applying security principles to networking applications

1Copyright © 2005, Cisco Systems, Inc. All rights reserved.

Applying Security Principles to Networking Applications

Mark [email protected]

Dec 08, 2005

222Copyright © 2003, Cisco Systems, Inc. All rights reserved.EDCS-301795

What is Security in Computer Development Projects

• What are you protecting

• Why are you protecting it

• From whom are you protecting it

• How are you going to protect it

• What is the cost of protecting it


Wired Access Topology

V V

Internet

Access Device

Local Area Network (LAN)

Wide Area Network (WAN)


Wireless Access Topology

Internet

Access Device




Wireless Access Security Complication

• Physical Access to Local Area Network no longer exists

– Anyone can intercept your conversations

– Anyone can utilize your network resources


Security Solution For Wireless Access

• Authentication

• Encryption


Typical Solution for Wireless Access

Internet

1) Where is Access Point

“MyAP”

2) I am here. Prove you know my secret


Typical Solution for Wireless Access

Internet

3) Here is my proof

4) OK. Here are session keys


So Whats The Problem?

• Wireless Access is a huge Consumer Market

• People are beoming concerned with Wireless Security

• My GrandMother cant use it


What Can We Do To Help

• Make it easy for Grandma to set up Wireless Security


Step 1. Configure Security Parameters Automatically

Internet

When Access Point is booted 1st time:Configures Random Secure SSID

Configures Random WPA Shared Secret

Waits for Wireless Association on Secure SSID

SSID: r@ndOm 55ID

WPA-PSK: R@NDOM_P@SsW0Rd


Step 2.

• How Can We Transfer Security Parameters Securely?


Step 2. Trial One

SSID: Well Known SSID

Open Authentication

1) W

here i

s my A

cces

s

Point “

Well

Known S

SID”

2) H

ere

I am

. Com

e on in


Step 2. Trial One


Open Authentication 3)

Give

me S

ecurit

y

Param

eter

s

4) H

ere

They A

re


Step 2. Trial One

1) W

here i

s my A

cces

s

Point “

r@ndOm

55ID

”

2) I

am h

ere.

Pro

ve y

ou know m

y se

cret

SSID: r@ndOm 55ID



Step 2. Trial One

3) H

ere i

s my p

roof

4) O

K. Her

e ar

e se

ssio

n key

s

SSID: r@ndOm 55ID



Step 2. Trial One Attack


Open Authentication

1) Where is my Access

Point “Well Known SSID”

2) Here I am. Come on in


Step 2. Trial One Attack


Open Authentication

3) Give me Security

Parameters

4) Here they are


Step 2. Trial Two

• What Authentication is possible given constraints

– something we know

– something we have

– something we are

– something we do

• If we can’t be sure, at least be safe


Step 2. Trial Two


Open Authentication

Wher

e is m

y Acc

ess

Point “

Well

Known S

SID”

Here

I am

. Com

e on in

Where is m

y

Access Point “Well

Known SSID”

Here I am. Com

e on in


Step 2. Trial Two


Open Authentication

1) G

ive M

e Sec

urity

Param

eter

s

Hang o

n a s

ec

Give Me Security

Parameters

Unable to guarantee unique access

Access to all denied


Step 2. Trial 2 Attack

• Attacker just Associates and Listens


Trial 3.

• Use Trial 2 Method for Authentication

• Use SSL for Encryption


So Whats The Problem with IPSec?

• Network Protection is a huge Consumer Market

• People are beoming concerned with Security and look to IPSec for help

• My GrandMother cant use it


Network Address Translation

Internet



192.168.1.100

192.168.1.100

192.168.1.101

192.168.1.101

172.204.19.32

62.2.12.17


The RoadWarrior IPSec Problem

• With common implementations the IP Address need to be known a priori or else a global shared secret is used for Authentication

• Mobility and NAT make it hard to predict the IP Address


RoadWarrior Solution

2. Client configuredWeb Install client software

Configure address of Home Gateway

3. Client software connectsLogs on to HTTPS

Initiates the IPSec VPN

1. Gateway configuredSSL Username, password

4. Gateway acceptsAuthenticates Client by password

Figures out current Client IP Address

Provisions IPSec for Client IP Address

Joins Client to Protected Network using IPSec VPN

HomeGateway

Internet

Pro

tected

Netw

ork

IPSec VPN Tunnel

HTTPS

Road Warrior Client

applying security principles to networking applications

Documents