  1. Week 10 Short Lecture Lab
  2. POP Quiz
     - What is the security spec for 802.11?
     - Define TKIP?
     - How can you locate a rogue AP?
     - Which tool is used to attack IPsec deployments?
     - What is VOID11 used for?
     - What encryption standard is WEP based on?
  3. Wireless Is Addicting: Once You Use It You Can’t Live without It
  4. So what is the “business impact” of security?
     - According to the Computer Crime and Security Survey 2002, by the Computer Security Institute (CSI) and the FBI:
       - 44% of respondents (223 total) were able to quantify financial losses of $455M, or $2.05M per survey respondent
       - 90% detected computer security breaches within the last 12 months. 80% acknowledged financial loss due to breach.
       - 85% detected computer viruses
       - 40% experienced Denial-of-Service attacks
     Source: FBI and Computer Security Institute (CSI) Computer Crime and Security Survey 2002
     Link: Security Breaches Have Real Costs
  5. Baseline Technology Standards, Encryption, Protection Product security features Security tools and products Planning for Security Prevention Detection Reaction Technology, Process, People Dedicated Staff Training Security - a mindset and a priority
  6. Intro to Wireless Networks: Tools and Technologies
     - Internet Authentication Server (IAS)
       - Acts as a RADIUS proxy
       - Handle authentication requests
     - Remote Authentication Dial-in User Server (RADIUS)
     - Extensible Authentication Protocol (EAP)
  7. Setting up a Wireless Network: Authentication Services
     - Open System
       - Does not provide authentication
       - Identification using the wireless adapter's MAC address
     - Shared Key
       - Verifies that an authenticating wireless client has knowledge of a shared secret key
       - Similar to preshared key authentication in Internet Protocol security (IPsec)
  8. Setting up a Wireless Network: Authentication
     - EAP-TLS
       - Does not require any dependencies on the user account password
       - Authentication occurs automatically, with no intervention by the user
       - Uses certificates, providing a strong authentication scheme
  9. Setting up a Wireless Network: Active Directory
     - IAS as a RADIUS proxy security considerations
       - Shared secrets
       - Firewall configuration
       - Message Authenticator attribute
       - Using IPSec filters to lock down IAS proxy servers
       - Password Authentication Protocol (PAP)
  10. Setting up a Wireless Network: Security Issues With 802.11
     - No per-packet authentication
     - Vulnerability to disassociation attacks
     - No user identification and authentication
     - No central authentication, authorization, and accounting support
     - RC4 stream cipher is vulnerable to known-plaintext attacks
     - Some implementations derive WEP keys from passwords
     - No support for extended authentication
  11. Security in a Wireless World: Basic Steps to Authentication
     [Diagram: STA, AP; labels: ID, CHALLENGE, Traffic]
  12. Security in a Wireless World: Basic Steps to Authentication
     [Diagram: STA, AP, RADIUS; labels: ID, REQUEST, CREDENTIALS, SUCCESS, KEY]
  13. Dynamic WEP Key Management
     [Diagram: Laptop computer, access point (Fast Ethernet), RADIUS; EAPOW over 802.11 on the wireless side, RADIUS on the wired side]
     Message sequence:
     - 802.11 Associate
     - Access Blocked
     - EAPOL-Start
     - EAP-Request/Identity
     - EAP-Response/Identity
     - Radius-Access-Request
     - Radius-Access-Challenge
     - EAP-Request
     - EAP-Response (Credential)
     - Radius-Access-Request
     - Radius-Access-Accept
     - EAP-Success
     - EAPW-Key (WEP)
     - Access Allowed
  14. Security in a Wireless World: RADIUS Best Practices
     - Deployment
       - Implement EAP and EAP types that use strong authentication methods
       - Implement authentication methods that use mutual authentication
       - If you implement PAP authentication, disable its use by default
       - If you implement CHAP authentication, use a strong CHAP challenge
  15. Security in a Wireless World: RADIUS Best Practices
     - Implementation
       - Strong shared secrets
       - Use a different shared secret
       - Require Message-Authenticator attribute
       - Disable the use of LAN Manager encoding
       - A strong EAP and an EAP type
  16. Pros & Cons of Wireless Security
  17. Pros & Cons of Wireless Security
  18. Six-Steps for Wireless Security
     - Enable 128-bit session encryption
     - Configure RADIUS server authentication
     - Force 30-minute periodic authentication for all users
     - Require use of VPN to access critical resources
     - Restrict LAN access rights by role
     - Implement two-factor authentication scheme using access tokens
     * Source: Computerworld
  19. Challenge Message
     - Radius server sends challenge to client via access point
     - This challenge packet will vary for each authentication attempt
     - The challenge is pulled from information contained in a table of known secrets
     - New challenge can be sent at intervals based on Radius server settings, or upon client roaming
  20. Calculated HASH
     - Client responds with a calculated value using a “one way hash” function
     - This value is derived from a known secrets list
  21. Authentication Granted/Denied
     - Radius server checks response against its own calculated hash
     - If it matches, then authentication is acknowledged to AP and client
     - If authentication is not achieved, the AP will not permit any traffic for that client to pass
  22. Six-Steps for Wireless Security
     - Enable 128-bit session encryption
     - Configure RADIUS server authentication
     - Force 30-minute periodic authentication for all users
     - Require use of VPN to access critical resources
     - Restrict LAN access rights by role
     - Implement two-factor authentication scheme using access tokens
     * Source: Computerworld
  23. Why LEAP?
     - Cisco Lightweight EAP (LEAP) Authentication type
       - No native EAP support currently available on legacy operating systems
       - EAP-MD5 does not do mutual authentication
       - EAP-TLS (certificates/PKI) too intense for security baseline feature-set
       - Quick support on multitude of host systems
       - Lightweight implementation reduces support requirements on host systems
       - Need support in backend for delivery of session key to access points to speak WEP with client
  24. AT&T Labs Technical Report TD-4ZCPZZ.
     - Using the Fluhrer, Mantin, and Shamir paper a practical test was conducted by AT&T Labs. In this document the statement is made:
     - “There do exist proprietary solutions that allow each mobile node to use a distinct WEP key, most notably Cisco’s LEAP protocol. LEAP sets up a per-user, per-session WEP key when a user first authenticates to the network. This complicates the attack, but does not prevent it so long as a user’s “session” lasts sufficiently long.”
  25. Cisco LEAP Deployment
     - Radius
     - Cisco Secure ACS 2.6
     - Authentication database
     - Can use Windows user database
     - Radius DLL
     - LEAP Authentication support
     - MS-MPPE-Send-key support
     - EAP extensions for Radius
     - EAP Authenticator
     - EAP-LEAP today
     - EAP-TLS today
     - …
     [Diagram labels: Client/Supplicant | Authenticator | Backend/Radius server | LEAP Radius Server | Laptop Computer with LEAP Supplicant | Wireless EAP Access Point | Backbone | Ethernet]
     - Network Logon
     - Win 95/98
     - Win NT
     - Win 2K
     - Win CE
     - MacOS
     - Linux
     - Driver for OS x
     - LEAP Authentication support
     - Dynamic WEP key support
     - Capable of speaking EAP
  26. Security Evolution
     - Static keying
       - WEP (Wired Equivalent Privacy)
       - TKIP (Temporal Key Integrity Protocol)
       - AES (Advanced Encryption Standard)
     - IEEE 802.1x dynamic keying (EAP-TLS, EAP-TTLS, PEAP)
       - IEEE 802.1x dynamic WEP keying
       - IEEE 802.1x dynamic TKIP keying
       - IEEE 802.1x dynamic AES keying
     - VPN (Virtual Private Network) over WLAN
  27. TKIP
     - Unique dynamic TKIP key by mixing WEP keys with MAC address.
     - MIC (Message Integrity Code) prevents hackers from forging packets in the air.
  28. IEEE 802.11i
     - IEEE 802.1x (EAP-TLS, EAP-TTLS, PEAP)
     - TKIP
     - AES-CCMP
       - Needs new hardware.
     - Secure IBSS (Ad-hoc)
     - Secure handoff
  29. IEEE 802.1x in Action (EAP-MD5)
     [Diagram: Notebook, Access Point, RADIUS Server]
     Message sequence:
     - EAPOL-Start (I would like to connect to the network!)
     - EAP-Request/Identity (Who are you?)
     - EAP-Response/Identity (I am Bernard)
     - Radius-Access-Request (A guy called Bernard wants to come into the network)
     - Radius-Access-Challenge (Tell me his password)
     - EAP-Request (Tell me your password)
     - EAP-Response[credentials] (My password is XXXXX)
     - Radius-Access-Request (His password is XXXXX)
     - Radius-Access-Accept (Ok! Let him in)
     - EAP-Success (Welcome!)
  30. Community Hacking Efforts
     - Warchalking: Leaving cryptic symbols to inform others about “free” WLAN connections
     - More hype than hot
  31. Built-in WLAN Security: WLAN Firmware Security Will Not Be Enough to Secure Wireless
     - Wired Equivalent Privacy (WEP)
       - Provides encryption based on RC-4 cipher
     - Wi-Fi Protected Access (WPA)
       - Uses dynamic keys and advanced encryption
     - 802.1x
       - Provides authentication using Extensible Authentication Protocol (EAP)
     - 802.11i
       - Advanced encryption and authentication
  32. 802.11i and WPA
     - Uses 802.1x authentication
     - Uses Temporal Key Integrity Protocol (TKIP) to dynamically change encryption keys after 10,000 packets are transferred
     - Uses Advanced Encryption Standard (AES) encryption, which is much better than WEP
     - A subset of 802.11i, Wi-Fi Protected Access (WPA) is available as a firmware upgrade today
  33. 802.11i and WPA Pitfalls
     - Keys can be cracked using much less than 10,000 packets
     - Michael feature: shuts down AP if it receives two login attempts within one second. Hackers can use this to perpetrate a DoS attack.
     - 802.11i is yet to be released (Sometime in 2003?)
  34. Quiz
  35. Homework
     - Describe Radius authentication in your own words.
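
The challenge/response check described in slides 19 to 21 (and carried by the EAP-MD5 exchange in slide 29), as an added example that is not part of the original slides. It assumes the CHAP construction from RFC 1994, MD5(identifier || secret || challenge), with a random per-attempt challenge; the `RadiusServer` class, user name and secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the user name and shared secret are illustrative only.
USER_SECRETS = {"bernard": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP / EAP-MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class RadiusServer:
    """Toy stand-in for the server side of slides 19 to 21 (hypothetical class)."""

    def __init__(self, secrets_table):
        self.secrets_table = secrets_table
        self.pending = {}  # user -> (identifier, challenge) awaiting a response
        self.next_id = 0

    def issue_challenge(self, user: str):
        # Slide 19: the challenge varies per attempt; random bytes defeat replay.
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = secrets.token_bytes(16)
        self.pending[user] = (self.next_id, challenge)
        return self.next_id, challenge

    def verify(self, user: str, response: bytes) -> bool:
        # Slide 21: compare against the server's own hash. The challenge is
        # single-use, so it is removed whether or not the response matches.
        state = self.pending.pop(user, None)
        secret = self.secrets_table.get(user)
        if state is None or secret is None:
            return False
        identifier, challenge = state
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = RadiusServer(USER_SECRETS)
    ident, chal = server.issue_challenge("bernard")
    good = chap_response(ident, USER_SECRETS["bernard"], chal)
    accepted = server.verify("bernard", good)
    # A captured response replayed against a newly issued challenge must fail.
    server.issue_challenge("bernard")
    replay_accepted = server.verify("bernard", good)
    # A client that does not know the secret fails even with a fresh challenge.
    ident3, chal3 = server.issue_challenge("bernard")
    wrong = server.verify("bernard", chap_response(ident3, b"guess", chal3))
    return accepted, replay_accepted, wrong
```

The exchange authenticates only the client to the server, which is the "EAP-MD5 does not do mutual authentication" limitation noted in slide 23.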