Security for (Wireless) LANs
[email protected]
802.1X workshop
30 & 31 March 2004
Amsterdam
Program Workshop
• Security for (W)LANs – Klaas Wierenga
• 802.1X client side – Tom Rixom
• Coffee
• 802.1X server side – Paul Dekkers
• Lunch
• Hands-on
TOC
• Background
• Threats
• Requirements
• Solutions for today
• Solutions for tomorrow
• Conclusion
Background
[Figure: institutions A and B, each with a WLAN, connected through the SURFnet backbone to international connectivity; access providers for WLAN, GPRS, POTS and ADSL]
Threats
• MAC-address and SSID discovery
– TCPdump
– Ethereal
• WEP cracking
– Kismet
– Airsnort
• Man-in-the-middle attacks
Example: Kismet+Airsnort
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Requirements
• Identify users uniquely at the edge of the network
– No session hijacking
• Allow for guest usage
• Scalable
– Local user administration and authN!
– Using existing RADIUS infrastructure
• Easy to install and use
• Open
– Support for all common OSes
– Vendor independent
• Secure
• After proper AuthN open connectivity
Solutions for today
• Open access
• MAC-address
• WEP
European NRENs:
• Web-gateway
• PPPoE
• VPN-gateway
• 802.1X
Open network
• Open ethernet connectivity, IP-address via DHCP
• No client software (DHCP ubiquitous)
• No access control
• Network is open (sniffing easy, every client and server on LAN is available)
Open network + MAC authentication
• Same as open, but MAC-address is verified
• No client software
• Administrative burden of MAC address tables
• MAC addresses easily spoofable
• Guest usage hard (impossible)
WEP
• Layer 2 encryption between client and Access Point
• Client must know (static) WEP-key
• Administrative burden on WEP-key change
• Some WEP-keys are easy to crack (some less easy)
• Not secure
Open network + web gateway
• Open (limited) network, gateway between (W)LAN and the rest of the network intercepts all traffic (session intercept)
• Can use a RADIUS backend
• Guest use easy
• Browser necessary
• Hard to make secure
Example: FUNET
[Figure: WWW-browser on the Public Access Network, Public Access Controller, AAA Server and Internet, with the login flow numbered 1 to 5]
Open network + VPN Gateway
• Open (limited) network, client must authenticate on a VPN-concentrator to get to the rest of the network
• Client software needed
• Proprietary (unless IPsec or PPPoE)
• Hard to scale
• VPN-concentrators are expensive
• Guest use hard (sometimes VPN in VPN)
• All traffic encrypted
Example: SWITCH and Uni Bremen
IEEE 802.1X
• True port based access solution (Layer 2) between client and AP/switch
• Several available authentication mechanisms (EAP-MD5, MS-CHAPv2, EAP-SIM, EAP-TLS, EAP-TTLS, PEAP)
• Standardised
• Also encrypts all data, using dynamic keys
• RADIUS back end:
– Scalable
– Re-use existing trust relationships
• Easy integration with dynamic VLAN assignment
• Client software necessary (OS built-in or third-party)
• Both for wireless AND wired
How does 802.1X work (in combination with 802.1Q)?
[Figure: the supplicant of user [email protected]_a.nl talks EAPOL to the authenticator (AP or switch); the authenticator carries EAP over RADIUS to the RADIUS server of institution A, which checks a user DB (f.i. LDAP); after authentication the port is placed in the Employee, Student or Guest VLAN with access to the Internet. Signalling and data paths are drawn separately.]
Through the protocol stack
[Figure: Supplicant (laptop, desktop) – Authenticator (AccessPoint, Switch) – Auth. Server (RADIUS server). Between supplicant and authenticator: 802.1X, EAP carried in EAPOL over Ethernet. Between authenticator and auth. server: EAP carried in RADIUS (TCP/IP) over Ethernet.]
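As an added illustration of the stack above (not part of the original slides): how an EAP Response/Identity from the supplicant travels in EAPOL on Ethernet, and how the authenticator strips those headers and re-wraps the EAP packet in RADIUS User-Name and EAP-Message attributes. The function names, MAC addresses and identity are made up; the Ethertype, attribute numbers and header layouts are those of 802.1X, RFC 3748 and RFC 3579.

```python
import struct

ETHERTYPE_EAPOL = 0x888E    # 802.1X frames on Ethernet (Ethertype 88-8E)
EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type that carries an EAP packet
EAP_CODE_RESPONSE = 2       # EAP codes: 1 Request, 2 Response, 3 Success, 4 Failure
EAP_TYPE_IDENTITY = 1
ATTR_USER_NAME = 1          # RADIUS attribute types (RFC 2865 / RFC 3579)
ATTR_EAP_MESSAGE = 79

def eap_identity_response(identifier, identity):
    """EAP Response/Identity: code, identifier, length, type, identity (RFC 3748)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body

def eapol_frame(dst, src, eap_packet):
    """Supplicant side: the EAP packet inside an EAPOL header inside an Ethernet frame."""
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap_packet)) + eap_packet
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def relay_to_radius(frame):
    """Authenticator side: strip Ethernet and EAPOL, re-wrap the EAP packet as RADIUS
    attributes for the Access-Request. Returns a list of (type, value) attributes."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL-Start, -Logoff and -Key are handled locally, not relayed")
    eap = frame[18:18 + length]   # trailing Ethernet padding is dropped here
    code, _identifier, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap) or eap_len < 4:
        raise ValueError("EAP length does not match the EAPOL body length")
    attrs = []
    if code == EAP_CODE_RESPONSE and eap_len > 4 and eap[4] == EAP_TYPE_IDENTITY:
        # User-Name is copied from the identity so RADIUS proxies can route on the realm
        attrs.append((ATTR_USER_NAME, eap[5:]))
    # EAP-Message values are at most 253 bytes; longer EAP packets are split over attributes
    attrs += [(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]
    return attrs

def encode_attrs(attrs):
    """RADIUS attribute TLV encoding: type (1 byte), length including header (1 byte), value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
```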
EAP-types
• EAP MD5
– Security solution: standards-based
– Certificates (client / server): no / no
– Credential security: none
– Supported authentication databases: requires clear-text database
– Dynamic key exchange: no
– Mutual authentication: no
• LEAP
– Security solution: proprietary
– Certificates (client / server): n/a / n/a
– Credential security: weak
– Supported authentication databases: Active Directory, NT Domains
– Dynamic key exchange: yes
– Mutual authentication: yes
• EAP TLS
– Security solution: standards-based
– Certificates (client / server): yes / yes
– Credential security: strong
– Supported authentication databases: Active Directory, LDAP etc.
– Dynamic key exchange: yes
– Mutual authentication: yes
• PEAP
– Security solution: standards-based
– Certificates (client / server): no / yes
– Credential security: strong
– Supported authentication databases: Active Directory, NT Domain, Token Systems, SQL, LDAP etc.
– Dynamic key exchange: yes
– Mutual authentication: yes
• EAP TTLS
– Security solution: standards-based
– Certificates (client / server): no / yes
– Credential security: strong
– Supported authentication databases: Active Directory, LDAP, SQL, plain password files, Token Systems etc.
– Dynamic key exchange: yes
– Mutual authentication: yes
Available supplicants
• Win98, ME: FUNK, Meetinghouse
• Win2k, XP: FUNK, Meetinghouse, MS (+SecureW2)
• MacOS: Meetinghouse
• Linux: Meetinghouse, Open1X
• BSD: under development
• PocketPC: Meetinghouse, MS (+SecureW2)
• Palm: Meetinghouse
Example: SURFnet
[Figure: user piet@institution_b.nl visiting institution A; the supplicant talks to the authenticator (AP or switch), the RADIUS server of institution A forwards the request via the central RADIUS proxy server to the RADIUS server of institution B, which checks its own user DB; the visiting user is placed in the Guest VLAN (local users in the Employee or Student VLAN) with access to the Internet. Signalling and data paths are drawn separately.]
Radius proxy hierarchy
[Figure: RADIUS proxy servers of FUNET, SURFnet, University of Southampton, FCCN and CARnet connecting to a European-level RADIUS proxy server (DFN)]
• Participation guidelines are being drafted
• Aim is to increase membership. Spain, Norway, Slovenia, Czech Republic & Greece have indicated their willingness to join.
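The roaming flow of the SURFnet example and the proxy hierarchy above, as an added example that is not part of the original slides: realm-based routing of an Access-Request through a chain of RADIUS servers (institution, national proxy, European proxy) with loop detection for unknown realms, and the visited site putting a roaming user in its Guest VLAN via the RFC 2868 tunnel attributes. Hostnames, users, passwords and VLAN numbers are constructed, and the node class and function names are my own.

```python
from dataclasses import dataclass, field

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type (attr 64): VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type (attr 65): IEEE-802

def split_nai(user_name):
    """Split 'user@realm' (RFC 2486 NAI); the realm alone decides where to proxy."""
    if "@" not in user_name:
        raise ValueError("User-Name has no realm, cannot route")
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()

@dataclass
class RadiusNode:
    name: str
    local_realms: dict = field(default_factory=dict)  # realm -> {user: (password, role)}
    routes: dict = field(default_factory=dict)        # realm or parent domain -> RadiusNode
    default: "RadiusNode | None" = None               # where unknown realms are escalated

    def handle(self, user_name, password, path):
        """Authenticate locally or proxy by realm. Returns (accepted, role, path)."""
        if self.name in path:  # request came back to us: routing loop, reject it
            return False, None, path
        path.append(self.name)
        user, realm = split_nai(user_name)
        if realm in self.local_realms:  # we are the home server: check the local user DB
            entry = self.local_realms[realm].get(user)
            return (True, entry[1], path) if entry and entry[0] == password else (False, None, path)
        for domain, node in self.routes.items():
            if realm == domain or realm.endswith("." + domain):
                return node.handle(user_name, password, path)
        if self.default is None:
            return False, None, path
        return self.default.handle(user_name, password, path)

def vlan_attributes(visited, user_name, role, vlans):
    """Visited site decides the VLAN: own users by role, roaming users always guest VLAN."""
    _, realm = split_nai(user_name)
    vlan = vlans[role] if realm in visited.local_realms else vlans["guest"]
    return {64: TUNNEL_TYPE_VLAN, 65: TUNNEL_MEDIUM_IEEE_802, 81: str(vlan)}  # 81: Tunnel-Private-Group-ID

def build_hierarchy():
    """Constructed hierarchy (made-up hostnames, users, passwords): A and B under SURFnet, then Europe."""
    inst_a = RadiusNode("radius.institution_a.nl", {"institution_a.nl": {"jan": ("s3cret", "employee")}})
    inst_b = RadiusNode("radius.institution_b.nl", {"institution_b.nl": {"piet": ("pa55", "student")}})
    surfnet = RadiusNode("proxy.surfnet.nl", routes={"institution_a.nl": inst_a, "institution_b.nl": inst_b})
    european = RadiusNode("proxy.europe.example", routes={"nl": surfnet})
    inst_a.default = inst_b.default = surfnet
    surfnet.default = european
    return {"a": inst_a, "b": inst_b, "surfnet": surfnet, "european": european}
```

Because the visited site ignores any role the home server reports, a misconfigured or compromised remote server can at most put its own users into the visited site's Guest VLAN.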
Solutions for tomorrow
• 802.11a|b|g
• 802.16 (WiMax), 802.20
• IPv6
• MobileIPv6
• WPA (pre-standard 802.11i, TKIP)
• 802.11i: 802.1X + TKIP + AES
Conclusion
• You can make it safe
• One size doesn’t fit all (yet?)
• There is convergence in Europe
• 802.1X is the future proof solution
• It’s all about scalability, i.e. size does matter
More information
• SURFnet and 802.1X
– http://www.surfnet.nl/innovatie/wlan
• TERENA TF-Mobility
– http://www.terena.nl/mobility
• The unofficial IEEE802.11 security page
– http://www.drizzle.com/~aboba/IEEE/