WLAN Security

Transcript WLAN Security

© 2003, Cisco Systems, Inc. All rights reserved.
FWL 1.0—8-1
Module 8
Security
Overview
WLANs present unique security challenges. This
module will cover the basics of securing
WLANs. Specific weaknesses and vulnerabilities
of WLANs will be covered. Security
configuration for APs, bridges, and clients will
be shown and explained. Finally, enterprise level
WLAN security will be presented.
Learning Objectives
• Understand the 3 types of vulnerabilities and attacks
• Understand the 4 types of threats
• Understand the importance of a security policy
• Understand the 4 steps of the WLAN security wheel
• Properly configure basic WLAN security via IOS GUI and CLI
• Understand advanced enterprise-level WLAN security technologies and configuration principles
Advanced Security Terms
• WEP – Wired Equivalent Privacy
• EAP – Extensible Authentication Protocol
• TKIP – Temporal Key Integrity Protocol
• CKIP – Cisco Key Integrity Protocol
• CMIC – Cisco Message Integrity Check
• Broadcast Key Rotation – Group Key Update
• WPA – Wi-Fi Protected Access
Balancing Security and Access
Vulnerabilities
• Technology
– TCP/IP
– WEP and Broadcast SSID
– Association Process
– Wireless Interference
• Configuration
– Default passwords
– Unneeded services enabled
– Few or no filters
– Poor device maintenance
• Policy
– Weak security policy
– No security policy
– Poorly enforced policy
– Physical access
– Poor or no monitoring

Threats
•Internal
•External
•Structured
•Unstructured
The Security Attack—Recon and Access
The Security Attacks—DoS
WLAN Security Wheel
Always have a good WLAN security policy in place. Secure the network based on the policy.
WLAN Security Considerations
Authentication – only authorized users and
devices should be allowed.
Encryption – traffic should be protected from
unauthorized access.
Administration Security – only authorized users
should be able to access and configure the AP
configuration interfaces.
Common Protocols which use Encryption
When using a public network such as a WLAN, FTP, HTTP, POP3, and SMTP are insecure and should be avoided whenever possible. Utilize protocols with encryption.

Traffic         No Encryption    Encryption
Web Browsing    HTTP             HTTPS *
File Transfer   TFTP or FTP      SCP
Email           POP3 or SMTP     SPOP3 *
Remote Mgmt     Telnet           SSH
* SSL/TLS

WLAN Security Hierarchy
Open Access (Public “Hotspots”): No Encryption, Basic Authentication
Basic Security (Home Use): 40-bit or 128-bit Static WEP Encryption
Enhanced Security (Business): 802.1x, TKIP/WPA Encryption, Mutual Authentication, Scalable Key Mgmt., etc.
Remote Access (Business Traveler, Telecommuter): Virtual Private Network (VPN)

Basic WLAN Security
Admin Authentication on AP
To prevent unauthorized access to the AP
configuration interfaces:
• Configure a secret password for privileged mode access. (good)
• Configure local usernames/passwords. (better)
• Configure the AP to utilize a security server for user access. (best)
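The three admin-authentication levels above, written out as IOS AP CLI configuration. This is an added example, not configuration from the course or from Cisco documentation; the RADIUS server address 10.0.0.5, the username apadmin and every bracketed secret are placeholders.

```cisco
! Added example (not from the course): the three admin-authentication
! levels on an IOS-based AP, from "good" to "best". The server address,
! the username and all bracketed secrets are placeholders.
!
! (good) An encrypted enable secret protects privileged EXEC mode.
enable secret <PRIVILEGED-SECRET>
!
! (better) Local username/password pairs. "secret" stores a hash rather
! than the clear-text password; privilege 15 gives full admin rights for
! both the CLI and the web GUI.
username apadmin privilege 15 secret <ADMIN-PASSWORD>
!
! (best) AAA: authenticate admin logins against a RADIUS security server
! (for example ACS) and fall back to the local database only when the
! server cannot be reached, so a RADIUS outage does not lock you out.
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! Apply the login method to the console, the vty lines and the HTTP GUI,
! so every management interface uses the same policy.
line console 0
 login authentication default
line vty 0 4
 login authentication default
ip http authentication aaa
```

The "better" and "best" layers are cumulative: keep the enable secret and at least one local account even after AAA is in place, since the `local` fallback in the method list only helps if a local user exists.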
Console Password
WEP
WEP is a key. WEP scrambles communications between AP and client. AP and client must use the same WEP keys. WEP keys encrypt unicast and multicast. WEP is easily attacked.
Supported Devices
What can be a client?
• Client
• Non-Root bridge
• Repeater access point
• Workgroup Bridge
What can be an authenticator?
• Root access point
• Root bridge

Authentication Types
• Open Authentication to the Access Point
• Shared Key Authentication to the Access Point
• EAP Authentication to the Network
• MAC Address Authentication to the Network
• Combining MAC-Based, EAP, and Open
Authentication
• Using CCKM for Authenticated Clients
• Using WPA Key Management
WLAN Security: 802.1X Authentication
(Figure: Client, AP and RADIUS Server; Mutual Authentication)
EAP-TLS
• EAP-Transport Layer Security
• Mutual Authentication implementation
• Used in WPA interoperability testing
LEAP
• “Lightweight” EAP
• Nearly all major OSs supported:
– WinXP/2K/NT/ME/98/95/CE, Linux, Mac, DOS
PEAP
• “Protected” EAP
• Uses certificates or One Time Passwords (OTP)
• Supported by Cisco, Microsoft, & RSA
• GTC (Cisco) & MSCHAPv2 (Microsoft) versions

EAP
Extensible Authentication Protocol (802.1x authentication)
Provides dynamic WEP keys to user devices.
Dynamic is more secure, since it changes.
Harder for intruders to hack…by the time they have performed the calculation to learn the key, the key has changed!
Basic RADIUS Topology
RADIUS can be implemented:
• Locally on an IOS AP (up to 50 users)
• On an ACS server
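The EAP and RADIUS slides above, as an added IOS AP CLI example that is not part of the course: an SSID that authenticates clients with 802.1X/EAP and hands them dynamic WEP keys, with the AP itself acting as the local RADIUS authenticator. The AP address 10.0.0.1, the SSID name corp, the server-group and method-list names rad_eap and eap_methods, the user names and all bracketed secrets are assumptions; the global `dot11 ssid` form assumes an IOS release that supports it (on older images the same SSID subcommands sit under the radio interface).

```cisco
! Added example (not from the course): 802.1X/EAP client authentication
! against the AP's own local RADIUS server. Address, names and bracketed
! secrets are placeholders.
!
! AAA: a server group pointing at the AP's own management address, and a
! login method list that the SSIDs will reference for EAP.
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! Local RADIUS authenticator: register the AP as a NAS and define the users
! it will vouch for. For more users, or for central administration, point
! the rad_eap group at an ACS server instead of the AP.
radius-server local
 nas 10.0.0.1 key <SHARED-SECRET>
 user jdoe password <JDOE-PASSWORD>
 user asmith password <ASMITH-PASSWORD>
!
! SSID: open authentication followed by EAP (standard 802.1X) and
! Network-EAP (LEAP) both use the eap_methods list.
dot11 ssid corp
 authentication open eap eap_methods
 authentication network-eap eap_methods
!
interface Dot11Radio0
 ! WEP is mandatory, but no static key is typed in: each client's session
 ! key is derived during EAP authentication and delivered dynamically.
 encryption mode wep mandatory
 ! Rotate the broadcast (group) key every 10 minutes so an intercepted
 ! broadcast key has a short useful lifetime.
 broadcast-key change 600
 ssid corp
```

Broadcast key rotation is only appropriate on an SSID whose clients all authenticate with EAP; a client using a static WEP key cannot follow the rotating keys.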
Enterprise Encryption
WPA
Interoperable, Enterprise-Class Security
Cipher “Suite”
Cipher suites are sets of encryption and
integrity algorithms.
Suites provide protection of WEP and allow
use of authenticated key management.
Suites with TKIP provide best security.
Must use a cipher suite to enable:
•WPA – Wi-Fi Protected Access
•CCKM – Cisco Centralized Key Management
Configuring the Suite
Create WEP keys
Enable Cipher “Suite” and WEP
Configure Broadcast Key Rotation
Follow the Rules
WEP Key Restrictions

Security Configuration        WEP Restriction
CCKM or WPA key mgt.          No WEP in slot 1
LEAP or EAP                   No WEP in slot 4
40-bit WEP                    No 128-bit key
128-bit WEP                   No 40-bit key
TKIP                          No WEP keys
TKIP and 40 or 128 WEP        No WEP in slot 1 and 4
Static WEP w/MIC or CMIC      WEP and slots must match on AP & client
Broadcast key rotation        Keys in slots 2 & 3 overwritten

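The "Configuring the Suite" steps and the restrictions table above, as an added IOS AP CLI example that is not part of the course: a TKIP + 128-bit WEP cipher suite with WPA key management, serving WPA clients and legacy static-WEP clients on one SSID while obeying the slot rules. The SSID name mixed, the method list eap_methods (assumed to be defined with `aaa authentication login eap_methods group radius`) and the bracketed key are placeholders; the global `dot11 ssid` form assumes an IOS release that supports it.

```cisco
! Added example (not from the course): cipher suite TKIP + WEP128 with
! WPA key management. SSID name, method list and the key are placeholders.
!
! Follow the rules: WPA key management forbids WEP in slot 1, EAP forbids
! WEP in slot 4, so for a TKIP + WEP suite the static key may only go in
! slot 2 or 3.
dot11 ssid mixed
 authentication open
 authentication network-eap eap_methods
 ! "optional" lets legacy clients that lack WPA associate with static WEP
 ! while WPA-capable clients negotiate TKIP keys through EAP.
 authentication key-management wpa optional
!
interface Dot11Radio0
 ! Step 1: create the WEP key. 128-bit = 26 hex digits, in slot 2,
 ! marked as the transmit key. Slots 1 and 4 stay empty.
 encryption key 2 size 128bit <26-HEX-DIGIT-KEY> transmit-key
 ! Step 2: enable the cipher suite: TKIP for WPA clients, WEP128 for
 ! legacy clients. TKIP requires a suite; "encryption mode wep" would
 ! not allow WPA key management.
 encryption mode ciphers tkip wep128
 ! Step 3: broadcast key rotation is deliberately NOT enabled here.
 ! Rotating keys overwrite slots 2 and 3, which would destroy the static
 ! key the legacy clients depend on. On an SSID serving only EAP/WPA
 ! clients, "broadcast-key change <seconds>" would be added at this point.
 ssid mixed
```

Once the last static-WEP client is gone, drop the WEP key and the wep128 cipher, remove `optional`, and turn on broadcast key rotation; per the table, a TKIP-only suite must have no WEP keys configured at all.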
Security Levels
Enterprise WLAN Security Evolution
TKIP/WPA
•Successor to WEP
•Cisco’s pre-standard TKIP has been shipping since Dec.’01
•Cisco introduced TKIP into 802.11i committee
•802.11i-standardized TKIP part of Wi-Fi Protected Access (WPA)
•WPA software upgrade now available for AP1100 & AP1200
AES
•The “Gold Standard” of encryption
•AES is part of 802.11i standard
– AES will be part of WPA2 standard (expected in 2004)
VLANs
VLANs
Configuring your access point to support VLANs is a three-step process:
Assign SSIDs to VLANs.
Assign authentication settings to SSIDs.
Enable the VLAN on the radio and Ethernet ports.
Using VLANs for Security
AP (channel 6) connected to an 802.1Q wired network with VLANs:
SSID “data” = VLAN 1, Security: PEAP + AES
SSID “voice” = VLAN 2, Security: LEAP + WPA
SSID “visitor” = VLAN 3, Security: None

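The three-step VLAN procedure applied to the data/voice/visitor design above, as an added IOS AP CLI example that is not part of the course. The method list eap_methods is assumed to already exist (`aaa authentication login eap_methods group radius`); the `aes-ccm` cipher assumes a radio and IOS release that support AES-CCMP, and the global `dot11 ssid` form assumes an IOS release that supports it. PEAP versus LEAP is chosen on the client and RADIUS server; the AP only sees EAP (for "data") or Network-EAP (for "voice").

```cisco
! Added example (not from the course): SSID-to-VLAN mapping with a different
! security level per VLAN. eap_methods is assumed to be defined already.
!
! Step 1: assign SSIDs to VLANs.  Step 2: authentication settings per SSID.
dot11 ssid data
 vlan 1
 ! 802.1X/EAP (PEAP on the client side) with WPA key management.
 authentication open eap eap_methods
 authentication key-management wpa
!
dot11 ssid voice
 vlan 2
 ! LEAP is Network-EAP on the AP; WPA key management on top.
 authentication network-eap eap_methods
 authentication key-management wpa
!
dot11 ssid visitor
 vlan 3
 ! Open, unencrypted guest access. guest-mode advertises this SSID in
 ! beacons; the other two SSIDs are not broadcast.
 authentication open
 guest-mode
!
! Cipher per VLAN (AES-CCMP for data, TKIP for voice, none for visitor),
! then attach all three SSIDs to the radio.
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers tkip
 ssid data
 ssid voice
 ssid visitor
!
! Step 3: enable each VLAN on the radio and Ethernet ports. One 802.1Q
! subinterface per VLAN on each side; the same bridge-group number joins
! the radio and wired halves of a VLAN. VLAN 1 is the native (untagged)
! VLAN on the wired trunk and must match the switch port configuration.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
```

The security payoff is the separation: visitor traffic lands in VLAN 3 on the wired side, where the switch or firewall can confine it to the Internet path, and it never shares a bridge group with the data or voice VLANs.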