Security for (Wireless) LANs
Klaas.Wierenga@SURFnet.nl
802.1X workshop, 30 & 31 March 2004, Amsterdam
2 Program
Workshop Security for (W)LANs – Klaas Wierenga
802.1X client side – Tom Rixom
Coffee
802.1X server side – Paul Dekkers
Lunch
Hands-on
3 TOC
Background
Threats
Requirements
Solutions for today
Solutions for tomorrow
Conclusion
4 Background (diagram: SURFnet backbone with international connectivity; Institution A WLAN and Institution B WLAN; access providers via POTS, ADSL, WLAN and GPRS)
5 Threats
MAC-address and SSID discovery
–TCPdump
–Ethereal
WEP cracking
–Kismet
–Airsnort
Man-in-the-middle attacks
6 Example: Kismet+Airsnort
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
7 Requirements
Identify users uniquely at the edge of the network
–No session hijacking
Allow for guest usage
Scalable
–Local user administration and authN!
–Using existing RADIUS infrastructure
Easy to install and use
Open
–Support for all common OSes
–Vendor independent
Secure
After proper AuthN open connectivity
8 Solutions for today
Open access
MAC-address
WEP
European NRENs:
–Web-gateway
–PPPoE
–VPN-gateway
–802.1X
9 Open network
Open ethernet connectivity, IP-address via DHCP
No client software (DHCP ubiquitous)
No access control
Network is open (sniffing easy, every client and server on LAN is available)
10 Open network + MAC authentication
Same as open, but MAC-address is verified
No client software
Administrative burden of MAC address tables
MAC addresses easily spoofable
Guest usage hard (impossible)
11 WEP
Layer 2 encryption between Client and Access Point
Client must know (static) WEP-key
Administrative burden on WEP-key change
Some WEP-keys are easy to crack (some less easy)
Not secure
12 Open network + web gateway
Open (limited) network, gateway between (W)LAN and the rest of the network intercepts all traffic (session intercept)
Can use a RADIUS backend
Guest use easy
Browser necessary
Hard to make secure
13 Example: FUNET (diagram: WWW-browser, Public Access Network, Public Access Controller, AAA Server, Internet; five numbered steps)
14 Open network + VPN Gateway
Open (limited) network, client must authenticate on a VPN-concentrator to get to the rest of the network
Client software needed
Proprietary (unless IPsec or PPPoE)
Hard to scale
VPN-concentrators are expensive
Guest use hard (sometimes VPN in VPN)
All traffic encrypted
15 Example: SWITCH and Uni Bremen
16 IEEE 802.1X
True port based access solution (Layer 2) between client and AP/switch
Several available authentication mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP)
Standardised
Also encrypts all data, using dynamic keys
RADIUS back end:
–Scaleable
–Re-use existing trust relationships
Easy integration with dynamic VLAN assignment
Client software necessary (OS built-in or third-party)
Both for wireless AND wired
17 How does 802.1X work (in combination with 802.1Q)? (diagram: Supplicant jan@student.institution_a.nl – EAPOL – Authenticator (AP or switch) – EAP over RADIUS – RADIUS server of Institution A – f.i. LDAP – User DB; data and signalling paths; Student, Guest and Employee VLANs; Internet)
18 Through the protocol stack (diagram: Supplicant (laptop, desktop) – Authenticator (AccessPoint, Switch) – Auth. Server (RADIUS server); EAP carried in EAPOL over Ethernet between supplicant and authenticator (802.1X), and in RADIUS (TCP/IP) between authenticator and authentication server)
19 EAP-types (table with columns EAP-MD5, LEAP, EAP-TLS, PEAP, EAP-TTLS; a value the slide gives once for several adjacent columns is listed for each of them)
Security solution: EAP-MD5 standards-based; LEAP proprietary; EAP-TLS, PEAP, EAP-TTLS standards-based
Certificates (client): EAP-MD5 no; LEAP n/a; EAP-TLS yes; PEAP, EAP-TTLS no
Certificates (server): EAP-MD5 no; LEAP n/a; EAP-TLS, PEAP, EAP-TTLS yes
Credential security: EAP-MD5 none; LEAP weak; EAP-TLS, PEAP, EAP-TTLS strong
Supported authentication databases: EAP-MD5 requires clear-text database; LEAP Active Directory, NT Domains; EAP-TLS Active Directory, LDAP etc.; PEAP Active Directory, NT Domain, Token Systems, SQL, LDAP etc.; EAP-TTLS Active Directory, LDAP, SQL, plain password files, Token Systems etc.
Dynamic key exchange: EAP-MD5 no; LEAP, EAP-TLS, PEAP, EAP-TTLS yes
Mutual authentication: EAP-MD5 no; LEAP, EAP-TLS, PEAP, EAP-TTLS yes
20 Available supplicants
Win98, ME: FUNK, Meetinghouse
Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2)
MacOS: Meetinghouse
Linux: Meetinghouse, Open1X
BSD: under development
PocketPC: Meetinghouse, MS (+SecureW2)
Palm: Meetinghouse
21 Example: SURFnet (diagram: guest supplicant piet@institution_b.nl at Institution A – Authenticator (AP or switch) – RADIUS server Institution A – Central RADIUS Proxy server – RADIUS server Institution B – User DB; data and signalling paths; Student, Guest and Employee VLANs; Internet)
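As an added illustration (not part of the slides), a toy model in Python of the identity routing on slides 17 and 21: the visited institution's RADIUS server authenticates its own users, forwards visitors through the central proxy on the realm part of user@realm, and the outcome decides the VLAN. All user names, passwords, server names and VLAN ids are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed home user databases: realm -> {user: (password, role)}
USER_DB = {
    "institution_a.nl": {"jan": ("jan-secret", "student")},
    "institution_b.nl": {"piet": ("piet-secret", "employee")},
}
# Constructed VLAN policy of the visited institution (student/employee/guest VLANs)
VLAN_POLICY = {"institution_a.nl": {"student": 10, "employee": 20, "guest": 30}}


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    hops: List[str] = field(default_factory=list)  # RADIUS servers that saw the request


def home_radius(realm: str, user: str, password: str):
    """RADIUS server of the user's home institution: the only place credentials are checked."""
    entry = USER_DB[realm].get(user)
    if entry is None or entry[0] != password:
        return False, None
    return True, entry[1]


def central_proxy(realm: str, user: str, password: str):
    """Central RADIUS proxy: routes on the realm only and holds no user database."""
    if realm not in USER_DB:
        return False, None, ["proxy"]          # unknown realm: reject, nothing to forward to
    ok, role = home_radius(realm, user, password)
    return ok, role, ["proxy", f"radius.{realm}"]


def local_radius(visited: str, identity: str, password: str) -> Decision:
    """RADIUS server of the visited institution, as queried by the authenticator (AP/switch)."""
    hops = [f"radius.{visited}"]
    if "@" not in identity:                    # no realm: the request cannot be routed
        return Decision(False, None, hops)
    user, realm = identity.rsplit("@", 1)
    if realm == visited:                       # local user: authenticate here
        ok, role = home_radius(realm, user, password)
    else:                                      # visitor: forward via the proxy hierarchy
        ok, role, more = central_proxy(realm, user, password)
        hops += more
        role = "guest"                         # accepted visitors always land in the guest VLAN
    if not ok:
        return Decision(False, None, hops)
    return Decision(True, VLAN_POLICY[visited][role], hops)
```

The model deliberately keeps passwords out of the proxy: it only sees the realm, which is why the slides can re-use existing trust relationships without sharing user databases.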
22 Radius proxy hierarchy (diagram: national RADIUS proxy servers of SURFnet, FUNET, (DFN), CARnet, FCCN and the University of Southampton connecting to a European level RADIUS proxy server)
Participation guidelines are being drafted
Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.
23 Solutions for tomorrow
802.11a|b|g
802.16 (WiMax), 802.20
IPv6
MobileIPv6
WPA (pre standard 802.11i, TKIP)
802.11i: 802.1x + TKIP + AES
24 Conclusion
You can make it safe
One size doesn't fit all (yet?)
There is convergence in Europe
802.1X is the future proof solution
It's all about scalability, i.e. size does matter
25 More information
SURFnet and 802.1X
–http://www.surfnet.nl/innovatie/wlan
TERENA TF-Mobility
–http://www.terena.nl/mobility
The unofficial IEEE802.11 security page
–http://www.drizzle.com/~aboba/IEEE/