
DESIGNING AND DEPLOYING SECURE WIRELESS LANS

Karl McDermott

Cisco Systems Ireland

[email protected]

© 2003 Cisco Systems, Inc. All rights reserved.

Agenda

• Wireless LAN Security Overview

• WLAN Security Authentication and Encryption

• Radio Monitoring

– Intrusion Detection Services

• Location Services and RFID Tracking


Why Is WLAN Security Important?

• Do not rely on basic WEP encryption; requirement for Enterprise class Security (WPA, EAP/802.1x protocols, Wireless IDS, VLANs/SSIDs, etc.)

• Employees will install WLAN equipment on their own (compromises security of your entire network)

– Out of the box configuration of APs: All security features are disabled!

• Business impact due to stolen data: Potential financial and legal consequences (Laws to protect data confidentiality; Example: Healthcare)

(Figure labels: Hackers; Lessons: “War Driving”; Vulnerabilities: Employees)


WLAN Security Vulnerabilities and Threats

• Different forms of Vulnerabilities and Threats Exist

– Encryption Vulnerabilities: WEP

– Authentication Vulnerabilities: Shared-Key authentication, Dictionary attacks, and MITM attacks

– WLAN Sniffing and SSID Broadcasting

– Address Spoofing: MAC-address spoofing and IP address spoofing (both hostile/outsider attacks as well as insider attacks)

– Misconfigured APs and Clients

– Denial of Service (DoS) attacks: Using 802.11 deauthentication/disassociation frames, RF jamming, etc.


Bit Flipping Vulnerability

(Figure: Attacker, Access Point, Layer 3 Receiver.) The attacker sends a bit-flipped WEP frame; at the access point the WEP ICV check passes and the frame is forwarded, but the layer 3 receiver's CRC fails and it returns an error message, which the access point encrypts. The attacker XORs the ciphertext error message with the predicted plaintext error message to recover the key stream.


WLAN Sniffing and SSID Broadcasting

Disabling SSID Broadcast should not be considered a security mechanism: potential attackers can uncover your SSID by observing probe responses!


Unknown WLANs - Rogue AP

Frustrated insider (“Jones from Accounting”; >99.9% of Rogue APs)

• User that installs wireless AP in order to benefit from increased efficiency and convenience it offers

• Common because of wide availability of low cost APs

• Usually ignorant of AP security configuration, default configuration most common

Malicious hacker (<.1% of Rogue APs)

• Penetrates physical security specifically to install a rogue AP

• Can customize AP to hide it from detection tools

• Hard to detect—more effective to prevent via 802.1x and physical security

• More likely to install LINUX box than an AP


802.11 security approaches

• Open network

– SSID can be captured with passive monitoring

• MAC filtering

– MACs can be sniffed/spoofed

• WEP

– Can be cracked online/offline given enough traffic & time

• Change keys frequently

– Traffic can still be decrypted offline

• Place APs on DMZ

– Requires VPN access to get back into network

• Use VPN

– Doesn’t handle roaming

• WPA and/or EAP


Authentication methods

• Open systems authentication

• Shared key authentication

• EAP / 802.1x


Open system authentication

• Required by 802.11

• Just requires SSID from client

• Only identification required is MAC address of client

• WEP key not verified, but device will drop packets it can’t decrypt


Shared key authentication

• Utilizes challenge/response

• Requires & matches key

• Steps

1. Client requests association to AP

2. AP issues challenge to client

3. Client responds with challenge encrypted by WEP key

4. AP decrypts the client’s response & verifies it

• WEAK! Attacker sniffs plain-text AND cipher-text!


802.1x authentication

• Encapsulates EAP traffic over LAN (aka EAPoL)

• EAP: Standard for securely transporting authentication (authC) data

• Supports a variety of authentication methods

– LEAP, EAP-TLS, etc.

• Port-based – only access is to authentication server until authentication succeeds

– Similar to what’s used on Ethernet switches

• Originally designed for campus-wired networks

• Requires little overhead by access point


802.1x authentication (cont.)

• 3 entities

– Supplicant (e.g., laptop w/wireless card)

– Authenticator (e.g., access point)

– Authentication server (e.g., RADIUS)

• Three Main Elements

1. Mutual authentication between client and RADIUS

2. Encryption keys dynamically derived after authentication

3. Centralized policy control


EAP-FAST Authentication Overview

(Figure: message sequence between Supplicant, AP and RADIUS server in the Enterprise Network.)

1. Supplicant → AP: EAPOL Start (Start EAP Authentication)

2. AP → Supplicant: EAP-Request/Identity (Ask client for identity)

3. Supplicant → AP: EAP-Response/Identity (EAP-ID)

4. AP → RADIUS server: RADIUS Access Request with EAP-ID

5. Supplicant ↔ RADIUS server: Perform sequence defined by EAP-FAST; Client-side Authentication inside a Secure Tunnel (via TLS & PAC)

6. RADIUS server → AP: RADIUS Access Accept (Pass PMK to AP); Client derives PMK

7. AP → Supplicant: EAP success

8. WPA Key Management, then Protected DATA Transfer
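As an added model (not Cisco code and not from the slides) of the exchange above: the supplicant's data frames are dropped until the RADIUS server's Access-Accept hands the PMK to the AP, and the client must arrive at the same PMK independently. The user store, credential and PMK derivation are constructed, and the tunnelled EAP-FAST method is collapsed into a single credential check.

```python
import hashlib
import hmac

USERS = {"alice": b"constructed-credential"}   # constructed RADIUS user store

def derive_pmk(identity, credential):
    """Constructed PMK derivation; a real EAP method exports the PMK from its
    TLS tunnel. Server and client both compute it, the AP only receives it."""
    return hashlib.sha256(b"constructed-pmk|" + identity.encode() + b"|" + credential).digest()

def radius_access_request(identity, credential):
    """Authentication server. The tunnelled EAP-FAST exchange is collapsed into
    one credential check; on success the PMK is returned for the AP."""
    expected = USERS.get(identity)
    if expected is None or not hmac.compare_digest(expected, credential):
        return "Access-Reject", None
    return "Access-Accept", derive_pmk(identity, credential)

class Authenticator:
    """Access point: relays EAP to RADIUS and gates the port per client MAC."""
    def __init__(self):
        self.authorized = set()
        self.pmk = {}

    def handle(self, mac, msg):
        kind = msg["type"]
        if kind == "EAPOL-Start":
            return {"type": "EAP-Request/Identity"}
        if kind == "EAP-Response/Identity":
            # Relayed opaquely to RADIUS as an Access-Request carrying the EAP-ID.
            result, pmk = radius_access_request(msg["identity"], msg["credential"])
            if result == "Access-Accept":
                self.authorized.add(mac)
                self.pmk[mac] = pmk           # "Pass PMK to AP": WPA key management follows
                return {"type": "EAP-Success"}
            return {"type": "EAP-Failure"}
        if kind == "Data":
            # Port-based control: until EAP-Success only EAPOL traffic is accepted.
            return {"type": "Forwarded" if mac in self.authorized else "Dropped"}
        return {"type": "Dropped"}

def run_supplicant(ap, mac, identity, credential):
    """Drive one client through the exchange; returns the reply transcript and
    whether the client-derived PMK equals the one RADIUS handed to the AP."""
    steps = [{"type": "Data", "payload": b"too early"},
             {"type": "EAPOL-Start"},
             {"type": "EAP-Response/Identity", "identity": identity, "credential": credential},
             {"type": "Data", "payload": b"after authentication"}]
    transcript = [ap.handle(mac, step)["type"] for step in steps]
    return transcript, ap.pmk.get(mac) == derive_pmk(identity, credential)
```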


Wired Equivalent Privacy (WEP)

• Part of 802.11 specification

• 64-bit key

– Shared key – 40 bits

– Initialization vector (IV) = 24 bits

• Uses RC4 for encryption

• Weaknesses/attacks

– FMS key recovery attack – weak IVs (filter weak IVs to mitigate)

– IV too short, gets reused after 5 hours

– IP redirection, MITM attacks

– Traffic injection attacks

– Bit-flip attacks

• WEP2 added, increases key length to 128 bits


TKIP/MIC to the rescue

• Fixes key reuse in WEP

• Same encryption as WEP (RC4)

• MIC – Message Integrity Code

• TKIP – Temporal Key Integrity Protocol

– Protects IV by removing predictability

– Per Packet keying
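An added illustration (not from the slides) of the Bit Flipping Vulnerability slide and of why TKIP's MIC closes it: WEP's CRC-32 ICV is affine over XOR, so a frame whose payload bits and ICV bits are flipped together still passes the access point's check, while a keyed MIC (HMAC-SHA256 standing in for Michael) rejects the same frame. The keystream, MIC key and payload are constructed.

```python
import hashlib
import hmac
import zlib

def crc32_icv(data: bytes) -> bytes:
    """WEP-style ICV: plain CRC-32 over the payload."""
    return zlib.crc32(data).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(payload: bytes, keystream: bytes) -> bytes:
    """Model of WEP: (payload || ICV) XOR RC4 keystream; the keystream is supplied by the caller."""
    body = payload + crc32_icv(payload)
    return xor(body, keystream[:len(body)])

def wep_decrypt_and_check(frame: bytes, keystream: bytes):
    """What the AP does: decrypt, then compare the CRC of the payload with the ICV."""
    body = xor(frame, keystream[:len(frame)])
    payload, icv = body[:-4], body[-4:]
    return payload, crc32_icv(payload) == icv

def flip_bits(frame: bytes, mask: bytes) -> bytes:
    """The slide's bit flip. CRC-32 is affine over XOR, so crc(p ^ m) equals
    crc(p) ^ crc(m) ^ crc(zeros); flipping the ICV by that delta keeps the check
    passing, which is why a CRC gives no integrity protection."""
    icv_delta = xor(crc32_icv(mask), crc32_icv(bytes(len(mask))))
    return xor(frame, mask + icv_delta)

def mic_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed MIC; HMAC-SHA256 stands in for TKIP's Michael, which is keyed too."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def mic_ok(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mic_tag(key, payload), tag)

def demo():
    """Returns (payload seen by the AP, ICV verdict, MIC verdict) for one tampered frame."""
    keystream = hashlib.sha256(b"constructed keystream seed").digest()  # stands in for RC4(IV || key)
    mic_key = b"constructed-mic-key"
    payload = b"DST=10.0.0.5"
    frame, tag = wep_encrypt(payload, keystream), mic_tag(mic_key, payload)
    mask = xor(payload, b"DST=10.0.0.9")   # chosen from the known plaintext so the result is readable
    recovered, icv_ok = wep_decrypt_and_check(flip_bits(frame, mask), keystream)
    return recovered, icv_ok, mic_ok(mic_key, recovered, tag)
```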


VPN Authentication Overview

• Alternative to 802.1X over WLAN

• IETF standardized IPSec implementation

• Key benefits

– Mutual authentication between client machine and VPN concentrator using Shared-Key or Digital Certificate

– Provides 3DES or AES Encryption

– Provides SHA/MD5 for data integrity protection

– Provides Centralized user authentication (such as OTP) and administration


VPN Deployment Requirements

(Figure: Client Machine, Access Point, VPN Concentrator, RADIUS/OTP Servers; Packet Filtering; Two-Factor Authentication.)

Client Machine

– IPSec VPN supplicant

– VPN supplicant & WLAN adapter supplicant integration (optional)

– Personal Firewall for Local Attack Mitigation

VPN Concentrator

– Authenticate Remote Users

– Terminate IPSec

– DHCP services (DHCP pool or DHCP Relay)


What is Wireless IDS?

• Wireless Intrusion Detection permits the detection of malicious or non-malicious security events on the WLAN

– Rogue AP detection

– Denial-of-Service detection

– WLAN Exploit Signature Analysis

– RF Interference detection

• Detection of attempts to access WLAN network and attempts to attract managed clients (honeypot)


Radio (Air/RF) Monitoring

(Figure: Network Core, Distribution and Access layers; radio monitors (RM) at the access layer observe Rogue APs; the WDS Service acts as aggregation point and reports to the Wireless Controller or IDS Server and to the NMS.)


Rogue AP Detection & Suppression

• Real-time RF monitoring – ALL channels scanned while offering service

• Can scan country channels only or all channels

• During Scan all 802.11 packets are collected and characterized

– Rogue beacons,

– Rogue clients,

– 802.11 interference

– Matched against IDS signatures.

• Rogue AP suppression techniques

– Trace the rogue AP over the wired network and shut-down the switch port

– Use of managed devices to disassociate clients from unauthorized AP and prevent further associations via 802.11 deauthentication frames
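An added example (not Cisco's code) of the characterisation step above, run over a constructed scan interval of beacon and deauthentication frames: it flags beacons from BSSIDs outside the managed inventory, unknown radios advertising a corporate SSID (the honeypot case from the Wireless IDS slide) and a broadcast deauthentication flood. The AP inventory, SSIDs and flood threshold are assumptions.

```python
from collections import Counter

# Constructed inventory of managed APs: BSSID -> the SSID it is configured to beacon.
MANAGED_APS = {"00:11:22:aa:bb:01": "corp-wlan", "00:11:22:aa:bb:02": "corp-wlan"}
CORPORATE_SSIDS = set(MANAGED_APS.values())
DEAUTH_FLOOD_THRESHOLD = 20      # assumed: broadcast deauth frames per BSSID per scan interval

def classify_scan(frames):
    """Characterise one scan interval of captured 802.11 management frames.
    Each frame is a dict with 'type' plus 'bssid'/'ssid'/'channel' for beacons
    and 'bssid'/'dst' for deauth frames. Returns (severity, signature, detail) alerts."""
    alerts, seen_beacons, deauths = [], set(), Counter()
    for f in frames:
        if f["type"] == "beacon":
            key = (f["bssid"], f["ssid"])
            if key in seen_beacons:           # beacons repeat ~10x/s; alert once per BSSID/SSID
                continue
            seen_beacons.add(key)
            if f["bssid"] in MANAGED_APS:
                if f["ssid"] != MANAGED_APS[f["bssid"]]:
                    alerts.append(("high", "managed AP misconfigured",
                                   f"{f['bssid']} beacons '{f['ssid']}'"))
            elif f["ssid"] in CORPORATE_SSIDS:
                # Unknown radio advertising our SSID: honeypot trying to attract managed clients.
                alerts.append(("critical", "honeypot AP",
                               f"{f['bssid']} on ch {f['channel']} advertises '{f['ssid']}'"))
            else:
                alerts.append(("medium", "rogue AP beacon",
                               f"{f['bssid']} '{f['ssid']}' on ch {f['channel']}"))
        elif f["type"] == "deauth" and f["dst"] == "ff:ff:ff:ff:ff:ff":
            deauths[f["bssid"]] += 1          # broadcast deauth is the classic DoS pattern
    for bssid, n in deauths.items():
        if n >= DEAUTH_FLOOD_THRESHOLD:
            alerts.append(("high", "deauth flood", f"{n} broadcast deauth frames claiming {bssid}"))
    return alerts

# Constructed capture: a healthy managed beacon, a honeypot copying the corporate
# SSID, a consumer AP on channel 1 and a broadcast deauth flood spoofing a managed AP.
SAMPLE_FRAMES = (
    [{"type": "beacon", "bssid": "00:11:22:aa:bb:01", "ssid": "corp-wlan", "channel": 6}] * 3
    + [{"type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "corp-wlan", "channel": 11}] * 2
    + [{"type": "beacon", "bssid": "de:ad:be:ef:00:02", "ssid": "linksys", "channel": 1}]
    + [{"type": "deauth", "bssid": "00:11:22:aa:bb:02", "dst": "ff:ff:ff:ff:ff:ff"}] * 25
)
```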


Autonomous AP: Rogue AP Location

Wireless enabled Location Solutions (Active RFID)

Active RFID Location Solutions Provide

Real time Asset information provides the answers to:

– What Do We Have?

– How Many Do We Have?

– Where Is It?

– What Is Its Status?

Presence: Pallet X is on the line

Real-time Location Tracking: Infant X is in room Y

Choke-point: Vehicle X entered the terminal


Example “Asset Loss” in Hospitals

“[Hospitals] cannot find 15-20% of the devices they own.”

– Arthur Gasch, Medical Strategy Planning

“Infusion pumps simply disappear. When it comes time to do preventative maintenance, we cannot find them.”

– Materials Manager, large US hospital

Data from hospitals demonstrates magnitude of problem:

• 500-bed hospital: loses 40 of 500 pumps per year (8%)

• 150-bed hospital: loses 250 of 1500 pumps per year (17%)

Loss = failure to locate the equipment in time for scheduled preventative maintenance


Applications for location information

Voice

– Code Blue, Voice Alerts

– E911

Security

– Better rogue detection

– Perimeter security

– Policy enforcement

– Location/movement based alerts

Visibility

– Asset Management

– Streamline Workflow

Location based trending

– RF Capacity Management

– Troubleshooting

– Security

Location Based Content Distribution

Telemetry

– Relevant information about tracked item


RF Location Architecture

• APs collect RSSI from 802.11 devices and tags

• RSSI Location information is aggregated by Controllers

• Information is sent to the Location Appliance for computation

• Location information is visually displayed by NMS

• NMS provides immediate applications for RF capacity management, location based security & asset visibility.

• Rich location information can be used by Location Appliance API for integration & display by location based applications

(Figure: Wi-Fi Handsets, clients, rogues & Wi-Fi Tags → Access Points → Wireless LAN Controller → Wireless Location Appliance; SOAP/XML to 3rd party Integrated Applications: E911, Asset Tracking, ERP, Workflow Automation…; HTTPS to NMS and Browser Based Remote Console.)


Location services technologies

• Closest AP: Identify AP with strongest RSSI. Limited accuracy: an AP can easily cover several thousand feet.

• RF Triangulation: All APs identify the strength with which they hear a client. Intelligent algorithms triangulate responses to find probable location. More accurate than closest AP, but does not account for effect of building material and people on signal, e.g. multi-path, attenuation, reflection…

• RF Fingerprinting: RF prediction creates a grid that identifies how every single part of the floorplan looks to all APs. Real world information gathered by APs is compared to these fingerprints to determine location to within a few meters.
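An added worked example (not Cisco's algorithm) of the three techniques on this slide on a constructed 30 m × 30 m floor with three APs: a log-distance path-loss model stands in for RF prediction, and an 8 dB wall loss on one AP, which the model ignores but the fingerprint survey captured, shows why triangulation degrades while fingerprinting does not. AP positions, path-loss parameters and the wall are assumptions.

```python
import math

APS = {"ap1": (0.0, 0.0), "ap2": (30.0, 0.0), "ap3": (0.0, 30.0)}  # constructed AP positions, metres
RSSI_1M, PATH_LOSS_EXP = -40.0, 2.5    # assumed log-distance path-loss parameters
WALL_LOSS_DB = 8.0                     # assumed extra loss from ap2 into the west half (x < 15)

def model_rssi(ap_xy, point):
    """Free-space-style prediction: what triangulation assumes the signal does."""
    return RSSI_1M - 10 * PATH_LOSS_EXP * math.log10(max(math.dist(ap_xy, point), 1.0))

def observed_rssi(point, with_wall=True):
    """Constructed 'real world' readings: the model plus a wall the model ignores."""
    readings = {name: model_rssi(xy, point) for name, xy in APS.items()}
    if with_wall and point[0] < 15.0:
        readings["ap2"] -= WALL_LOSS_DB
    return readings

def closest_ap(readings):
    """Closest AP: the location is simply the strongest AP's position."""
    return APS[max(readings, key=readings.get)]

def trilaterate(readings):
    """RF triangulation: invert the path-loss model into ranges and solve the
    linearised intersection of the three range circles (Cramer's rule)."""
    (x1, y1), (x2, y2), (x3, y3) = (APS[n] for n in ("ap1", "ap2", "ap3"))
    d1, d2, d3 = (10 ** ((RSSI_1M - readings[n]) / (10 * PATH_LOSS_EXP)) for n in ("ap1", "ap2", "ap3"))
    a, b, c = 2 * (x2 - x1), 2 * (y2 - y1), d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    d, e, f = 2 * (x3 - x1), 2 * (y3 - y1), d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a * e - b * d
    return ((c * e - b * f) / det, (a * f - c * d) / det)

# RF fingerprinting: a calibration grid every 5 m recording how each cell looks to all APs.
FINGERPRINTS = {(x, y): observed_rssi((x, y)) for x in range(0, 31, 5) for y in range(0, 31, 5)}

def fingerprint(readings):
    """Nearest fingerprint in RSSI space; the grid already contains the wall's effect."""
    return min(FINGERPRINTS, key=lambda p: sum((FINGERPRINTS[p][n] - readings[n]) ** 2 for n in APS))

def locate_errors(point, with_wall=True):
    """Error in metres of each technique for a device at `point`."""
    readings = observed_rssi(point, with_wall)
    estimates = {"closest_ap": closest_ap(readings), "triangulation": trilaterate(readings),
                 "fingerprint": fingerprint(readings)}
    return {name: math.dist(point, est) for name, est in estimates.items()}
```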


Wi-Fi Active RFID Tags

• Interoperability:

– Interoperable with any standards based 802.11 tag

– Proven interoperability with PanGo & Aeroscout tags

• Battery life:

– 3-5 years, depends on beacon/blink rates

– Unassociated tags promote battery life; intelligent motion detectors provide intelligent alerting only, preserving battery life

• Security mechanisms:

– 802.11i/WPA2 & VLANs

– Unassociated tags do not associate to network

• Rich Device Information Relay:

– Serial telemetry information capable

• Dimensions:

– Varies slightly by vendor but approximately 2.44” (2.61) x 1.57” (1.74) x 0.67” (0.88) / 62mm (66.3) x 40mm (44.2) x 17mm (22.35)

– Weight: 1.2oz (35g) - 2.5oz (w/batteries)

• Various Mounting Options

• Environmental Durability:

– Operating Temperature: varies by vendor: -30°C to +75°C (-22°F to 167°F) to 32 to 130°F (0 to 54°C)

– Dirt/Dust/Water resistance, includes rubber lining IP-67, IP-68


Summary

• WPA, WPA2, with an EAP protocol solution is recommended for WLAN security deployment

• Segment wireless network along the same lines as wired network and use the same access restrictions

• Implement wired security features as well as Wireless IDS

• Radio Monitoring is a requirement even if you do not have a wireless network

• Radio Monitoring also delivers Location Services