© 2004 Bluesocket, Inc. Secure Mobility Wireless Security: Issues and Solutions Mike Brockney Bluesocket www.bluesocket.com


Page 1: Wireless Security: Issues and Solutions

Mike Brockney, Bluesocket

www.bluesocket.com

Page 2: Agenda

• WLAN Security and Management Requirements
• WLAN Challenges
• WLAN security standards
  – WEP, WPA, 802.11i
• VPNs and WLANs
• Evolution of WLAN deployment model

Page 3: A little Wi-Fi related joke:

Page 4: About Bluesocket…

Page 5: WLAN Management & Security Requirements

• Access Control
  – Authentication
  – Authorization
  – Airlink Privacy
  – Physical Security
• Data is more dense
  – Need to manage bandwidth
  – Avoid unnecessary encryption overhead
  – Don’t allow bandwidth “hogs”
• Imperative for Interoperability
  – Multiple devices: laptops, PDAs, scanners, phones, networking vendors’ appliances
  – Different radio protocols (802.11 alphabet soup)
• Need for simple management
  – Single Web-based login
  – Transparent login where possible
  – Guest / Visitor Access
  – Client software maintenance at a minimum
• Secure Mobility™ and Policy-based networks
  – Voice over WLAN will be widely used

Page 6: Wireless LAN Challenges – Minimal security and management in APs

• No Bandwidth Management or QoS
• Stop or Go - Same Access For All: Visitor or Employee or Contractor (Policy Management)
• Weak Security
• No True Mobility

Page 7: Wireless LAN Challenges – Rogue APs

• Employee brings an AP to work and simply plugs it in, opening your network to anyone within radio distance
• Malicious user attaches an AP to the network to allow access
• Attacker positions an AP near the building in an attempt to have a legitimate user associate with it
• AirMagnet, AirDefense, Wavelink can detect and alert in real-time
• Cisco, Proxim/Orinoco and others are now building Rogue Detection into standard APs
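The slide names the three rogue-AP scenarios and the products that detect them, but not what the detection logic looks like. The following is an added example written for this page (not Bluesocket code and not the logic of any product named above) of the classification a rogue-AP monitor performs: it compares beacons reported by a wireless sensor against an inventory of sanctioned APs, and correlates unknown BSSIDs with the MAC table of the wired switches to tell a plugged-in AP apart from a neighbour's AP that is merely in range. The SSID, the BSSIDs, the MAC-normalisation heuristic and the sample observations are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed inventory: the SSID the organisation broadcasts and the BSSIDs
# of the APs that network operations actually installed.
CORPORATE_SSIDS: Set[str] = {"corp-wlan"}
AUTHORIZED_BSSIDS: Set[str] = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2, "ok": 3}


@dataclass(frozen=True)
class Beacon:
    """One beacon observation reported by a wireless sensor (constructed)."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


def base_mac(mac: str) -> str:
    """Normalise a MAC so an AP's radio BSSID and its wired-port MAC compare
    equal.  Many APs derive per-radio BSSIDs from the wired MAC by changing
    only the low nibble; clearing that nibble is the heuristic assumed here
    (an assumption of this example, not a standard)."""
    mac = mac.lower()
    return mac[:-1] + "0"


def classify(beacon: Beacon, wired_macs: Set[str]) -> Tuple[str, str]:
    """Return (severity, reason) for one observed AP.

    wired_macs is the set of MAC addresses learned on access ports of the
    wired switches.  Correlating it with beacons separates an AP that is
    physically attached to the LAN from one that is only nearby.
    """
    if beacon.bssid.lower() in AUTHORIZED_BSSIDS:
        return ("ok", "sanctioned AP")
    on_wire = any(base_mac(m) == base_mac(beacon.bssid) for m in wired_macs)
    if beacon.ssid in CORPORATE_SSIDS:
        where = "on the wired LAN" if on_wire else "not on the wire (impersonating our SSID from outside)"
        return ("critical", f"unsanctioned AP advertising corporate SSID, {where}")
    if on_wire:
        return ("high", "unsanctioned AP attached to the wired LAN")
    return ("info", "unknown AP in range, not on the wired LAN (likely a neighbour)")


def scan_report(beacons: List[Beacon], wired_macs: Set[str]) -> List[Tuple[str, str, str]]:
    """Classify every observation; return (severity, bssid, reason) rows,
    most severe first, omitting sanctioned APs."""
    findings = []
    for b in beacons:
        sev, reason = classify(b, wired_macs)
        if sev != "ok":
            findings.append((sev, b.bssid, reason))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def sample_scan() -> Tuple[List[Beacon], Set[str]]:
    """Constructed sensor data covering the three cases on the slide."""
    beacons = [
        Beacon("00:11:22:aa:bb:01", "corp-wlan", 6, -48),   # sanctioned AP
        Beacon("00:50:f2:12:34:56", "linksys", 11, -55),    # employee's home AP plugged in
        Beacon("00:0c:41:ab:cd:e7", "corp-wlan", 1, -60),   # unknown AP using our SSID
        Beacon("00:1a:70:99:88:77", "cafe-free", 1, -85),   # neighbour across the street
    ]
    # Constructed wired MAC table: the Linksys' wired MAC shares the BSSID's
    # base, so that AP is physically attached to the LAN.
    wired_macs = {"00:50:f2:12:34:50", "00:11:22:aa:bb:00", "00:1b:63:00:00:01"}
    return beacons, wired_macs


if __name__ == "__main__":
    for row in scan_report(*sample_scan()):
        print(*row, sep="  ")
```

The MAC-correlation step is what makes the alert actionable: a critical finding that is also on the wire points at a switch port to disable, while one that is not on the wire calls for a physical sweep with a directional antenna. A real monitor would also age out entries and rate-limit repeated alerts for the same BSSID.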

Page 8: Wireless LAN Challenges – Emerging 802.11 devices

Page 9: Wireless LAN Challenges – Network Authentication

[Diagram: each class of user arrives over a different authentication method, all of which must be mapped onto a mix of back-end authentication servers]

• 802.1x – Admin
• PPTP – Executive
• IPsec – Finance
• Clear – Visitor

Back-end authentication servers: ACS, LDAP, Radius, NT Domain

Page 10: Wireless LAN Challenges – Which standards?

The “Alphabet Soup” of 802.11 standards (b, a, g, h, i, e, f, 1x) and the need to support other wireless interfaces such as Bluetooth on PDAs brings upgrade and compatibility challenges.

Solutions must be ‘agnostic’ to support current and future standards:

• Which protocol?
• Which air interface?
• Which vendor?

Page 11: WEP Security – Wired Equivalent Privacy

• Available in all APs and wireless cards
• Available in many different key lengths
• Uses a static key to encrypt data
• Good for home use
• Better than no security at all
• Can be difficult to manage keys
• Encryption algorithm has been compromised

Page 12: WEP Security – Wired Equivalent Privacy

• A series of academic papers exposed serious flaws in WEP, the security system built into the 802.11b standard.
• Rapid passive attack was first described in July 2001 by Fluhrer, Mantin & Shamir.
• AT&T Labs team successfully implemented the attack and concluded that WEP is “totally insecure”.
• In August 2001, the Airsnort program was released on the Web.

http://airsnort.sourceforge.net/
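The two WEP slides state that the key is static and that the cipher has been compromised; the practical consequence for a network operator is that the 24-bit per-frame IV, combined with a key that never changes, guarantees keystream reuse on a busy network. The block below is an added example for this page (not Bluesocket code and not an implementation of the FMS attack): it builds WEP-style frame headers, runs a passive monitor that flags IV reuse per BSSID and key index, and computes how many frames a random-IV sender can transmit before a repeat becomes likely. The byte order used for the IV, the sample capture, and the IV-counter-reset behaviour of the sample sender are assumptions of the example.

```python
import math
import os
from collections import defaultdict
from typing import Dict, List, Set, Tuple

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def wep_header(iv: int, key_id: int = 0) -> bytes:
    """Build the 4-byte WEP header: three IV bytes followed by the key-id byte
    (key index in its top two bits).  The IV byte order is a convention of
    this example; the monitor only needs it to be consistent."""
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV must fit in 24 bits")
    if not 0 <= key_id < 4:
        raise ValueError("WEP key id is 0..3")
    return iv.to_bytes(3, "little") + bytes([(key_id & 0x3) << 6])


def parse_wep_header(body: bytes) -> Tuple[int, int]:
    """Return (iv, key_id) from the first four bytes of a WEP-protected body."""
    if len(body) < 4:
        raise ValueError("body too short for a WEP header")
    return int.from_bytes(body[:3], "little"), body[3] >> 6


class IvReuseMonitor:
    """Track the IVs seen per (bssid, key_id) and record every repeat.

    With a static key, a repeated IV means a repeated RC4 keystream, so each
    repeat is a pair of frames whose plaintexts are no longer protected from
    each other.  For the defender that is the signal that the key is overdue
    for rotation (or that WEP should be replaced altogether).
    """

    def __init__(self) -> None:
        self.seen: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
        self.reuse_events: List[Tuple[str, int, int]] = []

    def observe(self, bssid: str, body: bytes) -> bool:
        """Record one frame; return True if its IV was already seen under this key."""
        iv, key_id = parse_wep_header(body)
        bucket = self.seen[(bssid, key_id)]
        if iv in bucket:
            self.reuse_events.append((bssid, key_id, iv))
            return True
        bucket.add(iv)
        return False

    def iv_space_used(self, bssid: str, key_id: int = 0) -> float:
        """Fraction of the 2^24 IV space already consumed under this key."""
        return len(self.seen[(bssid, key_id)]) / IV_SPACE


def frames_until_reuse_expected(iv_bits: int = IV_BITS) -> int:
    """Birthday bound for randomly chosen IVs: after about 1.177 * sqrt(2^bits)
    frames a repeat is more likely than not.  A strictly sequential IV counter
    defers the first repeat to 2^bits frames, which heavy traffic still reaches
    in a matter of hours."""
    return math.ceil(1.177 * math.sqrt(1 << iv_bits))


def build_sample_capture() -> List[Tuple[str, bytes]]:
    """Constructed capture: frames from one BSSID whose sender restarts its IV
    counter at zero after a reset, so IVs 0..2 are used twice."""
    bssid = "00:11:22:33:44:55"
    capture = [(bssid, wep_header(iv) + os.urandom(8)) for iv in range(5)]
    capture += [(bssid, wep_header(iv) + os.urandom(8)) for iv in range(3)]
    return capture


def run_monitor(capture: List[Tuple[str, bytes]]) -> Tuple[IvReuseMonitor, List[int]]:
    """Feed a capture through the monitor; return it and the list of reused IVs."""
    mon = IvReuseMonitor()
    reused = [parse_wep_header(body)[0] for bssid, body in capture if mon.observe(bssid, body)]
    return mon, reused


if __name__ == "__main__":
    mon, reused = run_monitor(build_sample_capture())
    print("reused IVs:", reused)
    print("random-IV sender, frames until a repeat is likely:", frames_until_reuse_expected())
```

The monitor needs only the cleartext WEP header, so it runs on a passive sensor without any key material; counting distinct IVs per key is also a cheap way to measure how long a static key has been in service.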

Page 13: 802.1x Background

• 802.1x is an IEEE standard
  – Originally designed for Port Authentication in wired networks
  – IEEE 802.11 has chosen to use 802.1x to support access authentication in WLANs (June 2001)
• Enables authentication and key management for WLANs
  – Dynamic WEP encryption designed to overcome issues with WEP
• Augmented to use Upper Layer Authentication Protocols (ULAPs) as a framework for authentication
  – An EAP is an implementation
  – 802.1x originated as a Point-to-Point Protocol (PPP) authentication scheme along with RADIUS
  – Implementing EAP methods in mobile devices requires modifications/additions to the operating system

Page 14: 802.1X & EAP

• 802.1X defines EAPOL (Extensible Authentication Protocol Over LAN)
• Provides centralized authentication and dynamic key exchange
• EAP packets carried at the MAC layer, embed RADIUS commands
• Different EAP types deliver different authentication techniques

[Diagram: Supplicant —EAPOL— Authenticator —RADIUS— Authentication Server on the campus network; the EAP method (TLS, TTLS, PEAP, LEAP) runs end to end between supplicant and authentication server]
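The slide introduces EAPOL as the framing that carries EAP between supplicant and authenticator. As an added example for this page (not Bluesocket code), the block below parses both headers, builds the first two messages of an 802.1X exchange (Request/Identity from the authenticator, Response/Identity from the supplicant) plus the server's method offer, and shows the one policy hook a defender normally wants on the authenticator side: an allow-list of EAP methods so that a legacy method cannot be negotiated. Header layouts follow 802.1X and RFC 3748; the method type numbers are the IANA assignments for the methods the slides name; the exchange itself and the identity string are constructed.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the methods mentioned on the slides.
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eap(pkt: bytes) -> Dict[str, object]:
    """Parse an EAP packet: code(1) id(1) length(2, big-endian) [type(1) data...]."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    out: Dict[str, object] = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a method type
        if length < 5:
            raise ValueError("EAP Request/Response needs a type byte")
        etype = pkt[4]
        out["type_code"] = etype
        out["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        out["data"] = pkt[5:length]
    return out


def parse_eapol(frame: bytes) -> Dict[str, object]:
    """Parse an EAPOL frame (the payload after EtherType 0x888E):
    version(1) type(1) body length(2, big-endian) body."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame too short")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    out: Dict[str, object] = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def build_eapol_eap(code: int, ident: int, etype: Optional[int], data: bytes = b"") -> bytes:
    """Wrap an EAP packet in an EAPOL version-1 EAP-Packet frame."""
    if etype is None:  # Success / Failure have no type byte
        eap = struct.pack("!BBH", code, ident, 4)
    else:
        eap = struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


def method_allowed(eap: Dict[str, object], allowed: Set[str]) -> bool:
    """Authenticator-side policy hook: a Request/Response may proceed only if its
    method is on the allow-list.  Success/Failure carry no method and pass."""
    if eap["code"] not in ("Request", "Response"):
        return True
    return eap["type"] in allowed


# Constructed exchange: authenticator asks for an identity, the supplicant
# answers, and the server proposes PEAP.  A second, separate offer of LEAP is
# kept to show the allow-list rejecting it.
EXCHANGE: List[bytes] = [
    build_eapol_eap(1, 1, 1),                          # Request/Identity
    build_eapol_eap(2, 1, 1, b"alice@example.com"),    # Response/Identity (constructed user)
    build_eapol_eap(1, 2, 25),                         # Request/PEAP
]
LEGACY_OFFER = build_eapol_eap(1, 3, 17)               # Request/LEAP
ALLOWED_METHODS = {"Identity", "PEAP", "EAP-TLS", "EAP-TTLS"}


def exchange_summary(frames: List[bytes]) -> List[Tuple[str, str, bytes]]:
    """One (code, method, data) row per frame, as an 802.1X monitor would log it."""
    rows = []
    for f in frames:
        eap = parse_eapol(f)["eap"]
        rows.append((eap["code"], eap["type"], eap.get("data", b"")))
    return rows


if __name__ == "__main__":
    for row in exchange_summary(EXCHANGE + [LEGACY_OFFER]):
        print(row)
```

Note that the Response/Identity travels in the clear; tunnelled methods such as PEAP and TTLS exist precisely so that the real credentials are exchanged only after a TLS tunnel to the authentication server is up.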

Page 15: 802.1x: EAP Methods

• There is no “standard” EAP, but several competing protocols
  – LEAP, MD5, TTLS, TLS, PEAP, SRP, SIM, AKA
  – The same EAP method needs to be supported on the client device and Authentication Server
• EAP Methods can be sorted into 3 approaches
  – Password based (can be open to dictionary attacks)
  – Digital Certificate based (cumbersome to set-up and manage)
  – Token Based
• Early Entries into the field were LEAP, TLS (Mutual Authentication) and TTLS (Digital Certificate for Server-side Authentication)
• Emerging Leaders:
  – PEAP (Microsoft, Cisco and RSA), TTLS (Funk and Certicom)
• No specific EAP for PDA clients (PocketPC2002 or Palm), Wi-Fi Phones (SpectraLink, etc.) or Apple devices

Page 16: PEAP (Protected Extensible Authentication Protocol)

• Microsoft has started shipping 802.1x client with PEAP
  – Built into Windows XP SP1
  – Released a PEAP client for Windows 2000 in November 2002
  – No support yet for other OSes (’98, ME)
• WEP keys to supplicant protected by ‘session key’ from RADIUS server
  – At a configurable interval, updated key sent to authenticated PC
• Using one vendor’s EAP method could lock you into using certain clients and devices

Page 17: Is 802.1x “Good Enough”?

• Most implementations require vendor specific APs/NICs/AAA servers
  – Interoperability is difficult in multi-vendor environments
  – There is no consensus on a “standard” EAP method or operating mode (TLS/PEAP in WinXP SP1 only)
  – Same problem as proprietary IPsec clients for guest access
• Client software is required to run 802.1x, involving the need to upgrade all client devices
  – Only some Windows versions provide support; not on other devices (PDAs, Apple Macs, Scanners, etc.)
  – No visitor, non-802.1x guest user access
• Underlying privacy is based on RC4 with rapid re-keying, requiring extensions to APs
• Installed base of APs may require forklift upgrades
  – Potential high cost of deployment, as each AP must support the final 802.11 standard and be properly configured
• Access is all or nothing (either on or off the network)
  – No provisions for prioritization or bandwidth control by class of user

Page 18: Is WPA a Step in the Right Direction? Yes

• Wi-Fi Protected Access (WPA)
  – New terminology announced by the Wi-Fi Alliance (formerly WECA) to describe 802.1x with TKIP and MIC
  – TKIP with WEP represents a significant air-link privacy improvement
  – Subset of the 802.11i security standard
  – 802.11i will use AES in a mode to be determined later
• Issues with WPA
  – Requires a 802.1x client/driver on all end-user devices
  – Limited device support
  – Variety of methods (LEAP, PEAP, TLS, TTLS, MD5): which will be widely used or accepted as standard?
  – Does not provide a solution for securing sensitive traffic with alternate type technologies and protocols (e.g. IPSec, PPTP, SSL)

Page 19: 802.11i (a.k.a. WPAv2)

• IEEE 802.11 TGi
• Stronger encryption
• Makes sense to plan for 802.11i
• Will support secure, fast, reliable roaming
  – For Voice over WLAN
• But not all details are settled upon yet

Beware: You may have to upgrade a lot of equipment!

Page 20: Is WPA/802.11i Good Enough? Depends On Your Needs

Feature                                                    WPA/802.11i   Missing Parts
Authentication                                                  √
Dynamic WEP Encryption                                          √
Alternate Encryption (IPSec, PPTP, SSL)                                          √
Access Control and Policy Management                                             √
Guest/Visitor Access (Support for “client-free” devices)
Bandwidth Management                                                             √
Support for any mobile device                                                    √
Support for Secure Roaming                                                       √
Intrusion Detection                                                              √
Rogue Access Point Detection                                                     √

Page 21: Policy Enforcement and Compliance: Healthcare

Enforce network policies based on user rights

Examples:
– Nurses: Given HTTPS access to patient databases only
– Doctors: E-mail and Web access with IPSec encryption for HIPAA compliance
– Contractors: Access only to their work servers
– Patients/Public/Guests: Access to Internet only, with limited bandwidth
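The four role rules on this slide are a compact policy; what a gateway actually needs is a rule format that can express destination, port, an IPSec requirement and a bandwidth cap, evaluated first-match with default deny. The block below is an added example written for this page (not Bluesocket's policy engine) that encodes exactly those four roles. The address plan, port choices and the sample requests are constructed assumptions; a real enforcement point would also have to enforce the rate limit rather than merely return it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    dest: str                              # destination CIDR this rule covers
    ports: FrozenSet[int] = frozenset()    # allowed destination ports; empty = any
    exclude: Tuple[str, ...] = ()          # CIDRs carved out of dest (e.g. internal space)
    require_ipsec: bool = False            # traffic must arrive inside an IPSec tunnel
    rate_kbps: Optional[int] = None        # per-user bandwidth cap, if any


@dataclass(frozen=True)
class Request:
    role: str
    dst_ip: str
    dst_port: int
    ipsec: bool = False                    # True if the flow came through the VPN concentrator


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    rate_kbps: Optional[int] = None


# Constructed address plan (an assumption of this example):
#   10.10.5.0/24   patient database servers
#   10.10.20.0/24  mail servers
#   10.10.50.0/24  servers the contractor works on
#   10.0.0.0/8     everything internal
POLICY: Dict[str, List[Rule]] = {
    # Nurses: HTTPS to the patient databases, nothing else
    "nurse": [Rule("10.10.5.0/24", frozenset({443}))],
    # Doctors: e-mail and web, but only inside IPSec (HIPAA)
    "doctor": [
        Rule("10.10.20.0/24", frozenset({25, 143, 993}), require_ipsec=True),
        Rule("0.0.0.0/0", frozenset({80, 443}), require_ipsec=True),
    ],
    # Contractors: only their work servers, any port
    "contractor": [Rule("10.10.50.0/24")],
    # Guests: Internet only, internal space excluded, capped bandwidth
    "guest": [Rule("0.0.0.0/0", frozenset({80, 443}), exclude=("10.0.0.0/8",), rate_kbps=256)],
}


def rule_matches(rule: Rule, dst: IPv4Address, port: int) -> bool:
    """True if the destination address and port fall inside the rule."""
    if dst not in ip_network(rule.dest):
        return False
    if any(dst in ip_network(cidr) for cidr in rule.exclude):
        return False
    return not rule.ports or port in rule.ports


def evaluate(req: Request, policy: Dict[str, List[Rule]] = POLICY) -> Decision:
    """First-match evaluation with default deny; an unknown role gets nothing."""
    rules = policy.get(req.role)
    if rules is None:
        return Decision(False, f"unknown role {req.role!r}: default deny")
    dst = ip_address(req.dst_ip)
    for rule in rules:
        if not rule_matches(rule, dst, req.dst_port):
            continue
        if rule.require_ipsec and not req.ipsec:
            return Decision(False, f"{req.role}: {rule.dest} reachable only inside IPSec")
        return Decision(True, f"{req.role}: matched {rule.dest}", rule.rate_kbps)
    return Decision(False, f"{req.role}: no matching rule, default deny")


if __name__ == "__main__":
    for r in (Request("nurse", "10.10.5.10", 443), Request("nurse", "10.10.5.10", 80),
              Request("doctor", "10.10.20.5", 143), Request("doctor", "10.10.20.5", 143, ipsec=True),
              Request("guest", "203.0.113.9", 443), Request("guest", "10.10.5.10", 443)):
        print(r.role, r.dst_ip, r.dst_port, evaluate(r))
```

Keeping the IPSec requirement as a rule attribute rather than a separate firewall makes the HIPAA condition auditable in the same place as the access rule, and the explicit `exclude` on the guest rule is what turns "Internet only" into something the evaluator can enforce rather than a label.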

Page 22: Wi-Fi Security Using IPSec

• Requires wireless users to authenticate before gaining network access
• IETF standard - Layer 3 authentication & encryption
• Familiar, reliable, trustworthy
• Challenges:
  – No Layer 2 protection mechanisms
  – IPSec clients may not be available for all handheld devices
  – Can be difficult to manage and to scale
  – Ensure the solution provides cross-subnet roaming

[Diagram: client software on the wireless device builds an IPSec tunnel to an IPSec termination point on the campus network]

Page 23: WLANs Yesterday: External to Corporate Network

Wireless traffic untrusted
• Access points placed outside the firewall
• Local wireless users placed on a separate network

[Diagram: Internet – corporate network firewall – wireless network kept outside the firewall]

Page 24: WLANs Today: Integrated Within the Network

Wireless traffic authenticated before accessing network
• Access points installed on the regular wired LAN
• Wireless users managed like wired users

[Diagram: Internet – corporate network firewall – wireless network inside the corporate network]

Page 25: WLANs Tomorrow: Throughout the Network

Wireless traffic authenticated before accessing network
• Access points installed on any LAN
• Wireless users managed like remote users

[Diagram: Internet – corporate network firewall / VPN – wireless access from any LAN]

Page 26: WLANs Tomorrow: Universal Access Regardless of Location

[Diagram: Internet – corporate network firewall / VPN]

One method for network authentication from any location
• One set of login credentials used for on campus and remote network access
• Provides appropriate level of security and eases end-user adoption

The login credentials used at work are the same credentials used remotely

Page 27: Recommendations

802.1x
• Strongly recommended if you’re using Layer 2 security
• Provides centralized management/policy control

EAP
• Consider EAP-TLS if client certificate infrastructure is in place
• Avoid LEAP if standards are important (ASLEAP attack)
• If you have Microsoft kit, PEAP is built in

IPSec
• If you choose IPSec be sure not to forgo mobility

VLAN
• Deploy per-user VLAN policy if your network supports it

Take the path of least resistance that meets your network needs

Page 28: Bluesocket Future Directions

• Continue to support standards – PEAP, TTLS, 802.11i
• Add additional authentication methods to support customer needs
  – Have added PIN, Cosign, Certificate; use API for other methods
• Continue to innovate around security and mobility
  – VLAN Mobility
  – More efficient traffic routing
  – Load Sharing to distribute load
  – More flexibility around login pages – by location/interface

Page 29: Thank You….

Mike Brockney, SE Manager, Bluesocket

[email protected]