TC-20020905-022_WLAN Security


WLAN Security, an Oxymoron?
Telecommunications Industry Association
VAR Working Group
2PM EDT, May 9th – 2002
Ron Williams
Senior Enterprise Architect – Security
IBM Corporation
IBM Software Group
Is WLAN Security an Oxymoron?
• Technical Answer: Yes
• Business Answer: Maybe, maybe not
Wrong Question!
IBM Public Distribution | © Copyright IBM Corporation 2002. All Rights Reserved.
Right Question
• Can WLAN be used in a secure manner?
• Answer: Yes!
WLAN Security - What We’ll Cover
• What is (and is not) WLAN Security
• What is meant by “WLAN Security”
• Assertions
• Security Review
• Network Review
• Recommendations
Who Cares if WLAN is secure?
1. I don’t – I just want an access point, cheap.
2. The Malicious don’t, because they want an access point from which they can be anonymous.
3. Vendors may. Insecurity provides a sales opportunity.
4. Business users do, because they don’t want unauthorized devices (or their drivers) on their net.
5. Wireless Service Providers do, because they want to be paid
for their services.
What is WLAN?
• A radio based physical layer
• An Ethernet like data link layer
• IEEE 802.11[a,b]
• Bluetooth (proposed 802.15)
WLAN is Ethernet without the Wire
What does this mean about WLAN Security?
• WLAN security is point-to-point security
– Identifies one WLAN device to another
– Authenticates one WLAN device to another
– Authorizes access to LAN for which Access Point is Gateway
• WLAN security does not
– “Know” who initiates the link (Who is the “User”?)
– “Know” what application is accessing the link
– Protect resources beyond the Access Point
– Protect other wireless clients using the same Access Point
What is WLAN Security
Physical Layer
Data Link Layer (Medium Access Layer)
There is no “security” at the Physical Layer
At the Data Link Layer, there is
• Authentication (Device)
• Confidentiality (Session)
There are two security attributes at the Data Link layer
1. Device Authentication
2. Session Encryption
What is WLAN Security Supposed to Do?
• Limits use of an Access Point to a pre-registered device
• Enables confidentiality of data transferred between link devices
What doesn’t 802.11b security do? Or not do very well?
• Protect the elements of
– link authentication
– access authorization
– confidentiality of the link
“WEP, he don’t work vewy well, do he?”
– with apologies to Tweety Bird
WAIT! My Vendor Said
• The research is only academic, anyway
• Even though it’s academic, we do security differently
• Our competitors use weak schemes
• We use strong schemes
• We have smarter people
• We use a secret method
• <Invention> Be a Marketeer! Spin your own response here … </invention>
Assertions
• All Communication Security is Point-to-Point
– Trick is, identify the right points!
• Though Point-to-Point, security may have implications both
broad and sometimes unintended
– “I used SSL to transmit my Credit Card Number, how did
somebody else get it to use?”
Security Review
• Identity (Identifiers) and Authentication
– Typical (Mutual) Authentication Protocol
A -> B: {identifier_a}
B -> A: {challenge_a, identifier_b}
A -> B: {response_a, challenge_b}
B -> A: {response_b, sessionID_ab}
A and B are now mutually authenticated
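The four-message exchange above, worked through with both sides' messages, as an added example that is not part of the original slides. The slide does not say how responses are computed; HMAC-SHA256 over a pre-shared key, the Party class and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def respond(key, challenge, responder, peer):
    # Assumption: response = HMAC-SHA256 over both identifiers and the nonce.
    # Including the direction (responder, then peer) means a response made in
    # one direction does not verify in the other.
    msg = responder.encode() + b"|" + peer.encode() + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()

class Party:
    def __init__(self, identifier, key):
        self.identifier = identifier
        self.key = key
        self.challenge = None  # nonce this party issued and is waiting on

    def new_challenge(self):
        self.challenge = secrets.token_bytes(16)  # fresh per run, never reused
        return self.challenge

    def verify(self, response, peer):
        expected = respond(self.key, self.challenge, peer, self.identifier)
        return hmac.compare_digest(expected, response)

def mutual_authenticate(a, b):
    """Run the four messages; return the session ID, or None on failure."""
    # 1. A -> B: {identifier_a}
    id_a = a.identifier
    # 2. B -> A: {challenge_a, identifier_b}
    challenge_a, id_b = b.new_challenge(), b.identifier
    # 3. A -> B: {response_a, challenge_b}
    response_a = respond(a.key, challenge_a, id_a, id_b)
    challenge_b = a.new_challenge()
    if not b.verify(response_a, id_a):
        return None  # B rejects A
    # 4. B -> A: {response_b, sessionID_ab}
    response_b = respond(b.key, challenge_b, id_b, id_a)
    session_id = secrets.token_hex(8)
    if not a.verify(response_b, id_b):
        return None  # A rejects B: this check is what makes it mutual
    return session_id

if __name__ == "__main__":
    shared = secrets.token_bytes(32)  # constructed pre-shared key
    print(mutual_authenticate(Party("A", shared), Party("B", shared)))
```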
Of Access Points and Wireless Clients
• WEP Authentication (802.11b)
Wireless Client (WC), Access Point (AP)
WC -> AP: {authentication request}
AP -> WC: {authentication challenge}
WC -> AP: {authentication response}
AP -> WC: {authentication result}
WC and AP are now mutually authenticated
Network Protocol Review, the Layers
Application: HTTP, FTP, Proprietary, etc.
Transport: TCP, UDP
Network: IP
Data Link: 802.11 (MAC)
Physical: 802.11 (radio)
Layers talk to Layers, not between!
Application   Application
Transport     Transport
Network       Network
Data Link     Data Link
Physical      Physical
Network Security Review
[Diagram: Application Layer Security between the Client Side Application (A) and the Server Side Application (B)]
Network Security Review
[Diagram: protocol stacks (Application, Transport, Network, Data Link, Physical) showing 802.11 & WEP at the Data Link layer, Application Layer Security at the Application layer, and an Unrelated Application]
Security is Layer to Layer, not between!
Application   Application
Transport     Transport
Network       Network
Data Link     Data Link
Physical      Physical
Why?
• Each layer is encapsulated in the previous (lower)
• Encapsulated security is guaranteed by design
– Lower levels don’t interfere with the security of upper layers
– Upper layers aren’t aware of lower layer security
Back to the Future – So What?
• Poor security of a lower layer (802.11b) need not affect security
of application layer
• Use of VPNs, Kerberos, Radius, and Authorization Proxies
mitigates WLAN insecurity at different Layers
Kerberos: Application Layer (Client to Server Application)
VPN: Client to Gateway (Network Client to Network Gateway)
Radius: Client to Gateway
Authorization Proxy: User Client to Application Server
Wireless Ethernet Compatibility Alliance (WECA)
What of Access Point Owners?
Do they Need Security?
Yes!
Access Point Owners are Most Vulnerable
• Wireless service providers need to be paid
• Businesses don’t want to pay for unauthorized users
• Businesses don’t want unauthorized individuals accessing their
resources
How do you mitigate the risk of unauthorized access?
• Businesses and Service Providers (MobileNet, WayPort, Verizon,
AT&T, Sprint, SBC, etc.) authenticate users at the application or
transport layers – not the data link layer.
• Vendors provide proprietary key management and session key
switching schemes to mitigate WLAN cracking technology
• Block lower level protocols with a higher level proxy, i.e.
Firewall, VPN, Authorization Proxy/Engine
• Or, you don’t – if the consequence of WLAN breach doesn’t cost
you anything
Enterprise WLAN Architecture
Designing the Enterprise for WLAN
What to Do
– Firewall WLAN access points (eliminate direct access to internal network
from wireless devices)
– Require VPN access to internal network for application protocols that run
over WLAN
– Use Authorization Proxies/Engines for authenticated user access to
enterprise application resources
– Use SSL/TLS for upper layer confidentiality (encryption of the transport
layer)
What not to do
– Allow installation of unauthorized WLAN access points in the enterprise
intranet
– Configure unauthenticated WLAN access points
– Use off the shelf or standard 802.11 WEP to secure WLAN
– Use Bluetooth instead of 802.11 because of its more complex security
model
– Use 802.11 instead of Bluetooth because of its “current Standard” label
– Take vendor statements at face value
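One way to check a firewall rule set against the first two "What to Do" items, as an added example that is not part of the original slides. The addressing plan, the rule format, the choice of IPsec (IKE, NAT-T, ESP) as the VPN and the function name are all assumptions, and the rules are constructed sample data.

```python
import ipaddress

# Constructed addressing plan and rule set (assumptions, not from the slides).
WLAN_NET = ipaddress.ip_network("10.50.0.0/24")     # segment behind the access points
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")  # enterprise intranet
VPN_GATEWAY = ipaddress.ip_network("10.0.250.1/32")
VPN_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}  # IKE, NAT-T, IPsec ESP

SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "10.50.0.0/24", "dst": "10.0.250.1/32", "proto": "udp", "port": 500},
    {"id": 2, "action": "allow", "src": "10.50.0.0/24", "dst": "10.0.250.1/32", "proto": "esp", "port": None},
    {"id": 3, "action": "allow", "src": "10.50.0.0/24", "dst": "10.0.20.0/24", "proto": "tcp", "port": 445},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dst": "10.0.0.0/16", "proto": "tcp", "port": 80},
    {"id": 5, "action": "allow", "src": "10.50.0.0/24", "dst": "0.0.0.0/0", "proto": "tcp", "port": 443},
    {"id": 6, "action": "deny", "src": "10.50.0.0/24", "dst": "10.0.0.0/16", "proto": "any", "port": None},
]

def audit_wlan_rules(rules):
    """Return (rule id, reason) for every allow rule that lets the WLAN
    segment reach the intranet other than through the VPN gateway.
    Rule order is ignored, so every permissive rule is reported."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # Only rules that can carry WLAN-sourced traffic into the intranet matter.
        if not (src.overlaps(WLAN_NET) and dst.overlaps(INTERNAL_NET)):
            continue
        if dst != VPN_GATEWAY:
            findings.append((rule["id"], "WLAN can reach intranet directly"))
        elif (rule["proto"], rule["port"]) not in VPN_SERVICES:
            findings.append((rule["id"], "non-VPN service on VPN gateway"))
    return findings

if __name__ == "__main__":
    for rule_id, reason in audit_wlan_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {reason}")
```

Rules 4 and 5 are reported because an any-source or any-destination allow also covers the WLAN-to-intranet path.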
Summary
• Threats
– Unauthorized use resulting in
• additional cost or lost revenue
• Unknown liability from “anonymous” and malicious user(s)
– Disclosure of sensitive data
• not protected at higher layers of the protocol stack
• Poorly protected by WEP
WLAN provides a fast growing on to access to LANs and those
resources connected by them
Wireless Providers (MobileNet, WayPort, Verizon, etc.)
authenticate users at the application, not data link layer.
Conclusions
• WLAN is and will be “insecure” for the foreseeable future
• The impact of WLAN’s security characteristics can be readily mitigated where they are felt
– Access Points separated by Firewalls from critical resources
– VPN access for WLAN clients accessing the enterprise
– Authorization proxies/engines for authenticated and authorized user access to enterprise application resources
• The risks lie not in what we know about WLAN, but in ignoring its fundamental characteristics
References (alphabetical)
[Anderson 2001] Ross Anderson, “Why Information Security is Hard – an Economic Perspective”
[ASW 2001] Arbaugh, Shankar, Wan, “Your 802.11 has no clothes”, U of Maryland, 3.30.2001
[BGW 2001] Borisov, Goldberg, Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”
[Cisco 2001a] Response to [ASW 2001], “Product Bulletin No. 1327”
[Cisco 2001b] “Cisco Aironet Security Solution Provides Dynamic WEP to Address Researchers’ Concerns”, Cisco Product Bulletin
[IEEE 1999] IEEE Standard 802.11, 1999
[Hulton 2002] David Hulton, “Practical Exploitation of RC4 Weaknesses in WEP Environments”, February 22, 2002
[SIR 2001] Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP”, August 18th, 2001
[Traskback 2000] Marijanna Traskback, “Security of Bluetooth: an Overview of Bluetooth Security”, 2000
[Vainio 2000] Juha T. Vainio, “Bluetooth Security”, May 5th, 2000
[WECA 2001] WECA Analyst Briefings, October 10-18th, 2002
Questions
Presented by
Ron Williams, Senior Enterprise Architect/Security
IBM Corporation, Tivoli Security