Wireless Security Strategy
Pros & Cons of Wireless Security (Source: Network World 5/20/02)

MAC (Media Access Control)
■ Pros: Easy to configure Access Points to permit only particular MAC addresses
■ Cons: MAC addresses easy to fake

TKIP (Temporal Key Integrity Protocol, “Key-hopping”)
■ Pros: Change encryption keys every few seconds. Hard to extract different keys
■ Cons: No intensive testing done on this “Standard”; “Interim Standard”

NonStandard
■ Pros: Effective solutions
■ Cons: No standards

WEP* (64 and 128-bit encryption)
■ Pros: Easy to configure. Built into 802.11 cards
■ Cons: Easy to break keys. Keys are widely known. No end-system and user authentication

* WEP - Wired Equivalent Privacy, 40 bit

Sources of WEP Information
■ www.nwfusion.com DocFinder 2040
■ www.ieeeusa.org
■ www.encryption.com/rsalabs/faq/3-6-3.html
■ www.isaac.cs.berkeley.edu/isaac/wepfaq.html (WEP hacking testing results)
■ www.iss.net/wireless (Wireless Security test)
■ N.I.S.T. “New” Special Publication 800-48
Pros & Cons of Wireless Security (Source: Network World 9/9/02)

Browser
■ Pros: Greatest compatibility with wireless devices. Ease of use
■ Cons: No embedded device support. No encryption. Easy to spoof

IPSec
■ Pros: Uses Digital Certificates and two-factor authentication. Existing VPN support
■ Cons: IPSec software complex to set up and support. Reduces LAN speeds. Supports only IP networks

802.1X
■ Pros: Best match of security and wireless*
■ Cons: Requires Windows XP support. EAP RADIUS server required. AES will require hardware

* U. of Maryland found flaws in client-side
Tried & True Methods for Securing Wired LANs

Authentication Types
■ Radius
■ Kerberos
■ LDAP

Layer 3 Solutions
■ PPTP*
■ L2TP*
■ IPSec VPNs

* bundled as part of Windows
Six Steps for Wireless Security (Source: Computerworld)
■ Enable 128-bit session encryption
■ Configure RADIUS server authentication
■ Force 30-minute periodic authentication for all users
■ Require use of VPN to access critical resources
■ Restrict LAN access rights by role
■ Implement two-factor authentication scheme using access tokens
Equipment Manufacturer’s Fault
■ All 802.11b equipment shipped with WEP security options “turned off” for ease of installation
■ 80 bit key was used for ease of export
■ Hardware assist required for ease of encryption but adds cost and design time
■ AES and 128 bit keys to WEP helps
■ Add IPSec hardware to 802.11 products
General Description: IEEE 802.1X Terminology
[Diagram: Semi-Public Network / Enterprise Edge on the left, Enterprise Network on the right]
■ Supplicant (PAE) speaks EAP to the Authenticator over EAPOL (EAP Over LAN) or EAPOW (EAP Over Wireless)
■ Authenticator (PAE), e.g. Switch or Access Point, exposes an Uncontrolled Port and a Controlled Port
■ Authenticator relays EAP to the Authentication Server as EAP Over RADIUS
IEEE 802.1X Over 802.11 Wireless
[Diagram: message sequence between Laptop Computer, Access Point and Radius Server; 802.11/EAPOW between laptop and access point, Radius over Ethernet between access point and Radius server]
■ Association: 802.11 Associate (Access Blocked)
■ EAPOL-Start (client to access point)
■ EAP-Request/Identity (access point to client); EAP-Response/Identity (client to access point)
■ Radius-Access-Request (access point to Radius server); Radius-Access-Challenge (Radius server to access point)
■ EAP-Request (access point to client); EAP-Response (Cred) (client to access point)
■ Radius-Access-Request (access point to Radius server); Radius-Access-Accept (Radius server to access point)
■ EAP-Success; EAPOW-Key (WEP) (access point to client)
■ Access Allowed
Introduction to MS-CHAP
■ Challenge Handshake Authentication Protocol
■ Authentication depends on a secret known only to authenticator and client

Challenge Message
■ Radius server sends challenge to client via access point
■ This challenge packet will vary for each authentication attempt
■ The challenge is pulled from information contained in a table of known secrets
■ New challenge can be sent at intervals based on Radius server settings, or upon client roaming

Calculated Hash
■ Client responds with a calculated value using a “one way hash” function
■ This value is derived from a known secrets list

Authentication Granted/Denied
■ Radius server checks response against its own calculated hash
■ If it matches, then authentication is acknowledged to AP and client
■ If authentication is not achieved, the AP will not permit any traffic for that client to pass
WEP Keys
■ WEP key is calculated by the Radius server, only after the authentication is completed
■ The key is passed to the Access Point for THAT single authenticated client. This is a session key
■ Client calculates the same WEP key
■ Key is never transmitted over RF

How Often Does the Key Change?
■ Every time a client roams to a new AP, it will go through the same authentication and session WEP key exercise
■ The Radius server will also require a new authentication/key at a timed interval (programmable)
■ This provides different WEP keys often, and totally unique keys to each client
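The 802.1X sequence, the MS-CHAP style challenge/response carried in EAP-Request and EAP-Response (Cred), and the per-client session key that both ends compute, as an added simulation that is not part of the original slides. It substitutes HMAC-SHA256 for the deck's unspecified “one way hash”, the 16-byte challenge and the session key derivation are assumptions, and the identities and secrets are constructed sample values.

```python
import hashlib, hmac, os

def derive_session_key(secret: bytes, challenge: bytes) -> bytes:
    # Both ends derive the 13-byte (104-bit) per-client WEP key locally (assumed KDF), so it never crosses the air.
    return hmac.new(secret, b"session" + challenge, hashlib.sha256).digest()[:13]

class RadiusServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets    # identity -> shared secret (constructed sample values)
        self.pending = {}         # identity -> outstanding challenge

    def access_challenge(self, identity: str) -> bytes:
        # Fresh random challenge per attempt, so a captured response cannot be replayed.
        self.pending[identity] = os.urandom(16)
        return self.pending[identity]

    def access_request(self, identity: str, response: bytes):
        challenge, secret = self.pending.pop(identity, None), self.secrets.get(identity)
        if challenge is None or secret is None:
            return None                                   # Access-Reject
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None                                   # Access-Reject
        return derive_session_key(secret, challenge)      # Access-Accept: key goes to the AP

class Supplicant:
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret, self.session_key = identity, secret, None

    def respond(self, challenge: bytes) -> bytes:
        # EAP-Response (Cred): one-way hash over the challenge; the secret itself is never sent.
        self.session_key = derive_session_key(self.secret, challenge)
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class AccessPoint:
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.controlled_port = {}  # identity -> session key; absent means the port is blocked

    def authenticate(self, supplicant: Supplicant) -> bool:
        # After EAPOL-Start and Identity, the AP relays the Radius challenge as EAP-Request and the EAP-Response back.
        challenge = self.radius.access_challenge(supplicant.identity)
        key = self.radius.access_request(supplicant.identity, supplicant.respond(challenge))
        if key is None:
            return False                                  # EAP-Failure: port stays blocked
        self.controlled_port[supplicant.identity] = key   # EAP-Success, EAPOW-Key
        return True

    def forwards_traffic(self, identity: str) -> bool:
        return identity in self.controlled_port
```

A wrong secret or a replayed response leaves the controlled port closed, and the key held by the AP equals the one the client derived without it ever being sent.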
Advantages of 802.1X for 802.11
■ Open, extensible and standards based
 – Enables interoperable user identification, centralized authentication, key management
 – Leverages existing standards: EAP (Extensible Authentication Protocol), Radius
 – Compatible with existing roaming technologies, enabling use in hotels and public places
■ User-based identification
■ Dynamic key management
■ Centralized user administration
 – Support for Radius (RFC 2138, 2139) enables centralized authentication, authorization and accounting
Why LEAP?
■ Cisco Lightweight EAP (LEAP) Authentication type
 – No native EAP support currently available on legacy operating systems
 – EAP-MD5 does not do mutual authentication
 – EAP-TLS (certificates/PKI) too intense for security baseline feature set
 – Quick support on multitude of host systems
 – Lightweight implementation reduces support requirements on host systems
 – Need support in backend for delivery of session key to access points to speak WEP with client
Cisco LEAP Deployment
[Diagram: Laptop Computer with LEAP Supplicant, Wireless EAP Access Point, Ethernet Backbone, LEAP Radius Server, Network Logon]

Client/Supplicant (Laptop Computer with LEAP Supplicant)
■ Driver for OS x: Win 95/98, Win NT, Win 2K, Win CE, MacOS, Linux
■ LEAP Authentication support
■ EAP-LEAP today, EAP-TLS soon, …

Authenticator (Wireless EAP Access Point)
■ EAP Authenticator
■ LEAP Authentication support
■ Dynamic WEP key support
■ Capable of speaking EAP

Backend/Radius server (LEAP Radius Server)
■ Cisco Secure ACS 2.6
■ Radius DLL
■ Authentication database; can use Windows user database
■ MS-MPPE-Send-key support
■ EAP extensions for Radius
What Does the Radius Server Perform?
■ Authentication
■ Generates dynamic session key
■ Sends session key to access point

What Does the AP Perform?
■ On successful authentication
 – Send broadcast WEP key to client
 – Maintain client’s WEP key
 – Start running WEP with client
 – Distribute pre-auth
Future EAP Client Work?
■ Microsoft placing 802.11 EAP native supplicant in
 – Win2K, WinCE
■ What about other Microsoft OS’s?
 – Win9x/WinNT (need LEAP)
■ What about other OS’s?
 – Linux, MacOS (need LEAP)
Standards Update
■ 802.1X current status
 – Draft 8: http://www.manta.IEEE.org/groups/802/1/pages/802.1x.html
 – Scheduled for letter ballot, January 2001
■ 802.11 security
 – TGe (Task Group E) working on security and QoS extensions to the 802.11 MAC layer
 – TGe Security sub-group chair: Dave Halasz (Cisco-Aironet Engineering)
 – Joint multi-vendor 802.1X for 802.11 proposal accepted as baseline security document
Presenters Contact Information
■ Philip Ardire - Western DataCom, 440-8.35-1510
■ Brian Casto - ICI Networks, 330-256-7770