WIRELESS SECURITY

About This Presentation

Title:

Description:

Number of Views:17

Avg rating:3.0/5.0

Slides: 13

Provided by: a0195

Learn more at: http://cs.uccs.edu

Category:

Tags: security | wireless | funk

Transcript and Presenter's Notes

Title: WIRELESS SECURITY

1
WIRELESS SECURITY

2
802.1x - Authentication Methods

EAP defines a standard message exchange that
allows a server to authenticate a client based on
an authentication protocol agreed upon by both
parties.
The access point relays authentication messages
from the wireless client device to the RADIUS
server and from the RADIUS server to the wireless
client device.
Components involved in the 802.1x/EAP
authentication process are
supplicant (the end entity, or end user's
machine),
the authenticator (the access point), and
the authentication server (back-end RADIUS
server).
IEEE 802.1x is a port based authentication
protocol

3
EAP How It Works
4
802.1x EAP Authentication Types

A specific EAP authentication scheme is known as
an EAP type.
Both the remote access client and the
authenticator must support the same EAP type for
successful authentication to occur.
The access point has to support the 802.1x/EAP
authentication process. (The access point is not
aware of the EAP authentication protocol type.)
The different EAP-Types are
EAP-Transport Layer Security (EAP-TLS)
Tunneled Transport Layer Security (TTLS)
Cisco Light Weighted EAP (LEAP)
Protected EAP (PEAP).

5
EAP TLS and its Disadvantages

In EAP-TLS, certificates are used to provide
authentication in both directions.
The server presents a certificate to the client,
and, after validating the server's certificate
the client presents a client certificate.
Requires each user to have a certificate.
Imposes substantial administrative burden in
operating a certificate authority to distribute,
revoke and manage user certificates

6
EAP TLS in Action
7
EAP- Tunneled Transport Layer Security (EAP- TTLS)

EAP - TTLS protocol developed in response to the
PKI barrier in EAP-TLS.
TTLS a two-stage protocol - establish security in
stage one, exchange authentication in stage two.
RADIUS servers, not the users, are required to
have certificates
The users identity and password-based
credentials are tunneled during authentication

8
Advantages of Using EAP TTLS

Users to be authenticated with existing password
credentials, and, using strong public/private key
cryptography
Prevents dictionary attacks, man-in-the-middle
attacks, and hijacked connections by wireless
eavesdroppers.
Does not require the use of client certificates.
Requires little additional administration unlike
EAP-TLS
Dynamic per-session keys are generated to encrypt
the wireless connection and protect data privacy

9
Situations when EAP TTLS can Fail

User's identity is not hidden from the EAP-TTLS
server and may be included in the clear in AAA
messages between the access point, the EAP-TTLS
server, and the AAA/H server.
Server certificates within EAP-TTLS makes
EAP-TTLS susceptible to attack.
EAP TTLS is vulnerable to attacks by rogue
EAP-TTLS servers

10
Comparison of EAP- TTLS and PEAP Protocols

Microsoft, Cisco and RSA Security developed
Protected Extensible Authentication Protocol
(PEAP) over 802.11 WLANs
Windows XP is currently the only operating system
that supports PEAP.
Only EAP - generic token card

Funk Software and Interlink Networks added
support for the proposed wireless security
protocol, developed by Funk and Certicom,
Linux, Mac OS X, Windows 95/98/ME, and Windows
NT/2000/XP.
Any Authentication Method - CHAP, PAP, MS-CHAP,
and MS-CHAPv2 and EAP

11
Conclusions

Selection of an authentication method is the key
decision in securing a wireless LAN deployment.
EAP-TLS is best suited under situations when a
well configured PKI is already deployed
TTLS slight degree of flexibility at the protocol
level and supports wider of client operating
systems.
No single security solution is likely to address
all security risks. Hence should implement
multiple approaches to completely secure wireless
application access

12
References