SJSU

Download Report

Transcript SJSU 

Applying Security Principles to
Networking Applications
Mark Enright
[email protected]
Dec 08, 2005
Copyright © 2005, Cisco Systems, Inc. All rights reserved.
1
What is Security in Computer Development
Projects
• What are you protecting
• Why are you protecting it
• From whom are you protecting it
• How are you going to protect it
• What is the cost of protecting it
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
2
Wired Access Topology
Internet
V
Access Device
Local Area Network
(LAN)
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
Wide Area Network
(WAN)
3
Wireless Access Topology
Internet
Access Device
Local Area Network
(LAN)
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
Wide Area Network
(WAN)
4
Wireless Access Topology
Internet
Access Device
Local Area Network
(LAN)
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
Wide Area Network
(WAN)
5
Wireless Access Security Complication
• Physical Access to Local Area Network no
longer exists
– Anyone can intercept your conversations
– Anyone can utilize your network resources
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
6
Security Solution For Wireless Access
EDCS-301795
•
Authentication
•
Encryption
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
7
Typical Solution for Wireless Access
Internet
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
8
Typical Solution for Wireless Access
Internet
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
9
So Whats The Problem?
• Wireless Access is a huge Consumer
Market
• People are beoming concerned with
Wireless Security
• My GrandMother cant use it
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
10
What Can We Do To Help
• Make it easy for Grandma to set up
Wireless Security
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
11
Step 1. Configure Security Parameters
Automatically
Internet
SSID: r@ndOm 55ID
WPA-PSK: R@NDOM_P@SsW0Rd
When Access Point is booted 1st time:
Configures Random Secure SSID
Configures Random WPA Shared Secret
Waits for Wireless Association on Secure SSID
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
12
Step 2.
• How Can We Transfer Security Parameters
Securely?
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
13
Step 2. Trial One
SSID: Well Known SSID
Open Authentication
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
14
Step 2. Trial One
SSID: Well Known SSID
Open Authentication
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
15
Step 2. Trial One
SSID: r@ndOm 55ID
WPA-PSK: R@NDOM_P@SsW0Rd
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
16
Step 2. Trial One
SSID: r@ndOm 55ID
WPA-PSK: R@NDOM_P@SsW0Rd
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
17
Step 2. Trial One Attack
SSID: Well Known SSID
Open Authentication
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
18
Step 2. Trial One Attack
SSID: Well Known SSID
Open Authentication
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
19
Step 2. Trial Two
• What Authentication is possible given
constraints
– something we know
– something we have
– something we are
– something we do
• If we can’t be sure, at least be safe
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
20
Step 2. Trial Two
SSID: Well Known SSID
Open Authentication
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
21
Step 2. Trial Two
SSID: Well Known SSID
Open Authentication
Unable to guarantee unique access
Access to all denied
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
22
Step 2. Trial 2 Attack
• Attacker just Associates and Listens
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
23
Trial 3.
• Use Trial 2 Method for Authentication
• Use SSL for Encryption
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
24
So Whats The Problem with IPSec?
• Network Protection is a huge Consumer
Market
• People are beoming concerned with
Security and look to IPSec for help
• My GrandMother cant use it
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
25
Network Address Translation
192.168.1.100
192.168.1.101
172.204.19.32
Internet
192.168.1.100
192.168.1.101
62.2.12.17
Local Area Network
(LAN)
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
Wide Area Network
(WAN)
26
The RoadWarrior IPSec Problem
• With common implementations the IP
Address need to be known a priori or else
a global shared secret is used for
Authentication
• Mobility and NAT make it hard to predict
the IP Address
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
27
RoadWarrior Solution
IPSec VPN Tunnel
Internet
Road Warrior
Client
2. Client configured
Web Install client software
Configure address of Home Gateway
3. Client software connects
Logs on to HTTPS
Initiates the IPSec VPN
Home
Gateway
Protected Network
HTTPS
1. Gateway configured
SSL Username, password
4. Gateway accepts
Authenticates Client by password
Figures out current Client IP Address
Provisions IPSec for Client IP Address
Joins Client to Protected Network using
IPSec VPN
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
28
EDCS-301795
Copyright © 2003, Cisco Systems, Inc. All rights reserved.
29