Western Data Com

Wireless Security Strategy

Pros & Cons of Wireless Security MAC

Pros

Cons Source: Network World 5/20/02

TKIP

NonStandard

Media Access Control Easy to configure Access Points to permit only particular MAC addresses

Temporal Key Integrity Protocol

“Key-hopping”

MAC addresses easy to fake

No intensive testing done on this “Standard”

“Interim Standard”

WEP

64 and 128-bit encryption Change Easy to encryption keys configure every few Built into 802.11 seconds. Hard to cards. extract different keys Effective Solutions but no standards

Easy to break keys Keys are widely known No end-system and user authentication

Sources of *WEP Information www.nwfusion.com DocFinder 2040 ■ www.ieeeusa.org ■ www.encryption.com/rsalabs/faq/3-6-3.htm l ■ www.isaac.cs.berkeley.edu/isaac/wepfaq.html WEP - hacking testing results ■ www.iss.net/wireless Wireless Security test ■ N.I.S.T. “New” Special Publication 800-48 ■ * WEP - Wireless Equivalent Privacy 40 bit ■

Pros & Cons of Wireless Security Browser

IPSec

802.1X

Pros

Greatest compatibility with wireless devices. Ease of use

Uses Digital Certificates and twofactor authentication. Existing VPN support.

Cons

No Embedded device support. No encryption Easy to Spoof

IPSec software complex to set-up and support. Reduces LAN speeds. Supports only IP networks

Best Match of Security and Wireless * U. of Maryland found flaws in client-side Requires Windows - XP support EAP RADIUS server required AES will require hardware

Source: Network World 9/9/02

Tried &True Methods for Securing wired LAN’s ■ ■ ■ ■

Authentication Types Radius Kerberos LDAP

■ ■ ■ ■

■

Layer 3 Solutions PPTP* L2TP* IPSec VPN’s

* bundled as part of Windows

Six-Steps for Wireless Security ■

■

■

■

Enable 128-bit session encryption Configure RADIUS server authentication Force 30-minute periodic authentication for all users * Source Computerworld

■

■

■

Require use of VPN to access critical resources Restrict LAN access rights by role Implement two-factor authentication scheme using access tokens

Equipment Manufacturer’s Fault All 802.11b equipment shipped with WEP security options “turned off” for ease of installation ■ 80 bit key was used for ease of export ■ Hardware assist required for ease of encryption but adds cost and design time ■ AES and 128 bit keys to WEP helps ■ Add IPSec hardware to 802.11 products ■

General Description IEEE 802.1X Terminology Semi-Public Network / Enterprise Edge

Enterprise Network

EAP

IUS D A rR Ove

) OL ) P A W PAE N (E EAPO A L ( r s Ove ireles P E A er W Authenticator v O (e.g. Switch, EAP Access Point)

PAE

Uncontrolled Port

Supplicant

Controlled Port

R A D I U S

Authentication Server

IEEE 802.1X Over 802.11 Wireless

Laptop Computer

Radius Server

Access Point Ethernet

Association

Access Blocked 802.11 Associate

802.11

Radius

EAPOW

EAPOL-Start

EAP-Request/Identity EAP-Response/Identity

Radius-Access-Request Radius-Access-Challenge

EAP-Request EAP-Response (Cred)

Radius-Access-Request Radius-Access-Accept

EAP-Success EAPOW-Key (WEP)

Access Allowed

Introductions to MS-CHAPS ■

Challenge Handshake ■ Authentication Protocol ■ Challenge Handshake ■

Authentication depends on a secret known only to authenticator and client

Challenge Message

■

Radius server sends challenge to client via access point

■

This challenge packet will vary for each authentication attempt

■

The challenge is pulled from information contained a table of known secrets

■

New challenge can be sent at intervals based on Radius server settings, or upon client roaming

Calculated HASH

Start ■

■

Client responds with a calculated value using a “one way hash” function This value is derived from a known secrets list

Authentication Granted/Denied ■

■

■

Radius server checks response against it own calculated hash If it matches, then authentication is acknowledged to AP and client If authentication is not achieved, the AP will not permit any traffic for that client to pass

WEP Keys ■

■

■ ■

WEP key is calculated by the Radius server, only after the authentication is completed The key is passed to Access Point for THAT single authenticated client. This is a session key Client calculates the same WEP key Key is never transmitted over RF

How Often Does the Key Change ■

■

■

Every time a client roams to a new AP, it will go through the same authentication and Session WEP key exercise The Radius server will also require a new Authentication/key at a timed interval (programmable) This provides different WEP keys often, and totally unique keys to each client

Advantages of 802.1X for 802.11 ■

Open, extensible and standards based –

Enables interoperable user identification, centralized authentication, key management

–

Leverages existing standards: EAP (extensible authentication protocol), Radius

–

Compatible with existing roaming technologies, enabling use in hotels and public places

■

User-based identification

■

Dynamic key management

■

Centralized user administration –

Support for Radius (RFC 2138, 2139) enables centralized authentication, authorization and accounting

Why LEAP ? ■

Cisco Lightweight EAP (LEAP) Authentication type – – – – – –

No native EAP support currently available on legacy operating systems EAP-MD5 does not do mutual authentication EAP-TLS (certificates/PKI) too intense for security baseline featureset Quick support on multitude of host systems Lightweight implementation reduces support requirements on host systems Need support in backend for delivery of session key to access points to speak WEP with client

Cisco LEAP Deployment Wireless EAP Access Point

Laptop Computer with LEAP Supplicant

Ethernet

Backbone

Network Logon

Radius

• Win 95/98 • Win NT • Win 2K • Win CE • MacOS • Linux

• Cisco Secure ACS 2.6

LEAP Radius Server

• Authentication database • Can use Windows user database

Driver for OS x

EAP Authenticator

Radius DLL

• LEAP Authentication support

• EAP-LEAP today • EAP-TLS soon • …

• LEAP Authentication support

Authenticator

Backend/Radius server

• Dynamic WEP key support • Capable of speaking EAP

Client/Supplicant

• MS-MPPE-Send-key support • EAP extensions for Radius

What Does the Radius Server Perform? Authentication ■ Generates dynamic session key ■ Sends session key to access point ■

What Does the AP Perform? ■

On successful authentication – – – –

Send broadcast WEP key to client Maintain clients WEP key Start running WEP with client Distribute pre-auth

Future EAP Client Work? ■

Microsoft placing 802.11 EAP Native supplicant in, –

■

What about other Microsoft OS’s? –

■

Win2K, WinCE Win9x/WinNT (need LEAP)

What about other OS’s? –

Linux, MacOS (need LEAP)

Standards Update ■

■

802.1X current status –

Draft 8: http://www.manta.IEEE.org/groups/802/1/pages/802.1x.html

–

Scheduled for letter ballot, January 2001

802.11 security –

TG e (Task Group E) working on security and QoS extensions to the MAC 802.11 layer

–

TG-e Security sub-group chair: Dave Halasz (Cisco-Aironet Engineering)

–

Joint multi-vendor 802.1X for 802.11 proposal accepted as baseline security document

Presenters Contact Information Philip Ardire - Western DataCom ■ [email protected] ■ 440-8.35-1510 ■

Brian Casto - ICI Networks ■ [email protected] ■ 330-256-7770 ■