Practical Wireless Security - PowerPoint PPT Presentation

Provided by: rezart
Slides: 45
Learn more at: http://w.cali.org

Transcript and Presenter's Notes


1
Practical Wireless Security
  • A case study on implementing wireless security
    using PEAP

2
Practical Wireless Security
  • Rezi Andoni, CCNP
  • Systems Security Administrator
  • Chicago-Kent College of Law
  • Illinois Institute of Technology
  • randoni_at_kentlaw.edu
  • 312-906-5327

3
Audience
  • Security engineers/administrators
  • Network engineers
  • Network administrators
  • Technical level medium - high
  • I'd like to do frequent polling of
    technology/tool use

4
Brief Introduction to Kent
  • Each student is required to have a laptop
    computer
  • Estimated number of laptop computers is 1200
    (more than 95% are XP SP1 or better)
  • We use Microsoft Active Directory for centrally
    authenticating users (upgraded from Windows 2000
    to 2003 Domain Controllers)
  • All computers are/were joined to the domain at
    some point
  • We manage our own infrastructure

5
Requirements for the Implementation of the
Wireless Network
  • Users have to authenticate
  • Wireless traffic must be encrypted
  • Need to use the existing Active Directory
    infrastructure for authenticating to the wireless
  • Seamless integration (we almost do not see at all
    the evening students)
  • Ability to accommodate guests
  • No or little overhead on our helpdesk
  • Choice of not adding additional vendors to the
    solution (we mostly use Cisco equipment
    technology for network infrastructure and
    Microsoft software for authentication, email and
    desktop applications)
  • Ease of implementation

6
Choosing a Security Strategy (an elimination
process)
  • Do not Deploy a Wireless LAN
  • Wide Open WLAN (no Security)
  • Static WEP Security (easy to break and find the
    key; difficult to maintain)
  • MAC address authentication (no encryption and
    easy to sniff and spoof)
  • Use no security (on the wireless side) and
    require VPN to get to network resources
      • Need for a VPN concentrator, which can
        constitute a bottleneck
      • Possible additional client software on each
        client computer
      • More complex and costly than an EAP solution
      • Client computers can be attacked individually
      • In most cases the user is required to initiate
        the connection
  • Use end to end IPSEC (this is possible with
    Microsoft clients and servers)
      • Needs a certificate infrastructure to be
        implemented (or Kerberos based key distribution)
      • Can encrypt traffic between clients and servers
        but not traffic going to the Internet (routers
        need to be IPSEC compliant for this)
      • Might be difficult to maintain
      • Protection occurs at the network layer, not the
        data-link layer

7
The Elimination Process (Continued)
  • Implement 802.1x security
      • Cisco EAP (LEAP)
          • Proprietary (Cisco ACS Access Control Server
            needed), extra cost
      • EAP-TLS (RFC 2716)
          • Supported by Windows XP clients
          • Needs client certificates in client computers
          • Needs a public key infrastructure, which can be
            difficult to maintain
      • EAP TTLS (internet draft)
      • Protected EAP (PEAP) (internet draft)
      • There are more EAP standards

8
The Elimination Process (Continued)
  • WPA and WPA2 need firmware support; older WLAN
    NIC cards may not have updated firmware
  • WPA2 would be the preferred choice
  • WPA2 needs as well firmware that supports it in
    the access points (AES encryption)
  • The choices left for us were PEAP and EAP - TTLS

9
Choosing between PEAP and TTLS
Radius Server
    PEAP: Microsoft, Cisco (others)
    TTLS: Funk, Meetinghouse
Status
    PEAP: Internet Draft (Microsoft, Cisco, RSA)
    TTLS: (Expired) Internet Draft (Funk, Meetinghouse)
Client software
    PEAP: Comes with Windows XP (Microsoft) (Cisco as well)
    TTLS: Needs to be installed separately (Funk, Meetinghouse)
Protocol structure
    PEAP: Two parts: (1) establish TLS between client and PEAP server;
          (2) run EAP exchange over the TLS tunnel
    TTLS: Two phases: (1) establish TLS between client and TTLS server;
          (2) exchange attribute-value pairs between client and server
Protection of user identity
    PEAP: Yes, over TLS (MS-CHAPv2 over TLS)
    TTLS: Yes, over TLS
Additional software and cost
    PEAP: No (Windows 2003 comes with a radius server that has PEAP
          support; XP has the client)
    TTLS: Yes
10
PEAP checklist
  • Required components
      • Windows 2003 domain controllers (already
        installed)
      • Microsoft IAS server (radius server)
      • Certificate for server use
          • Clients need to trust the authority that issued
            that certificate
      • Access points that allow EAP and PEAP
          • Cisco AIR-AP1231AG (does not support AES)
          • Cisco AIR-AP1232AG (supports AES)
      • Client computers with Windows XP SP1 or better
      • Group policy to automatically configure the
        client computers
  • Optional components
      • A management solution for the access points
          • Wireless LAN Solution Engine (WLSE)
      • Cisco's WDS (not a necessity in our case but
        needed for the WLSE to produce better reports)

11
Overall Picture
12
Getting a certificate for the radius server
  • From an online certification authority
      • Cons
          • Little additional cost (one certificate for each
            radius server)
      • Pros
          • The client computers trust the certificates
            issued by Verisign and others
  • Implement Microsoft Certificate Services (our
    choice)
      • Pros
          • Can be used for other purposes (web servers, EFS
            etc.)
          • Propagation of the certification authority can be
            automated to all client computers
      • Cons
          • One more service to maintain
          • Needs understanding of the public key
            infrastructure
  • Implement a certificate using free software
    (openssl)
      • Pros
          • It is free
          • Can be used for other purposes
      • Cons
          • Once you generate the certificate for the root
            certification authority you need to manually
            distribute the certificate to all the clients
            that will use it and put it under the Trusted
            Authorities

13
Our experience with Microsoft Certificate Services
  • It comes with Windows Server System
  • The usage is more convenient if the installation
    is integrated with Active Directory
  • The certificate request and installation is
    almost seamless
  • The authority is automatically installed on all
    domain computers
  • After you generate the certificates for the
    radius server(s) and all clients have installed the
    CA certificate in their trusted store, you can
    shut down the certificate server or install a
    host firewall and block certificate issuance for
    other purposes (EFS etc.)
  • If licenses and systems are an issue, the
    Certificate Server can be installed on the same
    computer as the Radius server

14
Steps for the configuration of Microsoft
Certificate Server
  • Install one more domain computer with Windows
    2003
  • Install the Certificate Services integrated with
    Active Directory
  • Request a certificate for the radius server using
    the wizard (from the local Certificates snap-in on
    the radius server)
  • Approve the certificate from the certification
    authority (Certification Authority console)
  • Install the certificate in the radius server
  • Firewall the certificate server, so no more
    certificates can be issued (better security for
    the machine itself as well)

15
Installing the IAS server (step 1)
16
IAS server step 1 (continued)
  • Add each Access Point IP address under the radius
    clients
  • For convenience use the same password (shared
    secret) for each Access Point
  • This is not an issue for us since the LAN
    environment is 100% switched and sniffing on the
    wired LAN is not possible
  • Choose the AP vendor from the Client-Vendor list

17
Configure IAS server Logging (step 2)
  • IAS server can log to 3 places
      • Flat file
      • SQL server (on our to-do list; the best solution
        if you do not have a management device)
      • Windows event viewer (starting point for
        troubleshooting)

18
IAS configuration policies (step 3 continued)
  • You can have more than one policy in the RADIUS
    server
  • The policies that get used more should be listed
    first

19
The wireless policy (step 3 continued)
  • Generally you need two conditions for this policy
      • Make sure that the request comes from an access
        point
      • Make sure that not everyone has wireless access
          • Make a group and put the computers or users that
            need wireless access in this group
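As an added illustration (not from the presentation), the following Python models how IAS walks its ordered policies: all conditions of a policy must hold, the first matching policy decides, and no match means a reject. The policy names, the group names and the sample requests are constructed for this example.

```python
from typing import Callable, List, Optional, Tuple

# RADIUS NAS-Port-Type value that marks a request as coming from a wireless AP
WIRELESS_80211 = "Wireless - IEEE 802.11"

Condition = Callable[[dict], bool]

class Policy:
    """One IAS remote access policy: every condition must hold for it to match."""
    def __init__(self, name: str, conditions: List[Condition], grant: bool):
        self.name = name
        self.conditions = conditions
        self.grant = grant          # True = grant remote access, False = deny
        self.hits = 0               # how often it matched; used to order policies

    def matches(self, request: dict) -> bool:
        return all(cond(request) for cond in self.conditions)

def from_access_point(request: dict) -> bool:
    # Condition 1: the request must come from an access point
    return request.get("NAS-Port-Type") == WIRELESS_80211

def member_of(group: str) -> Condition:
    # Condition 2: only members of the wireless group get wireless access
    return lambda request: group in request.get("Windows-Groups", ())

def evaluate(policies: List[Policy], request: dict) -> Tuple[str, Optional[str]]:
    """First matching policy decides, as IAS does; no match means Access-Reject."""
    for policy in policies:
        if policy.matches(request):
            policy.hits += 1
            return ("Access-Accept" if policy.grant else "Access-Reject", policy.name)
    return ("Access-Reject", None)

def order_by_use(policies: List[Policy]) -> List[Policy]:
    """Most-used policies first (the slide's advice). Safe only when the policies'
    conditions do not overlap: a specific deny policy must stay ahead of a
    broader grant policy, or reordering changes the decision."""
    return sorted(policies, key=lambda p: p.hits, reverse=True)

def build_policies() -> List[Policy]:
    # Constructed policy set: the wireless policy from the slide plus a VPN policy
    return [
        Policy("VPN access", [lambda r: r.get("NAS-Port-Type") == "Virtual (VPN)",
                              member_of("VPN Users")], grant=True),
        Policy("Wireless access", [from_access_point, member_of("Wireless Users")],
               grant=True),
    ]
```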

20
The wireless policy (step 3 continued)
  • The only thing that needs to be changed under the
    policy from the defaults is the EAP methods and
    Client Timeout

21
Client timeout
  • With dynamic WEP you need the radius server to
    force the clients to re-authenticate so a new WEP
    key will be generated for the session
  • This puts a heavy load on the IAS server
  • For higher security needs the timeout can be
    further reduced to 15 minutes, even 3 minutes
  • Use WPA instead, which uses a built-in mechanism
    to re-key the session

22
PEAP policy (step 3 continued)
  • Fast Reconnect will allow a user to roam and not
    need to re-authenticate
  • Choose a certificate that was issued for the
    radius server (usually one to choose from)
  • Add EAP type MSCHAP V2 in order to allow
    username/passwords to be used for authentication

23
Securing the IAS server
  • It is quite safe to have a host firewall
    installed and enabled on the IAS server
  • The firewall that comes with windows 2003 is fine
  • The only ports that need to be opened are
      • UDP 1645, 1646 or
      • UDP 1812, 1813 (depends on what was agreed to be
        used between the radius server and the access
        points)
      • Plus any other port that will be needed for
        remote administration
  • For the same reason it can be placed in a more
    secured zone with only 2 UDP ports open

24
Configuring the access points
  • The access points are generally not aware of the
    EAP method the client uses to authenticate to the
    server, so generally one configuration covers all
    the individual EAP methods (PEAP, LEAP, TTLS,
    EAP-TLS)
  • Before you go to EAP configuration make sure you
    change the default password, default SNMP
    communities, SNMP location etc.
  • Configuring EAP
      • Define the SSID
      • Require EAP authentication for that SSID
      • Require mandatory WEP encryption
      • Define the radius server(s) needed for the EAP
        authentication (same password as used in the
        radius server)
      • Or use a wizard that will configure all 4 steps
        in one

25
Load balancing and redundancy between the APs and
the radius servers
26
Load balancing (continued)
  • Failure of the radius server will bring the
    wireless network down (single point of failure)
  • Configure half of the Access points for server1
    as primary and server2 as secondary
  • Configure the other half for server2 as primary
    and server1 as secondary
  • Make sure that all the APs are listed at each
    radius server

27
Configuring client computers
  • You can send an email with instructions
      • Not elegant; can be hard for certain users to
        follow
  • You can create an application that will modify
    the registry properly
      • This can be an ActiveX control in a web page
      • The executable can be distributed in some form to
        the users
  • If you have Windows 2003 domain controllers (or
    at least one domain controller that is Windows
    Server 2003) you can use the new Group Policy
    extensions to configure the wireless LAN adapters
    on the client computers

28
Configuring client computers with group policy
29
Configuring client computers with group policy
30
Group policy (continued)
31
Group policy considerations
  • It will add an SSID under the preferred networks
    of each client computer
  • It can be applied to the whole organization
    (domain) or to specific containers or
    organizational units
  • The preferred network can not be removed by the
    user under normal circumstances
  • Other SSIDs (e.g. home networks) can be added
    without issues
  • Changes to the GPO are propagated to client computers

32
Login Script Issues
  • Windows XP brings up the login dialog very fast
  • The user might be able to log in with cached
    credentials before the wireless authentication
    process is finished, resulting in inability to
    process any login scripts
  • Solution
      • Instruct the users to wait 10-15 seconds before
        they log in
      • Configure a Windows policy to run the login
        script only after the network connections are up
        and running
          • This policy poses no issues when the wireless
            signal reception is good or when there is no
            signal at all
          • It becomes a problem when the signal is very
            weak: the user might be stuck in retransmissions
            trying to authenticate and never get to the
            desktop

33
More on PEAP
34
EAP Methods
35
More on PEAP (continued)
  • Part 1
      • AP -> Client (EAP-Request/Identity)
      • Client -> AP (EAP-Response/Identity with
        username)
      • AP -> Radius (EAP-Response/Identity with
        username)
      • Radius -> Client (EAP-Request/Start PEAP)
      • Radius <-> Client (a series of messages that
        create the TLS channel)
  • Part 2
      • Radius -> Client (EAP-Request/Identity)
      • Client -> Radius (EAP-Response/Identity with
        username)
      • Radius -> Client (EAP-Request/EAP-MS-CHAP-V2
        Challenge with the challenge string)
      • Client -> Radius (response to the challenge and a
        challenge to the server to authenticate itself)
      • Radius -> Client (Success (after checking with
        the Domain Controller) and response to the
        client's challenge)
      • Client -> Radius (Success)
      • Radius -> AP (EAP-Success)
      • Client <-> AP (WEP encrypted traffic)
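An added model of the Part 2 exchange above (not code from the presentation): the two challenges and the two proofs that make EAP-MS-CHAP-V2 mutual. The NT-hash and DES computations of real MS-CHAPv2 are replaced here by HMAC-SHA256 so the shape is visible without the legacy primitives; the user database, user name and passwords are constructed, and the TLS tunnel from Part 1 is assumed to be already in place around this exchange.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

def password_key(password: str) -> bytes:
    # Stand-in for the NT password hash that both sides derive from the password
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(key: bytes, server_chal: bytes, client_chal: bytes, user: str) -> bytes:
    # Stand-in for the NT-Response: proves the client knows the password
    msg = b"client" + server_chal + client_chal + user.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def server_authenticator(key: bytes, response: bytes, client_chal: bytes, user: str) -> bytes:
    # Stand-in for the authenticator response: proves the server knows the password too
    msg = b"server" + response + client_chal + user.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class RadiusServer:
    """The IAS side: holds what the Domain Controller would check against."""
    def __init__(self, users: Dict[str, bytes]):
        self.users = users  # username -> password key (constructed user database)

    def challenge(self) -> bytes:
        return os.urandom(16)  # Radius -> Client: EAP-MS-CHAP-V2 challenge string

    def verify(self, user: str, server_chal: bytes, client_chal: bytes,
               response: bytes) -> Optional[bytes]:
        key = self.users.get(user)
        if key is None:
            return None  # unknown user: Failure
        expected = client_response(key, server_chal, client_chal, user)
        if not hmac.compare_digest(expected, response):
            return None  # wrong password: Failure
        # Success, plus the answer to the client's challenge
        return server_authenticator(key, response, client_chal, user)

def run_part2(server, user: str, password: str) -> bool:
    """The inner exchange from Part 2, run over the TLS tunnel; True on mutual success."""
    key = password_key(password)
    server_chal = server.challenge()
    client_chal = os.urandom(16)  # the client's own challenge to the server
    response = client_response(key, server_chal, client_chal, user)
    auth = server.verify(user, server_chal, client_chal, response)
    if auth is None:
        return False  # Radius -> Client: Failure
    expected = server_authenticator(key, response, client_chal, user)
    # Client -> Radius: Success only if the server answered the client's challenge
    return hmac.compare_digest(expected, auth)
```

A server that does not know the password cannot produce the authenticator, so the client's final check fails; in the real deployment the server certificate check from Part 1 is what stops such a server from seeing the exchange at all.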

36
Managing the WLAN infrastructure (40 APs)
  • Receive faults from the APs
  • Configure the APs in bulk
  • Apply standard configuration on newly added
    access points
  • Update firmware
  • Create reports on clients, devices
  • Manage inventory of the access points
  • Tune the RF parameters (such as transmit power
    etc.)

37
Our choice was for WLSE
  • Wireless LAN Solution Engine
      • Gives you plenty of configuration options
      • Needs WDS for better reporting
  • WDS: Wireless Domain Services
      • Cisco proprietary technology
      • Requires that you have one WDS server per LAN
        segment
      • An AP can be turned into a WDS server, or it can
        be a card that goes in a 6500 series switch
      • WDS simplifies management and makes roaming
        almost seamless (needed for 802.11 phones)

38
WDS implementation
39
WDS Issues
  • An access point needs to authenticate itself to
    the WDS server
      • Currently the only method supported is LEAP
        (Cisco proprietary and not supported by IAS)
  • Workaround???
      • Enable the Radius server that comes with the AP
        software
      • Use the internal radius server (LEAP) to
        authenticate the access points (infrastructure
        authentication)
      • Use IAS (Microsoft Radius Server) for client
        authentication
  • I wish that in further updates for the WDS other
    methods are supported for infrastructure
    authentication (AP to WDS)
  • WDS poses one more point of failure in your
    infrastructure
      • Solution: enable more than one WDS server per LAN
        segment
          • The priority value of the WDS determines which
            WDS-enabled Access Point will become the master
            for the segment
          • More expensive

40
Guest Access
  1. Create accounts for all people that need guest
     access
  2. Create one shared account and give the password
     in an instruction sheet
  3. Create another SSID for guest access without any
     security enabled in a separate VLAN
       • Currently available as a feature in Cisco Aironet
         Access Points (not sure on others)
       • Requires the switch ports to be turned into
         802.1Q trunks
       • Create a VLAN and assign a non-secure SSID to
         that VLAN
       • Bad news: Aironet access points do not support
         DTP (Dynamic Trunking Protocol), so manual
         configuration is needed to change all the ports
         where access points are connected into 802.1Q
         trunks

41
Guest Access in Separate VLAN
  • Needs additional firewall configuration to allow
    Guest WLAN users to have access to corporate
    resources in the DMZ or Internal Zone

42
Turning the guest VLAN on and off
  • Configure jobs in your wireless management device
    for adding and deleting the guest SSID on the
    Guest VLAN
  • Shutdown the firewall port to block access down
    and bring it up to restore access
  • Change the VLAN state to suspended in your VTP
    server switch

43
References
  • PEAP Internet Draft:
    http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-10.txt
    (expired)
  • Securing Wireless LANs with PEAP and Passwords:
    microsoft.com
  • WLSE, WDS, 1200 Aironet series: cisco.com
  • Windows 2003 Group Policy:
    http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
  • Internet Authentication Service:
    http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

44
Questions