1
CSC – Tieteen tietotekniikan keskus Oy / CSC – IT Center for Science Ltd.
WLAN Information Security
Workshop on Wireless, Belgrade, 12.09.2011
Wenche Backman-Kamila
2
Let’s clean up the mess! 802.1x, AES, WEP, TKIP, WPA, WPA2, WPA-Personal, WPA-Enterprise, PSK, web-authentication
3
Agenda
– The physical interface
– Authentication
– Encryption
– Traffic management
– Recommendations and comments
4
The physical interface
Licence-free frequency bands
– 2,4 – 2,5 GHz (802.11b/g/n)
– 5,2 – 5,7 GHz (802.11a/n)
Threats
– Interference from microwave ovens and motion sensors; Bluetooth, other wireless equipment, other WLANs; RF jammers
– DoS attacks (association or EAPOL-Start)
5
AUTHENTICATION
6
Overall security of authentication methods
7
802.1x networks – alternatives
802.1x networks = eduroam networks
802.1x is based on EAP
EAP alternatives
– TLS: requires personal certificates but no username and password
– TTLS, PEAP and FAST: authentication based on username and password
8
Supplicant configuration considerations
For 802.1x to be really secure, pay attention to which server certificate is used
In the supplicant
– Define the correct CA
– Define the server name
More info in the "WLAN monitoring and supplicants" session
9
Information security risks in web-authentication
– The authenticity of the login page cannot be verified
– User IDs and passwords can be intercepted and sessions hijacked
10
Authentication considerations
Content of database
– Eliminate authentication with shared user identities
Impact of compromised credentials
11
ENCRYPTION
12
Wireless security vs wired security
Signals from access points can be captured at the air interface
Information security risks
– Sniffing
– Spoofing
– Probing
13
More security risks – and countermeasures
Firesheep
– Users may get their profiles at e.g. Facebook hijacked
Countermeasures
– VPN encryption: high requirements on the VPN server; performance usually drops
– -> Link-layer encryption
14
Overview of encryption development
15
Personal and Enterprise
WPA-Personal, WPA2-Personal (= WPA-PSK, WPA2-PSK)
WPA-Enterprise, WPA2-Enterprise (= 802.1x)
16
Details on WPA-TKIP and WPA2-AES
WPA-TKIP
– regular key rotation
– per-frame key mixing
– a frame sequence counter to protect against replay attacks
– an improved message integrity check algorithm
WPA2-AES
– actually AES-CCMP at the link layer
– a single component handles per-frame key management and integrity checks
17
TKIP vulnerability
End of 2008
– Injecting false messages of a few types (e.g. ARP) possible
September 2009
– Forging short encrypted packets (e.g. ARP messages) in shorter time (1 min vs 12 min)
– Increased likelihood of session being hijacked
Although the encryption key is never exposed -> use only WPA2-AES
18
Wi-Fi Alliance and WPA-TKIP
The Wi-Fi Alliance will abandon WPA-TKIP in stages 2011–2014.
19
Encryption conclusions
Always use the most secure encryption method, WPA2-AES
Why?
– When all use the same method, roaming becomes easier
– The Wi-Fi Alliance is discontinuing support of WPA-TKIP
For access to intranets etc., include also VPN encryption
20
TRAFFIC MANAGEMENT
21
Authorisation
Minimum requirement is Internet access
Separate VLANs for own users and visitors
– @myorganisation: more rights and privileges
Check the visitor VLAN carefully
– no protected networks or machines using the same VLAN
If possible, access to printers and journals for all
22
MAC address blacklisting
Information security and stability can be improved
– by stopping: too frequent authentication requests; spreading a worm; constantly receiving new IP addresses
– by handling notifications of copyright violations
The user should be notified of blacklisting
23
Other restrictions
SMTP
– Only access to own servers allowed
– Block connections from the Internet
Block devices from acting as DHCP servers
Make terminals communicate with each other through the AP
24
RECOMMENDATIONS
25
Regarding authentication
Inform of the weaknesses of unencrypted networks
– and of the need to switch to 802.1x
Consider implications of stolen passwords
– or use different passwords for WLAN
Grant access to VPN without web-authentication
Don’t allow use of unencrypted protocols in unencrypted networks
26
Comments regarding authentication
Open networks are misused and copyright infringements occur
MAC address blacklisting improves security and stability
27
Regarding encryption
Use only WPA2-AES
– If you have VERY good reasons, allow also WPA-TKIP
– Acknowledge supplicant configuration implications
Unencrypted networks are risky
– Open networks
– Pre-shared key networks
– Web-authenticated networks
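As an added example (not from the slides or from CSC), a small Python audit of wpa_supplicant network blocks that applies the supplicant advice from the authentication section (define the CA and the server name) together with the encryption recommendation (accept only WPA2-AES). The sample configuration, CA path and RADIUS server name are constructed; ca_cert, domain_suffix_match and pairwise are standard wpa_supplicant.conf options.

```python
import re

# Constructed sample wpa_supplicant.conf (not from the slides). Block 1 is a
# typical "it just works" 802.1x profile: no CA, no server name, ciphers left
# at the default. Block 2 pins the CA and server name and allows only AES-CCMP.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-org-ca.pem"
    domain_suffix_match="radius.example.org"
    pairwise=CCMP
    group=CCMP
}
"""

def parse_networks(conf):
    """Return one dict (key -> unquoted value) per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets

def audit_network(net):
    """Findings for one block: for 802.1x the supplicant must define the CA
    and the server name; for encryption accept only WPA2-AES (CCMP)."""
    findings = []
    if net.get("key_mgmt") == "WPA-EAP":
        if "ca_cert" not in net:
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(k in net for k in ("domain_suffix_match", "domain_match",
                                      "altsubject_match", "subject_match")):
            findings.append("no server name check: any certificate from the CA is accepted")
    # When pairwise is unset, wpa_supplicant defaults to "CCMP TKIP".
    if "TKIP" in net.get("pairwise", "CCMP TKIP").split():
        findings.append("pairwise allows TKIP: set pairwise=CCMP (WPA2-AES only)")
    return findings
```

Run audit_network over parse_networks(SAMPLE_CONF): the first block yields three findings, the hardened second block none.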
28
References and contact info
Main reference
– WLAN Information Security BPD: http://www.terena.org/campus-bp/bpd.html
Wenche.Backman-Kamila@csc.fi