This blog post discusses the challenges faced in securing wireless networks and provides solutions to improve network security, particularly in relation to wireless LANs and static WEP encryption.
Implementing Network Security – Wireless Security Segway!
Steve Lamb, Technical Security Advisor
http://blogs.msdn.com/steve_lamb
stephlam@microsoft.com
So what's the problem?
• WEP is a euphemism: Wired Equivalent Privacy
• Actually, it's a lie: it isn't equivalent to "wired privacy" at all!
• How can you secure the air?
• Thus: WEP's very poor
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
WLAN Security Challenges: Unsecured WLAN
[Diagram: company servers, WLAN access point, mobile employee (mailto:boss@company.tld), evil hacker on the same air]
• Most wireless LANs are unsecured
WLAN Security Challenges: Weak Security in 802.11 (Static WEP)
[Diagram: frames encrypted under the static WEP key travelling between client and access point]
Other 802.11 Challenges
• Access Points are dim!
• Key Management (!!!!)
• Manual update = never changed!
• Access Control with MAC address filtering = NO SECURITY!
• Neither is scalable
[Sidebar: Authentication, Authorization, Data Protection, Audit]
WLAN Security Challenges: Weak Security in 802.11 (Static WEP)
• Static WEP key easily obtained for encryption / authentication
[Diagram: the attacker captures the same WEP-encrypted frames as the access point]
WLAN Security Challenges: Weak Security in 802.11 (Static WEP)
• Man in the middle attacks are difficult to detect & prevent
[Diagram: client unknowingly associated to a rogue network carrying the same static key]
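The three Static WEP slides above only gesture at why a never-changing key is fatal. The following is an added illustration, not code from the slides or from Microsoft: it implements plain RC4 (the cipher WEP uses), frames it the WEP way (a 24-bit IV sent in the clear, prepended to the static key), and shows the consequence the Berkeley WEP FAQ describes: once two frames reuse an IV they share a keystream, so XORing the two ciphertexts yields the XOR of the two plaintexts without any knowledge of the key. It also computes, from the birthday bound, how few frames a busy network needs before an IV repeat is expected. The key, IV and message bytes are constructed sample values.

```python
# Added illustration (not from the original slides): why a static WEP key fails.
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-packet RC4 key = IV || static key; IV travels in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + static_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_of_plaintexts_from_iv_collision(frame_a: bytes, frame_b: bytes):
    """If two captured frames carry the same IV they share a keystream, so
    C_a XOR C_b == P_a XOR P_b. Returns None when the IVs differ (no reuse)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def frames_until_iv_collision_expected(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before a repeat occurs with the
    given probability. For WEP's 24-bit IV this is only a few thousand frames."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    static_key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                           # constructed IV, reused by both frames
    frame1 = wep_encrypt(static_key, iv, b"HELLO, BOSS")
    frame2 = wep_encrypt(static_key, iv, b"PAY INVOICE")
    leak = xor_of_plaintexts_from_iv_collision(frame1, frame2)
    print("XOR of plaintexts recovered without the key:", leak.hex())
    print("frames until an IV repeat is expected (p=0.5):",
          frames_until_iv_collision_expected())
```

The mitigation that the rest of the deck builds towards follows directly: the key must be per-session and rotated (the EAPOL-Key step of 802.1X), because nothing in the WEP framing itself prevents IV reuse.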
VPNs
Pros
• Familiarity
• Hardware independent
• Proven security
Cons
• Lacks user transparency
• Only user logon (not computer)
• Roaming profiles, logon scripts, GPOs broken, shares, management agents, Remote Desktop
• No reconnect on resume from standby
• Complex network structure
VPNs (continued)
More cons
• No protection for WLAN
• Bottleneck at VPN devices
• Higher management & hardware cost
• Prone to disconnection
Yet more cons! (non-MS VPNs)
• 3rd party licensing costs
• Client compatibility
• Many VPN auth schemes (IPsec Xauth) are as bad as WEP!
PEAP encapsulation
1. Server authenticates to client
2. Establishes protected tunnel (TLS)
3. Client authenticates inside tunnel to server
• No cryptographic binding between PEAP tunnel and tunneled authN method
• Fix: constrain client (in GPO) to trust only a specific corporate root CA
• Foils potential MitM attacks
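The slide's fix is a client-side policy decision taken before step 3, so it is easy to model. The following is an added example, not code from the slides or from Windows: it represents what the supplicant learns from the phase-1 TLS handshake, applies two policies (a lax one that accepts any root in the machine store, and the constrained one the slide recommends, which mirrors the Windows PEAP settings "Validate server certificate", the trusted root list and "Connect to these servers"), and releases the inner credential into the tunnel only when the server passes. The server names, thumbprints and certificates are constructed placeholders.

```python
# Added example (not from the original slides): PEAP phase-1 server validation
# policy, as a supplicant would apply it before sending inner credentials.
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    """What the supplicant sees in the TLS handshake that opens the PEAP tunnel."""
    subject: str              # name presented by the RADIUS/IAS server
    root_fingerprint: str     # thumbprint of the root CA the chain ends in
    server_auth_eku: bool     # Server Authentication EKU present


@dataclass(frozen=True)
class PeapClientPolicy:
    """Supplicant-side constraints, normally pushed by GPO."""
    validate_server_cert: bool
    trusted_roots: frozenset      # thumbprints of roots the client will accept
    expected_servers: frozenset   # accepted server names; empty means any name


# Constructed placeholder thumbprints (not real CA values).
CORP_ROOT = "sha1:corp-root-ca-placeholder"
PUBLIC_ROOT = "sha1:public-ca-placeholder"

# Lax: every root in the machine store is acceptable and no server name is pinned.
lax_policy = PeapClientPolicy(True, frozenset({CORP_ROOT, PUBLIC_ROOT}), frozenset())
# Constrained (the slide's fix): only the corporate root, only the known server name.
strict_policy = PeapClientPolicy(True, frozenset({CORP_ROOT}), frozenset({"ias1.company.tld"}))


def check_peap_server(cert: ServerCert, policy: PeapClientPolicy):
    """Decide whether the supplicant may proceed to phase 2 (inner authN).
    Returns (accepted, reason)."""
    if not policy.validate_server_cert:
        return True, "server certificate not validated (unsafe setting)"
    if cert.root_fingerprint not in policy.trusted_roots:
        return False, "chain does not end in an approved root CA"
    if not cert.server_auth_eku:
        return False, "certificate lacks the Server Authentication EKU"
    if policy.expected_servers and cert.subject not in policy.expected_servers:
        return False, f"unexpected server name {cert.subject!r}"
    return True, "server accepted"


def peap_phase1(cert: ServerCert, policy: PeapClientPolicy, inner_credential: str):
    """Release the inner credential into the tunnel only if the server passed.
    Returns what the tunnel peer would receive, or None when the client aborts."""
    accepted, _reason = check_peap_server(cert, policy)
    return inner_credential if accepted else None


# Constructed certificates: the genuine corporate IAS server, and a rogue
# network's server that holds a valid public-CA certificate for its own name.
corporate_server = ServerCert("ias1.company.tld", CORP_ROOT, True)
rogue_server = ServerCert("wifi.example.net", PUBLIC_ROOT, True)

if __name__ == "__main__":
    for name, cert in (("corporate", corporate_server), ("rogue", rogue_server)):
        for pname, policy in (("lax", lax_policy), ("strict", strict_policy)):
            print(name, pname, check_peap_server(cert, policy))
```

The point the run makes is that the rogue server is not "broken": its certificate is valid, so a client that trusts every public root and pins no name lets phase 2 start and hands the inner MS-CHAPv2 exchange to the wrong tunnel peer. Restricting the root and the server name in GPO is what makes the tunnel end where the inner credential is meant to go.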
EAP architecture
• Method layer: MS-CHAPv2, TLS, SecurID, GSS_API Kerberos, PEAP (itself carried over TLS), IKE, MD5
• EAP layer: EAP
• Media layer: PPP, 802.3, 802.5, 802.11, anything…
802.1X over 802.11 (Supplicant – Authenticator – Authentication Server)
Access blocked
1. 802.11 association (Supplicant → Authenticator)
2. EAPOL-Start (Supplicant → Authenticator)
3. EAP-Request/Identity (Authenticator → Supplicant)
4. EAP-Response/Identity (Supplicant → Authenticator), relayed as RADIUS-Access-Request
5. RADIUS-Access-Challenge (Authentication Server → Authenticator), relayed as EAP-Request
6. EAP-Response (credentials) (Supplicant → Authenticator), relayed as RADIUS-Access-Request
7. RADIUS-Access-Accept (Authentication Server → Authenticator), relayed as EAP-Success
8. EAPOW-Key (WEP) (Authenticator → Supplicant)
Access allowed
[Speech bubbles: Supplicant: "Gotta get on!" and "Calculating my key… (Wow I just don't understand this new maths!)"; Authentication Server: "Calculating this guy's key…"]
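The exchange above is worth seeing as three cooperating parties rather than a list of message names. The following is an added simulation, not code from the slides or from any Microsoft component: the authenticator keeps its controlled port blocked, relays EAP inside RADIUS without understanding it, and opens the port and delivers a per-session key (the EAPOW-Key step) only on Access-Accept; a wrong password or an unknown user ends in EAP-Failure with the port still blocked. The challenge/response method and the key derivation are toy stand-ins for the real EAP method (PEAP or EAP-TLS in the deck), and the user database is constructed.

```python
# Added simulation (not from the original slides): the 802.1X over 802.11
# exchange with a toy EAP method, showing the controlled port opening only
# after the authentication server says Access-Accept.
import hashlib
import hmac
import os

USER_DB = {"alice@company.tld": b"correct-horse-battery"}   # constructed accounts


def run_8021x(identity: str, password: bytes, user_db=USER_DB, rng=os.urandom) -> dict:
    """Walk the exchange in the order the slide shows it. Returns the final
    port state, the session key (if any) and the message transcript."""
    transcript = []
    port_open = False
    session_key = None

    def msg(link, text):
        transcript.append((link, text))

    # Link is up, but the authenticator's controlled port stays blocked.
    msg("supplicant->authenticator", "802.11 association")
    msg("supplicant->authenticator", "EAPOL-Start")
    msg("authenticator->supplicant", "EAP-Request/Identity")
    msg("supplicant->authenticator", f"EAP-Response/Identity ({identity})")
    msg("authenticator->server", "RADIUS Access-Request [EAP-Response/Identity]")

    # Server issues a fresh challenge; the supplicant answers with an HMAC so the
    # password never crosses the air (toy method standing in for PEAP/EAP-TLS).
    nonce = rng(16)
    msg("server->authenticator", "RADIUS Access-Challenge [EAP-Request]")
    msg("authenticator->supplicant", "EAP-Request (challenge)")
    response = hmac.new(password, nonce, hashlib.sha256).digest()
    msg("supplicant->authenticator", "EAP-Response (credentials)")
    msg("authenticator->server", "RADIUS Access-Request [EAP-Response]")

    # "Calculating this guy's key...": the server verifies against its own copy
    # and derives the session key; the supplicant derives the same key from its
    # password, so the key itself is never transmitted (toy KDF).
    stored = user_db.get(identity)
    expected = hmac.new(stored, nonce, hashlib.sha256).digest() if stored else None
    if expected is not None and hmac.compare_digest(expected, response):
        session_key = hashlib.sha256(stored + nonce).digest()[:13]   # 104-bit WEP key
        msg("server->authenticator", "RADIUS Access-Accept [EAP-Success + key material]")
        msg("authenticator->supplicant", "EAP-Success")
        msg("authenticator->supplicant", "EAPOW-Key (WEP)")
        port_open = True                       # access allowed from here on
    else:
        msg("server->authenticator", "RADIUS Access-Reject [EAP-Failure]")
        msg("authenticator->supplicant", "EAP-Failure")

    return {"port_open": port_open, "session_key": session_key, "transcript": transcript}


def forward_data_frame(session: dict, frame: bytes) -> bool:
    """Authenticator rule for ordinary data frames: only an open controlled
    port forwards; everything else is dropped, whatever the frame contains."""
    return session["port_open"]


if __name__ == "__main__":
    for pwd in (b"correct-horse-battery", b"wrong-password"):
        result = run_8021x("alice@company.tld", pwd)
        for link, text in result["transcript"]:
            print(f"{link:28s} {text}")
        print("port open:", result["port_open"], "\n")
```

Two properties of the design show up in the transcript: the authenticator never inspects credentials (it only carries EAP inside RADIUS), and the session key exists only on the two ends that can compute it, which is what replaces the static WEP key the earlier slides criticise.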
Session Summary
• Windows XP has great wireless security features
• There's extensive prescriptive guidance available from our website
• Don't be scared of wireless!
Next Steps
• Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Check out Security360: http://www.microsoft.com/seminar/events/series/mikenash.mspx
• Get additional security tools and content: http://www.microsoft.com/security/guidance
Resources
• Microsoft Wi-Fi Page: http://www.microsoft.com/wifi
• The Unofficial 802.11 Security Web Page: http://www.drizzle.com/~aboba/IEEE/
• Intercepting Mobile Communications: The Insecurity of 802.11: http://www.drizzle.com/~aboba/IEEE/wep-draft.zip
• Fluhrer, Mantin, Shamir WEP Paper: http://www.crypto.com/papers/others/rc4_ksaproc.pdf
• WiFi Planet: http://www.wi-fiplanet.com/
• Microsoft Solution for Securing Wireless LANs with PEAP and Passwords (< 1 week): http://www.microsoft.com/technet/security/guidance/peap_0.mspx
• Microsoft Solution for Securing Wireless LANs with Certificates: http://www.microsoft.com/technet/security/prodtech/win2003/pkiwire/swlan.mspx
• Wifi for SOHO Environments: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx
Credits
• Thanks to Ian Hellen (MCS) & Steve Riley (Corp), as I "borrowed" several of their slides!