EE579S Computer Security
Download
Report
Transcript EE579S Computer Security
EE579T
Network Security
8: Wireless Security
Prof. Richard A. Stanley
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #1
Overview of Today’s Class
•
•
•
•
Administrivia
Review last week’s lesson
Security in the news
Wireless security
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #2
Reminders
• Wednesday, September 3: class at usual
time with project presentations
• Final for this course is take-home
– Final exam will be distributed on project day
– Exam is due 17 September
• We start the next class on Sept. 8th
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #3
SNMP Summary
• SNMP is widely-used for managing clients
distributed across a network
• SNMPv1 is simple, effective, and provides
the majority of SNMP service in the field
• SNMPv2 adds some functionality to v1
• SNMPv3 is a security overlay for either
version, not a standalone replacement
• SNMP security is a major issue!
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #4
IDS Summary
• IDS’s can be useful in monitoring networks
for intrusions and policy violations
• Up-to-date attack signatures and policy
implementations essential
• Many types of IDS available, at least one as
freeware
• Serious potential legal implications
• Automated responses to be avoided
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #5
News Items
• It has been a great fortnight for viruses
– Blaster (a.k.a. Lovsan) worm
• Exploits flaw in Windows NT, 2000 and XP; drops a
malicious program on your computer to force
frequent reboots
• Blamed for safety system failures in Ohio nuclear
power system, and for commuter rail outages in
Washington, DC area caused by failure of the CSX
railway signaling system
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #6
But Wait, There’s More!
• Nachi worm
– Spreads by exploiting a hole in Microsoft Windows.
Instructs remote target system to download and execute
the worm from the infected host. Once running, the
worm terminates and deletes the W32/Lovsan.worm.a
process and applies the Microsoft patch to prevent other
threats from infecting the system through the same
hole. When the system clock reaches Jan 1, 2004, the
worm will delete itself upon execution.
– Is this good or bad?
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #7
And Still More...
• SoBig worm
– arrives as an email attachment with a .pif or .scr
extension. When run, it infects the host computer, then
emails itself (using its own SMTP engine) to harvested
email addresses from the victim's machine.
– worm "spoofs" the "from: field", using one of the
harvested email addresses
– saps bandwidth and slows network performance.
– can also open up a user's computer port
– believed to have planted hostile code seeking further
instructions
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #8
Wireless Security:
What’s the Problem?
•
•
•
•
Rapid, extensive wireless deployment
Little to no installation RF engineering
Ineffective built-in security protocols
Lack of awareness of ways that wireless
access can compromise networks
– Inadvertently
– Maliciously
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #9
Standards
• This is new territory
• Until the late 1990’s, no overall standards
existed for WLANs
– Each manufacturer did their own thing
– Interoperability virtually nonexistent
• Cross-vendor operability still an issue in
some settings
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #10
WLANs Today Are Largely
Standardized
• Dominant -- but not only -- standard is IEEE 802.11x
– 802.11b: currently most popular, large $$
• 2.4 gHz ISM band, DSSS, 1-11 MBps
Incompatible
– 802.11a: about to take over?
• 5 gHz UNII band, OFDM, up to 54 MBps
– 802.11i: coming on fast, includes integrated, improved
security features
• Intended to be 802.11a compatible
• Single standard allows intruders to focus their efforts to
maximum effect
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #11
Most
Common
WLAN
Standards
Protocol
Author
Frequency
802.11
IEEE
900 MHz ISM
802.11a
IEEE
802.11b
IEEE
802.11e
Data Rate
Comments
FHSS
~ 300 Kbps
Original standard of the
series Obsolescent
5 GHz UNII
OFDM
Up to 54 Mbps
DSSS
FHSS legacy
1 to 11 Mbps
IEEE
2.4 GHz ISM,
900MHz
legacy
5 GHz UNII
Emerging Standard Not
backward compatible
with 802.11b
Most popular at this
writing. Often called
“Wi-Fi”
OFDM
Up to 54 Mbps
802.11g
IEEE
2.4 GHz ISM
DSSS
FHSS
Up to 54 Mbps
802.11h
IEEE
5 GHz UNII
OFDM
Up to 54 Mbps
802.11i
IEEE
5 GHz UNII
OFDM
54 Mbps or
beyond
802.11j
(5UP-2003)
IEEE, ETSI
5 GHz UNII
OFDM,
GMSK
54 Mbps or
beyond
HiperLAN
ETSI
5.15-5.30 GHz
or 17.1-17.3
GHz
OFDM,
GMSK
23.529 Mbps
HiperLAN/2
ETSI
5.15-5.30 GHz
or 17.1-17.3
GHz
OFDM,
GMSK
54 Mbps
HomeRFTM
Industry
group
Bluetooth
Consortium
2.4 GHz
FHSS
Up to 10 Mbps
2.4 GHz
FHSS
1 Mbps
TM
HomeRF
Bluetooth
Summer 2003
© 2000-2003, Richard A. Stanley
Modulation
Adds QoS capability to
802.11h
Not yet available
Intended to maintain
backward compatibility
with 802.11b.
Adds transmit power
control dynamic freq.
selection to 802.11a, to
counter EU area
interference issues
Intended to specifically
include security and
authentication.
Effort to converge
802.11 and HiperLAN
standards to permit
interoperation in the 5
1
GHz band . Committee
forming
European Community
backed standard,
expected to appear by
mid 2002
European Community
developed standard,
expected to appear in
2002
Integrated voice, data &
entertainment for home
networking
Cable replacement, not
comparable to 802.11 or
HiperLAN
EE579T/GD_6 #12
WLANs Don’t Usually Stand
Alone
• Wireless LANs are usually extensions to
wired LANs, using access points (AP)
– An AP functions as an IP bridge between the
wired and wireless media
• While all-wireless LANs are possible, they
are uncommon as intentional configurations
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #13
WLAN Operation
• Probes
– Signals from clients seeking to connect
– Elicit response from potential APs
– Connection established w/strongest signal
• Beacons
– Advertise presence and ID of AP
– Provide public notice of network presence
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #14
Typical WLAN Topology
AP
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #15
But What If The Topology
Actually Looks Like This?
Unauthorized
Client
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #16
Internal Security Vulnerabilities
• Rogue WLANs
– Created by unauthorized APs on network
– Modern computer configurations facilitate
• Accidental Associations
– WLAN client inadvertently associating with
another network within range
• Insecure Network Configurations
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #17
External Security Vulnerabilities
• Eavesdropping
– Common, easy to do
• Denial of service & interference
– Simply a jamming problem
• Masquerade
– Capture legitimate info, use to log on
• Man-in-the-middle attacks
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #18
RF Engineering Issues
• Most WLANs are installed without benefit
of detailed RF engineering
• Access points, although low power, still can
cover a large geographic area
• Addition of directional antennas to AP or
receiver can further extend range
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #19
RF Issues
• Mapping the coverage of your APs is
critical, but seldom done
• Widely available data on WLAN coverage
that can be used for “free” service
• It isn’t just your system. What about
overlapping coverage from your neighbors?
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #20
Measured Coverage of One
Access Point in Lawrence, KS
It was
intended to
cover only
the interior
of the
building in
red!
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #21
Northeast US Wi-Fi Coverage
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #22
Free Wi-Fi in NYC (one view)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #23
Rogue WLANs
• “Standard” computer configuration today
includes WLAN NIC, especially on laptops
(cf. Intel Centrino®)
• Result is same as when modems connecting
around the firewall were the primary
problem
• User may be totally unaware W/L device is
activated and in use
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #24
Inadvertent Association
• When the client can “see” multiple APs, it
may be difficult to force it to associate with
the correct one
• Result: network client connected to foreign
network, which can leak sensitive info and
anything else available over the network
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #25
Insecure Configurations
•
•
•
•
Default settings
SSID broadcast
Weak or no encryption
Weak authentication
• Beware the “helpful” employee or the
power-up reset menu!
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #26
Configuration Settings
• As with so many other network elements,
many default settings remain at their factory
setting in deployed nets
• SSIDs should always be changed from the
default, and rarely broadcast
– This makes it harder, but far from impossible,
for intruders to “find” the net
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #27
WEP: Too Literal An
Implementation
• WEP=Wired Equivalent Privacy
– That’s exactly what it provides, perhaps even
better than that
– Problem? That isn’t enough
• Wired signals are confined to cables (mostly)
• Wireless signals are available to all listeners
• Although flawed, WEP is better than
nothing, but most users turn it off
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #28
Origins of WEP
• Marketing and Political Issues:
– Developed as part of a wireless LAN research
project at Apple Computer, Inc.
– Eavesdropping was perceived as a barrier to
market acceptance
– Apple sells into a worldwide market so solution
had to be exportable
– When WEP developed, NSA allowed only 40bit encryption to be exported
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #29
Origins of WEP (cont.)
• Technical Issues:
– Eavesdropping on wireless link => privacy and
authentication problems
– Multiple network protocols (in 1993) =>
solution required at data link layer
– Data link layer is “best effort” => crypto-state
(other than shared key) must accompany each
frame
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #30
WEP Solution
• Apple had unlimited RC4 license from
RSA, Inc.
• Method and apparatus for variableoverhead cached encryption, US Patent
5,345,508 applied for 23 Aug 1993, granted
6 Sept 1994
• Licensed for export in mid-1994
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #31
WEP Encryption
IV
Initialization
Vector (IV)
Key Sequence
Seed
+
PRNG
RC4()
Cache
(MAX_MSG_SZ)
Secret Key
Ciphertext
+
Plaintext
The problems with this approach are obvious!
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #32
IEEE 802.11’s use of WEP
• WEP introduced in March 1994
• Strong pushback in standards committee
regarding cost and overhead of encryption
• Dilution of proposal; privacy in 802.11x
made optional
– By default, WEP is not activated in 802.11x
devices; requires positive user intervention
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #33
WEP Security Problems
• Papers submitted to 802.11 committee
highlight the problems with WEP; “Unsafe
at any Key Size” presented in October 2000
• 802.11 Task Group I formed to solve WEP
security problems
• Press gets wind of the issue
• Public domain attacks; “war driving”
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #34
WEP Security Problems (cont.)
• Passive attacks to decrypt traffic based on
statistical analysis
• Active ‘known plaintext’ attack to inject new
traffic from unauthorized mobile stations
• Active attacks to decrypt traffic, based on tricking
the access point
• Dictionary-building attack; real-time automated
decryption of all traffic after a day’s sampling
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #35
Wardriving Sample
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #36
The Threat: A Sampler of WLAN
Hacker Tools
Courtesy AirDefense
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #37
802.11 Task Group I
• Long term security architecture for 802.11
• Based on 802.1X authentication standard
and two new encryption protocols (TKIP
and CCMP)
– Labeled Robust Security Network (RSN)
• Uses Upper Layer Authentication (ULA)
protocols outside the scope of 802.11i (e.g.
EAP/TLS)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #38
RSN Data Privacy Protocols
• Temporal Key Integrity Protocol (TKIP)
– a cipher suite enhancing the WEP protocol on pre-RSN
hardware
• Counter Mode/CBC-MAC Protocol
– based on AES and Counter-Mode/CBC-MAC (CCM)
– Mandatory for RSN compliance
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #39
Robust Security Network
Includes:
• Better key derivation/distribution based on 802.1X
– For TKIP: per message 128 bit key derivation
• Improved encryption (TKIP, CCMP)
• Stronger keyed Message Integrity Checks
– Custom MIC for TKIP with 22 bit effective strength
– Strong AES-based MIC for CCMP
• IV sequencing to control message replay
– 44 bits to avoid re-keying (4 bits for QoS)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #40
802.1X
• Originally designed as port-based network
access control for PPP
• Provides support for a centralized
management model
• Primary encryption keys are unique to each
station and generated dynamically
• Provides support for strong upper layer
authentication (ULA)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #41
802.1X Architectural Framework
• Employs Extensible Authentication Protocol
(EAP)
– EAP built around challenge-response paradigm
– operates at network layer = flexibility
• Provides transport for ULA protocols
• Two sets of keys dynamically generated
– Session Keys, Group Keys
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #42
802.1X Overview
• Generic method for Port Based Network Access and
Authentication for IEEE 802 LAN’s
• Specifies protocol between devices (wireless clients)
desiring access to the bridged LAN and devices (Access
Points) providing access to the bridged LAN
• Specifies the protocol between the authentication server
(e.g. RADIUS) and the authenticator
• Specifies different levels of access control
• Specifies the behavior of the port providing access to
the LAN
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #43
802.1x Definitions
• Authenticator : System port that is responsible for granting
access to services that are accessible via the port (e.g. AP)
• Supplicant : The port requesting access to the service via
the authenticator (e.g. wireless client)
• Port Access Entity: The software that is associated with the
port. It supports the functionality of Authenticator,
Supplicant or both
• Authentication Server: An entity that provides the
authentication service to the authenticator. Usually an
external or remote server (e.g. RADIUS)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #44
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #45
Description cont.
IEEE 802.1X Terminology
Pieces of the system.
Supplicant
Authenticator
Authentication Server
Uncontrolled port
Controlled port
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #46
Normal Data Initially Blocked by
Access Point
802.1X traffic
Wireless laptop
Authentication traffic
Access Point
Authentication Server
Authentication traffic flows
Normal Data Blocked
• Wireless client associates with the AP
• Only Authentication Traffic is allowed to flow through Access Point
• The Access Point Blocks all Normal Data Traffic
• Access point correctly encapsulates the 802.1x traffic and Authentication Traffic
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #47
Mutual Authentication
802.1X traffic
Authentication traffic
Wireless laptop
(Supplicant)
Access Point
Authentication Server
(Authenticator)
• The Supplicant securely obtains the WEP key during Proper Authentication
• The RADIUS Server sends the WEP Key to the Access Point
• The WEP Key is then used by the Access Point to send the Broadcast WEP key
• Normal Data Traffic is still blocked
• Only Authentication Traffic is passed by the AP
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #48
Client Access Granted
802.1X traffic
Authentication traffic
Wireless laptop
(Supplicant)
Access Point
Authentication Server
(Authenticator)
• The client decrypts the broadcast key using the session WEP key
• The client sets the broadcast WEP key through the NIC interface
• Successful EAP Authentication
Authentication traffic flows
• Normal Data traffic is now enabled
Data traffic flows
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #49
New Authentication Types
802.1X traffic
Authentication traffic
Wireless laptop
(Supplicant)
Access Point
Authentication Server
(Authenticator)
• Only Authentication server is aware of the authentication type, e.g.
- Kerberos
- One Time Password
• Client and AP need not be modified to add new authentication
types
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #50
Key Distribution
• Dynamic Session Key
- Session key depends on EAP authentication type
- The client specific session key is sent to the AP from the RADIUS
• Broadcast Key
- The Dynamic session Key is used to encrypt the broadcast key sent
from the AP to the wireless client
- Authentication server timeouts can be configured to re-authenticate
the client (adds extra security)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #51
Client-AP Implementation
• Client (Supplicant)
- Prior to 802.1x authentication, the client-AP use an open
authentication model
- On authentication, dynamic WEP is used
- Both the client and AP must be able to support WEP and nonWEP traffic
• Access Point (Authenticator)
- Communicates with the client using 802.1x
- Communicates with the Authentication Server using RADIUS
- Encapsulates incoming EAPOL traffic into RADIUS traffic
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #52
Drawbacks
• EAPOL traffic for Shared-Media LANS
means that WLANs should be encrypted.
Encryption of EAPOL not mandatory in
802.1x
• Port Based Network access defined only for
“Infrastructure Mode” of WLANs. Peer-topeer (Ad Hoc) mode not dealt with.
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #53
EAP Summary
• EAP is an end-to-end security solution
– Mitigates the current WLAN security threats of stolen
hardware and rogue access points.
– User-specific session-based WEP keys used. Reduces
risk of static WEP keys lying around on clients and APs
– Replaces currently deployed Static WEP with a more
secure Dynamic WEP key distribution mechanism
– Centralized authentication and access model via the
RADIUS server
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #54
802.11i - Summary
• Draft provides a system to greatly enhance
security for users of Wi-Fi equipment
• Improved encryption and 802.1X standard
for authentication – address all the shortfalls
in the current standard
• Draft standard expected to be ratified in fall
of 2003
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #55
Issues
• 802.11i draft standard exists on paper, but
compliance cannot be claimed before
ratification
• Solution required now
• Current proprietary solutions do not
interoperate
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #56
Existing Solutions & Other Methods
• MAC address filtering
• Access Point Placement
• Proprietary Solutions
– Cisco’s LEAP
– NextComm’s Key Hopping
– 3Com’s Embedded firewall in wireless APs
• Virtual Private Networks (VPNs)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #57
Wi-Fi Protected Access - WPA
• WPA is a response by the industry to offer strong
and immediate security solution that would
replace WEP
• It is a subset of 802.11i draft standard and is going
to maintain forward compatibility
• Main idea - “Bring what is ready now to the
market”
• Increases the level of security for Wireless LAN
• It is a standards-based, interoperable security
specification
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #58
WPA
• Provides user authentication
– Central authentication server (like RADIUS)
– Via 802.1x and EAP
• Improves data encryption
– Temporal Key Integrity Protocol (TKIP)
• Eventually will support full 802.11i
compliance
• Some implementation issues remain
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #59
Best Practices For Now
• WEP is better than nothing; turn it on and
change keys often
• Engineer placement of access points
• Upgrade firmware and drivers on APs and
wireless cards as they are released
• VPN (treat wireless users as you would
dial-in users)
– No panacea, but much better than nothing
• Check for 802.1x support before buying
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #60
The Future
• Improved encryption and authentication
– Part of 802.11i standard
– Likely to be deployed soon (2004?)
– Major problems with installed base
• Increased user sensitivity to security issues
driving demand for solutions
• Products entering the marketplace to
automatically identify vulnerabilities
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/GD_6 #61