CSG357 Dan Ziminski & Bill Davidge 1 Effective Wireless Security – Technology and Policy CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge.

1 Effective Wireless Security – Technology and Policy CSG 256 Final Project Presentation by Dan Ziminski & Bill Davidge

2 AGENDA
– Some attacks on WLANs
– Authentication Protocols
– Encryption Protocols
– Rogue AP problem
– Case Studies

3 802.11 Passive Monitoring
[Diagram: a station sends "Username: dziminski Password: cleartext" to an access point; an attacker performing passive monitoring captures the data.]

4 802.11 DOS Attack
[Diagram: the attacker spoofs an 802.11 Disassociate frame; the connection between station and access point is broken.]

5 802.11 Man in the Middle Attack
– Attacker broadcasts spoofed AP SSID and MAC address.
– Station unknowingly connects to attacker.
– MIM attacks can always be established, but if strong authentication and encryption are used, the attacker will be nothing more than a bridge.
[Diagram labels: Access Point, Attacker, Station; AP MAC Address, Station MAC Address.]

6 Authentication and Encryption Standards
[Diagram labels: Authentication Protocols (802.1x, EAP, TLS, PEAP; MSFT, CSCO/MSFT, IETF); Credentials (Certificate, Username/Password); Encryption Standards (WEP, WPA-TKIP, 802.11i); Encryption Algorithms (RC4, AES).]

7 802.1x Authentication
[Diagram: Station (Supplicant), Access Point (Authenticator), RADIUS Server (Authorizer).]

8 802.1x EAP-TLS Authentication
[Diagram: Station (Supplicant) with client digital cert from XYZ CA; Access Point (Authenticator); RADIUS Server (Authorizer) with server digital cert from XYZ CA.]

9 802.1x PEAP authentication
[Diagram: Station (Supplicant), Access Point (Authenticator), RADIUS Server (Authorizer) with digital cert from XYZ CA, Directory Server.]
– Phase 1: Authenticate AP. Secure tunnel to AP using TLS.
– Phase 2: Password authentication with directory server (Username: Dan, Password: encrypted). Success/Fail.

10 VPN Authentication and Encryption
[Diagram: Station, Access Point, VPN Gateway, LAN; IPSEC VPN tunnel.]

11 Web Authentication
[Diagram: Station, Access Point, Web auth security device, LAN; HTTPS login page; backend RADIUS server.]

12 Which Authentication to Choose?
Columns: Wireless Auth Type | Desktop Control Needed | Cost to Implement | Difficult to Manage | Vendor Support Problems | Vulnerable to Attack
VPN: high medium low
WEP: medium low high low high
802.1x EAP TLS certificates: high medium low
802.1x PEAP: medium low
Web Auth: low medium low medium

13 WEP Encryption
[Frame diagram: IV | Payload | CRC-32. The 24 bit IV is sent in clear text; the payload and the CRC-32 integrity check are encrypted with a 40 or 104 bit key using the RC4 algorithm.]
WEP has several problems:
1. IV is too small. At 10,000 packets per second IV repeats in 5 hours.
2. There are several “weak keys”. Those are especially vulnerable.
3. No key update mechanism built in.
4. Message replay attacks. DOS.

14 Wi-Fi Protected Access (WPA) TKIP encryption
– Wi-Fi Protected Access is an interim standard created by the Wi-Fi Alliance (group of manufacturers).
– WPA-TKIP fixes problems with WEP.
– IV changes to 48 bits with no weak keys. 900 years to repeat an IV at 10k packets/sec.
– Use IV as a replay counter.
– Message integrity.
– Per-packet keying.
– Supported on many wireless cards and on Windows XP (after applying 2 hot fixes).
– Uses 802.1x for key distribution. Can also use static keys.
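An added example (not part of the original presentation) of why the IV sizes on slides 13 and 14 matter: two WEP frames sent under the same IV share an RC4 keystream, so XORing the ciphertexts yields the XOR of the plaintexts without the key. The key, IV and payloads are constructed, the helper names are hypothetical, and the frame follows the slide's IV | Payload | CRC-32 layout without the key-ID byte.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Clear-text 24-bit IV, then RC4(IV || key) over payload + CRC-32."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decrypt a frame and verify its CRC-32 integrity check value."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload

def ciphertext_xor(key, iv1, iv2, p1, p2) -> bytes:
    """XOR of two encrypted bodies, computed from the frames alone."""
    c1 = wep_encrypt(key, iv1, p1)[3:]
    c2 = wep_encrypt(key, iv2, p2)[3:]
    return xor(c1, c2)[:min(len(p1), len(p2))]

def iv_wrap_seconds(iv_bits: int, packets_per_second: int) -> float:
    """Time until a per-packet IV counter of iv_bits must repeat."""
    return 2 ** iv_bits / packets_per_second

KEY = bytes.fromhex("0102030405")             # constructed 40-bit key
P1 = b"GET /index.html HTTP"                  # constructed payload, 20 bytes
P2 = b"USER dziminski\r\nPASS"                # constructed payload, 20 bytes
IV = b"\x00\x00\x01"                          # constructed 24-bit IV
```

With a repeated IV, `ciphertext_xor(KEY, IV, IV, P1, P2)` equals `xor(P1, P2)`. At 10,000 packets per second `iv_wrap_seconds(24, 10000)` is about 1,678 seconds (roughly 28 minutes; a 5-hour wrap corresponds to about 1,000 packets per second), while `iv_wrap_seconds(48, 10000)` is about 890 years.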

15 TKIP – Per Packet Keying
[Diagram: the 48 bit IV is split into a 32 bit upper IV and a 16 bit lower IV; key mixing takes the IV, the session key and the MAC address and outputs 128 bits: a 104 bit per-packet key and a 24 bit IV.]
Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm.

16 802.11i AES encryption
– Ratified by the IETF in June of 04.
– Uses the AES algorithm for encryption and 802.1x for key distribution.
– Backwards compatible with TKIP to support WPA clients.
– 802.11i not in many products yet.

17 Which Encryption to Choose?
Columns: Wireless Encryption Type | Desktop Control Needed | Cost to Implement | Difficult to Manage | Vendor Support Problems | Vulnerable to Attack
none: low high
WEP: medium low high low medium
WPA TKIP: high medium low
802.11i AES: high none
VPN: high medium low none

18 Newbury Networks 3-hour “war driving” DNC in Boston
– A total of 3,683 unique Wi-Fi devices
– An average of 1 wireless network card every 2 minutes
– Nearly 3,000 of the total Wi-Fi devices were discovered in Boston's Back Bay

19 3-hour “war driving” DNC in Boston
– 65% of the wireless networks detected had no encryption
– 457 unique wireless access points, the majority of which were unsecured

20 DefCon X Hacker Convention-2002
2-hour monitoring of the wireless LAN:
– Identified 8 sanctioned access points
– 35 rogue access points, and more than 800 different station addresses

21 DefCon X Hacker Convention-2002
– 200 to 300 of the station addresses were fakes
– 115 peer-to-peer ad hoc networks and identified 123 stations that launched a total of 807 attacks during the two hours
– 490 were wireless probes from tools such as Netstumbler and Kismet

22 DefCon X Hacker Convention-2002
100 were varying forms of Denial-of-Service attacks that either
– jammed the airwaves with noise to shut down an access point,
– targeted specific stations by continually disconnecting them from an access point, or
– forced stations to route their traffic through other stations

23 DefCon X Hacker Convention-2002
– 27 attacks came from out-of-specification management frames where hackers launched attacks that exploited 802.11 protocols to take over other stations and control the network
– 190 were identity thefts, such as when MAC addresses and SSIDs

25 Case Studies-University
University
– fosters an open, sharing environment
– “…allow all, deny some…” as far as access goes
– large area, large user population
– knowledgeable support group and a wide spectrum of knowledge in the user base

26 Case Studies-Financial Institution
– restricted access
– limited number of authorized users
– technical staff with control of user hardware
– geographically dispersed locations

27 Case Study: Global Bank (alias)
– In process of deploying enterprise WLAN.
– Using 802.1x EAP-TLS with client web certificate for authentication.
– Tested PEAP, but failed auth attempts would lock out the user's Active Directory account.
– Had a small VPN pilot but found it didn’t scale.
– Originally started testing WPA-TKIP but had too many interoperability problems with cards and APs.
– Switched to WEP with keys rotating every 30 minutes using 802.1x. They feel that this is secure enough.
– Monitor for rogue APs. Any rogue that is detected by 3+ APs is investigated and removed if on LAN.
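An added example (not part of the original presentation and not the bank's tooling) of the rogue-AP rule on slide 27: an unsanctioned BSSID heard by 3 or more distinct APs is investigated, and marked for removal if it is also on the LAN. The inventory, sightings and function name are constructed, and treating a BSSID found among the MAC addresses learned on wired switch ports as "on LAN" is an assumption.

```python
from collections import defaultdict

SANCTIONED = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # constructed approved BSSIDs
LAN_MACS = {"00:de:ad:00:00:10"}      # constructed: MACs learned on wired switch ports
SIGHTINGS = [                         # constructed (sensor AP, BSSID, SSID) reports
    ("ap-1", "00:11:22:AA:BB:02", "bank-wlan"),    # sanctioned neighbour, ignored
    ("ap-1", "00:DE:AD:00:00:10", "linksys"),
    ("ap-2", "00:de:ad:00:00:10", "linksys"),
    ("ap-2", "00:de:ad:00:00:10", "linksys"),      # repeat report from the same sensor
    ("ap-3", "00:de:ad:00:00:10", "linksys"),
    ("ap-1", "00:be:ef:00:00:20", "coffee-shop"),
    ("ap-2", "00:be:ef:00:00:20", "coffee-shop"),
    ("ap-1", "00:ca:fe:00:00:30", "hotspot"),
    ("ap-2", "00:ca:fe:00:00:30", "hotspot"),
    ("ap-3", "00:ca:fe:00:00:30", "hotspot"),
    ("ap-4", "00:ca:fe:00:00:30", "hotspot"),
]

def triage_rogues(sightings, sanctioned, lan_macs, min_sensors=3):
    """Map each unsanctioned BSSID heard by >= min_sensors distinct APs to an action."""
    heard_by = defaultdict(set)
    for sensor, bssid, _ssid in sightings:
        bssid = bssid.lower()                  # normalise MAC case before comparing
        if bssid not in sanctioned:
            heard_by[bssid].add(sensor)        # set: one sensor counts once per BSSID
    actions = {}
    for bssid, sensors in heard_by.items():
        if len(sensors) >= min_sensors:
            on_lan = bssid in lan_macs
            actions[bssid] = "investigate+remove" if on_lan else "investigate"
    return actions
```

On the constructed sightings, the BSSID heard by only two sensors falls below the threshold and is not reported.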

28 Case Studies: home networks
– small number of users
– no expectation of heavy volume
– limited technological expertise

29 Q and A
You Ask, We Answer

