CWNA Guide to Wireless LANs, Second Edition - PowerPoint PPT Presentation

1 / 46
About This Presentation
Title:

CWNA Guide to Wireless LANs, Second Edition

Description:

Title: Linux+ Guide to Linux Certification Subject: Chapter One Created Date: 9/27/2002 11:29:22 PM Document presentation format: On-screen Show Other titles – PowerPoint PPT presentation

Number of Views:183
Avg rating:3.0/5.0
Slides: 47
Provided by: cmsu2Ucmo
Category:

less

Transcript and Presenter's Notes

Title: CWNA Guide to Wireless LANs, Second Edition


1
CWNA Guide to Wireless LANs, Second Edition
  • Chapter Nine
  • Implementing Wireless LAN Security

2
Objectives
  • List wireless security solutions
  • Tell the components of the transitional security
    model
  • Describe the personal security model
  • List the components that make up the enterprise
    security model

3
Wireless Security Solutions
  • IEEE 802.11a and 802.11b standards included WEP
    specification
  • Vulnerabilities quickly realized
  • Organizations implemented quick fixes
  • Did not adequately address encryption and
    authentication
  • IEEE and Wi-Fi Alliance started working on
    comprehensive solutions
  • IEEE 802.11i and Wi-Fi Protected Access (WPA)
  • Foundations of todays wireless security

4
WEP2
  • Attempted to overcome WEP limitations by adding
    two new security enhancements
  • WEP key increased to 128 bits
  • Kerberos authentication
  • User issued ticket by Kerberos server
  • Presents ticket to network for a service
  • Used to authenticate user
  • No more secure than WEP
  • Collisions still occur
  • New dictionary-based attacks available

5
Dynamic WEP
  • Solves weak IV problem by rotating keys
    frequently
  • More difficult to crack encrypted packet
  • Uses different keys for unicast and broadcast
    traffic
  • Unicast WEP key unique to each users session
  • Dynamically generated and changed frequently
  • Broadcast WEP key must be same for all users on a
    particular subnet and AP

6
Dynamic WEP (continued)
Figure 9-1 Dynamic WEP
7
Dynamic WEP (continued)
  • Can be implemented without upgrading device
    drivers or AP firmware
  • No-cost and minimal effort to deploy
  • Does not protect against man-in-the-middle
    attacks
  • Susceptible to DoS attacks

8
IEEE 802.11i
  • Provides solid wireless security model
  • Robust security network (RSN)
  • Addresses both encryption and authentication
  • Encryption accomplished by replacing RC4 with a
    block cipher
  • Manipulates entire block of plaintext at one time
  • Block cipher used is Advanced Encryption Standard
    (AES)
  • Three step process
  • Second step consists of multiple rounds of
    encryption

9
IEEE 802.11i (continued)
Table 9-1 Time needed to break AES
10
IEEE 802.11i (continued)
  • IEEE 802.11i authentication and key management is
    accomplished by IEEE 802.1x standard
  • Implements port security
  • Blocks all traffic on port-by-port basis until
    client authenticated using credentials stored on
    authentication server
  • Key-caching Stores information from a device on
    the network, for faster re-authentication
  • Pre-authentication Allows a device to become
    authenticated to an AP before moving to it

11
IEEE 802.11i (continued)
Figure 9-2 IEEE 802.1x
12
Wi-Fi Protected Access (WPA)
  • Subset of 802.11i that addresses encryption and
    authentication
  • Temporal Key Integrity Protocol (TKIP) Replaces
    WEPs encryption key with 128-bit per-packet key
  • Dynamically generates new key for each packet
  • Prevents collisions
  • Authentication server can use 802.1x to produce
    unique master key for user sessions
  • Creates automated key hierarchy and management
    system

13
Wi-Fi Protected Access (continued)
  • Message Integrity Check (MIC) Designed to
    prevent attackers from capturing, altering, and
    resending data packets
  • Replaces CRC from WEP
  • CRC does not adequately protect data integrity
  • Authentication accomplished via IEEE 802.1x or
    pre-shared key (PSK) technology
  • PSK passphase serves as seed for generating keys

14
Wi-Fi Protected Access (continued)
Figure 9-3 Message Integrity Check (MIC)
15
Wi-Fi Protected Access 2 (WPA2)
  • Second generation of WPA security
  • Based on final IEEE 802.11i standard
  • Uses AES for data encryption
  • Supports IEEE 802.1x authentication or PSK
    technology
  • Allows both AES and TKIP clients to operate in
    same WLAN

16
Summary of Wireless Security Solutions
  • Wi-Fi Alliance categorizes WPA and WPA2 by modes
    that apply to personal use and to larger
    enterprises

Figure 9-4 Security timeline
17
Summary of Wireless Security Solutions (continued)
Table 9-2 Wi-Fi modes
Table 9-3 Wireless security solutions
18
Transitional Security Model
  • Transitional wireless implementation
  • Should be temporary
  • Until migration to stronger wireless security
    possible
  • Should implement basic level of security for a
    WLAN
  • Including authentication and encryption

19
Authentication Shared Key Authentication
  • First and perhaps most important step
  • Uses WEP keys
  • Networks that support multiple devices should use
    all four keys
  • Same key should not be designated as default on
    each device

20
Authentication SSID Beaconing
  • Turn off SSID beaconing by configuring APs to not
    include it
  • Beaconing the SSID is default mode for all APs
  • Good practice to use cryptic SSID
  • Should not provide any information to attackers

21
Authentication MAC Address Filtering
Figure 9-6 MAC address filter
22
WEP Encryption
  • Although vulnerabilities exist, should be turned
    on if no other options for encryption are
    available
  • Use longest WEP key available
  • May prevent script kiddies or casual
    eavesdroppers from attacking

Table 9-4 Transitional security model
23
Personal Security Model
  • Designed for single users or small office home
    office (SOHO) settings
  • Generally 10 or fewer wireless devices
  • Two sections
  • WPA Older equipment
  • WPA2 Newer equipment

24
WPA Personal Security PSK Authentication
  • Uses passphrase (PSK) that is manually entered to
    generate the encryption key
  • PSK used a seed for creating encryption keys
  • Key must be created and entered in AP and also on
    any wireless device (shared) prior to (pre)
    the devices communicating with AP

25
WPA Personal Security TKIP Encryption
  • TKIP is a substitute for WEP encryption
  • Fits into WEP procedure with minimal change
  • Device starts with two keys
  • 128-bit temporal key
  • 64-bit MIC
  • Three major components to address
    vulnerabilities
  • MIC
  • IV sequence
  • TKIP key mixing
  • TKIP required in WPA

26
WPA Personal Security TKIP Encryption (continued)
Figure 9-7 TKIP/MIC process
27
WPA2 Personal Security PSK Authentication
  • PSK intended for personal and SOHO users without
    enterprise authentication server
  • Provides strong degree of authentication
    protection
  • PSK keys automatically changed (rekeyed) and
    authenticated between devices after specified
    period of time or after set number of packets
    transmitted (rekey interval)
  • Employs consistent method for creating keys
  • Uses shared secret entered at AP and devices
  • Random sequence of at least 20 characters or 24
    hexadecimal digits

28
WPA2 Personal Security AES-CCMP Encryption
  • WPA2 personal security model encryption
    accomplished via AES
  • AES-CCMP Encryption protocol in 802.11i
  • CCMP based on Counter Mode with CBC-MAC (CCM) of
    AES encryption algorithm
  • CCM provides data privacy
  • CBC-MAC provides data integrity and
    authentication
  • AES processes blocks of 128 bits
  • Cipher key length can be 128, 192 and 256 bits
  • Number of rounds can be 10, 12, and 14

29
WPA2 Personal Security AES-CCMP Encryption
(continued)
  • AES encryption/decryption computationally
    intensive
  • Better to perform in hardware

Table 9-5 Personal security model
30
Enterprise Security Model
  • Most secure level of security that can be
    achieved today for wireless LANs
  • Designed for medium to large-size organizations
  • Intended for setting with authentication server
  • Like personal security model, divided into
    sections for WPA and WPA2
  • Additional security tools available to increase
    network protection

31
WPA Enterprise Security IEEE 802.1x
Authentication
  • Uses port-based authentication mechanisms
  • Network supporting 802.1x standard should consist
    of three elements
  • Supplicant Wireless device which requires secure
    network access
  • Authenticator Intermediary device accepting
    requests from supplicant
  • Can be an AP or a switch
  • Authentication Server Accepts requests from
    authenticator, grants or denies access

32
WPA Enterprise Security IEEE 802.1x
Authentication (continued)
Figure 9-8 802.1x protocol
33
WPA Enterprise Security IEEE 802.1x
Authentication (continued)
  • Supplicant is software on a client implementing
    802.1x framework
  • Authentication server stores list of names and
    credentials of authorized users
  • Remote Authentication Dial-In User Service
    (RADIUS) typically used
  • Allows user profiles to be maintained in central
    database that all remote servers can share

34
WPA Enterprise Security IEEE 802.1x
Authentication (continued)
  • 802.1x based on Extensible Authentication
    Protocol (EAP)
  • Several variations
  • EAP-Transport Layer Security (EAP-TLS)
  • Lightweight EAP (LEAP)
  • EAP-Tunneled TLS (EAP-TTLS)
  • Protected EAP (PEAP)
  • Flexible Authentication via Secure Tunneling
    (FAST)
  • Each maps to different types of user logons,
    credentials, and databases used in authentication

35
WPA Enterprise Security TKIP Encryption
  • TKIP is a wrapper around WEP
  • Provides adequate encryption mechanism for WPA
    enterprise security
  • Dovetails into existing WEP mechanism
  • Vulnerabilities may be exposed in the future

36
WPA2 Enterprise Security IEEE 802.1x
Authentication
  • Enterprise security model using WPA2 provides
    most secure level of authentication and
    encryption available on a WLAN
  • IEEE 802.1x is strongest type of wireless
    authentication currently available
  • Wi-Fi Alliance certifies WPA and WPA2 enterprise
    products using EAP-TLS
  • Other EAP types not tested, but should run a WAP
    or WAP2 environment

37
WPA2 Enterprise Security AES-CCMP Encryption
  • AES Block cipher that uses same key for
    encryption and decryption
  • Bits encrypted in blocks of plaintext
  • Calculated independently
  • block size of 128 bits
  • Three possible key lengths 128, 192, and 256
    bits
  • WPA2/802.11i uses128-bit key length
  • Includes four stages that make up one round
  • Each round is iterated 10 times

38
WPA2 Enterprise Security AES-CCMP Encryption
(continued)
Table 9-6 Enterprise security model
39
Other Enterprise Security Tools Virtual Private
Network (VPN)
  • Virtual private network (VPN) Uses a public,
    unsecured network as if it were private, secured
    network
  • Two common types
  • Remote-access VPN User-to-LAN connection used by
    remote users
  • Site-to-site VPN Multiple sites can connect to
    other sites over Internet
  • VPN transmissions are achieved through
    communicating with endpoints

40
Other Enterprise Security Tools Virtual Private
Network (continued)
  • Endpoint End of tunnel between VPN devices
  • Can local software, dedicated hardware device, or
    even a firewall
  • VPNs can be used in WLAN setting
  • Tunnel though WLAN for added security
  • Enterprise trusted gateway Extension of VPN
  • Pairs of devices create trusted VPN connection
    between themselves
  • Can protect unencrypted packets better than a VPN
    endpoint

41
Other Enterprise Security Tools Wireless Gateway
  • AP equipped with additional functionality
  • Most APs are wireless gateways
  • Combine functionality of AP, router, network
    address translator, firewall, and switch
  • On enterprise level, wireless gateway may combine
    functionality of a VPN and an authentication
    server
  • Can provide increased security for connected APs

42
Other Enterprise Security Tools Wireless
Intrusion Detection System (WIDS)
  • Intrusion-detection system (IDS) Monitors
    activity on network and what the packets are
    doing
  • May perform specific function when attack
    detected
  • May only report information, and not take action
  • Wireless IDS (WIDS) Constantly monitors RF
    frequency for attacks
  • Based on database of attack signatures or on
    abnormal behavior
  • Wireless sensors lie at heart of WIDS
  • Hardware-based have limited coverage,
    software-based have extended coverage

43
Other Enterprise Security Tools Captive Portal
  • Web page that wireless users are forced to visit
    before they are granted access to Internet
  • Used in one of the following ways
  • Notify users of wireless policies and rules
  • Advertise to users specific services or products
  • Authenticate users against a RADIUS server
  • Often used in public hotspots

44
Summary
  • IEEE 802.11i and Wi-Fi Protected Access (WPA),
    have become the foundations of todays wireless
    security
  • Dynamic WEP attempts to solve the weak
    initialization vector (IV) problem by rotating
    the keys frequently, making it much more
    difficult to crack the encrypted packet
  • The IEEE 802.11i standard provided a more solid
    wireless security model, such as the block cipher
    Advanced Encryption Standard (AES) and IEEE
    802.1x port security

45
Summary (continued)
  • WPA is a subset of 802.11i and addresses both
    encryption and authentication
  • The transitional security model uses shared key
    authentication, turning off SSID beaconing, and
    implementing MAC address filtering
  • The personal security model is designed for
    single users or small office home office (SOHO)
    settings of generally 10 or fewer wireless
    devices and does not include an authentication
    server

46
Summary (continued)
  • The enterprise security model is intended for
    settings in which an authentication server is
    available if an authentication server is not
    available the highest level of the personal
    security model should be used instead
  • Additional security tools that can supplement the
    enterprise security model to provide even a
    higher degree of security include virtual private
    networks, wireless gateways, wireless intrusion
    detection systems (WIDS), and captive portals
Write a Comment
User Comments (0)
About PowerShow.com