WIRELESS LAN SECURITY Using EAP - TTLS
Security - In the Broad Sense
Focuses on network security, system security, information security, and physical security
Made up of a suite of multiple technologies that solve authentication, information integrity, and identification problems.
Includes technologies – firewalls, authentication servers, biometrics, cryptography, intrusion detection, virus protection, and VPNs.
Wireless Network Security Issues
Security is an even greater problem for wireless networks.
They use radio frequency (RF) technology to transmit and receive data over the air.
Authentication of network users is not strong.
Unauthorized users can access network resources.
Traffic encryption is also weak, so attackers are able to recover transmissions.
IEEE 802.11 Standard
Wired Equivalent Privacy (WEP)
Static WEP Key
Open and Shared Authentication
MAC address matches an address in an authentication table used by the access point. The address can be forged or the NIC stolen.
One Way Authentication (Client to AP)
15 min to crack a 40-bit key (45 min to crack a 128-bit key)
802.1x - Authentication Methods
EAP defines a standard message exchange that allows a server to authenticate a client based on an authentication protocol agreed upon by both parties.
The access points defer to the Remote Authentication Dial-In User Service (RADIUS) server to authenticate users and to support particular EAP authentication types.
802.1x EAP – Authentication Types
EAP-Transport Layer Security (EAP-TLS)
Tunneled Transport Layer Security (TTLS)
Cisco Lightweight EAP (LEAP)
Protected EAP (PEAP)
EAP – TLS and its Disadvantages
In EAP-TLS, certificates are used to provide authentication in both directions.
The server presents a certificate to the client and, after validating the server's certificate, the client presents a client certificate.
Requires each user to have a certificate.
Imposes a substantial administrative burden in operating a certificate authority to distribute, revoke and manage user certificates.
EAP - Tunneled Transport Layer Security (EAP-TTLS)
The EAP-TTLS protocol was developed in response to the PKI barrier in EAP-TLS.
Developed by Funk and Certicom.
TTLS is a two-stage protocol: establish security in stage one, exchange authentication in stage two.
RADIUS servers, not the users, are required to have certificates.
The user’s identity and password-based credentials are tunneled during authentication.
Advantages of Using EAP – TTLS
Allows users to be authenticated with existing password credentials while using strong public/private key cryptography.
Prevents dictionary attacks, man-in-the-middle attacks, and hijacked connections by wireless eavesdroppers.
Does not require the use of client certificates.
Requires little additional administration, unlike EAP-TLS.
Dynamic per-session keys are generated to encrypt the wireless connection and protect data privacy.
Situations when EAP – TTLS can Fail
User's identity is not hidden from the EAP-TTLS server and may be included in the clear in AAA messages between the access point, the EAP-TTLS server, and the AAA/H server.
The use of server certificates within EAP-TTLS makes it susceptible to attack.
EAP – TTLS is vulnerable to attacks by rogue EAP-TTLS servers
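A client-side check for two of the failure modes listed above (the user's identity sent in the clear, and rogue EAP-TTLS servers), as an added example that is not part of the original slides. It assumes the client is wpa_supplicant, which the slides do not name; the SSIDs, identities, file path and server name in the sample are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf (placeholder names, not from the slides).
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.org"
    password="constructed-password"
    phase2="auth=PAP"
}
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="constructed-password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
'''

# Each entry: options that satisfy the check, and the finding when none is set.
CHECKS = [
    (("ca_cert", "ca_path"), "server certificate is not verified"),
    (("domain_suffix_match", "domain_match", "altsubject_match", "subject_match"),
     "server name is not checked"),
    (("anonymous_identity",), "real user name is sent as the outer EAP identity"),
]

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (line.strip().partition("=") for line in body.splitlines())
        nets.append({k.strip(): v.strip().strip('"') for k, sep, v in pairs
                     if sep and not k.startswith("#")})
    return nets

def audit(text):
    """Map SSID -> findings for every EAP-TTLS profile in the config."""
    report = {}
    for net in parse_networks(text):
        if "TTLS" in net.get("eap", "").split():
            report[net.get("ssid", "?")] = [m for opts, m in CHECKS if not any(o in net for o in opts)]
    return report
print(audit(SAMPLE_CONF))
```

The first profile yields all three findings; the second, which pins the CA and server name and sets an anonymous outer identity, yields none.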
Comparison of EAP- TTLS and PEAP Protocols
PEAP:
Microsoft, Cisco and RSA Security developed Protected Extensible Authentication Protocol (PEAP) over 802.11 WLANs.
Windows XP is currently the only operating system that supports PEAP.
Supports only EAP - generic token card.
EAP-TTLS:
Funk Software and Interlink Networks added support for the proposed wireless security protocol developed by Funk and Certicom.
Supported on Linux, Mac OS X, Windows 95/98/ME, and Windows NT/2000/XP.
Supports any authentication method - CHAP, PAP, MS-CHAP, MS-CHAPv2 and EAP.
Conclusions
Selection of an authentication method is the key decision in securing a wireless LAN deployment.
EAP-TLS is best suited to situations where a well-configured PKI is already deployed.
TTLS offers a slight degree of flexibility at the protocol level and supports a wider range of client operating systems.
No single security solution is likely to address all security risks. Hence, multiple approaches should be implemented to completely secure wireless application access.
Future Areas of Research
Implement TTLS in a Wireless LAN.
Develop test benches to compare the two 802.1x standards EAP-TTLS and PEAP.
Implement PEAP for operating systems other than Windows XP.
Develop ways to protect security between the access point, the EAP-TTLS server, and the AAA/H server by implementing firewalls or other such viable security techniques.
Find alternative ways to protect the private key in EAP-TTLS servers, as they are susceptible to attacks in the case where the EAP-TTLS certificates are lost or compromised.