802.11 Network Security

About This Presentation

Title:

802.11 Network Security

Description:

802.11 Network Security (Hubert Yang) hwyang_at_iii.org.tw 802.11 Protocol Architecture 802.11 Access Process 802.11 ... – PowerPoint PPT presentation

Number of Views:556

Avg rating:3.0/5.0

Slides: 199

Provided by: 6649548

Category:

more less

Transcript and Presenter's Notes

Title: 802.11 Network Security

1
802.11 Network Security

??????????
??? (Hubert Yang)
hwyang_at_iii.org.tw

2
??

802.11 Protocol Architecture
802.11 Access Process
802.11 Network Security Architecture
802.11 Network Security Analysis and
Troubleshooting
802.11 Network Security Policy Basics

3
Part 1802.11 Protocol Architecture
..........
..........
4
BSS

Basic Service Set (?????)
802.11??????????
????????
Id-BSS (Independent BSS / IBSS)
???????
If-BSS (Infrastructure BSS / BSS)

5
???BSS

ad hoc ??(?????????)?
????????(????)????

Peer-to-Peer
6
IBSS????outbound

??STA??Routing
????????(ICS)
?????
????

7
???BSS

??????AP???????,???Basic Service Area?
???????AP????

8
?????????
9
BSSID

???????,????BSS?
?48?2???? / 6??????(MAC Address)????
?????????(BSS)??
BSSID AP??????
?????????(IBSS)??
BSSID ????????

10
?????

BSSID??????

11
??BSS???

????BSS?,??????
????subnet
?????????

12
ESS

Extended Service Set (??????)
???BSS??,????SSID??????

Overlap ? Roaming ?????
13
ESSID

???????,????ESS?
???SSID
????AP??Associate
???SSID????Associate
?????,?2-32???(Bytes)??????????
???AP?????16?SSID
??radio?8?SSID

14
SSID??

???Close System
?????????????
??SSID???
SSID????
??????SSID?
?????????SSID?
?????SSID?
??ESS?,SSID????

15
?AP???SSID
16
?????

??SSID(MSSID)??????

17
??????SSID
18
????????

?????????
???????
??????
(RSSI?dB)

19
BSSID vs. ESSID
SSID ?? ??? ?? ??
BSSID ????BSS YES 16?? ?? 48
ESSID ??ESS NO ?? (Bytes) 2-32
20
??SSID???

Beacon -Passive Scan
Probe Request -Active Scan
Probe Response -Active Scan
Association Request
Re-association Request

21
?????

??????,?????????SSID?

22
Part 2 802.11 Access Process
..........
..........
23
??WLAN???

??(Scanning)
??(Joining)
??(Authentication)
??(Association)

24
????????

Beacon
Probe request
Probe response

The Beacon Tower
25
Beacon

Beacon management frame ???
?AP???frame,?????????
???? (??????)
???? (DS????FH?Hop/dwell)
SSID?? (?????????)
????TIM (???????????????)
??????
???????(Ad hoc)???,?frame????????

26
?????

??????????????????,?????AP?SSID??????,???????

27
Locating a WLAN

?????
AP?100ms(kµs)????Beacon?
??????????????Beacon?
?????
?STA????????probe request?
???SSID??,??????????
???????

28
????Beacon??
l kµs 1(103) (l06) s 1 (103) s 1ms
29
Passive Scanning

Client?????????Beacon?
??AP?
????????????????

30
??Passive Scanning
31
?????

?AP???????Passive Scanning?

X
32
??????
33
Active Scanning

STA??AP??Probe Request
??????SSID,?????SSID???AP??
AP??Probe Response(?Beacon??)
??TIM
?????SSID

Probe Request
Probe Request
Probe Request
34
??Active Scanning
35
?????

?????,?????????,??????

36
Joining a WLAN

????
??(Authentication)
??(Association)

37
??

?????
AP???????
????(RADIUS)??????????
?????
????????(MAC filter)
??????
????????
????????

38
Part 3 802.11 Network Architecture
..........
..........
39
?????/???

???????????(LWAPP)
?thin AP??
L2??

40
??LWAPP

Lightweight Access Point Protocol
2002??Airespace?NTT DoCoMo??
?IETF?????????
????
????
?????

41
???AP

?Wireless Switch/Control ???AP??Lightweight
AP?Thin AP
?????????????????
??802.3-2005, Clause 33 PoE
???Lightweight AP???AP,??Autonomous AP?Fat AP

42
Fat?Thin
Fat Access Points
43
??LWAPP??

??????

??????

??????

??????

??????

??????

??????

??????

??????

44
??????
45
??????
46
????
47
??????
Locate the rogue AP
Rogue AP
Air Monitors
48
WLAN????????

802.1q VLAN tagging
??VLAN?,??SSID
?VLAN?????
?VLAN??
??????????
SSID????

49
???????

Cisco Airespace
Aruba
Chantry Networks
Reefedge
Trapeza Networks
Symbol Technologies

50
Part 4 802.11 Network Security Architecture
..........
..........
51
RSN

Robust security network
?????four-way handshake???????,????????RSNA?
?????RSNAs?????RSN
Confidentiality
Integrity
Authentication

52
????

Pre-RSNA
??????
??????
WEP

RSNA
TKIP/RC4
IEEE 802.11i
CCMP/AES
IEEE 802.1X(AKM)
PSK
????
TSN

53
??????

??authentication??????

54
????(PSK)??

??? Challenge-Response Authentication
????AP??????WEP???

1.??????
2. ????(128bits)
3.?WEP Key?????
4.?WEP key?????????
55
??????????

??WEP Key??????,???????WEP Key?

1.??????
2.(??)128bits????
3.?WEP Key?????
4.?WEP key?????????
56
WEP

Wired Equivalent Privacy
????????????????
??WEP-40?WEP-104?????
IEEE 802.11-2007??,pre-RSNA?????????
????casual eavesdropping
????malicious eavesdropping

57
WEP Key

STA?AP??????Key,?????
802.11?????????
??HEX?ASCII?????Key??
WEP Algorithm?WEP Key??????????,???????
??????????

58
????WEP??

40 Bit ??
??10?16????(0-9, a-f, or A-F)
Ex. 234F4B67AD
104 Bit ??
??26?16????(0-9, a-f, or A-F)
Ex. 6C89DAB421FE34DF87135987FD

59
AP ?????
60
???????
??WEP Key
61
???????????
62
WEP???

?IV?WEP key???
24 40 64bit
24 104 128bit
24 128 152bit (???)
?RC4??PRNG??,??keystream
IV?????????,????????,??WEP key??keystream?

63
?? WEP ??
IV
24 bits
IV
WEP key
RC4 PRNG
??
WEP key
Keystream
40, 104 bits
ICV
32 bits
??
??
CRC32

CRC

IV ?????

CRC ??????

PRNG ?????

ICV ??????

64
WEP???

??????
???data payload,??????
IV??24bits?
?????IV??
?pcap???(interesting frame)??,???????

65
WEP?????

Brute force attack
???????
????????
Dictionary attack
???????
Weak IV attack
??bit-flipping attack

66
WEP?????(cont.)

Reinjection attack
??ARP??,????
Storage attack
WZC?????????????????,?????(ex. wzcook)????????????
?

67
IEEE 802.11?8?

2004???,??IEEE802.11i
??????RSN???????
802.1X
passphrase-to-preshared key mapping
RSN????
Four-way handshake
PMK, GTK

68
TKIP??

Temporal key Integrity Protocol
??RC4 encryption
???WEP(??WEPv2)
???????128bits
??IV?24bits
?MIC??ICV (Integrity Check Value)
WiFi????WPA?????

69
MIC

Message Integrity Check
????'Michael
?data???????8byte???
?????frame?????
??frame counter,
???bit-flipping attacks

70
PSK??

??Pairwise Master Key?????
PMK??????????(PSK)?EAP
??256bits
??PMK?,??four-way handshake
??512-bit?Pairwise Transient Key
PTK?????unicast
?Group Temporal Key?multicast?broadcast????

71
?????
???
???
????
72
CCMP

11i??????????
??AES encryption?
??Rijndael????
?????128bits
??MIC?64bits
???????

73
(???)??PSK
74
WPA vs. WPA2
Wi-Fi?? ???? ??? ????
WPA-PSK passphase TKIP RC4
WPA-Enterprise 802.1X TKIP RC4
WPA2-PSK passphase CCMP AES
WPA2-Enterprise 802.1X CCMP AES
75
?????

??WPA2-Enterprise????OSI??
?????

76
IEEE 802.1X

?IETF?EAP (?????????) ????,??AAA model?
?port-based????
???PAE (port access entity) control
????
??Protocol Authentication Entity
???
????

77
802.1X???

Uncontrolled port (????)
???????,??data??
Controlled port (???)
???????,?????

78
??PAE

Supplicant (???)
??????
Authenticator (???)
?????Supplicant???????
Authentication Server (?????)
?Authenticator?????????

79
??802.1X??
(AS) ?????
???
???
EAP over Wireless
EAP over RADIUS
80
???AS??

RADIUS
Remote Authentication dial-in user service
TACACS
Terminal Access Controller Access Control System

81
?????

?????????????(AS)????

82
AS local DB

??????????
?????????

RADIUS
83
AS External DB

??????????
Microsoft AD
Novell eDirectory
LDAP

84
802.1X????

???? (EAP-MD5)
???EAP (PEAP)
???EAP (LEAP)
FAST
???? (EAP-TLS)
?????? (EAP-TTLS)
SIM??(EAP-SIM)

85
EAP??
MD5 TLS TTLS PEAP LEAP FAST
??????? ? ? ? ?? ? ?
??????? ? ? ? ? ? ?
??????? ? ? ? ?? ? ?
??PAC ? ? ? ? ? ?
???? ? ? ? ? ? ?
???? ? ? ? ? ? ?
????? ? ? ? ? ? ?
86
(???)??EAP-PEAP
87
(???)??EAP-LEAP
88
(???)??EAP-FAST
89
(???)??EAP-TLS
90
????

?????????????????
????
?????????X509??
??CA
??Third-party CA (ex. )
?Cisco????
Protected Access Credential

91
????

Before 11i
????
??????
?????? (pre-RSNA)
????
WEP (pre-RSNA)
TKIP

After 11i
????
802.1X
PSK
????
CCMP

92
TSN

Transition Security Network
??pre-RSNA?RSNA??
??Legacy equipment???RSNA
?????
??????

93
Part 5 ??WLAN??
..........
..........
94
??????

Eavesdropping
Hijacking
Man-in-the-middle
Denial of service
Management interface exploits

Encryption cracking
Authentication cracking
MAC spoofing
Peer-to-peer attacks
Social engineering

95
?????

????
Easy Wi-Fi Radar
MiniStumbler
MacStumbler
KisMac
NetStumbler
KisMet

96
????

OmniPeek Personal
AiroPeek
Network Instrument Observer
AirMagnet Laptop Analyzer
Javvin CAPSA
WireShark
CommView for Wi-Fi

97
??(?????)
SSID III
SSID III
STA
Server
(Software AP)
98
?????

?????????

99
?????????

????????
?????
??????????
?? ?? ??? !!
?????????

100
???????

????,??????????
????Microsoft WZC???????
??third-party?????

101
????

Physical Layer DoS
RF Jamming
MAC layer DoS
Data Flooding
Management Frame Injection
PS-Pool floods

802.11w ?????
102
Intentional DoS

?????(PSG)
??? ???
???(Jammer)
????1000mW
802.11???
???Continuous transmit state,???medium,????CCA
??Queensland Attack

103
Unintentional DoS

??????2.4GHz ISM?????
RF video camera
Baby monitor
????
???

104
?????
105
????DoS

???????
?????
??rogue AP
P802.11w??robust mgt. frame

106
??????

Serial (??????)
Web-based (HTTPS)
SNMP (SNMP v3)
telnet (SSH2)

107
????????
108
???????

?????--?WEP cracking
??????????weak IV??
??????????????
?????--?WPA cracking
????full authentication infra-structure
??????PSK????????

109
MAC??

?????
??Windows Registry??
SMAC spoofing tool

110
????????????

??????????
??Windows file sharing??
????ad hoc??
?SSID??III,????
?AP??

111
????????????

????????
Cisco?PSPF??(Public Secure
Packet Forwarding)

112
????

??????????????????????
????
????
????
????
??????

113
Part 6 ??????
..........

RBAC
NAC
WAC
VPN
VLAN
WIPS

..........
114
??????

????????????
Firewall-type filter
Layer 2 permission
Layer 3 permission
Bandwidth-limiting permission
??WLAN??????
Guest???128kbps, port 80

115
Profile-based???

??????(???/??)??????
??WLAN??????

116
??????

?WLAN??????NAC policy
?????????????
???NAC system
Microsoft NAP
ConSentry NAC
Extreme Sentriant AG
Cisco NAC Appliance

117
Captive Portal

Web-based Access Control (WAC)
????,???????????
??IP???
??????(redirect),??????????
?EWG?Wireless Controller???
??VPN???????????

118
????framework
119
VPN

Virtual Private Network
????????? ???? ????

120
VPN?????

??
????
????
????

??
PPTP
L2TP
IPSec

121
VPN???

VPDN (Dialup Network)
????
???NAS (Network
Access Server)??PPP
????
VPRN (Remote Network)
????

122
VLAN

Virtual LAN (802.1Q)
???????????????????(Broadcast domain)?
????
????
????
QoS

123
VLAN????

L1 VLAN
Port-Based
SSID-Based
L2 VLAN
MAC Address-Based
Protocol-Based
L3 VLANIP-Based
Higher Layer VLAN
Application-Based VLAN

124
????????

SSID/VLAN
??
?????
??VLAN????,????????

125
VLAN trunk
VLAN Trunk
VLAN1
VLAN2
VLAN2
VLAN1
126
?????

????????VLAN aware?device?

supplicant (???)
authenticator (???)
authentication server (?????)
127
IDS IPS

Intrusion Detection System
???????????????????????,??????????????
Intrusion Prevention System
???????,?????????????????????(????????????..)?????
?

128
WIPS?feature

???????????????????
???????????
???????????????
??????????????????
???????????,?????,???????
????????????????(dashboard)
??????

129
WIPS?????

??rouge client
?rouge client?????AP
??rouge client
???deauth frame
??rouge AP
????AP?deauth,????
??Ethernet port
??SNMP

130
WIPS??

???(Centralized)
?(Thin) Sensor???????????????,??????????????
???(Distributed)
?(Fat) Sensor???????????

131
Centralized WIPS
132
Distributed WIPS
133
WIPS???
?? ?? ????
??? ?????? ??????
??? ??? ?????
134
???WIPS

Bluesocket BlueSecure
????????(Shared Constituent Analysis)
Sensor?????????????????????????(key
indicators)??????????
?????????(Signature)???

135
Mobile WIPS

????????????

136
Layered Security
???
HTTPS, SFTP, SSH2, WAC, NAC, RBAC
???
???
???
???
VPN, VLAN, RBAC
?????
Encryption, 802.1x, VLAN, NAC, RBAC, WIPS
???
????, VLAN
137
Part 7 ????????
..........

L7????
??????

..........
138
L7??????

??HTTPS???HTTP????
AP????????
SSL????
?SSH2??Telnet
FTP??SSL
??SNMPv3
??authentication and privacy control

139
Rouge Management

???Rouge AP??
????
???AP
????Rouge AP
????
EAP authentication
????(port 80 23)
?????

140
??Rouge AP

?????????
???????(MAC filter)
????
??NAC??
????????
ex. Cisco Unified Wireless Network
ex. Aruba Mobile Management System

141
Part 8 WLAN????
..........

??????
RF?????
????????

..........
142
??????

???
CommView for Wi-Fi PPC
MiniStumbler
???/???
OmniPeek Personal
CommView for Wi-Fi
AiroPeek NX

143
?????????

????
?L2L7?????????
????????? (WEP, WPA-Personal)
????????
Frame retransmission
Heavy fragmentation
Frame corruption

144
CommView for Wi-Fi
145
????-Open System
146
????-Open System
147
?????

???
MetaGeek WiSpy Chanalyzer
Fluke AnalyzeAir
Cisco Cognio
AirMagnet

???
Willtek
Anritsu
Agilent
HP

148
RF?????

Willtek 9101
100kHz 4GHz
FHSS, DSSS, HR/DSSS, ERP

149
??????

Wi-Spy 2.4x
USB adapter
USD399
Chanalyzer 3.1
???????

150
????????

Site survey
?????
????????
Security audit
??rouge AP
??PHY DoS??

151
???????

Distributed RF Spectrum Analyzer
(Cisco Network)

152
Part 9 WLAN????
..........

???????
???????

..........
153
???????

??????????????,??
????
????
????
????
?????
????

154
???????

?????????????????
??????????

????
????
???????(AUP)
????

????
???????
???????
????

155
?SOHO?????????

?AP?client??????????
????WPA2?????
??WPA2-Personal????
???????(SSID, ????)
??????

156
?SMB?????????

?AP?client??????????
????WPA2?????
?WPA2-Personal?WPA2-Enterprise????
??????????,?VLAN??
?????,??????

157
?????????????

?????????????
????????
??WPA2-Enterprise????
?VLAN?????
??WIPS??
??NAC??

158
????

????
???(???fake,????)
????
?????????
??????
??????enclosure
?Console Port??????

159
????

????????
penetration test (????)
????
Vulnerability analysis
????

160
Part 10 WLAN????
..........

?????????
?????????

..........
161
??????????

MAC filtering
SSID hiding
???WEP

162
?????????

????????,?????????????
IEEE 802.11i
IEEE 802.1X

163
??

Wi-Fi???????
????????
????????

164
??- Wi-Fi Protected setup
165
??WPS

Wi-Fi???????
WPS??
?????????????????
?AP???SSID?WPA/WPA2??????????????
WPS?????
???(Registrar) AP
???(Enrollee) STA

166
WPS???

WPS-PIN
Personal Information Number
??????AP????????PIN
????????
WPS-PBC
Push Button Configuration
?AP???????2???,?????????

167
????WPS??
168
?????
169
?????(PBC)
170
?????(PIN)
171
WPS???

Discovery Protocol
????Registrar?Enrollee???
Registration Protocol
????????(??/SSID)

172
??-????????
173
????????(1)

??????????
Client for Microsoft Network
File and Printer sharing for Microsoft Networks
??????
Microsoft Update
????

174
????????(2)

??VPN??
??????????
universal plug and play device host
Routing Remote Access
remote registry ()
SSDP Discovery Service
Clipbook
Terminal Services

175
????????(3)

?????
?????
??????
??????
http//www.hackerwatch.org/probe/
gtgtgt Port scan

176
????????(4)

???????
????????

177
????????(5)
178
??-????????
179
????????(1)

?AP?????????
??AP?STA??????
????IP???
?????????????
?????????????
(???)??????????
?????????

180
????????(2)

??SSID???(SSID cloaking)
????SSID,????????
?SSID?????????
??MAC?????
??DHCP???
?????AP???
????????

181
????????(3)

(???)??5GHz???
?STA??Anti-Spyware???
????????
????????????
???,?AP?????

182
????
183
Q1

??RSN??????????????

184
Q2

IEEE 802.11??????????????

185
Q3

????????????????

186
Q4

802.1X/EAP????????????????

187
Q5

ABC?????WPA2-Enterprise,???POP3/SSL??Email???,???
???OSI???????

188
Q6

XYZ?????ERP-OFDM(802.11g)????802.1X/EAP-FAST?????
???????????????????,?????????????

189
Q7

????????pre-RSNA??,????????????

190
Q8

????????,??????????????

191
Q9

???????????????,?????????????AP?

192
Q10

??????????????VPN?????IPX???

193
Q11

?802.11-1999(R2003)????????????????????????

194
Q12

??????????TKIP???

195
Q13

?????????????????????

196
Q14

??????????????????DHCP?????IP???

197
Q15

????????????????SSIDs,????,???????????????

198
The End

Write a Comment

User Comments (0)

About PowerShow.com

802.11 Network Security - PowerPoint PPT Presentation

802.11 Network Security

802.11 Network Security (Hubert Yang) hwyang_at_iii.org.tw 802.11 Protocol Architecture 802.11 Access Process 802.11 ... – PowerPoint PPT presentation