Applying security principles to networking applications

Applying Security Principles to Networking Applications. Mark Enright enright@cisco.com Dec 08, 2005. What is Security in Computer Development Projects. What are you protecting Why are you protecting it From whom are you protecting it How are you going to protect it


Applying Security Principles to Networking Applications

Mark Enright

enright@cisco.com

Dec 08, 2005


What is Security in Computer Development Projects

  • What are you protecting

  • Why are you protecting it

  • From whom are you protecting it

  • How are you going to protect it

  • What is the cost of protecting it


Wired Access Topology

[Diagram labels: Internet; Access Device; Local Area Network (LAN); Wide Area Network (WAN)]


Wireless Access Topology

[Diagram labels: Internet; Access Device; Local Area Network (LAN); Wide Area Network (WAN)]


Wireless Access Security Complication

  • Physical access to the Local Area Network is no longer required

    • Anyone can intercept your conversations

    • Anyone can utilize your network resources


Security Solution For Wireless Access

  • Authentication

  • Encryption


Typical Solution for Wireless Access

1) Where is Access Point “MyAP”

2) I am here. Prove you know my secret

3) Here is my proof

4) OK. Here are session keys


So What's the Problem?

  • Wireless Access is a huge Consumer Market

  • People are becoming concerned with Wireless Security

  • My Grandmother can't use it


What Can We Do To Help

  • Make it easy for Grandma to set up Wireless Security


Step 1. Configure Security Parameters Automatically

SSID: r@ndOm 55ID

WPA-PSK: R@NDOM_P@SsW0Rd

When Access Point is booted 1st time:

  • Configures Random Secure SSID

  • Configures Random WPA Shared Secret

  • Waits for Wireless Association on Secure SSID
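A sketch of the first-boot step above, added here as an example and not taken from the presentation or any Cisco product. The function names, lengths and alphabet are assumptions; the key derivation is the standard WPA-PSK passphrase mapping, in which the SSID is the salt, so a random SSID also makes the derived key unique to this access point.

```python
import hashlib
import secrets
import string

# Assumption for this example: letters and digits only, easy to transcribe.
ALPHABET = string.ascii_letters + string.digits


def random_ssid(length=16):
    """Random SSID from the OS CSPRNG; 802.11 limits an SSID to 32 bytes."""
    if not 1 <= length <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(length=32):
    """Random WPA shared secret; a WPA passphrase is 8..63 printable ASCII chars."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def wpa_pmk(passphrase, ssid):
    """WPA-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32
    )


def first_boot_config():
    """Parameters the access point would set before waiting for an association."""
    ssid = random_ssid()
    passphrase = random_passphrase()
    return {"ssid": ssid, "wpa_psk": passphrase, "pmk": wpa_pmk(passphrase, ssid).hex()}


if __name__ == "__main__":
    cfg = first_boot_config()
    print("SSID:", cfg["ssid"])
    print("WPA-PSK:", cfg["wpa_psk"])
```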


Step 2.

  • How Can We Transfer Security Parameters Securely?


Step 2. Trial One

SSID: Well Known SSID

Open Authentication

1) Where is my Access Point “Well Known SSID”

2) Here I am. Come on in

3) Give me Security Parameters

4) Here They Are

SSID: r@ndOm 55ID

WPA-PSK: R@NDOM_P@SsW0Rd

1) Where is my Access Point “r@ndOm 55ID”

2) I am here. Prove you know my secret

3) Here is my proof

4) OK. Here are session keys


Step 2. Trial One Attack

SSID: Well Known SSID

Open Authentication

1) Where is my Access Point “Well Known SSID”

2) Here I am. Come on in

3) Give me Security Parameters

4) Here they are


Step 2. Trial Two

  • What Authentication is possible given constraints

    • something we know

    • something we have

    • something we are

    • something we do

  • If we can’t be sure, at least be safe


Step 2. Trial Two

SSID: Well Known SSID

Open Authentication

Where is my Access Point “Well Known SSID”

Where is my Access Point “Well Known SSID”

Here I am. Come on in

Here I am. Come on in

Give Me Security Parameters

Give Me Security Parameters

Hang on a sec

Unable to guarantee unique access

Access to all denied
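The "if we can't be sure, at least be safe" rule of Trial Two, written out as an added example (not code from the presentation). The class name, the station labels and the five-second wait are assumptions; it models only the uniqueness check and does nothing about a station that merely listens.

```python
class ProvisioningGate:
    """Fail-closed hand-out of security parameters on the open, well-known SSID."""

    def __init__(self, params, hold_seconds=5.0):
        self._params = params
        self._hold = hold_seconds      # assumed length of the "hang on a sec" wait
        self._first_request = None
        self._requesters = set()
        self.locked = False            # True once nothing more will be handed out

    def request(self, station, now):
        """Record a 'Give me Security Parameters' request; never answer at once."""
        if self.locked:
            return "DENY"
        if self._first_request is None:
            self._first_request = now
        self._requesters.add(station)
        return "HOLD"

    def collect(self, station, now):
        """Called by a station after the wait; returns (status, params or None)."""
        if self.locked or station not in self._requesters:
            return ("DENY", None)
        if now - self._first_request < self._hold:
            return ("HOLD", None)
        self.locked = True             # one decision only, whatever the outcome
        params, self._params = self._params, None
        if len(self._requesters) != 1:
            return ("DENY", None)      # cannot guarantee unique access: deny all
        return ("OK", params)


if __name__ == "__main__":
    # Constructed scenario: two stations ask during the same wait.
    gate = ProvisioningGate({"ssid": "r@ndOm 55ID", "wpa_psk": "R@NDOM_P@SsW0Rd"})
    gate.request("station-A", now=0.0)
    gate.request("station-B", now=1.0)
    print(gate.collect("station-A", now=6.0))
```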


Step 2. Trial 2 Attack

  • Attacker just Associates and Listens


Trial 3.

  • Use Trial 2 Method for Authentication

  • Use SSL for Encryption


So What's the Problem with IPSec?

  • Network Protection is a huge Consumer Market

  • People are becoming concerned with Security and look to IPSec for help

  • My Grandmother can't use it


Network Address Translation

[Diagram labels: 192.168.1.100 and 192.168.1.101 (shown twice); 172.204.19.32; 62.2.12.17; Internet; Local Area Network (LAN); Wide Area Network (WAN)]


The RoadWarrior IPSec Problem

  • With common implementations the IP Address needs to be known a priori, or else a global shared secret is used for Authentication

  • Mobility and NAT make it hard to predict the IP Address


RoadWarrior Solution

1. Gateway configured

  • SSL Username, password

2. Client configured

  • Web Install client software

  • Configure address of Home Gateway

3. Client software connects

  • Logs on to HTTPS

  • Initiates the IPSec VPN

4. Gateway accepts

  • Authenticates Client by password

  • Figures out current Client IP Address

  • Provisions IPSec for Client IP Address

  • Joins Client to Protected Network using IPSec VPN

[Diagram labels: Road Warrior Client; Internet; HTTPS; IPSec VPN Tunnel; Home Gateway; Protected Network]
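The gateway side of steps 1 and 4, as an added example that is not the presentation's or any product's code. The class, the PBKDF2 password storage and the per-login IPSec secret are assumptions; the addresses are the ones on the Network Address Translation slide, and the point shown is that the peer is taken from the HTTPS connection's source address rather than from anything the client reports.

```python
import hashlib
import hmac
import ipaddress
import secrets

ITERATIONS = 200_000  # assumption: PBKDF2 work factor chosen for this example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class HomeGateway:
    def __init__(self):
        self._users = {}   # username -> (salt, password hash)
        self.peers = {}    # provisioned IPSec peers: address -> policy

    def add_user(self, username, password):
        """Step 1: gateway configured with a username and password."""
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username, password, observed_ip):
        """Step 4: observed_ip is the source address of the HTTPS connection
        as the gateway sees it (after any NAT), never a client-supplied value."""
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        peer = str(ipaddress.ip_address(observed_ip))
        # A client that moved keeps one policy: drop its earlier address.
        self.peers = {ip: p for ip, p in self.peers.items() if p["user"] != username}
        # Assumption: a fresh secret per login instead of a global shared secret.
        policy = {"user": username, "peer": peer, "psk": secrets.token_hex(32)}
        self.peers[peer] = policy
        return policy


if __name__ == "__main__":
    gw = HomeGateway()
    gw.add_user("grandma", "constructed-password")   # constructed credentials
    # The client believes it is 192.168.1.100; the gateway sees the NAT address.
    print(gw.login("grandma", "constructed-password", "62.2.12.17")["peer"])
```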