Mod 8.1 - PowerPoint PPT Presentation

About This Presentation
Title:

Mod 8.1

Description:

Mod 8.1 Security Cisco Fundamentals of Wireless LANs version 1.2 * * Using VPNs IP Security (IPSec) is a framework of open standards for ensuring secure private ... – PowerPoint PPT presentation

Slides: 59
Provided by: RickG164
Learn more at: https://hills.ccsf.edu
Tags: cisco | mod | route


Transcript and Presenter's Notes

1
Mod 8.1 Security
  • Cisco Fundamentals of Wireless LANs version 1.2

2
Overview
  • The goals of network security are to maintain
    integrity, protect confidentiality, and ensure
    availability.
  • The exponential growth of networking, including
    wireless technologies, has led to increased
    security risks.
  • Many of these risks are due to hacking, as well
    as improper uses of network resources.
  • The specific weaknesses and vulnerabilities of
    WLANs will be covered.
  • Security configuration for APs, bridges, and
    clients will be shown and explained.

3
Security Fundamentals
4
What is security?
  • Security usually refers to ensuring that users
    can perform only the tasks that they are
    authorized to do and can obtain only the
    information that they are authorized to have.

5
AP "Allow any SSID"
No Client SSID, but Associated!
AP Default
  • Set Guest Mode SSID
  • If you want the access point to allow
    associations from client devices that do not
    specify an SSID in their configurations, you can
    set up a guest SSID.
  • The access point includes the guest SSID in its
    beacon.
  • By default, the access point's default SSID,
    tsunami, is set to guest mode.
  • However, to keep your network secure, you should
    disable the guest mode SSID on most access points.

6
AP "Do NOT allow any SSID"
No Client SSID, NOT Associated!
Changed to NONE
  • Setting the Guest Mode SSID to NONE will not
    allow clients that do not have an SSID to
    associate.
  • Remember, it's not difficult for someone to get
    the SSID, so this should not be relied on as a
    security measure.
  • The next step should be configuring WEP, WPA, or
    some other authentication/encryption on your AP.
  • You cannot have the same SSID set as Guest Mode
    and authentication/encryption.

7
Wired equivalent privacy (WEP)
(Figure: AP and ACU WEP key configuration screens.)
128 bit WEP is sometimes referred to, and more
accurately, as 104 bit WEP. Also, be sure the
Transmit Key numbers match, i.e. Key 1 on both
the AP and the ACU.
  • The IEEE 802.11 standard includes WEP to protect
    authorized users of a WLAN from casual
    eavesdropping.
  • The IEEE 802.11 WEP standard specified a 40-bit
    key, so that WEP could be exported and used
    worldwide.
  • Most vendors have extended WEP to 128 bits or
    more.
  • When using WEP, both the wireless client and the
    access point must have a matching WEP key.
  • WEP is based upon an existing and familiar
    encryption type, Rivest Cipher 4 (RC4).

8
Authentication and association
(Figure: the 802.11 client state machine. State 1: Unauthenticated,
Unassociated. State 2: Authenticated, Unassociated. State 3:
Authenticated, Associated. The probe, authentication, and association
processes move a client forward through the states on successful
authentication and successful association; deauthentication and
disassociation move it back.)
  • Open Authentication and Shared Key Authentication
    are the two methods that the 802.11 standard
    defines for clients to connect to an access
    point.
  • The association process can be broken down into
    three elements known as probe, authentication,
    and association.
  • This section will explain both authentication
    methods.

9
Open Authentication
  • Open Authentication is basically a null
    authentication, which means there is no
    verification of the user or machine.

10
Open Authentication
  • Typical Open Authentication on both AP and Client
    with No WEP keys

11
Open Authentication and WEP
  • Remember there are three steps to Association
  • Probe
  • Authentication
  • Association
  • A client can associate with an AP, but use WEP to
    send the encrypted data packets.
  • Authentication and data encryption are two
    different things.
  • Authentication: Is the client allowed to
    associate with this AP?
  • Encryption: Encrypts the data (payload) and ICV
    (Integrity Check Value) fields of the 802.11 MAC
    frame, not the other fields.
  • So a client could associate with the AP, using
    Open Authentication (basically no
    authentication), but use WEP to encrypt the data
    frames sent after it is associated.

12
Open Authentication and WEP
Associated, but data cannot be sent or received,
since it cannot be decrypted.
  • In some configurations, a client can associate to
    the access point with an incorrect WEP key or
    even no WEP key.
  • The AP must be configured to allow this (coming).
  • A client with the wrong WEP key will be unable to
    send or receive data, since the packet payload
    will be encrypted.
  • Keep in mind that the header is not encrypted by
    WEP.
  • Only the payload or data is encrypted.

13
Open Authentication - Optional WEP Encryption (AP)
  • 802.11 allows client to associate with AP.
  • Cisco AP must have WEP Encryption set to Optional
  • Association successful with any of these options
    on the client
  • Matching WEP key
  • Non-matching WEP key
  • No WEP key

14
Authentication Process Shared-Key
  • Shared key requires the client and the access
    point to have the same WEP key.
  • An access point using Shared Key Authentication
    sends a challenge text packet to the client.
  • If the client has the wrong key or no key, it
    will fail this portion of the authentication
    process.
  • The client will not be allowed to associate to
    the AP.

15
Authentication Process Shared-Key (Review)
  • Shared-key authentication uses WEP (Wired
    Equivalent Privacy) and can only be used on
    products that support WEP.
  • 802.11 requires any stations that support WEP to
    also support shared-key authentication.

16
Authentication Process Shared-Key (Review)
(Figure: shared-key authentication exchange, labelled "Radia Perlman")
Authentication Request with Challenge Text
Authentication Response with Status Code
  • WEP is an encryption algorithm, not a method of
    authentication.
  • Shared-key authentication makes use of WEP, and
    therefore can only be used on APs and clients
    that implement WEP.
  • However, 802.11 requires that any stations
    implementing WEP also implement shared key
    authentication.
  • Shared-key authentication requires that a shared
    key be distributed to stations before attempting
    authentication.

17
Authentication Process Shared-Key (Review)
  • The client
    • Sets the Authentication Algorithm Number to 1
      (shared-key)
    • Sets the Authentication Transaction Sequence
      Number to 1
  • The AP
    • Sets the Authentication Algorithm Number to 1
      (shared-key)
    • Sets the Authentication Transaction Sequence
      Number to 2
    • Status Code set to 0 (Successful)
    • Challenge Text (later)
  • The client
    • Sets the Authentication Algorithm Number to 1
      (shared-key)
    • Sets the Authentication Transaction Sequence
      Number to 3
    • Challenge Text (later)
  • The AP
    • Sets the Authentication Algorithm Number to 1
      (shared-key)
    • Sets the Authentication Transaction Sequence
      Number to 4
    • Status Code set to 0 (Successful)

18
Authentication Process
  • Authentication
    • Open-System
    • Shared-Key (WEP)
  • Encryption
    • None
    • WEP

19
Authentication Process Shared-Key
20
Access Point Authentication
  • Open Authentication: Allows your client adapter,
    regardless of its WEP settings, to authenticate
    and attempt to communicate with an access point.
    Open Authentication is the default setting.
  • Shared Key Authentication: Allows your client
    adapter to communicate only with access points
    that have the same WEP key. This option is
    available only if Use Static WEP Keys is
    selected.
  • In shared key authentication, the access point
    sends a known unencrypted "challenge packet" to
    the client adapter, which encrypts the packet and
    sends it back to the access point. The access
    point attempts to decrypt the encrypted packet
    and sends an authentication response packet
    indicating the success or failure of the
    decryption back to the client adapter. If the
    packet is successfully encrypted/decrypted, the
    user is considered to be authenticated.
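As an added example (not from the course slides or from Cisco), here is a small Python model of the two WEP mechanisms the slides describe: the four-frame shared-key authentication exchange (slides 17 and 20) and WEP data encryption with the ICV (slides 11 to 13). RC4 and CRC-32 are the real algorithms; the frame layout is simplified and the key values are constructed for the example.

```python
import os
import zlib
from typing import List, Optional, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Rivest Cipher 4: key-scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, payload: bytes, iv: bytes = b"") -> bytes:
    """Frame body: 24-bit IV in the clear, then RC4(IV||key) over payload||ICV.
    The ICV is a CRC-32 of the plaintext payload. The 802.11 header is not
    encrypted (slide 12); only the payload and ICV are (slide 11)."""
    iv = iv or os.urandom(3)
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + key, payload + icv)

def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Return the payload if the ICV verifies; None means the receiver drops
    the frame, which is what a client with the wrong key experiences."""
    plain = rc4(body[:3] + key, body[3:])
    payload, icv = plain[:-4], plain[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None

def shared_key_auth(ap_key: bytes, client_key: bytes) -> List[Tuple]:
    """The four-frame exchange of slide 17 as (sender, sequence number, status).
    Every frame carries Authentication Algorithm Number 1 (shared-key)."""
    frames = [("client", 1, None)]                   # seq 1: request
    challenge = os.urandom(128)                      # seq 2: 128-byte challenge, sent in the clear
    frames.append(("ap", 2, 0))
    response = wep_encrypt(client_key, challenge)    # seq 3: client returns it WEP-encrypted
    frames.append(("client", 3, None))
    ok = wep_decrypt(ap_key, response) == challenge  # AP decrypts and compares (slide 20)
    frames.append(("ap", 4, 0 if ok else 15))        # seq 4: status 0 = success, 15 = challenge failure
    # Both the cleartext challenge and its encrypted form cross the air, which is
    # why shared-key authentication is not considered stronger than open auth + WEP.
    return frames

# 40-bit WEP keys (5 bytes); with the 3-byte IV they form the 64-bit RC4 key.
KEY_1234 = bytes.fromhex("1234567890")   # constructed value
KEY_4321 = bytes.fromhex("0987654321")   # constructed value
```

Calling `shared_key_auth(KEY_1234, KEY_4321)` ends with status 15, and `wep_decrypt(KEY_4321, wep_encrypt(KEY_1234, b"x"))` returns None, which is the "associated but cannot send or receive data" situation of slide 12.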

21
Encryption Modes
  • Indicates whether clients should use data
    encryption when communicating with the device.
    The three options are
  • None - The device communicates only with client
    devices that are not using WEP.
  • WEP Encryption - Choose Optional or Mandatory.
  • If optional, client devices can communicate with
    this access point or bridge with or without WEP.
  • If mandatory, client devices must use WEP when
    communicating with the access point. Devices not
    using WEP are not allowed to communicate. WEP
    (Wired Equivalent Privacy) is an 802.11 standard
    encryption algorithm originally designed to
    provide a level of privacy comparable to that
    of a wired LAN. The standard defines WEP base
    keys of size 40 bits or 104 bits.

22
In Summary
  • Client
  • Use Open Authentication on the client (does not
    use WEP, challenge transaction, during
    authentication).
  • Use WEP for Data Encryption.
  • AP
  • Use Open Authentication
  • Use Mandatory WEP Encryption, Devices not using
    WEP are not allowed to communicate.

23
Configuring Basic WLAN Security
24
Basic WLAN security - Physical Access
  • Most wireless access points are easily
    accessible.
  • They are usually located near users and outside
    of locked rooms.
  • This puts wireless access points at special risk
    for theft and for compromise by malicious users.
  • Network monitoring can be used to determine when
    an access point goes off.
  • Proper procedures will need to be followed to
    determine what happened to the equipment.
  • Almost all wireless vendors publish the methods
    of resetting an access point using reset buttons
    or the console port.

25
Basic WLAN security - Console
  • Administrator accounts and privileges should be
    set up properly.
  • The console port should be password protected.
    Choose a secure password.

26
Basic WLAN security - SSH
  • Telnet is an insecure, unencrypted protocol.
  • If at all possible, secure shell (SSH) should be
    used for all Command Line Interface (CLI)
    functions.
  • Telnet and SSH should be password protected.
  • For maximum security, disable Telnet and use only
    SSH.
  • An SSH client is required on the management PC or
    workstation in order to connect to an AP running
    SSH.
  • Several freeware programs are available such as
    PuTTY, Teraterm SSH, and SecureNetTerm.

27
Enabling protocol and MAC filters on APs
  • Filtering can provide an additional layer of
    wireless security.
  • Filters can be created to filter a protocol or IP
    port.
  • Protocol filters prevent or allow the use of
    specific protocols through the access point.
  • Individual protocol filters can be set up and
    enabled for one or more VLANs. MAC, Ethertype and
    IP filters can be used to filter wireless client
    devices, users on the wired LAN, or both.

28
Securing clients and APs
  • Encryption should always be used unless the WLAN
    is intended for guest access only!
  • If the WLAN is intended for guest access only
    then it should be segmented from all production
    traffic (VLAN or DMZ/Internet access).

29
Open and Authentication
(Figure: four Open Authentication cases, each shown as Associated)
  • Open Auth., No WEP Key / Open Auth., No WEP Key: Associated
  • Open Auth., No WEP Key / Open Auth., WEP 1234: Associated
  • Open Auth., WEP 4321 / Open Auth., WEP 1234: Associated
  • Open Auth., WEP 1234 / Open Auth., WEP 1234: Associated
  • See previous slides for examples.

30
Event Log
31
Event Log
32
Event Log
33
Disable unneeded services
  • It is important to disable or secure all unneeded
    services.
  • If Cisco discovery protocol (CDP), domain name
    service (DNS), network time protocol (NTP),
    hypertext transfer protocol (HTTP), TFTP, SNMP,
    or Telnet are not used in the network, they
    should be disabled.

34
Using VPNs
  • IP Security (IPSec) is a framework of open
    standards for ensuring secure private
    communication over IP networks.
  • IPSec Virtual Private Networks (VPNs) use the
    services defined within IPSec to ensure
    confidentiality, integrity, and authenticity of
    data communications across networks such as the
    Internet.
  • IPSec also has a practical application to secure
    WLANs.
  • It does this by overlaying IPSec on top of 802.11
    wireless traffic.
  • When deploying IPSec in a WLAN environment, an
    IPSec client is placed on every PC connected to
    the wireless network.
  • The user is required to establish an IPSec tunnel
    and to route any traffic to the wired network.

35
VLANs
36
VLANs
37
VLANs
38
VLANs
39
Spanning tree
  • Spanning tree is only needed when using wireless
    bridges.
  • It should remain disabled for access points and
    repeaters, unless special circumstances exist in
    the network.
  • The spanning-tree algorithm is used to prevent
    bridging loops.
  • The algorithm computes available network paths
    and closes redundant paths, so that there is only
    one path between any pair of LANs on the network.
  • Improper spanning tree settings can disable
    needed connections.
  • From a security perspective, an attacker may be
    able to disable ports in a poorly configured
    network.
  • Please review and understand spanning tree
    information when making configuration decisions.

40
Matching Client to AP
41
Matching Client to AP
42
Matching Client to AP
43
Matching Client to AP
44
Matching Client to AP
45
Matching Client to AP
46
  • Cisco Compliant TKIP Features - Temporal Key
    Integrity Protocol (TKIP) is a suite of
    algorithms surrounding WEP, designed to achieve
    the best possible security on legacy hardware
    built to run WEP.
  • TKIP adds four new enhancements to WEP
  • A per-packet key mixing function, to defeat weak
    key attacks.
  • A new IV sequencing discipline to detect replay
    attacks.
  • A cryptographic message integrity check (MIC) to
    detect forgeries such as bit flipping and
    altering of packet source and destination.
  • An extension of IV space, to virtually eliminate
    the need for a re-key.

47
Message integrity check
  • Enable MIC - MIC prevents attacks on encrypted
    packets called bit-flip attacks.
  • During a bit-flip attack, an intruder intercepts
    an encrypted message, alters it slightly, and
    retransmits it, and the receiver accepts the
    retransmitted message as legitimate.
  • The MIC, implemented on both the access point and
    all associated client devices, adds a few bytes
    to each packet to make the packets tamper-proof.
  • WEP Encryption must be set to Mandatory for MIC
    to be enabled.

48
  • Enable Per Packet Keying - EAP authentication
    provides dynamic unicast WEP keys for client
    devices but uses static broadcast (multicast) keys.
  • With broadcast, or multicast, WEP key rotation
    enabled, the access point provides a dynamic
    broadcast WEP key and changes it at the interval
    you select in the Broadcast Key Change Frequency
    field.
  • Broadcast key rotation is an excellent
    alternative to TKIP if your wireless LAN supports
    wireless client devices that are not Cisco
    devices or that cannot be upgraded to the latest
    firmware for Cisco client devices.

49
  • AP has WEP (Optional) and host not using WEP.
  • Associated.
  • Would not be Associated if WEP was Mandatory.

55
  • To configure the access point for WPA, follow
    these steps.
  • 1. Setup the Encryption Manager
  • Enable Cipher for TKIP.
  • Clear the value in Key 1.
  • Set Encryption Key 2 as the Transmit Key.
  • Click the Apply-Radio button.

56
  • 2. Setup the SSID Manager
  • Select the desired SSID from Current SSID List.
  • Choose an appropriate authentication method,
    based on the type of client cards used. If EAP
    worked prior to the addition of WPA, no change
    should be required.
  • Enable key management. First choose Mandatory
    from the pulldown box, then check the box to
    choose WPA.
  • Click Apply-Radio

57
  • Verify
  • This section provides information you can use to
    confirm your configuration works properly.
  • Certain show commands are supported by the Output
    Interpreter Tool (registered customers only),
    which allows you to view an analysis of show
    command output.
  • show dot11 association <MAC> - This command
    displays information about a specifically
    identified associated client. Verify that the
    client negotiates Key Management as WPA and
    Encryption as TKIP.

58
  • The Association Table entry for a given client
    should also indicate Key Management as WPA and
    Encryption as TKIP. From the Association Table,
    click a given MAC address for a client to see the
    details of the association for that client.