© 2004 bluesocket, inc. secure mobility ™ wireless security: issues and solutions mike brockney...
TRANSCRIPT
© 2004 Bluesocket, Inc. Secure Mobility™
Wireless Security:Issues and Solutions
Mike BrockneyBluesocket
www.bluesocket.com
© 2004 Bluesocket, Inc. Secure Mobility™
Agenda
WLAN Security and Management Requirements WLAN Challenges WLAN security standards
– WEP, WPA, 802.11i VPNs and WLANs Evolution of WLAN deployment model
© 2004 Bluesocket, Inc. Secure Mobility™
A little Wi-fi related joke:
© 2004 Bluesocket, Inc. Secure Mobility™
About Bluesocket…
© 2004 Bluesocket, Inc. Secure Mobility™
WLAN Management & Security Requirements
Access Control– Authentication– Authorization– Airlink Privacy– Physical Security
Data is more dense– Need to manage bandwidth– Avoid unnecessary encryption overhead– Don’t allow bandwidth “hogs”
Imperative for Interoperability – Multiple devices: laptops, PDAs, scanners,
phones, networking vendors’ appliances– Different radio protocols (802.11 alphabet soup)
Need for simple management– Single Web-based login – Transparent login where possible– Guest / Visitor Access– Client software maintenance at a minimum
Secure Mobility™ and Policy-based networks– Voice over WLAN will be widely used
© 2004 Bluesocket, Inc. Secure Mobility™
Wireless LAN Challenges – Minimal security and management in APs
No Bandwidth Management or QoS
Stop or Go - Same Access For AllVisitor or Employee or Contractor(Policy Management)
Weak Security
No True Mobility
© 2004 Bluesocket, Inc. Secure Mobility™
Wireless LAN Challenges – Rogue APs
Employee brings an AP to work and simply plugs it in, opening your network to anyone within radio distance
Malicious user attaches an AP to the network to allow access
Attacker positions an AP near the building in an attempt to have a legitimate user associate with it
AirMagnet, AirDefense, Wavelink can detect and alert in real-time
Cisco, Proxim/Orinoco and others are now building Rogue Detection into standard APs
© 2004 Bluesocket, Inc. Secure Mobility™
Wireless LAN Challenges – Emerging 802.11 devices
© 2004 Bluesocket, Inc. Secure Mobility™
Wireless LAN Challenges – Network Authentication
802.1xAdmin
PPTPExecutive
IPsecFinance
ClearVisitor
ACSLDAP
RadiusNT Domain
© 2004 Bluesocket, Inc. Secure Mobility™
Wireless LAN Challenges – Which standards?
The “Alphabet Soup” of 802.11 standards (b, a, g, h, i, e, f, 1x) and the need to support other wireless interfaces such as Bluetooth on PDAs brings upgrade and compatibility challenges
? ?Solutions must be
‘agnostic’ to supportcurrent and
future standards
Which protocol?
Which air interface?
Which vendor?
© 2004 Bluesocket, Inc. Secure Mobility™
WEP Security – Wired Equivalent Privacy
Available in all APs and wireless cards Available in many different key lengths Uses a static key to encrypt data Good for home use Better than no security at all Can be difficult to manage keys Encryption algorithm has been compromised
© 2004 Bluesocket, Inc. Secure Mobility™
WEP Security – Wired Equivalent Privacy
A series of academic papers exposed serious flaws in WEP– the security system built into the 802.11b standard.
Rapid passive attack was first described in July 2001by Fluhrer, Mantin & Shamir.
AT&T Labs team successfully implemented the attack and concluded that WEP is “totally insecure”.
In August 2001, the Airsnort program was released on the Web.
http://airsnort.sourceforge.net/
© 2004 Bluesocket, Inc. Secure Mobility™
802.1x Background
802.1x is an IEEE standard– Originally designed for Port Authentication in wired networks– IEEE 802.11 has chosen to use 802.1x to support
access authentication in WLANs (June 2001) Enables authentication and key management for WLANs
– Dynamic WEP encryption designed to overcome issues with WEP Augmented to use Upper Layer Authentication Protocols (ULAPs)
as a framework for authentication– An EAP is an implementation– 802.1x originated as a Point-to-Point Protocol (PPP) authentication
scheme along with RADIUS– Implementing EAP methods in mobile devices requires
modifications/additions to the operating system
© 2004 Bluesocket, Inc. Secure Mobility™
802.1X & EAP
• 802.1X defines EAPOL (Extensible Authentication Protocol Over LAN)
• Provides centralized authentication and dynamic key exchange
• EAP packets carried at the MAC layer, embed RADIUS commands
• Different EAP types deliver different authentication techniques
Campus
Network
Supplicant
EAPOL RADIUS
EAP- (TLS, TTLS, PEAP, LEAP)
Authentication Server
Authenticator
© 2004 Bluesocket, Inc. Secure Mobility™
802.1x: EAP Methods
There is no “standard” EAP, but several competing protocols– LEAP, MD5, TTLS, TLS, PEAP, SRP, SIM, AKA– The same EAP method needs to be supported on the
client device and Authentication Server EAP Methods can be sorted into 3 approaches
– Password based (can be open to dictionary attacks)– Digital Certificate based (cumbersome to set-up and manage)– Token Based
Early Entries into the field were LEAP, TLS (Mutual Authentication) and TTLS (Digital Certificate for Server-side Authentication)
Emerging Leaders:– PEAP (Microsoft, Cisco and RSA), TTLS (Funk and Certicom)
No specific EAP for PDA clients (PocketPC2002 or Palm), Wi-Fi Phones (SpectraLink, etc.) or Apple devices
© 2004 Bluesocket, Inc. Secure Mobility™
PEAP (Protected Extensible Authentication Protocol)
Microsoft has started shipping 802.1x client with PEAP– Built into Windows XP SP1– Released a PEAP client for Windows 2000 in November 2002– No support yet for other OS’ (’98, ME)
WEP keys to supplicant protected by ‘session key’ from RADIUS server– At a configurable interval, updated key sent to authenticated PC
Using one vendor’s EAP method could lock you into using certain clients and devices
© 2004 Bluesocket, Inc. Secure Mobility™
Is 802.1x “Good Enough”?
Most implementations require vendor specific APs/NICs/AAA servers– Interoperability is difficult in multi-vendor environments– There is no consensus on a “standard” EAP method or operating mode
(TLS/PEAP in WinXP SP1 only)– Same problem as proprietary IPsec clients for guest access
Client software is required to run 802.1x , involving the need to upgrade all client devices
– Only some Windows versions provide support; not on other devices (PDA’s, Apple MACs, Scanners, etc., etc.)
– No visitor, non-802.1x guest user access Underlying privacy is based on RC4 with rapid re-keying, requiring
extensions to APs Installed base of APs may require forklift upgrades
– Potential high cost of deployment--- as each AP must support the final 802.11 standard and be properly configured
Access is all or nothing (either on or off the network) – No provisions for prioritization or bandwidth control by class of user
© 2004 Bluesocket, Inc. Secure Mobility™
Is WPA a Step in the Right Direction?Yes
Wi-Fi Protected Access (WPA)– New terminology announced by the Wi-Fi Alliance (formally WECA)
to describe 802.1x with TKIP and MIC– TKIP with WEP represents a significant air-link privacy
improvement– Subset of the 802.11i security standard– 802.11i will use AES in a mode to be determined later
Issues with WPA– Requires a 802.1x client/driver on all end-user devices– Limited device support– Variety of methods (LEAP, PEAP, TLS, TTLS, MD5)
Which will be widely used or accepted as standard?– Does not provide a solution for securing sensitive traffic with
alternate type technologies and protocols (e.g. IPSec, PPTP, SSL)
© 2004 Bluesocket, Inc. Secure Mobility™
802.11i (a.k.a. WPAv2)
• IEEE 802.11TGi
• Stronger encryption
• Makes sense to plan for 802.11i
• Will support secure, fast, reliable, roaming • For Voice over WLAN
• But not all details are settled upon yet
Beware: You may have to upgrade a lot of equipment!
© 2004 Bluesocket, Inc. Secure Mobility™
Is WPA/802.11i Good Enough?Depends On Your Needs
Feature WPA/80211i Missing Parts
Authentication √
Dynamic WEP Encryption √
Alternate Encryption (IPSec, PPTP, SSL) √
Access Control and Policy Management √
Guest/Visitor Access(Support for “client-free” devices)
√
Bandwidth Management √
Support for any mobile device √
Support for Secure Roaming √
Intrusion Detection √
Rogue Access Point Detection √
© 2004 Bluesocket, Inc. Secure Mobility™
Policy Enforcement and Compliance: Healthcare
Enforce network policies based on user rights
Examples:– Nurses:
Given HTTPS access to patient databases only
– Doctors: E-mail and Web access with IPSec encryptionfor HIPAA compliance
– Contractors: Access only to their work servers
– Patients/Public/Guests:
Access to Internet only, with limited bandwidth
© 2004 Bluesocket, Inc. Secure Mobility™
Wi-Fi Security Using IPSec
• Requires wireless users to authenticate before gaining network access• IETF standard - Layer 3 authentication & encryption• Familiar, reliable, trustworthy
• Challenges:• No Layer 2 protection mechanisms• IPSec clients may not be available for all handheld devices • Can be difficult to manage and to scale• Ensure the solution provides cross-subnet roaming
Campus
NetworkIPSec
TerminationClient software
IPSec
© 2004 Bluesocket, Inc. Secure Mobility™
WLANs Yesterday: External to Corporate Network
Wireless traffic untrusted• Access points placed outside the firewall• Local wireless users placed on a separate network
Internet
Corporate networkfirewall
WirelessNetwork
© 2004 Bluesocket, Inc. Secure Mobility™
WLANs Today: Integrated Within the Network
Wireless traffic authenticated before accessing network• Access points installed on the regular wired LAN• Wireless users managed like wired users
Internet Corporate networkfirewall
WirelessNetwork
© 2004 Bluesocket, Inc. Secure Mobility™
WLANs Tomorrow: Throughout the Network
Wireless traffic authenticated before accessing network• Access points installed on any LAN• Wireless users managed like remote users
Internet Corporate networkFirewall
/ VPN
© 2004 Bluesocket, Inc. Secure Mobility™
WLANs Tomorrow: Universal Access Regardless of Location
Internet CorporatenetworkFirewall
/ VPN
One method for network authentication from any location• One set of login credentials used for on campus and remote network access• Provides appropriate level of security and eases end-user adoption
The login credentialsused at work
Are the same credentials used
remotely
© 2004 Bluesocket, Inc. Secure Mobility™
Recommendations
802.1x• Strongly recommended if you’re using Layer 2 security• Provides centralized management/policy control
EAP• Consider EAP-TLS if client certificates infrastructure is in
place• Avoid LEAP if standards are important (ASLEAP attack)• If you have Microsoft kit, PEAP is built in
IPSec• If you chose IPSec be sure not to forgo mobility
VLAN• Deploy per-user VLAN policy if your network supports it
Take the path of least resistance that meets your network needs
© 2004 Bluesocket, Inc. Secure Mobility™
Bluesocket Future Directions
Continue to support standards – PEAP, TTLS, 802.11i Add additional authentication methods to support customer needs
– Have added PIN, Cosign, Certificate, use API for other methods
Continue to innovate around security and mobility– VLAN Mobility
– More efficient traffic routing
Load Sharing to distribute load More flexibility around login pages – by location/interface
© 2004 Bluesocket, Inc. Secure Mobility™
Thank You….
Mike Brockney, SE ManagerBluesocket