Ch. 8 – Security This presentation was originally created by Prof. Rick Graziani. Few Modifications were made by Prof. Yousif Overview • The goals of network security are to maintain integrity, protect • • • • confidentiality, and ensure availability. The exponential growth of networking, including wireless technologies, has lead to increased security risks. Many of these risks are due to hacking, as well as improper uses of network resources. The specific weaknesses and vulnerabilities of WLANs will be covered. Security configuration for APs, bridges, and clients will be shown and explained. Security Fundamentals What is security? • Security usually refers to ensuring that users can perform only the tasks that they are authorized to do and can obtain only the information that they are authorized to have. WLAN vulnerabilities CommView DriftNet • WLANs are vulnerable to specialized attacks. • Many of these attacks exploit technology weaknesses since 802.11 • • WLAN security is relatively new. There are also many configuration weaknesses since some companies are not using the security features of WLANs on all their equipment. Many devices are shipped with default administrator passwords. WLAN threats • There are four primary classes of threats to wireless security: 1. Unstructured threats - individuals using easily available hacking tools 2. Structured threats - Hackers who are more highly motivated and technically competent. These people know wireless system vulnerabilities, and they can understand and develop exploit-code, scripts, and programs. 3. External threats - They work their way into a network mainly from outside the building such as parking lots, adjacent buildings or common areas. 4. Internal threats - internal access and misuse account for 60 to 80 percent of reported incidents. Security Fundamentals • Wireless attack methods can be broken up into three categories: 1. Reconnaissance 2. Access attack 3. Denial of Service (DoS) Reconnaissance • Reconnaissance is the unauthorized discovery and mapping of • • • systems, services, or vulnerabilities. – Not usually illegal, but is illegal in some countries. It is also known as information gathering and it usually precedes an actual access or DoS attack. Reconnaissance is similar to a thief scouting a neighborhood for unsecure homes. Wireless reconnaissance is often called wardriving. Reconnaissance - Wardriving Maps Stumbler Code of Ethics v0.2 • http://www.worldwidewardrive.org/ • By Renderman • • • • • Render@Renderlab.net These are by no means rules that must be followed, but they are a collection of suggestions for safe, ethical, and legal stumbling. I encourage you to follow them and to inform others of them to help keep this hobby safe and legal. 1. Do Not Connect!!: At no time should you ever connect to any AP's that are not your own. Disable client managers and TCP/IP stacks to be sure. Simply associating can be interpreted as computer trespass by law enforcement. 2. Obey traffic laws: It's your community too, the traffic laws are there for everyone's safety including your own. Doing doughnuts at 3am gets unwanted attention from the authorities anyways. Stumbler Code of Ethics v0.2 • 3. Obey private property and no-trespassing signs: • Don't trespass in order to scan an area. That's what the directional • • • • • • antenna is for :) You wouldn't want people trespassing on your property would you? 4. Don't use your data for personal gain: Share the data with like-minded people, show it to people who can change things for the better, use it for education but don't try and make any money or status off your data. It's just wrong to expect these people to reward you for pointing out their own stupidity. 5. Be like the hiker motto of 'take only pictures, leave only footprints': Detecting SSID's and moving on is legal, anything else is irresponsible to yourself and your community. 6. Speak intelligently to others: When telling others about wardriving and wireless security, don't get sensationalistic. Horror stories and FUD are not very helpful to the acceptance of wardrivers. Speak factually and carefully, Point out problems, but also point out solutions, especially how we are not the problem because we don't connect. Stumbler Code of Ethics v0.2 • 7. If/When speaking to media, remember you are representing the • • community: Your words reflect on our entire hobby and the rest of us. Do not do anything illegal no matter how much they ask. They may get pissed off, but at least you have demonstrated the integrity that this hobby requires. This document is merely a set of suggestions for the Wardriving community, assembled over time from the Wardriving community. This is a living document so it will be updated from time to time. Suggestions and comments should be sent to Render@Renderlab.net. Feel free to copy, just make sure to leave the credits intact and a link back to the original if possible. Reconnaissance • Commercial wireless protocol analyzers like AiroPeek (by • • • WildPackets), AirMagnet, or Sniffer Wireless can be used to eavesdrop on WLANs. Free protocol analyzers like Ethereal or tcpdump fully support wireless eavesdropping under Linux. Utilities used to scan for wireless networks can be active or passive. Passive tools, like Kismet, transmit no information while they are detecting wireless networks. Access AirSnort • System access, in this context, is the ability for an unauthorized • • intruder to gain access to a device for which the intruder does not have an account or password. Entering or accessing systems to which one does not have authorized access usually involves running a hack script or tool that exploits a known vulnerability of the system or application being attacked. Includes – Exploitation of weak or non-existent passwords – Exploitation of services such as HTTP, FTP, SNMP, CDP, and Telnet. Access - Rogue AP Attack • Most clients will associate to the access point with the strongest signal. • • If an unauthorized AP, which is generally a rogue AP, has a strong signal, clients will associate to the rogue AP. The rogue AP will have access to the network traffic of all associated clients. The rogue AP can also use ARP and IP spoofing to trick clients into sending passwords and sensitive information. CiscoWorks WLSE detects Rogue APs Access - Wired Equivalent Privacy (WEP) Attacks AirSnort • Attacks against WEP include Bit Flipping, Replay Attacks, and Weak IV • • collection. Many WEP attacks have not been released from the laboratory, but they are well documented. One utility, called AirSnort, captures weak Initialization Vectors to determine the WEP key being used. Denial of service (DoS) • DoS is when an attacker disables or corrupts wireless networks, • • systems, or services, with the intent of denying the service to authorized users. DoS attacks take many forms. In most cases, performing the attack simply involves running a hack, script, or tool. • One utility, called Wlan Jack, sends fake disassociation packets, which disconnect 802.11 clients from the access point. Basic WLAN Security Technologies The WLAN security wheel • An effective wireless security policy works to ensure that the network • • assets of the organization are protected from sabotage and from inappropriate access, which includes both intentional and accidental access. All wireless security features should be configured in compliance with the security policy of the organization. If a security policy is not present, or if the policy is out of date, the policy should be created or updated before deciding how to configure or deploy wireless devices. First generation wireless security • Many WLANs used the Service Set Identifier (SSID) as a basic form of • • security. Some WLANs controlled access by entering the media access control (MAC) address of each client into the wireless access points. Neither option was secure, since wireless sniffing could reveal both valid MAC addresses and the SSID. AP: "Allow any SSID" • Most access points have options like "SSID broadcast" and "Allow any • • • • • SSID". These features are usually enabled by default and make it easy to set up a wireless network. The "Allow any SSID" option permits the access point to allow access to a client with a blank SSID. The "SSID broadcast" sends beacon packets that advertise the SSID. Disabling these two options does not secure the network, since a wireless sniffer can easily capture a valid SSID from normal WLAN traffic. SSIDs should not be considered a security feature. AP: "Allow any SSID" No Client SSID, but Associated! AP Default Set Guest Mode SSID • If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. • The access point includes the guest SSID in its beacon. • By default, the access point's default SSID, tsunami, is set to guest mode. • However, to keep your network secure, you should disable the guest mode SSID on most access points. AP: “Do NOT allow any SSID" No Client SSID, NOT Associated! Changed to NONE • Setting the Guest Mode SSID to NONE, will not allow clients that do • • • not have and SSID to be able to associate. Remember, it’s not difficult for someone to get the SSID, so this should not be a security measure. The next step should be configuring WEP, WPA, or some other authentication/encryption on your AP. You cannot have the same SSID set as Guest Mode and authentication/encryption. Wired equivalent privacy (WEP) AP 128 bit WEP is sometimes referred to, and more accurately, as 104 bit WEP. ACU Also, be sure Transmit Key numbers match, I.e. Key 1 on the both AP and ACU. • The IEEE 802.11 standard includes WEP to protect authorized users of • • • • a WLAN from casual eavesdropping. The IEEE 802.11 WEP standard specified a 40-bit key, so that WEP could be exported and used worldwide. Most vendors have extended WEP to 128 bits or more. When using WEP, both the wireless client and the access point must have a matching WEP key. WEP is based upon an existing and familiar encryption type, Rivest Cipher 4 (RC4). Authentication and association Probe process Authentication process Successful Authentication State 1 Unauthenticated Unassociated Association process Successful Association State 2 Authenticated Unassociated Deauthentication State 3 Authenticated Associated Disassociation • Open Authentication and Shared Key Authentication are the two • • methods that the 802.11 standard defines for clients to connect to an access point. The association process can be broken down into three elements known as probe, authentication, and association. This section will explain both authentication methods. Open Authentication • Open Authentication is basically a null authentication, which means there is no verification of the user or machine. Authentication Process (Review) • On a wired network, authentication is implicitly provided by the physical • • cable from the PC to the switch. Authentication is the process to ensure that stations attempting to associate with the network (AP) are allowed to do so. 802.11 specifies two types of authentication: – Open-system – Shared-key (makes use of WEP) Authentication Process – Open-System (Review) • Open-system authentication is really “no authentication”. • Open-system authentication is the only method required by 802.11 • – You could buy an AP that doesn’t support Shared-key The client and the station exchange authentication frames. Authentication Process – Open-System (Review) Frame Control omitted in this Authentication Response • The client: • – Sets the Authentication Algorithm Number to 0 (open-system) – Set Authentication Transaction Sequence Number to 1 The AP: – Sets the Authentication Algorithm Number to 0 (open-system) – Set Authentication Transaction Sequence Number to 2 – Status Code set to 0 (Successful) Open Authentication • Typical Open Authentication on both AP and Client with No WEP keys Open Authentication and WEP • Remember there are three steps to Association: • • • – Probe – Authentication – Association A client can associate with an AP, but use WEP to send the encrypted data packets. Authentication and data encryption are two different things. – Authentication – Is the client allowed to associate with this AP? – Encryption – Encrypts the data (payload) and ICV (Integrity Check Value) fields of the 802.11 MAC, not the other fields. So a client could Associate with the AP, using Open Authentication (basically no authentication), but use WEP to encrypt the data frames sent after its associated. Open Authentication and WEP Associated but data cannot be sent or received, since it cannot be unencrypted. • • • • In some configurations, a client can associate to the access point with an incorrect WEP key or even no WEP key. – The AP must be configured to allow this (coming). A client with the wrong WEP key will be unable to send or receive data, since the packet payload will be encrypted. Keep in mind that the header is not encrypted by WEP. Only the payload or data is encrypted. Open Authentication - Optional WEP Encryption (AP) • • • 802.11 allows client to associate with AP. Cisco AP must have WEP Encryption set to Optional Association successful with any of these options on the client: – Matching WEP key – Non-matching WEP key – No WEP key Authentication Process – Shared-Key • Shared key requires the client and the access point to have the same • • • WEP key. An access point using Shared Key Authentication sends a challenge text packet to the client. If the client has the wrong key or no key, it will fail this portion of the authentication process. The client will not be allowed to associate to the AP. Authentication Process – Shared-Key (Review) • Shared-key authentication uses WEP (Wired Equivalent Privacy) and • can only be used on products that support WEP. 802.11 requires any stations that support WEP to also support sharedkey authentication. Authentication Process – Shared-Key (Review) Shared-key = RadiaPerlman Shared-key = RadiaPerlman Authentication Request with Challenge Text Authentication Response with Status Code • WEP is an encryption algorithm, not a method of authentication. • Shared-key authentication makes use of WEP, and therefore can only • • be used on APs and clients that implement WEP. However, 802.11 requires that any stations implementing WEP also implement shared key authentication. Shared-key authentication requires that a shared key be distributed to stations before attempting authentication. Authentication Process – Shared-Key (Review) • • • • The client: – Sets the Authentication Algorithm Number to 1 (shared-key) – Set Authentication Transaction Sequence Number to 1 The AP: – Sets the Authentication Algorithm Number to 1 (shared-key) – Set Authentication Transaction Sequence Number to 2 – Status Code set to 0 (Successful) – Challenge Text (later) The client: – Sets the Authentication Algorithm Number to 1 (shared-key) – Set Authentication Transaction Sequence Number to 3 – Challenge Text (later) The AP: – Sets the Authentication Algorithm Number to 1 (shared-key) – Set Authentication Transaction Sequence Number to 4 – Status Code set to 0 (Successful) Authentication Process or • Authentication – Open-System – Shared-Key (WEP) • Encryption – None – WEP only Authentication Process – Shared-Key ? next Access Point Authentication • • • • Open Authentication—Allows your client adapter, regardless of its WEP settings, to authenticate and attempt to communicate with an access point. Open Authentication is the default setting. Shared Key Authentication—Allows your client adapter to communicate only with access points that have the same WEP key. This option is available only if Use Static WEP Keys is selected. In shared key authentication, the access point sends a known unencrypted "challenge packet" to the client adapter, which encrypts the packet and sends it back to the access point. The access point attempts to decrypt the encrypted packet and sends an authentication response packet indicating the success or failure of the decryption back to the client adapter. If the packet is successfully encrypted/decrypted, the user is considered to be authenticated. Note Cisco recommends that shared key authentication not be used because it presents a security risk. Encryption Modes • Indicates whether clients should use data encryption when • • • • communicating with the device. The three options are: None - The device communicates only with client devices that are not using WEP. WEP Encryption - Choose Optional or Mandatory. If optional, client devices can communicate with this access point or bridge with or without WEP. If mandatory, client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate. WEP (Wired Equivalent Privacy) is an 802.11 standard encryption algorithm originally designed to provide with a level of privacy experienced on a wired LAN. The standard defines WEP base keys of size 40 bits or 104 bits. In Summary • • Client – Use Open Authentication on the client (does not use WEP, challenge transaction, during authentication). – Use WEP for Data Encryption. AP – Use Open Authentication – Use Mandatory WEP Encryption, Devices not using WEP are not allowed to communicate. Wi-Fi WPA Presentation Wi-Fi WPA Presentation http://www.wifialliance.org/ opensection/protected_access .asp • • Welcome to the Wi-Fi Protected Access (WPA) Security Web page. Here you will find all the latest updates on WPA and the Wi-Fi Alliance's wireless LAN security improvements. A 60-minute Web cast regarding WPA and the Wi-Fi Alliance's response to the need for improved WLAN security was held on June 11, 2003. The Web cast included a 40-minute presentation titled "Wi-Fi Protected Access: Locking Down the Link," in which Michael Disabato (Senior Analyst, Burton Group) reviewed the features and benefits of WPA, highlighted wired equivalent privacy (WEP) weaknesses, discussed wireless LAN implementation issues, reviewed the second phase of WPA (WPA2) and provided WLAN security recommendations. Mr. Disabato's presentation was followed by a 20-minute question and answer session that included several of the industry's most knowledgable WLAN security experts. Secure 802.11 WLANs Thanks to Pejman Roshan and Jonathan Leary at Cisco Systems, authors of 802.11 Wireless LAN Fundamentals for allowing me to use their graphics and examples for this part of the presentation. Secure 802.11 WLANs • • • • • WLAN industry recognized the vulnerabilities of 802.11 authentication and data privacy. Changes are being incorporated into the 802.11i draft standard. To date, 802.11i draft has not been passed as a standard. (Due May 2004) Wi-Fi Alliance has put together a subset of the components of 802.11i called Wi-Fi Protected Access (WPA). This part of the presentation explains 802.11i and WPA. Secure 802.11 WLANs • • Many mistakenly believe WEP to be the only component to WLAN security. Wireless security consists of four facets: 1. The Authentication Framework – The mechanism that accommodates the authentication algorithm by securely communicating messages between the client, AP, and authentication Server. 2. The Authentication Algorithm – Algorithm that validates the user credentials. 3. The Date Privacy Algorithm – Algorithm that provides data privacy across the wireless medium for data frames. 4. The Date Integrity Algorithm – Algorithm that provides data integrity across the wireless medium to ensure to the receiver that the data frame was not tampered with. 1. The Authentication Framework • The authentication framework in 802.11 is the 802.11 authentication • management frame. The authentication frame facilitates Open and Shared Key authentication algorithms, yet the frame itself does not possess the ability to authenticate the client. 1. The Authentication Framework • 802.11 is missing some key components: – Centralized, user-based authentication – Dynamic encryption keys – Encryption key management – Mutual Authentication 1. The Authentication Framework Centralized, user-based authentication • Critical for network security • Device-based authentication such as Open or Shared Key, does not prevent unauthorized users from using authorized devices. • Logistical issues as network administrators must rekey all 802.11 APs and clients if: – Lost or stolen devices – Employee termination • Centralized, user-based management via authentication, authorization, and accounting (AAA) server, such as RADIUS, lets you allow or disallow specific users, regardless of the specific devices they use. 1. The Authentication Framework Dynamic encryption keys • User-based authentication has a positive side effect: userspecific encryption keys. • Per-user, dynamic keys relieve the network administrator from having to statically manage keys. • Encryption keys are dynamically derived and discarded as the user authenticates and disconnects from the network. Encryption key management • Should the need to remove a user from the network, you only need to disable her account to prevent her access. 1. The Authentication Framework Mutual Authentication • Mutual authentication is two-way authentication. • Not only does the network authenticate the client, but the client also authenticates the network. • In Open and Shared Key authentication, the AP or network authenticates the client. • The client does not know for sure that the AP or network is valid because no mechanism is defined in 802.11 to allow the client to authenticate the network. • A rogue AP or client posing as a valid AP can subvert the data on the client’s machine. 1. The Authentication Framework 802.11i 802.1X (EAP) WPA is a subset • User-based authentication • Mutual authentication • Dynamic Key Generation • IEEE has addressed the shortcomings of 802.11 authentication by • • • • incorporating 802.1X authentication framework. 802.1X itself is an IEEE standard that provides all 802 link layer topologies with extensible authentication, normally seen in higher layers. 802.1X is based on a Point-to-Point (PPP) authentication framework known as Extensible Authentication Protocol (EAP). In oversimplified terms, 802.1X encapsulates EAP messages for use at Layer 2. 802.11i incorporates the 802.1X authentication framework requiring its use for user-based authentication. 1. The Authentication Framework 802.1X Differing environments EAP-Cisco EAP-TLS EAP-PEAP 802.5 Any EAP-compliant authentication type Authen. Framework 802.1X/EAP 802.3 Authen. Method 802.11 Access Mechanism • EAP (RFC 2284) and 802.1X do not mandate the use of any specific • • • authentication algorithm. Network administrator can use any EAP-compliant authentication type for either 802.1X or EAP authentication. The only requirement is that both the 802.11 client (known as the supplicant) and the authentication server support the EAP authentication algorithm. This open and extensible architecture lets you use one authentication framework in differing environments, each environment may use a different authentication type. 1. The Authentication Framework Differing environments EAP-Cisco EAP-TLS EAP-PEAP 802.5 Any EAP-compliant authentication type Authen. Framework 802.1X/EAP 802.3 Authen. Method 802.11 Access Mechanism • EAP-PEAP – Operates similar to Secure Sockets (SSL) at the link • • layer. – Mutual authentication is accomplished via server-side digital certificates used to create a SSL tunnel for the client to securely authenticate to the network. EAP-MD5 – Similar to Challenge Handshake Authentication Protocol (CHAP), provides a password based, one way hash algorithm. EAP-Cisco – Also known a s LEAP, First EAP type defined for WLANs, is a password-based mutually authenticating algorithm. 1. The Authentication Framework • 802.1X requires three entities – Supplicant – Resides on WLAN client – Authenticator – Resides on AP – Authentication Server – Resides on RADIUS server 2. The Authentication Algorithm • 802.11i and WPA provide a mechanism for authentication algorithms to • communicate between client, AP, and the authentication server, via the 802.1X authentication framework. Neither 802.11i nor WPA mandate the use of a specific authentication algorithm, but both recommend the use of an algorithm that supports: – mutual authentication – dynamic encryption key generation – user-based authentication. EAP Authentication Process 3. Data Privacy • The encryption vulnerabilities in WEP present 802.11 vendors and the • • IEEE with a predicament: – How can you fix 802.11 encryption without requiring a complete replacement of AP hardware or client NICs? The IEEE answered this question with Temporal Key Integrity Protocol (TKIP) as part of 802.11i (and WPA). TKIP uses many key functions of WEP to maintain client investment of existing 802.11 equipment and infrastructure, but fixes several of the vlnerabilities to provide effect data-frame encryption. 3. Data Privacy • The key enhancements with TKIP are: • • – Per-frame keying – The WEP key is quickly changed on a perframe basis. – Message integrity check (MIC) – A check provides effective dataframe integrity to prevent frame tampering and frame replay. Solves statistical attacks such as Airsnort and the IV vulnerability. (FYI – To be included at a later date.) Changes WEP key used between client and AP before an attacker can collect enough frames to derive key bytes. 3. Data Privacy • The IEEE has adopted a scheme known as per-frame keying (also • • • known as per-packet keying or fast packet keying). The premise behind per-frame keying is that the IV, the transmitter MAC address, and the WEP key are processed together via a twophase mixing function. The output of the function matches the standard 104-bit WEP key and 24-bit IV. IEEE is also proposing that the 24-bit IV be increased to a 48-bit IV. 4. Data Integrity Data Integrity • The MIC is a feature used to augment the ineffective Integrity Check Value (ICV) of 802.11 standard. (More to be added on this at a later date.) • The MIC solves vulnerabilities such as the frame tampering/bit flipping attacks (to be added later). • The IEEE has proposed a specific algorithm, Michael, to augment the ICV function in the encryption of 802.11 data frames. • The MIC is a unique key that differs from the key used to encrypt data frames. • This unique key is mixed with the destination MAC address and the source MAC address from the frame as well as the entire unencrypted data payload of the frame. AES • WEP encryption and 802.11 authentication are known to be weak. • IEEE and WPA are enhancing WEP with TKIP and providing robust • • • • • authentication options with 802.1Z to make 802.11 based WLANs more secure. At the same time, IEEE is also looking to stronger encryption mechanisms. IEEE has adopted AES to the data-privacy section of the proposed 802.11i standard. WPA does not include support for AES encryption. Later versions of WPA are likely to be released to align with 802.11i for interoperable AES encryption support. AES is the next generation encryption function approved by the National Institute of Standards and Technology (NIST). Configuring Basic WLAN Security Basic WLAN security - Physical Access • • • • • • Most wireless access points are easily accessible. They are usually located near users and outside of locked rooms. This puts wireless access points at special risk for theft and for compromise by malicious users. Network monitoring can be used to determine when an access point goes off. Proper procedures will need to be followed to determine what happened to the equipment. Almost all wireless vendors publish the methods of resetting an access point using reset buttons or the console port. Basic WLAN security - Console • Administrator accounts and privileges should be setup properly. • The console port should be password protected. Choose a secure password Basic WLAN security - SSH • Telnet is an insecure, unencrypted protocol. • If at all possible, secure shell (SSH) should be used for all Command • • • • Line Interface (CLI) functions. Telnet and SSH should be password protected. For maximum security, disable Telnet and use only SSH. A SSH client is required on the management PC or workstation in order to connect to an AP running SSH. Several freeware programs are available such as PuTTY, Teraterm SSH, and SecureNetTerm. Enabling protocol and MAC filters on APs • • • • Filtering can provide an additional layer of wireless security. Filters can be created to filter a protocol or IP port. Protocol filters prevent or allow the use of specific protocols through the access point. Individual protocol filters can be setup and enabled for one or more VLANs. MAC, Ethertype and IP filters can be used to filter wireless client devices, users on the wired LAN, or both Securing clients and APs • WEP should be enabled when possible (unless stronger • authentication/encryption is available). No matter which type of authentication is used, the WEP keys entered on the client and the access point must match. Open and Authentication Associated Open Auth. No WEP Key Open Auth. No WEP Key Associated Open Auth. No WEP Key Open Auth. WEP = 1234 Associated Open Auth. WEP = 4321 Open Auth. WEP = 1234 Associated Open Auth. WEP = 1234 • See previous slides for examples. Open Auth. WEP = 1234 Event Log Event Log Event Log Disable unneeded services • It is important to disable or secure all unneeded services. • If Cisco discovery protocol (CDP), domain name service (DNS), network time protocol (NTP), hypertext transfer protocol (HTTP), TFTP, SNMP, or Telnet are not used in the network, they should be disabled. Enterprise WLAN Authentication We will not discuss all of the details in this module, but I do suggest several resources if you are interested. Second generation authentication • Network designers and security experts realize that just fixing the • • • • • • • weaknesses of WEP is not enough. Organizations must decide how much security is required and include this in the wireless security policy. Some networks will rely on existing VPN solutions to provide additional security. Other networks will implement the access control and fixes to WEP, which are included in Wi-Fi Protected Access (WPA). WPA uses elements of 802.11i, a longer-term standardized security solution, to secure WLANs. WPA is also called Simple Secure Networking (SSN). Some network administrators may decide to wait for 802.11i before deploying WLANs. The next few sections will discuss what is wrong with WEP security and what is missing. IEEE 802.11i • To provide users with a secure WLAN solution that is scalable and • • manageable, IEEE are creating a new 802.11i standard. To date the 802.11i draft has not been passed as a standard. The Wi-Fi Alliance has put together a subset of the components of 802.11i called Wi-Fi Protected Access (WPA). WPA and 802.11x • • • • • • • WPA allows user authentication through the IEEE 802.1x protocol. 802.1X is a recently completed standard for controlling entry to both wired and wireless LANs. 802.1X is an authentication framework. 802.1X provides all 802 link layer technologies extensible authentication. 802.1X is based on a PPP authentication framework known as Extensible Authentication Protocol (EAP), RFC 2284. 802.1X encapsulates EAP messages for use at Layer 2 (overly simplified). 802.11i incorporates 802.1X authentication framework. 802.1X EAP-Cisco EAP-TLS EAP-PEAP Authen. Framework 802.1X/EAP 802.3 802.5 Authen. Method 802.11 Access Mechanism • 802.1X provides mutual authentication. • Mutual authentication means that the network and the user prove their • • • identity to each other. 802.1X and EAP do not mandate any specific type of authentication. The network administrator can use any EAP-compliant authentication type as long as both the client and authentication server use the same one. The 802.11i standard also uses 802.1X and the TKIP enhancements to WEP 802.1X • An access point that supports 802.1x and its protocol, Extensible • Authentication Protocol (EAP), acts as the interface between a wireless client and an authentication server such as a Remote Access Dial-In User Service (RADIUS) server. The access point communicates with the RADIUS server over the wired network. 802.1x basics • • • • • • • • • 802.1x requires support on the client, access point, and authentication server. 802.1x uses a RADIUS proxy to authenticate clients on the network. This proxy device could be a device such as a switch or an access point. This device operates at the access layer. The EAP client or supplicant sends authentication credentials to the authenticator which in turn sends the information to the authentication server. The authentication server is where the logon request is compared against a user database to determine if, and at what level, the user may be granted access to the network resources. The access point is called the authenticator. The authentication server is usually a RADIUS or an authentication, authorization, and accounting (AAA) server. The authentication server needs to run extra software to understand the authentication type that is used by the client. 802.1x basics • Any client that does not have built in 802.1x must use software called a • • supplicant. The client must have some proof of identity. Forms of identity include a username and password, digital certificate, or one-time password (OTP). EAP Authentication Process Microsoft’s diagram of EAP How 802.1x works • • • • • • After the client has associated to the access point, the supplicant starts the process for using EAPOL (EAP over LAN) by asking the user for their logon and password. The client responds with their username and password. Using 802.1x and EAP the supplicant then sends the username and a one-way hash of the password to the access point. The access point then encapsulates the request and sends the request to the RADIUS server. The RADIUS server then checks the username and password against the database to determine if the client should be authenticated on the network. If the client is to be authenticated, the RADIUS server then issues an access challenge, which is passed to the access point and then sent to the client. How 802.1x works • • • • • • The client sends the EAP response to the access challenge to the RADIUS server via the access point. If the client sends the proper response then the RADIUS server sends an access success message and session WEP key (EAP over Wireless) to the client via the access point. The same session WEP key is also sent to the access point in a success packet. The client and the access point then begin using session WEP keys. The WEP key used for multicasts is then sent from the access point to the client. It is encrypted using the session WEP key. Upon client log off, the access point returns to the initial state, allowing only 802.1x traffic to pass. RADIUS Server Manager • Can also set up a local Radius server on the AP (lab). 802.1x authentication types • Different authentication types are supported when using 802.1x on a WLAN Choosing an 802.1x type • Choose a method that fits in with the existing network. • Choose a method that supports mutual authentication. • Review the security policy and find out what 802.1x types • are compatible. Finally, look at the clients to be protected and choose the best way to secure the existing equipment. WLAN Security: 802.1X Authentication • • Mutual Authentication • LEAP –“Lightweight” EAP –Nearly all major OS’s supported: •WinXP/2K/NT/ME/98/95/CE, Linux, Mac, DOS • EAP-TLS –EAP-Transport Layer Security –Mutual Authentication implementation –Used in WPA interoperability testing Radius Server PEAP –“Protected” EAP –Uses certificates or One Time Passwords (OTP) –Supported by Cisco, Microsoft, & RSA –GTC (Cisco) & MSCHAPv2 (Microsoft) versions AP Client EAP • • • • Extensible Authentication Protocol (802.1x authentication) Provides dynamic WEP keys to user devices. Dynamic is more secure, since it changes. Harder for intruders to hack…by the time they have performed the calculation to learn the key, they key has changed! Basic RADIUS Topology RADIUS can be implemented: • Locally on an IOS AP • Up to 50 users • On a ACS Server Enterprise Wireless Encryption We will not discuss all of the details in this module, but I do suggest several resources if you are interested. Strengthening WEP • WPA includes mechanisms from the emerging 802.11i standard for • • improving wireless data encryption. WPA has TKIP, which uses the same algorithm as WEP, but it constructs keys in a different way. See curriculum and other resources for details. Strengthening WEP • TKIP is also called WEP Key hashing and was initially referred to as • • • • • WEP2. TKIP is a temporary solution that fixes the key reuse problem of WEP. WEP periodically uses the same key to encrypt data. The TKIP process begins with a 128-bit temporal key that is shared among clients and access points. TKIP combines the temporal key with the client MAC address. It then adds a relatively large, 16-octet initialization vector to produce the key that will encrypt the data. Strengthening WEP • This procedure ensures that each station uses different key streams to encrypt the data. WEP Key hashing protects weak Initialization Vectors (IVs) from being exposed by hashing the IV on a per-packet basis. Strengthening WEP • • • • • • TKIP uses RC4 to perform the encryption, which is the same as WEP. A major difference from WEP, however, is that TKIP changes temporal keys every 10,000 packets. This provides a dynamic distribution method, which significantly enhances the security of the network. An advantage of using TKIP is that companies having existing WEP-based access points and radio NICs can upgrade to TKIP through relatively simple firmware patches. In addition, WEP-only equipment will still interoperate with TKIP-enabled devices using WEP. TKIP is only a temporary solution. Most experts believe that stronger encryption is still needed. Message integrity check • Stronger WEP keys are provided by TKIP enhancements such as MIC. • • • • MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it. The receiver accepts the retransmitted message as legitimate. The client adapter driver and firmware must support MIC functionality, and MIC must be enabled on the access point. TKIP enhancements, such as MIC and WEP Key hashing, can be enabled by using static WEP keys. They do not need a RADIUS server to function. Broadcast key rotation (BKR) • • • • • • • • • • • • The Broadcast Key Rotation (BKR) feature, is also a TKIP enhancement. BKR protects the multicast traffic of the access point from being exploited by dynamically changing the multicast encryption key. The access point generates broadcast WEP keys by using a seeded pseudorandom number generator (PRNG). The access point rotates the broadcast key after a configured broadcast WEP key timer expires. This process should generally be in sync with the timeouts configured on the RADIUS servers for user re-authentication. Broadcast key rotation is an excellent alternative to WEP key hashing. This is true if the WLAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices. It is recommended that broadcast key rotation be enabled when the access point services an 802.1x exclusive wireless LAN. It is not necessary to enable broadcast key rotation if WEP key hashing is enabled. Use of both key rotation and key hashing provides unnecessary protection. When broadcast key rotation is enabled, only wireless client devices using LEAP or EAPTLS authentication can use the access point. Client devices using static WEP with open, shared key, or EAP-MD5 authentication cannot use the access point when broadcast key rotation is enabled. Second generation encryption • In addition to the TKIP solution, the 802.11i standard will most likely • • • • • include the Advanced Encryption Standard (AES) protocol. AES offers much stronger encryption. In fact, the U.S. Commerce Department National Institute of Standards and Technology (NIST) organization chose AES to replace the aging DES. AES is now a U.S. Federal Information Processing Standard (FIPS), Publication 197. It defines a cryptographic algorithm for use by United States government organizations to protect sensitive, unclassified information. The Secretary of Commerce approved the adoption of AES as an official Government standard in May 2002. Second generation encryption • One issue is that AES requires a coprocessor or additional hardware to • • • • operate. This means that companies need to replace existing access points and client NICs to implement AES. Based on marketing reports, the currently installed base is relatively small compared to predicted future deployments. As a result, there will be a very large percentage of new WLAN implementations that will take advantage of AES when it becomes part of 802.11. On the other hand, companies that have already installed WLANs will need to determine whether it is worth the costs of upgrading for better security. Second generation encryption • AES specifies three key sizes, which are 128, 192, and 256 bits. It • • uses the Rijndael Algorithm. If someone where to build a machine that could recover a DES key in a second, then it would take that machine approximately 149 thousandbillion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old. Using VPNs • IP Security (IPSec) is a framework of open standards for ensuring • • • • • secure private communication over IP networks. IPSec Virtual Private Networks (VPNs) use the services defined within IPSec to ensure confidentiality, integrity, and authenticity of data communications across networks such as the Internet. IPSec also has a practical application to secure WLANs. It does this by overlaying IPSec on top of 802.11 wireless traffic. When deploying IPSec in a WLAN environment, an IPSec client is placed on every PC connected to the wireless network. The user is required to establish an IPSec tunnel and to route any traffic to the wired network. VLANs VLANs VLANs VLANs Spanning tree • Spanning tree is only needed when using wireless bridges. • It should remain disabled for access points and repeaters, unless • • • • • special circumstances exist in the network. The spanning-tree algorithm is used to prevent bridging loops. The algorithm computes available network paths and closes redundant paths, so that there is only one path between any pair of LANs on the network. Improper spanning tree settings can disable needed connections. From a security perspective, an attacker may be able to disable ports in a poorly configured network. Please review and understand spanning tree information when making configuration decisions. WPA Interoperable, Enterprise-Class Security Cipher “Suite” • • • • Cipher suites are sets of encryption and integrity algorithms. Suites provide protection of WEP and allow use of authenticated key management. Suites with TKIP provide best security. Must use a cipher suite to enable: –WPA – Wi-Fi Protected Access –CCKM – Cisco Centralized Key Management Configuring the Suite • • • • Create WEP keys Enable Cipher “Suite” and WEP Configure Broadcast Key Rotation Follow the Rules WEP Key Restrictions Security Configuration WEP Restriction CCKM or WPA key mgt. No WEP in slot 1 LEAP or EAP No WEP in slot 4 40-bit WEP No 128-bit key 128-bit WEP No 40-bit key TKIP No WEP keys TKIP and 40 or 128 WEP No WEP in slot 1 and 4 Static WEP w/MIC or CMIC WEP and slots must match on AP & client Keys in slots 2 & 3 overwritten Broadcast key rotation Security Levels Enterprise WLAN Security Evolution • TKIP/WPA –Successor to WEP –Cisco’s pre-standard TKIP has been shipping since Dec.’01 –Cisco introduced TKIP into 802.11i committee –802.11i-standardized TKIP part of Wi-Fi Protected Access (WPA) –WPA software upgrade now available for AP1100 & AP1200 • AES –The “Gold Standard” of encryption –AES is part of 802.11i standard •- AES will be part of WPA2 standard (expected in 2004) Matching Client to AP Matching Client to AP Matching Client to AP Matching Client to AP Matching Client to AP Matching Client to AP Additional screen-shots to be used when this presentation is completed. • Wi-Fi Protected Access (WPA) • Enables Wi-Fi Protected Access (WPA), which adds an extra level of • • • • data security to other security protocols. Because WPA enhances other security protocols, you must also select and configure a specific network authentication type. To use WPA, you must also enable WPA on the associated access point. Host Based EAP—Authenticates users using host-based EAP implementations, such as EAP-TLS or EAP-MD5. For example, you can use host-based EAP with Microsoft Windows XP • Cisco Compliant TKIP Features - Temporal Key Integrity Protocol • (TKIP) is a suite of algorithms surrounding WEP, designed to achieve the best possible security on legacy hardware build to run WEP. TKIP adds four new enhancements to WEP: 1. A per-packet key mixing function, to defeat weak key attacks. 2. A new IV sequencing discipline to detect replay attacks. 3. A cryptographic message integrity check (MIC) to detect forgeries such as bit flipping and altering of packet source and destination. 4. An extension of IV space, to virtually eliminate the need for a rekey. Message integrity check • • • • Enable MIC - MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. WEP Encryption must be set to Mandatory for MIC to be enabled. • Enable Per Packet Keying - EAP authentication provides dynamic • • unicast WEP keys for client devices but uses static keys. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select in the Broadcast Key Change Frequency field. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices. • • • AP has WEP (Optional) and host not using WEP. Associated. Would not be Associated if WEP was Mandatory. Authentication Process http://www.cisco.com/en/US/products/hw/wireless/ps430/products_installation_and_configuration_guide_c hapter09186a008014868e.html • But will it associate?