Beruflich Dokumente
Kultur Dokumente
WIRELESS LANS
Varnost v brezžičnih omrežjih
Arijan Šiška, Cisco Slovenija
arsiska@cisco.com
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 1
Agenda
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 2
Why WLAN Security Is important?
Hackers Employees
VULNERABILITIES:
“War Driving”
LESSONS:
• Do not rely on basic WEP encryption; Requirement for Enterprise class
Security (WPA, EAP/802.1x protocols, Wireless IDS, VLANs/SSIDs, etc)
• Employees will install WLAN equipment on their own (compromises security
of your entire network)
Out of the box configuration of APs: All security features are disabled!
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 4
WLAN Security Vulnerabilities and Threats
• Dictionary attacks
On-line (active) attacks: Active attack to compromise passwords or
pass-phrases
Off-line attacks: Passive attack to compromise passwords or
pass-phrases
• MITM attacks
Active attacks where the attacker inserts himself in the middle of
authentication sequence
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 7
Cisco LEAP: Offline Dictionary Attack
Access
PSK pre-programmed
Wireless in the AP and the STA
Point
Station
802.11 Security Capabilities Discovery
• RF jamming
A simple RF Jamming Transmitter (Example: Microwave or
codeless phone next to an AP)
• DoS attacks using 802.11 management frames
802.11 management frames are NOT authenticated between
the AP and the clients
Anyone can spoof a client’s MAC address and send an
802.11 management frame on behalf of that client
• 802.1x authentication flooding
An attacker can send a flood of 802.1x authentication
requests to the AP
This causes the AP to process unnecessary
authentication frames
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 13
Agenda
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 14
Basic Requirements to Secure
Wireless LANs
• Encryption algorithm
Mechanism to provide data privacy
• Message integrity
Ensures data frames are tamper free and truly from the
source address
• Authentication framework
Framework to facilitate authentication messages between
clients, access point, and AAA server
• Authentication algorithm
Mechanism to validate client credentials
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 15
Basic Requirements to Secure
Wireless LANs
Encryption and
Data Privacy Encryption Message
Algorithm Integrity
TKIP-PPK or TKIP-MIC or
AES-CCM AES-CBC-MAC
Authentication Authentication
Framework Algorithm
LEAP, PEAP,
802.1X/EAP
Authentication, or EAP-FAST
Authorization, and
Access Control
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 16
Advanced Requirements to
Secure Wireless LANs
• Wireless IDS
Provide capability to detect and suppress unauthorized
APs, detect active attacks, and enhance Layer-2 Security
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 17
Agenda
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 18
Enterprise Deployment Example
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 19
Agenda
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 20
Wireless LAN Security Best Practices
• Client Support
Windows 95-XP, Windows CE, Macintosh OS 9.X and 10.X,
and Linux
• RADIUS Server
Cisco ACS and Cisco AR
Funk Steel Belted/or Odyssey products
Interlink Merit
• Microsoft Domain or Active Directory (optional) for
back end authentication
• Device support
Workgroup bridges (WGB 340 and 350)
Bridges (BR350, BR1400, and BR1300 series)
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 23
Best Practices for LEAP Deployment
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 24
Best Practices for LEAP Deployment
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 25
EAP-FAST: Flexible Authentication via
Secure Tunneling
• Client Support
Windows 2000, XP, and Windows CE (natively supported)
Non-Windows platforms: Third-Party supplicants (Meetinghouse
and Funk)
Each client requires a user certificate
• Infrastructure Requirements
EAP-TLS supported RADIUS server
Cisco ACS, Cisco AR, MS IAS, Funk, Interlink
RADIUS server requires a server certificate
Certificate Authority Server (PKI Infrastructure)
• Certificate Management
Both client and RADIUS server certificates to be managed
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 27
EAP-PEAP
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 28
EAP Protocols: Feature Support
EAP-TLS PEAP LEAP EAP-FAST
Single sign-on Yes Yes Yes Yes
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 29
EAP Protocols: Feature Support
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 30
IEEE 802.11i (WLAN Security)
Improvements
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 31
Cisco TKIP (CKIP)
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 32
Wi-Fi Protected Access (WPA)
• Components of WPA:
Authenticated key management using 802.1X:
EAP authentication and Pre-Shared Key (PSK) authentication
TKIP: Per-Packet Keying and Message Integrity Check (MIC)
Unicast and broadcast key management
IV expansion: 48-bit IVs
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 35
VPN Authentication Overview
Client
Machine
VPN
RADIUS/OTP Concentrator Access Packet Filtering
Servers Point
VPN Concentrator
• Authenticate Remote Users
• Terminate IPSec
• DHCP services (DHCP pool or DHCP Relay)
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 37
VPN Deployment Example
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 38
Wireless LAN Security Best Practices
• CCX client
LEAP: CCXv1 and above
EAP-FAST: CCxv3.0 (Target: 1QCY2005)
PEAP-GTC: CCXv2 and above
WPA: CCXv2 and above
• Third-party supplicants (for both EAP and WPA)
Funk
Meetinghouse Data Communications
• Using Cisco/CCX supplicant vs. native OS supplicant
Client management functions
Vendor specific configurations: RF Management, Roaming, etc.
• Bridges
Cisco LEAP supported on BR1400, BR1300, BR350, WGB350, etc.
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 41
Cisco Compatible Extensions (CCX)
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 42
RADIUS Server Scalability and Availability
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 43
RADIUS Server Scalability
• EAP Protocol vs. RADIUS server scalability (Cisco Secure ACS)
The hardware for testing the ACS system was configured as follows:
HW Platform: HP Kayak 1.6 GHz, 256 MB RAM
Cisco Secure ACS v3.1 Internal database with 100,000 users in the database
300 APs
Performance results
(not including network latency, reliability, or user distribution factors)
Sustained LEAP: 90 authentications per second
Sustained EAP-TLS: 32 authentications per second
Sustained PEAP: 32 authentications per second
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a
00801495a1.shtml
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 44
RADIUS Server Availability
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 45
Fast Secure Roaming
• What else?
Deploy Fast Secure Roaming (CCKM) and non-Fast Secure Roaming
(non-CCKM) clients using separate VLANs/SSIDs
Fast Secure Roaming is supported for LEAP (Cisco/CCXv2 and above)
clients as well as EAP-FAST (Cisco/CCXv3 and above) clients
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 46
Wireless LAN Security Best Practices
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 48
Agenda
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 49
Why Wireless IDS Matters?
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 50
Radio (Air/RF) Monitoring
Si
Si Si
Network Core
RM-Agg
Si Si
Switch based WDS Distribution
Access
RM
RM
Rogue AP
Rogue AP
RM
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 51
Why Client-Based Scanning?
18 Mbps Note: Rogue AP only has
24 Mbps 54 Mbps data rate enabled!
36 Mbps
54 Mbps Only
48 Mbps
54 Mbps Rogue
AP
802.11a/g
AP
WLAN Client does detects
802.11a/g Client
the Rogue AP and reports
the Rogue AP information to
the Cisco AP!
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 55
CiscoWorks WLSE: Location Manager
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 56
WLAN Deployment Examples (Cont.)
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 58
Wired/Wireless Integration
Best Practices
To Distribution
• Multiple WLAN Security Policies Layer
Data vs. voice vs. legacy devices vs.
guest access AP Channel: 6
SSID “Data” = VLAN 1
VLAN to SSID mapping
SSID “Voice” = VLAN 2
SSID “Visitor” = VLAN 3
• Mapping WLAN security policies to
wired security policies
Use L2 to L4 ACLs on the wired side to
reinforce WLAN security policies
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 60
Summary
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 61
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 62
Reference URLs
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 63
Coming Soon (October, 2004) …
ISBN: 1587051540
http://www.amazon.com/exec/obidos/tg/detail/-/1587051540/104-2859460-7383/104-2859460-7383904
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 64
CCX Laptops
zd7000
nx7000
nc4000
nc6000
nc8000
nc4000 tc1100 R40
nx7000 nc4000 Centrino R50 Inspiron Notebooks
nc6000 Centrino T40 500M, 600M, 1100,
nc8000 Centrino 5100, 5150, 8500
T41
tc1100 Centrino X31 Latitude Notebooks
D400, D500, 600,
D800
WAG511
WPC55AG
NNT
T
WAG311
PCI Adapter
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 66
CCX Vertical Application Devices
CV60 WinXP
730/750 PPC 2004
Vehicle Mount
Available today!
Available Today!
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
ACC-2011
9879_05_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 67