CAPWAP Threat Analysis
66th IETF, Montreal, 10 July 2006
Scott Kelly, Charles Clancy


A little review…
- In previous CAPWAP episodes we saw that…
  - There are many interdependent security protocols running between the station and the network
  - CAPWAP potentially creates exposure by breaking the original fat AP model into two pieces and connecting them with a channel which may traverse hostile hops
  - Want to do all we reasonably can to ensure that this architectural change does not degrade existing WLAN security (don’t introduce a weak link)

Fast-forwarding to the present…
- CAPWAP is still gestating
  - Yet current protocol draft is already over 150 pages…
- The protocol will grow/change as we gain deployment experience
- Some changes will likely impact security
  - How will we know when this occurs?
  - Those designing new features should take security considerations/assumptions into account
- Security assumptions/requirements should be made explicit
- Recommendation:
  - Working group should undertake and document a comprehensive CAPWAP threat analysis (Informational)
  - Clancy and Kelly are currently working on a draft
  - We’d like to see this accepted as a work item

Why a new document?
- The current document is defining a base protocol
  - There will be extensions, probably other documents
  - Threat analysis, security requirements span these
- Should not have to rev base protocol document each time new extension highlights new threats
- CAPWAP threat analysis is complex
  - There are numerous deployment models
  - Each has unique threat scenarios
  - Likely to be many (50+ ?) pages
- Following is a brief document outline (to give a general feel for the level of detail in 00 draft)

Document Outline
- Introduction
  - A little background on original fat AP model
  - CAPWAP splits this AP function in two
    - WTP implements WLAN edge functions with respect to user
    - AC implements edge functions with respect to LAN, AAA
    - Variable splits of MAC functions between WTP/AC
  - Splitting in itself introduces nothing new in terms of security if the same assumptions hold as for fat AP model
    - But in most cases they don’t
  - Ideally, CAPWAP should introduce no new vulnerabilities which are not intrinsic to WLANs (i.e. present in fat AP scenarios)
  - Practically, this is not achievable, but we must strive to minimize new exposures introduced by the act of splitting the AP function

Document Outline (2)
- Example Deployment Scenarios
  - Localized modular deployment
    - Single building or physically contained area
    - Some physical security for LAN
    - WLAN is extension of LAN
      - Sometimes it’s an overlay (separate wiring)
      - Sometimes WTPs are commingled with the existing LAN elements
  - Internet Hotspot or temporary network
    - Local-MAC model
      - AC in the cloud
      - Primary CAPWAP function is WTP control and transport for AAA subscriber management
    - Split-MAC
      - airport, hotel, conference
      - wired LAN between AC/WTP may be within single domain of control
      - data traffic may be tunneled

Document Outline (3)
- Example Deployment Scenarios (continued)
  - Distributed deployment
    - Headquarters with multiple discrete LAN segments
    - Campus (multiple buildings)
    - Remote offices (branch or telecommuters)
      - Local-MAC (data bridged locally)
      - Split-MAC (data tunneled back to AC)
      - WTP network may be within same domain of control as AC (branch office) or not (telecommuter)
- General Adversary Capabilities
  - Passive adversaries (sniffers)
    - Can observe and record (eavesdrop), but not interact with the traffic
  - Active adversaries
    - Pass-by
      - can sniff, inject, replay, reflect (with duplication), cause redirection
    - Inline (MiM)
      - Can observe, inject, delete, replay, reflect, redirect, modify packets

Document Outline (4)
- Vulnerabilities resulting from splitting AP function
  - New exposures during session establishment
    - Discovery
      - Information leakage
      - DoS potential (by injecting/modifying requests/responses)
      - Redirection potential
    - Secure association (DTLS handshake)
      - Various DoS opportunities
      - Information leakage (identity, capabilities)
  - New exposures while connected
    - Cryptographic DoS on CAPWAP protocol endpoint(s)
    - mgmt frame attacks (on the wire)
    - Application data exposure
    - Information leakage (topology, applications, etc)

Document Outline (5)
- General adversary goals (and sub-goals) in CAPWAP
  - Eavesdrop on AC-WTP traffic
  - WTP spoofing
  - AC spoofing
  - Control which AC associates with which WTP
  - Cause (CAPWAP) de-association of WTP/AC
  - Cause (802.11) de-association of authorized user
  - Facilitate (802.11) association of unauthorized user (by impersonating AC)
  - Inject user traffic
  - Modify user traffic
  - Remotely take control of WTP
    - Modify WTP configuration, firmware
  - Remotely take control of AC
    - Buffer overflow
  - Protocol DoS attacks
    - Inject MiM requests/replies which terminate AC-WTP connection
    - Delete session establishment requests/replies
    - Repeatedly initiate sessions, leaving them dangling

Document Outline (6)
- Countermeasures
  - Preventative Measures
    - Strong control channel security
      - Prevents impersonation/spoofing for configuration/mgmt/monitoring
    - Strong data channel security
      - Prevents eavesdropping
      - Prevents disassociation of authorized users (DoS)
    - Mutual authentication
      - Prevents AC/WTP impersonation/spoofing
      - Prevents MiM attacks
      - Can be used to limit DoS attacks
    - Data origin authentication
      - Prevents injection, impersonation, spoofing, (dis)association of authorized users
    - Data integrity verification
      - Prevents reflection, modification
    - Anti-replay protection
      - Prevents recording and subsequent replay of valid session
    - Confidentiality
      - Prevents eavesdropping

Document Outline (7)
- Countermeasures, cont.
  - Detection and Response
    - Some things cannot be entirely prevented (but can be detected)
    - Attacks on authentication mechanisms
      - Credential guessing
      - Attempt to use expired certificate
      - Attempt to use invalid certificate
      - MiM on initial handshake packets to collect data for PSK attack
    - DoS attacks
      - A MiM can always prevent packets from going through
      - Session initialization
        - DTLS handshake interference
        - Session exhaustion (on AC)
      - Session runtime
        - Injection of bogus packets (requiring crypto operations)
        - Deletion of packets
  - Implementation Recommendations
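The Detection and Response items above (credential guessing, expired or invalid certificates, session exhaustion on the AC) can be turned into simple per-source checks over AC events. The sketch below is an added example, not part of the original slides or the CAPWAP draft; the event tuple format, event names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical format (not a real AC log):
# (seconds, WTP source address, session id, event)
EVENTS = [
    (0, "192.0.2.10", "s1", "handshake_start"),
    (1, "192.0.2.10", "s1", "established"),
    (2, "198.51.100.7", "a1", "handshake_start"),
    (3, "198.51.100.7", "a2", "handshake_start"),
    (4, "198.51.100.7", "a3", "handshake_start"),
    (5, "198.51.100.7", "a4", "handshake_start"),
    (6, "203.0.113.5", "c1", "handshake_start"),
    (7, "203.0.113.5", "c1", "cert_expired"),
    (8, "203.0.113.9", "p1", "psk_auth_fail"),
    (9, "203.0.113.9", "p2", "psk_auth_fail"),
    (10, "203.0.113.9", "p3", "psk_auth_fail"),
    (40, "192.0.2.10", "s2", "handshake_start"),
]
AUTH_FAILURES = {"cert_expired", "cert_invalid", "psk_auth_fail"}

def analyze(events, now, timeout=30, dangling_limit=3, guess_limit=3):
    """Return {source: sorted findings} for one pass over AC events."""
    pending = {}  # session id -> (source, handshake start time)
    failures = defaultdict(lambda: defaultdict(int))  # source -> event -> n
    for ts, src, sid, event in sorted(events):
        if event == "handshake_start":
            pending[sid] = (src, ts)
        elif event == "established":
            pending.pop(sid, None)
        elif event in AUTH_FAILURES:
            pending.pop(sid, None)  # handshake ended, but not successfully
            failures[src][event] += 1
    # Handshakes that never completed within the timeout count as dangling.
    dangling = defaultdict(int)
    for src, start in pending.values():
        if now - start > timeout:
            dangling[src] += 1

    findings = defaultdict(set)
    for src, count in dangling.items():
        if count >= dangling_limit:
            findings[src].add("session_exhaustion")
    for src, counts in failures.items():
        if counts["psk_auth_fail"] >= guess_limit:
            findings[src].add("credential_guessing")
        for kind in ("cert_expired", "cert_invalid"):
            if counts[kind]:
                findings[src].add(kind)
    return {src: sorted(found) for src, found in findings.items()}
```

Per-source thresholds assume the logged address has been validated (for example after the DTLS cookie exchange); a global count of dangling handshakes covers the case where it has not.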

Document Outline (8)
- There are some threats we cannot prevent or detect
  - Passive monitoring
  - Traffic analysis (actually, there are ways to prevent this, but not to detect it)
  - Active MiM traffic interference
    - Packet deletion, re-ordering
  - Other active attacks
    - ARP poisoning
    - DNS poisoning
  - Offline dictionary attacks on pre-shared keys
  - Probably want to provide practical advice for when these are possible, and what can be done to mitigate them.

Summarizing
- CAPWAP threat analysis is a complex endeavor
- It’s important to document our assumptions, so that extensions and modifications don’t wind up breaking our security mechanisms
- This should be a work item for group
- Draft is in progress, hope to have 00 out within a few weeks