Executive Summary
Wireless LAN security has come a long way since the early days and the negative publicity around the shortcomings of WEP. Recent advances in WLAN technology and the ratification of key wireless security standards are giving CIOs and network administrators the high level of confidence in WLAN security that they have always needed. This whitepaper will explain the key requirements of wireless security and how the CIO can make sure their enterprise network is protected.

To be effective, WLAN security must address three critical areas: Data Confidentiality and Integrity, Authentication and Access Control, and Intrusion Detection and Prevention. Today's WLAN systems incorporating WPA/WPA2 with AES encryption, in conjunction with 802.1x authentication, can provide a level of security for WLANs that can exceed the security of a wired LAN. At the same time, wireless intrusion detection and prevention systems are becoming more capable and easier to manage. Even if you don't have a WLAN in place, if you do not have a wireless security solution in place you are vulnerable to malicious attacks.

Siemens HiPath Wireless Manager provides a complete WLAN security solution. It is WPA/WPA2 certified to provide AES encryption for data confidentiality and 802.1x for network authentication. In addition, HiPath Wireless Manager HiGuard provides an innovative and adaptive solution for wireless intrusion detection and prevention. HiGuard provides three different operational modes: sensor-less, mixed and dedicated sensor modes, to enable the wireless infrastructure to adapt to the organization's needs.
By incorporating 802.11i-based solutions as part of a multilayered approach, enterprise network managers can reasonably ensure WLAN security. Although threat mitigation is an ongoing process, 802.11i and Advanced Encryption Standard (AES) provide WLANs with security as good as that available for wired LANs. Source: William Terrill, the Burton Group - December 2004
July 2008 I 2
Table of Contents
Executive Summary 2
1.0 The Current State of WLAN Security 4
1.1 WLAN Security Threats 4
2.0 What Makes a WLAN Secure 7
Data Confidentiality and Integrity 7
Authentication and Access Control 7
Intrusion Detection and Prevention 7
The WLAN Security Policy 8
2.1 Data Confidentiality and Integrity 8
WiFi Protected Access (WPA & WPA2) 9
2.2 Authentication and Access Control 10
How 802.1x Authentication Works 10
2.4 802.11i - Bringing it all Together 11
802.11n Implications for WIDS/WIPS 12
2.3 Intrusion Detection and Prevention 12
WLAN that is more Secure than Wired LAN 14
3.0 Siemens HiPath Wireless Security 15
802.11i Security Made Easy 15
State-of-the-Art Integrated Intrusion Detection and Prevention 15
4.0 Conclusion 17
Just as dangerous as an unauthorized rogue access point is an access point that has been legitimately connected to the wired network, but improperly or insufficiently configured. For instance, if no security settings were configured, then such an access point would provide open network access to anyone.

Operating systems like Windows allow the creation of networks consisting of multiple wireless clients, without an access point in between. If one of these computers is configured to participate in an ad hoc network as well as connect to the corporate WLAN via an access point, it could inadvertently create an opening for a hacker to exploit.

Client Mis-associations
In cases where companies are physically near one another, it is very possible for two wireless networks to have the same network information. In such a case, a wireless client will associate with the first access point that it contacts, and if it belongs to the neighboring WLAN, a security threat can exist.
Malicious users can often take advantage of the openings presented above, but the following examples also represent circumstances in which they can create their own openings:
An unauthorized access point that has been connected to the wired network can provide malicious or unauthorized users with open access to the LAN.

Honeypot APs
Some hackers will be able to determine the configuration settings of the wireless LAN, and will plant an access point with the same settings within range of the network. Through mis-association, clients can connect to these honeypots assuming that they are legitimate. Clever hackers can then exploit this by connecting decoy network resources to the AP so that users log in, after which the hacker can steal passwords or even confidential documents.

AP MAC Spoofing
Wireless client computers can be configured to behave like legitimate participants in the network. In this manner, a hacker can mimic an authorized user or even act as a honeypot AP.
Once a hacker has been able to find a way onto the network, whether through an existing opening or one that they created, there are a number of techniques that can be used to actually affect the corporate network:
Hackers continually probe areas for open wireless networks. If a network has a weak user authentication scheme, or none at all, it is very easy for a hacker to obtain access to the corporate network and take information or launch attacks on resources in order to cause disruptions.

Because of the way networking devices work, they need to respond to any client requests. Hackers are able to exploit this by inundating a network resource with more requests than it is able to handle. Distributed DoS attacks magnify this problem by enlisting a number of unknowing computers through hidden code to simultaneously launch denial of service attacks on a potentially massive scale.

If data is unprotected, hackers can intercept messages and change the content to mislead parties that are communicating, making it seem as if the hacker is actually one of the parties.

IP Spoofing
By modifying the source IP address contained in the packet header, a hacker can intercept traffic coming from a legitimately authenticated user and make it appear that the user is actually using the hacker's computer. As a result, all data and messages coming from a server would go back to the hacker.

Hijacking
Using software that is secretly installed on the PC of a corporate user, a hacker can gain control of the computer to gain access to resources the user is able to see, or to cause damage to servers and other computers.
90% of WLAN security incidents until 2010 will be the result of misconfigured systems. Source: Gartner, November 2006
Advanced implementations are able to visually represent the network area along with potential threats, and have automatic classification capabilities so that threats can be easily identified.

Enterprise WLAN security is not one-size-fits-all. While it is desirable to have the most sophisticated frame-level and RF-level security available, wider considerations mean that this may not always be possible. Each enterprise must weigh the level of security required against the overall costs. The solution must be cost-effective, leverage and integrate with existing security technology where possible, require little administrative maintenance and interaction, and represent an overall implementation cost that is commensurate with the initial capital expenditure. End-users will resist any implementation that is not transparent. They will expect full access to applications and network resources, and will not tolerate excessive complexity and/or performance degradation resulting from the security infrastructure.

Even enterprises that have decided not to install WLANs must be concerned about WLAN security, because rogue APs and ad hoc networks between wireless-enabled laptop computers can open gaping security holes in an otherwise secure network by allowing access to the wired LAN from remote locations. Companies that are pursuing enterprise mobility and deploying WLAN should consider an enterprise wireless security policy (see sidebar The WLAN Security Policy).
Identify who may use WLAN technology and what type of access is required;
Describe who can install access points and other wireless infrastructure equipment;
Describe the type of information that can and cannot be sent over wireless links;
Describe conditions under which wireless devices are allowed and how they may be used;
Describe the hardware and software configuration for any access device;
Provide guidelines on reporting losses of wireless devices and security incidents;
Provide guidelines on the use of encryption and other security software; and,
Define the frequency and scope of security assessments, audits and report generation.
hard-coded into the access point and the client. RC4 encryption was originally available with a 40-bit key, but the IEEE later introduced a more robust 128-bit key to enhance data confidentiality. Unfortunately, there were a number of flaws found in the way that WEP addressed confidentiality and integrity.
To start, encryption keys were statically configured, meaning that if a WEP key were cracked, someone would be able to decrypt the information until the user reconfigured it, which rarely happened. The increased protection of 128-bit RC4 turned out to be misleading, as an exploit was reported whereby effective encryption strength could easily be brought back down to 40-bit. Data integrity was poorly addressed with the simplistic CRC-32 algorithm. Therefore, if a user could crack the WEP key, they could easily modify the data, re-encrypt it, and then send it to an unknowing user. The simplistic pre-shared key authentication method used by WEP was not particularly robust or scalable, requiring separate configuration of each individual wireless device, with no leveraging of existing enterprise user directories or security applications.
WEP remained sufficient to stop casual eavesdroppers from illicitly accessing the network or compromising data, which made it adequate for small offices or home use. However, the findings mentioned above, as well as a number of subsequent well-publicized attacks, forced the conclusion that WEP did not provide the level of security necessary for enterprise-wide WLAN deployment.
EAP method comparison table (only the method names survived extraction): EAP-TTLS, EAP-SIM, PEAP
WIDS/WIPS solutions can function in one of two different modes: time slicing or always on. These two modes offer varying degrees of security for the enterprise. In time slicing mode the WIPS solution does not require dedicated sensors distributed throughout the enterprise, but rather borrows slices of time from existing access points to take a snapshot listen of the environment. This mode offers the advantage of lower-cost security to the enterprise, but also offers a lower level of security. Sophisticated hacking routines have been known to identify listening patterns and interleave their activities between the listening slots, effectively going undetected. This is similar to the escaping prisoner avoiding the searchlight and thus going undetected. The more costly, but more effective, mode is to use dedicated sensors in full-time listening mode to detect (and with WIPS, prevent) threats. This is the equivalent of leaving all the lights on, so no matter when the prisoner attempts to escape, he will be seen. Both modes offer their benefits and can even be used at the same time in different physical parts of the enterprise (depending on the risks of, say, visitor or customer traffic). A well-thought-out plan and risk assessment is needed when deciding how best to implement WIPS for an enterprise.

Enterprises generally have two alternatives when deploying intrusion detection and prevention solutions. The first is to deploy an overlay solution, which is a specialized network of dedicated equipment completely separate from the WLAN. These solutions tend to provide the most comprehensive security and the best performance. However, overlay solutions have the disadvantages of adding operational complexity and cost, forcing the deployment of two wireless networks with no management integration or hardware economies. The other alternative is to accept the integrated IDS/IPS functionality which most WLAN infrastructure vendors offer with their solution.

The problem with this alternative is that what the IDS solution vendors offer is generally inferior to overlay products, if not in features then certainly in performance. WLAN vendors are now starting to address this discrepancy. For example, Siemens has fully integrated the industry-leading AirTight WIPS solution into its HiGuard product, delivering world-class WIPS security along with the benefit of reduced overhead and maintenance compared with an overlay solution.
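The searchlight argument above can be put in numbers. The following is an added simulation, not code from the original paper or from any vendor product: it models a time-slicing AP that listens to one channel for a short slice every few seconds, a dedicated sensor that listens all the time, and a rogue AP that beacons for a few seconds (optionally timing its silence to the known slice schedule). All schedule values, channel lists and the always-on model of the dedicated sensor are assumptions.

```python
"""Constructed simulation of WIDS coverage in time-slicing versus dedicated
sensor mode; an illustrative model, not HiGuard or any vendor code."""
import random

CHANNELS = list(range(1, 12))   # assumption: 2.4 GHz channels 1-11
BEACON_INTERVAL = 0.1024        # seconds; the 802.11 default of 100 TU

def listening_timeslice(channel, t, slice_len=0.1, period=10.0):
    """Serving AP that borrows one slice_len scan every period seconds and
    walks the channel list round-robin: each channel is heard for slice_len
    once every period * len(CHANNELS) seconds (schedule values assumed)."""
    cycle = period * len(CHANNELS)
    offset = CHANNELS.index(channel) * period
    return (t - offset) % cycle < slice_len

def listening_dedicated(channel, t):
    """Dedicated sensor modelled as always on for every channel (assumption:
    enough radios to cover all channels continuously)."""
    return True

def burst_detected(listen, channel, start, duration, evasive=False):
    """Rogue AP beacons from start for duration seconds. An 'evasive' rogue
    has learned the time-slice schedule and stays silent during its slots,
    the behaviour the text describes."""
    t = start
    while t < start + duration:
        quiet = evasive and listening_timeslice(channel, t)
        if not quiet and listen(channel, t):
            return True
        t += BEACON_INTERVAL
    return False

def detection_rate(listen, channel, duration, evasive=False,
                   trials=2000, horizon=600.0, seed=7):
    """Fraction of randomly timed rogue bursts that produce at least one
    beacon heard by the WIDS (deterministic for a fixed seed)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        start = rng.uniform(0.0, horizon - duration)
        hits += burst_detected(listen, channel, start, duration, evasive)
    return hits / trials

if __name__ == "__main__":
    for name, fn in (("time-slicing", listening_timeslice),
                     ("dedicated", listening_dedicated)):
        for ev in (False, True):
            print(f"{name:12s} evasive={ev!s:5s} 5 s rogue burst: "
                  f"{detection_rate(fn, 6, 5.0, ev):.1%} detected")
```

With these assumed values a 5-second rogue burst is heard by the time-slicing AP only a few percent of the time and never once the rogue avoids the slots, while the always-on sensor catches every burst in both cases.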
For an enterprise to protect itself from abuse of its information, it must monitor the events occurring in its computer system or network and analyze them for signs of intrusion. To do this, the enterprise must install an Intrusion Detection System (IDS). Source: Gartner, September 2004
Location Services. HiPath Wireless Manager maintains an up-to-date visual perspective of the network. This greatly aids the intrusion prevention process by making it possible to physically find threats. It is also possible for the organization to track mobile corporate resources.

Performance Optimization. The variety of heat maps actually showing the physical makeup of the RF environment can be used by managers to ensure the greatest coverage area and eliminate potential bottlenecks.

Network Monitoring and Control. All of the events and information generated by the three applications feed into the management interface. The Server's dashboard provides a consolidated view of the network, and a variety of rich charts, reports, and statistics are available to aid in network monitoring and troubleshooting.

The portfolio's intrusion detection and prevention capabilities are dramatically extended by the addition of HiPath Wireless Manager HiGuard. It provides the best-in-breed security protection seen in overlay IDS/IPS solutions as well as significant integration with existing WLAN infrastructure and management tools. The HWM HiGuard solution depends on HiPath Wireless Access Points that have been deployed in dedicated sensor mode, where they focus solely on scanning all channels and frequencies on the 802.11a, b, and g radios. The information gathered by the sensors is then sent to the central HWM Server, which consolidates and analyzes it using sophisticated heuristics. Sensors can then use precise RF countermeasures to proactively neutralize threats while the rest of the network remains unaffected. HWM HiGuard is one of the only WLAN security solutions that can detect rogue 802.11n APs to prevent unauthorized access to the wireless network.
Optimized performance, as HiPath Wireless Access Points can devote their attention to delivering consistent network access to users, which is key for voice and other real-time applications.
Enhanced security, as sensors can proactively scan all WiFi radio bands and channels to identify and neutralize the most sophisticated attacks.
Intrusion information is forwarded to a management server that provides robust reporting capabilities.
Automatic threat classification (member, neighbor, rogue, etc.) and the flexibility to locate rogues or even deny them access to the network.
Visual representation of signal coverage and device locations through mapped-over floor plans that can allow staff to find and physically remove suspect devices.
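To make the automatic threat classification above concrete, and to tie it back to the misconfigured-AP and honeypot-AP threats described earlier, here is an added example that is not HiPath Wireless Manager code: it classifies a constructed sensor scan against an authorized-AP inventory and a wired switch MAC table. The inventory, SSIDs, MAC addresses, the "BSSID is near the Ethernet MAC" heuristic and the policy requiring WPA2 are all assumptions.

```python
"""Automatic classification of scanned access points into member, neighbor,
rogue and honeypot (constructed example; not HiPath Wireless Manager code)."""
from dataclasses import dataclass

# Constructed inventory: BSSIDs of the APs the organisation installed itself.
AUTHORIZED_APS = {"00:11:22:33:44:01": "CorpNet", "00:11:22:33:44:02": "CorpNet"}
CORPORATE_SSIDS = {"CorpNet"}
REQUIRED_SECURITY = {"WPA2"}   # assumption: what the WLAN security policy mandates

# Constructed: MAC addresses learned on wired switch ports (CAM table export).
WIRED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:04"}

@dataclass
class ScanResult:
    bssid: str
    ssid: str
    security: str      # "OPEN", "WEP", "WPA" or "WPA2" as seen in beacons

def _mac_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def seen_on_wire(bssid, wired_macs=WIRED_MACS, span=8):
    """Heuristic (assumption): an AP's BSSID is usually within a few
    addresses of its Ethernet MAC, so a near match in the switch CAM table
    is evidence that the AP is plugged into our LAN."""
    target = _mac_int(bssid)
    return any(abs(_mac_int(m) - target) <= span for m in wired_macs)

def classify(ap, authorized=AUTHORIZED_APS, wired=WIRED_MACS):
    """Order matters: known hardware first, then 'is it on our wire', then
    'is it impersonating our SSID'; everything else is a neighbor."""
    if ap.bssid in authorized:
        if ap.security not in REQUIRED_SECURITY:
            return "member-misconfigured"   # legitimate AP violating policy
        return "member"
    if seen_on_wire(ap.bssid, wired):
        return "rogue"                      # unknown AP bridged onto the LAN
    if ap.ssid in CORPORATE_SSIDS:
        return "honeypot"                   # unknown AP advertising our SSID
    return "neighbor"                       # someone else's WLAN, off our wire

def classify_scan(results):
    return {ap.bssid: classify(ap) for ap in results}

# Constructed scan, as a sensor sweep might report it.
SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:01", "CorpNet", "WPA2"),
    ScanResult("00:11:22:33:44:02", "CorpNet", "OPEN"),
    ScanResult("de:ad:be:ef:00:05", "linksys", "OPEN"),
    ScanResult("aa:bb:cc:dd:ee:10", "CorpNet", "WPA2"),
    ScanResult("12:34:56:78:9a:bc", "Cafe-Guest", "WPA2"),
]

if __name__ == "__main__":
    for bssid, verdict in classify_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {verdict}")
```

The "member-misconfigured" verdict is the case the Gartner figure quoted earlier is about: the hardware is yours, but an open or WEP configuration on it is as exposed as a rogue.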
HiPath Wireless Manager not only gives recognized industry-leading intrusion detection and prevention for a complete wireless security solution, but also sets a new standard in the industry for integrating IDS/IPS with existing infrastructure and management systems, and is a key step in creating a single wireless network that supports all mobility applications across the enterprise cost-effectively and easily. In 2006, the Tolly Group declared that the security features of HiPath Wireless products were proven best-in-class for performance among both standalone and integrated IDS/IPS solutions (100% success vs. 65%-75% from competitors).
4.0 Conclusion
Secure wireless communication is at long last a reality. Industry standards have matured to provide a comprehensive solution to the WLAN security dilemma, but as with any form of security, wireless security will have to continually evolve to keep up with the newest and most sophisticated attacks. Furthermore, WLAN vendors are now looking beyond the IEEE standards for authentication and encryption to ensure that appropriate intrusion detection and prevention capabilities are in place to provide a complete and layered security solution.

Siemens has developed a security solution that not only addresses the data confidentiality and authentication needs of today, but has also created an open standards-based solution that has the flexibility to adapt in the future. In conjunction with the sophisticated intrusion detection and prevention capabilities delivered by HiPath Wireless Manager, the HiPath Wireless Portfolio provides a complete, future-ready solution that addresses the core tenets of wireless security. Management demands for a cost-effective approach are being met through an integrated security solution that leverages existing network infrastructure. At the same time, end-users will be satisfied that they have no need to complicate their computing experience in the least. In fact, features like secure fast roaming may actually simplify the user experience.

Many enterprise network managers have resisted the introduction of wireless LAN technology, delaying the opportunity to reap the numerous benefits to be had in terms of productivity, responsiveness, and TCO reductions. While the absence of an acceptable security standard served as the chief justification for this decision, Siemens HiPath Wireless delivers a secure solution that resolves this problem and makes the enterprise ready for wireless LAN today. More information about Siemens HiPath Wireless security solutions is available at http://www.siemens.com/hipath.
Siemens Enterprise Communications is a thought leader and innovator in the enterprise communications industry. We are one of the leading players in the market with full coverage of all the relevant markets from a strong European base with global reach. Our people have the passion, commitment, skills and know-how to deliver a broad range of cutting-edge technologies, outstanding products and professional services. All with the support of an enterprise that has the financial strength to outperform the rest in this competitive and consolidating market.
A properly engineered WiFi security system can not only provide robust security for your wireless users, it can also act as a platform to better secure wired network segments that have, for too long, relied on nothing more than physical security to combat abuse. Source: Network Computing, June 2005
Munich-based Siemens Enterprise Communications GmbH & Co. KG, a wholly owned subsidiary of Siemens with more than 15,000 employees, is one of the world's leading vendors of Open Communications solutions for enterprises of all sizes. Our products, solutions and services make business processes more productive, faster and more secure, with any device, network or IT infrastructure.
Siemens Enterprise Communications GmbH & Co. KG, Hofmannstr. 51, D-81359 München, Germany

The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. The trademarks used are owned by Siemens Enterprise Communications GmbH & Co. KG or their respective owners.