ASSEMBLING A SECURE 802.11 WIRELESS NETWORK
Joerg Fritsch, NATO C3 Agency
RSA Conference 2005, 18 Oct, 2pm, Austria Center Vienna
Session learning objectives

•   Understand the meaning of NIST recommendations and ‘FIPS’ compliance.
•   Introduce the building blocks of a secure 802.11 wireless network.
•   Visualize aspects of site survey, planning and roll-out of a secure wireless network.
•   Discriminate between ‘WLAN compatible’ and ‘security compatible’ equipment.
•   Know why this is important for your future plans.

What is a “NIST compliant” WLAN?

•   U.S. NIST = National Institute of Standards and Technology
•   NIST WLAN = 56 recommendations
    http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
•   Last updated in November 2002, but still pretty much up-to-date and relevant to implementers
•   Mainly standards which were (at that time) still in the draft stage
•   Rumor about a proposed update since the beginning of 2005
    http://www.findarticles.com/p/articles/mi_qa3649/is_200501/ai_n9468284
•   NIST makes recommendations, not law, not recipes

“NIST compliant” = new standards (i.e. be brave…)

•   Network authentication
    —   802.1x
    —   EAP, EAP-FAST
    —   LEAP etc.
•   Temporal key management
    —   WPA, WPAv2
•   Ciphers
    —   AES
    —   TKIP

What are the building blocks?

•   Users (fixed, or mobile)
•   Access points
•   Authentication (this is new, compared to traditional WLAN)
•   Confidentiality
    —   Link encryption by APs
    —   IPSec overlay (fully FIPS compliant WLANs; this is also a new idea)
•   Monitoring and logging
•   Physical security of the APs

What about FIPS compliance?

•   (U.S.) Federal Information Processing Standard
•   “Mandatory” feature that equipment bought by the government must support
•   Currently there are no FIPS compliant wireless access points
•   Be careful! Some vendors advertise this, but they really mean a combination of AP and VPN
•   FIPS 140-2 compliance is always generated by some sort of VPN concentrator (at our site Cisco VPN 3K)

IPSEC overlay: Fully NIST and FIPS compliant WLANs

Advantages
•   Fully “NIST compliant”
•   Common vulnerabilities (i.e. during association of the WLAN client) do not fire.
•   Increases security and interoperability
•   Integrates well with strong authentication

Disadvantages
•   Industry's efforts are aiming for integrated wireless networks
•   ! You cut the link between you and the rest of the world
•   VPN client required (compatibility, interoperability!)
•   Single Sign On is hard to achieve

There are two ways to assemble the building blocks: WLAN collocated with LAN

•   We prefer this implementation framework because
    —   SSO for all WLAN clients
    —   Additional software (VPN client) optional
    —   All private network services available for WLAN clients
          •   File and print services
          •   VLAN segmentation
          •   VoIP

There are two ways to assemble the building blocks: WLAN segregated from LAN

•   Additional security
•   Integrates best with
    —   IPSEC overlay
    —   Server based computing
•   WLAN itself still needs to be secured
•   Firewall policy will easily become permissive if not implemented in conjunction with IPSEC overlay or server based computing
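To make the last point concrete, here is an added example (not from the deck or from NC3A) that lints a WLAN-segment firewall policy for the segregated design with an IPsec overlay: from the WLAN, only tunnel set-up (IKE, NAT-T) and ESP to the VPN concentrator should be permitted, and the policy should end in an explicit deny. The rule format, the concentrator address 192.0.2.10 and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "udp", "tcp", "esp" or "any"
    dst: str             # destination CIDR, or "any"
    port: Optional[int]  # destination port; None when not applicable


# Hypothetical address of the VPN concentrator that terminates the IPsec overlay.
VPN_CONCENTRATOR = ip_network("192.0.2.10/32")

# The only WLAN-to-LAN flows the overlay itself needs: IKE, NAT-T and ESP.
OVERLAY_FLOWS = {("udp", 500), ("udp", 4500), ("esp", None)}


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def lint_policy(rules: List[Rule]) -> List[str]:
    """One finding per permit that lets WLAN traffic around the overlay,
    plus a finding when the policy does not end in an explicit deny."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if _net(r.dst).subnet_of(VPN_CONCENTRATOR) and (r.proto, r.port) in OVERLAY_FLOWS:
            continue  # tunnel set-up or ESP to the concentrator: expected
        findings.append(f"permit {r.proto}/{r.port or 'any'} to {r.dst} bypasses the IPsec overlay")
    if not rules or rules[-1].action != "deny":
        findings.append("policy lacks an explicit final deny")
    return findings


# Constructed sample policy: two tight rules, then the creep the slide warns about.
SAMPLE_POLICY = [
    Rule("permit", "udp", "192.0.2.10/32", 500),
    Rule("permit", "esp", "192.0.2.10/32", None),
    Rule("permit", "tcp", "192.0.2.0/24", 445),  # file services straight from the WLAN
    Rule("permit", "any", "any", None),          # "just to make it work"
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```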
Planning of a NIST compliant WLAN net

•   All the stuff for a regular installation
    —   Site survey tools
          •   RF propagation software
          •   Antennas, cards & GPS
          •   Floor plans
    —   Site survey
          •   Selection of cell size and antennas
          •   General positioning indoor/outdoor
    —   Recommendations on physical security vs shielding & interference
•   … plus physical security of the APs (manipulation, theft)
•   … this can make your life much, much harder

Rolling out a NIST-compliant WLAN net (Here’s what we did at NC3A)

•   Our design goals
•   Our security goals
•   Our implementation plan
•   What we bought and our experience of implementing it
•   What we have learned (so far…)
    —   How it fits with our existing hardware and software (if it’s only 6 months old, can you call it “legacy”???)
    —   Risk evaluation!!!!!!!

Primary Design Goals

•   Following the U.S. NIST security guidelines for governmental use
    —   Not required in NATO as yet, but probably a “best practice”
•   Building a network that
    —   provides acceptable privacy for a NATO UNCLASSIFIED network
    —   is not too difficult to implement
    —   can teach us about future, higher-security WLAN nets
•   New features supportable on our existing hardware
•   Preserving the advantages of a traditional WLAN
    —   Mobility
    —   User friendly
    —   Low administrative overhead

Security Goals

•   Do the best we can do (remember, it’s NATO UNCLASSIFIED)
•   Do not cut the link between us and the rest of the world
•   Mitigate known risks
•   Imagine the unknown risks
•   Know who is on our network (and who might try to sneak in)
•   Understand what we are doing, and why
•   Visualize the new network perimeter

We live in a simple security environment (not everyone is so lucky)

We can place APs in corridors where they are visible and accessible.

Fitting the APs to the Physical Building

We find that even simple RF propagation models are quite effective and realistic … but you need to have good physical building plans.

What we bought

•   Authentication:
    —   Funk “Steel Belted Radius” Server
    —   Microsoft Windows Domain Controller
•   Access points: Cisco 1200 Access Points
•   Antennas: 2 dBi omni-directional, ceiling mountable
•   Confidentiality:
    —   WPA/TKIP or WPAv2/AES through Cisco IOS on APs
    —   FIPS-compliant Cisco VPN 3000 is used alternatively
•   Monitoring and logging: OpenSystems Envision HA

What we bought (continued)

•   Cisco 6509 Wireless Service Module
    —   Centralized management of APs
    —   Achieve roaming qualities good enough for 802.11g telephones
•   Clients: Disable Windows Zero Configuration Utility
    —   Several vendor (laptop) client utilities in use
          •   Atheros, IBM, Dell TrueMobile, Cisco all work for us
    —   Meanwhile a long list of “Cisco Compatible Client Devices” has been published (this was not there when we started …)
          http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
•   No security compatible wireless print servers available
    —   Lowest common denominator: WPA-PSK
    —   Print servers segregated from LAN

Problems we had during installation (and how we solved them)

•   New wireless networks require a lot of new wires to be pulled throughout the building
    —   We rejected the “wireless, wireless” approach to get more usable bandwidth throughout the building
•   Changed our minds several times on authentication
    —   Cisco LEAP, PEAP/Microsoft CHAPv2, EAP-TLS
    —   Settled on LEAP (straightforward implementation, easy reauthentication through cached credentials)
•   New equipment first available with FCC certification, then re-configured for non-US channel schemes
    —   We started with US-legal equipment for testing and prototyping, then waited for “street-legal” European models

Lessons Learned

•   Do not compare a corporate WLAN to your living room WLAN
    —   Corporate WLANs can use: authentication, VLAN tagging, multiple SSIDs, fast roaming, positioning engines
•   WiFi compatible is not security compatible
    —   “WiFi certified” = interoperability of equipment on an unprotected hotspot
•   Secure WLANs need excellent signal stability; i.e. FCC-approved equipment is not good enough for a secure ETSI WLAN
    —   FCC client adapters get de-authenticated frequently without any obvious reason
•   Expect incompatibilities even within the product lines of a single vendor
    —   Problems and fixed bugs sometimes reappear after a firmware upgrade (i.e. de-authentication at high network load or when USB devices are (dis)connected)
•   Even reasonably-priced RF propagation models turned out to be very accurate
    —   EKAHAU Site Survey, ESS

So what? Why is this useful to you?

•   NIST-compliant WLAN is an “interesting” technology
•   It’s not super-secure but it attempts to go a significant step beyond commercial “best practice”
•   It is not influenced by any vendor, or any network philosophy
•   Since we must live with WLAN, this is a way to sleep easily at night
•   By forcing consideration of AP physical security, it may also force an evaluation of other physical security issues. This is good.
•   (left as an exercise for the student)

Questions & Answers

Thank you for your attention
joerg.fritsch@nc3a.nato.int

If you were in “their” shoes: What you need to attack WLANs

•   NO Pringles antenna!
•   Educated guesses
•   Time!!! – If they are not carried out in a staged or protected lab environment, most attacks need time
•   Wireless network sniffers and analyzers
    —   Kismet, http://www.kismetwireless.net
    —   Netstumbler, http://www.netstumbler.org
    —   Airopeek, http://www.airopeek.com
•   Tools to decrypt WEP keys
    —   Airsnort, http://airsnort.shmoo.com
    —   Weplab, http://weplab.sourceforge.net
    —   Chopchop

If you were in “their” shoes: What you need to attack WLANs (continued)

•   WPA disassociation/de-authentication attacks
    —   Airforge (re-inject packets – such as de-authentication packets), http://new.remote-exploit.org
•   Attacks on the LEAP authentication
    —   Asleap, http://asleap.sourceforge.net
•   WPA PSK brute force attacks
    —   Cowpatty, http://sourceforge.net/projects/cowpatty
•   Attacks on the wireless client
    —   Airpwn, http://airpwn.sourceforge.net
    —   Hotspotter, http://new.remote-exploit.org
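As a defensive counterpart to the de-authentication attacks listed above, and to the spontaneous de-authentications noted under Lessons Learned, here is an added example (not from the deck) that scans AP syslog for per-station de-authentication bursts, which separates a flood in a few seconds from the occasional drop of a flaky adapter. The log format is loosely modelled on Cisco IOS AP messages but is an assumption, and the log lines, AP names and station addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log; the message format is an assumption, not a captured trace.
SAMPLE_LOG = """\
Oct 18 14:00:01 ap-corridor-2 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: 2
Oct 18 14:00:02 ap-corridor-2 %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated
Oct 18 14:00:02 ap-corridor-2 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: 2
Oct 18 14:00:03 ap-corridor-2 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: 2
Oct 18 14:00:04 ap-corridor-2 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: 2
Oct 18 14:00:05 ap-corridor-2 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: 2
Oct 18 14:00:30 ap-corridor-1 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 00aa.bbcc.ddee Reason: 8
Oct 18 14:03:10 ap-corridor-1 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 00aa.bbcc.ddee Reason: 8
Oct 18 14:07:45 ap-corridor-1 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 00aa.bbcc.ddee Reason: 8
"""

# Timestamp, AP host name and station address of a de-authentication message.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) %DOT11-6-DISASSOC: .*?Station "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def parse_deauths(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Return (time, ap, station) for every de-authentication line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog carries no year; only time differences matter here
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3).lower()))
    return events


def find_deauth_bursts(events, threshold: int = 5, window_s: int = 10) -> Dict[str, Tuple[str, datetime]]:
    """Map station -> (ap, time) for stations with >= threshold de-auths inside a window_s sliding window."""
    recent: Dict[str, deque] = defaultdict(deque)
    bursts: Dict[str, Tuple[str, datetime]] = {}
    for ts, ap, sta in sorted(events):
        q = recent[sta]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and sta not in bursts:
            bursts[sta] = (ap, ts)
    return bursts


if __name__ == "__main__":
    for sta, (ap, when) in find_deauth_bursts(parse_deauths(SAMPLE_LOG)).items():
        print(f"de-auth burst: station {sta} on {ap} at {when:%H:%M:%S}")
```

The threshold and window are tunable; a long window with a low threshold also surfaces the slow, repeated drops that the deck attributes to FCC client adapters.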