802.1X in SURFnet


Security for Wireless LANs
27 August 2003
TOC
• Background
• Threats
• Requirements
• Solutions for today
• Solutions for tomorrow
• Conclusion
Background
(Diagram: the SURFnet backbone connects Institution A and Institution B, each with its own WLAN, to international connectivity; users also reach the backbone through access providers offering WLAN, GPRS, POTS and ADSL.)
Threats
• MAC-address and SSID discovery
– TCPdump
– Ethereal
• WEP cracking
– Kismet
– Airsnort
• Man-in-the-middle attacks
Example: Kismet+Airsnort
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Requirements
• Identify users uniquely at the edge of the network
– No session hijacking
• Allow for guest usage
• Scalable
– Local user administration and authN!
– Using existing RADIUS infrastructure
• Easy to install and use
• Open
– Support for all common OSes
– Vendor independent
• Secure
• After proper AuthN, open connectivity
Solutions for today
• Open access
• MAC-address
• WEP
European NRENs:
• Web-gateway
• PPPoE
• VPN-gateway
• 802.1X
Open network
• Open ethernet connectivity, IP-address via DHCP
• No client software (DHCP ubiquitous)
• No access control
• Network is open (sniffing easy, every client and server on LAN is available)
Open network + MAC authentication
• Same as open, but MAC-address is verified
• No client software
• Administrative burden of MAC address tables
• MAC addresses easily spoofable
• Guest usage hard (impossible)
WEP
• Layer 2 encryption between Client and Access Point
• Client must know (static) WEP-key
• Administrative burden of WEP-key change
• Some WEP-keys are easy to crack (some less easy)
• Not secure
Open network + web gateway
• Open (limited) network, gateway between (W)LAN and the rest of the network intercepts all traffic (session intercept)
• Can use a RADIUS backend
• Guest use easy
• Browser necessary
• Hard to make secure
Example: FUNET
(Diagram: a WWW-browser on the Public Access Network talks to the Public Access Controller, which consults the AAA Server before granting access to the Internet; the exchange is numbered in steps 1 to 5.)
Open network + VPN Gateway
• Open (limited) network, client must authenticate on a VPN-concentrator to get to the rest of the network
• Client software needed
• Proprietary (unless IPsec or PPPoE)
• Hard to scale
• VPN-concentrators are expensive
• Guest use hard (sometimes VPN on VPN)
• All traffic encrypted
Example: SWITCH and Uni Bremen
IEEE 802.1X
• True port based access solution (Layer 2) between client and AP/switch
• Several available authentication-mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP)
• Standardised
• Also encrypts all data, using dynamic keys
• RADIUS back end:
– Scalable
– Re-use existing trust relationships
• Easy integration with dynamic VLAN assignment
• Client software necessary (OS built-in or third-party)
• Both for wireless AND wired
How does 802.1X work (in combination with 802.1Q)?
(Diagram: the Supplicant of an Institution A user, <user>@institution_a.nl, speaks EAPOL to the Authenticator (AP or switch); the Authenticator carries EAP over RADIUS to the RADIUS server, which checks the User DB (f.i. LDAP). The signalling path ends at the RADIUS server; the data path goes to the Internet through the Employee, Guest or Student VLAN that the authenticator assigns to the port.)
Through the protocol stack
(Diagram: Supplicant (laptop, desktop), Authenticator (AccessPoint, Switch) and Auth. Server (RADIUS server). The supplicant and authenticator exchange 802.1X/EAPOL over Ethernet; the authenticator relays the same EAP conversation to the authentication server inside RADIUS (TCP/IP).)
EAP-types (columns: EAP MD5 | LEAP | EAP TLS | PEAP | EAP TTLS)
• Security Solution: Standards-based | Proprietary | Standards-based | Standards-based | Standards-based
• Certificates – Client: No | n/a | Yes | No | No
• Certificates – Server: No | n/a | Yes | Yes | Yes
• Credential Security: None | Weak | Strong | Strong | Strong
• Supported Authentication Databases: Requires clear-text database | Active Directory, NT Domains | Active Directory, LDAP etc. | Active Directory, NT Domain, Token Systems, SQL, LDAP etc. | Active Directory, LDAP, SQL, plain password files, Token Systems etc.
• Dynamic Key Exchange: No | Yes | Yes | Yes | Yes
• Mutual Authentication: No | Yes | Yes | Yes | Yes
Example: SURFnet
(Diagram: a guest, piet@institution_b.nl, connects at Institution A. The Supplicant speaks to the Authenticator (AP or switch), which asks Institution A's RADIUS server; because the realm is not local, the request is forwarded to the Central RADIUS Proxy server and on to Institution B's RADIUS server, which checks its own User DB. Signalling follows that path; data goes to the Internet through the Employee, Guest or Student VLAN, the guest being placed in the Guest VLAN.)
Example: Client configuration 1-2
(Screenshot: the Authentication tab of the client's network settings.)
Example: Client configuration 2-2
(Screenshots: the TLS and TTLS settings.)
Available supplicants
• Win98, ME: FUNK, Meetinghouse
• Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2)
• MacOS: Meetinghouse
• Linux: Meetinghouse, Open1X
• BSD: under development
• PocketPC: Meetinghouse, MS (+SecureW2)
• Palm: Meetinghouse
Current status
• Web-based gateway
– FUNET (most Uni’s)
• VPN-based
– Uni Bremen
– SWITCH (all Uni’s)
– Uni Lisbon (Ipsec)
– Uni Bristol (PPPoE)
• 802.1X
– SURFnet (most Uni’s)
– DFN (office, Fraunhofer)
– CARnet (office)
– FCCN (6 Uni’s)
– Uni Southampton
The road ahead
• European toplevel RADIUS server
• Currently
– NL
– UK
– FI
– DE
– PT
– HR
• When IS, NO, DK, SE?????
Example: RADIUS configuration for local users
# TTLS, Lookup local users in file
<Realm institution_a.nl>
    <AuthBy FILE>
        Filename /var/Radiator3/users
        EAPType PEAP, TTLS, TLS
        EAPTLS_CAFile /var/Radiator3/cert/ca/cafile.p7b
        EAPTLS_CertificateFile /var/Radiator3/cert/certificate.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /var/Radiator3/cert/certificate.key
        EAPTLS_PrivateKeyPassword pppp
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
    </AuthBy>
</Realm>
Example: RADIUS configuration for guest users
# TTLS, Proxy other request to proxy
<Realm DEFAULT>
    <AuthBy RADIUS>
        Host radius.surfnet.nl
        Secret zzzz
        AuthPort 1812
        Retries 3
    </AuthBy>
</Realm>
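The realm routing behind the two RADIUS configurations above and the SURFnet diagram (the local realm answered from the institution's own users file, every other realm forwarded to the central SURFnet proxy) together with the VLAN assignment that follows an Access-Accept, as an added Python example that is not part of the original slides nor SURFnet's or Radiator's code. The user names, passwords, VLAN numbers and the simulated home servers are constructed; the Tunnel-* attribute values are the ones RFC 3580 defines for VLAN assignment.

```python
import hmac

# RFC 3580 values carried in an Access-Accept for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type: VLAN
TUNNEL_MEDIUM_IEEE802 = 6  # Tunnel-Medium-Type: IEEE-802
LOCAL_REALM = "institution_a.nl"
NATIONAL_PROXY = "radius.surfnet.nl"  # DEFAULT realm target from the slide
VLAN_BY_ROLE = {"employee": 10, "student": 20, "guest": 30}  # constructed IDs

# Constructed sample data: the local users file and a stand-in for the home
# RADIUS servers that the central proxy would forward guest requests to.
LOCAL_USERS = {"anna": ("employee", "s3cret"), "bob": ("student", "hunter2")}
REMOTE_HOME_SERVERS = {"institution_b.nl": {"piet": "geheim"}}

def split_identity(identity):
    """'user@realm' -> (user, realm); an identity without '@' is local."""
    user, sep, realm = identity.partition("@")
    return user, (realm.lower() if sep else LOCAL_REALM)

def route(identity):
    """Realm routing: the local realm is answered here, all others proxied."""
    _, realm = split_identity(identity)
    return ("local", None) if realm == LOCAL_REALM else ("proxy", NATIONAL_PROXY)

def vlan_attributes(vlan_id):
    """Attributes that tell the AP/switch (802.1Q) which VLAN the port gets."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan_id)}

def home_server_decision(realm, user, password):
    """Simulated accept/reject from the user's home institution via the proxy."""
    expected = REMOTE_HOME_SERVERS.get(realm, {}).get(user)
    return expected is not None and hmac.compare_digest(expected, password)

def authenticate(identity, password):
    """Return (RADIUS code, attributes) as the visited institution's server would."""
    user, realm = split_identity(identity)
    if route(identity)[0] == "local":
        entry = LOCAL_USERS.get(user)
        if entry is None or not hmac.compare_digest(entry[1], password):
            return ("Access-Reject", {})
        return ("Access-Accept", vlan_attributes(VLAN_BY_ROLE[entry[0]]))
    # Guest: the home institution decides accept/reject, but the visited
    # network assigns its own guest VLAN and ignores any VLAN the proxy returns.
    if not home_server_decision(realm, user, password):
        return ("Access-Reject", {})
    return ("Access-Accept", vlan_attributes(VLAN_BY_ROLE["guest"]))
```

The visited institution deliberately discards VLAN attributes returned through the proxy and places every proxied user in its own guest VLAN; honouring them would let a foreign RADIUS server pick a VLAN on the local network.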
Solutions for tomorrow
• 802.11a|b|g
• 802.16 (WiMax), 802.20
• IPv6
• WPA (pre-standard 802.11i, TKIP)
• 802.11i: 802.1X + TKIP + AES
Conclusion
• You can make it safe
• One size doesn’t fit all (yet?)
• There is (some) convergence in Europe
• 802.1X is seen as the future-proof solution
• It’s all about scalability
More information
• SURFnet and 802.1X
– http://www.surfnet.nl/innovatie/wlan
• TERENA TF-Mobility
– http://www.terena.nl/mobility
• The unofficial IEEE802.11 security page
– http://www.drizzle.com/~aboba/IEEE/