Transcript Firewall has three goals

Local Wireless Network
- An wireless Access Point (AP) which is the bridge the ethernet network and
the wireless network
-The AP protect its wireless network from unauthorized users with different
security protocols.
- One of the most basic and first security protocols is the WEP Shared Key
Authentication
WEP shared key authentication
-
The WEP Shared Key Authentication protocoll process in 5 steps between the
client and the access point on the wireless network.
-The client sends and authentication request to the access point.
-The access point sends and nonce text to the client.
-The client uses its preconfigured 128-bit shared key to encrypt the nonce text
from the access point.
-The access point decrypts the encrypted nonce text by using its preconfigured
WEP key that corresponds with the shared key. The access point then compares
the decrypted text with the original nonce text being sent. If the two nonce
texts matches eachother they share the same WEP key and the access point
can authenticate the client
-The client can then connect to the network through the wireless access point
Configuring WEP keys
- Some manufacturers support only one 128-bit key, but usually
most access points can handle 4 different WEP keys.
- The 128-bit WEP Key is expressed as 13 sets of two
hexadecimal digits (0-9 and A-F). For example, "12 34 56 78 90
AB CD EF 12 34 56 78 90" is a 128-bit WEP key.
WEP weaknesses
- A high percentage of wireless networks have WEP disabled
because of the high administrative workload of maintaining a
shared WEP key
- WEP has the same problem as all systems based upon shared
keys: any secret held by more than one person soon becomes
public knowledge. When users leave the network the WEP key
needs to be changed, which can be a frequent problem in big
networks with many users comming and go.
- The WEP checksum is linear and predictable.
-
Firewall has three goals
- All traffic from outside to inside, and vice
versa, passes through the firewall
-
- Only authorized traffic, as defined by the
local security policy will be allowed to pass
- The firewall itself is immune to penetration
Three different categories
- Traditional Packet Filters
- Stateful Packet Filters
- Applications gateways
Packet Filters
Filtering decisions are typically based on:
- IP source or destination address
- Protocol type in IP datagram field: TCP, UDP, ICMP,
OSPF, and so on
- TCP or UDP source and destination port
- TCP flag bits: SYN, ACK and so on
- Different rules for the different router interfaces
- Different rules for datagram leaving and entering the
network
Access control list for a router
interface
Access control list for stateful filters
Application Gateway
- Finer-level security, firewall combine packet filtering
with application gateways.
- Applications gateway looks beyond the IP/TCP/UDP
header
-Internal network often have multiple applications
gateways, for example, gateways for Telnet, HTTP, FTP
and email.
Weaknesses in WEP security design
Sharing a key with all users.
Problem: Liable for security issues trough
transmission in unprotected channels and
malicious users.
Solution: Public-key protocol for authenticating
indivudal keys. Such as SSL (BankID, FTP-rings,
etc.)
Base stations are never authenticated
Problem: 1337-h4xx0rz who knows the shared key can
introduce a spoof an eavesdrop on the traffic.
Solution: Base stations should supply a certificate
Stream cipher repetition.
Problem: Patterns can be found since the same key is
always used.
Solution: Negotiate a new key before a pattern
reasonably could be found.
Even with higher encryption problems were found so a
range of decryption algroithms can be deployed.
Low level of encryption was used in the first
versions
Problem: With lower levels of encryption brute
force hacking is possible.
Solution: Change to 128-bit keys only
Users not deploying the full range of security
measures.
Problem: People simply didn’t adapt to the new
security specifications.
Solution: Better default settings and documentation