
Implementing Network Security – Wireless Security Segway!

This blog post discusses the challenges faced in securing wireless networks and provides solutions to improve network security, particularly in relation to wireless LANs and static WEP encryption.


Presentation Transcript


  1. Implementing Network Security – Wireless Security Segway!
     Steve Lamb, Technical Security Advisor
     http://blogs.msdn.com/steve_lamb
     stephlam@microsoft.com

  2. So what’s the problem?
     • WEP is a euphemism
       • Wired
       • Equivalent
       • Privacy
     • Actually, it’s a lie
       • It isn’t equivalent to “wired privacy” at all!
       • How can you secure the air?
     • Thus: WEP’s v.poor
     http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

  3. WLAN Security Challenges: Unsecured WLAN
     • Most wireless LANs are unsecured
     [Diagram labels: Company Servers, WLAN Access Point, Mobile Employee, Evil Hacker; mail addressed to boss@company.tld]

  4. WLAN Security Challenges: Weak Security in 802.11 Static WEP
     [Diagram: static WEP-encrypted traffic]

  5. Other 802.11 Challenges
     • Access Points are dim!
     • Key Management (!!!!)
       • Manual update = never changed!
     • Access Control with MAC address filtering
       • = NO SECURITY!
     • Neither is scalable
     [Diagram labels: Authentication, Authorization, Data Protection, Audit]

  6. WLAN Security Challenges: Weak Security in 802.11 Static WEP
     • Static WEP key easily obtained for encryption / authentication
     [Diagram: static WEP-encrypted traffic]

  7. WLAN Security Challenges: Weak Security in 802.11 Static WEP
     • Man in the middle attacks are difficult to detect & prevent
     [Diagram label: Rogue Network]

  8. Alternatives to WEP

  9. VPNs
     Pros
     • Familiarity
     • Hardware Independent
     • Proven Security
     Cons
     • Lacks user transparency
     • Only user logon (not computer)
     • Roaming profiles, logon scripts, GPOs broken, shares, management agents, Remote desktop
     • No reconnect on resume from standby
     • Complex network structure

  10. VPNs
      More Cons
      • No protection for WLAN
      • Bottleneck at VPN devices
      • Higher management & hardware cost
      • Prone to disconnection
      Yet more cons! (non-MS VPNs)
      • 3rd party licensing costs
      • Client compatibility
      • Many VPN auth schemes (IPsec Xauth) are as bad as WEP!

  11. PEAP encapsulation
      1. Server authenticates to client
      2. Establishes protected tunnel (TLS)
      3. Client authenticates inside tunnel to server
      • No cryptographic binding between PEAP tunnel and tunneled authN method
      • Fix: constrain client (in GPO) to trust only a specific corporate root CA
      • Foils potential MitM attacks

  12. EAP architecture
      • Method layer: MS-CHAPv2, TLS, SecurID, TLS, GSS_API, Kerberos, PEAP, IKE, MD5
      • EAP layer: EAP
      • Media layer: PPP, 802.3, 802.5, 802.11, Anything…

  13. 802.1X over 802.11
      [Sequence diagram between Supplicant, Authenticator and Authentication Server]
      • Supplicant ↔ Authenticator: 802.11 association, EAPOL-start, EAP-request/identity, EAP-response/identity, EAP-request, EAP-response (credentials), EAP-success, EAPOW-key (WEP)
      • Authenticator ↔ Authentication Server: RADIUS-access-request, RADIUS-access-challenge, RADIUS-access-request, RADIUS-access-accept
      • Port states: Access blocked, Access allowed
      • Callouts: “Gotta get on!”, “Calculating my key… (Wow I just don’t understand this new maths!)”, “Calculating this guy’s key…”

  14. Session Summary
      • Windows XP has great wireless security features
      • There’s extensive prescriptive guidance available from our website
      • Don’t be scared of wireless!

  15. Next Steps
      • Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
      • Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
      • Check out Security360: http://www.microsoft.com/seminar/events/series/mikenash.mspx
      • Get additional security tools and content: http://www.microsoft.com/security/guidance

  16. Resources
      • Microsoft Wi-Fi Page: http://www.microsoft.com/wifi
      • The Unofficial 802.11 Security Web Page: http://www.drizzle.com/~aboba/IEEE/
      • Intercepting Mobile Communications: The Insecurity of 802.11: http://www.drizzle.com/~aboba/IEEE/wep-draft.zip
      • Fluhrer, Mantin, Shamir WEP Paper: http://www.crypto.com/papers/others/rc4_ksaproc.pdf
      • WiFi Planet: http://www.wi-fiplanet.com/
      • Microsoft Solution for Securing Wireless LANs with PEAP and Passwords (< 1 week): http://www.microsoft.com/technet/security/guidance/peap_0.mspx
      • Microsoft Solution for Securing Wireless LANs with Certificates: http://www.microsoft.com/technet/security/prodtech/win2003/pkiwire/swlan.mspx
      • Wifi for SOHO Environments: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx

  17. Credits
      • Thanks to Ian Hellen (MCS) & Steve Riley (Corp) as I “borrowed” several of their slides!

  18. Questions and Answers
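Slide 11's fix, as an added example that is not part of the presentation or any Microsoft tooling: a Python check that flags PEAP wireless profiles whose client settings do not restrict the server certificate to the corporate root CA, or that let the user accept an unknown server. It assumes profiles in the XML layout that Windows writes with `netsh wlan export profile`; the trimmed sample profiles, their names and the thumbprints are constructed.

```python
import xml.etree.ElementTree as ET

PEAP = "25"  # EAP method type number assigned to PEAP

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace

def norm(thumbprint):
    return "".join(thumbprint.split()).lower()

def audit_profile(xml_text, corporate_roots):
    """Findings for one exported profile; an empty list means the root pin is in place."""
    elems = list(ET.fromstring(xml_text).iter())
    name = next((e.text for e in elems if local(e.tag) == "name"), "?")
    if PEAP not in [(e.text or "").strip() for e in elems if local(e.tag) == "Type"]:
        return []  # not a PEAP profile
    sv = next((e for e in elems if local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return [f"{name}: no ServerValidation settings"]
    pins = {norm(e.text) for e in sv if local(e.tag) == "TrustedRootCA" and e.text}
    findings = [] if pins else [f"{name}: no root CA pinned"]
    for extra in sorted(pins - {norm(t) for t in corporate_roots}):
        findings.append(f"{name}: trusts non-corporate root {extra}")
    prompt = next((e.text for e in sv
                   if local(e.tag) == "DisableUserPromptForServerValidation"), "")
    if (prompt or "").strip().lower() != "true":
        findings.append(f"{name}: user can be prompted to accept an unknown server")
    return findings

def sample_profile(name, server_validation):
    """Constructed, trimmed stand-in for a `netsh wlan export profile` file."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>{server_validation}</ServerValidation>
  </EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""

CORP_ROOT, OTHER_ROOT = "ab " * 20, "cd " * 20  # constructed placeholder thumbprints
NO_PROMPT = "<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>"
PINNED = sample_profile("CorpWLAN", f"{NO_PROMPT}<TrustedRootCA>{CORP_ROOT}</TrustedRootCA>")
UNPINNED = sample_profile("LabWLAN", "")
EXTRA = sample_profile("GuestWLAN", f"{NO_PROMPT}<TrustedRootCA>{OTHER_ROOT}</TrustedRootCA>")

if __name__ == "__main__":
    for p in (PINNED, UNPINNED, EXTRA): print(audit_profile(p, [CORP_ROOT]))
```

Elements are matched by local name, so the check does not depend on the exact namespace URIs in a given export.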
