
Securing your wireless LAN Paul DeBeasi VP Marketing


1 Securing your wireless LAN
Paul DeBeasi, VP Marketing
Email: pdebeasi@legra.com

2 Pop quiz
At the end of this presentation you will…
A. Think you are an expert in all aspects of wireless security.
B. Decide that WLANs can never be secure enough for enterprise deployment.
C. Become aware of WLAN security risks and approaches for risk mitigation.
D. Need a no-whip, triple-shot cappuccino.

3 Wireless vulnerabilities
Theft of service
– No security
– Key derivation
– MAC spoofing
– Rogue WLANs
– Default SSID
– Ad-hoc networks
Session hijacking
– Man in the middle attacks
Deny/degrade service
– RF interference/jam
– Bit flipping
– Disassociation attack
– EAP attacks
Network eavesdropping
– RF monitors
Infrastructure attack
– Default passwords

4 Security concepts
Authentication
– Something you are, you have, you know
Data privacy
– Keeping your data hidden from prying eyes
Data integrity
– Prevent data tampering
Authorization
– Control access to network resources

5 Evolution of WLAN security

6 WEP
Wired Equivalent Privacy
– Protect from eavesdropping
“Good enough” privacy
– U.S. export control law restrictions in 1999
Network-wide shared key
– All packets encrypted
[Diagram: IV (24 bits) + WEP key (40 or 104 bits) → RC4 → key stream; clear text XOR key stream = encrypted text]

7 What’s wrong with WEP? (a lot!)
Turned off by default
– Plug and pray mobility
Authentication
– No user authentication
Encryption
– WEP key can be broken in a few hours
Data integrity
– CRC (cyclic redundancy check) susceptible to bit flipping
Difficult to update keys
– Must manually change every station
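As an added illustration (not from the slides), a minimal Python model of the WEP encapsulation shown on slide 6 and a check of why its CRC-32 cannot serve as an integrity code: CRC-32 is linear, so the checksum of a modified message is predictable, whereas a keyed MIC (HMAC-SHA256 is used here as a stand-in for WPA's MIC) has no such property. Key and IV values are constructed, not taken from any real network.

```python
# Added example (not from the slides): minimal WEP model and a CRC-32 linearity check.
import hashlib
import hmac
import struct
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """Frame body = IV (3 bytes, in clear) || RC4(IV||key) XOR (plaintext || CRC-32)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40- or 104-bit WEP key
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    ks = rc4_keystream(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))

def wep_decapsulate(key: bytes, frame: bytes):
    """Returns (plaintext, crc_ok); the CRC only catches accidental corruption."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(a ^ b for a, b in zip(ct, rc4_keystream(iv + key, len(ct))))
    data, crc = body[:-4], struct.unpack("<I", body[-4:])[0]
    return data, crc == zlib.crc32(data)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc32_is_linear(msg: bytes, delta: bytes) -> bool:
    """CRC-32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0) for equal lengths, so the
    checksum of a modified message is predictable without the key (the 'bit flipping' flaw)."""
    zero = bytes(len(msg))
    return zlib.crc32(xor_bytes(msg, delta)) == zlib.crc32(msg) ^ zlib.crc32(delta) ^ zlib.crc32(zero)

def mic_is_linear(key: bytes, msg: bytes, delta: bytes) -> bool:
    """Same test against a keyed MIC (HMAC-SHA256 stands in for WPA's MIC): no
    such relation holds, so tampering is detected unless the attacker has the key."""
    tag = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    zero = bytes(len(msg))
    expected = xor_bytes(xor_bytes(tag(msg), tag(delta)), tag(zero))
    return tag(xor_bytes(msg, delta)) == expected
```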

8 WEP/802.11 recommendations
Turn on WEP
– Better than no security at all
Change default SSID
– And don’t use a name like “finance-network”
Disable SSID beaconing
– Make it difficult for attackers to find your WLANs
Change default key
– And change the key frequently
Use MAC address filtering
– More useful for small deployments

9 Evolution of WLAN security

10 802.1x and EAP
802.1x defines EAPOL (Extensible Authentication Protocol over LAN)
– Provides centralized authentication and dynamic key exchange
– EAP packets carried at the MAC layer, embedded in RADIUS commands
EAP is extensible
– Most common examples: EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-PEAP
[Diagram: Supplicant <-EAPOL-> Authenticator <-RADIUS-> Authentication server on the campus network; EAP (TLS, TTLS, PEAP, LEAP) runs end to end between supplicant and authentication server]

11 802.1x and EAP – benefits
Centralized authentication
– Per-user authentication and resource allocation
– Authentication server and supplicant authenticate each other
– Effectively eliminates man-in-the-middle attacks
Centralized key management
– Derived unique per-user session key
Centralized policy control
– Session time-out and automatic key redistribution (“dynamic WEP”)
– VLAN assigned by the authentication server
[Diagram: supplicant, authenticator and authentication server on the campus network, as on slide 10]

12 EAP types – variations on a theme
EAP over TLS (EAP-TLS)
– IETF standard (RFC 2716)
– Uses digital certificates for both user and server
EAP over Tunneled TLS (EAP-TTLS)
– IETF draft (Funk), only the server needs to have a certificate
– Supports password or token based authentication within a protected tunnel
Protected EAP (PEAP)
– IETF draft (Cisco, Microsoft, RSA), only the server needs to have a certificate
– Supports various EAP-encapsulation methods within a protected tunnel
Cisco LEAP
– Proprietary solution for mutual authentication
– Supports various EAP-encapsulation methods within a protected tunnel
– Vulnerable to ASLEAP dictionary attack

13 Virtual private networks
An alternative approach
– Treats wireless as an “untrusted” network
– IETF standard: layer 3 authentication & encryption
Challenges
– Vulnerable at layer 2: rogue AP, layer 2 session hijacking, DoS attacks against wireless stations or the VPN device
– Can be difficult to manage and to scale
[Diagram: client software on the wireless station, IPSec tunnel across the campus network to the VPN server]

14 Comparing the options

                        TLS     TTLS             PEAP      LEAP    IPSec
Encrypt                 RC4     RC4              RC4       RC4     3DES/AES
User keys               Yes     Yes              Yes       Yes     Yes
Client software         Many    Funk, MeetingH   Many      Cisco   Many
Auth. server software   Many    Funk, MeetingH   Many      Cisco   Many
Client certificates     Req.    Optional         Optional  No      Optional
Server certificates     Req.    Req.             Req.      No      Optional

PEAP: Cisco, Microsoft, RSA supported

15 802.1x and VLANs
Centralized policy control
– Per-user VLAN policy improves traffic control
– Timer-based key rotation reduces WEP key risk
[Diagram: wireless switch placing stations into Engineering or Marketing VLANs; the authentication server returns the VLAN ID and triggers re-keying]

16 802.1x, VLAN, VPN & EAP recommendations
802.1x
– Strongly recommended to deploy 802.1x
– Provides centralized management/policy control
VPN
– If you choose to use VPNs then be sure to use 802.1x too
VLAN
– Deploy per-user VLAN policy via the authentication server
EAP
– Consider EAP-TLS if certificate infrastructure is in place
– Avoid LEAP if standards-based solutions are important
– TTLS and PEAP are very similar/competing approaches

17 Evolution of WLAN security

18 Wi-Fi Protected Access (WPA)
Authentication
– 802.1x port-based authentication at layer 2
– Works with EAP methods
Data privacy
– TKIP (Temporal Key Integrity Protocol)
– Bigger initialization vector: 48 bits versus 24 bits
– Per-user keying & key rotation with every packet
– Requires hardware acceleration
Data integrity
– MIC (Message Integrity Code) algorithm
– Fixes flaws in the CRC algorithm used in WEP
[Diagram: WPA = IEEE 802.11i Draft 3 components 802.1x, TKIP and MIC]
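An added worked example (not from the slides) for the IV-size point above and for the "network-wide shared key" and "few hours" points on slides 6 and 7: how quickly a 24-bit IV space is exhausted or collides compared with TKIP's 48 bits, plus a defender-side check an RF monitor can run over captured (station, IV) pairs to flag key-stream reuse. The frame rate and the sample capture are constructed values.

```python
# Added example (not from the slides): IV-space arithmetic and an IV-reuse check.
import math
from collections import Counter

IV_BITS_WEP, IV_BITS_TKIP = 24, 48   # per the slides: 24-bit WEP IV, 48-bit TKIP IV

def iv_collision_probability(frames: int, iv_bits: int) -> float:
    """Birthday bound: P(some IV repeats) after `frames` frames whose IVs are drawn
    uniformly at random from the 2**iv_bits space (what many WEP cards did)."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

def seconds_until_iv_wrap(iv_bits: int, frames_per_second: float) -> float:
    """Time until a sequential IV counter wraps and key streams start repeating
    under an unchanged key (WEP keys are changed by hand; TKIP re-keys)."""
    return (2 ** iv_bits) / frames_per_second

def find_iv_reuse(frames, per_station_keys: bool = False) -> dict:
    """Defender-side check for an RF monitor. `frames` is an iterable of
    (transmitter_mac, iv) pairs captured while one key was in use.
    With a network-wide shared key (plain WEP) the key stream depends on the IV
    alone, so ANY two frames with the same IV share a key stream; with per-user
    keys (dynamic WEP / TKIP) only repeats by the same station matter.
    Returns {key: count} for every IV (or (mac, iv)) seen more than once."""
    keyfn = (lambda f: f) if per_station_keys else (lambda f: f[1])
    counts = Counter(keyfn(f) for f in frames)
    return {k: c for k, c in counts.items() if c > 1}

# Constructed sample capture (not real traffic).
SAMPLE_FRAMES = [
    ("aa:bb:cc:00:00:01", 0x000001),
    ("aa:bb:cc:00:00:01", 0x000002),
    ("aa:bb:cc:00:00:02", 0x000001),   # same IV from another station
    ("aa:bb:cc:00:00:01", 0x000001),   # same station repeats its own IV
]

if __name__ == "__main__":
    # Assumed, constructed load: 500 frames per second on one shared WEP key.
    print("24-bit IV counter wraps after %.1f hours" % (seconds_until_iv_wrap(IV_BITS_WEP, 500) / 3600))
    for bits in (IV_BITS_WEP, IV_BITS_TKIP):
        print("%d-bit random IVs, 5000 frames: P(collision) = %.2e" % (bits, iv_collision_probability(5000, bits)))
    print("shared-key reuse:", find_iv_reuse(SAMPLE_FRAMES))
    print("per-user-key reuse:", find_iv_reuse(SAMPLE_FRAMES, per_station_keys=True))
```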

19 WPA recommendations
Use it if you can
– Many devices/NICs do not yet support WPA
Network interface cards
– Ensure the card supports WPA; some never will
Operating systems
– Microsoft XP supports WPA
– See Meetinghouse and Funk for other OS clients
Authentication servers
– Make sure they support EAP types
Network infrastructure
– Make sure the hardware supports WPA

20 Evolution of WLAN security

21 802.11i / WPA2
The future of 802.11 security
– Still in draft form at the IEEE 802.11i working group
– Expected to be complete in 2004
Uses Advanced Encryption Standard (AES) encryption
– Approved by NIST (National Institute of Standards and Technology)
– As secure as 3DES, but requires less computational power
– Includes integrated data integrity
– Also known as the “Rijndael” algorithm
Make sure that new hardware is 802.11i-ready
– Must support AES cryptography acceleration now

22 Checklist for securing your WLAN
WEP
– Turn on WEP, change key
– Change default SSID
– Disable SSID beacon
802.1x, VLAN, VPN
– Use 802.1x with PEAP
– Use L2 security if using VPN
– Integrate with your VLANs
WPA
– Require WPA certification
– Don’t use pre-shared keys
– Look for hardware acceleration
IEEE 802.11i (WPA2)
– Uses new AES cipher
– Not yet standardized
– Use 802.11i-ready equipment
Pop quiz answer is… C. Become aware of WLAN security risks and approaches for risk mitigation.

23 Useful links
http://www.legra.com
– Security white papers and resource center
http://wlanswitch.com
– WLAN blog with vendor-neutral commentary & links to other useful sites
http://www.drizzle.com/~aboba/IEEE/
– The unofficial 802.11 security page
http://www.netstumbler.com/
– Commonly used “war driving” tool
http://wepcrack.sourceforge.net/
– Commonly used tool to break WEP keys
http://www.wifialliance.com/opensection/certified_products.asp
– Wi-Fi Alliance list of certified products
http://www.unstrung.com/document.asp?doc_id=41185
– “Look before you leap” article that discusses how LEAP was cracked
