WLAN SECURITY and other 802 protocols - PowerPoint PPT Presentation

Slides: 32
Provided by: wirele2

Transcript and Presenter's Notes


1
WLAN SECURITY and other 802 protocols
2
Addenda to the basic 802.11 protocol
  • 802.11 a, b
  • 802.11 e
  • 802.11 d
  • 802.11 g
  • 802.11 h
  • 802.11 i
  • 802.1 x

3
Task Group H Spectrum Managed 802.11a
802.11 radios transmit and, without getting
appropriate feedback, halt and retransmit.
802.11h overlays 802.11a to solve both
interference and overuse problems, as well as
improve coexistence with other specs that might
reside on the same band. The h spec requires
devices to check whether given frequencies are
in use before transmitting (Dynamic Frequency
Selection or DFS), as well as only transmitting
at the minimum necessary power level (Transmit
Power Control or TPC).
4
Task Group H Spectrum Managed 802.11a
These additions were formulated specifically to
meet requirements for using the 5 GHz band in the
European Union, which has been promoting its own
specification called HiperLAN2. There's a chance
for spillover of h into other standards like b
and g, of course, to improve their responsiveness.
5
Task Group E Quality of Service
  • Every packet has an equal chance of getting
    through in 802.11b. Task Group E wants to change
    that, allowing for what's known as "quality of
    service" or QoS, to guarantee that some packets
    have more priority than others. This is a fairly
    tricky task, involving coordination between
    client radios, access points, and system
    administrators.
  • QoS is needed for consistent voice-quality calls
    using VOIP (voice over IP) and for streaming
    multimedia.

6
Task Group I Enhanced Security
  • Originally, 802.11e covered both scheduling and
    security. With the constant release of weakness
    reports in the WEP (Wired Equivalent Privacy)
    encryption system built into 802.11b, however,
    security popped into its own group, letter I.
  • Task Group I has been working to find a
    replacement for WEP that, hopefully, would also
    have enough compatibility to be implemented
    without vastly revising the current generation of
    systems.

7
Task Group I Enhanced Security
  • The long-term goal of 802.11i, however, is to
    replace WEP. The failure in public confidence has
    the group looking at specifications that are at
    a much higher level of complexity but still
    computationally efficient enough to embed in
    lower-power, inexpensive devices, such as
    chipsets used for PC cards.

8
Task Group I Enhanced Security
  • The failure of WEP resulted in the group
    dropping the name WEP2 for the new standard and
    replacing it with Temporal Key Integrity Protocol
    (TKIP), a name that is much more descriptive,
    conveying that a key retains its security over a
    period of time.

9
Task Group 802.1x
  • Is developing a method of authenticating users
    through a back-end system in a secure fashion.
    Some weaknesses in the approach have already been
    discovered, unfortunately, as there is a lot of
    room for man-in-the-middle style interception.

10
Wireless LAN Security Issues
Issue
  • Wireless sniffer can view all WLAN data packets
  • Anyone in AP coverage area can get on WLAN
802.11 Solution
  • Encrypt all data transmitted between client and
    AP
  • Without encryption key, user cannot transmit or
    receive data

11
Limitations of 802.11 Security
  • Shared, static WEP keys
  • No centralized key management
  • Poor protection from variety of security attacks
  • No effective way to deal with lost or stolen adapter
  • Possessor has access to network
  • Re-keying of all WLAN client devices is required
  • Lack of integrated user administration
  • Need for separate user databases; no use of RADIUS
  • Potential to identify user only by device
    attribute like MAC address
12
802.1X Authentication
802.1X Authentication Process
13
Require VPNs for WLAN Access?
Pros
  • Ensures 3DES encryption from client to
    concentrator
  • Is in use at most shops
  • Makes WLAN and remote access UIs consistent
  • Supports central security management
14
Cons
  • Client does encryption, decryption in software
  • Requires VPN concentrators behind APs,
    increasing cost
  • User must reinitialize VPN connection when
    roaming between concentrators
15
802.1X
The IEEE 802.1X standard, Port Based
Network Access Control, defines a mechanism for
port-based network access control that makes use
of the physical access characteristics of IEEE
802 LAN infrastructure. It provides a means of
authenticating and authorizing devices attached
to a LAN port that has point-to-point connection
characteristics. The 802.1X specification
includes a number of features aimed specifically
at supporting the use of Port Access Control in
IEEE 802.11 Wireless LANs (WLANs). These include
the ability for a WLAN Access Point to distribute
or obtain global key information to/from attached
stations, following successful authentication.
16
Wireless LAN Analysis- tools
  • AiroPeek from WildPackets
  • Grasshopper from BV Systems
  • Mobile Manager from Wavelink
  • Sniffer Wireless from Network Associates
  • NetStumbler
  • AirSnort via the SourceForge
  • AirSnort has been designed to break WEP
    encryption keys.
  • It operates by passively monitoring
    transmissions, and when enough interesting
    packets have been gathered, usually over a 24
    hour period, it can then calculate the WEP key.

17
Extensible Authentication Protocol (EAP)
The Extensible Authentication Protocol (EAP),
specified in RFC 2284, is a method of conducting
an authentication conversation between a
Supplicant and an Authentication Server.
Intermediate devices such as Access Points and
proxy servers do not take part in the
conversation. Their role is to relay EAP messages
between the parties performing the
authentication. The EAP messages are transported
between a wireless station and an 802.1X
Authenticator using EAPOL. The EAP messages are
transported between an 802.1X Authenticator and
the Authentication Server using RADIUS. The EAP
framework supports the definition of
Authentication Methods. Currently implemented EAP
Authentication Methods include MD5, TLS, TTLS,
PEAP, and Cisco's LEAP.
18
(No Transcript)
19
Supplicant
The Supplicant is the client
authentication software/firmware. It runs on the
station seeking WLAN access and conducts an
authentication conversation with the
Authentication Server using EAP. Until
authenticated, the Supplicant can only
communicate with the Authentication Server.
20
Authenticator
An Authenticator performs
port-based access control on a Network Access
Server such as a Wireless Access Point. During
authentication it relays EAP messages between the
Supplicant and Authentication Server and discards
all other traffic from the Supplicant. Once
notified of successful authentication by the
Authentication Server, the Authenticator
establishes the session and provides network
access to the Supplicant using any session keys
provided by the Authentication Server.
21
Authentication Server
The Authentication Server
provides authentication services to the
Authenticator. The Authenticator and
Authentication Server have a trusted
(client/server) relationship over the secure
(usually wired) portion of the network. The
Authentication Server conducts an authentication
conversation with the Supplicant using EAP. The
Authentication Server authenticates the
Supplicant based upon a user profile that can be
maintained either locally or remotely. The
Authentication Server may also perform
authorization, collect accounting, and provide
session keys to the Authenticator.
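The relay role that the EAP, Supplicant, Authenticator and Authentication Server slides describe, as an added example that is not part of the original presentation: a model of an Authenticator's controlled port that drops all non-EAP traffic until the server reports success, and carries relayed EAP in RADIUS EAP-Message attributes. The class, the function names and the sample frames are hypothetical and constructed; EAPOL-Start/Logoff/Key handling and RADIUS packet authentication are left out.

```python
ETH_EAPOL = b"\x88\x8e"              # EtherType of EAP over LAN (EAPOL)
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 2, 3, 4   # EAP codes (RFC 2284)
RADIUS_EAP_MESSAGE = 79              # RADIUS attribute type that carries EAP

def parse_eap(data):
    """Return (code, packet); raise ValueError on a short or inconsistent header."""
    length = int.from_bytes(data[2:4], "big")
    if len(data) < 4 or not 4 <= length <= len(data):
        raise ValueError("bad EAP header")
    return data[0], data[:length]

def to_radius_attrs(eap):
    """Split an EAP packet into EAP-Message attributes (at most 253 value bytes each)."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return [bytes([RADIUS_EAP_MESSAGE, len(c) + 2]) + c for c in chunks]

class Authenticator:
    """Hypothetical model of one controlled port on an access point."""
    authorized = False

    def from_supplicant(self, frame):
        """Classify a station frame: relay EAP to the server, forward, or drop."""
        if frame[12:14] != ETH_EAPOL:               # ordinary data traffic
            return ("forward", frame) if self.authorized else ("drop", None)
        body_len = int.from_bytes(frame[16:18], "big")   # EAPOL body length field
        try:
            code, eap = parse_eap(frame[18:18 + body_len])
        except ValueError:
            return "drop", None
        if frame[15] != 0 or code != EAP_RESPONSE:  # EAPOL type 0 = EAP-Packet
            return "drop", None
        return "relay", to_radius_attrs(eap)

    def from_server(self, eap):
        """Apply the server's verdict; return the EAP packet to wrap in EAPOL."""
        code, eap = parse_eap(eap)
        if code in (EAP_SUCCESS, EAP_FAILURE):      # Requests leave the port unchanged
            self.authorized = code == EAP_SUCCESS
        return eap

def demo():
    """Constructed exchange: data, EAP-Response/Identity, server Success, data again."""
    port, data = Authenticator(), bytes(12) + b"\x08\x00" + b"constructed payload"
    ident = bytes([EAP_RESPONSE, 1, 0, 10, 1]) + b"alice"      # type 1 = Identity
    eapol = bytes(12) + ETH_EAPOL + bytes([1, 0, 0, len(ident)]) + ident
    before = [port.from_supplicant(data)[0], port.from_supplicant(eapol)[0]]
    port.from_server(bytes([EAP_SUCCESS, 2, 0, 4]))
    return before + [port.from_supplicant(data)[0]]
```

An EAP length field that overruns the EAPOL body is treated as malformed and dropped rather than relayed to the server.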
22
The WLAN access points can identify every
wireless card ever manufactured by its unique
Media Access Control (MAC) address that is burned
into and printed on the card. Some WLANs require
that the cards be registered before the
wireless services can be used. The access point
then identifies the card by the user, but this
scenario is complex because every access point
needs to have access to this list. Even if it
were implemented, it cannot account for hackers
who use WLAN cards that can be loaded with
firmware that does not use the built-in MAC
address, but a randomly chosen, or deliberately
spoofed, address. Using this spoofed address, a
hacker can attempt to inject network traffic or
spoof legitimate users. It is also easy to
interfere with wireless communications. A simple
jamming transmitter can make communications
impossible. For example, consistently hammering an AP
with access requests, whether successful or not,
will eventually exhaust its available radio
frequency spectrum and knock it off the network.
Other wireless services in the same
frequency range can reduce the range and usable
bandwidth of WLAN technology.
23
Access point security recommendations
  • Enable user authentication for the management
    interface.
  • Choose strong community strings for Simple
    Network Management Protocol (SNMP) and change
    them often.
  • Consider using SNMP Read Only if your management
    infrastructure allows it.
  • Disable any insecure and nonessential management
    protocol provided by the manufacturer.
  • Limit management traffic to a dedicated wired
    subnet.
  • Encrypt all management traffic where possible.
  • Enable wireless frame encryption where available.
Client security recommendations
  • Disable ad hoc mode.
  • Enable wireless frame encryption where available.
24
On a busy network, 128-bit static WEP keys can be
obtained in as little as 15 minutes. WEP uses the
RC4 stream cipher that was invented by Ron Rivest
of RSA Data Security, Inc., (RSADSI) for
encryption. The RC4 encryption algorithm is a
symmetric stream cipher that supports a
variable-length key. The IEEE 802.11 standard
describes the use of the RC4 algorithm and key in
WEP, but does not specify specific methods for
key distribution. Without an automated method for
key distribution, any encryption protocol will
have implementation problems due to the potential
for human error in key input, escrow, and
management. As discussed later in this document,
802.1X has been ratified in the IEEE and is being
embraced by the WLAN vendor community as a
potential solution for this key distribution
problem.
25
IP Security
  • When deploying IPSec in a WLAN environment, an
    IPSec client is placed on every PC connected to
    the wireless network and the user is required to
    establish an IPSec tunnel to route any traffic to
    the wired network. Filters are put in place to
    prevent any wireless traffic from reaching any
    destination other than the VPN gateway and
    DHCP/DNS server. IPSec provides for
    confidentiality of IP traffic, as well as
    authentication and antireplay capabilities.
  • Confidentiality is achieved through encryption
    using a variant of the Data Encryption Standard
    (DES), called Triple DES (3DES), which encrypts
    the data three times with up to three different
    keys.
  • Though IPSec is used primarily for data
    confidentiality, extensions to the standard allow
    for user authentication and authorization to
    occur as part of the IPSec process. This scenario
    offers a potential solution to the user
    differentiation problem with WLANs.

26
EAP/802.1X
  • An alternative WLAN security approach focuses on
    developing a framework for providing centralized
    authentication and dynamic key distribution.
  • EAP allows wireless client adapters that may
    support different authentication types to
    communicate with different back-end servers such
    as Remote Authentication Dial-In User Service
    (RADIUS).
  • IEEE 802.1X is a standard for port-based network
    access control.

27
EAP/802.1X
  • When these features are implemented, a
    wireless client that associates with an AP cannot
    gain access to the network until the user
    performs a network logon. When the user enters a
    username and password into a network logon dialog
    box or its equivalent, the client and a RADIUS
    server perform a mutual authentication, with the
    client authenticated by the supplied username and
    password. The RADIUS server and client then
    derive a client-specific WEP key to be used by
    the client for the current logon session. User
    passwords and session keys are never transmitted
    in the clear, over the wireless link.

28
Summary
Organizations should choose to deploy
either IPSec or EAP/802.1X, hereafter referred to
as LEAP, but generally not both. Organizations
should use IPSec when they have the utmost
concern for the sensitivity of the
transported data, but remember that this solution
is more complex to deploy and manage than LEAP.
LEAP should be used when an organization wants
reasonable assurance of confidentiality and a
transparent user security experience. The basic
WEP enhancements can be used anywhere WEP is
implemented.
29
Wireless Encryption Technology Comparison
30
Key LEAP Devices
  • Wireless client adapter and software: A software
    solution that provides the hardware and software
    necessary for wireless communications to the AP;
    it provides mutual authentication to the AP via
    LEAP
  • Wireless access point: Mutually authenticates
    wireless clients via LEAP
  • Layer 2/3 switch: Provides Ethernet connectivity
    and Layer 3/4 filtering between the WLAN AP and
    the corporate network
  • RADIUS server: Delivers user-based authentication
    for wireless clients and access-point
    authentication to the wireless clients
  • DHCP server: Delivers IP configuration
    information for wireless LEAP clients