
IFIP-UNU ADVANCED COURSE ON NETWORKING AND SECURITY Module II-Wireless Communications Section 8

This module provides an overview of wireless security challenges and covers the basics of securing WLANs. It discusses specific weaknesses and vulnerabilities of WLANs, security configuration for APs, bridges, and clients, and enterprise-level WLAN security.

amadorj

Presentation Transcript


  1. IFIP-UNU ADVANCED COURSE ON NETWORKING AND SECURITY Module II-Wireless Communications Section 8 • Wireless Security

  2. Overview WLANs present unique security challenges. This module will cover the basics of securing WLANs. Specific weaknesses and vulnerabilities of WLANs will be covered. Security configuration for APs, bridges, and clients will be shown and explained. Finally, enterprise level WLAN security will be presented.

  3. Learning Objectives • Understand the 3 types of vulnerabilities and attacks • Understand the 4 types of threats • Understand the importance of a security policy • Understand the 4 steps of the WLAN security wheel • Properly configure basic WLAN security via IOS GUI and CLI • Understand advanced enterprise-level WLAN security technologies and configuration principles

  4. Key terms • WEP • TKIP • MIC • EAP • 802.1X • WPA • CCKM • RADIUS • SSH • Encryption • RSA RC4 (WEP) • DES, 3DES, AES • Cipher • BKR

  5. Advanced Security Terms • WEP – Wired Equivalent Privacy • EAP – Extensible Authentication Protocol • TKIP – Temporal Key Integrity Protocol • CKIP – Cisco Key Integrity Protocol • CMIC – Cisco Message Integrity Check • Broadcast Key Rotation – Group Key Update • WPA – Wi-Fi Protected Access (WPA)

  6. Security Fundamentals

  7. Balancing Security and Access

  8. Vulnerabilities • Technology: TCP/IP; WEP and Broadcast SSID; Association Process; Wireless Interference • Configuration: Default passwords; Unneeded Services enabled; Few or no filters; Poor device maintenance • Policy: Weak Security Policy; No Security Policy; Poorly enforced Policy; Physical Access; Poor or no monitoring

  9. Threats • Internal • External • Structured • Unstructured

  10. The Security Attack—Recon and Access

  11. The Security Attacks—DoS

  12. WLAN Security Wheel • Always have a good WLAN Security Policy in place. • Secure the network based on the policy.

  13. WLAN Security Considerations • Authentication – only authorized users and devices should be allowed. • Encryption – traffic should be protected from unauthorized access. • Administration Security – only authorized users should be able to access and configure the AP configuration interfaces.

  14. Common Protocols which use Encryption • When using a public network such as a WLAN, FTP, HTTP, POP3, and SMTP are insecure and should be avoided whenever possible. Utilize protocols with encryption. • Web Browsing: HTTP (no encryption), HTTPS * (encryption) • File Transfer: TFTP or FTP (no encryption), SCP (encryption) • Email: POP3 or SMTP (no encryption), SPOP3 * (encryption) • Remote Mgmt: Telnet (no encryption), SSH (encryption) • * SSL/TLS

  15. WLAN Security Hierarchy • Open Access: No Encryption, Basic Authentication (Public “Hotspots”) • Basic Security: 40-bit or 128-bit Static WEP Encryption (Home Use) • Enhanced Security: 802.1x, TKIP/WPA Encryption, Mutual Authentication, Scalable Key Mgmt., etc. (Business) • Remote Access: Virtual Private Network (VPN) (Business Traveler, Telecommuter)

  16. Configuring Basic WLAN Security

  17. Admin Authentication on AP • To prevent unauthorized access to the AP configuration interfaces: • Configure a secret password for the privileged mode access. (good) • Configure local usernames/passwords. (better) • Configure AP to utilize a security server for user access. (best)

  18. User Manager

  19. Admin Access CLI View

  20. Console Password

  21. SSID Manager

  22. SSID Manager (cont)

  23. Global SSID Properties

  24. SSID CLI View

  25. WEP • WEP is a key. • WEP scrambles communications between AP and client. • AP and client must use same WEP keys. • WEP keys encrypt unicast and multicast. • WEP is easily attacked

  26. ? Supported Devices • What can be a client? Client; Non-Root bridge; Repeater access point; Workgroup Bridge • Authenticator? Root access point; Root bridge

  27. Enabling LEAP on the Client

  28. Configuring LEAP on the Client

  29. WEP Encryption Keys

  30. Enterprise WLAN Authentication

  31. Authentication Types • Open Authentication to the Access Point • Shared Key Authentication to the Access Point • EAP Authentication to the Network • MAC Address Authentication to the Network • Combining MAC-Based, EAP, and Open Authentication • Using CCKM for Authenticated Clients • Using WPA Key Management

  32. WLAN Security: 802.1X Authentication (diagram labels: Client, AP, Radius Server) • Mutual Authentication • EAP-TLS: EAP-Transport Layer Security; Mutual Authentication implementation; Used in WPA interoperability testing • LEAP: “Lightweight” EAP; Nearly all major OS’s supported: WinXP/2K/NT/ME/98/95/CE, Linux, Mac, DOS • PEAP: “Protected” EAP; Uses certificates or One Time Passwords (OTP); Supported by Cisco, Microsoft, & RSA; GTC (Cisco) & MSCHAPv2 (Microsoft) versions

  33. EAP • Extensible Authentication Protocol (802.1x authentication) • Provides dynamic WEP keys to user devices. • Dynamic is more secure, since it changes. • Harder for intruders to hack: by the time they have performed the calculation to learn the key, the key has changed!

  34. Basic RADIUS Topology • RADIUS can be implemented: • Locally on an IOS AP (up to 50 users) • On an ACS Server

  35. Local Radius Server

  36. Local Radius Server Statistics

  37. Radius Server User Groups

  38. ACS Server Options • Cisco Secure ACS Software • Cisco ACS Solution Engine

  39. Backup Security Server Manager

  40. Global Server Properties

  41. Enterprise Encryption

  42. WPA Interoperable, Enterprise-Class Security

  43. Cipher “Suite” • Cipher suites are sets of encryption and integrity algorithms. • Suites provide protection of WEP and allow use of authenticated key management. • Suites with TKIP provide best security. • Must use a cipher suite to enable: • WPA – Wi-Fi Protected Access • CCKM – Cisco Centralized Key Management

  44. Configuring the Suite • Create WEP keys • Enable Cipher “Suite” and WEP • Configure Broadcast Key Rotation • Follow the Rules

  45. WEP Key Restrictions

  46. Security Levels

  47. Enterprise WLAN Security Evolution • TKIP/WPA: Successor to WEP; Cisco’s pre-standard TKIP has been shipping since Dec.’01; Cisco introduced TKIP into 802.11i committee; 802.11i-standardized TKIP part of Wi-Fi Protected Access (WPA); WPA software upgrade now available for AP1100 & AP1200 • AES: The “Gold Standard” of encryption; AES is part of 802.11i standard; AES will be part of WPA2 standard (expected in 2004)

  48. Encryption Modes

  49. Encryption Global Properties

  50. Matching Client to AP
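
An added example (not part of the original presentation, and not Cisco tooling): a small Python audit that checks an AP configuration against the points made on slides 8, 14, 17, 25 and 44. The Aironet IOS command syntax, both sample configs and the finding IDs are assumptions constructed here, since the GUI and CLI screenshots from the slides are not in the transcript.

```python
import re
# Constructed sample configs in Cisco Aironet IOS syntax (not taken from the slides).
WEAK = """\
enable password cisco
dot11 ssid corp
 authentication open
 guest-mode
interface Dot11Radio0
 encryption mode wep mandatory
line vty 0 4
 transport input telnet
"""
HARDENED = """\
enable secret 5 $1$constructed$placeholder
aaa new-model
aaa authentication login default group radius local
dot11 ssid corp
 authentication network-eap eap_methods
 authentication key-management wpa
interface Dot11Radio0
 encryption mode ciphers tkip
line vty 0 4
 transport input ssh
"""

def _has(config, pattern):
    return any(re.match(pattern, line.strip()) for line in config.splitlines())

def admin_auth_tier(config):
    """Slide 17 ladder: none < good (secret) < better (local users) < best (server)."""
    if _has(config, r"aaa authentication login .*\bgroup "):
        return "best"
    if _has(config, r"username \S+ "):
        return "better"
    return "good" if _has(config, r"enable secret ") else "none"

def audit(config):
    """Return finding IDs; the ID strings are invented for this example."""
    found = []
    if _has(config, r"transport input .*\b(telnet|all)\b"):
        found.append("ADMIN-TELNET")        # slide 14: Telnet is unencrypted
    if _has(config, r"guest-mode$"):
        found.append("SSID-BROADCAST")      # slide 8: broadcast SSID
    wep = _has(config, r"encryption( vlan \d+)? mode wep ")
    eap = _has(config, r"authentication (network-eap|open eap) ")
    if wep and not eap:
        found.append("STATIC-WEP")          # slide 25: shared, unchanging keys
    elif wep and not _has(config, r"broadcast-key .*\bchange \d+"):
        found.append("NO-BROADCAST-KEY-ROTATION")  # slide 44
    return found
```

Dynamic WEP with EAP but no `broadcast-key change` interval is reported separately from static WEP, because slide 44 lists broadcast key rotation as its own configuration step.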
