Implementing Network Security – Wireless Security Segway! Steve Lamb Technical Security Advisor

So whats the problem? WEP is a euphemism –Wired –Equivalent –Privacy Actually, its a lie –It isnt equivalent to wired privacy at all! –How can you secure the air? Thus: WEPs v.poor

WLAN Security Challenges Unsecured WLAN Most wireless LANs are unsecured mailt o:bo com pany. tld WLAN Access Point Company Servers Mobile Employee Evil Hacker

WLAN Security Challenges Weak Security in Static WEP X7!g%k0j37**54bf(jv&8gF… X7!g %k0j 37**54 bf(jv &8gB) £F..

Other Challenges Access Points are dim! Key Management (!!!!) –Manual update = never changed! Access Control with MAC address filtering –= NO SECURITY! Neither is scalable Authentication Authorization Data Protection Audit

WLAN Security Challenges Weak Security in Static WEP Static WEP key easily obtained for encryption / authentication X7!g%k0j37**54bf(jv&8gB)£F.. X7!g%k0j37**54bf(jv&8gF… X7!g %k0j 37**54 bf(jv &8gB) £F..

WLAN Security Challenges Weak Security in Static WEP Man in the middle attacks are difficult to detect & prevent X7!g%k0j37** Rogue Network X7!g%k0j37**

Alternatives to WEP

VPNs Pros –Familiarity –Hardware Independent –Proven Security Cons –Lacks user transparency –Only user logon (not computer) –Roaming profiles, logon scripts, GPOs broken, shares, management agents, Remote desktop –No reconnect on resume from standby –Complex network structure

VPNs More Cons –No protection for WLAN –Bottleneck at VPN devices –Higher management & hardware cost –Prone to disconnection Yet more cons! (non- MS VPNs) –3 rd party licensing costs –Client compatibility –Many VPN auth schemes (IPsec Xauth) are as bad as WEP!

PEAP encapsulation Server authenticates to client Establishes protected tunnel (TLS) Client authenticates inside tunnel to server No cryptographic binding between PEAP tunnel and tunneled authN method Fix: constrain client (in GPO) to trust only a specific corporate root CA –Foils potential MitM attacks

EAP architecture TLSTLS GSS_API Kerberos GSS_API Kerberos PEAP IKE MD5 EAP PPP … Anything… method layer method layer EAPlayerEAPlayer medialayermedialayer MS-CHAPv2 TLS SecurID

802.1X over Supplicant Authenticator Authentication Server association EAPOL-start EAP-request/identity EAP-response/identityRADIUS-access-request EAP-requestRADIUS-access-challenge EAP-response (credentials) RADIUS-access-request EAP-successRADIUS-access-accept Access allowed EAPOW-key (WEP) Gotta get on! Calculating this guys key… Accessblocked Calculating my key… (Wow I just dont understand this new maths!)

Session Summary Windows XP has great wireless security features Theres extensive prescriptive guidance available from our website Dont be scared of wireless!

Next Steps Find additional security training events: Sign up for security communications: default.mspx Check out Security360 Get additional security tools and content:

Resources Microsoft Wi-Fi Page: The Unofficial Security Web Page Intercepting Mobile Communications: The Insecurity of Fluhrer, Mantin, Shamir WEP Paper: WiFi Planet: Microsoft Solution for Securing Wireless LANs with PEAP and Passwords (< 1 week) Microsoft Solution for Securing Wireless LANs with Certificates Wifi for SOHO Environments

Credits Thanks to Ian Hellen(MCS) & Steve Riley(Corp) as I borrowed several of their slides!

Questions and Answers