802.1X in SURFnet


Identity-based Networking
[email protected]
ESA workshop
17 December 2004
Utrecht
Program Workshop
• Identity-based Networking – Klaas Wierenga
• Extensible Authentication Protocol – Paul Dekkers
• Lunch
• EduRoam – Klaas Wierenga
• ESA implementation – Paul Dekkers
• Any other business / Discussion
2
Contents
• Threats
• Requirements for secure networking (with
focus on wireless)
• Possible solutions
• 802.1X
• WPA
• 802.11i/WPA2
• Conclusions
3
Threats
• MAC-address and SSID discovery (802.11 management frames and addresses are sent in the clear, even when WEP is on)
– TCPdump
– Ethereal (now Wireshark)
• WEP cracking
– Kismet
– Airsnort
• Man-in-the-middle attacks (e.g. a rogue access point announcing the same SSID)
4
Example: Kismet+Airsnort
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
5
Requirements
• Identify users uniquely at the edge of the network
– No session hijacking
• Allow for guest usage
• Scalable
– Local user administration and authN
– Using existing RADIUS infrastructure
• Easy to install and use
• Open
– Support for all common OSes
– Vendor independent
• Secure
6
Possible solutions
• Open access
• MAC-address
• WEP
• Web-gateway
• PPPoE
• VPN-gateway
• 802.1X
7
Open network
• Open ethernet connectivity, IP-address via
DHCP
• No client software (DHCP ubiquitous)
• No access control
• Network is open (sniffing easy, every client
and server on LAN is available)
8
Open network + MAC authentication
• Same as open, but the MAC address is verified
• No client software
• Administrative burden of MAC address tables
• MAC addresses are easily spoofed (an attacker only has to copy an address seen on the air)
• Guest usage hard (impossible)
9
WEP
• Layer 2 encryption between client and access point
• Client must know the (static) WEP key
• Administrative burden on WEP-key change (every client has to be reconfigured)
• Keys are recoverable from captured traffic: the 24-bit IV repeats, so RC4 keystreams are reused, and the FMS attack on RC4's weak IVs (the attack Airsnort implements) recovers the key itself; a 104-bit key only raises the amount of traffic needed
• Not secure
10
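Added example, not from the slides, to make the "not secure" verdict concrete. It implements the WEP frame body (IV, key-id, RC4 over payload plus CRC-32 ICV) and then shows the consequence of the 24-bit IV: once an attacker knows one plaintext sent under some IV (for example data it caused to be sent to the victim), it recovers that IV's keystream and decrypts every other frame that reuses the IV, without ever learning the key and regardless of key length. The birthday-bound helper shows how quickly an IV repeats. AirSnort's FMS weak-IV key recovery is a different attack and is not implemented here. The frames, key and IV are constructed.

```python
import math
import struct
import zlib

# Constructed frames. FRAME_A's plaintext is known to the attacker; FRAME_B is an
# unknown frame that happens to be sent under the same IV.
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")          # LLC/SNAP header on every IPv4 frame
FRAME_A = SNAP_IPV4 + b"\x45\x00\x00\x54" + b"attacker-known payload" + bytes(20)
FRAME_B = SNAP_IPV4 + b"\x45\x00\x00\x3c" + b"secret: session cookie"
IV_SPACE = 1 << 24                                      # the WEP IV is only 24 bits wide


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). WEP's per-packet key is IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload):
    """WEP integrity check value: CRC-32 of the payload (linear, so anyone can compute it)."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key, iv, payload):
    """WEP frame body: IV(3) | key-id(1) | RC4(IV || key, payload || ICV)."""
    return iv + b"\x00" + rc4(iv + shared_key, payload + icv(payload))


def wep_decrypt(shared_key, body):
    """Legitimate receiver: strip RC4 and check the ICV."""
    plain = rc4(body[:3] + shared_key, body[4:])
    if icv(plain[:-4]) != plain[-4:]:
        raise ValueError("ICV mismatch")
    return plain[:-4]


def recover_keystream(body, known_plaintext):
    """Keystream for this IV = ciphertext XOR known plaintext; the ICV is computable too."""
    return bytes(c ^ p for c, p in zip(body[4:], known_plaintext + icv(known_plaintext)))


def decrypt_with_keystream(body, keystream):
    """Decrypt any other frame sent under the same IV, as far as the keystream reaches."""
    return bytes(c ^ k for c, k in zip(body[4:], keystream))


def iv_collision_probability(n_frames):
    """Birthday bound: probability that n frames with random IVs contain a repeated IV."""
    return -math.expm1(sum(math.log1p(-i / IV_SPACE) for i in range(n_frames)))


def demo(shared_key=bytes.fromhex("0102030405"), iv=b"\x00\x00\x2a"):
    """Attacker's view: two captured bodies under one IV and FRAME_A's plaintext."""
    a = wep_encrypt(shared_key, iv, FRAME_A)
    b = wep_encrypt(shared_key, iv, FRAME_B)
    keystream = recover_keystream(a, FRAME_A)      # no key involved
    return decrypt_with_keystream(b, keystream)[:len(FRAME_B)]


if __name__ == "__main__":
    print(demo())                                   # FRAME_B in clear
    print(round(iv_collision_probability(5000), 3))  # about 0.52 after 5000 frames
```

An access point at 11 Mbit/s sends that many frames in seconds, so IV reuse is routine rather than rare; this is independent of the FMS weak-IV attack and of the key length.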
Open network + web gateway
• Open (limited) network; the gateway between the (W)LAN and the rest of the network intercepts all traffic (session intercept) until the user has logged in
• Can use a RADIUS backend
• Guest use easy
• Browser necessary
• Hard to make secure: the LAN itself stays open and unencrypted, and an authenticated session can be hijacked by spoofing that client's MAC and IP address
11
Open network + VPN gateway
• Open (limited) network; the client must authenticate to a VPN concentrator to reach the rest of the network
• Client software needed
• Proprietary (unless IPsec or PPPoE)
• Hard to scale
• VPN concentrators are expensive
• Guest use hard (sometimes VPN in VPN)
• All traffic encrypted (between client and concentrator; the local LAN itself stays open)
12
IEEE 802.1X
• True port-based access control (Layer 2) between client and AP/switch
• Several available authentication mechanisms, carried as EAP methods (EAP-MD5, EAP-MSCHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP)
• Standardised (IEEE 802.1X-2001)
• Enables encryption of all data with dynamic, per-session keys (802.1X itself only authenticates and distributes keys; WEP, TKIP or CCMP does the encryption, and a method without key derivation such as EAP-MD5 yields no keys at all)
• RADIUS back end:
– Scalable
– Re-use existing trust relationships
• Easy integration with dynamic VLAN assignment (802.1Q)
• Client software (supplicant) necessary (OS built-in or third-party)
• Both for wireless AND wired
13
How does 802.1X work (in combination with 802.1Q)?
[Diagram] Within Institution A the user ([email protected]_a.nl) runs a supplicant that talks EAPOL to the authenticator (AP or switch); the authenticator forwards EAP over RADIUS to the RADIUS server, which checks the user against the user DB (f.i. LDAP). After authentication the authenticator places the port in the Employee VLAN, Guest VLAN or Student VLAN, which lead on to the Internet. The diagram distinguishes signalling (EAPOL and RADIUS) from data traffic.
14
Through the protocol stack
• Supplicant (laptop, desktop) | Authenticator (AccessPoint, Switch) | Auth. Server (RADIUS server)
• 802.1X: EAP runs end-to-end between supplicant and authentication server; the authenticator only relays it
• Supplicant to authenticator: EAP inside EAPOL, over Ethernet (802.3 or 802.11)
• Authenticator to authentication server: EAP inside RADIUS, over UDP/IP (RADIUS, RFC 2865, uses UDP)
15
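The exchange in the two diagrams above, as an added Python example (not code from the slides or from SURFnet): the supplicant's EAPOL frames, the EAP-Response/Identity the authenticator relays inside a RADIUS Access-Request, and the Access-Accept that carries EAP-Success together with the Tunnel-* attributes used for dynamic VLAN assignment. Byte layouts follow IEEE 802.1X-2001 (EAPOL), RFC 3748 (EAP), RFC 2865/3579 (RADIUS, EAP-Message, Message-Authenticator) and RFC 2868/3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID); the MAC address, the identity user@example.org and the shared secret are constructed. The checks worth noticing are the two authenticators: without the Message-Authenticator the RADIUS server would accept EAP payloads from anyone who can reach it, and without the Response Authenticator check the authenticator would act on a spoofed Access-Accept with an attacker-chosen VLAN.

```python
import hashlib
import hmac
import os
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination address
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 1, 2, 3, 1
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
A_USER_NAME, A_NAS_PORT_TYPE, A_EAP_MESSAGE, A_MSG_AUTH = 1, 61, 79, 80
A_TUNNEL_TYPE, A_TUNNEL_MEDIUM, A_TUNNEL_GROUP = 64, 65, 81

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol_frame(src_mac, pkt_type, body=b""):
    """Ethernet frame to the PAE group address carrying an EAPOL version 1 PDU."""
    return (PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, pkt_type, len(body)) + body)

def parse_eapol(frame):
    """Return (src_mac, eapol_type, eap) with eap the raw EAP packet or None."""
    _ver, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if pkt_type != EAPOL_EAP_PACKET:           # EAPOL-Start / EAPOL-Logoff carry no EAP
        return frame[6:12], pkt_type, None
    eap_len = struct.unpack("!H", body[2:4])[0]
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    return frame[6:12], pkt_type, body[:eap_len]

def attr(t, value):
    return struct.pack("!BB", t, 2 + len(value)) + value

def attrs_of(pkt):
    """Yield (offset, type, value) for each RADIUS attribute."""
    off = 20
    while off < len(pkt):
        yield off, pkt[off], pkt[off + 2:off + pkt[off + 1]]
        off += pkt[off + 1]

def sign(pkt, secret, request_auth):
    """Fill Message-Authenticator: HMAC-MD5(secret) over the packet with that attribute
    zeroed and the Request Authenticator in the authenticator field (RFC 3579 3.2)."""
    off = next(o for o, t, _ in attrs_of(pkt) if t == A_MSG_AUTH)
    zeroed = pkt[:4] + request_auth + pkt[20:off + 2] + bytes(16) + pkt[off + 18:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return pkt[:off + 2] + mac + pkt[off + 18:]

def verify_message_authenticator(pkt, secret, request_auth):
    return hmac.compare_digest(sign(pkt, secret, request_auth), pkt)

def access_request(ident, secret, username, eap_response, request_auth):
    """Authenticator -> RADIUS server; RFC 3579 requires Message-Authenticator with EAP-Message."""
    body = (attr(A_USER_NAME, username) + attr(A_NAS_PORT_TYPE, struct.pack("!I", 19))  # Wireless-802.11
            + attr(A_EAP_MESSAGE, eap_response) + attr(A_MSG_AUTH, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return sign(pkt, secret, request_auth)

def access_accept_vlan(request, secret, vlan_id):
    """RADIUS server -> authenticator: EAP-Success plus Tunnel-Type=VLAN(13),
    Tunnel-Medium-Type=IEEE-802(6) and Tunnel-Private-Group-ID=<vlan>, all with tag 1."""
    ident, request_auth, tag = request[1], request[4:20], b"\x01"
    body = (attr(A_EAP_MESSAGE, eap_packet(EAP_SUCCESS, ident))
            + attr(A_TUNNEL_TYPE, tag + b"\x00\x00\x0d") + attr(A_TUNNEL_MEDIUM, tag + b"\x00\x00\x06")
            + attr(A_TUNNEL_GROUP, tag + str(vlan_id).encode()) + attr(A_MSG_AUTH, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + request_auth + body
    pkt = sign(pkt, secret, request_auth)
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 s.3
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() + pkt[20:]

def verify_accept(response, secret, request_auth):
    """Authenticator side: check both authenticators before acting on the VLAN attributes."""
    resp_auth = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return (hmac.compare_digest(resp_auth, response[4:20])
            and verify_message_authenticator(response, secret, request_auth))

def vlan_from_accept(pkt):
    """Tunnel-Private-Group-ID; a leading byte <= 0x1F is the tag, not part of the string."""
    for _, t, v in attrs_of(pkt):
        if t == A_TUNNEL_GROUP:
            return int(v[1:] if v[0] <= 0x1F else v)

def run_exchange(secret=b"constructed-secret", vlan_id=20):
    """Supplicant -EAPOL-> authenticator -RADIUS-> server and back; returns the VLAN id."""
    client = bytes.fromhex("001122334455")  # constructed supplicant MAC
    req = eapol_frame(client, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 7, EAP_TYPE_IDENTITY))
    req_id = parse_eapol(req)[2][1]  # the response must echo the request identifier
    identity = b"user@example.org"  # constructed; the realm selects the home RADIUS server
    resp = eapol_frame(client, EAPOL_EAP_PACKET,
                       eap_packet(EAP_RESPONSE, req_id, EAP_TYPE_IDENTITY, identity))
    request_auth = os.urandom(16)
    request = access_request(42, secret, identity, parse_eapol(resp)[2], request_auth)
    assert verify_message_authenticator(request, secret, request_auth)  # server checks the NAS
    accept = access_accept_vlan(request, secret, vlan_id)
    assert verify_accept(accept, secret, request_auth)                   # NAS checks the server
    return vlan_from_accept(accept)
```

Real deployments add an EAP method conversation (TLS, TTLS, PEAP) between the identity response and the EAP-Success, and the keying material from that method is what the authenticator uses for the dynamic WEP/TKIP keys; the framing shown here stays the same.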
Available supplicants
• Win98, ME: FUNK, Meetinghouse
• Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2)
• MacOS: Meetinghouse
• Linux: Meetinghouse, Open1X
• BSD: under development
• PocketPC: Meetinghouse, MS (+SecureW2)
• Palm: Meetinghouse
16
WPA
• WPA-Personal
– Using Pre-Shared Keys
– Huge improvement over static WEP: TKIP with per-session keys derived from the PSK (a weak passphrase can still be brute-forced offline from a captured handshake)
– Not scalable
• WPA-Enterprise
– Using 802.1X+EAP backend
– Huge improvement over static WEP by using TKIP
– Scalable
17
WPA Enterprise
• Solves the weaknesses of WEP:
– Encryption with TKIP
• Provides user authentication
– 802.1X+EAP
• TKIP
– Temporal Key Integrity Protocol
– Per-packet keying
– Message Integrity Check (MIC)
– Extended Initialization Vector
• Upward compatible with 802.11i
• WPA = 802.1X+EAP+TKIP
18
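Added example, not part of the slides: a Python implementation of Michael, the Message Integrity Check that TKIP uses in place of WEP's CRC, the TKIP MIC input (destination and source address, priority, MSDU) and a simplified model of the MIC-failure countermeasures 802.11i specifies. The first two assertions in the test are the vectors published with the standard (an all-zero key over the empty message gives 82925c1ca1d130b8). Michael was designed for the CPU budget of existing hardware and offers only about 20 bits of forgery resistance, which is why the countermeasures exist. The key, addresses and timestamps are constructed.

```python
import hmac
import struct

M32 = 0xFFFFFFFF


def _rol(v, n):
    return ((v << n) & M32) | (v >> (32 - n))


def _ror(v, n):
    return (v >> n) | ((v << (32 - n)) & M32)


def _xswap(v):
    """Swap the two bytes inside each 16-bit half of v."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def _block(l, r):
    """Michael block function b(L, R): only additions, XORs and rotations, no S-boxes."""
    r ^= _rol(l, 17)
    l = (l + r) & M32
    r ^= _xswap(l)
    l = (l + r) & M32
    r ^= _rol(l, 3)
    l = (l + r) & M32
    r ^= _ror(l, 2)
    l = (l + r) & M32
    return l, r


def michael(key, msg):
    """Michael MIC (IEEE 802.11i): 64-bit key, 64-bit tag, little-endian words."""
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + bytes(4 + (3 - len(msg)) % 4)   # 0x5a, then 4..7 zero bytes
    for (word,) in struct.iter_unpack("<I", padded):
        l, r = _block(l ^ word, r)
    return struct.pack("<II", l, r)


def tkip_mic(mic_key, da, sa, priority, msdu):
    """TKIP runs Michael over DA | SA | priority | 3 zero bytes | MSDU, so the
    addresses are covered and a frame cannot be redirected (WEP's CRC allowed that)."""
    return michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + msdu)


class MicCountermeasures:
    """Simplified 802.11i countermeasures: a second MIC failure within 60 s disables
    TKIP for 60 s and forces a rekey, turning forgery attempts into a noisy DoS."""
    WINDOW = 60.0

    def __init__(self):
        self.last_failure = None
        self.disabled_until = 0.0

    def report_failure(self, now):
        """Record a MIC failure at time `now`; return True while countermeasures apply."""
        if now < self.disabled_until:
            return True
        if self.last_failure is not None and now - self.last_failure < self.WINDOW:
            self.disabled_until = now + self.WINDOW
            return True
        self.last_failure = now
        return False


def check_frame(mic_key, da, sa, priority, msdu, mic, monitor, now):
    """Receiver side: verify the MIC; on failure feed the countermeasure state."""
    if hmac.compare_digest(tkip_mic(mic_key, da, sa, priority, msdu), mic):
        return True
    monitor.report_failure(now)
    return False


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())   # 82925c1ca1d130b8
```

Per-packet keying and the extended IV are the other half of TKIP: the MIC key comes from the pairwise key, and the 48-bit TSC both replaces WEP's 24-bit IV and rejects replayed frames.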
Disadvantages of WPA
• Mixed-mode (WEP and WPA clients on one SSID) usually not available (but in >
IOS Release 12.2(15)JA)
• All APs and clients need to be upgraded
(software)
• WPA support for older products is not
guaranteed
• Support in 802.11g products usually ok
19
802.11i/WPA2
• 802.11i = 802.1X + TKIP + AES-CCMP (CCMP is the mandatory cipher; TKIP is kept for legacy hardware)
– Plus fast handoff, secure disassociation etc.
• APs and clients need to be upgraded
(software and, for AES-CCMP, usually hardware!)
• Ratified June 25, 2004!
20
Conclusion/Discussion
• 802.1X+EAP+RADIUS is the way to go
• WPA is too early (unless mixed-mode)
• 802.11i is too new
21
More information
• http://www.surfnet.nl/innovatie/wlan
• http://www.wi-fi.org/OpenSection/pdf/WiFi_Protected_Access_Overview.pdf
• http://www.tomsnetworking.com/Sectionsarticle50-page1.php
• http://www.openxtra.co.uk/articles/wpa-vs80211i.htm
• The unofficial IEEE802.11 security page
– http://www.drizzle.com/~aboba/IEEE/
22