SECURING WIRELESS LANS WITH CERTIFICATE SERVICES
Microsoft Solution for Security (MSS) Group
Presented by PHILIP HUYNH, 2009

Purposes of the Report
- WLAN in the organization: benefits and threats.
- The design of a solution for securing the WLAN using 802.1X certificate-based authentication (EAP-TLS).
11/20/2018 PHILIP HUYNH

Wireless LAN Architecture
- Need a corporate WLAN picture!

The Benefits of WLAN
Core business benefits:
- Mobile connection to the corporate LAN
- Organizational flexibility
- Integration of new devices and applications into the corporate IT environment
Operational benefits:
- Lower cost of provisioning the network
- Easy scaling of the network to respond to different levels of demand
- Capital cost is no longer tied to building infrastructure

Main Security Threats for WLANs
- Eavesdropping (disclosure of data)
- Interception and modification of transmitted data
- Spoofing
- Denial of service (DoS)
- Free-loading (resource theft)
- Accidental threats
- Rogue WLANs

Elements of WLAN Protection
- Authenticating the person (or device) connecting to the network
- Authorizing the person or device to use the WLAN
- Protecting the data transmitted on the network

IEEE 802.1X Protocol
- 802.1X is an IEEE standard for authenticating access to a network and for managing the keys used to protect traffic.
- The 802.1X protocol involves:
  - the network user;
  - a network access (or gateway) device, such as a wireless AP;
  - an authentication and authorization service in the form of a Remote Authentication Dial-In User Service (RADIUS) server.
- 802.1X relies on the Extensible Authentication Protocol (EAP) to carry out the authentication exchange between the client and the RADIUS server.

EAP-TLS Authentication Method
- IETF standard (RFC 2716).
- Probably the most widely supported authentication method on both wireless clients and RADIUS servers in use today.
- Uses public key certificates to authenticate both the wireless client and the RADIUS server.
- Establishes an encrypted TLS session between client and server.

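The EAP-TLS framing that carries the TLS handshake inside 802.1X/EAP, as an added example that is not part of the original presentation: a pure-Python encoder, fragmenter and reassembler following the RFC 2716 packet layout (Code, Identifier, Length, Type 13, Flags L/M/S, optional TLS Message Length). The function and class names, the MTU handling and the sample message are this example's own construction, not code from the MSS solution.

```python
import struct
EAP_REQUEST, EAP_RESPONSE = 1, 2           # EAP Code values
EAP_TYPE_TLS = 13                          # EAP method type assigned to EAP-TLS
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included / More fragments / Start

def build_eap_tls(code, ident, flags, tls_data=b"", total_len=0):
    """Encode one EAP-TLS packet: Code, Id, Length, Type, Flags, [TLS Length], data."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", total_len)   # total TLS message length, first fragment only
    body += tls_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def fragment(code, first_ident, tls_msg, mtu):
    """Split a TLS message into EAP-TLS packets of at most mtu bytes: the first sets L
    and carries the total length, all but the last set M, Id advances per acked fragment."""
    pkts, offset, ident = [], 0, first_ident
    while offset < len(tls_msg) or not pkts:
        flags = FLAG_L if offset == 0 else 0
        chunk = tls_msg[offset:offset + mtu - 6 - (4 if flags else 0)]  # header is 6 (+4 with L)
        offset += len(chunk)
        if offset < len(tls_msg):
            flags |= FLAG_M
        pkts.append(build_eap_tls(code, ident, flags, chunk, len(tls_msg)))
        ident = (ident + 1) & 0xFF
    return pkts

class Reassembler:
    """In-order EAP-TLS receiver: TLS message on the last fragment, None while waiting."""
    def __init__(self):
        self.buf, self.expected = bytearray(), None
    def feed(self, pkt):
        _code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("bad EAP length or not an EAP-TLS packet")
        flags, data = pkt[5], pkt[6:]
        if flags & FLAG_S:
            return None                  # EAP-TLS Start: server invites the client's ClientHello
        if flags & FLAG_L:
            self.expected, data = struct.unpack("!I", data[:4])[0], data[4:]
        elif self.expected is None and flags & FLAG_M:
            raise ValueError("first fragment of a fragmented message must carry L")
        self.buf += data
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragments exceed the announced TLS message length")
        if flags & FLAG_M:
            return None                  # wait for more; the peer answers with an empty ack
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("final fragment but announced length not reached")
        msg, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return msg
```

The length checks in the reassembler are what keep a RADIUS server or supplicant from trusting an announced TLS Message Length that the fragments never deliver, or from buffering past it.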
The Benefits of 802.1X with WLAN Data Protection
- High security
- Stronger encryption
- Transparent user and computer authentication
- Low cost
- High performance

Target Organization's Network

802.1X EAP-TLS Strategy

Future Work
- Implement the solution:
  - Public key infrastructure using MS Server 2003 Certificate Services
  - RADIUS infrastructure using MS Internet Authentication Service
  - WLAN security: client and AP
- Testing and deriving the lessons learned

Related Work
- CS Master's thesis of NIRMALA BULUSU (2003): Implementation and Performance Analysis of The Protected Extensible Authentication Protocol, http://cs.uccs.edu/~chow/pub/master/nbulusu/doc/
- A different EAP method: what is PEAP?
  - 1st stage: a TLS session is established between client and server, allowing the client to authenticate the server using the server's digital certificate.
  - 2nd stage: a second EAP method, tunneled inside the PEAP session, authenticates the client to the RADIUS server.
- A different implementation:
  - PKI/certificate server using OpenSSL
  - RADIUS server using FreeRADIUS on Linux

References
- IEEE Std 802.1X-2001 (2001) IEEE Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control, The Institute of Electrical and Electronics Engineers, Inc.
- The Microsoft Solution for Security (MSS) group (2004) Securing Wireless LANs with Certificate Services, Release 1.6, Microsoft Corporation.
- Nirmala Bulusu (2003) Implementation and Performance Analysis of The Protected Extensible Authentication Protocol, Department of Computer Science, UCCS.

Questions?