Wireless Authentication via EAP-FAST Party of Five Brandon Hoffman Kelly Koenig Azam Masood Phil Nwafor MSIT 458: Security (Professor Chen)

Presentation transcript:


Agenda The Need Alternatives Considered Our Solution (Technical Detail) Real World Example Q & A

The Need

What's the Big Deal?
With the increase in usage of wireless-based technologies, security has become a substantial focus of IT departments globally.
Many considerations need to be made to ensure the system is:
- Effective
- Efficient
- Easy for end users and administrators

Tenets of Effective Security*
- Secure network platform with integrated security that is scalable to advanced security technologies and services
- Threat control services focused on antivirus protection and policy enforcement
- Secure communication services that maintain privacy and confidentiality of sensitive data
* Cisco Systems

Security: Business Benefits
- Rapidly identify and respond to evolving threats
- Enforce business policies
- Protect critical assets
- Decrease complexity
- Ease the administrative burden of IT
- Lower total cost of ownership

Our Scope
The current wireless security implementation is effective but manually intensive:
- Wireless users need to have an account created manually
- The accounts expire and need manual attention
- The credentials for wireless require a PAC (certificate) to access the system that must be manually installed
- The wireless users authenticate to an island as opposed to the enterprise Identity Vault

*Culled from Secure Wireless: Integrity of Information on the Move (Cisco Paper)

Alternatives Considered

Wireless Authentication
WPA & WPA2:
- Designed as a stop gap between WEP and 802.1x (EAP) development
- The most common mode of WPA2 is pre-shared key
- Enterprises need a more distributed model

Wireless Authentication
EAP (Extensible Authentication Protocol) methods were created because a pre-shared key model does not make sense with hundreds or thousands of wireless clients.
Wireless Admin using PSK

Variety in EAP
There are many variations of EAP types. Some are no longer widely used due to imperfections.
- LEAP: Modified version of MS-CHAP. No credential protection. No native Windows support.
- PEAP: Joint venture between Cisco and Microsoft. Similar to EAP-TTLS in using PKI server-side certs. Users will only know PEAPv0. PEAPv1 includes different inner authentication mechanisms.

Variety in EAP (cont'd)
- EAP-(T)TLS: Uses PKI to communicate securely with the RADIUS or authentication server. EAP-TLS requires a client cert; TTLS only requires a server cert. Convenience vs. security.
- EAP-IKEv2: Mutual authentication and session key establishment. Supports passwords, asymmetric, or symmetric keys. Can utilize different methods in each direction. EXPERIMENTAL.
- EAP-FAST: Provides multiple secured tunnels. Flexible inner methods for authentication. Uses TLS without the inconvenience of manual client-side certs.

EAP Type Comparison
The many varieties of EAP that have evolved can be quickly evaluated for specific, enterprise-desirable benefits by viewing the charts below.

Our Solution

Digging into EAP-FAST
EAP-FAST is a Cisco proprietary 802.1x authentication scheme. It contains a feature called "automatic PAC" that allows the system to manage and maintain the user certificates. The mechanism boasts the following features:
- Utilizes a series of secure tunnels for credential transport
- Leverages existing user credentials and authentication back-end (RADIUS AAA, and LDAP/IdM3)
- Encrypts wireless data with leading-edge encryption methods such as WPA2 AES-CCMP
EAP-FAST is a three-phase authentication mechanism.

EAP-FAST Phase Zero
Phase zero is essential to the automatic PAC creation process.
- EAP-FAST requires the use of Cisco's ACS server
- Phase zero has several custom RADIUS elements and wireless client components
- Phase zero consists of the ACS server opening an SSL tunnel with the client
- It then checks the credentials sent via GTC (for generic LDAP) against the enterprise identity system
- If valid, it creates a PAC and sends it to the client

EAP-FAST Phase One
Phase one is where the ACS server and the client set up the TLS tunnel.
- The client sends a Hello message to the server
- The server responds with a variety of information
- The client checks the info and sends its encrypted PAC file to the server for mutual authentication
- Once completed, the master secret is generated and the TLS tunnel is opened
At this point, Phase Two may commence.

EAP-FAST Phase Two
Phase two is very simple.
- The TLS tunnel is already established; the client simply sends its unencrypted credentials to the ACS server inside it
- The ACS server forwards the information to the LDAP server and, upon a positive response, grants network access
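The three phases above are easier to reason about as a ticket lifecycle: phase zero mints a PAC (a PAC-Key the client keeps plus a PAC-Opaque only the server can open), phase one uses that ticket to build a mutually authenticated tunnel, and phase two carries the directory credential check inside the tunnel. The following model is an added illustration written for this page; it is not code from the slides, from Cisco ACS or from any wireless client. The class and function names, the in-memory `directory` standing in for LDAP, and the HMAC-SHA256 constructions standing in for the real TLS cipher suite and session-ticket format are all assumptions of this example. It also shows the checks a defender cares about: a tampered or expired PAC-Opaque is refused before any tunnel is built, a captured PAC-Opaque is useless without the PAC-Key, and a bad password fails only at the inner (phase two) step.

```python
"""Simplified model of the EAP-FAST PAC lifecycle (phases 0-2). Added example;
HMAC-SHA256 stands in for the TLS machinery the real protocol uses."""
import hashlib
import hmac
import json
import secrets


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 keystream in counter mode (stand-in for a real cipher)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _ctr_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob is forged, truncated or tampered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _ctr_xor(key, nonce, ct)


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Key derivation / transcript MAC (stand-in for the TLS PRF)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class AcsServer:
    """Stand-in for the ACS/RADIUS server; `directory` replaces the LDAP lookup (assumed)."""

    def __init__(self, directory: dict, pac_lifetime: int = 3600):
        self.directory = directory
        self.seal_key = secrets.token_bytes(32)  # server-only key: never leaves the server
        self.pac_lifetime = pac_lifetime

    def phase0_provision(self, identity: str, password: str, now: float):
        """Phase 0: check the GTC credential against the directory, then mint a PAC."""
        if self.directory.get(identity) != password:
            return None
        pac_key = secrets.token_bytes(32)
        body = json.dumps({"id": identity, "key": pac_key.hex(), "exp": now + self.pac_lifetime})
        return {"identity": identity, "pac_key": pac_key,
                "pac_opaque": seal(self.seal_key, body.encode())}


def authenticate(server: AcsServer, pac: dict, password: str, now: float) -> str:
    """Phases 1 and 2 between a client holding `pac` and `server`; returns the outcome."""
    # Phase 1: the ClientHello carries the PAC-Opaque in the clear, so only the server can open it.
    client_random = secrets.token_bytes(32)
    body = unseal(server.seal_key, pac["pac_opaque"])
    if body is None:
        return "pac_rejected"                 # forged or tampered PAC-Opaque
    record = json.loads(body)
    if now > record["exp"]:
        return "pac_rejected"                 # expired PAC: the client must re-run phase 0
    server_random = secrets.token_bytes(32)
    server_ms = prf(bytes.fromhex(record["key"]), b"master secret", client_random, server_random)
    server_finished = prf(server_ms, b"server finished", client_random, server_random)

    # The client derives the master secret from its own PAC-Key; each side proves it to the other.
    client_ms = prf(pac["pac_key"], b"master secret", client_random, server_random)
    if not hmac.compare_digest(prf(client_ms, b"server finished", client_random, server_random),
                               server_finished):
        return "tunnel_auth_failed"           # server could not prove it opened our PAC
    client_finished = prf(client_ms, b"client finished", client_random, server_random)
    if not hmac.compare_digest(prf(server_ms, b"client finished", client_random, server_random),
                               client_finished):
        return "tunnel_auth_failed"           # client does not hold the matching PAC-Key

    # Phase 2: the inner credential travels only inside the tunnel keyed from the master secret.
    inner = seal(prf(client_ms, b"tunnel key"),
                 json.dumps({"id": pac["identity"], "pw": password}).encode())
    creds = json.loads(unseal(prf(server_ms, b"tunnel key"), inner))
    if creds["id"] != record["id"] or server.directory.get(creds["id"]) != creds["pw"]:
        return "inner_auth_failed"            # directory said no, or identity does not match the PAC
    return "access_granted"


def demo() -> dict:
    """Run the lifecycle against a constructed directory; the clock is fixed for repeatability."""
    now = 1_700_000_000.0
    server = AcsServer({"alice": "correct horse", "bob": "battery staple"})  # constructed users
    pac = server.phase0_provision("alice", "correct horse", now)
    tampered = dict(pac, pac_opaque=bytes([pac["pac_opaque"][0] ^ 1]) + pac["pac_opaque"][1:])
    opaque_only = dict(pac, pac_key=secrets.token_bytes(32))  # PAC-Opaque seen, PAC-Key unknown
    return {
        "bad_phase0": server.phase0_provision("alice", "wrong", now),
        "good": authenticate(server, pac, "correct horse", now),
        "tampered_pac": authenticate(server, tampered, "correct horse", now),
        "expired_pac": authenticate(server, pac, "correct horse", now + 7200),
        "opaque_without_key": authenticate(server, opaque_only, "correct horse", now),
        "bad_inner_password": authenticate(server, pac, "wrong", now),
    }
```

Two design points carry over to a real deployment: the server keeps no per-client state because everything it needs is sealed inside the PAC-Opaque, which is why PAC expiry must be enforced at unseal time, and the identity bound into the PAC is compared with the identity presented in phase two so that a valid ticket cannot be reused to authenticate as a different directory user.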

Real World: Case Studies

Large Telecommunications Company: Challenges
- Provide a unique access point for guests and employees
- Provide employees with a similar end-user experience to the one they have now (transparency)
- Reduce maintenance-related costs incurred by the IT department

Large Telecommunications Company: Solution
EAP-FAST as opposed to a LEAP solution:
- Less susceptible to dictionary attack since there is less reliance on the user's password strength
- Employs the additional security that EAP-FAST provides through tunneling
- Like LEAP, eschews the need for digital certificates

Large Telecommunications Company: Results
- More secure and cost-effective client access
- Tunneling affords less reliance on user passwords by authenticating only after the tunnel is established
- Most of this remains transparent to the user
- Repeatable, predictable and consistent client experience

Healthcare Case Study: Challenges
- Lifespan Healthcare emerged as a result of the merger of two of the largest acute care facilities in Rhode Island
- Wireless technology was a critical strategic and tactical element to support care delivery
- Authentication of mobile clients from two large institutions was a challenge
- Mobile diagnostic devices had to be tethered to Ethernet, which was usually logistically inconvenient

Healthcare Case Study: Solution (same as previous)
EAP-FAST was visited as an authentication alternative due to some of its inherent benefits:
- Less susceptible to dictionary attack since there is less reliance on the user's password strength
- Employs the additional security that EAP-FAST provides through tunneling
- Like LEAP, eschews the need for digital certificates

Healthcare Case Study: Results
- The goal was achieved through simplified authentication via EAP-FAST, enabling secure mobility to clinical systems
- Facilitated point-of-care functions for physicians and other clinicians anytime, anywhere
- More secure and cost-effective client access

Q & A
Questions?

Our References
- Secure Wireless: Integrity of Information on the Move (Cisco), s394/ns348/ns386/net_presentation0900aecd805febbb.pdf
- The Business Case for Enterprise-Class Wireless LANS, FsX1RvYz94bWxpZD0xNTg3MjAxMjU5L2NoMTA=