Emory Network Communications
Wireless Security In an Education Environment
Stan Brooks CWNA, CWSP
Emory University, Network Communications
[email protected] - MSN: WLANstan
Copyright Stan Brooks 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Outline
What this presentation will not cover:
- Not a how-to hacking/cracking course
- Not a wireless basics discussion
- Not a deep dive on WLAN protocols
Wireless Security:
- Why do we need security on wireless networks?
- Wireless Security Basics
- Wireless Security History
- Choosing a Wireless Security Model
- Implementing Wireless Security
- Migrating Security Models – A real-life story
- Protecting yourself – Safe Wireless Computing at Wi-Fi Hotspots and at Home
Why Do We Need Security on WLANs?
- Easy to eavesdrop (sniff)
- Easy to spoof MAC addresses
- Easy to hack/crack Pre-Shared Keys (WEP, WPA-PSK)
- Rogue APs
- Evil Twin & Man-in-the-Middle (MitM) Attacks
- Last 100 feet is the worst of all
- Much less secure than even wired Internet access
- There is good news – Wireless CAN be more secure than the wired network (if implemented properly)
[Figure: threat diagram showing the Internet, the Internal Network, the “Real” Access Point and “Real” Wireless User, an Evil Twin/MitM Access Point, a Rogue Access Point, Sniff the Air (Eavesdrop), Unauthorized Access, and AP Impersonation]
Wireless Security – What do we Protect?
There are 3 areas that need protection:
1) Protect data as it travels from source to destination
   - Eavesdropping
   - Integrity (tampering)
   - Denial of Service (DoS)
2) Protect the network from unauthorized/compromised users
   - Rogue APs
   - Stolen/hacked credentials
   - Client remediation (NAC/NAP/etc.)
3) Protect the client from unauthorized access
   - MitM/Evil Twin and Ad Hoc attacks
   - Hacking open hard drive shares
[Figure: Wireless User, Access Point, Network]
Security
- Security is a PROCESS
- Apply Security in Layers
- There is NO single security silver bullet
- Different data require different levels of security
  - A Term Paper vs. Student Grades vs. Financial Aid Data vs. Health Records
- Different users need different levels of access
  - Student vs. Faculty vs. Guest Users
- A Business Risk Assessment helps to define requirements
Security Policy
- Wireless Security SHOULD be part of your Overall Security Policy
  - Acceptable Use Policy, Terms of Service (AUP/ToS)
  - Policy should address the 3 areas to protect outlined on a previous slide
- Role-based Access Control
  - All users are NOT created equal: Student vs. Faculty vs. Staff vs. Guest
  - All data are NOT created equal: Term papers vs. grade reports vs. medical records
- Security Policy also defines how the network is accessed
  - Type of Hardware and what type of support
  - Supported OS’s
  - Access methods
AAA (or AAAA)
- Originated with dial-up Internet and VPN access
  - RADIUS = Remote Dial-In User Service
- Authentication (Username/Password): Who are you?
- Authorization (Are you a valid user/subscriber): Are you allowed to log on the network?
- Access Control (Added for RBAC & Wireless): Where can you go once you are on the network?
- (Accounting) – Originally the 3rd “A”
  - Logs
  - Billing
  - Tracking usage
  - For when the RIAA or MPAA comes around
Authentication in a Wireless Environment
- Types of Wireless Security Models
  - Open System
  - Shared Key for Encryption & Authentication
    - Static Key (WEP, WPA / WPA2-PSK)
    - Dynamic Key (Dynamic WEP, WPA / WPA2-Enterprise)
- Authentication Models
  - Open System
  - VPN
  - 802.1x (WPA / WPA2 or wired) – Needs a RADIUS Server
  - Guest Access: Captive Portal, Walled Garden, Other
Wi-Fi Security Evolution (authentication and encryption, oldest to newest)
- SSID (encryption: WEP): Easily hacked by children, no real security, just a no-trespassing sign.
- Captive Portal: Requires a Webserver and may compromise username/pw.
- VPN: Data encryption at the expense of authentication, and may require client software.
- 802.1x (encryption: Dynamic WEP, TKIP): Uses EAP (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.). Requires a RADIUS Server. Dynamic WEP is fairly secure; TKIP is much better, addressing all known issues w/WEP.
- 802.11i, also called WPA2 (encryption: AES): Combines 802.1x Authentication (EAP-TLS, EAP-TTLS, PEAP, LEAP, etc.) with AES encryption.
WEP / WPA / WPA2 Basics

| | WEP | WPA-Personal | WPA-Enterprise | WPA2-Personal | WPA2-Enterprise |
|---|---|---|---|---|---|
| Encryption | RC4 w/WEP, 24-bit IV, 40/104-bit Key | RC4 w/TKIP, 48-bit IV, 128-bit Key | RC4 w/TKIP, 48-bit IV, 128-bit Key | AES-CCMP, 48-bit IV, 128-bit Key | AES-CCMP, 48-bit IV, 128-bit Key |
| Integrity | CRC | Michael, 64-bit Key | Michael, 64-bit Key | CBC-MAC, 128-bit Key | CBC-MAC, 128-bit Key |
| Authentication | Optional Shared Key | PSK – Pre-Shared Key | 802.1x, Various EAP-Types | PSK – Pre-Shared Key | 802.1x, Various EAP-Types |
| Ad-Hoc Support | Yes | No | No | Yes | No |
| Standard | Part of 802.11b, 1999 | Snapshot of 802.11i as of 10/2002 | Snapshot of 802.11i as of 10/2002 | Specified in 802.11i, Ratified 06/2004 | Specified in 802.11i, Ratified 06/2004 |
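The IV sizes in the table are where WEP and TKIP/CCMP part ways in practice. The Python below is an added example, not from the slides: it uses the birthday bound to estimate how quickly a 24-bit versus a 48-bit IV space yields a repeated IV (and, under WEP's static key, a repeated RC4 keystream), and how long a sequential IV counter takes to wrap at a constructed rate of 500 frames per second on one AP. TKIP and CCMP use their 48-bit counter sequentially and rekey before it can wrap, so their figures here are an upper bound on exposure rather than a realistic one.

```python
import math


def collision_probability(iv_bits: int, frames: int) -> float:
    """Approximate probability that at least two of `frames` IVs chosen at
    random from a 2**iv_bits space coincide (birthday bound,
    p ~= 1 - exp(-n(n-1) / (2N)))."""
    space = 2 ** iv_bits
    if frames >= space:
        return 1.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_probability(iv_bits: int, probability: float) -> int:
    """Smallest number of random IVs at which a repeat is at least
    `probability` likely (inverse of the bound above)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability))))


def hours_to_exhaust(iv_bits: int, frames_per_second: float) -> float:
    """Hours for a sequential IV counter to wrap at a steady frame rate;
    after a wrap, keystreams repeat unless the key has been changed."""
    return (2 ** iv_bits) / frames_per_second / 3600.0


if __name__ == "__main__":
    RATE = 500.0  # constructed figure: frames per second on one busy AP
    for name, bits in (("WEP (24-bit IV)", 24), ("TKIP / CCMP (48-bit IV)", 48)):
        print(f"{name}:")
        print(f"  50% chance of a random IV repeat after "
              f"{frames_for_probability(bits, 0.5):,} frames")
        print(f"  probability of a repeat within 10,000 frames: "
              f"{collision_probability(bits, 10_000):.6f}")
        print(f"  sequential counter wraps after "
              f"{hours_to_exhaust(bits, RATE):,.1f} hours at {RATE:.0f} frames/s")
```

At 500 frames per second a WEP IV counter wraps in under ten hours and a random IV repeats with even odds after roughly 4,800 frames, which is why the table's 24-bit IV matters more than the 40/104-bit key length; the 48-bit space does not wrap for tens of thousands of years at the same rate.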
WPA / WPA2 Enterprise (802.1x) Elements
- Supplicant (the client)
- Authentication Server (RADIUS server)
- Authenticator (the AP or WLAN Controller): Passes the authentication transaction between the Supplicant and the Authentication Server
[Figure: Supplicant (Client) <-> Authenticator (Access Point) <-> Authentication Server (RADIUS) <-> Network]
WPA / WPA2-Enterprise EAP-Types

| EAP-Type | Source | Client | Server Auth | Client Auth | Vulnerability Level | Vulnerability Examples |
|---|---|---|---|---|---|---|
| EAP-MD5 | Open – NOT Wi-Fi Certified | Aegis, Odyssey | None | Shared Key Challenge - NO KEY DERIVATION | Extremely High | Offline Dictionary Attacks |
| LEAP | Cisco Proprietary, NOT Wi-Fi Certified | Cisco (CCX), Aegis, Odyssey | Password Hash | Password Hash | High | ASLEAP – Identity Exposure & Offline Dictionary PW Attacks |
| EAP-FAST | Cisco Proprietary, NOT Wi-Fi Certified | Odyssey | PAC (Shared Key) | MSCHAPv2 | Medium | PAC Exposure |
| TLS | Open, Wi-Fi Certified | Aegis, Odyssey | Certificate (PKI) | Certificate (PKI) | Low | Lost or Stolen Devices |
| TTLS (PAP, CHAP, MSCHAPv2, or GTC) | Open, Wi-Fi Certified | Aegis, Odyssey, T-Mobile Conn Mgr (PCTEL) | Certificate | PAP, CHAP, MSCHAPv2, GTC | Medium | Possible Identity Exposure, MitM Risks |
| PEAPv0 (TLS or MSCHAPv2) | Microsoft – Wi-Fi Certified | Microsoft WZC, Apple, Aegis, Odyssey | Certificate | EAP-TLS (SmartCard), MSCHAPv2 | Medium | Possible Identity Exposure, MitM Risks |
| PEAPv1 (EAP-GTC) | Cisco – Wi-Fi Certified | Cisco, Aegis, Odyssey | Certificate | EAP-GTC (Generic Token Card) | Medium | Possible Identity Exposure, MitM Risks |
| EAP-SIM | GSM Wireless Carriers – Wi-Fi Certified | Odyssey | SmartCard | SmartCard | Medium | GSM/GPRS Attacks |

Note: Aegis Client by Meetinghouse, Odyssey Client by Funk/Juniper Networks
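The “Possible Identity Exposure” and “MitM Risks” entries for TTLS and PEAP are mostly a supplicant-configuration problem: a client that does not validate the RADIUS server's certificate will build its TLS tunnel to any access point that impersonates the SSID and hand over the inner credentials. As an added example (not from the slides or from any vendor), here are two wpa_supplicant network blocks for a PEAPv0/MSCHAPv2 SSID, the weak one beside the hardened one. The SSID, identities, CA file path and server name are placeholders.

```conf
# Added example, not from the original presentation. SSID, identities,
# CA path and server name are placeholders.

# WEAK: no CA certificate and no server-name check. The supplicant will
# complete the TLS tunnel with whatever certificate the server presents,
# so an impersonating AP can terminate PEAP and collect the MSCHAPv2
# exchange inside it (the "MitM Risks" column above). The real username
# also travels in the clear in the outer EAP-Identity.
network={
    ssid="EXAMPLE-CAMPUS-SSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the CA that issued the RADIUS server's certificate,
# require the expected server name in its subject, and send an
# anonymous outer identity so the username is only disclosed inside
# the TLS tunnel (addresses "Possible Identity Exposure").
network={
    ssid="EXAMPLE-CAMPUS-SSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="jdoe@example.edu"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
    subject_match="/CN=radius.example.edu"
    phase2="auth=MSCHAPV2"
}
```

subject_match is a substring match against the server certificate's subject; newer wpa_supplicant releases also provide domain_suffix_match, which is the better check where available. The anonymous outer identity still needs the realm so a RADIUS proxy can route the request to the right back end, which ties into the proxy questions on the next slide. Windows WZC and the Odyssey/Aegis clients in the table expose the same two settings (trusted root CA and expected server name) under different names.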
Choosing the Right EAP-type
- What EAP-types does your client base support?
  - Homogeneous or heterogeneous environment
  - Machine or user authentication – or both?
  - Do you control the clients?
  - Do you support PKI?
  - What clients are you willing to support, and at what level?
- What EAP-Types does your authentication server(s) support?
  - RADIUS server supported EAP-types
  - RADIUS proxy capabilities to your back-end credential base
- Back-end directory/database capabilities
  - How are passwords stored?
  - Proxy capabilities
  - Back-end directory rights
Wireless Clients
- PCs
  - Microsoft Windows XP WZC
  - Wireless chip manufacturers’ clients: Atheros, Intel, Broadcom, Prism
  - Open Source: SecureW2, wEAP
  - Funk/Juniper Odyssey
  - Meetinghouse/Cisco Aegis
  - VPN Clients: Microsoft PPTP, IPSec; Checkpoint; Others
- MACs
- Linux: wpa_supplicant, Xsupplicant
- PDAs: Native OS support, Funk/Juniper Odyssey, Meetinghouse/Cisco Aegis
- Wi-Fi & Dual Mode Phones
- Other Devices: Game Consoles, TiVo, Appliances, Nabaztag Wi-Fi Rabbit
Implementing a Secure Wireless Infrastructure
- Basic Tenet: Wireless network should be considered UNTRUSTED
  - Wireless traffic should be scrutinized and controlled just like Internet traffic, perhaps more so.
- Difficult to build & scale an effective secure architecture with stand-alone APs
  - Expanding VLANs across the campus
  - Backhauling wireless traffic to a firewall or wireless gateway
  - Managing APs, switches, & routers
- I’m an unabashed WLAN Switch/Controller proponent
  - Much easier to implement security model(s)
  - Easier to deploy, manage, & troubleshoot
Aruba WLAN Switch/Controller-based Implementation
- The AP attaches to the network infrastructure and gets its configuration from the Aruba WLAN switch/controller
- The AP builds a tunnel to the Aruba WLAN switch/controller
- An Authenticated user associates to the AP; all traffic is tunneled to the controller, where it is scrutinized and passed or blocked to various destinations including the Internet
- A Guest user associates to the AP; all traffic is tunneled to the controller, scrutinized and forwarded to the Internet as policy dictates
- Using a centralized controller gives a single point of ingress and control for wireless traffic on the wired network
[Figure: “Thin” Access Point; Authenticated User (SSID: EmoryUnplugged) and Guest User (SSID: EmoryGuest) tunneled to the Aruba WLAN Switch/Controller w/ Built-in Firewall and Per User Access Control, which forwards to Emory’s Internal Network or to the Internet]
Migrating to “New” Security Models
Some History
- Emory originally settled on an Open System/VPN authentication/access Model in 2004
- As we grew, VPN was OK, but not great
- The user experience with the VPN was sub-optimal
- Directive to move to WPA-Enterprise given Spring 2006
- Directive for completion by January 1, 2007
Changing Security Models
- Least impact on clients
  - Clients DO have to change
- Plan a transition period
  - Longer (within reason) is better
  - A natural calendar break is ideal for cut-over
  - Emory used Winter Break ‘06 as the cut-over
- Run both models for the transition period
- Market, market, market the change and why it’s better
Poster Example
Poster/Ad Example
Emory’s Transition Timeline
- Fall 2005: Started piloting new model; developed configuration handouts and tools
- January 2006: Started officially supporting new model
- Spring Semester 2006 (Jan-May)
  - Marketed change (posters, student newspaper ads)
  - Held clinics to get users transitioned
  - End of semester: Email blast informing students of impending change in Fall 2006
- Fall Semester 2006 (Sept-Dec)
  - Removed old security model from ResNet areas
  - Move-in weekend required lots of hands-on configuration help for students
  - Held additional configuration clinics in high use areas
  - Mid & Late Semester: Email blasts to known users of the old security model informing them of the model “sunset”
- Winter Break 2006: Removed old security model access globally
- Result: No logged complaints
VPN Usage Graph, Oct 2005 to Feb 2007
[Figure: VPN usage over time, annotated at Thanksgiving 2005, Winter Break 2005, Spring Break 2006, Summer Break 2006, Move-in Weekend 2006, Thanksgiving 2006 and Winter Break 2006]
Wireless Security – Protecting Yourself
There are 3 main areas to address:
1) Protect data as it travels from source to destination
2) Protect the client from unauthorized access
3) Protect the network from unauthorized/compromised users
[Figure: Internet, “Real” Access Point, “Real” Wireless User]
Safe HotSpot Wireless Computing
- Assume the network connection is HOSTILE - practice safe computing!
- Enable/use Personal Firewalls
  - Properly configured for “Internet” or untrusted connection
- Configure your Wireless Client
  - Do NOT connect to non-preferred wireless networks
  - Do NOT automatically connect to an open wireless network – Set client to ask you (On Demand/Manual)
  - No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)
- Encrypt your traffic
  - WPA / WPA2-Enterprise (probably not available at hotspots)
  - VPNs: Your organization’s VPN – PPTP, IPSec, or SSL VPNs
  - Public VPN Gateways such as Hotspotvpn.com, Publicvpn.com, JiWire.com SpotLock
- Remember: HTTP, POP3, IMAP, FTP, Telnet and other protocols send credentials and data as clear text, so encrypt to be safe!
Safe SOHO Wireless Computing
- On your clients:
  - Do NOT connect to non-preferred wireless networks
  - No Ad-Hoc Networks (Ad-Hoc networks are REALLY BAD)
- On your router: Please. Please, Please - Change your router’s default configuration
  - CHANGE THE PASSWORD FROM THE DEFAULT
  - Change the SSID from the default
    - Choose an SSID that does not identify you or your geographic location
  - Set the channel to 1, 6, or 11 to reduce interference
  - Read the directions and set up WPA-PSK or WPA2-PSK
    - Choose a difficult to guess and long (32+ character) passphrase that has upper/lower case, numbers, and punctuation. Example: “Emory\University/Rox*My<2>smallW0RLD!!!Yeah!”
    - WPA-PSK can be subject to dictionary attacks, so misspelled words, added punctuation and longer keys will help mitigate this type of attack – just make it easy for YOU to remember
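Why the slide pairs “change the SSID” with “use a long passphrase”: in WPA/WPA2-Personal the pre-shared key is derived with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations. Because the SSID is the salt, a router left on a default SSID can be attacked with precomputed tables, and because the iteration count is fixed, passphrase length and variety are the only cost a guesser cannot avoid. The Python below is an added example, not from the slides: it derives the PSK exactly as 802.11i specifies (checked against the standard's own test vector) and scores a passphrase against the slide's recommendations. The SSID values used for the slide's example passphrase are constructed.

```python
import hashlib
import string

PUNCTUATION = set(string.punctuation)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256-bit output)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def passphrase_issues(passphrase: str) -> list:
    """Reasons a passphrase falls short of the 802.11i passphrase rules
    (8-63 printable ASCII characters) or of the slide's advice (32+ characters
    mixing upper/lower case, digits and punctuation). Empty list = passes."""
    issues = []
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        issues.append("contains characters outside printable ASCII")
    if not 8 <= len(passphrase) <= 63:
        issues.append("length must be 8-63 characters for WPA/WPA2-Personal")
    elif len(passphrase) < 32:
        issues.append(f"only {len(passphrase)} characters; 32+ recommended")
    present = {
        "upper-case letters": any(c.isupper() for c in passphrase),
        "lower-case letters": any(c.islower() for c in passphrase),
        "digits": any(c.isdigit() for c in passphrase),
        "punctuation": any(c in PUNCTUATION for c in passphrase),
    }
    issues.extend(f"no {name}" for name, found in present.items() if not found)
    return issues


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print("PSK(password, IEEE):", wpa_psk("password", "IEEE").hex())
    # The slide's example passphrase, checked against the slide's own advice
    example = r"Emory\University/Rox*My<2>smallW0RLD!!!Yeah!"
    print("slide example:", passphrase_issues(example) or "passes all checks")
    print("'password':", passphrase_issues("password"))
    # Same passphrase, two constructed SSIDs: different salt, different PSK,
    # which is why precomputed tables only help against common default SSIDs
    print("PSK differs by SSID:",
          wpa_psk(example, "linksys") != wpa_psk(example, "HomeNet-7f3a"))
```

The 4096-iteration PBKDF2 is deliberately slow for a 2007-era router, but it is the same cost for every guess an attacker makes, so the slide's 32-plus-character, mixed-class advice is what actually pushes a dictionary attack out of reach; the check above flags the example “password” on four counts and passes the slide's own example.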
Recap
- Why we need security for wireless networks
- Different security models: strengths & weaknesses, implementation
- Migrating to a New Security Model
- Basic wireless security methods for home and hotspots
Questions & Discussion
Wireless Security In an Education Environment
Presentation Evaluation URL: http://resnetsymposium.org/resnet2007/
Bibliography & Resources
- CWNP – Certified Wireless Network Professional Program: Best program for learning ALL about WLANs
- Books: Real 802.11 Security, Wi-Foo, CWNA/CWSP/CWAP Study Guides, Hacking Wireless Networks for Dummies
- Websites: cwnp.com, wi-fiplanet.com and others (hit the forums for good information)
- Manufacturers: Cisco, Aruba, Meru, Trapeze