Emory Network Communications Wireless Security In an Education Environment Stan Brooks CWNA, CWSP...

EmoryNetwork Communications

Wireless SecurityIn an Education

Environment

Stan Brooks CWNA, CWSPEmory University

Network Communications [email protected]!-MSN: WLANstan

Copyright Stan Brooks 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate

otherwise or to republish requires written permission from the author.

EmoryEmoryNetwork CommunicationsNetwork Communications

Outline

What this presentation will not cover Not a how-to hacking/cracking course Not a wireless basics discussion Not a deep dive on WLAN protocols

Wireless Security Why do we need security on wireless networks? Wireless Security Basics Wireless Security History Choosing a Wireless Security Model Implementing Wireless Security

Migrating Security Models – A real-life story Protecting yourself – Safe Wireless Computing

At Wi-Fi Hotspots and at Home


Why Do We Need Security on WLANs?

Easy to eavesdrop (sniff) Easy to spoof MAC addresses Easy to hack/crack Pre-Shared

Keys (WEP, WPA-PSK) Rogue APs Evil Twin & Man-in-the-Middle

(MitM) Attacks Last 100 feet is the worst of all

Much less secure than even wired Internet access

There is good news – Wireless CAN be more secure than the wired network (if implemented properly)

Internal Network

“Real” Access Point

“Real” Wireless User

Evil Twin/MitMAccess Point

Rogue Access Point

Sniff the Air (Eavesdrop)

Unauthorized AccessU

nau

thorize

d A

ccess

AP Impersonation

Internet

X


Wireless Security – What do we Protect?

There 3 areas that need protection:1) Protect data as it travels from

source to destination Eavesdropping Integrity (tampering) Denial of Service (DoS)

2) Protect the network from unauthorized/compromised users

Rogue APs Stolen/hacked credentials Client remediation (NAC/NAP/etc.)

3) Protect the client from unauthorized access

MitM/Evil Twin and Ad Hoc attacks Hacking open hard drive shares

Network

Wireless User

Access Point


Security

Security is a PROCESSPROCESS Apply Security in Layers There is NO single security silver bullet Different data require different levels of security

A Term Paper vs. Student Grades vs. Financial Aid Data vs. Health Records

Different users need different levels of access Student vs. Faculty vs. Guest Users

A Business Risk Assessment helps to define requirements


Security Policy

Wireless Security SHOULD be part of your Overall Security Policy Acceptable Use Policy, Terms of Service (AUP/ToS) Policy should address the 3 areas to protect outlined on a

previous slide Role-based Access Control

All users are NOT created equal Student vs. Faculty vs. Staff vs. Guest

All data are NOT created equal Term papers vs. grade reports vs. medical records

Security Policy also defines how the network is accessed Type of Hardware and what type of support Supported OS’s Access methods


AAA (or AAAA)

Originated with dial-up Internet and VPN access RADIUS = Remote Dial-In User Service

Authentication (Username/Password) Who are you?

Authorization (Are you a valid user/subscriber) Are you allowed to log on the network?

Access Control (Added for RBAC & Wireless) Where can you go once you are on the network?

(Accounting) – Originally the 3rd “A” Logs

Billing Tracking usage For when the RIAA or MPAA comes around


Authentication in a Wireless Environment

Types of Wireless Security Models Open System Shared Key for Encryption & Authentication

Static Key (WEP, WPA / WPA2-PSK)

Dynamic Key (Dynamic WEP, WPA / WPA2-Enterprise)

Authentication Models Open System VPN 802.1x (WPA / WPA2 or wired) – Needs a RADIUS Server Guest Access

Captive Portal, Walled Garden, Other


Wi-Fi Security Evolution

Authentication

Encryption WEPDynamic WEP

TKIP AESVPN

SSID Captive Portal 802.1x 802.11i

Easily hacked by children, no real security,

just a no-trespassing sign

Requires a Webserver and may compromise

username/pw.Data encryption at the

expense of authentication and may requires client software

Uses EAP (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.).

Requires a RADIUS Server.Dynamic WEP is fairly secure,

TKIP is much better, addressing all known issues

w/WEP

(also called WPA2)Combines 802.1x

Authentication (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) with AES encryption


WEP / WPA / WPA2 Basics

WEP WPA-Personal WPA-Enterprise WPA2-Personal WPA2-Enterprise

Encryption RC4 w/WEP

24-bit IV

40/104-bit Key

RC4 w/TKIP

48-bit IV

128-bit Key

RC4 w/TKIP

48-bit IV

128-bit Key

AES-CCMP

48bit-IV

128bit Key

AES-CCMP

48bit-IV

128bit Key

Integrity CRC Michael

64-bit Key

Michael

64-bit Key

CBC-MAC

128-bit Key

CBC-MAC

128-bit Key

Authentication Optional Shared Key

PSK –

Pre-Shared Key

802.1x

Various EAP-Types

PSK –

Pre-Shared Key

802.1x

Various

EAP-Types

Ad-Hoc Support Yes No No Yes No

Standard Part of 802.11b

1999

Snapshot of 802.11i

As of 10/2002

Snapshot of 802.11i

As of 10/2002

Specified in 802.11i

Ratified 06/2004

Specified in 802.11i

Ratified 06/2004


WPA / WPA2 Enterprise (8021.x) Elements

Supplicant (the client) Authentication Server (RADIUS server) Authenticator (the AP or WLAN Controller)

Passes authentication transaction between the Supplicant and the Authentication Server

AuthenticationServer (RADIUS)

Authenticator(Access Point)

Supplicant(Client)

Network


WPA / WPA2-Enterprise EAP-Types

Source Client Server Auth Client Auth Vulnerability Level

Vulnerability Examples

EAP-MD5 Open – NOT Wi-Fi Certified

Aegis, Odyssey Shared Key Challenge - NO KEY DERIVATION

None Extremely High Offline Dictionary Attacks

LEAP Cisco Proprietary, NOT Wi-Fi Certified

Cisco (CCX), Aegis, Odyssey

Password Hash Password Hash High ASLEAP – Identity Exposure & Offline Dictionary PW Attacks

EAP-FAST Cisco Proprietary, NOT Wi-Fi Certified

Odyssey PAC (Shared Key) MSCHAPv2 Medium PAC Exposure

TLS Open, Wi-Fi Certified Aegis, Odyssey Certificate (PKI) Certificate (PKI) Low Lost or Stolen Devices

TTLS (PAP, CHAP, MSCHAPv2, or GTC)

Open, Wi-Fi Certified Aegis, Odyssey, T-Mobile Conn Mgr (PCTEL)

Certificate PAP, CHAP, MSCHAPv2, GTC

Medium Possible Identity Exposure, MitM Risks

PEAPv0 (TLS or MSCHAPv2)

Microsoft – Wi-Fi Certified

Microsoft WZC, Apple, Aegis, Odyssey

Certificate EAP-TLS (SmartCard), MSCHAPv2


PEAPv1 (EAP-GTC)

Cisco – Wi-Fi Certified Cisco, Aegis, Odyssey

Certificate EAP-GTC (Generic Token Card)


EAP-SIM GSM Wireless Carriers – Wi-Fi Certified

Odyssey SmartCard SmartCard Medium GSM/GPRS Attacks

Note: Aegis Client by Meetinghouse, Odyssey Client by Funk/Juniper Networks


Choosing the Right EAP-type

What EAP-types does your client base support? Homogeneous or heterogeneous environment Machine or user authentication – or both? Do you control the clients? Do you support PKI? What clients are you willing to support, and at what level?

What EAP-Types does your authentication server(s) support? RADIUS server supported EAP-types RADIUS proxy capabilities to your back-end credential base

Back-end directory/database capabilities How are passwords stored? Proxy capabilities Back-end directory rights


Wireless Clients

PCs Microsoft Windows XP WZC Wireless chip manufacturers’ clients

Atheros Intel Broadcom Prism

Open Source SecureW2 wEAP

Funk/Juniper Odyssey Meetinghouse/Cisco Aegis VPN Clients

Microsoft PPTP, IPSec

Checkpoint Others

MACs Linux

wpa_supplicant Xsupplicant

PDAs Native OS support Funk/Juniper Odyssey Meetinghouse/Cisco Aegis

Wi-Fi & Dual Mode Phones Other Devices

Game Consoles TiVo Appliances Nabaztag Wi-Fi Rabbit


Implementing a Secure Wireless Infrastructure

Basic Tenet: Wireless network should be considered UNTRUSTED Wireless traffic should be scrutinized and controlled just like

Internet traffic, perhaps more so. Difficult to build & scale an effective secure architecture

with stand-alone APs Expanding VLANs across the campus Backhauling wireless traffic to a firewall or wireless gateway Managing APs, switches, & routers

I’m an unabashed WLAN Switch/Controller proponent Much easier to implement security model(s) Easier to deploy, manage, & troubleshoot


Aruba WLAN Switch/Controller-based Implementation

The AP attaches to network infrastructure and gets its configuration from the Aruba WLAN switch/controller

The AP builds tunnel to the Aruba WLAN switch/controller An Authenticated user associates to AP; all traffic is tunneled to controller where it is scrutinized and

passed or blocked to various destinations including the Internet A Guest user associates to AP; all traffic is tunneled to controller, scrutinized and forwarded to the

Internet as policy dictates Using a centralized controller gives a single point of ingress and control for wireless traffic on the

wired network

Authenticated UserSSID: EmoryUnplugged

Emory’s Internal Network

Aruba WLAN Switch/Controllerw/ Built in Firewall and Per User Access Control

InternetGuest UserSSID: EmoryGuest

“Thin” Access Point


Migrating to “New” Security Models

Some History Emory originally settled on an Open System/VPN

authentication/access Model in 2004 As we grew, VPN was OK, but not great

The user experience with the VPN was sub-optimal Directive to move to WPA-Enterprise given Spring

2006 Directive for completion by January 1, 2007


Changing Security Models

Least impact on clients Clients DO have to change

Plan a transition period Longer (with in reason) is better A natural calendar break is ideal for cut-over

Emory used Winter Break ‘06 as the cut-over

Run both models for the transition period Market, market, market the change and why it’s

better


Poster Example


Poster/Ad Example


Emory’s Transition Timeline

Fall 2005 – Started piloting new model Developed configuration handouts and tools

January 2006 – Started officially supporting new model Spring Semester 2006 (Jan-May)

Marketed change (posters, student newspaper ads) Held clinics to get users transitioned End of semester – Email blast informing students of impending change in Fall

2006 Fall Semester 2006 (Sept-Dec)

Removed old security model from ResNet areas Move in weekend required lots of hands on configuration help for students

Held additional configuration clinics in high use areas Mid & Late Semester – Email blasts to know users of old security model informing

them of model “sunset” Winter Break 2006 – Removed old security model access globally Result: No logged complaints


VPN Usage GraphOct 2005 to Feb 2007

Thanksgiving 2005

Winter Break 2005

Spring Break 2006

Summer Break 2006

Move-in Weekend 2006

Thanksgiving 2006

Winter Break 2006


Wireless Security – Protecting Yourself

There 3 main areas to address:

1) Protect data as it travels from source to destination

2) Protect the client from unauthorized access

3) Protect the network from unauthorized/compromised users

Internet

“Real” Wireless User

“Real” Access Point


Safe HotSpot Wireless Computing

Assume the network connection is HOSTILE - practice safe computing!

Enable/use Personal Firewalls Properly configured for “Internet” or untrusted connection

Configure your Wireless Client Do NOT connect to non-preferred wireless networks Do NOT automatically connect to an open wireless network – Set client to ask you (On

Demand/Manual) No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)

Encrypt your traffic WPA / WPA2-Enterprise (probably not available at hotspots) VPNs

Your organization’s VPN – PPTP, IPSec, or SSL VPNs Public VPN Gateways such as

Hotspotvpn.com Publicvpn.com JiWire.com SpotLock

Remember: HTTP, POP3, IMAP, FTP, Telnet and other protocols send credentials and data as clear text, so encrypt to be safe!


Safe SOHO Wireless Computing

On your clients: Do NOT connect to non-preferred wireless networks No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)

On your router: Please. Please, Please - Change your router’s default configuration

CHANGE THE PASSWORD FROM THE DEFAULT Change the SSID from the default

Choose an SSID that does not identify you or your geographic location Set the channel to 1, 6, or 11 to reduce interference

Read the directions and set up WPA-PSK or WPA2-PSK Choose a difficult to guess and long (32+ character) passphrase that has

upper/lower case, numbers, and punctuation. Example: “Emory\University/Rox*My<2>smallW0RLD!!!Yeah!” WPA-PSK can be subject to dictionary attacks, so misspelled words,

added punctuation and longer keys will help mitigate this type of attack – just make it easy for YOU to remember


Recap

Why we need security for wireless networks Different security models

Strengths & weaknesses Implementation

Migrating to a New Security Model Basic wireless security methods for home and

hotspots


?Questions& Discussion

Wireless SecurityIn an Education Environment

Presentation Evaluation URL: http://resnetsymposium.org/resnet2007/


Bibliography & Resources

CWNP –Certified Wireless Network Professional Program Best program for learning ALL about WLANs

Books Real 802.11 Security, Wi-Foo, CWNA/CWSP/CWAP Study

Guides, Hacking Wireless Networks for Dummies Websites

cwnp.com, wi-fiplanet.com and others (hit the forums for good information)

Manufacturers Cisco, Aruba, Meru, Trapeze

Emory Network Communications Wireless Security In an Education Environment Stan Brooks CWNA, CWSP...

Documents

Transcript of Emory Network Communications Wireless Security In an Education Environment Stan Brooks CWNA, CWSP...