Security for Next Generation Wireless LANs. SE Meeting, November 16th 2000. © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distribute.


1 Security for Next Generation Wireless LANs. WNBU Technical Marketing. SE Meeting, November 16th 2000. © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distribute.

2 350 Security Update 1/2001. Cisco Company Confidential - Do not distribute. Agenda: Recap – WEP/SSIDs/authentication; Deployment issues with today; 802.1X for; Deployment of new security feature-set; Standards update/Pointers; Questions?

3 Agenda: Recap – WEP/SSIDs/authentication. SSIDs in; Association; Open Authentication; Shared-key Authentication; WEP/RC4 in; WEP encrypted frames.

4 Past Security Methods. SSID (Service Set Identifier): a commonly used feature in wireless LANs which provides a rudimentary level of security. It serves to logically segment the users and access points that form part of a wireless subsystem. It may be advertised, or manually pre-configured at the station.

5 RECAP - SSIDs in

6 SSID problem. The SSID is a 32 ASCII character string. Under , any client with a 'NULL' string will associate to any AP regardless of the SSID setting on the AP. This is NOT a security feature!

7 RECAP - Association With. Client (user machine) to Access Point: probe request on 11 channels; may include a (broadcast) SSID. Access Point to client: probe response, including information not in the spec such as the number of clients and % load. AP selection is based on strength and quality of signal. (Diagram: wired Ethernet LAN, access point.)

8 RECAP - Open Authentication With. Client to AP: authentication request (Open Authentication). AP to client: authentication response. Open or Shared needs to be set up identically on both the Access Point and the Client.

9 RECAP - WEP/RC4 in

RECAP – WEP Encrypted Frames

RECAP - Shared-key Authentication With. Client to AP: authentication request (Shared-Key Authentication). AP to client: challenge text packet. Client to AP: authentication response (encrypted challenge text packet). Open or Shared needs to be set up identically on both the Access Point and the Client.

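The open and shared-key recap above can be worked through in code. The following Python model is an added example, not material from the deck: it implements RC4 and the WEP frame body (IV, key-id byte, RC4-encrypted data followed by the CRC-32 ICV), and then runs the four-frame shared-key authentication exchange between a station and an access point. The key, IV and challenge values are constructed test values, and the `AccessPoint`, `wep_encrypt` and related names are the example's own.

```python
"""WEP frame encryption and 802.11 shared-key authentication, modelled in Python.
Added example, not the deck's code; keys, IVs and challenges are made-up test values."""
import os
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA, yielding `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV(3) | key-id byte | RC4(IV || key) applied to (plaintext || ICV).
    The ICV is the CRC-32 of the plaintext, little-endian, encrypted together with the data."""
    assert len(iv) == 3 and 0 <= key_id <= 3
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor(plaintext + icv, keystream)


def wep_decrypt(key: bytes, frame_body: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the ICV check fails (wrong key or altered frame)."""
    iv, body = frame_body[:3], frame_body[4:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


class AccessPoint:
    """AP side of the shared-key exchange (frames 2 and 4 of the four-frame sequence)."""

    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key
        self.pending = {}  # station -> outstanding challenge text

    def auth_frame_2(self, station: str) -> bytes:
        """Frame 2: 128-byte challenge text, sent in the clear."""
        challenge = os.urandom(128)
        self.pending[station] = challenge
        return challenge

    def auth_frame_4(self, station: str, encrypted_challenge: bytes) -> bool:
        """Frame 4: decrypt the station's reply and compare it with the challenge.
        Success only shows the station holds the same static WEP key as the AP."""
        expected = self.pending.pop(station, None)
        return expected is not None and wep_decrypt(self.wep_key, encrypted_challenge) == expected


def station_auth_frame_3(wep_key: bytes, challenge: bytes) -> bytes:
    """Frame 3: the station WEP-encrypts the challenge with its own copy of the key."""
    return wep_encrypt(wep_key, os.urandom(3), challenge)


def run_shared_key_auth(ap_key: bytes, station_key: bytes) -> bool:
    """Frame 1 (the authentication request) carries no payload and is not modelled."""
    ap = AccessPoint(ap_key)
    challenge = ap.auth_frame_2("sta-1")
    reply = station_auth_frame_3(station_key, challenge)
    return ap.auth_frame_4("sta-1", reply)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    print(run_shared_key_auth(key, key))            # keys match
    print(run_shared_key_auth(key, b"\x00" * 5))    # station has a different key
```

Note what the exchange proves: the station holds the same static key as the AP, and nothing more. No user is identified, which is the gap the 802.1X slides later in the deck address.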
Agenda: Recap – WEP/SSIDs/authentication; Deployment issues with today; 802.1X for; Deployment of new security feature-set; Standards Update/Pointers; Questions?

Deployment issues with today. Lack of integrated user administration: integration with existing user administration tools required (RADIUS, LDAP-based directories); identification via user name is easier to administer than MAC address identification; usage accounting and auditing desirable. Lack of a key management solution: static keys are difficult to manage on clients and access points; proprietary key management solutions require separate user databases.

Security Issues. A user loses a wireless NIC and doesn't report it: without user authentication, the Intranet is now accessible by attackers. Without centralized accounting and auditing there is no means to detect unusual activity: users who don't log on for periods of time; users who transfer too much data or stay on too long; multiple simultaneous logins; logins from the "wrong" machine account. With global keys, large scale re-keying is required.

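The accounting and auditing gap on this slide is concrete enough to show as a check. The Python audit below is an added example, not part of the presentation: it runs over constructed RADIUS accounting records (the tuple fields mirror the Acct-Status-Type, Acct-Session-Id, Acct-Session-Time and octet-counter attributes of RFC 2139, with made-up values) and a constructed NIC inventory, and flags each anomaly the slide lists: accounts with no recent login, overlong or oversized sessions, concurrent logins, and logins from a NIC not issued to that user. The thresholds and the `ISSUED_NICS` table are assumptions of the example.

```python
"""Auditing RADIUS accounting records for the anomalies the slide names.
Added example, not from the deck; all records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed accounting events:
# (timestamp, User-Name, Calling-Station-Id, Acct-Status-Type, Acct-Session-Id,
#  Acct-Session-Time in seconds, Acct-Input-Octets + Acct-Output-Octets)
RECORDS = [
    ("2001-01-15T08:00:00", "alice", "00-40-96-11-11-11", "Start", "s1", 0, 0),
    ("2001-01-15T17:05:00", "alice", "00-40-96-11-11-11", "Stop",  "s1", 32700, 180_000_000),
    ("2001-01-15T09:00:00", "bob",   "00-40-96-22-22-22", "Start", "s2", 0, 0),
    ("2001-01-15T09:10:00", "bob",   "00-40-96-33-33-33", "Start", "s3", 0, 0),  # second concurrent login
    ("2001-01-15T23:40:00", "bob",   "00-40-96-22-22-22", "Stop",  "s2", 52800, 3_100_000_000),
    ("2001-01-15T10:00:00", "carol", "00-40-96-99-99-99", "Start", "s4", 0, 0),  # NIC never issued to carol
    ("2000-11-20T10:00:00", "dave",  "00-40-96-44-44-44", "Stop",  "s0", 600, 10_000),
]

# Constructed asset inventory: which wireless NIC (MAC) was issued to each user.
ISSUED_NICS = {
    "alice": {"00-40-96-11-11-11"},
    "bob": {"00-40-96-22-22-22", "00-40-96-33-33-33"},
    "carol": {"00-40-96-55-55-55"},
    "dave": {"00-40-96-44-44-44"},
}

MAX_SESSION_SECONDS = 12 * 3600        # arbitrary policy values for the demo
MAX_SESSION_OCTETS = 2_000_000_000
STALE_AFTER = timedelta(days=30)


def audit(records, issued, now_iso):
    """Return a sorted list of (user, finding) pairs."""
    now = datetime.fromisoformat(now_iso)
    findings = set()
    active = defaultdict(dict)   # user -> {Acct-Session-Id: Calling-Station-Id}
    last_seen = {}
    for ts, user, mac, status, sid, secs, octets in sorted(records):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        last_seen[user] = max(last_seen.get(user, t), t)
        if mac not in issued.get(user, set()):                        # login from the "wrong" machine
            findings.add((user, f"login from unissued NIC {mac}"))
        if status == "Start":
            if active[user]:                                          # a session is already open
                findings.add((user, "multiple simultaneous logins"))
            active[user][sid] = mac
        elif status == "Stop":
            active[user].pop(sid, None)
            if secs > MAX_SESSION_SECONDS:                            # stayed on too long
                findings.add((user, f"session {sid} open {secs // 3600} h"))
            if octets > MAX_SESSION_OCTETS:                           # transferred too much data
                findings.add((user, f"session {sid} moved {octets / 1e9:.1f} GB"))
    for user in issued:                                               # accounts nobody has used lately
        if user not in last_seen or now - last_seen[user] > STALE_AFTER:
            findings.add((user, "no login within the stale window"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(RECORDS, ISSUED_NICS, "2001-01-16T00:00:00"):
        print(f"{user}: {finding}")
```

The point of the NIC inventory is the lost-card case on the slide: once a user name is tied to each login, a card that shows up under someone else's name, or a card that stops showing up at all, becomes visible in the accounting stream rather than only in a MAC list.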
Comparison: first-generation security issues. Columns: First-generation; Vulnerability w/ per-packet IV; Addition of keyed integrity check; 3DES instead of WEP/RC; w/MIC; Kerb + DES. Rows (cell values in source order): Impersonation: Vulnerable, Fixed. NIC theft: Vulnerable, Fixed. Brute force attack (40/56 bit key): Vulnerable, Fixed, Vulnerable. Packet spoofing: Vulnerable, Fixed, Vulnerable, Fixed. Rogue access points: Vulnerable, Fixed. Disassociation spoofing: Vulnerable, Fixed, Vulnerable, Fixed. Passive monitoring: Vulnerable. Global keying issues: Vulnerable, Fixed. Pre-computed dictionary attack: Implementation, Vulnerable. Offline dictionary attack: Vulnerable.

Agenda: Recap – WEP/SSIDs/authentication; Deployment issues with today; 802.1X for; Deployment of new security feature-set; Standards Update/Pointers; Questions?

What Is 802.1X? An IEEE standard in progress: Port Based Network Access Control.

General Description. IEEE 802.1X terminology: Authenticator (e.g. switch, access point); Supplicant; Authentication Server (RADIUS); PAE (port access entity) with a controlled port and an uncontrolled port; EAP over LAN (EAPOL); EAP over Wireless (EAPOW); EAP over RADIUS. (Diagram: supplicant on a semi-public network / enterprise edge, authenticator, enterprise network, authentication server.)

IEEE 802.1X Conversation (Ethernet). Laptop computer, 802.1X authenticator/bridge, RADIUS server. Port connect; access blocked. EAPOL: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity. RADIUS: Radius-Access-Request; Radius-Access-Challenge. EAP-Request; EAP-Response (cred); Radius-Access-Request; Radius-Access-Accept; EAP-Success; access allowed.

IEEE 802.1X Over Ethernet (wireless). Laptop computer, access point, RADIUS server. Wireless associate / association; access blocked. EAPOW: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity. RADIUS: Radius-Access-Request; Radius-Access-Challenge. EAP-Request; EAP-Response (cred); Radius-Access-Request; Radius-Access-Accept; EAP-Success; EAPOW-Key (WEP); access allowed.

802.1X Packet Exchange: Start, Authenticate, Finish.

802.1X Packet Exchange, Start - 1: EAPOL-Start. Defined in the IEEE 802.1X draft. Purpose: start the authentication process; the EAP supplicant is ready for the authenticator. (Diagram: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request.)

802.1X Packet Exchange, Start - 2: EAP-Request/Identity. EAP-Packet defined in the 802.1X draft; EAP-Request/Identity defined in RFC2284. Purpose: start the authentication process; the authenticator asks for the supplicant's identity. (Diagram: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request.)

802.1X Packet Exchange, Start - 3: EAP-Response/Identity. EAP-Packet defined in the 802.1X draft; EAP-Response/Identity defined in RFC2284. Purpose: the supplicant delivers its identity; the AP uses this to send the Radius-Access-Request. (Diagram: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request.)

802.1X Packet Exchange, Authenticate. The authenticate sequence varies per authentication method. (Diagram: EAP-Request, EAP-Response, Radius-Access-Request, Radius-Access-Challenge, Radius-Access-Request.)

802.1X Packet Exchange, Authenticate. Draft-ietf-radius-ext-07 describes encapsulating EAP in the RADIUS protocol. Transport Level Security (TLS) is described in RFC2246; EAP-TLS is described in RFC2716. (Diagram: EAP-Request, EAP-Response, Radius-Access-Request, Radius-Access-Challenge, Radius-Access-Request.)

802.1X Packet Exchange, Finish - 1: Radius-Access-Accept. Contains the MS-MPPE-Send-Key attribute per RFC2548. This WEP session key has already been delivered/derived by the supplicant in the authentication phase; it is delivered here to the AP. (Diagram: EAP-Success, Radius-Access-Accept, EAPOW-Key.)

802.1X Packet Exchange, Finish - 2: EAP-Success. Defined in the IEEE 802.1X draft. The supplicant could turn WEP on (timing). (Diagram: EAP-Success, Radius-Access-Accept, EAPOW-Key.)

802.1X Packet Exchange, Finish - 3: EAPOW-Key. Defined in IEEE 802.1X draft 5. Delivers the broadcast WEP key to the supplicant. EAPOW-Key is sent without WEP since the timing is not certain; the WEP broadcast keys are encrypted with the session key in software. Supplicant and authenticator then start using the WEP session key. (Diagram: EAP-Success, Radius-Access-Accept, EAPOW-Key.)

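The Start, Authenticate and Finish slides above describe one conversation, and the Python below walks through it end to end as an added example (not code from the deck or from Cisco). It encodes EAPOL frames per 802.1X and EAP packets per RFC 2284, uses the RFC 2284 MD5-Challenge method as the authenticate step because the deck cites that RFC (a later slide's caveat that EAP-MD5 gives no mutual authentication still applies), and models an access point whose controlled port opens only after Radius-Access-Accept. The EAPOW-Key delivery that follows EAP-Success is not modelled. The `RadiusServer`, `Authenticator` and `Supplicant` classes, the `USERS` table and the password are assumptions of the example.

```python
"""802.1X Start / Authenticate / Finish exchange, modelled in Python.
Added example, not from the deck. EAPOL framing follows IEEE 802.1X; EAP packets and
the MD5-Challenge method follow RFC 2284. RADIUS is represented by a method call."""
import hashlib
import os
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
USERS = {"alice": b"wireless-pw"}  # constructed backend user database


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """EAPOL frame: protocol version 1, packet type, body length, body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, length; Request/Response add a type byte and type-data."""
    body = b"" if code in (EAP_SUCCESS, EAP_FAILURE) else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt: bytes):
    """Returns (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE) or not body:
        return code, ident, None, b""
    return code, ident, body[0], body[1:]


class RadiusServer:
    """Backend: owns the user database and runs the EAP method (EAP carried over RADIUS)."""

    def __init__(self, users: dict):
        self.users, self.state = users, {}  # state: user -> (expected identifier, challenge)

    def access_request(self, user: str, eap_msg: bytes):
        code, ident, etype, data = parse_eap(eap_msg)
        if etype == EAP_TYPE_IDENTITY:  # answer the identity with an MD5-Challenge request
            challenge = os.urandom(16)
            self.state[user] = (ident + 1, challenge)
            return "Radius-Access-Challenge", eap(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, bytes([16]) + challenge)
        if etype == EAP_TYPE_MD5 and user in self.state:
            exp_ident, challenge = self.state.pop(user)
            expected = hashlib.md5(bytes([exp_ident]) + self.users.get(user, b"") + challenge).digest()
            if ident == exp_ident and data[1:1 + data[0]] == expected:
                return "Radius-Access-Accept", eap(EAP_SUCCESS, ident)
        return "Radius-Access-Reject", eap(EAP_FAILURE, ident)


class Supplicant:
    """Client NIC/driver: answers EAP requests that arrive inside EAPOL frames."""

    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def start(self) -> bytes:
        return eapol(EAPOL_START)

    def handle(self, frame: bytes) -> bytes:
        code, ident, etype, data = parse_eap(frame[4:])
        if etype == EAP_TYPE_IDENTITY:
            return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode()))
        if etype == EAP_TYPE_MD5:  # RFC 2284: MD5(identifier || secret || challenge)
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest))
        raise ValueError("unsupported EAP request type")


class Authenticator:
    """Access point: relays EAP between EAPOL on the air side and RADIUS on the wired side.
    Only the uncontrolled port passes frames until the backend returns Access-Accept."""

    def __init__(self, server: RadiusServer):
        self.server, self.controlled_port_open, self.log = server, False, []

    def run(self, supplicant: Supplicant) -> bool:
        assert supplicant.start()[1] == EAPOL_START
        self.log.append("EAPOL-Start")
        frame = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        self.log.append("EAP-Request/Identity")
        user = None
        while True:
            resp = supplicant.handle(frame)
            _, _, etype, data = parse_eap(resp[4:])
            if etype == EAP_TYPE_IDENTITY:
                user = data.decode()
                self.log.append("EAP-Response/Identity")
            else:
                self.log.append("EAP-Response (cred)")
            self.log.append("Radius-Access-Request")  # EAP-Message plus User-Name to the backend
            verdict, eap_msg = self.server.access_request(user, resp[4:])
            self.log.append(verdict)
            if verdict == "Radius-Access-Challenge":
                self.log.append("EAP-Request")
                frame = eapol(EAPOL_EAP_PACKET, eap_msg)
                continue
            self.controlled_port_open = verdict == "Radius-Access-Accept"
            self.log.append("EAP-Success" if self.controlled_port_open else "EAP-Failure")
            return self.controlled_port_open


def demo(identity: str, password: bytes):
    """Run one full exchange; returns (controlled port open?, message trace)."""
    ap = Authenticator(RadiusServer(USERS))
    return ap.run(Supplicant(identity, password)), ap.log


if __name__ == "__main__":
    for msg in demo("alice", b"wireless-pw")[1]:
        print(msg)
```

The trace `demo` returns is the same sequence the conversation slide draws: the access point never sees the password, it only carries EAP packets between the two parties and flips its controlled port on the backend's verdict.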
Advantages of 802.1X for. Open, extensible and standards based. Enables interoperable user identification, centralized authentication and key management. Leverages existing standards: EAP (Extensible Authentication Protocol), RADIUS. Compatible with existing roaming technologies, enabling use in hotels and public places. User-based identification. Dynamic key management. Centralized user administration. Support for RADIUS (RFC 2138, 2139) enables centralized authentication, authorization and accounting. RADIUS/EAP (draft-ietf-radius-ext-07.txt) enables encapsulation of EAP packets within RADIUS.

Advantages of 802.1X for, continued. Extensible authentication support: EAP is designed to allow additional authentication methods to be deployed with no changes to the access point or client NIC. RFC 2284 includes support for password authentication (EAP-MD5) and One-Time Passwords (OTP). Windows 2000 supports smartcard authentication (RFC 2716) and Security Dynamics.

Agenda: Recap – WEP/SSIDs/authentication; Deployment issues with today; 802.1X for; Deployment case study with new security features; Standards Update; Questions?

Cisco Security Framework (layered diagram, drawn for both the client and the access point side). Media layer: NDIS APIs, PPP, 802.1X, VPN (IKE). EAP layer with EAP APIs. Method layer: TLS, LEAP, GSS_API. Backend AAA infrastructure: CS-ACS, third party, EAP-Radius, Kerberos...

Why LEAP? Cisco Lightweight EAP (LEAP) authentication type. No native EAP support is currently available on legacy operating systems. EAP-MD5 does not do mutual authentication. EAP-TLS (certificates/PKI) is too intense for the security baseline feature-set. Quick support on a multitude of host systems; the lightweight implementation reduces support requirements on host systems. Needs support in the backend for delivery of the session key to access points, so they can speak WEP with the client.

Cisco LEAP deployment. Client/Supplicant: laptop computer with LEAP supplicant; network logon on Win 95/98, Win NT, Win 2K, Win CE, MacOS, Linux; driver for OS x with LEAP authentication support and dynamic WEP key support. Authenticator: Access Point capable of speaking EAP Radius; EAP authenticator with EAP-LEAP today, EAP-TLS soon. Backend/Radius server: Cisco Secure ACS 2.6 with EAP extensions for Radius; authentication database can use the Windows user database; Radius DLL with LEAP authentication support and MS-MPPE-Send-key support. (Diagram: wireless, Ethernet, backbone.)

LEAP Client / Supplicant Support

EAP Support in Access Point

LEAP Support in Radius Server - 1: Configuring the user database

LEAP Support in Radius Server - 2: Configuring the NAS/AP

What Does the Radius Server Perform? (cont.) Authentication. Generates the dynamic session key. Sends the session key to the access point.

What Does the AP Perform? (cont.) On successful authentication: send the broadcast WEP key to the client; maintain the client's WEP key; start running WEP with the client; distribute pre-auth.

Future EAP Client Work? Microsoft is placing a native EAP supplicant in Win2K and WinCE. What about other Microsoft OSs? Win9x/WinNT (need LEAP). What about other OSs? Linux, MacOS (need LEAP).

Future Backend Work? Support for Kerberos. Promote EAP authentication types on backend servers. Integrate with SSGs, etc.

What About Edge Devices: Support for 802.1X Authenticator? ELoB switches: Catalyst 6k/5k/4k... DSBU switches: Catalyst 29xx/35xx...

Agenda: Recap – WEP/SSIDs/authentication; Deployment issues with today; 802.1X for; Deployment of new security feature-set; Standards Update/Pointers; Questions?

Standards Update. 802.1X current status: Draft 8, scheduled for letter ballot in January. Security: TG e (Task Group E) is working on security and QoS extensions to the MAC layer; TG-e security sub-group chair: Dave Halasz (Cisco-Aironet Engineering). The joint multi-vendor 802.1X for proposal was accepted as the baseline security document.

Pointers. Whitepaper: Security for Next Generation Wireless LANs v1.1. IEEE 802.1X. RADIUS. EAP.

Agenda: Recap 1st-generation security for WLANs; Deployment issues with today; 802.1X for; Standards Update; Questions?

49 © 2000, Cisco Systems, Inc.