Security for (Wireless) LANs 802.1X workshop 30 & 31 March 2004 Amsterdam.

Presentation transcript:

Security for (Wireless) LANs 802.1X workshop 30 & 31 March 2004 Amsterdam

2 Program
Workshop Security for (W)LANs – Klaas Wierenga
802.1X client side – Tom Rixom
Coffee
802.1X server side – Paul Dekkers
Lunch
Hands-on

3 TOC
Background
Threats
Requirements
Solutions for today
Solutions for tomorrow
Conclusion

4 Background
(Diagram: SURFnet backbone with international connectivity; Institution A WLAN and Institution B WLAN; access providers via POTS, ADSL, WLAN and GPRS.)

5 Threats
MAC-address and SSID discovery
– TCPdump
– Ethereal
WEP cracking
– Kismet
– Airsnort
Man-in-the-middle attacks

6 Example: Kismet+Airsnort
tcpdump -n -i eth1
19:52: > : icmp: echo request
19:52: > : icmp: echo reply
19:52: > : icmp: echo request
19:52: > : icmp: echo reply
19:52: > : icmp: echo request
19:52: > : icmp: echo reply
^C

7 Requirements
Identify users uniquely at the edge of the network
– No session hijacking
Allow for guest usage
Scalable
– Local user administration and authN!
– Using existing RADIUS infrastructure
Easy to install and use
Open
– Support for all common OSes
– Vendor independent
Secure
After proper AuthN open connectivity

8 Solutions for today
Open access
MAC-address
WEP
European NRENs:
Web-gateway
PPPoE
VPN-gateway
802.1X

9 Open network
Open ethernet connectivity, IP-address via DHCP
No client software (DHCP ubiquitous)
No access control
Network is open (sniffing easy, every client and server on the LAN is reachable)

10 Open network + MAC authentication
Same as open, but the MAC-address is verified
No client software
Administrative burden of MAC address tables
MAC addresses are easily spoofable
Guest usage hard (impossible)

11 WEP
Layer 2 encryption between Client and Access Point
Client must know the (static) WEP-key
Administrative burden on WEP-key change
Some WEP-keys are easy to crack (some less easy)
Not secure

12 Open network + web gateway
Open (limited) network; a gateway between the (W)LAN and the rest of the network intercepts all traffic (session intercept)
Can use a RADIUS backend
Guest use easy
Browser necessary
Hard to make secure

13 Example: FUNET
(Diagram: WWW-browser on the Public Access Network, Public Access Controller, AAA Server, Internet.)

14 Open network + VPN Gateway
Open (limited) network; the client must authenticate to a VPN-concentrator to get to the rest of the network
Client software needed
Proprietary (unless IPsec or PPPoE)
Hard to scale
VPN-concentrators are expensive
Guest use hard (sometimes VPN in VPN)
All traffic encrypted

15 Example: SWITCH and Uni Bremen

16 IEEE 802.1X
True port based access solution (Layer 2) between client and AP/switch
Several available authentication mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP)
Standardised
Also encrypts all data, using dynamic keys
RADIUS back end:
– Scalable
– Re-use existing trust relationships
Easy integration with dynamic VLAN assignment
Client software necessary (OS built-in or third-party)
Both for wireless AND wired

17 How does 802.1X work (in combination with 802.1Q)?
(Diagram: Supplicant – EAPOL – Authenticator (AP or switch) – EAP over RADIUS – RADIUS server at Institution A – f.i. LDAP – User DB; the authenticator places the client in the Student, Guest or Employee VLAN; data and signalling paths shown separately; Internet.)

18 Through the protocol stack
(Diagram: Supplicant (laptop, desktop) – Ethernet – Authenticator (AccessPoint, Switch) – Auth. Server (RADIUS server). EAP is carried in EAPOL (802.1X) over Ethernet between supplicant and authenticator, and in RADIUS (TCP/IP) between authenticator and authentication server.)

19 EAP-types
Topic | EAP MD5 | LEAP | EAP TLS | PEAP | EAP TTLS
Security Solution | Standards-based | Proprietary | Standards-based | Standards-based | Standards-based
Certificates – Client | No | n/a | Yes | No | No
Certificates – Server | No | n/a | Yes | Yes | Yes
Credential Security | None | Weak | Strong | Strong | Strong
Supported Authentication Databases | Requires clear-text database | Active Directory, NT Domains | Active Directory, LDAP etc. | Active Directory, NT Domain, Token Systems, SQL, LDAP etc. | Active Directory, LDAP, SQL, plain password files, Token Systems etc.
Dynamic Key Exchange | No | Yes | Yes | Yes | Yes
Mutual Authentication | No | Yes | Yes | Yes | Yes

20 Available supplicants
Win98, ME: FUNK, Meetinghouse
Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2)
MacOS: Meetinghouse
Linux: Meetinghouse, Open1X
BSD: under development
PocketPC: Meetinghouse, MS (+SecureW2)
Palm: Meetinghouse

21 Example: SURFnet
(Diagram: a Guest supplicant at Institution B authenticates via the Authenticator (AP or switch); the Institution B RADIUS server forwards the request through the central RADIUS proxy server to the Institution A RADIUS server and its User DB; the client is placed in the Student, Guest or Employee VLAN; data and signalling paths shown separately; Internet.)

22 RADIUS proxy hierarchy
(Diagram: national RADIUS proxy servers (FCCN, SURFnet, FUNET, (DFN), CARnet, University of Southampton) connecting to a European-level RADIUS proxy server.)
Participation guidelines are being drafted
Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.
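Slides 16 to 18, 21 and 22 describe the same mechanism from three angles: the authenticator keeps a client's port closed until the authentication server says otherwise, EAP is relayed from EAPOL into RADIUS, and a roaming user's Access-Request is proxied by realm up a hierarchy to the home RADIUS server, after which the visited site assigns the VLAN. The toy model below is an added example written for this transcript, not SURFnet's or the workshop's code; the realms, host names, user databases, passwords and VLAN numbers are constructed. It models the messages at the level of the diagrams (identity, Access-Request, Accept/Reject, hop trace) and stands in a plain password for the EAP method, which a real deployment would run as EAP-TLS, PEAP or EAP-TTLS inside the exchange.

```python
"""Toy model of 802.1X port-based access control with a RADIUS proxy
hierarchy. Constructed example; all realms, hosts, users and VLANs are made up."""
from hmac import compare_digest

# --- Constructed sample data ---------------------------------------------
# Home user databases, one per institution (realm): identity -> (secret, role).
# Plain passwords keep the toy self-contained; real 802.1X runs an EAP method
# (EAP-TLS, PEAP, EAP-TTLS, ...) here instead of passing a password around.
USER_DBS = {
    "inst-a.example": {"alice": ("correct horse", "student")},
    "inst-b.example": {"bob": ("battery staple", "employee")},
}
# VLANs the *visited* authenticator may assign (dynamic VLAN via 802.1Q).
VLANS = {"student": 10, "employee": 20, "guest": 99}


class RadiusNode:
    """A RADIUS server or proxy. A pure proxy has realm=None."""

    def __init__(self, name, realm=None, routes=None, default=None):
        self.name = name            # recorded in the hop trace
        self.realm = realm          # the one realm this node authenticates itself
        self.routes = routes or {}  # realm -> next-hop RadiusNode
        self.default = default      # next hop for realms not in `routes`

    def access_request(self, user_name, password, hops):
        """Handle a RADIUS Access-Request: authenticate locally if the realm
        is ours, otherwise proxy it by realm. Returns (code, role)."""
        hops.append(self.name)
        _, _, realm = user_name.partition("@")
        if realm == self.realm:
            return self._authenticate(user_name, password)
        nxt = self.routes.get(realm, self.default)
        if nxt is None:                               # unknown realm: no route
            return ("Access-Reject", None)
        return nxt.access_request(user_name, password, hops)

    def _authenticate(self, user_name, password):
        ident, _, _ = user_name.partition("@")
        entry = USER_DBS.get(self.realm, {}).get(ident)
        if entry and compare_digest(entry[0], password):
            return ("Access-Accept", entry[1])
        return ("Access-Reject", None)


class Authenticator:
    """Access point or switch: one controlled port per client."""

    def __init__(self, realm, radius):
        self.realm = realm    # institution that operates this AP/switch
        self.radius = radius  # its own RADIUS server (first hop)
        self.ports = {}       # client -> {"authorized": bool, "vlan": int or None}

    def eapol_start(self, client, identity, password):
        """EAPOL exchange with the supplicant; the EAP content is relayed to
        RADIUS. Only this signalling passes while the port is unauthorized."""
        hops = []
        code, role = self.radius.access_request(identity, password, hops)
        if code == "Access-Accept":
            # Visited-site policy: own users get their role VLAN, users from
            # another realm are placed in the guest VLAN (as in slide 21).
            home = identity.endswith("@" + self.realm)
            vlan = VLANS[role] if home else VLANS["guest"]
            self.ports[client] = {"authorized": True, "vlan": vlan}
        else:
            self.ports[client] = {"authorized": False, "vlan": None}
        return code, self.ports[client]["vlan"], hops

    def forward(self, client, frame):
        """Data frame on the controlled port: dropped until authorized,
        otherwise tagged with the assigned VLAN."""
        port = self.ports.get(client)
        if not port or not port["authorized"]:
            return None
        return (port["vlan"], frame)


def build_hierarchy():
    """Institution servers default to the central proxy; it routes by realm."""
    inst_a = RadiusNode("radius.inst-a.example", realm="inst-a.example")
    inst_b = RadiusNode("radius.inst-b.example", realm="inst-b.example")
    central = RadiusNode("central-proxy",
                         routes={"inst-a.example": inst_a, "inst-b.example": inst_b})
    inst_a.default = central
    inst_b.default = central
    return inst_a, inst_b, central


def demo():
    """Four supplicants on an AP at institution B; returns (ap, results)."""
    _, inst_b, _ = build_hierarchy()
    ap_b = Authenticator("inst-b.example", inst_b)
    results = {
        "home": ap_b.eapol_start("mac-bob", "bob@inst-b.example", "battery staple"),
        "roaming": ap_b.eapol_start("mac-alice", "alice@inst-a.example", "correct horse"),
        "bad_pw": ap_b.eapol_start("mac-eve", "alice@inst-a.example", "wrong"),
        "no_realm": ap_b.eapol_start("mac-x", "carol@nowhere.example", "x"),
    }
    return ap_b, results


if __name__ == "__main__":
    ap, res = demo()
    for name, (code, vlan, hops) in res.items():
        print(f"{name:8} {code:14} vlan={vlan} via {' -> '.join(hops)}")
    print("roaming frame:", ap.forward("mac-alice", "ip packet"))
    print("rejected frame:", ap.forward("mac-eve", "ip packet"))
```

The hop trace is the part worth reading: a home user never leaves institution B's RADIUS server, while a roaming user's request travels B, central proxy, A and back, and the visited authenticator, not the home server, decides the VLAN. A request for a realm nobody routes dies at the proxy with a Reject, and until an Accept arrives the controlled port drops every data frame, which is what makes 802.1X a port-based solution rather than a session-intercept one.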

23 Solutions for tomorrow
802.11a|b|g (WiMax), IPv6
MobileIPv6
WPA (pre-standard 802.11i, TKIP)
802.11i: 802.1X + TKIP + AES

24 Conclusion
You can make it safe
One size doesn’t fit all (yet?)
There is convergence in Europe
802.1X is the future proof solution
It’s all about scalability, i.e. size does matter

25 More information
SURFnet and 802.1X –
TERENA TF-Mobility –
The unofficial IEEE security page –