1. Wireless Security
2. Agenda - .11i, IPS/IDS, Ranging
WPA
WPA2
IEEE 802.11i
AES Encryption
WPA and WPA2 Comparison
Cisco TKIP, WPA, WPA2 Comparison
3. Wireless Security?
4. 802.1x (EAP) Client associates
5. WPA
Wi-Fi Protected Access (WPA)
Standards-based security solution from the Wi-Fi Alliance
Addresses the vulnerabilities in native WLANs using Wired Equivalent Privacy (WEP)
Supports IEEE 802.1X and Pre-Shared Key (PSK) authentication
Temporal Key Integrity Protocol (TKIP) for encryption
Fully supported by the Cisco Wireless Security Suite
6. WPA2
Announced 9/1/04: Next generation of Wi-Fi security
Follows IEEE 802.11i standard
Supports IEEE 802.1X and Pre-Shared Key (PSK) authentication
Advanced Encryption Standard (AES) encryption algorithm using CCMP
Facilitates government FIPS 140-2 compliance
Pre-authentication is optional
Backward compatible with WPA
Mandatory with an optional (18 month) phase-in period
Fully supported by the Cisco Wireless Security Suite
7. IEEE 802.11i
Ratified June 2004
Defines security standards for wireless LANs
Details stronger encryption, authentication, and key management strategies for wireless data and system security
Required hardware accelerator chip in radio
Includes the following:
Two new data-confidentiality protocols TKIP and AES-CCMP
Negotiation process for selecting the correct confidentiality protocol
Key system for each traffic type
Key caching and pre-authentication
8. AES Encryption
Encryption standard defined by NIST (National Institute of Standards and Technology) to replace DES
The Gold standard
Hardware encryption vs. software encryption
Replaces RC4 encryption in IEEE 802.11i
128 bit symmetric cipher, 48 bit Initialization Vector
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
Requires hardware acceleration, or the overall performance of an 11Mb radio will be unacceptable
Facilitates government FIPS 140-2 compliance
Note: 802.1X is not FIPS compliant
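Added example (not part of the original slides): how a receiver or wireless IDS sensor can use the 48-bit value listed above, which CCMP carries in its 8-octet header as the packet number, to reject replayed frames. The station MAC, the helper names and the sample headers are constructed for illustration; real receivers also keep a separate counter per traffic priority and reset it on rekey, which this sketch omits.

```python
from dataclasses import dataclass, field

CCMP_HDR_LEN = 8
EXT_IV_BIT = 0x20  # bit 5 of the Key ID octet; always set for CCMP


def parse_ccmp_header(hdr: bytes) -> tuple[int, int]:
    """Return (packet_number, key_id) from the 8-octet CCMP header.

    Octet layout: PN0 PN1 Rsvd KeyID-octet PN2 PN3 PN4 PN5 (PN5 most significant).
    """
    if len(hdr) < CCMP_HDR_LEN:
        raise ValueError("CCMP header is 8 octets")
    if not hdr[3] & EXT_IV_BIT:
        raise ValueError("ExtIV bit clear: not a CCMP header")
    pn_octets = bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]])
    return int.from_bytes(pn_octets, "little"), hdr[3] >> 6


@dataclass
class ReplayWindow:
    """Tracks the highest packet number accepted per (transmitter, key id)."""
    last_pn: dict = field(default_factory=dict)

    def check(self, transmitter: str, hdr: bytes) -> str:
        pn, key_id = parse_ccmp_header(hdr)
        key = (transmitter, key_id)
        # The counter starts at 0, so the first valid packet number is 1.
        if pn <= self.last_pn.get(key, 0):
            return "replay"  # PN did not increase: drop the frame and alert
        self.last_pn[key] = pn
        return "accept"


def build_header(pn: int, key_id: int = 0) -> bytes:
    """Constructed test input: encode a 48-bit PN as a CCMP header."""
    p = pn.to_bytes(6, "little")
    return bytes([p[0], p[1], 0, EXT_IV_BIT | (key_id << 6), p[2], p[3], p[4], p[5]])


def demo() -> list[str]:
    # Constructed traffic from one hypothetical station: PNs 1, 2, 2, 3, 1.
    win = ReplayWindow()
    sta = "02:00:00:00:00:01"  # constructed, locally administered MAC
    return [win.check(sta, build_header(pn)) for pn in (1, 2, 2, 3, 1)]


if __name__ == "__main__":
    print(demo())
```
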
9. WPA and WPA2 Comparison
10. Cisco TKIP, WPA, WPA2 Comparison
11. WPA2 & Extended EAP types
Initial WPA2 testing was on EAP-TLS
Other EAP methods now available
EAP-TTLS/MSCHAPv2
PEAPv0/EAP-MSCHAPv2, (a.k.a., Microsoft PEAP)
PEAPv1/EAP-GTC, (a.k.a., Cisco PEAP)
12. Wireless IDS
Traditional wired IDS focus on L3 and higher
Nature of RF medium and wireless standards mandate IDS at the physical and data link layer
RF medium vulnerabilities:
Unlicensed spectrum subject to interference, contention
Not contained by physical security boundaries
Standards vulnerabilities:
Unauthenticated management frames
Session hijacking, replay-type attacks
Wide availability of wireless hacking literature & tools
13. Wireless IDS
Address RF related vulnerabilities
Detect, locate, mitigate rogue devices
Detect and manage RF interference
Detect reconnaissance if possible
Address standards-based vulnerabilities
Detect management frame & hijacking-style attacks
Enforce security configuration policies
Complementary functionality:
Forensic analysis
Compliance reporting
14. Wireless IDS