Transcript Slide 1

•
•
•
•
•
•
Chapter 13-802.11 Network Security
Architecture
802.11 Security Basics
Legacy 802.11 security
Robust Security
Segmentation
Infrastructure Security
VPN wireless Security
Exam Essentials
• Define the concept of AAA.
– Be able to explain the differences between authentication, authorization,
and accounting and why each is needed for a WLAN network.
• Explain why data privacy and segmentation are needed.
– Be able to discuss why data frames must be protected with encryption.
Know the differences between the various encryption ciphers.
Understand how VLANs and RBAC mechanisms are used to further
restrict network resources.
• Understand legacy 802.11 security.
– Identify and understand Open System authentication and Shared Key
authentication. Understand how WEP encryption works and all of its
weaknesses.
• Explain the 802.1X/EAP framework.
– Be able to explain all of the components of an 802.1X solution and the
EAP authentication protocol. Understand that dynamic encryption key
generation is a by-product of mutual authentication.
Exam Essentials
• Define the requirements of a robust security network
(RSN).
– Understand what the 802.11-2007 standard specifically defines
for robust security and be able to contrast what is defend by both
the WPA and WPA2 certifications.
• Understand TKIP/RC4 and CCMP/AES.
– Be able to explain the basics of both dynamic encryption types
and why they are the end result of an RSN solution.
• Explain VLANs and VPNs.
– Understand that VLANs are typically used for wireless
segmentation solutions. Define the basics of VPN technology
and when it might be used in a WLAN environment.
Wireless Security
• Data Privacy and Authentication
• What attacks are there
• What defenses are there
802.11 Security basics
•
•
•
•
•
Data Privacy
Authentication, Authorization, Accounting
Segmentation
Monitoring
Policy
Pg 438
802.11 Security basics
• Wireless tend to be a portal to existing, secure
networks
• Wireless needs to be protected as well
– Too easy to capture
• Use authorization to prevent access to internal
network resources
– Then regular authentication for network resources
• 802.11i and the RSN improved the reputation of
wireless
Pg 438
Data Privacy
• Since wireless is in unlicensed frequency, easy
to detect transmissions
• Data privacy is used to restrict access to the
data
– Encryption Algorithms
– RC4 and AES
• Management Frames not encrypted
• The MSDU from the data frames is encrypted
– Layer 2 encryption
Pg 439
Authentication, Authorization,
Accounting (AAA)
• Authentication
– Verification of user identity and credentials
• Authorization
– Granting access to network resources based
on authentication
• Accounting
– Tracking the use of network resources by
users
Pg 439
Authentication, Authorization,
Accounting (AAA)
• 802.11i and the RSN provided AAA
standards for wireless networks
• Accounting trail is necessary for many
government regulation
Pg 439
Segmentation
• Before good encryption on wireless networks,
they were segmented (separated) from wired
– Untrusted
• Still important to keep different kinds of traffic
separate on the networks
– Firewalls, routers, VPNS, VLANS
– Wireless VLAN is mores common
• Related to Role Based Access Control (RBAC)
Pg 440
Monitoring and Privacy
• Need to monitor network to prevent
attacks
• Using a Wireless Intrusion Detection
system can help
Pg 440
Legacy Security
• Open System Authentication
– Null authentication, everyone gets in
• Shared Key
– Used the WEP key as source
• WEP key was static, and same for
everyone.
– Major security risk.
Pg 440
Static WEP
• Wired Equivalent Privacy is layer 2
encryption
– RC4 with 64 or 128 bit key
• Confidentiality, access control and data
integrity were goals
• Static WEP was on both AP and clients
– Up to 4 keys, but all must match
Pg 442
Static WEP
WEP runs a cyclic redundancy check (CRC) on the plaintext data that is to be
encrypted and then appends the Integrity Check Value (ICV) to the end of the
plaintext data. A 24-bit cleartext Initialization Vector (IV) is then generated and
combined with the static secret key. WEP then uses both the static key and the
IV as seeding material through a pseudorandom algorithm that generates
random bits of data known as a keystream. These pseudorandom bits are equal
in length to the plaintext data that is to be encrypted. The pseudorandom bits in
the keystream are then combined with the plaintext data bits by using a Boolean
XOR process. The end result is the WEP ciphertext, which is the encrypted
data. The encrypted data is then prefxed with the cleartext IV. Figure 13.3
illustrates this process.
Pg 442
Static WEP
• Attacks
– IV Collisions
– Weak Key
– Reinjection
– Bit-Flipping
• Easy to crack WEP
Pg 442
MAC Filters
• Have AP use only approved MAC
addresses
– Not part of the standard
• Too easy to spoof a MAC address
– Use protocol analyzer to grab MAC address
and then use it on your own machine
Pg 444
SSID Cloaking
• Hide the SSID
• The SSID field appears blank in beacon
frames and probe responses
• A protocol Analyzer will see the SSID field
in actual data frames
Pg 444
Robust Security
• The 802.11-2007 standard defines an
enterprise authentication method as well
as a method of authentication for home
use.
• Requires the use of 802.1x/EAP for
enterprise and use of PSK for SOHO
• Strong Encryption required as well
– CCMP/AES
– TKIP/RC4
Pg 445
Robust Security
• WiFi Alliance created WPA and WPA2
– WPA before 802.11i
– WPA2 after
Pg 445
Robust Security Network
• Robust Security Network Associations
– How two stations authenticate and associate
– Create dynamic encryption through a 4 way
handshake
• CCMP/AES is mandatory
• TKIP/RC4 is optional
• RSN field is in the beacon
– RSN Information Elelement
– Defines supported cipher elements
Pg 446
802.1x/EAP
•
•
•
•
Not specific to wireless
Port based authentication
Three players
Supplicant
– Client that wants access
• Authenticator
– System that accepts requests (AP)
• Authentication Server
– Database of users
– RADIUS server
Pg 446
802.1x/EAP
Pg 446
802.1x/EAP
• EAP allows for different authentication systems
to be used
• Defines when traffic moves from the
uncontrolled to the controlled port
Pg 446
EAP Types
• Many EAP types
– LEAP,PEAP, etc
• One way or mutual authentication
– Mutual authentication usually requires the AP
to provide a digital certificate to client that
they can verify
Pg 450
Dynamic Encryption
• Since 802.1x/EAP can provide for
distribution on certificates it is often used
to help with encryption
• Generate encryption keys during the
authentication process
– Much better than a static key that is used by
everyone
• Keys are generated per session/per user
– Every authentication, new key
Pg 450
4 Way Handshake
• The RSNA process creates multiple keys
– Group Master Key (GMK)
– Pairwise Master Key (PMK)
• PMK can also be created from a Pre-Shared Key
(PSK)
Pg 452
WPA/WPA-2 Personal
• In 802.1x/EAP you need an authentication
server
– Like RADIUS
• Most SOHO implementations use preshared Keys (PSK)
– PSK is still a security risk
• PSK isn’t used for encryption on all
stations
– Each creates own encryption keys
Pg 453
Encryption Options
• TKIP uses RC4
– Like WEP
– Optional solution
• Can help legacy devices support better encryption
than WEP
• CCMP/AES
– Much more secure
– Requires hardware support
Pg 453
Segmentation
• Dividing up network to restrict access to
resources
– VLANs
– RBAC
Pg 454
VLANs
• Common on wired networks
• With 802.11, map VLAN to specific SSIDs
• APs can support multiple SSIDs
– Wireless VLANS
• Each VLAN has different access to
internal network and other networks
Pg 457
VLANs
RBAC
• Restrict Access to authorized users
• When set up with a WLAn controller, RBAC can
divide access based on users, roles or
permission
• Roles like sales or marketing
• Permissions
– Layer 2 or 3 access
– Layer 4-7 firewalls
– Bandwidth
• When user authenticates, their access is
dependant on user credentials
– Like traditional wired networks
Pg 457
Infrastructure Security
• Physical
– Don’t want expensive APs walking away
• Interface Security
– Limit access to the management functions
– Turn off the ones not in use
Pg 458
VPN Wireless Security
• VPNs were often used by systems before
802.11i
• Not recommended now since there are
other measures
• Still required for remote access
– When connecting through Public Hot Spots
Pg 459
Layer 3 VPN
• VPNs use secure tunneling
– Encapsulate one network layer packet in
another
– Encapsulated packet has “hidden” data
• Outside packet has public addresses for
transmitting over network.
Pg 459
Layer 3 VPN
Pg 459
Exam Essentials
• Define the concept of AAA.
– Be able to explain the differences between authentication, authorization,
and accounting and why each is needed for a WLAN network.
• Explain why data privacy and segmentation are needed.
– Be able to discuss why data frames must be protected with encryption.
Know the differences between the various encryption ciphers.
Understand how VLANs and RBAC mechanisms are used to further
restrict network resources.
• Understand legacy 802.11 security.
– Identify and understand Open System authentication and Shared Key
authentication. Understand how WEP encryption works and all of its
weaknesses.
• Explain the 802.1X/EAP framework.
– Be able to explain all of the components of an 802.1X solution and the
EAP authentication protocol. Understand that dynamic encryption key
generation is a by-product of mutual authentication.
Exam Essentials
• Define the requirements of a robust security network
(RSN).
– Understand what the 802.11-2007 standard specifically defines
for robust security and be able to contrast what is defend by both
the WPA and WPA2 certifications.
• Understand TKIP/RC4 and CCMP/AES.
– Be able to explain the basics of both dynamic encryption types
and why they are the end result of an RSN solution.
• Explain VLANs and VPNs.
– Understand that VLANs are typically used for wireless
segmentation solutions. Define the basics of VPN technology
and when it might be used in a WLAN environment.