Transcript Document

Mod 8.1 – Security
Cisco Fundamentals of Wireless LANs version 1.2
Overview
• The goals of network security are to maintain integrity, protect confidentiality, and ensure availability.
• The exponential growth of networking, including wireless technologies, has led to increased security risks.
• Many of these risks are due to hacking, as well as improper uses of network resources.
• The specific weaknesses and vulnerabilities of WLANs will be covered.
• Security configuration for APs, bridges, and clients will be shown and explained.
Security Fundamentals
What is security?
• Security usually refers to ensuring that users can perform only the tasks that they are authorized to do and can obtain only the information that they are authorized to have.
Set Guest Mode SSID
[Figure: AP set to "Allow any SSID" (the AP default, with a guest mode SSID set); a client with no SSID configured still associates.]
• If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID.
• The access point includes the guest SSID in its beacon.
• By default, the access point's default SSID, tsunami, is set to guest mode.
• However, to keep your network secure, you should disable the guest mode SSID on most access points.
Changed to NONE
[Figure: AP set to "Do NOT allow any SSID" (Guest Mode SSID changed to NONE); a client with no SSID configured is NOT associated.]
• Setting the Guest Mode SSID to NONE will not allow clients that do not have an SSID to associate.
• Remember, it is not difficult for someone to get the SSID (the AP transmits it in beacons and probe responses, and every client that associates sends it in the clear), so this should not be treated as a security measure.
• The next step should be configuring WEP, WPA, or some other authentication/encryption on your AP.
• You cannot have the same SSID set as Guest Mode and authentication/encryption.
Wired equivalent privacy (WEP)
[Figure: WEP key configuration on the AP and in the Aironet Client Utility (ACU). Callouts: "128 bit WEP is sometimes referred to, and more accurately, as 104 bit WEP"; "Also, be sure Transmit Key numbers match, i.e. Key 1 on both AP and ACU."]
• The IEEE 802.11 standard includes WEP to protect authorized users of a WLAN from casual eavesdropping.
• The IEEE 802.11 WEP standard specified a 40-bit key, so that WEP could be exported and used worldwide.
• Most vendors have extended WEP to 128 bits or more. The advertised 64-bit and 128-bit sizes include the 24-bit IV that is sent in the clear with every frame, which is why "128-bit WEP" is more accurately 104-bit WEP.
• When using WEP, both the wireless client and the access point must have a matching WEP key, and the transmit key index (Key 1 to Key 4) must match as well.
• WEP is based upon an existing and familiar encryption type, Rivest Cipher 4 (RC4).
• WEP has well-known weaknesses; the TKIP section later in this module lists the attacks (weak keys, replay, bit flipping, IV reuse) that it was designed to address.
Authentication and association
[Figure: 802.11 state machine. State 1: Unauthenticated, Unassociated. Successful Authentication moves the client to State 2: Authenticated, Unassociated. Successful Association moves it to State 3: Authenticated, Associated. Disassociation returns it to State 2; Deauthentication returns it to State 1. The probe process precedes authentication.]
• Open Authentication and Shared Key Authentication are the two methods that the 802.11 standard defines for clients to connect to an access point.
• The association process can be broken down into three elements known as probe, authentication, and association.
• This section will explain both authentication methods.
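The state machine in the figure, as an added example (not code from the course): a small model of the per-station state an AP keeps, with the three states and the four transitions from the slide. The frame-class rule it enforces (which frames are legal in which state, and the deauthentication or disassociation the AP sends back to a client that is out of state) is standard 802.11 behaviour that the slide does not spell out; the frame names and the ApStationTable class are this example's own.

```python
"""Added example: the 802.11 station state machine as an AP tracks it per client MAC."""
from enum import IntEnum


class State(IntEnum):
    UNAUTH_UNASSOC = 1   # State 1: unauthenticated, unassociated
    AUTH_UNASSOC = 2     # State 2: authenticated, unassociated
    AUTH_ASSOC = 3       # State 3: authenticated, associated


# 802.11 frame classes (assumption beyond the slides): class 1 frames are legal in any
# state, class 2 frames need State 2 or 3, class 3 frames (data) need State 3.
FRAME_CLASS = {
    "probe_req": 1, "auth": 1, "deauth": 1,
    "assoc_req": 2, "disassoc": 2,
    "data": 3,
}


class ApStationTable:
    """Per-station state as an AP keeps it, keyed by client MAC address."""

    def __init__(self):
        self.stations = {}

    def state_of(self, mac):
        return self.stations.get(mac, State.UNAUTH_UNASSOC)

    def handle(self, mac, frame, ok=True):
        """Process one received frame and return the AP's reply (or None).
        `ok` is the outcome of the authentication or association check; for Open
        Authentication it is always True, for Shared Key it depends on the WEP key."""
        state = self.state_of(mac)
        if FRAME_CLASS[frame] > state:
            # Out-of-state frame: the AP answers with the frame that tells the client
            # which state it is really in, and the station's state does not change.
            return "deauth" if state == State.UNAUTH_UNASSOC else "disassoc"
        if frame == "probe_req":
            return "probe_resp"
        if frame == "auth":
            if ok and state == State.UNAUTH_UNASSOC:
                self.stations[mac] = State.AUTH_UNASSOC      # State 1 -> State 2
            return "auth_resp(success)" if ok else "auth_resp(failure)"
        if frame == "assoc_req":
            if ok:
                self.stations[mac] = State.AUTH_ASSOC        # State 2 -> State 3
            return "assoc_resp(success)" if ok else "assoc_resp(failure)"
        if frame == "disassoc":
            self.stations[mac] = State.AUTH_UNASSOC          # State 3 -> State 2
            return None
        if frame == "deauth":
            self.stations.pop(mac, None)                     # any state -> State 1
            return None
        return "forward"  # a data frame from a station in State 3


if __name__ == "__main__":
    table = ApStationTable()
    mac = "00:11:22:33:44:55"  # constructed client address
    for frame in ("data", "auth", "data", "assoc_req", "data", "disassoc", "deauth"):
        print(f"{frame:10s} -> reply {table.handle(mac, frame)!s:22s} state {table.state_of(mac).name}")
```

The first data frame is answered with a deauthentication because the station is still in State 1; after authentication it is answered with a disassociation, and only in State 3 is it forwarded.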
Open Authentication
• Open Authentication is basically a null authentication, which means there is no verification of the user or machine.
Open Authentication
[Figure: typical Open Authentication on both AP and client with no WEP keys.]
Open Authentication and WEP
• Remember there are three steps to Association:
– Probe
– Authentication
– Association
• A client can associate with an AP, but use WEP to send the encrypted data packets.
• Authentication and data encryption are two different things.
– Authentication – Is the client allowed to associate with this AP?
– Encryption – Encrypts the data (payload) and ICV (Integrity Check Value) fields of the 802.11 MAC frame, not the other fields. The header (addresses, sequence number, IV) is always sent in the clear.
• So a client could associate with the AP using Open Authentication (basically no authentication), but use WEP to encrypt the data frames sent after it is associated.
Open Authentication and WEP
[Figure: client associated, but data cannot be sent or received, since it cannot be decrypted.]
• In some configurations, a client can associate to the access point with an incorrect WEP key or even no WEP key.
– The AP must be configured to allow this (covered on the next slide).
• A client with the wrong WEP key will be unable to send or receive data, since the packet payload is encrypted with a key it does not have.
• Keep in mind that the header is not encrypted by WEP. Only the payload (and its ICV) is encrypted.
Open Authentication - Optional WEP Encryption (AP)
• 802.11 allows the client to associate with the AP.
• The Cisco AP must have WEP Encryption set to Optional.
• Association is successful with any of these options on the client:
– Matching WEP key
– Non-matching WEP key
– No WEP key
• Note that with Optional encryption a client with no key does not just associate; it can also pass unencrypted traffic through the AP, so Optional should be used only while clients are being migrated to WEP.
Authentication Process – Shared-Key
• Shared key requires the client and the access point to have the same WEP key.
• An access point using Shared Key Authentication sends a challenge text packet to the client.
• If the client has the wrong key or no key, it will fail this portion of the authentication process.
• The client will not be allowed to associate to the AP.
Authentication Process – Shared-Key (Review)
• Shared-key authentication uses WEP (Wired Equivalent Privacy) and can only be used on products that support WEP.
• 802.11 requires any stations that support WEP to also support shared-key authentication.
Authentication Process – Shared-Key (Review)
[Figure: client and AP both configured with Shared-key = RadiaPerlman. Labels: "Authentication Request with Challenge Text" and "Authentication Response with Status Code".]
• WEP is an encryption algorithm, not a method of authentication.
• Shared-key authentication makes use of WEP, and therefore can only be used on APs and clients that implement WEP.
• However, 802.11 requires that any stations implementing WEP also implement shared key authentication.
• Shared-key authentication requires that a shared key be distributed to stations before attempting authentication.
Authentication Process – Shared-Key (Review)
• The client (frame 1):
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets the Authentication Transaction Sequence Number to 1
• The AP (frame 2):
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets the Authentication Transaction Sequence Number to 2
– Status Code set to 0 (Successful)
– Challenge Text (sent in the clear; its handling is described on the following slides)
• The client (frame 3):
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets the Authentication Transaction Sequence Number to 3
– Challenge Text (encrypted with the client's WEP key)
• The AP (frame 4):
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Sets the Authentication Transaction Sequence Number to 4
– Status Code set to 0 (Successful) only if the decrypted challenge text matches; otherwise a failure code
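The four-frame exchange above, worked through in code as an added example (not the course's material, and independent of any Cisco product): a minimal WEP (RC4 plus CRC-32 ICV) and a shared_key_auth function that plays both sides, returning status 0 for a matching key and the 802.11 challenge-failure status code (15) otherwise. It also shows the caveat a practitioner wants to see, which the slides do not cover: frame 2 carries the challenge in the clear and frame 3 carries its encryption under a visible IV, so an eavesdropper recovers 132 bytes of keystream for that IV and can answer a later challenge without the key. The function names, the frame dictionaries and the key value (a 13-byte, 104-bit key built from the slides' RadiaPerlman example) are this example's own.

```python
"""Added example: 802.11 shared-key authentication on top of WEP, and the keystream it leaks."""
import os
import struct
import zlib

SHARED_KEY_ALG = 1             # Authentication Algorithm Number: 1 = shared key
STATUS_SUCCESS = 0
STATUS_CHALLENGE_FAILURE = 15  # 802.11 status code: rejected because of challenge failure
CHALLENGE_LEN = 128            # 802.11 challenge text is 128 octets


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then the keystream XORed over `data`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4(IV || key) over plaintext || ICV.
    `key` is the 40-bit (5-byte) or 104-bit (13-byte) static WEP key."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext, or None when the ICV fails (wrong key or tampering)."""
    iv, ciphertext = body[:3], body[3:]
    plaintext = rc4(iv + key, ciphertext)
    data, tag = plaintext[:-4], plaintext[-4:]
    return data if icv(data) == tag else None


def shared_key_auth(ap_key: bytes, client_key: bytes, challenge=None, iv=None):
    """Run the four-frame exchange from the slides; return (status, frames).
    AP and client keys are passed separately so a mismatch can be simulated."""
    challenge = challenge or os.urandom(CHALLENGE_LEN)
    iv = iv or os.urandom(3)
    frames = [
        # 1. client -> AP: algorithm 1, sequence 1
        {"alg": SHARED_KEY_ALG, "seq": 1},
        # 2. AP -> client: sequence 2, status 0, challenge text in the clear
        {"alg": SHARED_KEY_ALG, "seq": 2, "status": STATUS_SUCCESS, "challenge": challenge},
        # 3. client -> AP: sequence 3, challenge WEP-encrypted with the client's key
        {"alg": SHARED_KEY_ALG, "seq": 3, "body": wep_encrypt(client_key, iv, challenge)},
    ]
    # 4. AP -> client: decrypt frame 3 with the AP's own key; status 0 only if the
    #    ICV verifies and the recovered text equals the challenge that was sent.
    decrypted = wep_decrypt(ap_key, frames[2]["body"])
    status = STATUS_SUCCESS if decrypted == challenge else STATUS_CHALLENGE_FAILURE
    frames.append({"alg": SHARED_KEY_ALG, "seq": 4, "status": status})
    return status, frames


def recover_keystream(frames):
    """Eavesdropper's view: frame 2 holds the plaintext challenge, frame 3 its encryption
    under a visible IV. XOR gives the RC4 keystream for that IV (challenge + ICV)."""
    challenge = frames[1]["challenge"]
    iv, ciphertext = frames[2]["body"][:3], frames[2]["body"][3:]
    return iv, bytes(a ^ b for a, b in zip(challenge + icv(challenge), ciphertext))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge correctly by reusing the recovered keystream and IV."""
    plaintext = new_challenge + icv(new_challenge)
    return iv + bytes(a ^ b for a, b in zip(plaintext, keystream))


if __name__ == "__main__":
    key = b"RadiaPerlman1"  # 13 bytes = 104-bit key, built from the slides' example value
    status, frames = shared_key_auth(key, key)
    print("matching keys  -> status", status)
    print("mismatched key -> status", shared_key_auth(key, b"WrongKeyWrong")[0])
    iv, ks = recover_keystream(frames)
    forged = forge_response(iv, ks, b"\xaa" * CHALLENGE_LEN)
    print("forged reply accepted by AP:", wep_decrypt(key, forged) == b"\xaa" * CHALLENGE_LEN)
```

The AP never learns that the forged frame 3 was produced without the key: the ICV verifies and the text matches, because both were encrypted with the very keystream the legitimate exchange exposed. This is why the summary later in the module pairs Open Authentication with mandatory WEP rather than using Shared Key.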
Authentication Process
[Figure: the two settings are chosen independently. Authentication: Open-System or Shared-Key (WEP). Encryption: None or WEP only.]
Access Point Authentication
• Open Authentication—Allows your client adapter, regardless of its WEP settings, to authenticate and attempt to communicate with an access point. Open Authentication is the default setting.
• Shared Key Authentication—Allows your client adapter to communicate only with access points that have the same WEP key. This option is available only if Use Static WEP Keys is selected.
• In shared key authentication, the access point sends a known unencrypted "challenge packet" to the client adapter, which encrypts the packet and sends it back to the access point. The access point attempts to decrypt the encrypted packet and sends an authentication response packet indicating the success or failure of the decryption back to the client adapter. If the packet is successfully encrypted and decrypted, the user is considered to be authenticated.
Encryption Modes
• Indicates whether clients should use data encryption when communicating with the device. The three options are:
• None - The device communicates only with client devices that are not using WEP.
• WEP Encryption - Choose Optional or Mandatory.
• If Optional, client devices can communicate with this access point or bridge with or without WEP. This means a client with no key at all can pass unencrypted traffic through the AP, so Optional should only be used while clients are being migrated to WEP.
• If Mandatory, client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate. WEP (Wired Equivalent Privacy) is an 802.11 standard encryption algorithm originally designed to provide a level of privacy comparable to that experienced on a wired LAN. The standard defines WEP base keys of size 40 bits or 104 bits.
In Summary
• Client
– Use Open Authentication on the client (does not use WEP, or the challenge transaction, during authentication).
– Use WEP for Data Encryption.
• AP
– Use Open Authentication.
– Use Mandatory WEP Encryption. Devices not using WEP are not allowed to communicate.
• Why Open rather than Shared Key: the shared-key challenge exchange hands an eavesdropper a plaintext challenge together with its WEP-encrypted form, and therefore a piece of RC4 keystream for that IV. Open Authentication with Mandatory WEP gives nothing away during authentication and still refuses data from clients that do not hold the key.
Configuring Basic WLAN Security
Basic WLAN security - Physical Access
• Most wireless access points are easily accessible.
• They are usually located near users and outside of locked rooms.
• This puts wireless access points at special risk for theft and for compromise by malicious users.
• Network monitoring can be used to determine when an access point goes offline.
• Proper procedures will need to be followed to determine what happened to the equipment.
• Almost all wireless vendors publish the methods of resetting an access point using reset buttons or the console port, so anyone with physical access can return the AP to factory defaults (default SSID in guest mode, no encryption).
Basic WLAN security - Console
• Administrator accounts and privileges should be set up properly.
• The console port should be password protected. Choose a secure password.
Basic WLAN security - SSH
• Telnet is an insecure, unencrypted protocol.
• If at all possible, secure shell (SSH) should be used for all Command Line Interface (CLI) functions.
• Telnet and SSH should be password protected.
• For maximum security, disable Telnet and use only SSH.
• An SSH client is required on the management PC or workstation in order to connect to an AP running SSH.
• Several freeware programs are available such as PuTTY, Teraterm SSH, and SecureNetTerm.
Enabling protocol and MAC filters on APs
• Filtering can provide an additional layer of wireless security.
• Filters can be created to filter a protocol or IP port.
• Protocol filters prevent or allow the use of specific protocols through the access point.
• Individual protocol filters can be set up and enabled for one or more VLANs. MAC, Ethertype and IP filters can be used to filter wireless client devices, users on the wired LAN, or both.
• Keep in mind that a MAC filter is not an authentication mechanism: client MAC addresses are sent in the clear in every frame and can be copied by an attacker, so filters belong alongside encryption and authentication, not in place of them.
Securing clients and APs
• Encryption should always be used unless the WLAN is intended for guest access only!
• If the WLAN is intended for guest access only then it should be segmented from all production traffic (VLAN or DMZ/Internet access).
Open Authentication
[Figure: four Open Authentication pairings, each shown as Associated: No WEP key on both sides; No WEP key on one side and WEP = 1234 on the other; WEP = 4321 on one side and WEP = 1234 on the other; WEP = 1234 on both sides. Only the last pairing can exchange data, since the keys match.]
• See previous slides for examples.
Event Log
[Figure: AP event log screenshots (three slides).]
Disable unneeded services
• It is important to disable or secure all unneeded services.
• If Cisco discovery protocol (CDP), domain name service (DNS), network time protocol (NTP), hypertext transfer protocol (HTTP), TFTP, SNMP, or Telnet are not used in the network, they should be disabled.
Using VPNs
• IP Security (IPSec) is a framework of open standards for ensuring secure private communication over IP networks.
• IPSec Virtual Private Networks (VPNs) use the services defined within IPSec to ensure confidentiality, integrity, and authenticity of data communications across networks such as the Internet.
• IPSec also has a practical application to secure WLANs.
• It does this by overlaying IPSec on top of 802.11 wireless traffic.
• When deploying IPSec in a WLAN environment, an IPSec client is placed on every PC connected to the wireless network.
• The user is required to establish an IPSec tunnel and to route any traffic to the wired network through it.
VLANs
[Figure: VLAN configuration screenshots (three slides).]
Spanning tree
• Spanning tree is only needed when using wireless bridges.
• It should remain disabled for access points and repeaters, unless special circumstances exist in the network.
• The spanning-tree algorithm is used to prevent bridging loops.
• The algorithm computes available network paths and closes redundant paths, so that there is only one path between any pair of LANs on the network.
• Improper spanning tree settings can disable needed connections.
• From a security perspective, an attacker may be able to disable ports in a poorly configured network.
• Please review and understand spanning tree information when making configuration decisions.
Matching Client to AP
[Figure: client and AP security settings side by side (six slides).]
• Cisco Compliant TKIP Features - Temporal Key Integrity Protocol (TKIP) is a suite of algorithms surrounding WEP, designed to achieve the best possible security on legacy hardware built to run WEP.
• TKIP adds four new enhancements to WEP:
1. A per-packet key mixing function, to defeat weak key attacks.
2. A new IV sequencing discipline to detect replay attacks.
3. A cryptographic message integrity check (MIC) to detect forgeries such as bit flipping and altering of packet source and destination.
4. An extension of IV space, to virtually eliminate the need for a rekey. WEP's IV is only 24 bits, so on a busy AP it repeats within hours and the same RC4 keystream is reused; TKIP's sequence counter is 48 bits.
Message integrity check
• Enable MIC - MIC prevents attacks on encrypted packets called bit-flip attacks.
• During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. WEP's own integrity check, the CRC-32 ICV, does not stop this, because CRC-32 is linear: whoever flips bits in the encrypted payload can compute the matching change to the encrypted ICV without knowing the key.
• The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet so that tampering is detected. The MIC is keyed, so an attacker cannot recompute it the way the ICV can be patched.
• WEP Encryption must be set to Mandatory for MIC to be enabled.
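The bit-flip attack and the MIC from the slide, as an added example (not the course's code): the stream cipher is modelled as XOR with a keystream the attacker never sees (RC4 behaves identically here), the ICV is WEP's real CRC-32, and a truncated HMAC-SHA256 stands in for TKIP's actual MIC (Michael), which the slides do not specify. The traffic and keys are constructed for the demonstration, and the names protect, unprotect and bit_flip are this example's own. bit_flip patches the encrypted ICV using nothing but the linearity of CRC-32, so the receiver's ICV check passes; only the keyed MIC rejects the altered frame.

```python
"""Added example: CRC-32 ICV bit-flipping versus a keyed MIC over a stream-ciphered frame."""
import hashlib
import hmac
import os
import struct
import zlib

MIC_LEN = 8  # TKIP's MIC is 8 bytes; truncated HMAC-SHA256 stands in for Michael here


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) <= len(b), "keystream too short for this frame"
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 over the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def mic(mic_key: bytes, payload: bytes) -> bytes:
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:MIC_LEN]


def protect(keystream: bytes, payload: bytes, mic_key: bytes = None) -> bytes:
    """Sender: payload [+ keyed MIC], then the CRC-32 ICV, all XORed with the keystream."""
    body = payload + (mic(mic_key, payload) if mic_key else b"")
    return xor(body + crc_icv(body), keystream)


def unprotect(keystream: bytes, frame: bytes, mic_key: bytes = None):
    """Receiver: ('OK', payload), ('ICV_FAIL', None) or ('MIC_FAIL', None)."""
    plaintext = xor(frame, keystream)
    body, tag = plaintext[:-4], plaintext[-4:]
    if crc_icv(body) != tag:
        return "ICV_FAIL", None
    if not mic_key:
        return "OK", body
    payload, got = body[:-MIC_LEN], body[-MIC_LEN:]
    if not hmac.compare_digest(mic(mic_key, payload), got):
        return "MIC_FAIL", None
    return "OK", payload


def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Attacker: flip the ciphertext bits selected by `delta` and patch the encrypted ICV.
    CRC-32 is affine over GF(2), so crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros); the patch
    crc(D) ^ crc(zeros) is XORed into the encrypted ICV. No key or keystream is needed."""
    body_len = len(frame) - 4
    delta = delta.ljust(body_len, b"\x00")
    patch = (zlib.crc32(delta) ^ zlib.crc32(bytes(body_len))) & 0xFFFFFFFF
    return xor(frame, delta + struct.pack("<I", patch))


def demo(keystream: bytes = None, mic_key: bytes = None):
    """Constructed traffic: the attacker guesses the plaintext layout and turns 'drop' into 'pass'."""
    keystream = keystream or os.urandom(64)
    original = b"to=10.0.0.5 action=drop"
    wanted = b"to=10.0.0.5 action=pass"
    delta = xor(original, wanted)  # same length, so the XOR is exact
    frame = protect(keystream, original, mic_key)
    return unprotect(keystream, bit_flip(frame, delta), mic_key)


if __name__ == "__main__":
    print("WEP, CRC-32 ICV only:", demo())
    print("with keyed MIC:      ", demo(mic_key=b"constructed-mic-key"))
```

With only the ICV the receiver returns ('OK', b'to=10.0.0.5 action=pass'), accepting the forged frame; with the MIC enabled the same flip yields ('MIC_FAIL', None). The ICV still passes in the second case, which is the point of the slide: CRC-32 detects noise, not an adversary.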
• Enable Per Packet Keying - EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast keys.
• With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select in the Broadcast Key Change Frequency field.
• Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices.
[Figure: AP with WEP set to Optional and a host not using WEP. The host is Associated. It would not be associated if WEP were Mandatory.]
[Figures: screenshots only (five slides).]
• To configure the access point for WPA, follow these steps.
1. Set up the Encryption Manager
– Enable Cipher for TKIP.
– Clear the value in Key 1.
– Set Encryption Key 2 as the Transmit Key.
– Click the Apply-Radio# button.
2. Set up the SSID Manager
• Select the desired SSID from the Current SSID List.
• Choose an appropriate authentication method, based on the type of client cards used. If EAP worked prior to the addition of WPA, no change should be required.
• Enable key management. First choose Mandatory from the pull-down box, then check the box to choose WPA.
• Click Apply-Radio#.
Verify
• This section provides information you can use to confirm your configuration works properly.
• Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
• show dot11 association <MAC> - This command displays information about a specifically identified associated client. Verify that the client negotiates Key Management as WPA and Encryption as TKIP.
• The Association Table entry for a given client should also indicate Key Management as WPA and Encryption as TKIP. From the Association Table, click a given MAC address for a client to see the details of the association for that client.