bridges
    • Disable Telnet, disable HTTP access, disable CDP, enable SSH, and enable TACACS for admin authentication
  • Publicly Secure Packet Forwarding (PSPF): no inter-client communication on specific VLANs
  • Virus scanning + firewall recommended on WLAN clients
  • RF monitoring and rogue AP detection
    • Radio, client & network based scanning
    • Wireless IDS (WLSE 2.7)
  • Select appropriate EAP mechanism
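The management-policy items on this slide (Telnet, HTTP and CDP off; SSH and TACACS admin authentication on; PSPF) as a small configuration audit, an added example that is not part of the presentation or of any Cisco tooling. The two running-configs are constructed, not taken from a real device; the `bridge-group 1 port-protected` line is the Aironet IOS form of PSPF this example assumes, and the TACACS+ server address and key are placeholders.

```python
import re
from typing import List, Tuple

# Constructed Aironet-style (IOS) configurations, one before and one after hardening.
WEAK_CONFIG = """\
hostname ap-weak
!
ip http server
!
interface Dot11Radio0
 ssid corp
!
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname ap-hardened
!
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-SECRET
!
no ip http server
no cdp run
ip ssh version 2
!
interface Dot11Radio0
 ssid corp
 bridge-group 1 port-protected
!
line vty 0 4
 transport input ssh
"""


def parse_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level line, indented child lines) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_ap_config(text: str) -> List[str]:
    """Return a finding code for each best-practice item the config violates."""
    sections = parse_sections(text)
    top = {name for name, _ in sections}
    findings: List[str] = []
    if "ip http server" in top:
        findings.append("http-enabled")
    if "no cdp run" not in top:                     # CDP is on by default in IOS
        findings.append("cdp-enabled")
    if not any(t.startswith("ip ssh version 2") for t in top):
        findings.append("ssh-v2-not-enabled")
    if not any(re.match(r"aaa authentication login \S+ group tacacs\+", t) for t in top):
        findings.append("tacacs-admin-auth-missing")
    for name, children in sections:
        if name.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            # No transport line at all means the IOS default, which still admits Telnet.
            if not transports or any(re.search(r"\b(telnet|all)\b", c) for c in transports):
                findings.append("telnet-allowed:" + name)
    # PSPF (assumed Aironet syntax): radio bridge-group marked port-protected.
    pspf = any(name.startswith("interface Dot11Radio")
               and any(c.endswith("port-protected") for c in children)
               for name, children in sections)
    if not pspf:
        findings.append("pspf-disabled")
    return findings


if __name__ == "__main__":
    print("weak:", audit_ap_config(WEAK_CONFIG))
    print("hardened:", audit_ap_config(HARDENED_CONFIG))
```

Running the audit against an exported running-config from each AP is a cheap way to turn the slide's policy into a repeatable check; the codes are stable strings so the output can be fed to whatever inventory or ticketing system tracks the fleet.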

  41. Detecting scans & attacks
  • Can detect active scanning tools
    • NetStumbler leaves well-known fingerprints in logs
  • MAC spoofing
    • FakeAP – detect short time between broadcasts w/sniffer
  • WEP reinjection
    • FCS has consistent value (would change if it were true data traffic)
  • IDS
    • Snort-wireless – Snort plug-ins detect rogue APs & active scanning
    • Kismet detects active scanning, M-I-M attacks
    • WIDZ detects attacks & rogue APs
    • AirDefense detects attacks & rogue APs (commercial)
    • AirMagnet w/distributed sensors
    • Cisco SWAN deploys sensors into APs
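Two of the detections above, the de-authentication flood from slide 39 (deauth frames carrying the AP's MAC) and the "constant value" signature of WEP reinjection on this slide, as detection logic over a constructed capture. This is an added example, not code from the presentation or from any of the IDS products listed; the MAC addresses and frame records are made up, and the replay check keys on the (source, IV, ICV) triple repeating verbatim as the analogue of the unchanging FCS the slide describes.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

AP_MAC = "00:11:22:33:44:55"       # constructed AP address
CLIENT_MAC = "aa:bb:cc:dd:ee:01"   # constructed client address
BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame(t: float, subtype: str, src: str, dst: str, iv=None, icv=None) -> dict:
    """Minimal decoded-frame record: timestamp, 802.11 subtype, addresses, WEP IV/ICV."""
    return {"t": t, "subtype": subtype, "src": src, "dst": dst, "iv": iv, "icv": icv}


def sample_capture() -> List[dict]:
    """Constructed capture: normal data, one legitimate deauth, a deauth flood
    spoofing the AP's MAC, and one WEP frame reinjected verbatim."""
    frames = []
    for i in range(20):   # legitimate data: IV and ICV differ on every frame
        frames.append(frame(0.05 * i, "data", CLIENT_MAC, AP_MAC,
                            iv=f"{i:06x}", icv=f"{(i * 2654435761) & 0xFFFFFFFF:08x}"))
    frames.append(frame(1.5, "deauth", AP_MAC, CLIENT_MAC))
    for i in range(40):   # 40 deauths in 0.4 s claiming to come from the AP
        frames.append(frame(3.0 + 0.01 * i, "deauth", AP_MAC, BROADCAST))
    for i in range(25):   # identical IV/ICV 25 times: replayed, not fresh traffic
        frames.append(frame(5.0 + 0.02 * i, "data", CLIENT_MAC, AP_MAC,
                            iv="00abcd", icv="deadbeef"))
    return frames


def detect_deauth_flood(frames: List[dict], window_s: float = 1.0,
                        threshold: int = 10) -> Dict[str, int]:
    """Sources that send >= threshold deauth frames inside any sliding window.
    Returns {source MAC: peak count in a window}."""
    times = defaultdict(list)
    for f in frames:
        if f["subtype"] == "deauth":
            times[f["src"]].append(f["t"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        best = lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def detect_wep_replay(frames: List[dict],
                      threshold: int = 5) -> Dict[Tuple[str, str, str], int]:
    """(src, IV, ICV) triples seen >= threshold times. Genuine traffic changes the
    IV every frame and the ICV with the payload, so exact repeats mean reinjection."""
    counts = Counter((f["src"], f["iv"], f["icv"])
                     for f in frames if f["subtype"] == "data")
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    cap = sample_capture()
    print("deauth flood:", detect_deauth_flood(cap))
    print("WEP replay:", detect_wep_replay(cap))
```

The sliding window matters: a single deauth from the real AP (the legitimate frame at 1.5 s) is normal, and only the burst trips the threshold. The thresholds are starting points to tune per site, since a busy AP legitimately deauthenticates idle clients and a noisy channel causes retransmissions that repeat an IV a handful of times.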

  42. Cisco Structured Wireless Aware Network (SWAN) (diagram)

  43. Questions?

  44. © 2003 Cisco Systems, Inc. All rights reserved.

  45. Demo of tools
  • Notes
    • Requires setting “monitor mode” on card
    • Drivers hard to find for this
      • Linux-built drivers free; Windows drivers custom from other sites – expensive
  • Monitoring tools
    • Kismet
    • AirSnort
  • Spoofing tools
    • FakeAP
